Information security situation awareness method based on virus memory function, medium and device

By constructing an information security situational awareness method with virus memory functionality, the problem of system paralysis caused by the dynamic spread of network viruses was solved, enabling rapid virus identification and removal, and improving system operating efficiency.

CN116738417B · Active
Publication Date: 2026-06-26
SHANDONG SKY NETWORK SECURITY TECH DEV CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
SHANDONG SKY NETWORK SECURITY TECH DEV CO LTD
Filing Date
2023-05-10
Publication Date
2026-06-26

[Abstract figure: CN116738417B_ABST]

Abstract

The present application relates to the technical field of network security, and in particular to an information security situation awareness method based on virus memory function, together with a corresponding medium and device. Addressing the dynamic diffusion of network viruses in a network system, the method establishes a memory knowledge base of viruses within the network system and applies different virus detection and removal approaches to terminal devices that are already infected, terminal devices that are running abnormally, and terminal devices that are not infected. This reduces the share of system running memory consumed by virus detection and removal. It solves the following problem: because the terminal devices of a network system as a whole show a dynamic change trend under current network viruses, simple large-area virus scanning and removal would require loading and running a large amount of data, consume a long time, occupy the system's normal running memory, and cause system paralysis through the loading and processing of massive data.

Description

Technical Field

[0001] This invention relates to the field of network security technology, and in particular to information security situational awareness methods, media, and devices based on virus memory functions.

Background Technology

[0002] Situational awareness is a dynamic, holistic ability to understand security risks in the context of the environment. Drawing on security big data, it improves the ability to discover, identify, understand, analyze, and respond to security threats from a global perspective. Ultimately it serves decision-making and action, and it is where security capability is put into practice.

[0003] Situational awareness is the perception of environmental elements within a certain time and space, the understanding of the meaning of these elements, and the prediction of their future development. Currently, when people mention "situational awareness," they mainly refer to "network security situational awareness," which applies the relevant theories and methods of situational awareness to the field of network security. Network security situational awareness enables network security personnel to grasp the overall security status of the network, identify existing problems and abnormal activities, and make corresponding feedback or improvements. By analyzing and predicting the network security situation over a period of time, it provides strong support and reference for high-level decision-making. The spread of network viruses has now changed from static to dynamic; the process of a virus transforming from static to dynamic is called virus activation. Dynamic viruses in memory exist in two forms: activatable and active. When the virus code in memory can be executed by the normal mechanisms of the system, the dynamic virus is in an activatable state. When the system is executing the virus code, the virus is in an active state. Viruses in the activatable state gain system control by intercepting normal operating mechanisms such as system interrupts, thus transforming into the active state. Viruses in the activatable state can only gain partial system control, while viruses in the active state gain full system control.

[0004] With the advent of 5G, situational awareness will be used more and more. However, during the use of this technology, massive amounts of data will be generated, and this data must be analyzed and computed in real time. For each user request and each data collection, the server needs to query massive amounts of multi-dimensional data, and then aggregate, filter, select and sort this data before finally responding to the user. Multiple viruses spread simultaneously in networks, and their propagation processes are dynamic and independent. Existing network virus propagation no longer follows a pattern in which a single virus is directed at a designated target; it has evolved into cluster-based, dynamic propagation. For example, a network system contains numerous individual terminal devices. Dynamic network viruses enter the system in a cluster mode, causing viral fission and attacking individual devices through different virus types. Each device in the network system defends itself individually, but each device has different defense capabilities and virus recognition abilities, resulting in varying probabilities of infection. Yet if even a portion of the network devices are infected, the entire network system will malfunction. Simply scanning and removing viruses on a large scale requires loading and processing a large amount of data, consuming considerable time and system memory, and potentially causing system paralysis due to the massive data load. To address this problem, information security situational awareness methods, media, and devices based on virus memory functionality have been developed.

Summary of the Invention

[0005] The purpose of this invention is to provide an information security situational awareness method, medium, and device based on virus memory function, in order to solve the problem that current network viruses exhibit a dynamic trend in targeting all terminal devices in a network system. Once a portion of the network system is infected by a network virus, the entire network system will be unable to operate normally. If a large-scale virus scan and removal is simply performed, it requires loading and running a large amount of data, which takes a long time and occupies the system's normal operating memory, leading to system paralysis due to the loading and processing of massive amounts of data.

[0006] This invention provides an information security situational awareness method based on virus memory function, including:

[0007] Acquire basic situational awareness data and the currently configured information security situational awareness virus dynamic identification strategy, and configure network virus dynamic classification and identification categories for the information security situational awareness virus dynamic identification strategy.

[0008] Receive packet traffic and obtain the packet traffic virus detection data fed back by each terminal device in the network system; construct a dynamic network virus situation awareness feedback database; establish memory tags, according to the information security situation awareness virus dynamic identification strategy, for the network viruses fed back by each terminal device; dynamically send the newly added network virus data that carries memory tags to each terminal device in the network in real time, so that each terminal device prioritizes the newly added network virus data when performing virus detection on the packet traffic it receives; construct a knowledge base for the newly added network virus data corresponding to the memory tags and establish a search query mechanism; and return the corresponding data information of the knowledge base according to the received information.

[0009] The situational awareness basic data is preprocessed: the valid values in the situational awareness basic data are analyzed and the valid data is filtered out, yielding the situational awareness data to be analyzed.

[0010] The situational awareness data to be analyzed is used to extract features to establish a training set, which is then divided into independent training, validation, and test sets to construct a situational awareness analysis model.

[0011] The situational awareness data to be analyzed is processed together with the situational awareness analysis model and the knowledge base data to obtain virus attribute data. The location of the virus attribute data is searched on the physical server and the virtual server. The search task is sent to the idle area for data processing. Based on the search feedback information, the corresponding information in the knowledge base is retrieved to obtain the event result.

[0012] The event outcomes are then subjected to trend assessment to obtain situational awareness analysis results.

[0013] Furthermore, acquire basic situational awareness data and the currently configured information security situational awareness virus dynamic identification strategy, and configure dynamic classification and identification categories for network viruses for the information security situational awareness virus dynamic identification strategy, including:

[0014] The situational awareness basic data includes first basic data and second basic data. The system is probed to obtain missed-detection information, data transmission information, and interface traffic data, and this data is stored in the first basic database.

[0015] The system's operation and maintenance data is retrieved and stored in the second basic database. The system's operation and maintenance data includes system operation history data, system operation logs, and system maintenance data.

[0016] A dynamic network situation awareness system is constructed based on the data in the first basic database and the second basic database. A dynamic virus infection type classification data repository is established for network individual terminals in the dynamic network awareness system. The dynamic virus infection type classification data repository is divided into a known virus database, a newly added virus database, and a suspected virus database.

[0017] Furthermore, constructing a knowledge base for the newly added network virus data corresponding to the memory tags, establishing a search and query mechanism, and returning the corresponding data information of the knowledge base according to the received information includes:

[0018] A knowledge base is built for the newly added network virus data corresponding to the memory tags. A network virus security level is established from the historical data of the network virus data held in the knowledge base.

[0019] Establish a regional management policy for individual terminal devices in the network system. The regional management policy includes normal operation areas, abnormal areas, and network virus infection areas.

[0020] The network virus security level is matched with the area management policy to obtain the association between the network virus security level and the area management policy. Based on the association between the network virus security level and the area management policy, virus data corresponding to the network virus security level in the knowledge base is matched.

[0021] Furthermore, preprocessing the situational awareness basic data, analyzing the valid values in it, and filtering out the valid data to obtain the situational awareness data to be analyzed includes:

[0022] Based on the aforementioned situational awareness basic data, the acquired situational awareness basic data is filtered for valid values to obtain valid situational awareness basic data and erroneous situational awareness basic data.

[0023] The valid situational awareness basic data is clustered and summarized, and the erroneous situational awareness basic data is corrected. If the modified data still does not meet the preset requirements of situational awareness basic data, the modified data is listed as invalid data.

[0024] Correlation analysis is performed on the clustered and summarized valid situational awareness data to obtain a situational awareness event dataset.

[0025] Further, the situational awareness data to be analyzed is processed with the situational awareness analysis model and knowledge base data to obtain virus attribute data. The location of the virus attribute data is searched on both physical and virtual servers. The search task is sent to an idle area for data processing. Based on the search feedback information, the corresponding information in the knowledge base is retrieved to obtain the event results, including:

[0026] Establish a main node for situation data analysis and sub-nodes for situation analysis;

[0027] Establish a correlation between the situation analysis sub-nodes and the situation analysis model;

[0028] The analysis request, which substitutes the situational awareness data to be analyzed into the situational awareness analysis model, is transmitted to the situational data analysis master node, and the analysis request is synchronized to the situational analysis sub-nodes through the master node.

[0029] Furthermore, performing trend assessment on the event outcomes to obtain situational awareness analysis results includes:

[0030] Based on the situational awareness data and current network operation status information corresponding to the event results, determine the trend assessment elements;

[0031] The corresponding valid data in the situational awareness basic data is selected based on the trend assessment elements;

[0032] The trend assessment elements are used to retrieve the corresponding trend analysis plan from the knowledge base.

[0033] Furthermore, the analysis of valid values in the aforementioned situational awareness basic data includes obtaining the network security information of the server nodes, namely the vulnerability status, threat status, and operational status of each node; the calculation formula is as follows:

[0034] )* );

[0035] where the quantities in the formula are, in order: the vulnerability status value of node i; the threat status value of node i; the operational status value of node i; the vulnerability weight of node i; the threat weight of node i; and the operating-state weight of node i. The weight of each state value can be set according to the position of the node in the network topology and the importance of the cluster.

[0036] The present invention provides a computer device, including a memory, a processor, and a program stored in the memory and executable on the processor, wherein the processor executes the program to implement the method described in any of the above-mentioned embodiments.

[0037] The present invention provides a computer-readable storage medium having a computer program stored thereon, wherein the program, when executed by a processor, implements any one of the methods described above.

[0038] The present invention provides a computer program product, including a computer program that, when executed by a processor, implements the method described in any one of the above-described embodiments.

[0039] The beneficial effects of this invention are as follows. This invention discloses an information security situation awareness method, medium, and device based on virus memory function. Addressing the dynamic spread of existing network viruses in network systems, it establishes a virus memory knowledge base within the network system and employs differentiated methods for virus detection and removal on infected terminal devices, abnormally operating terminal devices, and uninfected terminal devices. This reduces the system memory consumed by virus detection and removal, improves the processing speed of virus detection and removal, and avoids system paralysis caused by loading and processing massive amounts of data.

Description of the Attached Figures

[0040] To more clearly illustrate the technical solution of the present invention, the drawings used in the embodiments will be briefly introduced below. Obviously, those skilled in the art can obtain other drawings based on these drawings without creative effort.

[0041] Figure 1 is a flowchart of the information security situation awareness method based on virus memory function provided in an embodiment of the present invention.

[0042] Figure 2 is a flowchart of step S101 of the information security situation awareness method based on virus memory function provided in an embodiment of the present invention.

[0043] Figure 3 is a flowchart of step S102 of the information security situation awareness method based on virus memory function provided in an embodiment of the present invention.

[0044] Figure 4 is a flowchart of step S103 of the information security situation awareness method based on virus memory function provided in an embodiment of the present invention.

[0045] Figure 5 is a flowchart of step S105 of the information security situation awareness method based on virus memory function provided in an embodiment of the present invention.

[0046] Figure 6 is a flowchart of step S106 of the information security situation awareness method based on virus memory function provided in an embodiment of the present invention.

[0047] Figure 7 is a framework diagram of the information security situational awareness system with virus memory function provided by the present invention.

[0048] Figure 8 is a schematic diagram of the topology of an individual terminal in a network system provided in an embodiment of the present invention.

Detailed Implementation

[0049] To make the objectives, technical solutions, and advantages of this invention clearer, the technical solutions of this invention will be clearly and completely described below in conjunction with specific embodiments and corresponding drawings. Obviously, the described embodiments are only a part of the embodiments of this invention, and not all of them. Based on the embodiments of this invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this invention. The technical solutions provided by various embodiments of this invention will be described in detail below with reference to the accompanying drawings.

[0050] Referring to Figure 1, this invention provides an information security situation awareness method based on virus memory function, including:

[0051] S101: Obtain basic situational awareness data and the currently configured information security situational awareness virus dynamic identification strategy, and configure the network virus dynamic classification and identification category for the information security situational awareness virus dynamic identification strategy.

[0052] The situational awareness basic data includes first basic data and second basic data. The system is probed to obtain missed-detection information, data transmission information, and interface traffic data, and this data is stored in the first basic database. The system operation and maintenance data is retrieved and stored in the second basic database; it includes system operation history data, system operation logs, and system maintenance data. A dynamic network situational awareness system is constructed based on the data in the first and second basic databases. A dynamic virus infection type classification data repository is established for the individual network terminals in the dynamic network awareness system. The dynamic virus infection type classification data repository is divided into a known virus database, a newly added virus database, and a suspected virus database.

[0053] S102, receive packet traffic and obtain the packet traffic virus detection data fed back by each terminal device in the network system; construct a dynamic network virus situation awareness feedback database; establish memory tags, according to the information security situation awareness virus dynamic identification strategy, for the network viruses fed back by each terminal device; dynamically send the newly added network virus data that carries memory tags to each terminal device in the network in real time, so that each terminal device prioritizes the newly added network virus data when performing virus detection on the packet traffic it receives; construct a knowledge base for the newly added network virus data corresponding to the memory tags and establish a search query mechanism; and return the corresponding data information of the knowledge base according to the received information;

[0054] A knowledge base is constructed for newly added network virus data corresponding to memory tags. Based on the impact of network virus data on individual terminal devices in the network system, a network virus security level is established. A regional management policy is established for individual terminal devices in the network system, including normal operation zones, abnormal zones, and network virus infection zones. The network virus security level is matched with the regional management policy to obtain the association between the network virus security level and the regional management policy. Based on the association between the network virus security level and the regional management policy, the virus data corresponding to the network virus security level in the knowledge base is prioritized for processing.

[0055] S103, preprocess the situational awareness basic data, analyze the valid values in it, filter out the valid data, and obtain the situational awareness data to be analyzed.

[0056] Based on the situational awareness analysis model, the acquired situational awareness basic data is filtered for valid values to obtain valid and erroneous situational awareness basic data. The valid situational awareness basic data is then clustered and summarized, while the erroneous situational awareness basic data is corrected. If the corrected data still does not meet the preset requirements for situational awareness basic data, it is listed as invalid data. The clustered and summarized valid situational awareness data is then subjected to correlation analysis to obtain a situational awareness event dataset. Invalid and out-of-range data are removed, and only the valid data is processed and analyzed.

[0057] Data preprocessing involves cleaning, filtering, standardizing, linking, and tagging the collected data, and loading the standardized data into the data storage. For the standardized data, the original logs and original traffic should be saved.

[0058] S104. Extract features from the situational awareness data to be analyzed to establish a training set, which is then divided into independent training, validation, and test sets to construct a situational awareness analysis model.

[0059] S105, the situational awareness data to be analyzed is processed with the situational awareness analysis model and knowledge base data to obtain virus attribute data. The location of virus attribute data is searched on physical servers and virtual servers. The search task is sent to an idle area for data processing. The corresponding information in the knowledge base is retrieved according to the search feedback information to obtain the event result.

[0060] Establish a situation data analysis master node and situation analysis sub-nodes, establish a relationship between the situation analysis sub-nodes and the situation analysis model, transmit the analysis request of the situation awareness data to be analyzed into the situation awareness analysis model to the situation data analysis master node, and synchronize the analysis request to the situation analysis sub-nodes through the master node.

[0061] A master node and sub-nodes are established. The master node distributes the data to be processed to the sub-nodes according to the data type. The situation analysis models corresponding to the sub-nodes are linked. Each sub-node corresponds to a different situation analysis type. By distributing the data to the sub-nodes according to the data type from the master node, all data is prevented from accumulating on the master node, which would otherwise cause long data processing times.

[0062] S106, Perform trend assessment on the event results to obtain situational awareness analysis results.

[0063] Based on the situational awareness basic data and current network operation status information corresponding to the event results, trend assessment elements are determined. Based on the trend assessment elements, the corresponding valid data in the situational awareness basic data are screened, and the trend assessment elements are used to retrieve the corresponding trend analysis plan from the knowledge base.

[0064] The knowledge base pre-stores multiple trend analysis contingency plans. For example, when the corresponding valid data is data that the system cannot operate normally, the knowledge base retrieves the pre-stored situation analysis contingency plan, saves the existing data of the system, continuously tests whether each port of the system is operating normally, and presents the contingency plan.

[0065] The collected data is synchronously distributed to the branch nodes through the main node. The branch nodes analyze the data and provide feedback, avoiding the slow read and write speed caused by all data being read and written through a single main node. By using pre-stored plans in the knowledge base, the corresponding trend analysis plans in the knowledge base can be quickly retrieved.

[0066] The server establishes communication connections with the devices and the backend control terminals. The server acquires basic situational awareness data, constructs a situational awareness analysis model and a knowledge base, and establishes a search and query mechanism within the knowledge base that can return the corresponding data information based on received information. The basic situational awareness data is preprocessed to obtain the situational awareness data to be analyzed. This data is then integrated with the situational awareness analysis model and the knowledge base for retrieval. Location searches are performed on physical and virtual servers, and data comparison and retrieval tasks are sent to idle areas for data processing. Based on the retrieval feedback, the corresponding information is retrieved from the knowledge base to obtain event results, and trend assessment is performed on these event results to obtain situational awareness analysis results. By establishing an analysis model based on the basic data and defining corresponding event handling methods within the knowledge base, the collected data is synchronously distributed to branch nodes through a central node. The branch nodes analyze the data and provide feedback, avoiding the slow read/write speeds caused by all data being read and written through a single central node. This solves the problem of excessive time consumption during information security situational awareness analysis of large amounts of network data.

[0067] Specifically, referring to Figure 2, acquiring basic situational awareness data and the currently configured information security situational awareness virus dynamic identification strategy, and configuring network virus dynamic classification and identification categories for that strategy, includes:

[0068] S201, the situational awareness basic data includes first basic data and second basic data; the system is probed to obtain missed-detection information, data transmission information, and interface traffic data, which are stored in the first basic database;

[0069] S202, retrieve the system's operation and maintenance data and store it in the second basic database. The system's operation and maintenance data includes system operation history data, system operation logs, and system maintenance data.

[0070] S203, construct a dynamic network situational awareness system based on the data in the first basic database and the second basic database, and establish a dynamic virus infection type classification data repository for network individual terminals in the dynamic network awareness system. The dynamic virus infection type classification data repository is divided into a known virus database, a newly added virus database, and a suspected virus database.

[0071] Historical data is used to compare with subsequent and continuously generated new data to determine whether there are any anomalies in the data, and to serve as the data foundation for data trend analysis.

[0072] Data acquisition mainly includes log acquisition and raw traffic acquisition. Log acquisition functions include log reception, log classification, log formatting, and log forwarding. Traffic acquisition functions include traffic acquisition, protocol parsing, file restoration, and traffic metadata reporting. The above-mentioned data acquisition is stored on the platform.

[0073] Specifically, referring to Figure 3, constructing a situational awareness analysis model and knowledge base, and establishing within the knowledge base a search and query mechanism that returns the relevant data information according to the received information, includes:

[0074] S301, construct a knowledge base for newly added network virus data corresponding to memory tags, and establish network virus security levels based on historical data of the impact of network virus data on individual terminal devices in the network system.

[0075] S302, establish a regional management policy for individual terminal devices in the network system. The regional management policy includes normal operation areas, abnormal areas, and network virus infection areas.

[0076] S303, Match the network virus security level with the area management policy to obtain the association between the network virus security level and the area management policy, and match the virus data corresponding to the network virus security level in the knowledge base according to the association between the network virus security level and the area management policy.
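As an added example (not code from the patent) covering paragraphs [0017] to [0020] and steps S301 to S303 above: a knowledge base keyed by memory tag, a security level derived from each virus's historical impact on terminals, and the association between that level and the zone management policy, which decides which terminals check a tag first. The class names, the three-level scale, its cut-offs, the level-to-zone mapping and the sample feedback are all assumptions made for this illustration.

```python
"""Added illustration of a memory-tag knowledge base with security levels and a
zone policy. Not the patent's own code; all names, thresholds and sample data
are assumptions made for this example."""
from dataclasses import dataclass, field
from enum import Enum


class Zone(Enum):
    """Regional management policy: the three zones a terminal can be in."""
    NORMAL = "normal_operation"
    ABNORMAL = "abnormal"
    INFECTED = "virus_infection"


@dataclass
class VirusRecord:
    memory_tag: str
    reported_by: set = field(default_factory=set)  # terminals that fed this tag back
    infections: int = 0                            # terminals it actually infected


class MemoryKnowledgeBase:
    # Assumed association between security level and the zones whose terminals
    # must check the tag first: the higher the level, the wider the scan.
    LEVEL_TO_ZONES = {
        1: {Zone.INFECTED},
        2: {Zone.INFECTED, Zone.ABNORMAL},
        3: {Zone.INFECTED, Zone.ABNORMAL, Zone.NORMAL},
    }

    def __init__(self, total_terminals: int):
        self.total_terminals = total_terminals
        self.records: dict[str, VirusRecord] = {}

    def feedback(self, terminal_id: str, memory_tag: str, infected: bool) -> bool:
        """Record one terminal's detection feedback; True when the tag is newly added."""
        is_new = memory_tag not in self.records
        rec = self.records.setdefault(memory_tag, VirusRecord(memory_tag))
        rec.reported_by.add(terminal_id)
        if infected:
            rec.infections += 1
        return is_new

    def security_level(self, memory_tag: str) -> int:
        """Level 1..3 from the share of terminals historically infected (assumed cut-offs)."""
        ratio = self.records[memory_tag].infections / self.total_terminals
        if ratio >= 0.25:
            return 3
        if ratio >= 0.05:
            return 2
        return 1

    def scan_plan(self, terminal_zones: dict[str, Zone]) -> dict[str, list[str]]:
        """Per terminal, the memory tags it must check first, highest level first."""
        plan: dict[str, list[str]] = {t: [] for t in terminal_zones}
        by_priority = sorted(self.records, key=lambda tag: -self.security_level(tag))
        for tag in by_priority:
            zones = self.LEVEL_TO_ZONES[self.security_level(tag)]
            for terminal, zone in terminal_zones.items():
                if zone in zones:
                    plan[terminal].append(tag)
        return plan


def demo() -> dict[str, list[str]]:
    """Constructed feedback from a 20-terminal system, then the resulting scan plan."""
    kb = MemoryKnowledgeBase(total_terminals=20)
    for t in ("t01", "t02", "t03", "t04", "t05", "t06"):
        kb.feedback(t, "tag-A", infected=True)      # 6/20 infected -> level 3
    for t in ("t07", "t08"):
        kb.feedback(t, "tag-B", infected=True)      # 2/20 infected -> level 2
    kb.feedback("t09", "tag-C", infected=False)      # seen, no infection -> level 1
    zones = {"t01": Zone.INFECTED, "t07": Zone.ABNORMAL, "t15": Zone.NORMAL}
    return kb.scan_plan(zones)


if __name__ == "__main__":
    for terminal, tags in demo().items():
        print(terminal, tags)
```

The uninfected terminal only has to check the highest-level tag, while the infected one checks all three; this is the differentiated treatment of the three zones the method describes.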

[0077] Specifically, referring to Figure 4, preprocessing the situational awareness basic data and analyzing its valid values to filter out the valid data, thus obtaining the situational awareness data to be analyzed, includes:

[0078] S401, based on the situational awareness basic data, the acquired situational awareness basic data is filtered for valid values to obtain valid situational awareness basic data and erroneous situational awareness basic data.

[0079] S402, perform data clustering and summarization on the valid situational awareness basic data, and correct the erroneous situational awareness basic data. If the corrected data still does not meet the preset requirements of the situational awareness basic data, the corrected data is listed as invalid data.

[0080] S403, perform correlation analysis on the clustered and summarized valid situational awareness data to obtain a situational awareness event dataset.
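As an added example (not code from the patent) of steps S401 to S403: valid-value filtering, correction of erroneous records with fallback to the invalid list when a record still fails the preset requirements, clustering and summarization per node, and a simple correlation rule that produces the event dataset. The field names, validity limits, correlation rule and sample records are assumptions made for this illustration.

```python
"""Added illustration of S401-S403 preprocessing. Not the patent's own code;
field names, validity limits, the correlation rule and the sample records are
assumptions made for this example."""
from statistics import mean

# Constructed first-basic-data records (interface traffic plus node load).
SAMPLE_RECORDS = [
    {"node": "n1", "cpu": 35, "bytes": 1200, "ts": "2023-05-10T08:00:00"},
    {"node": "n1", "cpu": "40", "bytes": 1500, "ts": "2023-05-10T08:01:00"},  # cpu as text: correctable
    {"node": "n2", "cpu": 97, "bytes": 90000, "ts": "2023-05-10T08:00:00"},
    {"node": "n2", "cpu": 99, "bytes": 120000, "ts": "2023-05-10T08:01:00"},
    {"node": "n3", "cpu": 250, "bytes": 800, "ts": "2023-05-10T08:00:00"},   # cpu out of range: not correctable
    {"node": "n3", "cpu": 20, "bytes": -5, "ts": ""},                          # negative bytes, no timestamp
]


def is_valid(rec: dict) -> bool:
    """Preset requirements (assumed): cpu in 0..100, bytes >= 0, timestamp present."""
    cpu, nbytes = rec.get("cpu"), rec.get("bytes")
    return (isinstance(cpu, (int, float)) and 0 <= cpu <= 100
            and isinstance(nbytes, int) and nbytes >= 0
            and bool(rec.get("ts")))


def try_correct(rec: dict) -> dict:
    """Correction step: only coerce numeric text; anything else is left to fail validation."""
    fixed = dict(rec)
    if isinstance(fixed.get("cpu"), str):
        try:
            fixed["cpu"] = float(fixed["cpu"])
        except ValueError:
            pass
    return fixed


def s401_filter(records: list) -> tuple:
    """Split records into valid and erroneous according to the preset requirements."""
    valid = [r for r in records if is_valid(r)]
    erroneous = [r for r in records if not is_valid(r)]
    return valid, erroneous


def s402_correct_and_cluster(valid: list, erroneous: list) -> tuple:
    """Correct what can be corrected, list the rest as invalid, then cluster and summarise."""
    invalid = []
    for rec in erroneous:
        fixed = try_correct(rec)
        if is_valid(fixed):
            valid.append(fixed)
        else:
            invalid.append(rec)   # still fails the preset requirements after correction
    clusters: dict = {}
    for rec in valid:
        clusters.setdefault(rec["node"], []).append(rec)
    summary = {
        node: {"count": len(rs),
               "cpu": mean(r["cpu"] for r in rs),
               "bytes": mean(r["bytes"] for r in rs)}
        for node, rs in clusters.items()
    }
    return summary, invalid


def s403_correlate(summary: dict, cpu_threshold: float = 90, bytes_factor: float = 5) -> list:
    """Correlation rule (assumed): a node near CPU saturation whose traffic is far above its peers."""
    events = []
    for node, s in summary.items():
        peers = [p["bytes"] for other, p in summary.items() if other != node]
        if not peers:
            continue   # a single node has no peers to correlate against
        if s["cpu"] >= cpu_threshold and s["bytes"] >= bytes_factor * mean(peers):
            events.append({"node": node, "event": "suspected_infection",
                           "cpu": s["cpu"], "bytes": s["bytes"]})
    return events


def run_pipeline(records: list = SAMPLE_RECORDS) -> tuple:
    """S401 -> S402 -> S403; returns (per-node summary, invalid records, event dataset)."""
    valid, erroneous = s401_filter(records)
    summary, invalid = s402_correct_and_cluster(valid, erroneous)
    return summary, invalid, s403_correlate(summary)


if __name__ == "__main__":
    summary, invalid, events = run_pipeline()
    print(summary, len(invalid), events)
```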

[0081] The normal operation of the situational awareness system can utilize visualization technology to structure previously fragmented threat alerts, abnormal behavior alerts, asset management, and other data into a global, dynamic, and interconnected visual view. By leveraging network-wide threat intelligence and big data platform analysis, it can monitor attack events and potential risks in real time, enabling real-time monitoring and early warning of security incidents. It provides a variety of data visualization effects, including charts, radar charts, topology maps, heat maps, and other styles, presenting risks from different perspectives and dimensions.

[0082] Specifically, referring to Figure 5, processing the situational awareness data to be analyzed together with the situational awareness analysis model and the knowledge base data to obtain virus attribute data, searching for the location of the virus attribute data on both physical and virtual servers, sending the search task to an idle area for data processing, and retrieving the corresponding information in the knowledge base based on the search feedback to obtain the event results includes:

[0083] S501, establishing a master node for situation data analysis and sub-nodes for situation analysis;

[0084] S502, establishing an association between the situation analysis sub-nodes and the situation analysis model;

[0085] S503, transmitting the analysis request that substitutes the situational awareness data to be analyzed into the situational awareness analysis model to the situation data analysis master node, and synchronizing the analysis request through the master node to the situation analysis sub-nodes.

[0086] That is, a situation data analysis master node and situation analysis sub-nodes are established, a relationship is established between the sub-nodes and the situation analysis model, the analysis request that substitutes the situational awareness data to be analyzed into the situation awareness analysis model is transmitted to the master node, and the master node synchronizes the analysis request to the sub-nodes.

[0087] With the master node and sub-nodes in place, the master node distributes the data to be processed to the sub-nodes according to data type. Each sub-node is linked to its corresponding situation analysis model and handles a different situation analysis type. Distributing the data by type from the master node prevents all data from accumulating on the master node, which would otherwise lead to long processing times.
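An added example (not the patent's own code) of the master/sub-node layout of S501 to S503 and [0087]: the master routes each record by data type to the sub-node bound to that type's model, runs the sub-nodes concurrently, and collects the per-type results, keeping any record of a type no sub-node handles rather than dropping it. The record fields, the three stand-in models and the memory-tag knowledge base are assumptions.

```python
from collections import defaultdict
from concurrent.futures import ThreadPoolExecutor

# Constructed knowledge base of memory-tagged virus data (structure is an assumption).
KNOWLEDGE_BASE = {
    "worm.A": {"tag": "MEM-0001", "level": "high"},
    "worm.B": {"tag": "MEM-0002", "level": "medium"},
}


# Stand-in situation analysis models, one per data type. A deployment would plug
# in the trained model produced from the training/validation/test split; these
# are deliberately simple rules so that the routing is what the example shows.
def alert_model(items):
    out = []
    for it in items:
        kb = KNOWLEDGE_BASE.get(it["sig"])
        out.append({"node": it["node"], "sig": it["sig"],
                    "known": kb is not None, "tag": kb["tag"] if kb else None})
    return out


def traffic_model(items, threshold=10_000):
    return [{"node": it["node"], "bytes": it["bytes"],
             "anomalous": it["bytes"] > threshold} for it in items]


def log_model(items):
    return [{"node": it["node"],
             "failed_logins": sum(1 for line in it["lines"] if "FAILED" in line)}
            for it in items]


class SubNode:
    """S502: a sub-node is bound to exactly one situation analysis model."""

    def __init__(self, data_type, model):
        self.data_type, self.model = data_type, model

    def analyze(self, items):
        return self.data_type, self.model(items)


class MasterNode:
    """S501/S503: receives the analysis request, splits it by data type and
    synchronizes each slice to the sub-node registered for that type, so that
    no record is analyzed on the master itself."""

    def __init__(self):
        self.subnodes = {}

    def register(self, subnode):
        self.subnodes[subnode.data_type] = subnode

    def route(self, records):
        buckets, unrouted = defaultdict(list), []
        for rec in records:
            if rec["kind"] in self.subnodes:
                buckets[rec["kind"]].append(rec)
            else:
                unrouted.append(rec)  # no sub-node for this type: kept, not silently dropped
        return buckets, unrouted

    def analyze(self, records):
        buckets, unrouted = self.route(records)
        results = {}
        with ThreadPoolExecutor(max_workers=max(1, len(buckets))) as pool:
            futures = [pool.submit(self.subnodes[k].analyze, v) for k, v in buckets.items()]
            for fut in futures:
                data_type, out = fut.result()
                results[data_type] = out
        results["unrouted"] = unrouted
        return results


def build_master():
    master = MasterNode()
    for data_type, model in (("alert", alert_model), ("traffic", traffic_model), ("log", log_model)):
        master.register(SubNode(data_type, model))
    return master


# Constructed analysis request: mixed record types as they would arrive at the master.
REQUEST = [
    {"kind": "alert", "node": "srv-01", "sig": "worm.A"},
    {"kind": "alert", "node": "srv-02", "sig": "worm.Z"},
    {"kind": "traffic", "node": "srv-03", "bytes": 25_000},
    {"kind": "log", "node": "srv-04", "lines": ["FAILED login root", "ok", "FAILED login admin"]},
    {"kind": "video", "node": "srv-05"},  # no sub-node registered for this type
]

if __name__ == "__main__":
    for data_type, out in build_master().analyze(REQUEST).items():
        print(data_type, out)
```

The master keeps only the routing table; each model runs in its own sub-node, which is the property [0087] relies on to keep processing time off the master.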

[0088] Specifically, referring to Figure 6, subjecting the event results to trend assessment to obtain the situational awareness analysis results includes:

[0089] S601, determining the trend assessment elements based on the situational awareness basic data and the current network operation status information corresponding to the event results;

[0090] S602, filtering the corresponding valid data from the situational awareness basic data according to the trend assessment elements;

[0091] S603, screening the trend assessment elements and retrieving the corresponding trend analysis plan from the knowledge base.

[0092] Furthermore, the analysis of valid values in the situational awareness basic data described above includes obtaining the network security information of each server node, namely the vulnerability status, threat status and system operational status of each node, using the following formula:

[0093] )* );

[0094] where the terms are the vulnerability status value of node i, the threat status value of node i, the operational status value of node i, and the vulnerability weight, threat weight and running-state weight of node i. The weight of each state value can be set according to the position of the node in the network topology and the importance of the cluster it belongs to.
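As an added example that is not from the patent, the node status computation of [0092] to [0094] and claim 6 (the inner product of the three status values with the node's three weights) carried through for a few constructed nodes, together with one possible decision rule for placing each node in the normal operation, abnormal or virus infection area of the area management policy of S303 and claim 3. The variable names, value ranges, weights, threshold and the area decision rule are assumptions; the page does not reproduce its own symbols.

```python
from dataclasses import dataclass


@dataclass
class NodeState:
    node: str
    vuln: float      # vulnerability status value of node i (assumed range 0..1)
    threat: float    # threat status value of node i (assumed range 0..1)
    running: float   # operational status value of node i (assumed: 1 = most degraded)
    weights: tuple   # (vulnerability weight, threat weight, running-state weight)


def security_status(state):
    """Network security status S of one server node: inner product of the
    status vector (vuln, threat, running) with the node's weight vector."""
    values = (state.vuln, state.threat, state.running)
    return sum(v * w for v, w in zip(values, state.weights))


def assign_area(state, detected_level=None, abnormal_threshold=0.5):
    """Assumed area decision rule: a node on which a high-level virus has been
    detected goes to the infection area; an uninfected node whose S is at or
    above the threshold goes to the abnormal area; everything else is normal."""
    if detected_level == "high":
        return "infection"
    if security_status(state) >= abnormal_threshold:
        return "abnormal"
    return "normal"


def partition(nodes, detections):
    """Group nodes into the three areas of the area management policy.
    `detections` maps node name -> virus security level from the knowledge base."""
    areas = {"normal": [], "abnormal": [], "infection": []}
    for name, state in nodes.items():
        areas[assign_area(state, detections.get(name))].append(name)
    return {k: sorted(v) for k, v in areas.items()}


# Constructed sample. Weights are chosen per topology role, as [0094] allows:
# the core node weights vulnerability and threat more, leaf nodes weight the
# running state more.
CORE_WEIGHTS = (0.4, 0.4, 0.2)
LEAF_WEIGHTS = (0.3, 0.3, 0.4)
NODES = {
    "core-01": NodeState("core-01", 0.2, 0.4, 0.1, CORE_WEIGHTS),
    "leaf-07": NodeState("leaf-07", 0.8, 0.7, 0.6, LEAF_WEIGHTS),
    "leaf-12": NodeState("leaf-12", 0.5, 0.9, 0.9, LEAF_WEIGHTS),
}
# Constructed knowledge-base lookup: virus security level per node with a detection.
DETECTIONS = {"leaf-12": "high"}

if __name__ == "__main__":
    for name, st in NODES.items():
        print(name, round(security_status(st), 3), assign_area(st, DETECTIONS.get(name)))
    print(partition(NODES, DETECTIONS))
```

With these inputs, core-01 scores 0.26 and stays in the normal area, leaf-07 scores 0.69 and is placed in the abnormal area, and leaf-12 is placed in the infection area because of its high-level detection regardless of its score.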

[0095] The present invention provides a computer device, including a memory, a processor, and a program stored in the memory and executable on the processor, wherein the processor executes the program to implement the method described in any of the above-mentioned embodiments.

[0096] The present invention provides a computer-readable storage medium having a computer program stored thereon, wherein the program, when executed by a processor, implements any one of the methods described above.

[0097] The present invention provides a computer program product, including a computer program that, when executed by a processor, implements the method described in any one of the above-described embodiments.

[0098] As can be seen from the above embodiments, the information security situation awareness method, medium and device based on virus memory function provided by the present invention address the dynamic spread of network viruses in a network system by establishing a virus memory knowledge base in that system. New network virus data types reported by individual devices in the network system are received dynamically in real time, and each device gives priority to detecting and removing the newly reported virus types, so that the virus detection data of every device in the network system is kept up to date. A virus spread partition management system is further established, applying differentiated detection and removal methods to infected terminal devices, abnormally operating terminal devices and uninfected terminal devices, which lowers the memory utilization of the system during detection and removal. This addresses the problem that a current network virus spreads dynamically across all terminal devices in the network system, so that once some devices are infected the entire network system malfunctions, while simply scanning and removing viruses across the whole network requires loading and processing a large amount of data, takes a long time, occupies the system's normal operating memory, and can paralyze the system under the massive data load.

[0099] Those skilled in the art will clearly understand that the techniques in the embodiments of the present invention can be implemented using software plus necessary general-purpose hardware platforms. Based on this understanding, the technical solutions in the embodiments of the present invention, or the parts that contribute to the prior art, can be embodied in the form of a software product. This computer software product can be stored in a storage medium, such as ROM / RAM, magnetic disk, optical disk, etc., and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute the methods described in various embodiments or certain parts of the embodiments of the present invention.

[0100] The same or similar parts between the various embodiments in this specification can be referred to mutually. Since they are basically similar to the method embodiments, the description is relatively simple, and relevant parts can be referred to the description in the method embodiments.

[0101] The embodiments of the present invention described above do not constitute a limitation on the scope of protection of the present invention.

Claims

1. An information security situational awareness method based on virus memory function, characterized in that it comprises: acquiring situational awareness basic data and the currently configured information security situational awareness virus dynamic identification strategy, and configuring dynamic classification and identification categories for network viruses for that strategy; receiving packet traffic, acquiring packet traffic virus detection data from the terminal devices in the network system, constructing a dynamic network virus situation awareness feedback database, establishing memory tags for the network viruses reported by the terminal devices in the network system according to the information security situation awareness virus dynamic identification strategy, and dynamically sending newly added network virus data carrying the established memory tags to the terminal devices in the network in real time, each terminal device in the network system giving priority to the newly added network virus data when performing virus detection on the packet traffic data it receives; constructing a knowledge base for the newly added network virus data corresponding to the memory tags, establishing a search and query mechanism, and feeding back corresponding data information from the knowledge base based on the received information; preprocessing the situational awareness basic data, analyzing the valid values in the situational awareness basic data, and filtering out the valid data to obtain the situational awareness data to be analyzed; extracting features from the situational awareness data to be analyzed to establish a training set, which is divided into independent training, validation and test sets to construct a situational awareness analysis model; establishing a master node and sub-nodes for situational data analysis, establishing a relationship between the sub-nodes and the situational awareness analysis model, transmitting the analysis request that substitutes the situational awareness data to be analyzed into the situational awareness analysis model to the master node, and synchronizing the analysis request through the master node to the sub-nodes for processing to obtain virus attribute data; searching for the location of the virus attribute data on both physical and virtual servers, sending the search task to an idle area for data processing, and retrieving the corresponding information in the knowledge base based on the search feedback to obtain the event results; and subjecting the event results to trend assessment to obtain the situational awareness analysis results.

2. The information security situation awareness method based on virus memory function as described in claim 1, characterized in that acquiring the situational awareness basic data and the currently configured information security situational awareness virus dynamic identification strategy, and configuring dynamic classification and identification categories for network viruses for that strategy, includes: the situational awareness basic data includes first basic data and second basic data; the system is detected to obtain system missed-detection information, data transmission information and interface traffic data, which are stored in a first basic database; the system retrieves operation and maintenance data and stores it in a second basic database, the operation and maintenance data including system operation history data, system operation logs and system maintenance data; a dynamic network situation awareness system is constructed based on the data in the first basic database and the second basic database; and a dynamic virus infection type classification data repository is established for the individual terminals in the dynamic network situation awareness system, the repository being divided into a known virus database, a newly added virus database and a suspected virus database.

3. The information security situation awareness method based on virus memory function as described in claim 1, characterized in that constructing a knowledge base for the newly added network virus data corresponding to the memory tags, establishing a search and query mechanism, and feeding back corresponding data information from the knowledge base based on the received information includes: building a knowledge base for the newly added network virus data corresponding to the memory tags; establishing a network virus security level from the historical network virus data in the knowledge base; establishing an area management policy for the individual terminal devices in the network system, the area management policy including normal operation areas, abnormal areas and network virus infection areas; matching the network virus security level with the area management policy to obtain the association between the network virus security level and the area management policy; and, based on that association, matching the virus data in the knowledge base that corresponds to the network virus security level.

4. The information security situation awareness method based on virus memory function as described in claim 1, characterized in that preprocessing the situational awareness basic data, analyzing the valid values in it, and filtering out the valid data to obtain the situational awareness data to be analyzed includes: filtering the acquired situational awareness basic data for valid values to obtain valid situational awareness basic data and erroneous situational awareness basic data; clustering and summarizing the valid situational awareness basic data and correcting the erroneous situational awareness basic data, the corrected data being listed as invalid data if it still does not meet the preset requirements for situational awareness basic data; and subjecting the clustered and summarized valid situational awareness data to correlation analysis to obtain the situational awareness event dataset.

5. The information security situation awareness method based on virus memory function as described in claim 1, characterized in that subjecting the event results to trend assessment to obtain the situational awareness analysis results includes: determining the trend assessment elements based on the situational awareness basic data and the current network operation status information corresponding to the event results; selecting the corresponding valid data from the situational awareness basic data according to the trend assessment elements; and screening the trend assessment elements to retrieve the corresponding trend analysis plan from the knowledge base.

6. The information security situation awareness method based on virus memory function as described in claim 1, characterized in that the analysis of the valid values in the situational awareness data includes obtaining the network security information of each server node, namely its vulnerability status, threat status and system operational status, using the following formula: ; where S represents the network security status of the server node, the symbol * represents the inner product operation, and the terms are the vulnerability status value of node i, the threat status value of node i, the operational status value of node i, and the vulnerability weight, threat weight and running-state weight of node i; the weight of each state value is set according to the position of the node in the network topology and the importance of the cluster.

7. A computer device, characterized in that it comprises a memory and a processor, the memory storing a computer program and the processor executing the computer program to implement the steps of the method according to any one of claims 1 to 6.

8. A computer-readable storage medium, characterized in that it stores a computer program which, when executed by a processor, implements the steps of the method according to any one of claims 1 to 6.

9. A computer program product, characterized in that it comprises a computer program which, when executed by a processor, implements the steps of the method according to any one of claims 1 to 6.