A method and system for controlling cyberspace information security
By conducting real-time monitoring and hazard assessment, a response strategy library is built, and network security strategies are optimized. This addresses the shortcomings of existing network security protection methods in terms of dynamic adaptability and intelligence, and enables rapid response and efficient network security control.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patent (China)
- Current Assignee / Owner
- NANJING INST OF RAILWAY TECH
- Filing Date
- 2025-01-13
- Publication Date
- 2026-06-30
Abstract figure: CN119892455B_ABST
Description
Technical Field
[0001] This invention relates to the field of network information security technology, and specifically to a cyberspace information security control method and system.
Background Technology
[0002] With the rapid development of information technology, cyberspace has become the primary platform for information exchange and storage, widely used in various fields such as government, finance, healthcare, and education. However, with the popularization and increasing complexity of network applications, cybersecurity threats have also become increasingly diversified and complex. Security incidents such as data breaches, cyberattacks, and malware propagation occur frequently, posing serious challenges to the stable operation of information systems and data security. Therefore, how to effectively monitor network activity, identify and assess abnormal events in real time, and take timely and appropriate security control measures has become a key issue in current cybersecurity management.
[0003] Chinese invention patent application CN113382405A discloses a cyberspace information security control method. This method involves automatic and continuous monitoring of information network links, implementing geographic and temporal characteristic security control, intelligent matching of a privacy-protected, secure, and reliable instant response verification protocol, instant validity authentication of the privacy-protected, secure, and reliable instant response verification protocol, unique dynamic features, and secure and reliable instant authentication of communication network links. This achieves privacy-preserving point-to-point instant secure and reliable communication. Furthermore, it incorporates infinite element feature encryption technology to support secure and reliable instant verification of blockchain for massive numbers of users, addressing issues such as uncertainty and inconsistency in cyberspace information network links, tamperable records, difficulty in tracing the responding parties, and limited blockchain user capacity.
[0004] Existing cybersecurity protection methods have many shortcomings in real-time monitoring and risk assessment, often relying on static rules and preset thresholds, making it difficult to dynamically adapt to constantly changing security threats. Furthermore, traditional security response mechanisms lack intelligence and automation, failing to flexibly adjust response strategies according to the level of risk, resulting in unsatisfactory response speed and effectiveness when facing complex and ever-changing security incidents. Simultaneously, existing systems lack effective integration and coordination in penetration testing, alerting mechanisms, and response strategy optimization, making it difficult to achieve comprehensive, in-depth, and continuous control over cybersecurity risks. The level of intelligence and responsiveness in cybersecurity management is poor, and the security and stable operation of information systems cannot be guaranteed.
[0005] Therefore, the present invention provides a method and system for controlling cyberspace information security.
Summary of the Invention
[0006] (I) Technical problems to be solved
[0007] To address the shortcomings of existing technologies, this invention provides a cyberspace information security control method and system. It constrains penetration testing intensity based on hazard scores within a preset testing period. If the network security level is lower than expected, vulnerability detection and patching are performed; otherwise, critical data is backed up or transferred. It monitors and identifies abnormal events in real time. If an anomaly is detected, an alarm command is issued. If the alarm is not responded to and the number of abnormal nodes exceeds expectations, an intervention level is generated from the corresponding abnormal alarm data. When the intervention level exceeds expectations, a two-level alarm mechanism is activated for the abnormal event. Abnormal events are classified, and a response strategy library is constructed. If alarm commands are received continuously, the alarm channel is switched to ensure command reception. A hazard assessment model is used to evaluate abnormal events and match and execute corresponding response strategies. It quickly outputs targeted processing strategies, achieving rapid and targeted responses when controlling the network system. This solves the technical problems described in the background art.
[0008] (II) Technical Solution
[0009] To achieve the above objectives, the present invention provides the following technical solution:
[0010] A cyberspace information security control method includes: real-time monitoring of network activities and collection of abnormal events and their impact data; obtaining a hazard score after conducting a hazard assessment and summarizing it to generate a risk coefficient Ro; if the risk coefficient Ro exceeds a risk threshold, determining the access permissions of each user and implementing role-based access control.
[0011] Within a preset testing period, the intensity of penetration testing is constrained by the hazard score. Penetration testing data is collected to generate a test set. A penetration coefficient is constructed to assess the level of network security. If the penetration coefficient exceeds the threshold, vulnerability detection and patching are performed; otherwise, critical data is backed up or transferred.
[0012] Abnormal events are monitored and identified in real time. If an abnormality is detected, an alarm command is issued. If the alarm is not responded to and the number of abnormal nodes exceeds the expected value, the corresponding abnormal alarm data is used to generate an intervention level Iop. When the intervention level Iop exceeds the expected value, a secondary alarm mechanism is activated for the abnormal event.
[0013] Classify abnormal events and build a response strategy library. If alarm commands are received continuously, switch alarm channels to ensure command reception. Use a hazard assessment model to evaluate abnormal events and match and execute the corresponding response strategies.
[0014] The system collects response feedback data to construct response coefficients. If the response coefficients are lower than the response threshold, an optimization command is issued. The system then optimizes the response strategy using principal component analysis and genetic algorithms, updates the strategy library, and imposes constraints on the data backup process.
[0015] Furthermore, during the security control phase, network activities are monitored in real time, and abnormal events and their corresponding impact data are collected and labeled. Descriptions are added to the impact of the corresponding events. Using the abnormal event data as input, a trained hazard assessment model is used to conduct hazard assessment and obtain the corresponding hazard scores. After summarizing the hazard scores and occurrence time nodes of abnormal events in the current monitoring period, the data is compiled as abnormal status data.
[0016] Furthermore, penetration testing is conducted within a pre-set testing period to obtain relevant test data, and the obtained test data is then aggregated to generate a penetration testing data set.
[0017] The test intensity (Qop) of the penetration test is constrained based on the hazard score, as follows:
[0018]
[0019] Where p is the number of abnormal events, Yf_ij is the difference in hazard scores between the i-th and j-th abnormal events, and the mean of the Yf_ij is the average of those differences; F1 and F2 are weighting coefficients with 0≤F1≤1, 0≤F2≤1 and F1+F2=1.
[0020] Furthermore, using the penetration test data within the penetration test dataset as input, the trained penetration security evaluation model is used to evaluate the penetration security and output the penetration coefficient. Based on the relationship between the penetration coefficient and the corresponding threshold, the corresponding processing method is selected. If the obtained penetration coefficient exceeds the corresponding penetration threshold, vulnerability detection is performed on the current network system to obtain the corresponding vulnerability data. The corresponding patching scheme is matched for the detected vulnerabilities. If the obtained penetration coefficient does not exceed the corresponding penetration threshold, the selected data is backed up or transferred.
[0021] Furthermore, the network system is monitored in real time and the corresponding monitoring data is obtained and summarized as abnormal event data. The abnormal event data is used as input to a trained abnormal event recognition model to identify abnormal events. If an abnormal event is found, an alarm command is sent to the outside.
[0022] If the receiving end does not respond after receiving the alarm command, the time node in which no response is made is regarded as an abnormal node. If the number of abnormal nodes in the current period exceeds the expectation, the time information, frequency of abnormal events and location of each abnormal node are obtained, and the abnormal alarm data set is generated after being summarized.
[0023] Furthermore, an intervention level Iop is generated from the abnormal alarm data set. If the obtained intervention level Iop exceeds the preset intervention threshold, a secondary alarm command is issued to the outside. The method for generating the intervention level Iop is as follows:
[0024]
[0025] In the formula: t is the time variable, t0≤t≤t1, where t0 and t1 are the start and end times of the time interval; X=(x,y) is the location where the abnormal event occurs, x∈Ω, where Ω is the spatial investigation area; f(t,x) is the frequency function of the abnormal event; e(t,x) is the severity function of the abnormal event; p(x)≥0 is the regional importance function; w(x) is the spatial weighting function; and α, β, γ are weighting coefficients.
[0026] Furthermore, after collecting event data from several abnormal events within the current stage as input, a pre-trained classification algorithm is used to classify the abnormal events, obtaining several event classes; several response strategies corresponding to the event classes are summarized, and after review, a corresponding response strategy library is generated.
[0027] Furthermore, if a Level 1 alarm command is received consecutively or a Level 2 alarm command is received, the event reporting channel is switched. After the network system detects an abnormal event, the trained hazard assessment model is used to evaluate the abnormality of the abnormal event and obtain the corresponding hazard score.
[0028] If the obtained hazard score exceeds expectations, a pre-trained recommendation algorithm is used to match the corresponding response strategy for the abnormal event from the response strategy library, and the response strategy is executed to respond to the current abnormal event.
[0029] Furthermore, after responding to the current abnormal event, the corresponding response feedback data is collected and obtained. Using the response feedback data as input, the trained feedback evaluation model is used to evaluate the response feedback and output the response coefficient. If the obtained response coefficient is lower than the response threshold, an optimization command is issued to the outside.
[0030] Furthermore, upon receiving the optimization instruction, principal component analysis is performed on the abnormal event data, response feedback data, and response strategy data to identify the key factors affecting the feedback response. A pre-trained genetic algorithm optimizes the response strategy based on these key factors. If the current abnormal event continues or recurs, the corresponding abnormal event is re-matched with the response strategy, and the optimized response strategy is executed.
[0031] Furthermore, critical data is backed up when no abnormal events are identified, and the data backup frequency is constrained. After a backup interval that meets the constraints, critical data is backed up at selected time points. The constraint method is as follows:
[0032]
[0033] Where: F(t,x) is the data backup frequency at time t and location x; Iop(t,x) is the intervention level at time t and location x; Ro(t,x) is the response coefficient at time t and location x; and Δ and a second coefficient are the weighting coefficients.
[0034] A cyberspace information security control system includes a risk identification unit that monitors network activities in real time and collects abnormal events and their impact data, obtains a hazard score after conducting a hazard assessment and generates a risk coefficient Ro, and if the risk coefficient Ro exceeds a risk threshold, determines the access permissions of each user and implements role-based access control.
[0035] The network testing unit, within a preset testing cycle, constrains the intensity of penetration testing based on the hazard score, collects penetration testing data to generate a test set, constructs a penetration coefficient to assess the level of network security, and performs vulnerability detection and patching if the penetration coefficient exceeds the threshold; otherwise, it backs up or transfers critical data.
[0036] The safety alarm unit monitors and identifies abnormal events in real time. If an abnormality is detected, an alarm command is issued. If the alarm is not responded to and the number of abnormal nodes exceeds the expected value, the corresponding abnormal alarm data is used to generate an intervention level Iop. When the intervention level Iop exceeds the expected value, a secondary alarm mechanism is activated for the abnormal event.
[0037] The safety response unit classifies abnormal events and builds a response strategy library. If alarm commands are received continuously, the alarm channel is switched to ensure command reception. The hazard assessment model is used to evaluate abnormal events and match and execute the corresponding response strategies.
[0038] The strategy optimization unit collects response feedback data to construct response coefficients. If the response coefficients are lower than the response threshold, it issues optimization instructions and optimizes the response strategy through principal component analysis and genetic algorithm, updates the strategy library, and constrains the data backup process.
[0039] (III) Beneficial Effects
[0040] This invention provides a method and system for controlling cyberspace information security, which has the following beneficial effects:
[0041] 1. Conduct a comprehensive evaluation of the harm of each abnormal event. When an abnormal event occurs in the network system, the risk and harm of each abnormal event can be evaluated to determine the corresponding response priority and response level. By generating a risk coefficient Ro from the collected abnormal state data, a preliminary evaluation of the security risks faced by the network system can be conducted, and corresponding handling strategies can be matched according to the risk level.
[0042] 2. Match the extent of penetration testing with the risk level of the abnormal event to avoid penetration testing failing to achieve the expected results; if the expected results are not achieved at present, the current penetration test can be adjusted in a timely manner; match different security control strategies according to the security level of the network system to make security control more targeted and thus achieve better security control results.
[0043] 3. On the basis of the security control already implemented in the network system, continue to detect and identify abnormal events faced by the network system and activate the alarm mechanism. When abnormal events continue to occur, further processing can be carried out in a timely manner. The corresponding abnormal state data generates the Intervention Level (Iop), and the Iop is used to comprehensively evaluate the management process of abnormal events to determine the security risks currently faced by the network system.
[0044] 4. By classifying various abnormal events and adopting corresponding response strategies, the efficiency of handling abnormal events can be improved after they occur. By conducting hazard and risk assessments, it can be quickly determined whether a response is required. When a response is required, targeted handling strategies can be quickly output, enabling rapid and targeted responses when controlling the network system.
[0045] 5. Response coefficients are constructed by collecting response feedback data. Based on the response coefficients, the reliability and effectiveness of the current response can be evaluated, facilitating timely adjustments and optimizations when the expected results are not achieved. The given response strategy is iteratively optimized and improved, and the optimized response strategy is executed to improve the pertinence and adaptability of the response strategy, making the handling of abnormal network events more targeted.
[0046] 6. The backup frequency and backup time points are adapted to the current backup scenario to achieve better backup results, reducing the risk of loss and leakage of critical data during network security control and ensuring data security.
Description of the Attached Figures
[0047] Figure 1 is a schematic diagram of the cyberspace information security control method of the present invention;
[0048] Figure 2 is a schematic diagram of the cyberspace information security control system of the present invention.
Detailed Implementation
[0049] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0050] Referring to Figure 1, this invention provides a method for controlling cyberspace information security, comprising:
[0051] Step 1: Monitor network activity in real time and collect data on abnormal events and their impact. After conducting a hazard assessment, obtain a hazard score and generate a risk coefficient Ro. If the risk coefficient Ro exceeds the risk threshold, determine the access permissions of each user and implement role-based access control.
[0052] Step one includes the following:
[0053] Step 101: During the security control phase, monitor network activities in real time, such as data exchange and access. Collect and label abnormal events and their corresponding impact data within the preset monitoring period, and add descriptions to the impact of the corresponding events.
[0054] A machine learning algorithm is trained using labeled sample data to obtain a trained hazard assessment model; abnormal event data is used as input to perform a hazard assessment using the trained hazard assessment model to obtain the corresponding hazard score.
[0055] When used for network security maintenance, the system collects and labels historical data on abnormal events to comprehensively evaluate the harm of each abnormal event. When an abnormal event occurs in the network system, the system can evaluate the risk and harm of each abnormal event and determine the corresponding response priority and response level.
[0056] Step 102: After summarizing the hazard scores and occurrence times of abnormal events within the current monitoring period, compile the data as abnormal state data. Under dimensionless conditions, generate the risk coefficient Ro from the abnormal state data as follows:
[0057]
[0058] In the formula: H(t) is the hazard score at time point t; [T0,T1] is the monitoring period; α is the weighting coefficient, taking a value between 0 and 1; Δt_i is the time interval between the i-th abnormal event and the (i+1)-th event; and N is the total number of abnormal events detected within the monitoring period;
[0059] Risk thresholds are pre-set based on historical data and anticipated impacts on abnormal events;
[0060] If the risk coefficient Ro exceeds the risk threshold, it indicates that the network security risk in the current stage is relatively high and timely intervention is required to improve the response capability to sudden abnormal events. After determining the access permissions of each user, role-based access control is implemented according to the access permissions to provide hierarchical network access rights.
[0061] In use, with reference to steps 101 and 102:
[0062] As a further development, if several abnormal events are issued consecutively in the current stage, the security risk in the current stage is relatively high. By generating a risk coefficient Ro from the collected abnormal state data, a preliminary assessment of the security risks faced by the network system can be made, and corresponding handling strategies matched according to the degree of risk. As a preliminary response, the content reachable through data access is restricted in order to reduce the risk arising from human users and thereby the risk of data leakage.
[0063] Step 2: Within the preset testing period, the penetration test intensity is constrained by the hazard score. Penetration test data is collected to generate a test set. A penetration coefficient is constructed to assess the network security level. If the penetration coefficient exceeds the threshold, vulnerability detection and patching are performed; otherwise, critical data is backed up or transferred.
[0064] Step two includes the following:
[0065] Step 201: Conduct penetration testing within a pre-set testing period. Constrain the test intensity (Qop) of the penetration test based on the hazard score, as follows:
[0066]
[0067] Where p is the number of abnormal events, Yf_ij is the difference in hazard scores between the i-th and j-th abnormal events, and the mean of the Yf_ij is the average of those differences; F1 and F2 are weighting coefficients with 0≤F1≤1, 0≤F2≤1 and F1+F2=1.
[0068] Acquire relevant test data, such as identified vulnerability information, results of vulnerability exploitation attempts, network traffic data, credentials and authentication data, privilege escalation and lateral movement data, and post-exploitation persistence mechanism information. Summarize the acquired test data to generate a penetration test data set.
[0069] When in use, in order to implement security control over the network system when a series of abnormal events occur, the penetration test should be matched with the risk level of the abnormal events to avoid the penetration test failing to achieve the expected results; and if the expected results are not achieved at present, the current penetration test can be adjusted in a timely manner.
[0070] Step 202: Train a convolutional neural network using the labeled sample data to obtain the trained penetration security evaluation model;
[0071] Using penetration test data from the penetration test dataset as input, the trained penetration security evaluation model is used to evaluate penetration security and output a penetration coefficient. The penetration coefficient is then used to evaluate the current security level of the network system. Based on the relationship between the penetration coefficient and the corresponding threshold, the appropriate processing method is selected.
[0072] When used, as a further step, a penetration coefficient can be constructed from the test data based on the penetration test, which can further evaluate the current security of the network system.
[0073] Step 203: If the obtained penetration coefficient exceeds the corresponding penetration threshold, perform vulnerability detection on the current network system, obtain the corresponding vulnerability data, and match the corresponding patching scheme for the detected vulnerabilities in order to patch known vulnerabilities and reduce the risk of exploitation; if the obtained penetration coefficient does not exceed the corresponding penetration threshold, back up or transfer the selected data to avoid loss of critical data when abnormal events occur.
[0074] In use, with reference to steps 201 to 203:
[0075] As a further development, as a method for controlling network system security, different security control strategies are matched according to the security level of the network system, making security control more targeted and thus achieving better security control results.
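The following is an added worked example (not the patent's own code, and not from the assignee) for steps 101, 102 and 201 to 203: a list of hazard scores for one monitoring period is turned into a risk coefficient Ro that tightens role-based access control, and into a penetration-test intensity Qop that decides how deep the next test goes. The page does not reproduce the patent's formulas for Ro or Qop, so the two formulas below are hypothetical stand-ins built only from the ingredients the text names (H(t), [T0,T1], α, Δt_i, N for Ro; p, Yf_ij, their mean and F1+F2=1 for Qop). The 0 to 10 score scale, the event list, the role tables, the user list and the Qop-to-scope mapping are all constructed for the example.

```python
"""Added example: hazard scores -> Ro -> RBAC tightening, and -> Qop.

The Ro and Qop formulas are hypothetical stand-ins (the patent's own are not
reproduced on the page); all data below is constructed for illustration.
"""
from itertools import combinations
from statistics import mean

SCORE_MAX = 10.0  # assumed hazard-score scale: 0 (benign) .. 10 (critical)

# Constructed abnormal-event record for one monitoring period [T0, T1]:
# (seconds since T0, hazard score H(t) from the hazard assessment model).
EVENTS = [(120, 6.0), (180, 8.5), (240, 9.0), (2400, 3.0)]
T0, T1 = 0, 3600


def risk_coefficient(events, t0, t1, alpha=0.6):
    """Hypothetical dimensionless Ro in [0, 1] (step 102).

    alpha weights the mean hazard level; (1 - alpha) weights a burstiness
    term built from the inter-event gaps delta-t_i, so N events packed into
    a short window score higher than the same N spread over the period."""
    if not events:
        return 0.0
    scores = [h for _, h in events]
    mean_hazard = mean(scores) / SCORE_MAX
    times = sorted(t for t, _ in events)
    gaps = [b - a for a, b in zip(times, times[1:])]  # delta-t_i, i = 1..N-1
    burstiness = 1.0 - min(1.0, mean(gaps) / (t1 - t0)) if gaps else 0.0
    return alpha * mean_hazard + (1 - alpha) * burstiness


# Normal role -> permission mapping (assumed for the example).
ROLE_PERMISSIONS = {
    "admin":    {"read", "write", "export", "config"},
    "analyst":  {"read", "export"},
    "operator": {"read", "write"},
    "guest":    {"read"},
}
# Reduced mapping applied while Ro exceeds the risk threshold: bulk export and
# write paths are withheld, admins keep only what containment needs.
RESTRICTED_PERMISSIONS = {
    "admin":    {"read", "config"},
    "analyst":  {"read"},
    "operator": {"read"},
    "guest":    set(),
}
USERS = {"alice": "admin", "bob": "analyst", "carol": "operator", "eve": "guest"}


def effective_permissions(user, ro, risk_threshold=0.6):
    """Pick the permission table by comparing Ro with the risk threshold."""
    table = RESTRICTED_PERMISSIONS if ro > risk_threshold else ROLE_PERMISSIONS
    return table[USERS[user]]


def authorize(user, action, ro, risk_threshold=0.6):
    return action in effective_permissions(user, ro, risk_threshold)


def penetration_intensity(events, f1=0.5, f2=0.5):
    """Hypothetical Qop in [0, 1] (step 201) from the pairwise hazard-score
    differences Yf_ij (i < j) and their mean, weighted with F1 + F2 = 1:
    F1 weights how severe the period was, F2 how uneven it was."""
    assert 0 <= f1 <= 1 and 0 <= f2 <= 1 and abs(f1 + f2 - 1.0) < 1e-9
    scores = [h for _, h in events]
    if not scores:
        return 0.0
    diffs = [abs(a - b) for a, b in combinations(scores, 2)]  # Yf_ij
    mean_diff = mean(diffs) if diffs else 0.0                 # mean of Yf_ij
    return f1 * mean(scores) / SCORE_MAX + f2 * mean_diff / SCORE_MAX


def scan_scope(qop):
    """Assumed mapping from Qop to the test-data categories of step 201:
    low intensity stops at discovery, high intensity adds post-exploitation."""
    scope = ["vulnerability_identification", "traffic_capture"]
    if qop >= 0.3:
        scope += ["exploitation_attempts", "credential_checks"]
    if qop >= 0.6:
        scope += ["privilege_escalation", "lateral_movement", "persistence_review"]
    return scope


if __name__ == "__main__":
    ro = risk_coefficient(EVENTS, T0, T1)
    qop = penetration_intensity(EVENTS)
    print(f"Ro={ro:.3f} alice may export: {authorize('alice', 'export', ro)}")
    print(f"Qop={qop:.3f} scope: {scan_scope(qop)}")
```

With the constructed events Ro comes out just above the 0.6 threshold, so the export permission is withdrawn even from the admin role until the period is re-scored; Qop lands in the middle tier, so the next test exercises exploitation and credential checks but not lateral movement.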
[0076] Step 3: Monitor and identify abnormal events in real time. If an abnormality is found, issue an alarm command. If the alarm is not responded to and the number of abnormal nodes exceeds the expected value, generate an intervention level Iop from the corresponding abnormal alarm data. When the intervention level Iop exceeds the expected value, activate the secondary alarm mechanism for the abnormal event.
[0077] Step three includes the following:
[0078] Step 301: Monitor the network system in real time and obtain the corresponding monitoring data, such as network traffic data, device and hardware data, application and service data, user activity data and security event data, and summarize them into abnormal event data.
[0079] A machine learning algorithm is trained using labeled sample data to obtain a trained anomaly recognition model; the abnormal event data is used as input to identify anomalies, and if an anomaly is found, an alarm command is sent to the outside.
[0080] As a further step, based on the security controls already implemented on the network system, we will continue to detect and identify abnormal events faced by the network system and activate alarm mechanisms so that we can take further action in a timely manner when we encounter abnormal events again.
[0081] Step 302: If the receiving end does not respond after receiving the alarm command, the time node of no response is taken as the abnormal node. If the number of abnormal nodes in the current stage exceeds the expectation, the time information, frequency of abnormal events and location area of each abnormal node are obtained, and the abnormal alarm data set is generated after summarizing.
[0082] Step 303: Under dimensionless conditions, generate the intervention level (Iop) from the abnormal alarm data set. Use the intervention level to perform an in-depth evaluation of the current security level of the network system, as follows:
[0083]
[0084] In the formula:
- t is the time variable, representing the specific time at which the abnormal event occurs, t0≤t≤t1; t0 and t1 are the start and end times of the time interval, defining the time range for investigation, set according to actual needs;
- X=(x,y) is a spatial coordinate vector representing the location where the abnormal event occurs, x∈Ω; Ω is the spatial investigation area, representing the geographical or network topology range in which the abnormal event occurs, determined according to the actual network topology;
- f(t,x) is the frequency function of the abnormal event, representing the frequency of the abnormal event occurring at time t and location x;
- e(t,x) is the severity function of the abnormal event, representing the severity of the abnormal event at time t and location x, e(t,x)≥0;
- p(x)≥0 is the regional importance function, reflecting the importance of the region at location x;
- w(x) is the spatial weighting function, reflecting the contribution weight of different locations to the intervention level, w(x)≥0;
- α is the weighting coefficient of the frequency function, adjusting the contribution of frequency to the intervention level, α>0;
- β is the weighting coefficient of the severity function, adjusting the contribution of severity to the intervention level, β>0;
- γ is the weighting coefficient of regional importance, adjusting the contribution of regional importance to the intervention level, γ>0.
[0085] Based on historical data and anticipated management of abnormal events, intervention thresholds are pre-set;
[0086] If the obtained intervention level (Iop) exceeds the preset intervention threshold, it indicates that the frequency of abnormal events is high and the degree of harm is also high in the current stage. At this time, a second-level alarm command is issued to the outside to realize the activation of the multi-level alarm mechanism and multi-level alarm for abnormal events.
[0087] In use, with reference to steps 301 to 303:
[0088] As a further development and an extension of the single-level alarm command, considering that current abnormal events may not be responded to or controlled in a timely manner, an intervention level (Iop) is generated from the corresponding abnormal state data. The intervention level (Iop) is used to comprehensively evaluate the management process of abnormal events, determine the security risks currently faced by the network system, and take further intervention measures when the security risks are too great.
[0089] Step 4: Classify abnormal events and build a response strategy library. If alarm commands are received continuously, switch alarm channels to ensure command reception. Use the hazard assessment model to evaluate abnormal events and match and execute the corresponding response strategies.
[0090] Step four includes the following:
[0091] Step 401: After collecting event data of several abnormal events in the current stage as input, the abnormal events are classified by a pre-trained classification algorithm to obtain several event classes; through online retrieval or offline formulation, several response strategies corresponding to the event classes are summarized, and after review, the corresponding response strategy library is generated.
[0092] When in use, by classifying each abnormal event and taking corresponding response strategies, the efficiency of handling abnormal events can be improved after they occur.
[0093] Step 402: Considering that the lack of response from the data end may be due to the failure to effectively receive alarm commands, if a Level 1 alarm command is received consecutively or a Level 2 alarm command is received, the event reporting channel should be switched. For example, the current message reminder can be changed to a message reminder combined with an audio alarm to avoid the user or the receiving end failing to effectively receive the alarm command.
[0094] After the network system detects an abnormal event, it uses the trained hazard assessment model to evaluate the abnormality of the event and obtain the corresponding hazard score. If the obtained hazard score exceeds the expectation, a response command is sent to the outside.
[0095] Upon receiving a response instruction, a pre-trained recommendation algorithm is used to match the corresponding response strategy for the abnormal event from the response strategy library, and the response strategy is executed to respond to the current abnormal event.
[0096] In use, with reference to steps 401 and 402:
[0097] When an abnormal event occurs in the network system, a hazard and risk assessment can be conducted to quickly determine whether a response is required. If a response is required, a targeted handling strategy can be quickly output, enabling a rapid and targeted response when controlling the network system.
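The following is an added worked example (not the patent's own code, and not from the assignee) for steps 302, 303 and 402: unanswered alarm commands become abnormal nodes, an intervention level Iop is computed from them, a Level 2 alarm is issued when Iop exceeds its threshold, and the reporting channel is switched when Level 1 commands arrive back to back or a Level 2 command arrives. The page does not reproduce the Iop integral, so the discretization below over (zone, time-bin) cells is a hypothetical stand-in that uses only the named ingredients f(t,x), e(t,x), p(x), w(x) and α, β, γ and is normalized so that Iop is dimensionless in [0, 1]. The zone names, p(x) and w(x) tables, the alarm records, the expected-node count, the thresholds and the third channel in the escalation order are all constructed assumptions; the text itself gives only the message to message-plus-audio switch.

```python
"""Added example: unanswered alarms -> abnormal nodes -> Iop -> Level 2 alarm,
plus the reporting-channel switch of step 402.

The Iop discretisation is a hypothetical stand-in (the patent's integral is
not reproduced on the page); zones, weights and alarm data are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass
class Alarm:
    t: float         # seconds since t0
    zone: str        # x in Omega: coarse network-topology region
    severity: float  # e(t,x): hazard score on an assumed 0..10 scale
    acked: bool      # did the receiving end respond to the alarm command?


SCORE_MAX = 10.0
P_IMPORTANCE = {"core": 1.0, "dmz": 0.6, "office": 0.3}  # p(x), assumed
W_SPATIAL = {"core": 1.2, "dmz": 1.0, "office": 0.8}     # w(x), assumed

# Constructed alarm record for the interval t in [0, 600] s.
ALARMS = [
    Alarm(30, "core", 9.0, acked=False),
    Alarm(45, "core", 8.0, acked=False),
    Alarm(200, "dmz", 5.0, acked=True),
    Alarm(400, "office", 2.0, acked=False),
    Alarm(590, "core", 7.0, acked=False),
]


def abnormal_nodes(alarms):
    """Step 302: every alarm command without a response is an abnormal node."""
    return [a for a in alarms if not a.acked]


def intervention_level(alarms, t0, t1, bin_s=120, alpha=0.4, beta=0.4, gamma=0.2):
    """Hypothetical discretisation of Iop (step 303).

    For each (zone, time-bin) cell holding at least one alarm the cell
    contributes w(x) * (alpha*f + beta*e + gamma*p), where f is the cell's
    alarm count over the largest cell count, e the cell's mean severity over
    SCORE_MAX and p the zone importance. Dividing by (alpha+beta+gamma) times
    the summed w(x) of occupied cells keeps Iop in [0, 1]."""
    cells = defaultdict(list)
    for a in alarms:
        if t0 <= a.t <= t1:
            cells[(a.zone, int((a.t - t0) // bin_s))].append(a.severity)
    if not cells:
        return 0.0
    max_count = max(len(v) for v in cells.values())
    num = den = 0.0
    for (zone, _), sev in cells.items():
        f = len(sev) / max_count
        e = mean(sev) / SCORE_MAX
        w = W_SPATIAL[zone]
        num += w * (alpha * f + beta * e + gamma * P_IMPORTANCE[zone])
        den += w * (alpha + beta + gamma)
    return num / den


def alarm_decision(alarms, t0, t1, expected_nodes=2, iop_threshold=0.5):
    """Steps 302-303: decide whether a Level 1 or Level 2 command is issued.

    Iop is only computed once the unanswered alarms exceed the expected
    count, and is computed from those abnormal nodes, not from all alarms."""
    nodes = abnormal_nodes(alarms)
    if len(nodes) <= expected_nodes:
        return {"level": 1, "abnormal_nodes": len(nodes), "iop": None}
    iop = intervention_level(nodes, t0, t1)
    return {"level": 2 if iop > iop_threshold else 1,
            "abnormal_nodes": len(nodes), "iop": iop}


# Assumed escalation order; the text names only the first two channels.
CHANNELS = ["message", "message+audio", "message+audio+phone"]


def next_channel(current, received_levels):
    """Step 402: switch the reporting channel after two consecutive Level 1
    commands or any Level 2 command, otherwise keep the current channel."""
    switch = bool(received_levels) and (received_levels[-1] == 2
                                        or received_levels[-2:] == [1, 1])
    if not switch:
        return current
    idx = CHANNELS.index(current)
    return CHANNELS[min(idx + 1, len(CHANNELS) - 1)]


if __name__ == "__main__":
    decision = alarm_decision(ALARMS, 0, 600)
    print(decision)
    print("channel after", decision["level"], "->",
          next_channel("message", [1, decision["level"]]))
```

On the constructed data four of five alarms are unanswered, which is above the expected two, so Iop is computed over those four nodes; two of them fall in the same core-zone time bin, which drives Iop above 0.5 and produces a Level 2 command, and that Level 2 command in turn moves the reporting channel from plain messages to messages with an audio alarm.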
[0098] Step 5: Collect response feedback data to construct response coefficients. If the response coefficients are lower than the response threshold, issue optimization instructions and optimize the response strategy through principal component analysis and genetic algorithm. Update the strategy library and constrain the data backup process.
[0099] Step 5 includes the following:
[0100] Step 501: After responding to the current abnormal event, collect and obtain the corresponding response feedback data, including event resolution status, detection timeliness, response speed, recovery integrity, downtime, data loss and cost assessment, etc., and generate a response feedback data set after summarizing.
[0101] A convolutional neural network is trained using labeled sample data to obtain a trained feedback evaluation model. The trained feedback evaluation model is used to evaluate the response feedback and output response coefficients, which are then used to evaluate the current response state.
[0102] Based on historical data and the anticipated management of abnormal events, the response threshold is pre-set.
[0103] If the obtained response coefficient is lower than the response threshold, it means that the current response intervention to the abnormal event has failed to achieve the expected effect and intervention needs to be carried out again. At this time, an optimization instruction is issued to the outside.
[0104] When in use, after responding to abnormal events, a response coefficient is constructed by collecting response feedback data. Based on the response coefficient, the reliability and effectiveness of the current response can be evaluated, which facilitates timely adjustments and optimizations when the expected results are not achieved.
[0105] Step 502: After receiving the optimization instruction, perform principal component analysis on the abnormal event data, response feedback data, and response strategy data to obtain the key factors affecting the feedback response; use a pre-trained genetic algorithm to optimize the response strategy based on the key factors to obtain the optimized response strategy.
[0106] The optimized response strategy is added to the response strategy library. If the current abnormal event continues or recurs, the response strategy is rematched for the corresponding abnormal event and the optimized response strategy is executed.
[0107] As a further step, when the current response strategy fails to achieve the expected results, the given response strategy is iteratively optimized and improved, the optimized response strategy is executed, the relevance and adaptability of the response strategy are improved, and the handling of abnormal network events is made more targeted.
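As an added illustration that is not the patent's own code, the following Python sketch models the response unit described in Steps 401, 402 and 501 to 502: the classifier, hazard assessment model, recommendation algorithm and PCA/genetic-algorithm optimizer are assumed stand-ins (a dictionary keyed by event class and a caller-supplied optimize callback), and the event class, scores and thresholds in the demo are constructed values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Strategy:
    name: str
    version: int = 1      # incremented each time the strategy is optimized


class ResponseUnit:
    def __init__(self, library, hazard_threshold, response_threshold):
        self.library = dict(library)          # event class -> Strategy (Step 401)
        self.hazard_threshold = hazard_threshold
        self.response_threshold = response_threshold
        self.channel = "message"              # current event-reporting channel
        self._consecutive_level1 = 0

    def receive_alarm(self, level):
        """Step 402: consecutive Level 1 alarms, or any Level 2 alarm,
        switch the reporting channel to message plus audio alarm."""
        self._consecutive_level1 = self._consecutive_level1 + 1 if level == 1 else 0
        if level == 2 or self._consecutive_level1 >= 2:
            self.channel = "message+audio"
        return self.channel

    def respond(self, event_class, hazard_score):
        """Step 402: only a hazard score above the threshold issues a response
        command; the strategy is then matched from the library by event class
        (assumed dictionary lookup in place of the recommendation algorithm)."""
        if hazard_score <= self.hazard_threshold:
            return None
        return self.library.get(event_class)

    def feedback(self, event_class, response_coefficient, optimize):
        """Steps 501-502: a response coefficient below the threshold issues an
        optimization instruction; the optimized strategy replaces the library
        entry so a continuing or recurring event is re-matched to it."""
        if response_coefficient >= self.response_threshold:
            return False
        self.library[event_class] = optimize(self.library[event_class])
        return True


def bump_version(strategy):
    """Assumed stand-in for the PCA + genetic-algorithm optimizer."""
    return Strategy(strategy.name + "*", strategy.version + 1)


def demo():
    """Constructed scenario: brute-force event, failed response, recurrence."""
    unit = ResponseUnit({"bruteforce": Strategy("lock-account-and-rate-limit")},
                        hazard_threshold=0.6, response_threshold=0.7)
    first = unit.respond("bruteforce", 0.8)                      # above 0.6: matched
    optimized = unit.feedback("bruteforce", 0.4, bump_version)   # 0.4 < 0.7: optimize
    second = unit.respond("bruteforce", 0.8)                     # recurrence: v2
    channels = [unit.receive_alarm(1), unit.receive_alarm(1)]    # 2nd Level 1 switches
    return first, optimized, second, channels


if __name__ == "__main__":
    print(demo())
```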
[0108] Step 503: Back up critical data when no abnormal events are identified, and constrain the data backup frequency. After a backup interval that meets the constraints, back up the critical data at the selected time node. The constraint method is as follows:
[0109]
[0110] Where: F(t,x) is the data backup frequency at time t and location x, usually expressed as the number of backups per unit time; Iop(t,x) is the intervention degree at time t and location x, quantifying the impact of network anomalies on the overall network state; Ro(t,x) is the response coefficient at time t and location x, Δ and These are weighting coefficients, with values ranging from 0 to 1;
[0111] When using this method, refer to steps 501 to 503:
[0112] By performing phased backups of critical data and adapting the backup frequency and timing to the current backup scenario, the actual backup effect is improved. When controlling network security, the risk of loss and leakage of critical data is further reduced, thus ensuring data security.
[0113] Referring to Figure 2, this invention provides a cyberspace information security control system, comprising:
[0114] The risk identification unit monitors network activity in real time and collects data on abnormal events and their impact. After conducting a hazard assessment, it obtains a hazard score and generates a risk coefficient Ro. If the risk coefficient Ro exceeds the risk threshold, it determines the access permissions of each user and implements role-based access control.
[0115] The network testing unit, within a preset testing cycle, constrains the intensity of penetration testing based on the hazard score, collects penetration testing data to generate a test set, constructs a penetration coefficient to assess the level of network security, and performs vulnerability detection and patching if the penetration coefficient exceeds the threshold; otherwise, it backs up or transfers critical data.
[0116] The safety alarm unit monitors and identifies abnormal events in real time. If an abnormality is detected, an alarm command is issued. If the alarm is not responded to and the abnormal node exceeds expectations, the corresponding abnormal alarm data is used to generate an intervention level Iop. When the intervention level Iop exceeds expectations, a secondary alarm mechanism is activated for the abnormal event.
[0117] The safety response unit classifies abnormal events and builds a response strategy library. If alarm commands are received continuously, the alarm channel is switched to ensure command reception. The hazard assessment model is used to evaluate abnormal events and match and execute the corresponding response strategies.
[0118] The strategy optimization unit collects response feedback data to construct response coefficients. If the response coefficients are lower than the response threshold, it issues optimization instructions and optimizes the response strategy through principal component analysis and genetic algorithm, updates the strategy library, and constrains the data backup process.
[0119] Those skilled in the art will recognize that the units and algorithm steps of the various examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, or a combination of computer software and electronic hardware. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of this application.
[0120] Those skilled in the art will understand that, for the sake of convenience and brevity, the specific working processes of the systems, devices, and units described above can be referred to the corresponding processes in the foregoing method embodiments, and will not be repeated here.
[0121] In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses, and methods can be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; for instance, the division of units is only a logical functional division, and in actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the coupling or direct coupling or communication connection shown or discussed may be through some interfaces; the indirect coupling or communication connection between apparatuses or units may be electrical, mechanical, or other forms.
[0122] The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units can be selected to achieve the purpose of this embodiment according to actual needs.
[0123] The above description is merely a specific embodiment of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the scope of the technology disclosed in this application should be included within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.
Claims
1. A method for controlling cyberspace information security, characterized in that it comprises: real-time monitoring of network activity and collection of data on abnormal events and their impact; hazard assessment to obtain hazard scores and aggregate them to generate risk coefficients; if the risk coefficient exceeds the risk threshold, role-based access control is implemented after determining the user's access permissions. Within a preset testing period, the intensity of penetration testing is constrained by the hazard score. Penetration testing data is collected to generate a test set. A penetration coefficient is constructed to assess the level of network security. If the penetration coefficient exceeds the threshold, vulnerability detection and patching are performed; otherwise, critical data is backed up or transferred. Real-time monitoring and identification of abnormal events; if an anomaly is detected, an alarm command is issued; if the alarm is not responded to and the abnormal node exceeds expectations, the corresponding abnormal alarm data is used to generate an intervention level; when the intervention level of an abnormal event exceeds expectations, a level-two alarm mechanism is activated. Classify abnormal events and build a response strategy library. If alarm commands are received continuously, switch alarm channels to ensure command reception. Use a hazard assessment model to evaluate abnormal events and match and execute the corresponding response strategies. Collect response feedback data to construct response coefficients. If the response coefficients are lower than the response threshold, an optimization command is issued. The response strategy is optimized through principal component analysis and genetic algorithm. The strategy library is updated and the data backup process is constrained. During the security control phase, network activities are monitored in real time.
After collecting and labeling abnormal events and their corresponding impact data, descriptions are added to the impact of the corresponding events. Using the abnormal event data as input, the trained hazard assessment model is used to conduct hazard assessment and obtain the corresponding hazard score. After summarizing the hazard scores and occurrence times of abnormal events within the current monitoring period, the data is compiled as abnormal status data. Penetration testing is conducted within a pre-set testing period to acquire relevant test data, which is then compiled into a penetration test dataset. The testing intensity is assessed based on the hazard score. Constraints are applied, and the constraint methods are as follows: ; in, This represents the number of abnormal events. It is the difference in hazard scores between the i-th and j-th abnormal events. The average of the differences, weighted by: , ,and .
2. The cyberspace information security control method according to claim 1, characterized in that: Using the penetration test data in the penetration test dataset as input, the trained penetration security evaluation model is used to evaluate the penetration security and output the penetration coefficient. The corresponding processing method is selected based on the relationship between the penetration coefficient and the corresponding threshold. If the obtained penetration coefficient exceeds the penetration threshold, perform vulnerability detection on the current network, obtain corresponding vulnerability data, and match the corresponding patching scheme for the detected vulnerabilities. If the obtained penetration coefficient does not exceed the corresponding penetration threshold, back up or transfer the selected data.
3. The cyberspace information security control method according to claim 2, characterized in that: The system monitors the network system in real time and acquires the corresponding monitoring data. The data is then aggregated as abnormal event data. The trained abnormal event recognition model is used to identify abnormal events. If an abnormal event is found, an alarm command is sent to the outside. If the receiving end does not respond after receiving the alarm command, the time node in which no response is made is regarded as an abnormal node. If the number of abnormal nodes in the current period exceeds the expectation, the time information, frequency of abnormal events and location of each abnormal node are obtained, and the abnormal alarm data set is generated after being summarized.
4. A cyberspace information security control method according to claim 3, characterized in that: an intervention level is generated from the abnormal alarm data set; if the obtained intervention level exceeds the threshold, a secondary alarm command is issued to the outside. The intervention level is generated as follows: ; In the formula: Time variable, ; and These are the start and end times of the time interval. = , indicating the location where the abnormal event occurred. , For spatial research area; This is a frequency function of abnormal events; The severity function of an abnormal event; This is a regional importance function; For spatial weighting functions, , , These are the weighting coefficients.
5. A cyberspace information security control method according to claim 4, characterized in that: After collecting event data from several abnormal events within the current stage as input, a pre-trained classification algorithm is used to classify the abnormal events, resulting in several event classes. Several response strategies corresponding to the event classes are then summarized and, after review, generated into a corresponding response strategy library.
6. A cyberspace information security control method according to claim 5, characterized in that: If a Level 1 alarm command is received consecutively or a Level 2 alarm command is received, the event reporting channel is switched. After the network system detects an abnormal event, the trained hazard assessment model is used to evaluate the abnormality of the abnormal event and obtain the corresponding hazard score. If the obtained hazard score exceeds expectations, a pre-trained recommendation algorithm is used to match the corresponding response strategy for the abnormal event from the response strategy library, and the response strategy is executed to respond to the current abnormal event.
7. A cyberspace information security control method according to claim 6, characterized in that: After responding to the current abnormal event, the system collects and obtains the corresponding response feedback data. Using the response feedback data as input, the trained feedback evaluation model evaluates the response feedback and outputs the response coefficient. If the obtained response coefficient is lower than the response threshold, an optimization command is issued to the outside.
8. A cyberspace information security control method according to claim 7, characterized in that: Upon receiving the optimization instruction, principal component analysis is performed on the abnormal event data, response feedback data, and response strategy data to identify the key factors affecting the feedback response. A pre-trained genetic algorithm optimizes the response strategy based on these key factors. If the current abnormal event continues or recurs, the corresponding abnormal event is re-matched with the response strategy, and the optimized response strategy is executed.
9. A cyberspace information security control method according to claim 8, characterized in that: Critical data is backed up when no abnormal events are identified, and the data backup frequency is constrained. After a backup interval that meets the constraints, critical data is backed up at a selected time node. The constraint method is as follows: ; in: For time and location Data backup frequency at the location; For time and location Intervention level at the location; For time and location The response coefficient at that location, and These are the weighting coefficients.
10. A cyberspace information security control system, employing the control method according to any one of claims 1 to 9, characterized in that it comprises: the risk identification unit, which monitors network activity in real time and collects data on abnormal events and their impacts; after conducting a hazard assessment, it obtains a hazard score and aggregates the data to generate a risk coefficient; if the risk coefficient exceeds the risk threshold, it determines the access permissions of each user and implements role-based access control. The network testing unit, within a preset testing cycle, constrains the intensity of penetration testing based on the hazard score, collects penetration testing data to generate a test set, constructs a penetration coefficient to assess the level of network security, and performs vulnerability detection and patching if the penetration coefficient exceeds the threshold; otherwise, it backs up or transfers critical data. The safety alarm unit monitors and identifies abnormal events in real time. If an abnormality is detected, an alarm command is issued. If the alarm is not responded to and the abnormal event exceeds expectations, the corresponding abnormal alarm data is used to generate an intervention level. When the intervention level of an abnormal event exceeds expectations, a level-two alarm mechanism is activated. The safety response unit classifies abnormal events and builds a response strategy library. If alarm commands are received continuously, the alarm channel is switched to ensure command reception. The hazard assessment model is used to evaluate abnormal events and match and execute the corresponding response strategies. The strategy optimization unit collects response feedback data to construct response coefficients.
If the response coefficients are lower than the response threshold, it issues optimization instructions and optimizes the response strategy through principal component analysis and genetic algorithm, updates the strategy library, and constrains the data backup process.