Artificial intelligence-based network security situation comparative analysis method, device and medium
By constructing a bandwidth utilization coordinate system and classifying access behaviors, an artificial intelligence-based approach solves the problem of a single data source for network security situation analysis, enabling multi-dimensional analysis and anomaly detection of server network security situation.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents (China)
- Current Assignee / Owner
- BEIJING TRUSFORT TECH CO LTD
- Filing Date
- 2025-09-01
- Publication Date
- 2026-06-19
AI Technical Summary
Existing network security situation analysis methods rely on a single data source, making it difficult to effectively compare and analyze the network security situation of servers from multiple dimensions.
Using an artificial intelligence-based approach, a Cartesian coordinate system is constructed to represent real-time and historical bandwidth utilization. The slope of the bandwidth utilization curve is analyzed, access behaviors are categorized, and the network security status of the server is comprehensively analyzed by combining the changes in the number of accesses.
It enables effective comparative analysis of network security posture, timely detection of anomalies and issuance of early warnings, and improves the accuracy and efficiency of network security monitoring.
Description
Technical Field
[0001] This invention belongs to the field of network security technology, specifically a network security situation comparison and analysis method, device, and medium based on artificial intelligence.
Background Technology
[0002] With the rapid development of Internet technology, cybersecurity threats have become increasingly complex and diverse, posing huge risks to individuals, enterprises and countries. In the context of the digital age, the development of the cybersecurity situation is deeply affected by technological innovation, application expansion and policy changes, and presents a multi-dimensional dynamic evolution.
[0003] In existing technologies, the data sources for network security situation analysis methods are relatively singular, usually relying solely on system log data in servers, which makes it difficult to comprehensively reflect the network security status. At the same time, the analysis perspective of existing methods is relatively singular, but network security situation is related to multiple influencing factors such as server real-time bandwidth utilization, access behavior, and access frequency. Existing technologies are unable to compare and analyze the network security situation of servers from different dimensions.
[0004] To this end, the present invention proposes a network security situation comparison and analysis method, device and medium based on artificial intelligence.
Summary of the Invention
[0005] In view of the shortcomings of existing technologies, the purpose of this invention is to provide a method, device and medium for comparative analysis of network security situation based on artificial intelligence.
[0006] The technical problem to be solved by this invention is:
[0007] How to effectively compare and analyze the network security posture.
[0008] To achieve the above objectives, the present invention adopts the following technical solution:
[0009] The first aspect is a cybersecurity situational awareness comparison and analysis method based on artificial intelligence, which includes the following steps:
[0010] Step S1: Calculate the real-time bandwidth utilization rate and historical bandwidth utilization rate based on real-time data and historical data, and construct the corresponding Cartesian coordinate system based on the real-time bandwidth utilization rate and historical bandwidth utilization rate;
[0011] Step S2: Analyze the slope of the historical bandwidth occupancy rate line in the historical bandwidth coordinate system, and obtain the maximum and minimum values of the historical slope of the historical bandwidth occupancy rate line within the bandwidth detection period. Based on the maximum and minimum values of the historical slope, construct a slope reference interval.
[0012] Step S3: Calculate the actual slope of the real-time bandwidth utilization curve and analyze the actual slope and the abnormal duration rate within the bandwidth detection period.
[0013] Step S4: Classify the server's access behavior within the abnormal bandwidth period based on the single access bandwidth to obtain the first access behavior and the second access behavior. Then, analyze the server's network security based on the change in the number of accesses of the first access behavior and the second access behavior.
[0014] Furthermore, the analysis process in step S1 includes the following sub-steps:
[0015] Step S11: Collect the theoretical bandwidth of the server and the real-time transmission rate of data in the server at different time points, and divide the real-time transmission rate by the theoretical bandwidth to obtain the real-time bandwidth utilization rate of the server at different time points.
[0016] Step S12: Set up different bandwidth detection nodes and record the time interval between adjacent bandwidth detection nodes as the bandwidth detection time period;
[0017] Step S13: Obtain the historical data transmission rate in the server, and divide the historical transmission rate by the theoretical bandwidth to obtain the historical bandwidth utilization rate of the server.
[0018] Step S14: Construct a Cartesian coordinate system with time as the horizontal axis and historical bandwidth utilization rate as the vertical axis. Draw a line graph of the server's historical bandwidth utilization rate within different bandwidth detection time periods in the Cartesian coordinate system, and record the corresponding Cartesian coordinate system as the historical bandwidth coordinate system.
[0019] Similarly, construct a Cartesian coordinate system with time as the horizontal axis and real-time bandwidth utilization as the vertical axis. Plot a line graph of the server's real-time bandwidth utilization during different bandwidth detection time periods in the Cartesian coordinate system, and denote the corresponding Cartesian coordinate system as the real-time bandwidth coordinate system.
[0020] Furthermore, the analysis process in step S2 includes the following sub-steps:
[0021] Step S21: Record the broken line in the historical bandwidth coordinate system as the historical bandwidth utilization rate broken line;
[0022] Step S22: Subtract the historical bandwidth utilization rate of the previous time node from the historical bandwidth utilization rate of the current time node to obtain the historical bandwidth utilization rate difference.
[0023] Step S23: Divide the historical bandwidth utilization difference by a fixed time interval to obtain the historical slope of the historical bandwidth utilization curve between adjacent time nodes within the bandwidth detection period.
[0024] Similarly, the historical slopes of the line graphs showing different historical bandwidth occupancy rates within the bandwidth detection period are calculated.
[0025] Step S24: Traverse and compare the historical slopes of different historical bandwidth occupancy rate lines within the bandwidth detection time period to obtain the maximum and minimum values of the historical slopes;
[0026] Step S25: Use the minimum historical slope as the left endpoint of the slope reference interval for the real-time bandwidth occupancy rate within the corresponding bandwidth detection time period, and use the maximum historical slope as the right endpoint of the slope reference interval for the real-time bandwidth occupancy rate within the corresponding bandwidth detection time period to construct a slope reference interval.
[0027] Furthermore, the analysis process in step S3 includes the following sub-steps:
[0028] Step S31: Record the broken line in the real-time bandwidth coordinate system as the real-time bandwidth occupancy rate broken line, and repeat steps S22-S23 to calculate the actual slope of the broken lines of different real-time bandwidth occupancy rates within the bandwidth detection time period.
[0029] Step S32: Compare the actual slope of the real-time bandwidth occupancy rate line within the bandwidth detection time period with the slope reference interval;
[0030] If the actual slope of all real-time bandwidth utilization curves within the bandwidth detection period falls within the slope reference range, no action will be taken.
[0031] If the actual slope of any real-time bandwidth utilization rate line within the bandwidth detection period does not fall within the slope reference range, proceed to step S33.
[0032] Step S33: Record the real-time bandwidth utilization line whose actual slope does not fall within the slope reference interval as the abnormal bandwidth line, and record the real-time bandwidth utilization line whose actual slope falls within the slope reference interval as the normal bandwidth line.
[0033] Furthermore, the analysis process in step S3 also includes the following sub-steps:
[0034] Step S34: If there are continuous abnormal bandwidth lines, the time nodes at both ends of the continuous abnormal bandwidth lines are recorded as abnormal time nodes, and the time interval between abnormal time nodes is recorded as abnormal bandwidth time interval.
[0035] If there is a single abnormal bandwidth line, the time nodes at both ends of the corresponding abnormal line are directly recorded as abnormal time nodes, and the time interval between abnormal time nodes is recorded as abnormal bandwidth time interval.
[0036] Step S35: Summing up the durations of all abnormal bandwidth time periods and comparing them with the total duration of the bandwidth detection time period to obtain the abnormal duration rate within the bandwidth detection time period;
[0037] Step S36: If the abnormal duration rate during the bandwidth detection period is less than or equal to the preset abnormal duration rate, proceed to step S4.
[0038] If the abnormal duration rate exceeds the preset abnormal duration rate during the bandwidth detection period, a security warning will be issued immediately.
[0039] Furthermore, the analysis process in step S4 includes the following sub-steps:
[0040] Step S41: Obtain the number of server accesses and the bandwidth per access at different abnormal time points within the abnormal bandwidth period.
[0041] Step S42: Classify the single access bandwidth according to the access bandwidth size;
[0042] Step S43: Obtain the initial first access count of the first access behavior and the initial second access count of the second access behavior in the server at the first abnormal time node within the abnormal bandwidth period.
[0043] Similarly, obtain the real-time first access count of the first access behavior and the real-time second access count of the second access behavior in the server when the remaining abnormal time nodes are within the abnormal bandwidth period.
[0044] Furthermore, the classification process in step S42 includes the following sub-steps:
[0045] Step S421: Compare the single access bandwidth with the reference bandwidth threshold;
[0046] Step S422: If the bandwidth of a single access is less than the reference bandwidth threshold, then the corresponding access behavior is recorded as the first access behavior.
[0047] Step S423: If the bandwidth of a single access is greater than or equal to the reference bandwidth threshold, then the corresponding access behavior is recorded as the second access behavior.
[0048] Furthermore, the analysis process in step S4 also includes the following sub-steps:
[0049] Step S44: Subtract the initial first access count from the real-time first access count to obtain the change in the first access count in the server at the corresponding abnormal time node; subtract the initial second access count from the real-time second access count to obtain the change in the second access count in the server at the corresponding abnormal time node.
[0050] Step S45: Compare the changes in the first and second access counts on the server at the abnormal time points with zero;
[0051] If the change in the first access count or the change in the second access count is greater than zero at the abnormal time point, a security warning will be issued immediately.
[0052] If the change in the first number of accesses to the server is greater than zero and the change in the second number of accesses is greater than zero at the abnormal time point, the network security status of the server will be continuously monitored.
[0053] If the change in the first number of accesses to the server is less than or equal to zero and the change in the second number of accesses is less than or equal to zero at the abnormal time point, a security warning will be issued immediately.
[0054] Secondly, an electronic device, the electronic device comprising:
[0055] A memory that stores a computer program;
[0056] The processor is communicatively connected to the memory. When the computer program is executed by the processor, it implements the artificial intelligence-based network security situation comparison and analysis method.
[0057] Thirdly, a computer-readable storage medium storing a computer program that, when executed by a processor, implements the aforementioned AI-based network security situational awareness analysis method.
[0058] In summary, due to the adoption of the above technical solution, the beneficial effects of the present invention are:
[0059] 1. This invention first calculates the real-time bandwidth utilization rate and historical bandwidth utilization rate based on real-time data and historical data, and then constructs a corresponding Cartesian coordinate system based on the real-time bandwidth utilization rate and historical bandwidth utilization rate. Then, it analyzes the slope of the historical bandwidth utilization rate line in the historical bandwidth coordinate system, and obtains the maximum and minimum values of the historical slope of the historical bandwidth utilization rate line within the bandwidth detection period. Based on the maximum and minimum values of the historical slope, a slope reference interval is constructed. This invention realizes the preliminary analysis of real-time data in the server.
[0060] 2. This invention also calculates the actual slope of the real-time bandwidth utilization curve and analyzes the actual slope and the abnormal duration rate within the bandwidth detection period. Then, based on the single access bandwidth, the server's access behavior within the abnormal bandwidth period is classified into first access behavior and second access behavior. Then, based on the change in the number of accesses of the first access behavior and the second access behavior, the network security of the server is analyzed. This invention achieves effective comparative analysis of network security situation.
Attached Figure Description
[0061] To facilitate understanding by those skilled in the art, the present invention will be further described below with reference to the accompanying drawings.
[0062] Figure 1 is a flowchart of the method of the present invention;
[0063] Figure 2 is a schematic diagram of the historical bandwidth coordinate system in this invention;
[0064] Figure 3 is a schematic diagram of the real-time bandwidth coordinate system in this invention;
[0065] Figure 4 is a schematic diagram of the electronic device in this invention.
Detailed Implementation
[0066] The technical solution of the present invention will be clearly and completely described below with reference to the embodiments. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0067] Example 1: as shown in Figures 1-3, the technical solution provided by this invention is a network security situation comparison and analysis method based on artificial intelligence, the specific method of which is as follows:
[0068] Step S1: Calculate the real-time bandwidth utilization rate and historical bandwidth utilization rate based on real-time data and historical data, and construct the corresponding Cartesian coordinate system based on the real-time bandwidth utilization rate and historical bandwidth utilization rate;
[0069] In this embodiment, the analysis process in step S1 includes the following sub-steps:
[0070] Step S11: Collect the theoretical bandwidth of the server and the real-time transmission rate of data in the server at different time points, and divide the real-time transmission rate by the theoretical bandwidth to obtain the real-time bandwidth utilization rate of the server at different time points.
[0071] It should be noted that the theoretical bandwidth of the server can be obtained from the server's hardware specifications, while the real-time transmission rate can be obtained from the server in real time.
[0072] Step S12: Set up different bandwidth detection nodes and record the time interval between adjacent bandwidth detection nodes as the bandwidth detection time period;
[0073] For example, if the bandwidth detection nodes are 9 o'clock and 10 o'clock, then the period from 9 o'clock to 10 o'clock is recorded as the bandwidth detection time period. It should be noted that the number of time nodes is the same in different bandwidth detection time periods.
[0074] Step S13: Obtain the historical data transmission rate in the server, and divide the historical transmission rate by the theoretical bandwidth to obtain the historical bandwidth utilization rate of the server.
[0075] Step S14: as shown in Figure 2, a Cartesian coordinate system is constructed with time as the horizontal axis and historical bandwidth utilization rate as the vertical axis. A line graph of the server's historical bandwidth utilization rate during different bandwidth detection time periods is plotted in the Cartesian coordinate system, and the corresponding Cartesian coordinate system is denoted as the historical bandwidth coordinate system.
[0076] Similarly, as shown in Figure 3, a Cartesian coordinate system is constructed with time as the horizontal axis and real-time bandwidth utilization rate as the vertical axis. A line graph of the server's real-time bandwidth utilization rate during different bandwidth detection time periods is plotted in the Cartesian coordinate system, and the corresponding Cartesian coordinate system is denoted as the real-time bandwidth coordinate system.
[0077] In this embodiment, as shown in Figure 2 and Figure 3, black dots represent bandwidth detection nodes, white dots represent time nodes, and the time intervals between black dots represent bandwidth detection time periods.
[0078] Step S2: Analyze the slope of the historical bandwidth occupancy rate line in the historical bandwidth coordinate system, and obtain the maximum and minimum values of the historical slope of the historical bandwidth occupancy rate line within the bandwidth detection period. Based on the maximum and minimum values of the historical slope, construct a slope reference interval.
[0079] In this embodiment, the analysis process in step S2 includes the following sub-steps:
[0080] Step S21: Record the broken line in the historical bandwidth coordinate system as the historical bandwidth utilization rate broken line;
[0081] It should be noted that Figure 2 and Figure 3 each show only one bandwidth detection period. Since the historical bandwidth coordinate system contains different bandwidth detection nodes and different time nodes, there are in practice several bandwidth detection time periods, and a different historical bandwidth occupancy rate line graph exists within each bandwidth detection time period.
[0082] Step S22: Subtract the historical bandwidth utilization rate of the previous time node from the historical bandwidth utilization rate of the current time node to obtain the historical bandwidth utilization rate difference.
[0083] It should be noted that the current time node here does not refer to the real-time node corresponding to the current moment, but rather the time node that needs to be calculated is recorded as the current time node;
[0084] Step S23: Divide the historical bandwidth utilization difference by a fixed time interval to obtain the historical slope of the historical bandwidth utilization curve between adjacent time nodes within the bandwidth detection period.
[0085] Similarly, the historical slopes of the line graphs showing different historical bandwidth occupancy rates within the bandwidth detection period are calculated.
[0086] It should be explained that the fixed time interval is the fixed time interval between the current time node and the previous time node;
[0087] Step S24: Traverse and compare the historical slopes of different historical bandwidth occupancy rate lines within the bandwidth detection time period to obtain the maximum and minimum values of the historical slopes;
[0088] Step S25: Use the minimum historical slope as the left endpoint of the slope reference interval for the real-time bandwidth occupancy rate within the corresponding bandwidth detection time period, and use the maximum historical slope as the right endpoint of the slope reference interval for the real-time bandwidth occupancy rate within the corresponding bandwidth detection time period to construct a slope reference interval.
[0089] Step S3: Calculate the actual slope of the real-time bandwidth utilization curve and analyze the actual slope and the abnormal duration rate within the bandwidth detection period.
[0090] Specifically, the analysis process in step S3 includes the following sub-steps:
[0091] Step S31: Record the broken line in the real-time bandwidth coordinate system as the real-time bandwidth occupancy rate broken line, and repeat steps S22-S23 to calculate the actual slope of the broken lines of different real-time bandwidth occupancy rates within the bandwidth detection time period.
[0092] Step S32: Compare the actual slope of the real-time bandwidth occupancy rate line within the bandwidth detection time period with the slope reference interval;
[0093] If the actual slope of all real-time bandwidth utilization rate curves within the bandwidth detection period falls within the slope reference range, it indicates that the real-time bandwidth utilization rate within the bandwidth detection period is within the normal range, and no operation is performed.
[0094] If the actual slope of any real-time bandwidth utilization rate line within the bandwidth detection period is not within the slope reference range, it indicates that the real-time bandwidth utilization rate within the bandwidth detection period is not within the normal range, and then proceed to step S33.
[0095] Step S33: Record the real-time bandwidth utilization rate line whose actual slope does not fall within the slope reference interval as the abnormal bandwidth line, and record the real-time bandwidth utilization rate line whose actual slope falls within the slope reference interval as the normal bandwidth line.
[0096] Step S34: If there are continuous abnormal bandwidth lines, the time nodes at both ends of the continuous abnormal bandwidth lines are recorded as abnormal time nodes, and the time interval between abnormal time nodes is recorded as abnormal bandwidth time interval.
[0097] If there is a single abnormal bandwidth line, the time nodes at both ends of the corresponding abnormal line are directly recorded as abnormal time nodes, and the time interval between abnormal time nodes is recorded as abnormal bandwidth time interval.
[0098] Step S35: Summing up the durations of all abnormal bandwidth time periods and comparing them with the total duration of the bandwidth detection time period to obtain the abnormal duration rate within the bandwidth detection time period;
[0099] Step S36: If the abnormal duration rate during the bandwidth detection period is less than or equal to the preset abnormal duration rate, proceed to step S4.
[0100] If the abnormal duration rate exceeds the preset abnormal duration rate during the bandwidth detection period, a security warning will be issued immediately.
[0101] Step S4: Classify the server access behavior within the abnormal bandwidth period based on the single access bandwidth to obtain the first access behavior and the second access behavior. Then, analyze the network security of the server based on the change in the number of accesses of the first access behavior and the second access behavior.
[0102] In this embodiment, the analysis process in step S4 includes the following sub-steps:
[0103] Step S41: Obtain the number of server accesses and the bandwidth per access at different abnormal time points within the abnormal bandwidth period.
[0104] It should be noted that the bandwidth per access is the amount of bandwidth used to access the server once. The number of accesses and the bandwidth per access can be obtained from the storage units in the server.
[0105] Step S42: Classify the single access bandwidth according to the access bandwidth size. The classification process includes the following sub-steps:
[0106] Step S421: Compare the single access bandwidth with the reference bandwidth threshold;
[0107] Step S422: If the bandwidth of a single access is less than the reference bandwidth threshold, then the corresponding access behavior is recorded as the first access behavior.
[0108] Step S423: If the bandwidth of a single access is greater than or equal to the reference bandwidth threshold, then the corresponding access behavior is recorded as the second access behavior.
[0109] It should be noted that the bandwidth of a single access for the first access behavior is less than that of a single access for the second access behavior, and the reference bandwidth threshold can be 1 MB/s.
[0110] Step S43: Obtain the initial first access count of the first access behavior and the initial second access count of the second access behavior in the server at the first abnormal time node within the abnormal bandwidth period.
[0111] Similarly, obtain the real-time first access count of the first access behavior and the real-time second access count of the second access behavior in the server when the remaining abnormal time nodes are within the abnormal bandwidth period.
[0112] Step S44: Subtract the initial first access count from the real-time first access count to obtain the change in the first access count in the server at the corresponding abnormal time node; subtract the initial second access count from the real-time second access count to obtain the change in the second access count in the server at the corresponding abnormal time node.
[0113] Step S45: Compare the changes in the first and second access counts on the server at the abnormal time points with zero;
[0114] If the change in the first access count or the change in the second access count is greater than zero at the abnormal time point, a security warning will be issued immediately.
[0115] If the change in the first number of accesses to the server is greater than zero and the change in the second number of accesses is greater than zero at the abnormal time point, the network security status of the server will be continuously monitored.
[0116] If the change in the first number of accesses to the server is less than or equal to zero and the change in the second number of accesses is less than or equal to zero at the abnormal time point, a security warning will be issued immediately.
[0117] It should be explained that if the change in the first number of accesses to the server is greater than zero and the change in the second number of accesses is less than or equal to zero at the time of the anomaly, it indicates a significant increase in single access behaviors for small or large data at that time, which may indicate a DDoS attack or the rapid spread of malware within the local area network. If the change in the first number of accesses to the server is greater than zero and the change in the second number of accesses is greater than zero at the time of the anomaly, it indicates that the number of access behaviors for both small and large data is increasing at that time, and continuous monitoring of the server's network security status is necessary. If the change in the first number of accesses to the server is less than or equal to zero and the change in the second number of accesses is less than or equal to zero at the time of the anomaly, it indicates that the number of access behaviors for both small and large data is decreasing at that time, which conflicts with the slope of the real-time bandwidth utilization curve being greater than zero, and an immediate warning should be issued.
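The following is an added example, not code from the patent or its assignee: a reference implementation of steps S1 to S4 run on constructed sample data. Function names, the sample rates, the one-minute node spacing and the 0.6 abnormal-duration preset are assumptions; the 1 MB/s per-access threshold is the value the description gives, and the "or" branch of step S45 is read, following paragraph [0117], as exactly one of the two access counts rising.

```python
# Added example (not the patent's code): reference implementation of steps
# S1-S4 on constructed sample data. Names, sample values and the 0.6
# abnormal-duration preset are assumptions; the 1 MB/s threshold is the patent's.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Verdict:
    abnormal_intervals: List[Tuple[int, int]]   # (start_node, end_node) pairs, step S34
    abnormal_rate: float                        # abnormal duration / period duration, S35
    decisions: List[Tuple[int, str]] = field(default_factory=list)  # per abnormal node, S45


def utilization(rates: List[float], theoretical: float) -> List[float]:
    """Steps S11/S13: transmission rate divided by the theoretical bandwidth."""
    return [r / theoretical for r in rates]


def slopes(util: List[float], dt: float) -> List[float]:
    """Steps S22-S23: utilization difference between adjacent nodes over the fixed interval."""
    return [(util[i] - util[i - 1]) / dt for i in range(1, len(util))]


def slope_reference_interval(historical: List[List[float]], dt: float) -> Tuple[float, float]:
    """Steps S24-S25: [min, max] over every historical slope in the detection period."""
    hist = [s for period in historical for s in slopes(period, dt)]
    return min(hist), max(hist)


def abnormal_intervals(flags: List[bool]) -> List[Tuple[int, int]]:
    """Step S34: merge runs of abnormal segments; segment k joins nodes k and k+1."""
    out, i = [], 0
    while i < len(flags):
        if not flags[i]:
            i += 1
            continue
        j = i
        while j + 1 < len(flags) and flags[j + 1]:
            j += 1
        out.append((i, j + 1))
        i = j + 1
    return out


def classify_accesses(per_access_bw: List[float], threshold: float) -> Tuple[int, int]:
    """Step S42: (first, second) counts; first = below threshold, second = at/above it."""
    first = sum(1 for b in per_access_bw if b < threshold)
    return first, len(per_access_bw) - first


def analyze(rt_rates, theoretical, historical_rates, dt, accesses, threshold, max_rate) -> Verdict:
    """Steps S1-S4. `accesses` maps a time node to the per-access bandwidths seen there."""
    lo, hi = slope_reference_interval([utilization(h, theoretical) for h in historical_rates], dt)
    actual = slopes(utilization(rt_rates, theoretical), dt)
    flags = [not (lo <= s <= hi) for s in actual]            # S32-S33: outside interval = abnormal
    intervals = abnormal_intervals(flags)
    period = dt * len(actual)
    rate = sum((e - s) * dt for s, e in intervals) / period  # S35: abnormal duration rate
    v = Verdict(intervals, rate)
    if not intervals:
        return v                                             # all slopes normal: no action
    if rate > max_rate:                                      # S36: abnormal for too long
        v.decisions.append((intervals[0][0], "warning: abnormal duration rate exceeded"))
        return v
    for start, end in intervals:                             # S43-S45 per abnormal interval
        f0, s0 = classify_accesses(accesses[start], threshold)
        for node in range(start + 1, end + 1):
            f, s = classify_accesses(accesses[node], threshold)
            df, ds = f - f0, s - s0
            if df > 0 and ds > 0:
                v.decisions.append((node, "monitor: both access types rising"))
            elif df <= 0 and ds <= 0:
                v.decisions.append((node, "warning: accesses falling while bandwidth rises"))
            else:
                v.decisions.append((node, "warning: surge in one access type"))
    return v


# Constructed sample data: rates in Mbit/s against a 100 Mbit/s theoretical
# bandwidth, time nodes one minute apart, per-access bandwidth in MB/s.
THEORETICAL = 100.0
DT = 1.0
HISTORICAL = [[10, 20, 30, 25, 20], [15, 10, 25, 35, 30]]   # two past detection periods
REAL_TIME = [10, 20, 50, 80, 78]                             # current detection period
ACCESSES: Dict[int, List[float]] = {
    1: [0.2, 0.5, 2.0],
    2: [0.1, 0.2, 0.3, 0.4, 0.5, 2.0],
    3: [0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 2.0, 3.0],
}


def run_sample() -> Verdict:
    return analyze(REAL_TIME, THEORETICAL, HISTORICAL, DT, ACCESSES, 1.0, 0.6)


if __name__ == "__main__":
    v = run_sample()
    print("abnormal intervals:", v.abnormal_intervals, "rate:", v.abnormal_rate)
    for node, decision in v.decisions:
        print(f"node {node}: {decision}")
```

With this data the historical slope interval is [-0.05, 0.15], segments 1 and 2 of the real-time curve fall outside it (abnormal rate 0.5, below the preset), node 2 triggers a warning because only small-bandwidth accesses surged, and node 3 is kept under monitoring because both kinds rose.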
[0118] Example 2: This embodiment of the invention also provides an electronic device for running the aforementioned AI-based network security situation comparison and analysis method. As shown in Figure 4, the electronic device provided by the embodiment of the present invention includes a memory and a processor. The memory is used to store one or more computer instructions, which are executed by the processor to realize the above-mentioned artificial intelligence-based network security situation comparison and analysis method.
[0119] Furthermore, the electronic device shown in Figure 4 also includes a communication bus and a communication interface, with the processor, communication interface and memory connected via the communication bus;
[0120] The memory may include high-speed random access memory (RAM) or non-volatile memory, such as at least one disk storage device. Communication between this system network element and at least one other network element is achieved through at least one communication interface (wired or wireless), which can use the Internet, a wide area network, a local area network, a metropolitan area network, etc. The communication bus can be an ISA bus, PCI bus, or EISA bus, etc. The communication bus can be divided into an address bus, data bus, control bus, etc. For ease of representation, Figure 4 shows the bus as only one double-headed arrow, but this does not mean that there is only one communication bus or one type of communication bus.
[0121] The processor may be an integrated circuit chip with signal processing capabilities. In implementation, the steps of the above methods can be completed by integrated logic circuits in the processor's hardware or by software instructions. The processor can be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), etc.; it can also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA), or other programmable logic devices, discrete gate or transistor logic devices, or discrete hardware components. It can implement or execute the methods, steps, and logic block diagrams disclosed in the embodiments of this invention. The general-purpose processor can be a microprocessor or any conventional processor. The steps of the methods disclosed in the embodiments of this invention can be directly embodied in the execution of a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor. The software modules can reside in random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, registers, or other mature storage media in the art. The storage medium is located in the memory, and the processor reads the information in the memory and, in conjunction with its hardware, completes the steps of the method described in the foregoing embodiments.
[0122] Example 3: This embodiment of the invention also provides a computer storage medium that stores computer-executable instructions. When the computer-executable instructions are called and executed by a processor, the computer-executable instructions cause the processor to implement the above-mentioned artificial intelligence-based network security situation comparison and analysis method. For specific implementation, please refer to the method embodiment, which will not be repeated here.
[0123] The computer program product of the AI-based network security situation comparison and analysis method provided in this embodiment of the invention includes a computer storage medium storing program code. The instructions included in the program code can be used to execute the methods in the preceding method embodiments. For specific implementation, please refer to the method embodiments, which will not be repeated here.
[0124] Those skilled in the art will clearly understand that, for the sake of convenience and brevity, the specific working process of the system and / or device described above can be referred to the corresponding process in the foregoing method embodiments, and will not be repeated here.
[0125] Furthermore, in the description of the embodiments of the present invention, unless otherwise explicitly specified and limited, the terms "installation," "connection," and "linking" should be interpreted broadly. For example, they can refer to a fixed connection, a detachable connection, or an integral connection; they can refer to a mechanical connection or an electrical connection; they can refer to a direct connection or an indirect connection through an intermediate medium; and they can refer to the internal connection of two components. Those skilled in the art can understand the specific meaning of the above terms in the present invention based on the specific circumstances.
[0126] If the aforementioned functions are implemented as software functional units and sold or used as independent products, they can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this invention, essentially, or the part that contributes to the prior art, or a portion of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of this invention. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.
[0127] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, and not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some or all of the technical features therein. Such modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the scope of the technical solutions of the embodiments of the present invention.
Claims
1. A cybersecurity situational awareness comparison and analysis method based on artificial intelligence, characterized in that the method includes the following steps:
Step S1: Calculate the real-time bandwidth utilization rate and the historical bandwidth utilization rate from real-time data and historical data, and construct the corresponding Cartesian coordinate systems from the real-time bandwidth utilization rate and the historical bandwidth utilization rate. The analysis process in step S1 includes the following sub-steps:
Step S11: Collect the theoretical bandwidth of the server and the real-time transmission rate of data in the server at different time points, and divide the real-time transmission rate by the theoretical bandwidth to obtain the real-time bandwidth utilization rate of the server at different time points.
Step S12: Set up different bandwidth detection nodes and record the time interval between adjacent bandwidth detection nodes as the bandwidth detection time period.
Step S13: Obtain the historical data transmission rate in the server, and divide the historical transmission rate by the theoretical bandwidth to obtain the historical bandwidth utilization rate of the server.
Step S14: Construct a Cartesian coordinate system with time as the horizontal axis and historical bandwidth utilization rate as the vertical axis, draw a line graph of the server's historical bandwidth utilization rate within the different bandwidth detection time periods in this coordinate system, and record the coordinate system as the historical bandwidth coordinate system. Similarly, construct a Cartesian coordinate system with time as the horizontal axis and real-time bandwidth utilization rate as the vertical axis, plot a line graph of the server's real-time bandwidth utilization rate within the different bandwidth detection time periods in this coordinate system, and record the coordinate system as the real-time bandwidth coordinate system.
Step S2: Analyze the slope of the historical bandwidth utilization rate line in the historical bandwidth coordinate system, obtain the maximum and minimum values of the historical slope of the historical bandwidth utilization rate line within the bandwidth detection period, and construct a slope reference interval from the maximum and minimum values of the historical slope.
Step S3: Calculate the actual slope of the real-time bandwidth utilization rate line, and analyze the actual slope and the abnormal duration rate within the bandwidth detection period. The analysis process in step S3 includes the following sub-steps:
Step S31: Record the broken line in the real-time bandwidth coordinate system as the real-time bandwidth utilization rate broken line, and calculate the actual slope of each real-time bandwidth utilization rate line segment within the bandwidth detection period using the same calculation process as for the historical slope of the historical bandwidth utilization rate line segments within the bandwidth detection period.
Step S32: Compare the actual slope of each real-time bandwidth utilization rate line segment within the bandwidth detection period with the slope reference interval. If the actual slopes of all real-time bandwidth utilization rate line segments within the bandwidth detection period fall within the slope reference interval, no action is taken. If the actual slope of any real-time bandwidth utilization rate line segment within the bandwidth detection period does not fall within the slope reference interval, proceed to step S33.
Step S33: Record each real-time bandwidth utilization rate line segment whose actual slope does not fall within the slope reference interval as an abnormal bandwidth line, and record each real-time bandwidth utilization rate line segment whose actual slope falls within the slope reference interval as a normal bandwidth line.
Step S34: If there are consecutive abnormal bandwidth lines, record the time nodes at both ends of the run of consecutive abnormal bandwidth lines as abnormal time nodes, and record the time interval between these abnormal time nodes as an abnormal bandwidth time period. If there is a single abnormal bandwidth line, directly record the time nodes at both ends of that line as abnormal time nodes, and record the time interval between them as an abnormal bandwidth time period.
Step S35: Sum the durations of all abnormal bandwidth time periods and divide by the total duration of the bandwidth detection time period to obtain the abnormal duration rate within the bandwidth detection time period.
Step S36: If the abnormal duration rate within the bandwidth detection period is less than or equal to the preset abnormal duration rate, proceed to step S4. If the abnormal duration rate within the bandwidth detection period exceeds the preset abnormal duration rate, issue a security warning immediately.
Step S4: Classify the server access behavior within all abnormal bandwidth time periods according to the single-access bandwidth to obtain the first access behavior and the second access behavior, and then analyze the server's network security from the change in the number of accesses of the first access behavior and the second access behavior.
2. The artificial intelligence-based network security situation comparison and analysis method according to claim 1, characterized in that the analysis process in step S2 includes the following sub-steps:
Step S21: Record the broken line in the historical bandwidth coordinate system as the historical bandwidth utilization rate broken line.
Step S22: Subtract the historical bandwidth utilization rate at the previous time node from the historical bandwidth utilization rate at the current time node to obtain the historical bandwidth utilization rate difference.
Step S23: Divide the historical bandwidth utilization rate difference by the fixed time interval to obtain the historical slope of the historical bandwidth utilization rate line between adjacent time nodes within the bandwidth detection period, where the fixed time interval is the fixed time interval between the current time node and the previous time node. Similarly, calculate the historical slopes of the other historical bandwidth utilization rate line segments within the bandwidth detection period.
Step S24: Traverse and compare the historical slopes of the different historical bandwidth utilization rate line segments within the bandwidth detection time period to obtain the maximum and minimum values of the historical slope.
Step S25: Use the minimum historical slope as the left endpoint and the maximum historical slope as the right endpoint of the slope reference interval for the real-time bandwidth utilization rate within the corresponding bandwidth detection time period, thereby constructing the slope reference interval.
3. The artificial intelligence-based network security situation comparison and analysis method according to claim 1, characterized in that the analysis process in step S4 includes the following sub-steps:
Step S41: Obtain the number of server accesses and the bandwidth of each single access at the different abnormal time nodes within the abnormal bandwidth time period.
Step S42: Classify the single-access bandwidth according to its size.
Step S43: Obtain the initial first access count of the first access behavior and the initial second access count of the second access behavior in the server at the first abnormal time node within the abnormal bandwidth time period. Similarly, obtain the real-time first access count of the first access behavior and the real-time second access count of the second access behavior in the server at each of the remaining abnormal time nodes within the abnormal bandwidth time period.
4. The artificial intelligence-based network security situation comparison and analysis method according to claim 3, characterized in that the classification process in step S42 includes the following sub-steps:
Step S421: Compare the single-access bandwidth with the reference bandwidth threshold.
Step S422: If the bandwidth of a single access is less than the reference bandwidth threshold, record the corresponding access behavior as the first access behavior.
Step S423: If the bandwidth of a single access is greater than or equal to the reference bandwidth threshold, record the corresponding access behavior as the second access behavior.
5. The artificial intelligence-based network security situation comparison and analysis method according to claim 4, characterized in that the analysis process in step S4 further includes the following sub-steps:
Step S44: Subtract the initial first access count from the real-time first access count to obtain the change in the first access count in the server at the corresponding abnormal time node, and subtract the initial second access count from the real-time second access count to obtain the change in the second access count in the server at the corresponding abnormal time node.
Step S45: Compare the changes in the first and second access counts of the server at each abnormal time node with zero. If only one of the change in the first access count and the change in the second access count is greater than zero at an abnormal time node, issue a security warning immediately. If both the change in the first access count and the change in the second access count of the server are greater than zero at the abnormal time node, continue to monitor the network security status of the server. If both the change in the first access count and the change in the second access count of the server are less than or equal to zero at the abnormal time node, issue a security warning immediately.
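The procedure of claims 1 to 5, carried through end to end as an added worked example in Python. This is not code from the patent or from the assignee; the link capacity, the two rate series, the detection interval, the preset abnormal duration rate, the reference bandwidth threshold and the per-access bandwidth lists are constructed sample values, and every function name is the example's own. The three branches of step S45 are read as "only one count rises", "both rise" and "neither rises". Utilization and slopes are kept as exact fractions so that the closed-interval check of step S32 is not disturbed by floating-point rounding at the interval endpoints.

```python
from fractions import Fraction


def utilization(rates, theoretical_bw):
    """Steps S11/S13: transmission rate divided by theoretical bandwidth.
    Fractions keep the later slope comparisons exact."""
    return [Fraction(r, theoretical_bw) for r in rates]


def segment_slopes(util, interval):
    """Steps S22/S23 and S31: slope of each line segment between adjacent
    time nodes; segment i joins node i to node i + 1."""
    return [(util[i] - util[i - 1]) / interval for i in range(1, len(util))]


def slope_reference_interval(hist_slopes):
    """Steps S24/S25: closed interval [min historical slope, max historical slope].
    Caveat for practitioners: a single historical outlier widens this interval."""
    return (min(hist_slopes), max(hist_slopes))


def abnormal_spans(actual_slopes, ref):
    """Steps S32-S34: segments whose slope lies outside the reference interval are
    abnormal; consecutive abnormal segments merge into one (start_node, end_node)."""
    lo, hi = ref
    spans, start = [], None
    for i, s in enumerate(actual_slopes):
        if not (lo <= s <= hi):
            if start is None:
                start = i
        elif start is not None:
            spans.append((start, i))
            start = None
    if start is not None:
        spans.append((start, len(actual_slopes)))
    return spans


def abnormal_duration_rate(spans, total_segments):
    """Step S35: summed abnormal duration over the detection period (equal intervals,
    so the interval length cancels)."""
    return Fraction(sum(end - start for start, end in spans), total_segments)


def count_behaviours(per_access_bw, threshold):
    """Steps S41/S42: first behaviour below the reference threshold, second at or above."""
    first = sum(1 for bw in per_access_bw if bw < threshold)
    return {"first": first, "second": len(per_access_bw) - first}


def access_change_verdict(initial, current):
    """Steps S44/S45: only a rise in both counts keeps monitoring; one count rising
    alone, or neither rising, raises a warning."""
    d_first = current["first"] - initial["first"]
    d_second = current["second"] - initial["second"]
    return "monitor" if d_first > 0 and d_second > 0 else "warning"


def analyse(hist_rates, rt_rates, theoretical_bw, interval, preset_rate, accesses, bw_threshold):
    """Claims 1-5 end to end. `accesses` maps a time node index to the (constructed)
    list of per-access bandwidths observed at that node."""
    ref = slope_reference_interval(segment_slopes(utilization(hist_rates, theoretical_bw), interval))
    rt_slopes = segment_slopes(utilization(rt_rates, theoretical_bw), interval)
    spans = abnormal_spans(rt_slopes, ref)
    rate = abnormal_duration_rate(spans, len(rt_slopes))
    result = {"reference": ref, "spans": spans, "abnormal_duration_rate": rate, "warnings": []}
    if rate > preset_rate:                          # step S36: warn immediately
        result["warnings"].append(("abnormal duration rate exceeded", rate))
        return result
    for start, end in spans:                        # step S4, per abnormal bandwidth time period
        initial = count_behaviours(accesses[start], bw_threshold)   # step S43, first abnormal node
        for node in range(start + 1, end + 1):
            current = count_behaviours(accesses[node], bw_threshold)
            if access_change_verdict(initial, current) == "warning":
                result["warnings"].append(("access change", node))
    return result


# Constructed sample data (assumption): a 100 Mbit/s link sampled at equal intervals.
THEORETICAL_BW = 100
HIST_RATES = [20, 25, 30, 28, 26, 31, 35, 33]     # unremarkable historical period
RT_RATES = [20, 22, 60, 95, 97, 96, 50, 48]       # sudden ramp to saturation, then a drop
ACCESSES = {                                      # per-access bandwidth at each time node
    1: [1, 2, 1, 8, 9],
    2: [1, 1, 2, 3, 8, 9, 10],
    3: [1, 1, 2, 3, 1, 1, 8, 9, 10, 7],
    5: [2, 8],
    6: [2, 2, 2, 2, 8],
}

if __name__ == "__main__":
    print(analyse(HIST_RATES, RT_RATES, THEORETICAL_BW, 1, Fraction(1, 2), ACCESSES, 5))
```

With these inputs the historical slopes give a reference interval of [-1/50, 1/20]; the real-time ramp (segments 1 and 2) and the later drop (segment 5) fall outside it, producing the spans (1, 3) and (5, 6) and an abnormal duration rate of 3/7. That is below the preset rate of 1/2, so step S4 runs: both behaviour counts rise across the first span (monitoring continues), while at node 6 only the first count rises, which the rule of step S45 turns into a warning.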
6. An electronic device, characterized in that the electronic device includes: a memory that stores a computer program; and a processor, communicatively connected to the memory, which implements the method described in any one of claims 1 to 5 when the computer program is executed by the processor.
7. A computer-readable storage medium having a computer program stored thereon, characterized in that, when the program is executed by a processor, it implements the method of any one of claims 1 to 5.