Internet privacy self-regulating handling system and method
By employing anomaly detection models, blockchain-based layered sharing, and layered reinforcement learning models, the system addresses the issues of weak identification capabilities, delayed responses, and rigid compliance strategies in internet security supervision systems. This enables efficient threat perception, intelligence sharing, and dynamic response, enhancing the system's adaptability and response efficiency.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- JIANGSU DINGHONG SYSTEM ENGINEERING CO LTD
- Filing Date
- 2025-09-29
- Publication Date
- 2026-07-07
AI Technical Summary
Existing internet security monitoring systems have shortcomings in anomaly detection, intelligence sharing, disaster recovery response, and compliance optimization, resulting in problems such as weak identification capabilities, high false alarm rates, delayed response, and rigid compliance strategies.
Employing an anomaly detection model, a layered blockchain architecture, a layered reinforcement learning model, and a dynamic response strategy, this approach automates and intelligently manages attack event detection, threat intelligence sharing, dynamic disaster recovery, and compliance strategies. The anomaly detection model is trained using the Isolation Forest algorithm, threat intelligence is shared layer by layer using the blockchain, a layered reinforcement learning model is constructed for dynamic response, and the policy network is optimized through a reward function.
It improved the identification rate of unknown threats, reduced the false alarm rate, achieved real-time response and dynamic compliance, and enhanced the system's adaptability and overall response efficiency.
Smart Images

Figure CN121173553B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of information security technology, and in particular to an internet confidentiality self-monitoring and handling system and method. Background Technology
[0002] Existing internet security monitoring systems face multidimensional challenges: In terms of anomaly detection, these systems rely on fixed feature libraries, resulting in weak identification capabilities for unknown threats and a high false alarm rate due to isolated alert mechanisms. Regarding intelligence sharing, centralized architectures lead to issues such as inadequate trust mechanisms, privacy risks, and performance bottlenecks. Disaster recovery response strategies are still based on preset cycles and fail to effectively integrate with real-time threat intelligence, resulting in lag in core asset protection. Compliance optimization heavily relies on manual configuration, making it difficult to dynamically adapt to the constantly changing threat environment and multi-domain compliance requirements (such as GDPR and PCI-DSS), easily leading to conflicts between security strategies and business objectives. More fundamentally, traditional systems lack a collaborative optimization mechanism for security effectiveness, business continuity, and compliance constraints, resulting in low overall response efficiency and significantly insufficient system adaptability. Summary of the Invention
[0003] This invention aims to solve the problem of how to automate and intelligently manage internet security supervision from anomaly detection to policy self-optimization by linking the entire process of attack detection, threat intelligence sharing, and dynamic response disaster recovery.
[0004] To solve the above-mentioned technical problems, the technical solution adopted by the present invention is as follows:
[0005] A self-regulatory method for internet security, comprising:
[0006] Attack event detection steps: Collect system behavior data, calculate real-time anomaly scores using a trained anomaly detection model, and determine whether an attack event has been triggered based on a dynamic threshold;
[0007] Threat intelligence sharing steps: The attack events are subjected to feature extraction and de-identification processing to generate feature summaries, and cross-business domain sharing is achieved through a blockchain layered architecture;
[0008] Disaster recovery handling steps: Calculate the disaster recovery priority based on the threat parameters of the attack event. When the disaster recovery priority exceeds a preset threshold, trigger the corresponding disaster recovery protection action.
[0009] Dynamic response steps: Construct a hierarchical reinforcement learning model, combine security objectives, business constraints and compliance rules to generate disposal strategies, and optimize the strategy network through a reward function.
[0010] Furthermore, the attack event detection step includes: training a normal behavior profile using the Isolation Forest algorithm. The training data comes from whitelisted behavior data within 30 days after system deployment, excluding data during holidays and system upgrade periods. The number of trees is 100, and the subsampling size is 256.
[0011] Output anomaly scores in the range of 0-1 for real-time data;
[0012] Historical abnormal score samples were fitted using a normal distribution. The initial threshold was set to μ+3σ. The data was refitted every 24 hours based on newly added normal data. If there were no abnormalities exceeding the threshold for three consecutive times, the threshold was lowered to μ+2.5σ, and otherwise it was raised to μ+3.5σ.
[0013] Furthermore, the data is cleaned before training the normal behavior profile: the forward filling method is used to handle ≤5% missing sampling points, and the Z-score method is used to remove outliers with |Z|>3, with a training data volume of ≥50,000 records.
[0014] Furthermore, the threat intelligence sharing steps include:
[0015] Feature digest generation: Extract threat type identifier, SHA-256 hash of attack source IP, feature vector hash of process call sequence, timestamp and confidence level, and generate feature digest after de-identification;
[0016] Blockchain layered sharing: The sidechain layer is divided according to business domain, and the intelligence of nodes within the shard is synchronized through PBFT consensus with a latency of <500ms; when a cross-domain attack is detected, the intelligence root hash is anchored to the main chain, and the main chain adopts PoS consensus with a block interval of 10 minutes.
[0017] Privacy protection: A private set intersection protocol with secure multi-party computation is used to enable participants to verify common threat sources without disclosing plaintext data.
[0018] Furthermore, the disaster recovery and handling steps include:
[0019] Disaster recovery priority is calculated using the following formula: Disaster recovery priority = Basic importance score × Attack severity level × Attack tactics score × Target clarity score × Dynamic confidence multiplier;
[0020] The attack severity level is based on the CVSS 4.0 scoring system, which maps CVSS scores of 9.0-10.0 to 10 points, 7.0-8.9 to 8 points, 5.0-6.9 to 5 points, and 0.1-4.9 to 2 points.
[0021] Furthermore, the disaster recovery protection actions include:
[0022] Call the virtual machine snapshot system to perform real-time snapshots of the core database, with an RTO of <5 minutes, and synchronize them to off-site cloud storage;
[0023] Based on the five-tuple, abnormal connections related to attack events are blocked, while access is allowed from IPs on a preset whitelist. The blocking rules are distributed to the firewall through the SDN controller, and a 2-hour countdown is set for automatic release. Before release, two-factor authentication confirmation by the security administrator is required.
[0024] Furthermore, in the dynamic response step, the hierarchical reinforcement learning model includes:
[0025] High-level policy network: Loads a compliance knowledge base and generates sub-objectives that include security objectives, business constraints, and compliance constraints after receiving threat intelligence;
[0026] The underlying policy network: The atomic action space includes firewall blocking of IPs, EDR process termination, and IAM account freezing, and the action sequence is selected through the Q-learning algorithm.
[0027] Furthermore, the reward function is calculated as follows:
[0028] Reward = α×S + β×B + γ×C, where S is the security effectiveness score, B is the business continuity score, and C is the compliance score.
[0029] The default values for core business systems are β=0.5, α=0.3, and γ=0.2; the default values for non-core systems are α=0.5, β=0.2, and γ=0.3. The weight configuration is fixed to the policy network after being approved by the compliance department.
[0030] Furthermore, the dynamic response step also includes strategy optimization:
[0031] In the first 1000 rounds, expert rules were fitted through imitation learning, and negative reward values were assigned to incorrect decisions;
[0032] During the reinforcement learning phase, the policy network weights are adjusted every 100 rounds using gradient descent with a learning rate of 0.001. The policy is solidified when the reward fluctuation is ≤5% for 50 consecutive rounds. The weight configuration can be updated quarterly via API, and the update records are automatically uploaded to the blockchain for notarization.
[0033] An internet security self-monitoring and handling system includes:
[0034] Intelligent data acquisition agent: Deployed on servers, terminals and network devices, it collects system call sequences, network connection modes, CPU utilization and I / O rates of the data acquisition process, with a sampling period of 10 seconds / time;
[0035] Dynamic baseline analysis module: Performs the attack event detection steps described above;
[0036] Blockchain collaboration module: Performs the threat intelligence sharing steps described above;
[0037] 3D Disaster Recovery Module: Performs the disaster recovery procedures described above;
[0038] Compliance self-optimization module: Executes the dynamic response steps described above.
[0039] Compared with the prior art, the beneficial effects of the present invention include:
[0040] This invention solves the technical problems of traditional systems, such as reliance on fixed rules, low efficiency of intelligence sharing, passive and lagging disaster recovery, and rigid compliance policies, through a closed-loop design of the entire process of threat perception, intelligence collaboration, disaster recovery response, and policy optimization. Attached Figure Description
[0041] The disclosure of this invention is illustrated with reference to the accompanying drawings. It should be understood that the drawings are for illustrative purposes only and are not intended to limit the scope of protection of this invention. In the drawings, the same reference numerals are used to refer to the same parts. Wherein:
[0042] Figure 1 This is a flowchart of the processing method of the present invention.
[0043] Figure 2 This is a flowchart of the attack event detection steps. Detailed Implementation
[0044] It is readily understood that, based on the technical solution of this invention, those skilled in the art can propose various interchangeable structural methods and implementations without altering the essential spirit of the invention. Therefore, the following detailed embodiments and accompanying drawings are merely illustrative examples of the technical solution of this invention and should not be considered as the entirety of the invention or as limitations or restrictions on the technical solution of this invention.
[0045] As shown in the attached diagram, this invention is applied to a commercial bank's internet security self-regulation scenario, requiring the protection of its core transaction system (daily transaction volume of 3 million transactions, RTO ≤ 5 minutes) and sensitive customer data (compliant with GDPR and the State Financial Regulatory Commission's "Cybersecurity Management Measures"). The system is deployed in the head office data center and three off-site disaster recovery nodes, connecting to the existing Palo Alto firewall (IP blocking response latency ≤ 100ms), CrowdStrike EDR (process termination success rate ≥ 99.5%), and VMware snapshot system (snapshot generation time ≤ 30 seconds). Through layered reinforcement learning and blockchain collaboration, it achieves threat self-management and compliance closed-loop.
[0046] S100, the attack event detection steps are as follows:
[0047] S110, Intelligent Data Acquisition Agent Deployment: Install a lightweight agent on servers (core database, application server), terminals, and network switches. Data acquisition dimensions include:
[0048] A. Process system call sequence (e.g., sys_read / sys_write call frequency, sampling period 10 seconds / call);
[0049] B. Network connection mode (source IP: port connection frequency, 5-tuple log contains IP hash value).
[0050] C. Resource metrics (CPU utilization 5-minute moving average, I / O rate (MB / s)).
[0051] S120, normal behavior baseline training includes:
[0052] S121, Data Cleaning: Exclude data from the first 3 days of system deployment (initialization phase), use 30 days of whitelisted data (manually labeled with no attack events), process 3% missing values using forward imputation, and remove 2% outliers using Z-score (such as data from backup periods when CPU was at 100% instantaneously).
[0053] S122, Model Training: The Isolation Forest algorithm (number of trees = 100, subsampling size = 256) is used to generate a 128-dimensional feature vector (network connection frequency is normalized to [0,1], and process call sequence is transformed by TF-IDF).
[0054] S123, Anomaly detection threshold: Calculate the average distance from the sample point to the isolation hyperplane in real time (normalized to [0,1]), and set the dynamic threshold to μ+3σ (μ=0.3, σ=0.1→threshold=0.6). Trigger an alarm when the anomaly score is greater than the threshold for 3 consecutive times.
[0055] When process PID=4521 (not in the whitelist) initiates a connection to 192.168.1.100:8080 (frequency > 10 times the baseline), and the 5-minute moving average of CPU usage is 85% (baseline μ=30%, σ=15% → anomaly score=0.82>threshold 0.6), it is determined to be a "data outage attack event" with a confidence level of 92%.
[0056] S200, the steps for sharing threat intelligence are as follows:
[0057] The blockchain's layered and sharded architecture is as follows:
[0058] Main chain layer: responsible for cross-domain intelligence verification, adopts PoS consensus (staking tokens = 1000 tokens / node, block interval 10 minutes), and the malicious node penalty mechanism is to deduct 50% of the staked tokens;
[0059] Sharded sidechain layer: Divided into 3 shards according to business domain (core transaction / personal credit / financial management), each shard contains 5 PBFT consensus nodes (fault tolerance f=1), and data synchronization within the shard is achieved through incremental hash synchronization (Merkle branch size ≤2KB), with a latency of <500ms.
[0060] S210, Cross-Domain Intelligence Verification Process:
[0061] S211, Cross-domain attack detection: When the "core transaction shard" and "personal credit shard" simultaneously detect abnormal connections from the same IP (203.0.113.5), a cross-domain intelligence joint hash (SHA-256 (shard 1 root hash + shard 2 root hash)) is generated.
[0062] S212, Main Chain Anchoring: The joint hash is written into the CrossDomainHash field of the block header by the main chain validator node (PoS consensus), and other shards achieve global awareness by querying the root hash of the main chain block H+1.
[0063] The dynamic response steps for S300 are as follows:
[0064] S310, Construct a hierarchical reinforcement learning model, including:
[0065] High-level policy network: Loads a compliance knowledge base through a structured rule parser, transforming natural language clauses into a three-dimensional constraint vector (security objective S / business constraint B / compliance rule C):
[0066] Example ①: GDPR Article 4 "Data Minimization Principle" → Vector [0.8, 0, 0.2] (S weight 0.8, C weight 0.2);
[0067] Example ②: Article 22 of the "Measures for the Administration of Cybersecurity" issued by the State Financial Supervision and Administration Bureau of China: "Logs must be retained for at least 6 months" → Vector [0, 0.9, 0.1] (B weight 0.9).
[0068] The underlying policy network contains 5 classes of atomic actions in its action space. The Q-value formula for the Q-learning algorithm is:
[0069] Q(s,a) = Q(s,a) + α[r + γ×maxQ(s',a') - Q(s,a)]
[0070] in:
[0071] State s = Attack event feature vector (threat type = data leakage, confidence level = 0.92, system type = core transaction);
[0072] Action a = Atomic action (block IP / terminate process / snapshot restore / account freeze / traffic throttling);
[0073] The reward r is calculated using the Reward function (see below).
[0074] S320, Reward Function and Strategy Optimization
[0075] Scoring rules include
[0076] Safety and effectiveness S: Successful blocking = +10 points, failure = -5 points;
[0077] Business Continuity B: Transaction delay 80ms ≤ threshold 100ms = +8 points, interruption = -20 points;
[0078] Compliance score C: Logs containing IP hash + operation time + executor ID = +10 points, missing any one item = -5 points.
[0079] Weight configuration
[0080] Core business systems (such as transaction systems): α=0.3 (S), β=0.5 (B), γ=0.2 (C);
[0081] Non-core systems (such as office terminals): α=0.5, β=0.2, γ=0.3;
[0082] Industry compatibility: Medical systems (compliance priority) γ=0.4, Internet companies (business priority) β=0.4. Adjustments require approval from the compliance department via API (generating an electronic signature configuration file and storing it on the main chain's Config field).
[0083] Strategy solidification
[0084] The first 1000 rounds of imitation learning: fit expert rules (such as "data leakage → block IP + terminate process"), and mark negative rewards (r=-15 points) for misjudgment decisions (such as mistakenly blocking normal transactions).
[0085] Reinforcement learning phase: Every 100 rounds, the weights are adjusted using gradient descent (learning rate = 0.001). When the Q-value fluctuation is ≤5% for 50 consecutive rounds and the reward is stable at 9±0.4 points, the strategy is solidified into a .pkl model file and stored on the blockchain.
[0086] S330, Dynamic Response Example
[0087] Upon detecting a data leakage attack: The high-level policy network generates sub-objectives: "Block the threat (S) + Do not interrupt transactions (B) + Log compliance (C)"; The low-level policy network selects an action sequence through Q-learning: [Block IP=203.0.113.5 → Terminate process PID=4521 → Save audit log]; Reward calculation: S=+10 points, B=+8 points (transaction delay 80ms), C=+10 points (log complies with GDPR), Reward under core system weight = 0.3×10+0.5×8+0.2×10=9 points; Policy solidification: If the Reward fluctuation is ≤5% for 50 consecutive rounds, the action sequence is solidified as the default handling policy and stored on the blockchain shard sidechain.
[0088] S400 Disaster Recovery and Handling Procedures
[0089] The priority calculation formula for the dynamic disaster recovery priority model is: Disaster recovery priority = Basic importance score × Attack severity level × Recovery difficulty coefficient × Data value coefficient
[0090] Basic importance score: Core database = 80 points (based on the first-level importance of the "Guidelines for Information Technology Risk Management of Commercial Banks"), Office terminal = 30 points;
[0091] Attack severity level: based on MITRE ATT&CK attack chain match (full chain match = 10 points, single stage = 5 points).
[0092] Recovery difficulty level: Snapshot recovery = 9 points, data reconstruction = 5 points;
[0093] Data value coefficient: Customer transaction data = 10 points, log data = 1 point.
[0094] Disaster recovery response example
[0095] The core database has been subjected to a "data leak attack" (attack severity = 10 points, recovery difficulty = 9 points, data value = 10 points), priority = 80 × 10 × 9 × 10 = 72000 points (trigger threshold = 40000 points). The system will automatically execute:
[0096] Traffic is switched to the backup node (RTO = 4 minutes ≤ threshold 5 minutes).
[0097] Generate a visual map of the attack path (including 203.0.113.5 → PID=4521 → data outgoing timeline).
[0098] The audit report passed the compliance inspection by the State Financial Regulatory Commission (log retention = 6 months, including IP hash and the ID of the person in charge).
[0099] It should be noted that those skilled in the art will understand that the above embodiments are merely illustrative and that model parameters (such as the number of trees and the learning rate) and action space (adding a "file isolation" action) can be adjusted without departing from the technical concept of the present invention. All such modifications fall within the protection scope of the present invention.
[0100] The advantages of this invention are:
[0101] 1. By combining hierarchical reinforcement learning with dynamic mapping of compliance clauses, the strategy can be self-evolved, overcoming the lag of manual configuration;
[0102] 2. The threat-driven dynamic disaster recovery prioritization model transforms passive backup into proactive response, significantly reducing the losses caused by attacks;
[0103] 3. An anomaly detection method based on multi-dimensional features and behavioral correlation graphs improves the identification rate of unknown threats.
[0104] The technical scope of this invention is not limited to the content described above. Those skilled in the art can make various modifications and variations to the above embodiments without departing from the technical concept of this invention, and all such modifications and variations should fall within the protection scope of this invention.
Claims
1. A method for self-regulating and handling internet security issues, characterized in that, Includes the following steps: Attack detection steps: Using system whitelist behavior data as training samples, an anomaly detection model is trained using the Isolation Forest algorithm with 100 trees and a subsampling size of 256. Anomaly scores within the range of 0-1 are output for real-time collected system behavior data. A normal distribution is fitted based on historical anomaly score samples to obtain the sample mean μ and standard deviation σ, with an initial dynamic threshold set to μ+3σ. Every 24 hours, the model is refitted with newly added normal data, and μ and σ are updated, constituting one refitting cycle. If no anomalies exceed the threshold within three consecutive refitting cycles, the dynamic threshold is lowered to μ+2.5σ; otherwise, it is raised to μ+3.5σ. When the real-time anomaly score exceeds the current dynamic threshold, an attack event is triggered. Threat intelligence sharing steps: The attack events are characterized and anonymized. Threat type identifiers, SHA-256 hash values of the attack source IP, feature vector hash values of process call sequences, and timestamps are extracted and anonymized to form a feature digest. Shard sidechains are divided according to business domains. Intelligence synchronization between nodes within each shard is achieved through the PBFT consensus protocol. When a cross-domain attack is detected, the intelligence root hash is anchored to the main chain. The main chain uses the PoS consensus protocol with a block interval of 10 minutes. A Private Set Intersection (PSI) protocol based on secure multi-party computation is adopted, enabling all participants to verify common threat sources without disclosing plaintext data to each other, thus achieving cross-business domain intelligence sharing. Disaster recovery procedures: Based on the threat parameters of the attack event, the disaster recovery priority is calculated according to the following formula: Disaster recovery priority = Basic importance score × Attack severity level × Recovery difficulty coefficient × Data value coefficient; where, the basic importance score is assessed based on the business importance level of the protected asset; the attack severity level is mapped based on the MITRE ATT&CK attack chain matching degree, and the more complete the attack chain matching degree, the higher the level; the recovery difficulty coefficient is assessed based on the recovery method required for the data; the data value coefficient is assessed based on the sensitivity and business value of the data; when the disaster recovery priority exceeds a preset threshold, the corresponding disaster recovery protection action is triggered; Dynamic response steps: Construct a hierarchical reinforcement learning model; the hierarchical reinforcement learning model includes a high-level policy network and a low-level policy network; the high-level policy network is used to load a compliance knowledge base, and after receiving threat intelligence, generates sub-objectives containing security objectives, business constraints, and compliance constraints; the atomic action space of the low-level policy network includes firewall blocking of IPs, EDR process termination, and IAM account freezing. Using the sub-objectives and attack event feature vectors output by the high-level policy network as state inputs, an action sequence is selected in the atomic action space using the Q-learning algorithm; the policy network is optimized using the reward function Reward=α×S+β×B+γ×C, where S is the security effectiveness score, B is the business continuity score, C is the compliance score, and α, β, and γ are corresponding weight coefficients; generate a handling strategy.
2. The internet confidentiality self-monitoring and handling method according to claim 1, characterized in that, In the attack event detection step, before training the anomaly detection model, the training data is preprocessed as follows: data collected during the initial stage of system deployment, holidays, and system upgrade periods are excluded; missing sampling points with a sampling missing rate of no more than 5% are processed using the forward imputation method; outliers with |Z|>3 are removed using the Z-score method; and the total amount of training data is no less than 50,000 records.
3. The internet confidentiality self-monitoring and handling method according to claim 1, characterized in that, The disaster recovery protection actions include: calling the virtual machine snapshot system to perform real-time snapshots of the core database and synchronizing them to off-site cloud storage; blocking abnormal connections related to the attack event based on the five-tuple, allowing pre-defined whitelisted IPs to continue accessing the network, with the blocking rules being distributed to the firewall through the SDN controller and a 2-hour countdown timer set; automatically lifting the blocking rules after the expiration of the validity period; and requiring manual lifting of the blocking rules in advance during the countdown period, which must be confirmed by the security administrator through two-factor authentication.
4. The internet confidentiality self-monitoring and handling method according to claim 1, characterized in that, The dynamic response step also includes a strategy optimization process: first, it performs imitation learning through 1000 training iterations to fit expert handling rules and labels negative reward values for misjudgment decisions; then it enters the reinforcement learning stage: every 100 training iterations, the parameter weights of the policy network are adjusted using gradient descent, with the learning rate set to 0.001; when the Reward value fluctuation range of 50 consecutive training iterations does not exceed 5%, the policy network is solidified; the solidified policy network weight configuration can be updated quarterly via API interface, and the update records are automatically uploaded to the blockchain for notarization.
5. An internet security self-monitoring and handling system, characterized in that, include: The intelligent data acquisition agent is deployed on servers, terminals, and network devices to collect process system call sequences, network connection modes, CPU utilization, and I / O rates, with a sampling period of 10 seconds per instance. The dynamic baseline analysis module is used to perform the attack event detection step as described in any one of claims 1 to 2; A blockchain collaboration module is used to execute the threat intelligence sharing steps described in claim 1; A three-dimensional disaster recovery module is used to execute the disaster recovery handling steps as described in claim 1 or 3; The compliance self-optimization module is used to execute the dynamic response steps described in claim 1 or 4.