A data security risk quantitative dynamic evaluation method and system
By constructing a risk distribution map and dynamic monitoring strategies, identifying mutation nodes and assessing risk spread, the problem of real-time assessment and control of data security risks in multi-node systems is solved, achieving efficient risk management and prevention.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- HENAN DINGXIN INFORMATION SECURITY RATING EVALUATION CO LTD
- Filing Date
- 2025-12-16
- Publication Date
- 2026-06-23
AI Technical Summary
Existing technologies struggle to assess and control data security risks in a real-time and comprehensive manner in multi-node systems. Especially in complex network environments, traditional methods are unable to cope with the rapid changes and spread of risks, resulting in lagging protective measures and a lack of real-time monitoring and dynamic adjustment mechanisms.
By collecting real-time interaction data from a multi-node system, a risk distribution map is constructed, mutation nodes and target areas are identified, the risk spread range is assessed, monitoring frequency parameters are generated, risk monitoring strategies are adjusted, multi-node collaborative control schemes are determined, and the safety strategy is optimized through simulation verification.
It has enabled precise risk control of multi-node systems, improved the timeliness of risk warnings and the synergy of prevention and control strategies, enhanced the initiative and overall effectiveness of data security management, and significantly improved the objectivity and accuracy of risk perception.
Smart Images

Figure CN121644199B_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of data security technology, and in particular to a method and system for dynamic assessment of data security risks. Background Technology
[0002] With the rapid development of information technology, especially the widespread application of cloud computing, big data, and the Internet of Things, data security has become a critical issue for enterprises and organizations worldwide. In complex, multi-node interactive environments, ensuring the security, integrity, and confidentiality of data during transmission has become a key challenge, particularly in financial transactions involving sensitive data, medical record storage, and industrial control systems, where any data breach or tampering can have serious consequences.
[0003] Currently, traditional data security measures often focus on the security of a single node or static security strategies, neglecting the complex interactions between multiple nodes and their potential impact on data security. Because the frequency of interactions and risk fluctuations between nodes in a multi-node system change over time, traditional methods cannot comprehensively and in real-time assess and control potential security risks. Especially in highly dynamic network environments, existing methods struggle to cope with the rapid changes and spread of risks, and protective measures may lag behind, resulting in risks not being detected and controlled in a timely manner. To address this issue, some existing technologies attempt to conduct static risk assessments by introducing factors such as data leakage probability and node vulnerability scores; however, these methods often lack real-time monitoring and dynamic adjustment mechanisms, failing to accurately reflect the time-varying characteristics of risks. Furthermore, the lack of comprehensive analysis of the intensity of interactions between nodes and the frequency of risk fluctuations also limits the accuracy and real-time nature of risk assessments.
[0004] Therefore, there is an urgent need for a comprehensive risk quantification assessment method based on dynamic data collection and analysis, which can capture and respond to risk fluctuations in multi-node systems in real time, and ensure effective prevention and optimization of data security in complex network environments. Summary of the Invention
[0005] To address the aforementioned technical issues, this application provides a method and system for dynamic assessment of data security risks, which enables precise control of data security risks in multi-node systems, significantly improving the timeliness of risk warnings, the synergy of prevention and control strategies, and the overall effectiveness of security management.
[0006] Firstly, this application provides a method for quantitative and dynamic assessment of data security risks, the method comprising:
[0007] Step S1: Collect real-time interaction data between nodes in the multi-node system, combine it with the preset risk assessment model, calculate the initial data leakage probability and vulnerability score of each node, and construct a preliminary risk distribution map;
[0008] Step S2: Based on the preliminary risk distribution map, analyze the risk fluctuation frequency change trend of each node, identify potential threats, and mark nodes with risk fluctuation frequencies higher than a preset threshold as mutation nodes, and define the area where the mutation nodes are located as the target area.
[0009] Step S3: For the target area, assess the risk spread range and mark high-risk transmission chains, extract critical paths from the high-risk transmission chains, calculate the risk cumulative effect index value of the critical paths, and generate monitoring frequency parameters;
[0010] Step S4: Adjust the risk monitoring strategy based on the monitoring frequency parameters, update the risk assessment matrix, analyze the synchronization requirements of the interaction intensity between nodes according to the risk assessment matrix, and determine the multi-node collaborative control scheme.
[0011] Step S5: Construct a multi-stage interactive scenario, simulate and verify the multi-node collaborative control scheme, determine whether the risk fluctuation frequency has reached a stable state, and output the final data security risk control scheme.
[0012] Secondly, this application provides a data security risk quantification and dynamic assessment system, the system comprising:
[0013] The preliminary analysis module is used to collect interaction data between nodes in a multi-node system in real time, and combined with a preset risk assessment model, calculate the initial data leakage probability and vulnerability score of each node to construct a preliminary risk distribution map.
[0014] The anomaly identification module is used to analyze the risk fluctuation frequency change trend of each node based on the preliminary risk distribution map, identify potential threats, and mark nodes with risk fluctuation frequencies higher than a preset threshold as mutation nodes, and define the area where the mutation node is located as the target area.
[0015] The risk positioning module is used to assess the risk spread range and mark high-risk transmission chains for the target area, extract critical paths from the high-risk transmission chains, calculate the risk cumulative effect index value of the critical paths, and generate monitoring frequency parameters.
[0016] The monitoring and control module is used to adjust the risk monitoring strategy based on the monitoring frequency parameter, update the risk assessment matrix, analyze the synchronization requirements of the interaction intensity between nodes based on the risk assessment matrix, and determine a multi-node collaborative control scheme.
[0017] The simulation verification module is used to construct multi-stage interactive scenarios, simulate and verify the multi-node collaborative control scheme, determine whether the risk fluctuation frequency has reached a stable state, and output the final data security risk control scheme.
[0018] Compared with the prior art, the beneficial effects of this application are at least as follows:
[0019] This application provides a method and system for dynamic assessment of data security risks. By extracting interaction intensity and fluctuation frequency characteristics from real-time interactive data and constructing a quantitative risk distribution map, it realizes a fundamental transformation from qualitative judgment to quantitative visualization of the security status of multi-node systems, and greatly improves the objectivity and accuracy of risk perception.
[0020] By identifying mutation nodes and target areas, assessing risk diffusion chains, and dynamically generating monitoring parameters based on path simulation, the focus of risk prevention and control shifts from static node reinforcement to dynamic propagation path blocking, significantly improving the timeliness of early warning and the accuracy of intervention for high-risk and highly diffuse threats.
[0021] This application also continuously optimizes monitoring strategies and generates collaborative control schemes by integrating real-time status data, and finally verifies the effectiveness of the schemes through simulation, forming a complete "assessment-early warning-control-verification" intelligent closed loop. This enables security strategies to adapt to the ever-changing network environment and threat landscape, thereby fundamentally improving the initiative, collaboration and overall effectiveness of data security risk management in complex systems. Attached Figure Description
[0022] To more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings used in the description of the embodiments will be briefly introduced below. Obviously, the drawings described below are some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0023] Figure 1 This is a flowchart of a data security risk quantification and dynamic assessment method according to an embodiment of this application;
[0024] Figure 2 This is a schematic diagram of the risk topology of an embodiment of this application;
[0025] Figure 3 This is a schematic diagram comparing the performance of the technical solution of this application with that of traditional solutions in an embodiment of this application;
[0026] Figure 4 This is a schematic diagram of the structure of a data security risk quantification and dynamic assessment system according to an embodiment of this application. Detailed Implementation
[0027] This application provides a method and system for dynamic assessment of data security risks. The terms "first," "second," "third," "fourth," etc. (if present) in the specification, claims, and accompanying drawings are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that such use of terms can be interchanged where appropriate so that the embodiments described herein can be implemented in a sequence other than that illustrated or described herein. Furthermore, the terms "comprising" or "having" and any variations thereof are intended to cover non-exclusive inclusion; for example, a process, method, system, product, or device that includes a series of steps or units is not necessarily limited to those steps or units explicitly listed, but may include other steps or units not explicitly listed or inherent to such processes, methods, products, or devices.
[0028] For ease of understanding, the specific process of the embodiments of this application is described below. Please refer to [link / reference]. Figure 1 One embodiment of the data security risk quantification and dynamic assessment method in this application includes:
[0029] Step S1: Collect real-time interaction data between nodes in the multi-node system, combine it with the preset risk assessment model, calculate the initial data leakage probability and vulnerability score of each node, and construct a preliminary risk distribution map.
[0030] Step S1 includes: constructing a node association network based on real-time interaction data collected in the multi-node system using graph structure analysis technology, and calculating the interaction strength index between nodes; performing time-series analysis on the interaction strength index to extract characteristic data of risk fluctuation frequency; inputting the interaction strength index and the characteristic data of risk fluctuation frequency into a preset risk assessment model to calculate the initial data leakage probability of each node; calculating the vulnerability score of each node based on the initial data leakage probability value and the interaction strength index; and constructing a preliminary risk distribution map based on the vulnerability score, the data leakage probability value, and the node association relationship.
[0031] Specifically, in the dynamic assessment of data security risks, accurate modeling of the interaction behavior of multi-node systems is the primary foundation for risk quantification. Its core lies in constructing a risk distribution map that reflects the dynamic relationships and risk states between nodes. In practice, real-time interaction data between nodes is first acquired using tools such as system logs and network traffic probes. This real-time interaction data, as raw data, contains key information such as the source node, target node, timestamp, data volume, and interaction results. Essentially, it is a digital log of system interaction behavior, providing a data foundation for subsequent graph structure modeling. To transform discrete, dynamic interaction logs into a structured model capable of quantitative analysis, graph analysis techniques are employed for data processing. This process first cleans and aggregates the original interaction logs, filtering out invalid records and merging recurring interaction events within a short period. Subsequently, the entire multi-node system is modeled as a directed weighted graph, where each node corresponds to a business entity within the system, such as a server, service instance, or user terminal. Each directed edge represents an interaction relationship from one entity to another. The edge weight, i.e., the interaction strength index, is determined by calculating the product of the interaction frequency and the amount of interaction data between the node pairs corresponding to that edge within a specific time window. The interaction frequency reflects the tightness of the connection between nodes, while the amount of interaction data characterizes the importance of the connection. The product of these two factors comprehensively reflects the actual strength of the association between nodes, ensuring that this index is not only structural but also dynamic and carries business semantics. For example, in a 10-minute sampling window of an online payment system, if a user service node initiates 50 requests to the payment gateway node and transmits 150MB of data, its interaction strength index is: 50×150=750. This index comprehensively reflects the tightness of the connection between nodes and the importance of the business, providing a dynamic and semantic data foundation for subsequent risk quantification.
[0032] After obtaining the interaction strength index, further time-series analysis is performed to extract dynamic risk characteristics. Specifically, for each node, statistical analysis is conducted on the strength index sequence of all its interaction edges, calculating the standard deviation of fluctuation and peak frequency of the sequence per unit time, thereby obtaining the risk fluctuation frequency characteristic data of that node. For example, in an online payment system, the interaction strength index sequence from the user service node to the payment gateway node is continuously monitored. By analyzing its strength value within one hour, the standard deviation of fluctuation per minute is calculated to be 45. At the same time, eight sudden peaks exceeding twice the average strength are identified. This risk fluctuation frequency characteristic data quantifies the abnormal fluctuation and sudden activity of the interaction link behavior, directly characterizing the real-time risk level of abnormal access or potential attacks faced by this core business path.
[0033] Next, the interaction intensity index and risk fluctuation frequency feature data are combined to construct a multi-dimensional feature vector, which serves as the input to a pre-defined risk assessment model. This model is a logistic regression classifier trained based on labeled samples from historical data breach events. During model training, the feature vector of each sample consists of the interaction intensity and fluctuation frequency features of the same node within the same time window extracted from historical interaction logs. The sample label is binary-coded according to whether a data breach event actually occurred at that node during the subsequent pre-defined observation period, with 1 indicating a breach and 0 indicating no breach. The model learns the feature weights through an optimization algorithm, and its decision function is: ,in, The weight coefficients obtained through learning, These represent the values corresponding to the interaction strength index and the risk fluctuation frequency characteristic data, respectively. b is the bias term. In the application phase, the real-time feature vector of the user service node in the online payment system, for example, an interaction strength of 750 and a fluctuation frequency characteristic value of 45, is substituted into the function to calculate the z-value, and then processed using the sigmoid function: This is mapped to an initial data leakage probability value between 0 and 1, which quantifies the likelihood of a node leaking under the current dynamic behavior pattern, providing a key risk quantification output for subsequent vulnerability assessment.
[0034] After obtaining the initial data leakage probability of a node, its vulnerability score is calculated using a weighted fusion algorithm, combining this probability value with the interaction strength indicators of all outgoing edges. For example, for a user service node in an online payment system, its initial leakage probability is 0.6, its interaction strength with the payment gateway is 750, and its interaction strength with the log service is 10. Setting the leakage probability weight as α=0.7 and the total interaction strength weight as β=0.3, and performing normalization, the vulnerability score of this node is calculated. This rating quantifies the inherent risk of a node and its propagation impact within the business chain. Furthermore, it considers not only the node's own leakage risk but also its interactive influence within the network; nodes with high interaction intensity have higher inherent risks and correspondingly higher vulnerability scores. Finally, using each node in the system as the basic unit, the vulnerability score and initial data leakage probability are used as attributes, and interaction intensity is used as the weight of the connecting edges to construct a preliminary risk distribution map. This map is typically represented as a visual network graph where node color depth represents risk level and edge thickness represents interaction intensity, providing a structured and quantitative global data foundation for subsequent risk trend analysis, threat identification, and propagation assessment.
[0035] Step S2: Based on the preliminary risk distribution map, analyze the risk fluctuation frequency change trend of each node, identify potential threats, and mark nodes with risk fluctuation frequencies higher than the preset threshold as mutation nodes, and define the area where the mutation nodes are located as the target area.
[0036] Step S2 includes: extracting the vulnerability scores and initial data leakage probability of each node from the preliminary risk distribution map; analyzing the fluctuation trend of the time-series data and comparing it with historical behavior data to identify abnormal behavior patterns; determining potential threat characteristics based on abnormal behavior patterns and calculating the dynamic value of risk fluctuation frequency for each node; marking nodes with dynamic values higher than a preset threshold as mutation nodes to form a mutation node set; and locating node regions with risk fluctuation frequencies higher than a preset threshold based on the distribution of the mutation node set, defining them as target regions.
[0037] Specifically, after constructing a preliminary risk distribution map, the process moves into the dynamic threat identification phase. The core of this phase lies in continuously monitoring the temporal evolution of risk indicators at each node in the map to identify behaviors deviating from normal patterns and accurately pinpoint high-risk areas. In practice, vulnerability scores and initial data leakage probability values for each node are periodically extracted from the established map, forming their respective time-series data. For example, during the monitoring of an online payment system, vulnerability score sequences for user service nodes are recorded at minute intervals, such as 0.35, 0.38, 0.52, 0.48, 0.61, and their data leakage probability sequences, such as 0.10, 0.11, 0.15, 0.14, 0.20; these sequences directly and quantitatively reflect the dynamic evolution of the node's security status. To analyze its fluctuation trend, a moving average filter is first applied to each sequence to smooth short-term noise. Then, the standard deviation and slope of the sequence within the sliding time window are calculated. Taking the user service node mentioned above as an example, the standard deviation of its vulnerability score sequence in the last five minutes is calculated to be 0.11, while the typical baseline standard deviation of the same time period in the past week is 0.03. By comparing with historical behavior data and using Euclidean distance or cosine similarity for quantitative comparison, the historical behavior data is stored in the historical behavior feature database, which contains the typical fluctuation range, mean and change pattern of various nodes under normal business cycles. The Euclidean distance calculation result between the current sequence and the historical normal pattern is significantly greater than the preset similarity threshold, such as 1.0, and is thus identified as an abnormal behavior pattern. This pattern reveals an abnormal feature of a rapid increase in vulnerability score in a short period of time.
[0038] Furthermore, key features are extracted based on the identified anomaly patterns, such as the starting point of the score increase, the average rate of increase, and the peak amplitude, and these are used to construct a potential threat feature. The constructed threat feature vector is used as a time-domain signal input, and the discrete-time series is transformed to the frequency domain using a Fast Fourier Transform to obtain its spectral distribution. The dominant frequency component with the highest energy in the spectrum is identified, for example, located at 0.8 Hz. The amplitude of this frequency component far exceeds the noise floor, and this 0.8 Hz is extracted as the dynamic value of the risk fluctuation frequency, indicating that the abnormal behavior in the threat feature signal repeats at a period of approximately 0.8 times per second, quantifying the intensity of the risk oscillation. Nodes with dynamic values higher than a preset threshold, such as 0.4 Hz, are marked as mutation nodes. The preset threshold is set based on statistical analysis of early abnormal activities in a large number of historical attack events and is used to distinguish background noise from real threats. The above analysis process is performed on all nodes, and all marked mutation nodes are summarized to form a mutation node set.
[0039] Subsequently, based on the network topology coordinates of the set of mutated nodes, such as their logical location in the system architecture or IP address range information, spatial clustering algorithms, such as the density-based DBSCAN algorithm, are applied for analysis. This algorithm aggregates mutated nodes that are geographically close into different clusters by setting neighborhood radius and minimum number of points. For example, in a cloud computing environment, the DBSCAN algorithm may identify a dense cluster containing five mutated nodes, all of which are located in a subnet of the same Virtual Private Cloud (VPC). The continuous network area covered by this cluster, i.e., the subnet, is defined as a target area. This target area represents the range in which risky and abnormal activities are highly concentrated in logical space, providing a clear key investigation range for subsequent in-depth assessment of the spread path and potential impact of risks within this area. This achieves the transition from global risk situation awareness to precise local high-risk target location.
[0040] Step S3: For the target area, assess the risk spread range and mark high-risk transmission chains, extract critical paths from the high-risk transmission chains, calculate the risk cumulative effect index value of the critical paths, and generate monitoring frequency parameters.
[0041] Step S3, which assesses the scope of risk spread, includes: calculating the propagation path length between nodes based on the set of mutated nodes within the target area, and estimating the propagation delay time along each propagation path by combining historical interaction data; marking propagation paths with a propagation path length exceeding a preset threshold as high-risk propagation chains, and generating a list of high-risk propagation chains; calculating the breadth index of risk spread based on the propagation path length and delay time, defining the nodes within the network range covered by the breadth index as target nodes; calculating the degree of dependence of target nodes on high-risk propagation chains; analyzing the actual impact range of risk spread based on the degree of dependence, and updating the assessment results of the scope of risk spread according to the impact range.
[0042] Specifically, after identifying the target area comprised of the set of mutation nodes, the next step is an in-depth assessment of the risk diffusion range. The core of this phase lies in quantifying the potential breadth and impact chain of risk propagation from this area outwards. First, based on a visualized network diagram established from the risk distribution map, the propagation path length from each mutation node within the target area to other nodes in the network is calculated. For example, in the data center network of an online payment system, its risk topology diagram is as follows: Figure 2 As shown, assuming the mutation nodes in the target area include user service node A, payment gateway node P, and risk control center node R, during the evaluation, starting from mutation node A, the shortest path length from node A to core database node D is calculated using Dijkstra's shortest path algorithm. The weights of this algorithm are set as the reciprocal of the interaction strength between nodes, that is, the more frequent the interaction, the lower the weight of the link and the shorter the path length. If the interaction strength between A and P is 800 and the interaction strength between P and D is 500, then the weight of the path A→P is 1 / 800 and the weight of P→D is 1 / 500. The path length from A to D calculated accordingly is the sum of these two weights, which quantifies the theoretical distance of risk propagation along this link.
[0043] After obtaining the propagation path length, the propagation delay time along each path is further estimated by combining historical interaction data. Specifically, for the node pair to be evaluated, such as user service node A and database node D, the request-response time series of the node pair over the past N consecutive monitoring periods (e.g., 72) are extracted from the historical log database to form a time series dataset. This dataset is used as input to train an autoregressive moving average model, where the model order is determined by the AIC criterion. After training, the model captures the autocorrelation and moving average characteristics of the path response time. In the application phase, the actual response times of the most recent M periods (e.g., 10 periods) are used as model input, and the model outputs a predicted value for the delay time of the next period. This predicted value is corrected by incorporating the real-time load factor of the current network topology. The real-time load factor is calculated based on global CPU and bandwidth utilization. Finally, the estimated delay time (e.g., 2.5 milliseconds) for the risk to propagate from node A to node D along this path under the current system state is generated. This process combines the time series prediction model with specific network path performance evaluation, quantifying historical behavior patterns into a reliable estimate of future delays.
[0044] Next, the path length and delay time are combined, and a weighted calculation is performed to obtain a risk diffusion breadth index. The path length weight is set as follows: For example, 0.6, the delay time weight is For example, 0.4, then If a path length is 3.0 and the delay time is 2.5 milliseconds, then the breadth index is 2.8. A preset breadth threshold, such as 2.5, is set based on statistical analysis of the characteristics of propagation paths in historical risk events. All propagation paths with a breadth index exceeding this threshold are marked as high-risk propagation chains, and a list of high-risk propagation chains is generated. Subsequently, all nodes within the network range covered by the breadth index are defined as target nodes. Figure 2 Taking the online payment system shown as an example, starting from the mutation node A in the target area, the propagation occurs along a link with an interaction strength of 800 to node P, and then along a link with an interaction strength of 500 to node D, forming a typical propagation path A→P→D. Based on the weighted length and predicted delay of this path, if the calculated breadth index exceeds a preset threshold, the path A→P→D is marked as a high-risk propagation chain. The endpoint D of this chain and its adjacent downstream nodes L (log service) and S (settlement service) are defined as the target nodes corresponding to this chain. These nodes constitute the first wave of direct impact range of the risk spreading outward from the target area. Next, the dependence of the target node on the upstream high-risk propagation chain is calculated. The dependence is quantified by the proportion of the amount of data input or the number of business requests received by the target node from the key upstream nodes of the high-risk propagation chain within the set observation period, relative to the total amount of the same type of data input or the total number of business requests received by the target node during the same period. For example, regarding the log service of target node L, analyzing its log data sources reveals that its dependence is specifically represented by the proportion of log entries originating from the endpoint D of the high-risk propagation chain to the total number of log entries processed by node L during the observation period. If the statistics show that there are 850 log entries originating from node D, while node L processes a total of 1000 log entries during the same period, then the dependence of node L on this high-risk propagation chain is calculated to be 0.85. This quantified dependence value accurately characterizes the coupling strength of target node L to the upstream risk chain at the data flow level, and provides key input parameters for subsequent steps to simulate the actual propagation path and impact range of the risk based on a probabilistic model.
[0045] By combining the calculated dependence of downstream nodes on high-risk propagation chains, propagation simulation is used to quantify the actual impact range of the risk. The specific simulation process is as follows: each high-risk propagation chain and its downstream nodes are constructed as a directed graph. At the start of the simulation, only mutated nodes on the chain are set as "infected." In each round of simulation, an "infected" node attempts to transmit the risk to its downstream nodes. The probability of successful transmission is equal to the downstream node's dependence on the upstream node. For example, if the database node's dependence on the payment gateway node is 70%, then the probability of the risk being transmitted from the payment gateway to the database in each round of simulation is 70%. This process is determined using random number generation. The simulation is repeated multiple times, recording all nodes whose state changes to "infected." Finally, all nodes that are frequently infected in multiple simulations, for example, nodes with an infection frequency exceeding 50%, are identified as the "actual impact range" affected by the chain. This actual range is combined with the "preliminary impact range" calculated earlier based on path length and delay. If the preliminary range includes 5 nodes, and the simulation identifies 8 nodes, the final assessment result of the risk spread range is updated to these 8 nodes, thus obtaining an assessment result that is closer to the real risk spread scenario.
[0046] By integrating the propagation distance calculated by the shortest path algorithm, the propagation delay predicted by the autoregressive moving average model, and Monte Carlo simulation based on dependency graphs, the theoretical breadth of risk diffusion is transformed into a dynamic impact range assessment that closely reflects actual business scenarios. Specifically for online payment systems, this method can accurately quantify the risk transmission chain from a single point of failure, such as a payment gateway anomaly, to the core database and even downstream risk control services. It identifies key impact nodes that may be missed by traditional static analysis. Its direct effect is to provide a high-confidence risk diffusion boundary for subsequent steps, enabling decisions to set dynamic monitoring frequencies for high-risk propagation chains and adjust protection strategies for key dependent nodes with reliable data support.
[0047] In step S3, the critical path is extracted from the high-risk transmission chain, and the risk accumulation effect index value of the critical path is calculated. This includes: analyzing the information transmission efficiency of each chain based on the list of high-risk transmission chains, and identifying the critical path based on the information transmission efficiency; calculating the risk accumulation effect index value for the critical path by combining the vulnerability score of the nodes on the path with the probability of data leakage; simulating the critical path using path simulation technology, analyzing the spread speed of risk along the critical path, and generating the initial value of the monitoring frequency parameter based on the spread speed.
[0048] Specifically, after generating the list of high-risk transmission chains, the next stage is critical path extraction and risk accumulation effect analysis. The core of this stage is to accurately identify the few critical links posing the greatest threat to the system from numerous potential risk paths and quantify their risk values. In practice, the node sequence and interaction data of each high-risk transmission chain in the list are first read. The calculation of information transmission efficiency is based on the following formula: ,by Figure 2 Taking the high-risk propagation chain A→P→D as an example, this path includes two links: A→P and P→D. If the data exchange volume of the A→P link is 75MB and the average response time is 150 milliseconds during the monitoring period, its throughput is 500MB / s; if the data exchange volume of the P→D link is 100MB and the response time is 200 milliseconds, its throughput is also 500MB / s. Therefore, the information transmission efficiency of the A→P→D path is (500+500) / 2=500MB / s. This information transmission efficiency directly quantifies the smoothness and speed of data flow along this path. Further, paths with information transmission efficiency higher than a preset threshold, such as 300MB / s, are selected and marked as "critical paths." This threshold is set according to the business's requirements for data real-time performance. High-efficiency paths like A→P→D carry the core business's data artery. Once a risk occurs here, its impact will be amplified rapidly and spread quickly to downstream nodes L, S, etc., due to the high-speed and large-volume data flow. Therefore, they must be prioritized for identification and close monitoring.
[0049] After identifying the critical path, its risk accumulation effect index value is further quantified. The calculation process integrates the inherent risk attributes of all nodes on the path. Taking the aforementioned critical path A→P→D as an example, assume that the maintained node attributes show that: node A has a vulnerability score of 0.2 and a data leakage probability of 0.1; node P has a vulnerability score of 0.3 and a leakage probability of 0.15; and node D has a vulnerability score of 0.4 and a leakage probability of 0.2. First, the total risk value of the path is calculated as the sum of the two attributes of each node: (0.2+0.1)+(0.3+0.15)+(0.4+0.2)=1.35. Considering that the risk may be amplified along the path length during propagation, the total risk value is multiplied by the number of hops in the path, which in this example is 2 hops, i.e., from A to D through two edges, resulting in an initial cumulative effect index value of 1.35×2=2.7. The initial cumulative effect index value quantifies the potential destructive total amount of risk propagating along the critical path A→P→D. It integrates the inherent risk (vulnerability) and leakage probability of each node on the path, as well as the potential risk amplification effect caused by the path structure (length). To make paths of different lengths comparable, this value is standardized to between 0 and 1, for example, by dividing it by a preset maximum possible risk value to obtain a standardized index value.
[0050] Next, to assess the dynamic characteristics of risk propagation along this critical path, Monte Carlo simulation was used. The simulation model used nodes along the path as state units. Initially, only node A at the path's starting point was marked as "infected." In each simulation iteration, the "infected" node attempted to propagate the risk to the next node on the path with a preset probability of propagation to neighboring nodes, for example, set to 0.6 based on interaction strength and network conditions. Successful propagation was determined by random numbers. Simultaneously, the simulation considered historical latency between nodes, such as a 2-millisecond delay from A to P and a 3-millisecond delay from P to D, as the time cost of state transitions. A large number of iterations, such as 500, were run, recording the time required for the risk to propagate from node A to node D in each iteration, i.e., the time to cover the entire path. The average of all iteration results was taken to obtain the average propagation speed of the risk along the critical path, for example, calculating an average of 0.4 nodes covered per millisecond, or an average of 12.5 milliseconds to cover the entire path. Based on this expansion rate, initial values for the frequency parameters for monitoring this critical path are generated. For example, the monitoring frequency should be set to be inversely proportional to the risk propagation rate; if the expansion rate is fast, monitoring needs to be more intensive, as shown by the formula: Calculations show that if the base frequency is once per minute and the expansion speed factor is 0.4 nodes / millisecond, a higher initial monitoring frequency parameter value can be calculated. However, the calculated monitoring frequency parameter is only an initial value. In a dynamic risk environment, this parameter must be continuously calibrated and optimized based on the real-time status of the path. The detailed optimization process will be explained later.
[0051] By quantifying data transmission efficiency to accurately locate core business links, and combining the risk of each node with the path structure to assess its overall risk equivalent, and finally predicting the spread speed of risk along the link through dynamic simulation, abstract security threats are transformed into specific and operable monitoring frequency parameters. This allows security protection to shift from general monitoring to prioritizing data channels that carry critical business, are high-risk, and spread rapidly, thereby significantly improving the accuracy of early warning and the timeliness of control of systemic risks, and achieving optimal security deployment under limited resources.
[0052] The step S3 of generating the monitoring frequency parameters also includes: selecting high-priority paths from the critical paths based on the risk accumulation effect index value and the initial value of the monitoring frequency parameters; performing cyclic monitoring on the high-priority paths and collecting real-time status data of the nodes on the high-priority paths in each monitoring cycle; using the collected real-time status data as input, generating risk diffusion prediction data through path simulation technology; and dynamically adjusting the monitoring frequency parameters based on the risk diffusion prediction data.
[0053] Specifically, after obtaining the initial values of the critical paths and their monitoring frequency parameters, the process enters the dynamic monitoring and parameter adjustment phase for high-priority paths. The core of this phase lies in continuously tracking the status changes of the highest-risk paths and optimizing the monitoring strategy accordingly. In practice, not all critical paths are monitored with equal intensity. Instead, a composite screening criterion is used to identify "high-priority paths" from the critical paths. This criterion comprehensively considers two quantitative indicators for the path: first, the risk accumulation effect index value calculated in the previous step, which reflects the total inherent risk of the path; and second, the initial value of the monitoring frequency parameter, which reflects the urgency of risk propagation along the path. These two indicators are normalized and then weighted and summed. For example, the cumulative effect index has a weight of 0.6, and the initial monitoring frequency index has a weight of 0.4. A priority score is calculated for each critical path, and a priority threshold, such as 0.7, is set. Paths with scores higher than this threshold are marked as high-priority paths. This screening mechanism ensures that monitoring resources are preferentially concentrated on those paths that are both high-risk and urgent.
[0054] After identifying the high-priority path, a closed-loop monitoring and adjustment process is initiated. First, according to the monitoring frequency set for the path (e.g., twice per minute for the initial value), real-time status data of all nodes on the path is collected within each monitoring cycle. This data includes, but is not limited to, real-time CPU and memory utilization, current network connection count, error log frequency of specific services, and instantaneous interaction intensity with other nodes outside the path. This real-time status data constitutes a snapshot of the path's current operational health and risk level. Subsequently, this collected real-time status data is used as the latest input parameters to re-drive the path simulation technology previously used to calculate expansion speed. However, unlike the initial simulation, the purpose of this simulation is to generate short-term risk diffusion prediction data. The process of generating risk diffusion prediction data is as follows: the collected real-time status data, such as node CPU load and current interaction failure rate, is quantified into dynamic parameters of the simulation model; for example, a high CPU load, such as 90%, is mapped to an increase in response latency of the corresponding node when handling risk events, such as latency time multiplied by 1.5; in the simulation, the "infection" state transition of each node at each time step depends not only on the preset fixed... The propagation probability depends more on its current dynamic delay coefficient and instantaneous interaction intensity. Starting from the current moment, a future prediction duration of 5 minutes is set. Within this duration, multiple Monte Carlo independent iterations are performed according to the rules mentioned above that incorporate real-time parameters. Each iteration starts from the current actual risk state, such as the path starting point "infected", and simulates the propagation trajectory of the risk within the future time window. Finally, all iteration results are statistically analyzed: the proportion of iterations in which the risk propagates to the path endpoint is calculated as the predicted diffusion probability; the average propagation time from the starting point to the endpoint is calculated as the predicted diffusion time. Finally, the specific probability and time prediction values are output as risk diffusion prediction data.
[0055] Finally, based on this newly generated risk diffusion prediction data, the previously set monitoring frequency parameters are dynamically adjusted. The adjustment logic follows a feedback control principle: if the prediction data shows that the threat of risk diffusion is intensifying, such as an increase in probability or a shortening of time, the monitoring frequency is increased by a preset ratio to obtain more intensive state sampling and achieve tighter tracking; conversely, if the predicted threat is mitigated, the frequency can be appropriately reduced to save resources. The specific adjustment is achieved through an incremental formula: New monitoring frequency parameter = Original parameter × (1 + k × Rate of change), where k is the sensitivity coefficient, and the rate of change is the percentage change in the predicted data relative to the previous baseline. For example, if the predicted diffusion time shortens from 12.5 milliseconds to 10 milliseconds, the rate of change is -20%, and k is set to 0.5, then the new frequency parameter will increase by 10% from the original value. This adjusted parameter value is immediately applied to the next monitoring cycle, thus completing a closed loop of "monitoring-collection-simulation prediction-parameter adjustment". By continuously cycling this process, the monitoring frequency can dynamically adapt to the risk evolution of the current path, achieving accurate and adaptive tracking of the highest-risk targets.
[0056] By collecting node status in real time and driving simulation prediction, static risk analysis is transformed into dynamic closed-loop control. Its core benefit lies in the fact that it enables the monitoring system to no longer rely on a fixed frequency, but to intelligently adjust the monitoring intensity for aggravating risks or reduce the monitoring input for mitigating risks based on the real-time predicted trend of risk spread. This significantly optimizes the utilization efficiency of computing and bandwidth resources while ensuring the security of core business links, and realizes a fundamental transformation of security protection from passive response to proactive adaptation.
[0057] Step S4: Adjust the risk monitoring strategy based on the monitoring frequency parameters, update the risk assessment matrix, analyze the synchronization requirements of the interaction intensity between nodes based on the risk assessment matrix, and determine the multi-node collaborative control scheme.
[0058] In step S4, adjusting the risk monitoring strategy based on the monitoring frequency parameter and updating the risk assessment matrix includes: calculating the deviation of the monitoring frequency parameter from the preset standard level for high-priority paths; if the deviation exceeds the preset threshold, adjusting the monitoring strategy according to the dependence of downstream nodes of the high-priority path and determining the monitoring frequency of downstream nodes; adaptively adjusting the information transmission efficiency evaluation standard of nodes according to the monitoring frequency; and using fusion weight allocation technology to integrate the adjusted information transmission efficiency evaluation standard with the vulnerability score and data leakage probability of nodes to generate an updated risk assessment matrix.
[0059] Specifically, after dynamically adjusting the monitoring frequency of high-priority paths, the process enters the stage of global monitoring strategy optimization and collaborative control scheme generation. The core of this stage is to transform abnormal signals from local paths into updates to the global risk assessment matrix and further coordinate the security strategies of all nodes. In practice, for each high-priority path, its latest monitoring frequency parameters are first compared with the system's preset standard operating level. The preset standard level is the average or baseline value of the monitoring frequency for various types of paths, calculated based on historical long-term operational data. The difference between the parameter value and this standard is calculated to obtain the deviation. For example, if the dynamic monitoring frequency parameter of a payment core path is adjusted to 5 scans per minute, while the historical standard level for this type of path is 2 scans per minute, the deviation is calculated as 3. A deviation threshold is preset, for example, 2.5. When the deviation exceeds this threshold, it indicates that the risk status of the path is significantly abnormal, and its relevant monitoring strategy needs to be adjusted immediately.
[0060] Once the deviation is determined to exceed the limit, the monitoring strategy is refined based on the dependency level of downstream nodes along the high-priority path. The dependency level of downstream nodes was previously calculated during the risk diffusion assessment, quantifying their dependence on the path in terms of business processes and data flow. For example, for the aforementioned core payment path, the dependency level of its downstream settlement service node might be as high as 0.8, while that of a minor reporting service node might be only 0.2. Based on the dependency level, monitoring priorities are reallocated: high-dependency nodes, such as settlement services, are prioritized to the highest level; low-dependency nodes are correspondingly downgraded. Simultaneously, specific monitoring frequencies are assigned to these downstream nodes based on the newly assigned priorities. The mapping relationship between priority and frequency is preset; for example, the highest priority corresponds to 3 scans per minute, and medium priority corresponds to 1 scan per minute. In this way, monitoring resources are precisely directed to the nodes most likely to be affected by risk diffusion.
[0061] Based on the newly determined monitoring frequency for downstream nodes, the information transmission efficiency evaluation criteria for these nodes are updated accordingly. Information transmission efficiency, originally used to measure the data transmission performance of a path, is related to monitoring intensity. For example, for a node designated for high-frequency monitoring, the required information transmission efficiency criteria are more stringent, such as requiring end-to-end latency of data interaction to be less than 100 milliseconds; while for low-frequency monitored nodes, the latency standard can be relaxed to 500 milliseconds. The efficiency thresholds that a node should meet are dynamically adjusted according to its new monitoring frequency. Subsequently, a fusion weight allocation technique is used to integrate the adjusted information transmission efficiency evaluation criteria with the node's inherent risk attributes, namely vulnerability scores and data leakage probabilities, to generate an updated global risk assessment matrix. This technique assigns dynamic weights to different risk indicators for each node in the matrix, based on the real-time interaction intensity between nodes and the node's new priority in the monitoring strategy. For example, for a node that interacts closely with high-priority paths and is itself elevated to high monitoring priority, its information transmission efficiency standard might have a weight of 0.5, vulnerability score a weight of 0.3, and data leakage probability a weight of 0.2 in the matrix calculation. This weighted calculation is performed on all nodes, and the weighted sum of each indicator yields the node's comprehensive risk value in the updated matrix. Ultimately, the comprehensive risk values of all nodes constitute a new risk assessment matrix reflecting the latest risk situation and monitoring strategies. This matrix not only records the static risk of nodes but also incorporates the results of strategy adjustments driven by dynamic monitoring needs, providing a real-time and accurate data foundation for the next step of analyzing the synchronization requirements of inter-node interaction strength and generating a global collaborative control scheme.
[0062] Step S4 involves analyzing the synchronization requirements of inter-node interaction intensity and determining a multi-node collaborative control scheme. This includes: extracting risk distribution data between nodes based on the updated risk assessment matrix and analyzing the changing trends of inter-node interaction intensity; determining the synchronization requirements and priorities of inter-node security policies based on the changing trends and establishing a preliminary framework for the control scheme; calculating the weighted values of inter-node interaction intensity using the preliminary framework; optimizing the fusion weight allocation based on the weighted values; adjusting the execution parameters of the control scheme based on the fusion weight allocation; and generating a multi-node collaborative control scheme using the execution parameters.
[0063] Specifically, after generating the updated risk assessment matrix, the collaborative control scheme formulation phase begins. Its core lies in coordinating the security interactions between nodes based on the latest global risk view, ensuring the entire system operates under a unified strategy. In practice, risk distribution data for each node is first extracted from the updated risk assessment matrix. This data includes the node's latest comprehensive risk value and its relative position in the matrix. Based on this, the changing trend of the interaction intensity between any two interacting nodes is analyzed. This is achieved by comparing their interaction intensity index sequences over a continuous monitoring period, such as calculating their slope or using moving averages to identify rising, falling, or stable trends. For example, analysis reveals that the interaction intensity between payment gateway node P and core database node D has shown a rapid upward trend in the past ten minutes, while the interaction intensity between P and log service node L has remained stable. Based on the analyzed trends, the urgency of synchronizing security policies between different node pairs is determined, i.e., the synchronization requirement priority. For node pairs with rapidly increasing interaction intensity, their business coupling is strengthening, and inconsistent security policies could lead to serious conflicts or vulnerabilities; therefore, they are given high priority. For node pairs with stable trends, medium or low priority is assigned. Based on priority ranking, a preliminary framework for a control scheme is formed, which clarifies which nodes' strategies need to be coordinated first, the order of coordination, and the expected coordination goals.
[0064] Subsequently, within this framework, a weighted value for the interaction strength between nodes is calculated. This weighted value is not simply the interaction strength, but rather a combination of the node's risk level, derived from the matrix and synchronization priority. The formula for calculating the weighted interaction strength is as follows: For example, for a high-priority node pair P and D, the interaction strength is 800, the risk value of node P is 0.7, and the risk value of node D is 0.8. If the priority coefficient is set to 1.5 for high priority, then the weighted interaction strength is 900. The weighted value of the interaction strength between nodes is a "security calibration" indicator for the collaboration strategy. It combines the original business traffic data with the real-time risk level of the two nodes and the urgency of link collaboration to weight the data, thereby transforming "traffic size" into a quantitative basis for "security importance" and ensuring that the final solution prioritizes the highest-risk interaction links.
[0065] Next, based on the calculated weighted interaction strength and combined with optimized fusion weight allocation technology, the final fusion weight is adjusted for the generation control scheme. Here, the fusion weight determines the relative importance of each node's own risk attributes and the interaction relationships between nodes when formulating a unified interaction strategy. For example, in an online payment system, node risk attributes reflect static weaknesses such as server vulnerabilities, while interaction relationships represent dynamic business connections such as transaction links. The optimization process of fusion weights aims to balance the decision-making weight of these two factors when formulating a system-wide security strategy. If it is found that the current strategy does not match the high-intensity interaction behavior of the core payment link (i.e., the matching degree is low), the interaction relationship weight is increased to ensure that the final scheme can effectively coordinate the security parameters of key transaction flows, rather than simply strengthening a single point in isolation. The specific optimization process is an iterative loop: Initialize a weight allocation, for example, a node risk attribute weight of 0.4 and an interaction relationship weight of 0.6; then, based on the matching degree between the weighted interaction intensity vector and the node risk vector, the matching degree is measured by calculating the cosine similarity, and dynamically adjust the ratio of these two types of weights; if the matching degree is low, increase the proportion of the interaction relationship weight to make the scheme focus more on coordinating interaction behaviors; after several iterations, until the matching degree reaches a preset threshold such as 0.85, an optimized fusion weight allocation is obtained, for example, the final determination is a node risk weight of 0.3 and an interaction relationship weight of 0.7.
[0066] Based on this optimized fusion weight allocation, the specific execution parameters of the control scheme are adjusted. These parameters directly define the strength, frequency, and protocol requirements of secure interactions between nodes. The adjustment principle is that for interactions assigned high importance in the optimized weights, their corresponding execution parameters, such as data encryption strength, session timeout, and access frequency limits, are calibrated to ensure consistency or proportionality among nodes in these parameters. For example, based on the fusion weight results, the interaction between node P and node D is determined to be the most critical, and their interaction encryption protocol is uniformly adjusted to the highest level, with the bidirectional access session timeout synchronized to 5 minutes. Finally, all adjusted execution parameters are integrated to generate a specific, executable multi-node collaborative control scheme. This scheme is output in the form of a policy configuration file or instruction set, clearly defining the set of security parameters that each node in the network should adhere to when interacting with other nodes. Through this process, it is ensured that the control scheme is not a static rule, but an adaptive strategy generated based on real-time risk analysis, dynamic trends, and global coordination needs, thus laying the foundation for achieving a final stable risk state.
[0067] Step S5: Construct a multi-stage interactive scenario, simulate and verify the multi-node collaborative control scheme, determine whether the risk fluctuation frequency has reached a stable state, and output the final data security risk control scheme.
[0068] Step S5, determining whether the risk fluctuation frequency has reached a stable state, includes: constructing a multi-stage interactive scenario based on a multi-node collaborative control scheme; simulating the propagation process of risk along a high-priority path in the multi-stage interactive scenario and recording the changes in the risk fluctuation frequency during the simulation; calculating the risk accumulation effect index under the action of the multi-node collaborative control scheme based on the changes; if the risk accumulation effect index is lower than a preset threshold, it is determined that the risk fluctuation frequency has reached a stable state; integrating the multi-node collaborative control scheme and simulation verification results, and outputting the final data security risk control scheme.
[0069] Specifically, after generating the multi-node collaborative control scheme, the process enters the scheme verification and final output stage. The core of this stage lies in constructing a simulation environment that reflects the complexity of a real network to verify whether the control scheme can stabilize system risks. In practical implementation, a multi-stage interactive simulation scenario is first constructed based on the security interaction parameters set for each node in the control scheme. For example, in a verification scenario of an online payment system, based on the actual topology of the payment network, key entities such as user services, payment gateways, risk control centers, and core databases are modeled as nodes in the scenario. Each edge between nodes is assigned the target interaction strength specified in the control scheme, such as encrypted data transmission rate and synchronization strategies such as session timeout. Simultaneously, the scenario simulates real-time data acquisition behavior, such as periodically generating simulated business requests to drive dynamic changes in node states. Subsequently, in this simulation scenario, the propagation process of risk along the identified high-priority path is specifically simulated. Continuing with the aforementioned payment system as an example, the high-priority transaction path from user service node A, through payment gateway node P, to core database node D is selected as the simulation object. A simulated risk event, such as an abnormal access request, is injected from the path's starting point A. At each step of the simulation, based on the current interaction strength and control strategy defined in the scenario, the probability and delay of risk propagation along the path to the next node are calculated. During this process, the real-time changes in the risk fluctuation frequency of each node on the path are continuously recorded, forming detailed time-series data of these changes. Next, based on the recorded changes in risk fluctuation frequency, a risk accumulation effect index under the control scheme is calculated. This index integrates the magnitude and duration of risk fluctuations, as well as the average vulnerability of nodes on the path. For example, the calculation results show that after the control scheme is implemented, the risk accumulation effect index of this path drops from 3.5 in the early stage of simulation to 1.8. A stable threshold of 2.0 is preset. This threshold is set based on the historical safety baseline. The calculated index of 1.8 is compared with the threshold of 2.0. Since 1.8 is lower than 2.0, it is determined that under the action of the control scheme, the risk fluctuation frequency of this high priority path and even the entire system has reached a stable state.
[0070] Finally, by integrating the multi-node collaborative control scheme that has been verified through simulation, key verification data such as the decline curve of the risk accumulation effect index, the time point of reaching stability, and optimization suggestions, a final version of a deliverable and executable data security risk control scheme is generated. This scheme not only includes specific configuration parameters but also comes with quantitative proof of its effectiveness, providing confidence and basis for the deployment of the scheme.
[0071] like Figure 3 The diagram illustrates a performance comparison between the proposed solution and traditional solutions. Based on actual simulation test data, this diagram quantitatively demonstrates the substantial improvement of the proposed solution in key performance indicators. Firstly, traditional methods rely on pre-set static security policies and rules, with each network node operating its protection mechanism independently. This lacks dynamic perception of the overall system risk situation and inter-node policy coordination, resulting in a passive and isolated protection mode. Test data shows that the traditional static solution has a risk coverage rate of approximately 60%, an average response time of 120 milliseconds, and a resource utilization efficiency of approximately 40%. In contrast, the collaborative control scheme proposed in this application increases the risk coverage rate to 85%, reduces the response time to 45 milliseconds, and improves resource efficiency to 75%. Furthermore, the final scheme after closed-loop optimization achieves an excellent performance of 95% risk coverage, 25 milliseconds response time, and 90% resource efficiency. This comparison diagram provides conclusive quantitative data demonstrating that the proposed solution, through dynamic evaluation and collaborative control mechanisms, has achieved significant technical progress in risk protection breadth, response speed, and resource utilization, providing objective and reliable data support for evaluating the technical effectiveness of this application.
[0072] In summary, this application provides a complete dynamic assessment method for data security risk quantification, from data perception to policy closed loop. This method begins with real-time acquisition of multi-node interaction behavior and graph structure modeling. By extracting interaction intensity and risk fluctuation frequency characteristics, a quantitative risk distribution map is constructed. Subsequently, through temporal analysis of the map, abrupt change nodes and high-risk areas are accurately identified. Graph theory algorithms, temporal prediction, and Monte Carlo simulation are comprehensively applied to progressively assess the risk diffusion range, extract critical paths, calculate cumulative effects, and generate dynamic monitoring parameters. The core innovation of this method lies in constructing an intelligent closed loop of "monitoring-analysis-simulation-adjustment": based on real-time status data, path simulation is driven to generate short-term risk predictions, and the monitoring frequency and global policy weights are dynamically calibrated accordingly. Finally, a verified and effective control scheme is output through simulation verification. The entire process transforms abstract security threats into quantifiable, predictable, and controllable specific parameters, achieving a fundamental shift in security protection from post-event response to pre-event warning, and from static deployment to dynamic collaboration. This significantly improves the accuracy, adaptability, and overall effectiveness of data security risk control in complex network environments.
[0073] The above describes a method for dynamic assessment of data security risk quantification in embodiments of this application. The following describes a system for dynamic assessment of data security risk quantification in embodiments of this application. Please refer to [link / reference]. Figure 4 One embodiment of the data security risk quantification and dynamic assessment system in this application includes:
[0074] The preliminary analysis module is used to collect interaction data between nodes in a multi-node system in real time, and combined with a preset risk assessment model, calculate the initial data leakage probability and vulnerability score of each node to construct a preliminary risk distribution map.
[0075] The anomaly identification module is used to analyze the risk fluctuation frequency change trend of each node based on the preliminary risk distribution map, identify potential threats, and mark nodes with risk fluctuation frequencies higher than a preset threshold as mutation nodes, and define the area where the mutation node is located as the target area.
[0076] The risk positioning module is used to assess the scope of risk spread and mark high-risk transmission chains for target areas, extract critical paths from high-risk transmission chains, calculate the risk cumulative effect index value of critical paths, and generate monitoring frequency parameters.
[0077] The monitoring and control module is used to adjust the risk monitoring strategy based on the monitoring frequency parameter, update the risk assessment matrix, analyze the synchronization requirements of the interaction intensity between nodes based on the risk assessment matrix, and determine the multi-node collaborative control scheme.
[0078] The simulation verification module is used to construct multi-stage interactive scenarios, simulate and verify multi-node collaborative control schemes, determine whether the risk fluctuation frequency has reached a stable state, and output the final data security risk control scheme.
[0079] Those skilled in the art will clearly understand that, for the sake of convenience and brevity, the specific working processes of the systems and units described above can be referred to the corresponding processes in the foregoing method embodiments, and will not be repeated here.
[0080] If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application, in essence, or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of this application. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.
[0081] The above-described embodiments are only used to illustrate the technical solutions of this application, and are not intended to limit them. Although this application has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features. Such modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of this application.
Claims
1. A method for quantitative and dynamic assessment of data security risks, characterized in that, The method includes: Step S1: Collect real-time interaction data between nodes in the multi-node system, combine it with the preset risk assessment model, calculate the initial data leakage probability and vulnerability score of each node, and construct a preliminary risk distribution map; Step S2: Based on the preliminary risk distribution map, analyze the risk fluctuation frequency change trend of each node, identify potential threats, and mark nodes with risk fluctuation frequencies higher than a preset threshold as mutation nodes, and define the area where the mutation nodes are located as the target area. Step S3: For the target area, assess the risk spread range and mark high-risk transmission chains, extract critical paths from the high-risk transmission chains, calculate the risk cumulative effect index value of the critical paths, and generate monitoring frequency parameters; Step S3, which involves extracting critical paths from the high-risk propagation chains and calculating the risk accumulation effect index value of the critical paths, includes: analyzing the information transmission efficiency of each chain based on the list of high-risk propagation chains, and identifying critical paths based on the information transmission efficiency; calculating the risk accumulation effect index value for the critical paths by combining the vulnerability scores of nodes on the path with the probability of data leakage; simulating the critical paths using path simulation technology to analyze the spread speed of risk along the critical paths, and generating initial values for monitoring frequency parameters based on the spread speed; generating monitoring frequency parameters in step S3 further includes: selecting high-priority paths from the critical paths based on the risk accumulation effect index value and the initial values of the monitoring frequency parameters; cyclically monitoring the high-priority paths and collecting real-time status data of nodes on the high-priority paths in each monitoring cycle; using the collected real-time status data as input, generating risk spread prediction data through path simulation technology, and dynamically adjusting the monitoring frequency parameters based on the risk spread prediction data. Step S4: Adjust the risk monitoring strategy based on the monitoring frequency parameters, update the risk assessment matrix, analyze the synchronization requirements of the interaction intensity between nodes according to the risk assessment matrix, and determine the multi-node collaborative control scheme. Step S5: Construct a multi-stage interactive scenario, simulate and verify the multi-node collaborative control scheme, determine whether the risk fluctuation frequency has reached a stable state, and output the final data security risk control scheme.
2. The method according to claim 1, characterized in that, Step S1 includes: Based on real-time interactive data collected in a multi-node system, a node association network is constructed using graph structure analysis technology, and the interaction strength index between nodes is calculated. Perform time-series analysis on the interaction intensity index to extract characteristic data of risk fluctuation frequency; Input the interaction intensity index and the characteristic data of the risk fluctuation frequency into a preset risk assessment model to calculate the initial data leakage probability of each node; Based on the initial data leakage probability value and the interaction strength index, calculate the vulnerability score for each node; Based on the vulnerability score, the data leakage probability value, and the node correlation, a preliminary risk distribution map is constructed.
3. The method according to claim 1, characterized in that, Step S2 includes: Extract the vulnerability scores of each node and the time-series changes in the initial data leakage probability from the preliminary risk distribution map; Analyze the fluctuation trend of the time-series change data and compare it with historical behavior data to identify abnormal behavior patterns; Based on the abnormal behavior patterns, potential threat characteristics are determined, and dynamic values of risk fluctuation frequencies at each node are calculated. Nodes whose dynamic values are higher than a preset threshold are marked as mutation nodes, forming a mutation node set; Based on the distribution of the set of mutation nodes, the node regions with risk fluctuation frequencies higher than a preset threshold are located and defined as target regions.
4. The method according to claim 1, characterized in that, Step S3 assesses the scope of risk diffusion, including: Based on the set of mutation nodes in the target area, the propagation path length between nodes is calculated, and the propagation delay time along each propagation path is estimated by combining historical interaction data. Propagation paths whose length exceeds a preset threshold are marked as high-risk propagation chains, and a list of high-risk propagation chains is generated. Based on the propagation path length and the delay time, a breadth index of risk spread is calculated, and nodes within the network range covered by the breadth index are defined as target nodes. Calculate the degree of dependence of the target node on the high-risk propagation chain; Based on the degree of dependence, the actual impact range of risk propagation is analyzed, and the assessment results of the risk diffusion range are updated according to the impact range.
5. The method according to claim 1, characterized in that, Step S4 involves adjusting the risk monitoring strategy based on the monitoring frequency parameter and updating the risk assessment matrix, including: For high-priority paths, calculate the deviation of the monitoring frequency parameter from the preset standard level; If the deviation exceeds a preset threshold, the monitoring strategy is adjusted according to the dependence of the downstream nodes of the high-priority path, and the monitoring frequency of the downstream nodes is determined. The information transmission efficiency evaluation criteria for nodes are adaptively adjusted based on the monitoring frequency. By employing a fusion weighting allocation technique, the adjusted information transmission efficiency evaluation criteria are integrated with the node vulnerability score and data leakage probability to generate an updated risk assessment matrix.
6. The method according to claim 5, characterized in that, Step S4 analyzes the synchronization requirements of the interaction strength between nodes and determines the multi-node cooperative control scheme, including: Based on the updated risk assessment matrix, risk distribution data among nodes is extracted, and the changing trend of interaction intensity among nodes is analyzed. Based on the aforementioned trends, determine the synchronization requirements and priorities of security policies between nodes, and establish a preliminary framework for the control scheme. Using the initial framework, a weighted value for the interaction strength between nodes is calculated; based on the weighted value, an optimized fusion weight allocation is performed; based on the fusion weight allocation, the execution parameters of the control scheme are adjusted, and a multi-node collaborative control scheme is generated using the execution parameters.
7. The method according to claim 1, characterized in that, Step S5, determining whether the risk fluctuation frequency has reached a stable state, includes: Based on the aforementioned multi-node collaborative control scheme, a multi-stage interactive scenario is constructed; In the multi-stage interactive scenario, the propagation process of risk along the high-priority path is simulated, and the changes in the frequency of risk fluctuations during the simulation are recorded. Calculate the risk accumulation effect index under the multi-node collaborative control scheme based on the changes described above; If the risk accumulation effect index is lower than the preset threshold, it is determined that the risk fluctuation frequency has reached a stable state. By integrating the multi-node collaborative control scheme and simulation verification results, the final data security risk control scheme is output.
8. A data security risk quantification and dynamic assessment system, used to implement the data security risk quantification and dynamic assessment method as described in any one of claims 1-7, characterized in that, The system includes: The preliminary analysis module is used to collect interaction data between nodes in a multi-node system in real time, and combined with a preset risk assessment model, calculate the initial data leakage probability and vulnerability score of each node to construct a preliminary risk distribution map. The anomaly identification module is used to analyze the risk fluctuation frequency change trend of each node based on the preliminary risk distribution map, identify potential threats, and mark nodes with risk fluctuation frequencies higher than a preset threshold as mutation nodes, and define the area where the mutation node is located as the target area. The risk positioning module is used to assess the risk spread range and mark high-risk transmission chains for the target area, extract critical paths from the high-risk transmission chains, calculate the risk cumulative effect index value of the critical paths, and generate monitoring frequency parameters. The monitoring and control module is used to adjust the risk monitoring strategy based on the monitoring frequency parameter, update the risk assessment matrix, analyze the synchronization requirements of the interaction intensity between nodes based on the risk assessment matrix, and determine a multi-node collaborative control scheme. The simulation verification module is used to construct multi-stage interactive scenarios, simulate and verify the multi-node collaborative control scheme, determine whether the risk fluctuation frequency has reached a stable state, and output the final data security risk control scheme.