A method for security threat perception and detection of global network devices
By constructing a node-level threat field, quantifying the dynamic intensity of network threat propagation, and generating a global threat level, the problems of data silos and inaccurate resource allocation in existing technologies are solved, and dynamic adaptive protection of network security is achieved.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- BEIJING SHANGZHANG INFORMATION TECHNOLOGY CO LTD
- Filing Date
- 2026-01-30
- Publication Date
- 2026-06-30
Smart Images

Figure CN121841825B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of network security, and in particular to a method for detecting and sensing security threats to network devices across the entire network domain. Background Technology
[0002] Real-time awareness and adaptive protection against cybersecurity threats are core aspects of ensuring information system security. Traditional mainstream cybersecurity monitoring systems rely on deploying Intrusion Detection Systems (IDS), firewall log analysis, and User and Entity Behavior Analysis (UEBA) tools. However, these traditional methods have revealed a series of closely related and progressively evolving technical shortcomings when dealing with modern, advanced, and dynamic cyberattacks.
[0003] First, network traffic data, host behavior logs, and attack signature alerts are typically collected and analyzed independently by different systems, lacking temporal alignment and spatial correlation between the data. This results in security analysis being in a state of data silos, making it difficult to depict the comprehensive security status of a local area from a multi-dimensional integrated perspective, and leaving any subsequent advanced analysis lacking a high-quality, interconnected data foundation.
[0004] Furthermore, existing technical methods often rely on the severity level or simple thresholds of individual alert events for assessment, lacking a quantitative characterization of the uneven distribution, propagation direction, and evolution trend of threats across the entire network's logical space. This results in security operations personnel being unable to obtain an intuitive, global threat landscape map, making it difficult to grasp the overall risk level macroscopically and to pinpoint the key frontiers of threat evolution microscopically, thus leading to a lack of precise spatial guidance for defense decisions.
[0005] Finally, when faced with sudden threats requiring enhanced monitoring, the system cannot automatically identify hotspots where threats are rapidly changing but monitoring is sparse. Furthermore, it cannot adaptively calculate and inject temporary monitoring resources into optimal locations based on the direction and intensity of threat spread. This prevents limited computing and storage resources from being prioritized and accurately allocated to the most critical areas across the entire network, thus limiting the overall resilience and efficiency of the monitoring system. Summary of the Invention
[0006] The purpose of this invention is to provide a security threat perception and detection method for global network devices, which solves the above-mentioned technical problems pointed out in the prior art.
[0007] This invention provides a method for detecting and sensing security threats in a global network device, comprising the following steps:
[0008] Real-time acquisition of multi-dimensional security status data from network security monitoring systems;
[0009] Based on multi-dimensional security status data, the node-level threat field of the network security monitoring system is constructed and solved by combining the firework algorithm with the dynamic intensity analysis of threat propagation of each characteristic node in the virtual network topology of the network security monitoring system.
[0010] Global security status data is extracted from multi-dimensional security status data, and combined with the dynamic intensity of threat propagation of all feature nodes in the node-level threat field to generate the global threat level of the network security monitoring system at the current moment.
[0011] Adjust the target protection commands of the network security monitoring system based on the overall threat level of the network security monitoring system.
[0012] Preferably, based on multi-dimensional security status data, the node-level threat field of the network security monitoring system is constructed and solved by combining the firework algorithm with the dynamic intensity analysis of threat propagation of each characteristic node in the virtual network topology of the network security monitoring system. The steps include the following:
[0013] Based on the network topology of the network security monitoring system, a corresponding virtual network space is defined; the virtual network space is uniformly discretized along each logical dimension and divided into discrete logical grid units.
[0014] Initialize the fireworks algorithm population, which contains N fireworks individuals, each representing a list of feature node spatial distributions; initialize the iteration parameters, including the initial population's optimal spatial allocation capability strength, convergence threshold, iteration counter, and maximum iteration count threshold; the iteration count of the iteration counter is initially set to 0;
[0015] Collect historical threat detection datasets; the historical threat detection datasets include sequences of all network traffic data, all behavior log data, and attack feature data that change synchronously over time during multiple complete network attacks;
[0016] Traverse each individual firework, and traverse each feature node in the spatial distribution list of feature nodes in the current individual firework. Based on the preset perception radius of the current feature node and the threat response rate analysis of feature nodes based on the historical threat detection dataset, calculate the spatial allocation capability strength of the current individual firework.
[0017] Based on the spatial allocation capability strength combined with the maximum number of iterations threshold and the convergence threshold, the target feature node spatial distribution list is obtained through iteration.
[0018] The threat propagation intensity value of each feature node is calculated by combining the spatial distribution list of target feature nodes with multi-dimensional security status data analysis; the vector set of threat propagation intensity values of all feature nodes constitutes a real-time node-level threat field.
[0019] Preferably, the spatial distribution list of target feature nodes is obtained by combining the spatial allocation capability strength with the maximum number of iterations threshold and the convergence threshold, including the following steps:
[0020] When the iteration termination condition is met, the output is a list of spatial distributions of target feature nodes. Otherwise, the number of explosion sparks and the explosion amplitude of each firework individual are calculated based on the spatial distribution capability of each individual firework. For each individual firework, the explosion direction is randomly superimposed on the position coordinates of each feature node within the corresponding explosion amplitude to generate an explosion individual with a number of explosion sparks. Multiple mutant individuals are randomly generated with a fixed probability. The explosion individuals and mutant individuals together constitute a new firework individual to be determined.
[0021] The initial node density uniformity is calculated based on the network topology distance between the position coordinates of every two feature nodes in the new firework individual to be determined; when the initial node density uniformity is lower than the preset uniformity threshold, the position of the feature nodes in the new firework individual to be determined is fine-tuned to obtain the target new firework individual.
[0022] Increment the iteration counter by 1 to obtain the current iteration count; return to the above operation for each target new firework individual to calculate the spatial allocation ability strength; after sorting each target new firework individual in descending order of spatial allocation ability strength, select the top m target new firework individuals and return to the above operation, and use the current optimal spatial allocation ability strength of the population as the initial spatial allocation ability strength for re-iteration until the target feature node spatial distribution list is obtained.
[0023] Preferably, based on the preset perception radius of the current feature node and combined with the threat response rate analysis of feature nodes based on historical threat detection datasets, the spatial allocation capability strength of the current individual firework is obtained, including the following steps:
[0024] Based on the network traffic data value and behavior feature value of behavior log data within the preset perception radius of the current feature node at each sampling moment in the historical threat detection dataset, the maximum traffic difference and the maximum behavior gradient value are calculated respectively, and then state change rate analysis is performed to obtain the historical state change rate sequence.
[0025] Extract the local average traffic time series of the current feature node, analyze it in conjunction with the total traffic time series of the entire network to obtain the traffic lag time series, and then perform correlation analysis in conjunction with the feature data time series to obtain the single node correlation degree of the current feature node.
[0026] Extract the attack feature step moments from the attack feature data time series; split the attack feature data time series by all attack feature step moments to obtain the pre-step interval time series and the post-step interval time series; calculate the pre-step steady-state value and the post-step steady-state value according to the historical state change rate of the pre-step interval time series and the post-step interval time series respectively.
[0027] Based on the total change from the steady-state value before the step to the steady-state value after the step at each attack feature step moment, calculate the target state value of the current feature node at the attack feature step moment; based on the target state value, search backward from the attack feature step moment to obtain the actual arrival time of the feature node in this step event.
[0028] The threat response rate is calculated by analyzing the difference between the step time of each attack feature and the actual arrival time, and the spatial allocation capability strength is obtained by combining the single-node correlation degree.
[0029] Preferably, the spatial allocation capability strength is calculated by analyzing and calculating the difference between the step time and the actual arrival time of each attack feature, and combining the obtained threat response rate with the single-node correlation degree, including the following operation steps:
[0030] For each attack feature step time of the current feature node, calculate the difference between the actual arrival time and the attack feature step time to obtain the single delay time of the current feature node to the attack feature step time; after traversing all feature nodes, obtain the average event delay time based on the arithmetic mean of all single delay times of all feature nodes under the same attack feature step time.
[0031] Sum the average event latency times corresponding to the step moments of all attack features of all feature nodes to obtain the cumulative average latency time; take the reciprocal of the cumulative average latency time to obtain the threat response rate.
[0032] The spatial allocation capability strength is calculated by using the single-node correlation degree and threat response rate of each feature node.
[0033] Preferably, based on the network traffic data value and behavioral feature value of the behavior log data within the preset perception radius of the current feature node at each sampling time in the historical threat detection dataset, the maximum traffic difference and the maximum behavioral gradient value are calculated respectively, and then state change rate analysis is performed to obtain the historical state change rate sequence, including the following steps:
[0034] At each sampling moment of the historical threat detection dataset, acquire all network traffic data values within the preset perception radius of the current feature node; simultaneously acquire the behavioral feature values of the behavioral log data within the preset perception radius of the current feature node; calculate the maximum traffic difference between all network traffic monitoring points; and simultaneously calculate the maximum behavioral gradient value of all behavioral log data in each direction.
[0035] Multiply the maximum flow difference by the maximum behavior gradient value to calculate the historical state change rate corresponding to the sampling time; use the historical state change rates of all sampling times in the historical threat detection dataset to construct a historical state change rate sequence.
[0036] Preferably, in the historical threat detection dataset, the local average traffic time series of the current feature node is extracted and analyzed in conjunction with the total network traffic time series to obtain the traffic lag time series. Then, correlation analysis is performed with the feature data time series to obtain the single-node correlation degree of the current feature node. This includes the following steps:
[0037] In the historical threat detection dataset, the average value of all traffic sensors within the preset sensing radius of the current feature node is extracted to form a local average traffic time series; the total network traffic time series is extracted, and the cross-correlation function between the local average traffic time series and the total network traffic time series is calculated. The time delay that maximizes the cross-correlation function value is found to obtain the traffic lag time; the traffic lag time series is obtained based on the traffic lag time; the average reading sequence of all behavior log sensors within the preset sensing radius of the current feature node is used as the behavior feature data time series.
[0038] The absolute value of the Pearson correlation coefficient between the historical state change rate time series and the flow lag time series of the current feature node is the first correlation coefficient; the absolute value of the Pearson correlation coefficient between the historical state change rate time series and the behavioral feature data time series of the current feature node is the second correlation coefficient; the first correlation coefficient and the second correlation coefficient are added together to obtain the single-node correlation degree of the current feature node.
[0039] Preferably, the threat propagation intensity value of each feature node is calculated based on a list of spatial distributions of target feature nodes combined with multi-dimensional security status data analysis, including the following steps:
[0040] Using a list of target feature nodes' spatial distributions as the initial computational network, each feature node is traversed, and a preset sensing radius is determined based on its network spatial coordinates. From multi-dimensional security status data, all network traffic sensor readings within this preset sensing radius are extracted, and the maximum traffic difference is calculated. From the same preset sensing radius, all behavior log sensor readings are extracted, and the maximum behavior gradient is calculated. The real-time maximum traffic difference and the maximum behavior gradient are then combined to obtain the dynamic threat propagation intensity of the current feature node.
[0041] By traversing all feature nodes, a vector set of threat propagation intensity values is obtained, which constitutes the initial node-level threat field for the current calculation cycle;
[0042] The difference in the vector of threat propagation intensity values between any two adjacent feature nodes in the virtual network space is calculated and then divided by the network topology distance between the nodes to obtain the internal threat gradient. Local regions consisting of multiple pairs of feature nodes whose internal threat gradient magnitude exceeds a preset first threshold are identified, and the feature node distribution density of these local regions is calculated. If the feature node distribution density of a local region is lower than a preset second threshold, the local region is determined to be a potential region for drastic state change. If no local regions consisting of multiple pairs of feature nodes whose internal threat gradient magnitude exceeds the preset first threshold are obtained, the initial node-level threat field is output as the target node-level threat field.
[0043] Within each potential region of state drastic change, new temporary feature nodes are inserted according to the spatial distribution of the internal threat gradient, forming a redistributed feature node network.
[0044] Based on the redistributed feature node network, the above calculation process is repeated until the target node-level threat field is obtained as the output.
[0045] A better method for calculating the dynamic intensity of threat propagation is as follows:
[0046] The real-time maximum traffic difference is normalized to obtain the normalized traffic difference value; the maximum behavioral gradient is normalized to obtain the normalized behavioral gradient value; the occurrence frequency of each attack feature is counted based on the feature nodes, and the logarithmic term of the ratio is calculated by combining the baseline security frequency of each attack feature obtained from historical normal business data; the normalized traffic difference value, the normalized behavioral gradient value, and the logarithmic term are multiplied by preset weight coefficients and then summed to obtain the dynamic intensity of threat propagation.
[0047] Preferably, within each potential region of drastic state change, new temporary feature nodes are inserted based on the spatial distribution of the internal threat gradient to form a redistributed feature node network, including the following steps:
[0048] The average internal threat gradient magnitude is obtained by averaging all internal threat gradients within the current state-changing potential region. The average internal threat gradient magnitude and the feature node distribution density are then weighted and summed to obtain the priority processing score for the current state-changing potential region.
[0049] Select the potential region of state change corresponding to the highest priority processing score as the target debugging region; extract the gradient direction of all internal threat gradients in the target debugging region; perform clustering based on the gradient direction to obtain multiple threat propagation direction subsets; calculate the mean of internal threat gradients in each threat propagation direction subset to obtain the threat change intensity of the subset.
[0050] Traverse each threat propagation direction subset, and based on the coordinates of each feature node in the current threat propagation direction subset, determine the insertion curve of the current threat propagation direction subset by linear fitting along the average gradient of the internal threat gradient of each feature node in the current threat propagation direction subset.
[0051] The number of inserted nodes is calculated based on the intensity of the subset threat change in the current threat propagation direction subset;
[0052] Equidistant sampling is performed along the insertion curve to obtain candidate positions for the number of insertion nodes. When the network topology distance between each candidate position and all feature nodes in the virtual network space is less than the minimum node spacing threshold, the candidate position is eliminated, and the remaining candidate positions are determined as target positions. New temporary feature nodes are inserted at each target position to form a redistributed feature node network.
[0053] Compared with the prior art, the embodiments of the present invention have at least the following technical advantages:
[0054] Analysis of the security threat perception and detection method for a global network device provided by this invention reveals that, in practical applications, network traffic data, behavior log data, and attack characteristic data are first collected synchronously to provide necessary multi-dimensional factual evidence for all subsequent analyses. Then, the distribution of feature nodes in the virtual network topology is optimized using the fireworks algorithm to find the coordinate set that allows for the most efficient deployment of feature node coordinates. Based on this coordinate set, the dynamic intensity of threat propagation at each feature node is calculated. The intensity values of all nodes collectively constitute a node-level threat field, quantifying the uneven distribution and local intensity of threats in the network logical space, thus achieving the transformation from massive data to a computable threat situation. Furthermore, the detection method employed in this invention extracts node-level threat peak indicators, mean indicators, and dispersion indicators from the node-level threat field. The system uses six indicators to form the internal statistical characteristics of the threat field. It calculates global behavioral load indicators, threat polarization indicators, and cumulative threat indicators from the original multi-dimensional security status data to reflect the overall network load and attack pressure. These six indicators are then integrated into a six-dimensional comprehensive state vector, which is input into a pre-trained global threat level classification model. Based on historical experience (data), the model categorizes and judges the current complex state, outputting a discrete global threat level to provide a basis for subsequent decision-making. Finally, the technical solution adopted in this invention generates corresponding target protection instructions based on the global threat level, such as adjusting firewall rules, updating the intrusion detection signature database, restricting specific network traffic, or enabling / disabling network segmentation isolation. This allows network security configurations to be dynamically and automatically adjusted according to changes in the threat situation, thereby ensuring that protection measures always match the current risk level. Attached Figure Description
[0055] Figure 1 This is a schematic diagram of the main process of a security threat perception and detection method for global network devices.
[0056] Figure 2 This is a schematic diagram of virtual network space simulation in a security threat perception and detection method for global network devices.
[0057] Figure 3 This is a schematic diagram simulating a logical grid cell in a security threat perception and detection method for global network devices.
[0058] Figure 4 This is a schematic diagram of a real-time node-level threat field simulation in a security threat perception and detection method for global network devices. Detailed Implementation
[0059] The technical solution of the present invention will now be clearly and completely described with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0060] The present invention will now be described in further detail with reference to specific embodiments and accompanying drawings.
[0061] Example 1
[0062] like Figure 1 As shown, Embodiment 1 of the present invention provides a security threat perception and detection method for a global network device, comprising the following steps:
[0063] S10: During network operation, collect multi-dimensional security status data from the network security monitoring system in real time; multi-dimensional security status data includes: network traffic data (from mirrored traffic or NetFlow / sFlow data from network switches and routers), behavior log data (from system logs and security logs generated by servers, firewalls, and identity authentication systems), and attack characteristic data (from alarm information from intrusion detection systems / intrusion prevention systems (IDS / IPS) or indicator data from threat intelligence platforms).
[0064] S20: Based on multi-dimensional security status data, the dynamic intensity analysis of threat propagation of each feature node in the virtual network topology of the network security monitoring system is combined with the fireworks algorithm to construct and solve the node-level threat field of the network security monitoring system (the node-level threat field is actually the output of the dynamic intensity of threat propagation of all feature nodes).
[0065] S30: Extract global security status data from multi-dimensional security status data, and combine it with the dynamic intensity of threat propagation of all feature nodes in the node-level threat field to generate the global threat level of the network security monitoring system at the current moment;
[0066] It should be noted that the above embodiments of this application extract the maximum value, average value, and variance of the vector of all threat propagation intensity values from the node-level threat field, which are respectively used as the node-level threat peak index, the node-level threat mean index, and the node-level threat dispersion index.
[0067] Then, the following indicators are extracted from the multi-dimensional security status data: the average value of all behavior log sensors is used as the global behavior load indicator; the ratio of total network traffic to total attack signatures is used as the global threat polarization indicator; and the cumulative threat intensity from the start of monitoring to the present is calculated by integrating the attack signature data time series as the global cumulative threat indicator.
[0068] The above six indicators are combined in a fixed order to form a six-dimensional comprehensive state vector. This six-dimensional comprehensive state vector is input into a pre-trained offline global threat level classification model (such as a support vector machine, SVM). The model learns the risk level corresponding to different vector values based on historical attack and defense data and outputs a discrete level number, such as 1 (safe) to 5 (dangerous). This number is the final global threat level of the network security monitoring system, which quantifies the comprehensive threat pressure that the system is currently under.
[0069] S40: Based on the global threat level of the network security monitoring system, dynamically adjust the target protection instructions of the network security monitoring system to ensure that the network protection process is carried out within the preset security and performance boundaries.
[0070] It should be noted that the target protection commands include: adjusting firewall rules, updating the intrusion detection system signature database, restricting specific network traffic, and enabling or disabling network segmentation isolation. These target protection commands are targeted protection methods determined by the global threat level. The rules for setting the global threat level and the target protection commands are pre-stored in a target command mapping table. Once the target protection commands are determined, this table is invoked to obtain the matching target protection commands.
[0071] The above-described embodiments of this application first synchronously collect network traffic data, behavior log data, and attack characteristic data to provide the necessary multi-dimensional factual evidence for all subsequent analyses. Then, the distribution of characteristic nodes in the virtual network topology is optimized using the fireworks algorithm to find the coordinate set that can deploy the coordinates of characteristic nodes in the most efficient way. Based on the coordinate set, the dynamic intensity of threat propagation at each characteristic node is calculated. The intensity values of all nodes together constitute a node-level threat field, quantifying the uneven distribution and local intensity of threats in the network logical space, and realizing the transformation from massive data to a computable threat situation. Furthermore, node-level threat peak indicators, mean indicators, and dispersion indicators are extracted from the node-level threat field to form the internal statistical characteristics of the threat field. From the original multi-dimensional... The system calculates global behavioral load indicators, threat polarization indicators, and cumulative threat indicators from the security status data to reflect the overall network load and attack pressure. These six indicators are then integrated into a six-dimensional comprehensive state vector, which is input into a pre-trained global threat level classification model (such as SVM). Based on historical experience (data), the model categorizes and judges the current complex state, outputting a discrete global threat level to provide a basis for subsequent decision-making. Finally, based on the global threat level generated in step S30, corresponding target protection instructions are generated, such as adjusting firewall rules, updating the intrusion detection signature database, restricting specific network traffic, or enabling / disabling network segmentation isolation. This allows network security configurations to dynamically and automatically adjust with changes in the threat landscape, ensuring that protection measures always match the current risk level.
[0072] Specifically, in step S20, based on multi-dimensional security status data, and through the fireworks algorithm combined with the dynamic intensity analysis of threat propagation of each characteristic node in the virtual network topology of the network security monitoring system, the node-level threat field of the network security monitoring system is constructed and solved, including the following steps:
[0073] S21: Based on the network topology of the network security monitoring system, define the corresponding virtual network space (e.g., Figure 2 As shown); the virtual network space is uniformly discretized along various logical dimensions (for example, the logical dimensions may include: first dimension business importance score (1-10); second dimension network exposure surface level (1-5); third dimension historical security event density (times / month)), dividing it into discrete logical grid units (e.g. Figure 3 As shown, it can be seen Figure 3 (virtual mesh in the middle).
[0074] It should be noted that in the above embodiments of this application, the logical dimensions are used to construct the virtual network space and are indicators related to network security situation assessment. Each logical dimension corresponds to a coordinate axis, which together constitute a multi-dimensional feature space (i.e., the virtual network space mentioned above). Each logical entity in the network (such as a subnet, a business unit, or a device group) can be mapped to a point in this space according to its attributes, thereby mapping the complex and unstructured network relationships to a structured and computable mathematical space, so that distance (representing difference) and position (representing state) can be quantified, thus providing a unified and computable mathematical basis for subsequent optimization based on the fireworks algorithm and field-based analysis. Each logical grid cell represents a unique logical coordinate interval, which together constitute a discrete candidate location grid covering the entire virtual network space. Feature nodes (feature nodes are logical monitoring points or computing agents defined in the virtual network space (i.e., the feature space composed of the above logical dimensions) for performing local threat assessment) will be deployed at the logical locations represented by these logical grid cells.
[0075] In this embodiment, traffic probes deployed on critical links and hosts in the network, as well as log collection agents deployed on servers and terminals, continuously generate raw network traffic data and raw behavior log data. Attack feature data is generated by intrusion detection systems (IDS) or security information and event management (SIEM) systems deployed at the network boundary. The mapping logic is to map each traffic probe and log collection agent to one or more fixed logical grid cells in the virtual network space according to its actual network device or network segment, serving as the data source for that cell. Feature nodes are logical computing units in the virtual network space, deployed on logical grid cells, reading data from the data source associated with their logical grid cells, performing the calculations in this application, and outputting threat propagation strength values. The node-level threat field is a vector field composed of the threat propagation strength values output by all feature nodes, arranged according to their spatial locations.
[0076] S22: Initialize the fireworks algorithm population. The fireworks algorithm population (an optimization search group consisting of N "firework individuals") contains N fireworks individuals (each fireworks individual represents a list of candidate feature node spatial distributions). Each fireworks individual represents a list of feature node spatial distributions. Initialize the iteration parameters, which include the initial population's optimal spatial allocation capability strength (the evaluation value of the best individual in the initial iteration), the convergence threshold (the difference threshold used to determine whether the algorithm has converged), the iteration counter, and the maximum number of iterations threshold. The iteration counter is initially set to 0.
[0077] S23: Collect historical threat detection datasets; the historical threat detection datasets include sequences of all network traffic data, all behavior log data, and attack feature data that change synchronously over time during multiple complete network attacks;
[0078] S24: Traverse each individual firework, traverse each feature node in the spatial distribution list of feature nodes in the current individual firework, and calculate the spatial allocation capability strength of the current individual firework based on the preset perception radius of the current feature node (a pre-set logical distance value used to limit the local influence range of the feature node during data analysis. Its value can be set according to the actual network scale and monitoring granularity requirements, for example, set to 3 network topology distances (hop count)). Combined with the threat response rate analysis of feature nodes based on the historical threat detection dataset, the spatial allocation capability strength of the current individual firework is obtained (a scalar value used to quantitatively evaluate the representativeness of a feature node spatial distribution list for reconstructing the network node-level threat field. The higher the value, the more comprehensively and sensitively the spatial distribution of the feature nodes can capture and reflect the spatial non-uniformity of the threat state within the network).
[0079] S25: Select the maximum value of the spatial allocation ability strength of all individual fireworks as the optimal spatial allocation ability strength of the population; determine whether the current iteration number has reached the maximum iteration number threshold; if yes, output the fireworks individuals corresponding to the optimal spatial allocation ability strength of the population as the target feature node spatial distribution list set; if no, determine whether the change in the optimal spatial allocation ability strength of the population from the initial optimal spatial allocation ability strength to the current iteration number is less than the convergence threshold; if yes, output the fireworks individuals corresponding to the optimal spatial allocation ability strength of the population as the target feature node spatial distribution list set; if no, calculate the spatial allocation ability strength of each individual fireworks. The number of explosion sparks for each individual firework (the number of derivative individuals generated by that individual firework in one iteration) and the explosion amplitude (the radius of the range within which the coordinates of the derivative individuals generated by that individual firework can change randomly) are calculated. For each individual firework, the position coordinates of each feature node within the corresponding explosion amplitude are randomly superimposed with the explosion direction to generate explosion individuals (derived individuals generated by the individual firework through the explosion operation). Multiple mutant individuals (a small number of derivative individuals generated in a completely random manner and unaffected by the current population) are also randomly generated with a fixed probability. The explosion individuals and mutant individuals together constitute the new individual firework to be determined (the candidate set of next-generation population individuals).
[0080] S26: Based on the network topology distance (a distance metric defined in the network graph model space that reflects the tightness of logical or physical connections between nodes, such as the shortest path hop count) of the position coordinates of every two feature nodes in the new firework individual to be determined, the initial node density uniformity is calculated (a scalar value used to quantify the uniformity of the distribution of feature nodes in the virtual network space, usually represented by the reciprocal of the variance of the network topology distance between all feature nodes); when the initial node density uniformity is lower than the preset uniformity threshold, the positions of the feature nodes in the new firework individual to be determined are fine-tuned to obtain the target new firework individual;
[0081] S27: Increment the iteration count of the iteration counter by 1 to obtain the current iteration count; return to step S24 for each target new firework individual to calculate the spatial allocation ability strength; after sorting each target new firework individual in descending order of spatial allocation ability strength, select the first m target new firework individuals and return to step S24, and use the current optimal spatial allocation ability strength of the population as the initial spatial allocation ability strength for re-iteration until the target feature node spatial distribution list is obtained.
[0082] S28: The threat propagation intensity value of each feature node is calculated based on the spatial distribution list of target feature nodes and multi-dimensional security status data analysis; a vector set of threat propagation intensity values of all feature nodes is used to construct a real-time node-level threat field (e.g., Figure 4As shown, a vector field composed of vectors of threat propagation intensity values of all feature nodes is used to quantify the spatial distribution non-uniformity and evolution trend of threat states within the network.
[0083] It should be noted that, in the above embodiments of this application, firstly, a structured virtual network space (graph model space) is defined based on the actual network topology and business relationships. Then, this space is discretized along its logical dimensions, divided into small logical grid units, constructing a computable and measurable mathematical analysis foundation. Unstructured network entities are mapped to points in the space, network relationships are quantified as distances and locations, and a discretized candidate location grid is provided for the subsequent deployment of feature nodes. Then, the fireworks algorithm is executed. An initial fireworks algorithm population consisting of N individual fireworks is created, each representing a list of spatial distributions of feature nodes (i.e., a monitoring point deployment scheme). Simultaneously, various iteration parameters for the algorithm are set, establishing the starting point and control mechanism for the optimization search, generating multiple candidate node deployment schemes (population), and preparing parameters to control the algorithm's search process (iteration, convergence), thus preparing for subsequent iterative optimization. First, a historical threat detection dataset containing the complete network attack process is collected. This dataset synchronously includes time series of network traffic data, behavior log data, and attack feature data, providing a standardized historical data foundation for algorithm training and evaluation. The time-labeled multi-dimensional attack process data is used as the basis for subsequent calculation of the threat response rate of feature nodes and evaluation of the merits of deployment schemes (spatial allocation capability strength). Second, by traversing every feature node contained in each individual firework in the population (i.e., each deployment scheme), based on the preset perception radius of the node and the historical threat detection dataset, the overall effectiveness of the node distribution represented by the individual is analyzed and calculated to obtain the spatial allocation capability strength value. This enables quantitative scoring of each node deployment scheme, measuring the representativeness of the scheme in reconstructing the node-level threat field. The higher the score, the more comprehensively the deployment scheme can capture the unevenness of the network threat state.
[0084] Next, based on the spatial allocation ability strength of all individuals in the current population, it is determined whether the convergence condition or the maximum number of iterations is met. If it is met, the current best individual is output as the target feature node spatial distribution list set. If it is not met, the number of explosion sparks and the explosion amplitude of each individual are calculated based on the intensity value. A new set of new fireworks individuals to be determined is generated through explosion and mutation operations, driving the fireworks algorithm to complete a round of survival of the fittest search process. Through selection, explosion, mutation and other operations, new and potentially better node layout schemes are explored based on the original scheme (population).
[0085] Furthermore, for newly generated, undetermined firework individuals, the initial node density uniformity of their internal feature node distribution is calculated. If the uniformity is lower than a threshold, the node positions are fine-tuned to obtain the target firework individual. This ensures the rationality of the spatial distribution of monitoring points in the candidate deployment scheme, avoiding excessive aggregation or sparseness of feature nodes in the virtual network space, thereby ensuring the stable representativeness and reliability of the threat field calculated based on these nodes. Through iterative loop control, the optimization process can continuously generate new schemes based on the results of the previous round, evaluate the new schemes, and select better schemes, iterating step by step until the optimal feature node spatial distribution list set that meets the conditions is found. Finally, using the target feature node spatial distribution list set, combined with real-time collected multi-dimensional security status data, the threat propagation intensity value of each feature node is calculated to generate the real-time node-level threat field at the current moment. In the form of a quantified vector field, the spatial distribution non-uniformity and evolution trend of the threat status within the network are intuitively represented, providing fine-grained input for subsequent global threat level assessment.
[0086] Specifically, in step S24, based on the preset perception radius of the current feature node and combined with the threat response rate analysis of feature nodes based on the historical threat detection dataset, the spatial allocation capability strength of the current individual firework is obtained, including the following steps:
[0087] S241: At each sampling moment in the historical threat detection dataset, acquire all network traffic data values within the preset perception radius of the current feature node; simultaneously acquire the behavioral feature values of the behavioral log data within the preset perception radius of the current feature node; calculate the maximum traffic difference between all network traffic monitoring points (the difference between the maximum and minimum instantaneous traffic values of all traffic monitoring points within the perception radius of the current feature node); and simultaneously calculate the maximum behavioral gradient value of all behavioral log data in each direction (a scalar value used to quantify the degree of change in user or system behavior within a unit of time in a local area surrounding the current feature node; the calculation method is to aggregate the data of all behavioral log sensors within the preset perception radius at sampling moment t into the behavioral feature vector of that area at time t, and then calculate the change (i.e., the difference) of the behavioral feature vector between adjacent sampling moments (t and t-1); then calculate the rate of change of the change projected on the preset multiple analysis dimensions, and take the maximum value among all the rate of change in all dimensions as the maximum behavioral gradient value at that sampling moment).
[0088] S242: Multiply the maximum traffic difference by the maximum behavioral gradient value to calculate the historical state change rate corresponding to the sampling time (the historical state change rate is a scalar value used to quantify the combined instantaneous drastic change in network load and behavioral state in this local area, obtained by multiplying the maximum traffic difference by the maximum behavioral gradient value; where the maximum traffic difference reflects the degree of traffic imbalance among different network monitoring points within the sensing range of the feature node; when the maximum traffic difference is small, it indicates that the network load of each node in the area is relatively balanced, with no obvious abnormal traffic concentration; when the maximum traffic difference suddenly increases, it indicates that a hotspot or abnormal traffic concentration phenomenon has occurred in the area, for example: during a DDoS attack, the inbound traffic of the attacked server surges while the traffic of other nodes is normal; during an internal scanning attack, the scanning source generates traffic to multiple targets, resulting in uneven traffic distribution; during data leakage, the outbound traffic of a specific node increases abnormally; where the maximum behavioral gradient value reflects the rate of change of the dimension with the most drastic change among the dimensions of the behavioral feature vector; when the maximum behavioral gradient value is small, This indicates that user and system behavior patterns are relatively stable. When the maximum behavior gradient value suddenly increases, it indicates a sudden change in abnormal behavior patterns. For example, during a brute-force attack, the number of failed login attempts increases sharply in a short period of time; during a lateral movement attack, the frequency of access to sensitive files on a new host increases sharply; and during malware propagation, the number of abnormal process launches rises rapidly. The quantification of the intensity of instantaneous changes (i.e., multiplying the maximum traffic difference by the maximum behavior gradient value) uses a product instead of a sum because network attacks often cause both traffic and behavioral anomalies simultaneously. The product operation will only significantly increase the result when both factors increase significantly, thus ensuring that if there is only traffic anomaly (such as normal large file downloads) without behavioral anomalies, the product value will not be too large. When both are abnormal (such as attack behavior), the product value will be amplified exponentially. This calculation is based on the difference between adjacent sampling times, capturing the rate of change rather than the absolute state, which can detect the start of an attack earlier. The historical state change rate sequence is constructed using the historical state change rate of all sampling times in the historical threat detection dataset.
[0089] S243: In the historical threat detection dataset, extract the average value of all traffic sensors within the preset perception radius of the current feature node to form a local average traffic time series; extract the total network traffic time series, calculate the cross-correlation function between the local average traffic time series and the total network traffic time series, find the time delay that maximizes the cross-correlation function value, and obtain the traffic lag time; obtain the traffic lag time series based on the traffic lag time (i.e., the sequence of traffic lag time in continuous time); take the sequence of average readings of all behavior log sensors within the preset perception radius of the current feature node as the behavior feature data time series;
[0090] S244: The absolute value of the Pearson correlation coefficient between the historical state change rate time series and the flow lag time series of the current feature node is the first correlation coefficient; the absolute value of the Pearson correlation coefficient between the historical state change rate time series and the behavioral feature data time series of the current feature node is the second correlation coefficient; the first correlation coefficient and the second correlation coefficient are added together to obtain the single-node correlation degree of the current feature node (a scalar value used to quantify the overall correlation strength between the state change at the location of the feature node and the two effects of flow lag and behavioral change in its region; the higher the correlation degree, the more effectively the data of the node can characterize the comprehensive dynamic response behavior of the local area).
[0091] S245: In the historical threat detection dataset, extract the attack feature step moments (the moments when the attack feature data undergoes a preset increase step change) from the attack feature data time series; split the attack feature data time series into multiple interval time series by all attack feature step moments; in the interval time series, the interval time series before the attack feature step moments are the pre-step interval time series; the interval time series after the attack feature step moments are the post-step interval time series; the average of the historical state change rates of the pre-step interval time series is taken as the pre-step steady-state value; the average of the historical state change rates of the post-step interval time series is taken as the post-step steady-state value.
[0092] S246: Calculate the total change from the steady-state value before the step to the steady-state value after the step for each attack feature step moment; based on the steady-state value before the step of the current feature node, add the total change multiplied by a preset proportional coefficient (usually set to 0.632, which corresponds to the time when the step response of a first-order inertial system reaches 63.2% of the final value, used to simulate the delay characteristics of threat propagation on the network) to obtain the target state value of the current feature node at the attack feature step moment; in the historical state change rate time series of the current feature node, search backward from the attack feature step moment to find the specific moment when the state change rate first reaches or exceeds the target state value, (recorded as) to obtain the actual arrival time of the node in this step event;
[0093] S247: For each attack feature step moment of the current feature node, calculate the difference between the actual arrival time and the attack feature step moment to obtain the single delay time of the current feature node to the attack feature step moment; after traversing all feature nodes, obtain the average event delay time based on the arithmetic mean of all single delay times of all feature nodes under the same attack feature step moment.
[0094] S248: Sum the average event latency times corresponding to the step moments of all attack features of all feature nodes to obtain the cumulative average latency time; take the reciprocal of the cumulative average latency time to obtain the threat response rate (a scalar value used to quantify the average speed of the response of this group of feature nodes to network attack events; the higher the value, the faster the response).
[0095] S249: The spatial allocation capability strength is calculated by using the single-node correlation degree and threat response rate of each characteristic node (in the current fireworks individual);
[0096] The calculation method for spatial allocation capability strength is as follows:
[0097] ;
[0098] Wherein, λ is a preset weighting coefficient (a dimensionless scalar factor used to balance the importance of the two indicators of single-node correlation and threat response rate in the final calculation of spatial allocation capability strength. Its value is determined by cross-validation on historical datasets and by grid search with the goal of maximizing the correlation between the spatial allocation capability strength value and the ranking of the superiority and inferiority of the deployment schemes evaluated by experts. The typical value range is [0.5,2]).
[0099] It should be noted that, in the above-described embodiments of this application, the maximum traffic difference at the network level and the maximum behavioral gradient value at the behavior level are calculated for each sampling moment of the historical dataset within a preset perception radius of the feature node. These two basic scalar values quantify the degree of drastic change in network load and user behavior in a local area at each moment. Then, the maximum traffic difference and the maximum behavioral gradient value at each moment are multiplied to obtain the historical state change rate at that moment. These are then arranged in chronological order to form a sequence. By integrating the instantaneous changes in both network and behavior dimensions, a unified time series index is generated to characterize the comprehensive dynamics of a local area, providing core data for subsequent correlation analysis and response speed analysis. Next, the local average traffic time series and behavioral feature data time series of the area where the node is located are extracted from the historical data. Through cross-correlation analysis, a traffic lag time series is obtained, resulting in three time series reflecting the overall traffic level, the overall behavior level, and the lag of traffic changes relative to the overall network changes in the area. These three time series serve as a reference for evaluating the node's characterization capability.
[0100] Furthermore, the absolute values of the Pearson correlation coefficients of the node's own historical state change rate sequence, flow lag time series, and behavioral characteristic data time series are calculated separately, and the sum is used to obtain the single node correlation degree. This quantifies the statistical correlation strength between the local comprehensive dynamics (historical state change rate) perceived by the characteristic node and the deep and persistent effects (flow lag, behavioral changes) in the region. The higher the correlation degree, the more effectively the node's data can represent the overall dynamic response behavior of its region.
[0101] This step identifies moments of significant step change (attack characteristic step moments) from the historical attack characteristic data time series. Using these moments as boundaries, the historical state change rate series is segmented, and the average values before and after the step are calculated as the pre-step steady-state value and post-step steady-state value, respectively. This pinpoints the precise moment of the historical attack event and quantifies the typical steady-state level of the local region where the node is located before and after the attack event, establishing a benchmark for measuring response delay. For each attack step, the total change in state is calculated, and a target state value is determined based on this and a preset proportional coefficient. Then, starting from the attack characteristic step moment, the historical state change of the node is analyzed. The system searches for the moment when the target value is first reached in the state change rate sequence and records it as the actual arrival time. It measures the actual time elapsed from the occurrence of the network attack (attack characteristic step) to the state change in the area where the node is located reaching a specific level, and uses this as input to calculate the response delay. Then, for each attack step, the actual arrival time is subtracted from the attack characteristic step time to obtain the single delay time of the node for this event. The delay times of all nodes under the same attack event are averaged to obtain the event average delay time. From the delay times of individual nodes, the average response delay of the current characteristic node distribution scheme (firework individual) to a specific attack event is obtained by aggregating the delay times of individual nodes.
[0102] Further, in step S248, the average event delay time of all feature nodes represented by a single firework individual at all historical attack feature step moments is accumulated to obtain the cumulative average delay time. Then, the reciprocal of this cumulative average delay time is taken to calculate the overall average response speed index of the feature node distribution scheme (firework individual) to historical attack events, i.e., the threat response rate. The higher the value, the faster the overall response speed of this deployment scheme to attacks. Finally, the single-node correlation degree of all feature nodes in a single firework individual is summed and added to the result after multiplying the threat response rate of the individual by the weighting coefficient λ. The two dimensions of node representation effectiveness (sum of single-node correlation degree) and deployment scheme response speed (threat response rate) are combined to finally generate a single comprehensive score for the spatial distribution list set of the feature node (firework individual), i.e., spatial allocation capability strength.
[0103] Specifically, in step S28, the threat propagation intensity value of each feature node is calculated based on the target feature node spatial distribution list set combined with multi-dimensional security status data analysis, including the following steps:
[0104] S281: Using the target feature node spatial distribution list as the initial computational network, traverse each feature node and determine the preset sensing radius based on the network spatial coordinates of the feature node; extract all network traffic sensor readings within the preset sensing radius from the multi-dimensional security status data and calculate the maximum traffic difference; extract all behavior log sensor readings within the same preset sensing radius and calculate the maximum behavior gradient (the calculation method is the same as in step S241 above, and will not be repeated here; for example, there are two behavior log sensors within the sensing radius of a certain feature node, which monitor failed logins respectively). Within adjacent 1-minute intervals, the average number of failed login attempts in this area increased from 3 times / minute to 12 times / minute, and the average number of abnormal processes increased from 2 times / minute to 5 times / minute. Therefore, the rate of change for the failed login dimension is (12-3) / 1 = 9 times / minute², and the rate of change for the abnormal process dimension is (5-2) / 1 = 3 times / minute². Taking the maximum of these two values, we obtain the maximum behavioral gradient value = 9 times / minute², indicating that failed login behavior is rapidly and abnormally increasing. Calculating the real-time maximum traffic difference and the maximum behavioral gradient yields the current threat propagation dynamic intensity of the characteristic node. As a scalar value, it is used to quantify the immediate and comprehensive threat severity in the local network region where the i-th feature node is located.
[0105] Threat Propagation Dynamics ;
[0106] In the formula, It is the normalized value of the real-time maximum flow difference (using min-max normalization). It is the normalized value of the maximum behavior gradient (using min-max normalization). It is the number of occurrences of the p-th attack feature based on the i-th feature node. It is the baseline security frequency (security threshold parameter, obtained by statistically analyzing the number of times this attack feature appears in long-term historical normal business data and taking the upper limit of its confidence interval (e.g., 99%)) for the p-th attack feature. This represents the total number of attack feature dimensions. , , The weighting coefficients are model calibration parameters, whose values are obtained by fitting the data on a labeled historical attack and defense dataset with the goal of optimizing the comprehensive threat detection index using an optimization algorithm. The analysis method is common knowledge to those skilled in the art and will not be described in detail in this application.
[0107] The calculations in the above embodiments of this application, the first item ( The first item represents an anomaly at the network load layer. It normalizes the real-time maximum traffic difference to eliminate magnitude differences caused by varying network sizes or locations, reflecting the instantaneous degree of sudden or abnormal congestion in that local area. This is a typical manifestation of DDoS or scanning attacks; the second item ( ) represents anomalies in user or system behavior. It normalizes the real-time maximum behavior gradient, illustrating its use to quantify the drastic changes in command execution sequences and other behaviors within a short period. It can be used to detect attacks such as lateral movement and privilege abuse. The third item ( The term represents the enrichment of known attack intelligence. The numerator is the sum of the number of observed attack features of various types, and the denominator is the sum of their historical normal baseline (baseline security frequency). A logarithmic function is used to prevent a few high-frequency attack features from dominating the results. +1 ensures that the parameter is non-negative. This term measures the concentration of known attack patterns (such as specific vulnerability exploits and malware communication features) in the region. The three threat indicators of the above three different dimensions are integrated into a scalar through weighting coefficients. The weights are obtained by optimizing and fitting historical attack and defense data so that the comprehensive value can most effectively represent the threat severity defined in the historical data. This formula integrates the three key and observable cybersecurity dimensions of network traffic anomalies, behavioral anomalies, and known attack features into a unified local threat intensity indicator.
[0108] S282: Traverse all feature nodes to obtain a vector set of threat propagation intensity values, which constitutes the initial node-level threat field for the current calculation cycle;
[0109] S283: Calculate the vector difference of threat propagation intensity values between every two adjacent feature nodes in the virtual network space, and then divide it by the network topology distance between the nodes to obtain the internal threat gradient (vector, representing the rate of change and direction of the dynamic intensity of threat propagation per unit network topology distance, where the "direction" is the propagation path of the network topology relationship); obtain local regions consisting of multiple pairs of feature nodes whose internal threat gradient magnitude exceeds a preset first threshold (the first threshold is determined by the 90th percentile of the historical internal threat gradient magnitude) (i.e., the internal threat gradients calculated between all adjacent feature nodes in this local region exceed the first threshold), and calculate the feature node distribution density of the local region (i.e., the number of feature nodes contained in a unit logical volume of this region); if the feature node distribution density of the local region is lower than the preset second threshold (the 50th percentile of the global feature node distribution density), then the local region is determined to be a potential area of drastic state change (meaning that the threat state of this region changes drastically, but the existing fixed node network has insufficient monitoring resolution for this region); if no local region consisting of multiple pairs of feature nodes whose internal threat gradient magnitude exceeds the preset first threshold is obtained, then the initial node-level threat field is output as the target node-level threat field.
[0110] S283: Within each potential region of state change, based on the spatial distribution (magnitude and direction) of its internal threat gradient, insert (one or more) new temporary feature nodes to form a redistributed feature node network (an enhanced computing network with higher local resolution temporarily generated in response to real-time state based on the current fixed distribution).
[0111] S284: Based on the redistributed feature node network, repeat the calculation process in step S281 until the target node-level threat field is obtained as the output.
[0112] It should be noted that, in the above-described embodiments of this application, for each feature node in the target feature node spatial distribution list set, within its preset sensing radius, two basic indicators—maximum traffic difference and maximum behavioral gradient—are calculated in real time. After normalizing these two indicators, they are weighted and summed with a logarithmic term reflecting the activity of known attack features, thus calculating the dynamic intensity of threat propagation for each logical monitoring point (feature node) in the network in real time. Then, the dynamic intensity values of threat propagation calculated by all feature nodes are collected and summarized to form a vector set associated with spatial coordinates. The discrete threat intensity assessments are integrated to form a structured threat situation field covering the virtual network space, i.e., the initial node-level threat field. Further, in the initial node-level threat field, the rate of change of threat intensity between adjacent nodes (internal threat gradient) is calculated to locate continuous areas with high gradient amplitude (drastic changes) but low feature node distribution density (insufficient monitoring resolution), thus identifying... Under the current threat situation, the monitoring network has visual blind spots or weak links, namely potential areas of drastic state change. Then, within each identified potential area of drastic state change, new temporary feature nodes are inserted according to the diffusion / convergence direction of the internal threat (internal threat gradient direction). By temporarily adding monitoring outposts in areas where the threat changes drastically and monitoring is insufficient, a redistributed feature node network is formed, thereby improving the state sampling rate and monitoring resolution of the area. Finally, based on the redistributed feature node network with enhanced monitoring capabilities, the calculation process of S281 is re-executed to calculate the dynamic intensity of threat propagation for all nodes (including original fixed nodes and newly added temporary nodes), forming an updated threat field. The output is the final node-level threat field for this period after dynamic optimization. Compared with the initial field, this final field has a more refined and accurate threat characterization capability in high-risk areas, providing higher quality input data for the subsequent global threat level assessment (S30).
[0113] Specifically, in step S283, within each potential region of state drastic change, based on the spatial distribution (magnitude and direction) of its internal threat gradient, one or more new temporary feature nodes are inserted to form a redistributed feature node network, including the following operational steps:
[0114] Step S2831: Calculate the average value of all internal threat gradients within the currently processed potential zone of drastic state change to obtain the average internal threat gradient magnitude; perform a weighted summation of the average internal threat gradient magnitude and the feature node distribution density (considering the threat dynamics and monitoring foundation of the region, generally, the larger the average internal threat gradient magnitude and the lower the feature node distribution density, the higher the priority processing score of the region should be. Among them, the average internal threat gradient magnitude is positively correlated with the priority processing score, and the feature node distribution density is negatively correlated with the priority processing score), to obtain the priority processing score of the potential zone of drastic state change.
[0115] The priority score N for the potential zone of drastic current state change is calculated as follows:
[0116] The priority score N for potential zones with drastic changes in the current state is calculated as: average internal threat gradient magnitude × threat weight coefficient - feature node distribution density × distribution weight coefficient. Here, both the distribution weight coefficient and the threat weight coefficient are preset empirical values.
[0117] Step S2832: Select the potential region of state change with the highest priority processing score as the target debugging region; extract the gradient direction of all internal threat gradients within the target debugging region; perform clustering based on the gradient direction to obtain multiple threat propagation direction subsets (that is, divide the internal threat gradients that are close to each other in the unknown space and have similar gradient directions into a subset, and each threat propagation direction subset represents a threat diffusion trend in the region); calculate the mean value of the internal threat gradient within each threat propagation direction subset to obtain the threat change intensity of the subset;
[0118] Step S2833: Traverse each threat propagation direction subset. Based on the coordinates of each feature node in the current threat propagation direction subset, determine the insertion curve of the current threat propagation direction subset by linear fitting along the average gradient of the internal threat gradient of each feature node in the current threat propagation direction subset (this insertion curve represents the potential propagation path of the dominant threat trend of this sub-cluster).
[0119] Step S2834: Calculate the number of inserted nodes based on the subset threat change intensity of the current threat propagation direction subset (the number of inserted nodes is the maximum possible number of new temporary feature nodes, which can be simply calculated as ceil(K× subset threat change intensity), where ceil() is the floor function, and K is an adjustable coefficient used to map the subset threat change intensity to the number of nodes. The initial value of K is determined through offline grid search and is adjusted during the runtime based on the actual contribution of temporary nodes, with a typical value range between 0.5 and 5.0).
[0120] Step S2835: Perform equidistant sampling along the insertion curve to obtain candidate positions for the number of inserted nodes; compare each candidate position with the network topology distance between all feature nodes in the virtual network space; if the network topology distance between any candidate position and any feature node is less than the minimum node spacing threshold (set to 2 network topology distances (hops) to avoid excessive node aggregation), then filter out the candidate position (otherwise, insert directly), thus retaining the last candidate position as the target position (the number of this target position is ultimately less than or equal to the number of inserted nodes mentioned above); insert new temporary feature nodes at each target position to form a redistributed feature node network.
[0121] It should be noted that, in the above-described embodiments of this application, the average internal threat gradient magnitude of all potential areas with drastic state changes identified in the current period is calculated, and combined with the distribution density of their own feature nodes, a comprehensive priority processing score is obtained by weighted summation. The importance of multiple areas to be processed is ranked, and the severity of threat changes (gradient magnitude) and the weakness of existing monitoring (distribution density) of the areas are comprehensively considered to determine the order of resource optimization allocation.
[0122] Then, the region with the highest priority score is selected as the target debugging region. The gradient directions of all internal threat gradients in this region are extracted and clustered to form multiple threat propagation direction subsets. The subset threat change intensity of each subset is calculated to lock the single region that needs to be dealt with most at present. The one or more dominant threat propagation trends (direction subsets) that may exist in it and their respective intensities are analyzed to provide a clear basis for subsequent enhanced monitoring along specific directions.
[0123] Furthermore, for each subset of threat propagation directions within the target debugging area, a linear fit is performed along the average gradient direction of that subset, using the coordinates of its internal feature nodes as the base point, to obtain an insertion curve. This transforms the abstract threat propagation direction (gradient direction) into a concrete and operable path (insertion curve) in the virtual cyberspace. This curve represents the logical path along which the threat is most likely to propagate, serving as a guideline for deploying new monitoring points. Then, based on the subset threat change intensity of each threat propagation direction subset, the number of insertion nodes corresponding to that subset is calculated. This determines the expected number of new temporary feature nodes to be deployed to monitor the threat propagation trend; the higher the intensity, the more nodes are allocated. The larger the quantity, the higher the resolution monitoring of high-intensity threat changes. Next, candidate positions are generated at equal intervals on the insertion curve, equal to the number of inserted nodes. The network topology distance between each candidate position and all existing feature nodes in the virtual network space is calculated. If it is less than the minimum node spacing threshold, it is eliminated. The candidate positions retained after screening are determined as target positions, and new temporary feature nodes are inserted at these positions. The insertion strategy is implemented on specific logical coordinates, and the injection of temporary nodes is completed. Distance screening ensures the reasonable distribution of new nodes and existing nodes in the logical space (avoiding redundancy due to excessive proximity). Finally, a redistributed feature node network with improved monitoring resolution is formed.
[0124] In summary, the security threat perception and detection method for network devices proposed in this invention first synchronously collects network traffic data, behavior log data, and attack characteristic data, providing necessary multi-dimensional factual evidence for all subsequent analyses. Then, it optimizes the distribution of feature nodes in the virtual network topology using a fireworks algorithm to find the coordinate set that allows for the most efficient deployment of feature node coordinates. Based on this coordinate set, it calculates the dynamic intensity of threat propagation at each feature node. The intensity values of all nodes collectively constitute a node-level threat field, quantifying the uneven distribution and local intensity of threats in the network logical space, thus achieving the transformation from massive data to a computable threat situation. Furthermore, it extracts node-level threat peak indicators, mean indicators, and dispersion indicators from the node-level threat field. The system identifies the internal statistical characteristics of the threat field. It calculates global behavioral load indicators, threat polarization indicators, and cumulative threat indicators from raw, multi-dimensional security status data to reflect the overall network load and attack pressure. These six indicators are then integrated into a six-dimensional comprehensive state vector, which is input into a pre-trained global threat level classification model. Based on historical experience (data), the model categorizes and judges the current complex state, outputting a discrete global threat level to provide a basis for subsequent decision-making. Finally, based on the global threat level, corresponding target protection instructions are generated, such as adjusting firewall rules, updating the intrusion detection signature database, restricting specific network traffic, or enabling / disabling network segmentation isolation. This allows network security configurations to dynamically and automatically adjust with changes in the threat landscape, ensuring that protection measures always match the current risk level.
[0125] In the specific execution process, the fireworks algorithm is used to optimize the deployment location of logical monitoring points (feature nodes) in the virtual network space, and obtain the optimal set of feature node coordinates (target feature node spatial distribution list set) that can most efficiently represent the spatial distribution of network threats. This optimizes the problem that traditional monitoring point deployment is static and cannot adapt to dynamic changes in threats. Furthermore, by analyzing historical data, the correlation degree of each feature node and the overall threat response rate of all nodes are calculated. Based on this, the spatial allocation capability of the deployment scheme (individual fireworks) is comprehensively evaluated, providing the fireworks algorithm with a precise standard for quantitatively evaluating the merits of deployment schemes. This ensures that the final selected scheme can comprehensively and sensitively capture the unevenness of threat status and make up for the shortcomings of traditional experience-based deployment.
[0126] In addition, by calculating the dynamic intensity of threat propagation, multi-source and heterogeneous security data (abnormal network load, abnormal behavior, and known attack intelligence) are uniformly quantified into a comprehensive threat intensity index for a local area, providing a standardized basic data unit for constructing a threat field;
[0127] By identifying potential areas of drastic state change with insufficient monitoring resolution through internal threat gradients of the node-level threat field, and inserting temporary feature nodes according to the gradient direction and intensity, the monitoring computing resources can be precisely scheduled, forming a monitoring network with dynamically enhanced resolution. This optimizes the problems of rigid resource scheduling and delayed response in traditional systems when facing sudden threat areas.
[0128] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, and not to limit them; those skilled in the art can modify the technical solutions described in the foregoing embodiments, or make equivalent substitutions for some or all of the technical features; and these modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the scope of the technical solutions of the embodiments of the present invention.
Claims
1. A method for detecting and sensing security threats in a global network device, characterized in that, The following steps are included: Real-time acquisition of multi-dimensional security status data from network security monitoring systems; Based on multi-dimensional security status data, the node-level threat field of the network security monitoring system is constructed and solved by combining the firework algorithm with the dynamic intensity analysis of threat propagation of each characteristic node in the virtual network topology of the network security monitoring system. Global security status data is extracted from multi-dimensional security status data, and combined with the dynamic intensity of threat propagation of all feature nodes in the node-level threat field to generate the global threat level of the network security monitoring system at the current moment. Adjust the target protection commands of the network security monitoring system based on the overall threat level of the network security monitoring system; Based on multi-dimensional security status data, this paper constructs and solves the node-level threat field of the network security monitoring system by combining the Fireworks Algorithm with the dynamic intensity analysis of threat propagation of each characteristic node in the virtual network topology of the network security monitoring system. The steps include: Based on the network topology of the network security monitoring system, a corresponding virtual network space is defined; the virtual network space is uniformly discretized along each logical dimension and divided into discrete logical grid units. Initialize the fireworks algorithm population, which contains N fireworks individuals, each representing a list of feature node spatial distributions; initialize the iteration parameters, including the initial population's optimal spatial allocation capability strength, convergence threshold, iteration counter, and maximum iteration count threshold; the iteration count of the iteration counter is initially set to 0; Collect historical threat detection datasets; the historical threat detection datasets include sequences of all network traffic data, all behavior log data, and attack feature data that change synchronously over time during multiple complete network attacks; Traverse each individual firework, and traverse each feature node in the spatial distribution list of feature nodes in the current individual firework. Based on the preset perception radius of the current feature node and the threat response rate analysis of feature nodes based on the historical threat detection dataset, calculate the spatial allocation capability strength of the current individual firework. Based on the spatial allocation capability strength combined with the maximum number of iterations threshold and the convergence threshold, the target feature node spatial distribution list is obtained through iteration. The threat propagation intensity value of each feature node is calculated by combining the spatial distribution list of target feature nodes with multi-dimensional security status data analysis; the vector set of threat propagation intensity values of all feature nodes constitutes a real-time node-level threat field.
2. The security threat perception and detection method for a global network device according to claim 1, characterized in that, Based on the spatial allocation capability strength, combined with the maximum number of iterations threshold and the convergence threshold, the target feature node spatial distribution list is obtained through iteration, including the following steps: When the iteration termination condition is met, the output is a list of spatial distributions of target feature nodes. Otherwise, the number of explosion sparks and the explosion amplitude of each firework individual are calculated based on the spatial distribution capability of each individual firework. For each individual firework, the explosion direction is randomly superimposed on the position coordinates of each feature node within the corresponding explosion amplitude to generate an explosion individual with a number of explosion sparks. Multiple mutant individuals are randomly generated with a fixed probability. The explosion individuals and mutant individuals together constitute a new firework individual to be determined. The initial node density uniformity is calculated based on the network topology distance between the position coordinates of every two feature nodes in the new firework individual to be determined; when the initial node density uniformity is lower than the preset uniformity threshold, the position of the feature nodes in the new firework individual to be determined is fine-tuned to obtain the target new firework individual. Increment the iteration counter by 1 to obtain the current iteration count; return to the above operation for each target new firework individual to calculate the spatial allocation ability strength; after sorting each target new firework individual in descending order of spatial allocation ability strength, select the top m target new firework individuals and return to the above operation, and use the current optimal spatial allocation ability strength of the population as the initial spatial allocation ability strength for re-iteration until the target feature node spatial distribution list is obtained.
3. The security threat perception and detection method for a global network device according to claim 2, characterized in that, Based on the preset perception radius of the current feature node and combined with the threat response rate analysis of feature nodes based on historical threat detection datasets, the spatial allocation capability strength of the current individual firework is obtained, including the following steps: Based on the network traffic data value and behavior feature value of behavior log data within the preset perception radius of the current feature node at each sampling moment in the historical threat detection dataset, the maximum traffic difference and the maximum behavior gradient value are calculated respectively, and then state change rate analysis is performed to obtain the historical state change rate sequence. Extract the local average traffic time series of the current feature node, analyze it in conjunction with the total traffic time series of the entire network to obtain the traffic lag time series, and then perform correlation analysis in conjunction with the feature data time series to obtain the single node correlation degree of the current feature node. Extract the attack feature step moments from the attack feature data time series; split the attack feature data time series by all attack feature step moments to obtain the pre-step interval time series and the post-step interval time series; calculate the pre-step steady-state value and the post-step steady-state value according to the historical state change rate of the pre-step interval time series and the post-step interval time series respectively. Based on the total change from the steady-state value before the step to the steady-state value after the step at each attack feature step moment, calculate the target state value of the current feature node at the attack feature step moment; based on the target state value, search backward from the attack feature step moment to obtain the actual arrival time of the feature node in this step event. The threat response rate is calculated by analyzing the difference between the step time of each attack feature and the actual arrival time, and the spatial allocation capability strength is obtained by combining the single-node correlation degree.
4. The security threat perception and detection method for a global network device according to claim 3, characterized in that, The threat response rate is calculated based on the difference between the step time and the actual arrival time of each attack feature. The resulting spatial allocation capability strength is calculated by combining the single-node correlation degree with the calculated value. The process includes the following steps: For each attack feature step time of the current feature node, calculate the difference between the actual arrival time and the attack feature step time to obtain the single delay time of the current feature node to the attack feature step time; after traversing all feature nodes, obtain the average event delay time based on the arithmetic mean of all single delay times of all feature nodes under the same attack feature step time. Sum the average event latency times corresponding to the step moments of all attack features of all feature nodes to obtain the cumulative average latency time. The threat response rate is obtained by taking the reciprocal of the cumulative average latency. The spatial allocation capability strength is calculated by using the single-node correlation degree and threat response rate of each feature node.
5. The security threat perception and detection method for a global network device according to claim 4, characterized in that, Based on the network traffic data values and behavioral feature values of the behavior log data within the preset perception radius of the current feature node at each sampling time in the historical threat detection dataset, the maximum traffic difference and the maximum behavior gradient value are calculated respectively. Then, state change rate analysis is performed to obtain the historical state change rate sequence, including the following steps: At each sampling moment of the historical threat detection dataset, acquire all network traffic data values within the preset perception radius of the current feature node; and simultaneously acquire the behavioral feature values of the behavioral log data within the preset perception radius of the current feature node. Calculate the maximum traffic difference between all network traffic monitoring points; Simultaneously calculate the maximum behavioral gradient value in each direction for all behavioral log data; Multiply the maximum flow difference by the maximum behavior gradient value to calculate the historical state change rate corresponding to the sampling time; use the historical state change rates of all sampling times in the historical threat detection dataset to construct a historical state change rate sequence.
6. The security threat perception and detection method for a global network device according to claim 5, characterized in that, In the historical threat detection dataset, the local average traffic time series of the current feature node is extracted and analyzed in conjunction with the total network traffic time series to obtain the traffic lag time series. Then, correlation analysis is performed with the feature data time series to obtain the single-node correlation degree of the current feature node. The steps include the following: In the historical threat detection dataset, the average value of all traffic sensors within the preset sensing radius of the current feature node is extracted to form a local average traffic time series; the total network traffic time series is extracted, and the cross-correlation function between the local average traffic time series and the total network traffic time series is calculated. The time delay that maximizes the cross-correlation function value is found to obtain the traffic lag time; the traffic lag time series is obtained based on the traffic lag time; the average reading sequence of all behavior log sensors within the preset sensing radius of the current feature node is used as the behavior feature data time series. The absolute value of the Pearson correlation coefficient between the historical state change rate time series and the flow lag time series of the current feature node is the first correlation coefficient; the absolute value of the Pearson correlation coefficient between the historical state change rate time series and the behavioral feature data time series of the current feature node is the second correlation coefficient; the first correlation coefficient and the second correlation coefficient are added together to obtain the single-node correlation degree of the current feature node.
7. The security threat perception and detection method for a global network device according to claim 6, characterized in that, The threat propagation intensity value of each feature node is calculated based on a list of spatial distributions of target feature nodes and multi-dimensional security status data analysis, including the following steps: Using the spatial distribution list of target feature nodes as the initial computational network, each feature node is traversed, and the preset sensing radius is determined based on the network spatial coordinates of that feature node. From multi-dimensional security status data, extract readings from all network traffic sensors within the preset sensing radius and calculate the maximum traffic difference; extract readings from all behavior log sensors within the same preset sensing radius and calculate the maximum behavior gradient; combine the real-time maximum traffic difference and the maximum behavior gradient to obtain the dynamic intensity of threat propagation at the current feature node. By traversing all feature nodes, a vector set of threat propagation intensity values is obtained, which constitutes the initial node-level threat field for the current calculation cycle; The difference in the vector of threat propagation intensity values between any two adjacent feature nodes in the virtual network space is calculated and then divided by the network topology distance between the nodes to obtain the internal threat gradient. Local regions consisting of multiple pairs of feature nodes whose internal threat gradient magnitude exceeds a preset first threshold are identified, and the feature node distribution density of these local regions is calculated. If the feature node distribution density of a local region is lower than a preset second threshold, the local region is determined to be a potential region for drastic state change. If no local regions consisting of multiple pairs of feature nodes whose internal threat gradient magnitude exceeds the preset first threshold are obtained, the initial node-level threat field is output as the target node-level threat field. Within each potential region of state drastic change, new temporary feature nodes are inserted according to the spatial distribution of the internal threat gradient, forming a redistributed feature node network. Based on the redistributed feature node network, the above calculation process is repeated until the target node-level threat field is obtained as the output.
8. The security threat perception and detection method for a global network device according to claim 7, characterized in that, The calculation method for the dynamic intensity of threat propagation is as follows: The real-time maximum flow difference is normalized to obtain the normalized value of the flow difference; the maximum behavior gradient is normalized to obtain the normalized value of the behavior gradient. Based on the frequency of occurrence of each attack feature according to the feature node, and combined with the baseline security frequency of each attack feature obtained from historical normal business data, the logarithmic term of the ratio is calculated; the normalized value of the traffic difference, the normalized value of the behavior gradient, and the logarithmic term are multiplied by the preset weight coefficients and then summed to obtain the dynamic intensity of threat propagation.
9. A security threat perception and detection method for a global network device according to claim 8, characterized in that, Within each potential region of drastic state change, new temporary feature nodes are inserted based on the spatial distribution of the internal threat gradient to form a redistributed feature node network, including the following steps: The average internal threat gradient magnitude is obtained by averaging all internal threat gradients within the current state-changing potential region. The average internal threat gradient magnitude and the feature node distribution density are then weighted and summed to obtain the priority processing score for the current state-changing potential region. Select the potential region with the highest state change score as the target debugging region; extract the gradient direction of all internal threat gradients within the target debugging region; Clustering is performed based on the gradient direction to obtain multiple threat propagation direction subsets; the mean internal threat gradient within each threat propagation direction subset is calculated to obtain the threat change intensity of the subset; Traverse each threat propagation direction subset, and based on the coordinates of each feature node in the current threat propagation direction subset, determine the insertion curve of the current threat propagation direction subset by linear fitting along the average gradient of the internal threat gradient of each feature node in the current threat propagation direction subset. The number of inserted nodes is calculated based on the intensity of the subset threat change in the current threat propagation direction subset; Equidistant sampling is performed along the insertion curve to obtain candidate positions for the number of insertion nodes. When the network topology distance between each candidate position and all feature nodes in the virtual network space is less than the minimum node spacing threshold, the candidate position is eliminated, and the remaining candidate positions are determined as target positions. New temporary feature nodes are inserted at each target position to form a redistributed feature node network.