A centralized control station network security situation awareness method and system
By acquiring multi-source datasets from the central control station, extracting multi-dimensional feature vectors and performing feature offset analysis, calculating the degree of newness index, and constructing a hierarchical detection model, the problem of attack surface expansion caused by the dynamic expansion of sensing nodes in the central control station is solved. Adaptive hierarchical security situation awareness is achieved, improving the accuracy and timeliness of detection.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- BEIJING KEDONG ELECTRIC POWER CONTROL SYST CO LTD
- Filing Date
- 2026-04-08
- Publication Date
- 2026-06-19
AI Technical Summary
As the sensing nodes of the central control station dynamically expand, the attack surface continues to grow. Traditional single detection models cannot differentiate the security situation perception of sensing nodes with different degrees of newness, resulting in missed detections or false alarms of abnormal behavior.
By acquiring multi-source operational datasets of sensing nodes at the central control station, multi-dimensional feature vectors are extracted, feature offset analysis is performed, a newness index is calculated, and a multi-level attack behavior detection model is constructed based on the index classification to perform differentiated detection for sensing nodes at different levels.
It enables adaptive hierarchical security situation awareness in scenarios where the sensing nodes of the central control station are dynamically expanded, improving the accuracy and timeliness of network security situation awareness and avoiding missed detections and false alarms.
Figure CN122001682B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of network security communication technology, and in particular to a method and system for network security situation awareness of a centralized control station.
Background Technology
[0002] As the core hub for regional power grid dispatching and monitoring, the network architecture of centralized control stations is becoming increasingly complex. In actual operation, new sensing nodes are constantly being generated due to the access of new equipment, the launch of new services, and the establishment of new communication connections. This dynamic expansion of sensing nodes is a normal characteristic of centralized control station network operation. However, each newly added sensing node means an increase in potential attack entry points, thus continuously expanding the network attack surface of the centralized control station.
[0003] Currently, the mainstream methods for network security situation awareness of centralized control stations typically rely on a pre-trained single detection model to perform a unified security situation assessment on all sensing nodes. This approach achieves good detection results under relatively stable network topology conditions, but its limitations become increasingly apparent in real-world scenarios where sensing nodes are continuously and dynamically expanding. On one hand, newly added sensing nodes, due to their short access time, insufficient historical operational data accumulation, and incomplete security management strategies, exhibit significantly different behavioral patterns and risk characteristics compared to existing, long-term stable nodes. On the other hand, the single detection model uses a uniform detection standard to perform indiscriminate analysis on all nodes, making it difficult to account for the security situation differences between nodes with varying degrees of newness. This can easily lead to missed detections of abnormal behavior from newly added nodes or false positives for normal behavior from existing nodes. Therefore, existing technologies suffer from the technical problem that the attack surface of centralized control stations continuously expands due to the dynamic expansion of sensing nodes, and traditional single detection models cannot provide differentiated security situation awareness for sensing nodes with varying degrees of newness.
Summary of the Invention
[0004] This invention addresses the technical problem in existing technologies where the attack surface of a centralized control station continuously expands due to the dynamic expansion of sensing nodes, and traditional single detection models are unable to provide differentiated security situation awareness for sensing nodes with varying degrees of new additions. The invention provides a method and system for network security situation awareness in centralized control stations to solve this problem.
[0005] The technical solution of the present invention to solve the above-mentioned technical problems is as follows:
[0006] In a first aspect, the present invention provides a method for network security situation awareness of a centralized control station, comprising: acquiring a multi-source operational dataset corresponding to each sensing node in a set of sensing nodes of the centralized control station; extracting multi-dimensional feature vectors of each sensing node based on the multi-source operational dataset, wherein the multi-dimensional feature vectors include structural features, behavioral features, and security features; performing feature offset analysis on the multi-dimensional feature vectors of each sensing node to obtain multi-dimensional offset feature vectors; calculating a newness index of each sensing node according to the multi-dimensional offset feature vectors; classifying the set of sensing nodes into multiple levels by analyzing the newness index to obtain multiple-level sensing layers; constructing a multi-level attack behavior detection model corresponding to the multiple-level sensing layers; and calling the multi-level attack behavior detection model to perform attack behavior risk detection of the sensing nodes belonging to each level of the sensing layer.
[0007] Secondly, the present invention provides a network security situation awareness system for a centralized control station, comprising: a multi-dimensional feature extraction module, used to acquire a multi-source operational dataset corresponding to each sensing node in a set of sensing nodes in a centralized control station, and extract multi-dimensional feature vectors for each sensing node based on the multi-source operational dataset, wherein the multi-dimensional feature vectors include structural features, behavioral features, and security features; a feature offset analysis module, used to perform feature offset analysis on the multi-dimensional feature vectors of each sensing node to obtain multi-dimensional offset feature vectors; an index calculation module, used to calculate a newness index for each sensing node according to the multi-dimensional offset feature vectors; and a hierarchical detection module, used to classify the set of sensing nodes into hierarchical levels by analyzing the newness index to obtain multi-level sensing layers, construct a multi-level attack behavior detection model corresponding to the multi-level sensing layers, and call the multi-level attack behavior detection model to perform attack behavior risk detection on the sensing nodes belonging to each level of the sensing layer.
[0008] The beneficial effects of this invention are:
[0009] First, multi-source operational datasets corresponding to each sensing node in the control station's sensing node set are obtained. Multi-dimensional feature vectors are extracted from these datasets, including structural, behavioral, and security features. By characterizing the sensing nodes from multiple data sources, a comprehensive picture of each node's overall status in terms of network topology, operational behavior, and security protection is obtained, laying a multi-dimensional data foundation for the subsequent assessment of each node's degree of newness. Next, feature offset analysis is performed on the multi-dimensional feature vectors of each sensing node to obtain multi-dimensional offset feature vectors. Since newly added sensing nodes inevitably deviate to varying degrees from the existing, stable nodes of the control station in their structural, behavioral, and security features, feature offset analysis quantifies these differences, expressing the deviation of each sensing node relative to the existing node group as a multi-dimensional offset feature vector. Then, the newness index of each sensing node is calculated from its multi-dimensional offset feature vector. The newness index is a comprehensive measure of the multi-dimensional offset feature vector and directly represents the degree to which a sensing node deviates from the existing node group. A higher newness index means that the node more closely resembles a newly added node, that its security management maturity is lower, and that it faces a greater attack risk. Subsequently, by analyzing the newness index, the sensing node set is classified into multiple levels of sensing layers. A multi-level attack behavior detection model corresponding to each level of sensing layer is constructed, and this model is invoked to perform attack behavior risk detection on the sensing nodes belonging to each level.
By dividing sensing nodes into different levels of sensing layers according to their newness index and constructing targeted attack behavior detection models for each level, nodes with a higher newness level can be subjected to more stringent and sensitive detection strategies, while mature nodes with a lower newness level are subjected to conventional detection strategies. This achieves adaptive hierarchical security situation awareness in scenarios where the sensing nodes of the central control station are dynamically expanded.
[0010] The above technical solution addresses the dynamic expansion characteristics of sensing nodes in centralized control stations by quantifying the degree of newness of each sensing node based on multi-dimensional feature offset analysis. Based on this, sensing nodes are adaptively graded, and differentiated attack behavior detection models are matched to sensing nodes with different degrees of newness. This avoids the problems of missed detection of new nodes and false alarms of existing nodes caused by the indiscriminate detection of all nodes by traditional single detection models, thereby improving the accuracy and timeliness of network security situational awareness in scenarios of dynamic node expansion at centralized control stations.
Attached Figure Description
[0011] Figure 1 is a flowchart of the centralized control station network security situation awareness method provided by the present invention;
[0012] Figure 2 is a schematic diagram of the structure of the centralized control station network security situation awareness system provided by the present invention.
[0013] In the attached diagram, the components represented by each number are as follows:
[0014] Multidimensional feature extraction module 11, feature offset analysis module 12, index calculation module 13, and hierarchical detection module 14.
Detailed Implementation
[0015] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0016] In the description of this invention, the terms "first" and "second" are used for descriptive purposes only and should not be construed as indicating or implying relative importance or implicitly specifying the number of indicated technical features. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more of the stated features. In the description of this invention, "a plurality of" means two or more, unless otherwise explicitly specified.
[0017] In the description of this invention, the term "for example" is used to mean "used as an example, illustration, or description." Any embodiment described as "for example" in this invention is not necessarily to be construed as being more preferred or advantageous than other embodiments. The following description is provided to enable any person skilled in the art to make and use the invention. Details are set forth in the following description for purposes of explanation. It should be understood that those skilled in the art will recognize that the invention can be made without using these specific details. In other instances, well-known structures and processes will not be described in detail to avoid obscuring the description of the invention with unnecessary detail. Therefore, the invention is not intended to be limited to the embodiments shown, but is consistent with the broadest scope of the principles and features disclosed herein.
[0018] Example 1. As shown in Figure 1, this embodiment of the invention provides a method for network security situation awareness of a centralized control station, including:
[0019] S1. Obtain the multi-source operation dataset corresponding to each sensing node in the set of sensing nodes of the central control station, and extract the multi-dimensional feature vector of each sensing node based on the multi-source operation dataset. The multi-dimensional feature vector includes structural features, behavioral features and security features.
[0020] Specifically, the central control station, as the core hub in the power system for centralized monitoring and remote operation of multiple subordinate substations, has a network environment deployed with numerous sensing nodes performing different functions. In the central control station network environment, a sensing node does not refer to a specific type of physical device, but rather to an abstract, unified modeling concept, referring to any network entity within the central control station network that can be included in the scope of security situation awareness. Specifically, sensing nodes include, but are not limited to, device nodes, service nodes, and the logical nodes corresponding to which communication connections are established. In this context, device nodes refer to physical or virtual device entities connected to the central control station network, such as deployed switches, servers, terminal workstations, security gateways, edge computing devices, and virtual device instances such as virtual machines, virtual firewalls, and virtual switches deployed through a virtualization platform. Each physical or virtual device is abstracted as a device-type perception node after connecting to the network. Service nodes refer to software services or business application instances running online in the central control station network, such as deployed data acquisition services, remote monitoring services, communication middleware services, and web management platforms. Each independently running service process is abstracted as a service-type perception node after going online. Logical nodes refer to the logical entities corresponding to the communication connections established in the central control station network, such as an SSH tunnel, a VPN tunnel, or a SCADA communication link established between two devices. Each established communication connection is abstracted as a logical-type perception node. 
By uniformly abstracting the above different types of network entities into perception nodes, consistent feature collection and situational analysis can be performed on all objects that may introduce security risks in the central control station network under a unified data model, avoiding coverage blind spots in subsequent classification and detection processes due to inconsistent modeling objects. As the centralized control station's operations continue to evolve, new devices are constantly being connected to the station's network, new services are continuously being launched, and new communication connections are constantly being established, causing the set of sensing nodes to be in a state of dynamic expansion. This dynamic expansion characteristic leads to a continuous increase in the network attack surface of the centralized control station. Therefore, it is necessary to comprehensively collect the operational status and characterize the features of each sensing node in the set of sensing nodes, laying a data foundation for subsequent assessment of the degree of addition of each node and the execution of differentiated attack behavior detection.
[0021] First, the multi-source operational datasets corresponding to each sensing node in the control station's sensing node set are obtained. These multi-source operational datasets are comprehensive data collections gathered from multiple operational dimensions of the sensing nodes, covering network topology, traffic behavior, and security events. At the network topology level, data is obtained by actively probing the control station network or parsing the topology configuration information maintained in the network management system. The specific data collected includes the location coordinates of each sensing node in the network topology diagram, i.e., the network partition identifier and layer number of the sensing node, the list of directly connected neighboring nodes and their corresponding interface identifiers, the set of currently open communication ports of the node and the service protocol type corresponding to each port, and the IP address range of the node's network segment. This data is stored in a structured form representing node-edge relationships. At the traffic behavior level, data is acquired by deploying traffic acquisition probes on critical links of the central control station network or by calling the traffic mirroring interface of network devices. Specific data collected includes the number of inbound and outbound traffic bytes and their temporal sequence changes for each sensing node within a set statistical period, the types of protocols used in communication sessions and the session percentage of each protocol, the number of requests and responses initiated and received per unit time, the duration of each communication session, and the sequence of target addresses accessed by the node. This data is stored in the form of timestamped traffic log records. 
At the security event level, data is acquired by aggregating logs generated by the intrusion detection system, vulnerability scanning system, security audit system, and authentication management system deployed at the central control station. Specific data collected includes security alarm records triggered by each sensing node and their alarm types and severity levels, vulnerability numbers discovered by vulnerability scanning and their corresponding risk ratings, login success and failure records and reasons for failure during the authentication process, and access event records blocked or allowed by security policies. This data is stored in the form of structured security event logs.
[0022] Based on the aforementioned multi-source operational dataset, multi-dimensional feature vectors are extracted for each sensing node. These multi-dimensional feature vectors consist of sub-feature vectors representing three dimensions: structural features, behavioral features, and security features. They are used to quantitatively represent the operational state of the sensing nodes from different perspectives.
[0023] Structural features are feature vectors obtained by quantifying the static location and connectivity of sensing nodes within the central control station network based on data collected at the network topology level. Specifically, feature calculations are performed on the collected structured node-edge relationship data to extract feature components at the network topology level, including at least node degree, node hierarchy depth, port openness, and network segment node density. Node degree refers to the number of directly connected neighboring nodes, representing the node's connectivity breadth in the network; node hierarchy depth refers to the network hops from the sensing node to the central control station's core switching area, representing the node's position in the network's depth structure; port openness refers to the number of currently open communication ports and the distribution of service protocol types carried by each port, representing the richness of the node's exposed service interfaces; and network segment node density is the ratio of the total number of currently active sensing nodes within the IP network segment to the number of nodes the segment can accommodate, representing the congestion level of the network area where the node is located. These network topology-level feature components are combined in a preset order to constitute the structural features of the sensing node. Newly connected devices or newly established connections often exhibit significantly different distribution characteristics compared to existing stable nodes in terms of node degree, port open status, and network segment density. These structural characteristics reflect the exposure and reachability of sensing nodes within the network architecture, and are of significant reference value for subsequently determining whether a node is a new node.
[0024] Behavioral features are feature vectors obtained by quantifying and describing the dynamic communication behavior and business interaction patterns exhibited by sensing nodes during operation based on data collected at the traffic behavior level. Specifically, feature calculations are performed on the collected timestamp-marked traffic log records to extract feature components at the traffic behavior level, including at least traffic statistical features, protocol distribution entropy values, request frequency time-series features, session establishment and termination frequency, and access target diversity index. Among them, traffic statistics characteristics refer to the mean and variance of inbound and outbound traffic of the sensing node within a set statistical period, used to characterize the overall level and fluctuation of the node's communication traffic; protocol distribution entropy value refers to the information entropy of the proportion of each protocol type in the node's communication sessions, used to characterize the diversity and concentration of communication protocols used by the node; request frequency time-series characteristics refer to the statistical characteristics of the time sequence of the number of requests and responses initiated and received by the node within multiple consecutive statistical periods, including mean, peak, and periodic indicators, used to characterize the temporal regularity of the node's communication behavior; session establishment and termination frequency refers to the number of session establishments and disconnections initiated by the node per unit time, used to characterize the activity and stability of the node's communication connections; access target diversity index refers to the ratio of the number of different target addresses accessed by the node to the total number of accesses within the statistical period, used to characterize the dispersion of the node's communication objects. 
The above traffic behavior features are combined in a preset order to constitute the behavioral characteristics of the sensing node. Newly launched services or newly established communication connections often have not yet formed a stable communication pattern in the early stages of operation. Their behavioral characteristics, such as traffic fluctuations, protocol distribution, and access targets, will show significant differences from those of long-term stable nodes. These behavioral characteristics can characterize whether the communication behavior pattern of the sensing node conforms to the operating rules of the existing stable services of the central control station.
[0025] Security features are feature vectors obtained by quantifying the state of the sensing nodes at the security protection and security event levels based on data collected at the security event level. Specifically, feature calculations are performed on the collected structured security event log data to extract feature components at the security event level, including at least alarm triggering features, vulnerability risk features, authentication failure rate, security policy coverage, and the proportion of abnormal access events. Among them, alarm triggering characteristics refer to the total number of security alarms triggered by the sensing node within the statistical period and the distribution of the number of alarms of each alarm type, used to characterize the frequency and type characteristics of security events caused by the node; vulnerability risk characteristics refer to the number of unpatched vulnerabilities found by vulnerability scanning of the node and the distribution of the severity levels of each vulnerability, used to characterize the degree of security vulnerability of the node itself; authentication failure rate refers to the ratio of the number of authentication failures of the node to the total number of authentications within the statistical period, used to characterize the degree of abnormality of the node in the authentication process; security policy coverage refers to the ratio of the number of security policy rules configured and effective on the node to the total number of standard security policy rules of the central control station, used to characterize the completeness of the node's security control configuration; abnormal access event ratio refers to the ratio of the number of access events blocked by the security policy on the node to the total number of access events on the node, used to characterize the proportion of abnormal access suffered by the node. 
The above security event-level characteristic components are combined in a preset order to constitute the security characteristics of the sensing node. Newly connected devices or newly launched services often exhibit significant gaps in security characteristics compared to existing mature nodes, such as low security policy coverage and high vulnerability risks, due to incomplete security policy configurations and inadequate security hardening measures. These security characteristics can characterize the current level of security control and the level of security threats faced by the sensing node.
[0026] Subsequently, the structural, behavioral, and security features extracted for each sensing node are concatenated to form the complete multidimensional feature vector of that sensing node. In this way, a multidimensional feature vector is extracted for each sensing node in the central control station's sensing node set, comprehensively depicting the current operational status of each node from three dimensions: network topology, operational communication behavior, and security protection status. This provides the foundation for the subsequent steps of feature offset analysis against stable nodes, quantification of each node's degree of newness, and graded, differentiated attack behavior detection based on that quantification.
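The three sub-feature vectors of paragraphs [0023] to [0025], as an added worked example written for this page (it is not code from the patent or its assignee). It derives structural, behavioral and security features from small constructed datasets in the three data layers of paragraph [0021] and concatenates them in the fixed order the text prescribes. The record layout, the function names, the encoding of port openness as an open-port count plus a distinct-protocol count, the encoding of the alarm and vulnerability distributions as counts, and the statistical period are all assumptions; the periodicity indicator mentioned for the request time series is omitted, and ratios whose denominator is zero are defined as 0.0 so a node with no events of a kind still yields a vector.

```python
"""Multi-dimensional feature extraction for a sensing node (step S1)."""
import math
from collections import Counter, defaultdict
from statistics import mean, pvariance


def _ratio(num: float, den: float) -> float:
    """Proportion that stays defined when a node has no events of a kind (assumption)."""
    return num / den if den else 0.0


def structural_features(topo: dict, segment_capacity: int) -> list[float]:
    """Topology level: [node degree, hierarchy depth, open port count,
    distinct protocol types (port openness, simplified), segment node density]."""
    ports = topo["open_ports"]                          # {port: protocol}
    return [
        float(len(topo["neighbors"])),                  # node degree
        float(topo["depth"]),                           # hops to the core switching area
        float(len(ports)),                              # port openness: open-port count ...
        float(len(set(ports.values()))),                # ... and protocol-type spread
        _ratio(topo["segment_active_nodes"], segment_capacity),  # segment node density
    ]


def protocol_entropy(sessions: list[dict]) -> float:
    """Information entropy (bits) of the protocol share across the node's sessions."""
    counts = Counter(s["proto"] for s in sessions)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def behavioral_features(sessions: list[dict]) -> list[float]:
    """Traffic level: [bytes mean, bytes variance, protocol entropy,
    request-rate mean, request-rate peak, sessions per period, target diversity]."""
    bytes_per_period = defaultdict(int)
    reqs_per_period = defaultdict(int)
    sessions_per_period = Counter()
    for s in sessions:                                  # one log record per session
        bytes_per_period[s["t"]] += s["in"] + s["out"]
        reqs_per_period[s["t"]] += s["req"] + s["resp"]
        sessions_per_period[s["t"]] += 1
    periods = sorted(bytes_per_period)
    byte_series = [bytes_per_period[t] for t in periods]
    req_series = [reqs_per_period[t] for t in periods]
    sess_series = [sessions_per_period[t] for t in periods]
    distinct_targets = len({s["dst"] for s in sessions})
    return [
        float(mean(byte_series)), float(pvariance(byte_series)),
        protocol_entropy(sessions),
        float(mean(req_series)), float(max(req_series)),
        float(mean(sess_series)),
        _ratio(distinct_targets, len(sessions)),
    ]


def security_features(ev: dict, standard_rule_count: int) -> list[float]:
    """Security-event level: [alarm total, distinct alarm types, unpatched vulns,
    high-severity vulns, auth failure rate, policy coverage, abnormal access ratio]."""
    return [
        float(len(ev["alarms"])),
        float(len({kind for kind, _ in ev["alarms"]})),
        float(len(ev["vulns"])),
        float(sum(1 for _, sev in ev["vulns"] if sev == "high")),
        _ratio(ev["auth_fail"], ev["auth_ok"] + ev["auth_fail"]),
        _ratio(ev["effective_rules"], standard_rule_count),
        _ratio(ev["access_blocked"], ev["access_allowed"] + ev["access_blocked"]),
    ]


def extract_feature_vector(node: dict) -> dict:
    """Concatenate the sub-vectors in the fixed order structural, behavioral, security."""
    s = structural_features(node["topology"], node["segment_capacity"])
    b = behavioral_features(node["traffic"])
    c = security_features(node["security"], node["standard_rule_count"])
    return {"structural": s, "behavioral": b, "security": c, "vector": s + b + c}


# Constructed sample for one workstation-type sensing node (not real data).
SAMPLE_NODE = {
    "topology": {"neighbors": ["sw-core-1", "sw-acc-3"], "depth": 2,
                 "open_ports": {22: "ssh", 2404: "iec104", 502: "modbus"},
                 "segment_active_nodes": 40},
    "segment_capacity": 254,
    "traffic": [   # t = statistical period index; one record per session
        {"t": 0, "proto": "iec104", "in": 1200, "out": 800, "req": 10, "resp": 10, "dst": "10.1.1.5"},
        {"t": 0, "proto": "ssh", "in": 300, "out": 200, "req": 2, "resp": 2, "dst": "10.1.1.9"},
        {"t": 1, "proto": "iec104", "in": 1000, "out": 1000, "req": 12, "resp": 11, "dst": "10.1.1.5"},
        {"t": 2, "proto": "iec104", "in": 1400, "out": 600, "req": 9, "resp": 9, "dst": "10.1.1.5"},
        {"t": 2, "proto": "modbus", "in": 100, "out": 100, "req": 1, "resp": 1, "dst": "10.1.1.20"},
    ],
    "security": {"alarms": [("port_scan", "medium"), ("auth_bruteforce", "high")],
                 "vulns": [("VULN-A", "high"), ("VULN-B", "medium"), ("VULN-C", "low")],
                 "auth_ok": 16, "auth_fail": 4, "effective_rules": 6,
                 "access_allowed": 45, "access_blocked": 5},
    "standard_rule_count": 10,
}

if __name__ == "__main__":
    for name, vec in extract_feature_vector(SAMPLE_NODE).items():
        print(f"{name:>10}: {[round(v, 3) for v in vec]}")
```

The fixed component order matters: the offset analysis of step S2 compares each component against the same component of the baseline vector, so every node must be encoded with exactly the same 19 positions.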
[0027] S2. Perform feature offset analysis on the multidimensional feature vectors of each sensing node to obtain the multidimensional offset feature vectors.
[0028] Specifically, after extracting the multidimensional feature vectors of each sensing node, feature offset analysis is performed on these multidimensional feature vectors to quantify the degree of deviation of each sensing node relative to the stable operating nodes in the central control station network. Specifically, the set of sensing nodes in the central control station includes both existing nodes that have been operating stably for a long time and newly added nodes due to equipment access, service launch, or communication connection establishment. Different nodes exhibit differences in structural, behavioral, and security characteristics. By establishing a feature benchmark for stable nodes and calculating the offset of each node from this benchmark, this difference is transformed into a quantifiable offset feature vector, providing a numerical basis for calculating the degree of new additions index.
[0029] First, a historical operational stability assessment is performed on the set of sensing nodes to select a baseline node set. This historical operational stability assessment involves retrospectively analyzing the historical operational data of each sensing node in the set, selecting nodes whose operational status has remained consistently stable over a longer observation period. The assessment criteria include, but are not limited to: the node's continuous runtime in the central control station network, the temporal fluctuation amplitude of the node's multidimensional feature vector within the historical observation period, and the frequency and severity of security events triggered by the node during its historical operation. Based on these assessment dimensions, sensing nodes that meet preset stability conditions are selected to form the baseline node set. The preset stability conditions are stability judgment conditions comprehensively set based on the node's continuous runtime, the temporal fluctuation amplitude of its multidimensional feature vector, and the triggering of historical security events. These conditions are used to select sensing nodes with consistently stable operational status as baseline nodes, and are configured by the central control station security management personnel according to the actual network operating environment and security control requirements. The baseline node set represents a group of nodes in the central control station network that have undergone long-term operational verification, have mature behavioral patterns, and have sound security controls; it serves as a reference standard for measuring the deviation of other nodes. Then, the multidimensional baseline feature vectors corresponding to the baseline node set are extracted. 
Specifically, the multidimensional feature vectors of each baseline node in the baseline node set are statistically aggregated across each feature dimension to obtain a multidimensional baseline feature vector that represents the overall feature level of a stable node. The statistical aggregation can be achieved by averaging the same feature components across the nodes in the baseline node set. Specifically, the mean values of each component of the structural features of all baseline nodes are calculated to form the structural baseline feature vector, the mean values of each component of the behavioral features are calculated to form the behavioral baseline feature vector, and the mean values of each component of the security features are calculated to form the security baseline feature vector. These three baseline feature vectors are then concatenated to obtain the complete multidimensional baseline feature vector. This multidimensional baseline feature vector represents the feature level that a typical stable node in the centralized control station network should exhibit in the three dimensions of structure, behavior, and security, and serves as the reference baseline for feature offset analysis.
[0030] Based on the obtained multidimensional baseline feature vector, feature offset analysis is performed on the multidimensional feature vectors of each sensing node according to the multidimensional baseline feature vector to obtain multidimensional offset feature vectors. Specifically, for each sensing node in the sensing node set, its multidimensional feature vector is offset component by component with the multidimensional baseline feature vector in the corresponding feature dimension to obtain the offset vector in each feature dimension. In the structural feature dimension, the deviation ratio of each component value in the structural feature of the sensing node with the corresponding component value in the structural baseline feature vector is calculated to obtain the structural feature offset vector, which is used to quantify the degree of deviation of the node from stable nodes in terms of network topology connectivity. In the behavioral feature dimension, the deviation ratio of each component value in the behavioral feature of the sensing node with the corresponding component value in the behavioral baseline feature vector is calculated to obtain the behavioral feature offset vector, which is used to quantify the degree of deviation of the node from stable nodes in terms of communication behavior patterns. In the security feature dimension, the deviation ratio of each component value in the security feature of the sensing node with the corresponding component value in the security baseline feature vector is calculated to obtain the security feature offset vector, which is used to quantify the degree of deviation of the node from stable nodes in terms of security protection status. The deviation ratio refers to the ratio of the difference between the feature component value of each sensing node and the corresponding reference feature component value to the reference feature component value. 
Calculating the deviation ratio eliminates the incomparability caused by differences in units and numerical ranges between different feature components, ensuring that the degree of deviation of each dimension and component is expressed as a proportion relative to the reference, facilitating subsequent unified weighted calculations across dimensions. The deviation vectors of the three feature dimensions are concatenated—that is, the structural feature deviation vector, the behavioral feature deviation vector, and the safety feature deviation vector—to form the multidimensional deviation feature vector of the sensing node. This multidimensional deviation feature vector includes the structural feature deviation vector, the behavioral feature deviation vector, and the safety feature deviation vector.
[0031] Through the feature offset analysis above, each sensing node in the control station's sensing node set obtains a multidimensional offset feature vector. This multidimensional offset feature vector quantifies the degree of deviation between each node and stable nodes in three dimensions: structure, behavior, and security. For existing nodes that have been operating stably for a long time, the components of the offset vector are relatively small because their own characteristics are close to the baseline characteristics. For newly connected devices, newly launched services, or newly established communication connections, however, the components of the offset vector are relatively large because their operating modes are not yet mature and their security configurations are not yet complete. The multidimensional offset feature vectors of the sensing nodes provide the input for the subsequent offset nonlinear enhancement processing and for the calculation of each node's degree of newness index.
[0032] S3. Calculate the degree of newness index of each sensing node according to the multidimensional offset feature vector.
[0033] Specifically, after obtaining the multidimensional offset feature vectors of each sensing node, these vectors are transformed into a scalar index that comprehensively reflects the degree of newness of each sensing node, namely the degree of newness index. The degree of newness index is a numerical measure of the comprehensive degree of deviation of each sensing node from the stable benchmark. The larger the value, the more significant the difference between the sensing node and the stable node, and the higher the degree of newness. The smaller the value, the closer the operating state of the sensing node is to that of the stable node.
[0034] First, the multidimensional offset feature vector is subjected to offset nonlinear enhancement processing to obtain the processed multidimensional offset feature vector. Offset nonlinear enhancement processing refers to applying a nonlinear mapping transformation to the offset of each component in the multidimensional offset feature vector. The purpose is to improve the sensitivity to abrupt changes, so that the components with larger offsets are further amplified after nonlinear mapping, while the components with smaller offsets maintain a relatively smooth change, thereby enhancing the ability of the offset feature vector to distinguish between high-offset nodes and low-offset nodes.
[0035] Then, multidimensional offset weights are configured by analyzing the historical attack distribution of the sensing nodes. Because structural feature offsets, behavioral feature offsets, and security feature offsets contribute differently to identifying the degree of newness of a node, and the risk indicated by an offset differs between attack scenarios, differentiated weights are configured for the offset components of each dimension according to the historical attack distribution of the sensing nodes, so that the offset dimensions more closely associated with attack behavior receive higher weights.
[0036] Next, the processed multidimensional offset feature vectors are weighted according to the multidimensional offset weights to obtain the newness index of each sensing node. Through weighted calculation, the offsets of each sensing node after nonlinear enhancement in the three dimensions of structure, behavior and security are combined according to their corresponding weights, and finally a scalar value is output as the newness index of the node.
[0037] In the above manner, each sensing node in the set of sensing nodes of the central control station obtains its own degree of newness index. This degree of newness index comprehensively reflects the degree to which each node deviates from the stable benchmark in the multi-dimensional feature space, providing a basis for subsequent classification of the sensing node set and construction of differentiated attack behavior detection models.
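The following Python example is added to this page and is not part of the patent's disclosure. It carries steps S2 and S3 through on constructed data: deviation ratios against a baseline, an assumed nonlinear enhancement (the hyperbolic sine, which the text does not specify), an assumed weighting rule derived from which nodes carry historical attack records, and the resulting scalar newness index. The component layout, the node names and all values are constructed; the denominator floor in `deviation_ratio` is an added safeguard for baseline components equal to zero, a case the text does not address.

```python
import math

# Dimension order used for concatenation. The page names these three dimensions
# but fixes no component order, so the layout below is an assumption.
DIMENSIONS = ("structural", "behavioral", "security")


def deviation_ratio(value, baseline, floor=1e-6):
    """Deviation ratio of paragraph [0030]: (x - b) / b.

    A baseline component of exactly zero (for example an authentication failure
    rate of 0 across every benchmark node) would divide by zero, so the
    denominator is floored. The floor is an added safeguard, not from the page."""
    return (value - baseline) / max(abs(baseline), floor)


def offset_vector(node, baseline):
    """Per-dimension offset vectors for one sensing node (step S2)."""
    return {d: [deviation_ratio(x, b) for x, b in zip(node[d], baseline[d])]
            for d in DIMENSIONS}


def enhance(r):
    """Offset nonlinear enhancement (assumed mapping): sinh(r) is about r for
    small |r| and grows exponentially for large |r|, so abrupt offsets dominate."""
    return math.sinh(r)


def enhanced_offsets(offsets):
    return {d: [enhance(r) for r in v] for d, v in offsets.items()}


def magnitude(vec):
    """Mean absolute value of a dimension's components (assumed aggregation)."""
    return sum(abs(x) for x in vec) / len(vec)


def offset_weights(enhanced_by_node, attacked_nodes):
    """Assumed weighting rule for paragraph [0035]: a dimension's weight is the
    lift of its mean enhanced offset on nodes with historical attack records
    over nodes without, normalised so the three weights sum to 1."""
    lifts = {}
    for d in DIMENSIONS:
        atk = [magnitude(e[d]) for n, e in enhanced_by_node.items() if n in attacked_nodes]
        oth = [magnitude(e[d]) for n, e in enhanced_by_node.items() if n not in attacked_nodes]
        mean_atk = sum(atk) / len(atk) if atk else 0.0
        mean_oth = sum(oth) / len(oth) if oth else 0.0
        lifts[d] = (mean_atk + 1e-6) / (mean_oth + 1e-6)
    total = sum(lifts.values())
    return {d: lift / total for d, lift in lifts.items()}


def newness_index(enhanced, weights):
    """Scalar newness index: weighted sum of per-dimension enhanced magnitudes."""
    return sum(weights[d] * magnitude(enhanced[d]) for d in DIMENSIONS)


def score_nodes(nodes, baseline, attacked_nodes):
    """Steps S2 and S3 end to end; returns (index per node, dimension weights)."""
    offsets = {n: offset_vector(f, baseline) for n, f in nodes.items()}
    enhanced = {n: enhanced_offsets(o) for n, o in offsets.items()}
    weights = offset_weights(enhanced, attacked_nodes)
    return {n: newness_index(e, weights) for n, e in enhanced.items()}, weights


# Constructed sample data (not from the page). Components, in order:
#   structural: node degree, hierarchy depth, open ports
#   behavioral: bytes per minute, protocol entropy, requests per minute
#   security:   alarms per day, authentication failure rate, policy coverage
BASELINE = {"structural": [4.0, 2.0, 6.0],
            "behavioral": [1200.0, 2.1, 30.0],
            "security": [0.5, 0.02, 0.9]}
NODES = {
    "rtu-01":  {"structural": [4.0, 2.0, 6.0],  "behavioral": [1250.0, 2.0, 31.0], "security": [0.4, 0.02, 0.9]},
    "rtu-12":  {"structural": [5.0, 2.0, 8.0],  "behavioral": [1600.0, 2.6, 45.0], "security": [1.0, 0.05, 0.7]},
    "sens-91": {"structural": [9.0, 3.0, 14.0], "behavioral": [3000.0, 3.4, 90.0], "security": [3.0, 0.2, 0.4]},
}
ATTACKED = {"sens-91"}  # nodes with attack records in the (constructed) history

if __name__ == "__main__":
    index, weights = score_nodes(NODES, BASELINE, ATTACKED)
    print("weights:", {d: round(w, 3) for d, w in weights.items()})
    for node, value in sorted(index.items(), key=lambda kv: kv[1]):
        print(f"{node:8s} newness index = {value:.3f}")
```

Running it ranks rtu-01 below rtu-12 below sens-91. The security dimension receives almost all of the weight because the baseline authentication failure rate (0.02) is tiny: a node value of 0.2 gives a ratio of 9, and sinh(9) is about 4051. Components with near-zero baselines therefore dominate the index unless the ratio is clipped or log-scaled before enhancement, a choice the practitioner has to make explicitly.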
[0038] S4. By analyzing the degree of newness index, the set of sensing nodes is classified into multiple levels to obtain a multi-level sensing layer. A multi-level attack behavior detection model corresponding to the multi-level sensing layer is constructed, and the multi-level attack behavior detection model is called to perform attack behavior risk detection of the sensing nodes belonging to each level of the sensing layer.
[0039] Specifically, after obtaining the newness index of each sensing node, the sensing node set is divided into levels according to the newness index. The newness index of each sensing node is different. Nodes with a lower newness index are closer to the stable baseline, while nodes with a higher newness index deviate more from the stable baseline. The sensing node set is divided into multiple levels according to the newness index, forming a multi-level sensing layer, so that nodes within the same sensing layer have similar newness characteristics.
[0040] After completing the hierarchical classification, a multi-level attack behavior detection model corresponding to the multi-level perception layer is constructed. Because the perception nodes in different perception layers differ in degree of newness, they exhibit significant differences in attack behavior characteristics, and a single detection model cannot account for the attack behavior characteristics of nodes at every level. Therefore, a targeted attack behavior detection model is constructed for each perception layer, forming a multi-level attack behavior detection model that corresponds one-to-one with the multi-level perception layer.
[0041] After the multi-level attack behavior detection model is constructed, it is invoked to perform attack behavior risk detection on the sensing nodes belonging to each level of the perception layer. For each level of the perception layer, the attack behavior detection model corresponding to that level is invoked to perform attack behavior risk detection on the sensing nodes belonging to that level. This ensures that the sensing nodes in each perception layer are examined by a detection model that matches their degree of newness, thereby improving the accuracy and timeliness of network security situation awareness at the central control station in scenarios of dynamic node expansion.
[0042] Through the above steps, to address the issue of the attack surface continuously expanding due to the dynamic expansion of the sensing node set in the central control station, multi-source operational data collection and multi-dimensional feature vector extraction are first performed on each sensing node in the sensing node set. Then, feature offset analysis is performed against the baseline formed by stable nodes to obtain the multi-dimensional offset feature vector of each node. Subsequently, the multi-dimensional offset feature vectors are converted into a degree of newness index that quantifies the degree of newness of each node. The sensing nodes are then classified according to the degree of newness index, and corresponding multi-level attack behavior detection models are constructed to perform differentiated attack behavior risk detection. This achieves adaptive hierarchical modeling and targeted security detection based on the degree of newness of sensing nodes. Compared with using a single detection model to examine all nodes indiscriminately, assigning nodes with different degrees of newness to different sensing layers and matching them with corresponding detection models gives each level of node a detection strategy adapted to its own operational characteristics, thereby improving the accuracy and timeliness of network security situation awareness of the central control station in the scenario of dynamic node expansion.
[0043] Furthermore, the multi-level perception layer includes at least a stable node perception layer, a transition node perception layer, and a newly added node perception layer; a multi-level attack behavior detection model corresponding to the multi-level perception layer is constructed, including:
[0044] S41. Define an initial attack behavior detection model. Based on the stable node perception layer, the transition node perception layer, and the newly added node perception layer, perform differentiated model training on the initial attack behavior detection model to obtain the corresponding multi-level attack behavior detection model.
[0045] In a preferred embodiment, when the set of sensing nodes is hierarchically divided into multi-level sensing layers based on the degree of newness index, the multi-level sensing layers include at least a stable node sensing layer, a transitional node sensing layer, and a newly added node sensing layer. Specifically, the sensing nodes in the stable node sensing layer have a low degree of newness index; these nodes have been operating stably in the central control station network for a long time, exhibiting stable distribution characteristics in their structural, behavioral, and security features, with mature operating modes and well-developed security management configurations. The sensing nodes in the transitional node sensing layer have a moderate degree of newness index; these nodes have been operating in the central control station network for some time, and their operating characteristics are gradually stabilizing but have not yet fully converged, with some feature dimensions still showing some fluctuations, indicating a transition from a newly added state to a stable state. The sensing nodes in the newly added node sensing layer have a high degree of newness index; these nodes have only recently joined the central control station network, and their operating characteristics differ significantly from those of stable nodes. Their communication behavior patterns have not yet formed a regular pattern, their security policy configurations are not yet perfect, and they face relatively high security threat risks.
[0046] When constructing a multi-level attack behavior detection model corresponding to multiple perception layers based on three layers—stable node perception layer, transition node perception layer, and newly added node perception layer—the first step is to define an initial attack behavior detection model. This initial model is a general model with basic attack behavior detection capabilities defined before differentiated training. It uses a unified network structure and initialization parameters, can receive feature data from perception nodes, and output attack behavior risk assessment results, but has not yet been specifically optimized for the attack behavior characteristics of any particular perception layer. The initial attack behavior detection model serves as the starting point for differentiated training, providing a unified model foundation for subsequent targeted training for different perception layers. This ensures that the detection models at each level maintain consistency at the model architecture level, with differences only reflected in the training data and training strategies. Specifically, firstly, a general training dataset is constructed, aggregating historical operational data and attack behavior records accumulated in similar centralized control station network environments. Multidimensional feature vectors of each sensing node at different time periods are extracted as sample features. Simultaneously, historical attack behavior events recorded in the security management system are used to label each sample, marking samples exhibiting attack behavior as attack samples and those without attack behavior as normal samples, thus forming a general training dataset containing both attack and normal samples. Next, the attack behavior detection network structure is determined, for example, using a deep neural network. 
This network receives the multidimensional feature vectors of sensing nodes as input, and after multiple layers of feature transformation and abstraction, outputs the probability value of the node's potential attack behavior risk. The network structure includes an input layer, multiple hidden layers, and an output layer. The dimension of the input layer is consistent with the number of feature components of the multidimensional feature vector. The hidden layers use fully connected layers and non-linear activation functions for layer-by-layer feature abstraction and transformation. The output layer uses a sigmoid activation function to map the output to a probability value between zero and one, which represents the likelihood that the corresponding sensing node currently exhibits attack behavior risk. In one specific implementation, the hidden layers are configured as three fully connected layers, with the number of neurons in each hidden layer being 256, 128, and 64 respectively. ReLU is used as the activation function in each hidden layer. The network structure is then trained using a general training dataset, with binary cross-entropy as the loss function. The parameters are updated using the Adam optimizer with a learning rate of 0.001 and 200 training iterations. This allows the model to learn the general feature distinctions between attack samples and normal samples. The model obtained after the loss function converges is the initial attack behavior detection model. This initial attack behavior detection model already possesses basic recognition capabilities for common attack behavior types. However, its training data comes from a mixture of data from all sensing nodes and has not yet been specifically optimized for the attack behavior distribution characteristics of nodes with different levels of newness. Further differentiated training is needed based on this.
[0047] After defining the initial attack behavior detection model, differentiated model training is performed for the stable node perception layer, the transition node perception layer, and the newly added node perception layer. Differentiated model training refers to training the initial attack behavior detection model separately for each of the three perception layers using training data and strategies matched to the features of each layer, so that the trained model adapts to the attack behavior distribution of the perception nodes in the corresponding perception layer. The three perception layers exhibit significant differences in attack behavior characteristics: nodes in the stable node perception layer, due to their mature and stable operation, experience a lower frequency of attacks, with a relatively concentrated distribution of attack types, and normally functioning samples dominate the data; nodes in the transition node perception layer, whose operation is still converging, experience a moderate frequency of attacks, and the distribution of attacks fluctuates significantly over time; nodes in the newly added node perception layer, due to incomplete security controls and unstable operating modes, experience a higher frequency of attacks, with diverse attack types and a higher proportion of abnormal samples in the data. Based on these differences, the initial attack behavior detection model is trained in a targeted manner to obtain the stable node attack behavior detection model, the transition node attack behavior detection model, and the newly added node attack behavior detection model. The three together constitute the multi-level attack behavior detection model corresponding to the multi-level perception layer.
[0048] Using the above method, with the initial attack behavior detection model as a unified starting point, differentiated model training is carried out for the stable node perception layer, the transition node perception layer, and the newly added node perception layer. This allows each level of detection model to inherit the basic recognition ability of the initial attack behavior detection model for common attack behaviors, and on this basis, it is specially optimized for the attack behavior distribution characteristics of nodes at their respective levels, so as to more accurately identify the security threats faced by nodes with different degrees of newness.
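The following NumPy example is added to this page rather than taken from the patent. It implements the initial model of paragraph [0046] as described (three hidden layers of 256, 128 and 64 ReLU units, a sigmoid output, binary cross-entropy, Adam with learning rate 0.001) and the differentiated training of paragraph [0047] as fine-tuning from that model on each layer's samples. The dataset is constructed, and the per-layer training strategy used here, a positive-class weight that counters the difference in attack frequency between layers, is an assumption; the text says only that data and strategy are matched to each layer.

```python
import numpy as np


def init_mlp(n_in, hidden=(256, 128, 64), seed=0):
    """He-initialised weights for input -> three hidden layers -> one sigmoid unit."""
    rng = np.random.default_rng(seed)
    sizes = [n_in, *hidden, 1]
    return [[rng.normal(0.0, np.sqrt(2.0 / a), size=(a, b)), np.zeros(b)]
            for a, b in zip(sizes[:-1], sizes[1:])]


def forward(params, X):
    """Activations of every layer: ReLU in the hidden layers, sigmoid at the output."""
    acts = [X]
    for i, (W, b) in enumerate(params):
        z = acts[-1] @ W + b
        acts.append(np.maximum(z, 0.0) if i < len(params) - 1 else 1.0 / (1.0 + np.exp(-z)))
    return acts


def predict(params, X):
    """Attack behavior risk probability per sample."""
    return forward(params, X)[-1][:, 0]


def bce(p, y, pos_weight=1.0, eps=1e-7):
    p = np.clip(p, eps, 1.0 - eps)
    return float(-np.mean(pos_weight * y * np.log(p) + (1.0 - y) * np.log(1.0 - p)))


def train(params, X, y, epochs=200, lr=1e-3, pos_weight=1.0, b1=0.9, b2=0.999, eps=1e-8):
    """Full-batch Adam on binary cross-entropy (optionally weighting attack samples).
    Returns new parameters (the input list is left untouched) and the per-epoch loss."""
    params = [[W.copy(), b.copy()] for W, b in params]
    m = [[np.zeros_like(W), np.zeros_like(b)] for W, b in params]
    v = [[np.zeros_like(W), np.zeros_like(b)] for W, b in params]
    y = y.reshape(-1, 1).astype(float)
    history = []
    for t in range(1, epochs + 1):
        acts = forward(params, X)
        p = acts[-1]
        history.append(bce(p, y, pos_weight))
        # dL/dz at the sigmoid output for weighted BCE; equals (p - y)/N when pos_weight == 1
        delta = (p * (1.0 + (pos_weight - 1.0) * y) - pos_weight * y) / len(X)
        for i in reversed(range(len(params))):
            W = params[i][0]
            grads = (acts[i].T @ delta, delta.sum(axis=0))
            if i > 0:
                delta = (delta @ W.T) * (acts[i] > 0)  # ReLU derivative of the layer below
            for j, g in enumerate(grads):
                m[i][j] = b1 * m[i][j] + (1.0 - b1) * g
                v[i][j] = b2 * v[i][j] + (1.0 - b2) * g * g
                params[i][j] -= lr * (m[i][j] / (1.0 - b1 ** t)) / (np.sqrt(v[i][j] / (1.0 - b2 ** t)) + eps)
    return params, history


def build_multilevel_models(X, y, layer_of_sample, epochs_general=200, epochs_fine=100):
    """S41: train the initial model on the pooled general dataset, then fine-tune one
    copy per sensing layer on that layer's samples. The per-layer strategy assumed
    here is a positive-class weight offsetting the imbalance the page describes
    (attack samples are rare on stable nodes and common on newly added ones)."""
    initial, _ = train(init_mlp(X.shape[1]), X, y, epochs=epochs_general)
    models = {}
    for layer in sorted(set(layer_of_sample)):
        mask = layer_of_sample == layer
        n_pos = max(int(y[mask].sum()), 1)
        pos_weight = max((int(mask.sum()) - n_pos) / n_pos, 1.0)
        models[layer], _ = train(initial, X[mask], y[mask], epochs=epochs_fine, pos_weight=pos_weight)
    return initial, models


def constructed_dataset(n_per_layer=120, n_features=13, seed=1):
    """Constructed sample (not page data): attack samples have four elevated
    components; the attack share per layer follows paragraph [0047]."""
    rng = np.random.default_rng(seed)
    attack_share = {"stable": 0.05, "transition": 0.2, "new": 0.4}
    X, y, layers = [], [], []
    for layer, share in attack_share.items():
        n_atk = int(n_per_layer * share)
        feats = rng.normal(size=(n_per_layer, n_features))
        feats[:n_atk, :4] += 2.5
        X.append(feats)
        y.append(np.r_[np.ones(n_atk), np.zeros(n_per_layer - n_atk)])
        layers += [layer] * n_per_layer
    return np.vstack(X), np.concatenate(y), np.array(layers)


if __name__ == "__main__":
    X, y, layers = constructed_dataset()
    initial, models = build_multilevel_models(X, y, layers)
    for layer, params in models.items():
        mask = layers == layer
        acc = np.mean((predict(params, X[mask]) >= 0.5) == (y[mask] == 1))
        print(f"{layer:10s} samples={int(mask.sum()):3d} training accuracy={acc:.2f}")
```

The script prints training accuracy per layer; a real evaluation would use held-out samples from the same layer, and the stable layer's handful of attack samples (6 of 120 here) makes that model's estimate the noisiest of the three.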
[0049] Furthermore, the multi-level perception layer is communicatively connected to the node-level state transition model, and the method includes:
[0050] S51. The node-level state transition model is used to perform multi-dimensional offset feature vector time-series analysis on each sensing node of the current multi-level perception layer to obtain the level state transition instruction.
[0051] S52. Perform hierarchical transfer on the sensing nodes belonging to the multi-level sensing layer according to the level state transfer instruction, and update the multi-level sensing layer in real time.
[0052] In a preferred embodiment, the set of sensing nodes is divided into a stable node sensing layer, a transitional node sensing layer, and a newly added node sensing layer based on a newness index, and a corresponding multi-level attack behavior detection model is constructed for differentiated detection. However, the operating state of sensing nodes is not static. Over time, newly connected nodes gradually accumulate stable communication behavior patterns and improved security policy configurations during continuous operation, and their operating characteristics gradually converge towards those of stable nodes. Similarly, nodes that were originally operating stably may experience shifts in their operating characteristics due to system upgrades, business changes, or attacks, leading to an increase in their newness index. If the hierarchical division of sensing nodes remains unchanged, some nodes will use detection models that are incompatible with their current actual operating state for extended periods, affecting the accuracy of situational awareness. Therefore, a node-level state transition model is introduced to dynamically adjust the hierarchical affiliation of each sensing node in the multi-level sensing layer, enabling the division of the sensing layer to be updated in real time following changes in the node's operating state. The node-level state transition model is a rule-based time-series trend determination model independent of the multi-level attack behavior detection model. Its function is to continuously monitor the operational state changes of each sensing node in the multi-level perception layer and automatically generate a level transition command when a substantial change in the node's operational state is detected. 
This node-level state transition model maintains a communication connection with the multi-level perception layer, enabling it to acquire real-time updates of the multi-dimensional offset feature vectors of each sensing node in each perception layer. The model internally presets judgment rules such as the observation window length, the linear regression fitting strategy, and the trend change threshold. By performing trend analysis on the time series of the multi-dimensional offset feature vectors of each sensing node within the observation window, it automatically determines, according to the preset rules, whether each node needs to undergo a level transition and in which direction, and outputs the corresponding level state transition command.
[0053] First, the node-level state transition model continuously acquires the multidimensional offset feature vectors of each sensing node over multiple consecutive time periods, forming a time series sequence of multidimensional offset feature vectors for each node. An observation window is set for this time series sequence, with a length equal to the preset number of consecutive time periods. At the end of each observation window, the node-level state transition model performs trend analysis on the time series sequence of multidimensional offset feature vectors within that window. During trend analysis, firstly, a linear regression is performed on the comprehensive offset of the multidimensional offset feature vectors for each time period within the observation window. Based on the regression slope obtained, the offset trend of the node within the observation window is determined. A negative regression slope indicates a decreasing offset trend, meaning the node's operational characteristics are converging towards a stable baseline; a positive regression slope indicates an increasing offset trend, meaning the node's operational characteristics are deviating from a stable baseline. When the absolute value of the regression slope exceeds the preset trend change threshold, the node-level state transition model determines that the node's operating state has undergone a substantial change and generates a corresponding level state transition command accordingly. When the absolute value of the regression slope does not exceed the preset trend change threshold, it is considered a normal operating fluctuation and does not trigger a level transition, thus avoiding frequent jumps between different levels due to occasional feature fluctuations. 
The trend change threshold is a slope judgment threshold preset by the central control station security management personnel based on the actual network operating environment, used to distinguish between substantial changes in node offset characteristics and normal operating fluctuations. The setting of the trend change threshold needs to balance transition sensitivity and transition stability. A threshold that is too small will cause even slight operating fluctuations to trigger a level transition, leading to frequent jumps between different perception layers. A threshold that is too large will cause the node's operating state to have changed significantly but fail to trigger a level transition, causing the node to remain in a perception layer that does not match its current actual state for an extended period.
[0054] For a sensing node currently in the newly added node perception layer, if the regression slope within the observation window is negative and its absolute value exceeds the trend change threshold, the node's operational characteristics are continuously converging towards the stable baseline, and the node-level state transition model generates a level state transition instruction to transfer the node from the newly added node perception layer to the transition node perception layer. For a sensing node currently in the transition node perception layer, if the regression slope within the observation window is negative and its absolute value exceeds the trend change threshold, the node has essentially completed the transition from newly added to stable, and the model generates a level state transition instruction to transfer the node from the transition node perception layer to the stable node perception layer. Conversely, for a sensing node currently in the stable node perception layer, if the regression slope within the observation window is positive and its absolute value exceeds the trend change threshold, the node's operating state has deviated, and the model generates a level state transition instruction to transfer the node from the stable node perception layer to the transition node perception layer. For a sensing node currently in the transition node perception layer, if the regression slope within the observation window is positive and its absolute value exceeds the trend change threshold, the model generates a level state transition instruction to transfer the node from the transition node perception layer to the newly added node perception layer.
The hierarchical transfer above follows the principle of sequential transfer between adjacent levels: a sensing node can only move between two adjacent perception layers, and cross-level jumps are not allowed, which keeps the transfer process smooth and gradual. A node in the stable node perception layer whose trend is decreasing, or a node in the newly added node perception layer whose trend is increasing, has no adjacent layer in that direction and therefore remains in its current layer.
[0055] Subsequently, the hierarchical transfer of the sensing nodes belonging to the multi-level sensing layer is performed according to the level state transition instructions, and the multi-level sensing layer is updated in real time. Specifically, after the node-level state transition model generates a level state transition instruction, the hierarchical transfer operation is performed on the corresponding sensing node according to the instruction. The sensing node to be transferred is removed from its current sensing layer and incorporated into the target sensing layer specified by the instruction. At the same time, the attack behavior detection model applied to the node is updated: the transferred sensing node is no longer examined by the detection model of its original level but by the attack behavior detection model corresponding to the target level. Through this dynamic hierarchical transfer mechanism, the node composition of the multi-level sensing layer is updated in real time as the operating state of each sensing node evolves. This ensures that each sensing node is, at any given time, in a sensing layer that matches its current actual degree of newness and is examined by the attack behavior detection model corresponding to that level, so that the network security situational awareness of the central control station remains accurate and effective throughout the dynamic evolution of the sensing nodes.
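As an added example, not the patent's own code, the following Python models the node-level state transition rule of paragraphs [0053] to [0055]: a per-node buffer of comprehensive offsets, a least-squares slope over a non-overlapping observation window, a trend change threshold, transfers restricted to adjacent levels, and the membership update that switches the node's detection model. The comprehensive offset is taken as the mean absolute component of the multidimensional offset feature vector, the window length of 5 and the threshold of 0.1 are arbitrary, and the observations are constructed.

```python
from collections import defaultdict

# Adjacent order of the three sensing layers; transfers move one step only.
LEVELS = ("stable", "transition", "new")


def comprehensive_offset(offset_vector):
    """Scalar offset per period (assumed: mean |component| of the concatenated vector)."""
    return sum(abs(x) for x in offset_vector) / len(offset_vector)


def regression_slope(series):
    """Least-squares slope of the series against the period index 0..n-1."""
    n = len(series)
    x_mean = (n - 1) / 2.0
    y_mean = sum(series) / n
    num = sum((i - x_mean) * (y - y_mean) for i, y in enumerate(series))
    den = sum((i - x_mean) ** 2 for i in range(n))
    return num / den


def transition_target(level, series, threshold):
    """Paragraph [0054] rules: a decreasing trend moves one level toward 'stable',
    an increasing trend one level toward 'new'. |slope| <= threshold, or no
    adjacent level in that direction, means no transfer (None)."""
    slope = regression_slope(series)
    if abs(slope) <= threshold:
        return None
    idx = LEVELS.index(level) + (-1 if slope < 0 else 1)
    if idx < 0 or idx >= len(LEVELS):
        return None
    return LEVELS[idx]


class NodeLevelStateTransitionModel:
    """Buffers each node's comprehensive offset, evaluates at the end of every
    full observation window and then clears the buffer (windows do not overlap)."""

    def __init__(self, window_len, threshold):
        self.window_len = window_len
        self.threshold = threshold
        self.buffers = defaultdict(list)

    def observe(self, node, level, offset_vector):
        buf = self.buffers[node]
        buf.append(comprehensive_offset(offset_vector))
        if len(buf) < self.window_len:
            return None
        series = list(buf)
        buf.clear()
        return transition_target(level, series, self.threshold)


class MultiLevelSensingLayer:
    """Node membership per layer plus the detection model used for each layer."""

    def __init__(self, membership, detectors):
        self.membership = dict(membership)  # node -> level
        self.detectors = detectors          # level -> detection model (any object)

    def transfer(self, node, target):
        self.membership[node] = target

    def detector_for(self, node):
        return self.detectors[self.membership[node]]


def run_periods(layer, model, observations):
    """observations: (node, offset_vector) pairs in time order, one per node per period.
    Applies each instruction and returns the transfers as (node, from, to)."""
    transfers = []
    for node, vec in observations:
        level = layer.membership[node]
        target = model.observe(node, level, vec)
        if target is not None:
            layer.transfer(node, target)
            transfers.append((node, level, target))
    return transfers


def constructed_observations():
    """Constructed comprehensive-offset trajectories over five periods."""
    series = {
        "sens-91": [2.0, 1.7, 1.4, 1.1, 0.8],      # newly added node converging
        "rtu-01": [0.1, 0.4, 0.7, 1.0, 1.3],       # stable node drifting after a change
        "rtu-12": [1.0, 1.05, 0.95, 1.0, 1.02],    # ordinary fluctuation
    }
    return [(node, [s[t]] * 3) for t in range(5) for node, s in series.items()]


if __name__ == "__main__":
    layer = MultiLevelSensingLayer(
        {"sens-91": "new", "rtu-01": "stable", "rtu-12": "transition"},
        {lvl: f"{lvl}-detector" for lvl in LEVELS})
    model = NodeLevelStateTransitionModel(window_len=5, threshold=0.1)
    for node, src, dst in run_periods(layer, model, constructed_observations()):
        print(f"{node}: {src} -> {dst}, now examined by {layer.detector_for(node)}")
```

The threshold suppresses single-window noise but not oscillation: a node whose slope alternates around the threshold on successive windows can still bounce between two adjacent layers every window. A minimum dwell time per layer, or requiring two consecutive windows to agree, is the usual practitioner's addition on top of the rule as described.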
[0056] Furthermore, feature offset analysis is performed on the multidimensional feature vectors of each sensing node to obtain multidimensional offset feature vectors. The methods include:
[0057] S21. Perform historical operational stability assessment on the set of sensing nodes to filter the set of benchmark nodes, and extract the multi-dimensional benchmark feature vector corresponding to the set of benchmark nodes.
[0058] S22. Based on the multidimensional reference feature vector corresponding to the reference node set, perform feature offset analysis on the multidimensional feature vector of each sensing node to obtain a multidimensional offset feature vector, wherein the multidimensional offset feature vector includes a structural feature offset vector, a behavioral feature offset vector, and a safety feature offset vector.
[0059] In one specific implementation, firstly, a baseline node set is selected by evaluating the historical operational stability of the sensing node set, and the corresponding multidimensional baseline feature vector is extracted. Specifically, for each sensing node in the sensing node set, a quantitative evaluation of historical operational stability is performed from the dimensions of continuous runtime, feature temporal fluctuation, and historical security events. In the dimension of continuous runtime, the cumulative online runtime of the sensing node from its initial inclusion in the sensing node set to the current moment is calculated. A longer runtime indicates that the node has existed in the central control station network for a longer period, has been verified over more operational cycles, and has a more mature operational mode. In the dimension of feature temporal fluctuation, the multidimensional feature vectors extracted from the sensing node in each time period within the historical observation period are traced back, and the temporal fluctuation amplitude of each component of the structural, behavioral, and security features is calculated. This fluctuation amplitude is obtained by computing the standard deviation of each feature component across the historical time periods and then averaging the standard deviations of all components, giving the overall fluctuation amplitude of the node's multidimensional feature vector. A smaller fluctuation amplitude indicates that the node has kept its features consistent in every dimension during historical operation, and that its operational state is more stable. In terms of historical security events, the total number of security alarms triggered by the sensing node during its historical operation, the distribution of alarm types, and the highest alarm severity level are statistically analyzed.
Nodes with fewer historical security events and lower alarm severity levels indicate that they have not experienced significant security anomalies during historical operation, and their operational security has been verified over a long period. After completing the quantitative assessment of the above three dimensions, the stability of each sensing node is determined by combining the assessment results of the three dimensions. Sensing nodes that simultaneously meet the preset stability conditions are selected to form a baseline node set. The preset stability conditions are: the continuous operating time of the node is not less than the preset minimum operating time threshold, the overall fluctuation amplitude of the node's multi-dimensional feature vector does not exceed the preset fluctuation tolerance threshold, the cumulative frequency of security alarms triggered by the node during historical operation does not exceed the preset security event frequency threshold, and no security alarm events of a preset severity level or higher have occurred. These thresholds are configured by the central control station security management personnel according to the actual network operating environment and security control requirements.
[0060] Then, the multidimensional benchmark feature vectors corresponding to the benchmark node set are extracted. Specifically, the multidimensional feature vectors of each benchmark node in the benchmark node set are statistically aggregated along each feature dimension. The mean of each component of the structural features of all benchmark nodes is calculated to form the structural benchmark feature vector; the mean of each component of the behavioral features of all benchmark nodes is calculated to form the behavioral benchmark feature vector; and the mean of each component of the safety features of all benchmark nodes is calculated to form the safety benchmark feature vector. The structural benchmark feature vector, behavioral benchmark feature vector, and safety benchmark feature vector are concatenated to obtain the complete multidimensional benchmark feature vector. This multidimensional benchmark feature vector represents the feature level that a typical stable node in the centralized control station network should exhibit in the three dimensions of structure, behavior, and safety, serving as a reference baseline for subsequent feature offset analysis of each sensing node.
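An added Python example, not code from the patent, of the benchmark node selection in S21 and the baseline aggregation of paragraph [0060]: four constructed node records are screened against the four preset stability conditions, and the component means of the surviving nodes form the baseline per dimension. The population standard deviation, the use of each node's latest feature vector for aggregation, and all thresholds, node names and values are assumptions.

```python
import statistics

DIMENSIONS = ("structural", "behavioral", "security")


def fluctuation_amplitude(history):
    """history: per-period feature dicts, oldest first. Standard deviation of each
    component across the periods (population std, an assumption), averaged over
    all components of all three dimensions."""
    stds = []
    for d in DIMENSIONS:
        for k in range(len(history[0][d])):
            stds.append(statistics.pstdev([period[d][k] for period in history]))
    return sum(stds) / len(stds)


def is_stable(record, thresholds):
    """All four preset stability conditions of paragraph [0059] must hold."""
    return (record["runtime_hours"] >= thresholds["min_runtime_hours"]
            and fluctuation_amplitude(record["history"]) <= thresholds["fluctuation_tolerance"]
            and record["alarm_count"] <= thresholds["max_alarms"]
            and record["max_alarm_severity"] < thresholds["severity_threshold"])


def select_benchmark_nodes(nodes, thresholds):
    return sorted(n for n, rec in nodes.items() if is_stable(rec, thresholds))


def benchmark_feature_vector(nodes, benchmark_ids):
    """Component-wise mean of each benchmark node's latest feature vector, per
    dimension; concatenating the three lists gives the full baseline vector."""
    baseline = {}
    for d in DIMENSIONS:
        vecs = [nodes[n]["history"][-1][d] for n in benchmark_ids]
        baseline[d] = [sum(col) / len(col) for col in zip(*vecs)]
    return baseline


def _constant(structural, behavioral, security, periods=3):
    """Constructed history with identical features in every period."""
    return [{"structural": list(structural), "behavioral": list(behavioral),
             "security": list(security)} for _ in range(periods)]


# Constructed node records (not page data). Component order per dimension:
#   structural: degree, hierarchy depth, open ports
#   behavioral: bytes per minute, protocol entropy, requests per minute
#   security:   alarms per day, authentication failure rate, policy coverage
NODES = {
    "rtu-01": {"runtime_hours": 4000, "alarm_count": 2, "max_alarm_severity": 2,
               "history": _constant([4, 2, 6], [1200, 2.1, 30], [0.5, 0.02, 0.9])},
    "rtu-02": {"runtime_hours": 3600, "alarm_count": 3, "max_alarm_severity": 2,
               "history": _constant([6, 2, 8], [1400, 2.3, 34], [0.7, 0.04, 0.8])},
    "hmi-07": {"runtime_hours": 5000, "alarm_count": 12, "max_alarm_severity": 4,
               "history": _constant([8, 1, 12], [5000, 2.9, 120], [2.0, 0.1, 0.6])},
    "sens-91": {"runtime_hours": 40, "alarm_count": 1, "max_alarm_severity": 1,
                "history": [
                    {"structural": [3, 3, 5], "behavioral": [900, 1.5, 20], "security": [0.2, 0.0, 0.3]},
                    {"structural": [7, 3, 9], "behavioral": [2600, 3.2, 70], "security": [1.5, 0.1, 0.4]},
                    {"structural": [9, 3, 14], "behavioral": [3000, 3.4, 90], "security": [3.0, 0.2, 0.4]},
                ]},
}
# Assumed thresholds, the kind the page says security personnel configure.
THRESHOLDS = {"min_runtime_hours": 720, "fluctuation_tolerance": 0.5,
              "max_alarms": 5, "severity_threshold": 3}

if __name__ == "__main__":
    benchmark = select_benchmark_nodes(NODES, THRESHOLDS)
    print("benchmark node set:", benchmark)
    for d, vec in benchmark_feature_vector(NODES, benchmark).items():
        print(f"{d:10s} baseline = {[round(x, 3) for x in vec]}")
```

Only rtu-01 and rtu-02 survive: hmi-07 fails on alarm count and severity despite its long runtime, and sens-91 on runtime and fluctuation. Because the baseline is the mean of whatever passes, a single long-lived node with unusual but alarm-free features pulls it, and every other node's offsets shift with it; screening the benchmark set for outliers, or using a median instead of the mean, limits what one such node can do.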
[0061] Next, based on the multidimensional baseline feature vector of the baseline node set, feature offset analysis is performed on the multidimensional feature vector of each sensing node to obtain its multidimensional offset feature vector. Specifically, for each sensing node in the sensing node set, the deviation ratio between its multidimensional feature vector and the multidimensional baseline feature vector is calculated component by component within each feature dimension, giving the offset vector of that dimension. The deviation ratio of a component is the difference between the sensing node's component value and the corresponding baseline component value, divided by the baseline component value. (A baseline component equal to zero leaves the ratio undefined and has to be handled separately, for example with a small floor.) Expressing each offset as a proportion of the baseline removes the incomparability caused by different units and numerical ranges among feature components. In the structural feature dimension, the deviation ratio of each component of the sensing node's structural features against the corresponding component of the structural baseline feature vector yields the structural feature offset vector. Its components reflect how far the node deviates from stable nodes in network topology terms, such as node degree, node hierarchy depth, port openness, and network segment node density; the larger the absolute value of a deviation ratio, the more the node's network connectivity differs from that of stable nodes.
In the behavioral feature dimension, the deviation ratio of each component of the sensing node's behavioral features against the corresponding component of the behavioral baseline feature vector yields the behavioral feature offset vector. Its components reflect how far the node deviates from stable nodes in communication behavior, such as traffic statistics, protocol distribution entropy, request frequency timing characteristics, session establishment and termination frequency, and access target diversity; the larger the absolute value, the more the node's communication behavior differs from that of stable nodes. In the security feature dimension, the deviation ratio of each component of the sensing node's security features against the corresponding component of the security baseline feature vector yields the security feature offset vector. Its components reflect how far the node deviates from stable nodes in security protection status, such as alarm triggering characteristics, vulnerability risk characteristics, authentication failure rate, security policy coverage, and the proportion of abnormal access events; the larger the absolute value, the more the node's security control status differs from that of stable nodes. The structural, behavioral, and security feature offset vectors are concatenated to form the multidimensional offset feature vector of the sensing node.
[0062] In this way, each sensing node in the sensing node set obtains a multidimensional offset feature vector made up of its structural, behavioral, and security feature offset vectors. This quantifies the deviation of each node from the stable baseline in the three dimensions of network topology, communication behavior pattern, and security protection status, and supports the subsequent calculation of each node's newness index.
[0063] Furthermore, the method for calculating the degree of newness index of each sensing node according to the multidimensional offset feature vector includes:
[0064] S31. Perform offset nonlinear enhancement processing on the multidimensional offset feature vector to obtain the processed multidimensional offset feature vector.
[0065] S32. Configure multidimensional offset weights by analyzing the historical attack distribution of the sensing nodes;
[0066] S33. Perform weighted calculation on the processed multidimensional offset feature vector according to the multidimensional offset weight to obtain the degree of newness index of each sensing node.
[0067] In a preferred embodiment, the deviation ratio of each component of a sensing node's multidimensional offset feature vector directly reflects how far that node deviates from the stable baseline in the corresponding feature dimension. However, the raw deviation ratio is a linear measure, so the gap between nodes with low-to-medium offsets and nodes with high offsets is not pronounced enough. In a real centralized control station network, nodes with small offsets are usually within the normal operating fluctuation range and need little attention, while nodes with large offsets are likely newly connected devices, newly launched services, or compromised nodes, and need close monitoring. Offset nonlinear enhancement processing is therefore applied to the multidimensional offset feature vector: a nonlinear mapping widens the gap between high- and low-offset components and raises sensitivity to abnormal change. Specifically, a nonlinear mapping function is applied to the deviation ratio of every component. For example, the exponential mapping f(d) = exp(d) - 1 is used, where d is the deviation ratio of a component, exp(d) is the exponential of d with the natural constant e as the base, and f(d) is the enhanced offset of that component. When d is small, f(d) is close to d and the offset stays essentially at its original level; when d is large, f(d) is much larger than d and the offset is strongly amplified, so high-offset components are pulled well apart from low-offset ones. Note that this mapping amplifies only positive ratios: for a component below the baseline (d < 0), exp(d) - 1 lies between -1 and 0 and is compressed rather than amplified, so where deviations in both directions are to be amplified the mapping is applied to |d| and the sign restored afterwards.
The mapping is applied to every component of the structural, behavioral, and security feature offset vectors, and the transformed components are recombined into the processed multidimensional offset feature vector. Compared with the original, the processed vector retains the direction of each component's offset while being more sensitive to high-offset nodes, so that the newness index computed from it reflects abnormal deviation from the stable baseline more sharply.
[0068] After the nonlinear enhancement, differentiated weights are assigned to the offset components of each dimension in the processed multidimensional offset feature vector. The structural, behavioral, and security feature offsets do not contribute equally to a node's newness index. In different attack scenarios, attack behavior shows up more strongly in one dimension than in the others: some attacks manifest mainly as abnormal communication behavior, in which case the behavioral feature offset is the better indicator of node security risk, while others exploit weaknesses in security policy configuration, in which case the security feature offset is more indicative. Each dimension is therefore given a weight matching the strength of its correlation with attack behavior, derived from the historical attack distribution of the sensing nodes; the result is the multidimensional offset weight, which gives the dimensions most indicative of attack behavior the larger share of the newness index. Specifically, the weights are configured from an analysis of the central control station's historical attack distribution, i.e. the pattern of offsets that attack behavior produced in the structural, behavioral, and security feature dimensions when historical attack events occurred, or in other words, in which feature dimension attack behavior is most likely to cause a significant offset. First, the historical attack event records of the central control station are analyzed. For each historical attack event, the multidimensional offset feature vector of the affected sensing node at the time of the event is traced back. The average deviation ratio of the components of its structural, behavioral, and security feature offset vectors at that time is taken as the event's offset contribution in each of the three dimensions. The offset contributions of all historical attack events are then summed per dimension, giving the cumulative offset contribution of the structural, behavioral, and security dimensions. Finally, the three cumulative contributions are normalized by dividing each by their sum, yielding the structural, behavioral, and security feature offset weights, which add up to 1 and together constitute the multidimensional offset weight. A feature dimension with a higher offset contribution in historical attack events thus receives a larger weight, so the multidimensional offset weight objectively reflects the strength of the correlation between each dimension's offsets and attack behavior. For example, in the historical attack statistics of a certain central control station, the cumulative offset contribution of the behavioral feature dimension at the time of attacks is the highest, the security feature dimension is second, and the structural feature dimension is the lowest. After normalization, the structural feature offset weight is 0.2, the behavioral feature offset weight is 0.5, and the security feature offset weight is 0.3. This indicates that in this station's historical attack scenarios, attacks manifested mostly through abnormal communication patterns such as traffic surges, frequent use of unconventional protocols, and drastic changes in access targets, so the behavioral feature offset received the highest weight; attackers also tended to use nodes with inadequate security policy configuration as entry points, so the security feature offset received the second-highest weight; and structural features changed relatively little during attacks, so the structural feature offset received the lowest weight. This weight configuration is only an example; each control station calculates its own multidimensional offset weight from the actual distribution of its historical attack events, and different stations may arrive at different allocations because of differences in network architecture, service type, and threat characteristics.
[0069] Next, the processed multidimensional offset feature vector is weighted by the multidimensional offset weight to obtain the newness index of each sensing node. Specifically, for each sensing node in the sensing node set, the mean of all components of its processed structural feature offset vector is calculated to obtain the node's comprehensive structural dimension offset; the mean of all components of its processed behavioral feature offset vector gives the comprehensive behavioral dimension offset; and the mean of all components of its processed security feature offset vector gives the comprehensive security dimension offset. Each comprehensive dimension offset is then multiplied by the corresponding feature offset weight, and the three products are summed into a scalar, which is the node's newness index: Newness Index = Structural Feature Offset Weight × Comprehensive Structural Dimension Offset + Behavioral Feature Offset Weight × Comprehensive Behavioral Dimension Offset + Security Feature Offset Weight × Comprehensive Security Dimension Offset.
[0070] Through the above steps, the multidimensional offset information of each sensing node is compressed, after nonlinear enhancement, differentiated weight configuration, and weighted synthesis, into a scalar newness index. The index jointly accounts for the node's deviation from the stable baseline in the structural, behavioral, and security dimensions; the nonlinear enhancement raises sensitivity to high-offset anomalous nodes, and the historical attack distribution weights give the dimensions most closely related to attack behavior the larger contribution. The newness index therefore quantifies the newness of each sensing node accurately and provides a reliable quantitative basis for the subsequent hierarchical classification of the sensing node set and the construction of differentiated attack behavior detection models.
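As an added example that is not part of the patent, the following Python carries the procedure of paragraphs [0060] to [0069] through end to end on constructed data: baseline means per dimension, component-wise deviation ratios, the exp(d) - 1 enhancement, weights derived from constructed historical attack events, and the weighted newness index. The node names, feature values, two-component dimensions, the floor used when a baseline component is zero, and the use of absolute deviation ratios when accumulating historical offset contributions are assumptions of this example, not details given by the patent.

```python
import math

DIMS = ("structural", "behavioral", "security")

# Constructed data (not from the patent). Each node holds one feature vector per
# dimension; the two components per dimension are illustrative only, e.g.
# structural = [node degree, hierarchy depth], behavioral = [traffic volume,
# request frequency], security = [authentication failure rate, policy coverage].
BASELINE_NODES = {
    "b1": {"structural": [4.0, 2.0], "behavioral": [100.0, 2.0], "security": [0.25, 0.5]},
    "b2": {"structural": [6.0, 2.0], "behavioral": [140.0, 2.0], "security": [0.75, 0.5]},
}
SENSING_NODES = {
    "settled_node": {"structural": [5.0, 2.0], "behavioral": [120.0, 2.0], "security": [0.5, 0.5]},
    "new_node": {"structural": [10.0, 2.0], "behavioral": [360.0, 3.0], "security": [1.5, 0.25]},
}
# Constructed historical attack events: the multidimensional offset vector of the
# affected sensing node at the time of each event.
HISTORICAL_EVENTS = [
    {"structural": [0.2, 0.2], "behavioral": [0.8, 0.2], "security": [0.6, 0.0]},
    {"structural": [0.3, 0.1], "behavioral": [0.5, 0.5], "security": [0.3, -0.3]},
]


def baseline_vector(nodes):
    """Component-wise mean over the baseline node set, kept per dimension."""
    base = {}
    for dim in DIMS:
        vecs = [node[dim] for node in nodes.values()]
        base[dim] = [sum(col) / len(vecs) for col in zip(*vecs)]
    return base


def offset_vector(node, base, floor=1e-6):
    """Deviation ratio (x - b) / b per component. A baseline component of zero
    makes the ratio undefined; the patent does not cover that case, so this
    example (an assumption) divides by a small floor instead."""
    return {dim: [(x - b) / (b if abs(b) > floor else floor)
                  for x, b in zip(node[dim], base[dim])] for dim in DIMS}


def enhance(d):
    """Offset nonlinear enhancement f(d) = exp(d) - 1. It only amplifies
    positive ratios: for d < 0 the result lies in (-1, 0) and is compressed."""
    return math.exp(d) - 1.0


def offset_weights(events):
    """Multidimensional offset weights: the mean deviation ratio per dimension of
    each event is summed over events and normalized to sum to 1. Taking absolute
    ratios (so offsets above and below the baseline cannot cancel) is an
    assumption of this example."""
    cumulative = {dim: 0.0 for dim in DIMS}
    for event in events:
        for dim in DIMS:
            cumulative[dim] += sum(abs(d) for d in event[dim]) / len(event[dim])
    total = sum(cumulative.values())
    return {dim: cumulative[dim] / total for dim in DIMS}


def newness_index(offsets, weights):
    """Weighted sum over dimensions of the mean enhanced offset of that dimension."""
    return sum(weights[dim] * sum(enhance(d) for d in offsets[dim]) / len(offsets[dim])
               for dim in DIMS)


def score_nodes(sensing_nodes, baseline_nodes, events):
    """Full pipeline: baseline -> offsets -> enhancement -> weights -> index per node."""
    base = baseline_vector(baseline_nodes)
    weights = offset_weights(events)
    return {name: newness_index(offset_vector(node, base), weights)
            for name, node in sensing_nodes.items()}


if __name__ == "__main__":
    scores = score_nodes(SENSING_NODES, BASELINE_NODES, HISTORICAL_EVENTS)
    for name, score in sorted(scores.items()):
        print(f"{name}: newness index = {score:.3f}")
```

With the constructed events the weights come out as 0.2 / 0.5 / 0.3, matching the worked figures in paragraph [0068]; the settled node scores exactly 0 and the new node scores about 2.83, which is what the layer thresholds in the following steps would act on.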
[0071] Furthermore, the initial attack behavior detection model is differentially trained for the stable node perception layer, the transition node perception layer, and the newly added node perception layer. The method includes:
[0072] S411. Construct a corresponding multi-level training dataset based on the historical attack behavior events of the multi-level perception layer. The multi-level training dataset includes a stable node training dataset composed of labeled attack samples and normal samples, a transition node training dataset composed of labeled attack samples and normal samples, and a newly added node training dataset composed of labeled attack samples and normal samples.
[0073] S412. Align the stable node training dataset, the transition node training dataset, and the newly added node training dataset in the attack behavior feature space to obtain a multi-level aligned training dataset.
[0074] S413. Train the initial attack behavior detection model differentially according to the multi-level aligned training dataset to obtain the corresponding multi-level attack behavior detection model.
[0075] In a preferred embodiment, the prerequisite for differential model training is a training dataset for each perception layer that matches the attack behavior characteristics of that layer. Because the sensing nodes in the three perception layers differ significantly in newness index, their historical attack events differ statistically in attack frequency, attack type distribution, and the ratio of normal to attack samples. A dedicated training dataset is therefore constructed for each perception layer so that each dataset accurately reflects the attack behavior distribution of the sensing nodes in that layer. Specifically, when constructing the multi-level training dataset, the historical operation data of the central control station is first partitioned according to the perception layer each sensing node belonged to in each historical time period. The multidimensional feature vectors of sensing nodes in the stable node perception layer in a given period, together with their attack behavior annotation records, go into the stable node historical data; the corresponding data of sensing nodes in the transition node perception layer go into the transition node historical data; and the corresponding data of sensing nodes in the newly added node perception layer go into the newly added node historical data. Training samples are then constructed and labeled for each of the three kinds of historical data: for each record, the multidimensional feature vector of the sensing node in that time period is the sample feature, and whether the node experienced an attack event in that period is the sample label. A node with an attack event yields an attack sample and a node without one yields a normal sample. These form the stable node training dataset, the transition node training dataset, and the newly added node training dataset respectively.
[0076] The three training datasets differ markedly in data distribution, reflecting the different attack behavior patterns of each perception layer. In the stable node training dataset, the nodes of the stable node perception layer have run stably for a long time with sound security management configurations and are rarely attacked, so attack samples form a small proportion of the data, normal samples dominate, and the normal samples have high confidence. Over time, attack events are sparsely distributed across statistical periods in a low-frequency, long-term stable pattern, and attack types are relatively concentrated, mostly targeting known vulnerabilities. In the transition node training dataset, the nodes of the transition node perception layer are moving from the newly added state to the stable state, their operational characteristics are still converging, and attack events occur at a moderate frequency. Over time, the attack frequency fluctuates noticeably, higher in some periods and lower in others, with a downward trend as the node's operational state converges. Attack types are more diverse than in the stable node dataset, covering attacks on known vulnerabilities as well as probing attacks that exploit incomplete node configurations. In the newly added node training dataset, the nodes of the newly added node perception layer have only recently joined the central control station network, their security policy configurations are not yet complete, and their communication behavior patterns are not yet stable, so they are more exposed to attack. Attack samples therefore make up a markedly larger proportion of this dataset than of the other two. Attack types are the most diverse, covering port scanning, brute-force attacks, protocol vulnerability exploitation, unauthorized access, and other methods, and attack frequency is high, with multiple attack events densely clustered within short periods. These three training datasets together constitute the multi-level training dataset and provide the data foundation for the subsequent feature space alignment and differential model training.
[0077] Then, the stable node training dataset, transition node training dataset, and newly added node training dataset are aligned in attack behavior feature space to obtain a multi-level aligned training dataset. Since the stable node training dataset, transition node training dataset, and newly added node training dataset originate from historical data of different perception layers, there are significant differences in the frequency of attack behavior occurrence, the distribution of attack types, and the fluctuation characteristics of attack behavior over time in each dataset. If these original datasets are directly used to train the initial attack behavior detection model, the models trained at different levels may have inconsistencies in the expression space of attack behavior features, leading to deviations in the judgment criteria for the same type of attack behavior by each level of detection model. Therefore, before training the differentiated model, the attack behavior feature space of the three training datasets is aligned, ensuring that the three datasets have a unified reference framework in the feature representation of attack behavior. This ensures that the model differences generated by subsequent differentiated training stem only from the different distribution characteristics of attack behavior at each level, rather than deviations caused by inconsistencies in the feature space.
[0078] After the attack behavior feature space has been aligned, the initial attack behavior detection model is differentially trained on the aligned stable node, transition node, and newly added node training datasets. Differential training means training the initial attack behavior detection model separately for each perception layer, according to the distribution characteristics of attack behavior in that layer, with a training mechanism matched to the layer's features, so that each trained model adapts to the attack behavior patterns of the sensing nodes in its perception layer. Differential training yields the stable node attack behavior detection model, the transition node attack behavior detection model, and the newly added node attack behavior detection model, which together form the multi-level attack behavior detection model corresponding to the multi-level perception layers.
[0079] Furthermore, the stable node training dataset, the transition node training dataset, and the newly added node training dataset are aligned in the attack behavior feature space, which includes the frequency of attack behavior occurrence, the distribution of attack types, and the fluctuation characteristics of attack time.
[0080] In a preferred embodiment, the stable node training dataset, the transition node training dataset, and the newly added node training dataset are derived from the historical data of different perception layers, and the sensing nodes of different perception layers differ significantly in attack frequency, attack type distribution, and attack time fluctuation characteristics. Attack behavior feature space alignment calibrates each training dataset uniformly across these three dimensions so that the datasets share a comparable reference framework for representing attack behavior features. This removes the feature space bias that the large differences in attack behavior distribution across perception layers would otherwise introduce into the subsequent differentiated training.
[0081] The attack behavior feature space consists of three dimensions: attack behavior frequency, attack type distribution, and attack time fluctuation characteristics. Attack behavior frequency refers to the ratio of attack samples to the total number of samples in each training dataset, reflecting the density of attack events in the corresponding perception layer. The attack behavior frequency is low in the stable node training dataset, moderate in the transition node training dataset, and high in the newly added node training dataset. Without alignment, the significant differences in attack behavior frequency will lead to a severe imbalance in the learning emphasis on attack samples among different levels of models during training. The stable node model will have insufficient ability to identify attack behaviors due to too few attack samples, while the newly added node model will have an increased misclassification rate for normal behaviors due to an excessive proportion of attack samples. The alignment method for the attack behavior frequency dimension is to uniformly adjust the ratio of attack samples to normal samples in the three training datasets by oversampling the dataset with fewer attack samples or undersampling the dataset with more attack samples, so that the ratio of attack samples to normal samples in the three datasets is adjusted to the same preset range. After adjustments, the three datasets have a comparable sample distribution in terms of the frequency of attack behavior, and each level of model can learn the attack behavior characteristics of its own level under similar sample ratios during training.
[0082] Attack type distribution refers to the set of attack types covered by the attack samples in each training dataset and the proportion of each type. The attack types in the stable node training dataset are relatively concentrated, mainly a few targeted attacks on known vulnerabilities; those in the transition node training dataset are more diverse, including both targeted and probing attacks; and those in the newly added node training dataset are the most diverse, covering port scanning, brute-force attacks, protocol vulnerability exploitation, unauthorized access, and other methods. Without alignment, these differences in coverage would leave the model levels with inconsistent attack type recognition ranges: the stable node model, for instance, might recognize only a few attack types and detect the others poorly. The alignment method for the attack type distribution dimension is as follows. First, a unified attack type coding system is established for the central control station, and all historical attack events are encoded and labeled according to a single attack type classification standard, so that the three datasets label attack types consistently. Then, attack types missing from a dataset are supplemented: if a dataset has no samples of a certain attack type, samples of that type are drawn from the other datasets as supplementary samples, so that the three datasets cover the same set of attack types. The number of supplementary samples is controlled as a proportion of the dataset's overall attack sample count, so that too many samples from other levels do not distort its distribution. After adjustment, the three datasets cover the same attack types and each model level can learn the feature representation of every attack type; they differ only in the proportion of each type.
[0083] Attack temporal fluctuation characteristics refer to how strongly the distribution of attack events in each training dataset fluctuates over time, i.e. how attack density changes across statistical periods. In the stable node training dataset, attack events are spread fairly evenly across periods with small fluctuations. In the transition node training dataset, the temporal distribution fluctuates strongly, with dense attacks in some periods and relative calm in others. In the newly added node training dataset, attack events tend to burst in the initial stage after a node joins and then gradually decline, giving a markedly uneven temporal distribution. Without alignment, these differences would give the model levels inconsistent benchmarks for learning attack temporal patterns and make their judgments of time-related attacks inconsistent. The alignment method for the attack temporal fluctuation dimension is as follows: the samples of each training dataset are grouped by time period; the variance of the number of attack samples per period is calculated for each dataset as its temporal fluctuation index; the index is normalized so that the indices of the three datasets are mapped onto a uniform numerical range; and the normalized index is appended as an additional feature dimension to the feature vector of every training sample in that dataset. After adjustment, the training samples of all three datasets carry standardized attack time fluctuation information, so each model level learns the temporal pattern of attack behavior at its own level within a unified temporal fluctuation feature representation.
[0084] After feature space alignment in the above three dimensions, the stable node training dataset, the transition node training dataset, and the newly added node training dataset share a unified reference framework in attack frequency, attack type distribution, and attack time fluctuation characteristics. The result is the multi-level aligned training dataset, which provides a reliable, feature-space-consistent data foundation for the subsequent differential model training.
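The three alignment steps of paragraphs [0081] to [0083], applied to constructed datasets, as an added example that is not part of the patent. The sample record layout, the attack type names, the number of statistical periods, min-max normalization of the fluctuation index, stratified undersampling, and the choice to align attack type coverage before the attack:normal ratio (so that borrowed samples cannot disturb the ratio that is set next) are assumptions of this example; the patent lists the frequency step first and does not fix these details.

```python
from collections import defaultdict

N_PERIODS = 4  # statistical periods in the constructed history


def make_dataset(n_normal, attacks):
    """Constructed sample records (not from the patent): the feature vector of a
    sensing node in one period, its label (1 = attack event, 0 = normal), the
    attack type name (None for normal samples) and the period index."""
    samples = [{"features": [1.0, 0.0], "label": 0, "attack_type": None,
                "period": i % N_PERIODS} for i in range(n_normal)]
    samples += [{"features": [5.0, 1.0], "label": 1, "attack_type": t, "period": p}
                for t, p in attacks]
    return samples


DATASETS = {
    "stable": make_dataset(20, [("known_vuln", 0), ("known_vuln", 2)]),
    "transition": make_dataset(12, [("known_vuln", 0), ("probe", 0), ("probe", 1),
                                    ("known_vuln", 3)]),
    "new": make_dataset(12, [("port_scan", 0), ("port_scan", 0), ("brute_force", 0),
                             ("probe", 1), ("unauth_access", 1), ("known_vuln", 2)]),
}


def _copy(sample, **extra):
    out = dict(sample, features=list(sample["features"]))  # never share feature lists
    out.update(extra)
    return out


def unified_type_codes(datasets):
    """Unified attack type coding system: one integer code per attack type name."""
    names = sorted({s["attack_type"] for d in datasets.values() for s in d if s["label"] == 1})
    return {name: code for code, name in enumerate(names)}


def align_attack_types(datasets, codes, supplement_fraction=0.1):
    """Label attack samples with their code and borrow a few samples of each
    missing type from the other datasets (a fraction of the dataset's own
    attack count per type, at least one)."""
    aligned = {}
    for name, data in datasets.items():
        present = {s["attack_type"] for s in data if s["label"] == 1}
        per_type = max(1, int(supplement_fraction * sum(s["label"] for s in data)))
        out = [_copy(s, attack_code=codes.get(s["attack_type"])) for s in data]
        for atype in codes:
            if atype in present:
                continue
            donors = [s for other, d in datasets.items() if other != name
                      for s in d if s["attack_type"] == atype][:per_type]
            out += [_copy(s, attack_code=codes[atype]) for s in donors]
        aligned[name] = out
    return aligned


def _stratified_undersample(attacks, k):
    """Drop attack samples round-robin across types so no type disappears."""
    groups = defaultdict(list)
    for s in attacks:
        groups[s["attack_type"]].append(s)
    queues, kept = [groups[t] for t in sorted(groups)], []
    while len(kept) < k and any(queues):
        for q in queues:
            if q and len(kept) < k:
                kept.append(q.pop(0))
    return kept


def align_attack_frequency(datasets, target_ratio=0.5):
    """Bring attack:normal to the target ratio: cyclic oversampling of attacks
    when there are too few, stratified undersampling when there are too many."""
    aligned = {}
    for name, data in datasets.items():
        normals = [s for s in data if s["label"] == 0]
        attacks = [s for s in data if s["label"] == 1]
        if not normals or not attacks:
            raise ValueError(f"{name}: both classes are required to adjust the ratio")
        wanted = max(1, round(target_ratio * len(normals)))
        if len(attacks) < wanted:
            attacks = [attacks[i % len(attacks)] for i in range(wanted)]
        elif len(attacks) > wanted:
            attacks = _stratified_undersample(attacks, wanted)
        aligned[name] = [_copy(s) for s in normals + attacks]
    return aligned


def attack_count_variance(data):
    """Temporal fluctuation index: variance of the per-period attack counts."""
    counts = [0] * N_PERIODS
    for s in data:
        if s["label"] == 1:
            counts[s["period"] % N_PERIODS] += 1
    mean = sum(counts) / N_PERIODS
    return sum((c - mean) ** 2 for c in counts) / N_PERIODS


def align_temporal_fluctuation(datasets):
    """Min-max normalize the index across datasets and append it as a feature."""
    raw = {name: attack_count_variance(d) for name, d in datasets.items()}
    lo, hi = min(raw.values()), max(raw.values())
    norm = {name: 0.0 if hi == lo else (v - lo) / (hi - lo) for name, v in raw.items()}
    return ({name: [_copy(s, features=s["features"] + [norm[name]]) for s in d]
             for name, d in datasets.items()}, norm)


def align_training_datasets(datasets, target_ratio=0.5):
    codes = unified_type_codes(datasets)
    by_type = align_attack_types(datasets, codes)          # coverage first
    by_freq = align_attack_frequency(by_type, target_ratio)  # then the ratio
    aligned, fluct = align_temporal_fluctuation(by_freq)     # then the time feature
    return aligned, codes, fluct


def attack_ratio(data):
    return sum(s["label"] for s in data) / sum(1 - s["label"] for s in data)


def covered_types(data):
    return {s["attack_type"] for s in data if s["label"] == 1}
```

Oversampling by replication, as here, keeps the replicas' period indices, so the fluctuation index is computed after resampling; the stable dataset, which starts with only two attack samples, ends up with the highest fluctuation index once its borrowed and replicated attacks are counted per period, which is why the index is carried as an explicit feature rather than inferred by the model.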
[0085] Furthermore, the initial attack behavior detection model is trained using differentiated models based on the multi-level aligned training dataset, the method including:
[0086] S4131. According to the stable node training dataset, a low-frequency steady-state constraint mechanism is introduced to train the initial attack behavior detection model to obtain the stable node attack behavior detection model.
[0087] S4132. According to the transition node training dataset, introduce a distribution fluctuation adaptive mechanism to train the initial attack behavior detection model to obtain the transition node attack behavior detection model.
[0088] S4133. Based on the newly added node training dataset, a high-frequency sensitivity enhancement mechanism is introduced to train the initial attack behavior detection model to obtain the newly added node attack behavior detection model.
[0089] In a preferred embodiment, firstly, a low-frequency steady-state constraint mechanism is introduced to train the initial attack behavior detection model based on the stable node training dataset, resulting in a stable node attack behavior detection model. The sensing nodes in the stable node perception layer have been running stably for a long time, and their attack behavior occurs at a low frequency. Normally functioning samples dominate the data, and the distribution of attack events over time is relatively sparse. In this low-frequency attack scenario, the main risk faced by the detection model is not missed attacks, but rather misjudging slight fluctuations in normal behavior as attack behavior, i.e., a high false positive rate. Therefore, training on the stable node training dataset requires the introduction of a low-frequency steady-state constraint mechanism. The core objective is to suppress the model's oversensitivity to fluctuations in normal behavior and reduce the false positive rate while maintaining basic attack behavior recognition capabilities. Specifically, the low-frequency steady-state constraint mechanism adjusts the initial attack behavior detection model during training in the following ways: First, a false positive penalty term is introduced into the loss function. A penalty weight for false positive samples is added to the original binary cross-entropy loss function of the initial attack behavior detection model. When the model misclassifies a normal sample as an attack sample, the loss value caused by this misclassification is amplified by a penalty coefficient greater than 1. This causes the model to incur a greater optimization cost for false positives during training, thus driving the model to be more conservative in adjusting the decision boundary and reducing false positives for normal behavior. 
The specific value of the penalty coefficient is set based on the ratio of normal samples to attack samples in the stable node training dataset; the higher the proportion of normal samples, the larger the penalty coefficient. Second, a feature fluctuation tolerance threshold is introduced. A feature fluctuation tolerance threshold is set in the model's decision logic. When the deviation between the multidimensional feature vector of the input sample and the historical feature mean of the node is within the tolerance threshold range, even if the attack risk probability value output by the model exceeds the general decision threshold, it is not judged as an attack behavior, but rather as a reasonable fluctuation under normal operating conditions. The feature fluctuation tolerance threshold is set based on the statistical analysis of the feature fluctuation amplitude of normal samples in the stable node training dataset, taking the preset quantile of the distribution of the feature fluctuation amplitude of normal samples as the tolerance threshold to ensure that the vast majority of normal fluctuations fall within the tolerance range. Third, a conservative decision threshold strategy is adopted. The attack detection threshold for the stable node attack behavior detection model is set higher than the default threshold of the initial attack behavior detection model. This means the model's output attack risk probability value needs to reach a higher level before being considered as having an attack. By increasing the threshold, the model adopts a more cautious decision-making strategy when facing stable nodes, triggering an attack only when the attack features are very significant, further reducing the false positive rate. 
Using the aligned stable node training dataset, the initial attack behavior detection model is trained under the aforementioned low-frequency steady-state constraint mechanism until the loss function converges, thus obtaining the stable node attack behavior detection model. While inheriting the initial model's basic ability to identify all attack types, this model, through the low-frequency steady-state constraint mechanism, can effectively suppress false alarms in stable node scenarios with low-frequency attacks and a high proportion of normal samples.
[0090] Simultaneously, based on the transition node training dataset, an adaptive distribution fluctuation mechanism is introduced to train the initial attack behavior detection model, resulting in the transition node attack behavior detection model. The perception nodes in the transition node perception layer are transitioning from a newly added state to a stable state. Their attack behavior frequency is at a moderate level, and the distribution of attack behavior fluctuates significantly over time, with higher attack frequencies in some time periods and lower frequencies in others. In this scenario of fluctuating distribution, the main challenge for the detection model lies in the constantly changing statistical characteristics of attack behavior. If the model can only adapt to a fixed attack distribution pattern, the detection accuracy will decrease when the attack distribution fluctuates. Therefore, training the transition node training dataset requires introducing an adaptive distribution fluctuation mechanism. The core objective is to enable the model to perceive the temporal changes in attack behavior distribution and dynamically adjust its judgment strategy, maintaining stable detection performance in scenarios with fluctuating distribution. Specifically, the adaptive distribution fluctuation mechanism adjusts the initial attack behavior detection model during training in the following ways: First, a time window segmentation training strategy is introduced. The transition node training dataset is divided into multiple time window subsets according to time periods, with each time window subset containing training samples from several consecutive statistical periods. During training, subsets are fed into the model sequentially according to the time window sequence. This allows the model to gradually encounter data with constantly changing attack distributions over time, rather than receiving all data at once for mixed training. 
By training in segments within time windows, the model can perceive the fluctuations in attack behavior distribution over time and gradually learn the ability to identify attacks under different distribution conditions. Second, a distribution consistency regularization term is introduced into the loss function. During training within each time window, the difference between the model's predicted distribution of attack and normal samples within the current time window and the predicted distribution within the previous time window is calculated and added as a regularization term to the loss function. When the difference in predicted distribution between adjacent time windows is too large, the regularization term generates a large loss value, constraining the model from drastic parameter adjustments due to sudden changes in data distribution within a single time window. This avoids drastic fluctuations in the decision strategy during distribution fluctuations, maintaining the continuity and stability of the decision logic. Third, a dynamic decision threshold adjustment mechanism is introduced. After model training is complete, the attack decision threshold of the transition node attack behavior detection model is not a fixed value but is dynamically adjusted based on the changing trend of attack behavior frequency over several recent statistical periods. When the frequency of recent attacks shows an upward trend, the decision threshold should be appropriately lowered to improve detection sensitivity; when the frequency of recent attacks shows a downward trend, the decision threshold should be appropriately raised to reduce false alarms. 
By dynamically adjusting the decision threshold, the model can adapt its detection strategy to the fluctuation trend of the attack distribution during actual detection. Using the aligned transition node training dataset, the initial attack behavior detection model is trained under the constraints of the aforementioned adaptive distribution fluctuation mechanism until the loss function converges, resulting in the transition node attack behavior detection model. This model inherits the initial model's basic ability to identify all attack types and, through the adaptive distribution fluctuation mechanism, can adaptively adjust its detection strategy in transition node scenarios where the attack behavior distribution fluctuates over time.
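The following is an added worked example, not code from the patent or its assignee, showing the three parts of the adaptive distribution fluctuation mechanism of paragraph [0090] as plain-Python helpers: time-window segmentation of the training set, a distribution consistency regularizer between adjacent windows, and a decision threshold that follows the recent attack-frequency trend. The patent fixes none of the concrete formulas, so the following are assumptions: the regularizer is lam * (rate_t - rate_{t-1})^2 on the predicted attack rate of consecutive windows, the trend is the least-squares slope of recent attack counts divided by their mean and clamped to [-1, 1], and the threshold moves by a fixed step per unit of trend and is clamped to [lo, hi]. All sample data is constructed.

```python
# Added example (not from the patent): adaptive distribution fluctuation
# mechanism for the transition node layer. Formulas below are assumptions:
#   consistency penalty = lam * (rate_t - rate_{t-1})^2
#   trend = normalized least-squares slope of recent attack counts, in [-1, 1]
#   threshold = clamp(base - step * trend, lo, hi)
from typing import Dict, List, Optional, Sequence, Tuple

Sample = Tuple[int, float, int]  # (statistical period, model score, label: 1 = attack)


def split_time_windows(samples: Sequence[Sample], periods_per_window: int) -> List[List[Sample]]:
    """Group samples into consecutive windows of `periods_per_window` periods,
    ordered by period, so the model is fed one window after another."""
    ordered = sorted(samples, key=lambda s: s[0])
    if not ordered:
        return []
    first_period = ordered[0][0]
    buckets: Dict[int, List[Sample]] = {}
    for s in ordered:
        buckets.setdefault((s[0] - first_period) // periods_per_window, []).append(s)
    return [buckets[k] for k in sorted(buckets)]


def predicted_attack_rate(scores: Sequence[float], threshold: float = 0.5) -> float:
    """Share of samples the model would flag as attacks at `threshold`."""
    return sum(1 for p in scores if p >= threshold) / len(scores)


def consistency_penalty(prev_rate: float, curr_rate: float, lam: float = 1.0) -> float:
    """Distribution consistency term: grows with the jump in predicted attack
    rate between the previous window and the current one."""
    return lam * (curr_rate - prev_rate) ** 2


def regularized_window_losses(window_scores: Sequence[Sequence[float]],
                              base_losses: Sequence[float],
                              lam: float = 1.0, threshold: float = 0.5) -> List[float]:
    """Loss per window when windows are trained in sequence: the window's own
    base loss plus the consistency penalty against the preceding window."""
    losses: List[float] = []
    prev: Optional[float] = None
    for scores, base in zip(window_scores, base_losses):
        rate = predicted_attack_rate(scores, threshold)
        penalty = 0.0 if prev is None else consistency_penalty(prev, rate, lam)
        losses.append(base + penalty)
        prev = rate
    return losses


def frequency_trend(attack_counts: Sequence[int]) -> float:
    """Normalized least-squares slope of attack counts over recent periods:
    positive when attacks are rising, negative when falling, clamped to [-1, 1]."""
    n = len(attack_counts)
    mean_y = sum(attack_counts) / n if n else 0.0
    if n < 2 or mean_y == 0:
        return 0.0
    mean_x = (n - 1) / 2
    cov = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(attack_counts))
    var = sum((x - mean_x) ** 2 for x in range(n))
    return max(-1.0, min(1.0, cov / var / mean_y))


def dynamic_threshold(base: float, attack_counts: Sequence[int],
                      step: float = 0.1, lo: float = 0.2, hi: float = 0.8) -> float:
    """Lower the attack threshold when recent attack frequency trends up (more
    sensitive) and raise it when the trend is down (fewer false alarms)."""
    return max(lo, min(hi, base - step * frequency_trend(attack_counts)))


if __name__ == "__main__":
    # Constructed data: six statistical periods, two periods per window.
    samples = [(1, 0.1, 0), (2, 0.9, 1), (3, 0.2, 0), (4, 0.8, 1), (5, 0.3, 0), (6, 0.7, 1)]
    print(len(split_time_windows(samples, periods_per_window=2)), "windows")
    print(regularized_window_losses([[0.9, 0.1, 0.2, 0.8], [0.9, 0.9, 0.9, 0.1]], [0.3, 0.3]))
    print(dynamic_threshold(0.5, [1, 2, 3, 4, 5]), dynamic_threshold(0.5, [5, 4, 3, 2, 1]))
```

The clamps matter in practice: without `lo`/`hi` a long run of rising counts would drive the threshold toward zero and turn the transition model into an alarm generator, which is the opposite of the stability the regularizer is meant to preserve. A squared-difference penalty on the flagged rate is the simplest consistency term; a divergence between score histograms of adjacent windows is a stronger alternative with the same role.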
[0091] Furthermore, based on the newly added node training dataset, a high-frequency sensitivity enhancement mechanism is introduced to train the initial attack behavior detection model, resulting in the new node attack behavior detection model. The sensing nodes in the new node perception layer have only recently connected to the central control station network; their security policy configurations are not yet complete, and their communication behavior patterns are not yet stable, making them highly susceptible to attacks. These attacks are diverse in type and frequent, potentially resulting in a dense distribution of multiple different types of attack events within a short period. In this scenario of high-frequency and diverse attacks, the main risk faced by the detection model is missed detections. This means that due to the diversity and rapid changes in attack types, the model may fail to adequately identify certain uncommon attack types or novel attack patterns, leading to omissions. Therefore, training the new node training dataset requires the introduction of a high-frequency sensitivity enhancement mechanism. The core objective is to improve the model's sensitivity to various attack behaviors, especially low-frequency attack types and abnormal patterns, minimizing missed detections. Specifically, the high-frequency sensitivity enhancement mechanism adjusts the initial attack behavior detection model during training in the following ways: First, a missed detection penalty term is introduced into the loss function. Based on the original binary cross-entropy loss function of the initial attack behavior detection model, a penalty weight for missed samples is added. When the model misclassifies an attack sample as a normal sample, the loss value caused by this misclassification is amplified by a penalty coefficient greater than 1. 
This causes the model to incur a greater optimization cost for missed detections during training, driving the model to be more proactive in adjusting the decision boundary and improving the detection rate of attack behaviors. The specific value of the penalty coefficient is set according to the diversity of attack samples in the training dataset of newly added nodes; the more diverse the attack types, the larger the penalty coefficient. Second, oversampling enhancement for low-frequency attack types is introduced. Oversampling enhancement is performed on attack type samples that appear less frequently in the training dataset of newly added nodes, increasing the frequency of these low-frequency attack type samples in the training data. This gives the model more opportunities to learn the feature patterns of low-frequency attack types during training, avoiding weak recognition ability of certain attack types due to insufficient sample quantity. The oversampling factor is determined based on the ratio of the number of samples of each attack type to the average number of samples of each attack type in the dataset; the smaller the sample quantity of an attack type, the larger the oversampling factor. Third, an aggressive decision threshold strategy is adopted. The attack detection threshold for the new node attack behavior detection model is set lower than the default threshold when the model is initialized. This means that the attack risk probability value output by the model only needs to reach a relatively low level to trigger an attack detection. By lowering the threshold, the model adopts a more proactive detection strategy when facing new nodes, prioritizing reporting suspected attacks rather than letting them slip through, thus minimizing the risk of missed detections. 
Although this strategy may slightly increase the false positive rate, for new nodes with incomplete security controls the risk of a missed detection far outweighs the cost of a false positive. Using the aligned new node training dataset, the initial attack behavior detection model is trained under the constraints of the aforementioned high-frequency sensitivity enhancement mechanism until the loss function converges, resulting in the new node attack behavior detection model. This model inherits the initial model's basic ability to identify all attack types, and the high-frequency sensitivity enhancement mechanism enables it to minimize missed detections in new node scenarios with high-frequency and diverse attacks.
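The low-frequency steady-state constraint of paragraph [0089] and the high-frequency sensitivity enhancement of paragraph [0091] are mirror images of one cost-sensitive training scheme, so the following added example, which is not code from the patent or its assignee, implements both in one place: a binary cross-entropy whose false-positive and missed-detection terms are amplified by separate coefficients, the derivation of those coefficients, the feature fluctuation tolerance as a percentile of normal-sample deviation, oversampling of rare attack types, and the conservative versus aggressive decision rule. The patent leaves the concrete formulas open, so these are assumptions: the false-positive coefficient is max(1, normals/attacks), the missed-detection coefficient is 1 + log2(number of distinct attack types), the tolerance is the 95th percentile of normal deviations, the thresholds are 0.5 (initial), 0.7 (stable layer) and 0.3 (new-node layer), and oversampling replicates a rare type up to the per-type average count. All sample data is constructed.

```python
# Added example (not from the patent): cost-sensitive loss shaping and decision
# logic for the stable-node layer ([0089]) and the new-node layer ([0091]).
# Coefficient formulas, percentile and threshold values are assumptions.
import math
import statistics
from collections import Counter
from typing import Dict, List, Optional, Sequence, Tuple

INITIAL_THRESHOLD = 0.5   # default threshold of the initial model
STABLE_THRESHOLD = 0.7    # conservative: only very significant attack features fire
NEW_NODE_THRESHOLD = 0.3  # aggressive: report suspected attacks rather than miss them


def penalty_weighted_bce(y_true: Sequence[int], y_prob: Sequence[float],
                         fp_coeff: float = 1.0, fn_coeff: float = 1.0,
                         decision: float = INITIAL_THRESHOLD, eps: float = 1e-12) -> float:
    """Binary cross-entropy in which the loss of a normal sample misclassified
    as attack (false positive at `decision`) is amplified by fp_coeff and that
    of an attack sample misclassified as normal (missed detection) by fn_coeff;
    correctly classified samples keep their ordinary loss."""
    total = 0.0
    for y, p in zip(y_true, y_prob):
        p = min(max(p, eps), 1.0 - eps)
        if y == 1:
            total += -math.log(p) * (fn_coeff if p < decision else 1.0)
        else:
            total += -math.log(1.0 - p) * (fp_coeff if p >= decision else 1.0)
    return total / len(y_true)


def false_positive_coeff(n_normal: int, n_attack: int) -> float:
    """Stable layer: the larger the share of normal samples, the larger the penalty."""
    return max(1.0, n_normal / max(n_attack, 1))


def missed_detection_coeff(attack_types: Sequence[str]) -> float:
    """New-node layer: the more distinct attack types, the larger the penalty."""
    return 1.0 + math.log2(max(len(set(attack_types)), 1))


def fluctuation_tolerance(normal_deviations: Sequence[float], percentile: int = 95) -> float:
    """Tolerance threshold = preset percentile of the normal samples' deviation
    from the node's historical feature mean (inclusive interpolation)."""
    cuts = statistics.quantiles(normal_deviations, n=100, method="inclusive")
    return cuts[percentile - 1]


def oversampling_factors(attack_types: Sequence[str]) -> Dict[str, float]:
    """Factor per attack type: average count / own count for under-represented
    types, 1.0 for the rest."""
    counts = Counter(attack_types)
    avg = len(attack_types) / len(counts)
    return {t: max(1.0, avg / c) for t, c in counts.items()}


def oversample(attack_samples: Sequence[Tuple[str, Sequence[float]]]) -> List[Tuple[str, Sequence[float]]]:
    """Replicate rare-type samples so every type reaches roughly the average count."""
    factors = oversampling_factors([t for t, _ in attack_samples])
    grown: List[Tuple[str, Sequence[float]]] = []
    for t, x in attack_samples:
        grown.extend([(t, x)] * int(round(factors[t])))
    return grown


def decide(prob: float, threshold: float, deviation: Optional[float] = None,
           tolerance: Optional[float] = None) -> bool:
    """Attack decision. When a tolerance is given (stable layer), a sample whose
    feature deviation lies within it is treated as normal fluctuation even if
    the model score exceeds the threshold."""
    if tolerance is not None and deviation is not None and deviation <= tolerance:
        return False
    return prob >= threshold


if __name__ == "__main__":
    # Constructed data: 9 000 normal / 1 000 attack samples on the stable layer,
    # four attack types on the new-node layer, ten normal-sample deviations.
    print("fp coeff:", false_positive_coeff(9000, 1000))
    print("fn coeff:", missed_detection_coeff(["scan", "brute", "inject", "dos"]))
    tol = fluctuation_tolerance([0.02, 0.05, 0.03, 0.10, 0.04, 0.06, 0.08, 0.07, 0.09, 0.01])
    print("tolerance:", tol, "gated:", decide(0.75, STABLE_THRESHOLD, 0.05, tol))
    print("weighted loss:", penalty_weighted_bce([0, 0, 1, 1], [0.9, 0.1, 0.9, 0.1], fp_coeff=3.0))
```

Two points a practitioner should keep in mind. Amplifying only the misclassified samples, as the patent describes, makes the loss discontinuous at the decision boundary; the standard smooth alternative is to weight the whole class term (all normals by fp_coeff, all attacks by fn_coeff), which has the same effect on the decision boundary and is what most frameworks expose as class weights. Second, the tolerance gate in `decide` is a blind spot by construction: an attacker who keeps every feature inside the historical fluctuation band of a stable node is not flagged by that layer at all, so the band must be derived from a clean baseline and re-validated when the node's historical mean is refreshed.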
[0092] Through the above steps, based on the attack behavior characteristics of the stable node perception layer, the transition node perception layer, and the newly added node perception layer, a low-frequency steady-state constraint mechanism, a distribution fluctuation adaptive mechanism, and a high-frequency sensitivity enhancement mechanism are introduced to differentiate the initial attack behavior detection model, resulting in stable node attack behavior detection models, transition node attack behavior detection models, and newly added node attack behavior detection models. The three models share the same network architecture and basic recognition capability for all attack types. The differences lie in their respective optimized detection strategies for different attack behavior distribution characteristics: the stable node model focuses on suppressing false positives, the transition node model focuses on adapting to distribution fluctuations, and the newly added node model focuses on reducing false negatives, thus enabling nodes at each level to obtain detection services that match their attack behavior characteristics.
[0093] Furthermore, by analyzing the degree of newness index, the set of sensing nodes is classified into multiple levels to obtain a multi-level sensing layer. The method includes:
[0094] Specifically, perception nodes with a value less than the first newness index threshold are classified as stable node perception layers, perception nodes with a value greater than or equal to the first newness index threshold and less than or equal to the second newness index threshold are classified as transition node perception layers, and perception nodes with a value greater than the second newness index threshold are classified as new node perception layers.
[0095] In a preferred embodiment, the degree of newness index of each sensing node in the acquired sensing node set is comprehensively reflected in the form of a scalar value, reflecting the degree of deviation of each node from the stable baseline. To divide the sensing node set into a stable node sensing layer, a transition node sensing layer, and a new node sensing layer, two hierarchical thresholds need to be set: a first degree of newness index threshold and a second degree of newness index threshold, wherein the first degree of newness index threshold is less than the second degree of newness index threshold.
[0096] Specifically, sensing nodes with a newness index lower than the first newness index threshold are classified as stable node sensing layers. These nodes have a low newness index, indicating that their deviation from the stable benchmark in terms of structure, behavior, and security is small, and their operation is approaching maturity and stability. Sensing nodes with a newness index greater than or equal to the first newness index threshold and less than or equal to the second newness index threshold are classified as transitional node sensing layers. These nodes have an intermediate newness index, indicating that their operation characteristics deviate from the stable benchmark to some extent but have not yet reached a significant level, and they are in the transitional stage from a new state to a stable state. Sensing nodes with a newness index greater than the second newness index threshold are classified as new node sensing layers. These nodes have a high newness index, indicating that their operation characteristics differ significantly from the stable benchmark, and they are newly connected or their operation is not yet stable.
[0097] The first and second newness index thresholds are set based on the statistical distribution of the newness index of each sensing node in the historical operation data of the central control station. Specifically, the distribution of the newness index of all sensing nodes during the historical operation of the central control station is analyzed statistically. The newness index values are sorted in numerical order; the value at a preset low percentile is taken as the first threshold and the value at a preset high percentile as the second threshold. For example, taking the 30th percentile of the newness index distribution as the first threshold and the 70th percentile as the second threshold ensures that approximately 30% of the nodes in the historical data are classified into the stable node sensing layer, approximately 40% into the transition node sensing layer, and approximately 30% into the new node sensing layer. The specific percentiles are configured by the security management personnel of the central control station according to the proportional distribution of the various node types in the actual network environment and the security control requirements; different central control stations can adjust the classification ratio according to their own dynamic node expansion situation.
[0098] Through the above-mentioned hierarchical method, each sensing node in the sensing node set is classified into the corresponding sensing level according to its degree of newness index, forming a three-level sensing layer structure of stable node sensing layer, transitional node sensing layer and newly added node sensing layer. This provides a clear node classification for subsequent use of the attack behavior detection model of the corresponding level for differentiated detection.
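The threshold derivation of paragraph [0097] and the three-way classification of paragraphs [0094] and [0096], as an added worked example that is not code from the patent or its assignee. Assumptions: percentiles are taken with the inclusive (linear interpolation) method of Python's standard library, and the node identifiers and index values are constructed.

```python
# Added example (not from the patent): newness-index thresholds from historical
# percentiles and classification into the three sensing layers. The inclusive
# interpolation method and all sample values are assumptions.
import statistics
from collections import Counter
from typing import Dict, Sequence, Tuple

STABLE, TRANSITION, NEW = "stable", "transition", "new"


def layer_thresholds(historical_index: Sequence[float],
                     low_pct: int = 30, high_pct: int = 70) -> Tuple[float, float]:
    """First and second newness-index thresholds = the low and high percentiles
    of the historical index distribution; the first is always below the second."""
    if not 0 < low_pct < high_pct < 100:
        raise ValueError("need 0 < low_pct < high_pct < 100")
    cuts = statistics.quantiles(historical_index, n=100, method="inclusive")
    return cuts[low_pct - 1], cuts[high_pct - 1]


def classify_layer(index: float, t1: float, t2: float) -> str:
    """index < t1 -> stable; t1 <= index <= t2 -> transition; index > t2 -> new."""
    if index < t1:
        return STABLE
    if index <= t2:
        return TRANSITION
    return NEW


def build_layers(node_index: Dict[str, float], t1: float, t2: float) -> Dict[str, str]:
    """Map every node identifier to its sensing layer."""
    return {node: classify_layer(v, t1, t2) for node, v in node_index.items()}


def layer_shares(layers: Dict[str, str]) -> Dict[str, float]:
    """Fraction of nodes in each layer, for checking the split against the
    configured percentiles."""
    counts = Counter(layers.values())
    n = len(layers)
    return {layer: counts.get(layer, 0) / n for layer in (STABLE, TRANSITION, NEW)}


if __name__ == "__main__":
    # Constructed historical newness indices for ten nodes.
    hist = [0.05, 0.10, 0.15, 0.20, 0.25, 0.30, 0.35, 0.40, 0.45, 0.50]
    t1, t2 = layer_thresholds(hist)
    layers = build_layers({f"node{i}": v for i, v in enumerate(hist)}, t1, t2)
    print("thresholds:", t1, t2)
    print("shares:", layer_shares(layers))
```

The 30/40/30 split holds only for the historical distribution the thresholds were cut from. Because the thresholds are then fixed, a burst of newly commissioned nodes lands almost entirely in the new-node layer on live data, which is the intended behaviour; `layer_shares` on the live set is the check that tells the operator when the thresholds should be re-derived.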
[0099] Embodiment 2: as shown in Figure 2, based on the same inventive concept as the centralized control station network security situation awareness method provided in Embodiment 1, this embodiment of the invention also provides a centralized control station network security situation awareness system, including:
[0100] The multi-dimensional feature extraction module 11 is used to obtain the multi-source operation dataset corresponding to each sensing node in the set of sensing nodes of the central control station, and extract the multi-dimensional feature vector of each sensing node according to the multi-source operation dataset. The multi-dimensional feature vector includes structural features, behavioral features and security features.
[0101] The feature offset analysis module 12 is used to perform feature offset analysis on the multidimensional feature vectors of each sensing node to obtain multidimensional offset feature vectors.
[0102] The index calculation module 13 is used to calculate the degree of newness index of each sensing node according to the multidimensional offset feature vector.
[0103] The hierarchical detection module 14 is used to classify the set of sensing nodes by analyzing the degree of newness index to obtain a multi-level sensing layer, construct a multi-level attack behavior detection model corresponding to the multi-level sensing layer, and call the multi-level attack behavior detection model to perform attack behavior risk detection of the sensing nodes to which each level of sensing layer belongs.
[0104] Furthermore, the multi-level perception layer includes at least a stable node perception layer, a transition node perception layer, and a newly added node perception layer; the execution steps of the hierarchical detection module 14 include:
[0105] Define an initial attack behavior detection model, and train a differentiated model based on the stable node perception layer, the transition node perception layer, and the newly added node perception layer to obtain the corresponding multi-level attack behavior detection model.
[0106] Furthermore, the multi-level perception layer is communicatively connected to the node-level state transition model; the execution steps of the hierarchical detection module 14 also include:
[0107] The node-level state transition model is used to perform multi-dimensional offset feature vector time-series analysis on each sensing node of the current multi-level perception layer to obtain the level state transition instruction.
[0108] According to the level state transition instruction, the sensing nodes belonging to the multi-level sensing layer are transferred hierarchically, and the multi-level sensing layer is updated in real time.
[0109] Furthermore, the execution steps of the feature offset analysis module 12 include:
[0110] The set of sensing nodes is evaluated for historical operational stability to select a set of benchmark nodes, and the multidimensional benchmark feature vector corresponding to the set of benchmark nodes is extracted.
[0111] Based on the multidimensional baseline feature vector corresponding to the set of baseline nodes, feature offset analysis is performed on the multidimensional feature vector of each sensing node to obtain a multidimensional offset feature vector, wherein the multidimensional offset feature vector includes a structural feature offset vector, a behavioral feature offset vector, and a safety feature offset vector.
[0112] Furthermore, the execution steps of the index calculation module 13 include:
[0113] The multidimensional offset feature vector is subjected to offset nonlinear enhancement processing to obtain the processed multidimensional offset feature vector.
[0114] Multidimensional offset weights are configured by analyzing the historical attack distribution weights of each sensing node.
[0115] The processed multidimensional offset feature vector is weighted according to the multidimensional offset weight to obtain the newness index of each sensing node.
[0116] Furthermore, the execution steps of the grading detection module 14 also include:
[0117] Based on the historical attack events of the multi-level perception layer, a corresponding multi-level training dataset is constructed. The multi-level training dataset includes a stable node training dataset composed of labeled attack samples and normal samples, a transition node training dataset composed of labeled attack samples and normal samples, and a new node training dataset composed of labeled attack samples and normal samples.
[0118] The stable node training dataset, the transition node training dataset, and the newly added node training dataset are aligned in the attack behavior feature space to obtain a multi-level aligned training dataset.
[0119] The initial attack behavior detection model is trained using the multi-level aligned training dataset to obtain the corresponding multi-level attack behavior detection model.
[0120] Furthermore, the execution steps of the grading detection module 14 also include:
[0121] The stable node training dataset, the transition node training dataset, and the newly added node training dataset are aligned in the attack behavior feature space, which includes the frequency of attack behavior, the distribution of attack types, and the fluctuation characteristics of attack time.
[0122] Furthermore, the execution steps of the grading detection module 14 also include:
[0123] Based on the stable node training dataset, a low-frequency steady-state constraint mechanism is introduced to train the initial attack behavior detection model, thereby obtaining the stable node attack behavior detection model.
[0124] Based on the aforementioned transition node training dataset, an adaptive distribution fluctuation mechanism is introduced to train the initial attack behavior detection model, thereby obtaining the transition node attack behavior detection model.
[0125] Based on the newly added node training dataset, a high-frequency sensitivity enhancement mechanism is introduced to train the initial attack behavior detection model, thereby obtaining the newly added node attack behavior detection model.
[0126] Furthermore, the execution steps of the grading detection module 14 also include:
[0127] Specifically, perception nodes with a value less than the first newness index threshold are classified as stable node perception layers, perception nodes with a value greater than or equal to the first newness index threshold and less than or equal to the second newness index threshold are classified as transition node perception layers, and perception nodes with a value greater than the second newness index threshold are classified as new node perception layers.
[0128] It should be noted that the descriptions of each embodiment in the above embodiments have different focuses. For parts that are not described in detail in a certain embodiment, please refer to the relevant descriptions in other embodiments.
[0129] Those skilled in the art will understand that embodiments of the present invention can be provided as methods, systems, or computer program products. Therefore, the present invention can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention can take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
[0130] This invention is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowcharts and/or block diagrams, and combinations of flows and/or blocks therein, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing apparatus produce a device for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
[0131] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
[0132] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment so that a series of operational steps is performed on the computer or other programmable equipment to produce a computer-implemented process, such that the instructions executed on the computer or other programmable equipment provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
[0133] Although preferred embodiments of the invention have been described, those skilled in the art, once they have learned the basic inventive concept, can make other changes and modifications to these embodiments.
[0134] Obviously, those skilled in the art can make various modifications and variations to this invention without departing from its spirit and scope. Therefore, if these modifications and variations fall within the scope of this invention and its equivalents, this invention also intends to include these modifications and variations.
Claims
1. A method for network security situation awareness at a centralized control station, characterized in that the method includes: obtaining the multi-source operational dataset corresponding to each sensing node in the set of sensing nodes of the central control station, and extracting the multi-dimensional feature vector of each sensing node based on the multi-source operational dataset, wherein the multi-dimensional feature vector includes structural features, behavioral features and security features; performing feature offset analysis on the multidimensional feature vector of each sensing node to obtain a multidimensional offset feature vector; calculating the degree of newness index of each sensing node based on the multidimensional offset feature vector; classifying the set of sensing nodes into multiple levels by analyzing the degree of newness index, resulting in a multi-level sensing layer; and constructing a multi-level attack behavior detection model corresponding to the multi-level sensing layer, and calling the multi-level attack behavior detection model to perform attack behavior risk detection on the sensing nodes belonging to each level of the sensing layer.
2. The network security situation awareness method for centralized control stations as described in claim 1, characterized in that, Construct a multi-level attack behavior detection model corresponding to the multi-level perception layer, wherein the multi-level perception layer includes at least a stable node perception layer, a transition node perception layer, and a newly added node perception layer. Define an initial attack behavior detection model, and train a differentiated model based on the stable node perception layer, the transition node perception layer, and the newly added node perception layer to obtain the corresponding multi-level attack behavior detection model.
3. The network security situation awareness method for centralized control stations as described in claim 2, characterized in that, The multi-level perception layer is communicatively connected to the node-level state transition model, and the method includes: The node-level state transition model is used to perform multi-dimensional offset feature vector time-series analysis on each sensing node of the current multi-level perception layer to obtain the level state transition instruction. According to the level state transition instruction, the sensing nodes belonging to the multi-level sensing layer are transferred hierarchically, and the multi-level sensing layer is updated in real time.
4. The network security situation awareness method for centralized control stations as described in claim 1, characterized in that, Feature offset analysis is performed on the multidimensional feature vectors of each sensing node to obtain multidimensional offset feature vectors. The methods include: The set of sensing nodes is evaluated for historical operational stability to select a set of benchmark nodes, and the multidimensional benchmark feature vector corresponding to the set of benchmark nodes is extracted. Based on the multidimensional baseline feature vector corresponding to the set of baseline nodes, feature offset analysis is performed on the multidimensional feature vector of each sensing node to obtain a multidimensional offset feature vector, wherein the multidimensional offset feature vector includes a structural feature offset vector, a behavioral feature offset vector, and a safety feature offset vector.
5. The network security situation awareness method for centralized control stations as described in claim 4, characterized in that, The method for calculating the degree of newness index of each sensing node based on the multidimensional offset feature vector includes: The multidimensional offset feature vector is subjected to offset nonlinear enhancement processing to obtain the processed multidimensional offset feature vector. Multidimensional offset weights are configured by analyzing the historical attack distribution weights of each sensing node. The processed multidimensional offset feature vector is weighted according to the multidimensional offset weight to obtain the newness index of each sensing node.
6. The network security situation awareness method for centralized control stations as described in claim 2, characterized in that training the initial attack behavior detection model in a differentiated manner based on the stable node sensing layer, the transition node sensing layer, and the newly added node sensing layer includes: constructing a corresponding multi-level training dataset based on the historical attack events of the multi-level sensing layer, where the multi-level training dataset includes a stable node training dataset, a transition node training dataset, and a newly added node training dataset, each composed of labeled attack samples and normal samples; aligning the stable node training dataset, the transition node training dataset, and the newly added node training dataset in the attack behavior feature space to obtain a multi-level aligned training dataset; and training the initial attack behavior detection model in a differentiated manner using the multi-level aligned training dataset to obtain the corresponding multi-level attack behavior detection model.
7. The network security situation awareness method for centralized control stations as described in claim 6, characterized in that the attack behavior feature space in which the stable node training dataset, the transition node training dataset, and the newly added node training dataset are aligned includes the frequency of attack behavior, the distribution of attack types, and the fluctuation characteristics of attack time.
8. The network security situation awareness method for centralized control stations as described in claim 6, characterized in that training the initial attack behavior detection model in a differentiated manner using the multi-level aligned training dataset includes: based on the stable node training dataset, introducing a low-frequency steady-state constraint mechanism to train the initial attack behavior detection model, thereby obtaining the stable node attack behavior detection model; based on the transition node training dataset, introducing an adaptive distribution fluctuation mechanism to train the initial attack behavior detection model, thereby obtaining the transition node attack behavior detection model; and based on the newly added node training dataset, introducing a high-frequency sensitivity enhancement mechanism to train the initial attack behavior detection model, thereby obtaining the newly added node attack behavior detection model.
9. The network security situation awareness method for centralized control stations as described in claim 1, characterized in that classifying the set of sensing nodes into multiple levels by analyzing the degree of newness index to obtain a multi-level sensing layer includes: classifying sensing nodes whose degree of newness index is less than a first newness index threshold into the stable node sensing layer, sensing nodes whose degree of newness index is greater than or equal to the first newness index threshold and less than or equal to a second newness index threshold into the transition node sensing layer, and sensing nodes whose degree of newness index is greater than the second newness index threshold into the newly added node sensing layer.
10. A network security situation awareness system for a centralized control station, characterized in that the system is used to implement the centralized control station network security situation awareness method as described in any one of claims 1 to 9, the system comprising: a multi-dimensional feature extraction module, used to obtain the multi-source operation dataset corresponding to each sensing node in the set of sensing nodes of the centralized control station and to extract the multi-dimensional feature vector of each sensing node from the multi-source operation dataset, the multi-dimensional feature vector including structural features, behavioral features and security features; a feature offset analysis module, used to perform feature offset analysis on the multi-dimensional feature vector of each sensing node to obtain a multi-dimensional offset feature vector; an index calculation module, used to calculate the degree of newness index of each sensing node from the multi-dimensional offset feature vector; and a hierarchical detection module, used to classify the set of sensing nodes by analyzing the degree of newness index to obtain a multi-level sensing layer, construct a multi-level attack behavior detection model corresponding to the multi-level sensing layer, and call the multi-level attack behavior detection model to perform attack behavior risk detection on the sensing nodes belonging to each level of the sensing layer.
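The following Python sketch is an added illustration of the pipeline in claims 8 to 10 (feature offset, newness index, threshold classification into three sensing layers, layer-specific detection); it is not code from the patent or its assignee. The offset definition (element-wise difference from a per-node baseline), the index formula (mean absolute offset), the threshold values, and the z-score bounds standing in for the three differentiated detection models are all assumptions, since the claims name the mechanisms but not their formulas.

```python
from statistics import mean
# Thresholds from claim 9; the numeric values are constructed for this illustration.
NEWNESS_T1 = 0.15
NEWNESS_T2 = 0.45

def feature_offset(current, baseline):
    """Element-wise offset of a node's feature vector from its baseline (assumed form)."""
    return [c - b for c, b in zip(current, baseline)]

def newness_index(offset):
    """Degree-of-newness index: mean absolute offset across dimensions (assumed form)."""
    return mean(abs(o) for o in offset)

def layer_of(index):
    """Claim 9: below T1 -> stable, T1..T2 inclusive -> transition, above T2 -> new."""
    if index < NEWNESS_T1:
        return "stable"
    if index <= NEWNESS_T2:
        return "transition"
    return "new"

def detect(layer, offset, baseline_std, recent_std):
    """Stand-in for the claim 8 per-layer models: a z-score bound per mechanism (assumed)."""
    z = max(abs(o) / s for o, s in zip(offset, baseline_std))
    if layer == "stable":        # low-frequency steady-state constraint: fixed bound
        limit = 3.0
    elif layer == "transition":  # adaptive fluctuation: bound widens with recent variance
        limit = 3.0 * max(1.0, mean(recent_std) / mean(baseline_std))
    else:                        # high-frequency sensitivity enhancement: tighter bound
        limit = 2.0
    return z > limit, z

def assess_node(node_id, current, baseline, baseline_std, recent_std):
    """Claim 10 pipeline for one sensing node: offset -> index -> layer -> detector."""
    offset = feature_offset(current, baseline)
    index = newness_index(offset)
    layer = layer_of(index)
    alert, z = detect(layer, offset, baseline_std, recent_std)
    return {"node": node_id, "index": index, "layer": layer, "alert": alert, "z": z}

# Constructed sample: three nodes with one shared baseline (structural, behavioral, security)
BASELINE, BASE_STD = [1.0, 2.0, 0.1], [0.1, 0.2, 0.05]
SAMPLE_NODES = {
    "stable-node": ([1.05, 2.0, 0.1], [0.1, 0.2, 0.05]),    # sits on the baseline
    "transition-node": ([1.3, 2.2, 0.2], [0.2, 0.4, 0.1]),  # drifting, noisier lately
    "new-node": ([3.0, 0.5, 2.0], [0.1, 0.2, 0.05]),        # far from any baseline
}
def assess_all():
    return {nid: assess_node(nid, cur, BASELINE, BASE_STD, rec)
            for nid, (cur, rec) in SAMPLE_NODES.items()}
```

Only the new node triggers an alert here: the transition node's deviation is absorbed by the widened adaptive bound, which is the false-alarm behaviour the hierarchical split is meant to control.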
Citation Information
Patent Citations
- Power production data private network security situation awareness system and method (CN120110735A)
- Photovoltaic power station network security situation awareness and early warning method and system (CN121000455A)