A network security-based server monitoring system and method

By using multi-source heterogeneous data collection and multi-dimensional threat detection technologies, the problem of real-time identification and accuracy of abnormal behavior in server security monitoring has been solved, improving the timeliness and accuracy of server security protection.

CN122160160APending Publication Date: 2026-06-05STATE GRID ENERGY XINJIANG ZHUNDONG COAL POWER CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
STATE GRID ENERGY XINJIANG ZHUNDONG COAL POWER CO LTD
Filing Date
2026-04-01
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

Existing technologies cannot determine in real time whether a server is exhibiting abnormal behavior, resulting in insufficient accuracy and timeliness of security monitoring.

Method used

It employs modules for multi-source heterogeneous data acquisition, data processing and analysis, asset security management, threat detection and response, situational awareness and visualization, and system management, combined with various algorithms and models, to achieve comprehensive monitoring and threat detection of servers.

Benefits of technology

It enables comprehensive collection and real-time analysis of server operation data, improving the accuracy and timeliness of security monitoring, reducing false alarm rates, and minimizing the need for manual intervention.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122160160A_ABST
    Figure CN122160160A_ABST
Patent Text Reader

Abstract

The application relates to the technical field of network security, and discloses a server monitoring system and method based on network security, which comprises a security data acquisition module, a data processing and analysis module, an asset security management module, a threat detection and response module, a situation awareness and visualization module and a system management module; server running state data is acquired through multi-source heterogeneous data acquisition technology; security analysis is carried out through normalization processing and machine learning algorithms; a server asset full life cycle management system is established; threat detection and automatic response are realized based on rule detection and behavior analysis technology; and the security situation is displayed through a visual interface and a compliance report is generated. The application reduces the false alarm rate of security events and the work load of security operation and maintenance, and improves the timeliness of server security protection and the level of enterprise network security protection.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of network security technology, specifically to a server monitoring system and method based on network security. Background Technology

[0002] Network security refers to the protection of the hardware, software, and data of a network system from accidental or malicious damage, alteration, or disclosure, ensuring the continuous, reliable, and normal operation of the system and uninterrupted network services.

[0003] Currently, due to the increasingly complex server operating environment, the server operation data collected by the deployed monitoring system during real-time monitoring of server security status cannot determine whether there is any abnormal behavior on the server in real time. If the abnormal behavior is not detected in time, it will cause missed or false alarms of security incidents, and the accuracy of security monitoring cannot be guaranteed.

[0004] Therefore, a server monitoring system and method based on network security is proposed to solve the above problems. Summary of the Invention

[0005] To address the shortcomings of existing technologies, this invention provides a server monitoring system and method based on network security. This invention solves the problems mentioned in the background section regarding the inability to determine in real time whether a server is exhibiting abnormal behavior and the inability to guarantee the accuracy of security monitoring.

[0006] To achieve the above objectives, the present invention provides the following technical solution: a server monitoring system and method based on network security, the system comprising: The security data acquisition module is used to acquire server operation data through multi-source heterogeneous data acquisition technology, including an active scanning unit to acquire configuration information and vulnerability data, and a passive listening unit to receive operation status messages and security alarm information. The data processing and analysis module is used to perform normalization processing and correlation analysis on the data, including the data cleaning unit to remove invalid data, the feature extraction unit to extract attack feature vectors, and the threat modeling unit to build threat detection models. The asset security management module is used for server asset management, including an asset discovery unit to identify server assets, an asset profiling unit to build a 3D profile, and a risk assessment unit to calculate asset risk values. The threat detection and response module is used to detect and respond to security threats, including a rule detection unit for threat matching, a behavior analysis unit for detecting abnormal behavior, and an automated response unit for executing handling scripts. The situational awareness and visualization module is used to display the security situation, including the situational assessment unit calculating the security index, the large screen display unit providing a visual view, and the report generation unit generating compliance reports; The system management module is used for permission management and system configuration, including a role management unit to implement permission control and an audit log unit to record operation behavior.

[0007] Preferably, the security data acquisition module further includes: The protocol parsing unit supports parsing more than 20 network protocols, including HTTP, HTTPS, DNS, SMTP, FTP, SSH, and RDP. The data buffer unit uses a circular buffer structure to temporarily store the collected data and prevent data loss. Its normalized storage efficiency satisfies the formula: ; in, To normalize buffer efficiency, Data storage time, in seconds. Total data collection time, in seconds. The environmental correction factor is set to a threshold range of 0.92 to 0.98. The encrypted transmission unit uses the national cryptographic algorithm SM4 to encrypt the transmission of sensitive data; The load balancing unit dynamically adjusts the data collection frequency and the number of threads to avoid impacting server performance.

[0008] Preferably, the data processing and analysis module further includes: The real-time analytics engine uses a streaming computing framework to process real-time data with latency controlled in the millisecond range. The historical analysis engine uses a distributed computing framework to process batch data, supporting petabyte-level data storage and analysis. The association analysis unit establishes event relationships through graph database technology and supports multi-hop association analysis. The machine learning unit integrates multiple algorithm models, including Random Forest, XGBoost, and LSTM, and supports online model training and updates. Its normalized detection accuracy satisfies the formula: ; in, To normalize the accuracy, To accurately detect the number of threats, the unit is individuals. Total number of threats, in units. The threshold range for the model correction coefficient is set to 1.03~1.07.

[0009] Preferably, the asset security management module further includes: The automatic asset discovery unit discovers server assets in the network through ARP scanning, ICMP probing, and port scanning technologies. The asset change detection unit uses a difference comparison algorithm to detect changes in asset configuration. The asset topology display unit automatically generates server network topology diagrams and supports topology search and path analysis. The asset tag management unit supports custom tag classification and labeling, enabling multi-dimensional asset classification management.

[0010] Preferably, the threat detection and response module further includes: The threat intelligence unit integrates multiple threat intelligence sources and supports IOC metric matching. The sandbox detection unit detects suspicious files and URLs within a virtualized environment; Attack chain reconstruction unit, which reconstructs the entire attack process based on the Kill Chain model; The disposal strategy library contains more than 50 predefined standardized disposal strategies.

[0011] Preferably, the situational awareness and visualization module further includes: The risk warning unit predicts security risk trends based on time series analysis. The hotspot analysis unit identifies high-frequency attack sources and high-risk vulnerabilities. The comparative analysis unit supports comparative analysis of data across multiple time dimensions. Customizable report units, supporting drag-and-drop report design and scheduled generation.

[0012] Preferably, the method includes the following steps: S1. Acquire server operation data through multi-source data acquisition technology, including actively scanning server configuration information and passively receiving security logs; S2. Perform normalization processing on the collected data, including data cleaning, field mapping, and format conversion; S3. Construct a knowledge graph of server assets, including asset attribute extraction, business relationship analysis, and security risk assessment; S4. Employ multi-dimensional threat detection technologies to analyze security incidents, including rule matching, behavioral analysis, and machine learning detection; S5. Generate response strategies based on threat analysis results, including automatic blocking, alarm escalation, and manual handling; S6. Visualize the security situation, including real-time monitoring dashboards, risk heatmaps, and trend analysis charts; S7. Generate a security compliance report, including vulnerability statistics, threat analysis, and remediation recommendations; S8. Regularly evaluate the system's operational effectiveness, including detection coverage, alarm accuracy, and response timeliness.

[0013] Preferably, step S1 specifically includes: S11. Configure the data acquisition strategy, including acquisition frequency, data range and sampling ratio; S12. Establish a data acquisition channel, including support for multiple protocols such as Syslog, SNMP, NetFlow, and JDBC; S13. Perform data preprocessing, including data deduplication, field extraction, and preliminary filtering; S14. Monitor data acquisition status, including acquisition success rate, latency, and resource usage.

[0014] Preferably, step S4 specifically includes: S41. Detect known threats based on a rule engine, including feature matching and pattern recognition; S42. Employ UEBA technology to detect abnormal behavior, including baseline modeling and deviation analysis; S43. Use deep learning algorithms to detect unknown threats, including automatic feature extraction and anomaly scoring; S44. Combine threat intelligence to verify attacks, including IOC matching and TTP analysis; S45. Assess the severity of the threat, including its scope of impact, business criticality, and difficulty of remediation.

[0015] Preferably, step S5 specifically includes: S51. Select the response method based on the threat type, including automatic blocking, alarm notification, and manual review; S52. Execute the pre-defined response script, including isolating the affected system, blocking malicious traffic, and patching security vulnerabilities; S53. Record the response process and results, including operation logs, handling effects, and follow-up recommendations; S54. Evaluate the effectiveness of the response, including response time, accuracy of handling, and business impact; S55. Optimize response strategies, including rule adjustments, process improvements, and contingency plan updates.

[0016] Compared with existing technologies, the present invention provides a server monitoring system and method based on network security, which has the following beneficial effects: 1. In this invention, by establishing a unified data collection standard and setting differentiated collection strategies for different types of servers, the comprehensiveness of data collection from various servers is ensured. At the same time, the collected data is verified and filtered in real time, which can identify and eliminate abnormal data interference, ensuring the accuracy and reliability of server monitoring data and reducing the false alarm rate of security incidents.

[0017] 2. In this invention, by constructing a multi-dimensional threat detection model, the deviation between server operation behavior and security baseline is analyzed in real time, enabling the system to promptly detect potential security threats. When abnormal behavior is detected, the system can automatically trigger corresponding contingency plans based on the threat level, ensuring rapid response and handling of security incidents and improving the timeliness of server security protection.

[0018] 3. In this invention, through a predefined standardized handling process, security operations such as threat isolation and vulnerability repair are performed in real time, enabling the system to complete closed-loop processing of common security incidents without human intervention, reducing the workload of security operations and maintenance, and continuously improving the accuracy of server security protection by continuously optimizing response strategies. Attached Figure Description

[0019] Figure 1 This is a schematic diagram of the architecture of a server monitoring system based on network security according to the present invention; Figure 2 This is a flowchart illustrating the steps of a server monitoring method based on network security according to the present invention. Detailed Implementation

[0020] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0021] Please see Figure 1-2 The specific implementation of this server monitoring system and method based on network security is as follows: The system includes: The security data acquisition module is used to acquire server operation data through multi-source heterogeneous data acquisition technology, including an active scanning unit to acquire configuration information and vulnerability data, and a passive listening unit to receive operation status messages and security alarm information. The data processing and analysis module is used to perform normalization processing and correlation analysis on the data, including the data cleaning unit to remove invalid data, the feature extraction unit to extract attack feature vectors, and the threat modeling unit to build threat detection models. The asset security management module is used for server asset management, including an asset discovery unit to identify server assets, an asset profiling unit to build a 3D profile, and a risk assessment unit to calculate asset risk values. The threat detection and response module is used to detect and respond to security threats, including a rule detection unit for threat matching, a behavior analysis unit for detecting abnormal behavior, and an automated response unit for executing handling scripts. The situational awareness and visualization module is used to display the security situation, including the situational assessment unit calculating the security index, the large screen display unit providing a visual view, and the report generation unit generating compliance reports; The system management module is used for permission management and system configuration, including a role management unit to implement permission control and an audit log unit to record operation behavior; The secure data acquisition module also includes: The protocol parsing unit supports parsing more than 20 network protocols, including HTTP, HTTPS, DNS, SMTP, FTP, SSH, and RDP. The data buffer unit uses a circular buffer structure to temporarily store the collected data and prevent data loss. Its normalized storage efficiency satisfies the formula: ; in, To normalize buffer efficiency, Data storage time, in seconds. Total data collection time, in seconds. The environmental correction factor is set to a threshold range of 0.92 to 0.98. The encrypted transmission unit uses the national cryptographic algorithm SM4 to encrypt the transmission of sensitive data; The load balancing unit dynamically adjusts the data collection frequency and the number of threads to avoid impacting server performance; The data processing and analysis module also includes: The real-time analytics engine uses a streaming computing framework to process real-time data with latency controlled in the millisecond range. The historical analysis engine uses a distributed computing framework to process batch data, supporting petabyte-level data storage and analysis. The association analysis unit establishes event relationships through graph database technology and supports multi-hop association analysis. The machine learning unit integrates multiple algorithm models, including Random Forest, XGBoost, and LSTM, and supports online model training and updates. Its normalized detection accuracy satisfies the formula: ; in, To normalize the accuracy, To accurately detect the number of threats, the unit is individuals. Total number of threats, in units. The threshold range for the model correction coefficients is set to 1.03~1.07; The asset security management module also includes: The automatic asset discovery unit discovers server assets in the network through ARP scanning, ICMP probing, and port scanning technologies. Its normalized asset coverage satisfies the formula: ; in, For normalized coverage, The number of discovered assets is in units. This represents the total actual assets, expressed in units of [number]. This is a network topology correction factor, with a threshold range of 1.01~1.03; The asset change detection unit uses a difference comparison algorithm to detect changes in asset configuration. The asset topology display unit automatically generates server network topology diagrams and supports topology search and path analysis. The asset tag management unit supports custom tag classification and labeling, enabling multi-dimensional asset classification management; The threat detection and response module also includes: The threat intelligence unit integrates multiple threat intelligence sources and supports IOC metric matching. The sandbox detection unit detects suspicious files and URLs within a virtualized environment; The attack chain reconstruction unit reconstructs the entire attack process based on the Kill Chain model, and its normalized attack stage identification rate satisfies the formula: ; in, To normalize the recognition rate, To correctly identify the number of stages, the unit is "one". This represents the actual total number of stages, expressed in units of [number]. The threshold range is set to 0.96~1.00 as an attack complexity correction factor. The disposal strategy library contains more than 50 predefined standardized disposal strategies; The situational awareness and visualization module also includes: The risk warning unit predicts security risk trends based on time series analysis. The hotspot analysis unit identifies high-frequency attack sources and high-risk vulnerabilities. The comparative analysis unit supports comparative analysis of data across multiple time dimensions. Customizable report units, supporting drag-and-drop report design and scheduled generation; The method includes the following steps: S1. Acquire server operation data through multi-source data acquisition technology, including actively scanning server configuration information and passively receiving security logs; S2. Normalize the collected data, including data cleaning, field mapping, and format conversion. The timeliness of the normalization process should meet the following formula: ; in, To normalize processing time, This represents the amount of data processed, in GB. Total data volume, in GB. Bit processing time, in seconds per GB. The reference time constant is expressed in seconds per GB, and the threshold range is set to 0.40 to 0.50. S3. Construct a knowledge graph of server assets, including asset attribute extraction, business relationship analysis, and security risk assessment; S4. Employ multi-dimensional threat detection technologies to analyze security incidents, including rule matching, behavioral analysis, and machine learning detection; S5. Generate response strategies based on threat analysis results, including automatic blocking, alarm escalation, and manual handling; S6. Visualize the security situation, including real-time monitoring dashboards, risk heatmaps, and trend analysis charts; S7. Generate a security compliance report, including vulnerability statistics, threat analysis, and remediation recommendations; S8. Regularly evaluate the system's operational performance, including detection coverage, alarm accuracy, and response timeliness; S11. Configure the data acquisition strategy, including acquisition frequency, data range and sampling ratio; S12. Establish a data acquisition channel, including support for multiple protocols such as Syslog, SNMP, NetFlow, and JDBC; S13. Perform data preprocessing, including data deduplication, field extraction, and preliminary filtering; S14. Monitor data acquisition status, including acquisition success rate, latency, and resource usage; S41. Detect known threats based on a rule engine, including feature matching and pattern recognition; S42. UEBA technology is used to detect abnormal behavior, including baseline modeling and deviation analysis. Its normalized anomaly detection rate satisfies the formula: ; in, To normalize the detection rate, The number of outliers detected is expressed in units of individuals. This represents the total number of actual anomalies, expressed in units of individuals. This is the baseline correction factor for behavior, with a threshold range set between 1.05 and 1.15. S43. Use deep learning algorithms to detect unknown threats, including automatic feature extraction and anomaly scoring; S44. Combine threat intelligence to verify attacks, including IOC matching and TTP analysis; S45. Assess the severity of the threat, including its scope of impact, business criticality, and difficulty of remediation; S51. Select the response method based on the threat type, including automatic blocking, alarm notification, and manual review; S52. Execute the pre-defined response script, including isolating the affected system, blocking malicious traffic, and patching security vulnerabilities. Its normalized response efficiency satisfies the formula: ; in, To normalize the response efficiency, Standard response time, in seconds. This is the actual response time, expressed in seconds. The threshold range for the scene complexity correction factor is set to 0.92~0.98; S53. Record the response process and results, including operation logs, handling effects, and follow-up recommendations; S54. Evaluate the effectiveness of the response, including response time, accuracy of handling, and business impact; S55. Optimize response strategies, including rule adjustments, process improvements, and contingency plan updates.

[0022] The operational steps of a server monitoring system and method based on network security are as follows: Step 1, Data Acquisition Phase: By combining active scanning with passive monitoring, real-time data collection is conducted on server operating status, network traffic, and system logs to establish a complete data acquisition system.

[0023] Step 2, Data Processing Stage: The collected raw data is cleaned, filtered, and standardized to extract key feature information, providing a standardized data foundation for subsequent analysis.

[0024] Step 3, Asset Management Phase: Automatically identify server assets in the network, construct asset profiles, assess asset risk levels, and establish a full lifecycle management system for server assets.

[0025] Step 4, Threat Detection Phase: Based on rule matching, behavior analysis, and machine learning technologies, perform multi-dimensional security analysis of the server's operating status to identify potential security threats.

[0026] Step 5, Response and Handling Phase: Based on the threat detection results, the predefined response strategy is automatically triggered to execute security measures such as blocking, isolation, and alarms.

[0027] Step Six, Situation Awareness Phase: Integrate multi-dimensional data such as assets, vulnerabilities, and threats to generate a visualized security situation report, providing risk warnings and trend predictions.

[0028] Step 7, System Maintenance Phase: Perform system configuration management, access control, and operation monitoring to ensure the stability and security of the monitoring system itself.

[0029] It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitations, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes said element.

[0030] Although embodiments of the invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made to these embodiments without departing from the principles and spirit of the invention, the scope of which is defined by the appended claims and their equivalents.

Claims

1. A server monitoring system based on network security, characterized in that: include: The security data acquisition module is used to acquire server operation data through multi-source heterogeneous data acquisition technology, including an active scanning unit to acquire configuration information and vulnerability data, and a passive listening unit to receive operation status messages and security alarm information. The data processing and analysis module is used to perform normalization processing and correlation analysis on the data, including the data cleaning unit to remove invalid data, the feature extraction unit to extract attack feature vectors, and the threat modeling unit to build threat detection models. The asset security management module is used for server asset management, including an asset discovery unit to identify server assets, an asset profiling unit to build a 3D profile, and a risk assessment unit to calculate asset risk values. The threat detection and response module is used to detect and respond to security threats, including a rule detection unit for threat matching, a behavior analysis unit for detecting abnormal behavior, and an automated response unit for executing handling scripts. The situational awareness and visualization module is used to display the security situation, including the situational assessment unit calculating the security index, the large screen display unit providing a visual view, and the report generation unit generating compliance reports; The system management module is used for permission management and system configuration, including a role management unit to implement permission control and an audit log unit to record operation behavior.

2. The server monitoring system based on network security according to claim 1, characterized in that: The security data acquisition module also includes: The protocol parsing unit supports parsing more than 20 network protocols, including HTTP, HTTPS, DNS, SMTP, FTP, SSH, and RDP. The data buffer unit uses a circular buffer structure to temporarily store the collected data and prevent data loss. Its normalized storage efficiency satisfies the formula: ; in, To normalize buffer efficiency, Data storage time, in seconds. Total data collection time, in seconds. The environmental correction factor is set to a threshold range of 0.92 to 0.

98. The encrypted transmission unit uses the national cryptographic algorithm SM4 to encrypt the transmission of sensitive data; The load balancing unit dynamically adjusts the data collection frequency and the number of threads to avoid impacting server performance.

3. The server monitoring system based on network security according to claim 1, characterized in that: The data processing and analysis module also includes: The real-time analytics engine uses a streaming computing framework to process real-time data with latency controlled in the millisecond range. The historical analysis engine uses a distributed computing framework to process batch data, supporting petabyte-level data storage and analysis. The association analysis unit establishes event relationships through graph database technology and supports multi-hop association analysis. The machine learning unit integrates multiple algorithm models, including Random Forest, XGBoost, and LSTM, and supports online model training and updates. Its normalized detection accuracy satisfies the formula: ; in, To normalize the accuracy, To accurately detect the number of threats, the unit is individuals. Total number of threats, in units. The threshold range for the model correction coefficient is set to 1.03~1.

07.

4. The server monitoring system based on network security according to claim 1, characterized in that: The asset security management module also includes: The asset auto-discovery unit discovers server assets in the network through ARP scanning, ICMP probing, and port scanning technologies. The asset change detection unit uses a difference comparison algorithm to detect changes in asset configuration. The asset topology display unit automatically generates server network topology diagrams and supports topology search and path analysis. The asset tag management unit supports custom tag classification and labeling, enabling multi-dimensional asset classification management.

5. A server monitoring system based on network security according to claim 1, characterized in that: The threat detection and response module also includes: The threat intelligence unit integrates multiple threat intelligence sources and supports IOC metric matching. The sandbox detection unit detects suspicious files and URLs within a virtualized environment; Attack chain reconstruction unit, which reconstructs the entire attack process based on the Kill Chain model; The disposal strategy library contains more than 50 predefined standardized disposal strategies.

6. A server monitoring system based on network security according to claim 1, characterized in that: The situational awareness and visualization module also includes: The risk warning unit predicts security risk trends based on time series analysis. The hotspot analysis unit identifies high-frequency attack sources and high-risk vulnerabilities. The comparative analysis unit supports comparative analysis of data across multiple time dimensions. Customizable report units, supporting drag-and-drop report design and scheduled generation.

7. A server monitoring method based on network security, characterized in that: Includes the following steps: S1. Acquire server operation data through multi-source data acquisition technology, including actively scanning server configuration information and passively receiving security logs; S2. Perform normalization processing on the collected data, including data cleaning, field mapping, and format conversion; S3. Construct a knowledge graph of server assets, including asset attribute extraction, business relationship analysis, and security risk assessment; S4. Employ multi-dimensional threat detection technologies to analyze security incidents, including rule matching, behavioral analysis, and machine learning detection; S5. Generate response strategies based on threat analysis results, including automatic blocking, alarm escalation, and manual handling; S6. Visualize the security situation, including real-time monitoring dashboards, risk heatmaps, and trend analysis charts; S7. Generate a security compliance report, including vulnerability statistics, threat analysis, and remediation recommendations; S8. Regularly evaluate the system's operational effectiveness, including detection coverage, alarm accuracy, and response timeliness.

8. A server monitoring method based on network security according to claim 7, characterized in that: Step S1 specifically includes: S11. Configure the data acquisition strategy, including acquisition frequency, data range and sampling ratio; S12. Establish a data acquisition channel, including support for multiple protocols such as Syslog, SNMP, NetFlow, and JDBC; S13. Perform data preprocessing, including data deduplication, field extraction, and preliminary filtering; S14. Monitor data acquisition status, including acquisition success rate, latency, and resource usage.

9. A server monitoring method based on network security according to claim 7, characterized in that: Step S4 specifically includes: S41. Detect known threats based on a rule engine, including feature matching and pattern recognition; S42. Employ UEBA technology to detect abnormal behavior, including baseline modeling and deviation analysis; S43. Use deep learning algorithms to detect unknown threats, including automatic feature extraction and anomaly scoring; S44. Combine threat intelligence to verify attacks, including IOC matching and TTP analysis; S45. Assess the severity of the threat, including its scope of impact, business criticality, and difficulty of remediation.

10. A server monitoring method based on network security according to claim 7, characterized in that: Step S5 specifically includes: S51. Select the response method based on the threat type, including automatic blocking, alarm notification, and manual review; S52. Execute the pre-defined response script, including isolating the affected system, blocking malicious traffic, and patching security vulnerabilities; S53. Record the response process and results, including operation logs, handling effects, and follow-up recommendations; S54. Evaluate the effectiveness of the response, including response time, accuracy of handling, and business impact; S55. Optimize response strategies, including rule adjustments, process improvements, and contingency plan updates.