A computer network data security protection system and method based on digital twinning

By combining digital twins and generative AI into a closed-loop protection system, the problem of insufficient unknown threat detection capabilities and passive updates to protection strategies in existing technologies has been solved. This system enables accurate detection of unknown threats and autonomous iteration of strategies, forming lifelong immune cybersecurity protection.

CN122160164APending Publication Date: 2026-06-05WUHAN SIPU TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
WUHAN SIPU TECH CO LTD
Filing Date
2026-04-07
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

Existing computer network data security protection systems have shortcomings in dealing with unknown threats, low efficiency of data collaborative analysis, passive protection mode, insufficient self-evolution capability, and poor business adaptability. They cannot effectively detect zero-day attacks and advanced long-term threats, and the protection strategies require frequent manual updates, which can easily lead to business interruptions.

Method used

Adopting a fully closed-loop protection system based on digital twins, and combining generative AI, digital twins and federated learning technologies, it achieves non-intrusive data collection, analysis and policy updates throughout the entire process through multi-source non-intrusive data acquisition, data security preprocessing, digital twin simulation, AI intelligent analysis, intelligent decision response and immune memory evolution layer, forming proactive intelligent protection.

Benefits of technology

It achieves accurate detection of known and unknown threats, with an automated handling rate of up to 95%, a 95% reduction in policy deployment failure rate, and autonomous iteration of models and policies to achieve lifelong immunity from a single attack, ensuring the continuous security of the network environment and business continuity.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122160164A_ABST
    Figure CN122160164A_ABST
Patent Text Reader

Abstract

The application provides a computer network data security protection system and method based on digital twinning, which is used for overcoming many defects accompanied by the prior art under the logic of a full closed-loop protection system of 'perception-preprocessing-analysis-decision-response-evolution', combining generative AI, digital twinning, federated learning and other technologies, realizing standardized and quantifiable operation of each link, non-invasive design throughout the process, guaranteeing normal operation of business, realizing active intelligent protection of network data security, making the system protection capability continuously evolve with the upgrading of attack means, forming a protection effect of one attack and lifelong immunity, and providing good security protection for a network environment.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of network security, specifically to a computer network data security protection system and method based on digital twins. Background Technology

[0002] Current computer network data security protection systems in the internet environment mostly adopt a technical architecture of static rules plus blacklist interception. The core relies on independent devices such as firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), and log auditing systems to form a protection system. Technical methods primarily involve signature-based matching, fixed rule filtering, and manual log analysis. Some advanced systems introduce basic artificial intelligence (AI) algorithms for simple anomaly detection, but these only achieve single-dimensional data analysis, failing to integrate and correlate multi-source heterogeneous data, and the models lack iterative evolution capabilities. The overall protection logic is "threat detection - passive interception," requiring frequent manual updates to protection strategies and manual parameter adjustments to adapt to different business scenarios.

[0003] In this situation, existing computer network data security protection technologies have the following specific drawbacks: 1. Lack of unknown threat detection capability: It can only identify known threats that have been entered into the signature database. It cannot effectively detect signatureless threats such as zero-day attacks, advanced persistent threats (APT) attacks, and gray-scale covert attacks, resulting in a strong response lag. 2. Low efficiency of collaborative data analysis: Multi-source heterogeneous data such as traffic, terminal logs, asset information, and business data are isolated from each other, making it impossible to fully reconstruct the threat chain, and easily leading to missed detections and false alarms; 3. The protection mode is passive defense: the strategy needs to be adjusted after the threat is discovered manually. The efficiency of handling depends on human experience, the degree of automation is low, and it is easy to be unable to handle large-scale network attacks in a timely manner. 4. Lack of self-evolution capability: Updates to protection rules and detection models require manual intervention, handling experience cannot be effectively accumulated, cross-domain threat intelligence cannot be shared under the premise of privacy protection, and defense capabilities always lag behind attack techniques; 5. Poor business and protection adaptability: There is no real-world simulation mechanism before the new protection strategy goes live, which can easily lead to business interruption due to improper strategy settings, and the protection level cannot be dynamically adjusted according to business scenarios. Summary of the Invention

[0004] This application provides a computer network data security protection system and method based on digital twins. Under the conceived closed-loop protection system logic of "perception-preprocessing-analysis-decision-response-evolution", it combines generative AI, digital twins, federated learning and other technologies to overcome many defects of existing technologies. Each link is standardized and quantifiable, and the entire process is non-intrusive to ensure the normal operation of business. It realizes proactive and intelligent protection of network data security, and allows the system's protection capabilities to continuously evolve as attack methods upgrade, forming a protection effect of one attack and lifelong immunity, which can provide good security for the network environment.

[0005] Firstly, this application provides a computer network data security protection system based on digital twins, the system comprising: Multi-source, non-sensory acquisition layer collects network data from the deployed network environment; The data security preprocessing layer performs preprocessing and fusion operations on network data to obtain a standardized analysis dataset. The digital twin simulation layer updates the network state of the network environment model pre-built using the digital twin method based on the standardized analysis dataset. Then, it performs attack and defense scenario simulation and pre-verification of protection strategies based on the network environment model, and obtains simulation verification results containing effective strategies and simulation data. The AI ​​intelligent analysis layer calls the AI ​​detection model to analyze the corresponding known network threats, potential network threats and attack chains based on the simulation and verification results, and obtains decision-making references. The intelligent decision response layer matches decision references with handling strategies to advance decision response processing and collect response processing records. The immune memory evolution layer uses federated learning combined with response processing records to perform autonomous model iteration, and synchronizes the updated content to the AI ​​intelligent analysis layer and intelligent decision response layer for continuous evolution.

[0006] Secondly, this application provides a computer network data security protection method based on digital twins, the method comprising: Network data from the deployed network environment is collected through a multi-source, non-sensory acquisition layer. A standardized analysis dataset is obtained by performing preprocessing and fusion operations on network data through a data security preprocessing layer. After updating the network state of the network environment model pre-built using the digital twin method based on the standardized analysis dataset through the digital twin simulation layer, attack and defense scenario simulation and protection strategy pre-verification are performed based on the network environment model to obtain simulation verification results containing effective strategies and simulation data. The AI ​​intelligent analysis layer calls the AI ​​detection model to analyze the corresponding known network threats, potential network threats and attack chains based on the simulation and verification results, and obtains decision-making references. The intelligent decision response layer matches decision references with handling strategies to advance decision response processing and collect response processing records. The immune memory evolution layer uses federated learning combined with response processing records to enable autonomous model iteration, and the updated content is synchronized to the AI ​​intelligent analysis layer and intelligent decision response layer for continuous evolution.

[0007] Thirdly, this application provides a computer-readable storage medium storing a plurality of instructions adapted for loading by a processor to execute the method provided in the second aspect of this application.

[0008] From the above, it can be concluded that this application has the following beneficial effects: To address the goal of protecting computer network data security, this application, based on a fully closed-loop protection system logic of "perception-preprocessing-analysis-decision-response-evolution," combines technologies such as generative AI, digital twins, and federated learning to overcome many shortcomings of existing technologies. Each step is standardized and quantifiable, with a non-intrusive design throughout, ensuring normal business operations and achieving proactive intelligent protection of network data security. This allows the system's protection capabilities to continuously evolve as attack methods upgrade, forming a protection effect of "one attack, lifelong immunity," providing excellent security for the network environment. Attached Figure Description

[0009] To more clearly illustrate the technical solutions in the embodiments of this application, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0010] Figure 1 This is a schematic diagram of a system architecture for a computer network data security protection system based on digital twins, as described in this application. Figure 2 This is a functional logic diagram of a computer network data security protection system based on digital twins, as described in this application. Figure 3 This is a flowchart illustrating a computer network data security protection method based on digital twins, as described in this application. Detailed Implementation

[0011] The technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, and not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this application.

[0012] The terms "first," "second," etc., used in the specification, claims, and accompanying drawings of this application are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that such data can be interchanged where appropriate so that the embodiments described herein can be implemented in a sequence other than that illustrated or described herein. Furthermore, the terms "comprising" and "having," and any variations thereof, are intended to cover non-exclusive inclusion; for example, a process, method, system, product, or device that includes a series of steps or modules is not necessarily limited to those explicitly listed, but may include other steps or modules not explicitly listed or inherent to such processes, methods, products, or devices. The naming or numbering of steps appearing in this application does not imply that the steps in the method flow must be performed in the chronological / logical order indicated by the naming or numbering. The execution order of named or numbered process steps can be changed according to the desired technical purpose, as long as the same or similar technical effect is achieved.

[0013] The module division described in this application is a logical division. In practical applications, there may be other division methods. For example, multiple modules may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the shown or discussed mutual coupling, direct coupling, or communication connections may be through interfaces, and the indirect coupling or communication connections between modules may be electrical or other similar forms, none of which are limited in this application. Moreover, the modules or sub-modules described as separate components may or may not be physically separated, may or may not be physical modules, or may be distributed across multiple circuit modules. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution in this application.

[0014] To address the goal of protecting computer network data security, this application proposes a fully closed-loop protection system of "perception-preprocessing-analysis-decision-response-evolution," which consists of three core parts: hardware acquisition nodes, edge processing modules, and cloud-based intelligent hubs. Each part achieves data interaction and command issuance through encrypted communication links. The system specifically includes six functional layers: multi-source non-sensory acquisition layer, data security preprocessing layer, digital twin simulation layer, AI intelligent analysis layer, intelligent decision response layer, and immune memory evolution layer. The components / modules at each layer work together to form an overall computer network data security protection system.

[0015] Further reference Figure 1 The diagram illustrates a system architecture of the computer network data security protection system based on digital twins, as described in this application. The system comprises six main components: a multi-source non-sensory acquisition layer, a data security preprocessing layer, a digital twin simulation layer, an AI intelligent analysis layer, an intelligent decision-making response layer, and an immune memory evolution layer. Specific details are as follows: 1) Multi-source sensorless acquisition layer The multi-source, non-sensory acquisition layer collects network data from the deployed network environment.

[0016] It is easy to see that the multi-source non-intrusive acquisition layer is responsible for collecting raw sensor data from various data sources in the network environment deployed by the system in a non-intrusive design. Corresponding to the computer network security protection target, it can specifically collect various types of network data.

[0017] As a specific implementation method, the following configuration may be involved in the process of the multi-source non-sensory acquisition layer collecting network data from the deployed network environment: In a non-intrusive design, network traffic data is collected through optical mirroring probes deployed at network egress or core switches, log and asset information is collected through edge collection nodes connected to various business systems, and terminal behavior data is collected through terminal agents deployed at terminal devices.

[0018] Among them, the optical mirror probe processes data at line speeds of 10Gbps~200Gbps with no packet loss; the terminal behavior data can specifically include process behavior, file behavior, network behavior, account and login behavior, etc. Compared with other network traffic data, log information and asset information, it has more flexible and more dispersed characteristics. This is mainly because the terminal user side involves more diverse Internet access behaviors, so fine-grained data collection can be carried out according to different types of Internet access behaviors.

[0019] The terminal device is a user-side device that is pre-connected to the enterprise system, and can include devices such as smartphones, tablets, personal digital assistants (PDAs), all-in-one computers, desktop computers, and laptops.

[0020] As can be seen, this application specifically involves three major types of data acquisition links in this setup to form full-dimensional network data.

[0021] 2) Data security preprocessing layer The data security preprocessing layer performs preprocessing and fusion operations on network data to obtain a standardized analysis dataset.

[0022] Understandably, the data security preprocessing layer is responsible for improving the quality of various network data collected by the preceding multi-source non-sensory acquisition layer through data preprocessing, and then integrating them at the overall level, thereby providing good data input for the subsequent digital twin simulation layer and laying a good data foundation.

[0023] As a specific implementation method here, the data security preprocessing layer may involve the following configuration content during the preprocessing and fusion operations of network data: After decrypting, cleaning, and dynamically desensitizing the network data, multi-source data association and fusion are carried out. In the process of multi-source data association and fusion, the data is identified by the universal unique identifier of the terminal, the five-tuple information of the traffic, and the unique identifier of the asset.

[0024] As can be seen from this, before the multi-source seamless acquisition layer sends the collected network data back to the data security preprocessing layer, it also involves encrypting the network data to ensure data security.

[0025] To address this, the decryption process, corresponding to the encryption steps mentioned earlier, can be addressed first. For example, the SM4 encryption module can have a built-in GMSSL / SM2 / SM4 decryption interface to decrypt the SM4 encrypted data transmitted unidirectionally. After decryption, the data can be cleaned to remove abnormal or blank data. For instance, Flink streaming processing can be used to clean the data through deduplication, noise reduction, and completion. Then, sensitive data can be dynamically anonymized. For example, algorithms such as masking, replacement, hashing, or format-preserving encryption can be used based on real-time traffic parsing, automatic sensitive data identification, and rule engine technology to anonymize specified sensitive information such as ID cards, mobile phone numbers, bank cards, or names in real time (100% anonymization rate). Finally, the multi-source data fusion submodule can be used to achieve data association and matching of traffic, logs, assets, and terminal behavior to generate a standardized and structured analysis dataset.

[0026] During the integration process, the Universally Unique Identifier (UUID) of the terminal, the five-tuple information of the traffic (composed of source IP address, source port, destination IP address, destination port and transport layer protocol), and the unique identifier (ID) of the asset can be used as matching references. Alternatively, additional matching identifiers can be added after integration to facilitate better data use in the future.

[0027] Among them, the standardized analysis dataset obtained by final fusion may also involve format configuration. This custom format can be an existing format or a special, custom format, so as to further adapt to the characteristics of the application scenario of the solution.

[0028] 3) Digital Twin Simulation Layer The digital twin simulation layer updates the network state of the network environment model pre-built using the digital twin method based on the standardized analysis dataset. Then, it performs attack and defense scenario simulations and pre-verification of protection strategies based on the network environment model, obtaining simulation verification results that include effective strategies and simulation data.

[0029] As can be seen, the digital twin simulation layer is a core configuration of this application solution. It is responsible for simulating real business traffic and attack scenarios based on the network links configured in the digital twin model, while updating the digital twin model in real time, to restore network threat attacks and conduct attack and defense drills in computer network data security protection scenarios, thereby verifying the security protection performance of the corresponding security protection strategy.

[0030] In this regard, as a specific implementation method, the digital twin simulation layer, which is the network state of the network environment model, can be achieved by the digital twin engine updating the high-fidelity network virtual image based on the standardized analysis dataset. During the operation, it can detect whether there are model updates or new protection strategies that need to be implemented. If there are model updates or new protection strategies that need to be implemented, the attack and defense scenarios are simulated through the network virtual image of the model, and the protection effect and business impact of the new protection strategy are verified through the policy effectiveness verifier.

[0031] In practical operation, this application also designs a quantitative formula for the effectiveness of the protection strategy, in order to better quantify the protection effect and business impact of the new strategy, avoid business interruption after the strategy goes live, and provide quantitative direction for strategy optimization. The corresponding configuration content is as follows: Let the strategy effectiveness score be E, the threat interception rate be I (value 0~1, the number of target threats intercepted by the strategy in the simulation scenario / the total number of attacks), the business impact rate be M (value 0~1, the number of times the strategy blocks normal business in the simulation scenario / the total number of business requests, which is included in the score), and the strategy execution efficiency be T (value 0~1, the average handling time of the strategy / the maximum handling time required by the system, such as ≤10s on the edge side, if it exceeds, T=0). The three dimensions of threat interception rate I, business impact rate M and strategy execution efficiency T are assigned weights w1=0.6, w2=0.3 and w3=0.1 respectively (the specific weight values ​​can be dynamically adjusted according to the business scenario).

[0032] The formula for calculating the effectiveness score E of the corresponding protection strategy can be expressed as: , The corresponding criteria for determining the strategy to go live are: When E≥0.9, it is an effective strategy and should be implemented directly. When 0.7≤E<0.9, it is a strategy to be optimized. The parameters can be adjusted according to the M and T indices and then re-verified. When E < 0.7, it is an invalid strategy and should be discarded and redesigned.

[0033] At this point, the effective strategies, simulation data, and other deduction and verification results obtained can be transmitted as output to the subsequent AI intelligent analysis layer to promote further intelligent analysis.

[0034] 4) AI Intelligent Analysis Layer The AI ​​intelligent analysis layer calls upon AI detection models to analyze known network threats, potential network threats, and attack chains based on the simulation and verification results, thereby providing decision-making references.

[0035] As can be seen, the AI ​​intelligent analysis layer here can use one or more AI models to perform specific analysis on specific objects, namely known network threats, potential network threats, and attack chains.

[0036] It is important to note that the so-called unknown / potential cyber threats do not mean undetectable cyber threats, but rather cyber threats that have not yet been formally identified as known cyber threats and have an uncertain nature. For example, whether a threat is formally identified as a known cyber threat requires consideration of factors such as the classification of the cyber threat, the severity of the threat, the level of importance attached to the response, and the direction of the response.

[0037] This section may also involve cloud-based applications to better deploy AI models.

[0038] Specifically, as an example implementation here, the AI ​​intelligent analysis layer, in the process of calling the AI ​​detection model to analyze the corresponding known network threats, potential network threats, and attack chains based on the inference verification results, may involve the following configuration content: 4.1) Based on the simulation and verification results, the security big model configured by the Large Language Model (LLM) combines feature matching and semantic analysis to detect known threats; Understandably, large language models have powerful language understanding and generation capabilities, making them well-suited for analyzing specific targets such as known threats, and they have excellent detection accuracy (≥99%).

[0039] 4.2) The detection module configured by the Bayesian deep learning network detects unknown threats by combining the inference and verification results with the learning of normal business behavior baselines; Understandably, Bayesian deep learning networks, compared to large language models, have the ability to model uncertainty and can dynamically infer abnormal patterns based on prior knowledge and observation data, rather than relying on a large number of labeled samples for pattern matching. Thus, for low-probability, covert unknown network threats, combined with learning the baseline of normal business behavior, they can have excellent detection performance.

[0040] In practical operation, this section specifically addresses featureless and unknown threats such as zero-day attacks and APT attacks. It combines the behavioral baseline analysis results from the Bayesian deep learning detection module to design a confidence formula for unknown threat detection, quantifying the reliability of the detection results and providing a basis for subsequent decision-making. The corresponding configuration includes the following: Let the behavior to be detected be X, and the baseline feature set of normal business behavior be... , Let i be the behavioral characteristic (such as traffic transmission frequency, number of process calls, port access patterns, etc.). for The probability of occurrence in normal behavior for The probability of occurrence in attack behavior (which can be iteratively updated by the federated learning model). This represents the prior probability of normal behavior. Let be the prior probability of the attack behavior. .

[0041] Corresponding Unknown Threat Detection Confidence The formula for calculating can be expressed as: , in, , ; The corresponding confidence level criteria are: When C(X) ≥ 80%, it is an unknown threat; When 50%≤C(X)<80%, it is considered suspicious behavior; When C(X) < 50%, it is considered normal behavior.

[0042] By integrating this with the previously known threat detection results, the overall threat detection can be quantitatively graded.

[0043] 4.3) Based on the simulation and verification results, the threat chain analyzer configured by the graph neural network reconstructs the attack source, propagation path and attack target of the attack chain; It is easy to understand that graph neural networks analyze attack chains based on the propagation paths of networks with topological characteristics. They have a high degree of matching and can effectively deduce the attack source, propagation path, and attack target of the attack chain.

[0044] Furthermore, based on the attack chain deduction, this application also considers the temporary and persistent impacts that may arise from the related operations of the operation and maintenance work in actual situations (the temporary operations configured for operation and maintenance needs are not remembered to be restored and remain in a hidden and persistent manner). Therefore, it can make targeted further updates to the network status and network propagation paths, thereby better deducing the attack chain that is difficult to detect and highly concealed.

[0045] In response, this section addresses the attack chain reconstruction process and can also incorporate work order information to capture the network link impact caused by temporary operations by maintenance personnel.

[0046] Understandably, the network link impact caused by maintenance work, i.e., temporary and / or persistent impact, can be addressed not only through lower system update intervals (i.e., faster system update efficiency, specifically by increasing the data collection frequency of the multi-source non-sensory acquisition layer) or by directly updating the paths involved in the digital twin model, but also by using work order information related to maintenance work as a reference. Understandably, some information may not be included or is difficult to include directly in network data. Therefore, having work order information as a reference point helps to better analyze the network propagation path and attack chain for the network link impact caused by the temporary operations of maintenance personnel.

[0047] Furthermore, in more detailed aspects, this application can also introduce an operation and maintenance prediction mechanism, which, based on the AI ​​model (mainly a deep learning model) and combined with historical operation and maintenance work, can predict the network link impact accompanying the operation and maintenance work of the operation and maintenance personnel group at the overall level, and also predict the network link impact accompanying the operation and maintenance work of different operation and maintenance personnel at the individual level.

[0048] The main difference between the former and the latter lies in whether or not the work style and operation method of individual operation and maintenance personnel are considered. The historical operation and maintenance work can be either related to the operation and maintenance work inside and outside the enterprise or related to the operation and maintenance work within the enterprise.

[0049] 4) After obtaining the processing results from the three aspects, the risk classification results with confidence level are confirmed by using the multi-source evidence cross-number method.

[0050] Understandably, after obtaining the processing results of known threat detection, unknown threat detection, and attack chain detection (mainly attack source, propagation path, and attack target), further result fusion can be involved. Specifically, multi-source evidence cross-validation can be combined to generate risk classification results with confidence levels (used to quantify the degree of credibility). The risk situation quantified by level helps to directly match the corresponding response / handling strategies, thereby efficiently and accurately advancing the specific response and handling.

[0051] In practical operation, this application also incorporates three dimensions—threat severity, value of affected assets, and business importance—to design a comprehensive network risk rating formula, classifying risks into three levels: high-risk, medium-risk, and low-risk. This provides a quantitative basis for matching response strategies in the intelligent decision-making layer, avoiding subjective classification bias. The corresponding configuration includes the following: Let the comprehensive risk score be R, the threat severity coefficient S (ranging from 0.1 to 1.0, quantified by attack type, propagation capability, and degree of damage, such as APT attack S=1.0, port scanning S=0.3), the asset value coefficient V (ranging from 0.1 to 1.0, quantified by asset type and data sensitivity, such as core database V=1.0, ordinary terminal V=0.2), the business importance coefficient B (ranging from 0.1 to 1.0, quantified by business continuity requirements and scope of impact, such as core business of industrial production B=1.0, office auxiliary business B=0.2), and the threat detection confidence C (ranging from 0 to 1, derived from the above detection model).

[0052] The formula for calculating the corresponding network risk comprehensive score R can be expressed as: , The corresponding risk level assessment criteria are as follows: When R ≥ 80, it is considered a high-risk threat level; When 40≤R<80, it is classified as a medium-risk threat level; When R < 40, it is considered a low-risk threat level.

[0053] 5) Intelligent Decision Response Layer The intelligent decision response layer matches decision references with handling strategies to advance decision response processing and collect response processing records.

[0054] Understandably, after the AI ​​intelligent analysis layer has obtained decision references (such as the risk classification results obtained by fusion in the exemplary setting), the edge processing module can be combined here to advance the matching and processing of further specific disposal strategies, so as to determine the specific disposal strategies that can be executed and execute them, so as to obtain the response processing records used by the subsequent immune memory evolution layer for immune memory evolution.

[0055] Specifically, as one implementation method here, the intelligent decision response layer matches decision references with handling strategies to advance the decision response process, and may involve the following configuration: 5.1) The dynamic strategy engine determines the target handling strategy based on the risk classification results with confidence levels used as a decision reference, and determines the target handling strategy when different preset handling strategies are adapted to different risk levels, and triggers the automatic handling script to perform the corresponding decision response processing. Understandably, different risk levels are directly matched with different preset handling strategies, which can achieve a very efficient matching effect.

[0056] The adaptation relationship involved here can be configured through mapping tables or other methods.

[0057] 5.2.1) For high-risk levels, directly and autonomously execute corresponding decision-making and response measures, including blocking suspicious IPs, freezing abnormal processes, or initiating data backup; 5.2.2) For medium-risk and low-risk levels, the corresponding decision-making and response processes shall be implemented after manual collaborative review.

[0058] The specific decision-making and response procedures for medium / low risk levels can refer to the decision-making and response procedures for high risk levels, or may involve more lenient decision-making and response procedures. These can be further adjusted according to the actual situation.

[0059] As can be seen, the specific decision-making response processing for medium / low risk levels involves a manual collaborative review process, achieving both automated response and manual fallback review. In specific operations, the review information for the current decision-making response processing content for medium or low risk levels needs to be pushed to the manual collaborative review interface on the reviewer's side for confirmation or manual adjustment.

[0060] As an example, a risk level R≥80 is considered a high-risk threat, which directly triggers automated handling scripts (such as blocking suspicious IPs and freezing abnormal processes); 40≤R<80 is considered a medium-risk level, and R<40 is considered a low-risk level. In these cases, the corresponding threat will be pushed to a human co-reviewer. Once the review is approved, the handling will be carried out, with an automated handling rate of ≥95%.

[0061] 6) Immune Memory Evolutionary Layer The immune memory evolution layer uses federated learning combined with response processing records to perform autonomous model iteration, and synchronizes the updated content to the AI ​​intelligent analysis layer and intelligent decision response layer for continuous evolution.

[0062] Understandably, the immune memory evolution layer targets the AI ​​models involved in the preceding AI intelligent analysis layer and the security protection strategies involved in the intelligent decision response layer. Based on the response processing records recorded by the intelligent decision response layer during or after the execution of threat response work, corresponding model / policy update content is generated under the federated learning mechanism to achieve continuous evolution of the system's protection capabilities.

[0063] As a specific implementation method here, the immune memory evolution layer, through federated learning combined with response processing records, can involve the following configurations during the model's autonomous iteration process: Based on the local immune memory bank, which records and stores full information about the threat, including attack characteristics, attack routes, handling methods, risk scores, and attribution results, the federated learning model iteration module combines the memory bank data from the local immune memory bank and other immune memory banks of cross-domain collaborative nodes to perform incremental iterations of AI detection models and handling strategies under the constraint of protecting data privacy.

[0064] The response processing records contain a wealth of information about the threat, including attack characteristics, attack routes, handling methods, risk scores, and source tracing results. They can also be combined with the network data obtained at the beginning to provide a reference for the original data.

[0065] As an example, the incremental learning iteration cycle is ≤24h, and the cross-domain collaborative iteration cycle is ≤7d.

[0066] As can be seen from the details, this application also involves the co-evolution of cross-domain cooperative nodes under the federated learning mechanism, and completes cross-domain threat intelligence sharing under the premise of privacy protection, which helps to achieve a more refined and generalized update and evolution effect.

[0067] The specific triggering mechanism for the autonomous iteration involved here can be flexibly configured according to actual needs, and is not limited to being triggered by the current response processing. It can also involve triggering conditions such as manual triggering and external triggering conditions.

[0068] In practice, for the model iteration stage of the immune memory evolution layer, a formula for the effect of federated learning model iteration is designed to quantify the performance improvement after incremental model iteration / cross-domain collaborative iteration, ensure the effectiveness of model iteration, and avoid system resource consumption caused by ineffective iteration.

[0069] Set a score for the model iteration effect. Accuracy of unknown threat detection after iteration Accuracy of unknown threat detection before iteration False positive rate after iteration False positive rate before iteration Model inference efficiency (Values ​​range from 0 to 1. If the average inference time of the model after iteration / the average inference time of the model before iteration ≤ 1, then...) =1 indicates that efficiency has not decreased.

[0070] Corresponding federated learning model iteration performance score The calculation formula can be expressed as: , The corresponding model update criteria are: when When the accuracy rate is ≥10%, for effective iteration, the updated model will be synchronized to the AI ​​intelligent analysis layer; When 0≤ When the percentage is less than 10%, it is an inefficient iteration, and the data is only retained on the local node without cross-domain synchronization. when When the result is less than 0, it is an invalid iteration, the iteration result is discarded, and the original model is used.

[0071] At the same time, the scheme settings involved in the above systems can also be combined with Figure 2 The diagram shown below illustrates a functional logic of a computer network data security protection system based on digital twins, as presented in this application, to provide a more intuitive understanding.

[0072] At the same time, we can further understand this by combining it with the following set of core technical parameter examples.

[0073] 1. Traffic acquisition capability: 10Gbps~200Gbps line-speed processing, no packet loss; 2. Threat detection response time: ≤10s at the edge, ≤500ms in the cloud; 3. Threat detection accuracy: Known threats ≥ 99%, unknown threats ≥ 85%; 4. Automation rate: ≥95%; 5. Model iteration cycle: Incremental learning ≤ 24h, federated collaborative iteration ≤ 7d; 6. Encryption standards: SM2 / SM4 / SM9, compatible with AES-256 and RSA-2048; 7. Supported protocols: TCP / IP, HTTP / HTTPS, and 40+ industrial communication protocols (Modbus, Profinet, etc.).

[0074] In conclusion, regarding the above solutions, this application, in addressing the goal of computer network data security protection, utilizes a fully closed-loop protection system based on the concept of "perception-preprocessing-analysis-decision-response-evolution." It combines generative AI, digital twins, federated learning, and other technologies to overcome numerous shortcomings of existing technologies. Each stage is standardized and quantifiable, with a non-intrusive design throughout, ensuring normal business operations and achieving proactive intelligent protection of network data security. This allows the system's protection capabilities to continuously evolve as attack methods upgrade, resulting in a protection effect of "one attack, lifelong immunity," providing excellent security for the network environment.

[0075] The beneficial effects that can be achieved in terms of details are as follows: 1. Enhanced Detection Capabilities: By integrating generative AI and deep learning technologies, it achieves accurate detection of known / unknown threats, with an unknown threat detection accuracy of ≥85% and a zero-day attack response latency of ≤500ms, completely solving the problem of traditional systems missing detection of featureless threats; 2. Optimized protection efficiency: The cloud-edge-device collaborative architecture enables hierarchical handling, with temporary handling completed within 10 seconds at the edge and in-depth analysis in the cloud. The automation rate is ≥95%, and the workload of manual judgment is reduced by more than 80%, significantly improving the efficiency of threat handling. 3. Enhanced business compatibility: The non-intrusive data collection design ensures zero impact on business operations, and the digital twin strategy pre-verification mechanism reduces the failure rate of strategy deployment by 95%, avoiding business interruptions caused by inappropriate strategies. At the same time, it supports dynamic adjustment of protection levels according to business scenarios, significantly improving adaptability. 4. Achieve autonomous evolution: The immune memory bank accumulates and processes experience, and federated learning technology enables autonomous iteration of models and strategies. The incremental learning cycle is ≤24 hours, achieving "one attack, lifelong immunity" without the need for frequent manual rule updates, thus reducing security operation costs. 5. Data security and compliance assurance: Algorithm encryption is used throughout the entire process, and sensitive data is dynamically de-identified to meet relevant compliance requirements. At the same time, privacy computing technology enables cross-domain threat intelligence sharing, balancing intelligence value and data privacy. 6. Full lifecycle protection: Covering the entire lifecycle of data collection, transmission, processing, storage, and use, it achieves full-domain, all-time, and intelligent protection of network data security, solving the problems of traditional systems having single protection dimensions and security blind spots.

[0076] The above is an introduction to the computer network data security protection system based on digital twins provided in this application. Correspondingly, this application also provides a computer network data security protection method based on digital twins, starting from the system workflow.

[0077] refer to Figure 3 The diagram illustrates a flowchart of a computer network data security protection method based on digital twins, as described in this application. Specifically, the computer network data security protection method based on digital twins provided by this application includes the following steps S301 to S306: Step S301: Collect network data of the deployed network environment through the multi-source non-sensory acquisition layer; Step S302: Perform preprocessing and fusion operations on the network data through the data security preprocessing layer to obtain a standardized analysis dataset; Step S303: After updating the network state of the network environment model pre-built using the digital twin method based on the standardized analysis dataset through the digital twin simulation layer, attack and defense scenario simulation and protection strategy pre-verification are performed based on the network environment model to obtain simulation verification results containing effective strategies and simulation data. Step S304: The AI ​​intelligent analysis layer calls the AI ​​detection model to analyze the corresponding known network threats, potential network threats and attack chains based on the simulation verification results, and obtains decision references. Step S305: The intelligent decision response layer matches the decision reference with the handling strategy to advance the decision response processing and collect response processing records. In step S306, the immune memory evolution layer uses federated learning combined with response processing records to perform autonomous model iteration, and synchronizes the updated content to the AI ​​intelligent analysis layer and intelligent decision response layer for continuous evolution.

[0078] As an exemplary embodiment, the following configuration is involved in the process of the multi-source non-sensory acquisition layer collecting network data from the deployed network environment: In a non-intrusive design, network traffic data is collected through optical mirroring probes deployed at network egress points or core switches, log and asset information is collected through edge collection nodes connected to various business systems, and terminal behavior data is collected through terminal intelligent agents deployed at terminal devices.

[0079] As another exemplary embodiment, the data security preprocessing layer involves the following configuration details during the preprocessing and fusion operations performed on network data: After decrypting, cleaning, and dynamically desensitizing the network data, multi-source data association and fusion are carried out. In the process of multi-source data association and fusion, the data is identified by the universal unique identifier of the terminal, the five-tuple information of the traffic, and the unique identifier of the asset.

[0080] As another exemplary embodiment, for the digital twin simulation layer, the network state of the network environment model is specifically implemented by the digital twin engine updating the network virtual image based on the standardized analysis dataset. If there is a model update or a new protection strategy that needs to be implemented, the attack and defense scenario is simulated through the network virtual image, and the protection effect and business impact of the new protection strategy are verified through the policy effectiveness verifier.

[0081] As another exemplary embodiment, the process of the AI ​​intelligent analysis layer calling the AI ​​detection model to analyze the corresponding known network threats, potential network threats, and attack chains based on the inference verification results involves the following configuration: Based on the simulation and verification results, the security big model configured by the big language model combines feature matching and semantic analysis to detect known threats. The detection module, configured by a Bayesian deep learning network, detects unknown threats by combining the results of the inference and verification with the baseline of normal business behavior. Based on the simulation and verification results, the threat chain analyzer configured by the graph neural network reconstructs the attack source, propagation path and attack target of the attack chain; After obtaining the results from the three aspects, the risk classification result with confidence level is further confirmed by the multi-source evidence cross-number method.

[0082] As another exemplary embodiment, the attack chain reconstruction process is combined with the work order information to capture the network link impact caused by the temporary operations of maintenance personnel.

[0083] As another exemplary embodiment, the intelligent decision response layer involves the following configuration elements in the process of advancing decision response processing by matching decision references with handling strategies: Based on the risk classification results with confidence levels used as a decision reference, the dynamic strategy engine determines the target handling strategy and triggers the automatic handling script to perform the corresponding decision response processing when different preset handling strategies are adapted to different risk levels. For high-risk levels, the corresponding decision-making and response measures can be implemented autonomously, including blocking suspicious IPs, freezing abnormal processes, or initiating data backup. For medium-risk and low-risk levels, the corresponding decision-making and response processes are implemented after manual collaborative review.

[0084] As another exemplary embodiment, the immune memory evolution layer involves the following configuration during the autonomous iteration of the model through federated learning combined with response processing records: Based on the local immune memory bank, which records and stores the full information of this threat, including attack characteristics, attack routes, handling methods, risk scores, and source tracing results, the federated learning model iteration module combines the memory bank data of the local immune memory bank and other immune memory banks of cross-domain collaborative nodes to perform incremental iterations of AI detection models and handling strategies under the constraint of protecting data privacy.

[0085] Those skilled in the art will clearly understand that, for the sake of convenience and brevity, the specific working process of the above-described digital twin-based computer network data security protection method can be found in [reference needed]. Figure 1 The specific details of the computer network data security protection system based on digital twins in the corresponding embodiments will not be repeated here.

[0086] Those skilled in the art will understand that all or part of the steps in the various methods of the above embodiments can be performed by instructions, or by instructions controlling related hardware. These instructions can be stored in a computer-readable storage medium and loaded and executed by a processor.

[0087] Therefore, this application provides a computer-readable storage medium storing a plurality of instructions that can be loaded by a processor to execute the present application. Figure 3 The steps of the computer network data security protection method based on digital twins in the corresponding embodiments can be referred to as follows for specific operations. Figure 3 The description of the computer network data security protection method based on digital twins in the corresponding embodiments will not be repeated here.

[0088] The computer-readable storage medium may include: read-only memory (ROM), random access memory (RAM), disk or optical disk, etc.

[0089] Because of the instructions stored in the computer-readable storage medium, the present application can be executed as described above. Figure 3 The steps of the computer network data security protection method based on digital twins in the corresponding embodiments can therefore achieve the results of this application. Figure 3 The beneficial effects that the digital twin-based computer network data security protection method can achieve in the corresponding embodiments are detailed in the preceding description and will not be repeated here.

[0090] The foregoing has provided a detailed description of the computer network data security protection system, method, and computer-readable storage medium based on digital twins provided in this application. Specific examples have been used to illustrate the principles and implementation methods of this application. The descriptions of the embodiments above are only for the purpose of helping to understand the core ideas of this application; furthermore, those skilled in the art will recognize that, based on the ideas of this application, there will be changes in the specific implementation methods and application scope. Therefore, the content of this specification should not be construed as a limitation of this application.

Claims

1. A computer network data security protection system based on digital twins, characterized in that, The system includes: Multi-source, non-sensory acquisition layer collects network data from the deployed network environment; The data security preprocessing layer performs preprocessing and fusion operations on the network data to obtain a standardized analysis dataset. The digital twin simulation layer updates the network state of the network environment model pre-built using the digital twin method based on the standardized analysis dataset. Then, it performs attack and defense scenario simulation and protection strategy pre-verification based on the network environment model to obtain simulation verification results containing effective strategies and simulation data. The AI ​​intelligent analysis layer calls the AI ​​detection model to analyze the corresponding known network threats, potential network threats and attack chains based on the inference and verification results, and obtains decision references. The intelligent decision response layer matches the decision reference with the handling strategy to advance the decision response process and collect response processing records. The immune memory evolution layer uses federated learning to combine the response processing records to perform autonomous model iteration, and synchronizes the updated content to the AI ​​intelligent analysis layer and the intelligent decision response layer for continuous evolution.

2. The system according to claim 1, characterized in that, The following configuration details are involved in the process of the multi-source non-sensory acquisition layer acquiring network data from the deployed network environment: In a non-intrusive design, network traffic data is collected through optical mirroring probes deployed at network egress points or core switches, log and asset information is collected through edge collection nodes connected to various business systems, and terminal behavior data is collected through terminal intelligent agents deployed at terminal devices.

3. The system according to claim 1, characterized in that, During the process of the data security preprocessing layer performing the preprocessing operation and the fusion operation on the network data, the following configuration content is involved: After decrypting, cleaning, and dynamically desensitizing the network data, multi-source data association and fusion are carried out. In the process of multi-source data association and fusion, the data is identified by the universal unique identifier of the terminal, the five-tuple information of the traffic, and the unique identifier of the asset.

4. The system according to claim 1, characterized in that, For the digital twin simulation layer, the network state of the network environment model is specifically implemented by the digital twin engine updating the network virtual image based on the standardized analysis dataset. If there is a model update or a new protection strategy that needs to be implemented, the attack and defense scenario is simulated through the network virtual image, and the protection effect and business impact of the new protection strategy are verified through the policy effectiveness verifier.

5. The system according to claim 1, characterized in that, The AI ​​intelligent analysis layer involves the following configuration when it calls the AI ​​detection model to analyze the corresponding known network threats, potential network threats, and attack chains based on the inference and verification results: Based on the aforementioned inference and verification results, the security big model configured by the big language model combines feature matching and semantic analysis to detect the known threats. The detection module, configured by a Bayesian deep learning network, detects the unknown threat based on the inference and verification results and by learning a baseline of normal business behavior. Based on the simulation and verification results, the threat chain analyzer configured by the graph neural network reconstructs the attack source, propagation path and attack target of the attack chain. After obtaining the processing results from the three aspects, the risk classification result with confidence level is further confirmed by the multi-source evidence cross-number method, which serves as the final decision reference output.

6. The system according to claim 5, characterized in that, The corresponding attack chain is restored and processed, and the network link impact caused by temporary operations by maintenance personnel is captured by combining work order information.

7. The system according to claim 1, characterized in that, The intelligent decision response layer matches the decision reference with the handling strategy to advance the decision response process, involving the following configuration: Based on the risk classification results with confidence levels, which serve as a reference for the decision-making process, the dynamic strategy engine determines the target handling strategy and triggers an automatic handling script to perform the corresponding decision response processing when different preset handling strategies are adapted to different risk levels. For high-risk levels, the corresponding decision-making and response processes will be executed automatically, including blocking suspicious IPs, freezing abnormal processes, or initiating data backup. For medium-risk and low-risk levels, the corresponding decision response process will be implemented after manual collaborative review.

8. The system according to claim 1, characterized in that, The immune memory evolution layer involves the following configuration during the autonomous model iteration process through federated learning and response processing records: Based on the local immune memory bank, which records and stores the full information of this threat, including attack characteristics, attack routes, handling methods, risk scores, and source tracing results, the federated learning model iteration module combines the memory bank data of the local immune memory bank and other immune memory banks of cross-domain cooperative nodes to perform incremental iterations of the AI ​​detection model and the handling strategy under the constraint of protecting data privacy.

9. A method for protecting computer network data security based on digital twins, characterized in that, The method includes: Network data from the deployed network environment is collected through a multi-source, non-sensory acquisition layer. The network data is preprocessed and fused using a data security preprocessing layer to obtain a standardized analysis dataset. After updating the network state of the network environment model pre-built using the digital twin method based on the standardized analysis dataset through the digital twin simulation layer, attack and defense scenario simulation and protection strategy pre-verification are performed based on the network environment model to obtain simulation verification results containing effective strategies and simulation data. The AI ​​intelligent analysis layer calls the AI ​​detection model to analyze the corresponding known network threats, potential network threats and attack chains based on the inference and verification results, and obtains decision references. The intelligent decision response layer matches the decision reference with the handling strategy to advance the decision response process and collect response processing records. The immune memory evolution layer uses federated learning combined with the response processing records to perform autonomous model iteration, and synchronizes the updated content to the AI ​​intelligent analysis layer and the intelligent decision response layer for continuous evolution.

10. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores a plurality of instructions adapted for loading by a processor to execute the method described in claim 9.