A computer network information security monitoring method
By integrating multi-source data and multi-model collaborative threat identification, and combining SDN with dynamic defense strategies for endpoint agents, the problems of missed detections and excessive resource consumption in existing technologies have been solved. This has enabled accurate identification, rapid response, and differentiated defense, thereby improving the overall effectiveness of network security.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Application (China)
- Current Assignee / Owner
- CHONGQING COLLEGE OF ELECTRONICS ENG
- Filing Date
- 2026-02-04
- Publication Date
- 2026-06-16
AI Technical Summary
Existing technologies are insufficient for multi-dimensional threat perception, dynamic policy adaptation, and rapid response, resulting in high failure rates in network attack identification, defense failures, and excessive resource consumption, failing to meet the diverse needs of network security.
By integrating multi-source data for perception, multi-model collaborative threat identification, dynamic policy generation, and end-to-end tracing, a closed-loop monitoring system is constructed to achieve accurate identification, rapid response, and differentiated defense. Combined with SDN and endpoint agents, defense operations are executed collaboratively, tracing reports are generated, and defense strategies are optimized.
It enables accurate identification and rapid response to network threats, reduces attack recurrence rates, balances monitoring accuracy with resource consumption, and ensures network security and business efficiency.
Abstract figure: CN122226318A_ABST (image not reproduced)
Description
Technical Field
[0001] This invention relates to the field of computer network security technology, specifically to a computer network information security monitoring method that integrates multi-dimensional threat perception, dynamic policy adaptation, and intelligent response. It is applicable to security protection in various scenarios such as enterprise intranets, cloud computing networks, and industrial control networks, and can realize real-time identification of network attacks, risk tracing, and proactive defense, ensuring the security of network data transmission and storage.
Background Technology
[0002] With the rapid development of computer network technology, network attack methods are becoming more diversified, covert, and intelligent. Traditional network security monitoring methods are no longer sufficient to cope with complex threats, for the following reasons:
1. One-sided threat perception: they rely heavily on single-dimensional monitoring such as traffic analysis and virus scanning and cannot integrate multi-source information such as endpoint behavior, network traffic, data interaction and user operations, resulting in a high rate of missed detection of hidden threats such as APT attacks and zero-day vulnerabilities;
2. Poor policy adaptability: fixed security policies such as static firewall rules and unified access control cannot be adjusted dynamically to changes in network topology or the evolution of attack types, so the probability of defense failure against unknown attacks is high;
3. Delayed response mechanism: after an attack is identified, manual intervention is required to formulate a response plan; the average response time is more than 30 minutes, which cannot stop the spread of the attack in time and results in data leakage or system paralysis;
4. Difficulty in tracing the source of risks: the entire attack path cannot be traced; only the attack entry point can be located, not the propagation process and the affected devices, so subsequent protection optimization lacks data support;
5. Excessive resource consumption: full-traffic deep inspection pushes network bandwidth and computing resource utilization above 30%, increasing latency for normal business data transmission.
[0003] In addition, while existing technologies have introduced AI algorithms to improve threat identification capabilities, they have not formed a closed-loop monitoring system of perception-analysis-decision-response-tracing, and have not been adapted to the security needs of different network scenarios, thus failing to balance monitoring accuracy, response speed and resource consumption.
[0004] Therefore, there is an urgent need for a network information security monitoring method that integrates multiple dimensions, adapts dynamically, and responds efficiently to address the aforementioned core pain points.
Summary of the Invention
[0005] To address the shortcomings of existing technologies, the present invention aims to provide a computer network information security monitoring method. Through a closed-loop design that integrates multi-source data fusion sensing, dynamic policy intelligent generation, real-time attack chain blocking, and full-link risk tracing, it achieves accurate identification, rapid response, and in-depth tracing of network threats. At the same time, it adapts to the security needs of different network scenarios to balance monitoring accuracy and resource consumption, thus solving various defects of existing methods.
[0006] To achieve the above objectives, the technical solution adopted by the present invention is as follows. In a first aspect, this invention proposes a method for monitoring computer network information security, which includes the following steps:
Step 1: Deploy sensing nodes, collect end-to-end security data, and extract multimodal features after preprocessing;
Step 2: Based on the multimodal features, perform multi-model collaborative threat identification to accurately identify known and unknown threats;
Step 3: Generate differentiated defense strategies based on risk level and network scenario type, and execute defense operations in collaboration with SDN and terminal agents;
Step 4: Construct an attack propagation graph, reconstruct the attack chain, identify attack attributes, and generate a source tracing report;
Step 5: Evaluate the defense effectiveness based on the source tracing report and continuously optimize the detection model and defense strategy.
[0007] Furthermore, the multi-source data mentioned in step 1 includes: terminal process behavior data, registry change data, and system call log data collected by the terminal sensing node; network traffic data and protocol parsing results collected by the network sensing node; and data interaction log data, user operation behavior, and sensitive data call records collected by the application sensing node.
[0008] Furthermore, the preprocessing and multimodal feature extraction in step 1 includes: establishing a unified data access interface that performs multi-dimensional identity verification before accepting the collected multi-source data; aligning the multi-source data with a timestamp-based data alignment method; deduplicating with Bloom filters, reducing noise with Kalman filters, desensitizing the data, and standardizing the desensitized data; and extracting multidimensional features from the standardized data with a deep residual network model to form the multimodal features.
[0009] Furthermore, step 2, which involves multi-model collaborative threat identification and threat intelligence linkage based on the multi-modal features to accurately identify known and unknown threats, includes: Based on the aforementioned multimodal features, a lightweight model is used to identify known threats, a deep learning model is used to identify unknown threats, and a voting mechanism is used to fuse the identification results of the two models.
[0010] Furthermore, step 3, which involves generating differentiated defense strategies based on risk levels and network scenario types, and executing defense operations collaboratively through SDN and terminal agents, includes: Risk values are calculated based on threat type, attack intensity, and scope of impact, and risk levels are determined based on these risk values. Based on risk level and network scenario, a rule-based reasoning engine is used to generate differentiated defense strategies; The SDN controller and the terminal agent work together to perform defense operations, which include traffic blocking, terminal cleanup, and permission freezing.
[0011] Furthermore, step 4, which involves constructing an attack propagation graph, reconstructing the attack chain, identifying attack attributes, and generating a source tracing report, includes: Based on the timestamps and correlations of multi-source data, a graph neural network is used to construct an attack propagation graph. Identify attack attributes by combining threat intelligence with attack signatures; Based on the attack propagation graph and attack attribute identification results, a source tracing report containing a visualized map and defense recommendations is generated.
[0012] Furthermore, step 5, which involves evaluating the defense effectiveness based on the source tracing report and continuously optimizing the detection model and defense strategy, includes: Establish a defense effectiveness evaluation index system; Based on the source tracing report, the defense effectiveness is evaluated using a defense effectiveness evaluation index system; The defense strategy is dynamically optimized based on the evaluation results of the defense effectiveness, and the resource utilization rate is adjusted accordingly.
[0013] In a second aspect, the present invention proposes a computer network information security monitoring system for implementing the method described in the first aspect, comprising: The data acquisition and processing module is used to deploy sensing nodes, collect end-to-end security data, and extract multimodal features after preprocessing. The threat identification module is used to perform multi-model collaborative threat identification based on the multimodal features, and to accurately identify known and unknown threats; The defense strategy generation and execution module generates differentiated defense strategies based on risk level and network scenario type, and executes defense operations in collaboration with SDN and terminal agents. The end-to-end source tracing module is used to construct attack propagation graphs, reconstruct attack chains, identify attack attributes, and generate source tracing reports. The strategy dynamic optimization module is used to evaluate the defense effectiveness based on the source tracing report and continuously optimize the detection model and defense strategy.
[0014] Thirdly, the present invention provides a computer device comprising a memory and a processor, the memory for storing a computer program, and the processor for calling and running the computer program from the memory, such that the computer device performs the method as described in the first aspect.
[0015] Fourthly, the present invention provides a computer-readable storage medium storing instructions or code that, when executed on a computer, cause the computer to perform the method described in the first aspect.
[0016] The significant effects of this invention are:
Precise and efficient threat identification: multi-model collaborative identification effectively improves the accuracy of known threat identification compared to traditional methods;
Fast and flexible defense response: adaptive defense strategies are generated quickly, attack blocking latency is lower, and the average response time is shorter;
Comprehensive source tracing capabilities: full-chain attack source tracing can locate the attacking organization and intent, providing precise support for protection optimization and effectively reducing the recurrence rate of subsequent attacks;
Low resource consumption: by adjusting the resource utilization rates of low-risk and high-risk scenarios, the latency of normal business data transmission is reduced, effectively balancing protection effectiveness and business efficiency.
Attached Figure Description
[0017] Figure 1 is a flowchart of the method of the present invention; Figure 2 is a schematic diagram of the system described in this invention; Figure 3 is a schematic diagram of the structure of the device described in this invention.
Detailed Implementation
[0018] The specific embodiments and working principles of the present invention will be further described in detail below with reference to the accompanying drawings.
[0019] Example 1: As shown in Figure 1, this embodiment of the invention provides a computer network information security monitoring method, the specific steps of which are as follows:
Step 1: Deploy sensing nodes, collect end-to-end security data, and extract multimodal features after preprocessing. In some specific implementations, the process of deploying sensing nodes, collecting end-to-end security data, and extracting multimodal features after preprocessing, described in this step, is as follows:
Step 1.1: Deploy three types of sensing nodes (network, terminal, and application) and collect full-link security data such as traffic data, process behavior, and data interaction logs at the network layer, terminal layer, and application layer, respectively. It should be noted that the data collected by the terminal sensing node includes terminal process behavior data, registry change data, and system call log data; the data collected by the network sensing node includes network traffic data and protocol parsing results, such as TCP / UDP packets, port connection logs, traffic peaks, and abnormal protocol types, with DPDK technology used to accelerate data collection; and the data collected by the application sensing node includes data interaction log data, user operation behavior, and sensitive data call records.
[0020] Step 1.2: Establish a unified data access interface, and access the collected multi-source data after performing multi-dimensional identity verification; In this embodiment, the multi-dimensional identity verification process is as follows: First, construct a three-dimensional authentication system based on terminal hardware fingerprints, user biometrics, and device security status; It should be noted that the terminal hardware fingerprint is a hash value of an irreversible device fingerprint generated based on the CPU serial number, motherboard MAC address, and hard drive unique identifier; The user's biometric features include the user's fingerprints, face, voiceprint, and other biometric characteristics. The device security status is generated by detecting whether the terminal device has installed malicious software, whether the system patches have been updated, whether the firewall is enabled, etc. A security status score of not less than 80 points (out of 100) is required for access. Then, based on the three-dimensional authentication system, a two-factor authentication mechanism is used for identity verification. At least two of the verifications must be passed to pass the multi-dimensional identity verification.
[0021] This embodiment effectively reduces the success rate of unauthorized access through multi-dimensional trusted authentication, thereby helping to improve the security and reliability of the subsequently generated defense strategies.
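The access check of step 1.2 (hardware fingerprint, biometric, device security status; at least two of three must pass; status score not less than 80) as an added illustration in Python, not the patent's code. Assumptions: the fingerprint is SHA-256 over the three hardware identifiers, the status-score penalties for the three checks named on the page are chosen here, biometrics are modelled as an enrolled-template comparison, and all sample values are constructed.

```python
"""Three-factor access check of step 1.2 (illustration, not the patent's code)."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceStatus:
    malware_found: bool        # page: whether malicious software is installed
    patches_current: bool      # page: whether system patches have been updated
    firewall_enabled: bool     # page: whether the firewall is enabled


def device_fingerprint(cpu_serial: str, mac: str, disk_id: str) -> str:
    """Irreversible hardware fingerprint from CPU serial, MAC address and disk id.

    Assumption: SHA-256 over the normalized, '|'-joined identifiers (the page
    only says 'hash value of an irreversible device fingerprint').
    """
    parts = (cpu_serial.strip().upper(), mac.strip().upper(), disk_id.strip().upper())
    return hashlib.sha256("|".join(parts).encode()).hexdigest()


def security_status_score(status: DeviceStatus) -> int:
    """0..100 device security status; the penalties are assumptions, the page
    only fixes the pass mark (>= 80)."""
    score = 100
    if status.malware_found:
        score -= 60
    if not status.patches_current:
        score -= 25
    if not status.firewall_enabled:
        score -= 15
    return max(score, 0)


ACCESS_SCORE_MIN = 80    # page: security status score of not less than 80 out of 100
FACTORS_REQUIRED = 2     # page: at least two of the three verifications must pass


def verify_access(enrolled_fp: str, presented_fp: str,
                  enrolled_bio: str, presented_bio: str,
                  status: DeviceStatus) -> tuple[bool, dict]:
    """Return (granted, per-check results) for the 2-of-3 rule.

    Note the consequence of the rule as stated: a device that fails the status
    check (for example, malware found) is still admitted if fingerprint and
    biometric both match, so the status check alone does not gate access.
    """
    checks = {
        "hardware_fingerprint": hmac.compare_digest(enrolled_fp, presented_fp),
        "biometric": hmac.compare_digest(enrolled_bio, presented_bio),
        "device_security_status": security_status_score(status) >= ACCESS_SCORE_MIN,
    }
    return sum(checks.values()) >= FACTORS_REQUIRED, checks


if __name__ == "__main__":
    # Constructed sample identifiers (not real devices).
    fp = device_fingerprint("CPU-0001", "00:11:22:33:44:55", "DISK-9A7F")
    bio = hashlib.sha256(b"enrolled-biometric-template").hexdigest()
    ok, detail = verify_access(fp, fp, bio, "wrong-template",
                               DeviceStatus(False, True, True))
    print(ok, detail)  # fingerprint + status pass -> granted
```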
[0022] Step 1.3: Use a timestamp-based data alignment method to align the multi-source data;
Step 1.4: Use a Bloom filter for deduplication and a Kalman filter for noise reduction, and anonymize the data;
Step 1.5: Standardize the anonymized data according to "timestamp (milliseconds) - device ID - data type - security level";
Step 1.6: Use a deep residual network model to extract multidimensional features from the standardized data to form multimodal features.
[0023] The ResNet-18 deep residual network model described in this example outputs a 256-dimensional fused feature vector, thereby forming multimodal features.
[0024] This embodiment uses a deep residual network to ensure the depth and stability of feature extraction, which can significantly improve the discriminative ability of feature representation, thereby contributing to the accuracy of subsequent threat identification.
[0025] Step 2: Based on the multimodal features, perform multi-model collaborative threat identification to accurately identify known and unknown threats. In some specific implementations, the process of achieving accurate identification of known and unknown threats through multi-model collaborative threat identification and threat intelligence linkage is as follows:
Step 2.1: Input the multimodal features into a decision tree or other lightweight model, pre-trained on data from the local threat intelligence database, to identify known threats;
Step 2.2: Input the multimodal features into a pre-trained YOLOv8 deep learning model to identify unknown threats; this model captures covert attack patterns through temporal correlation analysis;
Step 2.3: Connect to the global threat intelligence platform MITRE ATT&CK to update attack characteristics and tactical tags in real time, and train the two models mentioned above to improve their ability to identify network attacks;
Step 2.4: Use a weighted voting mechanism to fuse the identification results of the two models.
[0026] This embodiment uses different models to identify known and unknown threats, which not only effectively improves the accuracy of the identification results, but also allows for the rational allocation of resources.
[0027] Step 3: Generate differentiated defense strategies based on risk level and network scenario type, and execute defense operations in collaboration with SDN and terminal agents. In some specific implementations, the process of generating differentiated defense strategies based on risk level and network scenario type, and then collaboratively executing defense operations through SDN and terminal agents, as described in this step, is as follows:
Step 3.1: Calculate the risk value based on the threat type, attack intensity, and scope of impact, and determine the risk level from the risk value. The calculation formula is R = α·T + β·S + γ·I, where T represents the threat type (known threat 0.3, unknown threat 0.7, APT attack 1.0); S represents the attack intensity (quantified by attack frequency and packet volume, ranging from 0 to 1); I represents the scope of impact (single terminal 0.1, local network 0.5, entire network 1.0); and α=0.4, β=0.3, γ=0.3 are weighting coefficients. The risk value R is classified as low risk (R<0.3), medium risk (0.3≤R<0.6), or high risk (R≥0.6).
[0028] Step 3.2: Based on risk level and network scenario, generate differentiated defense strategies using a rule-based reasoning engine. In practical implementation, the network scenarios can be enterprise intranets, cloud computing platforms, or the industrial internet, and the differentiated defense strategies for these scenarios are as follows:
Enterprise intranet (focusing on data security): when the risk is low, update the virus database; when the risk is medium, block attacking IPs and restrict access to sensitive data; when the risk is high, isolate the attacked terminal and start data backup.
Cloud computing platform (focusing on elastic defense): when the risk is low, enable elastic bandwidth allocation; when the risk is medium, dynamically adjust security group rules and expand protection nodes; when the risk is high, trigger cloud resource migration and close abnormal ports.
Industrial internet (focusing on availability): when the risk is low, strengthen protocol verification; when the risk is medium, isolate attack links while retaining production data transmission; when the risk is high, switch to backup links and suspend non-core business.
The strategy generation uses a rule reasoning engine based on the Prolog language.
[0029] Step 3.3: The SDN (Software-Defined Networking) controller and the terminal agent work together to perform the defense operations, as follows:
Network layer: flow tables are distributed through the SDN controller to block attacking IPs / ports and divert abnormal traffic to a sandbox for analysis;
Terminal layer: the terminal agent closes abnormal processes, deletes malicious files, and fixes system vulnerabilities;
Application layer: malicious API calls are intercepted, illegal transmission of sensitive data is terminated, and abnormal accounts are frozen.
It should be noted that the defense strategy described in this embodiment also supports manual intervention: the administrator can adjust the defense strategy through a visual interface.
[0030] Step 4: Construct an attack propagation graph, reconstruct the attack chain, identify attack attributes, and generate a source tracing report. In some specific implementations, the specific steps for constructing an attack propagation graph, reconstructing the attack chain, identifying attack attributes, and generating a source tracing report are as follows:
Step 4.1: Based on the timestamps and correlations of the multi-source data, a graph neural network is used to construct an attack propagation graph that reconstructs the entire chain of attack entry, lateral movement, and target penetration. In the attack propagation graph, nodes represent network devices such as terminals, switches, and servers, as well as attack targets such as data, applications, and ports; edges represent data interaction relationships and attack propagation paths, and are labelled with attack methods, time intervals, and vulnerability types. An example of a fully reconstructed attack chain is: attack entry point (such as a terminal logged in with a weak password) → lateral movement (such as spreading through remote desktop protocols) → target penetration (such as database intrusion).
[0031] Step 4.2: Combining threat intelligence and attack characteristics, identify attack attributes such as attack source, organization, and intent, matching MITRE ATT&CK tactical tags in the process. For example, the attack attributes are as follows: Source of the attack: locate the region of the attacking IP address, the ISP, and clues such as the characteristics of the attack tools and the dark web attack links related to ransomware families; Attack groups: match MITRE ATT&CK tactical tags to identify attack group types such as hacker gangs and APT groups; Attack intent: based on the attack targets, such as core business data or industrial control systems, determine the attack intent (data theft, system destruction, extortion).
[0032] Step 4.3: Based on the attack propagation graph and attack attribute identification results, generate a source tracing report that includes a visual map of the attack chain, attack attribute details, impact scope assessment, and defense recommendations.
[0033] Step 5: Evaluate the defense effectiveness based on the source tracing report, and continuously optimize the detection model and defense strategy. Specifically:
Step 5.1: Establish a multi-dimensional defense effectiveness evaluation index system, which includes threat interception rate, response time, resource utilization rate, and business impact, and set an evaluation threshold for each index. The process of establishing the index system is as follows: core defense indicators and auxiliary support indicators are selected to form a comprehensive evaluation system, and the Analytic Hierarchy Process (AHP) is used to determine the indicator weights so as to avoid the one-sidedness of a single indicator.
Core defense indicators (70% weighting): threat interception rate (0.3), attack miss rate (0.2), attack response time (0.15), and vulnerability remediation success rate (0.05), directly reflecting core defense capabilities;
Auxiliary support indicators (30% weighting): business impact (0.15), resource utilization (0.1), and strategy misjudgment rate (0.05), balancing defense effectiveness and business continuity.
Each indicator has a set quantitative threshold, such as threat interception rate ≥90%, attack response time ≤1 minute, and resource utilization rate ≤25%.
[0034] Step 5.2: Based on the source tracing report, evaluate the defense effectiveness using the defense effectiveness evaluation index system. The defense effectiveness score is computed by weighted summation: for each of the n indicators, the weight of the i-th indicator is multiplied by its indicator value, and the products are summed. A score ≥85 is considered excellent, 60-84 is considered satisfactory, and <60 is considered unsatisfactory.
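The weighted effectiveness score of step 5.2 with the AHP weights, thresholds and rating bands of step 5.1, plus the threshold-driven problem list of step 5.3, as an added Python example (not the patent's code). Assumptions: an indicator scores 100 when it meets its threshold and falls in proportion to the shortfall (the page gives no normalization), and the thresholds the page omits (attack miss rate, remediation success, business impact, misjudgment rate) are placeholders marked below.

```python
"""Defense effectiveness score, rating, and problem list (illustration only)."""

# name: (AHP weight from the page, threshold, higher_is_better)
INDICATORS = {
    "threat_interception_rate":      (0.30, 90.0, True),   # page: >= 90%
    "attack_miss_rate":              (0.20, 10.0, False),  # threshold assumed (%)
    "attack_response_time_min":      (0.15, 1.0,  False),  # page: <= 1 minute
    "vuln_remediation_success_rate": (0.05, 90.0, True),   # threshold assumed (%)
    "business_impact_pct":           (0.15, 5.0,  False),  # threshold assumed (%)
    "resource_utilization_pct":      (0.10, 25.0, False),  # page: <= 25%
    "strategy_misjudgment_rate":     (0.05, 5.0,  False),  # threshold assumed (%)
}
assert abs(sum(w for w, _, _ in INDICATORS.values()) - 1.0) < 1e-9  # 70% core + 30% auxiliary

# Optimization directions from step 5.3 for the indicators the page discusses.
PROBLEM_RULES = {
    "threat_interception_rate": "incomplete coverage of defense rules: extend the attack "
                                "signature database and optimize firewall rules",
    "attack_response_time_min": "redundancy in the policy execution chain: simplify the "
                                "response process and prioritize defense operations",
    "strategy_misjudgment_rate": "insufficient rule matching accuracy: refine rule conditions "
                                 "and introduce AI models to optimize matching",
}


def normalize(name: str, value: float) -> float:
    """Indicator value -> 0..100 score (assumed mapping: 100 at threshold, linear shortfall)."""
    _, threshold, higher_is_better = INDICATORS[name]
    if value < 0:
        raise ValueError(f"{name}: negative value")
    if higher_is_better:
        return 100.0 * min(value / threshold, 1.0)
    return 100.0 if value <= threshold else 100.0 * threshold / value


def effectiveness_score(raw: dict) -> float:
    """Weighted sum over the n indicators: sum_i weight_i * score_i."""
    missing = set(INDICATORS) - set(raw)
    if missing:
        raise KeyError(f"missing indicators: {sorted(missing)}")
    total = sum(w * normalize(name, raw[name]) for name, (w, _, _) in INDICATORS.items())
    return round(total, 2)


def rating(score: float) -> str:
    """Page bands: >=85 excellent, 60-84 satisfactory, <60 unsatisfactory."""
    if score >= 85:
        return "excellent"
    if score >= 60:
        return "satisfactory"
    return "unsatisfactory"


def problem_list(raw: dict) -> list:
    """Indicators that breach their threshold, paired with the page's optimization direction."""
    problems = []
    for name, (_, threshold, higher_is_better) in INDICATORS.items():
        breached = raw[name] < threshold if higher_is_better else raw[name] > threshold
        if breached:
            problems.append((name, PROBLEM_RULES.get(name, "threshold breached: review indicator")))
    return problems


if __name__ == "__main__":
    # Constructed evaluation-period metrics; three indicators breach their thresholds.
    period = {
        "threat_interception_rate": 72.0, "attack_miss_rate": 10.0,
        "attack_response_time_min": 2.0, "vuln_remediation_success_rate": 90.0,
        "business_impact_pct": 5.0, "resource_utilization_pct": 25.0,
        "strategy_misjudgment_rate": 10.0,
    }
    s = effectiveness_score(period)
    print(s, rating(s), problem_list(period))
```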
[0035] Step 5.3: Dynamically optimize the defense strategy based on the defense effectiveness evaluation results and adjust the resource utilization rate. In this example, the specific steps for dynamically optimizing the defense strategy based on the evaluation results are as follows:
First, compare the overall score with the indicator thresholds to identify optimization directions and create a problem list: if the threat interception rate is lower than the threshold, the problem is incomplete coverage of defense rules, requiring additions to the attack signature database and optimization of firewall rules; if the attack response time is too long, the problem is redundancy in the policy execution chain, requiring simplification of the response process and prioritization of defense operations; if the policy misjudgment rate is too high, the problem is insufficient rule matching accuracy, requiring refinement of rule conditions and the introduction of AI models to optimize the matching algorithm.
Then, a dual-drive optimization architecture consisting of a rule-based inference engine and a reinforcement learning model is constructed to adapt to different network scenarios, wherein:
Rule reasoning engine: based on the Prolog language, a policy optimization rule base is built that directly outputs optimization solutions for specific problems. For example, when "port scanning attacks have a high failure rate," a firewall rule is automatically added that "blocks access to ≥20 uncommon ports by a single IP within 1 minute."
Reinforcement learning model: for complex and unknown problems such as poor APT attack defense, the reward function is "maximize the comprehensive evaluation score", and strategy parameters such as the threat intelligence update frequency and the abnormal traffic detection threshold are iteratively optimized.
Scenario-specific adaptation: enterprise intranets focus on optimizing sensitive data protection strategies, cloud computing platforms focus on adjusting elastic security group rules, and the industrial internet focuses on strengthening protocol verification strategies.
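The firewall rule the rule engine emits in step 5.3 ("block access to ≥20 uncommon ports by a single IP within 1 minute"), written as a sliding-window detector over connection-log lines; this is an added Python example, not the patent's code. Assumptions: the log line format and all addresses are constructed, and "uncommon" means any destination port outside the COMMON_PORTS set below, which the page does not define.

```python
"""Sliding-window port-scan rule: >= 20 distinct uncommon ports per source IP within 1 minute."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

COMMON_PORTS = {22, 25, 53, 80, 110, 143, 443, 993, 995, 3389}  # assumed "common" set
PORT_THRESHOLD = 20              # page: >= 20 uncommon ports ...
WINDOW = timedelta(minutes=1)    # page: ... within 1 minute

SAMPLE_BASE = datetime(2026, 2, 4, 10, 0, 0, tzinfo=timezone.utc)  # constructed


def _fmt(ts: datetime) -> str:
    return ts.isoformat().replace("+00:00", "Z")


def build_sample_log() -> list:
    """Constructed connection log: 'ISO8601 src=IP dst=IP dport=N', sorted by time."""
    lines = []
    for i in range(25):   # fast scanner: 25 uncommon ports in 25 seconds
        lines.append(f"{_fmt(SAMPLE_BASE + timedelta(seconds=i))} src=10.0.0.5 dst=10.0.0.20 dport={1024 + i}")
    for i in range(25):   # slow scanner: one uncommon port every 10 s, never 20 within 60 s
        lines.append(f"{_fmt(SAMPLE_BASE + timedelta(seconds=10 * i))} src=10.0.0.7 dst=10.0.0.20 dport={2000 + i}")
    for i in range(30):   # normal host: common ports only
        port = (80, 443, 53)[i % 3]
        lines.append(f"{_fmt(SAMPLE_BASE + timedelta(seconds=2 * i))} src=10.0.0.9 dst=10.0.0.20 dport={port}")
    return sorted(lines)


def parse_line(line: str):
    """Return (timestamp, src_ip, dport) for one log line; raise ValueError if malformed."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    return ts, kv["src"], int(kv["dport"])


def detect_port_scans(lines) -> dict:
    """Return {src_ip: timestamp at which the rule first fired} for the given log lines."""
    history = defaultdict(deque)   # src -> deque of (ts, port), oldest first
    blocked = {}
    for line in lines:
        ts, src, port = parse_line(line)
        if port in COMMON_PORTS or src in blocked:
            continue
        q = history[src]
        q.append((ts, port))
        while q and ts - q[0][0] > WINDOW:   # drop hits older than the 1-minute window
            q.popleft()
        if len({p for _, p in q}) >= PORT_THRESHOLD:   # distinct ports, not hit count
            blocked[src] = ts
    return blocked


if __name__ == "__main__":
    for src, when in detect_port_scans(build_sample_log()).items():
        print(f"block {src} (rule fired at {_fmt(when)})")
```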
[0036] Finally, the optimized defense strategy was first verified in the test environment. The defense effect was tested by simulating attack scenarios to ensure that the overall score improved by ≥10% without affecting new business. After verification, a gray-scale deployment was adopted, initially covering 10% of network devices. After running for 24 hours without any abnormalities, the full deployment was gradually carried out to avoid system instability caused by sudden changes in the strategy.
[0037] In this example, the specific process for adjusting resource utilization is as follows: First, based on network scenarios and service priorities, a dynamic resource utilization baseline is established, divided into three levels of resource allocation standards: High-priority services (such as core databases and industrial control nodes): resource usage capped at 30% during high-risk periods and 10% during low-risk periods; Medium-priority services (such as ordinary office terminals and enterprise intranet servers): resource usage capped at 25% during high-risk periods and 15% during low-risk periods; Low-priority services (such as guest networks and backup servers): resource usage capped at 20% during high-risk periods and 20% during low-risk periods.
[0038] Then, based on the optimization results of the defense strategy and the real-time risk level, resource allocation is adjusted collaboratively by the SDN controller and the resource management platform: High-risk scenarios (assessment score < 60 points): Prioritize defense resources, increase CPU and bandwidth quotas for security protection nodes, initiate full-dimensional threat detection, and limit the use of non-core business resources to ensure attack interception capabilities; Medium-risk scenario (assessment score 60-84): Maintain core defense resources, disable redundant detection modules, and release some computing resources for business use; Low-risk scenarios (assessment score ≥ 85): Reduce the sampling frequency of perception nodes, turn off the deep learning detection model, retain only the lightweight defense module, and keep the resource utilization rate within 10% to maximize the efficiency of business operation.
[0039] It should be noted that this embodiment also deploys an effect monitoring module to track changes in defense indicators and resource utilization in real time after optimization, compare data before and after optimization, and ensure that the improvement of core indicators meets preset standards; at the same time, a dual mechanism of regular iteration and emergency iteration is established, and a comprehensive evaluation and strategy optimization are carried out once a month under normal circumstances; when a major attack event (such as a ransomware outbreak) occurs and the evaluation score drops sharply to <60 points, emergency optimization is triggered within 48 hours to ensure that the defense system can quickly adapt to sudden threats.
[0040] Example 2: As shown in Figure 2, this embodiment of the invention provides a computer network information security monitoring system, including: a data acquisition and processing module, used to deploy sensing nodes, collect end-to-end security data, and extract multimodal features after preprocessing; a threat identification module, used to perform multi-model collaborative threat identification based on the multimodal features and to accurately identify known and unknown threats; a defense strategy generation and execution module, which generates differentiated defense strategies based on risk level and network scenario type and executes defense operations in collaboration with SDN and terminal agents; an end-to-end source tracing module, used to construct attack propagation graphs, reconstruct attack chains, identify attack attributes, and generate source tracing reports; and a strategy dynamic optimization module, used to evaluate the defense effectiveness based on the source tracing report and continuously optimize the detection model and defense strategy.
[0041] Example 3: As shown in Figure 3, an embodiment of the present invention provides a computer device, one embodiment of which includes: one or more central processing units, one or more power supplies, one or more operating systems, one or more computer programs, one or more databases, memory, one or more network interfaces, and one or more input / output interfaces.
[0042] The central processing unit is capable of executing the steps described in the aforementioned embodiment 1, which will not be repeated here.
[0043] This power supply can meet the power requirements of computer equipment for normal operation or overclocking.
[0044] The operating system may be, for example, Mac OS X™, Unix™, Linux™, etc.; when choosing an operating system, pay attention to the compatibility between the version of the code being run and the operating system.
[0045] The memory stores one or more computer programs and can be volatile or persistent storage. The program stored in the memory comprises one or more modules, each capable of executing a series of instructions on the computer device. The central processing unit (CPU) can communicate with the memory and execute the series of instructions stored in the memory on the computer device.
[0046] Finally, this embodiment of the invention also proposes a computer-readable storage medium storing instructions or code that, when executed on a computer, cause the computer to perform the method described in Embodiment 1.
[0047] Obviously, the technical solution of this application, or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product. The computer software product is stored in a readable storage medium, which includes various media that can store program code, such as a USB flash drive, a portable hard drive, a read-only memory, a random access memory, or an optical disc. It includes several instructions to cause a computer device, such as a personal computer, a server, or a network device, to execute all or part of the steps of the methods described in the various embodiments of this application.
[0048] In summary, this invention achieves accurate identification, rapid response, and in-depth tracing of network threats through a closed-loop design that integrates multi-source data fusion sensing, dynamic policy intelligent generation, real-time attack chain blocking, and full-link risk tracing. It also adapts to the security needs of different network scenarios to balance monitoring accuracy and resource consumption. It not only effectively improves the accuracy of known threat identification through multi-model collaborative recognition, but also reduces the time required to generate adaptive defense policies, minimizes attack blocking latency, and shortens the average response time. Furthermore, by tracing the entire attack chain to pinpoint the attacking organization and intent, it provides precise support for protection optimization and effectively reduces the recurrence rate of subsequent attacks. Finally, by adjusting resource utilization in low-risk and high-risk scenarios, it minimizes the latency of normal business data transmission, effectively balancing protection effectiveness and business efficiency.
[0049] The technical solution provided by this invention has been described in detail above. Specific examples have been used to illustrate the principles and implementation methods of this invention. The descriptions of the embodiments above are only for the purpose of helping to understand the method and core ideas of this invention. It should be noted that those skilled in the art can make several improvements and modifications to this invention without departing from the principles of this invention, and these improvements and modifications also fall within the protection scope of the claims of this invention.
Claims
1. A method for monitoring computer network information security, characterized in that it includes the following steps: Step 1: Deploy sensing nodes, collect end-to-end security data, and extract multimodal features after preprocessing; Step 2: Based on the multimodal features, perform multi-model collaborative threat identification to accurately identify known and unknown threats; Step 3: Generate differentiated defense strategies based on risk level and network scenario type, and execute defense operations in collaboration with SDN and terminal agents; Step 4: Construct an attack propagation graph, reconstruct the attack chain, identify attack attributes, and generate a source tracing report; Step 5: Evaluate the defense effectiveness based on the source tracing report and continuously optimize the detection model and defense strategy.
2. The computer network information security monitoring method according to claim 1, characterized in that: The multi-source data mentioned in step 1 includes: terminal process behavior data, registry change data, and system call log data collected by the terminal sensing node; network traffic data and protocol parsing results collected by the network sensing node; and data interaction log data, user operation behavior, and sensitive data call records collected by the application sensing node.
3. The computer network information security monitoring method according to claim 2, characterized in that the preprocessing and extraction of multimodal features in step 1 includes: establishing a unified data access interface that performs multi-dimensional identity verification and accesses the collected multi-source data; aligning the multi-source data with a timestamp-based data alignment method; deduplicating the aligned data with Bloom filters, reducing noise with Kalman filters, desensitizing the data, and standardizing the desensitized data; and extracting multidimensional features from the standardized data with a deep residual network model, forming the multimodal features.
4. The computer network information security monitoring method according to claim 1, characterized in that: Step 2, which involves multi-model collaborative threat identification and threat intelligence linkage based on the multi-modal features to accurately identify known and unknown threats, includes: Based on the aforementioned multimodal features, a lightweight model is used to identify known threats, a deep learning model is used to identify unknown threats, and a voting mechanism is used to fuse the identification results of the two models.
5. The computer network information security monitoring method according to claim 1, characterized in that step 3, which involves generating differentiated defense strategies based on risk level and network scenario type and executing defense operations collaboratively through SDN and terminal agents, includes: calculating risk values based on threat type, attack intensity, and scope of impact, and determining risk levels from these risk values; generating differentiated defense strategies from the risk level and network scenario using a rule-based reasoning engine; and having the SDN controller and the terminal agent work together to perform defense operations, which include traffic blocking, terminal cleanup, and permission freezing.
6. The computer network information security monitoring method according to claim 1, characterized in that step 4, which involves constructing an attack propagation graph, reconstructing the attack chain, identifying attack attributes, and generating a source tracing report, includes: constructing an attack propagation graph with a graph neural network based on the timestamps and correlations of the multi-source data; identifying attack attributes by combining threat intelligence with attack signatures; and generating, from the attack propagation graph and the attack attribute identification results, a source tracing report containing a visualized map and defense recommendations.
7. The computer network information security monitoring method according to claim 1, characterized in that step 5, which involves evaluating the defense effectiveness based on the source tracing report and continuously optimizing the detection model and defense strategy, includes: establishing a defense effectiveness evaluation index system; evaluating the defense effectiveness based on the source tracing report using that index system; and dynamically optimizing the defense strategy based on the evaluation results and adjusting the resource utilization rate accordingly.
8. A computer network information security monitoring system, used to implement the method as described in any one of claims 1-7, characterized in that it includes: a data acquisition and processing module, used to deploy sensing nodes, collect end-to-end security data, and extract multimodal features after preprocessing; a threat identification module, used to perform multi-model collaborative threat identification based on the multimodal features and to accurately identify known and unknown threats; a defense strategy generation and execution module, used to generate differentiated defense strategies based on risk level and network scenario type and to execute defense operations in collaboration with SDN and terminal agents; an end-to-end source tracing module, used to construct attack propagation graphs, reconstruct attack chains, identify attack attributes, and generate source tracing reports; and a strategy dynamic optimization module, used to evaluate the defense effectiveness based on the source tracing report and continuously optimize the detection model and defense strategy.
9. A computer device, characterized in that the computer device includes a memory and a processor, the memory for storing computer programs and the processor for calling and running the computer programs from the memory, causing the computer device to perform the method as described in any one of claims 1 to 7.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores instructions or code that, when executed on a computer, cause the computer to perform the method as described in any one of claims 1 to 7.
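The step 1 preprocessing chain of claim 3 (timestamp alignment of multi-source data, Bloom-filter deduplication, Kalman noise reduction, desensitization and standardization), as an added illustration in Python; this is not the patent's code. The three sensing-node record formats, the raw records (including one exact duplicate and one noisy CPU spike), the Bloom filter sizing, the Kalman noise parameters, the pseudonymization scheme and the target schema are all constructed assumptions; the deep residual network feature extraction that follows in the claim is not shown.

```python
"""Claim 3 preprocessing as an added illustration (not the patent's code): align
timestamps, deduplicate with a Bloom filter, smooth a numeric field with a 1-D Kalman
filter, desensitize, standardize. Node formats and records are constructed."""
import datetime as dt
import hashlib

# Constructed raw records; each sensing node reports time in its own format.
RAW = [
    ("terminal", {"ts": 1700000000, "host": "ws-01", "user": "alice", "event": "proc_start", "cpu": 12.0}),
    ("network", {"ts_ms": 1700000000500, "src": "10.0.0.5", "dst": "203.0.113.9", "event": "flow", "bytes": 4200}),
    ("app", {"time": "2023-11-14T22:13:21Z", "user": "alice", "event": "login", "ip": "10.0.0.5"}),
    ("terminal", {"ts": 1700000000, "host": "ws-01", "user": "alice", "event": "proc_start", "cpu": 12.0}),  # duplicate
    ("terminal", {"ts": 1700000001, "host": "ws-01", "user": "alice", "event": "proc_start", "cpu": 40.0}),  # noise spike
    ("terminal", {"ts": 1700000002, "host": "ws-01", "user": "alice", "event": "proc_start", "cpu": 13.0}),
]

def to_epoch_ms(node, rec):
    """Timestamp alignment: every node's clock representation onto one epoch-ms axis."""
    if node == "terminal":
        return rec["ts"] * 1000
    if node == "network":
        return rec["ts_ms"]
    t = dt.datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)
    return int(t.timestamp() * 1000)

class BloomFilter:
    """Fixed-size bit array with k hash positions; false positives possible, negatives not."""
    def __init__(self, m_bits=1024, k=3):
        self.m, self.k, self.bits = m_bits, k, bytearray(m_bits // 8)
    def _positions(self, key):
        for i in range(self.k):
            h = hashlib.sha256(f"{i}:{key}".encode()).digest()
            yield int.from_bytes(h[:4], "big") % self.m
    def seen_or_add(self, key):
        """Return True if every bit was already set (probable duplicate); set the bits either way."""
        hit = True
        for p in self._positions(key):
            byte, bit = divmod(p, 8)
            if not self.bits[byte] & (1 << bit):
                hit = False
                self.bits[byte] |= 1 << bit
        return hit

def kalman_smooth(values, q=0.01, r=4.0):
    """Constant-level 1-D Kalman filter; q = process noise, r = measurement noise (assumed)."""
    x, p, out = values[0], 1.0, []
    for z in values:
        p += q                 # predict: uncertainty grows by process noise
        k = p / (p + r)        # Kalman gain
        x += k * (z - x)       # update estimate toward the measurement
        p *= (1 - k)
        out.append(round(x, 2))
    return out

def desensitize(rec):
    """Pseudonymize user names and mask the last octet of IP addresses."""
    out = dict(rec)
    if "user" in out:
        out["user"] = "u_" + hashlib.sha256(out["user"].encode()).hexdigest()[:8]
    for f in ("src", "dst", "ip"):
        if f in out:
            out[f] = ".".join(out[f].split(".")[:3]) + ".x"
    return out

def standardize(node, rec, ts_ms):
    """Map a node-specific record onto one common schema (assumed)."""
    return {"node": node, "ts_ms": ts_ms,
            "host": rec.get("host") or rec.get("src") or rec.get("ip"),
            "subject": rec.get("user"), "event": rec["event"],
            "value": rec.get("cpu", rec.get("bytes"))}

def preprocess(raw):
    bloom, aligned = BloomFilter(), []
    for node, rec in raw:
        ts = to_epoch_ms(node, rec)
        if bloom.seen_or_add(f"{node}|{ts}|{sorted(rec.items())}"):
            continue  # probable duplicate, dropped
        aligned.append(standardize(node, desensitize(rec), ts))
    aligned.sort(key=lambda r: r["ts_ms"])
    idx = [i for i, r in enumerate(aligned) if r["node"] == "terminal"]
    for i, v in zip(idx, kalman_smooth([aligned[i]["value"] for i in idx])):
        aligned[i]["value"] = v   # noise-reduced CPU series written back in place
    return aligned

if __name__ == "__main__":
    for r in preprocess(RAW):
        print(r)
```

Two design points matter for monitoring at scale. The Bloom filter keys on the node, the aligned timestamp and the full record content, so a re-sent record is dropped while a genuinely new event with the same timestamp is kept, at the cost of a small, sizing-dependent false-positive rate that discards a real record; a deployment would size `m_bits` and `k` for its event volume. Desensitization happens before standardization so that the common-schema records handed to the feature extractor never carry raw user names or full addresses.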