An AI-based security component performance diagnosis and visualization method and system
By generating verifiable performance evidence through AI and cryptography, and combining it with blockchain and machine learning analysis, the credibility and relevance issues of security component performance diagnosis are resolved. This enables efficient and accurate performance diagnosis and report generation, ensuring the stability of the enterprise's network security architecture.
Patent Information
- Authority / Receiving Office: CN · China
- Patent Type: Applications (China)
- Current Assignee / Owner: SUZHOU RUIYING INTELLIGENT COMPUTING TECHNOLOGY CO LTD
- Filing Date: 2026-03-17
- Publication Date: 2026-06-19
AI Technical Summary
Existing security component performance diagnostics suffer from issues such as low data reliability, difficulty in cross-component correlation, and inability to prove contract fulfillment, which impact the effectiveness of enterprise network security architecture and business experience.
By combining AI technology with cryptographic methods, multi-dimensional performance contracts are established, verifiable performance evidence is generated, and blockchain technology is used to ensure the immutability of the evidence. Combined with machine learning analysis of deviations and root cause localization, a visualized performance diagnostic report is generated.
It improves the reliability and accuracy of security component performance diagnosis, provides objective SLA audit basis, supports accountability in complex environments, meets the log audit requirements of ISO 27001 standard, and improves the efficiency and accuracy of diagnosis.
Figure CN122247677A_ABST
Description
Technical Field
[0001] This invention relates to the field of enterprise network security technology, specifically to an AI-based method and system for diagnosing and visualizing the performance of security components, which is particularly suitable for multi-cloud environments, cross-organizational collaboration, and compliance audit scenarios.
Background Technology
[0002] As enterprises deepen their digital transformation, network security architectures are becoming increasingly complex. A defense system comprised of various security components, such as perimeter firewalls, endpoint proxies, zero-trust gateways, and security management platforms, has become the cornerstone of ensuring business continuity. However, the performance status of these components directly determines the effectiveness of security protection and the business experience. Therefore, accurate and reliable performance diagnostics of security components have become an indispensable and crucial aspect of enterprise network security operations and maintenance.
[0003] Existing security component performance diagnostics typically rely on internally collected logs and metrics, but these methods suffer from the following drawbacks: Low data reliability: Internal logs are easily tampered with or forged, making them unsuitable for auditing. Difficulty in cross-component correlation: Each component is monitored independently, lacking unified and verifiable evidence for correlation. Inability to prove contract fulfillment: Performance metrics (such as latency and throughput) in Service Level Agreements (SLAs) lack objective and non-repudiable means of proof.
[0004] Therefore, existing security component performance diagnostics have significant shortcomings in terms of credibility, relevance, and probative value. Consequently, the market urgently needs a new technical solution that can not only leverage AI for intelligent anomaly detection and root cause localization, but also ensure the authenticity of evidence through cryptographic means (such as chains of evidence), ultimately generating a performance diagnostic report that can be trusted by both operations and auditing parties, thereby truly guaranteeing the efficient and stable operation of the enterprise's network security architecture.
Summary of the Invention
[0005] This invention provides an AI-based method for diagnosing and visualizing the performance of security components, the method comprising the following steps:
S1: Contract Definition Layer: Sets a multi-dimensional performance contract for each security component. The contract is stored in a structured form and includes: security component identifier, performance indicator threshold, performance evidence generation cycle, signature algorithm and public key certificate.
S2: Generate verifiable performance evidence: Each security component has a built-in trusted execution environment or hardware security module that stores the security component's private key to ensure the security of signature operations; at the end of each evidence period, the security component collects real-time performance data and constructs a performance evidence block:
S3: The diagnostic center or blockchain node collects performance evidence from each security component, verifies the validity of the signature using the public key of the security component, digitally signs the performance evidence block using the private key of the security component, packages multiple pieces of evidence, constructs a Merkle tree, and periodically writes the root hash to the blockchain; the blockchain provides an immutable timestamp and global order to ensure the auditability of the performance evidence sequence.
[0006] S4: The diagnostic center aligns the validated evidence by timestamps to form a multidimensional time-series dataset. It compares the actual performance of each component with the performance metric thresholds in the contract to calculate the deviation. LSTM or Transformer models are used to model the historical performance of each component, predicting the normal range and identifying potential anomalies. A component dependency graph is constructed; when a global performance degradation is detected, random forest or causal forest is used to analyze the correlation between the deviation of each component and the overall performance, outputting the root cause probability. Combining the evidence chain, the evidence of each component at the time of the anomaly is traced to verify the root cause hypothesis.
[0007] S5: Determine whether the contract performance summary of each component conforms to the contract agreement, record the details of abnormal events and a complete list of relevant evidence to form a performance diagnostic report and display it visually. The entire report is digitally signed by the diagnostic center's private key to ensure the authenticity of the report.
[0008] This invention provides an AI-based security component performance diagnosis and visualization system, the system comprising:
Contract definition module: Sets a multi-dimensional performance contract for each security component. The contract is stored in a structured form and includes: security component identifier, performance indicator threshold, performance evidence generation cycle, signature algorithm and public key certificate;
Verifiable performance evidence generation module: Each security component has a built-in trusted execution environment or hardware security module that stores the security component's private key to ensure the security of signature operations; at the end of each evidence period, the security component collects real-time performance data and constructs a performance evidence block.
Evidence on-chain module: The diagnostic center or blockchain node collects performance evidence of each security component, verifies the validity of the signature using the public key of the security component; digitally signs the performance evidence block using the private key of the security component, packages multiple pieces of evidence, constructs a Merkle tree, and periodically writes the root hash to the blockchain; the blockchain provides an immutable timestamp and global order to ensure the auditability of the performance evidence sequence.
[0009] Performance Deviation Analysis Module: The diagnostic center aligns validated evidence by timestamps to form a multidimensional time-series dataset. It compares the actual performance of each component with the performance metric thresholds in the contract to calculate the deviation. LSTM or Transformer models are used to model the historical performance of each component, predicting normal ranges and identifying potential anomalies. A component dependency graph is constructed; when a global performance degradation is detected, random forest or causal forest analysis is used to analyze the correlation between the deviation of each component and the overall performance, outputting the root cause probability. Combining the evidence chain, the evidence of each component at the time of the anomaly is traced to verify the root cause hypothesis.
[0010] Diagnostic report generation module: Determines whether the contract performance summary of each component conforms to the contract agreement, records the details of abnormal events and a complete list of relevant evidence to form a performance diagnostic report and visualize it. The entire report is digitally signed by the diagnostic center's private key to ensure the authenticity of the report.
[0011] An electronic device includes a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements the aforementioned AI-based security component performance diagnosis and visualization method.
[0012] A computer-readable storage medium storing a computer program that, when executed by a processor, implements the aforementioned AI-based security component performance diagnosis and visualization method.
[0013] Compared with the prior art, the beneficial effects of the present invention are as follows: 1. Transform abstract performance metrics into verifiable cryptographic evidence to provide objective evidence for SLA audits.
[0014] 2. By using signature and blockchain technologies, establish tamper-proof evidence links across components to support accountability in complex environments.
[0015] 3. Utilize machine learning to analyze deviations and pinpoint root causes, thereby improving diagnostic accuracy and efficiency.
[0016] 4. The generated auditable reports meet the requirements of standards such as ISO 27001 for log auditing.
Attached Figure Description
[0017] To more clearly illustrate the technical solutions of the embodiments of this application, the drawings used in the embodiments will be briefly introduced below. Obviously, the drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0018] Figure 1 is a flowchart of this application.
Detailed Implementation
[0019] The embodiments of this application will now be described in detail with reference to the accompanying drawings.
[0020] The following specific examples illustrate the implementation of this application. Those skilled in the art can easily understand other advantages and effects of this application from the content disclosed in this specification. Obviously, the described embodiments are only a part of the embodiments of this application, and not all of them. This application can also be implemented or applied through other different specific embodiments, and the details in this specification can also be modified or changed based on different viewpoints and applications without departing from the spirit of this application. It should be noted that, in the absence of conflict, the following embodiments and features in the embodiments can be combined with each other. Based on the embodiments in this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this application.
[0021] It should be noted that various aspects of embodiments within the scope of the appended claims are described below. It will be apparent that the aspects described herein can be embodied in a wide variety of forms, and any particular structure and / or function described herein is merely illustrative. Based on this application, those skilled in the art will understand that one aspect described herein can be implemented independently of any other aspect, and two or more of these aspects can be combined in various ways. For example, any number and aspects set forth herein can be used to implement the device and / or practice the method. Additionally, this device and / or method can be implemented using structures and / or functionalities other than one or more of the aspects set forth herein.
[0022] Additionally, specific details are provided in the following description to facilitate a thorough understanding of the examples. However, those skilled in the art will understand that practice can be carried out without these specific details.
[0023] This specification presents an AI-based method for diagnosing and visualizing the performance of security components. This method includes the following steps:
S1: Contract Definition Layer: Sets a multi-dimensional performance contract for each security component. The contract is stored in a structured form and includes: security component identifier, performance indicator threshold, performance evidence generation cycle, signature algorithm and public key certificate.
S2: Generate verifiable performance evidence: Each security component has a built-in trusted execution environment or hardware security module that stores the security component's private key to ensure the security of signature operations; at the end of each evidence period, the security component collects real-time performance data and constructs a performance evidence block: The performance evidence block contains the security component ID, timestamp, performance sample value, security component signature, and includes the hash of preceding performance evidence to form a chain structure.
[0024] S3: The diagnostic center or blockchain node collects performance evidence from each security component, verifies the validity of the signature using the public key of the security component, digitally signs the performance evidence block using the private key of the security component, packages multiple pieces of evidence, constructs a Merkle tree, and periodically writes the root hash to the blockchain; the blockchain provides an immutable timestamp and global order to ensure the auditability of the performance evidence sequence.
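S2 and S3 as an added Python example (not code from the patent or the applicant); `audit_window` is the signature, inclusion and threshold re-check that the description later lists as S41 to S43. HMAC-SHA256 stands in for the component's asymmetric signature so that it runs on the standard library alone, and the field names, key, component ID and sample values are constructed assumptions.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64
# Constructed contract (S1); field names are assumptions, not the patent's schema.
CONTRACT = {"component_id": "fw-edge-01", "thresholds": {"latency_ms": 20.0},
            "period_s": 60, "sig_alg": "HMAC-SHA256 (stand-in)"}
KEY = b"constructed-demo-key"  # in the patent's design this stays inside a TEE/HSM

def canonical(obj):
    """Deterministic encoding so hashes and signatures are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign(key, body):
    # Stand-in for the component's asymmetric signature (assumption).
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()

def make_block(key, ts, latency_ms, prev_hash):
    """S2: component ID, timestamp, sample, hash of the preceding block, signature."""
    body = {"component_id": CONTRACT["component_id"], "timestamp": ts,
            "sample": {"latency_ms": latency_ms}, "prev_hash": prev_hash}
    return {**body, "signature": sign(key, body)}

def block_hash(block):
    return hashlib.sha256(canonical(block)).hexdigest()

def sig_ok(block, key):
    body = {k: v for k, v in block.items() if k != "signature"}
    return hmac.compare_digest(block["signature"], sign(key, body))

def verify_chain(blocks, key):
    """Return the index of the first block that breaks the chain, or -1."""
    prev = GENESIS
    for i, b in enumerate(blocks):
        if b["prev_hash"] != prev or not sig_ok(b, key):
            return i
        prev = block_hash(b)
    return -1

def _levels(leaf_hashes):
    if not leaf_hashes:
        raise ValueError("no evidence to anchor")
    # Different prefixes for leaves and inner nodes keep the two from colliding.
    level = [hashlib.sha256(b"\x00" + bytes.fromhex(h)).digest() for h in leaf_hashes]
    levels = [level]
    while len(level) > 1:
        # An unpaired last node is promoted unchanged rather than duplicated.
        level = [hashlib.sha256(b"\x01" + level[i] + level[i + 1]).digest()
                 if i + 1 < len(level) else level[i] for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def anchor(blocks):
    """S3: return (Merkle root to write on-chain, one inclusion proof per block)."""
    levels = _levels([block_hash(b) for b in blocks])
    proofs = []
    for idx in range(len(blocks)):
        proof, i = [], idx
        for level in levels[:-1]:
            if (i ^ 1) < len(level):  # sibling exists at this level
                proof.append(("L" if (i ^ 1) < i else "R", level[i ^ 1].hex()))
            i //= 2
        proofs.append(proof)
    return levels[-1][0].hex(), proofs

def included(block, proof, root):
    acc = hashlib.sha256(b"\x00" + bytes.fromhex(block_hash(block))).digest()
    for side, sib in proof:
        pair = bytes.fromhex(sib) + acc if side == "L" else acc + bytes.fromhex(sib)
        acc = hashlib.sha256(b"\x01" + pair).digest()
    return acc.hex() == root

def audit_window(blocks, proofs, key, root, t_start, t_end):
    """S41-S43: re-check the evidence inside [t_start, t_end] against the contract."""
    limit = CONTRACT["thresholds"]["latency_ms"]
    return [{"timestamp": b["timestamp"], "sig_ok": sig_ok(b, key),
             "anchored": included(b, p, root),
             "deviation_ms": round(max(0.0, b["sample"]["latency_ms"] - limit), 3)}
            for b, p in zip(blocks, proofs) if t_start <= b["timestamp"] <= t_end]

def build_demo_chain():
    """Five constructed samples, one per 60 s evidence period."""
    chain, prev = [], GENESIS
    for ts, lat in [(1000, 12.0), (1060, 14.5), (1120, 35.0), (1180, 41.2), (1240, 13.0)]:
        chain.append(make_block(KEY, ts, lat, prev))
        prev = block_hash(chain[-1])
    return chain

if __name__ == "__main__":
    chain = build_demo_chain()
    root, proofs = anchor(chain)
    for row in audit_window(chain, proofs, KEY, root, 1100, 1200):
        print(row)
```

A block that is altered and re-signed with the component's own key still passes `sig_ok` but fails `included` against the anchored root, and `verify_chain` reports the break at its successor.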
[0025] The diagnostic center aligns the verified evidence by timestamp to form a multidimensional time series dataset, which includes: collecting full-stack performance metrics of multiple security components. Since the timestamp precision of the data sources of each component is different, time series alignment based on interpolation is used to unify all metrics onto the same time axis to form a multidimensional time series dataset.
[0026] S4: The diagnostic center aligns the validated evidence by timestamps to form a multidimensional time-series dataset. It compares the actual performance of each component with the performance metric thresholds in the contract to calculate the deviation. LSTM or Transformer models are used to model the historical performance of each component, predicting the normal range and identifying potential anomalies. A component dependency graph is constructed; when a global performance degradation is detected, random forest or causal forest is used to analyze the correlation between the deviation of each component and the overall performance, outputting the root cause probability. Combining the evidence chain, the evidence of each component at the time of the anomaly is traced to verify the root cause hypothesis.
[0027] By combining the chain of evidence, tracing the evidence from each component at the time of the anomaly, and verifying the root cause hypothesis, the following steps are specifically included:
S41: For the abnormal time period [Tstart, Tend], the diagnostic center extracts the original evidence of all candidate root cause components within that time window from the blockchain or local storage; where Tstart represents the start time of the abnormal time period and Tend represents the end time of the abnormal time period.
S42: Verify the signature using the component's public key to ensure that the evidence has not been tampered with and was indeed generated by the component;
S43: Compare the performance values in the evidence with the performance index thresholds in the contract to confirm whether the existence and magnitude of the deviation are consistent with the model input.
[0028] S44: By calculating the chronological order of the abnormal start times of each component, a causal time series diagram is constructed and cross-validated with the model results.
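The interpolation-based alignment of S4 and the onset ordering of S44 as an added Python example (not from the patent); the LSTM/Transformer and forest models are left out. Component IDs, samples, thresholds, the grid step, the two-point persistence rule and the dependency graph are constructed assumptions.

```python
from bisect import bisect_left

# Constructed samples as (timestamp_ms, latency_ms). The firewall reports whole
# seconds, the gateway reports milliseconds; IDs and values are assumptions.
RAW = {
    "fw-edge-01": [(0, 12.0), (60000, 14.0), (120000, 36.0), (180000, 40.0), (240000, 13.0)],
    "zt-gw-01": [(15250, 8.0), (75250, 9.0), (135250, 10.0), (195250, 30.0), (255250, 9.0)],
}
THRESHOLDS = {"fw-edge-01": 20.0, "zt-gw-01": 15.0}  # contract thresholds (S1)
DEPENDS_ON = {"zt-gw-01": ["fw-edge-01"]}  # hypothetical dependency graph

def interpolate(series, t):
    """Linear interpolation inside the sampled range; None outside it (no extrapolation)."""
    times = [ts for ts, _ in series]
    if not series or t < times[0] or t > times[-1]:
        return None
    i = bisect_left(times, t)
    if times[i] == t:
        return series[i][1]
    (t0, v0), (t1, v1) = series[i - 1], series[i]
    return v0 + (v1 - v0) * (t - t0) / (t1 - t0)

def align(raw, step_ms):
    """Resample every component onto one grid covering the common time range."""
    start = max(s[0][0] for s in raw.values())
    end = min(s[-1][0] for s in raw.values())
    first = -(-start // step_ms) * step_ms  # round up to the grid
    axis = list(range(first, end + 1, step_ms))
    return axis, {c: [interpolate(s, t) for t in axis] for c, s in raw.items()}

def onsets(axis, aligned, thresholds, min_run=2):
    """First grid time at which a component stays above its threshold for min_run points."""
    result = {}
    for comp, values in aligned.items():
        run, result[comp] = 0, None
        for i, v in enumerate(values):
            run = run + 1 if v > thresholds[comp] else 0
            if run == min_run:
                result[comp] = axis[i - min_run + 1]
                break
    return result

def upstream(comp, depends_on, seen=None):
    """All components that comp depends on, directly or transitively."""
    seen = set() if seen is None else seen
    for dep in depends_on.get(comp, []):
        if dep not in seen:
            seen.add(dep)
            upstream(dep, depends_on, seen)
    return seen

def rank_by_onset(onset_by_comp, depends_on):
    """S44: order by onset; consistent if every later component depends on the first."""
    hit = sorted((t, c) for c, t in onset_by_comp.items() if t is not None)
    order = [c for _, c in hit]
    consistent = bool(order) and all(order[0] in upstream(c, depends_on) for c in order[1:])
    return order, consistent

if __name__ == "__main__":
    axis, aligned = align(RAW, 30000)
    found = onsets(axis, aligned, THRESHOLDS)
    print(found, rank_by_onset(found, DEPENDS_ON))
```

Interpolated grid values are derived data, not signed evidence, so the S43 comparison is still made against the raw signed samples.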
[0029] S5: Determine whether the contract performance summary of each component conforms to the contract agreement, record the details of abnormal events and a complete list of relevant evidence to form a performance diagnostic report and display it visually. The entire report is digitally signed by the diagnostic center's private key to ensure the authenticity of the report.
[0030] Details of the abnormal event include: time, component, deviation index, and root cause analysis results.
[0031] This invention deeply integrates the performance indicators of security components with evidentiary auditing, uses cryptographic means to ensure the authenticity and non-repudiation of data, and utilizes AI to improve the level of intelligent diagnosis, providing enterprises with a reliable and efficient performance diagnostic tool for network security operations and maintenance.
[0032] This invention provides an AI-based security component performance diagnosis and visualization system, the system comprising:
Contract definition module: Sets a multi-dimensional performance contract for each security component. The contract is stored in a structured form and includes: security component identifier, performance indicator threshold, performance evidence generation cycle, signature algorithm and public key certificate;
Verifiable performance evidence generation module: Each security component has a built-in trusted execution environment or hardware security module that stores the security component's private key to ensure the security of signature operations; at the end of each evidence period, the security component collects real-time performance data and constructs a performance evidence block.
Evidence on-chain module: The diagnostic center or blockchain node collects performance evidence of each security component, verifies the validity of the signature using the public key of the security component; digitally signs the performance evidence block using the private key of the security component, packages multiple pieces of evidence, constructs a Merkle tree, and periodically writes the root hash to the blockchain; the blockchain provides an immutable timestamp and global order to ensure the auditability of the performance evidence sequence.
[0033] Performance Deviation Analysis Module: The diagnostic center aligns validated evidence by timestamps to form a multidimensional time-series dataset. It compares the actual performance of each component with the performance metric thresholds in the contract to calculate the deviation. LSTM or Transformer models are used to model the historical performance of each component, predicting normal ranges and identifying potential anomalies. A component dependency graph is constructed; when a global performance degradation is detected, random forest or causal forest analysis is used to analyze the correlation between the deviation of each component and the overall performance, outputting the root cause probability. Combining the evidence chain, the evidence of each component at the time of the anomaly is traced to verify the root cause hypothesis.
[0034] Diagnostic report generation module: Determines whether the contract performance summary of each component conforms to the contract agreement, records the details of abnormal events and a complete list of relevant evidence to form a performance diagnostic report and visualize it. The entire report is digitally signed by the diagnostic center's private key to ensure the authenticity of the report.
[0035] An electronic device includes a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements the aforementioned AI-based security component performance diagnosis and visualization method.
[0036] A computer-readable storage medium storing a computer program that, when executed by a processor, implements the aforementioned AI-based security component performance diagnosis and visualization method.
[0037] Those skilled in the art will understand that all or part of the processes in the methods of the above embodiments can be implemented by a computer program instructing related hardware. The computer program can be stored in a non-volatile computer-readable storage medium, and when executed, it can include the processes of the embodiments of the above methods. Any references to memory, storage, databases, or other media used in the embodiments provided in this application can include non-volatile and / or volatile memory. Non-volatile memory can include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in various forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), dual data rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct memory bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM), etc.
[0038] In this specification, the same or similar parts between the various embodiments can be referred to mutually. Each embodiment focuses on describing the differences from other embodiments. In particular, the descriptions of the embodiments described later are relatively simple, and relevant parts can be referred to the descriptions of the foregoing embodiments.
[0039] The above description is merely a specific embodiment of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the technical scope disclosed in this application should be included within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.
Claims
1. An AI-based method for performance diagnosis and visualization of security components, comprising the following steps:
S1: Set a multi-dimensional performance contract for each security component. The contract is stored in a structured form and includes: security component identifier, performance indicator threshold, performance evidence generation cycle, signature algorithm and public key certificate.
S2: Generate verifiable performance evidence: Each security component has a built-in trusted execution environment or hardware security module that stores the security component's private key to ensure the security of signature operations; at the end of each evidence period, the security component collects real-time performance data and constructs a performance evidence block:
S3: The diagnostic center or blockchain node collects performance evidence of each security component, verifies the validity of the signature using the public key of the security component, digitally signs the performance evidence block using the private key of the security component, packages multiple pieces of evidence, constructs a Merkle tree, and periodically writes the root hash to the blockchain; Blockchain provides immutable timestamps and global order, ensuring the auditability of performance evidence sequences;
S4: The diagnostic center aligns the verified evidence by timestamp to form a multidimensional time series dataset; compares the actual performance of each component with the performance index threshold in the contract to calculate the deviation; and uses LSTM or Transformer models to model the historical performance of each component, predict the normal range, and identify potential anomalies. Construct a component dependency graph. When a global performance degradation is detected, use random forest or causal forest to analyze the correlation between the deviation of each component and the overall performance, and output the root cause probability. Combine the evidence chain to trace the evidence of each component at the abnormal moment and verify the root cause hypothesis.
S5: Determine whether the contract performance summary of each component conforms to the contract agreement, record the details of abnormal events and a complete list of relevant evidence to form a performance diagnostic report and display it visually. The entire report is digitally signed by the diagnostic center's private key to ensure the authenticity of the report.
2. The AI-based security component performance diagnosis and visualization method according to claim 1, characterized in that, The performance evidence block contains the security component ID, timestamp, performance sample value, security component signature, and includes the hash of preceding performance evidence to form a chain structure.
3. The AI-based security component performance diagnosis and visualization method according to claim 1, characterized in that, The diagnostic center aligns the verified evidence by timestamp to form a multidimensional time series dataset, which includes: collecting full-stack performance metrics of multiple security components. Since the timestamp precision of the data sources of each component is different, time series alignment based on interpolation is used to unify all metrics onto the same time axis to form a multidimensional time series dataset.
4. The AI-based security component performance diagnosis and visualization method according to claim 1, characterized in that, By combining the chain of evidence, tracing the evidence from each component at the time of the anomaly, and verifying the root cause hypothesis, the following steps are specifically included:
S41: For the abnormal time period [Tstart, Tend], the diagnostic center extracts the original evidence of all candidate root cause components within that time window from the blockchain or local storage; where Tstart represents the start time of the abnormal time period and Tend represents the end time of the abnormal time period.
S42: Verify the signature using the component's public key to ensure that the evidence has not been tampered with and was indeed generated by the component;
S43: Compare the performance values in the evidence with the performance index thresholds in the contract to confirm whether the existence and magnitude of the deviation are consistent with the model input;
S44: By calculating the chronological order of the abnormal start times of each component, a causal time series diagram is constructed and cross-validated with the model results.
5. The AI-based security component performance diagnosis and visualization method according to claim 1, characterized in that, Details of the abnormal event include: time, component, deviation index, and root cause analysis results.
6. An AI-based security component performance diagnosis and visualization system, the system comprising:
Contract definition module: Sets a multi-dimensional performance contract for each security component. The contract is stored in a structured form and includes: security component identifier, performance indicator threshold, performance evidence generation cycle, signature algorithm and public key certificate;
Verifiable performance evidence generation module: Each security component has a built-in trusted execution environment or hardware security module that stores the security component's private key to ensure the security of signature operations; at the end of each evidence period, the security component collects real-time performance data and constructs a performance evidence block.
Evidence on-chain module: The diagnostic center or blockchain node collects performance evidence of each security component, verifies the validity of the signature using the public key of the security component; digitally signs the performance evidence block using the private key of the security component, packages multiple pieces of evidence, constructs a Merkle tree, and periodically writes the root hash to the blockchain; the blockchain provides an immutable timestamp and global order to ensure the auditability of the performance evidence sequence;
Performance Deviation Analysis Module: The diagnostic center aligns the verified evidence by timestamp to form a multidimensional time series dataset; compares the actual performance of each component with the performance index threshold in the contract to calculate the deviation; and uses LSTM or Transformer models to model the historical performance of each component, predict the normal range, and identify potential anomalies. Construct a component dependency graph. When a global performance degradation is detected, use random forest or causal forest to analyze the correlation between the deviation of each component and the overall performance, and output the root cause probability. Combine the evidence chain to trace the evidence of each component at the abnormal moment and verify the root cause hypothesis.
Diagnostic report generation module: Determines whether the contract performance summary of each component conforms to the contract agreement, records the details of abnormal events and a complete list of relevant evidence to form a performance diagnostic report and visualize it. The entire report is digitally signed by the diagnostic center's private key to ensure the authenticity of the report.
7. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements an AI-based security component performance diagnosis and visualization method as described in any one of claims 1 to 5.
8. A computer-readable storage medium storing a computer program that, when executed by a processor, implements an AI-based security component performance diagnosis and visualization method as described in any one of claims 1 to 5.