Network active defense method and system for network protection
By uniformly processing and combining network communication behavior, security risks, and operational status, and incorporating environmental disturbance correction, the system achieves proactive intervention and stable control of network protection, solving the problems of lag and crudeness in existing protection systems, and improving the foresight and operability of network protection.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- GUANGZHOU TAIYUAN TECHNOLOGY CO LTD
- Filing Date
- 2026-04-03
- Publication Date
- 2026-06-19
Abstract figure: CN122247715A_ABST
Abstract
Description
Technical Field
[0001] This invention belongs to the field of network security, and in particular relates to a proactive network defense method and system for network protection.
Background Technology
[0002] With the deepening of informatization and networking, the scale and complexity of government and enterprise networks, operational networks, and critical infrastructure networks of all kinds continue to increase. Network protection targets have expanded from single boundary devices to a comprehensive protection system made up of multiple security devices and management systems, including centralized firewall management, intrusion detection, APT detection, vulnerability scanning, security log auditing, and various traffic probes. In current network operations these systems each generate their own alarms, scores, or statistics. Although these reflect risk from different perspectives, they differ significantly in data definition, time granularity, and scale. In practice, alarm confirmation and handling often rely on manual experience, so it is difficult to form a unified, continuous, and executable proactive defense chain. Meanwhile, attacks are covert in their early stages, progress gradually, and have overlapping time windows, so by the time a single alarm is triggered the optimal response window has often already passed. Furthermore, in scenarios such as wireless networks and dedicated communication networks, network operation is also affected by external factors such as wireless interference, link jitter, and device switching. These disturbances alter the stability of traffic statistics and security detection results, so that judgments based on fixed thresholds or static rules become inconsistent across operating conditions. This easily leads to frequent false alarms and response fatigue, to raised thresholds that miss alarms and open gaps, or to over-tightened policies that impact business continuity.
Existing multi-system security architectures typically rely on data aggregation or alarm correlation. They lack a judgment criterion that incorporates both the "risk evolution level" and the "operating environment conditions", and they lack a mechanism that naturally maps judgment results into tiered, auditable network control actions. As a result, proactive defense in engineering practice tends toward one of two extremes: conservative responses that rely on manual confirmation and therefore lag, or coarse responses that tighten policies in one step and disrupt business operations. Balancing proactiveness, stability, and operability under complex operating conditions is therefore difficult.
Summary of the Invention
[0003] The purpose of this invention is to design a network proactive defense method and system for network protection, which can realize hierarchical control of network communication paths, network access behavior or connection relationships, so that proactive defense can complete pre-emptive intervention before risks evolve into actual damage, and maintain stable judgment criteria, implementable and auditable control actions in complex operating environments, thereby improving the foresight and engineering availability of the existing network comprehensive protection system.
[0004] To achieve the above objectives, a first aspect of the present invention provides a network proactive defense method for network protection, the method comprising:
- obtaining the statistical results of network communication behavior, the network security risk status results, and the network operation status results within the current time window;
- performing scale alignment on each of the three results to obtain the network communication behavior state component, the network security risk state component, and the network operation state component;
- weighting and combining the three state components according to preset combination coefficients to generate a network defense state vector;
- calculating the network protection stability index to be corrected from the network defense state vector of the current window, the average value of the network defense state vector over the historical window, and the network defense state vector of the previous time window;
- obtaining the network operating environment disturbance amount within the current time window, and calculating the corrected network protection stability index from the index to be corrected, the disturbance amplification coefficient, and the disturbance constraint coefficient;
- comparing the corrected network protection stability index with a preset judgment threshold to generate the final network protection judgment result;
- when the final network protection judgment result indicates that active defense needs to be triggered, calculating the network active defense control strength parameter from the deviation ratio between the corrected network protection stability index and the judgment threshold;
- selecting the corresponding control template from the preset network active defense control template set according to the control strength parameter, and executing the corresponding network control actions through the firewall centralized management system.
[0005] Furthermore, the network communication behavior statistics include the connection activity and abnormal communication ratio summarized within a fixed time window.
[0006] Furthermore, the network security risk status result is output by the network security detection system and obtained through the alarm aggregation interface.
[0007] Furthermore, the network operation status results are output by the network operation management system to reflect the overall status of the network at the operation level.
[0008] Furthermore, the network operating environment disturbance is output by the wireless interference management platform or the network operation monitoring module, and is calculated based on the wireless interference intensity, interference duration, link jitter or operational fluctuation within the current time window.
[0009] Furthermore, the network protection stability index to be corrected is obtained by linearly superimposing the offset term of the network defense state vector of the current time window and the average value of the network defense state vector in the historical window, as well as the difference trend term of the network defense state vector of the current time window and the previous time window.
[0010] Furthermore, the corrected network protection stability index is obtained by adding to the network protection stability index to be corrected an amplification term proportional to the network operating environment disturbance amount and an additional term proportional to the square of that disturbance amount.
[0011] Furthermore, the network proactive defense control template set includes low-level templates, medium-level templates, and high-level templates. The low-level templates are used to limit the rate or the number of connections for specific communication types, the medium-level templates are used to tighten some access paths or reduce the set of accessible ports, and the high-level templates are used to block high-risk communication paths or temporarily isolate critical subnets.
[0012] Furthermore, the network active defense control strength parameter is set to zero when the final network protection judgment result indicates that active defense is not triggered.
[0013] A second aspect of the invention provides a proactive network defense system for network protection, the system comprising:
- a state awareness and fusion module, used to acquire the statistical results of network communication behavior, the network security risk status results, and the network operation status results within the current time window; to scale-align the three results to obtain the network communication behavior state component, the network security risk state component, and the network operation state component; and to weight and combine the three state components according to preset combination coefficients to generate a network defense state vector;
- a protection stability assessment module, used to calculate the network protection stability index to be corrected from the network defense state vector, the average value of the network defense state vector within the historical window, and the network defense state vector of the previous time window;
- a disturbance correction and judgment module, used to obtain the network operating environment disturbance amount within the current time window, to calculate the corrected network protection stability index from the index to be corrected, the disturbance amplification coefficient, and the disturbance constraint coefficient, and to compare the corrected index with a preset judgment threshold to generate the final network protection judgment result;
- a proactive defense execution module, used, when the final network protection judgment result indicates that proactive defense needs to be triggered, to calculate the network proactive defense control strength parameter from the deviation ratio between the corrected network protection stability index and the judgment threshold, to select the corresponding control template from the preset network proactive defense control template set according to that parameter, and to execute the corresponding network control action through the firewall centralized management system.
[0014] The beneficial technical effects of the present invention are at least as follows. To address the aforementioned issues, this invention provides a proactive network defense method and system for network protection. It constructs a unified expression of the network protection state from result information already available in the existing network, combining communication behavior statistics, security risk status, and operational status from multiple systems on the same scale into a network defense state quantity that can be used directly in subsequent calculations. On this basis it introduces a time-window-oriented stability measurement that compares the current state with the recent operational baseline and overlays the state change trend, characterizing the offset strength and evolution direction of the network protection state relative to the normal state. It further incorporates network operating environment disturbance information to compensate and constrain the stability measurement, so that the same offset strength carries consistent risk semantics under different disturbance conditions, and forms the final protection judgment result. Finally, the final judgment result is correlated with the risk intensity to form an executable control strength, and a pre-configured network protection control template is invoked through the centralized firewall management system to achieve hierarchical control of network communication paths, network access behavior, or connection relationships. This allows proactive defense to intervene before risks evolve into actual damage while maintaining stable judgment criteria and implementable, auditable control actions in complex operating environments, thereby improving the foresight and engineering usability of the existing comprehensive network protection system.
Attached Figure Description
[0015] The present invention will be further described with reference to the accompanying drawings, but the embodiments in the drawings do not constitute any limitation on the present invention. For those skilled in the art, other drawings can be obtained based on the following drawings without creative effort.
[0016] Figure 1 is a flowchart of the network proactive defense method for network protection according to the present invention.
[0017] Figure 2 is a framework diagram of the network active defense system for network protection according to the present invention.
Detailed Implementation
[0018] Embodiments of the present invention are described in detail below. Examples of these embodiments are shown in the accompanying drawings, wherein the same or similar reference numerals denote the same or similar elements or elements having the same or similar functions throughout. The embodiments described below with reference to the accompanying drawings are exemplary and are only used to explain the present invention, and should not be construed as limiting the present invention.
[0019] In one or more embodiments, as shown in Figure 1, a proactive network defense method for network protection is disclosed, the method comprising the following steps. S1: Obtain the statistical results of network communication behavior, the network security risk status results, and the network operation status results within the current time window; perform scale alignment on the three results to obtain the network communication behavior state component, the network security risk state component, and the network operation state component; and, based on preset combination coefficients, weight and combine the three state components to generate a network defense state vector. Specifically, this step, centered on the goal of proactive network defense, integrates result information already formed in the network into a unified network defense state expression, so that subsequent calculations and judgments rest on stable and clear input. In a network environment, network communication behavior, network security risks, and network operational status are typically perceived separately by different devices and systems and therefore differ in structure and scale; using these outputs directly for subsequent processing easily leads to inconsistent judgments. From an engineering implementation perspective, this step selects the three types of result information most representative for proactive defense, processes and combines them uniformly, and forms a single network defense state vector that characterizes the current overall network protection status.
[0020] In the specific implementation, periodically generated statistics of network communication behavior are first obtained from network protection devices or network traffic monitoring components. These results, such as connection activity and abnormal communication ratios summarized within a fixed time window, are read directly through device management interfaces or monitoring modules. Next, network security risk status results are obtained from the network security detection system; these typically combine multiple detection conclusions into a comprehensive reflection of the overall current level of network security risk, and can be obtained through alarm aggregation interfaces. At the same time, network operation status results are read from the network operation management system to reflect the overall status of the network at the operational level. For these three types of results, unified mapping rules configured during the system deployment phase perform scale alignment so that they fall within a comparable range, yielding the network communication behavior state component, the network security risk state component, and the network operation state component, and providing a consistent basis for the subsequent combination.
[0021] After the state components are constructed, a linear weighted combination is used to generate the network defense state vector. This combination method originates from the mathematical concept of weighted summation for the comprehensive evaluation of multiple indicators, with constraints on the number and structure of the indicators imposed by the active network defense scenario. The network defense state vector is the sum of the three state components, each multiplied by its combination coefficient, where: the network defense state vector uniformly characterizes the overall defense status of the current network; the network communication behavior state component is obtained by mapping the communication statistics output by network protection equipment or traffic monitoring components; the network security risk state component is obtained by mapping the risk status results output by the network security detection system; the network operating state component is obtained by mapping the operating status results output by the network operation management system; and the three combination coefficients are configured during the system deployment phase to reflect the relative importance of the state components in a proactive network defense scenario. Taking a specific time window as an example, substituting the mapped component values and the configured coefficients into this weighted sum yields the network defense state vector for that window. This result is a quantitative expression of the current network defense status and serves as the sole input for the subsequent steps, which calculate the network protection stability index and trigger proactive network defense controls.
[0022] S2: Calculate the network protection stability index to be corrected based on the network defense state vector, the average value of the network defense state vector within the historical window, and the network defense state vector of the previous time window. Specifically, the network defense state vector formed in step one uniformly characterizes the current network protection status, but from an engineering perspective the more important question is: "Has the current status deviated significantly from the recent normal, and does it show a continuing trend of change?" This step therefore uses a time series approach. The system continuously calculates and records the network defense state vector at a fixed time window. Each time the vector for the current window is obtained, the recorded vector of the previous time window is read at the same time, and the vectors recorded within the preset historical window are averaged to obtain a baseline value representing the recent normal level. The averaging is a routine statistical operation applied directly to the historical data in the window, namely summing the sequence and dividing by the number of samples. In practice the window data can be provided by log storage or an in-memory circular queue, and the calculation can be completed in the computing module of the controller or security management center.
[0023] The stability index traces back to the original idea of "deviation measurement" in statistics, which uses the difference between the current value and a baseline value to characterize whether the state is abnormal, combined with the common time series technique of characterizing the "trend of change" by the difference between adjacent time points, which measures the intensity of short-term change. In this scheme these two classic measures correspond to "the intensity of deviation relative to the normal state" and "the intensity of short-term change". So that the subsequent step can correct this indicator in a regular way when network operating environment disturbances are introduced, the two are combined by linear superposition into a single network protection stability index to be corrected. This synthesis derives from the classical deviation measure and the first-order difference measure: the offset term is obtained first, then the trend term, and the two are unified under the same decision criterion through a coefficient. Specifically, the network protection stability index to be corrected is the sum of an offset term, namely the absolute value of the difference between the network defense state vector of the current time window and its average over the preset historical window (which characterizes the recent normal state), and a trend term, namely the difference between the network defense state vector of the current time window and that recorded for the previous time window, multiplied by a trend enhancement factor. The trend enhancement factor is configured during system deployment and adjusts the contribution of the trend term. Because the unified scaling of the multi-source results in step one places the current vector, the historical average, and the previous vector on the same numerical scale, the absolute difference term and the weighted difference term are additive on that scale, and the coefficient introduces no new scale, so the calculation remains consistent in an engineering sense.
[0024] To illustrate the feasibility of the algorithm, a complete parameter substitution and calculation process is presented. Assume that the system obtains the network defense state vector of the current window, reads the vector of the previous window from storage, and calculates the baseline as the average over the preset historical window. With the trend enhancement factor set in the deployed configuration, the offset term is the absolute difference between the current vector and the baseline, the trend term is the difference between the current vector and the previous vector multiplied by the factor, and substituting both into the sum gives the network protection stability index to be corrected. This result, as the output of this step, is used directly in the next step for correction and judgment in conjunction with network operating environment disturbances, thereby advancing "state characterization" into "quantitative measurement of offset and trend" and establishing a continuous computational chain for the subsequent triggering of network active defense.
[0025] S3: Obtain the network operating environment disturbance amount within the current time window, and calculate the corrected network protection stability index by combining the network protection stability index to be corrected, the disturbance amplification coefficient, and the disturbance constraint coefficient; compare the corrected network protection stability index with the preset judgment threshold to generate the final network protection judgment result. Specifically, this step focuses on the consistency of interpretation of the network protection stability index under complex operating environments. It takes the network protection stability index output by step two and combines it with the network operating environment disturbance status within the same time window to form a final judgment result that truly reflects the level of protection risk under the current operating conditions. In step two, the offset magnitude and trend of the network defense state vector were used to characterize the evolution intensity of the network protection status. In engineering practice, however, the network operating environment itself can significantly change the risk meaning of that evolution intensity: for example, when wireless interference increases or link jitter intensifies, the same state change often implies higher protection uncertainty. This step incorporates the operating environment disturbance into the calculation so that the stability index has consistent judgment semantics under different operating conditions, thereby providing a reliable basis for subsequent proactive network defense control.
[0026] The inputs of this step are the network protection stability index obtained in step two and the operating environment disturbance amount output by the network operating environment monitoring system. The stability index is calculated within the current time window, with the same source and meaning as in step two. The disturbance amount is output by the wireless interference management platform or the network operation monitoring module for the same time window: wireless interference intensity, interference duration, link jitter, or operational fluctuation are measured statistically within the window and then mapped to a uniformly scaled disturbance quantity according to the mapping rules configured during the deployment phase. This disturbance quantity characterizes the degree to which the current operating environment deviates from its normal state. Because the time windows of the stability index and the disturbance amount are aligned, the correction process addresses the network protection status and the operating environment status at the same moment.
[0027] In the specific calculation, this step adopts the environmental compensation concept commonly used in engineering control to correct the stability index, and introduces a disturbance constraint term tailored to the network active defense scenario, so that the correction result reflects the amplification effect of disturbances on risk and, when disturbances are large, strengthens the characterization of the expanding potential risk window. The correction can be seen as a derivation of the classic linear compensation model: starting from the original stability index, a term proportional to the disturbance amount is added, and a further term that grows with the square of the disturbance is added to reflect the nonlinear increase in risk under high disturbance. The result is the corrected network protection stability index, computed as the network protection stability index output by step two, plus the disturbance amplification coefficient multiplied by the network operating environment disturbance amount of the current time window, plus the disturbance constraint coefficient multiplied by the square of that disturbance amount. The disturbance amplification coefficient, configured during the system deployment phase, adjusts the degree to which environmental disturbance amplifies the risk of a stability offset. The disturbance constraint coefficient introduces the additional risk term when disturbance is amplified, making the correction consistent with real scenarios such as abnormal wireless interference masking security risks or link instability amplifying them. Because the stability index and the disturbance amount are on a unified scale, the linear amplification term and the quadratic term are consistently additive in value, which ensures the engineering rationality of the correction.
[0028] To illustrate the feasibility of this correction in a real system, a complete parameter substitution example is given. Assume that within a certain time window the network protection stability index output by step two and the disturbance amount mapped from the output of the wireless interference management platform or operation monitoring module are both available, and that the disturbance amplification coefficient and the disturbance constraint coefficient have been configured during the system deployment phase. Substituting these into the formula above gives the corrected network protection stability index. The result shows that, under the current operating environment disturbance, the stability deviation of the network protection state is further amplified relative to its original value before being passed on for judgment.
[0029] The corrected stability index is then used to generate the final network protection judgment result according to pre-configured judgment rules. The rule originates from the classic threshold decision concept: a continuous quantity is compared with a preset threshold and a discrete decision is output to drive the subsequent control action. The final network protection judgment result takes one of two values: one indicates that the current network protection status has reached the condition for triggering proactive network defense control, the other indicates that the current protection status is to be maintained. The threshold, configured during the system deployment phase, separates the stable state from the critical state. Continuing the example above, if the corrected stability index reaches the configured threshold, the trigger condition is satisfied and the judgment result takes the triggering value. This result is the final output of this step and is provided directly to the next step for implementing proactive network defense control, thereby organically linking stability quantification, operating environment disturbance correction, and final protection judgment.
[0030] S4: When the final network protection judgment result indicates that active defense needs to be triggered, calculate the network active defense control strength parameter based on the deviation ratio between the corrected network protection stability index and the judgment threshold; select the corresponding control template from the preset network active defense control template set according to the network active defense control strength parameter, and execute the corresponding network control action through the firewall centralized management system. Specifically, this step transforms the final network protection judgment result obtained in step three into proactive defense control actions that can be executed directly in a real network, completing control command generation and policy distribution within the same time window. In step three the judgment result was obtained by comparing the corrected network protection stability index with the threshold, so its value already carries the explicit meaning of "whether to enter active defense mode"; at the same time, the corrected stability index, as a process quantity, reflects how far the current risk intensity deviates from the threshold and is suited to determining the strength level of the control action. This step takes both as input, generates the control strength parameter, and uses the firewall centralized management system to invoke pre-configured control templates that exert actual control over network communication paths, network access behavior, or connection relationships.
[0031] The calculation of the control strength parameter derives from the classic proportional control concept in engineering control, in which the control output is proportional to the error and is saturated to ensure executability. In this scheme the error term is the deviation ratio of the corrected network protection stability index relative to the threshold, and the judgment result acts as a trigger gate so that the control takes effect only when the active defense state has been entered. The control strength parameter is therefore the judgment result multiplied by the saturated deviation ratio, where: the control strength parameter is used to select the control template level and to determine the range of the adjustable parameters within the template; the final network protection judgment result output by step three indicates either that the system has entered the active defense state or that it has not; the corrected network protection stability index is obtained from step three; and the threshold is the one used in step three to form the judgment result. Because the corrected index and the threshold are on the same scale, the deviation ratio is dimensionless, the saturated ratio stays in the dimensionless range, and multiplying it by the judgment result keeps the control strength parameter on that same scale, so the calculation remains consistent in an engineering sense. For example, if within a certain time window the judgment result indicates active defense, the deviation ratio of the recorded corrected index relative to the configured threshold is passed through the saturation constraint to give the control strength parameter; a different corrected index in another time window gives a different control strength parameter in the same way; and if in a time window the judgment result indicates no active defense, the control strength parameter is zero regardless of the corrected index. The calculated result is generated by the security management center or control module and passed to the firewall centralized management system as the sole strength parameter for policy enforcement.
[0032] At the policy execution level, the firewall centralized management system maintains a set of pre-configured network proactive defense control templates. Each template corresponds to a type of network control measure that can be issued directly and exposes a small number of adjustable parameters to adapt to different risk intensities. The template set can be organized hierarchically: low-level templates for lightweight control (e.g., rate limiting or connection limits for specific communication types), medium-level templates for scope tightening (e.g., tightening some access paths or narrowing the set of accessible ports), and high-level templates for strong isolation (e.g., blocking high-risk communication paths or temporarily isolating critical subnets). After receiving the control strength parameter, the control module maps it to a template level and a template parameter magnitude: for example, the parameter's range is divided into several intervals and a template of a different level is selected for each interval; at the same time the parameter is used as a scaling factor within the template to set the rate-limiting threshold, connection limit, or policy tightening ratio, so that control intensity is adjusted in a graded yet continuous way. For example, for a mid-range parameter value the system selects a medium-level template and applies its parameter range in proportion to the value; for a value at the saturation bound it selects a high-level template and executes it at the maximum level. The firewall centralized management system then pushes the selected template to the corresponding network protection devices, or enables the already deployed policy rules through the policy distribution interface, so that the network control takes effect within the current time window and has a direct impact on network communication.
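The S4 computation and template mapping described in [0030] to [0032], together with the stability-index and disturbance-correction steps they consume (the forms claims 6 and 7 describe), worked through as an added example in Python. This is illustration code written for this page, not code from the patent or its assignee. The coefficient values, the L1 norm used to reduce the state vector to a scalar, the strict "greater than" comparison in the judgment, the three strength intervals, and the per-template parameters are all assumptions; the patent names these quantities but does not fix their values.

```python
"""Added worked example (not code from the patent): one time window of the
S4 control-strength computation and control-template selection, preceded by
the stability index (offset + trend terms) and its disturbance correction.
Every numeric value and the norm/interval choices below are assumptions."""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Coefficients:
    # Assumed tuning values; the patent names the quantities but not the numbers.
    offset_weight: float = 1.0            # weight of the offset term (current vs. history mean)
    trend_weight: float = 0.5             # weight of the trend term (current vs. previous window)
    disturbance_gain: float = 0.3         # "disturbance amplification coefficient" (linear term)
    disturbance_constraint: float = 0.2   # "disturbance constraint coefficient" (quadratic term)
    threshold: float = 1.5                # judgment threshold
    saturation: float = 1.0               # upper bound on the control strength parameter


def l1(v: Sequence[float]) -> float:
    return sum(abs(x) for x in v)


def stability_index(current, history_mean, previous, c: Coefficients) -> float:
    """Index to be corrected: linear superposition of an offset term (current minus
    historical-window mean) and a trend term (current minus previous window).
    The state vector is reduced to a scalar with an L1 norm (assumption)."""
    offset = [x - m for x, m in zip(current, history_mean)]
    trend = [x - p for x, p in zip(current, previous)]
    return c.offset_weight * l1(offset) + c.trend_weight * l1(trend)


def corrected_index(index: float, disturbance: float, c: Coefficients) -> float:
    """Corrected index: add a term proportional to the environment disturbance
    and a term proportional to its square."""
    return index + c.disturbance_gain * disturbance + c.disturbance_constraint * disturbance ** 2


def judgment(corrected: float, c: Coefficients) -> bool:
    """Final judgment result: True means enter active defense (assumes strict '>')."""
    return corrected > c.threshold


def control_strength(triggered: bool, corrected: float, c: Coefficients) -> float:
    """S4 proportional control with gating and saturation.
    Error term = deviation ratio (corrected - threshold) / threshold; the judgment
    result gates it (zero when active defense is not triggered) and the output is
    clamped to [0, saturation] so the parameter is always executable."""
    if not triggered:
        return 0.0
    ratio = (corrected - c.threshold) / c.threshold
    return max(0.0, min(c.saturation, ratio))


# Hierarchical template set (low / medium / high); interval bounds are assumptions.
TEMPLATE_LEVELS = ((1 / 3, "low"), (2 / 3, "medium"), (1.0, "high"))


def select_template(strength: float) -> Optional[dict]:
    """Map the strength parameter to a template level and scale that template's
    adjustable parameter with the same strength value."""
    if strength <= 0.0:
        return None  # no action: the judgment result did not trigger active defense
    level = next((name for bound, name in TEMPLATE_LEVELS if strength <= bound + 1e-12), "high")
    if level == "low":
        # lightweight control: permit only a fraction of the baseline rate
        params = {"action": "rate_limit", "permitted_rate_fraction": round(1.0 - strength, 3)}
    elif level == "medium":
        # scope tightening: shrink the accessible port set in proportion to the strength
        params = {"action": "narrow_access", "tightening_ratio": round(strength, 3)}
    else:
        # strong isolation; at the saturation bound execute the template at its maximum
        params = {"action": "isolate",
                  "scope": "critical_subnet" if strength >= 1.0 else "high_risk_paths"}
    return {"level": level, "strength": round(strength, 3), **params}


def run_window(current, history_mean, previous, disturbance, c=Coefficients()) -> dict:
    """One time window end to end: index -> correction -> judgment -> strength -> template."""
    s_raw = stability_index(current, history_mean, previous, c)
    s_corr = corrected_index(s_raw, disturbance, c)
    triggered = judgment(s_corr, c)
    u = control_strength(triggered, s_corr, c)
    return {"index": s_raw, "corrected": s_corr, "triggered": triggered,
            "strength": u, "template": select_template(u)}


if __name__ == "__main__":
    # Constructed scale-aligned state vectors (behaviour, risk, operation), each in [0, 1]
    hist_mean, prev = (0.2, 0.1, 0.1), (0.3, 0.2, 0.1)
    print(run_window((0.8, 0.7, 0.3), hist_mean, prev, disturbance=0.5))    # medium template
    print(run_window((1.0, 1.0, 1.0), hist_mean, prev, disturbance=0.9))    # saturated, high
    print(run_window((0.25, 0.15, 0.1), hist_mean, prev, disturbance=0.0))  # not triggered
```

The three calls in the main block reproduce the three cases of [0031]: a deviation ratio inside the saturation range passes through unchanged and lands in the medium interval, a ratio above the bound is clipped to the bound and drives the high-level template at its maximum, and a window whose judgment result is "do not enter active defense" yields a strength of zero and no template regardless of the index. Note that the gate is what keeps the controller from issuing isolation actions on a merely noisy window; the disturbance terms only shift the index, the comparison with the threshold still decides whether anything is pushed to the firewalls.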
[0033] In one or more embodiments, as shown in Figure 2, a proactive network defense system for network protection is disclosed, the system comprising:
The state awareness and fusion module, used to acquire the statistical results of network communication behavior, the network security risk status results, and the network operation status results within the current time window; to scale-align these three results to obtain the network communication behavior state component, the network security risk state component, and the network operation state component; and to weight and combine these components according to preset combination coefficients to generate the network defense state vector.
The protection stability assessment module, used to calculate the network protection stability index to be corrected from the network defense state vector, the average value of the network defense state vector within the historical window, and the network defense state vector of the previous time window.
The disturbance correction and judgment module, used to obtain the network operating environment disturbance amount within the current time window, to calculate the corrected network protection stability index from the index to be corrected, the disturbance amplification coefficient and the disturbance constraint coefficient, and to compare the corrected index with a preset judgment threshold to generate the final network protection judgment result.
The proactive defense execution module, used, when the final network protection judgment result indicates that proactive defense needs to be triggered, to calculate the network proactive defense control strength parameter from the deviation ratio between the corrected network protection stability index and the judgment threshold, to select the corresponding control template from the preset network proactive defense control template set according to that parameter, and to execute the corresponding network control action through the firewall centralized management system.
[0034] It is worth noting that the specific workflow of the network active defense system for network protection provided in this embodiment is the same as that of the network active defense method for network protection described in the above embodiments, and will not be repeated here.
[0035] This invention also provides a network proactive defense device for network protection, including a processor, a memory, and a computer program stored in the memory and configured to be executed by the processor. When the processor executes the computer program, it implements the steps described in the above embodiments of the network proactive defense method for network protection, for example the steps S1 to S4 shown in Figure 1 and described above; or, when the processor executes the computer program, it implements the functions of each module in the above system embodiments.
[0036] For example, the computer program may be divided into one or more modules, which are stored in the memory and executed by the processor to complete the present invention. The one or more modules may be a series of computer program instruction segments capable of performing specific functions, which describe the execution process of the computer program in the network active defense device for network protection.
[0037] The network active defense device for network protection can be a computing device such as a desktop computer, laptop, handheld computer, or cloud server. The network active defense device for network protection may include, but is not limited to, a processor and memory. Those skilled in the art will understand that the network active defense device for network protection may also include input / output devices, network access devices, buses, etc.
[0038] The processor can be a Central Processing Unit (CPU), or other general-purpose processors, digital signal processors (DSPs), application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc. The general-purpose processor can be a microprocessor or any conventional processor. The processor is the control center of the network active defense device for network protection, connecting all parts of the device via various interfaces and lines.
[0039] The memory can be used to store the computer programs and / or modules. The processor implements the various functions of the network active defense device for network protection by running or executing the computer programs and / or modules stored in the memory and calling the data stored in the memory. The memory may mainly include a program storage area and a data storage area. The program storage area may store the operating system, at least one application program required for a function, etc.; the data storage area may store data created during the operation of the network active defense device for network protection, etc. In addition, the memory may include high-speed random access memory, and may also include non-volatile memory, such as a hard disk, internal memory, plug-in hard disk, smart media card (SMC), secure digital card (SD), flash card, at least one disk storage device, flash memory device, or other non-volatile solid-state storage device.
[0040] If the integrated modules of the network active defense device for network protection are implemented as software functional units and sold or used as an independent product, they can be stored in a computer-readable storage medium. Based on this understanding, all or part of the processes in the above embodiments can also be implemented by a computer program instructing related hardware. The computer program can be stored in a computer-readable storage medium, and when executed by a processor, it can implement the steps of the various method embodiments described above. The computer program includes computer program code, which can be in the form of source code, object code, executable files, or certain intermediate forms. The computer-readable medium can include any entity or device capable of carrying the computer program code, a recording medium, a USB flash drive, a portable hard drive, a magnetic disk, an optical disk, a computer memory, a read-only memory (ROM), a random access memory (RAM), an electrical carrier signal, a telecommunication signal, a software distribution medium, etc.
[0041] Those skilled in the art will understand that all or part of the processes in the above embodiments can be implemented by a computer program instructing related hardware. The program can be stored in a computer-readable storage medium, and when executed, it can include the processes of the embodiments of the above methods. The storage medium can be a magnetic disk, optical disk, read-only memory (ROM), or random access memory (RAM), etc.
[0042] The above description represents the preferred embodiments of the present invention. It should be noted that those skilled in the art can make various improvements and modifications without departing from the principles of the present invention, and these improvements and modifications are also considered to be within the scope of protection of the present invention.
Claims
1. A proactive network defense method for network protection, characterized in that the method includes:
obtaining statistical results of network communication behavior, network security risk status results, and network operation status results within the current time window;
subjecting the network communication behavior statistics, the network security risk status results, and the network operation status results respectively to scale alignment processing to obtain a network communication behavior state component, a network security risk state component, and a network operation state component;
weighting and combining the network communication behavior state component, the network security risk state component and the network operation state component based on preset combination coefficients to generate a network defense state vector;
calculating the network protection stability index to be corrected based on the network defense state vector, the average value of the network defense state vector within the historical window, and the network defense state vector of the previous time window;
obtaining the network operating environment disturbance amount within the current time window, and calculating the corrected network protection stability index by combining the network protection stability index to be corrected, the disturbance amplification coefficient, and the disturbance constraint coefficient;
comparing the corrected network protection stability index with a preset judgment threshold to generate the final network protection judgment result;
when the final network protection judgment result indicates that active defense needs to be triggered, calculating the network active defense control strength parameter based on the deviation ratio between the corrected network protection stability index and the judgment threshold; and
based on the network active defense control strength parameter, selecting a corresponding control template from the preset network active defense control template set, and executing the corresponding network control action through the firewall centralized management system.
2. The network active defense method for network protection according to claim 1, characterized in that the network communication behavior statistics include the connection activity and the proportion of abnormal communication within a fixed time window.
3. The network active defense method for network protection according to claim 1, characterized in that the network security risk status results are output by the network security detection system and obtained through the alarm aggregation interface.
4. The network active defense method for network protection according to claim 1, characterized in that the network operation status results are output by the network operation management system and reflect the overall status of the network at the operation level.
5. The network active defense method for network protection according to claim 1, characterized in that the network operating environment disturbance amount is output by the wireless interference management platform or the network operation monitoring module, and is calculated from the wireless interference intensity, interference duration, link jitter or operational fluctuation within the current time window.
6. The network active defense method for network protection according to claim 1, characterized in that the network protection stability index to be corrected is obtained by linearly superimposing an offset term between the network defense state vector of the current time window and the average value of the network defense state vector in the historical window, and a difference trend term between the network defense state vector of the current time window and that of the previous time window.
7. The network active defense method for network protection according to claim 1, characterized in that the corrected network protection stability index is obtained by adding to the network protection stability index to be corrected an amplification term proportional to the network operating environment disturbance amount and an additional term proportional to the square of the network operating environment disturbance amount.
8. The network active defense method for network protection according to claim 1, characterized in that the network proactive defense control template set includes low-level templates, medium-level templates, and high-level templates; low-level templates are used to limit the rate or number of connections for specific communication types, medium-level templates are used to tighten some access paths or reduce the set of accessible ports, and high-level templates are used to block high-risk communication paths or temporarily isolate critical subnets.
9. The network active defense method for network protection according to claim 1, characterized in that the network active defense control strength parameter is set to zero when the final network protection judgment result indicates that active defense is not triggered.
10. A proactive network defense system for network protection, characterized in that the system includes:
a state awareness and fusion module, used to acquire the statistical results of network communication behavior, the network security risk status results, and the network operation status results within the current time window; to scale-align these three results to obtain the network communication behavior state component, the network security risk state component, and the network operation state component; and to weight and combine these components according to preset combination coefficients to generate the network defense state vector;
a protection stability assessment module, used to calculate the network protection stability index to be corrected from the network defense state vector, the average value of the network defense state vector within the historical window, and the network defense state vector of the previous time window;
a disturbance correction and judgment module, used to obtain the network operating environment disturbance amount within the current time window, to calculate the corrected network protection stability index from the index to be corrected, the disturbance amplification coefficient and the disturbance constraint coefficient, and to compare the corrected index with a preset judgment threshold to generate the final network protection judgment result; and
a proactive defense execution module, used, when the final network protection judgment result indicates that proactive defense needs to be triggered, to calculate the network proactive defense control strength parameter from the deviation ratio between the corrected network protection stability index and the judgment threshold, to select the corresponding control template from the preset network proactive defense control template set according to that parameter, and to execute the corresponding network control action through the firewall centralized management system.