A cyber defense information analysis system and apparatus
By collecting and analyzing network data, the impact of external attacks and device anomalies on network defense is quantified, and optimized solutions are generated. This solves the problem of incomplete assessment in existing technologies, realizes real-time visibility and trend predictability of network defense capabilities, and improves the initiative and accuracy of defense strategies.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- NANJING VOCATIONAL UNIV OF IND TECH
- Filing Date
- 2026-05-25
- Publication Date
- 2026-06-23
AI Technical Summary
Current technologies lack a systematic approach to assessing network defense capabilities, failing to comprehensively consider both external attack pressures and internal defense vulnerabilities, resulting in inaccurate assessment results and a lack of trend prediction capabilities.
By collecting network load characteristic data, network boundary traffic data, firewall device operation characteristic data, and network topology data, and conducting multi-dimensional comparisons and correlation analyses, the consumption level and impact of external attacks on the overall network defense resources are quantified. Combined with the degree of weakening of the overall defense capability by firewall device anomalies, targeted network defense optimization solutions are generated.
It enables real-time visibility of network defense capabilities and predictability of evolution trends, improves the initiative and accuracy of defense strategies, and reduces the risk of business damage after the network is attacked.
Smart Images

Figure CN122268679A_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of network security technology, and in particular to a network defense information analysis system and device. Background Technology
[0002] With the continuous evolution of cyberattack methods, new attack methods such as distributed denial-of-service attacks, application-layer attacks, and advanced persistent threats are emerging one after another, posing increasingly severe security challenges to network defense systems. Current technologies for assessing network defense capabilities have the following main shortcomings: First, most existing solutions only focus on the operational status of single devices such as firewalls, including metrics like CPU utilization, memory usage, and connection table usage, lacking a systematic assessment of the overall network defense capability. In fact, network defense capability is determined by both external attack pressure and internal defense vulnerabilities; the status of a single device cannot fully reflect the overall network defense posture. Second, existing solutions often analyze external attack intensity and attack methods separately from the abnormal state of internal devices, failing to organically combine the three. However, the depletion of network defense capability is the result of the combined effects of external attack pressure and internal defense resources; analyzing any one dimension in isolation makes it difficult to accurately assess the overall risk. Finally, there is a lack of ability to assess the evolution trend of defense capability. Most existing solutions only assess the current state, unable to determine whether defense capability is continuously deteriorating or gradually recovering, making it difficult to provide a basis for proactive defense decisions.
[0003] Therefore, there is an urgent need for a method that can comprehensively consider external attack pressure and internal defense vulnerability, objectively quantify the risk of loss of overall network defense capabilities, and predict evolution trends. Summary of the Invention
[0004] To overcome the above-mentioned drawbacks, this application provides a network defense information analysis system and apparatus, which aims to solve the problems of single evaluation object, isolated indicators, subjective methods and lack of trend prediction in the prior art.
[0005] To achieve the above objectives, this application adopts the following technical solution: Firstly, this application provides a network defense information analysis system, comprising: The data acquisition module is used to collect incoming network load characteristic data, network boundary traffic data, firewall device operation characteristic data, and network topology data. The resource consumption module is used to compare the characteristics of incoming network load in multiple dimensions, analyze the changes in the core indicators of incoming network load, and comprehensively quantify the level of external attacks on the overall network defense resources. The attack impact module is used to perform correlation analysis on inbound network load characteristic data and network boundary traffic data. By calculating the correlation between attack characteristics and defense capability characterization indicators, it quantifies the impact of attack traffic on the overall network defense capability. The device weakening module is used to extract abnormal indicators of firewall devices from the operational characteristic data of firewall devices, and combine them with network topology data to determine the degree of weakening of the overall network defense capability caused by the abnormality of firewall devices. The risk assessment module is used to integrate the level of external attacks on the overall network defense resources, the impact of attack traffic on the overall network defense capability, and the degree of weakening of the overall network defense capability by firewall-type device anomalies, to comprehensively judge the overall network defense risk and risk evolution trend. The optimization generation module is used to generate targeted network defense optimization solutions based on the overall network defense risks and risk evolution trends.
[0006] According to the above technical solution, the steps for collecting inbound network load characteristic data, network boundary traffic data, firewall device operating characteristic data, and network topology data include: Step S11: Obtain inbound network load characteristic data. Specifically, collect the inbound bandwidth utilization, new connection rate, number of SYN packets, total number of packets, and total network egress bandwidth capacity from the network ingress traffic probe at the current moment. Divide the inbound bandwidth utilization at the current moment by the total network egress bandwidth capacity. If the inbound bandwidth utilization is less than the total network egress bandwidth capacity, take the actual ratio; otherwise, take 1 to obtain the bandwidth utilization rate at the current moment. Divide the number of SYN packets by the total number of packets to obtain the SYN packet percentage at the current moment. At the same time, identify the time period in the past 30 days where no attacks occurred. Take the maximum value of the new connection rate during the time period as the historical normal peak value of the new connection rate. Calculate the average value of the bandwidth utilization rate and the SYN packet percentage during the time period as the historical baseline value of the bandwidth utilization rate and the historical baseline value of the SYN packet percentage. Step S12: Obtain network boundary traffic data. Specifically, collect the inbound traffic value, outbound traffic value, and duration of all flow records from the network boundary traffic probe at the current moment. Divide the difference between the inbound and outbound traffic values by the inbound traffic value to obtain the current network egress packet loss rate. Divide the sum of the durations of all flow records by the total number of flow records to obtain the current network average connection duration. At the same time, identify the time period in the past 30 days during which no attacks occurred, and calculate the average of the network egress packet loss rate and the network average connection duration within the time period as the historical baseline values for the network egress packet loss rate and the network average connection duration. Step S13: Obtain operational characteristic data of firewall devices. Specifically, collect three indicators from the firewall devices at the current moment: policy hit rate, half-open connection ratio, and policy matching time. These indicators are directly counted and reported by the firewall devices. At the same time, collect the status information and reuse status of each connection at the current moment from the firewall devices, and collect the real session information at the current moment from the network ingress traffic probe. Compare the connection status information recorded in the firewall status table with the real session information, count the number of inconsistent connections, divide by the total number of connections to obtain the current status table asynchrony rate. Count the number of reused connections in the firewall session table, divide by the total number of connections to obtain the current session table reuse rate. Simultaneously, identify the time period in the past 30 days during which no attacks occurred, and calculate the average value of the status table asynchrony rate, policy hit rate, half-open connection ratio, session table reuse rate, and policy matching time during the time period as the historical baseline value of these five indicators. Step S14: Obtain network topology data, specifically by obtaining information on all network nodes, link connections, and the number of IP addresses for each subnet node from the network topology management system.
[0007] Based on the above technical solution, the steps for multi-dimensional comparison of incoming network load characteristic data, analysis of changes in core indicators of incoming network load, and comprehensive quantification of the consumption level of external attacks on the overall network defense resources include: Step S21: Extract the current new connection rate value and the historical normal peak value of the new connection rate from the incoming network load characteristic data. If the current value is lower than the peak value, the current new connection rate exceedance level is set to 0. If the current value exceeds the peak value, calculate the multiple of the excess part relative to the peak value, and map the multiple to the 0 to 1 range through the arctangent function to obtain the current new connection rate exceedance level. Step S22: Extract the bandwidth utilization rate at the current moment from the incoming network load characteristic data, add the square of the bandwidth utilization rate at the current moment to the square of the degree of over-limit of the newly established connection rate at the current moment, divide by two, and then take the square root to obtain the attack traffic impact intensity.
[0008] Based on the above technical solution, the steps for performing correlation analysis on inbound network load characteristic data and network boundary traffic data, and quantifying the impact of attack traffic on the overall network defense capability by calculating the correlation between attack characteristics and defense capability characterization indicators, include: Step S31: Extract the current bandwidth utilization rate and SYN packet ratio from the incoming network load characteristic data. At the same time, extract the historical baseline values of bandwidth utilization rate and SYN packet ratio. Divide the difference between the current value of bandwidth utilization rate and the baseline value by the baseline value to obtain the bandwidth utilization rate offset. Divide the difference between the current value of SYN packet ratio and the baseline value by the baseline value to obtain the SYN packet ratio offset. Combine the two offsets to form the attack feature offset vector. Step S32: Extract the current network outbound packet loss rate and the average connection duration from the network boundary traffic data. At the same time, extract the historical baseline values of the network outbound packet loss rate and the average connection duration. Divide the difference between the current value of the network outbound packet loss rate and the baseline value by the baseline value to obtain the network outbound packet loss rate offset. Divide the difference between the current value of the average connection duration and the baseline value by the baseline value to obtain the connection duration offset. Combine the two offsets to form the defense capability offset vector. Step S33: Calculate the cosine similarity between the attack feature offset vector and the defense capability offset vector, and take the non-negative value as the attack traffic threat coefficient.
[0009] According to the above technical solution, the steps for extracting abnormal indicators of firewall devices from the operational characteristic data of firewall devices and determining the degree to which the abnormality of firewall devices weakens the overall network defense capability, combined with network topology data, include: Step S41: Extract five indicators of the firewall device at the current moment from the operating characteristic data of the firewall device: state table asynchronous rate, policy hit rate, half-open connection ratio, session table reuse rate, and policy matching time. At the same time, extract the historical baseline values of the five indicators of the firewall device. Then, use the exponential decay function to calculate the abnormal index of the five indicators of the firewall device at the current moment, combine them to form a five-dimensional vector, and calculate the Minkowski distance between the five-dimensional vector and the zero point in the five-dimensional space as the degree of abnormality of the firewall device itself. Step S42: Obtain information on all network nodes, link connections, and the number of IP addresses of each subnet node from the network topology data, and abstract the network topology into a directed graph; starting from firewall-type device nodes, use a breadth-first search algorithm to propagate the influence hop by hop along the links, multiplying the influence by a decay coefficient at each hop until the influence is lower than a preset threshold, and record all affected nodes; sum the number of IP addresses of subnet nodes in the affected nodes, divide by the total number of IP addresses in the entire network, and obtain the influence range coefficient of the firewall-type device, which is used to characterize the potential impact range of the device's anomaly on the overall network defense capability; Step S43: Couple the anomaly level of firewall devices with the impact range coefficient in an exponential form to obtain the network defense capability attenuation degree.
[0010] Based on the above technical solution, the steps to comprehensively assess the overall network defense risk and its evolution trend by integrating the level of external attacks on the overall network defense resources, the impact of attack traffic on the overall network defense capability, and the degree of weakening of the overall network defense capability by firewall-type device anomalies include: Step S51: Nonlinearly couple the attack traffic impact intensity, attack traffic threat coefficient, and network defense capability attenuation to obtain the overall network defense risk index; Step S52: Select the network overall defense risk index sequence for the most recent continuous period, use the quadratic exponential smoothing method to predict the network overall defense risk index at multiple future moments, and use the least squares method to fit the linear trend of the network overall defense risk index prediction sequence to obtain the slope of the network overall defense risk change.
[0011] Based on the above technical solution, and considering the overall network defense risks and their evolution trends, the steps for generating a targeted network defense optimization solution include: Step S61: Based on the overall network defense risk index, output the corresponding network defense optimization strategy direction: When the overall network defense risk index is less than or equal to the first boundary value, output the regular monitoring strategy direction, keep the existing defense configuration unchanged, and continuously observe risk changes; when the overall network defense risk index is in the middle range between the first boundary value and the second boundary value, output the preventive measure strategy direction, including starting traffic rate limiting, adjusting policy priority, and increasing the proportion of reserved critical resources; when the overall network defense risk index is greater than or equal to the second boundary value, output the emergency response strategy direction, including enabling backup link diversion, triggering attack source blacklist blocking, and switching to backup firewall; the boundary values of the above three levels are configured by the system administrator during deployment according to the actual network capacity, and different division standards can be adopted for different network environments; Step S62: Based on the slope of the overall network defense risk change, adjust the specific intensity of the network defense optimization strategy: When the slope of the overall network defense risk change is positive, it indicates that the overall network defense risk is on the rise and the overall network defense capability is continuously deteriorating. At this time, the intensity of the strategy execution should be increased based on the determined network defense optimization strategy direction: If the original strategy direction is routine monitoring, upgrade to preventive measures; if the original strategy direction is preventive measures, upgrade to emergency response; if the original strategy direction is emergency response, shorten the strategy execution interval and expand the scope of handling. When the slope of the overall network defense risk change is negative, it indicates that the overall network defense risk is on the decline and the overall network defense capability is gradually recovering. At this time, maintain the current network defense optimization strategy direction unchanged, and evaluate the strategy rollback after the overall network defense risk index drops to near 0. When the absolute value of the slope of the overall network defense risk change approaches 0, it indicates that the overall network defense risk is stabilizing. At this time, maintain the determined network defense optimization strategy direction unchanged. Step S63: Combine the network defense optimization strategy direction and strategy strength to generate a structured network defense optimization scheme, which specifically includes: the overall network defense risk index, the slope of the overall network defense risk change, the recommended network defense optimization strategy direction, the network defense optimization strategy execution strength, and the recommended execution duration.
[0012] Secondly, this application provides a network defense information analysis device, including a display and a host. The host includes a processor and a memory. The display is electrically connected to the host. The memory stores a computer program that can be called by the processor. The processor runs a network defense information analysis system by calling the computer program stored in the memory.
[0013] Thirdly, this application provides a computer-readable storage medium storing instructions that, when executed on a computer, cause the computer to perform a network defense information analysis system.
[0014] Compared with the prior art, this application has the following advantages and beneficial effects: This application establishes a closed-loop mechanism covering the entire process from network data collection, multi-dimensional risk quantification, dynamic trend prediction to defense strategy generation. It realizes a fundamental shift in network defense capability assessment from single device status monitoring to overall defense situation awareness. This not only significantly improves the real-time knowability and predictability of network defense capability loss risks, but also transforms multi-dimensional risk quantification results into targeted defense optimization instructions. This enhances the initiative and accuracy of response at the defense strategy level, reduces the risk of business damage after network attacks, and drives the dynamic optimization of defense strategies based on real-time situation. Attached Figure Description
[0015] Other features, objects, and advantages of this application will become more apparent from the following detailed description of non-limiting embodiments with reference to the accompanying drawings: Figure 1 This is an overall structural diagram of a network defense information analysis system provided in an embodiment of this application; Figure 2 This is a data acquisition flowchart provided in an embodiment of this application; Figure 3 This is a flowchart illustrating the quantitative analysis of overall network defense resource consumption levels provided in this application embodiment; Figure 4 This is a flowchart illustrating the impact analysis of network defense capabilities provided in this application embodiment; Figure 5 This is a flowchart of the assessment of the overall network defense capability weakening provided in the embodiments of this application; Figure 6This application provides a flowchart for comprehensive evaluation of overall network defense capabilities; Figure 7 This is a flowchart illustrating the generation process of the network defense optimization scheme provided in this application embodiment. Detailed Implementation
[0016] The technical solution of this application will be further described in detail below with reference to the accompanying drawings and specific embodiments, so as to facilitate understanding and implementation by those skilled in the art. It should be understood that the specific embodiments described herein are only for explaining this application and are not intended to limit this application.
[0017] This application provides a network defense information analysis device, including a display and a host. The host includes a processor and a memory. The display is electrically connected to the host. The memory stores a computer program that can be called by the processor. The processor runs a network defense information analysis system by calling the computer program stored in the memory.
[0018] Please see Figure 1 , Figure 1 This is an overall structural diagram of a network defense information analysis system provided in an embodiment of this application, which specifically includes the following modules: The data acquisition module is used to collect incoming network load characteristic data, network boundary traffic data, firewall device operation characteristic data, and network topology data.
[0019] Please see Figure 2 , Figure 2 The complete technical process for data acquisition in the embodiments of this application is illustrated, and the specific steps are as follows: Step S11: Obtain inbound network load characteristic data. Specifically, collect the inbound bandwidth utilization, new connection rate, number of SYN packets, total number of packets, and total network egress bandwidth capacity from the network ingress traffic probe at the current moment. Divide the inbound bandwidth utilization at the current moment by the total network egress bandwidth capacity. If the inbound bandwidth utilization is less than the total network egress bandwidth capacity, take the actual ratio; otherwise, take 1 to obtain the bandwidth utilization rate at the current moment. Divide the number of SYN packets by the total number of packets to obtain the SYN packet percentage at the current moment. At the same time, identify the time period in the past 30 days where no attacks occurred. Take the maximum value of the new connection rate during the time period as the historical normal peak value of the new connection rate. Calculate the average value of the bandwidth utilization rate and the SYN packet percentage during the time period as the historical baseline value of the bandwidth utilization rate and the historical baseline value of the SYN packet percentage. Step S12: Obtain network boundary traffic data. Specifically, collect the inbound traffic value, outbound traffic value, and duration of all flow records from the network boundary traffic probe at the current moment. Divide the difference between the inbound and outbound traffic values by the inbound traffic value to obtain the current network egress packet loss rate. Divide the sum of the durations of all flow records by the total number of flow records to obtain the current network average connection duration. At the same time, identify the time period in the past 30 days during which no attacks occurred, and calculate the average of the network egress packet loss rate and the network average connection duration within the time period as the historical baseline values for the network egress packet loss rate and the network average connection duration. Step S13: Obtain operational characteristic data of firewall devices. Specifically, collect three indicators from the firewall devices at the current moment: policy hit rate, half-open connection ratio, and policy matching time. These indicators are directly counted and reported by the firewall devices. At the same time, collect the status information and reuse status of each connection at the current moment from the firewall devices, and collect the real session information at the current moment from the network ingress traffic probe. Compare the connection status information recorded in the firewall status table with the real session information, count the number of inconsistent connections, divide by the total number of connections to obtain the current status table asynchrony rate. Count the number of reused connections in the firewall session table, divide by the total number of connections to obtain the current session table reuse rate. Simultaneously, identify the time period in the past 30 days during which no attacks occurred, and calculate the average value of the status table asynchrony rate, policy hit rate, half-open connection ratio, session table reuse rate, and policy matching time during the time period as the historical baseline value of these five indicators. Step S14: Obtain network topology data, specifically by obtaining information on all network nodes, link connections, and the number of IP addresses for each subnet node from the network topology management system. The data acquisition process in this embodiment unifies and aligns heterogeneous data that were originally scattered across network entry points, boundaries, devices, and topologies, providing a complete and accurate data foundation for subsequent multi-dimensional risk quantification and ensuring that the assessment results can fully reflect the true state of the network's overall defense capabilities.
[0020] The resource consumption module is used to compare the characteristics of incoming network load from multiple dimensions, analyze the changes in the core indicators of incoming network load, and comprehensively quantify the level of external attacks on the overall network defense resources.
[0021] Please see Figure 3 , Figure 3 This is a flowchart illustrating the quantification of overall network defense resource consumption levels provided in this application embodiment. The specific steps are as follows: Step S21: Extract the current new connection rate and the historical normal peak value of the new connection rate from the incoming network load characteristic data. If the current value is lower than the peak value, the current new connection rate exceedance level is set to 0; if the current value exceeds the peak value, calculate the multiple of the excess portion relative to the peak value, and map this multiple to the interval between 0 and 1 using the arctangent function to obtain the current new connection rate exceedance level.
[0022] In the formula, The value ranges from [0,1) to indicate the extent to which the rate of newly established connections exceeds the limit, representing the impact of attack traffic on the network's ability to maintain its state. This represents the rate of new connections established at the current moment. This represents the peak rate of new connections during periods of no attack over the past 30 days. It is the arctangent function; This embodiment uses a piecewise function to calculate the degree of over-limit of the newly established connection rate. The reason is that when the newly established connection rate does not exceed the historical normal peak, the network device can stably process the current request and will not have a substantial impact on the network defense capability. Therefore, the degree of over-limit is 0. Only when the newly established connection rate exceeds the historical normal peak does it mean that the network has entered an abnormal overload state. At this time, it is necessary to quantify its degree of over-limit. For the portion exceeding the limit, first calculate the relative multiple by which the rate of newly established connections exceeds the peak value. This value characterizes the severity of the exceedance. Secondly, since this relative multiple can theoretically be infinitely large, it needs to be mapped to a finite numerical range for subsequent calculations. Therefore, the arctangent function is introduced. This is because, in the field of network security, there is a non-linear relationship between the degree to which the new connection rate exceeds the limit and the degradation of device processing capacity: when the new connection rate slightly exceeds the limit, the efficiency of connection table lookups in devices such as firewalls will decrease significantly, and some new requests will begin to experience delays; when the new connection rate moderately exceeds the limit, the device's connection table is close to saturation, and a large number of new requests are dropped; when the new connection rate severely exceeds the limit, the device's connection table is completely saturated, and all new requests are rejected. At this point, further increases in the degree of exceeding the limit will not lead to more serious consequences, and the arctangent function can precisely characterize this characteristic—when the exceedance multiple is small, the function value increases rapidly, reflecting the significant impact of slight exceedance; finally, multiply by Normalize the mapping results to The interval is used to determine the extent to which the rate of new connections exceeds the limit at the current moment. ; Step S22: Extract the bandwidth utilization rate at the current moment from the incoming network load characteristic data, add the square of the bandwidth utilization rate at the current moment to the square of the degree of over-limit of the new connection rate at the current moment, divide by two, and then take the square root to obtain the attack traffic impact intensity. The network overall defense resource consumption level quantification process in this embodiment quantifies the level of external attacks on the overall network defense resources from two core dimensions: bandwidth resources and connection resources. This avoids the one-sidedness of evaluation by a single indicator and can more comprehensively reflect the resource stress of the network under different types of attacks. At the same time, it uses Euclidean norm for fusion calculation, which effectively characterizes the bottleneck effect and superimposed impact of multi-dimensional resource consumption. This makes the quantification results more in line with the actual operation law of network security defense and provides a reliable input basis for subsequent risk assessment of defense capability loss.
[0023] The attack impact module is used to perform correlation analysis on inbound network load characteristic data and network boundary traffic data. By calculating the correlation between attack characteristics and defense capability characterization indicators, it quantifies the impact of attack traffic on the overall network defense capability.
[0024] Please see Figure 4 , Figure 4 This is a flowchart illustrating the impact analysis of network defense capabilities provided in this application embodiment. The specific steps are as follows: Step S31: Extract the current bandwidth utilization rate and SYN packet ratio from the incoming network load characteristic data. At the same time, extract the historical baseline values of bandwidth utilization rate and SYN packet ratio. Divide the difference between the current value of bandwidth utilization rate and the baseline value by the baseline value to obtain the bandwidth utilization rate offset. Divide the difference between the current value of SYN packet ratio and the baseline value by the baseline value to obtain the SYN packet ratio offset. Combine the two offsets to form the attack feature offset vector. Step S32: Extract the current network-wide outbound packet loss rate and the average connection duration from the network boundary traffic data. Simultaneously, extract the historical baseline values of the network-wide outbound packet loss rate and the average connection duration. Divide the difference between the current value of the network-wide outbound packet loss rate and the baseline value by the baseline value to obtain the network-wide outbound packet loss rate offset. Divide the difference between the current value of the network-wide average connection duration and the baseline value by the baseline value to obtain the connection duration offset. Combine the two offsets to form the defense capability offset vector. Step S33: Calculate the cosine similarity between the attack feature offset vector and the defense capability offset vector, and take the non-negative value as the attack traffic threat coefficient.
[0025] In the formula, The attack traffic threat coefficient represents the impact of attack traffic on the overall network defense capability, and its value ranges from [0,1]. This is the attack feature offset vector; This is the defensive capability offset vector; and These are the magnitudes of the two vectors, respectively. This indicates taking the maximum value within the parentheses; In the field of network security, increased bandwidth utilization usually directly leads to increased packet loss rate, and an increased proportion of SYN packets usually leads to abnormal connection duration. Therefore, there is a positive correlation between attack characteristics and defense capabilities. When the attack characteristic offset vector and the defense capability offset vector are in the same direction, their cosine similarity approaches 1, indicating that the current attack pattern has a significant impact on defense capabilities. Conversely, when their directions are not the same, their cosine similarity approaches 0, indicating that changes in attack characteristics have not yet had a substantial impact on defense capabilities. Based on this positive correlation, the influence degree value formula in this embodiment first calculates the cosine similarity between the feature offset vector and the defense capability offset vector, and then... Negative values of cosine similarity are truncated to 0 to characterize the impact of attack traffic on the overall network defense capability. Since negative values indicate that the defense capability improves when the attack characteristics increase, which contradicts the basic logic of network attacks, they are not included in the degree of impact. The network defense capability impact analysis process in this embodiment is based entirely on real-time collected network traffic data and historical baseline data. It can adapt to different network environments and attack scenarios, accurately reflect the correlation strength between changes in attack characteristics and the decline in defense capabilities, and provide a reliable basis for the comprehensive assessment of subsequent defense capability loss risks.
[0026] The device weakening module is used to extract abnormal indicators of firewall devices from the operational characteristic data of firewall devices, and combine them with network topology data to determine the degree to which the abnormality of firewall devices weakens the overall network defense capability.
[0027] Please see Figure 5 , Figure 5 This is a flowchart of the network overall defense capability weakening assessment provided in the embodiments of this application. The specific steps are as follows: Step S41: Extract five metrics for the firewall device at the current moment from the firewall device's operational characteristic data: state table asynchronous rate, policy hit rate, half-open connection percentage, session table reuse rate, and policy matching time. Simultaneously, extract the historical baseline values of these five metrics. Then, use an exponential decay function to calculate the anomaly index of these five metrics at the current moment, combine them to form a five-dimensional vector, and calculate the Minkowski distance between this five-dimensional vector and the zero point in the five-dimensional space, which serves as the degree of anomaly of the firewall device itself. The specific steps are as follows: First, for indicators such as state table asynchronous rate, half-connection ratio, and policy matching time, where an increase in these values indicates a worsening of anomalies, an exponential decay function is used to map the ratio of the current value to the historical baseline value to the interval between 0 and 1, yielding the anomaly index for each indicator. The calculation formula is as follows: ; For metrics like strategy hit rate and session table reuse rate, where a decrease indicates an aggravated anomaly, an exponential decay function is used to map the ratio of the historical baseline value to the current value to a range of 0 to 1, yielding the anomaly index for each metric. The calculation formula is as follows:
[0028] In the formula, This represents the anomaly index of the i-th metric for firewall devices, with a value range of [0,1]. The closer the value is to 1, the more severe the abnormality of the indicator. ; This represents the current value of the i-th metric for firewall devices. Let be the historical baseline value of the i-th metric for firewall devices; e is a natural constant. Secondly, the abnormal indices of five indicators of firewall devices at the current moment are combined to form a five-dimensional vector. ,calculate The Minkowski distance to the zero point in five-dimensional space is used, and p=3 is taken as the distance parameter to obtain the degree of abnormality of the firewall-type device itself;
[0029] In the formula, This represents the degree of abnormality of the firewall device itself, with a value range of [0,1]. The closer the value is to 1, the more severe the anomaly of the firewall device itself; During the operation of firewall devices, various indicators do not exist in isolation. For example, an increase in the asynchronous rate of the state table can lead to the failure of state queries during policy matching, which in turn causes a decrease in the policy hit rate. An increase in the proportion of half-open connections can squeeze connection table resources, resulting in a decrease in the session table reuse rate. These coupling mechanisms indicate that there is a mutual amplification effect among the five abnormal indices calculated in this embodiment. That is, when one abnormality is severe, other indicators will also deteriorate. Therefore, the degree of abnormality of firewall devices should give higher weight to the larger abnormal indices, so that the severe abnormal indicators dominate the results, while still retaining consideration for other abnormal indicators. To achieve this goal, this embodiment uses Minkowski distance to calculate the distance between the five-dimensional vector and the zero point. This is because the sensitivity of the Minkowski distance to the larger values among the various anomaly indices of firewall devices can be flexibly controlled by adjusting the parameter p. When the value of p is larger, the distance calculation is more sensitive to the larger components of the anomaly indices, and the larger components play a stronger dominant role in the result. This characteristic is consistent with the actual operating rules of firewall devices: when any one of the five indicators of a firewall device is seriously abnormal, the abnormality will be transmitted to other indicators through functional dependence, causing multiple indicators to deteriorate simultaneously. Therefore, the serious abnormality should dominate the calculation result of the anomaly degree of the firewall device itself. When p=1, the calculated anomaly level of firewall devices is the arithmetic sum of the anomaly indices of each indicator. This is easily averaged out due to the large number of indicators, failing to reflect the dominant role of severe anomalies in firewall devices. When p=2, the calculated anomaly level of firewall devices is the Euclidean distance between the anomaly indices of each indicator. It has moderate sensitivity to larger values, but may still be diluted by multiple medium anomalies. When p=3, the calculated anomaly level of firewall devices is more sensitive to the larger values of the anomaly indices of each indicator, making the severe anomaly indicators of firewall devices dominate the results, while still retaining consideration for other anomaly indicators. Therefore, the Minkowski distance formula with p=3 is used to calculate the anomaly level of firewall devices. Step S42: Obtain information on all network nodes, link connections, and the number of IP addresses for each subnet node from the network topology data, and abstract the network topology into a directed graph; starting with firewall-type device nodes, use a breadth-first search algorithm to propagate the influence hop-by-hop along the links, multiplying the influence by a decay coefficient at each hop until the influence is below a preset threshold, and record all affected nodes; sum the number of IP addresses of subnet nodes among the affected nodes, divide by the total number of IP addresses in the entire network, and obtain the influence range coefficient of the firewall-type device, which is used to characterize the potential impact range of the device's anomaly on the overall network defense capability; the specific steps are as follows: First, since the impact of device failures in a network topology gradually decreases with increasing propagation distance, the impact on nodes farther away is smaller, and this attenuation usually exhibits an exponential characteristic, meaning that the impact decreases by a fixed proportion with each hop; therefore, this embodiment uses an exponential attenuation model to simulate the propagation process of firewall-type device anomalies in the topology, setting the propagation attenuation coefficient to 0.5, indicating that the impact is halved with each hop; at the same time, the impact truncation threshold is set to 0.01, and when the impact attenuates to less than 1% of the initial impact, the impact is considered negligible. This ensures that the main impact area is fully covered, while avoiding excessive computation due to excessive propagation distance; Based on the above settings, the network topology is abstracted as a directed graph, where nodes include firewall devices, routers, switches, and subnets, and links represent the connections between nodes. The initial influence of a firewall device node is defined as 1, and then the influence propagates along the links to neighboring nodes, multiplying by a decay factor of 0.5 for each hop. The specific propagation process uses a breadth-first search algorithm: starting with a firewall device node, all its neighbor nodes are added to a queue, with the influence being the initial influence multiplied by 0.5; then, each node in the queue is processed, its neighbor nodes are added to the queue, and the influence is the current node's influence multiplied by 0.5; this process is repeated until either the queue is empty or the current influence is below a threshold of 0.01, at which point propagation stops; after propagation, all nodes with an influence greater than 0.01 are recorded, forming the affected node set. Add up the number of IP addresses of all subnet nodes in the affected node set to get the total number of affected IP addresses. Add up the number of IP addresses of all subnet nodes in the entire network to get the total number of IP addresses in the entire network. Divide the total number of affected IP addresses by the total number of IP addresses in the entire network to get the impact range coefficient of the firewall device. The value of this coefficient ranges from 0 to 1. The closer the value is to 1, the wider the impact range of the firewall device anomaly. Step S43: Couple the anomaly level of firewall devices with the impact range coefficient in an exponential form to obtain the network defense capability attenuation degree:
[0030] In the formula, The network defense capability attenuation level represents the degree to which anomalies in firewall devices weaken the overall network defense capability, with a value range of [0,1]. This represents the degree of abnormality of the firewall device itself, with a value range of [0,1]. It reflects the saturation level of the firewall device's CPU, memory, and the most strained resources in the connection table. This is the influence range coefficient for firewall devices, with a value range of [0,1]. It reflects the degree of influence of the position of firewall devices in the network topology on the overall defense. Because firewall devices play a core defensive role in the network, their degree of abnormality is significant when they are functioning normally. It does not weaken the overall defensive capability in any way; after substituting into the formula, we get... Since the single entry point node has no redundant backups, its anomaly will directly lead to a proportional decrease in the overall network defense capability. Therefore, when... hour, Because in multi-link or local subnet scenarios, other links and defense nodes can buffer the impact of failures, and the buffering effect accelerates and strengthens as the scope of impact shrinks, therefore when When using exponential form, Follow The reduction and acceleration of decay, rather than the nonlinear decay, is more in line with the buffering characteristics of redundancy mechanisms for local faults in actual networks. The network overall defense capability weakening assessment process in this embodiment makes the assessment results more in line with the nonlinear law of defense capability attenuation in the actual network environment, providing an objective and quantifiable input basis for the subsequent comprehensive assessment of overall risk, and effectively solving the problems of equipment anomaly assessment being disconnected from the overall network, strong subjectivity, and inability to reflect topology impact in the prior art.
[0031] The risk assessment module integrates the level of external attacks on the overall network defense resources, the impact of attack traffic on the overall network defense capabilities, and the degree of weakening of the overall network defense capabilities by firewall-type device anomalies, to comprehensively judge the overall network defense risks and risk evolution trends.
[0032] Please see Figure 6 , Figure 6 This is a flowchart of the comprehensive evaluation process for overall network defense capabilities provided in this application embodiment. The specific steps are as follows: Step S51: Nonlinearly couple the attack traffic impact intensity, attack traffic threat coefficient, and network defense capability attenuation to obtain the overall network defense risk index.
[0033] In the formula, This represents the overall network defense risk index, with a value range of [0,1]. The closer it is to 1, the higher the risk of attack on the network defense from the current external traffic, and the greater the possibility of the defense failing; In the comprehensive risk index calculation formula of this embodiment, firstly, considering that the attack traffic impact intensity reflects the degree of attack's occupation of network bandwidth and connection resources, and the attack traffic threat coefficient reflects the degree of attack methods' impact on firewall policy caching and state inspection capabilities, the two together determine the actual destructive power of the attack. When the attack traffic impact intensity is large but the threat coefficient is low, such as in a large-scale attack, the attack can still cause an impact by exhausting bandwidth; when the attack traffic threat coefficient is high but the impact intensity is low, such as in precise vulnerability detection, the attack can still cause an impact by bypassing strategies. Therefore, a geometric average is used to calculate the attack pressure. This can both make the two compensate for each other and avoid completely underestimating the attack pressure due to a low single dimension. Secondly, the network defense capability attenuation reflects the degree of wear and tear on critical resources of the firewall device, such as CPU, memory, and connection tables. A higher value indicates that the firewall device is closer to the brink of collapse. However, in network security practice, the process of defense capability from healthy to collapsing exhibits a non-linear characteristic. That is, when the firewall device is still in good condition, increasing the attenuation by the same amount has a relatively small impact on risk; but when the firewall device is close to its limit, even a small increase in attenuation can lead to a sharp increase in risk. Therefore, adopting... As an amplification factor, the amplification factor is 1 when D=0 and e when D=1, which can accurately characterize this nonlinear amplification effect. Finally, after multiplying the attack pressure by the amplification factor, and then... Mapping to the 0-1 range yields the overall network defense risk index. This function shows rapid output growth when the input is small and slows down when the input is large, consistent with the objective law that the attack risk of external traffic on network defense gradually saturates from low to high: when both attack pressure and defense attenuation are at low levels, the overall network defense risk increases rapidly with both; when the overall network defense risk approaches its limit, the aggravating effect of either increased attack pressure or further defense attenuation on the overall network defense risk gradually weakens. Step S52: Select the network overall defense risk index sequence for a recent continuous period, use the quadratic exponential smoothing method to predict the network overall defense risk index at multiple future moments, and fit the linear trend of the predicted network overall defense risk index sequence using the least squares method to obtain the slope of the network overall defense risk change, which is used to determine the evolution trend of the network overall defense risk; the specific steps are as follows: First, in cybersecurity practice, when an attack is ongoing, the attack traffic impact intensity and attack traffic threat coefficient usually remain high, causing the risk index to rise continuously; when the attack subsides or the defense capability is restored, the risk index continues to decline. Thus, the change in the overall network defense risk index has a trend characteristic, and a predictive method that can capture trend changes is needed for research. The quadratic exponential smoothing method balances the influence of historical data and current data through a smoothing coefficient, which can effectively filter short-term fluctuations and extract the long-term trend of the sequence, and is suitable for short-term prediction with linear trends. Secondly, based on the above principle, the average of the first 5 sampling periods of the network overall defense risk index sequence from the most recent 30 consecutive sampling periods is taken as the initial value for smoothing. and the initial value of quadratic smoothing Then set the smoothing coefficient. This value assigns 70% weight to historical trend information and 30% weight to the current state, which preserves trend characteristics while avoiding excessive reliance on single-point data that could lead to large fluctuations in predictions. Next, starting from the 6th sampling period of the overall network defense risk index sequence, the first and second smoothing values for each sampling period are calculated sequentially until the 30th sampling period, which is the current sampling period; for the 6th sampling period... Each sampling period ( From 6 to 30), the formula for calculating the first smoothing value is: The formula for calculating the quadratic smoothing value is: When k=6, , That is, using the initial smoothing value to calculate the smoothing result of the 6th sampling period; when If the result is not found, the smoothing result of the previous sampling period is used to recursively calculate the smoothing result of the current sampling period; through the above recursion, the first smoothing value of the current sampling period is calculated successively. and quadratic smoothing value ; Based on the first smoothing value of the current sampling period and quadratic smoothing value Calculate and obtain the prediction baseline value An estimate used to reflect the current overall network defense risk level, predicting trend values. This is used to reflect the change in the overall network defense risk per unit of time; from this, future... Formula for predicting the overall network defense risk index during the sampling period Repeat the above calculations to obtain the predicted risk index values for the next 5 sampling periods. ; Finally, since single-point predictions are easily affected by prediction errors, directly comparing trends between adjacent sampling periods may lead to misjudgments. Therefore, it is necessary to integrate information from multiple prediction points to assess the overall direction of change in the network's overall defense risk. This embodiment uses the least squares method to fit the linear trend of the predictions over the next five sampling periods to obtain the slope of the overall network defense risk change. According to the slope The sign and magnitude of the value indicate the evolution trend of overall network defense risk; The comprehensive network defense capability assessment process in this embodiment enables the quantification of overall network defense risk to objectively reflect the nonlinear coupling relationship between attack pressure and defense vulnerability, and also has the ability to predict the evolution trend of risk, providing an accurate and reliable decision-making basis for the formulation of subsequent defense optimization schemes.
[0034] The optimization generation module is used to generate targeted network defense optimization solutions based on the overall network defense risks and risk evolution trends.
[0035] Please see Figure 7 , Figure 7This is a flowchart illustrating the generation process of the network defense optimization scheme provided in this application embodiment. The specific steps are as follows: Step S61: Based on the overall network defense risk index, output the corresponding network defense optimization strategy direction: When the overall network defense risk index is less than or equal to the first boundary value, output the regular monitoring strategy direction, keeping the existing defense configuration unchanged and continuously observing risk changes; when the overall network defense risk index is in the middle range between the first and second boundary values, output the preventive measures strategy direction, including starting traffic rate limiting, adjusting policy priority, and increasing the proportion of reserved critical resources; when the overall network defense risk index is greater than or equal to the second boundary value, output the emergency response strategy direction, including enabling backup link traffic diversion, triggering attack source blacklist blocking, and switching to backup firewall; the boundary values of the above three levels... Configured by the system administrator during deployment based on the actual network capacity. Different network environments can use different boundary standards, with the first boundary value ranging from 0 to 0.15 and the second boundary value ranging from 0.85 to 1. The core of response level boundary division is to quantify the risk based on the acceptable level of impact on the business. Routine monitoring should ensure that the business is unaware of the impact. Preventive measures allow for a controllable impact on non-core businesses or user experience. Emergency response is the last line of defense when core businesses face the risk of interruption. Specific values need to be determined through rigorous stress testing to understand the system limits, combined with business impact analysis from historical failure data, and finally aligned with the business stakeholders to determine their tolerance duration and values for various service interruptions. Step S62: Based on the slope of the overall network defense risk change, adjust the specific intensity of the network defense optimization strategy: When the slope of the overall network defense risk change is positive, it indicates that the overall network defense risk is on the rise and the overall network defense capability is continuously deteriorating. At this time, the intensity of the strategy execution should be increased based on the determined network defense optimization strategy direction: If the original strategy direction is routine monitoring, upgrade to preventive measures; if the original strategy direction is preventive measures, upgrade to emergency response; if the original strategy direction is emergency response, shorten the strategy execution interval and expand the scope of handling. When the slope of the overall network defense risk change is negative, it indicates that the overall network defense risk is on the decline and the overall network defense capability is gradually recovering. At this time, maintain the current network defense optimization strategy direction unchanged, and evaluate the strategy rollback after the overall network defense risk index drops to near 0. When the absolute value of the slope of the overall network defense risk change approaches 0, it indicates that the overall network defense risk is stabilizing. At this time, maintain the determined network defense optimization strategy direction unchanged. Step S63: Combine the network defense optimization strategy direction and strategy strength to generate a structured network defense optimization scheme, which specifically includes: the overall network defense risk index, the slope of the overall network defense risk change, the recommended network defense optimization strategy direction, the network defense optimization strategy execution strength, and the recommended execution duration. The network defense optimization scheme generation process in this embodiment enables the network defense optimization scheme to determine the strategy type based on the current risk level and adjust the execution intensity according to the risk change trend. This provides network administrators with a clear, operable and forward-looking decision-making basis, effectively supporting the proactive response capability of network defense.
[0036] This application provides a network defense information analysis device, including a display and a host. The host includes a memory, a processor, and a communication bus. The display is electrically connected to the host. The memory and the processor are connected via the communication bus. The memory stores a network defense information analysis system as provided in the above embodiment that can be loaded and executed by the processor.
[0037] The memory can be used to store instructions, programs, code, code sets, or instruction sets; the memory may include a program storage area and a data storage area, wherein the program storage area may store instructions for implementing an operating system, instructions for at least one function, and instructions for implementing a network defense information analysis system provided in the above embodiments, etc.; the data storage area may store data involved in the network defense information analysis system provided in the above embodiments, etc.
[0038] The processor may include one or more processing cores; the processor executes or runs instructions, programs, code sets or instruction sets stored in memory, calls data stored in memory, and performs various functions and processes data in this application; the processor may be at least one of the following: Application-Specific Integrated Circuit (ASIC), Digital Signal Processor (DSP), Digital Signal Processing Device (DSPD), Programmable Logic Device (PLD), Field Programmable Gate Array (FPGA), Central Processing Unit (CPU), controller, microcontroller and microprocessor; it is understood that for different devices, the electronic device used to implement the above processor functions may also be other, and the embodiments of this application do not specifically limit it.
[0039] A communication bus may include a path for transmitting information between the aforementioned components; the communication bus may be a PCI (Peripheral Component Interconnect) bus or an EISA (Extended Industry Standard Architecture) bus, etc.; the communication bus may be divided into address bus, data bus, control bus, etc.
[0040] The display can be a liquid crystal display, an organic light-emitting diode display, or other types of display devices, used to present the analysis results generated by the processor to the network administrator in a visual interface, so that the administrator can intuitively understand the current network defense situation and make corresponding decisions.
[0041] This application provides a computer-readable storage medium storing a computer program that can be loaded by a processor and executed as described in the above embodiments, representing a network defense information analysis system.
[0042] In this embodiment, a computer-readable storage medium can be a tangible device that holds and stores instructions used by an instruction execution device; a computer-readable storage medium can be, but is not limited to, an electrical storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any combination thereof; specifically, a computer-readable storage medium can be a portable computer disk, a hard disk, a USB flash drive, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a static random access memory (SRAM), a portable compact disc read-only memory (CD-ROM), a digital multifunction disc (DVD), a memory stick, a floppy disk, an optical disk, a magnetic disk, a mechanical encoding device, or any combination thereof.
[0043] The terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such process, method, article, or apparatus.
[0044] The above description is merely a preferred embodiment of this application and an explanation of the technical principles used. Those skilled in the art should understand that the scope of this application is not limited to the technical solutions formed by a specific combination of the above-mentioned technical features, but should also cover other technical solutions formed by any combination of the above-mentioned technical features or their equivalent features without departing from the foregoing application concept; for example, technical solutions formed by replacing the above-mentioned features with (but not limited to) technical features with similar functions applied in this application.
Claims
1. A network defense information analysis system, characterized in that, The system includes: The data acquisition module is used to collect incoming network load characteristic data, network boundary traffic data, firewall device operation characteristic data, and network topology data. The resource consumption module is used to compare the characteristics of incoming network load in multiple dimensions, analyze the changes in the core indicators of incoming network load, and comprehensively quantify the level of external attacks on the overall network defense resources. The attack impact module is used to perform correlation analysis on inbound network load characteristic data and network boundary traffic data. By calculating the correlation between attack characteristics and defense capability characterization indicators, it quantifies the impact of attack traffic on the overall network defense capability. The device weakening module is used to extract abnormal indicators of firewall devices from the operational characteristic data of firewall devices, and combine them with network topology data to determine the degree of weakening of the overall network defense capability caused by the abnormality of firewall devices. The risk assessment module is used to integrate the level of external attacks on the overall network defense resources, the impact of attack traffic on the overall network defense capability, and the degree of weakening of the overall network defense capability by firewall-type device anomalies, to comprehensively judge the overall network defense risk and risk evolution trend. The optimization generation module is used to generate targeted network defense optimization solutions based on the overall network defense risks and risk evolution trends.
2. The network defense information analysis system according to claim 1, characterized in that, The collected inbound network load characteristic data, network boundary traffic data, firewall device operating characteristic data, and network topology data include the following specific contents: Obtain inbound network load characteristic data, specifically by collecting the current inbound bandwidth utilization, new connection rate, number of SYN packets, total number of packets, and total network egress bandwidth capacity from the network ingress traffic probe; divide the current inbound bandwidth utilization by the total network egress bandwidth capacity, taking the actual ratio if the inbound bandwidth utilization is less than the total network egress bandwidth capacity, otherwise taking 1, to obtain the bandwidth utilization rate at the current moment; divide the number of SYN packets by the total number of packets to obtain the SYN packet percentage at the current moment; Simultaneously, identify time periods in the past 30 days where no attacks occurred, take the maximum value of the new connection rate within the time period as the historical normal peak value of the new connection rate, and calculate the average value of the bandwidth utilization rate and SYN packet ratio within the time period as the historical baseline value of the bandwidth utilization rate and the historical baseline value of the SYN packet ratio. Obtain network boundary traffic data, specifically by collecting the current inbound and outbound traffic values, as well as the duration of all flow records, from the network boundary traffic probe; Divide the difference between the inbound and outbound traffic values by the inbound traffic value to obtain the current network outbound packet loss rate; divide the sum of the durations of all flow records by the total number of flow records to obtain the current network average connection duration; at the same time, identify the time period in the past 30 days during which no attacks occurred, and calculate the average of the network outbound packet loss rate and the network average connection duration during the time period as the historical baseline values for the network outbound packet loss rate and the network average connection duration. Obtain operational characteristic data of firewall devices, specifically collecting three indicators from firewall devices at the current moment: policy hit rate, half-open connection ratio, and policy matching time. These indicators are directly counted and reported by the firewall devices. At the same time, collect the status information and multiplexing status of each connection at the current moment from firewall devices, and collect the real session information at the current moment from network ingress traffic probes. The connection state information recorded in the firewall state table is compared with the actual session information. The number of inconsistent connections is counted and divided by the total number of connections to obtain the current state table asynchrony rate. The number of reused connections in the firewall session table is counted and divided by the total number of connections to obtain the current session table reuse rate. At the same time, identify the time period in the past 30 days during which no attacks occurred, and calculate the average value of the state table asynchronous rate, policy hit rate, half-connection ratio, session table reuse rate and policy matching time consumption during the time period, which will be used as the historical baseline value of these five indicators. Obtain network topology data, specifically by retrieving information on all network nodes, link connections, and the number of IP addresses for each subnet node from the network topology management system.
3. The network defense information analysis system according to claim 2, characterized in that, The process of comparing incoming network load characteristic data from multiple dimensions, analyzing changes in core indicators of incoming network load, and comprehensively quantifying the level of external attacks' consumption of overall network defense resources includes the following specific content: Extract the current new connection rate and the historical normal peak value of the new connection rate from the incoming network load characteristic data. If the current value is lower than the peak value, the current new connection rate exceedance level is set to 0. If the current value exceeds the peak value, calculate the multiple of the excess portion relative to the peak value, and map this multiple to the interval between 0 and 1 using the arctangent function to obtain the degree of over-limit of the new connection rate at the current moment; Extract the bandwidth utilization rate at the current moment from the incoming network load characteristic data, add the square of the bandwidth utilization rate at the current moment to the square of the degree of over-limit of the newly established connection rate at the current moment, divide by two, and then take the square root to obtain the attack traffic impact intensity.
4. The network defense information analysis system according to claim 3, characterized in that, The correlation analysis of inbound network load characteristic data and network boundary traffic data, by calculating the correlation between attack characteristics and defense capability characterization indicators, quantifies the impact of attack traffic on the overall network defense capability, including the following specific contents: The bandwidth utilization and SYN packet ratio at the current moment are extracted from the incoming network load characteristic data. At the same time, the historical baseline values of bandwidth utilization and SYN packet ratio are extracted. The difference between the current value of bandwidth utilization and the baseline value is divided by the baseline value to obtain the bandwidth utilization offset. The difference between the current value of SYN packet ratio and the baseline value is divided by the baseline value to obtain the SYN packet ratio offset. The two offsets are then combined to form the attack feature offset vector. Extract the current network outbound packet loss rate and the average connection duration from the network boundary traffic data. At the same time, extract the historical baseline values of the network outbound packet loss rate and the average connection duration. Divide the difference between the current value of the network outbound packet loss rate and the baseline value by the baseline value to obtain the network outbound packet loss rate offset. Divide the difference between the current value of the average connection duration and the baseline value by the baseline value to obtain the connection duration offset. Then combine the two offsets to form the defense capability offset vector. Calculate the cosine similarity between the attack feature offset vector and the defense capability offset vector, and take the non-negative value as the attack traffic threat coefficient.
5. A network defense information analysis system according to claim 4, characterized in that, The process of extracting abnormal indicators of firewall devices from their operational characteristic data and combining this with network topology data to determine the degree to which these anomalies weaken the overall network defense capability includes the following specific aspects: Five indicators of firewall devices at the current moment are extracted from the operational characteristic data of firewall devices: state table asynchronous rate, policy hit rate, half-open connection ratio, session table reuse rate, and policy matching time. At the same time, the historical baseline values of the five indicators of firewall devices are extracted. Then, the exponential decay function is used to calculate the abnormal index of the five indicators of firewall devices at the current moment. The index is combined to form a five-dimensional vector. The Minkowski distance between the five-dimensional vector and the zero point in the five-dimensional space is calculated as the degree of abnormality of the firewall device itself. The network topology data is used to extract information on all network nodes, link connections, and the number of IP addresses of each subnet node, and the network topology is abstracted into a directed graph. Starting with firewall-type device nodes, the influence is propagated hop-by-hop along the link using a breadth-first search algorithm. The influence is multiplied by a decay coefficient at each hop until the influence is below a preset threshold. All affected nodes are recorded. The number of IP addresses of subnet nodes in the affected nodes is summed and divided by the total number of IP addresses in the entire network to obtain the influence range coefficient of the firewall-type device, which is used to characterize the potential impact range of the device's anomaly on the overall network defense capability. By coupling the degree of anomaly of firewall devices with the coefficient of their impact range in an exponential form, the network defense capability attenuation degree can be obtained.
6. The network defense information analysis system according to claim 5, characterized in that, The assessment integrates the level of external attacks on the overall network defense resources, the impact of attack traffic on the overall network defense capability, and the degree of weakening of the overall network defense capability by firewall anomalies, to comprehensively judge the overall network defense risk and risk evolution trend, including the following specific contents: By nonlinearly coupling the attack traffic impact intensity, the attack traffic threat coefficient, and the network defense capability attenuation, an overall network defense risk index is obtained. The network overall defense risk index sequence for a recent continuous period is selected, and the quadratic exponential smoothing method is used to predict the network overall defense risk index at multiple future moments. The linear trend of the network overall defense risk index prediction sequence is then fitted by the least squares method to obtain the slope of the network overall defense risk change.
7. A network defense information analysis system according to claim 6, characterized in that, Based on the overall network defense risks and their evolution trends, a targeted network defense optimization plan is generated, including the following steps: Based on the overall network defense risk index, the corresponding network defense optimization strategy directions are output: When the overall network defense risk index is less than or equal to the first boundary value, the regular monitoring strategy direction is output, maintaining the existing defense configuration unchanged and continuously observing risk changes; when the overall network defense risk index is in the middle range between the first and second boundary values, the preventive measures strategy direction is output, including enabling traffic rate limiting, adjusting policy priorities, and increasing the proportion of reserved critical resources; when the overall network defense risk index is greater than or equal to the second boundary value, the emergency response strategy direction is output, including enabling backup link traffic diversion, triggering attack source blacklist blocking, and switching to backup firewalls; the boundary values of the above three levels are configured by the system administrator during deployment according to the actual network capacity, and different division standards can be adopted for different network environments; Based on the slope of the overall network defense risk change, adjust the specific intensity of the network defense optimization strategy: When the slope of the overall network defense risk change is positive, it indicates that the overall network defense risk is on the rise and the overall network defense capability is continuously deteriorating. At this time, the intensity of the strategy should be increased based on the determined network defense optimization strategy direction: if the original strategy direction is routine monitoring, upgrade to preventive measures; if the original strategy direction is preventive measures, upgrade to emergency response; if the original strategy direction is emergency response, shorten the strategy execution interval and expand the scope of handling. When the slope of the overall network defense risk change is negative, it indicates that the overall network defense risk is on the decline and the overall network defense capability is gradually recovering. At this time, maintain the current network defense optimization strategy direction unchanged, and evaluate the strategy rollback after the overall network defense risk index drops to near 0. When the absolute value of the slope of the overall network defense risk change approaches 0, it indicates that the overall network defense risk is stabilizing. At this time, maintain the determined network defense optimization strategy direction unchanged. The network defense optimization strategy direction and strategy strength are combined to generate a structured network defense optimization scheme, which includes: the overall network defense risk index, the slope of the overall network defense risk change, the recommended network defense optimization strategy direction, the network defense optimization strategy execution strength, and the recommended execution duration.
8. A network defense information analysis device, comprising a display and a host, the host including a processor and a memory, characterized in that, The display is electrically connected to the host computer; the memory stores a computer program that can be called by the processor; the processor runs a network defense information analysis system as described in any one of claims 1-7 by calling the computer program stored in the memory.
9. A computer-readable storage medium storing instructions, characterized in that, When the instructions are executed on a computer, the computer causes the computer to perform a network defense information analysis system as described in any one of claims 1-7.