Network information security vulnerability detection and active defense system for urban governance
The network information security vulnerability detection and proactive defense system for urban governance has solved the problems of data fragmentation across departments and poor traceability of risk tracing in urban governance scenarios. It has enabled proactive, precise and controllable handling of city-level network security, adapted to the business continuity requirements of urban governance scenarios, and formed a long-term governance mechanism that can be iteratively optimized.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- HANGZHOU JUGU TECHNOLOGY CO LTD
- Filing Date
- 2026-04-28
- Publication Date
- 2026-07-03
AI Technical Summary
Existing cybersecurity protection solutions for urban governance scenarios suffer from fragmented cross-departmental asset identification systems, insufficient cross-domain risk correlation analysis capabilities, poor risk tracing traceability, and a lack of city-level cross-domain risk propagation path determination and proactive defense closed-loop mechanisms, making them unsuitable for the business continuity requirements of urban governance scenarios.
The system adopts a network information security vulnerability detection and proactive defense system for urban governance, including a security fact unification module, a risk profiling and priority assessment module, a cross-domain correlation verification and calibration module, a proactive defense orchestration and handling module, and an effectiveness measurement and retesting closed-loop module. It forms a closed-loop governance process through unified asset key generation, risk item construction, attack and defense correlation graph inference, parameterized handling action generation, and gray-scale execution.
It has enabled proactive, precise, and controllable handling of city-level cybersecurity risks, built a standardized, highly reliable, and auditable security fact data foundation, accurately identified cross-domain cascading risks, ensured business continuity and compliance requirements in urban governance scenarios, and formed an iteratively optimizeable long-term governance mechanism.
Smart Images

Figure CN122339811A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the interdisciplinary field of network information security and smart city governance, and more specifically, to a vulnerability detection and proactive defense system for network information security in urban governance. Background Technology
[0002] With the deepening of digital governance in cities, city-level network assets are distributed across domains and business links are coordinated across departments. Network information security protection has become a core support for the modernization of the urban governance system and is directly related to the stable and reliable operation of critical information infrastructure and public services.
[0003] Existing cybersecurity protection solutions for urban governance scenarios largely rely on single-point vulnerability scanning and passive alarm response, exhibiting significant technical shortcomings. Firstly, multi-source security data lacks a unified and standardized processing mechanism, and cross-departmental asset identification systems are fragmented, failing to form a universally reliable security factual foundation. This makes them susceptible to misjudgments due to anomalies in data from a single source, resulting in poor traceability of risk origination. Secondly, they lack city-level cross-domain risk correlation analysis capabilities, making it impossible to accurately infer risk propagation paths across departments and systems. Risk priority determination lacks interpretable quantitative basis, easily leading to missed cascading risks. Thirdly, a complete proactive defense closed loop is not formed, and response actions lack quantitative assessment of business impact and controllable execution mechanisms, failing to meet the stringent business continuity requirements of urban governance scenarios.
[0004] To address the numerous shortcomings of existing technologies, this invention proposes a vulnerability detection and proactive defense system for network information security in urban governance. Summary of the Invention
[0005] In view of the shortcomings of existing technologies, the purpose of this invention is to provide a vulnerability detection and proactive defense system for network information security in urban governance.
[0006] To achieve the above objectives, the present invention provides the following technical solution: A vulnerability detection and proactive defense system for network information security in urban governance includes a security fact unification module, a risk profiling and priority assessment module, a cross-domain correlation verification and calibration module, a proactive defense orchestration and handling module, and an effectiveness measurement and retesting closed-loop module. The security fact normalization module is used to access multi-source security data across the entire urban governance domain, complete field normalization processing, generate a unique unified asset key across the entire domain, retain conflicting fact version chains and measure fact credibility, and output a standardized security fact dataset. The risk profiling and priority assessment module is used to construct risk entries with evidence chains based on a standardized safety fact dataset, complete the quantification of risk correlation features, scoring of disposal priority and root cause merging, and output graded disposal tasks. The cross-domain association verification and calibration module is used to construct a city-level attack and defense association graph, complete the propagation path inference, governance rule verification and deviation calibration, and output a set of verified high-risk propagation paths. The active defense orchestration and response module is used to generate and filter the optimal combination of response actions to complete hierarchical execution and process control. The effectiveness measurement and retest closed-loop module is used to complete the retesting of treatment, the quantification of governance effectiveness and the steady-state determination, and output calibration and optimization signals to the aforementioned modules.
[0007] Furthermore, the security fact unification module uses a combination of deterministic mapping and approximate merging to generate a globally unique unified asset key. It retains a fully traceable version chain for multiple security facts of the same type from multiple sources corresponding to the same asset, and completes the credible quantification of a single security fact based on the source status, observation coverage, data timeliness, and multi-source consistency.
[0008] Furthermore, the risk profiling and priority assessment module constructs an evidence chain containing at least two independent evidence types for each risk item, completes risk disposal priority scoring based on asset business attributes, risk exposure characteristics, and network reachability characteristics, and completes the merging and disposal task compilation of multiple risk items based on risk root cause signatures.
[0009] Furthermore, the cross-domain association verification and calibration module constructs an attack and defense association graph with assets, services, identities, and business units as nodes. Based on the risk starting node and relationship strength, it completes the inference of constrained propagation paths, performs multi-dimensional governance rule verification on the inferred paths, calculates path governance deviations, and marks deviation hotspot paths.
[0010] Furthermore, the cross-domain correlation verification and calibration module calculates the contribution of each correlation within the marked deviation hotspot path to the risk output, performs local calibration of the correlation strength based on the consistency of the contribution with the supporting facts, or initiates a supplementary verification request to the security fact normalization module to improve the supporting facts.
[0011] Furthermore, the proactive defense orchestration and handling module generates a parameterized set of candidate handling actions based on risk items and high-risk propagation paths, classifies actions according to the degree of business impact, selects the optimal action combination based on risk reduction benefits, business impact and implementation complexity as evaluation dimensions, and performs canary release in order of business criticality from low to high.
[0012] Furthermore, the proactive defense orchestration and handling module binds corresponding rollback conditions and rollback execution schemes to each handling action. During the gray-scale execution process, it continuously collects business health status and network status data. When the preset rollback conditions are met, it completes the configuration restoration in reverse order of execution and retains the full-link rollback record.
[0013] Furthermore, the effectiveness measurement and retesting closed-loop module executes a retesting plan bound to each action, writes the retesting results back to the security fact normalization module to update the security fact dataset, and completes the quantitative calculation of the governance effectiveness index based on multi-dimensional governance indicators, and completes the determination of the phased governance steady state by combining the effectiveness changes in continuous cycles.
[0014] Furthermore, when the effectiveness measurement and retesting closed-loop module fails to reach a stage of steady-state governance, it outputs a directional calibration signal to the corresponding upstream module based on the abnormal governance indicator type, triggering the corresponding module's strategy optimization and process re-execution, thus forming a full-process closed-loop iteration.
[0015] Compared with the prior art, the present invention has the following beneficial effects: 1. This invention employs an asset merging method that combines deterministic mapping with approximate merging to generate a globally unique unified asset key. This solves the core problems of fragmented identification of cross-departmental multi-source data assets and the inability to link facts in urban governance scenarios. Simultaneously, based on source status, observation coverage, data timeliness, and multi-source consistency, it completes the credible quantification of individual security facts and retains a fully traceable version chain for conflicting facts. This constructs a standardized, highly reliable, and auditable security fact data foundation, effectively reducing the risk of misjudgment caused by anomalies in data from a single source, and providing a unified data foundation for subsequent full-process risk governance. 2. This invention constructs a closed-loop governance process encompassing risk quantification and assessment, cross-domain correlation calibration, proactive defense orchestration, and effectiveness retesting and optimization. By constructing a city-level attack-defense correlation graph, it infers, verifies, and locally calibrates risk propagation paths, accurately identifying cross-domain cascading risks. Simultaneously, based on risk reduction benefits, business impact, and implementation complexity, it selects the optimal combination of handling actions, employing gray-scale execution and bound rollback schemes to ensure business continuity. Ultimately, it achieves proactive, precise, and controllable handling of city-level cybersecurity risks, forming an iteratively optimizeable long-term governance mechanism that adapts to the business continuity and compliance requirements of urban governance scenarios. Attached Figure Description
[0016] Figure 1 A module block diagram of a vulnerability detection and proactive defense system for network information security in urban governance. Figure 2 This is a flowchart illustrating the implementation of the risk profiling and priority assessment module of this invention. Figure 3 This is a flowchart illustrating the implementation of the cross-domain correlation verification and calibration module of the present invention. Detailed Implementation
[0017] Example, refer to Figure 1The vulnerability detection and proactive defense system for network information security in urban governance in this embodiment includes a security fact unification module, a risk profiling and priority assessment module, a cross-domain correlation verification and calibration module, a proactive defense orchestration and handling module, and an effectiveness measurement and retesting closed-loop module. For ease of explanation, the following basic data structures are defined. All data structures use standardized field formats and support cross-module and cross-node flow: 1. Unified Asset Key Used to uniquely identify an asset object within a city. Asset objects include hosts, network devices, cloud resource instances, application service instances, identity entities, etc. The unified asset key adopts a fixed-length string format, and the generation rules are consistent with the asset merging logic to ensure uniqueness across the entire domain. 2. Safety Fact Records This represents a traceable observation or conclusion, which includes at least a timestamp, responsibility domain identifier, security domain identifier, unified asset key, fact type, fact value, source identifier, evidence location information, and fact credibility. The enumeration range of fact types includes vulnerability clues, baseline deviations, access behaviors, authentication, change records, threat intelligence, and connectivity detection results. Fact values are stored in a standardized format corresponding to the fact type to ensure parsing and comparability. 3. Risk Items A vulnerability or baseline deviation object supported by one or more security fact records, which includes at least a unified asset key, risk category, evidence chain summary, business criticality, exposure characteristics, reachability characteristics, and handling status; wherein the enumeration range of risk category includes vulnerability risk, configuration risk, exposure surface risk, identity and privilege risk, and propagation path risk, and the enumeration range of handling status includes pending handling, handling, handled, retested, and rolled back. 4. Handling actions An execution unit for a risk item or propagation path must include at least an action type, a scope of affected objects, execution parameters, rollback conditions, and retest items. The enumeration range of action types includes patch repair, configuration hardening, access control tightening, credential expiration handling, permission contraction, virtual patching, rate limiting, micro-segmentation, traffic diversion in the isolation zone, and enhanced monitoring. Rollback conditions and retest items are bound one-to-one with action types to ensure a closed-loop execution. 5. Treatment cycle The system uses a closed-loop iteration cycle formed by a preset time slice or event triggering method to calculate the governance effectiveness and determine whether to enter a phased steady state. The cycle length of the time slice mode can be configured according to the governance objectives and business continuity requirements. The activation conditions of the event triggering mode include the addition of a high-risk alarm, the completion of a major change, and the identification of cross-domain propagation risks.
[0018] The implementation methods of each module are explained below; Mod1, Security Fact Unification Module: This module is used to form a data foundation that is comparable across departments and systems, and to provide a unified asset key and fact credibility for subsequent risk profiling and cross-domain association. The output of this module serves as input for risk entry construction on the one hand, and as a basis for calculating and verifying the strength of cross-domain association relationships on the other hand.
[0019] S1. Security Fact Access and Field Normalization: The data sources accessed by the system include at least vulnerability clues, configuration baseline verification results, asset inventory, boundary access logs, endpoint detection alarms, network traffic summaries, authentication logs, change ticket records, and threat intelligence; parsing and field mapping are performed on data sources of different formats to uniformly form a security fact record. The field set is used to write the original log location, original message digest or original file index into the evidence location information to ensure traceability and auditability; S2, Uniform Asset Key Generation: To avoid factual fragmentation caused by inconsistent asset identifiers across departmental data, the system employs a combination of deterministic mapping and approximate merging to generate unified asset keys. ; 1. Deterministic Mapping: When a fact record contains a stable identifier, it is directly mapped to a unified asset key. Stable identifiers include cloud resource instance identifiers, device serial numbers, certificate fingerprints, unique identifiers of the device management system, etc. When multiple fact records contain the same stable identifier, they are directly mapped to the same unified asset key. At the same time, the correspondence between identifiers from multiple sources is recorded to form a mapping backtracking chain. 2. Approximate Merging: When stable identifiers are missing, construct an asset feature vector for each fact. Asset feature vector It includes at least network address features, service port set features, hostname normalization features, protocol fingerprint features, certificate subject features, and organization affiliation features. All features are converted to dimensionless normalized values between 0 and 1 to ensure uniform vector dimensions. The system calculates the feature similarity between the object to be merged and the candidate asset object. The similarity calculation formula is as follows: ; in, This is the asset feature vector of the object to be merged. The asset feature vector of the candidate asset object is used. The similarity calculation result ranges from 0 to 1 and is a dimensionless quantity. When the similarity exceeds a preset threshold... When merged into a single unified asset key; threshold The determination method is as follows: In the initial stage of deployment, a batch of asset mapping samples that have been confirmed manually or by an authoritative system are extracted. The samples include positive samples and negative samples. Positive samples are feature vector pairs belonging to the same asset, and negative samples are feature vector pairs that do not belong to the same asset. Based on the sample set, the threshold candidate values in the range of 0 to 1 are traversed, and the false merging rate and the missed merging rate corresponding to each candidate value are calculated. The threshold that minimizes the combined value of the false merging rate and the missed merging rate is selected as the initial value. During the operation period, the threshold is self-calibrated and updated using an incremental learning method based on the proportion of subsequent retest receipts and conflict facts. The threshold value range is 0 to 1. S3, Conflict Fact Preservation and Version Chain: For similar facts under the same unified asset key, the system does not directly overwrite them, but retains a multi-source version chain. Each version chain records the source identifier, collection time, evidence location information and credibility. Subsequent modules select the fact version to participate in the calculation based on credibility and verification results, avoiding global misjudgment due to anomalies from a single source. The version chain is stored in reverse order of collection time, supporting quick filtering by source identifier and credibility range, while retaining a full-link backtracking record of version changes to meet audit requirements. S4. Calculation of factual credibility: To ensure the interpretability of subsequent risk scoring and correlation inference, the system calculates the credibility of each security fact. And write it as a field in the fact record; ; in, The degree of credibility of the fact ranges from 0 to 1. It is a dimensionless quantity, and the closer the value is to 1, the higher the degree of credibility of the fact. The observability factor reflects the visibility of the target object within the current responsibility domain, ranging from 0 to 1, and is a dimensionless quantity. Its determination method is as follows: the collection coverage status is decomposed into four independent sub-items: log integrity, probe online status, scan reachability, and link mirror coverage. Each sub-item is mapped to a normalized value between 0 and 1. A value of 1 indicates that the corresponding coverage status is fully satisfied, and a value of 0 indicates that the corresponding coverage status is completely missing. The arithmetic mean of the normalized values of the four sub-items is taken as the observability factor. The final value; The source health factor reflects the health status of the source system, with a value ranging from 0 to 1, and is a dimensionless quantity. Its determination method is as follows: the source system status is decomposed into four independent sub-items: heartbeat continuity, data loss rate, clock drift, and queue congestion status. Each sub-item is mapped to a normalized value between 0 and 1, where a value of 1 indicates a completely normal source system status, and a value of 0 indicates a completely abnormal source system status. The arithmetic mean of the normalized values of the four sub-items is taken as the... The final value; The timeliness factor reflects the freshness of facts, with a value range of 0 to 1, and is a dimensionless quantity. The method for determining it is as follows: the age of the fact is monotonically decreased and normalized by mapping it to a preset timeliness window. The age of the fact is the time difference between the current moment and the moment the fact was collected. The smaller the age of the fact, the larger the value. When the age of the fact exceeds the timeliness window, the value is 0. The length of the timeliness window can be configured by the type of fact and the governance objectives. The inter-source consistency factor reflects the degree of support from independent sources for the same fact. It ranges from 0 to 1 and is a dimensionless quantity. It is determined by calculating the ratio of the number of independent sources supporting the fact to the total number of available sources of the same type of fact. This ratio is then directly used as the inter-source consistency factor. The final value; The weights are set as parameters, satisfying non-negativity constraints, and can be normalized to make the sum of the weights equal to 1. The weights are determined as follows: In the initial deployment phase, the closed-loop treatment results are selected as the labeled dataset, which includes false positive and false negative samples that have been manually verified. Using the dataset as a supervision signal, a grid search method is used to traverse the feasible value space of the weight parameters, and the weight combination that minimizes the weighted sum of the false positive and false negative rates is selected as the initial configuration. During the operation period, the weight parameters can be iteratively adjusted according to the governance objectives based on the governance effectiveness index output by the effectiveness measurement module. The security fact unification module outputs a unified set of asset keys, a fact version chain, and fact credibility for subsequent modules to use.
[0020] Mod2, Risk Profiling and Priority Assessment Module: such as Figure 2 As shown, this step transforms the normalized security facts into manageable risk entries within the responsibility domain and assigns interpretable priorities. It inherits the unified asset key and fact credibility, outputs a set of risk entries and their handling priorities, and provides entry nodes and a set of high-value target nodes for cross-domain association.
[0021] S1. Risk item construction and evidence chain formation: The system aggregates security fact records by responsibility domain, associating facts such as vulnerability clues, baseline deviations, open services, abnormal access behavior, and identity anomalies and change records to form risk entries. To reduce false alarms caused by drawing conclusions based on a single scan result, the system generates an evidence chain summary for each risk item. The evidence chain summary must contain a combination of at least two types of evidence, including version evidence, configuration evidence, patch evidence, access behavior evidence, and change conflict evidence. The evidence chain summary also records the source and credibility of the corresponding facts for subsequent verification. Risk items containing only a single type of evidence are marked as items to be verified and are not included in the high-priority handling scope. The corresponding evidence must be supplemented before the item construction is completed. S2. Calculation of Business Criticality, Exposure Characteristics, and Accessibility Characteristics: For each risk entry The system calculates the business criticality coefficient. Exposure surface coefficient With accessibility coefficient All of them are mapped to dimensionless quantities of 0 to 1; 1. The determination method is as follows: Based on factors such as the public service continuity requirements of the business unit to which the asset belongs, the number of cross-departmental dependencies, whether it is in a critical business link, and whether it belongs to a critical information infrastructure support object, each factor is mapped to a normalized value of 0 to 1, and the arithmetic mean of the normalized values of all factors is taken as the asset's value. The final value; the closer the value is to 1, the higher the business criticality of the asset; 2. The determination method is as follows: Based on factors such as the set of externally accessible services, cross-domain interface exposure, management entry point exposure, and weak authentication entry point exposure, each factor is mapped to a normalized value between 0 and 1. The arithmetic mean of the normalized values of all factors is then used as the standard value. The final value of ; the closer the value is to 1, the higher the degree of external exposure of the asset; 3. The determination method is as follows: a normalized mapping is performed based on access control rules, connectivity evidence observed from boundary logs, identity trust chain status, and path reachability evidence generated by the cross-domain association module. The value range is 0 to 1 and is a dimensionless quantity. The closer the value is to 1, the higher the network reachability of the asset. This coefficient can be updated after cross-domain verification and calibration. S3, Priority Scoring: The system calculates a priority score for each risk item. : ; in, Priority scores are assigned, with values ranging from 0 to 1. These scores are dimensionless, and the closer a value is to 1, the higher the priority of handling the risk item. The meaning and method of value determination are as described above; The availability coefficient, ranging from 0 to 1, is a dimensionless quantity. A value closer to 1 indicates a higher degree of risk availability. It is determined by mapping each factor to a normalized value between 0 and 1 based on factors such as the completeness of the evidence chain summary, the degree to which attack conditions are met, and the presence of suspicious exploitation clues. The arithmetic mean of all normalized values is then used as the basis for the calculation. The final value; The weights are set as parameters, satisfying non-negativity constraints, and can be normalized to make the sum of the weights equal to 1. The weights are determined as follows: during the initial deployment phase, closed-loop security events are replayed, and the actual priority of event handling is used as the labeling benchmark. The weight combination that minimizes the deviation between the scoring ranking and the actual handling priority is selected as the initial configuration. During the operation period, the weight parameters can be adjusted according to the governance objectives. S4, Root Cause Analysis and Task Compilation: The system performs root cause merging on risk entries to avoid duplicate handling at multiple points. Root cause merging is achieved through root cause signatures, which must include at least a vulnerability identifier or baseline item identifier, an affected component fingerprint, an affected service characteristic, and a responsibility domain identifier. Risk entries with the same root cause signature and overlapping target sets are merged into the same handling task. Each handling task output includes an action type, target scope, necessary approval fields, rollback conditions, and retesting items, providing input for proactive defense orchestration. The handling task is also associated with the evidence chain summary and priority score of the corresponding risk entry, ensuring that the entire handling process is traceable and explainable.
[0022] Mod3, Cross-Domain Association Verification and Calibration Module: such as Figure 3 As shown, this module is used to infer the propagation path of dispersed risk items within a city-level scope, and to reduce cross-domain inference distortion through governance rule verification and local calibration. This module takes over the risk items and their evidence chains, and outputs a set of high-risk propagation paths and key business impact surfaces after verification and calibration, for use in proactive defense orchestration.
[0023] S1. Generation of attack and defense relationships: System construction attack and defense relationship diagram , where the set of nodes It includes asset nodes, service nodes, identity nodes, and business unit nodes, with all nodes associated with corresponding unified asset keys and risk priority information; edge set It includes network reachability relationships, identity trust relationships, service dependency relationships, shared component relationships, and shared credential relationships. Each relationship edge Associate a set of supporting fact records and calculate the strength of the relationship accordingly. ; Relationship strength The method for determining the relationship strength is as follows: the credibility of supporting facts is aggregated, and the aggregation method can be either weighted average or conservative selection. In the weighted average mode, the credibility of each supporting fact is used as the weight, and the weighted average of the credibility of all supporting facts is calculated as the relationship strength. In the conservative selection mode, the minimum value of the credibility of all supporting facts is taken as the relationship strength. The aggregation result is normalized to the range of 0 to 1, which is a dimensionless quantity. The closer the value is to 1, the higher the credibility of the relationship edge. S2. Propagation path inference and impact area calculation: Using externally exposed entry nodes and nodes associated with high-priority risk items as the starting set, the system performs constrained path expansion based on relationship strength, generating a set of candidate propagation paths. During the path expansion process, pruning is performed in the following situations: relationship strength is lower than a preset pruning threshold, crossing the boundary of a responsibility domain that does not meet authorization conditions, or significantly conflicting with observed access control facts. The pruning threshold ranges from 0 to 1 and can be determined through the path inference accuracy statistics during the initial deployment. For each candidate path, its influence surface is calculated. The influence surface is obtained by aggregating the set of key business unit nodes reachable by the path and their business criticality. The aggregation method is to take the business criticality coefficient of all key business unit nodes reachable by the path. The maximum value of is taken as the influence surface value of the path. The value ranges from 0 to 1 and is a dimensionless quantity. The closer the value is to 1, the larger the influence range of the path. S3. Verification of governance rules and calculation of governance deviations: After propagation path inference, the system performs governance rule verification, which includes at least connectivity consistency verification, business continuity verification, and audit element verification, and calculates path governance deviation accordingly. : ; in, For path The governance deviation, which ranges from 0 to 1, is a dimensionless quantity. The closer the value is to 1, the greater the deviation between the inferred path and the governance rules. The reachability deviation, ranging from 0 to 1, is a dimensionless quantity. It is determined by: verifying each jump relationship in the path against access control facts, log connectivity facts, or policy facts; calculating the ratio of the number of unsupported jump relationships to the total number of jump relationships in the path; and using this ratio as the accessibility deviation. The final value; This is a continuity deviation, ranging from 0 to 1, and is a dimensionless quantity. The determination method is as follows: combining business dependencies and the scope of action of candidate actions, calculate the ratio of the number of potentially affected critical business dependencies in the path to the total number of critical business dependencies in the path, and use this ratio as... The final value; The audit element deviation, ranging from 0 to 1, is a dimensionless quantity. The determination method is as follows: verify whether the relevant facts of the verification path and the candidate disposal tasks possess the necessary evidence location information, approval elements, and rollback elements; calculate the ratio of the number of missing elements to the total number of necessary elements; and use this ratio as the audit element deviation. The final value; The weights are set as parameters, satisfying the non-negativity constraint. The sum of the weights can be made equal to 1 through normalization. The weights are determined by configuring initial values based on the governance objectives, and can be adjusted during the operation period through feedback from the effectiveness measurement module.
[0024] when Exceeding the preset threshold When this happens, the path is marked as a deviation hotspot path; threshold The method for determining the threshold is as follows: statistical analysis of the path governance deviation distribution in the initial deployment phase, and initial values are determined based on the principle of balancing risk discovery and misjudgment control; during the operation period, adjustments can be made through feedback from the effectiveness measurement module, and the threshold value range is 0~1; S4. Relational Attribution and Local Calibration: For off-center hotspot paths, the system performs relationship attribution on the key relationships in the path, calculates the contribution of each relationship to the risk output of the target node, and performs local calibration accordingly. ; in, For relationship The contribution value ranges from 0 to 1 and is a dimensionless quantity. The closer the value is to 1, the higher the degree of influence of the relationship on the risk output of the target node. In the diagram Up to target node The comprehensive risk output value obtained through local re-inference, ranging from 0 to 1, is a dimensionless quantity; its determination method is as follows: ; This indicates the removal of a relationship from the graph. The new map obtained later; The local calibration rules are as follows: 1. When When the relationship is large and the consistency of supporting facts is low, reduce the relationship strength. It then sends a supplementary verification request to the security fact unification module. Supplementary verification can be achieved by adding connectivity detection, identity trust verification, or policy fact verification. After the supplementary verification is completed, the relationship strength and supporting fact chain are updated based on the new fact records. 2. When When the relationship is significant and the supporting facts are highly consistent, the priority of the relationship in the subsequent handling and arrangement should be increased, and it should be marked as a key risk transmission relationship and included in the scope of priority handling. 3. When the deviation is mainly caused by continuity deviation, the scope of candidate actions should be narrowed or low-impact actions should be used to avoid unacceptable impact on critical business links by utilizing business dependencies. Calibration is performed only within the bias hotspot correlation subplot and is recalculated after each round of calibration. When the deviation decreases and the change in relationship strength is less than the preset tolerance after several consecutive rounds of calibration, the local calibration ends and the calibrated high-risk propagation path and key business impact surface are output; the value of the tolerance can be determined by the statistical results of relationship strength fluctuations in the initial stage of deployment.
[0025] Mod4, Proactive Defense Orchestration and Response Module: This module is used to transform verified and calibrated high-risk propagation paths and risk priorities into actionable responses, and to ensure that the impact of these responses on critical business operations is controlled, retestable, and rollbackable. This module receives risk entries, propagation paths, and deviation hotspot information, and outputs response plans and retesting plans for use by the effectiveness measurement module.
[0026] S1. Candidate Action Generation and Classification: The system generates a set of candidate actions based on the risk item category, exposure characteristics, and key relationships of the propagation path. Candidate actions include at least patch repair, configuration hardening, access control tightening, credential expiration handling, permission contraction, virtual patching, rate limiting, micro-segmentation, traffic redirection to isolated areas, and enhanced monitoring. Candidate action generation is achieved using parameterized rule templates. The rule template takes the risk category and target characteristics as input, outputs the action type and action parameter constraints, and binds rollback conditions and retest items. The parameter constraints and binding rules of the rule template can be configured according to governance objectives and business continuity requirements. The system also classifies actions by impact, forming a three-tiered sequence of low-impact, medium-impact, and high-impact actions for subsequent canary rollout and gradual escalation. The classification criteria include whether the action changes connectivity, whether it changes the authentication and authorization chain, and whether it affects critical business dependencies. Low-impact actions refer to actions that do not change business connectivity or affect the operation of critical businesses; medium-impact actions refer to actions that may slightly change connectivity but do not interrupt critical businesses; and high-impact actions refer to actions that may interrupt business connectivity or change the core authorization chain. S2. Evaluation and selection of action combinations: The system aims to sever key relationships in high-risk transmission pathways and generates several action combinations from a set of candidate actions. The evaluation function is defined as follows: The action combinations are then comprehensively evaluated. ; in, This is the overall evaluation value of the action combination. It is a dimensionless quantity, and the larger the value, the better the overall effect of the action combination. The risk reduction benefit, ranging from 0 to 1, is a dimensionless quantity. Its determination method is as follows: assess the degree to which the action combination blocks high-risk propagation paths and protects critical business units. The arithmetic mean of the ratio of blocked high-risk paths to the total number of high-risk paths, and the ratio of protected critical business units to the total number of affected critical business units, is then normalized and used as the basis for the determination. The final value; The business impact factor, ranging from 0 to 1, is a dimensionless quantity. Its determination method involves assessing the number of critical business dependencies potentially affected within the scope of the action combination, the risk of health detection, and the degree of continuity constraint violation. Each impact factor is then mapped to a normalized value between 0 and 1, and the arithmetic mean is taken as the final value. The final value; To determine the complexity, the value ranges from 0 to 1 and is dimensionless. The method for determining this complexity is as follows: assess the number of actions, the complexity of cross-domain collaboration, the requirements for approval elements, and the difficulty of rollback; map each complexity factor to a normalized value between 0 and 1, and then take the arithmetic mean as the final value. The final value; The weights are set as parameters, satisfying the non-negativity constraint. The sum of the weights can be made equal to 1 through normalization. The method for determining the weights is as follows: initial values are configured according to the governance objectives, and adjustments can be made during the operation period based on feedback from the effectiveness measurement module. Under the premise of meeting business continuity constraints and the integrity of audit elements, the system selects... The largest combination of actions forms a solution and outputs the order of action execution, which follows the principle of progressive execution from low impact to high impact. S3, Gray-scale execution, rollback, and receipt: Before the action plan is executed, the system performs conflict verification on the action parameters. The conflict verification includes at least policy conflict verification and critical business whitelist verification to avoid rule conflicts between actions or to avoid affecting the operation of critical businesses. Rollback conditions and rollback execution scripts are bound to each action. The implementation will be carried out in batches using a gray-scale approach. The method for determining the gray-scale batches is based on the business criticality coefficient of the assets within the responsibility domain. Sort the assets in ascending order and divide them into several consecutive batches. The number of assets in each batch can be determined by the total number of assets in the responsibility domain and business continuity requirements. Prioritize the execution of actions in non-critical object batches with lower business criticality coefficients to verify the effectiveness of the actions and their business impact. During the canary rollout, the system continuously collects business health probe results and connectivity changes. A rollback of the corresponding action is triggered when any of the following conditions occur: 1. If critical business health detection results show continuous anomalies, the anomaly judgment criteria can be pre-configured through business continuity requirements; 2. The connectivity status of the corresponding asset deviates from the baseline status before the action is executed, exceeding the preset tolerance range; 3. The number of abnormal alarms within the corresponding responsibility domain shows a continuous increase that exceeds the baseline fluctuation range; During rollback execution, the system restores the configuration state before execution in reverse order of action execution, and records the rollback reason, execution time and evidence location information. The rollback record will serve as input data for subsequent fact credibility calculation and correlation calibration. After the action is completed, the system generates an execution receipt, which records the execution time, execution result, business impact and evidence location information, and synchronizes it to the effectiveness measurement and retesting closed-loop module.
[0027] Mod5, Effectiveness Measurement and Retesting Closed-Loop Module: This module is used to elevate a single treatment to a sustainable optimization governance closed loop. It drives the next round of optimization through retesting and governance effectiveness index. This module takes over the treatment plan and retesting plan, outputs the governance effectiveness index and steady-state judgment results, and feeds back the calibration signal to the aforementioned modules.
[0028] S1. Retest execution and result write-back: The system executes a retest plan associated with each action. The retest plan includes at least exposure surface verification, connectivity verification, critical business health detection, alarm status change verification, and rollback availability verification. The time window for retest execution can be configured by action type and risk level. Low-impact actions can be retested immediately after execution, while high-impact actions can have a buffer window set before retesting. The retest results are written back to the security fact unification module in the form of security fact records, and the corresponding fact version chain and credibility are updated to ensure that the latest facts are used in the next round of risk profiling and cross-domain association; the retest results are also synchronized to the corresponding risk items to update the handling status and retest conclusions of the risk items. S2. Normalization of governance effectiveness indicators and calculation of effectiveness index: The system maintenance and governance effectiveness indicator set includes at least the exposure index. Path cutting level Level of handling coverage Level of accidental injury and recurrence level Each indicator is transformed into a dimensionless quantity of 0 to 1 through normalization mapping to ensure the consistency of the formula dimensions; the basis for normalization is the baseline statistics at the initial stage of deployment and the steady-state interval statistics during the operation period, and the mapping function adopts a monotonic function to ensure that the direction of indicator change is consistent with the governance goal. The specific calculation and normalization methods for each indicator are as follows: Exposure Index Statistics The average exposure coefficient of all assets within a governance cycle is mapped to a dimensionless quantity of 0 to 1. The smaller the value, the better the convergence effect of the exposure surface of the entire domain. Path cut-off level Statistics The ratio of the number of high-risk transmission paths successfully blocked within a governance cycle to the total number of high-risk transmission paths is mapped to a dimensionless quantity of 0 to 1. The closer the value is to 1, the better the path blocking effect. Disposal coverage level Statistics The ratio of the number of high-priority risk items that have been closed-loop handled within a governance cycle to the total number of high-priority risk items is mapped to a dimensionless quantity of 0 to 1. The closer the value is to 1, the more comprehensive the risk handling coverage. accidental injury level Statistics The ratio of the number of assets that were rolled back due to disposal actions within a governance cycle to the total number of assets disposed of is mapped to a dimensionless quantity of 0 to 1. The smaller the value, the lower the false alarm rate of the disposal actions. recurrence level Statistics The ratio of the number of recurrences of risk items that have been treated within a governance cycle to the total number of risk items that have been treated is mapped to a dimensionless quantity of 0 to 1. The smaller the value, the better the sustainability of the treatment effect. The system calculates the governance effectiveness index. : ; in, For the first The governance effectiveness index for each governance cycle is a dimensionless quantity. The smaller the value, the closer the governance status is to the target. to The weights are set as parameters, satisfying the non-negativity constraint. They can be normalized to make the sum of the weights equal to 1. The method for determining these weights is as follows: initial values are configured based on the governance objectives, and adjustments can be made during the operation period based on the retest feedback and the distribution of governance deviations. S3. Steady-state determination and reflux strategy: The system according to The changing trend and retest results determine whether a stage of governance steady state has been reached; the specific steps for steady state determination are as follows: 1. Collect governance effectiveness indexes for several consecutive governance cycles. The number of sequences and governance cycles can be determined by the baseline fluctuation statistics at the initial stage of deployment; 2. Calculate the coefficient of variation of the sequence. The coefficient of variation is the ratio of the standard deviation of the sequence to the mean of the sequence. 3. When the coefficient of variation is less than the tolerance range determined based on historical fluctuations, and all critical business health checks pass stably during the same period, and the false alarm level and recurrence level do not show a continuous upward trend, the system is determined to have entered a phased governance steady state and outputs the phased governance results; the value of the tolerance range can be determined by the baseline fluctuation statistics and business continuity requirements in the initial deployment stage. If steady state is not reached, the reflux path is selected based on the type of indicator anomaly: 1. When the exposure index improvement is insufficient or the path cut-off level is insufficient, the data is redirected to the cross-domain correlation verification and calibration module to trigger re-verification and local calibration of the propagation path and key relationships. 2. When the level of accidental injury increases, the system returns to the active defense programming and handling module, narrows the scope of action, increases the grayscale ratio, and prioritizes the use of low-impact actions. 3. When the recurrence level rises, return to the risk profiling and priority assessment module, strengthen the requirements for evidence chain formation, and adjust the root cause attribution strategy; 4. When the coverage level of the treatment does not meet the governance requirements, the process is returned to the S4 root cause attribution and task preparation stage of the risk profiling and priority assessment module to optimize the parallel action strategy and the order of approval field completeness verification, thereby reducing unnecessary waiting. Through the aforementioned feedback mechanism, the system forms a continuous closed loop of fact unification, risk profiling, cross-domain calibration, proactive handling, retesting and writing back, and effectiveness evaluation. After steady-state determination, it outputs an auditable risk list, handling plan, and retesting results.
[0029] Through the detailed description of the above embodiments, the vulnerability detection and proactive defense system for network information security in urban governance of the present invention, through the synergistic linkage of five core modules, constructs a city-level network security governance system covering the entire process of "data unification, risk assessment, cross-domain verification, proactive handling, and retesting and optimization." Based on unified asset keys and trusted security facts, the system addresses the pain points of cross-domain data fragmentation and high misjudgment rates in urban governance scenarios; with an attack-defense correlation graph at its core, it achieves accurate identification and calibration of cross-departmental risk propagation paths; with business-controllable orchestration and handling as a key approach, it ensures the continuity of public services during risk handling; and with effectiveness measurement and closed-loop feedback as support, it achieves continuous iterative optimization of governance capabilities, providing reliable network security guarantees for the stable operation of critical urban infrastructure and public services.
[0030] The preset parameters in the above formulas shall be set by those skilled in the art according to the actual situation.
[0031] The above embodiments can be implemented, in whole or in part, by software, hardware, firmware, or any other combination thereof. When implemented using software, the above embodiments can be implemented, in whole or in part, as a computer program product. The computer program product includes one or more computer instructions or computer programs. When the computer instructions or computer programs are loaded or executed on a computer, all or part of the processes or functions described in the embodiments of this application are generated. The computer can be a general-purpose computer, a special-purpose computer, a computer network, or other programmable device. The computer instructions can be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another. For example, the computer instructions can be transmitted from one website, computer, server, or data center to another website, computer, server, or data center via wired or wireless (e.g., infrared, wireless, microwave, etc.) means. The computer-readable storage medium can be any available medium that a computer can access or a data storage device such as a server or data center that includes one or more sets of available media. The available medium can be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium. A semiconductor medium can be a solid-state drive.
[0032] It should be understood that in the various embodiments of this application, the order of the above-mentioned processes does not imply the order of execution. The execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the embodiments of this application.
[0033] Those skilled in the art will recognize that the units and algorithm steps of the various examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, or a combination of computer software and electronic hardware. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of this application.
[0034] Those skilled in the art will understand that, for the sake of convenience and brevity, the specific working processes of the systems, devices, and units described above can be referred to the corresponding processes in the foregoing method embodiments, and will not be repeated here.
[0035] In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses, and methods can be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; for instance, the division of units is only a logical functional division, and in actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the coupling or direct coupling or communication connection shown or discussed may be through some interfaces; the indirect coupling or communication connection between apparatuses or units may be electrical, mechanical, or other forms.
[0036] If the aforementioned functions are implemented as software functional units and sold or used as independent products, they can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application, in essence, or the part that contributes to the prior art, or a portion of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of this application. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.
[0037] The above description is merely a specific embodiment of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the scope of the technology disclosed in this application should be included within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.
Claims
1. A vulnerability detection and proactive defense system for network information security in urban governance, characterized in that: It includes a security fact unification module, a risk profiling and priority assessment module, a cross-domain correlation verification and calibration module, an active defense orchestration and response module, and an effectiveness measurement and retesting closed-loop module; The security fact normalization module is used to access multi-source security data across the entire urban governance domain, complete field normalization processing, generate a unique unified asset key across the entire domain, retain conflicting fact version chains and measure fact credibility, and output a standardized security fact dataset. The risk profiling and priority assessment module is used to construct risk entries with evidence chains based on a standardized safety fact dataset, complete the quantification of risk correlation features, scoring of disposal priority and root cause merging, and output graded disposal tasks. The cross-domain association verification and calibration module is used to construct a city-level attack and defense association graph, complete the propagation path inference, governance rule verification and deviation calibration, and output a set of verified high-risk propagation paths. The active defense orchestration and response module is used to generate and filter the optimal combination of response actions to complete hierarchical execution and process control. The effectiveness measurement and retest closed-loop module is used to complete the retesting of treatment, the quantification of governance effectiveness and the steady-state determination, and output calibration and optimization signals to the aforementioned modules.
2. The vulnerability detection and proactive defense system for network information security in urban governance according to claim 1, characterized in that, The security fact unification module uses a combination of deterministic mapping and approximate merging to generate a globally unique unified asset key. It retains a fully traceable version chain for multiple security facts of the same type from multiple sources corresponding to the same asset, and completes the credible quantification of a single security fact based on source status, observation coverage, data timeliness, and multi-source consistency.
3. The vulnerability detection and proactive defense system for network information security in urban governance according to claim 1, characterized in that, The risk profiling and priority assessment module constructs an evidence chain containing at least two independent evidence types for each risk item, completes risk disposal priority scoring based on asset business attributes, risk exposure characteristics, and network reachability characteristics, and completes the merging and disposal task compilation of multiple risk items based on risk root cause signatures.
4. The vulnerability detection and proactive defense system for network information security in urban governance according to claim 1, characterized in that, The cross-domain association verification and calibration module constructs an attack and defense association graph with assets, services, identities, and business units as nodes. Based on the risk starting node and relationship strength, it completes the inference of constrained propagation paths, performs multi-dimensional governance rule verification on the inferred paths, calculates path governance deviations, and marks deviation hotspot paths.
5. The vulnerability detection and proactive defense system for network information security in urban governance according to claim 4, characterized in that, The cross-domain correlation verification and calibration module calculates the contribution of each correlation within the marked deviation hotspot path to the risk output, performs local calibration of the correlation strength based on the consistency of the contribution with the supporting facts, or initiates a supplementary verification request to the safety fact unification module to improve the supporting facts.
6. The vulnerability detection and proactive defense system for network information security in urban governance according to claim 1, characterized in that, The proactive defense orchestration and handling module generates a parameterized set of candidate handling actions based on risk items and high-risk propagation paths. It classifies actions according to their impact on business, selects the optimal action combination based on risk reduction benefits, business impact, and implementation complexity, and performs canary releases in order of business criticality from low to high.
7. The vulnerability detection and proactive defense system for network information security in urban governance according to claim 6, characterized in that, The proactive defense orchestration and handling module binds corresponding rollback conditions and rollback execution schemes to each handling action. During the gray-scale execution process, it continuously collects business health status and network status data. When the preset rollback conditions are met, it completes the configuration restoration in reverse order of execution and retains the full-link rollback record.
8. The vulnerability detection and proactive defense system for network information security in urban governance according to claim 1, characterized in that, The effectiveness measurement and retesting closed-loop module executes a retesting plan bound to each action, writes the retesting results back to the security fact normalization module to update the security fact dataset, and completes the quantitative calculation of the governance effectiveness index based on multi-dimensional governance indicators. It also determines the stage-based governance steady state by combining the effectiveness changes over a continuous period.
9. The vulnerability detection and proactive defense system for network information security in urban governance according to claim 8, characterized in that, When the effectiveness measurement and retesting closed-loop module fails to reach a stage of stable governance, it outputs a directional calibration signal to the corresponding upstream module based on the abnormal governance indicator type, triggering the corresponding module's strategy optimization and process re-execution, thus forming a full-process closed-loop iteration.