Security defense decision system and method applied to computer network

By constructing a security defense decision system, we have achieved accurate quantification and proactive perception of network risks, optimized the allocation of defense resources, addressed the shortcomings of traditional network security protection models, and improved the dynamic adaptability and protection effectiveness of the defense system.

CN122339833APending Publication Date: 2026-07-03广西农业职业技术大学 +1

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
广西农业职业技术大学
Filing Date
2026-05-22
Publication Date
2026-07-03

AI Technical Summary

Technical Problem

Traditional cybersecurity protection models are inadequate in terms of risk assessment, interception point selection, and dynamic adaptation of defense mechanisms. They are unable to cope with advanced persistent threats and diverse network risks, and lack the ability for accurate assessment, proactive perception, and closed-loop iteration.

Method used

A security defense decision system is constructed, including a network risk quantification module, an attack and path awareness module, and an interception and defense deployment module. Through full-domain data collection, multi-dimensional risk quantification, topology visualization, and closed-loop defense iteration, the system achieves optimal interception point selection and dynamic adaptation of defense strategies.

Benefits of technology

It improves the accuracy and proactivity of network security protection, reduces the difficulty and cost of operation and maintenance, and enables rapid location and dynamic defense of high-risk nodes and weak links, ensuring continuous protection capabilities.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122339833A_ABST
    Figure CN122339833A_ABST
Patent Text Reader

Abstract

This invention relates to the field of network security management technology, and in particular to a security defense decision-making system and method applied to computer networks. It performs full-coverage monitoring of all nodes within a target network area, constructs a unified security information dataset, and uses multi-dimensional weighted calculations based on traffic anomalies, access record anomalies, and vulnerability risk levels. Combined with node topology importance, it achieves dual quantitative classification of single-node and regional network risks. Using a digital twin model, it can quickly locate high-risk nodes and weak links, directly pinpointing the risk factors with the highest scores. It also senses attack trends and automatically generates primary and secondary attack paths. Simultaneously, it selects optimal interception points based on a priority list of intersection points and path interception filtering methods, outputs a defense deployment list, and establishes a closed-loop mechanism for interception execution, effect evaluation, and secondary defense. When ineffective, the strategy is automatically iterated, and multiple ineffective attempts trigger manual warnings, improving the efficiency and effectiveness of security protection in the network environment.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of network security management technology, and in particular to a security defense decision-making system and method applied to computer networks. Background Technology

[0002] With the deep popularization of digitalization and networking, computer networks have become the core support for government affairs, enterprises, and critical information infrastructure. As the network scale continues to expand, the number of access devices surges, and the business architecture becomes increasingly complex, traditional network security protection models are gradually revealing obvious shortcomings and are unable to cope with the diverse network risks such as advanced persistent threats, ransomware attacks, vulnerability exploitation, and abnormal intrusions.

[0003] Currently, mainstream network security monitoring and defense methods have the following technical shortcomings: 1. Inaccurate quantitative risk assessment and passive, lagging defense models, lacking perception capabilities: Conventional risk assessments do not take into account the importance of nodes in the network topology for differentiated calculations, making it difficult to accurately distinguish between single node risks and overall regional risks. Moreover, most protection technologies are based on "responding after an attack occurs," which cannot predict the probability, type, and time window of an attack, nor can they automatically perceive potential attack paths, making it difficult to achieve proactive interception. 2. Unreasonable selection of interception points, resulting in high defense costs and poor effectiveness: Interception nodes are mostly designated manually without comprehensive consideration of interception coverage, blocking effect, and deployment cost for quantitative optimization. This often leads to problems such as incomplete interception, waste of resources, and blind spots in protection. Faced with complex attack paths and ever-changing attack methods, it is impossible to form an optimal defense deployment plan. 3. Lack of closed-loop defense mechanism and weak dynamic adaptability: After the defense is executed, there is a lack of standardized effect evaluation and iteration mechanism. It is impossible to automatically determine the effectiveness of the interception and analyze the reasons for failure. When the attack path changes or the attack type evolves, the strategy and secondary defense cannot be updated quickly. After multiple defense failures, there is no manual intervention trigger mechanism. The defense system is prone to failure and difficult to operate continuously and stably.

[0004] In summary, traditional technologies have significant shortcomings in terms of accurate assessment, proactive perception, intelligent defense, and closed-loop iteration, and cannot meet the needs of efficient, accurate, dynamic, and proactive security protection in complex network environments. There is an urgent need for a network security protection solution that provides comprehensive monitoring, quantitative assessment, visualization, intelligent perception, and closed-loop defense. Summary of the Invention

[0005] To address the aforementioned technical deficiencies, this invention provides a security defense decision-making system and method for computer networks, which enables full-domain data collection, multi-dimensional risk quantification, topology visualization, attack trend and path awareness, optimal interception point selection, and closed-loop defense iteration, thereby improving the accuracy, proactivity, and efficiency of network security protection.

[0006] The objective of this invention can be achieved through the following technical solution: a security defense decision system applied to computer networks, including a network security defense center, a unified node data module, a network risk quantification module, a risk visualization module, an attack and path awareness module, an interception and defense deployment module, a defense assessment and countermeasure module, and a simulation and visualization module; The network risk quantification module calculates the corresponding indicator scores, combines them with dynamic weighting coefficients, calculates the risk score Fi of a single node and the regional risk score S, and determines the node risk level and the network risk level based on preset thresholds. The risk visualization module establishes a digital twin model, colors the node risk level and network risk level in the digital twin model to obtain a digital twin model risk map, and identifies the potential risk factors of high-risk nodes. The attack and path awareness module: constructs a basic dataset, performs network risk awareness on the target area, and generates a set of high-threat attack paths with high-risk core nodes as potential targets. The interception and defense deployment module: divides the path intersection points based on the set of high-threat attack paths, forms a priority list of intersection points, performs diverse screening and analysis of the optimal interception points based on the priority list of intersection points, and outputs a defense deployment list; The defense assessment and countermeasure module: performs interception based on the defense deployment list, records the interception execution log, calculates the interception assessment score to determine the effectiveness of the interception, and if the interception is invalid, it performs a second interception. If it is invalid again, it triggers a manual intervention warning.

[0007] Preferably, the process for classifying the node risk level and the network risk level is as follows: Based on the network node security information dataset, normalized traffic anomaly indicators, access record anomaly indicators, and vulnerability risk level indicators are extracted. Calculate scores for traffic anomaly indicators, access record anomaly indicators, and vulnerability risk levels. Retrieve the dynamic weighting coefficients of traffic anomaly index score, access record anomaly index score and vulnerability risk index score, and calculate the risk score Fi (i>0, where i is the node number) for each node in the network. Based on the risk score Fi, and combined with the importance weight of nodes in the network topology, the regional risk score S of the overall network is calculated.

[0008] Preferably, the risk score Fi and the regional risk score S are processed to determine the risk level of each node and the network risk level of the target area. Node risk levels include high risk, medium risk, and low-medium risk; network risk levels include high risk, medium risk, and low-medium risk.

[0009] Preferably, the analysis process of the risk map of the digital twin model is as follows: Collect node-related datasets, associate and bind them with network node security information datasets, and generate digital twin models based on node-related datasets; By combining the node risk level with the digital twin model, each node is marked on the digital twin model. At the same time, by combining the network risk level with the network risk level, the network risk level is marked on the digital twin model, resulting in a risk map of the digital twin model.

[0010] Preferably, based on the risk map of the digital twin model, the complete scoring records of each high-risk node in the risk map of the digital twin model are retrieved, the calculation details of the total risk score of the high-risk node are extracted, the specific scores of the high-risk node in the three dimensions of abnormal traffic, abnormal access records, and vulnerability risk level are clarified, the indicator dimension with the highest score is locked, and it is marked as a potential risk factor.

[0011] Preferably, the analysis process for the primary and secondary sensing attack paths is as follows: A basic dataset is constructed, and the preprocessed basic dataset is input into the fusion perception model to generate an attack trend report. Combined with the digital twin model, all core nodes are selected as target anchors, and the target anchors with risk scores Fi > preset risk scores max are selected as potential targets to be attacked. Based on the parent-child node hierarchy, complete paths are filtered and sorted according to the average risk score of the nodes on the path. The paths corresponding to the first and the three nodes after the first are taken as the primary and secondary attack paths of potential targets. All primary and secondary paths together constitute a set of high-threat attack paths.

[0012] Preferably, the construction and analysis process of the defense deployment list is as follows: Based on the primary and secondary perception attack paths, and combined with the digital twin model, each node on the path is labeled with a role. Common nodes that appear in two or more paths are marked and defined as path intersections. Path intersections are divided into first-level intersections, second-level intersections, and third-level intersections. Intersections are sorted in order of first-level > second-level > third-level to form a priority list of intersections. Construct a core candidate interception point pool. If there is a first-level intersection point in the core candidate interception point pool, it is directly designated as the optimal interception point. If there is no first-level intersection point, the second-level intersection point in the core candidate interception point pool is designated as the optimal interception point. If there are no primary or secondary intersection points, the path interception filtering method is used to filter the primary and secondary sensing attack paths and select the optimal interception point. For secondary sensing attack paths, the tertiary intersection point is set as the optimal interception point. If there are no intersection points, the path interception filtering method is used to select the optimal interception point.

[0013] Preferably, the interception effectiveness analysis process is as follows: Based on the defense deployment list, the interception point devices respond in real time, record the interception execution process in real time, and form an interception execution log; Based on the interception execution log, obtain the change rate of the interception evaluation index before and after the first interception point. Retrieve the weight coefficient corresponding to the change rate of each interception evaluation index. Multiply the change rate of the interception evaluation index by the corresponding weight coefficient to obtain the contribution score of each interception evaluation index. Sum the contribution scores of each interception evaluation index to obtain the interception evaluation score. Then, perform discrimination processing on the interception evaluation score and output the valid interception or invalid interception. When an interception is determined to be invalid, the risk score of the node is recalculated, the interception execution log is analyzed, the cause of failure is determined, and the failure cause analysis results are output. Based on the latest risk score, attack path awareness is re-executed. On the newly generated attack path, candidate interception points are re-extracted, the interception point score coefficient is calculated, and the candidate interception point with the highest score is selected as the secondary primary interception point. According to the latest perceived attack type, the preset interception deployment decision is re-matched, and the interception evaluation score of the secondary interception is obtained. If invalid interception is still output, a manual intervention warning instruction is triggered.

[0014] The beneficial effects of this invention are as follows: (1) This invention reduces the impact of data on subsequent analysis by constructing a unified security information dataset. It extracts indicators from three dimensions: abnormal traffic, abnormal access records, and vulnerability risk level, and calculates them by weight to achieve dual quantification of single node risk Fi and overall regional risk S. It divides risk levels with clear score thresholds, replaces manual experience judgment, and greatly improves the accuracy, objectivity and consistency of risk assessment. In addition, combined with the digital twin model, it can quickly locate high-risk nodes and weak links, directly lock the risk factors with the highest score, and reduce the difficulty of network security operation and maintenance investigation and response time.

[0015] (2) This invention is designed to detect future attacks and automatically generate primary / secondary attack paths, thereby transforming from passive response to proactive detection and defense. This effectively reduces the losses caused by attacks. It also constructs a priority list of intersection points to complete the coarse matching of optimal interception points. Candidate interception points are extracted through node priority. The interception coverage, blocking effect, and deployment cost are comprehensively considered and normalized to calculate the score. The optimal interception point is selected in detail and matched with the defense deployment list. While ensuring the blocking effect, the defense resource configuration is optimized, and the deployment and maintenance costs are reduced. At the same time, a closed-loop mechanism of interception execution-effect evaluation-failure analysis-secondary defense is established, so that the defense system can dynamically adapt to changes in attacks and continuously maintain its protection capabilities. Attached Figure Description

[0016] The invention will now be further described with reference to the accompanying drawings; Figure 1 This is a flowchart of the system of the present invention; Figure 2 This is a reference diagram for the optimal interception point analysis of this invention; Figure 3 This is a reference diagram of the method of the present invention. Detailed Implementation

[0017] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0018] In this document, the term "embodiment" means that a particular feature, structure, or characteristic described in connection with an embodiment may be included in at least one embodiment of the invention. The appearance of this phrase in various places throughout the specification does not necessarily refer to the same embodiment, nor is it a separate or alternative embodiment mutually exclusive with other embodiments. It will be explicitly and implicitly understood by those skilled in the art that the embodiments described herein can be combined with other embodiments; Example 1: Please refer to Figures 1 to 3 As shown, the present invention is a security defense decision system applied to computer networks, including a network security defense center, a unified node data module, a network risk quantification module, a risk visualization module, an attack and path awareness module, an interception and defense deployment module, a defense assessment and countermeasure module, and a simulation visualization module. The unified node data module has a one-way communication connection with the network security defense center. The network security defense center has a one-way communication connection with the network risk quantification module, the attack and path awareness module, and the defense assessment and countermeasure module. The attack and path awareness module has a one-way communication connection with the interception and defense deployment module. The interception and defense deployment module has a one-way communication connection with the network security defense center. The network risk quantification module has a one-way communication connection with the risk visualization module. The risk visualization module has a one-way communication connection with the simulation visualization module. The defense assessment and countermeasure module is also connected to the network security defense center. The unified node data module is used to collect network traffic data, network access records, and network node vulnerability characteristics in the target area's computer network in real time. After preprocessing, it constructs a unified network node security information dataset and sends it to the network security defense center for storage. Specifically, this includes: Full coverage monitoring of all routing nodes, switching nodes, terminal hosts, servers and border gateways in the target area's computer network, real-time collection of network traffic data, including basic traffic characteristics such as traffic size, traffic direction, data packet protocol type, port information, connection duration, and abnormal packet frequency; Collect network access log information, including logs of abnormal behaviors such as user login behavior, unauthorized access attempts, abnormal file transfers, suspicious external IP access, and high-frequency access during non-working hours; Collect vulnerability feature information of network nodes, and obtain vulnerability data that can be exploited in real time, such as system version vulnerabilities, application vulnerabilities, weak passwords, unauthorized service openings, and configuration defects, through the vulnerability scanning engine; The collected network traffic data, network access record information and network node vulnerability feature information are standardized, cleaned and formatted to remove duplicate, invalid and interference data, and a unified network node security information dataset is constructed. The network risk quantification module extracts traffic anomaly indicators, access record anomaly indicators, and vulnerability risk level indicators from the network node security information dataset, calculates corresponding indicator scores, calculates the risk score Fi for a single node and the regional risk score S, and determines the node risk level and network risk level based on preset thresholds. Specifically, this includes: Based on the network node security information dataset, normalized traffic anomaly indicators (including the proportion of abnormal traffic (the ratio of suspicious traffic to total traffic), abnormal packet sending frequency (the number of data packets sent exceeding the normal threshold per minute), access record anomaly indicators (including the number of unauthorized access attempts, the number of unauthorized IP access attempts, etc.) and vulnerability risk indicators (including the number of vulnerabilities and the proportion of unpatched vulnerabilities) are extracted. Calculate scores for traffic anomaly indicators, access record anomaly indicators, and vulnerability risk levels. Traffic anomaly index score = Σ (parameter weight of each traffic anomaly index × corresponding parameter); Access record anomaly score = Σ (parameter weight of each access record anomaly score × corresponding parameter); Vulnerability risk level score = Σ (the weight of each vulnerability risk level indicator × the corresponding parameter); Retrieve the importance relationship table of traffic anomaly index score, access record anomaly index score and vulnerability risk index score. Traffic anomaly index score > vulnerability risk index score > access record anomaly score. Based on the importance relationship table, the traffic anomaly indicator scores are matched within a preset range, and the dynamic weight coefficients corresponding to the traffic anomaly indicator scores within the preset range are output. Retrieve the dynamic weighting coefficients of traffic anomaly indicator scores, access record anomaly indicator scores, and vulnerability risk level indicator scores, and calculate the risk score Fi (i>0, where i is the node number) for each node in the network (such as routers, terminals, servers, etc.). Risk score Fi = Σ (weight of each indicator score × score of that indicator). Based on the risk score Fi, combined with the importance of nodes in the network topology (core node weight a1, ordinary node weight a2, edge node weight a3, a1>a2>a3>0, such as core node weight 1.2, ordinary node weight 1.0, edge node weight 0.8), the regional risk score S of the entire network is calculated. The regional risk score S = [Σ(Fi×node importance weight)] / total number of nodes, realizing the dual quantification of risk for individual nodes and the overall network. The risk score Fi and the regional risk score S are processed to determine the risk level of each node and the network risk level of the target area. Node risk level: If the risk score Fi > the preset risk score max, it is judged as high risk; if the risk score Fi ∈ [preset risk score min, preset risk score max], it is judged as medium risk; if the risk score Fi < the preset risk score min, it is judged as low risk. Network risk level: If the regional risk score S > the preset regional risk score max, it is judged as high risk; if the regional risk score S ∈ [the preset regional risk score min, the preset regional risk score max], it is judged as medium risk; if the regional risk score S < the preset regional risk score min, it is judged as low risk. The risk visualization module is used to create the final topology map, color-coding the node risk level and network risk level in the topology map to obtain a regional network risk visualization view, and identifying the potential risk triggers for high-risk nodes, specifically including: Collect node association data, including each node's IP address, MAC address, device model, port connection relationship, parent-child node hierarchy (such as core node-aggregation node-edge node), and physical deployment location (such as data center number and floor), to form a complete node association dataset, which is then associated and bound with the network node security information dataset; Based on the node association dataset, a digital twin model is generated: the node name, IP address and device type are labeled to ensure that the digital twin model is consistent with the actual network architecture and clearly presents the communication links between nodes; Each node is marked on the digital twin model based on its risk level: high risk is marked in red, medium risk in yellow, and low risk in green. At the same time, the network risk level is marked on the digital twin model based on the network risk level, resulting in a risk map of the digital twin model. Based on the risk map of the digital twin model, the complete scoring records of each high-risk node in the risk map are retrieved, and the calculation details of the total risk score of the high-risk node are extracted. The specific scores of the high-risk node in the three dimensions of abnormal traffic, abnormal access records, and vulnerability risk level are clarified. The indicator dimension with the highest score is identified and marked as a potential risk factor. The simulation visualization module is used to display the risk map of the digital twin model and potential risk factors, so as to intuitively understand the regional network risk, node risk, and potential risk factors, so as to facilitate subsequent targeted management.

[0019] Example 2: The attack and path awareness module is used to build a basic dataset, perform network risk awareness on the target area, identify high-risk core nodes as potential targets, and generate a set of high-threat attack paths, specifically including: Historical data of the target area's computer network is collected, including attack type, attack time, attack path, vulnerability exploitation method, and attack result. Combined with the network node security information dataset, a basic dataset is constructed. The preprocessed basic dataset is input into the fusion prediction model. Through time series analysis, the probability of network attacks occurring and the attack type (such as port scanning, SQL injection, ransomware attacks, etc.) within a set future time frame (e.g., 2 hours) are predicted. An attack trend report is generated, which clarifies the time window for attack occurrence (e.g., the next 1 hour), high-probability attack types, and intensity levels (high / medium / low). By combining the digital twin model, all core nodes are selected as target anchors, and the target anchors with risk scores Fi > preset risk scores max are selected as potential targets to be attacked. Collect node association data, including each node's IP address, MAC address, device model, port connection relationship, parent-child node hierarchy (such as core node-aggregation node-edge node), and physical deployment location (such as data center number and floor), to form a complete node association dataset, which is then associated and bound with the network node security information dataset; Based on the parent-child node hierarchy, a reverse connectivity graph is constructed from the potential target to the edge. Starting from the potential target, all directly connected nodes are searched up one level (in the direction of the parent node), and the complete path is combined according to the filtering results. The nodes on the path are sorted according to their average risk score. The average risk score is the sum of the risk scores of the path nodes / the number of path nodes. The paths corresponding to the average risk scores of the first and the three nodes after the first are taken as the primary and secondary predicted attack paths of potential targets. All primary and secondary paths together constitute a set of high-threat attack paths. The interception and defense deployment module divides the path intersections based on the set of high-threat attack paths, forming a priority list of intersection points. Based on this priority list, it performs diverse filtering and analysis of optimal interception points and outputs a defense deployment list, specifically including: Based on the primary and secondary predicted attack paths, and combined with the digital twin model, each node on the path is labeled with a role: node name, IP address, node type, role classification, and position in the path. A common node that appears in two or more paths is marked and defined as a path intersection point. Path intersection points are divided into three levels: first-level intersection points, second-level intersection points, and third-level intersection points. Intersection points are sorted in order of first-level > second-level > third-level to form a priority list of intersection points. Junction points are categorized by the number of covered paths: Primary junction point: covers the main path and all secondary paths; Secondary junction: covers the main path plus one or more secondary paths; Level 3 junctions: only cover multiple secondary paths; Prioritize extracting intersection points as core candidate interception points, then extract key bottleneck nodes on the main path that are not intersection points (such as entry points, jump points, and nodes preceding core targets) as supplementary candidates, and eliminate high-risk nodes that have been compromised, nodes with ineffective protection, and nodes that are likely to cause business interruption to obtain a pool of core candidate interception points; If there is a primary intersection point in the core candidate interception point pool, it is directly designated as the optimal interception point. If there is no primary intersection point, the secondary intersection point in the core candidate interception point pool is designated as the optimal interception point. If there are no primary or secondary intersection points, the path interception filtering method is used to filter the primary and secondary predicted attack paths and select the optimal interception point. For secondary predicted attack paths, the tertiary intersection point is set as the optimal interception point. If there are no intersection points, the path interception filtering method is used to select the optimal interception point. Path interception and filtering methods include: Priority of nodes to be retrieved: Gateway node / border node > Router node > Critical forwarding node > Edge access node > Target node itself; Based on node priority, candidate interception points are extracted for the main and secondary predicted attack paths. The interception coverage (representing the number of nodes that can be protected), the degree of blocking effect (representing the thoroughness of cutting off the attack path: boundary = 1.0, routing = 0.9, forwarding = 0.7, terminal = 0.5) and deployment cost (representing the total cost required to implement the interception) of the candidate interception points are obtained. After normalization, the interception coverage area × preset range coefficient + blocking effect level × preset effect coefficient + (1 - deployment cost) × preset cost coefficient is calculated to obtain the interception point score coefficient. Then, the candidate interception point corresponding to the maximum interception point score coefficient is set as the optimal interception point. Based on the predicted attack type, combined with the preset attack type-interception deployment decision, the preset interception deployment decision is matched, including the distribution channel, interception method, etc., and outputs the optimal interception point for the main and secondary predicted attack paths, the preset interception deployment decision and other defense deployment list.

[0020] Example 3: The defense assessment and countermeasure module is used to perform interception based on the defense deployment list, record the interception execution log, calculate the interception assessment score to determine the effectiveness of the interception, and if the interception is invalid, a second interception is performed. If it is still invalid, a manual intervention warning is triggered. Specifically, it includes: Based on the defense deployment list, the interception point devices respond in real time, blocking or restricting suspicious traffic, abnormal connections and malicious access behaviors on the main and secondary predicted attack paths, and recording the interception execution process in real time, including the instruction issuance time, execution status, blocked traffic information, abnormal behavior handling results, etc., forming an interception execution log; Based on the interception execution log, obtain the rate of change of interception evaluation indicators before and after the optimal interception point. The interception evaluation indicators include risk score, number of unauthorized access attempts, number of external suspicious IP accesses, etc. Retrieve the weight coefficients corresponding to the rate of change of each interception evaluation indicator, multiply the rate of change of the interception evaluation indicator by the corresponding weight coefficient to obtain the contribution score of each interception evaluation indicator, sum the contribution scores of each interception evaluation indicator to obtain the interception evaluation score, and perform discrimination processing on the interception evaluation score. If the interception evaluation score is greater than the preset interception evaluation score threshold, it is determined to be a valid interception; if the interception evaluation score is less than or equal to the preset interception evaluation score threshold, it is determined to be an invalid interception. When an invalid interception is determined, the latest network node security information dataset is retrieved, and the node's risk score is recalculated. Analyze the interception execution logs to determine the cause of failure: the interception point device did not respond correctly (such as the forwarding channel failed or the interception rules did not take effect), the attack path changed (the original path is no longer active and a new path has appeared), the attack type evolved (such as from port scanning to SQL injection), and the interception coverage was insufficient (failure to cover key forwarding nodes). Output the failure cause analysis results. Based on the latest risk score, attack path prediction is re-executed. On the newly generated attack path, candidate interception points are re-extracted, the interception point score coefficient is calculated, and the candidate interception point with the highest score is selected as the secondary optimal interception point. Based on the latest predicted attack types, the preset interception deployment decisions are re-matched, and the interception evaluation score of the secondary interception is obtained. If the invalid interception is still output, a manual intervention warning instruction is triggered. The simulation visualization module is used to display the preset warning operation corresponding to the manual intervention warning instruction, so as to promptly remind humans to intervene and intercept, thereby improving network security.

[0021] Example 4: This invention also proposes a security defense decision-making method for computer networks, comprising the following steps: Step 1: Data collection, processing and construction of network node security information dataset, namely, real-time collection of network traffic data, network access record information and network node vulnerability feature information in the target area computer network, and construction of a unified network node security information dataset after preprocessing; Step 2: The process of classifying node risk level and network risk level based on the network node security information dataset, namely, extracting traffic anomaly indicators, access record anomaly indicators, and vulnerability risk level indicators from the network node security information dataset, calculating the corresponding indicator scores, calculating the risk score Fi of a single node and the regional risk score S, and determining the node risk level and network risk level according to the preset threshold. Step 3: Establish a digital twin model risk map and identify potential risk factors for high-risk nodes. This involves establishing a digital twin model, color-coding the node risk level and network risk level within the digital twin model to obtain a digital twin model risk map, and identifying potential risk factors for high-risk nodes. Step 4: Constructing a basic dataset and generating a set of high-threat attack paths. This involves constructing a basic dataset, performing network risk perception on the target area, identifying high-risk core nodes as potential targets, and generating primary and secondary perceived attack paths. Step 5: Constructing the convergence point priority list and determining the optimal interception point by setting node priorities, outputting the defense deployment list, that is, constructing the convergence point priority list, completing the selection of the optimal interception point based on the convergence point priority list, combining node priorities, calculating the interception point scoring coefficient, selecting the optimal interception point, matching the preset interception deployment decision, and outputting the defense deployment list. Step Six: Initial interception defense effectiveness assessment and secondary interception feedback, i.e., execute interception based on the defense deployment checklist, record the interception execution log, calculate the interception evaluation score to determine the interception effectiveness. If the interception is ineffective, a secondary interception will be performed. If it is ineffective again, a manual intervention warning will be triggered. In summary, by constructing a unified security information dataset, the impact of data on subsequent analysis is reduced. Indicators are extracted from three dimensions—abnormal traffic, abnormal access records, and vulnerability risk—and weighted calculations are performed to achieve dual quantification of single-node risk (Fi) and overall regional risk (S). Risk levels are classified with clear score thresholds, replacing manual experience-based judgments. This significantly improves the accuracy, objectivity, and consistency of risk assessment. Furthermore, combined with a digital twin model, high-risk nodes and weak links can be quickly located, directly identifying the risk factors with the highest scores, reducing the difficulty and response time of network security operations and maintenance. Simultaneously, it senses future attacks, automatically generates primary / secondary attack paths, and transforms from passive response to proactive awareness and defense, effectively reducing the losses caused by attacks. It also constructs a priority list of intersection points to complete the coarse matching of optimal interception points, extracts candidate interception points through node priority, and calculates scores by normalizing the interception coverage, blocking effect, and deployment cost. It then selects the optimal interception point in detail and matches it with the defense deployment list, optimizing the allocation of defense resources while ensuring the blocking effect and reducing deployment and maintenance costs. At the same time, it establishes a closed-loop mechanism of interception execution - effect evaluation - failure analysis - secondary defense, allowing the defense system to dynamically adapt to changes in attacks and continuously maintain its protective capabilities.

[0022] The threshold is set for result comparison and analysis to determine whether it is good or bad. The value of the threshold is determined by a combination of large-scale model analysis of the sample data and human experience, and can also be adjusted appropriately based on seasonal or common-sense influencing factors. The above description is only a preferred embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any equivalent substitutions or modifications made by those skilled in the art within the scope of the technology disclosed in the present invention, based on the technical solution and inventive concept of the present invention, should be covered within the scope of protection of the present invention.

Claims

1. A security defense decision-making system applied to computer networks, characterized in that, It includes a network security defense center, a unified node data module, a network risk quantification module, a risk visualization module, an attack and path awareness module, an interception and defense deployment module, a defense assessment and countermeasure module, and a simulation visualization module; The network risk quantification module calculates the corresponding indicator scores, combines them with dynamic weighting coefficients, calculates the risk score Fi of a single node and the regional risk score S, and determines the node risk level and the network risk level based on preset thresholds. The risk visualization module establishes a digital twin model, colors the node risk level and network risk level in the digital twin model to obtain a digital twin model risk map, and identifies the potential risk factors of high-risk nodes. The attack and path awareness module: constructs a basic dataset, performs network risk awareness on the target area, and generates a set of high-threat attack paths with high-risk core nodes as potential targets. The interception and defense deployment module: divides the path intersection points based on the set of high-threat attack paths, forms a priority list of intersection points, performs diverse screening and analysis of the optimal interception points based on the priority list of intersection points, and outputs a defense deployment list; The defense assessment and countermeasure module: performs interception based on the defense deployment list, records the interception execution log, calculates the interception assessment score to determine the effectiveness of the interception, and if the interception is invalid, it performs a second interception. If it is invalid again, it triggers a manual intervention warning.

2. The security defense decision system applied to computer networks according to claim 1, characterized in that, The process for classifying node risk levels and network risk levels is as follows: Based on the network node security information dataset, normalized traffic anomaly indicators, access record anomaly indicators, and vulnerability risk level indicators are extracted. Calculate scores for traffic anomaly indicators, access record anomaly indicators, and vulnerability risk levels. Retrieve the dynamic weighting coefficients of traffic anomaly index score, access record anomaly index score and vulnerability risk index score, and calculate the risk score Fi (i>0, where i is the node number) for each node in the network. Based on the risk score Fi, and combined with the importance weight of nodes in the network topology, the regional risk score S of the overall network is calculated.

3. The security defense decision-making system applied to computer networks according to claim 2, characterized in that, The risk score Fi and the regional risk score S are processed to determine the risk level of each node and the network risk level of the target area. Node risk levels include high risk, medium risk, and low-medium risk; network risk levels include high risk, medium risk, and low-medium risk.

4. The security defense decision-making system applied to computer networks according to claim 1, characterized in that, The analysis process of the risk map of the digital twin model is as follows: Collect node-related datasets, associate and bind them with network node security information datasets, and generate digital twin models based on node-related datasets; By combining the node risk level with the digital twin model, each node is marked on the digital twin model. At the same time, by combining the network risk level with the network risk level, the network risk level is marked on the digital twin model, resulting in a risk map of the digital twin model.

5. The security defense decision-making system applied to computer networks according to claim 4, characterized in that, Based on the risk map of the digital twin model, the complete scoring records of each high-risk node in the risk map of the digital twin model are retrieved, the calculation details of the total risk score of the high-risk node are extracted, the specific scores of the high-risk node in the three dimensions of abnormal traffic, abnormal access records, and vulnerability risk level are clarified, the indicator dimension with the highest score is identified, and it is marked as a potential risk factor.

6. The security defense decision-making system applied to computer networks according to claim 1, characterized in that, The analysis process for the primary and secondary perception attack paths is as follows: A basic dataset is constructed, and the preprocessed basic dataset is input into the fusion perception model to generate an attack trend report. Combined with the digital twin model, all core nodes are selected as target anchors, and the target anchors with risk scores Fi > preset risk scores max are selected as potential targets to be attacked. Based on the parent-child node hierarchy, complete paths are filtered and sorted according to the average risk score of the nodes on the path. The paths corresponding to the first and the three nodes after the first are taken as the primary and secondary attack paths of potential targets. All primary and secondary paths together constitute a set of high-threat attack paths.

7. The security defense decision-making system applied to computer networks according to claim 1, characterized in that, The process of constructing and analyzing the defense deployment list is as follows: Based on the primary and secondary perception attack paths, and combined with the digital twin model, each node on the path is labeled with a role. Common nodes that appear in two or more paths are marked and defined as path intersections. Path intersections are divided into first-level intersections, second-level intersections, and third-level intersections. Intersections are sorted in order of first-level > second-level > third-level to form a priority list of intersections. Construct a core candidate interception point pool. If there is a first-level intersection point in the core candidate interception point pool, it is directly designated as the optimal interception point. If there is no first-level intersection point, the second-level intersection point in the core candidate interception point pool is designated as the optimal interception point. If there are no primary or secondary intersection points, the path interception filtering method is used to filter the primary and secondary sensing attack paths and select the optimal interception point. For secondary sensing attack paths, the tertiary intersection point is set as the optimal interception point. If there are no intersection points, the path interception filtering method is used to select the optimal interception point.

8. The security defense decision-making system applied to computer networks according to claim 1, characterized in that, The interception effectiveness analysis process is as follows: Based on the defense deployment list, the interception point devices respond in real time, record the interception execution process in real time, and form an interception execution log; Based on the interception execution log, obtain the change rate of the interception evaluation index before and after the first interception point. Retrieve the weight coefficient corresponding to the change rate of each interception evaluation index. Multiply the change rate of the interception evaluation index by the corresponding weight coefficient to obtain the contribution score of each interception evaluation index. Sum the contribution scores of each interception evaluation index to obtain the interception evaluation score. Then, perform discrimination processing on the interception evaluation score and output the valid interception or invalid interception. When an interception is determined to be invalid, the risk score of the node is recalculated, the interception execution log is analyzed, the cause of failure is determined, and the failure cause analysis results are output. Based on the latest risk score, attack path awareness is re-executed. On the newly generated attack path, candidate interception points are re-extracted, the interception point score coefficient is calculated, and the candidate interception point with the highest score is selected as the secondary primary interception point. According to the latest perceived attack type, the preset interception deployment decision is re-matched, and the interception evaluation score of the secondary interception is obtained. If invalid interception is still output, a manual intervention warning instruction is triggered.

9. A security defense decision-making method for computer networks, wherein the method is applied to a security defense decision-making system for computer networks as described in any one of claims 1-8, characterized in that, Includes the following steps: Step 1: Data collection, processing, and construction of the network node security information dataset; Step 2: The process of classifying node risk levels and network risk levels based on the network node security information dataset; Step 3: Establish a digital twin model risk map and identify potential risk factors for high-risk nodes; Step 4: Constructing a basic dataset and generating a set of high-threat attack paths for awareness; Step 5: Construct the priority list of intersection points and determine the optimal interception points by setting node priorities, and output the defense deployment list; Step Six: Initial interception defense effectiveness assessment and secondary interception feedback.