Computer network security protection method and system based on data analysis

By generating session chain data and modeling semantic constraint sets in IT/OT converged industrial networks, the problem of joint constraints between business semantics, access paths, industrial instructions, and authentication sequences in cross-regional sessions is solved, achieving minimal intervention protection for abnormal segmentation and improving the reliability and stability of network security.

CN122339858APending Publication Date: 2026-07-03JIANGSU VOCATIONAL COLLEGE OF BUSINESS

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
JIANGSU VOCATIONAL COLLEGE OF BUSINESS
Filing Date
2026-06-05
Publication Date
2026-07-03

AI Technical Summary

Technical Problem

Existing technologies struggle to jointly constrain the business semantics of cross-regional sessions with access paths, industrial commands, and authentication sequences in IT/OT converged industrial networks, and to achieve minimal intervention protection for anomaly segments when anomalies occur.

Method used

By collecting network traffic, domain name resolution, authentication logs, host process summaries, and asset topology data, session chain data is generated. Based on multi-semantic pattern label data, a semantic constraint set is established, semantic enhancement parameters are calculated, semantic segmentation and risk assessment are performed, and segment-level protection strategies are generated to implement minimal intervention protection.

Benefits of technology

It enables accurate detection and minimal intervention of abnormal segments in IT/OT converged factory networks, reducing the risk of false alarms and production disruptions, and improving the reliability and stability of network security.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122339858A_ABST
    Figure CN122339858A_ABST
Patent Text Reader

Abstract

This invention discloses a computer network security protection method and system based on data analysis, relating to the field of computer security technology. Targeting IT / OT converged factory networks, this invention aligns traffic, DNS, authentication, processes, topology, and industrial instructions into session chains, generating semantic patterns and semantic constraints. It enables baseline establishment based on semantic patterns, segmented output of evidence chains and risk scores, and the linkage of semantic enhancement parameters with acquisition frequency, rate limits, and micro-isolation range. This allows the control end to handle only the abnormal segments with minimal intervention, reducing false alarms and production disruption risks, and enabling closed-loop update strategies to be transmitted back.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of computer security technology, and in particular to a computer network security protection method and system based on data analysis. Background Technology

[0002] In IT / OT converged smart factory networks, necessary interconnection exists between the production control area, business management area, and maintenance access area. Existing network security measures mainly include signature-based intrusion detection, threshold-based traffic alerting, UEBA anomaly analysis, and zero-trust static access control. Due to the typical characteristics of industrial sites, such as maintenance windows, cross-area jumps, mixed industrial protocol read / write commands, and business peak-valley fluctuations, attackers often impersonate legitimate maintenance sessions to conduct low-frequency lateral movement or issue write commands. This makes detection relying solely on protocols, ports, or single anomaly scores prone to false positives. Static policies, on the other hand, struggle to achieve fine-grained blocking without affecting production line continuity, often resulting in a dilemma of either letting the network through or completely cutting it off.

[0003] Currently, Chinese invention patent application number CN202410826960.7 discloses a computer network security protection method, including the following steps: strengthening login control, formulating security policies, key generation, generating key one K1 and key two K2 in the data transmission process through key management service, extracting user code D, timestamp T and hash value H from key one K1 through system operation, generating key three K3 by combining key one K1 and according to timestamp T and user code D, data encryption, updating and maintaining the key encryption system, daily monitoring and recording, and effectively improving the security and unpredictability of data transmission by using multi-key encryption methods, introducing timestamps, using random salt values, adding random initialization vectors, combining encryption blocks and data blocks, and combining multi-layer encryption and verification information, thereby enhancing the effectiveness of computer network security protection.

[0004] The aforementioned technologies struggle to jointly constrain the business semantics of cross-regional sessions with access paths, industrial instructions, and authentication sequences in IT / OT converged industrial networks, and to implement minimal intervention protection for anomaly segments when anomalies occur. Summary of the Invention

[0005] The technical problem solved by this invention is that existing technologies have difficulty in jointly constraining and modeling the business semantics of cross-regional sessions with access paths, industrial instructions and authentication sequences in IT / OT converged industrial networks, and in implementing minimal intervention protection for anomaly segments when anomalies occur.

[0006] To solve the above-mentioned technical problems, the present invention provides the following technical solution: The computer network security protection method based on data analysis includes the following steps: Step S1: Collect network traffic session data, domain name resolution data, authentication log data, host process summary data, asset topology data, and industrial protocol instruction statistics, perform time synchronization and asset identification alignment, and obtain session chain data; Step S2: Generate multi-semantic pattern label data and semantic constraint set based on session chain data; Step S3: Calculate semantic enhancement parameters based on the confidence level of multi-semantic pattern tag data, the asset criticality index obtained from asset topology data, and the account credibility index obtained from authentication log data. Then, generate action intensity parameter data by mapping the semantic enhancement parameters. The action intensity parameter data includes the collection frequency increase factor, the speed limit ratio, and the isolation range parameter. Step S4: Perform semantic segmentation based on multi-semantic mode label data switching, access path sequence data jump, industrial protocol instruction category distribution data out of bounds, or authentication behavior sequence data deviation, to obtain semantic segmentation sequence data and generate evidence chain data. Step S5: Establish intra-segment baseline feature data based on multi-semantic pattern label data, calculate the deviation of semantic segment sequence data from intra-segment baseline feature data to obtain intra-segment anomaly score data, and combine semantic enhancement parameters to obtain weighted anomaly score data. Calculate the risk score by weighting the weighted anomaly score data with the violation level of the semantic constraint set in the evidence chain data, and output the risk assessment result. Step S6: Generate a segment-level protection strategy based on the risk assessment results and action intensity parameter data, and send it to the control terminal for execution; Step S3 includes the following sub-steps: Step S301: Obtain a semantic deterministic index based on the multi-semantic pattern label data. The semantic deterministic index is determined by the confidence level. Step S302: Obtain asset criticality index based on asset topology data and asset role data, and obtain account credibility index based on authentication log data. Step S303: Calculate semantic enhancement parameters based on semantic certainty indicators, asset criticality indicators, and account credibility indicators; Step S304: Map the semantic enhancement parameters to action intensity parameter data. Increasing the semantic enhancement parameters corresponds to increasing the acquisition frequency by a factor of 1, increasing the rate limiting ratio, and converging the isolation range parameter to the session chain range corresponding to the abnormal segmentation identifier. Step S4 includes the following sub-steps: Step S401: Set the segmentation principle and perform a line-by-line scan of the session chain data; Step S402: When the multi-semantic pattern label data changes, segmentation is triggered and segmentation boundaries are generated; Step S403: When the access path sequence data shows a newly added jump asset identifier, crosses a preset network boundary, or path rollback anomaly, segmentation is triggered and segment boundaries are generated. Step S404: When the distribution data of industrial protocol instruction categories exceeds the constraints of the allowed industrial protocol instruction set, or when the authentication behavior sequence data deviates from the constraints of the allowed authentication behavior sequence, segmentation is triggered and segmentation boundaries are generated. Step S405: Output semantic segment sequence data according to the segment boundaries, and generate evidence chain data for each segment. The evidence chain data includes an abnormal segment identifier, a trigger cause identifier, a reference to the corresponding session chain fragment, and a reference to the corresponding semantic constraint entry. The intra-segment anomaly detection in step S5 is as follows: Based on historical semantic segmented sequence data and multi-semantic mode label data, intra-segment baseline feature data are generated respectively. The intra-segment baseline feature data includes the statistical range of session rate, the statistical range of domain name category, the statistical range of authentication behavior, the range of process port association summary, and the distribution range of industrial protocol instruction category. The deviation between the corresponding features of the semantic segment sequence data to be detected and the baseline feature data within the segment is calculated, and the anomaly score data within the segment is output. The abnormal score data within a segment is weighted and fused with the semantic enhancement parameters to obtain weighted abnormal score data, and the segment is judged as abnormal if the weighted abnormal score data exceeds the preset abnormal threshold. The inter-segment consistency check in step S5 is as follows: Perform inter-segment consistency checks on semantic segmented sequence data. If an abnormal segment violates the allowed access path constraint, allowed industrial protocol instruction set constraint, or allowed authentication behavior sequence constraint, generate violation entry data. The data on violations and the chain of evidence are combined to output a risk assessment result. The risk assessment result includes a risk score, anomaly segmentation identifiers, and chain of evidence data. The risk score is calculated from the weighted anomaly score data and the violation level of the violation item data.

[0007] Preferably, step S1 includes the following sub-steps: Step S101: Obtain network traffic session data, domain name resolution data, authentication log data, host process summary data, asset topology data, and industrial protocol command statistics. Step S102: Time synchronization is performed on network traffic session data, domain name resolution data, authentication log data and host process digest data, and asset identifier alignment is performed on the above data based on asset topology data to obtain the original security awareness data. Step S103: Based on the association between the account identifier, source asset identifier, destination asset identifier and preset time neighborhood in the original security awareness data, cross-asset access is linked into session chain data.

[0008] Preferably, step S2 includes the following sub-steps: Step S201: Generate asset role data based on asset topology data. The asset role data includes production control role, operation and maintenance access role, and business management role. Step S202: Extract semantic discrimination feature data based on session chain data. The semantic discrimination feature data includes access path sequence data, domain name category statistics data, authentication behavior sequence data, process port association summary data, and industrial protocol instruction category distribution data. Step S203: Match the asset role data and semantic discrimination feature data to the preset multi-semantic pattern library, calculate the confidence of the session chain data for each semantic pattern, and output the multi-semantic pattern label data with the semantic pattern corresponding to the maximum confidence. Step S204: Generate a semantic constraint set based on multi-semantic pattern label data and asset topology data. The semantic constraint set includes allowed access path constraints, allowed industrial protocol instruction set constraints, and allowed authentication behavior sequence constraints.

[0009] Preferably, step S6 includes the following sub-steps: Step S601: Generate a segment-level protection strategy based on the risk assessment results and motion intensity parameter data. The segment-level protection strategy includes a maintenance strategy, a speed limiting strategy, a segment-level micro-isolation strategy, and a decoy tracking strategy. Step S602: Encode the segment-level protection strategy into control command data and send it to the control terminal. The control command data includes abnormal segment identifier, target account identifier, target asset identifier, target access path identifier, collection frequency increase factor, rate limiting ratio, isolation range parameters and policy validity period. In step S603, the control terminal performs rate limiting, blocking, temporary isolation, or decoy deployment only on the session chain range corresponding to the abnormal segment identifier based on the control command data, obtains the execution result data, and sends it back.

[0010] Preferably, the selection logic for the segment-level protection strategy is as follows: If the risk score is less than the preset first risk threshold, then the maintenance strategy is selected; If the risk score is at or above the first risk threshold and below the preset second risk threshold, a speed limiting strategy is selected, and the speed limiting ratio and the collection frequency increase factor are determined according to the action intensity parameter data. If the risk score is at or above the second risk threshold, or if the violation entry data contains violation entries that violate the constraints of the permitted industrial protocol instruction set, then the segment-level micro-segmentation strategy is selected, and the isolation range parameter is limited to the session chain range corresponding to the abnormal segment identifier according to the isolation range parameter. If the violation entry data contains violation entries that violate the allowed authentication behavior sequence constraints and the execution result data shows that the violation continues, then the decoy tracking strategy is selected based on the segment-level micro-segmentation strategy, and the execution result data is written into the evidence chain data to update the semantic constraint set.

[0011] A data-driven computer network security protection system includes a data acquisition module, a semantic constraint module, a parameter calculation module, a semantic segmentation module, a risk assessment module, and a protection execution module. The semantic constraint module is used to generate multi-semantic pattern label data based on session chain data and generate a semantic constraint set. The parameter calculation module is used to calculate semantic enhancement parameters based on the confidence of multi-semantic pattern label data, the asset criticality index obtained from asset topology data, and the account credibility index obtained from authentication log data. The semantic enhancement parameters are then mapped to generate action intensity parameter data, which includes the collection frequency increase factor, the speed limit ratio, and the isolation range parameter. The semantic segmentation module is used to perform semantic segmentation based on multi-semantic mode label data switching, access path sequence data jump, industrial protocol instruction category distribution data out of bounds, or authentication behavior sequence data deviation, to obtain semantic segmentation sequence data and generate evidence chain data. The risk assessment module is used to establish intra-segment baseline feature data based on multi-semantic pattern label data, calculate the deviation of semantic segment sequence data from intra-segment baseline feature data to obtain intra-segment anomaly score data, and combine semantic enhancement parameters to obtain weighted anomaly score data. The weighted anomaly score data is then weighted with the violation level of the semantic constraint set in the evidence chain data to calculate the risk score and output the risk assessment result. The protection execution module is used to generate segment-level protection strategies based on risk assessment results and action intensity parameter data, and then send them to the control terminal for execution.

[0012] The beneficial effects of this invention are as follows: This invention is aimed at IT / OT converged factory networks, aligning traffic, DNS, authentication, processes, topology and industrial instructions into a session chain, and generating semantic patterns and semantic constraints. It enables the establishment of baselines based on semantic patterns, the output of evidence chains and risk scores by segment, and the linkage of semantic enhancement parameters with collection frequency, rate limit and micro-isolation range. This allows the control end to only intervene with minimal intervention in abnormal segments, reducing the risk of false alarms and production interruptions, and can also transmit closed-loop update strategies back. Attached Figure Description

[0013] Figure 1 A flowchart illustrating the steps of a data analysis-based computer network security protection method according to an embodiment of the present invention; Figure 2 This is a basic flowchart of a data analysis-based computer network security protection system provided in one embodiment of the present invention. Detailed Implementation

[0014] To make the above-mentioned objects, features and advantages of the present invention more apparent and understandable, the specific embodiments of the present invention will be described in detail below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments.

[0015] Example 1, referring to Figure 1 It provides a data analysis-based computer network security protection method, including the following steps: Step S1: Collect network traffic session data, domain name resolution data, authentication log data, host process summary data, asset topology data, and industrial protocol instruction statistics, perform time synchronization and asset identification alignment, and obtain session chain data.

[0016] Step S2: Generate multi-semantic pattern label data and semantic constraint set based on session chain data.

[0017] Step S3: Calculate semantic enhancement parameters based on the confidence level of multi-semantic pattern label data, the asset criticality index obtained from asset topology data, and the account credibility index obtained from authentication log data. Then, generate action intensity parameter data by mapping the semantic enhancement parameters. The action intensity parameter data includes the collection frequency increase factor, the rate limit ratio, and the isolation range parameter.

[0018] Step S4: Semantic segmentation is performed based on multi-semantic mode label data switching, access path sequence data jump, industrial protocol instruction category distribution data out of bounds, or authentication behavior sequence data deviation, to obtain semantic segmentation sequence data and generate evidence chain data.

[0019] Step S5: Establish intra-segment baseline feature data based on multi-semantic pattern label data, calculate the deviation of semantic segment sequence data from intra-segment baseline feature data to obtain intra-segment anomaly score data, and combine semantic enhancement parameters to obtain weighted anomaly score data. Calculate the risk score by weighting the weighted anomaly score data with the violation level of the semantic constraint set in the evidence chain data, and output the risk assessment result.

[0020] Step S6: Generate a segment-level protection strategy based on the risk assessment results and action intensity parameter data, and send it to the control terminal for execution.

[0021] This embodiment is applicable to the IT / OT converged network of a smart factory. The network includes an operation and maintenance access area, a business management area, and a production control area. Asset topology data describes the network segments, connectivity relationships, and boundary policies of each asset. The control terminal is deployed on the gateway, firewall, and SDN controller to receive control command data and perform actions such as rate limiting, micro-segmentation, and decoy deployment.

[0022] Step S1 includes the following sub-steps: Step S101: Obtain network traffic session data, domain name resolution data, authentication log data, host process summary data, asset topology data, and industrial protocol instruction statistics.

[0023] Network traffic session data is collected at the session level and includes at least the source IP, destination IP, source port, destination port, protocol, session start and end time, uplink bytes, downlink bytes, packet count, retransmission rate, TLS fingerprint, JA3, HTTP method, and URI digest. Domain name resolution data includes at least the requester asset identifier, query domain name, response IP, DNS response code, and resolution time. Authentication log data includes at least the account identifier, authentication result, authentication method, source asset identifier, destination asset identifier, authentication time, and failure reason code. Host process summary data includes at least the asset identifier, process name hash, parent-child process relationship summary, listening port set, external destination asset identifier set, and summary time window. Asset topology data includes at least the asset identifier, asset network segment, asset role candidate, and adjacent connected edges (source asset identifier, destination asset identifier, and boundary type). Industrial protocol command statistics are aggregated at a fixed time window Δt and include at least the asset identifier, protocol type, command category count (read, write, configuration, diagnostic), and command address range summary.

[0024] Step S102: Time synchronization is performed on network traffic session data, domain name resolution data, authentication log data and host process summary data, and asset identifier alignment is performed on the above data based on asset topology data to obtain the original security awareness data.

[0025] Network traffic session data, domain name resolution data, authentication log data, and host process summary data are all uniformly stamped with NTP timestamps and mapped to the same timeline. Asset identifier alignment uses asset topology data as the primary key, mapping IP, MAC, and hostname to unique asset identifiers to obtain the original security awareness data. The alignment rules are as follows: If an IP address corresponds to a unique asset identifier in the asset topology data within the same time window, it is directly mapped; if NAT or DHCP migration exists, the mapping is completed using the switch port or MAC address and the account and host correspondence in the authentication log as auxiliary keys to avoid the appearance of data terms that have not appeared before.

[0026] Step S103: Based on the association between the account identifier, source asset identifier, destination asset identifier and preset time neighborhood in the original security awareness data, cross-asset access is linked into session chain data.

[0027] Session chain data is constructed based on cross-asset accesses triggered within a preset time neighborhood Tw using the same account identifier. Specifically, the original security awareness data is grouped by account identifier, and each group is sorted by time. If two adjacent accesses satisfy the condition that the source asset identifier of the later access is equal to the destination asset identifier of the earlier access, or that both are located in the same operation and maintenance access role asset but have different destination asset identifiers, then a link continuation is considered to exist. Access sequences that satisfy the continuation relationship are concatenated into a session chain data. Tw is used to limit the span of the chain, for example, Tw=10 minutes. If the time exceeds Tw, a new session chain is started to ensure that subsequent semantic segmentation does not mix unrelated operations together.

[0028] Step S2 includes the following sub-steps: Step S201: Generate asset role data based on asset topology data. The asset role data includes production control role, operation and maintenance access role, and business management role.

[0029] Asset role data is generated for each asset identifier based on asset topology data. The generation rules are as follows: if an asset is located in the production control network segment and has a stable association with industrial protocol instruction statistics, it is marked as a production control role; if an asset is located in the operation and maintenance access network segment and has high-frequency remote login and redirection behavior in the authentication log data, it is marked as an operation and maintenance access role; if an asset is located in the business management network segment and has stable business access with domain name resolution data and HTTP / database sessions, it is marked as a business management role. For assets with unclear boundaries, a voting method is used: each of the three rules gives a score, and the one with the highest score is the asset role data. If the score difference is less than a threshold, the candidate role set is retained for subsequent semantic pattern confidence calculation.

[0030] Step S202: Extract semantic discrimination feature data based on session chain data. The semantic discrimination feature data includes access path sequence data, domain name category statistics, authentication behavior sequence data, process port association summary data, and industrial protocol instruction category distribution data.

[0031] Semantic discrimination feature data is extracted from each session chain. Access path sequence data is defined as an ordered sequence of asset identifiers in the session chain. Domain name category statistics are obtained by statistically analyzing domain names according to categories such as whitelist, business domain, public cloud, unknown, and dynamic DNS to obtain a count vector. Authentication behavior sequence data is the serialized encoding of authentication events (success or failure, method, target type) while retaining the interval between adjacent events. Process port association summary data is a set of triplets of process name hash, port, and external destination asset role and their occurrence frequency. Industrial protocol instruction category distribution data is a distribution vector obtained by normalizing the instruction category counts of relevant production control role assets within the time range covered by the session chain (the proportion of read, write, configuration, and diagnosis).

[0032] Step S203: Match the asset role data and semantic discrimination feature data to the preset multi-semantic pattern library, calculate the confidence of the session chain data for each semantic pattern, and output the multi-semantic pattern label data with the semantic pattern corresponding to the highest confidence.

[0033] A pre-defined multi-semantic pattern library is provided, with patterns including at least remote operation and maintenance mode, production control mode, business synchronization mode, backup window mode, and visual feedback mode. A feature vector is constructed for each session chain. (Concatenated and normalized from the statistics in step S202), for each semantic pattern Maintain a prototype vector With scale matrix (Estimated from historical normal samples; see similar methods in step S5 for baseline establishment); Calculate similarity scores. : ; in, for The transpose operation; Then use softmax to calculate the confidence level. : ; in, For semantic pattern indexing, take The largest As multi-semantic pattern label data The corresponding maximum confidence value serves as the source for subsequent semantic determinism metrics. The advantage of doing this is that the same session chain is forced to fall under a single business intent, rather than being coarsely classified based solely on port or protocol.

[0034] Step S204: Generate a semantic constraint set based on multi-semantic pattern label data and asset topology data. The semantic constraint set includes allowed access path constraints, allowed industrial protocol instruction set constraints, and allowed authentication behavior sequence constraints.

[0035] Using multi-semantic pattern label data as an index, three types of constraints are extracted from historical normal session chain samples to form a semantic constraint set. Allowed access path constraints: The frequency of access path sequence data under each semantic pattern is counted, and the data with the highest coverage is selected. The set of high-frequency paths (e.g., 95%) constitutes the allowed access path constraint; the allowed industrial protocol instruction set constraint is: the mean distribution of industrial protocol instruction category data under this semantic pattern is taken. and will account for more than The instruction categories constitute the allowed instruction set, and the allowed percentage range of each category is recorded. Allowed authentication behavior sequence constraints: Construct an n-gram statistical table using authentication behavior sequence data, retain authentication fragments that appear more frequently than a threshold as the set of allowed authentication fragments, and record their typical time interval range.

[0036] Step S3 includes the following sub-steps: Step S301: Obtain a semantic deterministic index based on the multi-semantic pattern label data. The semantic deterministic index is determined by the confidence level.

[0037] The semantic determinism metric is defined as the maximum confidence level of the current session chain. And perform linear normalization to This is used to characterize whether a tag is reliable. When a semantic pattern library struggles to distinguish between different tags... The distribution will be close to uniform, and subsequent semantic enhancement parameters will automatically decrease to avoid false alarms leading to over-isolation.

[0038] Step S302: Obtain asset criticality index based on asset topology data and asset role data, and obtain account credibility index based on authentication log data.

[0039] Key Asset Indicators Calculated from asset topology data and asset role data, it is defined as: ; in, The asset role score is obtained by mapping asset role data. The boundary score reflects whether the asset is located at a cross-boundary or critical point. If the asset connects to different security domains and network segments (such as a jumper, domain controller, OT gateway, or firewall side-mounted between the operations and maintenance area and the production area), it is assigned a high score (e.g., 1.0). If the asset only communicates within a single area, it is assigned a low score (e.g., 0.2~0.4). The topological centrality score, in this embodiment, refers to the normalized result of betweenness centrality. Betweenness centrality: the degree to which a node lies on the shortest path between other nodes. Normalization: scaling the betweenness centrality to the [0,1] interval. , and These are weighting coefficients. Assign higher value to the production control role. Assign higher values ​​to cross-boundary assets (such as maintenance jumpers, domain controllers, and OT gateways). It is the normalized result of the betweenness centrality of assets in the topology graph; the account credibility index is calculated from authentication log data, first defining account risk. The account credibility index is calculated by weighting the failure rate, abnormal login rate, and cross-role access rate and normalizing it to [0,1]. .

[0040] Step S303: Calculate semantic enhancement parameters based on semantic certainty indicators, asset criticality indicators, and account credibility indicators.

[0041] The semantic enhancement parameter is used to uniformly adjust the detection sensitivity and action intensity, and its value ranges from [0,1]. It is calculated as follows: ; in, Based on the value, , and For weight values, The parameter is used to truncate to [0,1]. This means that the more certain the semantics, the more critical the asset, and the less trustworthy the account, the larger the semantic enhancement parameter will be, and the stronger the subsequent collection frequency, rate limiting and isolation actions will be.

[0042] Step S304: Map the semantic enhancement parameters to action intensity parameter data. Increasing the semantic enhancement parameters corresponds to increasing the acquisition frequency by a factor of 1, increasing the rate limiting ratio, and converging the isolation range parameter to the session chain range corresponding to the abnormal segmentation identifier.

[0043] Mapping semantic enhancement parameters to action intensity parameter data includes at least the acquisition frequency boost factor, rate limiting ratio, and isolation range parameters. The acquisition frequency boost factor is defined as: ; in, To maximize the speed increase, the speed limit ratio is defined as follows: ; in, This indicates the strength of the rate limiting for abnormal segments. This is the minimum value of the speed limit ratio. The isolation range parameter is the maximum value of the rate limiting ratio. Instead of being spread across the entire network, it converges to the session chain range corresponding to the abnormal segment identifier. Specifically, the isolation range parameter is the intersection constraint of the account identifier, target asset identifier, and target access path identifier that appear in the abnormal segment identifier, ensuring that the action only applies to the abnormal segment.

[0044] Step S4 includes the following sub-steps: Step S401: Set the segmentation principle and perform a line-by-line scan of the session chain data.

[0045] Each session chain data is scanned in chronological order, and the segmentation principle consists of semantic switching trigger, path jump trigger, instruction out-of-bounds trigger, and authentication deviation trigger.

[0046] During scanning, the system maintains in real time the multi-semantic pattern tag data, access path sequence data increment, industrial protocol instruction category distribution data increment, and authentication behavior sequence data increment for each access record.

[0047] Step S402: When the multi-semantic pattern label data changes, segmentation is triggered and segmentation boundaries are generated.

[0048] Recalculate the multi-semantic pattern label data for the session chain fragments within the sliding window, when the label moves from... Become And the confidence level difference exceeds the threshold When a segmentation boundary is triggered, the cause is identified as a mode switch. This threshold can be obtained through statistical analysis of tag stability within the same maintenance work order in historical normal samples, making the segmentation reproducible. To obtain new semantic pattern labels after sliding the window backward and recalculating the multi-semantic pattern label data, Step S403: When the access path sequence data shows a newly added jump asset identifier, crosses a preset network boundary, or a path rollback anomaly, segmentation is triggered and segment boundaries are generated.

[0049] When a new jump asset identifier appears in the access path sequence data, crosses a preset network boundary (given by the boundary type of the asset topology data), or a path rollback anomaly occurs (e.g., A→B→C then returns to B and accesses a new D), a segmentation boundary is triggered, and the reason is recorded as a path jump. Here, a new jump asset is determined by the appearance of a new operation and maintenance access role asset identifier in the path sequence.

[0050] Step S404: When the distribution data of industrial protocol instruction categories exceeds the constraints of the allowed industrial protocol instruction set, or when the authentication behavior sequence data deviates from the constraints of the allowed authentication behavior sequence, segmentation is triggered and segmentation boundaries are generated.

[0051] Instruction out-of-bounds triggering is determined by distribution difference: Let the distribution of industrial protocol instruction categories in the current segment be as follows: The mean distribution of the allowed intervals for the corresponding semantic pattern is as follows: Calculate the KL divergence: ; when Segmentation is triggered when the value exceeds a threshold or when an instruction category not included in the allowed industrial protocol instruction set constraints occurs; authentication deviation triggering uses sequence likelihood determination: based on the n-gram probability of the allowed authentication segment set, the log-likelihood of the current segment's authentication sequence is calculated. Segmentation is triggered when the value is less than the threshold or when an unacceptable segment appears.

[0052] Step S405: Output semantic segment sequence data based on segment boundaries, and generate evidence chain data for each segment. The evidence chain data includes an abnormal segment identifier, a trigger cause identifier, a reference to the corresponding session chain fragment, and a reference to the corresponding semantic constraint entry.

[0053] Based on the above segmentation boundaries, output semantic segmentation sequence data. Each segment records its abnormal segment identifier, corresponding session chain fragment reference (start and end time and included access record index), and triggering reason identifier. Generate evidence chain data, which includes at least the abnormal segment identifier, triggering reason identifier, corresponding semantic constraint entry reference (referring to the specific entry ID in the allowed access path constraint, allowed instruction set constraint, and allowed authentication fragment set), and reference index of the original security awareness data, to ensure that the original record can be traced back during auditing.

[0054] The intra-segment anomaly detection in step S5 is as follows: Based on historical semantic segmented sequence data and multi-semantic pattern label data, intra-segment baseline feature data are generated respectively. Intra-segment baseline feature data includes session rate statistics range, domain name category statistics range, authentication behavior statistics range, process port association summary range, and industrial protocol instruction category distribution range.

[0055] The deviation between the corresponding features of the semantic segment sequence data to be detected and the baseline feature data within the segment is calculated, and the anomaly score data within the segment is output.

[0056] The abnormal score data within a segment is weighted and fused with the semantic enhancement parameters to obtain weighted abnormal score data, and the segment is judged as abnormal if the weighted abnormal score data exceeds the preset abnormal threshold.

[0057] Baseline feature data within each segment is established based on the multi-semantic pattern label data. For each semantic pattern... Collect historical normal semantic segmented sequence data and extract feature vectors with the same caliber as in step S202. Calculate the mean With covariance Form baseline feature data within the segment; for the segment to be detected, calculate the Mahalanobis distance as the anomaly score data within the segment: ; The segment-level anomaly scores are then fused with the semantic enhancement parameters to obtain weighted anomaly scores: ; in, This is the magnification factor; when When the threshold for abnormality is exceeded, the segment is determined to be an abnormal segment. The preset threshold for abnormality is determined by the 99th percentile of historical normal segments.

[0058] The inter-segment consistency check in step S5 is as follows: Perform inter-segment consistency checks on semantic segmented sequence data. If an abnormal segment violates the allowed access path constraint, allowed industrial protocol instruction set constraint, or allowed authentication behavior sequence constraint, then generate violation entry data.

[0059] The data on violations and the chain of evidence are combined to output a risk assessment result. The risk assessment result includes a risk score, anomaly segmentation identifiers, and chain of evidence data. The risk score is calculated from the weighted anomaly score data and the violation level of the violation item data.

[0060] Perform semantic constraint set verification on the segments corresponding to the abnormal segmentation identifiers: if the access path sequence data does not belong to the allowed access path constraints, generate violation entry data (type is path violation, level is high). If the industrial protocol instruction category distribution data shows that an unacceptable category or its proportion exceeds the allowable range, then violation entry data will be generated (type: instruction violation, level: high). If the authentication behavior sequence data contains an unacceptable segment or the log-likelihood is below the threshold, violation entry data (type: authentication violation, level: medium or high) is generated. The violation entry data is then merged with the evidence chain data to calculate a risk score. The calculation is as follows: ; in, and As weight, The result is a numerical representation of the violation level (high=3, medium=2, low=1). The final output risk assessment result includes at least a risk score, anomaly segment location (anomaly segment identifier), and evidence chain data.

[0061] Step S6 includes the following sub-steps: Step S601: Generate a segment-level protection strategy based on the risk assessment results and action intensity parameter data. The segment-level protection strategy includes a maintenance strategy, a speed limiting strategy, a segment-level micro-isolation strategy, and a decoy tracking strategy.

[0062] Based on the risk assessment results and action intensity parameter data, a segment-level protection strategy is generated. If the risk score is low, a maintenance strategy is selected, temporarily increasing the sampling of assets related to the abnormal segment identifier by only a sampling frequency increase factor M; if the risk score is medium, a rate limiting strategy is selected, and a rate limiting ratio L is used to limit the bandwidth and connection count of the session chain range corresponding to the abnormal segment identifier; if the risk score is high or there are command violation entries, a segment-level micro-isolation strategy is selected, temporarily blocking the account identifier, target asset identifier, and target access path identifier involved in the abnormal segment identifier according to the isolation range parameters; if there is authentication violation and it continues to occur, a decoy tracking strategy is superimposed, deploying marked decoy resources to the session chain range corresponding to the abnormal segment identifier and recording access backlinks.

[0063] Step S602: Encode the segment-level protection strategy into control command data and send it to the control terminal. The control command data includes abnormal segment identifier, target account identifier, target asset identifier, target access path identifier, collection frequency increase factor, rate limit ratio, isolation range parameters and policy validity period.

[0064] The segment-level protection policy is encoded into control command data and sent to the control terminal. The control command data includes at least the abnormal segment identifier, target account identifier, target asset identifier, target access path identifier, collection frequency increase factor, rate limiting ratio, isolation range parameters, and policy validity period. The control terminal can directly implement these fields into ACLs, SDN flow tables, or firewall session policies.

[0065] In step S603, the control terminal performs rate limiting, blocking, temporary isolation, or decoy deployment only on the session chain range corresponding to the abnormal segment identifier based on the control command data, obtains the execution result data, and sends it back.

[0066] The selection logic for segment-level protection strategies is as follows: If the risk score is less than the preset first risk threshold, then the maintenance strategy is selected.

[0067] If the risk score is at or above the first risk threshold but below the preset second risk threshold, a speed limiting strategy is selected, and the speed limiting ratio and the collection frequency increase factor are determined according to the action intensity parameter data.

[0068] If the risk score is at or above the second risk threshold, or if the violation entry data contains violation entries that violate the constraints of the permitted industrial protocol instruction set, then a segment-level micro-segmentation strategy is selected, and the isolation range parameter is limited to the session chain range corresponding to the abnormal segment identifier according to the isolation range parameter.

[0069] If the violation entry data contains violation entries that violate the allowed authentication behavior sequence constraints and the execution result data shows that the violation continues, then the decoy tracking strategy is selected based on the segment-level micro-segmentation strategy, and the execution result data is written into the evidence chain data to update the semantic constraint set.

[0070] The control terminal only applies rate limiting, blocking, temporary isolation, or decoy deployment to the session chain range corresponding to the abnormal segment identifier, generating execution result data and sending it back. The execution result data includes at least the action type, the number of hit sessions, the effective time of blocking or rate limiting, and whether subsequent violation entries still appear. If the execution result data shows that the violation continues, the execution result data is written into the evidence chain data, triggering an update of the semantic constraint set: newly appearing but confirmed legitimate access paths or authentication fragments are added to the allowed set, or confirmed attack pattern fragments are added to the blacklist constraint, thereby forming a continuously converging closed loop.

[0071] Example 2, refer to Figure 2 It provides a computer network security protection system based on data analysis, including a data acquisition module, a semantic constraint module, a parameter calculation module, a semantic segmentation module, a risk assessment module, and a protection execution module.

[0072] The data acquisition module is used to collect network traffic session data, domain name resolution data, authentication log data, host process summary data, asset topology data, and industrial protocol instruction statistics, and to perform time synchronization and asset identification alignment to obtain session chain data.

[0073] The semantic constraint module is used to generate multi-semantic pattern label data and semantic constraint sets based on session chain data.

[0074] The parameter calculation module is used to calculate semantic enhancement parameters based on the confidence level of multi-semantic pattern label data, the asset criticality index obtained from asset topology data, and the account credibility index obtained from authentication log data. The semantic enhancement parameters are then mapped to generate action intensity parameter data, which includes the collection frequency increase factor, the rate limit ratio, and the isolation range parameter.

[0075] The semantic segmentation module is used to perform semantic segmentation based on multi-semantic mode label data switching, access path sequence data jump, industrial protocol instruction category distribution data out of bounds, or authentication behavior sequence data deviation, to obtain semantic segmentation sequence data and generate evidence chain data.

[0076] The risk assessment module is used to establish intra-segment baseline feature data based on multi-semantic pattern label data, calculate the deviation of semantic segment sequence data from intra-segment baseline feature data to obtain intra-segment anomaly score data, and combine semantic enhancement parameters to obtain weighted anomaly score data. The weighted anomaly score data is then weighted with the violation level of the semantic constraint set in the evidence chain data to calculate the risk score and output the risk assessment result.

[0077] The protection execution module is used to generate segment-level protection strategies based on risk assessment results and action intensity parameter data, and then send them to the control terminal for execution.

[0078] This invention generates multi-semantic pattern label data through session chain data, and establishes the detection baseline by semantic pattern clustering, avoiding misjudging normal fluctuations such as production peaks, backup windows, and batch operation and maintenance as attacks, thereby reducing false alarms and alarm storms from the source.

[0079] By using semantic constraint sets to construct allowed access paths, allowed industrial protocol instruction sets, and allowed authentication behavior sequences in a data-driven manner, behaviors such as lateral movement of disguised operations and maintenance, cross-regional unauthorized access, and writing instructions outside the window period can be stably identified in the form of constraint violation entries and evidence chain data, rather than relying on easily drifting single threshold anomaly scores.

[0080] The semantic enhancement parameters are calculated by combining semantic certainty, asset criticality, and account credibility, and mapped to parameters such as collection frequency increase factor, rate limit ratio, and isolation range. This enables critical assets and high-risk accounts to trigger stronger protection, while remaining conservative for low-certainty scenarios to avoid accidental isolation that could affect production.

[0081] By using reproducible segmentation principles such as semantic switching, path hopping, instruction out-of-bounds, and authentication deviation, semantic segmented sequence data is output. The control end only applies rate limiting, micro-isolation, and decoy tracking to the session chain range corresponding to the abnormal segment identifier, achieving precise handling without interrupting the entire production line network.

[0082] The evidence chain data is bound to the triggering cause and semantic constraint entry reference, and the execution result data of the control end is sent back to update the semantic constraint set and policy parameters. Under the same factory scenario, a stable semantic policy template is gradually formed to improve long-term availability and interpretability.

[0083] By integrating and aligning asset topology data, industrial protocol command statistics, and traditional IT logs, the system can maintain consistent detection logic when network topology is adjusted, assets are replaced, or maintenance paths change. It does not rely on a single protocol deep packet signature library, resulting in lower deployment and migration costs.

[0084] Those skilled in the art will understand that embodiments of the present invention can be provided as methods, systems, or computer program products. Therefore, the present invention can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention can take the form of a computer program product implemented on one or more computer-usable storage media containing computer-usable program code. The storage medium can be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as Static Random Access Memory (SRAM), Electrically Erasable Programmable Read-Only Memory (EEPROM), Erasable Programmable Read Only Memory (EPROM), Programmable Read-Only Memory (PROM), Read-Only Memory (ROM), magnetic storage, flash memory, magnetic disk, or optical disk. These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means, which are implemented in a process Figure 1 One or more processes and / or boxes Figure 1 The function specified in one or more boxes.

[0085] It should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention and are not intended to limit it. Although the present invention has been described in detail with reference to preferred embodiments, those skilled in the art should understand that modifications or equivalent substitutions can be made to the technical solutions of the present invention without departing from the spirit and scope of the technical solutions of the present invention, and all such modifications or substitutions should be covered within the protection scope of the present invention.

Claims

1. A computer network security protection method based on data analysis, characterized in that, Includes the following steps: Step S1: Collect network traffic session data, domain name resolution data, authentication log data, host process summary data, asset topology data, and industrial protocol instruction statistics, perform time synchronization and asset identification alignment, and obtain session chain data; Step S2: Generate multi-semantic pattern label data and semantic constraint set based on session chain data; Step S3: Calculate semantic enhancement parameters based on the confidence level of multi-semantic pattern tag data, the asset criticality index obtained from asset topology data, and the account credibility index obtained from authentication log data. Then, generate action intensity parameter data by mapping the semantic enhancement parameters. The action intensity parameter data includes the collection frequency increase factor, the speed limit ratio, and the isolation range parameter. Step S4: Perform semantic segmentation based on multi-semantic mode label data switching, access path sequence data jump, industrial protocol instruction category distribution data out of bounds, or authentication behavior sequence data deviation, to obtain semantic segmentation sequence data and generate evidence chain data. Step S5: Establish intra-segment baseline feature data based on multi-semantic pattern label data, calculate the deviation of semantic segment sequence data from intra-segment baseline feature data to obtain intra-segment anomaly score data, and combine semantic enhancement parameters to obtain weighted anomaly score data. Calculate the risk score by weighting the weighted anomaly score data with the violation level of the semantic constraint set in the evidence chain data, and output the risk assessment result. Step S6: Generate a segment-level protection strategy based on the risk assessment results and action intensity parameter data, and send it to the control terminal for execution; Step S3 includes the following sub-steps: Step S301: Obtain a semantic deterministic index based on the multi-semantic pattern label data. The semantic deterministic index is determined by the confidence level. Step S302: Obtain asset criticality index based on asset topology data and asset role data, and obtain account credibility index based on authentication log data. Step S303: Calculate semantic enhancement parameters based on semantic certainty indicators, asset criticality indicators, and account credibility indicators; Step S304: Map the semantic enhancement parameters to action intensity parameter data. Increasing the semantic enhancement parameters corresponds to increasing the acquisition frequency by a factor of 1, increasing the rate limiting ratio, and converging the isolation range parameter to the session chain range corresponding to the abnormal segmentation identifier. Step S4 includes the following sub-steps: Step S401: Set the segmentation principle and perform a line-by-line scan of the session chain data; Step S402: When the multi-semantic pattern label data changes, segmentation is triggered and segmentation boundaries are generated; Step S403: When the access path sequence data shows a newly added jump asset identifier, crosses a preset network boundary, or path rollback anomaly, segmentation is triggered and segment boundaries are generated. Step S404: When the distribution data of industrial protocol instruction categories exceeds the constraints of the allowed industrial protocol instruction set, or when the authentication behavior sequence data deviates from the constraints of the allowed authentication behavior sequence, segmentation is triggered and segmentation boundaries are generated. Step S405: Output semantic segment sequence data according to the segment boundaries, and generate evidence chain data for each segment. The evidence chain data includes an abnormal segment identifier, a trigger cause identifier, a reference to the corresponding session chain fragment, and a reference to the corresponding semantic constraint entry. The intra-segment anomaly detection in step S5 is as follows: Based on historical semantic segmented sequence data and multi-semantic mode label data, intra-segment baseline feature data are generated respectively. The intra-segment baseline feature data includes the statistical range of session rate, the statistical range of domain name category, the statistical range of authentication behavior, the range of process port association summary, and the distribution range of industrial protocol instruction category. The deviation between the corresponding features of the semantic segment sequence data to be detected and the baseline feature data within the segment is calculated, and the anomaly score data within the segment is output. The abnormal score data within a segment is weighted and fused with the semantic enhancement parameters to obtain weighted abnormal score data, and the segment is judged as abnormal if the weighted abnormal score data exceeds the preset abnormal threshold. The inter-segment consistency check in step S5 is as follows: Perform inter-segment consistency checks on semantic segmented sequence data. If an abnormal segment violates the allowed access path constraint, allowed industrial protocol instruction set constraint, or allowed authentication behavior sequence constraint, generate violation entry data. The data on violations and the chain of evidence are combined to output a risk assessment result. The risk assessment result includes a risk score, anomaly segmentation identifiers, and chain of evidence data. The risk score is calculated from the weighted anomaly score data and the violation level of the violation item data.

2. The computer network security protection method based on data analysis as described in claim 1, characterized in that, Step S1 includes the following sub-steps: Step S101: Obtain network traffic session data, domain name resolution data, authentication log data, host process summary data, asset topology data, and industrial protocol command statistics. Step S102: Time synchronization is performed on network traffic session data, domain name resolution data, authentication log data and host process digest data, and asset identifier alignment is performed on the above data based on asset topology data to obtain the original security awareness data. Step S103: Based on the association between the account identifier, source asset identifier, destination asset identifier and preset time neighborhood in the original security awareness data, cross-asset access is linked into session chain data.

3. The computer network security protection method based on data analysis as described in claim 2, characterized in that, Step S2 includes the following sub-steps: Step S201: Generate asset role data based on asset topology data. The asset role data includes production control role, operation and maintenance access role, and business management role. Step S202: Extract semantic discrimination feature data based on session chain data. The semantic discrimination feature data includes access path sequence data, domain name category statistics data, authentication behavior sequence data, process port association summary data, and industrial protocol instruction category distribution data. Step S203: Match the asset role data and semantic discrimination feature data to the preset multi-semantic pattern library, calculate the confidence of the session chain data for each semantic pattern, and output the multi-semantic pattern label data with the semantic pattern corresponding to the maximum confidence. Step S204: Generate a semantic constraint set based on multi-semantic pattern label data and asset topology data. The semantic constraint set includes allowed access path constraints, allowed industrial protocol instruction set constraints, and allowed authentication behavior sequence constraints.

4. The computer network security protection method based on data analysis as described in claim 3, characterized in that, Step S6 includes the following sub-steps: Step S601: Generate a segment-level protection strategy based on the risk assessment results and motion intensity parameter data. The segment-level protection strategy includes a maintenance strategy, a speed limiting strategy, a segment-level micro-isolation strategy, and a decoy tracking strategy. Step S602: Encode the segment-level protection strategy into control command data and send it to the control terminal. The control command data includes abnormal segment identifier, target account identifier, target asset identifier, target access path identifier, collection frequency increase factor, rate limiting ratio, isolation range parameters and policy validity period. In step S603, the control terminal performs rate limiting, blocking, temporary isolation, or decoy deployment only on the session chain range corresponding to the abnormal segment identifier based on the control command data, obtains the execution result data, and sends it back.

5. The computer network security protection method based on data analysis as described in claim 4, characterized in that, The selection logic for the segment-level protection strategy is as follows: If the risk score is less than the preset first risk threshold, then the maintenance strategy is selected; If the risk score is at or above the first risk threshold and below the preset second risk threshold, a speed limiting strategy is selected, and the speed limiting ratio and the collection frequency increase factor are determined according to the action intensity parameter data. If the risk score is at or above the second risk threshold, or if the violation entry data contains violation entries that violate the constraints of the allowed industrial protocol instruction set, then the segment-level micro-segmentation strategy is selected, and the isolation range parameter is limited to the session chain range corresponding to the abnormal segment identifier according to the isolation range parameter. If the violation entry data contains violation entries that violate the allowed authentication behavior sequence constraints and the execution result data shows that the violation continues, then the decoy tracking strategy is selected based on the segment-level micro-segmentation strategy, and the execution result data is written into the evidence chain data to update the semantic constraint set.

6. A data analysis-based computer network security protection system, applied in any one of the data analysis-based computer network security protection methods as described in claims 1-5, characterized in that, It includes a data acquisition module, a semantic constraint module, a parameter calculation module, a semantic segmentation module, a risk assessment module, and a protection execution module; The data acquisition module is used to collect network traffic session data, domain name resolution data, authentication log data, host process summary data, asset topology data, and industrial protocol instruction statistics, and to perform time synchronization and asset identification alignment to obtain session chain data. The semantic constraint module is used to generate multi-semantic pattern label data based on session chain data and generate a semantic constraint set. The parameter calculation module is used to calculate semantic enhancement parameters based on the confidence level of multi-semantic pattern tag data, the asset criticality index obtained from asset topology data, and the account credibility index obtained from authentication log data. The semantic enhancement parameters are then mapped to generate action intensity parameter data, which includes the collection frequency increase factor, the speed limit ratio, and the isolation range parameter. The semantic segmentation module is used to perform semantic segmentation based on multi-semantic mode label data switching, access path sequence data jump, industrial protocol instruction category distribution data out of bounds, or authentication behavior sequence data deviation, to obtain semantic segmentation sequence data and generate evidence chain data. The risk assessment module is used to establish intra-segment baseline feature data based on multi-semantic pattern label data, calculate the deviation of semantic segment sequence data from intra-segment baseline feature data to obtain intra-segment anomaly score data, and combine semantic enhancement parameters to obtain weighted anomaly score data. The weighted anomaly score data is then weighted with the violation level of the semantic constraint set in the evidence chain data to calculate the risk score and output the risk assessment result. The protection execution module is used to generate segment-level protection strategies based on risk assessment results and action intensity parameter data, and then send them to the control terminal for execution.