An active network security defense system based on data analysis

By constructing a proactive network security defense system based on data analysis, the problem that existing network security defense systems cannot adapt to dynamic changes has been solved, achieving efficient threat detection and intelligent response, and improving the accuracy and efficiency of network security defense.

CN122394878APending Publication Date: 2026-07-14TIANJIN BOHAI VOCATIONAL TECHN COLLEGE

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
TIANJIN BOHAI VOCATIONAL TECHN COLLEGE
Filing Date
2026-04-20
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

Existing technologies cannot effectively address network security issues: network security defense systems rely on static rules, which cannot adapt to dynamic changes in the network environment, resulting in high false alarms or missed alarms. They are unable to perform proactive defense, lack real-time performance and accuracy in threat detection, cannot implement layered collaborative mechanisms, and have limited alarm and response strategies.

Method used

A proactive network security defense system based on data analysis is adopted. Through the collaborative work of the collection unit, processing unit, baseline unit, fast detection unit, deep detection unit, analysis unit and defense unit, a short-term dynamic baseline and a long-term behavioral profile baseline are constructed. Combined with unsupervised models, reconstruction error detection and time-series anomaly detection, multi-dimensional threat identification and intelligent response are achieved.

Benefits of technology

It improves the accuracy of anomaly detection and proactive defense capabilities, reduces false alarm rates, enables rapid screening and multi-dimensional in-depth analysis of network threats, enhances security operation efficiency and accuracy, and supports a combination of automatic blocking and manual review responses.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122394878A_ABST
    Figure CN122394878A_ABST
Patent Text Reader

Abstract

The application relates to the technical field of network security, and discloses an active network security defense system based on data analysis. A collecting unit is used for data collection; a processing unit converts the collected data into a security sequence event after processing; a baseline unit provides a baseline threshold JY; a fast detection unit receives the security sequence event and calculates a connection number SL per minute; a deep detection unit calculates an analysis value FX; an analysis unit analyzes the analysis value FX and a suspicious threshold KY; an alarm unit issues an alarm and extracts a threat event and a suspicious event; and a defense unit defends the threat event and the suspicious event. According to the application, the baseline unit divides data subsets according to entity dimensions, and constructs a short-term dynamic baseline and a long-term behavior portrait baseline; the system can learn and depict normal behavior patterns; the baseline threshold JY is dynamically calculated based on the mean value and the standard deviation; abnormal detection is quantitatively compared; false positives caused by fixed thresholds are reduced; and the active defense capability is improved.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of network security technology, and more specifically to a proactive network security defense system based on data analysis. Background Technology

[0002] With the rapid development of information technology, the security situation in cyberspace is becoming increasingly severe, thus requiring network security defense. The current network security defense system is mainly based on feature matching and rule engines, which is a passive response mode. A network security defense system refers to a technical system built to prevent computer networks from being attacked and to ensure information security. It mainly includes components such as firewalls, intrusion detection systems, and intrusion prevention systems. Firewalls act as network boundary barriers, controlling access traffic. Intrusion detection systems monitor and analyze network traffic to identify potential attacks, while intrusion prevention systems proactively block attack behaviors based on detection. These protective measures achieve multi-layered protection through policy-controlled traffic, monitoring of abnormal behavior, and real-time blocking of attacks. Currently, defense relies heavily on static rules or fixed thresholds, making it difficult to characterize the normal behavioral patterns of users, devices, and traffic. This makes it unsuitable for adapting to dynamic changes in the network environment, leading to high false positives or false negatives and hindering proactive defense. In threat detection, single detection methods often fail to balance real-time performance and accuracy, lack layered collaborative mechanisms, and struggle to quickly filter anomalies in high-speed traffic and conduct in-depth multi-dimensional analysis. Furthermore, current security systems employ simplistic alarm and response strategies, failing to categorize threats based on confidence levels, resulting in high false positive rates that interfere with security operations and negatively impact operational efficiency and accuracy. Summary of the Invention

[0003] In order to overcome the above-mentioned defects of the prior art, the embodiments of the present invention provide a proactive network security defense system based on data analysis to solve the technical problems mentioned in the background art.

[0004] To achieve the above objectives, the present invention provides the following technical solution: a proactive network security defense system based on data analysis, comprising a data acquisition unit, a processing unit, a baseline unit, a fast detection unit, a deep detection unit, an analysis unit, an alarm unit, and a defense unit. The data acquisition unit is used for data acquisition; the processing unit processes the acquired data and converts it into security sequence events; the baseline unit is used to provide a baseline threshold JY; the fast detection unit receives security sequence events and calculates the number of connections per minute SL; the deep detection unit calculates an analysis value FX; the analysis unit analyzes the analysis value FX with a suspicious threshold KY; the alarm unit is used to issue alarms and extract threat events and suspicious events; and the defense unit defends against threat events and suspicious events. The collection unit uses probes, proxies, and API interfaces to collect full traffic data, system and application logs, terminal behavior data, and threat intelligence data from external sources in real time. The processing unit cleans and denoises the collected data and unifies it into JSON format. Then, it associates the data with timestamps and key entities to transform the raw data into security sequence events.

[0005] In a preferred embodiment, the baseline unit receives a secure sequence event data stream, divides the data stream into independent data subsets of different entities according to the analysis dimensions of user entities, device entities, and network traffic entities, extracts time-series features for each entity's data subset, constructs feature vectors, and constructs short-term dynamic baselines and long-term behavioral profile baselines using a hierarchical baseline model based on the feature vectors, and stores the short-term dynamic baselines and long-term behavioral profile baselines.

[0006] In a preferred embodiment, the security sequence event data stream within the baseline unit is filtered and confirmed by the security administrator, with no confirmed security event alarms. The baseline unit is updated daily. After storing short-term dynamic baselines and long-term behavioral profile baselines, the baseline unit uses the maximum number of connections per minute for each baseline as the baseline threshold JY. The formula for calculating the baseline threshold JY is as follows: In the formula, μ is the average number of connections per minute. The standard deviation is denoted as .

[0007] In a preferred embodiment, the fast detection unit receives security events processed by the processing unit, and the fast detection unit extracts the real-time connection count per minute (SL) for each security event. The fast detection unit retrieves the baseline threshold (JY) corresponding to the security event from the baseline unit. The fast detection unit compares the real-time connection count per minute (SL) with the baseline threshold (JY). When the real-time connection count per minute (SL) > the baseline threshold (JY), the fast detection unit sends an alarm command to the alarm unit. When the real-time connection count per minute (SL) ≤ the baseline threshold (JY), the fast detection unit performs normal detection work.

[0008] In a preferred embodiment, the deep detection unit receives multiple indicators of entities within a time window from the security event processed by the processing unit, constructs a multi-dimensional feature vector, and performs unsupervised model detection, reconstruction error detection, and temporal anomaly detection on the multi-dimensional feature vector. For unsupervised model detection, the feature vector is input into an isolated forest model, and the average path length LC required for the feature vector to be isolated is calculated. For reconstruction error detection, the feature vector is input into a deep autoencoder, and the reconstruction mean square error CW between the original feature vector input and the reconstructed output feature vector is calculated. For temporal anomaly detection, the indicator values ​​at consecutive time points are used as the input sequence, and the sequence is input into an LSTM model to obtain the predicted value for the current time moment. The absolute error value JW between the predicted value and the actual observed value is calculated.

[0009] In a preferred embodiment, the deep detection unit sends the calculated average path length LC, reconstruction mean square error CW, and absolute error value JW to the analysis unit. The analysis unit receives the data sent by the deep detection unit and compares them with their respective thresholds. When the average path length LC, reconstruction mean square error CW, and absolute error value JW exceed their respective thresholds, the analysis unit sends an alarm command to the alarm unit. When the average path length LC, reconstruction mean square error CW, and absolute error value JW do not exceed their respective thresholds, the analysis unit calculates the analysis value FX.

[0010] In a preferred embodiment, when the analysis unit calculates the analysis value FX, the calculation formula for the analysis value FX is as follows: In the formula, k1, k2, and k3 are adjustable parameters, and k1, k2, and k3 are the proportions of the number of threats detected by unsupervised model detection, reconstruction error detection, and temporal anomaly detection to the total number of threats. The analysis unit compares the calculated analysis value FX with its internal suspicious threshold KY. When the analysis value FX > suspicious threshold KY, the analysis unit sends a suspicious instruction to the alarm unit. When the analysis value FX ≤ suspicious threshold KY, the analysis unit remains in working state.

[0011] In a preferred embodiment, when the alarm unit receives an alarm command, the alarm unit extracts the event that triggered the alarm, marks the event as a threat event, and sends it to the defense unit. When the alarm unit receives a suspicious command, the alarm unit extracts the event, and while issuing an alarm, the alarm unit marks the event as a suspicious event. When marked as a suspicious event, the suspicious event is paused and sent to the defense unit.

[0012] In a preferred embodiment, when the defense unit receives a threat event, it blocks and isolates it. When the defense unit receives a suspicious event, it manually identifies the suspicious event. If the event is identified as a threat event, it blocks and isolates it. If the event is identified as a normal event, it records and issues an alarm. The data recorded by the defense unit is stored in the cloud.

[0013] The technical effects and advantages of this invention are as follows: 1. This invention divides data subsets by entity dimension through baseline units and constructs short-term dynamic baselines and long-term behavioral profile baselines. The system can learn and characterize normal behavior patterns. Based on the mean and standard deviation, the baseline threshold JY is dynamically calculated, which makes anomaly detection more accurate through quantitative comparison, reduces false alarms caused by fixed thresholds, and improves proactive defense capabilities. 2. This invention enables the fast detection unit and the deep detection unit to work together. The fast detection unit achieves real-time high-frequency detection based on simple indicators such as the number of connections, and quickly discovers obvious anomalies. The deep detection unit performs unsupervised and temporal anomaly detection by extracting multi-dimensional features and combining models such as isolated forest, autoencoder, and LSTM. It identifies hidden threats from multiple perspectives. The dual-layer mechanism takes into account both detection speed and depth, and effectively balances performance and detection capability. 3. The analysis unit of this invention integrates the output results of multiple models, obtains the analysis value FX through weighted calculation, and compares it with the suspicious threshold KY to realize intelligent judgment of threat level. The alarm unit initiates different response processes according to the two types of events: threat and suspicious. The defense unit supports a combination of automatic blocking, isolation and manual judgment, which not only ensures the rapid handling of high-threat events, but also provides a manual review channel for suspicious behavior, thereby improving the rationality of the response. Attached Figure Description

[0014] Figure 1 This is a schematic diagram of the overall system composition of the present invention. Detailed Implementation

[0015] The technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings. In addition, the forms of the various structures described in the following embodiments are merely illustrative. The proactive network security defense system based on data analysis involved in the present invention is not limited to the structures described in the following embodiments. All other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0016] Reference Figure 1This invention provides a proactive network security defense system based on data analysis, comprising a data acquisition unit, a processing unit, a baseline unit, a fast detection unit, a deep detection unit, an analysis unit, an alarm unit, and a defense unit. The data acquisition unit is used for data acquisition. The processing unit processes the acquired data and converts it into security sequence events. The baseline unit is used to provide a baseline threshold JY. The fast detection unit receives security sequence events and calculates the number of connections per minute SL. The deep detection unit calculates an analysis value FX. The analysis unit analyzes the analysis value FX with a suspicious threshold KY. The alarm unit is used to issue alarms and extract threat events and suspicious events. The defense unit defends against threat events and suspicious events.

[0017] In this embodiment, the application achieves full coverage from data collection to intelligent decision-making and then to collaborative response, integrating them into an organic whole. Through the connection of data flow and instruction flow between units, it realizes the automated discovery, assessment and handling of threats. This makes the application no longer an isolated set of detection points when conducting defense, but a whole with situational awareness, proactive judgment and linkage response capabilities.

[0018] Reference Figure 1 The collection unit uses probes, proxies, and API interfaces to collect full traffic data, system and application logs, terminal behavior data, and threat intelligence data from external sources in real time. The processing unit cleans and denoises the collected data and unifies it into JSON format. Then, it associates the data with timestamps and key entities to transform the raw data into security sequence events.

[0019] In this embodiment, the system constructs a three-dimensional data acquisition network by integrating three complementary acquisition methods: probes, proxies, and API interfaces. This ensures the comprehensiveness of data acquisition, cleans and denoises the data, and unifies it into JSON format, establishing a universal data language for the system, completely breaking down data silos, and facilitating subsequent processing.

[0020] Reference Figure 1 The baseline unit receives a security sequence event data stream. Based on the analysis dimensions of user entities, device entities, and network traffic entities, it segments the data stream into independent data subsets for different entities. For each entity's data subset, it extracts temporal features and constructs feature vectors. These feature vectors are then used to construct short-term dynamic baselines and long-term behavioral profile baselines using a hierarchical baseline model. The short-term dynamic baselines and long-term behavioral profile baselines are stored. The security sequence event data stream within the baseline unit is filtered and confirmed by the security administrator, with no confirmed security event alarms. The baseline unit is updated daily. After storing the short-term dynamic baselines and long-term behavioral profile baselines, the baseline unit uses the maximum number of connections per minute for each baseline as the baseline threshold JY. The formula for calculating the baseline threshold JY is as follows: In the formula, μ is the average number of connections per minute. The standard deviation is denoted as .

[0021] In this embodiment, data is segmented and baselines are constructed independently according to different entity dimensions such as users, devices, and network traffic. This can accurately depict the normal behavior pattern of each entity and avoid the problem of behavioral feature ambiguity caused by hybrid modeling. The hierarchical model combining short-term dynamic baselines and long-term behavioral profile baselines can capture subtle changes in recent behavior and establish a stable behavioral profile based on long-term historical data, thereby improving the accuracy and targeting of anomaly detection. The baseline data of this application comes from security data streams without confirmed alarms, ensuring that the baseline reflects security event data and reducing the risk of false alarms from the source. The baseline threshold JY is dynamically calculated rather than manually set as a fixed value, so that the threshold can be automatically adjusted according to the fluctuation of the actual number of connections, ensuring its accuracy for long-term use.

[0022] Reference Figure 1 The fast detection unit receives security events processed by the processing unit, and extracts the real-time connection count SL for each security event. The fast detection unit retrieves the baseline threshold JY corresponding to the security event from the baseline unit. The fast detection unit compares the real-time connection count SL with the baseline threshold JY. When the real-time connection count SL > the baseline threshold JY, the fast detection unit sends an alarm command to the alarm unit. When the real-time connection count SL ≤ the baseline threshold JY, the fast detection unit performs normal detection work.

[0023] In this embodiment, the fast detection unit compares the number of connections per minute (SL) with the baseline threshold (JY) in real time, enabling it to quickly identify significant anomalies at the traffic level within milliseconds. This allows for rapid screening and alerting of a large number of obvious and high-intensity attacks at the entry point, greatly reducing the analysis load on the backend deep detection unit, optimizing the overall system resource allocation, and saving time for deep analysis, thus improving detection efficiency and reducing resource consumption.

[0024] Reference Figure 1The deep detection unit receives multiple indicators of entities within a time window from the security event processed by the processing unit, constructs a multi-dimensional feature vector, and performs unsupervised model detection, reconstruction error detection, and temporal anomaly detection on the multi-dimensional feature vector. Unsupervised model detection inputs the feature vector into an isolated forest model and calculates the average path length LC required for the feature vector to be isolated. Reconstruction error detection inputs the feature vector into a deep autoencoder and calculates the reconstruction mean square error CW between the original feature vector input and the reconstructed output feature vector. Temporal anomaly detection uses the indicator values ​​at consecutive time points as the input sequence, inputs the sequence into an LSTM model, obtains the predicted value for the current time, and calculates the absolute error JW between the predicted value and the actual observed value.

[0025] In this application embodiment, unsupervised model detection, reconstruction error detection, and temporal anomaly detection are used to address anomalies with different characteristics. Unsupervised model detection is good at finding sparse and isolated points in the feature space and can be used to detect behaviors that are very different from the overall pattern. Reconstruction error detection discovers pattern deviations that are difficult to describe with simple rules through reconstruction errors and is good at detecting novel and unknown composite anomalies. Temporal anomaly detection focuses on the continuity of time series and can effectively identify abnormal evolution of behavior in the time dimension, thereby improving the detection capability of this application for advanced threats such as APT attacks, insider threats, and zero-day exploits, and avoiding the limitation of detection.

[0026] Reference Figure 1 The deep detection unit sends the calculated average path length LC, reconstruction mean square error CW, and absolute error value JW to the analysis unit. The analysis unit receives the data sent by the deep detection unit and compares it with their respective thresholds. When the average path length LC, reconstruction mean square error CW, and absolute error value JW exceed their respective thresholds, the analysis unit sends an alarm command to the alarm unit. When the average path length LC, reconstruction mean square error CW, and absolute error value JW do not exceed their respective thresholds, the analysis unit calculates the analysis value FX. The formula for calculating the analysis value FX is as follows: In the formula, k1, k2, and k3 are adjustable parameters, and k1, k2, and k3 are the proportions of the number of threats detected by unsupervised model detection, reconstruction error detection, and temporal anomaly detection to the total number of threats. The analysis unit compares the calculated analysis value FX with its internal suspicious threshold KY. When the analysis value FX > suspicious threshold KY, the analysis unit sends a suspicious instruction to the alarm unit. When the analysis value FX ≤ suspicious threshold KY, the analysis unit remains in working state.

[0027] In this embodiment, the analysis unit first compares the average path length LC, the reconstructed mean square error CW, and the absolute error value JW with their respective thresholds. Each model has an independent sensitivity setting, which can effectively reduce alarms caused by misjudgment by a single model. When no alarm is triggered, the next step is to calculate the analysis value FX. During the calculation of the analysis value FX, the adjustable parameters k1, k2, and k3 are dynamically adjusted according to the historical detection effects of each model, thus enabling self-optimization. In actual operation, the influence of detection models that are more effective in the current network environment is continuously strengthened. After calculation, the results are compared with the suspicious threshold KY. This application can make a final judgment on events in the gray area, improving the intelligence and accuracy of threat assessment, and proactively defending after the judgment is made.

[0028] Reference Figure 1 When the alarm unit receives an alarm command, it extracts the event that triggered the alarm, marks the event as a threat event, and sends it to the defense unit. When the alarm unit receives a suspicious command, it extracts the event and simultaneously issues an alarm and marks the event as a suspicious event. When marked as a suspicious event, the suspicious event is paused and sent to the defense unit. When the defense unit receives a threat event, it blocks and isolates it. When the defense unit receives a suspicious event, it manually identifies the suspicious event. If identified as a threat event, it blocks and isolates it. If identified as a normal event, it records and issues an alarm. The data recorded by the defense unit is stored in the cloud.

[0029] In this embodiment, threat events and suspicious events are treated with different measures. Threat events are immediately marked and forwarded for handling, while suspicious events are handled with an alert and suspension strategy. At this time, security personnel within the defense unit intervene before the suspicious operation causes substantial damage, thus gaining a time window for manual judgment. Suspicious events are introduced into a manual identification process. Based on the results of manual judgment, it is decided whether to escalate them into threat events for blocking or to record them as normal events for alerting, thereby balancing the needs of security protection and business continuity. Finally, all handling records are stored in the cloud to form a security knowledge base, which can be used for event backtracking, attack chain analysis, model training, and compliance auditing, truly realizing closed-loop management and continuous learning of the defense process.

[0030] The above embodiments can be implemented, in whole or in part, by software, hardware, firmware, or any other combination thereof. When implemented in software, the above embodiments can be implemented, in whole or in part, as a computer program product. The units and algorithm steps of the various examples described in the embodiments can be implemented in electronic hardware or a combination of computer software and electronic hardware. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of this application.

[0031] In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses, and methods can be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; for instance, the division of units is only a logical functional division, and in actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the coupling or direct coupling or communication connection shown or discussed may be through some interfaces; the indirect coupling or communication connection between apparatuses or units may be electrical, mechanical, or other forms.

[0032] The above description is merely a specific embodiment of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the technical scope disclosed in this application should be included within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.

[0033] In conclusion, the above description is only a preferred embodiment of the present invention and is not intended to limit the present invention. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of the present invention should be included within the protection scope of the present invention.

Claims

1. A proactive network security defense system based on data analysis, characterized in that: The system includes a data acquisition unit, a processing unit, a baseline unit, a fast detection unit, a deep detection unit, an analysis unit, an alarm unit, and a defense unit. The data acquisition unit is used for data acquisition. The processing unit processes the acquired data and converts it into secure sequence events. The baseline unit is used to provide a baseline threshold JY. The fast detection unit receives secure sequence events and calculates the number of connections per minute SL. The deep detection unit calculates an analysis value FX. The analysis unit analyzes the analysis value FX with a suspicious threshold KY. The alarm unit is used to issue alarms and extract threat events and suspicious events. The defense unit defends against threat events and suspicious events. The collection unit uses probes, proxies, and API interfaces to collect full traffic data, system and application logs, terminal behavior data, and threat intelligence data from external sources in real time. The processing unit cleans and denoises the collected data and unifies it into JSON format. Then, it associates the data with timestamps and key entities to transform the raw data into security sequence events.

2. The proactive network security defense system based on data analysis according to claim 1, characterized in that: The baseline unit receives the security sequence event data stream, and divides the data stream into independent data subsets of different entities according to the analysis dimensions of user entities, device entities, and network traffic entities. For each entity's data subset, time-series features are extracted, feature vectors are constructed, and the feature vectors are used to construct short-term dynamic baselines and long-term behavioral profile baselines using a hierarchical baseline model. The short-term dynamic baselines and long-term behavioral profile baselines are then stored.

3. The proactive network security defense system based on data analysis according to claim 1, characterized in that: The security sequence event data stream within the baseline unit is filtered and confirmed by the security administrator, with no confirmed security event alarms. The baseline unit is updated daily. After storing short-term dynamic baselines and long-term behavioral profile baselines, the baseline unit uses the maximum number of connections per minute for each baseline as the baseline threshold JY. The formula for calculating the baseline threshold JY is as follows: In the formula, μ is the average number of connections per minute. The standard deviation is denoted as .

4. The proactive network security defense system based on data analysis according to claim 1, characterized in that: The fast detection unit receives security events processed by the processing unit, and extracts the real-time connection count SL for each security event. The fast detection unit retrieves the baseline threshold JY corresponding to the security event from the baseline unit. The fast detection unit compares the real-time connection count SL with the baseline threshold JY. When the real-time connection count SL > the baseline threshold JY, the fast detection unit sends an alarm command to the alarm unit. When the real-time connection count SL ≤ the baseline threshold JY, the fast detection unit performs normal detection work.

5. The proactive network security defense system based on data analysis according to claim 1, characterized in that: The deep detection unit receives multiple indicators of entities within a time window from the security event processed by the processing unit, constructs a multi-dimensional feature vector, and performs unsupervised model detection, reconstruction error detection, and temporal anomaly detection on the multi-dimensional feature vector. For unsupervised model detection, the feature vector is input into an isolated forest model, and the average path length LC required for the feature vector to be isolated is calculated. For reconstruction error detection, the feature vector is input into a deep autoencoder, and the reconstruction mean square error CW between the original feature vector input and the reconstructed output feature vector is calculated. For temporal anomaly detection, the indicator values ​​at consecutive time points are used as the input sequence, and the sequence is input into an LSTM model to obtain the predicted value for the current time moment. The absolute error value JW between the predicted value and the actual observed value is calculated.

6. The proactive network security defense system based on data analysis according to claim 5, characterized in that: The deep detection unit sends the calculated average path length LC, reconstruction mean square error CW, and absolute error value JW to the analysis unit. The analysis unit receives the data sent by the deep detection unit and compares them with their respective thresholds. When the average path length LC, reconstruction mean square error CW, and absolute error value JW exceed their respective thresholds, the analysis unit sends an alarm command to the alarm unit. When the average path length LC, reconstruction mean square error CW, and absolute error value JW do not exceed their respective thresholds, the analysis unit calculates the analysis value FX.

7. A proactive network security defense system based on data analysis according to claim 6, characterized in that: When the analysis unit calculates the analysis value FX, the formula for calculating the analysis value FX is as follows: In the formula, k1, k2, and k3 are adjustable parameters, and k1, k2, and k3 are the proportions of the number of threats detected by unsupervised model detection, reconstruction error detection, and temporal anomaly detection to the total number of threats. The analysis unit compares the calculated analysis value FX with its internal suspicious threshold KY. When the analysis value FX > suspicious threshold KY, the analysis unit sends a suspicious instruction to the alarm unit. When the analysis value FX ≤ suspicious threshold KY, the analysis unit remains in working state.

8. The proactive network security defense system based on data analysis according to claim 1, characterized in that: When the alarm unit receives an alarm command, it extracts the event that triggered the alarm, marks the event as a threat event, and sends it to the defense unit. When the alarm unit receives a suspicious command, it extracts the event and marks it as a suspicious event while issuing an alarm. When marked as a suspicious event, the alarm unit pauses the suspicious event and sends it to the defense unit.

9. A proactive network security defense system based on data analysis according to claim 1, characterized in that: When the defense unit receives a threat event, it blocks and isolates it. When the defense unit receives a suspicious event, it manually identifies the suspicious event. If the event is identified as a threat event, it blocks and isolates it. If the event is identified as a normal event, it records and issues an alarm. The data recorded by the defense unit is stored in the cloud.