An information storage system for a network security device
By constructing an adaptive optimization system and combining global metadata with dynamic risk assessment, attribute-based dynamic access control is achieved, solving the problem of rigid access control in existing technologies and improving the security and compliance of data access.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Filing Date
- 2026-05-28
- Publication Date
- 2026-07-14
AI Technical Summary
Existing role-based access control is too rigid when dealing with complex and dynamic security data. It cannot make fine-grained and dynamic permission judgments based on the real-time risk level of the data itself and the access context, which poses a risk of data leakage or abuse.
By employing components such as global metadata and consistency services, dynamic risk perception and assessment engine, elastic software-defined storage resource pool, unified intelligent access agent and policy enforcement gateway, trusted data acquisition and telemetry module, and security intelligent learning and decision-making center, an adaptive optimization system is constructed to achieve the dynamic combination of attribute-based dynamic access control and real-time data risk labels.
It significantly improves the security and compliance of data access, reduces the risk of data leakage through real-time risk assessment and dynamic access control, enhances the ability to optimize security strategies, and protects the security of enterprise information assets.
Smart Images

Figure CN122394953A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of network security technology, and in particular to an information storage system for network security devices. Background Technology
[0002] In the context of the global digital revolution and cyberspace becoming a core infrastructure for national security, economic operation, and social life, and facing increasingly complex cyberattacks such as ransomware, advanced persistent threats (APTs), and frequent data breaches leading to corporate asset losses, privacy violations, and escalating security risks to critical national information infrastructure, a network security device information storage system aims to achieve efficient storage, rapid retrieval, and security protection of critical information such as security logs, threat intelligence, and user behavior data. This is achieved by constructing a comprehensive storage system based on a distributed storage architecture, integrating encryption algorithms and access control policies, and supporting real-time data acquisition and intelligent analysis. The core objective is to meet the needs of network security devices in threat detection and incident response. In scenarios such as compliance auditing and compliance, the stringent requirements for data reliability, integrity, and confidentiality ultimately enhance data storage availability (e.g., multiple copies for redundancy and rapid recovery), security (e.g., end-to-end encryption and least privilege access), and analytical value (e.g., association rule mining and anomaly behavior identification). This provides a solid data foundation for cybersecurity protection, supports the construction of a proactive defense and intelligent collaborative security ecosystem, reduces the risk of data leakage, shortens threat response time, and enhances security strategy optimization capabilities. At the same time, it effectively protects the security of enterprise information assets, safeguards individual privacy rights, and builds a solid technical barrier for the stable operation of national critical information infrastructure and the healthy and sustainable development of the digital economy. It has significant social, economic, and strategic value.
[0003] In existing systems, role-based access control is often used. However, traditional role-based access control is too rigid when dealing with complex and dynamic security data. It cannot make fine-grained and dynamic permission judgments based on the real-time risk level of the data itself and the access context, which poses a risk of data leakage or abuse. Therefore, an information storage system for network security devices is proposed. Summary of the Invention
[0004] The purpose of this invention is to address the shortcomings of existing technologies by proposing an information storage system for network security devices.
[0005] To achieve the above objectives, the present invention adopts the following technical solution: An information storage system for a network security device includes: Global metadata and consistency service: Maintains the mapping relationship between the logical storage location, dynamic risk labels, access policies and physical storage location of all data objects in the system; Dynamic Risk Perception and Assessment Engine: Performs real-time risk assessment on raw data generated by network security devices, generating dynamic risk scores and dynamic risk tags for each data object; Elastic software-defined storage resource pool: used to provide software-defined, elastically scalable physical storage resources, and dynamically allocate logical storage partitions of different performance levels to data objects with different dynamic risk labels according to policy instructions; Unified intelligent access proxy and policy enforcement gateway: As the only external access point, it distributes user query requests to the corresponding logical storage partitions in a federated manner according to the mapping relationship between the global metadata and the consistency service, and executes attribute-based dynamic access control. Trusted data acquisition and telemetry module: used to securely collect system performance indicators and user access behavior indicators from the elastic software-defined storage resource pool and the unified intelligent access agent and policy enforcement gateway; Security Intelligent Learning and Decision Center: Used to analyze collected indicators, predict system load and data risk migration trends, and generate resource scheduling and data migration strategy instructions; The dynamic risk labels output by the dynamic risk perception and assessment engine, the policy instructions generated by the security intelligent learning and decision-making center, and the mapping relationship maintained by the global metadata and consistency service work together to drive the elastic software-defined storage resource pool to complete the automatic classification, placement, and elastic migration of data, forming a closed-loop adaptive optimization system.
[0006] The above technical solution further includes: Furthermore, the dynamic risk perception and assessment engine includes: Enhanced feature extractor: used to extract multidimensional features from raw data, the multidimensional features including at least data content features, context state features of the device that generated the raw data, and historical behavior pattern features of associated users; Threat intelligence fusion engine: used to compare network entity identifiers in extracted features with internal and external threat intelligence databases in real time; Intelligent Risk Simulator: This is a deep learning model trained adversarially to calculate and output a continuous dynamic risk score of 0-100 based on the multidimensional features and threat intelligence fusion results, and generate an interpretable report explaining the key risk contribution characteristics. Adaptive classifier: used to classify and label data objects as multi-level dynamic risk labels based on the dynamic risk score, data access frequency and predefined strategies. The multi-level dynamic risk labels include core threat evidence, data requiring review, regular logs and archived data.
[0007] Furthermore, the unified intelligent access proxy and policy enforcement gateway includes: Query parsing and federation: Used to receive and parse user query requests, decompose a single query into sub-queries for multiple backend logical storage partitions based on the data location mapping recorded in the global metadata and consistency service, and aggregate and return the results; Dynamic access control engine: Used to implement attribute-based access control. When making decisions, it dynamically combines user identity attributes, request context attributes, and the current dynamic risk label of the data object to be queried, which is obtained in real time from the global metadata and consistency service, to determine whether access is allowed or whether additional authentication is required.
[0008] Furthermore, the elastic software-defined storage resource pool abstracts heterogeneous storage devices into a unified resource pool through storage virtualization technology, and dynamically divides it into a high-performance hot storage area, a standard-temperature storage area, and a low-cost cold storage area: The high-performance hot storage area consists of solid-state drives and is used to store data objects marked as core threat evidence and frequently accessed auditable computational data. The standard temperature storage area consists of a mechanical hard disk or distributed storage and is used to store auditable computational data that is marked as regular logs and infrequently accessed data. The low-cost cold storage area is used to store data objects marked as archived data; The resource pool manager automatically migrates data between high-performance hot storage areas, standard temperature storage areas, and low-cost cold storage areas, or horizontally expands the storage resources of specific partitions, according to the policy instructions issued by the security intelligent learning and decision-making center.
[0009] Furthermore, the trusted data acquisition and telemetry module includes a secure telemetry agent deployed on key components. The secure telemetry agent transmits the acquired data through an encrypted channel and adds a timestamped digital signature to the data packets to ensure transmission security and data integrity, thereby providing a tamper-resistant and reliable data source for the secure intelligent learning and decision-making center.
[0010] Furthermore, the secure intelligent learning and decision-making center includes: Anti-attack temporal prediction model: This is a temporal convolutional network or Transformer temporal model trained adversarially to analyze historical and real-time system performance indicators and generate predictive curves about the future storage load and data dynamic risk score change trends. Policy Engine: Used to receive the label output of the dynamic risk perception and assessment engine and the prediction results of the anti-attack time series prediction model, and generate resource orchestration and data migration instructions in combination with the predefined policy rule base. The data migration instructions are verified by querying the global metadata and consistency service before execution.
[0011] Furthermore, the global metadata and consistency service is specifically a highly available distributed key-value storage system based on the Raft or Paxos consensus algorithm, used to atomically update the metadata records of data objects, and to notify the unified intelligent access agent and policy enforcement gateway to update their routing information in real time through a publish-subscribe mechanism when the data location or risk label changes.
[0012] Furthermore, the deep learning model used in the intelligent risk simulator is a sequence model based on a long short-term memory network or a Transformer architecture. The output interpretability report is generated by performing attribution analysis on the multidimensional features using the SHAP method, which quantitatively displays the contribution of each feature to the final dynamic risk score.
[0013] Furthermore, during the determination process, if the dynamic access control engine identifies a user with legitimate permissions initiating a batch download request for core threat evidence data outside of working hours or from an unconventional network address, it will trigger an interception or mandatory secondary authentication process.
[0014] Furthermore, the data migration operation of the elastic software-defined storage resource pool is triggered by the policy engine and is executed before locking the metadata records of the relevant data objects in the global metadata and consistency service. After the migration is completed, its logical storage location mapping is atomically updated, and the unified intelligent access agent and policy enforcement gateway are notified, thereby ensuring data consistency and access transparency.
[0015] The present invention has the following beneficial effects: This invention dynamically combines attribute-based access control with real-time data risk labeling. Access decisions not only consider who accesses what, but also incorporate the key dynamic attribute of the real-time risk of the accessed data. Access control policies are automatically upgraded, significantly improving the security and compliance of data access. Attached Figure Description
[0016] Figure 1 This is a system block diagram of an information storage system for a network security device proposed in this invention. Detailed Implementation
[0017] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0018] Please see Figure 1As shown, the present invention is an information storage system for a network security device, comprising: Global metadata and consistency service: Maintains the mapping relationship between the logical storage location, dynamic risk labels, access policies and physical storage location of all data objects in the system; Dynamic Risk Perception and Assessment Engine: Performs real-time risk assessment on raw data generated by network security devices, generating dynamic risk scores and dynamic risk tags for each data object; It should be noted that the specific analytical process for dynamic risk perception and assessment is as follows: Multidimensional features are extracted from raw data generated by network security devices using an enhanced feature extractor. These multidimensional features include at least data content features, context state features of the device that generated the raw data, and historical behavior pattern features of the associated user. The threat intelligence fusion engine compares the network entity identifiers in the extracted multi-dimensional features with the internal and external threat intelligence databases in real time. The intelligent risk simulator calculates and outputs a continuous dynamic risk score of 0-100 for each data object based on the multi-dimensional features and threat intelligence fusion results, and generates an interpretable report that describes the key risk contribution characteristics. The intelligent risk simulator is a deep learning model trained adversarially. Using an adaptive classifier, each data object is classified and labeled with a multi-level dynamic risk label based on the dynamic risk score, data access frequency, and predefined strategies. The multi-level dynamic risk label includes core threat evidence, data requiring review, regular logs, and archived data.
[0019] Elastic software-defined storage resource pool: used to provide software-defined, elastically scalable physical storage resources, and dynamically allocate logical storage partitions of different performance levels to data objects with different dynamic risk labels according to policy instructions; Unified intelligent access proxy and policy enforcement gateway: As the only external access point, it distributes user query requests to the corresponding logical storage partitions in a federated manner according to the mapping relationship between the global metadata and the consistency service, and executes attribute-based dynamic access control. It should be noted that the specific analysis process of network security data access control and query implemented by the intelligent access proxy and policy enforcement gateway is as follows: Receive data query requests from users regarding network security data; The data query request is authenticated based on a dynamic access control policy. The authentication process dynamically combines the user's identity attributes, the context attributes of the request, and the current dynamic risk label of the target data object to which the request is pointed, which is obtained in real time from the global metadata and consistency service. If the authentication is successful, the data query request will be parsed and distributed to the corresponding backend logical storage partition for query execution based on the mapping relationship between the global metadata and the logical storage location of the target data object recorded in the consistency service. The query sub-results from each logical storage partition are obtained, aggregated, and then the final query result is returned to the user.
[0020] Trusted data acquisition and telemetry module: used to securely collect system performance indicators and user access behavior indicators from the elastic software-defined storage resource pool and the unified intelligent access agent and policy enforcement gateway; Security Intelligent Learning and Decision Center: Used to analyze collected indicators, predict system load and data risk migration trends, and generate resource scheduling and data migration strategy instructions; The dynamic risk labels output by the dynamic risk perception and assessment engine, the policy instructions generated by the security intelligent learning and decision-making center, and the mapping relationship maintained by the global metadata and consistency service work together to drive the elastic software-defined storage resource pool to complete the automatic classification, placement, and elastic migration of data, forming a closed-loop adaptive optimization system.
[0021] In one embodiment, the dynamic risk perception and assessment engine includes: Enhanced feature extractor: used to extract multidimensional features from raw data, the multidimensional features including at least data content features, context state features of the device that generated the raw data, and historical behavior pattern features of associated users; It should be noted that the specific analysis process for the enhanced feature extractor to extract multidimensional features is as follows: Analyze the data content of the raw data and extract content features including log level, alarm type, and load characteristics; The operating status parameters of the device that generates the raw data and the network traffic baseline within the same time window are collected in real time through bypass or application programming interface integration, which together constitute the context status features. Retrieve and analyze the historical operation sequences and behavioral preferences of associated users who have processed or triggered the original data to form a description of their historical behavioral patterns. The content features, contextual state features, and historical behavior pattern features are standardized and vectorized, and combined to form a unified multidimensional feature vector for subsequent risk assessment.
[0022] Threat intelligence fusion engine: used to compare network entity identifiers in extracted features with internal and external threat intelligence databases in real time; It should be noted that the specific analysis process for real-time comparison using the threat intelligence fusion engine is as follows: Key network entity identifiers are automatically parsed and extracted from the multidimensional features. These network entity identifiers specifically include Internet Protocol addresses, domain names, file hash values, and process identifiers. The extracted network entity identifiers are matched concurrently with the real-time updated internal threat intelligence database and the external threat intelligence database subscribed from external security service providers. When a known threat entry is matched, a threat intelligence fusion result is generated, which includes the matched threat type, confidence level, and intelligence source. This result is then input into the intelligent risk simulator as a key risk factor to significantly enhance the ability to identify known threats.
[0023] Intelligent Risk Simulator: This is a deep learning model trained adversarially to calculate and output a continuous dynamic risk score of 0-100 based on the multidimensional features and threat intelligence fusion results, and generate an interpretable report explaining the key risk contribution characteristics. It should be noted that the specific analytical process for calculating dynamic risk scores and generating interpretable reports using the intelligent risk simulator is as follows: The preprocessed multidimensional feature vectors and the structured threat intelligence fusion results are input into a deep learning model trained adversarially. The model is a sequence model based on a long short-term memory network or a Transformer architecture. The deep learning model encodes and transforms the input sequence through its internal multi-layer neural network, and finally outputs a continuous value between 0 and 100 that represents the comprehensive risk level, which serves as the dynamic risk score of the data object. While generating the score, the SHAP attribution explanation framework is used to analyze the output of the deep learning model, quantify the contribution of each input feature to the final dynamic risk score, and generate a structured interpretability report that clearly indicates the key risk contribution feature with the highest contribution and its positive or negative influence direction.
[0024] Adaptive classifier: used to classify and label data objects as multi-level dynamic risk labels based on the dynamic risk score, data access frequency and predefined strategies. The multi-level dynamic risk labels include core threat evidence, data requiring review, regular logs and archived data.
[0025] It should be noted that the specific analysis process for labeling dynamic risk tags using an adaptive classifier is as follows: Receive dynamic risk scores from the intelligent risk simulator and continuously monitor the real-time and historical access frequency of the data object in the storage system to determine the hot / cold level of its data access frequency. Invoke a pre-configured predefined policy rule base, which defines the mapping relationship between dynamic risk scoring threshold, access frequency threshold and dynamic risk label; Based on whether the dynamic risk score exceeds the first high-risk threshold and whether the data access frequency is high-frequency, the data objects that meet the conditions are classified and labeled as core threat evidence tags. Based on whether the dynamic risk score is in the medium risk range, or whether the score is high but the data access frequency is low, the data objects that meet the conditions are classified and labeled as data requiring review. Based on whether the dynamic risk score is lower than the second low risk threshold and the access pattern conforms to normal expectations, the data objects that meet the conditions are classified and labeled as regular log tags. Based on the extremely low dynamic risk score and the fact that the minimum access frequency threshold has not been reached for a long time, the data objects that meet the conditions are classified and labeled as archived data, thereby completing a multi-level classification decision based on risk and access patterns.
[0026] In one embodiment, the unified intelligent access proxy and policy enforcement gateway includes: Query parsing and federation: Used to receive and parse user query requests, decompose a single query into sub-queries for multiple backend logical storage partitions based on the data location mapping recorded in the global metadata and consistency service, and aggregate and return the results; It should be noted that the specific analysis process of query parsing and federation execution is as follows: The query parser and federator perform syntax parsing on the received data query request to identify the target data object involved. The query parser and federator determine the logical storage partition where each target data object is currently stored based on the data catalog maintained in the global metadata and consistency service. The logical storage partition includes at least a high-performance hot storage area, a standard temperature storage area, or a low-cost cold storage area. The query parser and federator rewrites and decomposes the original single data query request into multiple sub-query requests targeting different logical storage partitions based on the actual distribution location of the data, and sends each sub-query request to the corresponding storage partition for execution in parallel.
[0027] Dynamic access control engine: Used to implement attribute-based access control. When making decisions, it dynamically combines user identity attributes, request context attributes, and the current dynamic risk label of the data object to be queried, which is obtained in real time from the global metadata and consistency service, to determine whether access is allowed or whether additional authentication is required.
[0028] It should be noted that the specific analysis process of the dynamic access control engine in authenticating and determining data query requests is as follows: The dynamic access control engine extracts user identity attributes carried in or obtained through association from the data query request. The user identity attributes include at least user role and department affiliation. The dynamic access control engine extracts the context attributes of the data query request, which include at least the request initiation time, the source IP address, and the request operation type; The dynamic access control engine queries the global metadata and consistency service in real time for the current dynamic risk label marked on the target data object; The dynamic access control engine takes the user identity attribute, the context attribute, and the current dynamic risk tag as input, calculates and outputs access control decisions based on pre-configured attribute-based access control policy rules, and the access control decisions include allowing access, denying access, or requiring additional authentication.
[0029] In one embodiment, the elastic software-defined storage resource pool abstracts heterogeneous storage devices into a unified resource pool using storage virtualization technology, and dynamically divides it into a high-performance hot storage area, a standard-temperature storage area, and a low-cost cold storage area. The high-performance hot storage area consists of solid-state drives and is used to store data objects marked as core threat evidence and frequently accessed auditable computational data. The standard temperature storage area consists of a mechanical hard disk or distributed storage and is used to store auditable computational data that is marked as regular logs and infrequently accessed data. The low-cost cold storage area is used to store data objects marked as archived data; The resource pool manager automatically migrates data between high-performance hot storage areas, standard temperature storage areas, and low-cost cold storage areas, or horizontally expands the storage resources of specific partitions, according to the policy instructions issued by the security intelligent learning and decision-making center.
[0030] In one embodiment, the trusted data acquisition and telemetry module includes a secure telemetry agent deployed on a key component. The secure telemetry agent transmits the acquired data through an encrypted channel and adds a timestamped digital signature to the data packets to ensure transmission security and data integrity, thereby providing a tamper-resistant and reliable data source for the secure intelligent learning and decision-making center.
[0031] In one embodiment, the secure intelligent learning and decision-making center includes: Anti-attack temporal prediction model: This is a temporal convolutional network or Transformer temporal model trained adversarially to analyze historical and real-time system performance indicators and generate predictive curves about the future storage load and data dynamic risk score change trends. Policy Engine: Used to receive the label output of the dynamic risk perception and assessment engine and the prediction results of the anti-attack time series prediction model, and generate resource orchestration and data migration instructions in combination with the predefined policy rule base. The data migration instructions are verified by querying the global metadata and consistency service before execution.
[0032] In one embodiment, the global metadata and consistency service is specifically a highly available distributed key-value storage system based on the Raft or Paxos consensus algorithm, used to atomically update the metadata records of data objects, and to notify the unified intelligent access agent and policy enforcement gateway to update their routing information in real time through a publish-subscribe mechanism when the data location or risk label changes.
[0033] In one embodiment, the deep learning model used by the intelligent risk simulator is a sequence model based on a long short-term memory network or a Transformer architecture. The output interpretability report is generated by performing attribution analysis on the multidimensional features using the SHAP method, which quantitatively displays the contribution of each feature to the final dynamic risk score.
[0034] In one embodiment, if the dynamic access control engine identifies a user with legitimate permissions making a batch download request for core threat evidence data outside of working hours or from an unconventional network address during the determination process, it triggers an interception or mandatory secondary authentication process.
[0035] In one embodiment, the data migration operation of the elastic software-defined storage resource pool is triggered by the policy engine and executed before locking the metadata records of the relevant data objects in the global metadata and consistency service. After the migration is completed, its logical storage location mapping is atomically updated, and the unified intelligent access agent and policy enforcement gateway are notified, thereby ensuring data consistency and access transparency.
[0036] All data obtained in this invention has been authorized by the user.
[0037] Although embodiments of the invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and variations can be made to these embodiments without departing from the principles and spirit of the invention, the scope of which is defined by the appended claims and their equivalents.
Claims
1. An information storage system for a network security device, characterized in that, include: Global metadata and consistency service: Maintains the mapping relationship between the logical storage location, dynamic risk labels, access policies and physical storage location of all data objects in the system; Dynamic Risk Perception and Assessment Engine: Performs real-time risk assessment on raw data generated by network security devices, generating dynamic risk scores and dynamic risk tags for each data object; Elastic software-defined storage resource pool: used to provide physical storage resources and dynamically allocate logical storage partitions of different performance levels to data objects with different dynamic risk labels according to policy instructions; Unified intelligent access proxy and policy enforcement gateway: Based on the mapping relationship between the global metadata and the consistency service, it distributes user query requests to the corresponding logical storage partitions in a federated manner and executes attribute-based dynamic access control. Trusted data acquisition and telemetry module: used to securely collect system performance indicators and user access behavior indicators from the elastic software-defined storage resource pool and the unified intelligent access agent and policy enforcement gateway; Security Intelligent Learning and Decision Center: Used to analyze collected indicators, predict system load and data risk migration trends, and generate resource scheduling and data migration strategy instructions; The dynamic risk labels output by the dynamic risk perception and assessment engine, the policy instructions generated by the security intelligent learning and decision-making center, and the mapping relationship maintained by the global metadata and consistency service work together to drive the elastic software-defined storage resource pool to complete the automated classification, placement, and elastic migration of data.
2. The information storage system for a network security device according to claim 1, characterized in that, The dynamic risk perception and assessment engine includes: Enhanced feature extractor: used to extract multidimensional features from raw data, the multidimensional features including at least data content features, context state features of the device that generated the raw data, and historical behavior pattern features of associated users; Threat intelligence fusion engine: used to compare network entity identifiers in extracted features with internal and external threat intelligence databases in real time; Intelligent Risk Simulator: Based on the multi-dimensional features and threat intelligence fusion results, it calculates and outputs dynamic risk scores and generates an interpretable report explaining the key risk contribution characteristics. Adaptive classifier: used to classify and label data objects as multi-level dynamic risk labels based on the dynamic risk score, data access frequency and predefined strategies. The multi-level dynamic risk labels include core threat evidence, data requiring review, regular logs and archived data.
3. The information storage system for a network security device according to claim 1, characterized in that, The unified intelligent access proxy and policy enforcement gateway includes: Query parsing and federation: Used to receive and parse user query requests, decompose a single query into sub-queries for multiple backend logical storage partitions based on the data location mapping recorded in the global metadata and consistency service, and aggregate and return the results; Dynamic access control engine: Used to implement attribute-based access control. When making decisions, it dynamically combines user identity attributes, request context attributes, and the current dynamic risk label of the data object to be queried, which is obtained in real time from the global metadata and consistency service, to determine whether access is allowed or whether additional authentication is required.
4. The information storage system for a network security device according to claim 1, characterized in that, The elastic software-defined storage resource pool uses storage virtualization technology to abstract heterogeneous storage devices into a unified resource pool, and dynamically divides it into a high-performance hot storage area, a standard-temperature storage area, and a low-cost cold storage area. The high-performance hot storage area consists of solid-state drives and is used to store data objects marked as core threat evidence and frequently accessed auditable computational data. The standard temperature storage area consists of a mechanical hard disk or distributed storage and is used to store auditable computational data that is marked as regular logs and infrequently accessed data. The low-cost cold storage area is used to store data objects marked as archived data; The resource pool manager automatically migrates data between the high-performance hot storage area, the standard temperature storage area, and the low-cost cold storage area according to the policy instructions issued by the security intelligent learning and decision-making center.
5. The information storage system for a network security device according to claim 1, characterized in that, The trusted data acquisition and telemetry module includes a secure telemetry agent, which transmits the acquired data through an encrypted channel and adds a timestamped digital signature to the data packets.
6. The information storage system of a network security device according to claim 4, characterized in that, The secure intelligent learning and decision-making center includes: Anti-attack timing prediction model: used to analyze historical and real-time system performance indicators and generate prediction curves about the future storage load and data dynamic risk score change trends; Policy Engine: Used to receive the label output of the dynamic risk perception and assessment engine and the prediction results of the anti-attack time series prediction model, and generate resource orchestration and data migration instructions in combination with the predefined policy rule base. The data migration instructions are verified by querying the global metadata and consistency service before execution.
7. The information storage system of a network security device according to claim 1, characterized in that, The global metadata and consistency service is used to atomically update the metadata records of data objects, and to notify the unified intelligent access agent and policy enforcement gateway to update their routing information in real time through a publish-subscribe mechanism when the data location or risk label changes.
8. The information storage system of a network security device according to claim 2, characterized in that, The intelligent risk simulator uses a deep learning model based on a long short-term memory network or a sequence model based on the Transformer architecture. The output interpretability report is generated by performing attribution analysis on the multidimensional features using the SHAP method, which quantitatively displays the contribution of each feature to the final dynamic risk score.
9. The information storage system of a network security device according to claim 3, characterized in that, During the determination process, if the dynamic access control engine identifies a user with legitimate permissions who initiates a batch download request for core threat evidence data outside of working hours or from an unconventional network address, it will trigger an interception or mandatory secondary authentication process.
10. The information storage system of a network security device according to claim 6, characterized in that, The data migration operation of the elastic software-defined storage resource pool is triggered by the policy engine and is performed before locking the metadata records of the relevant data objects in the global metadata and consistency service. After the migration is completed, its logical storage location mapping is atomically updated and the unified intelligent access agent and policy enforcement gateway are notified.