
CN-121151034-B - Intelligent security identification and defense method based on end-edge-cloud cooperation


Abstract

The invention relates to the technical field of intelligent security defense and discloses an intelligent security identification and defense method based on end-edge-cloud cooperation. The method comprises: collecting raw security data at the end-side device, extracting device running-state and environment-interaction features, and generating an end-side threat feature vector; having an edge node receive the vector, complete behavior pattern matching against a node-level threat knowledge base, and bind the result with the device's position information to generate a threat behavior mark group; having a cloud platform invoke the mark group and fuse the historical defense records of multiple edge nodes for collaborative analysis, generating a threat confidence assessment value and a cross-layer defense strategy instruction; and triggering the instruction according to the assessment value to dynamically configure the interception rule base of the end-side device and the flow filtering threshold of the edge node. By cooperatively optimizing data processing across end, edge and cloud, the method improves threat identification accuracy, realizes dynamic defense, and is suited to the security protection of deployments with many terminal devices.

Inventors

  • GAO SHENGHUI
  • GAO CHUNYUN
  • LI XIN
  • LIU QIANG
  • WANG FENG
  • Yin Yangfan
  • WEN JINGJING
  • NIU ZHIWEI
  • WANG ZHIYUAN

Assignees

  • 陕西榆能集团能源化工研究院有限公司
  • 陕西榆林能源集团有限公司
  • 北京龙田华远科技有限公司

Dates

Publication Date
20260512
Application Date
20250910

Claims (8)

  1. An intelligent security identification and defense method based on end-edge-cloud cooperation, characterized by comprising the following steps: collecting raw security data at the end-side device, extracting device running-state features and environment-interaction features, and generating an end-side threat feature vector; receiving the end-side threat feature vector at an edge node, performing behavior pattern matching against a node-level threat knowledge base, binding the matching result with the device's position information, and generating a threat behavior mark group; invoking the threat behavior mark group on a cloud platform, fusing the historical defense records of multiple edge nodes for collaborative analysis, and generating a threat confidence assessment value and a cross-layer defense strategy instruction; triggering the cross-layer defense strategy instruction according to the threat confidence assessment value, and dynamically configuring the interception rule base of the end-side device and the flow filtering threshold of the edge node; wherein the step of generating the threat behavior mark group comprises: invoking the device running-state features in the end-side threat feature vector and calculating the degree of deviation between the fluctuation amplitude of the feature values within a continuous time window and the reference running interval; screening abnormal feature fragments according to the degree of deviation and extracting the frequency distribution pattern of the environment-interaction features within those fragments; comparing the frequency distribution pattern for similarity against the attack pattern sequences stored in the node-level threat knowledge base; and when the similarity exceeds a dynamic matching threshold, extracting the corresponding attack pattern code and the device's physical position coordinates and binding them into a threat behavior mark group; and wherein the step of generating the threat confidence assessment value comprises: invoking the attack pattern code in the threat behavior mark group and retrieving the false alarm rate data for the same type of attack from the historical defense records stored on the cloud platform; acquiring the spatio-temporal distribution density of the threat behavior mark groups reported by multiple edge nodes and calculating the regional threat aggregation strength; calculating, by weighting, a cooperative confidence assessment value for the threat behavior mark group based on the false alarm rate data and the regional threat aggregation strength; and when the cooperative confidence assessment value exceeds a level threshold, generating a cross-layer defense strategy instruction containing the end-side interception priority and the edge flow filtering coefficient.
  2. The method of claim 1, wherein the step of dynamically configuring the interception rule base of the end-side device comprises: selecting the set of device identifiers to be updated according to the end-side interception priority in the cross-layer defense strategy instruction; extracting the environment-interaction features corresponding to that set of device identifiers from the threat behavior mark group and generating a feature matching rule template; performing redundancy detection between the feature matching rule template and the current interception rule base and, after eliminating duplicate rules, writing the result into a newly added rule queue; and loading the newly added rule queue in order of interception priority according to the resource occupancy rate of the end-side device.
  3. The method of claim 2, wherein the step of configuring the flow filtering threshold of the edge node comprises: invoking the edge flow filtering coefficient in the cross-layer defense strategy instruction and calculating a dynamic scaling of the node's flow baseline value; acquiring the change gradient of the spatio-temporal distribution density of the threat behavior mark groups within the edge node's coverage area; generating a real-time adjustment step for the flow filtering threshold from the dynamic scaling and the density change gradient; and when a feature dimension of a node flow data packet hits the threat behavior mark group, applying the real-time adjustment step to update the flow filtering threshold.
  4. The method of claim 3, characterized in that the method further comprises: after the end-side device executes the newly added rule queue, acquiring the interception trigger frequency and false-interception event data and generating a rule effectiveness feedback log; transmitting the rule effectiveness feedback log back to the edge node, where it is verified against the matching results of the node-level threat knowledge base; and if the false-interception event data exceeds the fault tolerance upper limit, generating a rule backtracking instruction and sending it to the cloud platform.
  5. The method of claim 4, wherein the method further comprises: the cloud platform receiving the rule backtracking instruction and retrieving the generation record of the related cross-layer defense strategy instruction; extracting the time series of the false-interception event data distribution from the rule effectiveness feedback log; correcting the calculation weights of the threat confidence assessment value based on the false alarm rate change curve of strategies of the same type in the historical defense records; and outputting the updated cooperative confidence assessment value to the cross-layer defense strategy instruction generation flow.
  6. The method of claim 5, wherein the method further comprises: the edge node monitoring the node load state after the flow filtering threshold is updated and collecting the resource occupancy rate and the attack interception success rate; when the resource occupancy rate exceeds a safety threshold, reducing the edge flow filtering coefficient and triggering cloud cooperative reallocation; comparing the attack interception success rate with the end-side rule effectiveness feedback log and calculating a defense strategy execution deviation value; and if the defense strategy execution deviation value exceeds the tolerance range, sending a strategy calibration request to the cloud platform.
  7. The method of claim 6, wherein the method further comprises: the cloud platform responding to the strategy calibration request and calling the defense strategy execution deviation values reported by multiple edge nodes; recalculating the spatio-temporal weight coefficients in the regional threat aggregation strength; generating an incremental cross-layer defense strategy instruction according to the updated regional threat aggregation strength and the cooperative confidence assessment value; and distributing the incremental cross-layer defense strategy instruction to the target edge nodes and end-side devices for incremental coverage.
  8. The method of claim 7, wherein the method further comprises: after receiving the incremental cross-layer defense strategy instruction, the end-side device checking the version identifier of its current interception rule base; if the version identifier does not match the incremental instruction, rolling back to the interception rule base of the latest effective version; synchronously executing the version rollback of the flow filtering threshold at the edge node; and sending a version conflict report to the cloud platform to trigger a full policy reorganization process.
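The pipeline of claims 1 to 3 in runnable miniature, as an added example that is not code from the patent or its assignees. The knowledge base, false-alarm rates, sample telemetry, the cosine similarity used for pattern matching, the shape of the dynamic matching threshold, the confidence weighting, the priority tiers and the per-rule resource cost are all constructed assumptions chosen only to make the flow from end-side vector to edge mark group to cloud instruction to rule base and flow threshold observable end to end.

```python
"""Added example, not code from the patent: a toy end-edge-cloud pipeline that
follows claims 1 to 3. Knowledge base, false-alarm rates, sample telemetry,
thresholds and the weighting formulas are all constructed assumptions."""
import math
from collections import Counter

# Constructed node-level knowledge base: attack code -> frequency distribution
# of environment-interaction tokens (here "protocol:port" events).
KNOWLEDGE_BASE = {
    "ATK-SCAN": {"syn:22": 0.4, "syn:23": 0.3, "syn:445": 0.3},
    "ATK-FLOOD": {"udp:53": 0.9, "icmp": 0.1},
}
# Constructed cloud-side false-alarm rate per attack code (historical records).
FALSE_ALARM_RATE = {"ATK-SCAN": 0.2, "ATK-FLOOD": 0.05}

def deviation_degree(window, ref_low, ref_high):
    """Largest excursion outside the reference running interval, relative to its width."""
    excursion = max(max(ref_low - v, v - ref_high, 0.0) for v in window)
    return excursion / (ref_high - ref_low)

def abnormal_fragments(running_state, interaction, win, ref, screen=0.5):
    """Non-overlapping windows with deviation > screen, plus the interaction events sampled there."""
    frags = []
    for start in range(0, len(running_state) - win + 1, win):
        dev = deviation_degree(running_state[start:start + win], *ref)
        if dev > screen:
            frags.append((start, dev, interaction[start:start + win]))
    return frags

def frequency_distribution(events):
    return {k: v / len(events) for k, v in Counter(events).items()}

def cosine(p, q):
    dot = sum(p.get(k, 0.0) * q.get(k, 0.0) for k in set(p) | set(q))
    norm = math.sqrt(sum(v * v for v in p.values())) * math.sqrt(sum(v * v for v in q.values()))
    return dot / norm if norm else 0.0

def dynamic_threshold(dev, base=0.85):
    """Assumed form: a larger running-state deviation lowers the similarity bar by up to 0.1."""
    return base - 0.1 * min(dev, 1.0)

def edge_mark_groups(vector, position, ref=(20.0, 40.0), win=4):
    """Edge node: match each abnormal fragment against the knowledge base, bind code to coordinates."""
    marks = []
    for start, dev, events in abnormal_fragments(vector["running_state"], vector["interaction"], win, ref):
        dist = frequency_distribution(events)
        code, sim = max(((c, cosine(dist, pat)) for c, pat in KNOWLEDGE_BASE.items()), key=lambda x: x[1])
        if sim > dynamic_threshold(dev):
            marks.append({"code": code, "pos": position, "t": start, "events": frozenset(events)})
    return marks

def aggregation_strength(mark, all_marks, radius=100.0):
    """Share of all reported marks with the same code within `radius` (regional aggregation)."""
    near = [m for m in all_marks if m["code"] == mark["code"] and math.dist(m["pos"], mark["pos"]) <= radius]
    return len(near) / len(all_marks)

def cloud_instruction(mark, all_marks, w_far=0.5, w_agg=0.5, level=0.6):
    """Cloud: weighted confidence from (1 - false alarm rate) and aggregation; instruction above level."""
    conf = w_far * (1 - FALSE_ALARM_RATE[mark["code"]]) + w_agg * aggregation_strength(mark, all_marks)
    if conf <= level:
        return None
    return {"code": mark["code"], "confidence": round(conf, 3),
            "end_priority": 1 if conf > 0.8 else 2,      # assumed priority tiers
            "edge_filter_coeff": round(1 + conf, 2),     # assumed: scales the node flow baseline
            "template": mark["events"]}                  # feature matching rule template

def update_rule_base(rule_base, instructions, occupancy, max_occupancy=0.8, rule_cost=0.05):
    """Claim 2: skip templates already present, queue by priority, load while resources allow."""
    queue = sorted((i for i in instructions if i["template"] not in rule_base), key=lambda i: i["end_priority"])
    loaded = []
    for inst in queue:
        if occupancy + rule_cost * (len(loaded) + 1) > max_occupancy:
            break
        rule_base.add(inst["template"])
        loaded.append(inst["code"])
    return loaded

def adjust_flow_threshold(threshold, baseline, coeff, density_gradient):
    """Claim 3: step = (scaled baseline - baseline) * (1 + density gradient); lower = stricter."""
    step = (baseline * coeff - baseline) * (1 + density_gradient)
    return threshold - step

def demo():
    # Constructed telemetry: running state leaves [20, 40] in the second window
    # while the device starts sending SYNs to administrative ports.
    vector = {"running_state": [25, 30, 28, 31, 55, 60, 58, 62],
              "interaction": ["http:80", "http:80", "dns:53", "http:80",
                              "syn:22", "syn:23", "syn:445", "syn:22"]}
    marks = edge_mark_groups(vector, position=(0.0, 0.0))
    reported = marks + [  # marks from two other edge nodes (constructed)
        {"code": "ATK-SCAN", "pos": (50.0, 50.0), "t": 0, "events": frozenset()},
        {"code": "ATK-FLOOD", "pos": (500.0, 500.0), "t": 0, "events": frozenset()}]
    instr = cloud_instruction(marks[0], reported)
    rule_base = set()
    first = update_rule_base(rule_base, [instr], occupancy=0.5)
    second = update_rule_base(rule_base, [instr], occupancy=0.5)  # duplicate: nothing loaded
    return {"marks": marks, "instruction": instr, "loaded": first, "reloaded": second,
            "threshold": adjust_flow_threshold(1000.0, 800.0, 1.5, 0.25)}
```

Running `demo()` shows the first window (inside the reference interval) producing no fragment, the second window matching `ATK-SCAN` above the dynamic threshold, the cloud confidence rising above the level threshold because a neighbouring edge node reported the same code, and the second rule-base update loading nothing because redundancy detection finds the template already present.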

Description

Intelligent security identification and defense method based on end-edge-cloud cooperation

Technical Field

The invention relates to the technical field of intelligent security defense, and in particular to an intelligent security identification and defense method based on end-edge-cloud cooperation.

Background

With the rapid development of technologies such as the Internet of Things and the industrial Internet, the number of terminal devices of all kinds has grown exponentially, the volume of security data generated while these devices run keeps expanding, and security threats have become diversified, complex and capable of cross-regional propagation. Most traditional security identification and defense methods concentrate on either the single device end or the cloud end, and both have obvious limitations.

At the device level, most terminal devices are constrained by hardware resources, with limited computing power and storage, and cannot perform deep analysis and complex threat identification on the large volume of raw security data they collect. Such devices can generally only perform simple local data filtering and basic security detection, and cannot discover and warn of well-concealed, multidimensionally correlated threats in time, so those threats spread easily at the device end and disrupt normal device operation.

In existing security systems, edge nodes often lack an efficient cooperative mechanism with the end-side devices, and the edge node's threat knowledge base is not updated promptly and has limited coverage. After an edge node receives end-side data, the lack of a unified feature vector analysis standard makes fast and accurate behavior pattern matching difficult. Edge nodes also lack effective data exchange and collaborative analysis capability, so threats spanning several regions or the coverage areas of several edge nodes cannot be comprehensively assessed; the accuracy and timeliness of threat identification therefore fall sharply, and no effective regional security protection barrier can form.

The cloud platform has stronger computing and storage capabilities, but in the traditional model it must receive a large amount of raw data from end sides and edge nodes, so the transmitted data volume is large, latency is high and network bandwidth congestion is likely. The cloud platform can also only perform isolated analysis on the historical data it stores; it cannot fully fuse real-time threat information with the historical defense records of multiple edge nodes, and it struggles to grasp the dynamics and propagation patterns of security threats comprehensively. When a defense strategy is generated, it cannot be accurately adapted to the actual running states of the end-side devices and edge nodes, so the strategy lacks pertinence and flexibility, cannot effectively cope with security threats in different scenarios, and the whole security defense system responds slowly and protects poorly.

Disclosure of Invention

The invention aims to provide an intelligent security identification and defense method based on end-edge-cloud cooperation so as to solve the problems described in the background.

To achieve the above object, the present invention provides an intelligent security identification and defense method based on end-edge-cloud cooperation, the method comprising: collecting raw security data at the end-side device, extracting device running-state features and environment-interaction features, and generating an end-side threat feature vector; receiving the end-side threat feature vector at an edge node, performing behavior pattern matching against a node-level threat knowledge base, binding the matching result with the device's position information, and generating a threat behavior mark group; invoking the threat behavior mark group on a cloud platform, fusing the historical defense records of multiple edge nodes for collaborative analysis, and generating a threat confidence assessment value and a cross-layer defense strategy instruction; and triggering the cross-layer defense strategy instruction according to the threat confidence assessment value, and dynamically configuring the interception rule base of the end-side device and the flow filtering threshold of the edge node.

Preferably, the step of generating the threat behavior mark group comprises: invoking the device running-state features in the end-side threat feature vector and calculating the degree of deviation between the fluctuation amplitude of the feature values within a continuous time window and the reference running interval; screening abnormal feat
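The closed loop of claims 4 to 8 (end-side feedback log, edge fault-tolerance check, cloud weight correction, edge load back-off and the version check before an incremental instruction is applied), as an added example that is not code from the patent or its assignees. The event records, the fault tolerance and safety thresholds, the rule that shifts confidence weight away from the false-alarm term when its trend rises, the back-off factor, and the model in which a rule base version only becomes "effective" after a cloud acknowledgement are all constructed assumptions.

```python
"""Added example, not code from the patent: the feedback, calibration and
version-rollback loop of claims 4 to 8 in miniature. Event records, tolerances,
the weight-correction rule and the "effective after confirmation" version
model are constructed assumptions."""

def rule_feedback_log(intercept_events):
    """Claim 4, end side: intercept_events are constructed records
    {'rule': id, 'false': bool}; returns trigger and false-interception counts."""
    log = {}
    for ev in intercept_events:
        entry = log.setdefault(ev["rule"], {"triggers": 0, "false": 0})
        entry["triggers"] += 1
        entry["false"] += int(ev["false"])
    return log

def edge_verify_feedback(log, fault_tolerance=0.3):
    """Claim 4, edge node: rules whose false-interception ratio exceeds the
    fault tolerance upper limit are listed in a rule backtracking instruction."""
    bad = sorted(r for r, e in log.items() if e["false"] / e["triggers"] > fault_tolerance)
    return {"backtrack": bad} if bad else None

def correct_confidence_weights(weights, false_alarm_curve, step=0.5):
    """Claim 5, cloud: assumed rule that a rising false-alarm trend shifts weight
    from the history term (w_far) to the regional aggregation term (w_agg)."""
    trend = false_alarm_curve[-1] - false_alarm_curve[0]
    w_far = min(max(weights["w_far"] - step * trend, 0.1), 0.9)
    return {"w_far": round(w_far, 3), "w_agg": round(1 - w_far, 3)}

def edge_post_update_check(occupancy, coeff, success_rate, feedback_success,
                           safety=0.85, tolerance=0.1, backoff=0.8):
    """Claim 6: back off the filtering coefficient under overload and flag a
    calibration request when execution deviates from the feedback log."""
    result = {"coeff": coeff, "reallocate": False}
    if occupancy > safety:
        result["coeff"] = round(coeff * backoff, 3)  # assumed back-off factor
        result["reallocate"] = True
    deviation = abs(success_rate - feedback_success)
    result["deviation"] = round(deviation, 3)
    result["calibrate"] = deviation > tolerance
    return result

def apply_incremental(rule_base, instruction):
    """Claim 8, end side. rule_base = {'version', 'rules', 'effective': {ver: rules}};
    a version is 'effective' only after confirm_version(), so a stale
    instruction rolls the device back to the latest confirmed rule base."""
    found = rule_base["version"]
    if found != instruction["base_version"]:
        latest = max(rule_base["effective"])
        rule_base["version"] = latest
        rule_base["rules"] = set(rule_base["effective"][latest])
        return {"status": "rollback", "to_version": latest,
                "conflict_report": {"expected": instruction["base_version"], "found": found},
                "edge_threshold_rollback": True}  # edge node rolls its threshold back in sync
    rule_base["rules"] = (rule_base["rules"] - instruction["remove"]) | instruction["add"]
    rule_base["version"] = found + 1
    return {"status": "applied", "version": rule_base["version"]}

def confirm_version(rule_base):
    """Cloud acknowledgement (assumed): the current version becomes effective."""
    rule_base["effective"][rule_base["version"]] = set(rule_base["rules"])

def demo_feedback():
    # Constructed interception events: R1 is mostly right, R2 mostly wrong.
    events = ([{"rule": "R1", "false": False}] * 7 + [{"rule": "R1", "false": True}]
              + [{"rule": "R2", "false": True}] * 2 + [{"rule": "R2", "false": False}])
    log = rule_feedback_log(events)
    backtrack = edge_verify_feedback(log)
    weights = correct_confidence_weights({"w_far": 0.5, "w_agg": 0.5}, [0.10, 0.15, 0.30])
    load = edge_post_update_check(occupancy=0.9, coeff=1.5, success_rate=0.7, feedback_success=0.95)
    base = {"version": 3, "rules": {"a", "b"}, "effective": {3: {"a", "b"}}}
    applied = apply_incremental(base, {"base_version": 3, "add": {"c"}, "remove": {"a"}})
    # Version 4 was never confirmed; a second instruction built on version 3 is stale.
    stale = apply_incremental(base, {"base_version": 3, "add": {"d"}, "remove": set()})
    return {"log": log, "backtrack": backtrack, "weights": weights, "load": load,
            "applied": applied, "stale": stale, "rules_after": sorted(base["rules"])}
```

In `demo_feedback()` the edge node sends R2 back for backtracking because two of its three interceptions were false, the cloud lowers the weight of the history term as the false-alarm curve climbs, the overloaded edge node backs its coefficient off and asks for calibration, and the second incremental instruction is rejected with a version conflict report while the device returns to its last confirmed rule base.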