CN-122027270-A - Internet application safety monitoring system and method based on multidimensional analysis
Abstract
The invention discloses an Internet application security monitoring system and method based on multidimensional analysis, relating to the technical field of network security. The system comprises a data processing module, a multidimensional security analysis module and an intelligent response module, wherein the multidimensional security analysis module comprises a feature mapping unit and a graph reasoning unit. A dynamically fused security knowledge graph is constructed through standardization of multi-source heterogeneous data and real-time feature mapping, which effectively breaks the information barriers among network traffic, user behavior, system vulnerability and other dimensions. Reasoning over the graph with a graph neural network allows potential threat associations and complex attack patterns to be mined in depth, significantly improving threat identification accuracy and early warning capability. Combined with a deep reinforcement learning decision model, the system can automatically generate and execute optimized security response instructions, realizing closed-loop management from situation awareness to intelligent disposal, greatly improving security operation efficiency, and enhancing the adaptability and cooperative defense level of the overall protection.
Inventors
- LI XUEWU
- Liang Zhanbu
- HE MINGDONG
- LI BO
- Fu Gehua
- LIU FENGZHENG
- HU YIFAN
Assignees
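- Guangdong Power Grid Co., Ltd. (广东电网有限责任公司)
- Digital Intelligence Operation Center of Guangdong Power Grid Co., Ltd. (广东电网有限责任公司数智运营中心)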
Dates
- Publication Date: 20260512
- Application Date: 20260205
Claims (10)
- 1. An Internet application security monitoring system based on multidimensional analysis, characterized by comprising: a data processing module configured to normalize the collected multi-source heterogeneous security data into a structured security event stream; a multidimensional security analysis module, coupled to the data processing module, comprising: a feature mapping unit configured to map and fuse, in real time and incrementally, security analysis results from the network traffic, user behavior and system vulnerability dimensions in the structured security event stream into nodes and edges of a unified security knowledge graph, based on a predefined extensible entity relationship model; and a graph reasoning unit, connected to the feature mapping unit and configured to perform reasoning on the security knowledge graph using a graph neural network algorithm, generating node or subgraph embedding vectors that represent potential threat associations by aggregating the features of heterogeneous-source nodes and edges in the multi-hop neighborhood; and an intelligent response module, connected to the multidimensional security analysis module and configured to input the association structure and graph topology vectors output by the graph reasoning unit into a trained deep reinforcement learning decision model, so as to generate an optimized security response instruction and trigger its execution.
- 2. The Internet application security monitoring system based on multidimensional analysis of claim 1, wherein the entity relationship model is a modular component based on schema definition, allowing dynamic expansion of entity types, relationship types, and attributes through declarative configuration without modification of system core code.
- 3. The Internet application security monitoring system based on multidimensional analysis of claim 1, wherein the graph reasoning unit is specifically configured to use a graph attention network to perform differentially weighted aggregation according to the feature importance of nodes of different dimensions in the neighborhood, generating node or subgraph embedding vectors that represent potential threat associations.
- 4. The Internet application security monitoring system based on multidimensional analysis of claim 1, wherein the state space of the deep reinforcement learning decision model is composed of subgraph embedding vectors which are generated in real time by the graph reasoning unit and reflect the current threat association structure and severity.
- 5. The Internet application security monitoring system based on multidimensional analysis of claim 1, further comprising an offline training and simulation environment configured to pretrain and strategically evaluate a deep reinforcement learning decision model by utilizing security knowledge graph data and system interaction logs corresponding to historical attack scenarios, and continuously optimize model parameters in an online learning manner after deployment.
- 6. The Internet application security monitoring system based on multidimensional analysis as recited in claim 1, wherein the intelligent response module further comprises a verification and feedback unit configured to actively collect system security status feedback data to evaluate treatment effects after executing response instructions, and to feed the quantized evaluation results back to the training process of the decision model as reward signals to form a decision optimization closed loop.
- 7. An Internet application security monitoring method based on multidimensional analysis, suitable for the Internet application security monitoring system based on multidimensional analysis according to claims 1-6, characterized by comprising the following steps:
  - S1: performing standardized processing on the collected multi-source heterogeneous security data to generate a structured security event stream;
  - S2: performing network traffic analysis, user behavior analysis and system vulnerability analysis on the structured security event stream in parallel to obtain basic security analysis results for each dimension;
  - S3: converting and fusing the basic security analysis results of each dimension into a unified security knowledge graph, in real time and incrementally, according to a predefined and extensible entity relationship model;
  - S4: based on the security knowledge graph, using a graph neural network algorithm to aggregate the features of nodes and edges from different analysis dimensions in the multi-hop neighborhood, generating a comprehensive embedded representation for distinguishing potential attack chains;
  - S5: inputting the comprehensive embedded representation into a trained deep reinforcement learning decision model to generate an optimized security response instruction sequence;
  - S6: executing the security response instructions, and performing effect verification and feedback based on the system security state data after execution.
- 8. The Internet application security monitoring method based on multidimensional analysis of claim 7, wherein the training data of the deep reinforcement learning decision model comprises knowledge graph structure snapshots corresponding to historical security events, manual or automatic response actions taken in the graph states, and security state change data after the actions are executed.
- 9. The method for monitoring Internet application security based on multidimensional analysis as claimed in claim 7, wherein the method further comprises dynamically presenting a security knowledge graph, an identified attack chain, an intelligent decision process and a response state through a visual interface with the graph as an interaction core, and supporting drill-down investigation and manual response intervention on any node and edge in the graph.
- 10. The method for monitoring Internet application security based on multidimensional analysis as recited in claim 7, wherein the effect verification and feedback comprises feeding a quantitative evaluation result of the security state improvement after response execution back to an online learning process of the deep reinforcement learning decision model as a positive reward signal for optimizing policy network parameters in real time.
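The schema-driven, incremental feature mapping of claims 1 and 2 can be sketched as follows. This is an added example, not code from the patent: the schema layout, event kinds, field names and sample events are all assumptions, and the graph neural network stage is not modelled.

```python
from collections import defaultdict
# Hypothetical declarative schema (names are assumptions); new event kinds are added here, not in code.
SCHEMA = {
    "net_flow":   {"dim": "traffic",       "src": ("ip", "src_ip"), "rel": "connects_to", "dst": ("host", "dst_host")},
    "user_login": {"dim": "behavior",      "src": ("user", "user"), "rel": "logs_into",   "dst": ("host", "host")},
    "vuln_scan":  {"dim": "vulnerability", "src": ("host", "host"), "rel": "exposes",     "dst": ("vuln", "vuln_id")},
}

class SecurityGraph:
    def __init__(self):
        self.nodes = {}                # node id -> entity type
        self.edges = defaultdict(int)  # (src, relation, dst) -> times observed
        self.adj = defaultdict(set)    # node id -> {(neighbor id, dimension)}
    def apply_event(self, event):
        """Incrementally upsert one normalized event; False if no schema entry maps it."""
        rule = SCHEMA.get(event.get("kind"))
        if rule is None:
            return False
        (src_type, src_field), (dst_type, dst_field) = rule["src"], rule["dst"]
        src, dst = f"{src_type}:{event[src_field]}", f"{dst_type}:{event[dst_field]}"
        self.nodes[src], self.nodes[dst] = src_type, dst_type
        self.edges[(src, rule["rel"], dst)] += 1
        self.adj[src].add((dst, rule["dim"]))
        self.adj[dst].add((src, rule["dim"]))
        return True
    def dimensions_within(self, start, hops):
        """Analysis dimensions whose edges lie within `hops` of `start`."""
        frontier, seen, dims = {start}, {start}, set()
        for _hop in range(hops):
            links = [link for node in frontier for link in self.adj[node]]
            dims |= {dim for _, dim in links}
            frontier = {nbr for nbr, _ in links} - seen
            seen |= frontier
        return dims

# Constructed sample event stream (not real telemetry).
EVENTS = [
    {"kind": "net_flow", "src_ip": "203.0.113.7", "dst_host": "web-01"},
    {"kind": "user_login", "user": "svc-backup", "host": "web-01"},
    {"kind": "vuln_scan", "host": "web-01", "vuln_id": "VULN-PLACEHOLDER-1"},
    {"kind": "net_flow", "src_ip": "203.0.113.7", "dst_host": "web-01"},  # repeat: count, not duplicate
    {"kind": "dns_query", "name": "example.test"},                        # no schema entry: unmapped
    {"kind": "user_login", "user": "alice", "host": "db-02"},
]

def build_graph(events):
    graph = SecurityGraph()
    mapped = sum(graph.apply_event(ev) for ev in events)
    return graph, mapped
```

One hop from the source IP only the traffic dimension is visible; at two hops the shared host node joins traffic, behavior and vulnerability evidence, which is the cross-dimension neighborhood the claimed multi-hop aggregation operates on.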
Description
Internet application security monitoring system and method based on multidimensional analysis
Technical Field
The invention relates to the technical field of network security, in particular to an Internet application security monitoring system and method based on multidimensional analysis.
Background
As Internet applications grow more complex and network attacks become more advanced and stealthy, traditional security monitoring systems based on single-point, single-dimension rules struggle to cope. The prior art generally analyzes network traffic, logs or vulnerability information independently, and lacks effective correlation of, and deep insight into, cross-dimension attack chains. In addition, the response strategy of traditional systems often depends on predefined static rules and cannot adapt to rapidly changing attack patterns and network environments, resulting in delayed responses or erroneous operations.
The existing Internet application security monitoring has the following defects:
1. Patent document CN119675911A discloses a network security monitoring system and a network security monitoring method, belonging to the technical field of network security, which aim to solve the technical problem of how to detect the network security of an online Internet financial website.
The system comprises a network threat discovery subsystem, a website vulnerability scanning subsystem and a mobile APP security detection subsystem. The network threat discovery subsystem is used for analyzing samples of network attacks on an Internet financial platform, extracting event rules, inspecting the Internet financial platform, discovering network threat events aimed at the Internet financial platform based on the event rules and inspection results, and recording the network threat events. The website vulnerability scanning subsystem is used for performing asset detection and vulnerability scanning on Internet financial websites to discover security vulnerabilities. The mobile APP security detection subsystem is used for performing security detection and risk analysis on Internet financial mobile applications to discover security vulnerabilities and transaction security risks. However, the security monitoring system in that document lacks effective standardization and real-time fusion mechanisms among multi-source heterogeneous data such as network traffic, user behaviors and system vulnerabilities, so that information barriers are formed. This leads to the technical problems that threat identification depends on a single dimension or simple rules, that cross-dimension potential threat associations and complex attack patterns are difficult to discover, and that accuracy and early warning timeliness are insufficient.
Disclosure of Invention
The invention aims to provide an Internet application security monitoring system and method based on multidimensional analysis, which are used for solving the technical problems described in the background.
In order to achieve this purpose, the invention provides the following technical scheme. The Internet application security monitoring system based on multidimensional analysis comprises: a data processing module configured to normalize the collected multi-source heterogeneous security data into a structured security event stream; a multidimensional security analysis module, coupled to the data processing module, comprising: a feature mapping unit configured to map and fuse, in real time and incrementally, security analysis results from the network traffic, user behavior and system vulnerability dimensions in the structured security event stream into nodes and edges of a unified security knowledge graph, based on a predefined extensible entity relationship model; and a graph reasoning unit, connected to the feature mapping unit and configured to perform reasoning on the security knowledge graph using a graph neural network algorithm, generating node or subgraph embedding vectors that represent potential threat associations by aggregating the features of heterogeneous-source nodes and edges in the multi-hop neighborhood; and an intelligent response module, connected to the multidimensional security analysis module and configured to input the association structure and graph topology vectors output by the graph reasoning unit into a trained deep reinforcement learning decision model, so as to generate an optimized security response instruction and trigger its execution.
Preferably, the entity relationship model is a modular component based on schema definition that allows dynamic expansion of entity types, relationship types, and attributes through declarative configuration without modifying system core code.
Preferably, the graph reasoning unit is specifically configured to perform differential weighted aggregation