CN-122027350-A - Security assessment management and control method, system, equipment and medium for controlled network environment

Abstract

The invention relates to a security assessment management and control method, a system, equipment and a medium of a controlled network environment, belonging to the technical field of network security. The method comprises the steps of collecting and preprocessing multi-source heterogeneous data, outputting standardized multi-source heterogeneous data, matching the service types according to service feature templates, optimizing the weight and combination of a basic risk assessment index system to obtain a customized index system, inputting the standardized multi-source heterogeneous data into the system for quantification, outputting a current risk assessment result and a future risk trend prediction result, extracting multi-mode features, carrying out abnormal behavior detection after being fused through an attention mechanism, outputting a detection result, inputting the assessment, prediction and detection results into a reinforcement learning management and control model, executing an initial strategy, calculating the risk reduction rate and the service influence degree, dynamically adjusting a reward function, optimizing a loss function and outputting a dynamic strategy. The invention takes into account the dual core requirements of the controlled network environment on accurate risk prevention and control and continuous operation of the service.

Inventors

  • ZHOU HAOHAO
  • DAI CHAOFAN
  • MA WUBIN
  • WU YAHUI

Assignees

  • National University of Defense Technology, Chinese People's Liberation Army

Dates

Publication Date
20260512
Application Date
20260408

Claims (10)

  1. A security assessment management method for a controlled network environment, the method comprising: Step 1, collecting multi-source heterogeneous data in a controlled network environment, preprocessing the multi-source heterogeneous data, and outputting standardized multi-source heterogeneous data; Step 2, identifying service attributes of the standardized multi-source heterogeneous data based on a preset service feature template, matching service types, optimizing weights and combinations of a preset basic risk assessment index system according to an adaptation rule of the service types, and outputting a customized risk assessment index system; Step 3, inputting the standardized multi-source heterogeneous data into the customized risk assessment index system for index quantification to obtain quantified index data; carrying out security risk level assessment and future risk trend prediction in a preset period according to the quantified index data to obtain a current risk assessment result and a future risk trend prediction result; Step 4, extracting multi-modal features of the standardized multi-source heterogeneous data, and carrying out dynamic weight distribution and deep fusion on the multi-modal features based on an attention mechanism to obtain fusion feature data; Step 5, inputting the current risk assessment result, the future risk trend prediction result and the abnormal behavior detection result into a reinforcement learning management and control model, matching and executing an initial management and control strategy, collecting risk and business operation data after the strategy is executed, calculating the risk reduction rate and business influence degree, dynamically adjusting a reward function and optimizing a loss function, realizing closed-loop self-optimization of the management and control strategy, and outputting the dynamic management and control strategy.
  2. The security assessment management method for a controlled network environment according to claim 1, wherein in step 2, identifying service attributes of the standardized multi-source heterogeneous data and matching service types based on a preset service feature template, and optimizing weights and combinations of a preset basic risk assessment index system according to adaptation rules of the service types, comprises: Step 201, extracting flow features and port features from the standardized multi-source heterogeneous data, matching the flow features and the port features against the feature parameters in the preset service feature template, and identifying and determining the service type of the controlled network environment; Step 202, calculating the service association degree of each first-level index in a preset basic risk assessment index system based on an entropy weight method; Step 203, constructing a service attribute vector corresponding to the service association degree of each first-level index, constructing a diagonal matrix according to the service attribute vector, and performing a dot product operation on the diagonal matrix and an initial judgment matrix to obtain a corrected judgment matrix; Step 204, performing adding, deleting or replacing operations on the second-level indexes in the basic risk assessment index system according to the index combination optimization rule corresponding to the service type, so as to obtain a second-level index system matched with the service type; Step 205, fusing the second-level index system with the adjusted first-level index weights, and constructing and outputting a customized risk assessment index system.
  3. The security assessment management method for a controlled network environment according to claim 2, wherein in step 3, performing security risk level assessment and future risk trend prediction in a preset period according to the quantified index data to obtain a current risk assessment result and a future risk trend prediction result comprises: Step 301, performing weight distribution calculation on the quantified index data based on the corrected judgment matrix, and performing normalization processing after iteratively solving the maximum eigenvalue of the corrected judgment matrix by a power method to obtain the dynamic weight of each index; Step 302, performing a consistency test on the dynamic weights, and if the preset threshold is not met, adjusting the scoring elements of the relative importance among indexes in the corrected judgment matrix and recalculating until the threshold requirement is met, to obtain qualified dynamic weights; Step 303, constructing a comment set, defining the membership degree of the quantified index data to the comment set through a triangular fuzzy number, and generating a membership degree matrix; Step 304, extracting the membership evaluation values corresponding to all indexes from the membership matrix to form a membership vector, and combining the qualified dynamic weights and the membership vector using a weighted average operator to obtain a current risk assessment result; Step 305, extracting multidimensional risk-related features from the quantified index data to form input features, inputting them into a time series prediction model, and calculating and outputting a future risk trend prediction result through the time series prediction model.
  4. The security assessment management method for a controlled network environment according to claim 1, wherein in step 4, extracting the multi-modal features of the standardized multi-source heterogeneous data, and performing dynamic weight allocation and deep fusion on the multi-modal features based on an attention mechanism to obtain fusion feature data, comprises: Step 401, extracting features of the corresponding modality from each data level of the standardized multi-source heterogeneous data to obtain multi-modal features, and mapping the multi-modal features into feature vectors of a preset dimension; Step 402, performing attention weight calculation on the preset-dimension feature vectors based on an attention mechanism to obtain attention weights; Step 403, performing a weighted fusion operation on the preset-dimension feature vectors according to the attention weights to obtain initial fusion feature data; Step 404, performing dimension reduction processing on the initial fusion feature data, retaining a preset proportion of the feature information, and processing the dimension-reduced multi-modal feature data through a sample balance algorithm to obtain the fusion feature data.
  5. The method according to any one of claims 1 to 4, wherein in step 5, inputting the current risk assessment result, the future risk trend prediction result, and the abnormal behavior detection result into a reinforcement learning management and control model, matching and executing an initial management and control strategy, collecting risk and business operation data after executing the strategy, and calculating a risk reduction rate and business influence degree, comprises: Step 501, inputting the current risk assessment result, the future risk trend prediction result and the abnormal behavior detection result into a reinforcement learning management and control model, and matching and executing a corresponding initial management and control strategy according to a preset matching rule; Step 502, collecting risk level before executing the initial control strategy Business response time Risk level after execution Business response time ; Step 503, according to the risk level before the execution of the initial control strategy Business response time Risk level after execution Business response time And calculating the risk reduction rate and the business influence degree.
  6. The security assessment management method for a controlled network environment according to claim 5, wherein in step 5, dynamically adjusting a reward function and optimizing a loss function to implement closed-loop self-optimization of the management and control strategy and output a dynamic management and control strategy comprises: Step 511, constructing a reward function according to the risk reduction rate and the business influence degree, where the expression is: ; In the formula, Representing a reward function; Representing a risk reduction rate; Representing the business influence degree; 、 representing a bonus function weighting factor; Step 512, constructing a combined loss function, with the expression: ; ; ; In the formula, Representing a total loss function; representing risk prediction error loss; representing business impact prediction error loss; 、 representing a loss function weight coefficient; representing a predicted risk level; Representing an actual risk level; Representing a predicted traffic response time; Representing actual service response time; representing the data sample size; Step 513, performing an optimization operation on the combined loss function using a preset optimizer, and dynamically adjusting the weight coefficients of the reward function according to the optimization result to obtain an adjustment result; Step 514, dividing different iteration periods according to the current risk assessment result, feeding back the execution effect of the initial management and control strategy according to the iteration periods, and outputting effect feedback data; Step 515, updating the action space selection logic of the reinforcement learning management and control model according to the adjustment result and the effect feedback data, and optimizing the initial management and control strategy to obtain a dynamic management and control strategy.
  7. The security assessment management method for a controlled network environment according to any one of claims 1 to 4, further comprising performing service-adapted differentiated early warning and emergency response based on the current risk assessment result, the future risk trend prediction result, and the matched service type, comprising: Step 601, mapping the matched service type to a corresponding service priority, and determining a corresponding data importance degree, a preset recovery time target, a recovery point target and a basic alarm intensity threshold according to the service priority; Step 602, collecting the operation time period features of the controlled network environment, and dynamically adjusting the basic alarm intensity threshold of each service priority by combining the data importance, the recovery time target and the recovery point target to generate a dynamic alarm threshold corresponding to each service type; Step 603, comparing the current risk assessment result with the dynamic alarm threshold, and if the current risk assessment result reaches the dynamic alarm threshold, triggering an early warning mechanism adapted to the service priority, and outputting an early warning mechanism triggering result; Step 604, combining the dynamic management and control strategy and the early warning mechanism triggering result, and executing differentiated emergency response flows for different service priorities.
  8. A security assessment management apparatus for a controlled network environment, the apparatus comprising: a data acquisition module, used for acquiring and preprocessing multi-source heterogeneous data in a controlled network environment and outputting standardized multi-source heterogeneous data; an index system customizing module, used for identifying the service attributes of the standardized multi-source heterogeneous data based on a preset service feature template, matching the service type, optimizing the weights and combination of a preset basic risk assessment index system according to the adaptation rule of the service type, and outputting a customized risk assessment index system; a risk assessment and prediction module, used for inputting the standardized multi-source heterogeneous data into the customized risk assessment index system to carry out index quantification to obtain quantified index data; a multi-modal fusion module, used for extracting multi-modal features of the standardized multi-source heterogeneous data, and carrying out dynamic weight distribution and deep fusion on the multi-modal features based on an attention mechanism to obtain fusion feature data; a reinforcement learning module, used for inputting the current risk assessment result, the future risk trend prediction result and the abnormal behavior detection result into a reinforcement learning management and control model, matching and executing an initial management and control strategy, collecting risk and business operation data after the strategy is executed, calculating the risk reduction rate and business influence degree, dynamically adjusting a reward function and optimizing a loss function, realizing closed-loop self-optimization of the management and control strategy and outputting the dynamic management and control strategy.
  9. A computer device comprising a memory and a processor, characterized in that the memory stores a computer program, and the processor implements the steps of the security assessment management method for a controlled network environment according to any one of claims 1 to 7 when executing the computer program.
  10. A computer-readable storage medium, characterized in that a computer program is stored thereon which, when executed by a processor, implements the steps of the security assessment management method for a controlled network environment according to any one of claims 1 to 7.
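
The weighting and grading chain of claim 3 (steps 301 to 304) can be followed in a short added Python example; it is an illustration written for this page, not code from the patent. The judgment matrix, index scores, three-grade comment set with its triangular shapes, Saaty's random index values and the 0.1 consistency threshold are all assumptions, since the claim only speaks of a "preset threshold" and a "comment set".

```python
# Added illustration of claim 3, steps 301-304 (not the patent's code).
# The judgment matrix, scores, grade shapes and the 0.1 threshold are assumptions.

RI = {3: 0.58, 4: 0.90, 5: 1.12}   # Saaty random consistency indices
GRADES = {"low": (0.0, 0.0, 0.5), "medium": (0.0, 0.5, 1.0), "high": (0.5, 1.0, 1.0)}

def power_method(A, iters=500, tol=1e-12):
    """Step 301: largest eigenvalue and sum-normalized eigenvector of A."""
    n = len(A)
    w, lam = [1.0 / n] * n, 0.0
    for _ in range(iters):
        v = [sum(A[i][j] * w[j] for j in range(n)) for i in range(n)]
        new_lam = sum(v)              # sum(w) == 1, so sum(A w) estimates lambda
        w = [x / new_lam for x in v]
        if abs(new_lam - lam) < tol:
            break
        lam = new_lam
    return new_lam, w

def consistency_ratio(lam, n):
    """Step 302: CR = CI / RI with CI = (lambda_max - n) / (n - 1)."""
    return ((lam - n) / (n - 1)) / RI[n]

def tri(x, a, b, c):
    """Step 303: membership of x in the triangular fuzzy number (a, b, c)."""
    if x == b:
        return 1.0
    if a < x < b:
        return (x - a) / (b - a)
    if b < x < c:
        return (c - x) / (c - b)
    return 0.0

def assess(A, scores, cr_max=0.1):
    """Steps 301-304: returns (weights, CR, grade memberships, winning grade)."""
    lam, w = power_method(A)
    cr = consistency_ratio(lam, len(A))
    if cr >= cr_max:
        # The claim adjusts the pairwise scores and recomputes; here we only signal it.
        raise ValueError(f"judgment matrix inconsistent (CR={cr:.3f}); adjust and retry")
    R = [[tri(x, *GRADES[g]) for g in GRADES] for x in scores]   # membership matrix
    B = {g: sum(w[i] * R[i][k] for i in range(len(w))) for k, g in enumerate(GRADES)}
    return w, cr, B, max(B, key=B.get)

# Constructed sample: three first-level indexes, pairwise importance on a 1-9 scale.
SAMPLE_MATRIX = [[1, 2, 5], [1 / 2, 1, 3], [1 / 5, 1 / 3, 1]]
SAMPLE_SCORES = [0.8, 0.4, 0.1]      # quantified index data scaled to [0, 1]

if __name__ == "__main__":
    w, cr, B, grade = assess(SAMPLE_MATRIX, SAMPLE_SCORES)
    print([round(x, 3) for x in w], round(cr, 4), B, grade)
```

A matrix whose pairwise scores contradict each other is rejected before any grade is produced, which is the point of the consistency test in step 302: weights derived from an inconsistent matrix would make the risk grade arbitrary.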

Description

Security assessment management and control method, system, equipment and medium for controlled network environment

Technical Field

The present invention relates to the field of network security technologies, and in particular, to a security assessment management and control method, system, device, and medium for a controlled network environment.

Background

In controlled network environments such as enterprise office collaboration, industrial control networks and government cloud platforms, the confidentiality, integrity and availability of data directly affect the daily operating efficiency of enterprises and the legal rights and interests of users, so security protection requirements are very important. Traditional data security risk assessment and management schemes have difficulty adapting to complex security requirements.

First, the traditional risk assessment index system is mostly fixed. It cannot dynamically adjust weights and index combinations according to the diverse service attributes of different application fields, so it is difficult to adapt to differing requirements, and the assessment results lack pertinence and flexibility.

Second, the traditional risk assessment index system can only quantitatively analyze the current security state. It lacks the ability to dynamically deduce and predict future risk trends, so frequently occurring sudden security risks are difficult to avoid in advance.

Third, the abnormality detection means in the traditional risk assessment index system depend on single-modality data or simple baseline deviation judgment and do not effectively correlate multi-source heterogeneous data such as services, equipment and environment in the network, so the false alarm rate is high.

Fourth, the security control strategy in the traditional risk assessment index system is mostly statically configured or relies on manual adjustment. It lacks a closed-loop self-optimization mechanism across risk, strategy and effect, responds late to rapidly changing security risks, and cannot adapt in time to the dynamic protection requirements of different service scenarios.

Fifth, the early warning response in the traditional risk assessment index system adopts a unified, fixed-level logic that is not adjusted differentially for the continuity requirements of services, so core risks may receive an insufficient response, and it is difficult to balance the efficiency of responding to ordinary security alarms against the impact on normal business.

Disclosure of Invention

Based on the above, it is necessary to provide a security assessment management and control method, system, device and medium for a controlled network environment, which can solve problems such as risk assessment being disconnected from the service scenario, low abnormality detection accuracy, and management and control strategies having no self-optimization capability.

A security assessment management method of a controlled network environment, the method comprising:

Step 1, collecting multi-source heterogeneous data in a controlled network environment, preprocessing the multi-source heterogeneous data, and outputting standardized multi-source heterogeneous data;

Step 2, identifying service attributes of the standardized multi-source heterogeneous data based on a preset service feature template, matching service types, optimizing weights and combinations of a preset basic risk assessment index system according to an adaptation rule of the service types, and outputting a customized risk assessment index system;

Step 3, inputting the standardized multi-source heterogeneous data into the customized risk assessment index system for index quantification to obtain quantified index data; carrying out security risk level assessment and future risk trend prediction in a preset period according to the quantified index data to obtain a current risk assessment result and a future risk trend prediction result;

Step 4, extracting multi-modal features of the standardized multi-source heterogeneous data, and carrying out dynamic weight distribution and deep fusion on the multi-modal features based on an attention mechanism to obtain fusion feature data;

Step 5, inputting the current risk assessment result, the future risk trend prediction result and the abnormal behavior detection result into a reinforcement learning management and control model, matching and executing an initial management and control strategy, collecting risk and business operation data after the strategy is executed, calculating the risk reduction rate and business influence degree, dynamically adjusting a reward function and optimizing a loss function, realizing closed-loop self-optimization of the management and control strategy, and outpu