CN118611997A - A method, system and device for perceptual security protection based on network port protection device - Google Patents

A method, system and device for perceptual security protection based on network port protection device

Info

Publication number
CN118611997A
Authority
CN
China
Prior art keywords
network port
network
blocking
level
port
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202411087734.8A
Other languages
Chinese (zh)
Other versions
CN118611997B (en)
Inventor
李勇军
钱锦
罗少杰
陈超
韩荣杰
孙智卿
郑伟彦
高隽
郑芷逸
倪夏冰
罗俊
黄帅
王奇锋
黄迪
陈元中
徐李冰
杨帆
柳东辰
周靖淞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Ruishengbo Technology Co ltd
Hangzhou Power Supply Co of State Grid Zhejiang Electric Power Co Ltd
Original Assignee
Hangzhou Ruishengbo Technology Co ltd
Hangzhou Power Supply Co of State Grid Zhejiang Electric Power Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou Ruishengbo Technology Co ltd, Hangzhou Power Supply Co of State Grid Zhejiang Electric Power Co Ltd
Priority to CN202411087734.8A
Publication of CN118611997A
Application granted
Publication of CN118611997B
Legal status: Active (current)
Anticipated expiration

Abstract

Translated from Chinese

The present invention discloses a method, system and device for perceptual security protection based on a network port protection device. The method includes: obtaining the level parameters of the network transmission event currently carried by a network port; determining the corresponding network port blocking granularity scheme according to the network attack risk level; adjusting the port communication strategy of the network topology with a 0-1 integer programming method; analyzing the blocking granularity scheme and the port communication strategy, and controlling the network port protection device to receive the analysis result and block the network ports to be blocked; constructing a multi-level network port blocking model from the network port protection device data and the data of the ports to be blocked; feeding network port transmission event data detected in real time into the multi-level network port blocking model; and determining the corresponding blocking strategy from the output of that model. The proposed method effectively improves the efficiency and response speed of network security protection while keeping critical tasks running and the network system stable.

Description

Translated from Chinese
A method, system and device for perceptual security protection based on network port protection device

Technical Field

The present invention relates to the field of information technology, and in particular to a perceptual security protection method, system and device based on a network port protection device.

Background Art

In today's highly networked society, network security has become an issue that no industry can ignore. Enterprises, government agencies and individual users alike face threats from cyberspace such as hacker attacks, virus propagation and data leakage. To respond to these threats effectively and protect key information assets, network security protection techniques keep evolving. Network ports, as the interfaces through which network devices communicate with the outside world, are one such potential security weakness: many network attacks are carried out through network ports that are left unblocked or are poorly managed.

At present, idle network ports are protected mainly by manual blocking, which has several shortcomings:

1. Hard to manage: in a large network, blocking every idle port by hand is a tedious and time-consuming task that is difficult to manage effectively.

2. Inflexible: as the network topology and requirements change, so does the use of each port. Manual blocking cannot keep up with these changes, which may waste resources or leave security gaps.

3. Hard to track and audit: manual blocking is difficult to track and audit, so the blocking and opening of ports cannot be recorded accurately, which creates challenges for security management and compliance.

Summary of the Invention

The present invention aims to provide a perceptual security protection method based on a network port protection device, to solve the technical problem of how to manage network port protection devices automatically and thereby achieve the technical effect of improving network security protection capability.

To solve the above technical problem, an embodiment of the present invention provides a perceptual security protection method based on a network port protection device, applied in a network topology to which a network port protection device is connected, and including the following steps:

obtaining the level parameters of the network transmission event currently carried by the network port, wherein the level parameters include an event confidentiality level, an event time level and an event personnel level;

predicting the network attack risk level faced by the network transmission event from the confidentiality level using the risk matrix method, and determining the corresponding network port blocking granularity scheme according to the network attack risk level;

adjusting the port communication strategy of the network topology with a 0-1 integer programming method based on the event time level and the event personnel level;

analyzing the network port blocking granularity scheme and the port communication strategy;

controlling the network port protection device to receive the analysis result and block the network ports to be blocked, and obtaining in real time the position distribution and device parameters of the network port protection devices in the network topology, as well as the traffic characteristics and behavior characteristics of the network ports to be blocked;

constructing a multi-level network port blocking model from the position distribution, the device parameters, the traffic characteristics and the behavior characteristics;

during actual security protection, feeding the network port transmission event data detected in real time into the multi-level network port blocking model, and determining the corresponding blocking strategy from the output of the multi-level network port blocking model.

As one preferred solution, after determining the corresponding network port blocking granularity scheme according to the network attack risk level, the method further includes:

obtaining historical attack information, and extracting from it a decision attribute set that influences the choice of blocking granularity;

comparing the decision attributes of the decision attribute set pairwise by importance using the analytic hierarchy process (AHP), to obtain the weight of each decision attribute in the decision attribute set;

quantifying each decision attribute in the decision attribute set, constructing a fuzzy evaluation matrix from the quantified values and the corresponding weights, and obtaining the comprehensive evaluation membership of each region of the fuzzy evaluation matrix through a fuzzy matrix composition operation;

optimizing the network port blocking granularity scheme according to the comprehensive evaluation membership.

As one preferred solution, adjusting the port communication strategy of the network topology of the network transmission event with a 0-1 integer programming method based on the event time level and the event personnel level includes:

extracting the traffic metrics of each communication port in the network topology, and constructing a port cascade matrix through correlation analysis and statistical modeling of the traffic metrics, wherein the port cascade matrix reflects the strength of the dependency between ports;

establishing a 0-1 integer programming model with the port as the basic unit, subject to the port dependency constraints of the port cascade matrix, the constraints of the event time level and the constraints of the event personnel level;

solving the 0-1 integer programming model, and configuring the port communication strategy according to the optimal solution obtained.

As one preferred solution, the network port protection device includes an electronic security lock and an electronic key.

As one preferred solution, constructing the multi-level network port blocking model from the position distribution, the device parameters, the real-time traffic characteristics and the real-time behavior characteristics includes:

fusing the position distribution, device parameters, traffic characteristics and behavior characteristics and constructing the multi-level network port blocking model with a support vector machine algorithm, wherein the multi-level network port blocking model includes an aggregation layer model, an access layer model and a core layer model; the aggregation layer model monitors the frequency of outbound connections from each source IP, the access layer model monitors the number of sensitive-port scans against each destination IP, and the core layer model monitors the magnitude of sudden increases in traffic crossing network segments.

As one preferred solution, the network port transmission event data includes network port transmission event data at the network level, and the blocking strategy includes discarding; then feeding the network port transmission event data detected in real time into the multi-level network port blocking model and determining the corresponding blocking strategy from its output includes:

judging whether the network port transmission event data at each network level is abnormal, and setting, according to the result, a dynamic threshold matched to the link bandwidth and the processing capacity of the device;

when the multi-level network port blocking model detects that the magnitude of the network-level network port transmission event data exceeds the dynamic threshold, identifying that network port transmission event data as malicious traffic data and discarding it.

As one preferred solution, feeding the network port transmission event data detected in real time into the multi-level network port blocking model and determining the corresponding blocking strategy from its output further includes:

obtaining, by correlating traffic probes with logs, the malicious traffic data blocked by the network port protection devices at each network level and the task coordination data generated while that malicious traffic data is handled;

identifying and classifying the malicious traffic data with a signature-based intrusion detection system (IDS) to obtain blocking effect data;

optimizing the blocking strategy based on the task coordination data and the blocking effect data.

As one preferred solution, optimizing the multi-level network port blocking model based on the task coordination data and the blocking effect data includes:

applying a Q-learning reinforcement learning algorithm to the task coordination data and the blocking effect data, with reward values guiding the optimization of the multi-level network port blocking model;

adjusting the blocking strategy of each level according to the optimized multi-level network port blocking model.

As one preferred solution, if the multi-level network port blocking model detects an abnormal event on a blocking device, a standby device is switched in quickly by traffic mirroring and session persistence, the emergency response process is started, and traffic limiting and session migration are carried out according to the severity of the abnormal event.

Another embodiment of the present invention provides a perceptual security protection system based on a network port protection device, applied in a network topology to which a network port protection device is connected, and including the following modules:

an acquisition module, configured to obtain the level parameters of the network transmission event currently carried by the network port, wherein the level parameters include an event confidentiality level, an event time level and an event personnel level;

a planning module, configured to predict the network attack risk level faced by the network transmission event from the confidentiality level using the risk matrix method, and to determine the corresponding network port blocking granularity scheme according to the network attack risk level;

an adjustment module, configured to adjust the port communication strategy of the network topology of the network transmission event with a 0-1 integer programming method based on the event time level and the event personnel level;

a blocking module, configured to control the network port protection device to block the network ports to be blocked according to the network port blocking granularity scheme and the port communication strategy, and to obtain in real time the position distribution and device parameters of the network port protection devices in the network topology as well as the traffic characteristics and behavior characteristics of the network ports to be blocked;

a construction module, configured to construct a multi-level network port blocking model from the position distribution, the device parameters, the traffic characteristics and the behavior characteristics;

an output module, configured to feed, during actual security protection, the network port transmission event data detected in real time into the multi-level network port blocking model and to determine the corresponding blocking strategy from the output of the multi-level network port blocking model.

As one preferred solution, the planning module is further configured to:

obtain historical attack information, and extract from it a decision attribute set that influences the choice of blocking granularity;

compare the decision attributes of the decision attribute set pairwise by importance using the analytic hierarchy process (AHP), to obtain the weight of each decision attribute in the decision attribute set;

quantify each decision attribute in the decision attribute set, construct a fuzzy evaluation matrix from the quantified values and the corresponding weights, and obtain the comprehensive evaluation membership of each region of the fuzzy evaluation matrix through a fuzzy matrix composition operation;

optimize the network port blocking granularity scheme according to the comprehensive evaluation membership.

As one preferred solution, the adjustment module is specifically configured to:

extract the traffic metrics of each communication port in the network topology, and construct a port cascade matrix through correlation analysis and statistical modeling of the traffic metrics, wherein the port cascade matrix reflects the strength of the dependency between ports;

establish a 0-1 integer programming model with the port as the basic unit, subject to the port dependency constraints of the port cascade matrix, the constraints of the event time level and the constraints of the event personnel level;

solve the 0-1 integer programming model, and configure the port communication strategy according to the optimal solution obtained.
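The 0-1 integer programme described for the adjustment module (and for the same method step in the summary above) is stated in the patent only as a set of constraints. The following is an added worked example, not the patent's own code: a small port cascade matrix, port values, the dependency cut-off and the mapping of the event time level and event personnel level to constraints are all constructed assumptions, and the solver is plain enumeration, which is adequate for a handful of ports and shows exactly which assignments the constraints rule out.

```python
# Added example (not the patent's own code): the 0-1 integer programme for the
# port communication strategy, solved by exhaustive enumeration over a handful
# of ports. The cascade matrix, port values, dependency cut-off and the mapping
# of the event time level and event personnel level to constraints are all
# constructed assumptions; the page names these inputs but gives no values.
from itertools import product

DEP_THRESHOLD = 0.6  # assumed: a cascade entry at or above this becomes a hard dependency

# Constructed sample: CASCADE[i][j] is the strength with which port j depends on port i.
PORTS = ["p0", "p1", "p2", "p3", "p4"]
CASCADE = [
    [0.0, 0.8, 0.1, 0.0, 0.0],
    [0.0, 0.0, 0.7, 0.0, 0.0],
    [0.0, 0.0, 0.0, 0.0, 0.0],
    [0.0, 0.0, 0.0, 0.0, 0.9],
    [0.0, 0.0, 0.0, 0.0, 0.0],
]
VALUE = [5, 4, 3, 2, 1]  # constructed business value of keeping each port open


def dependency_constraints(cascade, threshold=DEP_THRESHOLD):
    """Pairs (i, j) meaning: port j may be open only if port i is open."""
    n = len(cascade)
    return [(i, j) for i in range(n) for j in range(n)
            if i != j and cascade[i][j] >= threshold]


def level_constraints(time_level, personnel_level, n_ports):
    """Assumed mapping of the two event levels (1 = least restrictive, 3 = most)
    to (a) the maximum number of ports that may stay open and (b) the set of
    port indices that must be closed outright."""
    max_open = {1: n_ports, 2: max(1, n_ports - 1), 3: max(1, n_ports // 2)}[time_level]
    # Lower clearance closes the highest-value ports first (ports are listed by value).
    must_close = set(range({1: 0, 2: 1, 3: 2}[personnel_level]))
    return max_open, must_close


def solve_port_policy(cascade, value, time_level, personnel_level):
    """Enumerate every 0-1 vector x (1 = open) and keep the feasible one with the
    largest total value. Exhaustive search is fine for roughly n <= 15 ports."""
    n = len(value)
    deps = dependency_constraints(cascade)
    max_open, must_close = level_constraints(time_level, personnel_level, n)
    best, best_value = None, -1
    for x in product((0, 1), repeat=n):
        if sum(x) > max_open:
            continue
        if any(x[j] for j in must_close):
            continue
        # A dependent port may not be open while the port it depends on is closed.
        if any(x[j] > x[i] for i, j in deps):
            continue
        total = sum(v for v, xi in zip(value, x) if xi)
        if total > best_value:
            best, best_value = x, total
    return best, best_value


def port_policy(cascade, value, time_level, personnel_level, ports=PORTS):
    """Turn the optimal solution into the per-port communication strategy."""
    x, _ = solve_port_policy(cascade, value, time_level, personnel_level)
    return {name: ("open" if xi else "closed") for name, xi in zip(ports, x)}


if __name__ == "__main__":
    for t, p in ((1, 1), (2, 1), (3, 2)):
        print(f"time level {t}, personnel level {p}:", port_policy(CASCADE, VALUE, t, p))
```

With the constructed matrix, p1 depends on p0 and p2 on p1, so a personnel level that forces p0 closed cascades into closing p1 and p2 as well; that is the behaviour the dependency constraint is meant to enforce, and it is why the patent derives the cascade matrix from traffic correlation rather than from the port list alone. For a real topology the enumeration would be replaced by a MILP solver with the same constraints.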

As one preferred solution, the construction module is specifically configured to:

fuse the position distribution, device parameters, traffic characteristics and behavior characteristics and construct the multi-level network port blocking model with a support vector machine algorithm, wherein the multi-level network port blocking model includes an aggregation layer model, an access layer model and a core layer model; the aggregation layer model monitors the frequency of outbound connections from each source IP, the access layer model monitors the number of sensitive-port scans against each destination IP, and the core layer model monitors the magnitude of sudden increases in traffic crossing network segments.
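The three layer models are defined by the signal each one watches, but the patent does not say how those signals are computed from traffic. The following added example (not the patent's own code) extracts the three features from a constructed set of flow records: the window length, the internal address ranges, the sensitive-port list and the flow records themselves are assumptions. The per-window feature set it produces is what one would hand to an SVM classifier such as scikit-learn's `SVC`; the classifier itself is left out so the block runs with the standard library only.

```python
# Added example (not the patent's own code): feature extraction for the three
# layer models the claims describe. The page names the three signals but not how
# to compute them, so the window length, internal address ranges, sensitive
# port list and the flow records below are constructed assumptions. The output
# is the per-window feature set one would hand to an SVM classifier (for
# instance scikit-learn's SVC), which is deliberately not included here.
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed
SENSITIVE_PORTS = {22, 23, 445, 3389}  # assumed watch-list
WINDOW = 60  # seconds per window, assumed

# Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port, bytes)
FLOWS = [
    (0,   "10.0.1.5", "203.0.113.7",  443,  1200),
    (5,   "10.0.1.5", "198.51.100.2", 443,   800),
    (9,   "10.0.1.5", "203.0.113.9",   80,   300),
    (12,  "10.0.2.8", "10.0.1.20",     22,   100),
    (13,  "10.0.2.8", "10.0.1.20",    445,   100),
    (14,  "10.0.2.8", "10.0.1.20",   3389,   100),
    (20,  "10.0.1.5", "192.168.5.4",   80,  5000),
    (70,  "10.0.1.5", "192.168.5.4",   80,  5000),
    (130, "10.0.1.5", "192.168.5.4",   80, 40000),
]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def segment(ip):
    """Assumed segment identity: the /24 that contains the address."""
    return str(ip_network(f"{ip}/24", strict=False))


def external_connection_frequency(flows, window=WINDOW):
    """Aggregation layer signal: outbound connections per source IP per window."""
    freq = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, _port, _nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            freq[src][ts // window] += 1
    return {src: dict(w) for src, w in freq.items()}


def sensitive_port_scan_count(flows, window=WINDOW):
    """Access layer signal: distinct sensitive ports probed per destination IP per window."""
    seen = defaultdict(lambda: defaultdict(set))
    for ts, _src, dst, port, _nbytes in flows:
        if port in SENSITIVE_PORTS:
            seen[dst][ts // window].add(port)
    return {dst: {w: len(ports) for w, ports in ws.items()} for dst, ws in seen.items()}


def cross_segment_surge(flows, window=WINDOW):
    """Core layer signal: bytes crossing internal segments per window, and the
    ratio of the latest window to the mean of the earlier ones (surge magnitude)."""
    per_window = defaultdict(int)
    for ts, src, dst, _port, nbytes in flows:
        if is_internal(src) and is_internal(dst) and segment(src) != segment(dst):
            per_window[ts // window] += nbytes
    per_window = dict(per_window)
    if len(per_window) < 2:
        return per_window, 1.0
    order = sorted(per_window)
    latest = per_window[order[-1]]
    baseline = sum(per_window[w] for w in order[:-1]) / (len(order) - 1)
    return per_window, (latest / baseline if baseline else float("inf"))


def layer_features(flows):
    """Bundle the three signals, one entry per layer model."""
    return {
        "aggregation": external_connection_frequency(flows),
        "access": sensitive_port_scan_count(flows),
        "core": cross_segment_surge(flows),
    }


if __name__ == "__main__":
    for layer, feats in layer_features(FLOWS).items():
        print(layer, feats)
```

On the constructed records the access-layer feature shows three distinct sensitive ports touched on 10.0.1.20 within one window, and the core-layer feature shows the third window carrying roughly 7.8 times the mean cross-segment volume of the earlier two; those are the kinds of values a trained model would be thresholding. The segment definition (a /24) is the most site-specific assumption here and should be replaced by the real VLAN or subnet plan.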

As one preferred solution, the network port transmission event data includes network port transmission event data at the network level, and the blocking strategy includes discarding; then the output module is specifically configured to:

judge whether the network port transmission event data at each network level is abnormal, and set, according to the result, a dynamic threshold matched to the link bandwidth and the processing capacity of the device;

when the multi-level network port blocking model detects that the magnitude of the network-level network port transmission event data exceeds the dynamic threshold, identify that network port transmission event data as malicious traffic data and discard it.
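The claim requires a threshold "matched to the link bandwidth and the processing capacity of the device" without saying how the match is made. The following added example (not the patent's own code) takes one defensible reading: the threshold is the smaller of a statistical bound on the observed rate and a capacity bound derived from the link and device ratings, so a statistically normal burst is still dropped if it would exceed what the device can process. The per-layer capacities, the headroom factor, the sigma multiplier and the sample rates are constructed assumptions.

```python
# Added example (not the patent's own code): a dynamic discard threshold of the
# kind the claims describe. The page says the threshold must match link bandwidth
# and device processing capacity but not how; here it is the smaller of a
# statistical bound (baseline mean plus k standard deviations of observed
# bytes/s) and a capacity bound (a headroom fraction of the link's bytes/s or
# of the device's packets/s rating times the average packet size). All numbers
# below are constructed.
from statistics import mean, pstdev

# Constructed per-layer capacities: (link_mbps, device_pps, avg_packet_bytes)
LAYER_PARAMS = {
    "access":      (100,    20_000,    600),
    "aggregation": (1_000,  200_000,   600),
    "core":        (10_000, 2_000_000, 600),
}


def capacity_bound(link_mbps, device_pps, avg_packet_bytes, headroom=0.8):
    """Bytes/s the layer can carry without saturating the link or the device;
    headroom (assumed 80 %) keeps the threshold below the hardware limit."""
    link_bps = link_mbps * 1_000_000 / 8
    device_bps = device_pps * avg_packet_bytes
    return headroom * min(link_bps, device_bps)


def dynamic_threshold(baseline, link_mbps, device_pps, avg_packet_bytes, k=3.0):
    """Threshold in bytes/s: mean + k*sigma of the baseline, capped by capacity."""
    stat_bound = mean(baseline) + k * pstdev(baseline)
    return min(stat_bound, capacity_bound(link_mbps, device_pps, avg_packet_bytes))


def classify(samples, threshold):
    """Label each observed bytes/s sample: 'drop' above the threshold, else 'forward'."""
    return [(s, "drop" if s > threshold else "forward") for s in samples]


def decide_layers(baselines, observations, params=LAYER_PARAMS):
    """Per layer: derive the threshold from that layer's baseline and capacity,
    then label that layer's current observations."""
    decisions = {}
    for layer, (link_mbps, device_pps, avg_pkt) in params.items():
        thr = dynamic_threshold(baselines[layer], link_mbps, device_pps, avg_pkt)
        decisions[layer] = classify(observations[layer], thr)
    return decisions


if __name__ == "__main__":
    baseline = [100_000, 120_000, 110_000, 130_000, 90_000]  # constructed bytes/s history
    observed = [100_000, 150_000, 200_000]
    print(decide_layers({layer: baseline for layer in LAYER_PARAMS},
                        {layer: observed for layer in LAYER_PARAMS}))
```

With the constructed baseline the statistical bound is about 152 kB/s, so a 200 kB/s sample is dropped; with a much weaker device (for instance 200 packets/s) the capacity bound of 96 kB/s takes over and becomes the effective threshold, which is the "matched to device processing capacity" behaviour the claim asks for. The headroom and sigma multiplier are the two knobs an operator would tune against false-positive drops.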

As one preferred solution, the output module is specifically configured to:

obtain, by correlating traffic probes with logs, the malicious traffic data blocked by the network blocking devices at each network level and the task coordination data generated while that malicious traffic data is handled;

identify and classify the malicious traffic data with a signature-based intrusion detection system (IDS) to obtain blocking effect data;

optimize the blocking strategy based on the task coordination data and the blocking effect data.

As one preferred solution, the output module is further specifically configured to:

apply a Q-learning reinforcement learning algorithm to the task coordination data and the blocking effect data, with reward values guiding the optimization of the multi-level network port blocking model;

adjust the blocking strategy of each level according to the optimized multi-level network port blocking model.

As one preferred solution, the output module is further specifically configured to:

if the multi-level network port blocking model detects an abnormal event on a blocking device, switch in a standby device quickly by traffic mirroring and session persistence, start the emergency response process, and carry out traffic limiting and session migration according to the severity of the abnormal event.

Yet another embodiment of the present invention provides a perceptual security protection device based on a network port protection device, including a processor, a memory, and a computer program stored in the memory and configured to be executed by the processor, wherein the processor, when executing the computer program, implements the perceptual security protection method based on a network port protection device described above.

A further embodiment of the present invention provides a computer-readable storage medium storing a computer program, wherein, when the device hosting the computer-readable storage medium executes the computer program, the perceptual security protection method based on a network port protection device described above is implemented.

Compared with the prior art, the embodiments of the present invention have at least one of the following beneficial effects:

(1) The security protection scheme based on a network port protection device proposed by the present invention can effectively prevent unauthorized devices from joining the network through a network port, reducing the risk of illegal intrusion into the network; by blocking unused network ports, the possibility of data leaking through those ports is reduced, protecting sensitive information in the network from theft.

(2) For organizations with a large number of network devices, the scheme of the present invention greatly reduces the workload of blocking network ports by hand through the use of network port protection devices, improving management efficiency.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic flow chart of the perceptual security protection method based on a network port protection device in one embodiment of the present invention;

FIG. 2 is a schematic structural diagram of the electronic security lock of the network port protection device in one embodiment of the present invention before it is inserted into a physical network port;

FIG. 3 is a schematic structural diagram of the electronic security lock of the network port protection device in one embodiment of the present invention while it is being inserted into a physical network port;

FIG. 4 is a schematic structural diagram of the electronic security lock of the network port protection device in one embodiment of the present invention after it has been inserted into a physical network port;

FIG. 5 is a schematic diagram of the principle of the wiring-sequence recognition based sensing technique of the network port protection device in one embodiment of the present invention;

FIG. 6 is a schematic structural diagram of the perceptual security protection system based on a network port protection device in one embodiment of the present invention;

FIG. 7 is a schematic diagram of the perceptual security protection device based on a network port protection device in one embodiment of the present invention.

DETAILED DESCRIPTION

The technical solutions in the embodiments of the present invention will now be described clearly and completely with reference to the drawings. Obviously, the embodiments described are only some of the embodiments of the present invention, not all of them; they are provided so that the disclosure of the present invention is more thorough and complete. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.

In the description of this application, the terms "first", "second", "third", etc. are used for descriptive purposes only and are not to be understood as indicating or implying relative importance or implicitly indicating the number of the technical features referred to. Thus, a feature qualified by "first", "second", "third", etc. may explicitly or implicitly include one or more such features. In the description of this application, unless otherwise stated, "a plurality of" means two or more.

In the description of this application, it should be noted that, unless otherwise expressly specified and limited, the terms "mounted", "connected" and "coupled" are to be understood broadly: for example, a fixed connection, a detachable connection or an integral connection; a mechanical or an electrical connection; a direct connection, an indirect connection through an intermediate medium, or an internal communication between two elements. The terms "vertical", "horizontal", "left", "right", "upper", "lower" and similar expressions used herein are for illustration only and do not indicate or imply that the device or element referred to must have a particular orientation or be constructed and operated in a particular orientation, and therefore are not to be understood as limiting the present invention. The term "and/or" used herein includes any and all combinations of one or more of the associated listed items. A person of ordinary skill in the art can understand the specific meaning of the above terms in this application according to the circumstances.

In the description of this application, it should be noted that, unless otherwise defined, all technical and scientific terms used in the present invention have the same meaning as commonly understood by those skilled in the technical field to which the present invention belongs. The terms used in the specification of the present invention are only for the purpose of describing specific embodiments and are not intended to limit the present invention; a person of ordinary skill in the art can understand their specific meaning in this application according to the circumstances.

An embodiment of the present invention provides a perceptual security protection method based on a network port protection device. Specifically, referring to FIG. 1, it includes steps S1 to S7:

S1. Obtaining the level parameters of the network transmission event currently carried by the network port, wherein the level parameters include an event confidentiality level, an event time level and an event personnel level;

S2. Predicting the network attack risk level faced by the network transmission event from the confidentiality level using the risk matrix method, and determining the corresponding network port blocking granularity scheme according to the network attack risk level;

Specifically, according to the confidentiality level of the network transmission event, the risk assessment matrix method is used to analyze and quantify risk along two dimensions, the likelihood that a network attack occurs and the severity of its impact if it succeeds, giving the network attack risk level faced by each task space region. Network transmission events include the network work tasks of daily operations.

For example, the risk assessment matrix method is as follows:

First, attack likelihood and impact severity are each divided into five levels, such as "very low, low, medium, high, very high", and assigned the corresponding numerical weights 1 to 5;

Then, for the specific business scenario, historical security event data is collected, the frequency of each kind of attack and the extent of the losses it caused are counted, and the values of the matrix cells are filled in. For example, for a certain critical core system, the probability of a DDoS attack is "high" (value 4), and once successful it can paralyse the system completely, so the impact severity is "very high" (value 5). With the risk value R = probability of occurrence P × impact severity I, the risk value of this attack is 4*5=20, which belongs to the high risk level.
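As an added illustration of the matrix method, not part of the patent text: the code below turns constructed historical event records into likelihood and impact levels, computes R = P × I and reports the highest-risk attack per task space area, which is the per-area result the method above produces. Only the five-level scales and the rule R = P × I come from the text; the frequency thresholds that map a yearly event count to a likelihood level, the band boundaries (chosen so that 4*5=20 is "high", as in the DDoS example) and the event records are constructed assumptions.

```python
"""Risk assessment matrix (R = P x I) over constructed historical event records.

Added example, not from the patent. The 1..5 scales and R = P x I follow the
text; the frequency thresholds, band boundaries and records are constructed.
"""

LEVELS = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}

# Constructed historical security event records: task space area, attack type,
# observed events per year, and the assessed impact of a successful attack.
RECORDS = [
    {"area": "core", "attack": "DDoS", "events_per_year": 6, "impact": "very high"},
    {"area": "core", "attack": "credential stuffing", "events_per_year": 1, "impact": "high"},
    {"area": "office", "attack": "phishing", "events_per_year": 3, "impact": "low"},
    {"area": "office", "attack": "malware", "events_per_year": 2, "impact": "medium"},
    {"area": "dmz", "attack": "web scanning", "events_per_year": 40, "impact": "very low"},
]


def likelihood_level(events_per_year: int) -> int:
    """Map an observed yearly frequency to the 1..5 likelihood scale.
    Thresholds are constructed for this example (6 per year -> "high" = 4)."""
    if events_per_year == 0:
        return LEVELS["very low"]
    if events_per_year <= 1:
        return LEVELS["low"]
    if events_per_year <= 4:
        return LEVELS["medium"]
    if events_per_year <= 12:
        return LEVELS["high"]
    return LEVELS["very high"]


def risk_value(p: int, i: int) -> int:
    """R = P x I on the 5x5 matrix, so R ranges from 1 to 25."""
    assert 1 <= p <= 5 and 1 <= i <= 5
    return p * i


def risk_band(r: int) -> str:
    """Constructed band boundaries: 4*5=20 lands in "high", as in the text."""
    if r <= 4:
        return "low"
    if r <= 12:
        return "medium"
    return "high"


def area_risk(records):
    """Per task space area, the attack with the largest R, its band and its name."""
    result = {}
    for rec in records:
        p = likelihood_level(rec["events_per_year"])
        i = LEVELS[rec["impact"]]
        r = risk_value(p, i)
        current = result.get(rec["area"])
        if current is None or r > current[0]:
            result[rec["area"]] = (r, risk_band(r), rec["attack"])
    return result


if __name__ == "__main__":
    for area, (r, band, attack) in sorted(area_risk(RECORDS).items()):
        print(f"{area:7s} R={r:2d} ({band:6s}) driven by {attack}")
```

The per-area maximum is what feeds the blocking granularity choice in step S2; an area's level is driven by its worst cell, so a single high-frequency, high-impact attack type is enough to raise the whole area.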

In fuzzy comprehensive evaluation, attack cost, attack difficulty, number of vulnerable points and the like can be selected as evaluation indicators; a weight vector A=(0.3, 0.5, 0.2) is computed according to the importance of the indicators, each indicator is scored in turn to form a fuzzy matrix R, and finally the comprehensive membership is calculated by the matrix product B=AR. If the resulting value is 0.75, the area faces a relatively high level of security risk and requires special attention.

The decision tree algorithm can build a multi-layer tree structure based on classic models such as C4.5 and CART. Taking an SQL injection attack as an example, the root node can be set to "does an injection vulnerability exist", with child nodes "yes" and "no"; under the "yes" branch the tree is further subdivided by "deployment status of protective measures", and the leaf nodes may contain protective measures such as "WAF deployment, blacklist and whitelist configuration, code auditing". Recursing downward layer by layer yields a complete SQL injection defence decision tree.

When constructing the attack graph, logic programming languages such as ASP and BLP can be used to describe node attributes from asset information, node vulnerability status can be characterised with standards such as CVSS, undirected edges can be chosen according to common network connectivity, and directed edges can be established from the exploitation relationships recorded in vulnerability databases such as CVE. In security orchestration and automated response, a set of atomic response actions can be predefined, such as "block IP, lock account, terminate process", and standardised handling workflows designed for the different types of security incidents. When the intrusion detection system detects suspicious attack behaviour, the feature vector is matched against the decision tree model to identify the most likely attack path, the corresponding defensive orchestration is built automatically and sent to the security devices to perform the blocking; the whole process can be kept within 100 ms.

Furthermore, the risk level assessment results are mapped into the fuzzy comprehensive evaluation method, which handles the uncertainty of indicator weights and the subjectivity of the assessment process and so makes the risk assessment more scientific and reasonable.

Preferably, in an embodiment of the present invention, after the corresponding network port blocking granularity scheme is determined according to the network attack risk level in step S2, the method further includes:

S21. Obtain historical attack information, and extract from it the decision attribute set that affects the selection of the blocking granularity;

S22. Use the analytic hierarchy process to compare the decision attributes in the decision attribute set pairwise by importance, obtaining the weight of each decision attribute in the set;

S23. Quantify each decision attribute in the decision attribute set, construct a fuzzy evaluation matrix from the quantified values and the corresponding weights, and obtain the comprehensive evaluation membership of each region of the fuzzy evaluation matrix through a fuzzy matrix synthesis operation;

S24. Optimise the network port blocking granularity scheme according to the comprehensive evaluation membership.

Specifically, from the range of network segments controlled by the attacker, the source IP address ranges from which attacks may be launched are determined, and the network layer at which the attacker sits is judged by analysing the network-layer characteristics of the attack traffic. The attacker information is correlated with the risk assessment results, and multi-dimensional attributes such as attack source, network topology and business importance are considered together to form the decision attribute set that affects the selection of the blocking granularity.

The analytic hierarchy process is used to compare the decision attributes pairwise by importance and construct a judgement matrix. The largest eigenvalue of the judgement matrix and its eigenvector W=[w_1, w_2, …, w_n] are calculated and a consistency test is performed; the matrix passes the test according to the criterion CR=CI/RI<0.1, where CR is the consistency ratio, CI the consistency index and RI the random consistency index. This yields the weight distribution of the decision attributes.

The quantified values of the decision attributes and the weights form the fuzzy evaluation matrix R=[r_ij], where r_ij is the membership of the i-th region on the j-th attribute. Combined with the weight vector W obtained by the analytic hierarchy process, the comprehensive evaluation membership of each region is obtained through the fuzzy matrix synthesis operation B=W·R, R being the fuzzy evaluation matrix. On this basis, the weighted average method is used to further discriminate between regions whose memberships are close, forming a more reasonable blocking granularity strategy. According to the differentiating characteristics of each region, such as network structure complexity, system vulnerability distribution and business service type, corresponding blocking threshold conditions are set and the preliminary scheme is adjusted and optimised. For example, the blocking granularity can be increased appropriately in the core business area and reduced in the external service area; on the basis of a comprehensive assessment of protection effect and business impact, a more refined blocking strategy configuration is formulated.

For example, analysis of the source IP addresses and TTL values of the attack traffic showed that 90% of the malicious traffic came from three overseas address ranges; combined with global BGP routing topology data, the attackers were located mainly in the backbone layer of multinational carriers and controlled about 1,000 IP addresses. According to the risk assessment report, attacks from these address ranges could interrupt key business for more than 6 hours at an average loss of 1 million yuan per hour, so the risk level was "high risk". Under the internal security protection standard, strict IP-level blocking of these address ranges was initially decided. A 4*4 judgement matrix was built with the analytic hierarchy process, taking attack scale, attack capability, number of vulnerable points and asset importance as decision attributes, and the weight vector W=[0.48, 0.15, 0.29, 0.08] was computed; the consistency test passed with CR=0.021<0.1. Scoring produced the membership matrix of each region on the four attributes; the fuzzy weighted average synthesis operator B=W·R was applied, the entropy weight method was combined to further remove subjective bias, and the comprehensive memberships of the external area, DMZ, office area and core area were finally 0.83, 0.65, 0.41 and 0.27 respectively. The preliminary scheme was fine-tuned accordingly into a differentiated blocking strategy. Multi-source features of 30 types of security events were fused, 13 key feature subsets were selected with the isolation forest algorithm, and an attack tracing and evolution prediction model was built on a support vector machine with a confidence of 85%. A sliding window mechanism updated the model incrementally every day, shortening the response time for identifying attack variants to under 4 hours. After half a year of operational tuning, malicious traffic was blocked while the availability of key services stayed above 99.99%, achieving the dynamic defence goal of "strict blocking in high-risk areas, loose control in low-risk areas". In particular, if the risk level is high and the attacker controls a wide range of network segments, blocking is done at the network layer; if the risk level is low and the attacker controls only a single IP, blocking can be done at the transport layer.
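The weight derivation and the synthesis step used in the example above (steps S22 and S23, and the same B=AR computation of the earlier fuzzy comprehensive evaluation paragraph) as one added worked example, not the patent's own code: a pairwise comparison matrix over the four decision attributes named in the text is reduced to its principal eigenvector by power iteration, the consistency ratio CR=CI/RI is checked against 0.1, and the weighted-average operator then combines the weights with a region-by-attribute membership matrix R. The comparison matrix, the membership values and the region labels are constructed assumptions; the RI table is Saaty's standard random index.

```python
"""AHP weights with consistency check, then fuzzy synthesis B = W*R.

Added example, not from the patent. The procedure (judgement matrix ->
principal eigenvector -> CI, RI, CR < 0.1 -> weighted-average synthesis)
follows the text; the comparison matrix, the membership matrix R and the
region names are constructed assumptions.
"""

# Saaty's random consistency index RI by matrix order n (standard table)
RI = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}


def principal_eigenvector(matrix, iterations=200):
    """Power iteration on a positive reciprocal matrix.
    Returns (w, lambda_max): w is the AHP weight vector W=[w_1,...,w_n]
    normalised to sum 1, lambda_max the largest eigenvalue."""
    n = len(matrix)
    w = [1.0 / n] * n
    for _ in range(iterations):
        v = [sum(matrix[r][c] * w[c] for c in range(n)) for r in range(n)]
        total = sum(v)
        w = [x / total for x in v]
    aw = [sum(matrix[r][c] * w[c] for c in range(n)) for r in range(n)]
    lambda_max = sum(aw[r] / w[r] for r in range(n)) / n
    return w, lambda_max


def consistency_ratio(matrix):
    """CR = CI / RI with CI = (lambda_max - n) / (n - 1); CR < 0.1 passes."""
    n = len(matrix)
    _, lambda_max = principal_eigenvector(matrix)
    ci = (lambda_max - n) / (n - 1)
    return ci / RI[n] if RI[n] else 0.0


def fuzzy_synthesis(weights, membership):
    """Weighted-average synthesis operator: for each region k,
    b_k = sum_j w_j * r_kj, where membership[k][j] is r_kj in [0, 1]."""
    return [sum(w * r for w, r in zip(weights, row)) for row in membership]


# Constructed pairwise comparison of the four decision attributes named in the
# text: attack scale, attack capability, number of vulnerable points, asset
# importance (a_ij = how much more important attribute i is than attribute j).
COMPARISON = [
    [1.0, 3.0, 2.0, 5.0],
    [1 / 3, 1.0, 1 / 2, 2.0],
    [1 / 2, 2.0, 1.0, 3.0],
    [1 / 5, 1 / 2, 1 / 3, 1.0],
]

# Constructed membership matrix R: one row per region, one column per attribute.
REGIONS = ["external", "dmz", "office", "core"]
MEMBERSHIP = [
    [0.9, 0.8, 0.7, 0.3],
    [0.7, 0.6, 0.7, 0.5],
    [0.4, 0.4, 0.5, 0.4],
    [0.2, 0.3, 0.3, 0.9],
]


def region_memberships(comparison=COMPARISON, membership=MEMBERSHIP):
    """Run the whole chain; refuse weights from an inconsistent judgement matrix."""
    cr = consistency_ratio(comparison)
    if cr >= 0.1:
        raise ValueError(f"judgement matrix inconsistent (CR={cr:.3f} >= 0.1)")
    weights, _ = principal_eigenvector(comparison)
    return dict(zip(REGIONS, fuzzy_synthesis(weights, membership)))


if __name__ == "__main__":
    w, lam = principal_eigenvector(COMPARISON)
    print("W =", [round(x, 3) for x in w], "CR =", round(consistency_ratio(COMPARISON), 3))
    for region, b in region_memberships().items():
        print(f"{region:8s} B = {b:.2f}")
```

A matrix that fails the CR test (for instance one whose judgements are cyclic: A more important than B, B than C, C than A) must be re-elicited rather than used, because the weights it yields are arbitrary; that is why the gate sits in front of the synthesis step rather than after it.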

Specifically, from the risk assessment report and the attack tracing analysis, the security risk level faced by each area and the range of network segments controlled by the attacker are obtained. With reference to the STRIDE threat modelling framework, a multi-indicator risk quantification system is designed along the dimensions of attack likelihood and attack impact, converting qualitative risk descriptions into measurable risk values and network segment coverage data. Network topology discovery and asset mapping tools count the online devices, open ports and vulnerability distribution in each area in real time, and this asset information is mapped onto the risk assessment results to provide a basis for refining the blocking granularity. Traffic mirroring and packet parsing extract the protocol characteristics and port distribution of the attack traffic, with attention to common application layer attacks carried over TCP/UDP, such as SQL injection, remote code execution and denial of service. If the attacker is found to control only a single IP address and to attack mainly through a specific application layer protocol, blocking at the transport layer is preferred, preventing the attack by restricting communication between the suspicious IP and the target port. DPI devices are deployed at the network egress and, for areas with a high risk level and a wide attacking segment range, ACL policies are configured that drop all traffic from the suspicious segments on the basis of source IP address and CIDR rules, achieving relatively coarse-grained network layer blocking.

For areas with a lower risk level and a limited number of controllable IPs, a five-tuple security policy is applied on the core switch or border router, filtering traffic on multi-dimensional conditions such as source and destination IP, port and protocol to achieve finer transport layer blocking. ACL configuration and management is simpler, but its granularity is coarser and it easily causes over-blocking, whereas the five-tuple policy has more complex rules but controls traffic more precisely and reduces collateral blocking; the two blocking methods therefore need to be chosen and combined flexibly according to the actual scenario and protection needs.

To improve the flexibility and precision of blocking, an SDN controller is introduced to adjust the blocking strategy dynamically. The controller monitors network traffic and host behaviour in real time, identifies suspicious traffic patterns and attack events, and evaluates the attack risk dynamically together with the latest threat intelligence; based on the evaluation it automatically generates and optimises the blocking strategy and adjusts where the strategy is placed and how far it applies, achieving dynamic optimisation of the blocking granularity.

S3. Based on the event time level and the event personnel level, adjust the port communication strategy in the network topology using a 0-1 integer programming method;

Preferably, in an embodiment of the present invention, adjusting the port communication strategy in the network topology of the network transmission event based on the event time level and the event personnel level using a 0-1 integer programming method includes:

S31. Extract the traffic indicators of each communication port in the network topology, and construct a port cascade matrix by correlation analysis and statistical modelling of the traffic indicators, where the port cascade matrix reflects the dependency strength between the ports;

S32. Establish a 0-1 integer programming model with ports as the basic unit, based on the port dependency constraints from the port cascade matrix, the constraint of the event time level and the constraint of the event personnel level;

S33. Solve the 0-1 integer programming model, and configure the port communication strategy according to the optimal solution obtained.

Specifically, the time requirement for task completion is quantified from the importance and urgency of the work task; combined with the communication pattern and frequency of the task, the key factors affecting end-to-end delay, such as link bandwidth, transmission distance and number of interactions, are analysed, and the delay constraint threshold for port selection is set accordingly. At the same time, the number of personnel involved in the task and their geographical distribution are counted to estimate the range of communication network segments to be covered. Deep network traffic analysis extracts the traffic indicators of each communication port in real time, such as packet size, packet interval and number of concurrent connections; correlation analysis and statistical modelling characterise the intrinsic relationships between ports in delay sensitivity, traffic pattern and functional coupling, and a port cascade matrix is constructed. The matrix measures the dependency strength between ports with quantitative indicators, for example protocol type similarity, traffic correlation coefficient and application co-occurrence frequency normalised to the interval 0-1; the larger the value, the closer the association.

On this basis, a 0-1 integer programming model with ports as the basic unit is established, defining:

the decision variable indicating whether port i is blocked, with the objective function set to minimise the protection efficiency loss, in the form:

, where represents the efficiency loss weight incurred by blocking port i.

The delay constraint and the coverage constraint are expressed as and respectively, where and denote the delay contribution and the coverage contribution of port i, and T and C are the corresponding constraint constants.

At the same time, a series of port dependency constraints is introduced according to the port cascade matrix, of the form:

, which means that when port j is blocked, port i must also be blocked.

The integer programming model is solved with the branch-and-bound algorithm by implicit enumeration; during the search, linear relaxation is used to evaluate a lower bound of the objective function quickly, prune infeasible solutions and speed up convergence. The approximate optimal solution finally obtained is the combination of key ports that satisfies the delay and coverage requirements while maximising the efficiency of network security protection.
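The model and the branch-and-bound search just described, as an added self-contained example (not the patent's own code; the text says its model was solved with Lingo): binary variables x_i say whether port i is blocked, the objective minimises the weighted efficiency loss Σ w_i x_i, and port dependency constraints x_i ≥ x_j are taken from a constructed cascade relation. The page does not spell out the form of the delay and coverage constraints, so this example assumes Σ d_i x_i ≤ T (blocking adds reroute delay that must stay within budget) and Σ c_i x_i ≥ C (the blocked set must reach a minimum protection coverage); the lower bound is the linear relaxation of the coverage constraint over the not-yet-decided ports. Port names, weights, thresholds and dependencies are constructed, and a brute-force solver is included only to check the search on this small instance.

```python
"""Port blocking as a 0-1 integer program, solved by branch and bound.

Added example, not from the patent. x_i in {0,1} blocks port i; minimise
sum(w_i x_i) subject to sum(d_i x_i) <= T, sum(c_i x_i) >= C (assumed forms
of the delay and coverage constraints) and x_i >= x_j dependencies.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Port:
    name: str
    loss: float      # w_i: efficiency loss when the port is blocked
    delay: float     # d_i: delay contribution of blocking the port
    coverage: float  # c_i: protection coverage gained by blocking it (> 0)


# Constructed instance. DEPS entries (i, j) mean x_i >= x_j: blocking 139
# (NetBIOS session) requires blocking 445 (SMB), and blocking 80 requires
# blocking 8080, otherwise the traffic merely shifts to the other port.
PORTS = [
    Port("80", 9, 1, 2), Port("443", 10, 1, 2), Port("22", 5, 1, 5),
    Port("23", 2, 0, 6), Port("139", 1, 0, 5), Port("445", 3, 1, 7),
    Port("3389", 4, 1, 6), Port("4444", 1, 0, 4), Port("8080", 4, 2, 3),
]
DEPS = [("445", "139"), ("8080", "80")]
MAX_DELAY = 3      # T
MIN_COVERAGE = 15  # C


def lp_cover_bound(need, free_ports):
    """Linear relaxation of the coverage constraint over the still-free ports:
    the cheapest fractional choice (0 <= x_i <= 1) that yields `need` more
    coverage. Dropping the other constraints keeps this a valid lower bound."""
    if need <= 0:
        return 0.0
    bound = 0.0
    for p in sorted(free_ports, key=lambda p: p.loss / p.coverage):
        take = min(1.0, need / p.coverage)
        bound += take * p.loss
        need -= take * p.coverage
        if need <= 1e-9:
            return bound
    return float("inf")  # even blocking every free port cannot reach C


def solve(ports, deps, max_delay, min_coverage):
    """Depth-first branch and bound. Returns (cost, [blocked names]) or None."""
    index = {p.name: k for k, p in enumerate(ports)}
    dep_idx = [(index[i], index[j]) for i, j in deps]
    best = {"cost": float("inf"), "x": None}

    def dfs(x, k, cost, delay, cov):
        # prune: delay budget exceeded, or a dependency already violated
        if delay > max_delay or any(x[j] == 1 and x[i] == 0 for i, j in dep_idx):
            return
        if cost + lp_cover_bound(min_coverage - cov, ports[k:]) >= best["cost"]:
            return  # bound cannot beat the incumbent, or coverage unreachable
        if k == len(ports):
            best["cost"], best["x"] = cost, list(x)
            return
        p = ports[k]
        x[k] = 1
        dfs(x, k + 1, cost + p.loss, delay + p.delay, cov + p.coverage)
        x[k] = 0
        dfs(x, k + 1, cost, delay, cov)
        x[k] = None

    dfs([None] * len(ports), 0, 0.0, 0.0, 0.0)
    if best["x"] is None:
        return None
    return best["cost"], [p.name for p, v in zip(ports, best["x"]) if v == 1]


def brute_force(ports, deps, max_delay, min_coverage):
    """Exhaustive check over all 2^n assignments, for small instances only."""
    index = {p.name: k for k, p in enumerate(ports)}
    best = None
    for x in product((0, 1), repeat=len(ports)):
        if any(x[index[j]] == 1 and x[index[i]] == 0 for i, j in deps):
            continue
        chosen = [p for p, v in zip(ports, x) if v]
        if sum(p.delay for p in chosen) > max_delay:
            continue
        if sum(p.coverage for p in chosen) < min_coverage:
            continue
        cost = sum(p.loss for p in chosen)
        if best is None or cost < best[0]:
            best = (cost, [p.name for p in chosen])
    return best


if __name__ == "__main__":
    print("with dependencies:   ", solve(PORTS, DEPS, MAX_DELAY, MIN_COVERAGE))
    print("without dependencies:", solve(PORTS, [], MAX_DELAY, MIN_COVERAGE))
```

On this instance the dependency constraint changes the answer: without it the cheapest feasible set is {23, 139, 4444}, but blocking 139 drags in 445, so the optimum becomes {139, 445, 4444} at a higher loss. That is exactly the behaviour the cascade matrix is meant to capture, since blocking one port of a coupled pair alone gives little protection.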

For tasks with extremely high real-time requirements, such as VoIP calls and online transactions, the communication delay tolerance is usually of the order of 100 ms, and attention must focus on the commonly used TCP/UDP application layer ports, such as HTTP port 80, HTTPS port 443 and RDP port 3389. For cross-regional collaboration, remote work and similar scenarios, personnel may be spread across several network segments such as headquarters, branches and mobile offices, and port selection must also take the network-layer connectivity requirements of protocols such as ICMP into account. Traffic control measures such as port mirroring and out-of-band detection continuously monitor the traffic trend of key ports; a machine-learning anomaly detection algorithm builds a dynamic baseline for port traffic and detects abnormal deviations in time. Once indicators such as port response delay and packet loss rate exceed their thresholds, the range of blocked ports is adjusted dynamically and the traffic of suspicious ports is restricted through mechanisms such as ACL and QoS, relieving congestion and guaranteeing the communication quality of core ports. Under the zero-trust security framework, the port blocking policy is issued uniformly by an independent policy control point; trusted identity authentication and dynamic authorisation provide fine-grained access control at port granularity and improve the consistency and auditability of the communication security policy. The policy control point configures port blocking policy templates according to the security requirements of each task and, with automated orchestration tools and workflow scripts, binds the constraint parameters in the template dynamically to environment variables such as task attributes and personnel attributes in the task management workflow, triggering real-time policy updates.

For example, take the operations and maintenance task of a key business system. Statistical analysis of historical work orders showed that the standard emergency response workflow takes 15 minutes on average from receiving the report to completing the response, and that the personnel involved are spread over 5 different subnets, including the network management centre, the equipment room and development and testing. The normal communication traffic of the business was collected in full through out-of-band mirroring and analysed for features, traffic statistics for 53 TCP/UDP ports were extracted, and the correlation strength between ports was computed along the dimensions of protocol semantics, traffic timing and destination port distribution using algorithms such as the Pearson correlation coefficient and the Jaccard similarity coefficient, producing a 53*53 port cascade matrix. On this basis, 150 binary decision variables described the blocking state of each port and a 0-1 integer programming model was built; the model was solved with the Lingo software, the optimal solution was found within 10 seconds, and 22 key ports were selected as blocking targets. For delay-sensitive applications such as VoIP calls and video conferencing, the RTP and RTCP port range was narrowed to 8000-10000 while ICMP traffic was opened to support physical link checks across network segments. In coordination with Zeek, the communication behaviour of key ports was monitored continuously against the historical traffic template of each port and an anomaly detection algorithm, abnormal traffic such as DDoS attacks was identified promptly, access control policies were issued automatically to rate-limit suspicious ports, and the restrictions were removed automatically once the anomaly stopped. iptables was used to record and analyse the access behaviour of typical ports such as TCP SYN and TCP ACK at fine granularity in order to evaluate the blocking effect and optimise the strategy. A Python script integrated the JSON file of the port blocking template with the REST interface of the task management tool, linking the security policy automatically to personnel behaviour.

Furthermore, according to the solution of the 0-1 integer programming model, the port blocking strategy is adjusted in real time, including blocking suspicious ports with priority to ensure that key business traffic passes first; if the task has high real-time requirements and a large number of participants, the blocking of dynamic and private ports is minimised.

With security orchestration and automation as the overall framework, the individual port security protection measures are coordinated. The SDN controller obtains the solution of the 0-1 integer programming model in real time, pushes the returned list of key ports dynamically to the security devices in the network and performs the automatic adjustment of the port blocking strategy, guaranteeing that key business ports have the highest priority. The blocking strategy for non-critical ports uses a risk-based dynamic threshold mechanism that adapts the blocking intensity to the threat score of the port and changes in its traffic pattern, balancing security and performance. Rules take the IF-THEN form with multi-dimensional combinations of conditions; the suspiciousness of each port is evaluated quantitatively and checked for anomalies.

Combined with global threat intelligence, similarity computation and anomaly scoring are performed on unknown or suspicious port traffic, and ports exceeding the preset threshold are automatically added to the key blocking targets. For delay-sensitive key business applications, the corresponding ports are identified and an exclusive priority resource pool is reserved for them in the blocking strategy. With quality-of-service mechanisms such as DiffServ and IntServ, key business flows are identified by port and their packets receive priority marking, dedicated queue scheduling and reserved bandwidth, improving end-to-end communication quality. When the number of task participants is large, a risk-adaptive identity authentication mechanism is introduced that adjusts the authentication strength dynamically according to factors such as how abnormal the user's behaviour is and the risk level of the operation. For exception ports opened to authorised legitimate users, identity confirmation and behaviour analysis minimise the additional overhead while keeping them secure, improving the user experience. A defence-in-depth architecture linking intrusion detection and protection synchronises the suspicious port information identified by each security device to the security information and event management system. The frequent itemset mining algorithms Apriori and FP-growth mine suspicious port combination patterns from large volumes of port access logs and build a threat intelligence graph; time series anomaly detection algorithms such as STL and SARIMA discover change points, periodic anomalies and similar patterns in the port traffic time series in time, achieving a multi-dimensional comprehensive assessment of port threats.

For example, analysis of the top 100 business application systems across the network found that 85% of key business uses well-known ports below 1024; the top 20 ports obtained from the 0-1 integer programming were taken as priority protection targets and a high-priority port group was created in the SDN controller. For the remaining non-critical ports, traffic statistics from the past 3 months were used with the Jenks natural breaks method to divide their anomaly scores into 5 levels; high-risk ports scoring level 4 or above were added dynamically to the key blocking list and the security administrator was notified for review. More than 40 multi-dimensional features of port access were extracted through log parsing, an anomaly detection model was built with the isolation forest algorithm, and suspicious ports were warned about in real time with an accuracy of 90%. For the Web service behind the Nginx proxy, TCP ports 80 and 443 were mapped to the DiffServ service classes EF and AF to guarantee low-latency forwarding of Web traffic, with link utilisation kept within 75%. LDAP was integrated for user authentication and PAM authorisation; FTP port 21 for developers and port 1521 for database administrators were added dynamically to the whitelist after two-factor authentication succeeded. At the same time, the Apriori algorithm mined the suspicious port combination {445, 4444, 4899} from one month of NIDS logs, the FP-growth algorithm built a frequent pattern tree, an early warning of the attacker's lateral movement was formed, and port threat intelligence was correlated automatically.
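The frequent itemset mining step above, as an added example that is not the patent's own code: each source host's set of destination ports is treated as one transaction, Apriori finds the port combinations seen on at least a minimum number of hosts, and the maximal frequent combinations that fall outside a business-port baseline are surfaced for analyst review. The log lines, the host and network addresses, the baseline {80, 443, 22} and the support threshold are constructed; the logs are built so that the page's example combination {445, 4444, 4899} is among them, and a second frequent combination {80, 443} shows why a baseline is needed to separate ordinary business patterns from suspicious ones.

```python
"""Frequent port-combination mining (Apriori) over a constructed port-access log.

Added example, not from the patent. Log lines, addresses, baseline and the
support threshold are constructed assumptions.
"""
from collections import defaultdict
from itertools import combinations

# Constructed log lines: "<timestamp> <src> -> <dst>:<dport>"
LOG = """\
2024-06-01T10:00:01 10.0.0.1 -> 10.0.1.7:80
2024-06-01T10:00:02 10.0.0.1 -> 10.0.1.7:443
2024-06-01T10:00:05 10.0.0.2 -> 10.0.1.7:80
2024-06-01T10:00:06 10.0.0.2 -> 10.0.1.7:443
2024-06-01T10:00:07 10.0.0.2 -> 10.0.1.9:22
2024-06-01T10:01:00 10.0.0.3 -> 10.0.1.7:80
2024-06-01T10:01:01 10.0.0.3 -> 10.0.1.7:443
2024-06-01T10:02:00 10.0.0.4 -> 10.0.1.20:445
2024-06-01T10:02:01 10.0.0.4 -> 10.0.1.20:4444
2024-06-01T10:02:02 10.0.0.4 -> 10.0.1.20:4899
2024-06-01T10:02:03 10.0.0.4 -> 10.0.1.7:80
2024-06-01T10:03:00 10.0.0.5 -> 10.0.1.21:445
2024-06-01T10:03:01 10.0.0.5 -> 10.0.1.21:4444
2024-06-01T10:03:02 10.0.0.5 -> 10.0.1.21:4899
2024-06-01T10:04:00 10.0.0.6 -> 10.0.1.22:445
2024-06-01T10:04:01 10.0.0.6 -> 10.0.1.22:4444
2024-06-01T10:04:02 10.0.0.6 -> 10.0.1.22:4899
2024-06-01T10:04:03 10.0.0.6 -> 10.0.1.7:443
2024-06-01T10:05:00 10.0.0.7 -> 10.0.1.9:22
2024-06-01T10:05:01 10.0.0.7 -> 10.0.1.7:80
2024-06-01T10:06:00 10.0.0.8 -> 10.0.1.7:443
"""

# Constructed baseline of ports used by legitimate business traffic.
BASELINE = frozenset({80, 443, 22})


def transactions(log_text):
    """Group the log by source host: one set of destination ports per host."""
    per_host = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, _arrow, dst = line.split()
        per_host[src].add(int(dst.rsplit(":", 1)[1]))
    return list(per_host.values())


def apriori(txns, min_support):
    """Return {itemset: support} for every port set present in >= min_support hosts."""
    support = lambda items: sum(1 for t in txns if items <= t)
    singles = {item for t in txns for item in t}
    current = {frozenset([i]) for i in singles if support(frozenset([i])) >= min_support}
    frequent = {s: support(s) for s in current}
    k = 2
    while current:
        # join step: merge two frequent (k-1)-sets into a k-set;
        # prune step: keep it only if all its (k-1)-subsets are frequent
        candidates = set()
        for a, b in combinations(list(current), 2):
            u = a | b
            if len(u) == k and all(frozenset(s) in current for s in combinations(u, k - 1)):
                candidates.add(u)
        current = {c for c in candidates if support(c) >= min_support}
        frequent.update({c: support(c) for c in current})
        k += 1
    return frequent


def maximal_suspicious(frequent, baseline):
    """Maximal frequent port sets (not contained in a larger frequent set) of size
    >= 2 that are not fully explained by the business baseline."""
    maximal = [s for s in frequent if not any(s < other for other in frequent)]
    return sorted((s for s in maximal if len(s) >= 2 and not s <= baseline),
                  key=lambda s: sorted(s))


if __name__ == "__main__":
    freq = apriori(transactions(LOG), min_support=3)
    for combo in maximal_suspicious(freq, BASELINE):
        print("suspicious port combination:", sorted(combo), "on", freq[combo], "hosts")
```

The support threshold is the main tuning knob: too low and every idle host pair becomes a pattern, too high and a small set of hosts probing the same services is missed. Mining per source host, rather than per flow, is what makes the combination visible at all, since each individual connection to 445, 4444 or 4899 looks unremarkable on its own.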

S4、根据所述封堵网口粒度方案和所述端口通信策略控制所述网口防护装置对待封堵网口进行封堵,并分别获取所述网口防护装置在所述网络拓扑中的位置分布、设备参数、所述待封堵网口的实时流量特征和实时行为特征;S4, controlling the network port protection device to block the network port to be blocked according to the blocking network port granularity scheme and the port communication strategy, and respectively obtaining the location distribution, device parameters, real-time traffic characteristics and real-time behavior characteristics of the network port to be blocked of the network port protection device in the network topology;

Specifically, the blocking granularity scheme specifies the level of detail at which network ports are restricted or blocked, and the port communication policy defines which ports should be allowed or denied. Based on the blocking granularity scheme and the port control policy obtained in steps S2 and S3, a control signal is sent to the network port protection device, and the control signal makes the device block the network ports to be blocked.

Preferably, in an embodiment of the present invention, the network port protection device comprises an electronic safety lock and an electronic key.

The network port protection device is shown in Figures 2, 3 and 4. Figure 2 is a schematic structural diagram of the electronic safety lock of the network port protection device of the present invention before insertion into a physical network port, Figure 3 is a schematic structural diagram of the electronic safety lock of the network port protection device of the present invention before insertion into a physical network port, and Figure 4 is a schematic structural diagram of the electronic safety lock of the network port protection device of the present invention after insertion into a physical network port. The device consists of an electronic safety lock and an electronic key. The electronic safety lock uses an anti-reverse-insertion layout; once it is inserted into a physical network port, its iron core automatically springs out and locks, and in the locked state the lock cannot be pulled out, which implements the locking function of the device. The electronic key uses an authorized-unlocking design: after it is connected to the electronic safety lock it is matched against an identity authentication key, and once the identity match succeeds it drives the deformation of a memory-alloy spring that moves the iron core up and down, implementing the unlocking function of the device.

To enable perception of the network port protection device, the line-sequence-recognition-based perception technology of the present invention mainly relies on a customized module. Specifically, refer to Figure 5, which is a schematic diagram of the principle of the line-sequence-recognition-based perception technology of the network port protection device of the present invention. It comprises: on the connection module at one end of the network port, a new permutation is formed by randomly ordering the 8 wires; normal communication requires the peer end to use the same line sequence in order to de-sequence and use the link, so even if the network cable is intercepted by an attacker it cannot be used, achieving the security goal of intrusion prevention. This is the first implementation of port protection perception based on network cable line-sequence recognition. The network-connection-based perception technology generates data packets with a directional encrypted verification algorithm and sends them over the live network to verify that the device is online, accurately monitoring device anomalies and realizing real-time perception of the network connection state.

Specifically, a network topology discovery tool is used to obtain the position distribution of the network port protection devices deployed across the whole network, such as firewalls, IPS and WAF, including the network zone they belong to, subnet division and upstream/downstream connection relationships; the D3.js visualization library is used to generate a logical topology view of the blocking devices; adversarial detection mechanisms such as honeypots and deception defence are deployed in the network architecture to capture suspicious behaviour such as scanning and intrusion, and behavioural characteristics such as the attacker's techniques, tools used and frequently used IP addresses are extracted. The density-based clustering algorithm DBSCAN is applied to the behaviour data to identify different malicious behaviour patterns. The clustering result is evaluated with the silhouette coefficient, and the multi-dimensional behaviour features are mapped onto a two-dimensional plane by dimensionality reduction algorithms such as t-SNE, giving an intuitive view of how the different types of malicious behaviour are distributed in feature space. Traffic monitoring protocols such as NetFlow and sFlow are used to sample and analyze the traffic at the network egress. For DDoS attack scenarios, key features such as the source address distribution, protocol type and packet length are extracted; for port scanning behaviour, the analysis focuses on the frequency distribution of destination port numbers.

S5. Construct a multi-level network port blocking model according to the position distribution, the device parameters, the traffic characteristics and the behaviour characteristics;

Preferably, in an embodiment of the present invention, constructing the multi-level network port blocking model according to the position distribution, the device parameters, the real-time traffic characteristics and the real-time behaviour characteristics comprises: fusing the position distribution, device parameters, traffic characteristics and behaviour characteristics, and building the multi-level network port blocking model with a support vector machine algorithm. Here, the aggregation-layer model focuses on the frequency of outbound connections from a source IP, the access-layer model focuses on the number of sensitive-port scans against a destination IP, and the core-layer model focuses on the magnitude of sudden increases in cross-segment communication traffic.

S6. During actual security protection, input the network port transmission event data detected in real time into the multi-level network port blocking model, and determine the corresponding blocking policy based on the output of the multi-level network port blocking model.

Preferably, in an embodiment of the present invention, the network port transmission event data includes network-layer network port transmission event data, and the blocking policy includes discard processing; then inputting the network port transmission event data detected in real time into the multi-level network port blocking model and determining the corresponding blocking policy based on its output comprises:

performing anomaly judgement on the network port transmission event data at the different network levels, and setting, according to the judgement result, a dynamic threshold that matches the link bandwidth and the device processing capacity;

when the multi-level network port blocking model detects that the magnitude of the network-layer network port transmission event data exceeds the dynamic threshold, identifying the network port transmission event data as malicious traffic data and discarding the malicious traffic data.

Specifically, when the magnitude of a traffic surge exceeds the preset value, the suspicious flow is redirected to a DPI-based scrubbing module, which extracts application-layer information such as HTTP request headers and DNS query names and assesses the degree of maliciousness; low-intensity attacks are only rate-limited, while confirmed malicious flows are discarded outright. For intensive port scanning, Web scanning and similar behaviour, a reputation mechanism dynamically adjusts the defence strength. The anomaly detection model is packaged as a standard VNF, and the MANO orchestrator schedules compute, storage and bandwidth resources from the virtual resource pool to instantiate and configure the VNF. Using a message queue such as Kafka, the anomaly events generated by each VNF are sent to the central controller in real time, blocking rules are matched quickly by a policy engine such as Drools, and the SDN controller is driven over the OpenFlow southbound interface to push blocking routes in a staged (canary) rollout within milliseconds. The malicious traffic and suspicious behaviour output by the models at each level are correlated, and graph algorithms and social network analysis are used to uncover the attack chains of organized threats such as botnets and APTs.

For example, 112 high-interaction honeypots are deployed to collect attacker behaviour logs; the Word2Vec algorithm embeds the operation commands into a 128-dimensional real vector space, and the embeddings are clustered with DBSCAN using ε=0.2 and MinPts=5, yielding 18 typical malicious behaviour clusters. On the SPAN port of the core switch, sFlow samples 1 packet in 512, and the number of distinct destination IPs a source IP communicates with within one minute is analyzed; if it exceeds 100, the corresponding traffic is mirrored to the anomaly detection VNF. The SVM model uses an RBF kernel, and the optimal parameters C=15 and γ=0.08 are obtained by grid search; the detection rate on newly added samples stays above 95%. After suspicious traffic is detected, the DPI module extracts the URL path of the HTTP request and compares it against the known webshell signature library; if the match score exceeds 0.9, the source IP is added to a 30-minute blacklist and rate-limited to 10KB/s. The MANO platform uses templated TOSCA files to orchestrate the virtual resources required by the blocking VNF, such as 2 vCPUs, 4GB of memory and 1Gbps of bandwidth, and scales the number of VNF instances up or down according to the anomaly detection results. A Kibana platform on top of Elasticsearch is used to design multi-dimensional security situation visualization views: contour plots show the time distribution of the number of attack events per zone over a week, and radar charts show the share of harm contributed by threat behaviour along different dimensions; together with attacker profiles these help the administrator assess the situation quickly and evaluate the effectiveness of the defences. The detection logs from all levels are fed back into the anomaly detection model, and an online learning mechanism continuously improves the model, raising the detection rate and lowering the false-positive rate in complex environments. The Kibana front end provides a heat map of the geographic distribution of attack events that can be drilled down to the share of alerts per province and city, and, combined with profile information such as the operating system and browser of the attacker's terminal, helps analysts judge the latest techniques. The anomaly detection log data is streamed back into the model training set through the Kafka queue, and the parameters are fine-tuned by gradient descent, raising the detection rate by 1.5 percentage points and lowering the false-positive rate by 0.8 percentage points per cycle on average.
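The per-minute fan-out check described above (a source IP talking to more than 100 distinct destination IPs within one minute is mirrored to the anomaly detection VNF), as an added example that is not the patent's code. The flow records are constructed, and the example also shows the edge case where a slow, multi-minute spread stays under the per-window threshold.

```python
# Added example (not from the patent): windowed distinct-destination fan-out
# detector over sFlow-style sampled flow records (timestamp, src, dst).
from collections import defaultdict
from typing import Dict, List, Set, Tuple

SAMPLING_RATE = 512       # sFlow 1-in-512, as stated in the text
FANOUT_THRESHOLD = 100    # distinct destination IPs per source per minute
WINDOW_SECONDS = 60
BASE_TS = 28_333_333 * 60  # constructed epoch second, aligned to a window edge


class FanoutDetector:
    def __init__(self, threshold: int = FANOUT_THRESHOLD, window: int = WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        # (src, window_id) -> destination IPs actually seen in sampled records
        self._dests: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
        self._flagged: Set[Tuple[str, int]] = set()

    def observe(self, ts: int, src: str, dst: str) -> bool:
        """Feed one sampled record; True the first time a source crosses the
        threshold within the current one-minute window (i.e. mirror it)."""
        key = (src, ts // self.window)
        self._dests[key].add(dst)
        if len(self._dests[key]) > self.threshold and key not in self._flagged:
            self._flagged.add(key)
            return True
        return False

    def mirror_decisions(self) -> List[Tuple[str, int, int]]:
        """(src, window_id, distinct destinations) for every flagged source."""
        return sorted((s, w, len(self._dests[(s, w)])) for s, w in self._flagged)

    def distinct_counts(self, src: str) -> Dict[int, int]:
        """Distinct destinations per window for one source (for review)."""
        return {w: len(d) for (s, w), d in self._dests.items() if s == src}


def estimate_packets(sampled_records: int, rate: int = SAMPLING_RATE) -> int:
    """Rough packet volume behind sampled records. Distinct-destination
    counts must NOT be scaled this way, which is why the detector counts
    only what was actually observed."""
    return sampled_records * rate


def make_sample_records() -> List[Tuple[int, str, str]]:
    """Constructed sample: a fast scanner, a slow scanner and a normal host."""
    records = []
    # 10.0.5.7 reaches 120 distinct hosts inside one minute -> must be flagged
    for i in range(120):
        records.append((BASE_TS + i % 60, "10.0.5.7", f"10.0.0.{i + 1}"))
    # 10.0.6.9 reaches 150 hosts but spread evenly over 3 minutes (50 each)
    for i in range(150):
        records.append((BASE_TS + (i * 180) // 150, "10.0.6.9", f"10.1.0.{i + 1}"))
    # 10.0.1.100 talks to the same 5 servers repeatedly -> normal
    for i in range(60):
        records.append((BASE_TS + i, "10.0.1.100", f"10.0.1.{i % 5 + 1}"))
    return records


def run_detector(records: List[Tuple[int, str, str]]) -> Tuple[FanoutDetector, List[Tuple[int, str]]]:
    det = FanoutDetector()
    alerts = [(ts, src) for ts, src, dst in records if det.observe(ts, src, dst)]
    return det, alerts


if __name__ == "__main__":
    detector, alerts = run_detector(make_sample_records())
    print("mirror:", detector.mirror_decisions())
    print("slow scanner per-window counts:", detector.distinct_counts("10.0.6.9"))
```

The slow scanner is the caveat a practitioner should note: a fixed per-minute window misses spreads that stay just under the threshold, which is why the text pairs this check with the multi-granularity sliding windows and SVM models at the other layers.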

Preferably, in an embodiment of the present invention, step S6, inputting the network port transmission event data detected in real time into the multi-level network port blocking model and determining the corresponding blocking policy based on its output, further comprises:

S61. Obtain, through traffic probes and log correlation, the malicious traffic data blocked by the network port protection devices at the different network levels and the task coordination data recorded while handling that malicious traffic data;

S62. Use a signature-based IDS (intrusion detection system) to identify and classify the malicious traffic data, obtaining blocking effect data;

S63. Optimize the blocking policy based on the task coordination data and the blocking effect data.

Preferably, in an embodiment of the present invention, step S63, optimizing the multi-level network port blocking model based on the task coordination data and the blocking effect data, comprises:

S631. Based on the task coordination data and the blocking effect data, use the Q-Learning reinforcement learning algorithm to optimize the multi-level network port blocking model, guided by reward values;

S632. Adjust the blocking policy at each level according to the optimized multi-level network port blocking model.

Preferably, an embodiment of the present invention further comprises:

if the multi-level network port blocking model detects an abnormal event on a blocking device, switching quickly to a standby device by means of traffic mirroring and session persistence, starting the emergency response procedure, and applying traffic limiting and session migration according to the severity of the abnormal event.

Specifically, traffic probes and log correlation are used to obtain the malicious traffic data blocked by the blocking devices at the different network levels, including the number of attack events, the volume of attack traffic and the blocking response time. A signature-based IDS is used to identify and classify the malicious traffic at a fine granularity, and the differences in blocking effectiveness between levels are tallied along dimensions such as the attacker's IP geolocation and attack duration, producing a network-wide blocking effectiveness evaluation report.

The Apriori association rule mining algorithm is applied, treating blocking effect data such as attack type and attack intensity and coordination data such as the response time of the handling staff as items, with a minimum support of 0.2 and a minimum confidence of 0.8, to mine strong association rules between the two kinds of data and build a model relating blocking effectiveness to task coordination. With reference to the Nash equilibrium of game theory, a utility function for the multi-level blocking measures is constructed and a benefit-cost analysis is performed on the different combinations of blocking policies triggered by the rules, forming a quantitative evaluation system for blocking policies. A network adversarial simulation environment is built, with Mininet providing the topology and the Ostinato traffic generator simulating various attack scenarios.
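The Apriori mining above (blocking-effect items against coordination items at minimum support 0.2 and minimum confidence 0.8), as an added example that is not the patent's code; the same miner serves the port-combination mining over NIDS logs mentioned in the S3 example, with transactions of port numbers instead. The transactions and item names here are constructed.

```python
# Added example (not from the patent): Apriori frequent itemsets and
# association rules, restricted to rules whose antecedent is drawn from the
# blocking-effect items and whose consequent is drawn from coordination items.
import math
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

Itemset = FrozenSet[str]
Rule = Tuple[Itemset, Itemset, float, float]  # antecedent, consequent, support, confidence


def apriori(transactions: List[Itemset], min_support: float) -> Dict[Itemset, int]:
    """Return every frequent itemset with its absolute support count."""
    n = len(transactions)
    min_count = math.ceil(min_support * n - 1e-9)
    counts: Dict[Itemset, int] = {}
    for t in transactions:
        for item in t:
            single = frozenset([item])
            counts[single] = counts.get(single, 0) + 1
    current = {s: c for s, c in counts.items() if c >= min_count}
    frequent = dict(current)
    k = 2
    while current:
        prev = sorted(current, key=sorted)
        candidates: Set[Itemset] = set()
        for a, b in combinations(prev, 2):
            union = a | b
            # join step: size k, plus the Apriori prune on all (k-1)-subsets
            if len(union) == k and all(
                frozenset(sub) in current for sub in combinations(union, k - 1)
            ):
                candidates.add(union)
        counts = {c: sum(1 for t in transactions if c <= t) for c in candidates}
        current = {s: c for s, c in counts.items() if c >= min_count}
        frequent.update(current)
        k += 1
    return frequent


def association_rules(
    frequent: Dict[Itemset, int], n: int, min_conf: float,
    antecedent_items: Set[str], consequent_items: Set[str],
) -> List[Rule]:
    """Rules X -> Y with X from antecedent_items, Y from consequent_items."""
    out: List[Rule] = []
    for itemset, count in frequent.items():
        if len(itemset) < 2:
            continue
        for r in range(1, len(itemset)):
            for ante_tuple in combinations(sorted(itemset), r):
                ante = frozenset(ante_tuple)
                cons = itemset - ante
                if not (ante <= antecedent_items and cons <= consequent_items):
                    continue
                conf = count / frequent[ante]   # every subset of a frequent set is frequent
                if conf + 1e-12 >= min_conf:
                    out.append((ante, cons, count / n, conf))
    return sorted(out, key=lambda r: (-r[3], -r[2], sorted(r[0]), sorted(r[1])))


EFFECT_ITEMS = {"attack=sqli", "attack=ddos", "intensity=high", "intensity=low"}
COORD_ITEMS = {"resp_gt_1min", "resp_le_1min"}


def make_transactions() -> List[Itemset]:
    """Constructed sample: 20 handled incidents, each a set of items."""
    def rep(times: int, *items: str) -> List[Itemset]:
        return [frozenset(items)] * times
    return (rep(8, "attack=sqli", "intensity=high", "resp_gt_1min")
            + rep(2, "attack=sqli", "intensity=low", "resp_le_1min")
            + rep(7, "attack=ddos", "intensity=high", "resp_le_1min")
            + rep(3, "attack=ddos", "intensity=low", "resp_le_1min"))


def mine_rules(transactions: List[Itemset], min_support: float = 0.2,
               min_conf: float = 0.8) -> List[Rule]:
    frequent = apriori(transactions, min_support)
    return association_rules(frequent, len(transactions), min_conf,
                             EFFECT_ITEMS, COORD_ITEMS)


if __name__ == "__main__":
    for ante, cons, supp, conf in mine_rules(make_transactions()):
        print(f"{sorted(ante)} -> {sorted(cons)}  support={supp:.2f} confidence={conf:.2f}")
```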

The reinforcement learning model is then trained. The state space contains attributes such as the blocking rate, load and policy configuration of the blocking devices at each level, and the action space is defined as the adjustment range of each device's security policy parameters. The reward function combines immediate and long-term rewards: in the short term, the larger the cumulative blocked volume the higher the reward, and in the long term the reward converges once the false-blocking and missed-blocking rates stabilize at an acceptable level; through continuous trial and error the optimal combination of blocking policies is learned. Using the policy gradient method of reinforcement learning, the selection probability distribution of the blocking actions at each level is adapted: at the access layer the time decay rate of the blacklist is optimized automatically, at the aggregation layer the aging time of the session table is adjusted in real time, and at the core layer the flow anomaly detection threshold is changed dynamically, achieving continuous optimization of the port blocking granularity.

The idea of meta-learning is introduced, with the hyperparameter K as the meta-optimization target, to automatically select the number of agents, the exploration rate and similar settings of the reinforcement learning model so that it adapts quickly to different protection scenarios. With transfer learning, a trained agent model is reused across similar network environments, so that a blocking policy can be deployed rapidly after only a small amount of incremental training. Access control is enforced top-down in the tree topology, from the access switches to the core switches and then to the security domain boundary, with strict authentication and authorization at every layer. Honeypot trapping, threat intelligence tracing and similar means are used to discover the source of an attack early, turning passive defence into active interception. SOAR-based automated response orchestration is deployed at the aggregation layer to jointly analyze multi-level alert information and dynamically schedule security resources, forming a globally optimal comprehensive protection plan; a blockchain is used to build a trusted collaborative defence network in which each node's blocking effectiveness evaluation is shared on-chain, and smart contracts update the collaborative defence policy iteratively in real time.

For example, a traffic probe deployed on an access-layer switch records that the device blocked 5Gbps of DDoS attack traffic and 200 attack events in the past hour. Correlating the NetFlow logs on the core router shows that, in the same period, it blocked 2Gbps of the same attack traffic and 150 events, with an average blocking response time of 200ms. The signature-based Snort intrusion detection system identifies and classifies the malicious traffic at a fine granularity by matching its rule library, detecting 50MB of SQL injection attack traffic from a certain country lasting 15 minutes. Using the Apriori association rule mining algorithm with the minimum support set to 2 and the minimum confidence set to 8, the association rule between "SQL injection attack" and "response time greater than 1 minute" is found to have a confidence of 85%, that is, when an SQL injection attack occurs there is a high probability that the handling staff's coordinated response time will be long.

With reference to the Nash equilibrium of game theory, assuming that the utility functions of the different blocking measures follow an exponential distribution, the optimal combination of blocking policies is obtained by solving numerically for the Nash equilibrium point. The blacklist filtering utility of the access layer is 6, the session table limiting utility of the aggregation layer is 3 and the flow anomaly detection utility of the core layer is 1; the overall utility of joint protection then reaches 753, higher than that of each measure deployed alone. A Mininet network simulation environment is built and the Ostinato traffic generator simulates various attack scenarios such as DDoS and vulnerability exploitation to train the reinforcement learning model. The state attributes of the access-layer blocking device include its blocking rate, load and blacklist configuration, and the action is to adjust the time decay rate of the blacklist, whose current value is 8.

Optimization algorithms such as gradient descent are used to minimize the long-term cumulative reward, and after 10,000 rounds of iterative training the optimal decay rate is found to be 9, at which point the port blocking granularity is optimal. Meta-learning is introduced, with the hyperparameter K set to the number of agents in the reinforcement learning model, and the best K is selected automatically by grid search. In the DDoS protection scenario K is set to 4, with the agents deployed at the access layer, aggregation layer, core layer and security domain boundary respectively to optimize the blocking policy cooperatively.

With the transfer learning algorithm, the agent model trained in the DDoS scenario is transferred to the protection against vulnerability exploitation attacks and adapts quickly with a small amount of incremental training. Access control is enforced top-down in the tree topology: the legitimacy of the source IP is first strictly authenticated on the core switch, then the user identity is strictly verified on the aggregation switch, and finally the user's behaviour is strictly audited on the access switch. Honeypot trapping, threat intelligence tracing and similar means are used to discover the source of an attack early. A deployed high-interaction honeypot disguised as a Struts2 service records all attack types, source IPs and other information and pushes them to the threat intelligence platform in real time. SOAR-based automated response orchestration is deployed at the aggregation layer with 20 business linkage rules to handle security incidents automatically. A blockchain is used to build a trusted collaborative defence network with 5 on-chain nodes as members that share their blocking effectiveness evaluations; when a member node's policy configuration changes, a smart contract is triggered automatically to iterate and update the collaborative defence policy in real time, raising the overall protection level of the whole network.

Further, if the blocking effect data meets the task coordination requirements, a positive reward value is produced by the reinforcement learning model; if the blocking effect data impairs task coordination efficiency, a negative reward value is produced by the reinforcement learning model.

Specifically, the key requirement indicators of task coordination, such as application response time, concurrent processing capacity and bandwidth utilization, are summarized from historical data, and the weight of each indicator is computed with the analytic hierarchy process (AHP); fuzzy comprehensive evaluation with the common triangular membership function maps the blocking effect data to membership values for the key indicators, and a weighted average then gives an overall matching degree that quantifies how well the blocking effect satisfies the task coordination requirements. Reward value tiers are designed in the reinforcement learning model: the overall matching degree together with the resource consumption indicators is divided into four levels of immediate reward.

Correlation analysis and the Granger causality test are used to select the key factors through which blocking measures affect task performance and to determine the causal relationships among them. If there is a significant causal relationship between the rule hit rate of the blocking engine and the business request timeout rate, the rule hit rate is included as a dynamic adjustment factor of the reward function, and when the hit rate falls below the preset value the penalty strength of the negative reward is increased by a preset amount. A sliding window mechanism extracts multi-granularity features from the network flow logs, with differentiated window lengths for the key network paths and device nodes involved in the coordinated task, building a hierarchical feature space of traffic states.

When a task suffers a serious anomaly such as service interruption or data loss, the risk prevention mechanism of the reinforcement learning model is triggered. An exponentially decaying forgetting mechanism dynamically amplifies the negative reward, with the forgetting factor growing exponentially with the duration of the anomaly; at the same time a conservative exploration strategy is enabled that lowers the exploration rate, freezes the current optimal policy and suspends trials of new policies until the anomaly is cleared, after which normal learning resumes. Environmental risk and the agent's exploration level are assessed in real time, and the system switches automatically to safe mode when thresholds are exceeded. A prior distribution over reward values is built from domain knowledge, with the expected trend of reward values preset for known common anomaly scenarios; during training of the reinforcement learning model the prior is used as a regularization term of the reward function to speed up convergence. An adaptive dynamic programming algorithm makes rolling predictions of the cumulative reward over a future period and adjusts the discount factor automatically, balancing short-term and long-term returns to make the policy more robust.

For example, analysis of multi-source data such as user feedback, system logs and network traffic from the task coordination process yields 15 key performance indicators; AHP is used to build the pairwise judgement matrix of the indicators, giving CR=0.05<0.1, which passes the consistency check, and the indicator weights are finally determined, for instance response time 0.25, error rate 0.15 and throughput 0.2. Five common membership function shapes, such as polyline and trapezoid, are chosen to correspond to different trends of task satisfaction. When blocking degrades the response time from 0.3s to 1.5s and raises the error rate from 0.1% to 2%, the weighted-average matching degree falls from 0.95 to 0.6. According to the correspondence between the matching degree and the system SLA, the reward value is mapped to four tiers: excellent 0.9-1.0, +1 point; good 0.7-0.9, +0.5 point; medium 0.4-0.7, -0.5 point; poor 0-0.4, -1 point. In addition, an extra 0.1 point is deducted for every 1% of CPU, 10MB of memory and 2% of bandwidth consumed.

Pearson correlation analysis finds that the correlation coefficient between the blocking rule hit rate and the business timeout rate is 0.8, and the Granger causality test gives P=0.01<0.05, so the causal relationship is significant. When the hit rate drops from 80% to 20%, the penalty strength is dynamically raised to 1.5 times to steer the model's adjustment. For the traffic data of the border, access and aggregation switches, sliding windows of one second, one minute and 5 minutes respectively are set, and 18 features such as flow rate and packet rate are extracted to rebuild the state space. When a business interruption exceeding 1 minute and network latency above 500ms lasting 5 minutes are detected, the forgetting factor is raised from 0.9 to 0.99, the negative reward is doubled and the exploration rate is reduced by 90%, entering the conservative learning state. For the DDoS attack scenario a reward prior is set: the mean reward of the last 10 attacks is taken as the prior mean and the standard deviation is set to 20% of the mean, giving a Gaussian distribution.

当新策略的奖励值低于先验均值2个标准差时,触发人工指导探索方向。采用自适应动态规划,初始折扣因子设为0.9,每成功避免一次异常,折扣因子减小0.05,每失败一次,折扣因子加大0.1,权衡短期奖励和长期奖励,提高策略的适应性。When the reward value of the new strategy is lower than the prior mean by 2 standard deviations, the manual guidance exploration direction is triggered. Adaptive dynamic programming is used, and the initial discount factor is set to 0.9. For each successful avoidance of an exception, the discount factor is reduced by 0.05, and for each failure, the discount factor is increased by 0.1. The short-term and long-term rewards are weighed to improve the adaptability of the strategy.
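The reward shaping and adaptive learning parameters described in the three paragraphs above, as an added Python example (not code from the patent): the tier mapping, resource deductions, 1.5x penalty, conservative-mode switch, reward prior and discount-factor steps use the figures the text gives, while the membership functions, the starting exploration rate and the sample measurements are constructed assumptions.

```python
"""Reward shaping and adaptive learning parameters for the blocking-policy
learner (added example, not the patent's code).  Tier values, resource
deductions, the 1.5x penalty, the conservative-mode changes, the reward
prior and the discount-factor steps follow the text; membership
functions, the starting exploration rate and sample inputs are constructed."""
from dataclasses import dataclass

# Indicator weights named in the text; the other 12 indicators are omitted
# and the weighted average is renormalised over these three (assumption).
WEIGHTS = {"response_time_s": 0.25, "error_rate": 0.15, "throughput": 0.2}


def linear_membership(x, zero_at, one_at):
    """Piecewise-linear membership: 0 at zero_at, 1 at one_at, clamped."""
    return max(0.0, min(1.0, (x - zero_at) / (one_at - zero_at)))


# Constructed membership functions (the text only says five common shapes
# such as piecewise-linear and trapezoidal are used).
MEMBERSHIP = {
    "response_time_s": lambda x: linear_membership(x, 2.0, 0.2),
    "error_rate": lambda x: linear_membership(x, 0.03, 0.0),
    "throughput": lambda x: linear_membership(x, 800.0, 10_000.0),
}


def matching_degree(metrics):
    """Weighted average of membership values over the supplied indicators."""
    total = sum(WEIGHTS[k] for k in metrics)
    return sum(WEIGHTS[k] * MEMBERSHIP[k](v) for k, v in metrics.items()) / total


def tier_reward(match):
    """Four SLA tiers: excellent +1, good +0.5, medium -0.5, poor -1."""
    if match >= 0.9:
        return "excellent", 1.0
    if match >= 0.7:
        return "good", 0.5
    if match >= 0.4:
        return "medium", -0.5
    return "poor", -1.0


def resource_penalty(cpu_pct, mem_mb, bw_pct):
    """0.1 point per 1% CPU, per 10 MB memory and per 2% bandwidth consumed."""
    return 0.1 * (cpu_pct / 1.0 + mem_mb / 10.0 + bw_pct / 2.0)


@dataclass
class LearnerParams:
    forgetting: float = 0.9
    exploration: float = 0.3      # starting exploration rate (constructed)
    penalty_scale: float = 1.0    # multiplier applied to negative rewards
    discount: float = 0.9         # initial discount factor from the text
    conservative: bool = False


def shaped_reward(metrics, cpu_pct, mem_mb, bw_pct, params):
    """Tier reward (negatives scaled by penalty_scale) minus resource cost."""
    _, base = tier_reward(matching_degree(metrics))
    if base < 0:
        base *= params.penalty_scale
    return base - resource_penalty(cpu_pct, mem_mb, bw_pct)


def penalty_scale_for_hit_rate(hit_rate):
    """Hit rate collapsing from 80% to 20% raises penalty intensity to 1.5x;
    20% is read as the trigger threshold (assumption)."""
    return 1.5 if hit_rate <= 0.2 else 1.0


def enter_conservative(params, outage_s, delay_ms, delay_duration_s):
    """Outage > 1 min with delay > 500 ms sustained for 5 min: forgetting
    factor 0.9 -> 0.99, negative reward doubled, exploration cut by 90%."""
    if outage_s > 60 and delay_ms > 500 and delay_duration_s >= 300:
        params.forgetting = 0.99
        params.penalty_scale *= 2.0
        params.exploration *= 0.1
        params.conservative = True
    return params


def reward_prior(attack_rewards):
    """Gaussian prior: mean of the last 10 attack rewards, sigma = 20% of it."""
    recent = attack_rewards[-10:]
    mu = sum(recent) / len(recent)
    return mu, 0.2 * abs(mu)


def needs_manual_guidance(reward, mu, sigma):
    """Manual steering of exploration is triggered below mu - 2 sigma."""
    return reward < mu - 2.0 * sigma


def update_discount(discount, anomaly_avoided):
    """-0.05 per avoided anomaly, +0.1 per failure; clamped to [0, 1] (assumption)."""
    return min(1.0, max(0.0, discount + (-0.05 if anomaly_avoided else 0.1)))
```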

Specifically, the communication behaviour characteristics of hosts in different network zones, including IP addresses, port numbers, protocol types and packet lengths, are extracted in real time through traffic mirroring and deep packet inspection. A zone threat assessment model is built on an attack graph; a threat scoring index system that takes attacker capability, vulnerability distribution, attack paths and other factors into account is designed, and the security posture of each zone is quantified to obtain a zone threat index, which serves as the basis for dynamically adjusting the blocking level.

Based on the learning results of the Q-Learning algorithm, the abnormal traffic patterns that each defence stage faces from common attacks are analysed: for DDoS attacks, stricter blocking measures are applied at the border protection stage; for port scanning, source IP restrictions are tightened at the access authentication stage. By estimating the likelihood of each attack against each stage, the blocking levels of defences such as border protection, access authentication and traffic scrubbing are adjusted differentially.

A graphical modelling tool is used to draw the task execution flow chart, annotating the geographical distribution and collaboration mode involved at each stage. Structured analysis extracts data-flow patterns such as local collaboration and remote collaboration, from which a cross-region communication whitelist for targeted release is built. If the task is mainly co-located collaboration, traffic whose source and destination IP addresses belong to the same local segment is authenticated and checked for legitimacy at the network admission stage, marked as trusted traffic, and the blocking level is relaxed appropriately during traffic supervision and QoS assurance. If the task is mainly remote collaboration, secure tunnelling technology such as IPsec is used to encrypt cross-region business traffic in transit.

Based on the trust level of users and devices, fine-grained access control and security policy management are applied to cross-region traffic, including setting up a dedicated remote access channel at the traffic scheduling stage to release necessary traffic. The task's schedule and key milestones are incorporated to dynamically adjust the release policy for cross-region traffic: a reinforcement learning algorithm optimises the release rules in real time, the reward and penalty functions are adjusted according to task progress and risk assessment, the benefit and risk of each release are weighed, and the optimal policy is generated adaptively. Algorithms such as Markov decision processes and Monte Carlo tree search are used to evaluate and optimise cross-region traffic control measures, improving the timeliness and effectiveness of policy formulation.

For example, the zone threat assessment model is built on an attack graph: network topology and vulnerability information is obtained through asset mapping and vulnerability scanning, 5,000 attack events are extracted from the threat intelligence repository, a neural network is trained as an attack path prediction model, and the threat score of each zone is computed to produce a threat index from 0 to 100. When the index exceeds 80, the blocking threshold of the DDoS protection rule is lowered by 20%; when it falls below 20, the threshold is raised by 30%. By analysing the frequency and timing characteristics of packets such as TCP SYN and TCP ACK, an isolation forest algorithm detects DDoS attacks, and attack traffic with a confidence above 99% is dropped directly at the access switch.

Visio is used to draw the task flow chart for cross-region collaboration, annotating key scenarios such as file sharing and remote meetings. Business process mining algorithms analyse the data exchange patterns between departments and find that data requests from department A to department B account for 78% and are mostly large file transfers; TCP traffic above 1 GB between the A and B intranets is therefore specifically released, with sensitive data filtered by the DLP system. For cross-region VPN links, IPsec tunnels are deployed using the national commercial cryptographic algorithms SM2 and SM4 for encryption and authentication. Combining the RBAC and ABAC models, a fine-grained cross-domain access control policy is designed; by analysing user behaviour over the past 7 days, 20 high-confidence anomalous access patterns are identified with an association rule mining algorithm.

The PPO algorithm from reinforcement learning updates the release policy every 30 minutes. The state space contains 18 features such as threat index, traffic statistics and task progress, and the reward function takes task completion rate, delay jitter rate, number of security incidents and other factors into account. After 1,000 training rounds, the average reward value rose from 0.2 to 0.9.

A blockchain-based trusted policy coordination mechanism and a federated-learning-driven security model sharing mechanism are built. Through the federated learning framework, cross-region threat intelligence sharing and collaborative training of security models are achieved while protecting data privacy, further improving the detection performance and generalisation ability of the machine learning algorithms and thus significantly raising the system's overall protection level against regional emergencies. A blockchain network is set up on the Ethereum platform, identity authentication and authorisation management smart contracts are written in Solidity, and the Truffle framework is used for automated testing. Through the federated learning framework PySyft, cross-region anomaly detection models are trained without exposing the raw data, and model accuracy increases from 85% to.

Furthermore, the operation of network port blocking is monitored, and performance evaluation indicators and anomaly alarm rules are defined. If a blocking device hits a performance bottleneck exceeding the preset concurrent-connection threshold or suffers an abnormal interruption, the standby device is switched in quickly by traffic mirroring and session persistence and the emergency response process is started; at the same time, traffic limiting and session migration are applied according to the severity of the event.

Specifically, protocols such as SNMP and Syslog are used to collect key performance indicators and operating status data, such as CPU utilisation, memory usage, new-connection rate, concurrent session count and connection-table utilisation, from different types of network port protection devices such as firewalls, IDS and WAF, and to report them to the monitoring platform for centralised analysis and visualisation. Differentiated alarm rules are defined for each device type, and machine learning algorithms dynamically learn and refresh each device's historical performance baseline. Abnormal fluctuations and trends are detected promptly through joint analysis of multiple indicators; when a threshold is exceeded an alarm is raised automatically and graded according to the degree of deviation.

An SDN controller based on the NETCONF protocol is deployed at the traffic aggregation point. By issuing standard OpenFlow flow-table rules, suspected attack traffic is mirrored at a chosen sampling granularity, and a session-affinity hash policy and load-balancing algorithm steer the mirrored traffic to a DPI deep-inspection cluster for real-time full-traffic analysis and anomalous behaviour identification, linked with security devices such as IPS to form a closed loop of abnormal traffic handling. For identified malicious traffic such as DDoS attacks and port scans, refined filtering rules are generated automatically, and the management interface or custom tools provided by the blocking device vendor are invoked to issue and deploy security policies quickly, giving key business traffic priority protection.

Combining business priority and risk level, abnormal sessions are handled differentially by rate limiting, taking offline, redirection and other measures, and mechanisms such as greylists, blacklists and whitelists and reputation scores are applied flexibly for fine-grained traffic control. A highly available active-standby architecture is built; when the blocking device fails or hits a severe performance bottleneck, tools such as Keepalived and Pacemaker perform failover and state synchronisation, and the VRRP protocol completes fast failover of the virtual IP address so that business traffic migrates seamlessly. Emergency plans are started according to event severity: quantitative event evaluation criteria are defined that consider impact scope, duration, attack intensity, business loss and other dimensions, and the emergency measures corresponding to each event level are specified. The alarm, analysis, decision and disposal steps are standardised and automated, with predefined workflows and playbooks orchestrating and executing the emergency response process automatically, greatly shortening event handling time. Afterwards the whole emergency response is reviewed, problems and shortcomings are identified, and, combined with root-cause analysis of the failure, the blocking device's configuration parameters, protection policies and alarm thresholds are optimised.

For example, a Zabbix agent is deployed to collect the core indicators of the network port protection devices, reporting data every 5 seconds. The firewall focuses on CPU utilisation and memory usage; the IDS on new-connection rate and HTTP request parsing time; the WAF on peak concurrent sessions and response error rate. The ONE algorithm performs unsupervised anomaly detection on each indicator; when the confidence reaches 4σ or above a high-level alarm is raised, and K-Means clustering is used to identify the root cause of the alarm. Every 30 seconds the SDN controller mirrors traffic from the core switch at a 1:1000 ratio to the bypass detection cluster; the detection nodes are accelerated with DPDK and balance load across cores with RSS, RPS and similar mechanisms. The DPI engine is based on the nDPI protocol parsing library, uses XDP to filter obvious scanning and probing behaviour, and matches the remaining suspicious traffic against a custom Hyperscan signature library; traffic with a threat intelligence hit rate above 80% is automatically handed to Suricata IPS for blocking. For unknown threats, the SIEM is engaged to correlate the relevant session information (AppID, URL, Cookie, etc.) with global security logs for source tracing. The WAF performs feature engineering for the common OWASP Top 10 vulnerabilities, extracting 62 traffic statistics features (flow rate, MTU, etc.) and 89 HTTP features (User-Agent, POST body length, etc.), and builds a LightGBM classification model for real-time detection and risk scoring.
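The baseline-deviation alarms described in the two monitoring paragraphs above, as an added Python example (not code from the patent): each device type is watched on the indicators the text names, a baseline is learned per indicator, and a deviation of 4σ or more raises a high-level alarm as stated; the lower grades, the joint escalation rule, the `FOCUS` indicator names and the sample readings are constructed assumptions.

```python
"""Baseline-deviation alarms for network port protection devices (added
example, not the patent's code).  Per-indicator baselines are learned from
reported samples, deviation is expressed in standard deviations, and
4 sigma or more is a high-level alarm as in the text.  The 2/3 sigma grades,
the joint rule and the sample readings are constructed."""
from statistics import mean, pstdev

# Indicators each device type focuses on (names are assumptions).
FOCUS = {
    "firewall": ("cpu_pct", "mem_pct"),
    "ids": ("new_conn_rate", "http_parse_ms"),
    "waf": ("peak_sessions", "error_rate_pct"),
}

# 4 sigma -> high (from the text); 3 and 2 sigma grades are assumptions.
GRADES = ((4.0, "high"), (3.0, "medium"), (2.0, "low"))


def baseline(samples):
    """Mean and population standard deviation of the learning window."""
    return mean(samples), pstdev(samples)


def sigma_deviation(value, mu, sd):
    """Absolute deviation in standard deviations; a flat baseline makes any
    change infinite so it is never silently ignored."""
    if sd == 0.0:
        return float("inf") if value != mu else 0.0
    return abs(value - mu) / sd


def grade(dev):
    for threshold, name in GRADES:
        if dev >= threshold:
            return name
    return None


def evaluate_device(kind, history, current):
    """Per-indicator deviations and grades plus a joint alarm level.
    Joint rule (assumption): the highest single grade wins, and two or more
    indicators at 'low' together escalate to 'medium'."""
    order = {None: 0, "low": 1, "medium": 2, "high": 3}
    report = {}
    for kpi in FOCUS[kind]:
        mu, sd = baseline(history[kpi])
        dev = sigma_deviation(current[kpi], mu, sd)
        report[kpi] = {"baseline": mu, "sigma": sd,
                       "deviation": dev, "grade": grade(dev)}
    grades = [r["grade"] for r in report.values() if r["grade"]]
    level = max(grades, key=order.get, default=None)
    if grades.count("low") >= 2 and order[level] < 2:
        level = "medium"
    return {"device": kind, "indicators": report, "alarm": level}


# Constructed 5-second samples reported by a Zabbix agent on a firewall.
FIREWALL_HISTORY = {
    "cpu_pct": [40, 42, 41, 43, 39, 41, 40, 42, 41, 41],   # mean 41, sd ~1.10
    "mem_pct": [60, 61, 60, 62, 59, 60, 61, 60, 60, 61],   # mean 60.4, sd 0.8
}
```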

When assessing event severity, the analytic hierarchy process is used to build a judgement matrix scoring three dimensions, vulnerability score, traffic share and key assets, giving the weight vector [0.2, 0.5, 0.3]. Five secondary indicators are then chosen for each dimension; for traffic share, for example, they include current bandwidth utilisation and the period-on-period growth rate of abnormal traffic. The weighted result is the event severity score, and a score above 85 starts emergency handling. Ansible is invoked to automatically distribute emergency plans such as local origin fallback or cross-datacentre switchover, and the process orchestration engine parses event definitions in the BPMN 2.0 standard to enable fast decisions on rate limiting, blocking and redirecting abnormal traffic. In the review phase a Neo4j graph database holds a knowledge graph whose nodes include devices, events, personnel and environment and whose edges include disposal, impact and trigger relations; the Cypher query language is used to locate management weak points quickly. On a digital twin platform a simulation environment is built at a 4:1 device ratio, attack traffic is replayed with the Locust traffic generation engine, and the protection plan is evaluated through attack-defence exercises. A self-developed reinforcement learning engine continuously iterates and optimises the blocking policy: it obtains state (traffic statistics, CPU load, etc.) through interaction with the environment, executes actions (block, rate limit, alarm, etc.) and is guided by a reward function (taking business continuity, threat coverage, etc. into account); on average, every 10,000 iterations raise the event detection rate and handling efficiency by 5%, achieving adaptive dynamic tuning of the policy.
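The AHP consistency check (CR < 0.1, used earlier for the indicator weights) and the event severity score described above, as an added Python example (not code from the patent): the weight vector [0.2, 0.5, 0.3] and the 85-point trigger are from the text, while the 3x3 judgement matrix, the equal-weight averaging of the five secondary indicators and the sample event are constructed assumptions.

```python
"""Event severity scoring by the analytic hierarchy process (added example,
not the patent's code).  A constructed judgement matrix is checked for
consistency (CR < 0.1 as in the text), the page's weight vector
[0.2, 0.5, 0.3] over vulnerability score, traffic share and key assets is
applied to five secondary indicators per dimension (equal-weight average,
an assumption), and a score above 85 starts emergency handling."""
import math

# Saaty random consistency index by matrix order n.
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32}

DIMENSIONS = ("vulnerability_score", "traffic_share", "key_assets")
PAGE_WEIGHTS = {"vulnerability_score": 0.2, "traffic_share": 0.5, "key_assets": 0.3}
EMERGENCY_THRESHOLD = 85.0

# Constructed judgement matrix: traffic share judged 3x as important as
# vulnerability score and 2x as key assets; key assets 2x vulnerability.
JUDGEMENT = [
    [1.0, 1 / 3, 1 / 2],
    [3.0, 1.0, 2.0],
    [2.0, 1 / 2, 1.0],
]


def ahp_weights(matrix):
    """Priority vector by the row geometric-mean method, with lambda_max,
    consistency index CI and consistency ratio CR."""
    n = len(matrix)
    gm = [math.prod(row) ** (1.0 / n) for row in matrix]
    w = [g / sum(gm) for g in gm]
    # lambda_max approximated as the mean of (A w)_i / w_i
    aw = [sum(a * wj for a, wj in zip(row, w)) for row in matrix]
    lam = sum(x / wi for x, wi in zip(aw, w)) / n
    ci = (lam - n) / (n - 1) if n > 1 else 0.0
    cr = ci / RANDOM_INDEX[n] if RANDOM_INDEX[n] else 0.0
    return {"weights": w, "lambda_max": lam, "ci": ci, "cr": cr,
            "consistent": cr < 0.1}


def dimension_scores(indicators):
    """Average the five 0-100 secondary indicators of each dimension."""
    scores = {}
    for dim, values in indicators.items():
        if len(values) != 5:
            raise ValueError(f"{dim}: expected 5 secondary indicators")
        scores[dim] = sum(values) / 5.0
    return scores


def severity_score(indicators, weights=PAGE_WEIGHTS):
    scores = dimension_scores(indicators)
    return sum(weights[d] * scores[d] for d in DIMENSIONS)


def assess_event(indicators, weights=PAGE_WEIGHTS):
    """Severity score and whether emergency handling must start (> 85)."""
    score = severity_score(indicators, weights)
    return {"score": score, "emergency": score > EMERGENCY_THRESHOLD}


# Constructed event: a volumetric attack on a key asset.  Traffic-share
# indicators stand for bandwidth utilisation, growth rate and similar.
SAMPLE_EVENT = {
    "vulnerability_score": [80, 60, 70, 75, 65],
    "traffic_share": [100, 90, 95, 95, 95],
    "key_assets": [90, 90, 90, 90, 90],
}
```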

The perceptual security protection method based on the network port protection device disclosed in the present invention first evaluates the network attack risk level faced by each task space zone from the two dimensions of attack likelihood and impact severity using the risk assessment matrix method. Then the fuzzy comprehensive evaluation method is used: combined with the risk level in the risk assessment report, the network segment range controlled by the attacker and the network layer of the blocking target are used as evaluation factors to construct a fuzzy evaluation matrix and determine the granularity of network ports to be blocked. On this basis, the present invention adopts a 0-1 integer programming model that obtains the communication port number range from the task's time requirements and personnel scale, uses task real-time requirements and communication coverage as constraints, optimises network security protection efficiency and selects the communication port types of the blocking target appropriately. In addition, according to the network topology position and performance parameters of the network port protection devices, a support vector machine model fuses the traffic and behaviour characteristics of the blocking target, and a multi-level network port blocking model is deployed to monitor and block abnormal network traffic in real time. To improve blocking efficiency, the present invention also uses the Q-Learning reinforcement learning algorithm to correlate the network port blocking effect data with the task's collaboration mode; the reward value guides the model to adaptively adjust the strictness and port granularity of the blocking policy to achieve the best network security protection effect. At the same time, performance evaluation indicators and anomaly alarm rules are defined; once a blocking device hits a performance bottleneck or abnormal interruption, traffic mirroring and session persistence are used immediately to switch to the standby device, and traffic limiting and session migration measures are taken according to event severity. Overall, the present invention can effectively improve the efficiency and response speed of network security protection while ensuring the smooth execution of key tasks and the stable operation of the network system.

Another embodiment of the present invention provides a perceptual security protection system based on a network port protection device. Specifically, refer to FIG. 6, which is a schematic structural diagram of the perceptual security protection system based on a network port protection device provided in one embodiment of the present invention. It comprises the following modules: an acquisition module 11, a planning module 12, an adjustment module 13, a blocking module 14, a construction module 15 and an output module 16, wherein:

the acquisition module is configured to acquire the level parameters of the network transmission event currently carried by the network port, the level parameters including an event confidentiality level, an event time level and an event personnel level;

the planning module is configured to predict, based on the confidentiality level and the risk matrix method, the network attack risk level faced by the network transmission event, and to determine the corresponding network port blocking granularity scheme according to that risk level;

the adjustment module is configured to adjust, based on the event time level and the event personnel level, the port communication policy in the network topology of the network transmission event using a 0-1 integer programming method;

the blocking module is configured to control the network port protection device to block the network ports to be blocked according to the blocking granularity scheme and the port communication policy, and to obtain in real time the location distribution and device parameters of the network port protection devices in the network topology as well as the traffic characteristics and behaviour characteristics of the network ports to be blocked;

the construction module is configured to construct a multi-level network port blocking model from the location distribution, the device parameters, the traffic characteristics and the behaviour characteristics;

the output module is configured, during actual security protection, to feed the network port transmission event data detected in real time into the multi-level network port blocking model and to determine the corresponding blocking policy from the model's output.

Preferably, in an embodiment of the present invention, the planning module is further configured to:

acquire historical attack information and extract from it a decision attribute set that affects the choice of blocking granularity;

compare the importance of the decision attributes pairwise using the analytic hierarchy process to obtain the weight of each decision attribute in the set;

quantify each decision attribute, construct a fuzzy evaluation matrix from the quantified values and the corresponding weights, and obtain the comprehensive evaluation membership of each zone of the fuzzy evaluation matrix through the fuzzy matrix composition operation;

optimise the network port blocking granularity scheme according to the comprehensive evaluation membership.

Preferably, in an embodiment of the present invention, the adjustment module is specifically configured to:

extract the traffic indicators of each communication port in the network topology and, through correlation analysis and statistical modelling of those indicators, construct a port cascade matrix that reflects the dependency strength between ports;

establish a 0-1 integer programming model with the port as the basic unit, based on the port dependency constraints of the port cascade matrix, the constraint of the event time level and the constraint of the event personnel level;

solve the 0-1 integer programming model and configure the port communication policy according to the optimal solution obtained.
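The three steps above (port cascade matrix, 0-1 model with dependency, time-level and personnel-level constraints, solve and configure), as an added Python example that is not code from the patent: the port catalogue, dependency strengths, risk and coverage values, the level tables and the dependency threshold are all constructed assumptions, and the solver is an exhaustive 0-1 search that is adequate for a small port set.

```python
"""Port communication policy as a 0-1 integer programme (added example, not
the patent's code).  One variable per port (1 = open); constraints are the
ports required by the event time level, the port cascade dependencies above
a strength threshold, and a minimum communication coverage derived from the
event personnel level.  Exposure risk is minimised.  Every value below is
constructed for the example."""
from itertools import product

# Constructed port catalogue: exposure risk and communication coverage.
PORTS = {
    "ssh/22":     {"risk": 3, "coverage": 2},
    "https/443":  {"risk": 1, "coverage": 4},
    "rdp/3389":   {"risk": 5, "coverage": 3},
    "smb/445":    {"risk": 6, "coverage": 3},
    "ntp/123":    {"risk": 1, "coverage": 1},
    "syslog/514": {"risk": 2, "coverage": 2},
}

# Port cascade matrix: dependency strength 0..1 from correlation analysis.
CASCADE = {
    ("https/443", "ntp/123"): 0.8,     # TLS validation relies on time sync
    ("smb/445", "syslog/514"): 0.7,    # file access is audited via syslog
    ("rdp/3389", "https/443"): 0.3,    # weak, below the threshold
}
DEPENDENCY_THRESHOLD = 0.6

# A higher (more real-time) event time level forces control-plane ports open.
REQUIRED_BY_TIME_LEVEL = {1: (), 2: ("ntp/123",), 3: ("ntp/123", "syslog/514")}
# A higher event personnel level needs more communication coverage;
# level 4 exceeds the total coverage available and is therefore infeasible.
COVERAGE_BY_PERSONNEL_LEVEL = {1: 4, 2: 7, 3: 10, 4: 20}


def feasible(open_ports, time_level, personnel_level):
    """Check required ports, cascade dependencies and minimum coverage."""
    for p in REQUIRED_BY_TIME_LEVEL[time_level]:
        if p not in open_ports:
            return False
    for (p, q), strength in CASCADE.items():
        # if p is open and strongly depends on q, q must be open too
        if strength >= DEPENDENCY_THRESHOLD and p in open_ports and q not in open_ports:
            return False
    coverage = sum(PORTS[p]["coverage"] for p in open_ports)
    return coverage >= COVERAGE_BY_PERSONNEL_LEVEL[personnel_level]


def solve(time_level, personnel_level):
    """Exhaustive 0-1 search over 2^n assignments; None when infeasible."""
    names = list(PORTS)
    best = None
    for bits in product((0, 1), repeat=len(names)):
        chosen = frozenset(n for n, x in zip(names, bits) if x)
        if not feasible(chosen, time_level, personnel_level):
            continue
        risk = sum(PORTS[p]["risk"] for p in chosen)
        if best is None or risk < best["risk"]:
            best = {"open": chosen, "risk": risk,
                    "coverage": sum(PORTS[p]["coverage"] for p in chosen)}
    return best
```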

Preferably, in an embodiment of the present invention, the network port protection device comprises an electronic security lock and an electronic key.

Preferably, in an embodiment of the present invention, the construction module is specifically configured to:

fuse the location distribution, device parameters, traffic characteristics and behaviour characteristics and construct the multi-level network port blocking model with the support vector machine algorithm, the multi-level model comprising an aggregation layer model, an access layer model and a core layer model, wherein the aggregation layer model focuses on the outbound connection frequency of the source IP, the access layer model focuses on the number of sensitive port scans against the destination IP, and the core layer model focuses on sudden increases in cross-segment communication traffic.

Preferably, in an embodiment of the present invention, the network port transmission event data comprises network port transmission event data at each network layer, and the blocking policy comprises drop handling; the output module is then specifically configured to:

perform anomaly judgement on the network port transmission event data of the different network layers, and set, according to the judgement result, a dynamic threshold matched to the link bandwidth and the device processing capacity;

when the multi-level network port blocking model detects that the magnitude of the network port transmission event data at a network layer exceeds the dynamic threshold, identify that data as malicious traffic and drop it.
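The two output-module steps above (anomaly judgement per layer, a dynamic threshold tied to link bandwidth and device capacity, and dropping flows above it), as an added Python example that is not code from the patent: the layer capacities, the average packet size, the anomaly bands, the threshold shares and the sample flows are constructed assumptions.

```python
"""Dynamic per-layer thresholds for the drop decision (added example, not
the patent's code).  A packets-per-second threshold is derived from the
layer's link bandwidth and device processing capacity, tightened by the
anomaly judgement on that layer's recent traffic, and each flow above it
is classified as malicious.  Capacities, bands, shares and sample flows are
constructed."""

# Constructed capacity per network layer.
LAYER_CAPACITY = {
    "core":        {"link_mbps": 10_000, "device_pps": 2_000_000},
    "aggregation": {"link_mbps": 1_000,  "device_pps": 500_000},
    "access":      {"link_mbps": 100,    "device_pps": 50_000},
}
AVG_PACKET_BYTES = 512                         # assumed average packet size
THRESHOLD_SHARE = {0: 0.5, 1: 0.3, 2: 0.1}     # share of headroom one flow may use


def line_rate_pps(link_mbps, avg_packet_bytes=AVG_PACKET_BYTES):
    """Packets per second a link can carry at the assumed packet size."""
    return link_mbps * 1_000_000 / 8 / avg_packet_bytes


def anomaly_level(current_pps, baseline_pps):
    """0 normal, 1 elevated (>= 1.5x baseline), 2 anomalous (>= 3x baseline)."""
    ratio = current_pps / baseline_pps if baseline_pps else float("inf")
    return 2 if ratio >= 3.0 else 1 if ratio >= 1.5 else 0


def dynamic_threshold(layer, level):
    """Headroom is the smaller of line rate and device capacity; the
    anomaly level decides how much of it a single flow may consume."""
    cap = LAYER_CAPACITY[layer]
    headroom = min(line_rate_pps(cap["link_mbps"]), cap["device_pps"])
    return headroom * THRESHOLD_SHARE[level]


def classify_flows(flows, layer_totals, layer_baselines):
    """flows: dicts with layer, src, dst, pps.  Returns one decision per flow."""
    levels = {l: anomaly_level(layer_totals[l], layer_baselines[l]) for l in layer_totals}
    thresholds = {l: dynamic_threshold(l, lv) for l, lv in levels.items()}
    decisions = []
    for f in flows:
        thr = thresholds[f["layer"]]
        action = "drop" if f["pps"] > thr else "forward"
        decisions.append({**f, "threshold": thr, "action": action})
    return decisions


# Constructed sample: the access layer is at 3.25x its baseline, the core is not.
SAMPLE_FLOWS = [
    {"layer": "access", "src": "10.0.1.5", "dst": "10.0.2.9", "pps": 20_000},
    {"layer": "access", "src": "10.0.1.6", "dst": "10.0.2.9", "pps": 5_000},
    {"layer": "core", "src": "10.1.0.2", "dst": "10.3.0.4", "pps": 300_000},
]
SAMPLE_TOTALS = {"access": 26_000, "core": 400_000}
SAMPLE_BASELINES = {"access": 8_000, "core": 350_000}
```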

Preferably, in an embodiment of the present invention, the output module is specifically configured to:

obtain, through traffic probes and log correlation, the malicious traffic data blocked by the network blocking devices at the different network layers and the task coordination data recorded while that malicious traffic was handled;

identify and classify the malicious traffic data with a signature-based IDS to obtain blocking effect data;

optimise the blocking policy based on the task coordination data and the blocking effect data.

Preferably, in an embodiment of the present invention, the output module is further specifically configured to:

apply, based on the task coordination data and the blocking effect data, the Q-Learning reinforcement learning algorithm to optimise the multi-level network port blocking model under the guidance of the reward value;

adjust the blocking policy of each layer according to the optimised multi-level network port blocking model.

Preferably, in an embodiment of the present invention, the output module is further specifically configured to:

when an abnormal event is detected on a blocking device, switch to the standby device quickly by traffic mirroring and session persistence, start the emergency response process, and apply traffic limiting and session migration according to the severity of the abnormal event.

Another embodiment of the present invention provides a perceptual security protection device based on a network port protection device. Specifically, refer to FIG. 7, which is a schematic diagram of the perceptual security protection device based on a network port protection device provided in one embodiment of the present invention. It comprises a processor 21, a memory 22 and a computer program stored in the memory 22 and configured to be executed by the processor 21. When the processor 21 executes the computer program, it implements the steps of the embodiments of the perceptual security protection method based on the network port protection device described above, for example steps S1 to S7 in FIG. 1; alternatively, when the processor 21 executes the computer program, it implements the functions of the modules in the apparatus embodiments described above, for example the acquisition module 11.

For example, the computer program may be divided into one or more modules, which are stored in the memory 22 and executed by the processor 21 to carry out the present invention. The one or more modules may be a series of computer program instruction segments capable of completing specific functions, the instruction segments describing the execution of the computer program in the perceptual security protection device based on the network port protection device. For example, the computer program may be divided into the acquisition module 11, the planning module 12, the adjustment module 13, the blocking module 14, the construction module 15 and the output module 16.

The processor 21 may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general-purpose processor may be a microprocessor or any conventional processor. The processor 21 is the control centre of the perceptual security protection device based on the network port protection device and connects the various parts of the whole device through various interfaces and lines.

The memory 22 may be used to store the computer program and/or modules. The processor 21 implements the various functions of the perceptual security protection device based on the network port protection device by running or executing the computer program and/or modules stored in the memory 22 and by invoking the data stored in the memory 22. The memory 22 may mainly comprise a program storage area and a data storage area, where the program storage area may store an operating system and the application programs required for at least one function (such as a sound playback function or an image playback function), and the data storage area may store data created during use of the mobile phone (such as audio data or a phone book). In addition, the memory 22 may comprise high-speed random access memory and may also comprise non-volatile memory, such as a hard disk, RAM, a plug-in hard disk, a smart media card (SMC), a secure digital (SD) card, a flash card, at least one magnetic disk storage device, a flash memory device, or another volatile solid-state storage device.

If the modules integrated in the perceptual security protection device based on the network port protection device are implemented as software functional units and sold or used as independent products, they may be stored in a computer-readable storage medium. On this understanding, the present invention implements all or part of the processes of the method embodiments above, which may also be completed by a computer program instructing the relevant hardware. The computer program may be stored in a computer-readable storage medium and, when executed by a processor, implements the steps of the method embodiments described above. The computer program comprises computer program code, which may be in source code form, object code form, an executable file or some intermediate form. The computer-readable medium may include any entity or device capable of carrying the computer program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disc, computer memory, read-only memory (ROM), random access memory (RAM), an electrical carrier signal, a telecommunication signal, a software distribution medium, and the like.

本领域普通技术人员可以理解实现上述实施例方法中的全部或部分流程,是可以通过计算机程序来指令相关的硬件来完成,所述的程序可存储于一计算机可读取存储介质中,该程序在执行时,可包括如上述各方法的实施例的流程。其中,所述的存储介质可为磁碟、光盘、只读存储记忆体(Read-OnlyMemory,ROM)或随机存储记忆体(RandomAccessMemory,RAM)等。Those skilled in the art can understand that all or part of the processes in the above-mentioned embodiments can be implemented by instructing the relevant hardware through a computer program, and the program can be stored in a computer-readable storage medium, and when the program is executed, it can include the processes of the embodiments of the above-mentioned methods. The storage medium can be a disk, an optical disk, a read-only memory (ROM) or a random access memory (RAM), etc.

相应地,本发明实施例提供一种计算机可读存储介质,所述计算机可读存储介质包括存储的计算机程序,其中,在所述计算机程序运行时控制所述计算机可读存储介质所在设备执行如上述实施例的基于网口防护装置的感知安全防护方法中的步骤,例如图1中所述的步骤S1~S7。Accordingly, an embodiment of the present invention provides a computer-readable storage medium, which includes a stored computer program, wherein when the computer program is running, the device where the computer-readable storage medium is located is controlled to execute the steps of the perception security protection method based on the network port protection device in the above embodiment, such as steps S1 to S7 described in Figure 1.

以上所述实施例仅表达了本发明的几种实施方式,其描述较为具体和详细,但并不能因此而理解为对本发明专利范围的限制。应当指出的是,对于本领域的普通技术人员来说,在不脱离本发明构思的前提下,还可以做出若干变形和改进,这些都属于本发明的保护范围。因此,本发明专利的保护范围应以所附权利要求为准。The above-mentioned embodiments only express several implementation methods of the present invention, and the descriptions thereof are relatively specific and detailed, but they cannot be understood as limiting the scope of the patent of the present invention. It should be pointed out that, for ordinary technicians in this field, several variations and improvements can be made without departing from the concept of the present invention, and these all belong to the protection scope of the present invention. Therefore, the protection scope of the patent of the present invention shall be subject to the attached claims.

Claims (20)

Translated from Chinese

1. A perception security protection method based on a network port protection device, characterized in that it is applied in a network topology to which a network port protection device is connected, the method comprising the following steps:
   acquiring level parameters of the network transmission event currently transmitted through the network port, wherein the level parameters include an event confidentiality level, an event time level and an event personnel level;
   predicting the network attack risk level faced by the network transmission event on the basis of the confidentiality level and a risk matrix method, and determining the corresponding network port blocking granularity scheme according to the network attack risk level;
   adjusting the port communication strategy in the network topology by a 0-1 integer programming method on the basis of the event time level and the event personnel level;
   controlling the network port protection device to block the network port to be blocked according to the network port blocking granularity scheme and the port communication strategy, and separately acquiring the location distribution and device parameters of the network port protection device in the network topology and the real-time traffic characteristics and real-time behavior characteristics of the network port to be blocked;
   constructing a multi-level network port blocking model from the location distribution, the device parameters, the real-time traffic characteristics and the real-time behavior characteristics;
   during actual security protection, inputting the network port transmission event data detected in real time into the multi-level network port blocking model, and determining the corresponding blocking strategy from the output of the multi-level network port blocking model.

2. The method of claim 1, characterized in that, after determining the corresponding network port blocking granularity scheme according to the network attack risk level, it further comprises:
   acquiring historical attack information and extracting from it a decision attribute set that influences the choice of blocking granularity;
   comparing the decision attributes in the set pairwise by importance using the analytic hierarchy process, to obtain the weight of each decision attribute in the set;
   quantifying each decision attribute in the set, constructing a fuzzy evaluation matrix from the quantified values and the corresponding weights, and obtaining the comprehensive evaluation membership degree of each region of the fuzzy evaluation matrix by a fuzzy matrix synthesis operation;
   optimizing the network port blocking granularity scheme according to the comprehensive evaluation membership degree.

3. The method of claim 1, characterized in that adjusting the port communication strategy in the network topology of the network transmission event by a 0-1 integer programming method on the basis of the event time level and the event personnel level comprises:
   extracting traffic indicators of each communication port in the network topology, and constructing a port cascade matrix by correlation analysis and statistical modeling of the traffic indicators, wherein the port cascade matrix reflects the dependency strength between ports;
   establishing a 0-1 integer programming model with the port as its basic unit, on the basis of the port dependency constraints given by the port cascade matrix, the event time level constraint and the event personnel level constraint;
   solving the 0-1 integer programming model and configuring the port communication strategy according to the optimal solution obtained.

4. The method of claim 1, characterized in that the network port protection device comprises an electronic security lock and an electronic key.

5. The method of claim 1, characterized in that constructing the multi-level network port blocking model from the location distribution, the device parameters, the real-time traffic characteristics and the real-time behavior characteristics comprises:
   fusing the location distribution, device parameters, traffic characteristics and behavior characteristics and constructing the multi-level network port blocking model with a support vector machine algorithm, wherein the multi-level network port blocking model comprises an aggregation layer model, an access layer model and a core layer model; the aggregation layer model attends to the frequency of external connections from source IPs, the access layer model attends to the number of sensitive port scans against destination IPs, and the core layer model attends to the magnitude of sudden increases in cross-segment communication traffic.

6. The method of claim 1, characterized in that the network port transmission event data includes network port transmission event data of a network tier and the blocking strategy includes discard processing, and that inputting the network port transmission event data detected in real time into the multi-level network port blocking model and determining the corresponding blocking strategy from its output comprises:
   performing anomaly judgment on the network port transmission event data of the different network tiers, and setting, according to the anomaly judgment result, a dynamic threshold matched to the link bandwidth and the device processing capability;
   when the multi-level network port blocking model detects that the magnitude of the network port transmission event data of a network tier exceeds the dynamic threshold, identifying that network port transmission event data as malicious traffic data and discarding the malicious traffic data.

7. The method of claim 1, characterized in that, after inputting the network port transmission event data detected in real time into the multi-level network port blocking model and determining the corresponding blocking strategy from its output, it further comprises:
   obtaining, through traffic probes and log correlation, the malicious traffic data blocked by the network port protection devices of the different network tiers and the task coordination data generated while handling that malicious traffic data;
   identifying and classifying the malicious traffic data with a signature-based IDS intrusion detection system to obtain blocking effect data;
   optimizing the blocking strategy on the basis of the task coordination data and the blocking effect data.

8. The method of claim 7, characterized in that optimizing the multi-level network port blocking model on the basis of the task coordination data and the blocking effect data comprises:
   using a Q-Learning reinforcement learning algorithm, guided by reward values, to optimize the multi-level network port blocking model on the basis of the task coordination data and the blocking effect data;
   adjusting the blocking strategy of each level according to the optimized multi-level network port blocking model.

9. The method of claim 8, characterized in that it further comprises:
   when the multi-level network port blocking model monitors an abnormal event at a blocking device, switching quickly to a standby device by traffic mirroring and session persistence, starting the emergency handling procedure, and performing traffic limiting and session migration according to the severity of the abnormal event.

10. A perception security protection system based on a network port protection device, characterized in that it is applied in a network topology to which a network port protection device is connected, the system comprising the following modules:
   an acquisition module, for acquiring level parameters of the network transmission event currently transmitted through the network port, wherein the level parameters include an event confidentiality level, an event time level and an event personnel level;
   a planning module, for predicting the network attack risk level faced by the network transmission event on the basis of the confidentiality level and a risk matrix method, and determining the corresponding network port blocking granularity scheme according to the network attack risk level;
   an adjustment module, for adjusting the port communication strategy in the network topology of the network transmission event by a 0-1 integer programming method on the basis of the event time level and the event personnel level;
   a blocking module, for controlling the network port protection device to block the network port to be blocked according to the network port blocking granularity scheme and the port communication strategy, and acquiring in real time the location distribution and device parameters of the network port protection device in the network topology and the traffic characteristics and behavior characteristics of the network port to be blocked;
   a construction module, for constructing a multi-level network port blocking model from the location distribution, the device parameters, the traffic characteristics and the behavior characteristics;
   an output module, for inputting, during actual security protection, the network port transmission event data detected in real time into the multi-level network port blocking model and determining the corresponding blocking strategy from the output of the multi-level network port blocking model.

11. The system of claim 10, characterized in that the planning module is further used for:
   acquiring historical attack information and extracting from it a decision attribute set that influences the choice of blocking granularity;
   comparing the decision attributes in the set pairwise by importance using the analytic hierarchy process, to obtain the weight of each decision attribute in the set;
   quantifying each decision attribute in the set, constructing a fuzzy evaluation matrix from the quantified values and the corresponding weights, and obtaining the comprehensive evaluation membership degree of each region of the fuzzy evaluation matrix by a fuzzy matrix synthesis operation;
   optimizing the network port blocking granularity scheme according to the comprehensive evaluation membership degree.

12. The system of claim 10, characterized in that the adjustment module is specifically used for:
   extracting traffic indicators of each communication port in the network topology, and constructing a port cascade matrix by correlation analysis and statistical modeling of the traffic indicators, wherein the port cascade matrix reflects the dependency strength between ports;
   establishing a 0-1 integer programming model with the port as its basic unit, on the basis of the port dependency constraints given by the port cascade matrix, the event time level constraint and the event personnel level constraint;
   solving the 0-1 integer programming model and configuring the port communication strategy according to the optimal solution obtained.

13. The system of claim 10, characterized in that the network port protection device comprises an electronic security lock and an electronic key.

14. The system of claim 10, characterized in that the construction module is specifically used for:
   fusing the location distribution, device parameters, traffic characteristics and behavior characteristics and constructing the multi-level network port blocking model with a support vector machine algorithm, wherein the multi-level network port blocking model comprises an aggregation layer model, an access layer model and a core layer model; the aggregation layer model attends to the frequency of external connections from source IPs, the access layer model attends to the number of sensitive port scans against destination IPs, and the core layer model attends to the magnitude of sudden increases in cross-segment communication traffic.

15. The system of claim 10, characterized in that the network port transmission event data includes network port transmission event data of a network tier and the blocking strategy includes discard processing, and that the output module is specifically used for:
   performing anomaly judgment on the network port transmission event data of the different network tiers, and setting, according to the anomaly judgment result, a dynamic threshold matched to the link bandwidth and the device processing capability;
   when the multi-level network port blocking model detects that the magnitude of the network port transmission event data of a network tier exceeds the dynamic threshold, identifying that network port transmission event data as malicious traffic data and discarding the malicious traffic data.

16. The system of claim 10, characterized in that the output module is specifically used for:
   obtaining, through traffic probes and log correlation, the malicious traffic data blocked by the network blocking devices of the different network tiers and the task coordination data generated while handling that malicious traffic data;
   identifying and classifying the malicious traffic data with a signature-based IDS intrusion detection system to obtain blocking effect data;
   optimizing the blocking strategy on the basis of the task coordination data and the blocking effect data.

17. The system of claim 16, characterized in that the output module is further specifically used for:
   using a Q-Learning reinforcement learning algorithm, guided by reward values, to optimize the multi-level network port blocking model on the basis of the task coordination data and the blocking effect data;
   adjusting the blocking strategy of each level according to the optimized multi-level network port blocking model.

18. The system of claim 17, characterized in that the output module is further specifically used for:
   when the multi-level network port blocking model monitors an abnormal event at a blocking device, switching quickly to a standby device by traffic mirroring and session persistence, starting the emergency handling procedure, and performing traffic limiting and session migration according to the severity of the abnormal event.

19. A perception security protection device based on a network port protection device, characterized in that it comprises a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements the perception security protection method of any one of claims 1 to 9.

20. A computer-readable storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the perception security protection method based on a network port protection device of any one of claims 1 to 9.
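Claims 2 and 11 describe a decision pipeline for the blocking granularity: attribute weights from pairwise importance comparisons (analytic hierarchy process), a fuzzy evaluation matrix built from quantified attributes, and a fuzzy synthesis that yields a membership degree per candidate scheme. The following is an added worked example written for this page; it is not the patent's own code. The decision attributes, the four granularity options, the pairwise judgments and the membership matrix are all constructed here, and the geometric-mean weight approximation, Saaty consistency check and the two synthesis operators are this example's choices, since the claims name none.

```python
from math import prod

# Constructed decision problem: candidate blocking granularities and the decision
# attributes assumed to be extracted from historical attack information.
GRANULARITIES = ["single port", "port group", "device", "network segment"]
ATTRIBUTES = ["attack frequency", "attack spread", "asset criticality"]

# Pairwise importance judgments on Saaty's 1-9 scale, row i versus column j (constructed):
# "attack spread" is judged 3x as important as "attack frequency", and so on.
PAIRWISE = [
    [1.0, 1 / 3, 1 / 2],
    [3.0, 1.0, 2.0],
    [2.0, 1 / 2, 1.0],
]

# Fuzzy evaluation matrix R: for each attribute, the membership of each granularity option
# after quantifying that attribute over the historical attacks (constructed; rows sum to 1).
MEMBERSHIP = [
    [0.5, 0.30, 0.15, 0.05],  # frequent, narrow attacks favour fine-grained blocking
    [0.1, 0.25, 0.45, 0.20],  # widely spreading attacks favour coarse-grained blocking
    [0.2, 0.40, 0.30, 0.10],
]

RANDOM_INDEX = {3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24}  # Saaty's random consistency index


def ahp_weights(matrix):
    """Attribute weights by the row geometric-mean approximation of the principal eigenvector."""
    n = len(matrix)
    gm = [prod(row) ** (1.0 / n) for row in matrix]
    total = sum(gm)
    return [g / total for g in gm]


def consistency_ratio(matrix, weights):
    """Saaty consistency ratio; judgments with CR above 0.1 are normally sent back for revision."""
    n = len(matrix)
    if n < 3:
        return 0.0  # a 1x1 or 2x2 comparison matrix is always consistent
    aw = [sum(matrix[i][j] * weights[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / weights[i] for i in range(n)) / n
    ci = (lambda_max - n) / (n - 1)
    return ci / RANDOM_INDEX[n]


def fuzzy_synthesis(weights, membership, operator="weighted"):
    """B = W o R. 'weighted' is the M(.,+) operator, 'maxmin' the M(^,v) operator."""
    cols = range(len(membership[0]))
    if operator == "weighted":
        return [sum(w * row[j] for w, row in zip(weights, membership)) for j in cols]
    if operator == "maxmin":
        return [max(min(w, row[j]) for w, row in zip(weights, membership)) for j in cols]
    raise ValueError(f"unknown synthesis operator: {operator}")


def choose_granularity(pairwise=PAIRWISE, membership=MEMBERSHIP, operator="weighted"):
    """Whole pipeline of claim 2: AHP weights -> consistency check -> fuzzy synthesis -> best scheme.
    Returns (chosen scheme, membership vector B, weights W, consistency ratio)."""
    w = ahp_weights(pairwise)
    cr = consistency_ratio(pairwise, w)
    if cr > 0.1:
        raise ValueError(f"inconsistent pairwise judgments (CR={cr:.2f}); revise the comparisons")
    b = fuzzy_synthesis(w, membership, operator)
    best = max(range(len(b)), key=b.__getitem__)
    return GRANULARITIES[best], b, w, cr


if __name__ == "__main__":
    scheme, b, w, cr = choose_granularity()
    print("weights:", dict(zip(ATTRIBUTES, (round(x, 3) for x in w))), "CR:", round(cr, 3))
    print("membership:", dict(zip(GRANULARITIES, (round(x, 3) for x in b))))
    print("chosen granularity:", scheme)
```

With the constructed judgments the consistency ratio is well under 0.1, "attack spread" carries the largest weight, and both synthesis operators select device-level blocking; the consistency check is the step worth keeping in any real deployment, because an inconsistent comparison matrix silently produces arbitrary weights.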
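Claims 3 and 12 build a port cascade matrix by correlation analysis of per-port traffic indicators and then solve a 0-1 integer program whose constraints come from that matrix, the event time level and the event personnel level. The following added example, written for this page rather than taken from the patent, shows one concrete reading of that model. Everything beyond the claim text is an assumption: Pearson correlation as the dependency measure, the binding threshold DEP_STRONG, the rule that an open port needs every port it strongly depends on to stay open, the per-port time and personnel ratings, the objective of maximizing the summed value of open ports, and exhaustive search as the solver.

```python
from dataclasses import dataclass
from itertools import product
from math import sqrt

DEP_STRONG = 0.7  # assumption: a dependency at or above this value is a binding constraint


@dataclass(frozen=True)
class Port:
    name: str
    value: int         # benefit of leaving the port open (assumed objective weight)
    time_level: int    # highest event time level at which the port may stay open
    person_level: int  # personnel level a user must hold to reach the port


# Constructed ports and per-port traffic series (e.g. packets per minute over six samples).
PORTS = [
    Port("mgmt-ssh", 5, 1, 3),
    Port("scada-poll", 9, 3, 1),
    Port("historian", 7, 3, 2),
    Port("hmi-web", 6, 2, 2),
    Port("vendor-vpn", 4, 2, 3),
]
FLOWS = {
    "mgmt-ssh": [1, 0, 0, 1, 0, 0],
    "scada-poll": [10, 20, 30, 40, 50, 60],
    "historian": [5, 10, 15, 20, 25, 30],  # moves in lock-step with scada-poll
    "hmi-web": [20, 10, 20, 10, 20, 10],
    "vendor-vpn": [0, 0, 0, 0, 0, 0],      # idle port: a constant series
}


def pearson(xs, ys):
    """Correlation of two equal-length series; 0.0 when either is constant (undefined otherwise)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / sqrt(sxx * syy)


def cascade_matrix(flows):
    """Port cascade matrix: pairwise dependency strength derived from the traffic indicators."""
    return {a: {b: pearson(flows[a], flows[b]) for b in flows} for a in flows}


def feasible(x, ports, dep, event_time_level, event_person_level):
    """Check one 0-1 assignment (x[i] == 1 means port i stays open) against all constraints."""
    for i, p in enumerate(ports):
        if not x[i]:
            continue
        # time-level and personnel-level constraints close the port outright
        if p.time_level < event_time_level or p.person_level > event_person_level:
            return False
        # dependency constraint: an open port needs every port it strongly depends on to be open
        for j, q in enumerate(ports):
            if j != i and dep[p.name][q.name] >= DEP_STRONG and not x[j]:
                return False
    return True


def plan_ports(ports, dep, event_time_level, event_person_level):
    """Solve the 0-1 program by exhaustive search (2^n assignments); fine for a handful of
    ports, while a real deployment would hand the same model to an ILP solver."""
    best_value, best_open = -1, []
    for x in product((0, 1), repeat=len(ports)):
        if not feasible(x, ports, dep, event_time_level, event_person_level):
            continue
        value = sum(p.value for p, xi in zip(ports, x) if xi)
        if value > best_value:
            best_value = value
            best_open = [p.name for p, xi in zip(ports, x) if xi]
    return best_value, best_open


if __name__ == "__main__":
    dep = cascade_matrix(FLOWS)
    print(plan_ports(PORTS, dep, event_time_level=2, event_person_level=2))
```

The dependency constraint is what makes the cascade matrix matter: when the personnel level of an event closes the historian port, the SCADA polling port that moves in lock-step with it is closed as well, even though on its own it satisfies every level constraint. The constant series for the idle port is the edge case a correlation-based matrix has to handle, since its variance is zero.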
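Claims 5 and 6 (and 14 and 15) name one indicator per layer of the blocking model and a dynamic threshold tied to link bandwidth and device processing capability; whatever exceeds the threshold is classed as malicious and discarded. The following added example, written for this page and not taken from the patent, computes the three per-layer indicators over a constructed window of flow records and applies such thresholds. The topology, the list of sensitive ports, the event records and the threshold scaling formulas are all assumptions; the claims give no formula, and the SVM stage of claim 5 is not modelled here.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology: two internal segments; any other address counts as external.
SEGMENTS = [ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16")]
# Constructed list of "sensitive" service ports watched by the access-layer indicator.
SENSITIVE_PORTS = {22, 23, 445, 3389}


@dataclass(frozen=True)
class Event:
    """One network port transmission event (a constructed flow record)."""
    src: str
    dst: str
    dport: int
    nbytes: int


def segment_of(ip):
    """Internal segment containing ip, or None when the address is external."""
    addr = ip_address(ip)
    for seg in SEGMENTS:
        if addr in seg:
            return seg
    return None


def layer_features(events):
    """The per-layer indicators named in claim 5, computed over one observation window."""
    external_conns = Counter()   # aggregation layer: external connections per source IP
    probed = defaultdict(set)    # access layer: distinct sensitive ports probed per destination IP
    cross_segment_bytes = 0      # core layer: volume of traffic crossing segments
    for e in events:
        s, d = segment_of(e.src), segment_of(e.dst)
        if d is None:
            external_conns[e.src] += 1
        if e.dport in SENSITIVE_PORTS:
            probed[e.dst].add(e.dport)
        if s is not None and d is not None and s != d:
            cross_segment_bytes += e.nbytes
    return {
        "aggregation": dict(external_conns),
        "access": {ip: len(ports) for ip, ports in probed.items()},
        "core": cross_segment_bytes,
    }


def dynamic_thresholds(link_mbps, device_pps, baseline_cross_bytes):
    """Claim 6 ties the threshold to link bandwidth and device capacity; the scaling used
    here is this example's assumption, not a formula from the patent."""
    return {
        "aggregation": max(10, device_pps // 1000),      # external connections per source per window
        "access": max(2, device_pps // 10_000),          # distinct sensitive ports per destination
        # bytes per window: twice the observed baseline, or 10% of one second of link capacity
        "core": max(2 * baseline_cross_bytes, link_mbps * 125_000 // 10),
    }


def blocking_decisions(events, thresholds):
    """Return (layer, subject, action) tuples; 'drop' marks what the model classes as malicious."""
    f = layer_features(events)
    decisions = []
    for ip, n in f["aggregation"].items():
        if n > thresholds["aggregation"]:
            decisions.append(("aggregation", ip, "drop"))
    for ip, n in f["access"].items():
        if n > thresholds["access"]:
            decisions.append(("access", ip, "drop"))
    if f["core"] > thresholds["core"]:
        decisions.append(("core", "cross-segment", "drop"))
    return decisions


def sample_events():
    """Constructed window: routine cross-segment traffic, one host beaconing out, one host
    touching several sensitive ports on a single destination."""
    evs = [Event("10.1.0.2", "10.2.0.3", 443, 5_000) for _ in range(8)]
    evs += [Event("10.1.0.7", "203.0.113.10", 8443, 300) for _ in range(25)]
    evs += [Event("10.1.0.5", "10.2.0.9", p, 60) for p in (22, 23, 445, 3389)]
    return evs


if __name__ == "__main__":
    th = dynamic_thresholds(link_mbps=100, device_pps=20_000, baseline_cross_bytes=50_000)
    for decision in blocking_decisions(sample_events(), th):
        print(decision)
```

Running it on the constructed window flags the beaconing source at the aggregation layer and the probed destination at the access layer, while the core layer stays quiet because the cross-segment volume is far below both the baseline multiple and the bandwidth-derived bound. Keeping the thresholds a function of capacity, rather than fixed constants, is what lets the same logic serve a 100 Mbit/s access link and a core link without retuning.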

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202411087734.8A (CN118611997B) | 2024-08-09 | 2024-08-09 | Perception safety protection method, system and equipment based on network port protection device


Publications (2)

Publication Number | Publication Date
CN118611997A | 2024-09-06
CN118611997B | 2024-11-08

Family

ID=92561436

Family Applications (1)

Application NumberTitlePriority DateFiling Date
CN202411087734.8AActiveCN118611997B (en)2024-08-092024-08-09Perception safety protection method, system and equipment based on network port protection device

Country Status (1)

CountryLink
CN (1)CN118611997B (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication numberPriority datePublication dateAssigneeTitle
CN119155115A (en)*2024-11-152024-12-17国网浙江省电力有限公司杭州供电公司Website security vulnerability detection method and system
CN119441832A (en)*2025-01-082025-02-14北京科杰科技有限公司 Intelligent task alarm rule self-learning method and system based on supporting priority
CN119544315A (en)*2024-11-272025-02-28广东电网有限责任公司 A data transmission method, device, equipment and storage medium based on network blocking
CN119720527A (en)*2024-12-062025-03-28中国人民解放军火箭军工程大学 A game simulation software architecture based on SOA
CN120389916A (en)*2025-06-302025-07-29济南职业学院 Network security vulnerability detection method and system based on artificial intelligence
CN120301665B (en)*2025-04-252025-10-17睿安致远(北京)信息技术有限公司Network security threat perception recognition response method based on security knowledge graph

Citations (15)

* Cited by examiner, † Cited by third party
Publication numberPriority datePublication dateAssigneeTitle
EP2271047A1 (en)*2009-06-222011-01-05Deutsche Telekom AGGame theoretic recommendation system and method for security alert dissemination
US8578008B1 (en)*2013-07-162013-11-05tw telecom holdings inc.Adjusting network service level on a scheduled basis
US20160036837A1 (en)*2014-08-042016-02-04Microsoft CorporationDetecting attacks on data centers
CN110768846A (en)*2019-10-312020-02-07国网四川省电力公司阿坝供电公司Intelligent substation network safety protection system
CN111404956A (en)*2020-03-252020-07-10深信服科技股份有限公司Risk information acquisition method and device, electronic equipment and storage medium
CN112383503A (en)*2020-09-212021-02-19西安交大捷普网络科技有限公司Network security event processing method
CN115733681A (en)*2022-11-142023-03-03贵州商学院Data security management platform for preventing data loss
CN116155581A (en)*2023-02-072023-05-23浙江大学Network intrusion detection method and device based on graph neural network
US20230269260A1 (en)*2022-02-212023-08-24Fanuo Information Industry Co., LtdBlockchain-based big data analysis and decision-making system and method
CN117155629A (en)*2023-08-292023-12-01广西电网有限责任公司 An artificial intelligence-based active defense method and system for power information system networks
CN117220975A (en)*2023-09-252023-12-12烽火通信科技股份有限公司IP (Internet protocol) decapsulation method, device, equipment and readable storage medium
CN117811806A (en)*2023-12-292024-04-02广州番禺职业技术学院Network threat monitoring and blocking method and system for park network
CN118041687A (en)*2024-04-082024-05-14国网浙江省电力有限公司杭州供电公司Perception safety protection system and method based on network port plugging equipment
CN118170010A (en)*2024-02-022024-06-11东北石油大学 A self-adjustment method for fuzzy network control systems under network attack environments
CN118200055A (en)*2024-05-162024-06-14河北珏胜通讯技术有限公司Data traffic security defense method based on Internet of things

Patent Citations (15)

* Cited by examiner, † Cited by third party
Publication numberPriority datePublication dateAssigneeTitle
EP2271047A1 (en)*2009-06-222011-01-05Deutsche Telekom AGGame theoretic recommendation system and method for security alert dissemination
US8578008B1 (en)*2013-07-162013-11-05tw telecom holdings inc.Adjusting network service level on a scheduled basis
US20160036837A1 (en)*2014-08-042016-02-04Microsoft CorporationDetecting attacks on data centers
CN110768846A (en)*2019-10-312020-02-07国网四川省电力公司阿坝供电公司Intelligent substation network safety protection system
CN111404956A (en)*2020-03-252020-07-10深信服科技股份有限公司Risk information acquisition method and device, electronic equipment and storage medium
CN112383503A (en)*2020-09-212021-02-19西安交大捷普网络科技有限公司Network security event processing method
US20230269260A1 (en)*2022-02-212023-08-24Fanuo Information Industry Co., LtdBlockchain-based big data analysis and decision-making system and method
CN115733681A (en)*2022-11-142023-03-03贵州商学院Data security management platform for preventing data loss
CN116155581A (en)*2023-02-072023-05-23浙江大学Network intrusion detection method and device based on graph neural network
CN117155629A (en)*2023-08-292023-12-01广西电网有限责任公司 An artificial intelligence-based active defense method and system for power information system networks
CN117220975A (en)*2023-09-252023-12-12烽火通信科技股份有限公司IP (Internet protocol) decapsulation method, device, equipment and readable storage medium
CN117811806A (en)*2023-12-292024-04-02广州番禺职业技术学院Network threat monitoring and blocking method and system for park network
CN118170010A (en)*2024-02-022024-06-11东北石油大学 A self-adjustment method for fuzzy network control systems under network attack environments
CN118041687A (en)*2024-04-082024-05-14国网浙江省电力有限公司杭州供电公司Perception safety protection system and method based on network port plugging equipment
CN118200055A (en)*2024-05-162024-06-14河北珏胜通讯技术有限公司Data traffic security defense method based on Internet of things

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
杨正权;靳明星;张晓东;: ""零信任"在云化业务中的安全技术研究", 信息安全与通信保密, no. 03, 10 March 2020 (2020-03-10)*
马晓亮;孙艳红;: "基于远程评估分析的政务系统安全防护研究", 电脑知识与技术, no. 21, 25 July 2018 (2018-07-25)*

Cited By (8)

* Cited by examiner, † Cited by third party
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN119155115A (en)* | 2024-11-15 | 2024-12-17 | 国网浙江省电力有限公司杭州供电公司 | Website security vulnerability detection method and system |
| CN119544315A (en)* | 2024-11-27 | 2025-02-28 | 广东电网有限责任公司 | A data transmission method, device, equipment and storage medium based on network blocking |
| CN119720527A (en)* | 2024-12-06 | 2025-03-28 | 中国人民解放军火箭军工程大学 | A game simulation software architecture based on SOA |
| CN119720527B (en)* | 2024-12-06 | 2025-10-17 | 中国人民解放军火箭军工程大学 | SOA-based game simulation software architecture |
| CN119441832A (en)* | 2025-01-08 | 2025-02-14 | 北京科杰科技有限公司 | Intelligent task alarm rule self-learning method and system based on supporting priority |
| CN119441832B (en)* | 2025-01-08 | 2025-05-16 | 北京科杰科技有限公司 | Intelligent task alarm rule self-learning method and system based on supporting priority |
| CN120301665B (en)* | 2025-04-25 | 2025-10-17 | 睿安致远(北京)信息技术有限公司 | Network security threat perception recognition response method based on security knowledge graph |
| CN120389916A (en)* | 2025-06-30 | 2025-07-29 | 济南职业学院 | Network security vulnerability detection method and system based on artificial intelligence |

Also Published As

| Publication number | Publication date |
|---|---|
| CN118611997B (en) | 2024-11-08 |

Similar Documents

| Publication | Publication Date | Title |
|---|---|---|
| US12225045B2 (en) | | Incorporating software-as-a-service data into a cyber threat defense system |
| US11997113B2 (en) | | Treating data flows differently based on level of interest |
| US20230095415A1 (en) | | Helper agent and system |
| CN118611997B (en) | | Perception safety protection method, system and equipment based on network port protection device |
| US11415425B1 (en) | | Apparatus having engine using artificial intelligence for detecting behavior anomalies in a computer network |
| Calvo et al. | | A model for risk-based adaptive security controls |
| Bezas et al. | | Comparative analysis of open source security information & event management systems (SIEMs) |
| US20250030744A1 (en) | | Contextualized cyber security awareness training |
| Qin et al. | | Symmetry degree measurement and its applications to anomaly detection |
| Janabi et al. | | Survey: Intrusion detection system in software-defined networking |
| Zacaron et al. | | Generative adversarial network models for anomaly detection in software-defined networks |
| Alzu'bi et al. | | Cyberattack event logs classification using deep learning with semantic feature analysis |
| Asif et al. | | An efficient intrusion detection system using advanced machine learning techniques in software-defined networks (SDN) for healthcare system |
| Tutuncuoglu | | Silent Shields: AI-Powered Behavioral Defense Against Real-Time Cyber Threats in Web Hosting Environments |
| Goundar | | Blockchain-AI Integration for Resilient Real-time Cyber Security |
| Smolyakova et al. | | Traditional IOCs Meet Dynamic App-Device Interactions for IoT-Specific Threat Intelligence |
| Jiang et al. | | Agent-based self-adaptable context-aware network vulnerability assessment |
| Tomás | | Using Machine Learning (ML) for Anomaly Detection over Traffic Present in Service Mesh Architectures |
| Sangodoyin | | Design and Analysis of Anomaly Detection and Mitigation Schemes for Distributed Denial of Service Attacks in Software Defined Network. An Investigation into the Security Vulnerabilities of Software Defined Network and the Design of Efficient Detection and Mitigation Techniques for DDoS Attack using Machine Learning Techniques |
| US20250286903A1 (en) | | Enhanced encrypted traffic analysis via integrated entropy estimation and neural network-based feature hybridization |
| Johnson | | Survey: Intrusion Detection System in Software-Defined Networking |
| Muzemil | | Blockchain Activity Data for Use in Collaborative Intrusion Detection Systems |
| Zaman | | A collaborative architecture for distributed intrusion detection system based on lightweight modules |
| Zolanvari | | Addressing Pragmatic Challenges in Utilizing AI for Security of Industrial IoT |
| Shen | | Machine Learning and Knowledge-Based Integrated Intrusion Detection Schemes |

Legal Events

| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |
| | GR01 | Patent grant | |
