CN117596009A - Local security management system and method - Google Patents
Publication number: CN117596009A (application CN202311291873.8A)
Authority: CN (China)
Prior art keywords: data, analysis, security, cloud, module
Legal status: Withdrawn (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications (H—Electricity; H04—Electric communication technique; H04L—Transmission of digital information, e.g. telegraphic communication):
- H04L63/20 — Network architectures or network communication protocols for network security (H04L63/00), for managing network security; network security policies in general
- H04L63/1441 — Network architectures or network communication protocols for network security, for detecting or protecting against malicious traffic (H04L63/14); countermeasures against malicious traffic
- H04L2463/146 — Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 (H04L2463/00); tracing the source of attacks
Description
Technical field
The invention relates to the field of network security technology, and in particular to a local security management system and method.
Background
At present, traditional local security protection measures essentially cover the network, host, application and data layers, yet network security risks remain.
The main requirements are as follows. Security situation awareness: forming an overall picture of the security situation, together with a short-term forecast, for the whole of an organization's network or for a specific period; situation analysis gives good insight into the organization's overall internal security state, and quantified evaluation indicators are needed so that the current situation can be understood intuitively. Network threat detection: detecting network threats in real time, eliminating the data fragmentation caused by security silos, and monitoring the security state of every component of the network in real time, covering both the security events detected by the IPS (Intrusion Prevention System) on its own and the high-risk network behaviour discovered by correlating the IPS with the audit system.
There is also a need for insider threat discovery: insider threats are generally hard to detect and prevent, yet statistics show that more than 2/3 of security attacks and data leaks originate inside the organization, so the local platform must be able to build scenario-based security models of various kinds in order to discover insider violations and high-risk operations quickly and accurately. And a need for attack tracing and forensics: at present it is hard to find the source of a security event, to uncover the attack process and to understand the state of an attack, so attack tracing and evidence collection must be implemented for security events.
Therefore, a local security management platform is urgently needed that can give intuitive insight into the current security situation, eliminate security silos and monitor the security state of each network component in real time, discover internal dangers quickly and accurately, and perform attack tracing and forensics.
Summary of the invention
The present invention is proposed in view of the problems posed by existing network security risks.
The problem to be solved by the present invention is therefore how to find the source of a security event and uncover the attack process, so as to realise attack tracing and forensics.
To solve the above technical problems, the present invention provides the following technical solutions:
In a first aspect, an embodiment of the present invention provides a local security management system comprising a command and operations unit, which includes a security situation analysis module, a security event management module, a tracing analysis module, a response and handling module, an assessment and improvement module and a command and dispatch module. The security situation analysis module sets, and displays, the data types that the detection and analysis unit and the command and operations unit need to show for analysis; the security event management module configures query conditions and configures an association table mapping security events to severity levels and threat scores; the tracing analysis module has several built-in threat tracing methods; the response and handling module visually orchestrates security policies; and the command and dispatch module carries built-in task-planning content packs. The system further comprises a detection and analysis unit that includes multiple engine tools and detection tools for detecting and analysing the instrumentation data and sample data recorded by the neuron unit.
In a preferred embodiment of the local security management system of the present invention, the security event management module is specifically used to configure query conditions and, according to them, to call the engine tools of the detection and analysis unit; to continuously and automatically analyse, correlate and integrate attack-related security data; to generate security events in attack time order; to obtain the severity level and threat score from the association table; and, after labelling each security event with its severity level and threat score, to convert the events into a visual attack chain graph. The threat tracing methods include various kinds of interactive search analysis and the display of automated threat tracing results. In interactive search analysis, multiple field keywords are set for each threat type, a custom query is made over a time window, filter conditions are set, and the query is run along the timeline dimension to trace and display the course of the security event together with its full context; the associated log, traffic and alert information is aggregated automatically, and drilling down into the log and traffic data yields the path to the source of the threat. Security policies include daily security tasks, response plans, alerts and event handling; daily security tasks, triggered on a schedule or manually, perform routine detection of all local threats; response plans preset action scripts that integrate with a variety of mainstream devices and systems, raising alerts and driving those devices and systems to handle the event. The task-planning content pack includes the phases of the network protection exercise and the key tasks and descriptions of each phase, and according to those key tasks the neuron unit, detection and analysis unit, big data unit and cloud service unit are planned, decomposed, assigned, tracked and scheduled. The assessment and improvement module evaluates and analyses security events and provides improvement plans.
In a preferred embodiment of the local security management system of the present invention, the assessment and improvement module also provides visual BI analysis, asset analysis and assessment, an intelligent dashboard, automated reporting and continuous assessment. Visual BI analysis presents security events as charts, including histograms, line charts, area charts, pie charts and tables. The dimensions of asset analysis and assessment include asset importance, asset vulnerability, and the threats and attacks the asset has suffered. The intelligent dashboard displays security events through the interface, drills directly down to the detailed content of a security event, and from that content drills further down to the associated assets and the source of the threat. Automated reporting, once a reporting period is configured, generates predefined reports automatically according to preset "macros"; the reports give statistics on the security overview, events, IP addresses, ports, services, the severity levels and threat scores of security events, attack types and users.
In a preferred embodiment of the local security management system of the present invention, the system further comprises a neuron unit that collects instrumentation data and sample data, grouped by detection device and response product; the neuron unit dynamically adjusts the scope of the instrumentation according to the scheduling of the command and operations unit and uploads instrumentation data to the detection and analysis unit on demand. A cloud service unit interacts with the detection and analysis unit.
In a preferred embodiment of the local security management system of the present invention, the endpoint neuron includes endpoint behaviour records and user behaviour records. Endpoint behaviour records cover file behaviour, registry behaviour, process operation behaviour, file drop behaviour, memory operation behaviour and process network access behaviour; user behaviour records cover users' web access, account logins, application installation and execution, and peripheral usage. The network neuron records network behaviour in full: it supports DPI and DFI analysis of network traffic, high-speed high-volume capture, collection of mirrored (bypass) traffic from multiple network ports in AF_PACKET or DPDK mode, and capture allow/deny lists; it supports automatic splitting and extraction of the captured traffic by various packet-capture tools and converts the full network traffic into standardized fields for storage; it supports storing the complete raw PCAP packets; and it supports reconstructing executable files, document files and compressed files carried over multiple transport protocols.
In a preferred embodiment of the local security management system of the present invention, the scanning cloud provides multi-dimensional detection and malware scanning and removal services from the cloud; the sandbox cloud provides subscription services for a variety of cloud sandboxes, covering different endpoints, systems, applications and scenarios, and combines behavioural analysis with traditional signature matching through automated or human-machine collaborative sandboxing to discover unknown threats; the analysis cloud exposes its capabilities externally through API calls and provides a platform service on which external experts develop and run new analysis tools; the knowledge cloud provides a cloud subscription service for information on attackers' techniques and tactics, attack tools and attacker groups.
In a preferred embodiment of the local security management system of the present invention, the vulnerability cloud provides cloud subscription services for a public vulnerability submission program, an enterprise-specific SRC (security response center), targeted crowdsourced vulnerability testing, and threat intelligence based on vulnerability awareness; the intelligence cloud provides threat intelligence queries and cloud subscription services through intelligence integration, in-depth analysis and an API; the expert cloud provides a cloud subscription service for expert consultation; the live-exercise cloud analyses offensive and defensive techniques and tactics through a cloud attack-behaviour analysis centre, produces attack-and-defence result reports, and also provides cloud subscription services for defence plan validation, emergency response training, security device evaluation and in-depth assessment of information systems; the training cloud provides a cloud subscription service for security training courses.
In a preferred embodiment of the local security management system of the present invention, the big data unit includes a data collection module, a data parsing module, a data standardization module, a data enrichment module, a data storage module, and a data retrieval and computation module. The data collection module collects data in different formats from various data sources; the data parsing module parses the collected raw data and extracts fields from it;
the data standardization module normalizes the processed and converted data into a prescribed data format and model; the data enrichment module adds background information and context to the data; the data storage module is responsible for persistent storage of the data and supports compression and indexing; the data retrieval and computation module performs complex querying, statistics and mining of the stored data and extracts value from it in real time or in batch; and a data service module provides data services externally and returns the analysis and computation results.
In a preferred embodiment of the local security management system of the present invention, the engine tools include at least one of: a scanning (anti-malware) engine, an API detection engine, an endpoint behaviour analysis engine, a network behaviour analysis engine, a sandbox detection engine, a correlation analysis engine, an intelligence detection engine and an AI analysis engine; the detection tools include sample cloud detection and ATT&CK detection.
In a second aspect, an embodiment of the present invention provides a local security management platform method in which the big data unit uses a distributed storage architecture comprising the following steps: data preprocessing, in which the raw data set is cleaned, de-noised and formatted into a structured data format; data splitting, in which the large data set is split into multiple data blocks according to set rules; metadata creation, in which the data source, data format and storage location of each data block are recorded as metadata and stored on the Master node; block storage, in which the data blocks are replicated to multiple data nodes in the cluster, with a configurable number of replicas; data reading, in which the computation program reads the blocks to be processed from the data nodes in parallel according to the metadata; computation and analysis, in which distributed computation and analysis are performed on the data according to the business logic; and result return, in which the results from all data nodes are aggregated and the assembled final result is returned to the user or application.
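As an added illustration that is not part of the patent, the seven steps above can be modelled in a single process: a master that holds only metadata, a set of data nodes holding replicated blocks, and a parallel read-compute-aggregate pass. The records, the node names, the block size and the round-robin replica placement are all constructed for the example; a real deployment would use a distributed file system rather than in-memory objects.

```python
"""Added example: an in-process model of the distributed storage steps
(preprocess, split, metadata on a master, replicate to data nodes, parallel
read, per-block compute, aggregate). Records and node names are constructed."""
from collections import Counter
from concurrent.futures import ThreadPoolExecutor
import json

# Constructed raw records: JSON lines mixed with noise that preprocessing must drop.
RAW_RECORDS = [
    '{"src": "10.0.0.5", "action": "login_fail"}',
    'not json at all',
    '{"src": "10.0.0.5", "action": "login_fail"}',
    '{"src": "10.0.0.7", "action": "login_ok"}',
    '',
    '{"src": "10.0.0.5", "action": "login_fail"}',
    '{"src": "10.0.0.9", "action": "login_fail"}',
    '{"src": "10.0.0.7", "action": "login_ok"}',
]


def preprocess(lines):
    """Step 1: clean and de-noise; keep only parseable records with the needed fields."""
    out = []
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue
        if isinstance(rec, dict) and {"src", "action"}.issubset(rec):
            out.append(rec)
    return out


def split_blocks(records, block_size):
    """Step 2: cut the structured data set into fixed-size blocks."""
    return [records[i:i + block_size] for i in range(0, len(records), block_size)]


class Master:
    """Step 3: the master holds only metadata, never the data itself."""
    def __init__(self):
        self.metadata = {}

    def register(self, block_id, source, fmt, locations):
        self.metadata[block_id] = {"source": source, "format": fmt, "locations": list(locations)}


class DataNode:
    def __init__(self, name):
        self.name, self.blocks = name, {}

    def put(self, block_id, block):
        self.blocks[block_id] = block

    def get(self, block_id):
        return self.blocks[block_id]


def store_blocks(blocks, nodes, master, replicas):
    """Step 4: place each block on `replicas` nodes chosen round-robin, then register it."""
    for i, block in enumerate(blocks):
        targets = [nodes[(i + r) % len(nodes)] for r in range(replicas)]
        for node in targets:
            node.put(i, block)
        master.register(i, "auth_log", "json", [n.name for n in targets])


def read_and_compute(master, live_nodes, per_block_fn):
    """Steps 5 and 6: read every block in parallel from its first live replica and
    apply the per-block computation; a block with no live replica is an error."""
    def work(block_id):
        for loc in master.metadata[block_id]["locations"]:
            if loc in live_nodes:
                return per_block_fn(live_nodes[loc].get(block_id))
        raise RuntimeError(f"block {block_id} has no live replica")
    with ThreadPoolExecutor() as pool:
        return list(pool.map(work, sorted(master.metadata)))


def count_failed_logins(block):
    """Business logic for one block: login failures per source address."""
    return Counter(r["src"] for r in block if r["action"] == "login_fail")


def run_pipeline(raw_lines, node_names=("n1", "n2", "n3"), block_size=2, replicas=2, down=()):
    """All seven steps end to end; `down` names nodes that are unreachable at read time."""
    records = preprocess(raw_lines)
    master, nodes = Master(), [DataNode(n) for n in node_names]
    store_blocks(split_blocks(records, block_size), nodes, master, replicas)
    live = {n.name: n for n in nodes if n.name not in down}
    total = Counter()
    for partial in read_and_compute(master, live, count_failed_logins):
        total.update(partial)                        # step 7: aggregate and return
    return dict(total)


if __name__ == "__main__":
    print(run_pipeline(RAW_RECORDS))                 # {'10.0.0.5': 3, '10.0.0.9': 1}
    print(run_pipeline(RAW_RECORDS, down=("n2",)))   # same result: replicas cover the loss
```

The point of the replica count becomes visible when a node is marked down: with two replicas the result is unchanged when one node is lost, and `read_and_compute` raises only when every replica of some block is unreachable, which is the condition an operator should alert on.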
The beneficial effects of the present invention are as follows. The neuron unit rapidly captures the usage data and network data of the detection devices and response products in the user's environment; the big data unit works on the data obtained by the neuron unit; the detection and analysis unit and the cloud service unit respectively provide security retrieval and updates that improve the security service; by collecting instrumentation data and sample data by category, the neuron unit eliminates security silos and monitors the security state of each network component in real time; the command and operations unit performs security situation analysis, security event management, tracing analysis, response and handling, assessment and improvement, and command and dispatch, so as to discover internal dangers quickly and accurately and perform attack tracing and forensics. Through the above arrangement, monitoring covers both the security products and the big data, giving intuitive insight into the current security situation, eliminating security silos, monitoring the security state of every network component in real time, discovering internal dangers quickly and accurately, and realising attack tracing and forensics.
Description of the drawings
To explain the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort. In the drawings:
Figure 1 is the system architecture diagram of the local security management platform system of Embodiment 1.
Figure 2 is the large-screen display interface of the command and operations centre of the local security management platform system of Embodiment 1.
Figure 3 is the large-screen display interface of the big data centre of the local security management platform system of Embodiment 1.
Figure 4 is the large-screen display interface of the detection and analysis centre of the local security management platform system of Embodiment 1.
Figure 5 is the local security large-screen display interface of the local security management platform system of Embodiment 2.
Detailed description of the embodiments
To make the above objects, features and advantages of the present invention clearer and easier to understand, specific embodiments of the present invention are described in detail below with reference to the accompanying drawings.
Many specific details are set out in the following description to allow a full understanding of the present invention, but the present invention can also be implemented in ways other than those described here, and those skilled in the art can make similar generalizations without departing from its meaning; the present invention is therefore not limited to the specific embodiments disclosed below.
Secondly, "one embodiment" or "an embodiment" as used here refers to a particular feature, structure or characteristic that may be included in at least one implementation of the present invention. Occurrences of "in one embodiment" in different places in this specification do not all refer to the same embodiment, nor to separate or alternative embodiments that are mutually exclusive of other embodiments.
Embodiment 1
Referring to Figures 1 to 4, a first embodiment of the present invention provides a local security management system comprising a neuron unit, a cloud service unit, a detection and analysis unit, a big data unit and a command and operations unit. The neuron unit is connected to the big data unit; the big data unit is connected to the detection and analysis unit and to the command and operations unit; and the cloud service unit is connected to the detection and analysis unit and to the command and operations unit.
Specifically, the command and operations unit includes a security situation analysis module, a security event management module, a tracing analysis module, a response and handling module, an assessment and improvement module and a command and dispatch module. The security situation analysis module sets the data types that the detection and analysis unit and the command and operations unit need to display for analysis, and displays them.
Further, the security event management module configures query conditions and an association table mapping security events to severity levels and threat scores; calls the engine tools of the detection and analysis unit according to the query conditions; continuously and automatically analyses, correlates and integrates attack-related security data; generates security events in attack time order; obtains the severity level and threat score from the association table; and, after labelling each security event with its severity level and threat score, converts the events into a visual attack chain graph.
Further still, the tracing analysis module has several built-in threat tracing methods, including various kinds of interactive search analysis and the display of automated threat tracing results. In interactive search analysis, multiple field keywords are set for each threat type, a custom query is made over a time window, filter conditions are set, and the query is run along the timeline dimension to trace and display the course of the security event together with its full context; the associated log, traffic and alert information is aggregated automatically, and drilling down into the log and traffic data yields the path to the source of the threat.
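The event correlation and scoring of the previous paragraph, the time-window search and drill-down of this one, and the parsing and standardization steps of the big data unit described in the summary can be shown together in one small working model. The following is an added example written for this page, not code from the patent or its applicant: the association table, the raw alert lines and the host addresses are constructed, and the chain-building rule (an event joins a chain when its source is the previous event's source or destination) is an assumption of the example, not a rule the patent specifies.

```python
"""Added example: parse raw alerts, score them from a severity/threat-score
association table, order them into attack chains, and search a time window
to drill down to the source host. All sample data here is constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed association table: event type -> (severity level, threat score).
ASSOCIATION_TABLE = {
    "port_scan":   ("low",      20),
    "brute_force": ("medium",   50),
    "c2_beacon":   ("high",     80),
    "data_exfil":  ("critical", 95),
}

# Constructed raw alert lines in the key=value form a collector might emit.
RAW_ALERTS = [
    "ts=2024-03-01T10:00:05 src=10.0.0.5 dst=10.0.1.20 type=port_scan",
    "ts=2024-03-01T10:03:10 src=10.0.0.5 dst=10.0.1.20 type=brute_force",
    "ts=2024-03-01T10:10:40 src=10.0.1.20 dst=203.0.113.7 type=c2_beacon",
    "ts=2024-03-01T10:20:00 src=10.0.1.20 dst=203.0.113.7 type=data_exfil",
    "ts=2024-03-01T11:00:00 src=10.0.0.9 dst=10.0.1.30 type=port_scan",
]


def parse_alert(line):
    """Parsing and standardization: one raw line -> one normalized event dict."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {"ts": datetime.fromisoformat(fields["ts"]), "src": fields["src"],
            "dst": fields["dst"], "type": fields["type"]}


def score_event(event):
    """Label the event with severity and threat score from the association table."""
    severity, score = ASSOCIATION_TABLE.get(event["type"], ("unknown", 0))
    return {**event, "severity": severity, "threat_score": score}


def build_attack_chains(events):
    """Order events by time and link them into chains. Assumed rule: an event
    joins a chain when its source is the previous event's source (same attacker
    continuing) or its destination (a compromised host acting as a pivot)."""
    chains = []
    for ev in sorted(map(score_event, events), key=lambda e: e["ts"]):
        for chain in chains:
            last = chain[-1]
            if ev["src"] in (last["src"], last["dst"]):
                chain.append(ev)
                break
        else:
            chains.append([ev])
    return chains


def chain_score(chain):
    """Chain threat score: highest event score plus 2 per extra hop, capped at 100."""
    return min(100, max(e["threat_score"] for e in chain) + 2 * (len(chain) - 1))


def search_window(events, start_iso, end_iso, **filters):
    """Interactive search: ISO time window plus field filters, ordered on the timeline."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    hits = [e for e in map(score_event, events)
            if start <= e["ts"] < end and all(e.get(k) == v for k, v in filters.items())]
    return sorted(hits, key=lambda e: e["ts"])


def trace_source(events, host):
    """Drill down from a host to the origin: follow the earliest event targeting
    each host back to its source until no earlier source exists or a loop appears."""
    by_dst = defaultdict(list)
    for e in events:
        by_dst[e["dst"]].append(e)
    path, seen = [host], {host}
    while by_dst.get(host):
        host = min(by_dst[host], key=lambda e: e["ts"])["src"]
        if host in seen:
            break
        path.append(host)
        seen.add(host)
    return list(reversed(path))      # origin first


if __name__ == "__main__":
    events = [parse_alert(line) for line in RAW_ALERTS]
    for chain in build_attack_chains(events):
        print(chain_score(chain), " -> ".join(f"{e['type']}({e['src']}>{e['dst']})" for e in chain))
    print(trace_source(events, "203.0.113.7"))
```

Run stand-alone, the script links the scan, brute force, beacon and exfiltration into one scored chain, leaves the later unrelated scan as a second chain, and traces the external destination back through the pivot host to the internal origin; `search_window` is the timeline query, and any field of the normalized event (src, dst, type, severity) can be used as a filter.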
Specifically, the response and handling module visually orchestrates security policies; security policies include daily security tasks, response plans, alerts and event handling; daily security tasks, triggered on a schedule or manually, perform routine detection of all local threats; response plans preset action scripts that integrate with a variety of mainstream devices and systems, raising alerts and driving those devices and systems to handle the event.
Further, the command and dispatch module carries built-in task-planning content packs; a task-planning content pack includes the phases of the network protection exercise and the key tasks and descriptions of each phase, and according to those key tasks the neuron unit, detection and analysis unit, big data unit and cloud service unit are planned, decomposed, assigned, tracked and scheduled.
Further still, the assessment and improvement module evaluates and analyses security events and provides improvement plans.
Specifically, the assessment and improvement module also provides visual BI analysis, asset analysis and assessment, an intelligent dashboard, automated reporting and continuous assessment.
It should be noted that visual BI analysis presents security events as charts, including histograms, line charts, area charts, pie charts and tables; the dimensions of asset analysis and assessment include asset importance, asset vulnerability, and the threats and attacks the asset has suffered; the intelligent dashboard displays security events through the interface, drills directly down to the detailed content of a security event, and from that content drills further down to the associated assets and the source of the threat; automated reporting, once a reporting period is configured, generates predefined reports automatically according to preset "macros", giving statistics on the security overview, events, IP addresses, ports, services, the severity levels and threat scores of security events, attack types and users.
Specifically, the detection and analysis unit includes multiple engine tools and detection tools for detecting and analysing the instrumentation data and sample data recorded by the neuron unit.
Further, the engine tools include a scanning (anti-malware) engine, an API detection engine, an endpoint behaviour analysis engine, a network behaviour analysis engine, a sandbox detection engine, a correlation analysis engine, an intelligence detection engine and an AI analysis engine; the detection tools include sample cloud detection and ATT&CK detection.
Specifically, after analysis and processing the intelligence detection engine produces the following kinds of intelligence. Compromise detection intelligence: intelligence about attackers' remote command-and-control servers, used to discover internal compromised hosts controlled by APT groups, botnets, Trojans, backdoor tools and the like. This intelligence is pushed to the threat intelligence platform to meet the need for high-speed queries.
Further, file reputation: the sample reputation database relies on the vendor's own strong sample collection capability and advanced machine learning to identify malware. Indexed by the file's hash, it records whether a file is known-good, whether it is malicious, the malware type, family information and so on, and for known Trojans and worms it provides the corresponding network IOCs. Sample reputation data is held in a local cache; entries that miss the cache are looked up in the cloud.
Further still, IP intelligence: intelligence about attacking IP addresses on the Internet, including whether the address has a history of attacks, whether it is an IDC host, whether it is a puppet (bot) host, whether it is a proxy or Tor node, whether it is probably a scanning bot, and so on; it is used to filter out higher (or lower) priority attack events or to learn the attacker's background. IP intelligence is very large in volume and changes quickly, so it is queried mainly from the cloud.
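The file-reputation lookup (local cache first, cloud on a miss) and the use of IP intelligence to rank attack events, as described in the two paragraphs above, can be shown in one added example that is not the patent's code. The cloud reputation table, the IP intelligence records, the hashes and the priority weights are constructed for the example; the record attributes follow the lists in the text, but the weights are the example's own and do not come from the patent.

```python
"""Added example: file-reputation lookup through a bounded local cache with a
simulated cloud fallback, and an IP-intelligence score used to rank attack
events. The reputation data, IP records and weights are all constructed."""
from collections import OrderedDict
import hashlib

# Constructed stand-in for the cloud sample-reputation service, indexed by SHA-256.
CLOUD_FILE_REPUTATION = {
    hashlib.sha256(b"benign installer").hexdigest():
        {"whitelisted": True, "malicious": False, "type": None, "family": None, "iocs": []},
    hashlib.sha256(b"dropper sample").hexdigest():
        {"whitelisted": False, "malicious": True, "type": "trojan",
         "family": "ExampleFam", "iocs": ["c2.example.invalid:443"]},
}
UNKNOWN_VERDICT = {"whitelisted": False, "malicious": False, "type": None, "family": None, "iocs": []}


class ReputationClient:
    """LRU cache in front of the cloud lookup; cloud_calls counts cache misses."""

    def __init__(self, cloud, capacity=2):
        self.cloud, self.capacity = cloud, capacity
        self.cache, self.cloud_calls = OrderedDict(), 0

    def lookup(self, file_bytes):
        digest = hashlib.sha256(file_bytes).hexdigest()
        if digest in self.cache:                      # local hit: no cloud round trip
            self.cache.move_to_end(digest)
            return self.cache[digest]
        self.cloud_calls += 1                         # miss: query the cloud, then cache
        verdict = self.cloud.get(digest, UNKNOWN_VERDICT)
        self.cache[digest] = verdict
        if len(self.cache) > self.capacity:
            self.cache.popitem(last=False)            # evict the least recently used entry
        return verdict


# Constructed IP-intelligence records with the attributes listed in the text.
IP_INTEL = {
    "198.51.100.10": {"history": True,  "idc": False, "puppet": True,  "proxy_or_tor": False, "scanner": False},
    "198.51.100.20": {"history": False, "idc": True,  "puppet": False, "proxy_or_tor": False, "scanner": True},
    "198.51.100.30": {"history": True,  "idc": False, "puppet": False, "proxy_or_tor": True,  "scanner": False},
}


def ip_priority(ip, intel=IP_INTEL):
    """Priority 0-100 for an attacking address. Weights are the example's own:
    prior attacks and puppet hosts raise priority, anonymising infrastructure
    raises it slightly, mass scanners and generic IDC hosts lower it."""
    rec = intel.get(ip)
    if rec is None:
        return 50                                     # unknown address: neutral
    score = 50
    score += 30 if rec["history"] else 0
    score += 20 if rec["puppet"] else 0
    score += 10 if rec["proxy_or_tor"] else 0
    score -= 25 if rec["scanner"] else 0
    score -= 5 if rec["idc"] else 0
    return max(0, min(100, score))


def prioritize_events(events, threshold=60):
    """Keep events whose source scores at or above the threshold, highest first."""
    ranked = sorted(events, key=lambda e: ip_priority(e["src"]), reverse=True)
    return [e for e in ranked if ip_priority(e["src"]) >= threshold]


if __name__ == "__main__":
    client = ReputationClient(CLOUD_FILE_REPUTATION)
    print(client.lookup(b"dropper sample")["family"], client.cloud_calls)
    print(client.lookup(b"dropper sample")["family"], client.cloud_calls)   # served from cache
    print([e["src"] for e in prioritize_events(
        [{"src": "198.51.100.20"}, {"src": "198.51.100.10"}, {"src": "198.51.100.30"}])])
```

Two details matter in practice: the cache is bounded and evicts by recency, so a burst of never-seen hashes cannot grow it without limit, and an address missing from the intelligence feed gets a neutral score rather than being silently dropped from the queue.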
具体的,TTP情报,有关攻击者工具、技术、技战术手法的情报,具体包括和客户相关的攻击事件、恶意样本、软件漏洞等分析报告和预警通告,内容一般包括事件危害、影响范围、攻击机制、防范或检查机制能力。可以帮助组织提前预防攻击,并且有针对性的增强安全架构。Specifically, TTP intelligence refers to information about attacker tools, techniques, technical and tactical methods, including analysis reports and early warning notices on customer-related attack events, malicious samples, software vulnerabilities, etc. The content generally includes event hazards, scope of impact, and attacks. Mechanisms, prevention or inspection mechanism capabilities. It can help organizations prevent attacks in advance and enhance security architecture in a targeted manner.
Further, sample cloud detection includes terminal file landing (on-disk) detection, virus engine detection and malicious sample detection.
It should be noted that the AI analysis engine uses AI techniques to carry out advanced threat detection tasks in two steps: first, feature engineering techniques such as feature combination and feature selection are used to construct a suitable feature set; second, a suitable machine learning or deep learning technique is selected and trained on that feature set. Commonly used malicious sample features include statistical and categorical features such as connection duration, number of packets, number of bytes, protocol type and network traffic length.
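The two-step process above (feature set construction, then training), as an added example that is not the patent's own code: the flow records, the derived features and the nearest-centroid model are assumptions made for illustration, standing in for whatever model a real engine would train.

```python
"""Two-step AI analysis engine: (1) build a feature set from raw flow
statistics, (2) train a model on it.

Added example, not the patent's code. The flow records, derived features and
nearest-centroid model are assumptions; a real engine would use a richer model.
"""
import math

PROTOCOLS = ("tcp", "udp", "icmp")          # categorical feature, one-hot encoded


def flow_features(flow):
    """Step 1, feature combination: raw statistics (duration, packets, bytes, protocol, payload length) plus derived ratios."""
    dur = max(flow["duration_s"], 1e-3)     # guard against zero-length flows
    pkts = max(flow["packets"], 1)
    feats = [
        math.log1p(flow["duration_s"]),
        math.log1p(flow["packets"]),
        math.log1p(flow["bytes"]),
        flow["bytes"] / pkts,               # mean packet size
        flow["packets"] / dur,              # packet rate (beacons are slow and regular)
        math.log1p(flow["payload_len"]),
    ]
    return feats + [1.0 if flow["protocol"] == p else 0.0 for p in PROTOCOLS]


class NearestCentroid:
    """Step 2: standardise features, drop constant ones (feature selection),
    then keep one centroid per class."""

    def fit(self, X, y):
        n, d = len(X), len(X[0])
        mean = [sum(r[j] for r in X) / n for j in range(d)]
        std = [math.sqrt(sum((r[j] - mean[j]) ** 2 for r in X) / n) for j in range(d)]
        self.keep = [j for j in range(d) if std[j] > 0]      # constant columns carry no signal
        self.mean, self.std = [mean[j] for j in self.keep], [std[j] for j in self.keep]
        self.centroids = {}
        for label in set(y):
            rows = [self._z(r) for r, l in zip(X, y) if l == label]
            self.centroids[label] = [sum(z[i] for z in rows) / len(rows) for i in range(len(self.keep))]
        return self

    def _z(self, r):
        return [(r[j] - m) / s for j, m, s in zip(self.keep, self.mean, self.std)]

    def predict(self, r):
        z = self._z(r)
        return min(self.centroids, key=lambda l: sum((a - b) ** 2 for a, b in zip(z, self.centroids[l])))


# Constructed labelled flows: short client sessions vs. long, low-volume beaconing.
TRAINING_FLOWS = [
    ({"duration_s": 0.4, "packets": 18, "bytes": 14200, "payload_len": 12900, "protocol": "tcp"}, "benign"),
    ({"duration_s": 1.1, "packets": 40, "bytes": 51000, "payload_len": 48000, "protocol": "tcp"}, "benign"),
    ({"duration_s": 0.05, "packets": 2, "bytes": 180, "payload_len": 60, "protocol": "udp"}, "benign"),
    ({"duration_s": 3600, "packets": 120, "bytes": 9600, "payload_len": 4800, "protocol": "tcp"}, "beacon"),
    ({"duration_s": 7200, "packets": 240, "bytes": 19000, "payload_len": 9500, "protocol": "tcp"}, "beacon"),
    ({"duration_s": 1800, "packets": 60, "bytes": 5000, "payload_len": 2400, "protocol": "tcp"}, "beacon"),
]


def train_engine(samples=TRAINING_FLOWS):
    return NearestCentroid().fit([flow_features(f) for f, _ in samples], [lab for _, lab in samples])


def classify(model, flow):
    return model.predict(flow_features(flow))
```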
Specifically, the neuron unit collects telemetry (instrumentation) data and sample data, classified by detection device and response product; the neuron unit dynamically adjusts the scope of the telemetry data according to the scheduling of the command and operations unit and uploads telemetry data to the detection and analysis unit on demand.
Further, terminal neurons include terminal behaviour data records and user behaviour data records. Terminal behaviour data records cover file behaviour, registry behaviour, process operation behaviour, file drop (release) behaviour, memory operation behaviour and process network access behaviour; user behaviour data records cover user web access data, user account login data, user application installation and execution data, and user peripheral device usage data.
Further still, network neurons fully record network behaviour. Network neurons support DPI and DFI analysis of network traffic; support high-speed, high-volume collection; support bypass-mirrored traffic collection from multiple network ports in AF_PACKET or DPDK mode; support collection blacklists and whitelists; support automatic splitting and extraction of the collected traffic by packet capture tools such as Wireshark, storing the full traffic as standardised fields; support storage of the full set of raw PCAP packets; and support reconstruction of executable, document and compressed files transferred over SMTP, POP3, IMAP, HTTP, FTP and SMB.
Specifically, the cloud service unit includes a scanning and removal cloud, a sandbox cloud, an analysis cloud, a knowledge cloud, a vulnerability cloud, an intelligence cloud, an expert cloud, a live-combat cloud and a training cloud, which interact with the detection and analysis unit.
Further, the scanning and removal cloud provides multi-dimensional detection and removal services from the cloud. The sandbox cloud provides cloud sandbox subscription services and includes sandboxes for terminals, systems, applications and scenarios, combining behavioural analysis with traditional signature matching in automated or human-machine collaborative sandboxes to discover unknown threats. The analysis cloud provides its capabilities externally through API calls and offers a platform service to external experts, who develop and run new analysis tools on it. The knowledge cloud provides a cloud subscription service for information on attack techniques and tactics, attack tools and attacker groups. The vulnerability cloud provides cloud subscription services for public vulnerability disclosure, enterprise-specific SRC (security response centre) programmes, targeted crowdsourced vulnerability testing and threat intelligence based on vulnerability awareness. The intelligence cloud provides threat intelligence queries and cloud subscription services through intelligence integration, in-depth analysis and APIs. The expert cloud provides a cloud subscription service for expert consultation. The live-combat cloud analyses offensive and defensive techniques and tactics through a cloud attack behaviour analysis centre and produces reports of offensive and defensive results; it also provides cloud subscription services for defence plan verification, incident response training, security device evaluation and in-depth evaluation of information systems. The training cloud provides a cloud subscription service for security training courses.
Specifically, the big data unit includes a data collection module, a data parsing module, a data standardisation module, a data enrichment module, a data storage module, and a data retrieval and computation module.
It should be noted that the data collection module collects data in different formats from various data sources; the data parsing module parses and extracts the collected raw data; the data standardisation module normalises the processed and converted data to a prescribed data format and model; the data enrichment module adds further background information and context to the data; the data storage module is responsible for persistent storage of the data and supports data compression and indexing; the data retrieval and computation module performs complex computation and analysis of the stored data, including querying, statistics and mining, and extracts value from the data in real time or in batch; and the data service module provides data services externally and returns analysis and computation results.
This embodiment also provides a computer device suitable for the local security management system, including a memory and a processor; the memory stores computer-executable instructions, and the processor executes them to implement the local security management system proposed in the embodiment above.
The computer device may be a terminal and includes a processor, a memory, a communication interface, a display screen and an input device connected through a system bus. The processor of the computer device provides computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides the environment in which the operating system and the computer program on the non-volatile storage medium run. The communication interface of the computer device is used for wired or wireless communication with external terminals; wireless communication may be implemented through WiFi, an operator network, NFC (near-field communication) or other technologies. The display screen of the computer device may be a liquid crystal display or an electronic ink display, and the input device may be a touch layer covering the display screen, buttons, a trackball or a touchpad provided on the housing of the computer device, or an external keyboard, touchpad or mouse.
This embodiment also provides a storage medium on which a computer program is stored; when executed by a processor, the program implements the following: the command and operations unit includes a security posture analysis module, a security event management module, a traceability analysis module, a response and disposal module, an evaluation and improvement module, and a command and dispatch module; the security posture analysis module sets the data types that the detection and analysis unit and the command and operations unit need to display and analyse, and displays them; the security event management module configures query conditions and an association table linking security events to severity levels and threat scores; the traceability analysis module has multiple threat tracing methods built in; the response and disposal module visually orchestrates security policies; the command and dispatch module has task-planning content packages built in; and the detection and analysis unit includes multiple engine tools and detection tools for detecting and analysing the telemetry data and sample data recorded by the neuron unit.
In summary, the present invention provides a neuron unit that rapidly captures usage data and network data from a series of detection devices and response products in the user's environment; a big data unit that operates on the data acquired by the neuron unit; and a detection and analysis unit and a cloud service unit that respectively provide security retrieval and updates to improve security services. The neuron unit collects telemetry data and sample data by category, which eliminates security silos and monitors the security status of each component of the network in real time; the command and operations unit performs security posture analysis, security event management, traceability analysis, response and disposal, evaluation and improvement, and command and dispatch, so as to discover internal threats quickly and accurately and to trace attacks to their source and collect evidence. Through this arrangement, monitoring covers both security products and big data information, giving intuitive insight into the current security posture, eliminating security silos, monitoring the security status of each component of the network in real time, discovering internal threats quickly and accurately, and tracing attacks to their source and collecting evidence.
Embodiment 2
Referring to Figure 5, a second embodiment of the present invention provides a local security management platform method. To verify the beneficial effects of the present invention, scientific demonstration is carried out through economic benefit calculation and simulation experiments.
Specifically, this embodiment also provides a local security management method in which the big data unit adopts a distributed storage architecture comprising the following steps: data preprocessing, in which the original data set is cleaned, de-noised and formatted and the data is processed into a structured data format; data splitting, in which the large data set is split into multiple data blocks according to defined rules; metadata creation, in which metadata recording each data block's data source, data format and storage location is created and stored on the Master node; block storage, in which data blocks are copied to multiple data nodes in the cluster, with a configurable number of replicas; data reading, in which the computation program reads the data blocks it needs to process from the data nodes in parallel according to the metadata; computation and analysis, in which the data is computed and analysed in a distributed fashion according to the business logic; and returning results, in which the results from all data nodes are aggregated and the assembled final result is returned to the user or application.
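The seven steps of the distributed storage method above, as an added in-process simulation that is not the patent's own code: the raw event lines, the three data nodes, the block size and the analysis (alert counts per severity) are constructed assumptions, and a node failure is simulated to show why the replicas in the block storage step matter.

```python
"""The distributed storage method above, as an in-process simulation.

Added example, not the patent's code: the raw event lines, the three data
nodes, the block size and the analysis are constructed assumptions.
"""
from collections import Counter
from concurrent.futures import ThreadPoolExecutor
import hashlib

# Constructed raw records in "host|severity|message" form, with noise rows.
RAW = [
    " h1|high|c2 beacon ", "h2|low|port scan", "", "h1|HIGH|c2 beacon", "garbage",
    "h3|medium|login failure", "h2|low|port scan", "h1|high|exfil",
    "h3|low|usb inserted", "h2|medium|login failure", "h1|low|dns query",
]


def preprocess(raw):
    """Step 1: clean, de-noise and format raw lines into structured records."""
    rows = [[p.strip() for p in line.split("|")] for line in raw]
    return [{"host": h, "severity": s.lower(), "msg": m}
            for h, s, m in (r for r in rows if len(r) == 3 and all(r))]   # drop blank/malformed rows


def split_blocks(records, block_size):
    """Step 2: split the data set into fixed-size blocks."""
    return [records[i:i + block_size] for i in range(0, len(records), block_size)]


class Cluster:
    def __init__(self, node_names, replicas):
        self.nodes = {n: {} for n in node_names}    # data node -> {block_id: block}
        self.replicas = replicas
        self.down = set()                           # simulated failed nodes
        self.master_meta = {}                       # Step 3: metadata lives on the Master

    def store(self, blocks, source):
        """Steps 3-4: register metadata, then copy each block to `replicas` nodes."""
        names = list(self.nodes)
        for i, blk in enumerate(blocks):
            bid = hashlib.sha256(f"{source}:{i}".encode()).hexdigest()[:12]
            locs = [names[(i + k) % len(names)] for k in range(self.replicas)]
            for n in locs:
                self.nodes[n][bid] = blk
            self.master_meta[bid] = {"source": source, "format": "record/v1", "locations": locs}

    def read_block(self, bid):
        """Step 5: read from the first live replica named in the metadata."""
        for n in self.master_meta[bid]["locations"]:
            if n not in self.down:
                return self.nodes[n][bid]
        raise RuntimeError(f"block {bid} unavailable: all replicas are down")

    def run(self, compute, merge):
        """Steps 5-7: parallel read, per-block compute, aggregate and return."""
        with ThreadPoolExecutor() as pool:
            partials = list(pool.map(lambda bid: compute(self.read_block(bid)), self.master_meta))
        return merge(partials)


def analyse(raw, down=(), replicas=2, block_size=3):
    cluster = Cluster(("dn1", "dn2", "dn3"), replicas)
    cluster.store(split_blocks(preprocess(raw), block_size), "security_events")
    cluster.down = set(down)                        # failures happen after the data landed
    counts = cluster.run(lambda blk: Counter(r["severity"] for r in blk), lambda ps: sum(ps, Counter()))
    return dict(counts)
```

With two replicas on three nodes, losing one node still lets every block be read; losing two leaves one block with no live replica and the read fails.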
It should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention and not to limit it. Although the present invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that modifications or equivalent substitutions may be made to the technical solution of the present invention without departing from its spirit and scope, and all such modifications shall fall within the scope of the claims of the present invention.
Claims (10)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311291873.8A CN117596009A (en) | 2023-10-08 | 2023-10-08 | Local security management system and method |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117596009A true CN117596009A (en) | 2024-02-23 |
Family ID: 89918954
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | WW01 | Invention patent application withdrawn after publication | Application publication date: 20240223 |