Analyses and aggregation of domain behavior for email threat detection by a cyber security system
US-2023403296-A1 · Dec 14, 2023 · US
US12526308B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12526308-B2 |
| Application number | US-202318565259-A |
| Country | US |
| Kind code | B2 |
| Filing date | Sep 4, 2023 |
| Priority date | Aug 16, 2023 |
| Publication date | Jan 13, 2026 |
| Grant date | Jan 13, 2026 |
Official abstract text for this publication.
Provided are an active defense system and method for an unknown threat. The system includes an intelligent threat early-warning module (10), an unknown threat detection module (20) and a self-adaption defense processing module (30). The intelligent threat early-warning module (10) is configured to perform threat prediction on a power grid situation data set collected from a power information network in real time to obtain threat early-warning information and send the information to the unknown threat detection module (20). The unknown threat detection module (20) is configured to perform threat detection and analysis on collected unknown threat network data when receiving the threat early-warning information to generate a threat analysis report and send the report to the self-adaption defense processing module (30). The self-adaption defense processing module (30) is configured to trigger a defense processing operation corresponding to a preset threat defense strategy according to the threat analysis report.
Opening claim text (preview).
What is claimed is:

1. An active defense system for an unknown threat, applied to a power information network, the active defense system comprising: at least one processor; and a memory storing instructions executable by the at least one processor, the instructions being configured to cause the system to perform operations comprising: intelligent threat early-warning processing: performing threat prediction on a power grid situation data set collected from the power information network in real time to obtain threat early-warning information and sending the threat early-warning information to unknown threat detection processing; unknown threat detection processing: upon receiving the threat early-warning information, performing threat detection and analysis on collected unknown threat network data to generate a threat analysis report and sending the threat analysis report to self-adaptive defense disposal processing; and self-adaptive defense disposal processing: triggering a defense disposal operation corresponding to a preset threat defense strategy according to the threat analysis report, wherein the intelligent threat early-warning processing comprises early-warning processing based on situation perception prediction, early-warning processing based on big data prediction, early-warning processing based on alliance chain intelligence sharing and joint early-warning processing, wherein the early-warning processing predicted based on the situation perception comprises predicting a collected multi-source power grid situation data set through a pre-trained situation prediction model to obtain a situation prediction result and generate first threat early-warning information according to the situation prediction result, the early-warning processing predicted based on the big data comprises processing collected log data of a device through a pre-trained data mining model and feature extraction model to obtain a threat prediction result and generate second threat early-warning information according to the threat prediction result; the early-warning processing shared based on the alliance chain intelligence comprises acquiring threat intelligence data of a threatened node in the power information network through an alliance chain and determining third threat early-warning information according to the threat intelligence data; and the joint early-warning processing comprises generating joint early-warning information according to the first threat early-warning information, the second threat early-warning information and the third threat early-warning information and sending the joint early-warning information to the unknown threat detection processing.

2. The system according to claim 1, wherein the early-warning processing predicted based on the situation perception comprises multi-source power grid situation data processing, situation prediction processing and threat early-warning processing, wherein the multi-source power grid situation data processing comprises collecting multi-source power grid situation data and performing data conversion and data preprocessing on the multi-source power grid situation data to obtain the multi-source power grid situation data set; the situation prediction processing comprises inputting the multi-source power grid situation data set into the pre-trained situation prediction model to obtain the situation prediction result; and the threat early-warning processing comprises comparing the situation prediction result with a situation critical value and generating the first threat early-warning information according to the compared result.

3. The system according to claim 1, wherein the unknown threat detection processing comprises threat detection processing based on encrypted traffic, threat detection processing based on a complex-event processing framework and behavior deep learning analysis processing, wherein the threat detection processing based on the encrypted traffic comprises performing threat detection on collected first unknown threat network data to obtain a first threat detection result, wherein the first unknown threat network data comprises: encrypted communication malicious traffic data, an encrypted attack behavior, or a malicious application; the threat detection processing based on the complex-event processing framework comprises performing threat analysis on collected second unknown threat network data according to a threat event detection rule based on the complex-event processing framework to obtain a second threat detection result, and the second unknown threat network data comprises log data of a threatened device; and the threat analysis processing based on the behavior deep learning comprises performing deep learning on the first threat detection result and the second threat detection result to obtain the threat analysis report.

4. The system according to claim 3, wherein the threat analysis processing based on the behavior deep learning comprises warning log generation processing, deconstruction processing and analysis processing, wherein the warning log generation processing comprises generating warning information according to the first threat detection result and the second threat detection result, generating a warning log according to the warning information and inputting the warning log into the deconstruction processing; the deconstruction processing comprises forming a threat chain according to the warning log; and the analysis processing comprises performing negative causal association pruning and non-secondary event noise reduction on the threat chain to form the threat analysis report.

5. The system according to claim 1, wherein the self-adaption defense processing comprises self-adaption device linkage processing and automation processing, wherein the self-adaption device linkage processing comprises determining associated information between a device node and a link according to a constructed network topology model, updating the threat defense strategy according to the associated information and triggering a processing operation corresponding to the updated threat defense strategy according to the threat analysis report; and the automation processing comprises triggering a security device to perform the processing operation according to the threat analysis report and a workflow of a pre-constructed threat event.

6. An active defense method for an unknown threat, comprising: intelligent threat early-warning processing: performing threat prediction on a power grid situation data set collected from a power information network in real time to obtain threat early-warning information and sending the threat early-warning information to unknown threat detection processing; unknown threat detection processing: upon receiving the threat early-warning information, performing threat detection and analysis on collected unknown threat network data to generate a threat analysis report and sending the threat analysis report to self-adaptive defense disposal processing; and self-adaptive defense disposal processing: triggering a defense disposal operation corresponding to a preset threat defense strategy according to the threat analysis report, wherein the intelligent threat early-warning processing comprises early-warning processing based on situation perception prediction, early-warning processing based on big data prediction, early-warning processing based on alliance chain intelligence sharing and joint early-warning processing, wherein the early-warning processing predicted based on the situation perception comprises predicting a collected multi-source power grid situation dataset through a pre-trained situation prediction model to obtain a situation prediction result and generate first threat early-warning i
CPC classification titles:
- Event detection, e.g. attack signature detection
- Learning methods
- Denial of Service
- Information technology specific aspects, e.g. CAD, simulation, modelling, system security
- Network security protocols