CN106936637A - The panorama heuristic method for visualizing and device of a kind of cyberspace situation - Google Patents

Abstract

Panorama heuristic the present invention relates to cyberspace situation visualizes field.For the problem that prior art is present, there is provided a kind of method for visualizing and device.Man-machine interaction is carried out by graphical interfaces, by the basic situation data of cyberspace, the knowledge of situation data and the data representative of protection situation is attacked with visual means expression, user captures trickle situation and the change of emphasis of interest based on interaction exploring mode.The development law of cyberspace situation can be found from the different angles of different views.The present invention is set up according to time, space and situation element type using cyberspace situation data described in cyberspace situation data storing steps and indexed；Cyberspace situation drafting is carried out by datum mark setting steps, Set scale chi step, drafting base map step and key element Connection Step；User is observed cyberspace situation interface from Observer Pattern or the angle of searcher's pattern, receives the information of situation interface expression, fully understands event procedure.

Description

A panoramic exploratory visualization method and device for cyberspace situation

technical field

The invention relates to the field of panoramic exploratory visualization of cyberspace situation, in particular to a method and device for panoramic exploratory visualization of cyberspace situation.

Background technique

Cyberspace is a man-made complex giant system that is continuously evolving with the participation of various sensors, controllers, connectors, computing platforms, storage platforms, and human beings. In order to make more effective use of cyberspace, it is necessary to first accurately perceive and recognize cyberspace. Problems such as "unclear and unclear" of the cyberspace situation have long restricted my country's ability to control and transform cyberspace. In the fields of network management, security management, and emergency response, cyberspace situation visualization has achieved certain research and application results, but its mechanism is mainly based on statistical data, index systems, and simple calibration, and the effects are displayed at fixed angles, static displays, and view switching Demonstration-oriented, the level of technology and capability has not yet reached the international mainstream standards, and it is difficult to meet the needs of situational grasp, threat discovery, risk warning, and efficient operation and maintenance in the rapidly changing cyberspace. The current difficulties mainly include:

(1) Different from the presentation mechanism, principle, and method of a single subject plane in geographic space or virtual space, the data sources related to cyberspace situation are diverse, and its types cover a large amount of information obtained through the perception of geographic, logical, and cognitive layers. Therefore, the adapted visualization model, coordinate system and rendering algorithm need specialized and customized research;

(2) The compositional data of the cyberspace situation often exist in the form of massive, structured, and high-speed changes. Since the usual display devices are difficult to support and it is not necessary to display all elements at the same time, it is necessary to compare the data according to the user's focus and solution goals. The data is dynamically selected, mapped, arranged and laid out, and elements are refined, screened and composed based on the principle of the clearest display effect;

(3) Static and planar graphics are limited by mechanisms such as layer occlusion, field of view, and operating modes, and users lack immersive perception effects, especially for cyberspace with complex structures, numerous associations, and rich layers. For complex giant systems with complex and complex content, it is necessary to design an innovative and intuitive exploration mechanism for users, activate users' tacit knowledge, and form an important auxiliary support means for understanding the situation, controlling the situation, and judging the trend.

Contents of the invention

The technical problem to be solved by the present invention is to provide a panoramic exploratory visualization method and device for network space situation in view of the problems existing in the prior art. The technical problem to be solved by the present invention is mainly the panoramic exploratory visualization of the cyberspace situation, and a visualization exploration method for the spatial-temporal association between geographical space and cyberspace is proposed. Comprehensive display of the overall situation of cyberspace. Human-computer interaction is carried out through the graphical interface, and the knowledge represented by the basic cyberspace situation data, attack situation data and defense situation data is expressed in a visual way, and the user can capture the subtle situations and changes of the key points based on the interactive exploration method. On the one hand, it is possible to discover the evolution law of the cyberspace situation from different views and angles, and on the other hand, it is possible to compare the differences in the cyberspace situation between different regions and different network systems to form an overall, comprehensive and systematic situational awareness.

The technical scheme that the present invention adopts is as follows:

A panoramic exploratory visualization method of cyberspace situation includes:

Cyberspace situation data storage steps: The data provided by the data source is divided into log data, protocol data and stream-like sequential data according to the category, and the data is standardized with the help of the format dictionary; and then according to the defined parameters Configure and process the homogenized data to obtain the cyberspace situation data; then store the cyberspace situation data; divide the cyberspace situation data into basic situation, attack situation and protection situation; the basic situation refers to the daily operation status of the elements of cyberspace; The attack situation refers to the attack situation of the hostile party against our side, which is used to judge the situation of our side being affected and damaged; the defense situation refers to the situation of countering attacks within our monitoring range, which is used to assist our side to take defensive countermeasures.

Graphical database building step: using the cyberspace situation data described in the cyberspace situation data storage step to establish indexes according to time, space and situation element types;

The situation drawing step is to draw the cyberspace situation through the steps of setting the reference point, setting the scale, drawing the base map and connecting the elements;

From the perspective of observer mode or explorer mode, users observe the cyberspace situation interface, receive information expressed on the situation interface, and fully understand the event process.

Further, the situation drawing step includes:

Reference point setting step: select the geographic origin of the reference point through the specified situation to form a cyberspace situation extending outward from this point; the user selects a certain parameter in the cyberspace situation data in the step of establishing the graph database as the reference point; Wherein said parameter can guide the user to select a certain city/area in the geographic information base as a reference point through the <select> control in the HTML to build a drop-down menu box; A domain name/IP address is used as a reference point, and then the public Internet domain name/IP address geographic mapping service is queried through the Ajax() asynchronous calling method in Javascript, and it is converted into a geographic location reference point;

Steps of setting the scale: build a drop-down menu box through the <select> control in HTML to guide the user to set the scale;

Base map drawing step: according to the datum point obtained in the datum point setting step and the scale obtained in the scale setting step, draw the geospatial map into the network space situation interface through the Canvas drawing mechanism in HTML, and obtain the base map;

Element connection step: Based on the base map obtained in the base map drawing step, different types of security events are drawn in the cyberspace situation interface through the positioning stage, layout stage and coloring stage, and then the elements with specific connections are drawn and connected ; Events drawn on the cyberspace situation interface are called elements.

Further, a panoramic exploratory visualization method of the cyberspace situation also includes the process of additionally labeling the elements in the cyberspace situation; drawing attributes includes several steps of attribute selection, attribute positioning and attribute layout; attribute selection is based on the current user Configuration, select one or more element attribute fields for display for drawing; attribute positioning is based on the location area of the entity, with the principle of non-blocking display, call the string display function above, below, left or right to draw the element Information; attribute layout is to fine-tune the position of attribute placement through the force-directed method according to the display congestion degree of the feature location area to achieve the best presentation effect.

Further, in the layout stage of the element connection step, the force-directed algorithm is used to adjust the positions of security events located in the same geographical area, so as to avoid overlapping and affecting the display effect; in the coloring stage, mark according to the type of security situation represented by the security event, and call the coloring function to The calibration of basic situational events, offensive situational events, and defensive situational events are marked in different colors.

Further, the drawing connection includes drawing a straight line and drawing a curve; the method of drawing a straight line is: calling a straight line function to draw between the X and Y coordinates of two elements; the method of drawing a curve is: calling a shell function between the X and Y coordinates of two elements Searle curve function drawing; the conditions for drawing connections include: 1) There is a close sequence relationship between the occurrence time of elements representing events; 2) The IP addresses of elements representing events have a superior-subordinate network relationship; 3) There is consistency in the description of elements representing events 4) There is a coupling relationship in the description of elements representing events. Draws straight lines when there is only one connection between two features, and draws curved lines when there are multiple connections.

Further, the data processing in the cyberspace situation data storage step includes cleaning, redundant merging, space-time registration and data classification; data cleaning takes the standardized format data after homogenization as input, and deletes missing field data and abnormal values The payload data is obtained from the data; the payload data is used as the input for redundant merging, and the data with the same occurrence time and content description are deleted to obtain non-duplicated data; the time-space registration takes the non-duplicated data as input, and the time in all data is The information is adjusted to the same time zone, and the place of occurrence information in all data is adjusted to a unified format to obtain data with standardized space-time tags; data classification takes the tagged data as input, and classifies the data according to the event types in the data.

Further, the geospatial map is obtained from the three-dimensional earth model using cylindrical projection, conical projection or azimuth projection method, the drawing process is to use the reference point as the center point, and the map is enlarged, reduced or enlarged according to the parameters of the scale in the step of setting the scale. Clipping, and finally calling the texture function, the map is drawn on the cyberspace situation interface.

Further, the scale is set to four levels of "city level", "city level", "provincial level" and "national level"; the larger the scale setting, the larger the geographical area that can be accommodated in the cyberspace situation interface, and the situation The comprehensiveness of the presentation is improved; the smaller the scale is set, the smaller the geographical area that can be accommodated in the cyberspace situation interface, and the finerness of the situation presentation is improved.

Further, the observer mode refers to the five types of views used in the observer process: global view, basic situation view, attack situation view, protection situation view and hot event view; The view obtained by drawing three types of security events: attack situation, protection situation and basic situation; the basic situation view is obtained by drawing only the basic situation security events in the drawing element step; the attack situation view is obtained by drawing only the attack situation in the situation drawing step Situation security events are obtained; the protection situation view is obtained by only drawing the protection situation security incidents in the situation drawing step; the hot event view is obtained by only drawing the security incidents that occurred in the past time T in the drawing element step;

In the polling of the observer process, the switching time of the five types of views is specified by the user through the text box, which can be set within the time P range; when the previous view has displayed the set switching time, the system automatically switches to the next view a view.

A panoramic exploratory visualization device of cyberspace situation includes:

Cyberspace situation data storage module: The data provided by the data source is divided into log data, protocol data and stream-like sequential data according to the category, and the data is standardized with the help of the format dictionary; then according to the defined parameters Configure and process the homogenized data to obtain the cyberspace situation data; then store the cyberspace situation data; divide the cyberspace situation data into basic situation, attack situation and protection situation; the basic situation refers to the daily operation status of the elements of cyberspace; The attack situation refers to the attack situation of the hostile party against our side, which is used to judge the situation of our side being affected and damaged; the defense situation refers to the situation of countering attacks within our monitoring range, which is used to assist our side to take defensive countermeasures.

Graphical database building module: use the cyberspace situation data described in the cyberspace situation data storage module to build indexes according to time, space and situation element types;

The situation drawing module is used to draw the cyberspace situation through the reference point setting module, the scale setting module, the base map drawing module and the element connection module;

From the perspective of observer mode or explorer mode, users observe the cyberspace situation interface, receive information expressed on the situation interface, and fully understand the event process.

In summary, owing to adopting above-mentioned technical scheme, the beneficial effect of the present invention is:

(1) Visual structure conversion capability of cyberspace situational data. Integrating different characteristic information of cyberspace surveying and mapping log, protocol and sequence data sources, formalize data from the perspective of visual processing, and form a standardized data set that supports retrieval, operation, reasoning and management.

(2) View-oriented situational data extraction and provisioning capabilities.

According to the logical characteristics and presentation goals of the required view, extract and map the cyberspace situation data set, including data cleaning, redundancy merging, space-time registration, data classification and entity mapping under the control of target parameters, etc. Transform cyberspace situational datasets into the refined data needed for a panorama.

(3) Panoramic exploratory visualization display capability. Construct a panoramic, deep and multi-level data visual perception system based on characteristics such as time, space, and attributes, meet the specific needs of cyberspace situational awareness, visualize security data information, integrate human perception, and greatly improve management 1. The comprehensiveness and accuracy of the operator's perception of the cyberspace situation and development trend.

Description of drawings

The invention will be illustrated by way of example with reference to the accompanying drawings, in which:

Figure 1 is the structural framework of the cyberspace visualization system.

Figure 2 is a flowchart of cyberspace situation data preparation.

Figure 3 is a flowchart of cyberspace situation drawing.

Figure 4 is a flow chart of cyberspace situational panorama exploration.

detailed description

All features disclosed in this specification, or steps in all methods or processes disclosed, may be combined in any manner, except for mutually exclusive features and/or steps.

Any feature disclosed in this specification, unless specifically stated, can be replaced by other alternative features that are equivalent or have similar purposes. That is, unless expressly stated otherwise, each feature is one example only of a series of equivalent or similar features.

Data classification takes the marked data as input, and classifies the data according to the event type in the data. If the event type takes the value of "warning" or "attack", it is classified as an attack situation, and if the value of the event type is "notification" or "basic". It is classified as the basic situation, and the value is "management" and it is classified as the defensive situation;

The present invention comprises a data warehouse layer, a data service layer, a data analysis processing layer and a graphical interface layer, as shown in Figure 1;

●Data Warehouse: Provide data support for geographic information base, cyberspace information base and security knowledge base based on big data.

●Data service layer: Shield the implementation details of specific data warehouse operations, and provide unified and easy-to-use data query, data access and data update services for data analysis and processing layer and graphic interface layer related to information related to cyberspace situation.

●Data analysis and processing layer: select, organize and process the data obtained from the data service layer according to the user's current view and exploration mode, and obtain consistent situational data that can be used for graphical interface presentation.

● Graphical interface layer: Provide users with the display effect of the network space situation, and receive user interaction instructions at the same time, to realize the ability to actively explore the network space.

This method includes:

The panoramic exploratory visualization method of cyberspace situation consists of three parts: data preparation, situation drawing and exploration interaction.

(1) Data preparation

Data preparation is the process of converting and upgrading the raw data in the data source into high-quality situational data after processing, and storing it in the data warehouse. The flow of data preparation is shown in Figure 2.

The data sources of the cyberspace situation are terminals, servers, communication and security devices that exist widely in the network. The original data provided by the data sources are divided into log data, protocol data and stream-like sequential data according to the category and content. In the format With the aid of the dictionary, the data is standardized and processed; then, according to the defined parameter configuration, the homogenized data is cleaned, redundantly merged, space-time registered, data classified, and entity mapped to obtain the data that can be used for the presentation of cyberspace situation data. structured information.

Specifically, data cleaning takes standardized format data after format standardization as input, and obtains payload data by deleting missing field data and abnormal value data. Redundant merging takes payload data as input, deletes data with consistent occurrence time and content description, and obtains no duplicate data; space-time registration takes no duplicate data as input, and adjusts the time information in all data to the same time zone, Adjust the place of occurrence information in all data into a unified format to obtain data with standardized spatio-temporal labels; data classification takes the labeled data as input, and classifies the data according to the event type in the data, such as the event type is "warning" or " If the event type is "Notification" or "Basic", it is classified as the basic situation; if the event type is "Management", it is classified as the defensive situation.

Cyberspace situation data consists of three types of security events, namely basic situation events, attack situation events and protection situation events. The three types of security events in the situation data include common fields such as event ID, occurrence time, termination time, occurrence location, IP address, event description, remarks, etc., and add special fields related to this type of situation. Among them, the basic situation refers to the daily operation status of the elements of cyberspace, and fields such as resource attributes, protocols, identifications, and characteristics are added; the attack situation refers to the attack situation that the hostile party adopts against us, and fields such as attack behavior, means, goals, and effects are added. , which is used to identify the impact and damage of our side; the protection situation refers to the situation of countering attacks within our monitoring range, adding fields such as security force distribution, security policy execution, security task development, and security protection goals to assist us take defensive measures.

After the completion of the data preparation phase, the data is stored in the cyberspace information database in the data warehouse, and indexes are established according to time, space, and situational element types to improve operational performance in the drawing element stage of subsequent situational drawing.

(2) Situation drawing

The overall process of situation drawing includes steps such as selecting a reference point, setting a scale, drawing a base map, drawing elements, drawing connections, and drawing attributes. The flow chart is shown in Figure 3.

1) Select the datum point

Select the reference point to form a cyberspace situation centered on this point and extending outward by specifying the geographic origin of the situation presentation. The user can select a certain city/region in the geographic information database as the reference point through the drop-down menu box, or enter a certain domain name/IP address in the cyberspace information database as the reference point through the input in the text box, and then publish it through query Internet domain name/IP address geo-mapping service to convert it into a geographic reference point.

2) Set the scale

Setting the scale is the process of determining the zoom level of a situation. Through the drop-down menu box, the user can set the scale to four levels: "district level", "city level", "provincial level" and "national level". The larger the scale setting, the larger the geographical area that can be accommodated on the screen, and the comprehensiveness of the situation presentation will be improved; the smaller the scale setting, the smaller the geographical area that can be accommodated on the screen, and the finerness of the situation presentation will be improved.

3) Draw the base map

Basemapping is the process of drawing a geospatial map to the screen based on datum points and scale bars. The geospatial map is obtained from the three-dimensional earth model using cylindrical projection, conical projection, or azimuth projection. The drawing process is to use the reference point as the center point, zoom in, zoom out, or cut the map according to the scale parameters in the previous step, and finally call Texture function, the map is drawn on the screen.

4) Drawing elements

Drawing elements is the process of drawing different types of security events on the screen, and the events that have been drawn on the screen are called elements. Drawing elements includes three steps of positioning, layout and coloring.

In the positioning phase, for each geographical area of the base map, use the index established in the data preparation phase to quickly query the security incidents that occurred in the area and to be displayed, set the zoom factor according to the current scale, and finally call the icon function to draw on the base map on the graph.

In the layout stage, the force-directed method is used to adjust the location of security incidents located in the same geographical area, so as to avoid overlapping and affecting the display effect.

In the coloring stage, mark according to the type of security situation represented by the security event, and call the coloring function, in which the basic situation event is marked as blue, the attack situation event is marked as red, and the protection situation event is marked as green.

5) Draw connections

Drawing connections is to further draw straight lines and curved connections between elements under the condition that there are specific connections between elements to enhance the cognitive effect.

The method of drawing a straight line is: call the straight line function to draw between the X and Y coordinates of two elements.

The method of drawing the curve is: call the Bezier curve function to draw between the X and Y coordinates of the two elements.

The conditions for drawing connections include: 1) There is a close sequence relationship between the occurrence time of elements representing events; 2) The IP addresses of elements representing events have a superior-subordinate network relationship; 3) There is a consistency relationship between the descriptions of elements representing events; 4) Elements represent There is a coupling relationship in the description of the event. Draws straight lines when there is only one connection between two features, and draws curved lines when there are multiple connections.

6) Draw attributes

Mapping attributes is the process of additional labeling of elements in the cyberspace situation. Drawing attributes includes several steps of attribute selection, attribute positioning and attribute layout. Attribute selection is to select one or more element attribute fields for display according to the current user configuration for drawing. Attribute positioning is based on the location area of the entity, with the principle of non-blocking display, call the string display function to draw information above, below, left or right of the element. Attribute layout is based on the degree of display congestion in the element location area, and through the force-directed method, fine-tunes the position of the attribute placement to achieve the best presentation effect.

(3) Explore interaction

Exploration interaction is the main way for users to interact with the situation interface. From the perspective of observers or explorers, users observe the situation in cyberspace, receive information expressed on the situation interface, fully understand the event process, and transform it into their own Knowledge. Exploration interaction methods include observer process and explorer process, and users can choose or switch when using them.

Its flow chart is shown in Figure 4.

1) Observer process

In the observer mode, the user's focus is on the detailed observation of the network space, and it is necessary to take into account the overall situation and hotspot areas. Five types of views are used in the observer process: global view, basic situation view, attack situation view, protection situation view, and hotspot event view.

The global view is obtained by drawing all three types of security events of attack, defense and basic in the step of situation drawing.

The basic situation view is obtained by drawing only basic security events in the situation drawing step.

The attack situation view is obtained by drawing only attack security events in the situation drawing step.

The protection situation view is obtained by drawing only protection-type security events in the situation drawing step.

The hotspot event view is obtained by drawing all three types of security events that occurred in the past 10 minutes in the step of situation mapping: attack, protection, and basic.

In the polling of the observer process, the switching time of the five types of views is specified by the user through text box input, which can be set within the range of 5 seconds to 180 seconds. When the previous view has displayed the set switching time, the system will automatically switch to the next view.

2) Explorer process

In the explorer mode, users focus on the acquisition and discovery of new knowledge in cyberspace. The characteristic laws of the cyberspace situation need to be explored in an immersive and focused manner. In the explorer process, the user configures three types of parameters: time exploration, space exploration, and attribute exploration through the drop-down box selection and text box input, and then conducts free situation exploration through operations such as panning, zooming in, zooming out, and clicking.

Time exploration parameter setting: In the time exploration view, the user can set a time period and only display the situation events that occurred in this time period; in the space exploration parameter setting: the user can set two areas, the screen is divided into two, The cyberspace situation of these two areas is displayed on the left and right for comparison and observation; attribute exploration parameter setting: the user can set the value range of one or more attributes of interest, and only situational events with these attributes will be displayed.

Pan operation: the user drags the situation map with the mouse, and the map will expand new content toward the direction the user drags; zoom operation: the user uses the mouse wheel to zoom in on the situation map, and the map will reduce the scale, displaying fewer images in the same screen area. Content; zoom out operation: the user uses the mouse wheel to zoom out the situation map, and the map will increase the scale to display more content in the same screen area; click operation: the user clicks a situation element, and the complete information about all attributes of the element will be displayed next to the element information.

The present invention is not limited to the foregoing specific embodiments. The present invention extends to any new feature or any new combination disclosed in this specification, and any new method or process step or any new combination disclosed.

Claims (10)

1. A panoramic exploratory visualization method of cyberspace situation, characterized in that it comprises: Cyberspace situation data storage steps: The data provided by the data source is divided into log data, protocol data and stream-like sequential data according to the category, and the data is standardized with the help of the format dictionary; and then according to the defined parameters After configuring and processing the homogenized data, the cyberspace situation data is obtained; then the cyberspace situation data is classified and stored according to the basic situation, attack situation and protection situation; the basic situation refers to the daily operation status of the elements of cyberspace; the attack situation refers to the hostile The attack situation adopted by us is used to judge the situation of our influence and damage; the protection posture refers to the situation of countering attacks within our monitoring range, which is used to assist us in taking defensive countermeasures; Graphical database building step: using the cyberspace situation data described in the cyberspace situation data storage step to establish indexes according to time, space and situation element types; The situation drawing step is to draw the cyberspace situation through the steps of setting the reference point, setting the scale, drawing the base map and connecting the elements; From the perspective of observer mode or explorer mode, users observe the cyberspace situation interface, receive information expressed on the situation interface, and fully understand the event process. 2. The panoramic exploratory visualization method of a kind of cyberspace situation according to claim 1, characterized in that the situation drawing step comprises: Datum point setting step: select the geographic origin of the datum point and specify the situation to form a cyberspace situation centered on this point and extending outward; The user selects a parameter in the cyberspace situation data in the step of establishing the graphical database as a reference point; wherein the parameter can guide the user to select a certain city/ region as the geographic reference point; or input through the text box, specify a domain name/IP address in the cyberspace information database as the reference point, and then query the public Internet domain name/IP address geographic location through the Ajax() asynchronous call method in Javascript Mapping service, which converts it to a geolocation reference point; Steps of setting the scale: build a drop-down menu box through the <select> control in HTML to guide the user to set the scale; Draw the base map step: draw the geospatial map into the network space situation interface through the Canvas drawing mechanism in HTML according to the reference point obtained in the reference point setting step and the scale obtained in the setting scale step, and obtain the drawing base map; Element connection step: Based on the base map obtained in the base map drawing step, different types of security events are drawn in the cyberspace situation interface through the positioning stage, layout stage and coloring stage, and then the elements with specific connections are drawn and connected ; Events drawn on the cyberspace situation interface are called elements. 3. A panoramic exploratory visualization method of cyberspace situation according to claim 2, characterized in that it also includes the process of additionally labeling the elements in the cyberspace situation; drawing attributes includes attribute selection, attribute positioning and attribute layout Several steps; attribute selection is based on the current user configuration, select one or more element attribute fields for display for drawing; attribute positioning is based on the location area of the entity, with the principle of non-blocking display, on the top, bottom, left of the element Call the string display function drawing information on the right side or the right side; the attribute layout is based on the display congestion degree of the element location area, and through the force-directed method, the position of the attribute placement is fine-tuned to achieve the best rendering effect. 4. A panoramic exploratory visualization method of cyberspace situation according to claim 2, characterized in that in the element connection step, the layout stage uses a force-directed algorithm to adjust the positions of security incidents located in the same geographical area, so as to avoid overlapping influences Show the effect; the coloring stage is marked according to the type of security situation represented by the security event, and the coloring function is called to mark the basic situation event, attack situation event and protection situation event into different colors. 5. The panoramic exploratory visualization method of cyberspace situation according to claim 2, characterized in that said drawing connection includes drawing a straight line and drawing a curve; the method of drawing a straight line is: calling between the X and Y coordinates of two elements Draw a straight line function; the method of drawing a curve is: call the Bezier curve function to draw between the X and Y coordinates of two elements; the conditions for drawing the connection include: 1) There is a close relationship between the occurrence time of the elements representing events; 2) The elements The IP address representing the event has a superior-subordinate network relationship; 3) The description of the element representing the event has a consistency relationship; 4) The description of the element representing the event has a coupling relationship; when there is only one connection between the two elements, a straight line is drawn, and there is Draw a curve with multiple connections. 6. The panoramic exploratory visualization method of a kind of cyberspace situation according to claim 1, characterized in that in the cyberspace situation data storage step, data processing includes cleaning, redundant merging, space-time registration and data classification; Cleaning takes the homogenized standard format data as input, and obtains the payload data by deleting missing field data and abnormal value data; redundant merging takes the payload data as input, and deletes the data with the same occurrence time and consistent content description, Obtain non-repeated data; space-time registration takes non-repeated data as input, adjusts the time information in all data to the same time zone, adjusts the place of occurrence information in all data to a unified format, and obtains data with standardized time-space markers; data classification Taking labeled data as input, classify the data according to the types of events in the data. 7. The panoramic exploratory visualization method of a cyberspace situation according to claim 2, wherein the geospatial map is obtained by a three-dimensional earth model using cylindrical projection, conical projection or azimuth projection, and the drawing process is to The reference point is used as the center point, and the map is enlarged, reduced, or cropped according to the scale parameters in the step of setting the scale, and finally the texture function is called, and the map is drawn on the network space situation interface. 8. According to the panoramic exploratory visualization method of a kind of cyberspace situation according to claim 2, it is characterized in that the scale is set to four levels: "city level", "city level", "provincial level" and "national level". The larger the scale setting, the larger the geographical area that can be accommodated in the cyberspace situation interface, and the comprehensiveness of the situation presentation will be improved; the smaller the scale setting, the smaller the geographical area that can be accommodated in the cyberspace situation interface, and the better the situation presentation Fineness improved. 9. According to claim 2, a panoramic exploratory visualization method of cyberspace situation, characterized in that the observer mode refers to the use of global view, basic situation view, attack situation view, protection There are five types of views: situation view and hotspot event view; the global view is the view obtained by drawing three types of security events: attack situation, defense situation and basic situation in the step of drawing elements of the situation; the basic situation view is obtained by drawing the elements in the step of drawing elements, Only draw the basic situation security events; the attack situation view is obtained by drawing only the attack situation security events in the situation drawing step; the protection situation view is obtained by drawing only the protection situation security events in the situation drawing step; The event view is obtained by drawing only the security events that occurred in the past time T in the step of drawing elements; in the polling of the observer process, the switching time of the five types of views is specified by the user through the text box input and can be set to the time P range within; when the previous view has displayed the set switching time, the system will automatically switch to the next view; Exploring mode means that the user configures three types of parameters: time exploration, space exploration, and attribute exploration through the drop-down box selection and text box input, and then conducts free situation exploration through panning, zooming in, zooming out, and clicking operations; time exploration parameter settings: at time In the exploration view, the user can set a time period, and only display the situational events that occurred in this time period; in the space exploration parameter setting: the user can set two areas, the screen is divided into two, and the two areas are displayed on the left and right respectively. Regional cyberspace situation for comparison and observation; attribute exploration parameter setting: users can set the value range of one or more attributes of interest, and only situational events with these attributes will be displayed. Pan operation: the user drags the situation map with the mouse, and the map will expand new content toward the direction the user drags; zoom operation: the user uses the mouse wheel to zoom in on the situation map, and the map will reduce the scale, displaying fewer images in the same screen area. Content; zoom out operation: the user uses the mouse wheel to zoom out the situation map, and the map will increase the scale to display more content in the same screen area; click operation: the user clicks a situation element, and the complete information about all attributes of the element will be displayed next to the element information. 10. A panoramic exploratory visualization device of cyberspace situation, characterized in that it comprises: Cyberspace situation data storage module: The data provided by the data source is divided into log data, protocol data and stream-like sequential data according to the category, and the data is standardized with the help of the format dictionary; then according to the defined parameters Configure and process the homogenized data to obtain the cyberspace situation data; then store the cyberspace situation data; divide the cyberspace situation data into basic situation, attack situation and protection situation; the basic situation refers to the daily operation status of the elements of cyberspace; The attack situation refers to the attack situation of the hostile party against our side, which is used to judge the situation of our side being affected and damaged; the defense situation refers to the situation of countering attacks within our monitoring range, which is used to assist our side to take defensive countermeasures. Graphical database building module: use the cyberspace situation data described in the cyberspace situation data storage module to build indexes according to time, space and situation element types; The situation drawing module is used to draw the cyberspace situation through the reference point setting module, the scale setting module, the base map drawing module and the element connection module; From the perspective of observer mode or explorer mode, users observe the cyberspace situation interface, receive information expressed on the situation interface, and fully understand the event process.