CN-121841863-B - Network security data transmission control method based on abnormal flow identification
Abstract
The invention relates to the technical field of computer network security and data transmission control, in particular to a network security data transmission control method based on abnormal flow identification. The method comprises the steps of: collecting an original data flow in a network transmission channel and generating a flow statistical feature vector; constructing a micro-disturbance injector model to generate a modulation feedback stream with active time sequence characteristics; constructing, from the dynamic response data, a response behavior track of the source end to the active time sequence characteristics so as to form a behavior differential characteristic representation; constructing a protocol stack behavior discriminator model to calculate the fitting deviation degree between the source end behavior and a standard protocol stack; generating a transmission control instruction set based on the fitting deviation degree; executing physical layer intervention on the transmission channel of the original data stream according to the transmission control instruction set; updating the stream statistical feature vector according to the channel state after intervention; and completing closed-loop control of data transmission.
Inventors
- SONG LONG
Assignees
- 重庆七彩虹数码科技有限公司
Dates
- Publication Date
- 2026-05-12
- Application Date
- 2026-03-13
Claims (5)
- 1. The network security data transmission control method based on abnormal flow identification is characterized by comprising the following steps: S1, collecting an original data stream in a network transmission channel, carrying out stream session recombination and side channel feature extraction on the original data stream to generate a stream statistics feature vector, calculating a flow anomaly confidence coefficient based on the stream statistics feature vector, and marking the data stream whose flow anomaly confidence coefficient exceeds a preset gray threshold as a gray to-be-tested stream, wherein S1 specifically comprises the following steps: S11, collecting an original data stream in a network transmission channel, wherein the original data stream is encrypted transmission traffic that is not decrypted; S12, performing quintuple-based flow table association on the original data flow, extracting the arrival time interval of the data packets, the load length sequence and the transmission window size, and forming a side channel physical characteristic set; S13, performing entropy calculation and distribution statistics on the side channel physical feature set to generate a stream statistics feature vector; S14, calculating the Mahalanobis distance between the flow statistical feature vector and a preset historical baseline model, and taking the Mahalanobis distance as the flow anomaly confidence; S15, presetting a blocking threshold and a gray threshold, wherein the blocking threshold is larger than the gray threshold, comparing the flow anomaly confidence with the gray threshold and the blocking threshold, and marking the corresponding data stream as a gray to-be-tested stream if the flow anomaly confidence is larger than or equal to the gray threshold and smaller than the blocking threshold; S2, constructing a micro-disturbance injector model, wherein the micro-disturbance injector model comprises a time sequence delay generation module and a feedback signal modulation module, the control parameters of the micro-disturbance injector model comprise a basic delay step length, a jitter mode sequence and an injection intensity coefficient, and a downlink feedback data packet of the gray to-be-tested flow is input into the micro-disturbance injector model to generate a modulation feedback flow with an active time sequence characteristic; S3, extracting dynamic response data of the source end protocol stack from the uplink data sent in reply to the modulation feedback stream, and constructing a response behavior track of the source end to the active time sequence feature according to the dynamic response data to form a behavior differential feature representation; S4, constructing a protocol stack behavior discriminator model, presetting theoretical response reference planes of a standard protocol stack in different network environments, mapping the behavior differential characteristic representation to the theoretical response reference planes, and calculating the fitting deviation degree between the source end behavior and the standard protocol stack, wherein S4 specifically comprises the following steps: S41, loading a preset standard protocol stack congestion control algorithm model, wherein the congestion control algorithm model defines a theoretical transmission window adjustment curve under the input of a specific round trip time jitter; S42, inputting the jitter pattern sequence generated by the perturbation injector model into the standard protocol stack congestion control algorithm model to generate a theoretical response reference plane; S43, calculating the Euclidean distance and the shape similarity between the behavior differential characteristic representation and the theoretical response reference plane, and normalizing the Euclidean distance and the shape similarity; S44, carrying out a weighted summation of the normalized Euclidean distance and shape similarity using preset weight coefficients, and generating a fitting deviation degree representing the authenticity probability of the source end protocol stack; S5, generating a transmission control instruction set based on the fitting deviation degree; S6, performing physical layer intervention on the transmission channel of the original data stream according to the transmission control instruction set, updating the stream statistics feature vector according to the channel state after intervention, and completing closed-loop control of data transmission.
- 2. The network security data transmission control method based on abnormal traffic identification according to claim 1, wherein step S2 specifically comprises: S21, initializing the micro-disturbance injector model, and setting the jitter mode sequence in the control parameters to a non-random deterministic mathematical sequence; S22, intercepting, at the transport layer, an acknowledgement data packet or a control message generated by the gray to-be-tested flow; S23, calculating the additional residence time of each acknowledgement data packet according to the basic delay step length and the jitter pattern sequence by means of the time sequence delay generation module; S24, using the feedback signal modulation module and, without modifying the load content of the acknowledgement data packet, executing physical layer transmission delay processing on the acknowledgement data packet according to the additional residence time; S25, recombining the delayed acknowledgement data packets into a modulation feedback stream, and sending the modulation feedback stream to the source end of the gray to-be-tested stream.
- 3. The network security data transmission control method based on abnormal traffic identification according to claim 2, wherein step S3 specifically comprises: S31, after the modulation feedback stream is sent, opening a time observation window of a preset length; S32, capturing in real time the subsequent data packets sent by the source end within the time observation window, and extracting the sending rate, the congestion window adjustment value and the retransmission count of the subsequent data packets; S33, arranging the rate of change of the sending rate, the congestion window adjustment value and the retransmission count in time stamp order, and constructing the response behavior track of the source end with respect to the modulation feedback stream; S34, calculating the cross-correlation coefficient of the response behavior track relative to the jitter pattern sequence injected into the modulation feedback stream, and using the cross-correlation coefficient as the behavior differential characteristic representation.
- 4. The network security data transmission control method based on abnormal traffic identification according to claim 3, wherein step S5 specifically comprises: S51, setting a release threshold and a blocking threshold for the fitting deviation degree, wherein the blocking threshold is larger than the release threshold; S52, if the fitting deviation degree is smaller than the release threshold, indicating that the source end exhibits complete standard protocol stack behavior, and generating a release instruction for removing the disturbance and forwarding at full speed; S53, if the fitting deviation degree is larger than the blocking threshold, indicating that the source end disregards network jitter or that its response logic is abnormal, and generating a blocking instruction for discarding the data packets or sending a reset message; S54, if the fitting deviation degree lies between the release threshold and the blocking threshold, generating an instruction for increasing the injection intensity coefficient, and triggering the micro-disturbance injector model to carry out the next round of iterative testing.
- 5. The network security data transmission control method based on abnormal traffic identification according to claim 4, wherein step S6 specifically comprises: S61, parsing the transmission control instruction set, and extracting the bandwidth limiting parameters and connection state marks for the current network quintuple; S62, passing the bandwidth limiting parameters to the traffic shaping queue of the gateway equipment, and passing the connection state mark to the session management table; S63, continuously collecting post-intervention flow statistics feature vectors while executing the physical layer intervention, and releasing the computing resources occupied by the micro-disturbance injector model if the flow statistics feature vectors show that the source end has actively closed the connection or that the flow features have become silent.
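The discriminator of claims 2 to 4 (S21, S34, S41 to S44, S51 to S54), as an added worked example that is not the patent's own code: a deterministic jitter pattern is applied to the acknowledgements, a simplified standard-stack response curve serves as the theoretical reference plane, and the observed congestion-window track is scored by normalized Euclidean distance plus shape similarity and mapped to release / block / escalate. The response model, the sample tracks, the weights and the thresholds are all assumptions chosen for illustration.

```python
# Added example (not the patent's code): a simplified, constructed model of steps
# S2-S5. The standard-stack response model, the sample tracks, the weights and
# the thresholds are all assumptions chosen for illustration.
import math

JITTER_MS = [0, 20, 40, 20, 0, 20, 40, 20]      # S21: deterministic, non-random pattern
RELEASE_THRESHOLD, BLOCK_THRESHOLD = 0.1, 0.4   # S51: blocking threshold > release threshold
W_DISTANCE, W_SHAPE = 0.5, 0.5                  # S44: preset weight coefficients

def pearson(x, y):
    """Normalised cross-correlation of two equal-length series; 0.0 if one is constant."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sx = math.sqrt(sum((a - mx) ** 2 for a in x))
    sy = math.sqrt(sum((b - my) ** 2 for b in y))
    return cov / (sx * sy) if sx and sy else 0.0

def reference_plane(jitter_ms, base_rtt_ms=50.0):
    """S41/S42 (assumed model): an RTT-clocked standard sender grows its congestion
    window per slot in proportion to base_rtt / inflated_rtt, so delayed ACKs slow it."""
    return [base_rtt_ms / (base_rtt_ms + j) for j in jitter_ms]

def fitting_deviation(track, jitter_ms=JITTER_MS):
    """S34 + S43 + S44: returns (fitting deviation in [0,1], correlation with jitter)."""
    ref = reference_plane(jitter_ms)
    differential = pearson(track, jitter_ms)                    # S34: behaviour differential
    dist = math.sqrt(sum((a - b) ** 2 for a, b in zip(track, ref)))
    dist_norm = min(dist / math.sqrt(sum(r * r for r in ref)), 1.0)  # S43: normalised distance
    shape_dev = (1.0 - pearson(track, ref)) / 2.0                # S43: 0 = identical shape
    return W_DISTANCE * dist_norm + W_SHAPE * shape_dev, differential  # S44

def control_instruction(track):
    """S5: map the fitting deviation to a transmission control instruction."""
    deviation, _ = fitting_deviation(track)
    if deviation < RELEASE_THRESHOLD:
        return "release"     # S52: behaves like a standard protocol stack
    if deviation > BLOCK_THRESHOLD:
        return "block"       # S53: ignores the injected jitter
    return "escalate"        # S54: raise the injection intensity and retest

# Constructed per-slot congestion-window adjustment tracks observed in S32/S33:
GENUINE = [0.98, 0.73, 0.54, 0.70, 1.02, 0.72, 0.57, 0.71]  # slows when ACKs are delayed
SCRIPT = [1.0] * 8                                           # flat: no reaction to jitter
PARTIAL = [1.0, 0.9, 0.8, 0.9, 1.0, 0.9, 0.8, 0.9]           # reacts, but too weakly

if __name__ == "__main__":
    for name, track in (("genuine", GENUINE), ("script", SCRIPT), ("partial", PARTIAL)):
        print(name, control_instruction(track))
```

The flat track scores a cross-correlation of exactly 0.0 with the jitter pattern and a maximal shape deviation, which is what pushes it over the blocking threshold even though its distance from the reference curve is moderate.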
Description
Network security data transmission control method based on abnormal flow identification
Technical Field
The invention relates to the technical field of computer network security and data transmission control, in particular to a network security data transmission control method based on abnormal flow identification.
Background
With the rapid development of modern network communication technology, advanced encryption protocols such as TLS 1.3 and QUIC have become the mainstream of data transmission. This trend towards encryption protects the privacy of information, but it also confronts network security defense with more complex challenges. At present, supervision of encrypted traffic relies mainly on passive detection schemes: a security system captures the original traffic data in the network and uses traffic statistical features or signature matching to identify malicious behavior. However, traditional passive monitoring has obvious hysteresis, and its identification accuracy drops sharply when the data payload is fully encrypted. Because the payload content cannot be obtained directly, normal users following a standard congestion control protocol are difficult to distinguish from automated attack scripts that lack complete protocol stack logic, and there is no effective means of performing secondary identification on gray traffic that shows statistical anomalies but does not reach the blocking standard. As a result, when handling highly concealed attacks, the defense system always faces the dilemma of either mistakenly blocking normal traffic or missing potential threats. Therefore, actively identifying the real response behavior of the source protocol stack in real time and realizing closed-loop control, while guaranteeing the integrity of the encrypted data, is a problem to be solved in this field.
Disclosure of Invention
In order to solve the above technical problems, the invention provides a network security data transmission control method based on abnormal traffic identification. Specifically, the technical scheme of the invention comprises the following steps: S1, collecting an original data stream in a network transmission channel, carrying out stream session recombination and side channel feature extraction on the original data stream to generate a stream statistics feature vector, calculating a flow anomaly confidence coefficient based on the stream statistics feature vector, and marking the data stream whose flow anomaly confidence coefficient exceeds a preset gray threshold as a gray to-be-tested stream; S2, constructing a micro-disturbance injector model, wherein the micro-disturbance injector model comprises a time sequence delay generation module and a feedback signal modulation module, the control parameters of the micro-disturbance injector model comprise a basic delay step length, a jitter mode sequence and an injection intensity coefficient, and a downlink feedback data packet of the gray to-be-tested flow is input into the micro-disturbance injector model to generate a modulation feedback flow with an active time sequence characteristic; S3, extracting dynamic response data of the source end protocol stack from the uplink data sent in reply to the modulation feedback stream, and constructing a response behavior track of the source end to the active time sequence feature according to the dynamic response data to form a behavior differential feature representation; S4, constructing a protocol stack behavior discriminator model, presetting theoretical response reference planes of a standard protocol stack in different network environments, mapping the behavior differential characteristic representation to the theoretical response reference planes, and calculating the fitting deviation between the source end behavior and the standard protocol stack; S5, generating a transmission control instruction set based on the fitting deviation degree; S6, performing physical layer intervention on the transmission channel of the original data stream according to the transmission control instruction set, updating the stream statistics feature vector according to the channel state after intervention, and completing closed-loop control of data transmission.
Preferably, S1 specifically includes: S11, collecting an original data stream in a network transmission channel, wherein the original data stream is encrypted transmission traffic that is not decrypted; S12, performing quintuple-based flow table association on the original data flow, extracting the arrival time interval of the data packets, the load length sequence and the transmission window size, and forming a side channel physical characteristic set; S13, performing entropy calculation and distribution statistics on the side channel physical feature set to generate a stream statistics feature vector; S14, calculating the Mahalanobis distance between the flow statistical feature vector and a preset historical baseline model, and taking the Mahalanobis
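The passive stage S12 to S15 (entropy of the side-channel sequences, Mahalanobis distance from a historical baseline, then the gray and blocking thresholds), as an added worked example that is not the patent's own code. The two features used (entropy of inter-arrival-time bins and entropy of payload lengths), the baseline samples and the threshold values are constructed for illustration; the real method uses a larger feature set, but the distance and threshold logic is the same.

```python
# Added example (not the patent's code) of steps S13-S15: Shannon entropy of
# side-channel sequences, the Mahalanobis distance of the resulting feature
# vector from a historical baseline, and the gray / blocking threshold test.
# The two features, the baseline samples and the thresholds are constructed.
import math
from collections import Counter

GRAY_THRESHOLD, BLOCK_THRESHOLD = 2.0, 4.0   # S15: blocking threshold > gray threshold

def entropy_bits(values):
    """S13: Shannon entropy (bits) of a discrete side-channel sequence."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def feature_vector(iat_ms, payload_lens):
    """S12/S13: (entropy of 10 ms inter-arrival bins, entropy of payload lengths)."""
    return (entropy_bits([round(t / 10) for t in iat_ms]), entropy_bits(payload_lens))

def fit_baseline(samples):
    """S14: mean vector and inverse covariance of historical 2-D feature vectors."""
    n = len(samples)
    mx, my = sum(s[0] for s in samples) / n, sum(s[1] for s in samples) / n
    sxx = sum((s[0] - mx) ** 2 for s in samples) / (n - 1)
    syy = sum((s[1] - my) ** 2 for s in samples) / (n - 1)
    sxy = sum((s[0] - mx) * (s[1] - my) for s in samples) / (n - 1)
    det = sxx * syy - sxy * sxy          # must be non-zero: features not collinear
    inv = ((syy / det, -sxy / det), (-sxy / det, sxx / det))
    return (mx, my), inv

def anomaly_confidence(vec, baseline):
    """S14: Mahalanobis distance of vec from the baseline (the anomaly confidence)."""
    (mx, my), inv = baseline
    dx, dy = vec[0] - mx, vec[1] - my
    return math.sqrt(dx * (inv[0][0] * dx + inv[0][1] * dy)
                     + dy * (inv[1][0] * dx + inv[1][1] * dy))

def classify(confidence):
    """S15: 'block', 'gray' (to be tested by the injector), or 'normal'."""
    if confidence >= BLOCK_THRESHOLD:
        return "block"
    if confidence >= GRAY_THRESHOLD:
        return "gray"
    return "normal"

# Constructed historical baseline of (IAT entropy, payload-length entropy) pairs:
BASELINE = fit_baseline([(2.4, 3.1), (2.6, 3.1), (2.5, 2.8),
                         (2.3, 3.2), (2.7, 3.0), (2.5, 2.8)])
NORMAL_FLOW = (2.55, 3.05)   # close to the baseline
GRAY_FLOW = (2.8, 3.0)       # drifting timing entropy: hand over to the injector
BEACON_FLOW = (0.5, 0.2)     # near-constant timing and sizes, far from the baseline
```

Only the gray band is passed to the active stage; flows inside the baseline are forwarded untouched and flows beyond the blocking threshold never consume injector resources.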