CN-121984724-A - Zero trust detection method and system based on skeleton constraint diffusion and cross-architecture distillation
Abstract
The invention discloses a zero trust detection method and system based on skeleton constraint diffusion and cross-architecture distillation. To address the scarcity of malicious encrypted traffic samples and the limited computing power of gateways, the invention first uses an improved PLD algorithm to extract the protocol statistical skeleton of traffic, feeds the skeleton into a diffusion model as a conditional constraint, and generates high-fidelity enhanced samples that conform to protocol specifications. Second, it constructs a cross-architecture distillation framework in which a teacher model based on an adaptive burst flow graph (AFG) guides a lightweight student model, achieving dimension-reducing knowledge transfer from graph topological features to sequence features. Finally, in the detection stage it introduces zero trust identity labels to optimize an adaptive sliding window algorithm, achieving accurate slicing of long-period attacks. The method and system give the detection model high robustness and high precision while markedly reducing the computational cost on the gateway side, making them suitable for deployment in zero trust edge environments.
Inventors
- QIN YIFEI
- XIAO QINGJUN
Assignees
- 东南大学
Dates
- Publication Date
- 20260505
- Application Date
- 20260114
Claims (8)
- 1. A zero trust detection method based on skeleton constraint diffusion and cross-architecture distillation, characterized by comprising the following steps: Step S1, diffusion data enhancement based on PLD skeleton constraint: extracting the protocol statistical skeleton of original encrypted traffic, inputting the protocol statistical skeleton into a conditional diffusion probability model as a conditional constraint, and performing diffusion generation on the traffic timing and noise features while keeping the skeleton features unchanged, so as to construct an enhanced sample set; Step S2, topology-to-sequence cross-architecture distillation: constructing an asymmetric teacher-student double-tower architecture, wherein the teacher model adopts a high-dimensional topology representation architecture, the student model adopts a lightweight time-sequence representation architecture, and the inter-flow topology interaction features extracted by the teacher model are migrated to the student model through a distillation loss function; Step S3, identity-anchored adaptive detection: the zero trust gateway slices real-time traffic with an identity-aware adaptive sliding window algorithm, and the trained student model is used to identify malicious traffic.
- 2. The zero trust detection method based on skeleton constraint diffusion and cross-architecture distillation according to claim 1, wherein step S1 comprises the following sub-steps: S1.1, counting the high-frequency packet length set of the malicious software with an improved PLD algorithm, calculating the distance between each packet length and the high-frequency set, and mapping the packet length to the high-frequency value if the distance is smaller than a preset threshold, otherwise mapping it to a multiple of a fixed interval; S1.2, constructing a conditional diffusion model in which the packet length values of the standardized sequence are kept unchanged in the forward process, Gaussian noise is added only to the packet arrival intervals and padding payload, and the standardized sequence is injected into each layer of the denoising network as an embedding vector in the reverse process; S1.3, in the inference stage, inputting a fixed malicious protocol skeleton, randomly sampling noise, and generating adversarial samples with different timing characteristics.
- 3. The zero trust detection method based on skeleton constraint diffusion and cross-architecture distillation according to claim 1, wherein step S2 comprises the following sub-steps: S2.1, constructing the teacher model at the cloud end with an adaptive burst flow graph, using the flows within a session window as nodes, establishing concurrent edges and trigger edges, and aggregating features over the graph structure with a graph attention network to obtain the graph embedding features of each flow; S2.2, constructing the student model in the zero trust gateway with DistilBERT or a 1D-CNN, taking the sequence features of a single flow as input and outputting sequence embedding features; S2.3, adopting a topology-to-sequence dimension reduction distillation strategy that minimizes the distance loss between the graph embedding features and the sequence embedding features, so that the student model, when processing a single flow, implicitly contains the global inter-flow context information that the teacher model perceives through the graph structure.
- 4. The zero trust detection method based on skeleton constraint diffusion and cross-architecture distillation according to claim 3, wherein in step S2.3 the loss function is composed of: a conventional classification cross-entropy loss; and a topology feature mapping loss, which computes the MSE or cosine distance between the graph embedding features and the sequence embedding features.
- 5. The zero trust detection method based on skeleton constraint diffusion and cross-architecture distillation according to claim 1, wherein in step S3 an identity-aware adaptive sliding window algorithm is adopted, comprising: calculating the inter-flow time intervals, introducing the user identity as a weight factor for window aggregation, and prolonging the current detection window when the inter-flow time interval exceeds the conventional threshold but the user identity is consistent and belongs to a high-risk user.
- 6. The zero trust detection method based on skeleton constraint diffusion and cross-architecture distillation according to claim 1 or 5, wherein step S3 comprises the following sub-steps: step 3.1, the zero trust gateway resolves the User identity (User-ID) of the flow; step 3.2, window slicing: for a newly arrived flow, calculate the time interval between it and the last flow of the window; if the interval does not exceed the threshold and the user identity is consistent, add the flow to the window; if the interval exceeds the threshold but the user identity is consistent and the user's current credit score is lower than a threshold, the timeout judgement is skipped and the window is forcibly prolonged; step 3.3, inputting the sliced window sequence into the student model to obtain the detection result.
- 7. The zero trust detection method based on skeleton constraint diffusion and cross-architecture distillation according to claim 6, wherein step 3.1 is implemented by parsing an authentication token or by looking up an associated IP-User mapping table.
- 8. A zero trust detection system based on skeleton constraint diffusion and cross-architecture distillation, characterized by being used to implement the zero trust detection method based on skeleton constraint diffusion and cross-architecture distillation according to any one of claims 1-7, and comprising a cloud control plane and a zero trust gateway, wherein the cloud control plane first uses an improved PLD algorithm to extract the protocol skeleton of malicious flow seeds and guides a diffusion model to generate enhanced samples conforming to the specification, and then constructs a 'teacher-student' double-tower distillation framework in which the teacher model guides a lightweight student model to learn inter-flow topological features; and the zero trust gateway receives the trained student model, optimizes the sliding window slicing algorithm in combination with the zero trust identity User-ID, and performs line-speed detection on real-time traffic with the trained student model.
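As an added illustration of the PLD skeleton extraction of claim 2 (step S1.1) and the length-invariance constraint of step S1.2, the following Python is example code written for this page, not code from the patent. The seed flows, the size of the high-frequency set, the distance threshold (8 bytes) and the rounding interval (64 bytes) are constructed or assumed values, and `noisy_timing_variant` is a plain Gaussian perturbation standing in for the diffusion model: it exists only to show that the packet-length skeleton is held fixed while the timing channel is perturbed.

```python
import random
from collections import Counter
from typing import Iterable, List, Sequence, Tuple

# Constructed packet-length sequences for three "malicious seed" flows
# (values chosen to look like a TLS handshake followed by bulk data; not real captures).
SEED_FLOWS = [
    [517, 1460, 1460, 90, 45],
    [517, 1460, 90, 90, 45],
    [518, 1460, 1460, 91, 45],
]


def high_frequency_lengths(flows: Iterable[Sequence[int]], top_k: int = 4) -> List[int]:
    """Count packet lengths across the seed flows and return the top_k most frequent
    values (the high-frequency set of claim 2, step S1.1), sorted ascending."""
    counts = Counter(length for flow in flows for length in flow)
    return sorted(length for length, _ in counts.most_common(top_k))


def pld_map(length: int, hf_set: Sequence[int], threshold: int = 8, interval: int = 64) -> int:
    """Map one packet length with the improved PLD rule of step S1.1: if the distance
    to the nearest high-frequency value is below `threshold`, snap to that value;
    otherwise round to a multiple of `interval`. `threshold` and `interval` are
    assumed parameters, not values taken from the patent text."""
    if hf_set:
        nearest = min(hf_set, key=lambda v: abs(v - length))
        if abs(nearest - length) < threshold:
            return nearest
    return interval * round(length / interval)


def protocol_skeleton(flow: Sequence[int], hf_set: Sequence[int],
                      threshold: int = 8, interval: int = 64) -> List[int]:
    """The protocol statistical skeleton of a flow: its packet lengths after PLD mapping."""
    return [pld_map(length, hf_set, threshold, interval) for length in flow]


def noisy_timing_variant(skeleton: Sequence[int], iats: Sequence[float],
                         sigma: float, seed: int) -> Tuple[List[int], List[float]]:
    """Stand-in for the forward process of step S1.2: Gaussian noise is applied only to
    the inter-arrival times (clamped at zero) and the packet-length skeleton is returned
    unchanged. This is a plain perturbation, not a trained denoising network; it only
    illustrates the invariance that the skeleton constraint imposes."""
    rng = random.Random(seed)
    new_iats = [max(0.0, t + rng.gauss(0.0, sigma)) for t in iats]
    return list(skeleton), new_iats


if __name__ == "__main__":
    hf = high_frequency_lengths(SEED_FLOWS)
    skel = protocol_skeleton([518, 1460, 91, 300, 1000], hf)
    print("high-frequency set:", hf)
    print("skeleton:", skel)
    print("variant:", noisy_timing_variant(skel, [0.01, 0.02, 0.05, 0.03, 0.10], 0.005, 1))
```

Lengths within the threshold of a high-frequency value (518, 91) collapse onto it, while lengths far from the set (300, 1000) are coarsened to a grid, which is what keeps a generated sample from exhibiting the "non-integer packet length" artefacts the background section describes.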
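The distillation loss of claim 4 is stated in the claim only by its components (a classification cross-entropy term and a topology feature mapping term using MSE or cosine distance). The following Python is an added example that computes that combination on small vectors; it is not the patent's code. The weighting factor `lam` and the requirement that the teacher's graph embedding and the student's sequence embedding share a dimension are assumptions of this example (a real implementation would typically add a projection head when the dimensions differ).

```python
import math
from typing import List, Sequence


def softmax(logits: Sequence[float]) -> List[float]:
    """Numerically stable softmax over the student's class logits."""
    m = max(logits)
    exps = [math.exp(x - m) for x in logits]
    total = sum(exps)
    return [e / total for e in exps]


def cross_entropy(logits: Sequence[float], label: int) -> float:
    """Conventional classification cross-entropy loss on the student's prediction."""
    return -math.log(softmax(logits)[label])


def mse(a: Sequence[float], b: Sequence[float]) -> float:
    """Mean squared error between two embedding vectors of equal dimension."""
    if len(a) != len(b):
        raise ValueError("embeddings must have the same dimension")
    return sum((x - y) ** 2 for x, y in zip(a, b)) / len(a)


def cosine_distance(a: Sequence[float], b: Sequence[float]) -> float:
    """1 - cosine similarity; zero when the vectors point the same way."""
    if len(a) != len(b):
        raise ValueError("embeddings must have the same dimension")
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    if na == 0.0 or nb == 0.0:
        raise ValueError("cosine distance is undefined for a zero vector")
    return 1.0 - dot / (na * nb)


def distillation_loss(student_logits: Sequence[float], label: int,
                      h_teacher: Sequence[float], h_student: Sequence[float],
                      lam: float = 0.5, metric: str = "mse") -> float:
    """Total loss of claim 4: classification cross-entropy plus the topology feature
    mapping loss (MSE or cosine distance between the teacher's graph embedding
    h_teacher and the student's sequence embedding h_student). The weight `lam`
    is an assumption of this example; the claim text gives no weighting."""
    if metric == "mse":
        map_loss = mse(h_teacher, h_student)
    elif metric == "cosine":
        map_loss = cosine_distance(h_teacher, h_student)
    else:
        raise ValueError(f"unknown metric {metric!r}")
    return cross_entropy(student_logits, label) + lam * map_loss


if __name__ == "__main__":
    # Constructed values: a confident "malicious" prediction and two embeddings.
    teacher, student = [0.5, -0.25, 1.0], [0.4, -0.1, 0.9]
    print("mse variant:   ", distillation_loss([2.0, 0.0], 0, teacher, student))
    print("cosine variant:", distillation_loss([2.0, 0.0], 0, teacher, student, metric="cosine"))
```

When the student embedding already matches the teacher's, the mapping term vanishes and the loss reduces to plain cross-entropy; the cosine variant is insensitive to scale, which matters when the two towers produce embeddings of different magnitude.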
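The identity-aware adaptive sliding window of claims 5 to 7 (steps 3.1 and 3.2) is the part of the method that runs on the gateway at detection time, so it is worth seeing concretely. The following Python is an added example, not the patent's code. The flows, the IP-User mapping table, the credit scores, the 30-second gap threshold and the credit threshold of 40 are all constructed; keeping one open window per User-ID is this example's reading of "introducing the user identity as a weight factor for window aggregation".

```python
from dataclasses import dataclass, field
from typing import Dict, List, Sequence, Tuple


@dataclass
class Flow:
    start: float   # flow start time in seconds (constructed)
    src_ip: str    # client address, resolved to a User-ID via the mapping table (claim 7)


@dataclass
class Window:
    user: str
    flows: List[Flow] = field(default_factory=list)

    def last_time(self) -> float:
        return self.flows[-1].start


# Constructed IP-User mapping table and credit scores (assumed names and values).
IP_USER_TABLE = {"10.0.0.5": "alice", "10.0.0.9": "bob"}
CREDIT_SCORE = {"alice": 80, "bob": 20}   # bob is treated as high risk (low credit)

# Constructed flows: alice's third flow arrives 40 s after her second,
# bob's third flow arrives 50 s after his second.
SAMPLE_FLOWS = [
    Flow(0.0, "10.0.0.5"), Flow(5.0, "10.0.0.9"), Flow(10.0, "10.0.0.5"),
    Flow(20.0, "10.0.0.9"), Flow(50.0, "10.0.0.5"), Flow(70.0, "10.0.0.9"),
]


def resolve_user(ip: str, table: Dict[str, str]) -> str:
    """Step 3.1: resolve the User-ID of a flow from the IP-User mapping table."""
    return table.get(ip, "unknown")


def slice_by_identity(flows: Sequence[Flow], ip_user_table: Dict[str, str],
                      credit: Dict[str, int], gap_threshold: float = 30.0,
                      credit_threshold: int = 40) -> List[Window]:
    """Step 3.2: identity-aware adaptive sliding window. A flow joins its user's open
    window when the gap to the window's last flow is within the conventional threshold;
    when the gap exceeds the threshold, the window is still extended if the user's
    credit score is below the credit threshold (high-risk user), otherwise it is closed
    and a new window is started."""
    closed: List[Window] = []
    open_windows: Dict[str, Window] = {}
    for flow in sorted(flows, key=lambda f: f.start):
        user = resolve_user(flow.src_ip, ip_user_table)
        window = open_windows.get(user)
        if window is None:
            open_windows[user] = Window(user, [flow])
            continue
        gap = flow.start - window.last_time()
        if gap <= gap_threshold:
            window.flows.append(flow)      # within the conventional threshold
        elif credit.get(user, credit_threshold) < credit_threshold:
            window.flows.append(flow)      # high-risk user: skip the timeout, extend the window
        else:
            closed.append(window)          # timed out: close and start a new window
            open_windows[user] = Window(user, [flow])
    closed.extend(open_windows.values())
    return closed


def window_summary(windows: Sequence[Window]) -> List[Tuple[str, List[float]]]:
    """Deterministic view of the slicing result: (user, [flow start times]) per window."""
    return sorted((w.user, [f.start for f in w.flows]) for w in windows)


if __name__ == "__main__":
    for user, times in window_summary(slice_by_identity(SAMPLE_FLOWS, IP_USER_TABLE, CREDIT_SCORE)):
        print(user, times)
```

With the constructed input, alice's 40-second gap splits her traffic into two windows, whereas bob's 50-second gap does not split his because his credit score is below the threshold; the three flows stay in one window and reach the student model together, which is the "long-period attack" case the claims target. Running the same flows with bob's credit raised above the threshold splits his window as well, which is a useful regression check when tuning the two thresholds.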
Description
Zero trust detection method and system based on skeleton constraint diffusion and cross-architecture distillation
Technical Field
The invention belongs to the field of network security, relates to artificial intelligence technology, and in particular relates to a zero trust detection method and system based on skeleton constraint diffusion and cross-architecture distillation.
Background
With the widespread use of Transport Layer Security (TLS), malware commonly employs encrypted channels for command and control and for data transmission. In a zero trust network architecture (ZTA), the zero trust gateway serves as the core policy enforcement point and bears the heavy duty of real-time security detection on massive volumes of encrypted traffic. However, existing detection techniques face a serious "triangle paradox" when deployed in practice:
1. Malicious samples are scarce and generated samples are of low quality. High-value attack samples (such as APT attacks) are extremely rare. Existing data enhancement methods (such as GANs or ordinary diffusion models) typically treat traffic as a pure time series or as an image, and lack constraints derived from the physical laws of the network protocol. As a result, the generated samples often contain "illusions" such as non-integer packet lengths or disordered handshake timing, and cannot be used to train a high-precision detection model. Although the prior art contains standardization methods based on power-law partitioning (PLD), they are used only for preprocessing in the recognition phase and have not been used to guide a generative model in building synthetic samples that meet protocol specifications.
2. Detection accuracy conflicts with gateway computing power. To capture complex inter-flow interactions in encrypted traffic, advanced detection schemes (e.g., TRANSGRAPHNET) typically construct complex traffic relationship graphs (e.g., the adaptive burst flow graph (AFG)) and combine BERT with graph neural networks (GAT) for modeling. Such models have extremely high detection precision but a huge number of parameters and high inference latency, and cannot be deployed for line-speed forwarding on a resource-limited zero trust gateway (such as an embedded NPU/FPGA).
3. Traffic slicing lacks identity awareness. Traditional traffic slicing methods are mostly based on a fixed time window or a simple interval-adaptive window, so the long-period attack behavior of a single attacker is easily split apart. In a zero trust environment, the existing User identity (User-ID) information is not fully used to optimize the traffic slicing logic, resulting in loss of context information.
Therefore, a detection method is needed that can generate high-quality samples using protocol skeleton constraints, reduce a graph model to a sequence model by cross-architecture distillation, and perform accurate slicing in combination with zero trust identity.
Disclosure of Invention
The invention provides an encrypted traffic detection method and system that, under a zero trust network architecture, uses a diffusion model constrained by a protocol skeleton together with cross-architecture knowledge distillation to achieve lightweight gateway deployment. It aims to solve the problems of the prior art that malicious encrypted traffic samples are of low generation quality, that a high-precision graph neural network model is difficult to deploy at the gateway edge, and that traffic slices lack identity context association.
To address the scarcity of malicious encrypted traffic samples and the limited computing power of gateways, the invention first uses an improved PLD algorithm to extract the protocol statistical skeleton of traffic, feeds the skeleton into a diffusion model as a conditional constraint, and generates high-fidelity enhanced samples that conform to protocol specifications. Second, it constructs a cross-architecture distillation framework in which a teacher model based on an adaptive burst flow graph (AFG) guides a lightweight student model, achieving dimension-reducing knowledge transfer from graph topological features to sequence features. Finally, in the detection stage it introduces zero trust identity labels to optimize an adaptive sliding window algorithm, achieving accurate slicing of long-period attacks.
In order to achieve the above purpose, the technical scheme adopted by the invention is as follows: A zero trust detection method based on skeleton constraint diffusion and cross-architecture distillation comprises the following steps: Step S1, diffusion data enhancement based on PLD skeleton constraint: extracting the protocol statistical skeleton of original encrypted traffic, inputting the protocol statistical skeleton into a conditional diffusion probability model as a conditional constraint, and performing diffusion generation on traffic time sequence and noise char