
CN-122001643-A - AI-fused multi-level network intrusion detection and cooperative linkage defense method


Abstract

The invention discloses an AI-fused multi-level network intrusion detection and cooperative linkage defense method in the technical field of network security. The method comprises: extracting initial traffic packet features and log events through protocol analysis to generate a structured multi-level threat feature vector; based on that vector, invoking a probabilistic finite state machine to generate an attack path inference rule chain and outputting a cross-layer attack association rule set; based on a defense operation instruction, triggering a traffic cleaning atomic operation and a process isolation atomic operation and outputting defense operation evidence; and combining the defense operation evidence with the real-time audit log, applying secret sharing to reconstruct the defense rule weights, and outputting optimized probabilistic finite state machine parameters. The invention addresses the problem of static defense strategies through a lattice encryption algorithm and a dynamic adjustment mechanism based on the device behavior entropy value, strengthening the dynamic adaptability of the defense system.

Inventors

  • DU HUANQIANG
  • LIU JIANFENG
  • GUO XIN

Assignees

  • 浙江工业职业技术学院
  • 杭州哲别科技有限公司

Dates

Publication Date
20260508
Application Date
20260129

Claims (10)

  1. An AI-fused multi-level network intrusion detection and cooperative linkage defense method, characterized by comprising the following steps: extracting initial traffic packet features and log events through protocol analysis, and generating a structured multi-level threat feature vector; based on the structured multi-level threat feature vector, invoking a probabilistic finite state machine to generate an attack path inference rule chain, and outputting a cross-layer attack association rule set; packaging a defense instruction for the cross-layer attack association rule set using a lattice encryption algorithm to obtain a defense strategy ciphertext package; decrypting the defense strategy ciphertext package in a trusted execution environment, and dynamically issuing an execution token based on the device behavior entropy value to generate a defense operation instruction; based on the defense operation instruction, triggering a traffic cleaning atomic operation and a process isolation atomic operation, and outputting defense operation evidence; and combining the defense operation evidence with the real-time audit log, applying secret sharing to reconstruct the defense rule weights, and outputting optimized probabilistic finite state machine parameters.
  2. The AI-fused multi-level network intrusion detection and cooperative linkage defense method of claim 1, wherein extracting initial traffic packet features and log events through protocol analysis and generating a structured multi-level threat feature vector comprises the following steps: extracting initial traffic packet features by protocol parsing and deep packet inspection, synchronously parsing log events with standardized timestamps, and outputting a protocol feature table and a log event table; based on the protocol feature table and the log event table, performing time alignment using dynamic time warping, acquiring the communication frequency and geographic association degree between nodes, and outputting a spatio-temporal feature set; and performing principal component analysis for dimensionality reduction and standardization on the spatio-temporal feature set to generate the structured multi-level threat feature vector.
  3. The AI-fused multi-level network intrusion detection and cooperative linkage defense method of claim 2, wherein invoking a probabilistic finite state machine based on the structured multi-level threat feature vector to generate an attack path inference rule chain and outputting a cross-layer attack association rule set comprises the following steps: performing spatio-temporal correlation on the structured multi-level threat feature vectors to generate a fused feature matrix; generating an attack path inference rule chain using a probabilistic finite state machine, searching for the optimal attack path using the Viterbi algorithm, and generating an initial attack rule chain; and based on the initial attack rule chain, verifying cross-layer associations and dynamically adjusting rule weights using causal testing and reinforcement learning, and outputting the cross-layer attack association rule set.
  4. The AI-fused multi-level network intrusion detection and cooperative linkage defense method of claim 3, wherein packaging a defense instruction for the cross-layer attack association rule set using a lattice encryption algorithm to obtain a defense strategy ciphertext package comprises the following steps: performing standardized conversion of the cross-layer attack association rule set into binary encoding, reducing data redundancy using a lossless compression algorithm, and outputting a compact rule data block; generating an asymmetric key pair using lattice cryptography, protecting the encryption key with lattice-based encryption, and outputting a double-encrypted data packet; extracting data characteristics using a cryptographic digest, binding identity using a digital signature, and outputting an encryption policy; and based on the encryption policy and the encrypted data, outputting the defense strategy ciphertext package using standardized packaging.
  5. The AI-fused multi-level network intrusion detection and cooperative linkage defense method of claim 4, wherein decrypting the defense strategy ciphertext package in the trusted execution environment and dynamically issuing an execution token based on the device behavior entropy value to generate the defense operation instruction comprises the following steps: verifying timeliness through lattice decryption to obtain a plaintext defense rule set, and generating a dynamic entropy value for the decrypting device; performing weighted fusion of the plaintext defense rule set and the device dynamic entropy value to obtain a fused risk value, and issuing a timeout token if the fused risk value exceeds a risk threshold; and matching an atomic operation chain according to the operation type in the issued timeout token, attaching a zero-knowledge proof, and generating the defense operation instruction.
  6. The AI-fused multi-level network intrusion detection and cooperative linkage defense method of claim 5, wherein triggering a traffic cleaning atomic operation and a process isolation atomic operation based on the defense operation instruction and outputting defense operation evidence comprises the following steps: decrypting the defense operation instruction using a lattice decryption algorithm, verifying the integrity and authenticity of the data using a digital signature, and outputting a plaintext defense rule set; based on the plaintext defense rule set and real-time device data, acquiring a risk difference value, embedding a quantum random number, and outputting a structured token; and matching an optimal atomic operation chain using a neural network according to the structured token and the plaintext defense rule set, embedding a zero-knowledge proof identifier, and outputting the defense operation evidence.
  7. The AI-fused multi-level network intrusion detection and cooperative linkage defense method of claim 6, wherein combining the defense operation evidence with the real-time audit log, applying secret sharing to reconstruct the defense rule weights, and outputting optimized probabilistic finite state machine parameters comprises the following steps: based on the defense operation evidence, verifying instruction validity through the secure execution environment, extracting operation information, and outputting an operation record; verifying the operation record against the real-time audit log using a time-series matching algorithm, establishing associations between operations and events, and generating a security event association map; according to the security event association map, cooperatively computing rule weight adjustments among a plurality of security nodes through secret sharing, and outputting weight share data; and decrypting the weight share data, updating the state transition probabilities, and outputting the optimized probabilistic finite state machine parameters.
  8. The AI-fused multi-level network intrusion detection and cooperative linkage defense method of claim 7, wherein generating the asymmetric key pair using lattice cryptography, protecting the encryption key with lattice-based encryption, and outputting the double-encrypted data packet comprises the following steps: generating an asymmetric key pair using lattice cryptography according to the compact rule data block, storing the private key in the trusted execution environment, and outputting a quantum-resistant public key; and based on the quantum-resistant public key, encrypting the compact rule data block using a symmetric encryption algorithm, protecting the symmetric encryption key with lattice-based encryption, and outputting the double-encrypted data packet.
  9. The AI-fused multi-level network intrusion detection and cooperative linkage defense method of claim 8, wherein verifying timeliness through lattice decryption to obtain the plaintext defense rule set and generating the dynamic entropy value for the decrypting device comprises the following steps: verifying the timeliness of the defense strategy ciphertext package through lattice decryption, and outputting the plaintext defense rule set; and acquiring a target device list, network data and quantum random numbers based on the plaintext defense rule set, and generating the dynamic entropy value of the decrypting device.
  10. The AI-fused multi-level network intrusion detection and cooperative linkage defense method of claim 9, wherein acquiring the risk difference value and embedding the quantum random number based on the plaintext defense rule set and real-time device data and outputting the structured token comprises the following steps: based on the plaintext defense rule set and real-time device data, performing weighted fusion using a fixed-threshold method to obtain a risk difference value, and outputting a risk level using risk mapping; and acquiring a timeout token based on the risk level, embedding a quantum random number, and outputting the structured token.
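Claim 3 specifies a probabilistic finite state machine whose most likely attack path is found with the Viterbi algorithm. The Python below is an added worked example and is not code from the patent: the attack stages, observation classes and every probability are constructed for illustration. Network-layer observations (port scans, large outbound transfers) and host-layer observations (authentication failures, privilege escalation) are mixed in one sequence so the inferred path spans layers, which is the cross-layer association the claim describes. Zero-probability transitions are handled in log space so an impossible path is never selected, and the collapsed state path becomes the initial attack rule chain.

```python
"""Attack-path inference over a probabilistic finite state machine (Viterbi).

Added example; states, observations and probabilities are constructed for
illustration and are not taken from the patent.
"""
import math
from typing import Dict, List, Sequence, Tuple

# Attack stages (hidden states). "benign" is the resting state.
STATES = ["benign", "recon", "exploit", "lateral", "exfil"]

# Observation classes fused from two layers: network sensors emit
# port_scan / large_outbound, host logs emit auth_fail / priv_escalation.
OBS = ["normal", "port_scan", "auth_fail", "priv_escalation", "large_outbound"]

# Initial state distribution (assumed).
START = {"benign": 0.9, "recon": 0.1, "exploit": 0.0, "lateral": 0.0, "exfil": 0.0}

# Transition probabilities P(next | current); zeros encode impossible jumps.
TRANS = {
    "benign":  {"benign": 0.85, "recon": 0.15, "exploit": 0.0, "lateral": 0.0, "exfil": 0.0},
    "recon":   {"benign": 0.2, "recon": 0.4, "exploit": 0.4, "lateral": 0.0, "exfil": 0.0},
    "exploit": {"benign": 0.1, "recon": 0.0, "exploit": 0.3, "lateral": 0.5, "exfil": 0.1},
    "lateral": {"benign": 0.05, "recon": 0.0, "exploit": 0.1, "lateral": 0.45, "exfil": 0.4},
    "exfil":   {"benign": 0.1, "recon": 0.0, "exploit": 0.0, "lateral": 0.2, "exfil": 0.7},
}

# Emission probabilities P(observation | state).
EMIT = {
    "benign":  {"normal": 0.9, "port_scan": 0.04, "auth_fail": 0.04, "priv_escalation": 0.01, "large_outbound": 0.01},
    "recon":   {"normal": 0.2, "port_scan": 0.7, "auth_fail": 0.08, "priv_escalation": 0.01, "large_outbound": 0.01},
    "exploit": {"normal": 0.1, "port_scan": 0.05, "auth_fail": 0.5, "priv_escalation": 0.3, "large_outbound": 0.05},
    "lateral": {"normal": 0.2, "port_scan": 0.15, "auth_fail": 0.35, "priv_escalation": 0.25, "large_outbound": 0.05},
    "exfil":   {"normal": 0.1, "port_scan": 0.02, "auth_fail": 0.03, "priv_escalation": 0.05, "large_outbound": 0.8},
}


def _log(p: float) -> float:
    """Log-probability that tolerates zero entries (-inf means impossible)."""
    return math.log(p) if p > 0 else float("-inf")


def viterbi(observations: Sequence[str]) -> Tuple[List[str], float]:
    """Return the most probable state sequence and its log-probability."""
    if not observations:
        return [], 0.0
    for obs in observations:
        if obs not in OBS:
            raise ValueError(f"unknown observation class: {obs}")
    # delta[t][s]: best log-probability of any path ending in state s at step t
    delta: List[Dict[str, float]] = [
        {s: _log(START[s]) + _log(EMIT[s][observations[0]]) for s in STATES}
    ]
    back: List[Dict[str, str]] = [{}]
    for t in range(1, len(observations)):
        obs = observations[t]
        column: Dict[str, float] = {}
        pointer: Dict[str, str] = {}
        for s in STATES:
            best_prev, best_val = STATES[0], float("-inf")
            for p in STATES:
                v = delta[t - 1][p] + _log(TRANS[p][s])
                if v > best_val:
                    best_prev, best_val = p, v
            column[s] = best_val + _log(EMIT[s][obs])
            pointer[s] = best_prev
        delta.append(column)
        back.append(pointer)
    last = max(STATES, key=lambda s: delta[-1][s])
    path = [last]
    for t in range(len(observations) - 1, 0, -1):   # follow back-pointers
        path.append(back[t][path[-1]])
    path.reverse()
    return path, delta[-1][last]


def attack_rule_chain(path: Sequence[str]) -> List[str]:
    """Collapse the state path into an ordered chain of distinct attack stages."""
    chain: List[str] = []
    for s in path:
        if s != "benign" and (not chain or chain[-1] != s):
            chain.append(s)
    return chain


if __name__ == "__main__":
    # Constructed observation sequence mixing network-layer and host-layer events.
    sample = ["normal", "port_scan", "port_scan", "auth_fail",
              "priv_escalation", "auth_fail", "large_outbound"]
    path, logp = viterbi(sample)
    print(path, round(logp, 3))
    print(attack_rule_chain(path))
```

The sample sequence resolves to the path benign, recon, recon, exploit, lateral, lateral, exfil, so the initial rule chain is recon, exploit, lateral, exfil. An all-"normal" sequence stays in benign and yields an empty chain, which is the check a practitioner wants before wiring the chain into automated response: the FSM should not produce a non-empty attack chain from a quiet sensor feed.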
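Claim 7 has several security nodes compute rule weight adjustments cooperatively through secret sharing and then update the state transition probabilities of the finite state machine. The Python below is an added example, not the patent's code: it uses Shamir secret sharing over a prime field, relies on the additive property of Shamir shares so that the total adjustment is reconstructed from any t nodes without any node revealing its own contribution, and applies the result to one transition row with renormalization. The field prime, fixed-point scale, threshold and the per-node adjustment values are assumptions.

```python
"""Cooperative rule-weight adjustment with Shamir secret sharing.

Added example, not the patent's code. Each security node holds a local
weight adjustment that it must not reveal; the nodes exchange Shamir shares,
sum them, and any t of the summed shares reconstruct only the total.
"""
import secrets
from typing import Dict, List, Tuple

P = (1 << 61) - 1      # field prime (assumption: a Mersenne prime, fits in int)
SCALE = 1000           # fixed-point scale for fractional adjustments (assumption)


def encode(value: float) -> int:
    """Map a signed fractional adjustment to a field element."""
    return round(value * SCALE) % P


def decode(element: int) -> float:
    """Inverse of encode; elements above P//2 represent negative numbers."""
    if element > P // 2:
        element -= P
    return element / SCALE


def _eval_poly(coeffs: List[int], x: int) -> int:
    acc = 0
    for c in reversed(coeffs):      # Horner's rule modulo P
        acc = (acc * x + c) % P
    return acc


def make_shares(secret: int, n: int, t: int) -> List[Tuple[int, int]]:
    """Split secret into n shares with threshold t (share x = node id 1..n)."""
    if not 1 <= t <= n:
        raise ValueError("threshold must satisfy 1 <= t <= n")
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def reconstruct(shares: List[Tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0 over the prime field."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def aggregate_adjustments(local_adjustments: List[float], t: int) -> float:
    """Sum per-node adjustments without any node disclosing its own value.

    Node i splits its value into n shares and sends share j to node j. Because
    Shamir shares are additive, each node's running sum is a share of the
    total, and any t of those sums reconstruct the total and nothing else.
    """
    n = len(local_adjustments)
    per_node_sum = [0] * n
    for adj in local_adjustments:
        for x, y in make_shares(encode(adj), n, t):
            per_node_sum[x - 1] = (per_node_sum[x - 1] + y) % P
    # Any t cooperating nodes suffice; here the first t respond.
    quorum = [(i + 1, per_node_sum[i]) for i in range(t)]
    return decode(reconstruct(quorum))


def update_transition(row: Dict[str, float], target: str, delta: float,
                      floor: float = 0.01) -> Dict[str, float]:
    """Apply an adjustment to one outgoing transition and renormalize the row."""
    new_row = dict(row)
    new_row[target] = max(floor, new_row[target] + delta)
    total = sum(new_row.values())
    return {k: v / total for k, v in new_row.items()}


if __name__ == "__main__":
    # Constructed local adjustments from four security nodes, threshold 3.
    delta = aggregate_adjustments([0.12, -0.05, 0.03, 0.02], t=3)
    row = {"benign": 0.1, "exploit": 0.3, "lateral": 0.5, "exfil": 0.1}
    print(delta, update_transition(row, "lateral", delta))
```

With fewer than t summed shares the interpolation returns a uniformly random field element, so a node that collects only t-1 contributions learns nothing about the total or about any peer's adjustment; the floor in update_transition keeps a negative aggregate from driving a transition to zero, which would otherwise make that attack step unreachable for the Viterbi search.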

Description

AI-fused multi-level network intrusion detection and cooperative linkage defense method

Technical Field

The invention relates to secure and secret communication, belongs to the field of network security, and particularly relates to an AI-fused multi-level network intrusion detection and cooperative linkage defense method.

Background

At present, network intrusion detection and defense technology is an important component of the field of network security, also belongs to secure and secret communication, and various mature technical schemes have been developed. The prior art mainly adopts signature-based detection and anomaly-based detection. The signature-based method identifies threats by matching against a library of known attack features, and the anomaly-based method establishes a baseline of normal behavior and alarms on activities that deviate from it. Traditional schemes mostly use a layered defense architecture comprising components such as a network-layer firewall and a host-layer intrusion prevention system, and the components share information and respond in linkage through standardized protocols. The defect of the prior art is that the data of each level is generally processed separately and a unified spatio-temporal correlation analysis mechanism is lacking, so the accuracy of attack path inference is limited; moreover, the prior art mostly adopts a static permission allocation mechanism and cannot dynamically adjust the defense strength according to real-time risk.

Disclosure of Invention

The present invention has been made in view of the above problems in the prior art. Therefore, the invention provides an AI-fused multi-level network intrusion detection and cooperative linkage defense method, which solves the problems of insufficient analysis of cross-level attack relevance and limited dynamic adaptability of defense strategies. In order to solve the technical problems, the invention provides the following technical scheme: an AI-fused multi-level network intrusion detection and cooperative linkage defense method comprising the following steps: extracting initial traffic packet features and log events through protocol analysis, and generating a structured multi-level threat feature vector; based on the structured multi-level threat feature vector, invoking a probabilistic finite state machine to generate an attack path inference rule chain, and outputting a cross-layer attack association rule set; packaging a defense instruction for the cross-layer attack association rule set using a lattice encryption algorithm to obtain a defense strategy ciphertext package; decrypting the defense strategy ciphertext package in a trusted execution environment, and dynamically issuing an execution token based on the device behavior entropy value to generate a defense operation instruction; based on the defense operation instruction, triggering a traffic cleaning atomic operation and a process isolation atomic operation, and outputting defense operation evidence; and combining the defense operation evidence with the real-time audit log, applying secret sharing to reconstruct the defense rule weights, and outputting optimized probabilistic finite state machine parameters.

As a preferred scheme of the AI-fused multi-level network intrusion detection and cooperative linkage defense method, extracting initial traffic packet features and log events through protocol analysis to generate a structured multi-level threat feature vector specifically comprises the following steps: extracting initial traffic packet features by protocol parsing and deep packet inspection, synchronously parsing log events with standardized timestamps, and outputting a protocol feature table and a log event table; based on the protocol feature table and the log event table, performing time alignment using dynamic time warping, acquiring the communication frequency and geographic association degree between nodes, and outputting a spatio-temporal feature set; and performing principal component analysis for dimensionality reduction and standardization on the spatio-temporal feature set to generate the structured multi-level threat feature vector.

As a preferred scheme of the AI-fused multi-level network intrusion detection and cooperative linkage defense method, invoking a probabilistic finite state machine based on the structured multi-level threat feature vector to generate an attack path inference rule chain and outputting a cross-layer attack association rule set specifically comprises the following steps: performing spatio-temporal correlation on the structured multi-level threat feature vectors to generate a fused feature matrix; Generatin