CN-122027214-A - Self-adaptive network attack prediction and defense system and method based on artificial intelligence
Abstract
An artificial intelligence-based adaptive network attack prediction and defense system and method. The system comprises a data acquisition module, a feature extraction module, an adaptive learning engine module, a real-time attack detection module, a dynamic defense deployment module and a feedback optimization mechanism module. By collecting network traffic and user behavior data in real time, extracting precise features driven by an attention mechanism and mining the time-sequence associated features of attacks in depth, the invention makes attack identification more targeted; by combining adaptive learning with real-time detection, it dynamically optimizes the attack prediction model and precisely identifies the attack type and severity; and through the closed loop of dynamic defense and feedback optimization, it deploys defense measures on demand and iterates parameters in real time, so as to respond efficiently to attack evolution and strengthen the overall security and defense efficiency in complex network attack scenarios.
Inventors
- QIU SHUANG
- ZHANG CHENYAN
- HUANG CHENGXUAN
- LIU XINYI
- Song Feiyang
- Xu Yingsha
- HUANG JUNDONG
- YU ZHENG
- WANG YIXI
- Xia Shengdong
- LI GUORUI
- ZHANG YONG
- YAO TIANLU
- GUO FENG
- FENG HAO
- JIAO HANLIN
- ZHANG XIANFEI
- ZHANG XIONG
- Tong Yongfei
- ZHOU YUTING
Assignees
- 国网湖北省电力有限公司信息通信公司
- 湖北华中电力科技开发有限责任公司
Dates
- Publication Date
- 20260512
- Application Date
- 20251231
Claims (10)
- 1. An artificial intelligence based adaptive cyber attack prediction and defense system, comprising: a data acquisition module, deployed at key network nodes, for acquiring network flow data, system operation logs and user behavior data in real time and taking them as input data; a feature extraction module for extracting time-sequence associated features of network attack behaviors from the input data by adopting a multi-algorithm fusion strategy based on an attention mechanism, and screening them to form a high-discrimination attack feature subset; a self-adaptive learning engine module for constructing an attack prediction model, analyzing and learning the time-sequence associated features and the attack feature subset through a hybrid unsupervised/semi-supervised dynamic evolution learning framework, and iteratively optimizing the parameters of the attack prediction model; a real-time attack detection module for analyzing network attack behaviors and identifying anomalies with a flow time-sequence enhanced isolation forest algorithm based on the attack prediction model, and confirming the attack type and severity; a dynamic defense deployment module for deploying dynamic defense measures through an attack tracing/defense game layered response mechanism based on the attack type and severity, and synchronizing attack evolution information to the feedback optimization mechanism module when attack evolution is detected; and a feedback optimization mechanism module for continuously collecting defense effect data, completing the parameter update calculation based on a real-time online feedback mechanism enhanced by transfer learning, and iteratively optimizing the parameters of the self-adaptive learning engine module and the dynamic defense deployment module in real time.
- 2. The artificial intelligence based adaptive network attack prediction and defense system of claim 1, wherein the function of the feature extraction module is implemented as follows: a preliminary judgment is made on the input data and its attack type is determined; for the determined attack type, a multi-algorithm fusion strategy combining a random forest, a support vector machine and a gradient boosting decision tree algorithm is used, and the weight proportion of each algorithm in the fusion strategy is dynamically adjusted through an attention mechanism according to the following expression (the expression itself is not reproduced in the source text), whose quantities are, respectively: the weight of a given algorithm; the historical extraction precision of that algorithm on the corresponding attack type; the confidence coefficient of that algorithm; the weight of another of the algorithms; and the confidence coefficient of that other algorithm; on the basis of the adjusted fusion strategy, a time-sequence feature extraction mechanism is introduced: a sliding time window is set, the difference and the ratio of the feature values of the input data in adjacent windows are calculated, and the time-sequence associated features of the input data are extracted and normalized; the time-sequence associated features comprise the packet size fluctuation coefficient, the source IP access frequency change rate, the time-sequence change of the protocol type proportion, the session duration distribution and the time-sequence change of failed login attempts; a recursive feature elimination algorithm is used for preliminary screening of the time-sequence associated features, eliminating those of lowest importance; and a secondary screening is performed on the remaining time-sequence associated features by calculating the correlation coefficient between each of them and the corresponding attack type and retaining those with a correlation coefficient of not less than 0.6, thereby obtaining the high-discrimination attack feature subset.
- 3. The artificial intelligence based adaptive network attack prediction and defense system of claim 1, wherein the function of the self-adaptive learning engine module is implemented as follows: the dynamic evolution learning framework comprises, from top to bottom, an unsupervised exploration layer, a semi-supervised optimization layer and a reinforcement learning iteration layer; the unsupervised exploration layer performs cluster analysis on the attack feature subset with a K-means clustering algorithm, determines a normal cluster and an abnormal cluster, purifies the abnormal cluster with an autoencoder by eliminating normal data points from it, and preliminarily identifies potential attack patterns; the semi-supervised optimization layer takes a small number of known attack samples and normal samples as labeled samples, calculates the distance between the labeled samples and the centers of all clusters, and corrects the cluster boundaries of the unsupervised exploration layer; the reinforcement learning iteration layer introduces reinforcement learning agents that take the attack detection accuracy, the false alarm rate and the unknown attack recognition rate as the core reward function, dynamically adjusts the cluster centers and cluster radii, and iteratively optimizes the attack prediction model parameters, the reward function having the following expression (the expression itself is not reproduced in the source text), whose quantities are, respectively: the reward value; the attack detection accuracy; the false alarm rate; the unknown attack recognition rate; and three weight coefficients; a time-sequence differential learning mechanism is introduced to monitor feature drift in real time: the deviation between the mean of the current attack feature data and the initial cluster center is calculated, and feature drift is judged to have occurred when the deviation exceeds a deviation threshold; if feature drift is judged to have occurred, incremental training of the attack prediction model parameters is performed on the attack feature data exhibiting the drift; after the incremental training, the performance of the attack prediction model is evaluated, and if the performance improvement is 5% or more, the attack prediction model parameters are automatically updated and deployed to the real-time attack detection module, whereas if the performance improvement is less than 5%, the original attack prediction model parameters are retained and the feature drift condition is recorded.
- 4. The artificial intelligence based adaptive network attack prediction and defense system of claim 1, wherein the function of the real-time attack detection module is implemented as follows: the isolation forest algorithm is optimized through dynamic adjustment of the decision trees and enhancement by time-decay weights; in the dynamic adjustment of the decision trees, the depth of each decision tree in the isolation forest is adjusted in real time according to the network flow density, the tree depth being set to 15 when the flow density is not more than 1000 packets/second, to 20 when it is more than 1000 and not more than 5000 packets/second, and to 25 when it is more than 5000 packets/second; in the time-decay weight enhancement, the anomaly score is calculated by introducing a time-decay weight function whose expression is as follows (the expression itself is not reproduced in the source text), its quantities being the time-decay weight function and the difference between the data generation time and the current detection time; the optimized anomaly score is calculated by the following expression (likewise not reproduced in the source text), whose quantities are, respectively: the anomaly score; the path length of a sample in an isolation tree; the average path length of the isolation tree; and the number of samples; the anomaly score is calculated on the flow features among the time-sequence associated features to judge whether the flow feature dimension is abnormal; whether the behavior feature dimension is abnormal is judged by regular-expression matching and statistical analysis of the user behavior features among the time-sequence associated features; an attack alarm of the attack prediction model is triggered if both the flow feature dimension and the behavior feature dimension are abnormal, whereas if only one of the two dimensions is abnormal the attack alarm is not triggered and the behavior is marked as suspicious for focused monitoring; and if the attack alarm of the attack prediction model is triggered, the attack type is judged, the degree of matching between the attack feature data and the attack type is calculated, and the severity of the attack is evaluated.
- 5. The artificial intelligence based adaptive network attack prediction and defense system of claim 1, wherein the function of the dynamic defense deployment module is implemented as follows: based on the attack feature data in the attack alarm, a Bayesian network is used to trace the attack, confirm possible attack sources and attack paths and predict the attack intention; the tracing result for the attack intention is verified against existing threat intelligence data: if the degree of matching between the existing threat intelligence data and the Bayesian network tracing result is 80% or more, the tracing result is confirmed, and if it is less than 80%, the Bayesian network model parameters are re-optimized and attack tracing is performed again; the severity level of the attack is determined by the analytic hierarchy process based on the tracing result, the attack being judged high-severity if its severity score is 8 points or more, medium-severity if it is 4-7 points, and low-severity if it is 1-3 points; if the attack is judged high-severity, traffic cleaning, dynamic bandwidth expansion and honeypot trapping are executed as coordinated defense measures, if medium-severity, feature-based interception and session isolation are executed, and if low-severity, access frequency limiting and log marking are executed; at the same time an attack evolution tracking mechanism is introduced that monitors changes in the attack features in real time, continuously collects flow features and user behavior features during the defense process, extracts the attack features, compares them with the initial attack features and calculates the feature similarity, the attack type being judged to have evolved if the feature similarity is less than 70%; and if the attack type is judged to have evolved, the defense rule corresponding to the attack type is automatically invoked and the attack evolution information is synchronously transmitted to the feedback optimization mechanism module.
- 6. The artificial intelligence based adaptive network attack prediction and defense system of claim 1, wherein the function of the feedback optimization mechanism module is implemented as follows: a multi-scene defense experience library is constructed that integrates defense experience data from different network environments and different service types and forms standardized defense parameter templates; the similarity between the current network environment and each scene in the multi-scene defense experience library is calculated, and the defense parameters of the N scenes with the highest similarity are selected as initial parameters; defense effect data are collected continuously, and when the parameter update trigger threshold is reached the parameter update amount is calculated with an improved stochastic gradient descent algorithm and the initial parameters are updated according to the following expression (the expression itself is not reproduced in the source text), whose quantities are, respectively: the updated parameter; the parameter before the update; the learning rate; the gradient of the loss function; the predicted value; the actual defense effect value; and the transfer learning weight; the updated parameters are verified: if the defense effect improves by 5% or more, the parameter update is confirmed as effective, and if it improves by less than 5%, the updated parameters are discarded and the parameters are updated again after the learning rate is adjusted; and if the parameter update is effective, the updated parameters are pushed to the self-adaptive learning engine module and the dynamic defense deployment module, whose parameters are updated synchronously.
- 7. The artificial intelligence based adaptive network attack prediction and defense system of claim 1, wherein the system further comprises a multi-objective optimization module for performing multi-objective optimization with a non-dominated sorting genetic algorithm, taking minimized attack loss, minimized resource consumption and minimized false alarm rate as the three core optimization objectives, screening out and outputting Pareto-optimal parameter combinations, and synchronizing them to the self-adaptive learning engine module and the dynamic defense deployment module.
- 8. An artificial intelligence based adaptive network attack prediction and defense method, applied to the system of claim 1, the method comprising: collecting network flow data, system operation logs and user behavior data of key network nodes in real time as input data; extracting time-sequence associated features of network attack behaviors from the input data by adopting a multi-algorithm fusion strategy based on an attention mechanism, and screening them to form a high-discrimination attack feature subset; constructing an attack prediction model, analyzing and learning the time-sequence associated features and the attack feature subset through a hybrid unsupervised/semi-supervised dynamic evolution learning framework, and iteratively optimizing the parameters of the attack prediction model; based on the attack prediction model, analyzing network attack behaviors and identifying anomalies with a flow time-sequence enhanced isolation forest algorithm, and confirming the attack type and severity; based on the attack type and severity, deploying dynamic defense measures through an attack tracing/defense game layered response mechanism, and synchronizing attack evolution information to the feedback optimization mechanism module when attack evolution is detected; and, based on a real-time online feedback mechanism enhanced by transfer learning, continuously collecting defense effect data, completing the parameter update calculation, and iteratively optimizing the parameters of the self-adaptive learning engine module and the dynamic defense deployment module in real time.
- 9. An artificial intelligence based adaptive network attack prediction and defense device, characterized in that the device comprises a processor and a memory; the memory is used for storing computer program code and transmitting the computer program code to the processor; and the processor is configured to execute the artificial intelligence based adaptive network attack prediction and defense method of claim 8 according to the instructions in the computer program code.
- 10. A computer-readable storage medium, characterized in that it stores computer-executable instructions which, when executed on a computer, implement the artificial intelligence based adaptive network attack prediction and defense method of claim 8.
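The windowed feature extraction and correlation screening of claim 2, as an added Python illustration that is not the patent's code: constructed packet windows (size, source IP, login failure flag) are turned into three of the window features the claim names, the adjacent-window difference and ratio of each are min-max normalised, and only features whose correlation with the attack label reaches 0.6 survive. The recursive feature elimination step is omitted; the exact window features, the +1 smoothing in the ratio and all sample data are my choices.

```python
import math
from collections import Counter

def make_window(sizes, ips, fails):
    """One sliding window of constructed packet records: (size, src_ip, login_failed)."""
    return list(zip(sizes, ips, fails))

def attack_window(n_top, n_fail):
    # Constructed attack phase: small packets, one dominant source, failed logins.
    ips = ["A"] * n_top + ["B", "B", "C", "C"][: 8 - n_top]
    return make_window([100, 300] * 4, ips, [1] * n_fail + [0] * (8 - n_fail))

NORMAL = make_window([480, 520] * 4, ["A", "A", "B", "B", "C", "C", "D", "D"], [0] * 8)
WINDOWS = [NORMAL, NORMAL, NORMAL, attack_window(4, 2), attack_window(6, 4), attack_window(8, 6)]
LABELS = [0, 0, 0, 1, 1, 1]  # per-window label for the constructed attack type

def window_features(packets):
    sizes = [p[0] for p in packets]
    mean = sum(sizes) / len(sizes)
    std = math.sqrt(sum((s - mean) ** 2 for s in sizes) / len(sizes))
    top = Counter(p[1] for p in packets).most_common(1)[0][1]
    return {"size_cv": std / mean,                # packet size fluctuation coefficient
            "top_src_rate": top / len(packets),  # share of the most active source IP
            "login_fail": sum(p[2] for p in packets)}

def minmax(xs):
    lo, hi = min(xs), max(xs)
    return [0.0] * len(xs) if hi == lo else [(x - lo) / (hi - lo) for x in xs]

def temporal_features(windows):
    """Adjacent-window difference and ratio of each window feature, normalised.
    The ratio uses (v+1)/(u+1) so a zero-valued previous window stays defined (my choice)."""
    base = [window_features(w) for w in windows]
    out = {}
    for name in base[0]:
        v = [b[name] for b in base]
        out[name + "_diff"] = minmax([v[t] - v[t - 1] for t in range(1, len(v))])
        out[name + "_ratio"] = minmax([(v[t] + 1) / (v[t - 1] + 1) for t in range(1, len(v))])
    return out

def pearson(xs, ys):
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return 0.0 if vx == 0 or vy == 0 else cov / math.sqrt(vx * vy)

def screen(features, labels, threshold=0.6):
    """Secondary screening of claim 2: keep features with |correlation| >= 0.6."""
    kept = {}
    for name, vals in features.items():
        r = pearson(vals, labels)
        if abs(r) >= threshold:
            kept[name] = r
    return kept

def select_features(windows=WINDOWS, labels=LABELS):
    # Difference/ratio features exist from the second window on, so labels are aligned.
    return screen(temporal_features(windows), labels[1:])
```

The packet-size features are dropped because their one-off jump at the attack onset correlates only weakly with the step-shaped label, while the ramping source-dominance and login-failure features are kept.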
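The feature-drift branch of claim 3, as an added Python illustration rather than the patent's implementation: a two-cluster K-means model, labelled seeds naming the abnormal cluster, the deviation test against the initial cluster center, incremental re-centring on drift, and the 5% acceptance gate that otherwise keeps the old parameters and records the drift. The running-mean update rule, the Euclidean drift threshold of 1.0, the reading of "5% improvement" as five accuracy points and all data points are assumptions.

```python
import math

def mean(points):
    n = len(points)
    return tuple(sum(p[i] for p in points) / n for i in range(len(points[0])))

def kmeans(points, init, iters=20):
    """Lloyd's K-means with fixed initial centers (the unsupervised exploration layer)."""
    centers = list(init)
    for _ in range(iters):
        groups = [[] for _ in centers]
        for p in points:
            groups[min(range(len(centers)), key=lambda i: math.dist(p, centers[i]))].append(p)
        centers = [mean(g) if g else c for g, c in zip(groups, centers)]
    return centers

class DriftAwareModel:
    def __init__(self, initial_data, labelled, drift_threshold=1.0, alpha=0.5):
        # Deterministic seeds: the lexicographically smallest and largest points.
        self.centers = kmeans(initial_data, [min(initial_data), max(initial_data)])
        # Semi-supervised layer (simplified): labelled attack samples name the abnormal cluster.
        attack_seed = mean([p for p, y in labelled if y == 1])
        self.attack_idx = min(range(2), key=lambda i: math.dist(attack_seed, self.centers[i]))
        self.initial_attack_center = self.centers[self.attack_idx]
        self.threshold, self.alpha, self.drift_log = drift_threshold, alpha, []

    def predict(self, p):
        nearest = min(range(2), key=lambda i: math.dist(p, self.centers[i]))
        return 1 if nearest == self.attack_idx else 0

    def accuracy(self, labelled):
        return sum(self.predict(p) == y for p, y in labelled) / len(labelled)

    def observe(self, current_attack_data, validation):
        """Drift test of claim 3: deviation of the current attack-data mean from the
        initial cluster center; on drift, incremental re-centring (assumed running
        mean) is kept only if validation accuracy improves by at least 5 points."""
        deviation = math.dist(mean(current_attack_data), self.initial_attack_center)
        if deviation <= self.threshold:
            return "no_drift"
        old, base = list(self.centers), self.accuracy(validation)
        c, m = self.centers[self.attack_idx], mean(current_attack_data)
        self.centers[self.attack_idx] = tuple((1 - self.alpha) * ci + self.alpha * mi
                                              for ci, mi in zip(c, m))
        if self.accuracy(validation) - base >= 0.05:
            return "updated"              # new parameters go to the detection module
        self.centers = old                # keep the original parameters ...
        self.drift_log.append(deviation)  # ... but record the drift condition
        return "drift_recorded"

# Constructed data: a benign cluster near (1, 1), an attack cluster near (5, 5), two
# labelled seeds, and a validation set in which the attack has shifted towards (3.5, 1).
INITIAL = [(0.8, 1.0), (1.2, 0.9), (1.0, 1.3), (0.9, 0.8),
           (5.1, 4.9), (4.8, 5.2), (5.0, 5.0), (5.3, 4.7)]
LABELLED = [((1.0, 1.0), 0), ((5.0, 5.0), 1)]
VALIDATION = [((1.0, 1.0), 0), ((0.9, 1.1), 0), ((3.5, 1.0), 1), ((3.4, 0.9), 1), ((5.0, 5.0), 1)]
```

Feeding the model a small shift, then the drift towards the benign region, then a further jump to (9, 9) exercises all three outcomes: no drift, an accepted update, and a recorded-but-rejected drift.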
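The detection logic of claim 4, as an added Python illustration rather than the patent's code: the claimed tree-depth rule by flow density, a plain isolation forest whose score is the standard 2^(-E[h]/c(n)), a behaviour-dimension check using regular-expression matching and a failed-login count, and the two-dimension alarm gating. Because the page does not reproduce the time-decay weight function, an exponential decay exp(-lambda*age) applied as a sampling weight is assumed; the data, thresholds and regex are constructed.

```python
import math
import random
import re
def tree_depth(packets_per_second):
    """Claimed depth rule: 15 up to 1000 pps, 20 up to 5000 pps, 25 above."""
    if packets_per_second <= 1000:
        return 15
    return 20 if packets_per_second <= 5000 else 25

def decay_weight(age_seconds, lam=0.01):
    return math.exp(-lam * age_seconds)  # assumed form; the claim's function is not on the page

def c_factor(n):
    """Average path length of an unsuccessful BST search; normalises the score."""
    if n <= 2:
        return max(0.0, n - 1.0)  # c(0) = c(1) = 0, c(2) = 1
    return 2.0 * (math.log(n - 1) + 0.5772156649) - 2.0 * (n - 1) / n

def build_tree(data, depth, limit, rng):
    if depth >= limit or len(data) <= 1:
        return ("leaf", len(data))
    dim = rng.randrange(len(data[0]))
    lo, hi = min(x[dim] for x in data), max(x[dim] for x in data)
    if lo == hi:
        return ("leaf", len(data))
    split = rng.uniform(lo, hi)
    left = [x for x in data if x[dim] < split]
    right = [x for x in data if x[dim] >= split]
    return ("node", dim, split, build_tree(left, depth + 1, limit, rng),
            build_tree(right, depth + 1, limit, rng))

def path_length(tree, x, depth=0):
    if tree[0] == "leaf":
        return depth + c_factor(tree[1])
    _, dim, split, left, right = tree
    return path_length(left if x[dim] < split else right, x, depth + 1)

class IsolationForest:
    """Depth limit follows the flow-density rule; each tree's sample is drawn with
    time-decay weights so recent flows dominate (weighted sampling is an assumption)."""
    def __init__(self, data, ages, packets_per_second, n_trees=50, sample=64, seed=7):
        rng = random.Random(seed)
        limit = tree_depth(packets_per_second)
        weights = [decay_weight(a) for a in ages]
        self.n = min(sample, len(data))
        self.trees = [build_tree(rng.choices(data, weights, k=self.n), 0, limit, rng)
                      for _ in range(n_trees)]
    def score(self, x):
        avg = sum(path_length(t, x) for t in self.trees) / len(self.trees)
        return 2 ** (-avg / c_factor(self.n))  # standard isolation-forest anomaly score

def behaviour_anomalous(events, max_failures=5):
    """Behaviour dimension: regex check of the user-name format plus a failed-login
    count statistic (the claim names regex matching and statistics; limits assumed)."""
    failures = sum(1 for e in events if e["result"] == "fail")
    bad_name = any(not re.fullmatch(r"[a-z][a-z0-9_.]{2,31}", e["user"]) for e in events)
    return failures > max_failures or bad_name

def decide(flow_score, behaviour_flag, flow_threshold=0.6):
    """Claimed gating: alarm only if both dimensions are abnormal; one alone is suspicious."""
    flow_flag = flow_score >= flow_threshold
    if flow_flag and behaviour_flag:
        return "alarm"
    return "suspicious" if (flow_flag or behaviour_flag) else "normal"

# Constructed baseline: 150 benign flows (mean packet size, packets/s) with ages in seconds.
_gen = random.Random(3)
NORMAL_FLOWS = [(_gen.uniform(450, 550), _gen.uniform(50, 150)) for _ in range(150)]
AGES = list(range(150))
```

A flow far outside the benign cluster scores high on its own, but `decide` only raises an alarm once the behaviour dimension is abnormal too; otherwise the flow is marked suspicious, exactly as the claim describes.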
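The feedback loop of claim 6, as an added Python illustration (not the patent's code): scene selection by cosine similarity with the N most similar templates averaged into initial parameters, a transfer-weighted stochastic gradient step, and the 5% acceptance gate that discards a failed update, halves the learning rate and retries. Since the page does not reproduce the update expression, the linear effect model, the squared-error loss, the rule theta' = theta - lr*w*grad, the relative reading of "5%", the 1 minus mean-absolute-error effect proxy and the library contents are all assumptions.

```python
import math

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))

# Constructed multi-scene defense experience library: environment descriptor
# (traffic level, IoT share, web-service flag) -> standardised parameter template.
LIBRARY = {
    "campus_web": ((0.9, 0.1, 1.0), [0.5, 0.2]),
    "branch_web": ((0.8, 0.2, 1.0), [0.6, 0.1]),
    "iot_site":   ((0.1, 0.9, 0.0), [0.1, 0.9]),
}

def initial_parameters(env, library=LIBRARY, n=2):
    """Pick the N most similar scenes and average their templates as initial parameters."""
    ranked = sorted(library, key=lambda name: cosine(env, library[name][0]), reverse=True)
    chosen = [library[name][1] for name in ranked[:n]]
    return [sum(col) / n for col in zip(*chosen)]

def predict(theta, x):
    return sum(t * xi for t, xi in zip(theta, x))  # assumed linear effect model

def defense_effect(theta, feedback):
    """Proxy for the measured defense effect: 1 minus the mean absolute error between the
    effect predicted for each configuration and the effect actually observed (assumed)."""
    return 1.0 - sum(abs(predict(theta, x) - y) for x, y in feedback) / len(feedback)

def sgd_step(theta, feedback, lr, transfer_w):
    """Assumed update: theta' = theta - lr * transfer_w * grad of the squared-error loss."""
    grad = [0.0] * len(theta)
    for x, y in feedback:
        err = predict(theta, x) - y
        for i, xi in enumerate(x):
            grad[i] += 2 * err * xi / len(feedback)
    return [t - lr * transfer_w * g for t, g in zip(theta, grad)]

def gated_update(theta, feedback, lr, transfer_w=0.5, min_gain=0.05, max_retries=3):
    """Accept the update only if the defense effect improves by >= 5% (relative);
    otherwise discard it, halve the learning rate and try again."""
    base = defense_effect(theta, feedback)
    for attempt in range(max_retries + 1):
        candidate = sgd_step(theta, feedback, lr, transfer_w)
        if (defense_effect(candidate, feedback) - base) / base >= min_gain:
            return candidate, lr, attempt
        lr /= 2
    return theta, lr, max_retries + 1  # no acceptable update; keep the old parameters

# Constructed defense-effect feedback: (configuration features, observed effect).
FEEDBACK = [((1.0, 0.0), 0.7), ((0.0, 1.0), 0.3), ((1.0, 1.0), 1.0), ((0.5, 0.5), 0.5)]
```

With a moderate learning rate the first candidate passes the gate; with an oversized one the first candidate overshoots and is discarded, and the halved rate produces an acceptable update on the second attempt.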
Description
Self-adaptive network attack prediction and defense system and method based on artificial intelligence
Technical Field
The invention relates to network attack prediction and defense, belongs to the technical field of network security, and in particular relates to an artificial intelligence-based self-adaptive network attack prediction and defense system and method.
Background
With the rapid development of internet technology and the wide spread of its applications, network security has increasingly become a global focus of attention. Network attacks, including but not limited to malware, phishing and distributed denial of service (DDoS) attacks, pose a serious threat to personal privacy and enterprise assets. As attacker techniques continue to advance, attack methods become more covert and complex, and traditional security measures often struggle to discover and effectively defend against novel attacks in time; in addition, with the proliferation of internet of things (IoT) devices, network boundaries expand and network environments become more complex, so traditional security solutions also struggle to deal with large-scale and diversified network traffic. Thus there is a need for a more intelligent and adaptive network security solution that improves detection and defense capabilities against unknown threats.
Because of its advantages in pattern recognition, self-learning and self-adaptation, artificial intelligence (AI) technology is widely regarded as a key technology for improving network security protection capability: it can learn normal network behavior patterns by analyzing large amounts of network data and recognize abnormal behaviors deviating from those patterns, so as to predict and recognize potential network attacks, and it can automatically adjust and optimize the defense strategy according to changes in the network environment and the evolution of attack patterns, so as to realize dynamic defense against network threats. However, it still has weak recognition capability for unknown attacks, low dynamic adaptation and iteration efficiency of models, and insufficiently targeted defense responses, and finds it difficult to cope with complex and changeable network attack scenarios.
Disclosure of Invention
The invention aims to overcome the defects and problems of the prior art and provide an artificial intelligence-based adaptive network attack prediction and defense system and method, so as to improve the overall security and defense capability in complex network attack scenarios.
In order to achieve the above purpose, the technical solution of the present invention is an artificial intelligence based adaptive network attack prediction and defense system, comprising: a data acquisition module, deployed at key network nodes, for acquiring network flow data, system operation logs and user behavior data in real time and taking them as input data; a feature extraction module for extracting time-sequence associated features of network attack behaviors from the input data by adopting a multi-algorithm fusion strategy based on an attention mechanism, and screening them to form a high-discrimination attack feature subset; a self-adaptive learning engine module for constructing an attack prediction model, analyzing and learning the time-sequence associated features and the attack feature subset through a hybrid unsupervised/semi-supervised dynamic evolution learning framework, and iteratively optimizing the parameters of the attack prediction model; a real-time attack detection module for analyzing network attack behaviors and identifying anomalies with a flow time-sequence enhanced isolation forest algorithm based on the attack prediction model, and confirming the attack type and severity; a dynamic defense deployment module for deploying dynamic defense measures through an attack tracing/defense game layered response mechanism based on the attack type and severity, and synchronizing attack evolution information to the feedback optimization mechanism module when attack evolution is detected; and a feedback optimization mechanism module for continuously collecting defense effect data, completing the parameter update calculation based on a real-time online feedback mechanism enhanced by transfer learning, and iteratively optimizing the parameters of the self-adaptive learning engine module and the dynamic defense deployment module in real time.
Preferably, the function of the feature extraction module is implemented as follows: a preliminary judgment is made on the input data and its attack type is determined; for the determined attack type, based on a multi-algorithm fusion strategy combining a random forest, a support vector machine and a gradient