CN-122027351-A - Traffic attack identification and self-adaptive defense system based on anomaly detection AI model
Abstract
The invention belongs to the technical field of information network security and relates to a traffic attack identification and self-adaptive defense system based on an anomaly detection AI model. Its main structure is as follows: an input module acquires traffic, constructs an instantaneous graph, extracts high-speed features through graph convolution and time-sequence pooling, and inputs them into a first pre-trained model to obtain a preliminary probability and category; a splicing module, when the probability exceeds a first threshold, selects protocol parsing rules and a load entropy window according to the category, processes the session data, and splices the results into a deep content composite feature; a computing module inputs the composite feature into a second pre-trained model, sets the attention temperature coefficient based on the preliminary probability, and computes the attack confidence; an execution module, when the confidence exceeds a second threshold, backtracks the combination of activated neurons with the highest contribution in the model and feeds it, together with the high-speed features, into a policy decision function to generate a defense instruction. White-box defense is realized through interpretability analysis, so that defense accuracy can be improved.
Inventors
- WANG LONG
- HUO KE
- XU HONGYI
- SU LAI
Assignees
- 西安明赋云计算股份有限公司
Dates
- Publication Date
- 20260512
- Application Date
- 20260409
Claims (10)
- 1. A traffic attack recognition and self-adaptive defense system based on an anomaly detection AI model, characterized by comprising the following modules: an input module, used for acquiring network traffic data packets, constructing an instantaneous graph structure representing node communication relationships, and extracting a high-speed feature vector containing traffic topology and time-sequence information through graph convolution and time-sequence pooling operations; a splicing module, used for locking the traffic session when the preliminary anomaly probability exceeds a first threshold, selecting the corresponding field parsing rules and load entropy calculation windows from a preset protocol parsing rule base according to the several highest-valued components of the preliminary threat category vector, processing the session data packets, and splicing the processing results to obtain a deep content composite feature; a computing module, used for inputting the deep content composite feature into a second pre-trained model, wherein the temperature coefficient of the internal attention mechanism of the second pre-trained model is set based on the preliminary anomaly probability, and the attack judgment confidence is computed according to the temperature coefficient; and an execution module, used for backtracking the combination of activated neurons with the highest contribution in the second pre-trained model when the attack judgment confidence exceeds a second threshold, inputting that combination together with the high-speed feature vector into a policy decision function, and calculating and executing the corresponding defense instruction.
- 2. The traffic attack recognition and self-adaptive defense system based on the anomaly detection AI model of claim 1, wherein constructing an instantaneous graph structure representing node communication relationships comprises: taking 1 second as the time window, taking the source IP addresses and destination IP addresses within the window as the nodes of a graph, establishing a connecting edge between two nodes if communication exists between them, and taking the protocol type, the number of data packets and the total number of bytes of the communication as the weight features of the edge.
- 3. The traffic attack recognition and self-adaptive defense system based on the anomaly detection AI model of claim 1, wherein the first pre-trained model includes a multi-layer perceptron (MLP) whose output layer has two branches: the first branch outputs the preliminary anomaly probability through a Sigmoid activation function; the second branch outputs the preliminary threat category vector through a Softmax activation function, and each component of the preliminary threat category vector corresponds to the probability of a preset threat type.
- 4. The traffic attack recognition and self-adaptive defense system based on the anomaly detection AI model of claim 1, wherein locking the traffic session when the preliminary anomaly probability exceeds a first threshold comprises: when the calculated preliminary anomaly probability of the traffic is larger than the first threshold set for the preliminary anomaly probability output by the first pre-trained model, locking the five-tuple session information (source IP, destination IP, source port, destination port and protocol number) to which the traffic belongs, and recording that information in a temporary storage area for use by the subsequent defense instruction.
- 5. The traffic attack recognition and self-adaptive defense system based on the anomaly detection AI model of claim 1, wherein selecting the corresponding field parsing rules and load entropy calculation windows from a preset protocol parsing rule base according to the several highest-valued components of the preliminary threat category vector, and processing the session data packets, comprises: extracting the 2 components with the highest values in the preliminary threat category vector, selecting the corresponding field parsing rules from the protocol parsing rule base according to the indexes of those 2 components, calculating the information entropy of the packet payload content within the specified window size, and splicing the fields parsed according to the rules with the calculated information entropy values.
- 6. The traffic attack recognition and self-adaptive defense system based on the anomaly detection AI model of claim 1, wherein the temperature coefficient of the internal attention mechanism of the second pre-trained model is set based on the preliminary anomaly probability, comprising: Let preliminary anomaly probability Then through the formula Calculating to obtain temperature coefficient Wherein To prevent the denominator from being zero, and utilize the temperature coefficient The value of the attention weight score before entering the Softmax function is adjusted.
- 7. The traffic attack recognition and self-adaptive defense system based on the anomaly detection AI model of claim 1, wherein the attack judgment confidence exceeding a second threshold comprises: when the calculated confidence is larger than the second threshold set for the attack judgment confidence output by the second pre-trained model, triggering the backtracking and defense instruction calculation steps, wherein the second threshold is set higher than the first threshold.
- 8. The traffic attack recognition and self-adaptive defense system based on the anomaly detection AI model of claim 1, wherein backtracking the combination of activated neurons with the highest contribution in the second pre-trained model comprises: calculating the gradient of each neuron in the model output layer with respect to the last convolution layer using the gradient-weighted class activation mapping method, and taking the neurons ranked in the top 10 by gradient value as the combination of activated neurons with the highest contribution.
- 9. The traffic attack recognition and self-adaptive defense system based on the anomaly detection AI model of claim 1, wherein calculating and executing the corresponding defense instruction comprises: inputting the encoding of the combination of activated neurons with the highest contribution, together with the high-speed feature vector, into the policy decision function; if the function output is a blocking instruction, generating on the network firewall an access control list rule based on the five-tuple information of the locked traffic session, and discarding all data packets that match the five-tuple.
- 10. The traffic attack recognition and self-adaptive defense system based on the anomaly detection AI model of claim 9, wherein generating an access control list rule based on the five-tuple information further comprises: setting an effective time window for the access control list rule, and automatically withdrawing the rule from the network firewall through an invalidation operation after the time window expires.
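The selection-and-splicing step of claim 5, sketched in Python as an added example (not code from the patent or its applicant). The rule base, its three category indexes, the field parsers and the window sizes are all hypothetical, and the sample scores and payload are constructed.

```python
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for an empty window."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) + 0.0

def http_fields(payload: bytes) -> list[float]:
    """Method length and URI length from the HTTP request line."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    return [float(len(parts[0])), float(len(parts[1])) if len(parts) > 1 else 0.0]

def dns_fields(payload: bytes) -> list[float]:
    """Flags and question count from the fixed 12-byte DNS header."""
    if len(payload) < 12:  # truncated header: emit neutral values
        return [0.0, 0.0]
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    return [float(flags), float(qdcount)]

def generic_fields(payload: bytes) -> list[float]:
    """Fallback rule: payload length only."""
    return [float(len(payload))]

# Hypothetical rule base: category index -> (field parser, entropy window in bytes).
RULE_BASE = {
    0: (http_fields, 32),     # assumed category: application-layer flood
    1: (dns_fields, 64),      # assumed category: DNS tunnelling
    2: (generic_fields, 16),  # assumed category: unclassified anomaly
}

def composite_features(category_vector, payload: bytes, k: int = 2):
    """Pick the k highest-scoring categories, apply each rule, splice the results."""
    top = sorted(range(len(category_vector)),
                 key=lambda i: category_vector[i], reverse=True)[:k]
    features = []
    for idx in top:
        parser, window = RULE_BASE[idx]
        # Parsed fields first, then the entropy of the first `window` payload bytes.
        features += parser(payload) + [shannon_entropy(payload[:window])]
    return top, features

if __name__ == "__main__":
    # Constructed sample: softmax-like scores and one HTTP request payload.
    scores = [0.6, 0.1, 0.3]
    request = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    print(composite_features(scores, request))
```

Entropy near 8 bits per byte within the window points to encrypted or compressed payload, while plain-text protocol data stays well below that, which is why the window size is chosen per category.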
Description
Traffic attack identification and self-adaptive defense system based on anomaly detection AI model

Technical Field

The invention belongs to the technical field of electronic information network security, and particularly relates to a traffic attack identification and self-adaptive defense system based on an anomaly detection AI model. It is used for real-time detection of, and automatic defense against, unknown attacks in massive traffic in a high-speed network environment. It balances the real-time performance and the depth of anomalous traffic detection, closes the loop from black-box judgment to white-box defense, and remarkably improves the accuracy, intelligence and operability of network boundary defense.

Background

In the technical field of electronic information transmission preprocessing, network attack detection is usually based on matching against a library of known attack patterns. Although this method responds quickly to known attacks, it cannot handle unknown or variant attacks such as zero-day attacks and advanced persistent threats. Detection methods based on statistical anomalies establish a baseline of normal network traffic behavior and flag behavior that deviates from the baseline as anomalous, but in the prior art such methods adapt poorly to traffic changes, easily generate false alarms, have difficulty distinguishing benign anomalies from malicious attacks, and cannot provide specific information about the attack type. To solve these problems, machine learning and deep learning techniques have been introduced, which can identify unknown attacks by learning traffic features from massive data.

For example, Chinese patent application CN110719279A discloses a neural-network-based network anomaly detection system and detection method, which processes network data with a multi-layer perceptron neural network to obtain an anomaly prediction result. However, these improvements on the prior art have drawbacks in practical application. First, conventional deep learning models often process a single network log or data packet in isolation and cannot fully mine the topological associations and time-sequence evolution among nodes in network traffic. To extract topological features and time-sequence information, some technologies introduce graph networks and staged processing: the graph-neural-network-based cellular network anomaly detection method disclosed in Chinese patent application CN114513367B performs anomaly detection by fusing node features with a graph convolution network, and the real-time traffic detection method based on network situation awareness disclosed in Chinese patent application CN115811440A provides a two-stage network architecture for capturing spatio-temporal features. However, these methods generally either apply a single heavyweight model for deep analysis of all traffic, or divide the stages in a way that does not effectively isolate lightweight preliminary screening from in-depth content analysis, so it is difficult to achieve both real-time performance and detection depth under massive traffic. Second, the decision process of most deep learning models lacks interpretability and behaves as a "black box": it gives only a "yes" or "no" result and cannot reveal the characteristics and underlying principles of the attack.

Because an interpretable basis for the judgment is lacking, the security system cannot automatically generate fine-grained defense rules targeting specific malicious payloads or protocol fields, and can only adopt coarse-grained blocking measures such as IP blocking, which easily disrupt normal services by mistake. Therefore, how to design a method that integrates traffic topology and time-sequence information, implements staged processing from rapid preliminary screening to in-depth analysis, and offers decision interpretability that can guide defense is a technical problem to be solved in the current network security field.

Disclosure of Invention

The invention aims to overcome the defects of the prior art, solve the problems of poor accuracy and operability of network defense in the prior art, and provide a traffic attack identification and self-adaptive defense system based on an anomaly detection AI model. To achieve the above object, the traffic attack recognition and self-adaptive defense system based on the anomaly detection AI model provided by the present invention comprises an input module, a splicing module, a calculation module and an execution module, wherein the input module is used for acquiring network traffic data packets, constructing an instantaneous graph structure representing node communication relationships, and extracting a high-speed feature vector contain