Multimodal short message diversion number intelligent identification and interception system

The multimodal SMS referral number intelligent identification and interception system utilizes multimodal data acquisition, situational awareness, and real-time decision-making modules to achieve accurate identification and interception of SMS referral numbers, solving the problem of low information security in existing technologies and improving information security.

CN121357544BActive Publication Date: 2026-06-09深圳众投互联信息技术有限公司

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
深圳众投互联信息技术有限公司
Filing Date
2025-12-17
Publication Date
2026-06-09

AI Technical Summary

Technical Problem

Existing SMS blocking technologies are unable to accurately identify and intelligently block SMS referral numbers, resulting in low information security.

Method used

The system employs a multimodal SMS referral number intelligent identification and interception system, which includes a multimodal data acquisition and fusion module, a situational awareness intelligent identification module, and a real-time decision-making security interception module. By collecting multimodal SMS data, it performs fusion processing and semantic understanding based on natural language processing and artificial intelligence to identify and intercept potential SMS referral numbers in real time.

Benefits of technology

It enables accurate identification and intelligent blocking of numbers redirected via SMS, improving information security and preventing the impact of fraud and spam SMS.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN121357544B_ABST
    Figure CN121357544B_ABST
Patent Text Reader

Abstract

The application discloses a multi-modal short message diversion number intelligent recognition and interception system and belongs to the technical field of short message interception. The system comprises a multi-modal data acquisition and fusion module, an attitude sensing intelligent recognition module and a real-time decision and security interception module. The multi-modal data acquisition and fusion module is used for acquiring multi-modal short message data, performing fusion processing on the multi-modal short message data based on natural language processing and forming multi-modal short message fusion data. The attitude sensing intelligent recognition module is used for constructing a short message number intelligent recognition model based on artificial intelligence, performing semantic understanding and analysis on the multi-modal short message fusion data, recognizing potential short message diversion numbers and determining a short message number intelligent recognition result. The real-time decision and security interception module is used for making corresponding real-time decisions and information security interception according to the short message number intelligent recognition result and ensuring information security. The application solves the problem that existing short message diversion numbers cannot be accurately recognized and intelligently intercepted, leading to low information security. The application can accurately recognize and intelligently intercept short message diversion numbers and improve information security.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of SMS interception technology, specifically a multimodal SMS referral number intelligent identification and interception system. Background Technology

[0002] With the rapid development of mobile communication technology and the widespread use of smartphones, users have significantly increased the frequency of communication and information exchange via SMS. As a basic service of mobile communication networks, SMS service provides users with convenient messaging services, but it also provides a channel for the spread of spam, resulting in a large number of spam messages and affecting the user experience.

[0003] Existing technology cannot accurately identify and intelligently block phone numbers used for SMS referrals, resulting in low information security. Summary of the Invention

[0004] The purpose of this invention is to provide a multimodal SMS referral number intelligent identification and interception system, which can accurately identify and intelligently intercept SMS referral numbers, improve information security, and solve the problems mentioned in the background art.

[0005] To achieve the above objectives, the present invention provides the following technical solution:

[0006] The multimodal SMS referral number intelligent identification and interception system includes:

[0007] The multimodal data acquisition and fusion module is used to acquire multimodal SMS data and fuse the acquired multimodal SMS data based on natural language processing to form multimodal SMS fusion data.

[0008] The situational awareness intelligent identification module is used to build an intelligent identification model for SMS numbers based on artificial intelligence, and to perform semantic understanding and analysis on multimodal SMS fusion data to identify potential SMS lead generation numbers and determine the intelligent identification result of SMS numbers;

[0009] The real-time decision-making security interception module is used to make corresponding real-time decisions and intercept information based on the intelligent identification results of SMS numbers, so as to ensure information security.

[0010] Preferably, the multimodal data acquisition and fusion module includes:

[0011] A multimodal data acquisition unit is used to monitor the status of SMS messages and collect multimodal SMS data.

[0012] Among them, based on data security, the body content of SMS messages is collected from the operator's gateway or terminal device, including keywords, links and wording patterns, to obtain the SMS text modality;

[0013] Based on data security, the attributes of the sending number are collected from the operator's gateway or terminal device, including whether it is a virtual number, the number segment ownership, and historical behavior, to obtain the SMS number modality;

[0014] Based on data security, the system collects users' SMS behavior from operator gateways or terminal devices, including sending frequency, sending time and target audience, to obtain SMS behavior modalities.

[0015] Based on data security, the system collects URLs embedded in SMS messages from operator gateways or terminal devices, including short link parsing, domain reputation, and whether they point to malicious app downloads, to obtain SMS link modalities.

[0016] Based on data security, collect the QR code images that may be contained in SMS messages from the operator's gateway or terminal device to obtain the SMS image modality;

[0017] Multimodal SMS data is generated based on SMS text modality, SMS number modality, SMS behavior modality, SMS link modality, and SMS image modality.

[0018] Preferably, the multimodal data acquisition and fusion module further includes:

[0019] The multimodal data fusion unit is used to fuse multimodal SMS data according to natural language processing to form multimodal SMS fusion data;

[0020] This includes cleaning the multimodal SMS data to remove noise and reduce its interference with the intelligent identification and interception of multimodal SMS lead numbers; identifying missing and outlier values ​​in the multimodal SMS data; and processing the identified missing and outlier values.

[0021] Normalize the multimodal SMS data to convert it into a unified data format, remove the differences in units between the multimodal SMS data, and form standardized multimodal SMS data.

[0022] Feature extraction is performed on multimodal SMS data. Text content, sending number, timestamp, and link features related to intelligent identification and interception of multimodal SMS traffic-driving numbers are extracted from the multimodal SMS data. The extracted features are then weighted and fused to form multimodal SMS fusion data.

[0023] Preferably, the situational awareness intelligent identification module includes:

[0024] The situational awareness model building unit is used to build an intelligent SMS number recognition model;

[0025] This involves collecting historical data on multimodal SMS messages and dividing the collected data into training and testing sets in a 7:3 ratio.

[0026] Based on artificial intelligence, a training set is used to train the deep learning model, enabling the deep learning model to autonomously learn the intelligent recognition behavior of SMS numbers from the training set, and identify potential SMS referral numbers, thus determining the intelligent recognition model of SMS numbers.

[0027] The SMS number intelligent recognition model was tested using a test set to evaluate its generalization performance and determine whether it could achieve the expected effect of identifying potential SMS referral numbers.

[0028] When the SMS number intelligent recognition model fails to achieve the expected effect of identifying potential SMS referral numbers, the parameters of the SMS number intelligent recognition model are adjusted and iteratively optimized until the SMS number intelligent recognition model can achieve the expected effect of identifying potential SMS referral numbers, and the optimal SMS number intelligent recognition model is determined.

[0029] Preferably, the situational awareness intelligent recognition module further includes:

[0030] Situational awareness security identification unit, used to identify potential SMS referral numbers;

[0031] The process involves inputting multimodal SMS fusion data into an intelligent SMS number recognition model, performing semantic understanding and analysis on the multimodal SMS fusion data based on the model, conducting real-time security detection to assess the risk of SMS numbers, identifying potential SMS referral numbers, and determining the intelligent SMS number recognition result.

[0032] Preferably, the real-time decision-making security interception module includes:

[0033] Real-time decision-making unit, used to formulate real-time decision-making plans;

[0034] The information security interception unit is used to securely intercept SMS redirection numbers;

[0035] Among them, a corresponding real-time decision-making plan is formulated based on the intelligent identification results of SMS numbers, and the SMS traffic-driving numbers are securely intercepted based on the formulated real-time decision-making plan;

[0036] If the risk assessment of a text message number is high, the text message number will be directly blocked so that the user cannot receive the text message from that number.

[0037] If the risk assessment of the SMS number is low, the SMS will be delivered normally so that the user receives the SMS.

[0038] Preferably, the SMS number is directly blocked, and the following operations are performed:

[0039] A filtering hook is pre-set on the message processing link of the SMS gateway. All incoming SMS messages will pass through the hook function. Based on the filtering hook, the API of the real-time decision engine is called synchronously, and the calling number, the called number, and the SMS content information are passed in as parameters.

[0040] The real-time decision engine returns the decision result within milliseconds. After receiving the interception instruction, the gateway directly replies to the sender with a successful delivery status and imports the SMS content into the audit log system. The real-time decision engine queries the blacklist and graylist cache of numbers in real time and makes a comprehensive judgment based on the real-time risk assessment to intercept and discard the SMS, preventing the user from receiving it.

[0041] Preferably, it also includes a visual management report module, which provides administrators with management reports in a visual format and displays interception statistics, risk assessments and analysis of new fraud patterns to assist administrators in making corresponding decisions and controls.

[0042] Preferably, the real-time decision-making security interception module is equipped with a flow dynamics circuit breaker unit, used to perform the following operations:

[0043] Before the situational awareness intelligent identification module outputs its results, it acquires the HTTP redirection hop count, joint information entropy, SMS text semantic vector, link landing page semantic vector, and sending acceleration.

[0044] Based on the obtained HTTP redirection hop count, joint information entropy, SMS text semantic vector, link landing page semantic vector, and sending acceleration, the traffic redirection impact kinetic energy index of the number to be detected is calculated. ;

[0045] The drainage impact kinetic energy index The calculation formula is as follows:

[0046]

[0047] in, The impact kinetic energy index represents the physical impact potential energy that the number causes to network security per unit time. To guide the quality of the payload, used to quantify the fraud density of the information itself; This refers to the number of HTTP redirect hops that occur during the process of resolving the domain name to the final landing page for the link embedded in the SMS message. The joint information entropy is the mixture of SMS text content and visible text on the linked landing page, used to characterize the complexity and obfuscation of the content; semantic vectors of SMS text semantic vectors of link landing pages Cosine similarity between them, range of values ; To prevent extremely small positive correction constants with a denominator of zero; Number of SMS messages sent to this number Regarding time The second derivative of the acceleration; The velocity square term in the simulated physical kinetic energy formula means that even if the payload mass is small, once the transmission behavior exhibits explosive acceleration, the total risk index will increase exponentially. These are preset dimensional normalization coefficients used to balance dimensions and introduce a time decay factor.

[0048] When calculated When the preset physical circuit breaker threshold is exceeded, the semantic analysis step is bypassed and the number is directly hard-blocked.

[0049] Preferably, the real-time decision-making security interception module further includes a digital twin-based mimicry differential trapping mechanism for identifying traffic redirection links with environmental awareness capabilities;

[0050] The mimicry differential trapping mechanism performs the following steps:

[0051] The interception module parses the device fingerprint metadata of the target receiving terminal of the SMS to be detected from the core network signaling. The device fingerprint metadata includes user agent, screen resolution, operating system version and current base station location information.

[0052] The system simultaneously launches two independent detection processes; the first is a baseline probe, which uses a standard data center IP and a general crawler User-Agent to access the URL in the SMS message; the second is a mimicry probe, which dynamically constructs a digital twin headless browser environment in an isolation sandbox that is completely consistent with the device's fingerprint metadata to access the same URL.

[0053] Obtain the page document object model tree rendered by the baseline probe and the mimicry probe respectively, and calculate the graph edit distance between the two DOM trees;

[0054] If the calculated graph edit distance is greater than the preset isomorphism threshold, or if a URL Scheme protocol call attempting to invoke third-party instant messaging software is detected only in the loading log of the mimicry probe, it is determined that the link uses a disguised traffic redirection technique for a specific terminal environment, and an interception instruction is directly generated and the URL feature is added to the dynamic blacklist.

[0055] Compared with the prior art, the beneficial effects of the present invention are:

[0056] This invention collects multimodal SMS data from operator gateways or terminal devices based on data security, and fuses the collected multimodal SMS data using natural language processing to form multimodal SMS fusion data. It then constructs an intelligent SMS number recognition model based on artificial intelligence, performs semantic understanding and analysis on the multimodal SMS fusion data based on this model, conducts real-time security detection to assess the risk of SMS numbers, identifies potential SMS referral numbers, determines the intelligent SMS number recognition result, and makes corresponding real-time decisions and information security interception based on the result to ensure information security. This invention can accurately identify and intelligently intercept SMS referral numbers, thereby improving information security. Attached Figure Description

[0057] Figure 1 This is a block diagram of the multimodal SMS referral number intelligent identification and interception system of the present invention. Detailed Implementation

[0058] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0059] To address the current issue of inaccurate identification and intelligent blocking of SMS referral numbers, leading to compromised information security, please refer to [link / reference needed]. Figure 1 This embodiment provides the following technical solution:

[0060] The multimodal SMS referral number intelligent identification and interception system includes: a multimodal data acquisition and fusion module, a situational awareness intelligent identification module, and a real-time decision-making security interception module.

[0061] The multimodal data acquisition and fusion module is used to collect multimodal SMS data and perform fusion processing on the collected multimodal SMS data based on natural language processing to form multimodal SMS fusion data.

[0062] In this embodiment, the multimodal data acquisition and fusion module includes:

[0063] A multimodal data acquisition unit is used to monitor the status of SMS messages and collect multimodal SMS data.

[0064] Among them, based on data security, the body content of SMS messages is collected from the operator's gateway or terminal device, including keywords, links and wording patterns, to obtain the SMS text modality;

[0065] Based on data security, the attributes of the sending number are collected from the operator's gateway or terminal device, including whether it is a virtual number, the number segment ownership, and historical behavior, to obtain the SMS number modality;

[0066] Based on data security, the system collects users' SMS behavior from operator gateways or terminal devices, including sending frequency, sending time and target audience, to obtain SMS behavior modalities.

[0067] Based on data security, the system collects URLs embedded in SMS messages from operator gateways or terminal devices, including short link parsing, domain reputation, and whether they point to malicious app downloads, to obtain SMS link modalities.

[0068] Based on data security, collect the QR code images that may be contained in SMS messages from the operator's gateway or terminal device to obtain the SMS image modality;

[0069] Multimodal SMS data is generated based on SMS text modality, SMS number modality, SMS behavior modality, SMS link modality, and SMS image modality.

[0070] In this embodiment, the multimodal data acquisition and fusion module further includes:

[0071] The multimodal data fusion unit is used to fuse multimodal SMS data according to natural language processing to form multimodal SMS fusion data;

[0072] This includes cleaning the multimodal SMS data to remove noise and reduce its interference with the intelligent identification and interception of multimodal SMS lead numbers; identifying missing and outlier values ​​in the multimodal SMS data; and processing the identified missing and outlier values.

[0073] Normalize the multimodal SMS data to convert it into a unified data format, remove the differences in units between the multimodal SMS data, and form standardized multimodal SMS data.

[0074] Feature extraction is performed on multimodal SMS data. Text content, sending number, timestamp, and link features related to intelligent identification and interception of multimodal SMS traffic-driving numbers are extracted from the multimodal SMS data. The extracted features are then weighted and fused to form multimodal SMS fusion data.

[0075] Among them, the situational awareness intelligent identification module is used to build an intelligent identification model for SMS numbers based on artificial intelligence, and to perform semantic understanding and analysis on multimodal SMS fusion data to identify potential SMS lead generation numbers and determine the intelligent identification result of SMS numbers.

[0076] In this embodiment, the situational awareness intelligent identification module includes:

[0077] The situational awareness model building unit is used to build an intelligent SMS number recognition model;

[0078] This involves collecting historical data on multimodal SMS messages and dividing the collected data into training and testing sets in a 7:3 ratio.

[0079] Based on artificial intelligence, a training set is used to train the deep learning model, enabling the deep learning model to autonomously learn the intelligent recognition behavior of SMS numbers from the training set, and identify potential SMS referral numbers, thus determining the intelligent recognition model of SMS numbers.

[0080] The SMS number intelligent recognition model was tested using a test set to evaluate its generalization performance and determine whether it could achieve the expected effect of identifying potential SMS referral numbers.

[0081] When the SMS number intelligent recognition model fails to achieve the expected effect of identifying potential SMS referral numbers, the parameters of the SMS number intelligent recognition model are adjusted and iteratively optimized until the SMS number intelligent recognition model can achieve the expected effect of identifying potential SMS referral numbers, and the optimal SMS number intelligent recognition model is determined.

[0082] In this embodiment, the situational awareness intelligent identification module further includes:

[0083] Situational awareness security identification unit, used to identify potential SMS referral numbers;

[0084] The process involves inputting multimodal SMS fusion data into an intelligent SMS number recognition model, performing semantic understanding and analysis on the multimodal SMS fusion data based on the model, conducting real-time security detection to assess the risk of SMS numbers, identifying potential SMS referral numbers, and determining the intelligent SMS number recognition result.

[0085] It should be noted that SMS referral numbers refer to those numbers that induce users to add WeChat, QQ, follow public accounts, join group chats, or download apps in SMS messages for subsequent fraud or marketing. Therefore, accurate identification and intelligent blocking of SMS referral numbers can improve information security.

[0086] The real-time decision-making security interception module is used to make corresponding real-time decisions and intercept information security based on the intelligent identification results of SMS numbers, so as to ensure information security.

[0087] In this embodiment, the real-time decision-making security interception module includes:

[0088] Real-time decision-making unit, used to formulate real-time decision-making plans;

[0089] The information security interception unit is used to securely intercept SMS redirection numbers;

[0090] Among them, a corresponding real-time decision-making plan is formulated based on the intelligent identification results of SMS numbers, and the SMS traffic-driving numbers are securely intercepted based on the formulated real-time decision-making plan;

[0091] If the risk assessment of a text message number is high, the text message number will be directly blocked so that the user cannot receive the text message from that number.

[0092] If the risk assessment of the SMS number is low, the SMS will be delivered normally so that the user receives the SMS.

[0093] In this embodiment, the SMS number is directly blocked by performing the following operations:

[0094] A filtering hook is pre-set on the message processing link of the SMS gateway. All incoming SMS messages will pass through the hook function. Based on the filtering hook, the API of the real-time decision engine is called synchronously, and the calling number, the called number, and the SMS content information are passed in as parameters.

[0095] The real-time decision engine returns the decision result within milliseconds. After receiving the interception instruction, the gateway directly replies to the sender with a successful delivery status and imports the SMS content into the audit log system. The real-time decision engine queries the blacklist and graylist cache of numbers in real time and makes a comprehensive judgment based on the real-time risk assessment to intercept and discard the SMS, preventing the user from receiving it.

[0096] It's important to note that a filter hook is a mechanism used in program development to intercept, modify, or extend data streams. It allows developers to insert custom logic at specific stages of data processing or output, thereby filtering or transforming the data. In web development frameworks, filter hooks are widely used to modify output content, form data, user input, etc. For example, filter hooks can be used to change login error messages, customize password-protected article forms, filter usernames, or modify email sender addresses.

[0097] In this embodiment, a visualization management report module is also included, which provides management reports to administrators in a visual form and displays interception statistics, risk assessments, and analysis of new fraud patterns to assist administrators in making corresponding decisions and controls.

[0098] In summary, this method collects multimodal SMS data from operator gateways or terminal devices based on data security, and fuses this data using natural language processing to form multimodal SMS fusion data. It then constructs an intelligent SMS number recognition model based on artificial intelligence, performs semantic understanding and analysis on the multimodal SMS fusion data based on this model, conducts real-time security detection to assess the risk of SMS numbers, identifies potential SMS referral numbers, determines the intelligent SMS number recognition result, and makes corresponding real-time decisions and information security interception based on the result to ensure information security. This method can effectively target SMS referral numbers. Accurate identification and intelligent interception can improve information security and can be widely used in the following scenarios: 1) Communication security protection: At the individual user level, it is used to block spam SMS, fraudulent SMS and harassing calls, protecting users from information harassment and financial loss. At the enterprise level, it is used to prevent malicious SMS attacks and protect enterprise data security and user privacy; 2) Intelligent customer service and marketing optimization: In SMS marketing, the intelligent SMS reconstruction module optimizes SMS content, improves the success rate of sending, and avoids being blocked due to inappropriate content; 3) Traffic and safety monitoring: Combined with IoT technology, it is used in traffic management to identify malicious SMS and prevent the spread of malicious code.

[0099] In this embodiment, the real-time decision-making security interception module is equipped with a flow dynamics circuit breaker unit, which is used to perform the following operations:

[0100] Before the situational awareness intelligent identification module outputs its results, it acquires the HTTP redirection hop count, joint information entropy, SMS text semantic vector, link landing page semantic vector, and sending acceleration.

[0101] Based on the obtained HTTP redirection hop count, joint information entropy, SMS text semantic vector, link landing page semantic vector, and sending acceleration, the traffic redirection impact kinetic energy index of the number to be detected is calculated. ;

[0102] The drainage impact kinetic energy index The calculation formula is as follows:

[0103]

[0104] in, The impact kinetic energy index is measured in units of risk potential energy, representing the physical impact potential energy of the number on network security per unit time. The derivation load mass (m) is used to quantify the fraud density of the information itself; This refers to the number of HTTP redirect hops that occur during the process of resolving the domain name to the final landing page for the link embedded in the SMS message. The joint entropy is the combined information entropy of the SMS text content and the visible text on the link landing page, used to characterize the complexity and obfuscation of the content; semantic vectors of SMS text semantic vectors of link landing pages Cosine similarity between them, range of values This term serves as the denominator: when the semantics of the SMS text and the landing page content are extremely inconsistent, the denominator approaches 0, leading to a non-linear surge in risk momentum. To prevent extremely small positive correction constants with a denominator of zero; Number of SMS messages sent to this number Regarding time The second derivative of the acceleration; The velocity square term in the simulated physical kinetic energy formula means that even if the payload mass is small, once the transmission behavior exhibits explosive acceleration, the total risk index will increase exponentially. These are preset dimensional normalization coefficients used to balance dimensions and introduce a time decay factor.

[0105] When calculated When the preset physical circuit breaker threshold is exceeded, the semantic analysis step is bypassed and the number is directly hard-blocked.

[0106] In a preferred embodiment of the present invention, to overcome the performance bottlenecks and blind spots in existing technologies when dealing with advanced persistent threats (APTs) and large-scale automated pulse attacks, especially when facing millisecond-level burst traffic and chameleon-like malicious links with environmental awareness, the system embeds and activates two independent subsystems based on deep physics principles and cybernetics game theory between the original situational awareness intelligent identification module and real-time decision-making security interception module: a kinetic energy circuit breaking subsystem based on flow dynamics and a mimicry differential trapping subsystem based on digital twin technology. These two subsystems complement each other; the former uses the energy principle of classical mechanics to solve extremely rapid burst attacks in the time dimension, while the latter uses game theory and virtualization technology to solve environmental camouflage attacks in the spatial dimension, together forming an asymmetric dynamic defense architecture.

[0107] First, for the kinetic energy-based circuit breaker subsystem based on flow dynamics, its core design logic is not based on traditional static threshold matching or time-consuming deep learning inference, but innovatively introduces the kinetic energy theorem from physics as a mathematical model for flow risk assessment. In existing mobile communication network security defense systems, conventional firewalls typically limit the transmission frequency based on transmissions per second (TPS), but this speed-based first-order defense logic has a significant lag. Cybercriminal attackers often exploit the time window of system computing resources, unleashing massive amounts of data in pulses within a very short period of a few seconds. By the time the system completes complex deep learning inference and issues interception commands, the SMS has already penetrated the gateway and reached the user terminal. To solve this fundamental problem of computational lag, this system abstracts the SMS data stream in cyberspace into a physical stream with physical properties, and determines whether to trigger a hardware-level circuit breaker mechanism by calculating its impact kinetic energy index in real time. The calculation process of this index strictly follows the logical framework of the physical kinetic energy formula, that is, kinetic energy equals half the mass multiplied by the square of the velocity (corrected to acceleration in the nonlinear impact model). Therefore, the system's processing flow is decomposed into two parallel pipelines: the quantitative calculation of the flow load mass and the high-order differential calculation of the flow motion state.

[0108] In the computational pipeline for referral payload quality, the system aims to quantify the fraud density and inducing potential inherent in the content of a single text message. This physical quantity is derived from parameters in three core dimensions through nonlinear coupling, and the extraction of each parameter corresponds to a sophisticated set of data processing logic.

[0109] The first dimension is the transport layer hop depth of the link. When an SMS message flows through the gateway, the built-in high-concurrency lightweight protocol parser immediately extracts the Uniform Resource Locator (URL) and uses asynchronous non-blocking network probing technology to track the redirection trajectory of the link in the internet backbone. To ensure real-time probing, the system does not download the massive webpage content, but only captures the status code and location field in the server response header by sending a Hypertext Transfer Protocol (HTTP) header request (HEAD method). In the black market chain of traffic redirection fraud, in order to hide the real malicious server's Internet Protocol (IP) address and evade scanning of static blacklists, attackers often set up as many as four or five layers of domain name redirection, or even use shared domains of cloud storage services as stepping stones. This system recursively parses each redirection instruction, recording in detail the number of all intermediate redirection nodes from the initial short link to the final landing page. This number is considered one of the inertial mass components of the information; the more redirections, the stronger the intention of the information to evade regulation, and the heavier its corresponding physical mass. The system uses the natural logarithm function to smooth the number of jumps, which preserves the contribution of the jump level to the risk and prevents numerical distortion caused by a few outliers.

[0110] The second dimension is the mixed joint entropy of information. This is a thermodynamic indicator that measures the disorder and complexity of information content, directly reflecting the internal energy of the payload. Normal business notifications or personal text messages typically conform to the grammatical norms of natural language, and their character distribution follows specific statistical patterns, resulting in low information entropy. However, to circumvent keyword filtering systems, lead generation text messages often heavily incorporate irregular characters, Martian language, invisible zero-width characters, emoticons, and illogical pinyin abbreviations. This artificial obfuscation leads to a more uniform character probability distribution, causing a sharp increase in information entropy. The system not only calculates the Shannon entropy of the text message but also simultaneously acquires the title tag, meta description tag, and the first two hundred characters of the linked landing page, merging the text message and webpage text into a single character stream to calculate their joint information entropy. This high entropy value directly reflects the unnatural attributes and high obfuscation of the information content, constituting the numerator of the payload quality.

[0111] The third and most crucial quality amplifier is the inverse measure of semantic consistency. The system incorporates a lightweight semantic vector model (such as DistilBERT or ALBERT) that has undergone distillation and pruning. This model resides in the cache and can map text to numerical vectors in a high-dimensional space within milliseconds. The system extracts the semantic vectors of the SMS text and the core content of the landing page, respectively, and calculates the cosine similarity of these two vectors in Euclidean space. Physically, this represents the angle between appearance and reality. In normal business scenarios, an SMS claims to be delivering a package, while the landing page displays logistics tracking; the angle between their semantic vectors is extremely small, and the cosine similarity is close to one. However, in fraudulent scenarios, SMS messages often use topics related to public welfare, such as expired ETC or social security registration, as bait, but the landing page actually displays a download for an illegal online fraudulent application. The semantics of these two are completely disconnected, causing the cosine similarity of their semantic vectors to approach zero. In the system's computational logic, this similarity is placed in the denominator of the calculation formula, with a very small correction factor added to prevent division by zero errors. The deeper meaning of this mathematical design is that when the content of the SMS message is seriously inconsistent with the actual landing page content, the denominator tends to zero, which will cause the value of the entire traffic load quality to show an explosive growth in a hyperbolic form.

[0112] At the other end of the parallel processing, the traffic motion state calculation pipeline focuses on the temporal characteristics of sending behavior, which is the core means of this solution to deal with pulse attacks. Traditional interception logic only looks at speed (the first derivative of the sending volume with respect to time), while this system delves into acceleration (the second derivative of the sending volume with respect to time). The system maintains a high-precision circular sliding window in the in-memory database for each active sending number. This window records the sending count of that number in the past several millisecond-level time slices. The system first obtains the current sending rate through differential operation, and then performs differential operation on the rates of adjacent time slices to obtain the rate of change of the sending rate, i.e., acceleration. In physics, the impact force is often determined by acceleration. For SMS attacks, the most dangerous are not those botnets that send spam SMS at a constant speed (easily captured by frequency control rules), but those pulse attack sources that are silent and suddenly increase the sending volume to a peak in a very short time. Such attack sources have extremely high positive acceleration. In the kinetic energy index calculation formula of this system, the acceleration term is given a square weight. This is based on the physical analogy of the velocity square term in the kinetic energy theorem, which means that the contribution of the intensity of the traffic burst to system risk is non-linear. Even if the payload quality of the information is relatively small (for example, the text is written in a very subtle way), as long as its transmission behavior exhibits extreme and illogical acceleration characteristics, after being amplified by the square operation, its final traffic impact kinetic energy index will instantly break through the safety red line.

[0113] When the aforementioned load mass is multiplied by the square of the acceleration and then normalized (introducing a time decay factor to balance historical risks), the system obtains a real-time kinetic energy index value. This value is immediately compared with the system's preset physical circuit breaker threshold. Once the threshold is exceeded, the system determines that the current traffic has destructive physical potential energy. At this point, the real-time decision-making security interception module will no longer send the data to the subsequent deep learning model for semantic analysis, nor will it wait for the image recognition results. Instead, it will directly issue a highest-priority drop command to the gateway data plane and mark it as a kinetic circuit breaker interception in the log. This mechanism utilizes the extremely high efficiency of pure mathematical operations to cut off attacks within microseconds, completely solving the defense window problem caused by AI model inference latency.

[0114] In this embodiment, the real-time decision-making security interception module also includes a digital twin-based mimicry differential trapping mechanism for identifying traffic redirection links with environmental awareness capabilities.

[0115] The mimicry differential trapping mechanism performs the following steps:

[0116] The interception module parses the device fingerprint metadata of the target receiving terminal of the SMS to be detected from the core network signaling. The device fingerprint metadata includes user-agent, screen resolution, operating system version and current base station location information.

[0117] The system simultaneously launches two independent detection processes; the first is a baseline probe, which uses a standard data center IP and a general crawler User-Agent to access the URL in the SMS message; the second is a mimicry probe, which dynamically constructs a digital twin headless browser environment in an isolation sandbox that is completely consistent with the device's fingerprint metadata to access the same URL.

[0118] Obtain the page document object model (DOM) trees rendered by the baseline probe and the mimicry probe respectively, and calculate the graph edit distance between the two DOM trees.

[0119] If the calculated graph edit distance is greater than the preset isomorphism threshold, or if a URL Scheme protocol call attempting to invoke third-party instant messaging software is detected only in the loading log of the mimicry probe, it is determined that the link uses a disguised traffic redirection technique for a specific terminal environment, and an interception instruction is directly generated and the URL feature is added to the dynamic blacklist.

[0120] To address infrequently sent but highly deceptive environment-aware referral links, the system introduces a digital twin-based mimicry-differential trapping subsystem. Modern sophisticated cybercriminals deploy complex anti-crawling systems to evade security scanning, dynamically displaying different content based on the visitor's IP address, browser fingerprint, device model, etc.: showing news to crawlers and fraudulent pages to victims. To detect this deception, this system constructs a parallel detection architecture based on the victim's perspective.

[0121] The operation of this subsystem begins with the precise extraction of the recipient's fingerprint. When an SMS message flows through the core network, the system interacts with core network signaling monitoring probes (such as S6a or Gn interface monitoring devices) to deeply analyze the target receiving terminal's device metadata. This data constitutes the victim's digital DNA, including but not limited to the specific mobile phone model corresponding to the International Mobile Equipment Identity (IMEI), the operating system version number (accurate to the sub-version), screen resolution and pixel density, the geographical coordinates of the currently accessed base station, the network standard (5G / 4G), and the browser user agent string corresponding to the user's historical internet browsing behavior characteristics. The system encapsulates these features into a standardized fingerprint data packet in memory for subsequent twin construction.

[0122] Subsequently, the system enters a double-blind parallel probing phase. Utilizing containerization technology (such as Docker or lightweight virtual machines), the system dynamically instantiates a mimicry probe within an isolated sandbox cluster. This probe's runtime environment is configured in real-time to perfectly match the victim's device fingerprint: it loads the operating system kernel simulation layer of the corresponding phone model, modifies the TCP / IP fingerprint of the network protocol stack, adjusts the browser viewport size and rendering ratio, and even routes the exit IP address to the victim's base station area via a dynamic proxy network. From the network side's perspective, this mimicry probe is the victim themselves. Simultaneously, the system launches a baseline probe, configured in a standard data center server environment, using a generic crawler identifier without any disguise. The system controls these two probes to concurrently access the URL link in the SMS message within the same millisecond. At this point, if the target link is a normal commercial page, regardless of the visitor, the returned page structure should be consistent. However, if it is an environment-aware malicious link, the attacker's server will identify it based on characteristics: return a simple static page (such as system maintenance or an unrelated essay) to the baseline probe, and return a complex dynamic page (including form submissions, instant messaging plugins, payment inducement buttons, etc.) to the mimicry probe.

[0123] To accurately capture these differences, the system doesn't rely on simple text comparison but performs deep, structured differential analysis. The browser kernel generates a Document Object Model (DOM) tree when rendering a page. The system extracts the DOM trees generated by the two probes and transforms them into graph structures. Then, the system uses the Tree EditDistance algorithm from graph theory to calculate the minimum number of operations (node ​​insertion, deletion, and replacement) required to transform the baseline probe's DOM tree into the mimic probe's DOM tree. This edit distance visually quantifies the structural differences between the two pages. For example, if the baseline probe's DOM tree has only 10 nodes, while the mimic probe's DOM tree has 500 nodes and contains a large number of script execution nodes, the graph edit distance will be very large. If the difference exceeds a preset isomorphism threshold, the system can determine that the link displays different content for different environments, indicating malicious environment spoofing.

[0124] Furthermore, the mimicry-based differential trapping subsystem includes monitoring logic for mobile-specific attack methods, namely URL Scheme protocol call monitoring. Many new types of fraudulent traffic redirection no longer rely on webpage content but instead attempt to directly launch applications such as WeChat, Alipay, and QQ on the user's mobile phone and redirect them to a designated group chat or transfer interface. This launch operation is implemented through specific private protocols (such as weixin: / / , alipays: / / ). In a standard benchmark probe environment, due to the lack of a corresponding mobile application environment, such protocol calls are usually ignored or report errors. However, in the mimicry probe's simulated environment, the system injects special hook functions at the operating system level, capable of capturing and recording all launch requests (Intents) to external applications. Once the system detects that an instruction to launch social media or payment software appears in the mimicry probe's runtime logs but not in the benchmark probe, or that the parameters of the two calls are inconsistent, the system will immediately classify this behavior as the highest risk level.

[0125] Based on the structural difference determination of graph edit distance and the behavioral difference determination of URL Scheme, once the link is confirmed to be maliciously disguised, the system will immediately generate an interception command and push the extracted malicious link characteristics (domain name, path characteristics, parameter patterns) to the dynamic blacklist of the entire network in real time, so as to achieve one-point detection and network-wide immunity.

[0126] In summary, by employing a flow dynamics-based circuit breaker mechanism to physically block sudden attacks in the time dimension, and a mimicry-based differential trapping mechanism to game-level detection of spoofing attacks in the spatial dimension, this invention constructs a three-dimensional defense system that combines dynamic and static elements, fast and slow approaches, and software and hardware collaboration. This system not only theoretically addresses the logical vulnerabilities of existing technologies but also, through sophisticated algorithm design and hardware acceleration solutions, achieves extremely accurate identification and efficient interception of multimodal SMS referral numbers in engineering practice, providing a solid technical guarantee for the security of mobile communication networks.

[0127] It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such process, method, article, or apparatus.

[0128] Although embodiments of the invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made to these embodiments without departing from the principles and spirit of the invention, the scope of which is defined by the appended claims and their equivalents.

Claims

1. A multimodal SMS referral number intelligent identification and interception system, characterized in that, include: The multimodal data acquisition and fusion module is used to acquire multimodal SMS data and fuse the acquired multimodal SMS data based on natural language processing to form multimodal SMS fusion data. Specifically, text content, sending number, timestamp, and link features related to intelligent identification and interception of multimodal SMS traffic-driving numbers are extracted from multimodal SMS data, and the extracted features are weighted and fused to form multimodal SMS fusion data; The situational awareness intelligent identification module is used to build an intelligent identification model for SMS numbers based on artificial intelligence, and to perform semantic understanding and analysis on multimodal SMS fusion data to identify potential SMS lead generation numbers and determine the intelligent identification result of SMS numbers; The real-time decision-making security interception module is used to make corresponding real-time decisions and information security interception based on the intelligent identification results of SMS numbers. Among them, message filtering and interception are based on filter hooks. The real-time decision-making security interception module is equipped with a flow dynamics circuit breaker unit, which is used to perform the following operations: Before the situational awareness intelligent identification module outputs its results, it acquires the HTTP redirection hop count, joint information entropy, SMS text semantic vector, link landing page semantic vector, and sending acceleration. Based on the obtained HTTP redirection hop count, joint information entropy, SMS text semantic vector, link landing page semantic vector, and sending acceleration, the traffic redirection impact kinetic energy index of the number to be detected is calculated. ; The drainage impact kinetic energy index The calculation formula is as follows: in, The impact kinetic energy index represents the physical impact potential energy that the number causes to network security per unit time. The quality of the payload is used to quantify the fraud density of the information itself; e is the base of the natural logarithm. This refers to the number of HTTP redirect hops that occur during the process of resolving the domain name to the final landing page for the link embedded in the SMS message. The joint information entropy is the mixture of SMS text content and visible text on the linked landing page, used to characterize the complexity and obfuscation of the content; semantic vectors of SMS text semantic vectors of link landing pages Cosine similarity between them; To prevent extremely small positive correction constants with a denominator of zero; Number of SMS messages sent to this number Regarding time The second derivative of the acceleration; The velocity square term in the simulated physical kinetic energy formula means that even if the payload mass is small, once the transmission behavior exhibits explosive acceleration, the total risk index will increase exponentially. These are preset dimensional normalization coefficients used to balance dimensions and introduce a time decay factor. When calculated When the preset physical circuit breaker threshold is exceeded, the semantic analysis step is bypassed and the number is directly hard-blocked.

2. The multimodal SMS referral number intelligent identification and interception system according to claim 1, characterized in that, The multimodal data acquisition and fusion module includes: A multimodal data acquisition unit is used to monitor the status of SMS messages and collect multimodal SMS data. Among them, based on data security, the body content of SMS messages is collected from the operator's gateway or terminal device, including keywords, links and wording patterns, to obtain the SMS text modality; Based on data security, the attributes of the sending number are collected from the operator's gateway or terminal device, including whether it is a virtual number, the number segment ownership, and historical behavior, to obtain the SMS number modality; Based on data security, the system collects users' SMS behavior from operator gateways or terminal devices, including sending frequency, sending time and target audience, to obtain SMS behavior modalities. Based on data security, the system collects URLs embedded in SMS messages from operator gateways or terminal devices, including short link parsing, domain reputation, and whether they point to malicious app downloads, to obtain SMS link modalities. Based on data security, collect the QR code images that may be included in SMS messages from the operator's gateway or terminal device to obtain the SMS image modality; Multimodal SMS data is generated based on SMS text modality, SMS number modality, SMS behavior modality, SMS link modality, and SMS image modality.

3. The multimodal SMS referral number intelligent identification and interception system according to claim 2, characterized in that, The multimodal data acquisition and fusion module also includes: The multimodal data fusion unit is used to fuse multimodal SMS data according to natural language processing to form multimodal SMS fusion data; This includes cleaning the multimodal SMS data to remove noise and reduce its interference with the intelligent identification and interception of multimodal SMS lead numbers; identifying missing and outlier values ​​in the multimodal SMS data; and processing the identified missing and outlier values. Normalize the multimodal SMS data to convert it into a unified data format, remove the differences in units between the multimodal SMS data, and form standardized multimodal SMS data. Feature extraction is performed on multimodal SMS data. Text content, sending number, timestamp, and link features related to intelligent identification and interception of multimodal SMS traffic-driving numbers are extracted from the multimodal SMS data. The extracted features are then weighted and fused to form multimodal SMS fusion data.

4. The multimodal SMS referral number intelligent identification and interception system according to claim 3, characterized in that, The situational awareness intelligent identification module includes: The situational awareness model building unit is used to build an intelligent SMS number recognition model; This involves collecting historical data on multimodal SMS messages and dividing the collected data into training and testing sets in a 7:3 ratio. Based on artificial intelligence, a training set is used to train the deep learning model, enabling the deep learning model to autonomously learn the intelligent recognition behavior of SMS numbers from the training set, and identify potential SMS referral numbers, thus determining the intelligent recognition model of SMS numbers. The SMS number intelligent recognition model was tested using a test set to evaluate its generalization performance and determine whether it could achieve the expected effect of identifying potential SMS referral numbers. When the SMS number intelligent recognition model fails to achieve the expected effect of identifying potential SMS referral numbers, the parameters of the SMS number intelligent recognition model are adjusted and iteratively optimized until the SMS number intelligent recognition model can achieve the expected effect of identifying potential SMS referral numbers, and the optimal SMS number intelligent recognition model is determined.

5. The multimodal SMS referral number intelligent identification and interception system according to claim 4, characterized in that, The situational awareness intelligent recognition module also includes: Situational awareness security identification unit, used to identify potential SMS referral numbers; The process involves inputting multimodal SMS fusion data into an intelligent SMS number recognition model, performing semantic understanding and analysis on the multimodal SMS fusion data based on the model, conducting real-time security detection to assess the risk of SMS numbers, identifying potential SMS referral numbers, and determining the intelligent SMS number recognition result.

6. The multimodal SMS referral number intelligent identification and interception system according to claim 5, characterized in that, The real-time decision-making security interception module includes: Real-time decision-making unit, used to formulate real-time decision-making plans; The information security interception unit is used to securely intercept SMS redirection numbers; Among them, a corresponding real-time decision-making plan is formulated based on the intelligent identification results of SMS numbers, and the SMS traffic-driving numbers are securely intercepted based on the formulated real-time decision-making plan; If the risk assessment of a text message number is high, the text message number will be directly blocked so that the user cannot receive the text message from that number. If the risk assessment of the SMS number is low, the SMS will be delivered normally so that the user receives the SMS.

7. The multimodal SMS referral number intelligent identification and interception system according to claim 6, characterized in that, To directly block SMS messages from a specific number, perform the following actions: A filtering hook is pre-set on the message processing link of the SMS gateway. All incoming SMS messages will pass through the hook function. Based on the filtering hook, the API of the real-time decision engine is called synchronously, and the calling number, the called number, and the SMS content information are passed in as parameters. The real-time decision engine returns the decision result within milliseconds. After receiving the interception instruction, the gateway directly replies to the sender with a successful delivery status and imports the SMS content into the audit log system. The real-time decision engine queries the blacklist and graylist cache of numbers in real time and makes a comprehensive judgment based on the real-time risk assessment to intercept and discard the SMS, preventing the user from receiving it.

8. The multimodal SMS referral number intelligent identification and interception system according to claim 7, characterized in that, It also includes a visual management report module, which provides administrators with management reports in a visual format and displays interception statistics, risk assessments, and analysis of new fraud patterns to assist administrators in making corresponding decisions and controls.

9. The multimodal SMS referral number intelligent identification and interception system according to claim 7, characterized in that, The real-time decision-making security interception module also includes a digital twin-based mimicry differential trapping mechanism for identifying traffic redirection links with environmental awareness capabilities. The mimicry differential trapping mechanism performs the following steps: The interception module parses the device fingerprint metadata of the target receiving terminal of the SMS to be detected from the core network signaling. The device fingerprint metadata includes user agent, screen resolution, operating system version and current base station location information. The system simultaneously initiates two independent detection processes; The first route serves as a baseline probe, using a standard data center IP and a generic crawler User-Agent to access the URL in the SMS message; The second approach is a mimicry probe, which dynamically constructs a headless digital twin browser environment in an isolation sandbox that is completely consistent with the device's fingerprint metadata to access the same URL; Obtain the page document object model tree rendered by the baseline probe and the mimicry probe respectively, and calculate the graph edit distance between the two DOM trees; If the calculated graph edit distance is greater than the preset isomorphism threshold, or if the URL Scheme protocol call attempting to invoke third-party instant messaging software is only detected in the loading log of the mimicry probe, it is determined that the link uses a disguised traffic redirection technique for a specific terminal environment, and an interception instruction is directly generated and the URL feature is added to the dynamic blacklist.