Intelligent terminal network intrusion behavior recognition method and device based on deep learning
By constructing a dynamic spatiotemporal behavior map and using deep learning networks for intrusion behavior prediction, the accuracy problem of intrusion behavior identification in smart terminal networks in existing technologies is solved, and efficient intrusion behavior identification and tracing are achieved.
Patent Information
- Authority / Receiving Office: CN · China
- Patent Type: Patents (China)
- Current Assignee / Owner: GUIZHOU INST OF TECH
- Filing Date: 2026-03-31
- Publication Date: 2026-06-19
AI Technical Summary
Existing technologies struggle to accurately identify network intrusion behavior from smart terminals from the perspectives of temporal evolution and cross-dimensional correlation, leading to frequent false alarms and missed alarms.
By constructing a dynamic spatiotemporal behavioral map that integrates network traffic and operation logs, a pre-trained deep network for intrusion behavior prediction is used to predict multi-level behavioral patterns and mine intrusion propagation paths, generating accurate intrusion behavior identification results.
It significantly improves the accuracy of identifying complex, multi-step intrusion behaviors and the ability to trace their origins, avoiding false alarms and missed alarms caused by a single data source, and achieving a precise closed loop from behavior discovery to verification to response.
Figure CN121940231B_ABST
Description
Technical Field
[0001] This invention relates to the field of deep learning, and more specifically, to a method and device for identifying network intrusion behavior of intelligent terminals based on deep learning.
Background Technology
[0002] Network intrusion behavior identification technology for smart terminals collects network traffic data by deploying monitoring systems, compares the access request characteristics in the traffic data with a preset intrusion behavior feature database, and identifies abnormal access behavior and triggers alarm responses based on the comparison results. However, actual intrusion behavior often exhibits multi-stage evolution and cross-dimensional propagation characteristics. During the evolution process, it generates behavioral traces with inherent correlations at both the network access and terminal operation levels. Existing identification technologies struggle to accurately identify network intrusion behavior of smart terminals from the perspective of temporal evolution and cross-dimensional correlation.
Summary of the Invention
[0003] In view of this, the present invention provides a method and device for identifying network intrusion behavior of intelligent terminals based on deep learning.
[0004] According to one aspect of the present invention, a method for identifying network intrusion behavior of intelligent terminals based on deep learning is provided, comprising:
[0005] Acquire the raw network traffic data set and the corresponding raw terminal operation log data set generated by the smart terminal to be identified within a preset monitoring period. The raw network traffic data set contains multiple network data packet units arranged in the order of collection time, and the raw terminal operation log data set contains multiple terminal operation record units aligned with the timestamps of the network data packet units.
[0006] Spatiotemporal behavior graphs are constructed from the original network traffic data set and the original terminal operation log data set to generate a dynamic spatiotemporal behavior graph of the intelligent terminal to be identified within a preset monitoring period. The dynamic spatiotemporal behavior graph contains multiple behavior nodes as well as temporal edges and association edges connecting the behavior nodes.
[0007] The dynamic behavior spatiotemporal graph is input into a pre-trained deep network for intrusion behavior prediction to perform multi-level behavior pattern prediction, thereby obtaining the probability distribution of intrusion possibility corresponding to each behavior node in the dynamic behavior spatiotemporal graph and the intrusion propagation path graph between behavior nodes.
[0008] Based on the probability distribution of intrusion possibility and the intrusion propagation path map, the intrusion behavior sequence is reconstructed to generate multiple candidate intrusion behavior sequences of the smart terminal to be identified within a preset monitoring period and a credibility score for each candidate intrusion behavior sequence.
[0009] Based on the credibility score, the target intrusion behavior sequence is selected from multiple candidate intrusion behavior sequences, and an intrusion behavior identification result response instruction containing terminal identifier and intrusion time period is generated according to the target intrusion behavior sequence.
[0010] According to another aspect of the present invention, a computer device is provided, comprising: a processor; and a memory, wherein the memory stores computer-readable code, which, when executed by the processor, causes the processor to perform the method described above.
[0011] The present invention provides a deep learning-based method for identifying network intrusion behavior in intelligent terminals. This method constructs a dynamic spatiotemporal behavior map that integrates network traffic and operation logs, and utilizes a pre-trained deep network for intrusion behavior prediction to predict multi-level behavior patterns and mine intrusion propagation paths. Then, based on probability distribution and propagation paths, it reconstructs behavior sequences and filters credibility, ultimately generating accurate intrusion behavior identification results and response instructions. This enables the entire identification process to extract complete intrusion behavior chains from spatiotemporal correlations across data sources, rather than just isolated anomalies. This significantly improves the accuracy and source tracing capabilities for identifying complex, multi-step intrusion behaviors, avoids false alarms and missed alarms caused by a single data source, and achieves a precise closed loop from behavior discovery to behavior verification to behavior response.
[0012] It should be understood that the above general description and the following detailed description are merely exemplary and explanatory, and are not intended to limit the technical solutions of the present invention.
Description of the Attached Figures
[0013] Figure 1 is a schematic diagram of an application scenario provided by the present invention;
[0014] Figure 2 is a flowchart of a method for identifying network intrusion behavior of intelligent terminals based on deep learning, provided by the present invention;
[0015] Figure 3 is a schematic diagram of the structure of an intrusion detection device provided in an embodiment of the present invention;
[0016] Figure 4 is a schematic diagram of the structure of a computer device provided in an embodiment of the present invention.
Detailed Implementation
[0017] To facilitate a clearer understanding of this invention, the application scenario of the deep learning-based intelligent terminal network intrusion behavior recognition method is introduced first. As shown in Figure 1, the application scenario of this invention includes computer device 10 and smart terminals; the number of smart terminals is not limited here. As shown in Figure 1, it may include smart terminal 1, smart terminal 2, ..., smart terminal n; it can be understood that smart terminal 1, smart terminal 2, smart terminal 3, ..., smart terminal n can all be connected to computer device 10 via a network, so that each smart terminal can interact with computer device 10 over that network connection.
[0018] It is understood that computer device 10 can refer to a device that executes the deep learning-based intelligent terminal network intrusion behavior identification method provided in the embodiments of the present invention. Computer device 10 may be a server, such as a single physical server, or a server cluster or distributed system consisting of at least two physical servers. Intelligent terminals may specifically refer to industrial control computers, mobile communication terminals, or Internet of Things sensor nodes, etc., but are not limited to these. Various intelligent terminals and computer device 10 can be directly or indirectly connected via wired or wireless communication. Furthermore, the number of intelligent terminals and computer device 10 can be one or at least two; the present invention does not impose any limitations on this.
[0019] Further, Figure 2 is a flowchart of a method for identifying network intrusion behavior on a smart terminal based on deep learning, provided in an embodiment of the present invention. As shown in Figure 2, this method can be executed by computer device 10 in Figure 1, and may include the following steps:
[0020] Step S100: Obtain the original network traffic data set and the corresponding original terminal operation log data set generated by the smart terminal to be identified within the preset monitoring period. The original network traffic data set contains multiple network data packet units arranged in the order of collection time, and the original terminal operation log data set contains multiple terminal operation record units aligned with the timestamps of the network data packet units.
[0021] The target intelligent terminal is the computing device that needs to be detected for intrusion behavior, including but not limited to industrial control computers, mobile communication terminals, or IoT sensor nodes. The raw network traffic data set is the collection of all data packets captured from the network link layer using network packet capture tools during the monitoring period. A network packet unit is the smallest unit in this set; each unit corresponds to a complete data frame, containing all raw byte information from the link layer header to the application layer payload, and each unit is marked with a precise capture timestamp. The raw terminal operation log data set is the collection of all log entries collected from the terminal's operating system log system, application log files, or security audit daemons during the same monitoring period. A terminal operation record unit is the smallest unit in this set, such as an audit record in a Linux system or an event log in a Windows system. Each record details a specific operation that occurred within the terminal, including the subject, object, type, and time of the operation. Timestamp alignment ensures that the timestamps of network packets and terminal operation logs have a unified time base through precise time protocols or network time services, enabling precise correspondence between the two data sources in the time dimension.
[0022] In practical implementation, a splitter can be deployed at the network egress of the smart terminal to be identified, copying the network traffic and sending it to a traffic acquisition server. The traffic acquisition server runs the libpcap low-level packet capture library, which sets the network card to promiscuous mode, captures raw data frames directly from the data link layer, and calls a system time function for each captured frame to generate a timestamp accurate to microseconds. The timestamp and data frame are then encapsulated together into a network data packet unit. Simultaneously, an auditing system, such as the auditd daemon under Linux, is installed and configured on the terminal, with rules that monitor critical events such as file access, process creation, and system calls. auditd records each monitored event as a log entry in a preset format, and each log entry is stamped with a high-precision timestamp by the kernel when it is generated, resulting in a terminal operation record unit. Both the traffic acquisition server and the terminal synchronize their clocks with the same network time server to ensure a consistent timestamp base. After acquisition is complete, all network data packet units are arranged in chronological order by timestamp to generate the raw network traffic data set, and all terminal operation record units are likewise arranged in chronological order by timestamp to generate the raw terminal operation log data set.
[0023] Step S200: Construct a spatiotemporal behavior graph for the original network traffic data set and the original terminal operation log data set, and generate a dynamic spatiotemporal behavior graph of the intelligent terminal to be identified within a preset monitoring period. The dynamic spatiotemporal behavior graph contains multiple behavior nodes and temporal edges and association edges connecting the behavior nodes.
[0024] In one implementation, step S200 may specifically include:
[0025] Step S210: Parse the protocol field of each network packet unit in the original network traffic data set, extract the source Internet Protocol address, destination Internet Protocol address, transport layer protocol type and application layer payload content hash value of the network packet unit, and aggregate all network packet units with the same five-tuple information into network flow units according to the timestamp of the network packet unit.
[0026] Protocol field parsing is the process of disassembling captured raw network packets layer by layer according to the hierarchical structure of the network protocol stack. A network packet unit contains a complete encapsulation from the physical layer to the application layer. Parsing begins with the data link layer header, identifying the Ethernet type field to determine the upper-layer protocol type. If the upper layer is the Internet Protocol (IP), the IP header is parsed further, extracting the source IP address and destination IP address fields. These two fields, each occupying 32 bits (IPv4) or 128 bits (IPv6), identify the sender and receiver of the data packet. Simultaneously, the protocol field is extracted from the IP header. This field indicates the protocol type used by the transport layer; for example, a value of 6 represents Transmission Control Protocol (TCP), and a value of 17 represents User Datagram Protocol (UDP). Then, based on the transport layer protocol type indicated by the IP header, the corresponding transport layer header is parsed. If it is TCP, the source port and destination port fields are extracted from the TCP header; if it is UDP, the source port and destination port fields are extracted from the UDP header. The source IP address, destination IP address, source port, destination port, and transport layer protocol type together constitute the five-tuple information used to uniquely identify a session in network communication. The application layer payload hash value is the digest computed over the application layer data that follows the transport layer header.
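As an added example (not the patent's own code), the following Python parses constructed Ethernet/IPv4 frames layer by layer into the five-tuple and payload hash of step S210 and aggregates packets that share a five-tuple into network flow units ordered by timestamp. The frame builder, the flow data structure and the sample addresses are assumptions made for the demonstration.

```python
"""Five-tuple extraction and flow aggregation (step S210) on constructed frames."""
import hashlib
import struct
from dataclasses import dataclass, field

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


@dataclass
class PacketUnit:
    """A network data packet unit: capture timestamp plus the raw frame bytes."""
    ts: float
    frame: bytes


@dataclass
class FlowUnit:
    """A network flow unit: every packet sharing one five-tuple, in time order."""
    five_tuple: tuple
    timestamps: list = field(default_factory=list)
    payload_hashes: list = field(default_factory=list)


def parse_five_tuple(frame: bytes):
    """Walk Ethernet -> IPv4 -> TCP/UDP headers.

    Returns ((src, dst, sport, dport, proto), payload_sha256) or None for
    frames that are not IPv4 carrying TCP or UDP (or are truncated)."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4                  # IPv4 header length in bytes
    proto = ip[9]                             # transport protocol number
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    l4 = ip[ihl:]
    if proto == PROTO_TCP:
        if len(l4) < 20:
            return None
        sport, dport = struct.unpack("!HH", l4[:4])
        l4_len = ((l4[12] >> 4) & 0x0F) * 4   # TCP data offset
    elif proto == PROTO_UDP:
        if len(l4) < 8:
            return None
        sport, dport = struct.unpack("!HH", l4[:4])
        l4_len = 8
    else:
        return None
    payload = l4[l4_len:]                     # application layer data
    return (src, dst, sport, dport, proto), hashlib.sha256(payload).hexdigest()


def aggregate_flows(packets):
    """Group packets by five-tuple; packets are visited in capture-time order."""
    flows = {}
    for pkt in sorted(packets, key=lambda p: p.ts):
        parsed = parse_five_tuple(pkt.frame)
        if parsed is None:
            continue                          # non-IP/TCP/UDP frames are skipped
        key, digest = parsed
        flow = flows.setdefault(key, FlowUnit(key))
        flow.timestamps.append(pkt.ts)
        flow.payload_hashes.append(digest)
    return flows


def build_frame(src, dst, sport, dport, proto, payload):
    """Constructed test frame: minimal Ethernet + IPv4 + TCP/UDP headers (assumption)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    if proto == PROTO_TCP:   # 20-byte TCP header, data offset 5, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:                    # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    return eth + ip + l4 + payload


def demo_flows():
    """Constructed capture: one TCP session in both directions plus one UDP query."""
    pkts = [
        PacketUnit(1.000, build_frame("10.0.0.5", "10.0.0.9", 40000, 22, PROTO_TCP, b"SSH-2.0-x")),
        PacketUnit(1.002, build_frame("10.0.0.9", "10.0.0.5", 22, 40000, PROTO_TCP, b"SSH-2.0-y")),
        PacketUnit(1.010, build_frame("10.0.0.5", "10.0.0.9", 40000, 22, PROTO_TCP, b"k")),
        PacketUnit(1.020, build_frame("10.0.0.5", "10.0.0.53", 5353, 53, PROTO_UDP, b"q")),
    ]
    return aggregate_flows(pkts)


if __name__ == "__main__":
    for key, flow in demo_flows().items():
        print(key, len(flow.timestamps), "packets")
```

Note that the two directions of the SSH session land in two different flow units because the five-tuple is directional; a bidirectional session view would key on the sorted endpoint pair.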
[0027] Step S220: Perform semantic parsing on each terminal operation record unit in the original terminal operation log data set, extract the operation type identifier, operation object path string, and operation return status code of the terminal operation record unit, and aggregate terminal operation record units initiated by the same process identifier within a continuous time interval into operation session units based on the timestamp of the terminal operation record unit.
[0028] Semantic parsing is the process of identifying and extracting key data elements with explicit semantic information from unstructured log text or structured log record fields. Terminal operation record units are typically stored in a defined format. For example, in a Linux audit log, a record may contain fields such as type, msg, uid, pid, ppid, syscall, and success. The semantic parsing process first needs to locate the field describing the operation type, such as a system call number or event type field, based on the log record format definition. The value of this field is then mapped to an understandable operation type identifier; for example, a system call number is mapped to an open file operation. Next, fields describing the operation object are parsed from the log record, such as file path, registry key, or process command line fields. The string value of this field is extracted as the operation object path string. Finally, the operation result status fields, such as success or failure flags or specific error codes, are parsed, and the value of this field is extracted as the operation return status code. This status code reflects whether the operation was successfully executed and the reason for failure. After extracting the core information of each terminal operation record unit, all terminal operation record units initiated by the same process identifier and appearing consecutively in time are aggregated into one operation session unit based on their timestamps. The process identifier is a unique number assigned by the operating system to each running process to distinguish different processes. 
The specific aggregation rule is as follows: starting with the first record belonging to a certain process identifier, subsequent records belonging to the same process identifier are continuously added to the current operation session unit until an exit record of the process is detected or the time interval between two consecutive records exceeds a preset threshold, such as 5 seconds, at which point the current activity session of that process is considered to have ended.
[0029] Step S230: Construct a first-layer behavior node based on the source Internet Protocol address and destination Internet Protocol address in the network flow unit, and associate each first-layer behavior node with its corresponding set of network flow units. Calculate the timestamp distribution entropy value of all network data packet units in the set of network flow units as the traffic fluctuation feature vector of the first-layer behavior node.
[0030] In one implementation, step S230 may specifically include:
[0031] Step S231: Extract all source Internet Protocol (IP) addresses and destination Internet Protocol (IP) addresses from the network flow units, use each unique source IP address or destination IP address as the identifier of the candidate Layer 1 behavior node, and assign a blank set of network flow units to each candidate Layer 1 behavior node.
[0032] First, iterate through all network flow units generated in step S220. For each network flow unit, obtain the binary or dotted decimal string value of the source Internet Protocol address field and the binary or dotted decimal string value of the destination Internet Protocol address field recorded in its header information. Establish a global hash table where the key is the string representation of the Internet Protocol address and the value is an empty list data structure. For each source and destination address encountered, check if an entry with that address as the key already exists in the hash table. If not, add a key-value pair to the hash table with the address as the key and a newly created empty list as the value.
[0033] Step S232: Traverse all network flow units. For each network flow unit, add a reference pointer of that network flow unit to the network flow unit set of the candidate first-layer behavior nodes corresponding to its source Internet Protocol address and destination Internet Protocol address, respectively.
[0034] After creating candidate nodes and assigning an empty set to each node, these sets are populated. All network flow units are traversed again. For each network flow unit currently traversed, its source Internet Protocol address is first obtained. Then, using this address as the key, a lookup is performed in the previously constructed hash table to locate the network flow unit set of the candidate first-level behavior node corresponding to that source address—that is, the empty list. Next, a reference pointer to this network flow unit is added to this list. A reference pointer is an address that points to the memory storage of the network flow unit's data structure. By adding a reference pointer, the unit can be associated with the node set without copying the entire network flow unit's data. After completing the source address operation, the destination Internet Protocol address of the current network flow unit is obtained. Again, using this address as the key, a lookup is performed in the hash table to locate the network flow unit set of the candidate first-level behavior node corresponding to the destination address, and the reference pointer of that network flow unit is also added to this set.
[0035] Step S233: Sort the timestamps of all network data packet units in the network flow unit set of each first-level behavior node to generate the timestamp sequence corresponding to the first-level behavior node.
[0036] For each first-level behavioral node, its associated network flow unit set contains reference pointers to multiple network flow units, and each network flow unit itself is composed of multiple network data packet units aggregated in chronological order. To analyze the overall communication time pattern of this node, it is necessary to merge the timestamps of all data packet units associated with it and belonging to different network flow units for processing. Specifically, each reference pointer in the node's network flow unit set is traversed, and the corresponding network flow unit data structure is accessed through each pointer. Each network flow unit maintains a list storing the timestamps of all network data packet units constituting the flow in ascending chronological order. All timestamps in this network flow unit list are extracted one by one and placed into a temporary global list. After traversing all network flow units associated with the node, this temporary list contains the arrival or sending timestamps of every data packet in all network communication activities in which the node participates. Then, a sorting operation is performed on this temporary global timestamp list, typically using quicksort or mergesort algorithms, to ensure that all timestamps are strictly arranged in ascending order. The ordered timestamp list obtained after sorting is the timestamp sequence of the first-level behavior node. This sequence is the projection of all network communication events of the node on the timeline.
[0037] Step S234: Divide the timestamp sequence into multiple continuous time window subsequences by sliding window according to a preset fixed time window length, count the number of network data packet units contained in each time window subsequence, and generate the traffic count time series of the first-level behavior node.
[0038] The preset fixed time window length is an empirical parameter, such as 1 second or 10 seconds. The sliding window segmentation operation moves a fixed-length time window along the time axis with a fixed step size, usually equal to the window length to ensure that windows do not overlap. For the timestamp sequence generated in step S233, first determine the start and end times of the entire monitoring period. Then, starting from the start time, divide the time into the first time window with a preset length, for example, from zero seconds to ten seconds. Next, count the number of timestamps in the timestamp sequence that fall within the closed interval of this time window. This number represents the total number of data packets sent or received by the first-level behavior node within those ten seconds. Record this count value and the corresponding start time or number of the time window. Then, slide the time window forward by one step. If the step size is equal to the window length, the next window is from ten seconds to twenty seconds, and the number of timestamps falling within this window is counted and recorded again. Repeat this process until the sliding window covers the entire monitoring period. Finally, by arranging the data packet counts obtained in each window according to the time window order, a one-dimensional numerical sequence is formed, which is the traffic count time series of the first-level behavioral node.
[0039] Step S235: Calculate the time entropy value of network data packet units arriving in each time window subsequence of the traffic counting time series, arrange the time entropy values of the time window subsequence in chronological order, and generate the time entropy sequence of the first layer of behavior nodes.
[0040] The traffic count time series only reflects the number of packets in each window; it does not show how the packet arrival times are distributed inside the window. Time entropy measures the uniformity or randomness of packet arrival times within a time window. For each time window divided in step S234, the precise timestamps of all packets within that window are obtained. Assume there are $N$ packets in the window, with timestamps $t_1, t_2, \ldots, t_N$. To calculate the time entropy, these timestamps are first normalized: the earliest timestamp $t_{\min}$ and the latest timestamp $t_{\max}$ in the window are found, and the window duration is defined as $T = t_{\max} - t_{\min}$. If the window holds only one packet, or all packets share the same timestamp, then $T$ may be 0, in which case the time entropy is defined as 0. In the general case, the interval between adjacent packets is $d_i = t_{i+1} - t_i$ for $i = 1, \ldots, N-1$, and these intervals sum to $T$. The proportion of each interval in the window duration is $p_i = d_i / T$; the $p_i$ sum to 1 and can be treated as a probability distribution. The time entropy $H$ follows the Shannon entropy of information theory: $H = -\sum_{i=1}^{N-1} p_i \log_2 p_i$. The larger $H$, the more uneven and random the packet arrival intervals; the smaller $H$, the more uniform the intervals, or the more the packets concentrate in a few intervals, exhibiting a certain regularity. A time entropy value $H$ is calculated for each time window, and these values are arranged in the order of their corresponding windows to obtain the time entropy sequence of the first-level behavioral node. This sequence reflects the degree of regularity of the node's communication behavior over time.
[0041] Step S236: Perform a fast Fourier transform on the time entropy sequence, extract the amplitude values corresponding to the first few frequency components with the largest amplitude in the frequency domain as the periodic fluctuation features of the first layer of behavioral nodes, and concatenate the periodic fluctuation features with the mean and variance of the time entropy sequence to generate the flow fluctuation feature vector of the first layer of behavioral nodes.
[0042] The time entropy sequence obtained in step S235 is used as the input signal, with a sequence length of L, i.e., the number of time windows. A Fast Fourier Transform (FFT) algorithm is performed on this sequence. The algorithm uses a butterfly operation to decompose the discrete time-domain sequence into a superposition of sine and cosine waves of different frequencies, outputting a complex sequence of the same length as the input sequence, called the frequency domain representation. Each position in this complex sequence corresponds to a frequency, and the magnitude of the complex number at that position represents the intensity of the corresponding frequency component in the original signal. The frequency starts from 0 and increases sequentially until the Nyquist frequency. The larger the amplitude, the more obvious the periodic fluctuation of that frequency in the original signal. To extract the main periodic features, the obtained amplitude spectrum needs to be analyzed. The amplitude values corresponding to all frequency components are found, and the top K components with the largest amplitudes are selected, where K is a preset positive integer, for example, 5. The amplitude values of these K components are recorded. These amplitude values constitute the periodic fluctuation characteristics of the node, reflecting the most important activity cycle of the node's communication behavior. Simultaneously, the statistical characteristics of the original time entropy sequence are calculated, namely the arithmetic mean of all elements in the sequence and the average of the squares of the differences between all elements and the mean, i.e., the variance. The mean reflects the average level of the overall regularity of node communication, while the variance reflects the intensity of regular fluctuations. Finally, these K amplitude values, mean, and variance are concatenated in order to obtain a one-dimensional feature vector. 
This vector is the traffic fluctuation feature vector of the first-layer behavioral node, which comprehensively describes the temporal distribution characteristics, periodicity, and overall fluctuation of the node network communication behavior.
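The chain of steps S233 to S236, as an added example in Python (not the patent's own code): merge and sort a node's packet timestamps, split them into fixed windows, compute the time entropy of each window including the $T = 0$ edge case, and build the fluctuation feature vector from the top-K spectral amplitudes plus the mean and variance of the entropy sequence. The packet timestamps are constructed, and the spectrum is computed with a direct DFT, which yields the same magnitudes an FFT would.

```python
"""Traffic fluctuation feature vector of a first-layer behavior node (S233-S236)."""
import cmath
import math


def merged_timestamp_sequence(flow_timestamp_lists):
    """S233: merge the per-flow timestamp lists of one node and sort ascending."""
    return sorted(t for ts in flow_timestamp_lists for t in ts)


def window_subsequences(timestamps, start, end, window_len):
    """S234: non-overlapping fixed-length windows over [start, end].

    Returns one timestamp list per window; empty windows are kept so the
    resulting series has a fixed length L for the spectral step."""
    n_windows = math.ceil((end - start) / window_len) if end > start else 1
    windows = [[] for _ in range(n_windows)]
    for t in timestamps:
        idx = min(int((t - start) // window_len), n_windows - 1)  # t == end lands in last window
        windows[idx].append(t)
    return windows


def time_entropy(window_ts):
    """S235: Shannon entropy (bits) of the inter-arrival interval proportions.

    Defined as 0 when the window has fewer than two packets or T == 0."""
    if len(window_ts) < 2:
        return 0.0
    ts = sorted(window_ts)
    total = ts[-1] - ts[0]                    # T = t_max - t_min
    if total <= 0:
        return 0.0
    h = 0.0
    for a, b in zip(ts, ts[1:]):
        p = (b - a) / total                   # p_i = d_i / T
        if p > 0:                             # zero-length intervals contribute nothing
            h -= p * math.log2(p)
    return h


def dft_magnitudes(seq):
    """Magnitude spectrum of a real sequence (direct DFT; same result as an FFT)."""
    n = len(seq)
    mags = []
    for k in range(n):
        s = sum(x * cmath.exp(-2j * math.pi * k * i / n) for i, x in enumerate(seq))
        mags.append(abs(s))
    return mags


def fluctuation_feature_vector(flow_timestamp_lists, start, end, window_len, top_k=5):
    """S236: returns (count series, entropy series, feature vector).

    The feature vector is [top-K amplitudes in descending order, mean, variance]
    of the time entropy sequence; it is padded with zeros when fewer than K
    frequency components exist."""
    seq = merged_timestamp_sequence(flow_timestamp_lists)
    windows = window_subsequences(seq, start, end, window_len)
    counts = [len(w) for w in windows]                  # traffic count time series
    entropies = [time_entropy(w) for w in windows]      # time entropy sequence
    mags = dft_magnitudes(entropies)[: len(entropies) // 2 + 1]  # components up to Nyquist
    top = sorted(mags, reverse=True)[:top_k]
    top += [0.0] * (top_k - len(top))
    mean = sum(entropies) / len(entropies)
    var = sum((e - mean) ** 2 for e in entropies) / len(entropies)
    return counts, entropies, top + [mean, var]


if __name__ == "__main__":
    # constructed node: two flows, a 20 s monitoring period, 10 s windows
    flows = [[0.0, 0.5, 1.0], [10.5, 10.6, 10.9]]
    counts, entropies, vec = fluctuation_feature_vector(flows, 0.0, 20.0, 10.0)
    print("counts:", counts)
    print("entropies:", entropies)
    print("feature vector:", vec)
```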
[0043] Step S240: Construct a second-layer behavior node based on the operation type identifier and operation object path string in the operation session unit, and associate each second-layer behavior node with its corresponding operation session unit set. Calculate the transition probability matrix of the operation type identifier in the operation session unit set as the behavior pattern feature matrix of the second-layer behavior node.
[0044] The second-layer behavior nodes represent the internal operation patterns of a terminal in the dynamic behavior spatiotemporal graph. The construction process first analyzes each operation session unit, extracting its multiple terminal operation record units. From these records, the core operation intent embodied by the operation session unit can be summarized. For example, an operation session unit may consist of a series of records such as creating a file, writing to a file, modifying file permissions, and executing a file. When constructing the second-layer behavior nodes, instead of creating a node for each process or session, a node is created for each type of operation session with similar operation patterns. Specifically, representative operation type identifier sequences and operation object path strings need to be extracted from the operation session units. The operation type identifier sequence is the chronological order of the operation types of all records in the session. The operation object path string sequence is the path to the files, directories, registry keys, etc., operated by these records. Based on this information, each operation session unit can be assigned a type label, such as a document editing session, software installation session, or malware intrusion session. Then, operation session units with the same type label are associated with the same second-layer behavior node. The behavior pattern feature matrix is used to quantitatively describe the internal behavior patterns of this type of operation session. For all operation session units associated with a second-level behavior node, the transition of operation type identifiers within all operation session units is statistically analyzed. The transition of operation type identifiers refers to the sequential relationship of changing from one operation type to the next within the same operation session unit. 
For example, from opening a file to reading a file, and then from reading a file to closing a file. By statistically analyzing all operation session units belonging to this node, a two-dimensional transition probability matrix can be constructed. The rows of the matrix represent the current operation type, and the columns represent the next operation type. Each element in the matrix represents the conditional probability that the next operation type is a specific type after observing the current operation type. The calculation method is to count the total number of occurrences of all adjacent operation type pairs in all operation session units to obtain a frequency matrix. Then, each row of the frequency matrix is normalized so that the sum of the probabilities in each row is 1. This transition probability matrix is the behavior pattern feature matrix of this second-level behavior node.
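As an added worked example (not code from the patent), the following Python computes the behavior pattern feature matrix of step S240 from the operation type identifier sequences of the operation session units assigned to one second-layer node. The operation type names, the three session sequences and the function names are constructed for illustration.

```python
# Constructed example (not from the patent): operation type identifier sequences of
# the operation session units that were assigned to one second-layer behavior node.
SESSIONS = [
    ["create", "write", "chmod", "exec"],
    ["create", "write", "write", "exec"],
    ["create", "write", "chmod", "exec", "close"],
]

def transition_matrix(sessions, op_types=None):
    """Return (op_types, P) where P[a][b] = P(next = b | current = a), estimated from
    adjacent operation-type pairs inside each session (step S240).

    op_types fixes the row/column order. Pass the same vocabulary for every node so
    that the flattened matrices used later as node features have equal dimension.
    A row whose operation type never has a successor (e.g. the final operation of
    every session) has no counts to normalize; it is left all-zero rather than
    forced to sum to 1."""
    if op_types is None:
        op_types = sorted({op for s in sessions for op in s})
    idx = {op: i for i, op in enumerate(op_types)}
    n = len(op_types)
    counts = [[0] * n for _ in range(n)]          # frequency matrix of adjacent pairs
    for s in sessions:
        for cur, nxt in zip(s, s[1:]):           # pairs never cross session boundaries
            counts[idx[cur]][idx[nxt]] += 1
    probs = []
    for row in counts:                           # row-wise normalization
        total = sum(row)
        probs.append([c / total for c in row] if total else [0.0] * n)
    return op_types, probs

def flatten(probs):
    """Row-major flattening, the form in which the matrix enters the encoder (S310)."""
    return [v for row in probs for v in row]

OP_TYPES, P = transition_matrix(SESSIONS)
```

With the constructed sessions, `create` is always followed by `write`, so that row is `[0, 0, 0, 0, 1]`-style with probability 1.0 on `write`, while the `write` row splits 0.5/0.25/0.25 across `chmod`, `write` and `exec`.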
[0045] Step S250: Establish association edges based on the co-occurrence relationship between the first-layer behavior nodes and the second-layer behavior nodes on the time axis. The weight of the association edge is determined based on the mutual information between the network flow unit and the operation session unit within the co-occurrence time window. The mutual information is calculated based on the association frequency between the destination port of the data packet in the network flow unit and the operation object path in the operation session unit.
[0046] As one implementation method, step S250 may specifically include:
[0047] Step S251: Divide the preset monitoring period into multiple continuous and non-overlapping fixed-length time window units according to a fixed time length, and assign a unique time window index number to each fixed-length time window unit.
[0048] Step S252: For each fixed-length time window unit, select network flow units whose timestamps are located within the fixed-length time window unit from the set of network flow units associated with each first-level behavior node, forming a subset of network flow units for the first-level behavior node within the fixed-length time window unit. Also, select operation session units whose timestamps are located within the fixed-length time window unit from the set of operation session units associated with each second-level behavior node, forming a subset of operation session units for the second-level behavior node within the fixed-length time window unit.
[0049] After discretizing the timeline into a series of fixed windows, the activity of each node needs to be assigned to the corresponding window. For each first-level behavior node, all its associated network flow units are traversed. Each network flow unit contains a timestamp range, namely the timestamp of its first data packet and the timestamp of its last data packet. However, for simplification, the start or end timestamp of the network flow unit can usually be used to represent the occurrence time of the flow. For each network flow unit, check which fixed-length time window unit its representative timestamp falls within. Then, add the network flow unit to a temporary subset under the corresponding time window index. Finally, for each first-level behavior node, a series of subsets are obtained, each subset corresponding to a time window index, and the subset contains all the network flow units active within that time window. Similarly, for each second-level behavior node, all its associated operation session units are traversed. Each operation session unit also has a start timestamp and an end timestamp. Based on its start timestamp or a representative timestamp, it is assigned to the corresponding time window unit, resulting in the subset of operation session units for that second-level behavior node within each time window unit.
[0050] Step S253: Count the frequency of the destination port field value of all network data packet units in the network flow unit subset of each first-level behavior node within each fixed-length time window unit, and generate the destination port frequency distribution vector of each first-level behavior node in each fixed-length time window unit. At the same time, count the frequency of the operation object path field value of all terminal operation record units in the operation session unit subset of each second-level behavior node within each fixed-length time window unit, and generate the operation object path frequency distribution vector of each second-level behavior node in each fixed-length time window unit.
[0051] Based on the subsets defined for each node in step S252 for each time window, specific frequency statistics are performed to transform the raw data into a vector form usable for mutual information calculation. For each first-level behavior node, for a given time window, the subset of network flow units within that window is obtained. This subset may contain 0, 1, or more network flow units. These network flow units are traversed, and each network flow unit contains multiple network packet units. For each network packet unit, its transport layer header is parsed and the value of the destination port field is extracted; packets that carry no transport-layer port (for example ICMP) are either skipped or assigned a reserved category. The port number is a 16-bit integer ranging from 0 to 65535. A dictionary or hash table is created, with the port number as the key and a counter as the value. Each time a packet unit is encountered, the counter of the key corresponding to its destination port number is incremented by one. After all packet units within the window have been processed, the dictionary records how many times the node used each destination port within this time window. This dictionary is then transformed into a vector. The dimension of the vector could be the total number of possible ports, but that would result in too high a dimensionality. A common approach is to count only ports that have appeared, or to map them to a predefined set of common port categories; in either case the same port-to-index mapping must be used for all windows and all nodes, otherwise the vectors of different windows are not comparable. The result is a non-negative integer vector, where each element corresponds to a port or port category and the element's value is the frequency of that port's occurrence. This vector is the destination port frequency distribution vector of the first-level behavior node within that time window. A similar process is performed for each second-level behavior node. For a given time window, the subset of the node's operation session units within that window is obtained.
These operation session units are traversed, each containing multiple terminal operation record units. For each terminal operation record unit, the string of its operation object path field is extracted. The number of operation object paths can be very large and highly specific. To perform effective statistics, the paths need to be categorized or hashed. For example, only the top-level directory of the path can be extracted, or it can be categorized based on file extensions, or the complete path string can be hashed and mapped to a fixed-size bucket. A dictionary is created, with keys representing the processed path category or hash bucket index, and values representing counters. Each time an operation record unit is encountered, the counter value of the corresponding key in the dictionary is incremented by 1 based on the categorization result of its operation object path. After completing the statistics, the dictionary is converted into a vector to obtain the frequency distribution vector of the operation object path of the second-level behavior node in the time window.
[0052] Step S254: Using all fixed-length time window units as the sample space, treat the destination port frequency distribution vector and the operation object path frequency distribution vector as two discrete random variables, and calculate the mutual information between the two discrete random variables.
[0053] For each pair of first-level and second-level behavior nodes whose correlation is to be calculated, the destination port frequency distribution vectors and the operation object path frequency distribution vectors obtained over all time windows are the input data. First, the joint probability distribution of the two random variables is constructed. Assume there are W time window units. For each time window w, the first-level node has a port distribution vector V_pw and the second-level node has a path distribution vector V_ow. To construct the joint distribution, the value spaces of ports and paths must be defined: port numbers or port categories form a discrete set P of size |P|, and operation object path categories form a discrete set O of size |O|. The joint probability distribution is a |P|-row, |O|-column matrix whose element p(i,j) in the i-th row and j-th column is the proportion, over all W windows, of joint occurrences of port value p_i together with path value o_j. The joint frequency is obtained by iterating over all windows w and combining, in each window, the frequency of p_i in V_pw with the frequency of o_j in V_ow: the two frequencies may be multiplied, or the smaller of the two may be taken as a co-occurrence indicator, or another co-occurrence measure may be used, and the per-window values are then summed. A single product is not by itself a joint frequency, because both events may occur several times within one window; the port distribution vector and the path distribution vector of a window are therefore treated as two multisets of events, and the joint count is the number of event pairs in which the given port and the given path are observed together. For example, if port 80 occurs 5 times and the path category /var/log occurs 3 times within a window, the joint event-pair count of port 80 and /var/log in that window is taken as 5 x 3 = 15. Summing these products over all windows yields the total joint count of p_i and o_j. Dividing this total by the sum over all windows of the per-window products (the window's port total multiplied by its path total, i.e. the total number of event pairs) yields the joint probability p(i,j); with this normalizer the p(i,j) sum to 1 over all pairs, which a normalizer formed from the grand port total multiplied by the grand path total over all windows does not guarantee. Once all (i,j) pairs are computed, the joint probability matrix is obtained. Summing each row then gives the marginal probability distribution of the port values, P_P, whose element p_P(i) is the sum of p(i,j) over all j; summing each column gives the marginal probability distribution of the path values, P_O, whose element p_O(j) is the sum of p(i,j) over all i. Finally, the mutual information is computed from its definition: for every pair (i,j) with p(i,j) > 0, compute p(i,j) * log2( p(i,j) / (p_P(i) * p_O(j)) ), and sum the results over all such pairs. The sum is the mutual information I(P; O). This value measures how much knowing the port distribution reduces the uncertainty about the path distribution, and vice versa. If the two are independent, the mutual information is 0; if they are perfectly correlated, it reaches its maximum, which is the smaller of the port entropy H(P) and the path entropy H(O).
[0054] Step S255: Use the calculated mutual information as the initial weight value of the associated edge between the first-layer behavior node and the second-layer behavior node. Normalize the initial weight values of all combinations of first-layer behavior nodes and second-layer behavior nodes by their maximum and minimum values. Use the normalized values as the final associated edge weights.
[0055] In step S254, a mutual information value is calculated for each pair of first-layer and second-layer behavior nodes. This value can theoretically be any non-negative real number, and its magnitude depends on the correlation between the two random variables. Directly using this raw value as the edge weight may lead to instability in subsequent graph neural network processing due to excessive differences in the mutual information value ranges of different node pairs. Therefore, normalization is required to map all edge weights to the same numerical range, such as between zero and one. Max-min normalization is a commonly used linear normalization method. First, it is necessary to determine the maximum value (Max) and minimum value (Min) of the calculated mutual information among all combinations of first-layer and second-layer behavior nodes. Then, for each pair of nodes, assuming their mutual information is I, normalization is calculated using the formula (I-Min) / (Max-Min). If Max equals Min, meaning all mutual information values are equal, then all normalized values can be defined as a preset constant, such as 0.5 or 1. After this transformation, all the original mutual information I is compressed into a closed interval between 0 and 1. The maximum value of the original mutual information is normalized to 1, the minimum value is normalized to 0, and the other values are linearly distributed between 0 and 1.
[0056] Step S256: In the dynamic behavior spatiotemporal graph, add a directed association edge from the first-layer behavior node to the second-layer behavior node between each pair of first-layer behavior nodes and second-layer behavior nodes, and use the final association edge weight as the attribute value of the directed association edge.
[0057] Following the preceding calculations, a normalized edge weight between zero and 1 has been obtained for each pair of first-layer and second-layer behavioral nodes. This weight quantifies the statistical correlation strength between network communication behavior, represented by the first-layer nodes, and terminal internal operational behavior, represented by the second-layer nodes. Now, this relationship needs to be practically represented in the data structure of the dynamic behavioral spatiotemporal graph. Dynamic behavioral spatiotemporal graphs are typically stored in a graph database or an in-memory graph data structure. Behavioral nodes already exist in this data structure. Next, for each pair of first-layer behavioral nodes u and second-layer behavioral nodes v, a directed edge is created in the graph, denoted as u pointing to v. The direction of the edge is fixed to point from the first-layer behavioral node to the second-layer behavioral node, implying an assumption of information flow or causal direction, namely that network communication activities may drive or correlate with internal operational activities. This newly created edge will be assigned one or more attributes, the most important of which is the weight, whose value is the numerical value calculated and normalized in step S255. In addition, other attributes can be added to the edge, such as the size of the time window used to calculate the weight, the original value of the mutual information calculation, etc., for reference in subsequent analysis.
[0058] Step S260: Establish temporal edges between first-layer behavior nodes according to the communication sequence between network flow units, establish temporal edges between second-layer behavior nodes according to the calling relationship between operation session units, and combine all first-layer behavior nodes, second-layer behavior nodes, associated edges and temporal edges to generate a dynamic behavior spatiotemporal graph.
[0059] The first-level behavior nodes represent Internet Protocol (IP) addresses. Communication between two different addresses is inherently sequential in time. For example, address A sends a synchronization (SYN) packet to address B to request a connection at time t1; subsequently, address B replies to A with a synchronization acknowledgment (SYN-ACK) packet at time t2. This back-and-forth interaction constitutes a temporal relationship between node A and node B. To construct temporal edges between first-level nodes, all network flow units are traversed, in particular the request and response flows belonging to the same Transmission Control Protocol (TCP) session. For a complete session, the request flow from the source address to the destination address and the response flow from the destination address back to the source address are contiguous in time. A directed edge can be established from the requester to the responder, spanning the interval from the timestamp of the last packet of the request flow to the timestamp of the first packet of the response flow; or, more finely, one edge per packet can be established to represent the fine-grained message interaction order. The result is a directed temporal graph between the first-level nodes based on communication order. The second-level behavior nodes represent operation session types, and calling relationships can also exist between different operation sessions. For example, a process performs a download operation belonging to the network download session type and then starts another process that performs an installation operation belonging to the software installation session type.
[0060] This call relationship is typically represented by the inheritance relationship of process identifiers or the order of timestamps in session records. When constructing the temporal edges between second-level nodes, it is necessary to analyze the process identifier to which each operation session unit belongs and the start and end times of the session. If one process identifier creates another process identifier, i.e., a child process, then a directed edge is established between the node representing the parent process's operation session type and the node representing the child process's operation session type, in chronological order, with the direction from the parent process to the child process, representing the initiation and derivation relationship of the operation. Simultaneously, even without a direct process creation relationship, if two different types of operation sessions occur consecutively in time and no other type of session is inserted between them, a weak temporal edge can be considered to represent the normal evolution path of the operation flow. After completing the addition of temporal edges between first-level nodes and second-level nodes, combined with all the previously constructed first-level and second-level behavioral nodes and the associated edges connecting them, a complete, multi-level, multi-relationship type dynamic behavioral spatiotemporal graph is formed.
[0061] Step S300: Input the dynamic behavior spatiotemporal graph into the pre-trained intrusion behavior prediction deep network to perform multi-level behavior pattern prediction, and obtain the intrusion probability distribution corresponding to each behavior node in the dynamic behavior spatiotemporal graph and the intrusion propagation path graph between behavior nodes.
[0062] In one implementation, step S300 may specifically include:
[0063] Step S310: Input the dynamic behavior spatiotemporal map into the initial state encoding layer of the intrusion behavior prediction deep network. The initial state encoding layer performs joint encoding on the set of network flow units and operation session units associated with each behavior node to generate the initial behavior state vector of each behavior node on the initial time section. The initial behavior state vector is used to characterize the behavior pattern basis of the behavior node at the start of the preset monitoring period.
[0064] The initial state encoding layer is the first layer of the deep network for intrusion behavior prediction. Its role is to transform the raw associated data of each node in the original dynamic spatiotemporal graph of behavior into a fixed-length, information-rich vector representation, namely the initial behavior state vector. This vector aims to capture the baseline behavior pattern of the node at the beginning of the monitoring period. For first-layer behavior nodes, the associated data is their set of network flow units, including multiple network flow units, each of which consists of multiple data packet units, containing rich features such as traffic fluctuation feature vectors and destination port distribution. For second-layer behavior nodes, the associated data is their set of operational session units, including multiple operational session units, each containing a behavior pattern feature matrix, operational object path distribution, etc. Joint encoding means that data from both network and operational modalities need to be processed simultaneously and fused into a unified vector. One implementation approach is to design different encoder subnetworks for first-layer and second-layer nodes. For example, for a first-layer node, its traffic fluctuation feature vector, along with other higher-order statistics extracted from the network flow unit set, such as total flow count, average flow duration, and primary peer addresses, are input into a multilayer perceptron. This perceptron contains multiple fully connected layers and nonlinear activation functions, and through layer-by-layer nonlinear transformations, outputs an intermediate vector for the first-layer node. 
For a second-layer node, its behavior pattern feature matrix, i.e., the transition probability matrix, is flattened into a one-dimensional vector, and then concatenated with statistical features extracted from all operation session units under that node, such as total number of sessions, average session length, and primary operation types, before being input into another multilayer perceptron to obtain the intermediate vector for the second-layer node. Since the intermediate vectors of the two layers may have different dimensions, a mapping layer is needed to map them into the same common vector space. Furthermore, to fuse network and operation information, for node pairs with strong correlation edges, a graph neural network can be used to allow the vectors of the first-layer and second-layer nodes to exchange information during the encoding process. Finally, each behavior node, whether in the first or second layer, obtains an initial behavior state vector with the same dimension.
[0065] Step S320: Input the initial behavior state vector of each behavior node and the initial behavior state vector of its first-order neighboring behavior nodes in the dynamic behavior spatiotemporal graph into the spatiotemporal propagation prediction layer. The spatiotemporal propagation prediction layer contains multiple cascaded prediction units. Each prediction unit calculates the intrusion propagation impact received by each behavior node from its neighboring behavior nodes at the current prediction time step based on the behavior state vector output by the previous prediction unit and the weights and temporal directions of the associated edges between behavior nodes. The intrusion propagation impact is then nonlinearly fused with the behavior node's own state retention to generate the updated behavior state vector of each behavior node at the current prediction time step.
[0066] In one implementation, step S320 may specifically include:
[0067] Step S321: Combine the updated behavior state vectors output by all behavior nodes in the dynamic behavior spatiotemporal graph at the previous prediction time step into the state matrix of the previous time step. At the same time, obtain the weight matrix of all associated edges and the directional adjacency matrix of all temporal edges in the dynamic behavior spatiotemporal graph. Each element in the directional adjacency matrix indicates whether there is a temporal edge pointing from row to column between the corresponding row behavior node and the corresponding column behavior node.
[0068] Assume there are N behavior nodes in the dynamic behavior spatiotemporal graph and that the state vector of each behavior node has dimension D. After prediction time step t-1, each node i has an updated behavior state vector, denoted h_i^{t-1}. Stacking these vectors in node-number order gives the N x D matrix H_{t-1}, the state matrix of the previous time step: each row corresponds to a node and each column to one dimension of the state vector. Next, the graph structure must be extracted and converted into matrix form for computation. Association edges exist between first-layer and second-layer nodes and carry weights; construct an N x N association weight matrix W_assoc whose element W_assoc[i][j] equals the weight of the association edge pointing from node i to node j, i.e. the normalized mutual information, and is 0 if no such edge exists. Since the edges are directed, this matrix is in general not symmetric. Temporal edges exist between nodes of the same layer and are directed; construct another N x N directional adjacency matrix A_temp, a Boolean or binary matrix whose element A_temp[i][j] is 1 if a temporal edge points from node i to node j (i is a predecessor of j) and 0 otherwise. Because temporal edges are directed, A_temp is also in general not symmetric.
[0069] Step S322: Calculate the first propagation influence received by each action node from all its associated neighbor action nodes based on the state matrix of the previous time step and the weight matrix of the associated edges. The first propagation influence is calculated as follows: For each action node, multiply the state vectors of all its associated neighbor action nodes in the previous time step by the corresponding associated edge weights and then sum them to obtain the first propagation influence vector of the action node.
[0070] First, transpose the association weight matrix W_assoc to obtain W_assoc^T; its element W_assoc^T[i][j] equals W_assoc[j][i], the weight of the association edge from node j to node i. Then compute the first propagation influence matrix P_assoc, of N rows and D columns, as P_assoc = W_assoc^T · H_{t-1}. In this matrix product the i-th row of P_assoc, i.e. the first propagation influence vector of node i, is the weighted sum of the rows of H_{t-1} with the i-th row of W_assoc^T as weights; the non-zero entries of that row correspond exactly to the association neighbors j pointing to node i. Concretely, for node i, iterate over all nodes j; whenever W_assoc^T[i][j] is non-zero, multiply the j-th row of H_{t-1} (the state vector of node j) by W_assoc^T[i][j], and sum all these weighted vectors to obtain the first propagation influence vector of node i.
[0071] Step S323: Calculate the second propagation influence received by each action node from all its temporal neighbor action nodes based on the state matrix and directional adjacency matrix of the previous time step. The second propagation influence is calculated as follows: For each action node, sum and average the state vectors of all its temporal neighbor action nodes pointing to the action node in the previous time step to obtain the second propagation influence vector of the action node.
[0072] Temporal neighbors are the nodes connected to the current node by temporal edges; here they are the nodes whose temporal edges point to the current node, i.e. its temporal predecessors. Unlike the association edges, the influence of temporal edges is computed by summing and averaging rather than by weighted summation, reflecting that temporal influence is transmitted equally from each predecessor, or that the strength of temporal relationships is treated as equal. This can also be implemented with matrix operations. In the directional adjacency matrix A_temp each row is a source node and each column a target node, so each row of A_temp^T lists all the predecessors pointing to the node of that row. Next, compute the number of predecessors of each node for the subsequent averaging: a degree vector deg_in whose element deg_in[i] is the number of non-zero elements in the i-th row of A_temp^T, i.e. the number of temporal predecessors pointing to node i. To avoid division by zero, deg_in[i] is set to 1 for nodes without predecessors, or such nodes are skipped in the subsequent processing. Then compute the second propagation influence matrix P_temp: first the unweighted sum S_temp = A_temp^T · H_{t-1}, whose i-th row is the sum of the state vectors of all temporal predecessors of node i; then average each row, dividing the i-th row of S_temp by deg_in[i] when deg_in[i] > 0 to obtain the second propagation influence vector of node i. If deg_in[i] is 0, the second propagation influence vector of node i can be set to the all-zero vector.
[0073] Step S324: Concatenate the first propagation influence vector and the second propagation influence vector of each behavior node to obtain the comprehensive propagation influence vector of the behavior node. Input the comprehensive propagation influence vector into the first nonlinear transformation layer. The comprehensive propagation influence vector is compressed and activated by the first nonlinear transformation layer to generate the standardized propagation influence vector of each behavior node.
[0074] The first nonlinear transformation layer is a small feedforward neural network whose function is to compress and refine the high-dimensional, potentially redundant comprehensive information into a more expressive standardized vector of the same dimension as the original state vector, i.e. D. The network can be designed as a fully connected layer with input dimension 2D and output dimension D, whose weight matrix and bias are learnable parameters. The fully connected layer applies a linear transformation to its input: the output equals the input multiplied by the weight matrix plus the bias. The linear transformation is followed by a nonlinear activation function such as the hyperbolic tangent or the rectified linear unit (ReLU); the activation function is what allows the network to learn complex nonlinear patterns. The comprehensive propagation influence vector C_i of node i is fed into this fully connected layer, linearly transformed and then nonlinearly mapped by the activation function; the resulting D-dimensional output is the standardized propagation influence vector of node i, denoted I_i.
[0075] Step S325: Obtain the updated behavior state vector output by each behavior node in the previous prediction time step as the self-state preservation basis of the behavior node, input the self-state preservation basis into the second nonlinear transformation layer, and perform forgetting gating on the self-state preservation basis through the second nonlinear transformation layer to generate the state preservation coefficient vector of each behavior node.
[0076] For each node i, its self-state preservation basis is its output at the previous prediction time step, h_i^(t-1), whose dimension is D. This D-dimensional vector is input into the second nonlinear transformation layer. The goal of this layer is to generate a vector with the same dimension D as h_i^(t-1), but with each element in the range zero to one, used to control the proportion of information retained in the corresponding dimension. Therefore, the structure of the second nonlinear transformation layer is typically a fully connected layer followed by a sigmoid activation function. The fully connected layer has an input dimension of D and an output dimension of D, and its parameters, namely weights and biases, are learnable. h_i^(t-1) undergoes the linear transformation of this fully connected layer, yielding a new D-dimensional vector, and each element of this new vector is then mapped by the sigmoid function. The sigmoid function compresses any real number into the open interval between zero and one, which makes it ideal as a gating signal. The resulting vector f_i is the state preservation coefficient vector of node i. Each of its elements lies between 0 and 1 and represents the proportion of node i's state information in the corresponding dimension that should be retained: 1 indicates complete retention, 0 indicates complete forgetting, and intermediate values indicate partial retention. In this way, the network can adaptively learn which historical state features of a node are important and need to be carried over during intrusion propagation, and which are outdated and should be replaced by new information.
[0077] Step S326: Perform element-wise multiplication of the standardized propagation influence vector of each behavior node with the corresponding state preservation coefficient vector to obtain the weighted propagation influence vector of the behavior node. Then, add the weighted propagation influence vector with its own state preservation basis element-wise and input the sum into the third nonlinear transformation layer for activation to generate the updated behavior state vector of each behavior node at the current prediction time step.
[0078] For node i, its standardized propagation influence vector I_i (dimension D) and its state preservation coefficient vector f_i (dimension D) are multiplied element-wise (the Hadamard product), giving G_i = I_i ⊙ f_i. G_i is the weighted propagation influence vector: the external information that, after filtering, truly contributes to the current state of the node. Then G_i is added element-wise to the node's own state preservation basis h_i^(t-1). This addition merges old and new information: h_i^(t-1) + G_i is a new D-dimensional vector that blends historical and externally input information, but it is still a linear combination. To introduce nonlinear expressive power and let the model learn more complex evolution patterns, this sum is input into the third nonlinear transformation layer, which is typically a fully connected layer with D input and D output dimensions followed by a nonlinear activation function such as the hyperbolic tangent or the rectified linear unit. The fully connected layer applies a linear transformation to the input vector, and the activation function then applies a nonlinear mapping. The final output vector is the updated behavior state vector h_i^t of node i at the current prediction time step t. h_i^t integrates the node's historical state and the propagation effects from its associated and temporal neighbors, refined through the nonlinear transformation, and serves as the input for the next prediction time step, where it continues to participate in the evolution.
[0079] Step S330: Arrange the updated behavior state vectors at all predicted time steps in chronological order to obtain the behavior state evolution trajectory matrix of each behavior node during the entire preset monitoring period. The rows of the behavior state evolution trajectory matrix correspond to the predicted time steps, and the columns correspond to the dimensions of the behavior state vectors.
[0080] After multiple cascaded prediction units, assuming a total of T prediction time steps processed by T corresponding units, a sequence of state vectors is obtained for each behavior node in the dynamic behavior spatiotemporal graph. Taking node i as an example, its initial state vector h_i^0 is obtained from step S310; h_i^1 is obtained after the first prediction unit, h_i^2 after the second prediction unit, and so on until h_i^T is obtained after the T-th prediction unit. These T+1 state vectors, the initial state and the T updated states, are arranged in chronological order of time steps: h_i^0 as the first row, h_i^1 as the second row, h_i^2 as the third row, and so on, up to h_i^T as row T+1, yielding a two-dimensional array. The number of rows of this array is the total number of prediction time steps, T+1, and the number of columns is the dimension D of the state vector. This two-dimensional array is the behavior state evolution trajectory matrix of node i. Each row of the matrix is a snapshot of the node's behavior state at one prediction time step, while each column shows the evolution trend of one feature dimension throughout the monitoring period. For all N nodes in the graph, N such evolution trajectory matrices are obtained. Together these matrices record the complete trajectory of the entire system's behavior, starting from the initial state and evolving over time under the influence of the simulated intrusion propagation.
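As an added worked example (not code from the patent), the following Python implements one prediction unit of steps S324 to S326 for a single node and stacks the outputs into the trajectory matrix of step S330. The weight matrices, biases, state dimension D = 2 and the input influence vectors are constructed values chosen for illustration; the hyperbolic tangent is used as the activation of the first and third layers and the sigmoid as the forgetting gate of the second layer, as the description permits.

```python
import math

# Constructed example: D = 2-dimensional node state, so the concatenated
# comprehensive propagation influence vector C_i is 2D = 4-dimensional.
D = 2


def dense(x, W, b):
    """Fully connected layer: output = x · W + b, with W of shape input_dim x output_dim."""
    return [sum(x[k] * W[k][j] for k in range(len(x))) + b[j] for j in range(len(b))]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


# Hypothetical learnable parameters, fixed here so the example is reproducible.
PARAMS = {
    "W1": [[0.5, -0.2], [0.1, 0.3], [-0.4, 0.2], [0.3, 0.1]], "b1": [0.0, 0.1],  # first layer: 2D -> D
    "W2": [[1.0, 0.0], [0.0, 1.0]], "b2": [0.0, 0.0],                           # second layer (forget gate): D -> D
    "W3": [[0.6, 0.1], [-0.1, 0.6]], "b3": [0.05, 0.0],                         # third layer: D -> D
}


def update_state(first_inf, second_inf, h_prev, p=PARAMS):
    """One prediction unit (steps S324-S326) for a single node.

    first_inf, second_inf: the first and second propagation influence vectors (D each)
    h_prev: the node's updated state h_i^(t-1) from the previous time step (D)
    Returns (h_t, f) so the caller can also inspect the state preservation coefficients.
    """
    c = first_inf + second_inf                                   # S324: concatenation -> C_i (2D)
    I = [math.tanh(v) for v in dense(c, p["W1"], p["b1"])]       # S324: compress + activate -> I_i
    f = [sigmoid(v) for v in dense(h_prev, p["W2"], p["b2"])]    # S325: forgetting gate -> f_i in (0, 1)
    G = [I[k] * f[k] for k in range(D)]                          # S326: Hadamard product -> G_i
    s = [G[k] + h_prev[k] for k in range(D)]                     # S326: add self-state preservation basis
    h_t = [math.tanh(v) for v in dense(s, p["W3"], p["b3"])]     # S326: third layer -> h_i^t
    return h_t, f


def trajectory_matrix(h0, influences):
    """Step S330: rows h_i^0 .. h_i^T (T+1 rows, D columns).

    influences: list of T (first_inf, second_inf) pairs, one per prediction time step.
    """
    rows = [list(h0)]
    h = list(h0)
    for first_inf, second_inf in influences:
        h, _ = update_state(first_inf, second_inf, h)
        rows.append(h)
    return rows


if __name__ == "__main__":
    # Constructed initial state and three time steps of influence vectors.
    h0 = [0.1, -0.2]
    infl = [([0.5, 0.1], [-0.3, 0.2]), ([0.9, 0.4], [0.2, -0.1]), ([0.0, 0.0], [0.1, 0.1])]
    for t, row in enumerate(trajectory_matrix(h0, infl)):
        print(t, [round(v, 4) for v in row])
```

Because every layer is a tanh or sigmoid, all state entries stay inside (-1, 1) and every gate entry inside (0, 1), which is what lets the gate be read directly as a retention proportion.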
[0081] Step S340: Input the behavior state evolution trajectory matrix into the intrusion intent parsing layer. The intrusion intent parsing layer performs global temporal pattern extraction on the behavior state evolution trajectory of each behavior node, identifies the mutation points, inflection points and periodic fluctuation patterns that appear in the behavior state vector during the evolution process, and matches the mutation points, inflection points and periodic fluctuation patterns with the preset intrusion behavior pattern template library to output the probability distribution of intrusion possibility at different time points within the preset monitoring period for each behavior node.
[0082] In one implementation, step S340 may specifically include:
[0083] Step S341: Perform a sliding window scan on the behavior state evolution trajectory matrix of each behavior node according to the time dimension. Extract a trajectory segment of fixed length at each sliding window position. Calculate the mean vector and standard deviation vector of the behavior state vector at all time points within the trajectory segment. Concatenate the mean vector and standard deviation vector to generate the local temporal statistical feature vector corresponding to the sliding window. Arrange all the local temporal statistical feature vectors corresponding to the sliding windows in chronological order to obtain the global temporal feature vector set for each behavior node.
[0084] For a given behavior node, its behavior state evolution trajectory matrix has T+1 rows (time steps) and D columns (feature dimensions). First, a fixed window length L is set, where L is a positive integer smaller than the total number of time steps, for example ten time steps. Then a sliding step size S is set, for example 1, to achieve dense scanning. The sliding window scan starts from the first row of the matrix, i.e., time step 0, and extracts rows 0 to L-1, giving a local submatrix of L rows and D columns; this is the first trajectory segment. Next, the window slides down by S steps and extracts rows S to S+L-1, giving the second trajectory segment. This is repeated until the window reaches the last row of the matrix. For each extracted trajectory segment, its local temporal statistical features are calculated. First, along the time dimension (the L rows), the mean of the behavior state vectors at all time steps within the segment is calculated: for each of the D feature dimensions, the arithmetic mean of the L values in that dimension is taken, giving a D-dimensional mean vector. Second, for each dimension, the standard deviation of the L values in that dimension is calculated; the standard deviation reflects the degree of fluctuation of that dimension within the local time window, giving a D-dimensional standard deviation vector. Then the mean vector and the standard deviation vector are concatenated into a 2D-dimensional vector. This vector is the local temporal statistical feature vector corresponding to the sliding window; it simultaneously captures the average behavior level and the behavior volatility within the local time window. Arranging the local temporal statistical feature vectors of all windows in the chronological order of window sliding yields the global temporal feature vector set of that behavior node. This set is essentially a new sequence whose length equals the number of window positions, where each element is a 2D-dimensional vector describing the statistical characteristics of the node's behavior within one local time window.
[0085] Step S342: Input the global temporal feature vector set of each behavior node into the mutation point detection function. The mutation point detection function calculates the difference value of adjacent vectors in the global temporal feature vector set, identifies all time points whose difference value magnitude exceeds the preset mutation threshold as candidate mutation points, performs time density-based clustering on the candidate mutation points, takes the center time point of the cluster as the final behavior state mutation point, and records the behavior state vector value corresponding to each behavior state mutation point as a mutation point state snapshot.
[0086] Mutation point detection aims to identify moments at which node behavior undergoes significant change. The input is the global temporal feature vector set obtained in step S341, written as the sequence F[1], F[2], ..., F[M], where M is the number of sliding windows and each F[k] is a 2D-dimensional local statistical feature vector. The mutation point detection function first calculates the difference between adjacent vectors in the sequence: for k∈[1,M-1], the difference vector D[k]=F[k+1]-F[k]. This difference vector reflects the amount and direction of change of the behavioral statistical features from one window to the next. Then the magnitude of each difference vector D[k] is calculated, i.e., the square root of the sum of the squares of its components, giving a non-negative real number diff_norm[k] that represents the overall intensity of the change. Next, a preset mutation threshold is set; this is an empirical value used to distinguish normal fluctuation from significant mutation. All diff_norm[k] are traversed, and for each k whose diff_norm[k] exceeds the preset mutation threshold, the corresponding time point (typically the center time of window k+1, or simply k used directly as a time index) is marked as a candidate mutation point. Since noise can produce isolated high difference values, using these candidate points directly as the final mutation points may not be accurate enough, so clustering is required. A time-density-based clustering algorithm such as DBSCAN is used. It requires two parameters, the neighborhood radius ε and the minimum number of neighborhood points minPts. Starting from any candidate point, if at least minPts other candidate points lie within its time neighborhood ε (for example within five windows before and after), these points form a core cluster, and all density-reachable points are added to this cluster. Isolated candidate points that cannot be clustered are treated as noise and removed. For each cluster formed, the average time point of all candidate points within the cluster is calculated as the center time point of the cluster, and this center time point is taken as the final behavior state mutation point.
[0087] Step S343: Input the global temporal feature vector set of each behavior node into the inflection point detection function. The inflection point detection function performs second-order difference operation on the global temporal feature vector set to identify all time points where the positive and negative signs of the second-order difference value change as candidate inflection points. Non-maximum suppression is performed on the candidate inflection points, and the maximum value point in the local range is retained as the final behavior state inflection point. The rate of change of the behavior state vector corresponding to each behavior state inflection point is recorded as the inflection point change intensity.
[0088] Inflection point detection focuses on turning points of the behavioral change trend, that is, points where the rate of change switches from increasing to decreasing or from decreasing to increasing. The input is again the global temporal feature vector set F[1] to F[M]. First, a first-order difference is applied to the sequence to obtain the rate-of-change sequence R[1] to R[M-1], where R[k] = F[k+1] - F[k]. R[k] is also a 2D-dimensional vector, representing the rate of change between window k and window k+1. Then the first-order difference sequence is differenced again to obtain the second-order difference sequence S[1] to S[M-2], where S[k] = R[k+1] - R[k]. The sign change of the second-order difference reflects whether the rate of change itself is increasing or decreasing. The key to inflection point detection is to identify sign changes of the second-order difference vector S[k]. Since S[k] is multi-dimensional, it has to be reduced to a scalar index: one approach is to compute the magnitude of S[k] and record its sign change, or to take a vote over the sign changes across dimensions; a more refined approach is to detect signs separately for each dimension of S[k]. For the time point k+1, which corresponds to the junction of R[k] and R[k+1], if the second-order difference value in at least one dimension changes from negative to positive or from positive to negative, the point is taken as a candidate inflection point, since it marks a reversal of the trend of the rate of change along that dimension. All window indices k+1 satisfying this condition are recorded as candidate inflection points. Because a trend change may be detected in several neighboring windows in succession, candidate inflection points may cluster together. To locate the point of most dramatic trend change precisely, non-maximum suppression (NMS), a local maximum search, is applied. For each candidate inflection point a local neighborhood is examined, for example all candidate inflection points within two windows before and after it, and the change intensity of each candidate is calculated, for example the magnitude of the first-order difference vector R at that point as the rate of change. Within the local neighborhood only the candidate with the largest magnitude is retained, and candidates with smaller magnitudes are suppressed. The points remaining after non-maximum suppression are the final behavior state inflection points. For each final inflection point, its inflection point change intensity, namely the magnitude of the first-order difference vector R at that point, is recorded; the larger this value, the more drastic the change in behavior at the inflection point.
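Steps S341 to S343 (sliding window statistics, mutation point detection and inflection point detection), as one added Python example that is not part of the patent. The trajectory matrix is a constructed 20-step series with a single jump; the window length, mutation threshold, neighborhood radius ε, minPts and the NMS radius are illustrative choices; and the time-density clustering is a simplified one-dimensional DBSCAN over sorted window indices rather than a general implementation.

```python
import math


def example_trajectory():
    """Constructed behavior state evolution trajectory matrix (T+1 = 20 rows,
    D = 2 columns): the state sits at 0 for ten time steps, then jumps to 1
    and stays there, i.e. a single abrupt change around time step 10."""
    return [[0.0, 0.0] if t < 10 else [1.0, 1.0] for t in range(20)]


def sliding_window_features(traj, L, S=1):
    """Step S341: for each window of L consecutive rows (stride S), concatenate
    the per-dimension mean vector and standard deviation vector (length 2D)."""
    n_rows, D = len(traj), len(traj[0])
    feats = []
    for start in range(0, n_rows - L + 1, S):
        seg = traj[start:start + L]
        mean = [sum(r[d] for r in seg) / L for d in range(D)]
        std = [math.sqrt(sum((r[d] - mean[d]) ** 2 for r in seg) / L) for d in range(D)]
        feats.append(mean + std)
    return feats


def diff(seq):
    """First-order difference of a sequence of vectors: seq[k+1] - seq[k]."""
    return [[a - b for a, b in zip(seq[k + 1], seq[k])] for k in range(len(seq) - 1)]


def norm(v):
    return math.sqrt(sum(x * x for x in v))


def mutation_points(feats, threshold, eps=2, min_pts=1):
    """Step S342: indices k with |F[k+1]-F[k]| > threshold are candidates; a
    1-D density clustering on the time axis (simplified DBSCAN: consecutive
    candidates at most eps apart share a cluster, a cluster needs a core point
    with >= min_pts other members within eps) yields cluster centres.
    Returns (centre index, feature vector at the centre as the state snapshot)."""
    d_norm = [norm(v) for v in diff(feats)]
    cand = [k for k, m in enumerate(d_norm) if m > threshold]   # k used directly as time index
    clusters = []
    for k in cand:
        if clusters and k - clusters[-1][-1] <= eps:
            clusters[-1].append(k)
        else:
            clusters.append([k])
    result = []
    for c in clusters:
        if any(sum(1 for o in c if o != k and abs(o - k) <= eps) >= min_pts for k in c):
            centre = round(sum(c) / len(c))
            result.append((centre, feats[centre]))
    return result


def inflection_points(feats, radius=2):
    """Step S343: R[k] = F[k+1]-F[k], S[k] = R[k+1]-R[k]; time point t is a
    candidate when some dimension of S changes sign between S[t-1] and S[t];
    non-maximum suppression on the intensity |R[t]| within +/- radius windows.
    Returns (time index, change intensity) pairs in chronological order."""
    R = diff(feats)
    S2 = diff(R)
    cand = [t for t in range(1, len(S2))
            if any(S2[t - 1][d] * S2[t][d] < 0 for d in range(len(S2[t])))]
    kept = []
    for t in sorted(cand, key=lambda t: (-norm(R[t]), t)):   # strongest first
        if all(abs(t - k) > radius for k, _ in kept):
            kept.append((t, norm(R[t])))
    return sorted(kept)


if __name__ == "__main__":
    F = sliding_window_features(example_trajectory(), L=3)
    print("mutation points:", [(c, [round(x, 3) for x in snap]) for c, snap in mutation_points(F, 0.5)])
    print("inflection points:", inflection_points(F, radius=1))
```

On the constructed series the three windows straddling the jump (starting at rows 7, 8 and 9) produce the only non-zero differences, so the candidates collapse into one cluster centred at window index 8, and the inflection candidates at 7 and 9 survive NMS only when the suppression radius is smaller than their distance.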
[0089] Step S344: Perform autocorrelation analysis on the behavior state evolution trajectory matrix of each behavior node, calculate the autocorrelation coefficient sequence of the time series of each dimension in the behavior state evolution trajectory matrix, perform peak detection on the autocorrelation coefficient sequence, extract the time delay value corresponding to all peak points whose peak height exceeds the preset peak threshold as candidate period length, perform cluster analysis on the candidate period length, take the candidate period length with the highest frequency as the main period of the behavior state of the behavior node, and calculate the periodic fluctuation intensity based on the peak height of the autocorrelation coefficient corresponding to the main period.
[0090] Autocorrelation analysis measures the similarity between a time series and a copy of itself shifted by different time lags. For a given dimension, let its time series be x[0], x[1], ..., x[T]. Its autocorrelation coefficient is calculated at each lag λ, where λ ranges from 0 to a maximum lag L_max, for example T/2. The autocorrelation coefficient is computed from the mean and variance of the sequence and is usually obtained as the correlation between the sequence shifted by λ and the original sequence. It lies in the range [-1, 1], and the closer its absolute value is to 1, the stronger the correlation. Calculating one coefficient per lag λ yields the autocorrelation coefficient sequence acf[0], acf[1], ..., acf[L_max] for that dimension; acf[0] is always 1, since the sequence is perfectly correlated with itself. Next, peak detection is performed on the autocorrelation coefficient sequence to find its local maxima. The lag λ of such a point indicates that the sequence is strongly correlated with itself after an interval of λ time steps, that is, there may be a regularity with period λ. Peak detection excludes the peak at acf[0]. For each detected peak, its lag λ and its peak height, i.e., the autocorrelation coefficient value, are recorded. A preset peak threshold is then applied and only peaks whose height exceeds it are retained; the lags λ of the retained peaks are the candidate period lengths. Since noise is present and different dimensions may have different periods, the candidate period lengths produced by all dimensions form a set. Cluster analysis is performed on this set, for example with K-means or mean shift clustering, to group similar λ values into one class. After clustering, the number of candidate period lengths in each cluster, i.e., its frequency, is counted. The cluster with the highest frequency is selected, and its cluster center, i.e., the average of the λ values within that cluster, is taken as the main period of the node's behavior. This main period represents the most significant recurring pattern in the node's behavior. Finally, the periodic fluctuation intensity is calculated from the peak height of the autocorrelation coefficient corresponding to the main period: either the average of the autocorrelation coefficients of all dimensions at that period length, or simply the average height of all peaks within the cluster containing that period. The larger this intensity value, the more significant the periodicity of the node's behavior.
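Step S344 carried through in Python, as an added example that is not part of the patent. The trajectory matrix is constructed (two dimensions repeating every four steps, one every six), the autocorrelation is the standard sample autocorrelation using the overall mean and variance, and the clustering of candidate period lengths is a simple one-dimensional grouping of lags within a tolerance of each other, standing in for the K-means or mean shift clustering the description mentions.

```python
def example_trajectory():
    """Constructed trajectory matrix with 24 time steps and D = 3 dimensions:
    dimensions 0 and 1 repeat every 4 steps (phase-shifted), dimension 2 every 6."""
    dim0 = [0, 1, 0, -1] * 6
    dim1 = [1, 0, -1, 0] * 6
    dim2 = [0, 1, 1, 0, -1, -1] * 4
    return [[dim0[t], dim1[t], dim2[t]] for t in range(24)]


def autocorrelation(x, max_lag):
    """acf[λ] for λ = 0..max_lag: covariance of x[t] with x[t+λ] around the
    series mean, normalised by the series variance, so acf[0] == 1."""
    n = len(x)
    mean = sum(x) / n
    var = sum((v - mean) ** 2 for v in x)
    if var == 0:                      # constant series: no lag carries information
        return [1.0] + [0.0] * max_lag
    return [sum((x[t] - mean) * (x[t + lag] - mean) for t in range(n - lag)) / var
            for lag in range(max_lag + 1)]


def acf_peaks(acf, threshold):
    """Local maxima of acf, excluding lag 0, whose height exceeds threshold."""
    return [(lag, acf[lag]) for lag in range(1, len(acf) - 1)
            if acf[lag] > acf[lag - 1] and acf[lag] >= acf[lag + 1] and acf[lag] > threshold]


def cluster_lags(cands, tol=1):
    """1-D clustering of candidate period lengths: sorted lags whose gap to the
    previous lag is <= tol share a cluster. Returns clusters of (lag, height)."""
    clusters = []
    for lag, h in sorted(cands):
        if clusters and lag - clusters[-1][-1][0] <= tol:
            clusters[-1].append((lag, h))
        else:
            clusters.append([(lag, h)])
    return clusters


def main_period(traj, max_lag, threshold, tol=1):
    """Pool the candidate period lengths of all D dimensions, cluster them, take
    the most frequent cluster (ties broken by mean peak height) and return
    (main period, periodic fluctuation intensity = mean peak height)."""
    cands = []
    for d in range(len(traj[0])):
        acf = autocorrelation([row[d] for row in traj], max_lag)
        cands.extend(acf_peaks(acf, threshold))
    clusters = cluster_lags(cands, tol)
    if not clusters:
        return None, 0.0
    best = max(clusters, key=lambda c: (len(c), sum(h for _, h in c) / len(c)))
    period = round(sum(lag for lag, _ in best) / len(best))
    intensity = sum(h for _, h in best) / len(best)
    return period, intensity


if __name__ == "__main__":
    print(main_period(example_trajectory(), max_lag=12, threshold=0.7))
```

With the peak threshold at 0.7, dimensions 0 and 1 each contribute a peak at lag 4 (height 10/12) and dimension 2 a peak at lag 6 (height 0.75); the lag-4 cluster wins on frequency, so the main period is 4 with intensity 10/12.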
[0091] Step S345: For each behavior node, the behavior state mutation point and its mutation point state snapshot, behavior state inflection point and its inflection point change intensity, behavior state main period and periodic fluctuation intensity are concatenated to generate a comprehensive temporal pattern feature vector for that behavior node. The comprehensive temporal pattern feature vector is input into a preset intrusion behavior pattern template library for template matching. Each template in the intrusion behavior pattern template library corresponds to an intrusion behavior type and stores the standard temporal pattern feature vector under that type.
[0092] After the mutation points, inflection points and periodic features have been extracted separately, these heterogeneous features need to be integrated into a unified representation for matching. For a behavior node, suppose P mutation points are detected in step S342, each with a mutation point state snapshot, i.e., a D-dimensional vector; Q inflection points are detected in step S343, each with an inflection point change intensity, i.e., a scalar; and step S344 yields a main period length and a periodic fluctuation intensity, both scalars. Since P and Q vary from node to node, these features cannot be concatenated directly into a fixed-length vector, so the mutation point and inflection point information is first aggregated. For example, all mutation point state snapshots can be averaged to obtain an average mutation state vector (D-dimensional) and the number of mutation points P can be used as a feature; all inflection point change intensities can be averaged to obtain an average inflection point intensity (a scalar) and the number of inflection points Q can be used as a feature. In this way, all information is integrated into a fixed-length comprehensive temporal pattern feature vector with the following components: average mutation state vector (D dimensions), number of mutation points (one dimension), average inflection point intensity (one dimension), number of inflection points (one dimension), main period length (one dimension) and periodic fluctuation intensity (one dimension). The total dimension of the comprehensive feature vector is therefore D+5. Next, this feature vector is input into the preset intrusion behavior pattern template library for matching. This template library is a structured database constructed as follows: first, a large number of known intrusion behavior samples are collected, each corresponding to a specific intrusion type, such as denial-of-service attack, privilege escalation or data leakage. For each sample, the same steps S100 to S340 are performed to extract its comprehensive temporal pattern feature vector, which serves as the standard template vector for that intrusion type. These standard template vectors are stored and associated with their intrusion type labels. Matching then consists of calculating the similarity between the comprehensive temporal pattern feature vector of the node under test and each standard template vector in the library.
[0093] Step S346: Calculate the cosine similarity between the comprehensive temporal pattern feature vector of each behavior node and each standard temporal pattern feature vector in the intrusion behavior pattern template library. Take the intrusion behavior types corresponding to the top few templates with the highest cosine similarity as the candidate intrusion types of the behavior node. Then, perform weighted fusion on the candidate intrusion types according to the cosine similarity to generate the intrusion probability distribution of each behavior node at different time points within the preset monitoring period. The probability value at each time point in the intrusion probability distribution is determined by the weight of the intrusion behavior type obtained by the sliding window matching to which the time point belongs.
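Steps S345 and S346 as an added Python example that is not part of the patent: the D+5 comprehensive feature vector is assembled from variable-count mutation and inflection features, then matched by cosine similarity against a template library and the top candidates are fused into a probability distribution. The template library, its three type names and all numeric values are constructed placeholders, not vectors learned from real intrusion samples, and the example produces the per-node type distribution; assigning the probabilities to individual time points via the window each belongs to is left to the caller.

```python
import math

D = 2  # dimension of the behavior state vector in this constructed example


def build_feature_vector(snapshots, inflection_intensities, main_period, period_intensity):
    """Step S345: aggregate variable-count features into a fixed D+5 vector:
    [average mutation state snapshot (D), P, average inflection intensity, Q,
     main period length, periodic fluctuation intensity].
    Empty inputs (P == 0 or Q == 0) contribute zeros rather than failing."""
    P, Q = len(snapshots), len(inflection_intensities)
    avg_snapshot = [sum(s[d] for s in snapshots) / P if P else 0.0 for d in range(D)]
    avg_inflection = sum(inflection_intensities) / Q if Q else 0.0
    return avg_snapshot + [float(P), avg_inflection, float(Q), float(main_period), period_intensity]


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = math.sqrt(sum(x * x for x in a)), math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


# Constructed template library: one standard temporal pattern feature vector per
# intrusion type (illustrative numbers only, D+5 = 7 components each).
TEMPLATE_LIBRARY = {
    "denial_of_service":    [0.9, 0.1, 6.0, 0.8, 4.0, 2.0, 0.7],
    "privilege_escalation": [0.2, 0.8, 2.0, 0.5, 3.0, 0.0, 0.1],
    "data_exfiltration":    [0.5, 0.5, 1.0, 0.2, 1.0, 12.0, 0.9],
}


def match_templates(feature, library=TEMPLATE_LIBRARY, top_k=2):
    """Step S346: rank intrusion types by cosine similarity, keep the top_k as
    candidate types and fuse them into a probability distribution weighted by
    similarity (negative similarities are clipped to zero before weighting).
    Returns (ranked list of (type, similarity), {type: probability})."""
    ranked = sorted(((t, cosine(feature, v)) for t, v in library.items()), key=lambda x: -x[1])
    cands = [(t, max(s, 0.0)) for t, s in ranked[:top_k]]
    total = sum(s for _, s in cands)
    dist = {t: (s / total if total else 1.0 / len(cands)) for t, s in cands}
    return ranked, dist


if __name__ == "__main__":
    # Constructed node features: two mutation snapshots, two inflection intensities,
    # main period 2 with fluctuation intensity 0.65.
    f = build_feature_vector([[0.8, 0.2], [1.0, 0.0]], [0.7, 0.9], 2, 0.65)
    ranked, dist = match_templates(f)
    print([round(x, 3) for x in f])
    print([(t, round(s, 3)) for t, s in ranked])
    print({t: round(p, 3) for t, p in dist.items()})
```

Cosine similarity is scale-invariant, so a node whose counts (P, Q) are larger than the template's but whose proportions match still scores highly; if absolute counts matter for a given deployment, the count components should be normalised before matching.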
[0094] Step S350: Based on the transmission relationship of the updated behavior state vectors of all behavior nodes between adjacent prediction time steps, construct a two-dimensional propagation tensor with the prediction time step as the horizontal axis and the behavior node as the vertical axis. Perform path tracing on the two-dimensional propagation tensor to extract the path trajectory of the intrusion probability propagating between behavior nodes along the time axis. Combine the path trajectories according to the propagation direction and propagation intensity to generate an intrusion propagation path map between behavior nodes in the dynamic behavior spatiotemporal graph.
[0095] First, a three-dimensional tensor is constructed whose dimensions are the number of prediction time steps, the number of nodes and the number of nodes. For each prediction time step t from 1 to T, consider the propagation from time step t-1 to t. In step S320, the updated vector h_i^t of node i at time step t is computed from the vector h_j^(t-1) of its neighbor node j at time step t-1, and the magnitude of that propagation impact can be regarded as the information flow from j to i. One approximation is to compute the sensitivity or dependence of h_i^t on h_j^(t-1), or the contribution weight of h_j^(t-1) to h_i^t, as the measure of information flow. Since the original impact quantities of correlation propagation and temporal propagation have already been computed in steps S322 and S323, those quantities themselves can serve as the measure. Therefore a two-dimensional matrix Flow_t of dimension N×N can be constructed, whose element Flow_t[j][i] represents the amount of influence propagated from node j to node i at time step t and may be a combination of the first and second propagation influences. The Flow_t matrices of all time steps, stacked in time order, form a three-dimensional propagation tensor of dimension T×N×N. Next, path tracing is performed on this tensor to discover the propagation paths of the intrusion probability between nodes along the time axis. Path tracing can start from nodes with a high intrusion probability and trace back to their information sources. For example, if at some time step t node i has a high intrusion probability (from step S346), the i-th column of Flow_t is examined to find the predecessor node j that contributes most to i, i.e., the j with the largest Flow_t[j][i]. Then, backtracking to time step t-1, the high-probability information sources of node j are examined in the same way, and so on, until the starting node of the intrusion is reached. In this way, one or more propagation paths can be constructed from each high-probability node. Each path consists of a series of nodes and the directed edges between them, with each edge carrying a propagation strength, i.e., a value from the Flow matrix. Finally, all traced paths are combined and deduplicated to obtain a subgraph, which is the intrusion propagation path graph between behavior nodes in the dynamic behavior spatiotemporal graph.
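Step S350 as an added Python example that is not part of the patent. The T×N×N propagation tensor is constructed by hand (a three-node chain with one weaker parallel flow) rather than derived from the propagation influences of steps S322 and S323, and the backtracking stops when no inflow to the current node exceeds a minimum flow, which is how this example identifies the starting node.

```python
N, T = 3, 3  # constructed: three behavior nodes, three prediction time steps


def example_flow_tensor():
    """Constructed T x N x N propagation tensor: flow[t-1][j][i] is the influence
    propagated from node j to node i at time step t (stand-in for the combined
    first and second propagation influences). The constructed chain is 0 -> 1
    at t=1, 1 -> 2 at t=2 and 2 -> 1 at t=3, plus a weaker 0 -> 2 flow at t=2."""
    flow = [[[0.0] * N for _ in range(N)] for _ in range(T)]
    flow[0][0][1] = 0.7
    flow[1][1][2] = 0.8
    flow[1][0][2] = 0.2
    flow[2][2][1] = 0.9
    return flow


def trace_back(flow, t, node, min_flow=0.0):
    """Path tracing from a high-probability node at time step t: repeatedly pick
    the predecessor j with the largest flow[t-1][j][node], move to (t-1, j),
    and stop when no inflow exceeds min_flow (the starting node) or t reaches 0.
    Returns edges (t, j, i, strength) in chronological order."""
    edges = []
    while t >= 1:
        column = [flow[t - 1][j][node] for j in range(len(flow[t - 1]))]
        j = max(range(len(column)), key=lambda k: column[k])
        if column[j] <= min_flow:
            break
        edges.append((t, j, node, column[j]))
        node, t = j, t - 1
    return edges[::-1]


def propagation_path_graph(flow, seeds, min_flow=0.0):
    """Combine and deduplicate the paths traced from every seed (t, node):
    the result maps each directed edge (t, j, i) to its propagation strength."""
    graph = {}
    for t, node in seeds:
        for t_e, j, i, strength in trace_back(flow, t, node, min_flow):
            graph[(t_e, j, i)] = strength
    return graph


if __name__ == "__main__":
    flow = example_flow_tensor()
    print("path to node 1 at t=3:", trace_back(flow, 3, 1))
    print("merged graph:", propagation_path_graph(flow, [(3, 1), (2, 2)]))
```

Following only the single strongest predecessor gives one path per seed; keeping every predecessor above min_flow instead (a branching search) would recover the weaker 0 -> 2 flow at t=2 as an alternative origin, at the cost of more paths to deduplicate.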
[0096] Step S400: Reconstruct the intrusion behavior sequence based on the intrusion probability distribution and intrusion propagation path map, and generate multiple candidate intrusion behavior sequences of the smart terminal to be identified within a preset monitoring period, as well as a credibility score for each candidate intrusion behavior sequence.
[0097] In one implementation, step S400 may specifically include:
[0098] Step S410: Extract all behavioral nodes and their corresponding intrusion probability distributions from the intrusion propagation path graph, and mark all behavioral nodes whose maximum probability value in the intrusion probability distribution exceeds a preset probability threshold as candidate intrusion behavioral nodes.
[0099] Each behavior node in the dynamic behavior spatiotemporal graph is accompanied by the intrusion probability distribution generated in step S346, which gives the probability that the node belongs to the different intrusion types at the various time points within the monitoring period. For each node, its entire probability distribution is first examined and its maximum value is found; this is the highest probability, over the whole period, that the node belongs to some intrusion type, denoted P_max. Then a preset probability threshold is set. This threshold is an empirical parameter used to distinguish normal behavior from suspicious intrusion behavior. All nodes whose P_max is greater than or equal to the preset probability threshold are selected. These nodes are considered to have significant intrusion suspicion, because the model is highly certain, at least at some time point, that they are experiencing an intrusion. The selected nodes are the candidate intrusion behavior nodes and constitute the seed nodes for the subsequent intrusion sequence reconstruction. Nodes whose P_max stays below the threshold are considered to have behaved normally in this analysis and do not participate in the subsequent sequence construction. This screening effectively reduces the complexity of the subsequent analysis, allowing attention to be focused on the most suspicious activities.
[0100] Step S420: Perform time-density-based clustering on the distribution of candidate intrusion behavior nodes on the time axis, and cluster candidate intrusion behavior nodes that are continuous in time and whose temporal evolution embedding similarity between behavior nodes exceeds a preset similarity threshold into the same candidate intrusion event segment.
[0101] The candidate intrusion behavior nodes selected in step S410 may come from different locations in the graph and be distributed at different time points. To initially group these discrete nodes into sets that may belong to the same attack event, cluster analysis is required. This clustering considers two factors: the temporal proximity of nodes and the similarity of node behavioral states. Temporal proximity refers to the closeness of the nodes' active times. Behavioral state similarity is measured using the node's temporal evolution embedding, which can be the updated behavior state vector of the node at a key time step generated in step S320, or the average of the global temporal feature vector set generated in step S341. For every pair of candidate intrusion behavior nodes, the difference between their active times and the similarity between their temporal evolution embedding vectors, such as the cosine similarity, are calculated. Only when the time difference is less than a preset time window threshold and the vector similarity is greater than a preset similarity threshold are the two nodes considered likely to belong to the same event segment. A density-based clustering algorithm such as DBSCAN is then used: nodes are treated as sample points, the distance between them is computed from a combination of the time difference and the feature similarity, and nodes meeting the density-connected condition are grouped into a single cluster. The clustering result is several clusters, where the nodes within each cluster are temporally continuous and exhibit similar behavioral patterns. Each such cluster constitutes a candidate intrusion event segment. A candidate intrusion event segment represents a series of suspicious activities that may have been initiated by the same attacker and are temporally and behaviorally related.
[0102] Step S430: Sort the candidate intrusion behavior nodes in each candidate intrusion event segment in chronological order to generate an initial intrusion behavior node sequence, and use the temporal evolution embedding of each node as that node's feature vector.
[0103] After clustering candidate intrusion behavior nodes into multiple event segments, the nodes within each segment need to be sorted to form an ordered sequence. For each candidate intrusion event segment, a list of all candidate intrusion behavior nodes within that segment is obtained. Then, based on the most representative timestamp associated with each node, such as the time point when it first appears with a high probability in the intrusion propagation path graph, or the time index of a key prediction time step in step S320, these nodes are sorted in ascending order of timestamp. After sorting, an ordered list of nodes is obtained, which is the initial sequence of intrusion behavior nodes for that event segment. This sequence reflects the approximate chronological order of candidate intrusion behaviors on the timeline, but it may not be complete or continuous due to possible missing nodes. To preserve the rich information of each node, its feature vector is associated with each node in the sequence, i.e., the temporal evolution embedding of that node, which has already been used in step S420, is adopted.
[0104] Step S440: Input the initial intrusion behavior node sequence into the sequence reconstruction network. The sequence reconstruction network includes an encoder and a decoder. The encoder encodes the initial sequence into a latent space vector, and the decoder generates a complete intrusion behavior node sequence step by step based on the latent space vector. The complete intrusion behavior node sequence includes the intermediate nodes that are missing in the initial sequence.
[0105] In one implementation, step S440 may specifically include:
[0106] Step S441: Arrange the temporal evolution embeddings of each node in the initial intrusion behavior node sequence in order to generate the initial node embedding sequence. The length of the initial node embedding sequence may be less than the expected length of the complete sequence.
[0107] Step S442: Input the initial node embedding sequence into the recurrent neural network layer of the encoder. The recurrent neural network layer processes the embedding of each node step by step and updates its hidden state; the final hidden state, which serves as the context vector of the entire sequence, is taken as the latent space vector.
[0108] Step S443: Input the latent space vector into the recurrent neural network layer of the decoder as the initial hidden state of the decoder. The decoder generates an output vector at each time step and uses the output vector of the previous time step as the input of the current time step.
[0109] Step S444: At each time step, the similarity between the vector output by the decoder and each node embedding in the preset node embedding dictionary is calculated. The node with the highest similarity is selected as the generated node for the current time step, and the embedding of that node is used as the input for the next time step.
[0110] The decoder generates an output vector o_t at each time step t. This is a continuous vector representing the characteristics of an ideal node at that time step. What is ultimately needed, however, is a discrete node identifier that can be looked up in the intrusion propagation path graph. Therefore, a pre-defined node embedding dictionary is maintained. This dictionary is a lookup table containing the identifiers of all possible behavior nodes in the dynamic behavior spatiotemporal graph and their corresponding embedding vectors. These embedding vectors can be the initial behavioral state vectors generated in step S310 or the updated vectors at a key time step in step S320; they are pre-calculated and stored. At each generation time step t, the similarity between the decoder's output vector o_t and the embedding vector of each node in the dictionary is calculated, typically using the dot product or cosine similarity. Each similarity value is a real number representing the degree to which o_t matches that node embedding. The node with the highest similarity in the dictionary, say node v, is then selected as the generated node for the current time step; node v is the node that the decoder predicts should appear at the current sequence position. To proceed to the next generation step, the embedding vector of node v, denoted v_embed, is retrieved from the dictionary and used as the input to the decoder at the next time step.
[0111] Step S445: Repeat the decoding process until the generated node is a termination symbol or the preset maximum sequence length is reached. Arrange all the nodes generated by the decoder in chronological order to obtain a complete sequence of intrusion behavior nodes.
[0112] Step S446: After processing the complete sequence of intrusion behavior nodes, replace the nodes that are inconsistent with the corresponding nodes in the initial sequence of intrusion behavior nodes with the initial nodes, ensuring that the position of the initial nodes remains unchanged in the final sequence.
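The decoding loop of steps S441 to S446, as an added illustration that is not the patent's code. The encoder and decoder are a one-layer tanh RNN whose weights are hand-set rather than trained (an assumption made so that the walk is deterministic and can be followed by hand): the input projection maps each node's embedding to the embedding of the node that typically follows it. The node names, the embedding dictionary, the <START> and <END> symbols and the interpretation of the S446 restoration rule are all assumptions.

```python
"""Greedy decoding of a complete intrusion node sequence (steps S441-S446).

Added illustration, not the patent's code. Weights are hand-set (assumption)
so that decoding is deterministic; in practice they come from training.
"""
import math

NODES = ["<START>", "scan", "exploit", "privesc", "exfil", "<END>"]
DIM = len(NODES)
# Node embedding dictionary (step S444): one-hot vectors stand in for the
# behavioural state vectors of steps S310/S320.
NODE_EMBED = {n: [1.0 if i == j else 0.0 for j in range(DIM)] for i, n in enumerate(NODES)}

# Hand-set weights (assumption): W_X sends node i to node i+1 and <END> to
# itself; W_H carries a small part of the previous hidden state forward.
NEXT = {0: 1, 1: 2, 2: 3, 3: 4, 4: 5, 5: 5}
W_X = [[3.0 if NEXT[j] == i else 0.0 for j in range(DIM)] for i in range(DIM)]
W_H = [[0.2 if i == j else 0.0 for j in range(DIM)] for i in range(DIM)]
MAX_LEN = 8  # preset maximum sequence length (assumed)


def matvec(m, v):
    return [sum(m[i][j] * v[j] for j in range(len(v))) for i in range(len(m))]


def rnn_cell(h_prev, x):
    """h_t = tanh(W_H h_{t-1} + W_X x_t); the decoder output o_t is h_t."""
    return [math.tanh(a + b) for a, b in zip(matvec(W_H, h_prev), matvec(W_X, x))]


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def nearest_node(vec, dictionary=NODE_EMBED):
    """Step S444: project a continuous output vector onto the closest dictionary entry."""
    return max(dictionary, key=lambda n: cosine(vec, dictionary[n]))


def encode(initial_seq):
    """Step S442: run the initial node embedding sequence through the encoder."""
    h = [0.0] * DIM
    for node in initial_seq:
        h = rnn_cell(h, NODE_EMBED[node])
    return h  # latent space vector


def decode(latent, max_len=MAX_LEN):
    """Steps S443-S445: greedy decoding; the chosen node's embedding is fed
    back as the next input, stopping at <END> or at the length cap."""
    h, x, out = latent, NODE_EMBED["<START>"], []
    for _ in range(max_len):
        h = rnn_cell(h, x)
        node = nearest_node(h)
        if node == "<END>":
            break
        out.append(node)
        x = NODE_EMBED[node]
    return out


def restore_initial_nodes(complete, initial):
    """Step S446 (one interpretation): every initial node keeps its relative
    order; where the decoder emitted something else at the slot where the
    next initial node was expected, that slot is overwritten."""
    result, pos = list(complete), 0
    for node in initial:
        try:
            idx = result.index(node, pos)
        except ValueError:
            if pos < len(result):
                result[pos] = node
            else:
                result.append(node)
            idx = pos
        pos = idx + 1
    return result


def reconstruct(initial_seq):
    return restore_initial_nodes(decode(encode(initial_seq)), initial_seq)


if __name__ == "__main__":
    print(reconstruct(["scan", "privesc", "exfil"]))
```

Given the gapped initial sequence scan, privesc, exfil, the decoder walks the chain scan, exploit, privesc, exfil and stops at <END>, so the missing exploit step is filled in. The restoration pass matters when the decoder drifts: if it emitted an unrelated node where an initial node was expected, that observed node is put back, because observed evidence outranks a generated guess.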
[0113] Step S450: Perform intent-oriented analysis on each node in the complete intrusion behavior node sequence, and aggregate the features of the neighboring nodes around the node in the intrusion propagation path graph through a graph convolutional network to generate an intent-oriented label for each node.
[0114] In one implementation, step S450 may specifically include:
[0115] Step S451: Extract the set of neighboring nodes for each behavior node from the intrusion propagation path graph. The set of neighboring nodes includes all nodes that are directly connected to the node by a directed edge in the intrusion propagation path graph.
[0116] The intrusion propagation path graph is the directed graph generated in step S350. For each behavior node in the graph, its neighborhood structure needs to be defined. The set of neighboring nodes consists of all nodes that have a direct connection to that node. Since the graph is directed, it is usually necessary to distinguish between incoming and outgoing neighbors: an incoming neighbor is a node from which an edge points to the current node, and an outgoing neighbor is a node to which an edge from the current node points. When aggregating features, incoming and outgoing neighbors can be considered together or processed separately. For each node in the complete sequence of intrusion behavior nodes, a list of identifiers of all its incoming and outgoing neighbor nodes can be obtained quickly by querying the edge information of the intrusion propagation path graph. The features of these neighboring nodes are aggregated onto the current node in the subsequent graph convolution operations, providing the current node with its propagation context.
[0117] Step S452: Embed the temporal evolution of each node in the complete intrusion behavior node sequence as the initial feature vector of that node. For each node in the sequence, obtain the initial feature vectors of all neighboring nodes from its set of neighboring nodes.
[0118] For each node in the complete intrusion behavior node sequence, its temporal evolution embedding used in step S430 is used as its initial feature vector input to the graph convolutional network. This feature vector already contains the node's own behavioral evolution information. Next, for the currently processed node, based on its neighbor node set obtained in step S451, each neighbor node in the set is traversed, and the initial feature vectors corresponding to these neighbor nodes are retrieved from the data storage. These neighbor node feature vectors, together with the current node's feature vector, are used as input to the graph convolution operation. If some neighbor nodes are not in the complete intrusion behavior node sequence but exist in the intrusion propagation path graph, their feature vectors also need to be extracted, as they may provide important context.
[0119] Step S453: The first layer of the graph convolutional network performs an aggregation operation on the feature vector of the current node and the feature vectors of its neighboring nodes. The aggregation operation includes average pooling of the feature vectors of the neighboring nodes, concatenating the average pooling result with the feature vector of the current node, and then performing linear transformation and nonlinear activation to obtain the first layer aggregated features of the current node.
[0120] Step S454: Repeat the multi-layer graph convolution operation, aggregating the features of neighboring nodes of the previous layer in each layer to obtain the multi-layer aggregated features of the current node.
[0121] Step S455: Input the multi-layer aggregated features of the current node into the fully connected layer, and output the probability distribution of the node belonging to multiple preset intent-pointing categories through the softmax function.
[0122] Step S456: Select the intent pointing category with the highest probability from the probability distribution as the intent pointing label of the current node, and record the confidence score corresponding to the label.
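Steps S451 to S456 carried through on a small graph, as an added example that is not the patent's code. The layer weights are hand-set (an assumption) so the arithmetic can be checked by hand: each layer computes ReLU(W [h_self ; mean(h_neighbours)]) with W = [I | 0.5 I], and the final fully connected layer is the identity followed by softmax. The graph, the node features and the category names are constructed.

```python
"""Intent-label inference with a two-layer graph convolution (steps S451-S456).

Added illustration, not the patent's code. Weights are hand-set (assumption);
a real deployment learns W_LAYER and W_FC from labelled sequences.
"""
import math

CATEGORIES = ["scanning", "exploitation", "data transmission"]
DIM = len(CATEGORIES)

# Constructed intrusion propagation path graph (directed edges src -> dst).
EDGES = [("A", "B"), ("B", "C"), ("B", "D")]
# Constructed temporal-evolution embeddings used as initial features (S452).
FEATURES = {
    "A": [1.0, 0.0, 0.0],
    "B": [0.0, 1.0, 0.0],
    "C": [0.0, 0.0, 1.0],
    "D": [0.0, 0.0, 1.0],
}
# Linear map over the concatenation [self | pooled neighbours]: W = [I | 0.5 I].
W_LAYER = [[1.0 if i == j else 0.0 for j in range(DIM)] +
           [0.5 if i == j else 0.0 for j in range(DIM)] for i in range(DIM)]
W_FC = [[1.0 if i == j else 0.0 for j in range(DIM)] for i in range(DIM)]


def neighbours(node, edges):
    """Step S451: incoming and outgoing neighbours, returned separately."""
    incoming = sorted({s for s, d in edges if d == node})
    outgoing = sorted({d for s, d in edges if s == node})
    return incoming, outgoing


def mean_pool(vectors):
    if not vectors:
        return [0.0] * DIM  # isolated node: no neighbour context
    return [sum(v[i] for v in vectors) / len(vectors) for i in range(DIM)]


def matvec(m, v):
    return [sum(m[i][j] * v[j] for j in range(len(v))) for i in range(len(m))]


def gcn_layer(h, edges):
    """Step S453: pool neighbours, concatenate with self, linear map, ReLU."""
    out = {}
    for node, feat in h.items():
        inc, outg = neighbours(node, edges)
        pooled = mean_pool([h[n] for n in inc + outg])
        z = matvec(W_LAYER, feat + pooled)
        out[node] = [max(0.0, x) for x in z]
    return out


def softmax(z):
    m = max(z)
    e = [math.exp(x - m) for x in z]
    s = sum(e)
    return [x / s for x in e]


def intent_labels(features, edges, layers=2):
    """Steps S454-S456: stack layers, classify, take the argmax and its confidence."""
    h = {n: list(f) for n, f in features.items()}
    for _ in range(layers):
        h = gcn_layer(h, edges)
    result = {}
    for node, vec in h.items():
        probs = softmax(matvec(W_FC, vec))
        best = max(range(DIM), key=lambda i: probs[i])
        result[node] = (CATEGORIES[best], probs[best])
    return result


if __name__ == "__main__":
    for node, (label, conf) in intent_labels(FEATURES, EDGES).items():
        print(node, label, round(conf, 3))
```

With these weights, node A keeps its scanning label only narrowly after two layers (1.083 against 1.0 for exploitation), which is the practical point of step S456's confidence score: a label whose probability barely exceeds the runner-up should carry less weight when the sequence is scored later.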
[0123] Step S460: Combine the complete sequence of intrusion behavior nodes and their corresponding intent pointing labels to generate a candidate intrusion behavior sequence, and calculate the credibility score of the candidate intrusion behavior sequence based on the intrusion probability of each node in the candidate intrusion behavior sequence and the consistency of the intent pointing labels.
[0124] After completing the sequence completion and node intent analysis, all information can be integrated into the final candidate intrusion behavior sequence. For a complete intrusion behavior node sequence with nodes v1, v2, ..., vL, each node vi already has two key attributes. The first is the intrusion probability of the node at a key time point obtained from step S346, denoted p_inv(vi), which reflects the likelihood that the node itself is malicious. The second is the intent label of the node obtained from step S456, denoted label(vi), together with its confidence score conf(vi). A candidate intrusion behavior sequence is an ordered list of these nodes and their attributes. An overall credibility score is then calculated for the sequence to measure the probability that it represents a real intrusion process. The score can combine several factors. For example, the average intrusion probability of all nodes in the sequence can be calculated. It can also be considered whether the transitions of intent labels between adjacent nodes conform to common attack chain patterns, such as scanning usually being followed by exploitation and exploitation usually being followed by privilege escalation; this consistency can be evaluated with a predefined attack stage transition matrix. The confidence score of each node's intent label can also be used as a weight in a weighted average of the node probabilities. The final credibility score can be a value that combines the average node probability, the coherence score of the intent label sequence, and the weighted confidence score. The higher the score, the more credible the sequence.
[0125] Step S500: Based on the credibility score, select the target intrusion behavior sequence from multiple candidate intrusion behavior sequences, and generate an intrusion behavior identification result response instruction containing the terminal identifier and the intrusion time period according to the target intrusion behavior sequence.
[0126] As one implementation method, step S500 may specifically include:
[0127] Step S510: Obtain all candidate intrusion behavior sequences and their corresponding credibility scores, sort the credibility scores in descending order, and generate a credibility score descending sequence list.
[0128] Step S520: Select the top-ranked preset number of candidate intrusion behavior sequences from the credibility score descending sequence list as the target candidate sequence set.
[0129] Step S530: Perform integrity verification on each candidate intrusion behavior sequence in the target candidate sequence set. Integrity verification includes checking whether the sequence contains a start node and an end node, and whether the time span of the sequence covers the complete intrusion lifecycle.
[0130] As one implementation method, step S530 may specifically include:
[0131] Step S531: Obtain a list of all behavior node identifiers marked as starting nodes and a list of all behavior node identifiers marked as ending nodes from the intrusion propagation path graph.
[0132] When constructing the intrusion propagation path map or defining node intents, certain types of nodes have already been assigned special roles. For example, in the intent pointing label in step S456, nodes of the scanning and probing types can be pre-defined as starting nodes, and nodes of the data transmission and persistence types can be pre-defined as ending nodes. During the system initialization phase, two lists are established: a starting node identifier list and an ending node identifier list. These two lists store the node identifiers corresponding to all node types that may serve as the starting point of an intrusion, and the node identifiers corresponding to all node types that may serve as the ending point of an intrusion, respectively. During sequence verification, these two lists need to be queried to determine whether the nodes in the sequence meet the starting and ending role requirements.
[0133] Step S532: For each candidate intrusion behavior sequence in the target candidate sequence set, extract the identifier of the first behavior node and the identifier of the last behavior node in the sequence.
[0134] For a candidate sequence in the target candidate sequence set, assume its node order is v1, v2, ..., vL. Here, v1 is the earliest node in the sequence, and vL is the latest node. Extract the node identifier of v1, which could be, for example, IP address A or process B, and the node identifier of vL. These two identifiers will be used to compare with the list obtained in step S531.
[0135] Step S533: Determine whether the identifier of the first behavior node exists in the starting node identifier list. If it exists, mark the starting node as valid; otherwise, mark it as invalid.
[0136] The identifier of the first behavior node v1 extracted in step S532 is matched against the list of starting node identifiers. If an identifier identical to v1 is found in the list of starting node identifiers, it means that v1 belongs to the preset intrusion initiation type, and therefore the starting node verification passes. If no identifier is found, it means that the sequence does not start from a typical intrusion initiation step, and the early stage of the attack may be missing, therefore the starting node verification fails.
[0137] Step S534: Determine whether the identifier of the last behavior node exists in the termination node identifier list. If it exists, mark the termination node as valid; otherwise, mark it as invalid.
[0138] Similarly, the identifier of the last action node vL is matched against the list of termination node identifiers. If an identifier matching vL is found in the list of termination node identifiers, it means that vL belongs to the preset intrusion termination type, and therefore the termination node verification passes. If not found, it means that the last node of the sequence is not a typical intrusion termination step, the sequence may have been truncated or the intrusion may not have been completed, and therefore the termination node verification fails.
[0139] Step S535: Calculate the time difference between the timestamp of the last behavior node and the timestamp of the first behavior node in the candidate intrusion behavior sequence. Compare the time difference with the preset minimum intrusion duration threshold. If the time difference is greater than or equal to the minimum intrusion duration threshold, mark the time span verification as passed; otherwise, mark it as failed.
[0140] Step S536: When the start node verification, end node verification, and time span verification all pass, the candidate intrusion behavior sequence is determined to have passed the integrity verification.
[0141] For a candidate intrusion behavior sequence, the sequence is only considered to have passed the integrity check if the start node check in step S533, the end node check in step S534, and the time span check in step S535 are all marked as passed. If any one of the checks fails, the sequence is considered structurally incomplete and unsuitable as the final output.
[0142] Step S540: Remove the candidate intrusion behavior sequences that fail the integrity check from the target candidate sequence set, and select the candidate intrusion behavior sequence with the highest confidence score from the remaining sequences as the final target intrusion behavior sequence.
[0143] Step S550: Analyze the target intrusion behavior sequence, extract the timestamp of the first behavior node in the sequence as the intrusion start time, and the timestamp of the last behavior node as the intrusion end time. Combine the intrusion start time and the intrusion end time to generate the intrusion time period.
[0144] Once the final target intrusion sequence is determined, key spatiotemporal information needs to be extracted, i.e., the time period during which the intrusion occurred. For this sequence, the first action node v1 corresponds to the initial action of the entire attack chain, such as the first scan of external addresses. The timestamp of v1 is obtained, and this timestamp is defined as the intrusion start time. The last action node vL corresponds to the final action of the attack chain, such as the outward transmission of sensitive internal data. The timestamp of vL is obtained, and this timestamp is defined as the intrusion end time. Combining these two timestamps yields a time interval, i.e., the intrusion time period. This time period precisely characterizes the entire duration of the intrusion activity from initiation to completion.
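Steps S460 and S510 to S550 run end to end, as an added example that is not the patent's code. A candidate sequence is a list of node records carrying the attributes the text names (p_inv from S346, label and conf from S456, and a timestamp); the score averages the mean node probability, the transition-matrix coherence of adjacent labels, and the confidence-weighted probability. The attack-stage transition matrix, the start and end role lists, the thresholds and the two candidate sequences are all constructed. The example is built so that the highest-scoring candidate is not the one selected, which is the point of the integrity check in S530.

```python
"""Credibility scoring (S460) and target-sequence selection (S510-S550).

Added illustration, not the patent's code. Transition matrix, role lists,
thresholds and sample sequences are constructed.
"""

# Predefined attack-stage transition matrix (assumption): how plausible it
# is that the row stage is directly followed by the column stage.
TRANSITION = {
    "scanning":             {"exploitation": 0.9, "scanning": 0.5},
    "exploitation":         {"privilege escalation": 0.9, "data transmission": 0.6},
    "privilege escalation": {"persistence": 0.8, "data transmission": 0.8},
    "persistence":          {"data transmission": 0.7},
    "data transmission":    {},
}
START_ROLES = {"scanning", "probing"}                 # S531 starting node types
END_ROLES = {"data transmission", "persistence"}      # S531 ending node types
MIN_DURATION = 60.0                                   # S535 threshold, seconds
TOP_N = 3                                             # S520 preset number


def credibility(seq):
    """S460: mean node probability, label coherence and confidence-weighted
    probability, averaged into one score in [0, 1]."""
    n = len(seq)
    mean_p = sum(v["p_inv"] for v in seq) / n
    if n > 1:
        coherence = sum(TRANSITION[a["label"]].get(b["label"], 0.0)
                        for a, b in zip(seq, seq[1:])) / (n - 1)
    else:
        coherence = 0.0  # a single node has no transitions to judge
    weighted_p = (sum(v["conf"] * v["p_inv"] for v in seq)
                  / sum(v["conf"] for v in seq))
    return (mean_p + coherence + weighted_p) / 3.0


def integrity_check(seq):
    """S531-S536: start role, end role and minimum time span must all hold."""
    start_ok = seq[0]["label"] in START_ROLES
    end_ok = seq[-1]["label"] in END_ROLES
    span_ok = seq[-1]["ts"] - seq[0]["ts"] >= MIN_DURATION
    return start_ok and end_ok and span_ok


def select_target(candidates):
    """S510-S550: rank by score, keep the top N, drop incomplete ones, return
    the best survivor and its intrusion time period (None if none survive)."""
    ranked = sorted(candidates, key=credibility, reverse=True)[:TOP_N]
    complete = [s for s in ranked if integrity_check(s)]
    if not complete:
        return None
    target = complete[0]
    return target, (target[0]["ts"], target[-1]["ts"])


def node(nid, ts, p_inv, label, conf):
    return {"id": nid, "ts": ts, "p_inv": p_inv, "label": label, "conf": conf}


# Constructed candidates: SEQ_B scores higher but starts and ends mid-chain
# and is shorter than the minimum duration, so it fails S530.
SEQ_A = [node("ip:10.0.0.5", 0.0, 0.6, "scanning", 0.9),
         node("proc:exploit", 100.0, 0.8, "exploitation", 0.8),
         node("ip:198.51.100.7", 700.0, 0.9, "data transmission", 0.7)]
SEQ_B = [node("proc:exploit", 0.0, 0.95, "exploitation", 0.9),
         node("proc:sudo", 50.0, 0.9, "privilege escalation", 0.9)]

if __name__ == "__main__":
    for name, seq in (("A", SEQ_A), ("B", SEQ_B)):
        print(name, round(credibility(seq), 4), integrity_check(seq))
    print(select_target([SEQ_A, SEQ_B]))
```

SEQ_B, a high-confidence exploit followed by privilege escalation, outscores SEQ_A, yet it is rejected because it neither begins with a recognised initiation step nor ends with a termination step and spans only 50 s. Returning None when nothing survives is deliberate: a fragment that fails the structural check should surface as "no complete chain found" rather than be promoted to an alert with a misleading time period.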
[0145] Step S560: Obtain the unique terminal identifier of the smart terminal to be identified, encapsulate the unique terminal identifier with the intrusion time period, generate an intrusion behavior identification result data packet containing the terminal identifier field and the intrusion time period field, and convert the data packet into an intrusion behavior identification result response instruction according to the preset response strategy.
[0146] As one implementation method, step S560 may specifically include:
[0147] Step S561: Convert the unique terminal identifier into a byte sequence in a preset format, and add a terminal identifier type identifier before the byte sequence to generate a standardized terminal identifier data block.
[0148] To ensure that data packets can be parsed correctly across different systems, each field needs to be standardized. The first step is to process the unique terminal identifier. Assume the unique terminal identifier is a string, such as a MAC address like aa:bb:cc:dd:ee:ff. Depending on the preset format, it may need to be converted into a binary byte sequence. At the same time, to indicate what type of identifier the byte sequence represents, a terminal identifier type identifier is added before it. For example, one byte can represent the type: 01 for a MAC address, 02 for an IP address, and 03 for a serial number. The final standardized terminal identifier data block therefore consists of two parts: a one-byte type identifier followed by the converted identifier byte sequence, for example the type identifier 01 followed by the six bytes converted from the MAC address.
[0149] Step S562: Convert the intrusion start time and intrusion end time of the intrusion time period into strings in a unified Coordinated Universal Time (UTC) format, join the two time strings with a preset delimiter, and add a time period type identifier at the beginning of the joined string to generate a standardized intrusion time period data block.
[0150] Intrusion start and end times are typically high-precision timestamps. To facilitate cross-platform parsing, both are converted into strings in a UTC time format, such as 2026-03-11T10:30:25Z. The two time strings are then joined with a preset separator, such as a comma or a vertical bar, to obtain a longer string, such as 2026-03-11T10:30:25Z,2026-03-11T11:45:10Z. As with the terminal identifier, a time period type identifier, for example 02, is prepended to indicate that the content of this data block is an intrusion time period. The final standardized intrusion time period data block consists of the type identifier followed by the joined time strings.
[0151] Step S563: Query the preset response policy mapping table, obtain the corresponding permission adjustment policy code according to the behavior type label of the target intrusion behavior sequence, convert the permission adjustment policy code into a code string of preset length, add a policy code type identifier before the code string, and generate a standardized permission adjustment policy code data block.
[0152] The pre-defined response policy mapping table is a key-value database. The key is a behavior type label, such as privilege escalation or data leakage, and the value is the corresponding permission adjustment policy code, such as a 16-bit integer. Once the final target intrusion behavior sequence is determined, the overall behavior type of the sequence can be parsed. This can be done by analyzing the intent-pointing labels of most nodes in the sequence, or by analyzing the overall evolution pattern of the sequence, to determine a general behavior type label. This label is used to query the mapping table to obtain a policy code, such as 0x00A1. This integer code is then converted into a fixed-length encoded string, for example, represented by four bytes. Similarly, a policy code type identifier, such as 03, is added before the string. This generates a standardized permission adjustment policy code data block.
[0153] Step S564: According to the preset instruction message format, the standardized terminal identification data block, intrusion time period data block and permission adjustment policy encoding data block are sequentially concatenated, and an instruction start identifier is added to the header of the concatenated data block, an instruction end identifier and a cyclic redundancy check code are added to the tail, and a complete intrusion behavior identification result response instruction message is generated.
[0154] Step S565: Symmetrically encrypt the complete intrusion behavior identification result response command message to generate an encrypted intrusion behavior identification result response command. The encrypted intrusion behavior identification result response command is used to send to the smart terminal security management platform through a secure channel.
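The message assembly of steps S561 to S564 and its inverse, as an added example that is not the patent's code. The wire layout is an assumed concrete reading of the text: each data block is a type byte, a one-byte length (added here so the blocks can be parsed back), and the payload; the frame is a start marker, the blocks, an end marker and a CRC-32 over everything before it. The marker values, type codes, policy mapping table and sample values are constructed. Step S565 is deliberately not shown: the standard library has no AES, and a practitioner should note that the CRC only detects accidental corruption, so the symmetric encryption of S565 needs an authenticated mode (an AEAD such as AES-GCM) if the platform is to detect a tampered instruction.

```python
"""Building and parsing the response instruction message (steps S561-S564).

Added illustration, not the patent's code. Markers, type codes, the policy
table and the sample values are constructed.
"""
import struct
import zlib
from datetime import datetime, timezone

INSTR_START = b"\xaa\x55"
INSTR_END = b"\x55\xaa"
TYPE_TERMINAL_MAC = 0x01   # terminal identifier block, MAC address form
TYPE_PERIOD = 0x02         # intrusion time period block
TYPE_POLICY = 0x03         # permission adjustment policy code block
PERIOD_SEP = "|"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
POLICY_TABLE = {"privilege escalation": 0x00A1, "data leakage": 0x00B2}

# Constructed sample values.
SAMPLE_MAC = "aa:bb:cc:dd:ee:ff"
SAMPLE_START = datetime(2026, 3, 11, 10, 30, 25, tzinfo=timezone.utc)
SAMPLE_END = datetime(2026, 3, 11, 11, 45, 10, tzinfo=timezone.utc)


def _block(type_id, payload):
    if len(payload) > 255:
        raise ValueError("block payload too long for a one-byte length")
    return bytes([type_id, len(payload)]) + payload


def terminal_block(mac):
    """S561: 'aa:bb:cc:dd:ee:ff' -> type byte, length, six raw bytes."""
    raw = bytes.fromhex(mac.replace(":", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be six bytes")
    return _block(TYPE_TERMINAL_MAC, raw)


def period_block(start, end):
    """S562: two timestamps rendered in UTC and joined by the separator."""
    text = (start.astimezone(timezone.utc).strftime(TIME_FMT) + PERIOD_SEP
            + end.astimezone(timezone.utc).strftime(TIME_FMT))
    return _block(TYPE_PERIOD, text.encode("ascii"))


def policy_block(behavior_type):
    """S563: look up the policy code and encode it as four big-endian bytes."""
    return _block(TYPE_POLICY, struct.pack(">I", POLICY_TABLE[behavior_type]))


def build_instruction(mac, start, end, behavior_type):
    """S564: concatenate the blocks, frame them, append CRC-32 of the frame."""
    body = (INSTR_START + terminal_block(mac) + period_block(start, end)
            + policy_block(behavior_type) + INSTR_END)
    return body + struct.pack(">I", zlib.crc32(body))


def crc_valid(msg):
    return len(msg) >= 4 and zlib.crc32(msg[:-4]) == struct.unpack(">I", msg[-4:])[0]


def parse_instruction(msg):
    """Inverse of build_instruction; raises ValueError on framing or CRC errors."""
    if len(msg) < 8 or not msg.startswith(INSTR_START):
        raise ValueError("bad frame start")
    if not crc_valid(msg):
        raise ValueError("CRC mismatch")
    body = msg[:-4]
    if not body.endswith(INSTR_END):
        raise ValueError("bad frame end")
    fields, pos, stop = {}, len(INSTR_START), len(body) - len(INSTR_END)
    while pos < stop:
        type_id, length = body[pos], body[pos + 1]
        payload = body[pos + 2:pos + 2 + length]
        if len(payload) != length:
            raise ValueError("truncated block")
        if type_id == TYPE_TERMINAL_MAC:
            fields["terminal_id"] = ":".join(f"{b:02x}" for b in payload)
        elif type_id == TYPE_PERIOD:
            fields["period"] = tuple(payload.decode("ascii").split(PERIOD_SEP))
        elif type_id == TYPE_POLICY:
            fields["policy_code"] = struct.unpack(">I", payload)[0]
        else:
            raise ValueError(f"unknown block type {type_id:#x}")
        pos += 2 + length
    return fields


def demo_message():
    return build_instruction(SAMPLE_MAC, SAMPLE_START, SAMPLE_END, "privilege escalation")


if __name__ == "__main__":
    msg = demo_message()
    print(msg.hex())
    print(parse_instruction(msg))
```

The parser validates the CRC before it reads a single field, and refuses unknown block types rather than skipping them, so a truncated or garbled instruction fails closed. The type-length-value layout is what lets the receiving platform accept future identifier types (the 02 and 03 identifier forms of step S561) without changing the framing.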
[0155] Referring to Figure 3, which is a schematic diagram of an intrusion detection device provided in an embodiment of the present invention. The intrusion detection device may be a computer program (including program code) running on a network device; for example, the intrusion detection device is application software. The device can be used to execute the corresponding steps of the method provided in the embodiments of the present invention. As shown in Figure 3, the intrusion detection device 300 may include:
[0156] The data acquisition module 310 is used to acquire the original network traffic data set and the corresponding original terminal operation log data set generated by the smart terminal to be identified within a preset monitoring period. The original network traffic data set contains multiple network data packet units arranged in the order of collection time, and the original terminal operation log data set contains multiple terminal operation record units aligned with the timestamps of the network data packet units.
[0157] The graph construction module 320 is used to construct a spatiotemporal behavior graph from the original network traffic data set and the original terminal operation log data set, and generate a dynamic spatiotemporal behavior graph of the intelligent terminal to be identified within a preset monitoring period. The dynamic spatiotemporal behavior graph contains multiple behavior nodes and temporal edges and association edges connecting the behavior nodes.
[0158] The pattern prediction module 330 is used to input the dynamic behavior spatiotemporal map into the pre-trained intrusion behavior prediction deep network to perform multi-level behavior pattern prediction, and obtain the intrusion probability distribution corresponding to each behavior node in the dynamic behavior spatiotemporal map and the intrusion propagation path map between behavior nodes.
[0159] The sequence reconstruction module 340 is used to reconstruct the intrusion behavior sequence based on the probability distribution of intrusion possibility and the intrusion propagation path map, and generate multiple candidate intrusion behavior sequences of the smart terminal to be identified within a preset monitoring period and a credibility score for each candidate intrusion behavior sequence.
[0160] The instruction generation module 350 is used to filter out the target intrusion behavior sequence from multiple candidate intrusion behavior sequences based on the credibility score, and generate an intrusion behavior identification result response instruction containing the terminal identifier and the intrusion time period according to the target intrusion behavior sequence.
[0161] According to one embodiment of the present invention, the steps of the deep learning-based intelligent terminal network intrusion behavior identification method shown in Figure 2 may be executed by the respective modules of the intrusion detection device shown in Figure 3.
[0162] According to one embodiment of the present invention, the modules of the intrusion detection device shown in Figure 3 may be individually or entirely combined into one or more units, or one or more of these units may be further divided into at least two functionally smaller sub-units, to achieve the same operation without affecting the technical effects of the embodiments of the present invention. The above modules are based on a logical functional division. In practical applications, the function of one module may be implemented by at least two units, or the functions of at least two modules may be implemented by one unit. In other embodiments of the present invention, the intrusion detection device may also include other units. In practical applications, these functions may also be implemented with the assistance of other units, and may be implemented collaboratively by at least two units.
[0163] This invention also provides a computer device, including a memory and a processor. The memory stores a computer program that can run on the processor. When the processor executes the program, it implements the steps in the deep learning-based intelligent terminal network intrusion behavior identification method provided in this invention.
[0164] Referring to Figure 4, which is a schematic diagram of the structure of a computer device provided in an embodiment of the present invention. As shown in Figure 4, the computer device 10 may include: a processor 11, a network interface 14, and a memory 15. Furthermore, the computer device 10 may also include a user interface 13 and at least one communication bus 12. The communication bus 12 is used to implement communication between these components. The user interface 13 may include a standard wired interface or a wireless interface. The network interface 14 may optionally include a standard wired interface or a wireless interface (such as a Wi-Fi interface). The memory 15 may be high-speed RAM or non-volatile memory, such as at least one disk storage device. Optionally, the memory 15 may also be at least one storage device located remotely from the processor 11. As shown in Figure 4, the memory 15, as a computer-readable storage medium, may include an operating system, a network communication module, a user interface module, and a device control application.
[0165] In the computer device 10 shown in Figure 4, the network interface 14 can provide network communication functions; the user interface 13 is mainly used to provide an input interface; and the processor 11 can be used to call the device control application stored in the memory 15 to implement the methods provided in the above embodiments.
Claims
1. A method for identifying network intrusion behavior of intelligent terminals based on deep learning, characterized in that it includes the following steps: The system acquires the original network traffic data set and the corresponding original terminal operation log data set generated by the smart terminal to be identified within a preset monitoring period. The original network traffic data set contains multiple network data packet units arranged in order of collection time, and the original terminal operation log data set contains multiple terminal operation record units aligned with the timestamps of the network data packet units. Spatiotemporal behavior graphs are constructed from the original network traffic data set and the original terminal operation log data set to generate a dynamic spatiotemporal behavior graph of the intelligent terminal to be identified within the preset monitoring period. The dynamic spatiotemporal behavior graph includes multiple behavior nodes and temporal edges and association edges connecting the behavior nodes. The dynamic behavior spatiotemporal graph is input into a pre-trained deep network for intrusion behavior prediction to perform multi-level behavior pattern prediction, thereby obtaining the intrusion probability distribution corresponding to each behavior node in the dynamic behavior spatiotemporal graph and the intrusion propagation path graph between behavior nodes. Based on the intrusion probability distribution and the intrusion propagation path graph, the intrusion behavior sequence is reconstructed to generate multiple candidate intrusion behavior sequences of the smart terminal to be identified within the preset monitoring period and a credibility score for each candidate intrusion behavior sequence. 
Based on the credibility score, a target intrusion behavior sequence is selected from the multiple candidate intrusion behavior sequences, and an intrusion behavior identification result response instruction containing terminal identifier and intrusion time period is generated according to the target intrusion behavior sequence.
2. The method according to claim 1, characterized in that the step of constructing a spatiotemporal behavior graph from the original network traffic data set and the original terminal operation log data set to generate a dynamic spatiotemporal behavior graph of the intelligent terminal to be identified within the preset monitoring period includes: The protocol field of each network data packet unit in the original network traffic data set is parsed to extract the source Internet Protocol address, destination Internet Protocol address, transport layer protocol type and application layer payload content hash value of the network data packet unit. All network data packet units with the same five-tuple information are aggregated into network flow units according to the timestamp of the network data packet unit. Semantic parsing is performed on each terminal operation record unit in the original terminal operation log data set to extract the operation type identifier, operation object path string, and operation return status code of the terminal operation record unit. Based on the timestamp of the terminal operation record unit, terminal operation record units initiated by the same process identifier within a continuous time interval are aggregated into operation session units. First-layer behavior nodes are constructed based on the source Internet Protocol address and destination Internet Protocol address in the network flow unit, and each first-layer behavior node is associated with its corresponding set of network flow units. The timestamp distribution entropy value of all network data packet units in the set of network flow units is calculated as the traffic fluctuation feature vector of the first-layer behavior node. A second-layer behavior node is constructed based on the operation type identifier and operation object path string in the operation session unit, and each second-layer behavior node is associated with its corresponding set of operation session units. 
The transition probability matrix of the operation type identifiers in the set of operation session units is calculated as the behavior pattern feature matrix of the second-layer behavior node. An association edge is established based on the co-occurrence relationship between the first-layer behavior node and the second-layer behavior node on the time axis. The weight of the association edge is determined based on the mutual information between the network flow units and the operation session units within the co-occurrence time window. The mutual information is calculated based on the association frequency between the destination port of the data packets in the network flow units and the operation object path in the operation session units. Temporal edges are established between the first-layer behavior nodes according to the communication sequence between the network flow units, temporal edges are established between the second-layer behavior nodes according to the calling relationship between the operation session units, and all first-layer behavior nodes, second-layer behavior nodes, association edges and temporal edges are combined to generate the dynamic behavior spatiotemporal graph.
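The following Python is an added illustration of claim 2 and is not code from the patent: it aggregates constructed packet and log samples into flow units and operation session units, builds the two node layers, and computes the second-layer transition probability matrix. The five-tuple (src IP, dst IP, protocol, src port, dst port), the 3 s session gap, and the rule that a session attaches to the second-layer node keyed by its first record are assumptions of this example.

```python
from collections import defaultdict
from itertools import groupby

# Constructed sample packets (not from the patent), one tuple per packet:
# (timestamp_s, src_ip, dst_ip, transport_proto, src_port, dst_port, payload_hash_prefix).
PACKETS = [
    (0.0, "10.0.0.5", "203.0.113.9", "tcp", 51000, 443, "a1"),
    (0.4, "10.0.0.5", "203.0.113.9", "tcp", 51000, 443, "b2"),
    (1.1, "203.0.113.9", "10.0.0.5", "tcp", 443, 51000, "c3"),
    (2.0, "10.0.0.5", "198.51.100.7", "tcp", 51001, 22, "d4"),
    (2.5, "10.0.0.5", "198.51.100.7", "tcp", 51001, 22, "e5"),
    (9.0, "10.0.0.5", "203.0.113.9", "tcp", 51000, 443, "f6"),
]
# Constructed terminal operation log records: (timestamp_s, pid, op_type, object_path, return_status).
LOG_RECORDS = [
    (0.2, 4321, "OPEN", "/etc/passwd", 0),
    (0.9, 4321, "READ", "/etc/passwd", 0),
    (1.3, 4321, "EXEC", "/usr/bin/curl", 0),
    (2.2, 4321, "WRITE", "/tmp/.x", 0),
    (8.5, 4321, "OPEN", "/var/log/auth.log", 13),  # 6.3 s after the previous record: new session
    (8.7, 4321, "READ", "/var/log/auth.log", 13),
    (3.0, 777, "EXEC", "/usr/bin/curl", 0),
]
SESSION_GAP = 3.0  # assumed: records of one pid more than 3 s apart belong to different sessions


def aggregate_flows(packets):
    """Group packets sharing the same five-tuple into one flow, ordered by timestamp."""
    flows = defaultdict(list)
    for pkt in sorted(packets, key=lambda p: p[0]):
        _ts, src, dst, proto, sport, dport, _h = pkt
        flows[(src, dst, proto, sport, dport)].append(pkt)
    return dict(flows)


def aggregate_sessions(records, gap=SESSION_GAP):
    """Split each process's records into sessions wherever consecutive records are more than `gap` apart."""
    sessions = []
    ordered = sorted(records, key=lambda r: (r[1], r[0]))
    for _pid, group in groupby(ordered, key=lambda r: r[1]):
        current = []
        for rec in group:
            if current and rec[0] - current[-1][0] > gap:
                sessions.append(current)
                current = []
            current.append(rec)
        sessions.append(current)
    return sessions


def first_layer_nodes(flows):
    """One node per distinct IP; the node references every flow in which that IP is source or destination."""
    nodes = defaultdict(list)
    for key, pkts in flows.items():
        src, dst = key[0], key[1]
        nodes[src].append(pkts)
        if dst != src:
            nodes[dst].append(pkts)
    return dict(nodes)


def second_layer_nodes(sessions):
    """One node per (op_type, object_path); a session attaches to the node of its first record (assumption)."""
    nodes = defaultdict(list)
    for sess in sessions:
        nodes[(sess[0][2], sess[0][3])].append(sess)
    return dict(nodes)


def transition_matrix(sessions):
    """Row-normalised transition probabilities between consecutive op types over the node's sessions."""
    counts = defaultdict(lambda: defaultdict(int))
    for sess in sessions:
        for a, b in zip(sess, sess[1:]):
            counts[a[2]][b[2]] += 1
    matrix = {}
    for src, row in counts.items():
        total = sum(row.values())
        matrix[src] = {dst: n / total for dst, n in row.items()}
    return matrix


def build_layers(packets=PACKETS, records=LOG_RECORDS):
    flows = aggregate_flows(packets)
    sessions = aggregate_sessions(records)
    l1 = first_layer_nodes(flows)
    l2 = second_layer_nodes(sessions)
    l2_features = {key: transition_matrix(sess_list) for key, sess_list in l2.items()}
    return flows, sessions, l1, l2, l2_features
```

With the constructed input, `build_layers()` yields three flows, three sessions (the pid 4321 records split at the 6.3 s gap), three first-layer nodes and three second-layer nodes; the node keyed by `("OPEN", "/etc/passwd")` carries the transition matrix OPEN→READ→EXEC→WRITE with probability 1.0 on each step.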
3. The method according to claim 2, characterized in that the step of constructing first-layer behavior nodes based on the source and destination Internet Protocol (IP) addresses in the network flow units, associating each first-layer behavior node with its corresponding set of network flow units, and calculating the timestamp distribution entropy value of all network data packet units in the set of network flow units as the traffic fluctuation feature vector of the first-layer behavior node includes: Extract all source IP addresses and destination IP addresses from the network flow units, use each unique source or destination IP address as the identifier of a candidate first-layer behavior node, and assign an empty set of network flow units to each candidate first-layer behavior node. Iterate through all network flow units; for each network flow unit, add a reference pointer to the network flow unit to the sets of the candidate first-layer behavior nodes corresponding to its source IP address and destination IP address, respectively. Sort the timestamps of all network data packet units in the network flow unit set of each first-layer behavior node to generate a timestamp sequence corresponding to the first-layer behavior node. The timestamp sequence is divided into multiple consecutive time window subsequences by a sliding window of a preset fixed time window length. The number of network data packet units contained in each time window subsequence is counted to generate the traffic count time series of the first-layer behavior node.
Calculate the time entropy value of network data packet unit arrivals within each time window subsequence of the traffic count time series, arrange the time entropy values of the time window subsequences in chronological order, and generate the time entropy sequence of the first-layer behavior node. Perform a Fast Fourier Transform on the time entropy sequence, extract the amplitude values of the first few frequency components with the largest amplitude in the frequency domain as the periodic fluctuation features of the first-layer behavior node, and concatenate the periodic fluctuation features with the mean and variance of the time entropy sequence to generate the traffic fluctuation feature vector of the first-layer behavior node.
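The following Python is an added example of the claim 3 feature pipeline and is not code from the patent. It takes a constructed timestamp sequence for one first-layer node, cuts it into fixed windows, measures the arrival-time entropy inside each window, and turns the entropy sequence into the traffic fluctuation feature vector. Assumptions of this example: windows are anchored at t = 0 and are non-overlapping, "time entropy" is the Shannon entropy of arrivals over equal sub-bins of a window, a naive DFT stands in for the FFT, and the DC component is dropped because the mean is appended separately.

```python
import math

# Constructed timestamp sequence (seconds) for one first-layer node; not from the patent.
# Windows 0 and 2 have evenly spread arrivals, windows 1 and 3 have tight bursts.
TIMESTAMPS = [0.5, 1.5, 2.5, 3.5, 4.2, 4.3, 8.5, 9.5, 10.5, 11.5, 12.2, 12.3]
WINDOW = 4.0   # assumed fixed time window length, seconds
BINS = 4       # assumed number of equal sub-bins used to measure arrival-time entropy inside a window
TOP_K = 2      # assumed number of dominant frequency components kept


def window_subsequences(timestamps, window=WINDOW):
    """Split the sorted timestamp sequence into consecutive fixed-length windows anchored at t=0 (assumption)."""
    ts = sorted(timestamps)
    subs = [[] for _ in range(int(ts[-1] // window) + 1)]
    for t in ts:
        subs[int(t // window)].append(t)
    return subs


def arrival_entropy(sub, win_index, window=WINDOW, bins=BINS):
    """Shannon entropy (bits) of packet arrivals over `bins` equal sub-intervals of one window."""
    counts = [0] * bins
    for t in sub:
        offset = t - win_index * window
        counts[min(int(offset / window * bins), bins - 1)] += 1
    total = sum(counts)
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts if c)


def dft_amplitudes(seq):
    """Naive DFT magnitude spectrum; stands in for the FFT on short sequences."""
    n = len(seq)
    amps = []
    for k in range(n):
        re = sum(x * math.cos(2 * math.pi * k * i / n) for i, x in enumerate(seq))
        im = -sum(x * math.sin(2 * math.pi * k * i / n) for i, x in enumerate(seq))
        amps.append(math.hypot(re, im))
    return amps


def traffic_fluctuation_vector(timestamps=TIMESTAMPS, top_k=TOP_K):
    """Returns (traffic count series, time entropy sequence, feature vector)."""
    subs = window_subsequences(timestamps)
    counts = [len(s) for s in subs]                                   # traffic count time series
    entropies = [arrival_entropy(s, i) for i, s in enumerate(subs)]   # time entropy sequence
    amps = dft_amplitudes(entropies)[1:]      # drop the DC term (assumption): it equals the mean, kept separately
    periodic = sorted(amps, reverse=True)[:top_k]
    mean = sum(entropies) / len(entropies)
    var = sum((e - mean) ** 2 for e in entropies) / len(entropies)
    return counts, entropies, periodic + [mean, var]
```

On the constructed input the entropy sequence alternates 2, 0, 2, 0 bits, so the spectrum has a single strong component at the alternating frequency (amplitude 4) and the feature vector is `[4.0, 0.0, 1.0, 1.0]`; a node that beacons at a fixed interval shows the same kind of spike.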
4. The method according to claim 2, characterized in that the step of establishing association edges based on the co-occurrence relationship between the first-layer behavior nodes and the second-layer behavior nodes on the time axis, wherein the weight of the association edge is determined based on the mutual information between the network flow units and the operation session units within the co-occurrence time window, includes: The preset monitoring period is divided into multiple continuous and non-overlapping fixed-length time window units, and a unique time window index number is assigned to each fixed-length time window unit. For each fixed-length time window unit, network flow units whose timestamps fall within the fixed-length time window unit are selected from the set of network flow units associated with each first-layer behavior node, forming a subset of network flow units of the first-layer behavior node within the fixed-length time window unit. Similarly, operation session units whose timestamps fall within the fixed-length time window unit are selected from the set of operation session units associated with each second-layer behavior node, forming a subset of operation session units of the second-layer behavior node within the fixed-length time window unit. The frequency of the destination port field value of all network data packet units in the network flow unit subset of each first-layer behavior node within each fixed-length time window unit is counted, generating a destination port frequency distribution vector for each first-layer behavior node in each fixed-length time window unit.
At the same time, the frequency of the operation object path field value of all terminal operation record units in the operation session unit subset of each second-layer behavior node within each fixed-length time window unit is counted, generating an operation object path frequency distribution vector for each second-layer behavior node in each fixed-length time window unit. Using all fixed-length time window units as the sample space, the destination port frequency distribution vector and the operation object path frequency distribution vector are regarded as two discrete random variables, and the mutual information between the two discrete random variables is calculated. The calculated mutual information is used as the initial weight value of the association edge between the first-layer behavior node and the second-layer behavior node. The initial weight values of all combinations of first-layer behavior nodes and second-layer behavior nodes are min-max normalized, and the normalized values are used as the final association edge weights. In the dynamic behavior spatiotemporal graph, a directed association edge is added between each pair of first-layer behavior node and second-layer behavior node, pointing from the first-layer behavior node to the second-layer behavior node, and the final association edge weight is used as the attribute value of the directed association edge.
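The following Python is an added example of the claim 4 edge weighting and is not code from the patent. It starts from constructed per-window frequency vectors for one first-layer node and three second-layer nodes, computes the mutual information over the windows, and min-max normalizes the result across all node pairs. One reading of "regarded as two discrete random variables" is used here as an assumption: each window contributes the dominant destination port and the dominant object path as one joint sample.

```python
import math
from collections import Counter

# Constructed per-window frequency vectors over 6 fixed-length windows; not from the patent.
# First-layer node -> list (one entry per window) of {destination_port: count}.
PORT_FREQ = {
    "10.0.0.5": [{443: 5, 80: 1}, {443: 3}, {22: 4, 443: 1}, {22: 2}, {443: 6}, {22: 3, 80: 1}],
}
# Second-layer node -> list (one entry per window) of {object_path: count}.
PATH_FREQ = {
    ("EXEC", "/usr/bin/curl"): [{"/usr/bin/curl": 2}, {"/usr/bin/curl": 1}, {"/tmp/.x": 3},
                                {"/tmp/.x": 1}, {"/usr/bin/curl": 4}, {"/tmp/.x": 2}],
    ("OPEN", "/etc/passwd"): [{"/etc/passwd": 2}, {"/etc/shadow": 1}, {"/etc/passwd": 1},
                              {"/etc/shadow": 2}, {"/etc/passwd": 3}, {"/etc/shadow": 1}],
    ("READ", "/var/log/syslog"): [{"/var/log/syslog": 1}] * 6,
}


def dominant(freq):
    """Most frequent field value of one window; None for an empty window."""
    return max(freq.items(), key=lambda kv: kv[1])[0] if freq else None


def mutual_information(xs, ys):
    """MI in bits between two sequences of discrete outcomes indexed by the same windows."""
    n = len(xs)
    px, py, pxy = Counter(xs), Counter(ys), Counter(zip(xs, ys))
    return sum((c / n) * math.log2((c / n) / ((px[x] / n) * (py[y] / n)))
               for (x, y), c in pxy.items())


def association_edge_weights(port_freq=PORT_FREQ, path_freq=PATH_FREQ):
    """Raw MI per (first-layer, second-layer) pair, then min-max normalised across all pairs."""
    raw = {}
    for l1, port_windows in port_freq.items():
        xs = [dominant(w) for w in port_windows]
        for l2, path_windows in path_freq.items():
            ys = [dominant(w) for w in path_windows]
            raw[(l1, l2)] = mutual_information(xs, ys)
    lo, hi = min(raw.values()), max(raw.values())
    span = (hi - lo) or 1.0            # all-equal weights would otherwise divide by zero
    return raw, {edge: (mi - lo) / span for edge, mi in raw.items()}
```

In the constructed data the curl node switches between `/usr/bin/curl` and `/tmp/.x` exactly when the IP node switches between port 443 and port 22, so that pair gets MI = 1 bit and weight 1.0; the syslog node never changes and gets weight 0.0; the passwd node is only weakly coupled. Note that an association that holds across every window in the sample space is indistinguishable from coincidence, so MI-based weights are only meaningful once the monitoring period spans enough windows.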
5. The method according to claim 1, characterized in that the step of inputting the dynamic behavior spatiotemporal graph into a pre-trained deep network for intrusion behavior prediction to perform multi-level behavior pattern prediction, thereby obtaining the intrusion probability distribution corresponding to each behavior node in the dynamic behavior spatiotemporal graph and the intrusion propagation path graph between behavior nodes, includes: The dynamic behavior spatiotemporal graph is input into the initial state encoding layer of the intrusion behavior prediction deep network. The initial state encoding layer performs joint encoding on the set of network flow units and the set of operation session units associated with each behavior node to generate an initial behavior state vector of each behavior node on the initial time section. The initial behavior state vector characterizes the behavior pattern basis of the behavior node at the start of the preset monitoring period. The initial behavior state vector of each behavior node and the initial behavior state vectors of its first-order neighboring behavior nodes in the dynamic behavior spatiotemporal graph are input into the spatiotemporal propagation prediction layer. The spatiotemporal propagation prediction layer contains multiple cascaded prediction units. Each prediction unit calculates the intrusion propagation impact received by each behavior node from its neighboring behavior nodes at the current prediction time step based on the behavior state vectors output by the previous prediction unit, the weights of the association edges and the directions of the temporal edges between behavior nodes. The intrusion propagation impact is then nonlinearly fused with the behavior node's own state retention to generate the updated behavior state vector of each behavior node at the current prediction time step.
Arrange the updated behavior state vectors of all prediction time steps in chronological order to obtain the behavior state evolution trajectory matrix of each behavior node over the entire preset monitoring period. The rows of the behavior state evolution trajectory matrix correspond to the prediction time steps, and the columns correspond to the dimensions of the behavior state vectors. The behavior state evolution trajectory matrix is input into the intrusion intent parsing layer. The intrusion intent parsing layer performs global temporal pattern extraction on the behavior state evolution trajectory of each behavior node, identifies the mutation points, inflection points and periodic fluctuation patterns that appear in the behavior state vector during its evolution, and matches the mutation points, inflection points and periodic fluctuation patterns against the preset intrusion behavior pattern template library to output, for each behavior node, the probability distribution of intrusion possibility at different time points within the preset monitoring period. Based on the transmission relationship of the updated behavior state vectors of all behavior nodes between adjacent prediction time steps, a two-dimensional propagation tensor is constructed with the prediction time step as the horizontal axis and the behavior node as the vertical axis. Path tracing is performed on the two-dimensional propagation tensor to extract the path trajectories along which intrusion probability propagates between behavior nodes over the time axis. The path trajectories are combined according to propagation direction and propagation intensity to generate the intrusion propagation path graph between behavior nodes in the dynamic behavior spatiotemporal graph.
6. The method according to claim 5, characterized in that the step in which the initial behavior state vector of each behavior node and the initial behavior state vectors of its first-order neighboring behavior nodes in the dynamic behavior spatiotemporal graph are input into the spatiotemporal propagation prediction layer, which contains multiple cascaded prediction units, each prediction unit calculating the intrusion propagation impact received by each behavior node from its neighboring behavior nodes at the current prediction time step based on the behavior state vectors output by the previous prediction unit and the weights and temporal directions of the edges between behavior nodes, and nonlinearly fusing the intrusion propagation impact with the behavior node's own state retention value to generate an updated behavior state vector for each behavior node at the current prediction time step, includes: The updated behavior state vectors output by all behavior nodes in the dynamic behavior spatiotemporal graph at the previous prediction time step are combined into the state matrix of the previous time step. At the same time, the weight matrix of all association edges and the directional adjacency matrix of all temporal edges in the dynamic behavior spatiotemporal graph are obtained. Each element of the directional adjacency matrix indicates whether a temporal edge points from the row behavior node to the column behavior node. The first propagation influence received by each behavior node from all of its associated neighbor behavior nodes is calculated based on the state matrix of the previous time step and the weight matrix of the association edges.
The second propagation influence received by each behavior node from all of its temporal neighbor behavior nodes is calculated based on the state matrix of the previous time step and the directional adjacency matrix. The first and second propagation influence vectors of each behavior node are concatenated to obtain the comprehensive propagation influence vector of that behavior node, which is input into the first nonlinear transformation layer. The first nonlinear transformation layer dimensionally compresses and activates the comprehensive propagation influence vector to generate the standardized propagation influence vector of each behavior node. The updated behavior state vector output by each behavior node at the previous prediction time step is taken as the self-state preservation basis of the behavior node and input into the second nonlinear transformation layer, which applies a forgetting gate to the self-state preservation basis to generate the state preservation coefficient vector of each behavior node. The standardized propagation influence vector of each behavior node is multiplied element-wise by the corresponding state preservation coefficient vector to obtain the weighted propagation influence vector of that behavior node. The weighted propagation influence vector is then added element-wise to the self-state preservation basis, and the sum is input into the third nonlinear transformation layer for activation to generate the updated behavior state vector of each behavior node at the current prediction time step.
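The following Python is an added example of one prediction unit of claim 6 and of the trajectory matrix of claim 5; it is not code from the patent, and it uses untrained, seeded random weights in place of the trained network so that only the data flow of the unit is demonstrated. Assumptions: association edges are treated as undirected for message passing, biases are zero, the third nonlinear layer is a bare tanh, and a five-node graph with an isolated control node is constructed to show that a node with no edges and no state receives no influence.

```python
import math
import random

rng = random.Random(7)   # fixed seed: the constructed weights are reproducible


def zeros(r, c):
    return [[0.0] * c for _ in range(r)]


def rand_matrix(r, c, scale=0.5):
    return [[rng.uniform(-scale, scale) for _ in range(c)] for _ in range(r)]


def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))] for i in range(len(a))]


def transpose(m):
    return [list(col) for col in zip(*m)]


def apply(m, f):
    return [[f(x) for x in row] for row in m]


def hadamard(a, b):
    return [[x * y for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]


def add(a, b):
    return [[x + y for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]


def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


D = 3   # assumed behaviour-state dimension
# Constructed graph: nodes 0,1 = first-layer (IPs), 2,3 = second-layer (operations), 4 = isolated control node.
W_ASSOC = zeros(5, 5)
W_ASSOC[0][2] = W_ASSOC[2][0] = 1.0    # association edge weights (undirected for message passing: assumption)
W_ASSOC[0][3] = W_ASSOC[3][0] = 0.08
A_TEMPORAL = zeros(5, 5)
A_TEMPORAL[0][1] = 1.0                 # temporal edge 0 -> 1 (row -> column)
A_TEMPORAL[2][3] = 1.0                 # temporal edge 2 -> 3
H0 = rand_matrix(5, D)                 # constructed initial behaviour state matrix
H0[4] = [0.0, 0.0, 0.0]                # the isolated node starts with a zero state
# Parameters of the unit (untrained stand-ins; the real network learns them).
W1 = rand_matrix(2 * D, D)   # first nonlinear layer: compresses the 2D concatenation to D
W2 = rand_matrix(D, D)       # second nonlinear layer: forgetting gate


def prediction_unit(h_prev, w_assoc=W_ASSOC, a_temporal=A_TEMPORAL, w1=W1, w2=W2):
    """One cascaded unit: state matrix of the previous step -> updated state matrix."""
    infl1 = matmul(w_assoc, h_prev)                 # first influence: associated neighbours, edge-weighted
    infl2 = matmul(transpose(a_temporal), h_prev)   # second influence: temporal predecessors (row -> column)
    combined = [r1 + r2 for r1, r2 in zip(infl1, infl2)]    # concatenation: N x 2D
    normalized = apply(matmul(combined, w1), math.tanh)     # standardised propagation influence
    gate = apply(matmul(h_prev, w2), sigmoid)               # state preservation coefficients
    weighted = hadamard(normalized, gate)                   # weighted propagation influence
    return apply(add(weighted, h_prev), math.tanh)          # third layer: activation of the sum


def evolution_trajectory(h0=H0, steps=4):
    """Run the cascade; returns one trajectory matrix per node (rows = time steps, cols = state dims)."""
    states, h = [], h0
    for _ in range(steps):
        h = prediction_unit(h)
        states.append(h)
    return [[states[t][n] for t in range(steps)] for n in range(len(h0))]
```

Because the output is a tanh, every state component stays inside (-1, 1); the isolated node 4 receives zero influence and, with a zero prior state, stays at zero for every step, while the connected nodes evolve. The trajectory matrices are the input of the intrusion intent parsing layer in claim 7.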
7. The method according to claim 5, characterized in that the step of inputting the behavior state evolution trajectory matrix into the intrusion intent parsing layer, which performs global temporal pattern extraction on the behavior state evolution trajectory of each behavior node, identifies the mutation points, inflection points and periodic fluctuation patterns appearing in the behavior state vector during its evolution, and matches those mutation points, inflection points and periodic fluctuation patterns against the preset intrusion behavior pattern template library to output the probability distribution of intrusion possibility for each behavior node at different time points within the preset monitoring period, includes: The behavior state evolution trajectory matrix of each behavior node is scanned by a sliding window along the time dimension. A fixed-length trajectory segment is extracted at each sliding window position. The mean vector and standard deviation vector of the behavior state vectors at all time points within the trajectory segment are calculated and concatenated to generate the local temporal statistical feature vector corresponding to the sliding window. All local temporal statistical feature vectors are arranged in chronological order to obtain the global temporal feature vector set of each behavior node. The global temporal feature vector set of each behavior node is input into the mutation point detection function.
The mutation point detection function calculates the difference value of adjacent vectors in the global temporal feature vector set, identifies all time points whose difference value magnitude exceeds the preset mutation threshold as candidate mutation points, performs time density-based clustering on the candidate mutation points, takes the center time point of the cluster as the final behavior state mutation point, and records the behavior state vector value corresponding to each behavior state mutation point as a mutation point state snapshot. The global temporal feature vector set of each behavior node is input into the inflection point detection function. The inflection point detection function performs a second-order difference operation on the global temporal feature vector set to identify all time points where the positive and negative signs of the second-order difference values change as candidate inflection points. Non-maximum suppression is applied to the candidate inflection points, and the maximum value point in the local range is retained as the final behavior state inflection point. The rate of change of the behavior state vector corresponding to each behavior state inflection point is recorded as the inflection point change intensity. Autocorrelation analysis is performed on the behavior state evolution trajectory matrix of each behavior node. The autocorrelation coefficient sequence of the time series of each dimension in the behavior state evolution trajectory matrix is calculated. Peak detection is performed on the autocorrelation coefficient sequence. The time delay values corresponding to all peak points whose peak height exceeds the preset peak threshold are extracted as candidate period lengths. Cluster analysis is performed on the candidate period lengths. The candidate period length with the highest frequency is taken as the main period of the behavior state of the behavior node. 
The periodic fluctuation intensity is calculated from the height of the autocorrelation peak corresponding to the main period. The behavior state mutation points and their mutation point state snapshots, the behavior state inflection points and their inflection point change intensities, and the behavior state main period and periodic fluctuation intensity of each behavior node are concatenated to generate the comprehensive temporal pattern feature vector of the behavior node. The comprehensive temporal pattern feature vector is matched against the preset intrusion behavior pattern template library. Each template in the intrusion behavior pattern template library corresponds to one intrusion behavior type and stores the standard temporal pattern feature vector of that type. The cosine similarity between the comprehensive temporal pattern feature vector of each behavior node and the standard temporal pattern feature vector of each template is calculated. The intrusion behavior types corresponding to the top few templates with the highest cosine similarity are selected as candidate intrusion types of that behavior node, and the candidate intrusion types are fused with weights given by their cosine similarities to generate the intrusion probability distribution of each behavior node at different time points within the preset monitoring period. The probability value at each time point of the intrusion probability distribution is determined by the weight of the intrusion behavior type matched for the sliding window to which that time point belongs.
8. The method according to claim 1, characterized in that the step of reconstructing the intrusion behavior sequence based on the intrusion probability distribution and the intrusion propagation path graph, and generating multiple candidate intrusion behavior sequences of the smart terminal to be identified within the preset monitoring period together with a credibility score for each candidate intrusion behavior sequence, includes: Extract all behavior nodes and their corresponding intrusion probability distributions from the intrusion propagation path graph, and mark every behavior node whose maximum probability value in the intrusion probability distribution exceeds a preset probability threshold as a candidate intrusion behavior node. The distribution of the candidate intrusion behavior nodes on the time axis is clustered by time density: candidate intrusion behavior nodes that are continuous in time and whose temporal evolution embedding similarity exceeds a preset similarity threshold are clustered into the same candidate intrusion event segment. The candidate intrusion behavior nodes within each candidate intrusion event segment are sorted in chronological order to generate an initial intrusion behavior node sequence, and the temporal evolution embedding of each node is used as the feature vector of that node. The initial intrusion behavior node sequence is input into a sequence reconstruction network comprising an encoder and a decoder. The encoder encodes the initial sequence into a latent space vector, and the decoder generates a complete intrusion behavior node sequence step by step from the latent space vector. The complete intrusion behavior node sequence includes the intermediate nodes that are missing from the initial sequence.
For each node in the complete intrusion behavior node sequence, intent orientation analysis is performed: the features of the node's neighboring nodes in the intrusion propagation path graph are aggregated through a graph convolutional network to generate an intent orientation label for the node. The complete intrusion behavior node sequence and the corresponding intent orientation labels are combined to generate a candidate intrusion behavior sequence. The credibility score of the candidate intrusion behavior sequence is calculated from the intrusion probability of each node in the candidate intrusion behavior sequence and the consistency of the intent orientation labels.
9. The method according to claim 8, characterized in that the step in which the initial intrusion behavior node sequence is input into a sequence reconstruction network comprising an encoder and a decoder, the encoder encodes the initial sequence into a latent space vector, and the decoder generates a complete intrusion behavior node sequence step by step from the latent space vector, includes: The temporal evolution embeddings of the nodes in the initial intrusion behavior node sequence are arranged in order to generate an initial node embedding sequence, whose length may be less than the expected length of the complete sequence. The initial node embedding sequence is input into the recurrent neural network layer of the encoder, which processes the embedding of each node step by step and updates its hidden state, finally yielding the context vector of the entire sequence as the latent space vector. The latent space vector is input into the recurrent neural network layer of the decoder as its initial hidden state. The decoder generates an output vector at each time step and uses the output vector of the previous time step as the input of the current time step. At each time step, the vector output by the decoder is compared with the embedding of each node in the preset node embedding dictionary; the node with the highest similarity is selected as the generated node of the current time step, and the embedding of that node is used as the input of the next time step. The decoding process is repeated until the generated node is the termination symbol or the preset maximum sequence length is reached. All nodes generated by the decoder are arranged in chronological order to obtain the complete intrusion behavior node sequence.
The complete sequence of intrusion behavior nodes is post-processed, and nodes whose positions are inconsistent with those in the initial sequence of intrusion behavior nodes are replaced with the initial nodes to ensure that the position of the initial nodes in the final sequence remains unchanged.
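The following Python is an added example of the claim 8 candidate selection and of the claim 9 decoding loop with its post-processing; it is not code from the patent. The encoder and decoder are minimal Elman RNNs with untrained, seeded random weights, so the decoded intermediate nodes are arbitrary and only the mechanics are shown: threshold on the maximum intrusion probability, time-density clustering gated by embedding similarity, greedy nearest-dictionary decoding with a termination symbol and a maximum length, and the final step that pins every initial node to its own position. Assumptions: the node embeddings, thresholds and gap; a zero vector as the first decoder input; and that an initial node's position in the complete sequence is its time offset from the start of its segment, with `None` marking slots the decoder did not fill.

```python
import math
import random

# Constructed node-embedding dictionary (4-dim temporal-evolution embeddings) plus the termination symbol.
EMBED = {
    "A": [1.0, 0.0, 0.0, 0.1], "B": [0.0, 1.0, 0.0, 0.0], "C": [0.9, 0.1, 0.0, 0.2],
    "D": [0.0, 0.0, 0.0, 1.0], "E": [0.8, 0.2, 0.1, 0.1], "F": [0.0, 0.0, 1.0, 0.0],
    "<END>": [-1.0, -1.0, -1.0, -1.0],
}
# Constructed outputs of the previous stage: (node, time step, max intrusion probability, embedding).
NODE_OUTPUTS = [("A", 1, 0.90, EMBED["A"]), ("B", 2, 0.20, EMBED["B"]), ("C", 3, 0.80, EMBED["C"]),
                ("D", 4, 0.30, EMBED["D"]), ("E", 5, 0.85, EMBED["E"]), ("F", 40, 0.95, EMBED["F"])]
DIM, HID, MAX_LEN = 4, 4, 5
rng = random.Random(3)   # untrained, reproducible RNN weights standing in for the trained network


def rand_mat(r, c):
    return [[rng.uniform(-0.5, 0.5) for _ in range(c)] for _ in range(r)]


WX_E, WH_E = rand_mat(HID, DIM), rand_mat(HID, HID)                       # encoder RNN
WX_D, WH_D, WO = rand_mat(HID, DIM), rand_mat(HID, HID), rand_mat(DIM, HID)  # decoder RNN + output map


def cosine(a, b):
    na, nb = math.hypot(*a), math.hypot(*b)
    return sum(x * y for x, y in zip(a, b)) / (na * nb) if na and nb else 0.0


def candidate_segments(outputs=NODE_OUTPUTS, p_thr=0.6, sim_thr=0.5, gap=3):
    """Claim 8: probability threshold, then time-density clustering gated by embedding similarity."""
    cands = sorted((o for o in outputs if o[2] > p_thr), key=lambda o: o[1])
    segs = []
    for o in cands:
        prev = segs[-1][-1] if segs else None
        if prev and o[1] - prev[1] <= gap and cosine(o[3], prev[3]) > sim_thr:
            segs[-1].append(o)
        else:
            segs.append([o])
    return segs


def rnn_step(wx, wh, x, h):
    return [math.tanh(sum(wx[i][j] * x[j] for j in range(len(x))) + sum(wh[i][j] * h[j] for j in range(len(h))))
            for i in range(len(wx))]


def encode(embeds):
    """Final hidden state of the encoder is the latent space vector."""
    h = [0.0] * HID
    for x in embeds:
        h = rnn_step(WX_E, WH_E, x, h)
    return h


def decode(context, max_len=MAX_LEN):
    """Greedy decoding: each output is snapped to the nearest dictionary node, which feeds the next step."""
    h, x, seq = context, [0.0] * DIM, []     # first decoder input is a zero vector (assumption)
    while len(seq) < max_len:
        h = rnn_step(WX_D, WH_D, x, h)
        out = [sum(WO[i][j] * h[j] for j in range(HID)) for i in range(DIM)]
        node = max(EMBED, key=lambda n: cosine(out, EMBED[n]))
        if node == "<END>":
            break
        seq.append(node)
        x = EMBED[node]
    return seq


def post_process(decoded, anchors):
    """Pin every initial node to its own slot; None marks slots the decoder left unfilled."""
    seq = list(decoded) + [None] * max(0, max(anchors) + 1 - len(decoded))
    for slot, node in anchors.items():
        seq[slot] = node
    return seq


def reconstruct(segment):
    """Initial sequence of one candidate segment -> complete sequence with initial nodes held in place."""
    t0 = segment[0][1]
    anchors = {o[1] - t0: o[0] for o in segment}   # slot = time offset from the segment start (assumption)
    return post_process(decode(encode([EMBED[o[0]] for o in segment])), anchors)
```

With the constructed input, nodes A, C and E (high probability, adjacent in time, similar embeddings) form one segment and F (40 steps later) another; reconstructing the first segment yields a five-slot sequence in which A, C and E occupy slots 0, 2 and 4 whatever the untrained decoder produced for the slots between them. Whether the filled-in intermediate nodes are plausible is entirely a property of the trained decoder; the post-processing only guarantees that observed nodes are never displaced by generated ones.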
10. A computer device, characterized in that it comprises: a processor; and a memory, wherein the memory stores computer-readable code that, when executed by the processor, causes the processor to perform the method according to any one of claims 1 to 9.