A deception defense method for building network dream based on servo transformation and cross-layer entrapment

By constructing a network dream deception defense method based on dynamic transformation and cross-layer trapping, the problem of insufficient threat coverage and lack of dynamic evolution capability of traditional honeypot technology in complex network environments is solved, and efficient, covert and highly adaptable network security protection is achieved.

CN121967091BActive Publication Date: 2026-07-14SOFTPOLE NETWORK TECH (BEIJING) CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
SOFTPOLE NETWORK TECH (BEIJING) CO LTD
Filing Date
2026-04-01
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

Traditional honeypot technology suffers from insufficient threat coverage depth, lack of dynamic evolution capabilities, and unbalanced countermeasure costs in complex network environments, making it difficult to meet the protection needs of new threats.

Method used

A network dream deception defense method based on dynamic transformation and cross-layer trapping is adopted. By constructing a trap network, pre-emptive deception and centralized trap control, virtual nodes are used to rebuild network connections. Intelligent decision engine-driven topology reconstruction and multi-layer expansion are implemented to form a dynamically evolving network dream, which prolongs the attacker's residence time and improves the defense effectiveness.

Benefits of technology

It achieves efficient, covert, and adaptable network security protection in complex network environments, balances defense and attack costs, and provides continuous and systematic defense capabilities.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN121967091B_ABST
    Figure CN121967091B_ABST
Patent Text Reader

Abstract

The application discloses a deception defense method for constructing a network dream based on follow-up transformation and cross-layer entrapment, takes a follow-up transformation intelligent decision engine as a core, combines a high simulation trapping network with a preposition induction mechanism, implements luring on a real network side, implements transformation, superposition and entrapment in the trapping network, makes attack paths and visible assets continuously evolve with attack behaviors, constructs a dynamically evolved and multi-layer progressive network dream environment, and solves problems such as bait staticity, difficulty in follow-up transformation, and insufficient depth defense in traditional trapping defense, so as to prolong the residence time of attackers in the trapping environment, significantly improve attack cost, and completely collect attack behavior chains, thereby providing support for subsequent attack tracing and depth defense optimization, and realizing a sustainable evolution of systematic defense deception ability.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention belongs to the field of information security technology, specifically relating to a deception defense method based on dynamic transformation and cross-layer trapping to construct a network dream. Background Technology

[0002] The core objective of traditional proactive deception defense systems is to provide a basis for defense decisions by capturing attacker behavior. Among them, honeypot technology, as a typical threat detection technique, mainly attracts attackers to access fake virtual targets by deploying them, and records their behavior to analyze their attack intentions and methods.

[0003] In enterprise networks, low-interaction honeypots and high-interaction honeypots are typically deployed in layers as independent devices or software. Low-interaction honeypots are deployed at the boundary layer to simulate common services and intercept initial penetration attempts. High-interaction honeypots are deployed at the core layer to simulate industrial protocols and capture targeted attacks. The traffic-driving layer uses optical mirroring or SDN technology to direct some traffic to honeypots to generate threat intelligence.

[0004] However, its technical characteristics are in significant conflict with actual needs, and it has three core defects in network security protection: static configuration leads to insufficient threat coverage depth, single-layer defense architecture leads to lack of dynamic evolution capability, and the imbalance of adversarial costs exacerbates the defense disadvantage. These defects seriously restrict its actual effectiveness in complex network environments, especially in critical information infrastructure protection scenarios.

[0005] Specifically, static configuration leads to insufficient threat coverage depth. Traditional honeypots employ a static spoofing model, where their topology, protocol interaction logic, and business data are all based on preset templates and fixed configurations. This design suffers from two fatal flaws in complex network environments: rigid protocol emulation and fixed business logic. Rigid protocol emulation means that dynamic state management and context awareness of critical protocols cannot be achieved, allowing attackers to identify spoofing characteristics simply by sending distorted packets. Fixed business logic means that when the protected target is upgraded with new functional modules, the honeypot, lacking a dynamic update mechanism, cannot cover the newly exposed attack surface. Attackers can then infer the upgrade content through publicly available intelligence and directly bypass the honeypot to attack real assets. Attackers only need simple protocol field analysis or publicly available information collection to identify spoofing characteristics such as abnormal honeypot response timing and missing instruction sets, leading to defense failure.

[0006] Single-layer defense architecture leads to a lack of dynamic evolution capabilities. The flat, single-layer deployment of traditional honeypots results in two problems: ineffective perimeter defense and a lack of buffer layers. Low-interaction honeypots can only simulate basic services and cannot cover the deep interaction logic of critical protocols. Attackers can quickly determine the authenticity of a honeypot through protocol field integrity checks, leading to perimeter defense failure. While high-interaction honeypots support complex protocol simulation, they lack a progressive trapping design. Furthermore, the lack of buffer layers allows attackers to directly access core assets after breaching the initial defenses, creating a passive situation of exposure and resistance. Experimental data shows that the exposure time of real assets is significantly shortened, enabling attackers to quickly carry out lateral movement and steal core data.

[0007] The imbalance between attack and defense costs exacerbates defensive disadvantages. The contradiction between high investment and low returns in traditional honeypots is mainly reflected in two aspects: the huge resource consumption of high-interaction honeypots and the limited effectiveness of low-interaction honeypots. High-interaction honeypots require complete simulation of the business system protocol stack, resulting in high annual costs for a single set of equipment and continuous investment in manpower to maintain the rule base; while low-interaction honeypots can only capture surface attack characteristics, with limited defensive value. Attackers can use low-cost tools to identify honeypot characteristics in batches, creating a natural dilemma of being easy to attack but difficult to defend.

[0008] In summary, the three major shortcomings of traditional honeypot technology stem from the fundamental conflict between static design concepts, dynamic attack and defense requirements, and high investment with low returns. These problems make it difficult for traditional honeypots to meet the threat detection needs in complex network environments and to cope with new threats. There is an urgent need for a new proactive deception defense solution that integrates intelligent simulation, dynamic evolution, and cost optimization to achieve a technological transformation from passive trapping to proactive deception and from fixed response to dynamic adaptation. Summary of the Invention

[0009] In view of this, the present invention provides a deception defense method based on dynamic transformation and cross-layer confinement to construct a network dream. It is implemented in collaboration with three parts: trap network construction, pre-emptive deception, and centralized trap control. On the real network side, external inducement and suspicious session diversion are implemented through pre-emptive nodes. Inside the trap network, the dynamic transformation intelligent decision engine drives topology reconstruction, multi-layer expansion, and long-term confinement, enabling attackers to stay continuously in the multi-layered evolving network dream and generate a complete behavioral chain.

[0010] The deception defense method for constructing a network dream based on dynamic transformation and cross-layer trapping provided by this invention includes the following steps:

[0011] The decoy network is constructed by reconstructing a virtual network with the same connection relationship as the target network using virtual nodes as network nodes. A template library of normal traffic generation topology and decoys is constructed, and a data acquisition and integration module, a dynamic intelligent decision engine, an execution control module, and a mapping management module are deployed. On the target network side, front-end nodes that expose the decoy entry point, traffic acquisition components, and rule judgment components are deployed. The decoy network is a dynamic system that is driven by strategy and continuously evolves.

[0012] When an attacker attempts to establish a network connection with a front-end node, the traffic collection component generates access logs and session records, marking the established sessions as potential attack behaviors and storing them in the log queue; the rule determination component calculates risk scores and adds sessions with scores greater than a threshold to the suspicious session table, determining the inducement strategy of the corresponding front-end node; the front-end node switches the relevant upstream target nodes in the suspicious session table to the entry nodes of the trap network according to the inducement strategy;

[0013] When the attacker interacts with the trapping network, the data acquisition and integration module collects dynamic data and integrates it with suspicious session information and log queues to form fused data. This data is then input into the dynamic transformation intelligent decision engine to obtain policy instructions. The execution control module matches templates from the template library according to the policy instructions and adjusts the trapping network to form a network dream.

[0014] When an attacker attempts to breach the current trapping layer, the adaptive intelligent decision engine determines, based on the fused data, that the attack should enter a multi-layer stacking stage and outputs a strategy instruction to guide the attacker to the deep trapping network. The execution control module matches the deep trapping topology template and the highly realistic decoy service template, instantiates the template to construct the deep trapping subnet, and the mapping management module issues routing rules to map the current attack session to the deep trapping subnet.

[0015] When an attacker performs an attack operation in the deep trapping subnet, the adaptive intelligent decision engine forms a strategy instruction for controlling the timing of the response based on the fused data. The execution control module matches the template to maintain the attacker's activity and advance awareness.

[0016] Furthermore, the adaptive transformation intelligent decision engine models the trapping network and the attack-defense interaction process as a partially observable multi-agent reinforcement learning environment. Where S is the state space, i.e. the real state of the environment, which includes the topology of the trap network, the attributes of the nodes and the decoys, and the attack stage. To attack the observation space of intelligent agents, To defend the observation space of intelligent agents, To attack the action space of an intelligent agent. The action space of the defensive agent; T is the state transition function, representing the rule that triggers changes in the environment state for offensive and defensive actions; Rewards for attackers Rewards for defenders; This is a discount factor used to balance short-term and long-term returns;

[0017] A GRU recursive structure is used to temporally encode historical observation sequences to generate belief states: ,in, This represents the belief state of the attacking side. This represents the belief state of the defensive side. and Both are GRU architectures. For multiple attacking agents to observe the observation space of the attacking agent, To defend against multiple defensive intelligent agent observations in the intelligent agent observation space;

[0018] The action space of an attacking agent includes strategic actions, which are mapped to tool calls and data packet operations at the environment layer; the action space of a defensive agent includes two main categories: topology reconstruction and decoy replacement.

[0019] Furthermore, the execution control module adopts a parameter parsing function. Build, to defend the actions of intelligent agents and the belief state of the defensive side Mapped to execution parameters , ,in, For the trapping topology map, For the decoy attribute matrix, For topology template library, Execution parameters for bait profiling and service template library The set of executable configurations in the control layer for dynamic transformation is used to drive virtualization, container orchestration, and network controller instantiation, connectivity adjustment, and decoy profile replacement.

[0020] Furthermore, set within a time window Within, the attacker's interaction with the trapping network generates session sets. Increment by attacker dwell time Incremental completeness of behavioral chain and the incremental complexity of lateral movement paths As a positive indicator, the number of incidents where traps were detected is used. Construct defensive-side rewards for negative indicators :

[0021]

[0022] in, , , and All are weighting coefficients.

[0023] Furthermore, the attacking agent and the defending agent constitute a zero-sum offensive and defensive adversarial process, and the attacking agent's reward function... Represented as This leads to a zero-sum optimization objective:

[0024]

[0025] in, For defense strategy networks, For attack strategy networks; In order to be in and Under the adversarial game, the expected optimization objective for the cumulative defense reward of the discount; The discount factor is denoted by t. Let be the actual state of the environment at time t. Let t be the action of the defensive agent. Let t be the action of the attacking agent. Let t be the instantaneous reward value obtained by the defensive agent at time t.

[0026] Furthermore, the defense strategy is trained using an Actor-Critic algorithm optimized for near-end strategies, specifically as follows:

[0027] Constructed as a state of defensive belief The input is the probability distribution of the high-level policy action, and the output is the parameter. Policy network The long-term trapping benefit of the current belief state is evaluated, with the following parameters: value network The policy network and the value network share the GRU temporal coding structure at the front end;

[0028] Under the current strategy Collect multiple rounds of attack and defense interaction trajectory data and construct probability ratios. :

[0029]

[0030] Calculate the advantage function using generalized advantage estimation :

[0031]

[0032] in, For timing difference error, To determine the reward that the defensive agent receives at time t. The defensive belief state at time t+1. The attenuation coefficient is the estimate of the generalized advantage. The length of the time window used for advantage estimation;

[0033] The policy parameter θ is updated using the PPO objective function based on the pruning probability ratio. The PPO objective function... for:

[0034]

[0035] in, For the expected value of the time step samples, For the clipping function, This is the clipping threshold;

[0036] By minimizing value error loss Update the value network parameters ω, where, Let t be the target value at time t.

[0037] Furthermore, during the offline training phase, configurable trapping topologies and bait templates are deployed in the simulation environment. Multiple rounds of attacks are launched by the attacking agent to generate rich attack and defense interaction trajectories. The defense strategy network iteratively optimizes the trajectory data and converges to a follow-up transformation strategy that maximizes long-term trapping benefits.

[0038] During the online deployment phase, only the trained and converged defense strategy network, value network, and parameter parsing module are loaded. During online runtime, attack behavior is collected in real time to update defense observations and belief states. The strategy network outputs actions that change accordingly, and the parameter parsing module generates execution parameters.

[0039] During online operation, the trapping revenue is statistically analyzed and fed back to the engine as a reward, continuously driving strategy optimization and enabling the trapping network to continuously adapt and evolve.

[0040] Furthermore, the method of reconstructing a virtual network with the same connection relationship as the target network using virtual nodes as network nodes is as follows: In a resource pool isolated from the real target network, virtual machine clusters and container clusters are used to instantiate virtual hosts and containerized service services into virtual nodes in batches according to a predefined topology template. Flow table rules are issued through virtual switches and SDN controllers to construct a virtual target network with the same connection relationship as the real target network using virtual nodes as network nodes.

[0041] Furthermore, the method for constructing normal traffic is as follows: normal traffic that conforms to the real time-series distribution is constructed by replaying existing typical business traffic and generating scripted traffic.

[0042] Furthermore, while redirecting suspicious sessions to the trapping network, access control policies or routing isolation rules are applied to the original access path on the real target network side.

[0043] Beneficial effects:

[0044] This invention is based on the fundamental idea of ​​constructing a simulated network, guiding attack traffic, and dynamically changing the defense array. It forms a multi-layered parallel simulated network by replicating or associating with the user's real network, and pre-deploys decoy nodes to guide attack traffic, avoiding direct exposure of the real system and forming a decoy network construction capability oriented towards real-world scenarios. Based on attack behavior analysis, it implements dynamic network transformation, dynamically adjusting the simulated network topology and interaction logic to form an evolutionary mechanism where the honeycomb array moves in response to the attacker's actions, preventing identification. Employing a deployment method of pre-decoy and centralized decoy, it disperses attack traffic and extends attack paths, achieving a systematic defense that responds to concealment with concealment, the unknown with the unknown, and the continuous with the continuous. This balances the adversarial costs for both the defender and the attacker, ultimately realizing a transformation from passive exposure to active decoy, from static defense to dynamic confrontation, and from high-cost game to equilibrium and balance, providing efficient, covert, and highly adaptable network security protection for critical information infrastructure. Attached Figure Description

[0045] Figure 1 This is a schematic diagram of the processing flow of the deception defense method for constructing a network dream based on dynamic transformation and cross-layer trapping provided by the present invention.

[0046] Figure 2 This is a schematic diagram of the follow-up transformation logic in the deception defense method for constructing a network dream based on follow-up transformation and cross-layer trapping provided by the present invention. Detailed Implementation

[0047] The present invention will be described in detail below with reference to the accompanying drawings and embodiments.

[0048] The deception defense method based on dynamic transformation and cross-layer trapping, provided by this invention, is based on the core idea of ​​a network dream environment. This system uses a dynamic transformation intelligent decision engine as its core, combining a highly realistic decoy network with a pre-emptive inducement mechanism. By implementing inducement and attraction on the real network side and transformation, overlapping, and trapping within the decoy network, the attack path and visible assets continuously evolve with the attack behavior, constructing a dynamically evolving, multi-layered, progressive network dream environment. Addressing the problems of static decoys, difficulty in dynamic transformation, and insufficient defense-in-depth in traditional decoy defense, this method continuously adjusts the topology and decoy services in a controlled simulation environment, extending the attacker's dwell time in the decoy environment, significantly increasing attack costs, and fully collecting the attack behavior chain. This provides support for subsequent attack tracing and defense-in-depth optimization, thereby achieving a continuously evolving, systematic deception defense capability.

[0049] The deception defense method for constructing a network dream based on dynamic transformation and cross-layer trapping provided by this invention has the following processing flow: Figure 1 As shown, it includes:

[0050] Step 1: In a resource pool isolated from the real target network, virtual machine clusters and container clusters are used to instantiate virtual hosts and containerized service services into virtual nodes in batches according to predefined topology templates. Flow table rules are issued through virtual switches and SDN controllers to rebuild network connections consistent with the real target network using virtual nodes as network nodes. This virtual target network is then used as a decoy network. Existing typical service traffic replay and scripted traffic generation are used to construct a normal traffic background that conforms to the real time-series distribution, generating node attribute tables, link attribute tables, and topology and decoy templates. A centralized decoy control component is deployed in the decoy network, including a data acquisition and integration module, a dynamic intelligent decision engine, an execution control module, a mapping management module, an evaluation and optimization module, and a topology and decoy template library.

[0051] On the real target network side or in the DMZ area, a reverse proxy node is deployed as a front-end node to expose the constructed decoy entry point. At the same time, a traffic collection component and a rule judgment component are deployed. The front-end node, the traffic collection component, and the rule judgment component constitute the front-end inducement and deception part. The traffic collection component is used to continuously monitor all network data flowing to the decoy entry point, and the rule judgment component is used to calculate the risk score of the session and determine whether the session is a suspicious session based on the score result.

[0052] Specifically, the decoy network is a dynamic system that can evolve continuously driven by policies, rather than simply making single defensive adjustments when an attack occurs. This dynamic transformation becomes a continuous decision-making task driven by the attack sequence. On the virtual nodes of the constructed decoy network, databases, web services, and application middleware are deployed. Anonymized business data and configuration files are imported, and firewall policies, access control lists, and authentication configurations from the real environment are synchronized to generate security policy templates, which are then distributed to the virtual firewall. This ensures that the port openings and access control logic along the attack path are consistent with the real target network environment.

[0053] The front-end nodes are configured with independent domain names, IP ranges, or port combinations. The decoy entry points they construct include fingerprint features such as virtual sites and interfaces, customized service banners, TLS certificates, virtual directories, error page text, and weak password prompts, simulating high-value and easily breached attack surfaces to attract attackers to actively probe.

[0054] The data acquisition and integration module collects data from the decoy network side, including the decoy network topology map, node attribute table, link attribute table, and topology and decoy templates. It also collects data from the front-end nodes, including suspicious session tables, access logs, and referral results. The module then processes the collected multi-source data into standardized, structured data, providing unified input data for the dynamic intelligent decision-making engine. Specifically, the node attribute table includes information such as whether it is a decoy, system type, and attractiveness score; the link attribute table includes information such as bandwidth and latency; the suspicious session table includes information such as source IP, risk level, and triggering rules; the access logs include information such as path, request frequency, and parameters; and the referral results include information such as referral time and target entry node.

[0055] The adaptive intelligent decision engine models the trap network and the attack-defense interaction process as a partially observable multi-agent reinforcement learning environment. It takes the data output by the data acquisition and integration module as input to process policy instructions, so as to realize the real-time dynamic evolution of the trap network with the attack behavior. This allows the network topology and decoy services to continuously change under the attack behavior, forming a dynamic game-like deception defense where the defense changes with each step of the attack.

[0056] The execution control module transforms the received policy instructions from the adaptive intelligent decision engine into specific executable operations. The mapping management module maps sessions to the next-layer decoy subnet and configures routing and session mapping. The evaluation and optimization module statistically analyzes metrics such as dwell time, path complexity, behavior chain completeness, and decoy detection events to evaluate the effectiveness of centralized decoy control and serves as the basis for offline training and policy optimization of the adaptive intelligent decision engine. The topology decoy template library packages topology descriptions of different scales and key node layouts, along with various decoy images, into a template library, providing API calls to other modules.

[0057] Step 2: When attackers probe the decoy entry points exposed by the front-end nodes through port scanning, directory probing, vulnerability scanning, etc., and some of their actions establish formal network connections with the decoy entry points, the traffic acquisition component captures all network traffic related to the decoy entry points. The network traffic includes probe packets that have not established connections and interactive packets that have established connections, generating structured access logs and session records. The access logs and session records include basic data such as source IP, access path, request frequency, and access parameters. For sessions in the network traffic that establish connections with the decoy entry points, they are marked as potential attack behaviors, and their logs and traffic fragments are stored separately in the log queue for key tracking.

[0058] Step 3: The rule determination component periodically analyzes the collected access logs, session records and log queues, calculates the risk score for each session based on the built-in rules, adds sessions with risk scores greater than the preset threshold to the suspicious session table, and dynamically adjusts the inducement strategy of the corresponding front node for the session, and sends the inducement strategy to the corresponding front node to further attract attackers to deepen the interaction.

[0059] According to the inducement strategy, the front-end node switches the upstream target node of the source address and session identifier marked in the suspicious session table from the current front-end node to the entry node of the trap network. During the switching process, the domain name, URL structure and session identifier are kept unchanged through session persistence and connection reuse mechanisms to ensure that the attacker is unaware and mistakenly believes that he is still interacting with the initial target. At the same time, access control or routing isolation rules are applied on the real business network side to prevent suspicious sessions from reaching real assets. The session identifier, inducement time and triggering rules during the traffic diversion process are obtained as suspicious session information and reported to the data collection and integration module to provide a basis for the initialization of subsequent trap strategies.

[0060] Furthermore, while redirecting suspicious sessions to the trapping network, access control policies or routing isolation rules are applied to the original access path on the real business network side to prevent the session from continuing to reach the real business system.

[0061] Step 4: When an attacker enters the decoy network to perform further attack operations and continuously interacts with the virtual nodes and decoy services in the decoy network, the data acquisition and integration module collects dynamic data of the decoy network in real time, including the current topology map, node interaction logs, and attacker behavior trajectory. This data is then merged with the suspicious session information and attack behavior logs reported by the front-end nodes to form fused data. The fused data is input into the adaptive intelligent decision engine, which outputs policy instructions. After receiving the policy instructions, the execution control module calls the topology and decoy template library to obtain a matching topology and decoy template. Then, according to the policy instructions, it executes operations such as instantiating new virtual nodes, adjusting the flow table rules of virtual switches, and updating virtual firewall policies to complete the adjustment of the decoy network and create a network dream for the attacker.

[0062] Further attack operations performed by attackers include vulnerability exploitation, lateral movement, and privilege escalation.

[0063] Step 5: When an attacker attempts to breach the current trapping layer, the data acquisition and integration module collects dynamic data of the trapping network in real time and merges it with the previously reported suspicious session information and attack behavior logs to form fused data; the adaptive intelligent decision engine determines whether to enter the multi-layer stacking stage based on the fused data and outputs policy instructions to guide to the deep trapping network.

[0064] After receiving the policy instruction to guide to the deep trap network, the execution control module calls the topology and decoy template library, selects the deep trap topology template and high-fidelity decoy service template that match the current attack scenario, instantiates the selected template in the isolated resource pool of the trap network to build the deep trap subnet, and configures the connection relationship with the upper layer network.

[0065] The mapping management module dynamically distributes routing rules to seamlessly map the current attack session to the deep trapping subnet, while keeping the session identifier, URL structure, and interaction sequence unchanged to ensure that the attacker is unaware of it, and synchronously updates the session state to the data collection and integration module.

[0066] Step 6: When the attacker repeatedly performs attack operations in the deep trap subnet, the data acquisition and integration module continuously collects the attacker's behavioral data, including command sequences, access frequency, and target nodes, to form fused data. The adaptive intelligent decision engine forms strategy instructions such as control response timing, increasing false cue density, or fine-tuning the decoy profile based on the fused data. The execution control module calls the decoy template library in the trap network to complete the execution of strategy instructions, maintain the attacker's activity and advance awareness, thereby spontaneously extending the dwell time and continuously trying new attack paths, achieving the effect of trapping the attacker.

[0067] Furthermore, this invention constructs a dynamically changing intelligent decision-making engine based on a multi-agent reinforcement learning environment, with processing logic as follows: Figure 2 As shown. Specifically, the trapping network and the attack-defense interaction process are modeled as a partially observable multi-agent reinforcement learning environment, denoted as: Where S is the state space, i.e. the real state of the environment, which includes the topology of the trap network, the attributes of the nodes and the decoys, and the attack stage. To attack the observation space of intelligent agents, To defend the observation space of intelligent agents, To attack the action space of an intelligent agent. The action space of the defensive agent; T is the state transition function, representing the rule that triggers changes in the environment state for offensive and defensive actions; Rewards for attackers Rewards for defenders; This is a discount factor used to balance short-term and long-term gains. For example, defenders won't expose their decoys to extend their stay by one minute in the short term; instead, they prioritize ensuring a sustained, long-term hold. Its purpose is to make the strategy focus more on long-term benefits.

[0068] Specifically, at every moment state space It consists of three parts: the trapping topology map Node and decoy attribute matrix and attack phase label vectors .in, This is the set of currently available hosts and service nodes. This refers to the connection relationships between nodes. for The feature matrix is ​​3D, with each row containing features such as whether a node is a decoy, the type of operating system it runs on, the type of business it provides, and its attractiveness score to attackers. This represents the currently inferred attack phase, such as scanning, exploitation, lateral movement, or privilege escalation. The aforementioned true state exists only within the environment; neither the attacking nor the defending agent can directly observe it, but can only obtain partial states through their own observations.

[0069] Observation of attacking intelligent agents The network view and interaction results currently visible to the user, including the set of currently reachable nodes, open ports and service identifiers observable on that set, response codes from historical scans and exploit attempts, round-trip latency statistics, etc., form discrete and continuous information. The discrete information includes the set of reachable nodes, ports, protocols and service types, response codes and event types, while the continuous information includes statistics such as round-trip latency, response time, request frequency, and failure rate. This invention encodes this discrete and continuous information into vectors. , as input to the attacking agent. Indicates time The network visible subgraph observable by the attacker. For the set of reachable nodes, The observable connections on it; Indicates the attacker's actions up to the specified time. The sequence of interaction logs includes the probe or exploit actions initiated and the response codes, error types, latency, and key fields returned; This is an observation encoding function used to characterize, normalize, and fuse network visible topology information with discrete event features and continuous statistical features from interaction logs, generating a fixed-dimensional observation vector. Corresponding instances are used on the attack and defense sides respectively. and Implement this encoding process.

[0070] Observation of defensive intelligent agents The data comes from attack behavior logs and topology status collected from the network side, including the number of attack requests within a time window, the frequency distribution of access to different hosts, and the feature embeddings of suspected malicious commands or payloads. These observations are encoded into vectors. This serves as a moment-to-moment observation for the defensive side. Among them, For a moment Trapping network topology, The log sequence collected by the defense side includes request counts, target distribution, alarm types, payload or command fragment characteristics, etc.

[0071] Since observations at a single moment cannot fully characterize attack intent and trapping effects, this invention employs a time-series encoding module to construct belief states. The attacking and defending sides utilize parameterized recursive structures respectively. and Generate belief states by encoding historical observation sequences:

[0072]

[0073] in, This represents the belief state of the attacking side. This represents the belief state of the defensive side. and This can be specifically implemented as a GRU structure, for example, using it on the defense side:

[0074]

[0075] Thus, the state of belief on the defensive side The explicit preservation of the attack behavior evolution trajectory and past trapping effects allows subsequent strategy decisions to consider cross-time dependencies rather than greedy responses based on single-step attack behavior.

[0076] Regarding the action space, this invention abstracts attack and defense behaviors into a finite number of policy-level action templates to avoid state-action space explosion caused by excessively fine-grained underlying operations. (Action space of the attacking agent) This includes strategic actions such as scanning, vulnerability exploitation, lateral movement, brute-force attacks, privilege escalation, data leakage, and waiting. These actions are mapped to specific tool calls and data packet manipulations at the environment layer. This constitutes the action space of the defensive agent. This discussion focuses solely on two core directions of the follower transformation: topology reconstruction and decoy replacement. These are further subdivided into several subtypes: Topology reconstruction includes topology addition. Key node reconstruction Reconnecting to the path The direction of decoy replacement includes decoy image replacement. Improved bait simulation With reduced decoy simulation .

[0077] At the strategy layer, the defense strategy network Receive the belief state of the defensive side It outputs the high-level action category, which is the strategy instruction. In this context, the belief state on the defense side represents a comprehensive posterior representation of the defense's situation based on historical observation sequences, considering factors such as attack phases, attack hotspot distribution, attack depth, decoy effectiveness, and detection risk—all aspects of the attack landscape that cannot be fully observed. This output does not directly generate parameters such as which specific host to operate on, how many nodes to add, or which business system to replace it with; the specific execution details are automatically derived by the subsequent execution control module based on the current network status and attack distribution.

[0078] Furthermore, in order to map policy instructions into executable follow-up transformations, this invention employs a parameter parsing function. Build an execution control module, Mapped to execution parameters , ,in, For topology template library, This is a library of decoy profiles and service templates. Execution parameters. This is a set of executable configurations at the control layer that dynamically adapt to changes, driving virtualization, container orchestration, and network controllers to complete instantiation, connectivity adjustments, and decoy profile replacement. It includes target node and link sets, template and image selection identifiers, routing and session mapping parameters, service and masquerade configuration parameters, etc. Taking topology addition as an example, when... At that time, the execution control module first assesses the current attack popularity and risk by selecting a set of candidate network nodes. Calculate the trapping priority score:

[0079]

[0080] in, Represents a node Probability estimate of whether it is accessed or used for lateral movement during the current attack phase. This indicates the attractiveness of the node to an attacker when it is set as a new topology branch or decoy entry point. This indicates the resource cost of expanding a new subnet or service at that node location. , and All of these are weights. Taking into account the resource quotas required to expand new subnets or services at node locations and the estimated instantiation time, all of the above can be obtained from the resource quotas of the virtualization platform and the container orchestration platform, as well as the historical startup statistics of the images.

[0081] The execution control module selects a set of target nodes from multiple nodes in the candidate network node set whose scores are greater than a threshold to form the target node set. Each target node is assigned a topology template and a service template, which together form the specific parameters for adding new topology actions. .

[0082] Similarly, when or At that time, the execution control module will select from the deployed decoy nodes those nodes that are currently being frequently probed or are close to the path of the critical asset. Based on a predefined decoy profile library and simulation level, new system profiles and business configuration parameters are generated, enabling gradual replacement or enhancement from low-value decoys to high-value decoys. In this architecture, the defense strategy network does not directly make specific decisions for each node, but rather outputs strategic choices regarding the direction of action in different transformations. The specific objects and configurations are automatically selected by the parameter parsing module in the current state. This decoupling of the strategy layer and the parameter layer makes the action space dimension primarily determined by… The decision is made by the number of nodes, ports, decoy templates, etc., rather than by the number of combinations, which greatly reduces the search space of reinforcement learning and improves policy convergence and feasibility.

[0083] At the strategy optimization level, this invention constructs a zero-sum offensive-defensive adversarial process, causing the attacking agent and the defending agent to engage in a strategic game around the benefits of trapping. (Defensive side reward function) It does not depend on whether the parameters of a particular topology reconstruction or decoy replacement step are optimal, but is defined based on the change in the trapping effect within a windowed time period. Let the time window be... Within, the attacker's interaction with the trapping network generated a session set. This invention uses the attacker's dwell time increment. Incremental completeness of behavioral chain and the incremental complexity of lateral movement paths The primary positive indicator is the number of incidents where trapping was detected. Construct defensive rewards for negative indicators:

[0084]

[0085] in, This can be obtained by comparing the average difference between the current window and the historical baseline window duration of the attack session. It can be measured by statistically analyzing the changes in ATT&CK attack phase coverage and attack step sequence length. It can be estimated from the changes in the length of the lateral path and the number of branches generated by the attacker in the trap network. This can be obtained by counting the number of events in the attacker's access behavior that clearly exhibit decoy-like characteristics. The reward for the attacking agent is defined as follows: This leads to a zero-sum optimization objective:

[0086]

[0087] make defensive strategies It converges to a dynamic, adaptive behavior pattern that maximizes the benefits of trapping in long-term interactions, rather than responding locally optimally to a single attack event.

[0088] Furthermore, this invention employs an Actor-Critic structure based on Proximal Policy Optimization (PPO) to optimize the defense strategy. In order to defend the state of belief The policy network is the input. As corresponding value networks, both share the front-end temporal coding structure. During the training process, this invention first applies the current strategy. Collect multiple attack and defense interaction trajectory data and construct the probability ratio for each step:

[0089]

[0090] Calculate the advantage function using generalized advantage estimation:

[0091]

[0092] in, This represents the advantage estimate at time t. For timing difference error, This represents the immediate reward received by the defensive agent at time t. For parameters The value network estimates the long-term payoff for a given belief state. These represent the defensive belief states at times t and t+1, respectively. This is a discount factor used to weigh short-term and long-term returns. The attenuation coefficient is the estimate of the generalized advantage. The length of the time window used for advantage estimation.

[0093] And using the PPO objective function based on the pruning probability ratio:

[0094]

[0095] Policy network parameters Update while minimizing value error loss. Update value network parameters .in, This represents the expectation for the samples at time step. This represents the probability ratio between the current policy and the old policy. The pruning function is used to limit the update range of the probability ratio. The pruning threshold is used to control the policy update step size. Let t be the target value. This optimization process improves the trapping reward while ensuring the policy update step size is controlled, enabling the defensive agent to stably learn effective adaptive policies in complex POMDP environments.

[0096] In a multi-agent extended setting, this invention adopts a centralized value assessment approach, which integrates the belief states of both the attacker and defender. They are input into the value network for joint evaluation, and each is targeted separately. and PPO updates are applied to achieve self-game optimization of attack and defense strategies within a zero-sum Markov game framework. In the actual deployment phase, only the trained and converged defense strategy network is loaded. The corresponding value network no longer runs the attack strategy network, thus avoiding the introduction of additional attack traffic into the real environment.

[0097] In practical implementation, the adaptive intelligent decision engine adopts a combined approach of offline training and online deployment. During the training phase, configurable decoy topologies and bait templates are deployed in a simulation environment. Multiple rounds of attacks are conducted on the network using scripted or learning-based attack agents, generating rich attack-defense interaction trajectory data. The defense strategy network iteratively optimizes this trajectory data based on the aforementioned PPO algorithm, gradually learning to select appropriate topology reconstruction or decoy replacement directions at different attack stages. After training convergence, only the trained defense strategy network is loaded during the actual deployment phase. In conjunction with the execution control module, when running online, the decoy network detects new attack behaviors and updates its observations. Then, the encoding module updates the belief state. The policy network calculates the follow-up action. The execution control module generates specific execution parameters. Subsequently, the execution module gradually adjusts the underlying topology or decoy profile without interrupting or significantly interfering with the current attack session, causing the network structure from the attacker's perspective to evolve continuously rather than change abruptly. The execution of actions does not directly generate command-style feedback for the next round of decisions, but rather reflects the evolutionary trend of the attacker's behavior in the reward signal over a longer time scale, driving the continuous evolution of the strategy.

[0098] Example:

[0099] This embodiment employs the deception defense method based on dynamic transformation and cross-layer trapping to construct a network dreamscape provided by the present invention. With the cooperation of the dynamic transformation intelligent decision engine strategy, a progressively advancing network dreamscape is formed to achieve cross-layer trapping of attackers. Specifically, it includes the following steps:

[0100] S1. Construct a highly realistic and dynamically adjustable decoy network. In a resource pool isolated from the real business network, utilize a KVM-based virtual machine cluster and a Kubernetes-based container cluster to batch instantiate virtual hosts and containerized business services according to a predefined JSON topology template. Rebuild Layer 2 and Layer 3 connectivity consistent with the real network by issuing flow table rules through Open vSwitch virtual switches and SDN controllers. Deploy databases, web services, and application middleware on virtual nodes using scripts, and import anonymized business data and configuration files. Simultaneously, synchronize firewall policies, access control lists, and authentication configurations from the real environment to generate security policy templates, which are then distributed to the virtual firewall to ensure that port openings and access control logic along the attack path are consistent with the real environment. Combine typical business PCAP traffic replay and scripted traffic generation to construct a normal traffic background that conforms to real-time distribution. During the construction process, generate node attribute tables, link attribute tables, and various topology and decoy template libraries, providing a simulation runtime environment and a searchable topology parameter space for subsequent dynamic intelligent decision-making engine calls.

[0101] S2. Collect front-end node traffic and interaction logs to identify potential attack behaviors. Deploy reverse proxy nodes for the front-end deception component on the real network side or in the DMZ area, and deploy traffic collection components as needed to continuously monitor externally-facing decoy entry points. The front-end nodes record information such as the access path, request frequency, request method, and typical parameters for each source address. The traffic collection components capture network traffic related to the decoy entry point, generating access logs and session records locally to provide raw data for subsequent rule-based behavior determination. Sessions that establish connections with the decoy entry point are considered potential probes or attacks by default, and their access logs and traffic fragments are stored in a log queue to support the identification of scanning traversal, abnormally high-frequency requests, and unconventional path probes.

[0102] S3. Determine attack intent and generate inducement responses based on front-end node behavior analysis. The front-end inducement and deception part periodically analyzes the collected front-end node access logs. Using built-in rule-based judgment logic, it identifies scanning, brute-force attempts, and other abnormal access patterns based on indicators such as request frequency, path patterns, and parameter characteristics. A risk score is calculated for each session and written to the suspicious session table. When the risk score exceeds a preset threshold, the session is marked as a suspicious session, and the response strategy of the front-end node is adjusted. For example, it may return a weak fingerprint banner, expose a seemingly vulnerable virtual directory, or a fake login interface to enhance its attractiveness to attackers and guide them to continue deepening their interaction. At the same time, the behavioral characteristics of the session are continuously supplemented and updated to provide a basis for subsequent traffic diversion and trapping strategies.

[0103] S4. Redirect suspicious attacks to the decoy network and implement isolation and protection. When the front-end deception and deception unit determines a session is suspicious and prepares to decoy it, it dynamically adjusts the upstream target of the reverse proxy node based on the suspicious session table. For the marked source address and session identifier, its upstream target is switched from the local simple decoy response to the decoy network entry node. While maintaining the exposed domain name, URL structure, and session identifier, a path switch that is imperceptible to the attacker is achieved through session persistence and connection reuse mechanisms. Simultaneously, access control policies or routing isolation rules are applied to the original access path on the real business network side to prevent the session from continuing to reach the real business system. Information such as session identifier, redirection time, and triggering rules during the redirection process is structured and reported to the centralized decoy control unit as one of the inputs for subsequent decoy strategy initialization and dynamic change decisions.

[0104] S5. The dynamic transformation of the decoy network is triggered by a dynamic transformation intelligent decision engine. When an attacker enters the decoy network and engages in continuous interaction, the centralized decoy control unit inputs the topology state, node attribute table, and template library provided by the decoy network construction unit, along with suspicious session information and attack behavior logs reported by the pre-deception and inducement unit, into the dynamic transformation intelligent decision engine. This treats the current decoy network and the attack-defense process as a partially observable dynamic game environment. The engine models a partially observable Markov decision process and uses a time-series encoding module to temporally encode the defense-side observations, forming a defense belief state that includes the evolution trajectory of attack behavior and past decoy effects. Driven by a reinforcement learning policy network, it selects appropriate dynamic transformation strategies in high-level actions such as topology reconstruction and decoy replacement. The centralized trapping control unit generates specific transformation instructions such as adding new branches, reconnecting paths, replacing decoy profiles, and adjusting simulation levels based on the strategy. It calls the API provided by the trapping network construction unit to gradually adjust the underlying topology and decoy services without interrupting the current session. This ensures that the network view and visible assets change with each step the attacker takes, thus forming a dynamic game-like trapping process where the attack changes with each step of defense.

[0105] S6. Expanding the multi-layered decoy network to form a progressive dream stack. As the attack deepens and the decoy process progresses, the centralized decoy control unit, based on the topology reconstruction-type transformation strategy output by the adaptive transformation intelligent decision engine, combined with operational indicators such as the current session's dwell time, access path depth, and key node reach, determines whether to guide the attack session to a deeper layer of the decoy network. When preset conditions are met, a deep decoy topology and clue layout matching the current attack scenario are selected from the topology template library. A new subnet and decoy service are instantiated in the resource pool provided by the decoy network construction unit, and corresponding routing and session mapping rules are configured. The current attack session is switched to the next layer of the decoy subnet, while maintaining the continuity of the attacker's perspective, making it difficult for them to judge the true boundary and depth position, thus continuously consuming time and resources in the progressive dream.

[0106] S7. Continuous interaction enables sustained containment and restraint of attackers. Once attackers are guided into a deeper layer of the trapping network, the centralized trapping control unit, guided by the long-term trapping strategy output by the adaptive intelligent decision engine, coordinates the interaction scripts and response strategies within the trapping network. It finely controls the response timing, returned content, clue density, and distribution of false targets, ensuring attackers continuously perceive attack progress and expected gains within the multi-layered trapping environment. This leads attackers to spontaneously extend their dwell time and continuously attempt new attack paths. The system continuously tracks metrics such as dwell time, lateral movement path complexity, attack behavior chain completeness, and decoy detection events. The incremental trapping gains within a windowed time period are fed back to the adaptive intelligent decision engine as a defense-side reward. Under the framework of attack and defense game theory and reinforcement learning algorithm optimization, the adaptive strategy is continuously adjusted, allowing the trapping network to continuously evolve in actual operation, forming a long-term containment, restraint, and control effect on attackers. This provides complete and usable attack behavior data for subsequent attack tracing, threat intelligence generation, and optimization of the defense-in-depth system.

[0107] The Inception-style defense deception system proposed in this invention is structurally composed of a decoy network construction component, a pre-emptive deception component, and a centralized decoy control component. The decoy network construction component builds a highly realistic and dynamically adjustable decoy network in a resource pool isolated from the real business network, based on server virtualization and container orchestration technologies. This provides a simulated operating environment and topology template foundation for attack induction and dynamic transformation. The pre-emptive deception component is deployed on the real network side or in the DMZ area, completing the "luring" and "leading" phases for external attackers. It constructs an attractive attack surface through exposed decoy entry points to induce attacks. When a session is deemed suspicious, a reverse proxy is used to redirect it to the decoy network entry point, and the relevant session and its behavioral characteristics are reported to the decoy side. The centralized decoy control component is located on one side of the decoy network. Based on a dynamically changing intelligent decision engine, it dynamically controls the decoy topology and decoy services according to the logic of "change, overlap, and trap," achieving topology reconstruction, multi-layer expansion, and long-term containment.

[0108] The decoy network construction component serves as the foundational operating environment for this invention. It constructs a highly realistic and dynamically adjustable virtual target network within a resource pool isolated from the real business network, based on server virtualization and container orchestration technologies. By periodically synchronizing the target network's routing table, switching configuration, subnetting, and asset inventory, virtual hosts and containerized business services are batch-instantiated according to a predefined JSON topology template using a virtualization platform (a KVM-based virtual machine cluster) and a container platform (a Kubernetes-based container cluster). Furthermore, the Layer 2 and Layer 3 connectivity relationships, consistent with the real network, are reconstructed using Open vSwitch virtual switches combined with flow table rules issued by the SDN controller. At the business level, a scripted installer installs components such as databases, web services, and application middleware on the virtual nodes, importing anonymized business data and configuration files, ensuring that the decoy nodes present the same interface and response behavior as the real system. At the security level, by reading the real firewall policies, access control lists (ACLs), and authentication configurations, corresponding security policy templates are generated and distributed to the virtual firewall, ensuring that the port openings and access control logic observed on the attack path remain consistent with the real environment. To enhance realism, this section also simulates user behavior through a combination of traffic replay and synthesis. Traffic replay is performed using pre-collected typical business PCAPs, and operations such as login, query, and file transfer are periodically initiated through traffic generation scripts to construct a normal traffic background that conforms to real-time distribution. During the construction process, information such as system type, business role, whether it is marked as a decoy, and available resource quota for each virtual node is organized into a node attribute table. Information such as link bandwidth, latency, and access constraints is organized into a link attribute table. Furthermore, topology descriptions of different scales and key node layouts, along with various decoy images, are packaged into a template library and provided to the dynamic change intelligent decision engine in the form of an API. This allows the engine to quickly create, destroy, or adjust virtual nodes and links based on these templates when it determines that a topology reconstruction or decoy replacement strategy is needed, thereby achieving dynamic adjustment of the decoy network's scale and structure.

[0109] The pre-deception and deception component is deployed on the real network side or in the DMZ area, serving as a decoy entry point exposed to external attackers. A reverse proxy server is used to implement pre-deception and traffic redirection control in two phases: "luring" and "leading." In the "luring" phase, by configuring independent domain names, IP ranges, or port combinations for the pre-nodes, virtual sites and interfaces are deployed on them. Customized service banners, TLS certificate information, directory structures, error page text, and weak password hints are used to create a fingerprint-like attack surface that appears vulnerable and valuable in port scanning, directory probing, and vulnerability scanning tools. The pre-nodes continuously record the access paths, request frequencies, request methods, and typical parameters of each source address. Through built-in rule-based judgment logic, patterns such as scanning traversal, abnormally high-frequency requests, unconventional path probing, and suspected brute-force attempts are scored. When the risk score of a session exceeds a preset threshold, it is marked as a suspicious session and written to the suspicious session table. During the "luring" phase, the front-end node dynamically adjusts the upstream target of the reverse proxy based on the suspicious session table. For marked source addresses and session identifiers, the front-end node no longer generates simple decoy responses locally; instead, its upstream target is switched to the entry node of the trap network. Simultaneously, the exposed domain name, URL structure, and session identifier remain unchanged. Session persistence and connection reuse mechanisms ensure the continuity of interaction with the attacker's end, making the path switching from the front-end node to the trap network imperceptible to the attacker. During operation, the front-end deception component outputs structured front-end node access logs, suspicious session markings, and redirection results, including source IP, access path, trigger rules, risk level, and redirection time, to the centralized trap control unit for subsequent attack phase judgment and strategy initialization.

[0110] The centralized trapping control unit, serving as the global scheduling and strategy decision-making center of this invention, utilizes a dynamic transformation intelligent decision engine. After an attacker enters the trapping network, it employs dynamic transformation and layered containment based on the logic of "change, layering, and trapping" to achieve continuous restraint. During the "change" phase, the centralized trapping control unit receives the topology state, node attribute table, and template library provided by the trapping network construction unit, as well as suspicious session markers and access behavior records output by the pre-deception and induction unit. It models the current trapping network and the attack-defense interaction process as a partially observable dynamic game environment. The dynamic transformation intelligent decision engine, based on partially observable Markov decision processes and reinforcement learning, performs temporal encoding of attack behavior logs and trapping effects. It selects appropriate dynamic transformation strategies in high-level actions such as topology reconstruction and decoy replacement, generating transformation instructions such as adding branches. The execution control module then uses the aforementioned API calls to gradually adjust the trapping network, causing the network structure and visible assets to evolve with the attacker's behavior, forming a dynamic game-like deception defense. In the "stacking" phase, based on the transformation strategy of the adaptive transformation intelligent decision engine and combined with operational metrics such as the current session's dwell time, access path depth, and key node reach, it is determined whether the attack session needs to be guided to a deeper layer of the decoy network. When the triggering conditions are met, the corresponding decoy topology and clue layout are selected from the topology template library, the session is mapped to the next layer of the decoy subnet, and routing and session mapping configurations are completed, realizing multi-layered dream stacking and cross-layer trapping as the attack progresses. In the "trapping" phase, this part, based on the long-term decoy strategy output by the adaptive transformation intelligent decision engine, coordinates the interaction scripts and response strategies in the decoy network to control the response timing, returned content, and clue density, maintaining the attacker's activity and progress awareness in the multi-layered decoy network, extending their dwell time, and guiding them to generate a more complete attack behavior chain. At the same time, metrics such as dwell time, path complexity, behavior chain completeness, and decoy detection events are statistically analyzed to evaluate the effect of centralized decoy control and serve as the basis for offline training and strategy optimization of the adaptive transformation intelligent decision engine.

[0111] By combining the external attraction of "enticement" and the imperceptible flow of "guidance," along with the dynamic transformation of "change," the multi-layered expansion of "overlay," and the long-term restraint of "trapping," this invention constructs a layered defense system similar to "Inception," making it difficult for attackers to discern the real boundaries in a dynamically evolving dream environment. This extends the attack dwell time, increases the attack cost, and achieves a continuous and in-depth defense deception effect.

[0112] The dynamic transformation mechanism proposed in this invention is implemented by a dynamic transformation intelligent decision engine. Its core lies in the defense system's ability to continuously adjust the structure and defense methods of the decoy network as the attack progresses. Specifically, when an attacker performs port scanning, vulnerability exploitation, or lateral movement, the defense system, driven by the dynamic transformation strategy output by the intelligent decision engine, automatically triggers network topology reconstruction and decoy service replacement, ensuring the attacker faces a new and dynamically changing environment at every step. This dynamic adjustment not only disrupts the attacker's existing understanding of the network but also prevents them from quickly identifying the false environment through experience or tools. Compared to traditional static honeypots, dynamic transformation makes each attacker's attempt uncertain and unpredictable, significantly increasing the difficulty and cost of the attack. Simultaneously, the defender can obtain longer-term attack data, including complete command chains, tool usage traces, and behavioral characteristics, through continuous dynamic interactions coordinated by a centralized decoy control unit, providing more valuable evidence for subsequent attribution and strategy optimization.

[0113] This invention designs a multi-layered simulated trapping network environment, forming a progressively advancing "network dreamscape" with the assistance of a dynamically changing intelligent decision engine strategy, achieving cross-layered trapping of attackers. Initially, attackers may only encounter shallow decoy targets, such as basic forged services or interfaces. As they attempt to penetrate deeper, the system guides them into deeper virtual spaces according to the logic of "change, layering, and trapping." These spaces contain more complex business logic, forged data, and the illusion of high-value targets. Each layer has entry conditions and control mechanisms, ensuring that attackers need to continuously expend time, computing resources, and even new tools to advance to the next layer. This progressively layered design allows attackers to be unknowingly drawn into deeper traps, ultimately resulting in a long-term, cross-stage, continuous trapping. During this process, the defender can not only observe the attacker's complete behavioral path but also collect multi-dimensional evidence at different levels, including lateral movement techniques, privilege escalation attempts, and the usage patterns of attack toolchains. Compared to single-layer static honeypots, this multi-layered dream environment, constructed through the integrated synergy of "luring, attracting, changing, overlapping, and trapping," greatly enhances the trapping effect, prolonging the attacker's stay time and consuming their resources, thus reducing the risk of attack on the real network.

[0114] Compared with existing technologies, the technical solution proposed in this invention establishes a dream-space-style defense deception system based on dynamic transformation and cross-layer confinement to construct a network dreamscape, significantly improving network security protection effectiveness through systematic technological innovation. Specifically, this invention relies on dynamic trapping driven by a dynamic transformation intelligent decision engine to achieve precise coverage of the evolution process of attack behavior. Through multi-layered progressive network dreamscapes and cross-layer confinement design, it effectively extends the attack confrontation cycle and significantly increases the complexity of attack paths. Relying on a defense system composed of trapping network construction, pre-emptive deception, and centralized trapping control, it solves the technical contradictions of traditional honeypots: "static configuration leads to resource redundancy, single-layer architecture is easily bypassed, and high cost investment is difficult to sustain," providing a new paradigm of efficient, covert, and sustainably evolving network security protection for critical information infrastructure.

[0115] Finally, it should be noted that those skilled in the art can obviously make various modifications and variations to this invention without departing from its spirit and scope. Therefore, if these modifications and variations fall within the scope of the claims and their equivalents, this invention also intends to include these modifications and variations.

[0116] The above description is merely one embodiment of the present invention, and should not be construed as limiting the scope of the invention. Any structural changes made based on the present invention, as long as they do not depart from the essence of the invention, should be considered as falling within the protection scope of the present invention and subject to its restrictions. Those skilled in the art will clearly understand that, for the sake of convenience and brevity, the specific working process and related descriptions of the method described above can be referred to the corresponding processes in the foregoing method embodiments, and will not be repeated here.

[0117] The term "comprising" or any other similar term is intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus / method that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent in such process, method, article, or apparatus / method.

[0118] The technical solutions of the present invention have been described above with reference to the accompanying drawings and further embodiments. However, it will be readily understood by those skilled in the art that the scope of protection of the present invention is obviously not limited to these specific embodiments. Without departing from the principles of the present invention, those skilled in the art can make equivalent changes or substitutions to the relevant technical features, and the technical solutions after such changes or substitutions will all fall within the scope of protection of the present invention.

[0119] In summary, the above are merely preferred embodiments of the present invention and are not intended to limit the scope of protection of the present invention. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of the present invention should be included within the scope of protection of the present invention.

Claims

1. A deception defense method for constructing a network dream based on dynamic transformation and cross-layer confinement, characterized in that, Includes the following steps: The virtual network, which is reconstructed with virtual nodes as network nodes and has the same connection relationship as the target network, is used as the decoy network. A template library for generating normal traffic topology and decoys is constructed. Topology descriptions of different scales and different key node layouts and various decoy images are packaged into a template library and provided to other modules in the form of API. A data acquisition and integration module, a dynamic change intelligent decision engine, an execution control module and a mapping management module are deployed. On the target network side, a front-end node exposing the decoy entry point, a traffic acquisition component, and a rule determination component are deployed. A reverse proxy node is used as the front-end node, configured with an independent domain name, IP range, or port combination. The decoy network is a policy-driven, continuously evolving dynamic system. The adaptive intelligent decision engine models the decoy network and the attack-defense interaction process as a partially observable multi-agent reinforcement learning environment. It processes the data output from the data acquisition and integration module as input to obtain policy instructions, enabling the decoy network to evolve dynamically in real-time according to attack behavior. The execution control module converts the received policy instructions from the adaptive intelligent decision engine into specific executable operations. The mapping management module maps sessions to the next-layer decoy subnet and completes routing and session mapping configuration. When an attacker attempts to establish a network connection with a front-end node, the traffic collection component generates access logs and session records, marking the established sessions as potential attack behaviors and storing them in the log queue; the rule determination component calculates risk scores and adds sessions with scores greater than a threshold to the suspicious session table, determining the inducement strategy of the corresponding front-end node; The front-end node switches the upstream target node related to the suspicious session table to the entry node of the trapping network according to the inducement strategy; When an attacker interacts with the decoy network, the dynamic data collected by the data acquisition and integration module includes the current topology map, node interaction logs, and attacker behavior trajectory. This data is integrated with suspicious session information and log queues to form fused data. The data is then input into the adaptive intelligent decision engine to obtain policy instructions. The execution control module calls the topology and decoy template library API according to the policy instructions to gradually adjust the underlying topology and decoy services without interrupting the current session. This ensures that as the attacker takes a step forward in the attack, the network view and visible assets change accordingly, thus forming a dynamic game-like decoy process where the attack changes step by step and the defense changes step by step, creating a network dream for the attacker. When an attacker attempts to breach the current decoy layer, the adaptive intelligent decision engine, based on fused data, determines whether to enter a multi-layer stacking stage and outputs policy instructions guiding the attacker to the deep decoy network. The execution control module selects a deep decoy topology template and a highly realistic decoy service template that match the current attack scenario, instantiates the selected template in the decoy isolation resource pool to construct a deep decoy subnet, and configures its connection relationship with the upper-layer network. The mapping management module dynamically distributes routing rules to seamlessly map the current attack session to the deep decoy subnet while maintaining the session identifier, URL structure, and interaction sequence unchanged. When an attacker executes an attack within the deep trapping subnet, the data acquisition and integration module continuously collects the attacker's behavioral data, including command sequences, access frequencies, and target nodes, forming fused data. The adaptive intelligent decision engine then uses this fused data to generate policy instructions that control response timing, increase false cue density, or fine-tune the decoy profile. The execution control module calls the decoy template library in the trapping network to execute these policy instructions, maintaining the attacker's activity and awareness of their progress. This causes the attacker to spontaneously extend their dwell time and continuously try new attack paths, thus trapping them.

2. The deception defense method for constructing a network dream based on dynamic transformation and cross-layer trapping as described in claim 1, characterized in that, The adaptive intelligent decision engine models the trapping network and the attack-defense interaction process as a partially observable multi-agent reinforcement learning environment. Where S is the state space, i.e. the real state of the environment, which includes the topology of the trap network, the attributes of the nodes and the decoys, and the attack stage. To attack the observation space of intelligent agents, To defend the observation space of intelligent agents, To attack the action space of an intelligent agent. The action space of the defensive agent; T is the state transition function, representing the rule that triggers changes in the environment state for offensive and defensive actions; Rewards for attackers Rewards for defenders; This is a discount factor used to balance short-term and long-term returns; A GRU recursive structure is used to temporally encode historical observation sequences to generate belief states: ,in, This represents the belief state of the attacking side. This represents the belief state of the defensive side. and Both are GRU architectures. For multiple attacking agents to observe the observation space of the attacking agent, To defend against multiple defensive intelligent agent observations in the intelligent agent observation space; The action space of an attacking agent includes strategic actions, which are mapped to tool calls and data packet operations at the environment layer; the action space of a defensive agent includes two main categories: topology reconstruction and decoy replacement.

3. The deception defense method for constructing a network dream based on dynamic transformation and cross-layer trapping as described in claim 2, characterized in that, The execution control module uses a parameter parsing function. Build, to defend the actions of intelligent agents and the belief state of the defensive side Mapped to execution parameters , ,in, For the trapping topology map, For the decoy attribute matrix, For topology template library, Execution parameters for bait profiling and service template library The set of executable configurations in the control layer for dynamic transformation is used to drive virtualization, container orchestration, and network controller instantiation, connectivity adjustment, and decoy profile replacement.

4. The deception defense method for constructing a network dream based on dynamic transformation and cross-layer trapping as described in claim 2, characterized in that, Set in time window Within, the attacker's interaction with the trapping network generates session sets. Increment by attacker dwell time Incremental completeness of behavioral chain and the incremental complexity of lateral movement paths As a positive indicator, the number of incidents where traps were detected is used. Construct defensive-side rewards for negative indicators : , in, , , and All are weighting coefficients.

5. The deception defense method for constructing a network dream based on dynamic transformation and cross-layer trapping as described in claim 4, characterized in that, The attacking agent and the defending agent engage in a zero-sum offensive and defensive confrontation process, with the attacking agent having a reward function. Represented as This leads to a zero-sum optimization objective: , in, For defense strategy networks, For attack strategy networks; In order to be in and Under the adversarial game, the expected optimization objective for the cumulative defense reward of the discount; Let be the discount factor at time t. Let be the actual state of the environment at time t. Let t be the action of the defensive agent. Let t be the action of the attacking agent. Let t be the instantaneous reward value obtained by the defensive agent at time t.

6. The deception defense method for constructing a network dream based on dynamic transformation and cross-layer trapping as described in claim 2, characterized in that, The defense strategy is trained using an Actor-Critic algorithm optimized for near-end strategies, specifically as follows: Constructed as a state of defensive belief The input is the probability distribution of the high-level policy action, and the output is the parameter. Policy network The long-term trapping benefit of the current belief state is evaluated, with the following parameters: value network The policy network and value network share the GRU temporal coding structure at the front end. Let t be the action of the defensive agent. Under the current strategy Collect multiple rounds of attack and defense interaction trajectory data and construct probability ratios. : , Calculate the advantage function using generalized advantage estimation : , in, For timing difference error, To determine the reward that the defensive agent receives at time t. The defensive belief state at time t+1. The attenuation coefficient is the estimate of the generalized advantage. The length of the time window used for advantage estimation; The policy parameter θ is updated using the PPO objective function based on the pruning probability ratio. The PPO objective function... for: , in, For the expected value of the time step samples, For the clipping function, This is the clipping threshold; By minimizing value error loss Update the value network parameters ω, where, Let t be the target value at time t.

7. The deception defense method for constructing a network dream based on dynamic transformation and cross-layer trapping as described in claim 2, characterized in that, During the offline training phase, configurable trapping topologies and bait templates are deployed in the simulation environment. Multiple rounds of attacks are launched by the attacking agent to generate rich attack and defense interaction trajectories. The defense strategy network iteratively optimizes the trajectory data and converges to the follow-up transformation strategy that maximizes the long-term trapping benefits. During the online deployment phase, only the trained and converged defense strategy network, value network, and parameter parsing module are loaded. During online runtime, attack behavior is collected in real time to update defense observations and belief states. The strategy network outputs actions that change accordingly, and the parameter parsing module generates execution parameters. During online operation, the trapping revenue is statistically analyzed and fed back to the engine as a reward, continuously driving strategy optimization and enabling the trapping network to continuously adapt and evolve.

8. The deception defense method for constructing a network dream based on dynamic transformation and cross-layer trapping as described in claim 1, characterized in that, The method of rebuilding a virtual network with the same connection relationship as the target network using virtual nodes as network nodes is as follows: In a resource pool isolated from the real target network, virtual machine clusters and container clusters are used to instantiate virtual hosts and containerized business services in batches according to a predefined topology template. Flow table rules are issued through virtual switches and SDN controllers to rebuild a virtual target network with the same connection relationship as the real target network using virtual nodes as network nodes.

9. The deception defense method for constructing a network dream based on dynamic transformation and cross-layer trapping as described in claim 1, characterized in that, The method for constructing normal traffic is as follows: normal traffic that conforms to the actual time sequence distribution is constructed by replaying existing typical business traffic and generating scripted traffic.

10. The deception defense method for constructing a network dream based on dynamic transformation and cross-layer trapping as described in claim 1, characterized in that, While redirecting suspicious sessions to the trap network, access control policies or routing isolation rules are applied to the original access path on the real target network side.