Network violation outreach detection method and system

By constructing a network topology sequence and utilizing a structural prediction model, the problem of insufficient accuracy and interpretability in the detection of illegal network connections in existing technologies is solved, enabling precise location and risk measurement of high-risk nodes.

CN122160094APending Publication Date: 2026-06-05INSTITUTE OF INFORMATION ENGINEERING CHINESE ACADEMY OF SCIENCES

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
INSTITUTE OF INFORMATION ENGINEERING CHINESE ACADEMY OF SCIENCES
Filing Date
2026-01-28
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

Existing network violation detection technologies have shortcomings in terms of detection accuracy and interpretability. In particular, they are easily affected by factors such as offline terminals and firewall policies in complex network environments, leading to missed detections and difficulty in quantifying the contribution of specific nodes.

Method used

By constructing a network topology graph sequence, generating a prediction graph-level representation using a structure prediction model, calculating the structure prediction error, identifying target nodes, and constructing an intervention graph to calculate the error after intervention, the amount of error improvement is determined, thereby accurately locating high-risk nodes.

Benefits of technology

It significantly improves the accuracy and interpretability of detecting illegal external connections on the network, enabling it to keenly detect illegal behavior and accurately locate high-risk nodes, thus filling the blind spots of traditional detection methods.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122160094A_ABST
    Figure CN122160094A_ABST
Patent Text Reader

Abstract

The application provides a network violation external connection detection method and system, and belongs to the technical field of network security. The method constructs a network topology graph sequence containing historical and current states according to time; a structure prediction model is used to process the historical sequence to generate a current time prediction graph level representation, and a structure prediction error of the current actual graph level representation is calculated; when it is determined that there is an anomaly, an intervention graph is constructed for a target node and an error after intervention is determined; a difference between the structure prediction error and the error after intervention is taken as an error improvement amount, and a node with an improvement amount greater than a threshold is determined as a high-risk node. The application introduces a reverse intervention mechanism based on the structure prediction error, quantifies the contribution degree of a specific node to the deviation of the overall structure evolution, realizes accurate positioning of the violation external connection node, and significantly improves the accuracy and interpretability of detection.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] The present invention relates to the field of network security technology, and particularly to a method and system for detecting illegal external connection of a network. Background Art

[0002] In a high-security network environment, it is strictly prohibited for internal terminals to connect to the Internet privately. Therefore, effective monitoring means need to be deployed to discover and block illegal external connection behaviors in a timely manner.

[0003] In the prior art, a detection scheme for illegal external connection based on dual-machine linkage is usually adopted. In this scheme, a monitoring end is deployed in the internal network, and an alarm end is deployed in the external network. The monitoring end in the internal network periodically sends detection packets with forged source addresses to terminals. If the alarm end in the external network receives the response of the packet, it is determined that the terminal has an illegal external connection. In addition, some schemes also attempt to use traffic statistical features or abnormal behavior rules to assist in identifying potential illegal connections.

[0004] However, the above prior art has deficiencies in the accuracy and interpretability of detection. Due to the complex and changeable network environment, simply relying on whether the detection packet is reachable is easily interfered by factors such as terminal offline and firewall policies, resulting in missed reports. At the same time, the detection methods based on traffic statistics or rules often can only give general abnormal alarms, and it is difficult to quantify the contribution degree of specific nodes to the overall abnormality from the root cause of network structure changes, resulting in that the operation and maintenance personnel cannot know the exact reason for the alarm and specific high-risk nodes, thus leading to poor accuracy and interpretability of the detection results. Summary of the Invention

[0005] The present invention provides a method and system for detecting illegal external connection of a network to solve the defects in the prior art and significantly improve the accuracy and interpretability of detecting illegal external connection of a network.

[0006] The present invention provides a method for detecting illegal external connection of a network, including the following steps: Based on the communication data of monitored objects in the network, construct a sequence of network topology graphs in chronological order; the sequence of network topology graphs includes a first historical network topology graph sequence and a current network topology graph; Use a structure prediction model to process the first historical network topology graph sequence to generate a first predicted graph-level representation at the current moment; According to the actual graph-level representation of the current network topology graph and the first predicted graph-level representation, determine a structure prediction error used to characterize the deviation degree of network structure evolution at the current moment; When it is determined that the sequence of network topology graphs is abnormal according to the structure prediction error, determine target nodes related to the structure prediction error; For any of the target nodes, an intervention map is constructed about the target node, and based on the intervention map, the post-intervention error is determined using the structural prediction model; The difference between the structural prediction error and the error after intervention is used as the error improvement amount of the target node, and the target node whose error improvement amount is greater than a preset threshold is identified as a high-risk node for illegal external connection.

[0007] According to the present invention, a method for detecting unauthorized external connections in a network includes processing the first historical network topology sequence using a structural prediction model to generate a first predicted graph-level representation at the current time, comprising: Each historical network topology map in the first historical network topology map sequence is input into the graph embedding extraction module. The node attribute features of each node in the graph are encoded by the graph convolutional network to obtain the node embedding vector of each node. Obtain the first discovery time of each node in the network; For any historical network topology, calculate the difference between the time corresponding to the historical network topology and the time of the first discovery, and use it as the node duration of each node in the historical network topology. The normalized importance weight of each node is calculated based on the node's duration of existence, wherein the normalized importance weight decreases as the node's duration of existence increases. The node embedding vectors are weighted and summed according to the normalized importance weights to generate historical graph-level representation vectors corresponding to each historical network topology graph; The historical graph-level representation vectors arranged in chronological order are input into the attention-based temporal modeling module to obtain the first predicted graph-level representation of the current moment output by the temporal modeling module.

[0008] According to a method for detecting unauthorized external connections in a network provided by the present invention, the step of determining the target node related to the structure prediction error includes: Obtain the set of active nodes in the current network topology graph; Identify the first node in the active node set that was inactive in the historical network topology graph at the previous moment, and add the first node to the candidate set; Identify a second node that was active in the historical network topology graph at the previous moment but inactive in the current network topology graph, and add the second node to the candidate set; The nodes in the candidate set are determined as the target nodes.

[0009] According to a method for detecting unauthorized external connections in a network provided by the present invention, when the target node is the first node, the step of constructing an intervention graph about the target node and determining the post-intervention error based on the intervention graph using the structural prediction model includes: Remove the first node and the edges connected to the first node from the current network topology graph to generate the intervention graph; Based on the intervention map, extract the intervention map-level representation; The distance between the first predicted graph-level representation and the intervention graph-level representation is calculated to obtain the post-intervention error.

[0010] According to a network unauthorized external connection detection method provided by the present invention, when the target node is the second node, the step of constructing an intervention graph about the target node and determining the post-intervention error based on the intervention graph using the structural prediction model includes: Determine the most recent historical network topology map in the first historical network topology map sequence that contains the second node; Remove the second node and the edges connected to the second node from the historical network topology graph to generate the intervention graph; Based on the intervention map, a second historical network topology map sequence is constructed; The structure prediction model is used to process the second historical network topology sequence to generate a second predicted graph-level representation at the current moment; The distance between the actual graph-level representation and the second predicted graph-level representation is calculated to obtain the post-intervention error.

[0011] According to the network unauthorized external connection detection method provided by the present invention, before determining that the network topology graph sequence is abnormal based on the structure prediction error, the method further includes: Maintain an error buffer queue, which stores the structural prediction errors calculated at the most recent N historical moments, where N is a positive integer; Calculate the statistical distribution characteristics of the values ​​in the error buffer queue, and select a preset percentile value; The quantile value is set as the anomaly determination threshold for determining whether the network topology graph sequence is abnormal; If the structural prediction error is greater than the anomaly determination threshold, then an anomaly is determined to exist.

[0012] According to the present invention, a method for detecting unauthorized external connections in a network, after identifying target nodes whose error improvement exceeds a preset threshold as high-risk nodes for unauthorized external connections, further includes: When there are multiple target nodes whose error improvement amount is greater than a preset threshold, all target nodes are sorted in descending order of error improvement amount; Select the target node that ranks in the top K positions of the sort as the priority object for processing, where K is a preset positive integer.

[0013] This invention also provides a network unauthorized external connection detection system, comprising the following modules: The temporal network topology construction module is used to construct a network topology map sequence in chronological order based on the communication data of the monitored objects within the network; the network topology map sequence includes a first historical network topology map sequence and the current network topology map. The inference module is used to process the first historical network topology graph sequence using the structural prediction model to generate the first predicted graph-level representation at the current moment; The structure prediction error calculation module is used to determine the structure prediction error, which characterizes the degree of deviation of the network structure evolution at the current moment, based on the actual graph-level representation of the current network topology and the first predicted graph-level representation. The reverse intervention positioning module is used to determine the target node related to the structural prediction error when the network topology sequence is determined to be abnormal based on the structural prediction error. The reverse intervention positioning module is also used to construct an intervention map about any of the target nodes, and to determine the post-intervention error based on the intervention map using the structural prediction model; An anomaly detection module is used to take the difference between the structural prediction error and the error after intervention as the error improvement amount of the target node, and to identify the target node whose error improvement amount is greater than a preset threshold as a high-risk node for illegal external connection.

[0014] The present invention also provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the program to implement the network unauthorized external connection detection method as described above.

[0015] The present invention also provides a non-transitory computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements the network unauthorized external connection detection method as described above.

[0016] The present invention also provides a computer program product, including a computer program that, when executed by a processor, implements the network unauthorized external connection detection method as described above.

[0017] In summary, one or more technical solutions provided in the embodiments of this application have at least the following technical effects or advantages: By constructing a network topology sequence containing historical and current states based on communication data in chronological order, and using a structural prediction model to generate a predicted graph-level representation of the current moment, a benchmark reflecting the normal evolution of the network is established, no longer limited to the detection of single points or single traffic flows. By calculating the structural prediction error between the actual graph-level representation and the predicted graph-level representation, it is possible to keenly perceive the overall structural evolution deviation in the network caused by violations such as covert access or physical network outages, effectively compensating for the blind spots that traditional probe packets cannot cover offline scenarios. Furthermore, by identifying target nodes when anomalies are detected, and constructing an intervention graph for the target nodes to calculate the error after intervention and the amount of error improvement, a reverse causal inference mechanism is introduced, transforming abstract global structural anomalies into risk measures for specific nodes. By identifying nodes whose removal (or simulated absence) can significantly reduce prediction errors, the accurate location of high-risk nodes for illegal external connections is achieved, significantly improving the accuracy and interpretability of network illegal external connection detection. Attached Figure Description

[0018] To more clearly illustrate the technical solutions in this invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are some embodiments of this invention. For those skilled in the art, other drawings can be obtained from these drawings without creative effort.

[0019] Figure 1 This is a schematic diagram of the overall architecture of the network security external monitoring system provided by the present invention.

[0020] Figure 2 This is a flowchart illustrating the network unauthorized external connection detection method provided by the present invention.

[0021] Figure 3 This is a schematic diagram of the construction of the network topology graph sequence provided by the present invention.

[0022] Figure 4 This is a schematic diagram of the overall architecture and processing flow of the structural prediction model provided by the present invention.

[0023] Figure 5 This is a schematic diagram of the construction node removal intervention diagram provided by the present invention.

[0024] Figure 6 This is a schematic diagram of high-risk node visualization and sorting based on error improvement amount provided by the present invention.

[0025] Figure 7 This is a schematic diagram of the network unauthorized external connection detection system provided by the present invention.

[0026] Figure 8This is a schematic diagram of the structure of the electronic device provided by the present invention. Detailed Implementation

[0027] To make the objectives, technical solutions, and advantages of this invention clearer, the technical solutions of this invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of this invention. All other embodiments obtained by those skilled in the art based on the embodiments of this invention without creative effort are within the scope of protection of this invention.

[0028] It should be noted that in the description of this invention, the terms "comprising," "including," or any other variations thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes said element. The terms "upper," "lower," etc., indicating orientation or positional relationships according to the accompanying drawings, are only for the convenience of describing the invention and for simplifying the description, and do not indicate or imply that the system or element referred to must have a specific orientation, or be constructed and operated in a specific orientation, and therefore should not be construed as a limitation of the invention. Those skilled in the art can understand the specific meaning of the above terms in this invention according to the specific circumstances.

[0029] The terms "first," "second," etc., used in this invention are used to distinguish similar objects, not to describe a specific order or sequence. It should be understood that such data can be interchanged where appropriate so that embodiments of the invention can be implemented in orders other than those illustrated or described herein, and the objects distinguished by "first," "second," etc., are generally of the same class, without limiting the number of objects; for example, a first object can be one or more. Furthermore, "and / or" indicates at least one of the connected objects, and the character " / " generally indicates that the preceding and following objects are in an "or" relationship.

[0030] The following is combined with Figures 1 to 8 This invention describes the network unauthorized external connection detection method, system, electronic device, storage medium, and computer program product provided by this invention.

[0031] In an embodiment of the present invention, the network violation external connection detection method can be applied to a network security external connection monitoring system that integrates dynamic topology modeling and collaborative evidence collection. Figure 1 This is a schematic diagram of the overall architecture of the network security external monitoring system provided by the present invention.

[0032] like Figure 1 As shown, the network security external monitoring system retains the existing "dual-machine / dual-center" architecture, mainly consisting of an internal network monitoring center deployed on the internal network side and an external network alarm center deployed on the Internet side. The two can be reached through the public network (e.g., through a secure interconnection via an IPSec tunnel).

[0033] The intranet monitoring center is installed within the organization's intranet and connected to the core switch or aggregation switch. Its traditional functional modules are responsible for generating probe packets according to a predetermined strategy and sending them to intranet hosts. Specifically, the intranet monitoring center periodically sends probe packets to various intranet terminals (including hosts, mobile devices, IoT terminals, etc.) by traversing intranet address ranges or host lists. The probe packets generally use frame probing, which can be ICMP echo request frames or constructed TCP probe frames, and the source address of the packet is spoofed as the public IP address of the external alarm center.

[0034] The external network alarm center is installed on the internet to receive and parse alarm information forwarded by internal network hosts and generate alarms. Its working principle is as follows: when an internal network host establishes a connection to the internet via dial-up devices, wireless network cards, router sharing, etc. (i.e., unauthorized external connection), its network protocol stack, upon receiving a probe packet with the source address "external network alarm center's public IP address," will send the response or forwarded data packet to the internet according to the current default route, ultimately reaching the external network alarm center. Once the external network alarm center receives a response from this host, it can determine that the host has engaged in unauthorized external connection behavior.

[0035] However, the aforementioned traditional mechanism has a blind spot for unauthorized offline external connections. That is, when a terminal physically disconnects from the intranet cable or shuts down its connection to the intranet and directly accesses the Internet using 4G / hotspot or other methods, the terminal will disappear from the intranet topology, and the detection packets of the intranet monitoring center will not be able to reach it, resulting in detection failure.

[0036] To address this blind spot, this invention introduces a new analysis link at the intranet monitoring center. Specifically, a temporal network topology construction module, a structure prediction model training and inference module, and a reverse intervention and positioning module based on structure prediction errors are added within the intranet monitoring center.

[0037] These new modules do not alter the original process of generating and sending probe messages, nor do they change the process of receiving and alarming at the external network alarm center; instead, they operate in parallel. They continuously collect mirrored traffic and log data from internal network switches, routers, and other devices to construct a network topology sequence and perform temporal modeling of the overall internal network communication structure. Using the structural prediction model, the system can identify nodes that "suddenly leave the internal network topology but should not have left based on historical behavior" (i.e., suspected offline unauthorized external connection terminals) and "new nodes that suddenly appear and cause significant structural changes" (i.e., suspected new nodes that have illegally accessed the internal network).

[0038] Once the reverse intervention positioning module identifies the aforementioned high-risk nodes, the intranet monitoring center will mark these nodes as high-risk objects and hand them over to the existing monitoring and blocking mechanisms for priority handling (such as priority auditing, high-frequency detection, or coordinated blocking). This forms a unified architecture that integrates "traditional dual-machine detection + temporal topology anomaly analysis," significantly improving the detection coverage of unauthorized external connection behaviors in complex scenarios.

[0039] In an embodiment of the present invention, a method for detecting unauthorized external network connections is provided. This detection method can be applied to various network security monitoring systems, and the executing entity is a computer device with data processing capabilities, such as an intranet monitoring center. The following detailed explanation of this technical solution uses the intranet monitoring center (hereinafter referred to as the system) as the executing entity.

[0040] Reference Figure 2 , Figure 2 This is a flowchart illustrating the network unauthorized external connection detection method provided by the present invention. The process of the system executing the network unauthorized external connection detection method includes the following steps: Step 101: Based on the communication data of the monitored objects within the network, construct a network topology map sequence in chronological order; the network topology map sequence includes the first historical network topology map sequence and the current network topology map.

[0041] The system first needs to acquire basic data from the network environment. It continuously receives session records and status events from the internal network through various methods, including switch port mirroring, router log forwarding, Dynamic Host Configuration Protocol (DHCP) logs, and authentication logs. This communication data includes terminal online / offline records, five-tuple traffic details, and traffic statistics. The system cleans, aggregates, and normalizes data from different sources on a unified timeline, establishing a mapping between Internet Protocol addresses, Media Access Control (MAC) addresses, device fingerprints, and asset information.

[0042] To capture the dynamic evolution of the network structure over time, the system uses fixed time windows to discretize the intranet's operational status. For example, the time window length is set to a preset value, and at the end of each time window, a network topology graph with attributes is constructed using the traffic records and online / offline events collected within that window. Nodes in this network topology graph represent devices in the network, and edges represent communication relationships between devices. The system arranges multiple consecutively generated network topology graphs in chronological order to form a network topology graph sequence. This sequence includes several associated network topology graphs as historical reference data (the first historical network topology graph sequence) and the current network topology graph generated at the current moment.

[0043] More specifically, the network topology graph sequence is constructed using the following method.

[0044] A fixed time window is used to discretize the intranet's operational status. Let the time window length be... In this invention, Minute, the Each time window corresponds to a time interval At the end of each window, the system uses the traffic records and online / offline events collected within that window to construct a network topology graph with attributes. And form a graph sequence in chronological order. This serves as the input for subsequent graph neural networks. The network topology graph includes node attributes and edge attributes, where node attributes specifically include the following: 1. Device type coding: Node corresponding device type: PC, server, network device, other; 2. Security Domain Code: The node belongs to the following security domains: office network, production network, or management network. 3. Key Asset Indicator: Whether the node is a key asset; 4. Normalized internal neighbor count: The number of nodes that have established connections with other nodes in the same security domain (normalized). 5. Normalized value of cross-domain neighbor count: The number of nodes that have established connections with nodes in different security domains (normalized). 6. External Connection Ratio: The ratio of the number of connections initiated to the external network or border gateway to the total number of connections; 7. Normalized total number of bytes sent uplink: The total number of bytes sent by the node in the current window (normalized according to the single node's traffic limit); 8. Normalized total downlink bytes: The total number of bytes sent by the node within the current window (normalized according to the single node's traffic limit); 9. Normalized Session Count: The number of TCP / UDP sessions participated in by the node within the current window (normalized). 10. Target Port Diversity Normalized Value: The number of different target ports accessed within the current window (normalized). 11. Normalized maximum session duration: The longest session duration among all sessions of this node within the current window (normalized). 12. Online Time Percentage: The proportion of the online time of nodes within the current window to the length of the window; 13. Node age normalization value: The proportion of a node's lifespan since its first discovery to the preset maximum age.

[0045] The edge attributes specifically include the following attributes: 1. Normalized Session Count: The total number of TCP / UDP sessions between this node pair within the current window (normalized). 2. Normalized total bytes: The total number of bytes transferred bidirectionally between this node pair within the current window (normalized). 3. Directional Difference Normalized Value: The normalized result of the bidirectional byte count difference reflects whether there is a significant unidirectional large flow. 4. Protocol type one-hot encoding: The main protocol family used by this edge is TCP, UDP, and others; 5. Port Category One-Hot Encoding: The target port category for this side session: well-known port, registered port, dynamic port; 6. Normalized maximum session duration: The longest duration among all sessions on this edge within the current window (normalized).

[0046] For node attributes, in the time window Internally, the system first determines the set of nodes. The system pre-assigns a unique device identifier ID to each device using its IP address, MAC address, terminal fingerprint, and asset ledger information. If a device is in the window... If the memory contains at least one record of transmit / receive traffic, or has generated at least one online event (such as DHCP address acquisition or authentication login), then the device is considered to be in the window. If it is in an "active" state, add it to the node set. Window The number of active nodes is Then it can be written as: ; Among them, the first Nodes It corresponds to a specific device.

[0047] For each active node The system constructs a node feature vector of fixed length. In this invention, The meanings and value retrieval methods of each field are as follows.

[0048] First, device identity and network environment information. The device type field is represented using 4-dimensional one-hot encoding, with the following value set: personal terminal (PC), server, network device (including switches, routers, firewalls, etc., all uniformly categorized as Network Device), and other devices (such as printers, IoT terminals, etc., all uniformly categorized as Other). For example, when the device type is server, this 4-dimensional vector is: The security domain field is represented using 3D one-hot encoding, with values ​​including Office, Production, and Management networks. For example, the Office network corresponds to... Whether an asset is a key asset is indicated by a single Boolean field, with a value of 1 for key assets and 0 for ordinary assets. These three items together constitute the 8-dimensional "Identity and Network Environment" feature.

[0049] Second, statistical information on the connection relationships of nodes within the current window. The system calculates three scalar fields for each node: 1) Normalized value of internal neighbor count Statistics Window Inner nodes The number of different devices that have communicated with each other and are in the same security domain is denoted as . The upper bound constant of this value is preset to be Defined as: .

[0050] 2) Normalized value of cross-domain neighbor count Statistics Window Inner nodes The number of different devices that have communicated with each other and are in different security domains is denoted as . The upper bound constant is assumed to be Defined as: .

[0051] 3) External connection ratio Statistics Window internal nodes Number of connections initiated to external network address or border gateway and total number of connections .when When, it is defined as: ; when At that time, take .

[0052] Third, the node's traffic and session behavior statistics within the current window. This invention selects five scalar features: 1) Normalized value of total uplink bytes Statistics Window internal nodes Total bytes sent The preset upper limit constant for single-node bandwidth statistics is: Defined as: .

[0053] 2) Normalized value of total downlink bytes Statistics Window internal nodes Total number of bytes received Similarly, the following approach is adopted: .

[0054] 3) Normalized value of session count Statistics Window internal nodes Number of TCP / UDP sessions participated The preset maximum number of sessions per node is a constant. Defined as: .

[0055] 4) Target port diversity normalized value Statistics Window internal nodes Number of different target ports accessed Upper limit of the number of preset port types Defined as: .

[0056] 5) Normalized value of maximum session duration Statistics Window internal nodes The longest-lasting session among all sessions is denoted by its duration in seconds. Window length In seconds, defined as: .

[0057] Fourth, the lifecycle information of nodes over time. This invention uses two scalar fields: 1) Percentage of online time The system estimates nodes based on traffic and heartbeat records. In the window Online time (Unit: seconds), defined as: .

[0058] 2) Normalized value of node age Record nodes The time when it was first discovered in the system was The current window's end time is The original value for node duration is: .

[0059] Preset a maximum age constant (The number of seconds corresponding to 30 days), the normalized age is defined as: .

[0060] when A value close to 0 indicates that the node is a recently connected device; a value close to 1 indicates that the node is an older device that has been in existence for a long time.

[0061] In summary, regarding windows Each node within Node feature vectors It is composed of the above 18 fields concatenated sequentially: 4-dimensional device type one-hot encoding, 3-dimensional security domain one-hot encoding, 1-dimensional key asset marker, 3 connection statistics scalars, 5 traffic and session behavior scalars, and 2 lifecycle scalars. The system will assign all node feature vectors according to... The nodes are stacked sequentially to form a node attribute matrix. , of which A row is a node Its characteristics.

[0062] After determining the nodes and their attributes, the system is based on windows. Constructing an edge set from the session records within and edge attribute matrix For any two active nodes and If in the window There is at least one entry in memory from arrive Or from arrive For TCP / UDP sessions, an undirected edge is added to the graph to indicate that communication exists between the two within that window. For ease of indexing, the system uses a... An integer matrix stores the set of edges: ; Among them, the first OK Indicates the first The two nodes connected by the edge are respectively Subscript and The node, and They are considered as the same undirected edge.

[0063] For each edge System statistics window internal nodes and Aggregate the features of all sessions between them to construct the edge feature vector. Specifically, it includes: 1) Normalized value of session count Statistics Window Internal node pairs Total number of conversations between Preset maximum number of sessions per side constant Defined as: .

[0064] 2) Normalized total number of bytes Statistics Window Internal node pairs Bidirectional byte sum: ; Preset one-sided flow limit constant Defined as: .

[0065] 3) Normalized value of directional difference Defined as: ; This is used to reflect whether there is a significant one-way large flow of communication on this side.

[0066] 4) Protocol type one-hot encoding The system determines the primary protocol family based on the IP protocol number in the session, classifying it into three categories: TCP, UDP, and others, and represents them using a 3D one-hot vector: when the primary protocol is TCP, the encoding is... The encoding is mainly for UDP. Other cases are coded as follows .

[0067] 5) Port category one-hot encoding The system categorizes ports into well-known ports (0-1023), registered ports (1024-49151), and dynamic / private ports (49152-65535) based on the target port of the session, and uses a 3D one-hot vector representation: when the target port is concentrated in well-known ports, it is encoded as follows: The main encoding is used when registering the port. The encoding is mainly used in dynamic porting. .

[0068] 6) Normalized value of maximum session duration Calculate the duration of all sessions along this edge and take the maximum value. Window length In seconds, defined as: .

[0069] The three scalar normalized traffic / frequency fields and one scalar duration field, along with the 3D protocol type one-hot encoding and the 3D port category one-hot encoding, together constitute a 10-dimensional edge feature vector. The system stacks all edge features by edge index to form an edge attribute matrix: , of which row correspondence The Middle Strip edge .

[0070] Therefore, time window The final network topology can be formally represented as: ; in For window The set of active device nodes within the system. Let be the set of undirected communication edges between nodes. This is a matrix of node attributes. This is the edge attribute matrix. As the time window progresses, the graph sequence... While preserving the internal network connection structure, explicit and normalized behavioral features are added to each node and edge, providing unified and quantitative input data for subsequent structure prediction and abnormal disturbance localization based on graph neural networks.

[0071] Further reference Figure 3 , Figure 3 This is a schematic diagram illustrating the construction of the network topology graph sequence provided by the present invention. For example... Figure 3 As shown, the system uses a fixed time window mechanism to discretize the intranet operating status. The time window length is set to a preset value, which is 15 minutes in this embodiment. The time interval corresponding to the t-th time window starts from t times the time window length and ends at t+1 times the time window length. At the end of each time window, the system uses the traffic records and device online / offline events collected within that window to construct an attributed network topology graph, denoted as [Graph showing the graph]. .

[0072] Constructing a network topology graph The specific process is as follows: First, the system determines the set of active nodes within the current time window. The system assigns a unique device identifier to each device based on its Internet Protocol address, Media Access Control address, terminal fingerprint, and asset ledger information. If a device has at least one transmit / receive traffic record within the current time window, or has generated at least one online event such as address acquisition or authentication login, the system considers the device active and adds it to the set of active nodes for the current window. . Figure 3 The diagram shows the changes in active nodes at different times (t-1 and t), where solid dots represent nodes in the network, and dots of different colors can represent different types of devices or different security domain affiliations.

[0073] Secondly, the system constructs node attribute features for each active node. To comprehensively characterize the device's behavior patterns, the system constructs a fixed-length node feature vector for each node. The node's feature vector contains multi-dimensional information, specifically including: First, there is the device identification and environmental information, such as the device type code, used to distinguish personal terminals, servers, network devices, etc.; the security domain code, used to distinguish office networks, production networks, management networks, etc.; and key asset markers.

[0074] Second, connection statistics, such as the normalized value of the number of internal neighbors, which reflects the number of connections with other nodes in the same security domain; the normalized value of the number of cross-domain neighbors, which reflects the number of connections with nodes in different security domains; and the proportion of external connections, which reflects the frequency with which nodes initiate connections to the external network or border gateway.

[0075] Thirdly, traffic and session behavior information, such as normalized values ​​for total uplink bytes, total downlink bytes, number of sessions, target port diversity, and maximum session duration.

[0076] Fourthly, lifecycle information, such as the percentage of online time and the normalized value of node age.

[0077] Next, the system determines the set of communication edges between nodes. After determining the nodes and their attributes, the system constructs the edge set based on the session records within the current time window. For any two active nodes, if they have at least one Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) session within the current time window, the system establishes an undirected edge in the graph to indicate that they have a communication relationship. Figure 3 The gray lines in the diagram represent the communication edges between nodes.

[0078] Finally, the system calculates the edge attribute features for each edge. For each edge, the system calculates the aggregate features of all sessions within the current time window for that edge, constructing an edge feature vector. The edge feature vector includes normalized values ​​for the number of sessions, total number of bytes, direction difference, protocol type one-hot encoding, port type one-hot encoding, and maximum session duration.

[0079] Through the above steps, the system generates a formalized representation of the network topology graph at the end of the time window t. A network topology graph contains a set of nodes, a set of edges, a node attribute matrix, and an edge attribute matrix. Over time, the system maintains a graph sequence in chronological order, for example, containing multiple consecutive network topology graphs from time tT to time t, forming a temporal network topology.

[0080] like Figure 3 As shown, from arrive The process demonstrates the dynamic evolution of the network structure. Over time, some nodes may disappear from the graph due to shutdown or network outage, while new nodes may join the network and appear in the graph. The connections between nodes also change with changes in service access. This graph-based modeling approach not only preserves the topological skeleton of the network connections but also integrates rich behavioral statistical features into the node and edge attributes.

[0081] Step 102: Process the first historical network topology graph sequence using the structural prediction model to generate the first predicted graph-level representation at the current moment.

[0082] This step aims to leverage artificial intelligence to learn the normal evolutionary patterns of network structures. The structure prediction model is a deep learning-based neural network model trained to predict the current network state based on past network states. The system inputs a sequence of first historical network topology graphs into the structure prediction model. The model first extracts features from each historical network topology graph in the sequence, transforming the complex graph structure into low-dimensional numerical vectors, i.e., graph-level representation vectors. Subsequently, the model uses a time-series analysis module to model the changing trends of these historical graph-level representation vectors, capturing the evolutionary patterns of the network topology over time. Based on these evolutionary patterns, the model outputs a vector representing its expectation of the network state at the current moment, i.e., the first predicted graph-level representation. This first predicted graph-level representation reflects the topological characteristics that the network should exhibit at the current moment when it is operating normally according to its existing patterns.

[0083] Step 103: Based on the actual graph-level representation of the current network topology and the first predicted graph-level representation, determine the structural prediction error used to characterize the degree of deviation of the network structure evolution at the current moment.

[0084] The system uses graph embedding extraction technology to process the current network topology graph constructed in step 101, obtaining an actual graph-level representation reflecting the true network structure at the current moment. To quantify the difference between the current state and the expected state, the system calculates the distance between the actual graph-level representation and the first predicted graph-level representation. This distance is the structure prediction error. In specific implementations, the squared Euclidean distance between vectors is used as the metric. This structure prediction error directly reflects the degree of deviation of the current network structure from its historical evolution. When the network operates stably according to its existing pattern, the structure prediction error remains at a low level. When abnormal nodes connect, critical nodes suddenly go offline, or abnormal changes occur in connection relationships, the structure prediction model struggles to accurately predict the current structure, leading to a significant increase in the structure prediction error.

[0085] Specifically, after completing graph embedding extraction and temporal modeling, the model at time... The output is the predicted graph-level representation vector of the network structure in the current time window, i.e., the first predicted graph-level representation. On the other hand, the system can process the actually observed topological map. The graph embedding extraction module calculates the corresponding graph-level representation vector, i.e., the actual graph-level representation. The basic goal of the model is to make the predictions represent... As close as possible to the true representation This characterizes "the predictive ability of historical structures for current structures under normal evolutionary patterns."

[0086] To measure the deviation between the two, the structural prediction error is... Defined as the squared Euclidean distance between the predicted vector and the actual graph-level representation, i.e.: The prediction error of this structure directly reflects the degree of deviation of the current network structure from the historical evolution pattern: when the network is running stably according to the existing mode, It is usually maintained at a low level; however, when there is an abnormal node access, a critical node suddenly goes offline, or an abnormal change in the connection relationship occurs... Difficult to predict accurately This leads to A significant increase can serve as a basic indicator for anomaly detection.

[0087] Step 104: When the network topology sequence is found to be abnormal based on the structural prediction error, the target node related to the structural prediction error is determined.

[0088] The system has pre-defined anomaly detection logic, such as comparing the structural prediction error with statistical thresholds based on historical data. When the structural prediction error exceeds the allowable range, the system determines that the network topology sequence is abnormal, indicating that an unauthorized external connection or offline external connection event may have occurred in the network at the current moment. In this case, the system needs to further pinpoint the specific device causing the anomaly. Based on the node changes in the network topology, the system selects nodes closely related to the current structural evolution as target nodes. These target nodes include, but are not limited to, nodes newly appearing at the current moment, or nodes that existed at the previous moment but disappeared at the current moment.

[0089] Step 105: For any target node, construct an intervention map about the target node, and based on the intervention map, use a structural prediction model to determine the post-intervention error.

[0090] This step employs an attribution analysis method based on structural inversion. To verify whether a specific target node is the main cause of increased structural prediction errors, the system performs hypothetical intervention on that target node.

[0091] Specifically, the system constructs one or more modified intervention graphs. The logic behind constructing the intervention graph is to eliminate the structural mutations caused by the target node. For example, if the target node is newly connected, the intervention graph is the graph after removing the node from the current network topology; if the target node is suspected of being offline, the intervention graph is the graph simulating that the node has not been lost.

[0092] Subsequently, the system uses a structural prediction model to further process the data containing the intervention map. This processing involves recalculating the model's prediction accuracy for the current structure under the assumption that the intervention is effective, thus obtaining the post-intervention error. The post-intervention error reflects the degree of deviation in the network structure's evolution after excluding abnormal interference factors from the target node.

[0093] Step 106: The difference between the structural prediction error and the error after intervention is used as the error improvement amount of the target node, and the target node with the error improvement amount greater than the preset threshold is identified as a high-risk node for illegal external connection.

[0094] The system calculates the difference between the initial structural prediction error and the error after intervention; this difference is defined as the error improvement amount. The error improvement amount intuitively characterizes the contribution of the target node to the current overall structural anomaly.

[0095] If the error improvement of a target node is a large positive value, exceeding a preset threshold, it indicates that the model's prediction error has significantly decreased after intervention on that node, meaning the network structure has returned to a normal state consistent with historical patterns. This suggests that the behavior of that target node (such as abnormal access or abnormal offline) is the key reason for the deviation in the current network structure evolution. Therefore, the system marks the target node that meets the criteria as a high-risk node for unauthorized external connections and outputs it to subsequent alarm or handling procedures.

[0096] The network illegal external connection detection method provided in this embodiment achieves the technical effect of perceiving network anomalies from the overall structural level by constructing a network temporal topology graph sequence and using a structural prediction model for evolutionary analysis. In particular, it introduces a localization mechanism based on structural prediction error and reverse intervention, which can not only detect conventional online illegal external connections but also effectively detect offline illegal external connection behaviors caused by physical network outages of terminals. By calculating the error improvement before and after intervention, this method can accurately locate high-risk nodes causing structural anomalies from numerous network nodes, solving the problem that traditional methods struggle to pinpoint the root causes of structural anomalies and improving the coverage and accuracy of illegal external connection detection.

[0097] In embodiments of the present invention, the specific process of processing the first historical network topology sequence using a structural prediction model is described in detail. (Refer to...) Figure 4 , Figure 4 This is a schematic diagram illustrating the overall architecture and processing flow of the structural prediction model provided by this invention. For example... Figure 4 As shown, this process is mainly completed collaboratively by the graph embedding module and the time series prediction module, aiming to extract high-dimensional features with temporal evolution significance from complex graph structures.

[0098] At the end of each time window, the system constructs a network topology graph: ,in For window The set of active nodes within, Let be a set of undirected edges. This is a matrix of node attributes. Let be the edge attribute matrix. Let the current prediction time be... The system selects a length of The historical window is used as model input in this invention. This corresponds to the historical state over the past 6 hours. Therefore, the input for each round of prediction is the graph sequence: .

[0099] Since the number of nodes and connection density of the graph may differ at different times, it is necessary to first process each graph... ( Mapped to a fixed-dimensional graph-level representation vector Then the vector sequence Input the timing modeling module.

[0100] The goal of the graph embedding extraction module is to extract graphs of any size. Mapped to a fixed-dimensional graph-level representation vector In this invention, the following is taken: .like Figure 4 As shown, the graph embedding extraction module first encodes node features using a graph convolutional network (GCN), and then aggregates the node embeddings into a graph-level representation through weighted pooling, which is a weighted readout mechanism that assigns higher weights to newly connected nodes.

[0101] For time windows The diagram inside Its node attribute matrix is ​​denoted as edge set Endpoint index pairs Composition, and constructing the adjacency matrix accordingly. If node and There are edges between them Otherwise, it is 0. To facilitate graph convolution calculation, an adjacency matrix with self-loops is introduced: ,in for The identity matrix, and the corresponding degree matrix are Its diagonal element is .

[0102] Given a graph convolutional network, there are a total of Layer, node represents the first layer. The layer representation matrix is ,in . No. The update rule for layer graph convolution is: ; in For the first The learnable weight matrix of the layer, This is an element-wise nonlinear activation function (e.g., ReLU). After... After layer graph convolutional encoding, the node embedding matrix is ​​obtained: ; No. OK For nodes In the time window The final embedding vector within.

[0103] To aggregate node representations into graph-level representation vectors This invention introduces a weighted readout mechanism based on node "network entry time," assigning higher aggregation weights to recently joined nodes. (Node record...) The time when it was first discovered in the system was Time window The end time is Then the node is in the window Duration of a node at any given moment for: .

[0104] To ensure that newly connected nodes receive higher weights while maintaining that weights decay over time, the system first considers the node's duration of existence. Calculate the unnormalized importance score : ; in This is a scaling factor used to control the initial upper limit of the weight of new nodes. Control the rate at which the weights decay over time. Inflection point parameters (e.g., can be taken as follows) (minutes), making the node's network access time less than [times]. The time weight is significantly larger, exceeding The weights then gradually decay to near 1. Subsequently, the importance scores of all nodes are normalized to obtain normalized importance weights that sum to 1. : .

[0105] Based on this, the historical graph-level representation vectors corresponding to each historical network topology graph Defined as the weighted sum of the embedding vectors of all nodes: .

[0106] because The weighting mechanism, which monotonically decays as the node joins the network, makes the graph representation more sensitive to "recently joined nodes" and their connection changes. In other words, when constructing the graph representation for structure prediction, the impact of new nodes and their neighborhood structure changes is consciously amplified, which is beneficial for subsequent identification of temporal topology disturbances caused by abnormal network access or malicious deployment of equipment.

[0107] After obtaining the graph-level representation vectors of continuous time windows, the system performs temporal modeling to learn the long-term evolution trend and mutation patterns of the network structure. For the current prediction time... First, let's talk about history. The graph-level representation vectors of each window are stacked in time order to form the input tensor. .

[0108] This invention employs a Transformer architecture based on a self-attention mechanism. Perform sequence modeling.

[0109] Specifically, the Transformer module includes the following components: 1) Input linear mapping layer. Convert the graph vector at each time step... Mapped to internal modeling dimensions via fully connected layers In this invention, ,get: .

[0110] 2) Positional Encoding. To incorporate temporal sequence information, the system adds a fixed positional encoding vector based on a sine / cosine function to each time step. ,get: 3) Multi-Head Self-Attention Layer. The sequence... As input, the representation at each time step is modeled for its correlation with the whole sequence, resulting in an intermediate representation sequence that takes into account both long-term and short-term dependencies.

[0111] 4) Feedforward Network Layer. The attention output at each time step is projected through two fully connected layers and a non-linear activation function to enhance the model's expressive power.

[0112] 5) Residual Connections and Layer Normalization. Residual paths and LayerNorms are introduced in both the self-attention layer and the feedforward network layer to alleviate gradient vanishing and stabilize the training process.

[0113] By stacking several layers of the above structure, the Transformer module transforms the input sequence Mapped to output sequence The system takes the output vector of the last time step as the first predicted graph-level representation of the network structure at the current time step: The subscript " "" indicates taking the last item in the Transformer output sequence. This first prediction graph level representation With the actual topology graph Graph-level representation obtained by the graph embedding extraction module By comparing the results, the structural prediction error of the current time window can be constructed, providing a basis for subsequent anomaly detection and anomaly node localization based on reverse intervention.

[0114] Furthermore, the structural prediction model employs an unsupervised training mechanism to model the temporal evolution of the network structure under normal operating conditions. Assuming that the network is in a normal state without serious violations during the initial system deployment or a certain period confirmed by operations personnel, the graph sequences continuously collected during that period can be utilized. Construct a training sample set.

[0115] The training samples are constructed as follows: a sliding window of length is selected. Continuous graph sequence: Among them, the former Zhang Tu The last figure serves as the input to the structural prediction model. Corresponding to the prediction target. For each training sample, the graph-level representation vector at each time step is first calculated using the graph embedding extraction module: ; Then The input graph represents the time series modeling module, which obtains the predicted value of the graph representation at the current time step: .

[0116] Based on the structural prediction error defined above This is used as the loss function value for that sample. The loss function is minimized over all training samples. The graph convolutional network weights, node weighted readout parameters, and Transformer temporal modeling network parameters (collectively referred to as the parameter set) Joint optimization is performed to achieve end-to-end unsupervised training.

[0117] Because the training process relies solely on "normal operation" data, without requiring manual annotation of specific abnormal time points or anomaly types, it features low deployment costs and strong adaptability. After the system goes live, incremental updates or periodic retraining can be used to fine-tune the model parameters using newly collected normal data to adapt to the slow changes in network behavior.

[0118] Meanwhile, the system continuously maintains the latest updates during the online phase. The set of structural prediction errors for each time window is dynamically updated to determine the anomaly threshold. This allows for adaptive adjustment of the anomaly detection criteria while maintaining model structural stability, making the structural prediction error both a training objective and a key scoring criterion for online detection.

[0119] Based on this, to achieve automated alarms, it is necessary to estimate the statistical distribution of structure prediction errors based on historical normal operation data, and set anomaly detection threshold accordingly. Before determining whether a network topology sequence is abnormal based on structure prediction errors, the following steps are also included: Maintain an error buffer queue, which stores the structure prediction errors calculated at the most recent N historical moments, where N is a positive integer; Calculate the statistical distribution characteristics of the values ​​in the error buffer queue and select the quantile values ​​of the preset percentile. The quantile value is set as the anomaly detection threshold for determining whether the network topology graph sequence is abnormal; If the structural prediction error is greater than the anomaly detection threshold, then an anomaly is determined to exist.

[0120] Specifically, after the structural prediction model is trained and put into online operation, the system maintains a length of An error buffer queue is used to store the most recent The structural prediction error value for each time window In this invention, the following is taken: When the system is in the calibration phase, which is considered to be operating normally, its empirical quantiles are calculated by sorting the error values ​​in the buffer; for example, taking the 1st... Quantiles as anomaly detection thresholds: ; in Represents the sample set Quantile operator. Subsequently, during the online detection phase, for any new time window... If its structural prediction error satisfies: If the network structure deviates abnormally within the current time window, a structural anomaly alarm is triggered; if If the error is not detected, the current structural offset is considered to be within the normal fluctuation range, and the error is recorded only as a reference indicator. Through this dynamic anomaly detection threshold setting method based on quantiles, the system can adaptively adjust the alarm sensitivity according to the error distribution of the actual network environment, reducing the risk of false alarms or missed alarms caused by fixed thresholds.

[0121] In an embodiment of the present invention, when an anomaly is determined in the network topology graph sequence (i.e., the structure prediction error exceeds the anomaly determination threshold), After that, the system needs to further filter out key nodes that may cause anomalies from the massive number of network nodes in order to perform refined localization analysis. The specific process for determining the target nodes related to the structural prediction error is as follows: First, the system obtains the set of active nodes in the current network topology graph. Active nodes are device nodes that have generated communication behaviors such as traffic records, DHCP logs, or authentication events within the current time window, and are thus included in the current network topology graph.

[0122] Next, the system filters for "abnormal additions." The system identifies the first inactive node in the active node set that was inactive in the previous time step's historical network topology graph. Here, the "previous time step's historical network topology graph" refers to the graph immediately preceding the current network topology graph in the time series. If a node is active at the current time step but was absent or inactive in the previous time step, it indicates that it is a newly joined or re-connected node, posing a potential risk of causing structural changes. The system adds this type of first node to the candidate set, marking it as a suspected new node candidate.

[0123] In one possible implementation, the system uses the node's first occurrence time and normalized age. Information such as these is constructed in the window. Candidate set of "suspected new nodes": ,definition ,in Let be a constant representing the "new access" threshold.

[0124] Meanwhile, the system filters for "abnormal offline" scenarios. It identifies a second node that was active in the historical network topology graph of the previous timeframe but inactive in the current network topology graph. These nodes were communicating normally in the previous time window but suddenly disappeared or went silent in the current window. This situation may correspond to abnormal events such as physical disconnection, forced network outage, or equipment failure. These events can also cause unexpected changes in the network topology, leading to increased prediction errors. The system adds these second nodes to the candidate set, marking them as suspected offline node candidates.

[0125] In one possible implementation, the set of nodes in the previous time window is recorded as: The system first constructs a candidate set of "suspected offline nodes". Defined as: ; This includes nodes that were active in the previous window but have completely disappeared from the current window or whose online time has significantly decreased.

[0126] Finally, the system identifies the target nodes from the candidate set. Through the above steps, the system narrows the scope of the investigation from all nodes in the entire network to a small number of nodes that have undergone state transitions (from nothing to something or from something to nothing).

[0127] This embodiment constructs a comprehensive set of anomaly candidates by separately identifying the first node that "suddenly becomes active" and the second node that "suddenly disappears." This screening strategy not only focuses on traditional unauthorized access behaviors but also keenly captures offline behaviors such as physical network outages. This ensures that the subsequent location mechanism based on reverse intervention can cover various forms of unauthorized external connections, effectively avoiding missed reports. At the same time, by narrowing the target scope, it significantly reduces the computational workload of subsequent intervention error calculations.

[0128] In an embodiment of the present invention, when the selected target node is a suspected newly added first node, the system employs an "inbound path intervention" strategy to assess whether the node's access behavior is the main cause of the increased network structure prediction error. The specific processing steps are as follows: First, the system removes the first node and all edges connected to it from the current network topology graph, generating an intervention graph. This operation aims to simulate a "hypothetical scenario": what would the network topology look like if the first node had never been connected to the current network? Specifically, at the data structure level, the system removes the node's attribute information and all edge records with that node as an endpoint, resulting in a corrected topology graph that does not include the first node at the current moment—the intervention graph.

[0129] In one possible implementation, refer to Figure 5 , Figure 5 This is a schematic diagram of the construction node removal intervention diagram provided by the present invention. For example... Figure 5 As shown, for each first node The system is in the current diagram Up (i.e.) Figure 5 (Left side) Constructing the intervention diagram for "Remove this node" (Right now Figure 5 (Right side) ; in, , From Delete all related to The set of edges obtained by connecting the edges. and This is the attribute matrix that has been re-indexed and rearranged after the corresponding nodes and edges have been deleted.

[0130] Next, the system extracts the intervention map-level representation based on the intervention map. This step reuses the function of the aforementioned graph embedding extraction module. The system inputs the generated intervention map into feature extraction modules such as graph convolutional networks, and after processing such as node attribute encoding and weighted readout, calculates a vector that can represent the overall structural features of the intervention map, i.e., the intervention map-level representation.

[0131] In one possible implementation, the intervention map The input graph embedding extraction module recalculates the graph-level representation to obtain the intervention graph-level representation. Finally, the system calculates the distance between the first predicted graph-level representation and the intervention graph-level representation to obtain the post-intervention error. Here, the "first predicted graph-level representation" is the vector predicted by the model based on the historical sequence in step 102, representing the expected normal evolution of the network. By calculating the distance between the predicted vector and the intervention graph vector (e.g., squared Euclidean distance), the system evaluates the degree of agreement between the actual structure of the network (i.e., the intervention graph) and the expected structure of the model (i.e., the predicted representation) after removing the first node.

[0132] In one possible implementation, while maintaining the output of the timing modeling module... Under the premise of not changing, calculate in "removing nodes" "Post-intervention error under assumptions" : Furthermore, for all first nodes After performing the above operations, the system obtains a set of error metrics. To visually represent the "contribution" of each node to the current anomaly, an error improvement amount can be defined. : If removing a node significantly reduces the structural prediction error, that is... If the value is significantly greater than zero, it indicates that the node's access behavior plays a major role in the structural deviation within the current time window.

[0133] It should be noted that, in scenarios where it is necessary to locate a single, most suspicious newly added node, the system can select the node with the largest error improvement as a candidate for "abnormal newly added node": ; It also includes a judgment on whether the improvement of the node exceeds a preset threshold. ,Right now: ; If the above conditions are met, then Returning as the primary candidate for "abnormally added node" in the current time window.

[0134] In scenarios requiring the output of multiple suspicious newly added nodes, the system can... Sort the results in a sorted list from largest to smallest: And select the previous The set of nodes whose improvement exceeds the threshold is considered as the candidate set for abnormally added nodes: when In this case, the above set will degenerate into a single most suspicious node.

[0135] The technical advantage of this embodiment is that if the access of the first node is illegal or abnormal, then it is a "noise source" causing the current network structure to deviate from its historical evolution. When this noise source is removed from the intervention graph, the remaining network structure should better match the model's predictions; therefore, the calculated post-intervention error should be significantly smaller than the structural prediction error before removal. In this way, this embodiment can quantitatively evaluate the contribution of the first node's access behavior to the overall structural anomaly, thereby achieving accurate anomaly localization.

[0136] In an embodiment of the present invention, when the selected target node is a suspected offline second node, the system adopts a "missing path intervention" strategy. Since the second node has already disappeared from the network at the current moment (e.g., due to a network cable being unplugged), directly operating on the current topology graph cannot assess its impact. Therefore, this embodiment uses a method of tracing back history and simulating the missing path, with the specific steps as follows: First, the system determines the most recent historical network topology graph in the first historical network topology graph sequence that contains the second node. Typically, this is the network topology graph corresponding to the previous time window immediately adjacent to the current moment, at which point the second node is still active.

[0137] Next, the system removes the second node and the edges connected to it from the historical network topology graph, generating an intervention graph. This operation aims to construct a counterfactual historical state: assuming that the node had already left the network in the previous time step.

[0138] In one possible implementation, for each second node In the previous window's image Construct the intervention graph for "Remove this node" above: in , From Delete all related to The set of edges obtained by connecting the edges. and This is the attribute matrix that has been re-indexed and rearranged after the corresponding nodes and edges have been deleted.

[0139] Then, based on the intervention map, the system constructs a second historical network topology map sequence.

[0140] In one possible implementation, the intervention map The input graph embedding extraction module obtains the modified graph-level representation of the previous time step. Subsequently, the system constructs a second historical network topology sequence: ; Keeping the graph-level representation of earlier time steps in the sequence unchanged, only using Replace the original This results in a new time series data that reflects the hypothesis of "early missing nodes".

[0141] Subsequently, the system uses a structural prediction model to process the second historical network topology sequence, generating a second predicted graph-level representation for the current moment. Here, the structural prediction model re-performs temporal extrapolation based on the modified historical sequence, predicting the structural characteristics the network should exhibit at the current moment under the assumption that "this node no longer exists in the previous time step".

[0142] In one possible implementation, the second historical network topology sequence is input into the time-series modeling module to obtain the sequence at the "node". Under the assumption of "missing previous window", the second prediction graph-level representation of the structure at the current time step. : Finally, the system calculates the actual graph-level representation. With the second prediction graph level representation The distance between them, and the error after intervention. , The actual graph-level representation is calculated based on the current real network topology (where the node has disappeared).

[0143] Furthermore, for all second nodes By performing the above operations, a set of error values ​​is obtained. And similarly define the error improvement amount. : It should be noted that when only one most likely malfunctioning node needs to be identified, the system can select the candidate node with the largest error improvement: And in ( When the preset threshold is used, Output the "most likely missing abnormal node" for the current time window.

[0144] In scenarios requiring the return of multiple suspected offline nodes, the system can... Sort in descending order to get And select the previous The set of nodes whose improvement exceeds the threshold: Similarly, when At that point, the above set degenerates into a single most suspicious off-network node.

[0145] The technical advantage of this embodiment is that if the sudden offline status of the second node is the main cause of the current structural anomaly, then by "simulating" the premature loss of this node in historical data, the model can "adapt" to this loss, thereby making more accurate predictions. In this case, the second predicted graph-level representation based on the corrected historical predictions should be very close to the actual graph-level representation where the node is currently missing, resulting in a significant reduction in error after intervention. This method cleverly solves the problem of attribution analysis for "non-existent" nodes, effectively locating offline and unauthorized external connections.

[0146] In embodiments of the present invention, in real-world network security monitoring scenarios, multiple nodes suspected of being abnormal may appear simultaneously. To improve operational efficiency, the system needs to classify and handle high-risk nodes identified as having unauthorized external connections. The specific optimization process is as follows: Reference Figure 6 , Figure 6 This is a schematic diagram of high-risk node visualization and sorting based on error improvement amount provided by the present invention.

[0147] In embodiments of the present invention, the system can not only locate a single abnormal node, but also supports sorting and hierarchical display of multiple potential high-risk nodes to assist operation and maintenance personnel or upper-layer security policy engines in formulating differentiated handling strategies.

[0148] like Figure 6 As shown, after detecting network structure anomalies and calculating the error improvement amount for each target node, the system generates a risk distribution map reflecting the risk level of each node. Figure 6 In the diagram, the network topology is visualized, with the color intensity of each node corresponding to the amount of error improvement (i.e., ...) of that node. The value of ) is shown in the legend on the right. The darker the color (such as dark red), the greater the improvement in error of the node. That is, the more significant the reduction in the prediction error of the structure prediction model after assuming the removal of the node and its related edges. This intuitively shows that the higher the contribution of the node to the abnormal evolution of the network temporal topology at the current moment, the higher the risk level of its involvement in unauthorized external connections (such as unauthorized access or unauthorized offline).

[0149] Based on the above calculation results, the system executes the following sorting and optimization process: First, when there are multiple target nodes whose error improvement is greater than a preset threshold, the system arranges these target nodes in descending order of error improvement, generating an ordered candidate node list with decreasing risk weight.

[0150] Secondly, the system selects the target nodes ranked in the top K positions as priority processing objects according to preset configuration parameters, where K is a preset positive integer. This parameter K (denoted as ) is used when adding new nodes. When dealing with offline nodes, it is recorded as It supports flexible adjustments based on actual operation and maintenance needs.

[0151] Specifically, when the security operations and maintenance strategy aims to focus on verifying a few high-risk objects to achieve rapid response, the system sets the parameter K to a small value (e.g., 1 or 3). In this case, the system only identifies and outputs a few core nodes with the greatest improvement, allowing operations and maintenance personnel to focus on the most likely sources of structural anomalies.

[0152] When security operations and maintenance strategies require expanding the scope of investigation to avoid missed detections, the system sets the parameter K to a larger value. In this case, the system outputs a list containing more candidate nodes, presented strictly in descending order of risk, providing operations and maintenance personnel with more comprehensive investigation clues.

[0153] By using this mechanism of sorting based on error improvement and Top-K selection, this embodiment transforms the complex graph neural network prediction results into an intuitive and operable set of high-risk nodes, effectively improving the interpretability and processing efficiency of network violation external connection detection results.

[0154] Reference Figure 7 , Figure 7 This is a schematic diagram of the network unauthorized external connection detection system provided by the present invention. The system includes: The temporal network topology construction module is used to construct a network topology map sequence in chronological order based on the communication data of the monitored objects within the network; the network topology map sequence includes a first historical network topology map sequence and the current network topology map. The inference module is used to process the first historical network topology graph sequence using the structural prediction model to generate the first predicted graph-level representation at the current moment; The structure prediction error calculation module is used to determine the structure prediction error, which characterizes the degree of deviation of the network structure evolution at the current moment, based on the actual graph-level representation of the current network topology and the first predicted graph-level representation. The reverse intervention positioning module is used to determine the target node related to the structural prediction error when the network topology sequence is determined to be abnormal based on the structural prediction error. The reverse intervention positioning module is also used to construct an intervention map about any of the target nodes, and to determine the post-intervention error based on the intervention map using the structural prediction model; An anomaly detection module is used to take the difference between the structural prediction error and the error after intervention as the error improvement amount of the target node, and to identify the target node whose error improvement amount is greater than a preset threshold as a high-risk node for illegal external connection.

[0155] It should be noted that the network illegal external connection detection system provided by the present invention can execute the network illegal external connection detection method of any of the above embodiments during specific operation, which will not be elaborated in this embodiment.

[0156] Figure 8 This is a schematic diagram of the structure of the electronic device provided by the present invention, such as... Figure 8 As shown, the electronic device may include a processor 810, a communications interface 820, a memory 830, and a communication bus 840. The processor 810, communications interface 820, and memory 830 communicate with each other via the communication bus 840. The processor 810 can call logical instructions in the memory 830 to execute the network unauthorized external connection detection method provided in the above embodiments.

[0157] Furthermore, the logical instructions in the aforementioned memory 830 can be implemented as software functional units and, when sold or used as independent products, can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence, or the part that contributes to the prior art, or a part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods of the various embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.

[0158] On the other hand, the present invention also provides a computer program product, which includes a computer program stored on a non-transitory computer-readable storage medium. The computer program includes program instructions, and when the program instructions are executed by a computer, the computer is able to execute the network unauthorized external connection detection method provided in the above embodiments.

[0159] In another aspect, the present invention also provides a non-transitory computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, is implemented to perform the network unauthorized external connection detection method provided in the above embodiments.

[0160] The system embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the modules can be selected to achieve the purpose of this embodiment according to actual needs. Those skilled in the art can understand and implement this without any creative effort.

[0161] Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus necessary general-purpose hardware platforms, and of course, it can also be implemented by hardware. Based on this understanding, the above technical solutions, in essence or the part that contributes to the prior art, can be embodied in the form of a software product. This computer software product can be stored in a computer-readable storage medium, such as ROM / RAM, magnetic disk, optical disk, etc., including several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute the methods of various embodiments or some parts of embodiments.

[0162] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, and not to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features; and these modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims

1. A method for detecting unauthorized external network connections, characterized in that, include: Based on the communication data of the monitored objects within the network, a network topology sequence is constructed in chronological order. The network topology sequence includes a first historical network topology sequence and the current network topology sequence; The first historical network topology sequence is processed using a structural prediction model to generate the first predicted graph-level representation at the current moment; Based on the actual graph-level representation of the current network topology and the first predicted graph-level representation, a structural prediction error is determined to characterize the degree of deviation in the network structure evolution at the current moment. When the network topology sequence is determined to be abnormal based on the structure prediction error, the target node related to the structure prediction error is identified. For any of the target nodes, an intervention map is constructed about the target node, and based on the intervention map, the post-intervention error is determined using the structural prediction model; The difference between the structural prediction error and the error after intervention is used as the error improvement amount of the target node, and the target node whose error improvement amount is greater than a preset threshold is identified as a high-risk node for illegal external connection.

2. The method for detecting unauthorized external network connections according to claim 1, characterized in that, The process of using a structural prediction model to process the first historical network topology sequence to generate a first predicted graph-level representation at the current moment includes: Each historical network topology map in the first historical network topology map sequence is input into the graph embedding extraction module. The node attribute features of each node in the graph are encoded by the graph convolutional network to obtain the node embedding vector of each node. Obtain the first discovery time of each node in the network; For any historical network topology, calculate the difference between the time corresponding to the historical network topology and the time of the first discovery, and use it as the node duration of each node in the historical network topology. The normalized importance weight of each node is calculated based on the node's duration of existence, wherein the normalized importance weight decreases as the node's duration of existence increases. The node embedding vectors are weighted and summed according to the normalized importance weights to generate historical graph-level representation vectors corresponding to each historical network topology graph; The historical graph-level representation vectors arranged in chronological order are input into the attention-based temporal modeling module to obtain the first predicted graph-level representation of the current moment output by the temporal modeling module.

3. The method for detecting unauthorized external network connections according to claim 1, characterized in that, The determination of the target node related to the structural prediction error includes: Obtain the set of active nodes in the current network topology graph; Identify the first node in the active node set that was inactive in the historical network topology graph at the previous moment, and add the first node to the candidate set; Identify a second node that was active in the historical network topology graph at the previous moment but inactive in the current network topology graph, and add the second node to the candidate set; The nodes in the candidate set are determined as the target nodes.

4. The method for detecting unauthorized external network connections according to claim 3, characterized in that, When the target node is the first node, the step of constructing an intervention map about the target node and determining the post-intervention error based on the intervention map using the structural prediction model includes: Remove the first node and the edges connected to the first node from the current network topology graph to generate the intervention graph; Based on the intervention map, extract the intervention map-level representation; The distance between the first predicted graph-level representation and the intervention graph-level representation is calculated to obtain the post-intervention error.

5. The method for detecting unauthorized external network connections according to claim 3, characterized in that, When the target node is the second node, the process of constructing an intervention map about the target node and determining the post-intervention error based on the intervention map using the structural prediction model includes: Determine the most recent historical network topology map in the first historical network topology map sequence that contains the second node; Remove the second node and the edges connected to the second node from the historical network topology graph to generate the intervention graph; Based on the intervention map, a second historical network topology map sequence is constructed; The structure prediction model is used to process the second historical network topology sequence to generate a second predicted graph-level representation at the current moment; The distance between the actual graph-level representation and the second predicted graph-level representation is calculated to obtain the post-intervention error.

6. The method for detecting unauthorized external network connections according to claim 1, characterized in that, Before determining that the network topology sequence is abnormal based on the structural prediction error, the method further includes: Maintain an error buffer queue, which stores the structural prediction errors calculated at the most recent N historical moments, where N is a positive integer; Calculate the statistical distribution characteristics of the values ​​in the error buffer queue, and select a preset percentile value; The quantile value is set as the anomaly determination threshold for determining whether the network topology graph sequence is abnormal; If the structural prediction error is greater than the anomaly determination threshold, then an anomaly is determined to exist.

7. The method for detecting unauthorized external network connections according to claim 1, characterized in that, After identifying target nodes whose error improvement exceeds a preset threshold as high-risk nodes for unauthorized external connections, the process further includes: When there are multiple target nodes whose error improvement amount is greater than a preset threshold, all target nodes are sorted in descending order of error improvement amount; Select the target node that ranks in the top K positions of the sort as the priority object for processing, where K is a preset positive integer.

8. A network unauthorized external connection detection system, characterized in that, include: The temporal network topology construction module is used to construct a sequence of network topology diagrams in chronological order based on the communication data of the monitored objects within the network. The network topology sequence includes a first historical network topology sequence and the current network topology sequence; The inference module is used to process the first historical network topology graph sequence using the structural prediction model to generate the first predicted graph-level representation at the current moment; The structure prediction error calculation module is used to determine the structure prediction error, which characterizes the degree of deviation of the network structure evolution at the current moment, based on the actual graph-level representation of the current network topology and the first predicted graph-level representation. The reverse intervention positioning module is used to determine the target node related to the structural prediction error when the network topology sequence is determined to be abnormal based on the structural prediction error. The reverse intervention positioning module is also used to construct an intervention map about any of the target nodes, and to determine the post-intervention error based on the intervention map using the structural prediction model; An anomaly detection module is used to take the difference between the structural prediction error and the error after intervention as the error improvement amount of the target node, and to identify the target node whose error improvement amount is greater than a preset threshold as a high-risk node for illegal external connection.

9. An electronic device comprising a memory, a processor, and a computer program stored in the memory and running on the processor, characterized in that, When the processor executes the computer program, it implements the network unauthorized external connection detection method as described in any one of claims 1 to 7.

10. A non-transitory computer-readable storage medium having a computer program stored thereon, characterized in that, When the computer program is executed by the processor, it implements the network unauthorized external connection detection method as described in any one of claims 1 to 7.