Self-evolution network intrusion monitoring method, system and device facing unknown attacks

By fusing multimodal features and topology-preserving loss function through an open-set dual-stream detection model, the problem of insufficient identification capability and forgetting in network intrusion detection systems when identifying unknown attacks is solved, thus achieving efficient and automated network intrusion monitoring.

CN122160118APending Publication Date: 2026-06-05CHINA DATANG CORPORATION SCIENCE AND TECHNOLOGY GENERAL RESEARCH INSTITUTE +2

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
CHINA DATANG CORPORATION SCIENCE AND TECHNOLOGY GENERAL RESEARCH INSTITUTE
Filing Date
2026-03-04
Publication Date
2026-06-05

Smart Images

  • Figure CN122160118A_ABST
    Figure CN122160118A_ABST
Patent Text Reader

Abstract

The application provides a self-evolution network intrusion monitoring method, system and device facing unknown attacks, and the method comprises the following steps: acquiring traffic packets in real time at a network outlet, and cutting into sessions, converting unstructured original network traffic in the traffic packets into multi-modal traffic data; using a trained open set double-flow detection model to classify the preprocessed multi-modal traffic data, distinguishing known attacks from unknown attacks, triggering an alarm for the unknown attacks and storing the unknown attacks in a buffer; unsupervised clustering the unknown attacks in the buffer to identify potential attack clusters, and selecting a preset number of representative attacks in each attack cluster; judging whether the representative attacks are new attacks; mixing an incremental data set with old class attacks to form a mixed training set, and using a topology preservation loss function to fine-tune the open set double-flow detection model. The problem that network intrusion cannot be flexibly and quickly identified is solved.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of network intrusion technology, and in particular to self-evolving network intrusion detection methods, systems and devices for dealing with unknown attacks. Background Technology

[0002] With the continuous evolution of network attack techniques, new and variant attacks are emerging in an endless stream, posing a severe challenge to the security protection of open network environments. Traditional Network Intrusion Detection Systems (NIDS) mainly rely on rule-based feature matching mechanisms. Their core flaw is that they can only identify known attacks with preset rules, making it difficult to deal with zero-day attacks and variant attacks with unknown characteristics, resulting in significant defense lag.

[0003] In recent years, deep learning-based NIDS has gradually replaced traditional methods, significantly improving the detection accuracy of known attacks. However, such systems are usually trained based on the closed set assumption, which forces all input samples to be classified into categories already present in the training set. In real open network environments, they face problems such as insufficient open set recognition capability, prominent catastrophic forgetting problem, and high cost of manual annotation.

[0004] In response to the shortcomings of the existing technologies, there is an urgent need for a network intrusion detection solution that can efficiently identify unknown attacks, adaptively update models at low cost, and avoid catastrophic forgetting, in order to address the core pain point of defending against unknown threats in open network environments. Summary of the Invention

[0005] In view of this, the purpose of this application is to propose a self-evolving network intrusion detection method, system and device for facing unknown attacks, which solves the problem of the inability to flexibly and quickly identify network intrusions.

[0006] To achieve one of the aforementioned objectives, this application provides a self-evolving network intrusion detection method in the face of unknown attacks, the method comprising:

[0007] Traffic packets are acquired in real time at the network egress point and segmented into sessions. The unstructured raw network traffic in the traffic packets is converted into multimodal traffic data, which includes spatial modal data and temporal modal data. The pre-processed multimodal traffic data is classified using a trained open set dual-stream detection model to distinguish between known and unknown attacks. Known attacks trigger corresponding defense responses, while unknown attacks trigger alarms and are stored in a buffer. Unsupervised clustering is performed on the unknown attacks in the buffer to identify potential attack clusters. A comprehensive sampling value score is calculated, and a preset number of representative attacks are selected from each attack cluster according to the comprehensive sampling value score from high to low. The comprehensive sampling value score is used to evaluate the uncertainty and diversity of the unknown attacks. Determine whether the representative attack is a novel attack, assign category labels to the attack clusters corresponding to the confirmed novel attacks, and construct an incremental dataset based on the category labels; The incremental dataset is mixed with the old type of attack to form a hybrid training set. The open set dual-stream detection model is fine-tuned using the topology-preserving loss function. The fine-tuned model is then updated to the online detection engine and enters the next closed-loop cycle.

[0008] As a further improvement of one embodiment of this application, the spatial modal data is a grayscale image matrix obtained by byte mapping normalization of the data packet payload, and the temporal modal data is a multidimensional time series constructed by extracting the data packet arrival time interval and packet size sequence.

[0009] As a further improvement to one embodiment of this application, the step of classifying the preprocessed multimodal traffic data using a trained open-set dual-stream detection model to distinguish between known and unknown attacks includes: A high-dimensional fusion feature is generated by fusing spatial image features and temporal features through a bidirectional cross-attention mechanism. Combined with a contrastive prototype learning and energy boundary determination mechanism, the known attack is distinguished from the unknown attack.

[0010] As a further improvement to one embodiment of this application, the step of mixing the incremental dataset with the old-type attack to form a hybrid training set includes: Obtain a data memory and extract the old attack types from the data memory; wherein the data memory is a priority buffer area, prioritizing the retention of the old attack types with high threat levels.

[0011] As a further improvement of one embodiment of this application, the open set dual-stream detection model includes a spatial stream, a temporal stream, and a bidirectional cross-attention fusion layer. The spatial stream uses an improved convolutional neural network to process the grayscale image matrix and output a spatial feature vector. The temporal stream uses a rotation position encoding to process the multidimensional time series and output a temporal feature vector. The fusion formula for the bidirectional cross-attention fusion layer is: ; in, This represents the final fused multimodal feature vector. This represents the image feature vector output by the spatial stream. This represents the sequence feature vector output by the time stream. This represents multi-head attention computation, where For query vector, For key vectors, For value vectors, Presentation layer normalization operation.

[0012] As a further improvement to one embodiment of this application, the step of calculating a comprehensive sampling value score and selecting a preset number of representative attacks from each attack cluster based on the comprehensive sampling value scores from high to low; wherein, the comprehensive sampling value score is used to evaluate the uncertainty and diversity of the unknown attacks, including: The uncertainty is quantified using the following formula: ; in, Let x be the energy fraction of the unknown attack. For temperature coefficient, This represents the total number of attack categories known in the current model. For a neural network to handle an unknown attack x, which belongs to the first... The Logits output value of the class.

[0013] As a further improvement to one embodiment of this application, the comprehensive sampling value score is expressed as follows: ; in, This represents the sampling value score of the unknown attack x. These represent preset weighting coefficients, which adjust the proportions of uncertainty and diversity, respectively. The information entropy function is represented by... This represents the model's predicted probability distribution for the unknown attack x. This refers to the unknown attack x and its cluster. center The Euclidean distance between them This represents the bandwidth parameter of the Gaussian kernel function, which controls the rate at which the influence of distance on the score decays.

[0014] As a further improvement of one embodiment of this application, the topology preservation loss function is expressed as: ; in, This indicates that the updated model is for the first... Feature vectors extracted from each replay sample This represents the feature vector extracted by the model from the same sample before the update. This represents the distance metric between feature vectors. These represent the average distances between all sample pairs in the current batch under the updated model and the model before the update, respectively.

[0015] Based on the same inventive concept, this application also provides a self-evolving network intrusion detection system for facing unknown attacks, the system comprising: The acquisition module is used to acquire traffic packets in real time at the network egress point, segment them into sessions, and convert the unstructured raw network traffic in the traffic packets into multimodal traffic data, which includes spatial modal data and temporal modal data. The classification module is used to classify the preprocessed multimodal traffic data using a trained open set dual-stream detection model, distinguishing between known attacks and unknown attacks. Known attacks trigger corresponding defense responses, while unknown attacks trigger alarms and are stored in a buffer. The filtering module is used to perform unsupervised clustering of the unknown attacks in the buffer, identify potential attack clusters, calculate a comprehensive sampling value score, and filter out a preset number of representative attacks from each attack cluster according to the comprehensive sampling value score from high to low; wherein, the comprehensive sampling value score is used to evaluate the uncertainty and diversity of the unknown attacks. The construction module is used to determine whether the representative attack is a new type of attack, assign category labels to the attack clusters corresponding to the confirmed new attacks, and construct an incremental dataset based on the category labels. The training module is used to mix the incremental dataset with the old type of attack to form a hybrid training set, and to fine-tune the open set dual-stream detection model using the topology-preserving loss function. The fine-tuned model is then updated to the online detection engine and enters the next closed-loop cycle.

[0016] Based on the same inventive concept, this application also provides an electronic device, including: a processor and a memory; the memory stores a computer program, which, when executed by the processor, causes the processor to perform the steps of the self-evolving network intrusion detection method in the face of unknown attacks.

[0017] Compared to existing technologies, the technical advantages of this invention are as follows: By extracting multimodal features through a dual-stream spatiotemporal network and combining it with contrastive prototype learning and energy boundary determination mechanisms, the open set recognition capability is effectively improved, enabling accurate rejection of unknown attacks. The use of topology-preserving loss achieves continuous iteration of defense capabilities, overcoming the shortcomings of existing models that are prone to forgetting updates; it automatically summarizes unknown attack patterns and, combined with an uncertainty-diversity weighted sampling strategy, efficiently filters high-value samples for expert annotation, reducing manual costs; and it feeds the incrementally updated model back to the detection engine in real time, achieving automated and continuous evolution of defense capabilities. Attached Figure Description

[0018] To more clearly illustrate the technical solutions in this application or related technologies, the drawings used in the description of the implementation methods or related technologies will be briefly introduced below. Obviously, the drawings described below are only the implementation methods of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0019] Figure 1 A flowchart illustrating a self-evolving network intrusion detection method in response to unknown attacks, provided as an embodiment of this application; Figure 2 A schematic diagram of an open set dual-stream detection model provided for another embodiment of this application; Figure 3 A schematic diagram of a self-evolving network intrusion detection system in the face of unknown attacks, provided as another embodiment of this application; Figure 4 This is a schematic diagram of the hardware structure of an electronic device provided for another embodiment of this application. Detailed Implementation

[0020] The present invention will now be described in detail with reference to the specific embodiments shown in the accompanying drawings. However, these embodiments do not limit the present invention, and any structural, methodological, or functional modifications made by those skilled in the art based on these embodiments are included within the scope of protection of the present invention.

[0021] It should be noted that, unless otherwise defined, the technical or scientific terms used in the embodiments of this application should have the ordinary meaning understood by those skilled in the art to which this application pertains. The terms "first," "second," and similar terms used in the embodiments of this application do not indicate any order, quantity, or importance, but are merely used to distinguish different components. Terms such as "comprising" or "including" mean that the element or object preceding the word encompasses the elements or objects listed following the word and their equivalents, without excluding other elements or objects.

[0022] The existing open network environment faces three core problems: First, insufficient open-set identification capability: For unknown attacks not appearing in the training set, the model often misclassifies them with high confidence as a known security or attack category, lacking effective rejection capability, easily leading to missed or false positives, and failing to detect new threats in a timely manner. Second, the problem of catastrophic forgetting is prominent: To identify newly emerging attacks, new data needs to be collected to retrain the model. This process is not only time-consuming and labor-intensive, but also easily leads to the model forgetting old attack characteristics, resulting in the phenomenon of "learning new knowledge but forgetting old knowledge," which cannot achieve continuous iteration of defense capabilities. Third, the high cost of manual annotation: The massive amount of network traffic generated in open networks lacks an efficient high-value sample screening mechanism, forcing security experts to manually sift through a very small number of valid attack samples from massive logs and samples, resulting in low work efficiency and further exacerbating the response lag in the detection of unknown attacks.

[0023] To address the aforementioned problems, this application provides a self-evolving network intrusion detection method in the face of unknown attacks, such as...Figure 1 As shown, the method includes the following steps: Step S100: Obtain traffic packets in real time at the network egress point, segment them into sessions, and convert the unstructured raw network traffic in the traffic packets into multimodal traffic data, which includes spatial modal data and temporal modal data.

[0024] Specifically, traffic acquisition devices are deployed at the enterprise network egress to capture PCAP format traffic packets in real time. Using a network session segmentation algorithm, the raw traffic is segmented into independent network sessions according to a five-tuple (source IP, destination IP, source port, destination port, protocol type), with each session serving as a basic processing unit.

[0025] In one possible implementation of this application, the spatial modal data is a grayscale image matrix obtained by byte mapping normalization of the data packet payload, and the temporal modal data is a multidimensional time series constructed by extracting the data packet arrival time interval and packet size sequence.

[0026] Specifically, a multimodal transformation is performed on each network session: the payload of each data packet in the session is mapped to grayscale values ​​of 0-255 by bytes, normalized into a 32×32 grayscale image matrix, and spatial modal data is constructed to characterize the spatial structure and texture features of the attack code; the arrival time interval (IAT) and packet size sequence of data packets in each session are extracted, and after standardization of the sequence, a multidimensional time series of length 64 is constructed as temporal modal data to characterize the communication behavior patterns and statistical regularities of the attack.

[0027] Step S200: Use the trained open set dual-stream detection model to classify the preprocessed multimodal traffic data, distinguish between known attacks and unknown attacks. Known attacks trigger corresponding defense responses, while unknown attacks trigger alarms and are stored in the buffer.

[0028] Specifically, cyberattacks typically exhibit anomalies in both payload content (such as malicious code snippets) and traffic behavior (such as heartbeat intervals). Using only a single modality can easily lead to missed detections. The open-set dual-stream detection model is designed to extract and fuse these two heterogeneous features to obtain a more comprehensive attack characterization.

[0029] In one possible implementation of this application, step S200 further includes: A high-dimensional fusion feature is generated by fusing spatial image features and temporal features through a bidirectional cross-attention mechanism. Combined with a contrastive prototype learning and energy boundary determination mechanism, it distinguishes between known and unknown attacks.

[0030] Specifically, the multimodal data preprocessed in step S100 is input into the trained open set dual-stream detection model. The spatial stream of the model uses an improved ConvNeXt-Tiny convolutional neural network to extract features from the grayscale images of the spatial modalities.

[0031] In one possible implementation of this application, such as Figure 2 As shown, the open set dual-stream detection model includes spatial stream, temporal stream, and bidirectional cross-attention fusion layer. The spatial stream uses an improved convolutional neural network to process the grayscale image matrix and output spatial feature vectors. The temporal stream uses rotation position encoding to process multidimensional time series and output temporal feature vectors. The fusion formula for the bidirectional cross-attention fusion layer is: ; in, This represents the final fused multimodal feature vector. This represents the image feature vector output by the spatial stream. This represents the sequence feature vector output by the time stream. This represents multi-head attention computation, where For query vector, For key vectors, For value vectors, Presentation layer normalization operation.

[0032] Specifically, the model fuses the input spatial image features with time series features to generate a high-dimensional feature vector. Known attack detection: Calculate characteristics Distance to each known class prototype. If the distance is less than a set threshold and the energy score is low, it is determined to be the corresponding known attack category. Unknown attack determination: If the feature energy fraction Exceeding the preset energy threshold This indicates that the sample is in a low-density region of the feature space (i.e., an out-of-distribution sample). The system identifies it as an unknown attack, triggers an alarm, and stores it in the buffer.

[0033] In a specific implementation, Spatial Stream is implemented by processing the payload image using an improved ConvNeXt convolutional neural network. It utilizes large convolutional kernels and depthwise separable convolutions to effectively extract malicious signatures or shellcode texture features with local correlations in the payload and outputs a spatial feature vector.

[0034] Temporal Stream is implemented by using a Transformer encoder with Rotated Position Encoding (RoPE) to process statistical sequences. It utilizes a self-attention mechanism to capture long-distance temporal dependencies in the flow sequence (such as heartbeat features of slow scanning or C&C communication) and outputs a temporal feature vector.

[0035] Step S300: Unsupervised clustering is performed on the unknown attacks in the buffer to identify potential attack clusters. A comprehensive sampling value score is calculated, and a preset number of representative attacks are selected from each attack cluster according to the comprehensive sampling value score from high to low. The comprehensive sampling value score is used to evaluate the uncertainty and diversity of unknown attacks.

[0036] Specifically, this step aims to efficiently filter out high-value samples from a large number of accumulated unknown samples for subsequent annotation, thereby reducing manual costs. Unsupervised clustering utilizes the HDBSCAN algorithm to cluster unknown samples in the buffer, automatically identifying potential attack clusters with similar feature patterns. High-value sample screening is also required, which involves calculating a comprehensive score for samples within each cluster. The scoring function combines "uncertainty" (difficult examples located at the decision boundary) and "diversity" (typical examples located at the cluster center), selecting the Top-K samples as representatives of that cluster.

[0037] In this specific implementation, uncertainty is quantified based on a contrastive prototype and energy boundary discrimination mechanism. Traditional Softmax classifiers often give incorrect high-confidence predictions when faced with unknown classes. This mechanism accurately rejects unknown attacks by constructing a compact intra-class distribution and an energy-based out-of-distribution detection mechanism. First, contrastive prototype learning is implemented by introducing supervised contrastive loss during the training phase. This forces samples of the same class to be highly clustered in the feature space, forming a compact class prototype, increasing the distance between different classes, and thus reserving feature space for unknown classes.

[0038] In one possible implementation of this application, based on extreme value theory (EVT), the uncertainty of the sample is quantified using the free energy function, and the uncertainty is quantified using the following formula: ; in, The energy score for the unknown attack x. For temperature coefficient, This represents the total number of attack categories known in the current model. For a neural network to handle an unknown attack x, which belongs to the first... The Logits output value of the class. A higher energy score indicates greater uncertainty. In one possible implementation of this application, step S300 further includes: The comprehensive sampling value score is expressed as follows: ; in, The sampling value score represents the unknown attack x. These represent preset weighting coefficients, which adjust the proportions of uncertainty and diversity, respectively. The information entropy function is represented by... This represents the model's predicted probability distribution for an unknown attack x. This represents an unknown attack x and its cluster. center The Euclidean distance between them This represents the bandwidth parameter of the Gaussian kernel function, which controls the rate at which the influence of distance on the score decays.

[0039] Specifically, manually analyzing each of the massive amounts of unknown attack alerts is impractical. This module aims to automatically summarize attack patterns through clustering algorithms and filter out the most informative samples using active learning algorithms, thereby minimizing the cost of manual annotation. The HDBSCAN algorithm is applied to the feature vectors of unknown attacks within the buffer. This algorithm does not require pre-specifying the number of clusters and can adapt to cluster densities of varying sizes, making it suitable for automatically discovering potential attack groups in noisy real-world network environments.

[0040] Step S400: Determine whether the representative attack is a new type of attack, assign category labels to the attack clusters corresponding to the confirmed new attacks, and construct an incremental dataset based on the category labels.

[0041] Specifically, this step involves confirming novel attacks through human-computer interaction and constructing an incremental training set. First, manual confirmation is required, with security experts reviewing representative samples selected by the system. Once experts confirm a cluster of samples as a novel attack, new labels are assigned. The system automatically labels the remaining high-confidence samples within that cluster as belonging to the same category, thus constructing the incremental dataset.

[0042] In step S500, the incremental dataset is mixed with the old type of attack to form a hybrid training set. The open set dual-stream detection model is fine-tuned using the topology-preserving loss function. The fine-tuned model is then updated to the online detection engine, and the next closed-loop cycle begins.

[0043] Specifically, this step aims to update the model to identify new attacks while maintaining its ability to detect older attacks. New class data is mixed with old class data replayed from memory. The model is then fine-tuned using a topology-preserving loss function. This method constrains the model to maintain the relative distances between old samples in the feature space when updating parameters, thus preventing drastic drift in the feature space. The updated model replaces the online detection engine, completing the evolution of the system's capabilities.

[0044] In one possible implementation of this application, step S500, which involves mixing the incremental dataset with the old-class attack to form a hybrid training set, further includes: Obtain the data memory and extract old attack types from it; the data memory is a priority buffer area that prioritizes the retention of old attacks with high threat levels.

[0045] Establish a priority memory buffer, prioritizing the retention of older attack types with high threat levels for replay training.

[0046] In one possible implementation of this application, step S500 further includes: The topology preservation loss function is expressed as: ; in, This indicates that the updated model is for the first... Feature vectors extracted from each replay sample This represents the feature vector extracted by the model from the same sample before the update. This represents the distance metric between feature vectors. These represent the average distances between all sample pairs in the current batch under the updated model and the model before the update, respectively.

[0047] The topology-preserving loss function mandates that the relative distance matrix between samples generated by the new model remain consistent with that of the old model. This rigid constraint locks in the geometry of the feature manifold, fundamentally suppressing feature space distortion caused by parameter updates, thereby avoiding catastrophic forgetting.

[0048] It should also be noted that deep learning models tend to change their parameters when learning new tasks, leading to a sharp decline in performance on older tasks (catastrophic forgetting). This module aims to ensure that the model maintains its ability to recognize old attacks while learning new ones by constraining the geometry of the feature space.

[0049] The beneficial effects of the self-evolving network intrusion detection method against unknown attacks disclosed in the embodiments of this application are as follows: High accuracy in identifying unknown attacks: By extracting multimodal features through a dual-stream spatiotemporal network and combining comparative prototype learning and energy boundary determination mechanisms, the open set identification capability is effectively improved. It can accurately reject unknown attacks, avoid misclassifying unknown attacks as known categories, significantly reduce false positive and false negative rates, and solve the problem of difficulty in identifying zero-day attacks and variant attacks in existing technologies. Completely solve the problem of catastrophic forgetting: adopt a hybrid incremental learning framework that preserves topology. By dynamically and elastically replaying old class samples and using topology-preserving loss constraints, the model ensures that it can maintain the ability to recognize old attack features when updating parameters and learning new attack features, thus achieving continuous iteration of defense capabilities and overcoming the shortcomings of existing models that are prone to forgetting during updates. Significantly reduce manual annotation costs: By automatically summarizing unknown attack patterns through HDBSCAN clustering and combining uncertainty-diversity weighted sampling strategy, high-value samples are efficiently screened for expert annotation, eliminating the need for experts to screen through massive amounts of samples one by one, significantly improving annotation efficiency, reducing manual costs, and solving the problem of low efficiency of manual annotation in existing technologies. Achieve closed-loop self-evolution: Construct a closed-loop adaptive framework of "detection-discovery-learning" to feed the incrementally updated model back to the detection engine in real time, so as to realize the automated and continuous evolution of defense capabilities, complete model iteration without manual intervention, and adapt to the dynamic evolution of attack technologies in open network environments. Highly practical and widely adaptable: It adopts a real-time preprocessing mechanism for all traffic, which can adapt to the traffic characteristics of various open network environments. The core module adopts an improved mainstream algorithm, which has high computing efficiency, can realize hot system updates, does not affect the normal operation of the network, and is easy to implement in engineering and promote application.

[0050] Another embodiment of this application discloses a self-evolving network intrusion detection system for dealing with unknown attacks, such as Figure 3 As shown, it includes: The acquisition module is used to acquire traffic packets in real time at the network egress point, segment them into sessions, and convert the unstructured raw network traffic in the traffic packets into multimodal traffic data, which includes spatial modal data and temporal modal data. The classification module is used to classify the pre-processed multimodal traffic data using the trained open set dual-stream detection model, distinguish between known attacks and unknown attacks. Known attacks trigger corresponding defense responses, while unknown attacks trigger alarms and are stored in the buffer. The filtering module is used to perform unsupervised clustering of unknown attacks in the buffer, identify potential attack clusters, and filter out a preset number of representative attacks from each attack cluster according to the comprehensive sampling value score from high to low; wherein, the comprehensive sampling value score is used to evaluate the uncertainty and diversity of unknown attacks. The module is used to determine whether a representative attack is a new type of attack, assign category labels to the attack clusters corresponding to confirmed new attacks, and build an incremental dataset based on the category labels. The training module is used to mix the incremental dataset with the old type of attack to form a hybrid training set. The open set dual-stream detection model is fine-tuned using the topology-preserving loss function. The fine-tuned model is then updated to the online detection engine and enters the next closed loop.

[0051] Figure 4 This diagram illustrates a more specific hardware structure of an electronic device provided in this embodiment. The device may include: a processor 1010, a memory 1020, an input / output interface 1030, a communication interface 1040, and a bus 1050. The processor 1010, memory 1020, input / output interface 1030, and communication interface 1040 are interconnected internally via the bus 1050.

[0052] The processor 1010 can be implemented using a general-purpose CPU (Central Processing Unit), microprocessor, application-specific integrated circuit (ASIC), or one or more integrated circuits, and is used to execute relevant programs to implement the technical solutions provided in the embodiments of this specification.

[0053] The memory 1020 can be implemented in the form of ROM (Read Only Memory), RAM (Random Access Memory), static storage device, dynamic storage device, etc. The memory 1020 can store the operating system and other application programs. When the technical solutions provided in the embodiments of this specification are implemented by software or firmware, the relevant program code is stored in the memory 1020 and is called and executed by the processor 1010.

[0054] The input / output interface 1030 is used to connect input / output modules to realize information input and output. The input / output modules can be configured as components in the device (not shown in the figure) or externally connected to the device to provide corresponding functions. Input devices may include keyboards, mice, touch screens, microphones, various sensors, etc., and output devices may include displays, speakers, vibrators, indicator lights, etc.

[0055] The communication interface 1040 is used to connect the communication module (not shown in the figure) to enable communication between this device and other devices. The communication module can communicate via wired means (such as USB, network cable, etc.) or wireless means (such as mobile network, WIFI, Bluetooth, radio (shortwave / ultra-shortwave) communication, satellite communication, data link communication, etc.).

[0056] Bus 1050 includes pathways for transmitting information between various components of the device, such as processor 1010, memory 1020, input / output interface 1030, and communication interface 1040.

[0057] It should be noted that although the above-described device only shows the processor 1010, memory 1020, input / output interface 1030, communication interface 1040, and bus 1050, in specific implementations, the device may also include other components necessary for normal operation. Furthermore, those skilled in the art will understand that the above-described device may only include the components necessary for implementing the embodiments described in this specification, and need not include all the components shown in the figures.

[0058] The electronic devices described above are used to implement the corresponding self-evolving network intrusion detection method for facing unknown attacks in any of the foregoing embodiments, and have the beneficial effects of the corresponding method implementation methods, which will not be elaborated here.

[0059] Based on the same inventive concept, corresponding to any of the above-described embodiments, this application also provides a non-transitory computer-readable storage medium storing computer instructions for causing the computer to execute the self-evolving network intrusion detection method against unknown attacks as described in any of the above embodiments.

[0060] The computer-readable medium in this embodiment includes permanent and non-permanent, removable and non-removable media, and information storage can be implemented by any method or technology. Information can be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, CD-ROM, digital versatile optical disc (DVD) or other optical storage, magnetic tape, magnetic magnetic disk storage or other magnetic storage devices, or any other non-transfer medium that can be used to store information accessible by a computing device.

[0061] The computer instructions stored in the storage medium of the above embodiments are used to cause the computer to execute the self-evolving network intrusion detection method in the face of unknown attacks as described in any of the above embodiments, and have the beneficial effects of the corresponding method implementation, which will not be repeated here.

[0062] Those skilled in the art should understand that the discussion of any of the above embodiments is merely exemplary and is not intended to imply that the scope of this application (including the claims) is limited to these examples; this manner of description is merely for clarity, and those skilled in the art should consider the specification as a whole. Within the framework of this application, the above embodiments or the technical features of different embodiments can also be appropriately combined, the steps can be implemented in any order, and there are many other variations of different aspects of the embodiments of this application as described above, which are not provided in the details for the sake of brevity.

[0063] Additionally, to simplify the description and discussion, and to avoid obscuring the embodiments of this application, the well-known power / ground connections to integrated circuit (IC) chips and other components may or may not be shown in the provided drawings. Furthermore, the apparatus may be shown in block diagram form to avoid obscuring the embodiments of this application, and this also takes into account the fact that the details of the implementation of these block diagram apparatuses are highly dependent on the platform on which the embodiments of this application will be implemented (i.e., these details should be entirely within the understanding of those skilled in the art). While specific details (e.g., circuits) are set forth to describe exemplary embodiments of this application, it will be apparent to those skilled in the art that the embodiments of this application can be implemented without these specific details or with variations thereof. Therefore, these descriptions should be considered illustrative rather than restrictive.

[0064] Although this application has been described in conjunction with specific embodiments thereof, many substitutions, modifications, and variations of these embodiments will be apparent to those skilled in the art from the foregoing description. For example, other memory architectures (e.g., dynamic RAM (DRAM)) may use the embodiments discussed.

[0065] The embodiments described herein are intended to cover all such substitutions, modifications, and variations that fall within the broad scope of the appended claims. Therefore, any omissions, modifications, equivalent substitutions, improvements, etc., made without departing from the spirit and principles of the embodiments described herein should be included within the protection scope of this application.

Claims

1. A self-evolving network intrusion detection method for facing unknown attacks, characterized in that, The method includes: Traffic packets are acquired in real time at the network egress point and segmented into sessions. The unstructured raw network traffic in the traffic packets is converted into multimodal traffic data, which includes spatial modal data and temporal modal data. The pre-processed multimodal traffic data is classified using a trained open set dual-stream detection model to distinguish between known and unknown attacks. The known attacks are used to trigger corresponding defense responses, while the unknown attacks are used to trigger alarms and be stored in a buffer. Unsupervised clustering is performed on the unknown attacks in the buffer to identify potential attack clusters. A comprehensive sampling value score is calculated, and a preset number of representative attacks are selected from each attack cluster according to the comprehensive sampling value score from high to low. The comprehensive sampling value score is used to evaluate the uncertainty and diversity of the unknown attacks. Determine whether the representative attack is a novel attack, assign category labels to the attack clusters corresponding to the confirmed novel attacks, and construct an incremental dataset based on the category labels; The incremental dataset is mixed with the old type of attack to form a hybrid training set. The open set dual-stream detection model is fine-tuned using the topology-preserving loss function. The fine-tuned model is then updated to the online detection engine and enters the next closed-loop cycle.

2. The self-evolving network intrusion detection method for facing unknown attacks according to claim 1, characterized in that, The spatial modal data is a grayscale image matrix obtained by normalizing the packet payload through byte mapping, and the temporal modal data is a multidimensional time series constructed by extracting the packet arrival time interval and packet size sequence.

3. The self-evolving network intrusion detection method for facing unknown attacks according to claim 2, characterized in that, The process of classifying the preprocessed multimodal traffic data using a trained open-set dual-stream detection model to distinguish between known and unknown attacks includes: A high-dimensional fusion feature is generated by fusing spatial image features and temporal features through a bidirectional cross-attention mechanism. Combined with a contrastive prototype learning and energy boundary determination mechanism, the known attack is distinguished from the unknown attack.

4. The self-evolving network intrusion detection method for facing unknown attacks according to claim 1, characterized in that, The step of mixing the incremental dataset with the old-type attack to form a hybrid training set includes: Obtain a data memory and extract the old attack types from the data memory; wherein the data memory is a priority buffer area, prioritizing the retention of the old attack types with high threat levels.

5. The self-evolving network intrusion detection method for facing unknown attacks according to claim 2, characterized in that, The open set dual-stream detection model includes a spatial stream, a temporal stream, and a bidirectional cross-attention fusion layer. The spatial stream uses an improved convolutional neural network to process the grayscale image matrix and output a spatial feature vector. The temporal stream uses rotation position encoding to process the multidimensional time series and output a temporal feature vector. The fusion formula for the bidirectional cross-attention fusion layer is: ; in, This represents the final fused multimodal feature vector. This represents the image feature vector output by the spatial stream. This represents the sequence feature vector output by the time stream. This represents multi-head attention computation, where For query vector, For key vectors, For value vectors, Presentation layer normalization operation.

6. The self-evolving network intrusion detection method for facing unknown attacks according to claim 1, characterized in that, The calculation of a comprehensive sampling value score, and the selection of a predetermined number of representative attacks from each attack cluster based on the comprehensive sampling value score from high to low; wherein, the comprehensive sampling value score is used to evaluate the uncertainty and diversity of the unknown attacks, including: The uncertainty is quantified using the following formula: ; in, Let x be the energy fraction of the unknown attack. For temperature coefficient, This represents the total number of attack categories known in the current model. For a neural network to handle an unknown attack x, which belongs to the first... The Logits output value of the class.

7. The self-evolving network intrusion detection method for facing unknown attacks according to claim 1, characterized in that, The comprehensive sampling value score is expressed as follows: ; in, This represents the sampling value score of the unknown attack x. These represent preset weighting coefficients, which adjust the proportions of uncertainty and diversity, respectively. The information entropy function is represented by... This represents the model's predicted probability distribution for the unknown attack x. This refers to the unknown attack x and its cluster. center The Euclidean distance between them This represents the bandwidth parameter of the Gaussian kernel function, which controls the rate at which the influence of distance on the score decays.

8. The self-evolving network intrusion detection method for facing unknown attacks according to claim 1, characterized in that, The topology preservation loss function is expressed as: ; in, This indicates that the updated model is for the first... Feature vectors extracted from each replay sample This represents the feature vector extracted by the model from the same sample before the update. This represents the distance metric between feature vectors. These represent the average distances between all sample pairs in the current batch under the updated model and the model before the update, respectively.

9. A self-evolving network intrusion detection system for dealing with unknown attacks, characterized in that, The system includes: The acquisition module is used to acquire traffic packets in real time at the network egress point, segment them into sessions, and convert the unstructured raw network traffic in the traffic packets into multimodal traffic data, which includes spatial modal data and temporal modal data. The classification module is used to classify the preprocessed multimodal traffic data using a trained open set dual-stream detection model, distinguishing between known attacks and unknown attacks. Known attacks trigger corresponding defense responses, while unknown attacks trigger alarms and are stored in a buffer. The filtering module is used to perform unsupervised clustering of the unknown attacks in the buffer, identify potential attack clusters, calculate a comprehensive sampling value score, and filter out a preset number of representative attacks from each attack cluster according to the comprehensive sampling value score from high to low; wherein, the comprehensive sampling value score is used to evaluate the uncertainty and diversity of the unknown attacks. The construction module is used to determine whether the representative attack is a new type of attack, assign category labels to the attack clusters corresponding to the confirmed new attacks, and construct an incremental dataset based on the category labels. The training module is used to mix the incremental dataset with the old type of attack to form a hybrid training set, and to fine-tune the open set dual-stream detection model using the topology-preserving loss function. The fine-tuned model is then updated to the online detection engine and enters the next closed-loop cycle.

10. An electronic device, characterized in that, include: Processor and memory; The memory stores a computer program that, when executed by the processor, causes the processor to perform the steps of the self-evolving network intrusion detection method for facing unknown attacks as described in any one of claims 1 to 8.