A system intrusion intention recognition method based on behavior clustering

By using structured processing of multi-source behavioral data and a time-enhanced deep clustering model, the shortcomings of existing intrusion detection methods in identifying unknown threats and complex intrusion intentions are addressed. This enables deep clustering analysis and anomaly detection of user entity behavior, thereby improving the proactiveness and accuracy of system security.

CN122160135APending Publication Date: 2026-06-05BEIJING HAISHUO INFORMATION TECHNOLOGY CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
BEIJING HAISHUO INFORMATION TECHNOLOGY CO LTD
Filing Date
2026-03-12
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

Existing intrusion detection methods struggle to identify unknown threats, novel attacks, and highly concealed and complex intrusion intentions. In particular, in complex business systems and IoT scenarios, traditional methods suffer from high false alarm rates, slow response times, and insufficient generalization capabilities in multidimensional data spaces.

Method used

A system intrusion intent identification method based on behavior clustering is adopted. Through multi-source behavior data structuring, standardized feature modeling and temporal enhanced deep clustering model, deep clustering analysis and anomaly detection of user entity behavior are achieved. The anomaly detection threshold is dynamically adjusted to generate a set of low-dimensional potential fusion embedding vectors for anomalies.

Benefits of technology

It enhances the ability to identify unknown threats and complex intrusion intentions, reduces false alarm and false negative rates, enables real-time detection and fine-grained protection against advanced persistent threats, and enhances the initiative and accuracy of system security.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122160135A_ABST
    Figure CN122160135A_ABST
Patent Text Reader

Abstract

The application discloses a system intrusion intention recognition method based on behavior clustering, comprising the following steps: collecting user entity behavior original data and performing pretreatment; performing feature extraction to obtain a behavior feature vector set, performing standardization, and constructing a standardized behavior feature vector set; using a time sequence enhanced DEC clustering model to perform embedding mapping and clustering analysis to obtain a low-dimensional potential fusion embedding vector set, and generating a clustering label set and a clustering center set; performing abnormality discrimination on the low-dimensional potential fusion embedding vector set to generate an abnormal low-dimensional potential fusion embedding vector set; sorting the abnormal low-dimensional potential fusion embedding vector set according to user entities and time sequences to form an abnormal behavior time sequence, and determining whether an intrusion intention exists. The application fuses multi-source behavior data and a deep clustering model, realizes intelligent intrusion intention recognition, and has the advantages of strong adaptability and high precision and efficiency.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of information security, and in particular to a method for identifying system intrusion intent based on behavioral clustering. Background Technology

[0002] Most existing mainstream intrusion detection methods are based on feature rules, signature comparison, or shallow machine learning algorithms. They perform statistical modeling on multi-source behavioral data such as system call logs, network traffic logs, and operation sequence logs to detect known attack features or abnormal behavior patterns. Although these methods are effective in identifying known threats and fixed attack paths, they generally rely on manually defined feature libraries or pre-defined rules, and have limited ability to identify unknown threats, new attacks, or highly concealed and complex intrusion intentions.

[0003] In complex business systems, cloud platforms, and IoT scenarios, system intrusion behaviors often exhibit highly dynamic, multi-layered, and multi-time-window complex patterns. Traditional detection methods struggle to fully uncover the deep characteristics of user entity behavior and accurately characterize the evolution of behavior and attack intent. Furthermore, faced with a large amount of mixed normal and abnormal behavioral data, existing clustering and anomaly detection algorithms often suffer from prominent problems such as high false alarm rates, slow response times, and insufficient generalization capabilities in multi-dimensional data spaces, making it difficult to support real-time detection and fine-grained protection against advanced persistent threats, unknown attacks, and complex intrusion intents. Summary of the Invention

[0004] One objective of this invention is to propose a system intrusion intent identification method based on behavioral clustering. This invention integrates multi-source behavioral data with a deep clustering model to achieve intelligent identification of intrusion intent, and has the advantages of strong adaptability and high accuracy and efficiency.

[0005] A system intrusion intent identification method based on behavior clustering according to an embodiment of the present invention includes the following steps: Collect raw user entity behavior data and preprocess the raw user entity behavior data to generate structured behavior data; Feature extraction is performed on structured behavioral data to obtain a set of behavioral feature vectors, and the set of behavioral feature vectors is standardized to construct a standardized set of behavioral feature vectors. The time-enhanced DEC clustering model is used to perform embedding mapping and clustering analysis on the standardized behavioral feature vector set to obtain a low-dimensional latent fusion embedding vector set, and generate a cluster label set and a cluster center set. Anomaly detection is performed on the low-dimensional potential fusion embedding vector set based on the clustering label set and the cluster center set, generating an abnormal low-dimensional potential fusion embedding vector set; The set of potential low-dimensional fusion embedding vectors is sorted according to user entities and time order to form an abnormal behavior time series. The existence of intrusion intent is determined based on the number of consecutive abnormal behaviors.

[0006] Optionally, the generation of the structured behavioral data includes: For each user entity, raw data of user entity behavior is continuously collected from the target system. The raw data of user entity behavior includes system call logs, network traffic logs, and operation sequence logs. The collected raw user entity behavior data is initially analyzed according to log type. For each type of log content, field structure identification, field segmentation, tag extraction and time alignment are performed to extract key field information and form structured log data with unified field specifications. The structured log data includes system call sequence, network communication event sequence and operation instruction sequence. Each structured log data contains the original log type, field content and event time attribute. Denoising is performed on structured log data, log data with abnormal values, illegal fields, format errors and duplicate records are filtered out, missing fields are filled in, and the time field of all log data is synchronized and corrected. The processed structured log data is grouped and organized according to user entity identifiers and timestamp information to form multidimensional structured behavioral data of user entity behavior.

[0007] Optionally, the construction of the standardized behavioral feature vector set includes: For structured behavioral data, for each user entity's structured behavioral data within each time window, the number of times system call types appear is extracted from system call logs, and the frequency of occurrence of multiple predefined ordered combination patterns of system calls within the time window is counted. The number of network connections, the average size of single network connection data packets, the distribution ratio of each network protocol type, and the frequency of target port usage are extracted from network traffic logs. The length of operation instruction sequences, the average time interval of operation events, and the total number of occurrences of all operation events are extracted from operation sequence logs to form a set of behavioral statistical features. All behavioral statistical features are concatenated into a set of behavioral feature vectors in a uniform order; For all features in the behavioral feature vector set, calculate the mean and standard deviation of each feature in the entire behavioral feature vector set. Subtract the mean from each feature value and then divide by the standard deviation to obtain the standardized behavioral feature vector set.

[0008] Optionally, the generation of the cluster label set and the cluster center set includes: The standardized behavioral feature vector set is input into the temporal enhanced DEC clustering model. For each user entity, the standardized behavioral feature vector sequence within multiple adjacent time windows is extracted, input into the temporal encoder, and the output temporal embedding feature vector is concatenated with the corresponding temporal embedding feature vector to generate a fused embedding vector. All fused embedding vectors form a fused embedding vector set. The temporally enhanced DEC clustering model includes a temporal encoder, an autoencoder, and K-Means clustering. The fusion embedding vector set is input into the autoencoder to obtain a low-dimensional latent fusion embedding vector set. The K-Means clustering method is used to perform initial clustering based on the low-dimensional latent fusion embedding vector set. The number of clusters is set to K to obtain an initial cluster center set. Each initial cluster center in the initial cluster center set is used to represent a typical behavior pattern. For the set of low-dimensional potential fusion embedding vectors and the set of initial cluster centers, calculate the assignment probability of each low-dimensional potential fusion embedding vector belonging to each initial cluster center; Calculate the target distribution probability based on the allocation probability; Construct a KL divergence loss function to measure the difference between the target distribution probability and the assignment probability; During each round of parameter iteration, for each initial cluster center in the initial cluster center set, the mean of the low-dimensional potential fusion embedding vector set currently assigned to the initial cluster center is calculated, and the mean is used as the updated cluster center. By minimizing the KL divergence loss function, the parameters of the temporal encoder, the parameters of the autoencoder, and the cluster center set are jointly and iteratively optimized. During the iteration process, the fusion embedding vector set, the cluster center set, the assignment probability, the target distribution probability, and the KL divergence loss function are updated synchronously at each step until the loss function converges or the maximum number of iterations is reached. Finally, the cluster label set and the cluster center set are output.

[0009] Optionally, the generation of the set of anomalous low-dimensional potential fusion embedding vectors includes: Anomaly detection is performed based on a set of low-dimensional potential fusion embedding vectors, a set of cluster labels, and a set of cluster centers. For each low-dimensional potential fusion embedding vector in the set of low-dimensional potential fusion embedding vectors, the cluster center corresponding to the cluster label is obtained from the set of cluster centers according to the cluster label, and the Euclidean distance between the low-dimensional potential fusion embedding vector and the cluster center in the low-dimensional potential fusion embedding space is calculated. For each cluster center in the cluster center set, based on the historical normal behavior feature vector set and the low-dimensional potential fusion embedding vector set currently assigned to the cluster center, the mean distance and standard deviation of the distance between the historical normal behavior feature vector set and the cluster center are calculated. Combined with the adjustment coefficient, the sum of the products of the mean distance and the standard deviation of the distance is used as the anomaly discrimination threshold. For each low-dimensional latent fusion embedding vector in the set of low-dimensional latent fusion embedding vectors, compare the Euclidean distance between the low-dimensional latent fusion embedding vector and the corresponding cluster center with the corresponding anomaly detection threshold. If the Euclidean distance is greater than the anomaly detection threshold, the low-dimensional latent fusion embedding vector is judged to be abnormal behavior; otherwise, it is judged to be normal behavior. The low-dimensional potential fusion embedding vectors that are judged to be abnormal behavior are grouped according to clustering labels to generate an abnormal low-dimensional potential fusion embedding vector set.

[0010] Optionally, determining whether there is an intrusion intent includes: For each anomalous low-dimensional potential fusion embedding vector in the set of anomalous low-dimensional potential fusion embedding vectors, sort them according to the corresponding user entity and time order to form an anomalous behavior time series; The system counts the number and type of consecutive abnormal behaviors in a time series of abnormal behaviors. When the number of consecutive abnormal behaviors exceeds a preset threshold and the type of abnormal behavior matches a historically known intrusion intent pattern, it determines that the user entity corresponding to the time series of abnormal behaviors has an intrusion intent.

[0011] The beneficial effects of this invention are: This invention introduces multi-source behavioral data structuring, standardized feature modeling, and time-enhanced deep clustering algorithms to automatically fuse and express the behavioral features of user entities at multiple levels, including system calls, network communications, and operation commands. This effectively improves the comprehensiveness and accuracy of abnormal behavior identification. Compared to existing traditional detection methods that rely on fixed rules or shallow models, this invention utilizes a low-dimensional latent fusion embedding vector space to perform deep clustering analysis on complex behavioral sequences and dynamically adjusts the anomaly discrimination threshold based on the clustering results. This enhances the ability to identify unknown threats and complex intrusion intentions. Through the automatic generation of anomaly low-dimensional latent fusion embedding vector sets and multi-dimensional time-series evolution analysis, this invention can promptly capture persistent and highly concealed advanced intrusion behaviors, reduce false alarm and false negative rates, and achieve dynamic response and intelligent early warning for system security events. Attached Figure Description

[0012] The accompanying drawings are provided to further illustrate the invention and form part of the specification. They are used in conjunction with embodiments of the invention to explain the invention and do not constitute a limitation thereof. In the drawings: Figure 1This is a flowchart of a system intrusion intent identification method based on behavioral clustering proposed in this invention; Figure 2 This is a block diagram illustrating the structural principle of a temporally enhanced DEC clustering model for a system intrusion intent identification method based on behavioral clustering proposed in this invention. Detailed Implementation

[0013] The present invention will now be described in further detail with reference to the accompanying drawings. These drawings are simplified schematic diagrams, illustrating only the basic structure of the invention, and therefore only show the components relevant to the invention.

[0014] refer to Figure 1-2 A method for identifying system intrusion intent based on behavioral clustering includes the following steps: Collect raw user entity behavior data and preprocess the raw user entity behavior data to generate structured behavior data; Feature extraction is performed on structured behavioral data to obtain a set of behavioral feature vectors, and the set of behavioral feature vectors is standardized to construct a standardized set of behavioral feature vectors. The time-enhanced DEC clustering model is used to perform embedding mapping and clustering analysis on the standardized behavioral feature vector set to obtain a low-dimensional latent fusion embedding vector set, and generate a cluster label set and a cluster center set. Anomaly detection is performed on the low-dimensional potential fusion embedding vector set based on the clustering label set and the cluster center set, generating an abnormal low-dimensional potential fusion embedding vector set; The set of anomalous low-dimensional potential fusion embedding vectors is sorted according to user entities and time order to form an anomalous behavior time series. Based on the number of consecutively occurring anomalous behaviors, it is determined whether there is an intrusion intent and a set of intrusion intent identification results is generated.

[0015] The system intrusion intent identification method based on behavior clustering proposed in this invention can perform structured, feature-based, standardized, and deep clustering analysis on multi-source behavioral data, realizing full-process modeling of behaviors such as system calls, network traffic, and operation sequences. This enhances the comprehensive perception capability of abnormal behavior and intrusion intent in complex system environments. Through low-dimensional latent fusion embedding vector modeling and clustering analysis, it can dynamically identify and locate abnormal behavior patterns and automatically infer the intrusion intent of user entities. This effectively overcomes the problem of insufficient identification capability of traditional methods for unknown threats and multi-stage attacks, and improves the initiative and accuracy of security protection.

[0016] In this embodiment, the generation of structured behavioral data includes: For each user entity, raw data of user entity behavior is continuously collected from the target system. The raw data of user entity behavior includes system call logs, network traffic logs, and operation sequence logs. The collected raw user entity behavior data is initially analyzed according to log type. For each type of log content, field structure identification, field segmentation, tag extraction and time alignment are performed to extract key field information and form structured log data with unified field specifications. The structured log data includes system call sequence, network communication event sequence and operation instruction sequence. Each structured log data contains the original log type, field content and event time attribute. The structured log data is denoised, and log data with abnormal values, illegal fields, format errors and duplicate records are filtered out. Missing fields are filled in, and the time field of all log data is synchronized and corrected to ensure the consistency and integrity of the structured log data in terms of field content, data format and time order. The processed structured log data is grouped and organized according to user entity identifiers and timestamp information to form multidimensional structured behavioral data of user entity behavior. The multidimensional structured behavioral data is used to characterize all valid operation behaviors of each user entity within a given time window.

[0017] This invention effectively integrates system call logs, network traffic logs, and operation sequence logs through meticulous collection and multi-layered structured processing of raw user entity behavior data. This achieves unified management and format standardization of multi-source heterogeneous behavior data, reducing the complexity of subsequent feature extraction and analysis. The generation process of structured behavior data covers preliminary log parsing, field identification, label extraction, time alignment, and data denoising and completion, ensuring the integrity and accuracy of the data foundation and helping to improve the reliability of overall behavior analysis and the performance of subsequent intelligent discrimination algorithms.

[0018] In this embodiment, the construction of the standardized behavioral feature vector set includes: For structured behavioral data, for each user entity's structured behavioral data within each time window, the number of times system call types appear is extracted from system call logs, and the frequency of occurrence of multiple predefined ordered combination patterns of system calls within the time window is counted. The number of network connections, the average size of single network connection data packets, the distribution ratio of each network protocol type, and the frequency of target port usage are extracted from network traffic logs. The length of operation instruction sequences, the average time interval of operation events, and the total number of occurrences of all operation events are extracted from operation sequence logs to form a set of behavioral statistical features. All behavioral statistical features are concatenated in a uniform order to form a set of behavioral feature vectors, which are used to characterize the structured behavioral features of each user entity within the corresponding time window. For all features in the behavioral feature vector set, calculate the mean and standard deviation of each feature in the entire behavioral feature vector set. Subtract the mean from each feature value and then divide by the standard deviation to obtain the standardized behavioral feature vector set.

[0019] This invention scientifically designs and extracts multi-dimensional and multi-granular behavioral statistical features for different types of structured behavioral data, and then uniformly constructs a standardized set of behavioral feature vectors. This set can comprehensively reflect the complex behavioral characteristics of user entities at different times. By using mean and standard deviation standardization, the influence of different dimensions and distribution biases between different features are effectively eliminated, making the subsequent clustering analysis process more stable and efficient, and improving the model's sensitivity and generalization ability to abnormal behavior and potential intrusion behavior.

[0020] In this embodiment, the generation of the cluster label set and the cluster center set includes: The standardized behavioral feature vector set is input into the temporal enhanced DEC clustering model. For each user entity, the standardized behavioral feature vector sequence within multiple adjacent time windows is extracted, input into the temporal encoder, and the output temporal embedding feature vector is concatenated with the corresponding temporal embedding feature vector to generate a fused embedding vector. All fused embedding vectors form a fused embedding vector set. The temporally enhanced DEC clustering model includes a temporal encoder, an autoencoder, and K-Means clustering. The timing encoder is based on a Transformer network; The fusion embedding vector set is input into the autoencoder to obtain a low-dimensional latent fusion embedding vector set. The K-Means clustering method is used to perform initial clustering based on the low-dimensional latent fusion embedding vector set. The number of clusters is set to K to obtain an initial cluster center set. Each initial cluster center in the initial cluster center set is used to represent a typical behavior pattern. Given a set of low-dimensional potential fusion embedding vectors and an initial set of cluster centers, calculate the probability that each low-dimensional potential fusion embedding vector belongs to each initial cluster center: ; in, This represents the probability that the i-th low-dimensional potential fusion embedding vector belongs to the j-th initial cluster center. Let i represent the i-th low-dimensional potential fusion embedding vector. Let j represent the j-th initial cluster center. This represents the j'-th initial cluster center. Indicates the degrees of freedom of the distribution. Indicates Euclidean distance; Calculate the target distribution probability based on the allocation probability: ; in, This represents the target distribution probability that the i-th low-dimensional potential fusion embedding vector belongs to the j-th initial cluster center. Represents the assignment probability of all j-th initial cluster centers. The cumulative value, This represents the probability that the i-th low-dimensional potential fusion embedding vector belongs to the j'-th initial cluster center. Indicates all the first The probability of assigning each initial cluster center The accumulated value; Construct the KL divergence loss function to measure the difference between the target distribution probability and the assignment probability: ; Where L represents the KL divergence loss function; During each round of parameter iteration, for each initial cluster center in the initial cluster center set, the mean of the low-dimensional potential fusion embedding vector set currently assigned to the initial cluster center is calculated, and the mean is used as the updated cluster center. By minimizing the KL divergence loss function, the parameters of the temporal encoder, the parameters of the autoencoder, and the cluster center set are jointly and iteratively optimized. During the iteration process, the fusion embedding vector set, the cluster center set, the assignment probability, the target distribution probability, and the KL divergence loss function are updated synchronously at each step until the loss function converges or the maximum number of iterations is reached. Finally, the cluster label set and the cluster center set are output. The clustering label represents the number corresponding to the clustering center with the highest allocation probability selected by comparing the allocation probability of each low-dimensional potential fusion embedding vector with each clustering center in the embedding space, and is assigned to the current sample. The number is the clustering label of the current sample. The clustering label set assigns a unique clustering label to each vector in the standardized behavioral feature vector set, and the cluster center set is used to characterize the typical behavioral patterns corresponding to each cluster.

[0021] This invention introduces a temporally enhanced DEC clustering model, organically integrating temporal features, deep autoencoder dimensionality reduction, and clustering analysis. This model can accurately capture the temporal dependencies and evolutionary patterns of user entity behavior data, improving the ability to cluster complex behavioral patterns. The model employs a joint optimization strategy to synchronously iterate the temporal encoder, autoencoder, and cluster center set, enabling multi-perspective and multi-scale behavioral clustering and cluster label assignment. This enhances the ability to detect system anomalies and novel attack behaviors, ensuring the basic quality of subsequent anomaly detection and intrusion reasoning.

[0022] In this embodiment, the generation of the abnormally low-dimensional potential fusion embedding vector set includes: Anomaly detection is performed based on a set of low-dimensional potential fusion embedding vectors, a set of cluster labels, and a set of cluster centers. For each low-dimensional potential fusion embedding vector in the set of low-dimensional potential fusion embedding vectors, the cluster center corresponding to the cluster label is obtained from the set of cluster centers according to the cluster label, and the Euclidean distance between the low-dimensional potential fusion embedding vector and the cluster center in the low-dimensional potential fusion embedding space is calculated. For each cluster center in the cluster center set, based on the historical normal behavior feature vector set and the low-dimensional potential fusion embedding vector set currently assigned to the cluster center, the mean distance and standard deviation of the distance between the historical normal behavior feature vector set and the cluster center are calculated. Combined with the adjustment coefficient, the sum of the products of the mean distance and the standard deviation of the distance is used as the anomaly discrimination threshold. For each low-dimensional latent fusion embedding vector in the set of low-dimensional latent fusion embedding vectors, compare the Euclidean distance between the low-dimensional latent fusion embedding vector and the corresponding cluster center with the corresponding anomaly detection threshold. If the Euclidean distance is greater than the anomaly detection threshold, the low-dimensional latent fusion embedding vector is judged to be abnormal behavior; otherwise, it is judged to be normal behavior. The low-dimensional potential fusion embedding vectors that are judged to be abnormal behavior are grouped according to clustering labels to generate an abnormal low-dimensional potential fusion embedding vector set.

[0023] This invention achieves multi-scale adaptive anomaly detection based on a set of low-dimensional latent fusion embedding vectors, a set of cluster labels, and a set of cluster centers. It can combine historical normal behavior feature distribution to accurately and dynamically set anomaly detection threshold, enabling efficient screening and accurate separation of various abnormal behaviors. By grouping the low-dimensional latent fusion embedding vectors that are judged to be abnormal to generate an abnormal low-dimensional latent fusion embedding vector set, it provides a highly reliable and traceable data foundation for subsequent intrusion intent identification and system security response, thereby improving the overall intelligent protection capability of the system.

[0024] In this embodiment, determining whether there is an intrusion intent includes: For each anomalous low-dimensional potential fusion embedding vector in the set of anomalous low-dimensional potential fusion embedding vectors, sort them according to the corresponding user entity and time order to form an anomalous behavior time series; The system counts the number and type of consecutive abnormal behaviors in a time series of abnormal behaviors. When the number of consecutive abnormal behaviors exceeds a preset threshold and the type of abnormal behavior matches a historically known intrusion intent pattern, it determines that the user entity corresponding to the time series of abnormal behaviors has an intrusion intent.

[0025] This invention employs an intrusion intent identification method based on anomaly low-dimensional potential fusion embedding vector sets. By performing continuity and type analysis on the time series of abnormal behaviors, it can promptly discover the evolution trend and attack chain of potential intrusion behaviors, and achieve automatic inference and accurate identification of complex intrusion intents. This method can reduce manual intervention, improve the response speed and discrimination accuracy to unknown threats and advanced attack scenarios, and enhance the system's adaptive security protection capabilities and intelligent intrusion response level.

[0026] Example 1: To verify the practical application effect of the present invention, it was applied to the information security operation and maintenance scenario of a certain enterprise. The enterprise has a large-scale server cluster and terminal devices deployed internally, generating a large number of system call logs, network traffic logs and user operation sequence logs on a daily basis, involving multiple key business processes such as production scheduling, financial settlement, remote collaboration, and core database access. In recent years, the enterprise has faced more and more advanced persistent threats and unknown attacks. Not only do traditional rule detection systems have high false alarm rates and slow response times, but they also lack the ability to perform multi-source log analysis, abnormal behavior correlation identification, and complex intrusion intent tracing. Therefore, there is an urgent need for an intelligent identification method that can automatically adapt to the changing attack environment and accurately capture abnormal behavior and intrusion attempts.

[0027] In the implementation of this invention, system call logs, network traffic logs, and operation sequence logs of all types of devices across the enterprise network were first uniformly collected. After efficient data denoising, missing data completion, and time synchronization, all log data was parsed and standardized into structured behavioral data. For the behavioral records of different devices and different business users, this invention automatically extracts features to transform various behaviors within each time window into multi-dimensional behavioral feature vectors, and eliminates data distribution differences between devices and time periods through standardized operations. Based on the standardized behavioral feature vectors, this invention utilizes a temporally enhanced DEC clustering model to fully integrate temporal variation features and multi-source behavioral features, mapping all behavioral vectors to a unified low-dimensional latent fusion embedding space, and dynamically dividing them into multiple clusters to achieve adaptive clustering representation of normal and abnormal behaviors.

[0028] In actual operation, the model can automatically identify various abnormal behaviors that do not conform to daily business logic based on the distribution of cluster centers and historical normal behaviors. For behaviors identified as abnormal, the system further combines user entities, operation sequences, and time sequences to automatically generate abnormal behavior time series, analyze the continuity, link correlation, and evolution trend of abnormal behaviors. When consecutive abnormal behaviors exhibit a pattern highly similar to previously known intrusion intentions, the system can promptly output warnings, infer the potential intrusion intention type, and link security response strategies, such as restricting account permissions, triggering blocking measures, or prompting security personnel to conduct in-depth tracing. The entire process does not rely on a fixed attack rule base or expert-preset manual thresholds, and can dynamically adapt to unknown attacks, variant methods, and highly concealed intrusion links, effectively solving the problems of high false alarm rates, untimely response, and lack of awareness of new threats.

[0029] In long-term practical applications, enterprises, through retrospective analysis of security operation and maintenance logs, have found that the method of this invention can not only accurately identify advanced intrusion behaviors that were previously undetected, but also significantly reduce the number of false alarms in security alerts, improving the work efficiency of security personnel. Through continuous monitoring and practical feedback, the information security team has confirmed that after adopting the method of this invention, the system's ability to perceive complex intrusion paths such as multi-stage penetration, lateral movement, and sensitive data theft has been significantly improved. At the same time, it has no significant impact on normal business operations and users' daily operations, ensuring a balance between business continuity and security. Through the continuous application of this invention, the speed of enterprise network security incident discovery and handling has been significantly improved, security risks have been effectively controlled, and management's satisfaction with overall protection capabilities and system reliability has significantly increased, fully demonstrating the beneficial effects and application value of this invention in real-world complex environments.

[0030] To verify the performance of the present invention in practice, it was compared with traditional methods, and the results are shown in Table 1.

[0031] Table 1. Performance Comparison of Behavioral Clustering-Based System Intrusion Intent Recognition Methods with Traditional Methods

[0032] The method of this invention achieves a 90.4% detection rate for unknown threats, higher than the 54.2% of traditional rule-based methods and the 72.1% of traditional shallow machine learning methods. This improvement is mainly due to the invention's ability to automatically fuse multi-source log data and deeply learn user behavior features without the need for a pre-set attack signature database. Through time-enhanced clustering, it dynamically discovers abnormal behavior patterns. The method has a stronger generalization ability to identify new types of attacks, variant attacks, and advanced persistent threats, making it less susceptible to being bypassed by attackers. It can make up for the shortcomings of traditional methods in dealing with unknown threats and effectively ensure system security.

[0033] In terms of complex intrusion intent recognition rate, the method of this invention achieves 89.8%, while traditional rule-based methods and shallow machine learning methods achieve 50.6% and 69.8%, respectively. This invention constructs a low-dimensional latent fusion embedding space, combining the temporal evolution characteristics and clustering distribution of behavioral sequences to achieve automatic induction and reasoning of multi-stage, multi-link intrusion behaviors. Compared with traditional methods that rely solely on static rules or shallow features, it can accurately reconstruct the behavioral links and intent evolution trajectory during the attack process, improving the intelligent recognition capability of complex attack strategies and effectively intercepting highly concealed multi-stage intrusions.

[0034] Regarding the false positive rate, the method of this invention has a false positive rate of only 2.7%, while traditional rule-based methods have a rate as high as 15.9%, and traditional shallow machine learning methods have a rate of 9.8%. This invention utilizes deep clustering of multi-dimensional behavioral features and adaptively adjusts the anomaly detection threshold, which can effectively distinguish between normal business fluctuations and truly abnormal behaviors, reducing false positives caused by business changes or environmental noise. Traditional methods, due to their coarse rules or limited model generalization ability, often mistakenly report non-threatening behaviors as intrusions, increasing the burden on security teams. The advantage of this invention is that it reduces the false positive rate, allowing security personnel to focus their efforts on real threats.

[0035] Regarding response latency, the average response time of the method of this invention is only 2.3 seconds, while the traditional rule-based method and shallow machine learning method are 13.5 seconds and 7.8 seconds, respectively. This invention realizes end-to-end automation of data acquisition, feature processing, cluster analysis and intrusion reasoning, and can analyze and provide feedback on abnormal behavior and intrusion intent in real time, which greatly shortens the cycle from anomaly detection to security response. Compared with traditional methods that rely on manual confirmation or batch processing, this invention effectively improves the response efficiency of security operation and maintenance, and provides the system with more agile and proactive protection capabilities.

[0036] This invention demonstrates a high level of automated analysis capabilities, enabling the automatic execution of multi-source log data collection, feature extraction, clustering modeling, anomaly detection, and intrusion reasoning throughout the entire process without human intervention. Traditional rule-based methods have low automation levels and require manual maintenance of rule bases and comparison of each rule. While shallow machine learning methods offer some automation, they still require frequent manual feature design and parameter adjustments. This invention, through deep learning and adaptive mechanisms, reduces the burden of manual operation and maintenance and improves security management efficiency in large-scale scenarios.

[0037] In terms of business impact, this invention has a lower impact on business performance than traditional methods. By adopting efficient data structures and streaming processing mechanisms, it can minimize the consumption of production system resources while ensuring real-time detection. In contrast, traditional rule-based methods often require a full scan of all traffic and logs, resulting in high processing pressure and impacting business response. Shallow machine learning methods also have certain resource overhead due to feature dimension design and batch processing. This invention provides high-quality security protection in a low-interference manner, achieving a balance between business continuity and security.

[0038] This invention possesses strong versatility and adaptability, supporting various system platforms, business types, and data formats. It can be efficiently deployed and run in multiple scenarios such as enterprise-level, cloud platforms, and the Internet of Things. Traditional rule-based methods have a narrow scope of application and are difficult to adapt to business changes and new log structures. Shallow machine learning methods have limitations in feature engineering and model generalization. This invention, through deep fusion and temporal modeling technology, achieves unified modeling of various behavioral patterns, which can flexibly adapt to different environments and needs, providing a solid technical foundation for enterprise information security.

[0039] Regarding ongoing maintenance costs, the relative value of this invention is 0.6, lower than the 1.0 of traditional rule-based methods and the 0.9 of shallow machine learning methods. Due to the high degree of automation and intelligence of the method, frequent manual rule maintenance and parameter tuning are unnecessary, saving on maintenance costs. Traditional methods require continuous updates to the feature library and manual intervention, resulting in high long-term maintenance costs. This invention reduces manpower and time consumption through model adaptive learning and automatic anomaly detection, improving the economy and sustainability of overall security management.

[0040] The above description is only a preferred embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any equivalent substitutions or modifications made by those skilled in the art within the scope of the technology disclosed in the present invention, based on the technical solution and inventive concept of the present invention, should be covered within the scope of protection of the present invention.

Claims

1. A method for identifying system intrusion intent based on behavioral clustering, characterized in that, Includes the following steps: Collect raw user entity behavior data and preprocess the raw user entity behavior data to generate structured behavior data; Feature extraction is performed on structured behavioral data to obtain a set of behavioral feature vectors, and the set of behavioral feature vectors is standardized to construct a standardized set of behavioral feature vectors. The time-enhanced DEC clustering model is used to perform embedding mapping and clustering analysis on the standardized behavioral feature vector set to obtain a low-dimensional latent fusion embedding vector set, and generate a cluster label set and a cluster center set. Anomaly detection is performed on the low-dimensional potential fusion embedding vector set based on the clustering label set and the cluster center set, generating an abnormal low-dimensional potential fusion embedding vector set; The set of potential low-dimensional fusion embedding vectors is sorted according to user entities and time order to form an abnormal behavior time series. The existence of intrusion intent is determined based on the number of consecutive abnormal behaviors.

2. The system intrusion intent identification method based on behavioral clustering according to claim 1, characterized in that, The generation of the structured behavioral data includes: For each user entity, raw data of user entity behavior is continuously collected from the target system. The raw data of user entity behavior includes system call logs, network traffic logs, and operation sequence logs. The collected raw user entity behavior data is initially analyzed according to log type. For each type of log content, field structure identification, field segmentation, tag extraction and time alignment are performed to extract key field information and form structured log data with unified field specifications. The structured log data includes system call sequence, network communication event sequence and operation instruction sequence. Each structured log data contains the original log type, field content and event time attribute. Denoising is performed on structured log data, log data with abnormal values, illegal fields, format errors and duplicate records are filtered out, missing fields are filled in, and the time field of all log data is synchronized and corrected. The processed structured log data is grouped and organized according to user entity identifiers and timestamp information to form multidimensional structured behavioral data of user entity behavior.

3. The system intrusion intent identification method based on behavioral clustering according to claim 1, characterized in that, The construction of the standardized behavioral feature vector set includes: For structured behavioral data, for each user entity's structured behavioral data within each time window, the number of times system call types appear is extracted from system call logs, and the frequency of occurrence of multiple predefined ordered combination patterns of system calls within the time window is counted. The number of network connections, the average size of single network connection data packets, the distribution ratio of each network protocol type, and the frequency of target port usage are extracted from network traffic logs. The length of operation instruction sequences, the average time interval of operation events, and the total number of occurrences of all operation events are extracted from operation sequence logs to form a set of behavioral statistical features. All behavioral statistical features are concatenated into a set of behavioral feature vectors in a uniform order; For all features in the behavioral feature vector set, calculate the mean and standard deviation of each feature in the entire behavioral feature vector set. Subtract the mean from each feature value and then divide by the standard deviation to obtain the standardized behavioral feature vector set.

4. The system intrusion intent identification method based on behavioral clustering according to claim 1, characterized in that, The generation of the cluster label set and the cluster center set includes: The standardized behavioral feature vector set is input into the temporal enhanced DEC clustering model. For each user entity, the standardized behavioral feature vector sequence within multiple adjacent time windows is extracted, input into the temporal encoder, and the output temporal embedding feature vector is concatenated with the corresponding temporal embedding feature vector to generate a fused embedding vector. All fused embedding vectors form a fused embedding vector set. The temporally enhanced DEC clustering model includes a temporal encoder, an autoencoder, and K-Means clustering. The fusion embedding vector set is input into the autoencoder to obtain a low-dimensional latent fusion embedding vector set. The K-Means clustering method is used to perform initial clustering based on the low-dimensional latent fusion embedding vector set. The number of clusters is set to K to obtain an initial cluster center set. Each initial cluster center in the initial cluster center set is used to represent a typical behavior pattern. For the set of low-dimensional potential fusion embedding vectors and the set of initial cluster centers, calculate the assignment probability of each low-dimensional potential fusion embedding vector belonging to each initial cluster center; Calculate the target distribution probability based on the allocation probability; Construct a KL divergence loss function to measure the difference between the target distribution probability and the assignment probability; During each round of parameter iteration, for each initial cluster center in the initial cluster center set, the mean of the low-dimensional potential fusion embedding vector set currently assigned to the initial cluster center is calculated, and the mean is used as the updated cluster center. By minimizing the KL divergence loss function, the parameters of the temporal encoder, the parameters of the autoencoder, and the cluster center set are jointly and iteratively optimized. During the iteration process, the fusion embedding vector set, the cluster center set, the assignment probability, the target distribution probability, and the KL divergence loss function are updated synchronously at each step until the loss function converges or the maximum number of iterations is reached. Finally, the cluster label set and the cluster center set are output.

5. The system intrusion intent identification method based on behavioral clustering according to claim 1, characterized in that, The generation of the anomalous low-dimensional potential fusion embedding vector set includes: Anomaly detection is performed based on a set of low-dimensional potential fusion embedding vectors, a set of cluster labels, and a set of cluster centers. For each low-dimensional potential fusion embedding vector in the set of low-dimensional potential fusion embedding vectors, the cluster center corresponding to the cluster label is obtained from the set of cluster centers according to the cluster label, and the Euclidean distance between the low-dimensional potential fusion embedding vector and the cluster center in the low-dimensional potential fusion embedding space is calculated. For each cluster center in the cluster center set, based on the historical normal behavior feature vector set and the low-dimensional potential fusion embedding vector set currently assigned to the cluster center, the mean distance and standard deviation of the distance between the historical normal behavior feature vector set and the cluster center are calculated. Combined with the adjustment coefficient, the sum of the products of the mean distance and the standard deviation of the distance is used as the anomaly discrimination threshold. For each low-dimensional latent fusion embedding vector in the set of low-dimensional latent fusion embedding vectors, compare the Euclidean distance between the low-dimensional latent fusion embedding vector and the corresponding cluster center with the corresponding anomaly detection threshold. If the Euclidean distance is greater than the anomaly detection threshold, the low-dimensional latent fusion embedding vector is judged to be abnormal behavior; otherwise, it is judged to be normal behavior. The low-dimensional potential fusion embedding vectors that are judged to be abnormal behavior are grouped according to clustering labels to generate an abnormal low-dimensional potential fusion embedding vector set.

6. The system intrusion intent identification method based on behavioral clustering according to claim 1, characterized in that, The determination of whether there is an intent to intrude includes: For each anomalous low-dimensional potential fusion embedding vector in the set of anomalous low-dimensional potential fusion embedding vectors, sort them according to the corresponding user entity and time order to form an anomalous behavior time series; The system counts the number and type of consecutive abnormal behaviors in a time series of abnormal behaviors. When the number of consecutive abnormal behaviors exceeds a preset threshold and the type of abnormal behavior matches a historically known intrusion intent pattern, it determines that the user entity corresponding to the time series of abnormal behaviors has an intrusion intent.