Network security multi-objective monitoring method, device and medium for software-defined network flow

By constructing a three-tier SDN architecture, utilizing data plane preprocessing, control plane multi-target detection, and application plane coordinated defense, the problem of insufficient coordination in traditional SDN security monitoring is solved, achieving efficient attack detection and network service quality assurance.

CN122179183APending Publication Date: 2026-06-09LIAONING INST OF SCI & ENG

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
LIAONING INST OF SCI & ENG
Filing Date
2026-03-16
Publication Date
2026-06-09

Smart Images

  • Figure CN122179183A_ABST
    Figure CN122179183A_ABST
Patent Text Reader

Abstract

This invention discloses a software-defined network flow multi-target monitoring method, device, and medium for network security, belonging to the field of computer network security technology. The method is implemented based on a three-tier SDN architecture, including: the data plane collects network flow data through a programmable switch and performs edge preprocessing, extracting a subset of core features and compressing suspected abnormal data before uploading; the control plane employs a distributed controller cluster, analyzes the data through a detection model that integrates unsupervised learning, reinforcement learning, and rule-based matching, determines the attack type and risk level, and generates defense and traffic scheduling strategies based on a multi-target optimization model; the application plane updates the rule base according to the strategies, coordinates with security devices, optimizes traffic paths, and generates a security posture report. This invention achieves deep collaboration between the data plane, control plane, and application plane, improving attack detection accuracy and coverage while effectively reducing controller load, detection latency, and false alarm rate.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of computer network technology, specifically to a software-defined network flow-based multi-target network security monitoring method, device, and medium. Background Technology

[0002] Software-defined networking (SDN), as a novel network architecture, separates the control plane from the data plane, enabling centralized programmable control of the network and providing technical support for flexible deployment, dynamic adjustment, and intelligent management. However, this "control-control separation" architecture also brings new security challenges: the centralization of the control plane makes it a prime target for attacks, the open programmability of the data plane easily introduces third-party vulnerabilities, and traditional security solutions based on fixed thresholds and single detection targets are difficult to adapt to the dynamically changing traffic characteristics and diverse attack methods of SDN networks.

[0003] Traditional SDN security monitoring solutions typically follow a linear process of data collection, analysis, and response. However, this process reveals a fundamental deficiency in systematic coordination when dealing with large-scale, dynamic, and ever-changing modern network attacks. Specifically, the data plane is only responsible for collecting and uploading raw traffic. The control plane, while handling core tasks such as global topology management and flow table distribution, also needs to process massive amounts of unfiltered raw traffic data for security analysis. This leads to excessive load on the control plane and a significant increase in decision-making latency. Meanwhile, security applications in the application plane often run independently, lacking efficient and automated closed-loop linkage with the detection decisions of the control plane and the real-time processing of the data plane. This functional fragmentation in the three-tier architecture makes it difficult for security monitoring to achieve effective coordination and dynamic balance among multiple key objectives such as attack detection accuracy, system resource overhead (especially control plane load), network service quality assurance, and real-time response. As a result, current methods often face a dilemma when dealing with complex attacks: if improving the detection rate is the primary goal, it often leads to a significant decline in overall system performance; conversely, if service continuity is prioritized, the coverage and depth of security monitoring must be reduced. Summary of the Invention

[0004] The purpose of this invention is to provide a method, device, and medium for multi-target network security monitoring of software-defined network flows. By constructing a three-level architecture of data plane edge preprocessing, control plane global decision-making, and application plane collaborative defense, it achieves collaborative optimization of multiple objectives such as attack detection accuracy, false alarm rate, detection latency, controller load, and network bandwidth utilization, thereby improving the ability to identify known attacks and unknown threats. At the same time, it links traffic scheduling strategies to ensure network security and service quality.

[0005] The technical solution of this invention is: A multi-target network security monitoring method for software-defined network flows, implemented based on a three-tier SDN architecture, includes the following steps: Data plane traffic acquisition and edge preprocessing: Deploy SDN switches supporting the P4 programmable protocol as acquisition nodes to capture network flow data in real time; perform edge preprocessing on the captured network flow data, which includes feature extraction, anomaly filtering and data compression, to filter core feature subsets, remove obviously normal traffic, and upload the compressed suspected abnormal traffic data to the control plane; Control plane multi-target detection and decision-making: A distributed multi-controller architecture is adopted, and data synchronization between controllers is achieved through Byzantine fault tolerance protocol; based on the suspected abnormal traffic data, unsupervised learning model, reinforcement learning model and rule base matching are used for fusion detection to determine the attack type and risk level; based on the detection results and real-time network status, a multi-target optimization decision model is constructed and solved to generate defense strategy and traffic scheduling strategy, and converted into standardized instructions for issuance; Application of integrated surface-level defense and traffic optimization: Update the attack signature rule base and blacklist according to the defense strategy, and strengthen defense by linking the firewall and intrusion prevention system; optimize network topology and flow table forwarding strategy according to the traffic scheduling strategy to achieve multi-path routing and load balancing; record and analyze relevant data, generate security posture report, and optimize system parameters.

[0006] Furthermore, the feature extraction includes: extracting three types of initial features: basic features, behavioral features, and correlation features; and selecting a core feature subset using mutual information, wherein the mutual information threshold is dynamically adjusted according to the network scenario; the anomaly filtering adopts an adaptive threshold algorithm based on a sliding window, setting a dynamic threshold range of [μ-2σ, μ+2σ] based on the mean μ and standard deviation σ of the features within the sliding window to mark suspected abnormal traffic; the traffic data marked as suspected abnormal is compressed using the LZ77 compression algorithm, storing frequently occurring feature combinations through a preset dictionary table to reduce data transmission volume, and the compressed data carries the switch identifier, collection timestamp, and feature type label, and is uploaded to the control plane through a secure channel.

[0007] Furthermore, the fusion detection specifically includes: The variational autoencoder (VAE) with an attention mechanism is used as the unsupervised learning model. Potential anomalies are identified by introducing the attention mechanism and calculating the reconstruction error. The reinforcement learning model built using Deep Q-Network (DQN) uses network state, detection results, and controller load as the state space, and adjusting detection parameters as the action space. The detection strategy is dynamically optimized through a preset reward function. The detection results are matched against a rule base containing known attack signature patterns; The detection results of the unsupervised learning model, reinforcement learning model, and rule base matching are fused using a weighted voting method, and the weights of each model are dynamically adjusted based on historical detection accuracy.

[0008] Furthermore, the decision objectives of the multi-objective optimization decision model include: maximizing the attack interception rate, minimizing the detection latency, minimizing the controller load, and maximizing the core business bandwidth guarantee rate; the defense strategy is determined according to the risk level, including: performing immediate interception and isolation for high-risk attacks, performing rate limiting and continuous monitoring for medium-risk anomalies, and performing observation and verification for low-risk suspected anomalies; the traffic scheduling strategy includes allocating high-priority paths for normal business traffic and allocating isolation paths or limiting forwarding priority for abnormal traffic.

[0009] A software-defined network flow network security multi-target monitoring device, comprising: The data plane acquisition unit includes an SDN switch that supports the P4 programmable protocol, used to acquire network flow data and perform edge preprocessing; The control plane processing unit includes a distributed multi-controller cluster, which is used to perform multi-model fusion detection, multi-objective optimization decision-making, and generate control commands. The application plane linkage unit includes a security management server, a traffic scheduling server, and a log analysis server, which are used to perform defense linkage, traffic optimization, and security posture analysis. The storage unit adopts a distributed storage architecture and is used to store system data; Each unit is connected via a dedicated SDN communication link.

[0010] Furthermore, the controller in the control plane processing unit is configured with a multi-core heterogeneous processor, including a CPU core for decision scheduling and data synchronization, and an FPGA acceleration core for accelerating parallel computing of multi-model fusion detection; the controller also includes an encryption module using the AES-256 encryption algorithm; the distributed multi-controller cluster includes a main controller, a backup controller and a collaborative controller, and the backup controller has a built-in hot backup module for automatic switching when the main controller fails.

[0011] A computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements the steps of the method described above.

[0012] Compared with the prior art, the beneficial effects of the present invention are: This invention effectively solves the problem of multi-objective coordination imbalance caused by the fragmentation of functions at the three levels in traditional solutions by constructing a three-level collaborative architecture: data plane edge preprocessing, control plane multi-target detection and decision-making, and application plane linkage optimization. First, in the data plane, programmable switching equipment is used to perform real-time feature extraction, adaptive filtering, and efficient compression of raw traffic, significantly reducing the amount of data transmitted to the control plane, thereby alleviating controller load and shortening detection latency. In the control plane, a distributed multi-controller cluster is deployed, and a fusion detection model and multi-target optimization decision-making mechanism are introduced to achieve accurate identification of known attacks and proactive discovery of unknown threats. Simultaneously, defense and scheduling strategies are dynamically generated based on real-time network status and risk level. Building on this, the application plane further updates the rule base, links with external security devices, optimizes traffic paths, and performs visualization analysis, forming a closed-loop security enhancement and quality of service assurance system encompassing collection, preprocessing, detection, decision-making, defense, and optimization. Therefore, the monitoring method of this invention maintains high attack detection accuracy while significantly reducing false alarm rates, control plane load, and detection latency, and effectively ensuring core business bandwidth, achieving synergistic optimization of security performance and network service quality. Attached Figure Description

[0013] Figure 1 This is an architecture diagram of the network security multi-target monitoring system for software-defined network flows according to the present invention.

[0014] Figure 2 This is a schematic diagram of the multi-model fusion detection process of the present invention.

[0015] Figure 3 This is a flowchart of the solution process for the multi-objective optimization decision-making model of this invention.

[0016] Figure 4 This is a flowchart illustrating the overall implementation steps of the method of the present invention. Detailed Implementation

[0017] The following is combined with Figures 1 to 4 The specific embodiments of the present invention will be described in detail below.

[0018] It should be noted that the circuit connections involved in this invention all adopt conventional circuit connection methods and do not involve any innovation.

[0019] Example This embodiment implements a multi-target network security monitoring method for software-defined network flows based on an SDN network architecture.

[0020] The specific configuration is as follows: Data plane: Deploy 10 SDN switches (model Barefoot Tofino) supporting the P4 programmable protocol as traffic acquisition and edge processing nodes. The switch port speed is 100Gbps, supports the OpenFlow 1.3 protocol, and has built-in traffic acquisition and edge preprocessing modules. The sampling period is set to 1.5 seconds.

[0021] Control plane: A distributed cluster of three controllers is deployed. The primary and backup controllers are equipped with Intel Xeon Gold 6348 processors, 64GB of RAM, and 2TB SSDs, with a Xilinx Alveo U250 FPGA acceleration core. The co-controller is equipped with an Intel Xeon Silver 4314 processor, 32GB of RAM, and a 1TB SSD. Data is synchronized between controllers via a Byzantine fault-tolerant protocol, with synchronization latency controlled within 0.8 seconds.

[0022] Application plane: Deploy one security management server, one traffic scheduling server, and one log analysis server, all equipped with an Intel Xeon Gold 6348 processor, 64GB of memory, and a 4TB SSD, running the Ubuntu 20.04 operating system. The security management server is linked to the Huawei USG6000 firewall and IPS, the traffic scheduling server uses the traffic scheduling module of the OpenDayLight controller, and the log analysis server uses the ELK log analysis suite to provide visualization display functions.

[0023] Storage unit: Local storage uses an SSD array with a total capacity of 10TB and read / write speeds up to 2GB / s; like Figure 4 As shown, in an enterprise-level data center environment, the specific implementation steps of a software-defined network flow network security multi-target monitoring method in this embodiment are as follows: Step S1: Data plane traffic acquisition and edge preprocessing.

[0024] Ten SDN switches (model Barefoot Tofino) supporting the P4 programmable protocol are deployed in the network as traffic acquisition nodes for the data plane. These switches capture network flow data in real time, including OpenFlow flow table entries, packet header information (source / destination IP address, port, protocol type, etc.), port traffic statistics (inbound / outbound rate, packet forwarding rate), and link status parameters (bandwidth utilization, latency, packet loss rate).

[0025] Subsequently, edge preprocessing is performed locally on the switch on the captured raw data: Feature Extraction: First, based on the differences between attack behavior and normal traffic, multi-dimensional traffic features are extracted, divided into three categories: basic features, behavioral features, and correlation features, totaling 22 items. Basic features include flow duration, average packet size, and packet exchange frequency; behavioral features include source IP address packet concentration, destination IP address access dispersion, and port access frequency variation coefficient; correlation features include the difference between flow table entry generation rate and deletion rate, and the priority distribution entropy of flow table entries corresponding to the same source IP. The extracted initial features are screened using the mutual information method to remove redundant features and retain a core feature subset that is strongly correlated with attack detection. The screening criterion for the core feature subset is that the mutual information value is greater than a preset threshold (the preset threshold is dynamically adjusted according to the network scenario, with a value range of 0.6-0.8).

[0026] Anomaly Filtering: An adaptive threshold algorithm is used to initially filter a subset of core features, removing obviously normal traffic data and uploading only suspected abnormal traffic data to the control plane. The adaptive threshold algorithm uses a sliding window mechanism to statistically analyze the distribution range of each feature in real time. The window size is set to 5-10 sampling periods, with each sampling period lasting 1-2 seconds. The mean u and standard deviation 0 of each feature within the sliding window are calculated, and the dynamic threshold range is set to [u-20, u+20]. Traffic data exceeding this range is marked as suspected abnormal traffic.

[0027] Data compression: Traffic data marked as suspected abnormal is compressed using the LZ77 compression algorithm. Frequently occurring feature combinations are stored in a pre-set dictionary to reduce data transmission volume. The compressed data carries the switch identifier, collection timestamp, and feature type label, and is uploaded to the control plane through a secure channel.

[0028] Step S2: Control plane multi-target detection and decision-making.

[0029] like Figure 2 and Figure 3 As shown, the control plane adopts a distributed multi-controller architecture, deploying a cluster consisting of a main controller, a backup controller, and a cooperating controller. Each controller achieves data synchronization through a Byzantine fault-tolerant protocol.

[0030] Fusion detection: The control plane performs multi-model fusion analysis on the received suspected abnormal data. Unsupervised learning model: An anomaly detection model is constructed using a variational autoencoder (VAE) with an attention mechanism. A preprocessed subset of core features is used as input. The encoder with the attention mechanism learns the feature distribution of normal traffic, and the decoder reconstructs the input features, calculating the reconstruction error. A reconstruction error threshold of 0.05 is set; when the reconstruction error exceeds this threshold, the corresponding traffic is marked as a potential anomaly.

[0031] Reinforcement Learning Model: An adaptive detection model is constructed based on Deep Q-Network (DQN). Network state (e.g., link bandwidth utilization), detection results, and controller load are used as the state space, while adjusting detection thresholds and optimizing feature weights are used as the action space. The reward function is set as: Reward = 0.4 × Detection Accuracy - 0.3 × False Alarm Rate - 0.2 × Controller Load Rate + 0.1 × Core Service Bandwidth Guarantee Rate. The detection strategy is dynamically optimized through interaction with the network environment.

[0032] Rule base matching: The constructed attack feature rule base contains feature patterns of known attacks (such as DDoS attacks and Trojan intrusions). The output of the fusion detection model is matched with the rule base to determine the attack type and risk level (high risk, medium risk, low risk).

[0033] Results Fusion: A weighted voting method was used to fuse the detection results of the three sub-models. Initial weights for the unsupervised learning model, reinforcement learning model, and rule-based matching were set to 0.3, 0.4, and 0.3, respectively, and these weights were dynamically adjusted based on historical detection accuracy, with the sum of the weights being 1. When the fusion result was high-risk or medium-risk, it was determined to be abnormal traffic.

[0034] Multi-objective optimization decision-making and instruction generation: Based on detection results and combined with real-time network status (including controller load, link bandwidth utilization, and core service traffic proportion), a multi-objective optimization decision-making model is constructed. The decision objectives include: maximizing attack interception rate, minimizing detection latency, minimizing controller load, and maximizing core service bandwidth guarantee rate. The non-dominated sorting genetic algorithm (NSGA-III) is used to solve this optimization model and generate the optimal response strategy.

[0035] Defense strategy: Determined based on risk level. For attacks identified as high-risk (such as DDoS attacks), an immediate interception and isolation strategy is adopted to block the attack source connection and add its IP to the blacklist; for medium-risk anomalies, a rate limiting and monitoring strategy is adopted to limit its bandwidth usage and continuously monitor it; for low-risk suspected anomalies, an observation and verification strategy is adopted.

[0036] Traffic scheduling strategy: Leveraging the programmability advantages of SDN, the optimal forwarding path is allocated to normal traffic (especially core business traffic) to ensure service quality; and isolated paths or forwarding priority is allocated to abnormal traffic.

[0037] The main controller converts the optimized strategy into standardized instructions (such as flow table update instructions and path adjustment instructions), distributes them to the data plane switch via the OpenFlow protocol, and synchronizes them to the application plane.

[0038] Step S3: Apply plane defense linkage and traffic optimization.

[0039] Deploy security management applications, traffic scheduling applications, and log analysis applications on the application plane to achieve linkage and coordination: Enhanced defense strategy: Based on the detection results sent by the control plane, the security management application updates the attack feature rule library and the blacklist. Newly discovered unknown attack features are added to the rule library to achieve incremental updates of the detection model. At the same time, it links with firewalls and intrusion prevention systems (IPS) to strengthen perimeter protection.

[0040] Dynamic traffic optimization: Based on the path adjustment instructions from the control plane, the traffic scheduling application interacts with the controller through the northbound API to optimize the network topology and flow table forwarding strategy in real time. Using a multi-path routing algorithm, core business traffic is allocated to links with sufficient bandwidth and low latency, and non-core business traffic is load-balanced.

[0041] Log and situation analysis: The log analysis application records detection results, defense actions, and traffic change data, generates a security situation report, and displays it through a visual interface. At the same time, historical data is regularly analyzed to optimize the parameters of the detection model and the weights of multi-objective decision-making.

[0042] The effects of the present invention are verified through comparative experiments. The control group uses the existing SDN anomaly detection method based on a single machine learning model (random forest). The experimental indicators include detection accuracy, false alarm rate, detection latency, controller load rate, and core business bandwidth guarantee rate. The results are shown in the following table: Through the above steps, this embodiment realizes a complete process from data plane preprocessing load reduction, control plane intelligent collaborative decision-making to application plane closed-loop response optimization, verifying the feasibility of the method of the present invention in improving the comprehensive efficiency of security detection and guaranteeing service quality in a real network environment.

[0043] As Figure 1 shown, a network security multi-objective monitoring device for software-defined network flows includes: Data plane acquisition unit: Composed of SDN switches that support the P4 programmable protocol. Each switch is built with a traffic acquisition module, an edge preprocessing module (for performing feature extraction, anomaly filtering, and data compression), and a communication module.

[0044] Control plane processing unit: Composed of a distributed multi-controller cluster, including a primary controller, a standby controller, and a collaborative controller. Each controller is configured with a multi-core heterogeneous processor (including CPU cores and FPGA acceleration cores), memory, network interfaces, and an encryption module using the AES-256 encryption algorithm. The primary controller is built with a multi-model fusion detection module, a multi-objective optimization decision module, and an instruction generation module. The standby controller is built with a hot backup module for automatic switching in case of failure. The collaborative controller is responsible for regional data analysis.

[0045] Application plane linkage unit: includes security management server (deploys security management application), traffic scheduling server (deploys traffic scheduling application), and log analysis server (deploys log analysis application).

[0046] Storage unit: It adopts a distributed storage architecture, including local SSD storage for storing real-time data, and cloud backup storage for storing historical data, rule base, etc.

[0047] Each unit is connected via a dedicated SDN communication link.

[0048] A computer-readable storage medium, such as a solid-state drive (SSD) configured in an SDN controller, stores a computer program containing executable instruction code. When the processor of the main controller loads and executes these instructions, all steps of the network security multi-target monitoring method for software-defined network flows described above are fully implemented. Similarly, this program can also be deployed on the processor of a data plane switch (for performing edge preprocessing logic) or an application plane server to collaboratively implement the monitoring, defense, and optimization functions of this invention.

[0049] The above-disclosed embodiments are merely preferred embodiments of the present invention. However, the embodiments of the present invention are not limited thereto, and any variations that can be conceived by those skilled in the art should fall within the protection scope of the present invention.

Claims

1. A method for multi-target network security monitoring of software-defined network flows, characterized in that, The implementation of a three-tier architecture based on Software-Defined Networking (SDN) includes the following steps: Data plane traffic acquisition and edge preprocessing: Deploy SDN switches supporting the P4 programmable protocol as acquisition nodes to capture network flow data in real time; perform edge preprocessing on the captured network flow data, which includes feature extraction, anomaly filtering and data compression, to filter core feature subsets, remove obviously normal traffic, and upload the compressed suspected abnormal traffic data to the control plane; Control plane multi-target detection and decision-making: A distributed multi-controller architecture is adopted, and data synchronization between controllers is achieved through Byzantine fault tolerance protocol; based on the suspected abnormal traffic data, unsupervised learning model, reinforcement learning model and rule base matching are used for fusion detection to determine the attack type and risk level; based on the detection results and real-time network status, a multi-target optimization decision model is constructed and solved to generate defense strategy and traffic scheduling strategy, and converted into standardized instructions for issuance; Application of integrated surface-level defense and traffic optimization: Update the attack signature rule base and blacklist according to the defense strategy, and strengthen defense by linking the firewall and intrusion prevention system; optimize network topology and flow table forwarding strategy according to the traffic scheduling strategy to achieve multi-path routing and load balancing; record and analyze relevant data, generate security posture report, and optimize system parameters.

2. The method for multi-target network security monitoring of software-defined network flows according to claim 1, characterized in that, The feature extraction includes: extracting three types of initial features: basic features, behavioral features, and correlation features; and filtering out a core feature subset using mutual information, wherein the mutual information threshold is dynamically adjusted according to the network scenario. The anomaly filtering adopts an adaptive threshold algorithm based on a sliding window. Based on the mean μ and standard deviation σ of the features within the sliding window, a dynamic threshold range of [μ-2σ, μ+2σ] is set to mark suspected abnormal traffic. The traffic data marked as suspected abnormal is compressed using the LZ77 compression algorithm. High-frequency feature combinations are stored in a preset dictionary to reduce the amount of data transmitted. The compressed data carries the switch identifier, collection timestamp, and feature type label, and is uploaded to the control plane through a secure channel.

3. The method for multi-target network security monitoring of software-defined network flows according to claim 1, characterized in that, The fusion detection includes the following steps: The variational autoencoder (VAE) with an attention mechanism is used as the unsupervised learning model. Potential anomalies are identified by introducing the attention mechanism and calculating the reconstruction error. The reinforcement learning model built using Deep Q-Network (DQN) uses network state, detection results, and controller load as the state space, and adjusting detection parameters as the action space. The detection strategy is dynamically optimized through a preset reward function. The detection results are matched against a rule base containing known attack signature patterns; The detection results of the unsupervised learning model, reinforcement learning model, and rule base matching are fused using a weighted voting method, and the weights of each model are dynamically adjusted based on historical detection accuracy.

4. The method for multi-target network security monitoring of software-defined network flows according to claim 1, characterized in that, The decision objectives of the multi-objective optimization decision model include: maximizing the attack interception rate, minimizing detection latency, minimizing controller load, and maximizing the core business bandwidth guarantee rate; the defense strategy is determined according to the risk level, including: immediately intercepting and isolating high-risk attacks, implementing rate limiting and continuous monitoring for medium-risk anomalies, and observing and verifying low-risk suspected anomalies; the traffic scheduling strategy includes allocating high-priority paths for normal business traffic and allocating isolation paths or restricting forwarding priority for abnormal traffic.

5. A software-defined network flow multi-target network security monitoring device, characterized in that, Monitoring based on the method described in any one of claims 1-4 includes: The data plane acquisition unit includes: an SDN switch supporting the P4 programmable protocol, used to acquire network flow data and perform edge preprocessing; The control plane processing unit includes: a distributed multi-controller cluster, used to perform multi-model fusion detection, multi-objective optimization decision-making, and generate control commands; The application plane linkage unit includes: a security management server, a traffic scheduling server, and a log analysis server, which are used to perform defense linkage, traffic optimization, and security posture analysis; The storage unit adopts a distributed storage architecture and is used to store system data; The data plane acquisition unit, control plane processing unit, and application plane linkage unit are all connected through a dedicated SDN communication link.

6. A software-defined network flow network security multi-target monitoring device according to claim 5, characterized in that, The controller in the control plane processing unit is configured with a multi-core heterogeneous processor, including a CPU core for decision scheduling and data synchronization, and an FPGA acceleration core for accelerating parallel computing of multi-model fusion detection; the controller also includes an encryption module using the AES-256 encryption algorithm; the distributed multi-controller cluster includes a main controller, a backup controller and a cooperative controller, and the backup controller has a built-in hot backup module for automatic switching when the main controller fails.

7. A computer-readable storage medium having a computer program stored thereon, characterized in that, When the computer program is executed by a processor, it implements the steps of the method as described in any one of claims 1 to 4.