A machine learning based network security monitoring system

CN122179201APending Publication Date: 2026-06-09HANGZHOU TIANFANG XINAN TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
HANGZHOU TIANFANG XINAN TECH CO LTD
Filing Date
2026-03-20
Publication Date
2026-06-09

AI Technical Summary

Technical Problem

Existing network security monitoring technologies struggle to accurately depict the continuous evolution of network security incidents over time and the interrelationships between different types of security incidents. This results in insufficiently refined characterization of network security risks, limiting the accuracy and foresight of monitoring results.

Method used

An improved neural Hawkes process is used to model the temporal triggering relationship between network security events. Security semantic constraints and cross-excitation modeling mechanisms are introduced to generate event triggering intensity and its evolution results. Anomaly indication information or network security status judgment results are output through time evolution analysis.

Benefits of technology

It improves the accuracy and temporal consistency of network security monitoring, effectively identifies complex abnormal behaviors and potential risks, and enhances the overall and forward-looking nature of network security monitoring.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122179201A_ABST
    Figure CN122179201A_ABST
Patent Text Reader

Abstract

The application discloses a network security monitoring system based on machine learning, comprising the following steps: a data acquisition module is used for collecting network operation data and recording time stamps; a network security event construction module is used for forming a network security event sequence; a network security event classification module is used for generating a multi-type network security event subsequence; a security trigger intensity modeling module is used for generating an event trigger intensity based on an improved neural Hawkes process; a security semantic constraint module is used for generating an event trigger intensity sequence after security constraints; a cross-excitation modeling module is used for generating an event trigger intensity evolution result; a time evolution analysis module is used for generating an event trigger intensity change feature; and a monitoring result output module is used for outputting abnormal indication information or a network security state judgment result. The application adopts an improved neural Hawkes process modeling to realize network security monitoring, and has the advantage of high abnormality recognition accuracy.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of network security monitoring technology, and in particular to a network security monitoring system based on machine learning. Background Technology

[0002] Existing network security monitoring technologies are typically based on rule matching, feature threshold determination, or statistical analysis of single network behaviors, processing or modeling network traffic, access behavior, authentication behavior, and security policy hit information separately or independently. Some methods introduce machine learning models to detect anomalies in network behavior, but these often use static feature vectors or fixed-time-window statistical features as input, making it difficult to depict the continuous evolution of network security events over time or reflect the interrelationships between different types of security events.

[0003] Under the aforementioned existing technological conditions, when complex abnormal behaviors arise in a network caused by multiple network security events triggered sequentially over time, existing methods often can only identify isolated events, making it difficult to accurately characterize the temporal triggering relationships between events and their impact on the overall network security status. Furthermore, the intensity of events in existing technologies often only reflects frequency or probability, lacking constraint mechanisms directly related to security semantics. This results in insufficiently refined characterization of network security risks, limiting the accuracy and foresight of monitoring results.

[0004] Therefore, how to provide a network security monitoring system based on machine learning is a problem that urgently needs to be solved by those skilled in the art. Summary of the Invention

[0005] One objective of this invention is to propose a network security monitoring system based on machine learning. This invention uses an improved neural Hawkes process model to achieve network security monitoring, which has the advantage of high accuracy in anomaly identification.

[0006] A machine learning-based network security monitoring system according to an embodiment of the present invention includes the following steps:

[0007] The data acquisition module is used to collect network operation data and record timestamps;

[0008] The network security event construction module is used to map network operation data into network security events and form a network security event sequence;

[0009] The network security incident classification module is used to generate multiple types of network security incident sub-sequences according to the incident type identifier;

[0010] The security trigger strength modeling module is used to model the temporal triggering relationship between network security events based on an improved neural Hawkes process, and generate event trigger strength.

[0011] The security semantic constraint module is used to apply security semantic constraints to the calculation process of event trigger strength and generate a security-constrained event trigger strength sequence.

[0012] The cross-triggering modeling module is used to model the cross-triggering relationships between different types of cybersecurity events and generate event triggering intensity evolution results.

[0013] The time evolution analysis module is used to generate event trigger intensity change characteristics;

[0014] The monitoring result output module is used to output abnormal indication information or network security status judgment results to realize network security monitoring.

[0015] Optionally, modules can be integrated using the following methods:

[0016] Collect network operation data generated during network operation;

[0017] The network operation data is cleaned, time aligned, and behavior parsed to map the network operation data into network security events with event type identifiers and occurrence time identifiers, and arranged in chronological order to form a network security event sequence.

[0018] Based on the event type identifier of network security events, network security event sequences are classified and organized to generate subsequences of multiple types of network security events;

[0019] By inputting a sequence of cybersecurity events into an improved neural Hawkes process, the occurrence time of cybersecurity events and the temporal triggering relationship between cybersecurity events are modeled to generate event triggering intensity.

[0020] A safety semantic constraint is introduced into the improved neural Hawkes process to limit the calculation process of event trigger strength and generate a safety-constrained event trigger strength sequence.

[0021] Based on subsequences of multiple types of network security events, the cross-triggering relationship between different types of network security events is modeled to generate event triggering intensity evolution results;

[0022] Perform time evolution analysis on the event trigger intensity sequence and the event trigger intensity evolution results after safety constraints to generate event trigger intensity change characteristics;

[0023] Based on the characteristics of changes in the intensity of event triggering, anomaly indication information or network security status determination results are generated and output to achieve network security monitoring.

[0024] Optionally, the network operation data generated during network operation includes network traffic data, access behavior data, authentication behavior data, and security policy hit data, and corresponding timestamps are recorded for each network operation data.

[0025] Optionally, the formation of the network security event sequence includes:

[0026] The collected network operation data is cleaned to obtain cleaned network operation data.

[0027] Perform time alignment processing on the cleaned network operation data to generate network operation data arranged according to a unified time index;

[0028] Based on network operation data arranged by a unified time index, perform behavior parsing processing to generate behavior parsing results that correspond one-to-one with the network operation data.

[0029] Based on the behavioral analysis results, event mapping processing is performed on the network operation data to generate network security events with event type identifiers and occurrence time identifiers;

[0030] Cybersecurity events are arranged in chronological order of their occurrence to form a cybersecurity event sequence.

[0031] Optionally, the generation of the multi-type network security event subsequences includes:

[0032] Read the network security event sequence and obtain the event type identifier and occurrence time identifier corresponding to each network security event in the sequence;

[0033] Based on the event type identifier contained in the network security event sequence, a one-to-one correspondence between the event type identifier and the multi-type network security event sub-sequence is established, and a corresponding multi-type network security event sub-sequence is generated for each event type identifier.

[0034] Traverse the network security event sequence, and for each network security event, determine the corresponding multi-type network security event subsequence based on its event type identifier, and write the network security event into the corresponding multi-type network security event subsequence;

[0035] The network security events within each multi-type network security event subsequence are arranged in chronological order according to their occurrence time identifiers, generating a multi-type network security event subsequence arranged in chronological order according to their occurrence time identifiers.

[0036] Optionally, the generation of the event trigger strength includes:

[0037] The improvement of the neural Hawkes process is as follows: security semantic constraints are introduced into the calculation process of event trigger intensity, and a correspondence is established between the event type identifier and the value of the security semantic constraint to limit the calculation process of event trigger intensity. At the same time, a cross-excitation modeling mechanism between multiple types of network security events is introduced to jointly model the network security event subsequences corresponding to different event types, characterize the collaborative triggering relationship of multiple types of network security events in the time dimension, and generate the event trigger intensity evolution result.

[0038] Read the network security event sequence and obtain the event type identifier and occurrence time identifier corresponding to each network security event in the sequence;

[0039] The sequence of network security events is sorted according to the occurrence time identifier to form a time-ordered sequence of network security events arranged in chronological order of occurrence time identifier, and the event type identifier is converted into an event type input representation;

[0040] In the improved neural Hawkes process, for the current network security event in a time-ordered network security event sequence, the set of historical network security events preceding its occurrence time marker is determined, and a time interval sequence is generated based on the time difference between the occurrence time markers of each network security event in the historical network security event set and the occurrence time marker of the current network security event.

[0041] Based on the event type input representation and time interval sequence, the temporal triggering relationship between network security events is modeled in the improved neural Hawkes process, and the baseline triggering contribution and historical triggering contribution corresponding to the current network security event are calculated.

[0042] Based on baseline and historical trigger contributions, generate event trigger strength corresponding to the current cybersecurity event;

[0043] The event trigger strength generation process is executed sequentially for each network security event in the time-ordered network security event sequence, and the generated event trigger strengths are arranged in chronological order according to their occurrence time identifiers to form the event trigger strengths.

[0044] Optionally, the generation of the event triggering strength sequence after the security constraints includes:

[0045] In the improved neural Hawkes process, for each network security event, the event type identifier, occurrence time identifier, and event trigger strength generated by the baseline trigger contribution and historical trigger contribution are obtained.

[0046] The security semantic constraint values ​​corresponding to the network security event are determined based on the event type identifier;

[0047] The calculation process for event trigger strength is constrained to obtain the event trigger strength after safety constraints;

[0048] Perform interval limiting processing on the event trigger strength after safety constraints to obtain the interval-limited event trigger strength after safety constraints;

[0049] The event trigger strengths after the interval is defined are arranged according to the order of their occurrence time identifiers to form a sequence of event trigger strengths after the safety constraints are defined.

[0050] Optionally, the generation of the event trigger intensity evolution result includes:

[0051] Read subsequences of multiple types of network security events and obtain the event type identifier and occurrence time identifier corresponding to each network security event in each subsequence;

[0052] Based on subsequences of multiple types of network security events, cross-trigger relationships are established for different event type identifiers;

[0053] For the target event type identifier, locate the source event type identifier that is different from the target event type identifier, and locate the multi-type network security event sub-sequences corresponding to the source event type identifier and the multi-type network security event sub-sequences corresponding to the target event type identifier respectively;

[0054] Based on the multi-type network security event sub-sequences corresponding to the source event type identifier and the multi-type network security event sub-sequences corresponding to the target event type identifier, a cross time interval sequence is generated;

[0055] The cross-excitation contribution is calculated based on the cross-excitation time interval sequence and the cross-excitation relationship;

[0056] Based on cross-excitation contributions, the evolution of the event trigger intensity corresponding to the target event type identifier in the time dimension is modeled, and the event trigger intensity evolution results are generated by arranging them in the order of occurrence time identifiers.

[0057] Optionally, the generation of the event-triggered intensity change feature includes:

[0058] Read the event trigger strength sequence and event trigger strength evolution result after the safety constraint, and perform time alignment processing on the event trigger strength sequence and event trigger strength evolution result after the occurrence time identifier according to the occurrence time identifier to generate an aligned strength sequence arranged in order of occurrence time identifier;

[0059] Set a preset analysis time window on the alignment intensity sequence, and divide the alignment intensity sequence according to the preset analysis time window to generate multiple continuous time windows;

[0060] For each time window, the intensity increment is calculated based on the intensity values ​​arranged by occurrence time within that time window.

[0061] For each time window, the intensity change rate is calculated based on the intensity increment value and the corresponding occurrence time identifier difference.

[0062] For each time window, the intensity fluctuation value is calculated based on the intensity value within that time window;

[0063] Arrange the intensity increment, intensity change rate, and intensity fluctuation values ​​corresponding to each time window in chronological order of occurrence time to generate event-triggered intensity change characteristics.

[0064] Optionally, the output anomaly indication information or network security status determination result includes:

[0065] Read the event trigger intensity change characteristics and obtain the occurrence time identifier corresponding to the event trigger intensity change characteristics;

[0066] Calculate the anomaly detection threshold based on the characteristics of event trigger intensity changes;

[0067] The event trigger intensity change characteristics and anomaly judgment thresholds are compared item by item according to the occurrence time identifier, and anomaly indication identifiers corresponding one-to-one with the occurrence time identifiers are generated based on the comparison results.

[0068] The anomaly indication markers are identified in consecutive segments according to the order of their occurrence time markers to generate anomaly occurrence time segments;

[0069] Anomaly indication information is generated based on anomaly indicator identifiers and anomaly occurrence time segments;

[0070] Generate network security status assessment results based on anomaly indicators;

[0071] Output anomaly indication information or network security status assessment results.

[0072] The beneficial effects of this invention are:

[0073] This invention fundamentally changes the traditional approach of network security monitoring, which focuses on isolated events or static features, by uniformly mapping multi-source network operation data generated during network operation into network security events with event type and occurrence time identifiers, and forming a network security event sequence over time. Based on an improved neural Hawkes process, it models the temporal triggering relationships between network security events, enabling network security monitoring to characterize the continuous evolution of events over time and reflect the mutual influence between different events. This allows monitoring results to move beyond passively identifying single abnormal behaviors and instead continuously perceive and comprehensively characterize the changing process of network security status.

[0074] Furthermore, this invention introduces security semantic constraints during the generation of event trigger intensity, directly associating event types with security semantics. This allows event trigger intensity to not only reflect the temporal characteristics of the event but also characterize the degree of impact of network security events on the network security status. Simultaneously, by modeling the cross-triggering relationships among multiple types of network security events, the synergistic triggering effect of different event types in the temporal dimension is incorporated into the analysis process, enabling the effective identification of complex abnormal behaviors formed by the continuous triggering of multiple events. Based on this, a temporal evolution analysis is performed on the event trigger intensity and its evolution results after security constraints, generating stable and continuous event trigger intensity change characteristics. Based on this, abnormal indication information or network security status judgment results are output, thereby improving the accuracy and temporal consistency of network security monitoring in identifying complex attack behaviors and potential risks, and enhancing the overall, forward-looking, and practical nature of network security monitoring. Attached Figure Description

[0075] The accompanying drawings are provided to further illustrate the invention and form part of the specification. They are used in conjunction with embodiments of the invention to explain the invention and do not constitute a limitation thereof. In the drawings:

[0076] Figure 1 This is an overall flowchart of a machine learning-based network security monitoring system proposed in this invention.

[0077] Figure 2 This is a schematic diagram illustrating the modeling of the time-triggered relationship of network security events based on an improved neural Hawkes process in a machine learning-based network security monitoring system proposed in this invention.

[0078] Figure 3 This is a schematic diagram illustrating how anomaly indication information or network security status determination results are generated based on event trigger intensity change characteristics in a network security monitoring system based on machine learning proposed in this invention. Detailed Implementation

[0079] The present invention will now be described in further detail with reference to the accompanying drawings. These drawings are simplified schematic diagrams, illustrating only the basic structure of the invention, and therefore only show the components relevant to the invention.

[0080] refer to Figures 1-3 A machine learning-based network security monitoring system includes the following steps:

[0081] The data acquisition module is used to collect network operation data and record timestamps;

[0082] The network security event construction module is used to map network operation data into network security events and form a network security event sequence;

[0083] The network security incident classification module is used to generate multiple types of network security incident sub-sequences according to the incident type identifier;

[0084] The security trigger strength modeling module is used to model the temporal triggering relationship between network security events based on an improved neural Hawkes process, and generate event trigger strength.

[0085] The security semantic constraint module is used to apply security semantic constraints to the calculation process of event trigger strength and generate a security-constrained event trigger strength sequence.

[0086] The cross-triggering modeling module is used to model the cross-triggering relationships between different types of cybersecurity events and generate event triggering intensity evolution results.

[0087] The time evolution analysis module is used to generate event trigger intensity change characteristics;

[0088] The monitoring result output module is used to output abnormal indication information or network security status judgment results to realize network security monitoring.

[0089] In this embodiment, the modules are interconnected using the following method:

[0090] Collect network operation data generated during network operation, including network traffic data, access behavior data, authentication behavior data, and security policy hit data, and record corresponding timestamps for each network operation data.

[0091] The network operation data is cleaned, time aligned, and behavior parsed to map the network operation data into network security events with event type identifiers and occurrence time identifiers, and arranged in chronological order to form a network security event sequence.

[0092] Based on the event type identifier of network security events, network security event sequences are classified and organized to generate subsequences of multiple types of network security events;

[0093] By inputting a sequence of cybersecurity events into an improved neural Hawkes process, the occurrence time of cybersecurity events and the temporal triggering relationship between cybersecurity events are modeled to generate event triggering intensity.

[0094] Security semantic constraints are introduced into the improved neural Hawkes process to limit the calculation process of event trigger intensity and generate a security-constrained event trigger intensity sequence, so that the event trigger intensity characterizes the degree of impact of network security events on network security status.

[0095] Based on subsequences of multiple types of network security events, the cross-triggering relationship between different types of network security events is modeled to generate event triggering intensity evolution results;

[0096] Perform time evolution analysis on the event trigger intensity sequence and the event trigger intensity evolution results after safety constraints to generate event trigger intensity change characteristics;

[0097] Based on the characteristics of changes in the intensity of event triggering, anomaly indication information or network security status determination results are generated and output to achieve network security monitoring.

[0098] In this embodiment, the network operation data generated during network operation includes network traffic data, access behavior data, authentication behavior data, and security policy hit data, and a corresponding timestamp is recorded for each of the network operation data.

[0099] In this embodiment, the formation of the network security event sequence includes:

[0100] The collected network operation data is subjected to data cleaning processing, which includes deleting duplicate records, removing records with missing timestamps, completing records with incomplete fields according to preset field rules, and removing records with field values ​​that do not conform to preset legal ranges, so as to obtain cleaned network operation data.

[0101] The cleaned network operation data is subjected to time alignment processing. The time alignment processing includes mapping the timestamps in the network operation data to time indices corresponding to a unified time granularity, and associating the network operation data falling within the same time index according to a preset time alignment tolerance, thereby generating network operation data arranged according to a unified time index.

[0102] Behavior parsing processing is performed on network operation data arranged by a unified time index. The behavior parsing processing includes parsing network traffic data, access behavior data, authentication behavior data, and security policy hit data to generate behavior parsing results that correspond one-to-one with the network operation data.

[0103] Based on the behavior analysis results, event mapping processing is performed on the network operation data. The event type identifier corresponding to the network operation data is determined according to the behavior analysis results, and the time information corresponding to the unified time index is determined as the occurrence time identifier, generating a network security event with event type identifier and occurrence time identifier.

[0104] Cybersecurity events are arranged in chronological order of their occurrence to form a cybersecurity event sequence.

[0105] In this embodiment, the generation of the multi-type network security event sub-sequences includes:

[0106] Read the network security event sequence and obtain the event type identifier and occurrence time identifier corresponding to each network security event in the sequence;

[0107] Based on the event type identifier contained in the network security event sequence, a one-to-one correspondence between the event type identifier and the multi-type network security event sub-sequence is established, and a corresponding multi-type network security event sub-sequence is generated for each event type identifier.

[0108] The formation of the one-to-one correspondence includes: when processing the network security event sequence, firstly identifying the event type identifier contained in the network security event sequence, and creating a corresponding multi-type network security event sub-sequence for each event type identifier, using the event type identifier as a unique index, binding each event type identifier with the unique multi-type network security event sub-sequence to form a one-to-one correspondence;

[0109] Traverse the network security event sequence, and for each network security event, determine the corresponding multi-type network security event subsequence based on its event type identifier, and write the network security event into the corresponding multi-type network security event subsequence;

[0110] The network security events within each multi-type network security event subsequence are arranged in chronological order according to their occurrence time identifiers, generating a multi-type network security event subsequence arranged in chronological order according to their occurrence time identifiers.

[0111] In this embodiment, the generation of the event trigger intensity includes:

[0112] The improvement of the neural Hawkes process is as follows: security semantic constraints are introduced into the calculation process of event trigger intensity, and a correspondence is established between event type identifiers and security semantic constraint values ​​to limit the calculation process of event trigger intensity, so that event trigger intensity can directly reflect the impact of network security events on network security status. At the same time, a cross-excitation modeling mechanism between multiple types of network security events is introduced to jointly model the network security event subsequences corresponding to different event types, characterize the collaborative triggering relationship of multiple types of network security events in the time dimension, and generate the event trigger intensity evolution results.

[0113] Read the network security event sequence and obtain the event type identifier and occurrence time identifier corresponding to each network security event in the sequence;

[0114] The sequence of network security events is sorted according to the occurrence time identifier to form a time-ordered sequence of network security events arranged in chronological order of occurrence time identifier, and the event type identifier is converted into an event type input representation for computation by an improved neural Hawkes process;

[0115] In the improved neural Hawkes process, for the current network security event in a time-ordered network security event sequence, the set of historical network security events preceding its occurrence time marker is determined, and a time interval sequence is generated based on the time difference between the occurrence time markers of each network security event in the historical network security event set and the occurrence time marker of the current network security event.

[0116] Based on the event type input representation and time interval sequence, the temporal triggering relationship between network security events is modeled in the improved neural Hawkes process, and the baseline triggering contribution and historical triggering contribution corresponding to the current network security event are calculated.

[0117] The triggering relationship specifically includes: modeling the temporal triggering impact of historical network security events on current network security events based on event type input representation and time interval sequence, calculating the baseline triggering contribution and historical triggering contribution corresponding to the current network security event, and synthesizing the baseline triggering contribution and historical triggering contribution to generate the event triggering intensity corresponding to the current network security event, thereby characterizing the temporal triggering relationship between network security events;

[0118] Based on the baseline trigger contribution and historical trigger contribution, the event trigger strength corresponding to the current network security event is generated by summing the baseline trigger contribution and historical trigger contribution.

[0119] The event trigger strength generation process is executed sequentially for each network security event in the time-ordered network security event sequence, and the generated event trigger strengths are arranged in the order of their occurrence time identifiers to form the event trigger strengths;

[0120] The process of generating event trigger intensity specifically includes: obtaining the event type identifier and occurrence time identifier of the current network security event, determining the set of historical network security events prior to the occurrence time identifier, generating the time interval information between the historical network security events and the current network security event, calculating the baseline trigger contribution and historical trigger contribution corresponding to the current network security event based on the event type identifier and time interval information, and synthesizing the baseline trigger contribution and historical trigger contribution to obtain the event trigger intensity corresponding to the current network security event.

[0121] In this embodiment, the generation of the event triggering strength sequence after the security constraints includes:

[0122] In the improved neural Hawkes process, for each network security event, the event type identifier, occurrence time identifier, and event trigger strength generated by the baseline trigger contribution and historical trigger contribution are obtained.

[0123] The security semantic constraint value corresponding to the network security event is determined based on the event type identifier, and the security semantic constraint value is a deterministic value that corresponds one-to-one with the event type identifier;

[0124] The calculation process of event trigger intensity is constrained. The constraint includes constraining the participation of baseline trigger contribution and historical trigger contribution in the event trigger intensity generation process based on the value of security semantic constraint, so that the baseline trigger contribution and historical trigger contribution jointly generate the event trigger intensity after security constraint according to the participation ratio or participation conditions determined by the value of security semantic constraint, and thus obtain the event trigger intensity after security constraint.

[0125] The event triggering intensity after safety constraints is subjected to range limiting processing, which includes limiting the event triggering intensity after safety constraints to between a preset lower limit and a preset upper limit, to obtain the event triggering intensity after safety constraints with range limiting.

[0126] The event trigger strengths after the interval is defined are arranged according to the order of their occurrence time identifiers to form a sequence of event trigger strengths after the safety constraints are defined.

[0127] In this embodiment, the generation of the event trigger intensity evolution result includes:

[0128] Read subsequences of multiple types of network security events and obtain the event type identifier and occurrence time identifier corresponding to each network security event in each subsequence;

[0129] Based on multi-type network security event sub-sequences, cross-triggering relationships are established for different event type identifiers, so that each event type identifier and its corresponding other event type identifiers form a one-to-one cross-triggering relationship.

[0130] The establishment of cross-triggering relationships specifically includes: based on the event type identifiers contained in the subsequences of multiple types of network security events, for any target event type identifier, determining other event type identifiers that are different from it as source event type identifiers, and establishing corresponding interactive associations between the target event type identifier and each source event type identifier, recording the interactive associations as cross-triggering relationships, thereby forming a set of cross-triggering relationships between different event types to describe their mutual triggering effects;

[0131] For the target event type identifier, locate the source event type identifier that is different from the target event type identifier, and locate the multi-type network security event sub-sequences corresponding to the source event type identifier and the multi-type network security event sub-sequences corresponding to the target event type identifier respectively;

[0132] Based on the multi-type network security event subsequences corresponding to the source event type identifier and the multi-type network security event subsequences corresponding to the target event type identifier, taking the network security event corresponding to the target event type identifier as the benchmark, the occurrence time identifiers corresponding to the source event type identifiers that are earlier than the occurrence time identifiers of the network security event are matched to generate a cross time interval sequence. The cross time interval sequence is the time difference sequence between the source occurrence time identifier and the target occurrence time identifier.

[0133] The cross-excitation contribution is calculated based on the cross-interval sequence and the cross-excitation relationship. The cross-excitation contribution is used to limit the direction or magnitude of change of the event triggering intensity corresponding to the target event type identifier in the time dimension.

[0134] The calculation of the cross-excitation contribution specifically includes: for the network security event corresponding to the target event type identifier, determining the time difference between each source occurrence time identifier and the target occurrence time identifier based on the cross time interval sequence, and determining the excitation contribution value corresponding to the source event type identifier to the target event type identifier according to the cross-excitation relationship, and accumulating the excitation contribution values ​​corresponding to each time difference value to obtain the cross-excitation contribution corresponding to the network security event corresponding to the target event type identifier.

[0135] Based on cross-excitation contributions, the evolution of the event trigger intensity corresponding to the target event type identifier in the time dimension is modeled, and the event trigger intensity evolution results are generated by arranging them in the order of occurrence time identifiers.

[0136] In this embodiment, the generation of the event trigger intensity change characteristics includes:

[0137] Read the event trigger strength sequence and event trigger strength evolution result after the safety constraint, and perform time alignment processing on the event trigger strength sequence and event trigger strength evolution result after the occurrence time identifier according to the occurrence time identifier to generate an aligned strength sequence arranged in order of occurrence time identifier;

[0138] Set a preset analysis time window on the alignment intensity sequence, and divide the alignment intensity sequence according to the preset analysis time window to generate multiple continuous time windows;

[0139] For each time window, based on the intensity values ​​arranged by occurrence time identifier within that time window, an intensity increment value is calculated. The intensity increment value is the difference between the intensity values ​​corresponding to adjacent occurrence time identifiers. Based on the intensity increment value and the corresponding occurrence time identifier difference, an intensity change rate value is calculated.

[0140] For each time window, the intensity fluctuation value is calculated based on the intensity value within that time window. The intensity fluctuation value is obtained by calculating the mean value of the intensity values, calculating the deviation value between each intensity value and the mean value, squaring the deviation value and summing it, dividing the summation result by the number of intensity values ​​within the time window and taking the square root.

[0141] Arrange the intensity increment, intensity change rate, and intensity fluctuation values ​​corresponding to each time window in chronological order of occurrence time to generate event-triggered intensity change characteristics.

[0142] In this embodiment, the output of abnormal indication information or network security status determination results includes:

[0143] Read the event trigger intensity change characteristics and obtain the occurrence time identifier corresponding to the event trigger intensity change characteristics;

[0144] The anomaly determination threshold is calculated based on the event trigger intensity change characteristics. The anomaly determination threshold is calculated by calculating the mean and standard deviation of the intensity increment, intensity change rate and intensity fluctuation values ​​in the event trigger intensity change characteristics, and then summing the mean and standard deviation values ​​according to a preset weighting coefficient.

[0145] The event trigger intensity change characteristics and anomaly judgment thresholds are compared item by item according to the occurrence time identifier, and anomaly indication identifiers corresponding one-to-one with the occurrence time identifiers are generated based on the comparison results.

[0146] The anomaly indication markers are identified in consecutive segments according to the order of their occurrence time markers to generate anomaly occurrence time segments;

[0147] Anomaly indication information is generated based on anomaly indication identifiers and anomaly occurrence time segments. The anomaly indication information includes anomaly occurrence time segments and anomaly indication identifiers corresponding to the anomaly occurrence time segments.

[0148] A network security status determination result is generated based on the anomaly indication identifier. The network security status determination result includes a security status identifier or a risk status identifier, and the anomaly indication information or network security status determination result is output.

[0149] Example 1: To verify the feasibility of this invention in practice, it was applied to a large enterprise campus network environment. This network environment covers multiple office and business areas, with a complex internal network structure, a large number of terminals, and diverse business system types. During network operation, a large amount of network traffic data, access behavior data, authentication behavior data, and security policy hit data are continuously generated. With the expansion of network scale and the dynamic changes in business access patterns, different types of security-related behaviors in the network exhibit highly intertwined characteristics over time. Traditional network security monitoring methods based on static rules or isolated event analysis gradually reveal their insufficient ability to identify complex abnormal behaviors in this environment, making it difficult to reflect the changes in network security status in a timely and accurate manner.

[0150] After deploying the machine learning-based network security monitoring system of this invention in this scenario, the system first collects network operation data continuously generated during network operation and records corresponding time information for various types of data. The collected data sources include traffic records generated during network communication, user or device access behavior records, authentication behavior records, and hit records generated during security policy triggering. The system performs unified processing on the above network operation data, aggregating network behaviors scattered across different data sources to provide a complete data foundation for subsequent analysis.

[0151] After network operation data enters the system, the system performs data cleaning, time alignment, and behavior analysis on the collected data. Data cleaning removes duplicate, missing, or incomplete records, ensuring the availability and consistency of the network operation data. Time alignment maps network operation data from different sources to a unified time scale, enabling various behaviors to be correlated on the same timeline. Behavior analysis parses the raw network operation data into behavioral results with clear security implications. Based on this, the system maps the processed network operation data into network security events with event type and occurrence time identifiers, forming a network security event sequence according to the order of occurrence, allowing the network operation status to be expressed in the form of an event sequence.

[0152] Subsequently, the system categorizes and organizes the network security event sequences based on their event type identifiers, assigning different types of network security events to their corresponding multi-type network security event subsequences. In this way, different types of network security events are organized separately along the time dimension while maintaining their correlation with the overall event sequence, providing a clear data structure to support subsequent characterization of the interactions between different event types.

[0153] After constructing the event sequence and sub-sequences of various types of cybersecurity events, the system inputs the cybersecurity event sequence into an improved neural Hawkes process to model the occurrence time of cybersecurity events and the temporal triggering relationships between events. During the modeling process, the system not only considers the time interval relationship between current cybersecurity events and historical cybersecurity events, but also introduces security semantic constraints to limit the calculation process of event trigger intensity, ensuring that the event trigger intensity reflects the degree of impact of different types of cybersecurity events on the cybersecurity status. This modeling approach can more accurately characterize the triggering characteristics of cybersecurity events in the time dimension and their security implications.

[0154] Meanwhile, based on subsequences of multiple types of network security events, the system models the cross-induction relationships between different types of network security events. In actual network operation, access behavior, authentication behavior, and security policy hit behavior often do not occur independently, but rather influence and trigger each other in time. By modeling the cross-induction relationships between different types of events, the system can depict complex behavioral chains formed by the continuous triggering of multiple types of events and generate event trigger intensity evolution results that reflect this process. This allows network security monitoring to be upgraded from the single event level to the multi-event collaborative evolution level.

[0155] Based on the above modeling, the system further performs time evolution analysis on the event trigger intensity sequence and the evolution results of the event trigger intensity after security constraints, generating event trigger intensity change characteristics. These characteristics comprehensively reflect the changing trends of network security events over time, enabling the system to continuously track the evolution of network security status, rather than being limited to static judgments of abnormal behavior at a single moment. Based on the generated event trigger intensity change characteristics, the system can output anomaly indication information or network security status judgment results, providing network administrators with intuitive and continuous security posture feedback.

[0156] During continuous application of this invention in the network environment, it can be observed that the system can maintain stable monitoring of changes in network operating status. When network behavior patterns change, the system can reflect the changing trend of network security status through the intensity of event triggers and their evolution characteristics, enabling managers to notice potential risks at an earlier stage. By incorporating the mutual influence of multiple types of network security events over time into the analysis, the system effectively solves the problem that traditional methods struggle to characterize complex event triggering relationships, improving the integrity and continuity of network security monitoring.

[0157] Table 1. Performance comparison between the network security monitoring method based on the improved neural Hawkes process and traditional methods.

[0158] Comparison Methods Anomaly detection accuracy (%) False alarm rate (%) Missed Reporting Rate (%) Average detection latency (ms) Stability rating in complex scenarios Traditional rule-based methods 86.4 9.8 12.6 420 0.72 Conventional machine learning methods 90.1 7.3 9.4 360 0.78 Method of the present invention 91.8 5.9 4.7 210 0.88

[0159] As shown in Table 1, the rule-based traditional method achieves an anomaly detection accuracy of only 86.4%, with both false positive and false negative rates remaining high. In environments where network behavior changes frequently, it is easily affected by short-term traffic fluctuations, leading to unstable anomaly identification. Conventional machine learning methods improve accuracy, but due to a lack of characterization of event temporal triggering relationships, their false negative rate remains high, and their ability to identify complex anomalies across time and event types is limited.

[0160] In comparison, the anomaly detection accuracy of the method of this invention is improved to 91.8%, the false positive rate is reduced to 5.9%, and the false negative rate is controlled within 4.7%, indicating that the system has a stronger anomaly judgment capability under complex network operating conditions. This improvement mainly comes from the introduction of an improved neural Hawkes process, which models the temporal triggering relationship between network security events, enabling the cumulative effect of abnormal behavior over time to be continuously captured.

[0161] Regarding detection latency, the average detection latency of the method in this invention is significantly lower than that of the comparative methods, indicating that the event trigger intensity variation characteristics can directly support anomaly judgment, avoiding the additional computational overhead caused by high-dimensional feature reconstruction. Meanwhile, the improved stability score in complex scenarios demonstrates that, through security semantic constraints and cross-excitation modeling, the system can maintain stable monitoring performance even when facing concurrent multi-source network security events.

[0162] The above description is only a preferred embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any equivalent substitutions or modifications made by those skilled in the art within the scope of the technology disclosed in the present invention, based on the technical solution and inventive concept of the present invention, should be covered within the scope of protection of the present invention.

Claims

1. A network security monitoring system based on machine learning, characterized in that, Includes the following steps: The data acquisition module is used to collect network operation data and record timestamps; The network security event construction module is used to map network operation data into network security events and form a network security event sequence; The network security incident classification module is used to generate multiple types of network security incident sub-sequences according to the incident type identifier; The security trigger strength modeling module is used to model the temporal triggering relationship between network security events based on an improved neural Hawkes process, and generate event trigger strength. The security semantic constraint module is used to apply security semantic constraints to the calculation process of event trigger strength and generate a security-constrained event trigger strength sequence. The cross-triggering modeling module is used to model the cross-triggering relationships between different types of cybersecurity events and generate event triggering intensity evolution results. The time evolution analysis module is used to generate event trigger intensity change characteristics; The monitoring result output module is used to output abnormal indication information or network security status judgment results to realize network security monitoring.

2. The machine learning-based network security monitoring system according to claim 1, characterized in that, The modules are connected in the following way: Collect network operation data generated during network operation; The network operation data is cleaned, time aligned, and behavior parsed to map the network operation data into network security events with event type identifiers and occurrence time identifiers, and arranged in chronological order to form a network security event sequence. Based on the event type identifier of network security events, network security event sequences are classified and organized to generate subsequences of multiple types of network security events; By inputting a sequence of cybersecurity events into an improved neural Hawkes process, the occurrence time of cybersecurity events and the temporal triggering relationship between cybersecurity events are modeled to generate event triggering intensity. A safety semantic constraint is introduced into the improved neural Hawkes process to limit the calculation process of event trigger strength and generate a safety-constrained event trigger strength sequence. Based on subsequences of multiple types of network security events, the cross-triggering relationship between different types of network security events is modeled to generate event triggering intensity evolution results; Perform time evolution analysis on the event trigger intensity sequence and the event trigger intensity evolution results after safety constraints to generate event trigger intensity change characteristics; Based on the characteristics of changes in the intensity of event triggering, anomaly indication information or network security status determination results are generated and output to achieve network security monitoring.

3. The machine learning-based network security monitoring system according to claim 2, characterized in that, The network operation data collected during network operation includes network traffic data, access behavior data, authentication behavior data, and security policy hit data, and a corresponding timestamp is recorded for each of the network operation data.

4. The network security monitoring system based on machine learning according to claim 2, characterized in that, The formation of the network security event sequence includes: The collected network operation data is cleaned to obtain cleaned network operation data. Perform time alignment processing on the cleaned network operation data to generate network operation data arranged according to a unified time index; Based on network operation data arranged by a unified time index, perform behavior parsing processing to generate behavior parsing results that correspond one-to-one with the network operation data. Based on the behavioral analysis results, event mapping processing is performed on the network operation data to generate network security events with event type identifiers and occurrence time identifiers; Cybersecurity events are arranged in chronological order of their occurrence to form a cybersecurity event sequence.

5. A machine learning-based network security monitoring system according to claim 2, characterized in that, The generation of the multi-type network security event sub-sequences includes: Read the network security event sequence and obtain the event type identifier and occurrence time identifier corresponding to each network security event in the sequence; Based on the event type identifier contained in the network security event sequence, a one-to-one correspondence between the event type identifier and the multi-type network security event sub-sequence is established, and a corresponding multi-type network security event sub-sequence is generated for each event type identifier. Traverse the network security event sequence, and for each network security event, determine the corresponding multi-type network security event subsequence based on its event type identifier, and write the network security event into the corresponding multi-type network security event subsequence; The network security events within each multi-type network security event subsequence are arranged in chronological order according to their occurrence time identifiers, generating a multi-type network security event subsequence arranged in chronological order according to their occurrence time identifiers.

6. A machine learning-based network security monitoring system according to claim 2, characterized in that, The generation of the event trigger strength includes: The improvement of the neural Hawkes process is as follows: security semantic constraints are introduced into the calculation process of event trigger intensity, and a correspondence is established between the event type identifier and the value of the security semantic constraint to limit the calculation process of event trigger intensity. At the same time, a cross-excitation modeling mechanism between multiple types of network security events is introduced to jointly model the network security event subsequences corresponding to different event types, characterize the collaborative triggering relationship of multiple types of network security events in the time dimension, and generate the event trigger intensity evolution result. Read the network security event sequence and obtain the event type identifier and occurrence time identifier corresponding to each network security event in the sequence; The sequence of network security events is sorted according to the occurrence time identifier to form a time-ordered sequence of network security events arranged in chronological order of occurrence time identifier, and the event type identifier is converted into an event type input representation; In the improved neural Hawkes process, for the current network security event in a time-ordered network security event sequence, the set of historical network security events preceding its occurrence time marker is determined, and a time interval sequence is generated based on the time difference between the occurrence time markers of each network security event in the historical network security event set and the occurrence time marker of the current network security event. Based on the event type input representation and time interval sequence, the temporal triggering relationship between network security events is modeled in the improved neural Hawkes process, and the baseline triggering contribution and historical triggering contribution corresponding to the current network security event are calculated. Based on baseline and historical trigger contributions, generate event trigger strength corresponding to the current cybersecurity event; The event trigger strength generation process is executed sequentially for each network security event in the time-ordered network security event sequence, and the generated event trigger strengths are arranged in chronological order according to their occurrence time identifiers to form the event trigger strengths.

7. A machine learning-based network security monitoring system according to claim 2, characterized in that, The generation of the event triggering strength sequence after the security constraints includes: In the improved neural Hawkes process, for each network security event, the event type identifier, occurrence time identifier, and event trigger strength generated by the baseline trigger contribution and historical trigger contribution are obtained. The security semantic constraint values ​​corresponding to the network security event are determined based on the event type identifier; The calculation process for event trigger strength is constrained to obtain the event trigger strength after safety constraints; Perform interval limiting processing on the event trigger strength after safety constraints to obtain the interval-limited event trigger strength after safety constraints; The event trigger strengths after the interval is defined are arranged according to the order of their occurrence time identifiers to form a sequence of event trigger strengths after the safety constraints are defined.

8. A machine learning-based network security monitoring system according to claim 2, characterized in that, The generation of the event trigger intensity evolution result includes: Read subsequences of multiple types of network security events and obtain the event type identifier and occurrence time identifier corresponding to each network security event in each subsequence; Based on subsequences of multiple types of network security events, cross-trigger relationships are established for different event type identifiers; For the target event type identifier, locate the source event type identifier that is different from the target event type identifier, and locate the multi-type network security event sub-sequences corresponding to the source event type identifier and the multi-type network security event sub-sequences corresponding to the target event type identifier respectively; Based on the multi-type network security event sub-sequences corresponding to the source event type identifier and the multi-type network security event sub-sequences corresponding to the target event type identifier, a cross time interval sequence is generated; The cross-excitation contribution is calculated based on the cross-excitation time interval sequence and the cross-excitation relationship; Based on cross-excitation contributions, the evolution of the event trigger intensity corresponding to the target event type identifier in the time dimension is modeled, and the event trigger intensity evolution results are generated by arranging them in the order of occurrence time identifiers.

9. A machine learning-based network security monitoring system according to claim 2, characterized in that, The generation of the event trigger intensity change characteristics includes: Read the event trigger strength sequence and event trigger strength evolution result after the safety constraint, and perform time alignment processing on the event trigger strength sequence and event trigger strength evolution result after the occurrence time identifier according to the occurrence time identifier to generate an aligned strength sequence arranged in order of occurrence time identifier; Set a preset analysis time window on the alignment intensity sequence, and divide the alignment intensity sequence according to the preset analysis time window to generate multiple continuous time windows; For each time window, the intensity increment is calculated based on the intensity values ​​arranged by occurrence time within that time window. For each time window, the intensity change rate is calculated based on the intensity increment value and the corresponding occurrence time identifier difference. For each time window, the intensity fluctuation value is calculated based on the intensity value within that time window; Arrange the intensity increment, intensity change rate, and intensity fluctuation values ​​corresponding to each time window in chronological order of occurrence time to generate event-triggered intensity change characteristics.

10. A machine learning-based network security monitoring system according to claim 2, characterized in that, The output anomaly indication information or network security status determination result includes: Read the event trigger intensity change characteristics and obtain the occurrence time identifier corresponding to the event trigger intensity change characteristics; Calculate the anomaly detection threshold based on the characteristics of event trigger intensity changes; The event trigger intensity change characteristics and anomaly judgment thresholds are compared item by item according to the occurrence time identifier, and anomaly indication identifiers corresponding one-to-one with the occurrence time identifiers are generated based on the comparison results. The anomaly indication markers are identified in consecutive segments according to the order of their occurrence time markers to generate anomaly occurrence time segments; Anomaly indication information is generated based on anomaly indicator identifiers and anomaly occurrence time segments; Generate network security status assessment results based on anomaly indicators; Output anomaly indication information or network security status assessment results.