An abnormal traffic analysis device based on a knowledge graph
By preprocessing the raw instruction data stream and embedding cross-architecture semantics, an instruction association graph is constructed and consistency is measured. This solves the accuracy problem of abnormal traffic analysis in heterogeneous execution environments in existing technologies, and enables accurate identification and rapid handling of abnormal traffic.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- STATE GRID HENAN INFORMATION & TELECOMM CO
- Filing Date
- 2026-04-07
- Publication Date
- 2026-06-09
AI Technical Summary
Existing abnormal traffic analysis devices struggle to accurately characterize the execution logic and business semantics behind traffic in heterogeneous execution environments. They are prone to confusing normal architectural differences with real anomalies and lack attention to security-sensitive nodes and temporal causal relationships, leading to misjudgments and omissions.
By preprocessing the intercepted raw instruction data stream, extracting the instruction execution trajectory and performing cross-architecture semantic embedding and vectorization mapping, an instruction association graph is constructed. Combining functional labels and temporal relationships, consistency measurement and trust assessment are performed to generate anomaly trust scores, ultimately driving policy decisions.
It achieves a unified characterization of semantic differences across architectures, accurately identifies minor tampering and time-reversal behaviors of key nodes, supports reliable assessment and rapid linkage handling, and improves the accuracy and efficiency of abnormal traffic analysis.
Smart Images

Figure CN122179224A_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of network security technology, and more specifically, to an anomaly traffic analysis device based on knowledge graphs. Background Technology
[0002] With the continuous implementation of smart IoT networks, cloud-edge-device collaboration, and zero-trust architecture, power terminals, edge nodes, and application resources are exhibiting characteristics of massive access, heterogeneous parallelism, and continuous interaction. Abnormal traffic is no longer limited to sudden anomalies at the traditional message level, but increasingly manifests as deeper behavioral anomalies such as hijacking of execution logic, tampering of access links, and continuous drift of trust states. Especially in mimicry defense scenarios, the same business request is often processed in parallel by multiple heterogeneous executors. If individual executors suffer from code injection, memory hijacking, or authentication chain bypass attacks, the anomaly will directly affect dynamic authorization and access control decisions. Therefore, it is necessary to build a knowledge graph-based abnormal traffic analysis device that can characterize traffic from the levels of instruction semantics, control flow relationships, and behavioral correlations to support the continuous identification and trust quantification of abnormal behavior.
[0003] Most existing abnormal traffic analysis devices still rely primarily on comparisons of message characteristics, protocol fields, statistical thresholds, or baseline behavior. While some solutions incorporate graph models, they often remain at the session relationship or global topology level. In scenarios involving parallel processing of mimicking heterogeneous execution entities, it is generally difficult to eliminate the inherent differences caused by different instruction architectures, compilation optimizations, and runtime environments, leading to confusion between normal architectural differences and actual attack deviations. Furthermore, existing global unified graph matching methods typically treat all nodes equally, lacking enhanced characterization of the integrity of critical paths such as security-sensitive instructions, temporal causal constraints, and authentication chains. This makes it easy for small-scale targeted tampering of authentication nodes, permission check nodes, or critical control flows to be masked by the average effect of a large number of normal nodes, resulting in misjudgments and missed judgments. This makes it difficult to meet the needs for accurate analysis and rapid handling of abnormal traffic under zero-trust dynamic authorization.
[0004] Therefore, an optimized abnormal flow analysis device is desired. Summary of the Invention
[0005] To address the aforementioned technical problems, this application is proposed. Embodiments of this application provide a knowledge graph-based abnormal traffic analysis device, comprising: The preprocessing module is used to preprocess the intercepted raw instruction data stream to obtain the instruction execution trajectory; The semantic mapping module is used to perform cross-architecture instruction semantic embedding and vectorization mapping on instruction execution trajectories to obtain semantic fingerprint vector groups; The graph construction module is used to take each vector in the semantic fingerprint vector group as a graph node and inject its original instruction's functional label. Based on the jump address and timing relationship between instructions, directed connections are established between nodes to obtain the instruction association graph. The consistency measurement module is used to perform isomorphic consistency measurement on multiple instruction association graphs generated in parallel from different architecture executors to obtain an architecture similarity matrix. The trust assessment module is used to perform dynamic trust assessment and abnormal behavior quantification on the architecture similarity matrix based on the logical behavior baseline stored in the system and the weight factors of the current network environment to obtain an abnormal trust score. The strategy decision module is used to input the abnormal trust score into the strategy decision point. The strategy decision point determines whether the abnormal trust score is lower than the security threshold according to the preset zero-trust dynamic authorization rules. When it is determined to be lower than the security threshold, it issues a mimicry reset command to clean up and take down the damaged executor and outputs the access control decision to the security gateway for execution.
[0006] Compared with existing technologies, this application provides an abnormal traffic analysis device based on a knowledge graph. This solution extracts instruction execution trajectories that accurately represent the execution logic by performing context labeling, redundancy removal, and trajectory reconstruction on the intercepted raw instruction data stream. Then, it maps instructions from different architectures to semantic fingerprint vectors in a unified semantic space, and constructs an instruction association graph by combining function tags, jump addresses, and timing relationships. This graph represents the business logic and control path behind the traffic. Subsequently, it aligns and compares the graphs output by multiple executors, introducing security sensitivity layering, temporal causal constraints, and critical path deviation quantification mechanisms to obtain architecture similarity results that better reflect the actual logical deviation. It then generates an abnormal trust score by combining logical behavior baselines and environmental risks, ultimately driving policy decision points to output access control, session termination, and executor cleanup instructions. This achieves a unified characterization of cross-architecture semantic differences, accurate identification of minor tampering and timing reversal behaviors at key nodes, and reliable assessment and rapid coordinated handling of abnormal traffic. Attached Figure Description
[0007] The above and other objects, features, and advantages of this application will become more apparent from the more detailed description of the embodiments of this application in conjunction with the accompanying drawings. The drawings are provided to further illustrate the embodiments of this application and form part of the specification. They are used together with the embodiments of this application to explain this application and do not constitute a limitation thereof. In the drawings, the same reference numerals generally represent the same components or steps.
[0008] Figure 1 This is a system block diagram of a knowledge graph-based abnormal traffic analysis device according to an embodiment of this application; Figure 2This is a schematic diagram of data flow in a knowledge graph-based abnormal traffic analysis device according to an embodiment of this application; Figure 3 This is a block diagram of a knowledge graph-based abnormal traffic analysis device according to an embodiment of this application; Figure 4 This is a block diagram of a consistency measurement module in a knowledge graph-based abnormal traffic analysis device according to an embodiment of this application; Figure 5 This is a block diagram of a deviation measurement unit in a knowledge graph-based abnormal traffic analysis device according to an embodiment of this application; Figure 6 This is a block diagram of a strategy decision module in a knowledge graph-based abnormal traffic analysis device according to an embodiment of this application. Detailed Implementation
[0009] Hereinafter, exemplary embodiments according to this application will be described in detail with reference to the accompanying drawings. Obviously, the described embodiments are merely some embodiments of this application, and not all embodiments of this application. It should be understood that this application is not limited to the exemplary embodiments described herein.
[0010] As indicated in this application and claims, unless the context clearly indicates otherwise, the words "a," "an," "an," and / or "the" are not specifically singular and may include plural forms. Generally speaking, the terms "comprising" and "including" only indicate the inclusion of explicitly identified steps and elements, which do not constitute an exclusive list, and the method or apparatus may also include other steps or elements.
[0011] While this application makes various references to certain modules of the systems according to embodiments of this application, any number of different modules can be used and run on user terminals and / or servers. The modules described are merely illustrative, and different aspects of the systems and methods may use different modules.
[0012] Flowcharts are used in this application to illustrate the operations performed by the system according to embodiments of this application. It should be understood that the preceding or following operations are not necessarily performed in exact order. Instead, various steps can be processed in reverse order or simultaneously as needed. Furthermore, other operations can be added to these processes, or one or more steps can be removed from them.
[0013] Currently, most existing abnormal traffic analysis technologies focus on packet characteristics, protocol fields, or statistical behavior, making it difficult to accurately characterize the execution logic and business semantics behind the traffic. Furthermore, in heterogeneous execution environments, they can easily confuse normal architectural differences with genuine anomalies. At the same time, existing solutions do not pay sufficient attention to security-sensitive nodes, temporal causal relationships, and the integrity of critical paths, making it difficult to detect targeted tampering of critical locations such as the authentication chain and authorization chain in a timely manner. Therefore, this application proposes an abnormal traffic analysis device based on a knowledge graph. The system first preprocesses the intercepted raw instruction data stream, extracting instruction execution trajectories that reflect the actual execution process. Then, it performs cross-architecture semantic embedding and vectorization mapping on these trajectories, unifying instructions from different architectures into comparable semantic fingerprint vectors. It then constructs an instruction association graph by combining functional tags, jump relationships, and temporal relationships, representing the business logic behind the traffic in a graph-based manner. Subsequently, it measures the consistency of instruction association graphs generated by multiple executors, introducing node security weights, temporal causal constraints, and critical path deviation optimization to quantitatively analyze logical offsets between graphs, obtaining architecture similarity results. Further, it combines logical behavior baselines and current network environment factors to dynamically assess the degree of anomaly, generating an anomaly trust score. Finally, it outputs access control decisions based on zero-trust dynamic authorization rules, and cleans up and takes down damaged executors when necessary, thereby achieving accurate identification and coordinated protection against abnormal traffic.
[0014] Figure 1 This is a system block diagram of an abnormal traffic analysis device based on a knowledge graph, according to an embodiment of this application. Figure 2 This is a schematic diagram of data flow in a knowledge graph-based anomaly traffic analysis device according to an embodiment of this application. Figure 1 and Figure 2As shown, an abnormal traffic analysis device 100 based on a knowledge graph according to an embodiment of this application includes: a preprocessing module 110, used to preprocess the intercepted original instruction data stream to obtain the instruction execution trajectory; a semantic mapping module 120, used to perform cross-architecture instruction semantic embedding and vectorization mapping on the instruction execution trajectory to obtain a semantic fingerprint vector group; a graph construction module 130, used to take each vector in the semantic fingerprint vector group as a graph node and inject its original instruction's functional label, and establish directed connections between nodes based on the jump addresses and timing relationships between instructions to obtain an instruction association graph; and a consistency measurement module 140, used to measure the traffic from different architectures. Multiple instruction association graphs generated in parallel are subjected to isomorphic consistency measurement to obtain an architecture similarity matrix; the trust assessment module 150 is used to perform dynamic trust assessment and abnormal behavior quantification on the architecture similarity matrix based on the logical behavior baseline stored in the system and the weight factors of the current network environment to obtain an abnormal trust score; the policy decision module 160 is used to input the abnormal trust score into the policy decision point, wherein the policy decision point determines whether the abnormal trust score is lower than the security threshold according to the preset zero-trust dynamic authorization rules, and when it is determined to be lower than the security threshold, it issues a mimicry reset command to clean up and take down the damaged execution entity and outputs an access control decision to the security gateway for execution.
[0015] In the aforementioned knowledge graph-based abnormal traffic analysis device 100, the preprocessing module 110 is used to preprocess the intercepted original instruction data stream to obtain the instruction execution trajectory. It should be noted that abnormal traffic in smart IoT networks not only manifests as changes in message fields, but also as abnormal authentication call order, control flow jump offsets, and replacement of resource access instructions. If subsequent semantic analysis is performed directly on the intercepted original instruction data stream, discrete instructions lack execution context, and redundant content such as no-operations and stack balancing instructions will interfere with anomaly determination. Therefore, the technical solution of this application first performs context marking, redundancy cleaning, and trajectory reconstruction processing on the intercepted original instruction data stream to obtain the instruction execution trajectory corresponding to the actual execution process. Through the above processing, control flow changes and resource access behaviors related to abnormal traffic can be effectively preserved, thereby effectively improving the accuracy of subsequent cross-architecture semantic mapping, instruction association graph construction, and anomaly trust assessment.
[0016] More specifically, in a specific example of this application, the process of preprocessing the intercepted raw instruction data stream to obtain the instruction execution trajectory is implemented sequentially in the order of context marking, dynamic cleaning, and trajectory reconstruction. First, a correspondence is established between the raw instructions and the execution time and execution subject. Then, redundant instructions that do not participate in anomaly identification are removed from the data stream. Finally, an ordered instruction sequence is formed according to the actual execution order, thereby providing basic data for the subsequent graphical representation of the business logic behind the abnormal traffic. The implementation method of the context marking unit is as follows: a kernel probe is deployed on the kernel path that processes network packets to intercept each instruction code in the raw instruction data stream and simultaneously extract the physical timestamp and process identifier corresponding to the instruction. The instruction code, physical timestamp, and process identifier are bound to form a context instruction data stream, wherein the first... Each context instruction element is represented as ,in, Indicates the first Each context instruction element Indicates the first Original instruction code, This represents the physical timestamp corresponding to the instruction. This indicates the process identifier that triggered the execution of the instruction. Through this processing, the original instruction data stream is transformed into a context instruction data stream with timing and execution subject attributes, which can then be used to identify whether the abnormal access occurred before the authentication check and which execution subject triggered the abnormal call.
[0017] For the dynamic cleanup phase, each instruction in the context data stream is subjected to feature discrimination to identify whether it causes a control flow jump, triggers a system call, or belongs to a no-operation or stack balancing instruction. Based on the discrimination results, the instruction retention weight is calculated, and the weight calculation formula is as follows: in, Indicates the first The retention weight of each context instruction element, This represents the characteristic function of control flow variation; it takes a value of one when there is branching or jumping behavior, and a value of zero otherwise. This represents a system call characteristic function; it takes a value of one when a system call occurs, and a value of zero otherwise. The redundancy characteristic function takes a value of one when identified as a no-operation or stack-balancing instruction, and a value of zero otherwise. , , These represent the control flow feature weights, system call feature weights, and redundancy penalty weights, respectively. Then, based on preset thresholds, instruction elements with weights below the threshold are filtered out, retaining only the core instructions related to permission checks, resource access, and abnormal redirects, resulting in a core instruction set. Through this process, redundant noise is compressed, and the data entering subsequent processing focuses on the key behaviors required for abnormal traffic identification.
[0018] For the trajectory reconstruction process, the core instruction set is sorted in ascending order according to physical timestamps, and the auxiliary context fields used only for preprocessing are removed. The instruction code sequence arranged in order of execution is retained to obtain the instruction execution trajectory. This process is represented as follows: In the formula, Indicates the instruction execution trajectory. Represents the core instruction set. This indicates an operation that sorts the data according to its physical timestamp. This represents a serialization extraction operation used to remove auxiliary context fields and output an ordered sequence of instruction codes. Through this process, discrete core instructions are reconstructed into continuous, comparable execution trajectories, facilitating subsequent cross-architecture semantic embedding, control relationship modeling, and consistency analysis of abnormal traffic.
[0019] In the aforementioned knowledge graph-based anomaly traffic analysis device 100, the semantic mapping module 120 is used to perform cross-architecture instruction semantic embedding and vectorization mapping on the instruction execution trajectory to obtain a semantic fingerprint vector group. It should be noted that since heterogeneous executors use different instruction sets, register representations, and compilation results when processing the same business request, directly comparing anomalies based on instruction execution trajectories can easily misjudge architectural differences as anomaly offsets. Therefore, the technical solution of this application further performs cross-architecture instruction semantic embedding and vectorization mapping on the instruction execution trajectory to form a unified and comparable semantic fingerprint vector group. Through the above processing, the interference of underlying instruction representation differences on anomaly analysis can be effectively reduced, thereby effectively supporting subsequent instruction association graph construction and cross-executor consistency measurement.
[0020] More specifically, in a concrete example of this application, the process of cross-architecture instruction semantic embedding and vectorization mapping of the instruction execution trajectory involves first performing lexical analysis and symbol encoding on the disassembled instruction sequence, then projecting the encoding result onto a unified cross-architecture semantic space, followed by nonlinear compression and fingerprint refinement of the projected semantic tensor, ultimately obtaining a semantic fingerprint vector group. Through this processing, the instruction trajectory, which originally only had architecture dependencies, is transformed into a vector sequence with unified semantic expression capabilities, facilitating consistent analysis of IoT terminal access behavior, authentication call behavior, and resource access paths. During the lexical analysis and symbol encoding process, each disassembled instruction in the instruction execution trajectory is split, and the opcode and operand segments are extracted separately. Based on a preset instruction dictionary, the extracted fields are mapped to discrete numerical identifiers, and then combined according to the original execution order to form an encoded instruction sequence. The corresponding encoding formula is: in, Indicates the first The encoding vector corresponding to each instruction, This indicates a symbolic mapping operation used to convert opcodes or operands into numerical indices in a predefined dictionary. Indicates the first The opcode of the instruction. Indicates the first Operands of an instruction This indicates a cascading combination operation. Through this process, the original text instructions from different architectures are transformed into a structurally unified encoded representation, providing standard input for subsequent semantic projection. During the linear projection across the semantic space, the aforementioned encoded instruction sequence is input into shared semantic mapping parameters, and the encoded vectors of each instruction undergo a linear transformation, enabling semantically equivalent instructions from different architectures to obtain similar representations in a unified semantic space. The corresponding projection calculation method is as follows: in, Indicates the first The original semantic embedding results corresponding to each instruction Represents the cross-architecture semantic projection matrix. Indicates the first The encoding vector of the instruction, This represents the bias vector. Through this processing, instruction codes from different processor architectures are pulled into the same semantic space, allowing subsequent identification of whether business logic is consistent, no longer relying on the similarity of underlying machine instruction forms. In the semantic fingerprint refinement process, nonlinear mappings are applied to the features of each dimension in the original semantic embedding result to compress abnormal discrete values and retain stable semantic components, thereby outputting a set of semantic fingerprint vectors. The corresponding refinement formula is: in, Indicates the first The semantic fingerprint vector corresponding to each instruction. Indicates the first The original semantic embedding results corresponding to each instruction This represents the natural constant. Through this process, the projected semantic tensor is constrained within a stable interval, and fluctuations caused by compilation optimization, register allocation differences, and local noise are compressed, ultimately yielding a set of semantic fingerprint vectors that can be directly used for graph node construction.
[0021] In the aforementioned knowledge graph-based abnormal traffic analysis device 100, the graph construction module 130 is used to take each vector in the semantic fingerprint vector group as a graph node and inject its original instruction's functional label. Directed connections are established between nodes based on the jump addresses and temporal relationships between instructions to obtain an instruction association graph. It should be noted that, given that abnormal traffic in smart IoT networks and cloud-edge-device collaborative scenarios often corresponds to abnormal changes in authentication calls, resource access, control transfers, and business interaction links, simply relying on vector-level features is still insufficient to reflect the dependencies, jump relationships, and overall structure at the business semantic level between instructions, and it is also difficult to form a full-link understanding of the traffic and interaction relationships of complex cloud applications. Based on this, the technical solution of this application further takes each vector in the semantic fingerprint vector group as a graph node and injects its original instruction's functional label. Directed connections are established between nodes based on the jump addresses and temporal relationships between instructions to obtain an instruction association graph, thereby organizing the discrete instruction semantic features into a graph-based structure that can represent execution logic, access paths, and interaction topologies. Through the above processing, abnormal traffic analysis can be upgraded from isolated feature comparison to structured analysis oriented towards business logic association and control path evolution, thereby effectively characterizing the differences between normal execution links and abnormal execution links, and providing a reliable basis for subsequent graph consistency measurement, dynamic trust assessment and access control decisions.
[0022] Figure 3 This is a block diagram of the graph construction module in a knowledge graph-based abnormal traffic analysis device according to an embodiment of this application. Figure 3 As shown, the graph construction module 130 includes: an attribute encapsulation unit 131, used to encapsulate the node feature attributes of each instruction semantic vector and its corresponding instruction function classification attribute in the semantic fingerprint vector group to obtain an attributed node set; an edge mapping unit 132, used to perform dynamic control flow edge mapping on the attributed node set to obtain a basic topology graph; and a weight evaluation unit 133, used to perform adaptive evaluation of the topology edge weights on the basic topology graph to obtain an instruction association graph.
[0023] In the aforementioned knowledge graph-based abnormal traffic analysis device 100, the attribute encapsulation unit 131 is used to encapsulate the semantic vector of each instruction and its corresponding instruction function classification attribute in the semantic fingerprint vector group by performing node feature attribute encapsulation to obtain an attributed node set. It should be noted that since the semantic fingerprint vector only reflects the numerical characteristics of the instruction in a unified semantic space, it cannot directly distinguish the functional roles of permission verification, system call, sensitive resource access triggering instructions, and general arithmetic processing instructions. If graph nodes are directly constructed based on this, the key positions in the authentication chain, authorization chain, and access chain are difficult to accurately identify. Therefore, the technical solution of this application further encapsulates the semantic vector of each instruction and its corresponding instruction function classification attribute in the semantic fingerprint vector group by performing node feature attribute encapsulation to obtain an attributed node set. Through the above processing, cross-architecture semantic information and original instruction function information can be jointly written into the node features, thereby effectively improving the accuracy of subsequent jump relationship modeling, critical path identification, and graph consistency measurement.
[0024] More specifically, in a specific example of this application, the semantic fingerprint vector group is first read item by item, and based on the corresponding disassembly results, opcode types, and preset instruction classification rules, a corresponding functional classification attribute is matched for each instruction semantic vector, so that each vector has a clear functional identifier while retaining semantic expression. The functional classification attribute covers instruction categories related to abnormal traffic identification, such as control transfer, memory access processing, arithmetic operations, system calls, and permission verification. Subsequently, the functional classification attribute is mapped to a fixed-dimensional label encoding and concatenated with the corresponding instruction semantic vector to form a node feature with metadata tags. The node feature attribute encapsulation formula is as follows: in, Indicates the first Individual attributed node features, Indicates the first Each instruction semantic vector Indicates the first The functional classification attribute code corresponding to each instruction This indicates a cascading concatenation operation. After all node features are encapsulated, the features of each node are aggregated according to the original instruction index order to form an attributed node set. This allows the subsequent establishment of directed connections to not only reflect the sequential execution relationship and jump relationship between instructions, but also to distinguish the different roles of authentication check nodes, resource access nodes, and ordinary processing nodes in the business logic.
[0025] In the aforementioned knowledge graph-based abnormal traffic analysis device 100, the edge mapping unit 132 is used to perform dynamic control flow edge mapping on the attributed node set to obtain a basic topology graph. It should be noted that since the attributed node set only provides the semantic features and functional attributes of each instruction node, and has not yet established the execution sequence, jump relationships, and access path relationships between nodes, it cannot directly reflect the propagation links of authentication verification, resource access, and control transfer in abnormal traffic. Based on this, the technical solution of this application further performs dynamic control flow edge mapping on the attributed node set to obtain a basic topology graph. Through the above processing, discrete nodes can be organized into a directed topology structure with temporal causality and control dependency, thereby effectively supporting subsequent critical path identification, graph consistency measurement, and abnormal behavior determination.
[0026] More specifically, in a concrete example of this application, the nodes in the attributed node set are first read in relation to each other according to the original instruction index, jump target address, and execution time order. The disassembly results are then used to identify whether there are sequential execution relationships or explicit jump relationships between the nodes. Sequential execution relationships represent that after the previous instruction completes, the next instruction continues execution according to a predetermined flow. Explicit jump relationships represent control flow transfer behaviors such as conditional branches, unconditional jumps, and function call returns. After identifying the relationships, node pairs that can form control dependencies are established as directed edges, and the edge directions are recorded according to the source node pointing to the target node. This preserves the control flow relationships from permission verification nodes to resource access nodes, from condition judgment nodes to branch processing nodes, and from function call nodes to the entry node of the called process. Subsequently, all node relationships are written into the adjacency matrix to obtain a basic topology graph. This topology graph reflects the main flow and branch paths in the execution chain and provides a structural basis for subsequent identification of abnormal jump insertions, authentication pre-relationship corruption, and access chain offsets. During the process of writing relationships into the adjacency matrix, the dynamic control flow edge mapping formula is: in, The basic topology diagram represents nodes. Pointing to node The adjacency matrix elements, This is an indicator function that takes the value of 1 when a given condition is true and 0 when the condition is false. Represents a node With nodes The result of the determination that there is a sequential execution relationship. Represents a node With nodes The result of the determination that there is an explicit jump relationship. This represents a logical OR operation. According to this calculation method, as long as two nodes satisfy either a sequential execution relationship or an explicit jump relationship, a directed connection is established at the corresponding position; otherwise, they remain disconnected. The resulting basic topology diagram retains both the continuous call path in cloud-edge-device business processing and the branch jump structure required for abnormal traffic analysis.
[0027] In the aforementioned knowledge graph-based abnormal traffic analysis device 100, the weight evaluation unit 133 is used to perform adaptive evaluation of topological edge weights on the basic topology graph to obtain an instruction association graph. It should be noted that since the basic topology graph only represents whether there is a connectivity relationship between nodes, it cannot distinguish the semantic tightness of the directed edges in the authentication verification link, authorization link, and resource access link. If subsequent consistency measurements are performed directly using an unweighted graph, the differences in importance between different execution paths will be difficult to reflect. Based on this, the technical solution of this application further performs adaptive evaluation of topological edge weights on the basic topology graph to obtain an instruction association graph. Through the above processing, the control dependencies between nodes can be further quantified into comparable continuous value relationships, thereby effectively improving the targeting of subsequent graph comparison, critical path identification, and abnormal behavior judgment.
[0028] More specifically, in a concrete example of this application, the node feature information and adjacency information of the basic topology graph are first read. Directed edges with established connectivity are located one by one, and the source node feature vector and target node feature vector corresponding to each directed edge are extracted. Then, based on the similarity between the two endpoints in the unified semantic space, edge weights are calculated on the existing topological edges. This ensures that nodes with close connections in the control flow receive higher association strength, while nodes with only formal connectivity and weak semantic continuity receive lower association strength. This expands the original binary topological relationship into a weighted topological relationship. The calculation method for the topological edge weights is as follows: in, Represents a node Pointing to node edge weights, Represents a node Attributed feature vectors, Represents a node Attributed feature vectors, This represents the dot product of the eigenvectors of two nodes. and These represent the magnitudes of the corresponding eigenvectors. This represents a smoothing constant to prevent the denominator from being zero. This represents the adjacency matrix element in the basic topology graph, used to indicate nodes. With nodes Whether there are directed connections between them; after calculating the weights of all directed edges, the node set, adjacency matrix and edge weight matrix are uniformly encapsulated to obtain the instruction association graph. This graph not only preserves the temporal and jump relationships between instructions, but also further reflects the semantic association strength of different execution paths, providing a structured basis for subsequent analysis of the logical consistency of heterogeneous execution entities and dynamic trust assessment of abnormal traffic.
[0029] In the aforementioned knowledge graph-based abnormal traffic analysis device 100, the consistency measurement module 140 is used to perform isomorphic consistency measurement on multiple instruction association graphs generated in parallel from different architecture executors to obtain an architecture similarity matrix. It should be noted that, given that multiple heterogeneous executors in a mimicry defense architecture will process the same business request in parallel, different executors have inherent differences in instruction sets, compilation methods, and operating environments. Without a unified graph consistency measurement mechanism, it is difficult to determine whether the differences between graphs originate from normal heterogeneity or from abnormal logical offsets caused by tampering with the authentication chain, authorization chain, or resource access chain. Furthermore, it is difficult to provide a reliable basis for subsequent zero-trust dynamic authorization. Based on this, the technical solution of this application further performs isomorphic consistency measurement on multiple instruction association graphs generated in parallel from different architecture executors to obtain an architecture similarity matrix. By uniformly quantifying the semantic differences of nodes, topological differences, and the degree of deviation of key execution paths between graphs, a comparable consistency result between executors is formed. Through the above processing, the processing results of heterogeneous executors for the same traffic request can be transformed into quantifiable similarity relationships, thereby effectively identifying logical deviations caused by code injection, memory hijacking, abnormal jump insertion, and timing inversion, and providing basic data for subsequent dynamic trust assessment, abnormal behavior quantification, and access control decisions.
[0030] Figure 4 This is a block diagram of a consistency measurement module in a knowledge graph-based abnormal traffic analysis device according to an embodiment of this application. Figure 4 As shown, the consistency measurement module 140 includes: a graph receiving unit 141, used to receive a set of instruction association graphs output in parallel from multiple heterogeneous executors under the mimicry defense architecture; an alignment evaluation unit 142, used to perform heterogeneous graph alignment and node cost evaluation on the set of instruction association graphs to obtain heterogeneous graph matching pairs; a deviation measurement unit 143, used to perform structural topology deviation measurement on the heterogeneous graph matching pairs to obtain isomorphic deviation feature vectors; and an aggregation unit 144, used to perform global aggregation of similarity matrices on each distance deviation component in the isomorphic deviation feature vectors to obtain an architecture similarity matrix.
[0031] In the aforementioned knowledge graph-based abnormal traffic analysis device 100, the graph receiving unit 141 is used to receive a set of instruction association graphs output in parallel by multiple heterogeneous executors under a mimicry defense architecture. It should be noted that, since the same access request under a mimicry defense architecture is distributed to multiple heterogeneous executors for parallel processing, and the instruction association graphs generated by each executor are scattered across different execution channels and different running contexts, if unified reception and aggregation cannot be completed within the same request boundary, subsequent graph comparisons will lose their correspondence. Based on this, the technical solution of this application further receives a set of instruction association graphs output in parallel by multiple heterogeneous executors under a mimicry defense architecture. Through the above processing, it is possible to effectively ensure that the graphs participating in consistency measurement have consistent sources, consistent timing, and consistent tasks, thereby effectively providing basic input for subsequent heterogeneous graph alignment, deviation measurement, and similarity aggregation.
[0032] More specifically, in a concrete example of this application, the output results from different heterogeneous executors are first merged and received based on the session identifier, execution batch identifier, and time window corresponding to the same business request in the mimicry defense architecture, so that each instruction association graph is uniquely associated with the corresponding access request; then, the source verification and integrity verification of each received instruction association graph are performed to confirm that the graph contains node sets, adjacency relationships, and edge weight information, and the corresponding processor architecture type, runtime instance identifier, and generation sequence information are recorded according to the executor identifier, so that the same request is processed by different executors. The obtained graphs can be organized into a unified data set. After the aggregation is completed, each graph is numbered and sorted according to a preset order to form a set of instruction association graphs for the same abnormal traffic analysis task. The preset order is arranged according to the execution entity identifier or the graph generation time to ensure that each graph has a stable correspondence when pairing and consistency measurement are performed in the future. This avoids graphs generated by different requests, different batches or different time periods being mistakenly merged into the same analysis process, and ensures that the parallel output results of multiple execution entities in the mimicry execution environment can be used as the direct input for homogeneous consistency measurement.
[0033] In the aforementioned knowledge graph-based abnormal traffic analysis device 100, the alignment evaluation unit 142 is used to perform heterogeneous graph alignment and node cost evaluation on the instruction association graph set to obtain heterogeneous graph matching pairs. It should be noted that, since the same business request is processed in parallel by multiple heterogeneous executors under a mimicry defense architecture, the instruction association graphs formed by different executors differ in the number of nodes, node order, and local representation. If graph deviation calculation is performed directly without completing the corresponding node alignment, normal architecture differences and abnormal logic offsets will be mixed together. Based on this, the technical solution of this application further performs heterogeneous graph alignment and node cost evaluation on the instruction association graph set to obtain heterogeneous graph matching pairs. Through the above processing, a comparable relationship between graphs of different executors can be effectively established, thereby effectively providing a unified basis for subsequent structural topology deviation measurement and architecture similarity calculation.
[0034] More specifically, in a specific example of this application, the collected instruction association graph set is first paired according to the executable identifier corresponding to the same access request, so that each set of graphs to be compared originates from the parallel processing results of the same request on different heterogeneous executables. After the graph pairing is completed, the node features, edge connections, and graph identifier information in each graph are further extracted, and the nodes in each graph are standardized and organized according to the preset node index order to ensure that the node feature dimensions in different graphs are consistent, thereby forming the basic alignment data that can be used for subsequent cost calculation. In the heterogeneous graph alignment process, a pair of graphs to be compared are first denoted as Graph 1 and Graph 2, and then each node in Graph 1 is compared with each node in Graph 2 one by one. The comparison is based on the attributed node feature vector obtained in the previous steps, so that the alignment between nodes no longer depends on the underlying processor architecture, register representation, or specific instruction encoding, but is uniformly based on the semantic feature level. Subsequently, the matching cost is calculated for all node combinations, and the results are written into the node cost matrix to characterize the degree of difference between any pair of nodes in the two graphs. The node cost evaluation formula is: in, Indicates originating from the executor The first map Each node and from the execution body The second map The matching cost between nodes The first diagram in the diagram represents the... The attributed feature vectors of each node The second diagram represents the first... The attributed feature vectors of each node The Euclidean norm is used to measure the distance between two nodes in a unified semantic space. A smaller cost value indicates that the two nodes are closer in functional semantics and business roles, while a larger cost value indicates a more significant semantic deviation between the two nodes. After constructing the node cost matrix, Graph 1, Graph 2, and their corresponding node cost matrices are associated and encapsulated to obtain heterogeneous graph matching pairs. This allows subsequent processing to read both the topological relationships of the two graphs to be compared and the semantic matching costs at the node level. Therefore, in scenarios such as smart IoT terminal access control, authentication verification, and resource invocation, even if the local control flow expressions formed by different heterogeneous executors for the same business request are not completely consistent, alignment preparation can still be completed based on semantic similarity before proceeding to the subsequent topological deviation analysis process. This avoids directly misjudging normal heterogeneous differences as abnormal behavior.
[0035] In the aforementioned knowledge graph-based abnormal traffic analysis device 100, the deviation measurement unit 143 is used to measure the structural topology deviation of heterogeneous graph matching pairs to obtain homogeneous deviation feature vectors. It should be noted that, given that under a mimicry defense architecture, graphs generated by different heterogeneous actors for the same access request may still exhibit structural differences even when the overall business logic is consistent, and existing global average graph matching methods struggle to highlight local anomalies in security-critical subgraphs such as authentication chains, authorization chains, and encryption chains, especially failing to identify logical hijacking caused by the replacement of permission verification nodes, the reversal of resource access order, and the insertion of jump instructions into critical control paths, simply completing heterogeneous graph alignment and node cost evaluation is insufficient to support accurate judgment of abnormal traffic. Based on this, the technical solution of this application further measures the structural topology deviation of heterogeneous graph matching pairs to obtain homogeneous deviation feature vectors. By jointly quantifying the topological adjacency differences, node matching costs, and critical path deviations between graphs, and combining security sensitivity and temporal causality to constrain the deviation results, the processing results of different executors for the same business request are transformed into feature vectors that reflect the true degree of logical offset. Through the above processing, normal architectural differences can be distinguished from abnormal deviations caused by code injection, memory hijacking, authentication bypass, and control flow tampering, thereby effectively improving the reliability of subsequent architectural similarity aggregation, dynamic trust assessment, and zero-trust access control decisions.
[0036] Figure 5 This is a block diagram of a deviation measurement unit in a knowledge graph-based abnormal traffic analysis device according to an embodiment of this application. Figure 5As shown, the deviation measurement unit 143 includes: a weight determination subunit 1431, used to determine the node safety weight matrix based on the heterogeneous graph matching pair; a constraint extraction subunit 1432, used to extract the temporal causal constraint matrix from the heterogeneous graph matching pair; and a weighted deviation optimization subunit 1433, used to perform multi-objective weighted deviation optimization on the heterogeneous graph matching pair based on the temporal causal constraint matrix and the node safety weight matrix to obtain the isomorphic deviation feature vector.
[0037] In the aforementioned knowledge graph-based abnormal traffic analysis device 100, the weight determination subunit 1431 is used to determine the node security weight matrix based on heterogeneous graph matching pairs. It should be noted that, given the differences in security significance among nodes in a heterogeneous graph matching pair, if authentication verification nodes, system call nodes, critical control transfer nodes, and ordinary arithmetic nodes are given uniform weights for subsequent deviation calculations, local tampering in the critical path can easily be masked by normal fluctuations in general nodes. Therefore, the technical solution of this application further determines the node security weight matrix based on heterogeneous graph matching pairs. Through the above processing, key nodes in the authentication chain, authorization chain, and sensitive resource access chain can be effectively highlighted, thereby effectively improving the ability of subsequent structural topology deviation measurement to identify targeted tampering, logical hijacking, and abnormal jump behaviors.
[0038] More specifically, in a concrete example of this application, the original instruction type labels corresponding to each node are first extracted from the heterogeneous graph matching pairs, and the basic security weights are determined by combining them with a preset security sensitivity mapping relationship. In the power IoT scenario, instruction types include system call types, memory operation types, arithmetic operation types, control transfer types, etc., among which system call instructions are given higher weights because they directly cross the boundary between user mode and kernel mode, while ordinary arithmetic instructions are given a baseline weight. Subsequently, the topology centrality score of each node is calculated using the PageRank method based on the connection relationship in the control flow graph to reflect the pivotal position of the node in the authentication process, authorization process, and resource access process. Then, the basic security weights and topology centrality scores are nonlinearly fused, and the formula for calculating the comprehensive security weight of the node is as follows: in, Represents a node The overall security weight, Represents a node The basic security sensitivity weight is determined by the instruction type. Represents a node The topological centrality score; after completing the comprehensive security weight calculation of all nodes, the node security weight matrix is written in the order of node index, so that the permission check node, key system call node and important control transfer node located in the core position of the authentication process will get higher weight in the subsequent matching process, thereby realizing the differentiated representation of key nodes and avoiding the weakening of a small number of anomalies in the critical path by the global average effect. In a specific scenario, when an IoT terminal initiates a sensitive resource access request to the property management platform, the request processing sequentially goes through identity verification instructions, permission check instructions, resource location instructions, and data reading instructions. Different heterogeneous executors form corresponding instruction association graphs. If one of the executors is hijacked at the permission check position, causing the permission judgment instruction that should have been executed to be replaced by an abnormal jump instruction, then although the corresponding node at this position is only a minority in number, it receives a higher weight in the node security weight matrix because it belongs to the high-sensitivity instruction type and is on the critical path of the authentication chain and the authorization chain. When performing structural topology deviation measurement, the semantic deviation and path deviation of this node will be preferentially amplified and included in the isomorphic deviation feature vector. In contrast, even if there are slight fluctuations in general nodes located in the log recording branch or ordinary arithmetic processing path, they will not have the same impact on the overall deviation result. This allows us to distinguish between targeted tampering at the authentication core position and general execution disturbances.
[0039] In the aforementioned knowledge graph-based abnormal traffic analysis device 100, the constraint extraction subunit 1432 is used to extract a temporal causal constraint matrix from heterogeneous graph matching pairs. It should be noted that, given that heterogeneous graph matching pairs only provide node correspondences and node costs, they cannot express the inviolable sequential constraints during instruction execution. If temporal causal relationships such as write before read, authentication before access, and conditional branches before subsequent paths are ignored in subsequent deviation optimization, abnormal execution caused by causal inversion can easily be misjudged as normal heterogeneous differences. Based on this, the technical solution of this application further extracts a temporal causal constraint matrix from heterogeneous graph matching pairs. Through the above processing, the mandatory temporal rules in the authentication chain, authorization chain, and sensitive data processing chain can be effectively characterized, thereby effectively improving the ability of subsequent structural topology deviation measurement to identify control flow hijacking, code injection, and abnormal reordering behaviors.
[0040] More specifically, in a concrete example of this application, the directed edge set and the read-write relationship information, jump relationship information, and dominance relationship information between nodes are first extracted from the heterogeneous graph matching pairs. Then, node pairs with a mandatory sequential order are identified, and two types of causal relationships are distinguished: data dependency and control dependency. In the instruction execution flow, temporal dependencies mainly originate from two types of constraints: data dependency and control dependency. The former is reflected in the write-before-read, read-before-write, and write-before-write constraints in register or memory access, while the latter is reflected in the dominance constraint of conditional branch nodes on their subsequent basic blocks. After completing the causal relationship identification, node pairs that must precede the execution condition are written into the temporal causal constraint matrix, and corresponding penalty strength coefficients are assigned according to the causal relationship type. Considering the difference in severity between different types of causal relationships, a higher penalty strength coefficient is assigned to data dependency edges, because the inversion of data dependency will directly lead to program logic errors, while the reordering of general control flow may only affect execution efficiency in some cases. The elements of the temporal causal constraint matrix are calculated as follows: in, Represents the first digit in the temporal causality constraint matrix. Line number The elements of the column are used to represent the nodes. With nodes The temporal constraint strength between them This indicates an indicator function that takes the value 1 if the condition within the parentheses is true, and 0 otherwise. Represents a node To the node The criteria for determining the existence of a causal dependency are obtained through data flow analysis or control flow dominance analysis. Represents a node With nodes The penalty intensity coefficients corresponding to the causal relationship types between them are calculated. After all matrix elements are calculated, a temporal causal constraint matrix consistent with the node sequence of the heterogeneous graph matching pairs is formed, which serves as the constraint input for subsequent multi-objective weighted bias optimization. This matrix explicitly encodes the inviolable temporal rules in the instruction execution flow, thus enabling subsequent bias optimization to not only compare whether the structures are similar, but also to check whether the execution order has been violated.
[0041] For example, when an IoT terminal initiates a request to access sensitive resources, the request processing chain sequentially passes through processing nodes such as identity authentication, permission verification, key retrieval, data reading, and result feedback. If an attacker uses memory hijacking to insert a write operation for sensitive data or a resource access operation before the permission check operation, the causal relationship that should have been satisfied between the corresponding node pairs is reversed. During the constraint extraction process, the relationship that the permission check node precedes the resource access node and the key preparation node precedes the data processing node will be written into the temporal causal constraint matrix, and a higher penalty coefficient will be assigned to node pairs involving data dependencies. Thus, additional constraints will be imposed on such reversed behaviors during subsequent deviation optimization to avoid misjudging abnormal execution paths such as access before verification and use before preparation as normal execution paths.
[0042] In the aforementioned knowledge graph-based abnormal traffic analysis device 100, the weighted deviation optimization subunit 1433 is used to perform multi-objective weighted deviation optimization on heterogeneous graph matching pairs based on the temporal causal constraint matrix and the node security weight matrix to obtain a homogeneous deviation feature vector. It should be noted that, given that the semantic cost and topological differences of nodes in heterogeneous graph matching pairs can only reflect general structural shifts, they are insufficient to distinguish between ordinary node disturbances and targeted tampering on critical paths such as authentication chains, authorization chains, and encryption chains, and are also difficult to constrain non-reversible temporal logic such as authentication before access and preparation before invocation. Based on this, the technical solution of this application further performs multi-objective weighted deviation optimization on heterogeneous graph matching pairs based on the temporal causal constraint matrix and the node security weight matrix to obtain a homogeneous deviation feature vector. Through the above processing, the impact of critical node anomalies and causal inversion anomalies on the overall deviation can be effectively amplified, thereby effectively improving the accuracy of identifying logic hijacking, code injection, and control flow tampering behaviors.
[0043] More specifically, in a concrete example of this application, the node security weight matrix and temporal causality constraint matrix obtained in the preceding steps are first received. Combined with the topological adjacency matrix and node semantic matching cost matrix in the heterogeneous graph matching pairs, a unified multi-objective optimization function is constructed. While retaining the topological difference term and node matching cost term, a weighted matching cost term for security-sensitive nodes and a temporal causality violation penalty term are further introduced. This allows minor deviations of authentication check nodes, critical system call nodes, and important control transfer nodes to receive higher weights in the objective function. Simultaneously, a penalty is applied to any reversal of the order after the permutation. Subsequently, the optimal node permutation matrix is solved using gradient descent or an extended form of the Hungarian algorithm, and the global isomorphism deviation value between each pair of heterogeneous graphs is obtained accordingly. Finally, the deviation values of all execution pairs are concatenated in a preset order to form an isomorphism deviation feature vector. The improved optimization objective function is: in, Representation diagram With Figure The improved global isomorphism deviation values between them are set to form the output isomorphism deviation eigenvector. This represents the node permutation matrix to be optimized. and The diagrams are shown below. With Figure The topological adjacency matrix, The Frobenius norm is used to measure the overall topological variation. This represents the weight coefficient of the safety-weighted node matching cost term. Represents a node The overall security weight, Represents a node With nodes The semantic matching cost, This represents the weighting coefficient of the penalty term for violation of temporal causality. Represents a node To the node The strength of the temporal causal constraint, Indicates the indicator function, when the node is replaced Mapping to location ,node Mapping to location Furthermore, the value is 1 when causality is reversed, and 0 otherwise. , , These represent the mapping coefficients at corresponding positions in the permutation matrix. Through this processing, two new constraint terms are added to the original topological structure difference term and node matching cost term to enhance the monitoring of key nodes and temporal relationships. This ensures that the resulting isomorphic deviation feature vector reflects not only the overall structural differences but also the degree of deviation in key nodes and the disruption of causal relationships.
[0044] For example, when an IoT terminal initiates a request to access sensitive resources, the request processing chain sequentially passes through processing nodes such as identity authentication, permission check, key invocation, data reading, and log recording. If a heterogeneous executor only modifies the jump target of the authentication function, causing the resource access node to be executed prematurely, this anomaly may only manifest as a small number of node deviations under ordinary global average measurement. However, in the aforementioned optimization process, the semantic deviation of the authentication check node, due to its higher security weight, will be preferentially amplified. At the same time, after the causal constraint that permission check precedes resource access is broken, the temporal causal violation penalty term increases synchronously, thereby increasing the global isomorphic deviation value between this executor and other executors and entering the isomorphic deviation feature vector. In the security sensitivity dimension, minor tampering of critical nodes is no longer masked by the global average effect. In the temporal causal dimension, the constraint that strictly prohibits the reversal of causal relationships ensures the conservation of logical integrity. In the critical path dimension, through the dual-dimensional fusion of topological centrality and security attributes, the monitoring of security critical subgraphs such as authentication chains, authorization chains, and encryption chains is automatically identified and strengthened, so that the destruction of local critical paths can be effectively extracted from the overall graph.
[0045] In the aforementioned knowledge graph-based abnormal traffic analysis device 100, the aggregation unit 144 is used to perform global similarity matrix aggregation on each distance deviation component in the isomorphic deviation feature vector to obtain an architecture similarity matrix. It should be noted that since each distance deviation component in the isomorphic deviation feature vector only represents the degree of deviation between pairs of heterogeneous executors, it cannot directly reflect the overall consistency state of all executors around the same access request, nor is it convenient to conduct dynamic trust assessment by combining logical behavior baselines and network environment factors. Based on this, the technical solution of this application further performs global similarity matrix aggregation on each distance deviation component in the isomorphic deviation feature vector to obtain an architecture similarity matrix. Through the above processing, discrete deviation results can be uniformly transformed into comparable similarity relationships, thereby effectively characterizing the processing consistency of multiple heterogeneous executors for the same business request, and providing direct input for subsequent abnormal trust scoring calculations.
[0046] More specifically, in a concrete example of this application, the deviation values corresponding to each execution entity pair in the isomorphic deviation feature vector are first read, and a row and column index correspondence is established based on the execution entity identifier. Then, a similarity mapping process is performed on each deviation component, so that execution entity pairs with smaller deviation values receive higher similarity scores, and execution entity pairs with larger deviation values receive lower similarity scores. Subsequently, each similarity score is written into the global matrix according to the execution entity pairing position to form an architecture similarity matrix reflecting the logical consistency of all heterogeneous execution entities. To maintain the continuity and comparability of similarity measurement, an exponential decay method is used to complete the mapping from deviation to similarity, and the corresponding calculation method is as follows: in, Indicates the execution body With the executor Similarity score between them Indicates the execution body With the executor The corresponding isomorphism deviation value, This represents the natural exponential function. The smoothing factor is used to adjust the attenuation magnitude when mapping deviation values to similarity values. After mapping all deviation components, the resulting scores are filled into a symmetric matrix, and the diagonal elements are set to one to indicate that the same executor's processing results are completely consistent with its own. Through this processing, the overall consistency of multiple heterogeneous executors in the authentication, authorization, data access, and control transfer processes under the mimicry defense architecture is centrally expressed in a unified matrix form. This enables the direct identification of abnormal executors that deviate from the group consensus and supports continuous trust assessment and access control decisions under the zero-trust architecture.
[0047] In the aforementioned knowledge graph-based abnormal traffic analysis device 100, the trust assessment module 150 is used to dynamically assess the architecture similarity matrix and quantify abnormal behavior based on the logical behavior baseline stored in the system and the weighting factors of the current network environment to obtain an abnormal trust score. It should be noted that since the architecture similarity matrix only reflects the graph consistency status among heterogeneous executors surrounding the same access request, it cannot directly determine whether the current deviation exceeds the normal business fluctuation range, nor can it reflect the impact of the access environment, access object, and runtime context on the degree of risk. Based on this, the technical solution of this application further performs dynamic trust assessment and abnormal behavior quantification on the architecture similarity matrix based on the logical behavior baseline stored in the system and the weighting factors of the current network environment to obtain an abnormal trust score. Through the above processing, graph consistency differences can be transformed into quantitative results that can be used for zero-trust authorization decisions, thereby effectively supporting the hierarchical judgment and coordinated handling of abnormal access requests.
[0048] More specifically, in a specific example of this application, the architecture similarity matrix corresponding to the current access request is first compared with a pre-stored logical behavior baseline to identify executors that deviate from normal collaborative characteristics. Then, the degree of deviation is amplified or suppressed by combining the risk weight factor in the current network environment. Finally, the comprehensive risk result is mapped to an abnormal trust score, so that the graph consistency information from different heterogeneous executors is uniformly transformed into a trust quantity that can directly participate in dynamic authorization. In the asymmetric logical deviation detection process, the reference similarity matrix corresponding to the current business type, access resource type, and processing link is first read from the logical behavior baseline. Then, the difference between the current architecture similarity matrix and the reference matrix is calculated row by row to identify the degree of deviation of a single executor relative to other executors. Since anomalies in the mimicry defense scenario often manifest as local logical drift in a few executors, the mean error of each executor is used to form a deviation penalty feature group to reflect the degree of deviation of each executor from the group consensus. The calculation formula for the deviation penalty feature is: in, Indicates the first Deviation penalty features corresponding to each executor This indicates the number of heterogeneous execution entities participating in parallel processing. Indicates the first element in the current architecture similarity matrix. Line number Column similarity elements, This represents the reference similarity element at the corresponding position in the logical behavior baseline. This represents absolute value operations. This processing allows for the extraction of abnormal offsets from individual executors from the overall matrix, preventing local anomalies from being weakened by the global average. In the multi-source environmental risk weighted fusion process, network environment information for the current access request is further read, and the access location, terminal identity trust status, access resource sensitivity level, access time period risk level, and external threat perception results are aggregated into an environmental risk coefficient. Then, the maximum deviation component is extracted from the deviation penalty feature group to characterize the state of the executor with the highest risk in this request, thus obtaining the comprehensive risk assessment scalar. The comprehensive risk assessment formula is: in, This represents a comprehensive risk assessment scalar. This represents the risk weighting factor corresponding to the current network environment. This indicates the operation of finding the maximum value. Indicates the first Deviation penalty features corresponding to each executor This indicates the number of heterogeneous executors. Through this processing, the graph deviation results, along with terminal identity, business compliance, and access context, are jointly incorporated into the risk assessment process, making the determination of abnormal requests in high-risk scenarios more aligned with actual access control needs. In the dynamic trust scoring quantification process, the comprehensive risk assessment scalar is input into the trust decay function, and interval mapping is completed according to preset tolerance thresholds and decay rate parameters to obtain the abnormal trust score used for access control decisions. The scoring quantification formula is: in, Indicates an abnormal trust score. Represents the natural constant. This represents the rate of score decay parameter. This represents a comprehensive risk assessment scalar. This represents the risk tolerance threshold. Through this process, the continuously changing overall risk is converted into a trust score on a uniform scale, enabling subsequent strategic decisions to directly implement release, blocking, or cleanup actions based on the score.
[0049] In the aforementioned knowledge graph-based abnormal traffic analysis device 100, the policy decision module 160 is used to input the abnormal trust score into the policy decision point. The policy decision point determines whether the abnormal trust score is below a security threshold based on preset zero-trust dynamic authorization rules. If the score is below the security threshold, a mimicry reset command is issued to clean up and take down the damaged execution entity, and an access control decision is output to the security gateway for execution. It should be noted that since the abnormal trust score obtained from the preceding processing only quantifies the risk level of the current access request, without a policy decision process that connects with the zero-trust dynamic authorization rules, it is difficult to promptly transform the abnormal identification results into actual control over network connectivity, resource access, and the state of the damaged execution entity. Especially under a mimicry defense architecture, if the abnormal execution entity continues to participate in parallel processing, it will continuously affect the reliability of authentication, authorization, and access control. Based on this, the technical solution of this application further inputs the abnormal trust score into the policy decision point. The policy decision point determines whether the abnormal trust score is below a security threshold according to preset zero-trust dynamic authorization rules. If it is determined to be below the security threshold, a mimicry reset command is issued to clean up and take offline the damaged execution entity, and an access control decision is output to the security gateway for execution. This creates a closed-loop linkage between abnormal traffic analysis results, dynamic authorization, access blocking, and execution entity governance. Through the above processing, the results of graph consistency analysis and dynamic trust assessment can be directly transformed into real-time handling measures for abnormal access, thereby effectively blocking abnormal connections, restricting unauthorized access, and maintaining the continuous and trustworthy operation of other execution entities under the mimicry architecture.
[0050] Figure 6This is a block diagram of a strategy decision module in a knowledge graph-based abnormal traffic analysis device according to an embodiment of this application. Figure 6 As shown, the strategy decision module 160 includes: a level mapping unit 161, used to input the abnormal trust score to the strategy decision point of the control plane for trust threshold determination and level mapping to obtain a risk handling level identifier; a strategy generation unit 162, used to convert the risk handling level identifier into a one-hot encoded feature vector, and multiply the action mapping feature matrix and the one-hot feature vector by the inner product to obtain a multi-dimensional control strategy set; and an execution control unit 163, used to drive the underlying layer to complete the session termination or hot restart operation of the heterogeneous execution entity based on the multi-dimensional control strategy set.
[0051] In the aforementioned knowledge graph-based abnormal traffic analysis device 100, the level mapping unit 161 is used to input the abnormal trust score to the policy decision point of the control plane for trust threshold determination and level mapping to obtain a risk handling level identifier. It should be noted that since the abnormal trust score is a continuously quantified result, it cannot directly correspond to actions such as allowing, blocking, or resetting. Without a unified threshold determination and level mapping process, it is difficult to stably transform the results of the preceding knowledge graph analysis and dynamic trust assessment into access control policies under a zero-trust architecture. Based on this, the technical solution of this application further inputs the abnormal trust score to the policy decision point of the control plane for trust threshold determination and level mapping to obtain a risk handling level identifier. Through the above processing, continuously changing risk results can be converted into discrete and executable handling levels, thereby effectively supporting the subsequent generation of control policies and the coordinated execution of security gateways.
[0052] More specifically, in a concrete example of this application, the anomaly trust score is first compared with a preset security alarm threshold and a mimicry degradation threshold in the control plane. The security alarm threshold distinguishes between normal and abnormal access, while the mimicry degradation threshold distinguishes between general anomalies and high-risk anomalies caused by compromised executors. Then, based on the comparison results, the current access request is mapped to a risk level. When the anomaly trust score is not lower than the security alarm threshold, the current request is marked as low-risk. When the anomaly trust score is lower than the security alarm threshold but not lower than the mimicry degradation threshold, the current request is marked as medium-risk. When the anomaly trust score is lower than the mimicry degradation threshold, the current request is marked as high-risk, and the corresponding risk handling level identifier is output. This ensures that anomaly requests arising from logical offsets in the authentication chain, authorization chain, or resource access chain can obtain a unified level expression in the control plane. The formula for determining the risk handling level identifier is: in, This indicates the risk level, with values of 0, 1, or 2, corresponding to low, medium, and high risk levels, respectively. Indicates an abnormal trust score. Indicates the security alarm threshold. This indicates the mimicry degradation threshold; after completing the level mapping, the risk handling level identifier is output to the subsequent policy generation process so as to implement differentiated handling for IoT terminal access to core business resources, calling sensitive interfaces or initiating control commands, thereby ensuring a stable and clear correspondence between abnormal scores and access control actions.
[0053] In the aforementioned knowledge graph-based abnormal traffic analysis device 100, the policy generation unit 162 is used to convert risk handling level identifiers into one-hot encoded feature vectors, and multiply the action mapping feature matrix with the one-hot feature vectors by an inner product to obtain a multi-dimensional control policy set. It should be noted that since the risk handling level identifier only represents the risk level of the current access request and cannot directly reflect the combination relationship between specific handling actions such as network access permission, session blocking, execution body cleaning, and reset, without a unified policy mapping process, subsequent control execution will be difficult to maintain consistency. Based on this, the technical solution of this application further converts the risk handling level identifier into a one-hot encoded feature vector, and multiplies the action mapping feature matrix with the one-hot feature vectors by an inner product to obtain a multi-dimensional control policy set. Through the above processing, discrete risk levels can be stably mapped to executable multi-dimensional handling policies, thereby effectively supporting subsequent security gateway control and mimic execution body handling.
[0054] More specifically, in a specific example of this application, the risk handling level identifier is first converted into a one-hot encoded feature vector, so that different risk levels have a unique position representation in the vector space. Low risk level corresponds to only allowing the pass bit being valid, medium risk level corresponds to blocking-related control bits being valid, and high risk level corresponds to both blocking and execution body reset-related control bits being valid. Then, an action mapping feature matrix is pre-constructed, where each row of the matrix corresponds to handling dimensions such as network connection control, access session control, execution body cleaning control, and execution body offline control, and each column corresponds to the action configuration for different risk levels. After completing the one-hot encoding, the action mapping feature matrix and the one-hot encoded feature vector are multiplied together to obtain a multi-dimensional control strategy set that corresponds one-to-one with the current access request, thus establishing a clear correspondence between risk levels and subsequent control actions. The calculation formula for the multi-dimensional control strategy set is: in, This represents a set of multi-dimensional control strategies. Represents the action mapping feature matrix. Indicates the risk management level identifier The transformed one-hot encoded feature vectors have elements in the matrix multiplication result that correspond to action switches or action weights on different control dimensions. After the strategy set is generated, the results are output to the subsequent execution control process so that when IoT terminals access core business resources, call sensitive interfaces, or trigger abnormal execution paths, they can perform release, blocking, cleaning, or offline operations according to the predetermined strategy, thereby realizing the structured transformation of risk classification results into specific control actions.
[0055] In the aforementioned knowledge graph-based abnormal traffic analysis device 100, the execution control unit 163 is used to drive the underlying layer to complete session termination or hot restart operations of heterogeneous execution entities based on a multi-dimensional control strategy set. It should be noted that, since the multi-dimensional control strategy set only provides the combined results of handling actions, it has not yet established a one-to-one correspondence with specific abnormal sessions and specific damaged execution entities, nor has it formed a control load that can be directly executed by the data plane. Based on this, the technical solution of this application further drives the underlying layer to complete session termination or hot restart operations of heterogeneous execution entities based on a multi-dimensional control strategy set. Through the above processing, the preliminary risk assessment results can be implemented into actual control behaviors oriented towards session connections and execution entity states, thereby effectively blocking abnormal access and completing the handling of damaged execution entities.
[0056] More specifically, in a specific example of this application, during session extraction, a session identifier is first extracted from the currently detected network traffic connection, and the physical timestamp that triggered the current action is read simultaneously, establishing a unique correspondence between the abnormal access request and its occurrence time. Through this process, the subsequently generated control information can be accurately bound to the target connection, preventing the action from being applied to non-target sessions. During fingerprint generation, a session feature fingerprint is constructed based on the previously extracted session identifier and physical timestamp, ensuring that the same access connection forms a unique identification result at the current action time. The session feature fingerprint is used to characterize the identity and time characteristics of the current abnormal traffic object, ensuring that the target of subsequent control messages is clear and providing a basis for the anti-replay and verifiable nature of access control decisions. During message construction, the session feature fingerprint is combined and encoded with a multi-dimensional management and control policy set to form a control message, carrying both network connection control information and execution body action information. The access control decision is constructed as follows: in, This indicates the final access control decision corresponding to the issued control message. Indicates digital signature processing, This represents a set of multi-dimensional control strategies. This indicates a cascaded combination operation. Indicates hash digest processing, Indicates the session identifier. Represents a physical timestamp. This indicates a sequential concatenation operation; through this processing, the control message simultaneously possesses target binding and policy carrying capabilities. During the decision output process, the control message is sent to the software-defined border gateway and the mimic scheduler in the data plane. The software-defined border gateway executes session termination or access blocking based on the connection control information in the message, while the mimic scheduler executes the offline, cleanup, and hot restart of damaged heterogeneous execution entities based on the execution entity control information in the message. This ensures that abnormal connections are isolated in a timely manner, and that abnormal execution entities exit the current processing link, thereby maintaining the continuous processing capability of the remaining execution entities.
[0057] In summary, an abnormal traffic analysis device based on a knowledge graph, according to an embodiment of this application, is described. First, the intercepted original instruction data stream is sequentially subjected to context marking, redundancy removal, and trajectory reconstruction to obtain an instruction execution trajectory that reflects the actual execution process. Then, instructions under different architectures are uniformly semantically embedded and vectorized, converting discrete instructions into comparable semantic fingerprints. An instruction association graph is constructed by combining instruction function tags, jump relationships, and temporal associations. Subsequently, consistency measurement, deviation aggregation, and dynamic trust assessment are performed on the graphs generated by multiple executors, outputting an abnormal trust score and driving zero-trust policy decisions to complete access control, session termination, or executor reset. Through the above concept, the ability of abnormal traffic analysis to identify deep semantic deviations, hidden logic tampering, and critical link damage can be effectively improved, avoiding interference from normal heterogeneous differences in anomaly judgment, enhancing the quantitative assessment and coordinated handling of abnormal behavior, thereby achieving accurate analysis, reliable judgment, and dynamic protection of abnormal traffic.
Claims
1. An abnormal traffic analysis device based on knowledge graph, characterized in that, include: The preprocessing module is used to preprocess the intercepted raw instruction data stream to obtain the instruction execution trajectory; The semantic mapping module is used to perform cross-architecture instruction semantic embedding and vectorization mapping on instruction execution trajectories to obtain semantic fingerprint vector groups; The graph construction module is used to take each vector in the semantic fingerprint vector group as a graph node and inject its original instruction's functional label. Based on the jump address and timing relationship between instructions, directed connections are established between nodes to obtain the instruction association graph. The consistency measurement module is used to perform isomorphic consistency measurement on multiple instruction association graphs generated in parallel from different architecture executors to obtain an architecture similarity matrix. The trust assessment module is used to perform dynamic trust assessment and abnormal behavior quantification on the architecture similarity matrix based on the logical behavior baseline stored in the system and the weight factors of the current network environment to obtain an abnormal trust score. The strategy decision module is used to input the abnormal trust score into the strategy decision point. The strategy decision point determines whether the abnormal trust score is lower than the security threshold according to the preset zero-trust dynamic authorization rules. When it is determined to be lower than the security threshold, it issues a mimicry reset command to clean up and take down the damaged executor and outputs the access control decision to the security gateway for execution.
2. The knowledge graph-based abnormal traffic analysis device according to claim 1, characterized in that, The preprocessing module includes: The context marking unit is used to perform kernel probe-based instruction stream context marking on each instruction code in the original instruction data stream to obtain the context instruction data stream; The dynamic cleaning unit is used to dynamically clean redundant instruction features from the context instruction data stream to obtain the core instruction set. The trajectory reconstruction unit is used to reconstruct the execution trajectory of the core instruction set to obtain the instruction execution trajectory.
3. The knowledge graph-based abnormal traffic analysis device according to claim 1, characterized in that, The semantic mapping module includes: The lexical encoding unit is used to perform instruction lexical parsing and symbol encoding on each disassembled instruction in the instruction execution trajectory through the word segmentation engine to obtain the encoded instruction sequence. Linear projection unit is used to perform linear projection of the encoded instruction sequence across the architecture semantic space to obtain the original semantic embedding tensor; The fingerprint thinning unit is used to perform nonlinear noise suppression and semantic fingerprint thinning on the projected semantic tensor of each term in the original semantic embedding tensor to obtain a set of semantic fingerprint vectors.
4. The knowledge graph-based abnormal traffic analysis device according to claim 1, characterized in that, The map construction module includes: The attribute encapsulation unit is used to encapsulate the node feature attributes of each instruction semantic vector and its corresponding instruction function classification attribute in the semantic fingerprint vector group to obtain an attributed node set. The edge mapping unit is used to perform dynamic control flow edge mapping on the attributed node set to obtain the basic topology graph. The weight evaluation unit is used to adaptively evaluate the topological edge weights of the basic topology graph to obtain the instruction association graph.
5. The knowledge graph-based abnormal traffic analysis device according to claim 1, characterized in that, The consistency measurement module includes: The graph receiving unit is used to receive the instruction association graph set from the parallel output of multiple heterogeneous executors under the mimicry defense architecture; The alignment evaluation unit is used to perform heterogeneous graph alignment and node cost evaluation on the instruction association graph set to obtain heterogeneous graph matching pairs. The deviation measurement unit is used to measure the structural topological deviation of heterogeneous graph matching pairs to obtain the isomorphic deviation feature vector. The aggregation unit is used to perform global aggregation of the similarity matrix for each distance deviation component in the isomorphic deviation feature vector to obtain the architecture similarity matrix.
6. The knowledge graph-based abnormal traffic analysis device according to claim 1, characterized in that, The trust assessment module includes: The deviation detection unit is used to perform asymmetric logical deviation detection on the architecture similarity matrix to obtain the deviation penalty feature group. The risk fusion unit is used to perform multi-source environmental risk weighted fusion of the deviation penalty feature group to obtain a comprehensive risk assessment scalar. The scoring quantification unit is used to dynamically quantify the trust score of the comprehensive risk assessment scalar to obtain the abnormal trust score.
7. The knowledge graph-based abnormal traffic analysis device according to claim 1, characterized in that, The strategy decision-making module includes: The level mapping unit is used to input the abnormal trust score into the strategy decision point of the control plane to determine the trust threshold and map the level to obtain the risk treatment level identifier. The strategy generation unit is used to convert the risk treatment level identifier into a one-hot encoded feature vector, and multiply the action mapping feature matrix with the one-hot feature vector by the inner product to obtain a multi-dimensional control strategy set. The execution control unit is used to drive the underlying layer to complete session termination or hot restart of heterogeneous execution entities based on a multi-dimensional management and control strategy set.
8. The knowledge graph-based abnormal traffic analysis device according to claim 7, characterized in that, The execution control unit includes: The session extraction subunit is used to extract the session identifier corresponding to the currently detected network traffic connection and the current system's physical timestamp. The fingerprint generation subunit is used to generate session feature fingerprints based on the session identifier and the current system's physical timestamp; The message construction subunit is used to construct and send control messages based on session feature fingerprints and multi-dimensional management and control policy sets. The decision output subunit is used to output the issued control messages as access control decisions to the software-defined boundary gateway and mimic scheduler in the data plane to drive the underlying layer to complete the session termination or hot restart operation of heterogeneous execution entities.
9. The knowledge graph-based abnormal traffic analysis device according to claim 5, characterized in that, The deviation measurement unit includes: The weight determination sub-unit is used to determine the node security weight matrix based on heterogeneous graph matching pairs; The constraint extraction subunit is used to extract the temporal causal constraint matrix from heterogeneous graph matching pairs; The weighted bias optimization subunit is used to perform multi-objective weighted bias optimization on heterogeneous graph matching pairs based on the temporal causal constraint matrix and the node safety weight matrix to obtain the isomorphic bias feature vector.