A web high-concealment attack adaptive defense method and device

By combining kernel-mode eBPF probes and a lightweight Transformer model with PID load feedback control, the method resolves the performance bottlenecks and resource consumption problems of detecting advanced persistent threats, achieving low-latency, low-overhead detection of highly covert attacks while ensuring business continuity.

CN122226418A · Pending · Publication Date: 2026-06-16 · INFORMATION & COMM CO OF STATE GRID XINJIANG ELECTRIC POWER CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
INFORMATION & COMM CO OF STATE GRID XINJIANG ELECTRIC POWER CO LTD
Filing Date
2026-03-27
Publication Date
2026-06-16

AI Technical Summary

Technical Problem

Existing technologies suffer from performance bottlenecks, high resource consumption, high latency, and a lack of system-level load awareness when dealing with advanced persistent threats and complex variant attacks. They are unable to achieve low-latency, low-overhead, highly covert attack detection and ensure business continuity in high-concurrency scenarios.

Method used

A kernel-mode eBPF probe is used for traffic interception and feature reduction. A lightweight Transformer model is combined for semantic association and intent reasoning. An adaptive degradation mechanism of PID load feedback control is introduced to achieve semantic association and real-time blocking across data packets.

🎯Benefits of technology

Significantly reduces system overhead, shortens detection latency, enables accurate identification of advanced stealth attacks, and provides business continuity assurance in high-concurrency scenarios, preventing security devices from dragging down core businesses due to resource contention.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122226418A_ABST

Abstract

The application discloses an adaptive defense method and device for highly covert web attacks, relating to the technical field of network security. The method includes: in kernel mode, intercepting network traffic through an eBPF probe, performing feature extraction and dimensionality reduction compression on the original message to generate a fixed-length feature tensor, and transmitting it to user mode with zero copy; in user mode, performing cross-packet semantic association and intent reasoning on the feature tensor sequence with a lightweight Transformer model and outputting an attack confidence probability; when the probability exceeds a threshold, issuing blocking information to the kernel-mode eBPF mapping table so that the eBPF probe discards matching messages in real time; and, in parallel, performing PID feedback control based on system load to dynamically adjust the kernel-mode feature extraction depth and the interception threshold. The application reduces system overhead, shortens detection delay, achieves accurate identification of advanced covert attacks, and provides continuity guarantees for business in high-concurrency scenarios.

Description

Technical Field

[0001] This invention relates to the field of network security technology, and in particular to an adaptive defense method and apparatus for highly covert web attacks.

Background Technology

[0002] Web application firewalls, web application and API protection systems are core means of defending against web attacks. However, existing technologies have the following significant shortcomings when dealing with advanced persistent threats and complex, evolving attacks: First, regular expression-based detection engines suffer from performance bottlenecks and are easily bypassed. Traditional WAFs rely on user-space regular expressions for feature matching. Attackers often exploit techniques such as HTTP chunked transmission, multiple nested encodings, or inserting a large number of obfuscated characters to fragment malicious payloads, dispersing attack features across multiple data packets and thus bypassing regular expression detection. Furthermore, complex regular expression matching, when processing specifically crafted messages, can easily trigger regular expression denial-of-service attacks, leading to server CPU resource exhaustion.

[0003] Secondly, detection solutions incorporating artificial intelligence suffer from high latency and high resource consumption. Existing technologies that use large language models or deep neural networks for detection often rely on out-of-band (bypass) full-traffic capture or cloud API calls. Their detection latency is generally several hundred milliseconds or more, and copying the entire network packet from kernel space to user space incurs significant context switching and memory copying overhead, failing to meet the microsecond-level low-latency requirements of high-concurrency web application scenarios.

[0004] Thirdly, existing security systems lack deep, underlying load awareness. When subjected to large-scale CC attacks or a sudden surge in normal business traffic, security detection processes compete with core business processes for system resources, and the lack of a dynamic adjustment mechanism makes them highly susceptible to cascading failures that can lead to a complete business outage.

[0005] In summary, how to achieve low-latency, low-overhead detection of highly covert attacks in high-concurrency scenarios while ensuring business continuity is a technical problem that urgently needs to be solved in this field.

Summary of the Invention

[0006] In view of the above-mentioned defects or deficiencies in the prior art, the present invention provides an adaptive defense method and apparatus for highly covert web attacks to solve the above-mentioned technical problems mentioned in the background art.

[0007] One aspect of the present invention provides an adaptive defense method against highly covert web attacks, comprising the following steps:

Kernel-mode traffic interception and feature dimensionality reduction step: network traffic is intercepted in kernel mode by an eBPF probe, and feature extraction and dimensionality reduction compression are performed on the original packets inside the eBPF probe to generate a fixed-length feature tensor. The feature tensor is then transferred to operating system user mode in a zero-copy manner.

User-space semantic association and reasoning step: in user space, a pre-trained lightweight Transformer model performs cross-packet semantic association and intent reasoning on a feature tensor sequence composed of multiple feature tensors, and outputs an attack confidence probability.

Kernel-mode real-time blocking and adaptive degradation step: when the attack confidence probability exceeds the preset blocking threshold, user-mode blocking information is written to the kernel-mode eBPF mapping table; the kernel-mode eBPF probe reads the mapping table and discards matching packets in real time. In user mode, feedback control is performed based on the real-time system load: the depth of kernel-mode feature extraction is dynamically adjusted through the kernel-mode eBPF mapping table, and the blocking threshold is adjusted accordingly.

[0008] In another aspect, the present invention provides an adaptive defense device against highly covert web attacks, comprising:

A kernel-mode traffic interception and feature dimensionality reduction module, used to intercept network traffic in kernel mode through eBPF probes, perform feature extraction and dimensionality reduction compression on the original packets inside the eBPF probes to generate a fixed-length feature tensor, and transfer the feature tensor to operating system user mode in a zero-copy manner.

A user-space semantic association and reasoning module, used to perform cross-packet semantic association and intent reasoning in user space on a feature tensor sequence composed of multiple feature tensors, using a pre-trained lightweight Transformer model, and to output the attack confidence probability.

A kernel-mode real-time blocking and adaptive degradation module, used to write user-mode blocking information to the kernel-mode eBPF mapping table when the attack confidence probability exceeds a preset blocking threshold; the kernel-mode eBPF probe reads the eBPF mapping table and discards matching packets in real time. In user mode, feedback control is performed based on the real-time system load, and the kernel-mode eBPF mapping table is used to dynamically adjust the depth of kernel-mode feature extraction and the blocking threshold.

[0009] The present invention provides an adaptive defense method and device for highly covert web attacks, which has the following beneficial effects: (1) Significantly reduced system overhead and shortened detection latency. This invention pushes the text preprocessing and feature dimensionality reduction operations in traffic detection down to the operating system kernel layer. It uses a one-dimensional spatiotemporal convolution operator in the eBPF probe to filter and compress massive traffic online, and only transmits the feature tensors of extremely small dimensions to the user space in a zero-copy manner. This avoids the full cross-state copy of the original HTTP / HTTPS message and the resulting context switching overhead, effectively solving the high latency problem caused by full traffic copying in existing AI security models.

[0010] (2) It has achieved accurate identification of advanced covert attacks. To address the covert attack methods employed by attackers who utilize HTTP / HTTPS chunked transmission technology to slice and disperse malicious payloads across multiple data packets to bypass single-packet detection, this invention leverages the multi-head self-attention mechanism of a lightweight Transformer model to construct a cross-data packet temporal memory space in user space. By semantically associating and weighted fusion of feature tensor sequences belonging to the same session, the fragmented malicious intent chain can be accurately reconstructed, achieving precise identification of advanced covert attacks such as chunked injection and slow-speed attacks.

[0011] (3) Provides continuity assurance for business in high-concurrency scenarios. This invention introduces an adaptive degradation mechanism based on PID load feedback control. By collecting low-level load indicators such as CPU soft interrupt latency in real time, it dynamically calculates the system stress state. When a sudden surge in traffic or a large-scale attack is detected, the system can proactively reduce resource consumption by decreasing the scanning depth of kernel-mode feature extraction and increasing the user-mode interception threshold, achieving a dynamic balance between security protection strength and system load. Under extreme pressure, the system can automatically trigger a circuit breaker bypass, prioritizing core business processing threads to obtain sufficient CPU resources. This eliminates, at the architectural level, the potential for security devices to overwhelm core business systems through resource contention, providing reliable business continuity assurance for high-concurrency web applications.

Attached Figure Description

[0012] Other features, objects, and advantages of this application will become more apparent from the following detailed description of non-limiting embodiments with reference to the accompanying drawings:

Figure 1 is a flowchart of an embodiment of the adaptive defense method against highly covert web attacks provided in this application;

Figure 2 is a schematic diagram of the structure of an adaptive defense device against highly covert web attacks provided in one embodiment of this application;

Figure 3 is a schematic diagram of the structure of an electronic device provided in one embodiment of this application.

Detailed Implementation

[0013] To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0014] Terminology definitions. To facilitate understanding of this invention, the key technical terms involved are first defined as follows:

(1) eBPF: a technique for running sandboxed programs in a kernel virtual machine, allowing users to securely and efficiently extend kernel functionality without modifying the kernel source code or loading kernel modules. In this invention, eBPF is used to mount probes in kernel mode to intercept traffic and extract features.

[0015] (2) XDP: a high-performance, programmable network packet processing framework provided by the Linux kernel that processes packets directly at the network card driver layer, enabling early packet dropping or forwarding.

[0016] (3) eBPF probe: an eBPF program attached at a kernel mount point, used to intercept data in kernel mode.

[0017] (4) Feature tensor: a fixed-length data structure generated by the kernel-mode eBPF probe after feature extraction and dimensionality reduction compression of the original message. It contains spatial feature scalars and temporal feature scalars and is the smallest data unit passed to user mode for inference.

[0018] (5) Feature tensor sequence: an ordered set of multiple feature tensors belonging to the same session, arranged in chronological order; it is the input to the user-space lightweight Transformer model.

[0019] (6) LRU hash map: a cached data structure with an eviction mechanism that, when the map is full, evicts the least recently used entry first. In this invention it is used to efficiently maintain session state and compute packet arrival time differences in the kernel-mode eBPF environment.

[0020] (7) Fixed-point weight kernel: the parameters of a floating-point convolution kernel trained offline, quantized to integers and pre-set in a static integer array in the eBPF program, used to perform one-dimensional convolution in a kernel environment that prohibits floating-point operations.

[0021] (8) Zero copy: a technique that avoids CPU data copying when data is transferred from kernel mode to user mode.

[0022] (9) Circular buffer: a reusable first-in-first-out queue allocated in kernel space, used for asynchronous, zero-copy data transfer from kernel mode to user mode.

[0023] (10) Lightweight Transformer: a Transformer model with a smaller parameter size after compression by techniques such as knowledge distillation, suitable for low-latency inference in user space. In this invention it performs cross-packet semantic association on feature tensor sequences.

[0024] (11) Multi-head self-attention mechanism: the core component of the Transformer model, which captures long-distance dependencies by calculating association weights between elements at different positions in the input sequence. In this invention it is used to associate attack features scattered across different packets.

[0025] (12) PID control algorithm: proportional-integral-derivative (PID) control is a classic feedback control algorithm that computes the error between the current value and the target value and outputs a control quantity from the proportional, integral, and derivative terms to achieve smooth adjustment of the system. In this invention it is used to dynamically adjust the detection strategy according to the system load.

[0026] (13) Soft interrupt: a Linux kernel mechanism for handling the bottom half of time-consuming interrupt processing. Network packet reception and processing are primarily handled in soft interrupt context; therefore CPU soft interrupt latency is a key metric of network processing load.

[0027] Example 1. The technical solution of the present invention is described in detail below with reference to the accompanying drawings. The present invention provides an adaptive defense method for highly covert web attacks, which achieves real-time detection and adaptive defense against highly covert attacks through the collaborative work of a kernel-mode eBPF probe and a user-mode lightweight Transformer. For example, as shown in Figure 1, the method mainly includes the following steps.

[0028] Step S101: Kernel-mode traffic interception and feature dimensionality reduction.

[0029] This step aims to address the performance bottleneck caused by the full cross-space copying of traffic in traditional security solutions. Its core principle is to place the first stage of traffic processing in the operating system kernel space. Before data packets are sent to user-space applications, online interception and feature extraction are performed using eBPF technology. Only a very small number of feature tensors are passed to user space, thus avoiding a full copy of the original packets and significantly reducing system overhead.

[0030] Specifically, eBPF probes (kprobe / uprobe) are mounted at the XDP layer of the operating system kernel network stack, or at the system call layer of encryption / decryption library functions (such as OpenSSL). The XDP layer sits after the network card driver and before the kernel protocol stack, making it the earliest point at which packets can be processed. Mounting the probe at the system call layer allows the protocol header and payload to be obtained directly at the point where the packet is decrypted, before it is read by the application layer. These two mounting methods ensure that this scheme can intercept raw, plaintext application layer data with minimal latency and resource consumption.

[0031] Feature extraction and dimensionality reduction are performed inside the eBPF probe program. This requires overcoming the stringent safety restrictions of the eBPF verifier, which checks whether the program contains unsafe operations such as unbounded loops and floating-point operations. To address this technical challenge, this step employs the following key technical methods: First, a one-dimensional convolution is performed on the message payload using a pre-set fixed-point weight kernel to extract spatial feature scalars. Traditional neural network convolution relies on floating-point matrix multiplication, but the eBPF environment prohibits floating-point operations. This invention pre-quantizes the sensitivity weights of characters that are sensitive for web attacks (such as single quotes, angle brackets, backslashes, etc.) from floating-point numbers into a fixed-point array and pre-sets it as static data in the eBPF program. At probe runtime, the character distribution entropy and sensitive-symbol clustering degree of a local region of the payload are calculated through fixed-point multiply-accumulate operations, thereby generating spatial feature scalars. This achieves neural-network-like feature extraction in a kernel-constrained environment.

[0032] Secondly, to circumvent the eBPF verifier's detection of loops, a compiler instruction is used to forcibly unroll the multiplication-accumulation loop. The eBPF verifier requires the program to complete execution within a finite time, prohibiting unknown loops that might cause the kernel to hang. This invention uses compiler macros (such as `#pragma unroll`) to forcibly unroll the loop in the convolution operation into a sequentially executed instruction sequence, and strictly limits the maximum scan depth (e.g., 128 bytes). In this way, the eBPF verifier sees a linear instruction stream without backsteps, thus allowing it to pass safely.

[0033] Thirdly, a traffic state record table is constructed using eBPF's LRU hash map to extract temporal scalar features. Maintaining massive session state in kernel space requires efficient data structures and eviction mechanisms. The LRU hash map uses the client IP and session identifier as keys and records the timestamp of the session's most recent access. When a new packet arrives, the eBPF probe queries this map to obtain the last access time and calculates the time difference Δt between the current packet and the previous packet. Due to the LRU mechanism, when the map is full the least recently used session entry is automatically evicted, ensuring that even under attacks from massive numbers of IPs, kernel-space memory will not run out, thus guaranteeing system stability.

[0034] Finally, the extracted spatial feature scalars (such as scores representing the clustering of sensitive characters within a single packet) are concatenated with temporal feature scalars (such as the time interval between adjacent packets in the same session) to generate a fixed-length feature tensor. This feature tensor is a highly abstract and compressed representation of the original traffic. Subsequently, the eBPF probe asynchronously pushes this feature tensor to user space via a lock-free circular buffer (BPF_MAP_TYPE_RINGBUF). The lock-free circular buffer is a memory area shared by kernel space and user space. Through memory mapping technology, user-space programs can directly read data in this buffer without calling system calls such as read, and without the CPU performing data copying, thus achieving true zero-copy transmission and minimizing the overhead of cross-space data transmission.

[0035] The above technical means can be summarized into the following method and process:

Step S1011: Mount an eBPF probe at the XDP layer or system call layer to intercept decrypted HTTP or HTTPS messages.

Step S1012: In the eBPF probe, perform a one-dimensional convolution on the message payload using a preset fixed-point weight kernel to extract spatial feature scalars.

Step S1013: Use the eBPF LRU hash map to maintain session state, compute the arrival time difference of HTTP or HTTPS messages, and extract the temporal feature scalar.

Step S1014: Concatenate the spatial feature scalar and the temporal feature scalar into a fixed-length feature tensor, and transmit it asynchronously to user space through a lock-free circular buffer.

[0036] Through the above steps, the processing of massive network traffic is transformed into lightweight feature tensor generation and transmission, which solves the performance bottleneck problem caused by full-traffic cross-state copying in traditional solutions and lays the foundation for subsequent real-time inference.
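As an added illustration of steps S1011 to S1014 (this is not code from the patent or its applicant), the following plain C program models the kernel-side feature extraction under the constraints the description lists: integer-only fixed-point weights, a compile-time maximum scan depth that bounds the convolution loop, a runtime scan depth that can be lowered, and a small fixed-size session table with least-recently-used eviction standing in for the LRU hash map. It is ordinary user-space C rather than an eBPF program, and the sensitivity weights, the Q8 fixed-point format, the four-slot table, the function names and the sample inputs (the page's chunked fragments plus a benign string) are all assumptions constructed for the example; the ring-buffer hand-off to user space is not modelled.

```c
/* Added example, not the patent's eBPF program: a plain C model of the
 * kernel-side feature extraction (steps S1011-S1014). Weights, the Q8
 * fixed-point format and the 4-slot session table are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SCAN_DEPTH 128   /* constant loop bound; the page's default scan depth */
#define KERNEL_WIDTH   4
#define Q8_SHIFT       8     /* Q8 fixed point: 256 represents 1.0 */
#define SESSION_SLOTS  4     /* tiny fixed-size stand-in for the LRU hash map */

struct feature_tensor {
    int32_t  spatial;    /* sensitive-symbol clustering score, Q8 */
    uint64_t delta_us;   /* microseconds since the session's previous packet */
};

/* Hypothetical per-byte sensitivity weights (Q8): quotes, angle brackets and
 * backslashes score highest, separators and spaces lower, everything else 0. */
static int32_t sensitivity(uint8_t c)
{
    switch (c) {
    case '\'': case '"':            return 256;
    case '<':  case '>': case '\\': return 192;
    case ';':  case '-': case '#':  return 128;
    case ' ':                       return 64;
    default:                        return 0;
    }
}

/* Hypothetical 1-D kernel over four adjacent bytes (Q8); it rewards clusters
 * of sensitive symbols rather than isolated ones. */
static const int32_t WEIGHT_KERNEL[KERNEL_WIDTH] = {128, 256, 256, 128};

/* Spatial feature scalar over at most `depth` payload bytes, integer only. */
int32_t spatial_feature(const uint8_t *payload, size_t len, uint32_t depth)
{
    int64_t acc = 0;
    if (depth > MAX_SCAN_DEPTH) depth = MAX_SCAN_DEPTH;
    if (depth > len)            depth = (uint32_t)len;
    /* Trip count is bounded by a compile-time constant, the shape a verifier
     * accepts once unrolled; the break applies the runtime depth that the
     * user-space controller lowers under load. */
    for (uint32_t i = 0; i < MAX_SCAN_DEPTH; i++) {
        int64_t win = 0;
        if (i + KERNEL_WIDTH > depth)
            break;
        for (int k = 0; k < KERNEL_WIDTH; k++)
            win += (int64_t)sensitivity(payload[i + k]) * WEIGHT_KERNEL[k];
        acc += win >> Q8_SHIFT;   /* Q8 x Q8 = Q16, bring back to Q8 */
    }
    return (int32_t)acc;
}

/* Session table: key -> last-seen time, least-recently-used eviction. */
struct session_entry {
    uint32_t key;          /* e.g. client IPv4 address */
    uint64_t last_seen_us;
    uint64_t last_used;    /* logical clock for LRU ordering */
    int      valid;
};
static struct session_entry sessions[SESSION_SLOTS];
static uint64_t use_clock;

/* Returns the time since this session's previous packet (0 if unseen) and
 * updates the table; evicts the LRU slot when every slot is occupied. */
uint64_t session_delta_us(uint32_t key, uint64_t now_us)
{
    int free_slot = -1, lru_slot = 0, slot;
    use_clock++;
    for (int i = 0; i < SESSION_SLOTS; i++) {
        if (sessions[i].valid && sessions[i].key == key) {
            uint64_t dt = now_us - sessions[i].last_seen_us;
            sessions[i].last_seen_us = now_us;
            sessions[i].last_used = use_clock;
            return dt;
        }
        if (!sessions[i].valid) {
            if (free_slot < 0) free_slot = i;
        } else if (sessions[i].last_used < sessions[lru_slot].last_used) {
            lru_slot = i;
        }
    }
    slot = free_slot >= 0 ? free_slot : lru_slot;
    sessions[slot].key = key;
    sessions[slot].last_seen_us = now_us;
    sessions[slot].last_used = use_clock;
    sessions[slot].valid = 1;
    return 0;
}

/* The fixed-length tensor that the real design pushes through the ring buffer. */
struct feature_tensor extract_features(uint32_t session_key, uint64_t now_us,
                                       const uint8_t *payload, size_t len,
                                       uint32_t depth)
{
    struct feature_tensor t;
    t.spatial  = spatial_feature(payload, len, depth);
    t.delta_us = session_delta_us(session_key, now_us);
    return t;
}

int main(void)
{
    /* Constructed input: the page's three chunked fragments from one client. */
    const char *frags[3] = {"1' UN", "ION SEL", "ECT credit_card FROM users --"};
    uint64_t t_us[3] = {0, 5000, 10000};   /* T0, T0+5ms, T0+10ms */
    for (int i = 0; i < 3; i++) {
        struct feature_tensor t = extract_features(0xC0A80001u, t_us[i],
            (const uint8_t *)frags[i], strlen(frags[i]), MAX_SCAN_DEPTH);
        printf("packet %d: spatial=%d delta_us=%llu\n", i + 1,
               (int)t.spatial, (unsigned long long)t.delta_us);
    }
    return 0;
}
```

With these weights the fragment "1' UN" scores 512 (Q8, i.e. 2.0) while "hello world" scores 192, and lowering the scan depth from 128 to 4 bytes cuts the first fragment's score to the single window that still fits; the score alone is not a verdict, which is why the design passes the tensor sequence to the user-space model rather than deciding in the probe.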

[0037] Step S102: User-state semantic association and intent reasoning.

[0038] This step aims to address the technical challenges of bypassing single-packet detection in highly covert attacks using methods such as chunked transmission and multiple obfuscation. Its core principle is to organize multiple feature tensors from the same session, transmitted from kernel space, into a sequence of feature tensors in chronological order. Then, utilizing the attention mechanism of a lightweight Transformer, it captures long-term dependencies across data packets at the sequence level, thereby reconstructing the semantics of the fragmented attack payload and achieving accurate intent reasoning.

[0039] Specifically, a dedicated small-parameter model (SLM) optimized by knowledge distillation is deployed in user space. This model receives a sequence of feature tensors from kernel space and performs the following processing: First, the embedding layer performs positional and temporal difference encoding on the feature tensor sequence. The Transformer model itself lacks the ability to process sequence order, therefore explicit injection of positional information is necessary. Positional encoding assigns a unique vector representation to each position in the sequence (i.e., each feature tensor), which is added to the feature tensor itself, enabling the model to perceive the order of data packets. Simultaneously, since the temporal difference Δt has already been extracted in step S101, the embedding layer also encodes Δt, allowing the model to perceive the time interval between adjacent data packets. This addresses the problem in chunked transmission attacks where attackers deliberately control packet transmission timing to disrupt detection.

[0040] Then, the association weights between feature tensors at different positions in the feature tensor sequence are calculated using a multi-head self-attention mechanism. Multi-head self-attention is the core of the Transformer: for each feature tensor (query Q) in the sequence, it computes a similarity score against all feature tensors in the sequence to obtain attention weights, which are then used to form a weighted sum of the values of all feature tensors, yielding a context-aware representation of that position. Through the multi-head mechanism, the model can learn different types of dependencies from several different subspaces. In this invention, this means that even if an attacker splits an SQL injection statement into packet A (containing 1' UN) and packet B (containing ION SEL), the tail features of packet A and the head features of packet B are semantically strongly correlated and therefore receive higher weights in the attention matrix.

[0041] Next, the calculated attention weights are used to weight and fuse the feature tensor sequence to generate a comprehensive feature vector representing the complete session attack intent. Specifically, after multiple layers of attention calculation, the feature representation at each position in the model output has incorporated the contextual information of the entire sequence. Typically, the model sets a special classification label ([CLS]) at the first position of the sequence. After multiple transformations, the output vector corresponding to this label gathers the global information of the entire sequence, forming a comprehensive feature vector. This vector is no longer a simple stacking of features from individual data packets, but a complete representation of the fragmented malicious intent reconstructed in the hidden space.

[0042] Finally, based on the obtained comprehensive feature vector, a nonlinear classifier (such as a multilayer perceptron) is used to output the confidence probability that the current session request sequence is a malicious attack. This probability is a value between 0 and 1, representing the likelihood that the current session belongs to an attack behavior.

[0043] Through the above steps, the detection system is endowed with cross-data packet memory and semantic understanding capabilities, which can effectively overcome the technical means of slicing malicious payloads using HTTP Chunked, slow attacks, etc., thereby raising the detection rate of advanced stealth attacks to a new level.

[0044] Step S103: Real-time blocking and adaptive degradation in kernel mode.

[0045] This step aims to resolve the conflict between security protection and business continuity in high-concurrency scenarios. Its core principle is to establish a fast blocking channel for user-mode decision-making and kernel-mode execution, and to introduce an adaptive degradation mechanism based on PID load feedback to ensure that under extreme traffic pressure, the system can proactively reduce the resource consumption of security detection and prioritize the availability of core services.

[0046] Specifically, this step includes two core sub-steps: real-time blocking and adaptive degradation.

[0047] (1) Real-time blocking. When the attack confidence probability output in step S102 exceeds the preset interception threshold, the user-space adaptive control and blocking module writes the session's blocking information (such as source IP and session ID) into the kernel-space eBPF blocking mapping table via the bpf() system call. The eBPF blocking mapping table is a hash table shared by kernel and user space. When subsequent packets belonging to this session arrive, the eBPF probe running at the XDP layer or system call layer first queries this blocking mapping table; if the packet characteristics match, the probe directly executes the XDP_DROP action, discarding the packet at the network interface card driver layer. The technical principle is that the blocking decision is pushed down from user space to the lowest level of kernel space, achieving microsecond-level real-time response; the blocking action involves no user-space context switch and has almost no impact on the processing path of normal services.

[0048] (2) Adaptive degradation. To ensure the stability of the system under sudden traffic surges, this invention introduces a load feedback mechanism based on PID control.

[0049] First, deploy performance probes to periodically (e.g., every 10 milliseconds) collect the current CPU soft interrupt latency of the host machine. Soft interrupts are the main mechanism for the Linux kernel to process network packets, and their latency directly reflects the degree to which network processing consumes CPU resources.

[0050] Then, in user mode, the PID controller uses the acquired CPU soft interrupt time as the current value and a preset safety target value (e.g., 70%) as the expected value, and calculates the error between the two. The PID control algorithm integrates the current error (proportional term P), historical error accumulation (integral term I), and error change trend (derivative term D), outputting a smooth and stable descent coefficient. This mechanism solves the system oscillation problem caused by simple threshold triggering.

[0051] Based on the descent coefficient output by the PID controller, the user-mode control module performs the following two dynamic adjustments: First, the depth of kernel-mode feature extraction is dynamically adjusted. Specifically, the user-mode control module writes the new scan byte length into a dedicated eBPF configuration mapping table. In each round of packet processing, the kernel-mode eBPF probe reads the latest scan depth from this configuration mapping table and uses it as the number of payload bytes to extract features from (e.g., reducing it from 128 bytes to 64 bytes). This adjustment directly reduces the computational load of the eBPF probe and thereby the CPU soft interrupt load.

[0052] Second, the interception threshold in user space is dynamically adjusted. The user-space control module directly modifies the interception threshold parameters stored in its memory space (e.g., increasing it from 0.85 to 0.95). This means the system becomes more conservative, only intercepting lethal attacks with extremely high confidence, while temporarily tolerating low-risk probing attacks, thus allocating valuable CPU time slices to core business processing threads. Furthermore, as a protection measure in extreme cases, when the system load continues to deteriorate and the CPU soft interrupt time exceeds the preset circuit breaker threshold, the user-space control module will automatically suspend the inference process of the lightweight Transformer model and bypass all traffic. This circuit breaker mechanism ensures that even if the security system itself cannot function properly due to extreme load, it will not cripple core business operations, fundamentally eliminating the potential for cascading failures caused by security devices.

[0053] Through the aforementioned adaptive degradation mechanism, this step constructs a closed loop of perception-decision-response at the system's underlying layer, achieving a dynamic balance between security protection strength and system load, and providing stable continuity assurance for high-concurrency services.
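The control loop of paragraphs [0050] to [0052], as an added C example that is not part of the patent: the PID step turns the soft interrupt error into a degradation coefficient, which then sets the eBPF scan depth and the user-space interception threshold, with the circuit breaker on top. The gains, the 90% breaker level and the 64-byte depth floor are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not the patent's code: the user-mode PID load loop of
 * paragraphs [0050]-[0052]. CPU softirq time is the measured value and 70% the
 * target; the coefficient (1 = no adjustment) drives the eBPF scan depth and
 * the interception threshold, and a breaker bypasses inference entirely.
 * The gains, the 90% breaker level and the 64-byte floor are assumptions. */
#define TARGET_SOFTIRQ_PCT  70.0   /* preset safety target (page value) */
#define BREAKER_SOFTIRQ_PCT 90.0   /* assumed circuit-breaker threshold */
#define SCAN_DEPTH_MAX      128    /* default scan depth (page value) */
#define SCAN_DEPTH_MIN      64     /* assumed floor (page example: 128 -> 64) */
#define THRESHOLD_BASE      0.85   /* page example: 0.85 -> 0.95 under load */
#define THRESHOLD_MAX       0.95

struct pid_state { double kp, ki, kd, integral, prev_err; };
struct degrade_cfg { uint32_t scan_depth; double threshold; int bypass; };

/* One sample of the loop. The error is overload above target, normalized;
 * the integral is clamped at zero so idle periods cannot wind it up. */
double pid_step(struct pid_state *s, double softirq_pct, double dt_s) {
    double err = (softirq_pct - TARGET_SOFTIRQ_PCT) / 100.0;
    s->integral += err * dt_s;
    if (s->integral < 0.0) s->integral = 0.0;        /* anti-windup */
    if (s->integral > 1.0) s->integral = 1.0;
    double deriv = (err - s->prev_err) / dt_s;
    s->prev_err = err;
    double u = s->kp * err + s->ki * s->integral + s->kd * deriv;
    double c = 1.0 - u;                                /* 1 = full depth, base threshold */
    if (c > 1.0) c = 1.0;
    if (c < 0.0) c = 0.0;
    return c;
}

/* Map the coefficient onto the two adjustments, with the breaker on top. */
struct degrade_cfg apply_coefficient(double c, double softirq_pct) {
    struct degrade_cfg cfg = { SCAN_DEPTH_MAX, THRESHOLD_BASE, 0 };
    if (softirq_pct >= BREAKER_SOFTIRQ_PCT) {         /* extreme load: bypass all */
        cfg.bypass = 1; cfg.scan_depth = 0; cfg.threshold = 1.0;
        return cfg;
    }
    cfg.scan_depth = SCAN_DEPTH_MIN + (uint32_t)((SCAN_DEPTH_MAX - SCAN_DEPTH_MIN) * c);
    cfg.threshold = THRESHOLD_MAX - (THRESHOLD_MAX - THRESHOLD_BASE) * c;
    return cfg;
}

int main(void) {
    struct pid_state s = { 2.0, 1.0, 0.5, 0.0, 0.0 };  /* assumed gains */
    const double samples[] = { 65, 72, 80, 85, 92, 75 }; /* constructed softirq % */
    for (unsigned i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        double c = pid_step(&s, samples[i], 1.0);
        struct degrade_cfg cfg = apply_coefficient(c, samples[i]);
        /* scan_depth would now be written to the eBPF config map with
         * bpf_map_update_elem(); the threshold stays in user-space memory. */
        printf("softirq=%.0f%% coef=%.2f depth=%u thr=%.3f bypass=%d\n",
               samples[i], c, (unsigned)cfg.scan_depth, cfg.threshold, cfg.bypass);
    }
    return 0;
}
```

At 65% (the page's own reading in step S3) the loop returns a coefficient of exactly 1, so the depth stays at 128 bytes and the threshold at its base value.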

[0054] The following specific network attack scenario illustrates the complete workflow of the method of this invention.

[0055] (1) Scenario setup. An online trading platform has deployed the defense system of this invention. An attacker attempts to bypass a traditional single-packet-inspection WAF by splitting the SQL injection statement "1' UNION SELECT credit_card FROM users –" across three separate data packets using HTTP chunked transfer encoding.

[0056] (2) Data packet sequence. Packet 1 (at time T0): contains the request line and part of the headers; its body part is "1' UN".

[0057] Packet 2 (T0+5ms): contains the subsequent chunk; its body part is "ION SEL".

[0058] Packet 3 (T0+10ms): contains the last chunk; its body part is "ECT credit_card FROM users –".

[0059] (3) System processing flow. Step S1: As the three data packets arrive at the server's network interface card (NIC) in sequence, the eBPF probe mounted at the XDP layer intercepts each of them. For each packet, the probe performs the following: ① Read the first 128 bytes of the message payload (the default scan depth).

[0060] ② Perform a one-dimensional convolution using the pre-set fixed-point weight kernel. This weight kernel is trained... It responds strongly to characters commonly seen in SQL injection (such as single quotes, spaces, UNION, SELECT, etc.). For packet 1, the convolution output picks up the local features "1'" and "UN", producing the spatial feature scalar a1.

[0061] ③ Query the LRU hash mapping table with the source IP as the key. For packet 1, no history record exists, so the temporal feature scalar Δt1 is set to 0. After packet 1 is processed, the current time T0 is stored in the mapping table.

[0062] ④ Concatenate a1 and Δt1 = 0 into the feature tensor T1 and send it to user space through the circular buffer.

[0063] When packet 2 arrives, the probe computes its spatial feature scalar a2 (e.g., detecting "ON SEL"), looks up the last access time T0 in the LRU mapping table, computes Δt2 = 5ms, and generates the feature tensor T2. Likewise, packet 3 yields the feature tensor T3 (with features such as "ECT...") and Δt3 = 5ms.

[0064] Step S2: The lightweight Transformer model in user space continuously reads feature tensors from the circular buffer, groups T1, T2, and T3 by session ID into the feature tensor sequence [T1, T2, T3], and processes it as follows: ① The embedding layer applies position encoding (positions 0, 1, and 2) and time-difference encoding (the Δt values) to T1, T2, and T3.

[0065] ② The multi-head self-attention mechanism is computed. When computing the representation of T2, the attention weights toward T1 and T3 are evaluated. Since T1 contains "UN" and T2 contains "ION SEL", they are strongly semantically coherent, so the attention weight between T2 and T1 is very high; similarly, the weight between T2 and T3 is also high.

[0066] ③ Through multi-layer attention computation and weighted fusion, the model produces a comprehensive feature vector at the [CLS] token. This vector has fully reconstructed the key semantic information, such as "UNION SELECT", that was spread across the three chunks.

[0067] ④ Based on this comprehensive feature vector, the nonlinear classifier outputs an attack confidence probability of 0.98.

[0068] Step S3: The user-space control module finds that the probability 0.98 exceeds the currently set interception threshold (say, 0.90) and performs the following: ① Real-time blocking: the control module immediately writes the attacker's source IP into the kernel-mode eBPF blocking mapping table.

[0069] ② Adaptive degradation: at the same time, the performance probe measures the current CPU soft interrupt time at 65%, slightly below the 70% target, and the PID controller outputs a degradation coefficient of 1 (i.e., no adjustment). The system remains in its normal detection state.

[0070] Step S4: Assume the attacker continues to send packet 4 (containing junk data to mask the attack) in the same session. When packet 4 arrives at the NIC, the eBPF probe at the XDP layer first queries the blocking mapping table before doing any other processing. Finding the source IP already in the blacklist, it immediately returns XDP_DROP, discarding packet 4 at the NIC driver layer. The entire blocking path completes in microseconds, with almost no impact on the normal service processing path.

[0071] As this embodiment shows, the method of the present invention successfully reassembles and identifies in user space an SQL injection statement transmitted in chunks, and achieves rapid blocking in kernel space, verifying its effectiveness against highly covert attacks.

[0072] Example 2. See Figure 2. Another embodiment of the present invention provides a Web high-stealth attack adaptive defense device 200, including a kernel-mode traffic interception and feature reduction module 201, a user-mode semantic association and reasoning module 202, and a kernel-mode real-time blocking and adaptive degradation module 203. This Web high-stealth attack adaptive defense device 200 is capable of executing the Web high-stealth attack adaptive defense method of the above method embodiments.

[0073] Specifically, the Web high-stealth attack adaptive defense device 200 includes: the kernel-mode traffic interception and feature dimensionality reduction module 201, which intercepts network traffic in kernel mode through an eBPF probe, performs feature extraction and dimensionality reduction compression on the original packets inside the eBPF probe to generate a fixed-length feature tensor, and transfers the feature tensor to the operating system user mode in a zero-copy manner; the user-space semantic association and reasoning module 202, which, in user space, performs cross-packet semantic association and intent reasoning on a sequence of feature tensors composed of multiple feature tensors using a pre-trained lightweight Transformer model, and outputs the attack confidence probability; and the kernel-mode real-time blocking and adaptive degradation module 203, which, when the attack confidence probability exceeds a preset blocking threshold, sends user-mode blocking information to the kernel-mode eBPF mapping table, has the kernel-mode eBPF probe read that mapping table and discard matching packets in real time, and, in user mode, performs feedback control based on the real-time system load, dynamically adjusting the depth of kernel-mode feature extraction through the kernel-mode eBPF mapping table and adjusting the blocking threshold.

[0074] It should be noted that the technical solution of the Web high-stealth attack adaptive defense device 200 provided in this embodiment, which can execute the various method embodiments, has implementation principles and technical effects similar to those of the methods, and is not repeated here.

[0075] Example 3. See Figure 3. This embodiment also provides a structural schematic of an electronic device 300 used to implement the adaptive defense method against highly covert web attacks of the method embodiment. The electronic device 300 in this embodiment may be a smart terminal, PC, laptop, server, dedicated network security appliance, edge computing node, etc. The electronic device 300 shown in Figure 3 is merely an example and should not be construed as limiting the functionality or scope of use of the embodiments of the present invention.

[0076] As shown in Figure 3, the electronic device 300 may include a processing device (e.g., a central processing unit, a graphics processing unit, etc.) 301, which performs various appropriate actions and processes to implement the methods of the embodiments described herein according to a program stored in a read-only memory (ROM) 302 or loaded from a storage device 308 into a random access memory (RAM) 303. The RAM 303 also stores the programs and data required for the operation of the electronic device 300. The processing device 301, ROM 302, and RAM 303 are interconnected via a bus 305. An input/output (I/O) interface 304 is also connected to the bus 305.

[0077] Typically, the following devices can be connected to the I/O interface 304: input devices 306, including for example touchscreens, touchpads, keyboards, mice, cameras, microphones, accelerometers, gyroscopes, etc.; output devices 307, including for example liquid crystal displays (LCDs), speakers, vibrators, etc.; storage devices 308, including for example magnetic tapes, hard disks, etc.; and communication devices 309. The communication device 309 allows the electronic device 300 to communicate wirelessly or by wire with other devices to exchange data. Although Figure 3 shows an electronic device 300 with various devices, it should be understood that not all of the devices shown need to be implemented or present; more or fewer devices may be implemented or present instead.

[0078] The above description is merely a preferred embodiment of the present invention. Those skilled in the art should understand that the scope of disclosure of this invention is not limited to the specific combination of the technical features described above, but also covers other technical solutions formed by any combination of those technical features or their equivalents without departing from the concept described above, for example, technical solutions formed by substituting the above features with (but not limited to) technical features having similar functions disclosed in this invention.

Claims

1. An adaptive defense method for highly covert web attacks, characterized in that it includes the following steps: a kernel-mode traffic interception and feature dimensionality reduction step: network traffic is intercepted in kernel mode through an eBPF probe, and feature extraction and dimensionality reduction compression are performed on the original packets in the eBPF probe to generate a fixed-length feature tensor; the feature tensor is then transferred to the operating system user mode in a zero-copy manner; a user-space semantic association and reasoning step: in user space, a pre-trained lightweight Transformer model is used to perform cross-packet semantic association and intent reasoning on a sequence of feature tensors composed of multiple feature tensors, and to output the attack confidence probability; a kernel-mode real-time blocking and adaptive degradation step: when the attack confidence probability exceeds the preset blocking threshold, the user-mode blocking information is sent to the kernel-mode eBPF mapping table; the kernel-mode eBPF probe reads the eBPF mapping table, and matching packets are discarded in real time; in user mode, feedback control is performed based on the real-time system load; the depth of kernel-mode feature extraction is dynamically adjusted through the kernel-mode eBPF mapping table, and the blocking threshold is adjusted accordingly.

2. The adaptive defense method for highly covert web attacks according to claim 1, characterized in that the kernel-mode traffic interception and feature dimensionality reduction step specifically includes: mounting an eBPF probe at the XDP layer or the system call layer to intercept decrypted HTTP or HTTPS messages; in the eBPF probe, performing a one-dimensional convolution on the message payload using a pre-set fixed-point weight kernel to extract a spatial feature scalar; maintaining the session state in an eBPF LRU hash map, calculating the arrival time difference of the HTTP or HTTPS messages, and extracting a temporal feature scalar; and concatenating the spatial feature scalar and the temporal feature scalar into a fixed-length feature tensor, which is then asynchronously transmitted to user space through a lock-free circular buffer.

3. The adaptive defense method for highly covert web attacks according to claim 2, characterized in that the kernel-mode traffic interception and feature dimensionality reduction step also includes: when performing the one-dimensional convolution on the message payload, forcibly unrolling the multiply-accumulate loop through compiler directives so that it passes the eBPF verifier's loop check, and pre-quantizing the fixed-point weight kernel to avoid the restriction on floating-point operations.

4. The adaptive defense method for highly covert web attacks according to claim 1, characterized in that the user-space semantic association and reasoning step specifically includes: in the embedding layer of the user-space lightweight Transformer model, encoding the received feature tensor sequence by position and by time difference; calculating the attention weights between feature tensors at different positions in the feature tensor sequence through its multi-head self-attention mechanism; performing weighted fusion of the feature tensor sequence using these attention weights to generate a comprehensive feature vector representing the complete session attack intent; and, based on the comprehensive feature vector, outputting an attack confidence probability through a nonlinear classifier.

5. The adaptive defense method for highly covert web attacks according to claim 1, characterized in that the kernel-mode real-time blocking and adaptive degradation step also includes: periodically collecting the host CPU soft interrupt time in user mode; calculating the error between the current CPU soft interrupt time and the preset target value using a PID control algorithm and outputting a degradation coefficient; and, based on the degradation coefficient, dynamically reducing the number of packet payload bytes scanned by the kernel-mode eBPF probe while simultaneously raising the interception threshold of the attack confidence probability.

6. The adaptive defense method for highly covert web attacks according to claim 5, characterized in that it also includes: when the host CPU soft interrupt time exceeds the preset limit threshold, automatically suspending the inference process of the lightweight Transformer model in user space and bypassing all traffic.

7. A highly covert web attack adaptive defense device, characterized in that it includes: a kernel-mode traffic interception and feature dimensionality reduction module, used to intercept network traffic in kernel mode through an eBPF probe, perform feature extraction and dimensionality reduction compression on the original packets in the eBPF probe to generate a fixed-length feature tensor, and transfer the feature tensor to the operating system user mode in a zero-copy manner; a user-space semantic association and reasoning module, used to perform cross-packet semantic association and intent reasoning in user space on a sequence of feature tensors composed of multiple feature tensors using a pre-trained lightweight Transformer model, and to output the attack confidence probability; and a kernel-mode real-time blocking and adaptive degradation module, used to send user-mode blocking information to the kernel-mode eBPF mapping table when the attack confidence probability exceeds a preset blocking threshold, so that the kernel-mode eBPF probe reads the eBPF mapping table and discards matching packets in real time, and, in user mode, to perform feedback control based on the real-time system load, dynamically adjusting the depth of kernel-mode feature extraction through the kernel-mode eBPF mapping table and adjusting the blocking threshold.

8. The adaptive defense device for highly covert web attacks according to claim 7, characterized in that the kernel-mode traffic interception and feature dimensionality reduction module is specifically used to: mount an eBPF probe at the XDP layer or the system call layer to intercept decrypted HTTP or HTTPS messages; in the eBPF probe, perform a one-dimensional convolution on the message payload using a pre-set fixed-point weight kernel to extract a spatial feature scalar; maintain the session state in an eBPF LRU hash map, calculate the arrival time difference of the HTTP or HTTPS messages, and extract a temporal feature scalar; and concatenate the spatial feature scalar and the temporal feature scalar into a fixed-length feature tensor, which is then asynchronously transmitted to user space through a lock-free circular buffer.

9. The adaptive defense device for highly covert web attacks according to claim 8, characterized in that the kernel-mode traffic interception and feature reduction module is also used to: when performing the one-dimensional convolution on the message payload, forcibly unroll the multiply-accumulate loop through compiler directives so that it passes the eBPF verifier's loop check, and pre-quantize the fixed-point weight kernel to avoid the restriction on floating-point operations.

10. The adaptive defense device for highly covert web attacks according to claim 7, characterized in that the user-space semantic association and reasoning module is used to perform positional encoding and time-difference encoding on the received feature tensor sequence in the embedding layer of the user-space lightweight Transformer model, calculate the attention weights between feature tensors at different positions in the feature tensor sequence through its multi-head self-attention mechanism, perform weighted fusion of the feature tensor sequence using these attention weights to generate a comprehensive feature vector representing the complete session attack intent, and, based on the comprehensive feature vector, output the attack confidence probability through a nonlinear classifier; and the kernel-mode real-time blocking and adaptive degradation module is used to periodically collect the host CPU soft interrupt time in user mode, calculate the error between the current CPU soft interrupt time and the preset target value using a PID control algorithm and output a degradation coefficient, and, according to the degradation coefficient, dynamically reduce the number of packet payload bytes scanned by the kernel-mode eBPF probe while simultaneously raising the interception threshold of the attack confidence probability.