A distributed network security performance quantitative verification method and system based on double-end closed-loop interaction

The distributed network security performance quantitative verification method with dual-end closed-loop interaction solves the problem that existing technologies cannot perform high-simulation, full-process, and quantifiable performance verification of security protection equipment in production environments. It realizes harmless testing and multi-dimensional quantitative evaluation of protection equipment and supports automated verification of encrypted traffic and multi-step attack chains.

CN122226501APending Publication Date: 2026-06-16HEFEI NETWORK INSTR TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
HEFEI NETWORK INSTR TECH CO LTD
Filing Date
2026-05-12
Publication Date
2026-06-16

AI Technical Summary

Technical Problem

Existing technologies struggle to perform highly realistic, full-process, and quantifiable performance verification of security equipment in production environments without interfering with or disrupting real business operations, particularly lacking the ability to verify performance in encrypted communication environments and multi-step interconnected attack chains.

Method used

A distributed network security performance quantitative verification method based on dual-end closed-loop interaction is adopted. Through dual-end traffic feature comparison and in-band traffic labeling technology, the harmless testing of protection devices is realized. It supports encrypted traffic verification and automated orchestration of multi-step related attack chains, combined with a causal association attack graph orchestration engine and quantitative performance index calculation.

Benefits of technology

It achieves highly realistic, full-process, and quantifiable performance verification of protective equipment, breaks the black box status of defense, provides multi-dimensional quantitative evaluation results, reduces labor costs and technical barriers, and ensures that testing does not interfere with normal operation and maintenance.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122226501A_ABST
    Figure CN122226501A_ABST
Patent Text Reader

Abstract

The application discloses a kind of distributed network security efficiency quantitative verification method and system based on double-end closed-loop interaction, belong to network security technical field.The method is by central control node to the distributed agent node deployed in the two sides of the protection equipment to be measured to issue attack script, by upstream node reconstruct attack message and inject in-band label after sending out, by downstream node real-time capture to arrive message, then by central control node pull double-end data to carry out point-to-point alignment and feature comparison, finally, combined with the log of protection equipment, quantitative performance index is automatically calculated and output.The application realizes the accurate quantitative evaluation of the indicators such as interception rate, response delay and rule coverage of protection equipment through double-end closed-loop interaction architecture without touching real business assets, and has the advantages of high security, transparent evaluation, support for encrypted traffic verification and multi-step attack chain simulation.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of network security technology, and specifically to a method and system for quantitative verification of distributed network security performance based on dual-end closed-loop interaction. Background Technology

[0002] With increasingly fierce cybersecurity competition, traditional security effectiveness assessment methods have significant limitations.

[0003] First, non-destructive real-world verification is lacking. Traditional intrusion and attack simulation tools are mostly one-way traffic triggers, only able to send preset attack data packets, lacking bidirectional interaction logic with the target machine. This one-way testing method is difficult to simulate the entire process of real, multi-step vulnerability exploitation, and even more so, it cannot induce the deep detection mechanisms of defense devices, resulting in a significant deviation between the verification results and real attack and defense scenarios, and limiting the reference value of the evaluation conclusions.

[0004] Secondly, the assessment of intermediate link protection is a black box. In production networks, various security protection devices are deployed in the middle of the traffic link, and existing testing methods cannot compare the differences in traffic characteristics before and after passing through the protection devices in real time. Security operations personnel can only see whether the devices generate alarms, but cannot quantitatively analyze the interception delay of the protection devices, the accuracy of deep packet inspection, or whether there are any failure points in the protection strategy. This ambiguity in assessment makes the judgment of protection effectiveness rely on experience and subjective speculation for a long time.

[0005] Secondly, there are blind spots in the verification of encryption and complex attacks. With the widespread use of encrypted network communication, a large amount of traffic is transmitted encrypted using transport layer security protocols. Existing technologies struggle to handle protection verification in encrypted environments and cannot verify the true effectiveness of security devices in the decryption detection phase. Furthermore, real-world network attacks are often multi-step, causally related attack chains. Traditional tools can only simulate single attack actions and lack the ability to verify complete attack chains, making it impossible to assess the effectiveness of a defense system against complex attacks in depth.

[0006] In conclusion, how to conduct highly realistic, full-process, and quantifiable performance verification of security protection equipment in the production environment without causing any interference or damage to real business operations has become an urgent technical problem to be solved in the field of cybersecurity assessment. Summary of the Invention

[0007] The purpose of this invention is to provide a distributed network security performance quantitative verification method and system based on dual-end closed-loop interaction. Through a dual-end closed-loop interaction architecture, an attack logic closed loop is formed between controlled nodes, achieving highly realistic security verification that is harmless to the production environment. The system achieves microsecond-level quantitative evaluation of indicators such as interception delay and load attenuation rate of protection devices by comparing dual-end traffic characteristics, breaking through the defense black box. Simultaneously, it supports the automated orchestration and execution of encrypted traffic verification and multi-step associated attack chains, transforming penetration testing into routine automated inspection, significantly improving the accuracy and practicality of security performance evaluation.

[0008] To achieve the above objectives, the technical solution adopted by the present invention is as follows: A quantitative verification method for distributed network security performance based on dual-end closed-loop interaction includes: Step 1: The central control node sends the attack script to the distributed proxy nodes deployed on both sides of the protection device under test, and performs clock synchronization between the two nodes; Step 2: The upstream distributed proxy node reconstructs the attack message according to the attack script, and after injecting a tag including a unique task identifier and a sending timestamp into the message header, sends the message to the protection device under test. Step 3: The downstream distributed proxy node captures the arriving packets processed by the protection device under test in real time within a specified window period, records the arrival timestamp, and extracts the packet payload. Step 4: The central control node pulls the raw data captured by the dual-end distributed agent nodes, performs point-to-point alignment based on the task identifier, and compares the differences in message payload characteristics between the sending and receiving ends using a digest algorithm. Step 5: Based on the comparison results and the interception logs of the protection device under test, the central control node automatically calculates and outputs quantitative performance indicators.

[0009] Furthermore, in step 1, the attack script is a traffic profile that defines the entire interaction sequence of a specific vulnerability exploitation process.

[0010] Furthermore, the distributed proxy node has the ability to dynamically reconstruct its dual identity as an attacker and a target machine. The central control node statically assigns or dynamically orchestrates the roles of the distributed proxy nodes according to the verification path, so that the nodes outside the firewall switch to attack mode and the nodes inside switch to target machine mode. The distributed proxy nodes in target machine mode construct a dynamic state machine based on the traffic profile and, according to the received attack payload, feed back the corresponding business response message according to the state machine logic.

[0011] Furthermore, in step 2, the label is an in-band traffic label, which is a non-destructive identity label injected by the distributed proxy node using IPv4 header custom options or specific offset bits in the TCP header when reconstructing the packet.

[0012] Furthermore, for HTTPS / TLS encrypted environments, the central control node synchronously distributes experimental certificates and session keys to the distributed proxy nodes at both ends; the distributed proxy node at the sending end simulates a client to perform an encrypted handshake, and the distributed proxy node at the receiving end simulates a server to perform decryption, which is used to verify the interception effectiveness of the protection device under test against malicious payloads in the decrypted state.

[0013] Furthermore, the attack script is generated using an automated heterogeneous signature packet conversion algorithm, specifically including: Perform deep packet inspection and protocol deconstruction on the original data packet file to extract the attack payload and key fields; Identify and analyze the timing relationship of bidirectional messages, and construct a causal timing chain of request-response; Dynamic fields in the message are identified as configurable variable placeholders and then parameterized and abstracted. Based on the obtained information, an interactive state machine containing state transition logic is synthesized and encapsulated as an attack script.

[0014] Furthermore, the quantitative performance indicators include interception rate, response latency, rule coverage, load reduction rate, and alarm fidelity.

[0015] This invention also provides a distributed network security performance quantitative verification system based on dual-end closed-loop interaction, comprising: The central control node is used to achieve unified scheduling, task distribution, data aggregation, and performance calculation. At least one set of distributed proxy nodes are deployed on both sides of the protection device under test. Each proxy node has a built-in interactive state machine engine to support the dynamic loading and switching of the dual identities of the attack engine and the virtual target machine. The traffic reconstruction and label injection unit is integrated into the distributed proxy node that acts as the sender. It is used to inject non-destructive in-band traffic labels containing task identifiers and sending timestamps when reconstructing packets. The dual-end traffic feature comparison unit, integrated into the central control node, is used to perform point-to-point alignment of packets captured from both ends based on task identifiers, and to calculate payload feature differences through digest and edit distance algorithms.

[0016] In summary, the present invention has at least one of the following beneficial technical effects: First, the verification security is extremely high. This invention constructs a simulated attack environment through a traffic profile state machine and dual-ended closed-loop technology, ensuring that the attack behavior forms a logical closed loop only between two controlled agent nodes. Throughout the verification process, the attack traffic does not touch, scan, or damage any real business assets, achieving completely harmless testing of the production environment and making routine security verification possible.

[0017] Second, the evaluation results are quantifiable and transparent. This invention completely breaks the black-box nature of traditional defense equipment evaluation. By synchronously capturing traffic and comparing features through proxy nodes located on both sides of the protection equipment, it achieves for the first time automated quantitative analysis of the multi-dimensional performance of security equipment, including interception rate, interception latency, missed detection features, and decryption detection capabilities. The evaluation results are verifiable and traceable, providing objective data support for security operation and maintenance decisions.

[0018] Third, the invention enhances the practicality and automation of testing capabilities. By combining a causal attack graph orchestration engine with an automated packet conversion algorithm, this invention transforms complex expert-level penetration testing actions into standardized, automatically executable verification tasks. The system supports automated verification of the effectiveness of multi-step attack chain defenses and rapid deployment in scenarios involving tens of thousands of intrusions, enabling routine practical drills and effectively reducing the manpower costs and technical barriers to security testing.

[0019] Fourth, it offers a user-friendly operational environment. This invention employs in-band traffic labeling technology to inject non-destructive identity tags into test packets. These tags can be automatically identified and filtered by the situational awareness platform to prevent triggering false alarms across the network during verification, while not affecting the normal identification of attack payload characteristics by protection devices. This technology effectively resolves the long-standing conflict between attack simulation verification traffic and security operation and maintenance alarms, ensuring that the verification process does not interfere with normal security monitoring work. Attached Figure Description

[0020] Figure 1 This is a flowchart illustrating the method of the present invention. Detailed Implementation

[0021] To make the objectives, technical solutions, and advantages of this invention clearer, the invention will be further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative and not intended to limit the invention. Furthermore, the technical features involved in the various embodiments of this invention described below can be combined with each other as long as they do not conflict with each other.

[0022] This invention provides a distributed network security performance quantitative verification system based on dual-end closed-loop interaction, comprising: a central control node (CheckCenter, CC) and at least one set of distributed proxy nodes (CheckPoint, CP). The relevant technologies involved will be described in detail below: 1. Distributed proxy nodes It has the following technical features: (1) Dynamic Reconstruction of Attack-Target Dual Identity: The CP node does not run real business, but has a built-in interactive state machine engine. The distributed proxy node has dual logical functions of attack engine and virtual target. The system statically assigns or dynamically orchestrates the role of CheckPoint according to the verification path: the node outside the firewall switches to attack mode, and the node inside switches to target mode. The attack behavior only forms a logical closed loop between the two controlled nodes, physically circumventing real business assets.

[0023] (2) Profile-driven high-fidelity interaction: CP nodes do not rely on real OS images, but load specific traffic profiles. The profile defines the interaction sequence of the entire process of exploiting a specific vulnerability (e.g., the attacker sends a payload → the target machine replies with a specific status code / fingerprint → the attacker executes subsequent shellcode). The "virtual target machine" of this system builds a dynamic state machine based on the traffic profile. The profile presets the entire process message sequence of exploiting a specific vulnerability. During the verification process, the virtual target machine, based on the received attack payload, feeds back the corresponding business response message according to the state machine logic (e.g., successfully echoing the vulnerability overflow of a specific Web server), thereby realizing the deep induction of the bidirectional traffic detection capability of the defense device.

[0024] (3) Dual-end traffic feature alignment module: CP nodes deployed on both sides of the protection device under test, synchronously capture point-to-point interactive messages, and use them to calculate feature interception rate and latency.

[0025] 2. Central control node It has the following technical features: (1) Causal association attack graph (DAG) orchestration engine: Supports combining multiple atomic attacks into a directed acyclic graph. CC dynamically decides whether to trigger the next attack based on the feedback result (success / failure) of the receiving end CP node (e.g., after successfully obtaining privileges by exploiting the first Web vulnerability, the second step triggers the simulation of lateral movement within the intranet).

[0026] (2) Performance quantitative analysis model: Based on the dual-end traffic comparison model, the blocking rate, detection rate and mean response time (MTTI) are automatically calculated.

[0027] 3. Closed-loop comparison mechanism based on point-to-point traffic reconstruction The system achieves microsecond-level quantitative monitoring of the protection effectiveness of the intermediate link through dual-end collaboration, specifically including the following: (1) In-band traffic label avoidance technology: During the traffic reconstruction phase, the distributed proxy node at the sending end injects a non-destructive identity label using IPv4 header custom options or specific offset bits in the TCP header when reassembling packets. This label is used to automatically filter and verify traffic in the SOC / situation awareness platform to prevent triggering false alarms across the entire network during testing, while not affecting the defense equipment's identification of payload characteristics.

[0028] (2) Transparent verification of encrypted traffic: For HTTPS / TLS environments, the system supports a synchronous certificate pair loading mechanism. CheckCenter sends experimental certificates and session key synchronization protocols to both proxy nodes. The sending CP simulates a client handshake, and the receiving CP simulates server decryption, thereby verifying the interception effectiveness of intermediate defense devices (such as SSL decryption gateways) against malicious payloads in the decrypted state.

[0029] (3) Closed-loop comparison and performance calculation: The sending end records the precise timestamp of the sent message, and the receiving end captures the arriving message in real time and performs feature alignment. By comparing the feature differences of the sent / received messages (such as whether the payload is truncated or the signature is replaced), the system automatically calculates the interception rate and rule coverage rate, and calculates the response delay of the defense device based on the dual-end clock synchronization mechanism.

[0030] 4. Malicious code behavior simulation and interaction For defense verification at the host side (EDR / antivirus software) and email gateway, the system employs behavioral mirroring technology, which specifically includes the following: (1) Controlled environment behavior simulation: The agent node integrates a lightweight virtual execution environment. When simulating a specific Trojan or ransomware, the system does not execute real destructive system calls, but instead generates corresponding interactive traffic (such as specific heartbeat sequences of reverse shells, C2 command issuance characteristics, and simulated traffic for reading sensitive files) through the behavior simulation engine, thereby inducing the dynamic detection logic of the defense system.

[0031] (2) Multi-dimensional feature triggering: Through sandbox or microservice components, simulate the logical features of registry modification and file write operation after infection to generate real lateral movement simulation traffic and verify the defense system's ability to perceive "behavior after being compromised".

[0032] 5. Automated conversion algorithm from heterogeneous signature packets to attack scripts The system has a built-in parsing engine that enables rapid loading of attack scenarios and complex link orchestration, specifically including the following: (1) Payload deconstruction and parameterized mapping: The algorithm supports deep deconstruction of the original Pcap file or custom feature string, automatically extracts the attack payload, key fields and time series relationships, and maps them to the task model. It supports parameterized random transformation of fields such as source / destination IP, port and User-Agent to improve the coverage of verification.

[0033] (2) Causal Association Attack Graph (DAG) Orchestration: The algorithm not only supports single-step attack transformation, but also supports the construction of association attack graphs with causal logic. The system can automatically trigger the next stage of attack tasks (such as performing database injection simulation in step B) based on the real-time feedback results of the receiving end proxy node (such as successfully bypassing the firewall in step A), thereby realizing the automated verification of the effectiveness of protection against multi-step attack links.

[0034] The overall steps of the algorithm will be explained in detail in the subsequent methods.

[0035] like Figure 1 As shown, the present invention also provides a method for quantitative verification of distributed network security performance based on dual-ended closed-loop interaction, applied to the aforementioned system for quantitative verification of distributed network security performance based on dual-ended closed-loop interaction, comprising: Step 1: The central control node sends the attack script to the distributed proxy nodes deployed on both sides of the protection device under test, and performs clock synchronization between the two nodes; Step 2: The upstream distributed proxy node reconstructs the attack message according to the attack script, and after injecting a tag including a unique task identifier and a sending timestamp into the message header, sends the message to the protection device under test. Step 3: The downstream distributed proxy node captures the arriving packets processed by the protection device under test in real time within a specified window period, records the arrival timestamp, and extracts the packet payload. Step 4: The central control node pulls the raw data captured by the dual-end distributed agent nodes, performs point-to-point alignment based on the task identifier, and compares the differences in message payload characteristics between the sending and receiving ends using a digest algorithm. Step 5: Based on the comparison results and the interception logs of the protection device under test, the central control node automatically calculates and outputs quantitative performance indicators.

[0036] In step 1, the attack script is a traffic profile that defines the entire interaction sequence of a specific vulnerability exploitation process.

[0037] In step 2, the label is an in-band traffic label. When the distributed proxy node reconstructs the packet, it injects a non-destructive identity label using IPv4 header custom options or specific offset bits in the TCP header.

[0038] In step 3, the processing of messages by the protection device under test includes filtering, cleaning, rewriting, or blocking operations.

[0039] In step 4, the digest algorithm is MD5 and fuzzy hash.

[0040] In step 5, the central control node reconciles logs with the protection device under test. The central control node accesses the interception logs of the protection device under test, matches the source IP, destination IP and characteristic actions, and obtains the protection rule hit ID.

[0041] In step 5, in addition to quantitative performance indicators, the output also includes an interception path diagram.

[0042] Next, we will first introduce the quantitative performance indicators: 1. Interception rate: Reflects the actual interception effect of security equipment; ; In the formula, This refers to the total number of attack scripts sent. The number of attack scripts whose features have not been tampered with, received by the target machine.

[0043] 2. Response delay: Reflects the processing time for security equipment to perform identification; ; In the formula, and These represent the timestamps for receiving and sending data, respectively. To compensate for the synchronization residual, a clock skew compensation value based on the PTP (1588v2) protocol is introduced. To mitigate dynamic link bias, a set of non-attack probe packets is sent before sending attack packets to measure the current link baseline latency in real time.

[0044] 3. Rule Coverage: Measures how many of the tested attack features are covered by the current policy rules; ; In the formula, This indicates the number of unique rule IDs of the defense device that were triggered during the verification task (after deduplication). This indicates the total number of different CVE IDs or attack categories included in a single verification task.

[0045] 4. Payload Attenuation Rate: Some WAFs do not directly block connections but instead remove malicious code from packets. This metric quantifies the security device's ability to accurately clean packets. It uses string edit distance to calculate the payload of attack-side A packets. Target drone B message payload The similarity is: .

[0046] 5. Alarm fidelity: Compare the consistency between the attack tags issued by CheckCenter and the attack categories in the security device logs; ; In the formula, This indicates the number of attack tags that match the attack categories in the security device logs. This indicates the total number of alarms from security equipment.

[0047] It should also be noted that the attack script is generated using an automated heterogeneous signature packet conversion algorithm, specifically including: Message preprocessing and deep packet inspection. The engine reads the raw Pcap file and uses a protocol parsing engine (supporting HTTP / TCP / UDP / ICM protocols, etc.) to restore the bitstream into structured protocol fields; Attack payload stripping. Identify control and data flow in packets, automatically locate and extract key payloads for exploiting vulnerabilities (such as overflow strings, shellcode, and malicious commands); Timing relationships and session reassembly. Analyze the interaction sequence and time intervals of bidirectional messages to construct a causal timing chain of "Request-Response"; Parameterized variable abstraction. The engine automatically identifies dynamic fields in the message (such as IP address, port number, cookie, sessionID) and converts them into configurable variable placeholders; State machine script synthesis. Based on the above characteristics, an interactive state machine is synthesized: Logic: State 0 (standby) → Action 1 (send payload) → State 1 (await response) → If a signature is received (enter state 2, trigger the next step); Task Profile Export. The state machine logic is encapsulated into a lightweight JSON format profile and distributed to CP nodes for loading and execution.

[0048] Embodiments of the present invention may be provided as methods, systems, or computer program products. Therefore, the present invention may take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.

[0049] This invention is described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, generate instructions for implementing the flowchart illustrations and / or block diagrams. Figure 1 One or more processes and / or boxes Figure 1 A device that provides the functions specified in one or more boxes.

[0050] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means, which are implemented in a process Figure 1 One or more processes and / or boxes Figure 1 The function specified in one or more boxes.

[0051] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment to cause a series of operational steps to be performed on the computer or other programmable equipment to produce a computer-implemented process, thereby providing instructions that execute on the computer or other programmable equipment for implementing the process. Figure 1 One or more processes and / or boxes Figure 1 The steps of the function specified in one or more boxes.

[0052] Contents not described in detail in this specification are prior art known to those skilled in the art. It is hereby indicated that the above description is intended to help those skilled in the art understand this invention, but does not limit the scope of protection of this invention. Any equivalent substitutions, modifications, improvements, or simplifications of the above descriptions that do not depart from the essential content of this invention fall within the scope of protection of this invention.

Claims

1. A method for quantitatively verifying the effectiveness of distributed network security based on dual-end closed-loop interaction, characterized in that, include: Step 1: The central control node sends the attack script to the distributed proxy nodes deployed on both sides of the protection device under test, and performs clock synchronization between the two nodes; Step 2: The upstream distributed proxy node reconstructs the attack message according to the attack script, and after injecting a tag including a unique task identifier and a sending timestamp into the message header, sends the message to the protection device under test. Step 3: The downstream distributed proxy node captures the arriving packets processed by the protection device under test in real time within a specified window period, records the arrival timestamp, and extracts the packet payload. Step 4: The central control node pulls the raw data captured by the dual-end distributed agent nodes, performs point-to-point alignment based on the task identifier, and compares the differences in message payload characteristics between the sending and receiving ends using a digest algorithm. Step 5: Based on the comparison results and the interception logs of the protection device under test, the central control node automatically calculates and outputs quantitative performance indicators.

2. The method for quantitatively verifying the effectiveness of distributed network security based on dual-end closed-loop interaction according to claim 1, characterized in that, In step 1, the attack script is a traffic profile that defines the entire interaction sequence of a specific vulnerability exploitation process.

3. The method for quantitatively verifying the effectiveness of distributed network security based on dual-end closed-loop interaction according to claim 2, characterized in that, The distributed proxy node has the ability to dynamically reconstruct its dual identity as an attacker and a target machine. The central control node statically assigns or dynamically orchestrates the roles of the distributed proxy node according to the verification path, so that the nodes outside the firewall switch to attack mode and the nodes inside switch to target machine mode. The distributed proxy node in target machine mode builds a dynamic state machine based on the traffic profile and feeds back the corresponding business response message according to the received attack payload and the state machine logic.

4. The method for quantitatively verifying the effectiveness of distributed network security based on dual-end closed-loop interaction according to claim 1, characterized in that, In step 2, the label is an in-band traffic label. When the distributed proxy node reconstructs the packet, it injects a non-destructive identity label using IPv4 header custom options or specific offset bits in the TCP header.

5. The method for quantitatively verifying the effectiveness of distributed network security based on dual-end closed-loop interaction according to claim 1, characterized in that, For HTTPS / TLS encrypted environments, the central control node synchronously sends experimental certificates and session keys to the distributed proxy nodes at both ends; the distributed proxy node at the sending end simulates a client to perform an encrypted handshake, and the distributed proxy node at the receiving end simulates a server to perform decryption, which is used to verify the interception effectiveness of the protection device under test against malicious payloads in the decrypted state.

6. The method for quantitatively verifying the effectiveness of distributed network security based on dual-end closed-loop interaction according to claim 2, characterized in that, The attack script is generated using an automated heterogeneous signature packet conversion algorithm, specifically including: Perform deep packet inspection and protocol deconstruction on the original data packet file to extract the attack payload and key fields; Identify and analyze the timing relationship of bidirectional messages, and construct a causal timing chain of request-response; Dynamic fields in the message are identified as configurable variable placeholders and then parameterized and abstracted. Based on the obtained information, an interactive state machine containing state transition logic is synthesized and encapsulated as an attack script.

7. The method for quantitatively verifying the effectiveness of distributed network security based on dual-end closed-loop interaction according to claim 1, characterized in that, The quantitative performance indicators include interception rate, response latency, rule coverage, load reduction rate, and alarm fidelity.

8. A distributed network security performance quantitative verification system based on dual-ended closed-loop interaction, applied to the distributed network security performance quantitative verification method based on dual-ended closed-loop interaction as described in any one of claims 1-7, characterized in that, include: The central control node is used to achieve unified scheduling, task distribution, data aggregation, and performance calculation. At least one set of distributed proxy nodes are deployed on both sides of the protection device under test. Each proxy node has a built-in interactive state machine engine to support the dynamic loading and switching of the dual identities of the attack engine and the virtual target machine. The traffic reconstruction and label injection unit is integrated into the distributed proxy node that acts as the sender. It is used to inject non-destructive in-band traffic labels containing task identifiers and sending timestamps when reconstructing packets. The dual-end traffic feature comparison unit, integrated into the central control node, is used to perform point-to-point alignment of packets captured from both ends based on task identifiers, and to calculate payload feature differences through digest and edit distance algorithms.