Adaptive resource dynamic scheduling method based on multi-modal behavior feature processing
By constructing a visitor behavior time-series database, applying multimodal feature processing, and dynamically adjusting resource allocation strategies, the method addresses the lagging identification of access behavior and the inflexible resource scheduling of existing technologies. This enables continuous analysis of access behavior and refined management of resources, thereby improving the system's operational stability and security.
Patent Information
- Authority / Receiving Office: CN · China
- Patent Type: Applications (China)
- Current Assignee / Owner: XIAMEN KUAIKUAI NETWORK TECH CO LTD
- Filing Date: 2026-05-20
- Publication Date: 2026-06-19
AI Technical Summary
Existing computer systems struggle to comprehensively analyze access behavior within a continuous time window when processing multi-source access behavior data, resulting in delayed identification, high misjudgment rates, and a lack of dynamic resource scheduling strategies, which affects system operating efficiency and stability.
By constructing a visitor behavior time series database, combining multimodal feature processing and adaptive resource scheduling methods, we collect and integrate network connection, time series features, protocol features and system resource data to conduct behavior modeling and risk assessment, dynamically adjust resource allocation strategies, and construct a closed-loop feedback mechanism for model updates.
It enables continuous characterization of access behavior and risk identification, improves the accuracy of anomaly detection and refined management of system resources, reduces the risk of resource contention and service quality degradation, and enhances the ability to respond to unknown threats.
Figure CN122241741A_ABST
Description
Technical Field
[0001] This invention relates to the field of electronic digital data processing technology, specifically to an adaptive dynamic resource scheduling method based on multimodal behavioral feature processing.
Background Technology
[0002] With the rapid development of cloud computing, edge computing, distributed application platforms, and multi-tenant computing environments, computer systems need to simultaneously handle a large number of access requests from different users, application sessions, and business scenarios. These access requests typically generate multi-source behavioral data within the computer system, including session identifiers, access time series, application state transitions, operation behavior records, system resource occupancy status, and historical risk tags. How to uniformly model, feature-represent, identify risks, and control resource scheduling for this type of multi-source behavioral data has become a crucial technical issue in the intelligent operation and management of computer systems.
[0003] Existing methods for handling computer access behavior typically focus on judging access requests based on a single access field, fixed permission rules, or static thresholds. For example, some systems only perform access control or anomaly identification based on user identity, access frequency, single operation type, or resource consumption. While these methods are simple to implement, they struggle to comprehensively analyze the evolution trend of access behavior over a continuous time window, state transition relationships, the degree of deviation from historical baseline behavior, and the correlation between multimodal features. When access behavior exhibits characteristics such as low-frequency gradual changes, cross-stage changes, disguised normal operations, or gradually abnormal resource consumption, existing methods are prone to problems such as recognition lag, high false positive rates, or difficulty in triggering timely scheduling control.
[0004] In computer system resource management, existing resource scheduling methods mostly rely on single operational status parameters such as CPU utilization, bandwidth utilization, task queue length, or address resource occupancy for scheduling decisions, lacking a mechanism to integrate access behavior risk assessment results with system resource status analysis. Since there is a dynamic correlation between the behavioral risk of access requests and resource scheduling status, when abnormal access behavior is accompanied by increased node load, address resource shortages, or abnormal traffic growth, using fixed resource allocation, uniform rate limiting, or a single blocking strategy can easily lead to insufficient resource guarantees for normal access requests, or allow abnormal access requests to continue consuming system resources, thereby affecting the overall operating efficiency and service stability of the computer system.
[0005] Furthermore, existing methods for identifying computer access behavior risks and scheduling resources typically lack a closed-loop feedback update mechanism. Risk assessment results, scheduling effectiveness, and changes in access behavior before and after scheduling are not effectively written back to the behavior database, nor are they further used to update the behavior baseline model and weight parameters. This results in models relying heavily on initial rules or historical static samples, making it difficult to adapt to changes in access behavior patterns and new abnormal behavior characteristics. Therefore, a dynamic scheduling control method for computer access behavior data processing is urgently needed. This method should be able to vectorize and model multi-source behavior data over time, perform risk quantification assessment based on behavior baseline trajectories, and generate adaptive scheduling strategies in conjunction with system resource status. This would enable the coordinated processing of access behavior risk identification, computing resource scheduling, and continuous model updates.
Summary of the Invention
[0006] The purpose of this invention is to provide an adaptive dynamic resource scheduling method based on multimodal behavioral feature processing to solve the problems mentioned in the background art.
[0007] To achieve the above objectives, the present invention provides the following technical solution: The adaptive dynamic resource scheduling method based on multimodal behavioral feature processing includes the following steps:
Step 1: Collect data packet 5-tuple information, message arrival time interval sequence data, TCP connection behavior data, protocol characteristic data, application state transition data, CPU utilization and bandwidth utilization data, address pool status data, and traffic growth data; and perform preprocessing to form a feature vector stream dataset.
Step 2: Based on the feature vector stream dataset, construct a visitor behavior time series database, and establish a visitor normal behavior baseline trajectory model through state transition modeling and trajectory fitting. Combine vector matching, attention calculation and statistical analysis methods to obtain multi-dimensional behavior fusion parameters, including current behavior feature vector, historical baseline behavior vector, behavior state transition probability parameter, multimodal feature attention weight parameter, feature matching similarity parameter, time window weight parameter, historical risk label probability parameter, current node load rate parameter, address pool availability parameter and attack traffic growth rate parameter.
Step 3: Based on the current behavior feature vector, historical baseline behavior vector, behavior state transition probability parameter and time window weight parameter obtained in Step 2, calculate the behavior evolution offset index to characterize the degree of deviation of the current behavior from the historical normal behavior baseline trajectory; and compare it with the behavior offset judgment threshold to determine whether the current access behavior is normal behavior. If it is abnormal, mark the behavior offset risk and trigger the intent risk coupling analysis process in Step 4.
Step 4: Based on the behavior evolution offset index, combined with the multimodal feature attention weight parameter, feature matching similarity parameter and historical risk label probability parameter, calculate the intent risk coupling index to characterize the potential attack intent risk level of the current access behavior; and compare it with the intent risk judgment threshold to determine whether the current access behavior is trustworthy. If it is not trustworthy, generate a risk access mark for the current access behavior and trigger the dynamic scheduling decision process in Step 5.
Step 5: Based on the intent risk coupling index, combined with the current node load rate parameter, address pool availability parameter, and attack traffic growth rate parameter, calculate the dynamic scheduling drift index. This index characterizes the degree of scheduling security deviation of the current access request under the combined effects of risk level, node load, address resource availability, and traffic growth trend. It is then compared with the scheduling drift judgment threshold to determine whether the current access request meets the scheduling security conditions. If it does not meet the conditions, a dynamic enhanced scheduling strategy is generated, including address allocation contraction, traffic rate limiting control, address space isolation, attack traffic suppression, and legitimate user protection.
Step 6: Based on the evaluation results and scheduling execution feedback of the behavior evolution offset index, intention risk coupling index and dynamic scheduling drift index, construct a closed-loop feedback dataset and write it back to the visitor behavior time series database. Adaptively update the visitor normal behavior baseline trajectory model and carry out continuous learning and dynamic evolution.
[0008] Further, step one includes:
S11. By deploying the network packet capture tool tcpdump, the network connection relationship in the incoming network traffic is monitored in real time, and the packet five-tuple information is obtained, including the source IP address, destination IP address, source port, destination port and protocol type, as well as session identification information.
S12. By combining timestamp recording method with high-precision clock synchronization technology, the arrival process of data packets is monitored in real time to obtain the message arrival time interval sequence data.
S13. Real-time monitoring of the connection establishment process is performed using TCP protocol stack state tracking technology to obtain TCP connection behavior data, including the number of TCP connection establishments, the number of SYN retries, the number of half-open connections, and the number of RST packets triggered.
S14. Real-time monitoring of encrypted communication and application layer interaction processes is performed using the Wireshark deep message parsing engine to obtain protocol feature data, including TLS handshake fingerprint information, ALPN protocol list, certificate chain depth data, as well as HTTP request header information, URI path distribution data, and request parameter length data.
S15. Real-time monitoring of application interaction flow using finite state machine modeling method to obtain application state transition data, including application layer state transition sequence data and duration data of each state.
S16. Real-time monitoring of device operating status is performed through the host performance acquisition tools, namely the Linux /proc file system interface and the sar monitoring tool, to obtain CPU utilization and bandwidth utilization data. Resource and traffic changes are monitored through address pool counting method and sliding time window statistical method to obtain the total address pool, the number of allocated addresses and the traffic growth per unit time.
S17. The acquired data are processed using the min-max normalization method, the equal-width discretization method, and the vector embedding encoding method to construct a multimodal feature vector with a unified dimension. The data is then aggregated based on a sliding time window to form a feature vector stream dataset.
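The S12 and S17 processing can be sketched as follows. This is an added example, not code from the patent or its assignee: the packet records are constructed, and the normalization bounds, bin count and window sizes are assumed values. The bounds are fixed in advance and out-of-range values are clipped, so one extreme interval cannot rescale every other feature in the batch.

```python
from collections import defaultdict

# Constructed sample records: (timestamp_s, src_ip, dst_ip, src_port, dst_port, proto).
# Addresses come from documentation ranges; none of this is captured traffic.
STEADY = ("198.51.100.7", "203.0.113.10", 40001, 443, "tcp")
BURSTY = ("198.51.100.9", "203.0.113.10", 40002, 443, "tcp")
PACKETS = (
    [(0.5 * i, *STEADY) for i in range(7)]
    + [(t, *BURSTY) for t in (0.0, 0.25, 1.5, 3.5, 7.5)]
)


def interarrival_by_session(packets):
    """S12: group packets by five-tuple and return each session's arrival gaps."""
    arrivals = defaultdict(list)
    for ts, *five_tuple in packets:
        arrivals[tuple(five_tuple)].append(ts)
    gaps = {}
    for key, stamps in arrivals.items():
        stamps.sort()  # capture order is not guaranteed to be time order
        gaps[key] = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
    return gaps


def min_max_clip(value, lo, hi):
    """Min-max normalization against fixed bounds, clipped to [0, 1]."""
    if hi <= lo:
        raise ValueError("bounds must satisfy lo < hi")
    return min(1.0, max(0.0, (value - lo) / (hi - lo)))


def equal_width_bin(x, bins):
    """Equal-width discretization of a normalized value into 0..bins-1."""
    return min(int(x * bins), bins - 1)


def window_vectors(gaps, lo, hi, bins=4, window=4, step=2):
    """S17: slide a window over the binned gaps; each vector is a bin histogram."""
    binned = [equal_width_bin(min_max_clip(g, lo, hi), bins) for g in gaps]
    vectors = []
    for start in range(0, len(binned) - window + 1, step):
        chunk = binned[start:start + window]
        vectors.append([chunk.count(b) / window for b in range(bins)])
    return vectors


def feature_stream(packets, lo=0.0, hi=2.0):
    """Feature vector stream per session; lo/hi are assumed bounds in seconds."""
    return {
        key: window_vectors(gaps, lo, hi)
        for key, gaps in interarrival_by_session(packets).items()
    }


if __name__ == "__main__":
    for session, vectors in feature_stream(PACKETS).items():
        print(session, vectors)
```

Sessions with fewer intervals than the window length produce no vector, so short-lived connections need a separate feature path such as the S13 connection counters.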
[0009] Furthermore, step two includes:
S21. Based on the feature vector stream dataset, a time-series storage method is used to organize and index the five-tuple information, message arrival time interval sequence data, TCP connection establishment count, SYN retries count, half-open connection count, RST message trigger count, TLS handshake fingerprint information, ALPN protocol list, certificate chain depth data, HTTP request header information, URI path distribution data, and request parameter length data corresponding to the same session identifier in chronological order, thereby constructing a visitor behavior time-series database.
S22. Based on the visitor behavior time series database, the state transition statistics method is used to model the transition relationship between different access states, calculate the transition probability between each state, and construct the behavior state transition matrix; then, based on the behavior state transition matrix, the vector embedding encoding method is used to perform structural mapping processing on the multimodal feature sequence to generate a unified expression of the behavior trajectory vector set.
S23. Based on the set of behavioral trajectory vectors, a trajectory fitting method is used to fit long-term stable access behavior and establish a baseline trajectory model for normal visitor behavior. Then, based on the baseline trajectory model for normal visitor behavior, a matching analysis is performed on the behavioral trajectory vectors within the current time window to obtain the current behavioral feature vector and the historical baseline behavioral vector. Statistical analysis is performed on the state evolution path of the behavioral trajectory at different time steps to obtain the behavioral state transition probability parameter. A multimodal feature cross-attention calculation method is used to weight the correlation strength between each modality feature to obtain the multimodal feature attention weight parameter. Similarity matching calculation is performed on the current behavioral feature vector and the historical normal behavioral trajectory vector to obtain the feature matching similarity parameter.
S24. Based on the behavioral time series database, the time window statistical method is used to calculate the distribution of message arrival time interval sequence data and obtain the time window weight parameter; the historical tag statistical method is used to perform statistical analysis of historical risk tag data and obtain the historical risk tag probability parameter.
S25. Based on CPU utilization and bandwidth utilization data, a load rate calculation method is used to perform a fusion calculation of CPU utilization and bandwidth utilization to obtain the current node load rate parameter; by collecting the total address pool and the number of allocated addresses, a resource utilization ratio calculation method is used to calculate the ratio of the total address pool to the number of allocated addresses to obtain the address pool availability parameter; by collecting the traffic growth rate per unit time, a time series trend analysis method is used to calculate the traffic growth change per unit time to obtain the attack traffic growth rate parameter.
S26. Construct multi-dimensional behavior fusion parameters by combining the current behavior feature vector, historical baseline behavior vector, behavior state transition probability parameter, multimodal feature attention weight parameter, feature matching similarity parameter, time window weight parameter, historical risk label probability parameter, current node load rate parameter, address pool availability parameter, and attack traffic growth rate parameter.
[0010] Furthermore, step three includes: S31. By extracting the current behavior feature vector, historical baseline behavior vector, behavior state transition probability parameter and time window weight parameter, and after dimensionless processing, a weighted fusion distance calculation algorithm is used to calculate the offset between the current behavior feature and the historical baseline behavior to obtain the behavior evolution offset index.
[0011] Furthermore, step three also includes: S32. By setting a preset behavior deviation judgment threshold and comparing the behavior evolution deviation index with the behavior deviation judgment threshold, the first evaluation result is obtained, including: When the behavior evolution deviation index is less than the behavior deviation judgment threshold, the current access behavior is determined to be normal and there is no risk of behavior deviation; continuous monitoring is required. When the behavior evolution deviation index is greater than or equal to the behavior deviation judgment threshold, the current access behavior is determined to be abnormal and there is a risk of behavior evolution deviation; the first warning instruction is triggered, the first strategy is generated: the behavior deviation risk is marked, and the intent risk coupling analysis process in step four is triggered.
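The state transition statistics of S22 and the threshold comparison of S32 can be illustrated together. This is an added example, not code from the patent or its assignee: the state names, baseline sessions, smoothing constant and threshold value are constructed, and a mean negative log-likelihood score stands in for the behavior evolution offset index, whose formula this part of the text does not give.

```python
import math
from collections import Counter

# Hypothetical application-layer states; the patent does not enumerate them.
STATES = ["connect", "tls", "login", "browse", "api", "close"]

# Constructed baseline of long-term stable sessions (not real traffic).
BASELINE_SESSIONS = [
    ["connect", "tls", "login", "browse", "browse", "api", "close"],
    ["connect", "tls", "login", "browse", "api", "api", "close"],
    ["connect", "tls", "login", "api", "browse", "close"],
    ["connect", "tls", "login", "browse", "close"],
]

OFFSET_THRESHOLD = 1.5  # assumed preset behavior offset judgment threshold
UNSEEN_FLOOR = 1e-6     # assumed probability for states absent from the baseline


def transition_matrix(sessions, states, alpha=1.0):
    """S22: count observed transitions and normalize each row to probabilities.

    alpha is additive smoothing, so a transition never seen in the baseline
    keeps a small non-zero probability instead of making the score infinite.
    """
    counts = Counter()
    for seq in sessions:
        counts.update(zip(seq, seq[1:]))
    matrix = {}
    for src in states:
        total = sum(counts[(src, dst)] for dst in states) + alpha * len(states)
        matrix[src] = {dst: (counts[(src, dst)] + alpha) / total for dst in states}
    return matrix


def offset_score(seq, matrix, floor=UNSEEN_FLOOR):
    """Mean negative log-probability per transition of the current window.

    Stand-in for the behavior evolution offset index: higher means the state
    path is less likely under the baseline transition matrix.
    """
    steps = list(zip(seq, seq[1:]))
    if not steps:
        return 0.0  # a single state carries no transition evidence
    total = 0.0
    for src, dst in steps:
        total -= math.log(matrix.get(src, {}).get(dst, floor))
    return total / len(steps)


def evaluate(seq, matrix, threshold=OFFSET_THRESHOLD):
    """S32: an index greater than or equal to the threshold is abnormal."""
    return "abnormal" if offset_score(seq, matrix) >= threshold else "normal"


if __name__ == "__main__":
    baseline = transition_matrix(BASELINE_SESSIONS, STATES)
    for window in (
        ["connect", "tls", "login", "browse", "api", "close"],
        ["connect", "api", "api", "api", "api"],  # skips tls and login
        ["connect", "admin"],                     # state never seen in baseline
    ):
        print(window, round(offset_score(window, baseline), 3),
              evaluate(window, baseline))
```

With a baseline this small the smoothing term dominates the rows, so the gap between normal and abnormal scores is narrow; the threshold has to be re-derived whenever the matrix is updated by the step six feedback loop.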
[0012] Furthermore, step four includes: S41. Execute the intention risk coupling analysis process. By calculating the obtained behavior evolution offset index, and combining it with multimodal feature attention weight parameters, feature matching similarity parameters, and historical risk label probability parameters, after dimensionless processing, a multi-factor weighted coupling calculation algorithm is used to perform a fusion calculation of the degree of behavior offset, feature correlation, and historical risk to obtain the intention risk coupling index.
[0013] Furthermore, step four also includes: S42. By setting a preset intent risk judgment threshold and comparing the intent risk coupling index with the intent risk judgment threshold, the second evaluation result is obtained, including: When the intent risk coupling index is less than the intent risk judgment threshold, the current access behavior is deemed trustworthy and has no intent risk; continuous monitoring is required. When the intent risk coupling index is greater than or equal to the intent risk judgment threshold, the current access behavior is determined to be untrustworthy and there is a risk of attack intent; a second warning instruction is triggered, and a second strategy is generated: a risk access mark is generated for the current access behavior, and the dynamic scheduling decision process in step five is triggered, so that the risk access behavior is input into step five for scheduling control processing.
[0014] Furthermore, step five includes: S51. Execute the dynamic scheduling decision process. Based on the calculated intention risk coupling index, combined with the current node load rate parameter, address pool availability parameter, and attack traffic growth rate parameter, after dimensionless processing, a multi-factor weighted dynamic scheduling calculation algorithm is used to perform a fusion calculation of risk level, system resource status, and traffic change trend to obtain the dynamic scheduling drift index.
[0015] Furthermore, step five also includes: S52. By setting a preset scheduling drift judgment threshold and comparing the dynamic scheduling drift index with the scheduling drift judgment threshold, the third evaluation result is obtained, including: When the dynamic scheduling drift index is less than the scheduling drift judgment threshold, the current access request is determined to meet the scheduling security conditions and there is no risk of resource scheduling or attack spread; continuous monitoring is required. When the dynamic scheduling drift index is greater than or equal to the scheduling drift judgment threshold, the current access request is determined to be inconsistent with the scheduling security conditions, posing a risk of resource scheduling and attack spread. A third early warning instruction is triggered, generating a third strategy: dynamic enhanced scheduling, including: address allocation contraction, reducing the address resource allocation ratio for access requests to 30%–50%, and prioritizing the allocation of remaining address resources to access requests that meet the scheduling security conditions; traffic rate limiting control, implementing bandwidth restrictions on the traffic corresponding to access requests, controlling bandwidth utilization at 20%–40%, and performing rate shaving for sudden traffic spikes; address space isolation, redirecting access requests to an isolated address pool, and controlling the capacity of the isolated address pool to 10%–20% of the total address space; attack traffic suppression, performing drop processing on abnormal traffic, setting the drop ratio to 40%–70%, and performing connection blocking processing on continuous abnormal requests; and legitimate user protection, maintaining an 80%–100% resource protection ratio for access requests that meet the scheduling security conditions, and performing seamless address migration for verified access requests to ensure business continuity.
[0016] Furthermore, step six includes: S61. Based on the evaluation results of the behavior evolution offset index, intention risk coupling index and dynamic scheduling drift index, as well as the third strategy and corresponding execution results, and combined with the feature vector flow dataset, the association analysis and annotation processing of the state changes of the access behavior before and after scheduling execution are carried out, and a closed-loop feedback dataset containing behavior feature evolution information, risk judgment results and scheduling execution effect is constructed. The closed-loop feedback dataset is then written back to the visitor behavior time series database for updating and storage. S62. Based on the updated visitor behavior time series database, an incremental learning method and dynamic weight optimization algorithm are used to adaptively adjust and iteratively update the behavior state transition matrix, the visitor normal behavior baseline trajectory model, and each weight coefficient. The calculation models of behavior evolution offset index, intention risk coupling index, and dynamic scheduling drift index are re-estimated and structurally optimized to achieve continuous learning and dynamic adaptation of access behavior patterns and potential attack characteristics.
[0017] Compared with the prior art, the beneficial effects of the present invention are: This invention achieves continuous characterization and analysis of the evolution of access behavior by fusing and modeling multimodal data such as network connection relationships, temporal features, protocol features, and application behavior, and constructing a visitor behavior time series database and behavior trajectory model. It overcomes the problem of insufficient recognition ability caused by relying on single features or static rules in the prior art, thereby effectively identifying low-speed attacks, disguised access behavior, and multi-stage attack behavior, and significantly improving the accuracy of anomaly detection in complex scenarios.
[0018] This invention also integrates the risk assessment results of access behavior with node load status, address resource usage, and traffic change trends, and dynamically adjusts address allocation, bandwidth control, and traffic processing strategies based on the assessment results. This overcomes the problems of coarse resource allocation and the separation of security and scheduling in traditional scheduling methods, thereby achieving refined resource allocation and dynamic optimization. While ensuring normal business continuity, it effectively reduces the risk of resource contention and service quality degradation, and improves the overall operational stability of the system.
[0019] This invention also constructs a closed-loop feedback mechanism to write back the risk assessment results and scheduling execution effects to the behavior time series database, and combines incremental learning and dynamic weight optimization methods to continuously update the behavior model and parameters. This overcomes the problems of static models and difficulty in adapting to new attacks in the prior art, thereby realizing continuous learning and dynamic evolution of access behavior patterns and potential attack characteristics, and improving the system's response capability to unknown threats and long-term protection effect.
Attached Figure Description
[0020] Figure 1 is a schematic diagram of the overall method flow of the present invention.
Detailed Implementation
[0021] To make the above-mentioned objects, features and advantages of the present invention more apparent and understandable, the specific embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
[0022] Many specific details are set forth in the following description in order to provide a full understanding of the invention. However, the invention may also be practiced in other ways different from those described herein, and those skilled in the art can make similar extensions without departing from the spirit of the invention. Therefore, the invention is not limited to the specific embodiments disclosed below.
[0023] Example 1: Please see Figure 1. This invention provides a technical solution: an adaptive resource dynamic scheduling method based on multimodal behavioral feature processing, the specific steps of which include:
Step 1: Collect data packet 5-tuple information, message arrival time interval sequence data, TCP connection behavior data, protocol characteristic data, application state transition data, CPU utilization and bandwidth utilization data, address pool status data, and traffic growth data; and perform preprocessing to form a feature vector stream dataset.
Step 2: Based on the feature vector stream dataset, construct a visitor behavior time series database, and establish a visitor normal behavior baseline trajectory model through state transition modeling and trajectory fitting. Combine vector matching, attention calculation and statistical analysis methods to obtain multi-dimensional behavior fusion parameters, including current behavior feature vector, historical baseline behavior vector, behavior state transition probability parameter, multimodal feature attention weight parameter, feature matching similarity parameter, time window weight parameter, historical risk label probability parameter, current node load rate parameter, address pool availability parameter and attack traffic growth rate parameter.
Step 3: Based on the current behavior feature vector, historical baseline behavior vector, behavior state transition probability parameter, and time window weight parameter obtained in Step 2, calculate the behavior evolution offset index to characterize the degree of deviation of the current behavior from the historical normal behavior baseline trajectory; compare it with the behavior offset judgment threshold to determine whether the current access behavior is normal behavior. If abnormal, mark the behavior offset risk and trigger the intent risk coupling analysis process in Step 4.
Step 4: Based on the behavior evolution offset index, combined with the multimodal feature attention weight parameter, feature matching similarity parameter, and historical risk label probability parameter, calculate the intent risk coupling index to characterize the degree of potential attack intent risk of the current access behavior; compare it with the intent risk judgment threshold to determine whether the current access behavior is trustworthy. If untrustworthy, generate a risk access mark for the current access behavior and trigger the dynamic scheduling decision process in Step 5.
Step 5: Based on the intent risk coupling index, combined with the current node load rate parameter, address pool availability parameter, and attack traffic growth rate parameter, calculate the dynamic scheduling drift index. This index characterizes the degree of scheduling security deviation of the current access request under the combined effects of risk level, node load, address resource availability, and traffic growth trend. It is then compared with the scheduling drift judgment threshold to determine whether the current access request meets the scheduling security conditions. If it does not meet the conditions, a dynamic enhanced scheduling strategy is generated, including address allocation contraction, traffic rate limiting control, address space isolation, attack traffic suppression, and legitimate user protection.
Step 6: Based on the evaluation results and scheduling execution feedback of the behavior evolution offset index, intention risk coupling index and dynamic scheduling drift index, construct a closed-loop feedback dataset and write it back to the visitor behavior time series database. Adaptively update the visitor normal behavior baseline trajectory model and carry out continuous learning and dynamic evolution.
[0024] In this embodiment, by constructing a visitor behavior modeling mechanism that integrates multimodal features, and combining it with behavior evolution analysis, risk assessment, and dynamic scheduling control, real-time identification and adaptive resource scheduling of computer network access behavior are achieved. In the field of computer data processing and information security technology, compared with the existing technology that relies on static rules or single features for processing, this invention can simultaneously complete behavior analysis and resource scheduling decisions during data processing, effectively improving the data processing efficiency and security protection capabilities of computer systems in complex network environments, reducing the impact of abnormal access on system resource consumption and operational stability, thereby improving the overall intelligent management level and operational reliability of the computer system.
[0025] Example 2: This embodiment is based on the explanation of Embodiment 1. Specifically, step one includes:
S11. By deploying the network packet capture tool tcpdump, the network connection relationship in the incoming network traffic is monitored in real time, and the packet five-tuple information is obtained, including the source IP address, destination IP address, source port, destination port and protocol type, as well as session identification information.
S12. By combining timestamp recording method with high-precision clock synchronization technology, the arrival process of data packets is monitored in real time to obtain the message arrival time interval sequence data.
S13. Real-time monitoring of the connection establishment process is performed using TCP protocol stack state tracking technology to obtain TCP connection behavior data, including the number of TCP connection establishments, the number of SYN retries, the number of half-open connections, and the number of RST packets triggered.
S14. Real-time monitoring of encrypted communication and application layer interaction processes is performed using the Wireshark deep message parsing engine to obtain protocol feature data, including TLS handshake fingerprint information, ALPN protocol list, certificate chain depth data, as well as HTTP request header information, URI path distribution data, and request parameter length data.
S15. Real-time monitoring of application interaction flow using finite state machine modeling method to obtain application state transition data, including application layer state transition sequence data and duration data of each state.
S16. Real-time monitoring of device operating status is performed through the host performance acquisition tools, namely the Linux /proc file system interface and the sar monitoring tool, to obtain CPU utilization and bandwidth utilization data. Resource and traffic changes are monitored through address pool counting method and sliding time window statistical method to obtain the total address pool, the number of allocated addresses and the traffic growth per unit time.
S17. The acquired data are processed using the min-max normalization method, the equal-width discretization method, and the vector embedding encoding method to construct a multimodal feature vector with a unified dimension. The data is then aggregated based on a sliding time window to form a feature vector stream dataset.
[0026] In this embodiment, by introducing multi-source data acquisition methods such as tcpdump packet capture, Wireshark deep analysis, TCP protocol stack state tracking, and Linux system performance collection, and combining time synchronization, finite state machine modeling, and multimodal feature processing methods, comprehensive and coordinated collection and unified expression of network connection behavior, protocol interaction behavior, time series features, and system resource status are achieved. This overcomes the problems of single data source and insufficient feature dimensions in the prior art, thereby significantly improving the completeness and granularity of access behavior representation and providing a high-quality data foundation for subsequent behavior modeling and risk identification.
[0027] Example 3. Building on Example 2, this embodiment specifically includes the following steps:
S21. Based on the feature vector stream dataset, a time-series storage method is used to organize and index, in chronological order, the data corresponding to the same session identifier: the five-tuple information, message arrival time interval sequence data, TCP connection establishment count, SYN retry count, half-open connection count, RST message trigger count, TLS handshake fingerprint information, ALPN protocol list, certificate chain depth data, HTTP request header information, URI path distribution data, and request parameter length data. This constructs a visitor behavior time-series database.
S22. Based on the visitor behavior time-series database, a state transition statistics method is used to model the transition relationships between different access states, calculate the transition probability between each pair of states, and construct the behavior state transition matrix. Then, based on the behavior state transition matrix, a vector embedding encoding method is used to perform structural mapping on the multimodal feature sequence and generate a uniformly expressed set of behavior trajectory vectors.
S23. Based on the set of behavior trajectory vectors, a trajectory fitting method is used to fit long-term stable access behaviors and establish a baseline trajectory model of normal visitor behavior. Based on this baseline model, a matching analysis is performed on the behavior trajectory vectors within the current time window to obtain the current behavior feature vector, denoted as Vc, and the historical baseline behavior vector, denoted as Vh. Statistical analysis is performed on the state evolution paths of the behavior trajectory at different time steps to obtain the behavior state transition probability parameter, denoted as Ps. A multimodal feature cross-attention calculation method is used to weight the correlation strength between the modal features to obtain the multimodal feature attention weight parameter, denoted as Am. A similarity matching calculation is performed between the current behavior feature vector and the historical normal behavior trajectory vector to obtain the feature matching similarity parameter, denoted as Sv.
S24. Based on the behavior time-series database, a time window statistical method is used to calculate the distribution of the message arrival time interval sequence data and obtain the time window weight parameter, denoted as Wt; a historical label statistical method is used to analyze historical risk label data and obtain the historical risk label probability parameter, denoted as Pr.
S25. Based on the CPU utilization and bandwidth utilization data, a load rate calculation method is used to fuse CPU utilization and bandwidth utilization and obtain the current node load rate parameter, denoted as Ln. From the total address pool and the number of allocated addresses, a resource utilization ratio calculation method is used to calculate the ratio of the total address pool to the number of allocated addresses and obtain the address pool availability parameter, denoted as Up. From the traffic growth per unit time, a time series trend analysis method is used to calculate the change in traffic growth per unit time and obtain the attack traffic growth rate parameter, denoted as Ga.
S26. Multi-dimensional behavior fusion parameters are constructed by combining the current behavior feature vector, historical baseline behavior vector, behavior state transition probability parameter, multimodal feature attention weight parameter, feature matching similarity parameter, time window weight parameter, historical risk label probability parameter, current node load rate parameter, address pool availability parameter, and attack traffic growth rate parameter.
[0028] In this embodiment, by constructing a visitor behavior time series database and combining state transition modeling, trajectory fitting, and multimodal feature cross-attention calculation methods, the visit behavior is structurally modeled and correlated. This overcomes the problem in existing technologies that it is difficult to characterize the behavioral evolution process and multi-feature correlations, thereby achieving continuous representation and deep semantic understanding of visit behavior. It can also simultaneously acquire behavioral features, state transition features, and system state parameters, providing unified and highly correlated parameter support for subsequent risk assessment and dynamic scheduling, and improving the overall analysis accuracy and decision reliability.
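One way to realize the state transition statistics of S22 and the path statistic of S23, shown as an added example that is not code from the patent: it estimates a row-stochastic transition matrix from per-session state sequences and derives a value for Ps as the geometric mean of the transition probabilities along the current path. The state names, the additive smoothing constant, the geometric-mean definition of Ps and the sample sessions are assumptions constructed for illustration.

```python
import math

# Constructed application-layer states; the patent does not enumerate them.
STATES = ["CONNECT", "TLS_HANDSHAKE", "REQUEST", "RESPONSE", "CLOSE"]

# Constructed baseline: state sequences keyed by session identifier, already in
# chronological order as the time-series database of S21 would store them.
BASELINE_SESSIONS = {
    "sess-001": ["CONNECT", "TLS_HANDSHAKE", "REQUEST", "RESPONSE", "CLOSE"],
    "sess-002": ["CONNECT", "TLS_HANDSHAKE", "REQUEST", "RESPONSE",
                 "REQUEST", "RESPONSE", "CLOSE"],
    "sess-003": ["CONNECT", "TLS_HANDSHAKE", "REQUEST", "RESPONSE",
                 "REQUEST", "RESPONSE", "REQUEST", "RESPONSE", "CLOSE"],
}

# Constructed paths observed in the current time window.
NORMAL_PATH = ["CONNECT", "TLS_HANDSHAKE", "REQUEST", "RESPONSE", "CLOSE"]
CHURN_PATH = ["CONNECT", "TLS_HANDSHAKE", "CLOSE",
              "CONNECT", "TLS_HANDSHAKE", "CLOSE"]  # handshakes with no request


def _check_states(seq, states):
    unknown = [s for s in seq if s not in states]
    if unknown:
        raise ValueError(f"unknown state(s): {sorted(set(unknown))}")


def build_transition_matrix(sessions, states=STATES, alpha=0.1):
    """Estimate P[a][b] = Pr(next state = b | current state = a).

    alpha is additive smoothing (an assumption): it keeps transitions never
    seen in the baseline at a small non-zero probability, so an unseen
    transition lowers the path score instead of zeroing it.
    """
    counts = {a: {b: 0 for b in states} for a in states}
    for seq in sessions.values():
        _check_states(seq, states)
        for a, b in zip(seq, seq[1:]):
            counts[a][b] += 1
    matrix = {}
    for a in states:
        total = sum(counts[a].values()) + alpha * len(states)
        matrix[a] = {b: (counts[a][b] + alpha) / total for b in states}
    return matrix


def path_transition_probability(matrix, seq):
    """Geometric mean of the transition probabilities along seq.

    Used here as the behavior state transition probability parameter Ps:
    close to 1 for paths the baseline makes likely, close to 0 for paths
    built from transitions the baseline rarely or never shows.
    """
    _check_states(seq, matrix.keys())
    steps = list(zip(seq, seq[1:]))
    if not steps:
        raise ValueError("a path needs at least two states")
    log_sum = sum(math.log(matrix[a][b]) for a, b in steps)
    return math.exp(log_sum / len(steps))


if __name__ == "__main__":
    P = build_transition_matrix(BASELINE_SESSIONS)
    for name, path in (("normal", NORMAL_PATH), ("churn", CHURN_PATH)):
        print(name, round(path_transition_probability(P, path), 3))
```
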
[0029] Example 4. Building on Example 3, this embodiment specifically includes the following steps: S31. The current behavior feature vector Vc, the historical baseline behavior vector Vh, the behavior state transition probability parameter Ps, and the time window weight parameter Wt are extracted and made dimensionless. A weighted fusion distance calculation algorithm is then used to calculate the offset between the current behavior features and the historical baseline behavior, yielding the behavior evolution offset index, denoted as BEI. The formula is as follows:
[0030] In the formula, w1, w2 and w3 represent weighting coefficients.
[0031] The difference between the current behavior feature vector and the historical baseline behavior vector carries the dominant weight in the behavior evolution offset index. This term directly describes how far the current behavior deviates from the normal behavior baseline and is the most intuitive manifestation of behavioral abnormality. When the difference increases, the behavior pattern has changed significantly, so this term is given the highest weight to highlight its core discriminative role. The behavior state transition probability carries the second-highest weight. It reflects the evolutionary stability of behavior over time: when the transition probability decreases, the behavior path has been abnormally disturbed. Its impact is slightly more indirect than that of the direct feature difference, so it is given the second-highest weight. The time window weight carries an auxiliary weight. The time window mainly reflects the temporal distribution of the behavior and moderates the impact of anomalies, but does not directly determine the degree of behavioral deviation, so it is given a relatively low weight. By constructing a behavior evolution offset index (BEI) as a weighted fusion of feature offset, state stability, and temporal distribution factors, the overall deviation of access behavior in both spatial characteristics and temporal evolution can be reflected comprehensively. When the BEI value increases, the behavior deviates further from the baseline; when the BEI is low, the behavior remains stable and consistent overall.
[0032] In this embodiment, by introducing the Behavior Evolution Offset Index (BEI), the difference between the current behavior feature vector and the historical baseline behavior vector, the probability of behavior state transition, and the time window features are weighted and fused to achieve a quantitative characterization of the degree of access behavior offset. This overcomes the problem of inaccurate judgment caused by relying on only a single feature or static threshold in the prior art, thereby enabling more precise identification of abnormal trends in the behavior evolution process, improving the sensitivity and stability of abnormal behavior detection, and providing a reliable basis for subsequent risk assessment and scheduling decisions.
[0033] Example 5. Building on Example 4, step three further includes: S32. A preset behavior deviation judgment threshold, denoted as Bth, is set, and the behavior evolution offset index BEI is compared with Bth to obtain the first evaluation result:
When BEI is less than Bth, the current access behavior is determined to be normal, with no risk of behavior deviation; continuous monitoring is required.
When BEI is greater than or equal to Bth, the current access behavior is determined to be abnormal, with a risk of behavior evolution deviation. The first warning instruction is triggered and the first strategy is generated: the behavior deviation risk is marked, and the intent risk coupling analysis process in step four is triggered.
[0034] The method for obtaining the behavior deviation judgment threshold Bth: The calibration process of the behavior deviation judgment threshold Bth aims to determine the critical behavior evolution deviation index BEI value that can effectively distinguish between "steady behavior state" and "behavioral deviation state". First, a visitor behavior sample database is constructed. This database is based on the feature vector stream dataset and is formed by collecting behavioral data under different access modes. The sample size is no less than 1000 groups, covering various situations such as normal access behavior, slightly fluctuating behavior, and significantly abnormal behavior. Each sample in the database includes the current behavior feature vector Vc, the historical baseline behavior vector Vh, the behavior state transition probability parameter Ps, and the time window weight parameter Wt.
[0035] Simultaneously, three or more researchers with experience in cybersecurity analysis performed "gold standard" labeling on each sample, classifying them into "behavioral stable states" or "behavioral shift states" based on behavioral continuity, state transition stability, and time distribution characteristics. Then, using the BEI calculation formula from step three, a unified calculation was performed on all samples to obtain the corresponding behavioral evolution shift index distribution. Further statistical analysis was conducted on the BEI values of the two types of samples, and probability density distribution curves were plotted.
[0036] Based on this, the classification performance was evaluated by constructing an ROC curve, and the point with the largest Youden index was selected as the optimal segmentation threshold. Comprehensive experimental analysis determined that the optimal behavioral shift judgment threshold Bth was 0.6. When BEI ≥ 0.6, a behavioral shift trend was determined; otherwise, the behavior was considered stable.
[0037] In this embodiment, by setting a behavior deviation judgment threshold Bth and comparing the behavior evolution deviation index BEI with the threshold, quantitative judgment and hierarchical response to the access behavior status are achieved. This overcomes the problems of lack of unified judgment standards and delayed early warning triggering in the prior art. Thus, it can promptly identify and trigger the early warning mechanism when the behavior shows a deviation trend. At the same time, by generating a strategy to mark abnormal behavior and link it with subsequent analysis processes, the timeliness of risk response and the continuity of handling are improved.
[0038] Example 6. Building on Example 5, step four includes: S41. Execute the intent risk coupling analysis process. The calculated behavior evolution offset index BEI is combined with the multimodal feature attention weight parameter Am, the feature matching similarity parameter Sv, and the historical risk label probability parameter Pr. After dimensionless processing, a multi-factor weighted coupling calculation algorithm is used to fuse the degree of behavior offset with feature correlation and historical risk, yielding the intent risk coupling index, denoted as IRI. The formula is as follows:
[0039] In the formula, a1, a2, a3 and a4 represent weighting coefficients.
[0040] The behavior evolution offset index carries the dominant weight in the intent risk coupling index. The degree of behavior deviation is the basis for judging potential risk intent: a significant deviation is usually accompanied by an increase in risk, so it is given a high weight to reflect its fundamental role. The multimodal feature attention weight carries a relatively high weight. It reflects the strength of the association between different features; when the association is abnormally enhanced, it may indicate that abnormal behaviors are occurring in coordination, so it is given a high weight. The feature matching similarity carries a moderate weight. Similarity measures the consistency between the current behavior and the normal pattern, and a decrease indicates potential risk, but its role is already partially reflected in BEI, so a moderate weight is appropriate. The historical risk label probability carries an auxiliary weight. Historical risk information provides a prior reference but does not directly determine the attributes of the current behavior, so it is given a lower weight. By constructing an intent risk coupling index (IRI) as a weighted fusion of behavior deviation degree, feature association strength, matching consistency, and historical risk information, the potential risk intent of access behavior can be reflected comprehensively. When the IRI value increases, the behavior has a higher risk tendency; when the IRI is low, the behavior generally conforms to normal access characteristics.
[0041] In this embodiment, by constructing the Intent Risk Coupling Index (IRI), the degree of behavioral evolution deviation, the strength of multimodal feature association, feature matching similarity, and historical risk information are weighted and fused by multiple factors to achieve a comprehensive characterization of the potential intent of access behavior. This overcomes the problem in existing technologies that it is difficult to accurately identify complex attack intents based on only a single dimension. As a result, it can identify potential risk trends before the behavior is completely abnormal, improve the ability to identify covert attacks and progressive abnormal behaviors, and provide a more forward-looking risk basis for subsequent scheduling decisions.
[0042] Example 7. Building on Example 6, step four further includes: S42. A preset intent risk judgment threshold, denoted as Ith, is set, and the intent risk coupling index IRI is compared with Ith to obtain the second evaluation result:
When IRI is less than Ith, the current access behavior is deemed trustworthy and carries no intent risk; continuous monitoring is required.
When IRI is greater than or equal to Ith, the current access behavior is determined to be untrustworthy, with a risk of attack intent. A second warning instruction is triggered and a second strategy is generated: a risk access mark is generated for the current access behavior, and the dynamic scheduling decision process in step five is triggered, so that the risky access behavior is passed to step five for scheduling control.
[0043] The method for obtaining the intent risk assessment threshold Ith: The calibration process of the intent risk assessment threshold Ith aims to determine the critical intent risk coupling index IRI value that can effectively distinguish between "behavioral credibility state" and "intent risk state". First, based on the already labeled behavioral sample database, an expanded dataset containing multimodal association information and historical risk labels is constructed, with a sample size of no less than 1000 groups, covering normal access, gray-area behavior, and access behavior with malicious intent. Each sample in the database includes BEI, attention weight parameter Am, feature matching similarity parameter Sv, and historical risk label probability parameter Pr.
[0044] Multiple cybersecurity experts used a "gold standard" approach, combining behavioral context consistency, feature matching degree, and historical risk records, to label the samples, classifying them into either "behavioral trustworthiness state" or "intent risk state." Subsequently, based on the IRI calculation formula in step four, a unified calculation was performed on all samples to obtain the intent risk coupling index distribution.
[0045] Further statistical modeling was performed on the IRI values of the two types of samples, and probability density curves were plotted. The classification performance was analyzed using ROC curves, and the point with the maximum Youden index was selected as the optimal threshold. The intent risk judgment threshold Ith was determined to be 0.7. When IRI ≥ 0.7, intent risk was judged to exist; otherwise, the behavior was judged to be trustworthy.
[0046] In this embodiment, by setting an intent risk judgment threshold Ith and comparing the intent risk coupling index IRI with the threshold, a quantitative assessment and graded response to the credibility of access behavior is achieved. This overcomes the problem of difficulty in timely identification of potential attack intent and the fragmentation of response mechanisms in existing technologies. Thus, when access behavior that does not meet the credibility conditions is detected, an early warning instruction is triggered in a timely manner and a corresponding policy is generated. The relevant access behavior is marked and linked to the dynamic scheduling decision-making process, realizing the coordinated linkage of risk identification and resource regulation, and improving the initiative and continuity of overall security protection.
[0047] Example 8. Building on Example 7, step five includes: S51. Execute the dynamic scheduling decision process. The calculated intent risk coupling index IRI is combined with the current node load rate parameter Ln, the address pool availability parameter Up, and the attack traffic growth rate parameter Ga. After dimensionless processing, a multi-factor weighted dynamic scheduling calculation algorithm is used to fuse risk level, system resource status, and traffic change trend, yielding the dynamic scheduling drift index, denoted as DSI. The formula is as follows:
[0048] In the formula, s1, s2, s3 and s4 represent weighting coefficients.
[0049] The intent risk coupling index carries the dominant weight in the dynamic scheduling drift index. It directly reflects the risk level of access behavior and is an important basis for scheduling decisions, so it is given a high weight. The node load rate carries a high weight. Node load directly affects the system's processing capacity, and scheduling risk increases as load increases, so it is given a high weight. The address pool availability carries a medium weight. The sufficiency of address resources affects the room available for scheduling, but it changes relatively gradually, so it is given a medium weight. The attack traffic growth rate carries a medium weight. The traffic growth trend reflects the potential impact risk: excessively fast growth may cause system anomalies, but its impact needs to be judged in combination with other factors, so its weight is moderate. By constructing a dynamic scheduling drift index (DSI) as a weighted fusion of risk level, system load status, resource availability, and traffic change trend, the stability and risk level of the current scheduling environment can be reflected comprehensively. When the DSI value increases, system scheduling pressure and risk are rising together; when the DSI is low, the system is operating in a relatively stable state.
[0050] In this embodiment, by constructing a Dynamic Scheduling Drift Index (DSI), the intention risk coupling index is weighted and fused with node load rate, address pool availability, and traffic growth trend to achieve a collaborative quantitative analysis of the risk level of access requests and the status of system resources. This overcomes the problem in existing technologies where scheduling decisions rely solely on a single load or static strategy, making it difficult to balance security and resource utilization. As a result, dynamic perception and comprehensive evaluation based on risk and resource changes can be performed, providing a basis for subsequent refined scheduling control and improving the rationality and stability of system scheduling.
[0051] Example 9. Building on Example 8, step five further includes: S52. A preset scheduling drift judgment threshold, denoted as Dth, is set, and the dynamic scheduling drift index DSI is compared with Dth to obtain the third evaluation result:
When DSI is less than Dth, the current access request is determined to meet the scheduling security conditions, with no risk of resource scheduling disruption or attack propagation; continuous monitoring is required.
When DSI is greater than or equal to Dth, the current access request is determined not to meet the scheduling security conditions, posing a risk of resource scheduling disruption and attack propagation. A third early warning instruction is triggered and a third strategy, dynamic enhanced scheduling, is generated. It includes:
Address allocation contraction: reduce the address resource allocation ratio for the access request to 30%–50%, and prioritize the allocation of the remaining address resources to access requests that meet the scheduling security conditions.
Traffic rate limiting: apply bandwidth restrictions to the traffic corresponding to the access request, keep bandwidth utilization at 20%–40%, and perform rate shaving for sudden traffic spikes.
Address space isolation: redirect the access request to an isolated address pool, and keep the capacity of the isolated address pool at 10%–20% of the total address space.
Attack traffic suppression: discard abnormal traffic at a rate of 40%–70%, and block connections for persistent abnormal requests.
Legitimate user protection: maintain an 80%–100% resource protection ratio for access requests that meet the scheduling security conditions, and perform seamless address migration for verified access requests to ensure business continuity.
[0052] Method for obtaining the scheduling drift judgment threshold Dth: The calibration process of the scheduling drift judgment threshold Dth aims to determine the critical dynamic scheduling drift index DSI value that can effectively distinguish between "scheduling safe state" and "scheduling risk state". First, a scheduling behavior sample database is constructed. This database combines access behavior data and system operation status data, with a sample size of no less than 1000 groups, covering situations such as stable resource state, load fluctuation state, and abnormal scheduling state. Each sample in the database includes IRI, node load rate parameter Ln, address pool availability parameter Up, and attack traffic growth rate parameter Ga.
[0053] System operation and maintenance experts and network security experts jointly categorize the samples into "scheduling safe state" or "scheduling risk state" based on resource utilization efficiency, service stability, and the impact of abnormal traffic, using a "gold standard" label. Then, according to the DSI calculation formula in step five, the dynamic scheduling drift index distribution is calculated for all samples.
[0054] Statistical analysis of the DSI values of the two types of samples was performed, and probability density function curves were plotted. The model's discriminative ability was evaluated using ROC curves, and the point with the largest Youden index was selected as the optimal threshold. Based on the experimental results, the optimal scheduling drift judgment threshold Dth was set at 0.75. When DSI ≥ 0.75, a scheduling risk was determined; otherwise, the scheduling was considered safe.
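The calibration described for Bth, and repeated for Ith and Dth, selects the ROC operating point with the largest Youden index J = TPR - FPR. The following added example (not the patent's code) performs that selection over labelled index values; the majority-vote merging of annotator labels, the tie rule and the sample values are assumptions constructed for illustration, so its output is not the patent's 0.6, 0.7 or 0.75.

```python
def majority_label(votes):
    """Merge annotator votes (1 = shifted / risk state, 0 = stable / safe state).

    Majority voting is an assumption; the text only says that three or more
    analysts produce the gold-standard label.
    """
    if len(votes) < 3:
        raise ValueError("expected votes from three or more annotators")
    ones = sum(votes)
    if 2 * ones == len(votes):
        raise ValueError("tied vote: the sample needs adjudication")
    return 1 if 2 * ones > len(votes) else 0


def youden_threshold(scores, labels):
    """Return (threshold, J, TPR, FPR) for the decision rule `score >= threshold`.

    Sweeps the distinct scores from high to low, so each ROC point is built
    from running counts. Samples sharing a score are consumed together and
    contribute a single ROC point. On equal J the higher threshold is kept
    (fewer false alarms), which is an assumption.
    """
    if len(scores) != len(labels):
        raise ValueError("scores and labels differ in length")
    pos = sum(labels)
    neg = len(labels) - pos
    if pos == 0 or neg == 0:
        raise ValueError("both classes are required to build an ROC curve")

    ranked = sorted(zip(scores, labels), key=lambda p: p[0], reverse=True)
    tp = fp = 0
    best = (None, -1.0, 0.0, 0.0)
    i = 0
    while i < len(ranked):
        t = ranked[i][0]
        while i < len(ranked) and ranked[i][0] == t:
            if ranked[i][1] == 1:
                tp += 1
            else:
                fp += 1
            i += 1
        tpr, fpr = tp / pos, fp / neg
        j = tpr - fpr
        if j > best[1]:
            best = (t, j, tpr, fpr)
    return best


# Constructed sample: (dimensionless index value, votes of three annotators).
# A real calibration set would hold no fewer than 1000 groups.
CONSTRUCTED_SAMPLES = [
    (0.12, (0, 0, 0)), (0.25, (0, 0, 0)), (0.31, (0, 0, 1)),
    (0.44, (0, 0, 0)), (0.50, (1, 1, 0)), (0.52, (0, 1, 0)),
    (0.58, (1, 0, 0)), (0.60, (0, 1, 0)), (0.61, (1, 1, 0)),
    (0.66, (1, 1, 1)), (0.72, (1, 1, 1)), (0.79, (1, 0, 1)),
    (0.88, (1, 1, 1)), (0.93, (1, 1, 1)),
]


def calibrate(samples):
    """Label each sample by majority vote, then pick the max-Youden threshold."""
    scores = [s for s, _ in samples]
    labels = [majority_label(v) for _, v in samples]
    return youden_threshold(scores, labels)


if __name__ == "__main__":
    threshold, j, tpr, fpr = calibrate(CONSTRUCTED_SAMPLES)
    print(f"threshold={threshold} J={j:.3f} TPR={tpr:.3f} FPR={fpr:.3f}")
```
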
[0055] In this embodiment, by setting a scheduling drift judgment threshold Dth and comparing the dynamic scheduling drift index DSI with the threshold, a quantitative assessment and hierarchical control of the security status of access request scheduling is achieved. When it is determined that the scheduling security conditions are not met, a dynamic enhanced scheduling strategy including address allocation contraction, traffic rate limiting control, address space isolation, attack traffic suppression, and access protection is triggered. This overcomes the problems of single scheduling strategies, lack of specificity, and difficulty in simultaneously taking into account security protection and business continuity in the prior art. Thus, it achieves effective constraint and isolation of abnormal access, while ensuring the resource supply and service stability of normal access requests, thereby improving the overall security and scheduling robustness of the system.
[0056] Example 10. Building on Example 9, step six includes:
S61. Based on the evaluation results of the behavior evolution offset index BEI, the intent risk coupling index IRI, and the dynamic scheduling drift index DSI, together with the third strategy and its execution results, and combined with the feature vector stream dataset, the state changes of the access behavior before and after scheduling execution are correlated and annotated. A closed-loop feedback dataset containing behavior feature evolution information, risk judgment results, and scheduling execution effects is constructed and written back to the visitor behavior time-series database for updating and storage.
S62. Based on the updated visitor behavior time-series database, an incremental learning method and a dynamic weight optimization algorithm are used to adaptively adjust and iteratively update the behavior state transition matrix, the baseline trajectory model of normal visitor behavior, and each weight coefficient. The calculation models of BEI, IRI, and DSI are re-estimated and structurally optimized to achieve continuous learning of, and dynamic adaptation to, access behavior patterns and potential attack characteristics.
[0057] In this embodiment, a closed-loop feedback dataset based on BEI, IRI, and DSI evaluation results and scheduling execution feedback is constructed. Combined with incremental learning and dynamic weight optimization algorithms, adaptive updates of the behavior state transition matrix, normal behavior baseline trajectory model, and various weight parameters are achieved. This overcomes the problems of static models and difficulty in adapting to new access behaviors and attack patterns in existing technologies. As a result, the risk assessment and scheduling decision model can be continuously optimized, enabling the system to have dynamic learning capabilities and long-term evolution capabilities for behavior changes, thereby improving the accuracy and robustness of overall protection.
[0058] It should be noted that all calculation formulas in this application employ regression analysis, including but not limited to machine learning algorithms, to analyze the collected parameters in depth and identify their natural trends and interrelationships. Specialized software, such as Python's Scikit-learn library or the R language, is used to automatically generate mathematical models that match the data. Cross-validation and other methods are then used to evaluate model performance objectively, combined with continuous feedback and optimization, to ensure that the resulting formulas truly reflect the inherent laws of the data and thereby guarantee their effectiveness and accuracy. In all calculation formulas in this application, the parameters undergo dimensionless processing within a consistent range so that different physical quantities are compared on the same scale; dimensionless processing techniques include, but are not limited to, min-max normalization and Z-score standardization. The algorithm of this invention is implemented as a Python script. Before executing the core logic, the program first executes a data loading module (e.g., using the widely used pandas library in Python) configured to read the aforementioned spreadsheet file and load its contents into the program's working memory (e.g., a DataFrame data structure). Subsequent algorithm steps directly query and retrieve the required configuration parameters from this in-memory data structure.
[0059] It should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention and are not intended to limit it. Although the present invention has been described in detail with reference to preferred embodiments, those skilled in the art should understand that modifications or equivalent substitutions can be made to the technical solutions of the present invention without departing from the spirit and scope of the technical solutions of the present invention, and all such modifications or substitutions should be covered within the scope of the claims of the present invention.
Claims
1. An adaptive resource dynamic scheduling method based on multimodal behavioral feature processing, characterized in that: The specific steps include:
Step 1: Collect data packet 5-tuple information, message arrival time interval sequence data, TCP connection behavior data, protocol characteristic data, application state transition data, CPU utilization and bandwidth utilization data, address pool status data, and traffic growth data; and perform preprocessing to form a feature vector stream dataset.
Step 2: Based on the feature vector stream dataset, construct a visitor behavior time series database, and establish a visitor normal behavior baseline trajectory model through state transition modeling and trajectory fitting. Combine vector matching, attention calculation and statistical analysis methods to obtain multi-dimensional behavior fusion parameters, including current behavior feature vector, historical baseline behavior vector, behavior state transition probability parameter, multimodal feature attention weight parameter, feature matching similarity parameter, time window weight parameter, historical risk label probability parameter, current node load rate parameter, address pool availability parameter and attack traffic growth rate parameter.
Step 3: Based on the current behavior feature vector, historical baseline behavior vector, behavior state transition probability parameter and time window weight parameter obtained in Step 2, calculate the behavior evolution offset index to characterize the degree of deviation of the current behavior from the historical normal behavior baseline trajectory; and compare it with the behavior offset judgment threshold to determine whether the current access behavior is normal behavior. If it is abnormal, mark the behavior offset risk and trigger the intent risk coupling analysis process in Step 4.
Step 4: Based on the behavior evolution offset index, combined with the multimodal feature attention weight parameter, feature matching similarity parameter and historical risk label probability parameter, calculate the intent risk coupling index to characterize the potential attack intent risk level of the current access behavior; and compare it with the intent risk judgment threshold to determine whether the current access behavior is trustworthy. If it is not trustworthy, generate a risk access mark for the current access behavior and trigger the dynamic scheduling decision process in Step 5.
Step 5: Based on the intent risk coupling index, combined with the current node load rate parameter, address pool availability parameter, and attack traffic growth rate parameter, calculate the dynamic scheduling drift index. This index characterizes the degree of scheduling security deviation of the current access request under the combined effects of risk level, node load, address resource availability, and traffic growth trend. It is then compared with the scheduling drift judgment threshold to determine whether the current access request meets the scheduling security conditions. If it does not meet the conditions, a dynamic enhanced scheduling strategy is generated, including address allocation contraction, traffic rate limiting control, address space isolation, attack traffic suppression, and legitimate user protection.
Step 6: Based on the evaluation results and scheduling execution feedback of the behavior evolution offset index, intention risk coupling index and dynamic scheduling drift index, construct a closed-loop feedback dataset and write it back to the visitor behavior time series database. Adaptively update the visitor normal behavior baseline trajectory model and carry out continuous learning and dynamic evolution.
2. The adaptive resource dynamic scheduling method based on multimodal behavioral feature processing according to claim 1, characterized in that: Step one includes:
S11. By deploying the network packet capture tool tcpdump, the network connection relationship in the incoming network traffic is monitored in real time, and the packet five-tuple information is obtained, including the source IP address, destination IP address, source port, destination port and protocol type, as well as session identification information.
S12: By combining timestamp recording method with high-precision clock synchronization technology, the arrival process of data packets is monitored in real time to obtain the message arrival time interval sequence data;
S13: Real-time monitoring of the connection establishment process is performed using TCP protocol stack state tracking technology to obtain TCP connection behavior data, including the number of TCP connection establishments, the number of SYN retries, the number of half-open connections, and the number of RST packets triggered.
S14: Real-time monitoring of encrypted communication and application layer interaction processes is performed using the Wireshark deep message parsing engine to obtain protocol feature data, including TLS handshake fingerprint information, ALPN protocol list, certificate chain depth data, as well as HTTP request header information, URI path distribution data, and request parameter length data.
S15: Real-time monitoring of application interaction flow using finite state machine modeling method to obtain application state transition data, including application layer state transition sequence data and duration data of each state;
S16: Real-time monitoring of device operating status is performed through the host performance acquisition tool Linux /proc file system interface and sar monitoring tool to obtain CPU utilization and bandwidth utilization data. Resource and traffic changes are monitored through address pool counting method and sliding time window statistical method to obtain the total address pool, the number of allocated addresses and the traffic growth per unit time.
S17: The acquired data are processed using the min-max normalization method, the equal-width discretization method, and the vector embedding encoding method to construct a multimodal feature vector with a unified dimension. The data is then aggregated based on a sliding time window to form a feature vector stream dataset.
3. The adaptive resource dynamic scheduling method based on multimodal behavioral feature processing according to claim 2, characterized in that: Step two includes:
S21. Based on the feature vector stream dataset, a time-series storage method is used to organize and index the five-tuple information, message arrival time interval sequence data, TCP connection establishment count, SYN retries count, half-open connection count, RST message trigger count, TLS handshake fingerprint information, ALPN protocol list, certificate chain depth data, HTTP request header information, URI path distribution data, and request parameter length data corresponding to the same session identifier in chronological order, thereby constructing a visitor behavior time-series database.
S22. Based on the visitor behavior time series database, the state transition statistics method is used to model the transition relationship between different access states, calculate the transition probability between each state, and construct the behavior state transition matrix; then, based on the behavior state transition matrix, the vector embedding encoding method is used to perform structural mapping processing on the multimodal feature sequence to generate a unified expression of the behavior trajectory vector set.
S23. Based on the set of behavioral trajectory vectors, a trajectory fitting method is used to fit long-term stable access behavior and establish a baseline trajectory model for normal visitor behavior. Then, based on the baseline trajectory model for normal visitor behavior, a matching analysis is performed on the behavioral trajectory vectors within the current time window to obtain the current behavioral feature vector and the historical baseline behavioral vector. Statistical analysis is performed on the state evolution path of the behavioral trajectory at different time steps to obtain the behavioral state transition probability parameter. A multimodal feature cross-attention calculation method is used to weight the correlation strength between each modality feature to obtain the multimodal feature attention weight parameter. Similarity matching calculation is performed on the current behavioral feature vector and the historical normal behavioral trajectory vector to obtain the feature matching similarity parameter.
S24. Based on the behavioral time series database, the time window statistical method is used to calculate the distribution of message arrival time interval sequence data and obtain the time window weight parameter; the historical tag statistical method is used to perform statistical analysis of historical risk tag data and obtain the historical risk tag probability parameter.
S25. Based on CPU utilization and bandwidth utilization data, a load rate calculation method is used to perform a fusion calculation of CPU utilization and bandwidth utilization to obtain the current node load rate parameter; by collecting the total address pool and the number of allocated addresses, a resource utilization ratio calculation method is used to calculate the ratio of the total address pool to the number of allocated addresses to obtain the address pool availability parameter; by collecting the traffic growth rate per unit time, a time series trend analysis method is used to calculate the traffic growth change per unit time to obtain the attack traffic growth rate parameter.
S26. Construct multi-dimensional behavior fusion parameters by combining the current behavior feature vector, historical baseline behavior vector, behavior state transition probability parameter, multimodal feature attention weight parameter, feature matching similarity parameter, time window weight parameter, historical risk label probability parameter, current node load rate parameter, address pool availability parameter, and attack traffic growth rate parameter.
4. The adaptive resource dynamic scheduling method based on multimodal behavioral feature processing according to claim 3, characterized in that: Step three includes: S31. By extracting the current behavior feature vector, historical baseline behavior vector, behavior state transition probability parameter and time window weight parameter, and after dimensionless processing, a weighted fusion distance calculation algorithm is used to calculate the offset between the current behavior feature and the historical baseline behavior to obtain the behavior evolution offset index.
5. The adaptive resource dynamic scheduling method based on multimodal behavioral feature processing according to claim 4, characterized in that: Step three also includes: S32. By setting a preset behavior deviation judgment threshold and comparing the behavior evolution deviation index with the behavior deviation judgment threshold, the first evaluation result is obtained, including: When the behavior evolution deviation index is less than the behavior deviation judgment threshold, the current access behavior is determined to be normal and there is no risk of behavior deviation; continuous monitoring is required. When the behavior evolution deviation index is greater than or equal to the behavior deviation judgment threshold, the current access behavior is determined to be abnormal and there is a risk of behavior evolution deviation; the first warning instruction is triggered, the first strategy is generated: the behavior deviation risk is marked, and the intent risk coupling analysis process in step four is triggered.
6. The adaptive resource dynamic scheduling method based on multimodal behavioral feature processing according to claim 5, characterized in that: Step four includes: S41. Execute the intention risk coupling analysis process. By calculating the obtained behavior evolution offset index, and combining it with multimodal feature attention weight parameters, feature matching similarity parameters, and historical risk label probability parameters, after dimensionless processing, a multi-factor weighted coupling calculation algorithm is used to perform a fusion calculation of the degree of behavior offset, feature correlation, and historical risk to obtain the intention risk coupling index.
7. The adaptive resource dynamic scheduling method based on multimodal behavioral feature processing according to claim 6, characterized in that: Step four also includes: S42. By setting a preset intent risk judgment threshold and comparing the intent risk coupling index with the intent risk judgment threshold, the second evaluation result is obtained, including: When the intent risk coupling index is less than the intent risk judgment threshold, the current access behavior is determined to be trustworthy and without intent risk; continuous monitoring is required. When the intent risk coupling index is greater than or equal to the intent risk judgment threshold, the current access behavior is determined to be untrustworthy and there is a risk of attack intent; a second warning instruction is triggered, and a second strategy is generated: a risk access mark is generated for the current access behavior, and the dynamic scheduling decision process in step five is triggered, so that the risk access behavior is input into step five for scheduling control processing.
8. The adaptive resource dynamic scheduling method based on multimodal behavioral feature processing according to claim 7, characterized in that: Step five includes: S51. Execute the dynamic scheduling decision process. Based on the calculated intention risk coupling index, combined with the current node load rate parameter, address pool availability parameter, and attack traffic growth rate parameter, after dimensionless processing, use a multi-factor weighted dynamic scheduling calculation algorithm to perform a fusion calculation of risk level, system resource status, and traffic change trend to obtain the dynamic scheduling drift index.
9. The adaptive resource dynamic scheduling method based on multimodal behavioral feature processing according to claim 8, characterized in that: Step five also includes:
S52. By setting a preset scheduling drift judgment threshold and comparing the dynamic scheduling drift index with the scheduling drift judgment threshold, the third evaluation result is obtained, including:
When the dynamic scheduling drift index is less than the scheduling drift judgment threshold, the current access request is determined to meet the scheduling security conditions and there is no risk of resource scheduling or attack spread; continuous monitoring is required.
When the dynamic scheduling drift index is greater than or equal to the scheduling drift judgment threshold, the current access request is determined to be inconsistent with the scheduling security conditions, posing a risk of resource scheduling and attack spread. A third early warning instruction is triggered, generating a third strategy: dynamic enhanced scheduling, including:
address allocation contraction, reducing the address resource allocation ratio for access requests to 30%–50%, and prioritizing the allocation of remaining address resources to access requests that meet the scheduling security conditions;
traffic rate limiting control, implementing bandwidth restrictions on the traffic corresponding to access requests, controlling bandwidth utilization at 20%–40%, and performing rate shaving for sudden traffic spikes;
address space isolation, redirecting access requests to an isolated address pool, and controlling the capacity of the isolated address pool to 10%–20% of the total address space;
attack traffic suppression, performing drop processing on abnormal traffic, setting the drop ratio to 40%–70%, and performing connection blocking processing on continuous abnormal requests;
and legitimate user protection, maintaining an 80%–100% resource protection ratio for access requests that meet the scheduling security conditions, and performing seamless address migration for verified access requests to ensure business continuity.
10. The adaptive resource dynamic scheduling method based on multimodal behavioral feature processing according to claim 9, characterized in that: Step six includes:
S61. Based on the evaluation results of the behavior evolution offset index, intention risk coupling index and dynamic scheduling drift index, as well as the third strategy and corresponding execution results, and combined with the feature vector flow dataset, the association analysis and annotation processing of the state changes of the access behavior before and after scheduling execution are carried out, and a closed-loop feedback dataset containing behavior feature evolution information, risk judgment results and scheduling execution effect is constructed. The closed-loop feedback dataset is then written back to the visitor behavior time series database for updating and storage.
S62. Based on the updated visitor behavior time series database, an incremental learning method and dynamic weight optimization algorithm are used to adaptively adjust and iteratively update the behavior state transition matrix, the visitor normal behavior baseline trajectory model, and each weight coefficient. The calculation models of behavior evolution offset index, intention risk coupling index, and dynamic scheduling drift index are re-estimated and structurally optimized to achieve continuous learning and dynamic adaptation of access behavior patterns and potential attack characteristics.
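Step S22 of claim 3 builds a behavior state transition matrix from per-session state sequences, and S23 derives a transition probability parameter from it. The following is an added illustration of one way to do both, not code from the patent: the state labels, the add-alpha smoothing, the probability floor for unseen states and the geometric-mean scoring are all assumptions.

```python
import math
from collections import defaultdict

# Constructed per-session application-state sequences (labels are assumptions).
BASELINE_SESSIONS = [
    ["connect", "tls", "login", "browse", "browse", "logout"],
    ["connect", "tls", "login", "browse", "logout"],
    ["connect", "tls", "browse", "browse", "logout"],
]

def transition_matrix(sessions, alpha=1.0):
    """Estimate a row-stochastic matrix P[a][b] from observed state pairs.

    Add-alpha smoothing (an assumption) keeps unseen transitions non-zero,
    so a single new transition does not produce a probability of zero.
    """
    states = sorted({s for seq in sessions for s in seq})
    counts = {a: defaultdict(float) for a in states}
    for seq in sessions:
        for a, b in zip(seq, seq[1:]):
            counts[a][b] += 1
    matrix = {}
    for a in states:
        total = sum(counts[a].values()) + alpha * len(states)
        matrix[a] = {b: (counts[a][b] + alpha) / total for b in states}
    return matrix

def transition_probability_parameter(matrix, seq, floor=1e-6):
    """Geometric mean of the transition probabilities along seq, in (0, 1].

    States never seen in the baseline fall back to `floor`, which drives the
    parameter toward zero instead of raising a KeyError.
    """
    steps = list(zip(seq, seq[1:]))
    if not steps:
        return 1.0  # a single-state window carries no transition evidence
    log_sum = sum(math.log(matrix.get(a, {}).get(b, floor)) for a, b in steps)
    return math.exp(log_sum / len(steps))

if __name__ == "__main__":
    m = transition_matrix(BASELINE_SESSIONS)
    print(transition_probability_parameter(m, ["connect", "tls", "login", "browse", "logout"]))
    print(transition_probability_parameter(m, ["connect", "login", "login", "login"]))
```

The geometric mean makes windows of different lengths comparable, which matters when the sliding time window of S17 yields sessions with varying numbers of transitions.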
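Claims 4 to 9 describe a gated cascade in which each index is computed only when the previous one reaches its threshold, and the third stage selects controls within stated percentage ranges. The following is an added illustration of that control flow, not the patent's formulas: the weights, the three thresholds, the linear index forms and the mapping of drift onto the claim 9 ranges are assumptions, and the pool availability input is taken as already scaled to [0, 1].

```python
# Added illustration, not the patent's formulas: the weights, thresholds and
# linear index forms below are assumptions. Inputs are dimensionless, in [0, 1].
T_OFFSET, T_RISK, T_DRIFT = 0.35, 0.50, 0.55  # assumed judgment thresholds

def offset_index(current, baseline, p_transition, w_window):
    """S31: weighted distance of the current vector from the baseline."""
    dist = sum(abs(c - b) for c, b in zip(current, baseline)) / len(current)
    return w_window * dist + (1.0 - w_window) * (1.0 - p_transition)

def risk_index(offset, attention, similarity, p_hist_risk):
    """S41: couple offset, attention-weighted mismatch and historical risk."""
    return 0.5 * offset + 0.3 * attention * (1.0 - similarity) + 0.2 * p_hist_risk

def drift_index(risk, load, pool_available, growth):
    """S51: couple risk with node load, address scarcity and traffic growth."""
    return 0.4 * risk + 0.2 * load + 0.2 * (1.0 - pool_available) + 0.2 * growth

def enhanced_strategy(drift):
    """Place each control inside its claim 9 range (linear mapping assumed)."""
    sev = (drift - T_DRIFT) / (1.0 - T_DRIFT)  # 0 at the threshold, 1 at max
    return {
        "address_allocation_ratio": round(0.50 - 0.20 * sev, 3),   # 30%-50%
        "bandwidth_utilization_cap": round(0.40 - 0.20 * sev, 3),  # 20%-40%
        "isolated_pool_share": round(0.10 + 0.10 * sev, 3),        # 10%-20%
        "drop_ratio": round(0.40 + 0.30 * sev, 3),                 # 40%-70%
    }

def evaluate(obs):
    """Gated cascade: each stage runs only when the previous one trips."""
    out = {"stage": 1, "marks": [], "strategy": None}
    out["offset"] = offset_index(obs["current"], obs["baseline"],
                                 obs["p_transition"], obs["w_window"])
    if out["offset"] < T_OFFSET:
        return out  # S32: normal behavior, continue monitoring
    out["marks"].append("behavior_offset_risk")
    out["stage"] = 2
    out["risk"] = risk_index(out["offset"], obs["attention"],
                             obs["similarity"], obs["p_hist_risk"])
    if out["risk"] < T_RISK:
        return out  # S42: trustworthy, continue monitoring
    out["marks"].append("risk_access")
    out["stage"] = 3
    out["drift"] = drift_index(out["risk"], obs["load"],
                               obs["pool_available"], obs["growth"])
    if out["drift"] >= T_DRIFT:  # S52: scheduling security conditions not met
        out["strategy"] = enhanced_strategy(out["drift"])
    return out

# Constructed observations (not measured data).
NORMAL = {"current": [0.20, 0.30, 0.10], "baseline": [0.22, 0.28, 0.12],
          "p_transition": 0.9, "w_window": 0.6, "attention": 0.3,
          "similarity": 0.95, "p_hist_risk": 0.02, "load": 0.4,
          "pool_available": 0.7, "growth": 0.1}
SUSPECT = {"current": [0.90, 0.80, 0.95], "baseline": [0.20, 0.30, 0.10],
           "p_transition": 0.1, "w_window": 0.6, "attention": 0.8,
           "similarity": 0.2, "p_hist_risk": 0.7, "load": 0.85,
           "pool_available": 0.15, "growth": 0.9}

if __name__ == "__main__":
    print(evaluate(NORMAL)["stage"], evaluate(SUSPECT)["strategy"])
```

Because the later indices are never computed for sessions that pass stage one, the returned dictionary carries `risk` and `drift` keys only for sessions that reached those stages, which is worth preserving when the result is written back as closed-loop feedback.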