An attack-based network security performance attribution method

By collecting network traffic and system performance data to generate joint fingerprints and using hash value matching, the accuracy and efficiency problems of network attack attribution in existing technologies are solved, and fast and accurate attack identification and attribution are achieved.

CN122247718A · Pending · Publication Date: 2026-06-19 · SUZHOU RUIYING INTELLIGENT COMPUTING TECHNOLOGY CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
SUZHOU RUIYING INTELLIGENT COMPUTING TECHNOLOGY CO LTD
Filing Date
2026-04-07
Publication Date
2026-06-19

Smart Images

  • Figure CN122247718A_ABST

Abstract

This invention discloses an attack-based network security performance attribution method, belonging to the field of network security technology. The method includes: collecting network traffic data and system performance data of the attacked system, whereby the system performance data includes response time, throughput, and error rate; extracting features from the network traffic data to generate attack traffic fingerprints, and extracting patterns from the system performance data to generate performance degradation fingerprints; combining the attack traffic fingerprints and performance degradation fingerprints to generate a joint fingerprint and storing it in a fingerprint database; when a new attack event occurs, extracting the real-time traffic fingerprint and real-time performance fingerprint, calculating the hash value of the joint fingerprint, and quickly locating matching historical attribution records in the fingerprint database through hash comparison, outputting the attribution result. This invention achieves efficient and accurate attack attribution by fusing attack traffic features and system performance degradation features to construct a joint fingerprint, combined with a fast hash matching mechanism, providing reliable support for rapid response to network security incidents.

Description

Technical Field

[0001] This invention belongs to the field of network security technology, specifically relating to an attack-based network security performance attribution method. It is particularly suitable for quickly locating attack types and attribution records by fusing attack traffic characteristics and system performance degradation characteristics when a system is subjected to network attacks, thus providing decision support for security response.

Background Technology

[0002] With the increasing diversification and complexity of cyberattacks, the threats faced by enterprise information systems are constantly intensifying. Distributed Denial-of-Service (DDoS) attacks, malware injection, and zero-day exploits not only cause abnormal network traffic but also directly impact the performance of critical business systems, leading to phenomena such as a sharp increase in response time, a plunge in throughput, and a surge in error rates. How to quickly identify attack types and trace attack sources from massive amounts of alerts and performance data has become a core challenge in network security operations and maintenance.

[0003] Currently, existing attack attribution methods mainly suffer from the following shortcomings: First, relying on a single data source limits the accuracy of attribution. Traditional methods typically rely solely on network traffic analysis or on system performance monitoring, making it difficult to reflect the full picture of an attack. For example, some low-rate (slow) attacks have no obvious traffic-level characteristics but can significantly increase system response time, while some traffic flood attacks have prominent traffic characteristics, but if only performance indicators are considered it is difficult to distinguish whether the degradation is caused by the attack or by peak business activity. Single-dimensional analysis methods therefore often lead to misjudgments or omissions.

[0004] Second, the attribution process relies on manual analysis, which is inefficient. After a security incident, security operations personnel typically need to manually review logs, analyze traffic packets, and compare historical events. This process is time-consuming, labor-intensive, and highly dependent on expert experience. For large-scale distributed systems, manual attribution is insufficient to meet the needs of real-time response, leading to prolonged attack duration and increased losses.

[0005] Third, the lack of a rapid matching mechanism makes it difficult to cope with high-frequency attacks. Existing automated attribution systems often employ rule-based matching or machine learning classification methods, but rule formulation is time-consuming and model inference latency is high, making it difficult to achieve millisecond-level rapid matching in a massive number of attack events. When multiple attack events occur within the same time period, the system cannot efficiently distinguish the attribution records of different attacks, resulting in low response efficiency.

[0006] Fourth, the correlation between attack characteristics and performance degradation has not been fully utilized. Different types of attacks have different impact patterns on system performance: DDoS attacks typically lead to throughput saturation and a surge in connection counts; ransomware encryption operations cause disk I/O and CPU usage to spike; and web application attacks may cause an increase in error rates. Existing technologies have not systematically modeled attack traffic fingerprints and performance degradation fingerprints together, so no knowledge base of attack-performance correlations is formed and historical experience is difficult to reuse.

[0007] Fifth, there is a lack of scalable fingerprint storage and comparison mechanisms. Existing attack signature databases mostly use database indexing or keyword matching methods. When the number of fingerprints increases, the retrieval efficiency drops sharply, making it difficult to support large-scale, high-concurrency real-time attribution requirements.

[0008] Therefore, there is an urgent need for a method that can integrate attack traffic characteristics with system performance degradation characteristics and achieve rapid attribution through an efficient hash matching mechanism, so as to improve the accuracy and timeliness of network security response.

Summary of the Invention

[0009] This invention provides an attack-based network security performance attribution method, which collects network traffic data and system performance data of the attacked system, the system performance data including response time, throughput, and error rate; the method includes the following steps:
S1: Extract features from the network traffic data to generate attack traffic fingerprints; extract patterns from the system performance data to generate performance degradation fingerprints;
S2: Combine the attack traffic fingerprint and the performance degradation fingerprint to generate a joint fingerprint, and store the joint fingerprint in the fingerprint database;
S3: When a new attack event occurs, extract the real-time traffic fingerprint and the real-time performance fingerprint, and calculate the hash value of the joint fingerprint using the following formula: H = SHA-256(H_attack || H_performance), where H is the hash value of the joint fingerprint, H_attack is the hash value of the attack traffic fingerprint, H_performance is the hash value of the performance degradation fingerprint, and || denotes string concatenation;
S4: Compare the calculated hash value against the fingerprint database to locate the matching historical attribution record and output the attribution result.

[0010] This invention also provides an attack-based network security performance attribution system, the system comprising:
a data acquisition module, used to collect network traffic data and system performance data of the attacked system, the system performance data including response time, throughput, and error rate;
a feature extraction module, used to extract features from the network traffic data to generate attack traffic fingerprints and to extract patterns from the system performance data to generate performance degradation fingerprints;
a joint fingerprint generation module, used to combine the attack traffic fingerprint and the performance degradation fingerprint to generate a joint fingerprint, and to store the joint fingerprint in the fingerprint database;
a hash calculation module, used to extract the real-time traffic fingerprint and the real-time performance fingerprint when a new attack event occurs, and to calculate the hash value of the joint fingerprint according to the following formula: H = SHA-256(H_attack || H_performance), where H is the hash value of the joint fingerprint, H_attack is the hash value of the attack traffic fingerprint, H_performance is the hash value of the performance degradation fingerprint, and || denotes string concatenation;
a fast comparison module, used to compare the calculated hash value against the fingerprint database, locate the matching historical attribution record, and output the attribution result.

[0011] An electronic device includes a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements an attack-based network security performance attribution method.

[0012] A computer-readable storage medium storing a computer program that, when executed by a processor, implements an attack-based network security performance attribution method.

[0013] Compared with the prior art, the beneficial effects of the present invention are as follows: 1. This invention simultaneously collects network traffic data and system performance data of the attacked system, extracts attack traffic fingerprints and performance degradation fingerprints respectively, and combines the two to generate a joint fingerprint. This mechanism fully utilizes the dual characteristics of attack behavior at the network layer and application layer, overcoming the limitations of analysis from a single data source. For example, when an attack causes a surge in system response time, the system can combine traffic fingerprints to determine whether it is a DDoS attack, or combine error rate characteristics to determine whether it is a Web application attack, significantly improving the accuracy of attribution.

[0014] 2. This invention employs the joint hash value as the index for fingerprint matching, producing a fixed-length key with a negligible collision probability and low computational cost. Looking the key up in a hash table takes constant time on average, so the fingerprint database keeps millisecond-level response even when the number of fingerprints reaches tens of millions. This provides technical support for real-time attribution and automated response to security incidents.

[0015] 3. This invention solidifies the experience of historical attack events into joint fingerprints, which are stored in a fingerprint database, forming a reusable and evolvable attack-performance correlation knowledge base. When a similar attack occurs again, the system can quickly locate historical attribution records through hash comparison, directly outputting information such as attack type and handling suggestions, avoiding redundant analysis and significantly improving operational efficiency.

[0016] 4. By integrating traffic fingerprints and performance fingerprints, this method can effectively distinguish between performance anomalies caused by attacks and normal fluctuations such as peak business traffic. For example, during peak business periods, even if the traffic characteristics are similar to those of an attack, the performance degradation mode (such as error rate and response time) may still be within the normal range. The system can identify the differences by comparing the joint fingerprints, avoiding false alarms and reducing the unnecessary workload of operations and maintenance personnel.

[0017] 5. When new types of attacks or variants of existing attacks occur, the system can extract their joint fingerprints and store them in the fingerprint database, enabling dynamic expansion of the knowledge base. At the same time, version management and similarity clustering of the fingerprint database assist analysts in identifying attack evolution trends, providing data support for the continuous optimization of security strategies.

[0018] 6. This method does not rely on complex artificial intelligence model inference. It only requires adding a fingerprint extraction and hash comparison module to the existing network traffic monitoring and system performance monitoring to achieve rapid attribution. It has low deployment cost and is easy to integrate with an existing security operations system.

Attached Figure Description

[0019] To more clearly illustrate the technical solutions of the embodiments of this application, the drawings used in the embodiments will be briefly introduced below. Obviously, the drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0020] Figure 1 is a flowchart of this application.

Detailed Implementation

[0021] The embodiments of this application will now be described in detail with reference to the accompanying drawings.

[0022] The following specific examples illustrate the implementation of this application. Those skilled in the art can easily understand other advantages and effects of this application from the content disclosed in this specification. Obviously, the described embodiments are only a part of the embodiments of this application, and not all of them. This application can also be implemented or applied through other different specific embodiments, and the details in this specification can also be modified or changed based on different viewpoints and applications without departing from the spirit of this application. It should be noted that, in the absence of conflict, the following embodiments and features in the embodiments can be combined with each other. Based on the embodiments in this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this application.

[0023] It should be noted that various aspects of embodiments within the scope of the appended claims are described below. It will be apparent that the aspects described herein can be embodied in a wide variety of forms, and any particular structure and/or function described herein is merely illustrative. Based on this application, those skilled in the art will understand that one aspect described herein can be implemented independently of any other aspect, and two or more of these aspects can be combined in various ways. For example, any number of the aspects set forth herein can be used to implement the device and/or practice the method. Additionally, this device and/or method can be implemented using structures and/or functionalities other than one or more of the aspects set forth herein.

[0024] Additionally, specific details are provided in the following description to facilitate a thorough understanding of the examples. However, those skilled in the art will understand that practice can be carried out without these specific details.

[0025] This specification proposes an attack-based network security performance attribution method, which collects network traffic data and system performance data of the attacked system, the system performance data including response time, throughput, and error rate. The method includes the following steps:
S1: Extract features from the network traffic data to generate attack traffic fingerprints; extract patterns from the system performance data to generate performance degradation fingerprints. Specifically, this includes the following steps:
S11: Extract packet-level features from the network traffic data. Packet-level features include 5-tuple information, payload length, flag bits, and protocol fields.
S12: Aggregate the packet-level features at flow level and calculate flow-level statistical features, including the number of packets, average inter-packet interval, total number of bytes, and retransmission rate.
S13: Use a pre-trained traffic encoding model to map the flow-level statistical features into a fixed-dimensional attack traffic feature vector.
S14: Reduce the dimensionality of the attack traffic feature vector to obtain the attack traffic fingerprint.

[0026] S15: Divide the system performance data into time windows of T seconds each, where T ranges from 30 to 300 seconds.
S16: Calculate performance degradation metrics within each time window. The performance degradation metrics include the response time growth rate, the throughput decline rate, and the error rate increase rate.
S17: Normalize the performance degradation metrics to obtain a normalized performance degradation vector.
S18: Use principal component analysis to reduce the dimensionality of the normalized performance degradation vector to obtain the performance degradation fingerprint.
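The performance-side steps S15 to S17 above, as an added example that is not part of the patent text. It windows a constructed per-second series of (response time, throughput, error rate), computes the three degradation rates relative to a baseline window (the description does not say what the growth rates are measured against; the preceding quiet window is assumed here), and min-max normalizes them with assumed caps. The PCA reduction of S18 is omitted; with three metrics the normalized vector itself stands in as the performance degradation fingerprint. The series also contains a business-peak window, which illustrates the distinction drawn in paragraph [0016]: under legitimate peak load throughput rises rather than falls and the error rate barely moves, so its fingerprint lies far from the flood's.

```python
# Added example: performance degradation fingerprint from windowed metrics (S15-S17).
# Not the patent's code. The baseline-window reference, the normalisation caps and the
# sample series are assumptions; the PCA step (S18) is left out.
from statistics import mean
from typing import List, Sequence, Tuple

Sample = Tuple[float, float, float]  # (response_time_ms, throughput_rps, error_rate)

# Constructed 1 Hz series, 180 s: a quiet minute, a business-peak minute, a flood minute.
SERIES: List[Sample] = (
    [(120.0, 1000.0, 0.010)] * 60    # quiet baseline
    + [(150.0, 1400.0, 0.012)] * 60  # legitimate peak: more load, slightly slower, errors flat
    + [(480.0, 250.0, 0.210)] * 60   # flood: latency x4, throughput collapses, 1 in 5 requests fail
)

# Assumed caps that map each rate onto [0, 1]; anything above a cap saturates at 1.
NORMALISATION_CAPS = (5.0, 1.0, 50.0)


def split_windows(samples: Sequence[Sample], T: int) -> List[Sequence[Sample]]:
    """S15: cut the series into consecutive windows of T seconds (30 <= T <= 300)."""
    if not 30 <= T <= 300:
        raise ValueError("window length must be between 30 and 300 seconds")
    return [samples[i:i + T] for i in range(0, len(samples) - T + 1, T)]


def column_means(window: Sequence[Sample]) -> Tuple[float, float, float]:
    """Mean response time, throughput and error rate over one window."""
    rt, tp, er = (mean(s[i] for s in window) for i in range(3))
    return (rt, tp, er)


def degradation_metrics(baseline: Sequence[Sample], window: Sequence[Sample]) -> Tuple[float, float, float]:
    """S16: response-time growth rate, throughput decline rate, error-rate increase rate,
    each relative to the baseline window. A healthy window gives values near 0."""
    rt_b, tp_b, er_b = column_means(baseline)
    rt_w, tp_w, er_w = column_means(window)
    rt_growth = (rt_w - rt_b) / rt_b
    tp_decline = (tp_b - tp_w) / tp_b                   # negative when throughput went up
    er_increase = (er_w - er_b) / er_b if er_b else er_w  # avoid dividing by a zero baseline
    return (rt_growth, tp_decline, er_increase)


def normalise(metrics: Sequence[float], caps: Sequence[float] = NORMALISATION_CAPS) -> Tuple[float, ...]:
    """S17: clamp each rate to [0, cap] and scale to [0, 1]; improvements (negative rates) become 0."""
    return tuple(min(max(m, 0.0), cap) / cap for m, cap in zip(metrics, caps))


def performance_fingerprints(series: Sequence[Sample], T: int) -> List[Tuple[float, ...]]:
    """Use the first window as the baseline and fingerprint every later window."""
    windows = split_windows(series, T)
    baseline = windows[0]
    return [normalise(degradation_metrics(baseline, w)) for w in windows[1:]]


if __name__ == "__main__":
    for label, fp in zip(("business peak", "flood"), performance_fingerprints(SERIES, 60)):
        print(f"{label:14s} -> {tuple(round(x, 3) for x in fp)}")
```

With the constructed series the peak window normalizes to roughly (0.05, 0, 0.004) and the flood window to (0.6, 0.75, 0.4): the two are separated on every axis, which is what lets the joint fingerprint distinguish an attack from peak business traffic.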

[0027] S2: Combine the attack traffic fingerprint and the performance degradation fingerprint to generate a joint fingerprint, and store the joint fingerprint in the fingerprint database. Specifically, this includes the following steps:
S21: Base64-encode the attack traffic fingerprint and the performance degradation fingerprint respectively to obtain the encoded traffic fingerprint string and performance fingerprint string.
S22: Concatenate the traffic fingerprint string and the performance fingerprint string according to the preset concatenation format, which is traffic fingerprint:performance fingerprint:timestamp.
S23: Use the concatenated string as the original data of the joint fingerprint.
S24: Perform a SHA-256 hash calculation on the original data of the joint fingerprint to obtain the hash value of the joint fingerprint, and store the original data of the joint fingerprint together with the hash value.

[0028] S3: When a new attack event occurs, extract the real-time traffic fingerprint and the real-time performance fingerprint, and calculate the hash value of the joint fingerprint using the following formula: H = SHA-256(H_attack || H_performance), where H is the hash value of the joint fingerprint, H_attack is the hash value of the attack traffic fingerprint, H_performance is the hash value of the performance degradation fingerprint, and || denotes string concatenation.
S4: Compare the calculated hash value against the fingerprint database to locate the matching historical attribution record and output the attribution result.

[0029] Specifically, this includes the following steps:
S41: Construct the fingerprint database as a hash table. The key of the hash table is the hash value of the joint fingerprint, and the value is the corresponding historical attribution record.
S42: When a new attack event occurs, calculate the real-time hash value and query the hash table directly to locate the historical attribution record.
S43: When multiple matching historical attribution records are found, calculate the Euclidean distance between the real-time performance degradation fingerprint and each historical performance degradation fingerprint, and select the historical attribution record with the smallest distance as the attribution result.
S44: When no matching historical attribution record is found, add the real-time joint fingerprint to the fingerprint database as a new fingerprint entry and mark it as an attribution to be confirmed.

[0030] The method also includes incremental update steps for the fingerprint database:
S51: Periodically collect access frequency statistics for the fingerprint entries in the fingerprint database and record the most recent access timestamp of each fingerprint entry.
S52: When the time since a fingerprint entry's most recent access exceeds a preset expiration threshold, remove the fingerprint entry from the fingerprint database. The expiration threshold ranges from 7 to 90 days.
S53: When the fingerprint database reaches the preset capacity limit, eliminate the fingerprint entry with the lowest access frequency according to the least recently used strategy.
S54: Archive the eliminated fingerprint entries and retain the archived data for no less than 90 days.
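The joint-fingerprint and matching procedure of S21 to S54 above, as an added example that is not part of the patent text. Two points the description leaves open are handled as labeled assumptions. First, exact hash matching only works if the continuous fingerprints are quantized to a fixed step before hashing; otherwise two events practically never share a key, and the multiple-match case of S43 could never arise. The example buckets each component and keeps the un-quantized degradation vector in the record so the Euclidean tie-break has something to compare. Second, the concatenation format of S22 includes a timestamp, which would have the same effect if it were hashed, so the key follows the claimed formula H = SHA-256(H_attack || H_performance) and the timestamped string is stored as the record's raw data only. The S53 rule is read as lowest access count first, least recently used as the tie-break. The traffic fingerprints are constructed byte strings standing in for the encoder output of S13 and S14.

```python
# Added example: joint fingerprint hashing and hash-table attribution (S21-S24, S41-S44, S51-S54).
# Not the patent's code. Assumptions: fingerprints are quantised to fixed buckets before
# hashing; the timestamp of the S22 format is stored but not hashed; S53 eviction is
# lowest hit count first, least recently used as tie-break. All sample data is constructed.
import base64
import hashlib
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple

Vector = Tuple[float, ...]


def quantise(vec: Sequence[float], step: float = 0.25) -> bytes:
    """Bucket each component to a fixed step so near-identical degradation patterns
    yield identical bytes. Bucket indices are clamped to one byte (0..255)."""
    return bytes(max(0, min(255, int(round(v / step)))) for v in vec)


def fingerprint_hash(fp: bytes) -> str:
    """S21 + S3: Base64-encode one fingerprint and hash it (this is H_attack or H_performance)."""
    return hashlib.sha256(base64.b64encode(fp)).hexdigest()


def joint_hash(traffic_fp: bytes, perf_fp: bytes) -> str:
    """S3: H = SHA-256(H_attack || H_performance), with || as string concatenation."""
    concatenated = fingerprint_hash(traffic_fp) + fingerprint_hash(perf_fp)
    return hashlib.sha256(concatenated.encode("ascii")).hexdigest()


def raw_joint_data(traffic_fp: bytes, perf_fp: bytes, timestamp: float) -> str:
    """S22-S23 format 'traffic fingerprint:performance fingerprint:timestamp', kept as record data."""
    return "%s:%s:%d" % (base64.b64encode(traffic_fp).decode("ascii"),
                         base64.b64encode(perf_fp).decode("ascii"), int(timestamp))


@dataclass
class AttributionRecord:
    attack_type: Optional[str]   # None while the record is an attribution to be confirmed (S44)
    advice: str
    perf_vector: Vector          # un-quantised degradation vector, compared in the S43 tie-break
    raw_joint: str
    confirmed: bool = True


@dataclass
class Entry:
    records: List[AttributionRecord] = field(default_factory=list)
    hits: int = 0
    last_access: float = 0.0


class FingerprintDB:
    """S41: hash table keyed by the joint hash, with the S51-S54 maintenance rules."""

    def __init__(self, capacity: int, expiry_seconds: float) -> None:
        self.table: Dict[str, Entry] = {}
        self.archive: List[Tuple[str, Entry]] = []  # S54: evicted and expired entries are archived
        self.capacity = capacity
        self.expiry_seconds = expiry_seconds

    def store(self, traffic_fp: bytes, perf_vec: Sequence[float], attack_type: Optional[str],
              advice: str, now: float, confirmed: bool = True) -> str:
        """S24: hash the joint fingerprint and file the record under it."""
        perf_fp = quantise(perf_vec)
        key = joint_hash(traffic_fp, perf_fp)
        if key not in self.table and len(self.table) >= self.capacity:
            self._evict_one()  # S53
        entry = self.table.setdefault(key, Entry())
        entry.records.append(AttributionRecord(attack_type, advice, tuple(perf_vec),
                                               raw_joint_data(traffic_fp, perf_fp, now), confirmed))
        entry.last_access = now
        return key

    def attribute(self, traffic_fp: bytes, perf_vec: Sequence[float], now: float) -> AttributionRecord:
        """S42-S44: one hash lookup; several candidates -> nearest performance vector;
        unknown key -> insert as an attribution to be confirmed."""
        key = joint_hash(traffic_fp, quantise(perf_vec))
        entry = self.table.get(key)
        if entry is None:
            self.store(traffic_fp, perf_vec, None, "pending analyst review", now, confirmed=False)
            return self.table[key].records[-1]
        entry.hits += 1
        entry.last_access = now
        return min(entry.records, key=lambda r: math.dist(r.perf_vector, perf_vec))

    def expire(self, now: float) -> int:
        """S52: archive entries not accessed within the expiry threshold; returns how many."""
        stale = [k for k, e in self.table.items() if now - e.last_access > self.expiry_seconds]
        for k in stale:
            self.archive.append((k, self.table.pop(k)))
        return len(stale)

    def _evict_one(self) -> None:
        victim = min(self.table, key=lambda k: (self.table[k].hits, self.table[k].last_access))
        self.archive.append((victim, self.table.pop(victim)))


if __name__ == "__main__":
    db = FingerprintDB(capacity=1000, expiry_seconds=30 * 86400)
    syn = bytes([7, 3, 9])  # constructed traffic fingerprint
    db.store(syn, (3.0, 0.8, 0.05), "ddos_syn_flood", "enable SYN cookies", 1_700_000_000.0)
    print(db.attribute(syn, (2.95, 0.72, 0.08), 1_700_000_010.0).attack_type)
```

The quantization step is where the accuracy claims of the method are actually decided: too coarse a step collapses distinct attacks onto one key and pushes all the work onto the S43 distance comparison, too fine a step and recurring attacks never hit the table at all.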

[0031] This invention achieves efficient, accurate, and scalable network security performance attribution through joint modeling and hash-based fast matching of attack traffic fingerprints and performance degradation fingerprints, providing reliable technical support for rapid response and automated handling of security incidents.

[0032] This invention also provides an attack-based network security performance attribution system, the system comprising:
a data acquisition module, used to collect network traffic data and system performance data of the attacked system, the system performance data including response time, throughput, and error rate;
a feature extraction module, used to extract features from the network traffic data to generate attack traffic fingerprints and to extract patterns from the system performance data to generate performance degradation fingerprints;
a joint fingerprint generation module, used to combine the attack traffic fingerprint and the performance degradation fingerprint to generate a joint fingerprint, and to store the joint fingerprint in the fingerprint database;
a hash calculation module, used to extract the real-time traffic fingerprint and the real-time performance fingerprint when a new attack event occurs, and to calculate the hash value of the joint fingerprint according to the following formula: H = SHA-256(H_attack || H_performance), where H is the hash value of the joint fingerprint, H_attack is the hash value of the attack traffic fingerprint, H_performance is the hash value of the performance degradation fingerprint, and || denotes string concatenation;
a fast comparison module, used to compare the calculated hash value against the fingerprint database, locate the matching historical attribution record, and output the attribution result.

[0033] An electronic device includes a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements the aforementioned attack-based network security performance attribution method.

[0034] A computer-readable storage medium storing a computer program that, when executed by a processor, implements the aforementioned attack-based network security performance attribution method.

[0035] Those skilled in the art will understand that all or part of the processes in the methods of the above embodiments can be implemented by a computer program instructing related hardware. The computer program can be stored in a non-volatile computer-readable storage medium, and when executed, it can include the processes of the embodiments of the above methods. Any references to memory, storage, databases, or other media used in the embodiments provided in this application can include non-volatile and/or volatile memory. Non-volatile memory can include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in various forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM), and Rambus dynamic RAM (RDRAM), etc.

[0036] In this specification, the same or similar parts between the various embodiments can be referred to mutually. Each embodiment focuses on describing the differences from other embodiments. In particular, the descriptions of the embodiments described later are relatively simple, and relevant parts can be referred to the descriptions of the foregoing embodiments.

[0037] The above description is merely a specific embodiment of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the technical scope disclosed in this application should be included within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.

Claims

1. An attack-based network security performance attribution method, which collects network traffic data and system performance data of the attacked system, the system performance data including response time, throughput, and error rate; the method includes the following steps:
S1: Extract features from the network traffic data to generate attack traffic fingerprints; extract patterns from the system performance data to generate performance degradation fingerprints;
S2: Combine the attack traffic fingerprint and the performance degradation fingerprint to generate a joint fingerprint, and store the joint fingerprint in the fingerprint database;
S3: When a new attack event occurs, extract the real-time traffic fingerprint and the real-time performance fingerprint, and calculate the hash value of the joint fingerprint using the following formula: H = SHA-256(H_attack || H_performance), where H is the hash value of the joint fingerprint, H_attack is the hash value of the attack traffic fingerprint, H_performance is the hash value of the performance degradation fingerprint, and || denotes string concatenation;
S4: Compare the calculated hash value against the fingerprint database to locate the matching historical attribution record and output the attribution result.

2. The attack-based network security performance attribution method according to claim 1, characterized in that the step of extracting features from the network traffic data to generate attack traffic fingerprints includes:
S11: Extract packet-level features from the network traffic data. Packet-level features include 5-tuple information, payload length, flag bits, and protocol fields.
S12: Aggregate the packet-level features at flow level and calculate flow-level statistical features, including the number of packets, average inter-packet interval, total number of bytes, and retransmission rate.
S13: Use a pre-trained traffic encoding model to map the flow-level statistical features into a fixed-dimensional attack traffic feature vector.
S14: Reduce the dimensionality of the attack traffic feature vector to obtain the attack traffic fingerprint.

3. The attack-based network security performance attribution method according to claim 1, characterized in that the step of extracting patterns from the system performance data to generate performance degradation fingerprints includes:
S15: Divide the system performance data into time windows of T seconds each, where T ranges from 30 to 300 seconds.
S16: Calculate performance degradation metrics within each time window. The performance degradation metrics include the response time growth rate, the throughput decline rate, and the error rate increase rate.
S17: Normalize the performance degradation metrics to obtain a normalized performance degradation vector.
S18: Use principal component analysis to reduce the dimensionality of the normalized performance degradation vector to obtain the performance degradation fingerprint.

4. The attack-based network security performance attribution method according to claim 1, characterized in that the step of combining the attack traffic fingerprint and the performance degradation fingerprint to generate a joint fingerprint includes:
S21: Base64-encode the attack traffic fingerprint and the performance degradation fingerprint respectively to obtain the encoded traffic fingerprint string and performance fingerprint string.
S22: Concatenate the traffic fingerprint string and the performance fingerprint string according to the preset concatenation format, which is traffic fingerprint:performance fingerprint:timestamp.
S23: Use the concatenated string as the original data of the joint fingerprint.
S24: Perform a SHA-256 hash calculation on the original data of the joint fingerprint to obtain the hash value of the joint fingerprint, and store the original data of the joint fingerprint together with the hash value.

5. The attack-based network security performance attribution method according to claim 1, characterized in that the step of comparing the calculated hash value against the fingerprint database includes:
S41: Construct the fingerprint database as a hash table. The key of the hash table is the hash value of the joint fingerprint, and the value is the corresponding historical attribution record.
S42: When a new attack event occurs, calculate the real-time hash value and query the hash table directly to locate the historical attribution record.
S43: When multiple matching historical attribution records are found, calculate the Euclidean distance between the real-time performance degradation fingerprint and each historical performance degradation fingerprint, and select the historical attribution record with the smallest distance as the attribution result.
S44: When no matching historical attribution record is found, add the real-time joint fingerprint to the fingerprint database as a new fingerprint entry and mark it as an attribution to be confirmed.

6. The attack-based network security performance attribution method according to claim 1, characterized in that it also includes incremental update steps for the fingerprint database:
S51: Periodically collect access frequency statistics for the fingerprint entries in the fingerprint database and record the most recent access timestamp of each fingerprint entry.
S52: When the time since a fingerprint entry's most recent access exceeds a preset expiration threshold, remove the fingerprint entry from the fingerprint database. The expiration threshold ranges from 7 to 90 days.
S53: When the fingerprint database reaches the preset capacity limit, eliminate the fingerprint entry with the lowest access frequency according to the least recently used strategy.
S54: Archive the eliminated fingerprint entries and retain the archived data for no less than 90 days.

7. An attack-based network security performance attribution system, the system comprising:
a data acquisition module, used to collect network traffic data and system performance data of the attacked system, the system performance data including response time, throughput, and error rate;
a feature extraction module, used to extract features from the network traffic data to generate attack traffic fingerprints and to extract patterns from the system performance data to generate performance degradation fingerprints;
a joint fingerprint generation module, used to combine the attack traffic fingerprint and the performance degradation fingerprint to generate a joint fingerprint, and to store the joint fingerprint in the fingerprint database;
a hash calculation module, used to extract the real-time traffic fingerprint and the real-time performance fingerprint when a new attack event occurs, and to calculate the hash value of the joint fingerprint according to the following formula: H = SHA-256(H_attack || H_performance), where H is the hash value of the joint fingerprint, H_attack is the hash value of the attack traffic fingerprint, H_performance is the hash value of the performance degradation fingerprint, and || denotes string concatenation;
a fast comparison module, used to compare the calculated hash value against the fingerprint database, locate the matching historical attribution record, and output the attribution result.

8. An electronic device, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements an attack-based network security performance attribution method as claimed in any one of claims 1 to 6.

9. A computer-readable storage medium storing a computer program that, when executed by a processor, implements an attack-based network security performance attribution method as claimed in any one of claims 1 to 6.