A machine learning-based network security protocol deep parsing method and system
By collecting network security protocol data packet processing information and using machine learning convolutional kernels to identify abnormal call fragments and inter-kernel jump events, and dynamically adjusting processing strategies, the problem of insufficient perception and response capabilities for abnormal processing within protocols in existing technologies is solved, and effective detection and response to advanced threats are achieved.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Application (China)
- Current Assignee / Owner
- NANJING YISHENG SAFETY TECH RES INST CO LTD
- Filing Date
- 2026-05-21
- Publication Date
- 2026-06-19
AI Technical Summary
Existing technologies lack the ability to detect and respond to anomalies in the internal processing of network security protocols, making it difficult to effectively detect advanced threats that do not carry explicit attack payloads.
By collecting function addresses, execution times, and cross-core scheduling paths during the processing of network security protocol data packets, a processing log is generated. Machine learning convolutional kernel scanning is used to identify abnormal call fragments and inter-core jump events, and the protocol packet processing queue is dynamically adjusted or forwarded to an isolated processor for rate limiting.
It enables accurate identification and response to anomalies within network security protocols, improving system stability and security, and effectively detecting covert attacks that are difficult to detect using traditional methods.
Figure CN122247766A_ABST (abstract drawing)
Description
Technical Field
[0001] This application relates to the field of network security detection technology, and in particular to a method and system for deep analysis of network security protocols based on machine learning.
Background Technology
[0002] Deep analysis of network security protocols is a key technology for ensuring network communication security, aiming to identify advanced threats hidden in legitimate data streams. As network attack methods become increasingly complex and covert, this technology has broad application prospects in high-performance computing, cloud computing, and critical information infrastructure.
[0003] Existing network security protocol parsing methods primarily rely on deep packet inspection (DPI) technology or network traffic statistical analysis. These methods identify malicious behavior by matching it against a pre-defined attack signature database or analyzing the statistical characteristics of data streams, such as detecting specific attack payloads or abnormal traffic patterns.
[0004] However, the aforementioned methods primarily focus on packet content or external traffic characteristics, lacking effective detection capabilities for attacks that do not carry explicit attack payloads but only induce abnormal internal system processing behavior. This allows attackers to exploit the complexity of protocol processing to evade detection, posing a potential threat to system security. Therefore, existing technologies suffer from insufficient ability to detect and respond to abnormal internal protocol processing.
Summary of the Invention
[0005] The purpose of this application is to provide a method and system for deep analysis of network security protocols based on machine learning, so as to solve the technical problem that the existing technology has insufficient ability to detect and respond to anomalies in the internal processing of protocols.
[0006] To address the aforementioned technical problems, in a first aspect, this application provides a machine learning-based method for deep analysis of network security protocols, comprising: collecting function addresses, execution times, and cross-core scheduling paths during the processing of network security protocol data packets, and generating processing logs based on the collected information, the processing logs including timestamps and inter-core jump markers; stream-processing the processing logs, performing statistical analysis of the function addresses and execution times through a sliding window to obtain the calling patterns of different network security protocol types, and calculating, based on the cross-core scheduling paths, the conditional probability matrix of task transfer between adjacent processor cores; establishing an inter-core behavior baseline based on the conditional probability matrix, and scanning the processing logs using machine learning convolutional kernels to detect anomalies, wherein a first convolutional kernel compares high-frequency call segments against the calling patterns to identify abnormal call segments, and a second convolutional kernel compares cross-core scheduling sequences against the conditional probability matrix to detect abnormal inter-core jump events; and, when an abnormal call segment is identified, dynamically adjusting the scheduling strategy of the protocol packet processing queue based on the inter-core behavior baseline, or, when an abnormal inter-core jump event is detected, forwarding the abnormal data stream that triggered it to a target isolated processor core for rate-limiting processing.
[0007] Optionally, establishing the inter-core behavior baseline based on the conditional probability matrix includes: calculating, based on the conditional probability matrices within a historical time period, a stable reference value for the task transfer probability between each pair of processor cores, and establishing the inter-core behavior baseline based on the stable reference values.
[0008] Scanning the processing log using the convolutional kernels to detect anomalies includes: setting the scanning window parameters of the first and second convolutional kernels; scanning the processing log with the first convolutional kernel and, based on the calling pattern, comparing the call density of the function address sequence within the window to identify abnormal call segments; and scanning the processing log with the second convolutional kernel, calculating the probability of occurrence of the cross-core scheduling sequence within the window, comparing that probability with a preset threshold, and detecting abnormal inter-core jump events based on the comparison result.
[0009] Optionally, scanning the processing log using the second convolutional kernel to calculate the probability of occurrence of cross-core scheduling sequences within a window, comparing that probability with a preset threshold, and detecting abnormal inter-core jump events based on the comparison result includes: scanning continuously with the second convolutional kernel and recording the cross-core scheduling sequence within the window; reading each transfer event in turn from the cross-core scheduling sequence and querying the conditional probability matrix to obtain the conditional probability value corresponding to each transfer event; multiplying the obtained conditional probability values together to calculate the overall probability of occurrence of the cross-core scheduling sequence; and comparing the overall probability of occurrence with the preset threshold, where, if the overall probability of occurrence is lower than the preset threshold, the cross-core scheduling sequence is determined to be an abnormal inter-core jump event.
[0010] Optionally, performing statistical analysis of the function addresses and execution times through a sliding window to obtain the calling patterns of different network security protocol types includes: establishing a data connection between the data processing unit and the log generation end, and receiving the processing logs through this data connection; setting the length and step size of the sliding time window, and segmenting the processing logs based on the length and step size; classifying the processing logs according to network security protocol type; for each type of processing log, counting the frequency of occurrence of each function address and calculating the execution time statistics of each function address; and integrating the frequency of occurrence and the execution time statistics to obtain the calling pattern.
[0011] Optionally, calculating the conditional probability matrix for task transfer between adjacent processor cores based on the cross-core scheduling path includes: Extract the cross-core scheduling path of the processing log within each time window, and count the number of task transfers between adjacent processor cores based on the cross-core scheduling path; Based on the number of occurrences, the frequency percentage of the transfer from the first processor core to the second processor core is calculated, and the frequency percentages of all adjacent processor core pairs are combined to form a conditional probability matrix.
[0012] Optionally, when an abnormal call segment is identified, dynamically adjusting the scheduling strategy of the protocol packet processing queue based on the inter-core behavior baseline includes: based on the timestamp and protocol 5-tuple of the abnormal call segment, locating the data stream that generated it and marking it as an abnormal data stream; querying the load metrics of the processor cores in the inter-core behavior baseline; inputting the load metrics into a preset weight mapping function and generating scheduling weights based on its output; assigning the abnormal data stream, based on the scheduling weight, a processing priority lower than the preset priority; and rearranging the execution order of the protocol packet processing queue based on the processing priority so that the processing task corresponding to the abnormal data stream is placed at the end of the queue.
[0013] Optionally, when the inter-core jump event is detected, the abnormal data stream that triggered the inter-core jump event is forwarded to the target isolated processor for rate limiting processing, including: Based on the timestamp and path of the abnormal inter-core jump event, locate the data stream that triggered the abnormal inter-core jump event, and use it as the abnormal data stream; Query the system resource configuration table to obtain the identifier of the isolated processor core, and generate a data flow forwarding instruction based on the identifier; According to the data stream forwarding instruction, subsequent data packets of the abnormal data stream are redirected to the isolated processor core; A maximum data processing rate is set on the isolated processor core, and the data packet processing speed is limited based on the maximum data processing rate.
[0014] Secondly, this application provides a machine learning-based deep analysis system for network security protocols, comprising: The data acquisition module is used to collect function addresses, execution times, and cross-core scheduling paths during the processing of network security protocol data packets, and to generate processing logs based on the collected information; the processing logs include timestamps and inter-core jump markers; The processing module is used to perform streaming processing on the processing logs, perform statistical analysis on the function addresses and execution times through a sliding window to obtain the calling patterns of different network security protocol types, and calculate the conditional probability matrix of task transfer between adjacent processor cores based on the cross-core scheduling path. The detection module is used to establish an inter-core behavior baseline based on the conditional probability matrix and to scan the processing log using machine learning convolutional kernels to detect anomalies. Specifically, a first convolutional kernel is used to compare high-frequency call segments based on the call patterns to identify abnormal call segments; and a second convolutional kernel is used to compare cross-core scheduling sequences based on the conditional probability matrix to detect abnormal inter-core jump events. The adjustment module is used to dynamically adjust the scheduling strategy of the protocol packet processing queue based on the inter-core behavior baseline when the abnormally dense call fragments are identified; or, when the inter-core jump event is detected, forward the abnormal data stream that triggers the inter-core jump event to the target isolated processor for rate limiting processing.
[0015] Thirdly, this application provides an electronic device, comprising: Memory, used to store computer programs; A processor, configured to implement the steps of a machine learning-based deep parsing method for network security protocols as described in the first aspect above, when executing the computer program.
[0016] Fourthly, this application provides a computer-readable storage medium storing a computer program that, when executed by a processor, can implement the steps of the machine learning-based network security protocol deep parsing method described in the first aspect above.
[0017] This application provides a machine learning-based deep analysis method for network security protocols. By collecting function addresses, execution times, and cross-core scheduling paths during network security protocol data packet processing, it generates processing logs containing timestamps and inter-core jump markers, thereby comprehensively capturing key operational information of the protocol processing. Through streaming processing of the processing logs, it determines the calling patterns of different network security protocol types and calculates the conditional probability matrix of inter-core task transfer, thereby uncovering the behavioral characteristics and scheduling patterns of the protocols during normal operation. By establishing an inter-core behavioral baseline based on the conditional probability matrix and scanning the processing logs using a first and second convolutional kernel, it identifies abnormal call segments and detects abnormal inter-core jump events, thereby achieving accurate identification of different types of internal processing anomalies. Furthermore, when abnormal call segments are identified, the scheduling strategy is dynamically adjusted, or when abnormal inter-core jump events are detected, the abnormal data stream is forwarded to an isolated core for rate-limiting processing, thus enabling targeted handling of anomalies to ensure the stability and security of system operation.
[0018] Furthermore, this application establishes the inter-core behavior baseline by calculating reference values for the task transition probabilities from historical data, and configures the parameters of the short-scale and long-scale convolutional kernels to compare function call density and to calculate the probability of occurrence of cross-core scheduling sequences, respectively. Anomalies are then detected by comparing this probability with a preset threshold. Through this refinement of the baseline establishment method, the convolutional kernel configuration, and the detection logic, the accuracy and reliability of abnormal behavior identification can be further improved.
Attached Figure Description
[0019] To more clearly illustrate the technical solutions of the embodiments of this application or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0020] Figure 1 is a flowchart of a machine learning-based deep analysis method for network security protocols provided in an embodiment of this application;
[0021] Figure 2 is a flowchart of a specific implementation of a machine learning-based deep analysis method for network security protocols provided in an embodiment of this application;
[0022] Figure 3 is a schematic diagram of the structure of a machine learning-based network security protocol deep analysis system provided in an embodiment of this application.
Detailed Implementation
[0023] The network security methods mentioned in the background typically focus monitoring on external characteristics such as packet content or network traffic. However, with the evolution of attack methods, many advanced threats no longer rely on obvious attack payloads, but instead achieve their attack objectives by cleverly exploiting system resources and disrupting internal processing flows. Because these attacks have inconspicuous external characteristics, they often evade traditional detection methods. Therefore, how to delve into the system's internal workings and perceive and respond to these covert threats at the level of processing behavior is a technical problem that urgently needs to be solved by existing technologies.
[0024] In view of this, this application provides a machine learning-based method for parsing network security protocols. This method delves into the internal workings of protocol processing, collecting internal operational information such as function calls, execution times, and task scheduling paths between processor cores. It then utilizes machine learning techniques to establish an accurate behavioral baseline model for the normal processing behavior of the protocol. Once the current processing behavior deviates from this baseline, this method can quickly identify the anomaly and automatically take response measures such as dynamically adjusting the priority of processing tasks or redirecting suspicious data streams to an isolated environment for restricted processing. By monitoring and analyzing the internal processing behavior of the system, rather than relying solely on external data features, this method can effectively identify and handle covert attacks that are difficult to detect using traditional methods, thus solving the technical problem of insufficient perception and response capabilities for anomalies in the internal processing of protocols in existing technologies.
[0025] To enable those skilled in the art to better understand the present application, the present application will be further described in detail below with reference to the accompanying drawings and specific embodiments. Obviously, the described embodiments are merely some embodiments of the present application, and not all embodiments. Based on the embodiments in this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this application.
[0026] The core of this application is to provide a deep analysis method for network security protocols based on machine learning; a flowchart of one specific implementation is shown in Figure 1. As shown in Figure 1, the method includes:
[0027] S101. Collect the function address, execution time, and cross-core scheduling path during the network security protocol data packet processing, and generate a processing log based on the collected information.
[0028] The processing log is a record of key operational information generated during the processing of network security protocol data packets. The processing log includes timestamps and inter-core jump markers. The timestamps are used to mark the specific time of information collection, and the inter-core jump markers indicate the switching status of tasks between different processor cores.
[0029] The function address refers to the location of the specific program instruction being executed, the execution time is the runtime of each instruction, and the cross-core scheduling path is the route a task takes when switching between multiple processor cores.
[0030] In one specific implementation, when the network security protocol processes data packets by receiving, parsing, and responding, it simultaneously collects three types of key information: function address, execution time, and cross-core scheduling path. This information is then organized and summarized in a unified format to form a processing log containing timestamps and inter-core jump markers.
[0031] S102. Perform streaming processing on the processing logs, perform statistical analysis on function addresses and execution times through a sliding window to obtain the calling patterns of different network security protocol types, and calculate the conditional probability matrix of task transfer between adjacent processor cores based on cross-core scheduling paths.
[0032] Among them, the calling pattern is a set of frequency distributions and execution time characteristics of function calls during the runtime of different network security protocols; the conditional probability matrix is a two-dimensional table that records the probability of task transfer between adjacent processor cores, used to quantify the normal patterns of inter-core scheduling.
[0033] Optionally, the specific process of "performing statistical analysis of function addresses and execution times through a sliding window to obtain the calling patterns of different network security protocol types" in step S102 includes:
[0034] A data connection is established between the data processing unit and the log generation end, and the processing logs are received through this data connection; the length and step size of the sliding time window are set, and the processing logs are segmented based on the length and step size; the processing logs are classified according to network security protocol types; for each type of processing log, the frequency of occurrence of each function address is counted, and the execution time statistics of each function address are calculated; the frequency of occurrence and execution time statistics are integrated to obtain the calling pattern.
[0035] In one specific implementation, firstly, a stable data transmission channel can be established between the module responsible for data processing and the device generating the processing logs, based on parameters such as the network system's hardware configuration and data transmission bandwidth. This channel allows for real-time and continuous reception of log records, ensuring that every log entry containing a timestamp and inter-core jump marker is promptly obtained. For example, in a network security protection system, the data processing unit establishes a connection with the log generation end via the TCP protocol, continuously receiving logs at a rate of 1000 entries per second, ensuring that log data is transmitted without delay or loss.
[0036] Secondly, the length and step size of the sliding time window are set, and the processing logs are segmented based on the length and step size. The length of the sliding time window refers to the time span or number of log entries corresponding to the log data contained in a single window, and the sliding step size refers to the time interval or number of log entries the window moves along the time axis. In one specific implementation, if the average processing cycle of protocol data packets is 1 second, and anomaly detection needs to respond within 0.5 seconds, the window length can be set to 2 seconds and the sliding step size to 0.5 seconds. According to the set parameters, starting from the first log entry, a continuous 2-second log segment is extracted as the first window. Then, the window moves every 0.5 seconds to extract a new 2-second log segment, achieving continuous segmented processing of the log stream.
[0037] Then, the processing logs are categorized according to network security protocol types. For each category, the frequency of occurrence of each function address is statistically analyzed, and the execution time statistics for each function address are calculated. Finally, the frequency and execution time statistics are integrated to obtain the calling pattern. The execution time statistics may include the average, median, and standard deviation of the execution time. For example, for TCP protocol packets, statistics show that function A appears 100 times with an average execution time of 0.2 milliseconds, and function B appears 80 times with an average execution time of 0.3 milliseconds. After integration, it can be seen that function A is a core calling function in the TCP protocol and has high execution efficiency. This pattern accurately reflects the function call preferences and execution efficiency characteristics of the TCP protocol when processing data.
[0038] Optionally, the specific process of "calculating the conditional probability matrix of task transfer between adjacent processor cores based on the cross-core scheduling path" in step S102 includes:
[0039] Extract the cross-core scheduling path of the processing log within each time window, and count the number of task transfers between adjacent processor cores based on the cross-core scheduling path; calculate the frequency percentage of transfers from the first processor core to the second processor core based on the number of occurrences, and combine the frequency percentages of all adjacent processor core pairs to form a conditional probability matrix.
[0040] First, extract the cross-core scheduling paths of the processing logs within each time window, and then count the number of task transfers between adjacent processor cores based on these paths. For example, if the cross-core scheduling paths within a certain window include core 1 to core 2, core 2 to core 3, core 1 to core 2, and core 3 to core 1, the count of transfers from core 1 to core 2 is 2, from core 2 to core 3 is 1, and from core 3 to core 1 is 1.
[0041] Then, based on the number of occurrences, the frequency percentage of transfers from the first processor core to the second processor core is calculated, and the frequency percentages of all adjacent processor core pairs are combined to form a conditional probability matrix. Specifically, this process is as follows: For each pair of adjacent processor cores with a task transfer relationship, first, the total number of task transfers originating from the first processor core in the pair is counted; then, the ratio of the number of transfers from the first processor core to the second processor core in the pair to the total number of transfers is calculated to obtain the transfer frequency percentage of that processor core pair; the transfer frequency percentages of all processor core pairs are then filled into a two-dimensional table according to the correspondence between the source and target processor cores; finally, each row of the two-dimensional table is normalized so that the sum of the values in each row is one, and the normalized two-dimensional table is used as the conditional probability matrix.
[0042] To clearly illustrate the calculation process, let's take a system with three processor cores as an example:
[0043] The first step is to count the total number of transfers between cores: Core 1 has a total of 10 transfers, of which 6 were to Core 2 and 4 were to Core 3; Core 2 has a total of 8 transfers, of which 3 were to Core 1 and 5 were to Core 3; Core 3 has a total of 6 transfers, of which 2 were to Core 1 and 4 were to Core 2.
[0044] The second step is to calculate the proportion of transfer frequencies:
[0045] The proportion of core 1 to core 2 is 6/10 = 0.6; the proportion of core 1 to core 3 is 4/10 = 0.4; the proportion of core 2 to core 1 is 3/8 = 0.375; the proportion of core 2 to core 3 is 5/8 = 0.625; the proportion of core 3 to core 1 is 2/6 = 0.333; the proportion of core 3 to core 2 is 4/6 = 0.667.
[0046] The third step is to construct and normalize a two-dimensional table: In this example, the calculation results already satisfy the condition that the sum of each row is 1, so no additional normalization is needed. The resulting conditional probability matrix is shown in Table 1.
[0047] Table 1
[0048] Source Core\Target Core   Core 1   Core 2   Core 3
       Core 1                    0        0.6      0.4
       Core 2                    0.375    0        0.625
       Core 3                    0.333    0.667    0
[0049] In Table 1 above, the first row corresponds to source core 1, which has no transfer to itself. Therefore, the value in the column corresponding to core 1 is 0, the value in the column corresponding to core 2 is 0.6 (the proportion of core 1 to core 2), and the value in the column corresponding to core 3 is 0.4 (the proportion of core 1 to core 3). The second row corresponds to source core 2, which has no transfer to itself. The value in the column corresponding to core 1 is 0.375 (the proportion of core 2 to core 1), and the value in the column corresponding to core 3 is 0.625 (the proportion of core 2 to core 3). The third row corresponds to source core 3, which has no transfer to itself. The value in the column corresponding to core 1 is 0.333 (the proportion of core 3 to core 1), and the value in the column corresponding to core 2 is 0.667 (the proportion of core 3 to core 2). The above example is only one example of this application. In actual applications, the number of processor cores can be adjusted according to the system configuration, while the calculation logic remains consistent. This application does not limit this.
[0050] This application combines streaming processing with sliding windows to achieve real-time continuous analysis of log data, breaking through the limitations of traditional offline analysis; it characterizes protocol behavior and inter-core scheduling patterns from multiple dimensions, making up for the shortcomings of single-dimensional analysis; and it quantifies inter-core scheduling characteristics through conditional probability matrices, providing accurate judgment criteria.
[0051] S103. Establish an inter-core behavior baseline based on the conditional probability matrix, and scan the processing logs using machine learning convolutional kernels to detect anomalies.
[0052] Among them, the inter-core behavior baseline is a normal behavior reference standard formed based on the historical inter-core task transfer probability, used to determine whether the current inter-core scheduling conforms to the normal pattern; convolutional kernels are tools used for feature extraction in machine learning, and convolutional kernels of different scales correspond to different scanning ranges. Abnormal call fragments refer to continuous log fragments in which the frequency of function calls far exceeds the normal call pattern; abnormal inter-core jump events refer to the behavior of inter-core scheduling sequences that deviate from the normal scheduling pattern and have a lower probability of occurrence than the normal threshold.
[0053] The convolutional kernels include a first convolutional kernel (a short-scale convolutional kernel) and a second convolutional kernel (a long-scale convolutional kernel). The first convolutional kernel identifies abnormal call segments by comparing high-frequency call segments against the calling patterns. The second convolutional kernel detects abnormal inter-core jump events by comparing cross-core scheduling sequences against the conditional probability matrix.
[0054] Specifically, the method for establishing an inter-core behavior baseline based on the conditional probability matrix is as follows: Based on the conditional probability matrix over a historical period, a stable reference value for the task transition probability between each processor core pair can be calculated, and the inter-core behavior baseline can be established based on this stable reference value. The stable reference value is a stable value obtained by statistically analyzing the transition probabilities of the same core pair in multiple conditional probability matrices over a historical period. For example, for the core pair from core 1 to core 2, the transition probabilities in the five historical conditional probability matrices are 0.58, 0.62, 0.59, 0.61, and 0.60, respectively. The average value is 0.60, which is the stable reference value for core 1 to core 2. The stable reference values of all core pairs together constitute the inter-core behavior baseline.
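The matrix construction of paragraphs [0041] to [0049] (Table 1) and the baseline averaging of paragraph [0054], carried out in code. This is an added example, not code from the patent: the transfer path, the five historical matrices and all function names are constructed here, and a source core that never transfers a task is handled as an all-zero row, a case the description's example does not reach.

```python
from collections import Counter

# Constructed cross-core scheduling path for one time window, as (source core,
# target core) transfer events.  The counts match the three-core example in the
# description: core 1 -> core 2 six times, core 1 -> core 3 four times, and so on.
SAMPLE_PATH = (
    [(1, 2)] * 6 + [(1, 3)] * 4
    + [(2, 1)] * 3 + [(2, 3)] * 5
    + [(3, 1)] * 2 + [(3, 2)] * 4
)


def count_transfers(path):
    """Step one: number of task transfers for every (source, target) core pair."""
    return Counter(path)


def conditional_probability_matrix(path, cores):
    """Steps two and three: P[src][dst] = transfers src->dst / transfers leaving src,
    laid out as a two-dimensional table (dict of rows) and row-normalized.

    A source core that never transfers a task keeps an all-zero row instead of
    dividing by zero (assumed handling; the description does not reach this case).
    """
    counts = count_transfers(path)
    matrix = {src: {dst: 0.0 for dst in cores} for src in cores}
    for src in cores:
        total = sum(counts[(src, dst)] for dst in cores)
        if total == 0:
            continue
        row = {dst: counts[(src, dst)] / total for dst in cores}
        norm = sum(row.values())  # already 1 here; normalized anyway, as the text says
        matrix[src] = {dst: value / norm for dst, value in row.items()}
    return matrix


def behavior_baseline(history):
    """Inter-core behavior baseline: for every core pair, the mean of that pair's
    transition probability across the historical matrices (the stable reference value)."""
    cores = list(history[0])
    return {
        src: {dst: sum(m[src][dst] for m in history) / len(history) for dst in cores}
        for src in cores
    }


def make_history():
    """Constructed history of five windows: the Table 1 matrix, with the core 1 row
    varied so that core 1 -> core 2 takes the five values quoted in the description."""
    history = []
    for p12 in (0.58, 0.62, 0.59, 0.61, 0.60):
        m = conditional_probability_matrix(SAMPLE_PATH, (1, 2, 3))
        m[1] = {1: 0.0, 2: p12, 3: round(1 - p12, 2)}
        history.append(m)
    return history


def format_table(matrix):
    """Render the matrix in the layout of Table 1."""
    cores = list(matrix)
    lines = ["Source\\Target " + " ".join(f"Core {c}" for c in cores)]
    for src in cores:
        lines.append(f"Core {src}        " + " ".join(f"{matrix[src][d]:6.3f}" for d in cores))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(conditional_probability_matrix(SAMPLE_PATH, (1, 2, 3))))
    print("baseline core 1 -> core 2:", behavior_baseline(make_history())[1][2])
```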
[0055] The specific method of scanning the processing log with machine learning convolutional kernels to detect anomalies, as shown in Figure 2, is as follows: set the scanning window parameters of the first and second convolutional kernels; scan the processing log with the first convolutional kernel and, based on the calling pattern, compare the call density of the function address sequence within each window to identify abnormal call segments; scan the processing log with the second convolutional kernel, calculate the probability of occurrence of the cross-core scheduling sequence within each window, and compare that probability with a preset threshold to detect abnormal inter-core jump events from the comparison result.
[0056] In one specific implementation, the scanning window parameters of the two convolutional kernels are first configured based on the function call cycle and the cross-core scheduling sequence length of the network security protocol. For example, for the short-sequence characteristics of function calls, the window of the first convolutional kernel is set to contain 5 consecutive log records with a step size of 1 record; for the long-sequence characteristics of cross-core scheduling, the window of the second convolutional kernel is set to contain 20 consecutive log records with a step size of 2 records.
[0057] During operation, the first convolutional kernel scans the processing log segment by segment according to the set window size and step size. For each window scanned, the function address sequence within the window is extracted, the number of function calls per unit time is counted, and this is compared with the corresponding protocol call patterns obtained in step S102. If the number of function calls within the window significantly exceeds the normal call frequency range of the protocol, the log segment corresponding to that window is determined to be an abnormal call segment. For example, if the average number of function calls per unit time in the normal call pattern of the TCP protocol is 50, while the number of function calls per unit time within a certain window is 150, then the segment corresponding to that window is identified as an abnormal call segment.
[0058] Next, a second convolution kernel is used for continuous scanning to record the cross-core scheduling sequence within the window; each transfer event is read sequentially from the cross-core scheduling sequence, and the conditional probability matrix is queried to obtain the conditional probability value corresponding to each transfer event; the obtained conditional probability values are multiplied to calculate the overall occurrence probability of the cross-core scheduling sequence; the overall occurrence probability is compared with a preset threshold, and if the overall occurrence probability is lower than the preset threshold, the cross-core scheduling sequence is determined to be an abnormal inter-core jump event.
[0059] In one specific implementation, an example is given based on the conditional probability matrix formed in step S102 (probability of core 1 to core 2: 0.6, probability of core 2 to core 3: 0.625, probability of core 3 to core 2: 0.667, etc.):
[0060] The first step is to scan a window using the second convolutional kernel and extract the cross-core scheduling sequence as: core 1 → core 2 → core 3 → core 2.
[0061] The second step is to query the conditional probability matrix in sequence to obtain the probability values of each transition event: P(core1→core2)=0.6, P(core2→core3)=0.625, P(core3→core2)=0.667.
[0062] The third step is to calculate the overall probability of occurrence using the following formula: ;
[0063] where: the overall probability of the cross-core scheduling sequence occurring; the conditional probability values corresponding to each transition event in the sequence; and the number of transition events. Substituting the values into the calculation gives: .
[0064] Fourth step: If the preset threshold is 0.3, since the calculated overall probability of occurrence is 0.250 which is lower than the threshold, the cross-core scheduling sequence in the window is determined to be an abnormal inter-core jump event.
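The baseline of [0054] and the two kernel scans of [0056] to [0064], as an added Python example that is not part of the patent. It assumes a log record layout of (timestamp, function address, core id), a factor of 2 for "significantly exceeds", that consecutive records on the same core collapse into one stay of the scheduling sequence, and constructed sample data; the kernels are plain sliding windows, not trained filters.

```python
from math import prod

def baseline_from_history(matrices):
    """S103 baseline: average each core pair's transition probability over
    the historical conditional probability matrices to obtain its stable
    reference value. Matrices are dicts keyed by (src_core, dst_core)."""
    pairs = set().union(*(m.keys() for m in matrices))
    return {p: sum(m.get(p, 0.0) for m in matrices) / len(matrices)
            for p in pairs}

def scan_call_density(log, normal_rate, window=5, step=1, factor=2.0):
    """First (short-scale) kernel. Each window of `window` records becomes a
    call rate (calls per unit time from the window's intervals) and is
    flagged when it exceeds the protocol's normal call pattern by `factor`;
    the page only says 'significantly exceeds', so the factor is assumed.
    Returns (start, end, rate) for every abnormal call segment."""
    hits = []
    for start in range(0, len(log) - window + 1, step):
        win = log[start:start + window]
        span = win[-1][0] - win[0][0]  # seconds covered by the window
        # Identical timestamps mean an arbitrarily dense burst: flag them.
        rate = float("inf") if span <= 0 else (len(win) - 1) / span
        if rate > factor * normal_rate:
            hits.append((start, start + window, round(rate, 1)))
    return hits

def scan_core_jumps(log, cond_prob, window=20, step=2, threshold=0.3):
    """Second (long-scale) kernel. The window's core ids are collapsed into
    the cross-core scheduling sequence (consecutive records on one core are
    a single stay), each transition is looked up in the conditional
    probability matrix, the values are multiplied, and the window is flagged
    when the product is below the threshold. A transition absent from the
    matrix gets probability 0, so an unseen hop is always flagged."""
    events = []
    for start in range(0, len(log) - window + 1, step):
        cores = [rec[2] for rec in log[start:start + window]]
        seq = [c for i, c in enumerate(cores) if i == 0 or c != cores[i - 1]]
        p = prod(cond_prob.get(t, 0.0) for t in zip(seq, seq[1:]))  # [] -> 1
        if p < threshold:
            events.append((start, seq, round(p, 3)))
    return events

def build_sample_log():
    """Constructed log of (timestamp_s, function_address, core_id): 40 TCP
    records at the normal 50 calls/s on core 1, then a burst of 10 records
    at 150 calls/s whose processing hops core 1 -> 2 -> 3 -> 2."""
    log = [(i * 0.02, 0x401000 + (i % 4) * 0x10, 1) for i in range(40)]
    burst_start = 40 * 0.02
    for j, core in enumerate([1, 1, 1, 2, 2, 2, 3, 3, 2, 2]):
        log.append((burst_start + j / 150, 0x402000, core))
    return log

# Constructed historical matrices: core 1 -> core 2 takes the page's five
# values (0.58, 0.62, 0.59, 0.61, 0.60) and averages to 0.60.
HISTORY = [{(1, 2): p, (2, 1): 0.375, (2, 3): 0.625, (3, 2): 0.667, (3, 1): 0.333}
           for p in (0.58, 0.62, 0.59, 0.61, 0.60)]

def run_example():
    baseline = baseline_from_history(HISTORY)
    log = build_sample_log()
    return (baseline,
            scan_call_density(log, normal_rate=50),  # TCP pattern: 50 calls/s
            scan_core_jumps(log, baseline))

if __name__ == "__main__":
    baseline, segments, jumps = run_example()
    print("baseline core1->core2:", round(baseline[(1, 2)], 3))
    print("abnormal call segments:", segments)
    print("abnormal inter-core jumps:", jumps)
```

With a 20-record window the product of many transitions drops below 0.3 quickly, so in practice the threshold has to be chosen together with the window size.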
[0065] This application establishes an inter-core behavior baseline and configures convolutional kernels of different scales. It identifies abnormal call segments through the first convolutional kernel and detects abnormal inter-core jump events through the second convolutional kernel, thereby achieving accurate and efficient identification of different types of abnormal behavior in the operation of network security protocols.
[0066] S104. When an abnormally dense call segment is identified, the scheduling strategy of the protocol packet processing queue is dynamically adjusted based on the inter-core behavior baseline; or, when an inter-core jump event is detected, the abnormal data stream that triggered the inter-core jump event is forwarded to the target isolated processor for rate limiting processing.
[0067] Here, the protocol packet processing queue is a task queue of network data packets awaiting processing, arranged in a certain order; the scheduling policy is the set of rules that determines the priority and execution order of packet processing; the abnormal data stream is the network data stream that contains abnormal call fragments or triggers abnormal inter-core jump events; the isolated processor core is an independent processor core in the system that is specially allocated to processing abnormal data; and the maximum data processing rate is the critical value that limits the data processing speed of the isolated core.
[0068] Optionally, the specific process of "dynamically adjusting the scheduling strategy of the protocol packet processing queue based on the inter-core behavior baseline when abnormally dense call segments are identified" includes:
[0069] Based on the timestamp and protocol 5-tuple of the abnormal call fragment, locate and mark the data stream that generated the abnormal call fragment as an abnormal data stream; query the load index of the processor core in the inter-core behavior baseline; input the load index into a preset weight mapping function and generate scheduling weights based on the output of the weight mapping function; assign a processing priority lower than the preset priority to the abnormal data stream according to the scheduling weights; rearrange the execution order of the protocol packet processing queue according to the processing priority so that the processing task corresponding to the abnormal data stream is placed at the end of the queue.
[0070] First, based on the timestamps and protocol 5-tuples of the abnormal call fragments, the data streams that generated these fragments are located and marked as abnormal data streams. The protocol 5-tuple is the core identifier for identifying network data streams, including the source IP address, destination IP address, source port number, destination port number, and transport protocol type. For example, if the timestamps of abnormal call fragments are concentrated within a certain minute, and the corresponding protocol 5-tuple is {source IP: 192.168.1.100, destination IP: 203.0.113.5, source port: 54321, destination port: 80, protocol: TCP}, then this TCP data stream can be accurately identified as an abnormal data stream.
[0071] Next, query the load metrics of the processor cores in the inter-core behavior baseline; input the load metrics into a preset weight mapping function, and generate scheduling weights based on the output of the weight mapping function. The load metrics reflect the current workload of the processor cores, such as core utilization and task queue length. For example, the load metrics of each core can be input into the preset weight mapping function to calculate the scheduling weight of each core, where the weight mapping function is shown below:
[0072] where: the scheduling weight parameter of the i-th core; the utilization of the i-th core, expressed as a decimal between 0 and 1; the task queue length of the i-th core; and the maximum task queue length set for the system.
[0073] Then, based on the scheduling weight, a processing priority lower than the preset priority is assigned to the abnormal data stream. For example, the system presets the basic processing priority of normal data streams to be 10, and the priority of abnormal data streams can be calculated according to the formula "basic priority - (1 - scheduling weight) × 5", thereby assigning a lower processing priority to the abnormal data stream that is adapted to the core load.
[0074] Finally, based on processing priority, the execution order of the protocol packet processing queues is rearranged to place the processing tasks corresponding to abnormal data streams at the end of the queue. This ensures that tasks for normal data streams are processed first, while tasks for abnormal data streams are processed later.
[0075] Optionally, the specific process of "forwarding the abnormal data stream that triggered the inter-core jump event to the target isolated processor for rate limiting processing when an inter-core jump event is detected" includes:
[0076] Based on the timestamp and path of the abnormal inter-core jump event, locate the data stream that triggered the abnormal inter-core jump event and designate it as the abnormal data stream; query the system resource configuration table to obtain the identifier of the isolated processor core, and generate a data stream forwarding instruction based on the identifier; according to the data stream forwarding instruction, redirect subsequent data packets of the abnormal data stream to the isolated processor core; set the maximum data processing rate on the isolated processor core, and limit the data packet processing speed based on the maximum data processing rate.
[0077] First, based on the timestamp and path of the abnormal inter-core jump event, the data stream that triggered the abnormal inter-core jump event is located and identified as the abnormal data stream. For example, if the timestamp of an abnormal inter-core jump event is a certain moment, and the path is core 1 → core 3 → core 2, by querying the logs near that time point, it is found that data packets with this path characteristic all correspond to the same five-tuple characteristic {source IP: 172.16.0.200, destination IP: 198.51.100.10, protocol: UDP,...}, then the UDP data stream can be clearly identified as the abnormal data stream.
[0078] Second, the system resource configuration table is queried to obtain the identifier of an isolated processor core, and a data stream forwarding instruction is generated based on that identifier. For example, if the system resource configuration table shows that core 4 is an isolated core (identified as "CPU-4"), the instruction can be generated: "Forward the data stream with the characteristics {source IP:172.16.0.200,...} to CPU-4 for processing."
[0079] Then, according to the data stream forwarding instruction, all subsequent data packets of the abnormal data stream are redirected to the isolated processor core. After receiving this instruction, the network data transmission module changes the processing path of all subsequent data packets matching the characteristics of the abnormal data stream so that they enter the processing channel of the isolated core directly.
[0080] Finally, a maximum data processing rate is set on the isolated processor core, and the packet processing speed is limited based on this maximum rate. For example, a rate cap of 100 packets per second can be set for the isolated core. When the arrival rate of abnormal data stream packets exceeds this value, the excess packets will be buffered or dropped. This mandatory limitation prevents abnormal data streams from exhausting system resources, thereby suppressing the spread of attacks.
[0081] This application employs differentiated protection strategies for different types of anomalies: for abnormal call fragments, their processing priority is dynamically reduced to minimize their impact on normal business operations; for abnormal inter-core jumps, their resource consumption is suppressed by forwarding them to isolated cores for rate-limiting processing. This approach achieves precise suppression of potential attacks, ensuring efficient processing of normal data while improving the overall security and stability of the system.
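The two responses of S104 ([0069] to [0080]) run on constructed data, as an added Python example that is not the patent's own code. The weight mapping function is not given on the page, so a simple one is assumed; the partial 5-tuple match, the tie-break at a scheduling weight of 1.0, and dropping (rather than buffering) excess packets on the isolated core are likewise assumptions.

```python
BASE_PRIORITY = 10  # page: preset basic priority of normal data streams

def scheduling_weight(utilization, queue_len, max_queue):
    """Assumed weight mapping function (the page names its inputs, not its
    formula): 1.0 for an idle core, 0.0 for a saturated one."""
    load = 0.5 * utilization + 0.5 * min(queue_len, max_queue) / max_queue
    return max(0.0, 1.0 - load)

def abnormal_priority(weight):
    """Page's formula: basic priority - (1 - scheduling weight) x 5."""
    return BASE_PRIORITY - (1 - weight) * 5

def flow_matches(flow, pattern):
    """Partial 5-tuple match, like the page's {src IP, dst IP, proto: UDP, ...}."""
    return all(flow.get(k) == v for k, v in pattern.items())

def reorder_queue(queue, abnormal_pattern, weight):
    """Stable re-sort: normal packets keep the base priority and their order,
    abnormal-stream packets get the lowered priority and sink to the tail.
    At weight 1.0 the page's formula returns the base priority again, so the
    abnormal flag is a tie-breaker that still keeps the stream behind."""
    def key(pkt):
        abnormal = flow_matches(pkt["flow"], abnormal_pattern)
        prio = abnormal_priority(weight) if abnormal else BASE_PRIORITY
        return (-prio, abnormal)  # higher priority first
    return sorted(queue, key=key)

class IsolatedCore:
    """Isolated core with a maximum processing rate; packets beyond the cap
    within one second are dropped (page: buffered or dropped; drop assumed)."""
    def __init__(self, core_id, max_pps):
        self.core_id, self.max_pps = core_id, max_pps
        self.second, self.count, self.dropped = None, 0, 0

    def accept(self, ts):
        sec = int(ts)
        if sec != self.second:  # new one-second window
            self.second, self.count = sec, 0
        if self.count >= self.max_pps:
            self.dropped += 1
            return False
        self.count += 1
        return True

def forwarding_instruction(abnormal_pattern, resource_table):
    """Look up the isolated core in the resource configuration table and
    build the forwarding instruction for the abnormal stream."""
    target = next(c for c, r in resource_table.items() if r == "isolated")
    return {"match": abnormal_pattern, "target": target}

def dispatch(packets, instruction, core):
    """Redirect matching packets to the isolated core; return
    (processed, dropped, not_redirected) counts."""
    processed = dropped = untouched = 0
    for pkt in packets:
        if not flow_matches(pkt["flow"], instruction["match"]):
            untouched += 1
        elif core.accept(pkt["ts"]):
            processed += 1
        else:
            dropped += 1
    return processed, dropped, untouched

# Constructed data: the page's two abnormal 5-tuples; CPU-4 is isolated.
ABNORMAL_TCP = {"src": "192.168.1.100", "dst": "203.0.113.5",
                "sport": 54321, "dport": 80, "proto": "TCP"}
ABNORMAL_UDP = {"src": "172.16.0.200", "dst": "198.51.100.10", "proto": "UDP"}
RESOURCE_TABLE = {"CPU-1": "worker", "CPU-2": "worker",
                  "CPU-3": "worker", "CPU-4": "isolated"}

def normal_flow(i):
    return {"src": "10.0.0.%d" % i, "dst": "203.0.113.5",
            "sport": 40000 + i, "dport": 443, "proto": "TCP"}

def run_example():
    # Branch 1: abnormal call fragment -> lower priority, tail of the queue.
    queue = []
    for i in range(3):  # interleave normal and abnormal packets
        queue.append({"id": "n%d" % i, "flow": normal_flow(i)})
        queue.append({"id": "a%d" % i, "flow": ABNORMAL_TCP})
    weight = scheduling_weight(utilization=0.6, queue_len=30, max_queue=100)
    order = [p["id"] for p in reorder_queue(queue, ABNORMAL_TCP, weight)]
    # Branch 2: abnormal inter-core jump -> forward to CPU-4, cap 100 pkt/s.
    instr = forwarding_instruction(ABNORMAL_UDP, RESOURCE_TABLE)
    core = IsolatedCore(instr["target"], max_pps=100)
    packets = [{"ts": i / 300, "flow": dict(ABNORMAL_UDP, sport=5000, dport=53)}
               for i in range(300)]  # 300 packets inside one second
    packets += [{"ts": i / 300, "flow": normal_flow(i)} for i in range(5)]
    counts = dispatch(packets, instr, core)
    return weight, abnormal_priority(weight), order, instr["target"], counts
```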
[0082] Figure 3 is a schematic diagram of a specific implementation of the machine learning-based network security protocol deep analysis system provided by this application. With reference to Figure 3, the system may include:
[0083] The acquisition module 31 is used to acquire function addresses, execution times, and cross-core scheduling paths during the processing of network security protocol data packets, and generate processing logs based on the acquired information; the processing logs include timestamps and inter-core jump markers;
[0084] Processing module 32 is used to perform streaming processing on the processing logs, perform statistical analysis on function addresses and execution times through a sliding window to obtain the calling patterns of different network security protocol types, and calculate the conditional probability matrix of task transfer between adjacent processor cores based on cross-core scheduling paths;
[0085] The detection module 33 is used to establish an inter-core behavior baseline based on the conditional probability matrix and to scan the processing log using machine learning convolutional kernels to detect anomalies. Specifically, the first convolutional kernel is used to compare high-frequency call segments based on call patterns to identify abnormal call segments; the second convolutional kernel is used to compare cross-core scheduling sequences based on the conditional probability matrix to detect abnormal inter-core jump events.
[0086] The adjustment module 34 is used to dynamically adjust the scheduling strategy of the protocol packet processing queue based on the inter-core behavior baseline when an abnormally dense call segment is identified; or, when an inter-core jump event is detected, forward the abnormal data stream that triggers the inter-core jump event to the target isolated processor for rate limiting processing.
[0087] The machine learning-based network security protocol deep parsing system of this embodiment is used to implement the machine learning-based network security protocol deep parsing method described above; its specific implementation therefore corresponds to the method embodiments above and is not repeated here.
[0088] This application also provides an electronic device, including: a memory for storing a computer program; and a processor for executing the computer program to implement the steps of the machine learning-based network security protocol deep analysis method described above.
[0089] This application also provides a computer-readable storage medium storing a computer program, which, when executed by a processor, implements the steps of any of the above-described machine learning-based network security protocol deep parsing methods.
[0090] In one exemplary embodiment, the aforementioned computer-readable storage medium may include, but is not limited to, various media capable of storing computer programs, such as USB flash drives, read-only memory, random access memory, portable hard drives, magnetic disks, or optical disks.
[0091] Embodiments of the present invention also provide a computer program product, which includes a computer program that, when executed by a processor, implements the steps in any of the embodiments of the machine learning-based network security protocol deep analysis method described above.
[0092] Those skilled in the art will further recognize that the units and algorithm steps of the various examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of both. To clearly illustrate the interchangeability of hardware and software, the components and steps of the various examples have been generally described in terms of functionality in the foregoing description. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementations should not be considered beyond the scope of this invention.
[0093] The foregoing has provided a detailed description of the machine learning-based deep analysis method and system for network security protocols provided in this application. Specific examples have been used to illustrate the principles and implementation methods of this application. The descriptions of the embodiments above are merely for the purpose of helping to understand the method and its core ideas. It should be noted that those skilled in the art can make various improvements and modifications to this application without departing from its principles, and these improvements and modifications also fall within the protection scope of this application.
Claims
1. A deep analysis method for network security protocols based on machine learning, characterized in that it comprises: collecting function addresses, execution times, and cross-core scheduling paths during the processing of network security protocol data packets, and generating processing logs based on the collected information, the processing logs including timestamps and inter-core jump markers; stream-processing the processing logs, performing statistical analysis on the function addresses and execution times using a sliding window to obtain the calling patterns of different network security protocol types, and calculating the conditional probability matrix of task transfer between adjacent processor cores based on the cross-core scheduling paths; establishing an inter-core behavior baseline based on the conditional probability matrix, and scanning the processing logs using machine learning convolutional kernels to detect anomalies, wherein a first convolutional kernel is used to compare high-frequency call segments based on the calling patterns to identify abnormal call segments, and a second convolutional kernel is used to compare cross-core scheduling sequences based on the conditional probability matrix to detect abnormal inter-core jump events; and when the abnormally dense call segments are identified, dynamically adjusting the scheduling strategy of the protocol packet processing queue based on the inter-core behavior baseline, or, when the inter-core jump event is detected, forwarding the abnormal data stream that triggered the inter-core jump event to the target isolated processor for rate limiting processing.
2. The method according to claim 1, characterized in that establishing the inter-core behavior baseline based on the conditional probability matrix includes: calculating, based on the conditional probability matrices within a historical time period, a stable reference value for the task transfer probability between each processor core pair, and establishing the inter-core behavior baseline based on the stable reference values; and scanning the processing log using convolutional kernels to detect anomalies includes: setting the scan window parameters of the first and second convolutional kernels; scanning the processing log with the first convolutional kernel and, based on the calling pattern, comparing the call density of the function address sequence within the window to identify the abnormal call fragments; and scanning the processing log with the second convolutional kernel, calculating the probability of occurrence of the cross-core scheduling sequence within the window, and comparing the occurrence probability with a preset threshold to detect the abnormal inter-core jump event based on the comparison result.
3. The method according to claim 2, characterized in that scanning the processing log with the second convolutional kernel, calculating the probability of occurrence of the cross-core scheduling sequence within the window, and comparing the occurrence probability with a preset threshold to detect the abnormal inter-core jump event based on the comparison result includes: performing continuous scanning with the second convolutional kernel to record the cross-core scheduling sequence within the window; reading each transfer event sequentially from the cross-core scheduling sequence and querying the conditional probability matrix to obtain the conditional probability value corresponding to each transfer event; multiplying the obtained conditional probability values to calculate the overall probability of occurrence of the cross-core scheduling sequence; and comparing the overall probability of occurrence with the preset threshold, and if the overall probability of occurrence is lower than the preset threshold, determining the cross-core scheduling sequence to be the abnormal inter-core jump event.
4. The method according to claim 1, characterized in that performing statistical analysis on the function addresses and execution times using a sliding window to obtain the calling patterns of different network security protocol types includes: establishing a data connection between the data processing unit and the log generation end, and receiving the processing logs through the data connection; setting the length and step size of the sliding time window, and segmenting the processing logs based on the length and step size; classifying the processing logs according to network security protocol type; and for each type of processing log, counting the frequency of occurrence of each function address and calculating the execution time statistics of each function address, and combining the frequency of occurrence with the execution time statistics to obtain the calling pattern.
5. The method according to claim 1, characterized in that calculating the conditional probability matrix of task transfer between adjacent processor cores based on the cross-core scheduling path includes: extracting the cross-core scheduling path of the processing log within each time window, and counting the number of task transfers between adjacent processor cores based on the cross-core scheduling path; and calculating, based on the counted numbers, the frequency percentage of transfers from the first processor core to the second processor core, and combining the frequency percentages of all adjacent processor core pairs to form the conditional probability matrix.
6. The method according to claim 1, characterized in that dynamically adjusting the scheduling strategy of the protocol packet processing queue based on the inter-core behavior baseline when the abnormally dense call segments are identified includes: locating, based on the timestamp and protocol 5-tuple of the abnormal call fragment, the data stream that generated the abnormal call fragment and marking it as an abnormal data stream; querying the load metrics of the processor cores in the inter-core behavior baseline; inputting the load metrics into a preset weight mapping function and generating scheduling weights based on the output of the weight mapping function; assigning, based on the scheduling weights, a processing priority lower than the preset priority to the abnormal data stream; and rearranging the execution order of the protocol packet processing queue based on the processing priority so that the processing task corresponding to the abnormal data stream is placed at the end of the queue.
7. The method according to claim 1, characterized in that forwarding the abnormal data stream that triggered the inter-core jump event to the target isolated processor for rate limiting processing when the inter-core jump event is detected includes: locating, based on the timestamp and path of the abnormal inter-core jump event, the data stream that triggered the abnormal inter-core jump event and taking it as the abnormal data stream; querying the system resource configuration table to obtain the identifier of the isolated processor core, and generating a data stream forwarding instruction based on the identifier; redirecting subsequent data packets of the abnormal data stream to the isolated processor core according to the data stream forwarding instruction; and setting a maximum data processing rate on the isolated processor core, and limiting the data packet processing speed based on the maximum data processing rate.
8. A deep analysis system for network security protocols based on machine learning, characterized in that it comprises: a data acquisition module, used to collect function addresses, execution times, and cross-core scheduling paths during the processing of network security protocol data packets and to generate processing logs based on the collected information, the processing logs including timestamps and inter-core jump markers; a processing module, used to stream-process the processing logs, perform statistical analysis on the function addresses and execution times through a sliding window to obtain the calling patterns of different network security protocol types, and calculate the conditional probability matrix of task transfer between adjacent processor cores based on the cross-core scheduling paths; a detection module, used to establish an inter-core behavior baseline based on the conditional probability matrix and to scan the processing logs using machine learning convolutional kernels to detect anomalies, wherein a first convolutional kernel is used to compare high-frequency call segments based on the calling patterns to identify abnormal call segments, and a second convolutional kernel is used to compare cross-core scheduling sequences based on the conditional probability matrix to detect abnormal inter-core jump events; and an adjustment module, used to dynamically adjust the scheduling strategy of the protocol packet processing queue based on the inter-core behavior baseline when the abnormally dense call fragments are identified, or, when the inter-core jump event is detected, to forward the abnormal data stream that triggered the inter-core jump event to the target isolated processor for rate limiting processing.
9. An electronic device, characterized in that it comprises: a memory, used to store a computer program; and a processor, configured to implement the steps of the machine learning-based network security protocol deep parsing method according to any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program which, when executed by a processor, implements the machine learning-based deep parsing method for network security protocols according to any one of claims 1 to 7.