A network security monitoring system and method

By employing dynamic behavior modeling and tiered response strategies, combined with data obfuscation and decoy techniques, the problem of identifying unknown threats in existing network security protection has been solved, enabling proactive defense and intelligence gathering, and improving network security protection capabilities and business continuity.

CN122268630A
Pending
Publication Date: 2026-06-23
BEIJING SAFE MATERIAL NETWORK TECHNOLOGY CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
BEIJING SAFE MATERIAL NETWORK TECHNOLOGY CO LTD
Filing Date
2026-03-23
Publication Date
2026-06-23

AI Technical Summary

Technical Problem

Current network security protection relies on static rule bases, which makes it difficult to identify unknown attacks and advanced persistent threats, lacks proactive interference capabilities, and has a single response strategy, making it unable to effectively deal with complex network threats.

Method used

By employing dynamic behavior modeling and establishing a baseline model of normal behavior through unsupervised clustering algorithms, combined with a hierarchical dynamic response strategy, data obfuscation and decoy techniques are implemented to achieve proactive defense against unknown threats and intelligence gathering.

Benefits of technology

It enhances the ability to identify unknown threats, realizes the transformation from passive defense to active defense, reduces false alarm rate, increases attack cost, provides detailed attack intelligence, and enhances the depth and resilience of cybersecurity.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122268630A_ABST (abstract figure; image not included in the text extraction)

Abstract

The application discloses a network security monitoring method, comprising: collecting user access behavior data and establishing a normal behavior baseline model based on the behavior data; receiving a service access request and extracting a behavior feature sequence from the service access request; comparing the behavior feature sequence with the normal behavior baseline model and calculating a behavior deviation risk score; and executing a hierarchical dynamic response strategy according to the risk score, wherein the hierarchical dynamic response strategy comprises

The application relates to the technical field of network security. The network security monitoring system and method provided by the application fundamentally improve the system's ability to detect unknown threats and variant attacks by adopting dynamic behavior modeling instead of static rule matching, replace the traditional black-or-white blocking mode with a three-level dynamic response strategy of normal processing, data obfuscation and decoy guidance, and achieve a fine balance between security protection and business continuity.

Description

Technical Field

[0001] This invention relates to the field of network security technology, specifically to a network security monitoring system and method.

Background Technology

[0002] With the widespread application of internet technology and the deep interconnection of various information systems, cybersecurity has become a core issue in ensuring enterprise operations, user privacy, and data asset security. Traditional cybersecurity protection often adopts a feature-based rule matching approach. For example, a rule base for known attack patterns (such as SQL injection, cross-site scripting, and cross-site request forgery) is pre-configured in a Web Application Firewall (WAF), and a proxy gateway deployed at the network boundary matches and filters incoming and outgoing traffic. This type of method compares request content with rule features and blocks requests that match the rules, thereby defending against known attacks to a certain extent.

[0003] However, protection systems relying on static rule bases have significant inherent limitations. First, their protective capabilities are highly dependent on the completeness and timeliness of the rule base. They often struggle to effectively identify and block unknown attack methods not yet included in the rule base, novel vulnerability exploits, or variations of existing attacks, creating blind spots in protection. Second, this type of method is essentially a passive response model, only taking action when a malicious request triggers the rule. It lacks the ability to proactively interfere with, mislead, or trace attackers, failing to increase the cost of attacks. Furthermore, its response strategy is typically a binary "allow" or "block" decision, lacking the ability to differentiate and progressively address threats based on their severity level, making it rigid in dealing with advanced persistent threats or probing attacks. Moreover, even if an attack request is blocked, attackers may still probe the actual business interfaces and data structures through other means; the risk of data leakage is not fundamentally eliminated by blocking a single request.

[0004] Therefore, there is an urgent need in the existing technology for a network security monitoring solution that can break through the dependence on known attack characteristics, realize the transformation from passive detection to proactive dynamic defense, and effectively interfere with the attacker's cognition and behavior, in order to cope with increasingly complex, covert and intelligent network threats and improve the depth and resilience of overall security protection.

Summary of the Invention

[0005] (I) Technical problems to be solved

To address the shortcomings of existing technologies, this invention provides a network security monitoring system and method. Existing network security solutions based on static rule bases suffer from passive defense, limited response strategies, and inability to effectively interfere with attackers and collect threat intelligence when facing unknown attacks and advanced persistent threats.

[0006] (II) Technical solution

To achieve the above objectives, the present invention provides the following technical solution: In a first aspect, an embodiment of the present invention provides a network security monitoring method, comprising: collecting user access behavior data, establishing a normal behavior baseline model based on the behavior data; receiving a business access request, extracting a behavioral feature sequence from the business access request; comparing the behavioral feature sequence with the normal behavior baseline model, calculating a behavioral deviation risk score; and executing a graded dynamic response strategy and recording logs according to the risk score.

[0007] The network security monitoring method proposed in this invention establishes a dynamic behavioral baseline model through continuous learning, replacing the traditional static rule base. This enables the system to identify abnormal behaviors that deviate from normal patterns, thereby possessing the ability to respond to unknown threats. By introducing a hierarchical dynamic response mechanism: low-risk requests are allowed to proceed normally to ensure smooth business operations; for medium-risk requests, sensitive fields in the returned data are obfuscated in real time after processing, interfering with potential attackers' data theft and verification without disrupting business operations; for high-risk requests, they are seamlessly guided to a highly simulated trapping environment, recording the attacker's complete behavioral chain under complete isolation, achieving proactive defense and intelligence gathering. This method constructs a proactive security closed loop of perception-analysis-decision-response-optimization.

[0008] Optionally, the step of establishing a normal behavior baseline model based on behavioral data includes: performing cluster analysis on historical normal access logs using an unsupervised clustering algorithm to form at least one normal behavior cluster; and calculating feature centers and boundary ranges for each normal behavior cluster to constitute the normal behavior baseline model.

[0009] By employing unsupervised clustering algorithms, the system can automatically mine and summarize various normal behavior patterns from massive amounts of historical data without the need for manual pre-definition of rules, significantly improving the model's adaptability and deployment efficiency, and enabling it to continuously evolve with business development.

[0010] Optionally, the behavioral feature sequence includes at least one of the following features: access frequency, request time distribution, parameter combination pattern, API call order, and client fingerprint information.

[0011] By comprehensively extracting temporal features, sequence features, and contextual features, this method can characterize user behavior from multiple dimensions and in all aspects, significantly improving the accuracy of identifying spoofing behavior and slow attacks, and reducing the false positive rate.

[0012] Optionally, the dynamic obfuscation of preset sensitive fields in the returned results includes at least one of the following obfuscation operations: replacing the identifier field in the real data with a forged value that has no actual business meaning; performing random perturbation on numerical data within a preset range; performing partial character masking on text-type sensitive information; inserting invalid nodes or adjusting the node order in the returned data structure.

[0013] By implementing a field-level, configurable dynamic obfuscation strategy, this method can proactively "contaminate" sensitive information leaking from the system without modifying business logic or affecting the user experience of legitimate users. This effectively undermines the integrity and authenticity of the data obtained by attackers, making it difficult for them to conduct effective data correlation analysis or directly utilize the data, thus greatly increasing the cost of attacks.

[0014] Optionally, the trapping server cluster includes multiple simulated business nodes, used to: simulate the interfaces and logic of a real business system; generate false response data based on built-in false data; and record and upload all the user's operational behaviors within the trapping server cluster.

[0015] As an active defense component of this solution, the trapping server cluster lures attackers into revealing themselves through a highly simulated environment and records every step of their operation and every input. This provides security analysts with an intuitive and complete view of the attack chain and high-quality original attack samples, achieving an upgrade from passive interception to active trapping and source tracing analysis.

[0016] Optionally, after calculating the behavioral deviation risk score, the method further includes: receiving external threat intelligence; and dynamically correcting the risk score based on the threat intelligence.

[0017] By integrating external threat intelligence, this method achieves the fusion of behavioral anomaly analysis and threat intelligence indications. This enables the rapid marking and risk level enhancement of known malicious sources, resulting in earlier and more accurate warnings. It also provides external corroboration for behavior-based anomaly detection results, thereby improving the credibility of the overall risk assessment.

[0018] In a second aspect, embodiments of the present invention provide a network security monitoring system for implementing the method described in the first aspect, comprising: a behavior collection and modeling module, used to collect user access behavior data and to establish and update a normal behavior baseline model based on the behavior data; a real-time risk analysis module, used to receive business access requests, extract behavioral feature sequences, compare them with the baseline model, and calculate risk scores; a strategy decision-making and scheduling module, used to generate hierarchical dynamic response strategy instructions based on risk scores; a dynamic data obfuscation engine, used to dynamically obfuscate preset sensitive fields in the returned data in response to instructions; a trapping server cluster, used to receive redirected business access requests in response to instructions and provide false response data; and a security log storage module, used to record processing logs, risk scores, and response actions.

[0019] Through modular design, the system decouples functions such as behavior analysis, strategy decision-making, dynamic response, and intelligence gathering. Each module can be deployed and expanded independently. The system can be flexibly connected to the existing network architecture in a bypass or serial manner, with minimal intrusion into business operations, and achieves real-time, intelligent, and proactive security monitoring of network traffic.

[0020] Optionally, the dynamic data obfuscation engine supports pluggable obfuscation operators, which are used to perform at least one of the following operations: field replacement, data perturbation, partial hiding, and logical structure obfuscation.

[0021] The plug-in design gives the dynamic data obfuscation engine a high degree of flexibility and scalability. Security administrators or business developers can customize and combine different obfuscation operators like building blocks according to the data structure and security requirements of different API interfaces, so as to achieve fine-grained protection of specific data fields and enable security policies to closely fit the actual business.

[0022] Optionally, the simulation service nodes in the trapping server cluster have built-in behavior tracking scripts to record the visitor's operation steps, input content, and session information in the trapping environment, and upload the recorded data to the security log storage module.

[0023] The behavior tracking script built into the trap node runs in a seamless way, either on the front end or the back end. It can capture the attacker's clickstream, input content, session cookies, and even tool usage traces in the trap environment, forming a detailed attacker profile and attack script. This provides practical data for subsequent threat hunting, attack method research, and defense strategy optimization.

[0024] (III) Beneficial effects

The beneficial effects of this invention are as follows: The network security monitoring system and method provided by this invention, by adopting dynamic behavior modeling instead of static rule matching, fundamentally improve the system's ability to detect unknown threats and variant attacks. Through the implementation of a three-tiered dynamic response strategy (normal processing, data obfuscation, and decoy guidance), it changes the traditional black-and-white blocking model, achieving a fine balance between security protection and business continuity. In particular, the combination of dynamic obfuscation and proactive decoy techniques not only effectively protects real data and assets but also, by interfering with attackers' cognition and collecting attack intelligence, achieves a shift from passive defense to proactive countermeasures. The entire solution possesses self-learning and adaptive capabilities, continuously optimizing as business and threats evolve, providing an effective technical means for building a deep, intelligent, and proactive network security defense system.

Attached Figure Description

[0025] Figure 1 is a schematic diagram of the system structure of the present invention.

Detailed Implementation

[0026] To better explain and facilitate understanding of the present invention, the present invention will be described in detail below with reference to the accompanying drawings and specific embodiments.

[0027] The network security monitoring system and method based on behavior analysis and dynamic obfuscation proposed in this invention identifies abnormal access through a dynamic behavior model and implements differentiated proactive responses according to risk levels. Specifically, the system first establishes a baseline of normal user behavior through a learning phase; during runtime, it extracts multi-dimensional behavioral features and calculates a risk score for each business access request; based on the score results, it executes a three-level response strategy of "normal access," "data obfuscation return," or "guided to a trapping environment"; and logs are recorded throughout the process for auditing and model optimization. This solution realizes the transformation from passive rule matching to proactive intelligent defense, effectively responding to unknown threats and interfering with attackers.

[0028] To better understand the above technical solutions, exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the present invention are shown in the drawings, it should be understood that the present invention can be implemented in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that the present invention can be understood more clearly and thoroughly, and that the scope of the present invention can be fully conveyed to those skilled in the art.

[0029] Please see Figure 1. This invention provides a technical solution: the network security monitoring system of this invention can be deployed in software form at key nodes of a business network, for example, in the form of a front-end gateway plugin, a business service bypass proxy, or a microservice sidecar, and it mainly consists of the following logical modules working together:

1. Behavior Acquisition and Modeling Module

This module is responsible for data collection and the construction of basic models. During the initialization or periodic learning phase, the module collects business access logs marked as normal within the historical period. The module has a built-in feature engineering unit that extracts structured multi-dimensional behavioral feature vectors from the raw logs. These features can cover multiple dimensions such as time-series features, sequence features, content features, and environmental features to comprehensively characterize user access patterns.

[0030] Subsequently, the module uses an unsupervised clustering algorithm to automatically cluster these multidimensional feature vectors. The algorithm outputs several "normal behavior clusters", each cluster representing a typical user behavior pattern. The system calculates the center point and boundary range of the multidimensional feature space for each cluster. The set of these clusters constitutes a dynamic "normal behavior baseline model". This model supports online incremental updates and can continuously evolve with business development and the evolution of normal behavior patterns.

[0031] 2. Real-time Risk Analysis Module

This module is deployed on the real-time processing chain of business requests. When a business access request arrives, the module immediately intercepts and analyzes it.

[0032] Feature extraction: Using the same logic as the modeling phase, quickly extract the real-time behavioral feature sequence of this request.

[0033] Risk Calculation: The real-time feature vector is compared with all "normal behavior clusters" in the baseline model to calculate its behavioral deviation. The system uses a preset mapping function to quantify this deviation into a comprehensive "behavioral deviation risk score". In addition, this module can integrate a threat intelligence interface. If certain requested features match external threat intelligence, the basic score can be dynamically corrected to achieve the fusion of intelligence and behavioral analysis.

[0034] 3. Strategy Decision-Making and Scheduling Module

This module uses the risk score provided by the real-time risk analysis module to make automated decisions based on a pre-configured hierarchical strategy table. The strategy table defines the response actions corresponding to different risk score ranges, mainly divided into three levels: the low-risk range corresponds to the "normal processing" instruction; the medium-risk range corresponds to the "normal processing but obfuscated return data" instruction; and the high-risk range corresponds to the "guide to the trap cluster" instruction. This module is responsible for accurately issuing decision instructions to the corresponding execution units.

[0035] 4. Dynamic Data Obfuscation Engine

The engine is a pluggable data processing component. When it receives an obfuscation instruction for a medium-risk request, it intervenes to process the response after the business service generates the original response and before it is returned to the client.

[0036] Plug-in obfuscation operators: The engine supports loading a variety of predefined obfuscation operator plugins, such as operators for field value replacement, numerical perturbation, partial information hiding, and data structure obfuscation.

[0037] Rule-driven: Obfuscation behavior is precisely controlled by predefined rule configuration files. Rules can specify which combination of obfuscation operators to apply to different business interfaces and specific data fields, thereby achieving fine-grained and controllable "pollution" and interference of outgoing sensitive information.
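As an added illustration of the rule-driven, plug-in engine described in [0035] to [0037] (with one operator of each of the four kinds named in [0012], [0020] and [0036]), the following Python is not code from the patent: the interface path, field names, response data and operator parameters are assumed, and a seeded random source stands in for the engine's own randomness.

```python
# Added illustration (not the patent's code): a rule-driven engine with pluggable
# obfuscation operators of the four kinds named in [0036], applied to a constructed
# JSON response for a medium-risk request. Paths, field names and data are assumed.
from __future__ import annotations

import copy
import random

OPERATORS: dict = {}  # operator name -> callable(value, rng, **params)


def operator(name):
    """Register an obfuscation operator plugin under the name used by the rule file."""
    def register(fn):
        OPERATORS[name] = fn
        return fn
    return register


@operator("replace")
def replace_identifier(value, rng, prefix="X"):
    """Field replacement: a forged identifier with no business meaning. The forged
    value is drawn independently of the real one, so it cannot be reversed."""
    return f"{prefix}-{rng.randrange(10**8):08d}"


@operator("perturb")
def perturb_numeric(value, rng, spread=0.1):
    """Numerical perturbation: random change within +/- spread (fraction of value)."""
    return round(value * (1 + rng.uniform(-spread, spread)), 2)


@operator("mask")
def mask_text(value, rng, keep_tail=4, char="*"):
    """Partial hiding: mask every character except the last keep_tail ones."""
    s = str(value)
    return char * max(0, len(s) - keep_tail) + s[len(s) - keep_tail:]


@operator("structure")
def obfuscate_structure(value, rng, decoys=2):
    """Logical structure obfuscation: add invalid nodes and reorder the existing ones."""
    items = list(value.items())
    for i in range(decoys):  # index i keeps decoy keys unique
        items.append((f"_x{i}{rng.randrange(1000):03d}", rng.randrange(10**6)))
    rng.shuffle(items)
    return dict(items)


# Rule configuration (constructed): per interface, a chain of (field, operator, params).
# A field of None applies the operator to the whole response object.
RULES = {
    "/api/v1/account": [
        ("account_id", "replace", {"prefix": "ACC"}),
        ("balance", "perturb", {"spread": 0.05}),
        ("phone", "mask", {"keep_tail": 4}),
        (None, "structure", {"decoys": 2}),
    ],
}


def obfuscate(path, response, rng):
    """Apply the operator chain configured for `path` to a copy of the real response;
    interfaces without rules pass through unchanged."""
    out = copy.deepcopy(response)
    for field, op, params in RULES.get(path, []):
        fn = OPERATORS[op]
        if field is None:
            out = fn(out, rng, **params)
        elif field in out:
            out[field] = fn(out[field], rng, **params)
    return out


# Constructed real response of the business service (no real data).
REAL_RESPONSE = {"account_id": "A-100042", "balance": 1250.0,
                 "phone": "13800001234", "tier": "gold"}


def demo(seed=7):
    """Run the configured chain with a seeded source so the output is reproducible."""
    return obfuscate("/api/v1/account", REAL_RESPONSE, random.Random(seed))


if __name__ == "__main__":
    print(demo())
```

Two design points matter in practice: the engine works on a copy, so the real processing of the medium-risk request is untouched and only what leaves the system is altered; and the structure operator runs last, so decoy nodes are mixed in after the field-level operators and the client cannot tell configured fields from filler by position. A replacement value that is generated independently of the real identifier, rather than derived from it, also means a small identifier space cannot be recovered by guessing.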

[0038] 5. Trapping Server Cluster

This is a standalone, highly simulated, isolated environment.

[0039] Simulation Nodes: The cluster consists of multiple simulation business nodes. Each node replicates the interface, logic, and interactive experience of the real business system, but its backend data is completely independent and fictitious.

[0040] Behavior tracking: The node embeds a behavior tracking mechanism for both the front-end and back-end, which can seamlessly and completely record all interactive operations, input content, request sequences and session states of visitors in the trapping environment.

[0041] Traffic redirection: After the decision module issues a redirection command, the network scheduling component will transparently redirect the subsequent traffic of the specified high-risk session to a node in the trapping cluster, allowing attackers to enter a completely controlled fake environment without their knowledge.
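The session-level redirect of [0041] and the simulated node of [0039] and [0040], as an added Python sketch that is not the patent's code: the endpoints, the built-in false data, the stand-in real service and the session identifiers are all constructed.

```python
# Added illustration (not the patent's code): a sticky per-session redirect into a
# simulated trap node that answers only from built-in false data and records every
# operation for upload to the log store. Endpoints, data and names are assumed.
from __future__ import annotations

# Built-in false data of the trap node (constructed): nothing here comes from real records.
FAKE_ACCOUNTS = {"ACC-000001": {"owner": "J. Doe", "balance": 13.37},
                 "ACC-000002": {"owner": "A. Nobody", "balance": 42.0}}


class RealService:
    """Stand-in for the real business service (constructed data)."""

    def handle(self, session, method, path, body=None):
        if path == "/api/v1/account" and method == "GET":
            return {"accounts": ["A-100042"]}
        return {"error": "not found"}


class TrapNode:
    """Simulated business node: same interface shape as the real service, an
    independent fictitious backend, and full recording of visitor behaviour."""

    def __init__(self):
        self.records: list[dict] = []  # behaviour chain, uploaded to the log store

    def handle(self, session, method, path, body=None):
        # Record first, then answer: even unknown paths and POST bodies are kept.
        self.records.append({"session": session, "method": method,
                             "path": path, "input": body})
        if path == "/api/v1/account" and method == "GET":
            return {"accounts": sorted(FAKE_ACCOUNTS)}
        if path.startswith("/api/v1/account/") and method == "GET":
            acc = FAKE_ACCOUNTS.get(path.rsplit("/", 1)[-1])
            return dict(acc) if acc else {"error": "not found"}
        return {"error": "not found"}  # same error shape as the real service


class Dispatcher:
    """Network scheduling component: routes by session, not by request."""

    def __init__(self, real, trap):
        self.real, self.trap = real, trap
        self.flagged: set[str] = set()

    def flag(self, session):
        """The decision module issued 'guide to trap cluster' for this session."""
        self.flagged.add(session)

    def route(self, session, method, path, body=None):
        target = self.trap if session in self.flagged else self.real
        return target.handle(session, method, path, body)


if __name__ == "__main__":
    d = Dispatcher(RealService(), TrapNode())
    print(d.route("s1", "GET", "/api/v1/account"))
    d.flag("s1")
    print(d.route("s1", "GET", "/api/v1/account"))
    print(d.trap.records)
```

The routing key is the session, so once a session is flagged it never sees a real response again, which is what keeps the redirect transparent: a visitor who alternated between real and fake answers could compare them. The trap node's only data source is FAKE_ACCOUNTS, and every call, including unknown paths and request bodies, lands in `records` before any answer is produced.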

[0042] 6. Security Log Storage Module

This module centrally stores all security-related data generated during system operation, including request metadata, behavioral characteristics, risk scores, decision instructions, obfuscation operation details, and the complete attacker behavior chain recorded in the trapping environment. This data constitutes a security data lake, which is used for real-time monitoring, post-event auditing, attack depth tracing, and provides a data foundation for the periodic iterative optimization of the behavioral baseline model.

[0043] The monitoring method flow of the present invention will be described in detail below with reference to the above system components:

Step S1: System initialization and baseline establishment.

[0044] In the initial deployment phase, the behavior collection and modeling module is trained based on historical normal access logs, generating an initial "normal behavior baseline model" through feature engineering and unsupervised clustering. Simultaneously, the dynamic data obfuscation engine loads predefined field-level obfuscation rules.

[0045] Step S2: Real-time request analysis and risk assessment. When a business access request arrives, the real-time risk analysis module intercepts the request.

[0046] The module extracts the multidimensional behavioral feature sequence corresponding to the request.

[0047] The module compares this feature sequence with an established baseline model of normal behavior to calculate a quantified risk score for behavioral deviation. It can also selectively incorporate external threat intelligence to refine this score.

[0048] Step S3: Hierarchical strategy decision-making and scheduling. The strategy decision-making and scheduling module receives the risk score and automatically makes a decision based on the preset threshold strategy table, generating corresponding response instructions (normal processing, obfuscation processing, or guidance to trapping).

[0049] Step S4: Dynamic response strategy execution. Based on the decision instruction, the system executes the corresponding branch:

Normal processing: The request is passed directly to the backend business service, and the unmodified real response is returned to the client.

[0050] Obfuscation processing: The request is allowed to proceed to the backend business service and receives actual processing. However, before the response is returned, the dynamic data obfuscation engine, according to the rules, calls the corresponding obfuscation operators to transform the preset sensitive fields in the response message in real time and returns the obfuscated data to the client, thereby interfering with potential attackers while maintaining business functionality.

[0051] Redirected to the decoy cluster: The request and subsequent traffic of its associated session are transparently redirected to the decoy server cluster by the network scheduling mechanism. The attacker will interact with the simulated decoy nodes, receiving completely fake responses, while all their actions are thoroughly logged.

[0052] Step S5: Full-process log recording and model iteration.

[0053] Regardless of which response branch is executed, the complete context information of this request processing, including the original request, risk score, decision actions, and execution details (such as obfuscated fields or trapping behavior records), is systematically recorded in the security log storage module.

[0054] Based on the continuously accumulating log data, the system can periodically retrain or incrementally update the behavioral baseline model, using new normal samples and attack samples to optimize model performance and enable it to have the ability to evolve adaptively.
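The whole flow of steps S1 to S5 as an added Python example, not the patent's code: a deterministic k-means baseline with a centre and boundary radius per cluster (as in [0030]), a linear mapping from deviation to a 0..100 score (the "preset mapping function" of [0033]), an additive threat-intelligence correction ([0016]) and the two thresholds of claim 1. The feature layout, the mapping function, the threshold and correction values and the historical data are all assumptions made for the example.

```python
# Added illustration (not the patent's code): baseline clustering, deviation scoring,
# threat-intelligence correction and the three-level decision of steps S1-S4, plus
# the audit record of step S5. Standard library only; all numeric values are assumed.
from __future__ import annotations

import json
import math
from dataclasses import dataclass

# Assumed feature layout per request: [requests per minute, distinct endpoints].
FIRST_THRESHOLD = 40.0   # below: normal processing                (assumed value)
SECOND_THRESHOLD = 75.0  # above: redirect to the trap cluster     (assumed value)
INTEL_BUMP = 40.0        # correction when the source is on a feed (assumed value)
AUDIT_LOG: list[str] = []  # stand-in for the security log storage module


@dataclass
class Cluster:
    center: list[float]
    radius: float  # boundary range: largest member distance from the centre


def _dist(a, b) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def build_baseline(vectors, k=2, iters=20, min_radius=0.5) -> list[Cluster]:
    """Step S1: k-means over historical *normal* vectors with deterministic
    farthest-first seeding; each cluster keeps its centre and boundary radius."""
    centers = [list(vectors[0])]
    while len(centers) < k:
        centers.append(list(max(vectors, key=lambda v: min(_dist(v, c) for c in centers))))

    def assign():
        groups = [[] for _ in range(k)]
        for v in vectors:
            groups[min(range(k), key=lambda i: _dist(v, centers[i]))].append(v)
        return groups

    for _ in range(iters):
        groups = assign()
        centers = [[sum(col) / len(g) for col in zip(*g)] if g else c
                   for g, c in zip(groups, centers)]
    groups = assign()  # final membership for the radii
    return [Cluster(c, max([_dist(v, c) for v in g] + [min_radius]))
            for c, g in zip(centers, groups)]


def deviation_score(vec, baseline) -> float:
    """Step S2 scoring: distance to the nearest centre in units of that cluster's
    radius, mapped linearly onto 0..100 (boundary = 25; mapping is assumed)."""
    nearest = min(baseline, key=lambda c: _dist(vec, c.center))
    deviation = _dist(vec, nearest.center) / nearest.radius
    return min(100.0, round(25.0 * deviation, 1))


def corrected_score(base, intel_hit: bool) -> float:
    """Optional correction from external threat intelligence ([0016])."""
    return min(100.0, base + INTEL_BUMP) if intel_hit else base


def decide(score) -> str:
    """Step S3: map the score onto the three-level strategy table of claim 1."""
    if score < FIRST_THRESHOLD:
        return "normal"
    if score <= SECOND_THRESHOLD:
        return "obfuscate"
    return "trap"


def handle_request(client, vec, baseline, intel_feed) -> dict:
    """Steps S2-S5 for one request; returns the record written to the audit log."""
    base = deviation_score(vec, baseline)
    score = corrected_score(base, client in intel_feed)
    record = {"client": client, "features": list(vec), "base_score": base,
              "score": score, "action": decide(score)}
    AUDIT_LOG.append(json.dumps(record))
    return record


# Constructed historical normal traffic: two behaviour patterns (browsing, API batch).
HISTORY = [(4, 2), (5, 2), (6, 2), (5, 3), (5, 1),
           (19, 8), (20, 8), (21, 8), (20, 9), (20, 7)]
BASELINE = build_baseline(HISTORY)

if __name__ == "__main__":
    feed = {"203.0.113.7"}  # constructed threat-intel entry (documentation address)
    for client, vec in [("198.51.100.1", (5, 2)), ("198.51.100.2", (7, 3)),
                        ("198.51.100.3", (12, 5)), ("203.0.113.7", (5, 2))]:
        print(handle_request(client, vec, BASELINE, feed))
```

Scoring divides by the cluster's own boundary radius, so a tightly grouped behaviour pattern is judged more strictly than a diffuse one, and the `min_radius` floor stops a one-member cluster from turning every nearby request into a trap redirect. The intelligence correction shows the fusion the text describes: a request whose features sit exactly on a normal centre still moves from normal to obfuscated handling when its source appears on a feed, while the base score stays in the record for later model iteration.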

[0055] In the description of this invention, it should be understood that the terms "first" and "second" are used for descriptive purposes only and should not be construed as indicating or implying relative importance or implicitly specifying the number of indicated technical features. Therefore, a feature defined as "first" or "second" may explicitly or implicitly include one or more of that feature. In the description of this invention, "a plurality of" means two or more, unless otherwise explicitly specified.

[0056] In this invention, unless otherwise explicitly specified and limited, the terms "installation," "connection," "linking," and "fixing," etc., should be interpreted broadly. For example, they can refer to a fixed connection, a detachable connection, or an integral part; they can refer to a mechanical connection or an electrical connection; they can refer to a direct connection or an indirect connection through an intermediate medium; they can refer to the internal communication of two components or the interaction between two components. Those skilled in the art can understand the specific meaning of the above terms in this invention according to the specific circumstances.

[0057] In this invention, unless otherwise explicitly specified and limited, "above" or "below" the second feature can mean that the first and second features are in direct contact, or that they are in indirect contact through an intermediate medium. Furthermore, "above," "over," or "on top" the second feature can mean that the first feature is directly above or diagonally above the second feature, or simply indicates that the first feature is at a higher horizontal level than the second feature. "Below," "below," or "beneath" the second feature can mean that the first feature is directly below or diagonally below the second feature, or simply indicates that the first feature is at a lower horizontal level than the second feature.

[0058] In the description of this specification, the terms "one embodiment," "some embodiments," "embodiment," "example," "specific example," or "some examples," etc., refer to specific features, structures, materials, or characteristics described in connection with that embodiment or example, which are included in at least one embodiment or example of the present invention. In this specification, the illustrative expressions of the above terms do not necessarily refer to the same embodiment or example. Furthermore, the specific features, structures, materials, or characteristics described may be combined in any suitable manner in one or more embodiments or examples. Moreover, without contradiction, those skilled in the art can combine and integrate the different embodiments or examples described in this specification, as well as the features of different embodiments or examples.

[0059] Although embodiments of the present invention have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present invention. Those skilled in the art can make modifications, alterations, substitutions and variations to the above embodiments within the scope of the present invention.

Claims

1. A network security monitoring method, characterized in that it comprises: collecting user access behavior data and establishing a normal behavior baseline model based on the behavior data; receiving a service access request and extracting a behavioral feature sequence from the service access request; comparing the behavioral feature sequence with the normal behavior baseline model to calculate a behavioral deviation risk score; implementing a tiered dynamic response strategy based on the risk score, wherein the tiered dynamic response strategy includes: when the risk score is lower than a first threshold, processing the service access request normally and returning the real data; when the risk score is between the first threshold and a second threshold, processing the service access request normally and dynamically obfuscating the preset sensitive fields in the returned result before returning it; when the risk score is higher than the second threshold, redirecting the service access request to the trap server cluster and returning false response data; and recording the processing logs and response actions for the aforementioned service access requests.

2. The network security monitoring method according to claim 1, characterized in that the establishment of a normal behavior baseline model based on behavioral data includes: clustering and analyzing the historical normal access logs using an unsupervised clustering algorithm to form at least one cluster of normal behavior; and calculating, for each of the normal behavior clusters, the feature center and boundary range to form the normal behavior baseline model.

3. The network security monitoring method according to claim 1, characterized in that the behavioral feature sequence includes at least one of the following features: access frequency, request time distribution, parameter combination pattern, API call order, and client fingerprint information.

4. The network security monitoring method according to claim 3, characterized in that the dynamic obfuscation of preset sensitive fields in the returned results includes at least one of the following obfuscation operations: replacing the identifier field in the real data with a fake value that has no actual business meaning; applying random perturbation to numerical data within a preset range; applying partial character masking to sensitive text-based information; and inserting invalid nodes or rearranging the node order in the returned data structure.

5. The network security monitoring method according to claim 1, characterized in that the trapping server cluster includes multiple simulation service nodes, which are used for: simulating the interfaces and logic of a real business system; generating the fake response data based on built-in fake data; and recording and uploading all user actions within the trapping server cluster.

6. The network security monitoring method according to claim 1, characterized in that, after calculating the behavioral deviation risk score, the method further includes: receiving external threat intelligence; and dynamically adjusting the risk score based on the threat intelligence.

7. A network security monitoring system, based on the network security monitoring method according to any one of claims 1 to 6, characterized in that it includes: a behavior collection and modeling module, used to collect user access behavior data and to establish and update a normal behavior baseline model based on the behavior data; a real-time risk analysis module, used to receive business access requests, extract behavioral feature sequences from the business access requests, compare the behavioral feature sequences with the normal behavior baseline model, and calculate the behavioral deviation risk score; a strategy decision-making and scheduling module, used to generate hierarchical dynamic response strategy instructions based on the risk score; a dynamic data obfuscation engine, used to respond to the instructions of the strategy decision-making and scheduling module by dynamically obfuscating preset sensitive fields in the real data returned by the business service; a trap server cluster, used to respond to the instructions of the strategy decision-making and scheduling module, receive the guided business access request, and provide completely false response data; and a security log storage module, used to record the processing logs, risk scores, and response actions of the business access requests.

8. The network security monitoring system according to claim 7, characterized in that the behavior acquisition and modeling module is specifically used for: clustering and analyzing the historical normal access logs using an unsupervised clustering algorithm to form at least one cluster of normal behavior; and calculating, for each of the normal behavior clusters, the feature center and boundary range to form the normal behavior baseline model.

9. The network security monitoring system according to claim 7, characterized in that the dynamic data obfuscation engine supports pluggable obfuscation operators, which are used to perform at least one of the following operations: field replacement, data perturbation, partial hiding, and logical structure obfuscation.

10. The network security monitoring system according to claim 7, characterized in that the simulated business nodes in the trapping server cluster have built-in behavior tracking scripts to record the visitor's operation steps, input content, and session information in the trapping environment, and upload the recorded data to the security log storage module.