A smart city communication security intelligent protection and abnormal disposal method

By employing multi-dimensional feature fusion and cross-domain collaborative protection technologies, the problem of identifying and handling complex attacks in smart city communication networks has been solved, achieving efficient security protection and dynamic resource management, and improving the security and stability of urban communication networks.

CN122268637APending Publication Date: 2026-06-23北京智筹汇知科技有限公司

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
北京智筹汇知科技有限公司
Filing Date
2026-03-31
Publication Date
2026-06-23

AI Technical Summary

Technical Problem

Existing smart city communication security protection technologies have deficiencies in terms of heterogeneity, cross-domain nature, and dynamism, resulting in weak ability to identify complex attacks, lack of cross-domain protection collaboration, and lag in attack tracing and handling, which cannot meet the security needs of high-quality development of smart cities.

Method used

By employing a spatiotemporal graph attention anomaly detection algorithm based on multi-dimensional feature fusion, a cross-domain communication security dynamic correlation graph, an attack tracing algorithm based on multi-source evidence fusion, and a dynamic collaborative handling strategy based on reinforcement learning, we can achieve accurate identification, cross-domain collaborative protection, and proactive handling of complex attacks.

Benefits of technology

It improved the accuracy of anomaly detection, reduced the false detection rate and false negative rate, realized the dynamic optimization and allocation of cross-domain protection resources and the thorough handling of attacks, and enhanced the security and stability of smart city communication networks.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122268637A_ABST
    Figure CN122268637A_ABST
Patent Text Reader

Abstract

The application belongs to the field of artificial intelligence communication technology, and discloses a smart city communication security intelligent protection and abnormal disposal method and system, aiming at the specific technical problems of single abnormal detection dimension, lack of cross-domain security protection collaboration, attack tracing and disposal lag in the smart city communication network, through multi-dimensional communication security perception data fusion collection and feature mining, a cross-domain communication security correlation graph is constructed, an abnormal detection modeling method with spatiotemporal graph attention is designed, a dynamic protection strategy generation algorithm based on reinforcement learning is proposed, and an attack tracing and collaborative disposal mechanism with multi-source evidence fusion is established. Through accurate abnormal detection, dynamic protection scheduling and efficient tracing and disposal, the application realizes the whole-process intelligent management and control of smart city communication security, and greatly improves the attack resistance, abnormal response speed and cross-domain protection collaboration of the communication network.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention belongs to the field of information technology, specifically relating to a smart city communication security intelligent protection and anomaly handling method. Background Technology

[0002] As the core carrier of urban data interaction, smart city communication networks integrate multiple technologies such as 5G, IoT, edge computing, and cloud computing. With massive numbers of terminal nodes, complex network topologies, and diverse service types, their security directly impacts the safety and stability of urban operations. Existing smart city communication security technologies are mostly based on traditional network security approaches and lack specific design considerations for the heterogeneity, cross-domain nature, and dynamic nature of smart city communication networks. In practical applications, three specific and urgent technical problems need to be addressed, as follows: Communication anomaly detection is limited by a single dimension and has a weak ability to identify complex attacks in heterogeneous and integrated networks: Existing anomaly detection technologies are mostly based on traffic characteristics (such as bandwidth and packet rate) or single behavioral characteristics, without integrating multi-dimensional information such as the behavioral characteristics of communication terminals, the transmission characteristics of network links, and the semantic characteristics of business data. They cannot identify complex attacks with spoofing and multi-step processes in heterogeneous communication networks in smart cities (such as spoofing attacks on IoT terminals and gradual traffic attacks on cross-domain links), and have low differentiation between attack behavior and normal business behavior, resulting in a high false detection rate and false negative rate.

[0003] The lack of coordination in cross-domain communication security protection results in each protection node operating in an "island-like" manner: Smart city communication networks are divided into multiple domains such as the city core network, edge access network, and IoT sensing network. The security protection devices (firewalls, intrusion detection systems, encryption gateways) of each domain are deployed and made independently. There is no cross-domain security status association and protection strategy coordination mechanism. When attacks spread across domains, the protection devices of each domain cannot respond in a coordinated manner, which can easily lead to a rapid expansion of the attack range. In addition, there are problems such as duplicate configuration of protection resources and insufficient protection resources in critical domains.

[0004] The tracing and handling of attack behaviors are lagging behind, lacking proactive and collaborative handling capabilities: Existing technologies mostly rely on manual analysis of log data to trace the attack after it has caused substantial harm. The tracing process is time-consuming and has low accuracy. Moreover, the handling strategy is a static "blocking + isolation" approach, which does not take into account the attack tracing results, the real-time status of the communication network, and the priority of the business for dynamic handling. It also lacks the ability to adaptively handle continuously changing attack behaviors, resulting in incomplete attack handling and easy secondary attacks.

[0005] The aforementioned problems are specific technical defects in existing smart city communication security protection technologies, not macro-level issues. They directly lead to persistently high security risks faced by smart city communication networks, failing to meet the security needs of high-quality development of smart cities, and urgently require a targeted technical solution to address them. Summary of the Invention

[0006] The purpose of this invention is to overcome the aforementioned deficiencies of the prior art and provide a smart city communication security intelligent protection and anomaly handling method and system. It addresses the three specific problems raised in the background art one by one: For the problem of single anomaly detection dimensions and weak ability to identify complex attacks, it proposes a spatiotemporal graph attention anomaly detection modeling algorithm based on multi-dimensional feature fusion to achieve accurate identification of complex attacks; for the problem of lack of cross-domain protection collaboration, it constructs a cross-domain communication security dynamic correlation graph and a graph-based protection resource collaborative scheduling mechanism to break the "island-style" protection pattern; for the problem of delayed attack tracing and single handling strategies, it establishes a multi-source evidence fusion attack tracing algorithm and a reinforcement learning-based dynamic collaborative handling strategy generation mechanism to achieve accurate attack tracing and proactive handling.

[0007] The core technical solution of this invention includes six algorithms not reported in the prior art, all of which emphasize the modeling and solution process, specifically: A multi-dimensional feature fusion and extraction algorithm for smart city communication security is proposed, which integrates four dimensions of features: terminal behavior, link transmission, service semantics, and traffic statistics, to construct a highly discriminative security feature set and solve the problem that single-dimensional features cannot identify complex attacks. We design a cross-domain communication security dynamic association graph construction algorithm, which mines the security status association, protection node dependency, and attack propagation path features of different communication domains based on heterogeneous graph convolutional neural networks, and realizes the deep integration of cross-domain security information. A spatiotemporal graph attention-enhanced communication anomaly detection modeling algorithm is constructed, which integrates spatiotemporal features and graph structure features into the attention mechanism to achieve accurate identification of complex attacks in heterogeneous fusion networks and reduce false detection rate and false negative rate. A cross-domain collaborative scheduling algorithm for protection resources based on deep reinforcement learning is proposed. With protection effectiveness and resource utilization as dual objectives, it realizes dynamic optimization of protection resources and cross-domain linkage of protection strategies. Design a communication attack tracing algorithm that integrates multi-source evidence fusion, combining log data, traffic data, and node status data, and using Bayesian networks to achieve accurate tracing of attack sources, attack paths, and attack methods; Establish a reinforcement learning-based dynamic handling algorithm based on attack attribution results. Combine business priorities and real-time network status to generate adaptive collaborative handling strategies, thereby achieving thorough attack handling and prevention of secondary attacks.

[0008] A first aspect of this invention provides a method for intelligent protection and anomaly handling of communication security in smart cities, comprising the following three core steps: S1: Multi-dimensional communication security data collection and cross-domain feature fusion to construct a dynamic security correlation graph. By collecting multi-dimensional security data through a smart city communication security perception network, and performing intelligent preprocessing and feature fusion, the multi-dimensional feature fusion extraction algorithm (1) and the cross-domain association graph construction algorithm (2) are used to extract security feature sets and construct a cross-domain communication security dynamic association graph, breaking down the "islands" of protection in each domain and solving the problem of lack of cross-domain protection synergy.

[0009] S2: Spatiotemporal graph attention-driven collaborative scheduling of anomaly detection and protection resources to achieve accurate detection and dynamic protection. Based on the security dynamic association graph constructed by S1, the spatiotemporal graph attention anomaly detection algorithm of 3 is used to achieve accurate identification of complex attacks. Then, the deep reinforcement learning protection resource scheduling algorithm of 4 is used to realize the dynamic optimization configuration of cross-domain protection resources and the linkage execution of protection strategies, which solves the problems of single anomaly detection dimension and weak ability to identify complex attacks.

[0010] S3: Attack attribution fusion using multi-source evidence and dynamic reinforcement learning for efficient attribution and proactive handling. For abnormal attack behaviors detected by S2, the multi-source evidence fusion tracing algorithm of 5 is used to accurately trace the attack source, path and means. Then, the reinforcement learning dynamic handling algorithm of 6 is used to generate an adaptive collaborative handling strategy in combination with business priorities, so as to achieve thorough handling of the attack and prevention of secondary attacks, and solve the problem of delayed attack tracing and handling.

[0011] A second aspect of this invention provides a smart city communication security intelligent protection and anomaly handling system, comprising three core units, each corresponding to one of the three steps of the above method. Each unit implements a corresponding innovative algorithm, and together they complete the intelligent protection and anomaly handling of smart city communication security.

[0012] A third aspect of the present invention provides an electronic device, including a processor and a memory, wherein the processor invokes instructions stored in the memory to execute the above-described method.

[0013] A fourth aspect of the present invention provides a computer-readable storage medium having stored thereon computer program instructions that, when executed by a processor, implement the above-described method. Attached Figure Description

[0014] Figure 1 Flowchart of the principle of this invention. Detailed Implementation

[0015] To make the objectives, technical solutions, and advantages of the present invention clearer, the technical solutions of the present invention will be described in detail below with reference to specific embodiments. These embodiments are only used to explain the present invention and are not intended to limit the present invention. Furthermore, the embodiments can be combined with each other, and the same or similar concepts will not be repeated.

[0016] In the four embodiments of the present invention, Embodiment 1 includes formulas and focuses on the modeling and solution process of the communication anomaly detection algorithm with spatiotemporal graph attention enhancement; Embodiments 2, 3, and 4 do not include formulas and respectively describe the algorithm steps and efficiency enhancement principles of cross-domain communication security dynamic association graph construction, attack tracing through multi-source evidence fusion, and reinforcement learning-driven dynamic collaborative handling; each embodiment describes specific steps and qualitatively explains the efficiency enhancement principle by comparing with the prior art, without involving specific data support, and focuses on highlighting the algorithm efficiency enhancement principle and modeling innovation principle.

[0017] Example 1: A communication anomaly detection algorithm enhanced with spatiotemporal graph attention This embodiment addresses the issues of limited anomaly detection dimensions and weak ability to identify complex attacks. It combines the multi-dimensional feature fusion extraction algorithm (1) and the spatiotemporal graph attention anomaly detection algorithm (3) to achieve accurate identification of complex attacks in heterogeneous communication networks of smart cities. The specific steps are as follows: Step 1: Multi-dimensional communication security data acquisition and feature fusion extraction Data Acquisition: Through security sensing nodes deployed in the core network, edge access network, and IoT sensing network, communication security data is collected from four dimensions: terminal behavior characteristics (terminal access frequency, command sending patterns, identity authentication information), link transmission characteristics (link latency jitter, packet loss rate changes, transmission rate changes), business semantic characteristics (business data format, interaction logic, data encryption status), and traffic statistics characteristics (packet size distribution, packet rate, bandwidth utilization). Feature preprocessing: Normalization eliminates the influence of dimensions, mutual information feature selection algorithm removes redundant features, and principal component analysis (PCA) is used to reduce feature dimensionality, resulting in a low-dimensional, high-discrimination multi-dimensional fusion security feature set. ,in For feature dimensions.

[0018] Step 2: Construct a security feature model of the spatiotemporal graph structure Each node of the smart city communication network (core network node, edge node, IoT terminal) is treated as a node in a graph. The node features are the multi-dimensional fused security feature set obtained in step 1. Treat the communication links between nodes as edges of the graph. Edge weights represent the strength of communication interactions and the correlation of security states between nodes; a time dimension is introduced. Construct a spatiotemporal graph security feature model ,in for The node feature matrix at each time step reflects the changes in network security status at different time steps.

[0019] Step 3: Modeling and Solving Anomaly Detection Based on Spatiotemporal Graph Attention Enhancement The design incorporates a spatiotemporal graph attention layer to encode the spatiotemporal graph security feature model. This layer adaptively captures the spatiotemporal association features and graph structure features of nodes, enabling accurate classification of anomalous attacks. The core formula is as follows: in: for Time Node For neighboring nodes The spatiotemporal graph attention weights reflect the nodes State changes affect nodes The degree of contribution of anomaly detection; , , These are query, key, and value weight matrices, respectively. The dimension of the key vector. The edge weights between nodes. The temporal attention coefficient reflects the importance of features at different time steps; For nodes The set of neighboring nodes, For the encoded node Spatiotemporal graph fusion features Pass weight matrix to time features. It is the ReLU activation function; This is the output layer weight matrix. For bias terms, For nodes The probability of being in an abnormal attack state is considered abnormal when the probability exceeds a preset threshold.

[0020] Step 4: Identification of Subcategories of Abnormal Attack Types Based on the spatiotemporal graph attention feature encoding, a fully connected layer and a Softmax classification layer are added to classify abnormal attacks into specific types such as spoofing attacks, traffic attacks, data tampering attacks, and cross-domain propagation attacks, providing accurate attack feature basis for subsequent tracing and handling.

[0021] Efficiency Enhancement Principle Existing technologies only perform anomaly detection based on single-dimensional features, which cannot capture the multi-dimensional feature associations of complex attacks. This embodiment innovates the modeling of multi-dimensional feature fusion extraction algorithms, integrating features from four dimensions: terminal, link, service, and traffic, to construct a highly discriminative feature set, thus solving the problem of weak recognition capability of complex attacks from the feature level. Existing technologies do not consider the graph structure characteristics and spatiotemporal dynamic changes of smart city communication networks. This embodiment constructs a spatiotemporal graph security feature model, which incorporates the spatial association and temporal evolution characteristics of nodes into the model, thereby capturing the spatiotemporal propagation characteristics of attack behaviors. Existing technologies use statically assigned feature weights, which cannot adaptively identify key attack features. This embodiment innovates by modeling the spatiotemporal graph attention layer, adaptively calculating the spatiotemporal attention weights between nodes, strengthening key attack-related features, and weakening irrelevant features of normal business, thereby significantly improving the accuracy of anomaly detection and reducing false positive and false negative rates.

[0022] Example 2: Without Formulas—An Algorithm for Constructing a Secure Dynamic Association Graph for Cross-Domain Communication This embodiment addresses the issues of lack of cross-domain protection collaboration and the isolated operation of each protection node. It combines the cross-domain communication security dynamic association graph construction algorithm from step 2 to achieve deep fusion and state association of cross-domain security information, providing a foundation for cross-domain collaborative protection. The specific steps are as follows: Step 1: Defining Nodes and Domain Boundaries in Cross-Domain Communication Networks The smart city communication network is divided into three core domains: core network domain, edge access network domain, and IoT sensing network domain. Security protection nodes (firewalls, IDS / IPS, encryption gateways), communication nodes, and terminal nodes in each domain serve as the basic nodes of the network map. Define domain boundary nodes (such as cross-domain routers and edge gateways) as nodes for information exchange and security protection linkage between domains, and clarify the basic attributes of each node, such as its domain, node type, and security protection capabilities.

[0023] Step 2: Extraction and quantification of cross-domain security association features Extract the security association characteristics of each node, including the frequency of communication and interaction between nodes, the linkage relationship of security policies, the potential path of attack propagation, and the ability to share protection resources; The fuzzy comprehensive evaluation method is used to quantify the security association characteristics, and obtain the security association degree between nodes and the cross-domain coordination coefficient between domains. The security association degree reflects the degree of security status dependence between nodes, and the cross-domain coordination coefficient reflects the linkage capability of protection strategies between domains.

[0024] Step 3: Graph Initialization of Heterogeneous Graph Convolutional Neural Network Construct a cross-domain communication security heterogeneous graph, using nodes from different domains and of different types as nodes in the heterogeneous graph. The node attributes consist of the node's basic attributes, multi-dimensional fused security features, and security association features. The security association degree between nodes is used as the edge weight, and the edge weights between nodes at the domain boundary are superimposed with the cross-domain collaboration coefficient to initialize the node feature matrix and edge weight matrix of the heterogeneous graph. Heterogeneous Graph Convolutional Neural Network (HGCN) is used to aggregate features of the initial heterogeneous graph. Domain-specific convolutional kernels and cross-domain convolutional kernels are designed to extract local security features within each domain and global security features across domains, respectively, to achieve deep fusion of cross-domain node features.

[0025] Step 4: Real-time updating and maintenance of the security dynamic association graph Set a graph update time window and dynamically update the feature attributes of nodes and the weights of edges based on the real-time security status data of the communication network: update the feature matrix when the security status of a node changes; update the edge weights when the communication interaction or security association between nodes changes. A graph pruning mechanism is introduced to remove invalid edges with a correlation degree lower than a preset threshold, ensuring the sparsity and effectiveness of the graph; at the same time, new nodes and edges are added to adapt to the dynamic changes in the topology of the smart city communication network.

[0026] Efficiency Enhancement Principle Existing technologies do not perform associated modeling of the security status of cross-domain communication networks, and each domain protection node operates independently. This embodiment extracts and quantifies cross-domain security association features, and mines the security association relationships between each domain and each node from the modeling level, providing a data foundation for cross-domain collaborative protection. Existing technologies use homogeneous graph modeling, which cannot adapt to the heterogeneity (different domains, different node types) of smart city communication networks. This embodiment uses heterogeneous graph convolutional neural networks, designs domain-specific and cross-domain convolutional kernels, realizes deep fusion of heterogeneous node features, and solves the modeling problem of heterogeneous networks. Existing network models are static and cannot adapt to the dynamic changes in communication networks. The security dynamic association graph constructed in this embodiment supports real-time updates and pruning maintenance, and can accurately reflect the dynamic evolution of network security status, providing accurate graph support for dynamic protection resource scheduling.

[0027] Example 3: Communication Attack Source Tracing Algorithm Without Formulas—Multi-Source Evidence Fusion (Corresponding to 5) This embodiment addresses the issues of delayed and low-accuracy attack attribution tracing. It combines a multi-source evidence fusion attack attribution algorithm (based on 5GbE) to integrate multi-dimensional data, achieving precise attribution of attack sources, attack paths, and attack methods. This provides a basis for subsequent attack handling. The specific steps are as follows: Step 1: Construction of a Multi-Source Evidence Set for Attack Tracing In response to the abnormal attack behavior detected in Example 2, three main categories of source tracing evidence data were collected to construct a multi-source evidence set: Log evidence: Audit logs, access logs, and handling logs of each protection node, including the time, node, and operation records of the attack; Traffic evidence: Traffic data corresponding to the attack, including the source IP, destination IP, transmission path, and packet characteristics; Node status evidence: Real-time status data of the attacked node and related nodes, including node resource utilization, process running status, and data tampering traces.

[0028] Step 2: Evidence Preprocessing and Characterization Preprocessing of multi-source evidence data: removing invalid logs from log evidence and filling in missing information; performing flow reconstruction and feature extraction on traffic evidence; and locating abnormal features in node status evidence; The preprocessed evidence data is characterized and converted into a unified source-tracing evidence feature vector, which includes the temporal features, spatial features, behavioral features, and correlation features of the evidence, thereby achieving a standardized representation of multi-source evidence.

[0029] Step 3: Evidence fusion and source tracing modeling based on Bayesian networks A Bayesian network model for attack attribution is constructed, with attack source, attack path, and attack method as latent variables and multi-source evidence features as explicit variables. Based on domain knowledge and historical attack data, the node conditional probability table (CPT) of the Bayesian network is initialized. The Gibbs sampling algorithm is used to perform inference on the Bayesian network. The feature vectors of multi-source evidence are input into the model to update the posterior probability distribution of the latent variables, thereby achieving deep fusion of multi-source evidence and quantifying the probability of each potential attack source, attack path, and attack method.

[0030] Step 4: Precise determination and visualization of attack attribution results The potential attack source with the highest posterior probability is selected as the precise attack source, and the path with the highest probability is selected as the attack propagation path. The attack method is determined by combining attack behavior characteristics and evidence matching results. Based on the cross-domain communication security dynamic association graph, the attack source tracing results can be visualized, marking the location of the attack source, the cross-domain propagation path, and the range of attacked nodes, providing intuitive visual support for subsequent collaborative handling.

[0031] Efficiency Enhancement Principle Existing technologies mostly rely on single log evidence for attack attribution, resulting in limited evidence dimensions and low accuracy. This embodiment constructs a multi-source evidence set, integrating three major categories of evidence: logs, traffic, and node status, thereby improving the comprehensiveness and accuracy of attribution at the evidence level. Existing evidence fusion technologies often employ simple splicing or weighting methods, failing to consider the correlation and uncertainty between evidence. This embodiment uses Bayesian networks for evidence fusion reasoning, which can effectively handle the uncertainty and correlation of evidence, achieve deep fusion of multi-source evidence, and significantly improve the accuracy of tracing the source. Existing technologies provide source tracing results as abstract character information, which lacks intuitiveness. This embodiment visualizes source tracing results based on cross-domain security dynamic association graphs, which can accurately mark the source, path, and affected scope of the attack, providing an intuitive and accurate decision-making basis for subsequent collaborative handling, and solving the problem of the disconnect between source tracing results and handling strategies.

[0032] Example 4: Without Formulas—A Reinforcement Learning-Driven Cross-Domain Collaborative Dynamic Handling Algorithm (Corresponding to 4 and 6) This embodiment addresses the problems of delayed attack response, simplistic strategies, and lack of adaptive capabilities. It combines the deep reinforcement learning-based resource scheduling algorithm (4) and the reinforcement learning-based dynamic response algorithm (6) to achieve cross-domain collaborative dynamic response based on attack attribution results. The specific steps are as follows: Step 1: Prioritizing Business and Protection Nodes Based on the importance, real-time performance, and security requirements of smart city communication services, the Analytic Hierarchy Process (AHP) is used to divide the services into three levels: core services (urban emergency command, security monitoring), important services (government data interaction, public services), and general services (public WiFi, general data transmission). Priority weights are assigned to each level of services, with core services having the highest weight. Based on the cross-domain communication security dynamic association graph, the protection nodes are divided into two levels according to their protection capabilities, location, and number of associated nodes: core protection nodes (domain boundary, core network node) and ordinary protection nodes (edge ​​access node, IoT gateway). Core protection nodes are given priority in the allocation of protection resources.

[0033] Step 2: Define the state and action space of the reinforcement learning disposition model State space S: The attack tracing results (attack source, path, method), real-time network security status (attacked nodes, remaining protection resources), and service priority weights are used as the state space for reinforcement learning, reflecting the current attack situation and network status. Action Space A: The executable actions are divided into four categories: blocking (IP blocking, port blocking), isolation (node ​​isolation, domain isolation), hardening (encryption hardening, identity authentication hardening), and source tracing (continuously tracking the behavior of the attack source). Each action corresponds to a specific execution node and execution parameters. Reward function R: Design a multi-objective weighted reward function, including attack handling effect reward (whether the attack is blocked or its scope is reduced), business impact reward (the degree of impact of the handling action on normal business), and resource utilization reward (the efficiency of the use of protection resources), so that maximizing the reward function corresponds to the optimal handling effect, the minimum business impact, and the highest resource utilization.

[0034] Step 3: Training and Generation of Disposition Strategies in Deep Reinforcement Learning The Deep Deterministic Policy Gradient (DDPG) algorithm is used to train the disposition policy network. The state space S is used as input and the output is the probability distribution of the disposition action. The network parameters are continuously updated through interaction with the environment (execution of disposition action and acquisition of network state feedback) to maximize the cumulative reward function. The real-time attack attribution results and network security status are input into the trained policy network to generate an initial response policy, specifying the execution actions, execution time, and execution parameters for each protection node.

[0035] Step 4: Execution and Adaptive Adjustment of Cross-Domain Collaborative Processing Based on the cross-domain communication security dynamic correlation graph, the initial handling strategy is distributed to the protection nodes of each domain to achieve cross-domain collaborative handling: core protection nodes prioritize blocking and isolation actions to block the cross-domain propagation of attacks; ordinary protection nodes perform hardening and source tracing actions to eliminate local attack risks; The system monitors the network security status in real time after the attack. If the attack behavior changes or the response is not as expected, it adaptively adjusts the response strategy based on the online learning capability of reinforcement learning, adds new response actions or adjusts the execution parameters until the attack behavior is completely blocked and normal business communication is restored.

[0036] Efficiency Enhancement Principle The existing technology's handling strategy is static blocking and isolation, which does not consider business priorities and is prone to causing core business interruptions. This embodiment prioritizes business and protection nodes to ensure the normal operation of core businesses during the handling process, minimizing the impact of handling actions on the city's critical businesses. Existing technologies employ a single-node independent execution strategy without cross-domain collaboration. This embodiment achieves cross-domain collaborative handling based on a cross-domain security dynamic association graph. Core protection nodes and ordinary protection nodes work together to block attacks from the entire propagation path, thus solving the problem of incomplete cross-domain attack handling. Existing technologies lack adaptive handling capabilities against mutation attacks. This embodiment employs the deep reinforcement learning DDPG algorithm to train the handling strategy network, which has online learning and adaptive adjustment capabilities. It can adjust the handling strategy in real time according to the mutation characteristics of the attack and changes in the network state, thereby achieving effective prevention against mutation attacks and secondary attacks. Existing technologies allocate protection resources statically, which can easily lead to resource waste or insufficient resources in critical domains. This embodiment incorporates the utilization rate of protection resources into a multi-objective reward function, enabling the disposal strategy to achieve optimal allocation of protection resources while handling attacks, thereby improving resource utilization.

Claims

1. A method for intelligent protection and anomaly handling of communication security in smart cities, characterized in that, include: S1: Collect multi-dimensional security data of smart city communication network, including terminal behavior, link transmission, service semantics, and traffic statistics. After preprocessing and feature fusion, obtain a multi-dimensional fused security feature set. Construct a cross-domain communication security dynamic association graph based on heterogeneous graph convolutional neural network. The graph includes nodes and edges of core network domain, edge access network domain, and IoT sensing network domain. The edge weights are the security association degree between nodes and the cross-domain collaboration coefficient. S2: Construct a spatiotemporal graph security feature model based on the cross-domain communication security dynamic correlation graph. An anomaly detection algorithm enhanced by spatiotemporal graph attention is used to identify and classify anomaly attacks. Then, dynamic collaborative scheduling of cross-domain protection resources is achieved based on deep reinforcement learning. The core formula of the spatiotemporal graph attention-enhanced anomaly detection algorithm is: ; S3: For detected abnormal attack behavior, collect multi-source tracing evidence such as logs, traffic, and node status and construct an evidence set. Based on Bayesian network, realize multi-source evidence fusion reasoning to obtain accurate tracing results of attack source, attack path, and attack method. Then, combined with the priority division of business and protection nodes, construct a reinforcement learning handling model based on deep deterministic policy gradient algorithm, generate and execute cross-domain collaborative dynamic handling strategy, monitor and adaptively adjust the strategy in real time until the attack is blocked and normal business is restored.

2. The method according to claim 1, characterized in that, The preprocessing of the multi-dimensional security data in step S1 includes: eliminating the influence of dimensions through normalization, removing redundant features through mutual information feature selection algorithm, and achieving feature dimensionality reduction through principal component analysis; the cross-domain communication security dynamic association graph also includes a real-time update and pruning mechanism, which dynamically updates node features and edge weights according to the network security status and removes invalid edges.

3. The method according to claim 1, characterized in that, The construction of the spatiotemporal graph security feature model in step S2 includes: taking communication network nodes as graph nodes, node features as a multi-dimensional fused security feature set, communication links between nodes as graph edges, edge weights as communication interaction strength and security state correlation, and introducing a time dimension to reflect the changes in network security state at different time steps.

4. The method according to claim 1, characterized in that, The cross-domain protection resource scheduling of deep reinforcement learning described in step S2 includes: taking protection effect and resource utilization as dual objectives, using network security status and attack characteristics as the state space and protection resource allocation strategy as the action space, designing a weighted reward function, and training the policy network through a near-end policy optimization algorithm to achieve dynamic optimization of protection resource allocation.

5. The method according to claim 1, characterized in that, The preprocessing and characterization of multi-source tracing evidence in step S3 includes: removing invalid logs, completing missing information, restoring traffic data from the flow, locating abnormal node status features, and converting the preprocessed evidence into a unified tracing evidence feature vector containing time, space, behavior, and correlation features.

6. The method according to claim 1, characterized in that, The evidence fusion reasoning based on Bayesian networks described in step S3 includes: using attack source, attack path, and attack method as latent variables, using multi-source evidence features as manifest variables, initializing the node conditional probability table, updating the posterior probability distribution of latent variables using the Gibbs sampling algorithm, and selecting the result with the highest posterior probability as the accurate source tracing result.

7. The method according to claim 1, characterized in that, The priority division of business and protection nodes in step S3 includes: using the hierarchical analysis method to divide business into three levels: core, important, and general, and protection nodes into two levels: core and ordinary. Priority weights are assigned to each level of business and node, and core business and core protection nodes are given priority in the allocation of processing resources.

8. The method according to claim 1, characterized in that, The construction of the reinforcement learning response model in step S3 includes: using the attack tracing results, real-time network status, and business priority weights as the state space, and using blocking, isolation, hardening, and tracing actions as the action space, and designing a multi-objective weighted reward function that includes attack response effect, business impact, and resource utilization.

9. A smart city communication security intelligent protection and anomaly handling system, characterized in that, To implement the method of any one of claims 1-8, comprising: Unit 1: Used for the collection, preprocessing and feature fusion of multi-dimensional communication security data, to construct a dynamic correlation graph of cross-domain communication security, and to achieve deep integration of cross-domain security information; The second unit is used to construct a spatiotemporal graph security feature model, identify abnormal attacks through a spatiotemporal graph attention-enhanced anomaly detection algorithm, and realize dynamic collaborative scheduling of cross-domain protection resources based on deep reinforcement learning. The third unit is used to collect multi-source tracing evidence, achieve accurate attack tracing based on Bayesian networks, build a reinforcement learning handling model in combination with business priorities, generate and execute cross-domain collaborative dynamic handling strategies, and achieve attack blocking and business recovery.

10. An electronic device, characterized in that, include: processor; Memory used to store processor-executable instructions; The processor is configured to invoke instructions stored in the memory to execute the smart city communication security intelligent protection and anomaly handling method according to any one of claims 1 to 8.