A method, device and equipment for intelligent defense of a CC attack based on a large language model

By semantically translating real-time network traffic and generating dynamic defense strategies through large language model inference, the limitations of existing CC attack protection methods are overcome, enabling precise response to complex attacks and self-evolving defense, thus improving the real-time performance and accuracy of the defense system.

CN122268655A · Pending · Publication Date: 2026-06-23 · XIAMEN KUAIKUAI NETWORK TECH CO LTD

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Applications (China)
Current Assignee / Owner: XIAMEN KUAIKUAI NETWORK TECH CO LTD
Filing Date: 2026-04-21
Publication Date: 2026-06-23

AI Technical Summary

Technical Problem

Existing CC attack protection methods rely on static rule matching, which makes it difficult to identify complex attack intentions, cannot achieve real-time autonomous defense, and lacks self-evolution capabilities.

Method used

By semantically translating real-time network traffic to generate temporal behavior sequences and semantic description objects of contextual features, attack intent reasoning is performed using a domain-fine-tuned large language model to generate dynamic defense strategies, and the model is optimized by monitoring and evaluating execution results to build an autonomous closed-loop defense system.

Benefits of technology

It enables precise response and adaptive enhancement to complex attacks, reduces continuous investment in security operations and maintenance and manual intervention, has self-evolution capabilities, and significantly improves the real-time performance and accuracy of defense response.

✦ Generated by Eureka AI based on patent content.


Abstract

The application discloses a CC attack intelligent defense method, device and equipment based on a large language model, comprising: performing traffic semantic translation on captured real-time network traffic to generate a semantic description object including a time sequence behavior sequence and context features; inputting the semantic description object into a domain fine-tuned large language model to perform attack intention reasoning to obtain a threat judgment result, generating a corresponding dynamic defense strategy description based on the threat judgment result; compiling the dynamic defense strategy description into an executable instruction sequence, and issuing the executable instruction sequence to a downstream security device to drive execution to obtain an execution result; based on the execution result, monitoring network traffic situation and business indicators after the downstream security device executes the strategy to generate strategy effect evaluation data; and optimizing the large language model based on whole-link data including the semantic description object, the threat judgment result, the dynamic defense strategy description and the strategy effect evaluation data.

Description

Technical Field

[0001] This invention relates to the field of network security technology, and in particular to a method, apparatus, and device for intelligent defense against CC attacks based on a large language model.

Background Technology

[0002] With the rapid development of internet technology, application-layer distributed denial-of-service (DDoS) attacks have become one of the major threats in the field of network security. The essence of a DDoS attack lies in the attacker simulating a massive number of legitimate business requests, exhausting server resources and causing normal service unavailability. Current mainstream protection technologies mainly rely on threshold-based rule matching or rate limiting mechanisms. These methods essentially fall under the category of "pattern recognition," meaning they make judgments by comparing predefined or statistically learned malicious patterns, making it difficult to deeply understand the true intent behind traffic behavior. Attackers can easily circumvent traditional threshold detection rules by using low-rate, highly distributed, and simulated normal user interactions, significantly reducing the effectiveness of defenses. At the same time, security operations personnel face the dilemma of alarm overload and frequent policy adjustments, making it difficult to cope with constantly evolving attack methods.

[0003] In recent years, large language models have demonstrated powerful capabilities in semantic understanding, logical reasoning, code generation, and tool invocation, providing new technical approaches for network security defense. Theoretically, large language models can understand the "behavioral language" and "attack scripts" contained in network traffic, thereby achieving deep understanding of complex attacks. However, there is currently no mature technical solution for how to deeply, efficiently, and securely integrate large language models into high-concurrency, low-latency real-time traffic processing pipelines and build a trustworthy, autonomous, closed-loop defense system. Existing technologies either treat large language models as offline auxiliary analysis tools, which are insufficient to meet real-time response requirements; or they are only used for simple text classification tasks, failing to fully utilize their decision-making and planning potential.

Summary of the Invention

[0004] In view of this, the purpose of this invention is to propose a method, device and equipment for intelligent defense against CC attacks based on a large language model, which aims to solve the problems of existing CC attack protection methods, such as difficulty in identifying complex attack intentions due to reliance on static rule matching, inability to achieve real-time autonomous defense and lack of self-evolution capabilities.

[0005] To achieve the above objectives, this invention provides a smart defense method against CC attacks based on a large language model, the method comprising:
Performing semantic translation on the captured real-time network traffic to generate a semantic description object that includes a temporal behavior sequence and contextual features;
Inputting the semantic description object into a domain-fine-tuned large language model to perform attack intent reasoning and obtain a threat determination result, and generating a corresponding dynamic defense strategy description based on the threat determination result;
Compiling the dynamic defense strategy description into an executable instruction sequence, and sending the executable instruction sequence to downstream security devices to drive execution and obtain the execution result;
Based on the execution result, monitoring the network traffic situation and business indicators after the downstream security devices execute the strategy, and generating strategy effect evaluation data;
Optimizing the large language model using full-link data, including the semantic description object, the threat determination result, the dynamic defense strategy description, and the strategy effect evaluation data.

[0006] To achieve the above objectives, the present invention also provides a smart defense device for CC attacks based on a large language model, the device comprising:
The semantic translation unit, which is used to perform semantic translation of captured real-time network traffic, generating a semantic description object that includes a temporal behavior sequence and contextual features;
The attack intent unit, which is used to input the semantic description object into a domain-fine-tuned large language model to perform attack intent reasoning, obtain a threat determination result, and generate a corresponding dynamic defense strategy description based on the threat determination result;
The instruction compilation unit, which is used to compile the dynamic defense strategy description into an executable instruction sequence, and to send the executable instruction sequence to downstream security devices to drive execution and obtain the execution result;
The execution monitoring unit, which is used to monitor, based on the execution result, the network traffic situation and service indicators after the downstream security devices execute the policy, and to generate policy effect evaluation data;
The model optimization unit, which is used to optimize the large language model with the full-link data, including the semantic description object, the threat determination result, the dynamic defense strategy description, and the strategy effect evaluation data.

[0007] To achieve the above objectives, the present invention also proposes a CC attack intelligent defense device based on a large language model, comprising a processor, a memory, and a computer program stored in the memory. The computer program is executed by the processor to implement the steps of a CC attack intelligent defense method based on a large language model as described in the above embodiments.

[0008] Beneficial effects: The above solution transforms raw traffic into semantic description objects containing temporal behavioral sequences and contextual features, enabling the large language model to understand the attack's behavioral logic. Dynamic defense strategies generated based on attack intent reasoning can accurately address various attack scenarios, significantly improving the accuracy and adaptability in dealing with new and variant attacks. Quantifiable feedback data is generated through execution result monitoring and effect evaluation. Finally, the large language model is optimized using end-to-end data, and handling cases are stored in a policy knowledge base, giving the system the ability to continuously evolve, thus achieving intelligent autonomous handling of CC attacks. This method overcomes the limitations of traditional pattern recognition, achieving a leap from "rule matching" to "intent understanding," while constructing an autonomous closed loop of perception-decision-execution-evolution, significantly reducing the need for continuous investment in security operations and maintenance and reliance on manual intervention.

[0009] Through adaptive session fingerprint generation, action vector extraction, and sliding window state machine analysis, the original HTTP request is transformed into a structured semantic description object, providing high-quality input data for subsequent LLM inference. A weighted hash algorithm is used to fuse multi-dimensional features such as source IP address, User-Agent entropy, Accept-Language stability, and TCP/IP protocol stack fingerprint to generate session fingerprints. This enables the system to effectively associate the behavior of the same attacking entity even after the attacker changes their IP address, enhancing the accuracy of attack tracing. Quantitative analysis of session behavior is performed from multiple dimensions, including precondition verification, behavior rhythm analysis, resource access entropy calculation, and funnel deviation calculation. This allows for accurate identification of attack behavior characteristics such as abnormal entry points, mechanical rhythm features, enumeration traversal patterns, and path deviation degrees, providing rich contextual evidence for LLM intent inference and significantly improving the ability to identify complex attacks such as slow CC attacks and simulated users.

[0010] By using a large language model to judge the conversational behavior described by semantic description objects, it can accurately distinguish between malicious attacks, benign crawlers, and normal business flows. After identifying a malicious attack, it further identifies the attack tactic type and, combined with a pre-defined security principle library, real-time business context, and system resource status, generates a defense strategy that matches the current attack scenario. The strategy parameters are jointly determined based on the real-time attack intensity, the criticality of the attacked resources, and the system load status, ensuring the accuracy and adaptability of the strategy. Finally, a predefined utility function library maps the defense strategy into atomic security operation instructions, realizing automated conversion from high-level strategy to low-level execution. This gives the LLM decision-making process a hierarchical and progressive logical structure, and the output dynamic defense strategy description can directly drive downstream security devices, significantly improving the real-time performance and accuracy of defense response.

[0011] By incorporating richer knowledge sources from external information fusion and historical experience, the accuracy of LLM attack intent reasoning and the global optimality of decision-making are enhanced through two dimensions. Specifically, by introducing external contextual information from threat intelligence platforms, asset management systems, or business monitoring systems, LLM can make comprehensive judgments based on a broader network security landscape, avoiding misjudgments that may result from relying solely on single traffic data. Furthermore, a hybrid retrieval strategy retrieves historical handling cases matching the current semantic description object from the policy knowledge base, and re-ranks the retrieval results based on predefined weighting rules in the graph node relationships. These ranked historical cases are then input into the LLM along with the current semantic description object, allowing the model to draw on past experience in handling similar attacks to assist in generating better dynamic defense strategies. Through multi-source information fusion and experience reuse, the overall perspective and scenario adaptability of LLM decision-making are significantly improved.

[0012] By constructing a Markov decision process based on reinforcement learning, the conversational behaviors described by the semantic description object and the effect evaluation data corresponding to the executed policies are used as states, and the next dynamic defense policy to be generated is used as an action. A reward function is designed, including an attack traffic suppression rate reward, a false interception penalty, and a policy response speed reward, to quantitatively evaluate the policy effect. A proximal policy optimization algorithm is used to periodically update the model parameters, enabling the large language model to generate better dynamic defense policies when facing similar attack scenarios. This achieves the system's self-evolution capability, allowing the protection effect to continuously improve with experience accumulation and to continuously iterate and strengthen itself as the confrontation with attackers continues, effectively responding to the continuous evolution of new attack methods.

Description of the Drawings

[0013] To more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0014] Figure 1 is a flowchart illustrating a method for intelligent defense against CC attacks based on a large language model, as provided in an embodiment of the present invention.

[0015] Figure 2 is a schematic diagram of the structure of a CC attack intelligent defense system provided in an embodiment of the present invention.

[0016] Figure 3 is a schematic diagram of a CC attack intelligent defense device based on a large language model, provided as an embodiment of the present invention.

[0017] The realization of the invention's objective, its functional characteristics, and advantages will be further explained in conjunction with the embodiments and with reference to the accompanying drawings.

Detailed Implementation

[0018] To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only a part of the embodiments of the present invention, not all of them. Therefore, the following detailed description of the embodiments of the present invention provided in the accompanying drawings is not intended to limit the scope of the claimed invention, but merely to represent selected embodiments of the invention. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0019] The present invention will be described in detail below with reference to the embodiments.

[0020] Figure 1 shows a flowchart of a CC attack intelligent defense method based on a large language model according to an embodiment of the present invention. This method is not only applicable to general internet business protection, but also to the field of industrial security, providing intelligent CC attack defense capabilities for industrial web applications and industrial API services, ensuring the continuity and security of industrial production processes. In this embodiment, the method is implemented based on a CC attack intelligent defense system. As shown in Figure 2, the system includes:
The traffic acquisition module, which is used to capture raw network traffic in real time and perform preliminary parsing of data packets to extract HTTP requests.
The semantic translator, connected to the traffic acquisition module, which receives the extracted HTTP requests and aggregates them along the session dimension using an adaptive session fingerprint generation algorithm to generate a session request sequence. It then extracts the action vector for each HTTP request in the session request sequence, performs behavioral logic analysis on the action vector using a sliding window state machine, and generates behavioral feature analysis results. Finally, it combines the action vector sequence with the feature analysis results to generate a structured JSON object containing a temporal behavioral sequence and contextual features, which serves as the semantic description object. This semantic description object is then sent to the large language model cognitive decision engine.
The large language model cognitive decision engine, connected to the semantic translator, which is used to receive semantic description objects, perform attack intent reasoning through the built-in domain-fine-tuned large language model, output threat judgment results, and generate corresponding dynamic defense strategy descriptions based on the threat judgment results. The large language model cognitive decision engine includes an intent cognition layer, a strategy generation layer, and a tool invocation layer, which are used for behavioral intent analysis, context-aware strategy synthesis, and strategy-to-tool instruction mapping planning, respectively, and sends the generated dynamic defense strategy description to the strategy executor. The engine also includes a strategy knowledge base, which stores the full-link data of historical handling cases. The full-link data includes semantic description objects, threat judgment results, dynamic defense strategy descriptions, and strategy effect evaluation data. The strategy knowledge base is organized using a heterogeneous graph structure. The node types include attack fingerprints, handling strategies, business contexts, and execution effects. The relationships between nodes include applicable relationships, causal relationships, or occurrence-period relationships to support efficient retrieval and case reuse. The engine also includes a self-evolutionary feedback module, which is used to generate policy effect evaluation data based on network traffic status and business indicators after policy execution. The full-link data, including semantic description objects, threat judgment results, dynamic defense policy descriptions, and policy effect evaluation data, is sent to the policy knowledge base for storage. The full-link data is used to periodically optimize the large language model through a reinforcement learning mechanism, so that the system has a continuously evolving defense capability.
The strategy executor, connected to the large language model cognitive decision engine, which receives dynamic defense strategy descriptions, compiles them into executable instruction sequences, and calls corresponding tool functions in the underlying toolkit through standardized interfaces to drive downstream heterogeneous security devices to execute the strategies. At the same time, the strategy executor receives the real-time execution results returned by the downstream security devices and feeds the execution results back to the large language model cognitive decision engine.
The toolset module, connected to the policy executor, which contains a predefined tool function library. The tool function library corresponds one-to-one with the application programming interfaces of downstream security devices, including one or more of the following: rate limiting instruction interface, CAPTCHA issuance instruction interface, and virtual patch deployment instruction interface. It is used to convert dynamic defense policy descriptions into specific device-executable instruction sequences.

[0021] Specifically, the method includes: S11, performing semantic translation of the captured real-time network traffic to generate a semantic description object that includes a temporal behavior sequence and contextual features.

[0022] Furthermore, in step S11, the step of performing semantic translation on the captured real-time network traffic to generate a semantic description object including a temporal behavior sequence and contextual features includes:
S11-1, Parse the data packets in the real-time network traffic to extract HTTP requests, and use the adaptive session fingerprint generation algorithm to calculate the HTTP requests and generate the session fingerprint of the corresponding HTTP requests;
S11-2, Based on the session fingerprint, aggregate HTTP requests with the same session fingerprint to obtain a session request sequence;
S11-3, Extract the action vector of each HTTP request in the session request sequence, wherein the action vector includes the resource type, interaction semantic features and response entropy value of the corresponding HTTP request; the resource type includes at least one of static resources, API read/write, and login page; the interaction semantic features include the parameter pattern of the request parameters; and the response entropy value is calculated based on the information entropy of the response content;
S11-4, Use a sliding window state machine to perform behavioral logic analysis on the action vector and generate behavioral feature analysis results;
S11-5, Combine the action vector with the feature analysis results to generate a structured JSON object including a temporal behavior sequence and contextual features, and use the structured JSON object as the semantic description object.

[0023] Furthermore, in step S11-1, the adaptive session fingerprint generation algorithm is a weighted hash algorithm; the step of using the adaptive session fingerprint generation algorithm to calculate the HTTP request and generate a session fingerprint corresponding to the HTTP request includes: The session fingerprint is generated by calculating the source IP address, User-Agent entropy value, Accept-Language stability, and TCP/IP protocol stack fingerprint extracted from the HTTP request using a weighted hash algorithm. The HTTP request header fields include Accept-Language stability, X-Requested-With header, and anonymized value of the advertising identifier.

[0024] Furthermore, in step S11-4, the behavioral logic analysis includes at least one of the following: precondition verification, behavioral rhythm analysis, resource access entropy calculation, and funnel deviation calculation.
Precondition verification is performed by checking whether the API call is missing a prerequisite page access or a correct Referer to determine whether it is an abnormal entry point.
Behavioral rhythm analysis is performed by calculating the coefficient of variation of the time interval between adjacent HTTP requests in the session request sequence to determine whether it conforms to mechanical rhythm characteristics. If the coefficient of variation is less than the variation threshold, it is determined to be a mechanical rhythm characteristic.
Resource access entropy calculation is performed by calculating the information entropy of the access path extracted from the session request sequence to determine whether an enumeration traversal mode exists. Specifically, path parameters and path structure are parsed from the URL path of each HTTP request. When the entropy value of the path parameter is higher than the first threshold and the entropy value of the path structure is lower than the second threshold, it is determined to be an enumeration traversal mode.
The funnel deviation is calculated by quantifying the degree of deviation between the access path extracted from the session request sequence and the predefined business standard process path using the normalized edit distance or the longest common subsequence.

[0025] In this embodiment, HTTP/HTTPS traffic entering the target network is captured in real time, and the raw traffic data is input into a multimodal temporal behavior encoder (MT-BE). This encoder is the core processing unit of the traffic semantic translator, used to convert discrete HTTP requests into structured, semantic "behavioral stories." Inside the MT-BE, data packets in the traffic are parsed to extract each HTTP request. For each HTTP request, an adaptive session fingerprint generation algorithm is used to calculate the session fingerprint of its associated session. This adaptive session fingerprint generation algorithm is specifically a weighted hash algorithm, which uses the source IP address, the entropy value of the User-Agent string, the stability of the Accept-Language field, and the TCP/IP protocol stack fingerprint (including window size, TTL value, etc.) extracted from the HTTP request as weighted features to generate a fingerprint value that uniquely identifies the session to which the request belongs. For requests initiated by mobile devices, the anonymized values of the X-Requested-With header and the advertising identifier are also extracted and included in the weighted hash calculation to ensure that even if the attacker frequently changes IP addresses, all requests from the same attack entity can still be aggregated into the same session through session fingerprint association.

[0026] Based on the generated session fingerprint, all HTTP requests with the same session fingerprint are aggregated to form a complete session request sequence. This sequence is arranged chronologically and records all access behaviors within the time window of the session. For each HTTP request in the session request sequence, its corresponding action vector is extracted. The action vector is a multi-dimensional feature vector that includes a resource type label, interaction semantic features, and a response entropy value. The resource type label identifies the type of resource accessed by the request, including static resources (such as images, CSS, and JavaScript files), API read/write interfaces (such as GET/POST operations of RESTful APIs), and login pages, etc. The interaction semantic features mainly reflect the parameter patterns of the request parameters, such as parameter names, parameter value types, and distributions. The response entropy value is calculated based on the information entropy of the response content returned by the server and is used to measure the randomness and complexity of the response data, thereby helping to identify abnormal response patterns.

[0027] After extracting the action vector for each HTTP request, the multimodal temporal behavior encoder further performs multi-dimensional quantitative feature calculations on the session request sequence, providing richer quantitative evidence for subsequent behavioral logic analysis.
First, the Markov transition probability of the session request sequence is calculated: based on the normal traffic baseline, the system pre-calculates the probability P(j|i) of transitioning from page or resource type i to j, constructing a normal behavior transition probability matrix; for the current session request sequence, each page or resource type transition is identified, for example, from resource type A to resource type B; if a transition i→k occurs, the anomaly score for that transition is calculated as log(P(k|i)); when the anomaly score of a transition exceeds the preset threshold, it indicates that the transition deviates from the normal user behavior pattern and may indicate an attack; the overall transition anomaly score of the session is the sum or average of all transition anomaly scores.
Secondly, the access entropy of key business interfaces is calculated: for the key business interfaces involved in the session request sequence (such as the order interface, payment interface, user information query interface, etc.), the frequency of occurrence p(x_i) of each parameter value x_i of the interface is calculated, and the access entropy is calculated. When the distribution entropy of interface parameter values is significantly higher than the normal baseline (e.g., parameter values exhibit high randomization), it indicates a potential parameter traversal attack. Conversely, when the entropy is significantly lower than the normal baseline (e.g., all requests use the same parameters), it may indicate a replay attack or automated script behavior.
Furthermore, a static resource loading integrity score is calculated: for each session, the total number of static resources that should be loaded (including images, CSS, JavaScript files, etc. referenced by the page) is compared with the number of static resources actually successfully loaded, and a weighted ratio is calculated as the static resource loading integrity score. An integrity score below the normal threshold may indicate that an attacker skips resource loading and directly accesses the API interface, or uses automated tools to simulate requests but does not simulate the complete resource loading process. This is one of the important characteristics distinguishing human users from automated scripts. The above quantitative feature calculation results, together with the aforementioned action vectors, constitute a multi-dimensional feature representation of session behavior.
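The three session-level quantities of paragraph [0027], as an added Python example that is not part of the patent text. The baseline matrix, probability floor, thresholds and entropy bounds are constructed values, and the transition score uses the negative logarithm, -log P(k|i), an assumption made so that rarer transitions score higher, as the threshold rule in the text requires.

```python
import math
from collections import Counter

# Constructed baseline P(j|i): probability of moving from resource type i to j
# in normal traffic. Real values would be learned from a traffic baseline.
BASELINE = {
    "home":    {"product": 0.6, "login": 0.3, "static": 0.1},
    "product": {"cart": 0.5, "product": 0.3, "home": 0.2},
    "cart":    {"order_api": 0.7, "product": 0.3},
    "login":   {"home": 0.9, "login": 0.1},
}
FLOOR = 1e-4  # assumed probability for a transition never seen in the baseline


def transition_scores(sequence, baseline=BASELINE, floor=FLOOR):
    """Return (i, k, score) per transition, with score = -log P(k|i)."""
    scores = []
    for i, k in zip(sequence, sequence[1:]):
        p = baseline.get(i, {}).get(k, floor)
        scores.append((i, k, -math.log(p)))
    return scores


def session_transition_score(sequence, threshold=3.0):
    """Average anomaly score of the session plus the transitions over threshold."""
    scores = transition_scores(sequence)
    if not scores:
        return 0.0, []
    mean = sum(s for _, _, s in scores) / len(scores)
    flagged = [(i, k) for i, k, s in scores if s > threshold]
    return mean, flagged


def shannon_entropy(values):
    """Entropy in bits of the observed parameter values."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values()) if n else 0.0


def classify_param_entropy(values, base_low, base_high):
    """Compare access entropy with an assumed normal band [base_low, base_high]."""
    h = shannon_entropy(values)
    if h > base_high:
        return h, "parameter_traversal"
    if h < base_low:
        return h, "replay_or_script"
    return h, "normal"


def static_integrity(expected, loaded, weights=None):
    """Weighted ratio of static resources actually loaded to those the page references."""
    weights = weights or {}
    total = sum(weights.get(r, 1.0) for r in expected)
    got = sum(weights.get(r, 1.0) for r in expected if r in loaded)
    return got / total if total else 1.0


if __name__ == "__main__":
    # Constructed sessions: a shopper following the funnel, and a script hitting the API.
    print(session_transition_score(["home", "product", "cart", "order_api"]))
    print(session_transition_score(["login", "order_api", "order_api", "order_api"]))
    print(classify_param_entropy([str(1000 + i) for i in range(8)], 0.5, 2.5))
    print(static_integrity(["a.css", "b.js", "c.png", "d.png"], {"a.css"},
                           {"a.css": 2.0, "b.js": 2.0}))
```

The floor matters in practice: without it an unseen transition has probability zero and the logarithm is undefined, so the score for "never observed" has to be chosen rather than computed.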

[0028] After obtaining the action vectors and the aforementioned quantified characteristics of all HTTP requests in the session request sequence, a sliding window state machine is used to perform behavioral logic analysis on the action vector sequence to uncover hidden attack behavior characteristics. Behavioral logic analysis includes at least one of the following analysis rules: precondition verification, behavioral rhythm analysis, resource access entropy calculation, and funnel deviation calculation. Precondition verification detects whether API calls lack necessary pre-access pages or whether the request header lacks a correct Referer field; if such cases exist, the request is marked as an "abnormal entry point." Behavioral rhythm analysis assesses the mechanical nature of the access rhythm by calculating the coefficient of variation (i.e., the ratio of standard deviation to mean) of the time interval between adjacent HTTP requests in the session request sequence. If the coefficient of variation is less than a preset variation threshold (e.g., 0.3), the session is determined to exhibit "mechanical rhythm characteristics," suggesting it may be driven by automated scripts. Resource access entropy calculation is used to identify enumeration traversal attacks. The system parses the path parameters and path structure from the URL path of each HTTP request, and calculates the entropy values of the path parameters and path structure respectively. If the entropy value of the path parameters is higher than the first threshold (indicating that the parameter changes are highly random), while the entropy value of the path structure is lower than the second threshold (indicating that the accessed interface structure is highly concentrated), it is determined to be an "enumeration traversal mode".
Funnel deviation calculation compares the access path sequence of the current session with the predefined standard business process path sequence, and calculates the normalized edit distance (Levenshtein distance) or the longest common subsequence ratio between the two, thereby quantifying the degree of deviation of the current session behavior from the normal business funnel.

[0029] The action vector sequence obtained from the above analysis is combined with the behavioral feature analysis results to generate a structured JSON object as a semantic description object. This JSON object contains: a list of actions arranged in chronological order, with each action corresponding to an HTTP request and its action vector; and behavioral feature annotations, namely the various abnormal features marked in the aforementioned analysis (such as abnormal entry points, mechanical rhythms, enumeration traversal patterns, deviations, etc.). This semantic description object fully characterizes the temporal behavioral sequence of the session and its contextual features, providing high-quality input data for subsequent attack intent inference using a large language model.
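The four analysis rules of [0028] and the JSON object of [0029] can be sketched as follows. This is an added example, not code from the patent: the entropy and deviation thresholds, the standard funnel, the `/api/` prefix convention, the field names and the simplified per-request action entry (which stands in for the action vector) are all assumptions; only the 0.3 variation threshold comes from the text.

```python
import json
import math
import re
from collections import Counter
from statistics import mean, pstdev

CV_THRESHOLD = 0.3          # the text's example variation threshold
PARAM_ENTROPY_MIN = 3.0     # assumed "first threshold", in bits
STRUCT_ENTROPY_MAX = 1.0    # assumed "second threshold", in bits
FUNNEL_DEVIATION_MAX = 0.5  # assumed cut-off for annotating a deviation
# Assumed standard business funnel for a shop-like site.
STANDARD_FUNNEL = ["/", "/products", "/products/{id}", "/cart", "/checkout"]
NUMERIC_SEGMENT = re.compile(r"(?<=/)\d+(?=/|$)")


def shannon_entropy(values):
    """Shannon entropy in bits of the empirical distribution of values."""
    n = len(values)
    return sum(c / n * math.log2(n / c) for c in Counter(values).values())


def split_path(path):
    """Return (path structure with numeric segments as {id}, path parameters)."""
    return NUMERIC_SEGMENT.sub("{id}", path), NUMERIC_SEGMENT.findall(path)


def edit_distance(a, b):
    """Levenshtein distance between two sequences of path structures."""
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (x != y)))
        prev = cur
    return prev[-1]


def describe_session(session_id, requests):
    """Build the semantic description object for one session's request list."""
    times = [r["ts"] for r in requests]
    gaps = [b - a for a, b in zip(times, times[1:])]
    # Coefficient of variation of inter-request gaps (population std / mean).
    cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 and mean(gaps) > 0 else None

    structures, params = [], []
    for r in requests:
        structure, found = split_path(r["path"])
        structures.append(structure)
        params.extend(found)
    h_param, h_struct = shannon_entropy(params), shannon_entropy(structures)
    deviation = edit_distance(structures, STANDARD_FUNNEL) / max(
        len(structures), len(STANDARD_FUNNEL))

    annotations = []
    # Precondition verification: an API call with no earlier page view in the
    # session, or with no Referer header, is an abnormal entry point.
    page_seen = False
    for r, structure in zip(requests, structures):
        if not structure.startswith("/api/"):
            page_seen = True
        elif not page_seen or not r.get("referer"):
            annotations.append("abnormal_entry_point")
            break
    if cv is not None and cv < CV_THRESHOLD:
        annotations.append("mechanical_rhythm")
    if h_param > PARAM_ENTROPY_MIN and h_struct < STRUCT_ENTROPY_MAX:
        annotations.append("enumeration_traversal")
    if deviation > FUNNEL_DEVIATION_MAX:
        annotations.append("funnel_deviation")

    # Chronological action list: one entry per HTTP request.
    actions = [{"t": r["ts"], "gap": g, "action": s}
               for r, g, s in zip(requests, [None] + gaps, structures)]
    return {
        "session": session_id,
        "actions": actions,
        "features": {
            "interval_cv": None if cv is None else round(cv, 3),
            "param_entropy": round(h_param, 3),
            "structure_entropy": round(h_struct, 3),
            "funnel_deviation": round(deviation, 3),
        },
        "annotations": annotations,
    }


# Constructed sample sessions (not real traffic).
BOT = [{"ts": 30.0 * i, "path": f"/api/users/{1000 + i}/profile", "referer": None}
       for i in range(20)]
HUMAN = [
    {"ts": 0.0, "path": "/", "referer": None},
    {"ts": 4.2, "path": "/products", "referer": "/"},
    {"ts": 19.0, "path": "/products/42", "referer": "/products"},
    {"ts": 26.5, "path": "/cart", "referer": "/products/42"},
    {"ts": 61.0, "path": "/checkout", "referer": "/cart"},
]

if __name__ == "__main__":
    print(json.dumps(describe_session("G", BOT)["features"], indent=2))
    print(describe_session("H", HUMAN)["annotations"])
```

The fixed-interval enumeration session collects all four annotations, while the constructed human session, which follows the funnel with irregular gaps, collects none.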

[0030] S12, the semantic description object is input into the domain-fine-tuned large language model to perform attack intent reasoning, and a threat determination result is obtained. Based on the threat determination result, a corresponding dynamic defense strategy description is generated.

[0031] Furthermore, in step S12, the step of inputting the semantic description object into a domain-fine-tuned large language model for attack intent reasoning to obtain a threat determination result, and generating a corresponding dynamic defense strategy description based on the threat determination result, includes: S12-1, the session behavior described by the semantic description object is analyzed by the large language model to determine whether it is a malicious attack, a benign crawler or normal business flow, and the threat determination result is output; S12-2, when the threat determination result is a malicious attack, the large language model identifies the tactical type used in the current attack, and generates a defense strategy that matches the current attack scenario based on the tactical type combined with the preset security principle library, real-time business context and system resource status, where the strategy parameters of the defense strategy are jointly determined by the large language model based on the real-time attack intensity, the criticality of the attacked resources and the current system load status; S12-3, the defense strategy is mapped to atomic security operation instructions through a predefined tool function library to obtain a dynamic defense strategy description including tool call instructions, wherein the tool function library corresponds one-to-one with the application programming interface of the downstream security device, and the security operation instructions include at least one of rate limiting instructions, verification code issuance instructions, and virtual patch deployment instructions.

[0032] In step S12-1, the analysis of the session behavior described by the semantic description object using a large language model includes: a pre-defined systematic prompt framework guides the large language model in performing the attack intent reasoning task. This framework includes system role definitions, business context injection, chain-of-thought requirements, and structured output format requirements. The system role definitions require the large language model to assume the responsibilities of a security analyst. Business context injection provides real-time information about the current network and business environment. The chain-of-thought requirements mandate that the large language model follow the order of pattern recognition, intent inference, and impact assessment. The structured output format requirements ensure that the output threat assessment results can be parsed.

[0033] In this embodiment, the generated semantic description object is input into a domain-fine-tuned large language model, which then infers the attack intent from the session behavior described by the semantic description object. During the inference task, a pre-defined systematic prompt framework guides the large language model's analysis process. This framework includes system role definitions, business context injection, chain-of-thought requirements, and structured output format requirements. Specifically, the system role definition explicitly requires the large language model to assume the role of a senior security analyst, analyzing from a cybersecurity perspective. Business context injection provides real-time information about the current network and business environment, such as whether it's a peak sales period, the criticality of the accessed resources, and the overall system load. The chain-of-thought requirements guide the large language model to follow the reasoning sequence of "first identify patterns, then infer intent, and finally assess impact," ensuring the logical rigor of the analysis process. The structured output format requirements ensure that the threat assessment results output by the large language model are parsable, facilitating automated processing in subsequent steps.

[0034] Guided by the prompt framework, the large language model comprehensively analyzes the temporal action list and behavioral feature annotations in the semantic description object to determine whether the current session behavior is a malicious attack, a benign crawler, or a normal business flow, and outputs the threat judgment result and corresponding reasoning basis; the threat judgment result includes a behavior category label and a confidence score. When the threat judgment result is a malicious attack, the system further triggers the large language model's tactical identification and strategy generation functions. The large language model first identifies the tactical type used in the current attack, such as API traversal attack, inventory depletion attack, slow CC attack, IP pool drift attack, etc. Based on the identified tactical type, combined with the preset security principle library, real-time business context, and system resource status, a defense strategy matching the current attack scenario is generated. The security principle library includes security operation principles such as "minimizing false positives" and "protecting core APIs"; the real-time business context includes the current business time period (such as whether it is in a flash sale) and the criticality of the attacked resource (such as core payment interface vs. ordinary query interface); the system resource status includes indicators such as current CPU load, network bandwidth usage, and number of connections. The defense strategy parameters are jointly optimized and determined by the large language model based on the real-time attack intensity, the criticality of the attacked resources, and the current system load. For example, for the same type of attack, a more aggressive rate-limiting threshold may be used when the system load is high, while during peak business periods, CAPTCHA challenges that have less impact on user experience may be prioritized.

[0035] The defense strategy is mapped to atomic security operation instructions through a predefined utility function library, ultimately resulting in a dynamic defense strategy description containing specific tool call instructions. The utility function library corresponds one-to-one with the application programming interfaces (APIs) of downstream heterogeneous security devices. The predefined utility functions include rate limiting instructions (such as apply_rate_limit), CAPTCHA issuance instructions (such as deploy_js_challenge and redirect_to_challenge), and virtual patch deployment instructions (such as deploy_virtual_patch). During the mapping process, the large language model converts the high-level description in the defense strategy (e.g., "apply CAPTCHA challenges to all sessions from ASN XXX with a behavior pattern of quickly browsing product detail pages but never loading images") into the corresponding utility function call sequence (e.g., deploy_js_challenge(segment=ASNXXX,condition=behavior_pattern)) and plans the expected verification steps (e.g., "after executing the CAPTCHA, the expected success rate of requests for this session group will drop to Y%"). The final output of the dynamic defense strategy description is in structured JSON format, which includes threat assessment results, confidence level, threat profile, and action plan containing specific tool invocation instructions. This description can be directly sent to the policy executor for compilation and distribution.

[0036] The large language model is trained on a network security instruction dataset using LoRA parameter-efficient fine-tuning. The large language model achieves temporal position adaptive encoding by introducing a behavior step encoder. The behavior step encoder injects the relative time interval between action vectors into each network layer of the model in embedded form, so that the model can perceive the time interval characteristics between HTTP requests.

[0037] In this embodiment, during the model training phase, the LoRA parameter efficient fine-tuning technique is used to fine-tune the basic large language model. LoRA technology inserts a low-rank adapter with a rank of 16 into the model's attention layer, updating only the adapter parameters while keeping the original parameters of the basic model frozen. This significantly reduces computational resource consumption while achieving model adaptation for specific tasks. The training data used for fine-tuning comes from a cybersecurity instruction dataset, which includes: historical alarm logs and traffic PCAP files (attack scripts precisely annotated by blue team experts), red team adversarial simulation data (attacker interaction records collected by a trapping system), and normal business traffic baselines (samples containing alarm rules that have been confirmed as normal human behavior). All data is anonymized and converted into an instruction fine-tuning format. Each data entry contains three fields: Instruction (analysis task description, such as "determine whether the following sessions are malicious attacks"), Input (the semantic description object to be analyzed in JSON format), and Output (the expected threat determination result and policy description in JSON format). During training, a hybrid fine-tuning strategy is adopted, mixing cybersecurity domain data with general security alignment data at a ratio of 3:1 to prevent security alignment collapse during domain adaptation and to ensure that the model has both professional cybersecurity knowledge and the ability to understand general instructions.

[0038] In terms of model network structure, to enhance the large language model's ability to perceive the time interval features between HTTP requests, a behavior step encoder is introduced on top of the standard Transformer architecture to achieve temporal position adaptive encoding. Traditional Transformer models typically only focus on the sequential position of elements in a sequence, failing to effectively perceive the actual time intervals between elements. The behavior step encoder is designed to address this issue: it converts the relative time intervals between action vectors (i.e., the time difference between adjacent HTTP requests) into high-dimensional embedding vectors and injects these embedding vectors into each network layer of the Transformer model. Specifically, before the self-attention calculation at each layer, the time interval embeddings are fused with the corresponding action vectors, allowing the model to consider both the content features of the requests and their temporal distances when calculating attention weights. Through this mechanism, the large language model can effectively distinguish between human operations and automated scripts. For example, human users typically have a cognitively consistent thought time when navigating between pages (such as waiting a few seconds after browsing a product page before clicking to buy), while automated scripts often exhibit a mechanical rhythm accurate to the millisecond level. The large language model enhanced by temporal and positional adaptive encoding can use "mechanical rhythm features" as an important basis for judging malicious behavior in subsequent attack intent inference, significantly improving the ability to identify complex attack methods such as slow CC attacks and simulated user attacks.

[0039] In another embodiment, step S12, which involves inputting the semantic description object into a domain-fine-tuned large language model for attack intent inference, further includes: receiving external context information from sources including threat intelligence platforms, asset management systems, or business monitoring systems, and inputting the external context information together with the semantic description object into the large language model for attack intent reasoning.

[0040] In this embodiment, external contextual information is introduced to enhance the decision-making accuracy of the large language model. Specifically, while inputting the semantic description object into the large language model for attack intent reasoning, multi-source contextual information from external systems is also received and input together with the semantic description object into the large language model, enabling the model to make threat judgments based on more comprehensive information.

[0041] Specifically, the system accesses external context information in real time through external knowledge integration interfaces, including: threat intelligence data from threat intelligence platforms (including a database of known malicious IP addresses, a list of malicious domains, fingerprint characteristics of attack tools, and the latest attack tactics intelligence), asset information from asset management systems (including criticality tags of accessed resources (such as core payment interfaces, user databases, and ordinary static resources), the business line to which the resource belongs, and the normal access baseline of the resource), and business context from business monitoring systems (including whether it is currently during a major promotional event, historical fluctuation patterns of business traffic, and normal response time thresholds for each business).

[0042] The aforementioned external contextual information, together with the semantic description object, constitutes the enhanced input data. This data is fed into a domain-fine-tuned large language model for inference. The inference process not only analyzes the temporal behavioral characteristics of the current session but also incorporates external intelligence to determine whether the request source IP has been marked as malicious, whether the attacked resource is a core asset, and whether the current business period is likely to become an attack target, among other multi-dimensional information. For example, when the semantic description object shows that a session is frequently accessing a user information interface, if the external asset management system marks this interface as a core sensitive interface, and the threat intelligence platform indicates that there have been recent data crawling attacks targeting this interface, the large language model will use the aforementioned external information as an important weighting factor to increase the confidence level of the threat assessment for that session. By integrating external contextual information, the attack intent inference of the large language model can overcome the limitations of relying solely on single traffic data, achieving more accurate threat identification and more reasonable strategy generation.

[0043] In another embodiment, step S12, which involves inputting the semantic description object into a domain-fine-tuned large language model for attack intent inference, further includes: A hybrid retrieval strategy is employed to retrieve historical handling cases matching the semantic description object from the strategy knowledge base. The sorted historical handling cases and the semantic description object are then input into the large language model for attack intent reasoning to assist in generating the dynamic defense strategy description. Specifically, the top K historical handling cases similar to the semantic description object are retrieved using vector similarity, and the retrieval results are re-sorted based on predefined weighting rules in the graph node relationships of the strategy knowledge base to obtain the sorted historical handling cases.

[0044] In this embodiment, a historical experience reuse mechanism based on a policy knowledge base is introduced. Specifically, a hybrid retrieval strategy is used to retrieve historical handling cases from the policy knowledge base that match the current semantic description object. These ranked historical cases, along with the current semantic description object, are then input into a large language model to assist in generating a better dynamic defense strategy description.

[0045] First, the semantic description object is vectorized by converting it into a semantic feature vector using a pre-trained embedding model. Then, a hybrid retrieval strategy is used to retrieve relevant historical handling cases from the policy knowledge base. The hybrid retrieval strategy consists of two stages: the first stage is vector similarity retrieval, which uses a vector indexing tool (such as FAISS) to retrieve the top K historical handling cases with the highest similarity to the current semantic feature vector in the policy knowledge base. These cases have a high similarity to the current session in terms of behavioral patterns. The second stage is re-ranking based on graph reasoning rules, which uses the heterogeneous graph structure stored in the policy knowledge base to perform a secondary ranking of the K cases retrieved in the first stage.

[0046] The strategy knowledge base is constructed using a heterogeneous graph. Node types in the graph include attack fingerprints (such as behavioral rhythm characteristics, resource access entropy values, access path patterns, etc.), handling strategies (such as rate limiting strategies, CAPTCHA strategies, virtual patching strategies, etc.), business contexts (such as business time periods, resource criticality), and execution effects (such as attack suppression rate, false interception rate). Relationships between nodes include applicability relationships (indicating that a certain attack fingerprint is applicable to a certain handling strategy), causal relationships (indicating that a certain strategy leads to a certain execution effect), and occurrence period relationships (indicating that a certain case occurred during a certain business time period). The graph inference rules are based on predefined weighted rules of these node relationships, such as "if the attack tactic type involved in a historical case is the same as the current attack tactic type, the weight is multiplied by 1.5," "if the historical case occurred during a flash sale and the current business is also during a flash sale, the weight is multiplied by 1.3," and "if the false interception rate in the execution effect of a historical case is low, the weight is multiplied by 1.2," etc. Based on these weighted rules, the system comprehensively scores and re-ranks the K cases retrieved in the first stage to obtain the ranked historical handling cases that best match the current scenario.
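The two retrieval stages of [0045] and the weighting rules of [0046] can be sketched as below. This is an added example, not the patent's implementation: brute-force cosine similarity stands in for the FAISS index, graph relationships are flattened into fields on each case, the case data and vectors are constructed, and the 0.01 cut-off for a "low" false interception rate is an assumption. The multipliers 1.5, 1.3 and 1.2 are the ones given in the text.

```python
import math

TACTIC_MATCH, SAME_FLASH_SALE, LOW_FALSE_INTERCEPT = 1.5, 1.3, 1.2
LOW_FALSE_INTERCEPT_RATE = 0.01  # assumed meaning of "low"


def cosine(a, b):
    """Cosine similarity of two equal-length vectors."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def top_k(query_vec, cases, k):
    """Stage 1: the K cases most similar to the current semantic feature vector."""
    scored = [(cosine(query_vec, c["vec"]), c) for c in cases]
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return scored[:k]


def rerank(candidates, context):
    """Stage 2: multiply each similarity by the weights of the rules that fire."""
    ranked = []
    for similarity, case in candidates:
        weight = 1.0
        if case["tactic"] == context["tactic"]:
            weight *= TACTIC_MATCH
        if case["flash_sale"] and context["flash_sale"]:
            weight *= SAME_FLASH_SALE
        if case["false_interception_rate"] <= LOW_FALSE_INTERCEPT_RATE:
            weight *= LOW_FALSE_INTERCEPT
        ranked.append((case["id"], round(similarity * weight, 4)))
    ranked.sort(key=lambda pair: pair[1], reverse=True)
    return ranked


def retrieve_cases(query_vec, context, cases, k=3):
    """Hybrid retrieval: vector top-K followed by rule-based re-ranking."""
    return rerank(top_k(query_vec, cases, k), context)


# Constructed knowledge-base entries and query (3-dimensional toy embeddings).
CASES = [
    {"id": "A", "vec": [0.9, 0.1, 0.0], "tactic": "slow_cc",
     "flash_sale": False, "false_interception_rate": 0.08},
    {"id": "B", "vec": [0.7, 0.6, 0.1], "tactic": "api_traversal",
     "flash_sale": True, "false_interception_rate": 0.005},
    {"id": "C", "vec": [0.8, 0.3, 0.1], "tactic": "api_traversal",
     "flash_sale": False, "false_interception_rate": 0.03},
    {"id": "D", "vec": [0.0, 0.1, 0.9], "tactic": "api_traversal",
     "flash_sale": True, "false_interception_rate": 0.0},
]
QUERY_VEC = [1.0, 0.2, 0.0]
CONTEXT = {"tactic": "api_traversal", "flash_sale": True}

if __name__ == "__main__":
    print([c["id"] for _, c in top_k(QUERY_VEC, CASES, 3)])  # similarity order
    print(retrieve_cases(QUERY_VEC, CONTEXT, CASES))          # re-ranked order
```

Case D matches every rule but never reaches stage 2 because it is not among the top K by similarity, so the choice of K bounds what re-ranking can recover.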

[0047] The sorted historical handling cases and the current semantic description object are input into the large language model. These historical cases contain complete records of handling similar attacks in the past, including the threat assessment results at the time, the generated dynamic defense strategy descriptions, and the post-execution effect evaluation data. When reasoning about the current attack, the large language model can draw on the successful experiences in historical cases, such as referring to effective strategy parameter settings in similar attack scenarios and avoiding strategy choices that led to false positives in historical cases. Through this historical experience reuse mechanism, the large language model can generate more accurate and less false positive dynamic defense strategy descriptions based on historical experience when dealing with new attacks, achieving continuous accumulation and evolution of system protection capabilities.

[0048] S13, the dynamic defense strategy description is compiled into an executable instruction sequence, and the executable instruction sequence is sent to downstream security devices to drive execution and obtain the execution result.

[0049] In this embodiment, the system inputs the generated dynamic defense strategy description to the policy automation executor. This dynamic defense strategy description is in structured JSON format, containing threat assessment results, confidence levels, threat profiles, and action plans including specific tool invocation instructions. The tool invocation instructions explicitly specify the name of the tool function to be invoked and its parameters. The policy automation executor internally maintains a predefined tool function library, which corresponds one-to-one with the application programming interfaces (APIs) of downstream heterogeneous security devices. The executor parses the tool invocation instructions in the dynamic defense strategy description, searches for the corresponding tool function in the tool function library, maps the parameters in the instructions to specific API call parameters, and compiles them into an executable instruction sequence recognizable by the target security device. For example, for a rate-limiting instruction, the executor converts it into a rate-limiting rule configuration command for the WAF device; for a CAPTCHA issuance instruction, the executor converts it into a CAPTCHA challenge configuration for the gateway device; and for a virtual patch deployment instruction, the executor converts it into access control rules for the corresponding API port.
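The parse, look-up and parameter-mapping step of the executor can be sketched with the checks a deployment would want before model output reaches a security device. This is an added example, not the patent's code: the tool names are those given in the text, while the parameter schemas, device names, JSON field names (`verdict`, `confidence`, `action_plan`), the confidence floor and the compiled instruction shape are assumptions.

```python
import re

# A path pattern: segments of word characters or a single "*" wildcard.
_PATH = re.compile(r"/(?:[A-Za-z0-9_-]+|\*)(?:/(?:[A-Za-z0-9_-]+|\*))*")


def _api_path(v):
    # Reject patterns made only of wildcards: they would patch every endpoint.
    return isinstance(v, str) and bool(_PATH.fullmatch(v)) and v.strip("/*") != ""


def _text(v):
    return isinstance(v, str) and 0 < len(v) <= 200


def _rate(v):
    return isinstance(v, int) and not isinstance(v, bool) and 1 <= v <= 10000


# tool name -> (target device, {parameter name: validator}); schemas are assumed.
TOOL_LIBRARY = {
    "deploy_virtual_patch": ("waf", {"api_path": _api_path, "condition": _text}),
    "apply_rate_limit": ("waf", {"segment": _text, "requests_per_minute": _rate}),
    "deploy_js_challenge": ("gateway", {"segment": _text, "condition": _text}),
    "alert_security_team": ("notifier", {"threat": _text}),
}
MIN_CONFIDENCE = 0.8  # assumed floor below which nothing is deployed


class PolicyRejected(ValueError):
    """Raised when a strategy description fails validation."""


def check_plan(description):
    """Return a list of validation errors; an empty list means the plan is usable."""
    errors = []
    if description.get("verdict") != "malicious_attack":
        errors.append("verdict is not malicious_attack")
    conf = description.get("confidence")
    if isinstance(conf, bool) or not isinstance(conf, (int, float)) \
            or conf < MIN_CONFIDENCE:
        errors.append("confidence missing or below floor")
    plan = description.get("action_plan")
    if not isinstance(plan, list) or not plan:
        return errors + ["action_plan missing or empty"]
    for i, call in enumerate(plan):
        tool = call.get("tool") if isinstance(call, dict) else None
        if not isinstance(tool, str) or tool not in TOOL_LIBRARY:
            errors.append(f"step {i}: unknown tool {tool!r}")
            continue
        args = call.get("args")
        if not isinstance(args, dict):
            errors.append(f"step {i}: args must be an object")
            continue
        schema = TOOL_LIBRARY[tool][1]
        for name in sorted(schema.keys() - args.keys()):
            errors.append(f"step {i}: missing parameter {name}")
        for name in sorted(args.keys() - schema.keys()):
            errors.append(f"step {i}: unexpected parameter {name}")
        for name in sorted(schema.keys() & args.keys()):
            if not schema[name](args[name]):
                errors.append(f"step {i}: invalid value for {name}")
    return errors


def compile_plan(description):
    """Compile a validated description into per-device instructions, all or nothing."""
    errors = check_plan(description)
    if errors:
        raise PolicyRejected("; ".join(errors))
    return [{"device": TOOL_LIBRARY[c["tool"]][0], "operation": c["tool"],
             "params": dict(c["args"])} for c in description["action_plan"]]


# Constructed description modelled on Example 1 of this document.
SAMPLE = {
    "verdict": "malicious_attack",
    "confidence": 0.93,
    "action_plan": [
        {"tool": "deploy_virtual_patch",
         "args": {"api_path": "/api/users/*/profile",
                  "condition": "request_rate>1/min per session AND no_referer_from_ui"}},
        {"tool": "alert_security_team", "args": {"threat": "possible data scraping"}},
    ],
}

if __name__ == "__main__":
    for instruction in compile_plan(SAMPLE):
        print(instruction)
```

Because the plan is compiled all or nothing, one unknown tool name or out-of-range parameter stops the whole description from being distributed.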

[0050] After compilation, the policy automation executor distributes the executable instruction sequence to the corresponding downstream security devices (including WAF, gateways, load balancers, etc.) through standardized interfaces (such as REST APIs and configuration management interfaces), driving the corresponding devices to execute application policies. After executing the instructions, the corresponding devices return immediate execution results (including whether the instruction execution was successful, the rule ID, and the actual effective threshold parameters). The executor receives these execution results and feeds them back to the large language model cognitive decision engine as the basis for subsequent effect evaluation and model optimization.

[0051] S14. Based on the execution results, monitor the network traffic situation and business indicators of downstream security devices after executing the strategy, and generate strategy effect evaluation data.

[0052] The strategy effectiveness evaluation data includes at least one of the following indicators: attack traffic suppression rate, false interception rate, and changes in service response time.

[0053] In this embodiment, based on the immediate execution results returned by the device (confirming successful policy deployment), the system continuously collects network traffic status and business indicator data within a preset monitoring period to achieve monitoring. Network traffic status monitoring focuses on changes in attack traffic after the policy takes effect. Specifically, it uses a traffic collection module deployed at the network ingress to statistically analyze the request volume, request success rate, and response time of the target protected object (such as a specific IP segment, specific API interface, or session group corresponding to a specific behavioral fingerprint) in real time, comparing this data with baseline data before policy execution. The attack traffic suppression rate is calculated as: Attack Traffic Suppression Rate = (Attack Request Volume Before Policy Execution - Attack Request Volume After Policy Execution) / Attack Request Volume Before Policy Execution × 100%. For example, for a virtual patch deployed against an API traversal attack, the system monitors whether the request volume of that API interface significantly decreases and calculates the actual suppression effect. Business indicator monitoring mainly focuses on whether policy execution interferes with normal business operations. This is achieved by collecting two core indicators through the business monitoring system: false interception rate and changes in business response time. The false interception rate is calculated as follows: False Interception Rate = (Number of Falsely Intercepted Normal Requests / Total Number of Normal Requests) × 100%. By comparing the success rate of normal user requests after policy implementation with the historical baseline, it is possible to identify situations where normal requests are mistakenly identified as attacks and blocked. Changes in business response time are quantified by monitoring metrics such as the average response time and 95th percentile response time of core business interfaces and comparing them with the baseline before policy implementation. For example, if a rate-limiting policy significantly increases the latency of legitimate user requests, the change in business response time will reflect this impact.

[0054] The various indicators collected during the aforementioned monitoring period are aggregated and calculated to generate structured strategy effectiveness evaluation data. This evaluation data includes one or more indicators such as attack traffic suppression rate, false interception rate, and changes in business response time. Together with the semantic description object, threat judgment result, and dynamic defense strategy description of this action, it constitutes complete end-to-end data, providing quantitative basis for subsequent large language model optimization and strategy knowledge base storage.

[0055] S15, optimize the large language model with the full-link data including the semantic description object, threat determination result, dynamic defense strategy description and strategy effect evaluation data; at the same time, store the full-link data in the strategy knowledge base.

[0056] Furthermore, in step S15, optimizing the large language model with the full-link data, including the semantic description object, threat determination result, dynamic defense strategy description, and strategy effectiveness evaluation data, includes: S15-1, using the full-link data as training samples, a Markov decision process for reinforcement learning is constructed based on the training samples, wherein the session behavior described by the semantic description object and the policy effect evaluation data corresponding to the executed dynamic defense policy description are used as states, and the next dynamic defense policy description to be generated is used as an action; S15-2, a reward function is designed to quantify the strategy effect evaluation data, wherein the reward function includes attack traffic suppression rate related reward items, false interception penalty items, and strategy response speed reward items; S15-3, using the proximal policy optimization algorithm, the parameters of the large language model are updated based on the reward function, and the optimized dynamic defense strategy description is generated when processing subsequent attacks using the large language model with updated parameters.

[0057] In this embodiment, the generated end-to-end data, including semantic description objects (describing the temporal behavior sequence and contextual features of the current session), threat determination results and dynamic defense strategy descriptions, real-time execution results, and strategy effectiveness evaluation data (including at least one or more indicators among attack traffic suppression rate, false interception rate, and changes in business response time), is used as training samples to optimize the large language model through reinforcement learning.

[0058] First, a Markov Decision Process (MDP) for reinforcement learning is constructed based on the training samples described above. In this MDP, the state is defined as the session behavior features described by the current semantic description object, and the policy effect evaluation data corresponding to the executed dynamic defense policy description (i.e., the actual effect produced after the policy is executed). The action is defined as the next dynamic defense policy description to be generated, that is, the structured policy containing specific tool invocation instructions that the system needs to output from the large language model when facing subsequent attacks.

[0059] Secondly, a reward function is designed to quantify the strategy effectiveness evaluation data. The reward function includes: a reward item related to the attack traffic suppression rate (denoted as $R_{main}$), which positively incentivizes strategies that effectively reduce the number of attack requests and is calculated as the percentage decrease in attack requests multiplied by a weighting coefficient (e.g., 0.5); a false interception penalty term (denoted as $R_{cost}$), which imposes negative penalties on policies that mistakenly block legitimate requests and is calculated as the ratio of the negative number of falsely blocked legitimate requests to the total number of legitimate requests multiplied by a penalty coefficient (e.g., -100); and a policy response speed reward item (denoted as $R_{efficiency}$), which incentivizes policies that respond quickly and take effect and is quantified based on the delay time from policy generation to effectiveness. The overall expression for the reward function is $R_{total} = R_{main} + R_{cost} + R_{efficiency}$. This function transforms the multidimensional effects of policy execution into a single reward signal, which guides the direction of model optimization.

[0060] Finally, the Proximal Policy Optimization (PPO) algorithm is used to update the parameters of the large language model based on the aforementioned reward function. The PPO algorithm collects a certain number of state-action-reward samples in each iteration, calculates the advantage function, and employs a clipping mechanism to limit the magnitude of policy updates, ensuring the stability of the training process. During the update process, only the low-rank adapter parameters inserted into the model using LoRA technology are updated, while the original parameters of the base model are kept frozen, thus achieving efficient and stable model optimization. After multiple rounds of iterative updates, the system, utilizing the parameter-updated large language model, can generate optimized dynamic defense strategy descriptions that are more accurate, produce fewer false positives, and respond faster when dealing with subsequent attacks, achieving continuous evolution of the system's protection capabilities.

[0061] The following examples illustrate this technical solution.

[0062] Example 1: Countering a slow CC attack based on API traversal. An attacker calls a large number of different API endpoints (e.g., /api/users/[1-10000]/profile) at a low rate (e.g., twice per minute) to exhaust database resources.

[0063] The multimodal temporal behavior encoder performs semantic translation on the captured real-time network traffic, generating the following semantic description object: "Session group G (IP pool from segment I) made sequential requests to the path /api/users/{id}/profile at fixed intervals of 30 seconds in the past hour, where {id} is a continuous non-repeating value. All requests were successful, but the session never accessed any front-end pages or associated resources." Behavioral rhythm analysis revealed a mechanical rhythm variation coefficient of 0.05 (far below the preset threshold of 0.3), resource access entropy close to uniform distribution (indicating enumeration traversal), and a funnel deviation as high as 0.95 (severely deviating from the normal user behavior funnel).

[0064] The large language model receives the semantic description object and, combined with a pre-defined security principle library (such as "protecting user privacy data"), infers the attack intent, determining that the behavior is a "slow API traversal attack." Subsequently, the model generates a corresponding defense strategy: "For sessions originating from ASN segment I, satisfying the condition of traversing APIs at fixed intervals and without prior page access characteristics, deploy a virtual patch and return a 403 error or fake data." This defense strategy is mapped to atomic instructions through the tool function library, `[deploy_virtual_patch(api_path="/api/users/*/profile", condition="request_rate>1/min per session AND no_referer_from_ui"), alert_security_team(threat="possible data scraping")]`, and the dynamic defense strategy description is thereby obtained.

[0065] The policy automation executor compiles the above instructions into virtual patch rules recognizable by the WAF and sends them to the WAF for execution; the execution result returns success, and the rules have taken effect. By monitoring the network traffic situation after the policy execution, it was found that abnormal requests to /api/users/*/profile decreased to 0, and no normal requests were mistakenly blocked. The attack traffic suppression rate reached 100%, the false blocking rate was 0, and the business response time did not change significantly. Policy effect evaluation data was generated.

[0066] The entire data from this incident (including semantic description objects, threat assessment results, dynamic defense strategy descriptions, execution results, and effectiveness evaluation data) was stored in the policy knowledge base as a positive case (high attack suppression rate, no business impact). This case was used for subsequent reinforcement learning fine-tuning, with a positive reward function to enable the model to generate effective strategies more quickly when facing similar attacks in the future.

[0067] Example 2: Differentiating between malicious order manipulation and genuine purchases (e-commerce flash sale scenario). In e-commerce flash sales, the behavior of genuine users and malicious bots is extremely similar, and traditional rules are prone to false positives. The system achieves accurate differentiation through the following steps.

[0068] The traffic semantic translator generates semantic description objects for two sessions. Session S1: "After the flash sale starts, visit the product page → wait 15 seconds → click the button," with a time interval variation coefficient of 0.8 (consistent with human thought processes) and low funnel deviation. Session S2: "Directly access the order API from an external link, with timestamps accurate to milliseconds," with a time interval variation coefficient of 0.02 (representing a mechanical rhythm), lacking a preceding page visit, and high funnel deviation.

[0069] The large language model, combined with the business context of the "flash sale scenario," analyzed that session S1 conformed to the human cognitive load model and was determined to be a normal user; S2 exhibited precise timing and skipped pre-step characteristics, and was determined to be a malicious bot. A defense strategy was generated: "Apply an interactive CAPTCHA challenge to session S2," mapped as `redirect_to_challenge(session_id=S2, challenge_type="interactive_puzzle")`, while allowing S1 to proceed. The strategy executor sent the instruction to the gateway device, redirecting subsequent requests from S2 to the CAPTCHA page, which executed successfully. Monitoring showed that subsequent requests from S2 were blocked and verified, and no further access to the order API was made; S1 completed the order normally, the business conversion rate was unaffected, the false interception rate was 0, and the attack traffic suppression rate reached 100%. This successful case was stored in the strategy knowledge base, and a positive reward was given in the reward function, strengthening the model's sensitivity to "behavioral rhythm + pre-conditions" in flash sale scenarios and improving the decision-making accuracy for similar scenarios in the future.
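The behavioral features quoted in Examples 1 and 2 (interval coefficient of variation, path-parameter versus path-structure entropy, funnel deviation, missing precondition), computed over constructed sessions; this is an added illustration, not the patent's implementation. The 0.3 rhythm threshold is the one quoted in Example 1; the two entropy thresholds, the entropy normalization, the LCS-based deviation formula, the standard funnels and all sample requests are assumptions.

```python
import math
import re
from collections import Counter
from statistics import mean, pstdev

CV_THRESHOLD = 0.3        # preset variation threshold quoted in Example 1
PARAM_ENTROPY_MIN = 0.9   # "first threshold" (assumed value)
STRUCT_ENTROPY_MAX = 0.1  # "second threshold" (assumed value)


def interval_cv(timestamps):
    """Coefficient of variation of the gaps between adjacent requests."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None  # too few requests to judge rhythm
    return pstdev(gaps) / mean(gaps)


def normalized_entropy(items):
    """Shannon entropy / log2(n): 1.0 = all items distinct, 0.0 = all equal."""
    n = len(items)
    if n < 2:
        return 0.0
    h = -sum(c / n * math.log2(c / n) for c in Counter(items).values())
    return max(0.0, h / math.log2(n))


def split_path(path):
    """Return (path structure with numeric ids masked, tuple of those ids)."""
    ids = tuple(re.findall(r"/(\d+)(?=/|$)", path))
    return re.sub(r"/\d+(?=/|$)", "/{id}", path), ids


def lcs_len(a, b):
    """Length of the longest common subsequence (dynamic programming)."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]


def describe_session(requests, funnel):
    """requests: [(timestamp_s, path)]; funnel: standard structures in order."""
    times = [t for t, _ in requests]
    structures, params = zip(*(split_path(p) for _, p in requests))
    cv = interval_cv(times)
    first_api = next(
        (i for i, s in enumerate(structures) if s.startswith("/api/")), None)
    return {
        "interval_cv": cv,
        "mechanical_rhythm": cv is not None and cv < CV_THRESHOLD,
        # many distinct ids on one unchanging path shape = enumeration
        "enumeration": (normalized_entropy(params) > PARAM_ENTROPY_MIN
                        and normalized_entropy(structures) < STRUCT_ENTROPY_MAX),
        # share of the standard funnel the session never walked through
        "funnel_deviation": 1 - lcs_len(list(structures), funnel) / len(funnel),
        # API call as the very first request: no page view preceded it
        "missing_precondition": first_api == 0,
    }


# Constructed sessions modelled on Examples 1 and 2 (not captured traffic).
TRAVERSAL = [(30 * i + i % 3, f"/api/users/{i + 1}/profile") for i in range(120)]
HUMAN_S1 = [(0, "/product/1001"), (2, "/static/app.js"),
            (17, "/api/order"), (19, "/order/confirm")]
BOT_S2 = [(0.5 * i, "/api/order") for i in range(6)]
PROFILE_FUNNEL = ["/", "/login", "/api/users/{id}/profile"]  # assumed flow
FLASH_FUNNEL = ["/product/{id}", "/api/order"]               # assumed flow

if __name__ == "__main__":
    for name, reqs, funnel in (("traversal", TRAVERSAL, PROFILE_FUNNEL),
                               ("S1", HUMAN_S1, FLASH_FUNNEL),
                               ("S2", BOT_S2, FLASH_FUNNEL)):
        print(name, describe_session(reqs, funnel))
```

The returned dictionary plays the role of the contextual-feature part of the semantic description object; S2 is flagged by rhythm and missing precondition alone, without tripping the enumeration test.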

[0070] Example 3: Dynamic optimization of the strategy (to address IP pool drift). Attackers employ IP pool drift tactics, expanding the IP pool to circumvent single-IP rate limiting. The system upgrades its strategy through a self-evolving feedback loop.

[0071] Initial Phase: The large language model generates a rate-limiting policy "limiting to 10 requests per minute" for the attacking IP segment A, as described in steps S11-S13 above. Monitoring reveals that the request success rate for IP segment A drops to 5% (partially effective), but the overall attack traffic does not decrease significantly. The attacker has expanded its IP pool, and the attack traffic suppression rate is only locally effective, while the global attack volume remains unchanged. The self-evolutionary feedback loop feeds the evaluation data of "the policy being locally effective but globally ineffective" back to the large language model. The model performs secondary reasoning, identifying that the attacker has adopted an "IP pool drifting" tactic, and then generates an upgraded policy: "global aggregation rate limiting based on behavioral fingerprints rather than IPs." This is specifically mapped to the tool calls `tag_and_cluster(attacker_behavior_fingerprint="X")` and `apply_global_rate_limit_on_behavior_fingerprint("X", threshold=1000/min)`. This new strategy was deployed and successfully suppressed global attack traffic. This case study (including the original strategy, effect evaluation, tactical identification, and escalation strategy) was fully stored in the strategy knowledge base. The reward function provides a positive reward based on the final global suppression effect, strengthening the model's ability to identify tactical evolution and enabling the system to self-evolve.

[0072] The three examples above fully demonstrate the effectiveness of this method in dealing with different CC attack scenarios, as well as its ability to achieve continuous optimization through a self-evolving feedback loop.

[0073] Referring to Figure 3, the diagram shown is a structural schematic of a CC attack intelligent defense device based on a large language model provided in an embodiment of the present invention.

[0074] In this embodiment, the device 20 includes: a semantic translation unit 21, used to perform semantic translation of captured real-time network traffic to generate a semantic description object that includes a temporal behavior sequence and contextual features; an attack intent unit 22, used to input the semantic description object into the domain-fine-tuned large language model to perform attack intent reasoning, obtain threat determination results, and generate corresponding dynamic defense strategy descriptions based on the threat determination results; an instruction compilation unit 23, used to compile the dynamic defense strategy description into an executable instruction sequence, and send the executable instruction sequence to downstream security devices to drive execution and obtain execution results; an execution monitoring unit 24, used to monitor the network traffic situation and service indicators of downstream security devices after the execution of the strategy based on the execution result, and generate strategy effect evaluation data; and a model optimization unit 25, used to optimize the large language model with the full-link data including the semantic description object, threat determination result, dynamic defense strategy description and strategy effect evaluation data.

[0075] Each unit module of the device 20 can execute the corresponding steps in the above method embodiment, so the details of each unit module will not be elaborated here. Please refer to the description of the corresponding steps above for details.

[0076] This invention also provides a CC attack intelligent defense device based on a large language model. The device includes the CC attack intelligent defense apparatus based on a large language model as described above. The CC attack intelligent defense apparatus based on a large language model can employ the structure of the embodiment shown in Figure 3 and, correspondingly, can execute the technical solutions of the method embodiments shown in Figure 1; the implementation principle and technical effect are similar. For details, please refer to the relevant records in the above embodiments, which will not be repeated here.

[0077] The device includes: a mobile phone, digital camera, or tablet computer, or other device with a camera function; or a device with an image processing function; or a device with an image display function. The device may include components such as a memory, processor, input unit, display unit, and power supply.

[0078] The memory can be used to store software programs and modules. The processor executes various functional applications and data processing by running the software programs and modules stored in the memory. The memory can mainly include a program storage area and a data storage area. The program storage area can store the operating system, applications required for at least one function, etc.; the data storage area can store data created according to the use of the device, etc. In addition, the memory can include high-speed random access memory, and can also include non-volatile memory, such as at least one disk storage device, flash memory device, or other volatile solid-state storage device. Accordingly, the memory can also include a memory controller to provide access to the memory for the processor and input units.

[0079] The input unit can be used to receive input numerical, character, or image information, and to generate keyboard, mouse, joystick, optical, or trackball signal inputs related to user settings and function control. Specifically, in addition to a camera, the input unit of this embodiment may also include a touch-sensitive surface (e.g., a touch screen) and other input devices.

[0080] The display unit can be used to display information input by the user or information provided to the user, as well as various graphical user interfaces of the device. These graphical user interfaces can be composed of graphics, text, icons, video, and any combination thereof. The display unit may include a display panel, optionally configured as an LCD (Liquid Crystal Display), OLED (Organic Light-Emitting Diode), or other similar display panel. Furthermore, a touch-sensitive surface may cover the display panel. When the touch-sensitive surface detects a touch operation on or near it, it transmits the information to the processor to determine the type of touch event. Subsequently, the processor provides corresponding visual output on the display panel based on the type of touch event.

[0081] This invention also provides a computer-readable storage medium, which may be a computer-readable storage medium included in the memory described in the above embodiments; or it may be a standalone computer-readable storage medium not assembled into a device. The computer-readable storage medium stores at least one instruction, which is loaded and executed by a processor to implement the intelligent defense method against CC attacks based on a large language model shown in Figure 1. The computer-readable storage medium can be a read-only memory, a hard disk, or an optical disk, etc.

[0082] This invention also provides a computer program product, including a computer program/instructions, which are loaded and executed by a processor to implement the intelligent defense method against CC attacks based on a large language model shown in Figure 1.

[0083] It should be noted that the various embodiments in this specification are described in a progressive manner, with each embodiment focusing on the differences from other embodiments. Similar or identical parts between embodiments can be referred to interchangeably. For the device embodiments, equipment embodiments, and storage medium embodiments, since they are basically similar to the method embodiments, the descriptions are relatively simple, and relevant parts can be referred to the descriptions in the method embodiments.

[0084] Furthermore, in this document, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes said element.

[0085] The foregoing description illustrates and describes preferred embodiments of the present invention. It should be understood that the present invention is not limited to the forms disclosed herein and should not be construed as excluding other embodiments. It can be used in various other combinations, modifications, and environments, and can be altered within the scope of the inventive concept by means of the foregoing teachings or techniques or knowledge in related fields. Any modifications and variations made by those skilled in the art that do not depart from the spirit and scope of the present invention should be within the protection scope of the appended claims.

Claims

1. A method for intelligent defense against CC attacks based on a large language model, characterized in that, The method includes: The captured real-time network traffic is semantically translated to generate a semantic description object that includes a temporal behavior sequence and contextual features; The semantic description object is input into a domain-fine-tuned large language model to perform attack intent reasoning, and a threat determination result is obtained. Based on the threat determination result, a corresponding dynamic defense strategy description is generated. The dynamic defense strategy description is compiled into an executable instruction sequence, and the executable instruction sequence is sent to downstream security devices to drive execution and obtain the execution result; Based on the execution results, monitor the network traffic situation and business indicators of downstream security devices after executing the strategy, and generate strategy effect evaluation data. The large language model is optimized using full-link data, including the semantic description object, threat determination results, dynamic defense strategy description, and strategy effectiveness evaluation data.

2. The intelligent defense method against CC attacks based on a large language model according to claim 1, characterized in that, The step of performing semantic translation on the captured real-time network traffic to generate a semantic description object including a temporal behavior sequence and contextual features includes: The data packets in the real-time network traffic are parsed to extract HTTP requests, and the HTTP requests are calculated using an adaptive session fingerprint generation algorithm to generate the session fingerprint of the corresponding HTTP request. Based on the session fingerprint, HTTP requests with the same session fingerprint are aggregated to obtain a session request sequence; Extract the action vector of each HTTP request in the session request sequence, wherein the action vector includes the resource type, interaction semantic features and response entropy value of the corresponding HTTP request; the resource type includes at least one of static resources, API read/write, and login page; the interaction semantic features include the parameter pattern of the request parameters; and the response entropy value is calculated based on the information entropy of the response content. The action vector is analyzed using a sliding window state machine to generate behavioral feature analysis results. The action vector is combined with the feature analysis results to generate a structured JSON object that includes a temporal behavior sequence and contextual features, and the structured JSON object is used as the semantic description object.

3. The intelligent defense method against CC attacks based on a large language model according to claim 2, characterized in that, The adaptive session fingerprint generation algorithm is a weighted hash algorithm; the step of using the adaptive session fingerprint generation algorithm to calculate the session fingerprint of the corresponding HTTP request includes: The session fingerprint is generated by calculating the source IP address, User-Agent entropy value, Accept-Language stability, and TCP/IP protocol stack fingerprint extracted from the HTTP request using a weighted hash algorithm. The HTTP request header fields include Accept-Language stability, X-Requested-With header, and anonymized value of the advertising identifier.

4. The intelligent defense method against CC attacks based on a large language model according to claim 2, characterized in that, The behavioral logic analysis includes at least one of the following: precondition verification, behavioral rhythm analysis, resource access entropy calculation, and funnel deviation calculation. Precondition validation is performed by checking whether the API call is missing a prerequisite page access or a correct Referer to determine whether it is an abnormal entry point. Behavioral rhythm analysis is performed by calculating the coefficient of variation of the time interval between adjacent HTTP requests in the session request sequence to determine whether it conforms to mechanical rhythm characteristics. If the coefficient of variation is less than the variation threshold, it is determined to be a mechanical rhythm characteristic. Resource access entropy calculation is performed by calculating the information entropy of the access path extracted from the session request sequence to determine whether an enumeration traversal mode exists. Specifically, path parameters and path structure are parsed from the URL path of each HTTP request. When the entropy value of the path parameter is higher than the first threshold and the entropy value of the path structure is lower than the second threshold, it is determined to be an enumeration traversal mode. The funnel deviation is calculated by quantifying the degree of deviation between the access path extracted from the session request sequence and the predefined business standard process path using the normalized edit distance or the longest common subsequence.

5. The intelligent defense method against CC attacks based on a large language model according to claim 1, characterized in that, The step involves inputting the semantic description object into a domain-fine-tuned large language model for attack intent reasoning to obtain a threat determination result, and generating a corresponding dynamic defense strategy description based on the threat determination result, including: The large language model is used to analyze the session behavior described by the semantic description object, determine whether the corresponding session behavior belongs to malicious attack, benign crawler or normal business flow, and output the threat determination result. When the threat determination result is a malicious attack, the large language model identifies the tactical type used in the current attack, and generates a defense strategy that matches the current attack scenario based on the tactical type combined with a preset security principle library, real-time business context and system resource status. The strategy parameters of the defense strategy are jointly determined by the large language model based on the real-time attack intensity, the criticality of the attacked resources and the current system load status. The defense strategy is mapped to atomic security operation instructions through a predefined tool function library to obtain a dynamic defense strategy description including tool call instructions. The tool function library corresponds one-to-one with the application programming interface of the downstream security device. The security operation instructions include at least one of rate limiting instructions, CAPTCHA issuance instructions, and virtual patch deployment instructions.

6. The intelligent defense method against CC attacks based on a large language model according to claim 1, characterized in that, The step of inputting the semantic description object into a domain-fine-tuned large language model for attack intent inference also includes: It receives external context information, including threat intelligence platforms, asset management systems, or business monitoring systems, and inputs the external context information and the semantic description object into a large language model for attack intent reasoning.

7. The intelligent defense method against CC attacks based on a large language model according to claim 1, characterized in that, The step of inputting the semantic description object into a domain-fine-tuned large language model for attack intent inference also includes: A hybrid retrieval strategy is employed to retrieve historical handling cases matching the semantic description object from the strategy knowledge base. The sorted historical handling cases and the semantic description object are then input into the large language model for attack intent reasoning to assist in generating the dynamic defense strategy description. Specifically, the top K historical handling cases similar to the semantic description object are retrieved using vector similarity, and the retrieval results are re-sorted based on predefined weighting rules in the graph node relationships of the strategy knowledge base to obtain the sorted historical handling cases.

8. The intelligent defense method against CC attacks based on a large language model according to claim 1, characterized in that, The optimization of the large language model using full-link data, including the semantic description object, threat determination results, dynamic defense strategy description, and strategy effectiveness evaluation data, includes: The full-link data is used as training samples, and a Markov decision process for reinforcement learning is constructed based on the training samples. The session behavior described by the semantic description object and the policy effect evaluation data corresponding to the executed dynamic defense policy description are used as states, and the next dynamic defense policy description to be generated is used as an action. The design of the reward function quantifies the strategy effectiveness evaluation data, wherein the reward function includes reward items related to attack traffic suppression rate, false interception penalty items, and strategy response speed reward items; The Proximal Policy Optimization (PPO) algorithm is used to update the parameters of the large language model based on the reward function, and the optimized dynamic defense strategy description is generated when processing subsequent attacks using the large language model with updated parameters.

9. A smart defense device against CC attacks based on a large language model, characterized in that, The device includes: The semantic translation unit is used to perform semantic translation of captured real-time network traffic, generating semantic description objects that include temporal behavior sequences and contextual features; The attack intent unit is used to input the semantic description object into a domain-fine-tuned large language model to perform attack intent reasoning, obtain threat determination results, and generate corresponding dynamic defense strategy descriptions based on the threat determination results. The instruction compilation unit is used to compile the dynamic defense strategy description into an executable instruction sequence, and to send the executable instruction sequence to downstream security devices to drive execution and obtain execution results; The execution monitoring unit is used to monitor the network traffic situation and service indicators of downstream security devices after the execution of the policy based on the execution results, and generate policy effect evaluation data. The model optimization unit is used to optimize the large language model with the full-link data, including the semantic description object, threat determination result, dynamic defense strategy description, and strategy effect evaluation data.

10. A smart defense device against CC attacks based on a large language model, characterized in that, It includes a processor, a memory, and a computer program stored in the memory, wherein when the computer program is executed by the processor, it implements the steps of a CC attack intelligent defense method based on a large language model as described in any one of claims 1 to 8.