An active network intrusion detection and defense system based on artificial intelligence

By using an AI-based proactive network intrusion detection and prevention system, dynamic and smooth switching of protocol parameters and their encryption keys is achieved, solving the problems of delayed protection actions and inherent security weaknesses in existing technologies, and improving the real-time performance and protection capabilities of network security.

CN122316701A · Pending · Publication Date: 2026-06-30 · 长沙市规划信息服务中心

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Application (China)
Current Assignee / Owner
长沙市规划信息服务中心
Filing Date
2026-03-30
Publication Date
2026-06-30

AI Technical Summary

Technical Problem

In existing cybersecurity protection systems, the output of AI detection modules has to be evaluated by humans or by upper-level systems, which delays protection actions, and the AI models lack intrinsic security protection mechanisms, leaving them an easy target for attackers.

Method used

Design an AI-based proactive network intrusion detection and defense system. Through the closed-loop linkage of threat perception unit, intelligent decision-making unit, protocol execution unit and intrinsic security protection unit, the system achieves dynamic and smooth switching of protocol parameters and their encryption keys. Combined with reinforcement learning model and intrinsic security mechanism, it ensures real-time response and protection.

Benefits of technology

It enables dynamic adjustment of protocol parameters and encryption keys without interrupting existing network connections, reducing the response gap between detection and defense, enhancing protection against adversarial samples and model tampering, and improving the real-time performance and adaptability of network security.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122316701A_ABST

Abstract

This invention belongs to the field of network security technology and discloses an artificial intelligence-based proactive network intrusion detection and prevention system, including a threat perception unit, an intelligent decision-making unit, a protocol execution unit, an intrinsic security protection unit, a security baseline policy unit, and an audit storage unit. The threat perception unit generates threat vectors based on a dual-channel neural network; the intelligent decision-making unit outputs dynamic protocol parameter combinations based on a hierarchical reinforcement learning algorithm; the protocol execution unit utilizes a resilience extension layer within the standard protocol stack to achieve seamless switching of parameters and keys without interruption through protocol resilience extension frames. The intrinsic security protection unit provides the AI model with digital watermarking and integrity verification based on device identification, and in case of anomalies, it links with the security baseline policy unit to activate a fixed high-security configuration for fallback protection. This invention achieves a closed loop from intelligent perception to millisecond-level proactive defense at the protocol layer, improving the dynamic resilience of network protocols and the intrinsic security of AI.

Description

Technical Field

[0001] This invention relates to the field of network security technology, and in particular to an artificial intelligence-based proactive network intrusion detection and prevention system.

Background Technology

[0002] With the deepening of digital transformation, cyberspace has become a crucial carrier of critical infrastructure and core businesses. Cyberattack methods are exhibiting trends towards intelligence, concealment, and dynamism, with emerging threats such as DDoS attacks, adversarial sample injection, and model theft continuously evolving, placing higher demands on the real-time performance, adaptability, and security of cybersecurity protection systems. To address these threats, artificial intelligence technology is widely applied in network intrusion detection and prevention, using algorithms such as deep learning and reinforcement learning to achieve accurate threat identification and optimized decision-making. Meanwhile, standard network security protocols such as TLS/IPsec, as the security cornerstone of network communication, bear the core responsibilities of data encryption, identity authentication, and session protection. The integrated application of these two technologies has become the mainstream development direction for network security protection.

[0003] Existing solutions typically deploy AI detection modules as "add-ons" or "bypasses," requiring secondary evaluation by manual or upper-level management systems before statically distributing alerts to the protocol stack. This results in delays of minutes or even longer for protective actions, creating a critical gap between detection and defense. Furthermore, AI models lack necessary intrinsic security mechanisms, making them vulnerable to attacks such as adversarial sample injection and model poisoning.

Summary of the Invention

[0004] The present invention aims to provide an artificial intelligence-based proactive network intrusion detection and defense system to solve the problems mentioned in the background art.

[0005] To achieve the above objectives, the present invention provides the following technical solution. An artificial intelligence-based proactive network intrusion detection and prevention system includes:

The threat perception unit integrates a first neural network model. This unit is configured to collect multi-granular features and protocol state information of network traffic and generate standardized threat vectors based on the first neural network model.

The intelligent decision-making unit integrates a second reinforcement learning model. This unit is configured to receive a threat vector from the threat perception unit and, in combination with the current protocol parameters, predefined service level agreement requirements, and historical decision performance records, output the optimal combination of protocol parameters and corresponding parameter adjustment instructions through the second reinforcement learning model.

The protocol execution unit is configured to obtain the optimal protocol parameter combination and parameter adjustment instructions from the intelligent decision unit, and generate and exchange protocol resilience extension frames; wherein the generation and exchange operations are performed in the resilience extension layer of the standard network protocol stack that works in cooperation with the communication peer, thereby realizing the dynamic and smooth switching of protocol parameters and their associated encryption key materials without interrupting the existing network connection.

The intrinsic security protection unit is configured to perform integrity protection and verification on the first neural network model and the second reinforcement learning model based on the unique identifier of the device where this system is located.

The security baseline policy unit has at least one fixed combination of encryption algorithms, key management parameters and authentication methods pre-stored.

The audit storage unit is configured to store tamper-proof audit evidence records.

The threat perception unit, intelligent decision-making unit, protocol execution unit, intrinsic security protection unit, security baseline policy unit, and audit storage unit communicate and are coupled to each other through a secure communication bus. The secure communication bus uses encrypted transmission to ensure the security of instructions and data between the units.

[0006] Preferably, the first neural network model is a dual-channel heterogeneous neural network comprising: a temporal feature extraction subunit, which integrates a temporal convolutional network to extract key temporal pattern features such as message interval time and retransmission rate; a structural feature extraction subunit, which integrates a graph attention network to analyze the state transition graph features of the protocol handshake process; and a feature fusion subunit, which uses an attention mechanism to dynamically weight and fuse the temporal pattern features and the state transition graph features into a threat vector.

[0007] Preferably, the second reinforcement learning model is constructed on a hierarchical deep deterministic policy gradient algorithm and configured as follows: it receives a state space input from the intelligent decision-making unit consisting of the threat vector, the current protocol parameter set, the service level agreement indicator set, and the historical decision performance records; it decides in a hierarchical action space consisting of a cryptographic parameter subspace, a key management strategy subspace, and an authentication enhancement subspace, where the key management strategy subspace contains parameter options for the key update cycle, key length, and forward secrecy; the decision reward is computed by a reward function that is a linear weighted sum of a threat matching reward, a performance and service level agreement compliance reward, and an exploration reward; and it outputs the optimal combination of protocol parameters together with the parameter adjustment instructions.

[0008] Preferably, the data structure of the protocol resilience extension frame includes, in sequence: a type field, a version field, a sequence number field, a flag field, an action code field, a timestamp field, a digital signature field, and a parameter data field. The flag field includes: a response confirmation bit indicating whether receiver confirmation is required, a critical change bit indicating whether the connection needs to be rebuilt, a smooth handover bit indicating whether uninterrupted connection is enabled, and a signature verification bit indicating whether a decision digital signature has been attached. The sequence number field is used to prevent frame replay attacks, the timestamp field is used to verify the freshness of the frame, and the digital signature field is used to verify the legality and integrity of the parameter adjustment command; each field of the protocol resilience extension frame is encoded according to a preset byte length to adapt to standard network protocol stack transmission.

[0009] Preferably, the protocol execution unit is configured to perform the following smooth switching process: send to the communication peer a protocol resilience extension frame carrying the new protocol configuration parameters that correspond to the optimal combination of protocol parameters, the new protocol configuration parameters including the encryption algorithm, key management strategy and authentication method information; after the digital signature in the protocol resilience extension frame has been verified, negotiate a new encryption key with the peer; enter, together with the peer, a parallel cryptographic context state in which both the old and the new encryption key are valid for the current session, so that within the switching time window newly transmitted data is encrypted with the new encryption key while received data encrypted with the old encryption key can still be decrypted; after confirming that all data encrypted with the old encryption key has been received, exchange a handover-completion confirmation with the peer; and clear the old encryption key and its associated context to complete the switch to the new encryption key.

[0010] Preferably, the intelligent decision-making unit is further configured to: generate a corresponding audit proof record for each output protocol parameter combination decision; the audit proof record includes at least the input feature summary on which the decision is based, the model version identifier used, the decision logic path identifier, the output protocol parameters, and the digital signature.

[0011] Preferably, the intelligent decision-making unit is further configured to generate a security baseline trigger command when the confidence level of the threat vector output by the threat perception unit is lower than a preset threshold; the protocol execution unit is further configured to, in response to the security baseline trigger command, obtain a fixed combination from the security baseline policy unit and perform protocol parameter switching based on that combination; the fixed combination ensures that forward secrecy is enabled during execution.

[0012] Preferably, the intrinsic security protection unit is configured as follows: during the training phase of the first neural network model or the second reinforcement learning model, a random seed is generated or obtained, and an authentication pattern-type digital watermark is generated from the device's unique identifier and the random seed and embedded into the model weights; during the operation phase, the integrity of the first neural network model and the second reinforcement learning model is verified by calculating a hash message authentication code over the model weight fragment and the device's unique identifier and comparing it with a pre-stored benchmark value, the hash message authentication code being generated with a hash algorithm based on SHA256 or the national cryptographic SM3; when integrity verification of the first neural network model or the second reinforcement learning model fails, a model security alert is generated. The intelligent decision-making unit is further configured to generate a security baseline trigger command in response to the model security alert.

[0013] Preferably, the embedding position of the digital watermark in the first neural network model or the second reinforcement learning model is dynamically calculated and determined by a key derivation function that takes the device identifier and a random seed as input, and the key derivation function adopts a hash-based key derivation algorithm.

[0014] Preferably, in the action space of the second reinforcement learning model, the cryptographic parameter subspace includes multiple symmetric encryption algorithm options; the key management strategy subspace includes multiple discrete key update cycle options, key length options, and forward secrecy enable options; the authentication enhancement subspace includes multiple authentication strength strategy options; the options of the subspaces are collaboratively filtered by the hierarchical deep deterministic policy gradient algorithm to output a combination that adapts to the current threat and business requirements.

[0015] The beneficial effects of this technical solution compared to existing technologies are as follows: (1) This technical solution sets up a closed-loop linkage architecture consisting of a threat perception unit, an intelligent decision-making unit and a protocol execution unit through a secure communication bus. This allows the optimal protocol parameter combination and adjustment instructions generated by the second reinforcement learning model through the standardized threat vector to directly drive the protocol execution unit to generate and exchange protocol resilience extension frames in the resilience extension layer of the standard network protocol stack that works in collaboration with the communication peer. This enables the dynamic and smooth switching of protocol parameters and their associated encryption key materials without interrupting the existing network connection, thus completely eliminating the response gap between detection and execution.

[0016] (2) By setting up a second reinforcement learning model based on the layered deep deterministic policy gradient algorithm and a layered action space containing cryptographic parameters, key management policies and authentication enhancement subspaces, it can collaboratively filter in the layered action space composed of cryptographic parameter subspace, key management policy subspace and authentication enhancement subspace according to the real-time threat situation, output the optimal combination of protocol parameters that adapts to the current threat and business needs, and through the smooth switching process of the protocol execution unit and the in-session key negotiation, the core security elements of the protocol are transformed from static and fixed to dynamic and variable, which increases the difficulty of analysis and exploitation by attackers.

[0017] (3) By setting up an intrinsic security protection unit as the core, integrating a digital watermark generation and verification mechanism based on the device's unique identifier and a random seed, verifiable intrinsic integrity protection is provided for the core artificial intelligence model. During the training phase, this unit generates an authentication pattern-type digital watermark based on the device's unique identifier and a random seed and embeds it into the model weights; during the runtime phase, integrity verification is performed by calculating the hash message authentication code of the model weight fragment and the device's unique identifier. Combined with the preset combination fallback function of the security baseline strategy unit, the reliability and availability of the first neural network model and the second reinforcement learning model are ensured when facing adversarial examples or tampering attacks.

[0018] (4) By incorporating a set of service level agreement indicators into the state space input of the intelligent decision-making unit and linearly weighting the threat matching degree reward and performance compliance degree reward in its reward function, it is possible to dynamically select different security level protocol parameter combinations based on real-time service performance requirements and threat levels, thereby strengthening security in high-threat scenarios and optimizing efficiency in low-risk or high-performance demand scenarios.

[0019] (5) By setting up a mechanism in which the intelligent decision-making unit generates audit proof records and the audit storage unit stores them in an anti-tampering manner, each protocol parameter adjustment decision generates an audit proof record containing input feature summary, model version, decision path, output parameters and digital signature. This record provides a reliable data foundation for security incident tracing, compliance auditing and policy optimization, and forms a positive cycle of security capability closed-loop evolution and operation and maintenance management transparency.

Attached Figure Description

[0020] Figure 1 is a system architecture diagram of the present invention; Figure 2 is a flowchart of the process of the present invention.

Detailed Implementation

The present invention will now be described in further detail with reference to the accompanying drawings and embodiments. As shown in Figures 1-2, the system is an artificial intelligence-based proactive network intrusion detection and prevention system, which mainly includes six functional units that are interconnected and coupled through a secure communication bus.

[0021] System components: Threat Perception Unit: Integrates a first neural network model. This unit is configured to collect multi-granular features and protocol state information of network traffic, and generate standardized threat vectors based on the first neural network model. The first neural network model is a dual-channel heterogeneous neural network, using a temporal convolutional network to extract key temporal pattern features, using a graph attention network to analyze protocol handshake state transition graph features, and performing feature fusion through an attention mechanism.

[0022] Intelligent Decision-Making Unit: This unit integrates a second reinforcement learning model. It is configured to receive the threat vector from the threat perception unit, combine it with current protocol parameters, predefined service level agreement requirements, and historical decision performance records to form a complete state space input, which is then provided to the second reinforcement learning model. The second reinforcement learning model performs multi-objective optimization decisions, and the intelligent decision-making unit ultimately outputs the optimal protocol parameter combination and corresponding parameter adjustment instructions. The second reinforcement learning model is constructed based on the Hierarchical Deep Deterministic Policy Gradient (H-DDPG) algorithm. The protocol parameter combination includes encryption algorithm identifiers, key management strategies, and authentication methods. This unit is also configured to generate a corresponding audit proof record for each output protocol parameter combination decision. The record includes at least the input feature summary on which the decision was based, the model version identifier used, the decision logic path identifier, the output protocol parameters, and a digital signature generated by the unit itself, ensuring the decision-making process is traceable and verifiable. Simultaneously, when the confidence level of the threat vector output by the threat perception unit is lower than a preset threshold, this unit will generate a security baseline trigger instruction, triggering the emergency protection mechanism of the security baseline policy unit.

[0023] Protocol Execution Unit: Configured to obtain the optimal combination of protocol parameters and parameter adjustment instructions from the intelligent decision unit, and generate and exchange protocol resilience extension frames in the resilience extension layer of the standard network protocol stack that works in collaboration with the communication peer, thereby realizing the dynamic and smooth switching of protocol parameters and their associated encryption key materials without interrupting the existing network connection.

[0024] The Protocol Resilience Extension (PRE) frame is a dedicated data structure designed to carry dynamically adjusted instructions. Its data fields are encoded in preset byte lengths to adapt to the transmission of standard network protocol stacks. The frame structure includes, in sequence: a type field, a version field, a sequence number field (to prevent replay attacks), a flag field (containing key flags such as response confirmation, critical changes, smooth handover, and signature verification), an action code field, a timestamp field (to verify the frame's freshness), a digital signature field (to verify the legality and integrity of the instructions), and a parameter data field (to carry specific protocol configuration information).
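As an added illustration (not code from the patent), the following Python sketches the PRE frame of [0008] and [0024]: fixed-width fields in the stated order, a signature covering the header and the parameter data, and the receiver-side replay and freshness checks. The byte widths, the type and action values, the flag bit positions and the use of HMAC-SHA256 in place of the patent's digital signature are assumptions of this example.

```python
import hashlib
import hmac
import struct
import time

# Flag bits of [0008]; the bit positions are assumed for this example.
FLAG_ACK_REQUIRED = 0x01   # response confirmation bit
FLAG_CRITICAL = 0x02       # critical change bit: connection must be rebuilt
FLAG_SMOOTH = 0x04         # smooth handover bit: uninterrupted switch enabled
FLAG_SIGNED = 0x08         # signature verification bit: signature attached

PRE_TYPE = 0x50            # assumed value of the type field
PRE_VERSION = 1
SIG_LEN = 32               # HMAC-SHA256 tag, stand-in for the digital signature field
# type(1) version(1) sequence(4) flags(1) action code(1) timestamp(8), big-endian
HEADER_FMT = ">BBIBBQ"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 16 bytes


def build_frame(key: bytes, seq: int, flags: int, action: int, params: bytes, now=None) -> bytes:
    """Encode one PRE frame; the parameter data field runs to the end of the frame."""
    ts_ms = int((time.time() if now is None else now) * 1000)
    header = struct.pack(HEADER_FMT, PRE_TYPE, PRE_VERSION, seq,
                         flags | FLAG_SIGNED, action, ts_ms)
    # The signature binds header and parameters, so neither can be altered in transit.
    sig = hmac.new(key, header + params, hashlib.sha256).digest()
    return header + sig + params


class PreReceiver:
    """Peer side: verifies signature, freshness and monotonic sequence numbers."""

    def __init__(self, key: bytes, max_skew_ms: int = 5000):
        self.key = key
        self.max_skew_ms = max_skew_ms   # assumed freshness window
        self.last_seq = -1

    def parse(self, frame: bytes, now=None) -> dict:
        if len(frame) < HEADER_LEN + SIG_LEN:
            raise ValueError("frame too short")
        header = frame[:HEADER_LEN]
        sig = frame[HEADER_LEN:HEADER_LEN + SIG_LEN]
        params = frame[HEADER_LEN + SIG_LEN:]
        ftype, ver, seq, flags, action, ts_ms = struct.unpack(HEADER_FMT, header)
        if ftype != PRE_TYPE or ver != PRE_VERSION:
            raise ValueError("unknown frame type or version")
        # An adjustment command without a signature is never acted upon.
        if not flags & FLAG_SIGNED:
            raise ValueError("unsigned adjustment command rejected")
        expected = hmac.new(self.key, header + params, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            raise ValueError("bad signature")
        # Timestamp field: reject frames outside the freshness window.
        now_ms = int((time.time() if now is None else now) * 1000)
        if abs(now_ms - ts_ms) > self.max_skew_ms:
            raise ValueError("stale frame")
        # Sequence number field: strictly increasing, so a captured frame cannot be replayed.
        if seq <= self.last_seq:
            raise ValueError("replayed frame")
        self.last_seq = seq   # state is updated only after every check passed
        return {"seq": seq, "flags": flags, "action": action,
                "timestamp_ms": ts_ms, "params": params}


def demo() -> list:
    """Accept a valid frame, then reject a replay, a tampered copy and a stale frame."""
    key = b"constructed-shared-key-for-example"   # constructed; not a real key
    rx = PreReceiver(key)
    params = b"cipher=AES-256-GCM;key_update_s=60;pfs=1;auth=mutual"   # constructed
    t0 = 1_700_000_000.0
    good = build_frame(key, seq=1, flags=FLAG_SMOOTH | FLAG_ACK_REQUIRED,
                       action=0x01, params=params, now=t0)
    results = [rx.parse(good, now=t0 + 0.1)["action"]]
    attempts = [
        (good, t0 + 0.2),                                         # same frame again: replay
        (good[:-1] + b"\x00", t0 + 0.2),                          # last parameter byte altered
        (build_frame(key, 2, 0, 0x01, params, now=t0 - 60), t0),  # signed but a minute old
    ]
    for frame, when in attempts:
        try:
            rx.parse(frame, now=when)
            results.append("accepted")
        except ValueError as err:
            results.append(str(err))
    return results
```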

[0025] The intrinsic security protection unit is configured to protect and verify the integrity of the first neural network model and the second reinforcement learning model based on the unique identifier of the device on which the system resides. During model training, this unit generates or acquires a random seed and, based on the device's unique identifier and the random seed, generates an authentication pattern-type digital watermark and embeds it into the model weights. The watermark embedding position is dynamically calculated and determined by a key derivation function with the device identifier and the random seed as input. During model execution, this unit verifies the integrity of the first and second models by calculating the cryptographic hash message authentication code of the model weight fragment and the device's unique identifier, and comparing it with a pre-stored baseline value. Simultaneously, this unit has a built-in model integrity anomaly alarm and linkage mechanism. For example, when a model integrity verification failure, a digital watermark anomaly, or a threat to the model's operating environment is detected, a corresponding alarm will be triggered according to the severity level of the anomaly. The alarm will trigger the intelligent decision-making unit to generate a security baseline trigger command, triggering the emergency protection mechanism of the security baseline policy unit.

[0026] Security Baseline Policy Unit: This unit pre-stores at least one fixed combination of encryption algorithms, key management parameters, and authentication methods. Upon receiving a security baseline trigger command from the intelligent decision unit, this unit immediately provides the pre-stored fixed high-security combination to the protocol execution unit. This fixed combination ensures that critical security functions such as forward secrecy are enabled during execution.

[0027] Audit storage unit: Configured to store tamper-proof audit logs. The logs include, but are not limited to, threat awareness logs, intelligent decision-making logs (including audit proof logs), protocol switching logs, intrinsic security alarm logs, and security baseline call logs. All audit logs include a timestamp, the operation subject, the operation content, and verification information, and are stored using a tamper-proof storage mechanism (e.g., integrity protection based on cryptographic hash chains) to ensure the integrity and reliability of the audit trail.

[0028] The resilience extension layer is an additional layer added to the standard network protocol stack to enable dynamic defense and work in conjunction with the communication peer. This layer is responsible for processing protocol resilience extension frames and executing smooth handover protocols. A protocol resilience extension frame is a data structure used to transmit protocol adjustment instructions. It contains fields such as type, version, sequence number, flags, action code, timestamp, digital signature, and parameter data. The sequence number field is used to prevent replay attacks, the timestamp field is used to verify freshness, and the digital signature field is used to verify the legality and integrity of the instructions. The protocol execution unit drives the resilience extension layer to execute the following process: sending a protocol resilience extension frame carrying new protocol configuration parameters to the peer; negotiating and generating a new encryption key with the peer based on the verified digital signature; both parties enter a parallel cryptographic context state, allowing the old and new keys to coexist; gradually transitioning to the new key within the handover time window, and finally clearing the old key to complete a seamless handover.

[0029] An audit proof record is a tamper-proof data record used to fully document the context, process, and outcome of a single intelligent decision, ensuring the traceability and verifiability of the decision.

[0030] The specific implementation process is as follows: In this embodiment, the system is deployed on the core gateway device of the enterprise network.

[0031] 1. System Initialization

After system startup, each functional unit completes self-testing and interconnection. The intrinsic security protection unit, based on the device's unique hardware identifier, executes the initialization security process of the core artificial intelligence model. Specifically, this unit generates or obtains a random seed and, based on the device identifier and the random seed, embeds a unique authentication token (i.e., a digital watermark) into the weight parameters of the first neural network model of the threat perception unit and the second reinforcement learning model of the intelligent decision-making unit using a specific algorithm. Simultaneously, it calculates and stores the cryptographic hash value of the model weights as a benchmark for subsequent integrity verification. The security baseline policy unit loads a predefined set of high-security protocol configuration combinations. The audit storage unit completes the initialization of the log storage environment.

[0032] 2. Threat Perception and Dynamic Decision-Making Process

During network operation, the threat perception unit continuously collects network traffic characteristics (such as connection frequency, packet size distribution, and protocol interaction timing) and protocol session states (such as handshake success rate and key update time) flowing through the gateway. These multi-dimensional features are input into the first neural network model for processing. The model outputs a standardized threat vector, which quantifies the potential risks currently facing the network from multiple dimensions, such as the identified attack type tendency, the confidence level of the judgment result, the rate of abnormal activity, and its impact on system resources.

[0033] The threat vector is transmitted to the intelligent decision-making unit. The intelligent decision-making unit integrates a second reinforcement learning model, constructed based on a hierarchical deep deterministic policy gradient algorithm. The decision-making unit combines the threat vector with the actual operating parameters of the current network protocol, predefined performance requirements of the service, and historical defense effectiveness records to form the state input for decision-making. The second reinforcement learning model evaluates and selects within its hierarchical action space, which includes multiple subspaces such as cryptographic parameters, key management strategies, and authentication enhancement methods. Finally, the decision-making unit outputs a set of protocol parameter combinations and adjustment instructions optimized for the current threat scenario, such as instructing the encryption algorithm to be upgraded to a higher strength, shortening the session key update cycle, or enabling a more stringent authentication method.

[0034] 3. Seamless Switching of Protocol Parameters Without Interruption

After receiving instructions from the intelligent decision-making unit, the protocol execution unit initiates a dynamic switching process. This unit operates within the standard network protocol stack that works in collaboration with the communication peer, through a newly added resilience extension layer.

[0035] First, the protocol execution unit generates a protocol resilience extension frame. This frame is a data structure specifically designed to transmit dynamic adjustment instructions. It includes fields such as type, sequence number (to prevent replay), timestamp (to keep it fresh), flags (to indicate mode switching), digital signature (to ensure validity), and a data area carrying the new protocol configuration parameters. Each field is encoded according to a preset byte length to ensure that it can be properly encapsulated and transmitted by the standard protocol stack.

[0036] Subsequently, the frame is sent to the communicating end. After verifying the validity of the digital signature in the frame, both parties generate new encryption key material through a secure negotiation mechanism based on the new key management strategy carried within the frame. Afterward, both parties enter a "parallel cryptographic context" state. In this state, the old encryption key currently in use and the newly negotiated encryption key are both valid simultaneously. The system sets a brief switching window during which newly transmitted data is encrypted using the new key, while the other end must retain the ability to decrypt previously transmitted data encrypted using the old key.

[0037] Once it is confirmed that all data encrypted with the old key has been properly received, both parties exchange a final handover confirmation message. Subsequently, both parties securely clear the old key and related cryptographic context, and the network connection is completely switched to communication using the new key and new protocol parameters. The entire handover process is completed within milliseconds, maintaining the connectivity of existing network sessions without any impact on services.
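The parallel cryptographic context of [0009] and [0036]-[0037], as an added Python example rather than the patent's own code: each endpoint sends under the new key as soon as it is negotiated, keeps accepting old-key records inside the switching window, and drops the old context only after the handover-complete confirmation. The record format (key id, nonce, ciphertext, tag) and the SHA-256 keystream with an HMAC tag are a constructed stand-in for the negotiated cipher suite, and the keys are generated locally instead of through the peer negotiation.

```python
import hashlib
import hmac
import os

NONCE_LEN = 12
TAG_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream; stands in for the negotiated symmetric cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key_id: int, key: bytes, plaintext: bytes) -> bytes:
    """Record = key id || nonce || ciphertext || tag; the key id names the context to use."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    body = bytes([key_id]) + nonce + ct
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def open_record(contexts: dict, record: bytes) -> bytes:
    """Authenticate and decrypt with whichever context the record's key id selects."""
    key_id = record[0]
    if key_id not in contexts:
        raise ValueError(f"no context for key id {key_id}")
    key = contexts[key_id]
    body, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]):
        raise ValueError("authentication failed")
    nonce, ct = body[1:1 + NONCE_LEN], body[1 + NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class ResilientSession:
    """One endpoint's key state across the smooth handover of [0009]."""

    def __init__(self, key_id: int, key: bytes):
        self.contexts = {key_id: key}   # every key currently accepted for receiving
        self.send_key_id = key_id
        self.state = "steady"

    def enter_parallel_context(self, new_key_id: int, new_key: bytes) -> None:
        """Called once the PRE frame was verified and the new key negotiated."""
        if self.state != "steady":
            raise RuntimeError("handover already in progress")
        self.contexts[new_key_id] = new_key
        self.send_key_id = new_key_id    # new transmissions use the new key at once
        self.state = "parallel"          # ...while old-key records are still decryptable

    def send(self, plaintext: bytes) -> bytes:
        return seal(self.send_key_id, self.contexts[self.send_key_id], plaintext)

    def receive(self, record: bytes) -> bytes:
        return open_record(self.contexts, record)

    def complete_handover(self) -> None:
        """After the handover-complete confirmation: clear every context but the new one."""
        if self.state != "parallel":
            raise RuntimeError("no handover in progress")
        for key_id in [k for k in self.contexts if k != self.send_key_id]:
            del self.contexts[key_id]    # a real implementation also zeroises the key memory
        self.state = "steady"


def demo() -> dict:
    """Walk both endpoints through the window; old records arriving late stay readable."""
    k_old, k_new = os.urandom(32), os.urandom(32)   # constructed; real keys come from negotiation
    alice, bob = ResilientSession(1, k_old), ResilientSession(1, k_old)
    late1 = alice.send(b"sent before the switch, still in flight")
    late2 = alice.send(b"sent before the switch, delivered after the clear")
    alice.enter_parallel_context(2, k_new)
    bob.enter_parallel_context(2, k_new)
    fresh = alice.send(b"first record under the new key")
    out = {"late_old": bob.receive(late1), "fresh_new": bob.receive(fresh),
           "send_key_id": alice.send_key_id, "parallel_keys": sorted(bob.contexts)}
    alice.complete_handover()      # both peers confirmed all old-key data was received
    bob.complete_handover()
    try:
        bob.receive(late2)
        out["old_after_clear"] = "accepted"
    except ValueError as err:
        out["old_after_clear"] = str(err)
    return out
```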

[0038] 4. Intrinsic security and emergency backup mechanism
During operation, the intrinsic security protection unit continuously monitors the integrity of the first neural network model and the second reinforcement learning model. Periodically, or when triggered, it computes cryptographic hash values of key weight segments of the models and compares them with the baseline values stored during initialization. If a significant deviation is detected, it concludes that the model may have been tampered with and immediately raises a security alert.

[0039] In addition, the system has two safety fallback trigger conditions: the first is a model anomaly alarm raised by the intrinsic security protection unit; the second is a threat vector confidence from the threat perception unit that is too low (below a preset reliability threshold). When either condition is met, the intelligent decision-making unit pauses the decision process that relies on the real-time model and generates a security baseline trigger command.

[0040] In response to this command, the protocol execution unit stops executing the real-time decision output of the intelligent decision-making unit. Instead, it retrieves a pre-stored, fixed high-security protocol configuration combination from the security baseline policy unit (this combination typically includes strong encryption algorithms, short key update cycles, and strong authentication methods, with forward secrecy enabled) and immediately drives the protocol stack to switch to this baseline configuration. This mechanism ensures that even in the extreme case where the core AI components are attacked or make inaccurate judgments, the system maintains a basic but reliable level of security.

[0041] 5. Audit and closed-loop optimization
All critical activities of the system are recorded by the audit storage unit. The intelligent decision-making unit generates an audit evidence record for each parameter adjustment decision, including a summary of the decision input, the model version used, a summary of the decision logic, the output result, and a digital signature. The verification results and alarm events of the intrinsic security protection unit, as well as the switching operation logs of the protocol execution unit, are recorded at the same time.

[0042] The above descriptions are merely embodiments of the present invention; common knowledge such as specific technical solutions and/or characteristics is not described in detail here. It should be noted that those skilled in the art can make various modifications and improvements without departing from the technical solutions of the present invention, and these should also be considered within the scope of protection of the present invention. Such modifications and improvements do not affect the effectiveness of the implementation of the present invention or the practicality of the patent. The scope of protection claimed in this application is determined by the content of its claims, and the specific embodiments described in the specification may be used to interpret the claims.

Claims

1. An artificial intelligence-based proactive network intrusion detection and prevention system, characterized in that it comprises: a threat perception unit integrating a first neural network model, configured to collect multi-granular features and protocol state information of network traffic and to generate standardized threat vectors based on the first neural network model; an intelligent decision-making unit integrating a second reinforcement learning model, configured to receive a threat vector from the threat perception unit and, in combination with the current protocol parameters, predefined service level agreement requirements, and historical decision performance records, to output the optimal combination of protocol parameters and corresponding parameter adjustment instructions through the second reinforcement learning model; a protocol execution unit configured to obtain the optimal protocol parameter combination and parameter adjustment instructions from the intelligent decision-making unit and to generate and exchange protocol resilience extension frames, wherein the generation and exchange operations are performed in a resilience extension layer of the standard network protocol stack that works in cooperation with the communication peer, thereby realizing the dynamic and smooth switching of protocol parameters and their associated encryption key material without interrupting the existing network connection; an intrinsic security protection unit configured to perform integrity protection and verification of the first neural network model and the second reinforcement learning model based on the unique identifier of the device on which the system is located; a security baseline policy unit in which at least one fixed combination of encryption algorithm, key management parameters and authentication method is pre-stored; and an audit storage unit configured to store tamper-proof audit evidence records; wherein the threat perception unit, intelligent decision-making unit, protocol execution unit, intrinsic security protection unit, security baseline policy unit, and audit storage unit are communicatively coupled to each other through a secure communication bus, and the secure communication bus uses encrypted transmission to protect the instructions and data exchanged between the units.

2. The artificial intelligence-based proactive network intrusion detection and prevention system as described in claim 1, characterized in that the first neural network model is a dual-channel heterogeneous neural network, including: a temporal feature extraction subunit integrating a temporal convolutional network to extract key temporal pattern features such as message interval time and retransmission rate; a structural feature extraction subunit integrating a graph attention network to analyze the state transition graph features of the protocol handshake process; and a feature fusion subunit that uses an attention mechanism to dynamically weight and fuse the temporal pattern features and the state transition graph features to generate the threat vector.

3. The artificial intelligence-based proactive network intrusion detection and prevention system as described in claim 1, characterized in that the second reinforcement learning model is constructed on a hierarchical deep deterministic policy gradient algorithm and configured as follows: it receives the state space input of the intelligent decision-making unit, which includes the threat vector, the current protocol parameter set, the service level agreement indicator set, and the historical decision performance records; decisions are made in a hierarchical action space consisting of a cryptographic parameter subspace, a key management policy subspace, and an authentication enhancement subspace, where the key management policy subspace includes parameter options for the key update cycle, key length, and forward secrecy; the decision reward is calculated by a reward function based on a linear weighted sum of a threat matching reward, a performance and service level agreement compliance reward, and an exploration reward; and the optimal combination of protocol parameters and the parameter adjustment instructions are output.

4. The artificial intelligence-based proactive network intrusion detection and prevention system as described in claim 1, characterized in that the data structure of the protocol resilience extension frame includes, in sequence: a type field, a version field, a sequence number field, a flag field, an action code field, a timestamp field, a digital signature field, and a parameter data field; the flag field includes a response confirmation bit indicating whether receiver confirmation is required, a critical change bit indicating whether the connection needs to be rebuilt, a smooth handover bit indicating whether uninterrupted switching is enabled, and a signature verification bit indicating whether a decision digital signature is attached; the sequence number field is used to prevent frame replay attacks, the timestamp field is used to verify the freshness of the frame, and the digital signature field is used to verify the legitimacy and integrity of the parameter adjustment command; and each field of the protocol resilience extension frame is encoded with a preset byte length to suit transmission by the standard network protocol stack.
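The frame of paragraph [0035] and claim 4 fixes the field order but not the byte widths or the meaning of each flag bit. The following encoder and verifier is an added example, not code from the patent: the field widths, the bit assignments inside the flag field, the freshness window, and the use of an HMAC-SHA256 tag in place of the decision digital signature are all assumptions (a deployment would use an asymmetric signature so that the peer cannot forge a frame). The verifier checks the signature first, then freshness, then the replay order, and rejects the frame before any parameter is acted on.

```python
"""Encoder and verifier for the protocol resilience extension frame of claim 4.

Added example, not the patent's own code. Assumptions: the fixed field widths,
the bit positions inside the flag field, and an HMAC-SHA256 tag standing in for
the decision digital signature.
"""
import hashlib
import hmac
import struct
import time

# Flag field bits, named after claim 4 (bit assignment is an assumption)
FLAG_ACK_REQUIRED = 0x01     # response confirmation bit
FLAG_CRITICAL_CHANGE = 0x02  # critical change bit: connection must be rebuilt
FLAG_SMOOTH_HANDOVER = 0x04  # smooth handover bit: switch without interruption
FLAG_SIGNED = 0x08           # signature verification bit: signature attached

# Header layout: type(1) version(1) sequence(4) flags(1) action(1) timestamp(8)
HEADER = struct.Struct("!BBIBBQ")
SIG_LEN = 32                 # HMAC-SHA256 digest
FRESHNESS_SECONDS = 5        # accepted clock skew for the timestamp check (assumption)


def build_frame(key, seq, flags, action, params, frame_type=1, version=1, now=None):
    """Serialise a frame; the signature covers the header and the parameter area."""
    ts = int(time.time() if now is None else now)
    header = HEADER.pack(frame_type, version, seq, flags | FLAG_SIGNED, action, ts)
    body = struct.pack("!H", len(params)) + params
    sig = hmac.new(key, header + body, hashlib.sha256).digest()
    return header + sig + body


class ReplayGuard:
    """Per-peer record of the highest sequence number already accepted."""

    def __init__(self):
        self.last_seq = -1


def parse_frame(key, frame, guard, now=None):
    """Verify signature, freshness and replay order; return (fields, params).

    Raises ValueError on any failure, before the parameters are acted on.
    """
    if len(frame) < HEADER.size + SIG_LEN + 2:
        raise ValueError("truncated frame")
    header = frame[:HEADER.size]
    sig = frame[HEADER.size:HEADER.size + SIG_LEN]
    body = frame[HEADER.size + SIG_LEN:]
    frame_type, version, seq, flags, action, ts = HEADER.unpack(header)
    if not flags & FLAG_SIGNED:
        raise ValueError("signature verification bit not set")
    expected = hmac.new(key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("signature check failed")
    (plen,) = struct.unpack("!H", body[:2])
    params = body[2:2 + plen]
    if len(params) != plen:
        raise ValueError("parameter length mismatch")
    t = int(time.time() if now is None else now)
    if abs(t - ts) > FRESHNESS_SECONDS:
        raise ValueError("stale frame")
    if seq <= guard.last_seq:
        raise ValueError("replayed frame")
    guard.last_seq = seq
    fields = {"type": frame_type, "version": version, "seq": seq,
              "flags": flags, "action": action, "timestamp": ts}
    return fields, params
```

The replay guard is kept per peer and only advances after the signature has been verified, so an attacker who cannot forge the signature also cannot burn sequence numbers by injecting garbage.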

5. The artificial intelligence-based proactive network intrusion detection and prevention system as described in claim 1, characterized in that the protocol execution unit is configured to perform the following smooth switching process: send to the communication peer a protocol resilience extension frame carrying the new protocol configuration parameters corresponding to the optimal combination of protocol parameters, the new protocol configuration parameters including the encryption algorithm, key management policy and authentication method; after the digital signature in the protocol resilience extension frame has been verified, negotiate with the peer to generate a new encryption key; together with the peer, enter a parallel cryptographic context state in which both the old and the new encryption keys are valid for the current session; within the switching time window, encrypt newly transmitted data with the new encryption key while retaining the ability to decrypt received data encrypted with the old encryption key; after confirming that all data encrypted with the old encryption key has been received, exchange a handover completion confirmation with the peer; and clear the old encryption key and its associated context to switch fully to the new encryption key.
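The parallel cryptographic context of paragraphs [0036] and [0037] and claim 5 is a small state machine: each record names the key it was protected with, the receiver dispatches on that key id, and the old key is wiped only after the handover confirmation. The example below is added here and is not the patent's code. The negotiated cipher is replaced by a constructed keystream-plus-HMAC record format so that the example runs with the Python standard library alone; the record layout, key ids and zeroisation are assumptions, and the point demonstrated is the rollover state, not the cipher.

```python
"""Parallel cryptographic context for uninterrupted key switching
(paragraphs [0036] and [0037], claim 5).

Added example, not the patent's code. The record format (HMAC-SHA256
keystream plus HMAC tag) is a constructed stand-in for the negotiated cipher.
"""
import hashlib
import hmac
import os

NONCE_LEN = 12
TAG_LEN = 16


def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (toy construction)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, key_id, plaintext):
    """Record layout: key_id(1) nonce(12) ciphertext tag(16)."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, bytes([key_id]) + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return bytes([key_id]) + nonce + ct + tag


def open_record(key, record):
    key_id, nonce = record[0], record[1:1 + NONCE_LEN]
    ct, tag = record[1 + NONCE_LEN:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(key, bytes([key_id]) + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Endpoint:
    """One side of the session; both peers run the same state transitions."""

    def __init__(self, initial_key):
        self.keys = {0: bytearray(initial_key)}  # key_id -> key material
        self.send_id = 0                         # key used for new outbound data
        self.in_parallel = False                 # inside the switching window?

    def start_parallel_context(self, new_key):
        """Enter the window: old and new keys both valid, new data uses the new key."""
        if self.in_parallel:
            raise RuntimeError("previous handover not yet confirmed")
        new_id = (self.send_id + 1) % 256
        self.keys[new_id] = bytearray(new_key)
        self.send_id = new_id
        self.in_parallel = True

    def send(self, plaintext):
        return seal(self.keys[self.send_id], self.send_id, plaintext)

    def receive(self, record):
        """Dispatch on the key id so in-flight old-key data still decrypts."""
        key = self.keys.get(record[0])
        if key is None:
            raise ValueError("record uses an unknown or retired key")
        return open_record(key, record)

    def confirm_handover(self):
        """After the handover confirmation: wipe every key except the current one."""
        for key_id in [k for k in self.keys if k != self.send_id]:
            material = self.keys.pop(key_id)
            for i in range(len(material)):
                material[i] = 0          # best-effort zeroisation of the old key
        self.in_parallel = False
```

Because the key id travels inside the authenticated part of the record, a peer cannot be tricked into using the retired key after `confirm_handover`: the lookup simply fails and the record is dropped.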

6. The artificial intelligence-based proactive network intrusion detection and prevention system as described in claim 1, characterized in that the intelligent decision-making unit is further configured to generate a corresponding audit evidence record for each output combination of protocol parameters; the audit evidence record includes at least a summary of the input features on which the decision is based, the identifier of the model version used, the identifier of the decision logic path, the output protocol parameters, and a digital signature.

7. The artificial intelligence-based proactive network intrusion detection and prevention system as described in claim 1, characterized in that the intelligent decision-making unit is further configured to generate a security baseline trigger command when the confidence level of the threat vector output by the threat perception unit is lower than a preset threshold; and the protocol execution unit is further configured, in response to the security baseline trigger command, to obtain a fixed combination from the security baseline policy unit and to perform the protocol parameter switch based on that combination, the fixed combination ensuring that forward secrecy is enabled during execution.
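Paragraphs [0039] to [0041] and claims 6 and 7 describe two mechanisms that belong together: the dual fallback trigger (model alarm or low confidence selects the fixed baseline) and the signed audit evidence record produced for every decision. The example below is added here and is not the patent's code. The confidence threshold, the contents of the fixed baseline combination, and the HMAC-SHA256 tag standing in for the record's digital signature are assumptions; records are additionally chained by hash so that removing or altering one is detected when the log is verified.

```python
"""Intelligent decision-making unit with dual fallback triggers and signed,
hash-chained audit evidence (paragraphs [0039] to [0041], claims 6 and 7).

Added example, not the patent's code. Threshold, baseline values and the HMAC
"signature" are assumptions.
"""
import hashlib
import hmac
import json

CONFIDENCE_THRESHOLD = 0.6  # preset reliability threshold (assumption)

# Fixed high-security combination held by the security baseline policy unit (constructed values)
SECURITY_BASELINE = {
    "cipher": "AES-256-GCM",
    "key_bits": 256,
    "key_update_seconds": 60,   # short key update cycle
    "forward_secrecy": True,
    "auth": "mutual-certificate",
}


def baseline_is_valid(cfg):
    """The baseline must enable forward secrecy before it may be applied (claim 7)."""
    return cfg.get("forward_secrecy") is True and cfg.get("key_bits", 0) >= 256


def decide(model_output, confidence, model_alarm, threshold=CONFIDENCE_THRESHOLD):
    """Return (configuration to apply, logic path identifier).

    Either trigger pauses the model-driven decision and selects the baseline.
    """
    if model_alarm:
        path = "baseline/model-alarm"
    elif confidence < threshold:
        path = "baseline/low-confidence"
    else:
        return model_output, "model/rl-policy"
    if not baseline_is_valid(SECURITY_BASELINE):
        raise RuntimeError("security baseline fails its own policy check")
    return dict(SECURITY_BASELINE), path


def _digest(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Audit storage unit: one signed record per decision, hash-chained."""

    def __init__(self, signing_key):
        self.key = signing_key
        self.records = []

    def append(self, decision_input, model_version, logic_path, output, timestamp):
        prev = self.records[-1]["signature"] if self.records else "genesis"
        rec = {
            "input_digest": _digest(decision_input),   # summary of the decision input
            "model_version": model_version,
            "logic_path": logic_path,
            "output": output,
            "timestamp": timestamp,
            "prev": prev,                              # links to the previous record
        }
        rec["signature"] = hmac.new(self.key, _digest(rec).encode(), hashlib.sha256).hexdigest()
        self.records.append(rec)
        return rec

    def verify(self):
        """True when every signature checks and the chain is unbroken."""
        prev = "genesis"
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "signature"}
            expected = hmac.new(self.key, _digest(body).encode(), hashlib.sha256).hexdigest()
            if rec["prev"] != prev or not hmac.compare_digest(rec["signature"], expected):
                return False
            prev = rec["signature"]
        return True


def run_cycle(log, threat_vector, confidence, model_alarm, model_output, model_version, timestamp):
    """One detect-decide-audit cycle; returns the configuration applied."""
    cfg, path = decide(model_output, confidence, model_alarm)
    log.append({"threat_vector": threat_vector, "confidence": confidence,
                "model_alarm": model_alarm}, model_version, path, cfg, timestamp)
    return cfg
```

The logic path identifier records why the baseline was chosen, which is what an analyst reviewing a sudden switch to the fixed configuration needs first.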

8. The artificial intelligence-based proactive network intrusion detection and prevention system as described in claim 7, characterized in that the intrinsic security protection unit is configured as follows: during the training phase of the first neural network model or the second reinforcement learning model, a random seed is generated or obtained, and an authentication-pattern digital watermark is generated from the device's unique identifier and the random seed and embedded into the model weights; during the operation phase, the integrity of the first neural network model and the second reinforcement learning model is verified by calculating a hash-based message authentication code over a model weight fragment and the device's unique identifier and comparing it with the pre-stored baseline value, the hash-based message authentication code being generated with a hash algorithm based on SHA-256 or the national cryptographic standard SM3; when integrity verification of the first neural network model or the second reinforcement learning model fails, a model security alarm is generated; and the intelligent decision-making unit is further configured to generate a security baseline trigger command in response to the model security alarm.

9. The artificial intelligence-based proactive network intrusion detection and prevention system as described in claim 8, characterized in that the embedding position of the digital watermark in the first neural network model or the second reinforcement learning model is dynamically calculated by a key derivation function that takes the device identifier and the random seed as input, the key derivation function being a hash-based key derivation algorithm.
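Paragraph [0038] and claims 8 and 9 together specify three operations: deriving the watermark positions from the device identifier and seed with a hash-based KDF, embedding and checking the watermark, and computing a device-bound HMAC over weight fragments that is compared with a baseline stored at initialisation. The example below is added here and is not the patent's code. The weights are a constructed float list, fragments are (start, end) index ranges, HKDF-SHA256 (RFC 5869) is written out with the standard library, and the watermark encodes one pattern bit per position in the sign of the weight, a constructed scheme chosen for illustration. Only SHA-256 is shown, since SM3 is not in the Python standard library.

```python
"""Model integrity verification with device-bound HMAC and watermark positions
derived by HKDF (paragraph [0038], claims 8 and 9).

Added example, not the patent's code. Weights, fragments and the sign-based
watermark scheme are constructed for illustration.
"""
import hashlib
import hmac
import struct


def hkdf_sha256(ikm, salt, info, length):
    """RFC 5869 extract-then-expand with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def watermark_positions(device_id, seed, n_weights, count):
    """Distinct weight indices chosen by the KDF output (claim 9)."""
    if count > n_weights:
        raise ValueError("more watermark positions than weights")
    positions = []
    round_no = 0
    while len(positions) < count:
        okm = hkdf_sha256(device_id + seed, b"model-watermark",
                          b"positions" + bytes([round_no]), 4 * count)
        for i in range(0, len(okm), 4):
            p = int.from_bytes(okm[i:i + 4], "big") % n_weights
            if p not in positions:
                positions.append(p)
            if len(positions) == count:
                break
        round_no += 1
    return positions


def _pattern_bits(device_id, seed, count):
    """Authentication pattern: one bit per position, also derived from id and seed."""
    raw = hkdf_sha256(device_id + seed, b"model-watermark", b"pattern", (count + 7) // 8)
    return [(raw[i // 8] >> (i % 8)) & 1 for i in range(count)]


def embed_watermark(weights, device_id, seed, count):
    """Copy of the weights whose signs at the chosen positions carry the pattern."""
    out = list(weights)
    for pos, bit in zip(watermark_positions(device_id, seed, len(weights), count),
                        _pattern_bits(device_id, seed, count)):
        out[pos] = abs(out[pos]) if bit else -abs(out[pos])
    return out


def check_watermark(weights, device_id, seed, count):
    return all((weights[pos] >= 0) == bool(bit)
               for pos, bit in zip(watermark_positions(device_id, seed, len(weights), count),
                                   _pattern_bits(device_id, seed, count)))


def fragment_tag(weights, fragment, device_id, key):
    """HMAC over (device id, fragment bounds, fragment weights) as in claim 8."""
    start, end = fragment
    data = struct.pack("!%dd" % (end - start), *weights[start:end])
    return hmac.new(key, device_id + struct.pack("!II", start, end) + data, hashlib.sha256).digest()


def compute_baseline(weights, fragments, device_id, key):
    """Baseline values stored during the initialisation phase."""
    return {f: fragment_tag(weights, f, device_id, key) for f in fragments}


def verify_integrity(weights, baseline, device_id, key):
    """List of fragments whose tag no longer matches (empty means intact)."""
    return [f for f, tag in baseline.items()
            if not hmac.compare_digest(tag, fragment_tag(weights, f, device_id, key))]
```

Binding the device identifier into the HMAC input means a model copied to another machine fails verification on every fragment even when its weights are untouched, which is the device-binding property claim 1 asks of the intrinsic security protection unit.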

10. The artificial intelligence-based proactive network intrusion detection and prevention system as described in claim 3, characterized in that, in the action space of the second reinforcement learning model, the cryptographic parameter subspace includes multiple symmetric encryption algorithm options; the key management policy subspace includes multiple discrete key update cycle options, key length options, and forward secrecy enable options; the authentication enhancement subspace includes multiple authentication strength policy options; and the options of the subspaces are jointly filtered by the hierarchical deep deterministic policy gradient algorithm to output a combination adapted to the current threat and business needs.