A network intrusion detection method and apparatus
By constructing a multi-layer network model and combining feature analysis, time series analysis, and detection analysis, the computational efficiency and defense mechanism problems of existing network intrusion detection systems under multi-scale threats are solved. This enables accurate detection and automated defense against encrypted traffic and sudden attacks, thereby improving the security of industrial networks.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- 南宁桂电电子科技研究院有限公司
- Filing Date
- 2026-04-10
- Publication Date
- 2026-07-03
AI Technical Summary
Existing network intrusion detection systems suffer from several problems when facing multi-scale network threats. These include the inability of a single-stream architecture to be compatible with multi-scale features, the excessive computational cost of hybrid expert models, and the lack of proactive closed-loop defense mechanisms. As a result, they are unable to effectively cope with encrypted traffic and sudden attacks.
By constructing a training model that combines feature analysis networks, temporal analysis networks, and detection analysis networks, and utilizing edge-enhanced attention mechanisms and temporal analysis techniques, multi-scale features of network traffic are captured. The model is then optimized using a loss function to achieve a security closed loop from accurate detection to coordinated defense.
It solves the temporal and spatial scale dilemma of encrypted traffic and sudden attacks, enhances the ability to integrate topology and traffic, significantly improves computing efficiency and anti-evasion capabilities, realizes automated closed-loop defense from detection to blocking, and improves the overall security of industrial network environments.
Smart Images

Figure CN122339770A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of network detection technology, specifically to a network intrusion detection method and apparatus. Background Technology
[0002] With the widespread adoption of network encryption technology and the increasing complexity of network attack methods, existing network intrusion detection systems (IDS) are facing a serious "spatio-temporal scale dilemma." Current network threats present two distinct extremes: on the one hand, there are distributed denial-of-service (DDoS) attacks with macroscopic complexity, which typically exhibit strong burstiness in local topologies; on the other hand, there are encrypted command and control (C2) channels with microscopic stealth, where traffic is extremely covert in topology but exhibits specific periodic global patterns over long time series.
[0003] Traditional network intrusion detection methods mainly suffer from the following technical bottlenecks: I. Single-stream architectures cannot accommodate multi-scale features. Existing sequence models (such as Transformer and Mamba) are good at capturing long-range dependencies, but they usually treat network flows as isolated time series, ignoring the key graph topology of interactions between IP nodes; while traditional graph neural networks tend to dilute edge features during the aggregation process.
[0004] Second, the computational cost of the hybrid expert model (MoE) used to cope with variable traffic is too high. The heavy multi-expert routing introduces huge computational overhead, which simply cannot meet the real-time deployment requirements of a 100Gbps high-speed network operation center.
[0005] Third, there is a lack of proactive closed-loop defense mechanisms for detection results. Most existing technical solutions only stay at the stage of "identifying anomalies" and lack the ability to work with existing network infrastructure (such as firewalls and SDN controllers), resulting in a disconnect between detection and blocking, and failing to effectively contain security threats during the golden window of opportunity when attacks occur. Summary of the Invention
[0006] The technical problem to be solved by the present invention is to provide a network intrusion detection method and apparatus to address the shortcomings of the prior art.
[0007] The technical solution of the present invention to solve the above-mentioned technical problems is as follows: A network intrusion detection method, comprising the following steps: Import multiple raw network traffic data sets and combine all the raw network traffic data sets to obtain the raw network traffic dataset; A training model is constructed, and the training model is analyzed using the original network traffic dataset to obtain a network intrusion detection model. Import the network traffic data to be detected, and use the network intrusion detection model to detect the network traffic data to obtain the network intrusion detection result.
[0008] Another technical solution of the present invention to solve the above-mentioned technical problems is as follows: A network intrusion detection device, comprising: The import module is used to import multiple raw network traffic data sets; The collection module is used to collect all the original network traffic data to obtain the original network traffic dataset. The model analysis module is used to build a training model and perform model analysis on the training model using the original network traffic dataset to obtain a network intrusion detection model. The import module is also used to import network traffic data to be detected; The detection result acquisition module is used to detect the network traffic data to be detected through the network intrusion detection model and obtain the network intrusion detection result.
[0009] Based on the above-mentioned network intrusion detection method, the present invention also provides a network intrusion detection system.
[0010] Another technical solution of the present invention to solve the above-mentioned technical problems is as follows: a network intrusion detection system, including a memory, a processor, and a computer program stored in the memory and executable on the processor. When the processor executes the computer program, it implements the network intrusion detection method as described above.
[0011] Based on the above-described network intrusion detection method, the present invention also provides a computer-readable storage medium.
[0012] Another technical solution of the present invention to solve the above-mentioned technical problems is as follows: a computer-readable storage medium storing a computer program, which, when executed by a processor, implements the network intrusion detection method as described above.
[0013] The beneficial effects of this invention are as follows: By importing raw network traffic data and aggregating the raw network traffic data to obtain a raw network traffic dataset, a training model is constructed. The network intrusion detection model is obtained through model analysis of the training model using the raw network traffic dataset. The network intrusion detection result is obtained by importing the network traffic data to be detected and detecting the network traffic data to be detected through the network intrusion detection model. This not only solves the temporal and spatial scale dilemma of encrypted traffic and sudden attacks, but also forms a complete security closed loop from accurate detection to coordinated defense. It gets rid of the limitation of traditional models being used only for monitoring, enhances the ability to integrate topology and traffic, significantly improves computational efficiency and anti-evasion capabilities, effectively resists attackers' escape attacks based on time obfuscation, and effectively improves the overall security in industrial network environments. Attached Figure Description
[0014] Figure 1 This is a flowchart illustrating the network intrusion detection method provided in an embodiment of the present invention; Figure 2 This is a schematic diagram of the training model structure of the network intrusion detection method provided in an embodiment of the present invention; Figure 3 A schematic diagram of the timing analysis process of the network intrusion detection method provided in the embodiments of the present invention; Figure 4 This is a schematic diagram of the loss function analysis process of the network intrusion detection method provided in the embodiments of the present invention; Figure 5 This is a block diagram of a network intrusion detection device provided in an embodiment of the present invention. Detailed Implementation
[0015] The principles and features of the present invention are described below with reference to the accompanying drawings. The examples given are only for explaining the present invention and are not intended to limit the scope of the present invention.
[0016] Figure 1 This is a flowchart illustrating a network intrusion detection method provided in an embodiment of the present invention.
[0017] like Figure 1 As shown, a network intrusion detection method includes the following steps: S1: Import multiple raw network traffic data sets and combine all the raw network traffic data sets to obtain the raw network traffic dataset; S2: Construct a training model, and perform model analysis on the training model using the original network traffic dataset to obtain a network intrusion detection model; S3: Import the network traffic data to be detected, and use the network intrusion detection model to detect the network traffic data to obtain the network intrusion detection result.
[0018] It should be understood that the raw network traffic dataset may be NetFlow / IPFIX flow logs exported via PCAP packet capture or network devices.
[0019] In the above embodiments, by importing raw network traffic data and aggregating the raw network traffic data to obtain a raw network traffic dataset, a training model is constructed. The network intrusion detection model is obtained by analyzing the training model using the raw network traffic dataset. The network traffic data to be detected is imported, and the network intrusion detection result is obtained by detecting the network traffic data to be detected using the network intrusion detection model. This not only solves the temporal and spatial scale dilemma of encrypted traffic and sudden attacks, but also forms a complete security closed loop from accurate detection to coordinated defense. It gets rid of the limitation of traditional models being used only for monitoring, enhances the ability to integrate topology and traffic, significantly improves computational efficiency and anti-evasion capabilities, effectively resists attackers' escape attacks based on time obfuscation, and effectively improves the overall security in industrial network environments.
[0020] Optionally, as an embodiment of the present invention, such as Figure 2 As shown, the training model includes a feature analysis network, a temporal analysis network, and a detection analysis network; The process of performing model analysis on the trained model using the original network traffic dataset to obtain the network intrusion detection model includes: The original network traffic dataset is sliced according to a preset time window to obtain multiple network traffic time slices, and a graph snapshot sequence is constructed from all the network traffic time slices. The feature analysis network is used to perform feature analysis on the graph snapshot sequence to obtain the target node features corresponding to each node and multiple target edge features corresponding to each node. The target temporal feature matrix is obtained by performing temporal analysis on the features of all the target nodes through the temporal analysis network. The detection and analysis network is used to detect and analyze the target temporal feature matrix and all target edge features to obtain a first set of predicted probability labels. The target loss function is obtained by performing loss function analysis on the first predicted probability label set and all the target edge features; The parameters of the trained model are updated according to the target loss function to obtain the network intrusion detection model.
[0021] It should be understood that the original network traffic dataset is divided into discrete time slices according to a preset time window (e.g., every 1 minute) to construct a time-ordered sequence of graph snapshots G = {G1,...,GT} (i.e., the graph snapshot sequence).
[0022] In the above embodiments, the network intrusion detection model is obtained by analyzing the training model using the original network traffic dataset. This not only solves the temporal and spatial scale dilemma of encrypted traffic and sudden attacks, but also forms a complete security closed loop from accurate detection to coordinated defense. It breaks away from the limitation of traditional models being used only for monitoring, enhances the ability to integrate topology and traffic, significantly improves computational efficiency and anti-evasion capabilities, effectively resists attackers' escape attacks based on time obfuscation, and effectively improves the overall security in industrial network environments.
[0023] Optionally, as an embodiment of the present invention, the feature analysis network includes an edge-enhanced attention mechanism layer and a first MLP multilayer perceptron. The process of performing feature analysis on the graph snapshot sequence through the feature analysis network to obtain target node features corresponding to each node and multiple target edge features corresponding to each node includes: Graph structure analysis is performed on the graph snapshot sequence to obtain the original node features corresponding to each node and multiple edge features to be processed corresponding to each node; The edge-enhanced attention mechanism layer performs aggregation analysis on the original node features and the multiple edge features to be processed corresponding to each node to obtain the target node features corresponding to each node. The features of each target node and the multiple edge features to be processed corresponding to each node are concatenated to obtain multiple processed edge features corresponding to each node. The first MLP multilayer perceptron updates each of the processed features to obtain multiple updated features corresponding to each node. The target edge features are obtained by randomly removing all the updated edge features using the edge-dropping strategy algorithm.
[0024] It should be understood that, in order to enhance the model's resistance to topology masquerading and structural noise in real networks, a drop-edge strategy (i.e., the drop-edge algorithm) is introduced during the training phase. That is, with a preset probability p (e.g., p = 0.2), a portion of the network edges in the graph snapshot are randomly removed in each forward propagation (i.e., the edge features are updated). This mechanism forces the model not to overly rely on specific communication links, thereby improving its generalization ability.
[0025] In the above embodiments, the feature analysis network performs feature analysis on the graph snapshot sequence to obtain the target node features and target edge features, which gets rid of the limitation of traditional models that are only used for monitoring, enhances the ability to integrate topology and traffic, significantly improves computational efficiency and anti-evasion capabilities, effectively resists attackers' escape attacks based on time obfuscation, and effectively improves the overall security in industrial network environments.
[0026] Optionally, as an embodiment of the present invention, the graph snapshot sequence includes multiple IP address data and multiple inter-node network data; The process of performing graph structure analysis on the graph snapshot sequence to obtain the original node features corresponding to each node and the multiple edge features to be processed corresponding to each node includes: Map all the IP address data to obtain multiple node physical communication data, and combine all the node physical communication data to obtain a node physical communication dataset; Extract the original node features corresponding to each node from the node physical communication dataset; The network data between all the nodes is mapped to obtain multiple edge data, and all the edge data are combined to obtain an edge data set. Extract multiple original edge features corresponding to each node from the edge data set; Each of the original edge features is normalized to obtain multiple edge features to be processed corresponding to each node.
[0027] It should be understood that the IP address data includes the source IP address and the destination IP address of the communication.
[0028] Specifically, the source IP address and destination IP address (i.e., IP address data) of the communication are mapped to nodes in the graph (i.e., node physical communication data). Unlike directly using IP address strings, this invention extracts initial statistical features (i.e., original node features) of 5 key dimensions based on the physical communication behavior of the nodes: the logarithm of the node's in-degree log(1 + Din), the logarithm of the node's out-degree log(1 + Dout), the privileged port (i.e., port number less than 1024) usage ratio, the total number of data packets passed by the node, and a high-frequency Boolean feature characterizing whether the node is a network hub (e.g., setting the feature to 1.0 when Din + Dout > 50, and 0.0 otherwise).
[0029] It should be understood that the transmission of real network data between nodes (i.e., inter-node network data) is mapped to edges in the graph (i.e., the edge data set). Multidimensional statistical information (such as the total number of forward packets, average packet length, flow duration, etc.) is extracted from the traffic packets (i.e., the edge data set) as edge feature tensors (i.e., the original edge features). To prevent gradient explosion caused by features of different magnitudes, strict zero-mean-variance normalization is performed using StandardScaler. In particular, the normalization parameters are only fitted and calculated on the training set and then frozen before being applied to the test set to strictly prevent future data leakage to the training phase.
[0030] In the above embodiments, graph structure analysis is performed on the graph snapshot sequence to obtain the original node features and edge features to be processed, preventing gradient explosion caused by features of different magnitudes, effectively resisting escape attacks based on time obfuscation, and effectively improving the overall security in the industrial network environment.
[0031] Optionally, as an embodiment of the present invention, the edge-enhanced attention mechanism layer includes a first Softmax activation function layer, and the process of aggregating and analyzing the features of each original node and the multiple edge features to be processed corresponding to each node through the edge-enhanced attention mechanism layer to obtain the target node features corresponding to each node includes: Extract the query node features corresponding to each of the original node features and the key node features corresponding to each of the original node features respectively; The first formula is used to calculate the features of each query node, the key node features corresponding to each node, and the multiple edge features to be processed corresponding to each node, to obtain multiple original attention scores corresponding to each node. , in, For the first Layer nodes With nodes The original attention scores between them , and All are learnable weight matrices. For the first Layer nodes Corresponding query node characteristics For transpose, For the first Layer nodes The corresponding key node features, For the first Layer nodes With nodes The features of the edges to be processed between them Preset attention head dimension; The first Softmax activation function layer is used to normalize each of the original attention scores to obtain multiple normalized attention scores corresponding to each node. The target node features corresponding to each node are obtained by calculating the normalized attention scores, key node features corresponding to each node, and multiple unprocessed edge features corresponding to each node using the second formula. The second formula is: , in, For the first Layer nodes Corresponding target node features The GELU nonlinear activation function is used. For nodes The corresponding set of neighboring nodes, For the first Layer nodes With nodes Normalized attention scores between them and All are learnable weight matrices. For the first Layer nodes The corresponding key node features, For the first Layer nodes With nodes Features of the edges to be processed between them.
[0032] It should be understood that nodes The corresponding set of neighboring nodes refers to the set of nodes that are adjacent to the node. The set of all nodes that share the same edge.
[0033] Specifically, conventional Graph Attention Networks (GATs) typically calculate attention based solely on node features, which can easily dilute the signature features of edges (i.e., network flows) themselves during deep propagation. Therefore, this invention obtains the central node... Features (i.e., query node features), its neighboring nodes Features (i.e., key node features) and network flow edge features connecting them. (i.e., the edge features to be processed). Through a learnable weight matrix... , and Linear mapping is performed on the three components respectively. The key node features are added to the edge features (i.e., the edge features to be processed), and then the inner product is calculated with the query node features. Finally, the result is divided by the attention head dimension. The attention score is calculated by scaling the square root of the (i.e., the preset attention head dimension) value. (That is, the original attention score). This is equivalent to assigning a very high decision weight to specific traffic types (high traffic or heartbeat packets) when evaluating the influence of neighbors on the central node. The calculation formula is: .
[0034] Specifically, each of the original attention scores is subjected to Softmax normalization using a normalization formula to obtain multiple normalized attention scores corresponding to each node. The normalization formula is as follows: , in, For the first Layer nodes Its neighboring nodes The corresponding normalized attention scores are as follows: For the first Layer nodes Its neighboring nodes The corresponding raw attention scores, For nodes The set of neighboring nodes, For the set of neighbor nodes The index variable used when traversing and summing each neighbor node.
[0035] It should be understood that this is based on the normalized attention coefficients. (i.e., for) Perform a Softmax operation (i.e., normalized attention score), weightedly fuse the features of neighboring nodes (i.e., key node features) with edge features (i.e., edge features to be processed), and then pass them through the GELU non-linear activation function to update the features of the center node, as shown in the following equation: .
[0036] Specifically, to enable the graph model to maintain statefulness, a multilayer perceptron (MLP) consisting of a linear layer, LayerNorm, and Dropout (i.e., the first MLP multilayer perceptron) is used. The updated features of the central node (i.e., query node features), the features of neighboring nodes (i.e. key node features), and the edge features before the update (i.e. edge features to be processed) are concatenated (CONCAT) to synchronously update the edge features of the network flow itself. Furthermore, residual connections are introduced to prevent gradient vanishing.
[0037] In the above embodiments, the target node features are obtained by aggregating and analyzing the original node features and the edge features to be processed through the edge enhancement attention mechanism layer, which prevents gradient vanishing and enables the model to avoid over-reliance on specific communication links, thereby improving generalization ability.
[0038] Optionally, as an embodiment of the present invention, such as Figure 3 As shown, the temporal analysis network includes multiple parallel one-dimensional convolutional kernels, fully connected layers, and a sigmoid activation function layer. The process of performing temporal analysis on the features of all target nodes through the temporal analysis network to obtain the target temporal feature matrix includes: Alignment processing is performed on the features of each target node to obtain aligned temporal features corresponding to each node; Each aligned temporal feature is encoded using a time-position coding algorithm, and the original temporal sequence is constructed using the encoding results. The original time sequence is convolved by multiple one-dimensional convolution kernels to obtain multiple convolved time sequences. The original temporal sequence and multiple convolutional temporal sequences are concatenated to obtain a local burst feature matrix; The original time series sequence is mapped using a query matrix to obtain the query matrix; The original time series sequence is mapped using a key matrix to obtain the key matrix; The original time series sequence is subjected to value matrix mapping processing to obtain a value matrix; The global dependency feature matrix is obtained by calculating the query matrix, the key matrix, and the value matrix using the third equation, which is: , in, , , in, , , in, For the globally dependent feature matrix, For kernel function, For the context matrix, As the normalization factor, For numerically stable terms, The key matrix, For value matrices, For querying the matrix, The number of linear unit activation functions; The original time series sequence is calculated using the fourth equation to obtain the original gated feature matrix. The fourth equation is as follows: , in, The original gated feature matrix, The original time series sequence, This is the global average pooling function. It is the global max pooling function. For feature splicing; The gating feature matrix is reduced in dimensionality by the fully connected layer to obtain the dimensionality-reduced gating feature matrix. The dimensionality-reduced gated feature matrix is mapped through the Sigmoid activation function layer to obtain the gate coefficients; The target time series feature matrix is obtained by calculating the gating coefficient, the original time series sequence, the local burst feature matrix, and the global dependency feature matrix using the fifth equation. The fifth equation is: , in, The target time series feature matrix, The gating coefficient, This is a local burst feature matrix. For the globally dependent feature matrix, This is the original time series sequence.
[0039] It should be understood that after spatial evolution is completed, the spatial representations of the same network flow at different time steps are aligned, extracted, and incorporating temporal positional embeddings to form a temporal input sequence. (i.e., the original time series) In order to solve the "spatiotemporal scale dilemma", this invention constructs a parallel dual-stream architecture for feature extraction.
[0040] Specifically, attacks such as Distributed Denial-of-Service (DDoS) often erupt within a very short time. This invention employs an Inception-like structure, using multiple sets of one-dimensional convolutional kernels of different sizes (i.e., one-dimensional convolutional kernels) (e.g., K = {1, 3, 5, 7}) in parallel to perform sliding window convolutions in the temporal dimension. Smaller kernels capture millisecond-level bursts of jitter, while larger kernels capture slightly longer connection patterns. The multi-scale convolution results are concatenated and supplemented with residual connections to output local burst features. (i.e., the local burst feature matrix), this invention is like the "temporal fovea" of the model, specifically targeting transient anomalies.
[0041] Specifically, for encrypted C2 channel communication, due to the highly encrypted and concealed nature of the traffic, local convolution is ineffective, necessitating reliance on global statistical dependencies over long time spans (long sequences). However, computing Q×KT in the standard Transformer incurs O(T²) time and memory complexity, which is unacceptable when processing long network streams containing tens of thousands of packets. Therefore, this invention employs kernel function techniques, utilizing... The alternative to the standard Softmax operation, by changing the associative law of matrix multiplication, first computes a context matrix that is independent of sequence length. Then combine it with Multiplication. This cleverly reduces the time and space complexity of global attention computation to linear O(T), outputting globally dependent features. (i.e., the global dependency feature matrix).
[0042] Understandably, according to information theory, high-entropy encrypted traffic often exhibits saturation in its distribution within the feature space, while plaintext burst attacks show dramatic local spikes. Since directly calculating Shannon entropy in high-speed networks is extremely costly, this invention cleverly utilizes dual-pooling layers to extract temporal features as a potential proxy for traffic complexity: along the sequence dimension, respectively... (i.e., the original time series) Calculate global average pooling (to capture global entropy saturation) and global max pooling (to capture high-frequency spike signals).
[0043] It should be understood that the two pooling results are concatenated using tensors to obtain the gated feature (i.e., the original gated feature matrix) g = [AvgPoolt( MaxPoolt ( )).
[0044] Specifically, g (i.e., the original gated feature matrix) is input into a lightweight gated unit consisting of a dimension-reduced fully connected layer and a Sigmoid activation function (i.e., a Sigmoid activation function layer), generating a gate coefficient between 0 and 1. .because It can automatically assess the underlying logic of current traffic and handle sudden attacks. It will adaptively bias towards 1; when processing high-entropy encrypted streams, Biased towards 0. Ultimately adopted. Achieve seamless, adaptive weighted fusion of features.
[0045] In the above embodiments, the target temporal feature matrix is obtained by performing temporal analysis on the features of all target nodes through a temporal analysis network. This can capture millisecond-level sudden jitter, achieve seamless and adaptive weighted fusion of features, effectively resist attackers' escape attacks based on time obfuscation, and effectively improve the overall security in industrial network environments.
[0046] Optionally, as an embodiment of the present invention, the detection and analysis network includes a second MLP multilayer perceptron and a second Softmax activation function layer. The process of detecting and analyzing the target temporal feature matrix and all the target edge features through the detection and analysis network to obtain a first predicted probability label set includes: The target temporal feature matrix and all the target edge features are concatenated to obtain the concatenated feature matrix. The concatenated feature matrix is classified using the second MLP multilayer perceptron to obtain multiple edge classification features. The second Softmax activation function layer is used to predict all the edge classification features, and the prediction results are combined to obtain the first predicted probability label set.
[0047] It should be understood that, after completing the temporal evolution, in order to reduce the problem back to the original network flow classification task, this invention will output a temporal fusion representation. The features belonging to the source and destination nodes in the target temporal feature matrix are concatenated (CONCAT) with the corresponding network flow edge features (i.e., target edge features). This concatenation is then fed into a classification network constructed from a multilayer perceptron (MLP) (i.e., the second MLP multilayer perceptron) for edge classification. Finally, a Softmax or Sigmoid layer (i.e., the Softmax activation function layer) outputs a probability label (i.e., the first set of predicted probability labels) indicating whether the network traffic is "benign" or represents a specific attack type (such as DDoS, Botnet, etc.).
[0048] In the above embodiments, the first predicted probability label set is obtained by detecting and analyzing the target temporal feature matrix and all target edge features through the detection and analysis network, which effectively resists the attacker's escape attack based on time obfuscation and effectively improves the overall security in the industrial network environment.
[0049] Optionally, as an embodiment of the present invention, such as Figure 4 As shown, the process of performing loss function analysis on the first predicted probability label set and all the target edge features to obtain the target loss function includes: Multiple original anchor point features are extracted from all the target edge features according to a preset time frame range; Import a Gaussian noise vector, and add noise to each of the original anchor point features according to the Gaussian noise vector to obtain the noise-added anchor point features corresponding to each of the original anchor point features; Each of the original anchor point features is subjected to projection processing to obtain the projected anchor point features corresponding to each of the original anchor point features; Each of the noise-added anchor point features is projected to obtain a perturbation view corresponding to each of the original anchor point features. Import multiple real labels, and use the cross-entropy loss function algorithm to calculate the loss function for all the real labels and the first predicted probability label set to obtain the classification loss function; The InfoNCE loss function algorithm is used to calculate the loss function for all the projected anchor point features and all the perturbation views to obtain the contrastive learning loss function. The target loss function is obtained by weighted summation of the classification loss function and the contrastive learning loss function.
[0050] It should be understood that real attackers often use methods such as packet delays and temporal obfuscation to deceive detection models. To ensure that the features learned by the model have robust semantics resistant to interference, this invention introduces a contrastive learning mechanism based on feature space jitter during the training phase.
[0051] Specifically, only the edge features of intermediate frames during the temporal evolution process are extracted as the original anchor point representation (i.e., original anchor point features) to reduce memory complexity and improve computational efficiency. Then, the original anchor point representation (i.e., original anchor point features) and its representation after injecting Gaussian noise (i.e., Gaussian noise vector) are projected to obtain the original anchor point projection representation (i.e., projected anchor point features) and the perturbation view. The InfoNCE loss function is used to bring positive sample pairs (i.e., projected anchor point features and perturbation view) closer together and push away negative sample pairs, thereby significantly improving the robustness of the model to temporal confusion perturbations.
[0052] It should be understood that the original anchor point representation (i.e., original anchor point features) and the disturbed anchor point representation (i.e., anchor point features after adding noise) are projected using the following formulas to obtain the original anchor point projection representation (i.e., anchor point features after projection) and the disturbed view, respectively. The formulas are as follows: , , , in, This represents the original anchor point projection (i.e., the anchor point features after projection). For the perturbation view, For projection processing, The original anchor point representation (i.e., original anchor point features) is obtained from the edge features of the intermediate temporal frames. The vector is Gaussian noise. For noise variance, The identity matrix is used; the classification loss is calculated based on the first predicted probability label set and the true label; the contrastive learning loss is calculated using the InfoNCE loss function based on the original anchor point projection representation (i.e., the anchor point features after projection) and the perturbation view; the classification loss (i.e., the classification loss function) and the contrastive learning loss (i.e., the contrastive learning loss function) are weighted and summed to obtain the total loss function (i.e., the target loss function).
[0053] In the above embodiments, the target loss function is obtained by performing loss function analysis on the first predicted probability label set and all target edge features, which ensures that the features learned by the model have robust semantics against interference and ensures that the model can still maintain semantic consistency even if the traffic is maliciously obfuscated in the time dimension.
[0054] Optionally, as an embodiment of the present invention, the network intrusion detection result includes a second predicted probability label and a malicious traffic type, and further includes: If the second predicted probability label is greater than or equal to the preset confidence threshold, then the network traffic underlying quintuple information is extracted from the network traffic data to be detected corresponding to the second predicted probability label. After converting the format of the malicious traffic type corresponding to the network traffic data to be detected, a security alarm log is obtained, and the security alarm log is sent to the designated terminal. Based on preset protection rules, protection rules are generated for the underlying five-tuple information of the network traffic to obtain access control instructions, and the access control instructions are sent to the designated terminal.
[0055] It should be understood that the designated endpoint can be the enterprise's security operations center, or it can be a firewall or core switch at the network physical boundary.
[0056] Specifically, when the classifier determines that the network traffic corresponding to a certain graph edge is highly suspected of being malicious (for example, exceeding the set confidence threshold (i.e., the preset confidence threshold)), it immediately parses and restores the underlying five-tuple information of the network traffic (i.e.: source IP address, destination IP address, source port, destination port, transport layer protocol) (i.e., the underlying five-tuple information of the network traffic).
[0057] It should be understood that the information, along with the predicted types of malicious traffic (such as the discovery of C2 remote control channels), should be packaged into a standard format security alert log (such as Syslog or JSON format) and reported to the enterprise's Security Operations Center (SOC) dashboard in real time for auditing.
[0058] Specifically, this invention dynamically generates access control policies (ACLs) containing blocking instructions based on predefined protection rules (i.e., preset protection rules). These blocking policies are then automatically distributed to the firewall or core switch at the network's physical boundary via standard API interfaces (such as the Netconf protocol or SSH tunnel). For example, blacklisting (dropping) the attack source IP or bandwidth limiting the connection to the abnormal port can automatically disconnect the connection before the network is completely compromised.
[0059] In the above embodiments, the underlying five-tuple information of network traffic is extracted from the network traffic data to be detected corresponding to the second predicted probability label. After the malicious traffic type corresponding to the network traffic data to be detected is converted into a format, a security alarm log is obtained. According to the preset protection rules, the underlying five-tuple information of network traffic is used to generate access control instructions, which can complete the automatic connection disconnection before the network is completely destroyed.
[0060] Optionally, as another embodiment of the present invention, the present invention includes: constructing network traffic data into a dynamic attribute graph sequence; employing an edge-enhanced spatial attention mechanism for spatial evolution, explicitly integrating edge features into node message passing; constructing a dual-stream adaptive temporal evolution architecture, where stream A uses multi-scale convolution to capture local burst features, and stream B uses linear attention to capture globally dependent features; extracting the feature distribution of the temporal sequence as a complexity proxy, and generating dynamic weights through gating units to perform weighted fusion of the dual-stream features; inputting the fused features into a classifier to output detection results; and, upon detecting malicious traffic, dynamically issuing access control policies to block it in conjunction with security protection devices. The present invention not only solves the "spatiotemporal scale dilemma" between encrypted traffic and burst attacks, but also forms a complete security closed loop from accurate detection to coordinated defense, greatly improving the overall security in industrial network environments.
[0061] Optionally, as another embodiment of the present invention, the present invention includes the following steps: Step S1: Obtain network traffic data, preprocess the network traffic data and construct a dynamic attribute graph sequence containing the time dimension, and extract the node features and edge features of the network traffic. Step S2: Perform spatial evolution: At each time step, on the graph snapshot, use an edge-enhanced spatial attention mechanism to explicitly integrate edge features into the message passing and aggregation process of nodes, and synchronously update edge features after iterative aggregation to obtain the node representation and edge representation after spatial evolution. Step S3: Perform temporal evolution: Align the spatial representations of the same node at different time steps and extract them into a temporal sequence, which is then input into the dual-stream adaptive temporal evolution module; wherein, the first stream uses a multi-scale local convolutional network to capture short-period local traffic burst features, and the second stream uses a global linear attention network to capture long-period global traffic dependency features. Step S4: Calculate entropy-aware gating weights: Extract the feature spatial distribution state of the time series as a traffic complexity proxy, generate dynamic weights through the gating unit, and perform weighted fusion of the output features of the first flow and the second flow based on the dynamic weights to obtain a time series fusion representation containing spatiotemporal dependencies. Step S5: Malicious traffic detection: During the model training phase, the original anchor features are extracted from the target edge features, latent space noise is injected into them to obtain noisy anchor features, and projection processing is performed to obtain projected anchor features and perturbation views. The model parameters are jointly optimized through a contrastive learning strategy.
[0062] Optionally, as another embodiment of the present invention, the present invention divides network traffic into multiple time windows of graph snapshots according to time series, maps the source IP address and destination IP address of communication to a set of nodes in the graph, and extracts node features through aggregation statistics; maps network communication between nodes to a set of edges in the graph, and extracts the statistical feature vector of traffic data packets as edge features.
[0063] Optionally, as another embodiment of the present invention, the present invention obtains query node features, key node features, and edge features connecting the query node and the key node; calculates attention scores after linearly transforming the query node features, key node features, and edge features to characterize the importance of neighboring nodes to the central node; based on the normalized attention scores, the fusion information of neighboring node features and edge features is weighted and summed, and after passing through an activation function, updated node features are obtained; the updated node features are concatenated with the unupdated edge features through network mapping to synchronously update the edge features.
[0064] Optionally, as another embodiment of the present invention, the present invention performs global average pooling and global max pooling operations on the time series along the time dimension; the results of the two pooling operations are concatenated as the traffic complexity proxy representing local traffic spikes and global saturation; the traffic complexity proxy is input into a gating unit to generate gating weights between 0 and 1; the gating weights are used to linearly weight and sum the first-stream output features and the second-stream output features, and residual connections are introduced to obtain the time series fusion representation.
[0065] Optionally, as another embodiment of the present invention, the purpose of the present invention is to provide a malicious traffic detection method and related system based on entropy-aware dual-stream temporal dynamic graph learning. The present invention constructs a lightweight fully adaptive framework (MILAN) and introduces a "detection-response" security closed-loop mechanism, which can not only achieve autonomous shift of computational focus between high-entropy encrypted traffic and sudden structural attacks, but also immediately link devices to implement blocking after the threat is confirmed.
[0066] Alternatively, as another embodiment of the present invention, the beneficial effects of the present invention are: 1. Breaking the spatial-temporal scale dilemma: Through an innovative entropy-aware gating mechanism, the model can adaptively switch between "focusing on local bursts" and "focusing on global statistics" based on the complexity of the traffic.
[0067] 2. Forming a proactive security defense closed loop: Breaking away from the limitations of traditional models that are only used for monitoring, this invention adds a security linkage response mechanism. Within milliseconds of the model determining malicious traffic, it automatically extracts the five-tuple and links the boundary firewall and switch, realizing a fully automated closed-loop defense from "detection" to "blocking".
[0068] 3. Enhanced topology and traffic fusion capability: The proposed edge-enhanced spatial attention mechanism breaks the limitation of traditional graph neural networks that emphasize nodes and neglect edges, and uses network packet header statistical signatures as key information to participate in aggregation.
[0069] 4. Extremely high computational efficiency and anti-evasion capability: By introducing a global linear attention mechanism using kernel function techniques, the time complexity is reduced to linear. Simultaneously, Gaussian noise is introduced into the latent space to simulate network jitter and contrastive learning is implemented, effectively resisting escape attacks based on temporal obfuscation.
[0070] Optionally, as another embodiment of the present invention, in this deployment scenario, the core detection model (MILAN) of the present invention is encapsulated and deployed on a high-performance bypass traffic analysis probe (Probe) with GPU acceleration capabilities. This analyzer is physically connected to the core switch side of the enterprise data center, and through the switch's port mirroring or splitter technology, it acquires the raw data packet streams (PCAP) of the entire network's uplink and downlink communication in real time and completely in a bypass, non-intrusive manner.
[0071] Suppose that during a peak business period, a server on the company's internal network is infected by a hidden botnet Trojan and attempts to establish a long-term, low-frequency communication channel with an external malicious C2 server, encrypted with strong SSL / TLS. Traditional signature-based firewalls, unable to decrypt the content and with packet transmission frequencies below the alert threshold, often allow the attack directly, failing to detect the anomaly.
[0072] However, when traffic enters the bypass analyzer of this invention: the probe first constructs these fragmented encrypted sessions into a graph snapshot containing the network topology context; facing high-entropy encrypted traffic, the "global linear attention module" keenly captures the hidden periodic handshake pattern behind the encrypted channel that lasts for several minutes; subsequently, the "gated fusion mechanism" automatically detects the global entropy saturation characteristic of the traffic and outputs a very small weight. This ensured that the model fully accepted the global diagnostic results; the probe output a high-risk warning for "Botnet C2" with extremely high confidence.
[0073] Less than 100 milliseconds after the alarm was generated, the security linkage mechanism was triggered. The bypass analysis probe not only sent emails and pop-up alerts to the administrator, but also communicated directly with the enterprise's Software-Defined Networking (SDN) controller via the northbound interface, issuing a global network blacklist policy targeting the external IP address (e.g., 192.168.XX) of the C2 server. Upon receiving the instruction, the SDN controller instantly updated the flow tables of all underlying switches, completely cutting off the data transmission channel of the controlled server, completing a textbook example of proactive defense.
[0074] Optionally, as another embodiment of the present invention, the data acquisition and mapping module is used to construct the graph snapshot sequence and calculate and extract the initial multidimensional features; the edge enhancement spatial evolution module includes a core operator for calculating attention scores and an MLP network for updating edge states; the dual-stream temporal evolution module incorporates a convolutional network for calculating multi-scale local inceptions and a processing circuit for performing global linear attention; the entropy-aware gating fusion module includes a pooling component for feature concatenation and a Sigmoid gating activation function, and is dedicated to allocating channel weights; the detection and contrastive learning module is responsible for outputting business classifications and calculating InfoNCE loss during the model iteration phase; the security response and linkage defense module serves as the business exit, dedicated to receiving prediction results, generating alarm protocol messages, and issuing corresponding routing control blocking strategies to external protection facilities. These functional modules logically cooperate with each other to construct the complete working architecture of the present invention.
[0075] Figure 5 This is a block diagram of a network intrusion detection device provided in an embodiment of the present invention.
[0076] Alternatively, as another embodiment of the present invention, such as Figure 5 As shown, a network intrusion detection device includes: The import module is used to import multiple raw network traffic data sets; The collection module is used to collect all the original network traffic data to obtain the original network traffic dataset. The model analysis module is used to build a training model and perform model analysis on the training model using the original network traffic dataset to obtain a network intrusion detection model. The import module is also used to import network traffic data to be detected; The detection result acquisition module is used to detect the network traffic data to be detected through the network intrusion detection model and obtain the network intrusion detection result.
[0077] Optionally, another embodiment of the present invention provides a network intrusion detection system, including a memory, a processor, and a computer program stored in the memory and executable on the processor. When the processor executes the computer program, it implements the network intrusion detection method described above. This system can be a computer or similar system.
[0078] Optionally, another embodiment of the present invention provides a computer-readable storage medium storing a computer program that, when executed by a processor, implements the network intrusion detection method as described above.
[0079] It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such process, method, article, or apparatus.
[0080] Those skilled in the art will clearly understand that, for the sake of convenience and brevity, the specific working process of the above-described apparatus and unit can be referred to the corresponding process in the foregoing method embodiments, and will not be repeated here.
[0081] In the several embodiments provided in this application, it should be understood that the disclosed apparatus and methods can be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative. For instance, the division of units is only a logical functional division, and in actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
[0082] The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units can be selected to achieve the purpose of the embodiments of the present invention, depending on actual needs.
[0083] Furthermore, the functional units in the various embodiments of the present invention can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit. The integrated unit can be implemented in hardware or as a software functional unit.
[0084] If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence, or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods of the various embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.
[0085] The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of the present invention should be included within the protection scope of the present invention.
Claims
1. A network intrusion detection method, characterized in that, Includes the following steps: Import multiple raw network traffic data sets and combine all the raw network traffic data sets to obtain the raw network traffic dataset; A training model is constructed, and the training model is analyzed using the original network traffic dataset to obtain a network intrusion detection model. Import the network traffic data to be detected, and use the network intrusion detection model to detect the network traffic data to obtain the network intrusion detection result.
2. The network intrusion detection method according to claim 1, characterized in that, The training model includes a feature analysis network, a temporal analysis network, and a detection analysis network; The process of performing model analysis on the trained model using the original network traffic dataset to obtain the network intrusion detection model includes: The original network traffic dataset is sliced according to a preset time window to obtain multiple network traffic time slices, and a graph snapshot sequence is constructed from all the network traffic time slices. The feature analysis network is used to perform feature analysis on the graph snapshot sequence to obtain the target node features corresponding to each node and the target edge features corresponding to each node. The target temporal feature matrix is obtained by performing temporal analysis on the features of all the target nodes through the temporal analysis network. The detection and analysis network is used to detect and analyze the target temporal feature matrix and all target edge features to obtain a first set of predicted probability labels. The target loss function is obtained by performing loss function analysis on the first predicted probability label set and all the target edge features; The parameters of the trained model are updated according to the target loss function to obtain the network intrusion detection model.
3. The network intrusion detection method according to claim 2, characterized in that, The feature analysis network includes an edge-enhanced attention mechanism layer and a first MLP (Multilayer Perceptron). The process of performing feature analysis on the graph snapshot sequence through the feature analysis network to obtain the target node features corresponding to each node and multiple target edge features corresponding to each node includes: Graph structure analysis is performed on the graph snapshot sequence to obtain the original node features corresponding to each node and multiple edge features to be processed corresponding to each node; The edge-enhanced attention mechanism layer performs aggregation analysis on the original node features and the multiple edge features to be processed corresponding to each node to obtain the target node features corresponding to each node. The features of each target node and the multiple edge features to be processed corresponding to each node are concatenated to obtain multiple processed edge features corresponding to each node. The first MLP multilayer perceptron updates each of the processed features to obtain multiple updated features corresponding to each node. The target edge features are obtained by randomly removing all the updated edge features using the edge-dropping strategy algorithm.
4. The network intrusion detection method according to claim 3, characterized in that, The snapshot sequence includes multiple IP address data and multiple inter-node network data; The process of performing graph structure analysis on the graph snapshot sequence to obtain the original node features corresponding to each node and the multiple edge features to be processed corresponding to each node includes: Map all the IP address data to obtain multiple node physical communication data, and combine all the node physical communication data to obtain a node physical communication dataset; Extract the original node features corresponding to each node from the node physical communication dataset; The network data between all the nodes is mapped to obtain multiple edge data, and all the edge data are combined to obtain an edge data set. Extract multiple original edge features corresponding to each node from the edge data set; Each of the original edge features is normalized to obtain multiple edge features to be processed corresponding to each node.
5. The network intrusion detection method according to claim 3, characterized in that, The edge-enhanced attention mechanism layer includes a first Softmax activation function layer. The process of aggregating and analyzing the features of each original node and the multiple edge features to be processed corresponding to each node through the edge-enhanced attention mechanism layer to obtain the target node features corresponding to each node includes: Extract the query node features corresponding to each of the original node features and the key node features corresponding to each of the original node features respectively; The first formula is used to calculate the features of each query node, the key node features corresponding to each node, and the multiple edge features to be processed corresponding to each node, to obtain multiple original attention scores corresponding to each node. , in, For the first Layer nodes With nodes The original attention scores between them , and All are learnable weight matrices. For the first Layer nodes Corresponding query node characteristics For transpose, For the first Layer nodes The corresponding key node features, For the first Layer nodes With nodes The features of the edges to be processed between them Preset attention head dimension; The first Softmax activation function layer is used to normalize each of the original attention scores to obtain multiple normalized attention scores corresponding to each node. The target node features corresponding to each node are obtained by calculating the normalized attention scores, key node features corresponding to each node, and multiple unprocessed edge features corresponding to each node using the second formula. The second formula is: , in, For the first Layer nodes Corresponding target node features The GELU nonlinear activation function is used. For nodes The corresponding set of neighboring nodes, For the first Layer nodes With nodes Normalized attention scores between them and All are learnable weight matrices. For the first Layer nodes The corresponding key node features, For the first Layer nodes With nodes Features of the edges to be processed between them.
6. The network intrusion detection method according to claim 2, characterized in that, The temporal analysis network includes multiple parallel one-dimensional convolutional kernels, fully connected layers, and a sigmoid activation function layer. The process of performing temporal analysis on the features of all target nodes through the temporal analysis network to obtain the target temporal feature matrix includes: Alignment processing is performed on the features of each target node to obtain aligned temporal features corresponding to each node; Each aligned temporal feature is encoded using a time-position coding algorithm, and the original temporal sequence is constructed using the encoding results. The original time sequence is convolved by multiple one-dimensional convolution kernels to obtain multiple convolved time sequences. The original temporal sequence and multiple convolutional temporal sequences are concatenated to obtain a local burst feature matrix; The original time series sequence is mapped using a query matrix to obtain the query matrix; The original time series sequence is mapped using a key matrix to obtain the key matrix; The original time series sequence is subjected to value matrix mapping processing to obtain a value matrix; The global dependency feature matrix is obtained by calculating the query matrix, the key matrix, and the value matrix using the third equation, which is: , in, , , in, , , in, For the globally dependent feature matrix, For kernel function, For the context matrix, As the normalization factor, For numerically stable terms, The key matrix, For value matrices, For querying the matrix, The number of linear unit activation functions; The original time series sequence is calculated using the fourth equation to obtain the original gated feature matrix. The fourth equation is as follows: , in, The original gated feature matrix, The original time series sequence, This is the global average pooling function. It is the global max pooling function. For feature splicing; The gating feature matrix is reduced in dimensionality by the fully connected layer to obtain the dimensionality-reduced gating feature matrix. The dimensionality-reduced gated feature matrix is mapped through the Sigmoid activation function layer to obtain the gate coefficients; The target time series feature matrix is obtained by calculating the gating coefficient, the original time series sequence, the local burst feature matrix, and the global dependency feature matrix using the fifth equation. The fifth equation is: , in, The target time series feature matrix, The gating coefficient, This is a local burst feature matrix. For the globally dependent feature matrix, This is the original time series sequence.
7. The network intrusion detection method according to claim 2, characterized in that, The detection and analysis network includes a second MLP (Multilayer Perceptron) and a second Softmax activation function layer. The process of detecting and analyzing the target temporal feature matrix and all target edge features through the detection and analysis network to obtain a first predicted probability label set includes: The target temporal feature matrix and all the target edge features are concatenated to obtain the concatenated feature matrix. The concatenated feature matrix is classified using the second MLP multilayer perceptron to obtain multiple edge classification features. The second Softmax activation function layer is used to predict all the edge classification features, and the prediction results are combined to obtain the first predicted probability label set.
8. The network intrusion detection method according to claim 2, characterized in that, The process of performing loss function analysis on the first predicted probability label set and all the target edge features to obtain the target loss function includes: Multiple original anchor point features are extracted from all the target edge features according to a preset time frame range; Import a Gaussian noise vector, and add noise to each of the original anchor point features according to the Gaussian noise vector to obtain the noise-added anchor point features corresponding to each of the original anchor point features; Each of the original anchor point features is subjected to projection processing to obtain the projected anchor point features corresponding to each of the original anchor point features; Each of the noise-added anchor point features is projected to obtain a perturbation view corresponding to each of the original anchor point features. Import multiple real labels, and use the cross-entropy loss function algorithm to calculate the loss function for all the real labels and the first predicted probability label set to obtain the classification loss function; The InfoNCE loss function algorithm is used to calculate the loss function for all the projected anchor point features and all the perturbation views to obtain the contrastive learning loss function. The target loss function is obtained by weighted summation of the classification loss function and the contrastive learning loss function.
9. The network intrusion detection method according to claim 1, characterized in that, The network intrusion detection results include a second predicted probability label and malicious traffic type, and also include: If the second predicted probability label is greater than or equal to the preset confidence threshold, then the network traffic underlying quintuple information is extracted from the network traffic data to be detected corresponding to the second predicted probability label. After converting the format of the malicious traffic type corresponding to the network traffic data to be detected, a security alarm log is obtained, and the security alarm log is sent to the designated terminal. Based on preset protection rules, protection rules are generated for the underlying five-tuple information of the network traffic to obtain access control instructions, and the access control instructions are sent to the designated terminal.
10. A network intrusion detection device, characterized in that, include: The import module is used to import multiple raw network traffic data sets; The collection module is used to collect all the original network traffic data to obtain the original network traffic dataset. The model analysis module is used to build a training model and perform model analysis on the training model using the original network traffic dataset to obtain a network intrusion detection model. The import module is also used to import network traffic data to be detected; The detection result acquisition module is used to detect the network traffic data to be detected through the network intrusion detection model and obtain the network intrusion detection result.