An end-to-end data encryption transmission method

By establishing communication behavior basis vectors and an improved Markov distance method in communication devices, and combining them with Markov decision models for dynamic security control, the problem of unutilized communication behavior characteristics in existing technologies is solved, and implicit authentication and dynamic defense capabilities for end-to-end encrypted data transmission are realized.

CN122339814APending Publication Date: 2026-07-03HEBEI RUICHENGSI INFORMATION TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
HEBEI RUICHENGSI INFORMATION TECH CO LTD
Filing Date
2026-04-29
Publication Date
2026-07-03

AI Technical Summary

Technical Problem

Existing communication technologies fail to effectively utilize the communication behavior characteristics of devices for authentication, resulting in encrypted data being easily copied and replayed, and lacking a protection mechanism for the authenticity of communication sources.

Method used

Communication behavior basis vectors are established through probe message experiments, communication difference is calculated using an improved Markov distance method, and real-time behavioral feature monitoring and dynamic security control are performed by combining an improved Markov decision model. An encrypted encapsulation channel is established and implicit identity verification and drift correction are performed.

Benefits of technology

It enables implicit and continuous online identity verification without the need for additional authentication credentials, defends against replay attacks and man-in-the-middle attacks, improves the system's identity anti-spoofing capabilities in complex network environments, and realizes the transformation from passive protection to active dynamic defense.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122339814A_ABST
    Figure CN122339814A_ABST
Patent Text Reader

Abstract

This invention discloses an end-to-end encrypted data transmission method, relating to the field of encrypted transmission technology. The method includes the following steps: conducting probe message experiments on the communication device for encrypted transmission to establish a communication behavior basis vector; collecting the real-time interactive communication vectors of the communication device, calculating the degree of difference between the real-time interactive communication vectors and the communication behavior basis vectors using an improved Markov distance method to obtain the communication difference degree, comparing the communication difference degree with a preset threshold to obtain an implicit identity verification result; based on the implicit identity verification result, combining the real-time interactive communication vectors and the communication difference degree to obtain a session binding factor, establishing an encrypted encapsulation channel based on the session binding factor; collecting the real-time behavior feature vectors of the encrypted encapsulation channel and inputting them into an improved Markov decision model to output a drift correction result; the other end of the communication device performs a decryption process based on the drift correction result, thereby achieving end-to-end encrypted transmission.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of encrypted transmission technology, specifically to an end-to-end encrypted data transmission method. Background Technology

[0002] With the deep integration and practical application of technologies such as the Internet of Things (IoT) and the Industrial Internet, the scale of communication between intelligent device clusters continues to expand. Communication scenarios are gradually evolving from point-to-point interaction between single devices to complex network collaboration involving multiple devices and nodes. In this process, the communication behavior characteristics of devices, such as their sending rhythm, response latency, and control message arrangement, are not only key elements for ensuring efficient communication but also important indicators for distinguishing the authenticity of communication sources and preventing unauthorized intrusion. Currently, the construction of communication technology systems still focuses on the basic connectivity of data transmission, and a comprehensive system for the value extraction and security application of device communication behavior characteristics has not yet been established.

[0003] Traditional communication security protection methods mainly revolve around data content encryption. They encode the transmitted raw data using algorithms such as symmetric encryption and asymmetric encryption, and establish a dedicated encryption key system only between the data sending end and the receiving end to ensure that the data is not illegally stolen or tampered with during transmission.

[0004] However, traditional methods do not incorporate communication behavior characteristics such as device sending rhythm and response delay into the security system. They lack the ability to effectively identify and verify the communication source by utilizing these stable and unique behavior characteristics. As a result, encrypted communication data lacks a protection mechanism against the authenticity of the communication source, which ultimately leads to encrypted data being easily copied and replayed for use in other sessions. Summary of the Invention

[0005] To address the shortcomings of existing technologies, this invention provides an end-to-end encrypted data transmission method to solve the problems existing in the background technology.

[0006] To achieve the above objectives, the present invention provides the following technical solution: an end-to-end encrypted data transmission method, comprising the following steps:

[0007] Step S1: Conduct probe message experiments on the encrypted communication device, and establish communication behavior basis vectors based on the feature data in the probe message experiments;

[0008] Step S2: Collect the real-time interactive communication vectors of the communication devices, calculate the degree of difference between the real-time interactive communication vectors and the communication behavior basis vectors using the improved Mahalanobis distance method, obtain the degree of communication difference, compare the degree of communication difference with a preset threshold, and obtain the implicit identity verification result.

[0009] Step S3: Based on the implicit identity verification result, combine the real-time interactive communication vector and the degree of communication difference to obtain the session binding factor, and establish an encrypted encapsulation channel based on the session binding factor;

[0010] Step S4: Collect the real-time behavior feature vector of the encrypted encapsulation channel, input the real-time behavior feature vector into the improved Markov decision model, and output the drift correction result. The other end of the communication device performs the decryption process based on the drift correction result, thereby realizing end-to-end encrypted transmission.

[0011] Preferably, the probe message experiment on the encrypted transmission communication device includes the following specific steps:

[0012] The communication device executes N preset probe message experiments in a pre-established trusted network link, where N is the total number of probe message experiments, and each probe message experiment contains... Secondary probe interaction.

[0013] Preferably, the step of establishing a communication behavior basis vector based on feature data from probe message experiments includes the following steps:

[0014] After the nth probe message experiment, for n=1,2,...,N, the sample feature vector of the nth probe message experiment is obtained. ;

[0015] After all N probe message experiments are completed, a set of sample feature vectors is obtained;

[0016] Based on the set of sample feature vectors, the communication behavior basis vector B is calculated.

[0017] Preferably, the modified Mahalanobis distance method is used to calculate the degree of difference between the real-time interactive communication vector and the communication behavior basis vector to obtain the degree of communication difference, including the following steps:

[0018] Collect real-time interactive communication vectors , = ,in For the feature dimension of real-time interactive communication vectors, Represents the first in the real-time interactive communication vector Real-time observations of each feature;

[0019] Calculate the initial sample covariance matrix;

[0020] Construct a shrinkage covariance matrix based on the initial sample covariance matrix;

[0021] Calculate real-time interactive communication vectors To communication behavior basis vectors The Mahalanobis distance Distance is calculated using the following formula:

[0022] ;

[0023] Distance represents the degree of communication difference. To shrink the covariance matrix, The number of feature values ​​greater than or equal to the smoothing threshold. This is the regularization parameter.

[0024] Preferably, the calculation of the initial sample covariance matrix includes the following steps:

[0025] Standardize the set of sample feature vectors; calculate the initial sample covariance matrix based on the standardized set of sample feature vectors. :

[0026] ;

[0027] in, For the first The standardized sample feature vector of the probe message experiment, where T is the transpose symbol.

[0028] Preferably, the shrinking covariance matrix includes the following steps:

[0029] Calculate the sample covariance matrix All eigenvalues ​​and the mean of the eigenvalues ;

[0030] The eigenvalues ​​are compared with preset regularization parameters and smoothing thresholds to perform regularization and smoothing on the initial sample covariance matrix, ultimately yielding a shrunken covariance matrix.

[0031] Preferably, the step of combining real-time interactive communication vectors and communication difference levels to obtain a session binding factor includes the following specific steps:

[0032] Based on real-time interactive communication vector And the degree of communication difference Calculate session binding factor :

[0033] ;

[0034] in () represents the cryptographic hash function, and || represents data concatenation.

[0035] Preferably, the establishment of the encrypted encapsulation channel based on the session binding factor specifically includes:

[0036] The session encryption key is calculated using a standard key derivation function based on the session binding factor. With message authentication key The local end of the communication device uses a session encryption key. With message authentication key Establish an encrypted encapsulation channel.

[0037] Preferably, the step of inputting the real-time behavior feature vector into the improved Markov decision model and outputting the drift correction result includes the following specific steps:

[0038] Construct an improved Markov decision process model;

[0039] The real-time behavioral feature vectors are input into the improved Markov decision model, and the evaluation function of the improved Markov decision model is iteratively updated through temporal difference learning.

[0040] ;

[0041] in To perform atomic actions Expected one-step instant reward For subtask completion functions, it means that in the subtask status Next action After that, continue to follow the strategy. The expected cumulative discount reward for completing sub-tasks. This represents the subtask evaluation function. Representation strategy, This represents the i-th strategy;

[0042] The final output is the drift correction result.

[0043] Preferably, the construction of the improved Markov decision process model specifically involves:

[0044] The improved Markov decision process model includes quintuples. In a hierarchical reinforcement learning architecture, S represents the state space, A represents the action space, P represents the state transition probability, and R represents the reward function. This is the discount factor.

[0045] This invention provides an end-to-end encrypted data transmission method, which relates to machine learning and deep learning technologies, and has the following beneficial effects:

[0046] (1) An improved Mahalanobis distance method is adopted, which significantly enhances the accuracy and robustness of authentication. Through regularization and eigenvalue smoothing, the inherent defect of unstable calculation results caused by ill-conditioned covariance matrix in traditional Mahalanobis distance in high-dimensional and small-sample scenarios is overcome. This enables the system to accurately quantify the degree of difference between the current communication behavior and the fingerprint base of legitimate device behavior, i.e., the degree of communication difference, so that implicit and continuous online authentication can be completed during the TCP handshake phase without exchanging additional authentication credentials. Compared with traditional authentication methods based on fixed passwords or certificates, this verification mechanism based on dynamic behavioral features can effectively defend against threats such as replay attacks and man-in-the-middle attacks that forge legitimate credentials, and improve the system's identity anti-counterfeiting capability in complex network environments.

[0047] (2) By introducing a Markov decision model, dynamic perception and adaptive control of security risks are achieved. During the continuous operation phase after the establishment of the encrypted channel, this method no longer relies on static security policies, but instead inputs the real-time monitored behavioral feature vectors into the Markov decision model. This model formalizes the security state of the system into discrete states, defines various security control actions such as hold, alarm, rate limiting, key update, and disconnection as optional actions, and learns the optimal decision strategy by maximizing long-term cumulative security benefits. This enables the system to automatically and intelligently select the most appropriate control action based on the real-time drift of communication behavior, thereby proactively adjusting the security protection level in the early stages of potential attacks or when the network environment is abnormal. While ensuring business continuity, it controls security risks to the lowest level, realizing the transformation from passive protection to proactive dynamic defense.

[0048] (3) An improved Markov decision model is adopted, and the decision-making efficiency and accuracy are further optimized through a hierarchical reinforcement learning architecture based on task decomposition. Standard Markov decision processes may suffer from large policy search spaces and slow convergence when dealing with complex, multi-objective security decisions. The improvement of this method lies in decomposing the top-level dynamic security control objective into two sub-tasks with different focuses: risk mitigation and business continuity. The high-level policy intelligently invokes sub-tasks that prioritize rapid risk suppression or business continuity assurance based on the level of current behavioral deviation (normal, suspicious, high-risk) and the trend of change (rising, stable, declining). Then, the specific atomic actions are selected by the policies within each sub-task. This hierarchical structure reduces the complexity of a single decision, enabling the model to learn the optimal response strategy under different risk situations more quickly, and improving the overall decision-making intelligence and robustness in the face of complex and persistent threats. Attached Figure Description

[0049] To more clearly illustrate the technical solutions of the embodiments of the present invention, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0050] Figure 1 This is a flowchart of the steps of an end-to-end data encryption transmission method proposed in this invention;

[0051] Figure 2 This is a step hierarchy diagram of obtaining implicit identity verification results in an end-to-end data encryption transmission method proposed in this invention;

[0052] Figure 3 This is a hierarchical diagram of the steps involved in obtaining the encrypted encapsulation channel in an end-to-end data encryption transmission method proposed in this invention. Detailed Implementation

[0053] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0054] Please see Figures 1-3 The present invention provides a technical solution: an end-to-end data encryption transmission method.

[0055] Step S1: Conduct probe message experiments on the encrypted communication device, and establish communication behavior basis vectors based on the feature data in the probe message experiments.

[0056] In a pre-established, attack-free, hijacking-free, and interference-free trusted network link, the local and remote ends of the communication equipment perform N preset probe message experiments, where N is the total number of probe message experiments. Each probe message experiment contains... Secondary probe interaction. The optimal number of trials is 30 to ensure sufficient behavioral observation data is obtained in a single experiment. The probe interaction rules in the probe message experiment are as follows: the local end sends a lightweight, fixed-format probe request message at the application layer. The message contains a fixed type identifier, sequence number, and blank padding fields, but does not carry business data. The remote end returns a probe response message containing the corresponding request sequence number and a fixed response field. The local end sending a request and the remote end returning a response constitute a complete probe interaction.

[0057] To ensure that interactive behaviors can be accurately measured and analyzed, probe packets must be designed to meet the following core constraints: identifiability (containing a clear protocol identifier to distinguish them from business data), associativity (containing a matching sequence number to accurately pair each request and response), and measurability (containing timestamps and other auxiliary verification sequences). During this process, each observed network packet event is recorded, and the triplet of the k-th recorded packet event is... ,in This indicates the absolute timestamp at which the message event was processed by the local protocol stack or captured by the network interface card. Indicates the direction of message transmission; 1 indicates sending, and -1 indicates receiving. This is the SHA-256 hash value calculated for fixed fields such as sequence number and protocol identifier in the message.

[0058] For each probe packet experiment, K packet events are generated. Due to network limitations, such as delays, retransmissions, or inherent acknowledgment mechanisms in the protocol, the number of packet events in each probe packet experiment is not fixed, where K ≥ 2. .

[0059] For each probe message experiment, the message event sequence consisting of K message events is: Let k = 1, 2, ..., K, where K is the total number of message events. First, extract the message generation rhythm characteristics: filter the continuously sent events from the message events to ensure they meet the following conditions. =1 and =1, kcou represents the index of the continuously sent events. and Let kcou and kcou+1 represent the directions of the k-th consecutive transmission event and the (kcou+1)-th consecutive transmission event, respectively. The direction of transmission is 1, and the direction of reception is -1. Therefore, the kcou-th and (kcou+1)-th message events represent the immediately adjacent message events transmitted from this end with a transmission direction of 1. The time interval between adjacent events is calculated. Then, all intervals that meet the conditions are grouped into an interval sequence, with a total number of intervals of KCOU. The statistical characteristics of this interval sequence are calculated, including the mean of the transmission intervals. Sending interval variance And the autocorrelation coefficient of the transmission interval with a lag of 1. = .

[0060] Secondly, analyzing the Transmission Control Protocol (TCP) and its connection persistence mechanism, the TCP connection establishment event is the point in time when the transport layer connection between the local and remote ends switches from a disconnected state to a connected state. The timestamps of LEN TCP connection establishment events are recorded sequentially as a sequence. Only events that legally complete the TCP three-way handshake and achieve a normal transport layer state switch are considered valid TCP connection establishment events and included in the LEN count; based on sequence... The duration of a single connection is statistically analyzed, i.e., the time interval from connection establishment to connection termination, forming a duration series. This duration series is then clustered using K-means clustering, and the centroid of each cluster is extracted to obtain the sequence containing... The connection duration of each center point is a set of center points. }

[0061] Next, from the message event sequence In the process of identifying request-response pairs: a set of request-response pairs is formed by matching the sequence numbers of probe request messages with their corresponding probe response messages. For the k'-th successfully matched request-response pair, its delay... The delay sequence is calculated by subtracting the timestamp of the probe request message sent by the local end from the timestamp of the probe response message received by the peer end. All matching pairs are iterated to obtain the effective delay sequence. This effective delay sequence is then sorted in ascending order of value. After sorting, kernel density estimation is performed on the effective delay sequence to obtain its probability density function of delay distribution. Key quantiles are extracted as features from the lag distribution obtained from kernel density estimation. Key quantiles include: lag median. 90th percentile (delay) .

[0062] Then, the sequence relationship between instructions and responses is calculated. The action types in the probe interaction process are extracted, including sending probe requests and receiving probe responses, and mapped into symbol sequences strictly according to their absolute chronological order. A 2-gram binary grammar is used to count the frequency of consecutive action pairs. ,in This indicates the first interactive action. Let `inter+1` represent the interaction action at step `inter`. Based on this frequency statistics, calculate the interaction action transition probability. , This indicates the action of sending a probe request from the local end. This indicates that the local end has received the probe's response, and Take only and Two categories are identified, thus constructing an interaction action transition probability matrix, which characterizes the inherent and stable interaction habits of the device from a temporal perspective.

[0063] To capture the behavior patterns of the device under normal disturbances, two types of controllable disturbances—controllable network latency jitter and simulated CPU load changes—were introduced into the local device during the probe interactive data acquisition process. A total of [number] operations were performed. Group perturbation test, Preferably, there are 5 groups, and the perturbation parameters tested in each group include network latency jitter and CPU load variation, then 1 to The network latency jitter in the group tests was as follows: 5ms, 15ms, 25ms, 35ms, 50ms, simulating the network latency fluctuations from low to high, 1 to... The CPU load changes in the test groups were as follows: 10%, 20%, 30%, 40%, and 50%, simulating the fluctuations in service load from light to heavy, all within the load range under normal equipment operation. The mean message transmission interval, variance of message transmission interval, and median delay were observed and recorded for each group of disturbance tests. Calculations were then performed. The arithmetic mean of three types of features in the group of observations: mean of message transmission interval, variance of message transmission interval, and median delay; the overall mean of the mean of transmission interval under disturbance, the overall mean of the variance of transmission interval under disturbance, and the overall mean of the median delay under disturbance; calculation The range of fluctuations in the three types of characteristics in the group of observations, namely the mean of message transmission interval, the variance of message transmission interval, and the median delay, are as follows: the range of fluctuations in the mean of transmission interval under disturbance, the range of fluctuations in the variance of transmission interval under disturbance, and the range of fluctuations in the median delay under disturbance.

[0064] After extracting the above features, each complete probe experiment will generate a sample feature vector that characterizes the behavior pattern of that experiment. The set of sample feature vectors corresponding to all N probe message experiments { , ,..., ,..., }

[0065] After all features are extracted in the nth complete probe message experiment, a sample feature vector representing the interaction behavior pattern is generated. The sample feature vector This includes: mean transmission interval, variance of transmission interval, autocorrelation coefficient of transmission interval, set of connection duration midpoints, and median delay. 90th percentile (delay) The interaction action state shift probability matrix contains all elements, as well as the summation mean of the three types of features and the fluctuation range of the three types of features.

[0066] The set of sample feature vectors corresponding to all N probe message experiments { , ,..., ,..., Using the historical global mean and historical global standard deviation as fixed standardization parameters, Z-score standardization is uniformly applied to the feature vectors of all samples within the set to obtain a standardized set of sample feature vectors. , ,..., ,..., Finally, the arithmetic mean of all standardized sample feature vectors is calculated according to each feature dimension. The calculated average feature vector is used as the final communication behavior basis vector B. This basis vector is generated based on globally unified standardized parameters, which can ensure the consistency of the feature space and the feasibility of comparison during subsequent real-time identity verification.

[0067] It should be noted that the historical global mean and historical global standard deviation are fixed parameters determined in advance based on the behavioral data generated by probe interactions performed by various certified legitimate communication devices, including but not limited to terminals of different models, brands and systems, in their respective trusted network environments. These parameters strictly follow the same feature system definition and extraction calculation process as when constructing the single-device behavioral basis vector B in step S1, and are determined after statistical analysis of data for each behavioral feature dimension. The historical global mean represents the overall average level of each behavioral feature in the group of legitimate devices, while the historical global standard deviation represents the overall dispersion of the corresponding feature within that group. Once these parameters are statistically determined, they are solidified into a globally unified measurement scale, unchanging with subsequent sample collection processes for any single device. This ensures that the behavioral features of all communication devices, after being extracted through the same process, can be mapped to the same standardized feature space for fair and consistent similarity comparison and identity verification calculations.

[0068] Step S2: Collect the real-time interactive communication vectors of the communication devices, calculate the degree of difference between the real-time interactive communication vectors and the basis vectors of communication behavior using the improved Mahalanobis distance method, obtain the degree of communication difference, compare the degree of communication difference with a preset threshold, and obtain the implicit identity verification result.

[0069] After receiving a connection request from the peer, the local end extracts real-time interactive data during the TCP initial handshake phase of the current session, processes it using the same feature extraction process and historical global normalization parameters as in step S1, and generates a real-time interactive communication vector. , = ,in The feature dimension of the real-time interactive communication vector is strictly consistent with the dimension of the communication behavior basis vector B in step S1. Represents the first in the real-time interactive communication vector Real-time observations of each feature.

[0070] This end reads the communication behavior basis vector B generated in step S1 and the set of standardized sample feature vectors { from local secure storage. , ,..., ,..., }; and calculate the initial sample covariance matrix based on this set. : , for The transpose of , where T is the transpose symbol.

[0071] To overcome the instability of the inverse matrix of the covariance matrix under high-dimensional small sample conditions, Regularization and smoothing are performed. First, the sample covariance matrix is ​​calculated. All eigenvalues and its mean .

[0072] Set regularization parameters With smoothing threshold Regularization parameters The preferred value is 0.2, which aims to balance the bias and variance of the estimate given a limited sample size; smoothing threshold. The preferred value is 0.01, used to identify and replace unstable eigenvalues ​​that are close to zero, to ensure that the covariance matrix is ​​invertible and numerically stable, and for values ​​less than the smoothing threshold. The eigenvalues ​​are smoothed. For greater than or equal to the smoothing threshold The number of feature values ​​is calculated to be less than the smoothing threshold. eigenvalue mean , .

[0073] Furthermore, a shrinkage covariance matrix is ​​constructed. , ,in The sample covariance matrix The orthogonal eigenvector matrix, It is a diagonal eigenvalue matrix. , For all eigenvalues The mean of the diagonal eigenvalue matrix. The diagonal elements are as follows: arrive The remaining m- All diagonal elements are .

[0074] It should be noted that the constructed shrinking covariance matrix is ​​an improved matrix obtained by combining eigenvalue regularization and smoothing correction on the basis of the original sample covariance matrix. This matrix is ​​designed to address the shortcomings of the original covariance matrix in high-dimensional small sample scenarios, such as easy singularity and unstable inversion operation. By performing mean correction and small eigenvalue smoothing constraints on all eigenvalues ​​obtained from matrix decomposition, the shrinking adjustment is completed. This not only fully preserves the true correlation and distribution pattern between various communication behavior characteristics of the device, but also effectively eliminates the numerical disturbance problem caused by near-zero eigenvalues, and significantly improves the numerical stability of matrix inversion.

[0075] Calculate real-time interactive communication vectors To communication behavior basis vectors The Mahalanobis distance Distance is calculated using the following formula:

[0076] ;

[0077] Where Distance is the real-time interactive communication vector. To communication behavior basis vectors The degree of communication differences, To shrink the covariance matrix.

[0078] Preset confidence threshold With blocking threshold And satisfy The calculated Mahalanobis distance The implicit identity verification result is obtained by comparing it with these two thresholds respectively, and a decision is made. The implicit identity verification result includes verification passed, verification suspicious, and verification failed. ≤ If the match is successful, the verification passes, and the session is allowed to be established; if the match is not successful, the session is considered to be successful. < ≤ If the verification is deemed suspicious, restrictive control policies are triggered, such as downgrading the current session's trust level. ,in The highest trust level is L, which is the dynamic trust level, and the value of L ranges from [0, ..., L]. ];when > If the verification fails, the verification channel immediately rejects the connection establishment. The entire process is completed during the handshake phase, without the need to exchange additional authentication credentials, thus achieving implicit continuous authentication.

[0079] It should be noted that the aforementioned confidence threshold With blocking threshold The value is determined based on the following: during the offline modeling phase, the improved Mahalanobis distance distribution calculated from legitimate device behavior data is used, and the high-confidence quantile (e.g., the 99th percentile) is selected as the confidence threshold. Based on this, and according to distance observations of known attack or anomalous behavior patterns, a higher value with security redundancy is set as... , = * ,in The coefficient is greater than 1, preferably 1.5. The specific value needs to be finally calibrated during system deployment based on the security policy and false alarm tolerance of the actual scenario.

[0080] Step S3: Based on the implicit identity verification result, combine the real-time interactive communication vector and the degree of communication difference to obtain the session binding factor, and establish an encrypted encapsulation channel based on the session binding factor.

[0081] In step S3, the specific implementation of establishing the encrypted encapsulation channel bound to the behavior is as follows: Branch logic is executed based on the implicit identity verification result: when the result is "verification passed" or "verification suspicious," the process of generating the session binding factor is initiated; when the result is "verification failed," the connection is rejected and the process is terminated.

[0082] The local end obtains the following session-specific data from the real-time processing in step S2: real-time interactive communication vector. And the degree of communication difference .

[0083] Based on real-time interactive communication vector And the degree of communication difference Calculate its cryptographic hash value ,in () represents the standard cryptographic hash function, preferably SHA-256, and || represents data concatenation. This hash value This is the binding factor for this session. This session binding factor is uniquely generated based on the real-time behavior and real-time matching degree of this session, achieving a dynamic and strong binding with the session.

[0084] Subsequently, key material aggregation and session key derivation are performed. This end gathers the key material negotiated during the current handshake phase, including the shared secret calculated by the Diffie-Hellman exchange. Client-side random number generation Server random number and session binding factor As a key input, the final session encryption key is calculated using the standard key derivation function KDF(). With message authentication key The formula is: ( , )=KDF(Z|| || ||Salt), where || represents data concatenation. This step ensures that the session key is cryptographically strongly bound to the verified real-time behavioral characteristics of this session.

[0085] Next, the local end uses the session encryption key. With message authentication key Highly efficient authentication and encryption algorithms, such as AES-GCM, are employed to encrypt and encapsulate all subsequent application-layer business data, ensuring its integrity. At this point, a secure, encrypted data transmission channel with a strong, end-to-end, real-time interactive communication vector firmly bound to the device is officially established and operational.

[0086] Step S4: Collect the real-time behavior feature vector of the encrypted encapsulation channel, input the real-time behavior feature vector into the improved Markov decision model, and output the drift correction result. The other end of the communication device performs the decryption process based on the session binding factor and the drift correction result, thereby realizing end-to-end encrypted transmission.

[0087] After the encrypted encapsulation channel enters a stable operating state, this end initiates a continuous behavior monitoring process. Let the monitoring period be... , The preferred interval is 1 second, which can be adjusted according to real-time requirements at each monitoring time. ( Real-time behavioral feature vectors are extracted from transport layer metadata of encrypted data streams, such as message intervals, directions, and length sequences. , = ,in The feature dimension is consistent with the feature extraction logic of the communication behavior basis vector in step S1 and the real-time interactive communication vector in step S2. express Time of the first The observed values ​​of each feature.

[0088] This end synchronously reads the communication behavior basis vector from secure storage. and its corresponding shrinkage covariance matrix .calculate Real-time behavioral deviation at any given moment, i.e., improved Mahalanobis distance This deviation With the confidence threshold from step S2 Blocking threshold Together constitute The observed variables of the system state at any given time.

[0089] The improved Markov decision model includes quintuples. Let S be the state space, A be the action space, P be the state transition probability, and R be the reward function. is the discount factor. Where, the state space... For a discrete finite set, its elements It is a binary tuple describe, Based on the comparison with the threshold, the results are discretized into {normal, suspicious, high risk}. The condition for normal is... ≤ The suspicious condition is < ≤ High-risk conditions are > . From the most recent W periods The changing first difference value The optimal value for W is 3, balancing response speed and stability. = - ,Will With stable interval threshold Compare, > If so, it is determined to be an increase. ≤ ≤ If it is stable, then it is determined to be stable. <- If so, it is determined to be a decline, and ultimately... Discretize into {rising, stable, falling}. The setting should match the normal fluctuation range of the Distance value. =0.1* The coefficient is set to 0.1 because, under common communication disturbances such as network latency jitter and CPU load changes, the real-time fluctuation of the device communication behavior improvement Mahalanobis distance is constrained within a reliable threshold. Within 10%, this ratio can fully cover the normal numerical drift caused by inherent communication noise of the equipment, normal network fluctuations and controllable load disturbances, taking into account both the anti-interference ability of behavior status determination and the sensitivity of anomaly detection.

[0090] Action space of Markov decision models This is the set of security control commands executable on this end, defined as follows: .

[0091] The state transition probability P of the Markov decision model Representation in state Take action below Later transitioned to a new state The probability of state transition is calculated by statistically normalizing the behavioral state time-series data of historical reliable communication sessions. First, based on multiple sets of baseline device behavioral state sequences collected during the model training phase, no less than 30 sets, preferably 50-100 sets, combined with state evolution records under different decision actions, the actual frequency of transitions from the current state s to each target state s' after the execution of action a is statistically analyzed. Then, the total frequency is obtained by summing all transition frequencies under the action and state combination. The frequency of a single type of transition is calculated as the ratio to the total transition frequency to complete the frequency normalization process, and finally, the probability value of the corresponding state transition is obtained. At the same time, the probability value is adaptively corrected by combining the first-order difference fluctuation amplitude of behavioral features and the stability coefficient of the shrinkage covariance matrix, so that the state transition probability conforms to the dynamic change law of the device's real-time communication behavior, rather than a fixed static probability assignment.

[0092] The reward function R, For single-step instant rewards, considering security benefits, business costs, and behavioral risks, a weighted portfolio is constructed, specifically as follows: .in, + + =1. (If the action interrupts a real attack) or (If the attack is missed during the action); , For action The preset service cost weights are preferably C(hold)=0, C(alarm)=1, C(rate limiting)=3, C(key update)=5, C(disconnect)=10; The cost of behavioral risk is proportional to the square of the deviation from the expected behavior at the next moment. The proportionality coefficient makes the decision-making strategy tend to reduce behavioral deviation in the long run.

[0093] This step employs a hierarchical reinforcement learning architecture based on task decomposition, with the top-level objective being the root task. For dynamic safety control. To reduce learning complexity, the root task is decomposed into two subtasks with different focuses: Risk mitigation and Business maintenance. High-level strategy. Based on the current state Select call or ,when When activated, its objective focuses on rapidly suppressing risk. When activated, its objective focuses on ensuring business continuity.

[0094] It should be noted that the selection call or ,when =High-risk situation: Regardless of the trend, the area is clearly in a risk zone. At this point, the subtask must be invoked immediately. Risk mitigation involves initiating strong control actions such as key updates and disconnection to quickly suppress the risk. =Suspicious: The system is in a state requiring vigilance; decisions must be made in conjunction with risk trends. If =Rising: This indicates that behavioral deviations are intensifying and risks are escalating. Subtasks should be invoked. Preventive control measures, such as alerts and flow restrictions, should be implemented to prevent the situation from evolving into a "high-risk" state. If... =Stable or Decreasing: Indicates that while the behavioral deviation has not been eliminated, it has not worsened or has improved. Callable Subtasks Prioritize ensuring business continuity while maintaining monitoring, and avoid unnecessary control actions that could interfere with normal communication. =Under normal circumstances: The system is in a safe zone. The core objective at this time is to maintain efficient communication: If =Stable or declining: Behavior is good and stable. Subtasks should be invoked. Maintain the current strategy; no additional control is required. =Rising: Although currently safe, risk indicators have shown signs of increasing. As a conservative but lightweight precaution, subtasks can be invoked. However, internal strategies can be configured to increase monitoring frequency or prepare for early warnings. In standard designs, this is usually still handled by... The issue was addressed because its "upward" trend remained within the safe threshold.

[0095] Each subtask It contains a strategy Used to select specific atomic control actions when a subtask is activated. The subtask evaluation function is iteratively updated through temporal difference learning. ,in To perform atomic actions Expected one-step instant reward For subtask completion functions, it means that in the subtask status Next action After that, continue to follow the strategy. The expected cumulative discount reward for completing sub-tasks.

[0096] By maximizing long-term cumulative discount rewards , Let be the long-term cumulative discounted total return at time t. For the summation index, Indicates the future The policy eventually converges to the optimal policy based on the instantaneous reward at each step. Discount factor The present value used to measure future rewards.

[0097] At each monitoring moment The agent, based on the current state With the optimal strategy Output optimal control action This action The drift correction result is sent to the encrypted encapsulation channel actuator to dynamically adjust the security policy or connection status, thereby completing the correction of behavior drift and the control of channel risks.

[0098] It should be noted that the improved Markov decision model upgrades the traditional single decision-making process into a hierarchical reinforcement learning architecture. This architecture includes a high-level scheduling strategy and two underlying sub-tasks with different focuses: risk mitigation and business maintenance. Based on this, a discretized state space that conforms to the logic of the security domain is defined, such as combining behavioral deviation levels and trends, explicit sets of atomic actions such as five levels of control from maintaining to disconnecting, and a reward function that integrates multi-objective trade-offs. Furthermore, the model designs a decompositional evaluation function for each sub-task to distinguish between immediate rewards and the long-term value of completing the sub-task, thereby achieving adaptive behavior and real-time drift correction of encrypted channels.

[0099] The motion records and state trajectories generated by the drift correction results during the above correction process will be transmitted to the communication peer as key session context information, along with the session binding factor.

[0100] The peer end of the communication device performs a decryption process based on the session binding factor and drift correction results, thereby achieving end-to-end encrypted transmission. Specifically, during the stable operation of the encrypted encapsulation channel, the local end synchronously provides the peer end with the drift correction results generated by its decisions, i.e., the optimal control action and its related state trajectory, as key session context information. Before formally decrypting the application layer data, the peer end needs to execute a trusted decryption and anomaly isolation process. This process requires the peer end to make a comprehensive judgment based on the following three elements: session binding information: authentication information carried in the message and derived from the session binding factor; risk correction record: drift correction results synchronously provided by the local end, characterizing the dynamic changes in risk status during the session; locally stored communication behavior basis vector: the legitimate behavior benchmark stored by the peer end and corresponding to the local end. Only when the session binding relationship, behavior source attribute, and behavior drift trajectory during transmission of the message all pass the comparison with the basis vector and meet the consistency verification requirements are they allowed to enter the normal decryption process.

[0101] If a message is detected to have a valid encryption form but exhibits a break in session binding continuity or a mismatch between its behavioral characteristics and the session evolution trajectory reflected in the drift correction record, the receiving end (the peer) will not directly reject all data. Instead, it will be transferred to an anomaly isolation zone for layered inspection, where the control fields, status fields, and service fields of the message will be independently verified. This aims to distinguish between local, temporary anomalies caused by network disturbances and session hijacking or contamination caused by the insertion of forged nodes, avoiding disruption to normal communication service continuity due to simply discarding data. After completing trusted decryption, the receiving end will also generate a trusted receipt for this round of session and feed back the validity determination information from this decryption process to the behavioral fingerprint correction process for the next round of communication, used for adaptive updates of the communication behavior basis vector reference boundary in subsequent sessions.

[0102] This establishes a complete technical chain, encompassing behavioral fingerprint foundation construction, implicit identity verification, session-bound encrypted transmission, behavioral drift dynamic correction, and trusted decryption closed-loop feedback. This upgrades end-to-end data encryption from simple ciphertext transmission to an encrypted transmission mode based on continuous trusted constraints of real communication objects, effectively enhancing the system's anti-spoofing, anti-replay, and continuous secure transmission capabilities in complex network environments.

[0103] It should be noted that, in this document, relational terms such as "first" and "second" are used merely to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitations, the phrase "comprising an element defined as..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes said element.

[0104] Although embodiments of the invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made to these embodiments without departing from the principles and spirit of the invention, the scope of which is defined by the appended claims and their equivalents.

Claims

1. An end-to-end encrypted data transmission method, characterized in that: Includes the following steps: Step S1: Conduct probe message experiments on the encrypted communication device, and establish communication behavior basis vectors based on the feature data in the probe message experiments; Step S2: Collect the real-time interactive communication vectors of the communication devices, calculate the degree of difference between the real-time interactive communication vectors and the communication behavior basis vectors using the improved Mahalanobis distance method, obtain the degree of communication difference, compare the degree of communication difference with a preset threshold, and obtain the implicit identity verification result. Step S3: Based on the implicit identity verification result, combine the real-time interactive communication vector and the degree of communication difference to obtain the session binding factor, and establish an encrypted encapsulation channel based on the session binding factor; Step S4: Collect the real-time behavior feature vector of the encrypted encapsulation channel, input the real-time behavior feature vector into the improved Markov decision model, and output the drift correction result. The other end of the communication device performs the decryption process based on the drift correction result, thereby realizing end-to-end encrypted transmission.

2. The end-to-end encrypted data transmission method according to claim 1, characterized in that: The probe message experiment on the encrypted transmission communication device includes the following specific steps: The communication device executes N preset probe message experiments in a pre-established trusted network link, where N is the total number of probe message experiments, and each probe message experiment contains... Secondary probe interaction.

3. The end-to-end encrypted data transmission method according to claim 2, characterized in that: The establishment of communication behavior basis vectors based on feature data from probe message experiments includes the following steps: After the nth probe message experiment, for n=1,2,...,N, the sample feature vector of the nth probe message experiment is obtained. ; After all N probe message experiments are completed, a set of sample feature vectors is obtained; Based on the set of sample feature vectors, the communication behavior basis vector B is calculated.

4. The end-to-end encrypted data transmission method according to claim 3, characterized in that: The modified Mahalanobis distance method is used to calculate the degree of difference between the real-time interactive communication vector and the communication behavior basis vector, and to obtain the degree of communication difference, including the following steps: Collect real-time interactive communication vectors , = ,in For the feature dimension of real-time interactive communication vectors, Represents the first in the real-time interactive communication vector Real-time observations of each feature; Calculate the initial sample covariance matrix; Construct a shrinkage covariance matrix based on the initial sample covariance matrix; Calculate real-time interactive communication vectors To communication behavior basis vectors The Mahalanobis distance Distance is calculated using the following formula: ; Distance represents the degree of communication difference. To shrink the covariance matrix, The number of feature values ​​greater than or equal to the smoothing threshold. This is the regularization parameter.

5. The end-to-end encrypted data transmission method according to claim 4, characterized in that: The calculation of the initial sample covariance matrix includes the following steps: Standardize the set of sample feature vectors; calculate the initial sample covariance matrix based on the standardized set of sample feature vectors. : ; in, For the first The standardized sample feature vector of the probe message experiment, where T is the transpose symbol.

6. The end-to-end encrypted data transmission method according to claim 5, characterized in that: The shrinkage covariance matrix includes the following steps: Calculate the sample covariance matrix All eigenvalues ​​and the mean of the eigenvalues ; The eigenvalues ​​are compared with preset regularization parameters and smoothing thresholds to perform regularization and smoothing on the initial sample covariance matrix, ultimately yielding a shrunken covariance matrix.

7. The end-to-end encrypted data transmission method according to claim 6, characterized in that: The process of combining real-time interactive communication vectors and communication difference levels to obtain a session binding factor includes the following specific steps: Based on real-time interactive communication vector And the degree of communication difference Calculate session binding factor : ; in () represents the cryptographic hash function, and || represents data concatenation.

8. The end-to-end encrypted data transmission method according to claim 7, characterized in that: The establishment of the encrypted encapsulation channel based on the session binding factor is specifically as follows: The session encryption key is calculated using a standard key derivation function based on the session binding factor. With message authentication key ; The local end of the communication device uses a session encryption key. With message authentication key Establish an encrypted encapsulation channel.

9. The end-to-end encrypted data transmission method according to claim 8, characterized in that: The process of inputting real-time behavioral feature vectors into an improved Markov decision model and outputting drift correction results includes the following specific steps: Construct an improved Markov decision process model; The real-time behavioral feature vectors are input into the improved Markov decision model, and the evaluation function of the improved Markov decision model is iteratively updated through temporal difference learning. ; in To perform atomic actions Expected one-step instant reward For subtask completion functions, it means that in the subtask status Next action After that, continue to follow the strategy. The expected cumulative discount reward for completing sub-tasks. This represents the subtask evaluation function. Representation strategy, This represents the i-th strategy; The final output is the drift correction result.

10. The end-to-end encrypted data transmission method according to claim 9, characterized in that: The construction of the improved Markov decision process model specifically involves: The improved Markov decision process model includes quintuples. In a hierarchical reinforcement learning architecture, S represents the state space, A represents the action space, P represents the state transition probability, and R represents the reward function. This is the discount factor.