Network defense deployment updating method and device based on attack behavior monitoring and prediction

By monitoring network behavior data and extracting attack features and predicting trends, the defense strategy is dynamically adjusted, solving the problems of response delay and defense blind spots in the face of distributed attacks in honeypot systems. This enables real-time identification and proactive defense against attack behaviors, improving the flexibility and interception efficiency of the defense strategy.

CN122339831APending Publication Date: 2026-07-03INFORMATION & COMMNUNICATION BRANCH STATE GRID JIANGXI ELECTRIC POWER CO +1

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
INFORMATION & COMMNUNICATION BRANCH STATE GRID JIANGXI ELECTRIC POWER CO
Filing Date
2026-05-22
Publication Date
2026-07-03

Smart Images

  • Figure CN122339831A_ABST
    Figure CN122339831A_ABST
Patent Text Reader

Abstract

This invention provides a method and apparatus for updating network defense deployment based on attack behavior monitoring and prediction. The method includes: monitoring behavioral data in the target network and detecting attack behaviors to generate attack behavior descriptions; extracting attack behavior features, obtaining raw behavioral data, extracting and generating multi-dimensional attack feature vectors; calculating attack trend features of attack events, and inferring attack behavior change trends based on attack trend features and multi-dimensional attack feature vectors to construct predicted attack trajectories; quantitatively evaluating attack intensity indicators and behavioral discrete indicators of the predicted attack trajectories to generate attack impact risk values, and determining them as risk trajectories; dividing key interaction nodes on the risk trajectory into multiple response segments according to attack flow logic, modifying the response segments to construct dynamic defense strategies to update the defense deployment in the target network. This method constructs a new network defense strategy deployment and update process, significantly improving the guidance and behavioral interference capabilities of decoy strategies.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of network security technology, and in particular to a method and apparatus for updating network defense deployment based on attack behavior monitoring and prediction. Background Technology

[0002] As cyberattack methods continue to evolve towards greater concealment, automation, and collaboration, traditional defense systems are showing significant shortcomings when facing complex attack scenarios such as advanced persistent threats (APTs), multi-hop penetration, and cross-domain lateral movement, including slow response, difficulty in tracing the source, and high false alarm rates.

[0003] To address the challenges faced by defense systems, honeypot technology has been widely deployed as a proactive deception and inducement defense method. Honeypots simulate real service or system environments, enticing attackers to expose their attack tools, methods, and intentions, while simultaneously recording attack behavior completely without affecting real business operations. This provides crucial data support for intrusion detection, attack attribution, and threat intelligence generation.

[0004] Dynamically updating defense deployments based on attack behavior detected by honeypots has become a research hotspot. However, existing honeypot detection technologies have the following drawbacks: Most honeypot systems adopt a single-point independent deployment or a simple log aggregation mode. When attackers use distributed probing or multi-hop attack patterns, each node captures only partial behavioral fragments, and the information between nodes cannot be effectively integrated. This makes it easy for attackers to exploit information blind spots, resulting in response delays and defense blind spots. Existing detection mechanisms are mostly based on rule matching or static signatures, which cannot adapt to the adversarial strategies employed by attackers, such as time delays, behavioral obfuscation, and rhythm changes. They lack the ability to proactively predict and infer the evolution of attack behavior trends, often triggering alarms only after the attack has caused substantial damage. Even when an intrusion is detected, fixed blocking or alarm responses are usually used, lacking proactive defense against attack behavior, making protective measures easy for attackers to bypass.

[0005] Therefore, it is necessary to propose a defense deployment update method that can adaptively defend against deception attacks. Summary of the Invention

[0006] The purpose of this invention is to provide a method and apparatus for updating network defense deployment based on attack behavior monitoring and prediction, so as to improve the proactive protection capability and countermeasure flexibility of the defense strategy.

[0007] In a first aspect, the network defense deployment and update method based on attack behavior monitoring and prediction provided by this invention includes: monitoring behavioral data in the target network and detecting attack behaviors; generating attack behavior descriptions based on the behavioral data corresponding to the attack behaviors; extracting attack behavior features based on the attack behavior descriptions; obtaining corresponding original behavioral data based on the attack behavior descriptions to extract phase transition features; fusing attack behavior features and phase transition features to generate a multi-dimensional attack feature vector; setting an analysis window; comprehensively analyzing the attack behavior features within the window to calculate the attack trend features of the attack events; learning the patterns and rules of the attack trend features and multi-dimensional attack feature vectors based on time series analysis technology and making predictions to obtain predicted attack features for subsequent time segments; and deducing the attack behavior change trend based on the predicted attack features and current attack features. The attack behavior change trends are integrated to construct a predicted attack trajectory. Based on the predicted attack trajectory, an attack intensity index in the time domain is calculated to quantify the concentration and impact of attack behavior on the time axis, and a behavior dispersion index in the frequency domain is calculated to quantify the sparsity of attack events in the frequency domain. The attack intensity index and the behavior dispersion index are fused to obtain an attack impact risk value. Predicted attack trajectories with attack impact risk values ​​greater than a preset threshold are identified as risk trajectories. Key interaction nodes on the risk trajectory are extracted, and key interaction nodes are divided into multiple response segments according to the attack flow logic. The response sequence of the response segments is rearranged according to the service value of each response segment, and the response logic is modified according to predefined perturbation operations to construct a dynamic defense strategy. The defense deployment in the target network is updated according to the dynamic defense strategy.

[0008] The beneficial effects of the network defense deployment and update method based on attack behavior monitoring and prediction provided by this invention are as follows: Addressing the problem of static and rigid network defense strategy deployment and response strategies, a new network defense strategy deployment and update process is constructed. This process improves the real-time performance and robustness of attack intent identification by identifying attack behavior characteristics based on behavior sequences and estimating the state of attack phase transition characteristics based on meta-traffic analysis, while integrating system calls and network data. Furthermore, it predicts attack evolution trends and judges risk trajectories, performing proactive assessments and judgments during the attack's progression. This allows for the early identification of potential high-risk attack chains, effectively improving interception timeliness. Finally, through response fragment decomposition and dynamic defense strategy design, it enhances the ability to guide attacker paths and interfere with their behavior, avoiding the problems caused by the templated and unvariable nature of baiting behaviors.

[0009] In one possible embodiment, extracting attack behavior features based on the attack behavior description includes: performing temporal encoding on the behavior sequence in the attack behavior description, calculating the phase transition probability, behavior density temporal sequence, and key operation proportion of the attack behavior based on the encoded sequence, and generating an attack behavior feature vector; obtaining the corresponding original behavior data based on the attack behavior description to extract phase transition features includes: obtaining network traffic mirror data, extracting meta-features from the network traffic mirror data based on the meta-traffic in the attack behavior description, constructing an attack path graph based on the meta-features, learning the topological features of nodes based on the attack path graph, and aggregating to generate a phase transition feature vector.

[0010] In another possible embodiment, calculating the attack intensity index in the time domain based on the predicted attack trajectory includes: defining a time window, dividing the timestamp sequence of attack events in the predicted attack trajectory into continuous sub-windows based on the time window, calculating the attack intensity index within the sub-window based on the division of the sub-windows, and extracting the maximum attack intensity index in all sub-windows or calculating the average attack intensity index within the analysis window as the attack intensity index in the time domain; calculating the behavioral discrete index in the frequency domain based on the predicted attack trajectory includes: transforming the time interval sequence of attack events in the predicted attack trajectory to obtain the spectrum, analyzing the spectrum energy distribution and extracting the main frequency energy ratio and spectrum entropy, and calculating the behavioral discrete index in the frequency domain.

[0011] In other possible embodiments, rearranging the response timing of response segments according to the value of each response segment service includes: rearranging the response timing of response segments based on the attacker's historical behavior patterns and service dependencies to generate a service exposure sequence; during the generation of the service exposure sequence, comparing the value of each response segment service, adjusting the exposure timestamp of high-value services to be earlier than that of low-value services based on the comparison results, and adding a timing offset to each response segment; modifying the response logic according to predefined perturbation operations includes: for the original response template of each response segment, randomly selecting perturbation operations according to a predefined perturbation strategy library to perturb the response logic of the response segment.

[0012] Each response fragment corresponds to a defense interaction unit; the response fragment includes a service identifier, interaction type, and original response template; the defense interaction unit includes a simulated database management interface, a disguised API interface, simulated response results, and redirected simulation resources; the defense interaction unit is used to adjust the processing sequence and logic of the response fragment.

[0013] Monitor behavioral data in the target network and detect attack behaviors. Generate attack behavior descriptions based on the behavioral data corresponding to the attack behaviors, including: monitoring behavioral data in the target network; when an operation matching the characteristics of intrusion behavior is detected in the behavioral data, extracting multi-dimensional features from the behavioral data; when any dimension feature exceeds a preset warning threshold, determining that an attack behavior has been detected; and extracting information from the behavioral data corresponding to the attack behavior according to the set field items to generate an attack behavior description.

[0014] Attack characteristics include attack intensity, attack path, and tactical type; attack characteristic transfer factors are derived by extrapolating the trend of attack behavior changes based on predicted and current attack characteristics, including extrapolated changes in attack intensity, path switching probability, and potential tactical transfer factors.

[0015] Secondly, this invention also provides a network defense deployment and update device based on attack behavior monitoring and prediction, comprising: an attack behavior detection unit, used to monitor behavioral data in a target network and detect attack behaviors, and generate an attack behavior description based on the behavioral data corresponding to the attack behaviors; a multi-dimensional feature fusion unit, used to extract attack behavior features based on the attack behavior description, obtain corresponding original behavioral data based on the attack behavior description to extract phase transition features, and fuse the attack behavior features and phase transition features to generate a multi-dimensional attack feature vector; and an attack trajectory prediction unit, used to set an analysis window, comprehensively analyze the attack behavior features within the analysis window to calculate the attack trend features of the attack event, learn the patterns and rules of the attack trend features and multi-dimensional attack feature vector based on time series analysis technology and make predictions to obtain the predicted attack features for subsequent time segments, and deduce the attack trajectory based on the predicted attack features and the current attack features. The attack behavior trend analysis unit integrates these trends to construct a predicted attack trajectory. A risk trajectory determination unit calculates an attack intensity index in the time domain to quantify the concentration and impact of attack behavior over time, and calculates a behavior dispersion index in the frequency domain to quantify the sparsity of attack events. The attack intensity index and behavior dispersion index are then fused to obtain an attack impact risk value. Predicted attack trajectories with an attack impact risk value exceeding a preset threshold are identified as risk trajectories. A defense deployment update unit extracts key interaction nodes from the risk trajectory, divides these nodes into multiple response segments according to the attack flow logic, rearranges the response sequence of each segment based on its service value, and modifies the response logic according to predefined perturbation operations to construct a dynamic defense strategy. The defense deployment in the target network is then updated based on this dynamic defense strategy.

[0016] For the beneficial effects of the second aspect mentioned above, please refer to the description of the first aspect mentioned above. Attached Figure Description

[0017] Figure 1A flowchart illustrating a network defense deployment and update method based on attack behavior monitoring and prediction, provided in an embodiment of the present invention;

[0018] Figure 2 A schematic diagram of a network defense deployment and update device based on attack behavior monitoring and prediction provided in an embodiment of the present invention;

[0019] Figure 3 This is a schematic diagram of an electronic device structure provided in an embodiment of the present invention. Detailed Implementation

[0020] To make the objectives, technical solutions, and advantages of this invention clearer, the technical solutions in the embodiments of this invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of this invention. All other embodiments obtained by those skilled in the art based on the embodiments of this invention without inventive effort are within the scope of protection of this invention. Unless otherwise defined, the technical or scientific terms used herein should have the ordinary meaning understood by those skilled in the art. The terms "comprising" and similar expressions used herein mean that the element or object preceding the word covers the element or object listed following the word and its equivalents, but do not exclude other elements or objects.

[0021] This embodiment provides a method and apparatus for deploying and updating network defenses based on attack behavior monitoring and prediction.

[0022] See Figure 1 Network defense deployment and update methods based on attack behavior monitoring and prediction include:

[0023] S101: Monitor behavioral data in the target network and detect attack behaviors, and generate attack behavior descriptions based on the behavioral data corresponding to the attack behaviors.

[0024] In one possible embodiment, a network security protection system with distributed honeypots is deployed in the target network to form a multi-source honeypot collaborative monitoring system. Distributed honeypots refer to multiple honeypot nodes deployed at network boundaries, terminals, or intermediate network segments. The honeypot nodes continuously monitor network traffic and system behavior within the synchronization cycle of the network protection cycle. If an operation matching the characteristics of intrusion behavior (such as lateral scanning, permission probing, or illegal command injection) is detected, and the multi-dimensional characteristics of this behavior exceed a pre-set warning threshold, then the attack behavior generation mechanism is triggered. The warning threshold is usually statically or semi-statically set based on historical baseline data or security policy configuration, and its update frequency is lower than that of dynamic thresholds (such as weekly or monthly adjustments based on threat intelligence).

[0025] In one possible embodiment, monitoring behavioral data in the target network and detecting attack behavior, and generating an attack behavior description based on the behavioral data corresponding to the attack behavior, includes: monitoring behavioral data in the target network; when an operation matching the characteristics of intrusion behavior is detected in the behavioral data, extracting multi-dimensional features from the behavioral data; when any dimension feature exceeds a preset warning threshold, determining that an attack behavior has been detected; and extracting information from the behavioral data corresponding to the attack behavior according to set field items to generate an attack behavior description.

[0026] In a specific embodiment, honeypot nodes collect raw behavioral data from the target network using multi-dimensional probe metrics such as traffic mirroring analysis, system call auditing, and command-line behavior tracing. From this raw behavioral data, multi-dimensional key feature metrics are extracted, including but not limited to: the frequency of connection requests to multiple non-adjacent IPs or ports per unit time (e.g., TCP SYN packet rate, unit: times / minute); calculating the target port distribution entropy value (measuring the randomness of port selection; a high entropy value may indicate indiscriminate scanning); the span of IP segments scanned continuously; counting the number of abnormal login attempts (e.g., failed SSH / RDP logins, distinguishing the cumulative number of failed attempts from the source IP); the frequency of privileged command execution (e.g., sensitive operations such as sudo and netuser, associated with the user's permission level); and the anomalies of login time (e.g., concentrated login attempts outside of working hours); recording illegal command injection characteristics as non-standard character combinations (e.g., the appearance of characters && and | in web form inputs, or malicious payloads after URL encoding); and high-risk command calls (e.g., rm-rf, wget downloading external scripts, or read / write operations on critical system files). The characteristic indicators are calculated using a sliding window statistical method. These indicators are then compared to a warning threshold associated with the current protection cycle. When an indicator exceeds the warning threshold, an event generation mechanism is triggered to generate a corresponding attack behavior description. For example, similar behaviors within the past n seconds / minutes are counted, where the value of n is dynamically adjusted based on the network baseline, with a default initial value of 60 seconds.

[0027] For example, warning thresholds can be set based on historical baseline data, such as using the 95th percentile or mean of similar behaviors over the past 30 days plus two standard deviations as the warning threshold. Warning thresholds can also be set by referencing predefined values ​​in the security policy, such as using a compliance standard in the security policy that requires no more than 5 failed login attempts per hour as the corresponding warning threshold.

[0028] When a feature indicator in a certain dimension is detected to exceed the warning threshold, information is extracted from the behavioral data corresponding to the attack behavior according to the set fields to generate a standardized attack behavior description (IED). The core fields of the attack behavior description include: source IP address, associated geographical location, and behavior session ID; specific attack behavior type matched from a predefined classification library and labeled behavior sub-category; detailed parameters of the behavior that triggered the intrusion time, specific commands for permission probing, complete call chain of illegal commands, and related operations before and after the trigger time; the running status of the honeypot node itself, network interface load, current protection policy, and enabled decoy dataset version when the attack behavior is triggered.

[0029] S102: Extract attack behavior features based on attack behavior description, obtain corresponding raw behavior data according to attack behavior description to extract stage transition features, and fuse attack behavior features and stage transition features to generate a multi-dimensional attack feature vector.

[0030] In one possible embodiment, dual-channel feature extraction is performed based on attack behavior descriptions, specifically a Sequence Feature Analysis (SFAC) channel and a Meta-Traffic Path Analysis (MPAC) channel. The two channels achieve spatiotemporal alignment of observation data by sharing the same Time Anchor Window (UTAW). UTAW is set based on high-precision timestamps in the attack behavior descriptions, specifically: a preset duration is used as a sliding window, and the starting point of the time anchor window is aligned with the IED timestamp; the preset duration can be a fixed preset duration or dynamically adjusted to the median of the average attack interval of the current network traffic. The setting of sharing the same time anchor window for both channels ensures that the observation data processed by both channels covers the same attack period, avoiding misjudgments of behavior status due to time offsets.

[0031] The attack behavior features are extracted based on the attack behavior description through the sequence feature analysis channel. This includes: temporal encoding of the behavior sequence in the attack behavior description, calculating the stage transition probability, behavior density temporal sequence and key operation proportion of the attack behavior based on the encoded sequence, and generating an attack behavior feature vector.

[0032] In one possible embodiment, the behavioral sequences in the attack behavior description are temporally encoded, mapping each discrete behavior to a predefined semantic label s (e.g., reconnaissance behavior = 1, scanning behavior = 2, permission probing = 3), and the time interval Δt between behaviors is recorded. Local sequence features are extracted using a sliding window, including stage transition probability, behavior density temporal features, and the proportion of key operations. The stage transition probability is calculated based on the Markov property of historical attack case libraries or the behavioral sequences within the current window, determining the probability of transitioning from the current behavior stage to the next stage; the behavior density temporal features... The formula for calculating the number of behavioral events per unit time within the time anchoring window satisfies: , This indicates the number of actions within the time-anchored window; the percentage of critical operations. The proportion of high-risk behaviors (such as privileged command execution and vulnerability exploitation attempts) within the total number of behaviors in the time anchoring window is calculated using the following formula: , Counting high-risk behaviors.

[0033] In a specific embodiment, the calculation logic for the stage transition probability is as follows: given the encoded sequence within the time anchoring window as S={ , ,..., ,..., }, For behavioral semantic tags, This represents the number of behavioral events within the time anchoring window. The stage transition probability is determined by the ratio of the frequency of occurrence of all adjacent behavioral pairs within the statistical time anchoring window to the total number of occurrences of the behavior.

[0034] The stage transition probability is calculated according to the following formula: ,in, Indicates from the behavioral stage Shift to behavioral stage The stage transition probability, and For adjacent actions, Indicates adjacent behavior pairs The frequency of occurrence Indicates behavior Total number of occurrences.

[0035] In a specific embodiment, the attack behavior features output by the sequence feature analysis channel are represented as an attack behavior feature vector in the following form: The attack behavior feature vector describes the attacker's tactical phase and behavioral dynamics within the current window.

[0036] In one possible embodiment, stage transition features are extracted based on attack behavior descriptions through a meta-traffic path analysis channel, including: acquiring network traffic mirror data; extracting meta-features from the network traffic mirror data based on the meta-traffic in the attack behavior description; constructing an attack path graph based on the meta-features; learning the topological features of nodes based on the attack path graph; and aggregating them to generate a stage transition feature vector.

[0037] In one specific embodiment, network traffic mirroring data is acquired. Based on the meta-traffic in the attack behavior description, meta-traffic records related to the IED attack source identifier are filtered from the network traffic mirroring data, and key meta-features are extracted. The extracted key meta-features include: the number of different destination IPs accessed by the attacker's IP within UTAW. (For example, the transition from 192.168.1.10 to 192.168.2.20 to 10.0.0.5 is considered as two hops); changes in the network zone type of the destination IP. (e.g., the number of traversals from the external network to the internal network, determined by predefined network partition labels); the sequence of changes in protocol type or destination port of adjacent traffic packets. This reflects the diversity of access methods attempted by attackers. Each destination IP is treated as a graph node, traffic connections as edges, and edge weights are determined by the number of traffic packets or session duration. An attack path graph G=(V, E) is constructed, where V is the set of nodes and E is the set of edges. The topological features of each destination IP (such as centrality and hop distance to honeypot nodes) are learned using GNN node embedding techniques, and these features are aggregated to obtain a stage transition feature vector. Phase transition characteristics describe an attacker's trajectory and target selection tendencies within the network.

[0038] In one possible embodiment, fusing the extracted features to generate a multidimensional attack feature vector (MEV) includes: under UTAW synchronization constraints, generating a fused multidimensional attack feature vector (MEV) by using an attention mechanism or weighted summation to combine the attack behavior feature vector and the phase transition feature vector. The dimensions of the MEV include: the probability distribution of attack intent type (e.g., data theft, privilege escalation, destructive operations) (obtained based on the MITREATT&CK tactical target mapping); the confidence level of the current attack phase; the priority of potential target nodes; and the attack urgency index.

[0039] The first multidimensional attack feature vector The dimensional component calculation satisfies the following formula: ,in, and To merge weights, and ; A normalization function representing the characteristics of attack behavior; This is a normalization function for the stage transition characteristics; Dimension index for MEV; The first element representing the feature vector of attack behavior Dimensional features; The first characteristic vector representing the stage transition feature vector Multidimensional features. Multidimensional attack feature vectors can integrate key information from both channels to generate a global quantitative description of the attack intent.

[0040] S103: Set up an analysis window, comprehensively analyze the attack behavior characteristics within the window to calculate the attack trend characteristics of the attack event, learn the patterns and rules of the attack trend characteristics and multi-dimensional attack feature vectors based on time series analysis technology and make predictions to obtain the predicted attack characteristics of subsequent time segments, infer the attack behavior change trend based on the predicted attack characteristics and the current attack characteristics, and integrate the attack behavior change trend to construct the predicted attack trajectory.

[0041] In one possible embodiment, setting the analysis window includes setting the length of the analysis window and the sliding time step: the length of the analysis window determines the time range of the analysis, which is usually determined based on the average interval of attack events and the dynamic characteristics of the network environment, for example, it can be set to the past 10 minutes, 30 minutes, or dynamically adjusted according to the real-time situation; the analysis window slides at fixed time intervals. Slide. This refers to the sliding time step, which can be set to 1 minute or 5 minutes. Attack event characteristics within the statistical analysis window include the frequency, intensity, and target of statistical attack events. The attack event characteristics are analyzed to calculate attack trend characteristics, specifically including the rate of change of attack frequency and the growth trend of attack intensity. The calculation of the attack trend feature vector is based on the statistical analysis of attack event data within the time window, obtained through operations such as differencing and differentiation on the time series data of the attack events.

[0042] In one specific embodiment, an attack trend feature vector is introduced to accurately describe behavioral trends. elements This represents the value of the i-th attack trend feature, such as... Indicates the rate of change of attack frequency. This indicates an increasing trend in attack intensity.

[0043] For example, This can be achieved by calculating the difference between the attack frequency in the current time window and the attack frequency in the previous time window, divided by the time interval. To obtain, that is , The rate of change of attack frequency reflects how frequently attack events change within a unit of time. This represents the attack frequency within the current time window, i.e., the number of attack events that occur per unit of time. This represents the attack frequency within the previous time window; The time step is the sliding time window. By calculating the ratio of the difference in attack frequency within adjacent time windows to the time step, the degree of change in attack frequency per unit time is quantified, thereby capturing the trend characteristics of attack behavior in the frequency dimension.

[0044] Based on time series analysis technology, we learn the patterns and rules of attack trend characteristics and multi-dimensional attack feature vectors and make predictions to obtain the predicted attack characteristics of subsequent time segments. Based on the predicted attack characteristics and current attack characteristics, we infer the attack behavior change trend to obtain attack feature transfer factors for analyzing the attack behavior feature change trend. Attack feature transfer factors include behavior intensity changes, path switching probability, and potential tactical transfer factors.

[0045] Temporal analysis techniques include Autoregressive Integrated Moving Average (ARIMA) models and Long Short-Term Memory (LSTM) networks. In a specific embodiment, taking the use of LSTM to predict attack behavior characteristics in future time segments as an example, temporal analysis and prediction of attack characteristics are constructed based on attack trend characteristics and multi-dimensional attack feature vectors. This includes: using the attack trend feature vector and multi-dimensional attack feature vector as input to the LSTM model, with the input sequence length being the length of the analysis window. The LSTM model learns patterns and regularities in the input sequence to predict attack behavior characteristics in subsequent time segments. Attack characteristics include attack intensity, attack path, and tactical type. The LSTM model outputs a predicted sequence. , elements Indicates the first Predicted attack features within a time segment.

[0046] Comparing the changes in attack characteristics across different time segments to calculate attack characteristic transfer factors is used to analyze attack characteristic change trends. These factors include changes in attack intensity, path switching probability, and potential tactical transfer factors. Specifically, changes in attack intensity are obtained by calculating the difference between the predicted attack intensity and the current attack intensity. , Indicates changes in attack intensity. This indicates the predicted attack strength for the next time segment. This represents the attack intensity within the current time segment, and the difference in attack intensity between adjacent time segments (i.e., the change in attack intensity). It intuitively shows the trend of attack behavior in the dimension of intensity, which helps to determine whether the intensity of the attack is increasing or decreasing. The path switching probability is obtained by analyzing the changes in the predicted attack path. For example, the probability of a path different from the current attack path appearing in the predicted attack path is used as an estimate of the path switching probability. Potential tactical transfer factors are determined by analyzing the combination and change patterns of predicted attack features. For example, when the attack behavior intensity increases and the attack path changes, it may mean that the attacker has adopted a new tactic.

[0047] By integrating changes in attack intensity, path switching probability, and potential tactical shift factors, we can create the Predicted Attack Trajectory (AETD). Presented as a time series, AETD describes the development trends and patterns of attack behavior over multiple future time segments. Predicted attack trajectories will serve as a crucial basis for cybersecurity defense decisions, guiding the adjustment and optimization of dynamic defense strategies, such as proactively deploying defense resources and adjusting access control policies to address potential attack threats.

[0048] S104: Based on the predicted attack trajectory, calculate the attack intensity index in the time domain to quantify the concentration and impact intensity of the attack behavior on the time axis, calculate the behavior dispersion index in the frequency domain to quantify the distribution sparsity of the attack events in the frequency domain, and fuse the attack intensity index and behavior dispersion index to obtain the attack impact risk value. The predicted attack trajectory with the attack impact risk value greater than the preset threshold is determined as the risk trajectory.

[0049] In one possible embodiment, calculating the attack intensity index in the time domain based on the predicted attack trajectory includes: defining a time window, dividing the timestamp sequence of attack events in the predicted attack trajectory into consecutive sub-windows based on the time window, calculating the attack intensity index within the sub-window based on the division of the sub-windows, and extracting the maximum attack intensity index in all sub-windows or calculating the average attack intensity index within the analysis window as the attack intensity index in the time domain.

[0050] The calculation of behavioral discrete indicators in the frequency domain based on the predicted attack trajectory includes: transforming the time interval sequence of attack events in the predicted attack trajectory to obtain the spectrum, analyzing the spectrum energy distribution and extracting the main frequency energy ratio and spectrum entropy, and calculating the behavioral discrete indicators in the frequency domain.

[0051] In one specific embodiment, the Attack Intensity Index (AID) is used to quantify the concentration and impact of attack behavior over time, reflecting the cumulative effect of attack energy per unit time. Calculating the Attack Intensity Index over the time domain includes defining a time window. Based on the time window, the timestamp sequence of attack events in the predicted attack trajectory is divided into consecutive sub-windows. For each child window The total number of attack events within the statistics window is counted, and the total attack intensity is calculated. , This represents the set of event indices within the window. Indicates the first The impact weight of each event; the attack strength index of the window is obtained by calculating the average impact intensity per unit time within the sub-window: , Indicates the first Attack intensity metrics within each time window. By normalizing the total impact intensity within the window to eliminate the influence of the time window length, this directly reflects the energy accumulation of the attack within a short period. Finally, the maximum AID value is extracted from all sub-windows. As a representative indicator of attack intensity over the time domain (reflecting the period of most intense attack), or the average AID within the calculation and analysis window. As an indicator of attack intensity in the time domain (reflecting the overall impact intensity level in the time domain).

[0052] For example: Suppose that the timestamp sequence of attack events within a certain period of time is { , , , , }, the corresponding event impact intensity sequence is { =0.8, =0.5, =0.8, =0.3, =0.5}, set the time window =30 seconds, and divide it into two sub-windows. The first sub-window (k=1) contains the first 3 events, and the second sub-window (k=2) contains the last 2 events. For the sub-windows... The total number of attack events was 3, and the total impact intensity was... For child windows The total number of attack events was 2, and the total impact intensity was... Calculate the Attack Intensity Index (AID) for each sub-window: (Impact strength / second); (Impact intensity / second)

[0053] Maximum AID value across all windows ,Right now (Impact Intensity / Second) reflects the period of most intense attack. To reflect the most intense attack intensity level within the sliding window, select... This is an attack intensity indicator in the time domain. To reflect the overall impact intensity level over the time domain, the mean AID value within the analysis window is calculated. ,Right now (Impact strength / second), select It serves as an attack intensity indicator in the time domain, thereby quantifying the concentration and impact of attack behaviors over time.

[0054] Behavioral Discreteness (BD) metrics are used to quantify the sparsity of attack events in the frequency domain, reflecting the pattern complexity and unpredictability of attack behavior. Calculating BD metrics in the frequency domain involves analyzing the time interval sequence of attack events within the predicted attack trajectory. ( Indicates the time difference between adjacent attack events. The spectrum is obtained by performing a Fast Fourier Transform on the number of attack events. FFT ,in, For frequency components; analyze the spectral energy distribution to extract the dominant frequency energy proportion and spectral entropy to calculate the behavioral discrete index in the frequency domain. The dominant frequency energy proportion is the percentage of energy corresponding to the highest-energy frequency component in the spectrum relative to the total energy (reflecting whether the attack behavior is periodic or regular); spectral entropy... Probability density function based on spectral energy distribution The calculation yielded: The calculation of the discrete behavior index in the frequency domain satisfies the following formula: , Represents the weighting coefficient, and , This indicates the percentage of main frequency energy.

[0055] In one specific embodiment, the fusion of attack strength indicators and behavioral discrete indicators employs a weighted linear model, with time-domain weights applied during the fusion process. and frequency domain weights Determined based on the contribution of time-domain and frequency-domain features in historical attack cases. The calculation of the attack impact risk value satisfies the following formula: norm norm ,in, Indicates the attack risk value; norm The normalized value of the maximum attack strength metric, norm By normalizing the function Mapped to the range of 0 to 1, for example, norm ,in The minimum / maximum value of historical data; norm The normalized value of the behavior discrete index, norm By normalizing the function The attack risk value is obtained by mapping to the range of 0 to 1. The attack impact risk value is obtained by weighted combination of time and frequency domain features to balance the intensity concentration (time domain) and pattern complexity (frequency domain) of the attack, ensuring accurate measurement of complex attacks (such as high-frequency and irregular penetration attempts).

[0056] The attack risk value is compared with the preset protection threshold. In comparison, if If the corresponding attack path is deemed a risky trajectory, the defense strategy will be adjusted; if In this case, only attack events are recorded and continuously monitored. The protection threshold is defined by the security policy based on the network's criticality and can be dynamically adjusted according to real-time network conditions to ensure the adaptability of the defense strategy. For example, the protection threshold can be lowered during peak business periods to increase sensitivity.

[0057] S105: Extract key interaction nodes on the risk trajectory, divide the key interaction nodes into multiple response segments according to the attack flow logic, rearrange the response sequence of the response segments according to the service value of each response segment, and modify the response logic according to predefined perturbation operations to build a dynamic defense strategy, and update the defense deployment in the target network according to the dynamic defense strategy.

[0058] In one possible embodiment, each response fragment corresponds to a defense interaction unit; the response fragment includes a service identifier, an interaction type, and an original response template; the defense interaction unit includes a simulated database management interface, a disguised API interface, a simulated response result, and a redirected simulation resource; the defense interaction unit is used to adjust the processing timing and logic of the response fragment.

[0059] In a specific embodiment, the interaction nodes extracted from the risk trajectory include services accessed by the attacker, potential target resources, and attack behavior patterns. Based on the extracted interaction nodes, all interaction records along the attack path are traversed, resulting in all interaction records from the initial access event to the current high-risk behavior. The risk trajectory is then decomposed into multiple response segments according to the attack flow logic based on these interaction records. Specifically, the response segments are divided according to a triplet rule of service type – attack action – target resource. For example, if the attacker first accesses an HTTP service and submits a login form, and then attempts an SSH brute-force attack, two RFs are generated: RF1 (HTTP login service exposure + fake credential feedback) and RF2 (SSH service exposure + error count incrementing feedback). Each RF contains attributes: service identifier (e.g., IP address), interaction type (e.g., authentication request / command execution), and original response template (e.g., the default return content of the real service). Each of the multiple response fragments (RFs) obtained from the decomposition corresponds to a controllable defense interaction unit. By manipulating the defense interaction unit, the specific processing content of the response fragment can be modified, including a simulated database management interface, a disguised API interface; a fake login success page (containing fake user credential prompts), misleading command execution results (such as a file being downloaded but actually empty); redirection to fake internal network resources (such as a fake financial database server IP 10.0.0.200), and delayed responses to simulate a high-load environment.

[0060] In one possible embodiment, rearranging the response timing of response segments according to the value of each response segment service includes: rearranging the response timing of response segments based on the attacker's historical behavior patterns and service dependencies to generate a service exposure sequence; during the generation of the service exposure sequence, comparing the value of each response segment service, adjusting the exposure timestamp of high-value services to be earlier than that of low-value services based on the comparison results, and adding a timing offset to each response segment; modifying the response logic according to predefined perturbation operations includes: for the original response template of each response segment, randomly selecting perturbation operations according to a predefined perturbation strategy library to perturb the response logic of the response segment.

[0061] In one specific embodiment, the exposure order of RFs is adjusted to simulate atypical service deployment architectures or business processes. The response timing rearrangement is determined based on the attacker's historical behavior patterns (e.g., prioritizing probing common ports 80 / 443) and service dependencies (e.g., databases are typically located on the internal network), and satisfies the following: The value of each response segment service is quantified based on the attacker's historical behavior patterns and service dependencies; the value of each response segment service is compared; and based on the comparison results, the exposure timestamp of high-value services is adjusted to be earlier than that of low-value services (e.g., if the value of the database is higher than that of the static web server, then the database's exposure timestamp is adjusted to be earlier than that of the static web server). Simultaneously, a timing offset is added to each response segment to simulate network latency or service startup time differences. The timing offset is a random value, specifically ranging from 0 to 30 seconds, ultimately generating a non-standard service exposure sequence. , This is the original index for RF.

[0062] For example, in the original attack path, the attacker penetrates in the conventional order of Web front-end → database back-end. After rearrangement, the disguised database management interface is exposed first, and then the Web login page is presented with a delay. For example, if the original path is HTTP(80) → SSH(22) → database(3306), after rearrangement it may become database(3306, t=0s) → HTTP(80, t=15s) → SSH(22, t=30s), in which the database service is exposed in advance and disguised as a test environment with weak passwords.

[0063] In a specific embodiment, the goal of perturbing the response logic is to increase the attacker's decision-making uncertainty by modifying the internal logic of RFs (such as feedback content structure and service response rules). Specific perturbation operations include: tampering with the field order or semantics of a normal response (e.g., replacing "Welcome Administrator" in an HTTP 200 successful response with "Insufficient permissions, please contact IT"), or inserting fake data into command execution feedback (e.g., query result: "User table contains 1000 records" (actually empty)); dynamically adjusting virtual service parameters (e.g., changing the SSH service port from 22 to 2222, but the login interface still prompts the default port 22), or simulating service vulnerabilities (e.g., deliberately exposing a fake login form containing SQL injection vulnerabilities, but the actual input is recorded instead of executed); redirecting the attacker to a fake file with the same name (stored in the isolated storage area of ​​the honeypot node) when attempting to access a specific resource (e.g., / config / database.yml), or returning misleading path prompts (e.g., the target file is located at / backup / db / , requiring administrator privileges to download). Perturbation strategies include feedback content replacement rules and service parameter mutation rules. After the logic disturbance is completed, the RF for login feedback of the SSH service may simultaneously apply the error count increment logic (indicate the remaining number of attempts: X-1 after each failure) and the false prompt injection (such as the system will restart in 5 minutes, please operate as soon as possible).

[0064] After modifying the response timing and logic of the response fragments, all RFs are recombined into a complete Dynamic Defense Strategy (DDS). Its core features include: inducing attackers to deviate from their true targets through atypical service sequences and false feedback (such as shifting the attack focus from the core database to the honeypot-enabled test environment); increasing the difficulty for attackers to analyze network behavior through random timing offsets and logical variations (such as being unable to infer service rules from fixed response patterns); and embedding data collection points in the RFs (such as recording attacker input commands, click behavior, and session duration) for subsequent threat profiling.

[0065] Dynamic defense strategies are applied to network security protection in the following ways: Deploying DDS in high-interaction honeypots (such as honeypot clusters simulating financial business systems) and dynamically adjusting service content for high-risk trajectories; embedding fake nodes (such as fake OA servers or backup storage devices) in the real network topology to respond to attackers' probe requests according to DDS rules; and redirecting attack traffic to the honeypot zone where DDS is deployed through BGP route announcements or DNS hijacking to achieve proactive defense. For example, if an attacker attempts to penetrate a company's core database, the dynamic defense strategy might first expose a fake database backup server (IP 10.0.0.200) providing a login interface with weak password hints; when the attacker attempts to log in, an incorrect password is reported, but administrator privileges are detected, allowing the attacker to attempt advanced commands (fake privilege escalation), while simultaneously recording all commands entered and IP information, ultimately triggering traffic blocking and an alert.

[0066] In a specific embodiment, the target enterprise is in the financial industry, and the core asset is a financial database (real IP 10.0.0.100, port 3306). The original static defense deployment service exposure order is: Web frontend (HTTP 80, IP 192.168.1.10) → SSH management port (22, IP 192.168.1.20) → financial database (3306, 10.0.0.100). All defense interaction units have fixed responses: HTTP returns the real login page, SSH returns the real default welcome message, and the database returns the real connection refused message. An external attacker (IP 1.2.3.4) was detected initiating a scan, including lateral movement and SSH brute-force attacks. Multi-dimensional features exceeded warning thresholds, generating an attack behavior description. Sequence feature analysis revealed the attack phases as "reconnaissance → brute-force → lateral movement." Meta-traffic analysis showed the attack path as HTTP → SSH → database. A multi-dimensional attack feature vector was generated, indicating the attacker would attempt to access the financial database within 10 minutes. The time-domain attack intensity index for this trajectory was calculated to be 0.07 (maximum intensity period), and the frequency-domain behavior dispersion index was 0.12. The resulting attack impact risk value was 0.85, exceeding the preset threshold of 0.7, thus classifying it as a risky trajectory. In the event of triggering a dynamic defense strategy, the specific process for constructing the dynamic defense strategy includes: Key interaction nodes in the risk trajectory are extracted and divided into three response fragments according to the triple rule: RF1: Service identifier HTTP (80, 192.168.1.10), interaction type authentication request, original response template is a real web login page; RF2: Service identifier SSH (22, 192.168.1.20), interaction type login attempt, original response template is a real SSH welcome message; RF3: Service identifier database (3306, 10.0.0.100), interaction type database connection, original response template is a real connection refused message.

[0067] Reorder the response sequence: RF3 (financial database) is a high-value service, RF1 (HTTP) is a low-value service, and RF2 (SSH) is a medium-value service. Based on the service value, the response sequence is adjusted to RF3→RF1→RF2, with RF3 offset by 0s (t=0s exposure), RF1 offset by 15s (t=15s exposure), and RF2 offset by 30s (t=30s exposure). The final service exposure sequence is: t=0s exposure of the database → t=15s exposure of HTTP → t=30s exposure of SSH.

[0068] Modify the response logic (select operations from the perturbation policy library): RF3 (database) selects simulated vulnerability + false feedback perturbation, disguised as a test environment with weak passwords. The login interface prompts a test environment, with the default account admin / 123456. When an attacker attempts to log in, it reports an incorrect password, with 4 attempts remaining. All input commands are recorded, but no connection to the real database is actually established. RF1 (HTTP) selects redirection + false prompt perturbation. When an attacker accesses the system, they are redirected to a "System Maintenance" page, prompting a backend upgrade and requesting the administrator to obtain a temporary access address 10.0.0.200. RF2 (SSH) selects port mutation + false feedback perturbation, actually changing the SSH port to 2222, but the login interface still prompts the default port 22. Login attempts report insufficient permissions and request the IT department to contact. At the same time, a false prompt is injected that the system will restart in 5 minutes, and the attacker should take immediate action.

[0069] The dynamic defense strategy is deployed to a high-interaction honeypot cluster. At the same time, a fake financial database node (IP10.0.0.200) is embedded in the real network topology. Through DNS hijacking, the attacker's access to the real financial database (10.0.0.100) is redirected to the fake database (10.0.0.200). The attacker is induced to access the fake database first, deviating from the real target. Meanwhile, the non-standard service order and variable response logic increase the difficulty of analysis for the attacker. All attack behaviors are fully recorded for threat profiling, realizing proactive defense.

[0070] The network defense deployment and update method based on attack behavior monitoring and prediction provided by this invention addresses the problems of weak coordination in network defense strategy deployment and static and rigid response strategies. It constructs a new network defense strategy deployment and update process, which significantly improves the system's collaborative control capabilities and dynamic response capabilities.

[0071] In the network defense deployment update method based on attack behavior monitoring and prediction of the present invention: a multi-point triggering and unified time anchoring mechanism is designed to realize the structured encapsulation and synchronous perception of multi-source attack behaviors; the linkage capability between distributed honeypots is enhanced, supporting behavior chain reconstruction and global attack situation insight, avoiding the attack path breakage and blind spot perception caused by information silos in the prior art.

[0072] By employing a dual-channel behavior state estimation method that identifies attack behavior characteristics based on behavior sequences and estimates attack phase transition characteristics based on meta-traffic analysis, and by integrating system calls and network data, the real-time performance and robustness of attack intent identification are improved; this avoids dependence on a single data source and enhances the system's adaptability to diverse attack strategies.

[0073] By predicting attack evolution trends and assessing risk trajectories, and by conducting forward-looking assessments and proactive judgments during the attack process, potential high-risk attack chains can be identified in advance, effectively improving the timeliness of interception and enabling intervention and protection before the causes of attacks are exposed.

[0074] By deconstructing response fragments and designing dynamic defense strategies, the ability to guide attackers' paths and interfere with their behavior is enhanced. This avoids the problems caused by the templated and unvariable nature of trapping behaviors, effectively reducing the risk of defense deployment exposure and improving the strategy's anti-identification capabilities.

[0075] In summary, the network defense deployment and update method based on attack behavior monitoring and prediction of the present invention constructs a defense strategy deployment and update system with technical synergy and dynamic evolution capabilities in attack perception, feature fusion, and strategy construction. It significantly breaks through the limitations of existing technologies in terms of structural stability, response flexibility, and learning ability, and has significant technological progress and application value.

[0076] See Figure 2 This embodiment also provides a network defense deployment and update device based on attack behavior monitoring and prediction, which is used to implement the above method embodiment. The device includes:

[0077] The attack behavior detection unit 201 is used to monitor behavioral data in the target network and detect attack behaviors, and generate attack behavior descriptions based on the behavioral data corresponding to the attack behaviors.

[0078] The multi-dimensional feature fusion unit 202 is used to extract attack behavior features based on the attack behavior description, obtain the corresponding original behavior data according to the attack behavior description to extract stage transition features, and fuse the attack behavior features and stage transition features to generate a multi-dimensional attack feature vector.

[0079] The attack trajectory prediction unit 203 is used to set an analysis window, comprehensively analyze the attack behavior characteristics within the window to calculate the attack trend characteristics of the attack event, learn the patterns and rules of the attack trend characteristics and multi-dimensional attack feature vectors based on time series analysis technology and make predictions to obtain the predicted attack characteristics of subsequent time segments, infer the attack behavior change trend based on the predicted attack characteristics and the current attack characteristics, and integrate the attack behavior change trend to construct the predicted attack trajectory.

[0080] The risk trajectory determination unit 204 is used to calculate the attack intensity index in the time domain to quantify the concentration and impact intensity of the attack behavior on the time axis, calculate the behavior dispersion index in the frequency domain to quantify the distribution sparsity of the attack events in the frequency domain, fuse the attack intensity index and behavior dispersion index to obtain the attack impact risk value, and determine the predicted attack trajectory with the attack impact risk value greater than the preset threshold as the risk trajectory.

[0081] Defense deployment update unit 205 is used to extract key interaction nodes on the risk trajectory, divide the key interaction nodes into multiple response segments according to the attack flow logic, rearrange the response timing of the response segments according to the service value of each response segment, and modify the response logic according to the predefined perturbation operation to build a dynamic defense strategy, and update the defense deployment in the target network according to the dynamic defense strategy.

[0082] All relevant content of each step involved in the above method embodiments can be referenced from the functional description of the corresponding functional module, and will not be repeated here.

[0083] In other embodiments of this application, an electronic device is disclosed, such as... Figure 3 As shown, the electronic device 300 may include: one or more processors 301; a memory 302; a display 303; one or more application programs (not shown); and one or more computer programs 304. These devices can be connected via one or more communication buses 305. The one or more computer programs 304 are stored in the memory and configured to be executed by the one or more processors 301. The one or more computer programs 304 include instructions that can be used to perform actions such as... Figure 1 And the various steps in the corresponding embodiments.

[0084] Through the above description of the embodiments, those skilled in the art will clearly understand that, for the sake of convenience and brevity, only the division of the above functional modules is used as an example. In practical applications, the above functions can be assigned to different functional modules as needed, that is, the internal structure of the device can be divided into different functional modules to complete all or part of the functions described above. The specific working process of the system, device, and unit described above can be referred to the corresponding process in the foregoing method embodiments, and will not be repeated here.

[0085] In the embodiments of this application, the functional units can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit. The integrated unit can be implemented in hardware or as a software functional unit.

[0086] If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solutions of the embodiments of this application, essentially, or the parts that contribute to the prior art, or all or part of the technical solutions, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) or processor to execute all or part of the steps of the methods described in the various embodiments of this application. The aforementioned storage medium includes various media capable of storing program code, such as flash memory, portable hard disk, read-only memory, random access memory, magnetic disk, or optical disk.

[0087] The above description is merely a specific implementation of the embodiments of this application, but the protection scope of the embodiments of this application is not limited thereto. Any changes or substitutions within the technical scope disclosed in the embodiments of this application should be covered within the protection scope of the embodiments of this application. Therefore, the protection scope of the embodiments of this application should be determined by the protection scope of the claims.

Claims

1. A network defense deployment update method based on attack behavior monitoring and prediction, characterized in that, include: Monitor behavioral data in the target network and detect attack behaviors, and generate attack behavior descriptions based on the corresponding behavioral data. Attack behavior features are extracted based on attack behavior descriptions. The corresponding raw behavior data is obtained based on the attack behavior descriptions to extract phase transition features. The attack behavior features and the phase transition features are then fused to generate a multi-dimensional attack feature vector. An analysis window is set up, and the attack trend characteristics of the attack event are calculated by comprehensively analyzing the attack behavior characteristics within the window. Based on time series analysis technology, the patterns and rules of the attack trend characteristics and the multi-dimensional attack feature vector are learned and predicted to obtain the predicted attack characteristics of subsequent time segments. Based on the predicted attack characteristics and the current attack characteristics, the attack behavior change trend is deduced, and the attack behavior change trend is integrated to construct the predicted attack trajectory. Based on the predicted attack trajectory, the attack intensity index in the time domain is calculated to quantify the concentration and impact of the attack behavior on the time axis, and the behavior dispersion index in the frequency domain is calculated to quantify the distribution sparsity of the attack events in the frequency domain. The attack intensity index and the behavior dispersion index are fused to obtain the attack impact risk value. The predicted attack trajectory with the attack impact risk value greater than a preset threshold is determined as the risk trajectory. Key interaction nodes on the risk trajectory are extracted, and the key interaction nodes are divided into multiple response segments according to the attack flow logic. The response sequence of the response segments is rearranged according to the service value of each response segment, and the response logic is modified according to the predefined perturbation operation to construct a dynamic defense strategy. The defense deployment in the target network is updated according to the dynamic defense strategy.

2. The method of claim 1, wherein, Extracting attack behavior features based on attack behavior descriptions includes: The behavioral sequence in the attack behavior description is temporally encoded, and the phase transition probability, behavioral density temporal sequence, and key operation proportion of the attack behavior are calculated based on the encoded sequence to generate an attack behavior feature vector. Based on the description of attack behavior, the corresponding raw behavioral data is extracted to obtain the stage transition features, including: Obtain network traffic mirror data, extract meta-features from the network traffic mirror data based on the meta-traffic in the attack behavior description, construct an attack path graph based on the meta-features, learn the topological features of nodes based on the attack path graph, and aggregate to generate a phase transition feature vector.

3. The method of claim 1, wherein, The attack strength metrics in the time domain, calculated based on the predicted attack trajectory, include: Define a time window, divide the timestamp sequence of attack events in the predicted attack trajectory into continuous sub-windows according to the time window, calculate the attack intensity index within the sub-window according to the division of the sub-windows, and extract the maximum attack intensity index in all sub-windows or calculate and analyze the average attack intensity index within the window as the attack intensity index in the time domain. The frequency domain behavior discrete indices calculated based on the predicted attack trajectory include: The time interval sequence of attack events in the predicted attack trajectory is transformed to obtain the spectrum. The spectrum energy distribution is analyzed and the main frequency energy ratio and spectrum entropy are extracted. The behavior discrete index in the frequency domain is calculated.

4. The method of claim 1, wherein, The response sequence of response segments is reordered based on the value of each segment's service, including: Based on the attacker's historical behavior patterns and service dependencies, the response fragments are rearranged in time to generate a service exposure sequence. During the generation of the service exposure sequence, the value of each response fragment service is compared. Based on the comparison results, the exposure timestamp of high-value services is adjusted to be earlier than that of low-value services. At the same time, a time offset is added to each response fragment. Modifying the response logic based on predefined perturbation operations includes: For each response fragment's original response template, a perturbation operation is randomly selected from a predefined perturbation strategy library to implement the response logic perturbation of the response fragment.

5. The method of claim 1, wherein, Each response fragment corresponds to a defense interaction unit; The response fragment includes the service identifier, interaction type, and original response template; The defensive interaction unit includes a simulated database management interface, a disguised API interface, simulated response results, and redirected simulation resources; The defense interaction unit is used to adjust the processing timing and logic of the response fragment.

6. The method of claim 1, wherein, Monitor behavioral data in the target network and detect attack behaviors. Generate attack behavior descriptions based on the corresponding behavioral data, including: Monitor behavioral data in the target network. When an operation that matches the characteristics of intrusion behavior is detected in the behavioral data, extract multi-dimensional features from the behavioral data. When any dimension feature exceeds a preset warning threshold, it is determined that an attack behavior has been detected. Information is extracted from the behavioral data corresponding to the attack behavior according to the set fields to generate an attack behavior description.

7. The method of claim 1, wherein, Attack characteristics include attack intensity, attack path, and tactical type; Based on the predicted attack characteristics and current attack characteristics, the attack behavior change trend is deduced to obtain attack characteristic transfer factors, including the deduced attack intensity change, path switching probability, and potential tactical transfer factors.

8. A network defense deployment and update device based on attack behavior monitoring and prediction, characterized in that, The device includes: The attack behavior detection unit is used to monitor behavioral data in the target network and detect attack behaviors, and generate attack behavior descriptions based on the behavioral data corresponding to the attack behaviors. The multi-dimensional feature fusion unit is used to extract attack behavior features based on the attack behavior description, obtain the corresponding original behavior data according to the attack behavior description to extract stage transition features, and fuse the attack behavior features and the stage transition features to generate a multi-dimensional attack feature vector. The attack trajectory prediction unit is used to set an analysis window, comprehensively analyze the attack behavior characteristics within the window to calculate the attack trend characteristics of the attack event, learn the patterns and rules of the attack trend characteristics and the multi-dimensional attack feature vector based on time series analysis technology and make predictions to obtain the predicted attack characteristics of subsequent time segments, infer the attack behavior change trend based on the predicted attack characteristics and the current attack characteristics, and integrate the attack behavior change trend to construct the predicted attack trajectory. The risk trajectory determination unit is used to calculate the attack intensity index in the time domain to quantify the concentration and impact intensity of the attack behavior on the time axis, calculate the behavior dispersion index in the frequency domain to quantify the distribution sparsity of the attack events in the frequency domain, fuse the attack intensity index and the behavior dispersion index to obtain the attack impact risk value, and determine the predicted attack trajectory with the attack impact risk value greater than a preset threshold as the risk trajectory. The defense deployment update unit is used to extract key interaction nodes on the risk trajectory, divide the key interaction nodes into multiple response segments according to the attack flow logic, rearrange the response timing of the response segments according to the service value of each response segment, and modify the response logic according to the predefined perturbation operation to construct a dynamic defense strategy, and update the defense deployment in the target network according to the dynamic defense strategy.