A communication security detection method and system based on deep learning

By improving the communication security detection method that combines PixelCNN and METIS algorithms, the difficulty in identifying covert communication behaviors in existing technologies has been solved. This enables efficient detection and localization of covert attacks in complex networks, thereby improving the efficiency and accuracy of security detection in communication networks.

CN122339838APending Publication Date: 2026-07-03SHANXI XUNHAI ZONGHE TECHNOLOGY CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
SHANXI XUNHAI ZONGHE TECHNOLOGY CO LTD
Filing Date
2026-05-25
Publication Date
2026-07-03

AI Technical Summary

Technical Problem

Existing communication security detection methods are unable to accurately identify covert communication behaviors that are low-intensity, long-term, and spread across nodes. They suffer from insufficient ability to correlate anomalies, inadequate expression of temporal dependencies, and weak adaptability to complex communication topologies.

Method used

By employing improved PixelCNN, weak anomaly correlation analysis, and anomaly communication topology partitioning techniques, conditional probability modeling and anomaly correlation analysis are performed on communication fields such as source address, destination address, port, protocol type, and connection status in the communication network. A communication behavior matrix is ​​constructed, an anomaly communication topology map is generated, and the METIS algorithm is used to partition regions and identify covert lateral penetration behaviors.

Benefits of technology

It improves the ability to identify low-intensity abnormal communication, reduces the false alarm rate and false negative rate in complex network environments, and has the advantages of strong abnormal correlation ability, high adaptability to communication topology and high accuracy in identifying covert attacks. It can automatically detect and locate covert abnormal behavior in complex communication networks.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122339838A_ABST
    Figure CN122339838A_ABST
Patent Text Reader

Abstract

This invention discloses a communication security detection method and system based on deep learning, belonging to the field of deep learning technology. The method includes: collecting communication data from a communication network to generate a communication session data set; performing field encoding and normalization processing to generate a communication behavior matrix sequence; constructing an improved PixelCNN to generate a communication field conditional probability matrix; calculating and generating session anomaly scores to generate a long-term weak anomaly association sequence; generating an abnormal communication topology map; executing the METIS algorithm based on the abnormal communication topology map to generate a candidate lateral penetration subgraph set; calculating penetration area scores based on the candidate lateral penetration subgraph set to generate a communication security detection result. This invention, by introducing an improved PixelCNN and METIS algorithm, achieves high-precision automatic detection of concealed lateral penetration behavior and anomaly propagation area localization in complex communication networks.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of deep learning technology, and in particular to a communication security detection method and system based on deep learning. Background Technology

[0002] With the continuous development of internet communication, cloud platforms, and industrial network systems, the scale of data exchange in communication networks is constantly expanding, resulting in a large amount of continuous and high-frequency data interaction between network devices. Due to the increasing complexity of communication protocol types, access methods, and network structures, communication data contains a large number of dynamically changing connection relationships and temporal characteristics, leading to a growing trend of network attacks becoming more covert, distributed, and persistent. Some attacks are hidden within normal communication processes through low-frequency access, abnormal port detection, and cross-node propagation. Traditional security detection methods relying on fixed rules and human experience struggle to accurately identify abnormal behavior in complex networks. Simultaneously, with the increasing number of communication nodes, network security detection systems face challenges such as large communication data volumes, high real-time requirements, and increased difficulty in correlating abnormal behavior. Consequently, communication security detection technology is gradually developing towards automation and intelligence.

[0003] Existing communication security detection methods typically employ statistical analysis, machine learning, or deep learning to identify anomalies in communication data. For example, convolutional neural networks, autoencoder networks, or recurrent neural networks are used to extract communication features, and graph structure analysis is combined to detect abnormal behavior and identify attack paths. Some methods analyze the correlations between communication fields using probabilistic models, while others utilize graph partitioning or clustering algorithms to identify abnormal communication regions. While these methods can improve anomaly detection capabilities to some extent, they still suffer from insufficient anomaly correlation capabilities, inadequate expression of temporal dependencies, and weak adaptability to complex communication topologies, especially for low-intensity, long-term latency, and cross-node propagation covert communication behaviors.

[0004] Therefore, how to provide a communication security detection method and system based on deep learning is a problem that urgently needs to be solved by those skilled in the art. Summary of the Invention

[0005] One objective of this invention is to propose a communication security detection method and system based on deep learning. This invention utilizes an improved PixelCNN, weak anomaly correlation analysis, and anomaly communication topology partitioning techniques to perform conditional probability modeling and anomaly correlation analysis on communication fields such as source address, destination address, port, protocol type, and connection status in a communication network. It details the implementation process of communication behavior matrix construction, coarse path signature recursion, spinor mask coupling, normalized flow probability generation, low-anomaly communication memory chain construction, and candidate lateral penetration subgraph partitioning. This enables automatic detection and region localization of covert lateral penetration behavior in complex communication networks. This invention can improve the ability to identify low-intensity anomaly communication, increase the accuracy of long-term latent attack detection, reduce the false alarm rate and false negative rate in complex network environments, and possesses advantages such as strong anomaly correlation ability, high communication topology adaptability, and high accuracy in identifying covert attacks.

[0006] A deep learning-based communication security detection method according to an embodiment of the present invention includes: Collect communication data from the communication network, and aggregate the communication data into sessions according to time windows to generate a communication session data set; The communication session data set is processed by field encoding and normalization, and each communication session is converted into a communication behavior matrix according to the order of communication occurrence, generating a sequence of communication behavior matrices; Based on the communication behavior matrix sequence, an improved PixelCNN is constructed. Coarse path signature recursion, screw mask coupling and Sinkhorn normalized flow probability generation are performed on the communication field to generate the conditional probability matrix of the communication field. Based on the conditional probability matrix of the communication field, the field anomaly probability is calculated, a session anomaly score is generated, low-anomaly communication sessions and high-anomaly communication sessions are marked, and a low-anomaly communication memory chain is constructed to generate a long-term weak anomaly association sequence. Based on low-anomaly communication sessions, high-anomaly communication sessions, session anomaly scores, and long-term weak anomaly association sequences, anomaly topology edge weights are generated using communication nodes as graph nodes and communication sessions as graph edges, and session anomaly scores, access frequency, number of failed connections, and memory association strength to generate anomaly communication topology graph. The METIS algorithm is executed based on the abnormal communication topology graph. The abnormal communication topology graph is divided into regions according to the edge weights of the abnormal topology, and a set of candidate lateral penetration subgraphs is generated. The penetration area score is calculated based on the candidate lateral penetration subgraph set to identify hidden lateral penetration areas, suspected lateral penetration areas, and ordinary abnormal communication areas, and to generate communication security detection results.

[0007] Optionally, the communication data includes source address, destination address, source port, destination port, protocol type, packet direction, packet length, connection duration, handshake status, number of retransmissions, number of access failures, authentication status, communication timestamp, and session identifier.

[0008] Optionally, a communication session data set is generated, including: Communication data is read according to a fixed time window. Communication data with the same session identifier is grouped into the same initial session group. For communication data with an empty session identifier, communication data with the same source address, destination address, source port, destination port and protocol type and a communication timestamp interval of less than 60 seconds are grouped into the same initial session group. Read each initial session group in the order of communication timestamps, write the data packet direction, data packet length, connection duration, handshake status, number of retransmissions, number of access failures and authentication status into the corresponding session record, and configure the source node, destination node, port encoding, protocol encoding and session time range to generate a communication session data set.

[0009] Optionally, generating the communication behavior matrix sequence includes: Read the source address, destination address, source port, destination port, protocol type, packet direction, handshake status, and authentication status from the communication session data set, and convert them into the corresponding field encoded values; Read the data packet length, connection duration, number of retransmissions, and number of access failures. Subtract the minimum field value within the current time window from the current field value, and then divide by the difference between the maximum and minimum field values ​​to obtain the corresponding normalized value. When the maximum field value equals the minimum field value, set the corresponding normalized value to 0. Each communication session is read in the order of communication timestamps, and the encoded and normalized values ​​of each field are written into fixed row and column positions to generate a communication behavior matrix. All communication behavior matrices are then arranged in the order of communication timestamps to generate a communication behavior matrix sequence.

[0010] Optionally, generating the communication field conditional probability matrix includes: An improved PixelCNN is constructed, comprising a communication feature encoding layer, a screw mask probability generation layer, and a normalized stream output layer; Input the communication behavior matrix sequence into the communication feature coding layer and statistically analyze the mutual information values ​​of the fields between source address, destination address, source port, destination port, protocol type, packet direction, packet length, connection duration, handshake status, number of retransmissions, number of access failures, and authentication status. Construct a Huffman field tree based on the field mutual information values, rearrange the field writing order according to the field path order of the Huffman field tree, and perform coarse path signature recursion according to the rearranged field order to generate a coarse path field state sequence. The coarse path field state sequence is input into the screw mask probability generation layer. The field states corresponding to the source address, destination address, source port, destination port, protocol type, and data packet direction are mapped to screw field features. Lie group exposure mapping is performed on the screw field features. Autoregressive coupling calculation is performed on the screw field features after Lie group exposure mapping according to the mask order to generate the screw condition feature matrix. Input the screw conditional feature matrix into the normalized flow output layer, construct the optimal transport residual interchange block, and perform optimal transport mapping and interchange fusion between the mainstream features and residual features corresponding to the screw conditional feature matrix to generate transport residual fusion features. The transport residual fusion features are subjected to Sinkhorn double-row normalization processing, and the normalization results are mapped to the occurrence probability of each communication field under the condition of the preceding communication field, generating a communication field conditional probability matrix. The improved PixelCNN was trained using the negative log-likelihood loss between the conditional probability matrix of the communication field and the true distribution of the communication field as the optimization objective. The parameters of the communication feature encoding layer, the screw mask probability generation layer, and the normalized stream output layer were continuously optimized. Training was stopped when the change in negative log-likelihood loss was less than 0.001 for 10 consecutive training rounds.

[0011] Optionally, generating long-term weak anomaly association sequences includes: Read the conditional probability value corresponding to each communication field in the conditional probability matrix of communication fields, and subtract the corresponding conditional probability value from 1 to obtain the field anomaly probability; The abnormal probability of each field is multiplied by the corresponding field weight and then summed to obtain the session abnormality score; When the session anomaly score is greater than 0.35 and less than or equal to 0.65, the corresponding communication session is marked as a low anomaly communication session; when the session anomaly score is greater than 0.65, the corresponding communication session is marked as a high anomaly communication session. When the time interval between adjacent low-anomaly communication sessions is less than 30 minutes, the source address and destination address of the preceding and following communication sessions correspond, and the protocol type or destination port is the same, a memory association edge is established between the two low-anomaly communication sessions, and all memory association edges are connected to generate a low-anomaly communication memory chain. Read the repetition count, cumulative duration, and cross-node propagation count of each memory association edge, calculate the memory association strength value, and arrange all memory association edges according to the association strength value to generate a long-term weak anomaly association sequence.

[0012] Optionally, generating the abnormal communication topology map includes: Read the source address, destination address, and session identifier from low-anomaly communication sessions and high-anomaly communication sessions, write the communication nodes corresponding to the source address and destination address into the graph node set, and write the communication sessions into the graph edge set; Read the session anomaly score, access frequency, access failure count and memory association strength of each communication session. Divide the access frequency by the maximum access frequency in the current time window to obtain the access frequency normalization value. Divide the access failure count by the maximum access failure count in the current time window to obtain the failed connection count normalization value. The memory association strength of communication sessions without matching memory association edges is 0. Multiply the session anomaly score by 0.45, the access frequency normalization value by 0.20, the failed connection count normalization value by 0.15, and the memory association strength by 0.20, and then add them together to obtain the anomaly topology edge weights. Combine the graph node set, graph edge set, and anomaly topology edge weights to generate an anomaly communication topology graph.

[0013] Optionally, generating the candidate lateral penetration subgraph set includes: Read the set of graph nodes, the set of graph edges, and the weights of abnormal topology edges in the abnormal communication topology graph. Construct a bipartite graph of session negative nodes from the communication sessions and communication nodes. Then aggregate the communication sessions and communication nodes respectively to generate a hypergraph of session cluster negative nodes. The number of supernodes in the session cluster negative node cluster supergraph is counted, and the number of partitions is determined based on the number of supernodes. When the number of supernodes is less than 100, the number of partitions is set to 4; when the number of supernodes is greater than or equal to 100 and less than 1000, the number of partitions is set to 8; when the number of supernodes is greater than or equal to 1000, the number of partitions is set to 16. Based on the METIS algorithm, multi-layer shrinkage processing is performed on the hypergraph of negative node clusters of session clusters. Adjacent hypernodes are merged according to the abnormal topology edge weights, and the number of communication sessions, the abnormal topology edge weights, and the memory association strength are accumulated to the shrinkage hyperedge to generate a shrinkage hypergraph. Based on the number of partitions, a dual edge weight offset optimization partitioning process is performed on the shrinking hypergraph. The sum of the weights of the cross-regional anomalous topology edges is used as the first optimization objective, and the sum of the weights of the low-anomaly topology edges within the region is used as the second optimization objective. The assignment of the boundary supernodes is adjusted according to the dual optimization objectives. At the same time, self-supervised residual refinement is performed during the reverse unfolding process. When the residual discriminant value is greater than 0.05, the previous round of boundary supernode movement results are rolled back and the assignment of the boundary supernodes is readjusted to generate the optimized hypergraph partitioning result. The optimized hypergraph partitioning results are mapped back to the abnormal communication topology graph. Graph nodes, graph edges, internal abnormal topology edge weights, and cross-regional abnormal topology edge weights are extracted from each region to generate a set of candidate lateral penetration subgraphs.

[0014] Optionally, generating the communication security detection result includes: Read the low-anomaly communication sessions, high-anomaly communication sessions, internal anomalous topological edge weights, cross-regional anomalous topological edge weights, and long-term weak anomalous association sequences in the candidate lateral penetration subgraph, and calculate the low-anomaly session density, anomalous edge weight concentration, node jump depth, time duration, and cross-regional outbound strength. The penetration area score is obtained by multiplying the low abnormal session density by 0.25, the abnormal edge weight concentration by 0.30, the node jump depth by 0.20, the time duration by 0.15, and the cross-regional external connection strength by 0.10. When the penetration area score is greater than 0.70, the corresponding candidate lateral penetration sub-map is identified as a concealed lateral penetration area. When the penetration area score is greater than 0.50 and less than or equal to 0.70, the corresponding candidate lateral penetration sub-map is identified as a suspected lateral penetration area. When the penetration area score is less than or equal to 0.50, the corresponding candidate lateral penetration sub-map is identified as a normal abnormal communication area, and a communication security detection result is generated.

[0015] A deep learning-based communication security detection system according to an embodiment of the present invention includes the following modules: The communication acquisition module is used to collect communication data in the communication network and generate a communication session data set; The behavior matrix module is used to encode and normalize the fields of the communication session data set to generate a sequence of communication behavior matrices. The probability modeling module is used to build an improved PixelCNN and generate a conditional probability matrix for communication fields. The weak anomaly association module is used to calculate the probability of field anomalies, generate session anomaly scores, and generate long-term weak anomaly association sequences. The topology generation module is used to generate abnormal communication topology diagrams; The subgraph partitioning module is used to execute the METIS algorithm based on the abnormal communication topology graph to generate a set of candidate lateral penetration subgraphs. The security detection module is used to calculate the penetration area score and generate communication security detection results.

[0016] The beneficial effects of this invention are: This invention proposes a deep learning-based communication security detection method and system. By performing temporal session aggregation, field probability modeling, weak anomaly correlation analysis, and anomalous topology region division on communication data in communication networks, it achieves automatic identification of covert anomalous communication behaviors and lateral penetration area localization in complex network environments. Compared with traditional detection methods that rely on fixed rules, human experience, or single communication feature matching, this invention constructs a communication behavior matrix and combines it with an improved PixelCNN to model the conditional probability relationships between communication fields. This enables the learning of the temporal correlation features and implicit dependencies of communication fields in continuous communication processes, improving the anomalous representation ability of complex communication behaviors. Furthermore, this invention uses low-anomaly communication memory chains and long-term weak anomaly correlation sequences to perform continuous correlation analysis on low-frequency anomalous behaviors, enabling the identification of long-term latent, low-intensity, and distributed propagation covert attack behaviors, reducing the problem of traditional detection methods missing weak anomalies.

[0017] This invention constructs an abnormal communication topology map and performs region partitioning on the map using the METIS algorithm. This enables the location of abnormal propagation regions and potential lateral penetration paths in complex communication networks, improving the accuracy of identifying anomalous communication clusters. Through joint optimization of cross-regional anomalous topology edge weights and intra-regional low-anomaly topology edge weights, the system's ability to identify cross-node propagation and covert correlation behaviors is enhanced. This invention possesses advantages such as strong anomalous correlation capabilities, high adaptability to complex communication topologies, high accuracy in identifying covert attacks, and a low false alarm rate, thereby improving the efficiency of security detection and automated analysis capabilities in communication networks. Attached Figure Description

[0018] The accompanying drawings are provided to further illustrate the invention and form part of the specification. They are used in conjunction with embodiments of the invention to explain the invention and do not constitute a limitation thereof. In the drawings: Figure 1 This is a flowchart of a deep learning-based communication security detection method proposed in this invention; Figure 2 This is a schematic diagram of the structure of the improved PixelCNN, a deep learning-based communication security detection method proposed in this invention. Figure 3 This is a schematic diagram of the structure of a deep learning-based communication security detection system proposed in this invention. Detailed Implementation

[0019] The present invention will now be described in further detail with reference to the accompanying drawings. These drawings are simplified schematic diagrams, illustrating only the basic structure of the invention, and therefore only show the components relevant to the invention.

[0020] refer to Figure 1 and Figure 2 A deep learning-based communication security detection method includes: Collect communication data from the communication network, and aggregate the communication data into sessions according to time windows to generate a communication session data set; The communication session data set is processed by field encoding and normalization, and each communication session is converted into a communication behavior matrix according to the order of communication occurrence, generating a sequence of communication behavior matrices; Based on the communication behavior matrix sequence, an improved PixelCNN is constructed. Coarse path signature recursion, screw mask coupling and Sinkhorn normalized flow probability generation are performed on the communication field to generate the conditional probability matrix of the communication field. Based on the conditional probability matrix of the communication field, the field anomaly probability is calculated, a session anomaly score is generated, low-anomaly communication sessions and high-anomaly communication sessions are marked, and a low-anomaly communication memory chain is constructed to generate a long-term weak anomaly association sequence. Based on low-anomaly communication sessions, high-anomaly communication sessions, session anomaly scores, and long-term weak anomaly association sequences, anomaly topology edge weights are generated using communication nodes as graph nodes and communication sessions as graph edges, and session anomaly scores, access frequency, number of failed connections, and memory association strength to generate anomaly communication topology graph. The METIS algorithm is executed based on the abnormal communication topology graph. The abnormal communication topology graph is divided into regions according to the edge weights of the abnormal topology, and a set of candidate lateral penetration subgraphs is generated. The penetration area score is calculated based on the candidate lateral penetration subgraph set to identify hidden lateral penetration areas, suspected lateral penetration areas, and ordinary abnormal communication areas, and to generate communication security detection results.

[0021] In this embodiment, the communication data includes source address, destination address, source port, destination port, protocol type, data packet direction, data packet length, connection duration, handshake status, number of retransmissions, number of access failures, authentication status, communication timestamp, and session identifier.

[0022] In this embodiment, generating the communication session data set includes: Communication data is read according to a fixed time window. Communication data with the same session identifier is grouped into the same initial session group. For communication data with an empty session identifier, communication data with the same source address, destination address, source port, destination port and protocol type and a communication timestamp interval of less than 60 seconds are grouped into the same initial session group. Read each initial session group in the order of communication timestamps, write the data packet direction, data packet length, connection duration, handshake status, number of retransmissions, number of access failures and authentication status into the corresponding session record, and configure the source node, destination node, port encoding, protocol encoding and session time range to generate a communication session data set.

[0023] In this embodiment, generating the communication behavior matrix sequence includes: Read the source address, destination address, source port, destination port, protocol type, packet direction, handshake status, and authentication status from the communication session data set, and convert them into corresponding field encoded values, where: Convert to the corresponding field encoding value, specifically: Read the field contents corresponding to source address, destination address, source port, destination port, protocol type, packet direction, handshake status, and authentication status. Assign integer numbers sequentially according to the order of first appearance of the fields. When the read field contents are consistent with the existing field contents, directly read the corresponding integer number value as the field encoding value. The packet direction adopts a binary encoding method, with the encoding value for inbound communication set to 0 and the encoding value for outbound communication set to 1. The handshake status adopts a ternary encoding method, with the encoding value for successful handshake set to 2, the encoding value for interrupted handshake set to 1, and the encoding value for failed handshake set to 0. The authentication status adopts a binary encoding method, with the encoding value for successful authentication set to 1 and the encoding value for failed authentication set to 0. Read the data packet length, connection duration, number of retransmissions, and number of access failures. Subtract the minimum field value within the current time window from the current field value, and then divide by the difference between the maximum and minimum field values ​​to obtain the corresponding normalized value. When the maximum field value equals the minimum field value, set the corresponding normalized value to 0. Each communication session is read in the order of communication timestamps, and the encoded and normalized values ​​of each field are written into fixed row and column positions to generate a communication behavior matrix. All communication behavior matrices are then arranged in the order of communication timestamps to generate a communication behavior matrix sequence.

[0024] In this embodiment, generating the communication field conditional probability matrix includes: An improved PixelCNN is constructed, comprising a communication feature encoding layer, a spinor mask probability generation layer, and a normalized stream output layer, wherein: The improved PixelCNN is constructed as follows: To improve the PixelCNN, a Huffman field tree rearrangement and coarse path signature recursion are added to the input convolutional layers, resulting in a communication feature encoding layer. A Lie group exposure mapping and spinor orientation coupling are added to the mask convolutional layers, resulting in a spinor mask probability generation layer. Finally, an optimal transport residual swapping block and Sinkhorn double-row normalization are connected after the conditional probability output layer of the traditional PixelCNN, resulting in a normalized stream output layer. This forms the improved PixelCNN. The communication feature coding layer includes: Field register: Stores the encoded values ​​of fields including source address, destination address, port, and protocol type; Time register: stores the corresponding communication timestamp; Mutual Information Sorter: Outputs the field writing order based on mutual information values; Signature Calculator: Performs a weighted average calculation of the current field value and the result of the previous column, and outputs the cumulative result. The spinor mask probabilistic generation layer includes: Screw kernel memory: stores the screw convolution kernel weights mapped by the Lie group exponent; Mask controller: When calculating the current row and current column, only allow reading of inputs in the same row that precede the current column and all inputs from the previous row; Lie group converter: maps the convolution output to the gyroscope coordinate space, preserving the information of orientation change; Coupled calculator: Performs dual-gated coupled calculations on the screw eigenvalues ​​at the current position to generate a screw conditional eigenvalue matrix; The normalized stream output layer includes: Feature Separator: The first half of the spinor conditional feature matrix is ​​classified as the main feature and the second half as the residual feature, column by column. Transport mapping table: Matches the corresponding residual feature column to each main feature column and records the displacement relationship; Residual Swapper: Swaps the positions of corresponding columns according to the mapping relationship and concatenates them to generate transport residual fusion features; Dual-row normalizer: Performs row normalization on the fused features first, then column normalization, and repeats this process 20 times. Probability buffer: Outputs the normalization results according to the original row and column positions of the fields, forming a conditional probability matrix for the communication fields; The communication behavior matrix sequence is input into the communication feature coding layer, and the mutual information values ​​of the fields such as source address, destination address, source port, destination port, protocol type, packet direction, packet length, connection duration, handshake state, retransmission count, access failure count, and authentication state are statistically analyzed. The mutual information values ​​of the fields related to source address, destination address, source port, destination port, protocol type, packet direction, packet length, connection duration, handshake status, retransmission count, access failure count, and authentication status are calculated as follows: Count the number of times any two communication fields appear together and the number of times they appear independently within the current time window. Multiply the probability of the joint occurrence by the logarithm of the ratio of the product of the probability of the joint occurrence and the probability of the corresponding independent occurrence. Then sum all the results of the joint occurrence to obtain the mutual information value of the corresponding field. A Huffman field tree is constructed based on the field mutual information values. The field writing order is rearranged according to the field path order of the Huffman field tree, and coarse path signature recursion is performed according to the rearranged field order to generate a coarse path field state sequence, where: Constructing a Huffman field tree based on field mutual information values, specifically: Arrange all field mutual information values ​​in descending order, take the two fields with the largest mutual information values ​​as child nodes of the same parent node, and add the mutual information values ​​of the two fields to obtain the new parent node weight. Continue to select the two nodes with the largest current mutual information values ​​and perform the same merge operation until all fields are merged into a root node, generating a Huffman field tree. The field write order is rearranged according to the field path order of the Huffman field tree, specifically as follows: Starting from the root node of the Huffman field tree, read all the corresponding fields of the leaf nodes in the traversal order from the left child node to the right child node, and rearrange the writing order of source address, destination address, source port, destination port, protocol type, packet direction, packet length, connection duration, handshake status, retransmission count, access failure count and authentication status according to the reading order. The coarse path signature is recursively executed according to the rearranged field order, specifically: Read the field values ​​in the communication behavior matrix column by column according to the rearranged field order. Take the field value of the first column as the first recursive result. Starting from the second column, add the field value of the current column to the recursive result of the previous column and multiply by 0.5 to get the recursive result of the current column. Arrange all recursive results according to the field order to generate a coarse path field status sequence. The coarse path field state sequence is input into the screw mask probability generation layer. The field states corresponding to source address, destination address, source port, destination port, protocol type, and packet direction are mapped to screw field features. Lie group exposure mapping is performed on the screw field features, and autoregressive coupling calculation is performed on the screw field features after Lie group exposure mapping according to the mask order to generate a screw conditional feature matrix, where: The source address, destination address, source port, destination port, protocol type, and packet direction are mapped to spinor field features, specifically: Read the field status values ​​in the coarse path field status sequence column by column, write the current field status value to the horizontal coordinate position of the two-dimensional coordinate, and write the result of subtracting the previous field status value from the current field status value to the vertical coordinate position of the two-dimensional coordinate. When the current field is the first field, set the vertical coordinate position to 0 and generate the corresponding spinor field feature. Perform Lie group exposure mapping on the spinor field features, specifically: Read the x-coordinate and y-coordinate values ​​corresponding to the spinor field features, write the x-coordinate values ​​to the upper left and lower right positions of the two-dimensional matrix, write the y-coordinate values ​​to the upper right position of the two-dimensional matrix, write the negative of the y-coordinate values ​​to the lower left position of the two-dimensional matrix, multiply the generated two-dimensional matrix by itself in sequence to obtain the quadratic, cubic, fourth and fifth powers, and divide them by 2, 6, 24 and 120 respectively, and add them to the two-dimensional matrix itself and the identity matrix to obtain the corresponding Lie group exposure mapping results. Autoregressive coupled computation is performed on the spinor field features after exposure mapping of the Lie group according to the mask order, specifically as follows: Read all Lie group exposure mapping results in the same row from left to right according to the column number of the field, and read all Lie group exposure mapping results in the next row from top to bottom according to the row number of the matrix. Add the corresponding values ​​of all Lie group exposure mapping results before the current reading position and divide by the current reading quantity to obtain the conditional feature value corresponding to the current field. Write the conditional feature value back to the matrix position of the current field. After completing the calculation of all field positions, generate the spinor conditional feature matrix. The spinor conditional feature matrix is ​​input into the normalized flow output layer to construct an optimal transport residual interchange block. The mainstream features and residual features corresponding to the spinor conditional feature matrix are then optimally transport-mapped and interchanged and fused to generate transport residual fused features, where: Constructing the optimal transport residual swap block is as follows: The total number of all fields in the spinor conditional feature matrix is ​​counted. The first 50% of the fields are divided into the mainstream feature matrix and the last 50% of the fields are divided into the residual feature matrix. When the number of fields is odd, the middle fields are divided into the mainstream feature matrix. The field column number, field column position and field column value in the mainstream feature matrix and the residual feature matrix are recorded respectively to generate the optimal transport residual interchange block. The mainstream features and residual features corresponding to the spinor conditional feature matrix are optimally transported and interchanged and fused, specifically as follows: The mainstream feature matrix and residual feature matrix are read by the optimal transport residual exchange block. The mainstream field column is read one by one, and the sum of the absolute values ​​of the numerical differences between the corresponding positions of the current mainstream field column and each residual field column is calculated. The sum of the absolute values ​​is used as the transport cost. The residual field column with the lowest transport cost is selected to establish a transport mapping relationship with the current mainstream field column, and the corresponding field column positions are swapped. After completing the mapping and swapping of all mainstream field columns and residual field columns in the same way, the swapped mainstream field columns and residual field columns are reassembled according to the original field order to generate transport residual fusion features. The transport residual fusion features are subjected to Sinkhorn double-row normalization processing. The normalization results are mapped to the occurrence probability of each communication field under the condition of the preceding communication field, generating a communication field conditional probability matrix, where: The transport residual fusion features are subjected to Sinkhorn double-row normalization processing, specifically: The values ​​of the fields in the transport residual fusion feature are read row by row. The sum of all field values ​​in the current row is calculated, and the current field value is divided by the sum of the field values ​​in the current row to obtain the normalized field value of the corresponding row. The normalized field values ​​of the rows are read column by column. The sum of all field values ​​in the current column is calculated, and the normalized field value of the rows in the current column is divided by the sum of the field values ​​in the current column to obtain the normalized field value of the corresponding column. The normalized field value of the column is used as input again, and the row normalization and column normalization calculations are performed again. This process is repeated 20 times to obtain the Sinkhorn double-row normalization result. Generate the conditional probability matrix for the communication fields, specifically as follows: Read the corresponding field values ​​in the Sinkhorn double-row normalization result according to the original arrangement order of the communication fields, take the current field value as the probability of the current communication field under the condition of the previous communication field, and arrange the probability of all communication fields according to the original row and column positions in the communication behavior matrix to obtain the communication field conditional probability matrix. The improved PixelCNN was trained using the negative log-likelihood loss between the conditional probability matrix of the communication field and the true distribution of the communication field as the optimization objective. The parameters of the communication feature encoding layer, the screw mask probability generation layer, and the normalized stream output layer were continuously optimized. Training was stopped when the change in negative log-likelihood loss was less than 0.001 for 10 consecutive training rounds. The improved PixelCNN was trained as follows: Read the real communication field values ​​in the communication behavior matrix sequence, set the corresponding position of the real communication field value to 1, and set the other field positions to 0 to generate the real communication field distribution. Read the conditional probability value of the corresponding field position in the conditional probability matrix of the communication field, calculate the natural logarithm of the conditional probability value, multiply it by the value of the corresponding position of the real communication field distribution, and then multiply it by -1 to obtain the negative log-likelihood error of the corresponding communication field. Add the negative log-likelihood errors corresponding to all communication fields and divide by the total number of communication fields to obtain the negative log-likelihood loss value of the current round of training. The parameters in the communication feature coding layer, screw mask probability generation layer and normalized stream output layer are updated by back gradient based on the negative log-likelihood loss value. The parameter update step size is set to 0.0001. One round of training is defined as the completion of a complete traversal of the entire communication behavior matrix sequence. Training is stopped when the difference between the maximum and minimum negative log-likelihood loss corresponding to 10 consecutive rounds of training is less than 0.001.

[0025] In this embodiment, generating a long-term weak anomaly association sequence includes: Read the conditional probability value corresponding to each communication field in the conditional probability matrix of communication fields, and subtract the corresponding conditional probability value from 1 to obtain the field anomaly probability; The abnormality probability of each field is multiplied by its corresponding field weight, and then summed to obtain the session abnormality score, where: The anomaly probability of each field is multiplied by its corresponding field weight and then summed. Specifically: Multiply the abnormal probability of the fields corresponding to source address, destination address, protocol type and handshake status by 0.10, multiply the abnormal probability of the fields corresponding to source port, destination port, packet direction, packet length, connection duration and access failure number by 0.08, multiply the abnormal probability of the fields corresponding to retransmission number and authentication status by 0.06, and add all the product results to get the session abnormal score. When the session anomaly score is greater than 0.35 and less than or equal to 0.65, the corresponding communication session is marked as a low anomaly communication session; when the session anomaly score is greater than 0.65, the corresponding communication session is marked as a high anomaly communication session. When the time interval between adjacent low-anomaly communication sessions is less than 30 minutes, and the source and destination addresses of the preceding and following communication sessions correspond, and the protocol type or destination port is the same, a memory association edge is established between the two low-anomaly communication sessions, and all memory association edges are connected to generate a low-anomaly communication memory chain, wherein: The correspondence between the source address and the destination address in the preceding and following communication sessions means that the destination address in the preceding communication session is the same as the source address in the following communication session. Generate a low-anomaly communication memory chain, specifically as follows: Read all low-anomaly communication sessions in the order of communication timestamps. When the time interval between two adjacent low-anomaly communication sessions is less than 30 minutes, and the destination address in the previous communication session is the same as the source address in the next communication session, and the protocol type or destination port is the same, establish a memory association edge between the two low-anomaly communication sessions, and continue to connect all low-anomaly communication sessions that meet the conditions in the same way to generate a low-anomaly communication memory chain. Read the repetition count, cumulative duration, and cross-node propagation count for each memory association edge, calculate the memory association strength value, and sort all memory association edges according to their association strength values ​​to generate a long-term weak anomaly association sequence, where: Cumulative duration refers to the sum of the durations of all communication session connections corresponding to the same memory-associated edge; Cross-node propagation count refers to the number of times the same memory-associated edge propagates continuously between different source and destination addresses; The memory association strength value is calculated as follows: Multiply the number of repetitions by 0.40, divide the cumulative duration by the maximum cumulative duration within the current time window and then multiply by 0.35, divide the number of cross-node propagation counts by the maximum number of cross-node propagation counts within the current time window and then multiply by 0.25, and sum all the results to obtain the memory association strength of the corresponding memory association edge.

[0026] In this embodiment, generating the abnormal communication topology map includes: Read the source address, destination address, and session identifier from low-anomaly communication sessions and high-anomaly communication sessions, write the communication nodes corresponding to the source address and destination address into the graph node set, and write the communication sessions into the graph edge set; Read the session anomaly score, access frequency, access failure count, and memory association strength for each communication session. Divide the access frequency by the maximum access frequency within the current time window to obtain the normalized access frequency value. Divide the access failure count by the maximum access failure count within the current time window to obtain the normalized failed connection count value. The memory association strength of communication sessions without a matching memory association edge is set to 0. Access frequency refers to the total number of times the same source address initiates a communication connection to the same destination address within the current time window; The number of failed accesses refers to the total number of times that the same source address initiates communication to the same destination address within the current time window, and the handshake status is either handshake failure or authentication status is authentication failure. Multiply the session anomaly score by 0.45, the access frequency normalization value by 0.20, the failed connection count normalization value by 0.15, and the memory association strength by 0.20, and then add them together to obtain the anomaly topology edge weights. Combine the graph node set, graph edge set, and anomaly topology edge weights to generate an anomaly communication topology graph.

[0027] In this embodiment, generating a set of candidate lateral penetration subgraphs includes: Read the set of graph nodes, the set of graph edges, and the weights of abnormal topology edges in the abnormal communication topology graph. Construct a bipartite graph of session negative nodes from the communication sessions and communication nodes. Then, aggregate the communication sessions and communication nodes separately to generate a hypergraph of session cluster negative nodes, where: The communication session and communication nodes are constructed as a bipartite graph of negative nodes in the session, specifically as follows: Read all communication nodes and communication sessions in the abnormal communication topology graph, write each communication node into the node-side vertex set, and write each communication session into the session-side vertex set. When the source address or destination address of a communication session corresponds to a communication node, establish a connection edge between the corresponding communication session and the communication node, and generate a session negative node bipartite graph. The communication sessions and communication nodes are aggregated separately, specifically as follows: The abnormal topological edge weights and memory association strengths corresponding to each communication session in the bipartite graph of the negative node of the session are counted. When the difference between the abnormal topological edge weights corresponding to two communication sessions is less than 0.10 and the difference between the memory association strengths is less than 0.05, the corresponding communication sessions are assigned to the same session cluster. The number of connection edges between each communication node is counted. When the number of connection edges between two communication nodes is greater than 5, the corresponding communication nodes are assigned to the same node cluster. All session clusters and node clusters are combined to generate a hypergraph of negative node clusters of session clusters. The number of supernodes in the session cluster negative node cluster supergraph is counted, and the number of partitions is determined based on the number of supernodes. When the number of supernodes is less than 100, the number of partitions is set to 4; when the number of supernodes is greater than or equal to 100 and less than 1000, the number of partitions is set to 8; when the number of supernodes is greater than or equal to 1000, the number of partitions is set to 16. The number of supernodes refers to the sum of the total number of session clusters and the total number of node clusters in the session cluster negative node cluster supergraph; The METIS algorithm is used to perform multi-layer shrinkage processing on the hypergraph of negative nodes in the session cluster. Adjacent hypernodes are merged based on anomalous topology edge weights, and the number of communication sessions, anomalous topology edge weights, and memory association strength are accumulated into the shrinking hyperedge to generate a shrinking hypergraph. Where: The specific steps for performing multi-level shrinkage processing on the session cluster negative node cluster hypergraph based on the METIS algorithm are as follows: First, calculate the abnormal topological edge weights between each supernode. Then, merge the two adjacent supernodes with the largest abnormal topological edge weights into a new supernode. Next, calculate the abnormal topological edge weights between the new supernode and the remaining supernodes. Continue to merge the two adjacent supernodes with the largest abnormal topological edge weights. Repeat the supernode merging process in the same way until the number of supernodes is reduced to 20% of the original number of supernodes, generating a shrinking hypergraph. Merge adjacent supernodes based on the edge weights of abnormal topology, specifically as follows: Read the abnormal topological edge weights corresponding to all connecting edges between two adjacent supernodes, add all abnormal topological edge weights together and divide by the number of connecting edges to obtain the average abnormal topological edge weight between supernodes. When the average abnormal topological edge weight is greater than 0.60, merge the corresponding adjacent supernodes and add the number of communication sessions, abnormal topological edge weights and memory association strength respectively and write them into the shrinking superedge. Based on the number of partitions, a dual edge weight hedging optimization partitioning process is performed on the shrinking hypergraph. The sum of edge weights for anomalous topologies across regions is used as the first optimization objective, and the sum of edge weights for low-anomaly topologies within regions is used as the second optimization objective. The assignment of boundary supernodes is adjusted according to the dual optimization objectives. Simultaneously, self-supervised residual refinement is performed during the reverse unfolding process. When the residual discriminant value is greater than 0.05, the previous round of boundary supernode movement results are rolled back and the assignment of boundary supernodes is readjusted to generate the optimized hypergraph partitioning result, where: Based on the number of partitions, a dual edge weight hedging optimization partitioning process is performed on the shrinking hypergraph, specifically as follows: When the number of partitions is 4, the first to fourth regions are established. When the number of partitions is 8, the first to eighth regions are established. When the number of partitions is 16, the first to sixteenth regions are established. All super nodes are arranged in descending order of abnormal topology edge weights, and the super nodes are written into the corresponding regions in ascending order of region number. When the number of region numbers written reaches the number of partitions, the writing starts again from the first region to generate the initial partitioned regions. The sum of abnormal topological edge weights corresponding to all connecting edges between different initial partitioned regions is calculated to obtain the total abnormal topological edge weights across regions. The sum of abnormal topological edge weights corresponding to all connecting edges with abnormal topological edge weights less than 0.35 within the same initial partitioned region is calculated to obtain the total low abnormal topological edge weights within the region. Boundary supernodes are read one by one, and the sum of abnormal topological edge weights across regions and the sum of low abnormal topological edge weights within regions are calculated after the boundary supernodes are moved to different adjacent regions. When the sum of abnormal topological edge weights across regions decreases after the boundary supernodes are moved, and the sum of low abnormal topological edge weights within regions increases, the current boundary supernode is moved to the corresponding adjacent region. The sum of cross-regional abnormal topology edge weights refers to the sum of the abnormal topology edge weights corresponding to all connecting edges between different regions; The sum of low-anomaly topological edge weights within a region refers to the sum of the anomaly topological edge weights corresponding to all connecting edges within the same region whose anomaly topological edge weights are less than 0.35. The assignment of boundary supernodes is adjusted based on the dual optimization objectives, specifically as follows: Read the connection edges between the boundary supernode and the adjacent region one by one. When the total weight of the cross-regional abnormal topology edge decreases after the boundary supernode moves to the adjacent region, and the total weight of the low abnormal topology edge within the region increases, the current boundary supernode is assigned to the corresponding adjacent region. During the reverse expansion process, self-supervised residual refinement is performed, specifically as follows: The merged supernodes are restored layer by layer in the reverse order of supernode merging. After each supernode is restored, the sum of cross-regional abnormal topological edge weights and the sum of intra-regional low abnormal topological edge weights are calculated before and after restoration. The sum of cross-regional abnormal topological edge weights before restoration is subtracted from the sum of cross-regional abnormal topological edge weights after restoration to obtain the cross-regional edge weight residual value. The sum of intra-regional low abnormal topological edge weights before restoration is subtracted from the sum of intra-regional low abnormal topological edge weights after restoration to obtain the intra-regional edge weight residual value. The cross-regional edge weight residual value and the intra-regional edge weight residual value are added to obtain the residual discrimination value. When the residual discrimination value is greater than 0.05, the current supernode restoration result is cancelled and the corresponding boundary supernode affiliation is readjusted. The optimized hypergraph partitioning results are generated as follows: After completing the adjustment of all boundary supernode affiliations, count all supernode numbers, intra-regional connection edge numbers, and cross-regional connection edge numbers in each region, and combine the corresponding results to generate the optimized hypergraph partitioning result; The optimized hypergraph partitioning results are mapped back to the anomalous communication topology graph. Graph nodes, graph edges, internal anomalous topology edge weights, and cross-regional anomalous topology edge weights are extracted from each region to generate a set of candidate lateral penetration subgraphs, where: The optimized hypergraph partitioning results are mapped back to the abnormal communication topology graph, specifically as follows: Read the supernode number corresponding to each region in the optimized hypergraph partitioning result, query the original communication node number and original communication session number contained in each supernode, recombine all original communication nodes and original communication sessions belonging to the same region, and retain the connection relationship between original communication nodes and original communication sessions. After restoring the original communication nodes and original communication sessions corresponding to all regions, a regionalized abnormal communication topology map is obtained. Generate a set of candidate lateral penetration subgraphs, specifically as follows: Read each region in the regionalized abnormal communication topology graph, extract the graph nodes, graph edges, internal abnormal topology edge weights and cross-regional abnormal topology edge weights in the corresponding region, and write the results of each region as a candidate lateral penetration subgraph into a set to generate a candidate lateral penetration subgraph set.

[0028] In this embodiment, generating the communication security detection result includes: Read the low-anomaly communication sessions, high-anomaly communication sessions, internal anomalous topological edge weights, cross-regional anomalous topological edge weights, and long-term weak anomalous association sequences from the candidate lateral penetration subgraph, and calculate the low-anomaly session density, anomalous edge weight concentration, node jump depth, time duration, and cross-regional outreach strength, where: The calculation of low-abnormal session density, abnormal edge weight concentration, node jump depth, time duration, and cross-regional outbound strength is as follows: The low-abnormality communication sessions in the candidate lateral penetration subgraph are counted and divided by the total number of communication sessions in the candidate lateral penetration subgraph to obtain the low-abnormality session density. The sum of the weights of the internal abnormal topology edges is divided by the number of internal abnormal topology edges to obtain the abnormal edge weight concentration. The number of consecutive communication nodes traversed in the same communication path is counted to obtain the node jump depth. The connection durations corresponding to all communication sessions in the candidate lateral penetration subgraph are added together to obtain the time duration. The sum of the weights of the cross-regional abnormal topology edges is divided by the sum of the weights of the internal abnormal topology edges to obtain the cross-regional outbound connection strength. The penetration area score is obtained by multiplying the low abnormal session density by 0.25, the abnormal edge weight concentration by 0.30, the node jump depth by 0.20, the time duration by 0.15, and the cross-regional external connection strength by 0.10. When the penetration area score is greater than 0.70, the corresponding candidate lateral penetration sub-map is identified as a concealed lateral penetration area. When the penetration area score is greater than 0.50 and less than or equal to 0.70, the corresponding candidate lateral penetration sub-map is identified as a suspected lateral penetration area. When the penetration area score is less than or equal to 0.50, the corresponding candidate lateral penetration sub-map is identified as a normal abnormal communication area, and a communication security detection result is generated, wherein: The communication security detection results are generated as follows: Read the penetration area score corresponding to each candidate lateral penetration subgraph. When the penetration area score is greater than 0.70, mark the corresponding candidate lateral penetration subgraph as a hidden lateral penetration area. When the penetration area score is greater than 0.50 and less than or equal to 0.70, mark the corresponding candidate lateral penetration subgraph as a suspected lateral penetration area. When the penetration area score is less than or equal to 0.50, mark the corresponding candidate lateral penetration subgraph as a normal abnormal communication area. Combine the candidate lateral penetration subgraph number, area type, penetration area score, corresponding communication node number, and corresponding communication session number to generate the communication security detection result.

[0029] refer to Figure 3 A deep learning-based communication security detection system includes the following modules: The communication acquisition module is used to collect communication data in the communication network and generate a communication session data set; The behavior matrix module is used to encode and normalize the fields of the communication session data set to generate a sequence of communication behavior matrices. The probability modeling module is used to build an improved PixelCNN and generate a conditional probability matrix for communication fields. The weak anomaly association module is used to calculate the probability of field anomalies, generate session anomaly scores, and generate long-term weak anomaly association sequences. The topology generation module is used to generate abnormal communication topology diagrams; The subgraph partitioning module is used to execute the METIS algorithm based on the abnormal communication topology graph to generate a set of candidate lateral penetration subgraphs. The security detection module is used to calculate the penetration area score and generate communication security detection results.

[0030] Example 1: To verify the feasibility of this invention in practice, it was applied to a security detection device for an internal communication network. This network includes a terminal access area, an application service area, an authentication service area, and a data service area. The detection device collected 326,400 data packet records by mirroring traffic from the access switching device within one continuous monitoring cycle. After session aggregation according to a 5-minute time window, 39,610 communication sessions were obtained, including 38,620 normal business sessions, 740 sessions related to simulated covert lateral penetration, and 250 high-anomaly scanning sessions. The traditional rule detection system is set to trigger alarms when the number of single access failures exceeds 5, the duration of a single session exceeds 90 seconds, or the number of accesses from a single source address exceeds 80 within 1 minute. However, it was found that a host with a source IP address of 192.168.10.24 accessed port 445 of 192.168.20.15, 192.168.20.31, and 192.168.20.46 in different time windows. Each access failed 1 to 2 times, and the connection duration was 8 to 21 seconds. The abnormality of a single session was low, and the traditional rule detection system did not trigger a high-risk alarm.

[0031] The system first performs session aggregation on the communication data. The communication record with source address 192.168.10.24, destination address 192.168.20.15, source port 49162, destination port 445, protocol type TCP, packet direction outbound, packet length 684 bytes, connection duration 11 seconds, handshake status handshake interrupted, retransmission count 2, access failure count 1, and authentication status authentication failed was grouped into session C001. After an interval of 12 minutes, the communication record with source address 192.168.20.15, destination address 192.168.20.31, destination port 445, connection duration 14 seconds, and access failure count 1 was grouped into session C037. After another interval of 17 minutes, the communication record with source address 192.168.20.31, destination address 192.168.20.46, destination port 445, connection duration 18 seconds, and access failure count 2 was grouped into session C092. The preceding destination address of the above session corresponds to the following source address, and the destination port is 445 in both cases, forming a low-intensity cross-node propagation characteristic.

[0032] The system performs field encoding and normalization on the communication session data set. Taking session C001 as an example, the source address is converted to 1043, the destination address to 2087, the source port to 49162, the destination port to 445, the protocol type TCP to 6, the packet direction outbound to 1, the handshake interruption to 1, and the authentication failure to 0. Within the current time window, the minimum packet length is 64 bytes and the maximum is 1514 bytes. The normalized value for this session's packet length of 684 bytes is 0.4276. The minimum connection duration is 1 second and the maximum is 60 seconds. The normalized value for this session's 11 seconds is 0.1695. The normalized value for the number of retransmissions is 0.4000, and the normalized value for the number of access failures is 0.2500. The system writes the above field encoding and normalized values ​​into fixed row and column positions to generate a communication behavior matrix, and generates a communication behavior matrix sequence according to the communication timestamp order.

[0033] The system inputs the communication behavior matrix sequence into the improved PixelCNN. The system calculates the mutual information values ​​of the fields: source address and destination address mutual information is 0.73, destination address and destination port mutual information is 0.69, destination port and protocol type mutual information is 0.64, handshake state and authentication state mutual information is 0.58, and retransmission count and access failure count mutual information is 0.52. Based on the mutual information values, the system constructs a Huffman field tree, prioritizing source address, destination address, destination port, protocol type, handshake state, and authentication state in the first path, and performs coarse path signature recursion according to the rearranged field order. Subsequently, the system maps the field states corresponding to source address, destination address, source port, destination port, protocol type, and packet direction to spinor field features. A spinor conditional feature matrix is ​​generated through Lie group exposure mapping and mask autoregressive coupling. Finally, a communication field conditional probability matrix is ​​generated through optimal transport residual interchange and Sinkhorn double-row normalization.

[0034] Taking session C001 as an example, the system outputs the following conditional probabilities: source address 0.82, destination address 0.76, destination port 0.58, protocol type 0.81, handshake status 0.49, access failure count 0.51, and authentication status 0.46. The system subtracts the corresponding conditional probability value from 1 to obtain the field anomaly probability, and calculates the session anomaly score according to the field weight. The resulting session anomaly score is 0.43 for session C001, 0.46 for session C037, and 0.49 for session C092. Since all these scores are greater than 0.35 and less than or equal to 0.65, the system marks these three sessions as low-anomaly communication sessions.

[0035] The system reads low-anomaly communication sessions in order of communication timestamps. Since the destination address of session C001 is the same as the source address of session C037, the time interval is 12 minutes, and the destination port is the same, the system establishes a memory association edge between C001 and C037. Similarly, since the destination address of session C037 is the same as the source address of session C092, the time interval is 17 minutes, and the destination port is the same, the system establishes a memory association edge between C037 and C092. The system counts the number of repetitions of this propagation chain as 3, the cumulative duration as 43 seconds, and the number of cross-node propagations as 2. Within the current time window, the maximum cumulative duration is 60 seconds and the maximum number of cross-node propagations is 3. The calculated memory association strength is 0.74.

[0036] When generating an abnormal communication topology graph, the system treats communication nodes as graph nodes and communication sessions as graph edges. Taking session C001 as an example, its session anomaly score is 0.43, access frequency is 6 times, current maximum access frequency is 12 times, access frequency normalization value is 0.50, access failure count is 1 time, current maximum access failure count is 4 times, failed connection count normalization value is 0.25, and memory association strength is 0.74. The system multiplies the session anomaly score by 0.45, the access frequency normalization value by 0.20, the failed connection count normalization value by 0.15, and the memory association strength by 0.20, and then adds them together to obtain an abnormal topology edge weight of 0.479. The abnormal topology edge weights of sessions C037 and C092 are 0.512 and 0.548, respectively, indicating that low-anomaly communication chains are continuously strengthened in the topology graph.

[0037] The system executes an improved METIS algorithm based on an anomaly communication topology graph. The simulated data contains a bipartite graph of negative nodes with 148 communication nodes and 866 communication sessions. After aggregation, 132 supernodes are generated, so the partitioning quantity is set to 8. The system performs multi-layer shrinkage processing and establishes regions 1 to 8 on the shrunk hypergraph. The system uses the sum of cross-regional anomaly topology edge weights as the first optimization objective and the sum of intra-regional low-anomaly topology edge weights as the second optimization objective to adjust the assignment of boundary supernodes. For example, after boundary supernode H27 moves from region 3 to region 5, the sum of cross-regional anomaly topology edge weights decreases from 6.84 to 5.91, while the sum of intra-regional low-anomaly topology edge weights increases from 3.22 to 3.76. The system then assigns H27 to region 5. During reverse unrolling, when a recovery causes the residual discriminant value to reach 0.071, the system rolls back the boundary supernode movement result and readjusts the boundary supernode assignments, ultimately generating a set of candidate lateral penetration subgraphs.

[0038] The system calculates penetration region scores for candidate lateral penetration subgraphs. The candidate subgraph corresponding to region 5 contains 18 communication nodes and 43 communication sessions, including 37 low-anomaly communication sessions and 2 high-anomaly communication sessions. The low-anomaly session density is 0.86, the anomalous edge weight concentration is 0.71, the normalized node jump depth is 0.60, the time duration is 0.68, and the cross-regional outreach strength is 0.14. The system multiplies these indicators by 0.25, 0.30, 0.20, 0.15, and 0.10 respectively, and then adds them together to obtain a penetration region score of 0.664, thus identifying this region as a suspected lateral penetration region. Another candidate subgraph has a low-anomaly session density of 0.91, anomaly edge weight concentration of 0.78, node jump depth of 0.83, time duration of 0.74, and cross-regional outreach strength of 0.32, resulting in a penetration region score of 0.771. The system identifies this as a concealed lateral penetration region.

[0039] The traditional rule-based detection method, the ordinary convolutional neural network detection method, and the method of this invention were compared using the same batch of test data. The test data included 39,340 normal communication sessions, 100 highly anomaly communication sessions, and 2,180 low-anomaly lateral penetration communication sessions, with 27 manually labeled hidden lateral penetration regions. The traditional rule-based detection method detected 9 hidden lateral penetration regions, with a recall rate of 38.6%, a false positive rate of 18.4%, and a false negative rate of 61.4% for low-anomaly communication sessions. The ordinary convolutional neural network detection method detected 16 hidden lateral penetration regions, with a recall rate of 64.2%, a false positive rate of 13.7%, and a false negative rate of 35.8% for low-anomaly communication sessions. The method of this invention detected 25 hidden lateral penetration regions, with a recall rate of 91.8%, a false positive rate of 6.9%, and a false negative rate of 8.2% for low-anomaly communication sessions. The system finally outputs the communication security detection results, recording the region type, penetration region score, involved communication nodes, involved communication sessions, main destination ports, and memory association strength. Based on the detection results, isolation marking was applied to the nodes involved, and rate limiting and secondary authentication were applied to cross-regional access on port 445. Within the same observation window, the number of related communication sessions decreased from 56 to 7, the number of access failures decreased from 63 to 5, and the number of cross-node propagation decreased from 9 to 1. This proves that the present invention can identify the hidden lateral penetration area formed by multiple low-anomaly communication sessions during long-term propagation.

[0040] The above description is only a preferred embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any equivalent substitutions or modifications made by those skilled in the art within the scope of the technology disclosed in the present invention, based on the technical solution and inventive concept of the present invention, should be covered within the scope of protection of the present invention.

Claims

1. A communication security detection method based on deep learning, characterized in that, include: Collect communication data from the communication network, and aggregate the communication data into sessions according to time windows to generate a communication session data set; The communication session data set is processed by field encoding and normalization, and each communication session is converted into a communication behavior matrix according to the order of communication occurrence, generating a sequence of communication behavior matrices; Based on the communication behavior matrix sequence, an improved PixelCNN is constructed. Coarse path signature recursion, screw mask coupling and Sinkhorn normalized flow probability generation are performed on the communication field to generate the conditional probability matrix of the communication field. Based on the conditional probability matrix of the communication field, the field anomaly probability is calculated, a session anomaly score is generated, low-anomaly communication sessions and high-anomaly communication sessions are marked, and a low-anomaly communication memory chain is constructed to generate a long-term weak anomaly association sequence. Based on low-anomaly communication sessions, high-anomaly communication sessions, session anomaly scores, and long-term weak anomaly association sequences, anomaly topology edge weights are generated using communication nodes as graph nodes and communication sessions as graph edges, and session anomaly scores, access frequency, number of failed connections, and memory association strength to generate anomaly communication topology graph. The METIS algorithm is executed based on the abnormal communication topology graph. The abnormal communication topology graph is divided into regions according to the edge weights of the abnormal topology, and a set of candidate lateral penetration subgraphs is generated. The penetration area score is calculated based on the candidate lateral penetration subgraph set to identify hidden lateral penetration areas, suspected lateral penetration areas, and ordinary abnormal communication areas, and to generate communication security detection results.

2. The deep learning-based communication security detection method according to claim 1, characterized in that, The communication data includes source address, destination address, source port, destination port, protocol type, data packet direction, data packet length, connection duration, handshake status, number of retransmissions, number of access failures, authentication status, communication timestamp, and session identifier.

3. The deep learning-based communication security detection method according to claim 1, characterized in that, The generated communication session data set includes: Communication data is read according to a fixed time window. Communication data with the same session identifier is grouped into the same initial session group. For communication data with an empty session identifier, communication data with the same source address, destination address, source port, destination port and protocol type and a communication timestamp interval of less than 60 seconds are grouped into the same initial session group. Read each initial session group in the order of communication timestamps, write the data packet direction, data packet length, connection duration, handshake status, number of retransmissions, number of access failures and authentication status into the corresponding session record, and configure the source node, destination node, port encoding, protocol encoding and session time range to generate a communication session data set.

4. The deep learning-based communication security detection method according to claim 1, characterized in that, The generation of the communication behavior matrix sequence includes: Read the source address, destination address, source port, destination port, protocol type, packet direction, handshake status, and authentication status from the communication session data set, and convert them into the corresponding field encoded values; Read the data packet length, connection duration, number of retransmissions, and number of access failures. Subtract the minimum field value within the current time window from the current field value, and then divide by the difference between the maximum and minimum field values ​​to obtain the corresponding normalized value. When the maximum field value equals the minimum field value, set the corresponding normalized value to 0. Each communication session is read in the order of communication timestamps, and the encoded and normalized values ​​of each field are written into fixed row and column positions to generate a communication behavior matrix. All communication behavior matrices are then arranged in the order of communication timestamps to generate a communication behavior matrix sequence.

5. The deep learning-based communication security detection method according to claim 1, characterized in that, The generation of the communication field conditional probability matrix includes: An improved PixelCNN is constructed, comprising a communication feature encoding layer, a screw mask probability generation layer, and a normalized stream output layer; Input the communication behavior matrix sequence into the communication feature coding layer and statistically analyze the mutual information values ​​of the fields between source address, destination address, source port, destination port, protocol type, packet direction, packet length, connection duration, handshake status, number of retransmissions, number of access failures, and authentication status. Construct a Huffman field tree based on the field mutual information values, rearrange the field writing order according to the field path order of the Huffman field tree, and perform coarse path signature recursion according to the rearranged field order to generate a coarse path field state sequence. The coarse path field state sequence is input into the screw mask probability generation layer. The field states corresponding to the source address, destination address, source port, destination port, protocol type, and data packet direction are mapped to screw field features. Lie group exposure mapping is performed on the screw field features. Autoregressive coupling calculation is performed on the screw field features after Lie group exposure mapping according to the mask order to generate the screw condition feature matrix. Input the screw conditional feature matrix into the normalized flow output layer, construct the optimal transport residual interchange block, and perform optimal transport mapping and interchange fusion between the mainstream features and residual features corresponding to the screw conditional feature matrix to generate transport residual fusion features. The transport residual fusion features are subjected to Sinkhorn double-row normalization processing, and the normalization results are mapped to the occurrence probability of each communication field under the condition of the preceding communication field, generating a communication field conditional probability matrix. The improved PixelCNN was trained using the negative log-likelihood loss between the conditional probability matrix of the communication field and the true distribution of the communication field as the optimization objective. The parameters of the communication feature encoding layer, the screw mask probability generation layer, and the normalized stream output layer were continuously optimized. Training was stopped when the change in negative log-likelihood loss was less than 0.001 for 10 consecutive training rounds.

6. The deep learning-based communication security detection method according to claim 1, characterized in that, The generation of long-term weak anomaly association sequences includes: Read the conditional probability value corresponding to each communication field in the conditional probability matrix of communication fields, and subtract the corresponding conditional probability value from 1 to obtain the field anomaly probability; The abnormal probability of each field is multiplied by the corresponding field weight and then summed to obtain the session abnormality score; When the session anomaly score is greater than 0.35 and less than or equal to 0.65, the corresponding communication session is marked as a low anomaly communication session; when the session anomaly score is greater than 0.65, the corresponding communication session is marked as a high anomaly communication session. When the time interval between adjacent low-anomaly communication sessions is less than 30 minutes, the source address and destination address of the preceding and following communication sessions correspond, and the protocol type or destination port is the same, a memory association edge is established between the two low-anomaly communication sessions, and all memory association edges are connected to generate a low-anomaly communication memory chain. Read the repetition count, cumulative duration, and cross-node propagation count of each memory association edge, calculate the memory association strength value, and arrange all memory association edges according to the association strength value to generate a long-term weak anomaly association sequence.

7. The deep learning-based communication security detection method according to claim 1, characterized in that, The generation of the abnormal communication topology map includes: Read the source address, destination address, and session identifier from low-anomaly communication sessions and high-anomaly communication sessions, write the communication nodes corresponding to the source address and destination address into the graph node set, and write the communication sessions into the graph edge set; Read the session anomaly score, access frequency, access failure count and memory association strength of each communication session. Divide the access frequency by the maximum access frequency in the current time window to obtain the access frequency normalization value. Divide the access failure count by the maximum access failure count in the current time window to obtain the failed connection count normalization value. The memory association strength of communication sessions without matching memory association edges is 0. Multiply the session anomaly score by 0.45, the access frequency normalization value by 0.20, the failed connection count normalization value by 0.15, and the memory association strength by 0.20, and then add them together to obtain the anomaly topology edge weights. Combine the graph node set, graph edge set, and anomaly topology edge weights to generate an anomaly communication topology graph.

8. The deep learning-based communication security detection method according to claim 1, characterized in that, The generated candidate lateral penetration subgraph set includes: Read the set of graph nodes, the set of graph edges, and the weights of abnormal topology edges in the abnormal communication topology graph. Construct a bipartite graph of session negative nodes from the communication sessions and communication nodes. Then aggregate the communication sessions and communication nodes respectively to generate a hypergraph of session cluster negative nodes. The number of supernodes in the session cluster negative node cluster supergraph is counted, and the number of partitions is determined based on the number of supernodes. When the number of supernodes is less than 100, the number of partitions is set to 4; when the number of supernodes is greater than or equal to 100 and less than 1000, the number of partitions is set to 8; when the number of supernodes is greater than or equal to 1000, the number of partitions is set to 16. Based on the METIS algorithm, multi-layer shrinkage processing is performed on the hypergraph of negative node clusters of session clusters. Adjacent hypernodes are merged according to the abnormal topology edge weights, and the number of communication sessions, the abnormal topology edge weights, and the memory association strength are accumulated to the shrinkage hyperedge to generate a shrinkage hypergraph. Based on the number of partitions, a dual edge weight offset optimization partitioning process is performed on the shrinking hypergraph. The sum of the weights of the cross-regional anomalous topology edges is used as the first optimization objective, and the sum of the weights of the low-anomaly topology edges within the region is used as the second optimization objective. The assignment of the boundary supernodes is adjusted according to the dual optimization objectives. At the same time, self-supervised residual refinement is performed during the reverse unfolding process. When the residual discriminant value is greater than 0.05, the previous round of boundary supernode movement results are rolled back and the assignment of the boundary supernodes is readjusted to generate the optimized hypergraph partitioning result. The optimized hypergraph partitioning results are mapped back to the abnormal communication topology graph. Graph nodes, graph edges, internal abnormal topology edge weights, and cross-regional abnormal topology edge weights are extracted from each region to generate a set of candidate lateral penetration subgraphs.

9. The deep learning-based communication security detection method according to claim 1, characterized in that, The generation of communication security detection results includes: Read the low-anomaly communication sessions, high-anomaly communication sessions, internal anomalous topological edge weights, cross-regional anomalous topological edge weights, and long-term weak anomalous association sequences in the candidate lateral penetration subgraph, and calculate the low-anomaly session density, anomalous edge weight concentration, node jump depth, time duration, and cross-regional outbound strength. The penetration area score is obtained by multiplying the low abnormal session density by 0.25, the abnormal edge weight concentration by 0.30, the node jump depth by 0.20, the time duration by 0.15, and the cross-regional external connection strength by 0.

10. When the penetration area score is greater than 0.70, the corresponding candidate lateral penetration sub-map is identified as a concealed lateral penetration area. When the penetration area score is greater than 0.50 and less than or equal to 0.70, the corresponding candidate lateral penetration sub-map is identified as a suspected lateral penetration area. When the penetration area score is less than or equal to 0.50, the corresponding candidate lateral penetration sub-map is identified as a normal abnormal communication area, and a communication security detection result is generated.

10. A deep learning-based communication security detection system, comprising executing the deep learning-based communication security detection method according to any one of claims 1 to 8, characterized in that, Includes the following modules: The communication acquisition module is used to collect communication data in the communication network and generate a communication session data set; The behavior matrix module is used to encode and normalize the fields of the communication session data set to generate a sequence of communication behavior matrices. The probability modeling module is used to build an improved PixelCNN and generate a conditional probability matrix for communication fields. The weak anomaly association module is used to calculate the probability of field anomalies, generate session anomaly scores, and generate long-term weak anomaly association sequences. The topology generation module is used to generate abnormal communication topology diagrams; The subgraph partitioning module is used to execute the METIS algorithm based on the abnormal communication topology graph to generate a set of candidate lateral penetration subgraphs. The security detection module is used to calculate the penetration area score and generate communication security detection results.