A dynamic data flow self-optimizing encryption method based on neural network
By adopting a neural network-based dynamic data stream self-optimization encryption method, the problem of lag in feature extraction and policy determination in the high-speed dynamic data stream encryption process of existing technologies is solved, achieving efficient encryption protection within microseconds and improving the data transmission security of backbone networks and the system's adaptability.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- GUANGDONG CHUANGKE SECURITY TECH CO LTD
- Filing Date
- 2026-05-27
- Publication Date
- 2026-07-03
AI Technical Summary
Existing technologies struggle to complete feature extraction and simultaneous determination of encryption strategies within a very short time during the encryption process of high-speed dynamic data streams. This results in some data being exposed to security risks during transmission, especially in backbone networks where transmission rates are high and dynamic characteristics are strong, making it impossible for existing methods to achieve effective real-time protection.
A dynamic data stream self-optimization encryption method based on neural networks is adopted. The data sub-stream is grouped and processed by combining neural networks with K-Means clustering algorithm to identify abnormal patterns. Accelerated computation and encryption strategy generation are performed within a microsecond time window. Feature extraction and encryption operations are optimized by using dynamic resource scheduling framework and parallel pipeline computing architecture. The strategy is adjusted by combining neural network-assisted decision tree. The national cryptographic algorithm SM4 is used for encryption, and the encryption strategy is optimized through closed-loop feedback learning mechanism.
It enables feature extraction and encryption strategy determination within a microsecond-level time window, improving the accuracy of abnormal pattern recognition, ensuring the flexibility and adaptability of encryption strategies, enhancing the response speed and security of the encryption system, meeting the large-scale data transmission needs of backbone networks, and maintaining the continuity and security of data transmission under extreme conditions.
Smart Images

Figure CN122339841A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of data encryption technology, specifically to a dynamic data stream self-optimization encryption method based on neural networks. Background Technology
[0002] Data security is a fundamental guarantee in the field of network communication, directly related to the confidentiality, integrity, and availability of information systems. With the rapid development of internet technology and the continuous advancement of digitalization, various network applications generate massive amounts of dynamic data streams. These data face multiple security threats during transmission, including interception, tampering, and leakage. Especially in large-scale data transmission scenarios such as backbone networks, data streams have extremely high transmission rates and highly dynamic characteristics. How to implement effective and real-time encryption protection for such high-speed dynamic data streams has become a core issue that urgently needs to be addressed in the field of information security.
[0003] Among them, the dynamic data stream self-optimization encryption method based on neural networks is an emerging technological direction. It aims to use artificial intelligence technology to intelligently analyze the real-time characteristics of data streams and dynamically generate and adjust encryption strategies accordingly to achieve the optimal balance between security protection and transmission efficiency. The core objective of this technology is to enable the encryption system to respond quickly and adaptively to environmental changes, much like a biological nervous system.
[0004] Existing dynamic data stream encryption methods generally rely on preset rule bases or fixed policy templates, exhibiting significant limitations when facing the complex and ever-changing environment of high-speed data streams. These methods often employ simple statistical models or lightweight algorithms in the feature extraction stage, resulting in insufficient and inaccurate capture of dynamic changes in the data stream. In the encryption policy determination stage, they frequently use static rules based on thresholds, making it difficult to flexibly adjust according to real-time traffic characteristics. More importantly, due to the lack of an effective synchronization mechanism between feature extraction and policy determination, systems often cannot complete the entire process from analysis to decision within a very short time window when processing large-scale data, potentially exposing some data to security risks during transmission. For example, in backbone networks, data streams may be transmitted at speeds of millions of data points per second. If the encryption system cannot complete feature analysis and determine the encryption method within microseconds, some unprotected data may be intercepted or tampered with, causing serious security vulnerabilities. Therefore, how to complete feature extraction of high-speed data streams in a very short time and simultaneously achieve rapid determination and execution of encryption policies has become a key technical challenge restricting network data security. Summary of the Invention
[0005] The purpose of this invention is to address the aforementioned shortcomings in the prior art by providing a dynamic data stream self-optimization encryption method based on neural networks.
[0006] The objective of this invention is achieved through the following technical solution: a dynamic data stream self-optimization encryption method based on neural networks, comprising the following steps:
[0007] S1. Obtain high-speed dynamic data stream from the backbone network, separate the high-speed dynamic data stream to obtain an initial data packet sequence, perform preliminary classification on the dynamic change part in the initial data packet sequence, and obtain classified data sub-streams;
[0008] S2. The traffic features within the classified data sub-streams are grouped using a neural network combined with the K-Means clustering algorithm. The grouping results are then used to determine if there are any abnormal patterns. When the proportion of abnormal patterns exceeds a preset threshold, the corresponding data sub-streams are marked as high-risk sub-streams, and the core feature set of the high-risk sub-streams is determined.
[0009] S3. Obtain computing resources that match the microsecond-level time window based on the core feature set, perform accelerated calculations on the speed-related attributes in the core feature set, and obtain optimized feature extraction results that meet the real-time protection requirements.
[0010] S4. Based on the optimized feature extraction results, a preliminary encryption strategy draft is generated. Synchronous execution elements are extracted from the preliminary encryption strategy draft. A neural network-assisted decision tree is used to perform branch analysis on the synchronous execution elements. The final encryption method is determined for the dynamically changing branches in the analysis results, and the adjusted encryption strategy is obtained.
[0011] S5. Implement encryption operations on high-risk substreams according to the adjusted encryption strategy and monitor the delay time of the encryption operations;
[0012] S6. Determine whether the delay time of the encryption operation is within the preset range of microseconds. If it is within the preset range of microseconds, output the encrypted target data stream.
[0013] S7. Collect transmission feedback information of the target data stream, verify the degree of reduction in security risk after encryption through transmission feedback information, determine whether the remaining risk in the verification result is lower than the preset threshold, and complete the closed-loop execution of dynamic data stream self-optimization encryption when the remaining risk is lower than the preset threshold.
[0014] The present invention is further configured such that, in step S1, when acquiring high-speed dynamic data streams from the backbone network, port mirroring technology or a splitter device is used to capture the data streams in transmission in real time, and the buffer queue of the data capture module adopts a circular overwrite writing mechanism; when separating the high-speed dynamic data streams, deep parsing is performed based on the protocol field in the packet header to identify TCP, UDP and custom protocols, and hash bucketing is performed according to the source address and destination address to obtain a structured initial packet sequence.
[0015] The present invention is further configured such that, when performing preliminary classification of the dynamically changing parts in the initial data packet sequence, a dynamic detection algorithm based on entropy calculation is used to quantify the information entropy change rate of each data packet sequence, and packets with an entropy change rate greater than a preset entropy threshold are marked as high dynamic region identifier bits, and preliminary classification is completed accordingly.
[0016] The present invention is further configured such that, in step S2, the input layer of the neural network receives the traffic statistics features of each data sub-stream, including packet length distribution features, arrival time interval features, protocol proportion features, and port distribution features; the hidden layer is configured with a multi-layer fully connected network, and the activation function is a linear rectified function; the output features of the neural network are concatenated with the input features of the K-Means clustering algorithm and then cluster analysis is performed.
[0017] The present invention is further configured to determine whether there is an abnormal pattern by calculating the cluster center distance of the cluster to which each data sub-stream belongs; when the proportion of abnormal patterns exceeds a preset proportion threshold, the corresponding data sub-stream is marked as a high-risk sub-stream; the core feature set contains multi-dimensional feature vectors extracted from the output of the intermediate layer of the neural network.
[0018] The present invention is further configured such that, in step S3, a dynamic resource scheduling framework is used to pre-allocate graphics processing unit stream multiprocessor resources according to the data volume and computational complexity of the core feature set, and dedicated registers and shared memory buffers are set up; for speed-related attributes, a parallel pipeline computing architecture is adopted to convert the serial computing path into a multi-level parallel pipeline, and zero-copy data transmission technology is combined to reduce memory access overhead.
[0019] The present invention is further configured such that, in step S4, the policy generation network is a two-layer fully connected neural network, and the output layer contains multiple neurons corresponding to combinations of multiple encryption strength levels and multiple key update frequencies; the synchronous execution elements include encryption start time, key distribution path and encryption algorithm switching trigger conditions; each leaf node of the decision tree is associated with a neural network predictor for evaluating the risk value of branch selection.
[0020] The present invention is further configured such that, in step S5, the national cryptographic algorithm SM4 is used as the core implementation of the symmetric encryption algorithm, the block length of the SM4 algorithm is 128 bits, and the key length is 128 bits; the key update cycle is dynamically adjusted according to the update frequency determined in step S4; a timestamp collection point is set at the exit of the encryption pipeline to collect the complete time of the encryption operation from input to output as the delay time.
[0021] The present invention is further configured such that, in step S6, if the delay time exceeds a preset range at the microsecond level, an exception handling process is triggered. The exception handling process includes a multi-level degradation strategy, and the execution order of the degradation strategy is activated in order of increasing impact on the delay, including reducing the encryption strength level, reducing the key update frequency, and enabling hardware acceleration bypass.
[0022] The invention is further configured to include a closed-loop feedback learning mechanism, which stores the encryption parameters, latency data, and risk assessment results collected in each closed-loop execution into a time-series database, and constructs a policy evolution model using a long short-term memory recurrent neural network based on historical data in the time-series database. The output of the policy evolution model is the recommended encryption parameters for the next cycle. The invention also includes a multi-level encryption collaboration module, which deploys independent encryption execution units at the entry node, core forwarding node, and exit node of the backbone network, and synchronizes encryption policies between nodes through an out-of-band management channel.
[0023] The beneficial effects of this invention are:
[0024] I. This invention, through the deep integration of a dynamic resource scheduling framework and a parallel pipeline computing architecture, controls the end-to-end processing latency of feature extraction results within a preset time threshold. Combined with the rapid branch analysis capability of neural network-assisted decision trees, it ensures that the determination and execution of encryption strategies are completed within a preset time limit. Compared with traditional methods that rely on preset rules, the response speed is significantly improved, effectively solving the protection lag problem of high-speed data streams within microsecond-level time windows.
[0025] Second, by combining neural networks with the K-Means clustering algorithm, the accuracy of abnormal pattern recognition in high-speed dynamic data streams is significantly improved. Potential security threats can be identified in the early stages of data stream transmission, thus gaining a valuable time window for subsequent encryption operations.
[0026] Third, based on the branch analysis results of the neural network-assisted decision tree, the system can dynamically select the optimal encryption method according to the real-time characteristics of the data stream. The key update frequency can be adaptively adjusted within a preset frequency range. The encryption strength level supports multi-level gradient switching. The flexibility of strategy adjustment is significantly improved compared with traditional static rules.
[0027] Fourth, through the synergistic effect of time-series database and long short-term memory recurrent neural network, the system can continuously learn from historical execution records and optimize the strategy evolution model. The accuracy of strategy recommendation continues to improve with the increase of running time, realizing the self-evolution of encryption strategy and effectively extending the life cycle and protection effectiveness of encryption system.
[0028] Fifth, the three-node collaborative working mode of the backbone network entry node, core forwarding node and exit node of this invention realizes the step-by-step offloading and close cooperation of processing functions, and the overall processing throughput is not lower than the preset throughput threshold, which meets the performance requirements of large-scale data transmission scenarios in the backbone network.
[0029] VI. When the encryption operation delay exceeds the preset range of microseconds, the system automatically triggers a multi-level degradation strategy, including reducing the encryption strength level, reducing the key update frequency, and enabling hardware acceleration bypass, to ensure that basic encryption protection capabilities can still be maintained under extreme conditions such as sudden increases in system load, thus guaranteeing the continuity and security of data transmission. Attached Figure Description
[0030] The invention will be further illustrated with reference to the accompanying drawings, but the embodiments in the drawings do not constitute any limitation on the invention. For those skilled in the art, other drawings can be obtained based on the following drawings without any creative effort.
[0031] Figure 1 This is a flowchart of the filtering method of the present invention; Detailed Implementation
[0032] The present invention will be further described in conjunction with the following embodiments.
[0033] Example 1, by Figure 1As can be seen, the dynamic data stream self-optimization encryption method based on neural networks in this embodiment includes the following steps: S1, obtaining high-speed dynamic data streams from the backbone network, separating the high-speed dynamic data streams to obtain initial data packet sequences, and performing preliminary classification on the dynamic change parts in the initial data packet sequences to obtain classified data sub-streams; S2, using a neural network combined with the K-Means clustering algorithm to group the traffic features within the classified data sub-streams, determining whether there are abnormal patterns (cluster center distance exceeds a threshold) in the grouping results, and when the proportion of abnormal patterns exceeds a preset threshold, marking the corresponding data sub-stream as a high-risk sub-stream (abnormal pattern proportion ≥ 30%), and determining the core feature set of the high-risk sub-stream; S3, based on the core feature set, acquiring computing resources matching the microsecond (1-5μs) time window, performing accelerated calculations on the speed-related attributes in the core feature set to obtain data that meets real-time protection requirements. S4. Based on the optimized feature extraction results, generate a preliminary encryption strategy draft. Extract synchronous execution elements from the preliminary encryption strategy draft, and use a neural network-assisted decision tree to perform branch analysis on the synchronous execution elements. Determine the final encryption method for the dynamically changing branches in the analysis results, and obtain the adjusted encryption strategy. S5. Implement encryption operations on high-risk sub-streams according to the adjusted encryption strategy and monitor the latency of the encryption operations. S6. Determine whether the latency of the encryption operations is within a preset range of microseconds. If the latency of the encryption operations is within a preset range of microseconds, output the encrypted target data stream. S7. Collect transmission feedback information of the target data stream, verify the degree of security risk reduction after encryption through the transmission feedback information, and determine whether the remaining risk in the verification results is lower than a preset threshold. When the remaining risk is lower than the preset threshold, complete the closed-loop execution of dynamic data stream self-optimization encryption. The specific implementation process of each step is described in detail below.
[0034] In step S1, when acquiring high-speed dynamic data streams from the backbone network, the data acquisition module uses port mirroring technology or a splitter device to capture the data stream in real time. Port mirroring technology, by configuring a mirroring policy on a specific port of the switch, completely copies all data traffic passing through the source port to the monitoring port for real-time reception by the data acquisition module. The splitter device achieves this through physical layer signal splitting, proportionally dividing the bidirectional traffic in the backbone network link to ensure that the captured data stream remains synchronized with the original transmitted data. The buffer queue depth of the data acquisition module is set to a preset depth value, for example, configurable as 4096 data frame slots, with each slot temporarily storing one parsed Ethernet data frame. The sampling period is set to a preset period time, for example, a fixed sampling interval of 10 milliseconds. At the end of each sampling period, the data in the buffer queue is processed in batches to ensure that the original form of the data stream is completely recorded without packet loss. The buffer queue uses a circular overwrite mechanism; when the queue is full, it automatically overwrites the earliest written data frame, avoiding data loss due to queue overflow.
[0035] When separating high-speed dynamic data streams, deep parsing is performed based on the protocol fields in the packet header. In the Ethernet frame structure, the protocol field is located at the Ethernet type field position, and the upper-layer protocol type is determined by reading the value of this field. Specifically, an Ethernet type field value of 0x0800 indicates an IPv4 protocol packet, a value of 0x86DD indicates an IPv6 protocol packet, and a value of 0x0806 indicates an ARP protocol packet. After identifying various packet types, including TCP, UDP, and custom protocols, the protocol fields in the IP header are further parsed to distinguish between TCP (protocol number 6), UDP (protocol number 17), and other custom upper-layer protocols. For TCP packets, the source and destination port fields, the four-tuple information (source IP address, destination IP address, source port, destination port), and the TCP flag status are parsed; for UDP packets, the source port, destination port, and data length fields are parsed; for custom protocol packets, key fields in the packet header are extracted according to predefined protocol parsing rules. The separation process involves hashing and bucketing based on source and destination addresses. Specifically, a 5-tuple-based hash function is used: `Hash 5-tuple` equals the source IP address XORed with the destination IP address shifted left by a specific number of bits XORed with the source port XORed with the destination port XORed with the protocol number modulo the preset number of buckets. Each data packet is mapped to its corresponding hash bucket, resulting in a structured initial data packet sequence. Data packets within each hash bucket are then sorted in ascending order by arrival timestamp, forming a time-ordered subsequence of data packets, providing the basic data structure for subsequent dynamic change detection.
[0036] When initially classifying the dynamically changing portions of the initial data packet sequence, a dynamic detection algorithm based on entropy calculation is employed. The core idea of this algorithm is to identify high-dynamic regions in the data stream by quantifying the rate of change of information entropy for each data packet sequence. The specific calculation process is as follows: For the data packet sequence within each hash bucket, it is segmented according to a fixed time window, for example, a time window width of 100 microseconds. A probability density estimate is constructed for all data packets within the time window according to their packet length distribution. The frequency of different packet length values is statistically analyzed and normalized to a probability distribution. The formula for calculating information entropy is: entropy equals the negative summation of the packet length probability for all packet length values multiplied by the logarithm of the packet length probability at base 2. The rate of change of entropy is defined as the difference in entropy between two adjacent time windows divided by the entropy of the previous time window. Packets with an entropy rate of change greater than a preset entropy threshold are marked as high-dynamic regions. The preset entropy threshold is determined based on the baseline characteristics of normal traffic in the backbone network; for example, the entropy rate of change threshold is set to 0.15. When the proportion of high dynamic region flag bits in data packets within a certain time window exceeds a preset threshold (e.g., 50%), the data packet subsequence corresponding to that time window is marked as a high dynamic subflow. After traversing all hash buckets, a final set of classified data subflows is obtained. Each data subflow contains its own hash bucket identifier, time window identifier, high dynamic region flag bit sequence, and corresponding original data packet list.
[0037] In step S2, a neural network combined with the K-Means clustering algorithm is used to group the traffic features within the classified data sub-streams. The input layer of the neural network receives the traffic statistics features of each data sub-stream. The feature dimensions are determined based on the principal component analysis results, including multiple principal component features such as packet length distribution features, arrival time interval features, protocol proportion features, and port distribution features. The packet length distribution features are obtained by statistically analyzing the byte distribution of data packets within the data sub-stream, including minimum packet length, maximum packet length, average packet length, packet length standard deviation, and quantile features (e.g., 25th percentile, 50th percentile, 75th percentile). The arrival time interval features are obtained by calculating the difference between the arrival timestamps of adjacent data packets, including average arrival interval, arrival interval standard deviation, maximum arrival interval, and burst arrival count (defined as the number of consecutive arrival intervals less than a preset short interval threshold). The protocol proportion features are obtained by statistically analyzing the proportion of data packets of different protocol types within the data sub-stream, including TCP protocol proportion, UDP protocol proportion, and other protocol proportions. The port distribution characteristics are obtained by statistically analyzing the dispersion of source and destination ports within a sub-stream, including port number entropy, the number of active ports, and high-risk port usage indicators (marked when a port number falls within a predefined range of high-risk ports). These multi-dimensional feature vectors are then input into a neural network after Z-score standardization.
[0038] The neural network uses a fully connected network with a preset number of hidden layers and a preset number of neurons in each layer. For example, a three-layer fully connected structure can be used with 64, 32, and 16 neurons respectively. The activation function is a Rectified Linear Activation Function (ReLU), which is mathematically expressed as the activation value equal to the maximum of the input value and zero, i.e., ReLU equals max0 input. The output of the first fully connected layer is activated by ReLU and then input into the second layer. The output of the second layer is activated by ReLU and then input into the third layer. The output of the third layer serves as the feature vector of the neural network, and its dimension matches the input feature dimension of the K-Means clustering algorithm. When concatenating the output features of the neural network with the input features of the K-Means clustering algorithm, a feature concatenation strategy is used. The output feature vector of the neural network is concatenated with the original input feature vector along the same feature dimension. The dimension of the concatenated feature vector is the sum of the original feature dimension and the network output feature dimension. The concatenated feature vector is then used as input to the K-Means clustering algorithm for cluster analysis. The number of cluster centers is set to a preset number, for example, 5 cluster centers based on the data distribution density. The K-Means algorithm is initialized using the K-Means plus plus plus method to improve clustering quality.
[0039] After clustering analysis, the presence of abnormal patterns is determined by calculating the distance to the cluster centers of each data sub-stream. Specifically, the Euclidean distance from the feature vector of each data sub-stream to the center of its cluster is calculated. When this distance exceeds a preset distance threshold, the data sub-stream is marked as an abnormal pattern. The proportion of abnormal patterns in all data sub-streams is counted. When the proportion of abnormal patterns exceeds a preset proportion threshold (e.g., 30%), the corresponding data sub-stream is marked as a high-risk sub-stream. The core feature set of the high-risk sub-stream contains multi-dimensional feature vectors extracted from the output of the intermediate layer of the neural network, specifically the activation output of the second fully connected layer. The dimension of the core feature set is the same as the number of neurons in the second layer. The extracted feature vectors are stored in the attribute fields of the high-risk sub-stream for use in subsequent steps.
[0040] In step S3, a dynamic resource scheduling framework is used to acquire computing resources matching the microsecond-level time window based on the core feature set. This framework immediately triggers the resource allocation process upon detecting a high-risk sub-stream, pre-allocating graphics processing unit (GPU) stream multiprocessor resources based on the data volume and computational complexity of the core feature set. The number of pre-allocated stream multiprocessors is no less than a preset multiple; for example, when the core feature set has a dimension of 32, the number of pre-allocated stream multiprocessors is 8 (twice the feature dimension). The allocation strategy is based on a computational load prediction model. The model inputs are the dimension of the core feature set, the number of data packets to be processed, and the parallelism parameters required for accelerated computation; the output is the recommended number of stream multiprocessors. Dedicated registers are used to temporarily store intermediate results during accelerated computation, and their number is determined based on the number of pipeline stages in the accelerated computation. A shared memory buffer is used to store core feature set data, input and output data for accelerated computation, and temporary data transferred between pipeline stages. The buffer size is set to accommodate the data volume of at least two complete data sub-stream processing batches.
[0041] When performing accelerated computation on speed-related attributes in the core feature set, these attributes include packet transmission rate, burst traffic peak, and timing fluctuation coefficient. The packet transmission rate is calculated by dividing the number of packets within a time window by the window width, measured in packets per second. The burst traffic peak is obtained by maintaining a sliding time window (e.g., a 1-millisecond window) and counting the maximum number of packets arriving within that window. The timing fluctuation coefficient is obtained by calculating the ratio of the standard deviation to the average of the packet arrival time intervals, used to quantify the uniformity of traffic arrival. A parallel pipelined computation architecture is used for these attributes, transforming the serial computation path into a multi-stage parallel pipeline. The pipeline consists of four stages: the first stage is the data loading stage, responsible for reading core feature set data from the shared memory buffer and distributing it to each stream multiprocessor; the second stage is the transmission rate calculation stage, where each stream multiprocessor calculates the transmission rate in parallel within different time windows; the third stage is the burst peak detection stage, where each stream multiprocessor detects burst traffic peaks in parallel within the sliding window; and the fourth stage is the fluctuation coefficient calculation and result aggregation stage, aggregating the calculation results of each processor to obtain the final timing fluctuation coefficient. The processing latency of each pipeline stage is controlled within a preset single-stage latency threshold, for example, a single-stage latency threshold set to 0.5 microseconds, and the total pipeline latency does not exceed a preset total latency threshold, for example, 2 microseconds. Zero-copy data transfer technology is used to reduce memory access overhead. Zero-copy technology is implemented through the graphics processing unit's direct memory access channel, avoiding redundant data copying between system memory and graphics processing unit device memory. Optimized feature extraction results that meet real-time protection requirements are obtained, and the end-to-end processing latency of this result does not exceed a preset end-to-end latency threshold, for example, no more than 3 microseconds.
[0042] In step S4, when generating a preliminary encryption strategy draft based on the optimized feature extraction results, the multi-dimensional feature vectors from the feature extraction results are input into the strategy generation network. The strategy generation network is a two-layer fully connected neural network. The number of neurons in the first fully connected layer is twice the dimension of the feature vector; for example, when the feature vector dimension is 32, the number of neurons in the first layer is 64, and the ReLU activation function is used. The number of neurons in the second fully connected layer is determined by the product of the number of encryption strength levels and the key update frequency level. For example, if the encryption strength levels are divided into 4 levels (low strength, low-medium strength, medium-high strength, high strength) and the key update frequency is divided into 3 levels (slow update every 10 seconds, medium update every 5 seconds, fast update every 1 second), then the number of neurons in the second layer is set to 12. Each neuron in the output layer corresponds to a combination of encryption strength level and key update frequency, generating a total of 12 candidate encryption strategy drafts. Each draft includes encryption strength level parameters and key update frequency parameters. The 12 drafts output by the policy generation network are sorted according to the policy scoring function. The scoring function takes into account the risk level, transmission rate and temporal fluctuation coefficient in the feature extraction results, and outputs the top-scoring candidate drafts as the initial encryption policy drafts.
[0043] When extracting synchronous execution elements from the initial draft encryption strategy, these elements include the encryption initiation time, key distribution path, and encryption algorithm switching trigger condition. The encryption initiation time is determined based on the encryption strength level in the draft strategy; high-strength encryption corresponds to immediate initiation, while medium- and low-strength encryption corresponds to initiation at the next time window boundary. The key distribution path is determined based on the backbone network topology and node distribution, including both centralized and distributed distribution paths. The encryption algorithm switching trigger condition is defined as an encryption parameter adjustment event triggered when a significant change in the data stream's traffic characteristics is detected (e.g., a change in transmission rate exceeding a preset rate change threshold). When using a neural network-assisted decision tree to perform branch analysis on the synchronous execution elements, the decision tree depth is set to a preset number of layers, such as 6, with a preset number of leaf nodes, such as 32. Each leaf node is associated with a neural network predictor to evaluate the risk value of branch selection. The neural network predictor is a single-layer fully connected network; its input is the historical risk value sequence of branch selection, and its output is the predicted risk value of the current branch selection. For dynamically changing branches in the analysis results—those with risk value fluctuations exceeding a preset fluctuation threshold (e.g., 0.2)—the longest path first strategy is used to determine the final encryption method. The longest path first (LSB) strategy follows this rule: when multiple branches satisfy the fluctuation threshold condition, the branch with the longest path length from the root node to the leaf node is selected as the final encryption execution path. This is because longer paths typically correspond to more detailed strategy classifications and can provide more accurate encryption parameters. The resulting adjusted encryption strategy includes the target encryption strength level, target key update frequency, encryption start time, key distribution path, and encryption algorithm switching trigger conditions.
[0044] In step S5, when encrypting the high-risk substream according to the adjusted encryption strategy, the national cryptographic algorithm SM4 is used as the core implementation of the symmetric encryption algorithm. SM4 is a block cipher algorithm with a block length of 128 bits and a key length of 128 bits, employing a 32-round nonlinear iterative structure. The encryption key length is set to a preset key length of 128 bits, and the key update cycle is dynamically adjusted according to the update frequency determined in step S4, within a preset period range, for example, 1 to 10 seconds. The initial encryption strength level corresponds to a preset initial update cycle, for example, updating once every 5 seconds. The encryption operation execution flow is as follows: First, the currently valid encryption key is read from the key storage unit and loaded into the key scheduling module of the SM4 algorithm; then, data blocks are read sequentially from the data packet sequence of the high-risk substream, each data block being 128 bits long; next, the data blocks are input into the encryption core module of the SM4 algorithm for 32 rounds of iterative encryption operations, each round including S-box substitution, linear transformation, and round key addition; finally, the encrypted ciphertext blocks are output and sequentially concatenated into the encrypted data packet. When monitoring the latency of encryption operations, a timestamp collection point is set at the exit of the encryption pipeline. This timestamp collection point is located after the SM4 algorithm output register and before the ciphertext block concatenation module. The complete time taken from input to output of the encryption operation is collected as the latency. Specifically, the system timestamp when the data block enters the SM4 encryption core module and the system timestamp when the ciphertext block exits the encryption core module are recorded; the difference between the two is the encryption latency of that data block. Latency samples are collected at preset sampling intervals, for example, once every 100 data blocks processed. The collected latency samples are stored in a latency statistics buffer.
[0045] In step S6, when determining whether the latency of the encryption operation is within a preset range in microseconds, the preset range is from a preset lower limit to a preset upper limit, for example, the lower limit is set to 1 microsecond and the upper limit is set to 5 microseconds. If the latency is within this range, the encrypted data packet is re-encapsulated by the traffic shaping module and output as an encrypted target data stream. The encapsulation process of the traffic shaping module is as follows: an encryption identifier field (used by the receiver to identify that the data packet is encrypted) and a sequence number field (used by the receiver to reorder the data packet) are added to the header of the encrypted data packet. Then, the Ethernet frame header and IP header are updated according to the original destination address of the data packet. Finally, the encapsulated data packet is pushed to the next-hop device of the backbone network through the sending queue. If the latency exceeds this range, an exception handling process is triggered. The exception handling process includes a multi-level degradation strategy, and the execution order of the degradation strategy is activated in ascending order of its impact on latency. The first-level degradation strategy reduces the encryption strength by decreasing the number of rounds in the SM4 algorithm from 32 to 24 or 16, thereby reducing the computational load of encryption operations. The second-level degradation strategy reduces the key update frequency by doubling or tripling the key update cycle, thus reducing the frequency of key scheduling operations. The third-level degradation strategy enables hardware acceleration bypass, switching the encryption operation from software implementation to a dedicated hardware encryption engine, improving throughput by processing multiple data blocks in parallel. The effectiveness of each degradation strategy is evaluated in real-time by a latency monitoring module. If the latency still exceeds the upper limit after implementing the current degradation strategy, the next level of degradation strategy is automatically activated.
[0046] In step S7, when collecting transmission feedback information of the target data stream, a feedback collection agent is deployed at the receiving end. The feedback collection agent runs on the egress node of the backbone network and is responsible for collecting transmission quality indicators of the target data stream. These indicators include packet loss rate, bit error rate, and end-to-end round-trip time. The packet loss rate is calculated by dividing the number of packets received by the receiving end by the total number of packets sent by the sending end, and then multiplying by 100%. The bit error rate is obtained by the receiving end performing integrity verification on each packet using the CRC32 algorithm. The end-to-end round-trip time is measured by deploying time synchronization modules at both the sending and receiving ends to measure the round-trip time from transmission to acknowledgment of reception. The collection period is set to a preset period, such as 1 second, and the collection window size is set to a preset window size, such as 1000 packets, meaning that the transmission quality indicators of the most recent 1000 packets are collected within each 1-second time window. When verifying the degree of security risk reduction after encryption using transmission feedback information, the degree of security risk reduction is obtained by calculating the attack surface reduction ratio before and after encryption. Attack surface indicators include the number of exposed ports, the percentage of abnormal traffic, and the number of unencrypted data fragments. The statistics include: the number of exposed ports (the total number of ports exposed to potential attackers during the high-risk sub-stream identification phase); the percentage of abnormal traffic (the proportion of traffic in abnormal patterns within the data stream before and after encryption); and the number of unencrypted data fragments (the number of data blocks that remain unencrypted after the encryption operation). The degree of security risk reduction is equal to the sum of the weighted attack surface metrics after encryption and the weighted attack surface metrics before encryption. When the remaining risk (i.e., the residual attack surface metric value in the verification result) is lower than a preset risk threshold, a closed-loop confirmation signal is triggered, completing the closed-loop execution of the dynamic data stream self-optimization encryption. The encryption execution parameters are then written to the policy cache for future reference. The policy cache uses a key-value pair storage structure, where the key is the hash bucket identifier of the high-risk sub-stream, and the value is the encryption strength level used in this execution, the key update frequency, encryption latency statistics, and attack surface metric records.
[0047] This embodiment also includes a closed-loop feedback learning mechanism, storing the encryption parameters, latency data, and risk assessment results collected during each closed-loop execution into a time-series database. The time-series database has a storage precision of milliseconds, and each record contains a timestamp field (precision in milliseconds), a high-risk substream identifier field, a set of encryption parameter fields, a set of latency data fields, and a set of risk assessment fields. The storage space occupied by a single record does not exceed a preset storage size, such as 512 bytes, to control the storage growth rate of the database. Based on historical data in the time-series database, a policy evolution model is constructed using a Long Short-Term Memory (LSTM) recurrent neural network. The LSM structure includes three gating units: an input gate, a forget gate, and an output gate, as well as a cell state unit. The input to the policy evolution model is a feature sequence of a preset number of historical records, such as the feature sequence of the most recent 50 historical records. The feature vector of each record includes dimensions such as encryption strength level, key update frequency, average encryption latency, latency standard deviation, attack surface index, and transmission quality index. The output of the model is the recommended encryption parameters for the next cycle, including the recommended encryption strength level and the recommended key update frequency. The prediction lead time for the recommended parameters is no less than the preset number of periods, such as 3 periods. That is, the model predicts the recommended parameters 3 periods later after the current period is completed, providing a reference for the pre-configuration of the system's strategy.
[0048] This embodiment also includes a multi-level encryption coordination module, deploying independent encryption execution units at the entry node, core forwarding node, and exit node of the backbone network. Encryption strategies are synchronized between nodes via an out-of-band management channel. This out-of-band management channel uses an independent control plane network, physically isolated from the data plane transmission path, ensuring that the encryption strategy synchronization process does not affect the normal transmission of data streams. The policy synchronization delay between nodes does not exceed a preset synchronization delay threshold, such as 10 microseconds. The entry node is responsible for initial classification and high-risk sub-stream identification, specifically executing the data acquisition, separation, entropy calculation, and abnormal pattern detection operations described in steps S1 and S2. The core forwarding node is responsible for accelerated computation and policy determination, specifically executing the dynamic resource scheduling, parallel accelerated computation, and neural network-assisted decision tree policy analysis operations described in steps S3 and S4. The exit node is responsible for encryption execution and feedback collection, specifically executing the SM4 encryption operation, latency monitoring, traffic shaping, feedback collection, and risk verification operations described in steps S5, S6, and S7. In the three-node collaborative working mode, the overall processing throughput is no less than the preset throughput threshold, such as 1 million data packets per second, to meet the performance requirements of large-scale data transmission scenarios in backbone networks.
[0049] The encryption method of the present invention will be described in detail below through a specific application example.
[0050] Suppose that the high-speed dynamic data stream transmitted in the backbone network contains mixed traffic of various service types, with a total bandwidth of 10Gbps and an average packet size of 512 bytes. A data capture module deployed at the ingress node captures this data stream in real time using port mirroring, with a buffer queue depth of 8192 slots and a sampling period of 5 milliseconds. The captured data stream is bucketed according to a 5-tuple hash, with 256 buckets. During the entropy calculation phase, the information entropy of the packet sequence within each bucket is calculated with a time window width of 50 microseconds. When the proportion of high-dynamic region identifier bits in the packets within a certain time window exceeds 50%, the data stream is marked as a potentially high-risk sub-stream. Assume that within a certain detection period, 32 buckets out of the 256 hash buckets are marked as potentially high-risk sub-streams. At the core forwarding node, the core feature set of these 32 high-risk sub-streams is input into a neural network for cluster analysis. The input features of the neural network include packet length distribution features (8 dimensions), arrival time interval features (6 dimensions), protocol proportion features (3 dimensions), and port distribution features (4 dimensions), totaling 21 principal component features. The hidden layers employ a three-layer fully connected structure with 64, 32, and 16 neurons respectively. The number of K-Means cluster centers is set to 5. By calculating the distance from each high-risk subflow to its cluster center, 12 high-risk subflows were found to have distances exceeding a preset distance threshold and were thus identified as anomalous patterns. The anomalous pattern ratio was 12 divided by 32, or 37.5%, exceeding the preset ratio threshold of 30%. Therefore, these 12 high-risk subflows were confirmed as the final high-risk subflows, and their core feature sets were extracted and entered into the accelerated computation stage. In the accelerated computation stage, the dynamic resource scheduling framework pre-allocates 8 graphics processing unit stream multiprocessor resources based on the data volume and computational complexity of the core feature sets. The parallel pipelined computing architecture's four-stage pipeline processes the speed-related attributes of the 12 high-risk subflows in a pipelined manner. The processing latency for the first-level data loading stage is 0.3 microseconds, the second-level transmission rate calculation stage is 0.4 microseconds, the third-level burst peak detection stage is 0.4 microseconds, and the fourth-level fluctuation coefficient calculation and result summarization stage is 0.3 microseconds, resulting in a total pipeline latency of 1.4 microseconds, all within the preset total latency threshold of 2 microseconds. Zero-copy data transmission technology avoids redundant data copying between system memory and graphics processing unit device memory, achieving an end-to-end processing latency of 2.7 microseconds, meeting the preset end-to-end latency threshold of 3 microseconds. In the policy generation stage, the policy generation network outputs 12 candidate encryption policy drafts based on the optimized feature extraction results. The draft with the highest score is selected after sorting according to the policy scoring function. This draft specifies a medium-high encryption strength level (corresponding to 32 rounds of encryption in the SM4 algorithm) and a medium-speed key update frequency (updated every 5 seconds).After analyzing the synchronous execution factors using a neural network-assisted decision tree, the encryption start time was determined to be immediate, the key distribution path to be centralized, and the encryption algorithm switching trigger condition to be a transmission rate change exceeding 30%. The longest path first strategy selected the encryption parameter combination corresponding to the leaf nodes at a depth of 6 from the decision tree, resulting in the adjusted encryption strategy. During the encryption execution phase, the SM4 encryption module at the exit node encrypts these 12 high-risk substreams according to the adjusted encryption strategy. The encryption key length is 128 bits, and the initial key update cycle is 5 seconds. Delay samples are continuously collected at the timestamp collection point at the encryption pipeline exit. Assuming that 100 delay samples are collected within a certain monitoring window, 95 samples have delays within the preset microsecond range of 1 to 5 microseconds, 5 samples exceed the upper limit of 5 microseconds, and the highest delay reaches 6.2 microseconds. The system judges the average delay to be 2.8 microseconds, which is within an acceptable range. Therefore, the encrypted data packets are re-encapsulated by the traffic shaping module and output as the encrypted target data stream. During the feedback verification phase, the receiving end's feedback acquisition agent collected transmission quality indicators for 10,000 data packets within a 1-second acquisition cycle. The packet loss rate was 0.05%, the transmission error rate was 0.01%, and the end-to-end round-trip latency was an average of 800 microseconds. The attack surface reduction ratio was calculated to achieve a 72% reduction in security risk. The number of exposed ports decreased from 15 to 4, the percentage of abnormal traffic decreased from 28% to 8%, and the number of unencrypted data fragments decreased from 120 to zero. All remaining risk values were below the preset risk threshold, triggering a closed-loop confirmation signal and completing the closed-loop execution of this dynamic data stream self-optimization encryption. The encryption parameters, latency data, and risk assessment results of this execution were written to the policy cache, and the time-series database recorded detailed parameters for this execution cycle, which were then used by the Long Short-Term Memory Recurrent Neural Network for subsequent policy evolution analysis.
[0051] Example 2 expands the encryption system into a distributed architecture with multiple regions working together, based on Example 1.
[0052] Each region deploys independent entry nodes, core forwarding nodes, and exit nodes, forming a regional encryption cluster. Encryption policy synchronization between different regions is achieved through an out-of-band management channel on the wide area network (WAN), using a gRPC-based remote procedure call mechanism. In a WAN environment, the policy synchronization latency between nodes can reach millisecond levels; therefore, each regional encryption cluster employs a layered synchronization strategy. The first layer is intra-regional synchronization, with a synchronization latency target of no more than 10 microseconds, synchronizing emergency risk alarms and immediate policy updates. The second layer is inter-regional synchronization, with a synchronization latency target of no more than 100 milliseconds, synchronizing periodic policy summaries and historical data backups.
[0053] In the distributed architecture, the identification of high-risk sub-flows employs a two-level judgment mechanism. The first level is the initial identification of the entry node, which performs rapid entropy calculation and preliminary screening of abnormal patterns based on local data flow characteristics. The second level is the deep identification of the core forwarding nodes, which aggregates the core feature sets of the candidate high-risk sub-flows identified in the first level to the regional coordination node for cross-sub-flow correlation analysis and global risk assessment. The neural network of the regional coordination node adopts a graph attention network structure, treating each high-risk sub-flow as a graph node and the traffic correlation between sub-flows as graph edge weights, and calculating the global risk score of each sub-flow through an attention mechanism.
[0054] The encryption policy is implemented using a hierarchical authorization model within a distributed architecture. The regional coordination node is responsible for generating a global encryption policy framework, including a unified range of encryption strength levels and key update frequencies. Each regional egress node adapts encryption parameters locally based on its region's actual load and device capabilities within this global policy framework. When an abnormal latency is detected in a region, its egress node first executes its local degradation policy and reports the degradation event to the regional coordination node. The regional coordination node then determines whether to trigger cross-regional load balancing based on the global load distribution, rerouting some high-risk sub-streams to less loaded regions for processing.
[0055] The closed-loop feedback learning mechanism is extended to a federated learning model under a distributed architecture. Each region's encrypted cluster independently stores its execution records in its time-series database. Regional coordination nodes periodically collect parameter gradients from each region's policy evolution model, rather than the raw data, and aggregate the gradient information from each region using a federated averaging algorithm to update the global policy evolution model. This design ensures both local data privacy for each region and collaborative optimization of the global policy. The prediction lead time for recommended parameters in each region's policy evolution model is no less than 5 periods, and the prediction lead time for the global policy evolution model is no less than 10 periods, providing a reference for the medium- and long-term planning of the distributed system.
[0056] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, and are not intended to limit the scope of protection of the present invention. Although the present invention has been described in detail with reference to preferred embodiments, those skilled in the art should understand that modifications or equivalent substitutions can be made to the technical solutions of the present invention without departing from the essence and scope of the technical solutions of the present invention.
Claims
1. A dynamic data stream self-optimizing encryption method based on neural networks, characterized in that: Includes the following steps: S1. Obtain high-speed dynamic data stream from the backbone network, separate the high-speed dynamic data stream to obtain an initial data packet sequence, perform preliminary classification on the dynamic change part in the initial data packet sequence, and obtain classified data sub-streams; S2. The traffic features within the classified data sub-streams are grouped using a neural network combined with the K-Means clustering algorithm. The grouping results are then used to determine if there are any abnormal patterns. When the proportion of abnormal patterns exceeds a preset threshold, the corresponding data sub-streams are marked as high-risk sub-streams, and the core feature set of the high-risk sub-streams is determined. S3. Obtain computing resources that match the microsecond-level time window based on the core feature set, perform accelerated calculations on the speed-related attributes in the core feature set, and obtain optimized feature extraction results that meet the real-time protection requirements. S4. Based on the optimized feature extraction results, a preliminary encryption strategy draft is generated. Synchronous execution elements are extracted from the preliminary encryption strategy draft. A neural network-assisted decision tree is used to perform branch analysis on the synchronous execution elements. The final encryption method is determined for the dynamically changing branches in the analysis results, and the adjusted encryption strategy is obtained. S5. Implement encryption operations on high-risk substreams according to the adjusted encryption strategy and monitor the delay time of the encryption operations; S6. Determine whether the delay time of the encryption operation is within the preset range of microseconds. If it is within the preset range of microseconds, output the encrypted target data stream. S7. Collect transmission feedback information of the target data stream, verify the degree of reduction in security risk after encryption through transmission feedback information, determine whether the remaining risk in the verification result is lower than the preset threshold, and complete the closed-loop execution of dynamic data stream self-optimization encryption when the remaining risk is lower than the preset threshold.
2. The dynamic data stream self-optimization encryption method based on neural networks according to claim 1, characterized in that: In step S1, when acquiring high-speed dynamic data streams from the backbone network, port mirroring technology or a splitter device is used to capture the data streams in real time. The buffer queue of the data capture module adopts a circular overwrite writing mechanism. When separating the high-speed dynamic data streams, deep parsing is performed based on the protocol field in the packet header to identify TCP, UDP and custom protocols. The packets are then hashed and bucketed according to the source address and destination address to obtain a structured initial packet sequence.
3. The dynamic data stream self-optimization encryption method based on neural networks according to claim 1, characterized in that: When performing preliminary classification of the dynamic changes in the initial data packet sequence, a dynamic detection algorithm based on entropy calculation is used to quantify the information entropy change rate of each data packet sequence. Packets with an entropy change rate greater than a preset entropy threshold are marked as high dynamic regions, and preliminary classification is completed accordingly.
4. The dynamic data stream self-optimization encryption method based on neural networks according to claim 1, characterized in that: In step S2, the input layer of the neural network receives the traffic statistics features of each data sub-stream, including packet length distribution features, arrival time interval features, protocol proportion features, and port distribution features; the hidden layer is set up with a multi-layer fully connected network, and the activation function is a linear rectified function; the output features of the neural network are concatenated with the input features of the K-Means clustering algorithm and then clustered for analysis.
5. The dynamic data stream self-optimization encryption method based on neural networks according to claim 4, characterized in that: The presence of abnormal patterns is determined by calculating the cluster center distance of the cluster to which each data sub-stream belongs. When the proportion of abnormal patterns exceeds a preset proportion threshold, the corresponding data sub-stream is marked as a high-risk sub-stream. The core feature set contains multi-dimensional feature vectors, which are extracted from the output of the intermediate layer of the neural network.
6. The dynamic data stream self-optimization encryption method based on neural networks according to claim 1, characterized in that: In step S3, a dynamic resource scheduling framework is used to pre-allocate graphics processing unit stream multiprocessor resources based on the data volume and computational complexity of the core feature set, and to set up dedicated registers and shared memory buffers. For speed-related attributes, a parallel pipeline computing architecture is adopted to convert the serial computing path into a multi-level parallel pipeline, and to reduce memory access overhead by combining zero-copy data transfer technology.
7. The dynamic data stream self-optimization encryption method based on neural networks according to claim 1, characterized in that: In step S4, the policy generation network is a two-layer fully connected neural network, and the output layer contains multiple neurons corresponding to combinations of various encryption strength levels and multiple key update frequencies; the synchronous execution elements include encryption start time, key distribution path and encryption algorithm switching trigger conditions; each leaf node of the decision tree is associated with a neural network predictor to evaluate the risk value of branch selection.
8. The dynamic data stream self-optimization encryption method based on neural networks according to claim 1, characterized in that: In step S5, the national cryptographic algorithm SM4 is used as the core implementation of the symmetric encryption algorithm. The block length of the SM4 algorithm is 128 bits, and the key length is 128 bits. The key update cycle is dynamically adjusted according to the update frequency determined in step S4. A timestamp collection point is set at the exit of the encryption pipeline to collect the complete time taken from input to output of the encryption operation as the delay time.
9. The dynamic data stream self-optimization encryption method based on neural networks according to claim 1, characterized in that: In step S6, if the delay exceeds the preset range of microseconds, an exception handling process is triggered. The exception handling process includes a multi-level degradation strategy. The degradation strategy is executed in order of increasing impact on the delay, including reducing the encryption strength level, reducing the key update frequency, and enabling hardware acceleration bypass.
10. A dynamic data stream self-optimization encryption method based on neural networks according to claim 1, characterized in that: It also includes a closed-loop feedback learning mechanism, which stores the encryption parameters, latency data and risk assessment results collected in each closed-loop execution into a time-series database. Based on the historical data in the time-series database, a long short-term memory recurrent neural network is used to build a policy evolution model. The output of the policy evolution model is the recommended encryption parameters for the next cycle. It also includes a multi-level encryption collaboration module, which deploys independent encryption execution units at the entry nodes, core forwarding nodes and exit nodes of the backbone network. The encryption policies are synchronized between the nodes through an out-of-band management channel.