AI large model driven sd-wan zero trust network unknown threat accurate detection system

The AI-driven SD-WAN zero-trust network unknown threat precision detection system solves the problem of difficulty in identifying and blocking unknown threats in real time in existing technologies. It achieves precise detection and real-time blocking without decryption, ensuring the efficiency and security of encrypted transmission.

CN122372292APending Publication Date: 2026-07-10BEIJING XINDA WANGAN INFORMATION TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
BEIJING XINDA WANGAN INFORMATION TECH CO LTD
Filing Date
2026-04-23
Publication Date
2026-07-10

AI Technical Summary

Technical Problem

Existing network security solutions that integrate SD-WAN and zero trust struggle to identify hidden malicious behavior without decryption when facing unknown threats within encrypted tunnels. Furthermore, the computational resources required for large-scale semantic analysis conflict with the line-speed encryption and decryption performance of edge gateways, making it impossible to balance encrypted transmission efficiency with accurate identification and real-time blocking of unknown threats.

Method used

The AI-driven SD-WAN zero-trust network unknown threat precision detection system captures encrypted tunnel features and performs standardized transformation through the data acquisition and processing module. Combined with the semantic threat analysis module, it uses a pre-trained Transformer large model for encoding inference, integrates normal behavior baselines and external intelligence, and uses the trust policy adjudication module to generate dynamic trust credentials to achieve real-time and accurate judgment of encrypted sessions. The encrypted tunnel control module implements route redirection and data anonymization, and the closed-loop evolution module performs local pre-blocking adjudication of the lightweight model.

Benefits of technology

While ensuring the efficiency of encrypted transmission, it achieves accurate identification and real-time blocking of unknown threats within the encrypted tunnel, providing efficient detection and blocking protection.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122372292A_ABST
    Figure CN122372292A_ABST
Patent Text Reader

Abstract

This invention relates to the field of network security technology and discloses an AI-driven large-scale model-based system for accurately detecting unknown threats in SD-WAN zero-trust networks. The system employs a data acquisition and processing module to capture encrypted tunnel packet sequence characteristics and arrival interval timelines, and associates them with identity token hashes. A semantic threat analysis module runs a Transformer large-scale model to perform encoding inference and baseline comparison to determine session threat confidence. An unknown feature solidification module stores abnormal pattern fingerprints to support variant attack retrieval. A trust policy adjudication module generates dynamic trust credentials based on exponential decay and compiles permission revocation instructions. An encrypted tunnel control module uses a quantum key protection strategy to distribute channel traffic and redirect high-risk traffic to an isolated domain. A closed-loop evolution and maintenance module combines edge inference and model fine-tuning for continuous optimization. This system accurately identifies hidden threats without decryption, providing efficient detection and real-time blocking protection for IoT security.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of network security technology, and in particular to an AI-driven SD-WAN zero-trust network unknown threat accuracy detection system. Background Technology

[0002] With the deepening of enterprise digital transformation, SD-WAN (Software Defined Wide Area Network) technology has been widely adopted due to its ability to flexibly integrate multi-link resources, reduce WAN networking costs, and improve business deployment agility. Meanwhile, Zero Trust Architecture, as a security paradigm of "never trust, always verify," emphasizes continuous dynamic authorization and the principle of least privilege for network access behavior, and has become a core guiding principle for modern enterprise network security system construction. In SD-WAN networks, to ensure data transmission security, IPsec (Internet Protocol Security) encrypted tunneling technology is typically used to encapsulate and protect cross-WAN traffic.

[0003] The aforementioned and existing related technologies have the following drawbacks: Existing network security solutions based on SD-WAN and zero-trust architecture have technical shortcomings when facing unknown threats transmitted within encrypted tunnels. These shortcomings include reliance on plaintext payload parsing for detection methods, making it difficult to effectively identify hidden malicious behavior without decryption. Furthermore, there is a resource contention between the computing resources required for large-scale semantic analysis and the line-speed encryption and decryption performance of the edge gateway, making it impossible to accurately determine and block unknown threats in real time while ensuring the efficiency of encrypted transmission. Summary of the Invention

[0004] The technical problem this invention aims to solve is that existing network security solutions that integrate SD-WAN and zero trust suffer from drawbacks. These solutions rely on plaintext payload parsing for the detection of unknown threats within encrypted tunnels, making it difficult to identify concealed malicious behavior without decryption. Furthermore, the computational resource requirements of large-scale model semantic analysis conflict with the line-speed encryption and decryption performance of edge gateways. Consequently, these solutions cannot simultaneously achieve both encrypted transmission efficiency and accurate identification and real-time blocking of unknown threats. To address this, we propose an AI-driven large-scale model-based system for the accurate detection of unknown threats in SD-WAN zero-trust networks.

[0005] To achieve the above objectives, this application adopts the following technical solution: an AI-driven large-scale model-based system for accurate detection of unknown threats in SD-WAN zero-trust networks, comprising: a data acquisition and processing module: used to capture packet header sequence features and arrival interval time-series vectors at the SD-WAN encrypted tunnel ingress, and simultaneously associate them with zero-trust identity token hash values, generating an encrypted behavior observation data chain while performing standardized dimensionless transformation on the original features; a semantic threat analysis module: used to run a pre-trained Transformer large-scale model to perform semantic encoding inference on the encrypted behavior data chain, fusing normal behavior baseline references and external intelligence vectors to determine the threat confidence level of the current encrypted session deviating from the normal manifold; and an unknown feature solidification module: used to store the abnormal encryption patterns confirmed by the semantic threat analysis module. The system employs a fingerprint and corresponding high-dimensional semantic vector representation to support rapid retrieval and recall of subsequent variant covert attacks using near-nearest neighbor methods. A trust policy adjudication module generates dynamic trust quantification credentials by invoking a zero-trust exponential decay function based on threat confidence scores. After formal conflict verification passes, it compiles access control revocation statements with key signatures. A cryptographic tunnel control module distributes channels using quantum random key protection strategies and redirects high-risk encrypted sessions to isolated security domains. It also strips user-identified metadata before in-depth analysis. A closed-loop evolution and maintenance module deploys lightweight models at edge nodes to implement local pre-blocking adjudication, uses isolated domains to capture samples for incremental parameter fine-tuning of large models, and solidifies tamper-proof audit trails and overall threat posture.

[0006] Preferably, the data acquisition and processing module includes: an encrypted feature acquisition module, used to capture the IPsec encapsulated security payload header sequence number and packet length field on the SD-WAN gateway tunnel virtual interface, extract the packet arrival time interval change sequence, and calculate the encrypted payload information entropy value as the observation feature vector; an identity behavior association module, used to bind the user access token hash value and session identifier under the zero-trust architecture, and align multiple application data streams in the encrypted tunnel according to millisecond-level timestamps to generate a single subject's encrypted interaction behavior time-series trajectory; and a feature normalization preprocessing module, used to perform Z-score normalization calculation on each dimension of the output vector of the encrypted feature acquisition module to eliminate the interference of dimensional deviation caused by the difference in physical bandwidth of the WAN link and the end-to-end propagation delay jitter.

[0007] Preferably, the encryption feature acquisition module includes: a tunnel packet capture module: used to mount observation points on the driver layer of the SD-WAN gateway tunnel virtual interface and obtain the original byte sequence of the IPsec encapsulated security payload protocol header in a mirrored manner; a feature sequence extraction module: used to parse the sequence number field and the total length field of the encapsulated security payload header from the captured packets and calculate the time interval difference sequence between adjacent packets; and a payload entropy calculation module: used to perform sliding window information entropy calculation on the encrypted payload byte stream to quantify the degree of randomness in the distribution of encrypted data as a supplementary feature for observing encryption behavior.

[0008] Preferably, the identity behavior association module includes: a token hash binding module: used to extract the user access token forwarded by the zero-trust gateway to the edge node, process it with a secure hash algorithm, and establish a unique mapping relationship with the current encrypted tunnel session identifier; a multi-stream time sequence alignment module: used to perform microsecond-level timestamp alignment operations on several transmission control protocol data streams carried under the same session identifier based on the network time protocol synchronization benchmark; and a behavior trajectory generation module: used to splice the aligned interaction records of several application data streams into a continuous behavior state transition sequence of a single subject in the encrypted tunnel according to the chronological order of occurrence.

[0009] Preferably, the semantic threat analysis module includes: a security semantic large model module: used to run a Transformer encoder model pre-trained based on network security corpus, perform bidirectional self-attention encoding on normalized encrypted feature vectors and identity behavior trajectories, and output threat semantic confidence scores; a normal baseline self-learning module: used to train a variational autoencoder using encrypted traffic data during attack-free windows to construct a Gaussian mixture latent space distribution function representing the normal operating state of the network as a reference benchmark for deviation calculation; an external intelligence fusion module: used to access the structured threat intelligence expression data stream, and after vectorizing the malicious IP address ranges and encrypted certificate fingerprint lists therein, inject them into the embedding layer vocabulary parameters of the security semantic large model module; and a model inference acceleration module: used to call the unified computing device architecture acceleration library on the central control node equipped with parallel computing units to perform half-precision floating-point parallel optimization on the multi-head attention operation of the security semantic large model module.

[0010] Preferably, the trust policy adjudication module includes: a dynamic trust score calculation module, which receives the semantic confidence score and calls the preset zero trust index decay function to calculate the dynamic trust quantification evaluation value of the current session with a one-time timestamp certificate and a millisecond-level lifespan in real time; and a policy conflict detection module, which uses a formal verification method to check the syntactic consistency and permission transfer closure between the policy statement and the existing distributed zero trust security baseline before the newly generated access control policy is issued.

[0011] The real-time policy generation module is used to compile the evaluation values ​​output by the dynamic trust score calculation module into permission revocation statements that conform to the syntax structure of the Zero Trust Architecture Extended Access Control Markup Language, and to perform message authentication code signing with key hash.

[0012] Preferably, the encrypted tunnel control module includes: a quantum key injection module: used to call a quantum random number generator to generate truly random shared key material, and to implement a one-time pad write protection operation during the policy issuance control channel and traffic re-encryption tunnel establishment phase; an encrypted channel diversion module: used to immediately notify the SD-WAN route reflector of the border gateway protocol flow specification after identifying a high-risk encrypted session, and update the message to modify the WAN forwarding information database to achieve secure isolation and redirection of tunnel traffic; and a traffic desensitization and isolation module: used to strip plaintext metadata fields that can be associated with the user's personal identification in the network layer packets before the high-risk encrypted session enters the deep analysis node, and to replace and overwrite them with meaningless filler characters.

[0013] Preferably, the closed-loop evolution and maintenance module includes: an edge lightweight inference module: used to load a lightweight student model that has undergone knowledge distillation and compression on the SD-WAN edge gateway to perform local independent pre-filtering and blocking decisions on the burstiness of abnormal encrypted traffic when the central control link is interrupted; a model incremental evolution module: used to collect the control flow graph features of unknown threat binary code captured in the isolated area and verified false alarm sample data to perform weighted federated average incremental fine-tuning on the weight matrix of the large model encoder layer; an audit log solidification module: used to write the dynamic trust evaluation value change record and the encryption policy effective timestamp sequence into a tamper-proof read-only storage area built based on a Merkle tree hash chain; and a full-domain encryption situation module: used to aggregate threat events and keys reported by each SD-WAN edge node, negotiate change logs, and present a panoramic view of the distribution of hidden threats in the encrypted channels of the entire network in the form of heatmaps and attack vector lines.

[0014] Preferably, the security semantic large model module includes: a feature embedding and encoding module: used to map the normalized encrypted feature vector and the identity behavior trajectory sequence into high-dimensional dense embedding vectors respectively, and superimpose positional encoding information; a multi-head attention calculation module: used to perform separate self-attention operations on the embedding vectors to capture long-distance semantic dependencies between different time steps in the encrypted behavior sequence; and a confidence score output module: used to map the classification token vector output from the top layer of the Transformer encoder into a probability score indicating that the current encrypted session belongs to an unknown threat category through a fully connected feedforward network.

[0015] Preferably, the dynamic trust score calculation module includes: a score decay calculation module, used to receive the threat confidence score output by the security semantic big model module and substitute it into a preset negative exponential function to calculate the decay rate of the current session trust score; and a credential generation module, used to combine the decayed trust quantification value with the current system timestamp and a preset validity period offset to encode a one-time dynamic trust credential data structure.

[0016] The technical effects and advantages of this invention are as follows: In this invention, the data acquisition and processing module captures packet header sequence features and arrival interval time-series vectors at the SD-WAN encrypted tunnel inlet, and simultaneously associates them with zero-trust identity token hash values ​​to generate an encrypted behavior observation data chain. After standardization and transformation, this data is used by the semantic threat analysis module to run a pre-trained Transformer large model to perform semantic encoding inference. It integrates normal behavior baselines with external intelligence to determine the threat confidence level of encrypted sessions deviating from the normal manifold. This achieves effective identification of unknown threats within the encrypted tunnel without relying on plaintext payload parsing. The unknown feature solidification module stores abnormal encryption pattern fingerprints and high-dimensional semantic vector representations to support rapid recall of subsequent variant attacks. Trust strategy... The adjudication module generates dynamic trust credentials by calling the zero-trust exponential decay function based on the threat confidence score. After formal conflict verification, it compiles access control revocation statements with key signatures to ensure real-time and accurate blocking. The encrypted tunnel control module uses a quantum random key protection strategy to distribute channels and redirect high-risk sessions to isolated security domains. At the same time, it strips user personal identification metadata. The closed-loop evolution and maintenance module deploys lightweight models at edge nodes to implement local pre-blocking adjudication and uses isolated domain samples to incrementally fine-tune the large model, solidifying the audit trajectory and the overall threat situation. Thus, while ensuring the efficiency of encrypted transmission, it also takes into account the accurate judgment and real-time blocking capabilities of unknown threats, providing efficient detection and real-time blocking protection for IoT security. Attached Figure Description

[0017] The disclosure of this invention is illustrated with reference to the accompanying drawings. It should be understood that the drawings are for illustrative purposes only and are not intended to limit the scope of protection of this invention. In the drawings, the same reference numerals are used to refer to the same parts:

[0018] Figure 1 This is the overall architecture diagram of the AI-driven SD-WAN zero-trust network unknown threat accurate detection system of the present invention; Figure 2 This is a logic diagram of the AI-driven SD-WAN zero-trust network unknown threat accurate detection system of the present invention. Figure 3 This is an architecture diagram of the encrypted feature acquisition module of the AI-driven SD-WAN zero-trust network unknown threat accurate detection system of the present invention. Figure 4This is an architecture diagram of the identity behavior association module of the AI-driven SD-WAN zero-trust network unknown threat accurate detection system of the present invention. Detailed Implementation

[0019] It is readily understood that, based on the technical solution of this invention, those skilled in the art can propose various interchangeable structural methods and implementations without altering the essential spirit of the invention. Therefore, the following detailed embodiments and accompanying drawings are merely illustrative examples of the technical solution of this invention and should not be considered as the entirety of the invention or as limitations or restrictions on the technical solution of this invention.

[0020] Reference Figures 1-4 As shown, this invention provides a technical solution: an AI-driven SD-WAN zero-trust network unknown threat precision detection system, comprising six core modules: a data acquisition and processing module, a semantic threat analysis module, an unknown feature solidification module, a trust policy adjudication module, an encrypted tunnel control module, and a closed-loop evolution and maintenance module. In its specific deployment, the system adopts a distributed architecture deployed across multiple nodes in the SD-WAN network. The data acquisition and processing module is deployed at the tunnel virtual interface of the SD-WAN gateway, responsible for real-time capture and analysis of packet characteristics flowing through the encrypted tunnel. The semantic threat analysis module, unknown feature solidification module, and trust policy adjudication module are centrally deployed on a central control node with strong computing resources to support the inference operations of the large model. The encrypted tunnel control module is deployed on the SD-WAN route reflector and edge gateway to implement traffic redirection control. The closed-loop evolution and maintenance module adopts a cloud-edge collaborative deployment architecture, with the lightweight edge inference module distributed across each SD-WAN edge gateway, and the model incremental evolution module and the full-domain encrypted situation module deployed on the cloud control plane.

[0021] The modules interact with each other through a secure internal communication channel, using TLS 1.3 for encrypted transmission to prevent man-in-the-middle attacks. Message passing between modules follows a unified protocol format, including message type, payload, timestamp, and digital signature fields, ensuring message integrity and traceability.

[0022] The data acquisition and processing module includes an encrypted feature acquisition module, an identity and behavior association module, and a feature normalization preprocessing module. The specific implementation methods of each sub-module are described in detail below.

[0023] (I) Encryption Feature Acquisition Module

[0024] The encryption feature acquisition module is used to capture the header sequence features and packet arrival timing information of the IPsec Encapsulating Security Payload (ESP) on the SD-WAN gateway tunnel virtual interface. Specifically, it includes a tunnel packet capture module, a feature sequence extraction module, and a payload entropy calculation module.

[0025] The specific implementation of the tunnel packet capture module is as follows: An observation point is mounted at the tunnel virtual interface driver layer of the SD-WAN gateway, and the original byte sequence of the IPsec Encapsulated Security Payload (ESP) header flowing through this interface is obtained using mirroring. Specifically, the mounting can be implemented using eBPF (Extended Berkeley Packet Filter) technology, setting hook functions on the packet reception path of the Linux kernel network protocol stack. The hook functions intercept ESP packets flowing through the tunnel virtual interface, extract their header information, and copy it to a circular buffer in user space. To reduce the performance impact on normal business traffic, the capture process adopts an asynchronous mechanism, and the capture thread's priority is set to real-time priority to ensure no packet loss during packet processing.

[0026] The specific implementation of the feature sequence extraction module is as follows: The following key fields are parsed from the captured ESP packets: Security Association Identifier (SPI), Sequence Number, total length of the encapsulated security payload header, total length of the original IP packet, and length of the encapsulated ciphertext. After extraction, the arrival time difference sequence between adjacent packets is calculated. Specifically, let the arrival time of the i-th packet be T. i Then the arrival time interval ΔT between adjacent messages i =T i -T (i-1) This timing feature can effectively characterize the sending pattern of encrypted traffic; malicious traffic often exhibits abnormal sending frequency and periodic characteristics. In addition, the module also calculates the message length variation sequence to identify abnormal behaviors such as message fragmentation or padding.

[0027] The specific implementation of the payload entropy calculation module is as follows: A sliding window information entropy calculation is performed on the encrypted payload byte stream to quantify the degree of randomness in the distribution of encrypted data. Specifically, the Shannon entropy formula is used for calculation: H (X) =-ΣP(x i )×log2P(x i ), where P(x) i) represents the probability of the i-th byte value appearing within the sliding window. The sliding window size is set to 256 bytes, with a step size of 128 bytes. The entropy value of normal encrypted traffic is close to 8 (maximum entropy, representing complete randomness), while some malicious code or abnormal data may exhibit lower entropy values. This entropy value serves as a supplementary feature for observing encrypted behavior, and together with the packet header sequence features, constitutes a complete encrypted feature vector.

[0028] (ii) Identity and Behavior Association Module

[0029] The identity and behavior association module is used to associate user identity with session behavior under the zero-trust architecture. Specifically, it includes a token hash binding module, a multi-stream time sequence alignment module, and a behavior trajectory generation module.

[0030] The token hash binding module is implemented as follows: When a user initiates an access request, the zero-trust gateway requests an access token from the authentication server. This token is processed by a secure hash algorithm (such as SHA-256) to generate a hash value. The token hash binding module extracts this hash value and establishes a unique mapping relationship with the current encrypted tunnel session identifier (Session ID). This mapping relationship is stored in a distributed cache (such as a Redis cluster), with the key "session:{SessionID}" and the value "token_hash:{hash value}:timestamp:{generation time}". When a new data packet is transmitted within the encrypted tunnel, the system queries the corresponding token hash value based on the session identifier, thereby associating network behavior with a specific user identity.

[0031] The specific implementation of the multi-stream time alignment module is as follows: Within the same encrypted tunnel session, multiple application data streams (such as HTTP, HTTPS, SSH, etc.) may be carried simultaneously. The multi-stream time alignment module performs microsecond-level timestamp alignment operations on several TCP data streams carried under the same session identifier, using a time base synchronized with Network Time Protocol (NTP). Specifically, the module embeds a unified timestamp marker field into the data packets of each data stream. This field is appended by the SD-WAN gateway when the data packets traverse the tunnel. The alignment operation uses a linear interpolation algorithm to uniformly map the timestamps of each data stream to the global timeline, ensuring that the time points of different data streams can be accurately compared.

[0032] The specific implementation of the behavior trajectory generation module is as follows: Aligned application data stream interaction records are concatenated in chronological order to generate a continuous behavior state transition sequence for a single entity within the encrypted tunnel. This sequence includes information in the following dimensions: user identity, session identifier, timestamp sequence, request-response pairing information for each application, data transmission direction, data transmission volume, and encryption parameter change events (such as key updates). The behavior trajectory is stored in a structured log format, supporting batch processing by the subsequent semantic analysis module.

[0033] (III) Feature Normalization Preprocessing Module

[0034] The feature normalization preprocessing module is used to perform Z-score normalization calculation on the feature vectors output by the encrypted feature acquisition module to eliminate the interference of dimensional deviation caused by the difference in physical bandwidth of the wide area network link and the jitter of end-to-end propagation delay.

[0035] The standardized Z-score is calculated using the formula: Z = (X - μ) / σ, where X is the original feature value, μ is the mean of that feature dimension, and σ is the standard deviation. The mean and standard deviation are obtained based on historical traffic data statistics and are updated periodically to adapt to changes in the network environment.

[0036] In one specific embodiment of the present invention, the feature vector includes the following dimensions: ESP header sequence number increment, message length change value, mean and variance of message arrival interval, cryptographic payload entropy value, session duration, and token hash value (after encoding conversion). Each dimension has a different physical meaning and dimension, and directly using them as model input could lead to certain dimensions dominating model decisions. After Z-score standardization, each dimension is converted into a standard distribution with a mean of 0 and a variance of 1, ensuring that the model can fairly consider the contribution of each feature dimension.

[0037] The semantic threat analysis module includes a security semantic large model module, a normal baseline self-learning module, an external intelligence fusion module, and a model inference acceleration module. The specific implementation methods of each sub-module are described in detail below.

[0038] (I) Security Semantic Large Model Module

[0039] The security semantic large model module is the core detection engine of the system. It runs a Transformer encoder model pre-trained on a cybersecurity corpus, performs bidirectional self-attention encoding on normalized encrypted feature vectors and identity behavior trajectories, and outputs a threat semantic confidence score. Specifically, it includes a feature embedding encoding module, a multi-head attention calculation module, and a confidence score output module.

[0040] The specific implementation of the feature embedding and encoding module is as follows: Normalized encrypted feature vectors and identity behavior trajectory sequences are mapped to high-dimensional dense embedding vectors, respectively. For the encrypted feature vectors, a linear projection layer is used to map them from the original dimension (e.g., 64 dimensions) to the model's hidden layer dimension (e.g., 768 dimensions). For the identity behavior trajectory sequence, since it is a variable-length sequence, it is first discretized, converting continuous timestamps and numerical features into a discrete token sequence, and then converted into a dense vector through an embedding layer. Positional encoding information is superimposed during the embedding process to enable the model to perceive the positional relationships of elements in the sequence. The positional encoding adopts a sine-cosine function form:

[0041] PE(pos,2i)=sin(pos / 10000 (2i / dmodel) );

[0042] PE(pos,2i+1)=cos(pos / 10000 (2i / dmodel) );

[0043] Where pos is the position index, i is the dimension index, and d is the position index. model For the hidden layer dimension.

[0044] The specific implementation of the multi-head attention computation module is as follows: Separate self-attention operations are performed on the embedded vector to capture long-distance semantic dependencies between different time steps in the encrypted action sequence. The calculation formula for the self-attention mechanism is:

[0045] Where Q is the query matrix, K is the key matrix, V is the value matrix, and d k Let be the dimension of the key vector. Multi-head attention executes h (e.g., 12) attention functions in parallel, concatenates the results, and then performs a linear transformation to obtain the final output. In this invention, the self-attention mechanism can effectively identify abnormal patterns in encrypted traffic. For example, abnormal periodic changes in message sequences may indicate the presence of malicious programs that execute at time; abnormal synchronization behavior between multiple sessions may indicate the presence of coordinated attacks.

[0046] The specific implementation of the confidence score output module is as follows: The classification token vector output from the top layer of the Transformer encoder is mapped to a probability score indicating that the current encrypted session belongs to the unknown threat category through a fully connected feedforward network. Specifically, the output vector corresponding to the [CLS] marker of the last layer of the encoder (this vector aggregates the semantic information of the entire sequence) is taken and input into a classification head containing two fully connected layers. The first fully connected layer expands the dimension from 768 to 1024 and uses the GELU activation function, while the second fully connected layer compresses the dimension from 1024 to 2 (normal / threat). Finally, the probability value of the threat category is output through the Softmax function. This probability value is the threat confidence score, which ranges from [0, 1]. The higher the value, the greater the probability that the current encrypted session is an unknown threat.

[0047] (ii) Normal baseline self-learning module

[0048] The normal baseline self-learning module is used to train a variational autoencoder (VAE) using encrypted traffic data during an attack-free window period, in order to construct a Gaussian mixture latent spatial distribution function that represents the normal operating state of the network as a reference benchmark for deviation calculation.

[0049] The VAE model consists of two parts: an encoder and a decoder. The encoder maps the input encrypted feature vector to the mean vector μ and variance vector σ of the latent space; the decoder samples from the latent space and reconstructs the input vector. In this invention, the latent space is set to 32 dimensions and is assumed to follow a standard Gaussian distribution.

[0050] The training data consists of normal encrypted traffic samples without an attack window, with a sample size of no less than 1 million. During training, the VAE learns the implicit structure and distribution patterns of normal encrypted traffic. After training, for a new encrypted session sample, the Kullback-Leibler divergence between its latent space representation and the normal distribution is calculated as the deviation. The higher the deviation, the greater the difference between the session and the normal pattern, assisting the security semantic large model module in threat determination.

[0051] (III) External Intelligence Fusion Module

[0052] The external intelligence fusion module is used to access the Structured Threat Information Expression (STIX) data stream, and after vectorizing the malicious IP address ranges and the encrypted certificate fingerprint list, it is injected into the embedding layer vocabulary parameters of the security semantic big model module.

[0053] STIX is a standardized format for exchanging network threat intelligence, containing objects such as threat indicators, attack patterns, and threat actors. This module subscribes to threat intelligence data streams via the TAXII (Trusted Automated eXchange of Intelligence Information) protocol, parsing indicators such as malicious IP address ranges, malicious certificate fingerprints, and malicious domain names.

[0054] The specific vectorization transformation is as follows: For malicious IP address ranges, the 32-bit binary representation of the IPv4 address is used as the embedding vector input; for encrypted certificate fingerprints, the first 16 bytes of the certificate's SHA-256 hash value are used as the embedding vector input. These vectors are injected into the embedding layer during model training or inference, serving as prior knowledge to guide the model to focus on known malicious indicators.

[0055] (iv) Model Inference Acceleration Module

[0056] The model inference acceleration module utilizes the Compute Unified Device Architecture (CUDA) acceleration library on a central control node equipped with parallel computing units to perform half-precision (FP16) floating-point parallel optimization for multi-head attention operations in the security semantic large model module. The specific implementation is as follows: The central control node is configured with an NVIDIA GPU (such as A100 or H100) and has the CUDA Toolkit and cuDNN deep learning acceleration library installed. During model inference, model weights are converted from FP32 to FP16 format for storage to reduce GPU memory usage and accelerate computation. Matrix multiplication operations in the multi-head attention operation utilize the half-precision computation implementation of the cuBLAS library, leveraging Tensor Cores for hardware acceleration of matrix multiplication and accumulation operations.

[0057] In addition, the module implements the following optimization strategies: Operator Fusion – merging adjacent matrix operations, activation functions, etc. into a single kernel to reduce memory access overhead; Dynamic Batching – dynamically adjusting the inference batch size according to real-time traffic load to achieve a balance between latency and throughput; Model Parallelism – for ultra-large-scale models, a pipelined parallel strategy is used to deploy the model in layers to multiple GPUs.

[0058] The Unknown Feature Stabilization Module stores the fingerprints of anomalous encryption patterns confirmed by the semantic threat analysis module, along with their corresponding high-dimensional semantic vector representations. This supports rapid retrieval and recall of subsequent variant covert attacks using the Approximate Nearest Neighbor (ANN) algorithm. The specific implementation is as follows: The Unknown Feature Database uses a vector database (such as Milvus or Pinecone) to store high-dimensional semantic vectors, and employs the HNSW (Hierarchical Navigable SmallWorld) indexing algorithm to construct the index structure. The stored records contain the following fields: anomalous encryption pattern fingerprint (generated by hashing ESP header sequence features, payload entropy value sequences, temporal features, etc.), high-dimensional semantic vector (intermediate layer representation output by the security semantic large model module), first discovery timestamp, threat tag (manually labeled or automatically inferred), and associated external intelligence identifiers.

[0059] When a new encrypted session enters the detection process, the semantic threat analysis module outputs not only a threat confidence score but also a high-dimensional semantic vector for that session. This vector is first subjected to an ANN search against historical records in the unknown feature database to find similar known threat patterns. If a record with a similarity exceeding a threshold (e.g., 0.85) is found in the search results, the historical threat tags and handling suggestions are directly reused to improve detection efficiency.

[0060] The trust policy adjudication module includes a dynamic trust score calculation module, a policy conflict detection module, and a real-time policy generation module. The specific implementation methods of each sub-module are described in detail below.

[0061] (a) Dynamic Trust Score Calculation Module

[0062] The dynamic trust score calculation module receives semantic confidence scores and calls a preset zero-trust index decay function to calculate, in real time, the dynamic trust quantification assessment value of the current session with a one-time timestamped credential and a millisecond-level lifespan. Specifically, it includes a score decay calculation module and a credential generation module.

[0063] The specific implementation of the score decay calculation module is as follows: It receives the threat confidence score C (range [0,1]) output by the security semantic large model module, and substitutes it into the preset zero-trust index decay function to calculate the decay magnitude of the current session trust score. The initial value of the trust score T is 1.0 (complete trust), and the decay formula is: T=T0×e (-λ×C) Where T0 is the previous trust score, λ is the decay coefficient (configurable, typically 2.0), and C is the threat confidence score. This formula means that the higher the threat confidence score, the faster the trust score decays. When C=0, T remains unchanged; when C=1, T decays exponentially to near zero.

[0064] The specific implementation of the credential generation module is as follows: The decayed trust quantification value is combined with the current system timestamp and a preset expiration offset to encode a one-time dynamic trust credential (DTT) data structure. The DTT structure is as follows: {version:1,session_id:"xxx",trust_score:0.75,timestamp:699999999999,expiry_offset:60000,signature:"base64_encoded_signature"}. The signature uses the HMAC-SHA256 algorithm, and the private key of the zero-trust gateway is used to sign all fields except the signature field to ensure that the credential cannot be forged or tampered with. The DTT's lifespan is set to milliseconds (e.g., 60 seconds), and it needs to be re-evaluated after the timeout.

[0065] (II) Strategy Conflict Detection Module

[0066] The policy conflict detection module is used to perform formal verification methods to check the syntactic consistency and permission transfer closure between the policy statement and the existing distributed zero-trust security baseline before the newly generated access control policy is issued.

[0067] Formal verification is implemented using model checking. The system maintains an access control policy state machine model, which includes the following elements: Subject, Resource, Operation, Condition, and Effect. New policies, expressed in a policy language (such as XACML), are then converted into an input format acceptable to the state machine.

[0068] The specific content to be checked includes: Syntax consistency – verifying whether the policy statement conforms to the XACML syntax specification; Permission conflict – checking whether the new policy conflicts with the existing policy (such as granting and denying access to the same resource at the same time); Permission propagation loop – checking whether there is an infinite loop caused by recursive permission granting (such as role A being granted permissions to role B, and role B being granted permissions to role A); Principle of least privilege – checking whether the new policy follows the principle of least privilege, that is, granting only the minimum set of permissions required to complete the task.

[0069] (III) Real-time Strategy Generation Module

[0070] The real-time policy generation module is used to compile the evaluation values ​​output by the dynamic trust score calculation module into permission revocation statements that conform to the syntax structure of the zero-trust architecture extended access control markup language (XACML), and to perform keyed-hash message authentication code (HMAC) signing.

[0071] The following is an example of the XACML format for a permission revocation statement:

[0072] <policyset policysetid="dynamic_revoke_ps">

[0073] <policy policyid="session_revoke_p">

[0074] <rule ruleid="revoke_rule" effect="Deny">

[0075] <target>

[0076] <subjects>

[0077] <subject>

[0078] <subjectmatch matchid="string-equal">

[0079] <attributevalue datatype="string"> session_xxx< / attributevalue>

[0080] <subjectattributedesignator AttributeId="session-id" / >

[0081] < / subjectmatch>

[0082] < / subject>

[0083] < / subjects>

[0084] <resources>

[0085] <resource>

[0086] <resourcematch matchid="string-equal">

[0087] <attributevalue datatype="string"> *< / attributevalue>

[0088] <resourceattributedesignator AttributeId="resource-id" / >

[0089] < / resourcematch>

[0090] < / resource>

[0091] < / resources>

[0092] < / target>

[0093] <condition>

[0094] <apply functionid="double-less-than">

[0095] <attributevalue datatype="double"> 0.3< / attributevalue>

[0096] <resourceattributedesignator AttributeId="trust-score" / >

[0097] < / apply>

[0098] < / condition>

[0099] < / rule>

[0100] < / policy>

[0101] < / policyset>

[0102] The above policy states that when a session's trust score is below 0.3, all access requests for that session will be rejected. After the policy is generated, the policy content is HMAC-SHA256 signed using the private key of the zero-trust control plane, and the signature is appended to the policy data packet. Policies issued to each execution node (SD-WAN gateway) must pass signature verification to take effect.

[0103] The encrypted tunnel control module includes a quantum key injection module, an encrypted channel splitting module, and a traffic desensitization and isolation module. The specific implementation methods of each sub-module are described in detail below.

[0104] (a) Quantum Key Injection Module

[0105] The quantum key injection module is used to invoke a quantum random number generator (QRNG) to generate truly random shared key material and implement one-time pad (OTP) write protection operations during the establishment phase of the policy distribution control channel and traffic re-encryption tunnel. The specific implementation is as follows: The system integrates a hardware random number generator based on the photonic quantum random principle (such as IDQuantique's Quantis series). When a new session key needs to be generated or the protection key of the policy distribution channel needs to be updated, the module requests random numbers from the QRNG. The truly random numbers output by the QRNG are post-processed (including randomness detection and bias correction) and used as key material.

[0106] The One-Time Primitive key (OTP) is implemented as follows: For each key update, a random key string of the same length as the plaintext (length equal to the data to be encrypted) is generated, and the plaintext is encrypted using an XOR operation. Since the entropy of truly random numbers is infinitely large, this encryption method is theoretically unbreakable. The generated OTP key is used only once and destroyed afterward, with the key change event recorded in the audit log.

[0107] (ii) Encrypted Channel Diversion Module

[0108] The encrypted channel traffic redirection module, upon identifying a high-risk encrypted session, immediately notifies the SD-WAN route reflector of the Border Gateway Protocol (BGP) flow specification and updates the message to modify the Forwarding Information Base (FIB) to achieve secure isolation and redirection of tunnel traffic. The specific implementation is as follows: When the trust policy adjudication module determines that an encrypted session is high-risk (e.g., a threat confidence score exceeding 0.8), it sends a BGP Flow Specification update message to the SD-WAN route reflector. This message contains matching rules (such as five-tuple information, session identifiers, etc.) and execution actions (such as redirection to a specified isolated security domain). Upon receiving the update message, the route reflector updates its FIB and routing policy database, directing subsequent traffic from that session to a dedicated analysis node in the isolated security domain.

[0109] The redirection process is transparent to the user, who will not perceive any change in the traffic path. The isolated security domain is an independent sandbox environment containing components such as a honeypot system, a deep traffic analysis system, and a malware sandbox, used for detailed analysis of high-risk sessions.

[0110] (III) Flow Desensitization and Isolation Module

[0111] The traffic masking and isolation module is used to strip plaintext metadata fields that can be associated with a user's personal identification from network layer packets before high-risk encrypted sessions enter the deep analysis node, and replace them with meaningless padding characters. Specific fields that need to be masked include, but are not limited to: source IP address (replaced with a random address from the virtual IP address pool), source port number (replaced with a random port), timestamp option in the TCP options field (removed), User-Agent field in the HTTP request header (replaced with a general identifier), cookie field (replaced with a random string), and any custom fields containing a username.

[0112] The de-identification process employs Deep Packet Inspection (DPI) technology to identify and replace plaintext fields before decryption. For IPsec ESP-encrypted traffic, decryption is impossible due to the unavailability of the key. The module utilizes tunnel endpoint replication technology. When ESP packets traverse the SD-WAN gateway, the gateway, acting as the ESP tunnel endpoint, possesses the decryption key (during normal encryption / decryption operations). This feature is leveraged to obtain the plaintext and perform de-identification. The de-identified traffic is then sent to an isolated security domain for in-depth analysis. The original user identity information is stored separately from the de-identified traffic, ensuring user privacy is not compromised.

[0113] The closed-loop evolution and maintenance module includes an edge lightweight inference module, a model incremental evolution module, an audit log solidification module, and a global encryption posture module. The specific implementation methods of each sub-module are described in detail below.

[0114] (a) Lightweight edge inference module

[0115] The lightweight edge inference module is used to load a lightweight student model compressed with knowledge distillation onto the SD-WAN edge gateway when the central control link is interrupted. This student model performs local independent pre-filtering and blocking decisions on the burstiness of abnormal encrypted traffic. The knowledge distillation is implemented as follows: the teacher model (the large security semantic model module) adopts a BERT-based architecture (12-layer Transformer, 768 hidden dimensions). The student model adopts a DistilBERT architecture (6-layer Transformer, 66% hidden dimensions), trained on the intermediate layer output of the teacher model. The student model has only 40% of the parameters of the teacher model, resulting in a 60% improvement in inference speed, and can be deployed on resource-constrained edge gateways.

[0116] When deployed at the edge, student models are stored in ONNX (Open Neural Network Exchange) format and loaded and executed by the edge gateway's inference engine (such as NVIDIA TensorRT or Intel OpenVINO). When the central control link is normal, the edge module reports the detection results to the center for decision-making; when the link is interrupted, the edge module independently performs detection and blocking operations, with blocking policies based on preset local rules (such as blocking when the threat confidence score exceeds a threshold). After the link is restored, the edge module synchronizes the detection logs from the offline period to the center.

[0117] (ii) Model Incremental Evolution Module

[0118] The incremental evolution module collects Control Flow Graph (CFG) features of unknown threats captured within the isolated region, along with verified false positive samples, to perform weighted federated averaging (FedAvg) incremental fine-tuning on the encoder layer weight matrix of the large model. Specifically, the deep analysis nodes in the isolated security domain perform detailed analysis of redirected high-risk sessions, extracting CFG features of unknown threats. CFG features describe the execution flow of malware, including basic blocks, jump instructions, function calls, and other information. These features, along with the original encrypted traffic features, serve as positive samples for incremental training. Simultaneously, manually verified false positive samples serve as negative samples.

[0119] The specific process of federated averaging fine-tuning is as follows: Each SD-WAN edge node uses local data to fine-tune the model for several rounds (using a relatively large learning rate), and then sends the updated model weights to the central node. The central node performs a weighted average of the weight updates from each edge node to generate new global model weights. The weighted weights are dynamically adjusted based on the number and quality of samples from each node. Differential privacy technology is used during the fine-tuning process to add noise to the gradient to prevent privacy leaks.

[0120] (III) Audit Log Solidification Module

[0121] The audit log solidification module is used to write dynamic trust assessment value change records and encryption policy effective timestamp sequences into a tamper-proof read-only storage area built on a Merkle Tree hash chain. The Merkle Tree is constructed as follows: each audit log record is treated as a leaf node, and its SHA-256 hash value is calculated. Multiple leaf node hash values ​​are paired, and the hash value of the parent node is calculated, recursively until the root node. The root node hash value is published on a blockchain or a trusted timestamp service (such as RFC3161) to ensure immutability.

[0122] Audit logs include: timestamps (accurate to milliseconds), event type (e.g., "trust score update," "policy issuance," "blocking execution," etc.), session identifier, user identifier (anonymized), original trust score, updated trust score, threat confidence score, trigger rule identifier, operation result, and operator identifier. Write-once-read-many (WORM) storage devices are used to ensure logs can only be appended and not modified. Storage capacity is configured based on the log generation rate; it is recommended to retain at least 180 days of log data to meet compliance requirements.

[0123] (iv) Global Encryption Situation Module

[0124] The comprehensive encryption situational awareness module aggregates threat events and key negotiation change logs reported by each SD-WAN edge node and presents a panoramic view of the distribution of hidden threats across the entire network's encrypted channels in the form of heatmaps and attack vector lines. The specific implementation is as follows: The module receives threat event reports (including threat type, threat confidence score, affected nodes, affected users, etc.) and key negotiation change logs (including key update time, key length, key source, etc.) from each edge node. After data aggregation, it undergoes standardization processing and is aggregated and statistically analyzed according to dimensions such as geographical distribution, network topology, or service domain.

[0125] The visualization is presented via a web interface, supporting the following views: Heatmap view – using a geographic map or network topology as the background color, with color shades indicating threat activity in each area; Attack vector line view – using arrowed lines on the network topology map to represent attack paths, with the arrow direction indicating the attack propagation direction and the line thickness indicating the attack scale; Trend line chart – showing the changing trends of indicators such as the number of threats and the distribution of threat confidence scores over time; List table – listing a detailed list of threat events, supporting sorting and filtering. The situational data supports API interfaces for other systems to call, facilitating integration with the Security Operations Center (SOC) platform.

[0126] Based on the above modules, the complete workflow of the system in this embodiment of the invention is as follows: Step 1: Data Acquisition. The data acquisition and processing module captures ESP packets at the SD-WAN gateway tunnel virtual interface, extracting packet header sequence features and arrival interval time-series vectors. Simultaneously, the identity behavior association module binds the zero-trust identity token hash value with the session identifier, generating an encrypted behavior observation data chain. The feature normalization preprocessing module performs Z-score normalization transformation on the original features. Step 2: Threat Analysis. The semantic threat analysis module receives the normalized encrypted behavior data chain and runs a pre-trained Transformer large model to perform semantic encoding inference. The normal baseline self-learning module provides a normal behavior baseline reference, and the external intelligence fusion module injects known malicious indicators. The model outputs the threat confidence score of the current encrypted session. Step 3: Feature Solidification. If the threat confidence score exceeds a preset threshold, the unknown feature solidification module stores the abnormal encryption mode fingerprint and high-dimensional semantic vector in a vector database to support rapid retrieval of subsequent variant attacks. Step 4: Policy Adjudication. The trust policy adjudication module receives the threat confidence score, and the dynamic trust score calculation module calls the zero-trust exponential decay function to calculate the session trust score. The policy conflict detection module verifies the legitimacy of the new policy. The real-time policy generation module compiles signed permission revocation statements. Step 5: Tunnel Control. The encrypted tunnel control module uses quantum random keys to protect the policy distribution channel, the encrypted channel diversion module redirects high-risk sessions to isolated security domains, and the traffic desensitization and isolation module removes user identity identifiers. Step 6: Closed-Loop Evolution. The closed-loop evolution maintenance module deploys a lightweight model at edge nodes to implement local pre-blocking, uses isolated domain samples to perform incremental fine-tuning of the large model, solidifies audit logs, and updates the overall threat situation.

[0127] The technical scope of this invention is not limited to the content described above. Those skilled in the art can make various modifications and variations to the above embodiments without departing from the technical concept of this invention, and all such modifications and variations should fall within the protection scope of this invention.

Claims

1. An AI-driven, large-scale model-based system for accurately detecting unknown threats in SD-WAN zero-trust networks, characterized by: include: Data acquisition and processing module: used to capture packet header sequence features and arrival interval time vector at the SD-WAN encrypted tunnel inlet, and synchronously associate with zero-trust identity token hash value to generate encrypted behavior observation data chain while performing standardized dimensionless transformation on the original features; Semantic threat analysis module: Used to run a pre-trained Transformer large model to perform semantic encoding inference on the encrypted behavior data chain, and to fuse normal behavior baseline references with external intelligence vectors to determine the threat confidence level of the current encrypted session deviating from the normal manifold; Unknown Feature Solidification Module: Used to store the fingerprints of abnormal encryption patterns confirmed by the semantic threat analysis module and their corresponding high-dimensional semantic vector representations, so as to support the rapid retrieval and recall of subsequent variant covert attacks using approximate nearest neighbor methods. Trust Policy Adjudication Module: Used to generate dynamic trust quantification credentials by calling the zero-trust exponential decay function based on the threat confidence score. After passing formal conflict verification, it compiles access control revocation execution statements with key signatures. Encrypted Tunnel Control Module: Used to distribute channels using quantum random key protection strategies, and to redirect high-risk encrypted sessions to isolated security domains. It also strips user personal identification metadata before entering in-depth analysis. Closed-Loop Evolution Maintenance Module: Used to deploy lightweight models at edge nodes to implement local pre-blocking adjudication, use samples captured in the isolated domain to perform incremental parameter fine-tuning on the large model, and solidify anti-tampering audit tracks and overall threat posture.

2. The AI-driven large-scale model-based SD-WAN zero-trust network unknown threat accurate detection system according to claim 1, characterized in that: The data acquisition and processing module includes: an encryption feature acquisition module, used to capture the IPsec encapsulated security payload header sequence number and packet length field on the SD-WAN gateway tunnel virtual interface, extract the packet arrival time interval change sequence, and calculate the encryption payload information entropy value as the observation feature vector; an identity behavior association module, used to bind the user access token hash value and session identifier under the zero-trust architecture, and align multiple application data streams in the encryption tunnel according to millisecond-level timestamps to generate a single subject's encrypted interaction behavior time-series trajectory; and a feature normalization preprocessing module, used to perform Z-score normalization calculation on each dimension of the output vector of the encryption feature acquisition module to eliminate the interference of dimensional deviation caused by the difference in physical bandwidth of the WAN link and the end-to-end propagation delay jitter.

3. The AI-driven SD-WAN zero-trust network unknown threat accurate detection system according to claim 2, characterized in that: The encryption feature acquisition module includes: a tunnel packet capture module, used to mount observation points on the driver layer of the SD-WAN gateway tunnel virtual interface and acquire the original byte sequence of the IPsec encapsulated security payload protocol header in a mirrored manner; a feature sequence extraction module, used to parse the sequence number field and the total length field of the encapsulated security payload header from the captured packets and calculate the time interval difference sequence between adjacent packets; and a payload entropy calculation module, used to perform sliding window information entropy calculation on the encrypted payload byte stream to quantify the degree of randomness in the distribution of encrypted data as a supplementary feature for observing encryption behavior.

4. The AI-driven SD-WAN zero-trust network unknown threat accurate detection system according to claim 2, characterized in that: The identity behavior association module includes: a token hash binding module, used to extract the user access token forwarded by the zero-trust gateway to the edge node, process it with a secure hash algorithm, and establish a unique mapping relationship with the current encrypted tunnel session identifier; a multi-stream time sequence alignment module, used to perform microsecond-level timestamp alignment operations on several transmission control protocol data streams carried under the same session identifier based on the network time protocol synchronization benchmark; and a behavior trajectory generation module, used to splice the aligned interaction records of several application data streams into a continuous behavior state transition sequence of a single subject in the encrypted tunnel according to the chronological order of occurrence.

5. The AI-driven large-scale model-based SD-WAN zero-trust network unknown threat accurate detection system according to claim 1, characterized in that: The semantic threat analysis module includes: a security semantic large model module, used to run a Transformer encoder model pre-trained based on network security corpus, performing bidirectional self-attention encoding on normalized encrypted feature vectors and identity behavior trajectories, and outputting threat semantic confidence scores; a normal baseline self-learning module, used to train a variational autoencoder using encrypted traffic data during attack-free windows, to construct a Gaussian mixture latent space distribution function representing the normal operating state of the network as a reference benchmark for deviation calculation; an external intelligence fusion module, used to access structured threat intelligence expression data streams, and after vectorizing the malicious IP address ranges and encrypted certificate fingerprint lists, inject them into the embedding layer vocabulary parameters of the security semantic large model module; and a model inference acceleration module, used to call the unified computing device architecture acceleration library on the central control node equipped with parallel computing units to perform half-precision floating-point parallel optimization on the multi-head attention operation of the security semantic large model module.

6. The AI-driven SD-WAN zero-trust network unknown threat accurate detection system according to claim 1, characterized in that: The trust policy adjudication module includes: a dynamic trust score calculation module, used to receive semantic confidence scores and call a preset zero-trust exponential decay function to calculate the dynamic trust quantification evaluation value of the current session with a one-time timestamp credential and a millisecond-level lifespan in real time; a policy conflict detection module, used to use a formal verification method to check the syntactic consistency and permission transfer closure of the policy statement with the existing distributed zero-trust security baseline before issuing a newly generated access control policy; and a real-time policy generation module, used to compile the evaluation value output by the dynamic trust score calculation module into a permission revocation statement that conforms to the syntax structure of the zero-trust architecture extended access control markup language, and execute a message authentication code signature with a key hash.

7. The AI-driven SD-WAN zero-trust network unknown threat accurate detection system according to claim 1, characterized in that: The encrypted tunnel control module includes: a quantum key injection module, used to call a quantum random number generator to generate truly random shared key material, and to implement a one-time pad write protection operation during the policy issuance control channel and traffic re-encryption tunnel establishment phase; an encrypted channel diversion module, used to immediately notify the SD-WAN route reflector of the border gateway protocol flow specification after identifying a high-risk encrypted session, and update the message to modify the WAN forwarding information database to achieve secure isolation and redirection of tunnel traffic; and a traffic desensitization and isolation module, used to strip plaintext metadata fields that can be associated with the user's personal identification in the network layer packets before the high-risk encrypted session enters the deep analysis node, and replace and overwrite them with meaningless filler characters.

8. The AI-driven large-scale model-based SD-WAN zero-trust network unknown threat accurate detection system according to claim 1, characterized in that: The closed-loop evolution and maintenance module includes: an edge lightweight inference module, used to load a lightweight student model that has undergone knowledge distillation and compression on the SD-WAN edge gateway to perform local independent pre-filtering and blocking decisions on the burstiness of abnormal encrypted traffic when the central control link is interrupted; a model incremental evolution module, used to collect the control flow graph features of unknown threat binary code captured in the isolated area and verified false alarm sample data to perform weighted federated average incremental fine-tuning on the weight matrix of the large model encoder layer; an audit log solidification module, used to write the dynamic trust evaluation value change record and the encryption policy effective timestamp sequence into a tamper-proof read-only storage area built based on a Merkle tree hash chain; and a global encryption situation module, used to aggregate threat events and keys reported by each SD-WAN edge node, negotiate change logs, and present a panoramic view of the distribution of hidden threats in the encrypted channels of the entire network in the form of heatmaps and attack vector lines.

9. The AI-driven large-scale model-based SD-WAN zero-trust network unknown threat accurate detection system according to claim 5, characterized in that: The secure semantic large model module includes: a feature embedding and encoding module, used to map normalized encrypted feature vectors and identity behavior trajectory sequences into high-dimensional dense embedding vectors respectively, and superimpose positional encoding information; a multi-head attention calculation module, used to perform split-head self-attention operations on the embedding vectors to capture long-distance semantic dependencies between different time steps in the encrypted behavior sequence; and a confidence score output module, used to map the classification token vector output from the top layer of the Transformer encoder into a probability score indicating that the current encrypted session belongs to an unknown threat category through a fully connected feedforward network.

10. The AI-driven large-scale model-based SD-WAN zero-trust network unknown threat accurate detection system according to claim 6, characterized in that: The dynamic trust score calculation module includes: a score decay calculation module, which receives the threat confidence score output by the security semantic big model module and substitutes it into a preset negative exponential function to calculate the decay rate of the current session trust score; and a credential generation module, which combines the decayed trust quantification value with the current system timestamp and a preset validity period offset to encode a one-time dynamic trust credential data structure.