Computer network traffic anomaly detection method and system based on deep learning
By deconstructing network traffic at the protocol stack level and distilling abnormal features using deep learning models, the problem of accurately tracing abnormal behavior in existing technologies has been solved. This enables precise location of abnormal traffic and dynamic blocking strategies, improving the accuracy and efficiency of network security.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- GUIZHOU UNIVERSITY OF FINANCE AND ECONOMICS
- Filing Date
- 2026-06-10
- Publication Date
- 2026-07-10
AI Technical Summary
Existing network traffic anomaly detection technologies struggle to effectively distinguish the specific protocol layer where abnormal behavior occurs, and they cannot accurately trace the source when faced with complex anomalies that cross protocol layers, preventing network security administrators from implementing targeted traffic blocking strategies.
By performing protocol stack layer deconstruction on the original network traffic bitstream, extracting the frequency distribution features of the transport layer payload bytes and the fragment offset sequence features of the network layer, a hierarchical traffic structure representation map oriented towards the session interaction mode is constructed. Then, by using the pre-constructed traffic pattern deep autoencoder to reconstruct the network, cross-protocol layer anomaly feature distillation is performed to generate multi-dimensional anomaly feature output, thereby achieving accurate location and source tracing of abnormal traffic behavior.
It enables precise location and source tracing of abnormal traffic behavior, generates targeted traffic blocking strategies, reduces accidental damage to normal business traffic, and improves the accuracy and efficiency of network security.
Smart Images

Figure CN122372345A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of deep learning technology, and more specifically, to a method and system for detecting anomalies in computer network traffic based on deep learning. Background Technology
[0002] With the continuous expansion of computer network scale and the increasing complexity of business operations, network traffic anomaly detection has become an indispensable technical component for ensuring the safe operation of the network. Currently, existing network traffic anomaly detection technologies can be mainly divided into the following categories: The first category is rule-based detection methods. These methods compare network traffic packet by packet using predefined feature rules, triggering an alarm when the traffic features match known attack patterns in the rule base. However, these methods have extremely limited ability to detect unknown and variant attacks, and maintaining the rule base requires significant manual labor, often proving inadequate in the face of rapidly evolving attack methods.
[0003] The second category is detection methods based on statistical learning. These methods typically model single-dimensional statistical characteristics of traffic, such as byte distribution and packet arrival intervals, and determine whether the traffic is abnormal by setting thresholds. However, these methods only focus on the surface statistical attributes of traffic and are difficult to capture the deep correlation characteristics between different layers of the protocol stack. In particular, when attackers evade statistical detection through carefully crafted fragmented packets or payload spoofing, their false negative rate will increase significantly.
[0004] The third category comprises detection methods based on deep learning that have emerged in recent years. Some existing technologies attempt to use autoencoders or recurrent neural networks for end-to-end anomaly detection of raw traffic data. However, these methods typically input the entire traffic stream directly into the neural network for black-box feature learning, lacking explicit modeling of the traffic data's inherent protocol layer structure. This results in the model being unable to effectively distinguish between abnormal anomalies originating from abnormal construction of the transport layer payload or abnormal arrangement of network layer fragmentation behavior when faced with complex anomalies across protocol layers. Ultimately, it can only output a general anomaly score without pinpointing the specific protocol layer where the anomaly occurred. Furthermore, most existing deep learning detection solutions focus on anomaly detection while neglecting precise source tracing. In real-world network operation and maintenance scenarios, security administrators not only need to know which connection is abnormal but also need to pinpoint the exact layer of the protocol stack where the abnormal behavior occurs in order to implement targeted traffic blocking strategies. Summary of the Invention
[0005] In view of the aforementioned problems, and in conjunction with the first aspect of the present invention, embodiments of the present invention provide a method for detecting anomalies in computer network traffic based on deep learning, the method comprising: The raw network traffic bit stream captured by the traffic acquisition probe in the target computer network is obtained. The raw network traffic bit stream contains a sequence of Transmission Control Protocol (TCP) data packets with source and destination transport layer port identifiers. The original network traffic bitstream is subjected to protocol stack layer deconstruction processing to obtain the transport layer payload byte frequency distribution characteristics and network layer fragment offset sequence characteristics of each transport control protocol data packet in the transport control protocol data packet sequence. Based on the transport layer payload byte frequency distribution characteristics and network layer fragment offset sequence characteristics, a traffic hierarchical structure representation diagram oriented to the session interaction mode is constructed. The traffic hierarchical structure representation map is subjected to cross-protocol layer anomaly distillation using a pre-built traffic pattern deep autoencoder reconstruction network to generate a first anomaly distillation output and a second anomaly distillation output. The first anomaly distillation output reflects the reconstruction error tensor between the input traffic hierarchical structure representation map and the normal traffic baseline pattern, and the second anomaly distillation output reflects the response intensity distribution of the reconstruction error tensor at each layer of the protocol stack. Based on the first and second abnormal feature distillation outputs, multi-dimensional abnormal signal collaborative source tracing processing is performed to determine the communication connection session identifier with abnormal traffic behavior in the target computer network and the abnormal source protocol layer location corresponding to the communication connection session identifier. Based on the communication connection session identifier and the location of the abnormal source protocol layer, a network security handling instruction containing traffic blocking policy parameters is generated, and the network security handling instruction is sent to the target network traffic management device to trigger abnormal traffic isolation operation.
[0006] Furthermore, embodiments of the present invention also provide a computer network traffic anomaly detection system based on deep learning, characterized in that it includes: A processor; a machine-readable storage medium for storing machine-executable instructions of the processor; wherein the processor is configured to execute the aforementioned deep learning-based computer network traffic anomaly detection method by executing the machine-executable instructions.
[0007] Based on the above, this invention does not directly input the original network traffic bitstream into the deep learning model for end-to-end black-box discrimination. Instead, it first performs protocol stack layer deconstruction processing on the original traffic bitstream, extracting two key features that characterize the payload semantics and fragmentation behavior, namely, the transport layer payload byte frequency distribution feature and the network layer fragmentation offset sequence feature. Based on these two types of features, a traffic hierarchical structure representation graph oriented towards session interaction modes is constructed. Thus, protocol layer semantics of the traffic data are injected at the input end of the deep learning model, laying a structured data foundation for cross-protocol layer anomaly analysis. On this basis, this invention uses a pre-constructed traffic pattern deep autoencoder reconstruction network to perform cross-protocol layer anomaly feature distillation processing on the traffic hierarchical structure representation graph, generating a dual output that simultaneously contains a reconstruction error tensor and the response intensity distribution of the error tensor at each layer of the protocol stack. The reconstruction error tensor quantifies the overall deviation between the current traffic and the normal traffic baseline pattern, while the response intensity distribution further reveals the specific distribution of the above deviation at each layer of the protocol stack. Together, they constitute a multi-dimensional anomaly feature space that can reflect both the existence and origin of anomalies. Compared with existing technologies, this approach offers significant advantages. This invention represents a qualitative leap in abnormal feature distribution, moving from scalar to tensor and from single-dimensional to multi-dimensional distribution, compared to previous methods that only output a single anomaly score. Subsequently, based on the first and second anomaly feature distillation outputs, the invention performs multi-dimensional anomaly signal collaborative tracing to determine the communication connection session identifier exhibiting abnormal traffic behavior and the corresponding anomaly source protocol layer location. The multi-dimensional anomaly features obtained from the distillation are then fused for tracing, not only accurately locating the specific communication connection to which the abnormal traffic belongs but also further pinpointing the protocol layer location where the abnormal behavior occurred. Finally, based on the communication connection session identifier and the anomaly source protocol layer location, the invention generates a network security handling instruction containing traffic blocking policy parameters and sends it to the target network traffic management device to trigger anomaly traffic isolation operation. This ensures that the handling action is no longer a general full-link blocking or simple connection dropping, but rather dynamically adjusts the blocking policy parameters according to the anomaly source protocol layer location. For example, when the anomaly source is located at the network layer fragment offset anomaly, refined blocking targeting fragment reassembly can be implemented; when the anomaly source is located at the transport layer load anomaly, load filtering targeting specific ports can be implemented. This ensures network security while minimizing accidental damage to normal service traffic. Attached Figure Description
[0008] Figure 1 This is a schematic diagram of the execution flow of the computer network traffic anomaly detection method based on deep learning provided in an embodiment of the present invention.
[0009] Figure 2 This is a logical schematic diagram of a computer network traffic anomaly detection method based on deep learning provided in an embodiment of the present invention.
[0010] Figure 3 This is a schematic diagram of exemplary hardware and software components of a deep learning-based computer network traffic anomaly detection system provided in an embodiment of the present invention. Detailed Implementation
[0011] Figure 1 This is a flowchart illustrating a deep learning-based computer network traffic anomaly detection method according to an embodiment of the present invention, which will be described in detail below.
[0012] Step S110: Obtain the raw network traffic bit stream captured by the traffic acquisition probe in the target computer network. The raw network traffic bit stream contains a sequence of Transmission Control Protocol (TCP) data packets with source and destination transport layer port identifiers that are recorded continuously.
[0013] At the core switching node of the target computer network, bidirectional traffic is mirrored to a traffic acquisition probe via an optical splitter. The traffic acquisition probe operates in line-rate mode, sampling the electrical signals on the mirrored port bit-by-bit, converting the physical layer waveform into a binary bit sequence. The sampling process follows the Nyquist sampling theorem, with the sampling frequency set to twice the link bandwidth. The acquired binary bit sequence is continuously appended to the original network traffic bitstream file in chronological order. For each captured complete data packet, a Unix timestamp of the packet's arrival time is inserted into the bitstream, with a timestamp accuracy of microseconds.
[0014] In the raw network traffic bitstream, the original time-slot information between data packets is preserved without any gap removal or time compression. The boundaries of each Transmission Control Protocol (TCP) packet in the bitstream are identified by the Ethernet frame preamble and start-of-frame delimiter. The source and destination transport layer port identifiers for each TCP packet are located in bytes 0-1 and byte 2-3 of the TCP header, respectively. Data collection has been explicitly authorized by the network owner, and the scope is limited to network traffic metadata and payload data, without involving any privacy monitoring of the communication content. For potentially sensitive fields carried in the payload, real-time encryption based on the AES-256 algorithm is used during the collection phase. The encryption key is generated by an independent key management service and rotated periodically.
[0015] Step S120: Perform protocol stack layer deconstruction processing on the original network traffic bit stream to obtain the transport layer payload byte frequency distribution characteristics and network layer fragment offset sequence characteristics of each transport control protocol data packet in the transport control protocol data packet sequence. Based on the transport layer payload byte frequency distribution characteristics and the network layer fragment offset sequence characteristics, construct a traffic hierarchical structure representation diagram oriented towards session interaction mode.
[0016] Protocol stack deconstruction process peels off the protocol header layer by layer from the original network traffic bit stream to restore the complete Transmission Control Protocol data packet sequence. It also extracts the statistical characteristics of the transport layer payload and the sequence characteristics of the network layer fragmentation behavior from each data packet. Finally, the above features are organized into graph structure data according to the temporal logic of session interaction.
[0017] Step S121: Perform Ethernet frame start delimiter identification processing on the original network traffic bit stream, strip the frame header control information to obtain an Internet Protocol datagram set, and retain the original capture timestamp of each Internet Protocol datagram in the Internet Protocol datagram set.
[0018] Starting from the beginning of the original network traffic bitstream, a sliding scan is performed byte by byte, comparing the current byte with the standard bit pattern 0xD5 of the Ethernet frame start delimiter. When the sum of the bits in the XOR result is 0, the current position is determined to be the frame start boundary. Offset 14 bytes from the frame start boundary, skipping the destination MTAC address, source MTAC address, and Ethernet type field, and extract the value of the Ethernet type field. If the value of the Ethernet type field is equal to 0x0800, it indicates that the frame encapsulates an Internet Protocol (IP) datagram. All bytes from the 15th byte to the frame check sequence are extracted into an IP datagram. Each extracted IP datagram is bound to a timestamp of its original network traffic bitstream segment. All IP datagrams are arranged in ascending order of timestamp, forming an IP datagram set.
[0019] Step S122: Perform bit-by-bit parsing of the Internet Protocol header fields on the Internet Protocol datagram set, extract the fragment offset field value and fragment identifier field value of each Internet Protocol datagram, and generate Internet Protocol fragment offset sequence features. The elements in the Internet Protocol fragment offset sequence features are arranged in the order of the original capture timestamps.
[0020] For each Internet Protocol (IP) datagram in the set, parse the identifier field in bytes 4 and 5 of its header, and read the 16-bit unsigned integer value as the fragmentation identifier field value, denoted as u. Parse the flag bits and fragmentation offset field in bytes 6 and 7 of the header, and read the lower 13 bits as the fragmentation offset field value, denoted as v, with a unit of 8 bytes. Combine the u, v, and timestamp of each IP datagram into a triplet record. Arrange all triplet records in ascending order of timestamp to generate the IP fragmentation offset sequence feature.
[0021] Step S123: Perform Transmission Control Protocol (TCP) segment reassembly processing on the Internet Protocol (IP) datagram set. Concatenate the TCP segment data carried by the IP datagrams with consecutive fragment offset field values and the same fragment identifier field value in ascending order of fragment offset to obtain the TCP data packet sequence.
[0022] Construct a key-value mapping where the key is 'u' and the values are lists of Internet Protocol (IP) datagrams sorted by 'v'. Iterate through the set of IP datagrams, searching the mapping for each datagram using 'u' as the key. If the key does not exist, create a new list and add the current datagram to it; if the key already exists, insert the current datagram into the list at the corresponding position sorted by 'v' in ascending order. After insertion, check if the current list meets the reassembly criteria: the difference in 'v' between adjacent datagrams in the list is equal to the length of the previous datagram divided by 8, and the first datagram has a 'v' of 0. If the criteria are met, concatenate the Transmission Control Protocol (TCP) segment data of each datagram into a complete TCP data packet in ascending order of 'v', taking the minimum timestamp of each datagram as the timestamp of the TCP data packet. All reassembled TCP data packets are arranged in ascending order of timestamps, forming a TCP data packet sequence.
[0023] Step S124: Extract the frequency distribution features of the transport layer payload bytes for each transport control protocol data packet in the transport control protocol data packet sequence, count the number of times each byte value appears within the range of the transport layer payload according to the byte value, and construct a fixed-length transport layer payload byte frequency distribution feature vector.
[0024] For each Transmission Control Protocol (TCP) data packet in the sequence, locate the value of its TCP header length field, multiply it by 4 to obtain the TCP header byte length, denoted as 'a'. All bytes from the end of the TCP header to the end of the datagram indicated by the Internet Protocol Total Length field constitute the transport layer payload, denoted as 'B'. Create an integer array of length 256, denoted as 'C', where array index j corresponds to byte value j, with j ranging from 0 to 255, and each element initially set to 0. Iterate through each byte of B, read its value b, and execute C[b] = C[b] + 1. After iteration, convert C to a floating-point array and perform L1 normalization on C: for j from 0 to 255, D[j] = C[j] / (C[0] + C[1] + ... + C
[255] ). D is a 256-dimensional floating-point array, and the sum of all elements in D equals 1. D is the transport layer payload byte frequency distribution feature vector of this TCP data packet.
[0025] Step S125: Perform Transmission Control Protocol header control flag combination pattern recognition processing on each Transmission Control Protocol data packet in the Transmission Control Protocol data packet sequence, map the combination of synchronization flag status, acknowledgment flag status, and push flag status to connection state transition node type identifier, and generate connection state transition node sequence.
[0026] For each Transmission Control Protocol (TCP) data packet in the TCP packet sequence, parse the flag field of the 13th byte of the TCP header. Extract the first bit of the synchronization flag status, denoted as f1, with a value of 0 or 1. Extract the fourth bit of the acknowledgment flag status, denoted as f2, with a value of 0 or 1. Extract the third bit of the push flag status, denoted as f3, with a value of 0 or 1. There are 8 possible states for the three flag bits, with a preset state mapping table: when f1=1, f2=0, f3=0, it is mapped to type identifier Q1; when f1=1, f2=1, f3=0, it is mapped to type identifier Q2; when f1=0, f2=1, f3=1, it is mapped to type identifier Q3; when f1=0, f2=1, f3=0, it is mapped to type identifier Q4; when f1=0, f2=0, f3=0, it is mapped to type identifier Q5; when f1=1, f2=1, f3=1, it is mapped to type identifier Q6; when f1=0, f2=0, f3=1, it is mapped to type identifier Q7; when f1=1, f2=0, f3=1, it is mapped to type identifier Q8. The connection state transition node type identifiers obtained by mapping each transmission control protocol data packet are arranged in chronological order according to the timestamp of the data packet, forming a connection state transition node sequence.
[0027] Step S126: Based on the temporal relationship between the connection state transition node sequence and the transmission control protocol data packet sequence, construct a prototype session graph structure for session interaction mode. The node set of the prototype session graph structure is the type identifier of each connection state transition node in the connection state transition node sequence, and the edge set of the prototype session graph structure is the relationship formed by connecting adjacent connection state transition node type identifiers according to the order of the original capture timestamps of the transmission control protocol data packet sequence.
[0028] A set of nodes is created for the prototype session graph structure. Each connection state transition node type identifier in the connection state transition node sequence is treated as a graph node instance. Each graph node instance is assigned a unique node index i, which is assigned sequentially starting from 1. A set of edges is created for the prototype session graph structure. Starting from the first element of the connection state transition node sequence, directed edges are established from the node instance with index i to the node instance with index i+1, where i ranges from 1 to the sequence length minus 1. The direction of the directed edges is consistent with the direction of timestamp increment. The prototype session graph structure is stored using an adjacency list. Each entry in the adjacency list contains a list of source node indices and destination node indices.
[0029] Step S127: Use the transport layer payload byte frequency distribution feature vector to perform node attribute binding processing on each node in the prototype session graph structure, and associate the type identifier of each connection state transition node with the transport layer payload byte frequency distribution feature vector of the corresponding transmission control protocol data packet to obtain the attributed session graph structure.
[0030] For each graph node instance i in the prototype session graph structure, obtain its index position in the connection state transition node sequence. Based on this index position, retrieve the corresponding Transmission Control Protocol (TCP) data packet from the Transmission Control Protocol (TCP) data packet sequence, and then extract the 256-dimensional feature vector D of the data packet from the transport layer payload byte frequency distribution feature vector set generated in step S124. Bind D as an attribute value to the graph node instance i, and the binding data structure is a mapping table from node index to feature vector. After completing the binding of all node attributes, the prototype session graph structure is transformed into an attributed session graph structure.
[0031] Step S128: Perform edge weight quantization processing based on time interval on each edge in the attributed session graph structure, and take the absolute value of the difference between the original capture timestamps of the two transmission control protocol data packets corresponding to the type identifiers of the two adjacent connection state transition nodes as the weight value of the corresponding edge, so as to obtain a traffic hierarchical structure representation graph with edge weight attributes.
[0032] For each directed edge in the attributed session graph structure, the source node index is i, and the destination node index is i+1. Obtain the timestamp of the Transmission Control Protocol (TCP) data packet corresponding to source node i, denoted as p. Obtain the timestamp of the TCP data packet corresponding to destination node i+1, denoted as q. Calculate r = |qp|, in microseconds. Store r as the weight value of this directed edge in the edge weight mapping table. After assigning weights to all edges, the attributed session graph structure is transformed into a hierarchical traffic representation graph with edge weight attributes, denoted as G. G contains: a node feature matrix X, with a shape of N×256; an adjacency list A, recording the source and destination node indices of each edge; and an edge weight vector Y, with a length of M, where M is the total number of edges.
[0033] Step S130: Use a pre-built traffic pattern deep autoencoder reconstruction network to perform cross-protocol layer anomaly distillation on the traffic hierarchical structure representation map to generate a first anomaly distillation output and a second anomaly distillation output. The first anomaly distillation output reflects the reconstruction error tensor between the input traffic hierarchical structure representation map and the normal traffic baseline pattern, and the second anomaly distillation output reflects the response intensity distribution of the reconstruction error tensor at each layer of the protocol stack.
[0034] The traffic pattern deep autoencoder reconstruction network uses a sample set of traffic hierarchical structure representation graphs containing only normal traffic for self-supervised training during the training phase. Training samples are constructed from raw network traffic bitstreams collected during the historical normal operation of the target computer network, following the same processing procedure as step S120. During training, the input samples and the reconstruction target use the same traffic hierarchical structure representation graph. The network learns to encode the normal traffic graph structure into a low-dimensional latent space before accurately reconstructing it. When training converges, the network exhibits a small reconstruction error for normal traffic but a large reconstruction error for abnormal traffic deviating from the normal pattern.
[0035] The architecture of the traffic pattern deep autoencoder reconstructing network is as follows: The graph attention encoding module consists of three stacked graph attention layers, each with four attention heads. Each attention head outputs a dimension of 64. The outputs of each head are concatenated along the feature dimensions and linearly projected to obtain a 256-dimensional encoded node representation vector. The protocol layer skip connection module receives the encoded node representation vector and, based on the Internet Protocol header protocol fields and port numbers of each node's data packets, classifies the nodes into network layer node sets, transport layer node sets, or application layer node sets. The network layer and transport layer perform linear feature fusion through a cross-layer learnable weight matrix, and the transport layer and application layer also perform linear feature fusion through a cross-layer learnable weight matrix to generate a cross-layer fused representation vector. The gated loop decoding module consists of a single-layer gated loop unit with a hidden state dimension of 256. It expands step-by-step according to the node's time sequence. At each time step, the node representation vector is reconstructed based on the cross-layer fused representation vector of the previous node and the current hidden state.
[0036] Step S131: Input the traffic hierarchical structure representation graph into the graph attention encoding module of the traffic pattern deep autoencoder reconstruction network, and use the multi-layer graph attention mechanism to perform message passing aggregation processing on the set of adjacent nodes of each node in the traffic hierarchical structure representation graph to generate the encoded node representation vector of each node. The attention weight of each layer of the graph attention encoding module on the set of adjacent nodes is dynamically adjusted according to the similarity of the transport layer payload byte frequency distribution feature vector of the adjacent nodes.
[0037] The node feature matrix X and adjacency list A of G are fed into the first layer of the graph attention encoding module. For node i, let its set of neighboring nodes be U. For each neighboring node j belonging to U, calculate eij = LeakyReLU(z·(M·Xi||M·Xj)), where z is the learnable attention weight vector, M is the learnable linear transformation matrix, Xi is the feature vector of node i, Xj is the feature vector of node j, || represents feature dimension concatenation, and · represents dot product. Softmax normalize the eij of all neighboring nodes of node i: aij = exp(eij) / sum_{k belongs to U}exp(eik). Calculate the neighborhood aggregation vector of node i: Xi' = ReLU(sum_{j belongs to U}aij*M*Xj+M*Xi), where * represents matrix multiplication. The processing flow of the second and third layers of the graph attention layer is the same, with the input being the output of the previous layer, and each layer has independent learnable parameters. The 256-dimensional vector output from the third layer is the encoded node representation vector of node i, denoted as Hi.
[0038] Step S132: Input the encoded node representation vector into the protocol layer jump connection module of the traffic pattern deep autoencoder reconstructed network. According to the protocol layer to which each node belongs, the encoded node representation vector is divided into a network layer node representation vector set, a transport layer node representation vector set, and an application layer node representation vector set. Perform cross-layer concatenation fusion processing on the network layer node representation vector set and the transport layer node representation vector set, and perform cross-layer concatenation fusion processing on the transport layer node representation vector set and the application layer node representation vector set to generate cross-layer fused representation vectors for each node.
[0039] For each node i, the protocol layer affiliation is determined based on the destination port number of its corresponding Transmission Control Protocol (TCP) data packet. Nodes whose destination port numbers belong to the network layer protocol port range are assigned to set V1; nodes whose destination port numbers belong to the transport layer protocol port range are assigned to set V2; and nodes whose destination port numbers belong to the application layer protocol port range are assigned to set V3.
[0040] Calculate the mean vector of V2, denoted as n2 for the number of nodes in V2, and H2m = (Hk1 + Hk2 + ... + Hkn2) / n2, where k1, k2, ..., kn2 are the indices of each node in V2, and addition is performed element-wise. For each node i in V1, calculate Hf(i) = ReLU(P1*Hi + Q1*H2m). For each node i in V2, calculate Hf(i) = ReLU(P2*Hi + Q2*Hi). For each node i in V3, calculate Hf(i) = ReLU(P3*H2m + Q3*Hi). Here, P1, Q1, P2, Q2, P3, and Q3 are all learnable weight matrices with a shape of 256 × 256. Hf(i) is the cross-layer fusion representation vector of node i, with a dimension of 256.
[0041] Step S133: Input the cross-layer fusion representation vector into the gated loop decoding module of the traffic pattern deep autoencoder reconstruction network. The gated loop decoding module performs time-step expansion reconstruction according to the original order of each node in the traffic hierarchical structure representation graph. Each time step generates the reconstructed node representation vector of the current node based on the cross-layer fusion representation vector of the previous node and the hidden state of the gated loop unit of the current time step.
[0042] The gated loop decoding module initializes the hidden state K0 as a zero vector. Following the node indices from 1 to N in the hierarchical flow representation graph, at the i-th time step, the gated loop unit receives Hf(i) as input, combines it with the hidden state K(i-1), and calculates Z(i) = sigmoid(Wz*Hf(i) + Uz*K(i-1)) and R(i) = sigmoid(Wr*Hf(i) + Ur*K(i-1)). The candidate hidden state Kc(i) = tanh(Wh*Hf(i) + Uh*(R(i)⊙K(i-1))), where ⊙ represents element-wise multiplication. The current hidden state K(i) = Z(i)⊙K(i-1) + (1-Z(i))⊙Kc(i). K(i) is mapped through the fully connected output layer to obtain the reconstructed node representation vector J(i) = Wo*K(i). Wo is a learnable weight matrix with a shape of 256×256. Wz, Uz, Wr, Ur, Wh, Uh, and Wo are all learnable weight matrices.
[0043] Step S134: Perform element-wise difference operations on the reconstructed node representation vector of each node and the coded node representation vector of the corresponding node to obtain the reconstruction error vector of each node. Stack the reconstruction error vectors of all nodes in the traffic hierarchical structure representation diagram into tensors according to the node index to generate a reconstruction error tensor as the first anomaly feature distillation output.
[0044] For each node index i, calculate E(i) = Hi - J(i), where the minus sign represents element-wise subtraction. E(i) has 256 dimensions. Stack all E(i) values from 1 to N along the 0th dimension in node index order to obtain a reconstruction error tensor of shape N×256, denoted as F. The element at position (i, j) in F represents the reconstruction deviation of node i in the j-th feature dimension. F is output as the first anomaly feature distillation.
[0045] Step S135: Perform protocol-level abnormal response intensity mapping processing on the reconstruction error tensor. According to the hierarchical relationship of network layer, transport layer and application layer, the average length of the reconstruction error vector of all nodes belonging to the same protocol layer is calculated to obtain the abnormal response intensity value of each protocol layer.
[0046] Based on the protocol layer affiliation of each node determined in step S132, the reconstruction error vector E(i) of each node in F is grouped into V1, V2, and V3. For each E(i) within group V1, its L2 norm is calculated: s(i) = sqrt(E(i, 1)^2 + E(i, 2)^2 + ... + E(i, 256)^2). Let c1 be the number of nodes in V1, and calculate S1 = (s(i1) + s(i2) + ... + s(ic1)) / c1, where i1, i2, ..., ic1 are the indices of each node in V1. Let c2 be the number of nodes in V2, and calculate S2 = (s(j1) + s(j2) + ... + s(jc2)) / c2, where j1, j2, ..., jc2 are the indices of each node in V2. Let c3 be the number of nodes in V3. Calculate S3 = (s(k1) + s(k2) + ... + s(kc3)) / c3, where k1, k2, ..., kc3 are the indices of each node in V3. If a protocol layer group is empty, the abnormal response strength value of that layer is set to 0.
[0047] Step S136: Arrange the abnormal response intensity values of each protocol layer along the protocol stack depth direction to generate a response intensity distribution that reflects the distribution of abnormal response intensity at each layer of the protocol stack as the second abnormal feature distillation output.
[0048] Construct a one-dimensional array S=[S1, S2, S3] of length 3, where index 0 corresponds to the network layer, index 1 corresponds to the transport layer, and index 2 corresponds to the application layer. S is the response intensity distribution, which is used as the output of the second anomaly feature distillation.
[0049] Step S137: Construct cross-protocol layer distillation loss constraints based on the first and second anomaly feature distillation outputs, wherein the distillation objective function includes a first loss term and a second loss term, the first loss term being the Frobenius norm of the reconstruction error tensor, and the second loss term being the sum of the absolute differences between the anomaly response intensity values of adjacent protocol layers in the response intensity distribution. Perform gradient backpropagation optimization on the network parameters of the traffic pattern deep autoencoder reconstruction network to minimize the distillation objective function.
[0050] L1=sqrt(F(1,1)^2+F(1,2)^2+...+F(1,256)^2+F(2,1)^2+...+F(N,256)^2).
[0051] L2 = |S1 - S2| + |S2 - S3|.
[0052] L = L1 + λ × L2, where λ is a preset weight hyperparameter.
[0053] After each forward propagation to obtain L, the gradients of L with respect to all learnable parameters in the traffic pattern deep autoencoder are calculated using automatic differentiation. The parameters are then updated using the Adam optimizer with a learning rate η. The attention weight matrix of the attention encoding module, the cross-layer cascaded fusion weight matrix of the protocol layer skip connection module, the gated recurrent unit weight matrix of the gated recurrent decoding module, and the weight matrix of the fully connected output layer all participate in gradient updates. Iterative training is performed on normal traffic samples until L converges.
[0054] Step S140: Perform multi-dimensional abnormal signal collaborative tracing processing based on the first abnormal feature distillation output and the second abnormal feature distillation output to determine the communication connection session identifier with abnormal traffic behavior in the target computer network and the abnormal source protocol layer location corresponding to the communication connection session identifier.
[0055] Multidimensional anomaly signal collaborative tracing processing combines the anomaly degree of each node in the reconstructed error tensor with the hierarchical anomaly response in the response intensity distribution, tracing back from the node-level location of the anomaly to the session-level boundary, and determining which layer of the protocol stack the anomaly first appeared at.
[0056] Step S141: Perform node dimension anomaly saliency sorting processing on the reconstruction error tensor in the first abnormal feature distillation output, calculate the reconstruction error vector magnitude of each node in the reconstruction error tensor, arrange the nodes in descending order of reconstruction error vector magnitude, and generate an abnormal node priority sorting list.
[0057] For each node index i in F, calculate its L2 norm s(i) = sqrt(E(i, 1)^2 + E(i, 2)^2 + ... + E(i, 256)^2). Construct a list of pairs of nodes i and their corresponding s(i), and sort this list in descending order using heap sort as the sorting key. After sorting in descending order, extract the node indices from each pair and construct an exception node priority sorting list Lpri in order.
[0058] Step S142: Based on the priority sorting list of abnormal nodes, extract the nodes whose reconstruction error vector magnitude exceeds the dynamic anomaly determination threshold as a set of candidate abnormal nodes. The dynamic anomaly determination threshold is adaptively determined based on the weighted result of the median of the reconstruction error vector magnitude of all nodes in the reconstruction error tensor and the absolute deviation of the median.
[0059] Take the median of the set of s(i) values for all nodes, denoted as m. For each s(i), calculate |s(i)-m|, and take the median of all these absolute deviations, denoted as d. The dynamic anomaly detection threshold T = m + c × d, where c is a preset positive real constant. Traverse all nodes and extract the nodes that satisfy s(i) > T, adding them to the candidate anomaly node set C.
[0060] Step S143: For each candidate abnormal node in the candidate abnormal node set, perform time-based reverse tracing path search processing in the traffic hierarchical structure representation graph. Starting from the candidate abnormal node, trace back hop by hop along the edge defined by the time sequence between nodes in the traffic hierarchical structure representation graph to the adjacent node with an earlier time until the session start node is reached. Record all the nodes passed through on the backtracking path as the abnormal propagation chain.
[0061] For each candidate anomalous node in C, locate its adjacency list entry in G. Using this candidate anomalous node as the current node, search the adjacency list for all incoming edges pointing to the current node; that is, search for all directed edges with the current node as the destination node. For the source node of each incoming edge, compare the source node's timestamp with the current node's timestamp, retaining the source node with an earlier timestamp as the backtracking predecessor node. If multiple backtracking predecessor nodes exist, select the source node of the edge with the smallest edge weight r as the previous hop node on the backtracking path. Update the current node to this previous hop node, and repeat the above backtracking process until the current node no longer has a backtracking predecessor node with an earlier timestamp. At this point, the current node is the session start node. Arrange the indices of all nodes traversed sequentially during the backtracking process in order from the session start node to the candidate anomalous node, forming the anomalous propagation chain of the candidate anomalous node. The anomalous propagation chain records the complete propagation path of anomalous traffic behavior from its inception to the anomalous outbreak point in the session graph structure.
[0062] Step S144: Extract the transport layer payload byte frequency distribution feature vector bound to each path node in the abnormal propagation chain, merge adjacent path nodes whose vector cosine similarity between the transport layer payload byte frequency distribution feature vectors exceeds the similarity threshold, obtain the abnormal communication connection session segment, and generate a communication connection session identifier based on the source Internet Protocol address and destination Internet Protocol address of the starting path node of the abnormal communication connection session segment.
[0063] For each node i in the anomaly propagation chain, extract the 256-dimensional transport layer payload byte frequency distribution feature vector D(i) from the node feature matrix X of G. For each pair of adjacent nodes i and i+1 in the anomaly propagation chain, calculate the cosine similarity of their feature vectors: cos(i, i+1) = (D(i)·D(i+1)) / (|D(i)|×|D(i+1)|), where · represents the vector dot product and |D| represents the vector L2 norm. If cos(i, i+1) exceeds the preset similarity threshold τ, then nodes i and i+1 are merged into the same anomalous communication connection session segment; if cos(i, i+1) does not exceed τ, then the anomaly propagation chain is divided into different anomalous communication connection session segments using that position as the dividing point. For each abnormal communication connection session segment, extract the source Internet Protocol (IP) address and destination Internet Protocol (IP) address of the Transmission Control Protocol (TCP) data packet corresponding to the node through which it originates. Combine the source IP address and destination IP address with the start and end timestamps of the abnormal communication connection session segment to generate a Communication Connection Session Identifier (CID).
[0064] Step S145: Associate the abnormal response intensity values of each protocol level in the response intensity distribution of the second abnormal feature distillation output with the protocol level to which each candidate abnormal node in the candidate abnormal node set belongs in the traffic hierarchical structure representation diagram, and determine the protocol level with the largest abnormal response intensity value as the abnormal source protocol level.
[0065] For each candidate anomalous node in C, determine its protocol layer affiliation in G. The affiliation information comes from the partitioning results of V1, V2, and V3 in step S132. Count the number of nodes belonging to V1 (c1), V2 (c2), and V3 (c3) in C. Calculate the weighted anomalous response intensity for each protocol layer: S1w = S1 × c1, S2w = S2 × c2, S3w = S3 × c3. Compare the values of S1w, S2w, and S3w, and take the protocol layer corresponding to the maximum value as the location of the anomalous source protocol layer. If the maximum value is S1w, the anomalous source protocol layer is the network layer; if the maximum value is S2w, the anomalous source protocol layer is the transport layer; if the maximum value is S3w, the anomalous source protocol layer is the application layer.
[0066] Step S146: Pair and bind the communication connection session identifier with the location of the abnormal source protocol layer to generate a set of abnormal source tracing pairing results containing one-to-one correspondence.
[0067] Each CID is paired with its corresponding anomaly source protocol layer location to form a pair record. All paired records constitute the anomaly tracing pairing result set R. Each element in R is a tuple (CID, Lsrc), where Lsrc can be a value from the network layer, transport layer, or application layer.
[0068] Step S150: Generate a network security handling instruction containing traffic blocking policy parameters based on the communication connection session identifier and the location of the abnormal source protocol layer, and send the network security handling instruction to the target network traffic management device to trigger abnormal traffic isolation operation.
[0069] The network security response instruction generation step transforms the session identifiers and abnormal source information obtained from tracing into blocking policies that can be parsed and executed by the target network traffic control device.
[0070] Step S151: Extract the source Internet Protocol address, destination Internet Protocol address, source transport layer port identifier, and destination transport layer port identifier of the corresponding communication connection session from the original network traffic bit stream according to the communication connection session identifier, and generate a communication connection session quadruple identifier.
[0071] From the abnormal communication connection session segment corresponding to the CID, extract the source Internet Protocol address, destination Internet Protocol address, source transport layer port identifier, and destination transport layer port identifier of the Transmission Control Protocol data packet corresponding to the starting node. Combine the four fields into a quadruple identifier T4=(sip, dip, sport, dport).
[0072] Step S152: Determine the action level type of the blocking operation based on the location of the abnormal source protocol layer. When the abnormal source protocol layer is at the application layer, generate application layer request reset blocking policy parameters. When the abnormal source protocol layer is at the transport layer, generate transport layer connection reset blocking policy parameters. When the abnormal source protocol layer is at the network layer, generate network layer traffic filtering blocking policy parameters.
[0073] If Lsrc is at the application layer, it generates a blocking policy parameter Btype=RST_APP, instructing the target network traffic control device to send a forged HTTP 403 response or TLSalert reset message to both communicating parties to interrupt the application layer session. If Lsrc is at the transport layer, it generates a blocking policy parameter Btype=RST_TRANS, instructing the target network traffic control device to send a forged TCPRST packet to both communicating parties to interrupt the transport layer connection. If Lsrc is at the network layer, it generates a blocking policy parameter Btype=DROP_NET, instructing the target network traffic control device to directly discard all Internet Protocol (IP) packets matching the T4 tuple at the routing and forwarding plane.
[0074] Step S153: Combine and encapsulate the communication connection session quadruple identifier with the blocking operation's level type to generate a traffic blocking policy parameter set containing quadruple filtering rules and blocking level indicators.
[0075] T4 and Btype are combined and encapsulated into a traffic blocking policy parameter set Pblock={sip, dip, sport, dport, Btype}.
[0076] Step S154: Embed the traffic blocking policy parameter set into a preset network security device control instruction template to generate a network security handling instruction that conforms to the parsing format of the target network traffic management device.
[0077] Fill the values of each field in Pblock into the control command template corresponding to the target network traffic management device model. The command template adopts the application programming interface request format defined by the target device manufacturer, and includes authentication token field, command type field, and parameter field. After filling, a complete network security handling command (CMD) is generated.
[0078] Step S155: The network security handling instruction is sent to the target network traffic management device connected to the target computer network through the Secure Shell Protocol tunnel, so as to trigger the target network traffic management device to perform the blocking operation indicated by the corresponding blocking level indicator on the communication connection session identified by the communication connection session quadruple identifier, thereby realizing the isolation of abnormal traffic.
[0079] A secure tunnel is established via the Secure Shell protocol to connect to the management interface of the target network traffic control device. The Command Message (CMD) is sent as a Secure Shell protocol data packet payload. Upon receiving the CMD, the target network traffic control device parses the instruction content, extracts the T4 and Btype, installs matching rules in its flow table, and executes the blocking action corresponding to the Btype for subsequent matching traffic, thus isolating abnormal traffic.
[0080] Step S210: Perform adversarial training on the traffic pattern deep autoencoder reconstruction network based on traffic graph structure perturbation enhancement. Input the traffic samples marked as normal in the original network traffic bitstream into the traffic pattern deep autoencoder reconstruction network to generate a hierarchical structure representation map of normal traffic.
[0081] From the traffic samples that have been labeled as normal, construct the hierarchical structure representation map Gnorm of normal traffic according to the processing flow from steps S110 to S128.
[0082] Step S220: Apply a graph structure perturbation operation with a preset perturbation amplitude to the edge set of the normal flow hierarchical structure representation graph, randomly delete a preset proportion of existing edge connections, and at the same time randomly add a preset proportion of new edge connections to obtain a perturbation-enhanced flow hierarchical structure representation graph.
[0083] For the edge set E of Gnorm, a random proportion γ of existing edges are deleted, where γ is a preset perturbation magnitude. Simultaneously, the same number of unconnected node pairs are randomly selected, and directed edges are added between them. The weight of the new edges is the average of the weights of all edges in E. The resulting perturbation-enhanced hierarchical flow representation graph, Gpert, is obtained.
[0084] Step S230: Input the perturbation-enhanced traffic hierarchical structure representation graph into the traffic pattern deep autoencoder reconstruction network, and generate the perturbation-enhanced reconstruction output after processing by the graph attention encoding module, the protocol layer jump connection module and the gated loop decoding module.
[0085] The Gpert input flow pattern deep autoencoder reconstruction network is processed according to steps S131 to S134 to obtain the perturbation-enhanced reconstruction error tensor Fpert.
[0086] Step S240: Calculate the difference between the overall graph representation corresponding to the perturbation enhancement reconstruction output and the overall graph representation corresponding to the normal flow hierarchical structure representation graph, and construct an adversarial training loss function based on the difference.
[0087] The overall graph representation of Gnorm is calculated as follows: The average of the reconstruction error vectors of all nodes in Fnorm is calculated along the node dimension, resulting in a 256-dimensional vector Rnorm. The overall graph representation of Gpert is calculated as follows: The average of the reconstruction error vectors of all nodes in Fpert is calculated along the node dimension, resulting in a 256-dimensional vector Rpert. The adversarial training loss function Ladv = |Rnorm - Rpert|, which is the L2 distance between Rnorm and Rpert.
[0088] Step S250: Perform weighted summation and joint optimization on the adversarial training loss function and the cross-protocol layer distillation loss constraint, and update the attention weight matrix of the graph attention encoding module, the cross-layer cascaded fusion weight matrix of the protocol layer skip connection module, and the gated recurrent unit weight matrix of the gated recurrent decoding module in the traffic pattern deep autoencoder reconstruction network through gradient backpropagation.
[0089] The total loss Ltotal = L + β × Ladv, where β is the preset adversarial loss weight. The gradient of Ltotal with respect to all learnable parameters is calculated by automatic differentiation, and the parameters are updated using the Adam optimizer. The updated parameters include the attention weight vector z and linear transformation matrix M in the graph attention encoding module, the cross-layer cascaded fusion weight matrices P1, Q1, P2, Q2, P3, Q3 in the protocol layer skip connection module, and the gated recurrent unit weight matrices Wz, Uz, Wr, Ur, Wh, Uh and the fully connected output layer weight matrix Wo in the gated recurrent decoding module.
[0090] Step S260: After the weighted summation joint optimization process converges iteratively, a traffic pattern deep autoencoder reconstruction network with anti-graph structure disturbance capability is obtained. This network is used to generate stable first and second anomalous feature distillation outputs even when the original network traffic bit stream has packet loss or packet out-of-order delivery.
[0091] When the change in Ltotal over multiple consecutive training epochs is less than the preset convergence threshold, iterative convergence is determined. All weight parameters of the traffic pattern deep autoencoder reconstruction network at this point are saved; this traffic pattern deep autoencoder reconstruction network is the version with resistance to graph structure perturbations.
[0092] Step S310: After performing multi-dimensional abnormal signal collaborative tracing processing based on the first abnormal feature distillation output and the second abnormal feature distillation output to determine the communication connection session identifier with abnormal traffic behavior in the target computer network and the abnormal source protocol layer position corresponding to the communication connection session identifier, perform abnormal root cause deep localization processing based on fine-grained parsing of protocol fields on the abnormal source protocol layer position.
[0093] After R is output in step S140, anomaly root cause deep localization processing is performed to further determine the specific attack type of the anomaly at the protocol field level.
[0094] Step S320: Based on the protocol field structure definition specification of the protocol layer corresponding to the location of the anomaly source protocol layer, extract the original protocol field bit sequence of each path node belonging to the protocol layer from the anomaly propagation chain, and use it as the input feature sequence for anomaly root cause analysis.
[0095] The target protocol layer is determined based on Lsrc. If Lsrc is the network layer, the original bit sequence of the Internet Protocol header of each node in V1 of the anomaly propagation chain is extracted. If Lsrc is the transport layer, the original bit sequence of the Transmission Control Protocol header of each node in V2 is extracted. If Lsrc is the application layer, the original bit sequence of the transport layer payload of each node in V3 is extracted. The extracted original protocol field bit sequences of each node are arranged in the node order of the anomaly propagation chain to form the input feature sequence for anomaly root cause analysis.
[0096] Step S330: Input the anomaly root cause analysis input feature sequence into a pre-built protocol field anomaly pattern matching engine. The protocol field anomaly pattern matching engine stores a set of feature signatures of known network attack patterns. Perform regular expression matching processing on the anomaly root cause analysis input feature sequence and each feature signature in the set of feature signatures of known network attack patterns in turn to generate a matching result set. Each matching result in the matching result set contains a successfully matched attack pattern identifier and a corresponding matching confidence value.
[0097] The protocol field anomaly pattern matching engine stores a set of signature features for known network attack patterns. Each signature contains a regular expression pattern and a corresponding attack pattern identifier. The anomaly root cause analysis input feature sequence is converted into a hexadecimal string, and each regular expression signature is used to match this string sequentially. The matching result includes whether a match was successful and the ratio of the length of the matched substring to the total length of the feature sequence; this ratio is used as the match confidence value (conf). All matching results constitute the matching result set.
[0098] Step S340: Sort all matching results in the matching result set from largest to smallest according to the matching confidence value, and extract the attack mode identifier corresponding to the matching result with the largest matching confidence value as the anomaly root cause category.
[0099] Sort the matching result set in descending order of conf, and take the attack mode identifier of the first element in the sorted list as the anomaly root cause category Atype.
[0100] Step S350: Bind the anomaly root cause category to the communication connection session identifier and the anomaly source protocol layer location using a triplet to generate an anomaly tracing report containing the anomaly root cause category field.
[0101] The Atype, CID, and Lsrc triplets are bound together to form an anomaly tracing report. The report includes three fields: communication connection session identifier, anomaly source protocol layer location, and anomaly root cause category.
[0102] Step S410: After obtaining the raw network traffic bit stream captured by the traffic acquisition probe in the target computer network, the raw network traffic bit stream is subjected to aggregation and grouping processing based on session connection granularity. According to the conditions of the same source Internet Protocol address, the same destination Internet Protocol address, the same source transport layer port identifier, and the same destination transport layer port identifier, each transport control protocol data packet in the transport control protocol data packet sequence is divided into different communication connection session packets.
[0103] From the reconstructed Transmission Control Protocol (TCP) packet sequence in the original network traffic bitstream, extract the source Internet Protocol address (IP) field, destination IP address field, source transport layer port identifier (TLI) field, and destination TLI port identifier field for each TCP packet, forming a quadruple (sip, dip, sport, dport). Construct a key-value map where the key is the aforementioned quadruple and the value is a list of TCP packets. Traverse the TCP packet sequence, searching the map for each packet using its quadruple as the key. If the key already exists, append the packet to the end of the corresponding list; otherwise, create a new list with the packet as the first element. After traversal, the list corresponding to each key in the key-value map represents a communication connection session packet, and all communication connection session packets constitute a set Z.
[0104] Step S420: Sort the Transmission Control Protocol (TCP) data packets within each communication connection session packet in ascending order according to the TCP sequence number to obtain an ordered sequence of data packets for each communication connection session.
[0105] For each communication connection session group in Z, extract the Transmission Control Protocol (TCP) sequence number (seq) field value of each TCP data packet within the group. Using seq as the sorting key, perform ascending sorting on all data packets within the group, employing a merge sort algorithm. After sorting, data packets within the same group are arranged in ascending order of seq, with the difference between adjacent seq values reflecting the continuity of data packet transmission order. Store the sorted results of all groups as an ordered data packet sequence set.
[0106] Step S430: Perform session-level statistical feature extraction processing on the ordered data packet sequence, extracting session duration, total number of data packets in the session, total number of payload bytes in the session, and average data packet arrival interval in the session. Standardize each feature to eliminate differences in units and numerical ranges, and concatenate the standardized feature values into a session-level statistical feature vector.
[0107] For each communication connection session's ordered data packet sequence, the following statistical characteristics are extracted: Session duration, denoted as t1, where t1 = t_last - t_first, and t_last is the timestamp of the last data packet and t_first is the timestamp of the first data packet, measured in microseconds. Total number of data packets in the session, denoted as n1, where n1 is the length of the ordered data packet sequence, measured in units. Total number of payload bytes in the session, denoted as b1, where b1 is the sum of the lengths of the transport layer payload bytes of each data packet in the ordered data packet sequence, measured in bytes. Average data packet arrival interval in the session, denoted as t2, where t2 = t1 / (n1-1) when n1 > 1, and t2 = 0 when n1 = 1, measured in microseconds.
[0108] The four features t1, n1, b1, and t2 mentioned above have different dimensions and need to be standardized. Calculate the mean μt1 and standard deviation σt1 of t1 across all communication connection sessions. After standardization, t1' = (t1 - μt1) / σt1. Calculate the mean μn1 and standard deviation σn1 of n1. After standardization, n1' = (n1 - μn1) / σn1. Calculate the mean μb1 and standard deviation σb1 of b1. After standardization, b1' = (b1 - μb1) / σb1. Calculate the mean μt2 and standard deviation σt2 of t2. After standardization, t2' = (t2 - μt2) / σt2. Concatenate the four standardized feature values along the feature dimensions to obtain a 4-dimensional session-level statistical feature vector Vstat = [t1', n1', b1', t2'].
[0109] The four features t1, n1, b1, and t2 mentioned above have different dimensions and need to be standardized. Calculate the mean μ_t1 and standard deviation σ_t1 of t1 across all communication connection sessions. After standardization, t1' = (t1 - μ_t1) / σ_t1. Similarly, calculate the mean μ_n1 and standard deviation σ_n1 of n1, n1' = (n1 - μ_n1) / σ_n1. Calculate the mean μ_b1 and standard deviation σ_b1 of b1, b1' = (b1 - μ_b1) / σ_b1. Calculate the mean μ_t2 and standard deviation σ_t2 of t2, t2' = (t2 - μ_t2) / σ_t2. Concatenate the four standardized feature values along the feature dimensions to obtain a 4-dimensional session-level statistical feature vector Vstat = [t1', n1', b1', t2'].
[0110] Step S440: The session-level statistical feature vector is used as the global graph-level attribute vector of the traffic hierarchical structure representation graph. The global graph-level attribute vector is connected to the type identifier of all connection state transition nodes in the traffic hierarchical structure representation graph in the form of additional nodes. This is used to participate in the dynamic adjustment of attention weights as global context information of each adjacent node when the graph attention encoding module of the traffic pattern deep autoencoder reconstruction network performs message passing aggregation processing.
[0111] A new global context node is added to the traffic hierarchical structure representation graph G, with its node index set to 0. The feature vector of this global context node is assigned the value Vstat. For each existing node i in G, i ranging from 1 to N, a new directed edge is added from global context node 0 to node i, with the edge weight set to the average of all existing edge weights. Simultaneously, a new directed edge is added from node i to global context node 0, with its weight also set to the average. In the message passing aggregation processing of the graph attention encoding module in step S131, global context node 0 participates in the neighborhood aggregation of each node i, and the set U of neighboring nodes of node i is expanded to include the original neighboring nodes plus node 0. The feature vector Vstat of node 0 is incorporated into the attention weight calculation as global context information, enabling node i to perceive the overall statistical characteristics of its communication connection session.
[0112] Step S510: After obtaining the transport layer payload byte frequency distribution characteristics and network layer fragment offset sequence characteristics of each transport control protocol data packet in the transport control protocol data packet sequence, perform time-series evolution pattern extraction processing on the transport layer payload byte frequency distribution feature vectors of adjacent transport control protocol data packets, calculate the element-wise difference between the transport layer payload byte frequency distribution feature vectors of adjacent transport control protocol data packets, and obtain the payload byte frequency distribution time-series difference sequence.
[0113] From the Transmission Control Protocol (TCP) data packet sequence, extract the transport layer payload byte frequency distribution feature vectors D(i) and D(i+1) corresponding to two adjacent TCP data packets in chronological order, where i ranges from 1 to the total number of TCP data packets minus 1. Calculate the element-wise difference vector Δ(i) = D(i+1) - D(i), where the minus sign indicates element-wise subtraction. Δ(i) has a 256-dimensional dimension, and each element represents the change in the frequency of the corresponding byte value between adjacent data packets. Arrange all Δ(i) corresponding to i in chronological order to form the payload byte frequency distribution temporal difference sequence {Δ(1), Δ(2), ..., Δ(K)}, where K is the total number of TCP data packets minus 1.
[0114] Step S520: Perform segmented aggregation approximation processing on the time-series difference sequence of payload byte frequency distribution, divide the time-series difference sequence of payload byte frequency distribution into equal time window segments, calculate the average value vector of the time-series difference sequence of payload byte frequency distribution within each time window segment, and obtain the segmented aggregation approximation feature sequence.
[0115] The {Δ(1), Δ(2), ..., Δ(K)} is divided into W consecutive non-overlapping time windows, each containing m Δ vectors, where m = floor(K / W). For the w-th time window, where w ranges from 1 to W, the element-wise average vector of all Δ vectors within the window is calculated: Δavg(w) = (Δ((w-1)×m+1) + Δ((w-1)×m+2) + ... + Δ(w×m)) / m, where the addition is element-wise. Δavg(w) has a dimension of 256. All W Δavg(w) are arranged in w order, forming a segmented aggregated approximate feature sequence {Δavg(1), Δavg(2), ..., Δavg(W)}.
[0116] Step S530: Discretize and encode the sign change pattern of the average value vector of each time window segment in the segmented aggregated approximate feature sequence, map the positive sign change to the first encoding value, the negative sign change to the second encoding value, and the zero sign change to the third encoding value to generate a time-series pattern encoding sequence.
[0117] For each 256-dimensional vector of Δavg(w) in the segmented aggregated approximate feature sequence, extract the sign of each element. Define the sign function sign(x): when x is greater than 0, sign(x) = +1; when x is less than 0, sign(x) = -1; when x is equal to 0, sign(x) = 0. Perform majority voting on the signs of each dimension of Δavg(w), and take the sign that appears most frequently in the 256 dimensions as the overall sign s(w) of Δavg(w), where s(w) takes the value of +1, -1, or 0. Map s(w) to discrete codes: if s(w) = +1, the code is c1; if s(w) = -1, the code is c2; if s(w) = 0, the code is c3. Arrange the code values in the order of w from 1 to W to generate the temporal pattern code sequence {code(1), code(2), ..., code(W)}, where each code(w) takes the value of c1, c2, or c3.
[0118] Step S540: The temporal pattern encoding sequence is attached as an edge attribute between nodes to the edge connecting the adjacent connection state transition node type identifier in the traffic hierarchy structure representation graph, thereby generating an enhanced traffic hierarchy structure representation graph with temporal evolution edge attributes.
[0119] In the traffic hierarchy representation graph G, for each directed edge e(i, i+1) with the adjacent connection state transition node type identifier, the encoded value code(i) at the corresponding index position is extracted from the temporal pattern encoding sequence and appended as the temporal evolution attribute of edge e(i, i+1). If i exceeds the length of the temporal pattern encoding sequence, the last encoded value is used to fill it. After appending the attributes to all edges, G is transformed into an enhanced traffic hierarchy representation graph G' with temporal evolution edge attributes. Each edge in G' has both an edge weight attribute r and a temporal evolution attribute code, where r reflects the transmission time interval and code reflects the changing direction trend of the transport layer payload byte distribution.
[0120] For example, the method may further include: step S610: while performing cross-protocol layer anomaly distillation on the traffic hierarchical structure representation map using the pre-built traffic pattern deep autoencoder reconstruction network to generate a first anomaly distillation output and a second anomaly distillation output, the traffic hierarchical structure representation map is input in parallel into the pre-built traffic pattern prediction network, wherein the traffic pattern prediction network and the traffic pattern deep autoencoder reconstruction network share the parameters of the graph attention encoding module.
[0121] A traffic pattern prediction network is constructed, which shares the same graph attention encoding module with the traffic pattern deep autoencoder reconstruction network. Specifically, the three graph attention layers and their learnable parameters z and M in step S131 are shared by both networks. A separate part of the traffic pattern prediction network is a stacked gated recurrent unit (GRU) sequence prediction module, consisting of two stacked GRU layers. Each layer has a hidden state dimension of 256. The output of the first GRU layer serves as the input to the second GRU layer. The output of the second GRU layer is mapped to an 8-dimensional array via a fully connected classification layer. The 8 dimensions correspond to eight connection state transition node type identifiers Q1 to Q8. A softmax activation function is used to output the predicted probability for each type.
[0122] Step S620: Using the gated cyclic unit sequence prediction module stacked in the traffic pattern prediction network, perform sequence prediction processing on the next connection state transition node type identifier of each node in the traffic hierarchical structure representation diagram to generate a predicted connection state transition node sequence.
[0123] The node representation vectors Hi, output by the graph attention encoding module in step S131, are arranged in node index order and input into the stacked gated recurrent unit sequence prediction module. The first-layer gated recurrent unit is expanded step by step. At each time step, it receives Hi and the previous hidden state and outputs the first-layer hidden state. The second-layer gated recurrent unit receives the hidden state sequence of the first layer, processes it in the same way, and outputs the second-layer hidden state. The hidden state of each time step in the second layer is processed by a fully connected classification layer and a softmax activation function, and outputs an 8-dimensional probability distribution vector Pi. The category corresponding to the maximum probability in Pi is taken as the predicted value of the next connection state transition node type identifier of node i, denoted as Qpred(i). All Qpred(i) corresponding to i are arranged in order to form the predicted connection state transition node sequence {Qpred(1), Qpred(2), ..., Qpred(N)}.
[0124] Step S630: Compare the predicted connection state transition node sequence with the actual connection state transition node sequence in the traffic hierarchy structure representation diagram node by node, and calculate the prediction deviation. The prediction deviation is the ratio of the number of nodes whose predicted connection state transition node type identifier is inconsistent with the actual connection state transition node type identifier to the total number of nodes.
[0125] Extract the actual connection state transition node sequence {Qreal(1), Qreal(2), ..., Qreal(N)} from G. For each node index i, compare Qpred(i) with Qreal(i) to see if they are equal. Count the number of nodes that are not equal, denoted as Ndiff. The prediction bias δ = Ndiff / N, where N is the total number of nodes.
[0126] Step S640: Normalize the average magnitude of the reconstruction error vector of all nodes in the prediction deviation and the reconstruction error tensor respectively, then multiply the normalized prediction deviation by a preset prediction deviation weight coefficient, add the average magnitude of the normalized reconstruction error vector by a preset reconstruction error weight coefficient, and generate a fusion anomaly score.
[0127] The prediction bias δ is normalized as δnorm = δ / δmax, where δmax is the preset maximum reference value for prediction bias. The average value of the reconstruction error vector magnitude s(i) of all nodes in the reconstruction error tensor F is calculated as: savg = (s(1) + s(2) + ... + s(N)) / N. savg is normalized as snorm = savg / smax, where smax is the preset maximum reference value for reconstruction error. The preset prediction bias weight coefficient is α, and the preset reconstruction error weight coefficient is β, satisfying α + β = 1. The fusion anomaly score is Score = α × δnorm + β × snorm.
[0128] Step S650: For communication connection sessions whose fusion anomaly score exceeds the preset fusion anomaly score threshold, generate high-priority anomaly alarm information, and add the communication connection session identifier corresponding to the high-priority anomaly alarm information to the priority blocking queue. The communication connection session identifier in the priority blocking queue is processed in the target network traffic management device with priority over the communication connection session identifier in the non-priority blocking queue.
[0129] The Score_fusion is compared with the preset fusion anomaly scoring threshold θfusion. If Score_fusion is greater than θfusion, a high-priority anomaly alarm is generated, which includes the CID and Score_fusion. The CID is added to the tail of the priority blocking queue Qprior. In the target network traffic management device, the CID in the priority blocking queue Qprior is extracted and blocked before the CID in the non-priority blocking queue. The blocking operation process is the same as step S150.
[0130] Step S710: Before performing cross-protocol layer anomaly feature distillation on the traffic hierarchical structure representation graph using the pre-built traffic pattern deep autoencoder reconstruction network, the traffic hierarchical structure representation graph is subjected to graph structure decoupling processing based on protocol semantics. Each node in the traffic hierarchical structure representation graph is split into a network layer subgraph, a transport layer subgraph, and an application layer subgraph according to the protocol layer to which it belongs.
[0131] The hierarchical traffic representation graph G is divided into three subgraphs according to the protocol layer classification V1, V2, and V3 determined in step S132. The network layer subgraph G1 contains all nodes in V1 and the original directed edges between these nodes in G. The transport layer subgraph G2 contains all nodes in V2 and the original directed edges between these nodes. The application layer subgraph G3 contains all nodes in V3 and the original directed edges between these nodes. Each subgraph retains the node index, feature vector, and edge weights from the original graph.
[0132] Step S720: Extract the fragmentation behavior pattern from the Internet Protocol fragmentation offset sequence features bound to each node in the network layer subgraph, count the discrete distribution range of the fragmentation offset field value of the original Internet Protocol datagram corresponding to each network layer subgraph node, and generate a fragmentation behavior pattern description vector.
[0133] For each node i in G1, obtain the fragment offset field value v of all Internet Protocol (IP) datagrams involved in the corresponding Transmission Control Protocol (TCP) datagram before reassembly. Calculate the minimum value v_min and maximum value v_max of v, and then calculate the fragment span span = v_max - v_min. Count the number of fragments cnt, which is the number of v. If cnt is greater than 1, calculate the fragment continuity index cont, which is the proportion of adjacent fragment pairs where v(k+1) minus v(k) equals the length of the previous fragment divided by 8, relative to the total number of adjacent fragment pairs. Concatenate the values of span, cnt, and cont into a 3D fragment behavior pattern description vector Vfrag(i). If cnt equals 1, then all three elements of Vfrag(i) are set to 0.
[0134] Step S730: Perform state transition probability modeling on the combination state of the control flag bits of the transmission control protocol header bound to each node in the transport layer subgraph, calculate the state transition probability matrix based on the frequency of occurrence of the type identifiers of adjacent connection state transition nodes in the connection state transition node sequence, and generate the transport layer state transition mode description vector.
[0135] Count the frequency of adjacent state transition pairs from the sequence of connected state transition nodes. Construct an 8×8 counting matrix Cnt, where Cnt(p, q) represents the number of times Qq immediately follows the type identifier Qp, and p and q range from 1 to 8. Normalize Cnt row-wise to obtain the state transition probability matrix T, T(p, q) = Cnt(p, q) / (Cnt(p, 1) + Cnt(p, 2) + ... + Cnt(p, 8)). Expand T row-wise into a 64-dimensional vector, which serves as the transport layer state transition mode description vector Vtrans.
[0136] Step S740: Perform application layer protocol reverse inference processing on the transport layer payload byte frequency distribution feature vector bound to each node in the application layer subgraph, match the transport layer payload byte frequency distribution feature vector with the feature byte frequency distribution template of the known application layer protocol, and generate an application layer protocol type inference identifier.
[0137] The feature byte frequency distribution templates of known application layer protocols store 256-dimensional byte frequency distribution reference vectors for various application layer protocols under normal communication, with each protocol corresponding to a template vector Dref. For each node i in G3, its feature vector D(i) is taken, and its cosine similarity is calculated with each of the template vectors Dref. The protocol type corresponding to the maximum cosine similarity is taken as the application layer protocol type prediction identifier Pr(i) for that node.
[0138] Step S750: Map the application layer protocol type inference identifier to an application layer protocol type vector through the embedding layer; perform cross-layer semantic alignment fusion processing on the fragmentation behavior mode description vector, the transport layer state transition mode description vector, and the application layer protocol type vector; calculate the semantic association weight between the vectors of each protocol layer using the cross-layer semantic alignment attention mechanism; and generate a protocol semantic alignment fusion vector.
[0139] Construct a protocol type embedding matrix Eproto with shape Nproto×64, where Nproto represents the total number of known application layer protocol types. For each Pr(i), retrieve the corresponding 64-dimensional embedding vector Vapp(i) from Eproto using a lookup table. Calculate the mean of Vfrag(i) for all nodes in G1 to obtain Vfrag_avg, which has a dimension of 3. For Vtrans (64 dimensions), extend Vfrag_avg to 64 dimensions via linear projection to obtain Vfrag_proj, and Vapp(i) has a dimension of 64. Use Vfrag_proj, Vtrans, and Vapp(i) as inputs to a cross-layer semantic alignment attention mechanism. Calculate the semantic association weights among the three: using Vfrag_proj as the query and Vtrans and Vapp(i) as the key and value, respectively, to calculate the attention output. Similarly, using Vtrans as the query and Vfrag_proj and Vapp(i) as the key and value, and vice versa, using Vapp(i) as the query and Vfrag_proj and Vtrans as the key and value. The three attention outputs are concatenated along the feature dimension and linearly projected to obtain the protocol semantic alignment fusion vector Valign, which has a dimension of 192.
[0140] Step S760: The protocol semantic alignment fusion vector is appended as a supplementary graph-level attribute to the traffic hierarchical structure representation graph to obtain a semantically enhanced traffic hierarchical structure representation graph. The semantically enhanced traffic hierarchical structure representation graph is used to provide protocol semantic prior guidance in the cross-protocol layer anomaly feature distillation processing of the traffic pattern deep autoencoder reconstruction network.
[0141] A new semantic prior node is added to the traffic hierarchy structure representation graph G, with its node index set to -1. The feature vector of this semantic prior node is assigned the value Valign. For each existing node i in G, a new directed edge is added from the semantic prior node -1 to node i and a new directed edge is added from node i to the semantic prior node -1, with the edge weights set to the average of all existing edge weights. In the message passing aggregation processing of the graph attention encoding module in step S131, the semantic prior node -1 participates in the neighborhood aggregation of each node i, and Valign is incorporated into the attention weight calculation as protocol semantic prior guiding information. The G enhanced in this way is the semantically enhanced traffic hierarchy structure representation graph.
[0142] Step S810: After performing multi-dimensional abnormal signal collaborative tracing processing based on the first abnormal feature distillation output and the second abnormal feature distillation output to determine the communication connection session identifier with abnormal traffic behavior in the target computer network and the abnormal source protocol layer position corresponding to the communication connection session identifier, the abnormal propagation chain is subjected to abnormal propagation path evolution analysis processing based on time causal convolution.
[0143] After outputting R in step S140, perform anomaly propagation path evolution analysis on the anomaly propagation chain corresponding to each pairing record in R to understand the propagation direction and speed of the anomaly between different layers of the protocol stack.
[0144] Step S820: Arrange the reconstruction error vectors of each node along the anomaly propagation chain in the order of the original capture timestamps to construct an anomaly evolution time series. Input the anomaly evolution time series into a pre-constructed temporal causal convolutional network. The temporal causal convolutional network adopts a dilated causal convolution structure to capture the anomaly propagation patterns at different time spans in the anomaly evolution time series.
[0145] For each node along the anomaly propagation chain, its reconstruction error vector E(i) is extracted in chronological order of timestamps, forming an anomaly evolution time series {E(1), E(2), ..., E(L)}, where L is the length of the anomaly propagation chain. The temporal causal convolutional network consists of four stacked dilated causal convolutional layers, with dilation factors of 1, 2, 4, and 8 for each layer, a kernel size of 3 for each layer, a total of 64 kernels, and ReLU activation function. Dilated causal convolution ensures that the output at time step t depends only on the input at time step t and previous time steps, and does not depend on future time steps, which conforms to the temporal causality of anomaly propagation. {E(1), E(2), ..., E(L)} is input into the temporal causal convolutional network, and dilated convolution operations are performed layer by layer. The first layer has a dilation factor of 1, and the receptive field of the convolutional kernel covers three adjacent time steps. The second layer has a dilation factor of 2, and the receptive field of the convolutional kernel spans one time step interval, covering a range of six time steps. Similarly, the fourth layer has an inflation factor of 8, covering a range of 24 time steps. The four dilated causal convolutional layers output a set of multi-timescale anomalous evolution features {H1, H2, H3, H4}, with each Hk having a shape of L×64.
[0146] Step S830: Perform anomaly propagation direction inference processing on the multi-timescale anomaly evolution feature set, and determine the propagation direction marker of the anomaly on the anomaly propagation chain according to the changing trend of the anomaly evolution time series in adjacent time steps. The propagation direction marker includes the bottom-up propagation direction from the network layer to the application layer, the top-down propagation direction from the application layer to the network layer, and the lateral propagation direction within the same layer.
[0147] For two adjacent nodes i and i+1 in the anomaly propagation chain, obtain their protocol layer affiliation L(i) and L(i+1). Compare L(i) and L(i+1): If L(i) is a network layer and L(i+1) is a transport layer, or L(i) is a transport layer and L(i+1) is an application layer, then the propagation direction is marked as bottom-up, denoted as DIR_UP. If L(i) is an application layer and L(i+1) is a transport layer, or L(i) is a transport layer and L(i+1) is a network layer, then the propagation direction is marked as top-down, denoted as DIR_DOWN. If L(i) and L(i+1) are the same, then it is marked as horizontal propagation within the same layer, denoted as DIR_FLAT. Arrange the propagation direction labels of all adjacent node pairs in order to form a propagation direction label sequence.
[0148] Step S840: Calculate the time delay interval for the propagation of the anomaly between adjacent protocol layers based on the timestamps of each node along the anomaly propagation chain and the propagation direction markers, and generate anomaly propagation delay features.
[0149] For adjacent node pairs (i, i+1) marked as DIR_UP or DIR_DOWN in the propagation direction marking sequence, calculate the time delay: delay = t(i+1) - t(i), where t(i) and t(i+1) are the timestamps of node i and node i+1, respectively. Average all time delays of type DIR_UP, denoted as dup, where dup = (delay_up1 + delay_up2 + ... + delay_upx) / x, and x is the number of time delays of type DIR_UP. Average all time delays of type DIR_DOWN, denoted as ddown, where ddown = (delay_down1 + delay_down2 + ... + delay_downy) / y, and y is the number of time delays of type DIR_DOWN. Concatenate dup and ddown to form a 2D anomalous propagation delay feature Vdelay = [dup, ddown], with the dimension in microseconds.
[0150] Step S850: The multi-timescale abnormal evolution feature set, the propagation direction marker and the abnormal propagation delay feature are fused and encoded to generate an abnormal propagation path evolution descriptor. The abnormal propagation path evolution descriptor is used to describe the propagation trajectory and propagation speed of abnormal traffic behavior between different layers of the protocol stack.
[0151] For the multi-timescale anomaly evolution feature set {H1, H2, H3, H4}, global average pooling is performed along the time dimension to obtain four 64-dimensional vectors, which are concatenated into a 256-dimensional vector Hevo. The propagation direction marker sequences are statistically analyzed, and the proportions of the three markers DIR_UP, DIR_DOWN, and DIR_FLAT in the sequence are calculated, resulting in a 3-dimensional directional statistical vector Vdir. Hevo, Vdir, and Vdelay are concatenated along the feature dimensions to obtain an anomaly propagation path evolution descriptor Desc_evo with a total dimension of 256 + 3 + 2 = 261 dimensions. Desc_evo fully describes the propagation trajectory and speed of the anomaly between different layers of the protocol stack.
[0152] Step S910: After performing cross-protocol layer anomaly feature distillation on the traffic hierarchical structure representation graph using the pre-built traffic pattern deep autoencoder reconstruction network to generate the first anomaly feature distillation output and the second anomaly feature distillation output, the reconstruction error tensor in the first anomaly feature distillation output is subjected to anomaly range expansion and localization processing based on graph topology.
[0153] After outputting F and S in step S130, an anomaly range expansion and localization process is performed, using candidate anomaly nodes as seeds to expand to the neighborhood and determine the complete influence range of the anomaly in the time dimension and address space dimension.
[0154] Step S920: Using each candidate abnormal node in the candidate abnormal node set as a seed node, perform a neighborhood expansion search process based on the similarity of abnormal features on the traffic hierarchical structure representation graph, calculate the similarity between the seed node and its neighboring nodes in the reconstruction error tensor, expand to the neighboring nodes along the edges where the similarity exceeds the neighborhood expansion similarity threshold, and add the expanded neighboring nodes to the abnormal neighborhood node set.
[0155] From the candidate abnormal node set C obtained in step S142, each candidate abnormal node is sequentially selected as a seed node, denoted as sd. All neighboring nodes of sd are obtained in G, and the set of neighboring nodes is denoted as U. For each neighboring node nb belonging to U, the reconstruction error vector E(sd) of sd and the reconstruction error vector E(nb) of nb are extracted from the reconstruction error tensor F. The cosine similarity between the two reconstruction error vectors is calculated as: g = (E(sd)·E(nb)) / (|E(sd)|×|E(nb)|), where · represents the vector dot product, and |E| represents the L2 norm of the vector. g is compared with a preset neighborhood expansion similarity threshold h. If g is greater than h, nb is added to the abnormal neighboring node set Cx, and nb is marked as expanded. Then, using nb as the new seed node, the above neighborhood expansion search process is repeated for its unexpanded neighboring nodes. If g is less than or equal to h, expansion is not performed along that edge. The expansion search is performed in a breadth-first manner, using a queue data structure to manage the nodes to be expanded until the queue is empty.
[0156] Step S930: Perform weighted aggregation processing on the reconstruction error vector of each node in the abnormal neighborhood node set, and use the reciprocal of the shortest path hop count between each node and the seed node as the aggregation weight to generate abnormal range aggregation features.
[0157] In G, calculate the shortest path hop count from each node in Cx to the original seed node sd. A breadth-first search algorithm is used, traversing layer by layer starting from sd, using a distance array to record the hop count from each node to sd. For each node i in Cx, its hop count d(i) is calculated. If d(i) equals 0, the aggregation weight w(i) is set to 1; otherwise, w(i) = 1 / d(i). The reconstruction error vector E(i) of all nodes in Cx is weighted and summed according to the weight w(i): Ea = w(i1) × E(i1) + w(i2) × E(i2) + ... + w(im) × E(im), where i1, i2, ..., im are the indices of each node in Cx, and the addition is element-wise. The total weight sum ws = w(i1) + w(i2) + ... + w(im) is calculated. The anomaly range aggregation feature Ean = Ea / ws, where Ean has 256 dimensions.
[0158] Step S940: Compare and analyze the abnormal range aggregation feature with the reconstruction error vector of the seed node, calculate the vector direction consistency measure between the abnormal range aggregation feature and the reconstruction error vector of the seed node, and when the vector direction consistency measure exceeds the consistency threshold, merge the abnormal neighborhood node set with the seed node into an abnormal range connected component.
[0159] Calculate the cosine similarity between Ean and E(sd): r = (Ean·E(sd)) / (|Ean|×|E(sd)|). Compare r with a preset consistency threshold u. If r is greater than u, it indicates that the reconstruction error vectors of each node in Cx deviate in a direction highly consistent with sd, and Cx and {sd} are merged into an anomalous range connected region Rc. If r is less than or equal to u, only {sd} is retained as an isolated outlier, and no neighborhood merging is performed.
[0160] Step S950: Perform boundary delineation processing on the connected domain of the abnormal range, extract the earliest and latest times of the original capture timestamps of all nodes in the connected domain of the abnormal range as the abnormal activity time window, and extract the union of the source Internet Protocol address and the destination Internet Protocol address of all nodes in the connected domain of the abnormal range as the address range involved in the abnormality.
[0161] For all nodes in Rc, extract the timestamp of the corresponding Transmission Control Protocol (TCP) data packets for each node. Take the minimum value of all timestamps as the start time of the abnormal activity time window, denoted as t1. Take the maximum value of all timestamps as the end time of the abnormal activity time window, denoted as t2. The time window is represented as [t1, t2], with the unit being microseconds.
[0162] Extract the source and destination Internet Protocol (IP) addresses of the Transmission Control Protocol (TCP) data packets corresponding to all nodes in Rc. Place all source IP addresses into set A1 and all destination IP addresses into set A2. Take the union of A1 and A2 to obtain the address range A involved in the anomaly. A contains all network addresses affected by the anomaly or involved in the anomaly communication.
[0163] Step S960: Generate an anomaly range location description information based on the abnormal activity time window and the address range involved in the anomaly. The anomaly range location description information is used to indicate the impact range of the abnormal traffic behavior in the time dimension and the network address space dimension.
[0164] Combine t1, t2, and A into an anomaly range localization description, denoted as Z. Z = (t1, t2, A). Z indicates the start and end boundaries of the abnormal traffic behavior in time and its scope in the network address space.
[0165] Step S1010: After generating a network security handling instruction containing traffic blocking policy parameters based on the communication connection session identifier and the abnormal source protocol layer position, and sending the network security handling instruction to the target network traffic management device to trigger abnormal traffic isolation operation, residual abnormality detection processing is performed on the target computer network after the abnormal traffic isolation operation based on traffic pattern deep autoencoding to reconstruct the network.
[0166] After the abnormal traffic isolation operation is performed in step S150, residual abnormality detection processing is started to verify whether the isolation operation has completely eliminated the abnormal traffic.
[0167] Step S1020: Within a preset time window after the abnormal traffic isolation operation is performed, continuously acquire the isolated network traffic bit stream captured by the traffic acquisition probe in the target computer network, and perform the protocol stack layer deconstruction processing on the isolated network traffic bit stream to obtain the hierarchical structure representation diagram of the isolated traffic.
[0168] A preset time window length of Tw is set, and timing begins from the moment the isolation operation is executed. Network traffic is continuously collected within the Tw time period to obtain the isolated network traffic bitstream. The isolated network traffic bitstream is subjected to the same protocol stack layer deconstruction processing as step S120, including frame start delimiter identification, IP datagram extraction, IP header parsing, TCP segment reassembly, payload byte frequency distribution feature extraction, control flag combination pattern identification, prototype session graph construction, node attribute binding, and edge weight quantization. Finally, the hierarchical structure representation graph of the isolated traffic is obtained, denoted as G2.
[0169] Step S1030: Input the hierarchical structure representation map of the isolated flow into the deep autoencoder reconstruction network of the flow pattern to generate the first anomaly distillation output and the second anomaly distillation output after isolation.
[0170] Input G2 into the trained traffic pattern deep autoencoder reconstruction network and process it according to the complete process from steps S131 to S136. The graph attention encoding module outputs the isolated encoded node representation vector, the protocol layer skip connection module outputs the isolated cross-layer fusion representation vector, and the gated loop decoding module outputs the isolated reconstructed node representation vector. Calculate the isolated reconstruction error tensor F2, with a shape of N2×256, where N2 is the total number of nodes in G2. Calculate the isolated response intensity distribution S2=[Sa, Sb, Sc], where Sa corresponds to the network layer abnormal response intensity value, Sb corresponds to the transport layer abnormal response intensity value, and Sc corresponds to the application layer abnormal response intensity value. F2 is used as the first abnormal feature distillation output after isolation, and S2 is used as the second abnormal feature distillation output after isolation.
[0171] Step S1040: Perform differential comparison processing on the reconstruction error tensor after isolation in the first abnormal feature distillation output after isolation and the reconstruction error tensor before the execution of the abnormal flow isolation operation, calculate the element-by-element difference of the reconstruction error tensor before and after isolation, and generate the isolation effect evaluation tensor.
[0172] Take the reconstruction error tensor F before isolation, with a shape of N×256. Take the reconstruction error tensor F2 after isolation, with a shape of N2×256. Take the smaller of N and N2 as Nmin. For i from 1 to Nmin, and for j from 1 to 256, calculate Fd(i,j)=F(i,j)-F2(i,j). Fd has a shape of Nmin×256, which is the isolation effect evaluation tensor.
[0173] Step S1050: Perform overall abnormal residual degree quantification processing on the isolation effect evaluation tensor, calculate the sum of the absolute values of all positive elements in the isolation effect evaluation tensor as the abnormal residual index, and determine that the abnormal traffic isolation operation has not completely eliminated the abnormal traffic when the abnormal residual index exceeds the residual judgment threshold.
[0174] Iterate through all elements in Fd. For each element Fd(i,j), if Fd(i,j)>0, then Q=Q+Fd(i,j); if Fd(i,j)<=0, then Q remains unchanged. The initial value of Q is 0. Compare Q with the preset residual judgment threshold Qth. If Q>Qth, it is determined that the abnormal traffic isolation operation has not completely eliminated the abnormal traffic, and abnormal residuals still exist in the network after isolation. If Q<=Qth, it is determined that the isolation operation has completely eliminated the abnormal traffic.
[0175] Step S1060: When it is determined that the abnormal traffic isolation operation has not completely eliminated the abnormal traffic, extract the abnormal response intensity values of each protocol layer in the response intensity distribution of the second abnormal feature distillation output after isolation, determine the protocol layer with the largest abnormal response intensity value as the location of the residual abnormal source protocol layer, update the traffic blocking policy parameters according to the location of the residual abnormal source protocol layer, generate an enhanced network security handling instruction and send it again to the target network traffic management device to trigger the enhanced abnormal traffic isolation operation.
[0176] When Q is greater than Qth, extract Sa, Sb, and Sc from S2. Compare the three values and take the protocol layer corresponding to the maximum value as the protocol layer position of the residual anomaly source, denoted as L2. If Sa is the largest, L2 is the network layer; if Sb is the largest, L2 is the transport layer; if Sc is the largest, L2 is the application layer. Update the blocking layer indicator Btype in the traffic blocking policy parameters according to L2, in the same way as step S152. Generate an enhanced network security handling instruction CMD2 and send CMD2 to the target network traffic management device through the secure shell protocol tunnel to trigger the enhanced anomaly traffic isolation operation. The enhanced isolation operation applies stricter deep packet inspection filtering rules to the protocol layer corresponding to the protocol layer position L2 of the residual anomaly source, based on the original blocking rules, and adds newly added network addresses in the address range A involved in the anomaly to the blocking quadruple list.
[0177] Based on the same inventive concept, please refer to Figure 3 The diagram shows a schematic block diagram of a deep learning-based computer network traffic anomaly detection system 100 provided in an embodiment of this application. The deep learning-based computer network traffic anomaly detection system 100 may include a communication unit 110, a machine-readable storage medium 120, and a processor 130.
[0178] In this embodiment, alternatively, the machine-readable storage medium 120 can also be integrated into the processor 130 and can communicate and interact with external systems through the communication unit 110. The machine-readable storage medium 120 stores machine-executable instructions for executing the scheme of this application, and the processor 130 executes the machine-executable instructions stored in the machine-readable storage medium 120 to implement the deep learning-based computer network traffic anomaly detection method provided in the aforementioned method embodiments.
[0179] It should be noted that, in order to simplify the description of the present invention and thus help to understand one or more embodiments of the invention, multiple features may sometimes be grouped into one embodiment, drawing or description thereof in the foregoing description of the embodiments of the present invention.
Claims
1. A method for detecting anomalies in computer network traffic based on deep learning, characterized in that, The method includes: The raw network traffic bit stream captured by the traffic acquisition probe in the target computer network is obtained. The raw network traffic bit stream contains a sequence of Transmission Control Protocol (TCP) data packets with source and destination transport layer port identifiers. The original network traffic bitstream is subjected to protocol stack layer deconstruction processing to obtain the transport layer payload byte frequency distribution characteristics and network layer fragment offset sequence characteristics of each transport control protocol data packet in the transport control protocol data packet sequence. Based on the transport layer payload byte frequency distribution characteristics and network layer fragment offset sequence characteristics, a traffic hierarchical structure representation diagram oriented to the session interaction mode is constructed. The traffic hierarchical structure representation map is subjected to cross-protocol layer anomaly distillation using a pre-built traffic pattern deep autoencoder reconstruction network to generate a first anomaly distillation output and a second anomaly distillation output. The first anomaly distillation output reflects the reconstruction error tensor between the input traffic hierarchical structure representation map and the normal traffic baseline pattern, and the second anomaly distillation output reflects the response intensity distribution of the reconstruction error tensor at each layer of the protocol stack. Based on the first and second abnormal feature distillation outputs, multi-dimensional abnormal signal collaborative source tracing processing is performed to determine the communication connection session identifier with abnormal traffic behavior in the target computer network and the abnormal source protocol layer location corresponding to the communication connection session identifier. Based on the communication connection session identifier and the location of the abnormal source protocol layer, a network security handling instruction containing traffic blocking policy parameters is generated, and the network security handling instruction is sent to the target network traffic management device to trigger abnormal traffic isolation operation.
2. The deep learning-based computer network traffic anomaly detection method according to claim 1, characterized in that, The process of performing protocol stack layer deconstruction on the original network traffic bitstream yields the transport layer payload byte frequency distribution characteristics and network layer fragmentation offset sequence characteristics of each Transmission Control Protocol (TCP) data packet in the Transmission Control Protocol (TCP) data packet sequence. Based on the transport layer payload byte frequency distribution characteristics and network layer fragmentation offset sequence characteristics, a hierarchical traffic structure representation diagram oriented towards session interaction modes is constructed, including: The original network traffic bitstream is processed by Ethernet frame start delimiter identification, and the frame header control information is stripped to obtain an Internet Protocol datagram set. Each Internet Protocol datagram in the Internet Protocol datagram set retains its original capture timestamp. The Internet Protocol (IP) datagram set is parsed bit by bit in the IP header field. The fragment offset field value and fragment identifier field value of each IP datagram are extracted to generate an IP fragment offset sequence feature. The elements in the IP fragment offset sequence feature are arranged in the order of the original capture timestamp. The Internet Protocol datagram set is subjected to Transmission Control Protocol (TCP) segment reassembly processing. The TCP segment data carried by Internet Protocol datagrams with consecutive fragment offset field values and the same fragment identifier field value are spliced together in ascending order of fragment offset to obtain a Transmission Control Protocol data packet sequence. For each Transmission Control Protocol (TCP) data packet in the Transmission Control Protocol (TCP) data packet sequence, the frequency distribution feature of the transport layer payload byte is extracted. The number of times each byte value appears within the range of the transport layer payload is counted according to the byte value, and a fixed-length transport layer payload byte frequency distribution feature vector is constructed. For each Transmission Control Protocol (TCP) data packet in the Transmission Control Protocol (TCP) data packet sequence, perform Transmission Control Protocol header control flag combination pattern recognition processing, map the combination of synchronization flag status, acknowledgment flag status, and push flag status to connection state transition node type identifier, and generate connection state transition node sequence. Based on the temporal relationship between the connection state transition node sequence and the transmission control protocol data packet sequence, a prototype session graph structure for session interaction mode is constructed. The node set of the prototype session graph structure is the type identifier of each connection state transition node in the connection state transition node sequence, and the edge set of the prototype session graph structure is the relationship formed by connecting adjacent connection state transition node type identifiers according to the order of the original capture timestamps of the transmission control protocol data packet sequence. The node attribute binding process is performed on each node in the prototype session graph structure using the transport layer payload byte frequency distribution feature vector. The type identifier of each connection state transition node is associated with the transport layer payload byte frequency distribution feature vector of the corresponding transmission control protocol data packet to obtain the attributed session graph structure. The edge weight quantization process based on time interval is performed on each edge in the attributed session graph structure. The absolute value of the difference between the original capture timestamps of the two Transmission Control Protocol data packets corresponding to the type identifiers of the two adjacent connection state transition nodes is used as the weight value of the corresponding edge, thus obtaining a traffic hierarchical structure representation graph with edge weight attributes.
3. The computer network traffic anomaly detection method based on deep learning according to claim 1, characterized in that, The method of using a pre-built traffic pattern deep autoencoder reconstruction network to perform cross-protocol layer anomaly distillation on the traffic hierarchical structure representation map to generate a first anomaly distillation output and a second anomaly distillation output includes: The hierarchical traffic structure representation graph is input into the graph attention encoding module of the traffic pattern deep autoencoder reconstruction network. The multi-layer graph attention mechanism is used to perform message passing aggregation processing on the set of adjacent nodes of each node in the hierarchical traffic structure representation graph to generate the encoded node representation vector of each node. The attention weight of each layer of the graph attention encoding module on the set of adjacent nodes is dynamically adjusted according to the similarity of the feature vector of the frequency distribution of the transport layer payload bytes of the adjacent nodes. The encoded node representation vector is input into the protocol layer jump connection module of the traffic pattern deep autoencoder reconstructing network. According to the protocol layer to which each node belongs, the encoded node representation vector is divided into a network layer node representation vector set, a transport layer node representation vector set, and an application layer node representation vector set. Cross-layer concatenation fusion processing is performed on the network layer node representation vector set and the transport layer node representation vector set, and cross-layer concatenation fusion processing is performed on the transport layer node representation vector set and the application layer node representation vector set to generate cross-layer fused representation vectors for each node. The cross-layer fusion representation vector is input into the gated loop decoding module of the traffic pattern deep autoencoder reconstruction network. The gated loop decoding module performs time-step expansion reconstruction according to the original order of each node in the traffic hierarchical structure representation graph. Each time step generates the reconstruction node representation vector of the current node based on the cross-layer fusion representation vector of the previous node and the hidden state of the gated loop unit of the current time step. The reconstruction node representation vector of each node is processed by element-wise difference operation with the corresponding encoded node representation vector to obtain the reconstruction error vector of each node. The reconstruction error vectors of all nodes in the traffic hierarchical structure representation diagram are stacked as tensors according to the node index to generate a reconstruction error tensor as the first anomaly feature distillation output. The reconstruction error tensor is subjected to protocol layer abnormal response intensity mapping processing. According to the hierarchical relationship of network layer, transport layer and application layer, the reconstruction error vector magnitude of all nodes belonging to the same protocol layer is averaged to obtain the abnormal response intensity value of each protocol layer. Arrange the abnormal response intensity values of each protocol layer along the protocol stack depth direction to generate a response intensity distribution that reflects the distribution of abnormal response intensity at each layer of the protocol stack as the second abnormal feature distillation output. Based on the first and second anomaly feature distillation outputs, a cross-protocol layer distillation loss constraint is constructed. The distillation objective function includes a first loss term and a second loss term. The first loss term is the Frobenius norm of the reconstruction error tensor, and the second loss term is the sum of the absolute differences between the anomaly response intensity values of adjacent protocol layers in the response intensity distribution. The network parameters of the traffic pattern deep autoencoder reconstruction network are optimized by gradient backpropagation to minimize the distillation objective function.
4. The method for detecting abnormal computer network traffic based on deep learning according to claim 1, characterized in that, The step of performing multi-dimensional anomaly signal collaborative tracing processing based on the first and second anomaly feature distillation outputs to determine the communication connection session identifiers with abnormal traffic behavior in the target computer network and the corresponding anomaly source protocol layer location of the communication connection session identifiers includes: The reconstruction error tensor in the first abnormal feature distillation output is sorted by the significance of node dimension anomalies. The reconstruction error vector magnitude of each node in the reconstruction error tensor is calculated. The nodes are arranged in descending order of reconstruction error vector magnitude to generate an abnormal node priority sorting list. According to the priority sorting list of abnormal nodes, nodes whose reconstruction error vector magnitude exceeds the dynamic anomaly determination threshold are extracted as a set of candidate abnormal nodes. The dynamic anomaly determination threshold is adaptively determined based on the weighted result of the median of the reconstruction error vector magnitude of all nodes in the reconstruction error tensor and the absolute deviation of the median. For each candidate abnormal node in the candidate abnormal node set, a time-based reverse tracing path search process is performed in the traffic hierarchical structure representation graph. Starting from the candidate abnormal node, the process traces back to the adjacent node with an earlier time along the edge defined by the time sequence between nodes in the traffic hierarchical structure representation graph until the session start node is reached. All the nodes passed through on the backtracking path are recorded as the abnormal propagation chain. Extract the transport layer payload byte frequency distribution feature vectors bound to each path node in the abnormal propagation chain, merge adjacent path nodes whose vector cosine similarity between the transport layer payload byte frequency distribution feature vectors exceeds the similarity threshold, obtain the abnormal communication connection session segment, and generate a communication connection session identifier based on the source Internet Protocol address and destination Internet Protocol address of the starting path node of the abnormal communication connection session segment. The abnormal response intensity values of each protocol level in the response intensity distribution of the second abnormal feature distillation output are associated and mapped with the protocol level to which each candidate abnormal node in the candidate abnormal node set belongs in the traffic hierarchical structure representation diagram. The protocol level with the largest abnormal response intensity value is determined as the abnormal source protocol level. The communication connection session identifier is paired and bound with the location of the abnormal source protocol layer to generate a set of abnormal source tracing pairing results containing one-to-one correspondences.
5. The deep learning-based computer network traffic anomaly detection method according to claim 1, characterized in that, The process of generating a network security handling instruction containing traffic blocking policy parameters based on the communication connection session identifier and the abnormal source protocol layer location, and sending the network security handling instruction to the target network traffic management device to trigger abnormal traffic isolation operation includes: Based on the communication connection session identifier, the source Internet Protocol address, destination Internet Protocol address, source transport layer port identifier, and destination transport layer port identifier of the corresponding communication connection session are extracted from the original network traffic bit stream to generate a communication connection session quadruple identifier; The blocking operation's level is determined based on the location of the anomaly's origin protocol layer. When the anomaly's origin protocol layer is at the application layer, an application layer request reset blocking policy parameter is generated. When the anomaly's origin protocol layer is at the transport layer, a transport layer connection reset blocking policy parameter is generated. When the anomaly's origin protocol layer is at the network layer, a network layer traffic filtering blocking policy parameter is generated. The communication connection session quadruple identifier and the blocking operation level type are combined and encapsulated to generate a traffic blocking policy parameter set containing quadruple filtering rules and blocking level indicators. The traffic blocking policy parameter set is embedded into a pre-set network security device control instruction template to generate a network security handling instruction that conforms to the parsing format of the target network traffic management device; The network security handling instruction is sent to the target network traffic management device connected to the target computer network through the Secure Shell Protocol tunnel, so as to trigger the target network traffic management device to perform the blocking operation indicated by the corresponding blocking level indicator on the communication connection session identified by the communication connection session quadruple identifier, thereby achieving isolation of abnormal traffic.
6. The deep learning-based computer network traffic anomaly detection method according to claim 3, characterized in that, The method further includes: The traffic pattern deep autoencoder reconstruction network is subjected to adversarial training based on traffic graph structure perturbation enhancement. The traffic samples marked as normal in the original network traffic bitstream are input into the traffic pattern deep autoencoder reconstruction network to generate a hierarchical structure representation map of normal traffic. Apply a graph structure perturbation operation with a preset perturbation amplitude to the edge set of the normal flow hierarchical structure representation graph, randomly delete a preset proportion of existing edge connections, and randomly add a preset proportion of new edge connections to obtain a perturbation-enhanced flow hierarchical structure representation graph. The perturbation-enhanced traffic hierarchical structure representation map is input into the traffic pattern deep autoencoder reconstruction network, and after processing by the graph attention encoding module, the protocol layer jump connection module and the gated loop decoding module, the perturbation-enhanced reconstruction output is generated. Calculate the difference between the overall graph representation corresponding to the perturbation-enhanced reconstruction output and the overall graph representation corresponding to the normal traffic hierarchical structure representation graph, and construct an adversarial training loss function based on the difference; The adversarial training loss function and the cross-protocol layer distillation loss constraint are weighted and jointly optimized. The attention weight matrix of the graph attention encoding module, the cross-layer cascaded fusion weight matrix of the protocol layer skip connection module, and the gated recurrent unit weight matrix of the gated recurrent decoding module in the traffic pattern deep autoencoder reconstruction network are updated through gradient backpropagation. After the weighted summation joint optimization process converges iteratively, a traffic pattern deep autoencoder reconstruction network with anti-graph structure perturbation capability is obtained. This network is used to generate stable first and second anomalous feature distillation outputs even when the original network traffic bit stream has packet loss or packet out-of-order delivery.
7. The deep learning-based computer network traffic anomaly detection method according to claim 4, characterized in that, The method further includes: After performing multi-dimensional abnormal signal collaborative tracing processing based on the first abnormal feature distillation output and the second abnormal feature distillation output to determine the communication connection session identifier with abnormal traffic behavior in the target computer network and the abnormal source protocol layer position corresponding to the communication connection session identifier, the abnormal source protocol layer position is subjected to abnormal root cause deep localization processing based on fine-grained parsing of protocol fields. According to the protocol field structure definition specification of the protocol layer corresponding to the location of the anomaly source protocol layer, the original protocol field bit sequence of each path node belonging to the protocol layer is extracted from the anomaly propagation chain as the input feature sequence for anomaly root cause analysis. The anomaly root cause analysis input feature sequence is input into a pre-built protocol field anomaly pattern matching engine. The protocol field anomaly pattern matching engine stores a set of feature signatures of known network attack patterns. The anomaly root cause analysis input feature sequence is matched with each feature signature in the set of feature signatures of known network attack patterns in turn using regular expressions to generate a set of matching results. Each matching result in the set of matching results contains a successfully matched attack pattern identifier and a corresponding matching confidence value. Sort all matching results in the matching result set from largest to smallest according to the matching confidence value, and extract the attack mode identifier corresponding to the matching result with the largest matching confidence value as the anomaly root cause category; The anomaly root cause category is bound to the communication connection session identifier and the anomaly source protocol layer location as a triple to generate an anomaly tracing report that includes the anomaly root cause category field.
8. The method for detecting abnormal computer network traffic based on deep learning according to claim 1, characterized in that, The method further includes: After acquiring the raw network traffic bitstream captured by the traffic acquisition probe in the target computer network, the raw network traffic bitstream is subjected to aggregation and grouping processing based on session connection granularity. According to the conditions of the same source Internet Protocol address, the same destination Internet Protocol address, the same source transport layer port identifier, and the same destination transport layer port identifier, each transport control protocol data packet in the transport control protocol data packet sequence is divided into different communication connection session packets. The Transmission Control Protocol (TCP) data packets within each communication connection session are sorted in ascending order according to the TCP sequence number to obtain an ordered sequence of data packets for each communication connection session. The ordered data packet sequence is subjected to session-level statistical feature extraction processing to extract session duration, total number of data packets in the session, total number of payload bytes in the session, and average data packet arrival interval in the session. Each feature is standardized to eliminate differences in units and numerical ranges. The standardized feature values are concatenated into a session-level statistical feature vector. The session-level statistical feature vector is used as the global graph-level attribute vector of the traffic hierarchical structure representation graph. The global graph-level attribute vector is connected to the type identifier of all connection state transition nodes in the traffic hierarchical structure representation graph in the form of additional nodes. When the graph attention encoding module of the traffic pattern deep autoencoder reconstruction network performs message passing aggregation processing, the global graph-level attribute vector is used as the global context information of each adjacent node to participate in the dynamic adjustment of attention weights.
9. The computer network traffic anomaly detection method based on deep learning according to claim 1, characterized in that, The method further includes: After obtaining the transport layer payload byte frequency distribution characteristics and network layer fragment offset sequence characteristics of each transport control protocol data packet in the transport control protocol data packet sequence, the transport layer payload byte frequency distribution feature vectors of adjacent transport control protocol data packets are subjected to time-series evolution pattern extraction processing, and the element-wise difference between the transport layer payload byte frequency distribution feature vectors of adjacent transport control protocol data packets is calculated to obtain the payload byte frequency distribution time-series difference sequence. The time-series difference sequence of payload byte frequency distribution is segmented and aggregated for approximation. The time-series difference sequence of payload byte frequency distribution is divided into equal time window segments. The average value vector of the time-series difference sequence of payload byte frequency distribution within each time window segment is calculated to obtain the segmented and aggregated approximation feature sequence. The sign change pattern of the average value vector of each time window segment in the segmented aggregated approximate feature sequence is discretized and encoded. Positive sign changes are mapped to the first encoded value, negative sign changes are mapped to the second encoded value, and zero sign changes are mapped to the third encoded value to generate a time-series pattern encoded sequence. The temporal pattern encoding sequence is appended as an edge attribute between nodes to the edge connecting the adjacent connection state transition node type identifier in the traffic hierarchy structure representation graph, thereby generating an enhanced traffic hierarchy structure representation graph with temporal evolution edge attributes.
10. A computer network traffic anomaly detection system based on deep learning, characterized in that, include: processor; A machine-readable storage medium for storing machine-executable instructions of the processor; The processor is configured to execute the deep learning-based computer network traffic anomaly detection method according to any one of claims 1 to 9 by executing the machine-executable instructions.