Intelligent waf attack traffic discrimination method, system, device and medium based on large model MoE

By employing an intelligent WAF attack traffic discrimination method based on the large-scale MoE model, and utilizing multi-expert models and gating mechanisms for dynamic routing, the accuracy and efficiency issues of existing Web application firewalls in the face of diverse attacks are resolved, achieving refined identification and efficient protection against complex Web attacks.

CN122394831APending Publication Date: 2026-07-14SHANDONG LANGCHAO YUNTOU INFORMATION TECH CO LTD +1

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
SHANDONG LANGCHAO YUNTOU INFORMATION TECH CO LTD
Filing Date
2026-03-04
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

Existing web application firewalls struggle to effectively identify attack traffic when faced with diverse attack types, significant differences in attack characteristics, and dynamic changes in the business environment. Furthermore, rule maintenance costs are high, and false positives or false negatives are frequent.

Method used

An intelligent WAF attack traffic discrimination method based on the large model MoE is adopted. Through traffic collection, parsing, feature vector construction and multi-expert model discrimination, the expert sub-model is dynamically selected for attack discrimination using a gating mechanism, and refined identification is performed in combination with the MoE architecture.

Benefits of technology

It improves the accuracy and precision of attack traffic identification, reduces computational load, enhances protection against unknown attacks and attack variants, and strengthens the intelligent protection capabilities of the Web application firewall.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122394831A_ABST
    Figure CN122394831A_ABST
Patent Text Reader

Abstract

The application discloses an intelligent WAF attack flow discrimination method, system, device and medium based on a large model MoE, belongs to the technical field of network security and artificial intelligence, and aims to solve the technical problem that an existing Web Application Firewall mainly relies on rule matching or a single model mode in an attack flow discrimination process, and it is difficult to effectively cope with diversified attack types, significant attack feature differences and dynamic business environment changes. The technical scheme is as follows: collecting Web access flow: collecting access request flow entering a Web application from a Web Application Firewall or a network environment where the Web Application Firewall is located through flow mirroring, bypass listening, log collection or interface calling; analyzing and preprocessing the access flow: analyzing and preprocessing the access request flow to generate structured request data; constructing a flow feature vector; discriminating attacks based on a large model of an MOE architecture; outputting an attack flow discrimination result; and executing a WAF protection strategy.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the fields of network security and artificial intelligence, and in particular to a threat detection technology for Web Application Firewall (WAF), specifically an intelligent WAF attack traffic discrimination method, system, device and medium based on a large model MoE. Background Technology

[0002] With the rapid development of internet technology, web applications have been widely used in various fields such as government affairs, finance, e-commerce, and enterprise information systems. The cyberattack situation faced by web applications is becoming increasingly complex. Web Application Firewalls (WAFs), as an important means of protecting web application security, are mainly used to detect and protect HTTP / HTTPS access traffic to identify and block common web attack behaviors such as SQL injection, cross-site scripting attacks, command execution, and file inclusion. Existing WAF technologies mainly employ attack traffic detection methods based on rule matching, feature libraries, or traditional machine learning models. Rule-based and feature-based detection methods rely on manually maintained attack rule libraries. While they have high detection efficiency for known attack types, they often struggle to respond promptly to attack variants, obfuscation, or new attack methods. Furthermore, rule maintenance is costly and prone to false positives or false negatives. Some WAFs introduce traditional machine learning models to distinguish traffic, but limited by model expressive power and reliance on feature engineering, they struggle to accurately characterize complex web attack behaviors, and their model generalization ability is limited. Summary of the Invention

[0003] The technical objective of this invention is to provide an intelligent WAF attack traffic discrimination method, system, device, and medium based on a large-scale MoE model, in order to solve the problem that existing Web application firewalls mainly rely on rule matching or a single model in the attack traffic discrimination process, which makes it difficult to effectively cope with the diversification of attack types, significant differences in attack characteristics, and dynamic changes in the business environment.

[0004] The technical objective of this invention is achieved as follows: an intelligent WAF attack traffic discrimination method based on a large-scale MoE model, the specific method of which is as follows: Collect Web access traffic: Collect access request traffic entering the Web application from the Web application firewall or the network environment in which the Web application firewall is located through traffic mirroring, bypass listening, log collection or interface call methods, so as to achieve continuous collection and real-time acquisition of Web access request traffic. Parse and preprocess access traffic: Parse and preprocess access request traffic to generate structured request data; Constructing traffic feature vectors: Constructing traffic feature vectors for attack traffic identification based on structured request data; Large-scale attack detection based on MOE architecture: Input the traffic feature vector into the large-scale model based on MOE architecture, and the gating network controls one or more expert sub-models to perform attack detection on the access request traffic; Output attack traffic discrimination results: Generate attack traffic discrimination results based on the discrimination results of the expert sub-model; Execute WAF protection policies: Based on the attack traffic identification results, execute the corresponding Web Application Firewall protection policies.

[0005] Preferably, web access traffic information includes HTTP or HTTPS request and response messages, web session information, web session information, and metadata information related to access behavior; The metadata information includes access time, source address, destination address, request method, access path, request parameters, and user agent information.

[0006] As a preferred approach, the access traffic is parsed and preprocessed as follows: Protocol parsing and extraction: The original HTTP / HTTPS traffic is fully parsed using regular expression matching and key field identification to extract key fields (Header, Body, Method, URI, Cookie, etc.). Context reorganization: Reorganize scattered fields into a Prompt sequence that meets the input requirements of a large model according to HTTP semantics; Lightweight Embedding: Use a lightweight encoder (such as Transformer Encoder) to convert text sequences into high-dimensional vector representations, i.e., traffic feature vectors x, as input to large models based on the MOE architecture.

[0007] More specifically, the large-model attack detection based on the MOE architecture is as follows: Intelligent gated routing: Based on the input traffic feature vector x, a learnable gating function G(x) is used to determine the activated expert model; Multi-expert judgment: Constructing a set of functionally specialized expert models E i Each expert model is an independent feedforward neural network (FFN) or a small Transformer block, focused on identifying specific types of attacks or normal traffic. The large model of the MOE architecture is pre-trained with data from various attack samples, enabling each expert model to accurately identify a wide variety of attacks.

[0008] More preferably, the learnable gate function G(x) is formulated as follows: G(x) = TopK(softmax(x*w) g ), k); Where x represents the traffic feature vector, which is usually the representation vector of the current token; w g represents the gating weight matrix; softmax represents the normalization process in the dimension to obtain the probability distribution; TopK() represents selecting the k expert models with the highest probability, and setting the probability of the other expert models to 0; G(x) represents the final gating output, a probability vector.

[0009] Ideally, the number of expert models should be determined based on the specific business requirements, and expert models should include SQL injection experts, cross-site scripting experts, command execution experts, and business logic experts.

[0010] An intelligent WAF attack traffic discrimination system based on the large-scale MoE model, which implements the intelligent WAF attack traffic discrimination method based on the large-scale MoE model as described above; the system includes: The traffic acquisition module is used to collect access request traffic entering the Web application from the Web application firewall or the network environment in which the Web application firewall is located through traffic mirroring, bypass listening, log collection or interface call methods, so as to realize continuous collection and real-time acquisition of Web access request traffic. The traffic processing module is used to parse and preprocess access request traffic to generate structured request data; The traffic feature vector construction module is used to construct traffic feature vectors for attack traffic identification based on structured request data. The attack detection module is used to input traffic feature vectors into a large model based on the MOE architecture. The gating network controls one or more expert sub-models to perform attack detection on the access request traffic. The attack discrimination result output module is used to generate attack traffic discrimination results based on the discrimination results of the expert sub-model; The WAF protection policy execution module is used to execute the corresponding Web Application Firewall protection policy based on the attack traffic identification results.

[0011] Preferably, the traffic processing module includes: The protocol parsing and extraction submodule is used to perform full protocol parsing on the raw HTTP / HTTPS traffic through regular expression matching and key field identification, and to separate key fields (Header, Body, Method, URI, Cookie, etc.). The context reorganization submodule is used to reorganize scattered fields into a Prompt sequence that meets the input requirements of large models according to HTTP semantics; The lightweight Embedding submodule is used to convert text sequences into high-dimensional vector representations, i.e., flow feature vectors x, using lightweight encoders (such as Transformer Encoder), as input to large models based on the MOE architecture; The attack detection module includes: The intelligent gated routing submodule is used to determine the activated expert model based on the input traffic feature vector x using a learnable gate function G(x); the formula for the learnable gate function G(x) is as follows: G(x) = TopK(softmax(x*w) g ), k); Where x represents the traffic feature vector, which is usually the representation vector of the current token; w g represents the gating weight matrix; softmax represents the normalization process in the dimension to obtain the probability distribution; TopK() represents selecting the k expert models with the highest probability, and setting the probability of the other expert models to 0; G(x) represents the final gating output, a probability vector; The multi-expert judgment submodule is used to construct a set of functionally specialized expert models E. i Each expert model is an independent feedforward neural network (FFN) or a small Transformer block, focused on identifying specific types of attacks or normal traffic. The large model of the MOE architecture is pre-trained with data from various attack samples, enabling each expert model to accurately identify a wide variety of attacks.

[0012] An electronic device includes: a memory and at least one processor; The memory stores computer-executed instructions; The at least one processor executes the computer execution instructions stored in the memory, causing the at least one processor to execute the intelligent WAF attack traffic discrimination method based on the large model MoE as described above.

[0013] A computer-readable storage medium storing computer-executable instructions, which, when executed by a processor, implement the intelligent WAF attack traffic discrimination method based on the large model MoE described above.

[0014] The intelligent WAF attack traffic identification method, system, device, and medium based on the large-scale MoE model of the present invention have the following advantages: (i) This invention introduces the MOE architecture to assign the discrimination tasks of different attack types or attack characteristics to different expert sub-models, and dynamically selects and combines expert sub-models through a gating mechanism, so that the model can make refined discrimination of various Web attack behaviors, thereby improving the accuracy of overall attack traffic discrimination, and thus improving the accuracy and refinement of attack traffic discrimination. (ii) This invention effectively reduces computational load and improves business availability: the gradient only flows to the K activated experts and the gating network, and the parameters of the unactivated experts are not updated in this step, which greatly reduces the computational load, making the training speed close to that of a small model, but the model capacity is at the level of a large model. (III) This invention relies on the ability of large models to express complex semantic and sequence features, and combines the division of labor and cooperation mechanism of the MoE architecture to effectively identify attack traffic with obfuscated, deformed or new features, thereby improving the protection capability of Web application firewalls against unknown attacks and attack variants. Attached Figure Description

[0015] The invention will be further described below with reference to the accompanying drawings.

[0016] Appendix Figure 1 This is a flowchart of an intelligent WAF attack traffic discrimination method based on the large-scale MoE model. Detailed Implementation

[0017] The intelligent WAF attack traffic discrimination method, system, device and medium based on the large model MoE of the present invention will be described in detail below with reference to the accompanying drawings and specific embodiments. Example

[0018] As attached Figure 1 As shown, this embodiment provides an intelligent WAF attack traffic discrimination method based on a large-scale MoE model. This method collects network access traffic monitored by the Web Application Firewall, performs session reconstruction, preprocessing, and feature construction on the network access traffic, and inputs the constructed traffic features into a large-scale MoE model for attack traffic discrimination. The MoE model dynamically routes different attack features through a gating mechanism, enabling multiple expert sub-models to discriminate different types of attack traffic such as SQL injection, cross-site scripting, and command execution, thereby achieving refined identification of complex and varied Web attack behaviors. Simultaneously, the MoE model is adapted and trained using proprietary traffic data from the target business environment, improving the model's ability to distinguish between real business traffic and attack traffic. Based on the discrimination results, corresponding WAF protection strategies are triggered, effectively improving the accuracy of attack traffic discrimination, reducing false positive rates, and enhancing the intelligent protection capabilities of the Web Application Firewall against unknown and variant attacks. Details are as follows: S1. Collect Web access traffic: Collect access request traffic entering the Web application from the Web application firewall or the network environment in which the Web application firewall is located through traffic mirroring, bypass listening, log collection or interface call methods to achieve continuous collection and real-time acquisition of Web access request traffic. S2. Parse and preprocess access traffic: Parse and preprocess access request traffic to generate structured request data; S3. Constructing Traffic Feature Vectors: Constructing traffic feature vectors for attack traffic identification based on structured request data; S4. Attack detection of large model based on MOE architecture: Input the traffic feature vector into the large model based on MOE architecture, and the gating network controls one or more expert sub-models to detect attacks on access request traffic; S5. Output attack traffic discrimination results: Generate attack traffic discrimination results based on the discrimination results of the expert sub-model; S6. Execute WAF protection policy: Execute the corresponding Web application firewall protection policy based on the attack traffic identification results.

[0019] In this embodiment, the web access traffic information includes HTTP or HTTPS request and response messages, web session information, web session information, and metadata information related to access behavior; The metadata information includes access time, source address, destination address, request method, access path, request parameters, and user agent information.

[0020] The specific steps for parsing and preprocessing the access traffic in step S2 of this embodiment are as follows: S201. Protocol parsing and extraction: Perform full protocol parsing on the original HTTP / HTTPS traffic through regular expression matching and key field identification to separate key fields (Header, Body, Method, URI, Cookie, etc.). S202, Context Reorganization: Reorganize the scattered fields into a Prompt sequence that meets the input requirements of a large model according to HTTP semantics; S203, Lightweight Embedding: Use a lightweight encoder (such as Transformer Encoder) to convert text sequences into high-dimensional vector representations, i.e., traffic feature vectors x, as input to large models based on the MOE architecture.

[0021] The specific steps for large model attack detection based on the MOE architecture in step S4 of this embodiment are as follows: S401, Intelligent Gated Routing: Based on the input traffic feature vector x, a learnable gating function G(x) is used to determine the activated expert model; S402, Multi-Expert Judgment: Construct a set of functionally specialized expert models E i Each expert model is an independent feedforward neural network (FFN) or a small Transformer block, focused on identifying specific types of attacks or normal traffic. The large model of the MOE architecture is pre-trained with data from various attack samples, enabling each expert model to accurately identify a wide variety of attacks.

[0022] The formula for the learnable gating function G(x) in step S401 of this embodiment is as follows: G(x) = TopK(softmax(x*w) g ), k); Where x represents the traffic feature vector, which is usually the representation vector of the current token; w g represents the gating weight matrix; softmax represents the normalization process in the dimension to obtain the probability distribution; TopK() represents selecting the k expert models with the highest probability, and setting the probability of the other expert models to 0; G(x) represents the final gating output, a probability vector.

[0023] The number of expert models in step S402 of this embodiment depends on the specific business requirements. Expert models include SQL injection experts, cross-site scripting experts, command execution experts, and business logic experts. Example

[0024] This embodiment provides an intelligent WAF attack traffic discrimination system based on the large-scale MoE model. This system is used to implement the intelligent WAF attack traffic discrimination method based on the large-scale MoE model as described in Embodiment 1. The system includes: The traffic acquisition module is used to collect access request traffic entering the Web application from the Web application firewall or the network environment in which the Web application firewall is located through traffic mirroring, bypass listening, log collection or interface call methods, so as to realize continuous collection and real-time acquisition of Web access request traffic. The traffic processing module is used to parse and preprocess access request traffic to generate structured request data; The traffic feature vector construction module is used to construct traffic feature vectors for attack traffic identification based on structured request data. The attack detection module is used to input traffic feature vectors into a large model based on the MOE architecture. The gating network controls one or more expert sub-models to perform attack detection on the access request traffic. The attack discrimination result output module is used to generate attack traffic discrimination results based on the discrimination results of the expert sub-model; The WAF protection policy execution module is used to execute the corresponding Web Application Firewall protection policy based on the attack traffic identification results.

[0025] The traffic processing module in this embodiment includes: The protocol parsing and extraction submodule is used to perform full protocol parsing on the raw HTTP / HTTPS traffic through regular expression matching and key field identification, and to separate key fields (Header, Body, Method, URI, Cookie, etc.). The context reorganization submodule is used to reorganize scattered fields into a Prompt sequence that meets the input requirements of large models according to HTTP semantics; The lightweight Embedding submodule is used to convert text sequences into high-dimensional vector representations, i.e., flow feature vectors x, using a lightweight encoder (such as Transformer Encoder), as input to a large model based on the MOE architecture.

[0026] The attack detection module in this embodiment includes: The intelligent gated routing submodule is used to determine the activated expert model based on the input traffic feature vector x using a learnable gate function G(x); the formula for the learnable gate function G(x) is as follows: G(x) = TopK(softmax(x*w) g ), k); Where x represents the traffic feature vector, which is usually the representation vector of the current token; w g represents the gating weight matrix; softmax represents the normalization process in the dimension to obtain the probability distribution; TopK() represents selecting the k expert models with the highest probability, and setting the probability of the other expert models to 0; G(x) represents the final gating output, a probability vector; The multi-expert judgment submodule is used to construct a set of functionally specialized expert models E. i Each expert model is an independent feedforward neural network (FFN) or a small Transformer block, focused on identifying specific types of attacks or normal traffic. The large model of the MOE architecture is pre-trained with data from various attack samples, enabling each expert model to accurately identify a wide variety of attacks.

[0027] This embodiment introduces a large model based on the MoE architecture to collaboratively identify different types of Web attack traffic. Multiple expert sub-models identify different attack types or attack characteristics, and the input traffic is dynamically routed through a gating mechanism, thereby improving the accuracy and precision of attack traffic identification.

[0028] This embodiment further utilizes proprietary traffic data accumulated during the actual operation of the Web Application Firewall to adapt and train the MoE large model, enabling the model to fully learn the differences in normal traffic behavior characteristics and attack characteristics in the target business environment, reducing the probability of misjudging normal business requests, and improving the applicability and stability of the model in the actual deployment environment.

[0029] In this embodiment, a dataset for each attack is constructed using a traffic processing module, and the number of datasets constructed corresponds to the number of expert models. Example

[0030] This embodiment also provides an electronic device, including: a memory and at least one processor; The memory stores computer-executed instructions; The at least one processor executes the computer execution instructions stored in the memory, causing the at least one processor to execute the intelligent WAF attack traffic discrimination method based on the large model MoE as described in any one of the present invention.

[0031] The processor can be a central processing unit (CPU), or other general-purpose processors, digital signal processors (DSPs), application-specific integrated circuits (ASICs), off-the-shelf programmable gate arrays (FPGAs), or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc. The processor can be a microprocessor or any conventional processor.

[0032] Memory can be used to store computer programs and / or modules. The processor implements various functions of the electronic device by running or executing the computer programs and / or modules stored in the memory, and by accessing data stored in the memory. Memory can mainly include a program storage area and a data storage area. The program storage area can store the operating system, at least one application program required for a function, etc.; the data storage area can store data created based on the use of the terminal, etc. In addition, memory can also include high-speed random access memory, and can also include non-volatile memory, such as hard disks, RAM, plug-in hard disks, smart memory cards (SMC), secure digital cards (SD cards), flash memory cards, at least one disk storage device, flash memory device, or other volatile solid-state storage devices. Example

[0033] This embodiment also provides a computer-readable storage medium storing multiple instructions, which are loaded by a processor to cause the processor to execute the intelligent WAF attack traffic discrimination method based on the large model MoE in any embodiment of the present invention. Specifically, a system or device equipped with a storage medium may be provided, on which software program code implementing the functions of any of the above embodiments is stored, and the computer (or CPU or MPU) of the system or device may read and execute the program code stored in the storage medium.

[0034] In this case, the program code read from the storage medium can itself implement the function of any of the above embodiments, and therefore the program code and the storage medium storing the program code constitute part of the present invention.

[0035] Storage media embodiments for providing program code include floppy disks, hard disks, magneto-optical disks, optical disks (such as CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD+RW), magnetic tapes, non-volatile memory cards, and ROMs. Alternatively, program code can be downloaded from a server computer via a communication network.

[0036] Furthermore, it should be clear that not only can the program code read by the computer be executed, but also the operating system or other components operating on the computer can be instructed based on the program code to perform some or all of the actual operations, thereby realizing the function of any of the embodiments described above.

[0037] Furthermore, it is understood that the program code read from the storage medium is written to the memory set in the expansion board inserted into the computer or to the memory set in the expansion unit connected to the computer. Then, based on the instructions of the program code, the CPU or other components installed on the expansion board or expansion unit execute some and all of the actual operations, thereby realizing the function of any of the embodiments described above.

[0038] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, and not to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some or all of the technical features; and these modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the scope of the technical solutions of the embodiments of the present invention.

Claims

1. An intelligent WAF attack traffic discrimination method based on the large-scale MoE model, characterized in that, The method is as follows: Collect Web access traffic: Collect access request traffic entering the Web application from the Web application firewall or the network environment in which the Web application firewall is located through traffic mirroring, bypass listening, log collection or interface call methods, so as to achieve continuous collection and real-time acquisition of Web access request traffic. Parse and preprocess access traffic: Parse and preprocess access request traffic to generate structured request data; Constructing traffic feature vectors: Constructing traffic feature vectors for attack traffic identification based on structured request data; Large-scale attack detection based on MOE architecture: Input the traffic feature vector into the large-scale model based on MOE architecture, and the gating network controls one or more expert sub-models to perform attack detection on the access request traffic; Output attack traffic discrimination results: Generate attack traffic discrimination results based on the discrimination results of the expert sub-model; Execute WAF protection policies: Based on the attack traffic identification results, execute the corresponding Web Application Firewall protection policies.

2. The intelligent WAF attack traffic discrimination method based on the large model MoE as described in claim 1, characterized in that, Web access traffic information includes HTTP or HTTPS request and response messages, web session information, and metadata information related to access behavior; The metadata information includes access time, source address, destination address, request method, access path, request parameters, and user agent information.

3. The intelligent WAF attack traffic discrimination method based on the large model MoE as described in claim 1, characterized in that, The specific steps for parsing and preprocessing access traffic are as follows: Protocol parsing and extraction: The original HTTP / HTTPS traffic is fully parsed using regular expression matching and key field identification to extract key fields; Context reorganization: Reorganize scattered fields into a Prompt sequence that meets the input requirements of a large model according to HTTP semantics; Lightweight Embedding: Uses a lightweight encoder to convert text sequences into high-dimensional vector representations, i.e., traffic feature vectors x, as input to large models based on the MOE architecture.

4. The intelligent WAF attack traffic discrimination method based on the large model MoE according to any one of claims 1 to 3, characterized in that, The specific methods for identifying large-model attacks based on the MOE architecture are as follows: Intelligent gated routing: Based on the input traffic feature vector x, a learnable gating function G(x) is used to determine the activated expert model; Multi-expert discrimination: Construct a set of specialized expert models, each of which is an independent feedforward neural network or a small Transformer block, focusing on identifying specific types of attacks or normal traffic. The large model of the MOE architecture is pre-trained with data from various attack samples, enabling each expert model to accurately identify a wide variety of attacks.

5. The intelligent WAF attack traffic discrimination method based on the large model MoE according to claim 4, characterized in that, The learnable gating function G(x) is formulated as follows: G(x)=TopK(softmax(x*w) g ),k)? Where x represents the flow feature vector; w g represents the gating weight matrix; softmax represents the normalization process in the dimension to obtain the probability distribution; TopK() represents selecting the k expert models with the highest probability, and setting the probability of the other expert models to 0; G(x) represents the final gating output, a probability vector.

6. The intelligent WAF attack traffic discrimination method based on the large model MoE according to claim 4, characterized in that, The number of expert models depends on the specific business requirements. Expert models include SQL injection experts, cross-site scripting experts, command execution experts, and business logic experts.

7. An intelligent WAF attack traffic discrimination system based on the large-scale MoE model, characterized in that, This system is used to implement the intelligent WAF attack traffic discrimination method based on the large model MoE as described in any one of claims 1 to 6; the system includes: The traffic acquisition module is used to collect access request traffic entering the Web application from the Web application firewall or the network environment in which the Web application firewall is located through traffic mirroring, bypass listening, log collection or interface call methods, so as to realize continuous collection and real-time acquisition of Web access request traffic. The traffic processing module is used to parse and preprocess access request traffic to generate structured request data; The traffic feature vector construction module is used to construct traffic feature vectors for attack traffic identification based on structured request data. The attack detection module is used to input traffic feature vectors into a large model based on the MOE architecture. The gating network controls one or more expert sub-models to perform attack detection on the access request traffic. The attack discrimination result output module is used to generate attack traffic discrimination results based on the discrimination results of the expert sub-model; The WAF protection policy execution module is used to execute the corresponding Web Application Firewall protection policy based on the attack traffic identification results.

8. The intelligent WAF attack traffic discrimination system based on the large model MoE according to claim 7, characterized in that, The traffic processing module includes: The protocol parsing and extraction submodule is used to perform full protocol parsing on raw HTTP / HTTPS traffic and extract key fields by using regular expression matching and key field identification. The context reorganization submodule is used to reorganize scattered fields into a Prompt sequence that meets the input requirements of large models according to HTTP semantics; The lightweight Embedding submodule is used to convert text sequences into high-dimensional vector representations, i.e., traffic feature vectors x, using a lightweight encoder, as input to a large model based on the MOE architecture. The attack detection module includes: The intelligent gated routing submodule is used to determine the activated expert model based on the input traffic feature vector x using a learnable gate function G(x); the formula for the learnable gate function G(x) is as follows: G(x)=TopK(softmax(x*w) g ),k)? Where x represents the flow feature vector; w g represents the gating weight matrix; softmax represents the normalization process in the dimension to obtain the probability distribution; TopK() represents selecting the k expert models with the highest probabilities, and setting the probabilities of the other expert models to 0; G(x) represents the final gating output, a probability vector. The multi-expert discrimination submodule is used to build a set of specialized expert models. Each expert model is an independent feedforward neural network or a small Transformer block, which focuses on identifying specific types of attacks or normal traffic. The large model of the MOE architecture is pre-trained with data from various attack samples, enabling each expert model to accurately identify a wide variety of attacks.

9. An electronic device, characterized in that, include: Memory and at least one processor; The memory stores computer-executed instructions; The at least one processor executes the computer execution instructions stored in the memory, causing the at least one processor to execute the intelligent WAF attack traffic discrimination method based on the large model MoE as described in any one of claims 1 to 6.

10. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores computer-executable instructions, which, when executed by the processor, implement the intelligent WAF attack traffic discrimination method based on the large model MoE as described in any one of claims 1 to 6.