A computer network security intelligent control system

By collecting network traffic rates in real time, generating abnormal interactive traffic distribution maps, analyzing attack sequences and generating attacker profiles, and combining asset criticality with defense strategies, this technology solves the problem of existing technologies being unable to effectively deal with complex network attacks, and realizes an intelligent control system for accurate identification and proactive defense.

CN122394857APending Publication Date: 2026-07-14郑州经贸学院

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
郑州经贸学院
Filing Date
2026-04-16
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

Existing technologies struggle to create a complete intelligent control system that integrates network traffic anomaly detection, attack behavior clustering, attack sequence generation, attacker profiling, and dynamic execution of defense strategies. This makes it difficult to effectively address complex network attacks and lacks the linkage between multi-dimensional attacker behavior profiling and dynamic defense strategies.

Method used

By collecting network traffic rates in real time, calculating the time-series change rate, generating an abnormal interactive traffic distribution map, extracting core feature information, and combining it with a hidden Markov model to analyze attack sequences, attacker profiles are generated. Based on asset criticality, defense strategies are matched to achieve dynamic patch delivery and adaptive traffic scheduling.

Benefits of technology

It enables accurate identification and isolation of complex network attacks, reduces false alarm rates, generates structured attacker profiles, and transforms from passive response to proactive, adaptive defense, ensuring the timeliness and stability of defense strategies.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122394857A_ABST
    Figure CN122394857A_ABST
Patent Text Reader

Abstract

The application provides a computer network security intelligent control system, and relates to the technical field of machine learning, and comprises: a traffic anomaly detection module that collects outgoing and incoming traffic rates in real time, calculates time sequence change rates, and determines abnormal monitoring time periods; an abnormal behavior clustering module that extracts deviation frequency, duration and access depth of each interaction behavior in the abnormal time period, generates an abnormal interaction traffic distribution map through clustering; an attack sequence generation module that extracts traffic features of nodes in the distribution map, matches core features with an attack feature library, and further analyzes and generates an attacker operation sequence; an attacker portrait modeling module that extracts full-amount traffic data of an attack source based on the operation sequence, performs multi-dimensional fusion modeling, and generates an attacker portrait containing behavior features, target preferences and link features; and a defense strategy execution module that combines the portrait with target asset criticality levels, matches a strategy library, and executes patch strategies and traffic scheduling strategies to realize closed-loop intelligent defense.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of machine learning technology, and in particular to a computer network security intelligent control system. Background Technology

[0002] With increasingly sophisticated cyberattacks and the widespread adoption of encrypted traffic, traditional security strategies based on static rules or perimeter defenses are struggling to cope with dynamic, high-frequency threats. Existing technologies include some anomaly detection schemes based on network traffic analysis, such as identifying engineering modification anomalies by collecting traffic data from specific devices (e.g., programmable logic controllers) or issuing alerts using simple traffic rate thresholds. However, these methods are often limited to single-dimensional metric comparisons or modification identification in specific scenarios, lacking deep clustering analysis of interactions between network entities, automatic parsing of attacker operation sequences, and dynamic modeling of attacker profiles. Furthermore, existing defense strategies are mostly fixed blocking or alerting, unable to adapt and fine-grained patching and traffic scheduling based on attacker profiles and the criticality of target assets.

[0003] For example, patent CN112906903B discloses a network security risk prediction method based on federated learning. This method distributes pre-trained model parameters to multiple clients for local training and aggregates intermediate parameters to a central server to obtain a global model. This global model is then used to predict risks in the enterprise network environment. This approach avoids the cleaning and labeling costs associated with directly collecting raw security data, thus improving prediction accuracy to some extent. However, it remains at the level of risk probability output. It cannot reverse engineer the specific operation sequences of attackers, generate multi-dimensional behavioral profiles of attackers, or establish a closed-loop linkage between the prediction results and dynamic defense strategies (such as patch delivery timing and malicious traffic redirection). Therefore, existing technologies lack a complete intelligent control system capable of realizing the entire process from traffic anomaly detection, attack behavior clustering, attack sequence generation, attacker profile construction to dynamic execution of defense strategies.

[0004] Therefore, this invention proposes a computer network security intelligent control system to overcome the shortcomings of the prior art. Summary of the Invention

[0005] In view of this, embodiments of the present invention provide a computer network security intelligent control system that collects network inbound and outbound traffic rates in real time and calculates the time-series change rate to determine abnormal monitoring time periods; extracts interactive behavior data during abnormal periods and clusters it to generate an abnormal interactive traffic distribution map; matches it with an attack feature library to filter core feature information containing traffic statistical features, topological centrality features, and time-series correlation features; extracts time-series parameters based on the core feature information to construct an observation sequence; combines a hidden Markov model to solve the attack phase sequence and parses it to generate the attacker's operation sequence; extracts the full traffic data of the attack source, decouples it after covariance matrix dimensionality reduction, and inputs it into a multilayer perceptron model to output a four-dimensional feature probability distribution, which is then normalized and integrated into a standardized attacker profile; finally, it combines asset criticality to match defense strategies, and achieves precise attack isolation and vulnerability repair through dynamic patching and adaptive traffic scheduling.

[0006] The technical solution of this invention is implemented as follows: This invention provides a computer network security intelligent control system, including: a traffic anomaly detection module, used to collect outbound and inbound traffic rates of the protected network in real time, calculate the temporal change rate of outbound and inbound traffic rates within each monitoring time period, perform entity interaction anomaly time period determination based on the temporal change rate, and generate anomaly monitoring time periods and normal monitoring time periods; an anomaly behavior clustering module, used to extract interaction behavior data of each interaction behavior instance within each anomaly monitoring time period, perform anomaly interaction behavior clustering processing, and generate anomaly interaction traffic distribution map; the interaction behavior data includes interaction deviation frequency, deviation duration, and deviation access depth; and an attack sequence generation module, used for... The system extracts traffic distribution characteristics from each network node in the abnormal interaction traffic distribution map, performs abnormal feature matching processing on the traffic distribution characteristics, and filters out core feature information that matches the preset attack traffic feature library. Based on the core feature information, it parses and generates attacker operation sequences. The attacker profiling module is used to extract the full amount of network traffic data generated by the attack source based on the attacker operation sequence, perform multi-dimensional fusion modeling, and generate an attacker profile. The attacker profile includes attack behavior characteristics, attack target preference characteristics, and attack link characteristics. The defense strategy execution module is used to match the attacker profile with the criticality level of the target assets of the protected network, match the preset defense strategy library, and execute the corresponding level of defense strategy. The defense strategies include patching strategies and traffic scheduling strategies.

[0007] The beneficial effects of the technical solutions provided in the embodiments of the present invention include at least the following: 1. The system first calculates the temporal rate of change of outbound and inbound traffic rates and, combined with an adaptively dynamically calibrated threshold range, accurately identifies abnormal monitoring time periods, avoiding false alarms or missed alarms caused by static thresholds. Based on this, a three-dimensional feature vector is constructed using interaction deviation frequency, deviation duration, and deviation access depth. Unsupervised clustering of abnormal interaction behaviors is then performed, automatically distinguishing core points, boundary points, and noise points, thereby generating an abnormal interaction traffic distribution map reflecting the actual attack path. This two-stage detection mechanism, combining temporal initial screening and behavioral deep clustering, effectively addresses encrypted traffic and complex attack patterns, significantly reducing false alarm rates and discovering unknown anomalies that traditional rules cannot identify.

[0008] 2. The system extracts multi-dimensional features such as node traffic entropy, traffic burstiness, port connection diversity, and betweenness centrality from the abnormal interaction traffic distribution map. After matching these features with the attack traffic feature database, core feature information is obtained, and then time-series correlation parameters are extracted. Using a pre-constructed attack phase transition probability matrix and observation probability matrix, a Hidden Markov Model is employed to solve for the most probable attack phase state sequence, which is then mapped to specific operational instructions to generate the attacker's operation sequence. This process elevates low-level traffic features to the attacker's tactical behavior chain, enabling the defender to clearly grasp the attack's steps, rhythm, and purpose, providing an interpretable basis for proactive defense decisions.

[0009] 3. Based on the full traffic data of the attack source, the system inputs it into a multilayer perceptron model after dimensionality reduction and decoupling using the covariance matrix. It outputs the probability distribution of the attacker's attack behavior characteristics, target preference characteristics, and link characteristics, generating a structured attacker profile. Simultaneously, combined with the criticality level of the target assets in the protected network, the system dynamically matches a defense strategy library: on one hand, the patching strategy calculates the patch urgency index based on the attack surface correlation characteristics, vulnerability exploitability scores, and attack link distances in the profile, and uses an LSTM model to predict the time window of the next attack, achieving precise control over the timing and scope of patch distribution; on the other hand, the traffic scheduling strategy automatically selects physical or logical isolation zones based on the attack type, and dynamically adjusts rate limiting thresholds and connection limits, guiding malicious traffic to the isolation zone according to the priority of the redirection path. This closed-loop control of the profile-asset-strategy three-layer linkage achieves a fundamental shift from passive response to proactive, adaptive defense.

[0010] 4. The system incorporates feedback and adaptive mechanisms in several key aspects: the traffic temporal change rate threshold range is updated via a sliding window based on newly added normal monitoring data every preset calibration period; the traffic scheduling strategy reassesses the attack traffic status every preset scheduling time window and uses a moving average algorithm to smoothly update the rate limiting threshold ratio and connection limit threshold, avoiding network instability caused by sudden policy changes; for assets in the warning range, patches are dynamically selected based on the current bandwidth load and then distributed in order of urgency after bandwidth recovery. These periodic assessment and smooth adjustment mechanisms enable the system to continuously adapt to changes in the network environment and attack landscape, maintaining the timeliness and stability of the defense strategy while avoiding resource overload or service interruption. Attached Figure Description

[0011] Figure 1 This is a schematic diagram of a computer network security intelligent control system structure provided in an embodiment of the present invention; Figure 2 This is a flowchart of a patching strategy based on a computer network security intelligent control system provided in an embodiment of the present invention; Figure 3 This is a flowchart of a traffic scheduling strategy based on a computer network security intelligent control system provided in an embodiment of the present invention. Detailed Implementation

[0012] To make the objectives, technical solutions, and advantages of this application clearer, the embodiments of this application will be described in further detail below with reference to the accompanying drawings.

[0013] This invention provides a computer network security intelligent control system. For example... Figure 1 The diagram shows the structure of a computer network security intelligent control system. This system includes: a traffic anomaly detection module, used to collect the outbound and inbound traffic rates of the protected network in real time, and calculate the time-series change rate of the outbound and inbound traffic rates within each monitoring time period. Based on the time-series change rate, the entity interaction abnormal time period is determined, and abnormal monitoring time periods and normal monitoring time periods are generated.

[0014] The steps for determining abnormal time periods in entity interaction include: comparing the time-series change rates of outbound and inbound flow rates within each monitoring time period with a preset threshold range for flow time-series change rates; if the time-series change rate exceeds the preset threshold range for flow time-series change rates within any monitoring time period, then that time period is determined to be an abnormal monitoring time period; if the time-series change rate does not exceed the preset threshold range for flow time-series change rates, then that time period is determined to be a normal monitoring time period.

[0015] The threshold range for the flow time-series change rate is obtained through statistical calibration based on the flow time-series data within the historical normal monitoring period of the protected network. Specifically, this includes: collecting the flow time-series data of the protected network that has been marked as normal monitoring periods within a preset historical period; calculating the time-series change rate of outbound and inbound flow rates within each normal monitoring period to form a normal change rate sample set; calculating the mean and standard deviation of the normal change rate sample set; recording the product of the preset threshold width coefficient and the standard deviation as the threshold correction amount; setting the lower limit of the flow time-series change rate threshold range as the difference between the mean and the threshold correction amount; setting the upper limit as the sum of the mean and the threshold correction amount; and updating the mean and standard deviation with a sliding window based on newly added normal monitoring data every preset calibration period to achieve adaptive dynamic calibration of the threshold range.

[0016] This invention compares the temporal change rates of outbound and inbound flow rates within each monitoring time period with a preset threshold range for flow temporal change rates. Based on whether the temporal change rate exceeds the threshold range, it accurately determines whether the corresponding monitoring time period is an abnormal or normal monitoring time period. Simultaneously, this threshold range for flow temporal change rates is statistically calibrated using flow temporal data from historical normal monitoring time periods of the protected network. A normal change rate sample set is constructed by collecting flow temporal data marked as normal within a preset historical period and calculating the corresponding temporal change rate. The mean and standard deviation of the sample set are then calculated, and combined with a preset threshold width coefficient, a threshold correction amount is derived, which is used to set the upper and lower limits of the threshold range. Furthermore, every [period]... The preset calibration cycle uses newly added normal monitoring data to update the mean and standard deviation through a sliding window, achieving adaptive dynamic calibration of the traffic time-series change rate threshold range. This effectively avoids the misjudgment and missed judgment problems caused by fixed thresholds, making the judgment results of abnormal time periods more consistent with the actual traffic operation patterns of the protected network. This significantly improves the accuracy and reliability of entity interaction anomaly judgment. At the same time, the dynamic calibration mechanism can adapt to the dynamic change characteristics of network traffic, enhance the system's adaptability to different network operation scenarios, and provide accurate and reliable judgment basis for subsequent abnormal behavior clustering, attack sequence analysis, and defense strategy execution. This further ensures the stable and efficient operation of the entire computer network security intelligent control system's detection and defense links.

[0017] The abnormal behavior clustering module is used to extract the interaction behavior data of each interaction behavior instance within each abnormal monitoring time period, perform abnormal interaction behavior clustering processing, and generate an abnormal interaction traffic distribution map. The interaction behavior data includes interaction deviation frequency, deviation duration, and deviation access depth. Interaction deviation frequency refers to the ratio of the number of deviations between the actual interaction behavior and the normal interaction behavior of a single interaction behavior instance within the abnormal monitoring time period to the total number of interactions within that time period. Deviation duration refers to the duration from the first occurrence of interaction deviation of a single interaction behavior instance to the end of the deviation state. Deviation access depth refers to the depth of the access level of a single interaction behavior instance to the protected network when it deviates from the normal interaction. The access level depth ranges from [0,10]. For example, the access levels are divided into network boundary access (1-2 points), intranet ordinary node access (3-5 points), core asset node access (6-8 points), and core asset sensitive data access (9-10 points) from low to high. The scoring criteria are based on the preset asset level division of the protected network.

[0018] The steps for performing clustering processing of abnormal interaction behaviors include: presetting an initial cluster radius and a minimum deviation density threshold; constructing a corresponding three-dimensional feature vector for each interaction behavior instance based on the interaction behavior data; traversing the three-dimensional feature vectors of each interaction behavior instance, calculating the feature distance between the current interaction behavior instance and other interaction behavior instances, and counting the number of instances whose feature distance does not exceed the initial cluster radius; if the number of instances reaches the minimum deviation density threshold, then the current interaction behavior instance is marked as a core point, other interaction behavior instances in its neighborhood are marked as boundary points, and all points in the neighborhood centered on the core point are marked as clusters; if the number of instances does not reach the minimum deviation density threshold and is not in the neighborhood of any core point, then the current interaction behavior instance is marked as a cluster. Behavioral instances are marked as noise points. For each cluster, the behavioral deviation distance between its center vector and the preset typical normal behavioral baseline vector is calculated. If the behavioral deviation distance exceeds the preset upper limit of the deviation distance baseline, the cluster is marked as an abnormal interaction cluster. The network nodes and interaction paths covered by each abnormal interaction cluster are extracted and visualized using a graph structure to generate an abnormal interaction traffic distribution map of the protected network. In this map, the graph nodes represent each network node in the protected network, such as core servers, terminal devices, routers, and border firewalls. The graph edges represent the interaction paths between each network node. The weight of the graph edges is determined by a comprehensive weighted processing of the average interaction deviation frequency and the average deviation duration of the sample points within the cluster.

[0019] This invention, through a preset initial clustering radius and minimum deviation density threshold, focuses on the frequency, duration, and depth of deviation in interactive behavior data to construct a corresponding three-dimensional feature vector for each interactive behavior instance, comprehensively and accurately characterizing the abnormal features of each interactive behavior. Subsequently, it iterates through the three-dimensional feature vectors of all interactive behavior instances, calculating the feature distance between the current instance and other instances, and combining this with the minimum deviation density threshold to accurately mark core points, boundary points, and noise points. This effectively eliminates meaningless abnormal interference data, avoiding the influence of noise points on the clustering results. Simultaneously, clusters are formed around the core points, ensuring the accuracy and effectiveness of the clustering results. Next, for each cluster, the deviation distance between its center vector and a preset typical normal behavior benchmark vector is calculated. By comparing this deviation distance with the preset upper limit, truly threatening abnormal interaction clusters are accurately screened, eliminating false clusters caused by normal fluctuations, further improving the accuracy of abnormal interactive behavior identification. Finally, it extracts... The network nodes and interaction paths covered by each abnormal interaction cluster are visualized using a graph structure to generate an abnormal interaction traffic distribution map. Graph nodes clearly correspond to various types of nodes in the network, and graph edges represent the interaction paths between nodes. The edge weights are determined by a comprehensive weighting of the average interaction deviation frequency and average deviation duration of sample points within the cluster. This intuitively reflects the degree of abnormality of each interaction path. It not only achieves accurate clustering and filtering of abnormal interaction behaviors but also transforms abstract interaction data into intuitive visualizations, facilitating rapid location of abnormal network nodes, identification of high-risk interaction paths, and a clear understanding of the distribution characteristics and severity of abnormal network interactions. This provides accurate, comprehensive, and intuitive data support for the subsequent attack sequence generation module to extract traffic distribution characteristics and analyze attacker operation sequences. It effectively improves the system's efficiency and depth of abnormal interaction behavior identification, laying a solid foundation for the accurate formulation of subsequent defense strategies and further enhancing the targetedness and effectiveness of computer network security protection.

[0020] The attack sequence generation module is used to extract the traffic distribution characteristics of each network node in the abnormal interaction traffic distribution map, perform abnormal feature matching processing on the traffic distribution characteristics, and filter out the core feature information that matches the preset attack traffic feature library; based on the core feature information, it parses and generates the attacker's operation sequence.

[0021] The steps for performing anomaly feature matching processing include: traversing the traffic distribution characteristics of each network node in the anomaly interaction traffic distribution graph. These characteristics include node traffic entropy, traffic burstiness, and port connection diversity index. Obtaining the node traffic entropy involves first identifying the target network node to be calculated, then statistically analyzing the traffic of all ports on that node, calculating the proportion of traffic from each port to the total traffic of that node, and then quantifying the degree of disorder in the node's traffic distribution using information entropy calculation logic. The core of this process is to reflect the balance of node traffic through the distribution of traffic proportions from each port. The analysis considers the following: the tendency towards abnormality; the traffic burst rate is the ratio of peak traffic to average traffic within the current monitoring period for that node; the port connection diversity index is the ratio of the number of active ports to the total number of ports for that node; the node traffic entropy value is matched against the baseline tolerance range of entropy values ​​in the preset attack traffic feature library, and nodes whose traffic entropy values ​​are within the baseline tolerance range are selected as candidate nodes; the time series sequences of the traffic burst rate and port connection diversity index of the candidate nodes are compared with the corresponding time series sequences of each attack template in the preset attack traffic feature library to calculate the first similarity component and the second phase. The similarity component is obtained by comprehensively weighting the first and second similarity components to obtain the similarity score of each attack template. Based on the similarity score and the betweenness centrality parameter of the candidate node in the abnormal interaction traffic distribution graph, a comprehensive weighting process is performed to calculate its confidence score with each attack template in the feature library. The betweenness centrality parameter includes node betweenness centrality and edge betweenness centrality. Node betweenness centrality measures the hub status of a node in the network path and is calculated as the proportion of the number of paths passing through that node in all shortest paths to the total number of shortest paths. Edge betweenness centrality measures the influence of graph edges in the network path. The hub degree in the network is calculated as the proportion of the number of paths passing through that edge out of the total number of shortest paths. Among the attack templates with similarity scores exceeding the preset matching threshold, the feature subset with the highest confidence score is determined as the core feature information that matches the preset attack traffic feature library. The core feature information includes the node traffic entropy, traffic burstiness, port connection diversity index, node betweenness centrality, and edge betweenness centrality of network nodes. It also carries temporal correlation features that can be used to extract the order of attacker appearance, duration, and time interval between operations, to support the parsing and generation of attacker operation sequences.

[0022] The attack traffic feature library is a set of prior knowledge for anomaly feature matching. Its core contains traffic behavior feature templates corresponding to various known attack patterns. Specifically, it includes: entropy baseline tolerance range (used to determine the degree of disorder in node traffic), traffic burstiness time series templates (such as the instantaneous peak patterns of distributed denial-of-service attacks), port connection diversity index sequence templates (such as port activity patterns during scanning and probing), and abnormal fluctuation benchmarks for node betweenness centrality and edge betweenness centrality. In application, the system performs similarity calculations and weighted matching between the real-time features of candidate nodes in the abnormal interaction traffic distribution map (such as node traffic entropy values ​​and burstiness time series) and the attack templates in this library, thereby filtering out the core feature information with the highest confidence.This invention, through traversing the traffic distribution characteristics of each network node in an abnormal interaction traffic distribution diagram, clarifies the specific acquisition logic of three core features: node traffic entropy, traffic burstiness, and port connection diversity index. Specifically, by accurately calculating the traffic proportion of each port of the target node and combining it with information entropy logic to calculate the node traffic entropy, the degree of disorder in node traffic distribution can be effectively quantified, clearly reflecting traffic balance and abnormal tendencies. The traffic burstiness is obtained by calculating the ratio of peak traffic to average traffic within the current monitoring period, and the port connection diversity index is obtained by calculating the ratio of active ports to total ports, comprehensively capturing the dynamic fluctuation characteristics of node traffic and port connection status. Subsequently, by analyzing the node traffic... The entropy value is matched with the baseline tolerance range of the entropy value in the preset attack traffic feature library to accurately screen candidate nodes with abnormal tendencies, effectively narrowing the feature matching range, improving matching efficiency, avoiding interference from invalid nodes, and reducing redundant calculations. Then, the time series sequences of traffic burstiness and port connection diversity index of the candidate nodes are compared with the corresponding time series sequences of each attack template in the preset attack traffic feature library. The first and second similarity components are calculated and weighted to obtain the similarity score of each attack template. Simultaneously, the node betweenness centrality (measuring the node's pivotal position in the network path) of the candidate nodes in the abnormal interaction traffic distribution map is considered. Edge betweenness centrality (a measure of the pivotal nature of graph edges in network paths) is used to calculate its confidence score with each attack template through a comprehensive weighted calculation. This achieves a multi-dimensional and comprehensive consideration of anomaly feature matching, effectively avoiding misjudgments and omissions caused by single feature matching, and significantly improving the accuracy and reliability of anomaly feature matching. Finally, the subset of features with similarity scores exceeding a preset matching threshold and the highest confidence scores is selected as core feature information. This core feature information not only covers key features such as node traffic entropy, traffic burstiness, port connection diversity index, and node betweenness centrality and edge betweenness centrality, but also carries information that can be used to extract the order and duration of attacker appearance. The temporal correlation characteristics of time intervals between operations not only enable accurate identification and screening of core features of abnormal traffic, ensuring that the extracted feature information has high correlation and high reliability, but also provide comprehensive, accurate and temporally correlated core data support for the parsing and generation of attacker operation sequences. This effectively improves the accuracy, completeness and efficiency of attacker operation sequence parsing, and provides a scientific and reliable basis for subsequent attacker profiling and defense strategy formulation. It enhances the entire computer network security intelligent control system's ability to identify network attacks, the depth of analysis and the efficiency of response, and further strengthens the pertinence and effectiveness of network security protection, helping to block network attacks in a timely and accurate manner.

[0023] The steps for generating attacker operation sequences include: extracting temporal correlation parameters based on core feature information. These parameters include the attacker's appearance order, duration, and time interval between operations. The appearance order is used to construct the observation sequence of core feature information, the duration is used to quantify the stability of each core feature information, and the time interval between operations is used to characterize the temporal tightness between adjacent feature information. The attack phase transition probability matrix is ​​trained and constructed based on historical attack chain data, resulting in transition probability and observation probability matrices. The historical attack chain data includes the transition frequency between each attack phase and the appearance frequency of each core feature information. Specifically, the historical attack chain data is preprocessed to remove abnormal and invalid data. To ensure data accuracy, duplicate data is removed. Next, the frequency of transitions between attack stages is calculated, i.e., the number of times data is transferred from one attack stage to another. The frequency of each attack stage's transitions is divided by the total frequency of transitions in that attack stage, and normalization is performed to obtain the attack stage transition probability matrix. Then, the frequency of occurrence of each core feature information under each attack stage is calculated. This frequency is divided by the total frequency of occurrence of all core feature information under that attack stage, and normalization is performed to obtain the observation probability matrix. Finally, temporal correlation parameters are used as observation states and mapped to the corresponding attack stage states in the pre-defined attack chain model to construct... The core feature information observation sequence and attack chain model include six stages: reconnaissance and detection, vulnerability exploitation, privilege escalation, lateral movement, data theft, and trace erasure. Each stage corresponds to a unique feature identifier and a corresponding temporal correlation parameter matching condition, forming a stage-parameter mapping table. Specifically, this includes: quantifying the extracted temporal correlation parameters, where the attacker's appearance order is converted into a sequence number, the duration is converted into a minute-level quantized value, and the time interval between operations is converted into a second-level quantized value; comparing the quantized temporal correlation parameters with the matching conditions of each attack stage in the stage-parameter mapping table to determine the attack stage state corresponding to each temporal correlation parameter; and assigning each temporal correlation parameter to a corresponding attack stage according to the attacker's appearance order. The attack phase states corresponding to the numbers are arranged sequentially to form an ordered observation sequence. Each element of the observation sequence is an attack phase feature identifier, and the sequence length is consistent with the number of core feature information elements. This ensures that the observation sequence fully reflects the temporal distribution of the core feature information while corresponding to the phase order of the attack chain model, providing a foundation for subsequently solving the optimal attack phase state sequence. Based on the observation sequence, the attack phase transition probability matrix, and the observation probability matrix, the most probable attack phase state sequence is solved. Specifically, this includes: initializing the initial probability of each attack phase, and using the product of the initial probability and the observation probability of the first observation value in the corresponding attack phase as the initial cumulative probability of each attack phase.For each subsequent observation in the observation sequence, all attack stages are traversed, and the cumulative probability of each attack stage transitioning from all previous attack stages is calculated. This is achieved by multiplying the cumulative probability of the previous stage by the transition probability between two stages, and then multiplying this product by the observation probability of the current observation under that attack stage. The maximum cumulative probability corresponding to each attack stage is selected as the current cumulative probability of that stage, and the previous attack stage corresponding to this maximum cumulative probability is recorded. After traversing all observations, the stage with the highest cumulative probability among all attack stages is selected as the final attack stage. Starting from the final attack stage, the complete attack stage state sequence is obtained by backtracking based on the previously recorded information of the previous attack stage, which is the most likely attack stage state sequence. Based on the transition triggering conditions between states in the attack stage state sequence, and combined with a preset attack instruction mapping library, the corresponding specific operation instructions are parsed out. The specific operation instructions are arranged in chronological order to generate the attacker's operation sequence. The attack instruction mapping library is a mapping table used to restore the abstract attack stage state to specific executable operations. It stores the correspondence between each stage of the attack chain model (such as reconnaissance and detection, vulnerability exploitation, privilege escalation, etc.) and specific attack behavior instructions. Each entry includes: instruction code (such as specific vulnerability exploitation tool commands, scanning parameters), execution conditions (such as required privileges, target environment dependencies), and operational purpose (such as information gathering, credential theft).

[0024] This invention extracts temporal correlation parameters such as the attacker's appearance order, duration, and operation time interval based on core feature information. The appearance order is used to construct the observation sequence of core feature information, the duration quantifies the stability of each core feature, and the operation time interval characterizes the temporal tightness of adjacent feature information. This comprehensively captures the temporal patterns and correlation features of the attacker's operations, laying the foundation for subsequent attack phase mapping and sequence parsing. Subsequently, an attack phase transition probability matrix and an observation probability matrix are trained based on historical attack chain data. The historical attack chain data is preprocessed to remove abnormal, invalid, and duplicate data to ensure data accuracy. Finally, the transition frequency of each attack phase is statistically analyzed and normalized. The transition probability matrix is ​​obtained, and the frequency of occurrence of core feature information in each attack stage is statistically analyzed and normalized to obtain the observation probability matrix. This provides scientific and reliable model support for solving the attack stage state sequence, effectively improving the accuracy of the sequence solution. Next, the temporal correlation parameters are used as observation states, and are converted into comparable values ​​through quantization. These values ​​are compared with the stage-parameter mapping table of the preset attack chain model to determine the attack stage state corresponding to each temporal correlation parameter. The observation sequence is then arranged according to the attacker's appearance order to form an observation sequence. This ensures that the observation sequence can fully reflect the temporal distribution of core feature information and accurately correspond to the stage order of the attack chain model, providing a reasonable basis for solving the optimal attack stage state sequence. The process involves several steps. First, based on the observation sequence, transition probability matrix, and observation probability matrix, initial probabilities are initialized, cumulative probabilities for each attack stage are calculated sequentially, optimal transition paths are recorded, and backtracking is performed to determine the most probable attack stage state sequence. This effectively avoids misjudgments caused by single features or random factors, ensuring the reconstructed attack stage flow closely matches the actual attack process. Finally, based on the transition triggering conditions of each state in the attack stage state sequence, and combined with a pre-set attack instruction mapping library (which stores the mapping relationship between attack stages and attack instructions), specific operation instructions are parsed and arranged chronologically to generate a complete attacker operation sequence. This entire process realizes the transformation from core feature information to temporal correlation parameters, and then to the attack... The step-by-step, precise analysis from the initial sequence of stages to the final specific operational instructions not only completely and accurately reconstructs the attacker's entire operational process, clearly presenting the attacker's attack logic, operational sequence, and behavioral intent, but also provides comprehensive and accurate operational behavior data support for subsequent attacker profiling, making the construction of attacker profiles more targeted and realistic. Simultaneously, it provides clear attack behavior evidence for the defense strategy execution module to accurately match defense strategies and block attack processes, effectively improving the system's depth of analysis and accuracy of response to network attacks. This further strengthens the initiative and effectiveness of computer network security protection, helping to promptly detect attack trajectories, block attack behaviors, and safeguard network security.

[0025] The attacker profiling module is used to extract full network traffic data generated by the attack source based on the attacker's operation sequence, perform multi-dimensional fusion modeling, and generate an attacker profile. The attacker profile includes attack behavior characteristics, attack target preference characteristics, and attack link characteristics. The steps for multi-dimensional fusion modeling to generate attacker profiles include: extracting multi-dimensional feature parameters from the full network traffic data generated by the attack source, including source IP address, protocol type, static characteristics of attack tools, attack path trajectory, attack frequency, and time-series distribution information; assigning initial fusion weights to each dimension based on the contribution of each multi-dimensional feature parameter to the attacker profile, and performing dimensionality reduction and correlation decoupling based on the covariance matrix between the multi-dimensional feature parameters to generate low-dimensional fusion feature vectors. Specifically, this includes: calculating the covariance matrix between each data dimension to quantify the linear correlation between dimensions; performing eigenvalue decomposition on the covariance matrix to obtain eigenvalues ​​and corresponding eigenvectors; selecting a preset number of eigenvectors with eigenvalues ​​greater than a preset threshold, the preset number being dynamically determined according to preset dimensionality reduction accuracy requirements to ensure that the dimensionality-reduced feature vectors retain the core information of the original data; and projecting the original multi-dimensional feature parameters onto the feature space formed by the selected feature vectors to obtain low-dimensional fusion feature vectors, thereby achieving correlation decoupling of information between dimensions and eliminating redundant information between dimensions. The covariance matrix is ​​a symmetric matrix used to quantify the degree of linear correlation between any two dimensions of a multi-dimensional feature parameter. Its dimensions are the same as those of the multi-dimensional feature parameters (assuming the multi-dimensional feature parameters contain k dimensions, then the covariance matrix is ​​a k×k matrix). The element in the i-th row and j-th column of the matrix represents the covariance between the i-th and j-th dimension feature parameters. A positive covariance value indicates a positive correlation between the two dimensions, a negative value indicates a negative correlation, and a value of 0 indicates no linear correlation. The larger the absolute value, the higher the degree of correlation. Its core function is to mine redundant information between multi-dimensional feature parameters, providing data support for subsequent dimensionality reduction and correlation decoupling.

[0026] The specific steps for obtaining the covariance matrix are as follows: Quantize and encode the multi-dimensional feature parameters to obtain numerical data; calculate the mean vector of each dimension; calculate the covariance between each pair of dimensions based on the sample data and the mean vector; and fill in the matrix to form the covariance matrix. For any two dimensions i and j, calculate the covariance Cov(i,j) between the i-th and j-th dimensions using the following formula: ,in This represents the k-th sample data in the i-th dimension. This represents the k-th sample data in the j-th dimension, where n represents the total number of samples. and Let represent the sample means of the features in the i-th and j-th dimensions, respectively. The denominator is set to n-1 to achieve unbiased estimation of the covariance. All calculated covariance elements Cov(i,j) are filled in their corresponding positions to form a 6×6 covariance matrix. The diagonal elements of the matrix represent the covariance (variance) of each dimension itself, and the off-diagonal elements represent the covariance of the corresponding two dimensions. This results in a complete covariance matrix, used for subsequent eigenvalue decomposition, dimensionality reduction, and correlation decoupling operations. The low-dimensional fused feature vector is input into a pre-defined multilayer perceptron model, which outputs the probability distributions of the attacker's attack behavior features, attack target preference features, and attack chain features. After normalizing the probability distributions, they are combined to generate a structured attacker profile, specifically including: a pre-defined structured... The attacker profiling framework is divided into four levels: primary dimensions (i.e., four core dimensions: attack behavior characteristics, attack target preference characteristics, and attack chain characteristics) and secondary dimensions (specific features under each primary dimension). The secondary dimensions of attack behavior characteristics include attack frequency, attack duration, attack triggering method (active / passive), and attack intensity. The secondary dimensions of attack target preference characteristics include preferred attack asset types (core servers / terminal devices, etc.), preferred attack ports, and preferred attack time periods. The secondary dimensions of attack chain characteristics include the number of hops in the attack path, the types of nodes traversed by the path, the path hop frequency, and the path concealment. The normalized probability distribution is mapped to a predefined hierarchical profiling framework. The framework includes primary dimensions of attack behavior features, attack target preference features, and attack chain features, as well as secondary features corresponding to each dimension. The secondary dimensions of attack behavior features include attack frequency, attack duration, attack triggering method, and attack intensity. The secondary dimensions of attack target preference features include preferred attack asset type, preferred attack port, and preferred attack time period. The secondary dimensions of attack chain features include attack path hop count, path node type, path hop frequency, and path concealment. The attacker profile is generated by key-value pair structured integration according to the hierarchical structure of primary dimensions, secondary dimensions, and normalized probabilities. The generated attacker profile is validated to ensure that the sum of the probabilities of the secondary features under each primary dimension is 1. If there are probability anomalies, the multilayer perceptron model is called back to optimize the parameters and output a standardized attacker profile that conforms to the attack behavior features. The multilayer perceptron model is a fully connected feedforward neural network, consisting of an input layer, hidden layers, and an output layer. The hidden layers use a modified linear unit activation function, and the output layer uses a soft maximization function to output the probability distribution. The model is trained in a supervised manner on a labeled dataset and iteratively trained until convergence using a cross-entropy loss function and an adaptive moment estimation optimizer.

[0027] This invention extracts multi-dimensional feature parameters from the full network traffic data generated by the attack source, including source IP address, protocol type, static features of attack tools, attack path trajectory, attack frequency, and time-series distribution information. Initial fusion weights are assigned based on the contribution of each feature dimension to the attacker profile. The multi-dimensional feature parameters are then quantified and encoded to obtain numerical data. The mean vectors of each dimension are calculated to fill the formed-order covariance matrix to accurately quantify the linear correlation of each dimension and uncover redundant information between features. Subsequently, eigenvalue decomposition is performed on the covariance matrix. Based on preset eigenvalue thresholds and dimensionality reduction accuracy requirements, corresponding feature vectors are selected to construct a feature space. The original multi-dimensional feature parameters are projected into this space to obtain a low-dimensional fused feature vector. This achieves decoupling of correlations and removal of redundant information across dimensions, effectively simplifying computational complexity and improving modeling efficiency while fully preserving the core features of the original data. The low-dimensional fused feature vector is then input into a multilayer perceptron model trained under supervised training on a labeled dataset, using a cross-entropy loss function and an adaptive moment estimation optimizer until convergence. The hidden layers of this fully connected feedforward neural network are used to correct the activation function and output of the linear units. The layered soft maximization function outputs the probability distribution of attackers across three primary dimensions: attack behavior characteristics, attack target preference characteristics, and attack chain characteristics. After normalization, this distribution is mapped to a pre-defined hierarchical profiling framework. This is combined with secondary features such as attack frequency, attack duration, preferred attack asset types, and attack path hop count, and structured integration is achieved in key-value pairs. Model parameters are optimized by checking that the sum of the probabilities of the secondary features under each primary dimension is 1. The final output is a standardized attacker profile that closely reflects actual attack behavior. This multi-dimensional fusion modeling approach not only solves the problem of insufficient profile accuracy caused by mutual interference and information redundancy among multiple feature dimensions, but also achieves in-depth mining and intelligent classification of attack features through dimensionality reduction and deep learning models. This allows the generated attacker profile to comprehensively, clearly, and structurally display the attacker's behavioral patterns, target preferences, and attack chain characteristics. It provides detailed and reliable core evidence for the subsequent defense strategy execution module to accurately match defense strategies and implement targeted defense, significantly improving the intelligence and targeting of network security protection. This helps the system quickly identify attack characteristics, predict attack trends, and efficiently block attack behavior.

[0028] The defense strategy execution module is used to match the attacker profile with the criticality level of the target assets in the protected network, and execute the corresponding level of defense strategy based on the preset defense strategy library. The defense strategy library refers to the set of protection parameter rules stored internally by the criticality level of the target assets, used to achieve accurate mapping between assets of different importance and differentiated protection levels. The content mainly consists of two categories of threshold parameters: one is the urgency threshold for patching strategies (determining whether patches are forcibly distributed or subject to warning screening); the other is the traffic rate limiting baseline threshold ratio (the ratio of the maximum allowed traffic rate to the total bandwidth under normal conditions) and the connection number baseline limit threshold (the maximum number of concurrent connections allowed per IP under normal conditions) for traffic scheduling strategies. The application method is as follows: The system first quantifies the criticality level (e.g., high, medium, low) of assets based on their business importance (e.g., core servers, edge terminals) in the protected network. Then, it retrieves the preset parameter values ​​corresponding to the level from the defense policy library. For example, high-risk core assets are matched with a lower tolerance for rate limiting and a higher threshold for patch urgency, thereby dynamically determining the mandatory scope of patch distribution or the degree of tightening of traffic control. The defense policy includes patch policy and traffic scheduling policy. The patch policy is used to dynamically determine the scope and timing of patch distribution to achieve targeted vulnerability repair. The traffic scheduling policy is used to dynamically adjust the traffic rate limiting threshold and connection limit threshold of network traffic to isolate attack sources and prevent attack spread.

[0029] Figure 2This is a flowchart of a patching strategy based on a computer network security intelligent control system provided in this embodiment of the invention. The specific steps of the patching strategy are as follows: Based on the attack target preference characteristics and attack link characteristics in the attacker profile, extract attack surface related feature parameters, including asset type parameters, vulnerability type parameters, and network topology node jump parameters; Collect assets in the protected network that match the attack surface related feature parameters and whose vulnerability exploitability score exceeds a preset exploitability threshold, and compile them into a target asset list. Asset type parameters include device category, operating system version, and open service port number; vulnerability type parameters include CVE (Common Vulnerabilities and...) Exposures (General Vulnerability Disclosures) number and exploitation type; network topology node hop parameters include the number of hops from the attack source to the target asset and the network area identifiers traversed; vulnerability exploitability score is a quantitative score obtained by weighting attack path, attack complexity, permission requirements, and user interaction indicators in the general vulnerability scoring system standard; patch urgency index is calculated for each asset in the target asset list, which is obtained by comprehensively weighting asset criticality, vulnerability exploitability score, and distance in the attack chain, where asset criticality is obtained by quantifying the business importance level of the asset in the protected network; vulnerability exploitability score is obtained based on the general vulnerability scoring system standard; distance in the attack chain refers to the number of hops from the attack source to the asset in the network topology; each asset is sorted in descending order based on its patch urgency index, protection priority is divided according to the criticality level of the target asset, and the patch distribution scope is dynamically determined; based on the attack execution timeline in the attacker's operation sequence, the time interval and attack duration of each attack step in the attacker's operation sequence are analyzed, and a pre-trained time series prediction model (LSTM model, Long Short-Term) is used. The Long Short-Term Memory (LSTM) network fits the attack time pattern and predicts the time window of the next possible attack. The LSTM model is pre-trained on a dataset of historical attack operation sequences, and the prediction error is controlled within a preset range. The timing of the patch strategy is set to complete the distribution and installation of the corresponding patch before the predicted time window.

[0030] This invention extracts attack surface-related feature parameters, including asset type parameters, vulnerability type parameters, and network topology node jump parameters, based on the attacker's target preference characteristics and attack chain characteristics in the attacker's profile. Combined with a vulnerability exploitability score calculated using indicators such as attack path and attack complexity from a general vulnerability scoring system standard, it accurately selects target assets that match the attack surface characteristics and whose vulnerability exploitability exceeds a preset threshold, forming a target asset list. This effectively avoids the resource waste caused by indiscriminate patch deployment, ensuring that patch deployment focuses on high-risk assets. Subsequently, by comprehensively weighting asset criticality, vulnerability exploitability score, and attack chain distance, a patch urgency index is calculated for each target asset. The assets are sorted in descending order of the index and protection priorities are determined based on asset criticality levels, dynamically determining the patch distribution scope. This achieves hierarchical control of patch deployment, ensuring that core high-risk assets receive vulnerability patching first, improving the targeting and rationality of patch deployment. Simultaneously, by combining the attacker's operation sequence with the attack timeline, the time interval and duration of each attack step are analyzed. This system utilizes an LSTM time-series prediction model trained on a dataset of historical attack sequences, with prediction errors controlled within a preset range, to fit attack time patterns and accurately predict the time window of the next potential attack. Patch deployment is scheduled to be completed before this predicted time window, effectively avoiding the problem of patch deployment lagging behind attack behavior and achieving forward-looking and timely patch deployment. The entire patching strategy process achieves intelligent management and control throughout the entire process, from accurate identification of high-risk assets and scientific priority allocation of patches to accurate prediction of deployment time. This not only significantly improves the efficiency and accuracy of patch deployment, avoiding network resource consumption and business interruptions caused by blindly patching, but also proactively blocks vulnerabilities that attackers may exploit, blocking attack paths at the source. This significantly enhances the targeted and proactive nature of vulnerability remediation, builds a robust vulnerability protection barrier for protected network core assets, further improves the defense effectiveness of the entire computer network security intelligent control system, reduces network attack losses caused by vulnerability exploitation, and ensures the stable and secure operation of the network system.

[0031] The steps for dynamically determining the patch distribution scope include: matching the defense strategy library based on the criticality level of the target asset to obtain the corresponding preset urgency threshold; including assets with patch urgency indices exceeding the urgency threshold in the mandatory distribution scope and distributing them first; ensuring that high-risk assets are quickly repaired; and for assets whose patch urgency indices do not exceed the urgency threshold but are within the preset urgency warning range, dynamically filtering is performed based on the current bandwidth load of the protected network: if the bandwidth load is lower than the preset load threshold, such assets are included in the distribution scope and distributed synchronously with assets in the mandatory distribution scope; if the bandwidth load is higher than the preset load threshold, they are not included in the distribution scope, and are distributed in descending order of patch urgency index after the bandwidth load drops below the threshold.

[0032] This invention, through matching the criticality level of target assets with a pre-set urgency threshold, prioritizes and includes assets with patch urgency indices exceeding the threshold in the mandatory patching scope. This clarifies the remediation priority of high-risk assets, ensuring core high-risk assets receive rapid patch deployment and vulnerability remediation, minimizing the time high-risk assets are exposed to vulnerability threats, reducing the probability of attackers exploiting vulnerabilities, and preventing core assets from being damaged due to unpatched vulnerabilities, thus ensuring the security and stability of core network services. Simultaneously, for assets with patch urgency indices below the threshold but within a pre-set urgency warning range, dynamic filtering is performed based on the current bandwidth load of the protected network. When the bandwidth load is below a pre-set threshold, these assets are included in the patching scope and distributed simultaneously with assets in the mandatory patching scope. This achieves vulnerability remediation for potentially risky assets, comprehensively covering vulnerabilities that could be exploited by attackers, without affecting normal network data transmission and business operations due to excessive bandwidth consumption during patch distribution. When the bandwidth load is above a pre-set threshold, the patching process is more efficient. When setting a load threshold, such assets are temporarily excluded from the patch distribution scope. Once the bandwidth load drops below the threshold, patches are distributed in descending order of urgency index. This effectively avoids bandwidth overload caused by concentrated patch distribution, preventing network lag, latency, service interruptions, and other anomalies, achieving a dynamic balance between patch deployment and network bandwidth resources. The entire process of dynamically determining the patch distribution scope adheres to the principle of prioritizing high-risk protection, ensuring that core high-risk assets are protected first, while also taking into account the actual network load. This allows for flexible adaptation and dynamic adjustment of the patch distribution scope, avoiding both the waste of bandwidth resources and network burden caused by blindly expanding the distribution scope, and the potential vulnerability risks caused by narrowing the distribution scope. It optimizes the resource utilization and execution efficiency of patch deployment, further improving the targeting, flexibility, and executability of the patch strategy. This makes vulnerability remediation both efficient and secure, building a more accurate and reliable vulnerability protection system for the protected network, and helping to improve the defense stability and practicality of the entire computer network security intelligent control system.

[0033] Figure 3This is a flowchart of a traffic scheduling strategy based on a computer network security intelligent control system provided in this embodiment of the invention. The specific steps of the traffic scheduling strategy are as follows: Based on the attack source information and attack target preference characteristics in the attacker profile, determine the malicious traffic characteristics and attack targets that need to be scheduled. Specifically, this includes: extracting the source IP (Internet Protocol) address, attack port, protocol type, and attack traffic packet characteristics of the attack source in the attacker profile as malicious traffic characteristics; combining the attack target preference characteristics in the attacker profile, identifying the core asset nodes and critical links in the protected network that have been attacked or are at risk of being attacked, and determining them as attack targets; dynamically determining the isolation zone level of the target based on the severity of the attack extracted from the attack behavior characteristics: if the attack type is data theft or ransomware, it is directed to a preset physical isolation zone; if it is a scanning probe or denial-of-service attack, it is directed to a preset logical isolation zone. The physical isolation zone refers to a completely independent network area that has no electrical or signal connection with the protected network and is used to isolate the highest risk attacks; the logical isolation zone refers to a network area that is logically isolated from the protected network through access control lists, virtual LANs, or firewall policies, but still shares physical infrastructure, and is used to isolate medium risk attacks. The attack process involves: dynamically adjusting the traffic rate limiting threshold and connection limit threshold based on the remaining bandwidth of the protected network and the peak attack traffic, combined with the criticality level of the target asset; comprehensively weighting the attack path trajectory based on its complexity and attack frequency to obtain the traction adaptability index of each traction path, and recording the proportion of each traction path's traction adaptability index to the comprehensive value of all traction path traction adaptability values ​​as the corresponding traction path priority; filtering out malicious traffic that needs to be tractioned based on the data packets in the malicious traffic characteristics, and tractioning the filtered malicious traffic to the traction target isolation area corresponding to the attack target along the corresponding traction path according to the traction path priority. The complexity of the attack path trajectory is obtained by comprehensively weighting the number of network nodes traversed by the attack path, the diversity of node types, and the number of path jumps. The attack frequency is the number of times the attack source launches an attack through this path per unit time (e.g., 1 hour).

[0034] This invention extracts the source IP address, attack port, protocol type, and attack traffic packet characteristics of the attack source as malicious traffic features based on the attack source information and attack target preference characteristics in the attacker profile. Simultaneously, it accurately identifies attacked or potentially vulnerable core asset nodes and critical links in the protected network as attack targets, achieving precise location of malicious traffic and attack targets. This effectively avoids misclassifying normal traffic as malicious traffic or non-core nodes as attack targets, providing precise targeting basis for subsequent traffic scheduling and isolation. Subsequently, based on the attack severity extracted from the attack behavior characteristics, the isolation zone level of the target is dynamically determined. High-risk attacks such as data theft and ransomware are redirected to completely independent physical isolation zones without any electrical or signal connections. Medium-risk attacks such as scanning and probing and denial-of-service attacks are redirected to logical isolation zones that share physical infrastructure and are logically isolated through access control lists and other policies. This achieves hierarchical isolation and control of attack risks, effectively blocking the highest-risk attacks. The system effectively prevents attacks from intruding into the core network while flexibly isolating medium-risk attacks, conserving physical isolation resources, and preventing the spread of attacks to the entire protected network. Then, based on the remaining bandwidth of the protected network and the peak attack traffic, combined with the criticality level of the target assets, the system dynamically adjusts the traffic rate limiting threshold and connection limit threshold. This not only curbs the transmission and spread of malicious traffic through reasonable rate limiting and connection restrictions, but also fully utilizes remaining bandwidth to ensure the stable transmission of normal network services, avoiding network congestion and service interruptions caused by excessive rate limiting, thus achieving a dynamic balance between malicious traffic control and normal business operation. Simultaneously, the system comprehensively weights the attack path trajectory based on its complexity (obtained by weighting the number of network nodes traversed, the diversity of node types, and the number of path hops) and attack frequency (the number of times the attack source launches an attack through this path per unit time) to obtain the traction adaptability index of each traction path and determine path priority. This ensures the selection of the most adaptable and efficient traction path, avoiding malicious traffic congestion caused by traction path bottlenecks.Finally, based on the characteristics of malicious traffic, malicious traffic that needs to be redirected is selected and redirected to the corresponding isolation zone according to the priority of the redirection path. This achieves rapid and accurate isolation of malicious traffic, completely blocking the connection path between the attack source and the attack target, and curbing the continued advance of the attack from the traffic level. The entire traffic scheduling strategy realizes intelligent management and control of the entire process, including accurate identification of malicious traffic, hierarchical isolation of attack risks, dynamic balancing of network load, and optimized selection of redirection paths. This not only significantly improves the efficiency and accuracy of malicious traffic scheduling and isolation, effectively reducing the impact and damage of malicious traffic on the protected network, but also maximizes the stable operation of normal network services, avoiding resource waste or service interruption caused by improper traffic scheduling. It further strengthens the traffic protection capability of the computer network security intelligent control system, builds a solid traffic security barrier for the core assets and critical links of the protected network, and improves the anti-attack capability and operational stability of the entire network system.

[0035] The steps for dynamically adjusting the traffic rate limiting threshold ratio and the connection limit threshold include: matching the defense strategy library based on the target asset's criticality level to obtain the corresponding preset traffic rate limiting baseline threshold ratio and connection limit threshold. The traffic rate limiting baseline threshold ratio represents the ratio of the maximum allowed outbound traffic rate to the total network bandwidth under normal conditions; the connection limit threshold represents the maximum allowed concurrent connections per IP under normal conditions; the ratio of the peak attack traffic to the remaining bandwidth of the protected network is recorded as the attack bandwidth utilization rate; and the ratio of the peak concurrent connection number initiated by the attack source to the connection limit parameter is defined as the attack connection. Expansion rate; Based on the attack bandwidth utilization rate and the attack connection expansion rate, a comprehensive weighted processing is performed to obtain the rate limiting tightening coefficient; The dynamically adjusted traffic rate limiting threshold ratio is set as the product of the traffic rate limiting baseline threshold ratio and the reciprocal of the rate limiting tightening coefficient, and preset rate limiting lower limit protection value and rate limiting upper limit protection value are applied; The dynamically adjusted connection number limit threshold is set as the ratio of the connection number baseline limit threshold to the attack connection expansion rate, and a preset connection number lower limit protection value is applied; Every preset scheduling time window, the attack traffic status is re-evaluated, and a moving average algorithm is used to smoothly update the adjusted rate limiting threshold ratio and connection number limit threshold.

[0036] This invention ensures that the baseline thresholds for traffic scheduling are precisely matched to the asset's importance by matching the target asset's criticality level with a preset traffic rate limiting baseline threshold ratio (the ratio of the maximum allowed outbound traffic rate to the total network bandwidth under normal conditions) and a connection number baseline limit threshold (the maximum number of concurrent connections allowed per IP under normal conditions). This provides differentiated traffic control baselines for assets with different criticality levels, avoiding the problem of overly lenient control over core assets or overly strict control over non-core assets. Subsequently, the attack bandwidth utilization rate is obtained by calculating the ratio of the peak attack traffic to the remaining bandwidth of the protected network, and the peak concurrent connection number and connection number of the attack source are obtained. The ratio of the baseline limiting parameters yields the attack connection bloat rate, accurately quantifying the pressure of attack behavior on network bandwidth and connection count, providing a scientific and precise quantitative basis for dynamic threshold adjustment. A comprehensive weighted calculation based on these two ratios yields the rate limiting tightening coefficient, achieving precise adaptation to attack intensity. This allows threshold adjustment to be flexibly adjusted according to the attack pressure, avoiding the drawback of fixed thresholds being unable to adapt to different attack intensities. The dynamically adjusted traffic rate limiting threshold ratio is set as the product of the traffic rate limiting baseline threshold ratio and the reciprocal of the rate limiting tightening coefficient, with preset upper and lower rate limiting protection values ​​applied. This ensures effective rate limiting tightening and suppression of malicious attacks under high attack pressure. This approach aims to balance controlled traffic flow with prevented over-limiting of normal business traffic, while avoiding network resource waste or protection failure caused by excessively low or high speed limits. The dynamically adjusted connection limit threshold is set as the ratio of the baseline connection limit to the attack connection expansion rate, and a preset lower limit protection value is applied. This precisely controls the concurrent connections from the attack source, blocking the establishment of numerous malicious connections while preventing excessively low connection limits from affecting legitimate connections for normal users. Finally, at preset scheduling time windows, the attack traffic status is reassessed, and a moving average algorithm is used to smoothly update the adjusted threshold, effectively preventing network instability caused by frequent threshold fluctuations. This ensures that traffic scheduling strategies can dynamically adapt to real-time changes in attack status, achieving precise, dynamic, and stable control over traffic rate limiting and connection limit. It can flexibly adjust the protection level according to the attack intensity, effectively curbing the impact of malicious traffic on the network, while maximizing the stable transmission of normal network services. It balances network security protection and business operation efficiency, avoiding problems such as bandwidth waste, business interruption, or protection failure caused by improper threshold adjustment. It further improves the rationality, flexibility, and reliability of traffic scheduling strategies, enhances the traffic protection capability of the entire computer network security intelligent control system, and ensures the stable and efficient operation of the protected network.

[0037] The above description is only an optional embodiment of this application and is not intended to limit this application. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this application should be included within the protection scope of this application.

Claims

1. A computer network security intelligent control system, characterized in that, include: The traffic anomaly detection module is used to collect the outbound and inbound traffic rates of the protected network in real time, calculate the time-series change rate of the outbound and inbound traffic rates within each monitoring time period, perform entity interaction anomaly time period determination based on the time-series change rate, and generate anomaly monitoring time periods and normal monitoring time periods. The abnormal behavior clustering module is used to extract the interaction behavior data of each interaction behavior instance within each abnormal monitoring time period, perform abnormal interaction behavior clustering processing, and generate an abnormal interaction traffic distribution map. The attack sequence generation module is used to extract the traffic distribution characteristics of each network node in the abnormal interaction traffic distribution map, perform abnormal feature matching processing on the traffic distribution characteristics, and filter out the core feature information that matches the preset attack traffic feature library; based on the core feature information, it parses and generates the attacker's operation sequence. The attacker profiling modeling module is used to extract full network traffic data generated by the attack source based on the attacker's operation sequence, perform multi-dimensional fusion modeling, and generate an attacker profile; the attacker profile includes attack behavior characteristics, attack target preference characteristics, and attack link characteristics. The defense strategy execution module is used to match the attacker profile with the criticality level of the target assets of the protected network, and execute the corresponding level of defense strategy based on the preset defense strategy library; the defense strategy includes patching strategy and traffic scheduling strategy.

2. The computer network security intelligent control system as described in claim 1, characterized in that, The steps for determining abnormal time periods in entity interaction include: The time-series change rate of the outflow rate and the inflow rate during each monitoring time period is compared with the preset threshold range of the time-series change rate of the flow rate. If the time-series change rate exceeds the preset threshold range of the traffic flow time-series change rate within any monitoring time period, then that time period is determined to be an abnormal monitoring time period. If the time-series change rate does not exceed the preset threshold range of the traffic flow time-series change rate, then the time period is determined to be a normal monitoring time period.

3. The computer network security intelligent control system as described in claim 1, characterized in that, The steps for performing abnormal interaction behavior clustering processing include: Preset the initial cluster radius and minimum deviation density threshold; construct a corresponding three-dimensional feature vector for each interaction behavior instance based on interaction behavior data, which includes interaction deviation frequency, deviation duration and deviation access depth; Traverse the 3D feature vectors of each interactive behavior instance, calculate the feature distance between the current interactive behavior instance and other interactive behavior instances, and count the number of instances whose feature distance does not exceed the initial cluster radius; if the number of instances reaches the minimum deviation density threshold, then mark the current interactive behavior instance as a core point, mark other interactive behavior instances in its neighborhood as boundary points, and mark all points in the neighborhood centered on the core point as a cluster; if the number of instances does not reach the minimum deviation density threshold and is not in the neighborhood of any core point, then mark the current interactive behavior instance as a noise point; For each cluster, calculate the behavioral deviation distance between its center vector and a preset typical normal behavior benchmark vector. If the behavioral deviation distance exceeds the preset upper limit of the deviation distance benchmark, then mark the cluster as an abnormal interaction cluster. Extract the network nodes and interaction paths covered by each abnormal interaction cluster, visualize and map them using a graph structure, and generate an abnormal interaction traffic distribution map of the protected network; where graph nodes represent each network node in the protected network, and graph edges represent the interaction paths between each network node.

4. The computer network security intelligent control system as described in claim 1, characterized in that, The steps for performing anomaly feature matching processing include: Traverse the traffic distribution characteristics of each network node in the abnormal interaction traffic distribution graph. The traffic distribution characteristics include node traffic entropy, traffic burstiness, and port connection diversity index. The node traffic entropy value is matched with the entropy value baseline tolerance range in the preset attack traffic feature library, and nodes whose node traffic entropy value is within the entropy value baseline tolerance range are selected as candidate nodes. The traffic burst rate time series and port connection diversity index time series of the candidate node are compared with the corresponding time series of each attack template in the preset attack traffic feature library to calculate the first similarity component and the second similarity component. The first similarity component and the second similarity component are then combined and weighted to obtain the similarity score of each attack template. Based on the similarity score and the betweenness centrality parameter of the candidate node in the abnormal interaction traffic distribution map, calculate its confidence score with each attack template in the feature library. The betweenness centrality parameter includes node betweenness centrality and edge betweenness centrality. Among the attack templates whose similarity scores exceed the preset matching threshold, the feature subset with the highest confidence score is identified as the core feature information that matches the preset attack traffic feature library.

5. The computer network security intelligent control system as described in claim 1, characterized in that, The step of generating the attacker's operation sequence includes: Based on the core feature information, temporal correlation parameters are extracted, including the order of attacker appearance, duration, and time interval between operations. An attack phase transition probability matrix is ​​constructed based on historical attack chain data to obtain the transition probability and observation probability matrix. The historical attack chain data includes the transition frequency between each attack phase and the occurrence frequency of each core feature information. The time-series correlation parameters are used as observation states and mapped to the corresponding attack stage states in the preset attack chain model to construct an observation sequence of core feature information. Based on the observed sequence, the attack phase transition probability matrix, and the observed probability matrix, the most likely attack phase state sequence is solved. Based on the transition triggering conditions between states in the attack phase state sequence, and combined with a preset attack instruction mapping library, the corresponding specific operation instructions are parsed out, and the specific operation instructions are arranged in chronological order to generate the attacker's operation sequence.

6. The computer network security intelligent control system as described in claim 1, characterized in that, The steps for performing multi-dimensional fusion modeling to generate an attacker profile include: Multi-dimensional feature parameters are extracted from the full amount of network traffic data generated by the attack source. These multi-dimensional feature parameters include source IP address, protocol type, static characteristics of the attack tool, attack path trajectory, attack frequency, and time series distribution information. Based on the contribution of each multi-dimensional feature parameter to the attacker profile, initial fusion weights are assigned to each dimension, and dimensionality reduction and correlation decoupling are performed based on the covariance matrix between the multi-dimensional feature parameters to generate a low-dimensional fusion feature vector. The low-dimensional fused feature vector is input into a preset multilayer perceptron model, which outputs the probability distribution of the attacker's attack behavior features, attack target preference features, and attack chain features. After normalizing the probability distribution, the data is combined to generate a structured attacker profile.

7. The computer network security intelligent control system as described in claim 1, characterized in that, The specific steps of the patching strategy are as follows: Based on the attack target preference features and attack chain features in the attacker profile, attack surface related feature parameters are extracted. The attack surface related feature parameters include asset type parameters, vulnerability type parameters, and network topology node jump parameters. Assets in the protected network that match the attack surface related feature parameters and whose vulnerability exploitability scores exceed a preset exploitability threshold are counted as a target asset list. A patch urgency index is calculated for each asset in the target asset list. The patch urgency index is obtained by comprehensively weighting the asset criticality, vulnerability exploitability score, and distance in the attack chain. Patches are sorted in descending order based on their patch urgency index, and protection priorities are assigned according to the criticality level of the target assets to dynamically determine the scope of patch distribution. Based on the attack execution timeline in the attacker's operation sequence, the time interval and duration of each attack step in the attacker's operation sequence are analyzed. A pre-trained time series prediction model is used to fit the attack time pattern and predict the time window of the next possible attack. The timing of the patch strategy is set so that the corresponding patch is delivered and installed before the predicted time window.

8. The computer network security intelligent control system as described in claim 7, characterized in that, The steps for dynamically determining the patch distribution scope include: Based on the criticality level of the target asset and the corresponding preset urgency threshold, assets with patch urgency indices exceeding the urgency threshold are included in the mandatory distribution scope and distributed with priority. For assets whose patch urgency index does not exceed the urgency threshold but are within the preset urgency warning range, dynamic screening is performed based on the current bandwidth load of the protected network: if the bandwidth load is lower than the preset load threshold, such assets are included in the distribution scope and distributed synchronously with assets in the mandatory distribution scope; if the bandwidth load is higher than the preset load threshold, they are not included in the distribution scope, and after the bandwidth load drops below the threshold, they are distributed in descending order of patch urgency index.

9. The computer network security intelligent control system as described in claim 1, characterized in that, The specific steps of the traffic scheduling strategy are as follows: Based on the attack source information and attack target preference characteristics in the attacker profile, the characteristics of malicious traffic and attack targets that need to be scheduled are determined. Based on the severity of the attack extracted from the attack behavior characteristics, the isolation zone level of the target is dynamically determined: if the attack type is data theft or ransomware, it is redirected to a preset physical isolation zone; if it is scanning, probing or denial-of-service attack, it is redirected to a preset logical isolation zone. Based on the remaining bandwidth of the protected network and the peak attack traffic, combined with the criticality level of the target asset, the traffic rate limiting threshold ratio and the connection limit threshold are dynamically adjusted. Based on the complexity and frequency of the attack path trajectory, a comprehensive weighted processing is performed to obtain the traction adaptability index of each traction path. The proportion of the traction adaptability index of each traction path to the comprehensive value of the traction adaptability of all traction paths is recorded as the priority of the corresponding traction path. Based on the data packets in the malicious traffic characteristics, the malicious traffic that needs to be redirected is selected, and according to the redirection path priority, the selected malicious traffic is redirected along the corresponding redirection path to the redirection target isolation area corresponding to the attack target.

10. The computer network security intelligent control system as described in claim 9, characterized in that, The steps for dynamically adjusting the ratio of the traffic rate limiting threshold to the connection number limiting threshold include: Based on the criticality level of the target asset, the corresponding preset traffic rate limiting baseline threshold ratio and connection number baseline limit threshold are matched to the level of the target asset. The ratio of the peak attack traffic to the remaining bandwidth of the protected network is denoted as the attack bandwidth utilization rate; the ratio of the peak number of concurrent connections initiated by the attack source to the connection number baseline limit parameter is denoted as the attack connection expansion rate. Based on the attack bandwidth utilization rate and attack connection expansion rate, a comprehensive weighted processing is performed to obtain the rate limiting tightening coefficient. The dynamically adjusted flow rate limiting threshold ratio is set to the product of the flow rate limiting baseline threshold ratio and the reciprocal of the rate limiting tightening coefficient, and a preset lower limit protection value and upper limit protection value are applied. The dynamically adjusted connection limit threshold is set as the ratio of the connection base limit threshold to the attack connection expansion rate, and a preset lower limit protection value for the connection number is applied. Every preset scheduling time window, the attack traffic status is reassessed, and the adjusted rate limit threshold ratio and connection limit threshold are smoothly updated.