Satellite network abnormal traffic detection method and device based on multi-scale feature fusion and distributed incremental support vector machine

By combining multi-scale feature fusion and distributed incremental support vector machines with online incremental learning and inter-satellite collaborative detection, the problem of abnormal traffic identification and defense in dynamic environments of satellite networks is solved, achieving a high-precision, low-resource-consumption real-time defense effect.

CN122394882APending Publication Date: 2026-07-14上海霄元创新中心

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
上海霄元创新中心
Filing Date
2026-04-20
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

When faced with dynamic environmental changes and limited resources, satellite networks struggle to effectively identify and defend against distributed denial-of-service attacks, resulting in high false alarm rates, large computational delays, and a lack of constellation-level collaborative defense capabilities.

Method used

By employing a multi-scale feature fusion and distributed incremental support vector machine approach, multi-dimensional features are extracted through the construction of a parallel sliding observation window. Combined with online incremental learning and inter-satellite collaborative detection, this approach enables accurate identification and real-time defense against abnormal traffic.

Benefits of technology

It achieves high-precision, low-resource-consumption abnormal traffic detection, reduces false alarm rate, improves constellation defense resilience, and ensures mission security and real-time performance.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122394882A_ABST
    Figure CN122394882A_ABST
Patent Text Reader

Abstract

The application discloses a satellite network abnormal flow detection method and device based on multi-scale feature fusion and distributed incremental support vector machine, relates to the technical field of satellite communication network security, and comprises the following steps: acquiring real-time network flow, and establishing parallel different-scale windows; extracting multi-dimensional statistical elements of different dimensions in parallel in the double windows, constructing high-dimensional original feature vectors, and fusing and normalizing the high-dimensional original feature vectors into standardized feature vectors; based on an online incremental SVM model and an on-orbit evolution mechanism, outputting classification discrimination results and risk assessment indexes; monitoring flow benchmark drift, triggering an incremental learning mechanism to correct only key support vectors, and realizing on-orbit self-adaptation; when a single satellite satisfies early warning conditions, synchronizing risk confidence information through an inter-satellite link and jointly analyzing spatial correlation based on constellation topology, so that joint discrimination of distributed attacks is realized, the consumption of on-board resources is significantly reduced while high detection precision is ensured, and the overall security robustness of the constellation is improved.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of satellite communication network security technology, and in particular to a method and apparatus for detecting abnormal traffic in satellite networks based on multi-scale feature fusion and distributed incremental support vector machines. Background Technology

[0002] With the rapid deployment of global low-Earth orbit satellite constellations, satellite networks are evolving from traditional point-to-point transparent forwarding to large-scale, dynamically networked integrated space information networks. However, the openness and complexity of the network architecture also expose it to severe security threats. Attackers may launch distributed denial-of-service (DDoS) attacks, malicious command injections, network topology scans, and slow attacks against satellite nodes through illegal ground stations, hijacked payload terminals, or forged inter-satellite links. If these attacks succeed, they can not only cause congestion of satellite communication links and loss of normal telemetry data, but may even threaten the operational security of the onboard system, leading to the loss of control of the entire satellite.

[0003] Traditional ground-based traffic detection technologies face three major challenges when applied to satellite environments: 1. Poor environmental adaptability. During satellite operation, normal traffic baselines exhibit high dynamism due to orbital dynamics, mission mode switching (such as switching from telemetry and control mode to high-speed data transmission mode), and link shadowing effects. Traditional models based on static thresholds or offline training often produce extremely high false alarm rates after environmental changes. 2. Limited onboard computing resources. Technologies such as deep packet inspection require parsing massive protocol loads. For resource-constrained onboard microprocessors, the computational latency and power consumption are enormous, making it difficult to support Gbps-level line-speed real-time monitoring. 3. Lack of collaborative defense mechanisms. Current satellite defenses mostly adopt single-satellite autonomous strategies, lacking constellation-level security situational awareness capabilities. Against distributed collaborative attacks across orbits and multiple nodes, a single satellite can often only observe local traffic anomalies, making it difficult to accurately determine the attack source and attack mode from a global perspective, resulting in serious delays in defense decision-making. Therefore, developing an abnormal traffic detection scheme that can adapt to traffic changes online, achieve low-power real-time processing, and possess constellation-level collaborative detection capabilities has become a key issue that urgently needs to be addressed in the current satellite network field. Summary of the Invention

[0004] The purpose of this invention is to provide a method and device for detecting abnormal traffic in satellite networks based on multi-scale feature fusion and distributed incremental support vector machines, aiming to build a dynamic security defense system integrating air and space through lightweight statistical analysis and intelligent on-orbit evolution mechanism.

[0005] This invention provides a method for detecting abnormal traffic in satellite networks based on multi-scale feature fusion and distributed incremental support vector machines, comprising: To acquire real-time network traffic, a multi-scale sliding observation window mechanism is constructed, establishing parallel first-scale and second-scale sliding observation windows; Multidimensional statistical computation elements are extracted in parallel based on the first-scale sliding window and the second-scale sliding window. The multidimensional statistical computation elements characterize the distribution, fluctuation, trend and structural dimension characteristics of the flow, and construct and generate a high-dimensional original feature vector. The multidimensional computational subsystems of different scales and dimensions are subjected to feature fusion and normalization mapping to generate standardized feature vectors; Based on the online incremental support vector machine (SVM) model and the on-orbit evolution mechanism, the standardized feature vectors are input into the SVM model to perform classification calculations. Based on the distance from the feature points to the optimal classification hyperplane, the classification results of the traffic attributes and risk assessment indicators are output. The system monitors the drift status of the normal business traffic baseline. When the classification result shows a continuous deviation but does not reach the attack threshold, it triggers an incremental learning mechanism to correct only the key support vectors that determine the SVM classification hyperplane, so as to achieve on-track adaptation of the detection model. When the risk assessment index calculated by a single satellite node meets the preset early warning conditions, the risk confidence information obtained from local detection is synchronized to neighboring nodes via inter-satellite links, and spatial correlation analysis is performed in conjunction with the constellation topology to achieve joint discrimination against distributed attacks.

[0006] Preferably, the first-scale sliding observation window is configured with a time length of milliseconds to capture the instantaneous characteristics of burst attack traffic; the second-scale sliding observation window is configured with a time length of minutes to monitor the statistical offset of covert scanning or low-rate attacks; the first-scale sliding observation window and the second-scale sliding observation window slide in parallel.

[0007] Preferably, the parallel extraction of multidimensional statistical computation based on the first-scale sliding window and the second-scale sliding window includes: Perform the following operations simultaneously within the first-scale sliding window and the second-scale sliding window: The first-dimensional operator uses entropy weight features to calculate information entropy by statistically analyzing the frequency of occurrence of source IP addresses and destination IP addresses within a window. This is used to characterize the abnormal state of address distribution shifting from concentration to diffusion, in order to determine whether IP spoofing or large-scale address scanning exists. The second-dimensional operator uses the coefficient of variation, which is calculated by the ratio of the standard deviation to the mean of the data packet arrival interval. This is used to characterize the dispersion of traffic and to identify simulated traffic generated by automated attack tools with periodic patterns. The third-dimensional operator uses the cumulative sum CUSUM. It calculates the deviation between the current traffic observation and the baseline mean, subtracts the preset tolerance threshold, and then performs non-negative unidirectional accumulation to produce an integral amplification effect on small deviations. This allows for early identification of the gradual increase trend of low-rate attack traffic before the static alarm threshold is exceeded. The fourth-dimensional operator uses a packet length histogram distribution to count the proportion of packets according to a preset byte range, which is used to identify channel congestion attacks caused by small packet padding. The above-mentioned statistical operators calculated under the first-scale sliding window and the second-scale sliding window are combined to construct a high-dimensional original feature vector containing multi-scale and multi-dimensional information.

[0008] Preferably, the step of outputting the classification result and risk assessment index of the flow attribute based on the distance from the feature point to the optimal classification hyperplane includes: The decision function of the SVM classification model is invoked to calculate the absolute geometric distance from the standardized feature vector to the optimal classification hyperplane; A preset nonlinear mapping function is used to convert the absolute geometric distance into a risk probability score within a preset probability range; The classification results and the risk probability scores are combined and encapsulated to generate the risk assessment index.

[0009] Preferably, the triggering incremental learning mechanism, which only modifies the key support vectors that determine the SVM classification hyperplane, includes: When a persistent shift in the classification result is detected, samples within a preset interval of the SVM decision boundary are selected as candidate sets to be updated. The candidate set to be updated is determined as a new key support vector only if it violates the KKT constraints; An incremental recursive algorithm is used to update the Lagrange multipliers of the key support vectors to dynamically adjust the normal vector of the hyperplane, without performing retraining on the full historical data.

[0010] Preferably, the step of performing spatial correlation analysis in conjunction with constellation topology to achieve joint discrimination against distributed attacks includes: When the risk confidence probability score of a single-star node exceeds a preset primary threshold, a collaborative request signaling containing the node identifier, orbital position, and anomaly feature summary is generated. The neighboring node that receives the cooperative request signaling retrieves a snapshot of its own traffic statistics features within its corresponding time window and calculates the mutual information between the local features and the request source features; If more than a preset threshold number of nodes within a specific orbital plane simultaneously report abnormal features, and the abnormal pattern exhibits spatiotemporal continuity, then the attack is jointly identified as a distributed denial-of-service attack targeting the constellation, triggering a network-wide coordinated interception command.

[0011] Preferably, the online incremental support vector machine (SVM) model and on-orbit evolution mechanism further include: The SVM model uses fixed-point arithmetic instead of floating-point arithmetic to perform kernel function multiplication, thereby controlling the classification inference latency to the microsecond level, matching the data processing rate of the satellite's high-speed downlink. The on-orbit evolution mechanism includes a model snapshot rollback strategy: before executing the incremental learning mechanism correction, the current model parameters and hyperplane state are stored in the shadow memory area as a snapshot of the previous stable version model; when the incremental correction causes the model classification accuracy to drop beyond a preset safety threshold, the updated parameters are automatically discarded and the model is rolled back to the previous stable version model snapshot, and a reset request is sent to the ground.

[0012] As a preferred option, a false alarm suppression mechanism is also included: By reading the satellite payload mission plan, the predicted data transmission window period and expected bandwidth usage parameters can be obtained; Using the data transmission window period and expected bandwidth occupancy parameters as background noise benchmarks, the traffic observations are dynamically compensated during the calculation phase of the multidimensional system computation unit to prevent normal load data transmission tasks from triggering false alarms.

[0013] Preferably, the false alarm suppression mechanism also includes a dynamic adaptive compensation strategy: Obtain the space environment parameters of the satellite's current orbital position and assess the expected link error disturbance value caused by space thermal noise; Based on the expected link error disturbance value, the statistical weights of packet length distribution and arrival interval in the multidimensional statistical calculation are dynamically adjusted to suppress false alarms caused by spatial physical environment interference.

[0014] This invention also provides a satellite network abnormal traffic detection device based on multi-scale feature fusion and distributed incremental support vector machine, implementing the detection method described above. The device includes: The hardware feature extraction engine, deployed in the FPGA logic architecture, includes a parallel counter array and a shift register group. It is used to acquire real-time network traffic and build a multi-scale sliding observation window mechanism without occupying CPU cycles, establishing a parallel first-scale sliding observation window and a second-scale sliding observation window. The multidimensional statistical computation sub-extraction module is integrated into the hardware feature extraction engine. It is used to extract multidimensional statistical computation sub-sub ... The feature fusion and normalization module is used to perform feature fusion and normalization mapping on the multidimensional computational subsystems of different scales and dimensions to generate standardized feature vectors. The online incremental SVM classification module is used to input the standardized feature vectors into the SVM model to perform classification calculations based on the online incremental support vector machine SVM model and the on-orbit evolution mechanism. Based on the distance from the feature points to the optimal classification hyperplane, it outputs the classification results of the traffic attributes and risk assessment indicators. The incremental learning control module is used to monitor the drift status of the normal business traffic benchmark. When the classification result shows a continuous deviation but does not reach the attack threshold, the incremental learning mechanism is triggered to correct only the key support vectors that determine the SVM classification hyperplane, so as to achieve on-track adaptation of the detection model. The inter-satellite collaborative detection module is used to synchronize the risk confidence information obtained from local detection to neighboring nodes via inter-satellite links when the risk assessment indicators calculated by a single satellite node meet the preset early warning conditions, and to perform spatial correlation analysis in combination with the constellation topology to achieve joint discrimination against distributed attacks.

[0015] Compared with the prior art, the present invention has the following beneficial effects: (1) High precision and strong adaptability: The multi-scale observation window combined with four types of core statistical computing units can accurately identify all types of malicious traffic, from instantaneous flood attacks to covert slow attacks; the online incremental learning mechanism ensures that the model can dynamically evolve with the satellite mission mode, significantly reducing the false alarm rate.

[0016] (2) Extremely low resource overhead: The use of key support vector updates instead of full retraining, combined with FPGA line-speed feature extraction, greatly alleviates the pressure on onboard computing power and power consumption, and meets the real-time processing requirements.

[0017] (3) Global situational awareness: Distributed collaborative detection breaks through the limitations of single-star defense, can effectively deal with cross-orbit collaborative attacks, and improves the defensive resilience of the entire constellation.

[0018] (4) Business assurance capability: The task awareness suppression mechanism avoids false alarms triggered by normal data transmission, and achieves a balance between security and task. Attached Figure Description

[0019] Figure 1The flowchart below shows a method for detecting abnormal traffic in satellite networks based on multi-scale feature fusion and distributed incremental support vector machine, according to an embodiment of the present invention. Figure 2 This is a schematic diagram of the hardware logic deployment of the spaceborne abnormal traffic detection device in an embodiment of the present invention; Figure 3 This is a schematic diagram illustrating the logical principle of the multi-scale sliding window mechanism and statistical sub-extraction in an embodiment of the present invention; Figure 4 This is a schematic diagram of the adaptive evolution of the SVM decision boundary in an embodiment of the present invention. Detailed Implementation

[0020] To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0021] The term "comprising" and its variations as used herein are open-ended inclusion, meaning "including but not limited to". The term "based on" means "at least partially based on". The term "one embodiment" means "at least one embodiment"; the term "another embodiment" means "at least one additional embodiment"; the term "some embodiments" means "at least some embodiments". Definitions of other terms will be given in the description below.

[0022] like Figure 1-2 As shown, this embodiment of the invention provides a method for detecting abnormal traffic in satellite networks based on multi-scale feature fusion and distributed incremental support vector machines. This embodiment uses a low-Earth orbit (LEO) communication constellation as an application background, deploying the abnormal traffic detection system on the critical data path of the satellite communication processor. For example... Figure 1 As shown, the device employs a coupled "data plane + control plane" design in its hardware architecture. The data plane, based on an FPGA logic architecture, utilizes a fully hardened line-rate packet parsing engine to perform non-intrusive image capture of 10Gbps-level inter-satellite or satellite-to-ground links, ensuring that feature extraction does not incur additional processing latency. The control plane runs on the embedded multi-core processor of the onboard SoC, responsible for SVM inference computation, scheduling of incremental learning algorithms, and generation and parsing of cross-satellite collaborative signaling. This architecture decouples the low-level high-speed data stream processing from the high-level complex logic analysis, providing a solid hardware foundation for enhanced real-time security.

[0023] The specific testing includes the following steps: Step S1: Acquire real-time network traffic and construct a multi-scale sliding observation window mechanism, establishing parallel first-scale and second-scale sliding observation windows; that is, multi-scale traffic feature extraction: satellite nodes acquire inbound and outbound traffic in real time through a line-speed packet capture engine, and establish parallel long and short-scale sliding observation windows. The short window Wshort is used to capture burst attacks with a duration of milliseconds, and the long window Wlong is used to monitor covert scans or slow attacks with a period of minutes. In this embodiment, a line-speed packet capture engine is first deployed at the junction of the physical layer and the link layer of the satellite data transmission system, and FPGA hardware logic is used to perform non-intrusive parsing of CCSDS packet streams.

[0024] Because malicious attacks on satellite networks exhibit extreme polarization over time (such as instantaneous DDoS flood attacks and long-term, low-speed, slow attacks), traditional single-scale observation windows struggle to simultaneously balance detection sensitivity and stability, easily leading to missed or false alarms. Therefore, this solution first deploys a line-speed packet capture engine based on FPGA hardware logic at the interface between the physical and link layers of the satellite data transmission system. This engine performs non-intrusive mirroring of CCSDS packet streams, acquiring real-time inbound and outbound traffic without consuming onboard CPU cycles. To balance detection sensitivity and stability, this embodiment designs a dual-scale sliding observation window mechanism: Based on this real-time traffic, a dual-scale parallel sliding observation window mechanism is constructed: The first-scale sliding observation window, also known as the short-scale window, is configured with a time length in milliseconds to capture the instantaneous characteristics of sudden attack traffic. The window length is set to Ts (e.g., 100ms to 500ms). It is mainly used to capture sudden changes in traffic. This scale is highly sensitive to DDoS flood attacks and pulse interference, and can monitor abnormal spikes in packet rate in real time.

[0025] The second-scale sliding observation window, also known as the long-scale window, is configured with a time length on the order of minutes to monitor statistical shifts in covert scans or low-rate attacks. The window length is set to Tl (e.g., 60s to 300s) to establish a macroscopic baseline for traffic. This scale aims to identify attacks with slow, covert characteristics, such as slow port scans or low-rate denial-of-service (LDoS) attacks. These attacks exhibit small traffic fluctuations in the short term but show deviations in statistical distribution over a long scale.

[0026] The first and second scale windows slide in parallel with an independent stepping mechanism on the time axis, so that the same network traffic data is synchronously mapped to observation slices with different time resolutions. This enables multi-granularity traffic perception under the constraint of limited onboard storage resources, ensuring both rapid capture of instantaneous attacks and long-term cumulative observation of slow, covert attacks. Step S2: Extract multidimensional statistical computation sub-sub ... In the feature extraction stage, the system achieves multi-scale monitoring through a set of parallel counter arrays and a sliding window mechanism. For example... Figure 2 As shown, the algorithm performs real-time calculations on the header fields of each CCSDS packet (such as source / destination IP, protocol number, packet length, and timestamp). The system pre-configures two observation dimensions: a short window (100ms) and a long window (300s). The short window focuses on capturing DDoS characteristics such as instantaneous packet rate mutations, while the long window identifies covert low-speed scanning behavior by calculating the address entropy weight feature H(IP) and the coefficient of variation (CV). To avoid the performance bottleneck of onboard floating-point operations, the engineering implementation widely adopts the lookup table method to approximate logarithmic operations and uses the CUSUM operator Si to accumulate and amplify subtle shifts in the mean, thereby greatly reducing the FPGA logic resource utilization while ensuring feature integrity.

[0027] Because satellite network protocols are relatively fixed, relying solely on single metrics such as packet rate makes them highly susceptible to simulation by attackers. Therefore, this scheme synchronously and in parallel extracts four core statistical computational units reflecting the inherent physical laws of traffic within the dual-scale sliding window established in step S1. Through multi-dimensional cross-validation, the planar traffic data is upgraded to a three-dimensional feature space. (See [link to relevant documentation]). Figure 3 As shown, the specific logic is as follows: (1) The first dimension operator (traffic distribution characteristics) adopts the entropy weight feature (Entropy), and calculates the information entropy by the frequency of occurrence of source IP address and destination IP address within the statistical window. , used to quantify the uncertainty of the address space, where n is the total number of different IP address types (source IP or destination IP) within the window; x i Let p(x) be the i-th type of IP address; i ) represents the frequency of the i-th IP address appearing within the window (i.e., the number of times this IP address appears divided by the total number of times all IP addresses appear within the window). This is used to calculate information entropy. This operator is used to characterize the abnormal state of address distribution shifting from concentration to diffusion, in order to determine whether IP spoofing or large-scale address scanning exists. When IP spoofing or large-scale address scanning occurs, the address distribution shifts from concentration to diffusion, and the entropy value increases significantly. Conversely, DDoS attacks targeting specific objects will lead to highly concentrated addresses, and the entropy value will drop sharply. This operator can accurately characterize the abnormal state of address distribution shifting from concentration to diffusion at the topological level. (2) The second dimension operator (traffic fluctuation characteristics) uses the coefficient of variation (CV). By calculating the ratio of the standard deviation to the mean of the arrival interval (IAT) of data packets, it is used to characterize the dispersion of traffic and identify the simulated traffic generated by automated attack tools with periodic patterns. Normal business traffic usually has a certain degree of randomness, while the simulated traffic generated by automated attack tools often shows a high degree of periodicity or regularity, resulting in an abnormally low value of the coefficient of variation. This operator can accurately identify the periodic characteristics of scripted attack traffic by monitoring the dispersion of traffic. (3) The third-dimensional operator (traffic trend characteristics) adopts the cumulative sum CUSUM. By calculating the deviation between the current traffic observation value and the benchmark mean, and subtracting the preset tolerance threshold, non-negative unidirectional accumulation is performed to generate an integral amplification effect on small deviations. This allows for early identification of the gradual increase trend of low-rate attack traffic before the static alarm threshold is exceeded. Through iterative formulas Where Sk is the cumulative sum statistic at time k, S k-1 x is the cumulative sum of the previous time step. k Given the current observed value, μ is the baseline mean, and Δ is the preset tolerance threshold, amplifying minute shifts in traffic volume through integration. For covert low-rate attacks (LDoS), the single increment is extremely small, completely hidden under normal background noise, and cannot exceed the static alarm threshold; however, CUSUM, through non-negative unidirectional accumulation after deducting the tolerance, can amplify this gradual upward trend through integration, achieving early warning before an absolute surge in traffic volume. Alternatively, differential accumulation can be performed on the traffic mean to calculate... Where Sn is the cumulative sum statistic at time n, and x i Let μ be the traffic observation value at time i (e.g., packet rate, byte rate), and μ be the baseline mean of normal business traffic (historical statistical average). This algorithm utilizes the cumulative effect of subtle changes in the mean to capture slow traffic spikes below background noise, enabling early warning of slow-moving attacks. The formula reflects the long-term trend of traffic shifts by summing the differences between each observation and the baseline mean. In practical applications, tolerance thresholds and reset mechanisms, such as the Sk formula, are often added to avoid false alarms caused by noise. (4) The fourth-dimensional operator (traffic structure characteristics) adopts packet length histogram distribution and counts the proportion of packets according to the preset byte range to identify channel congestion attacks caused by small packet padding. The system maintains the histogram and counts the proportion of packets in real time according to the preset byte range (such as less than 64 bytes, 64-512 bytes, and more than 512 bytes). Normal remote sensing data transmission or telemetry and control data is usually accompanied by long packet transmission. In order to exhaust the interrupt resources or bandwidth of the onboard processor at the lowest cost, attackers often use a large number of pure small packets without payload (such as TCP SYN or ACK packets less than 64 bytes) to carry out channel congestion attacks. This operator can directly identify such anomalies at the structural level.

[0028] Finally, the statistical operators calculated under the first and second scale sliding windows are combined to construct a high-dimensional original feature vector containing multi-scale and multi-dimensional information. This mechanism, through parallel design of the underlying hardware, transforms the original unordered data packet stream into a highly separable high-dimensional feature space with zero time superposition loss, laying a physical data foundation for the accurate classification of subsequent SVM models. Step S3: Perform feature fusion and normalization mapping on the multidimensional operators of different scales and dimensions to generate standardized feature vectors. Perform weighted mapping on operators of different scales to eliminate the influence of dimensions and form standardized feature vectors input to the classifier. Since different operators have different dimensions and numerical ranges (such as entropy values ​​are usually between 0 and logN, the coefficient of variation is a dimensionless ratio, CUSUM is a cumulative amount, and the proportion of packet length is a probability distribution), it is necessary to eliminate the influence of dimensions through normalization mapping.

[0029] Specifically, each operator is transformed to a uniform numerical range (e.g., [-1,1] or [0,1]) using either max-min or Z-score normalization, forming a normalized feature vector. This normalized feature vector eliminates scale differences, ensuring balanced weights across the input dimensions of the subsequent SVM classifier and preventing operators with large numerical ranges from dominating classification decisions. Step S4: Based on the online incremental support vector machine (SVM) model and on-orbit evolution mechanism, the standardized feature vector is input into the SVM model to perform classification calculation. Based on the distance from the feature point to the optimal classification hyperplane, the classification result of the traffic attribute and the risk assessment index are output. This includes: calling the decision function of the SVM classification model to calculate the absolute geometric distance from the standardized feature vector to the optimal classification hyperplane; using a preset nonlinear mapping function to convert the absolute geometric distance into a risk probability score within a preset probability range; and combining and encapsulating the classification result and the risk probability score to generate the risk assessment index.

[0030] After obtaining the aforementioned high-dimensional feature vectors, this invention employs a Support Vector Machine (SVM) as the core classification engine. Considering the computational limitations of onboard processors, this scheme makes the following key optimization to the standard SVM: Lightweight on-orbit inference: The system stores decision functions pre-trained on the ground. The kernel function K maps the standardized feature vector to a high-dimensional feature space. For the standardized feature vector z generated at the current time step, the classification process is as follows: (1) Calculate the geometric distance by calling the decision function: Calculate the signed function value f(z) from z to the optimal classification hyperplane. The absolute value of this value is equivalent to the absolute geometric distance from the feature point to the hyperplane. The magnitude of the geometric distance reflects the confidence level between the current traffic feature and the boundary between the normal / abnormal categories: the larger the distance, the more certain the classification; the smaller the distance, the closer the sample is to the boundary, and the higher the uncertainty.

[0031] (2) Output binary classification results: Output the binary results of traffic attributes according to the sign of f(z): If f(z)>0, it is judged as normal traffic; if f(z)<0, it is judged as abnormal attack traffic.

[0032] (3) Generate a risk confidence probability score: Using a preset nonlinear mapping function (such as Platt scaling or Sigmoid fitting), the absolute geometric distance is converted into a risk confidence probability score in the interval [0,1]. This score represents the degree of confidence that the current traffic is an abnormal attack; the higher the score, the higher the attack confidence.

[0033] (4) Combine and encapsulate into risk assessment indicators: Combine and encapsulate the binary classification results with the risk confidence probability scores to generate a unified risk assessment indicator for subsequent incremental learning trigger judgment and distributed collaborative detection.

[0034] During the inference phase, the DSP unit performs parallel kernel function multiplication operations. By replacing floating-point operations with fixed-point operations, processing latency is controlled to the microsecond level with minimal loss of precision, ensuring compatibility with the satellite's high-speed downlink rate.

[0035] In this embodiment, the online incremental support vector machine (SVM) model and on-orbit evolution mechanism further include: the SVM model uses fixed-point arithmetic instead of floating-point arithmetic to perform kernel function multiplication, so as to control the classification inference latency to the microsecond level and match the data processing rate of the satellite's high-speed downlink; the on-orbit evolution mechanism includes a model snapshot rollback strategy: before performing the incremental learning mechanism correction, the current model parameters and hyperplane state are stored in the shadow memory area as a snapshot of the previous stable version model; when the incremental correction causes the model classification accuracy to decrease beyond a preset safety threshold, the updated parameters are automatically discarded and the model is rolled back to the previous stable version model snapshot, and a reset request is sent to the ground.

[0036] Step S5: Monitor the drift status of the normal business traffic benchmark. When the classification result shows a continuous shift but does not reach the attack threshold, trigger the incremental learning mechanism. Only correct the key support vectors that determine the SVM classification hyperplane to achieve on-orbit adaptation of the detection model. This includes: when a continuous shift in the classification result is detected, selecting samples within a preset interval of the SVM decision boundary as the candidate set to be updated; only when the candidate set to be updated violates the KKT constraints, determining the candidate set to be updated as the new key support vectors; using an incremental recursive algorithm to update the Lagrange multipliers of the key support vectors to dynamically adjust the normal vector of the hyperplane, without performing retraining on all historical data. To address the drift of the normal traffic benchmark caused by satellite mission switching, link shadowing, etc., this solution does not use full retraining, but rather an incremental learning mechanism based on KKT conditions.

[0037] Satellite operation in orbit is affected by day-night cycles and payload task switching, causing dynamic drift in the normal flow baseline. Using traditional "full online retraining" would lead to a collapse of onboard computing power. Therefore, this invention, based on the risk assessment indicators output in step S4, designs a lightweight "online incremental update of key support vectors" mechanism. The specific implementation steps are as follows: 1) Drift monitoring and boundary sample screening: When a drift in the flow distribution is detected within the normal range, samples within the SVM decision boundary ±δ interval are selected as candidate sets to be updated; when samples judged as "normal" continuously approach the decision boundary (geometric distance gradually decreases) and have not yet exceeded the attack threshold, the baseline is considered to have drifted. Edge samples within the preset interval ±δ of the decision boundary are selected, marked as "critical samples," and stored in a sensitive cache as candidate sets to be updated. 2) Application of the KKT condition simplification algorithm: Only when a candidate sample violates the existing KKT constraints is it judged as a new support vector; verify whether each sample in the candidate set satisfies the Karlosh-Kun-Tucker (KKT) conditions. The KKT condition is a necessary condition for the optimal solution of SVM: it is automatically satisfied if the sample is located in the correct classification region and far from the boundary; if the KKT condition is violated (located on the wrong side of the boundary or falling within the interval band), it indicates that the current hyperplane can no longer optimally separate the data distribution. Incremental updates are only initiated when the accumulated critical number of samples reaches a preset threshold and there are samples that significantly violate the KKT condition, avoiding invalid updates caused by instantaneous noise. 3) Recursive weight adjustment: The Lagrange multiplier αi is updated using an incremental recursive algorithm to dynamically adjust the normal vector w and bias term b of the hyperplane without retraining on all historical data, thereby reducing the computational load and power consumption of the onboard processor. The above scheme performs another key optimization on the standard SVM: Incremental update of key support vectors: To address the drift in traffic benchmarks caused by satellite mission switching, this invention does not employ the costly "full online retraining," but instead proposes an incremental learning method based on KKT conditions: Drift monitoring: When the system determines that the current flow is "normal" but is close to the hyperplane boundary in the decision space, it is marked as a "critical sample". See [link to relevant documentation]. Figure 4 As shown.

[0038] Boundary correction: The update procedure is only initiated when the accumulated critical samples reach a certain number and significantly violate the existing KKT constraints.

[0039] Parameter replacement: Using recursive least squares, update a few key support vector parameters. This method requires adjusting only a very small number of data points near the decision boundary, reducing computational complexity from... Down to , where sv is the number of support vectors, which greatly saves onboard power consumption.

[0040] Step S6: When the risk assessment index calculated by a single satellite node meets the preset early warning conditions, the risk confidence information obtained from local detection is synchronized to neighboring nodes via inter-satellite links. Spatial correlation analysis is then performed in conjunction with the constellation topology to achieve joint identification of distributed attacks. For cross-orbit, multi-node distributed attacks (such as DDoS attacks launched collaboratively from multiple ground camouflage stations), a single satellite cannot independently identify the attack pattern. This solution constructs an "early warning-verification-consensus" collaborative protocol based on inter-satellite links.

[0041] Risk Information Broadcast (Early Warning): When the risk confidence probability score of a single satellite node exceeds a preset primary threshold, a collaborative request signaling message containing the node identifier, orbital position, and anomaly characteristic summary is generated and broadcast via inter-satellite links to several adjacent nodes within the orbital plane. When a single satellite detects a risk score... When the preset primary threshold is reached, the satellite generates a collaborative request packet containing its own ID, geographic location label, and anomaly feature summary.

[0042] Neighborhood Feature Comparison (Verification): The neighboring node that receives the collaborative request signaling retrieves a snapshot of its own traffic statistics (including entropy, CUSUM trend, etc.) within its corresponding time window and calculates the mutual information or similarity between its local features and the features of the requesting source. If the features deviate in the same direction and have similar statistical patterns, it sends back an acknowledgment signaling.

[0043] Group judgment and network-wide linkage (consensus): If more than a preset threshold number of nodes within a specific orbital plane simultaneously report abnormal characteristics, and the abnormal pattern exhibits spatiotemporal continuity, then a joint judgment is made that it is a distributed denial-of-service attack targeting the constellation, triggering a network-wide linkage interception command. If, within the same orbital plane, more than a preset threshold K of satellites all observe similar deviations in statistical patterns within the same time window, and the abnormal pattern exhibits temporal and spatial continuity, then a joint judgment is made that it is a distributed denial-of-service attack targeting the constellation. Once a collaborative consensus is reached, the judgment result is rapidly disseminated through the inter-satellite network. Each satellite node automatically loads a temporary access control list, discards illegal packets matching the characteristics at the protocol stack level, and can optionally adjust the anti-interference frequency or switch the communication beam to achieve dynamic closed-loop defense.

[0044] For distributed attacks (such as attacks from multiple ground camouflage stations against a satellite in orbit), a single satellite often struggles to accurately identify the attack pattern. This invention designs a collaborative decision-making system based on inter-satellite links. After local decision-making, each satellite not only generates a binary result of "normal / abnormal" but also includes a risk confidence score. When P exceeds the initial warning threshold, the satellite automatically broadcasts a "cooperative detection signaling" to the two adjacent satellites in front and behind it within the orbital plane. Upon receiving the signaling, the adjacent satellites transmit their respective traffic entropy values ​​and CUSUM trends over the same time span. The master control node performs spatial correlation analysis on the multi-point data. If the traffic anomalies detected by multiple nodes are synchronous in time and the anomaly vectors are similar in feature space, the system determines it as a global cooperative attack. Once a consensus is reached, the judgment result is rapidly disseminated through the inter-satellite network. Each satellite node automatically loads a temporary access control list, discards illegal packets matching specific characteristics at the protocol stack level, and adjusts anti-interference frequencies or switches communication beams to achieve dynamic closed-loop defense.

[0045] In this embodiment, a distributed collaborative detection signaling interaction process is adopted: For distributed attacks across orbits or multiple nodes, this embodiment constructs a lightweight "early warning-verification-consensus" collaborative protocol through inter-satellite links. When the risk confidence P determined by a single-satellite detection unit exceeds a preset primary threshold, the satellite immediately switches from "autonomous mode" to "cooperative mode" and broadcasts a collaborative request signaling (Alert_Req) ​​containing anomaly feature summaries, attack type labels, and timestamps to neighboring nodes in its orbital plane. The neighboring satellites receiving the signaling will retrieve their own feature snapshots within the corresponding timestamps for cross-verification: if multiple nodes observe similar statistical deviations (such as synchronous fluctuations in entropy values ​​at specific addresses) at the same time, consensus is reached by sending back a confirmation signaling (Confirm). This distributed signaling interaction mechanism can effectively integrate the constellation's global perspective, achieving rapid, network-wide blocking before the attack reaches a significant scale.

[0046] In this embodiment, the detection method further includes a false alarm suppression mechanism: by reading the satellite payload mission plan, the predicted data transmission window period and expected bandwidth occupancy parameters are obtained; the data transmission window period and expected bandwidth occupancy parameters are used as background noise benchmarks, and the traffic observation values ​​are dynamically compensated during the calculation phase of the multidimensional statistical calculator to prevent normal payload data transmission tasks from triggering false alarms. That is, by reading the satellite payload mission plan, the predetermined data transmission period and high-volume downlink service information are obtained, and these are used as background noise to cancel it during the feature calculation phase, preventing normal payload data transmission tasks from triggering security alarms. The false alarm suppression mechanism also includes a dynamic adaptive compensation strategy: by obtaining the space environment parameters of the satellite's current orbital position, the expected link error rate disturbance value caused by space thermal noise is evaluated; based on the expected link error rate disturbance value, the statistical weights of packet length distribution and arrival interval in the multidimensional statistical calculator are dynamically corrected to suppress false alarms caused by space physical environment interference. That is, a dynamic adaptive learning rate is used to compensate for the message error rate caused by environmental thermal noise in real time according to the satellite's orbit, improving the signal-to-noise ratio of traffic statistical characteristics in extreme space environments.

[0047] This embodiment analyzes a typical low-rate DDoS attack detection case: To verify the practical effectiveness of this system, the embodiment simulates a covert low-rate DoS attack targeting satellite channels. In this scenario, the attacker forges multiple ground terminals to send probe packets at an extremely low frequency. The instantaneous packet rate remains stable within a short window, making it difficult to trigger traditional threshold alarms. During the implementation of this invention, the address entropy operator under a long window keenly detects the unnatural concentration of the target IP distribution. Simultaneously, the CUSUM operator, through the integration and accumulation of minute-level minute deviations, causes the statistics to exceed the confidence interval. The SVM classifier, combining the anomaly representations at these two scales, accurately identifies the traffic as a "potential attack." Subsequently, the system uses an incremental update mechanism to load the support vector of this attack pattern into the judgment boundary in real time and triggers a cooperative protocol, enabling other satellites in the constellation to have immunity to this type of covert attack in advance.

[0048] In this embodiment, to eliminate false alarms caused by normal satellite data transmission tasks during task awareness, false alarm suppression, and performance verification, a unique task plan awareness logic is introduced. The system obtains the predicted data transmission window period and expected bandwidth by reading the task scheduling table of the satellite integrated electronic system. When performing large data backhaul tasks, the suppression module automatically adjusts the sensitivity gain of the detector, relaxes the packet rate threshold, and increases the weight of protocol validity checks to ensure that the security mechanism does not mistakenly intercept normal service data.

[0049] Based on the same inventive concept, embodiments of the present invention also provide a satellite network abnormal traffic detection device based on multi-scale feature fusion and distributed incremental support vector machine, implementing the above-mentioned detection method. The device includes: A hardware feature extraction engine, deployed within an FPGA logic architecture, includes a parallel counter array and shift register group. It acquires real-time network traffic data to construct a multi-scale sliding observation window mechanism without occupying CPU cycles, establishing parallel first-scale and second-scale sliding observation windows. This engine is programmable, supporting remote updates of the sliding window step size and packet length histogram grading thresholds via ground commands to address communication rate differences at different orbital altitudes. A multi-dimensional statistical computation module, integrated within the hardware feature extraction engine, extracts multi-dimensional statistical computations in parallel based on the first-scale and second-scale sliding windows. These multi-dimensional statistical computations characterize traffic distribution. The system utilizes the characteristics of distribution, fluctuation, trend, and structure to construct and generate high-dimensional original feature vectors. A feature fusion and normalization module performs feature fusion and normalization mapping on the multi-dimensional computational units at different scales and dimensions, generating standardized feature vectors. An online incremental SVM classification module, based on an embedded monolithic system or digital signal processor with a built-in SVM inference accelerator, inputs the standardized feature vectors into the SVM model based on the online incremental support vector machine (SVM) model and on-orbit evolution mechanism to perform classification calculations. Based on the distance from feature points to the optimal classification hyperplane, it outputs the classification results of flow attributes and risk assessment indicators. This module uses fixed-point arithmetic instead of floating-point arithmetic to perform kernel function multiplication, thereby increasing the classification accuracy. The latency is controlled at the microsecond level to match the data processing rate of the satellite's high-speed downlink. A dual-mode detection strategy is also employed: in normal monitoring mode, only the first-scale window and the CUSUM operator are activated to perform low-power real-time monitoring; in deep defense mode, full-scale, full-operator detection logic and collaborative sensing interfaces are fully activated. An incremental learning control module monitors the drift state of the normal service traffic baseline. When the classification result shows a persistent shift but does not reach the attack threshold, an incremental learning mechanism is triggered, correcting only the key support vectors that determine the SVM classification hyperplane to achieve on-orbit adaptive detection. This module includes a shadow memory area to store model snapshots before and after updates, ensuring the smooth transition between models. The system ensures continuous detection; it also supports a model snapshot rollback strategy: when incremental correction causes the model classification accuracy to decrease beyond a preset safety threshold, the updated parameters are automatically discarded and the system rolls back to the previous stable version model snapshot, and a reset request is sent to the ground; the inter-satellite collaborative detection module, integrated into the satellite communication subsystem, is used to synchronize locally detected risk confidence information to neighboring nodes via inter-satellite links when the risk assessment indicators calculated by a single satellite node meet preset early warning conditions, and performs spatial correlation analysis in conjunction with the constellation topology to achieve joint discrimination against distributed attacks; this module supports collaborative signaling transmission at a specific security level, and has data compression and integrity verification functions to ensure the real-time performance and accuracy of collaborative information.

[0050] The specific working principles of each of the above modules have been described in the aforementioned system embodiments, so they will not be repeated here.

[0051] Based on the same concept, an electronic device is also provided in some embodiments of this application. This electronic device includes a memory and a processor, wherein the memory stores a processing program, and the processor executes the processing program according to instructions. When the processor executes the processing program, the satellite network abnormal traffic detection method based on multi-scale feature fusion and distributed incremental support vector machines described in the foregoing embodiments is realized.

[0052] In some embodiments of this application, a readable storage medium is also provided. This readable storage medium can be a non-volatile readable storage medium or a volatile readable storage medium. The readable storage medium stores instructions that, when executed on a computer, cause an electronic device containing this readable storage medium to perform the aforementioned satellite network abnormal traffic detection method based on multi-scale feature fusion and distributed incremental support vector machines.

[0053] It is understood that the aforementioned satellite network abnormal traffic detection methods based on multi-scale feature fusion and distributed incremental support vector machines, if implemented as software functional modules and sold or used as independent products, can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this invention, in essence, or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods in the various embodiments of this invention. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.

[0054] Computer-readable storage media may include data signals propagated in baseband or as part of a carrier wave, carrying readable program code. Such propagated data signals may take various forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination thereof. A readable storage medium may also be any readable medium other than a readable storage medium that can transmit, propagate, or transfer a program for use by or in connection with an instruction execution system, apparatus, or device. The program code contained on the readable storage medium may be transmitted using any suitable medium, including but not limited to wireless, wired, optical fiber, RF, etc., or any suitable combination thereof.

[0055] The program code for executing the technical solutions disclosed in this application can be written in any combination of one or more programming languages. These programming languages ​​include object-oriented programming languages—such as Java and C++—and conventional procedural programming languages—such as C or similar languages. The program code can be executed entirely on the user's computing device, partially on the user's computing device, as a standalone software package, partially on the user's computing device and partially on a remote computing device, or entirely on a remote computing device or server. In cases involving remote computing devices, the remote computing device can be connected to the user's computing device via any type of network, including a local area network (LAN) or a wide area network (WAN), or it can be connected to an external computing device (e.g., via the Internet using an Internet service provider).

[0056] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, and not to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features; and these modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims

1. A method for detecting abnormal traffic in satellite networks based on multi-scale feature fusion and distributed incremental support vector machines, characterized in that, include: To acquire real-time network traffic, a multi-scale sliding observation window mechanism is constructed, establishing parallel first-scale and second-scale sliding observation windows; Multidimensional statistical computation elements are extracted in parallel based on the first-scale sliding window and the second-scale sliding window. The multidimensional statistical computation elements characterize the distribution, fluctuation, trend and structural dimension characteristics of the flow, and construct and generate a high-dimensional original feature vector. The multidimensional computational subsystems of different scales and dimensions are subjected to feature fusion and normalization mapping to generate standardized feature vectors; Based on the online incremental support vector machine (SVM) model and the on-orbit evolution mechanism, the standardized feature vectors are input into the SVM model to perform classification calculations. Based on the distance from the feature points to the optimal classification hyperplane, the classification results of the traffic attributes and risk assessment indicators are output. The system monitors the drift status of the normal business traffic baseline. When the classification result shows a continuous deviation but does not reach the attack threshold, it triggers an incremental learning mechanism to correct only the key support vectors that determine the SVM classification hyperplane, so as to achieve on-track adaptation of the detection model. When the risk assessment index calculated by a single satellite node meets the preset early warning conditions, the risk confidence information obtained from local detection is synchronized to neighboring nodes via inter-satellite links, and spatial correlation analysis is performed in conjunction with the constellation topology to achieve joint discrimination against distributed attacks.

2. The satellite network abnormal traffic detection method based on multi-scale feature fusion and distributed incremental support vector machine according to claim 1, characterized in that, The first-scale sliding observation window is configured with a time length of milliseconds to capture the instantaneous characteristics of sudden attack traffic; The second-scale sliding observation window is configured with a time length of minutes to monitor the statistical offset of covert scans or low-rate attacks; the first-scale sliding observation window slides in parallel with the second-scale sliding observation window.

3. The satellite network abnormal traffic detection method based on multi-scale feature fusion and distributed incremental support vector machine according to claim 1, characterized in that, The multidimensional statistical calculation sub-extraction based on the parallel extraction of the first-scale sliding window and the second-scale sliding window includes: Perform the following operations simultaneously within the first-scale sliding window and the second-scale sliding window: The first-dimensional operator uses entropy weight features to calculate information entropy by statistically analyzing the frequency of occurrence of source IP addresses and destination IP addresses within a window. This is used to characterize the abnormal state of address distribution shifting from concentration to diffusion, in order to determine whether IP spoofing or large-scale address scanning exists. The second-dimensional operator uses the coefficient of variation, which is calculated by the ratio of the standard deviation to the mean of the data packet arrival interval. This is used to characterize the dispersion of traffic and to identify simulated traffic generated by automated attack tools with periodic patterns. The third-dimensional operator uses the cumulative sum CUSUM. It calculates the deviation between the current traffic observation and the baseline mean, subtracts the preset tolerance threshold, and then performs non-negative unidirectional accumulation to produce an integral amplification effect on small deviations. This allows for early identification of the gradual increase trend of low-rate attack traffic before the static alarm threshold is exceeded. The fourth-dimensional operator uses a packet length histogram distribution to count the proportion of packets according to a preset byte range, which is used to identify channel congestion attacks caused by small packet padding. The above-mentioned statistical operators calculated under the first-scale sliding window and the second-scale sliding window are combined to construct a high-dimensional original feature vector containing multi-scale and multi-dimensional information.

4. The satellite network abnormal traffic detection method based on multi-scale feature fusion and distributed incremental support vector machine according to claim 1, characterized in that, The classification results and risk assessment indicators for traffic attributes, based on the distance from feature points to the optimal classification hyperplane, include: The decision function of the SVM classification model is invoked to calculate the absolute geometric distance from the standardized feature vector to the optimal classification hyperplane; A preset nonlinear mapping function is used to convert the absolute geometric distance into a risk probability score within a preset probability range; The classification results and the risk probability scores are combined and encapsulated to generate the risk assessment index.

5. The satellite network abnormal traffic detection method based on multi-scale feature fusion and distributed incremental support vector machine according to claim 1, characterized in that, The triggering incremental learning mechanism, which only modifies the key support vectors that determine the SVM classification hyperplane, includes: When a persistent shift in the classification result is detected, samples within a preset interval of the SVM decision boundary are selected as candidate sets to be updated. The candidate set to be updated is determined as a new key support vector only if it violates the KKT constraints; An incremental recursive algorithm is used to update the Lagrange multipliers of the key support vectors to dynamically adjust the normal vector of the hyperplane, without performing retraining on the full historical data.

6. The satellite network abnormal traffic detection method based on multi-scale feature fusion and distributed incremental support vector machine according to claim 1, characterized in that, The method of performing spatial correlation analysis based on constellation topology to achieve joint discrimination against distributed attacks includes: When the risk confidence probability score of a single-star node exceeds a preset primary threshold, a collaborative request signaling containing the node identifier, orbital position, and anomaly feature summary is generated. The neighboring node that receives the cooperative request signaling retrieves a snapshot of its own traffic statistics features within its corresponding time window and calculates the mutual information between the local features and the request source features; If more than a preset threshold number of nodes within a specific orbital plane simultaneously report abnormal features, and the abnormal pattern exhibits spatiotemporal continuity, then the attack is jointly identified as a distributed denial-of-service attack targeting the constellation, triggering a network-wide coordinated interception command.

7. The satellite network abnormal traffic detection method based on multi-scale feature fusion and distributed incremental support vector machine according to claim 1, characterized in that, The online incremental support vector machine (SVM) model and on-orbit evolution mechanism also include: The SVM model uses fixed-point arithmetic instead of floating-point arithmetic to perform kernel function multiplication, thereby controlling the classification inference latency to the microsecond level, matching the data processing rate of the satellite's high-speed downlink. The on-orbit evolution mechanism includes a model snapshot rollback strategy: before executing the incremental learning mechanism correction, the current model parameters and hyperplane state are stored in the shadow memory area as a snapshot of the previous stable version model; when the incremental correction causes the model classification accuracy to drop beyond a preset safety threshold, the updated parameters are automatically discarded and the model is rolled back to the previous stable version model snapshot, and a reset request is sent to the ground.

8. The satellite network abnormal traffic detection method based on multi-scale feature fusion and distributed incremental support vector machine according to claim 1, characterized in that, It also includes a false alarm suppression mechanism: By reading the satellite payload mission plan, the predicted data transmission window period and expected bandwidth usage parameters can be obtained; Using the data transmission window period and expected bandwidth occupancy parameters as background noise benchmarks, the traffic observations are dynamically compensated during the calculation phase of the multidimensional system computation unit to prevent normal load data transmission tasks from triggering false alarms.

9. The satellite network abnormal traffic detection method based on multi-scale feature fusion and distributed incremental support vector machine according to claim 8, characterized in that, The false alarm suppression mechanism also includes a dynamic adaptive compensation strategy: Obtain the space environment parameters of the satellite's current orbital position and assess the expected link error disturbance value caused by space thermal noise; Based on the expected link error disturbance value, the statistical weights of packet length distribution and arrival interval in the multidimensional statistical calculation are dynamically adjusted to suppress false alarms caused by spatial physical environment interference.

10. A satellite network abnormal traffic detection device based on multi-scale feature fusion and distributed incremental support vector machine, characterized in that, The apparatus for implementing the detection method according to any one of claims 1 to 9 comprises: The hardware feature extraction engine, deployed in the FPGA logic architecture, includes a parallel counter array and a shift register group. It is used to acquire real-time network traffic and build a multi-scale sliding observation window mechanism without occupying CPU cycles, establishing a parallel first-scale sliding observation window and a second-scale sliding observation window. The multidimensional statistical computation sub-extraction module is integrated into the hardware feature extraction engine. It is used to extract multidimensional statistical computation sub-sub ... The feature fusion and normalization module is used to perform feature fusion and normalization mapping on the multidimensional computation sub-components of different scales and dimensions to generate standardized feature vectors; The online incremental SVM classification module is used to input the standardized feature vectors into the SVM model to perform classification calculations based on the online incremental support vector machine SVM model and the on-orbit evolution mechanism. Based on the distance from the feature points to the optimal classification hyperplane, it outputs the classification results of the traffic attributes and risk assessment indicators. The incremental learning control module is used to monitor the drift status of the normal business traffic benchmark. When the classification result shows a continuous deviation but does not reach the attack threshold, the incremental learning mechanism is triggered to correct only the key support vectors that determine the SVM classification hyperplane, so as to achieve on-track adaptation of the detection model. The inter-satellite collaborative detection module is used to synchronize the risk confidence information obtained from local detection to neighboring nodes via inter-satellite links when the risk assessment indicators calculated by a single satellite node meet the preset early warning conditions, and to perform spatial correlation analysis in combination with the constellation topology to achieve joint discrimination against distributed attacks.