Network attack monitoring analysis method and monitoring analysis system
By extracting behavioral intent vectors from a unified semantic space from multi-source data and quantifying the consistency of cross-layer behavioral intent, the problem of traditional detection systems struggling to identify cross-protocol layer evasion attacks is solved, and accurate detection of high-order evasion attacks is achieved.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- YUNBIAN CLOUD TECHNOLOGY (SHANGHAI) CO LTD
- Filing Date
- 2026-05-12
- Publication Date
- 2026-07-14
AI Technical Summary
Traditional detection systems struggle to identify cross-protocol layer evasion attacks because they lack the ability to comprehensively analyze the consistency between the intents of multiple layers, thus failing to detect high-level attacks.
By collecting observation data from multiple network and host data sources, an intent encoder is used to map it into a unified-dimensional intent vector. By combining prior constraint graphs, intent consistency distributions, and graph neural networks, the incompatibility, joint anomaly, and interpretability inconsistency between intents are quantified, and a combined conflict score is generated to trigger an alarm.
It achieves accurate detection of high-order evasion attacks that appear normal at a single layer but exhibit inexplicable contradictions in their cross-protocol layer behavioral intentions, thus solving the problems of isolated perspectives and semantic fragmentation in traditional detection systems.
Smart Images

Figure CN122394939A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of network security technology, specifically to network attack monitoring and analysis methods and systems. Background Technology
[0002] As cyberattack techniques continue to evolve, sophisticated attackers are increasingly employing cross-protocol layer evasion strategies to evade traditional security detection systems. These attacks typically exhibit inconsistent behavioral intent across different network layers (such as the application layer, transport layer, and domain name resolution layer). For example, they might simulate normal user browsing behavior at the HTTP layer, while exhibiting clear automated or command-and-control (C2) communication characteristics at the DNS or TLS layer.
[0003] Traditional detection systems typically employ independent strategies to detect anomalies at a single level, lacking the comprehensive analytical capability to assess the consistency between multiple layers of behavioral intent, making it difficult to detect such evasion attacks. While existing machine learning-based behavioral analysis systems exist, most focus on single-layer feature modeling or multi-feature fusion classification, failing to fundamentally model the inherent consistency between multiple layers of intent and lacking mechanisms for quantifying and interpreting cross-layer behavioral contradictions.
[0004] Therefore, there is an urgent need for a detection method that can automatically extract multi-layered behavioral intentions and evaluate their consistency in a unified semantic space to identify and interpret cross-policy behavioral conflicts, thereby enabling earlier and more accurate detection of network attacks. Summary of the Invention
[0005] The purpose of this invention is to provide a network attack monitoring and analysis method, system, storage medium, and computer program product to solve the problems mentioned in the background art.
[0006] The first aspect of this invention provides a method for network attack monitoring and analysis, comprising the following steps: Step S10: Collect observation data from multiple network and host data sources, including at least L7 application layer, DNS layer, TLS fingerprint layer and host process behavior layer, and aggregate them by session within a predefined time window; Step S20: For each type of aggregated observation data, use the corresponding intent encoder to map it into an intent vector of a unified dimension, and construct an intent vector field based on the combination of multiple intent vectors generated within the same time window. Step S30, based on the prior constraint graph and the learned intent Figure 1 The consistency distribution is used to calculate the incompatibility and joint anomaly among multiple intentions in the intention vector field, and an interpretable contradiction degree is generated using a graph neural network; wherein, the prior constraint graph is a weighted graph with predefined intention categories as nodes and intention compatibility as edge weights, and the intention... Figure 1 The consistency distribution is a joint probability distribution obtained by modeling the normal user intent vector field using a multivariate joint density estimation algorithm. Step S40: Generate a combined conflict score based on incompatibility, joint anomaly, and interpretability contradiction. When the combined conflict score exceeds a threshold, trigger an alarm and output the cross-source evidence pair that caused the high combined conflict score.
[0007] A second aspect of the present invention provides a network attack monitoring and analysis system, the system comprising: The data acquisition and aggregation module is configured to: acquire observation data from multiple network and host data sources, the data sources including at least the L7 application layer, DNS layer, TLS fingerprint layer and host process behavior layer, and aggregate the data by session within a predefined time window; The multi-layer intent encoding module is configured to: map each type of aggregated observation data into a unified-dimensional intent vector using the corresponding intent encoder, and construct an intent vector field based on the combination of multiple intent vectors generated within the same time window; Intent conflict determination engine, configured to: base its decisions on prior constraint graphs and learned intents. Figure 1 The consistency distribution is used to calculate the incompatibility and joint anomaly among multiple intentions in the intention vector field, and an interpretable contradiction degree is generated using a graph neural network; wherein, the prior constraint graph is a weighted graph with predefined intention categories as nodes and intention compatibility as edge weights, and the intention... Figure 1 The consistency distribution is a joint probability distribution obtained by modeling the normal user intent vector field using a multivariate joint density estimation algorithm. The conflict score fusion and alarm module is configured to: generate a combined conflict score based on incompatibility, joint anomaly and interpretability contradiction; trigger an alarm when the combined conflict score exceeds a threshold; and output the cross-source evidence pair that caused the high combined conflict score.
[0008] A third aspect of the present invention provides a storage medium having a computer program stored thereon, which, when executed by a processor, implements the steps of the method as described in any of the preceding claims.
[0009] A fourth aspect of the present invention provides a computer program product comprising a computer program that, when executed by a processor, implements the steps of the method as described in any of the preceding claims.
[0010] This invention automatically extracts behavioral intent vectors from a unified semantic space from multi-source data and quantifies the consistency of their cross-layer behavioral intents. This enables the accurate detection of high-order evasion attacks that behave normally at a single layer but exhibit inexplicable contradictions in their cross-protocol layer behavioral intents. This solves the technical problem that traditional detection systems struggle to detect such threats due to isolated perspectives and semantic fragmentation. Attached Figure Description
[0011] Figure 1 This is a flowchart illustrating a network attack monitoring and analysis method disclosed in an embodiment of the present invention; Figure 2 This is a schematic diagram of the core data flow of a network attack monitoring and analysis method disclosed in an embodiment of the present invention; Figure 3 (a) Figure 3 (b) is a schematic diagram of two structural forms of the intent encoder disclosed in the embodiments of the present invention; Figure 4 This is a schematic diagram of the structure of a network attack monitoring and analysis system disclosed in an embodiment of the present invention; Figure 5 This is a schematic diagram of another structure of a network attack monitoring and analysis system disclosed in an embodiment of the present invention. Detailed Implementation
[0012] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0013] Please see Figure 1 , Figure 2 This invention provides a network attack monitoring and analysis method, comprising the following steps: Step S10: Collect observation data from multiple network and host data sources, including at least L7 application layer, DNS layer, TLS fingerprint layer and host process behavior layer, and aggregate them by session within a predefined time window; In this step, observation data from multiple sources is passively collected from the network environment. Data sources include at least the L7 application layer, DNS layer, TLS fingerprint layer, and host process behavior layer. The collection methods and core observation content for each data source are detailed below: L7 Application Layer: Passively collects all outbound HTTP / HTTPS and SMTP protocol traffic through traffic mirroring devices deployed on enterprise gateways.
[0014] Core observation content includes, for example, URL path segmentation (e.g., splitting " / index.html" into ["index", "html"]), HTTP request methods (GET / POST / PUT / DELETE), User-Agent field, POST request body size, request parameter characteristics (e.g., whether it contains suspicious file extensions .pdf / .exe), HTTP response status codes (200 / 404 / 500, etc.), request time interval, Referer field sequence, cookie information, etc.
[0015] DNS layer: By configuring the log forwarding function of the enterprise DNS server, DNS query logs of all terminals are collected.
[0016] Core observation content includes, for example, the query domain name, query type (A / AAAA / TXT / MX, etc.), query frequency (the number of queries by a terminal per unit time), the entropy value of the query domain name (calculated using the Shannon entropy formula, reflecting the proportion of random characters in the domain name), the n-gram features of the query domain name (such as the character combinations after 2-gram segmentation), the NXDOMAIN response ratio (the proportion of times a terminal queries a non-existent domain name), the query interval distribution (statistics on the time difference between two adjacent queries), the domain name registration age (obtained by calling the WHOIS interface), and the distribution of client queries to multiple domain names (the number of different domain names queried by a terminal per unit time and their affiliation), etc.
[0017] TLS fingerprint layer: Parses the TLS handshake process through the gateway traffic mirroring device, and collects the client's hello message and handshake-related characteristics.
[0018] Core observational content includes, for example: client hello fingerprint (a unique identifier generated based on the cipher suite list, extended field order, version number, etc.), ALPN protocol negotiation result (such as h2 / http1.1), supported extended fields (such as SNI, OCSP Stapling, 0-RTT, etc.), certificate chain characteristics (certificate authority, validity period, subject field), handshake sequence (the time difference from the client sending hello to the server responding with hello, accurate to the millisecond level), key exchange algorithm type, etc.
[0019] Host process behavior layer: Deploy a lightweight host agent on all office terminals in the enterprise to collect process behavior data of the terminals.
[0020] Core observation content includes, for example: system call sequence summary (such as the frequency and order of system calls such as open / read / write / sendto), critical process spawn pattern (such as the relationship between parent and child processes, and whether there is abnormal process fork behavior), file access path pattern (such as whether it accesses sensitive system directories or hidden directories), network connection pattern (the network connection IP, port, and connection duration of the process), process startup time and duration, etc.
[0021] In addition to the four types of data sources mentioned above, L3 / L4 layer data (such as TCP connection status and port scanning behavior) and identity authentication logs (such as VPN login and domain account login records) can be collected according to actual needs. The collection method of the extended data sources is the same as that of the core data sources mentioned above, which adopts passive collection or lightweight proxy collection, without affecting the normal operation of the business system. The details will not be elaborated further.
[0022] After collecting the raw data, preprocessing is performed, including time synchronization, field standardization, and privacy-compliant de-identification or hashing. Then, within a predefined time window (e.g., a short window of 1 minute, a medium window of 10 minutes, and a long window of 1 hour), cross-layer observation data belonging to the same network session or user session are aggregated using association identifiers such as session identifiers (e.g., Session ID), a 5-tuple consisting of the source IP address, destination IP address, and port, or a user ID. This forms a unified cross-layer behavioral session object, ensuring that subsequent analysis can target the complete behavioral trajectory of the same entity.
[0023] Step S20: For each type of aggregated observation data, use the corresponding intent encoder to map it into an intent vector of a unified dimension, and construct an intent vector field based on the combination of multiple intent vectors generated within the same time window. In this step, each type of aggregated observation data (such as HTTP session sequences, DNS query sequences, TLS handshake features, and process behavior sequences) is processed using a corresponding intent encoder. Each intent encoder ultimately outputs a real-valued vector of a uniform dimension (e.g., d=128 dimensions), i.e., an intent vector. It can be understood that this intent vector includes the high-level behavioral semantics of the corresponding observation data. For cross-layer behavioral session objects aggregated within the same time window, the multiple intent vectors they contain from the L7 layer, DNS layer, TLS layer, host layer, etc., collectively constitute an intent vector field.
[0024] Step S30, based on the prior constraint graph and the learned intent Figure 1The consistency distribution is used to calculate the incompatibility and joint anomaly among multiple intentions in the intention vector field, and an interpretable contradiction degree is generated using a graph neural network; wherein, the prior constraint graph is a weighted graph with predefined intention categories as nodes and intention compatibility as edge weights, and the intention... Figure 1 The consistency distribution is a joint probability distribution obtained by modeling the normal user intent vector field using a multivariate joint density estimation algorithm. This step aims to quantify the inconsistencies within the intent vector field, as follows: (1) Calculate the incompatibility degree based on the prior constraint graph. The prior constraint graph is a weighted graph with predefined intent categories as nodes and the compatibility degree between intents as edge weights. The predefined intent categories are, for example, {browse, download, authenticate, C2 probe, C2 backlink, data transmission}; the edge weights s(i,j)∈[0,1] represent the compatibility degree of intent categories i and j in normal user behavior.
[0025] For example: In the prior constraint diagram, the compatibility edge weight s(browse, C2 backlink) between the two intent categories "browse" and "C2 backlink" can be preset to a very low 0.05, because normal users do not usually engage in regular C2 backlink behavior when browsing web pages.
[0026] By mapping vectors in the intent vector field to the semantic space of this weighted graph, and calculating the quantified incompatibility penalty value, i.e., the incompatibility degree, based on the compatibility relationships defined in the graph. .
[0027] (2) Based on intention Figure 1 The joint outlier is calculated using the consistency distribution. Among these, the intention... Figure 1 The consistency distribution is a joint probability distribution obtained by modeling the intent vector field of massive amounts of normal user behavior using a multivariate joint density estimation algorithm. Calculating the joint anomaly involves inputting the current intent vector field to be detected as a whole into this joint probability distribution and calculating the probability that it belongs to the normal joint distribution. Joint anomaly That is, the negative logarithm of the joint probability: .
[0028] For example: If an intent vector field simultaneously contains both high-confidence "browsing" intent and "data transfer" intent, and normal users rarely exhibit both behaviors within the same short time window, then the intent vector field... The value will be extremely low, resulting in Abnormally high.
[0029] (3) Generating interpretable contradiction scores using graph neural networks. Graph neural networks are used to capture the complex, non-linear contradiction relationships between intent vectors. Specifically, the intent vector field is constructed as a graph structure (each intent vector is a node) and input into a pre-trained graph neural network (such as GraphSAGE). This graph neural network directly outputs scalar scores by learning the complex interaction relationships between nodes. As an explanatory degree of contradiction.
[0030] Step S40: Generate a combined conflict score based on incompatibility, joint anomaly, and interpretability contradiction. When the combined conflict score exceeds a threshold, trigger an alarm and output the cross-source evidence pair that caused the high combined conflict score.
[0031] In this step, the above calculations are used... , and The weighted fusion is performed to generate the final combined conflict score, the specific expression of which is: ,in, These are the weight parameters determined through optimization using the validation set.
[0032] When the combined conflict score (CS) exceeds the threshold τ set according to the false alarm budget, it is determined that there is a cross-policy behavior conflict in the current session, triggering a security alarm.
[0033] Furthermore, it can automatically extract core intent vector pairs and related information that lead to high combined conflict scores, forming a chain of evidence output. For example, the output: "L7 application layer intent: browsing (confidence 0.89) vs DNS layer intent: C2_beacon (confidence 0.94) → prior compatibility 0.05; TLS fingerprint layer intent: automation script (confidence 0.90) vs L7 application layer intent: browsing (confidence 0.89) → prior compatibility 0.07", provides direct evidence for security personnel to quickly locate cross-layer conflict points and determine attack intent.
[0034] This invention automatically extracts behavioral intent vectors from a unified semantic space from multi-source data and quantifies the consistency of their cross-layer behavioral intents. This enables the accurate detection of high-order evasion attacks that behave normally at a single layer but exhibit inexplicable contradictions in their cross-protocol layer behavioral intents. This solves the fundamental technical problem that traditional detection systems struggle to detect such threats due to isolated perspectives and semantic fragmentation.
[0035] As an example, the intent encoder is constructed using a lightweight Transformer or temporal convolutional network model and trained by combining a self-supervised learning task with a micro-supervised learning task based on high-level intent labels.
[0036] In this implementation, the intent encoder is constructed using a lightweight Transformer or Temporal Convolutional Network (TCN) model, and their specific structures are described below: (1) Lightweight Transformer model structure The lightweight Transformer is optimized based on the standard Transformer encoder, significantly reducing computational complexity while maintaining expressive power. (See also...) Figure 3 (a) The specific architecture is as follows: Embedding layer: Maps the input discrete tokens (such as URL path tokens, DNS lookup name n-grams) into dense vector representations. For the HTTP URL path " / api / v1 / user / login", it is first tokenized into ["api","v1","user","login"], and then the embedding vector of each token is obtained through a lookup table.
[0037] Position encoding: Learnable position encoding or sinusoidal position encoding is used to generate a position vector for each position in the sequence, which is added to the token embedding and then input into the encoder.
[0038] Encoder layer: Contains 4-8 coding layers (instead of the standard 12 or more layers in the Transformer), each layer including a multi-head self-attention mechanism. The number of heads is set to 4-8, and the calculation formula is as follows: The calculation for each attention head is as follows: .
[0039] Feedforward network: adopts a bottleneck structure, with an input dimension of d=128 and an intermediate layer dimension of 512, and uses the GeLU activation function.
[0040] Layer normalization and residual connections: Apply layer normalization before and after each sub-layer and add residual connections to mitigate gradient vanishing.
[0041] Pooling layer: Performs mean pooling or uses the representation corresponding to the [CLS] token on the sequence representation output by the encoder to obtain a fixed-dimensional representation of the entire sequence.
[0042] Output layer: The pooled representation is projected onto a unified d=128-dimensional intent vector space through a fully connected layer.
[0043] (2) Temporal Convolutional Network (TCN) Model Structure TCN employs causal convolution and dilated convolution to capture long-term temporal dependencies, making it particularly suitable for processing long-sequence data. (See also...) Figure 3 (b) The specific architecture is as follows: Input layer: Receives a temporal feature sequence, for an input sequence of length T and feature dimension F. .
[0044] Causal convolutional layers: ensure that the output at time t depends only on the input at time t and before, without revealing future information. They use a one-dimensional convolutional kernel that slides along the time dimension, with kernel size k=3 or 5.
[0045] Dilated convolution block: Stacked multiple dilated convolution layers, the dilation factor of the l-th layer. The receptive field grows exponentially with the number of layers. A single TCN residual block contains: dilated causal convolution: causal convolution using a dilation factor d; weight normalization: normalizing the convolution weights to stabilize training; ReLU activation and spatial dropout to prevent overfitting; residual connections: added to the main path after adjusting the dimensions through 1x1 convolutions.
[0046] The formula for calculating the output of dilated convolution is: .
[0047] Depthwise separable convolution: Depthwise separable convolution is used in deep layers to reduce the number of parameters. First, each channel is convolved independently, and then the channels are mixed by 1x1 convolution.
[0048] Global pooling layer: Performs global average pooling on the temporal dimension of the temporal features output by TCN to obtain sequence-level representation.
[0049] Output layer: Projected onto the d=128-dimensional intent vector space through a fully connected layer.
[0050] The intent encoder is trained by combining self-supervised learning tasks (such as mask token recovery and next event prediction) with micro-supervised learning tasks based on high-level intent labels. The goal of the micro-supervised task is to predict the high-level behavioral intent label for an observation from historical labeled data. For example, for HTTP traffic, the intent label could be "user browsing," "file download," "API interaction," or "automation script"; for DNS traffic, the intent label could be "normal resolution," "DGA domain name query," or "beaconing."
[0051] The training process is illustrated below with an example: (1) Self-supervised pre-training stage Masked Language Modeling (MLM): Randomly mask 15% of the tokens in the input sequence, and train the model to predict the masked content based on the context. The loss function is:
[0052] Where D represents the data distribution of the training data. Represents all possible input sequences The average value is taken based on the probability of its occurrence; M is the set of masked positions. Represents the input sequence Remove the masked position The remaining context.
[0053] Next event prediction: Given a sequence of preceding events Predicting the next event The type or characteristic.
[0054] Contrastive learning: Creates different views of the same sequence through data augmentation, and trains the model to make its representations similar in the embedding space. Employs InfoNCE loss.
[0055] in, , These are representations of different enhanced views within the same sequence. The vector representation of the anchor point sample. The vector representation of positive samples, and From the same original data sample; The vector representation of negative samples, and From different raw data samples; is the temperature coefficient, a hyperparameter greater than 0, used to adjust the sensitivity of the loss function to difficult negative samples.
[0056] (2) Micro-supervision and fine-tuning stage Based on the pre-trained model, supervised fine-tuning was performed using high-level intent-labeled data with manual annotations, as follows: Multi-label classification task: Each intent vector needs to predict multiple possible behavioral intent labels, using sigmoid cross-entropy loss. Where C is the number of intent categories, Indicates whether a sample belongs to class c. For input The original output value for the c-th category, It is the Sigmoid activation function.
[0057] Cross-source contrast alignment: Different source intent vectors of the same session should be close to each other in the projection space.
[0058] in, , Different data sources from the same session, It is a projection network.
[0059] As an example, the calculation process for the incompatibility degree includes: Step S31: Map each intention vector in the intention vector field to the intention category space predefined by the prior constraint graph, and calculate the soft similarity between each pair of intention vectors in the intention category space; In this step, each intent vector in the intent vector field is mapped to a predefined intent category space in the prior constraint graph through its accompanying soft label distribution. The intent category space includes nodes such as {browse, download, authentication, C2_probe, C2_beacon, remote execution, data transfer}.
[0060] For any two intention vectors IV in the intention vector field i and IV j Calculate its soft similarity α in the intention category space. ij Soft similarity is calculated by determining the cosine similarity between the soft label distribution vectors corresponding to two intent vectors. The specific formula is as follows:
[0061] in, , , respectively representing the intent vector IV i and IV j The probability distribution vector in the intent category space.
[0062] For example, suppose the HTTP layer intent vector IV http The distribution is [views: 0.85, downloads: 0.10, authentication: 0.05], DNS layer intent vector IV dns The distribution of [C2_beacon: 0.80, views: 0.15, downloads: 0.05] is given, and their soft similarity is calculated as follows: .
[0063] S32. Query the prior constraint graph to obtain the compatibility edge weights corresponding to each pair of intent categories.
[0064] In this step, the prior constraint graph is queried to obtain the compatibility edge weights s(i,j)∈[0,1] for each pair of intent categories. The prior constraint graph is a weighted graph with predefined intent categories as nodes and the compatibility between intents as edge weights.
[0065] For example, in the prior constraint graph, the compatibility edge weights of some intent category pairs are preset as follows: Compatibility between browsing and downloading: s(browse, download) = 0.85; Compatibility between browsing and C2_beacon: s(browse, C2_beacon) = 0.05; Compatibility between authentication and data transmission: s(authentication, data transmission) = 0.10; Compatibility between C2_probe and C2_beacon: s(C2_probe, C2_beacon) = 0.95.
[0066] Understandably, these compatibility weights are initialized using a combination of historical traffic statistics and expert knowledge, and adjusted during system operation based on intention. Figure 1 The drift of the uniform distribution is adaptively adjusted.
[0067] Step S33: Based on the soft similarity and the corresponding compatibility edge weights, a prior incompatibility penalty value is calculated and used as the incompatibility degree.
[0068] In this step, based on the soft similarity α ij Together with the corresponding compatibility edge weights s(i,j), the prior incompatibility penalty value P is calculated. incomp The calculation formula is as follows:
[0069] in, Let be the soft similarity between IVi and IVj in the class space, and s(i,j)∈[0,1] be the compatibility edge weight in the prior constraint graph. When the two intentions are incompatible in the prior constraint graph, s is small, leading to P... incomp rise.
[0070] For example, suppose the following two intent vectors are observed within the same detection window: IV http The distribution is [Views: 0.88, Downloads: 0.10, Authentication: 0.02], with the main category being "Views"; IV dns The distribution is [C2_beacon: 0.93, views: 0.05, downloads: 0.02], with the main category being "C2_beacon". Soft similarity α http,dns =0.17, compatibility edge weight query: s(browser, C2_beacon)=0.05, then the incompatibility P incomp =1-[0.17×0.05]=0.9915. This incompatibility value of 0.9915 is close to 1, indicating that based on prior constraint knowledge, the browsing intent of the HTTP layer and the C2_beacon intent of the DNS layer are extremely incompatible, and there is a clear cross-layer behavioral contradiction.
[0071] When the intent vector field contains multiple intent vectors, it is necessary to calculate and sum the products of soft similarity and compatibility for all pairwise vector pairs. Given k intent vectors, the calculation formula is: The formula averages all pairwise vector pairs to ensure comparability of incompatibility across different numbers of intent vectors.
[0072] This implementation constructs a quantifiable incompatibility index by soft mapping the intent vector to the semantic space of the prior constraint graph and calculating the soft similarity. It combines expert knowledge and compatibility edge weights obtained through statistical learning, thereby achieving accurate calculation and quantitative evaluation of cross-protocol layer behavioral intent contradictions. This serves as a key criterion for discovering high-order attacks that deliberately evade traditional detection methods.
[0073] As an example, the calculation process for the joint anomaly degree includes: The intent vector field is input as a whole into the intent. Figure 1 In the consistency distribution model, through this intention Figure 1 The consistency distribution model calculates the joint probability of the intention vector field under normal behavior, and the negative logarithm of this joint probability is used as the joint anomaly degree; wherein, the intention Figure 1 Consistency distribution models are used to characterize the learned intention. Figure 1 Consistent distribution.
[0074] In this implementation, the intention is pre-built Figure 1 The consistent distribution model is constructed by the following steps: A large number of multi-source aligned intent vector field samples are extracted from historical normal traffic to ensure time window synchronization. The extracted samples are deduplicated and bursts of abnormal data are filtered to avoid contaminating the intent vector field. Figure 1 Consistent distribution.
[0075] A density estimation method based on a normalized flow model is employed, specifically using the RealNVP architecture. This method transforms simple prior distributions (such as the standard normal distribution) into desired values through a series of invertible transformations. Figure 1 Consistent distribution. The transformation formula is: ,in, , It is the zero vector. It is the identity matrix; each layer of transformation It includes a coupling layer to ensure that the Jacobian determinant is easy to compute.
[0076] Training is performed using negative log-likelihood loss, with the objective function being: By minimizing this loss function, the model learns the joint distribution characteristics of normal user behavior in the intent vector field space.
[0077] The intent vector field to be detected Input to the trained intention Figure 1 In the consistency distribution model, intention Figure 1 Consistency distribution model calculates the joint probability of this intention vector field under normal behavior. :
[0078] in, Under the prior distribution The probability density, It is the Jacobian determinant of the transformation, used to compensate for volume changes during the distribution transformation process.
[0079] Then joint anomaly degree .
[0080] For example, assuming a normal "user office" behavior, its intent vector field is represented as follows: L7 application layer intent: browsing (confidence 0.90); DNS layer intent: normal resolution (confidence 0.85); TLS fingerprint layer intent: modern browser (confidence 0.88). This combination occurs frequently in normal training data, therefore... A larger value, such as 0.6, corresponds to a joint outlier degree of: .
[0081] For example, for an evasion attack, its intent vector field is represented as follows: L7 application layer intent: browsing (confidence 0.88); DNS layer intent: C2 beaconing (confidence 0.93); TLS fingerprint layer intent: controlled client (confidence 0.91). This anomalous combination is extremely rare in normal data. The value is extremely low, for example, 10. -6 The corresponding joint outlier is: P anom =-log10 -6 =6.
[0082] This implementation method constructs an intention based on a normalized flow model. Figure 1 By using consistency distribution to learn the joint probability distribution of normal user behavior in the intent vector field space, and taking the negative logarithm of the joint probability of the intent vector field to be detected as the joint anomaly degree, we can realize the quantitative evaluation of the anomaly of cross-layer behavior combination from the perspective of overall statistical distribution, which serves as another key judgment criterion for discovering high-order attacks that deliberately evade traditional detection.
[0083] As an example, the method of generating interpretable contradictions using graph neural networks includes: Multiple intent vectors in the intent vector field are constructed into a graph structure, where each intent vector is a node in the graph. The graph structure is input into a pre-trained graph neural network model, which learns the interaction relationships between nodes and encodes the graph structure. A scalar contradiction score is output as the explanatory contradiction degree. The graph neural network model is trained using manually labeled contradictory and normal samples and a binary classification cross-entropy loss function.
[0084] In this implementation, multiple intent vectors in the intent vector field are first constructed into a graph structure, specifically: Node features: The initial features of each node are the corresponding intent vector. ; Edge connections: Edges are constructed using a fully connected approach, meaning each node is connected to all other nodes to form a complete graph; Edge weights: The initial edge weights can be set to weight values based on the cosine similarity of the intent vectors.
[0085] Graph structures can be formally represented as ,in: For a set of nodes, Let be the set of edges. This is the node feature matrix.
[0086] The pre-trained graph neural network model uses the GraphSAGE architecture, which specifically includes: Input layer: Receives the feature matrix of the receiving nodes ; Graph convolutional layers (layers 2-3): Each layer updates the node representation by aggregating information from neighboring nodes. The aggregation function uses mean pooling. ,in, Indicates the first Layers, nodes All neighboring nodes Aggregation characteristics; Represents the nodes in the graph The set of all neighboring nodes; Representing neighbor nodes In the The layer's feature representation; MEAN is the aggregation function, here it's the mean operation. The node update formula is: ,in For trainable weight matrix, It is the ReLU activation function; Representative node After the first The new feature representation obtained after layer graph convolution operation; Representative node In the The layer's feature representation is the feature of the node itself in the previous step; CONCAT is the splicing operation.
[0087] Graph-level representation layer: Attention pooling is used to aggregate the representations of all nodes to obtain the graph-level representation. ,in, This represents the final feature representation of the i-th node in the graph after processing through all L layers of graph convolutional layers. It is the normalized attention weight of the i-th node, calculated using the Softmax function.
[0088] Attention weight Where q is the query vector, and its dimension is the same as that of the node feature vector. They have the same dimensions.
[0089] Output layer: Maps the graph-level representation to scalar contradiction scores using a multilayer perceptron. ,in This is the weight matrix. This is a bias term.
[0090] The graph neural network model is trained using manually labeled contradictory and normal samples, employing a binary classification cross-entropy loss function. The specific training process is as follows: Construct training data. Positive samples (contradictory samples): Intent vector fields are extracted from historical events confirmed as cross-layer attacks, or generated through simulation in a laboratory environment; Negative samples (normal samples): Intent vector fields are randomly sampled from large-scale normal user traffic.
[0091] The loss function uses binary cross-entropy loss. ,in, Indicates the sample label (1 for contradictory samples, 0 for normal samples). These are the model's predicted values.
[0092] The Adam optimizer was used with a learning rate of 0.001, a batch size of 32, and a training cycle of 100 epochs.
[0093] Next, after constructing the intent vector field to be detected as a graph structure, it is input into a trained graph neural network model. The model learns the complex interaction relationships between nodes and encodes the entire graph structure, ultimately outputting a scalar conflict score. As an explanatory degree of contradiction.
[0094] For example, consider a graph structure containing three intent vectors: Node 1: L7 application layer intent vector (browsing, confidence 0.88); Node 2: DNS layer intent vector (C2 Beaconing, confidence 0.93); Node 3: TLS fingerprint layer intent vector (controlled client, confidence level 0.91).
[0095] Graph neural networks learn complex conflict patterns among these three intent vectors through message passing mechanisms, potentially resulting in higher conflict scores. .
[0096] This implementation constructs the intent vector field as a fully connected graph and utilizes graph neural networks to learn the complex nonlinear interaction relationships between nodes. It can uncover deep contradictory patterns that transcend prior rules and statistical features, thereby enabling the effective detection of complex evasion attacks that do not show anomalies in a single or dual dimension but have inherent contradictions in their overall behavioral patterns. This helps to improve the ability to detect new and advanced threats.
[0097] As an example, the method also includes: Maintain a profile of the historical behavior of entities corresponding to the same session or source IP within a long-term time window; In this step, the historical behavior profile records the following key information: historical conflict sequence: records the combined conflict sequences generated by the entity within a past time window. Intent distribution statistics: Record the historical distribution of intents at each layer, such as the frequency of occurrence of each intent category at layer L7; Behavioral pattern characteristics: Extract and record the typical behavioral pattern characteristics of the entity, such as active time periods and access resource type preferences; Historical alarm records: Record the alarms triggered by the entity in history and their processing results.
[0098] After generating a new combined conflict score, the posterior conflict probability is calculated using the Bayesian update method, based on the historical behavior profile. In this step, when a new combination conflict is generated... Then, based on the above historical behavior profile, the posterior conflict probability is calculated using the Bayesian update method, as follows: Based on historical behavior profiles, the prior probability that this entity is a malicious entity is set as follows: ,in, , For smoothing hyperparameters.
[0099] Based on historical data statistics, the observed conflict points under the current entity state are calculated. Likelihood (for malicious and benign causes):
[0100]
[0101] in, , The conflict scores for malicious entities are the mean and standard deviation. , The conflict scores for normal entities are the mean and standard deviation, which are estimated from historical data.
[0102] Calculate the posterior conflict probability using Bayes' theorem. , specifically:
[0103] in, This represents the prior probability that the entity is benign. .
[0104] The alarm triggering logic is dynamically adjusted based on the posterior conflict probability.
[0105] In this step, for entities with a good history: if the entity's historical behavior is good (i.e. Even if currently (Global threshold), also using a higher local threshold Or generate only low-priority alerts. For historically suspicious entities: if the entity's historical behavior is suspicious (i.e. Even if currently As long as the global threshold is not exceeded, the posterior probability is... This triggers an alarm. Additionally, the alarm threshold can be dynamically adjusted based on the entity's historical behavior profile. ,in This is for adjusting the coefficient.
[0106] For example, suppose the historical behavior profile of a certain source IP shows that there are 1000 historical observation events and 2 historical confirmed malicious events, then the prior probability is... When new combinational conflict points are observed At time: the likelihood of a malicious entity is (Based on historical malicious sample statistics), the likelihood of normal entities is: (Based on historical normal sample statistics), the posterior probability is calculated as follows: .
[0107] Although the conflict score is high, the entity has a good historical reputation and a low posterior probability, so a high-priority alert will not be triggered immediately; instead, it will continue to be observed.
[0108] Another example is the prior probability of another historically questionable source IP. The combination of conflict points is also as follows Then the posterior probability This will immediately trigger a high-priority alarm.
[0109] This implementation maintains the long-term historical behavior profile of entities and dynamically calculates the posterior conflict probability based on the Bayesian update method, thereby achieving context awareness and adaptive adjustment of alarm triggering logic. It can effectively combine the entity's historical reputation to intelligently evaluate the current detection results, significantly reducing the false alarm rate for entities with good reputation while improving the detection sensitivity and early warning timeliness for historically suspicious entities, thus optimizing the overall detection efficiency and security operation performance.
[0110] As an example, the prior constraint graph is a dynamically evolving graph structure, and the compatibility and edge weights between its nodes can be determined according to the prior constraints. Figure 1 The method further includes adaptively adjusting for drift in the uniform distribution; The intent vector field is monitored for frequently co-occurring intent combinations. When the co-occurrence frequency of a certain intent combination exceeds a preset statistical threshold, but the corresponding compatibility edge weight in the prior constraint graph is lower than a preset compatibility threshold, the review process for the intent combination is initiated, and the corresponding compatibility edge weight in the prior constraint graph is dynamically updated based on the review results.
[0111] In this implementation, the intent vector field generated in the network environment is continuously monitored, and frequently co-occurring intent combinations and their co-occurrence frequencies are statistically analyzed. Within a predefined statistical time window, the ratio of the occurrence frequency of each intent combination to the total number of intent vector fields is calculated to obtain the co-occurrence frequency. When the co-occurrence frequency of a certain intent combination exceeds a preset statistical threshold, the compatibility edge weight corresponding to that intent combination in the prior constraint graph is automatically checked.
[0112] If the co-occurrence frequency of a certain intent combination exceeds the statistical threshold, but its corresponding compatibility edge weight is lower than the preset compatibility threshold, then the intent combination is determined to have a compatibility anomaly, and the review process is automatically initiated.
[0113] The review process may include two stages: automated review and manual review. In the automated review stage, the system automatically checks whether the intent combination is associated with known threat intelligence, analyzes the temporal distribution characteristics of its co-occurrence patterns, and verifies whether it matches known normal business patterns. If the automated review cannot determine the nature of the intent combination, it proceeds to the manual review stage, where a security analyst makes the final confirmation based on the generated review report.
[0114] Based on the review results, the corresponding compatibility edge weights in the prior constraint diagram are dynamically updated. Specifically: if the review confirms that the intention combination is a normal business behavior, its compatibility edge weight is increased accordingly; if it is confirmed as malicious behavior, its compatibility edge weight is maintained or further reduced; if its nature cannot be determined, the original compatibility edge weight is maintained, but the monitoring frequency of the intention combination is increased.
[0115] For example, after a company deployed a new automated operations and maintenance system, the system detected that the co-occurrence frequency of the intent combination {L7 application layer: "automated script", DNS layer: "periodic query"} reached 0.05, exceeding the preset statistical threshold of 0.01. However, in the prior constraint graph, the compatibility edge weight corresponding to this intent combination was only 0.1, lower than the compatibility threshold of 0.3. At this point, after initiating the review process, the security analyst confirmed that this combination was normal operations and maintenance behavior, and subsequently updated the compatibility edge weight from 0.1 to 0.8. After the update, similar normal operations and maintenance behaviors no longer triggered system alarms, effectively reducing the false alarm rate.
[0116] In another example, the co-occurrence frequency of the intent combination {L7 application layer: "user browsing", DNS layer: "high-entropy domain name query"} was detected to be 0.02, exceeding the statistical threshold, while its compatibility edge weight was only 0.05. Automated review found that this combination highly matched known malware communication characteristics, confirming it as a malicious behavior pattern. Maintaining a low compatibility edge weight, it was added to the malicious pattern library for focused monitoring.
[0117] This implementation utilizes a dynamic evolution mechanism based on prior constraint diagrams, enabling the system to automatically adapt to changes in the network environment and business models, continuously optimizing detection accuracy. This mechanism can promptly identify new normal business models and adjust compatibility to avoid persistent false alarms, while also recognizing new threat patterns and strengthening monitoring, forming a complete self-optimization loop that significantly improves the system's practicality and durability in real-world environments.
[0118] Please see Figure 4 This invention also discloses a network attack monitoring and analysis system 200, the system comprising: The data acquisition and aggregation module 201 is configured to: acquire observation data from multiple network and host data sources, wherein the data sources include at least the L7 application layer, DNS layer, TLS fingerprint layer and host process behavior layer, and aggregate the data by session within a predefined time window; The multi-layer intent encoding module 202 is configured to: map each type of aggregated observation data into a unified-dimensional intent vector using the corresponding intent encoder, and construct an intent vector field based on the combination of multiple intent vectors generated within the same time window; Intent conflict determination engine 203, configured for: based on prior constraint graphs and learned intent... Figure 1 The consistency distribution is used to calculate the incompatibility and joint anomaly among multiple intentions in the intention vector field, and an interpretable contradiction degree is generated using a graph neural network; wherein, the prior constraint graph is a weighted graph with predefined intention categories as nodes and intention compatibility as edge weights, and the intention... Figure 1The consistency distribution is a joint probability distribution obtained by modeling the normal user intent vector field using a multivariate joint density estimation algorithm. The conflict score fusion and alarm module 204 is configured to: generate a combined conflict score based on incompatibility, joint anomaly and interpretability contradiction; trigger an alarm when the combined conflict score exceeds a threshold; and output the cross-source evidence pair that leads to the high combined conflict score.
[0119] As an example, the intent encoder is constructed using a lightweight Transformer or temporal convolutional network model and trained by combining a self-supervised learning task with a micro-supervised learning task based on high-level intent labels.
[0120] As an example, the calculation process for the incompatibility degree includes: Map each intention vector in the intention vector field to an intention category space predefined by the prior constraint graph, and calculate the soft similarity between each pair of intention vectors in the intention category space. Query the prior constraint graph to obtain the compatibility edge weights corresponding to each pair of intent categories; Based on the soft similarity and the corresponding compatibility edge weights, a prior incompatibility penalty value is calculated and used as the incompatibility degree.
[0121] As an example, the calculation process for the joint anomaly degree includes: The intent vector field is input as a whole into the intent. Figure 1 In the consistency distribution model, through this intention Figure 1 The consistency distribution model calculates the joint probability of the intention vector field under normal behavior, and the negative logarithm of this joint probability is used as the joint anomaly degree; wherein, the intention Figure 1 Consistency distribution models are used to characterize the learned intention. Figure 1 Consistent distribution.
[0122] As an example, the method of generating interpretable contradictions using graph neural networks includes: Multiple intent vectors in the intent vector field are constructed into a graph structure, where each intent vector is a node in the graph. The graph structure is input into a pre-trained graph neural network model, which learns the interaction relationships between nodes and encodes the graph structure. A scalar contradiction score is output as the explanatory contradiction degree. The graph neural network model is trained using manually labeled contradictory and normal samples and a binary classification cross-entropy loss function.
[0123] As an example, the method further includes long-term behavior modeling and conflict-based Bayesian update steps, specifically: Maintain a profile of the historical behavior of entities corresponding to the same session or source IP within a long-term time window; After generating a new combined conflict score, the posterior conflict probability is calculated using the Bayesian update method, based on the historical behavior profile. The alarm triggering logic is dynamically adjusted based on the posterior conflict probability.
[0124] As an example, please refer to Figure 5 The prior constraint graph is a dynamically evolving graph structure, and the compatibility and edge weights between its nodes can be determined according to the given intention. Figure 1 The system adaptively adjusts for drift in the uniform distribution; therefore, it further includes a monitoring and review module 205, configured for: The intent vector field is monitored for frequently co-occurring intent combinations. When the co-occurrence frequency of a certain intent combination exceeds a preset statistical threshold, but the corresponding compatibility edge weight in the prior constraint graph is lower than a preset compatibility threshold, the review process for the intent combination is initiated, and the corresponding compatibility edge weight in the prior constraint graph is dynamically updated based on the review results.
[0125] This invention also discloses a storage medium storing a computer program thereon, which, when executed by a processor, implements the steps of the method as described in any of the preceding claims.
[0126] This invention also discloses a computer program product, including a computer program that, when executed by a processor, implements the steps of the method as described in any of the preceding claims.
[0127] The technical features of the above embodiments can be combined in any way. For the sake of brevity, not all possible combinations of the technical features in the above embodiments are described. However, as long as there is no contradiction in the combination of these technical features, they should be considered to be within the scope of this specification.
[0128] The embodiments described above are merely examples of several implementations of the present invention, and while the descriptions are relatively specific and detailed, they should not be construed as limiting the scope of the present invention. It should be noted that those skilled in the art can make various modifications and improvements without departing from the concept of the present invention, and these modifications and improvements all fall within the scope of protection of the present invention.
Claims
1. A method for monitoring and analyzing network attacks, characterized in that, Includes the following steps: Step S10: Collect observation data from multiple network and host data sources, including at least L7 application layer, DNS layer, TLS fingerprint layer and host process behavior layer, and aggregate them by session within a predefined time window; Step S20: For each type of aggregated observation data, use the corresponding intent encoder to map it into an intent vector of a unified dimension, and construct an intent vector field based on the combination of multiple intent vectors generated within the same time window. Step S30: Based on the prior constraint graph and the learned intent consistency distribution, calculate the incompatibility degree and joint anomaly degree among multiple intents in the intent vector field, and generate interpretable contradiction degree using a graph neural network; wherein, the prior constraint graph is a weighted graph with predefined intent categories as nodes and intent compatibility degree as edge weights, and the intent consistency distribution is a joint probability distribution obtained by modeling the normal user intent vector field through a multivariate joint density estimation algorithm; Step S40: Generate a combined conflict score based on incompatibility, joint anomaly, and interpretability contradiction. When the combined conflict score exceeds a threshold, trigger an alarm and output the cross-source evidence pair that caused the high combined conflict score.
2. The network attack monitoring and analysis method according to claim 1, characterized in that: The intent encoder is constructed using a lightweight Transformer or temporal convolutional network model and trained by combining a self-supervised learning task with a micro-supervised learning task based on high-level intent labels.
3. The network attack monitoring and analysis method according to claim 1, characterized in that: The calculation process for the incompatibility includes: Step S31: Map each intention vector in the intention vector field to the intention category space predefined by the prior constraint graph, and calculate the soft similarity between each pair of intention vectors in the intention category space; Step S32: Query the prior constraint graph to obtain the compatibility edge weights corresponding to each pair of intent categories; Step S33: Based on the soft similarity and the corresponding compatibility edge weights, a prior incompatibility penalty value is calculated and used as the incompatibility degree.
4. The network attack monitoring and analysis method according to claim 3, characterized in that: The calculation process for the joint anomaly degree includes: The intent vector field is input as a whole into the intent consistency distribution model, and the joint probability of the intent vector field under normal behavior is calculated through the intent consistency distribution model. The negative logarithm of the joint probability is used as the joint anomaly degree. The intent consistency distribution model is used to characterize the learned intent consistency distribution.
5. The network attack monitoring and analysis method according to claim 4, characterized in that: The method of generating interpretable contradiction degree using graph neural networks includes: Multiple intent vectors in the intent vector field are constructed into a graph structure, where each intent vector is a node in the graph. The graph structure is input into a pre-trained graph neural network model, which learns the interaction relationships between nodes and encodes the graph structure. A scalar contradiction score is output as the explanatory contradiction degree. The graph neural network model is trained using manually labeled contradictory and normal samples and a binary classification cross-entropy loss function.
6. A network attack monitoring and analysis method according to any one of claims 1-5, characterized in that: The method further includes: Maintain a profile of the historical behavior of entities corresponding to the same session or source IP within a long-term time window; After generating a new combined conflict score, the posterior conflict probability is calculated using the Bayesian update method, based on the historical behavior profile. The alarm triggering logic is dynamically adjusted based on the posterior conflict probability.
7. The network attack monitoring and analysis method according to claim 6, characterized in that: The prior constraint graph is a dynamically evolving graph structure, and the compatibility weights between its nodes can be adaptively adjusted according to the drift of the intent consistency distribution; therefore, the method further includes: The intent vector field is monitored for frequently co-occurring intent combinations. When the co-occurrence frequency of a certain intent combination exceeds a preset statistical threshold, but the corresponding compatibility edge weight in the prior constraint graph is lower than a preset compatibility threshold, the review process for the intent combination is initiated, and the corresponding compatibility edge weight in the prior constraint graph is dynamically updated based on the review results.
8. A network attack monitoring and analysis system, characterized in that: The system includes: The data acquisition and aggregation module is configured to: acquire observation data from multiple network and host data sources, the data sources including at least the L7 application layer, DNS layer, TLS fingerprint layer and host process behavior layer, and aggregate the data by session within a predefined time window; The multi-layer intent encoding module is configured to: map each type of aggregated observation data into a unified-dimensional intent vector using the corresponding intent encoder, and construct an intent vector field based on the combination of multiple intent vectors generated within the same time window; An intent conflict determination engine is configured to: calculate the incompatibility and joint anomaly among multiple intents in the intent vector field based on a prior constraint graph and a learned intent consistency distribution, and generate an interpretable contradiction degree using a graph neural network; wherein, the prior constraint graph is a weighted graph with predefined intent categories as nodes and intent compatibility as edge weights, and the intent consistency distribution is a joint probability distribution obtained by modeling the normal user intent vector field using a multivariate joint density estimation algorithm; The conflict score fusion and alarm module is configured to: generate a combined conflict score based on incompatibility, joint anomaly and interpretability contradiction; trigger an alarm when the combined conflict score exceeds a threshold; and output the cross-source evidence pair that caused the high combined conflict score.
9. A storage medium having a computer program stored thereon, characterized in that: When the computer program is executed by a processor, it implements the steps of the method as described in any one of claims 1-7.
10. A computer program product, comprising a computer program, characterized in that: When the computer program is executed by a processor, it implements the steps of the method as described in any one of claims 1-7.