Dynamic white list management method and system based on immune-kalman collaborative evolution
By adopting a dynamic whitelist management method based on immune-Kalman co-evolution, the whitelist strategy is dynamically adjusted, solving the problem that static whitelists cannot keep up with changes in business models, and achieving security adaptation and real-time protection.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- SHENZHEN Y& D ELECTRONICS CO LTD
- Filing Date
- 2026-06-11
- Publication Date
- 2026-07-14
AI Technical Summary
In existing technologies, static whitelists cannot keep up with changes in business models in real time, which may lead to legitimate businesses being blocked or new attack patterns not being included in protection in a timely manner. They are also unable to adapt to new attack patterns or zero-day vulnerability attacks, resulting in security blind spots.
A dynamic whitelist management method based on immune-Kalman co-evolution is adopted. The business baseline state is predicted and updated by Kalman filter state estimator, the self-non-self judgment threshold of the immune system is dynamically adjusted, and the dynamic matching strategy of whitelist is adjusted by combining affinity calculation and comprehensive health index.
It enables real-time updates of the whitelist, adapts to business changes, ensures both security rigidity and business flexibility, avoids frequent fluctuations, and improves the system's protection capabilities.
Smart Images

Figure CN122394962A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of information security technology, and in particular to a dynamic whitelist management method and system based on immune-Kalman co-evolution. Background Technology
[0002] Static whitelist access control is a widely adopted baseline protection method in distributed business systems. The technical solution is as follows: the system administrator pre-configures a set of allowed access rules (i.e., a whitelist) in the policy server. Each rule defines constraints such as allowed operation types, user roles, time windows, and source addresses. When a business access request reaches the edge gateway, the gateway matches the request characteristics against the whitelist rules one by one: if there is a complete match, the request is allowed; otherwise, it is rejected. Adding, modifying, and deleting rules all rely on manual operation. Once set, rules remain unchanged for a long period, only being updated when the administrator actively intervenes.
[0003] Representative solutions include: Role-based access control (RBAC): static authorization is achieved through role-permission mapping tables, such as the NIST RBAC standard; static instances of attribute-based access control (ABAC): user attributes, resource attributes, and environment attributes are matched with predefined policies, but the policies themselves are still statically configured; existing ticketing access control in the ticketing system: fixed access rules are configured by site, role, and time period, and are maintained regularly by security operations personnel.
[0004] In existing technologies, whitelist rules rely on manual maintenance. When business models change (such as adding ticketing channels or adjusting business hours), the whitelist cannot keep up with the changes in real time, resulting in legitimate business being blocked or new attack patterns not being included in protection in a timely manner. Once the rules are set, they remain unchanged for a long time. When faced with new attack patterns or zero-day vulnerability attacks, the protection strategy cannot be automatically adjusted, resulting in security blind spots.
[0005] The information disclosed in this background section is intended only to enhance the understanding of the general background of the invention and should not be construed as an admission or in any way implying that the information constitutes prior art known to those skilled in the art. Summary of the Invention
[0006] This invention provides a dynamic whitelist management method and system based on immune-Kalman co-evolution, thereby effectively solving the problems in the background art. To achieve the above objectives, the technical solution adopted by this invention is: a dynamic whitelist management method based on immune-Kalman co-evolution, applied to a policy decision server, the method comprising: Receive observation data of service access requests collected and sent by the edge access gateway; The state vector of the current business baseline is predicted and updated by using a Kalman filter state estimator to obtain the prior state prediction value and prediction residual; The immune system's "self-non-self" judgment threshold is dynamically adjusted based on the predicted residuals, and the features of the business access request are encoded into an antigen vector, which is then used to calculate affinity with the antibody vectors stored in the memory bank. An immune decision is made based on the comparison between the affinity and the determination threshold: if the decision is self, the features of the service access request are fed back to the Kalman filter state estimator as observation samples and the baseline state is updated; if the decision is not self, an isolation instruction is generated and sent to the software-defined network controller, and an access denial instruction is sent to the edge access gateway. Based on the prediction residuals and comprehensive health indicators of the Kalman filter output, the current operating status of the system is determined. According to the operating status, the corresponding matching strategy is selected from the preset whitelist matching strategy set and sent to the edge access gateway for execution.
[0007] Furthermore, the state vector is a five-dimensional column vector, including: the mean of the operation frequency, the standard deviation of the operation frequency, the offset of the time window center, the spatial location center of the access terminal, and the rate of change of the operation frequency.
[0008] Furthermore, the Kalman filter state estimator performs a prediction step and an update step in each sampling period: The prediction step calculates the prior state prediction value and the prior covariance matrix at the current time based on the state transition matrix and the posterior state estimate of the previous time step. The update step calculates the Kalman gain based on the observations at the current time, and fuses the predicted values and observations to obtain the posterior state estimate and the posterior covariance matrix.
[0009] Furthermore, the determination threshold is dynamically calculated based on the Mahalanobis norm of the predicted residual and the trace of the prior covariance matrix, and the calculation formula is as follows: ; In the formula The base threshold is set during system initialization based on historical data statistics. This is the residual adjustment coefficient. A positive value indicates that the larger the residual, the lower the threshold, and the more sensitive the immune system. This is the covariance adjustment coefficient. A positive value indicates that the larger the prior covariance, the higher the estimation uncertainty and the lower the threshold. The Markov norm of the residuals, , The new information is the deviation between the actual observed value and the predicted value, which directly reflects the degree of fit between the current business behavior and the baseline model; This is the residual covariance matrix, used to measure the statistical uncertainty of the prediction residuals; The trace of the prior covariance matrix reflects the overall uncertainty of the state estimate.
[0010] Furthermore, the affinity is calculated by a weighted fusion of cosine similarity and Mahalanobis distance: ; In the formula, The cosine similarity between the antigen vector and the antibody vector measures the consistency of their directions. for and The Mahalanobis distance between them measures the statistical distance between the two after considering the covariance structure. For weight parameters, The system initializes the settings based on the business scenario, increasing the value when the directional characteristics of the business model are more important. When statistical distance features are more important, reduce Only use during calculation , .
[0011] Furthermore, the comprehensive health index is obtained by weighted fusion of the stability index, consistency index, and variance convergence index; The operational status is determined by jointly judging the comprehensive health index and the predicted residual: When the comprehensive health index is not lower than the high health threshold and the predicted residual is lower than the low residual threshold, it is determined to be in a stable state, and a strict matching strategy for the allowed set is issued. When the comprehensive health index is between the low health threshold and the high health threshold and the prediction residual is between the small residual threshold and the large residual threshold, it is determined to be in a drift state, and the tolerance set elastic matching strategy is issued. When the comprehensive health index is lower than the low health threshold and the predicted residual is not lower than the high residual threshold, it is determined to be an abnormal state, an access denial instruction is issued and an immune decision depth determination is triggered. Otherwise, it is determined to be in an undetermined state, and an instruction to shorten the sampling period is issued.
[0012] Furthermore, the memory bank is divided into a long-term memory bank and a short-term memory bank: the long-term memory bank stores stable baseline rules that have been verified multiple times, and the corresponding process noise covariance matrix value is less than a set threshold; the short-term memory bank stores newly included patterns that have not yet been fully verified, and the corresponding process noise covariance matrix value is greater than a set threshold.
[0013] This invention also includes a dynamic whitelist management method based on immune-Kalman co-evolution, applied to edge access gateways, the method comprising: Collect real-time observation data of business access requests, encapsulate the observation data into standardized observation vectors, and send them to the policy decision server; Receive and execute the whitelist matching policy issued by the policy decision server, and perform whitelist rule matching on the service access request; Upon receiving an access denial instruction from the policy decision server, the service access request is intercepted.
[0014] Furthermore, the whitelist matching strategy includes a strict matching strategy for the allowed set and a flexible matching strategy for the tolerated set: The strict matching policy for the allowed set requires that the operation type, user role, time window, and spatial location be completely consistent with the baseline rules. The tolerance set elastic matching strategy allows all deviations to remain within a dynamic tolerance range, which is driven by the comprehensive health index and the posterior covariance matrix and is negatively correlated with the comprehensive health index.
[0015] This invention also includes a dynamic whitelist management system based on immune-Kalman co-evolution, using the method described above, wherein the system comprises: The receiving unit is used to receive observation data of service access requests collected and sent by the edge access gateway; The Kalman filter unit is used to predict and update the state vector of the current service baseline through the Kalman filter state estimator to obtain the prior state prediction value and prediction residual; The determination unit is used to dynamically adjust the "self-non-self" determination threshold of the immune system according to the predicted residual, and encode the features of the business access request into an antigen vector, and perform affinity calculation with the antibody vector stored in the memory bank. The decision unit is used to perform immune decision based on the comparison result of the affinity and the judgment threshold: if it is determined to be self, the features of the service access request are fed back to the Kalman filter state estimator as observation samples and the baseline state is updated; if it is determined to be not self, an isolation instruction is generated and sent to the software-defined network controller, and an access denial instruction is sent to the edge access gateway. The distribution unit is used to jointly determine the current operating status of the system based on the prediction residuals and comprehensive health indicators output by the Kalman filter, select the corresponding matching strategy from the preset whitelist matching strategy set according to the operating status, and distribute it to the edge access gateway for execution.
[0016] This invention also includes a dynamic whitelist management system based on immune-Kalman co-evolution, using the method described above, wherein the system comprises: The data acquisition and transmission unit is used to acquire real-time observation data of service access requests, encapsulate the observation data into standardized observation vectors, and send them to the policy decision server. The whitelist matching unit is used to receive and execute the whitelist matching policy issued by the policy decision server, and to perform whitelist rule matching on the service access request. The interception unit is used to intercept the service access request when it receives an access denial instruction issued by the policy decision server.
[0017] The present invention also includes a computer device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements the method as described above.
[0018] The present invention also includes a storage medium having a computer program stored thereon, which, when executed by a processor, implements the method as described above.
[0019] The beneficial effects of this invention are as follows: By using an immune-Kalman co-evolutionary engine as a unified decision-making core, the judgment results of identity authentication, transmission security, and business authorization triple protection are uniformly incorporated into the state vector update and immune judgment, realizing cross-layer correlation reasoning and collaborative linkage, and solving the problem of fragmented operation of each protection layer in the prior art. Through the prediction step-update step recursive mechanism of Kalman filtering, when the business mode changes normally, the "self" judgment result is fed back to the filter as a new observation sample, automatically updating the posterior state estimate, realizing the smooth migration of the baseline, and updating the whitelist in real time with business changes without manual intervention, solving the problem of lag in static whitelist updates. The tolerance set dynamic switching mechanism is based on the joint judgment of health and prediction residuals. In the steady state, strict matching is used to ensure security rigidity, and in the drift state, it automatically switches to elastic matching to take into account business elasticity. The hysteresis interval prevents frequent oscillations, solving the problem that static rules cannot adapt. Attached Figure Description
[0020] To more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments recorded in the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0021] Figure 1 This is a flowchart of the strategy decision server method applied in Embodiment 1 of the present invention; Figure 2 This is a flowchart of the edge access gateway method applied in Embodiment 1 of the present invention; Figure 3This is a schematic diagram of the structure of the strategy decision server system applied in Embodiment 1 of the present invention; Figure 4 This is a schematic diagram of the structure applied to the edge access gateway system in Embodiment 1 of the present invention; Figure 5 This is a schematic diagram of the system architecture in Embodiment 2 of the present invention; Figure 6 This is a flowchart of the immune-Kalman double closed-loop process in Embodiment 2 of the present invention; Figure 7 This is a schematic diagram of the computer device in Embodiment 4 of the present invention. Detailed Implementation
[0022] The technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings of the embodiments of the present invention. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments.
[0023] Example 1: like Figure 1 As shown: A dynamic whitelist management method based on immune-Kalman co-evolution includes the following steps: Applied to policy decision servers, the methods include: Receive observation data of service access requests collected and sent by the edge access gateway; The state vector of the current business baseline is predicted and updated by using a Kalman filter state estimator to obtain the prior state prediction value and prediction residual; The immune system's "self-non-self" judgment threshold is dynamically adjusted based on the predicted residuals, and the features of business access requests are encoded into antigen vectors, which are then used to calculate affinity with antibody vectors stored in the memory bank. Immune decision is executed based on the comparison between affinity and the judgment threshold: if it is determined to be self, the characteristics of the business access request are fed back to the Kalman filter state estimator as observation samples and the baseline state is updated; if it is determined to be non-self, an isolation instruction is generated and sent to the software-defined network controller, and an access denial instruction is sent to the edge access gateway. The system's current operating status is determined by combining the predicted residuals from the Kalman filter output with the comprehensive health index. Based on the operating status, the corresponding matching strategy is selected from the preset whitelist matching strategy set and sent to the edge access gateway for execution.
[0024] By using an immune-Kalman co-evolutionary engine as the unified decision-making core, the judgment results of identity authentication, transmission security, and business authorization are uniformly incorporated into the state vector update and immune judgment, realizing cross-layer correlation reasoning and collaborative linkage, and solving the problem of fragmented operation of each protection layer in existing technologies. Through the prediction step-update step recursive mechanism of Kalman filtering, when the business mode changes normally, the "self" judgment result is fed back to the filter as a new observation sample, automatically updating the posterior state estimate, realizing the smooth migration of the baseline, and updating the whitelist in real time with business changes without manual intervention, solving the problem of lag in static whitelist updates. The tolerance set dynamic switching mechanism is based on the joint judgment of health and prediction residuals. In the steady state, strict matching is used to ensure security rigidity, and in the drift state, it automatically switches to elastic matching to take into account business elasticity. The hysteresis interval prevents frequent oscillations, solving the problem that static rules cannot adapt.
[0025] In this embodiment, the state vector is a five-dimensional column vector, including: the mean of the operation frequency, the standard deviation of the operation frequency, the offset of the time window center, the spatial location center of the access terminal, and the rate of change of the operation frequency.
[0026] The Kalman filter state estimator performs a prediction step and an update step in each sampling period: The prediction step calculates the prior state prediction and prior covariance matrix at the current time step based on the state transition matrix and the posterior state estimate of the previous time step. The update step calculates the Kalman gain based on the observations at the current time, and fuses the predicted values with the observed values to obtain the posterior state estimate and the posterior covariance matrix.
[0027] As a preferred embodiment of the above, the determination threshold is dynamically calculated based on the Mahalanobis norm of the predicted residual and the trace of the prior covariance matrix, and the calculation formula is as follows: ; In the formula The base threshold is set during system initialization based on historical data statistics. This is the residual adjustment coefficient. A positive value indicates that the larger the residual, the lower the threshold, and the more sensitive the immune system. This is the covariance adjustment coefficient. A positive value indicates that the larger the prior covariance, the higher the estimation uncertainty and the lower the threshold. The Markov norm of the residuals, , The new information is the deviation between the actual observed value and the predicted value, which directly reflects the degree of fit between the current business behavior and the baseline model; This is the residual covariance matrix, used to measure the statistical uncertainty of the prediction residuals; The trace of the prior covariance matrix reflects the overall uncertainty of the state estimate.
[0028] Affinity is calculated by a weighted fusion of cosine similarity and Mahalanobis distance: ; In the formula, The cosine similarity between the antigen vector and the antibody vector measures the consistency of their directions. for and The Mahalanobis distance between them measures the statistical distance between the two after considering the covariance structure. For weight parameters, The system initializes the settings based on the business scenario, increasing the value when the directional characteristics of the business model are more important. When statistical distance features are more important, reduce Only use during calculation , .
[0029] In this embodiment, the comprehensive health index is obtained by weighted fusion of the stability index, consistency index, and variance convergence index; Operational status is determined by combining comprehensive health indicators with predicted residuals: When the comprehensive health index is not lower than the high health threshold and the predicted residual is lower than the low residual threshold, it is determined to be in a stable state, and the strict matching strategy of the allowable set is issued. When the comprehensive health index is between the low health threshold and the high health threshold, and the prediction residual is between the small residual threshold and the large residual threshold, it is determined to be in a drift state, and the tolerance set elastic matching strategy is issued. When the overall health index is lower than the low health threshold and the predicted residual is not lower than the high residual threshold, it is judged as an abnormal state, an access denial instruction is issued and an immune decision depth judgment is triggered. Otherwise, it is determined to be in an undetermined state, and an instruction to shorten the sampling period is issued.
[0030] The memory bank is divided into a long-term memory bank and a short-term memory bank: the long-term memory bank stores stable baseline rules that have been verified multiple times, and the corresponding process noise covariance matrix value is less than a set threshold; the short-term memory bank stores newly included patterns that have not yet been fully verified, and the corresponding process noise covariance matrix value is greater than a set threshold.
[0031] like Figure 2 As shown, this embodiment also includes a dynamic whitelist management method based on immune-Kalman co-evolution, applied to an edge access gateway. The method includes: Collect real-time observation data of business access requests, encapsulate the observation data into standardized observation vectors, and send them to the policy decision server; Receive and execute the whitelist matching policy issued by the policy decision server, and perform whitelist rule matching on business access requests; When a denial instruction is received from the policy decision server, the business access request is intercepted.
[0032] As a preferred embodiment of the above, the whitelist matching strategy includes a strict matching strategy for the allowed set and a flexible matching strategy for the tolerated set: The strict matching policy allows for a requirement that the operation type, user role, time window, and spatial location be completely consistent with the baseline rules. The tolerance set elastic matching strategy allows all deviations to remain within a dynamic tolerance range, which is driven by both the comprehensive health index and the posterior covariance matrix and is negatively correlated with the comprehensive health index.
[0033] like Figure 3 As shown, this embodiment includes a dynamic whitelist management system based on immune-Kalman co-evolution, using the method described above. The system includes: The receiving unit is used to receive observation data of service access requests collected and sent by the edge access gateway; The Kalman filter unit is used to predict and update the state vector of the current service baseline through the Kalman filter state estimator to obtain the prior state prediction value and prediction residual; The decision unit is used to dynamically adjust the "self-non-self" decision threshold of the immune system based on the prediction residual, and encode the features of the business access request into an antigen vector, and perform affinity calculation with the antibody vector stored in the memory bank. The decision unit is used to perform immune decisions based on the comparison results of affinity and judgment threshold: if it is determined to be self, the characteristics of the business access request are fed back to the Kalman filter state estimator as observation samples and the baseline state is updated; if it is determined to be non-self, an isolation instruction is generated and sent to the software-defined network controller, and an access denial instruction is sent to the edge access gateway. The distribution unit is used to jointly determine the current operating status of the system based on the prediction residuals of the Kalman filter output and the comprehensive health index. According to the operating status, it selects the corresponding matching strategy from the preset whitelist matching strategy set and distributes it to the edge access gateway for execution.
[0034] like Figure 4 As shown, this embodiment also includes a dynamic whitelist management system based on immune-Kalman co-evolution, using the method described above. The system includes: The data acquisition and transmission unit is used to collect real-time observation data of business access requests, encapsulate the observation data into standardized observation vectors, and send them to the policy decision server. The whitelist matching unit is used to receive and execute the whitelist matching policy issued by the policy decision server, and to perform whitelist rule matching on business access requests. The interception unit is used to intercept business access requests when it receives an access denial instruction from the policy decision server.
[0035] Example 2: 1. General Overview The system in this embodiment runs in a distributed computing environment composed of the following hardware platforms. The logical relationships between the platforms are as follows: Figure 5 As shown: the strategy decision server is the core decision node of the entire system, and the other platforms are its peripheral execution and storage nodes.
[0036] This embodiment proposes a dynamic whitelist management method and system based on immune-Kalman co-evolution. By constructing an "immune-Kalman dual closed-loop" mechanism, the "self-non-self" recognition capability of the immune system is deeply coupled with the real-time state estimation capability of Kalman filtering: Kalman filtering is used as the core of state estimation, the optimal threshold parameter of the business baseline is tracked in real time, and the deviation between the current observation and the baseline model is quantified by using the prediction residual; the immune mechanism is used as the core of adaptive evolution, and the sensitivity of "self" recognition is dynamically adjusted according to the prediction uncertainty provided by Kalman filtering, forming a full-process iterative process of "state estimation → sensitivity adjustment → pattern verification → baseline update".
[0037] Based on the above process, this embodiment designs a tolerance set dynamic switching mechanism jointly triggered by health score and prediction residual: when the system is in a stable state (small prediction residual and high baseline confidence), a strict matching strategy is adopted; when baseline drift is detected (increased prediction residual, but verified as a normal variant), it automatically switches to the tolerance strategy to achieve a dynamic balance between security rigidity and business elasticity.
[0038] 2. System Composition and Hardware Platform The system in this embodiment runs in a distributed computing environment consisting of the following hardware platforms: (1) Policy Decision Server: Deployed in the core network area of the business system, this server is equipped with a multi-core central processing unit (CPU), large-capacity memory (not less than 32GB) and high-speed solid-state storage, and contains the following functional sub-modules: The Immune-Kalman Co-evolution Engine is responsible for performing Kalman filter state estimation, prediction residual calculation, dynamic adjustment of immune affinity threshold, and immune decision-making. This engine is the sole execution entity for the "Immune-Kalman Co-evolution" section.
[0039] The dynamic whitelist management module is responsible for executing the dynamic switching strategy for the tolerance set, including health assessment, dual-threshold status determination, selection of allow / tolerance set matching strategy, and policy distribution. This module is the main execution unit for the "dynamic switching of tolerance sets" part and is physically deployed inside the policy decision server, rather than on separate hardware.
[0040] Knowledge graph storage and reasoning module: responsible for maintaining graph structure data of business entities (users, roles, resources, operation types) and their relationships, supporting multi-hop association queries and subgraph matching, and providing contextual reasoning capabilities for immune decision-making.
[0041] The memory management module is responsible for reading, writing, migrating, and maintaining the long-term and short-term memories, as well as scheduling the process noise covariance parameters for each mode. Physically, the memory data is stored in an independent memory storage device (key-value database), but the management logic runs within the policy decision server.
[0042] Threat Response Decision Module: Responsible for generating isolation instructions and issuing them to the SDN controller when a threat is determined to be "not mine", while also recording audit logs.
[0043] (2) Edge access gateway: Deployed at the access boundary of each business subsystem (ticketing system: such as ticketing subsystem, ticket refund subsystem, query subsystem), responsible for collecting real-time observation data of business access requests and encapsulating the data into standardized observation vectors. Send to the policy decision server; receive the whitelist matching policy (allow set / tolerance set) issued by the policy decision server and perform local matching; initially intercept requests that fail to match, and configure the embedded processor and network interface.
[0044] (3) Software-defined network controller (SDN controller): Deployed in the network control plane, it is interconnected with the policy decision server through a secure channel. It only accepts isolation commands from the "threat response decision module" in the policy decision server, and achieves network layer blocking of threat nodes through flow table updates. It does not directly participate in whitelist matching or immunity determination.
[0045] (4) Knowledge Graph Database: Physically deployed using a graph database, it stores business entities (users, roles, resources, operation types) and their relationships. It is invoked by the "Knowledge Graph and Reasoning Module" within the policy decision server.
[0046] (5) Memory bank storage: It is divided into long-term memory and short-term memory. It uses a numerical database to achieve fast read and write and is scheduled by the "memory bank management module" in the policy decision server.
[0047] 3. Immune-Kalman dual-loop architecture like Figure 6As shown, this architecture consists of two parts: immune-Kalman co-evolution and dynamic switching of the tolerance set. The immune-Kalman co-evolution engine in the policy decision server is the main body responsible for executing the immune-Kalman co-evolution; the dynamic whitelist management module is the main body responsible for executing the dynamic switching of the tolerance set.
[0048] The specific process of immune-Kalman co-evolution is as follows: Step 1: The Kalman filter state estimator calculates the predicted state value and prediction residual based on the posterior state estimate from the previous time step and the operational observation data from the current time step. Step 2: The predicted residuals are input into the immune decision engine to dynamically adjust the antigen-antibody affinity threshold; Step 3: The immune decision engine performs a "self-non-self" judgment on the new business model; Step 4: The judgment result is used as a feedback signal to update the state vector of the Kalman filter, forming a process of "prediction → residual calculation → immune judgment → baseline update".
[0049] The specific process for dynamic switching of the tolerance set is as follows: Step 1: Based on the predicted residuals from the Kalman filter output and the comprehensive health index, jointly determine the current operating state of the system (stable state, drifting state, abnormal state, and undetermined state). Step 2: Execute the corresponding matching strategy based on the state determination result: Strict matching of the allowable set is used for the stable state; the drift state is automatically switched to elastic matching of the tolerance set; access is denied for the abnormal state and the immune decision engine is triggered for deep determination. If it is determined to be "not me", an isolation command is issued to the SDN controller; the detection cycle is shortened to increase the monitoring density for the waiting state; after the state is clarified, it is processed according to the above rules. Step 3: Deploy the switched matching policy to the edge access gateway for execution and record the switch log for auditing and traceability.
[0050] 4. State estimation driven by Kalman filter 4.1 Definition and Update of State Vector Definition of the first The state vector of the service baseline at each sampling time is a five-dimensional column vector. The components are explained below: : Average operation frequency, which represents the average number of operations allowed per unit time. Physically, it is a core statistic reflecting the intensity of business load. It is counted by the edge access gateway within the current sampling period, averaged, and then reported. Operation frequency standard deviation represents the degree of fluctuation in the number of operations within the current sampling period (unit: times / minute). Its physical meaning is the statistical dispersion that measures the stability of business behavior. It is calculated and reported by the edge access gateway within the current sampling period. Time window center offset: This represents the average offset (in hours) of the time when a service operation occurs within the current sampling period relative to the center point of the reference time period. Physically, it reflects the locational regularity of the service's timing. For example, if the reference time period is 9:00-11:00 and the center point is 10:00, and the actual operation occurs on average at 10:30, then the offset is +0.5 hours. The edge access gateway records the request timestamp, calculates the offset, and then reports it. The spatial location center of the access terminal represents the average geographical coordinates (longitude, latitude, or station number encoding value) of the service access request initiator within the current sampling period. Physically, it reflects the spatial regularity of the service. Acquisition method: For fixed terminals (ticket windows, self-service machines), the pre-entered station number is mapped to an encoding value; for mobile terminals, the GPS coordinates or IP address carried in the request are resolved via GeoIP to obtain latitude and longitude, which is then mapped to a standardized encoding value. This value is then parsed and encoded by the edge access gateway before being reported.
[0051] The rate of change of operating frequency represents the trend of change in the average operating frequency per unit time. Physically, it is a dynamic parameter for capturing the drift speed of service load. The formula is as follows: ,in This is the sampling period duration. The policy decision server determines this based on adjacent periods. The calculation is obtained, or the raw count reported by the edge gateway is calculated by the server.
[0052] The mathematical expressions for the state equation and the observation equation are as follows: Equations of state: ; Observation equation: Z ; in, This is the state transition matrix, reflecting the evolution of the service baseline within adjacent sampling periods (by default, it takes the decay form of a five-dimensional identity matrix, i.e.) , (This is the rate of change decay coefficient, indicating that the rate of change of frequency has short-term persistence but tends to be stable in the long term). The noise is the process noise, which has a mean of 0 and a covariance matrix of... The normal distribution, i.e. , The process noise covariance matrix; The observed noise follows a mean of 0 and a covariance matrix of... The normal distribution, i.e. , To observe the noise covariance matrix; The observation matrix represents the first four state components (frequency mean, frequency standard deviation, time offset, and spatial location center) that the edge gateway can directly observe. The frequency change rate needs to be obtained indirectly through state estimation. (4×5 matrix).
[0053] 4.2 Prediction Step and Update Step The Kalman filter performs a prediction step and an update step in each sampling period. The specific calculation process is as follows: Prediction Step: ; ; Update steps: (Predicted residuals, also known as new information); (Residual covariance matrix); (Kalman gain calculation); (Post-hoc status update); (Covariance posterior update); in, The new information is the deviation between the actual observed value and the predicted value, which directly reflects the degree of fit between the current business behavior and the baseline model; This is the residual covariance matrix, used to measure the statistical uncertainty of the prediction residuals; This is the Kalman gain matrix, which balances the confidence levels of predicted and observed values.
[0054] 4.3 Sensitivity Adjustment Driven by Prediction Uncertainty The prediction residuals of the Kalman filter This is dynamically correlated with the "self-non-self" judgment threshold of the immune system. In the immune system, the affinity threshold of an antibody for an antigen is... lower than The antigen is identified as "not me" and triggers a response, in traditional methods This is a fixed value. This embodiment establishes the following coupling mechanism: ,in, The base threshold (initial value) is set by the system during initialization based on historical data statistics. This is the residual adjustment coefficient. A positive value indicates that the larger the residual, the lower the threshold, and the more sensitive the immune system. This is the covariance adjustment coefficient. A positive value indicates that the larger the prior covariance, the higher the estimation uncertainty and the lower the threshold. It is the Mahalanobis norm of the residual (the Mahalanobis norm is the weighted norm that takes into account the dimensional differences of the state components). ; The trace of the prior covariance matrix reflects the overall uncertainty of the state estimate.
[0055] When the Kalman filter prediction residual suddenly increases (e.g., when business behavior deviates from the baseline). As the condition decreases, the immune system becomes more sensitive and more easily triggered to make in-depth judgments; when the predicted residuals remain small and the covariance is stable, The system has recovered and returned to a stable state, reducing false alarms.
[0056] 5. Adaptive Evolution of Immune Mechanisms 5.1 Calculation of antigen-antibody affinity (1) Antigen vector Encoding method Antigen vector This is a row vector formed by numerically encoding the multidimensional features of a business access request. The encoding follows the principles of "features of the same type having the same dimension, discrete features being enumerated, and continuous features being standardized." Let the antigen dimension be... The specific encoding rules are as follows: : Operation type code. Uses enumerated values: ticketing = 1, ticket refund = 2, query = 3, ticket change = 4, ...; if it is a mixed operation, take the main operation type.
[0057] User role code. An enumerated set of values is used: Regular Ticket Seller = 1, Senior Ticket Seller = 2, System Administrator = 3, Automated Terminal = 4, ...; This is parsed and appended by the identity authentication module when a request enters the gateway.
[0058] Time window characteristic. A continuous value representing the offset of the dynamic moment of the operation occurrence relative to the center point of the daily business baseline time period. Calculation formula: ,in: This refers to the time when the operation occurs. The center point of the baseline time period. For example, if the baseline time period is 9:00-11:00 (center 10:00), and the operation occurs at 10:30, then... .
[0059] Spatial location coding. Standardized coding values are adopted: For railway stations, the unified station number of China State Railway Group is mapped to an integer code (e.g., Beijing South Station = 10001, Shanghai Hongqiao Station = 20001); for non-fixed terminals, latitude and longitude are obtained through GeoIP or GPS, and mapped to a regional code according to the geographic grid. The coding value needs to be pre-established in a mapping table and updated regularly.
[0060] Operation frequency. A continuous value (unit: times / minute), representing the frequency of operations performed by the current requesting user within the current sampling period. Statistics are compiled and appended by the edge access gateway.
[0061] : Amount constraint level. Logarithmic binning coding is used: no amount = 0, small amount (0, 100] = 1, medium amount (100, 1000] = 2, large amount (1000, 10000] = 3, super large amount > 10000 = 4. The business system automatically maps according to the amount involved in the request.
[0062] Extended features include request packet size levels, session duration, and node association scores in the knowledge graph, which can be expanded based on specific business scenarios.
[0063] Example: A ticket seller performs ticket sales at Beijing South Railway Station at 10:30 AM. Within the current period, the seller performs 5 sales, involving a total amount of 300 yuan. The antigen vector code would be: .
[0064] (2) Antibody vector Encoding method Antibody vector It is a row vector formed by numerically encoding the multidimensional features of the validated baseline rules in the memory. The effective computational dimension of the antibody vector must be strictly consistent with the dimension of the antigen vector, and the meaning of each component must correspond one-to-one. and They represent the same type of features. The antibody vector data structure is as follows: .in: A unique identifier in the memory (e.g., R001) is not used in affinity calculations and is only used for indexing; : Operation type baseline value, value and The enumeration system is consistent, indicating the types of operations allowed by the rule; : Role constraint baseline value, the value is related to The enumeration system is consistent with the user role to which the rule applies; The time window baseline value, a continuous value, indicates the center of time offset allowed by this rule; Spatial reference values, coding system and Complete consistency indicates that the rule allows for the center of the geographical location; : Frequency reference value, continuous value (unit: times / minute), indicating the center of the operating frequency allowed by this rule; Amount constraint benchmark value, coding system and Completely identical indicates that the rule covers the monetary level; Extended feature baseline value, and One-to-one correspondence.
[0065] Example: If rule R001 in the memory bank represents "the ticket sales baseline of Beijing South Railway Station ticket sellers during the 9:00-11:00 time period", then the antibody vector encoding is: .in This indicates that the rule allows for a minimum operating frequency of 3 times per minute.
[0066] Affinity is calculated using a weighted fusion of cosine similarity and Mahalanobis distance: .in, The cosine similarity between the antigen vector and the antibody vector measures the consistency of their directions. for and The Mahalanobis distance between them measures the statistical distance between the two after considering the covariance structure. For weight parameters ( The system initializes the settings based on the business scenario, increasing the value when the directional characteristics of the business model are more important. When statistical distance features are more important, reduce Only use during calculation , .
[0067] 5.2 Self-Non-Self Judgment and Baseline Update The immune decision engine executes the following decision rules: If affinity If it is determined to be "self" (normal business mode), the following operations will be performed: (1) Incorporate the pattern into the tolerance set; (2) Use its features as new observation samples Feedback to the Kalman filter; (3) The Kalman filter is updated accordingly to obtain the posterior state estimate. and posterior covariance This enables a smooth migration of the baseline; (4) After the update, the system will use the following in the next cycle: As a new forecasting benchmark.
[0068] If affinity If it is not me (abnormal mode), then it is determined to be "not me" and the following operations are performed: (1) Trigger a security alarm; (2) Incorporate the pattern into the threat pattern library of the memory bank; (3) Send isolation instructions to the SDN controller to block abnormal access sources at the network layer; (4) Record a complete audit log, including antigen vector, antibody vector, affinity calculation results and judgment threshold.
[0069] 5.3 Immune Memory Mechanism The memory bank is divided into a long-term memory bank and a short-term memory bank. Both have the same data structure but different update strategies, as detailed below: Long-term memory: Stores stable baseline rules that have been validated multiple times, along with their corresponding process noise covariance matrices. The relatively small values of the relevant elements result in a slower update rate for this part of the state components by the Kalman filter, thus maintaining baseline stability.
[0070] Short-term memory: stores newly incorporated but not yet fully validated patterns, and their corresponding... The matrix contains relatively large values for relevant elements, allowing for rapid baseline adjustments to adapt to new business models.
[0071] Memory decay mechanism: If a certain pattern does not appear for a long period of time (exceeding the preset time window, such as 30 days) and the deviation is consistently below the threshold, it will gradually migrate to long-term memory, while reducing its corresponding tolerance parameter and tightening the matching conditions.
[0072] The memory management module dynamically schedules global data based on the current matching pattern. Matrix parameters, that is, only one type at any given time. The effectiveness of the parameters depends on the type of the matched memory pattern. 6. Dynamic switching strategy for the tolerance set 6.1 System Health Assessment Define health indicators The formula for comprehensively reflecting the reliability of the current baseline is as follows: .in, , , Let be the weighting coefficient, satisfying The emphasis can be adjusted according to the business scenario, for example, increasing the emphasis in scenarios with high security requirements. The weights are as follows: The individual sub-indicators are as follows: This is a stability index, calculated based on the covariance of the predicted residuals. The residuals remain consistently small, approaching 1. ; This is a consistency index, representing the degree of consistency between a new pattern and similar rules in the memory. It is calculated by comparing the new pattern with the most recent... The average affinity of similar rules is obtained. This indicator is calculated after immunization and reflects the degree of consistency between the new pattern and the historical baseline; Let be the variance convergence exponent, and let represent the posterior covariance. The trace relative to the initial covariance The degree of decay over time, If the coefficients show a model mismatch, resulting in... Increase The value might be negative. In this case, an exception alarm should be triggered instead of being directly used for health calculation. In actual implementation, this can be adjusted... Perform truncation, i.e. .in, It is the uncertainty of the baseline estimate at the initial time, i.e. , Let represent the variance of the initial estimation error for the i-th state.
[0073] 6.2 State switching mechanism jointly triggered by health status and predicted residual This embodiment uses health status. Compared with the predicted residual The joint determination is based on the health status lag interval to prevent frequent state oscillations, forming a four-state transition mechanism of stable state, drift state, abnormal state, and undetermined state.
[0074] (1) Threshold definition Define the following four thresholds: Health threshold: Recommended value range [0.70, 0.85], default 0.75. Physical meaning: When... When the baseline estimate is considered highly reliable, the system is in a stable or slightly drifting state; when At this time, the reliability of the baseline decreases, and vigilance is required.
[0075] Health threshold: Recommended value range [0.25, 0.40], default 0.35. Physical meaning: When... If the baseline estimate is deemed severely inaccurate, the system may be under attack or experiencing drastic business changes, necessitating a deep assessment or access denial. (This condition must be met.) At that time, a stratification of health levels is formed.
[0076] : Residual minimum threshold (Mahanobis distance threshold), recommended value range [1.5, 3.0], default 2.0. Physical meaning: When If the difference between the current observation and the baseline prediction is within the statistically normal range, then it is considered to be within the range of normal fluctuations; otherwise, it is considered to be baseline drift or anomaly. This threshold is set based on the statistical properties of Mahalanobis distance and corresponds to an approximately 95% confidence interval.
[0077] : Residual threshold (Mahanobis distance threshold), recommended value range [3.5, 5.0], default 4.0. Physical meaning: When At that time, it was considered that the difference between the current observations and the baseline predictions was extremely large, almost impossible to be caused by normal business fluctuations, and highly likely to be due to an abnormal attack or system failure. This leads to the stratification of residuals.
[0078] (2) Health lag maintenance rule To prevent system oscillations caused by frequent switching, a hysteresis interval is set. To ensure a stable state: When the current state is an allowed set (strict matching), if If so, switch to the tolerance set (flexible matching); When the current state is a tolerance set (flexible matching), if If yes, then switch back to the allowed set (strict matching); When health is in the lag zone, maintain the current state.
[0079] (3) Four-state joint determination logic 1) Steady state: Health And predict residuals At that time, a strict matching strategy for allowed sets is adopted, requiring that the operation types be completely consistent, the time window deviation not exceed ±5%, and the frequency deviation not exceed 10%.
[0080] 2) Drift state: The system is currently in a tolerance set (elastic matching) state, and its health is... Predicting residuals At the same time, the tolerance set elastic matching strategy is maintained, allowing a certain range of deviations. The trigger condition for the first entry from the allowable set into the tolerance set is a hysteresis rule. If the residual is in the middle range and the health has not recovered after entering, If the above is true, it will remain in a drift state.
[0081] 3) Abnormal state: Health level And predict residuals At that time, access is denied and the immune decision engine is triggered to make a deep judgment.
[0082] 4) Undetermined state: None of the above conditions are met (i.e., health status and residual are in the middle of the intersection range). Maintain the current state, while shortening the detection cycle and increasing the detection density.
[0083] (4) Processing flow for unstable states The following detection process is performed under the condition of being undetermined: 1) Shorten the sampling period to 1 / 5 of the original period; 2) Continuously collect N (default N=5) short-period observations; 3) Calculate the average residual and average health for N observations; 4) If the average residual decreases to The following is determined to be a temporary fluctuation; the cycle will return to normal. 5) If the average residual consistently exceeds This is determined to be an abnormal state, triggering a depth determination. 6) If it remains in the middle range after N cycles, maintain the undetermined state and continue monitoring.
[0084] 6.3 Flexible matching rules within the tolerance set When the system switches to the tolerance set, whitelist matching adopts the following flexible strategy, with the dynamic range of allowed deviations determined by health status. Kalman posterior covariance Jointly driven: Time window deviation: ±( ),in The basic tolerance percentage (e.g., 5%). and For adjustment coefficients, Let be the trace of the posterior covariance matrix.
[0085] Operating frequency deviation: ±( ),in , The specific value is dynamically mapped from the health score.
[0086] Amount constraint deviation: ±( ),in , The specific value is dynamically mapped from the health status.
[0087] Matching decision rules: If all deviations are within the tolerance range, access is allowed and audit logs are recorded; if any deviation exceeds the tolerance range, the immune decision engine is triggered to perform a deep judgment.
[0088] 7. Complete dual-loop workflow The complete execution flow of this embodiment is as follows, which is executed by the immune-Kalman co-evolutionary engine in the policy decision server at a fixed period (e.g., every 5 minutes) or in an event-triggered manner: Step 1: When a business access request enters the edge access gateway, it first undergoes triple protection verification (identity authentication, information integrity verification, and channel security verification). If any verification fails, access is directly denied and an alarm log is recorded; if all verifications pass, proceed to Step 2.
[0089] Step 2: Kalman filter state prediction. Based on the posterior state estimate from the previous time step. The prediction step calculates the predicted value of the prior state at the current time. Simultaneously calculate the prior covariance matrix. .
[0090] Step 3: Initial Health Assessment. The edge gateway encapsulates the characteristics of the current service access request into an observation vector. And report it. The strategy decision server calculates the stability index based on the statistical characteristics of the predicted residuals. Variance convergence index calculated based on posterior covariance historical sequence .
[0091] Step 4: State determination and policy pre-selection. Based on... , Preliminary joint judgment is made based on predicted residuals and thresholds, and a pre-selected whitelist matching strategy is adopted: if and If it is determined to be a stable state; and If the condition is 0, it is pre-judged as an abnormal state; otherwise, it is judged as an undetermined state.
[0092] Step 5: Whitelist Matching Execution. The edge access gateway matches access requests against whitelist rules based on the matching policy issued by the policy decision server. In strict matching mode, the operation type, user role, time window, spatial location, and operation frequency must all be completely consistent with the baseline rules. In flexible matching mode, the deviations are calculated. If all deviations are within the dynamic tolerance range, access is allowed; otherwise, proceed to Step 6.
[0093] Step 6: Immune Decision Engine Intervention. When any deviation in elastic matching exceeds the tolerance range, or when the system is in an abnormal state, the immune decision engine initiates deep judgment: encoding the new business model as an antigen vector. Retrieve the most similar antibody vector from the memory. ; Calculate affinity Based on the prediction residuals and covariance of the Kalman filter output, the current decision threshold is dynamically calculated. Perform the "self-non-self" judgment.
[0094] Step 7: Result Processing and Baseline Update. If the result is determined to be "Self" ( Access is granted, and the pattern features are used as new observation samples. Feedback is sent to the Kalman filter to perform an update step and obtain the posterior state. and To achieve smooth baseline migration; if determined to be "not me" ( If access is denied, a security alert is triggered, the pattern is added to the threat pattern library, and an isolation command is issued to the SDN controller.
[0095] Step 8: Complete Health Assessment and Memory Bank Maintenance. After obtaining the affinity results in Step 6, calculate the consistency index. , and step 3 , Integration yields overall health Based on the number of validations, frequency of occurrence, and most recent occurrence time of each pattern, a migration between the long-term memory and short-term memory is performed, and the process noise covariance corresponding to each pattern is adjusted accordingly. .
[0096] The above steps are executed cyclically to form a continuous closed-loop evolution of "state estimation → sensitivity adjustment → pattern verification → baseline update".
[0097] Key technical parameters
[0098] This embodiment has the following beneficial effects: Collaborative linkage of protection layers: By using the immune-Kalman collaborative evolution engine as the unified decision core, the judgment results of the triple protection of identity authentication, transmission security and business authorization are uniformly incorporated into the state vector update and immune judgment, realizing cross-layer correlation reasoning and collaborative linkage, which solves the problem of fragmented operation of each protection layer in the existing technology.
[0099] Automatic smooth baseline migration: Through the prediction step-update step recursive mechanism of Kalman filtering, when the business model changes normally, the "self" judgment result is fed back to the filter as a new observation sample, automatically updating the posterior state estimate, realizing the smooth migration of the baseline. The whitelist can be updated in real time with business changes without manual intervention, solving the problem of the lag in static whitelist updates.
[0100] Dynamic balance between security rigidity and business flexibility: The tolerance set dynamic switching mechanism is based on the joint judgment of health and prediction residuals. In the steady state, strict matching is used to ensure security rigidity, while in the drift state, it automatically switches to flexible matching to take into account business flexibility. The hysteresis interval prevents frequent oscillations and solves the problem that static rules cannot adapt.
[0101] Deep coupling of immunity and state estimation: a sensitivity adjustment formula driven by prediction uncertainty The prior state uncertainty output by the Kalman filter prediction step is dynamically mapped to the immune decision threshold, forming a dynamic adjustment process of "state estimation → sensitivity adjustment → pattern verification → baseline update", which solves the problem of the disconnect between the immune mechanism and state estimation.
[0102] Example 3: Financial transaction system scenario Taking a bank's online transaction system as an example, it includes a transfer subsystem, a payment subsystem, and a query subsystem. In this scenario, the weight of amount constraint level and operation frequency is higher, and parameters need to be adjusted to adapt to the characteristics of financial business.
[0103] Parameter adjustment
[0104] The above parameter settings are not intended to limit the scope of the claims.
[0105] Technical effects: The accuracy rate for detecting large-amount abnormal transfers has been improved to over 98%. False alarm rate during normal peak business hours <1%; The tolerance set elastic matching effectively covers changes in transaction patterns during holidays.
[0106] Example 4: Please see Figure 7 The diagram shows a structural schematic of a computer device provided in an embodiment of this application. An embodiment of this application provides a computer device 400, including a processor 410 and a memory 420. The memory 420 stores a computer program executable by the processor 410. When the computer program is executed by the processor 410, it performs the method described above.
[0107] This application embodiment also provides a storage medium 430, on which a computer program is stored, and the computer program is executed by a processor 410 to perform the above method.
[0108] The storage medium 430 can be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as Static Random Access Memory (SRAM), Electrically Erasable Programmable Read-Only Memory (EEPROM), Erasable Programmable Read Only Memory (EPROM), Programmable Red-Only Memory (PROM), Read-Only Memory (ROM), magnetic storage, flash memory, magnetic disk, or optical disk.
[0109] In the description of this invention, the terms "first" and "second" are used for descriptive purposes only and should not be construed as indicating or implying relative importance or implicitly specifying the number of indicated technical features. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more of that feature. "A plurality of" means two or more, unless otherwise explicitly specified.
[0110] In this invention, unless otherwise explicitly specified and limited, the terms "installation," "connection," "linking," and "fixing," etc., should be interpreted broadly. For example, they can refer to a fixed connection, a detachable connection, or an integral part; they can refer to a mechanical connection or an electrical connection; they can refer to a direct connection or an indirect connection through an intermediate medium; they can refer to the internal communication of two components or the interaction between two components. Those skilled in the art can understand the specific meaning of the above terms in this invention according to the specific circumstances.
[0111] In the description of this specification, the references to terms such as "one embodiment," "some embodiments," "example," "specific example," or "some examples," etc., indicate that a specific feature, structure, material, or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, the illustrative expressions of the above terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials, or characteristics described may be combined in any suitable manner in one or more embodiments or examples. Furthermore, without contradiction, those skilled in the art can combine and integrate the different embodiments or examples described in this specification, as well as the features of different embodiments or examples.
[0112] Any process or method description in the flowchart or otherwise herein can be understood as representing a module, segment, or portion of code comprising one or more executable instructions for implementing a particular logical function or process, and the scope of the preferred embodiments of the invention includes additional implementations in which functions may be performed not in the order shown or discussed, including substantially simultaneously or in reverse order depending on the functions involved, as will be understood by those skilled in the art to which embodiments of the invention pertain.
[0113] The logic and / or steps represented in the flowchart or otherwise described herein, for example, can be considered as a ordered list of executable instructions for implementing logical functions, and can be embodied in any computer-readable medium for use by, or in conjunction with, an instruction execution system, apparatus, or device (such as a computer-based system, a processor-included system, or other system that can fetch and execute instructions from, an instruction execution system, apparatus, or device). For the purposes of this specification, "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transmit programs for use by, or in conjunction with, an instruction execution system, apparatus, or device. More specific examples (a non-exhaustive list) of computer-readable media include: an electrical connection having one or more wires (electronic device), a portable computer disk drive (magnetic device), random access memory (RAM), read-only memory (ROM), erasable and editable read-only memory (EPROM or flash memory), fiber optic devices, and portable optical disc read-only memory (CDROM). Alternatively, the computer-readable medium may be paper or other suitable media on which the program can be printed, since the program can be obtained electronically, for example, by optically scanning the paper or other medium, followed by editing, interpreting, or otherwise processing as necessary, and then stored in a computer memory.
[0114] It should be understood that various parts of the present invention can be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, multiple steps or methods can be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, it can be implemented using any one or a combination of the following techniques known in the art: discrete logic circuits having logic gates for implementing logical functions on data signals, application-specific integrated circuits (ASICs) having suitable combinational logic gates, programmable gate arrays (PGAs), field-programmable gate arrays (FPGAs), etc.
[0115] Those skilled in the art will understand that all or part of the steps of the methods in the above embodiments can be implemented by a program instructing related hardware. The program can be stored in a computer-readable storage medium, and when executed, the program includes one or a combination of the steps of the method embodiments.
[0116] The storage medium mentioned above can be a read-only memory, a disk, or an optical disk, etc. Although embodiments of the present invention have been shown and described above, it is to be understood that the above embodiments are exemplary and should not be construed as limiting the present invention. Those skilled in the art can make changes, modifications, substitutions, and variations to the above embodiments within the scope of the present invention.
Claims
1. A dynamic whitelist management method based on immune-Kalman co-evolution, characterized in that, Applied to a policy decision server, the method includes: Receive observation data of service access requests collected and sent by the edge access gateway; The state vector of the current business baseline is predicted and updated by using a Kalman filter state estimator to obtain the prior state prediction value and prediction residual; The immune system's "self-non-self" judgment threshold is dynamically adjusted based on the predicted residuals, and the features of the business access request are encoded into an antigen vector, which is then used to calculate affinity with the antibody vectors stored in the memory bank. An immune decision is made based on the comparison between the affinity and the determination threshold: if the decision is self, the features of the service access request are fed back to the Kalman filter state estimator as observation samples and the baseline state is updated; if the decision is not self, an isolation instruction is generated and sent to the software-defined network controller, and an access denial instruction is sent to the edge access gateway. Based on the prediction residuals and comprehensive health indicators of the Kalman filter output, the current operating status of the system is determined. According to the operating status, the corresponding matching strategy is selected from the preset whitelist matching strategy set and sent to the edge access gateway for execution.
2. The method according to claim 1, characterized in that, The state vector is a five-dimensional column vector, including: mean operation frequency, standard deviation of operation frequency, time window center offset, spatial location center of access terminal, and rate of change of operation frequency.
3. The method according to claim 1, characterized in that, The Kalman filter state estimator performs a prediction step and an update step in each sampling period: The prediction step calculates the prior state prediction value and the prior covariance matrix at the current time based on the state transition matrix and the posterior state estimate of the previous time step. The update step calculates the Kalman gain based on the observations at the current time, and fuses the predicted values and observations to obtain the posterior state estimate and the posterior covariance matrix.
4. The method according to claim 3, characterized in that, The determination threshold is dynamically calculated based on the Mahalanobis norm of the predicted residual and the trace of the prior covariance matrix, and the calculation formula is as follows: ; In the formula The base threshold is set during system initialization based on historical data statistics. This is the residual adjustment coefficient. A positive value indicates that the larger the residual, the lower the threshold, and the more sensitive the immune system. This is the covariance adjustment coefficient. A positive value indicates that the larger the prior covariance, the higher the estimation uncertainty and the lower the threshold. The Markov norm of the residuals, , The new information is the deviation between the actual observed value and the predicted value, which directly reflects the degree of fit between the current business behavior and the baseline model; This is the residual covariance matrix, used to measure the statistical uncertainty of the prediction residuals; The trace of the prior covariance matrix reflects the overall uncertainty of the state estimate.
5. The method according to claim 1, characterized in that, The affinity is calculated by a weighted fusion of cosine similarity and Mahalanobis distance: ; In the formula, The cosine similarity between the antigen vector and the antibody vector measures the consistency of their directions. for and The Mahalanobis distance between them measures the statistical distance between the two after considering the covariance structure. For weight parameters, The system initializes the settings based on the business scenario, increasing the value when the directional characteristics of the business model are more important. When statistical distance features are more important, reduce Only use during calculation , .
6. The method according to claim 1, characterized in that, The comprehensive health index is obtained by weighted fusion of the stability index, consistency index, and variance convergence index. The operational status is determined by jointly judging the comprehensive health index and the predicted residual: When the comprehensive health index is not lower than the high health threshold and the predicted residual is lower than the low residual threshold, it is determined to be in a stable state, and a strict matching strategy for the allowed set is issued. When the comprehensive health index is between the low health threshold and the high health threshold and the prediction residual is between the small residual threshold and the large residual threshold, it is determined to be in a drift state, and the tolerance set elastic matching strategy is issued. When the comprehensive health index is lower than the low health threshold and the predicted residual is not lower than the high residual threshold, it is determined to be an abnormal state, an access denial instruction is issued and an immune decision depth determination is triggered. Otherwise, it is determined to be in an undetermined state, and an instruction to shorten the sampling period is issued.
7. The method according to claim 1, characterized in that, The memory bank is divided into a long-term memory bank and a short-term memory bank: the long-term memory bank stores stable baseline rules that have been verified multiple times, and the corresponding process noise covariance matrix value is less than a set threshold; the short-term memory bank stores newly included patterns that have not yet been fully verified, and the corresponding process noise covariance matrix value is greater than a set threshold.
8. A dynamic whitelist management method based on immune-Kalman co-evolution, characterized in that, Applied to an edge access gateway, the method includes: Collect real-time observation data of business access requests, encapsulate the observation data into standardized observation vectors, and send them to the policy decision server; Receive and execute the whitelist matching policy issued by the policy decision server, and perform whitelist rule matching on the service access request; Upon receiving an access denial instruction from the policy decision server, the service access request is intercepted.
9. The method according to claim 8, characterized in that, The whitelist matching strategy includes a strict matching strategy for the allowed set and a flexible matching strategy for the tolerated set. The strict matching policy for the allowed set requires that the operation type, user role, time window, and spatial location be completely consistent with the baseline rules. The tolerance set elastic matching strategy allows all deviations to remain within a dynamic tolerance range, which is driven by the comprehensive health index and the posterior covariance matrix and is negatively correlated with the comprehensive health index.
10. A dynamic whitelist management system based on immune-Kalman co-evolution, characterized in that, Using the method of any one of claims 1 to 7, the system comprises: The receiving unit is used to receive observation data of service access requests collected and sent by the edge access gateway; The Kalman filter unit is used to predict and update the state vector of the current service baseline through the Kalman filter state estimator to obtain the prior state prediction value and prediction residual; The determination unit is used to dynamically adjust the "self-non-self" determination threshold of the immune system according to the predicted residual, and encode the features of the business access request into an antigen vector, and perform affinity calculation with the antibody vector stored in the memory bank. The decision unit is used to perform immune decision based on the comparison result of the affinity and the judgment threshold: if it is determined to be self, the features of the service access request are fed back to the Kalman filter state estimator as observation samples and the baseline state is updated; if it is determined to be not self, an isolation instruction is generated and sent to the software-defined network controller, and an access denial instruction is sent to the edge access gateway. The distribution unit is used to jointly determine the current operating status of the system based on the prediction residuals of the Kalman filter output and the comprehensive health index, and select the corresponding matching strategy from the preset whitelist matching strategy set according to the operating status and distribute it to the edge access gateway for execution.
11. A dynamic whitelist management system based on immune-Kalman co-evolution, characterized in that, Using the method of claim 8 or 9, the system comprises: The data acquisition and transmission unit is used to acquire real-time observation data of service access requests, encapsulate the observation data into standardized observation vectors, and send them to the policy decision server. The whitelist matching unit is used to receive and execute the whitelist matching policy issued by the policy decision server, and to perform whitelist rule matching on the service access request. The interception unit is used to intercept the service access request when it receives an access denial instruction issued by the policy decision server.
12. A computer device, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that, When the processor executes the computer program, it implements the method as described in any one of claims 1-9.
13. A storage medium having a computer program stored thereon, characterized in that, When the computer program is executed by the processor, it implements the method as described in any one of claims 1-9.