A network intrusion detection method for both computing power and alarm double budget constraints

By combining a lightweight attention network and a multi-task deep model, along with dual-threshold hysteresis logic and a switching penalty mechanism, the problems of wasted computational resources and alarm fatigue in traditional network intrusion detection systems are solved, achieving efficient network intrusion detection.

CN122394970APending Publication Date: 2026-07-14CHENGDU UNIV OF INFORMATION TECH

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
CHENGDU UNIV OF INFORMATION TECH
Filing Date
2026-06-12
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

Traditional network intrusion detection systems suffer from wasted computing resources and alarm fatigue when facing complex, covert, and distributed network attacks, making it difficult to achieve a balance between high detection accuracy and low computational overhead.

Method used

A lightweight attention network is used for early traffic filtering, combined with a multi-task deep model for accurate diagnosis, and alarm generation is optimized through dual-threshold hysteresis logic and switching penalty mechanism. An online feature normalization mechanism based on the Welford algorithm is introduced for dynamic distribution tracking.

Benefits of technology

It significantly reduced the computational burden, improved the threat detection rate, maintained the stability of alerts, achieved a high macro average F1 score of 0.9855 and a high-risk node recall rate of 94%, while keeping the alert oscillation rate below 3.5%.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122394970A_ABST
    Figure CN122394970A_ABST
Patent Text Reader

Abstract

The application discloses a network intrusion detection method for computing power and alarm double budget constraints, and relates to the technical field of network intrusion detection; after original data flow passes through increment statistics and standardization, the original data flow is input into a lightweight network with SE attention to output basic abnormal probability; risk is accumulated to an IP entity by using node aggregation and exponential moving average, and data flow of a suspicious IP associated with a threshold value is routed to a lower layer, and the rest is released; the suspicious data flow is sent into a heavy multi-task network, a malicious family label is output by combining FocalLoss, and a reconstruction loss is calculated by a self-encoder; a risk score is input into a hysteresis scheduler by a global aggregator, actual bandwidth is combined, and the most concerned attack source and target IP are accurately output by double threshold logic; the network intrusion detection method is used to maximize the threat discovery rate and maintain the stability of the alarm under the limited analysis budget.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of network intrusion detection technology, and in particular to a network intrusion detection method oriented towards dual budget constraints of computing power and alarms. Background Technology

[0002] In the digital age, the widespread adoption of cloud computing, 5G, and the Internet of Things has led to a surge in network data volume and a continuous expansion of network attack exposure. Threats such as DDoS, APT, botnets, and zero-day attacks are becoming more complex, covert, and distributed. Traditional rule-based intrusion detection (NIDS) is struggling to cope with unknown and mutated attacks, and the industry is turning to deep learning solutions based on anomaly detection.

[0003] However, there are two major challenges to directly deploying deep learning models: First, the computational power consumption is too high. Models such as CNN and LSTM have a large amount of floating-point operations, which leads to resource waste and high latency for indiscriminate deep detection of all traffic, and cannot meet the requirements of line-speed processing. Second, it is out of touch with the practical needs of SOC. Existing research only focuses on the classification indicators of a single traffic flow, which easily generates a large number of fragmented and high-frequency oscillation alarms, causing analyst alarm fatigue and resulting in the submergence of real high-risk threats.

[0004] To address the barriers between high detection accuracy and low computational cost, as well as between model performance and operational quality, this application designs and implements a multi-level cascaded NIDS architecture for streaming environments. This architecture uses a lightweight attention network to quickly filter a large amount of benign traffic in the early stages, routing only a small number of high-risk traffic to a complex multi-task deep model for accurate diagnosis, thereby significantly reducing the overall computational burden. At the same time, by introducing dual-threshold hysteresis logic and a switching penalty mechanism, the alarm generation logic is changed, maximizing the threat detection rate and maintaining alarm stability within a limited analysis budget. Summary of the Invention

[0005] The purpose of this invention is to provide a network intrusion detection method oriented towards dual budget constraints of computing power and alarms. In the data preprocessing stage, an online feature normalization mechanism based on the Welford algorithm is introduced to achieve dynamic distribution tracking without historical data dependence. Secondly, in order to achieve the optimal balance between computing cost and detection efficiency, a lightweight network combining compression and excitation (SE) attention mechanism is used as the front-end filter. Through a dynamic computing power routing mechanism, only traffic nodes with high reputation are offloaded to the back-end deep detection network (HeavyInspectorNet). This heavy network adopts multi-task joint optimization and combines multi-class focal loss and mean squared error (MSE) reconstruction regularization to cope with extreme class imbalance and enhance the generalization ability of potential features.

[0006] To achieve the above objectives, this invention provides a network intrusion detection method oriented towards dual budget constraints of computing power and alarms, comprising the following steps: S1. The original network data stream is input in blocks and then updated and standardized in real time using an online feature matrix. S2. Input the standardized feature vectors from S1 into a lightweight scoring network equipped with an SE channel attention mechanism to perform binary classification evaluation on each data stream and output a basic anomaly probability score. S3. By combining node aggregators with exponential moving averages, the risk level of data flows is mapped and accumulated to the source / target IP entities. When the recent comprehensive risk of an IP entity exceeds a preset threshold, the node is marked as suspicious, and all data flows involving the node are routed to the next layer, while the remaining data flows are allowed to pass directly. S4, the data stream marked as suspicious by S3 is fed into the heavy multi-task detection network, combined with FocalLoss to output accurate multi-class malicious family labels, and the feature reconstruction loss is calculated through the autoencoder structure. S5. The risk score of the multi-class malicious family label merging based on S4 is again passed through the global node aggregator and input to the hysteresis scheduler based on the multi-budget mechanism. S6. Based on the actual processing bandwidth, output the most noteworthy attack source / target IP through dual-threshold hysteresis logic and switching penalty mechanism.

[0007] Preferably, the specific process of S1 is as follows: S11, for the first input feature vector Each dimension, assuming it has been observed The sample has a running mean of _ samples. And the sum of squares of deviations from the mean is When a new batch of data arrives, the number of valid samples in that batch is recorded as follows. The local mean is The sum of squares of local deviations from the mean is State updates strictly follow the following recursive relationship: S12. Update the cumulative total number of samples for this dimension. ; S13. Calculate the deviation between the old and new means. ; S14. Update the global mean using the bias. ; S15. Combine intra-batch variance and inter-batch variance due to mean shift to update the global sum of squares. During the streaming inference phase, the input matrix needs to be processed. primitive features Perform dynamic standardization transformation, utilizing accumulated... Calculate sample variance ; The Z-score normalization operation introduces a numerical stability lower bound. An empirical cutoff threshold was set. .

[0008] Preferably, the specific process of S2 is as follows: S21. Given the input feature vector normalized by S1 ,in Given the original feature dimension, a compression operation is directly performed through a global linear mapping to compress it to a low-dimensional bottleneck space. Let the decay rate parameter be... The feature dimension after dimensionality reduction is defined as ; S22. In order to force the network to learn the correlation between features rather than the baseline translation, the linear mapping layer removes the bias term, performs a squeezing operation and non-linear activation. S23. Subsequently, the incentive operation is performed to identify the bottleneck characteristics. Map back to the original The feature space is 3D, and importance weight vectors for each feature dimension are generated using the Sigmoid function. S24. Apply attention weights to the original input through element-wise multiplication to recalibrate the features and obtain features with high representational power. S25. Features with high representational ability after being filtered by the attention mechanism. The data is then fed into a minimally sized multilayer perceptron (MLP) for risk mapping. This MLP contains only one hidden layer, and the network ultimately outputs a single scalar. .

[0009] Preferably, the specific process of S3 is as follows: S31, Given the first Traffic collection within a time window For any data stream Let its source IP address be The target IP address is And the output of S25 The initial anomaly probability of the data stream is obtained after activation by the Sigmoid activation function. and ; S32. First, maintain a global mapping table to collect data on specific network nodes within the current time window. All associated risk evidence, defining nodes In batch The local evidence set within is: ; S33, Let For nodes The number of concurrent connections, for The elements in the array are arranged in descending order, and the first few elements are selected. The maximum value, node Current local risk scalar Defined as: ; S34, Let For nodes At any moment The overall risk status, The historical state decay factor is used, and the state update follows the Markov evolution equation. S35. Finally, based on the latest reputation status of the nodes at both ends of the traffic flow, a deterministic routing decision is executed, and a computing power decentralization instruction function is defined. And set a hard-coded sensitivity threshold. : ; in, It is an indicator function if and only if This indicates that the communication channel containing the data stream is in a high-risk state, and the traffic... The data will be routed to the computationally dense S4 for deep feature extraction and multi-class classification diagnosis; if If the data stream is deemed to be within a safe and trustworthy range, it will be allowed to pass directly.

[0010] Preferably, the specific process of S4 is as follows: S41. Given normalized high-risk flow characteristics The encoder first maps the data to a 128-dimensional hidden space through a fully connected layer, and then performs layer normalization and ReLU activation sequentially. To alleviate the vanishing gradient phenomenon in deep networks and enhance nonlinear representation capabilities, a feature residual block is integrated within the network. After undergoing linear transformation, layer normalization, and activation functions, the data stream forms a skip connection with the original input. S42. The high-dimensional features are further compressed by a bottleneck layer to form the core latent feature vector of dimensionality reduction. Then, the data is fed into two independent decision branches in parallel, and after nonlinear activation, it is mapped to the final category space to output a multi-class malicious family label. S43. The decoder head, as a symmetric inverse mapping network, converts 32-dimensional... Expand back to 128 dimensions and finally reconstruct it into a feature vector with the same dimensions as the original input. ; S44. During the online joint training phase of the model, the classification task abandons the standard cross-entropy loss and instead adopts a weighted multi-class focus loss; assuming the model has a good understanding of the samples... The true class prediction probability is Define class weights with smoothness Classification loss ; S45, Decoder head calculates reconstructed features With the original input The mean squared error (MSE) between the two sides is used as the unsupervised reconstruction loss. ; The global joint optimization objective of S46 and HeavyInspectorNet is a weighted sum of these two losses. : ; in, These are the weighting coefficients for the reconstruction loss.

[0011] Preferably, the specific working process of S5 is as follows: Reusing S3's EMA mechanism, it tracks the macro threat reputation of IP nodes over the long term, smooths transient risk spikes, and updates the node's final-state risk score by combining Top-K truncation. The updated formula is as follows: ; in, For smoothing parameters, This represents the average traffic risk score for the IP node within the current batch.

[0012] Preferably, S6 introduces dual-threshold hysteresis logic and a switching penalty mechanism from industrial control, setting a time step... The set of nodes that are in an active (attention) state is This dual-threshold hysteresis logic and switching penalty mechanism rely on three preset hyperparameters: activation threshold Inactivation threshold and switching penalty factors Current time step alarm set It follows the dual-threshold hysteresis logic and switching penalty mechanism.

[0013] Preferably, the dual-threshold hysteresis logic in S6 is a sticky retention mechanism based on the lower bound of hysteresis, as shown below: First, examine the alarm nodes that existed in the previous time step. If their current risk has not significantly declined below the inactivation threshold, they have priority for retention. The retention candidate set is defined as follows: ; Will The nodes in the list are sorted in descending order of their scores, and the node with the highest score is selected. Each node is directly merged into the current alarm set. .

[0014] Preferably, the switching penalty mechanism in S6 is a budget filling mechanism based on penalty sorting, as shown below: If there is still a budget shortfall after the retention operation (i.e.) The scheduler will select new nodes from the remaining global node set. To suppress the frequent appearance of new nodes, the scheduler calculates the effective competition score of all candidate nodes. : ; in, This is an indicator function that takes the value 1 when the condition inside the parentheses is true, and 0 otherwise; Mandatory deductions for new members The penalty score provides implicit score compensation for existing managed nodes, and then, under the premise of meeting strict activation thresholds, scores are awarded based on valid scores. Fill the new nodes from high to low. In the meantime, until the budget limit is reached. .

[0015] Therefore, the network intrusion detection method of the present invention, which adopts the above-mentioned content and is subject to dual budget constraints of computing power and alarms, has the following advantages compared with the prior art: 1. This application successfully exempts most of the benign background traffic from deep detection by innovative online feature normalization, pre-screening with channel attention, and dynamic computing power routing based on time-series reputation aggregation. While ensuring a high macro average F1 score of 0.9855, it significantly reduces the theoretical floating-point operation (FLOPs) overhead by 66.89%. 2. To address the engineering pain points of secure operation, this application introduces a hysteresis dual-threshold hysteresis logic and a switching penalty mechanism after the multi-task heavy detection network (Tier-3). Under a fixed manual audit budget, it achieves a high-risk node recall rate of over 94% and strictly suppresses the alarm oscillation rate to around 3.5%. Comprehensive experiments and cross-domain generalization prove that this architecture effectively provides a solution for low-cost defense in high-speed network environments.

[0016] The technical solution of the present invention will be further described in detail below with reference to the accompanying drawings and embodiments. Attached Figure Description

[0017] Figure 1 This is a diagram illustrating the overall architecture of a network intrusion detection method oriented towards dual budget constraints of computing power and alarms according to the present invention. Figure 2 This is a data standardization flowchart of a network intrusion detection method oriented towards dual budget constraints of computing power and alarms according to the present invention; Figure 3 This is a lightweight scoring network structure diagram of a network intrusion detection method oriented towards dual budget constraints of computing power and alarms according to the present invention; Figure 4 This invention provides a computing power routing allocation diagram for a network intrusion detection method oriented towards dual budget constraints of computing power and alarms. Figure 5 This is a deep detection network structure diagram of a network intrusion detection method oriented towards dual budget constraints of computing power and alarms according to the present invention; Figure 6 This is a flowchart of the SOC alarm allocation process based on hysteresis logic for a network intrusion detection method oriented towards dual budget constraints of computing power and alarms, as described in this invention. Detailed Implementation

[0018] In the description of this invention, it should be noted that the terms "upper," "lower," "inner," "outer," etc., indicate the orientation or positional relationship based on the orientation or positional relationship shown in the accompanying drawings, or the orientation or positional relationship in which the product of this invention is usually placed when in use. They are only for the convenience of describing this invention and simplifying the description, and do not indicate or imply that the device or element referred to must have a specific orientation, or be constructed and operated in a specific orientation. Therefore, they should not be construed as limiting this invention.

[0019] Example like Figures 1-6 As shown, the present invention provides a network intrusion detection method oriented towards dual budget constraints of computing power and alarms, comprising the following steps: S1. The original network data stream is input in blocks and then updated and standardized in real time through the online feature matrix (OnlineFeatureMoments) to adapt to concept drift. The original network data stream used was not the original CIC-IDS2017 with known defects, but a deeply cleaned and repaired version (Distrinet-CIC-IDS2017) released by the DistriNet team at the IEEE CNS2022 conference. Recent studies have shown that the original network data stream has serious traffic overlap, label misalignment, and feature extraction errors. These data defects can cause machine learning models to learn false shortcut features. In contrast, the CNS2022 version has performed rigorous stream reconstruction and label calibration at the underlying PCAP level. As shown in Table 1, the core differences between the original version and the version used in this study are compared in detail. Choosing this version fundamentally eliminates the interference of the defects in the benchmark data on the Prequential Streaming evaluation results and ensures the statistical authenticity of the model's detection performance. Table 1. Comparison between the original CIC-IDS2017 and the IEEE CNS2022 revised version;

[0020] To ensure the physical realism and statistical rigor of the Prequential Streaming simulation, this study designed a standardized offline data cleansing pipeline before inputting the raw network flows. The core purpose of this stage is to eliminate data noise, prevent shortcut learning, and reconstruct the true streaming timeline. The specific engineering implementation and theoretical basis of the above algorithm can be summarized into the following four key dimensions: 1. Strict temporal alignment: In streaming intrusion detection evaluation, the simulation of concept drift is highly dependent on the temporal order of data input. After merging multiple original CSV files, a global ascending order is forced based on the Timestamp field. This operation is different from the evaluation paradigm of randomly shuffling the traditional static original network data stream, ensuring that the subsequent Prequential validation can truly reflect the model's dynamic adaptability in the evolution of time. 2. Feature space dimensionality reduction to prevent shortcut learning: To avoid deep neural networks making decisions by memorizing static network topology features (i.e., shortcut learning), strong identifier columns (including source / target IP, port number, etc.) are strictly removed. In addition, the algorithm automatically scans and removes cardinality. The zero-variance constant column is used to reduce the curse of dimensionality and reduce the computational cost of the initial screening stage; 3. Numerical stabilization for streaming processing: Due to packet loss or packet capture anomalies in the network environment, the raw extracted data stream features (such as FlowBytes / s) often contain infinite values. To prevent gradient explosion or statistical collapse of the online feature moments in the first stage during incremental updates (partial_fit), all infinite values ​​are forcibly converted into missing values ​​(NaN), and the global median of the feature is uniformly used for robust interpolation, thereby effectively reducing the disturbance of extreme outliers to the underlying distribution. 4. Macro-threat semantic aggregation: There is a serious long-tail distribution problem of labels in the original network data stream, and the sample size of some specific attacks is extremely scarce. In order to improve the statistical significance of Tier-3 HeavyInspectorNet in multi-classification tasks, the scattered attack subclasses are mapped to macro-threat families based on the underlying semantics of the attack vectors. The specific aggregation mapping rules are detailed in Table 2. Table 2 Semantic aggregation mapping from original attack types to macro threat families;

[0021] The specific process of S1 is as follows: S11, for the first input feature vector Each dimension, assuming it has been observed The sample has a running mean of _ samples. And the sum of squares of deviations from the mean is When a new data stream batch arrives, the number of valid samples in that batch is recorded as follows. The local mean is The sum of squares of local deviations from the mean is State updates strictly follow the following recursive relationship: S12. Update the cumulative total number of samples for this dimension. : ; S13. Calculate the deviation between the old and new means. : ; S14. Update the global mean using the bias. : ; S15. Combine intra-batch variance and inter-batch variance due to mean shift to update the global sum of squares. : ; During the streaming inference phase, the input matrix needs to be processed. primitive features Perform dynamic standardization transformation, utilizing accumulated... Calculate sample variance ; To prevent division-to-zero anomalies caused by constant features and to suppress the destructive effects of extreme outliers on network activation and gradients, the Z-score normalization operation introduces a numerically stable lower bound. An empirical cutoff threshold was set. The Z-score standardization formula is as follows: ; in, For the first j The output values ​​after standardization of each feature dimension This is a truncation function used to force input values ​​to be limited to a specified range of upper and lower bounds; This dynamic statistical and normalization mechanism ensures the relative stability of feature distribution in the concept drift environment, laying a data foundation for the rapid convergence and unbiased inference of subsequent deep neural networks; S2. Input the standardized feature vectors from S1 into a lightweight scoring network (LightScorerNet) equipped with an SE channel attention mechanism to perform binary classification evaluation on each data stream with extremely low computational overhead and output basic anomaly probability scores. The specific process of S2 is as follows: S21. Given the input feature vector normalized by S1 ,in Unlike traditional vision tasks that require spatial pooling, this module uses the original feature dimension and performs compression directly through a global linear mapping to compress one-dimensional flow features into a low-dimensional bottleneck space. The reduction ratio parameter is set to... The feature dimension after dimensionality reduction is defined as ; S22. To force the network to learn purely the correlation between features rather than the baseline shift, the linear mapping layer removes the bias term (Bias-free). The squeezing operation and non-linear activation are shown below: ; in, It is a dimension-reduced weight matrix; S23. Subsequently, the incentive operation is performed to identify the bottleneck characteristics. Map back to the original The feature space is 3D, and importance weight vectors for each feature dimension are generated using the Sigmoid function. : ; in, It is a weight matrix of increased dimension and also does not contain a bias term. The Sigmoid activation function is used to map the upgraded feature values ​​to the (0,1) interval. S24. Attention weights are applied to the original input using element-wise multiplication to recalibrate the features and obtain features with high representational power. : ; S25. Features with high representational ability after being filtered by the attention mechanism. The data is then fed into a minimally sized multilayer perceptron (MLP) for risk mapping. This MLP contains only one hidden layer, and the network ultimately outputs a single scalar. The process is as follows: ; ; in, and Network weights; During the streaming reasoning phase, It will be mapped to through the Sigmoid activation function. The initial risk probability of the interval is evaluated by the computational routing of S3; while in the online joint fine-tuning stage, the output is directly used to calculate BCEWithLogitsLoss with the binary true labels to ensure numerical stability and fast convergence. S3. By combining the node aggregator with the exponential moving average (EMA), the risk level of the data flow is mapped and accumulated to the source / target IP entity. When the recent comprehensive risk of an IP entity exceeds the preset threshold, the node is marked as suspicious, and all data flows involving the node will be routed to the next layer, while the remaining data flows are allowed to pass directly. The specific process of S3 is as follows: S31, Given the first The collection of traffic within a time window (or data stream batch). For any data stream Let its source IP address be The target IP address is And the output of S25 The initial anomaly probability of the data stream is obtained after activation by the Sigmoid activation function. and ; S32. First, maintain a global mapping table to collect data on specific network nodes within the current time window. Define nodes based on all associated risk evidence (as source or destination). In batch The local evidence set within is: ; To prevent a small number of extreme benign predictions from diluting the overall threat score of nodes, and to suppress noise interference, a local Top-K mean aggregation strategy is adopted. S33, Let For nodes The number of concurrent connections, for The elements in the array are arranged in descending order, and the first few elements are selected. The maximum value (when the number of connections is insufficient) (If necessary, take all nodes) Current local risk scalar Defined as: ; The attack intent exhibited by network entities is usually sequential. In order to capture this dynamic evolution process, a first-order exponential moving average (EMA) is used to update the global reputation status of nodes. S34, Let For nodes At any moment The overall risk status, The historical state decay factor is used, and the state update follows the following Markov evolution equation: ; Among them, the initial state This equation ensures that computing power routing is highly sensitive to recent threats while smoothly forgetting historical behavior from the distant future. S35. Finally, as a parameter-free computing distributor, the computing power routing allocation performs deterministic routing decisions based on the latest reputation status of the nodes at both ends of the traffic flow, defining a computing power decentralization indicator function (RoutingIndicator). And set a hard-coded sensitivity threshold. : ; in, It is an indicator function if and only if This indicates that the communication channel containing the data stream is in a high-risk state, and the traffic... They will be routed to the high-computation-density S4 for deep feature extraction and multi-class diagnostics; Source IP address At any moment The overall risk status, For target IP address At any moment The overall risk status; if If the data stream is considered to be within the safe and trustworthy range, it is allowed to pass directly, thus strictly avoiding the redundant FLOPs consumption caused by full-traffic deep detection within mathematical limits. S4. Data streams marked as suspicious by S3 are fed into a heavy multi-task detection network (Heavy Inspector Net), which combines FocalLoss to output accurate multi-class malicious family labels, and calculates feature reconstruction loss (MSELoss) through an autoencoder structure. For high-risk traffic that has been lightly scored by S2 and filtered by node routing in S3, it is routed to a heavy-duty multi-task detection network with high computational density for deep feature extraction and multi-class diagnosis. In order to deal with the extreme class imbalance problem that is common in network intrusion detection and to extract latent features with strong generalization ability, the network is designed as a multi-task learning model that combines a multi-classifier and an autoencoder architecture. Table 3 shows the algorithm structure of this module. Table 3. Multi-task inference and joint training algorithm of Heavy Inspector Net;

[0022] The specific process of S4 is as follows: S41. Given normalized high-risk flow characteristics The encoder first maps the data to a 128-dimensional hidden space through a fully connected layer, and then performs layer normalization (LayerNorm) and ReLU activation sequentially. To alleviate the gradient vanishing phenomenon in deep networks and enhance nonlinear representation capabilities, a feature residual block (ResBlock) is integrated within the network. After undergoing linear transformation, layer normalization, and activation functions, the data stream forms a skip connection with the original input. The specific formula is as follows: ; S42. The high-dimensional features are further compressed by a bottleneck layer to form the core latent feature vector with reduced dimensionality. Then, the data is fed in parallel into two independent decision branches, and after nonlinear activation, it is mapped to the final class space, outputting a multi-class malicious family label; (Total number of categories including benign ones), used for fine-grained threat assessment. S43. The decoder head, as a symmetric inverse mapping network, converts 32-dimensional... Expand back to 128 dimensions and finally reconstruct it into a feature vector with the same dimensions as the original input. ; S44. During the online joint training phase of the model, the classification task abandons the standard cross-entropy loss and instead adopts Weighted Multi-Class Focal Loss. Addressing the deficiency of cross-entropy in dominating the gradient when faced with massive amounts of easily classifiable samples (usually benign background data streams), Focal Loss introduces a modulation factor to dynamically amplify the gradient weights of the difficult-to-classify minority attack classes. Assume the model... The true class prediction probability is Define class weights with smoothness Classification loss The specific formula is as follows: ; The focusing parameter is hard-coded based on the optimal result of the grid search. ; S45, Decoder head calculates reconstructed features With the original input The mean squared error (MSE) between the two sides is used as the unsupervised reconstruction loss. The specific calculations are as follows: ; The global joint optimization objective of S46 and HeavyInspectorNet is a weighted sum of these two losses. : ; in, The weighting coefficients for the reconstruction loss (default setting is 1). In this mechanism, the decoder and MSE loss act as a powerful structured regularizer, which forces the encoder to retain essential information that can restore the original data stream while optimizing the classification boundary. This effectively prevents the deep network from simply memorizing spurious correlations in the training set and improves the model's robustness in dealing with the drift of unknown concepts. S5. The risk score of the multi-class malicious family label merging based on S4 is again processed by the global node aggregator and input into the hysteresisTop-KScheduler based on the multi-budget mechanism. The specific working process of S5 is as follows: Reusing S3's EMA mechanism, it tracks the macro threat reputation of IP nodes over the long term, smooths transient risk spikes, and updates the node's final-state risk score by combining Top-K truncation. The updated formula is as follows: ; in, For smoothing parameters, This represents the average traffic risk score for that IP node within the current batch; using Compared with Top-K partial evidence truncation, for each IP node Perform noise-resistant updates to absorb transient spikes in the network; When reporting high-risk nodes to the SOC, the hysteretic Top-K scheduler with switching penalties is subject to strict human analysis budget constraints. It relies solely on simple absolute threshold judgment or dynamic Top-K sorting. Small fluctuations in node scores near the critical point can lead to frequent entry and exit from the edge of the budget pool, triggering a massive number of alarm jitters and exacerbating alarm fatigue. S6. Based on the actual processing bandwidth, the most noteworthy attack source / target IP is output through dual-threshold hysteresis logic (tau_on / tau_off) and switching penalty mechanism; S6 introduces dual-threshold hysteresis logic and switching penalty mechanism from industrial control, setting time steps. The set of nodes that are in an active (attention) state is This dual-threshold hysteresis logic and switching penalty mechanism rely on three preset hyperparameters: activation threshold Inactivation threshold and switching penalty factors Current time step alarm set It follows the dual-threshold hysteresis logic and switching penalty mechanism; The dual-threshold hysteresis logic in S6 is a sticky retention mechanism based on the hysteresis lower bound, as detailed below: First, examine the alarm nodes that existed in the previous time step. If their current risk has not significantly declined below the inactivation threshold, they have priority for retention. The retention candidate set is defined as follows: ; Will The nodes in the list are sorted in descending order of their scores, and the node with the highest score is selected. Each node is directly merged into the current alarm set. ; The switching penalty mechanism in S6 is a budget filling mechanism based on penalty sorting, as shown below: If there is still a budget shortfall after the retention operation (i.e.) The scheduler will select new nodes from the remaining global node set. To suppress the frequent appearance of new nodes, the scheduler calculates the effective competition score of all candidate nodes. : ; in, This is an indicator function that takes the value 1 when the condition inside the parentheses is true, and 0 otherwise; Mandatory deductions for new members The penalty score provides implicit score compensation for existing managed nodes, subsequently subject to stringent activation thresholds ( Under the premise of ), based on the valid score Fill the new nodes from high to low. In the meantime, until the budget limit is reached. ; This asymmetric hysteresis interval ( The combination of features and penalties significantly suppresses state transitions caused by feature perturbations at the mathematical level, greatly enhancing the temporal stickiness of the controlled state of the entity, and ensuring the continuity of SOC alarms and extremely high effective recall rate from the architectural level.

[0023] In practice, all Prequential Streaming experiments are conducted in a unified hardware and software environment, including a computer operating system, CPU processor, GPU graphics processor, 32GB of memory, and a deep learning framework. The evaluation indicators are selected as follows: To comprehensively verify the overall performance of the proposed cascaded architecture in terms of detection accuracy, computational efficiency, and practical security operations, this study constructs an evaluation index system based on over two million (2,079,825) real data streams, from three main dimensions: Stream-level detection performance metrics: Abandoning the single metric of accuracy, we adopt the macro-average F1 score as the core evaluation benchmark to objectively reflect the model's performance under extreme class imbalance conditions. At the same time, we track the area under the receiver operating characteristic curve (Multi-class AUC), overall attack recall (i.e., the ability to detect real threats), and false positive rate (FPR) under multi-class classification.

[0024] Computing power and efficiency metrics: The theoretical floating-point operation reduction rate is introduced to quantify the computational overhead saved by the computing power routing mechanism of this application compared with the baseline full-traffic deep inspection. Hardware-level metrics include the end-to-end average latency of streaming batch processing (in milliseconds per block) and peak memory usage during inference.

[0025] Node-level Alarm Operation Quality Metrics (SOC Metrics): For actual Security Operations Center (SOC) scenarios, Node Recall@K is defined to measure the ability to capture high-risk attack sources under a fixed manual investigation budget (Budget K); at the same time, Alert Churn / Jitter is introduced to evaluate the temporal stability and noise resistance of the output high-risk alert list.

[0026] Therefore, this invention employs a network intrusion detection method oriented towards dual budget constraints of computing power and alarms, as described above. At the final output, it integrates an alarm management module based on a dual-threshold hysteresis scheduler (Hysteresis Top-K Scheduler) and exponential moving average (EMA), effectively eliminating alarm oscillations caused by minute score fluctuations. Baseline comparison evaluation based on over two million real data streams shows that this architecture not only achieves a macro-average F1 score of 0.9855 and an extremely low false positive rate of 0.0003, but also reduces theoretical computational overhead by up to 62.89% compared to the standard 1D-CNN baseline. The hysteresis scheduler achieves a high confidence node recall rate of 0.9394 under a fixed manual budget and strictly suppresses the alarm oscillation rate to 0.0356, fully demonstrating its superior computational efficiency and practical feasibility in modern SOC operations.

[0027] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention and not to limit them. Although the present invention has been described in detail with reference to preferred embodiments, those skilled in the art should understand that modifications or equivalent substitutions can still be made to the technical solutions of the present invention, and these modifications or equivalent substitutions cannot cause the modified technical solutions to deviate from the spirit and scope of the technical solutions of the present invention.

Claims

1. A network intrusion detection method oriented towards dual budget constraints of computing power and alarms, characterized in that, Includes the following steps: S1. The original network data stream is input in blocks and then updated and standardized in real time using an online feature matrix. S2. Input the standardized feature vectors from S1 into a lightweight scoring network equipped with an SE channel attention mechanism to perform binary classification evaluation on each data stream and output a basic anomaly probability score. S3. By combining node aggregators with exponential moving averages, the risk level of data flows is mapped and accumulated to the source / target IP entities. When the recent comprehensive risk of an IP entity exceeds a preset threshold, the node is marked as suspicious, and all data flows involving the node are routed to the next layer, while the remaining data flows are allowed to pass directly. S4, the data stream marked as suspicious by S3 is fed into the heavy multi-task detection network, combined with FocalLoss to output accurate multi-class malicious family labels, and the feature reconstruction loss is calculated through the autoencoder structure. S5. The risk score of the multi-class malicious family label merging based on S4 is again passed through the global node aggregator and input to the hysteresis scheduler based on the multi-budget mechanism. S6. Based on the actual processing bandwidth, output the most noteworthy attack source / target IP through dual-threshold hysteresis logic and switching penalty mechanism.

2. The network intrusion detection method oriented towards dual budget constraints of computing power and alarms as described in claim 1, characterized in that: The specific process of S1 is as follows: S11, for the first input feature vector Each dimension, assuming it has been observed The sample has a running mean of _ samples. And the sum of squares of deviations from the mean is When a new batch of data arrives, the number of valid samples in that batch is recorded as follows. The local mean is The sum of squares of local deviations from the mean is State updates strictly follow the following recursive relationship: S12. Update the cumulative total number of samples for this dimension. ; S13. Calculate the deviation between the old and new means. ; S14. Update the global mean using the bias. ; S15. Combine intra-batch variance and inter-batch variance due to mean shift to update the global sum of squares. ; During the streaming inference phase, the input matrix needs to be processed. primitive features Perform dynamic standardization transformation, utilizing accumulated... Calculate sample variance ; The Z-score normalization operation introduces a numerical stability lower bound. An empirical cutoff threshold was set. .

3. The network intrusion detection method oriented towards dual budget constraints of computing power and alarms as described in claim 2, characterized in that: The specific process of S2 is as follows: S21. Given the input feature vector normalized by S1 ,in Given the original feature dimension, a compression operation is directly performed through a global linear mapping to compress it to a low-dimensional bottleneck space. Let the decay rate parameter be... The feature dimension after dimensionality reduction is defined as ; S22. In order to force the network to learn the correlation between features rather than the baseline translation, the linear mapping layer removes the bias term, performs a squeezing operation and non-linear activation. S23. Subsequently, the incentive operation is performed to identify the bottleneck characteristics. Map back to the original The feature space is 3D, and importance weight vectors for each feature dimension are generated using the Sigmoid function. ; S24. Apply attention weights to the original input through element-wise multiplication to recalibrate the features and obtain features with high representational power. ; S25. Features with high representational ability after being filtered by the attention mechanism. The data is then fed into a minimally sized multilayer perceptron (MLP) for risk mapping. This MLP contains only one hidden layer, and the network ultimately outputs a single scalar. .

4. The network intrusion detection method oriented towards dual budget constraints of computing power and alarms as described in claim 3, characterized in that: The specific process of S3 is as follows: S31, Given the first Traffic collection within a time window For any data stream Let its source IP address be The target IP address is And the output of S25 The initial anomaly probability of the data stream is obtained after activation by the Sigmoid activation function. and ; S32. First, maintain a global mapping table to collect data on specific network nodes within the current time window. All associated risk evidence, defining nodes In batch The local evidence set within is: ; S33, Let For nodes The number of concurrent connections, for The elements in the array are arranged in descending order, and the first few elements are selected. The maximum value, node Current local risk scalar Defined as: ; S34, Let For nodes At any moment The overall risk status, The historical state decay factor is used, and the state update follows the Markov evolution equation. S35. Finally, based on the latest reputation status of the nodes at both ends of the traffic flow, a deterministic routing decision is executed, and a computing power decentralization instruction function is defined. And set a hard-coded sensitivity threshold. : ; in, It is an indicator function if and only if This indicates that the communication channel containing the data stream is in a high-risk state, and the traffic... The data will be routed to the computationally dense S4 for deep feature extraction and multi-class classification diagnosis; if If the data stream is deemed to be within a safe and trustworthy range, it will be allowed to pass directly.

5. A network intrusion detection method oriented towards dual budget constraints of computing power and alarms as described in claim 4, characterized in that: The specific process of S4 is as follows: S41. Given normalized high-risk flow characteristics The encoder first maps the data to a 128-dimensional hidden space through a fully connected layer, and then performs layer normalization and ReLU activation sequentially. To alleviate the vanishing gradient phenomenon in deep networks and enhance nonlinear representation capabilities, a feature residual block is integrated within the network. After undergoing linear transformation, layer normalization, and activation functions, the data stream forms a skip connection with the original input. S42. The high-dimensional features are further compressed by a bottleneck layer to form the core latent feature vector of dimensionality reduction. Then, the data is fed into two independent decision branches in parallel, and after nonlinear activation, it is mapped to the final category space to output a multi-class malicious family label. S43. The decoder head, as a symmetric inverse mapping network, converts 32-dimensional... Expand back to 128 dimensions and finally reconstruct it into a feature vector with the same dimensions as the original input. ; S44. During the online joint training phase of the model, the classification task abandons the standard cross-entropy loss and instead adopts a weighted multi-class focus loss; assuming the model has a good understanding of the samples... The true class prediction probability is Define class weights with smoothness Classification loss ; S45, Decoder head calculates reconstructed features With the original input The mean squared error (MSE) between the two sides is used as the unsupervised reconstruction loss. ; The global joint optimization objective of S46 and HeavyInspectorNet is a weighted sum of these two losses. : ; in, These are the weighting coefficients for the reconstruction loss.

6. A network intrusion detection method oriented towards dual budget constraints of computing power and alarms as described in claim 5, characterized in that: The specific working process of S5 is as follows: Reusing S3's EMA mechanism, it tracks the macro threat reputation of IP nodes over the long term, smooths transient risk spikes, and updates the node's final-state risk score by combining Top-K truncation. The updated formula is as follows: ; in, For smoothing parameters, This represents the average traffic risk score for the IP node within the current batch.

7. A network intrusion detection method oriented towards dual budget constraints of computing power and alarms as described in claim 6, characterized in that: S6 introduces dual-threshold hysteresis logic and switching penalty mechanism from industrial control, setting time steps. The set of nodes that are active at that time is This dual-threshold hysteresis logic and switching penalty mechanism rely on three preset hyperparameters: activation threshold Inactivation threshold and switching penalty factors Current time step alarm set It follows the dual-threshold hysteresis logic and switching penalty mechanism.

8. A network intrusion detection method oriented towards dual budget constraints of computing power and alarms as described in claim 7, characterized in that: The dual-threshold hysteresis logic in S6 is a sticky retention mechanism based on the hysteresis lower bound, as detailed below: First, examine the alarm nodes that existed in the previous time step. If their current risk has not significantly declined below the inactivation threshold, they have priority for retention. The retention candidate set is defined as follows: ; Will The nodes in the list are sorted in descending order of their scores, and the node with the highest score is selected. Each node is directly merged into the current alarm set. .

9. A network intrusion detection method oriented towards dual budget constraints of computing power and alarms as described in claim 7, characterized in that: The switching penalty mechanism in S6 is a budget filling mechanism based on penalty sorting, as shown below: If there is still a budget shortfall after the operation is completed, then... New nodes will be selected from the remaining global node set. To suppress the frequent appearance of new nodes, the scheduler calculates the effective competition score of all candidate nodes. : ; in, This is an indicator function that takes the value 1 when the condition inside the parentheses is true, and 0 otherwise; Mandatory deductions for new members The penalty score provides implicit score compensation for existing managed nodes, and then, under the premise of meeting strict activation thresholds, scores are awarded based on valid scores. Fill the new nodes from high to low. In the meantime, until the budget limit is reached. .