Ant Group Anti‑Intrusion Platform: Architecture, Trillion‑Scale Detection, Risk Assessment, and Automated Response

Following the enactment of China’s Data Security Law, Personal Information Protection Law and other regulations, enterprises face increasingly sophisticated and hidden security threats. To address these challenges, Ant Group’s security team built a reliable, flexible, and intelligent anti‑intrusion platform capable of operating at trillion‑scale data volumes.

Development History – The platform originated in early 2018 with a real‑time big‑data intrusion detection engine, evolved through 2019‑2021 with the introduction of security parallel‑aspect concepts, SOAR capabilities, and finally, in 2022, integrated the detection, risk‑assessment, and response modules into a unified solution serving Ant Group and its subsidiaries.

Platform Overview – The system consists of three core functions: intrusion detection, risk judgment, and security response, all unified by a security parallel‑aspect layer that standardizes log ingestion and enables high‑throughput, real‑time threat mitigation.

Trillion‑Scale Intrusion Detection – Ant Group processes millions of endpoints and generates up to tens of billions of probe logs per second, reaching daily volumes of a trillion events. The detection engine uses a streaming computation framework with four foundational engines (rule, model, feature, function) optimized for CPU, memory, and network I/O. A flexible computation graph (input, SQL, rule, model, feature, output nodes) allows security engineers to quickly compose detection tasks for any threat vector, while high‑availability mechanisms monitor and self‑heal the system under massive load.

Risk Assessment and Attribution – Massive alert volumes are filtered from billions to hundreds of high‑priority alerts using multi‑level severity grading (P0‑P3). A graph‑based risk analysis engine models alerts as attacker‑victim relationships, performs real‑time graph computation, and produces explainable attack chains. The engine combines threat intelligence, asset profiling, and AI‑driven risk scoring, merging expert annotations with machine‑learning predictions.

Rapid Security Incident Response – The platform provides a scriptable, workflow‑driven response engine that lets security experts design playbooks using drag‑and‑drop UI components (workflow, human‑in‑the‑loop, service extension nodes). It supports zero‑code integration of millions of security facets, versioned lifecycle management, audit logging, and safeguards such as gray‑scale rollout, circuit‑breakers, and fast rollback to ensure reliable execution of high‑risk actions.

Conclusion – After years of red‑blue exercises and real‑world deployments, the anti‑intrusion platform now supports daily trillion‑level data processing, high‑precision detection, comprehensive risk attribution, and automated response, positioning Ant Group as a leader in large‑scale information security operations.