CN102185735A - Network security situation prediction method - Google Patents

Abstract

The invention discloses a network security situation prediction method in the technical field of network information security. The method comprises the following steps of: analyzing the hazard degrees of each network security threat by using a grey clustering analysis method, and further constructing a hierarchical network security situation index system, obtaining network security situation values of each time monitoring point, constructing a time sequence, constructing the time sequence into a training sample set, and performing iterative training on the training sample set by utilizing an integrated learning Boosting algorithm to obtain a weak learning machine sequence meeting error requirements; obtaining a strong learning machine by utilizing the method for calculating the weighted sum of the weak learning machine sequence; and finishing predicting the network security situation values of future time monitoring points by using the strong learning machine. The method is relatively higher in adaptability and relatively lower in prediction error rate in terms of reduction in network security situation value prediction errors.

Description

A kind of network safety situation Forecasting Methodology

Technical field

The invention belongs to the network information security technology field, relate in particular to a kind of network safety situation Forecasting Methodology.

Background technology

Develop rapidly along with the Internet technology, the importance of network security and increasing to influence of society, network security problem is also more and more outstanding, and becomes the key issue that Internet and every network service and application further develop the solution of needing badly gradually.Network intrusions and attack are just towards trend developments such as distribution, scale, complicated, indirectization in addition; certainly will higher requirement be proposed to the safety product technology; and existing safety product (as IDS, IPS, fire compartment wall etc.) can only provide the most basic intrusion detection information, can't provide believable prediction alarm to the security postures of future network.Therefore press for the security postures prediction alarm that new technology of research realizes large scale network.The method that is widely used for describing the network security situation at present is network safety situation and network safety situation value prediction.So-called network safety situation is meant by whole network current safe state and variation tendencies that factor constituted such as various network device operation conditions, network behavior and user behaviors.The network safety situation prediction is meant in large-scale network environment, obtains, understands, shows and predict development in future trend to causing the security factor that network situation changes.The network safety situation Forecasting Methodology mainly is to use the method for single learning machine in the artificial intelligence at present, the network safety situation value of some historical discrete times monitoring point is abstracted into time series, and then with the network safety situation forecasting problem as the regression analysis problem, utilize single learning machine to find the solution, this process mainly comprises three parts, is respectively tectonic network safety index system, computing network security postures value, sets up the network safety situation forecast model.

Tectonic network safety index system is that the all-network security threat that will be referred to network security is configured to the index system structure according to certain rule, calculates thereby be fit to the network safety situation value.The building method of index system will determine directly whether the network safety situation value can accurately reflect the actual situation of current network, the present invention introduces grey clustering analysis GCA (Grey Clustering Analysis) method thus, thereby has obtained accurately reflecting the index system of current network safe condition.

Computing network security postures value process is exactly to utilize intrusion detection that the diverse network safety means provide category and time statistics as a result, be input to the network security index system again, with the multiplied by weight of every kind of network security threats corresponding in the network security index system, thereby obtain the network safety situation value of each historical time monitoring point.

At present the Forecasting Methodology of network safety situation value mainly is to utilize single learning machine methods such as neural net, SVMs, and the methodical error of single learning machine is relatively large, be prone to over-fitting phenomenon, computational process complexity.The present invention adopts integrated study Boosting algorithm to finish the prediction of network safety situation value for this reason, has effectively improved precision of prediction.

Summary of the invention

Big at single learning machine methodical error of mentioning in the above-mentioned background technology, be prone to deficiencies such as over-fitting phenomenon, computational process complexity, the present invention proposes a kind of network safety situation Forecasting Methodology.

Technical scheme of the present invention is that a kind of network safety situation Forecasting Methodology is characterized in that said method comprising the steps of:

Step 1: use grey clustering analysis method to analyze every kind of network security threats x ₁, x ₂, L, x _nThe extent of injury, and then construct the network safety situation index system T of stratification;

Step 2: with the historical intrusion detection result of Network Security Device order, be input to successively among the network safety situation index system T of stratification, obtain the network safety situation value V of each time supervision point i according to time supervision point i _i

Step 3: use the sliding window method with network safety situation value V _iBe configured to time series S, and time series S is configured to the readable training sample set S of integrated study Boosting algorithm _Train

Step 4: utilize integrated study Boosting algorithm to training sample set S _TrainCarry out the iteration training, obtain weak learning machine sequences h, utilize method to obtain strong learning machine H again the weighted sum of weak learning machine sequences h _j

Step 5: utilize strong learning machine H _jFinish the network safety situation value prediction of following time supervision point, and set strong learning machine H _jLife cycle, if strong learning machine H _jReach its life cycle, then return step 3.

Described step 1 may further comprise the steps:

Step 1.1: the white function matrix of structure global index;

Step 1.2: determine the grey cluster coefficient according to white function;

Step 1.3: calculate every kind of network security threats x ₁, x ₂, L, x _nThe grey cluster coefficient, and determine its grey cluster ownership;

Step 1.4: the grey cluster result is configured to hierarchical network security postures index system T;

Step 1.5: determine the index t among the index system T ₁, t ₂, L t _nFinal weights omega with respect to the network safety situation value.

Described step 2 may further comprise the steps:

Step 2.1: the Network Security Device intrusion detection of adding up each time supervision point i is r as a result _i

Step 2.2: with r _iDo multiplication with the weight matrix ω of network safety situation index system T, obtain the network safety situation value V of time supervision point i _i

Described step 4 may further comprise the steps:

Step 4.1: set integrated study Boosting algorithm maximum iteration time k, and set the weak learning algorithm that integrated study Boosting algorithm is called;

Step 4.2: standardization training sample set S _Train

Step 4.3: the primary data sample collection D that sets integrated study Boosting algorithm;

Step 4.4: with ω _f(l) be probability sample drawn collection D from primary data sample collection D _f, and, obtain weak learning machine h by weak learning algorithm training _f

Step 4.5: calculate weak learning machine h _fTraining error ε _f

Step 4.6: calculate weak learning machine h _fWeight _f

Step 4.7: the weight of upgrading training sample;

Step 4.8: when satisfying one of following two conditions, then execution in step 4.9; Otherwise return step 4.4;

Condition 1: integrated study Boosting algorithm reaches maximum iteration time k;

Condition 2: sample set D _fNo longer change;

Step 4.9: export strong learning machine H _j

Weak learning algorithm is core vector regression CVR in the described step 4.1.

Training error ε in the described step 4.5 _fComputing formula be:

${\mathrm{\ϵ}}_f=\underset{l=1}{\overset{q}{\mathrm{\Σ}}}{\mathrm{\ω}}_f\left(l\right)$

In the formula:

ε _fBe training error, f ∈ [1 ..., k];

ω _f(l) for extracting probability.

Weight in the described step 4.6 _fComputing formula be:

${\mathrm{\α}}_f=\frac{1}{2}\ln \left[\frac{1-{\mathrm{\ϵ}}_f}{{\mathrm{\ϵ}}_f}\right]$

In the formula:

α _fBe weak learning machine h _fWeight.

Strong learning machine H in the described step 4.9 _jComputing formula be:

$H_j=\mathrm{sign}\left[\underset{l=1}{\overset{k}{\mathrm{\Σ}}}{\text{\α}}_l{h}_l\left(x\right)\right]$

In the formula:

H _jBe strong learning machine;

Sign is a sign function;

α _lBe weak learning machine h _lWeight.

Adopt the present invention that network safety situation is predicted, not only overcome original defective, and improved the accuracy rate of prediction based on single learning machine situation value prediction technology.

Description of drawings

Fig. 1 is a network safety situation Forecasting Methodology flow chart;

Fig. 2 is the network safety situation index system generative process flow chart based on grey clustering analysis method;

Fig. 3 is a sliding window method schematic diagram;

Fig. 4 is the weak learning machine flow chart of integrated study Boosting algorithm training;

Fig. 5 is the strong learning machine prediction network safety situation process schematic diagram that utilizes integrated study Boosting algorithm to obtain.

Embodiment

Below in conjunction with accompanying drawing, preferred embodiment is elaborated.Should be emphasized that following explanation only is exemplary, rather than in order to limit the scope of the invention and to use.

Set up the network safety situation index system and calculate the prerequisite that the situation value is the network safety situation prediction.For this reason, the present invention introduces and based on grey clustering analysis method original diverse network security threat is analyzed, and then obtains the stratification index system; After obtaining the stratification index system, can computing network security postures value, and discrete-time series become training sample set according to the sliding window method construct; Training sample set is input in the integrated study Boosting algorithm, by learning machine a little less than the integrated study Boosting algorithm invokes--core vector regression CVR (Core Vector Regression) carries out the sample set training to obtain weak learning machine sequence, again the weighting of weak learning machine sequence is become strong learning machine; Utilize strong learning machine to finish the prediction of network safety situation value at last.From the part to integral body, make integrated study Boosting algorithm can be suitable for more generally network safety situation forecasting problem like this.

Fig. 1 is a kind of network safety situation Forecasting Methodology flow chart provided by the invention.Among Fig. 1, method provided by the invention comprises following step:

Step 1: use grey clustering analysis method to analyze every kind of network security threats x ₁, x ₂, L, x _nThe extent of injury, n is a network security threats kind sum, and then constructs the network safety situation index system T of stratification;

Grey clustering analysis GCA (Grey Clustering Analysis) is more outstanding a kind of of performance in the clustering method, it utilizes the gray scale membership function to differentiate the classification ownership of sample to be clustered, it is advantageous that does not need the large sample collection to support, and can disclose unconspicuous implicit contact between each sample built-in attribute.Setting up process based on the network safety situation index system of grey clustering analysis among the present invention mainly is made of following five steps:

Step 1.1: the white function matrix of structure global index;

If sample X={x to be clustered ₁, L x _i, L x _m, cluster index Y={y ₁, L y _j, L y _n, S different cluster ash class arranged, each object x _iFor the cluster index y _jThe white function that is had is d _Ij, i=1,2, L, m, j=1,2, L, n sets up matrix D=[d _Ij],

$D=\left[d_{\mathrm{ij}}\right]=\left[\begin{array}{cccc}{d}_{11}& d_{12}& L& d_{1m}\\ d_{21}& d_{22}& L& d_{2m}\\ L& L& L& L\\ d_{n1}& d_{n2}& L& d_{\mathrm{nm}}\end{array}\right]$

Step 1.2: determine the grey cluster coefficient according to white function;

Following formula is three class white functions, f (d _Ij) be the albefaction weight function of the j ash class of i cluster index, f (d _Ij) ∈ [0,1], λ _IjBe f (d _Ij) threshold values.

The upper limit is estimated white function $f_1\left(d_{\mathrm{ij}}\right)=\left\{\begin{array}{cc}0,& x\∈[-\∞,a]\\ \frac{x-a}{x-b},& x\∈[a,b]\\ 1,& x\∈[b,+\∞]\end{array}\right.$

Moderately estimate white function $f_2\left(d_{\mathrm{ij}}\right)=\left\{\begin{array}{cc}\frac{x}{a},& x\∈[0,a]\\ \frac{a-x}{b-a},& x\∈[a,b]\\ 0,& x\∉[0,b]\end{array}\right.$

Lower limit is estimated white function $f_3\left(d_{\mathrm{ij}}\right)=\left\{\begin{array}{cc}0,& x\∉[0,b]\\ \frac{a-x}{b-a},& x\∈[a,b]\\ 1,& x\∈[0,a]\end{array}\right.$

Step 1.3: calculate every kind of network security threats x ₁, x ₂, L, x _nThe grey cluster coefficient, and determine its grey cluster ownership;

Sample to be tested is done albefaction handle, obtain the white function f (d of the relative j ash of i index class _Ij), obtain the threshold values λ of each grey class _Ij, and then ask the cluster of the j ash class of i index to weigh

Then obtaining the grey cluster coefficient is

σ _IjReflect that i cluster object is under the jurisdiction of the degree of j ash class.Obtain cluster row vector σ _i=(σ _I1, σ _I2L σ _Is), S is grey class number.σ _cBe the Grey Clustering Decision-Making matrix, as the following formula:

${\mathrm{\σ}}_c=\left[\begin{array}{c}{\mathrm{\σ}}_1\\ M\\ {\mathrm{\σ}}_n\end{array}\right]=\left[\begin{array}{ccc}{\mathrm{\σ}}_{11}& L& {\mathrm{\σ}}_{1k}\\ L& L& L\\ {\mathrm{\σ}}_{n1}& L& {\mathrm{\σ}}_{\mathrm{nk}}\end{array}\right]$

If certain is arranged

Satisfy

Claim cluster object i to belong to grey class k ^*Promptly at cluster row vector σ _iIn find out maximum cluster coefficients, grey class is grey class under the cluster object i under this maximum cluster coefficients.

Step 1.4: the grey cluster result is configured to hierarchical network security postures index system T;

As Fig. 2, choose in this example the gray scale classification for " by force ", " in ", " weak " three classes, distinguish the extent of injury of map network security threat.

Step 1.5: determine the index t among the index system T ₁, t ₂, L t _nFinal weights omega with respect to the network safety situation value.

This stage need be determined the influence coefficient of every kind of Cyberthreat for the network safety situation value, utilize analytic hierarchy process (AHP) to set up in the stratification index system structure judgment matrix in twos between every layer of all index and find the solution the characteristic vector of judgment matrix, thereby obtain the influence coefficient of every layer the relative last layer element of each element, successively determine the final influence coefficient of diverse network attack with the method for weighted sum at last the network safety situation value.Step 1.5 is made up of following two sub-steps,

The first step: network attack weight assignment

Look for some association area experts that diverse network is threatened and provide weight according to its extent of injury.The general weight that adopts 1-9, weight 1 extent of injury is minimum, rises successively, and the extent of injury of weight 9 is the highest.Utilize the Delphi method to obtain expert's average weight that diverse network threatens again, as the sample of analytic hierarchy process (AHP).

Second step: utilize analytic hierarchy process (AHP) to determine the final weight allocation of evaluation system

According to " local earlier; that the back is whole " strategy, calculate diverse network attack with respect to rule layer ownership " by force " in its grey cluster index system, " in ", the influence coefficient of " weak " three major types, calculate again " by force ", " in ", " weak " three major types is for the influence coefficient of network safety situation value, thereby obtain the final influence coefficient matrix of diverse network security threat for the network safety situation value.Process is as follows:

(1) compares judgment matrix A in twos according to the hierarchical structure structure.In the process that compares in twos, the policymaker need determine at certain class criterion B _k, two indicator layer Elements C _iAnd C _jWhich is more important, need quantize its importance degree, uses the scale of 1-9 here.Concrete scale implication sees Table 1:

Table 1 judgment matrix scale and implication thereof

(2) for n indicator layer Elements C ₁C _n, by comparing mutually in twos, the judgment matrix A that is finally compared in twos;

(3) relative weighting of element under the single criterion of calculating utilizes A ω=λ _Maxω calculates the characteristic vector ω of matrix, with its unitization and as Elements C ₁C _nAt criterion B _kUnder the ordering weight;

(4) the parameter system weight matrix that always sorts;

(5) consistency check of matrix.If CI is the general coincident indicator of judgment matrix, CI=(λ _Max-n)/(n-1), wherein n is the judgment matrix dimension; RI is the average homogeneity index, and concrete value sees Table 2; CR is the Consistency Ratio at random of judgment matrix, and CR=CI/RI is if CR≤0.1 a gained result satisfies consistency.

Table 2 average homogeneity index is won the confidence

Step 2: the historical intrusion detection result of Network Security Device is input to the network safety situation index system T of stratification successively according to time supervision point i order, obtains the network safety situation value V of each time supervision point i _i

Described step 2 specifically comprises the following steps:

Step 2.1: the Network Security Device intrusion detection r as a result that carries each time supervision point i of statistics _i, r _iIt is 1 * n matrix

Wherein

X for time supervision point i _mPlant the number of times that network security threats takes place;

Step 2.2: with r _iDo multiplication, ω=[ω with the weight matrix ω of network safety situation index system T ₁, ω ₂, L, ω _n] ^TBe n * 1 matrix, thereby obtain the network safety situation value V of time supervision point i _i

Step 3: use the network safety situation value V of sliding window method with each time supervision point i _iBe configured to time series S={V ₁, V ₂, L, V _i, and time series S is configured to the readable training sample set S of integrated study Boosting algorithm _TrainSpecific as follows:

1: use the network safety situation value V of sliding window method with each discrete time monitoring point i _iBe configured to time series S={V ₁, V ₂, Λ, V _i, be 4 as setting the sliding window size, sliding step is 1, then S ₁={ V ₁, V ₂, V ₃, V ₄, S ₂={ V ₂, V ₃, V ₄, V ₅, S ₃={ V ₃, V ₄, V ₅, V ₆, by that analogy, as Fig. 3;

2: time series S is configured to the readable training sample set S of integrated study Boosting algorithm _Train, promptly guarantee training sample set S _TrainSatisfy the weak desired data format of learning machine in the integrated study Boosting algorithm;

Step 4: utilize integrated study Boosting algorithm to training sample set S _TrainTrain and obtain weak learning machine sequences h={ h ₁, h ₂, L, h _k, k is an integrated study Boosting algorithm maximum iteration time, utilizes the method to the weighted sum of weak learning machine sequences h to obtain strong learning machine H again _j, j ∈ [1 ,+∞];

Integrated study Boosting algorithm is the outstanding representative of integrated study algorithm, its theoretical thought is to utilize certain unsettled weak learning machine to generate a weak learning machine combination, wherein each weak learning machine all exists as basic grader, the classification results of basic grader before the training process of each basic grader all depends on, the error of basic grader is used to adjust the sample probability distribution of current basic grader before being about to, and strong learning machine forms by the weighted array of single basic grader.Integrated study Boosting algorithm can obviously improve the accuracy rate of unstable learning machine, and is obvious for the lifting of single learning machine performance.Because the each training of integrated study Boosting algorithm can obtain a basic grader, and each basic grader all is to improve on the result of calculation of last once basic grader, therefore from the training angle, the training process of integrated study Boosting algorithm is exactly a process of continuing to optimize, and promptly grader never is stabilized to stable process.Find that after deliberation integrated study Boosting algorithm only need be adjusted parameter of maximum frequency of training k, and integrated study Boosting algorithm can not cause the study phenomenon to occur.Fig. 4 is the process of the weak learning machine of integrated study Boosting algorithm training, and described step 4 specifically comprises the following steps:

Step 4.1: set integrated study Boosting algorithm maximum iteration time k, and set the weak learning algorithm that integrated study Boosting algorithm is called;

Step 4.2: standardization training sample set S _TrainIf time series S ₁Be S ₁={ V ₁, V ₂, V ₃, V ₄, V then ₁, V ₂, V ₃, V ₄For the input vector of the weak learning algorithm of integrated study Boosting algorithm, according to S ₁The network safety situation value V of prediction ₅Be its corresponding output vector;

Step 4.3: the primary data sample collection D that sets integrated study Boosting algorithm;

D={S ₁, V ₅S ₂, V ₆L S _q, V _Q+4, ω ₁(l) be the initial weight of each sample among the primary data sample collection D,

L ∈ [1 ..., q], q is the total number of sample;

Step 4.4: with ω _f(l) the sample set D that from primary data sample collection D, extracts for probability _f, and, obtain weak learning machine h by weak learning algorithm training _f, f ∈ [1 ..., k];

ω _f(l) the condition of choosing is:

If satisfy this condition, then ω _f(l) be its result of calculation; If do not satisfy this condition, then ω _f(l)=0, wherein,

Be network safety situation value V _I+4Predicted value;

Step 4.5: calculate weak learning machine h _fTraining error ε _f

${\mathrm{\ϵ}}_f=\underset{l=1}{\overset{q}{\mathrm{\Σ}}}{\mathrm{\ω}}_f\left(l\right)$

In the formula:

ε _fBe training error, f ∈ [1 ..., k];

ω _f(l) for extracting probability.

Step 4.6: calculate weak learning machine h _fWeight _f

${\mathrm{\α}}_f=\frac{1}{2}\ln \left[\frac{1-{\mathrm{\ϵ}}_f}{{\mathrm{\ϵ}}_f}\right]$

In the formula:

α _fBe weak learning machine h _fWeight.

Step 4.7: the weight of upgrading training sample;

${\mathrm{\ω}}_{f+1}\left(l\right)=\frac{{\mathrm{\ω}}_f\left(l\right)e^{-{\mathrm{\α}}_f{V}_l{h}_f\left(x_l\right)}}{M_f},$

In the formula:

ω _F+1(l) be the weight of the training sample after upgrading;

ω _f(l) be the weight of training sample;

h _f(x _l) be that weak learning machine is according to input variable x _lThe calculated value that obtains;

V _lIt is actual situation value;

M _fBe normalization coefficient, must guarantee $\underset{l=1}{\overset{q}{\mathrm{\Σ}}}{\mathrm{\ω}}_{f+1}\left(l\right)=1.$

Step 4.8: when satisfying one of following two conditions, execution in step 4.9; Otherwise return step 4.4;

Condition 1: integrated study Boosting algorithm reaches maximum iteration time k;

Condition 2: sample set D _fNo longer change;

Step 4.9: export strong learning machine H _j

$H_j\text{=sign[}\underset{l=1}{\overset{k}{\mathrm{\Σ}}}{\mathrm{\α}}_l{h}_l\left(x\right)\text{]}$

In the formula:

H _jBe strong learning machine;

Sign is a sign function;

α _lBe weak learning machine h _lWeight.

What pay special attention to is that the selected core vector regression CVR (Core Vector Regression) of integrated study Boosting algorithm finishes the training to sample data in step 4.1.CVR utilizes the MEB algorithm to find the solution former n dimension Euclidean space R ⁿMiddle target problem Φ, its process is as follows:

(1) utilize kernel function to finish from n dimension Euclidean space R ⁿTo the conversion in Hilbert space, promptly in the Hilbert space, construct the dual problem Φ ' of target problem Φ.

(2) the sample set S according to dual problem Φ ' sets initial MEB.

(3) carry out the MEB algorithm, until the nucleon collection S that obtains sample set S _c, be converted into the MEB problem with dual problem Φ ' this moment.If c, r are respectively the center of gravity and the radius of ball, and use B (c, r) one of expression heavily is c, radius is the ball of r.Establish error threshold δ＞0 again, ball B (c, (1+ δ) r) is considered as (1+ δ) approximate ball of MEB (S).Nucleon collection S then _cMay be defined as: if proper subclass S _cComprised sample point among all S with the MEB of the factor (1+ δ) expansion, that is:

Wherein B (c, R)=MEB (S _c), proper subclass S then _cThe nucleon collection that is called S.

(4) under the constraints of center, find the solution the MEB problem, promptly finish finding the solution of target problem Φ.

Step 5: utilize strong learning machine H _jFinish the network safety situation value prediction of following time supervision point, and set strong learning machine H _jLife cycle, if strong learning machine H _jReach its life cycle, then repeating step 3;

Concrete implementation such as Fig. 5 of step 5 are specially:

1: set strong learning machine H _jLife cycle T _Live

2: check strong learning machine H _jLife cycle whether finish, if finished then according to step 3 until generating the strong learning machine H of a new generation _J+1

Through after the training study of above-mentioned 5 steps, form network safety situation value prediction model, thereby realize the situation value of following time supervision point is accurately predicted based on integrated study Boosting algorithm.

The present invention compares traditional single learning machine method aspect prediction network safety situation value, the better prediction precision is arranged, and has improved the practicality of network safety situation prediction.

The above; only for the preferable embodiment of the present invention, but protection scope of the present invention is not limited thereto, and anyly is familiar with those skilled in the art in the technical scope that the present invention discloses; the variation that can expect easily or replacement all should be encompassed within protection scope of the present invention.Therefore, protection scope of the present invention should be as the criterion with the protection range of claim.

Claims (8)

1. network safety situation Forecasting Methodology is characterized in that said method comprising the steps of:

Step 1: use grey clustering analysis method to analyze every kind of network security threats x ₁, x ₂, L, x _nThe extent of injury, and then construct the network safety situation index system T of stratification;

Step 2: with the historical intrusion detection result of Network Security Device order, be input to successively among the network safety situation index system T of stratification, obtain the network safety situation value V of each time supervision point i according to time supervision point i _i

Step 3: use the sliding window method with network safety situation value V _iBe configured to time series S, and time series S is configured to the readable training sample set S of integrated study Boosting algorithm _Train

Step 4: utilize integrated study Boosting algorithm to training sample set S _TrainCarry out the iteration training, obtain weak learning machine sequences h, utilize method to obtain strong learning machine H again the weighted sum of weak learning machine sequences h _j

Step 5: utilize strong learning machine H _jFinish the network safety situation value prediction of following time supervision point, and set strong learning machine H _jLife cycle, if strong learning machine H _jReach its life cycle, then return step 3.

2. according to the described a kind of network safety situation Forecasting Methodology of claim 1, it is characterized in that described step 1 may further comprise the steps:

Step 1.1: the white function matrix of structure global index;

Step 1.2: determine the grey cluster coefficient according to white function;

Step 1.3: calculate every kind of network security threats x ₁, x ₂, L, x _nThe grey cluster coefficient, and determine its grey cluster ownership;

Step 1.4: the grey cluster result is configured to hierarchical network security postures index system T;

Step 1.5: determine the index t among the index system T ₁, t ₂, L t _nFinal weights omega with respect to the network safety situation value.

3. according to the described a kind of network safety situation Forecasting Methodology of claim 1, it is characterized in that described step 2 may further comprise the steps:

Step 2.1: the Network Security Device intrusion detection of adding up each time supervision point i is r as a result _i

Step 2.2: with r _iDo multiplication with the weight matrix ω of network safety situation index system T, obtain the network safety situation value V of time supervision point i _i

4. according to the described a kind of network safety situation Forecasting Methodology of claim 1, it is characterized in that described step 4 may further comprise the steps:

Step 4.1: set integrated study Boosting algorithm maximum iteration time k, and set the weak learning algorithm that integrated study Boosting algorithm is called;

Step 4.2: standardization training sample set S _Train

Step 4.3: the primary data sample collection D that sets integrated study Boosting algorithm;

Step 4.4: with ω _f(l) be probability sample drawn collection D from primary data sample collection D _f, and, obtain weak learning machine h by weak learning algorithm training _f

Step 4.5: calculate weak learning machine h _fTraining error ε _f

Step 4.6: calculate weak learning machine h _fWeight _f

Step 4.7: the weight of upgrading training sample;

Step 4.8: when satisfying one of following two conditions, then execution in step 4.9; Otherwise return step 4.4;

Condition 1: integrated study Boosting algorithm reaches maximum iteration time k;

Condition 2: sample set D _fNo longer change;

Step 4.9: export strong learning machine H _j

5. according to the described a kind of network safety situation Forecasting Methodology of claim 5, it is characterized in that weak learning algorithm is core vector regression CVR in the described step 4.1.

6. according to the described a kind of network safety situation Forecasting Methodology of claim 5, it is characterized in that training error ε in the described step 4.5 _fComputing formula be:

${\mathrm{\ϵ}}_f=\underset{l=1}{\overset{q}{\mathrm{\Σ}}}{\mathrm{\ω}}_f\left(l\right)$

In the formula:

ε _fBe training error, f ∈ [1 ..., k];

ω _f(l) for extracting probability.

7. according to the described a kind of network safety situation Forecasting Methodology of claim 5, it is characterized in that weight in the described step 4.6 _fComputing formula be:

${\mathrm{\α}}_f=\frac{1}{2}\ln \left[\frac{1-{\mathrm{\ϵ}}_f}{{\mathrm{\ϵ}}_f}\right]$

In the formula:

α _fBe weak learning machine h _fWeight.

8. according to the described a kind of network safety situation Forecasting Methodology of claim 5, it is characterized in that strong learning machine H in the described step 4.9 _jComputing formula be:

$H_j=\mathrm{sign}\left[\underset{l=1}{\overset{k}{\mathrm{\Σ}}}{\mathrm{\α}}_l{h}_l\left(x\right)\right]$

In the formula:

H _jBe strong learning machine;

Sign is a sign function;

α _lBe weak learning machine h _lWeight.

Images