CN102185735B - Network security situation prediction method - Google Patents

Abstract

The invention discloses a network security situation prediction method in the technical field of network information security. The method comprises the following steps of: analyzing the hazard degrees of each network security threat by using a grey clustering analysis method, and further constructing a hierarchical network security situation index system, obtaining network security situation values of each time monitoring point, constructing a time sequence, constructing the time sequence into a training sample set, and performing iterative training on the training sample set by utilizing an integrated learning Boosting algorithm to obtain a weak learning machine sequence meeting error requirements; obtaining a strong learning machine by utilizing the method for calculating the weighted sum of the weak learning machine sequence; and finishing predicting the network security situation values of future time monitoring points by using the strong learning machine. The method is relatively higher in adaptability and relatively lower in prediction error rate in terms of reduction in network security situation value prediction errors.

Description

A kind of network security situation prediction method

Technical field

The invention belongs to the network information security technology field, relate in particular to a kind of network security situation prediction method.

Background technology

Develop rapidly along with the Internet technology, the importance of network security and increasing on the impact of society, network security problem is also more and more outstanding, and becomes gradually Internet and every network service and use the key issue that further develops the solution of needing badly.Network intrusions and attack are just towards trend developments such as distribution, scale, complicated, indirectization in addition; certainly will higher requirement be proposed to the safety product technology; and existing safety product (as IDS, IPS, fire compartment wall etc.) can only provide the most basic intrusion detection information, can't provide to the security postures of future network believable prediction alarm.Therefore realize the security postures prediction alarm of large scale network in the urgent need to studying a new technology.The method that is widely used for describing at present security status is network safety situation and network safety situation value prediction.So-called network safety situation refers to the whole network current safe state and the variation tendency that are made of factors such as various network device operation conditions, network behavior and user behaviors.Network safety situation prediction refers in large-scale network environment, to can cause that the security factor that Network Situation changes is obtained, understood, the development trend of demonstration and predict future.Network security situation prediction method is mainly the method for using single learning machine in artificial intelligence at present, the network safety situation value of some historical discrete times monitoring points is abstracted into time series, and then with the network safety situation forecasting problem as the regression analysis problem, utilize single learning machine to find the solution, this process mainly comprises three parts, is respectively tectonic network Safety index system, computing network security postures value, sets up the network safety situation forecast model.

The tectonic network Safety index system is that the all-network security threat that will be referred to network security is configured to the index system structure according to certain rule, calculates thereby be fit to the network safety situation value.The building method of index system will determine directly whether the network safety situation value can accurately reflect the actual situation of current network, the present invention introduces grey clustering analysis GCA (Grey Clustering Analysis) method thus, thereby has obtained accurately reflecting the index system of current network safe condition.

Computing network security postures value process is exactly to utilize intrusion detection that the diverse network safety means provide category and time statistics as a result, be input to again the network security index system, with the multiplied by weight of every kind of network security threats corresponding in the network security index system, thereby obtain the network safety situation value of each historical time monitoring point.

At present the Forecasting Methodology of network safety situation value, be mainly to utilize single learning machine methods such as neural net, SVMs, and the methodical error of single learning machine is relatively large, be prone to the over-fitting phenomenon, computational process is complicated.The present invention adopts integrated study Boosting algorithm to complete the prediction of network safety situation value for this reason, has effectively improved precision of prediction.

Summary of the invention

Large for single learning machine methodical error of mentioning in the above-mentioned background technology, be prone to the deficiencies such as over-fitting phenomenon, computational process complexity, the present invention proposes a kind of network security situation prediction method.

Technical scheme of the present invention is that a kind of network security situation prediction method is characterized in that said method comprising the steps of:

Step 1: use grey clustering analysis method to analyze every kind of network security threats x ₁, x ₂..., x _nThe extent of injury, and then construct the network safety situation index system T of stratification;

Step 2: with the historical intrusion detection result of the Network Security Device order according to time supervision point i, be input to successively in the network safety situation index system T of stratification, obtain the network safety situation value V of each time supervision point i _i

Step 3: use the sliding window method with network safety situation value V _iBe configured to time series S, and time series S is configured to the readable training sample set S of integrated study Boosting algorithm _Train

Step 4: utilize integrated study Boosting algorithm to training sample set S _TrainCarry out the iteration training, obtain weak learning machine sequences h, recycling obtains strong learning machine H to the method for weak learning machine sequences h weighted sum _j

Step 5: utilize strong learning machine H _jComplete the network safety situation value prediction of future time monitoring point, and set strong learning machine H _jLife cycle, if strong learning machine H _jReach its life cycle, return to step 3.

Described step 1 comprises the following steps:

Step 1.1: the white function matrix of structure global index;

Step 1.2: determine the grey cluster coefficient according to white function;

Step 1.3: calculate every kind of network security threats x ₁, x ₂..., x _nThe grey cluster coefficient, and determine its grey cluster ownership;

Step 1.4: the grey cluster result is configured to hierarchical network security postures index system T;

Step 1.5: determine the index t in index system T ₁, t ₂... t _nFinal weights omega with respect to the network safety situation value.

Described step 2 comprises the following steps:

Step 2.1: the Network Security Device intrusion detection of adding up each time supervision point i is r as a result _i

Step 2.2: with r _iDo multiplication with the weight matrix ω of network safety situation index system T, obtain the network safety situation value V of time supervision point i _i

Described step 4 comprises the following steps:

Step 4.1: set integrated study Boosting algorithm maximum iteration time k, and set the weak learning algorithm that integrated study Boosting algorithm calls;

Step 4.2: standardization training sample set S _Train

Step 4.3: the primary data sample collection D that sets integrated study Boosting algorithm;

Step 4.4: with ω _f(l) be probability sample drawn collection D from primary data sample collection D _f, and by weak learning algorithm training, obtain weak learning machine h _f

Step 4.5: calculate weak learning machine h _fTraining error ε _f

Step 4.6: calculate weak learning machine h _fWeight α _f

Step 4.7: the weight of upgrading training sample;

Step 4.8: when satisfying one of following two conditions, execution in step 4.9; Otherwise return to step 4.4;

Condition 1: integrated study Boosting algorithm reaches maximum iteration time k;

Condition 2: sample set D _fNo longer change;

Step 4.9: export strong learning machine H _j

In described step 4.1, weak learning algorithm is core vector regression CVR.

Training error ε in described step 4.5 _fComputing formula be:

${\mathrm{\ϵ}}_f=\underset{l=1}{\overset{q}{\mathrm{\Σ}}}{\mathrm{\ω}}_f\left(l\right)$

In formula:

ε _fBe training error, f ∈ [1 ..., k];

ω _f(l) for extracting probability.

Weight α in described step 4.6 _fComputing formula be:

${\mathrm{\α}}_f=\frac{1}{2}\ln \left[\frac{1-{\mathrm{\ϵ}}_f}{{\mathrm{\ϵ}}_f}\right]$

In formula:

α _fBe weak learning machine h _fWeight.

Strong learning machine H in described step 4.9 _jComputing formula be:

$H_j=\mathrm{sign}\left[\underset{l=1}{\overset{k}{\mathrm{\Σ}}}{\mathrm{\α}}_l{h}_l\left(x\right)\right]$

In formula:

H _jBe strong learning machine;

Sign is sign function;

α _lBe weak learning machine h _lWeight.

Adopt the present invention that network safety situation is predicted, not only overcome original defective based on single learning machine situation value prediction technology, and improved the accuracy rate of prediction.

Description of drawings

Fig. 1 is the network security situation prediction method flow chart;

Fig. 2 is the network safety situation index system generative process flow chart based on grey clustering analysis method;

Fig. 3 is sliding window method schematic diagram;

Fig. 4 is the weak learning machine flow chart of integrated study Boosting Algorithm for Training;

Fig. 5 is the strong learning machine prediction network safety situation process schematic diagram that utilizes integrated study Boosting algorithm to obtain.

Embodiment

Below in conjunction with accompanying drawing, preferred embodiment is elaborated.Should be emphasized that, following explanation is only exemplary, rather than in order to limit the scope of the invention and to use.

Set up the network safety situation index system and calculate the prerequisite that the situation value is the network safety situation prediction.For this reason, the present invention introduces and based on grey clustering analysis method, original diverse network security threat is analyzed, and then obtains the stratification index system; After obtaining the stratification index system, can computing network security postures value, and discrete-time series is become training sample set according to the sliding window method construct; Training sample set is input in integrated study Boosting algorithm, calling weak learning machine by integrated study Boosting algorithm--core vector regression CVR (Core Vector Regression) carries out sample set and trains to obtain weak learning machine sequence, then the weighting of weak learning machine sequence is become strong learning machine; Utilize at last strong learning machine to complete the prediction of network safety situation value.From the part to integral body, make integrated study Boosting algorithm can be suitable for more generally network safety situation forecasting problem like this.

Fig. 1 is a kind of network security situation prediction method flow chart provided by the invention.In Fig. 1, method provided by the invention comprises following step:

Step 1: use grey clustering analysis method to analyze every kind of network security threats x ₁, x ₂..., x _nThe extent of injury, n is network security threats kind sum, and then constructs the network safety situation index system T of stratification;

Grey clustering analysis GCA (Grey Clustering Analysis) is more outstanding a kind of of clustering method performance, it utilizes the gray scale membership function to differentiate the classification ownership of sample to be clustered, it is advantageous that does not need the large sample collection to support, and can disclose unconspicuous implicit contact between each sample built-in attribute.Setting up process based on the network safety situation index system of grey clustering analysis in the present invention mainly is made of following five steps:

Step 1.1: the white function matrix of structure global index;

If sample X={x to be clustered ₁... x _i... x _m, cluster index Y={y ₁... y _j... y _n, S different cluster ash class arranged, each object xi is for the cluster index y _jThe white function that has is d _ij, i=1,2 ..., m, j=1,2 ..., n sets up matrix D=[d _ij],

$D=\left[d_{\mathrm{ij}}\right]=\left[\begin{array}{cccc}{d}_{11}& d_{12}& ...& d_{1m}\\ d_{21}& d_{22}& ...& d_{2m}\\ ...& ...& ...& ...\\ d_{n1}& {\mathrm{<figure-callout\; id="2"\; label="d\; n"\; filenames="HDA0000057559020000011.png"\; state="\{\{state\}\}">d</figure-callout>}}_n& ...& d_{\mathrm{nm}}\end{array}\right]$

Step 1.2: determine the grey cluster coefficient according to white function;

Following formula is three class white functions, f (d _ij) be the albefaction weight function of the j ash class of i cluster index, f (d _ij) ∈ [0,1], λ _ijBe f (d _ij) threshold values.

The upper measure white function $f_1\left(d_{\mathrm{ij}}\right)=\left\{\begin{array}{cc}0,& x\&Element;[-\&infin;,a]\\ \frac{x-a}{x-b},& x\&Element;[a,b]\\ 1,& x\&Element;[b,+\&infin;]\end{array}\right.$

Moderately estimate white function $f_2\left(d_{\mathrm{ij}}\right)=\left\{\begin{array}{cc}\frac{x}{a},& x\&Element;[0,a]\\ \frac{a-x}{b-a},& x\&Element;[a,b]\\ 0,& x\&NotElement;[0,b]\end{array}\right.$

Lower limit is estimated white function $f_3\left(d_{\mathrm{ij}}\right)=\left\{\begin{array}{cc}0,& x\&NotElement;[0,b]\\ \frac{a-x}{b-a},& x\&Element;[a,b]\\ 1,& x\&Element;[0,a]\end{array}\right.$

Step 1.3: calculate every kind of network security threats x ₁, x ₂..., x _nThe grey cluster coefficient, and determine its grey cluster ownership;

Sample to be tested is done albefaction process, obtain the white function f (d of the relative j ash of i index class _ij), obtain the threshold values λ of each grey class _ij, and then ask the cluster of the j ash class of i index to weigh

Obtaining the grey cluster coefficient is σ ij reflection i clustering object is under the jurisdiction of the degree of j ash class.Obtain cluster row vector σ _i=(σ _i1, σ _i2σ _is), S is grey class number.σ _cBe the Grey Clustering Decision-Making matrix, as the following formula:

${\mathrm{\&sigma;}}_c=\left[\begin{array}{c}{\mathrm{\&sigma;}}_1\\ .\\ .\\ .\\ {\mathrm{\&sigma;}}_n\end{array}\right]=\left[\begin{array}{ccc}{\mathrm{\&sigma;}}_{11}& ...& {\mathrm{\&sigma;}}_{1k}\\ ...& ...& ...\\ {\mathrm{\&sigma;}}_{\mathrm{<figure-callout\; id="1"\; label="n"\; filenames="HDA0000057559020000031.png"\; state="\{\{state\}\}">n</figure-callout>}1}& ...& {\mathrm{\&sigma;}}_{\mathrm{nk}}\end{array}\right]$

If certain σ is arranged _ik*Satisfy ${\mathrm{\&sigma;}}_{{\mathrm{ik}}^{*}}=\underset{1\&le;k\&le;K}{\mathrm{<figure-callout\; id="1"\; label="max"\; filenames="HDA0000057559020000031.png"\; state="\{\{state\}\}">max</figure-callout>}}\left\{{\mathrm{\&sigma;}}_{\mathrm{ik}}\right\}=\max \{{\mathrm{\&sigma;}}_{i1},{\mathrm{\&sigma;}}_{i2},...,{\mathrm{\&sigma;}}_{\mathrm{ik}}\},$ Claim clustering object i to belong to grey class k ^*Namely at cluster row vector σ _iIn find out maximum cluster coefficients, grey class is grey class under clustering object i under this maximum cluster coefficients.

Step 1.4: the grey cluster result is configured to hierarchical network security postures index system T;

As Fig. 2, choose in this example the gray scale classification for " by force ", " in ", " weak " three classes, distinguish the extent of injury of map network security threat.

Step 1.5: determine the index t in index system T ₁, t ₂... t _nFinal weights omega with respect to the network safety situation value.

This stage need to determine that every kind of Cyberthreat is for the influence coefficient of network safety situation value, utilize analytic hierarchy process (AHP) set up in stratification index system structure the judgment matrix in twos between every layer of all index and find the solution the characteristic vector of judgment matrix, thereby obtain the influence coefficient of the relative last layer element of each element of every layer, determine successively that with the method for weighted sum the diverse network attack is to the final influence coefficient of network safety situation value at last.Step 1.5 is comprised of following two sub-steps,

The first step: network attack weight assignment

Look for some association area experts that diverse network is threatened and provide weight according to its extent of injury.The general weight that adopts 1-9, weight 1 extent of injury is minimum, rises successively, and the extent of injury of weight 9 is the highest.Recycling Delphi method is obtained expert's average weight that diverse network threatens, as the sample of analytic hierarchy process (AHP).

Second step: utilize analytic hierarchy process (AHP) to determine the final weight allocation of evaluation system

According to " first local; rear whole " strategy, calculate diverse network attack with respect to rule layer ownership " by force " in its grey cluster index system, " in ", the influence coefficient of " weak " three major types, calculate again " by force ", " in ", " weak " three major types is for the influence coefficient of network safety situation value, thereby obtain the diverse network security threat for the final influence coefficient matrix of network safety situation value.Process is as follows:

(1) compare in twos judgment matrix A according to the hierarchical structure structure.In the process that compares in twos, the policymaker need to determine for certain class criterion B _k, two indicator layer Elements C _iAnd C _jWhich is more important, need to quantize its importance degree, uses the scale of 1-9 here.Concrete scale implication sees Table 1:

Table 1 judgment matrix scale and implication thereof

(2) for n indicator layer Elements C ₁C _n, by mutually comparing in twos, finally obtain the judgment matrix A that compares in twos;

(3) calculate the relative weighting of element under single criterion, utilize A ω=λ _maxω calculates the characteristic vector ω of matrix, with its unit and as Elements C ₁C _nAt criterion B _kUnder weight order;

(4) the total weight order matrix of parameter system;

(5) consistency check of matrix.If CI is the general coincident indicator of judgment matrix, CI=(λ _max-n)/(n-1), wherein n is the judgment matrix dimension; RI is the average homogeneity index, and concrete value sees Table 2; CR is the random Consistency Ratio of judgment matrix, and CR=CI/RI is if CR≤0.1 acquired results satisfies consistency.

Table 2 average homogeneity index value

Step 2: the historical intrusion detection result of Network Security Device is input to the network safety situation index system T of stratification successively according to time supervision point i order, obtains the network safety situation value V of each time supervision point i _i

Described step 2 specifically comprises the following steps:

Step 2.1: the Network Security Device intrusion detection of carrying statistics each time supervision point i is r as a result _i, r _iIt is 1 * n matrix Wherein

The number of times that occurs for the xm kind network security threats of time supervision point i;

Step 2.2: with r _iDo multiplication, ω=[ω with the weight matrix ω of network safety situation index system T ₁, ω ₂..., ω _n] ^TBe n * 1 matrix, thereby obtain the network safety situation value V of time supervision point i _i

Step 3: use the sliding window method with the network safety situation value V of each time supervision point i _iBe configured to time series S={V ₁, V ₂..., V _i, and time series S is configured to the readable training sample set S of integrated study Boosting algorithm _TrainSpecific as follows:

1: use the sliding window method with the network safety situation value V of each discrete time monitoring point i _iBe configured to time series S={V ₁, V ₂..., V _i, be 4 as setting the sliding window size, sliding step is 1, S ₁={ V ₁, V ₂, V ₃, V ₄, S ₂={ V ₂, V ₃, V ₄, V ₅, S ₃={ V ₃, V ₄, V ₅, V ₆, by that analogy, as Fig. 3;

2: time series S is configured to the readable training sample set Strain of integrated study Boosting algorithm, guarantees that namely training sample set Strain satisfies the weak desired data format of learning machine in integrated study Boosting algorithm;

Step 4: utilize integrated study Boosting algorithm to training sample set S _TrainTrain and obtain weak learning machine sequences h={ h ₁, h ₂..., h _k, k is integrated study Boosting algorithm maximum iteration time, recycling obtains strong learning machine H to the method for weak learning machine sequences h weighted sum _j, j ∈ [1 ,+∞];

Integrated study Boosting algorithm is the outstanding representative of Ensemble Learning Algorithms, its theoretical thought is to utilize certain unsettled weak learning machine to generate a weak learning machine combination, wherein each weak learning machine all exists as basic grader, the classification results of basic grader before the training process of each basic grader all depends on, before being about to, the error of basic grader is used for adjusting the sample probability distribution of current basic grader, and strong learning machine forms by the weighted array of single basic grader.Integrated study Boosting algorithm can obviously improve the accuracy rate of unstable learning machine, and is obvious for the lifting of single learning machine performance.Because the each training of integrated study Boosting algorithm can obtain a basic grader, and each basic grader is to improve on the result of calculation of upper once basic grader, therefore from the training angle, the training process of integrated study Boosting algorithm is exactly a process of continuing to optimize, and namely grader never is stabilized to stable process.Find after deliberation, integrated study Boosting algorithm only need to be adjusted parameter of maximum frequency of training k, and integrated study Boosting algorithm can not cause the study phenomenon to occur.Fig. 4 is the process of the weak learning machine of integrated study Boosting Algorithm for Training, and described step 4 specifically comprises the following steps:

Step 4.1: set integrated study Boosting algorithm maximum iteration time k, and set the weak learning algorithm that integrated study Boosting algorithm calls;

Step 4.2: standardization training sample set S _TrainIf time series S ₁Be S ₁={ V ₁, V ₂, V ₃, V ₄, V ₁, V ₂, V ₃, V ₄For the input vector of the weak learning algorithm of integrated study Boosting algorithm, according to S ₁The network safety situation value V of prediction ₅Be its corresponding output vector;

Step 4.3: the primary data sample collection D that sets integrated study Boosting algorithm;

D={S ₁, V ₅S ₂, V ₆L S _q, V _q+4, ω ₁(l) be the initial weight of each sample in primary data sample collection D,

L ∈ [1 ..., q], q is the total number of sample;

Step 4.4: with ω _f(l) the sample set D that extracts from primary data sample collection D for probability _f, and by weak learning algorithm training, obtain weak learning machine h _f, f ∈ [1 ..., k];

ω _f(l) the condition of choosing is:

If satisfy this condition, ω _f(l) be its result of calculation; If do not satisfy this condition, ω _f(l)=0, wherein,

Be network safety situation value V _i+4Predicted value;

Step 4.5: calculate weak learning machine h _fTraining error ε _f

${\mathrm{\&epsiv;}}_f=\underset{l=1}{\overset{q}{\mathrm{\&Sigma;}}}{\mathrm{\&omega;}}_f\left(l\right)$

In formula:

ε _fBe training error, f ∈ [1 ..., k];

ω _f(l) for extracting probability.

Step 4.6: calculate weak learning machine h _fWeight α _f

${\mathrm{\&alpha;}}_f=\frac{1}{2}\ln \left[\frac{1-{\mathrm{\&epsiv;}}_f}{{\mathrm{\&epsiv;}}_f}\right]$

In formula:

α _fBe weak learning machine h _fWeight.

Step 4.7: the weight of upgrading training sample;

${\mathrm{\&omega;}}_{f+1}\left(l\right)=\frac{{\mathrm{\&omega;}}_f\left(l\right)e^{-{\mathrm{\&alpha;}}_f{V}_l{h}_f\left(x_l\right)}}{M_f},$

In formula:

ω _f+1(l) be the weight of the training sample after upgrading;

ω _f(l) be the weight of training sample;

h _f(x _l) be that weak learning machine is according to input variable x _lThe calculated value that obtains;

V _lIt is actual situation value;

M _fBe normalization coefficient, must guarantee

Step 4.8: when satisfying one of following two conditions, execution in step 4.9; Otherwise return to step 4.4;

Condition 1: integrated study Boosting algorithm reaches maximum iteration time k;

Condition 2: sample set D _fNo longer change;

Step 4.9: export strong learning machine H _j

$H_j=\mathrm{sign}\left[\underset{l=1}{\overset{k}{\mathrm{\&Sigma;}}}{\mathrm{\&alpha;}}_l{h}_l\left(x\right)\right]$

In formula:

H _jBe strong learning machine;

Sign is sign function;

α _lBe weak learning machine h _lWeight.

What pay special attention to is that the selected core vector regression CVR (Core Vector Regression) of integrated study Boosting algorithm completes the training to sample data in step 4.1.CVR utilizes the former n dimension of MEB Algorithm for Solving Euclidean space R ⁿMiddle target problem Φ, its process is as follows:

(1) utilize kernel function to complete from n dimension Euclidean space R ⁿTo the conversion in Hilbert space, i.e. the dual problem Φ ' of structure target problem Φ in the Hilbert space.

(2) the sample set S according to dual problem Φ ' sets initial MEB.

(3) carry out the MEB algorithm, until obtain the nucleon collection S of sample set S _e, be converted into the MEB problem with dual problem Φ ' this moment.If c, r are respectively center of gravity and the radius of ball, use one of B (c, r) expression heavily to be c, radius is the ball of r.Establish error threshold δ＞0, ball B (c, (1+ δ) r) is considered as (1+ δ) approximate ball of MEB (S) again.Nucleon collection S _cMay be defined as: if proper subclass S _cComprised sample point in all S with the MEB of the factor (1+ δ) expansion, that is:

B (c, R)=MEB (S wherein _c), proper subclass S _cThe nucleon collection that is called S.

(4) under the constraints of center, find the solution the MEB problem, namely complete finding the solution of target problem Φ.

Step 5: utilize strong learning machine H _jComplete the network safety situation value prediction of future time monitoring point, and set strong learning machine H _jLife cycle, if strong learning machine H _jReach its life cycle, repeating step 3;

Concrete implementation such as Fig. 5 of step 5 are specially:

1: set strong learning machine H _jLife cycle T _Live

2: check strong learning machine H _jLife cycle whether finish, if finished according to step 3 until generate the strong learning machine H of a new generation _j+1

Through after the training study of above-mentioned 5 steps, form the network safety situation value prediction model based on integrated study Boosting algorithm, thereby realize the situation value Accurate Prediction to the future time monitoring point.

The present invention compares traditional single learning machine method aspect prediction network safety situation value, precision of prediction is preferably arranged, and has improved the practicality of network safety situation prediction.

The above; only for the better embodiment of the present invention, but protection scope of the present invention is not limited to this, anyly is familiar with those skilled in the art in the technical scope that the present invention discloses; the variation that can expect easily or replacement are within all should being encompassed in protection scope of the present invention.Therefore, protection scope of the present invention should be as the criterion with the protection range of claim.

Claims (5)

1. network security situation prediction method is characterized in that said method comprising the steps of:

Step 1: use grey clustering analysis method to analyze every kind of network security threats x ₁, x ₂..., x _nThe extent of injury, and then construct the network safety situation index system T of stratification; Described step 1 comprises the following steps:

Step 1.1: the white function matrix of structure global index;

Step 1.2: determine the grey cluster coefficient according to white function;

Step 1.3: calculate every kind of network security threats x ₁, x ₂..., x _nThe grey cluster coefficient, and determine its grey cluster ownership;

Step 1.4: the grey cluster result is configured to hierarchical network security postures index system T;

Step 1.5: determine the index t in index system T ₁, t ₂... t _nFinal weights omega with respect to the network safety situation value;

Step 2: with the historical intrusion detection result of the Network Security Device order according to time supervision point i, be input to successively in the network safety situation index system T of stratification, obtain the network safety situation value V of each time supervision point i _iDescribed step 2 comprises the following steps:

Step 2.1: the Network Security Device intrusion detection of adding up each time supervision point i is r as a result _i

Step 2.2: with r _iDo multiplication with the weight matrix ω of network safety situation index system T, obtain the network safety situation value V of time supervision point i _i

Step 3: use the sliding window method with network safety situation value V _iBe configured to time series S, and time series S is configured to the readable training sample set S of integrated study Boosting algorithm _Train

Step 4: utilize integrated study Boosting algorithm to training sample set S _TrainCarry out the iteration training, obtain weak learning machine sequences h, recycling obtains strong learning machine H to the method for weak learning machine sequences h weighted sum _jDescribed step 4 comprises the following steps:

Step 4.1: set integrated study Boosting algorithm maximum iteration time k, and set the weak learning algorithm that integrated study Boosting algorithm calls;

Step 4.2: standardization training sample set S _Train

Step 4.3: the primary data sample collection D that sets integrated study Boosting algorithm;

Step 4.4: with ω _f(l) be probability sample drawn collection D from primary data sample collection D _f, and by weak learning algorithm training, obtain weak learning machine h _fWherein, ω _f(l) for extracting probability;

Step 4.5: calculate weak learning machine h _fTraining error ε _f

Step 4.6: calculate weak learning machine h _fWeight α _f

Step 4.7: the weight of upgrading training sample;

Step 4.8: when satisfying one of following two conditions, execution in step 4.9; Otherwise return to step 4.4;

Condition 1: integrated study Boosting algorithm reaches maximum iteration time k;

Condition 2: sample set D _fNo longer change;

Step 4.9: export strong learning machine H _j

Step 5: utilize strong learning machine H _jComplete the network safety situation value prediction of future time monitoring point, and set strong learning machine H _jLife cycle, if strong learning machine H _jReach its life cycle, return to step 3.

2. a kind of network security situation prediction method according to claim 1, is characterized in that in described step 4.1, weak learning algorithm is core vector regression CVR.

3. a kind of network security situation prediction method according to claim 1, is characterized in that training error ε in described step 4.5 _fComputing formula be:

${\mathrm{\&epsiv;}}_f=\underset{l=1}{\overset{q}{\mathrm{\&Sigma;}}}{\mathrm{\&omega;}}_f\left(l\right)$

In formula:

ε _fBe training error, f ∈ [1 ..., k];

ω _f(l) for extracting probability.

4. a kind of network security situation prediction method according to claim 1, is characterized in that weight α in described step 4.6 _fComputing formula be:

${\mathrm{\&alpha;}}_f=\frac{1}{2}\ln \left[\frac{1-{\mathrm{\&epsiv;}}_f}{{\mathrm{\&epsiv;}}_f}\right]$

In formula:

α _fBe weak learning machine h _fWeight.

5. a kind of network security situation prediction method according to claim 1, is characterized in that strong learning machine H in described step 4.9 _jComputing formula be:

$H_j=\mathrm{sign}\left[\underset{l=1}{\overset{k}{\mathrm{\&Sigma;}}}{\mathrm{\&alpha;}}_1{h}_1\left(x\right)\right]$

In formula:

H _jBe strong learning machine;

Sigh is sign function;

α _lBe weak learning machine h _lWeight.

Images