CN102694800A

CN102694800A - Gaussian process regression method for predicting network security situation

Info

Publication number: CN102694800A
Application number: CN2012101574447A
Authority: CN
Inventors: 李元诚; 王宇飞
Original assignee: North China Electric Power University
Current assignee: North China Electric Power University
Priority date: 2012-05-18
Filing date: 2012-05-18
Publication date: 2012-09-26

Abstract

The invention discloses a Gaussian process regression method for network security situation prediction in the technical field of network information security. The present invention uses the AHP to construct a hierarchical network security situation evaluation index system, uses this system to analyze the degree of harm of various network security threats to the network security situation, and then calculates the network security situation value of each time monitoring point and constructs a time sequence, construct it into a training sample set, use Gaussian process regression to iteratively train the training sample set to obtain a prediction model that meets the error requirements, and use particle swarm optimization algorithm to dynamically search for the optimal training parameters of Gaussian process regression during the training process to reduce the prediction Finally, the prediction model is used to complete the prediction of the network security situation value of the monitoring point in the future. The beneficial effects of the invention are: in reducing network security situation prediction errors, it has better adaptability and lower prediction errors.

Description

Gaussian Process Regression Method for Network Security Situation Prediction

技术领域 technical field

本发明属于网络信息安全技术领域，尤其涉及网络安全态势预测的高斯过程回归方法。The invention belongs to the technical field of network information security, in particular to a Gaussian process regression method for network security situation prediction.

背景技术 Background technique

Internet的普及和技术革新深刻改变了人类的生活，也带来了严重的网络安全问题。当前各种网络安全问题层出不穷，各种网络攻击逐渐展示出分布化、规模化、复杂化、间接化等发展趋势发展，而当前的网络安全设备还没有相对完善的安全告警机制，因而对于未来网络安全走势的精确告警有着十分重要的理论意义和现实意义。目前主流方式是通过对目标网络未来时间节点的网络安全态势值进行预测，以实现网络安全预警。网络安全态势值的预测手段主要是利用人工智能算法将目标问题抽象为回归问题，通过构造回归模型求解未来时间节点的网络安全态势值，该过程主要包括三个部分，分别是构造网络安全态势评价指标体系、计算网络安全态势值、建立网络安全态势预测模型。The popularity of the Internet and technological innovation have profoundly changed human life, but also brought serious network security problems. At present, various network security problems emerge in endlessly, and various network attacks gradually show development trends such as distribution, scale, complexity, and indirection. However, the current network security equipment does not have a relatively complete security alarm mechanism. Precise warning of security trends has very important theoretical and practical significance. At present, the mainstream method is to realize network security early warning by predicting the network security situation value of the target network in the future time node. The prediction method of network security situation value mainly uses artificial intelligence algorithm to abstract the target problem into a regression problem, and solves the network security situation value of future time nodes by constructing a regression model. This process mainly includes three parts, which are constructing network security situation evaluation Index system, calculation of network security situation value, establishment of network security situation prediction model.

构造网络安全态势评价指标体系需要计算各种网络攻击对于网络安全态势值的影响因子，即权重。评价指标体系的构造方法将直接决定网络安全态势值是否能准确的反映当前网络的实际态势。Constructing the network security situation evaluation index system needs to calculate the influence factors of various network attacks on the network security situation value, that is, the weight. The construction method of the evaluation index system will directly determine whether the network security situation value can accurately reflect the actual situation of the current network.

网络安全态势值的计算需要将某时间节点各种网络攻击发生的次数乘以各种网络攻击的权重，再求和，从而得到该时间节点的网络安全态势值。The calculation of the network security situation value needs to multiply the number of various network attacks at a certain time node by the weight of various network attacks, and then sum them up to obtain the network security situation value at this time node.

当前网络安全态势值的预测方法主要基于人工神经网络、支持向量机、贝叶斯网络等方法，但实际应用发现这些普遍存在预测误差大的问题。The current network security situation prediction methods are mainly based on methods such as artificial neural networks, support vector machines, and Bayesian networks.

发明内容 Contents of the invention

本发明针对上述缺陷公开了网络安全态势预测的高斯过程回归方法。本发明引入层次分析法（Analytic Hierarchy Process，AHP），从而得到了能准确反映当前网络安全状况的评价指标体系，本发明采用高斯过程回归算法完成网络安全态势值的预测，有效改善了预测精度。The invention discloses a Gaussian process regression method for network security situation prediction aiming at the above defects. The present invention introduces the Analytic Hierarchy Process (AHP), thereby obtaining an evaluation index system that can accurately reflect the current network security situation. The present invention uses the Gaussian process regression algorithm to complete the prediction of the network security situation value, which effectively improves the prediction accuracy.

网络安全态势预测的高斯过程回归方包括以下步骤：The Gaussian process regression method of network security situation prediction includes the following steps:

1）使用层次分析法构造层次化的网络安全态势评价指标体系T，计算得出网络安全态势评价指标体系T的总排序权重矩阵ω；1) Use the AHP to construct a hierarchical network security situation evaluation index system T, and calculate the total ranking weight matrix ω of the network security situation evaluation index system T;

2）将网络安全设备的历史入侵检测结果按照时间先后顺序，依次输入到网络安全态势评价指标体系T中，得到第1时刻的网络安全态势值V₁至第m时刻的网络安全态势值V_m；2) Input the historical intrusion detection results of network security equipment into the network security situation evaluation index system T in sequence according to the time sequence, and obtain the network security situation value V ₁ at the first moment to the network security situation value V _m at the m moment ;

3）使用滑动窗口方法将V₁~V_m构造成时间序列S，s＝{V₁…V_m}；3) Use the sliding window method to construct V ₁ ~V _m into a time series S, s={V ₁ ...V _m };

然后将时间序列S按照固定比例随机划分，得出高斯过程回归方法中可读的训练样本集S_train和测试样本集S_test；保证训练样本集S_train和测试样本集S_test满足高斯过程回归方法所要求的数据格式；Then the time series S is randomly divided according to a fixed ratio to obtain the readable training sample set S _train and test sample set S _test in the Gaussian process regression method; ensure that the training sample set S _train and test sample set S _test meet the Gaussian process regression method the required data format;

4）利用高斯过程回归方法对训练样本集S_train进行迭代训练，得到临时预测模型h，再利用粒子群算法对临时预测模型h进行误差修正以得到满足误差期望的预测模型H；4) Use the Gaussian process regression method to iteratively train the training sample set S _train to obtain a temporary prediction model h, and then use the particle swarm optimization algorithm to correct the error of the temporary prediction model h to obtain a prediction model H that meets the error expectation;

5）利用预测模型H完成未来时刻的网络安全态势值预测。5) Use the prediction model H to complete the prediction of the network security situation value in the future.

所述网络安全态势评价指标体系T的结构如下：网络安全态势评价指标体系T分为三层，上层为目标层，其内容为网络安全态势值；中层为准则层，其内容为强危害程度、中危害程度和弱危害程度，强危害程度、中危害程度和弱危害程度是按照网络安全威胁的危害程度划分的；下层为指标层，其内容为第1种网络安全威胁x₁至第n种网络安全威胁x_n。The structure of the network security situation evaluation index system T is as follows: the network security situation evaluation index system T is divided into three layers, the upper layer is the target layer, and its content is the network security situation value; Medium and weak hazards, strong hazards, medium hazards, and weak hazards are divided according to the hazards of network security threats; the lower layer is the index layer, and its content is the first type of network security threat x ₁ to the nth type Cyber security threats x _n .

所述总排序权重矩阵ω的计算过程如下：首先，对第1种网络安全威胁x₁至第n种网络安全威胁x_n的权重赋值，然后，根据层次分析法，分别推算第i中网络安全威胁x_i对于强危害程度、中危害程度和弱危害程度的影响系数，i取1至n；再分别计算强危害程度、中危害程度和弱危害程度对于网络安全态势值的最终影响系数，最后得出网络安全态势评价指标体系T的总排序权重矩阵ω。The calculation process of the total sorting weight matrix ω is as follows: first, assign the weights of the first type of network security threat x ₁ to the nth type of network security threat x _n , and then, according to the analytic hierarchy process, respectively calculate the i-th network security The influence coefficient of threat x _i on strong, medium and weak hazards, i ranges from 1 to n; then calculate the final influence coefficients of strong hazards, medium hazards and weak hazards on the network security situation value, and finally The total ranking weight matrix ω of the network security situation evaluation index system T is obtained.

所述步骤2）包括以下步骤：Said step 2) includes the following steps:

21）统计第j时刻的网络安全设备入侵检测结果r_j，j取1至m；r_j为1×n矩阵，其中，

至分别指：在第j时刻，第1种网络安全威胁x₁至第n种网络安全威胁x_n发生的次数；21) Count the intrusion detection results r _j of network security equipment at the jth moment, j ranges from 1 to m; r _j is a 1×n matrix, in,

to Respectively: at the moment j, the number of occurrences of the first type of network security threat x ₁ to the nth type of network security threat x _n ;

22）将r_j与网络安全态势评价指标体系T的总排序权重矩阵ω做乘法，从而得到第j时刻的网络安全态势值V_j。22) Multiply r _j with the total ranking weight matrix ω of the network security situation evaluation index system T to obtain the network security situation value V _j at the jth moment.

所述固定比例为3∶2。The fixed ratio is 3:2.

所述步骤4）具体包括以下步骤:The step 4) specifically includes the following steps:

41）在粒子群算法中，设定以下参数：最大迭代次数为100，种群规模为10、初始惯性权重ω₁=0.8，终止惯性权重ω_T=0.1，第1学习因子和第2学习因子均为2，粒子速度区间为[0，0.5]；41) In the particle swarm optimization algorithm, set the following parameters: the maximum number of iterations is 100, the population size is 10, the initial inertia weight ω ₁ =0.8, the termination inertia weight ω _T =0.1, the first learning factor and the second learning factor are both is 2, and the particle velocity interval is [0, 0.5];

42）设定高斯过程回归方法的核函数类型；42) Set the kernel function type of the Gaussian process regression method;

43）归一化训练样本集S_train和测试样本集S_test；43) Normalize the training sample set S _train and the test sample set S _test ;

44）粒子群算法将初始训练参数传递给高斯过程回归方法，高斯过程回归方法通过对训练样本集S_train的训练得到临时预测模型h；初始训练参数是指粒子群算法初始生成的随机训练参数；44) The particle swarm optimization algorithm passes the initial training parameters to the Gaussian process regression method, and the Gaussian process regression method obtains the temporary prediction model h through training the training sample set S _train ; the initial training parameters refer to the random training parameters initially generated by the particle swarm algorithm;

45）通过测试样本集S_test计算临时预测模型h的训练误差ε；45) Calculate the training error ε of the temporary prediction model h through the test sample set S _test ;

46）临时预测模型h的训练误差ε若满足预先设定的期望值θ，则为最终预测模型H，否则高斯过程回归方法根据粒子群算法迭代生成的新训练参数，通过对训练样本集S_train的训练，从而更新了临时预测模型h；46) If the training error ε of the temporary prediction model h meets the preset expectation value θ, it is the final prediction model H. Otherwise, the Gaussian process regression method generates new training parameters iteratively according to the particle swarm optimization algorithm, through the training sample set S _train Training, thus updating the temporary prediction model h;

47）当满足下列两个条件之一时，则执行步骤48），否则，返回执行步骤45）；第一个条件为：高斯过程回归方法的迭代次数达到最大迭代次数100；第二个条件为：临时预测模型h满足预先设定的期望值；47) When one of the following two conditions is met, execute step 48); otherwise, return to step 45); the first condition is: the number of iterations of the Gaussian process regression method reaches the maximum iteration number of 100; the second condition is: The temporary prediction model h meets the preset expectation;

48）输出最终预测模型H。48) Output the final prediction model H.

所述预先设定的期望值θ为85%。The preset expected value θ is 85%.

所述高斯过程回归方法根据粒子群算法迭代生成的新训练参数中，粒子群算法进行迭代的过程如下：Among the new training parameters generated by the Gaussian process regression method iteratively according to the particle swarm algorithm, the iterative process of the particle swarm algorithm is as follows:

粒子群算法（PSO）首先进行初始化，随机构造由10个粒子组成的初始种群，并给初始种群中第b个粒子赋以初始位置

及初始速度b取1至10；并计算初始种群中每个粒子的适应度函数F(b)，若初始种群所有粒子的适应度函数F(b)的最小值min(F(b))≤θ，则取min(F(b))对应的粒子作为待求问题的最优解，否则按以下三个公式更新粒子速度和位置，即进行种群迭代；Particle swarm optimization (PSO) first initializes, randomly constructs an initial population consisting of 10 particles, and assigns an initial position to the bth particle in the initial population

and initial velocity b ranges from 1 to 10; and calculate the fitness function F(b) of each particle in the initial population, if the minimum value min(F(b)) of the fitness function F(b) of all particles in the initial population min(F(b))≤θ, then Take the particle corresponding to min(F(b)) as the optimal solution to the problem to be found, otherwise update the particle velocity and position according to the following three formulas, that is, perform population iteration;

${V V}_{b b}^{k k + + 11} = = {ω ω}_{b b} {V V}_{b b}^{k k} + + {C C}_{11} \cdot \cdot {r r}_{11} \cdot \cdot (({p p}_{best the best} - - {X x}_{b b}^{k k})) + + {C C}_{22} \cdot \cdot {r r}_{22} \cdot \cdot (({g g}_{best the best} - - {X x}_{b b}^{k k}))$

${X x}_{b b}^{k k + + 11} = = {X x}_{b b}^{k k} + + {V V}_{b b}^{k k + + 11}$

${ω ω}_{b b} = = {ω ω}_{11} - - \frac{{ω ω}_{11} - - {ω ω}_{b b - - 11}}{k k}$

其中；P_best指所有粒子经过的个体最优位置；g_bestb指种群经过的最优位置；k为迭代次数，r₁和r₂为[0,1]之间的随机数；C₁和C₂分别为第1学习因子和第2学习因子；

和

分别指：迭代次数为k-1次和k次时第b个粒子的位置；和

分别指：迭代次数为k-1次和k次时第b个粒子的速度；ω₀和ω₁为初始惯性权重，ω₂至ω_b为第2惯性权重值第b惯性权重；ω₀=ω₁=0.8。Among them; P _best refers to the individual optimal position that all particles pass through; g _bestb refers to the optimal position passed by the population; k is the number of iterations, r ₁ and r ₂ are random numbers between [0,1]; C ₁ and C ₂ are respectively the first learning factor and the second learning factor;

and

Respectively: the position of the bth particle when the number of iterations is k-1 and k times; and

Respectively: the velocity of the b-th particle when the number of iterations is k-1 and k times; ω ₀ and ω ₁ are the initial inertia weights, ω ₂ to ω _b are the second inertia weight value and the b-th inertia weight; ω ₀ = ω ₁ =0.8.

本发明的有益效果为：采用本发明对网络安全态势进行预测，不但克服了原有态势预测技术的缺陷，而且提高了预测的准确率。The beneficial effects of the present invention are: adopting the present invention to predict the network security situation not only overcomes the defects of the original situation prediction technology, but also improves the prediction accuracy.

附图说明 Description of drawings

图1为网络安全态势预测方法流程图；Fig. 1 is a flow chart of network security situation prediction method;

图2为基于层次分析法的网络安全态势评价指标体系生成过程流程图；Figure 2 is a flow chart of the generation process of the network security situation evaluation index system based on the analytic hierarchy process;

图3为滑动窗口方法示意图；Fig. 3 is a schematic diagram of the sliding window method;

图4为高斯过程回归算法训练流程图；Fig. 4 is the training flowchart of Gaussian process regression algorithm;

具体实施方式 Detailed ways

下面结合附图，对优选实施例作详细说明。应该强调的是，下述说明仅仅是示例性的，而不是为了限制本发明的范围及其应用。The preferred embodiments will be described in detail below in conjunction with the accompanying drawings. It should be emphasized that the following description is only exemplary and not intended to limit the scope of the invention and its application.

建立网络安全态势评价指标体系和计算态势值是网络安全态势预测的前提。为此，本发明引入基于层次分析法对原始各种网络安全威胁进行分析，进而得到层次化评价指标体系；得到层次化评价指标体系后，可以计算网络安全态势值，并将离散时间序列根据滑动窗口方法构造成训练样本集和测试样本集；将训练样本集输入到高斯过程回归算法中，由高斯过程回归算法对训练样本集训练以得到临时预测模型，再利用测试样本集对临时预测模型进行误差检测，以得到满足误差要求的最终预测模型；最后利用最终预测模型完成网络安全态势值的预测。这样从局部到整体，使高斯过程回归算法能适用更一般的网络安全态势预测问题。The establishment of network security situation evaluation index system and the calculation of situation value are the premise of network security situation prediction. For this reason, the present invention introduces analysis based on AHP to analyze various original network security threats, and then obtains a hierarchical evaluation index system; The window method is constructed into a training sample set and a test sample set; the training sample set is input into the Gaussian process regression algorithm, and the training sample set is trained by the Gaussian process regression algorithm to obtain a temporary forecast model, and then the test sample set is used to test the temporary forecast model. Error detection to obtain the final prediction model that meets the error requirements; finally, the final prediction model is used to complete the prediction of network security situation value. In this way, from the local to the whole, the Gaussian process regression algorithm can be applied to more general network security situation prediction problems.

如图1所示是本发明提供的一种基于高斯过程回归的网络安全态势预测方法流程图。As shown in FIG. 1 , it is a flowchart of a network security situation prediction method based on Gaussian process regression provided by the present invention.

网络安全态势预测的高斯过程回归方法包括以下步骤：The Gaussian process regression method for network security situation prediction includes the following steps:

1）使用层次分析法构造层次化的网络安全态势评价指标体系T，计算得出网络安全态势评价指标体系T的总排序权重矩阵ω；以分析第1种网络安全威胁x₁至第n种网络安全威胁x_n对于网络安全态势的危害程度；n是网络安全威胁种类之和；1) Use the AHP to construct a hierarchical network security situation evaluation index system T, and calculate the total ranking weight matrix ω of the network security situation evaluation index system T; to analyze the first type of network security threat x ₁ to the nth type of network Security threat x _n is the degree of harm to the network security situation; n is the sum of network security threat types;

AHP（层次分析法）是把难以量化的定性问题通过严格数学运算进行量化，把原本定量与定性相混杂的复杂决策问题综合为统一整体，再做综合分析评价。AHP求解过程如下：先将待决策问题按目标层，准则层直至具体方案的顺序分解为不同层次，并建立递阶层次结构和两两判断矩阵；然后求解判断矩阵的特征向量，从而得到每层的各元素相对上一层元素的优先权重；最后用加权求和的方法递阶归并各方案对目标层的最终权重，最终权重值最大者即为最优方案。AHP求解过程可概括为“分解->判断->综合”。AHP适用于具有分层结构且难于定量描述的评价及决策问题。AHP (Analytic Hierarchy Process) is to quantify qualitative problems that are difficult to quantify through strict mathematical operations, and integrate complex decision-making problems that were originally mixed with quantitative and qualitative into a unified whole, and then perform comprehensive analysis and evaluation. The AHP solution process is as follows: Firstly, the problem to be decided is decomposed into different levels according to the order of the target level, the criterion level and the specific plan, and the hierarchical structure and pairwise judgment matrix are established; then the eigenvector of the judgment matrix is solved to obtain the The priority weight of each element of each element relative to the elements of the previous layer; finally, the final weight of each plan to the target layer is merged step by step using the method of weighted summation, and the one with the largest final weight value is the optimal plan. The AHP solution process can be summarized as "decomposition->judgment->synthesis". AHP is suitable for evaluation and decision-making problems that have a hierarchical structure and are difficult to describe quantitatively.

如图2所示，所述网络安全态势评价指标体系T的结构如下：网络安全态势评价指标体系T分为三层，上层为目标层，其内容为网络安全态势值；中层为准则层，其内容为强危害程度、中危害程度和弱危害程度，强危害程度、中危害程度和弱危害程度是按照网络安全威胁的危害程度划分的；下层为指标层，其内容为第1种网络安全威胁x₁至第n种网络安全威胁x_n。As shown in Figure 2, the structure of the network security situation evaluation index system T is as follows: the network security situation evaluation index system T is divided into three layers, the upper layer is the target layer, and its content is the network security situation value; the middle layer is the criterion layer, and its The contents are strong harm degree, medium harm degree and weak harm degree, and the strong harm degree, medium harm degree and weak harm degree are divided according to the harm degree of network security threats; the lower layer is the index layer, and its content is the first type of network security threat x ₁ to the nth network security threat x _n .

对步骤1）具体说明如下：The specific instructions for step 1) are as follows:

首先给网络攻击权重赋值First assign the network attack weight

由相关领域专家按照各种网络攻击的危害程度，给出1-5的度量，即给网络攻击赋予权重，度量5的危害程度最高，度量1的危害程度最低，最后结合Delphi方法求出各种网络威胁的平均权重。Experts in related fields give a scale of 1-5 according to the degree of harm of various network attacks, that is, assign weights to network attacks. The degree of harm of measure 5 is the highest, and the degree of harm of measure 1 is the lowest. Finally, the Delphi method is used to obtain various Average weight of cyber threats.

第二步：利用AHP确定评估体系最终权重分配，详细过程如下：Step 2: Use AHP to determine the final weight distribution of the evaluation system. The detailed process is as follows:

（1）计算两两比较矩阵A，对于同一准则下的元素i和元素j，计算哪个相对于该准则更为重要，需要对两个元素进行量化，采用下表1-5的标度，(1) Calculate pairwise comparison matrix A. For element i and element j under the same criterion, calculate which one is more important to the criterion. The two elements need to be quantified, and the scales in Table 1-5 below are used.

表1判断矩阵标度及其含义Table 1 Judgment matrix scale and its meaning

（2）计算某一准则下，各个元素的相对权重，通过AX=λ_maxX计算出矩阵A的特征向量X，λ_max指数值最大的特征值，并将ωX单位化以做为各个元素在该准则下的权重；(2) Calculate the relative weight of each element under a certain criterion, calculate the eigenvector X of matrix A through AX=λ _max X, and the eigenvalue with the largest λ _max index value, and unitize ωX as each element in weighting under the criterion;

（3）通过矩阵相乘得到计算指标体系总排序权重矩阵；(3) Obtain the total ranking weight matrix of the calculation index system through matrix multiplication;

（4）矩阵一致性检验。设矩阵的一致性指标为CI，CI=(λ_max-n)/(n-1),其中n是判断矩阵维数；RI为平均一致性指标，具体取值见表2；CR为判断矩阵的随机一致性比率，CR=CI/RI,当CR≤0.1时，矩阵满足一致性。(4) Matrix consistency check. Let the consistency index of the matrix be CI, CI=(λ _max -n)/(n-1), where n is the dimension of the judgment matrix; RI is the average consistency index, see Table 2 for specific values; CR is the judgment matrix The random consistency ratio of , CR=CI/RI, when CR≤0.1, the matrix meets the consistency.

表2平均一致性指标取值Table 2 Average Consistency Index Values

2）将网络安全设备的历史入侵检测结果按照时间先后顺序，依次输入到网络安全态势评价指标体系T中，得到第1时刻的网络安全态势值V₁至第m时刻的的网络安全态势值V_m；第1时刻至第m时刻是按时间先后顺序排列的；2) Input the historical intrusion detection results of network security equipment into the network security situation evaluation index system T in order of time, and obtain the network security situation value _V at the first moment to the network security situation value V at the m moment _m ; the 1st moment to the mth moment are arranged in chronological order;

所述步骤2）包括以下步骤：Said step 2) includes the following steps:

至

分别指：在第j时刻，第1种网络安全威胁x₁至第n种网络安全威胁x_n发生的次数；21) Count the intrusion detection results r _j of network security equipment at the jth moment, j ranges from 1 to m; r _j is a 1×n matrix, in,

to

Respectively: at the moment j, the number of occurrences of the first type of network security threat x ₁ to the nth type of network security threat x _n ;

22）将r_j与网络安全态势评价指标体系T的总排序权重矩阵ω做乘法，ω是n×1矩阵，从而得到第j时刻的网络安全态势值V_j。22) Multiply r _j with the total ranking weight matrix ω of the network security situation evaluation index system T, where ω is an n×1 matrix, so as to obtain the network security situation value V _j at the jth moment.

3）使用滑动窗口方法将V₁~V_m构造成时间序列S，s＝{V₁…V_m}；如设定滑动窗口大小为4，滑动步长为1，则S₁={V₁,V₂,V₃,V₄}；S₂={V₂,V₃,V₄,V₅}，S₃={V₃,V₄,V₅,V₆}，以此类推，如图3所示，如在S₁中，通过第1时刻的网络安全态势值V₁、第2时刻的网络安全态势值V₂、第3时刻的网络安全态势值V₃和第4时刻的网络安全态势值V₄来预测第5时刻的网络安全态势值V₅，然后，以此类推，得出时间序列S。3) Use the sliding window method to construct V ₁ ~V _m into a time series S, s={V ₁ ...V _m }; if the sliding window size is set to 4, and the sliding step is 1, then S ₁ ={V ₁ ,V ₂ ,V ₃ ,V ₄ }; S ₂ ={V ₂ ,V ₃ ,V ₄ ,V ₅ }, S ₃ ={V ₃ ,V ₄ ,V ₅ ,V ₆ }, and so on, such as As shown in Fig. 3, as in _S1 , through the network security situation value V ₁ at the first moment, the network security situation value V ₂ at the second moment, the network security situation value V ₃ at the third moment, and the network security situation value at the fourth moment The security situation value V ₄ is used to predict the network security situation value V ₅ at the fifth moment, and then, by analogy, the time series S is obtained.

然后将时间序列S按照固定比例随机划分，得出高斯过程回归（Gaussian Process Regression，GPR）方法中可读的训练样本集S_train和测试样本集S_test；保证训练样本集S_train和测试样本集S_test满足高斯过程回归方法所要求的数据格式；固定比例为3∶2。Then the time series S is randomly divided according to a fixed ratio to obtain the readable training sample set S _train and test sample set S _test in the Gaussian Process Regression (GPR) method; the training sample set S _train and the test sample set are guaranteed The S _test meets the data format required by the Gaussian process regression method; the fixed ratio is 3:2.

4）利用高斯过程回归方法对训练样本集S_train进行迭代训练，得到临时预测模型h，再利用粒子群算法（Particle SwarmOptimization，PSO）对临时预测模型h进行误差修正以得到满足误差期望的预测模型H；4) Use the Gaussian process regression method to iteratively train the training sample set S _train to obtain a temporary prediction model h, and then use Particle Swarm Optimization (PSO) to correct the error of the temporary prediction model h to obtain a prediction model that meets the error expectation H;

44）粒子群算法将初始训练参数传递给高斯过程回归方法，高斯过程回归方法通过对训练样本集S_train的训练得到临时预测模型h；初始训练参数是指粒子群算法初始生成的随机训练参数；当核函数为高斯核函数时，则初始训练参数为“核宽参数”和“惩罚因子”。44) The particle swarm optimization algorithm passes the initial training parameters to the Gaussian process regression method, and the Gaussian process regression method obtains the temporary prediction model h through training the training sample set S _train ; the initial training parameters refer to the random training parameters initially generated by the particle swarm algorithm; When the kernel function is a Gaussian kernel function, the initial training parameters are "kernel width parameter" and "penalty factor".

48）输出最终预测模型H。48) Output the final prediction model H.

高斯过程回归方法是工程技术问题中最常用的一种随机过程模型。在机器学习领域中，高斯过程回归方法是在高斯随机过程与贝叶斯学习理论基础上发展起来的一种机器学习方法，有着严格的统计学习理论基础，对处理高维数、小样本、非线性等复杂的问题，具有很好的适应性。在不牺牲性能的条件下，与人工神经网络相比,高斯过程具有容易实现的特点；具有灵活的非参数推断能力,即高斯过程的算法参数均可在模型构建过程中自适应地获得；同时高斯过程是一个具有概率意义的核学习机,可对预测输出做出概率解释,建模者能通过置信区间来对模型预测输出的不确定性进行评价。因此,高斯过程目前已成为机器学习领域的研究热点,并在许多领域都得到了成功的应用。图4为高斯过程回归方法的训练过程。The Gaussian process regression method is the most commonly used stochastic process model in engineering technology problems. In the field of machine learning, the Gaussian process regression method is a machine learning method developed on the basis of Gaussian random process and Bayesian learning theory. It has good adaptability to complex problems such as linearity. Under the condition of not sacrificing performance, compared with artificial neural network, Gaussian process has the characteristics of easy implementation; it has flexible non-parametric inference ability, that is, the algorithm parameters of Gaussian process can be adaptively obtained in the process of model construction; at the same time Gaussian process is a kernel learning machine with probabilistic significance, which can make probabilistic explanations for the predicted output, and the modeler can evaluate the uncertainty of the model predicted output through the confidence interval. Therefore, Gaussian process has become a research hotspot in the field of machine learning, and has been successfully applied in many fields. Figure 4 shows the training process of the Gaussian process regression method.

特别注意的是在步骤4中提及的利用粒子群算法搜索高斯过程回归的最优训练参数，从而降低高斯过程回归的训练误差，其过程如下：Pay special attention to the use of particle swarm optimization algorithm mentioned in step 4 to search for the optimal training parameters of Gaussian process regression, so as to reduce the training error of Gaussian process regression. The process is as follows:

粒子群算法(PSO)首先进行初始化，随机构造由10个粒子组成的初始种群，并给初始种群中第b个粒子赋以初始位置

及初始速度

b取1至10；并计算初始种群中每个粒子的适应度函数F(b)，若初始种群所有粒子的适应度函数F(b)的最小值min(F(b))≤θ，则取min(F(b))对应的粒子作为待求问题的最优解，否则按以下三个公式更新粒子速度和位置，即进行种群迭代；Particle Swarm Optimization (PSO) first initializes, randomly constructs an initial population consisting of 10 particles, and assigns an initial position to the bth particle in the initial population

and initial velocity

b ranges from 1 to 10; and calculate the fitness function F(b) of each particle in the initial population, if the minimum value of the fitness function F(b) of all particles in the initial population min(F(b))≤θ, then Take the particle corresponding to min(F(b)) as the optimal solution to the problem to be found, otherwise update the particle velocity and position according to the following three formulas, that is, perform population iteration;

${V V}_{b b}^{k k + + 11} = = {ω ω}_{b b} {V V}_{b b}^{k k} + + {C C}_{11} \cdot \cdot {r r}_{11} \cdot \cdot (({p p}_{best the best} - - {X x}_{b b}^{k k})) + + {C C}_{22} \cdot \cdot {r r}_{22} \cdot &Center Dot; (({g g}_{best the best} - - {X x}_{b b}^{k k}))$

${X x}_{b b}^{k k + + 11} = = {X x}_{b b}^{k k} + + {V V}_{b b}^{k k + + 11}$

其中；P_best指所有粒子经过的个体最优位置；g_bestb指种群经过的最优位置；k为迭代次数，r₁和r₂为[0，1]之间的随机数；C₁和C₂分别为第1学习因子和第2学习因子；

和

分别指：迭代次数为k-1次和k次时第b个粒子的位置；

和

分别指：迭代次数为k-1次和k次时第b个粒子的速度；ω₀和ω₁为初始惯性权重，ω₂至ω_b为第2惯性权重值第b惯性权重；ω₀＝ω₁＝0.8。Among them; P _best refers to the individual optimal position that all particles pass through; g _bestb refers to the optimal position passed by the population; k is the number of iterations, r ₁ and r ₂ are random numbers between [0, 1]; C ₁ and C ₂ are respectively the first learning factor and the second learning factor;

and

Respectively: the position of the bth particle when the number of iterations is k-1 and k times;

and

Respectively: the velocity of the bth particle when the number of iterations is k-1 and k times; ω ₀ and ω ₁ are the initial inertia weights, ω ₂ to ω _b are the second inertia weight value and the b-th inertia weight; ω ₀ = ω ₁ =0.8.

ω_b决定了粒子群算法的寻优收敛能力，当ω_b较大时全局收敛能力较强，当ω_b较小时局部收敛能力较强，所以ω_b的更新公式可以保证粒子群算法在前期全局收敛能力强，后期局部收敛能力强。当在某次迭代中出现min(F(i))≤θ或者迭代次数达到T，则算法终止。ω _b determines the optimal convergence ability of the particle swarm optimization algorithm. When ω _b is large, the global convergence ability is strong, and when ω _b is small, the local convergence ability is strong. Therefore, the update formula of ω _b can ensure that the particle swarm optimization algorithm has a global Strong convergence ability, strong local convergence ability in the later stage. When min(F(i))≤θ appears in a certain iteration or the number of iterations reaches T, the algorithm terminates.

经过上述5个步骤的训练学习之后，形成基于高斯过程回归的网络安全态势值预测模型，从而实现对未来时间监测点的态势值准确预测。After the training and learning of the above five steps, a network security situation value prediction model based on Gaussian process regression is formed, so as to realize accurate prediction of the situation value of future time monitoring points.

本发明在预测网络安全态势值方面，相比传统方法，有较好的预测精度，提高了网络安全态势预测的实用性。Compared with traditional methods, the present invention has better prediction accuracy in predicting network security situation value, and improves the practicability of network security situation prediction.

以上所述，仅为本发明较佳的具体实施方式，但本发明的保护范围并不局限于此，任何熟悉本技术领域的技术人员在本发明揭露的技术范围内，可轻易想到的变化或替换，都应涵盖在本发明的保护范围之内。因此，本发明的保护范围应该以权利要求的保护范围为准。The above is only a preferred embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any person skilled in the art within the technical scope disclosed in the present invention can easily think of changes or Replacement should be covered within the protection scope of the present invention. Therefore, the protection scope of the present invention should be determined by the protection scope of the claims.

Claims

1. The Gaussian process regression method for predicting the network security situation is characterized by comprising the following steps of:

1) constructing a hierarchical network security situation evaluation index system T by using an analytic hierarchy process, and calculating to obtain a total sequencing weight matrix omega of the network security situation evaluation index system T;

2) sequentially inputting historical intrusion detection results of the network security equipment into a network security situation evaluation index system T according to the time sequence to obtain a network security situation value V at the 1 st moment₁Network security state by mth momentPotential value V_m；

3) Using sliding window method to convert V₁~V_mIs configured to time-series S, S ═ V₁…V_m}; then, the time sequence S is randomly divided according to a fixed proportion to obtain a readable training sample set S in a Gaussian process regression method_trainAnd a test sample set S_test(ii) a Guarantee training sample set S_trainAnd a test sample set S_testThe data format required by the Gaussian process regression method is met;

4) training sample set S by using Gaussian process regression method_trainPerforming iterative training to obtain a temporary prediction model H, and performing error correction on the temporary prediction model H by using a particle swarm algorithm to obtain a prediction model H meeting error expectation;

5) and (4) completing the prediction of the network security situation value at the future moment by using the prediction model H.

2. The Gaussian process regression method for network security situation prediction according to claim 1, wherein the structure of the network security situation evaluation index system T is as follows: the network security situation evaluation index system T is divided into three layers, wherein the upper layer is a target layer, and the content of the target layer is a network security situation value; the middle layer is a criterion layer, the contents of which are strong hazard degree, medium hazard degree and weak hazard degree, and the strong hazard degree, the medium hazard degree and the weak hazard degree are divided according to the hazard degree of the network security threat; the lower layer is an index layer with the content of the 1 st network security threat x₁To nth network security threat x_n。

3. The method of claim 1, wherein the total ranking weight matrix ω is calculated as follows: first, threat x to type 1 network security₁To nth network security threat x_nThen, according to the analytic hierarchy process, respectively calculating the network security threat x in the ith_iFor the influence coefficients of strong hazard degree, medium hazard degree and weak hazard degree, i is 1 ton; and calculating final influence coefficients of the strong hazard degree, the medium hazard degree and the weak hazard degree on the network security situation value respectively, and finally obtaining a total sequencing weight matrix omega of the network security situation evaluation index system T.

4. The Gaussian process regression method for network security situation prediction according to claim 1, wherein the step 2) comprises the following steps:

21) counting the intrusion detection result r of the network security equipment at the j moment_jJ is 1 to m; r is_jIs a matrix of 1 x n, and the matrix is,

wherein,

to

Respectively indicate that: at time j, 1 st cyber-security threat x₁To nth network security threat x_nThe number of occurrences;

22) will r is_jMultiplying the total sorting weight matrix omega of the network security situation evaluation index system T to obtain the network security situation value V at the j moment_j。

5. The method of Gaussian process regression for network security situation prediction according to claim 1, wherein the fixed ratio is 3: 2.

6. The method for gaussian process regression for network security situation prediction according to claim 1, wherein the step 4) specifically comprises the following steps:

41) in the particle swarm algorithm, the following parameters are set: maximum iteration number of 100, population size of 10, initial inertial weight omega₁=0.8, terminating the inertial weight ω_T=0.1, 1 st learning factorAnd 2 nd learning factor are both 2, the particle velocity interval is [0, 0.5 ]]；

42) Setting a kernel function type of a Gaussian process regression method;

43) normalized training sample set S_trainAnd a test sample set S_test；

44) The particle swarm algorithm transfers the initial training parameters to a Gaussian process regression method which is implemented by carrying out regression on a training sample set S_trainObtaining a temporary prediction model h by training; the initial training parameters refer to random training parameters initially generated by a particle swarm algorithm;

45) by testing the sample set S_testCalculating a training error epsilon of the temporary prediction model h;

46) if the training error epsilon of the temporary prediction model H meets the preset expected value theta, the temporary prediction model H is the final prediction model H, otherwise, the Gaussian process regression method iteratively generates new training parameters according to the particle swarm algorithm by aiming at the training sample set S_trainThereby updating the temporary prediction model h;

47) when one of the following two conditions is satisfied, executing step 48), otherwise, returning to execute step 45); the first condition is: the iteration times of the Gaussian process regression method reach the maximum iteration times of 100; the second condition is: the temporary prediction model h meets a preset expected value;

48) and outputting the final prediction model H.

7. The method of claim 6, wherein the predetermined expected value θ is 85%.

8. The Gaussian process regression method for network security situation prediction according to claim 6, wherein in the new training parameters iteratively generated by the Gaussian process regression method according to the particle swarm optimization, the process of iteration performed by the particle swarm optimization is as follows:

the Particle Swarm Optimization (PSO) is initialized first, and an initial population consisting of 1O particles is randomly constructedAnd assigning an initial position to the b-th particle in the initial populationAnd initial velocity

b, taking 1 to 10; calculating a fitness function F (b) of each particle in the initial population, if the minimum value min (F (b)) of the fitness functions F (b) of all the particles in the initial population is less than or equal to theta, taking the particle corresponding to min (F (b)) as the optimal solution of the problem to be solved, otherwise, updating the speed and the position of the particle according to the following three formulas, namely performing population iteration;

X_{b}^{k + 1} = X_{b}^{k} + V_{b}^{k + 1}

wherein; p_bestRefers to the individual optimal positions through which all particles pass; g_bestbThe optimal position through which the population passes; k is the number of iterations, r₁And r₂Is [ O, 1 ]]A random number in between; c₁And C₂1 st learning factor and 2 nd learning factor respectively;

and

respectively indicate that: the iteration times are k-1 times and the position of the b-th particle when k times;and

respectively indicate that: the speed of the b-th particle when the iteration times are k-1 times and k times; omega₀And ω₁Is the initial inertial weight, ω₂To omega_bThe (b) th inertia weight is the 2 nd inertia weight value; omega₀＝ω₁＝0.8。