CN109547431A - A kind of network security situation evaluating method based on CS and improved BP - Google Patents
- Publication number
- CN109547431A (CN201811376507.1A)
- Authority
- CN
- China
- Prior art keywords
- network
- neural network
- output
- cuckoo
- weight
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/004—Artificial life, i.e. computing arrangements simulating life
- G06N3/006—Artificial life, i.e. computing arrangements simulating life based on simulated virtual individual or collective life forms, e.g. social simulations or particle swarm optimisation [PSO]
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/044—Recurrent networks, e.g. Hopfield networks
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/045—Combinations of networks
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/08—Learning methods
- G06N3/084—Backpropagation, e.g. using gradient descent
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/14—Network analysis or design
- H04L41/142—Network analysis or design using statistical or mathematical methods
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/14—Network analysis or design
- H04L41/145—Network analysis or design involving simulating, designing, planning or modelling of a network
Abstract
The invention provides a network security situation assessment method based on cuckoo search (CS) and an improved BP neural network, comprising four steps: S1, acquire network security situation elements, form a training sample set and a test sample set, and determine the BP neural network structure; S2, use the cuckoo search (CS) algorithm to find the optimal initial weights and thresholds; S3, introduce a momentum factor and a steepness factor to improve the BP neural network; S4, train the improved BP neural network, then use the trained network for network security situation assessment to obtain the final situation value and security level. The invention uses the improved BP neural network to achieve accurate quantitative assessment of the network security situation, reduces the subjective influence of expert opinion found in traditional assessment methods, and reflects the overall state of network security objectively and comprehensively. Combining the cuckoo search algorithm with the momentum factor and the steepness factor speeds up convergence, reduces time and space overhead, and improves the accuracy and practicality of network security situation assessment.
Description
Technical field
The invention relates to the technical field of network security, and in particular to a network security situation assessment method based on CS and an improved BP neural network.
Background
With the rapid development of Internet technology, networks have grown in scale and complexity, the attacks they suffer have diversified, security incidents have risen sharply, and security problems have become increasingly prominent and urgent. Network security situation assessment emerged against this background and has gradually become a research focus of next-generation network security technology. Network security situation assessment means fusing security-related element information and using an assessment algorithm to analyze comprehensively, and assess in real time, the global security situation of a network system. This helps administrators grasp the security status of the whole network, guides network security management command and decision-making, and keeps risk and loss to a minimum.
At present, network security situation assessment in China and abroad falls into three main categories: (1) methods based on mathematical models, represented by the analytic hierarchy process, the deviation method, fuzzy comprehensive evaluation and set pair analysis; (2) methods based on knowledge reasoning, represented by Bayesian algorithms, DS evidence theory, graph models and Markov models; (3) methods based on pattern recognition, represented by support vector machines, artificial neural networks, rough set theory and grey relational analysis.
The first two categories are the most widely applied, but they depend heavily on subjective judgment, make prior knowledge hard to obtain, and are poorly suited to dynamic, complex network environments. By comparison, assessment methods based on pattern recognition are more accurate and objective and adapt better to dynamic, uncertain network environments. The BP neural network is a multi-layer feedforward network that is widely used in situation assessment because of its strong self-learning ability, good generalization and fault tolerance. Judging by results in practice, however, the following shortcomings remain: (1) the assessment uses a single data source, so the results are one-sided and of low credibility; (2) the time and space overhead is large, real-time requirements are not met, and the assessment results are not precise enough; (3) the traditional BP neural network tends to fall into local minima, is prone to oscillation, and converges slowly.
Summary of the invention
In view of the above, and to overcome the defects of the prior art, the purpose of the invention is to provide a network security situation assessment method based on CS and an improved BP neural network. It combines a comprehensive set of network security situation factors, performs accurate situation assessment through self-learning and iterative updating, and runs quickly, improving the accuracy and efficiency of network security situation assessment so that the result truly reflects the overall state of network security.
The technical solution comprises the following four steps:
S1. Acquire network security situation elements, form a training sample set and a test sample set, and determine the BP neural network structure;
S2. Use the cuckoo search (CS) algorithm to find the optimal initial weights and thresholds;
S3. Introduce a momentum factor and a steepness factor to improve the BP neural network;
S4. Train the improved BP neural network and use the trained network for network security situation assessment to obtain the final situation value and security level.
In the network security situation assessment method based on CS and an improved BP neural network according to claim 1, acquiring the network security situation elements and forming the training and test sample sets in step S1 means normalizing the situation element data, which include system configuration information, system operation information and network traffic information, to obtain situation indicator data in a unified format; these data form the training sample set and the test sample set;
Determining the BP neural network structure in step S1: assume there are N signal inputs, so the input vector is $X=(x_1,x_2,\dots,x_n)$; the hidden layer has M nodes, so the hidden-layer output vector is $Y=(y_1,y_2,\dots,y_m)$; the output layer has L nodes, so the output-layer vector is $O=(o_1,o_2,\dots,o_l)$ and the expected output vector is $D=(d_1,d_2,\dots,d_l)$. The weight matrix between the input layer and the hidden layer is $W=(W_1,W_2,\dots,W_j,\dots,W_m)$, the weights between the hidden layer and the output layer are $V=(V_1,V_2,\dots,V_k,\dots,V_l)$, the hidden layer has thresholds $\theta_j$ and the output layer has thresholds $r_k$. With $y_j$ the output value of the j-th hidden-layer neuron and $o_k$ the output of the k-th output-layer neuron, then:
In the above formula, f(x) is the transfer function of the hidden layer; the sigmoid function is generally used, with the following formula:
Preferably, using the cuckoo search (CS) algorithm in step S2 to find the optimal initial weights and thresholds is specifically:
S21, initialize the population: according to the characteristics of the neural network weights and thresholds, randomly generate n cuckoos and encode the n cuckoos using floating-point encoding;
S22, compute the fitness: the fitness function is the reciprocal of the neural network's total error function, as shown below:
S23, position update: keep the best cuckoo of the previous generation and update the positions of the cuckoos according to the following formula:
The terms of the formula are the position of the i-th nest in generation t and a point-to-point multiplication operator; $\alpha>0$ is the step size (generally $\alpha=1$); $L(\lambda)$ is the Lévy random search path, and the random step length $\lambda$ follows a Lévy distribution;
S24, selection, replacement and deletion: randomly generate a decimal r in the interval [0, 1] and compare r with the discovery probability $p_a$. If $r>p_a$, update the positions of all cuckoos according to formula (12), compute and compare the fitness of the new cuckoos and the original cuckoos, and keep the cuckoos with the greater fitness, which gives the updated cuckoo positions; if $r\le p_a$, keep the original cuckoos;
The elimination operation keeps the population in its best state throughout: the $n \cdot p_a$ individuals with the worst fitness values are eliminated, and to keep the population size unchanged, $n \cdot p_a$ solutions are randomly generated ($n \cdot p_a$ must be rounded to an integer). Individuals with better fitness values are passed directly to the next generation;
S25, check whether the best cuckoo satisfies the condition or whether the number of generations has reached the requirement. If so, decode the best cuckoo to obtain the optimal weights and thresholds and go to step S3; otherwise, go to step S23.
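The search loop of S21 to S25, as an added example (not code from the patent) sized for the 8-6-1 network of the embodiment. Assumptions, since the page's formulas did not survive: the net input minus the threshold feeds a sigmoid, Lévy steps come from Mantegna's algorithm with β = 1.5, positions are clamped to ±5, the greedy Lévy move is applied every generation instead of being gated by r, and the samples are constructed.

```python
import math
import random

# Sizes from the embodiment: 8 indicators, 6 hidden nodes, 1 output (SA).
N_IN, N_HID, N_OUT = 8, 6, 1
DIM = N_HID * (N_IN + N_OUT + 1) + N_OUT  # floats per nest (cuckoo)


def decode(nest):
    """Unpack a flat nest: for each hidden node its input weights, output
    weights and threshold, then the output-layer thresholds at the end."""
    W, V, theta, p = [], [], [], 0
    for _ in range(N_HID):
        W.append(nest[p:p + N_IN]); p += N_IN
        V.append(nest[p:p + N_OUT]); p += N_OUT
        theta.append(nest[p]); p += 1
    return W, V, theta, nest[p:p + N_OUT]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-max(-60.0, min(60.0, z))))  # clamp avoids overflow


def forward(nest, x):
    """Assumed convention: weighted sum minus threshold, sigmoid in both layers."""
    W, V, theta, r = decode(nest)
    y = [sigmoid(sum(w * xi for w, xi in zip(W[j], x)) - theta[j]) for j in range(N_HID)]
    return [sigmoid(sum(V[j][k] * y[j] for j in range(N_HID)) - r[k]) for k in range(N_OUT)]


def fitness(nest, samples):
    """Reciprocal of the summed absolute output error (epsilon avoids 1/0)."""
    err = sum(abs(d - o) for x, ds in samples for d, o in zip(ds, forward(nest, x)))
    return 1.0 / (err + 1e-12)


def levy_step(rng, beta=1.5):
    """One Levy-distributed step via Mantegna's algorithm (assumed, not from the page)."""
    sigma = (math.gamma(1 + beta) * math.sin(math.pi * beta / 2)
             / (math.gamma((1 + beta) / 2) * beta * 2 ** ((beta - 1) / 2))) ** (1 / beta)
    u, v = rng.gauss(0, sigma), rng.gauss(0, 1)
    return u / max(abs(v), 1e-12) ** (1 / beta)


def make_samples(count=20, seed=1):
    """Constructed data: 8 normalised indicators, target SA = their mean."""
    rng = random.Random(seed)
    out = []
    for _ in range(count):
        x = [rng.random() for _ in range(N_IN)]
        out.append((x, [sum(x) / N_IN]))
    return out


def cuckoo_search(samples, n=15, pa=0.25, generations=30, alpha=1.0, bound=5.0, seed=7):
    """Return (best nest, its fitness, best fitness per generation)."""
    rng = random.Random(seed)
    new_nest = lambda: [rng.uniform(-bound, bound) for _ in range(DIM)]
    nests = [new_nest() for _ in range(n)]
    fit = [fitness(c, samples) for c in nests]
    history = [max(fit)]
    for _ in range(generations):
        # Levy-flight move for every nest; keep whichever of old/new is fitter,
        # so the best nest of the previous generation is never lost.
        for i in range(n):
            cand = [max(-bound, min(bound, xi + alpha * levy_step(rng))) for xi in nests[i]]
            f = fitness(cand, samples)
            if f > fit[i]:
                nests[i], fit[i] = cand, f
        # Eliminate the round(n * pa) worst nests and refill with random ones.
        worst = sorted(range(n), key=lambda i: fit[i])[:round(n * pa)]
        for i in worst:
            nests[i] = new_nest()
            fit[i] = fitness(nests[i], samples)
        history.append(max(fit))
    best = max(range(n), key=lambda i: fit[i])
    return nests[best], fit[best], history


if __name__ == "__main__":
    best, f, hist = cuckoo_search(make_samples())
    print("initial best fitness", round(hist[0], 4), "final", round(f, 4))
```

The returned nest is what `decode` turns into the starting W, V, θ and r for BP training in step S4.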
Preferably, introducing the momentum factor and the steepness factor in step S3 to improve the traditional BP neural network is specifically:
S31, introduce a momentum factor: the additional-momentum method is used to improve the weight correction process of the neural network. Specifically, part of the weight adjustment from the previous iteration, or from the previous several iterations, is added to the weight adjustment computed from the current error, and the sum is used as the actual weight adjustment for this iteration. The weight adjustment formula with a momentum term designed by the invention is:
$$\Delta w(k+1) = (1-\alpha)\,\eta\,D(k) + \alpha\,\Delta w(k)$$
where $D(k)$ is the negative gradient at time k,
w is the network weight, Δw is the weight increment, k is the number of training iterations, α is the momentum factor with 0<α<1, generally about 0.95, and η is the learning rate;
S32, introduce a steepness factor: a steepness factor λ is introduced into the original transfer function. The principle of the improvement is that once weight adjustment enters a flat region, the net input of the neuron is compressed so that its output leaves the saturation region of the transfer function. This changes the shape of the error function, so that the adjustment escapes the flat region. The formula is as follows:
In the formula, net is the input of the neuron. When ΔE is found to be close to zero while the model output still deviates considerably from the actual value, the training can be judged to have entered a flat region, and λ>1 is set; after the flat region has been left, λ=1 is set again.
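The effect of S31 and S32 on one saturated sigmoid neuron, as an added example (not code from the patent). The momentum update is the formula given above; the steepness form f(net) = 1/(1 + e^(-net/λ)), the flat-region thresholds, λ = 4 and the single constructed training sample are assumptions made for illustration.

```python
import math


def steep_sigmoid(net, lam=1.0):
    """Sigmoid whose net input is compressed by lam (assumed form of the steepness factor)."""
    return 1.0 / (1.0 + math.exp(-net / lam))


def momentum_delta(prev_delta, neg_grad, eta, alpha):
    """Weight change from S31: dw(k+1) = (1 - alpha) * eta * D(k) + alpha * dw(k)."""
    return (1.0 - alpha) * eta * neg_grad + alpha * prev_delta


def neg_gradient(w, x, d, lam):
    """D(k) for one neuron with E = 0.5 * (d - o)^2 and o = steep_sigmoid(w * x, lam)."""
    o = steep_sigmoid(w * x, lam)
    return (d - o) * o * (1.0 - o) / lam * x


def train(adaptive, steps=500, w=10.0, x=1.0, d=0.0, eta=1.0, alpha=0.95,
          flat_eps=1e-4, tol=0.01, lam_flat=4.0):
    """Train from a saturated start (output near 1, target 0).

    Returns (final weight, number of steps run with lam > 1).
    """
    delta, prev_err, flat_steps = 0.0, None, 0
    for _ in range(steps):
        # Error of the real model (lam = 1) decides whether we are in a flat region:
        # the error barely changes (delta E ~ 0) yet is still far from acceptable.
        err = 0.5 * (d - steep_sigmoid(w * x)) ** 2
        flat = prev_err is not None and abs(err - prev_err) < flat_eps and err > tol
        lam = lam_flat if (adaptive and flat) else 1.0
        flat_steps += lam > 1.0
        delta = momentum_delta(delta, neg_gradient(w, x, d, lam), eta, alpha)
        w += delta
        prev_err = err
    return w, flat_steps


if __name__ == "__main__":
    print("fixed lam=1 :", train(adaptive=False))
    print("adaptive lam:", train(adaptive=True))
```

With λ fixed at 1 the weight barely moves from its saturated start, while the adaptive run leaves the flat region within the same number of steps.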
Preferably, training the improved BP neural network in step S4 and using the trained network for network security situation assessment is specifically:
S41, initialize the neural network: the optimal combination of initial weights and thresholds of the BP neural network obtained by the cuckoo algorithm in step S2 is fed into the network as parameters for initialization, together with the remaining BP network parameters, namely the number of iterations N, the momentum factor α and the allowed training error ε. The training situation data are used as the input vector and the situation values assessed by experts as the output vector of the optimized BP neural network;
S42, compute the outputs of the input layer, the hidden layer and the output layer: the neurons of the input layer do not process the input vector; the hidden-layer output $y_j$ and the output-layer output $o_k$ are computed according to the steps of claim 2;
S43, from the computed output $o_k$ and the actual output $d_k$, compute the error $e_k$ of each output-layer neuron and the total system error E, with the following formula:
S44, compute the weight correction according to step S31 and adjust the weights of each neuron accordingly;
S45, randomly select the next training sample and feed it to the BP neural network, until all training data have been used to train the BP neural network;
S46, check whether the global error E of the neural network meets the accuracy requirement. If E<ε, end the training of the network; otherwise go to step S43 and continue adjusting the connection weights of each layer. Iterative training continues in this way until the global error of the network satisfies the condition or the number of iterations reaches N;
S47, feed the test situation data into the trained neural network, which now has assessment ability, and obtain the network situation value SA through the mapping. The security level of the network is then obtained by looking it up in the overall network situation level table.
By adopting the above technical solution, the invention has the following advantages over the prior art:
1. The improved BP neural network achieves accurate quantitative assessment of the network security situation, reduces the subjective influence of expert opinion found in traditional assessment methods, and reflects the overall state of network security objectively and comprehensively;
2. To address the slow convergence of the traditional BP neural network and its tendency to oscillate and fall into local minima, the network is improved by combining it with the cuckoo search algorithm and introducing a momentum factor and a steepness factor. This speeds up convergence, reduces time and space overhead, and improves the accuracy and practicality of network security situation assessment.
Description of drawings
FIG. 1 is a flow chart of the network security situation assessment method based on CS and an improved BP neural network of the invention.
FIG. 2 is a structural diagram of the neural network provided by an embodiment of the invention.
FIG. 3 compares the error curves of the assessment method based on CS and the improved BP neural network, provided by an embodiment of the invention, and the assessment method based on the traditional BP neural network.
FIG. 4 compares the assessment accuracy of the network security situation assessment method based on CS and an improved BP neural network of the invention and the assessment method based on the traditional BP neural network.
Detailed description
The foregoing and other technical contents, features and effects of the invention will be presented clearly in the following detailed description of the embodiments with reference to FIG. 1 to FIG. 4. The structural contents mentioned in the following embodiments all refer to the accompanying drawings.
Embodiment 1: a network security situation assessment method based on CS and an improved BP neural network, comprising the following four steps:
S1. Acquire network security situation elements, form a training sample set and a test sample set, and determine the BP neural network structure;
S2. Use the cuckoo search (CS) algorithm to find the optimal initial weights and thresholds;
S3. To address the slow convergence of the traditional BP neural network and its tendency to oscillate and fall into local minima, introduce a momentum factor and a steepness factor to improve the BP neural network;
S4. Train the improved BP neural network and use the trained network for network security situation assessment to obtain the final situation value and security level.
Embodiment 2: on the basis of Embodiment 1, step S1 specifically includes:
S11, acquire network security situation elements and form a training sample set and a test sample set. The assessment data sources fall into three main classes: system configuration information, system operation information and network traffic information. The first class refers to the design and configuration of the network, such as the network topology, the installation and settings of service software, and the vulnerabilities and defects of the system. The second class refers to how the system runs while the network is under attack, and comes mainly from the system operation log store. The third class refers mainly to the various traffic conditions of real-time network communication, which can be obtained by monitoring with dedicated software. Based on the current state of networks and the practical needs of the indicator system, the invention selects Netflow data, Snort logs and Nessus scan logs as the data sources for the situation indicators. These three kinds of data cover traffic, attacks and vulnerabilities. They reflect the basic operating state of the network, the attack threats it faces and its potential security threats, and so provide fairly comprehensive data support for network security situational awareness. Because the raw data collected from network security devices have different formats and meanings, they cannot be used directly as input to situation assessment; they must first be normalized to obtain situation indicator data in a unified format, which then form the training sample set and the test sample set.
S12, determine the BP neural network structure. FIG. 2 is the neural network structure diagram provided by an embodiment of the invention. The BP neural network contains 1 input layer, 1 output layer and multiple hidden layers. Neurons in adjacent layers are connected through a suitable activation function to maintain the network's parameters, and training combines forward propagation with back propagation. Assume there are N signal inputs, so the input vector is $X=(x_1,x_2,\dots,x_n)$; the hidden layer has M nodes, so the hidden-layer output vector is $Y=(y_1,y_2,\dots,y_m)$; the output layer has L nodes, so the output-layer vector is $O=(o_1,o_2,\dots,o_l)$ and the expected output vector is $D=(d_1,d_2,\dots,d_l)$. The weight matrix between the input layer and the hidden layer is $W=(W_1,W_2,\dots,W_j,\dots,W_m)$, the weights between the hidden layer and the output layer are $V=(V_1,V_2,\dots,V_k,\dots,V_l)$, the hidden layer has thresholds $\theta_j$ and the output layer has thresholds $r_k$. With $y_j$ the output value of the j-th hidden-layer neuron and $o_k$ the output of the k-th output-layer neuron, then:
In the above formula, f(x) is the transfer function of the hidden layer; the sigmoid function is generally used, with the following formula:
In this embodiment of the invention the input layer has 8 nodes, corresponding to 8 situation assessment elements: the number of security devices in the subnet ($x_1$), the total number of open ports on the key devices in the subnet ($x_2$), the frequency with which key devices access mainstream security websites ($x_3$), the number of alerts ($x_4$), the network bandwidth utilization ($x_5$), the historical frequency of security incidents ($x_6$), the rate of change of subnet traffic ($x_7$), and the subnet's mean time between failures ($x_8$). The output layer has 1 node, labelled SA (the network security situation value). The number of hidden-layer nodes is found by trial and error: first a small number of hidden nodes is set using an empirical formula, then the same number of hidden nodes is added each time and, using the same sample set throughout, the node count that gives the smallest training error is selected. The initial number of hidden nodes m is:
where n is the number of input-layer nodes, l is the number of output-layer nodes, and δ is a constant between 0 and 10. The formula above gives 4 hidden-layer nodes, and trial and error then yields 6 nodes.
Embodiment 3: on the basis of Embodiment 1, step S2 specifically includes:
The initial weights and thresholds of a BP neural network are assigned randomly, so training generally takes a long time, and the weights and thresholds obtained by training may not be optimal. The present invention therefore uses the cuckoo search (CS) algorithm to find the optimal weights and thresholds. The specific steps are as follows:
S21: Initialize the population. According to the characteristics of the neural network's weights and thresholds, randomly generate n cuckoos and encode them. Floating-point encoding is used: it is intuitive, its code length is easy to control, its precision is high and it searches large spaces well, which reduces computational complexity. Following the designed structure of the BP neural network, all of its weights and thresholds are encoded together as one cuckoo, so the encoding of a cuckoo is:
W11 W21 … WN1 V11 V21 … V1L θ1 … W1M W2M … WNM VM1 VM2 … VML θM r1 … rL
where N is the number of input-layer nodes of the network, M is the number of hidden-layer nodes, L is the number of output-layer nodes, W is the input-to-hidden weight matrix, V is the hidden-to-output weight matrix, θ is the hidden-layer threshold matrix, and r is the output-layer threshold matrix;
S23: Calculate fitness. The cuckoo algorithm is a metaheuristic optimization algorithm in which the quality of each individual in the population is measured by its fitness. A higher fitness value means the individual is closer to the optimal solution. Since a smaller total error is better for a BP neural network, the fitness function designed in this example is the reciprocal of the sum of the absolute errors between the network's actual output and predicted output, namely:
Substitute the situation indicator data obtained in step S1 into the fitness function and calculate the fitness of this generation of cuckoos. Select the cuckoo with the best fitness.
S23: Position update. Keep the best cuckoo of the previous generation and update the positions of the cuckoos. The position update formula is as follows:
where the position term denotes the position of the i-th nest in generation t, the product symbol denotes point-to-point multiplication, α>0 is the step size (generally α=1), L(λ) is the Lévy random search path, and the random step length λ follows a Lévy distribution.
Calculate the fitness of this generation of cuckoos and compare it with the fitness values of the previous generation. If the new value is better, update the position; otherwise keep the nest position of the previous generation.
S24: Selection, replacement and deletion. Randomly generate a decimal r in the interval [0,1] and compare r with the discovery probability pa. If r>pa, update the positions of all cuckoos, calculate and compare the fitness of the new and original cuckoos, and keep the cuckoo with the higher fitness, which gives the updated cuckoo positions. If r≤pa, keep the original cuckoo.
The elimination operation keeps the population in its best state: the n*pa individuals with the worst fitness values are eliminated, and to keep the population size unchanged, n*pa solutions are generated at random (n*pa must be rounded to an integer). Individuals with better fitness values are passed directly to the next generation.
S25: Determine whether the best cuckoo satisfies the condition or whether the number of generations has reached the requirement. If so, decode the best cuckoo to obtain the optimal weights and thresholds and go to step S3; otherwise go to step S23.
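
The search in steps S21 to S25, written out as an added Python example (not code from the patent). The flat encoding follows the order given above; the net-input convention (weighted sum minus threshold), the Lévy step generator (Mantegna's method with β=1.5), the initial range [-1, 1] and the sample data are assumptions made for this sketch.

```python
import math
import random

N_IN, N_HID, N_OUT = 8, 6, 1                 # layer sizes of the embodiment
DIM = N_HID * (N_IN + N_OUT + 1) + N_OUT     # 61 floats per cuckoo


def decode(nest):
    """Split a flat nest using the page's order: for each hidden node j its
    N input weights, L output weights and threshold, then r1..rL."""
    W, V, theta, pos = [], [], [], 0
    for _ in range(N_HID):
        W.append(nest[pos:pos + N_IN]); pos += N_IN
        V.append(nest[pos:pos + N_OUT]); pos += N_OUT
        theta.append(nest[pos]); pos += 1
    return W, V, theta, nest[pos:pos + N_OUT]


def sigmoid(x):
    x = max(-60.0, min(60.0, x))             # clamp to avoid overflow
    return 1.0 / (1.0 + math.exp(-x))


def forward(nest, x):
    """Assumed convention: net input = weighted sum minus threshold."""
    W, V, theta, r = decode(nest)
    y = [sigmoid(sum(w * xi for w, xi in zip(W[j], x)) - theta[j])
         for j in range(N_HID)]
    return [sigmoid(sum(V[j][k] * y[j] for j in range(N_HID)) - r[k])
            for k in range(N_OUT)]


def fitness(nest, samples):
    """Reciprocal of the summed absolute error (higher is better)."""
    err = sum(abs(d - o) for x, target in samples
              for d, o in zip(target, forward(nest, x)))
    return 1.0 / (err + 1e-12)


def levy_step(rng, beta=1.5):
    """One Lévy-distributed step via Mantegna's method (assumed, beta=1.5)."""
    num = math.gamma(1 + beta) * math.sin(math.pi * beta / 2)
    den = math.gamma((1 + beta) / 2) * beta * 2 ** ((beta - 1) / 2)
    u = rng.gauss(0, (num / den) ** (1 / beta))
    v = rng.gauss(0, 1) or 1e-12
    return u / abs(v) ** (1 / beta)


def random_nest(rng):
    return [rng.uniform(-1, 1) for _ in range(DIM)]


def cuckoo_search(samples, n=40, pa=0.1, generations=40, alpha=1.0,
                  target_fitness=None, seed=0):
    rng = random.Random(seed)
    nests = [random_nest(rng) for _ in range(n)]          # S21
    fits = [fitness(nest, samples) for nest in nests]     # fitness step
    b = max(range(n), key=fits.__getitem__)
    best, best_fit = nests[b], fits[b]
    history = [best_fit]

    def try_move(i):
        """Lévy move for nest i; keep it only if fitness improves."""
        cand = [w + alpha * levy_step(rng) for w in nests[i]]
        f = fitness(cand, samples)
        if f > fits[i]:
            nests[i], fits[i] = cand, f

    for _ in range(generations):
        for i in range(n):
            try_move(i)                      # position update
            if rng.random() > pa:            # S24: r > pa, move again
                try_move(i)
        # S24 elimination: replace the round(n*pa) worst nests
        for i in sorted(range(n), key=fits.__getitem__)[:round(n * pa)]:
            nests[i] = random_nest(rng)
            fits[i] = fitness(nests[i], samples)
        b = max(range(n), key=fits.__getitem__)
        if fits[b] > best_fit:               # elite carried to next generation
            best, best_fit = nests[b], fits[b]
        history.append(best_fit)
        if target_fitness is not None and best_fit >= target_fitness:
            break                            # S25
    return best, history


def make_samples(rng, count):
    """Constructed data: 8 normalised indicators x1..x8 -> SA in [0, 1]."""
    rows = [[rng.random() for _ in range(N_IN)] for _ in range(count)]
    return [(x, [0.5 * x[3] + 0.3 * x[1] + 0.2 * x[5]]) for x in rows]


if __name__ == "__main__":
    data = make_samples(random.Random(1), 30)
    nest, hist = cuckoo_search(data)
    print("fitness: %.3f -> %.3f" % (hist[0], hist[-1]))
```

`decode(best)` yields the W, V, θ and r values that would be handed to the BP network as its starting point.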
Embodiment 4: on the basis of Embodiment 1, step S3 specifically includes:
S31: Introduce a momentum factor. The standard BP algorithm is essentially a simple steepest-descent static optimization method. When correcting w(k), it corrects only along the negative gradient direction of step k and ignores previously accumulated experience, that is, the gradient directions of earlier moments, which often makes the training process oscillate and converge slowly. The additional-momentum weight adjustment algorithm adds a part of the previous one or several weight adjustments to the weight adjustment calculated from the current error, and uses the sum as the actual weight adjustment for this step. The weight adjustment formula with a momentum term designed in the present invention is as follows:
Dw(k+1)=(1-α)ηD(k)+αDw(k)
where D(k) is the negative gradient at time k.
w is the network weight, Dw is the weight increment, k is the training iteration, and α is the momentum factor, 0<α<1, generally about 0.95. η is the learning rate, which is a constant in a standard BP neural network.
The formula means that the influence of earlier weight changes on the current adjustment trend is passed on through a momentum factor. When the momentum factor α is zero, the weight change is produced by gradient descent alone; when α is 1, the new weight change is set to the previous weight change and the part produced by the gradient method is ignored. In this way, once the momentum term is added, weight adjustment is pushed toward the average direction at the bottom of the error surface. When the network weights enter a flat region at the bottom of the error surface, Dwij(k+1)=Dwij(k), which prevents Dwij=0 from occurring and helps the network escape local minima of the error surface. The momentum factor added by this method is in effect a damping term: it reduces the tendency to oscillate during learning and acts as a buffer and smoother, thereby improving convergence.
S32: Introduce a steepness factor. During training of a BP neural network, the model output may still deviate considerably from the actual value even when the sum of squared errors is close to zero. This happens because the error surface contains flat regions. To prevent this during network training, the present invention improves the standard BP algorithm by introducing a steepness factor. The principle is: once weight adjustment has entered a flat region, compress the neuron's net input so that its output leaves the saturation region of the transfer function, which changes the shape of the error function and moves the adjustment out of the flat region. Specifically, a steepness factor λ is introduced into the original transfer function:
where net is the input of the neuron. When ΔE is found to be close to zero while the model output still deviates considerably from the actual value, the flat region is judged to have been entered, and λ is set to λ>1; after leaving the flat region, λ is set back to 1. When λ>1, the net coordinate is compressed by a factor of λ and the sensitive region of the neuron function becomes longer, so that net values with a large absolute value leave the saturation region. When λ=1, the transfer function returns to its original form and is highly sensitive to smaller net values. Applications show that this method is very effective in improving the convergence speed and accuracy of neural network algorithms.
Embodiment 5: on the basis of Embodiment 1, step S4 specifically includes:
S41: Neural network initialization. 1) Parameter initialization: input the optimal combination of initial weights and thresholds of the BP neural network obtained in step S2 into the network as parameters, and initialize the remaining parameters of the BP network, including the number of iterations N, the momentum factor α, and the permitted training error ε. 2) Feed the training situation data as the input vector and the expert-assessed situation values as the output vector into the optimized BP neural network.
S42: Calculate the output of the input layer. The neurons of the input layer do not process the input vector; they simply pass it to the hidden layer as output. Calculate the output of each neuron in the intermediate hidden layer with the following formula:
Calculate the output of each neuron in the output layer with the following formula:
In the above formula, f(x) is the transfer function of the hidden layer. The sigmoid function is generally used; the example of the present invention introduces the steepness factor λ, with the following formula:
S43: From the calculated output ok and the actual output dk, calculate the total system error E with the following formula:
S44: Because the total system error E is a function of the weights vij, wjk, the weights can be adjusted by gradient descent to reduce the error E and reach an iterative optimization solution. The embodiment of the present invention uses the additional momentum factor method to optimize the weight correction process. Taking wjk as an example, the formula is as follows:
Dw(k+1)=(1-α)ηD(k)+αDw(k)
S45: Randomly select the next training sample and provide it to the improved BP neural network, until all the training data have been used to train the improved BP neural network.
S46: Determine whether the global error E of the neural network meets the accuracy requirement. If E<ε, end the training of the network; otherwise go to step (3) and continue adjusting the connection weights of each layer, iterating in this way until the global error of the network satisfies the condition or the number of iterations reaches N.
S47: Input the test situation data into the trained neural network, which now has assessment capability. The mapping yields the network's situation value SA, and the security level of the network is then obtained by looking it up in Table 2.
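
The training loop of steps S41 to S46 with the momentum rule of S31 and the steepness switch of S32, as an added Python example (not code from the patent). The formula images are missing from this page, so the transfer function f(net)=1/(1+e^(-net/λ)), the error E=½Σ(d−o)², the net-input convention (weighted sum minus threshold), η=0.5, the flat-region tolerance and the constructed samples are assumptions of this sketch; the weights start random here instead of coming from the cuckoo search.

```python
import math
import random


def steep_sigmoid(net, lam=1.0):
    """Sigmoid with steepness factor lam; assumed form 1/(1+exp(-net/lam))."""
    z = max(-60.0, min(60.0, net / lam))     # clamp to avoid overflow
    return 1.0 / (1.0 + math.exp(-z))


def slope(out, lam=1.0):
    """Derivative of steep_sigmoid, written in terms of its output."""
    return out * (1.0 - out) / lam


def momentum_step(D, prev, eta, alpha):
    """Dw(k+1) = (1-alpha)*eta*D(k) + alpha*Dw(k); D is the negative gradient."""
    return (1.0 - alpha) * eta * D + alpha * prev


class ImprovedBP:
    """8-6-1 network trained per sample with momentum and a steepness switch."""

    def __init__(self, n_in=8, n_hid=6, eta=0.5, alpha=0.95, seed=0):
        rng = random.Random(seed)
        init = lambda: rng.uniform(-0.5, 0.5)   # the page seeds these from CS
        self.W = [[init() for _ in range(n_in)] for _ in range(n_hid)]
        self.theta = [init() for _ in range(n_hid)]
        self.V = [init() for _ in range(n_hid)]
        self.r = init()
        self.dW = [[0.0] * n_in for _ in range(n_hid)]
        self.dtheta, self.dV, self.dr = [0.0] * n_hid, [0.0] * n_hid, 0.0
        self.eta, self.alpha, self.lam, self.rng = eta, alpha, 1.0, rng

    def forward(self, x):
        """Return (hidden outputs, SA); net input = weighted sum - threshold."""
        y = [steep_sigmoid(sum(w * xi for w, xi in zip(row, x)) - t, self.lam)
             for row, t in zip(self.W, self.theta)]
        net_o = sum(v * yj for v, yj in zip(self.V, y)) - self.r
        return y, steep_sigmoid(net_o, self.lam)

    def total_error(self, samples):
        """E = 1/2 * sum (d - o)^2 over the set (assumed squared-error form)."""
        return 0.5 * sum((d - self.forward(x)[1]) ** 2 for x, d in samples)

    def update(self, x, d):
        y, o = self.forward(x)
        delta_o = (d - o) * slope(o, self.lam)
        delta_h = [slope(yj, self.lam) * delta_o * v
                   for yj, v in zip(y, self.V)]
        step = lambda D, prev: momentum_step(D, prev, self.eta, self.alpha)
        for j, yj in enumerate(y):
            self.dV[j] = step(delta_o * yj, self.dV[j])
            self.V[j] += self.dV[j]
            self.dtheta[j] = step(-delta_h[j], self.dtheta[j])
            self.theta[j] += self.dtheta[j]
            for i, xi in enumerate(x):
                self.dW[j][i] = step(delta_h[j] * xi, self.dW[j][i])
                self.W[j][i] += self.dW[j][i]
        self.dr = step(-delta_o, self.dr)
        self.r += self.dr

    def train(self, samples, max_iter=1000, eps=0.05, flat_tol=1e-6,
              flat_lam=2.0):
        history = [self.total_error(samples)]
        for _ in range(max_iter):
            for x, d in self.rng.sample(samples, len(samples)):   # S45
                self.update(x, d)                                 # S42, S44
            history.append(self.total_error(samples))             # S43
            if history[-1] < eps:                                 # S46
                break
            # Flat region: error barely moves but is still above eps -> lam>1
            flat = abs(history[-1] - history[-2]) < flat_tol
            self.lam = flat_lam if flat else 1.0
        return history


def make_samples(rng, count):
    """Constructed data: 8 normalised indicators and an 'expert' SA value."""
    rows = [[rng.random() for _ in range(8)] for _ in range(count)]
    return [(x, 0.5 * x[3] + 0.3 * x[1] + 0.2 * x[5]) for x in rows]


if __name__ == "__main__":
    model = ImprovedBP(seed=1)
    errors = model.train(make_samples(random.Random(2), 40))
    print("E: %.4f -> %.4f in %d epochs" % (errors[0], errors[-1], len(errors) - 1))
```

At net=4 the slope of the transfer function is larger with λ=2 than with λ=1, which is the effect S32 relies on to pull saturated neurons back into the sensitive region.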
The neural network assessment result SA is a number within a certain threshold interval and by itself offers little practical guidance, so in real-world use the network security level corresponding to each network security situation value has to be defined. With reference to risk assessment, the present invention divides the network security situation into five levels {excellent, good, medium, poor, dangerous}. The situation value range and network behaviour characteristics of each level are shown in Table 2:
Table 2: Overall network situation levels
In use, to help those skilled in the art better understand the scheme, it is described below in a practical application scenario: simulated network security data are used to run a simulation comparison test of the network security situation assessment method proposed by the present invention. The embodiment of the present application builds a network experiment environment in which an ordinary user (User) and an attacker (Attacker) can reach each host on the network through the Internet. Attack information from the intrusion detection system (IDS), vulnerability scan information collected by Nessus on the hosts, log alarm information collected by Snort, and network traffic information collected by router Netflow are gathered periodically as the multi-source heterogeneous raw data for this simulation experiment. Experts are then organized to assess the security risk manually, which gives the actual level of the network security situation. The following are extracted: the number of security devices in the subnet (x1), the total number of open ports on the key devices in the subnet (x2), the frequency with which key devices access mainstream security websites (x3), the number of alarms (x4), the network bandwidth utilization (x5), the historical frequency of security events (x6), the rate of change of subnet traffic (x7), and the subnet mean time between failures (x8). These 8 assessment indicators form the sample set used as the input of the assessment model, and the expert assessment results are used as the expected output; 1500 records were obtained in total. 1000 samples were selected at random as the training set for training the improved BP neural network; the remaining 500 samples form the test set, used to check whether the assessment results of the network security situation assessment model agree with the actual results, that is, the generalization ability of the model;
In the cuckoo optimization part, the cuckoo population size is n=40, the discovery probability is set to pa=0.1, and the maximum number of generations is 40. In the BP neural network part, the number of input-layer nodes is set to 8. The number of hidden-layer nodes is set to 6 by trial and error; the output layer outputs the situation value, with 1 output node; the transfer function is the standard sigmoid function; the maximum number of iterations is set to 1000; the objective function error is ε=0.05; and the momentum factor is α=0.95. The embodiment of the present invention designs comparison experiments before and after the algorithm optimization. FIG. 3 compares the error curves of the assessment method based on CS and the improved BP neural network provided by the embodiment of the present invention and the assessment method based on the traditional BP neural network. As shown in FIG. 3, compared with the traditional BP neural network, the network security situation assessment method based on the cuckoo search algorithm and the improved BP neural network proposed by the embodiment of the present invention has no local-minimum problem and converges faster and better. This is because the CS algorithm needs only a small amount of resources to find the optimal initial weights and thresholds of the BP neural network, which effectively shortens the later training time and the time and space consumption of the neural network; in addition, the momentum factor and the steepness factor greatly speed up convergence, avoid local extrema and oscillation, and improve the convergence result. FIG. 4 compares the assessment accuracy of the assessment method based on CS and the improved BP neural network provided by the embodiment of the present invention and the assessment method based on the traditional BP neural network. As shown in FIG. 4, as the sample size increases, the assessment accuracy of the traditional BP network algorithm falls, while the accuracy curve of the assessment method proposed by the example of the present invention stays above 97.5%, which shows that the proposed assessment method has higher assessment accuracy and a more stable assessment effect.
The above is a further detailed description of the present invention in conjunction with specific embodiments, and the specific implementation of the present invention cannot be considered limited to it. For those skilled in the art to which the present invention belongs and in related technical fields, extensions and replacements of operating methods and data made on the basis of the technical scheme of the present invention shall all fall within the protection scope of the present invention.
Claims (5)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811376507.1A CN109547431A (en) | 2018-11-19 | 2018-11-19 | A kind of network security situation evaluating method based on CS and improved BP |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109547431A true CN109547431A (en) | 2019-03-29 |
Family
ID=65848164
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811376507.1A Pending CN109547431A (en) | 2018-11-19 | 2018-11-19 | A kind of network security situation evaluating method based on CS and improved BP |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109547431A (en) |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109547431A (en) | A kind of network security situation evaluating method based on CS and improved BP | |
Long et al. | A hybrid method of entropy and SSAE-SVM based DDoS detection and mitigation mechanism in SDN | |
CN110647900A (en) | Method, device and system for intelligent prediction of security situation based on deep neural network | |
CN108400895A (en) | One kind being based on the improved BP neural network safety situation evaluation algorithm of genetic algorithm | |
CN104978612A (en) | Distributed big data system risk predicating method based on AHP-RBF | |
CN104125112B (en) | Physical-information fuzzy inference based smart power grid attack detection method | |
CN111585948A (en) | An intelligent prediction method of network security situation based on power grid big data | |
CN107222333A (en) | A kind of network node safety situation evaluation method based on BP neural network | |
CN109407654A (en) | A kind of non-linear causality analysis method of industrial data based on sparse depth neural network | |
CN104598984B (en) | A kind of failure prediction method based on fuzzy neural network | |
CN102868224B (en) | Secondary network measurement and multimode decision-making method and device for intelligent substation | |
CN104618149B (en) | A kind of heterogeneous network SON intelligence operation management method | |
Cao et al. | Data fusion algorithm for heterogeneous wireless sensor networks based on extreme learning machine optimized by particle swarm optimization | |
CN106453294A (en) | Security situation prediction method based on niche technology with fuzzy elimination mechanism | |
CN117200454A (en) | Intelligent big data monitoring method and Internet of Things system for power distribution devices | |
Xue et al. | Detection and quantification of anomalies in communication networks based on LSTM-ARIMA combined model | |
Zhang et al. | Network security situation prediction model based on EMD and ELPSO optimized BiGRU neural network | |
CN110401955A (en) | A mobile network malicious node detection method and system | |
Xiaogang | Secure Low‐Energy Routing Protocol Based on Dynamic Trust Awareness and Load Balancing in Wireless Sensor Networks | |
Wei et al. | Research on group behavior model based on neural network computing | |
Yu et al. | Trust evaluation of computing power network based on improved particle swarm neural network | |
Wang et al. | Distributed two‐stage state estimation with event‐triggered strategy for multirate sensor networks | |
Feng et al. | A survey of intelligent network fault diagnosis technology | |
CN112085043A (en) | A kind of intelligent monitoring method and system for network security of substation | |
CN113658415B (en) | Early warning method and system of intelligent gateway |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20190329 |