CN111935134A - Complex network security risk monitoring method and system - Google Patents

Info

Publication number: CN111935134A
Authority: CN (China)
Prior art keywords: network; layer; data; network security; data set
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Pending
Application number: CN202010786578.XA
Other languages: Chinese (zh)
Inventors: 孙士凯, 刘�文, 耿丹阳, 艾云飞, 黄小云, 张雨泽, 于综洋, 何知贤
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Cccc Information Technology National Engineering Laboratory Co ltd; China Transport Telecommunications And Information Center
Original Assignee: Cccc Information Technology National Engineering Laboratory Co ltd; China Transport Telecommunications And Information Center
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.), filing date and publication date: not given on this page

Events
Application filed by Cccc Information Technology National Engineering Laboratory Co ltd and China Transport Telecommunications And Information Center
Priority to CN202010786578.XA
Publication of CN111935134A
Legal status: Pending (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/045 Combinations of networks
    • G06N3/08 Learning methods


Abstract

The invention discloses a method and a system for monitoring the security risk of a complex network. It takes into account the limitations of traditional network security monitoring methods, the problems of network security monitoring experiments, and the application of artificial intelligence to network security monitoring. A network security risk monitoring experiment platform for a complex network environment is built on a virtual network system using artificial intelligence technology, so that the security risk of the complex network is monitored comprehensively, accurately and quickly and the security of the network system is improved.

Description

Complex network security risk monitoring method and system
Technical Field
The invention relates to the technical field of network security monitoring, in particular to a method and a system for monitoring security risks of a complex network.
Background
With the rapid development of network information technology, networks have become an important guarantee and an indispensable tool for social and economic development. In the transportation industry, and especially in maritime shipping, the rapid advance of digitalization, integration, automation, networking and intelligence has greatly promoted interconnection among the systems within a ship, between different ships, and between ship networks and shore-based networks.
The network brings great convenience to people, but it also brings network threats. A network threat is anything that endangers network security; its existence allows a network system to be accessed and attacked, maliciously or unintentionally, causing immeasurable economic loss. In recent years network security incidents have been frequent, causing great social impact and economic loss and drawing close attention to network security from all sectors of society. From 2011 to 2013, the information system of the port of Antwerp was attacked and cargo data was tampered with, so that a drug smuggling plan succeeded; in 2017 and 2018, the Petya malware spread around the world, and the IT systems of several well-known shipping enterprises failed at many offices and business units worldwide, causing heavy losses.
Among the various network attacks, illegal intrusion into computer networks and information systems is becoming more and more serious, with intrusion techniques diversifying, growing more complex, being updated faster and affecting a wider range. How to accurately detect and monitor increasingly serious intrusion behaviour with network security monitoring technology, effectively prevent network attacks and improve network security has become a research hotspot in the networking field.
With the rapid development of artificial intelligence technology, its application in the field of network security monitoring is increasing. A great deal of research has been carried out on network development technology, network security systems, expert systems and the like, and intelligent firewalls, intrusion monitoring and spam defence have been successfully implemented.
For network security it is crucial to stay ahead of threats rather than merely react to them. At present, in monitoring and researching network security risks, manufacturing industry and academia usually reuse results obtained on existing computer networks and industrial control networks, and introduce conventional network security devices such as firewalls, intrusion detection systems and network isolation equipment during the design of a network system to ensure its security. However, these devices are usually developed for general-purpose computer networks, and many of their threat discovery and management control techniques cannot adapt well to the mixed, heterogeneous collection of industrial control networks that makes up a complex network; they may not even be able to parse and understand the proprietary protocols of a specific dedicated network system, so the devices cannot play their intended role. Meanwhile, a traditional intrusion detection system must continuously update its signature database to cope with attacks from different malware, which later requires a large amount of manpower and material resources. In general, at the current stage, cyberspace security, especially for complex networks such as ocean-going ship networks, remains very much the passive party in the attack-and-defence game.
Disclosure of Invention
The invention provides a method and a system for monitoring the security risk of a complex network, which can monitor the security state of the network.
According to one aspect of the invention, a method for monitoring the security risk of a complex network is provided, which comprises the following steps:
acquiring a network security data set, numericalizing and normalizing the network security data it contains, and converting text data into information readable by a neural network;
building a four-layer neural network comprising a convolution layer, a pooling layer, a fully connected layer and a logistic regression layer, and training it on the numericalized and normalized network security data set to obtain a classification data set;
optimizing and adjusting the neural network according to the network security data set and the corresponding classification data set to obtain a risk monitoring neural network;
and carrying out classified monitoring of network data with the network security neural network.
The numericalization and normalization of the network security data comprises the following steps:
deleting, among the redundant data in the network security data set, data of types that make up a disproportionately large share, so as to reduce data redundancy and balance the different types of data;
digitizing the text data in the network security data set, representing each distinct text value by a set numerical value;
and normalizing numerical attributes in the network security data set such as the protocol type, the normal or error connection state, and the number of bytes from the source host to the destination host.
The four-layer neural network comprises:
the convolution layer, used to extract features from the data in the network security data set;
the pooling layer, used to compress the data features produced by the convolution layer and extract the main features;
the fully connected layer, used to connect all the main features and send the output value to the logistic regression layer;
and the logistic regression layer, used to output the classification data set.
The four-layer neural network further comprises:
using the categorical cross-entropy loss function (categorical_crossentropy) as the loss function;
using the Adadelta algorithm as the optimizer.
The four-layer neural network further comprises:
stopping training after 14 iterations to prevent overfitting of the model;
splitting off 15% of the training set with a partition function to serve as the validation set.
The four-layer neural network further comprises:
the initial learning rate of the four-layer convolutional neural network is set to 5 × 10^-4, the number of training iterations to 50, and the number of training samples to 400,000;
continuously optimizing the parameters of each network layer by monitoring the training loss (loss), validation loss (val_loss), training accuracy (acc) and validation accuracy (val_acc), evaluating on a test set, and adjusting the model again;
and repeating this process to finally obtain the optimized risk monitoring neural network.
The four-layer neural network further comprises:
convolutional layer parameters: 32 output filters; 3 × 3 convolution window;
pooling layer parameters: 2 × 2 pooling window;
fully connected layer parameters: 128 nodes;
logistic regression layer parameters: 40 nodes, whose activation function is the logistic regression softmax function.
The method further comprises the following step:
simulating multiple operating systems, various network devices and network security devices on the basis of an existing physical resource pool using the Xen virtualization technology, so as to realize the complex network security risk monitoring method.
The method further comprises the following step:
customizing a network topology with the Mininet network simulator and simulating a real network environment, so as to realize the complex network security risk monitoring method.
According to another aspect of the present invention, there is provided a complex network security risk monitoring system, comprising:
a preprocessing unit, used to acquire the network security data set, numericalize and normalize the network security data it contains, and convert text data into information readable by the neural network;
a neural network unit, used to build a four-layer neural network comprising a convolution layer, a pooling layer, a fully connected layer and a logistic regression layer, and to train it on the numericalized and normalized network security data set to obtain a classification data set;
an optimization unit, used to optimize and adjust the neural network according to the network security data set and the corresponding classification data set to obtain a risk monitoring neural network;
and a monitoring unit, used to carry out classified monitoring of network data with the network security neural network.
The preprocessing unit is specifically configured to:
delete, among the redundant data in the network security data set, data of types that make up a disproportionately large share, so as to reduce data redundancy and balance the different types of data;
digitize the text data in the network security data set, representing each distinct text value by a set numerical value;
and normalize numerical attributes in the network security data set such as the protocol type, the normal or error connection state, and the number of bytes from the source host to the destination host.
The neural network unit is specifically used to build a four-layer neural network comprising:
the convolution layer, used to extract features from the data in the network security data set;
the pooling layer, used to compress the data features produced by the convolution layer and extract the main features;
the fully connected layer, used to connect all the main features and send the output value to the logistic regression layer;
and the logistic regression layer, used to output the classification data set.
By adopting this technical scheme, the invention provides a complex network security risk monitoring scheme that takes into account the limitations of traditional network security monitoring methods, the problems of network security monitoring experiments, and the application of artificial intelligence to network security monitoring. A network security risk monitoring experiment platform for a complex network environment is built on a virtual network system using artificial intelligence technology, so that the security risk of the complex network is monitored comprehensively, accurately and quickly and the security of the network system is improved.
The invention provides a complex network security risk monitoring method based on a simulation environment, which mainly comprises three parts: building the virtual environment, generating the experimental network topology, and training a model on the network security data set and identifying network security risks with that model.
The method can further solve the poor applicability of traditional network security monitoring equipment and methods, improve the precision of network security monitoring and identification, and identify network intrusion behaviour quickly and accurately. Meanwhile, the hardware resources of the experiment platform are expandable, so the resource pool can be adjusted or expanded according to experimental requirements; and the experiment content is expandable, so experiment resource packages can be adjusted and added according to subsequent actual needs.
The technical solution of the present invention is described in further detail by the accompanying drawings and embodiments.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the principles of the invention and not to limit the invention. In the drawings:
fig. 1 is a flow chart illustrating the principle of complex network security risk monitoring according to a first embodiment of the present invention;
FIG. 2 is a diagram illustrating a data normalization result according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a four-layer neural network according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of a complex network security risk monitoring system in the second embodiment of the present invention.
Detailed Description
The preferred embodiments of the present invention will be described in conjunction with the accompanying drawings, and it will be understood that they are described herein for the purpose of illustration and explanation and not limitation.
In the field of machine learning, artificial neural networks are widely used because of their robustness to data. The convolutional neural network is a feedforward neural network with a deep structure and convolution operations, and is one of the representative algorithms of deep learning; its weight-sharing structure reduces the number of weights and therefore the complexity of the network model.
The embodiments of the invention take into account the limitations of traditional network security monitoring methods, the problems of network security monitoring experiments, the application of artificial intelligence to network security monitoring, and other factors. A network security risk monitoring experiment platform for a complex network environment is built on a virtual network system using artificial intelligence technology, so that the security risk of the complex network is monitored comprehensively, accurately and quickly and the security of the network system is improved.
Fig. 1 is a flowchart of a complex network security risk monitoring method according to an embodiment of the present invention. As shown in fig. 1, the complex network security risk monitoring process includes the following steps:
Step 101: acquire a network security data set, numericalize and normalize the network security data it contains, and convert text data into information readable by a neural network.
In one embodiment of the invention, the simulation runs on a virtual network environment. Virtualization is a resource management technology: existing physical hardware resources (servers, storage, networks and the like) are abstracted and recombined into a single resource pool, on which a number of logically independent devices are virtualized. Several virtual machines can run on one physical machine without affecting each other, which greatly improves resource utilization and reduces maintenance cost.
Using this property, the invention selects Xen, an open-source, free and high-performance virtualization technology, to simulate various operating systems (Windows, Linux), network devices and network security devices on top of the existing physical resource pool, which reduces the investment in experimental hardware.
So that experiments in the simulation environment are realistic and can later be deployed in a real environment, a network topology system must also be built; because an SDN is programmable and reconfigurable, a method that is flexible and reliable in both design and deployment is adopted. The invention selects a network simulator composed of connected end hosts, switches and routers and defines the network topology in it, so that the simulator behaves like a real computer network, new functions can be added to the network flexibly, and the related tests can be performed.
The related network security data sets may include the KDD99 intrusion detection data set, the NSL-KDD intrusion detection data set, the UNSW-NB15 intrusion detection data set, the NASA MDP software defect data set, the CNNVD software security vulnerability data set and the NVD software security vulnerability data set.
The KDD99 data set is an internationally recognized intrusion detection data set containing a large amount of normal and abnormal network traffic data. The training data carries manual labels while the test data is unlabeled; the test data also contains attack types that do not appear in the training data, and its probability distribution differs from that of the training data, which makes the whole data set more realistic.
The KDD99 and NSL-KDD data sets are selected as reference data sets; preprocessing operations such as data filtering, numericalization and normalization are carried out on them, and the training and test sets are generated.
KDD is short for Data Mining and Knowledge Discovery, and KDD CUP is an annual competition organized by SIGKDD (the Special Interest Group on Knowledge Discovery and Data Mining) of the ACM (Association for Computing Machinery). The NSL-KDD data set solves the inherent problems of the KDD99 data set. Although NSL-KDD still has some problems and is not a perfect representation of existing real networks, given the lack of public intrusion detection data sets it can still be used as an effective reference data set to help researchers compare different intrusion detection methods. The training and test sets of NSL-KDD are reasonably constructed, so the evaluation results of different research works are consistent and comparable.
The NSL-KDD data set is a modification of the KDD99 data set. Its training set contains no redundant records, so the classifier is not biased towards more frequent records; its test set contains no duplicate records, so the detection rate is more accurate. The number of records selected from each difficulty-level group is inversely proportional to the percentage of such records in the raw KDD data set; as a result the classification rates of different machine learning methods vary over a wider range, which makes accurate assessment of different learning techniques more effective. The numbers of training and test records are reasonable, so experiments can be run on the complete set at affordable cost without randomly selecting a small fraction. Thus the evaluation results of different research works are consistent and comparable.
Data filtering: analysis of the raw KDD99 data set shows data redundancy and an imbalance between the samples of different attack types in the training and test sets. Redundant data and data of over-represented types are deleted from the raw KDD99 data set by a correlation algorithm, which reduces data redundancy, improves the balance between data types, increases the data processing speed and reduces model overfitting.
Numericalization: the data in the KDD99 data set is text data which the convolutional neural network model cannot process, so the character-type features in the data set must be converted into numerical features. The 3 protocol types (TCP, UDP and ICMP), the 70 destination-host network service types ('aol', 'auth', 'bgp', 'courier', 'csnet_ns', 'ctf', etc.) and the 11 network connection states (OTH, REJ, RSTO, etc.) are numericalized by the mapping below and represented by distinct numerical values.
$f: A \to B$
In the formula, A is the original character-type data, B is the numerical data, and f is the mapping between them.
The attack type is one-hot encoded, converting the text label into information readable by the neural network.
Normalization: the value ranges of the attributes in the KDD99 data set are very uneven, which slows convergence and hurts precision in a deep network, so the relevant data is normalized. The min-max function $x_{ik} = (x_{ij} - x_{\min}) / (x_{\max} - x_{\min})$ normalizes the numerical attributes such as the protocol type, the normal or error connection state and the number of bytes from the source host to the destination host; the result is shown in fig. 2. Here $x_{ik} \in [0, 1]$ is the normalized value, $x_{ij} \in \mathrm{KDD99}$ is the value in the raw data set, and $x_{\min}$ and $x_{\max}$ are the minimum and maximum of the attribute being normalized in the raw data set.
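As an added illustration of step 101 (this is not code from the patent), the following stand-alone Python carries a few constructed KDD99-style records through the preprocessing described above: duplicate filtering, numericalization of protocol_type, service and flag through a deterministic mapping f: A → B, one-hot encoding of the attack label, and min-max normalization to [0, 1] with the constant-column edge case handled. The column layout and sample values are assumptions chosen to resemble KDD99, not rows from the real data set.

```python
"""Preprocessing of KDD99-style connection records as in step 101: data
filtering (duplicate removal), numericalization of the text features through a
mapping f: A -> B, one-hot encoding of the attack label, and min-max
normalization x_ik = (x_ij - x_min) / (x_max - x_min) to [0, 1].
Standard-library Python only; SAMPLE_RECORDS are constructed rows in the KDD99
column order, not rows taken from the real data set."""
from collections import Counter

# Constructed records: (duration, protocol_type, service, flag, src_bytes,
# dst_bytes, label).  The last two rows are exact duplicates on purpose.
SAMPLE_RECORDS = [
    (0, "tcp", "http", "SF", 181, 5450, "normal"),
    (0, "udp", "domain_u", "SF", 44, 44, "normal"),
    (0, "tcp", "private", "S0", 0, 0, "neptune"),
    (0, "icmp", "ecr_i", "SF", 1032, 0, "smurf"),
    (2, "tcp", "ftp_data", "SF", 334, 0, "normal"),
    (0, "tcp", "private", "REJ", 0, 0, "neptune"),
    (0, "tcp", "private", "REJ", 0, 0, "neptune"),
]
CATEGORICAL = {1: "protocol_type", 2: "service", 3: "flag"}  # text columns
LABEL = 6                                                    # attack type


def filter_duplicates(records):
    """Data filtering: drop exact duplicate records, keeping the first copy."""
    seen, kept = set(), []
    for rec in records:
        if rec not in seen:
            seen.add(rec)
            kept.append(rec)
    return kept


def class_balance(records):
    """Share of each label, to spot over-represented classes before filtering."""
    counts = Counter(rec[LABEL] for rec in records)
    total = sum(counts.values())
    return {name: n / total for name, n in counts.items()}


def build_vocab(records, col):
    """Mapping f: A -> B from each distinct text value to a small integer.
    Sorting the vocabulary keeps the mapping deterministic between runs."""
    return {v: i for i, v in enumerate(sorted({rec[col] for rec in records}))}


def minmax(values):
    """x_ik = (x_ij - x_min) / (x_max - x_min).  A constant column has
    x_max == x_min and is mapped to 0.0 instead of dividing by zero."""
    lo, hi = min(values), max(values)
    if hi == lo:
        return [0.0 for _ in values]
    return [(v - lo) / (hi - lo) for v in values]


def preprocess(records):
    """Return (feature_rows, one_hot_labels, vocabularies)."""
    records = filter_duplicates(records)
    vocabs = {name: build_vocab(records, col) for col, name in CATEGORICAL.items()}
    label_vocab = build_vocab(records, LABEL)

    # Numericalize the text columns, then min-max scale every feature column
    # (the page normalizes the protocol and state codes as well as byte counts).
    columns = []
    for col in range(LABEL):
        if col in CATEGORICAL:
            raw = [vocabs[CATEGORICAL[col]][rec[col]] for rec in records]
        else:
            raw = [rec[col] for rec in records]
        columns.append(minmax(raw))
    features = [list(row) for row in zip(*columns)]

    # One-hot encode the label so the softmax output layer can read it.
    labels = []
    for rec in records:
        vec = [0] * len(label_vocab)
        vec[label_vocab[rec[LABEL]]] = 1
        labels.append(vec)
    vocabs["label"] = label_vocab
    return features, labels, vocabs


if __name__ == "__main__":
    feats, labs, vocabs = preprocess(SAMPLE_RECORDS)
    print(vocabs["protocol_type"], vocabs["flag"])
    for f, l in zip(feats, labs):
        print([round(x, 3) for x in f], l)
```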
Step 102: build a four-layer neural network comprising a convolution layer, a pooling layer, a fully connected layer and a logistic regression layer, and train it on the numericalized and normalized network security data set to obtain a classification data set.
In this scheme a four-layer convolutional neural network (convolutional layer + pooling layer + fully connected layer + softmax layer) is built, shown schematically in fig. 3, and feature extraction is performed on the preprocessed network security data set.
The convolution layer extracts features from the data in the network security data set. It consists of several convolution kernels, and feature values are extracted through multiple layers of convolution. The convolution of an m × n image is:
[Convolution formula, shown as an image in the original and not reproduced here.]
In the formula, Z(x, y) is the convolved image; f is the input 2-dimensional image; g is the convolution kernel; m and n are the dimensions of the convolution kernel.
After the convolution, a nonlinear activation is needed to remove redundant information while preserving the mapping of the original data features. The "vanishing gradient" problem is mitigated by a non-saturating activation function, namely the ReLU function:
[ReLU activation formula, shown as an image in the original and not reproduced here.]
In the formula, ReLU(x) = max(0, x): when a value of the matrix x is negative it becomes 0 after activation, and when it is non-negative it is passed through unchanged.
The pooling layer compresses the data features produced by the convolution layer and extracts the main features;
the fully connected layer connects all the main features and sends the output value to the logistic regression layer;
and the logistic regression (softmax) layer outputs the classification data set.
Pooling is a common operation in convolutional neural networks. A pooling layer usually follows a convolutional layer and compresses the input feature map, so that the feature map shrinks and the computational complexity of the network is reduced; at the same time it compresses the features and extracts the main ones, reducing the feature vectors output by the convolutional layer and improving the result (overfitting is less likely).
The fully connected layer connects all the features and sends the output value to a classifier (e.g. a softmax classifier).
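As an added example (not the patent's own code, and not a trained model), the forward pass of the four-layer structure of fig. 3 is written out below in plain Python: convolution as in the Z(x, y) formula, ReLU, 2 × 2 max pooling, a fully connected layer and softmax. The input tile, the two kernels, the weights and the class names are constructed toy values; the patent's network uses 32 learned 3 × 3 filters, 128 fully connected nodes and 40 output nodes.

```python
"""Forward pass of the four-layer structure in fig. 3: convolution -> ReLU ->
2x2 max pooling -> fully connected layer -> softmax, in plain Python so each
layer's arithmetic is visible.  TOY_IMAGE, TOY_KERNELS, the weight matrices and
CLASS_NAMES are constructed values, not parameters from the patent."""
import math


def conv2d(image, kernel):
    """Z(x, y) = sum_i sum_j f(x + i, y + j) * g(i, j): 'valid' convolution
    (cross-correlation, as CNN frameworks implement it) of a 2-D image f with
    an m x n kernel g."""
    m, n = len(kernel), len(kernel[0])
    rows, cols = len(image) - m + 1, len(image[0]) - n + 1
    if rows <= 0 or cols <= 0:
        raise ValueError("kernel larger than image")
    return [[sum(image[x + i][y + j] * kernel[i][j]
                 for i in range(m) for j in range(n))
             for y in range(cols)] for x in range(rows)]


def relu(matrix):
    """Non-saturating activation: negative values become 0, others pass through."""
    return [[max(0.0, v) for v in row] for row in matrix]


def max_pool(matrix, size=2):
    """size x size max pooling with stride size; a trailing odd row or column
    that does not fill a whole window is dropped."""
    rows, cols = len(matrix) // size, len(matrix[0]) // size
    return [[max(matrix[x * size + i][y * size + j]
                 for i in range(size) for j in range(size))
             for y in range(cols)] for x in range(rows)]


def flatten(feature_maps):
    """Concatenate all pooled feature maps into one vector for the dense layer."""
    return [v for fmap in feature_maps for row in fmap for v in row]


def dense(vector, weights, bias):
    """Fully connected layer: out_k = sum_i weights[k][i] * vector[i] + bias[k]."""
    return [sum(w * x for w, x in zip(row, vector)) + b
            for row, b in zip(weights, bias)]


def softmax(logits):
    """Numerically stable softmax: probabilities over the output classes."""
    top = max(logits)
    exps = [math.exp(v - top) for v in logits]
    total = sum(exps)
    return [e / total for e in exps]


def forward(image, kernels, w_fc, b_fc, w_out, b_out):
    """One feature map per kernel -> ReLU -> pool -> dense(ReLU) -> softmax."""
    maps = [max_pool(relu(conv2d(image, k))) for k in kernels]
    hidden = [max(0.0, h) for h in dense(flatten(maps), w_fc, b_fc)]
    return softmax(dense(hidden, w_out, b_out))


# Constructed 6x6 input: 1.0 on the left half, 0.0 on the right, i.e. a single
# vertical edge, standing in for a tile of normalized feature values.
TOY_IMAGE = [[1.0, 1.0, 1.0, 0.0, 0.0, 0.0] for _ in range(6)]
TOY_KERNELS = [
    [[1, 0, -1], [1, 0, -1], [1, 0, -1]],   # responds to vertical edges
    [[1, 1, 1], [0, 0, 0], [-1, -1, -1]],   # responds to horizontal edges
]
# Two 2x2 pooled maps flatten to 8 values; 3 hidden nodes; 3 output classes.
TOY_W_FC = [[0.1] * 4 + [0.0] * 4, [0.0] * 4 + [0.1] * 4, [0.05] * 8]
TOY_B_FC = [0.0, 0.0, 0.0]
TOY_W_OUT = [[1.0, 0.0, 0.0], [0.0, 1.0, 0.0], [0.0, 0.0, 1.0]]
TOY_B_OUT = [0.0, 0.0, 0.0]
CLASS_NAMES = ["neptune", "normal", "smurf"]   # constructed class order


def predict(image):
    """Return (class name, probability vector) for one input tile."""
    probs = forward(image, TOY_KERNELS, TOY_W_FC, TOY_B_FC, TOY_W_OUT, TOY_B_OUT)
    return CLASS_NAMES[probs.index(max(probs))], probs


if __name__ == "__main__":
    name, probs = predict(TOY_IMAGE)
    print(name, [round(p, 3) for p in probs])
```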
The network has four layers (convolutional layer + pooling layer + fully connected layer + softmax layer). The loss function is categorical_crossentropy (multi-class log-loss, for multi-class problems). The optimizer is Adadelta, which runs faster. To prevent overfitting, training is stopped after 14 iterations. To leave a sufficient validation set for evaluating the model, 15% of the training set is split off with a partition function to serve as the validation set, and the F1-score is used as the criterion of experimental effect. Its formulas are:
[The four formulas for precision P_k, recall R_k, accuracy A and the F1-score are shown as images in the original and are not reproduced here.]
In the F1-score formulas above, the meaning of each index is as follows.
TP: positive samples judged positive; TN: negative samples judged negative; FP: negative samples judged positive; FN: positive samples judged negative; P_k: the proportion of samples judged positive that are truly positive; R_k: the proportion of truly positive samples that are judged positive; A: the proportion of all samples that are judged correctly.
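As an added example, not from the patent, the evaluation criteria above (TP, TN, FP, FN, P_k, R_k, A and the F1-score) are computed below in plain Python from constructed true and predicted labels, one class against the rest, with a macro-averaged F1 across classes; the division-by-zero case for a class that is never predicted is handled explicitly. The label lists are constructed, not results from the patent's experiments.

```python
"""Evaluation criteria from the F1-score section: per-class TP, TN, FP, FN,
precision P_k, recall R_k and F1-score, plus overall accuracy A, computed from
true and predicted class labels (one class against the rest).  Standard
library only; Y_TRUE and Y_PRED are constructed label lists, not results from
the patent's experiments."""

# Constructed labels for 10 connections: 6 normal, 3 neptune, 1 smurf.
Y_TRUE = ["normal"] * 6 + ["neptune"] * 3 + ["smurf"]
# Predictions: 5 normal correct, 1 normal -> neptune, 2 neptune correct,
# 1 neptune -> normal, and the lone smurf missed (predicted normal).
Y_PRED = ["normal"] * 5 + ["neptune"] + ["neptune"] * 2 + ["normal"] + ["normal"]


def confusion_counts(y_true, y_pred, cls):
    """One-vs-rest counts for class cls, returned as (TP, TN, FP, FN):
    TP positive judged positive, TN negative judged negative,
    FP negative judged positive, FN positive judged negative."""
    tp = tn = fp = fn = 0
    for t, p in zip(y_true, y_pred):
        if p == cls:
            if t == cls:
                tp += 1
            else:
                fp += 1
        elif t == cls:
            fn += 1
        else:
            tn += 1
    return tp, tn, fp, fn


def precision_recall_f1(tp, fp, fn):
    """P_k = TP / (TP + FP), R_k = TP / (TP + FN), F1 = 2 P R / (P + R).
    A class that is never predicted (or never occurs) yields 0.0 rather than a
    ZeroDivisionError, which matters for rare attack types."""
    p = tp / (tp + fp) if tp + fp else 0.0
    r = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * p * r / (p + r) if p + r else 0.0
    return p, r, f1


def accuracy(y_true, y_pred):
    """A = share of all samples judged correctly."""
    correct = sum(1 for t, p in zip(y_true, y_pred) if t == p)
    return correct / len(y_true)


def evaluate(y_true, y_pred):
    """Per-class report, macro-averaged F1 (unweighted mean over classes, so a
    rare attack class weighs as much as 'normal') and overall accuracy."""
    classes = sorted(set(y_true) | set(y_pred))
    report = {}
    for cls in classes:
        tp, tn, fp, fn = confusion_counts(y_true, y_pred, cls)
        p, r, f1 = precision_recall_f1(tp, fp, fn)
        report[cls] = {"TP": tp, "TN": tn, "FP": fp, "FN": fn,
                       "precision": p, "recall": r, "f1": f1}
    macro_f1 = sum(v["f1"] for v in report.values()) / len(classes)
    return report, macro_f1, accuracy(y_true, y_pred)


if __name__ == "__main__":
    report, macro_f1, acc = evaluate(Y_TRUE, Y_PRED)
    for cls, m in report.items():
        print(f"{cls:8s} TP={m['TP']} FP={m['FP']} FN={m['FN']} "
              f"P={m['precision']:.3f} R={m['recall']:.3f} F1={m['f1']:.3f}")
    print(f"macro-F1={macro_f1:.3f} accuracy={acc:.3f}")
```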
And 103, optimizing and adjusting the neural network according to the network security data set and the corresponding classification data set to obtain a risk monitoring neural network.
The initial learning rate of the convolutional neural network is set to 5 × 10^-4, the number of training iterations to 50, and the number of training samples is about 400,000. By monitoring the training loss (loss), the validation loss (val_loss), the training accuracy (acc) and the validation accuracy (val_acc), the parameters of each network layer are continuously optimized (adding or removing layers, trying different parameters, and so on); the model is trained, evaluated on a test set and adjusted again, and repeating this process finally yields the optimized training model. Convolutional layer parameters: 32 output filters; 3 × 3 convolution window. Pooling layer parameters: 2 × 2 pooling window. Fully connected layer: 128 nodes. Softmax layer: 40 nodes, with the softmax function as the activation function of the nodes.
The stored network model is then used to identify and classify unknown network intrusion data in the virtual environment, and the classification result is normalized.
Step 104: classifying and monitoring network data according to the network security neural network.
With the trained neural network, network security classification monitoring is carried out on specific network data to obtain a classification monitoring result.
The technical scheme of the invention provides a complex network security risk monitoring method based on a simulation environment, which mainly comprises three parts: 1. building a virtual environment; 2. generating an experimental network topology system; 3. performing model training on the network security data set and identifying network security risks with the trained model.
The method can further solve the problem of poor applicability of traditional network security monitoring equipment and methods, improve the precision of network security monitoring and identification, and achieve rapid and accurate identification of network intrusion behaviors. Meanwhile, the hardware resources of the experiment platform are expandable, so the resource pool can be adjusted or expanded according to experiment requirements; and the experiment content is expandable, so the experiment resource package can be adjusted and extended according to subsequent actual requirements.
In the embodiment of the invention, the four-layer neural network uses the cross-entropy loss function categorical_crossentropy as its loss function; uses the Adadelta algorithm as the optimizer; stops training after 14 iterations to prevent model overfitting; and uses a split function to set aside 15% of the training set as a validation set.
The initial learning rate of the four-layer convolutional neural network is set to 5 × 10^-4, the number of training iterations to 50, and the number of training samples to 400,000; the parameters of each network layer are continuously optimized by monitoring the training loss (loss), the validation loss (val_loss), the training accuracy (acc) and the validation accuracy (val_acc), evaluating on a test set, and adjusting the model again; repeating this process finally yields an optimized risk monitoring neural network;
convolutional layer parameters: 32 output filters; 3 × 3 convolution window;
pooling layer parameters: 2 × 2 pooling window;
fully connected layer parameters: 128 nodes;
logistic regression layer parameters: 40 nodes, whose activation function is the logistic regression softmax function.
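The four-layer network specified above (and repeated in the system description below), as an added example that is not code from the patent: a pure-Python forward pass through a convolutional layer (32 filters, 3 × 3 window), a 2 × 2 max-pooling layer, a 128-node fully connected layer and a 40-node softmax layer, followed by the categorical cross-entropy loss. The 8 × 8 input shape, the ReLU activations and the random, untrained weights are assumptions; the patent gives only the layer parameters, and a real implementation would learn the weights with a framework such as Keras, whose metric names (loss, val_loss, acc, val_acc) and option names (categorical_crossentropy, Adadelta) the patent uses.

```python
# Added example (not from the patent): a pure-Python forward pass through the
# four-layer network the patent specifies, with random (untrained) weights.
import math
import random

INPUT_SIDE = 8           # assumption: each preprocessed record reshaped to 8 x 8
FILTERS, KERNEL = 32, 3  # convolutional layer: 32 output filters, 3 x 3 window
POOL = 2                 # pooling layer: 2 x 2 window
HIDDEN = 128             # fully connected layer: 128 nodes
CLASSES = 40             # softmax (logistic regression) layer: 40 nodes

CONV_SIDE = INPUT_SIDE - KERNEL + 1         # 6: valid convolution, no padding
POOLED_SIDE = CONV_SIDE // POOL             # 3
FLAT = FILTERS * POOLED_SIDE * POOLED_SIDE  # 288 inputs to the dense layer


def init_weights(seed=0):
    """Deterministic random weights; a real system would learn these."""
    rng = random.Random(seed)

    def mat(rows, cols, scale):
        return [[rng.uniform(-scale, scale) for _ in range(cols)] for _ in range(rows)]

    return {
        "conv": [mat(KERNEL, KERNEL, 1.0 / KERNEL) for _ in range(FILTERS)],
        "fc": mat(FLAT, HIDDEN, 1.0 / math.sqrt(FLAT)),
        "out": mat(HIDDEN, CLASSES, 1.0 / math.sqrt(HIDDEN)),
    }


def conv_layer(image, kernels):
    """Feature extraction: one ReLU feature map per 3 x 3 filter."""
    maps = []
    for k in kernels:
        fmap = []
        for i in range(CONV_SIDE):
            row = []
            for j in range(CONV_SIDE):
                s = sum(k[a][b] * image[i + a][j + b]
                        for a in range(KERNEL) for b in range(KERNEL))
                row.append(max(0.0, s))
            fmap.append(row)
        maps.append(fmap)
    return maps


def pool_layer(maps):
    """Compression: keep the strongest response in each 2 x 2 window."""
    return [[[max(fmap[i * POOL + a][j * POOL + b]
                  for a in range(POOL) for b in range(POOL))
              for j in range(POOLED_SIDE)]
             for i in range(POOLED_SIDE)]
            for fmap in maps]


def dense(vec, w, activation):
    """Fully connected layer: every input connected to every output node."""
    return activation([sum(v * w[i][j] for i, v in enumerate(vec))
                       for j in range(len(w[0]))])


def relu(v):
    return [max(0.0, x) for x in v]


def softmax(v):
    """Logistic regression output: a probability for each of the 40 classes."""
    m = max(v)
    e = [math.exp(x - m) for x in v]
    s = sum(e)
    return [x / s for x in e]


def forward(image, w):
    """Conv -> pool -> flatten -> fully connected -> softmax."""
    pooled = pool_layer(conv_layer(image, w["conv"]))
    flat = [x for fmap in pooled for row in fmap for x in row]
    hidden = dense(flat, w["fc"], relu)
    return dense(hidden, w["out"], softmax)


def categorical_crossentropy(probs, label, eps=1e-7):
    """Multi-class log loss for one sample with an integer class label."""
    return -math.log(max(probs[label], eps))


def make_sample(seed=1):
    """Constructed 8 x 8 input standing in for one normalized record."""
    rng = random.Random(seed)
    return [[rng.random() for _ in range(INPUT_SIDE)] for _ in range(INPUT_SIDE)]


if __name__ == "__main__":
    weights = init_weights()
    probs = forward(make_sample(), weights)
    print("predicted class:", probs.index(max(probs)),
          "loss vs label 0:", round(categorical_crossentropy(probs, 0), 4))
```

With no padding, the 8 × 8 input becomes 32 feature maps of 6 × 6 after convolution and 3 × 3 after pooling, so the fully connected layer sees 288 inputs; the softmax output always sums to one, and the loss is zero only when the labelled class receives all the probability mass.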
Using the Xen virtualization technology, a plurality of operating systems, various network devices and network security devices are simulated on the basis of the existing physical resource pool, so as to implement the complex network security risk monitoring method.
A network topology is customized with the Mininet network simulator, and a real network environment is simulated, so as to implement the complex network security risk monitoring method.
In order to implement the above process, the technical solution of the present invention further provides a complex network security risk monitoring system; as shown in Fig. 4, the complex network security risk monitoring system comprises:
a preprocessing unit 201, configured to acquire a network security data set, perform numericalization, standardization and normalization processing on the network security data contained in the network security data set, and convert text data into information readable by a neural network;
a neural network unit 202, used to build a four-layer neural network comprising a convolutional layer, a pooling layer, a fully connected layer and a logistic regression layer, so as to train the standardized and normalized network security data set and obtain a classification data set;
an optimizing unit 203, configured to optimize and adjust the neural network according to the network security data set and the corresponding classification data set, so as to obtain a risk monitoring neural network;
and a monitoring unit 204, configured to perform classified monitoring of network data according to the network security neural network.
The preprocessing unit 201 is specifically configured to:
delete the over-represented categories of redundant data in the network security data set, reducing data redundancy and achieving balance among the different categories of data;
digitize the text data in the network security data set, representing different text values with set numerical values;
and normalize the numerical attributes of the data in the network security data set, namely the protocol type, the normal or erroneous connection state, and the number of bytes sent from the source host to the target host.
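The three preprocessing steps above, as an added example that is not code from the patent, run on constructed KDD-style connection records (protocol type, connection state flag, bytes from source to destination and back, label). The record layout, the 2:1 class-balance cap, the sorted integer encoding and the min-max normalization are assumptions; the patent names the steps but not the sampling rule or the scaling formula.

```python
# Added example (not from the patent): the patent's three preprocessing steps,
# balance -> digitize -> normalize, on constructed connection records.
import random

# Constructed sample records: (protocol_type, flag, src_bytes, dst_bytes, label).
# The "normal" class is deliberately over-represented to exercise step 1.
SAMPLE_RECORDS = [
    ("tcp", "SF", 215, 45076, "normal"),
    ("tcp", "SF", 162, 4528, "normal"),
    ("tcp", "SF", 236, 1228, "normal"),
    ("tcp", "SF", 233, 2032, "normal"),
    ("tcp", "SF", 239, 486, "normal"),
    ("tcp", "SF", 238, 1282, "normal"),
    ("udp", "SF", 105, 146, "normal"),
    ("udp", "SF", 105, 147, "normal"),
    ("icmp", "SF", 1032, 0, "smurf"),
    ("icmp", "SF", 1032, 0, "smurf"),
    ("tcp", "S0", 0, 0, "neptune"),
    ("tcp", "REJ", 0, 0, "neptune"),
]

LABEL = 4                 # index of the label column
TEXT_COLUMNS = (0, 1, 4)  # columns holding text that must be digitized
FEATURES = (0, 1, 2, 3)   # columns fed to the network (all normalized)


def balance(records, max_ratio=2.0, seed=0):
    """Step 1: drop surplus records of over-represented classes so that no
    class holds more than max_ratio times the smallest class (assumed rule).
    Sampling is seeded so the reduced set is reproducible."""
    by_label = {}
    for r in records:
        by_label.setdefault(r[LABEL], []).append(r)
    cap = int(max_ratio * min(len(g) for g in by_label.values()))
    rng = random.Random(seed)
    kept = []
    for group in by_label.values():
        if len(group) > cap:
            group = rng.sample(group, cap)
        kept.extend(group)
    return kept


def digitize(records, text_columns=TEXT_COLUMNS):
    """Step 2: map each distinct text value of a column to a small integer
    (sorted order, so the code book is stable across runs)."""
    vocabs = {}
    for c in text_columns:
        values = sorted({r[c] for r in records})
        vocabs[c] = {v: i for i, v in enumerate(values)}
    rows = []
    for r in records:
        row = list(r)
        for c, vocab in vocabs.items():
            row[c] = vocab[r[c]]
        rows.append(row)
    return rows, vocabs


def normalize(rows, columns=FEATURES):
    """Step 3: min-max scale every feature column into [0, 1]; a constant
    column is left at 0 instead of dividing by zero."""
    out = [list(r) for r in rows]
    for c in columns:
        lo = min(r[c] for r in rows)
        hi = max(r[c] for r in rows)
        span = (hi - lo) or 1
        for r in out:
            r[c] = (r[c] - lo) / span
    return out


def preprocess(records):
    """Full pipeline; returns feature rows, integer labels and the code books."""
    balanced = balance(records)
    digitized, vocabs = digitize(balanced)
    scaled = normalize(digitized)
    x = [[row[c] for c in FEATURES] for row in scaled]
    y = [row[LABEL] for row in scaled]
    return x, y, vocabs


if __name__ == "__main__":
    x, y, vocabs = preprocess(SAMPLE_RECORDS)
    print(len(x), "records after balancing; label codes:", vocabs[LABEL])
    for features, label in zip(x, y):
        print([round(v, 3) for v in features], label)
```

The label column is digitized but never scaled, since it is the class index the softmax layer predicts; the feature columns, including the integer codes for protocol type and connection state, all end up in [0, 1], which is what the patent's normalization step requires before the data is handed to the network.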
The neural network unit 202 is specifically configured to build a four-layer neural network comprising:
a convolutional layer, used to extract features from the data in the network security data set;
a pooling layer, used to compress the data features processed by the convolutional layer and extract the main features;
a fully connected layer, used to connect all the main features and send the output values to the logistic regression layer;
and a logistic regression layer, used to output the classification data set.
The four-layer neural network further comprises:
using the cross-entropy loss function categorical_crossentropy as the loss function;
using the Adadelta algorithm as the optimizer;
stopping training after 14 iterations to prevent model overfitting;
using a split function to set aside 15% of the training set as a validation set.
The initial learning rate of the four-layer convolutional neural network is set to 5 × 10^-4, the number of training iterations to 50, and the number of training samples to 400,000;
the parameters of each network layer are continuously optimized by monitoring the training loss (loss), the validation loss (val_loss), the training accuracy (acc) and the validation accuracy (val_acc), evaluating on a test set, and adjusting the model again;
and repeating this process finally yields the optimized risk monitoring neural network.
Convolutional layer parameters: 32 output filters; 3 × 3 convolution window;
pooling layer parameters: 2 × 2 pooling window;
fully connected layer parameters: 128 nodes;
logistic regression layer parameters: 40 nodes, whose activation function is the logistic regression softmax function.
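The monitoring loop described above (and in the method description earlier), which watches loss, val_loss, acc and val_acc and adjusts the model, as an added example that is not code from the patent: an early-stopping monitor over a constructed 20-epoch history that records the best validation epoch, stops once val_loss has not improved for a patience window, and reports the train/validation accuracy gap as an overfitting indicator. The history values, the patience of 5 and the min_delta threshold are constructed assumptions; the patent fixes its stop point at 14 iterations rather than deriving it from val_loss.

```python
# Added example (not from the patent): early-stopping monitor over a
# constructed per-epoch history of loss, val_loss, acc and val_acc.
from dataclasses import dataclass


@dataclass
class EarlyStopping:
    """Stop when val_loss has not improved by min_delta for `patience` epochs."""
    patience: int = 5
    min_delta: float = 1e-3
    best_val_loss: float = float("inf")
    best_epoch: int = -1
    wait: int = 0
    stopped_epoch: int = -1

    def update(self, epoch, val_loss):
        """Record one epoch; return True when training should stop."""
        if val_loss < self.best_val_loss - self.min_delta:
            self.best_val_loss, self.best_epoch, self.wait = val_loss, epoch, 0
            return False
        self.wait += 1
        if self.wait >= self.patience:
            self.stopped_epoch = epoch
            return True
        return False


def constructed_history(epochs=20):
    """Constructed (not measured) history: training loss keeps falling while
    validation loss bottoms out at epoch 8 and then rises, the overfitting
    signature the patent guards against by stopping training early."""
    history = []
    for e in range(epochs):
        loss = 1.6 * 0.85 ** e
        val_loss = 0.58 + 0.004 * (e - 8) ** 2
        acc = 1.0 - 0.9 * 0.8 ** e
        val_acc = acc - 0.02 * max(0, e - 8)
        history.append({"loss": loss, "val_loss": val_loss,
                        "acc": acc, "val_acc": val_acc})
    return history


def monitor(history, patience=5):
    """Walk the history epoch by epoch as a training loop would; return the
    monitor state and the train/validation accuracy gap at the epoch where
    training stopped (or at the last epoch if it never triggered)."""
    es = EarlyStopping(patience=patience)
    last = 0
    for epoch, rec in enumerate(history):
        last = epoch
        if es.update(epoch, rec["val_loss"]):
            break
    gap = history[last]["acc"] - history[last]["val_acc"]
    return es, round(gap, 4)


if __name__ == "__main__":
    state, gap = monitor(constructed_history())
    print("best epoch:", state.best_epoch, "stopped at:", state.stopped_epoch,
          "acc - val_acc at stop:", gap)
```

A falling training loss with a rising validation loss is the signal to stop and roll back to the best epoch; in the constructed history the monitor stops at epoch 13 with epoch 8 as the best, and the widening acc/val_acc gap confirms the model had started to memorize the training set.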
Using the Xen virtualization technology, a plurality of operating systems, various network devices and network security devices are simulated on the basis of the existing physical resource pool, so as to implement the complex network security risk monitoring method.
A network topology is customized with the Mininet network simulator, and a real network environment is simulated, so as to implement the complex network security risk monitoring method.
In summary, in the technical scheme of the invention, the complex network security risk monitoring experiment platform adopts technologies such as virtual servers and virtual networks, and an interconnection device is designed to realize the interconnection and deployment of virtual and real nodes in the experiment platform, construct a high-fidelity experiment environment of a ship's actual navigation network system, realize efficient co-fusion and effective isolation of basic component resources, and realize whole-process, multi-user and multi-scenario concurrent management and control of the experiment platform.
An interactive network security monitoring system is built, and a real operating system and a real network system are provided through the virtual environment. The external interface and the internal interface of the gateway host adopt bridge mode and are connected to the Internet and to the virtual network security host respectively; the gateway is the only connection point between the network security monitoring system and other networks, and all network flows into and out of the system pass through the gateway and are controlled and audited by it.
A four-layer convolutional neural network (convolutional layer + pooling layer + fully connected layer + softmax layer) is constructed. The loss function uses categorical_crossentropy (multi-class log loss, for multi-class problems). The optimizer uses Adadelta, which runs faster. To prevent overfitting, the model is optimized by stopping training after 14 iterations. To leave enough validation data to evaluate the model, a split function is used to partition out 15% of the training set as the validation set.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (10)

1. A complex network security risk monitoring method, characterized by comprising the following steps:
acquiring a network security data set, performing numericalization, standardization and normalization processing on the network security data contained in the network security data set, and converting text data into information readable by a neural network;
building a four-layer neural network comprising a convolutional layer, a pooling layer, a fully connected layer and a logistic regression layer to train the standardized and normalized network security data set and obtain a classification data set;
optimizing and adjusting the neural network according to the network security data set and the corresponding classification data set to obtain a risk monitoring neural network;
and performing classified monitoring of network data according to the network security neural network.
2. The complex network security risk monitoring method according to claim 1, wherein the numericalization, standardization and normalization of the network security data comprises:
deleting the over-represented categories of redundant data in the network security data set, reducing data redundancy and achieving balance among the different categories of data;
digitizing the text data in the network security data set, representing different text values with set numerical values;
and normalizing the numerical attributes of the data in the network security data set, namely the protocol type, the normal or erroneous connection state, and the number of bytes sent from the source host to the target host.
3. The complex network security risk monitoring method according to claim 1, wherein the four-layer neural network comprises:
a convolutional layer, used to extract features from the data in the network security data set;
a pooling layer, used to compress the data features processed by the convolutional layer and extract the main features;
a fully connected layer, used to connect all the main features and send the output values to the logistic regression layer;
and a logistic regression layer, used to output the classification data set.
4. The complex network security risk monitoring method according to claim 3, wherein the four-layer neural network further comprises:
using the cross-entropy loss function categorical_crossentropy as the loss function;
using the Adadelta algorithm as the optimizer;
stopping training after 14 iterations to prevent model overfitting;
using a split function to set aside 15% of the training set as a validation set.
5. The complex network security risk monitoring method according to claim 3, wherein the four-layer neural network further comprises:
the initial learning rate of the four-layer convolutional neural network is set to 5 × 10^-4, the number of training iterations to 50, and the number of training samples to 400,000;
the parameters of each network layer are continuously optimized by monitoring the training loss (loss), the validation loss (val_loss), the training accuracy (acc) and the validation accuracy (val_acc), evaluating on a test set, and adjusting the model again;
repeating this process finally yields an optimized risk monitoring neural network;
convolutional layer parameters: 32 output filters; 3 × 3 convolution window;
pooling layer parameters: 2 × 2 pooling window;
fully connected layer parameters: 128 nodes;
logistic regression layer parameters: 40 nodes, whose activation function is the logistic regression softmax function.
6. The complex network security risk monitoring method according to any one of claims 1 to 5, wherein the method further comprises:
simulating, by the Xen virtualization technology, a plurality of operating systems, various network devices and network security devices on the basis of the existing physical resource pool, so as to implement the complex network security risk monitoring method.
7. The complex network security risk monitoring method according to any one of claims 1 to 5, wherein the method further comprises:
customizing a network topology with the Mininet network simulator and simulating a real network environment, so as to implement the complex network security risk monitoring method.
8. A complex network security risk monitoring system, comprising:
a preprocessing unit, used to acquire the network security data set, perform numericalization, standardization and normalization processing on the network security data contained in the network security data set, and convert text data into information readable by the neural network;
a neural network unit, used to build a four-layer neural network comprising a convolutional layer, a pooling layer, a fully connected layer and a logistic regression layer, so as to train the standardized and normalized network security data set and obtain a classification data set;
an optimization unit, used to optimize and adjust the neural network according to the network security data set and the corresponding classification data set to obtain a risk monitoring neural network;
and a monitoring unit, used to perform classified monitoring of network data according to the network security neural network.
9. The complex network security risk monitoring system according to claim 8, wherein the preprocessing unit is specifically configured to:
delete the over-represented categories of redundant data in the network security data set, reducing data redundancy and achieving balance among the different categories of data;
digitize the text data in the network security data set, representing different text values with set numerical values;
and normalize the numerical attributes of the data in the network security data set, namely the protocol type, the normal or erroneous connection state, and the number of bytes sent from the source host to the target host.
10. The complex network security risk monitoring system according to claim 8, wherein the neural network unit is specifically configured to build a four-layer neural network comprising:
a convolutional layer, used to extract features from the data in the network security data set;
a pooling layer, used to compress the data features processed by the convolutional layer and extract the main features;
a fully connected layer, used to connect all the main features and send the output values to the logistic regression layer;
and a logistic regression layer, used to output the classification data set.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010786578.XA CN111935134A (en) 2020-08-06 2020-08-06 Complex network security risk monitoring method and system

Publications (1)

Publication Number Publication Date
CN111935134A true CN111935134A (en) 2020-11-13

Family

ID=73308027

Country Status (1)

Country Link
CN (1) CN111935134A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112328505A (en) * 2021-01-04 2021-02-05 中国人民解放军国防科技大学 Method and system for improving coverage rate of fuzz test
CN113128571A (en) * 2021-03-30 2021-07-16 国网甘肃省电力公司电力科学研究院 Method for detecting artificial intelligence technology in network security
CN113487010A (en) * 2021-05-21 2021-10-08 国网浙江省电力有限公司杭州供电公司 Power grid network security event analysis method based on machine learning
CN113487010B (en) * 2021-05-21 2024-01-05 国网浙江省电力有限公司杭州供电公司 Power grid network security event analysis method based on machine learning
CN113568703A (en) * 2021-06-16 2021-10-29 盐城一方信息技术有限公司 Computer network security system based on virtualization technology
CN113568703B (en) * 2021-06-16 2024-04-05 江苏言安信息技术有限公司 Computer network security system based on virtualization technology

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109309675A (en) * 2018-09-21 2019-02-05 华南理工大学 A network intrusion detection method based on convolutional neural networks
CN109379379A (en) * 2018-12-06 2019-02-22 中国民航大学 Network intrusion detection method based on an improved convolutional neural network
CN110896381A (en) * 2019-11-25 2020-03-20 中国科学院深圳先进技术研究院 Deep neural network-based traffic classification method and system and electronic equipment
CN111275165A (en) * 2020-01-16 2020-06-12 南京邮电大学 Network intrusion detection method based on improved convolutional neural network
CN111353153A (en) * 2020-03-04 2020-06-30 南京邮电大学 GEP-CNN-based power grid malicious data injection detection method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20201113