CN114254130A - Relation extraction method of network security emergency response knowledge graph - Google Patents


Info

Publication number
CN114254130A
CN114254130A
Authority
CN
China
Prior art keywords
vector
network security
extracting
convolution
emergency response
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210184821.XA
Other languages
Chinese (zh)
Inventor
车洵
孙捷
胡牧
梁小川
刘志顺
金奎�
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing Zhongzhiwei Information Technology Co ltd
Original Assignee
Nanjing Zhongzhiwei Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nanjing Zhongzhiwei Information Technology Co ltd filed Critical Nanjing Zhongzhiwei Information Technology Co ltd
Priority to CN202210184821.XA priority Critical patent/CN114254130A/en
Publication of CN114254130A publication Critical patent/CN114254130A/en
Pending legal-status Critical Current

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/30 Information retrieval of unstructured textual data
    • G06F16/36 Creation of semantic tools, e.g. ontology or thesauri
    • G06F16/367 Ontology
    • G06F40/00 Handling natural language data
    • G06F40/30 Semantic analysis
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/045 Combinations of networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Computational Linguistics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Artificial Intelligence (AREA)
  • Data Mining & Analysis (AREA)
  • General Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • Computing Systems (AREA)
  • Molecular Biology (AREA)
  • Evolutionary Computation (AREA)
  • Mathematical Physics (AREA)
  • Software Systems (AREA)
  • Biophysics (AREA)
  • Animal Behavior & Ethology (AREA)
  • Databases & Information Systems (AREA)
  • Audiology, Speech & Language Pathology (AREA)
  • Machine Translation (AREA)

Abstract

The invention discloses a relation extraction method for a network security emergency response knowledge graph, which comprises the following steps: giving a network security response knowledge text; vectorizing the knowledge text data by extracting the vocabulary in the network security response knowledge text and mapping each word to a K-dimensional vocabulary vector; extracting the position vector corresponding to each vocabulary vector by converting the relative distances between the current word and the entities e1 and e2 into a vector representation; extracting the semantic features of sentences with a residual piecewise convolutional neural network JRpcnn to form feature vectors, taking the vocabulary vectors and their corresponding position vectors as the input of the JRpcnn. The method effectively reduces the influence of noisy data on distant supervision and extracts entity relations from network security emergency response text more accurately.

Description

Relation extraction method of network security emergency response knowledge graph
Technical Field
The invention relates to the field of network security emergency response, in particular to a relation extraction method of a network security emergency response knowledge graph.
Background
Network security emergency response refers to a computer dealing with possible threats, and with what to do after a threat has occurred, based on internally stored security knowledge. Traditional passive network defense methods struggle to respond quickly to increasingly complex threats, so people keep innovating in the network security field, and the standard set for the capability and efficiency of emergency command in unusual situations keeps rising. People have therefore proposed using the knowledge graph to handle network security problems: the knowledge graph is a new idea for analyzing and processing data in network security analysis, and the network security emergency response knowledge graph arose accordingly. It is a data-driven and computationally powerful tool. Personnel working in network security can intuitively understand the relationships between network security entities through such a graph, for example the exploitation relationship between malicious software and vulnerabilities, the affiliation between attackers and organizations, and the relationship between software and vulnerabilities, and can thereby deal with network security problems better. After entities are extracted from a network security emergency response text base, the obtained entities are very dispersed, and the relations between them need to be known to obtain further information. Relation extraction is therefore a very important task in constructing a network security emergency response knowledge graph from unstructured data.
Relation Extraction (RE) is a very important part of Natural Language Processing (NLP). There are many relation extraction methods, such as bootstrapping, unsupervised relation discovery and supervised classification. Most existing RE methods require a large amount of labeled relation-specific training data, which is very time-consuming and labor-intensive. Distant supervision is an efficient and effective strategy for automatically labeling training data. However, the assumption behind distant supervision is too strong and often leads to label errors. Under the distant-supervision framework, some recent work has therefore attempted to use deep neural networks for relation prediction. A relation extraction method for the network security emergency response knowledge graph is thus urgently needed to solve the above problems.
Disclosure of Invention
Therefore, a relation extraction method for the network security emergency response knowledge graph needs to be provided, one that reduces the influence of noisy data on distant supervision and lays a firm foundation for subsequently building the network security emergency response knowledge graph.
In order to achieve the above object, the inventor provides a relationship extraction method of a network security emergency response knowledge-graph, comprising the following steps:
s1: giving a network security response knowledge text;
s2: vectorizing the knowledge text data, namely extracting words in the network security response knowledge text, and mapping the words to a K-dimensional word vector;
s3: extracting the position vector corresponding to the vocabulary vector by adopting a position vector mapping method, namely extracting the relative distance between the current word entity e1 and entity e2, and converting it into a vector representation by embedding;
s4: extracting semantic features of sentences by adopting a residual segmented convolutional neural network JRpcnn to form feature vectors, namely using the vocabulary vectors obtained in the steps S2 and S3 and the position vectors corresponding to the vocabulary vectors as the input of the residual segmented convolutional neural network JRpcnn;
s5: the feature vectors derived in step S4 are further processed using the multiple instance attention mechanism MIT and entity relationships are obtained.
As a preferred embodiment of the present invention, step S2: vectorizing the knowledge text data, namely extracting vocabularies in the network security response knowledge text, and mapping the vocabularies to a K-dimensional vocabulary vector, comprises the following steps:
s201: inputting an original network security emergency response knowledge text, and converting each input word token into a vector by looking up a pre-trained word embedding;
s202: for a given sentence S = {w_1, w_2, ..., w_n} consisting of n words, each word is mapped to a low-dimensional real-value vector space by using a word2vec model, where word2vec takes the One-Hot code of a word as input and obtains the output through a hidden layer of a neural network;
s203: the sentence is then processed into word vectors, finally obtaining the vector representation of each word in the sentence and forming a word vector query matrix Wv; each input training sequence is mapped through the query matrix Wv to obtain the corresponding vocabulary vectors q = {q_1, q_2, ..., q_n}.
As a preferred embodiment of the present invention, step S3: the method for extracting the position vector corresponding to the vocabulary vector by adopting the position vector mapping representation method, namely converting the relative distance between the current word entity and the entity into vector representation by embedding comprises the following steps:
s301: pf is defined as the combination of the relative distances from the current word to entity e1 and entity e2; two position embedding matrices PF1 and PF2 are randomly initialized, and the relative distances are converted into position vectors by looking them up in the position embedding matrices;
s302: in sentence position vectorization, if the dimension of the vocabulary vector is dw and the dimension of the position vector is dp, then the sentence vector dimension is d = dw + 2*dp; the combination of the vocabulary vector and the position vectors forms a sentence vector Q of size s x d, and the sentence vector Q is then fed to the convolution part.
As a preferred embodiment of the present invention, step S4: extracting semantic features of sentences by adopting a residual segmented convolutional neural network JRpcnn to form feature vectors, namely using the vocabulary vectors obtained in the steps S2 and S3 and the position vectors corresponding to the vocabulary vectors as the input of the residual segmented convolutional neural network JRpcnn, and comprising the following steps:
s401: extracting semantic information of a network security emergency response knowledge text by adopting a residual error segmented convolutional neural network JRpcnn, wherein two convolutional layers form a residual error block, and an activation function Relu is adopted for nonlinear mapping after each convolutional layer;
s402: convolution is an operation between a convolution kernel W and the input vector sequence q, where the convolution kernel W is a weight matrix used as a convolution filter; with n convolution kernels, the convolution operation can be expressed as:

c_ij = W_i · q_(j-w+1:j),  1 <= i <= n,  1 <= j <= s + w - 1

wherein i and j are the indices of c_ij, n is the number of convolution kernels, s is the dimensionality of the sentence vector, w is the dimensionality of the convolution kernels, and q_(j-w+1:j) represents the concatenation of q_(j-w+1) to q_j.
The result of one pass of convolution is a matrix C = [c_1, c_2, ..., c_n] of size n x (s + w - 1).
as a preferred embodiment of the present invention, the method further comprises the steps of:
s403: the dimensionality of all convolution kernels in the residual piecewise convolutional neural network is w, and a boundary filling operation is adopted; the convolution kernels of the two convolution layers are W1 and W2; from step S401, the result obtained after the first convolution layer of the residual block is C1 = Relu(W1 · q + b1), and the result obtained after the second convolution layer is C2 = Relu(W2 · C1 + b2), wherein b1 and b2 are offset vectors; the output vector of the residual convolution block is C = F(x) + x, where F(x) is the output result of the second convolution layer and x is the input of the first convolution layer;
s404: after the convolution layer obtains semantic features, the most representative local features are further extracted through a pooling layer, adopting a piecewise max pooling process with the formula:

p_ij = max(c_ij),  1 <= i <= n,  j = 1, 2, 3

For the output of each convolution kernel of the pooling layer we can obtain a 3-dimensional vector p_i = {p_i1, p_i2, p_i3}, and the piecewise pooling outputs of all convolution kernels are then concatenated into p_(1:n); the nonlinear function output is then:

g = tanh(p_(1:n))

wherein p_(1:n) is the concatenation of p_1 to p_n, and the tanh() function is an activation function in a neural network.
As a preferred embodiment of the present invention, step S5: further processing the feature vectors obtained in step S4 using the multiple instance attention mechanism MIT, and obtaining entity relationships comprises the steps of:
s501: a vector is set for an instance set B = {g_1, g_2, ..., g_m}; the instance set vector describes a corresponding network security emergency response entity pair (e1, e2), wherein g_i represents the output of the neural network;
s502: computing the degree of correlation between each instance vector g_i and the relation r, and calculating the instance set vector S, wherein the calculation formula of S is:

S = Σ_i α_i g_i

so the computation of the instance set vector S depends on each instance in the set; wherein α_i is the weight of the input instance vector g_i, used for measuring its correlation with the corresponding relation r, and the calculation formula of α_i is as follows:

α_i = exp(e_i) / Σ_k exp(e_k)

where e_i = q(g_i, r) is a basic query function, which represents the matching degree between the output vector g_i and the predicted relation r;
s503: after calculating the value of the instance set vector S, the likelihood of the predicted relation is calculated; p represents the likelihood of the predicted relation, and the calculation formula of p is as follows:

p(r | B) = exp(o_r) / Σ_k exp(o_k)

wherein S describes the corresponding network security emergency response entity pair, M is a previously defined relation vector matrix, b represents an offset vector, and o, the score vector of the corresponding relations for the entity pair, is calculated as follows:

o = M S + b
Compared with the prior art, the method reduces the influence of noisy data on distant supervision, and the deep residual structure better extracts the deep semantic features of sentences, so that entity relations are extracted more accurately from network security emergency response texts, laying a firm foundation for subsequently building the network security emergency response knowledge graph.
Drawings
Fig. 1 is a frame diagram of a relationship extraction method of a network security emergency response knowledge-graph according to an embodiment.
Fig. 2 is a schematic diagram of a position code according to an embodiment.
FIG. 3 is a schematic diagram of a Word2vec model according to an embodiment.
FIG. 4 is a schematic diagram of a Skip-Gram model according to an embodiment.
Figure 5 is a graph of the trend of AUC results under cnn, pcnn and JRpcnn neural network models, in accordance with embodiments.
FIG. 6 is a graph of the trend of AUC results under the AVE, ONE and MIT mechanisms according to the embodiments.
Detailed Description
To explain technical contents, structural features, and objects and effects of the technical solutions in detail, the following detailed description is given with reference to the accompanying drawings in conjunction with the embodiments.
Referring to fig. 1 to 6 together, the knowledge graph is a new idea for analyzing and processing data in network security emergency response. To better associate network security emergency response data when constructing a knowledge graph, this embodiment provides a relation extraction method for the network security emergency response knowledge graph. The method can accurately and quickly extract the relations between entities in network security emergency response text and helps establish the network security emergency response knowledge graph more quickly; it can be used by network companies to build their own network security emergency response knowledge bases.
As shown in fig. 1, the main structure of the method is as follows:
the input to the network is the original network security emergency response text. When using neural networks, we typically convert word tokens into low-dimensional vectors. In this embodiment, each input word token is converted to a vector by looking up the pre-trained word embedding. Furthermore, we use location features to designate each entity pair and represent these location features with a location vector.
For a given sentence S = {w_1, w_2, ..., w_n} consisting of n words, each word is mapped to a low-dimensional real-valued vector space using the word2vec (word vector generation) model. The general structure of the word2vec model is shown in fig. 3: word2vec takes the One-Hot coding of a word as input and obtains the output through a hidden layer of a neural network. The word2vec model is trained in the Skip-Gram manner (predicting context words from the central word), the general flow of which is shown in fig. 4: given a word in a text, the neural network is used to predict the words adjacent to it.
The sentence is then processed into word vectors, finally obtaining the vector representation of each word in the sentence and forming a word vector query matrix Wv. Each input training sequence can be mapped through the query matrix Wv to obtain the corresponding real-valued vectors q = {q_1, q_2, ..., q_n}.
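As an illustrative sketch of this lookup step (the vocabulary, vector values and dimension here are made up for demonstration, not the patent's trained word2vec weights):

```python
import random

def build_word_vectors(vocab, dim, seed=0):
    # Hypothetical stand-in for the pre-trained word2vec query matrix Wv:
    # every vocabulary word maps to a dim-dimensional real-valued vector.
    rng = random.Random(seed)
    return {w: [rng.uniform(-1.0, 1.0) for _ in range(dim)] for w in vocab}

def sentence_to_vectors(tokens, word_vectors):
    # Map each token of the sentence through the query matrix,
    # mirroring the lookup that yields q = {q1, ..., qn}.
    return [word_vectors[t] for t in tokens]

tokens = ["jack", "finds", "chrome", "has", "xss", "vulnerability"]
wv = build_word_vectors(tokens, dim=4)
q = sentence_to_vectors(tokens, wv)
```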
In the relation extraction task for the network security emergency response knowledge graph, the emphasis is placed on finding the relations between entity pairs. Generally, the words near the entities say more about the relation between them, so the position of each word in the sentence relative to the two entities is also important in relation extraction. Pf is defined here as the combination of the relative distances from the current word to entity e1 and entity e2. Two position embedding matrices PF1 and PF2 are randomly initialized, and the relative distances are then converted into real-valued vectors by looking up the position embedding matrices. For example, consider the vectorized representation of "Jack finds chrome has xss vulnerability" (Jack finds that the Google browser has an xss hole) shown in fig. 2, where "chrome" and "xss" in the sentence correspond to entity e1 and entity e2 respectively. Then, the distance from "Jack" to "chrome" is 2, and the distance from "vulnerability" to "xss" is -1.
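The relative-distance convention in this example can be sketched as follows (the clipping threshold is an assumed hyperparameter, not stated in the patent):

```python
def relative_positions(n_tokens, e1_idx, e2_idx):
    # Distance convention taken from the worked example: "Jack" (index 0)
    # to "chrome" (index 2) gives 2, and "vulnerability" (index 5) to
    # "xss" (index 4) gives -1, i.e. distance = entity index - word index.
    return [(e1_idx - i, e2_idx - i) for i in range(n_tokens)]

def clip_distance(d, max_dist=30):
    # Relative distances are clipped before the PF1/PF2 lookup so the
    # randomly initialized embedding matrices stay finite in size
    # (max_dist is an assumed value, not from the patent).
    return max(-max_dist, min(max_dist, d))

# "Jack finds chrome has xss vulnerability": e1 = "chrome", e2 = "xss"
pf = relative_positions(6, e1_idx=2, e2_idx=4)
```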
In sentence position vectorization, if the word vector dimension is dw and the position vector dimension is dp, then the sentence vector dimension is:

d = dw + 2*dp

The word vectors and the position vectors are combined to form a sentence vector Q of size s x d, and the sentence vector Q is then fed to the convolution part.
In the relationship extraction in the network security emergency response knowledge graph establishing process, all local features are required to be utilized, and the prediction is carried out in a global scope. When using neural networks, the convolution method is the best way to combine all these features.
The embodiment designs a residual segmented neural network block for extracting semantic information of a network security emergency response knowledge sentence, wherein two convolutional layers form a residual block, and an activation function Relu is used for nonlinear mapping after each convolutional layer.
Convolution is an operation between a convolution kernel W and the input vector sequence q, where W is a weight matrix used as the convolution filter; in the example shown in fig. 1, the size of the convolution kernel is set to w (w = 3). This embodiment defines Q as the sequence {q_1, q_2, ..., q_s}, where each q_i is a real-valued vector; in general, q_(j-w+1:j) refers to the concatenation of q_(j-w+1) to q_j.
Convolution takes the dot product of the convolution kernel W with the sequence q to obtain another sequence c:

c_j = W · q_(j-w+1:j)

where the index j ranges from 1 to s + w - 1. To capture different features, multiple convolution kernels generally need to be used; assuming n convolution kernels W = {W_1, W_2, ..., W_n}, the convolution operation can be expressed as:

c_ij = W_i · q_(j-w+1:j),  1 <= i <= n,  1 <= j <= s + w - 1

wherein i and j are the indices of c_ij, n is the number of weight matrices, s is the dimension of the sentence vector, and w is the dimension of the convolution kernel.
The result of one pass of convolution is a matrix C = [c_1, c_2, ..., c_n] of size n x (s + w - 1).
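A minimal sketch of this convolution for one kernel, assuming zero values for positions outside the sentence (which is what makes the output length s + w - 1):

```python
def conv1d(W, Q, w):
    # One kernel W (a flat weight vector over a window of w token vectors)
    # slid across the sentence matrix Q (s rows of d values). Positions
    # outside the sentence are zero-filled, so the output has length
    # s + w - 1, matching c_j = W . q_(j-w+1:j).
    s, d = len(Q), len(Q[0])
    out = []
    for j in range(1, s + w):                # j = 1 .. s + w - 1
        window = []
        for k in range(j - w + 1, j + 1):    # q_(j-w+1) .. q_j
            window += Q[k - 1] if 1 <= k <= s else [0.0] * d
        out.append(sum(a * b for a, b in zip(W, window)))
    return out
```

Running n kernels and stacking their outputs row by row yields the n x (s + w - 1) matrix C described above.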
The sizes of all convolution kernels in the residual piecewise convolutional network are w, and to ensure that the size of the newly generated feature matrix is the same as that of the original feature matrix, a boundary filling operation is adopted. The convolution kernels of the two convolution layers are W1 and W2. The result obtained after the first convolution layer of the residual block is:

C1 = Relu(W1 · q + b1)

The result obtained after the second convolution layer is:

C2 = Relu(W2 · C1 + b2)

wherein b1 and b2 are the offset vectors; the output vector of the residual convolution block is C = F(x) + x, where F(x) is the output result of the second convolutional layer and x is the input of the first convolutional layer.
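A toy sketch of the residual block on 1-D inputs, assuming zero boundary filling and Relu after each layer as described (the kernel values in the test are illustrative only):

```python
def relu(v):
    return [max(0.0, x) for x in v]

def conv_same(x, kernel):
    # "Same"-size 1-D convolution: boundary (zero) filling keeps the
    # output length equal to the input length, which the residual
    # addition C = F(x) + x requires.
    w = len(kernel)
    pad = w // 2
    p = [0.0] * pad + list(x) + [0.0] * pad
    return [sum(kernel[k] * p[i + k] for k in range(w)) for i in range(len(x))]

def residual_block(x, k1, k2):
    # Two convolution layers, each followed by Relu, then the skip
    # connection: C = F(x) + x with F(x) the second layer's output.
    f = relu(conv_same(relu(conv_same(x, k1)), k2))
    return [a + b for a, b in zip(f, x)]
```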
After the convolutional layer obtains semantic features, the most representative local features are further extracted through the pooling layer, and to obtain feature information of different sentence structures, a piecewise max pooling process is adopted. As shown in fig. 1, the output c_i of each convolution kernel is divided into 3 parts by the two entities, so the pooled output for each kernel is a 3-dimensional vector:

p_i = {p_i1, p_i2, p_i3}

Piecewise max pooling takes the maximum value of each part:

p_ij = max(c_ij),  1 <= i <= n,  j = 1, 2, 3

For the output of each convolution kernel of the pooling layer we can thus obtain a 3-dimensional vector p_i, and the piecewise pooling outputs of all convolution kernels are then concatenated into p_(1:n). The output of the nonlinear function is then:

g = tanh(p_(1:n))

wherein p_(1:n) is the concatenation of p_1 to p_n, and the tanh() function is an activation function in the neural network.
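The piecewise pooling and tanh step can be sketched as follows (entity positions and channel values are illustrative):

```python
import math

def piecewise_max_pool(c, e1_pos, e2_pos):
    # Split one kernel's output c into the three segments delimited by
    # the two entity positions and keep the max of each:
    # p_i = {p_i1, p_i2, p_i3}.
    segments = [c[:e1_pos + 1], c[e1_pos + 1:e2_pos + 1], c[e2_pos + 1:]]
    return [max(seg) for seg in segments]

def sentence_feature(channels, e1_pos, e2_pos):
    # Concatenate every kernel's 3-d pooled vector into p_(1:n)
    # (length 3n) and apply the tanh nonlinearity to obtain g.
    p = [v for c in channels for v in piecewise_max_pool(c, e1_pos, e2_pos)]
    return [math.tanh(v) for v in p]
```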
In the relation extraction method of the network security emergency response knowledge graph of this embodiment, sentence-level attention is built over multiple instances; a vector is set for an instance set B = {g_1, g_2, ..., g_m}, where the instance set describes a corresponding network security emergency response entity pair (e1, e2) and g_i represents the output of the neural network.
The degree of correlation between each instance vector g_i and the relation r is then computed. To reduce the influence of meaningless data and make full use of the semantic information contained in each instance in the set, the calculation formula of the instance set vector S is given as:

S = Σ_i α_i g_i

The calculation of the instance set vector S will thus depend on each instance in the set, wherein α_i is the weight of the input instance vector g_i, used to measure its correlation with the corresponding relation r. The calculation formula of α_i is as follows:

α_i = exp(e_i) / Σ_k exp(e_k)

where e_i = q(g_i, r) is a basic query function that represents the degree of match between the output vector g_i and the predicted relation r.
After the value of S is calculated, the likelihood of the predicted relation can be calculated; p represents the likelihood of the predicted relation, and the calculation formula of p is as follows:

p(r | B) = exp(o_r) / Σ_k exp(o_k)

wherein S describes the corresponding network security emergency response entity pair, M is a previously defined relation vector matrix, b represents an offset vector, and o, the score vector of the corresponding relations for the entity pair, is calculated as follows:

o = M S + b
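A sketch of the attention pooling and prediction, assuming the "basic query function" is a dot product between the instance vector and a relation query vector (the text does not spell out its exact form):

```python
import math

def softmax(scores):
    m = max(scores)
    exps = [math.exp(s - m) for s in scores]
    z = sum(exps)
    return [e / z for e in exps]

def attention_set_vector(instances, r_query):
    # Instance-set vector S = sum_i alpha_i * g_i, with alpha_i a softmax
    # over e_i = g_i . r_query (the dot product stands in for the
    # "basic query function" q(g_i, r)).
    scores = [sum(a * b for a, b in zip(g, r_query)) for g in instances]
    alphas = softmax(scores)
    dim = len(instances[0])
    return [sum(alphas[i] * instances[i][d] for i in range(len(instances)))
            for d in range(dim)]

def relation_probs(S, M, b):
    # o = M . S + b scored per relation, then a softmax gives the
    # predicted likelihood p of each relation for the entity pair.
    o = [sum(m * s for m, s in zip(row, S)) + bias for row, bias in zip(M, b)]
    return softmax(o)
```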
in the embodiment of the present invention, the network framework shown in fig. 1 needs to be trained in advance, and the specific details of the training phase are as follows:
the dataset used in this training is the Comprehensive, Multi-Source Cyber-Security Events dataset. The data set is obtained from various websites and various vulnerability databases on the network, wherein the data set comprises network text data such as network security and vulnerability information.
All network models in this embodiment are trained on Comprehensive, Multi-Source Cyber-Security Events (Comprehensive Multi-Source Cyber-Security) datasets.
To train the network model, the objective function is defined herein with cross-entropy loss.
The set of candidate dimensions for the word vector input to the network is {50, 60, ..., 300}, and the set of candidate dimensions for the position vector input is {1, 2, ..., 10}.
Where the input window of the convolutional network is 3 in size and the hidden layer is 230 in size.
During network model training, the Adam optimizer is used with the default momentum settings β1 = 0.9 and β2 = 0.999. The network model is first trained iteratively 60 times at a learning rate of 0.01, then 60 times at a learning rate of 0.001, and then 60 times at a learning rate of 0.0001. The set of candidate batch sizes processed in one iteration is {40, 160, 640, 1280}. To prevent model overfitting, the dropout (random discard) method is employed, with a dropout rate of 0.5.
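The staged learning-rate schedule described above can be written out as a plain function (counting iterations from 0 is an assumption):

```python
def learning_rate(iteration):
    # Staged schedule from the training description: 60 iterations at
    # 0.01, then 60 at 0.001, then 0.0001 thereafter.
    if iteration < 60:
        return 0.01
    if iteration < 120:
        return 0.001
    return 0.0001
```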
In order to verify the performance of the method, based on the above embodiment, this embodiment tests the model on the Comprehensive, Multi-Source Cyber-Security Events dataset in combination with the online emergency response processing method. The model was evaluated using the commonly used precision-recall (P-R) curve, AUC values and mean precision (P@N).
The experimental comparison of the model in this embodiment is carried out in two main aspects. The first compares cnn algorithms of different capability, including the traditional cnn (convolutional neural network), pcnn (piecewise convolutional neural network) and JRpcnn (residual piecewise convolutional neural network). The second examines how cnn/pcnn/JRpcnn use an attention mechanism to boost the model: three different attention mechanisms are tested, namely AVE (average attention), ONE (single-instance attention) and MIT (multi-instance attention). The three attention mechanisms are tested on the different networks in the test stage and the results are observed.
As can be seen from fig. 5, the value of AUC using JRpcnn is the largest using the same attention mechanism.
The relation extraction accuracy of JRpcnn-MIT on the network security emergency response dataset is the highest, reaching 34.6%, better than the results obtained by other models; its AUC value also reaches the highest, 12.8%, likewise better than the other models.
The experimental results show that, compared with other model methods on the network security dataset, the method of this embodiment achieves better results: the accuracy of relation extraction is higher, and the deep semantic information of sentences is better extracted. Introducing the multi-instance attention mechanism effectively reduces redundant data in distant supervised learning. Applying JRpcnn-MIT to construct a network security emergency response knowledge graph in a specific network security scenario can then further strengthen the capability of network security emergency response.
It should be noted that, although the above embodiments have been described herein, the invention is not limited thereto. Therefore, based on the innovative concepts of the present invention, the technical solutions of the present invention can be directly or indirectly applied to other related technical fields by making changes and modifications to the embodiments described herein, or by using equivalent structures or equivalent processes performed in the content of the present specification and the attached drawings, which are included in the scope of the present invention.

Claims (6)

1. The method for extracting the relation of the network security emergency response knowledge graph is characterized by comprising the following steps of:
s1: giving a network security response knowledge text;
s2: vectorizing the knowledge text data, namely extracting the words in the network security response knowledge text and mapping each word to a K-dimensional word vector;
s3: extracting the position vector corresponding to each vocabulary vector by a position-vector mapping method, namely extracting the relative distances between the current word and the entities e1 and e2, and converting them into a vector representation through embedding;
s4: extracting semantic features of sentences by adopting a residual segmented convolutional neural network JRpcnn to form feature vectors, namely using the vocabulary vectors obtained in the steps S2 and S3 and the position vectors corresponding to the vocabulary vectors as the input of the residual segmented convolutional neural network JRpcnn;
s5: the feature vectors derived in step S4 are further processed using the multiple instance attention mechanism MIT and entity relationships are obtained.
2. The method for extracting the relationship of the network security emergency response knowledge-graph according to claim 1, wherein the step S2: vectorizing the knowledge text data, namely extracting vocabularies in the network security response knowledge text, and mapping the vocabularies to a K-dimensional vocabulary vector, comprises the following steps:
s201: inputting an original network security emergency response knowledge text, and converting each input word mark into a vector by searching a pre-trained word embedding;
s202: for a given sentence consisting of n words, each word is mapped into a low-dimensional real-valued vector space using a word2vec model; word2vec takes the One-Hot encoding of a word as input and produces the output through the hidden layer of a neural network;
s203: then performing word-vector processing on the sentence, finally obtaining the vector representation of each word in the sentence and forming a word-vector query matrix; each input training sequence is mapped through the word-vector query matrix to obtain the corresponding vocabulary vectors.
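A minimal NumPy sketch of the lookup described in steps S201–S203; the toy vocabulary, the dimension K and the random initialization are illustrative stand-ins for a pre-trained word2vec embedding, not part of the patent:

```python
import numpy as np

# Step S2 (claim 2), sketched: map each word of a sentence to a K-dimensional
# vector via a word-vector query (lookup) matrix. Vocabulary, K and the random
# initialization are assumptions standing in for pre-trained word2vec vectors.
K = 8                                         # word-vector dimension (assumed)
vocab = {"attacker": 0, "exploits": 1, "vulnerability": 2}
rng = np.random.default_rng(0)
W_lookup = rng.normal(size=(len(vocab), K))   # word-vector query matrix

def embed(sentence):
    """Return the (n, K) matrix of word vectors for a tokenized sentence."""
    ids = [vocab[w] for w in sentence]
    return W_lookup[ids]                      # integer-array indexing = lookup

vectors = embed(["attacker", "exploits", "vulnerability"])
print(vectors.shape)   # (3, 8): one K-dimensional vector per word
```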
3. The method for extracting the relationship of the network security emergency response knowledge-graph according to claim 2, wherein the step S3: the method for extracting the position vector corresponding to the vocabulary vector by adopting the position vector mapping representation method, namely converting the relative distance between the current word entity and the entity into vector representation by embedding comprises the following steps:
s301: pf is defined as the relative distances from the current word to the entities e1 and e2; two position-embedding matrices are randomly initialized, and the relative distances are converted into position vectors by looking them up in the position-embedding matrices;
s302: in sentence position vectorization, if the dimension of the vocabulary vector is dw and the dimension of the position vector is dp, then the dimension of the sentence vector is d = dw + 2dp; combining the vocabulary vectors with the position vectors forms the sentence vector Q, which is then fed to the convolution part.
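Steps S301–S302 can be sketched as follows; the sizes, the distance-clipping range and the position-matrix names are illustrative assumptions, chosen only to show the dimension d = dw + 2dp:

```python
import numpy as np

# Step S3 (claim 3), sketched: for each word, the relative distances to
# entity e1 and entity e2 are looked up in two randomly initialized
# position-embedding matrices, and each word vector is concatenated with
# both position vectors. All sizes below are assumptions.
dw, dp, max_dist = 8, 3, 10
rng = np.random.default_rng(1)
PF1 = rng.normal(size=(2 * max_dist + 1, dp))  # distances -10..10 w.r.t. e1
PF2 = rng.normal(size=(2 * max_dist + 1, dp))  # distances -10..10 w.r.t. e2

def sentence_vector(word_vecs, e1_pos, e2_pos):
    """Build the sentence vector Q: one row of dimension dw + 2*dp per word."""
    rows = []
    for j in range(word_vecs.shape[0]):
        d1 = np.clip(j - e1_pos, -max_dist, max_dist) + max_dist  # shift to index
        d2 = np.clip(j - e2_pos, -max_dist, max_dist) + max_dist
        rows.append(np.concatenate([word_vecs[j], PF1[d1], PF2[d2]]))
    return np.stack(rows)

Q = sentence_vector(rng.normal(size=(5, dw)), e1_pos=0, e2_pos=3)
print(Q.shape)   # (5, 14): d = dw + 2*dp = 8 + 2*3
```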
4. The method for extracting the relationship of the network security emergency response knowledge-graph according to claim 3, wherein the step S4: extracting semantic features of sentences by adopting a residual segmented convolutional neural network JRpcnn to form feature vectors, namely using the vocabulary vectors obtained in the steps S2 and S3 and the position vectors corresponding to the vocabulary vectors as the input of the residual segmented convolutional neural network JRpcnn, and comprising the following steps:
s401: extracting semantic information of a network security emergency response knowledge text by adopting a residual error segmented convolutional neural network JRpcnn, wherein two convolutional layers form a residual error block, and an activation function Relu is adopted for nonlinear mapping after each convolutional layer;
s402: convolution is an operation between a convolution kernel W and an input vector q sequence, where the convolution kernel W is a weight matrix and the convolution kernel W is used as a convolution filter, and the convolution operation can be expressed as:
c_ij = W_i ⊗ q_(j−w+1:j),
wherein 1 ≤ i ≤ n and 1 ≤ j ≤ s + w − 1; n is the number of convolution kernels, s is the dimensionality of the sentence vector, w is the dimensionality of the convolution kernels, and q_(j−w+1:j) represents the concatenation of q_(j−w+1) to q_j;
the result of one convolution yields a matrix C = [c_1, c_2, …, c_n] of size n × (s + w − 1).
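The convolution of step S402 can be sketched directly from its index ranges; the kernel count, width and dimensions below are illustrative assumptions:

```python
import numpy as np

# Step S402 (claim 4), sketched: c[i, j] = W_i . q_(j-w+1:j) between n kernels
# of width w and the sentence-vector sequence q, with boundary padding so the
# result is an n x (s + w - 1) matrix. All sizes are assumptions.
n, w, d, s = 4, 3, 14, 5                  # kernels, width, vector dim, length
rng = np.random.default_rng(2)
kernels = rng.normal(size=(n, w, d))      # convolution kernels W_i
q = rng.normal(size=(s, d))               # sentence vector sequence

def convolve(q, kernels):
    s, d = q.shape
    n, w, _ = kernels.shape
    # zero-pad w-1 positions on each side (boundary filling)
    padded = np.vstack([np.zeros((w - 1, d)), q, np.zeros((w - 1, d))])
    out = np.empty((n, s + w - 1))
    for i in range(n):
        for j in range(s + w - 1):
            # inner product of kernel i with the window q_(j-w+1:j)
            out[i, j] = np.sum(kernels[i] * padded[j:j + w])
    return out

C = convolve(q, kernels)
print(C.shape)   # (4, 7) = (n, s + w - 1)
```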
5. the method for extracting the relationship of the network security emergency response knowledge-graph according to claim 4, further comprising the steps of:
s403: the dimensionality of all convolution kernels in the residual segmented convolutional neural network is w, and boundary filling (padding) is adopted; the kernels of the two convolution layers are W_1 and W_2; as known from step S401, the result obtained after the first convolution layer of the residual block is C_1 = ReLU(W_1 ⊗ x + b_1), and the result obtained after the second convolution layer is f(x) = W_2 ⊗ C_1 + b_2, wherein b_1 and b_2 are offset vectors; the output vector of the residual convolution block is C = f(x) + x, where f(x) is the output result of the second convolution layer and x is the input of the first convolution layer;
s404: after the convolution layers obtain the semantic features, the most representative local features are further extracted through a pooling layer, adopting a segmented maximum pooling process with the formula:
p_ij = max(c_ij), 1 ≤ i ≤ n, 1 ≤ j ≤ 3,
where the output c_i of each convolution kernel is divided into three segments {c_i1, c_i2, c_i3} by the positions of the two entities; for the output of each convolution kernel the pooling layer thus yields a 3-dimensional vector p_i = {p_i1, p_i2, p_i3}; the segmented pooling outputs of all convolution kernels are then concatenated into p_(1:n), and the nonlinear output is:
g = tanh(p_(1:n)),
wherein p_(1:n) is the concatenation of p_1 to p_n, and the tanh() function is an activation function in the neural network.
6. The relationship extraction method of the network security emergency response knowledge-graph of claim 5, wherein: step S5: further processing the feature vectors obtained in step S4 using the multiple instance attention mechanism MIT, and obtaining entity relationships comprises the steps of:
s501: for an instance set vector G = {g_1, g_2, …, g_m}, the instance set vector describes a corresponding network security emergency response entity pair (e1, e2), wherein each g_i represents the output of the neural network;
s502: computing the degree of correlation between each instance vector g_i and the relation r, and then calculating the instance set vector S, with the formula:
S = Σ_i α_i g_i;
the computation of the instance set vector S therefore depends on each instance in the set;
wherein α_i is the weight of the input instance vector g_i, used for measuring its correlation with the corresponding relation r, and the calculation formula of α_i is as follows:
α_i = exp(ω_i) / Σ_k exp(ω_k),
where ω_i is a query-based function representing the matching degree between the output vector g_i and the predicted relation r;
s503: after the value of the instance set vector S has been calculated, the likelihood of the predicted relation is computed; p represents this likelihood and is calculated as follows:
p(r | S) = exp(o_r) / Σ_k exp(o_k),
wherein S describes a corresponding network security emergency response entity pair, r is the previously defined relation vector, b represents an offset vector, and o_r is the score that the entity pair corresponds to the relation r, with the calculation formula:
o_r = r · S + b.
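Step S5 can be sketched in the spirit of multi-instance selective attention; the bilinear matching form ω_i = g_i · A · r and the per-relation score R·S + b are assumptions based on common selective-attention formulations, since the patent's exact formula images are not recoverable:

```python
import numpy as np

# Step S5 (claim 6), sketched: attention weights alpha_i over the instance
# vectors g_i, instance-set vector S = sum_i alpha_i * g_i, and relation
# probabilities from a softmax over per-relation scores. A, r, R and b are
# illustrative assumptions, randomly initialized for the sketch.
rng = np.random.default_rng(4)
m, dim, n_rel = 3, 12, 5                 # instances, feature dim, relations
G = rng.normal(size=(m, dim))            # instance vectors g_i (NN outputs)
A = np.eye(dim)                          # attention bilinear matrix (assumed)
r = rng.normal(size=dim)                 # query vector of candidate relation
R = rng.normal(size=(n_rel, dim))        # relation score matrix (assumed)
b = np.zeros(n_rel)                      # offset vector

def softmax(x):
    e = np.exp(x - x.max())              # subtract max for numerical stability
    return e / e.sum()

omega = G @ A @ r                        # matching degree of each instance
alpha = softmax(omega)                   # attention weight per instance
S = alpha @ G                            # instance-set vector (weighted sum)
p = softmax(R @ S + b)                   # probability of each relation

print(alpha.shape, p.shape)   # (3,) (5,)
```

Instances that match the queried relation more strongly receive larger weights, which is how the multi-instance mechanism down-weights the noisy sentences produced by distant supervision.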
CN202210184821.XA 2022-02-28 2022-02-28 Relation extraction method of network security emergency response knowledge graph Pending CN114254130A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210184821.XA CN114254130A (en) 2022-02-28 2022-02-28 Relation extraction method of network security emergency response knowledge graph

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210184821.XA CN114254130A (en) 2022-02-28 2022-02-28 Relation extraction method of network security emergency response knowledge graph

Publications (1)

Publication Number Publication Date
CN114254130A true CN114254130A (en) 2022-03-29

Family

ID=80800004

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210184821.XA Pending CN114254130A (en) 2022-02-28 2022-02-28 Relation extraction method of network security emergency response knowledge graph

Country Status (1)

Country Link
CN (1) CN114254130A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115622806A (en) * 2022-12-06 2023-01-17 南京众智维信息科技有限公司 Network intrusion detection method based on BERT-CGAN

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110619121A (en) * 2019-09-18 2019-12-27 江南大学 Entity relation extraction method based on improved depth residual error network and attention mechanism
CN111241303A (en) * 2020-01-16 2020-06-05 东方红卫星移动通信有限公司 Remote supervision relation extraction method for large-scale unstructured text data
CN112989048A (en) * 2021-03-29 2021-06-18 华南理工大学 Network security domain relation extraction method based on dense connection convolution


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
WANG, XIAOXIA et al.: "Relation extraction model based on attention and graph convolutional network", Journal of Computer Applications, vol. 41, no. 2, 31 December 2021 (2021-12-31), page 352 *



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20220329)