CN116915511B - Information processing method, device, equipment and storage medium - Google Patents


Publication number
CN116915511B
Authority
CN
China
Prior art keywords
network
data
network security
data set
feature
Legal status
Active
Application number
CN202311178977.8A
Other languages
Chinese (zh)
Other versions
CN116915511A (en
Inventor
常惠
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile Suzhou Software Technology Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Suzhou Software Technology Co Ltd
Application filed by China Mobile Communications Group Co Ltd, China Mobile Suzhou Software Technology Co Ltd

Classifications

    • H04L63/1416 Event detection, e.g. attack signature detection
    • G06N20/20 Ensemble learning
    • G06N3/0442 Recurrent networks, e.g. Hopfield networks characterised by memory or gating, e.g. long short-term memory [LSTM] or gated recurrent units [GRU]
    • G06N3/0455 Auto-encoder networks; Encoder-decoder networks
    • G06N3/084 Backpropagation, e.g. using gradient descent
    • H04L63/0227 Filtering policies
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1433 Vulnerability analysis
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L9/40 Network security protocols

Abstract

The embodiments of the disclosure provide an information processing method, apparatus, device and storage medium, and relate to the technical field of network security. In some embodiments of the present disclosure, current network source data is obtained; feature processing is performed on the current network source data to obtain network feature data; and the network feature data is input into a network security situation awareness model to obtain a current network security awareness result, wherein the network security situation awareness model comprises a bidirectional long short-term memory (BiLSTM) network, an encoder and a prediction layer connected in sequence. The network security situation awareness model is used to predict the security situation of the current network, which improves the accuracy of network security detection.

Description

Information processing method, device, equipment and storage medium
Technical Field
The disclosure relates to the technical field of network security, and in particular relates to an information processing method, an information processing device, information processing equipment and a storage medium.
Background
With the rapid development of new technologies such as cloud computing, virtualization and the Internet of Things, network scale keeps growing, network architectures are becoming more complex, network security protection is becoming more difficult, and the problem of network attacks is becoming more prominent. Network security issues have become a primary factor limiting current network development.
Currently, the accuracy of network security detection is low.
Disclosure of Invention
The disclosure provides an information processing method to at least solve the problem of low accuracy of existing network security detection.
The technical solution of the present disclosure is as follows:
An embodiment of the disclosure provides an information processing method, which comprises the following steps:
acquiring current network source data;
performing feature processing on the current network source data to obtain network feature data;
and inputting the network feature data into a network security situation awareness model to obtain a current network security awareness result, wherein the network security situation awareness model comprises a bidirectional long short-term memory (BiLSTM) network, an encoder and a prediction layer connected in sequence.
Optionally, inputting the network feature data into the network security situation awareness model to obtain the current network security awareness result includes:
the bidirectional long short-term memory (BiLSTM) network is used for performing feature extraction on the network feature data to obtain time-series features and a positional encoding, and outputting the time-series features and the positional encoding to the encoder;
the encoder is used for encoding the time-series features and the positional encoding to obtain encoded features, and outputting the encoded features to the prediction layer;
and the prediction layer is used for predicting the network security awareness result from the encoded features to obtain the current network security awareness result.
Optionally, the BiLSTM network comprises a forward long short-term memory (LSTM) network and a reverse LSTM network; the BiLSTM network performing feature extraction on the network feature data to obtain the time-series features and the positional encoding comprises:
the forward LSTM network is used for extracting features from past network feature data;
the reverse LSTM network is used for extracting features from future network feature data;
and the BiLSTM network performs feature extraction using a rectified linear unit (ReLU) activation function to obtain the time-series features and the positional encoding.
Optionally, the encoder includes: a multi-head attention mechanism, a first residual connection and layer normalization, a feedforward network, and a second residual connection and layer normalization; the encoder encoding the time-series features and the positional encoding to obtain the encoded features, and outputting the encoded features to the prediction layer, includes:
the multi-head attention mechanism is used for performing feature extraction on the time-series features and the positional encoding to obtain first data features;
the first residual connection and layer normalization are used for performing feature extraction on the time-series features, the positional encoding and the first data features to obtain second data features;
the feedforward network is used for performing feature extraction on the second data features to obtain third data features;
and the second residual connection and layer normalization are used for performing feature extraction on the third data features and the second data features to obtain the encoded features.
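The encoder steps listed above, written out as an added NumPy example (not code from the patent). The sinusoidal positional encoding, adding it to the time-series features, the layer sizes, the random weights and the constructed input standing in for the BiLSTM output are all assumptions; the last function shows why the positional encoding matters for time-ordered security data.

```python
import numpy as np


def positional_encoding(T, d):
    """Sinusoidal positional encoding (assumed form; d must be even)."""
    pos = np.arange(T)[:, None]
    freq = 10000.0 ** (np.arange(0, d, 2)[None, :] / d)
    pe = np.zeros((T, d))
    pe[:, 0::2], pe[:, 1::2] = np.sin(pos / freq), np.cos(pos / freq)
    return pe


def layer_norm(x, eps=1e-5):
    """Normalise each time step to zero mean and unit variance (no learned scale)."""
    mu, var = x.mean(-1, keepdims=True), x.var(-1, keepdims=True)
    return (x - mu) / np.sqrt(var + eps)


def softmax(x):
    e = np.exp(x - x.max(-1, keepdims=True))
    return e / e.sum(-1, keepdims=True)


def init_encoder(d_model=16, n_heads=4, d_ff=32, seed=0):
    """Random, untrained weights; sizes are illustrative assumptions."""
    rng = np.random.default_rng(seed)
    p = {k: rng.normal(0, d_model ** -0.5, (d_model, d_model))
         for k in ("Wq", "Wk", "Wv", "Wo")}
    p["W1"] = rng.normal(0, d_model ** -0.5, (d_model, d_ff))
    p["W2"] = rng.normal(0, d_ff ** -0.5, (d_ff, d_model))
    p["b1"], p["b2"], p["n_heads"] = np.zeros(d_ff), np.zeros(d_model), n_heads
    return p


def multi_head_attention(x, p):
    """Self-attention over the T time steps of x, split across n_heads heads."""
    T, d = x.shape
    h = p["n_heads"]
    split = lambda m: m.reshape(T, h, d // h).transpose(1, 0, 2)   # (heads, T, d_head)
    q, k, v = (split(x @ p[w]) for w in ("Wq", "Wk", "Wv"))
    weights = softmax(q @ k.transpose(0, 2, 1) / np.sqrt(d // h))  # (heads, T, T)
    merged = (weights @ v).transpose(1, 0, 2).reshape(T, d)
    return merged @ p["Wo"], weights


def encoder_block(x, p):
    """x: time-series features plus positional encoding, shape (T, d_model)."""
    first, weights = multi_head_attention(x, p)          # first data features
    second = layer_norm(x + first)                       # first residual + layer norm
    third = np.maximum(0.0, second @ p["W1"] + p["b1"]) @ p["W2"] + p["b2"]
    coding = layer_norm(second + third)                  # second residual + layer norm
    return coding, weights


def constructed_bilstm_output(T=12, d=16, seed=1):
    """Constructed stand-in for the BiLSTM's time-series features."""
    return np.random.default_rng(seed).normal(size=(T, d))


def order_sensitivity(p, feats):
    """Return (order_blind_without_pe, order_sensitive_with_pe)."""
    rev = np.arange(feats.shape[0])[::-1]                # replay the window backwards
    pe = positional_encoding(*feats.shape)
    plain, _ = encoder_block(feats, p)
    plain_rev, _ = encoder_block(feats[rev], p)
    with_pe, _ = encoder_block(feats + pe, p)
    with_pe_rev, _ = encoder_block(feats[rev] + pe, p)
    return (bool(np.allclose(plain[rev], plain_rev)),
            bool(not np.allclose(with_pe[rev], with_pe_rev)))


def demo():
    p, feats = init_encoder(), constructed_bilstm_output()
    coding, weights = encoder_block(feats + positional_encoding(*feats.shape), p)
    return coding, weights, order_sensitivity(p, feats)


if __name__ == "__main__":
    coding, weights, (blind, sensitive) = demo()
    print(coding.shape, weights.shape, blind, sensitive)
```

Without the positional encoding the block treats a window of events as an unordered set, so the same events in reverse order give the same per-event output; with it, event order changes the encoded features.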
Optionally, before using the network security situation awareness model, the method further comprises:
acquiring network source data;
performing feature extraction on the network source data to obtain a network security data set;
preprocessing the network security data set to obtain a preprocessed network security data set;
performing feature dimension reduction on the preprocessed network security data set to obtain a dimension-reduced data set;
labeling at least part of the dimension-reduced data set with network security awareness results to obtain a training sample set;
and training an initial model on the training sample set to obtain the network security situation awareness model.
Optionally, preprocessing the network security data set to obtain the preprocessed network security data set includes:
converting the categorical features in the network security data set into numerical values to obtain a numericalized data set;
performing noise reduction on the numericalized data set using an autoencoder to obtain a noise-reduced data set;
performing data cleaning on the noise-reduced data set to obtain a cleaned data set;
and standardizing the cleaned data set to obtain the preprocessed network security data set.
Optionally, performing feature dimension reduction on the preprocessed network security data set to obtain the dimension-reduced data set includes:
mapping the preprocessed network security data set into a high-dimensional space using a mapping function and a radial basis function to obtain a high-dimensional space data set;
calculating a feature matrix of the high-dimensional space data set;
performing eigenvalue decomposition on the feature matrix to obtain eigenvalues and the eigenvectors corresponding to the eigenvalues;
with the eigenvalues sorted from largest to smallest, taking the eigenvectors corresponding to the eigenvalues at the preset positions in that order to obtain a projection matrix;
and determining the dimension-reduced data set according to the projection matrix.
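The dimension reduction steps above follow the shape of kernel PCA with a radial basis function kernel. An added NumPy example (not code from the patent): the centring of the kernel matrix, the value of gamma, the function names and the constructed sample data are assumptions, since the page does not give the formulas.

```python
import numpy as np


def rbf_kernel(A, B, gamma):
    """Radial basis function k(a, b) = exp(-gamma * ||a - b||^2) for all row pairs."""
    sq = (A ** 2).sum(1)[:, None] + (B ** 2).sum(1)[None, :] - 2.0 * A @ B.T
    return np.exp(-gamma * np.maximum(sq, 0.0))


def fit_kernel_pca(X, n_components, gamma):
    """Build the projection matrix from the top eigenvectors of the kernel matrix."""
    n = X.shape[0]
    K = rbf_kernel(X, X, gamma)                       # implicit high-dimensional mapping
    J = np.full((n, n), 1.0 / n)
    Kc = K - J @ K - K @ J + J @ K @ J                # centre the data in feature space
    eigvals, eigvecs = np.linalg.eigh(Kc)             # symmetric input, ascending order
    order = np.argsort(eigvals)[::-1][:n_components]  # largest eigenvalues first
    lam = eigvals[order]
    if lam[-1] <= 1e-10:
        raise ValueError("n_components exceeds the numerical rank of the kernel matrix")
    alpha = eigvecs[:, order] / np.sqrt(lam)          # projection matrix, unit-norm axes
    return {"X": X, "K": K, "alpha": alpha, "eigvals": lam, "gamma": gamma}


def transform(model, X_new):
    """Project rows of X_new, centring with the training-set kernel statistics."""
    K = model["K"]
    Kn = rbf_kernel(X_new, model["X"], model["gamma"])
    Kc = Kn - Kn.mean(axis=1, keepdims=True) - K.mean(axis=0)[None, :] + K.mean()
    return Kc @ model["alpha"]


def constructed_flows(seed=7):
    """Constructed sample: 40 rows clustered near the origin and 20 rows on a ring
    around them, a nonlinear structure that a covariance matrix cannot describe.
    Columns are standardized, as in the preprocessing step."""
    rng = np.random.default_rng(seed)
    base = rng.normal(0.0, 0.3, size=(40, 3))
    angle = rng.uniform(0.0, 2.0 * np.pi, size=20)
    ring = np.column_stack([2.5 * np.cos(angle), 2.5 * np.sin(angle),
                            rng.normal(0.0, 0.3, size=20)])
    X = np.vstack([base, ring])
    return (X - X.mean(axis=0)) / X.std(axis=0)


def demo():
    X = constructed_flows()
    model = fit_kernel_pca(X, n_components=2, gamma=0.5)
    return model, transform(model, X)


if __name__ == "__main__":
    model, Z = demo()
    print("eigenvalues:", model["eigvals"])
    print("reduced shape:", Z.shape)
```

New records are projected with `transform`, which reuses the training-set kernel means so that training and inference data land in the same reduced space.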
An embodiment of the disclosure also provides an information processing apparatus, including:
the acquisition module is used for acquiring current network source data;
the feature processing module is used for performing feature processing on the current network source data to obtain network feature data;
the awareness model module is used for inputting the network feature data into a network security situation awareness model to obtain a current network security awareness result, wherein the network security situation awareness model comprises a bidirectional long short-term memory (BiLSTM) network, an encoder and a prediction layer connected in sequence.
Optionally, when inputting the network feature data into the network security situation awareness model to obtain the current network security awareness result, the awareness model module is configured such that:
the bidirectional long short-term memory (BiLSTM) network is used for performing feature extraction on the network feature data to obtain time-series features and a positional encoding, and outputting the time-series features and the positional encoding to the encoder;
the encoder is used for encoding the time-series features and the positional encoding to obtain encoded features, and outputting the encoded features to the prediction layer;
and the prediction layer is used for predicting the network security awareness result from the encoded features to obtain the current network security awareness result.
Optionally, the BiLSTM network comprises a forward long short-term memory (LSTM) network and a reverse LSTM network; when performing feature extraction on the network feature data to obtain the time-series features and the positional encoding, the awareness model module is configured such that:
the forward LSTM network is used for extracting features from past network feature data;
the reverse LSTM network is used for extracting features from future network feature data;
and the BiLSTM network performs feature extraction using a rectified linear unit (ReLU) activation function to obtain the time-series features and the positional encoding.
Optionally, the encoder includes: a multi-head attention mechanism, a first residual connection and layer normalization, a feedforward network, and a second residual connection and layer normalization; when encoding the time-series features and the positional encoding to obtain the encoded features and outputting the encoded features to the prediction layer, the awareness model module is configured such that:
the multi-head attention mechanism is used for performing feature extraction on the time-series features and the positional encoding to obtain first data features;
the first residual connection and layer normalization are used for performing feature extraction on the time-series features, the positional encoding and the first data features to obtain second data features;
the feedforward network is used for performing feature extraction on the second data features to obtain third data features;
and the second residual connection and layer normalization are used for performing feature extraction on the third data features and the second data features to obtain the encoded features.
Optionally, before using the network security situation awareness model, the awareness model module is further configured to perform:
acquiring network source data;
performing feature extraction on the network source data to obtain a network security data set;
preprocessing the network security data set to obtain a preprocessed network security data set;
performing feature dimension reduction on the preprocessed network security data set to obtain a dimension-reduced data set;
labeling at least part of the dimension-reduced data set with network security awareness results to obtain a training sample set;
and training an initial model on the training sample set to obtain the network security situation awareness model.
Optionally, when preprocessing the network security data set to obtain the preprocessed network security data set, the awareness model module is configured to perform:
converting the categorical features in the network security data set into numerical values to obtain a numericalized data set;
performing noise reduction on the numericalized data set using an autoencoder to obtain a noise-reduced data set;
performing data cleaning on the noise-reduced data set to obtain a cleaned data set;
and standardizing the cleaned data set to obtain the preprocessed network security data set.
Optionally, when performing feature dimension reduction on the preprocessed network security data set to obtain the dimension-reduced data set, the awareness model module is configured to perform:
mapping the preprocessed network security data set into a high-dimensional space using a mapping function and a radial basis function to obtain a high-dimensional space data set;
calculating a feature matrix of the high-dimensional space data set;
performing eigenvalue decomposition on the feature matrix to obtain eigenvalues and the eigenvectors corresponding to the eigenvalues;
with the eigenvalues sorted from largest to smallest, taking the eigenvectors corresponding to the eigenvalues at the preset positions in that order to obtain a projection matrix;
and determining the dimension-reduced data set according to the projection matrix.
The embodiment of the disclosure also provides an electronic device, including:
a processor;
a memory for storing the processor-executable instructions;
wherein the processor is configured to execute the instructions to implement the steps in the method described above.
The disclosed embodiments also provide a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the above-described method.
The disclosed embodiments also provide a computer program product comprising a computer program/instruction which, when executed by a processor, implements the steps of the method described above.
The technical solution provided by the embodiments of the disclosure brings at least the following beneficial effects:
In some embodiments of the present disclosure, current network source data is obtained; feature processing is performed on the current network source data to obtain network feature data; and the network feature data is input into a network security situation awareness model to obtain a current network security awareness result, wherein the network security situation awareness model comprises a bidirectional long short-term memory (BiLSTM) network, an encoder and a prediction layer connected in sequence. The network security situation awareness model is used to predict the security situation of the current network, which improves the accuracy of network security detection.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the disclosure and together with the description, serve to explain the principles of the disclosure and do not constitute an undue limitation on the disclosure.
Fig. 1 is a flowchart of an information determining method according to an exemplary embodiment of the present disclosure;
Fig. 2 is a flowchart of a network security situation awareness method according to an exemplary embodiment of the present disclosure;
Fig. 3 is a network structure diagram of an autoencoder provided in an exemplary embodiment of the present disclosure;
Fig. 4 is a schematic diagram of a noise reduction algorithm provided by an embodiment of the present disclosure;
Fig. 5 is a structure diagram of a network security situation awareness model provided by an exemplary embodiment of the present disclosure;
Fig. 6 is a schematic structural diagram of an information processing apparatus provided in an exemplary embodiment of the present disclosure;
Fig. 7 is a schematic structural diagram of an electronic device according to an exemplary embodiment of the present disclosure.
Detailed Description
In order to enable those skilled in the art to better understand the technical solutions of the present disclosure, the technical solutions of the embodiments of the present disclosure will be clearly and completely described below with reference to the accompanying drawings.
It should be noted that the terms "first," "second," and the like in the description and claims of the present disclosure and in the foregoing figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the disclosure described herein may be capable of operation in sequences other than those illustrated or described herein. The implementations described in the following exemplary examples are not representative of all implementations consistent with the present disclosure. Rather, they are merely examples of apparatus and methods consistent with aspects of the present disclosure.
It should be noted that the user information involved in the present disclosure includes, but is not limited to, user equipment information and user personal information; the collection, storage, use, processing, transmission, provision and disclosure of user information in the present disclosure all comply with the relevant laws and regulations and do not violate public order and good customs.
In order to cope with increasingly complex and stealthy network security threats, numerous network security technologies have been proposed, and situation awareness research in the field of network security has increasingly come to the fore. Currently, the Endsley, Tim Bass and JDL models are the three typical awareness models. The Endsley model extracts network security features from network information, evaluates the current network security condition through data preprocessing, data integration, and data analysis and understanding, and predicts the future network security state from the evaluation results. The Tim Bass model filters and calibrates the network security information acquired by sensors, analyzes the data along the two dimensions of time and space to achieve network security state awareness, and allocates and manages resources during the awareness process by analyzing the attacks and threats that may exist in the network. The JDL model perceives the network situation on the basis of data fusion, evaluates the network security state through data analysis, predicts the future network state in real time from the evaluation results, and at the same time manages, controls and optimizes the awareness process. Whichever model is used, therefore, network security situation awareness is built on data processing.
Feature extraction is the key to data processing. Feature extraction techniques can be divided into linear and nonlinear dimension reduction methods. Traditional linear dimension reduction methods mainly include principal component analysis (PCA) and linear discriminant analysis, which in effect seek an optimal linear model under different optimization criteria. The most typical nonlinear dimension reduction methods are kernel methods and manifold learning methods, typical examples being isometric mapping and Laplacian eigenmaps. The PCA feature dimension reduction algorithm is frequently used and mature.
Network security situation awareness methods fall mainly into three types: methods based on mathematical models, methods based on knowledge reasoning, and methods based on pattern recognition. Evaluation methods based on mathematical models comprehensively consider multiple factors for situation evaluation; common examples are the weight analysis method and the set analysis method. Methods based on knowledge reasoning build an evaluation model from expert knowledge and experience, express and handle the uncertainty of security attributes with logical reasoning methods such as probability theory, fuzzy theory and evidence theory, and aggregate multi-attribute information through reasoning. Methods based on pattern recognition build situation templates through machine learning and complete situation classification through pattern matching and mapping. They aim to acquire knowledge automatically without relying excessively on experts and experience and to build scientific, objective evaluation templates; they mainly include the grey correlation method, rough set theory and cluster analysis.
In an environment where network architectures are more complex, network scale is larger and network security threats are growing rapidly, the shortcomings of existing network situation awareness techniques, and the technical problems this proposal sets out to solve, are as follows:
as network scale grows and network data becomes more complex, effectively handling the noise points in network data so as to provide reliable data for network security situation awareness has become a difficulty in the awareness process;
PCA feature dimension reduction presupposes that the data follows a normal distribution and uses the covariance matrix to measure correlation among features during computation; it cannot handle data that does not satisfy the Gaussian distribution condition, and the covariance matrix cannot measure nonlinear relationships among features;
given the time-series nature of network data, how to mine its time-series features and make full use of the context information in network security data is one of the key problems of network security situation awareness.
In the prior art of network situation awareness, methods based on mathematical models are easily influenced by human factors during the awareness process, and their results are subject to strong interference; methods based on knowledge reasoning cannot respond in time when faced with a large amount of network threat data; methods based on pattern recognition are the most widely applied and are accurate and efficient, but they have high computational complexity, their principles are hard to describe, and they are prone to overfitting.
In view of the above technical problems, in some embodiments of the present disclosure, current network source data is acquired; feature processing is performed on the current network source data to obtain network feature data; and the network feature data is input into a network security situation awareness model to obtain a current network security awareness result, wherein the network security situation awareness model comprises a bidirectional long short-term memory (BiLSTM) network, an encoder and a prediction layer connected in sequence. The network security situation awareness model is used to predict the security situation of the current network, which improves the accuracy of network security detection.
The present disclosure proposes a network security situation awareness model that comprehensively analyzes the overall network environment by combining multiple security technologies. The model integrates multiple network security detection devices and technologies such as honeypots, firewalls and IDS, and preprocesses the data generated by these security devices with multiple data preprocessing methods to obtain high-quality network security data. The model extracts key features of the network security data with a feature dimension reduction algorithm; it uses the encoder as the backbone network for situation awareness because of the encoder's advantages in parallel computation and in learning long-range dependencies; and, considering the time-series nature of network security data, it optimizes the encoder with a BiLSTM network. This ultimately achieves highly reliable and robust network security situation awareness and provides strong technical support for network security defense.
The general flow of the network security situation awareness model of the present disclosure is shown in Fig. 1. The model obtains a network security data set by integrating the acquisition results of multiple devices, preprocesses the data set by means such as numericalization, data noise reduction, data cleaning and data standardization, and performs feature dimension reduction on the preprocessed data set with a feature dimension reduction algorithm; the data set is divided into a training set, a validation set and a test set in a 6:2:2 ratio. The training set is used for model training, and the network model parameters are updated through forward propagation, back propagation and gradient descent. The validation set is used to verify model performance from the forward propagation results: if the generalization performance of the network model is better than before, the current network model is saved; otherwise the current network model is not saved. Training terminates when the iteration termination condition is reached, and the network security situation awareness model is the last saved result. The test set is then propagated forward through the network model to test the model's performance, and the test result is evaluated by comparing the model's awareness results with the true awareness results.
The network security situation awareness model takes the dimension-reduced data as input, fully mines the time-series features in the network security data through the BiLSTM network, combines them with the positional encoding of the network security data, processes them with the encoder, and obtains the final network security situation awareness result from the output of the prediction layer.
The following describes in detail the technical solutions provided by the embodiments of the present disclosure with reference to the accompanying drawings.
Fig. 1 is a flowchart of an information determining method according to an exemplary embodiment of the present disclosure. As shown in fig. 1, the method includes:
S101: acquiring current network source data;
S102: performing feature processing on the current network source data to obtain network feature data;
S103: inputting the network feature data into a network security situation awareness model to obtain a current network security awareness result, wherein the network security situation awareness model comprises a two-way long-short-term memory network, an encoder and a prediction layer which are sequentially connected.
In the embodiment of the present disclosure, the execution body of the method may be a server, or may be other computer devices.
In the present embodiment, the implementation form of the server is not limited. For example, the server may be a conventional server, a cloud host, a virtual center, or a similar server device. The server mainly comprises a processor, a hard disk, a memory, a system bus and the like, similar to a general computer architecture.
Fig. 2 is a flow chart of a network security situation awareness method according to an exemplary embodiment of the present disclosure. As shown in fig. 2, the network security situation awareness model in the embodiment of the present disclosure acquires a network security data set by integrating the acquisition results of multiple devices, preprocesses the data set in several ways, such as numerical conversion, data noise reduction, data cleaning and data standardization, and performs feature dimension reduction on the preprocessed data set. The data set is divided into a training set, a verification set and a test set in the ratio 6:2:2. The training set is used for training the network model, in which the network model parameters are updated through forward propagation, backward propagation and gradient descent. The verification set is used to verify model performance from the forward propagation result: if the generalization performance of the network model is better than before, the current network model is saved; otherwise it is not saved. Training terminates when the iteration termination condition is reached, and the network security situation awareness model is the last saved result. The test set is then forward propagated through the network model to test the model's performance, and the test result is evaluated by comparing the model's perception results with the true results.
Before the network security situation awareness model is used, it must be obtained by training. One implementation is: acquiring network source data; performing feature extraction on the network source data to obtain a network security data set; preprocessing the network security data set to obtain a preprocessed network security data set; performing feature dimension reduction on the preprocessed network security data set to obtain a dimension-reduced data set; labeling at least part of the dimension-reduced data set to obtain a training sample set; and training an initial model on the training sample set to obtain the network security situation awareness model.
In some embodiments of the present disclosure, network source data is acquired, and feature extraction is performed on the network source data to obtain a network security data set. In one implementation, various sensor devices monitor and collect information from network security protection objects such as host nodes, network nodes, software and services; the log files generated by network security protection technologies such as vulnerability detection, traffic monitoring and analysis, and intrusion detection are processed together, and the network source data is extracted from them. Feature analysis, selection and measurement are performed on the extracted network data to obtain asset feature data, service network traffic feature data, vulnerability feature data, attack feature data and the like. The resulting multi-source feature data forms a network security feature database, and the network security features are labeled according to empirical knowledge to obtain the network security data set.
In some embodiments of the present disclosure, the network security data set is preprocessed to obtain a preprocessed network security data set. One implementation is: converting the categorical features in the network security data set into numerical values to obtain a digitized data set; performing noise reduction on the digitized data set with a self-encoder to obtain a noise-reduced data set; performing data cleaning on the noise-reduced data set to obtain a cleaned data set; and standardizing the cleaned data set to obtain the preprocessed network security data set.
For example, the categorical features in the network security data set are converted into numerical values through one-hot encoding to obtain the digitized data set.
The digitized data set is then denoised with a self-encoder (autoencoder) to obtain the noise-reduced data set. Fig. 3 is a network configuration diagram of a self-encoder according to an exemplary embodiment of the present disclosure. The network structure of the self-encoder mainly comprises two parts, an encoder and a decoder. The encoder encodes the input data and the decoder decodes the encoded data; the input data and the output data have the same dimension, which allows the digitized network security data to be denoised.
X is taken as the input space of the self-encoder,for the number of samples, m is the data dimension for each sample X, +.>. Encoder and decoder find the mapping shown in equation (1)>The decoding error of the input features is minimized, i.e. the input and output are closest.
(1)
In the formula (1), h is the characteristic value of the input x after being coded by an encoder,for the value of the decoder after decoding the feature h, the map +.>
Fig. 4 is a schematic diagram of a noise reduction algorithm according to an embodiment of the disclosure. As shown in fig. 4, this algorithm is used to reduce noise in the network security data. Noise is added to the result x obtained after the network security data is digitized, giving data x'. x' is used as the input of the self-encoder AE, whose output is y, and the target output is the original data x. The loss between the real sample x and the self-encoder output y is calculated with the loss function shown in formula (2), and the self-encoder network parameters are updated.
(2)
The self-encoder performs noise reduction on the network security data. Its loss function is the mean square error (MSE) shown in formula (2), where n is the number of samples, y is the output of the AE, and x is the data set obtained after the network security data is digitized.
For another example, the data processed in step a2 is cleaned with a 5σ data cleaning method.
Considering that bad values still exist in the data after noise reduction, the bad values are eliminated to further improve data quality. To improve model robustness, the 3σ data cleaning method is modified by expanding the deviation to 5σ; bad values are eliminated with this improved 5σ method, and the standard deviation of the data is calculated according to formula (3).
(3)
Where n is the total number of entries of the network data,data mean,/->. For each data acquiredIf the residual Ei is:
(4)
If a value in the data satisfies the condition shown in formula (4), the value deviates severely from the normal data set; it is regarded as a bad value and deleted from the data. After the deletion, the standard deviation is recalculated with formula (3), and the process repeats until Ei of every data item is no more than 5σ.
It should be noted that the above embodiment of the disclosure uses the self-encoder data denoising method and the 5σ data cleaning method to denoise the network security data set and reject abnormal values in it, so that the interference of abnormal data with the model is filtered out, the stability of the data quantity is preserved as far as possible, and the robustness of the model is improved.
For another example, the data set after data cleaning is standardized according to the standard deviation of the data.
To reduce the influence of numerical differences between features on model training, the scheme processes the features with the standardization formula shown in formula (5).
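The iterative 5σ cleaning described above, written out as an added example (not code from the patent) and run beside the 3σ rule it replaces, on constructed data. Formulas (3) and (4) are not reproduced on this page, so the sample standard deviation with an n - 1 denominator, the row-wise deletion, and all function and feature names are assumptions.

```python
import math


def sample_std(values):
    """Mean and sample standard deviation (n - 1 denominator, an assumption)."""
    n = len(values)
    mean = sum(values) / n
    var = sum((v - mean) ** 2 for v in values) / (n - 1)
    return mean, math.sqrt(var)


def sigma_clean(rows, k=5.0):
    """Drop rows holding a value more than k standard deviations from its
    column mean, recomputing the statistics after every pass until no row
    is flagged. Returns (kept_rows, removed_original_indices)."""
    kept = list(enumerate(rows))
    removed = []
    while len(kept) > 2:
        bad = set()
        for col in range(len(kept[0][1])):
            mean, std = sample_std([row[col] for _, row in kept])
            if std == 0.0:
                continue  # constant column: nothing can deviate
            for pos, (_, row) in enumerate(kept):
                if abs(row[col] - mean) > k * std:
                    bad.add(pos)
        if not bad:
            break
        removed.extend(kept[pos][0] for pos in sorted(bad))
        kept = [item for pos, item in enumerate(kept) if pos not in bad]
    return [row for _, row in kept], removed


def min_rows_to_flag(k):
    """Smallest n at which one value can exceed k sample standard deviations.

    For the sample standard deviation s, |x_i - mean| <= s * (n - 1) / sqrt(n),
    so with fewer rows a k-sigma rule can never remove anything."""
    n = 2
    while (n - 1) / math.sqrt(n) <= k:
        n += 1
    return n


def constructed_rows():
    """Constructed sample: 40 rows of [flows_per_second, mean_packet_bytes]."""
    rows = [[100.0 + (i % 7), 500.0 + 3 * (i % 5)] for i in range(40)]
    rows[10][0] = 100000.0  # constructed sensor glitch
    rows[20][0] = 118.0     # constructed unusual but plausible burst
    return rows


if __name__ == "__main__":
    rows = constructed_rows()
    for k in (3.0, 5.0):
        kept, removed = sigma_clean(rows, k)
        print(f"k={k}: kept {len(kept)} rows, removed original rows {removed}")
    print("rows needed before 5 sigma can flag anything:", min_rows_to_flag(5.0))
```

With fewer than 27 rows the 5σ rule cannot remove any value, however extreme, so the batch size matters as much as the threshold. The removed row indices are worth logging for review, because in security telemetry an extreme value may be the event of interest rather than sensor noise.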
(5)
In some embodiments of the present disclosure, feature dimension reduction is performed on the preprocessed network security data set to obtain a dimension-reduced data set. In one implementation, the preprocessed network security data set is mapped into a high-dimensional space with a mapping function and a radial basis function to obtain a high-dimensional space data set; a feature matrix of the high-dimensional space data set is calculated; eigenvalue decomposition is performed on the feature matrix to obtain eigenvalues and the eigenvectors corresponding to them; the eigenvalues are sorted from large to small and the eigenvectors corresponding to the eigenvalues at the preset rank positions are taken to obtain a projection matrix; and the dimension-reduced data set is determined from the projection matrix.
For example, first, the preprocessed network security dataset is mapped into a high-dimensional space using a mapping function represented by equation (6) and a radial basis function represented by equation (7), where、/>Representing any two eigenvectors, gamma being an adjustable parameter, and obtaining a new dataset +.>
(6)
(7)
Then, based on the new data set Matrix M shown in calculation formula (8) 2
(8)
The mic in the formula (8) is the maximum information coefficient calculation formula, and is calculated by the mutual information MI (Mutual Information) and the grid dividing method, and is used for characteristic variablesAnd characteristic variable->The mutual information MI of the two is shown as a formula (9).
(9)
In the formula (9), p (a, B) is the joint probability density of A and B, p (a) and p (B) are the edge probability densities of A and B, respectively, the probability densities are estimated by using a histogram estimation method, assuming thatFor a limited ordered pair set, defining division G to divide the value range of A into m sections and dividing the value range of B into n sections, wherein G is +.>Calculating mutual information MI (A, B) in each obtained grid division, wherein the grid division modes are various, taking the maximum value of MI (A, B) obtained by the various division modes as the mutual information of division G, and defining a maximum mutual information formula of D under the division G as formula (10).
(10)
The mic calculation formula in formula (8) is shown as formula (11) in which
(11)
Then, the matrix M in the formula (8) 2 Decomposing the characteristic value to obtain the characteristic valueAnd the corresponding feature vector +>
Then, for the characteristic valueDescending order, taking feature vectors corresponding to the first k feature valuesObtaining projection matrix->
Finally, calculating the dimension-reduced result of each piece of data according to the projection matrix Finally, a new data set +.>
It should be noted that the embodiment of the present disclosure introduces a kernel function to improve the dimension reduction algorithm: nonlinear data is mapped into a high-dimensional space by the kernel function to obtain linearly distributed high-dimensional data, which removes the limitation that the dimension reduction algorithm can only process linearly distributed data. The embodiment also replaces the covariance matrix used in the dimension reduction algorithm with the kernel function capable of measuring linear, nonlinear and non-functional complex relations among features. This addresses the problem that a covariance matrix can only measure linear relations among features and cannot cope with the complex relations, such as nonlinear ones, that hold among most features in practice.
Fig. 5 is an architecture diagram of a network security situation awareness model provided by an exemplary embodiment of the present disclosure. As shown in fig. 5, in some embodiments of the present disclosure, the network security situation awareness model includes an input layer, a two-way long-short-term memory network, an encoder, a prediction layer and an output layer. Within the model, the two-way long-short-term memory network performs feature extraction on the network feature data to obtain time-series features and position codes and outputs them to the encoder; the encoder encodes the time-series features and the position codes to obtain coding features and outputs them to the prediction layer; and the prediction layer predicts the network security perception result from the coding features to obtain the current network security perception result.
In an exemplary embodiment, a reduced data set is used as the input of a network security situation awareness model, the time step is set to be 4, and the data of the current time t and the first three times are used as #,/>,/>,/>) Network situation of predictive perception of current time t as model input +.>
In some embodiments of the present disclosure, the data is reconstructed as needed for model input, partitioned into n-4+1=n-3 groups, the first 4 actions in the table are input, and the last action is output for the target value.Representing data in sample j +.>I.e. with +.>Equivalent (S)>Representing the tag value in the j-th sample +.>The final data structure (network security situation awareness results) is shown in table 1. The data reconstruction method in the embodiment of the disclosure can provide the context information input by the model by combining the information of the past moment, and is better matched with the network security situation awareness model. />
Table 1 network security data reconstruction format
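The reconstruction described above (time step 4, n - 3 groups, label of the last row as target) as an added example, not code from the patent; it also contrasts windowing before the 6:2:2 split with splitting first, since overlapping windows otherwise share rows between the training and verification sets. The page does not state the order of the two steps or whether the split is chronological; the chronological split, the function names and the sample series are assumptions.

```python
def make_windows(features, labels, time_step=4):
    """Group rows t-3..t as one input and use the label at time t as target.

    n rows yield n - time_step + 1 groups (n - 3 for time_step = 4)."""
    if len(features) != len(labels):
        raise ValueError("features and labels must have the same length")
    n = len(features)
    return [
        (features[j:j + time_step], labels[j + time_step - 1])
        for j in range(n - time_step + 1)
    ]


def chrono_bounds(n, ratios=(6, 2, 2)):
    """Index ranges of a chronological train/val/test split in the given ratio."""
    total = sum(ratios)
    train_end = n * ratios[0] // total
    val_end = train_end + n * ratios[1] // total
    return {"train": (0, train_end), "val": (train_end, val_end), "test": (val_end, n)}


def window_then_split(features, labels, time_step=4, ratios=(6, 2, 2)):
    """Window the whole series, then split the windows: neighbouring sets
    end up containing some of the same rows."""
    windows = make_windows(features, labels, time_step)
    bounds = chrono_bounds(len(windows), ratios)
    return {name: windows[lo:hi] for name, (lo, hi) in bounds.items()}


def split_then_window(features, labels, time_step=4, ratios=(6, 2, 2)):
    """Split the rows first, then window inside each set: no row is shared,
    at the cost of time_step - 1 windows per boundary."""
    bounds = chrono_bounds(len(features), ratios)
    return {
        name: make_windows(features[lo:hi], labels[lo:hi], time_step)
        for name, (lo, hi) in bounds.items()
    }


def rows_used(windows):
    """Row ids seen in a window list (the first feature column of the
    constructed data below carries the row id)."""
    return {int(row[0]) for window, _ in windows for row in window}


def constructed_series(n=20):
    """Constructed sample: n dimension-reduced rows and a situation label each."""
    features = [[float(i), float(i % 3)] for i in range(n)]
    labels = [i % 5 for i in range(n)]
    return features, labels


if __name__ == "__main__":
    features, labels = constructed_series()
    print("groups from 20 rows:", len(make_windows(features, labels)))
    for build in (window_then_split, split_then_window):
        sets = build(features, labels)
        shared = rows_used(sets["train"]) & rows_used(sets["val"])
        sizes = {name: len(w) for name, w in sets.items()}
        print(build.__name__, sizes, "rows shared by train and val:", sorted(shared))
```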
In some embodiments of the present disclosure, the two-way long-short-term memory network includes a forward long-short-term memory network and a reverse long-short-term memory network. The forward long-short-term memory network extracts features from past network feature data, and the reverse long-short-term memory network extracts features from future network feature data, so that the context information of the network data in the time-series data is fully used. The two-way long-short-term memory network performs feature extraction with a linear rectification (ReLU) activation function to obtain the time-series features and the position codes. The embodiment of the disclosure uses the linear rectification activation function in place of the tanh function shown in formula (14); according to the derivatives of formula (13) and formula (15), the improved two-way long-short-term memory network effectively reduces the computational complexity by adopting the linear rectification activation function, while network performance is maintained.
(12)
(13)
(14)
(15)
In some embodiments of the present disclosure, the encoder includes: a multi-head attention mechanism, a first residual connection and layer normalization, a feedforward network, and a second residual connection and layer normalization. The multi-head attention mechanism performs feature extraction on the time-series features and the position codes to obtain first data features; the first residual connection and layer normalization performs feature extraction on the time-series features, the position codes and the first data features to obtain second data features; the feedforward network performs feature extraction on the second data features to obtain third data features; and the second residual connection and layer normalization performs feature extraction on the third data features and the second data features to obtain the coding features.
In the above embodiment, the time series features and the position codes extracted by the two-way long-short-term memory network are input to the encoder, wherein the position code calculation is as shown in the formula (16).
(16)/>
In equation (16), p is the current position, 2i represents the even dimension, 2i+1 represents the odd dimension,for inputting feature number>And->Representing the corresponding position-coded values for even and odd dimensions, respectively.
The encoder structure in the embodiment of the disclosure can prevent network degradation and accelerate network parameter convergence.
In some embodiments of the present disclosure, the prediction layer includes: a global average pooling layer, a random deactivation (dropout) layer and a fully connected layer. The output of the encoder is processed by the prediction layer to obtain the final output of the network security situation awareness model. The global average pooling layer alleviates over-fitting by reducing the number of parameters the fully connected layer has to optimize; on top of it, the random deactivation mechanism ignores some units with a certain probability, which further alleviates over-fitting. Finally, the fully connected layer maps the result through an activation function and outputs the final network security situation awareness result.
In some embodiments of the present disclosure, after the network security situation awareness model is built, the model is trained and verified on the training set and the verification set divided from the data set to obtain a highly reliable and robust network security situation awareness model. The performance of the model is then verified by evaluating the quality of the network security perception results on the test set.
In the above-described method embodiments of the present disclosure, current network source data is acquired; performing feature processing on the current network source data to obtain network feature data; inputting network characteristic data into a network security situation awareness model to obtain a current network security awareness result, wherein the network security situation awareness model comprises a two-way long-short-term memory network, an encoder and a prediction layer which are sequentially connected; the network security situation awareness model is used for predicting the security situation of the current network, and accuracy of network security detection is improved. The network security situation awareness model of the embodiment of the disclosure integrates various network security detection devices and technologies such as honeypots, firewalls, IDSs and the like, key features of network security data are extracted through a feature dimension reduction algorithm, and data dimension is reduced on the premise of retaining original information of the data. The bidirectional long-short-term memory network can fully mine the time sequence and the context information of network data, meanwhile, the introduction of the encoder increases the advantages of parallelization calculation and long-distance dependent learning of a model, can realize high-reliability and strong-robustness network security situation awareness, and provides powerful technical support for network security defense.
Fig. 6 is a schematic structural diagram of an information processing apparatus 60 provided in an exemplary embodiment of the present disclosure. As shown in fig. 6, the information processing apparatus 60 includes: an acquisition module 61, a feature processing module 62 and a perception model module 63.
The acquiring module 61 is configured to acquire current network source data;
the feature processing module 62 is configured to perform feature processing on current network source data to obtain network feature data;
the sensing model module 63 is configured to input the network feature data into a network security situation sensing model to obtain a current network security sensing result, where the network security situation sensing model includes a bidirectional long-short-term memory network, an encoder, and a prediction layer that are sequentially connected.
Optionally, the perception model module 63 is configured to, when inputting the network feature data into the network security situation perception model to obtain the current network security perception result:
the network security situation awareness model is internally provided with a two-way long-short-term memory network, which is used for extracting the characteristics of network characteristic data to obtain time sequence characteristics and position codes, and outputting the time sequence characteristics and the position codes to an encoder;
the coder is used for carrying out coding processing on the time sequence characteristics and the position codes to obtain coding characteristics, and outputting the coding characteristics to the prediction layer;
And the prediction layer is used for predicting the network security perception result according to the coding characteristics to obtain the current network security perception result.
Optionally, the bidirectional long and short term memory network comprises: a forward long-short term memory network and a reverse long-short term memory network; the perceptual model module 63 is configured to, when extracting the characteristics of the network characteristic data to obtain the time-series characteristics and the position codes:
a forward long-short term memory network for extracting features from past network feature data;
the reverse long-short-term memory network is used for extracting features from future network feature data;
and the two-way long-short-term memory network performs feature extraction according to the linear rectification activation function to obtain time sequence features and position codes.
Optionally, the encoder comprises: a multi-head attention mechanism, a first residual connection and layer normalization, a feedforward network, and a second residual connection and layer normalization; the perceptual model module 63 is configured to, when performing encoding processing on the time-series feature and the position code to obtain an encoded feature and outputting the encoded feature to the prediction layer:
the multi-head attention mechanism is used for extracting the characteristics of the time sequence characteristics and the position codes to obtain first data characteristics;
The first residual connection and layer normalization are used for carrying out feature extraction on the time sequence features, the position codes and the first data features to obtain second data features;
the feedforward network is used for extracting the characteristics of the second data characteristics to obtain third data characteristics;
and the second residual connection and layer normalization is used for carrying out feature extraction on the third data feature and the second data feature to obtain the coding feature.
Optionally, before using the network security posture awareness model, the awareness model module 63 is further configured to:
acquiring network source data;
extracting characteristics of network source data to obtain a network security data set;
preprocessing the network security data set to obtain a preprocessed network security data set;
performing characteristic dimension reduction on the preprocessed network security data set to obtain a dimension reduction data set;
labeling at least part of the dimensionality reduction data sets to obtain training sample sets;
and training the initial model according to the training sample set to obtain a network security situation awareness model.
Optionally, the perception model module 63 is configured to, when preprocessing the network security data set to obtain a preprocessed network security data set:
converting the categorical features in the network security data set into numerical values to obtain a digitized data set;
carrying out noise reduction treatment on the digitized data set by using a self-encoder to obtain a data set after the noise reduction treatment;
performing data cleaning on the data set subjected to the noise reduction treatment to obtain a data set subjected to the data cleaning;
and carrying out standardized processing on the data set after data cleaning to obtain a preprocessed network security data set.
Optionally, the perception model module 63 is configured to, when performing feature dimension reduction on the preprocessed network security data set to obtain a dimension reduction data set:
mapping the preprocessed network security data set into a high-dimensional space by using a mapping function and a radial basis function to obtain a high-dimensional space data set;
calculating a feature matrix of the high-dimensional space data set;
performing eigenvalue decomposition on the feature matrix to obtain eigenvalues and eigenvectors corresponding to the eigenvalues;
sorting the eigenvalues from large to small and taking the eigenvectors corresponding to the eigenvalues at the preset rank positions to obtain a projection matrix;
from the projection matrix, a reduced data set is determined.
The specific manner in which the various modules of the apparatus in the above embodiments perform their operations has been described in detail in connection with the method embodiments and is not repeated here.
Fig. 7 is a schematic structural diagram of an electronic device according to an exemplary embodiment of the present disclosure. As shown in fig. 7, the electronic device includes: a memory 71 and a processor 72. In addition, the electronic device further comprises a power supply component 73 and a communication component 74.
The memory 71 is used for storing computer programs and may be configured to store various other data to support operations on the electronic device. Examples of such data include instructions for any application or method operating on an electronic device.
The memory 71 may be implemented by any type of volatile or non-volatile memory device or combination thereof, such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disk.
The communication component 74 is used for data transmission with other devices.
The processor 72 executes the computer instructions stored in the memory 71 to: acquire current network source data; perform feature processing on the current network source data to obtain network feature data; and input the network feature data into a network security situation awareness model to obtain a current network security awareness result, wherein the network security situation awareness model comprises a two-way long-short-term memory network, an encoder and a prediction layer which are sequentially connected.
Accordingly, the disclosed embodiments also provide a computer-readable storage medium storing a computer program. The computer-readable storage medium stores a computer program that, when executed by one or more processors, causes the one or more processors to perform the steps in the method embodiment of fig. 1.
Accordingly, the disclosed embodiments also provide a computer program product comprising a computer program/instructions for executing the steps of the method embodiment of fig. 1 by a processor.
The communication component of fig. 7 is configured to facilitate wired or wireless communication between the device in which it is located and other devices. The device in which the communication component is located can access a wireless network based on a communication standard, such as WiFi, a 2G, 3G, 4G/LTE or 5G mobile communication network, or a combination thereof. In one exemplary embodiment, the communication component receives a broadcast signal or broadcast-related information from an external broadcast management system via a broadcast channel. In one exemplary embodiment, the communication component further includes a Near Field Communication (NFC) module to facilitate short-range communication. For example, the NFC module may be implemented based on Radio Frequency Identification (RFID) technology, Infrared Data Association (IrDA) technology, Ultra Wideband (UWB) technology, Bluetooth (BT) technology, and other technologies.
The power supply assembly shown in fig. 7 provides power to various components of the device in which the power supply assembly is located. The power components may include a power management system, one or more power sources, and other components associated with generating, managing, and distributing power for the devices in which the power components are located.
The electronic device further comprises a display screen and an audio component.
The display screen includes a screen, which may include a Liquid Crystal Display (LCD) and a Touch Panel (TP). If the screen includes a touch panel, the screen may be implemented as a touch screen to receive input signals from a user. The touch panel includes one or more touch sensors to sense touches, swipes, and gestures on the touch panel. The touch sensor may sense not only the boundary of a touch or sliding action, but also the duration and pressure associated with the touch or sliding operation.
The audio component may be configured to output and/or input audio signals. For example, the audio component includes a microphone (MIC) configured to receive external audio signals when the device in which the audio component is located is in an operational mode, such as a call mode, a recording mode, or a speech recognition mode. The received audio signal may be further stored in a memory or transmitted via the communication component. In some embodiments, the audio component further comprises a speaker for outputting audio signals.
In the above-described apparatus, device, storage medium, and computer program product embodiments of the present disclosure, current network source data is obtained; feature processing is performed on the current network source data to obtain network feature data; and the network feature data is input into a network security situation awareness model to obtain a current network security awareness result, wherein the network security situation awareness model comprises a bidirectional long short-term memory network, an encoder and a prediction layer which are sequentially connected. The network security situation awareness model is used for predicting the security situation of the current network, which improves the accuracy of network security detection.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, such as random access memory (RAM), and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of computer-readable media.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible to a computing device. Computer-readable media, as defined herein, do not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
It should be noted that in this document, relational terms such as "first" and "second" are used solely to distinguish one entity or action from another entity or action, without necessarily requiring or implying any actual such relationship or order between those entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The above is merely a specific embodiment of the disclosure to enable one skilled in the art to understand or practice the disclosure. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (12)

1. An information processing method, characterized by comprising:
acquiring current network source data;
performing feature processing on the current network source data to obtain network feature data;
inputting the network feature data into a network security situation awareness model to obtain a current network security awareness result, wherein the network security situation awareness model comprises a bidirectional long short-term memory network, an encoder and a prediction layer which are sequentially connected;
wherein inputting the network feature data into the network security situation awareness model to obtain the current network security awareness result comprises:
the bidirectional long short-term memory network is used for performing feature extraction on the network feature data according to a rectified linear (ReLU) activation function to obtain time sequence features and position codes, and outputting the time sequence features and the position codes to the encoder;
the encoder is used for encoding the time sequence features and the position codes to obtain encoding features, and outputting the encoding features to the prediction layer;
the prediction layer includes: a global average pooling layer, a dropout layer and a fully connected layer, and is used for predicting a network security awareness result according to the encoding features to obtain the current network security awareness result;
the encoder includes: a multi-head attention mechanism, a first residual connection and layer normalization, a feedforward network, and a second residual connection and layer normalization; wherein the encoder being used for encoding the time sequence features and the position codes to obtain encoding features, and outputting the encoding features to the prediction layer, comprises:
the multi-head attention mechanism is used for performing feature extraction on the time sequence features and the position codes to obtain first data features;
the first residual connection and layer normalization are used for performing feature extraction on the time sequence features, the position codes and the first data features to obtain second data features;
the feedforward network is used for performing feature extraction on the second data features to obtain third data features;
and the second residual connection and layer normalization are used for performing feature extraction on the third data features and the second data features to obtain the encoding features.
2. The method of claim 1, wherein the bidirectional long short-term memory network comprises: a forward long short-term memory network and a reverse long short-term memory network; wherein the bidirectional long short-term memory network being used for performing feature extraction on the network feature data to obtain time sequence features and position codes comprises:
the forward long short-term memory network is used for extracting features from the past network feature data;
the reverse long short-term memory network is used for extracting features from the future network feature data;
and the bidirectional long short-term memory network performs feature extraction according to the rectified linear (ReLU) activation function to obtain the time sequence features and position codes.
3. The method of claim 1, wherein prior to using the network security situation awareness model, the method further comprises:
acquiring network source data;
performing feature extraction on the network source data to obtain a network security data set;
preprocessing the network security data set to obtain a preprocessed network security data set;
performing feature dimension reduction on the preprocessed network security data set to obtain a dimension reduction data set;
labeling network security awareness results for at least part of the dimension reduction data set to obtain a training sample set;
and training an initial model according to the training sample set to obtain the network security situation awareness model.
4. A method according to claim 3, wherein said preprocessing the network security data set to obtain a preprocessed network security data set comprises:
converting the categorical features in the network security data set into numerical values to obtain a digitized data set;
performing noise reduction on the digitized data set by using an autoencoder to obtain a noise-reduced data set;
performing data cleaning on the noise-reduced data set to obtain a cleaned data set;
and standardizing the cleaned data set to obtain the preprocessed network security data set.
5. A method according to claim 3, wherein said performing feature dimension reduction on said preprocessed network security data set to obtain a dimension reduction data set comprises:
mapping the preprocessed network security data set into a high-dimensional space by using a mapping function and a radial basis function to obtain a high-dimensional space data set;
calculating a feature matrix of the high-dimensional space data set;
performing eigenvalue decomposition on the feature matrix to obtain eigenvalues and the eigenvectors corresponding to the eigenvalues;
in descending order of the eigenvalues, taking the eigenvectors corresponding to the eigenvalues at the preset positions to obtain a projection matrix;
and determining the dimension reduction data set according to the projection matrix.
6. An information processing apparatus, characterized by comprising:
the acquisition module is used for acquiring current network source data;
the feature processing module is used for performing feature processing on the current network source data to obtain network feature data;
the network security situation awareness module is used for inputting the network feature data into a network security situation awareness model to obtain a current network security awareness result, wherein the network security situation awareness model comprises a bidirectional long short-term memory network, an encoder and a prediction layer which are sequentially connected;
wherein, when the perception model module inputs the network feature data into the network security situation awareness model to obtain the current network security awareness result:
the bidirectional long short-term memory network is used for performing feature extraction on the network feature data according to a rectified linear (ReLU) activation function to obtain time sequence features and position codes, and outputting the time sequence features and the position codes to the encoder;
the encoder is used for encoding the time sequence features and the position codes to obtain encoding features, and outputting the encoding features to the prediction layer;
the prediction layer includes: a global average pooling layer, a dropout layer and a fully connected layer, and is used for predicting a network security awareness result according to the encoding features to obtain the current network security awareness result;
the encoder includes: a multi-head attention mechanism, a first residual connection and layer normalization, a feedforward network, and a second residual connection and layer normalization; wherein, when the perception model module encodes the time sequence features and the position codes to obtain encoding features and outputs the encoding features to the prediction layer:
the multi-head attention mechanism is used for performing feature extraction on the time sequence features and the position codes to obtain first data features;
the first residual connection and layer normalization are used for performing feature extraction on the time sequence features, the position codes and the first data features to obtain second data features;
the feedforward network is used for performing feature extraction on the second data features to obtain third data features;
and the second residual connection and layer normalization are used for performing feature extraction on the third data features and the second data features to obtain the encoding features.
7. The apparatus of claim 6, wherein the bidirectional long short-term memory network comprises: a forward long short-term memory network and a reverse long short-term memory network; wherein, when the perception model module performs feature extraction on the network feature data to obtain time sequence features and position codes:
the forward long short-term memory network is used for extracting features from the past network feature data;
the reverse long short-term memory network is used for extracting features from the future network feature data;
and the bidirectional long short-term memory network performs feature extraction according to the rectified linear (ReLU) activation function to obtain the time sequence features and position codes.
8. The apparatus of claim 6, wherein prior to using the network security situation awareness model, the perception model module is further configured for:
acquiring network source data;
performing feature extraction on the network source data to obtain a network security data set;
preprocessing the network security data set to obtain a preprocessed network security data set;
performing feature dimension reduction on the preprocessed network security data set to obtain a dimension reduction data set;
labeling network security awareness results for at least part of the dimension reduction data set to obtain a training sample set;
and training an initial model according to the training sample set to obtain the network security situation awareness model.
9. The apparatus of claim 8, wherein the perception model module, when preprocessing the network security data set to obtain a preprocessed network security data set, is configured for:
converting the categorical features in the network security data set into numerical values to obtain a digitized data set;
performing noise reduction on the digitized data set by using an autoencoder to obtain a noise-reduced data set;
performing data cleaning on the noise-reduced data set to obtain a cleaned data set;
and standardizing the cleaned data set to obtain the preprocessed network security data set.
10. The apparatus of claim 8, wherein the perception model module, when performing feature dimension reduction on the preprocessed network security data set to obtain a dimension reduction data set, is configured for:
mapping the preprocessed network security data set into a high-dimensional space by using a mapping function and a radial basis function to obtain a high-dimensional space data set;
calculating a feature matrix of the high-dimensional space data set;
performing eigenvalue decomposition on the feature matrix to obtain eigenvalues and the eigenvectors corresponding to the eigenvalues;
in descending order of the eigenvalues, taking the eigenvectors corresponding to the eigenvalues at the preset positions to obtain a projection matrix;
and determining the dimension reduction data set according to the projection matrix.
11. An electronic device, comprising:
a processor;
a memory for storing the processor-executable instructions;
wherein the processor is configured to execute the instructions to implement the steps in the method of any of claims 1-5.
12. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1-5.
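The dimension-reduction steps of claims 5 and 10 (radial basis function mapping, feature matrix, eigenvalue decomposition, eigenvectors taken in descending eigenvalue order, projection) written out as kernel PCA. This is an added example, not code from the patent: it assumes the usual kernel-trick formulation (eigendecomposition of the centred Gram matrix), and `SAMPLES`, `gamma`, `k` and all function names are constructed for illustration.

```python
import math

# Constructed, already standardised flow features (not from the patent):
# rows 0-3 come from one traffic regime, rows 4-7 from another.
SAMPLES = [
    [0.0, 0.1, -0.1], [0.2, -0.1, 0.0], [-0.1, 0.2, 0.1], [0.1, 0.0, 0.2],
    [3.0, 2.9, -3.1], [3.2, 3.1, -2.9], [2.9, 3.0, -3.0], [3.1, 3.2, -3.2],
]


def rbf_kernel_matrix(X, gamma):
    """K[i][j] = exp(-gamma * ||x_i - x_j||^2): inner products of the mapped samples."""
    n = len(X)
    return [[math.exp(-gamma * sum((a - b) ** 2 for a, b in zip(X[i], X[j])))
             for j in range(n)] for i in range(n)]


def center_kernel(K):
    """Double-centre K so the mapped samples have zero mean in the high-dimensional space."""
    n = len(K)
    row_mean = [sum(r) / n for r in K]
    total_mean = sum(row_mean) / n
    return [[K[i][j] - row_mean[i] - row_mean[j] + total_mean
             for j in range(n)] for i in range(n)]


def jacobi_eigh(A, sweeps=50, tol=1e-20):
    """Eigen-decomposition of a symmetric matrix by cyclic Jacobi rotations.
    Returns (eigenvalues, V) where column i of V is the eigenvector of eigenvalue i."""
    n = len(A)
    A = [r[:] for r in A]
    V = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    for _ in range(sweeps):
        if sum(A[i][j] ** 2 for i in range(n) for j in range(i + 1, n)) < tol:
            break
        for p in range(n - 1):
            for q in range(p + 1, n):
                if abs(A[p][q]) < 1e-15:
                    continue
                diff = A[q][q] - A[p][p]
                # Small-angle solution of tan(2*theta) = 2*A[p][q] / diff.
                theta = 0.5 * math.atan2(2 * A[p][q] * math.copysign(1.0, diff), abs(diff))
                c, s = math.cos(theta), math.sin(theta)
                for M in (A, V):              # right-multiply A and V by the rotation
                    for r in range(n):
                        mp, mq = M[r][p], M[r][q]
                        M[r][p], M[r][q] = c * mp - s * mq, s * mp + c * mq
                for r in range(n):            # left-multiply A by the transposed rotation
                    ap, aq = A[p][r], A[q][r]
                    A[p][r], A[q][r] = c * ap - s * aq, s * ap + c * aq
    return [A[i][i] for i in range(n)], V


def kernel_pca(X, gamma, k):
    """Return (top-k eigenvalues, projection matrix, reduced data set)."""
    n = len(X)
    Kc = center_kernel(rbf_kernel_matrix(X, gamma))
    vals, V = jacobi_eigh(Kc)
    # Descending eigenvalue order, keep the first k positions.
    order = sorted(range(n), key=lambda i: vals[i], reverse=True)[:k]
    if any(vals[i] <= 1e-12 for i in order):
        raise ValueError("k exceeds the number of positive eigenvalues")
    # Projection matrix: eigenvectors scaled to unit length in the mapped space.
    P = [[V[r][i] / math.sqrt(vals[i]) for i in order] for r in range(n)]
    # Reduced data set: each sample's coordinates on the k retained components.
    Z = [[sum(Kc[r][m] * P[m][j] for m in range(n)) for j in range(k)]
         for r in range(n)]
    return [vals[i] for i in order], P, Z


if __name__ == "__main__":
    eigvals, _, reduced = kernel_pca(SAMPLES, gamma=0.5, k=2)
    print("eigenvalues:", [round(v, 4) for v in eigvals])
    for row in reduced:
        print([round(z, 4) for z in row])
```

With these constructed samples the first retained component takes opposite signs for the two regimes, so a single coordinate already carries the split that the downstream model is trained on.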
CN202311178977.8A 2023-09-13 2023-09-13 Information processing method, device, equipment and storage medium Active CN116915511B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311178977.8A CN116915511B (en) 2023-09-13 2023-09-13 Information processing method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311178977.8A CN116915511B (en) 2023-09-13 2023-09-13 Information processing method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN116915511A CN116915511A (en) 2023-10-20
CN116915511B true CN116915511B (en) 2023-12-08

Family

ID=88358795

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311178977.8A Active CN116915511B (en) 2023-09-13 2023-09-13 Information processing method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN116915511B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant