CN117318981A - Network attack prediction method, system, electronic equipment and storage medium - Google Patents

Publication number
CN117318981A
Authority
CN
China
Prior art keywords
vector
network
map
feature mapping
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311000479.4A
Other languages
Chinese (zh)
Inventor
顾钊铨
赵昂霄
方滨兴
贾焰
景晓
李润恒
高翠芸
张欢
谢敏容
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Higher Research Institute Of University Of Electronic Science And Technology Shenzhen
Sichuan Yilan Situation Technology Co ltd
Peng Cheng Laboratory
Original Assignee
Higher Research Institute Of University Of Electronic Science And Technology Shenzhen
Sichuan Yilan Situation Technology Co ltd
Peng Cheng Laboratory
Application filed by Higher Research Institute Of University Of Electronic Science And Technology Shenzhen, Sichuan Yilan Situation Technology Co ltd, Peng Cheng Laboratory

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Image Analysis (AREA)

Abstract

The embodiment of the application provides a network attack prediction method, a network attack prediction system, electronic equipment and a storage medium, and belongs to the technical field of data processing. The method comprises the following steps: acquiring a network data map and a corresponding historical feature mapping vector at each time point; vectorizing the network data map to obtain a map embedding vector, obtaining a network RGB map corresponding to each time point, and carrying out feature mapping on the network RGB map at the current moment to obtain a first feature mapping vector; performing optical flow map conversion on the network RGB map at each moment and at least one network RGB map adjacent to each moment to obtain a network optical flow map; performing feature mapping processing on the network light flow graph to obtain a second feature mapping vector; constructing a predicted feature mapping vector according to the first feature mapping vector and the second feature mapping vector; and screening the predicted attack data from the historical attack data according to the predicted feature mapping vector and the historical feature mapping vector to obtain a network attack predicted result.

Description

Network attack prediction method, system, electronic equipment and storage medium
Technical Field
The present disclosure relates to the field of data processing technologies, and in particular, to a network attack prediction method, a system, an electronic device, and a storage medium.
Background
With the development of artificial intelligence technology, massive information on the internet is better connected and utilized. The knowledge graph, as a representative knowledge representation method together with its related embedding technology, makes calculation, reasoning and application of knowledge possible. However, in the field of network security, the truth of many facts changes with time and space, and if these characteristics are not considered, invalid knowledge in the knowledge graph keeps accumulating. To solve this problem, a representation of time-space characteristics can be added on top of a general knowledge graph through a network data map model, so that the specific changes can be understood. However, as the attacker, the attack object and the attack mode change continuously, the network data map cannot accurately predict the attack at the next moment.
Disclosure of Invention
The embodiment of the application mainly aims to provide a network attack prediction method, a system, electronic equipment and a storage medium, which can be used for predicting the attack at the next moment of a network data map and improving the accuracy of network attack prediction.
To achieve the above object, a first aspect of an embodiment of the present application provides a network attack prediction method, where the method includes: acquiring a network data map at each time point and a historical feature mapping vector of each network data map; the network data map is constructed by historical network monitoring data generated at each moment of the history, and the historical network monitoring data comprises historical attack data; vectorizing the network data map to obtain a map embedding vector; performing RGB image conversion on the map embedding vectors corresponding to the time points to obtain a network RGB image; acquiring the network RGB image corresponding to the current time point, and performing feature mapping processing on the network RGB image to obtain a first feature mapping vector; performing optical flow map conversion on the network RGB map of each time point and one network RGB map corresponding to the adjacent last time point to obtain a network optical flow map; performing feature mapping processing on the network light flow graph to obtain a second feature mapping vector; constructing a predicted feature mapping vector according to the first feature mapping vector and the second feature mapping vector; and screening predicted attack data from the historical attack data according to the predicted feature mapping vector and the historical feature mapping vector to obtain a network attack predicted result.
According to some embodiments of the present application, the network data map includes original triplet data; the vectorizing the network data map to obtain a map embedding vector includes: inputting the network data map into a preset convolutional neural network, wherein the convolutional neural network comprises a dimension reduction layer, a convolution layer and an activation function layer; performing dimension reduction processing on the original triplet data through the dimension reduction layer and a preset dimension to obtain candidate triplet data; performing feature extraction on the candidate triplet data through the convolution layer to obtain triplet feature information; and performing nonlinear transformation on the triplet feature information through the activation function layer to obtain the map embedding vector.
According to some embodiments of the application, after the inputting the network data map into a preset convolutional neural network, the method further includes: training the convolutional neural network specifically comprises: inputting the map embedded vector to a linear conversion evaluation model for linear conversion evaluation to obtain linear conversion evaluation data; training the convolutional neural network according to the linear transformation evaluation data.
According to some embodiments of the present application, the inputting the map embedding vector into a linear transformation evaluation model to perform linear transformation evaluation, to obtain linear transformation evaluation data, includes: multiplying the map embedding vector by the filtering parameter of the linear transformation evaluation model, and adding a first bias to the obtained product to obtain a first map embedding vector; activating the first map embedding vector through an activation function, and adding a second bias to the result to obtain a second map embedding vector; and multiplying the second map embedding vector by the linear operation coefficient of the linear transformation evaluation model to obtain the linear transformation evaluation data.
According to some embodiments of the present application, the performing RGB map conversion on the map embedding vectors corresponding to the time points to obtain a network RGB map includes: normalizing the map embedding vectors corresponding to each time point to obtain candidate embedding vectors; performing product operation according to a preset color intensity value and the candidate embedded vector to obtain a target embedded vector; and constructing the network RGB map according to the target embedded vector and a preset pixel color value.
According to some embodiments of the present application, the normalizing the map embedding vectors corresponding to each time point to obtain candidate embedding vectors includes: acquiring a plurality of map embedding vectors corresponding to each time point, wherein each map embedding vector comprises a head entity vector, a relation vector and a tail entity vector; sorting the map embedding vectors to obtain the extreme values of the plurality of head entity vectors, of the plurality of relation vectors and of the plurality of tail entity vectors, wherein the extreme values comprise a maximum value and a minimum value; obtaining a target vector, wherein the target vector is the map embedding vector that needs to be normalized; subtracting the minimum value corresponding to the head entity vector from the head entity vector of the target vector to obtain a head entity reference value; subtracting the minimum value corresponding to the relation vector from the relation vector to obtain a relation reference value; subtracting the minimum value corresponding to the tail entity vector from the tail entity vector to obtain a tail entity reference value; dividing the head entity reference value by the difference between the maximum value and the minimum value corresponding to the head entity vector to obtain a normalized head entity vector; dividing the relation reference value by the difference between the maximum value and the minimum value corresponding to the relation vector to obtain a normalized relation vector; dividing the tail entity reference value by the difference between the maximum value and the minimum value corresponding to the tail entity vector to obtain a normalized tail entity vector; and obtaining the candidate embedding vectors according to the normalized head entity vector, the normalized relation vector and the normalized tail entity vector.
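The normalization and RGB conversion described in the two preceding paragraphs can be sketched as follows. This is an added example, not code from the application: the image layout (one triple per row, one embedding dimension per column, head/relation/tail mapped to R/G/B), the intensity value 255 and the handling of a zero max-min difference are assumptions, and the sample embeddings are constructed.

```python
# Added illustration: per-family min-max normalisation of (head, relation, tail)
# embeddings followed by scaling with a preset colour intensity.
# Assumptions: intensity 255, one triple per image row, one dimension per column.

COLOR_INTENSITY = 255  # assumed "preset color intensity value"

# Constructed sample: two triples embedded in two dimensions.
SAMPLE_TRIPLES = [
    ([0.0, 1.0], [-1.0, 1.0], [2.0, 2.0]),
    ([0.2, 0.6], [0.2, 0.6], [2.0, 2.0]),
]


def component_range(vectors):
    """Return (minimum, maximum) over every component of a list of vectors."""
    flat = [x for vec in vectors for x in vec]
    return min(flat), max(flat)


def min_max(vector, lo, hi):
    """(x - min) / (max - min) per component.

    The text does not say what happens when max == min; mapping every
    component to 0.0 avoids the division by zero (assumption).
    """
    span = hi - lo
    if span == 0:
        return [0.0 for _ in vector]
    return [(x - lo) / span for x in vector]


def embeddings_to_rgb(triples):
    """Convert the embeddings of one time point into rows of (R, G, B) pixels."""
    if not triples:
        raise ValueError("no map embedding vectors for this time point")
    dim = len(triples[0][0])
    for head, rel, tail in triples:
        if not (len(head) == len(rel) == len(tail) == dim):
            raise ValueError("head, relation and tail vectors must share one dimension")

    # Extreme values are taken separately for heads, relations and tails.
    h_lo, h_hi = component_range([h for h, _, _ in triples])
    r_lo, r_hi = component_range([r for _, r, _ in triples])
    t_lo, t_hi = component_range([t for _, _, t in triples])

    image = []
    for head, rel, tail in triples:
        hn = min_max(head, h_lo, h_hi)
        rn = min_max(rel, r_lo, r_hi)
        tn = min_max(tail, t_lo, t_hi)
        row = [
            (round(a * COLOR_INTENSITY),
             round(b * COLOR_INTENSITY),
             round(c * COLOR_INTENSITY))
            for a, b, c in zip(hn, rn, tn)
        ]
        image.append(row)
    return image


if __name__ == "__main__":
    for row in embeddings_to_rgb(SAMPLE_TRIPLES):
        print(row)
```

Because the extreme values are recomputed per time point, the same embedding can map to different pixel values in two consecutive images when the range shifts, which affects what any later frame-to-frame comparison sees.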
According to some embodiments of the present application, the performing optical flow map conversion on the network RGB map at each time point and one network RGB map corresponding to a previous time point to obtain a network optical flow map includes: acquiring a network RGB (red, green and blue) graph of each time point and an adjacent network RGB graph corresponding to the last time point adjacent to each time point; carrying out weighted average on pixel values in the network RGB image to obtain a first gray image; carrying out weighted average on pixel values in the adjacent network RGB image to obtain a second gray image; performing optical flow calculation on the first gray level image and the second gray level image through a Fabry-Perot algorithm to obtain a first optical flow characteristic vector and a second optical flow characteristic vector; combining according to the first optical flow characteristic vector and the second optical flow characteristic vector to form an initial optical flow diagram; and performing color coding on the initial optical flow graph to obtain a network optical flow graph.
According to some embodiments of the application, the constructing a predicted feature mapping vector from the first feature mapping vector and the second feature mapping vector includes: selecting a first allocation proportion corresponding to the first feature mapping vector and a second allocation proportion corresponding to the second feature mapping vector, wherein the sum of the first allocation proportion and the second allocation proportion is 1; and adding the product of the first feature mapping vector and the first allocation proportion to the product of the second feature mapping vector and the second allocation proportion to obtain the predicted feature mapping vector.
According to some embodiments of the present application, after obtaining the prediction feature mapping vector, the method further includes: analyzing the prediction feature mapping vector to obtain a prediction analysis result; and according to the prediction analysis result, the first allocation proportion and the second allocation proportion are adjusted, and the prediction feature mapping vectors corresponding to the first feature mapping vector and the second feature mapping vector are built again.
According to some embodiments of the present application, the filtering the predicted attack data from the historical attack data according to the predicted feature mapping vector and the historical feature mapping vector to obtain a network attack prediction result includes: performing similarity calculation according to the predicted feature mapping vector and the historical feature mapping vector to obtain vector similarity; obtaining the maximum value of the vector similarity to obtain the maximum similarity; and taking the historical attack data corresponding to the maximum similarity as the predicted attack data.
According to some embodiments of the present application, performing similarity calculation according to the prediction feature mapping vector and the historical feature mapping vector to obtain a vector similarity, including: multiplying the predicted feature mapping vector and the historical feature mapping vector to obtain a first product; taking the modulus value of the prediction feature mapping vector as a first vector modulus value; taking the module value of the history feature mapping vector as a second vector module value; multiplying the first vector modulus value and the second vector modulus value to obtain a second product; and dividing the first product by the second product to obtain the vector similarity.
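The fusion by allocation proportions and the similarity-based screening described above can be sketched as follows. This is an added example, not code from the application: the function names, the feature vectors and the history labels are constructed, and returning a similarity of 0.0 for a zero-length vector is an assumption the text does not cover.

```python
# Added illustration: weighted fusion of the two feature mapping vectors and
# screening of historical attack data by maximum cosine similarity.
import math


def fuse(first, second, first_share):
    """Predicted vector = first_share * first + (1 - first_share) * second."""
    if not 0.0 <= first_share <= 1.0:
        raise ValueError("allocation proportions must lie in [0, 1] and sum to 1")
    if len(first) != len(second):
        raise ValueError("feature mapping vectors must have equal length")
    second_share = 1.0 - first_share
    return [first_share * a + second_share * b for a, b in zip(first, second)]


def cosine_similarity(u, v):
    """Dot product divided by the product of the two vector moduli."""
    if len(u) != len(v):
        raise ValueError("vectors must have equal length")
    dot = sum(a * b for a, b in zip(u, v))
    moduli = math.sqrt(sum(a * a for a in u)) * math.sqrt(sum(b * b for b in v))
    if moduli == 0:
        return 0.0  # assumption: an all-zero vector matches nothing
    return dot / moduli


def screen_predicted_attack(predicted, history):
    """history: list of (label, historical feature mapping vector).

    Returns (best label, best similarity, full ranking) so an analyst can
    see how close the runner-up entries were.
    """
    if not history:
        raise ValueError("no historical feature mapping vectors")
    ranking = sorted(
        ((label, cosine_similarity(predicted, vec)) for label, vec in history),
        key=lambda item: item[1],
        reverse=True,
    )
    best_label, best_sim = ranking[0]
    return best_label, best_sim, ranking


# Constructed sample data (not from the application).
FIRST_VEC = [1.0, 0.0, 0.0]    # stands in for the RGB-map feature vector
SECOND_VEC = [0.0, 1.0, 0.0]   # stands in for the optical-flow feature vector
HISTORY = [
    ("brute-force login burst (constructed)", [1.0, 1.0, 0.0]),
    ("horizontal port scan (constructed)", [1.0, 0.0, 0.0]),
    ("dns tunnelling (constructed)", [0.0, 0.0, 1.0]),
    ("empty record (constructed)", [0.0, 0.0, 0.0]),
]


def predict(first_share):
    """Fuse with the given first allocation proportion and screen the history."""
    return screen_predicted_attack(fuse(FIRST_VEC, SECOND_VEC, first_share), HISTORY)


if __name__ == "__main__":
    for share in (0.5, 0.9):
        label, sim, _ = predict(share)
        print(f"first proportion {share}: {label} (similarity {sim:.4f})")
```

Changing the first allocation proportion from 0.5 to 0.9 changes which historical record wins, which is why the proportion adjustment step described earlier has a direct effect on the prediction result.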
According to some embodiments of the present application, the method further comprises: acquiring map size information of the network data map; setting the structure of the convolutional neural network according to the map size information; the convolutional neural network comprises a first convolutional neural network and a second convolutional neural network; the lengths of the first convolutional neural network and the second convolutional neural network are equal; the first convolutional neural network is used for acquiring the network RGB image corresponding to the current moment, and performing feature mapping processing on the network RGB image to obtain a first feature mapping vector; and the second convolutional neural network is used for carrying out feature mapping processing on the network optical flow graph to obtain a second feature mapping vector.
According to some embodiments of the present application, the method further comprises: acquiring network monitoring update data at each moment; updating the corresponding network data map according to the network monitoring update data to obtain an update data map; acquiring updated size information of the updated data map; and updating the structure of the convolutional neural network at corresponding moments according to the updated size information.
To achieve the above object, an embodiment of a second aspect of the present application proposes a network attack prediction system, including: the data acquisition module is used for acquiring a network data map at each time point and a historical feature mapping vector of each network data map; the network data map is constructed by historical network monitoring data generated at each moment of the history, and the historical network monitoring data comprises historical attack data; the map embedding vector acquisition module is used for carrying out vectorization processing on the network data map to obtain a map embedding vector; the network RGB image acquisition module is used for carrying out RGB image conversion on the map embedding vectors corresponding to the time points to obtain a network RGB image; the first feature mapping vector acquisition module is used for acquiring the network RGB image corresponding to the current time point, and carrying out feature mapping processing on the network RGB image to obtain a first feature mapping vector; the network light flow graph acquisition module is used for carrying out light flow graph conversion on the network RGB graph of each time point and one network RGB graph corresponding to the adjacent last time point to obtain a network light flow graph; the second feature mapping vector acquisition module is used for carrying out feature mapping processing on the network light flow graph to obtain a second feature mapping vector; the prediction feature mapping vector construction module is used for constructing a prediction feature mapping vector according to the first feature mapping vector and the second feature mapping vector; and the network attack prediction result acquisition module is used for screening predicted attack data from the historical attack data according to the predicted feature mapping vector and the historical feature mapping vector to obtain a network attack prediction result.
To achieve the above object, an embodiment of a third aspect of the present application provides an electronic device, where the electronic device includes a memory and a processor, where the memory stores a computer program, and the processor implements the network attack prediction method according to any one of the embodiments of the first aspect of the present application when executing the computer program.
To achieve the above object, an embodiment of a fourth aspect of the present application proposes a computer-readable storage medium storing a computer program, which when executed by a processor, implements a network attack prediction method according to any one of the embodiments of the first aspect of the present application.
According to the network attack prediction method, the network attack prediction system, the electronic equipment and the storage medium, the network data map at the current moment can be obtained and vectorized to obtain the map embedding vector, all the map embedding vectors are subjected to RGB map conversion according to the corresponding time point to obtain the network RGB map, and the network RGB map at the latest moment is subjected to feature mapping processing to obtain the first feature mapping vector. The network RGB map corresponding to each time point and the network RGB map of the adjacent previous time point can also be subjected to optical flow map conversion to obtain a network optical flow map representing the change, from which a second feature mapping vector is obtained. The second feature mapping vector can characterize the trend of change of the network data map. The first feature mapping vector and the second feature mapping vector can then be combined to construct the predicted feature mapping vector, the predicted feature mapping vector can be analyzed against the historical feature mapping vectors, and the predicted attack data for the moment following the current moment can be screened out to obtain the network attack prediction result. In this way the change trend of the changing network data map can be predicted, and the accuracy of attack prediction at the next moment of the network data map is improved.
Drawings
Fig. 1 is a schematic structural diagram of a network attack prediction system provided in an embodiment of the present application;
FIG. 2 is a flowchart of a network attack prediction method provided in an embodiment of the present application;
FIG. 3-a is a schematic diagram of a knowledge graph provided in an embodiment of the present application;
FIG. 3-b is a schematic diagram of an MDATA map provided in an embodiment of the present application;
fig. 4 is a flowchart of step S102 of fig. 2;
FIG. 5 is a schematic diagram of a graph embedding vector provided in an embodiment of the present application;
FIG. 6 is a flowchart of a network attack prediction method according to another embodiment of the present application;
fig. 7 is a flowchart of step S301;
fig. 8 is a flowchart of step S103 of fig. 2;
fig. 9 is a flowchart of step S501;
fig. 10 is a flowchart of step S105 of fig. 2;
FIG. 11 is a flowchart of step S107 of FIG. 2;
FIG. 12 is a flow chart following the derivation of a predicted feature map vector provided by an embodiment of the present application;
fig. 13 is a flowchart of step S108 of fig. 2;
fig. 14 is a flowchart of step S1001 of fig. 13;
FIG. 15 is a further flowchart of a network attack prediction method provided in another embodiment of the present application;
FIG. 16 is yet another flow chart of a network attack prediction method provided in another embodiment of the present application;
FIG. 17 is a schematic diagram of a functional module of a cyber attack prediction system according to an embodiment of the present disclosure;
fig. 18 is a schematic hardware structure of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be further described in detail with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application.
It should be noted that although functional block division is performed in a device diagram and a logic sequence is shown in a flowchart, in some cases, the steps shown or described may be performed in a different order than the block division in the device, or in the flowchart. The terms first, second and the like in the description and in the claims and in the above-described figures, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein is for the purpose of describing embodiments of the present application only and is not intended to be limiting of the present application.
The knowledge graph is an important knowledge representation method and embedding technology, and makes it possible to calculate, infer and apply knowledge. However, in the field of network security, the truth of many facts changes with time and space, and if these characteristics are not considered, invalid information in the knowledge graph will gradually increase. To solve this problem, a network data map model (such as an MDATA map) adds the expression of time characteristics on the basis of a general knowledge graph, so that the specific changes can be better understood. However, as the attack subject changes continuously and the attack object and the attack mode evolve continuously, the network data map model can only predict from the static network data map, and the prediction basis is incomplete. This causes problems with the authenticity and accuracy of the prediction and with the integrity of the predicted data, so that the attack at the next moment cannot be predicted accurately.
Based on the above, the embodiment of the application provides a network attack prediction method, a system, electronic equipment and a storage medium, which can predict the change trend of a changed network data map and improve the accuracy of attack prediction at the next moment of the network data map.
The method, the system, the electronic device and the storage medium for predicting the network attack provided by the embodiment of the application are specifically described through the following embodiments, and the system for predicting the network attack in the embodiment of the application is described first.
Referring to fig. 1, in some embodiments, the cyber attack prediction system includes a control module 101, a time data acquisition module 102, an image conversion module 103, a feature map vector acquisition module 104, and a data filtering module 105.
In some embodiments, the control module 101 may be a neural hub and command center of the system. The control module 101 can generate operation control signals according to the instruction operation code and the time sequence signals to complete the control of instruction fetching and instruction execution. Illustratively, the control module 101 may control the time data acquisition module 102, the image conversion module 103, the feature mapping vector acquisition module 104, and the data filtering module 105 according to the instruction, and finally complete the attack prediction.
In some embodiments, the temporal data acquisition module 102 may acquire corresponding network data according to a point in time and convert the network data into a network data map. In some embodiments, the time data acquisition module 102 may establish a time line, and the time points on the time line are arranged in sequence, and then acquire the network data according to each time point. In some embodiments, the network data may be data with an attack, data with an attack address, and so on, which is not particularly limited by the embodiments of the present application. Illustratively, the temporal data acquisition module 102 may transmit the acquired network data pattern to the image conversion module 103 for processing.
In some embodiments, the image conversion module 103 may perform vectorization processing on the network data map corresponding to each time point to obtain a map embedding vector; the image conversion module 103 may further perform RGB map conversion on the map embedding vector to obtain a network RGB map. The image conversion module 103 may also perform optical flow map conversion according to the network RGB map at each time point and the network RGB map at the adjacent previous time point, to obtain a network optical flow map.
In some embodiments, the feature mapping vector acquisition module 104 may perform feature mapping processing on the network RGB map to obtain a first feature mapping vector; the feature mapping vector acquisition module 104 may further perform feature mapping processing on the network optical flow map obtained by the image conversion module 103 to obtain a second feature mapping vector. In some embodiments, the feature mapping vector acquisition module 104 may construct a predicted feature mapping vector from the first feature mapping vector and the second feature mapping vector.
In some embodiments, the data filtering module 105 may filter the predicted attack data from the historical attack data according to the predicted feature mapping vector and the historical feature mapping vector to obtain the network attack prediction result. The specific screening mode can be calculation of similarity, comparison of data and the like.
The network attack prediction method in the embodiment of the application can be illustrated by the following embodiment.
In the embodiments of the present application, when related processing is required to be performed according to data related to a user identity or a characteristic, such as user information, user behavior data, user history data, user location information, and the like, permission or consent of the user is obtained first, for example, when data stored by the user and a request for accessing cached data of the user are obtained first. Moreover, the collection, use, processing, etc. of such data would comply with relevant laws and regulations. In addition, when the embodiment of the application needs to acquire the sensitive personal information of the user, the independent permission or independent consent of the user is acquired through a popup window or a jump to a confirmation page or the like, and after the independent permission or independent consent of the user is explicitly acquired, necessary user related data for enabling the embodiment of the application to normally operate is acquired.
Fig. 2 is an optional flowchart of a network attack prediction method provided in an embodiment of the present application, where the method in fig. 2 may include, but is not limited to, steps S101 to S108.
Step S101, acquiring a network data map at each time point and a historical feature mapping vector of each network data map; the network data map is constructed by historical network monitoring data generated at each moment of the history, and the historical network monitoring data comprises historical attack data;
Step S102, vectorizing the network data map to obtain a map embedding vector;
Step S103, performing RGB map conversion on the map embedding vectors corresponding to each time point to obtain a network RGB map;
Step S104, acquiring the network RGB map corresponding to the current time point, and performing feature mapping processing on the network RGB map to obtain a first feature mapping vector;
Step S105, performing optical flow map conversion on the network RGB map of each time point and the network RGB map corresponding to the adjacent previous time point to obtain a network optical flow map;
Step S106, performing feature mapping processing on the network optical flow map to obtain a second feature mapping vector;
Step S107, constructing a predicted feature mapping vector according to the first feature mapping vector and the second feature mapping vector;
Step S108, screening out predicted attack data from the historical attack data according to the predicted feature mapping vector and the historical feature mapping vector to obtain a network attack prediction result.
In some embodiments, the network data map may be an MDATA map (intelligent data map), and may also be a data graph, a social graph, and the like. The embodiments of the present application are mainly described around MDATA maps, but the application range of the network attack prediction method of the present application is not limited to MDATA maps. It can be appreciated that a time main line can be constructed, and the corresponding network data can be acquired in the order of the time points, where the network data can be alarm logs, detection data, attack data and the like.
Referring to fig. 3-a and 3-b, fig. 3-a is a schematic diagram of a knowledge graph and fig. 3-b is a schematic diagram of an MDATA graph. It can be understood from the graph that the knowledge graph can only simply represent the relationship between the entities, and the MDATA graph can not only represent the relationship between the entities, but also represent the attribute of the entities and the relationship between the entities and the attribute, and the MDATA graph also has the dynamics and the expandability, so that the attack change prediction analysis can be performed on the network data through the MDATA graph.
For example, a network data map may be constructed from the network data. First, the network data is cleaned, including removal of duplicate data, handling of missing values, correction of data formats, and the like. When the network data carries sensitive information, the sensitive information can be desensitized to ensure the security of the data. Secondly, entity identification and relation extraction can be carried out on the cleaned data, extracting the entities in the data (an attacker and an attacked party, a source network address and a destination network address, an attack means and the like) and the relationships between the entities. Further, Natural Language Processing (NLP) techniques may be used to assist the extraction of entities and relationships. Finally, the network data map can be constructed and visually displayed by taking the entities as nodes and the relationships as edges.
In some embodiments, static knowledge composed of triplet knowledge in a network data map, that is, static knowledge composed of entities (including a head entity and a tail entity) and relations, may be extracted according to a time point, and embedded into a vector space through a convolutional neural network to perform vectorization processing, so as to obtain a map-embedded vector, so that the effect of network attack prediction is improved through the map-embedded vector.
It will be appreciated that, in general, each time point corresponds to one network data map; in some specific cases, a time point may also correspond to a plurality of network data maps. This application takes one network data map per time point as an example. In some embodiments, the map embedding vectors corresponding to each time point may be subjected to RGB map conversion to obtain a network RGB map; in other words, RGB map conversion is performed on all map embedding vectors to obtain the network RGB maps. The network RGB map is a vector image with color features, and can be understood as an RGB image or an RGB vector image. Specifically, the map embedding vectors are normalized so that the values of all head entity vectors, relation vectors and tail entity vectors are mapped into the interval [0,1], and all vectors are then multiplied by the scalar 255 (255 is the maximum color intensity of the network RGB map), so that all head entity vectors, relation vectors and tail entity vectors fall within the numerical range specified by the network RGB map. In some embodiments, the modulus of the triplet vectors contained in each map embedding vector is taken as the color of a pixel, and the pixels are arranged to obtain a network RGB map of fixed size.
In some embodiments, the convolutional neural network comprises a first convolutional neural network (a static information flow convolutional neural network) and a second convolutional neural network (i.e., a spatiotemporal flow convolutional neural network). The first convolutional neural network may be used to vectorize the network data map to obtain the map embedding vectors; after the map embedding vectors are converted into network RGB maps, the network RGB map corresponding to the current moment is input into the first convolutional neural network for feature mapping processing to obtain the first feature mapping vector. In some embodiments, the network data map may also be vectorized by the second convolutional neural network. In an embodiment of the present application, the second convolutional neural network is mainly configured to perform feature mapping processing on the network optical flow graph, which is obtained by converting the network RGB map at each moment together with at least one network RGB map adjacent to that moment, to obtain the second feature mapping vector. It can be understood that the latest time, the latest time point, the current time and the current time point all refer to the same concept.
In some embodiments, the feature mapping process may be performed on the network RGB map at the current time (i.e., the latest time) selected from the network RGB maps at the multiple times, to obtain the first feature mapping vector. It can be appreciated that the obtained first feature mapping vector can be used for tasks such as classification, clustering, identification and the like of the network, so that the structure and the behavior of the network data map can be better analyzed.
In some embodiments, the network optical flow graph may be obtained by performing optical flow graph conversion on the network RGB map at each time point and the network RGB map corresponding to the adjacent previous time point. For example, if the current time point is 12:15:01, the adjacent time (i.e. the previous time point) is selected according to a preset time point interval of 1 second (which can be set according to actual conditions); along the time main line, the adjacent time is 12:15:00, so the network data maps corresponding to 12:15:01 and 12:15:00 are selected and processed to obtain a network optical flow graph. As another example, there are 5 time points arranged in time sequence, each corresponding to one network RGB map, for a total of 5 network RGB maps numbered No. 1, No. 2, No. 3, No. 4 and No. 5. Performing optical flow graph conversion on the network RGB map at each moment and at least one adjacent network RGB map means converting the pairs No. 1 and No. 2, No. 2 and No. 3, No. 3 and No. 4, and No. 4 and No. 5, finally obtaining 4 network optical flow graphs. It can be understood that the network RGB map at the current time and 2 or 3 network RGB maps at adjacent times may also be converted to obtain a network optical flow graph; for example, network RGB maps No. 1, No. 2 and No. 3 are converted to obtain 1 network optical flow graph, which is not limited in this application.
It can be understood that the network optical flow graph converted from two or more network RGB maps captures the motion pattern and direction between the network RGB maps, so that the network attack prediction can be performed more accurately according to this change information.
In some embodiments, the network optical flow graph may be input into the second convolutional neural network, whose fully connected layer converts each feature map of the network optical flow graph into a specific output value, finally yielding the second feature mapping information of the network data map. That is, feature extraction is performed on the network optical flow graph through the second convolutional neural network to obtain the second feature mapping vector. It will be appreciated that the second feature mapping information transforms the original network optical flow graph into a more representative and more discriminative feature vector, thereby extracting richer information.
In some embodiments, the predictive feature map vector may be constructed from the first feature vector and the second feature vector. Specifically, the predictive feature mapping vector may be constructed by performing weighted average on the first feature vector and the second feature vector according to a preset allocation ratio, or directly adding the first feature vector and the second feature vector. It will be appreciated that the predicted feature map vector may represent a vector of changes at the next instant of prediction. It can be understood that the predicted feature mapping vector is obtained by construction, so that the feature information of the latest moment is obtained, and the change information is also obtained, and therefore, the network attack predicted vector of the next moment of the latest moment can be obtained.
In some embodiments, similarity calculation can be performed through the predicted feature mapping vector and the historical feature mapping vector, a historical feature mapping vector with the maximum similarity with the predicted feature mapping vector is selected, historical attack data corresponding to the historical feature mapping vector is selected as predicted attack data, and the predicted attack data is used as a network attack prediction result. In some embodiments, a similarity threshold may be set, historical feature mapping vectors with similarity greater than the similarity threshold may be screened, and then a plurality of screened historical feature mapping vectors may be secondarily screened to finally obtain the predicted attack data.
It can be understood that the historical feature mapping vector is a vector formed by a large amount of historical attack data, and the historical attack data can be obtained by summarizing the historical attack data. In some embodiments, the historical attack data may be stored in a historical attack database, or other database, to which embodiments of the present application are not particularly limited.
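The construction and screening described above (steps S107 and S108) can be sketched as follows; this is an added example, not code from the patent. It assumes cosine similarity as the similarity measure, a top-k cut as the secondary screening, and 0.6/0.4 as the allocation ratios; the function names and the history entries are hypothetical and constructed.

```python
import math


def fuse(first, second, w_first=0.6, w_second=0.4):
    """Step S107: weighted sum of the first and second feature mapping vectors."""
    if len(first) != len(second):
        raise ValueError("feature mapping vectors must have the same dimension")
    if not math.isclose(w_first + w_second, 1.0):
        raise ValueError("allocation ratios must sum to 1")
    return [w_first * a + w_second * b for a, b in zip(first, second)]


def cosine(u, v):
    """Cosine similarity (an assumed choice of similarity); 0.0 for a zero vector."""
    if len(u) != len(v):
        raise ValueError("vectors must have the same dimension")
    norm_u = math.sqrt(sum(x * x for x in u))
    norm_v = math.sqrt(sum(x * x for x in v))
    if norm_u == 0 or norm_v == 0:
        return 0.0
    return sum(a * b for a, b in zip(u, v)) / (norm_u * norm_v)


def screen(predicted, history, threshold=None, top_k=1):
    """Step S108: rank historical vectors by similarity to the predicted vector.

    history is a list of (attack_label, historical_feature_mapping_vector).
    Without a threshold the single most similar entry is returned. With a
    threshold, only entries whose similarity exceeds it survive, and the
    secondary screening (assumed here) keeps the top_k of those. An empty
    list means no historical attack is similar enough to predict.
    """
    scored = sorted(
        ((cosine(predicted, vec), label) for label, vec in history),
        key=lambda pair: pair[0],
        reverse=True,
    )
    if threshold is not None:
        scored = [pair for pair in scored if pair[0] > threshold]
    return [(label, sim) for sim, label in scored[:top_k]]


# Constructed sample data: labels and vectors are illustrative only.
HISTORY = [
    ("ssh-brute-force", [3.0, 2.0, 0.0]),
    ("dns-tunneling", [0.0, 0.0, 1.0]),
    ("port-scan", [1.0, 0.0, 0.0]),
    ("empty-record", [0.0, 0.0, 0.0]),
]

if __name__ == "__main__":
    predicted = fuse([1.0, 0.0, 0.0], [0.0, 1.0, 0.0])
    print("predicted vector:", predicted)
    print("best match:", screen(predicted, HISTORY))
    print("above 0.8:", screen(predicted, HISTORY, threshold=0.8, top_k=3))
```

Returning an empty list when nothing clears the threshold lets the caller distinguish "no prediction" from a weak nearest match.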
According to the network attack prediction method, the network attack prediction system, the electronic equipment and the storage medium, the network data map at the current moment can be obtained and vectorized to obtain the map embedding vector, and the process can be carried out through a common convolutional neural network or a first convolutional neural network or a second convolutional neural network. For example, RGB map conversion may be performed on all map embedded vectors according to the corresponding time points to obtain a network RGB map, and feature mapping processing may be performed on the network RGB map at the latest time to obtain a first feature mapping vector. And the network RGB image corresponding to each time point and one network RGB image corresponding to the adjacent time point can be subjected to optical flow image conversion to obtain a network optical flow image representing the change, and then the network optical flow image is subjected to feature mapping processing through a second convolutional neural network to obtain a second feature mapping vector, wherein the second feature mapping vector can represent the change trend of the network data image. The method and the device can combine the first feature mapping vector and the second feature mapping vector to construct the prediction feature, construct the prediction feature mapping vector, analyze the prediction feature mapping vector according to the historical feature mapping vector, screen out the prediction attack data aiming at the next moment of the current moment, and obtain the network attack prediction result. The method and the device can predict the change trend of the changed network data map and improve the accuracy of attack prediction at the next moment of the network data map.
Referring to fig. 4, in some embodiments, the network data map includes original triplet data, and step S102 includes, but is not limited to, steps S201 to S204:
Step S201, inputting the network data map into a preset convolutional neural network; wherein the convolutional neural network comprises: a dimension reduction layer, a convolution layer and an activation function layer;
Step S202, performing dimension reduction processing on the original triplet data through the dimension reduction layer and a preset dimension to obtain candidate triplet data;
Step S203, extracting features of the candidate triplet data through the convolution layer to obtain triplet feature information;
Step S204, performing nonlinear transformation on the triplet feature information through the activation function layer to obtain the map embedding vector.
In some embodiments, the network data map may be used as input to a pre-trained convolutional neural network for processing, where the convolutional neural network includes at least: a dimension reduction layer, a convolution layer and an activation function layer.
In some embodiments, the original triplet data can be subjected to dimension reduction processing through a dimension reduction layer and preset dimensions to obtain candidate triplet data, so that the dimensions of the features are reduced, and the calculation efficiency is improved.
It can be understood that feature extraction can be performed on candidate triplet data through a convolution layer to obtain triplet feature information so as to identify local features in a network data map and extract important information in the network data map.
In some embodiments, the triplet feature information can be subjected to nonlinear transformation through the activation function layer to obtain the map embedding vector of the network data map, improving the expressive power and robustness of the network data map representation.
Referring to fig. 5, the network data map may be input into a pre-trained convolutional neural network; specifically, the triplet data of the network data map may be input to the convolutional neural network. Taking 6-dimensional vectors as an example, that is, the initial vectors of the head entity vector, relation vector and tail entity vector are all 6×1: if the preset dimension is 3×2, the 6×1 initial vectors are converted into 3×2 dimension-reduced vectors by the dimension reduction layer, yielding the candidate triplet data. It can be appreciated that performing dimension reduction on the initial vectors greatly reduces the computational complexity, so that analysis of the network data map and reasoning over its relationships can be performed efficiently.
In some embodiments, feature extraction may be performed on the candidate triplet data by the convolution layer. Illustratively, the extracted features may be 2×2 feature vectors. Further, the triplet feature information can be subjected to nonlinear transformation through the activation function layer (the ReLU layer in the corresponding figure), and the map embedding vector is then obtained through a fully connected layer, so that more feature information is extracted and the relationship patterns among the triplet data are better expressed. In some embodiments, the candidate embedding vector may also be obtained by normalization through a Softmax layer. Finally, the predicted attack data is selected through a triplet scoring function. In some embodiments, the triplet scoring function may be a cosine similarity function, a euclidean distance function, a manhattan distance function, a dimension square function, and so forth.
Referring to fig. 6, in some embodiments, after inputting the network data map to the preset convolutional neural network, training the convolutional neural network is further included, and the training process includes, but is not limited to, steps S301 to S302:
Step S301, inputting the map embedding vector into a linear transformation evaluation model for linear transformation evaluation to obtain linear transformation evaluation data;
Step S302, training a convolutional neural network according to the linear transformation evaluation data.
In some embodiments, linear transformation evaluation data may be obtained by evaluating the map embedding vector, that is, a scoring result is obtained by scoring the map embedding vector. In some embodiments, the map embedding vector may be multiplied by a weight matrix to obtain the linear transformation evaluation data, which is not particularly limited in embodiments of the present application.
In some embodiments, the model parameters of the convolutional neural network may be updated by backpropagation of the scoring results, optimizing the model parameters and improving the performance of the convolutional neural network.
Referring to fig. 7, in some embodiments, step S301 includes, but is not limited to, steps S401 to S403:
Step S401, multiplying the map embedding vector by the filtering parameter of the linear transformation evaluation model, and adding the obtained product to a first bias to obtain a first map embedding vector;
Step S402, activating the first map embedding vector through an activation function, and then adding a second bias to obtain a second map embedding vector;
Step S403, multiplying the second map embedding vector by the linear operation coefficient of the linear transformation evaluation model to obtain the linear transformation evaluation data.
In some embodiments, the map embedding vector may be scored by the linear transformation evaluation model to obtain a scoring result, i.e., the linear transformation evaluation data. Illustratively, the scoring function of the linear transformation evaluation model is as follows:
$$\mathrm{score}_1(h, r, t) = \left[\mathrm{concat}\left(\sigma\left(\omega\,[e_h; e_r; e_t] + b_1\right)\right) + b_2\right] \cdot f$$
wherein $e_h$ represents the head entity vector, $e_r$ represents the relation vector, $e_t$ represents the tail entity vector, $\omega$ is a set of filters for 3D convolution, $\sigma$ is an activation function, $b_1$ represents the first bias, $b_2$ represents the second bias, concat represents the concatenation operator, and $f$ is the linear operation coefficient in the fully connected layer.
It will be appreciated that the first bias and the second bias adjust the relationship between the map embedding vector and the filtering parameters of the linear transformation evaluation model, so that a better map embedding vector is obtained after the linear transformation and the activation function are applied.
It can be understood that the map embedding vector is multiplied by the filtering parameters of the linear transformation evaluation model and, combined with the adjustment of the first bias and the second bias, yields the map embedding vector processed by the linear transformation and the activation function. Multiplying this vector by the linear operation coefficient of the linear transformation evaluation model gives the linear transformation evaluation data. The convolutional neural network is thereby evaluated, an evaluation value is obtained, and the parameters of the convolutional neural network are updated according to the evaluation value.
Referring to fig. 8, in some embodiments, step S103 includes, but is not limited to, steps S501 to S503:
Step S501, normalizing the map embedding vectors corresponding to each time point to obtain candidate embedding vectors;
Step S502, multiplying the candidate embedding vectors by a preset color intensity value to obtain target embedding vectors;
Step S503, constructing the network RGB map according to the target embedding vectors and the preset pixel color values.
In some embodiments, RGB map conversion may be performed on the map embedding vectors corresponding to each time point to obtain a network RGB map. Specifically, the map embedding vectors are normalized so that the values of all head entity vectors, relation vectors and tail entity vectors are mapped into the interval [0,1], and all vectors are then multiplied by the scalar 255 (255 is the maximum color intensity of the network RGB map), so that all head entity vectors, relation vectors and tail entity vectors fall within the numerical range specified by the network RGB map, yielding the target embedding vectors.
In some embodiments, the modulus of the triplet vectors contained in each target embedding vector is taken as the color of a pixel, and the pixels are arranged to obtain a network RGB map of fixed size; that is, the modulus of the head entity vector, the modulus of the relation vector and the modulus of the tail entity vector in the triplet are taken as the colors of the pixel. In some embodiments, the pixels may be arranged from left to right and from top to bottom to obtain the network RGB map.
It can be understood that normalizing and scaling the map embedding vectors maps them into the numerical range specified by the network RGB map, yielding the target embedding vectors; taking the moduli of the triplet vectors as pixel colors and arranging the pixels in a fixed order then generates the network RGB map, which intuitively displays the connections and interactions between the relationships and entities in the map. The network RGB map thus helps in understanding and analyzing the information in the map, facilitating further data processing and application.
Referring to fig. 9, in some embodiments, step S501 includes, but is not limited to, steps S601 to S606:
Step S601, obtaining a plurality of map embedding vectors corresponding to each time point; wherein each map embedding vector comprises: a head entity vector, a relation vector, and a tail entity vector;
Step S602, sorting the map embedding vectors to obtain the extreme values of the plurality of head entity vectors, the plurality of relation vectors and the plurality of tail entity vectors; wherein the extreme values include a maximum value and a minimum value;
Step S603, obtaining a target vector; wherein the target vector is a map embedding vector which needs to be normalized;
Step S604, subtracting the minimum value corresponding to the head entity vectors from the head entity vector of the target vector to obtain a head entity reference value; subtracting the minimum value corresponding to the relation vectors from the relation vector to obtain a relation reference value; subtracting the minimum value corresponding to the tail entity vectors from the tail entity vector to obtain a tail entity reference value;
Step S605, dividing the head entity reference value by the difference between the maximum value and the minimum value corresponding to the head entity vectors to obtain a normalized head entity vector; dividing the relation reference value by the difference between the maximum value and the minimum value corresponding to the relation vectors to obtain a normalized relation vector; dividing the tail entity reference value by the difference between the maximum value and the minimum value corresponding to the tail entity vectors to obtain a normalized tail entity vector;
Step S606, obtaining the candidate embedding vector according to the normalized head entity vector, the normalized relation vector and the normalized tail entity vector.
In some embodiments, the calculation formula of the normalized head entity vector is:
wherein $e_{h1}$ represents the normalized head entity vector, $e_h$ represents the head entity vector of the target vector, $a_h$ represents the maximum value of the head entity in all map embedding vectors, and $b_h$ represents the minimum value of the head entity in all map embedding vectors.
The calculation formula of the normalized relation vector is as follows:
wherein $e_{r1}$ represents the normalized relation vector, $e_r$ represents the relation vector of the target vector, $a_r$ represents the maximum value of the relation in all map embedding vectors, and $b_r$ represents the minimum value of the relation in all map embedding vectors.
The calculation formula of the normalized tail entity vector is as follows:
wherein $e_{t1}$ represents the normalized tail entity vector, $e_t$ represents the tail entity vector of the target vector, $a_t$ represents the maximum value of the tail entity in all map embedding vectors, and $b_t$ represents the minimum value of the tail entity in all map embedding vectors.
In some embodiments, the final candidate embedding vector is represented as $(e_{h1}, e_{r1}, e_{t1})$. It can be understood that normalizing the map embedding vectors to obtain the candidate embedding vectors helps improve the efficiency of data processing and of further data application.
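Steps S501 to S503 and S601 to S606 carried through on a small input, as an added example that is not code from the patent. Assumptions: the extreme values are taken over every component of a role's vectors, head/relation/tail moduli map to the R/G/B channels, each modulus is divided by the square root of the dimension so it stays within 0 to 255, unused pixels are padded with black, and all function names and sample triples are hypothetical and constructed.

```python
import math


def extremes(vectors):
    """Step S602: maximum a and minimum b over every component of one role's vectors."""
    flat = [x for vec in vectors for x in vec]
    return max(flat), min(flat)


def normalize(vec, hi, lo):
    """Steps S604-S605: (e - b) / (a - b), mapping each component into [0, 1]."""
    span = hi - lo
    if span == 0:
        # Degenerate role (every component equal): avoid division by zero.
        return [0.0] * len(vec)
    return [(x - lo) / span for x in vec]


def channel(vec, intensity=255):
    """Steps S502-S503: scale by the color intensity, then reduce to one color value.

    The modulus of a d-dimensional vector with components in [0, 255] can reach
    255 * sqrt(d), so it is divided by sqrt(d) here (an assumption; the
    description does not say how the modulus is kept inside the 8-bit range).
    """
    scaled = [intensity * x for x in vec]
    rms = math.sqrt(sum(x * x for x in scaled) / len(scaled))
    return min(intensity, round(rms))


def to_rgb_map(triples, width, height, intensity=255):
    """Build a fixed-size network RGB map from (head, relation, tail) vectors.

    One triple becomes one pixel; pixels are laid out left to right, top to
    bottom. Extra triples are dropped and missing pixels are black (assumed).
    """
    if not triples:
        raise ValueError("at least one triple is required")
    roles = list(zip(*triples))                 # (heads, relations, tails)
    bounds = [extremes(role) for role in roles]  # one (max, min) per role
    pixels = [
        tuple(channel(normalize(vec, hi, lo), intensity)
              for vec, (hi, lo) in zip(triple, bounds))
        for triple in triples
    ]
    capacity = width * height
    pixels = pixels[:capacity] + [(0, 0, 0)] * max(0, capacity - len(pixels))
    return [pixels[row * width:(row + 1) * width] for row in range(height)]


# Constructed sample: three triples of 2-dimensional embedding vectors.
CONSTRUCTED_TRIPLES = [
    ([0.0, 1.0], [1.0, 3.0], [-1.0, 1.0]),
    ([1.0, 1.0], [0.0, 4.0], [1.0, 1.0]),
    ([0.0, 0.0], [4.0, 4.0], [-1.0, -1.0]),
]

if __name__ == "__main__":
    for row in to_rgb_map(CONSTRUCTED_TRIPLES, width=2, height=2):
        print(row)
```

Because the extreme values are recomputed from whatever vectors are passed in, maps built at different time points are only comparable if the same bounds are used for all of them.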
Referring to fig. 10, in some embodiments, step S105 includes, but is not limited to, steps S701 to S706:
Step S701, obtaining the network RGB map of each time point and the adjacent network RGB map corresponding to the previous time point adjacent to each time point;
Step S702, performing a weighted average of the pixel values in the network RGB map to obtain a first grayscale image;
Step S703, performing a weighted average of the pixel values in the adjacent network RGB map to obtain a second grayscale image;
Step S704, performing optical flow calculation on the first grayscale image and the second grayscale image using the Farneback algorithm to obtain a first optical flow feature vector and a second optical flow feature vector;
Step S705, combining the first optical flow feature vector and the second optical flow feature vector to form an initial optical flow graph;
Step S706, color coding the initial optical flow graph to obtain the network optical flow graph.
For example, if three time points are arranged in sequence on the time main line, namely 12:15, 12:16 and 12:17, and the network RGB maps corresponding to the time points are map 1, map 2 and map 3 respectively, then no calculation is performed for map 1, since it has no adjacent previous time point. For map 2, the network RGB map of the adjacent previous time point, namely map 1, is acquired; for map 3, the network RGB map of the adjacent previous time point, namely map 2, is acquired. The calculation finally yields 2 network optical flow graphs.
For example, if one time point is called time A, and the time point adjacent to time A is called time B, the pixel values of the network RGB map corresponding to time A may be weighted-averaged to obtain the first grayscale image, and the pixel values of the adjacent network RGB map at time B may be weighted-averaged to obtain the second grayscale image. Specifically, the network RGB map may be read with an image processing library or the image processing functions of a programming language to obtain the pixels of the network RGB map.
It is understood that the Farneback algorithm is an optical flow algorithm for calculating the motion of an image, and optical flow is a representation describing the motion direction and speed of the pixels at each time point in the network RGB map.
Illustratively, let the first grayscale image be the grayscale image corresponding to time A, denoted L1, and the second grayscale image be the grayscale image corresponding to time B, denoted L2. The optical flow calculation on the first and second grayscale images using the Farneback algorithm proceeds as follows: first, an original feature point, such as a corner point or an edge point, is selected in L1; then the corresponding point of the original feature point is found in the image L2 as the adjacent feature point, i.e., a point at the same position as the original feature point in L1 is found in L2.
In some embodiments, by comparing the pixel value changes of the two feature points, the displacement vector of the original feature point is calculated using the Farneback algorithm as the first optical flow feature vector, which may represent the movement direction and speed of the original feature point from time A to time B.
Likewise, the displacement vector of the adjacent feature point may be calculated using the Farneback algorithm as the second optical flow feature vector, which may represent the movement direction and speed of the adjacent feature point from time B to time A.
It will be appreciated that optical flow calculation on two successive grayscale images by the Farneback algorithm yields a series of optical flow feature vectors that can be used to analyze and understand the motion in the network RGB map.
In some embodiments, two optical flow vector fields may be derived from the first optical flow feature vector and the second optical flow feature vector, the optical flow vector fields representing the displacements of pixels between adjacent frames. Further, combining the two optical flow vector fields results in an initial optical flow graph that can be used to display the direction and speed of movement of objects in the image.
In some embodiments, the initial optical flow graph may be color coded to yield the network optical flow graph. Specifically, each pixel in the optical flow graph can be colored according to its movement direction and speed, so that the movement of an object can be observed more intuitively. It will be appreciated that the network optical flow graph may be used to better characterize and understand the motion of an object.
Referring to fig. 11, in some embodiments, step S107 includes, but is not limited to, steps S801 to S802:
Step S801, selecting a first allocation proportion corresponding to the first feature mapping vector and a second allocation proportion corresponding to the second feature mapping vector; wherein the sum of the first allocation proportion and the second allocation proportion is 1;
Step S802, adding the product of the first feature mapping vector and the first allocation proportion to the product of the second feature mapping vector and the second allocation proportion to obtain a predicted feature mapping vector.
In some embodiments, because the first feature map vector and the second feature map vector differ in structure, the characterized vector features are not the same, and therefore, the weights assigned by the first feature map vector and the second feature map vector are not the same when constructing the predicted feature map vector from the first feature map vector and the second feature map vector.
In some embodiments, a first allocation proportion, such as 60%, may be empirically preset for the first feature map vector, and a second allocation proportion, for example 40%, may be preset for the second feature map vector. It can be appreciated that the change of the first feature map vector at the next moment is ultimately predicted according to the motion law and the change law characterized by the second feature map vector, so the first allocation proportion can be set larger than the second allocation proportion. The first and second allocation proportions may also be set to 65% and 35%, etc., and may be set as desired. The sum of the first allocation proportion and the second allocation proportion is 1 in order to ensure the correctness of the weighting result.
In some embodiments, the product of the first feature map vector and the first allocation proportion may be added to the product of the second feature map vector and the second allocation proportion to obtain the predicted feature map vector. Specifically, if the first feature map vector is denoted by $e_1$ with a first allocation proportion of 60%, and the second feature map vector is denoted by $e_2$ with a second allocation proportion of 40%, the predicted feature map vector $e_{pre}$ is calculated as follows:
$e_{pre} = e_1 \times 60\% + e_2 \times 40\%$
It can be understood that by means of feature selection and weight distribution, more accurate and reasonable prediction feature vectors can be calculated, and prediction accuracy and prediction effect are improved.
Referring to fig. 12, in some embodiments, after obtaining the predicted feature map vector, the method further includes, but is not limited to, steps S901 to S902:
Step S901, analyzing the predicted feature mapping vector to obtain a prediction analysis result;
Step S902, adjusting the first allocation proportion and the second allocation proportion according to the prediction analysis result, and constructing again the predicted feature mapping vector corresponding to the first feature mapping vector and the second feature mapping vector.
In some embodiments, to ensure accuracy of the prediction feature mapping vector, the prediction feature vector may be analyzed to obtain a prediction analysis result. In particular, the analysis may be performed by a semantic recognition model or other machine learning model, or by the user himself or herself, etc.
In some embodiments, whether the predicted feature mapping vector meets a preset requirement may be determined according to the prediction analysis result. If it meets the preset requirement, the calculation of the predicted feature mapping vector is reasonable and no adjustment is needed; if it does not meet the preset requirement, the first allocation proportion and the second allocation proportion can be adjusted. In general, the first allocation proportion can be adjusted up and the second allocation proportion adjusted down appropriately; alternatively, the first allocation proportion can be adjusted down and the second allocation proportion adjusted up. The specific adjustment is determined according to the prediction analysis result.
Referring to fig. 13, in some embodiments, step S108 includes, but is not limited to, steps S1001 to S1003:
Step S1001, carrying out similarity calculation according to the predicted feature mapping vector and the historical feature mapping vector to obtain vector similarity;
Step S1002, obtaining the maximum value of the vector similarity to obtain the maximum similarity;
Step S1003, using the historical attack data corresponding to the maximum similarity as predicted attack data.
In some embodiments, cosine similarity or Euclidean distance may be used to calculate the similarity between the predicted feature map vector and the plurality of historical feature map vectors, obtaining a plurality of vector similarities.
In some embodiments, the maximum value of the vector similarity may be selected to obtain the maximum similarity, and the historical attack data corresponding to the historical feature mapping vector of the maximum similarity is used as the predicted attack data.
In some embodiments, a similarity threshold may be set to filter predictive attack data. For example, the similarity threshold may be set to be 85%, and if the calculated similarity between the predicted feature mapping vector and the No. 1 historical feature mapping vector is 40%, the calculated similarity between the predicted feature mapping vector and the No. 2 historical feature mapping vector is 98%, the calculated similarity between the predicted feature mapping vector and the No. 3 historical feature mapping vector is 68%, and the calculated similarity between the predicted feature mapping vector and the No. 4 historical feature mapping vector is 92%, then the No. 2 historical attack data and the No. 4 historical attack data corresponding to the No. 2 historical feature mapping vector and the No. 4 historical feature mapping vector may be screened out as the predicted attack data.
Referring to fig. 14, in some embodiments, step S1001 includes, but is not limited to, steps S1101 to S1104:
Step S1101, multiplying the predicted feature mapping vector and the historical feature mapping vector to obtain a first product;
Step S1102, taking the modulus of the predicted feature mapping vector as a first vector modulus, and taking the modulus of the historical feature mapping vector as a second vector modulus;
Step S1103, multiplying the first vector modulus and the second vector modulus to obtain a second product;
Step S1104, dividing the first product by the second product to obtain the vector similarity.
In some embodiments, the similarity is calculated as follows:
$S(e, e_0) = \dfrac{e \cdot e_0}{|e| \times |e_0|}$
where $S(e, e_0)$ represents the similarity of the predicted feature map vector and the historical feature map vector, $e$ represents the predicted feature map vector, $e_0$ represents the historical feature map vector, $e \cdot e_0$ represents the dot product of the predicted feature map vector and the historical feature map vector, $|e|$ represents the modulus of the predicted feature map vector, and $|e_0|$ represents the modulus of the historical feature map vector.
Specifically, a first product may be obtained by multiplying the predicted feature mapping vector and the historical feature mapping vector, then taking a modulus value of the predicted feature mapping vector as a first vector modulus value, taking a modulus value of the historical feature mapping vector as a second vector modulus value, multiplying the first vector modulus value and the second vector modulus value to obtain a second product, and finally dividing the first product by the second product to obtain a vector similarity, thereby performing screening of the predicted feature mapping vector according to the similarity.
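The weighted construction of steps S801 to S802 and the similarity screening of steps S1001 to S1003 and S1101 to S1104 can be run end to end as follows. This is an added illustration, not code from the application: the function names, the four-dimensional vectors and the record labels are constructed for the example, while the 60%/40% proportions and the 85% threshold are the values the description uses.

```python
import math
from typing import Dict, List, Sequence, Tuple

Vector = Sequence[float]


def fuse(e1: Vector, e2: Vector, w1: float = 0.6, w2: float = 0.4) -> List[float]:
    """Steps S801-S802: e_pre = e1 * w1 + e2 * w2, where w1 + w2 = 1."""
    if len(e1) != len(e2):
        raise ValueError("feature mapping vectors must have the same length")
    if w1 < 0 or w2 < 0 or not math.isclose(w1 + w2, 1.0, abs_tol=1e-9):
        raise ValueError("allocation proportions must be non-negative and sum to 1")
    return [a * w1 + b * w2 for a, b in zip(e1, e2)]


def cosine_similarity(e: Vector, e0: Vector) -> float:
    """Steps S1101-S1104: S(e, e0) = (e . e0) / (|e| * |e0|)."""
    if len(e) != len(e0):
        raise ValueError("vectors must have the same length")
    first_product = sum(a * b for a, b in zip(e, e0))            # S1101
    modulus_e = math.sqrt(sum(a * a for a in e))                 # S1102
    modulus_e0 = math.sqrt(sum(b * b for b in e0))               # S1102
    second_product = modulus_e * modulus_e0                      # S1103
    if second_product == 0.0:
        # A zero vector has no direction; treat it as matching nothing
        # instead of dividing by zero.
        return 0.0
    return first_product / second_product                        # S1104


def screen(e_pre: Vector, history: Dict[str, Vector],
           threshold: float = 0.85) -> Tuple[str, Dict[str, float], List[str]]:
    """Steps S1001-S1003 plus the optional similarity threshold.

    Returns the label with the maximum similarity, every score, and the
    labels whose similarity is greater than the threshold (best first).
    """
    if not history:
        raise ValueError("no historical feature mapping vectors to compare against")
    scores = {label: cosine_similarity(e_pre, vec) for label, vec in history.items()}
    best = max(scores, key=scores.get)
    above = sorted((label for label, s in scores.items() if s > threshold),
                   key=scores.get, reverse=True)
    return best, scores, above


def run_example() -> Tuple[List[float], str, Dict[str, float], List[str]]:
    # Constructed sample data: e1 stands in for the first (static) feature
    # mapping vector, e2 for the second (optical flow) feature mapping vector.
    e1 = [0.9, 0.1, 0.4, 0.0]
    e2 = [0.5, 0.6, 0.0, 0.2]
    # Constructed historical feature mapping vectors, labelled like the
    # numbered records in the description.
    history = {
        "No. 1": [0.0, 0.1, 0.2, 0.9],
        "No. 2": [0.7, 0.3, 0.3, 0.1],
        "No. 3": [0.2, 0.8, 0.1, 0.3],
        "No. 4": [0.8, 0.2, 0.5, 0.2],
    }
    e_pre = fuse(e1, e2, 0.6, 0.4)
    best, scores, above = screen(e_pre, history, threshold=0.85)
    return e_pre, best, scores, above


if __name__ == "__main__":
    e_pre, best, scores, above = run_example()
    print("e_pre =", [round(x, 2) for x in e_pre])
    for label, s in scores.items():
        print(f"{label}: {s:.1%}")
    print("maximum similarity:", best, "| above threshold:", above)
```

With these constructed vectors, records No. 2 and No. 4 exceed the 85% threshold and No. 2 has the maximum similarity, mirroring the shape of the screening example in the description.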
Referring to fig. 15, in some embodiments, the network attack prediction method further includes, but is not limited to, steps S1201 to S1202:
Step S1201, acquiring map size information of a network data map;
Step S1202, setting the structure of a convolutional neural network according to the map size information; the convolutional neural network comprises a first convolutional neural network and a second convolutional neural network; the lengths of the first convolutional neural network and the second convolutional neural network are equal; the first convolutional neural network is used for acquiring a network RGB map corresponding to the current moment, and performing feature mapping processing on the network RGB map to obtain a first feature mapping vector; and the second convolutional neural network is used for performing feature mapping processing on the network optical flow graph to obtain a second feature mapping vector.
In some embodiments, map size information of the network data map may be obtained, and the structure of the convolutional neural network may be adjusted based on the size information of the network data map. It will be appreciated that the lengths of the first convolutional neural network and the second convolutional neural network are the same, as both are extracted from the network data map at the same point in time. The first convolutional neural network may be a static information flow convolutional neural network, configured to obtain the network RGB map corresponding to the current moment and perform feature mapping processing on it to obtain a first feature mapping vector. The second convolutional neural network may be a space-time flow convolutional neural network: after optical flow map conversion is performed on the network RGB map at each moment and at least one adjacent network RGB map to obtain a network optical flow graph, the second convolutional neural network performs feature mapping processing on the network optical flow graph to obtain a second feature mapping vector. In some embodiments, the first convolutional neural network and the second convolutional neural network may each vectorize the network data map to obtain a map embedding vector.
Referring to fig. 16, in some embodiments, the network attack prediction method further includes, but is not limited to, steps S1301 to S1304:
Step S1301, acquiring network monitoring update data at each moment;
Step S1302, updating the corresponding network data map according to the network monitoring update data to obtain an update data map;
Step S1303, obtaining update size information of the update data map;
Step S1304, updating the structure of the convolutional neural network at the corresponding moment according to the update size information.
It can be understood that the network data may be network traffic, connection status, abnormal attack, etc., and the network data is updated in real time, so that new network data may continuously appear, or network data missing at a historical time point is detected, so that a corresponding network data map may be updated according to the time point at which the network data appears, an updated data map may be obtained, and the structure of the convolutional neural network may be updated at a corresponding time according to the size information of the updated data map.
For example, suppose the network data was previously detected at time points A, B, C and D, and the detected network data maps were embedded into the convolutional neural network in the order of those time points. If later monitoring finds new network monitoring update data that corresponds to time point B, a corresponding update data map can be obtained from the network monitoring update data, and the size of the update data map can be calculated.
It will be appreciated that if the size of the update data map is smaller than the size of the convolutional neural network, the update data map can be embedded directly at the aligned position of time point B without adjusting the convolutional neural network.
Further, if the size of the update data map is larger than the size of the convolutional neural network, the structure of the convolutional neural network is adjusted, for example by adjusting its space size, and the update data map is embedded into the space corresponding to time point B in the convolutional neural network. It can be appreciated that embedding the update data map into the existing convolutional neural network can ensure the integrity of the network data and improve the accuracy of the prediction.
Referring to fig. 17, the embodiment of the present application further provides a network attack prediction system, which may implement the above network attack prediction method, where the network attack prediction system includes:
a data acquisition module 1701, configured to acquire a network data map at each time point and a historical feature mapping vector of each network data map; the network data map is constructed by historical network monitoring data generated at each moment of the history, and the historical network monitoring data comprises historical attack data;
The spectrum embedding vector acquisition module 1702 is configured to perform vectorization processing on a network data spectrum to obtain a spectrum embedding vector;
the network RGB diagram acquiring module 1703 is configured to perform RGB diagram conversion on the map embedding vectors corresponding to each time point to obtain a network RGB diagram;
the first feature mapping vector obtaining module 1704 is configured to obtain a network RGB diagram corresponding to the current time point, and perform feature mapping processing on the network RGB diagram to obtain a first feature mapping vector;
the network optical flow diagram obtaining module 1705 is configured to perform optical flow diagram conversion on the network RGB diagram at each time point and one network RGB diagram corresponding to the adjacent previous time point, so as to obtain a network optical flow diagram;
the second feature mapping vector obtaining module 1706 is configured to perform feature mapping processing on the network optical flow graph to obtain a second feature mapping vector;
a predicted feature map vector construction module 1707, configured to construct a predicted feature map vector according to the first feature map vector and the second feature map vector;
and the network attack prediction result obtaining module 1708 is configured to screen out predicted attack data from the historical attack data according to the predicted feature mapping vector and the historical feature mapping vector, so as to obtain a network attack prediction result.
In some embodiments, the network data map may be an MDATA graph (intelligent data graph), or may be another data graph, a social graph, and the like. The embodiments of the present application are mainly described around MDATA graphs, but the application range of the network attack prediction method of the present application is not limited to MDATA graphs. It can be appreciated that a time main line can be constructed, and corresponding network data can be acquired in the order of the time points, where the network data can be alarm logs, detection data, attack data and the like.
Referring to fig. 3-a and 3-b, fig. 3-a is a schematic diagram of a knowledge graph and fig. 3-b is a schematic diagram of an MDATA graph. It can be understood from the graph that the knowledge graph can only simply represent the relationship between the entities, and the MDATA graph can not only represent the relationship between the entities, but also represent the attribute of the entities and the relationship between the entities and the attribute, and the MDATA graph also has the dynamics and the expandability, so that the attack change prediction analysis can be performed on the network data through the MDATA graph.
For example, a network data map may be constructed from the network data. First, the network data is subjected to data cleansing, including removal of duplicate data, processing of missing values, correction of data formats, and the like. When the network data carries sensitive information, the sensitive information can be desensitized to ensure the security of the data. Second, entity identification and relation extraction can be carried out on the cleaned data, extracting the entities (an attacker and an attacked party, a source network address and a destination network address, an attack means and the like) and the relations between entities in the data. Natural language processing (NLP) techniques may be used to assist the extraction of entities and relations. Finally, the network data map can be constructed and visually displayed by taking the entities as nodes and the relations as edges.
In some embodiments, static knowledge composed of triplet knowledge in a network data map, that is, static knowledge composed of entities (including a head entity and a tail entity) and relations, may be extracted according to a time point, and embedded into a vector space through a convolutional neural network to perform vectorization processing, so as to obtain a map-embedded vector, so that the effect of network attack prediction is improved through the map-embedded vector.
It will be appreciated that in general each time point corresponds to one network data map, and in some specific cases each time point may correspond to a plurality of network data maps; this application takes one network data map per time point as an example. In some embodiments, the map embedding vectors corresponding to each time point may be subjected to RGB map conversion to obtain a network RGB map; in other words, RGB map conversion is performed on all map embedding vectors to obtain network RGB maps. The network RGB map is a vector map with color features, which can be understood as an RGB map or an RGB vector map. Specifically, the map embedding vectors are normalized so that the values of all head entity vectors, relation vectors and tail entity vectors are mapped into the numerical interval [0,1], and all vectors are then multiplied by the scalar 255 (255 is the maximum color intensity of the network RGB map), so that all head entity vectors, relation vectors and tail entity vectors are converted into the numerical range specified by the network RGB map. In some embodiments, the modulus of the triplet vector included in each map embedding vector is taken as the color of a pixel, and the pixels are arranged to obtain a network RGB map of fixed size.
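The normalization, scaling by 255 and fixed-size pixel arrangement described above can be sketched as follows. This is an added illustration, not code from the application, and it rests on one reading of the text that is an assumption: each (head, relation, tail) triplet becomes one pixel whose R, G and B channels are the moduli of the three vectors, min-max normalized over the whole map, with unused pixels left black. The function name and sample triplets are constructed for the example.

```python
import math
from typing import List, Sequence, Tuple

# One embedded triplet: (head entity vector, relation vector, tail entity vector)
Triple = Tuple[Sequence[float], Sequence[float], Sequence[float]]
Pixel = Tuple[int, int, int]


def _modulus(v: Sequence[float]) -> float:
    return math.sqrt(sum(x * x for x in v))


def triples_to_rgb(triples: Sequence[Triple], width: int, height: int) -> List[List[Pixel]]:
    """Convert embedded triplets into a fixed-size RGB image (rows of pixels).

    Assumed mapping: R = |head|, G = |relation|, B = |tail|, min-max
    normalized to [0, 1] across the whole map and then multiplied by 255.
    """
    if width <= 0 or height <= 0:
        raise ValueError("image dimensions must be positive")
    if len(triples) > width * height:
        # The image size is fixed; refusing is safer than silently dropping
        # triplets, which would hide part of the monitored data.
        raise ValueError("more triplets than pixels in the fixed-size image")

    moduli = [(_modulus(h), _modulus(r), _modulus(t)) for h, r, t in triples]
    flat = [m for pixel in moduli for m in pixel]
    lowest = min(flat) if flat else 0.0
    span = (max(flat) - lowest) if flat else 0.0

    def to_intensity(m: float) -> int:
        if span == 0.0:
            return 0  # all moduli equal: no contrast to encode
        return round((m - lowest) / span * 255)

    pixels: List[Pixel] = [
        (to_intensity(r), to_intensity(g), to_intensity(b)) for r, g, b in moduli
    ]
    # Pad with black so every time point yields an image of the same size,
    # which the later frame-to-frame optical flow comparison relies on.
    pixels += [(0, 0, 0)] * (width * height - len(pixels))
    return [pixels[row * width:(row + 1) * width] for row in range(height)]


def sample_image() -> List[List[Pixel]]:
    # Constructed two-dimensional embeddings with easy-to-check moduli.
    triples = [
        ((0.0, 2.0), (0.0, 0.0), (6.0, 8.0)),   # moduli 2, 0, 10
        ((6.0, 8.0), (0.0, 4.0), (0.0, 2.0)),   # moduli 10, 4, 2
    ]
    return triples_to_rgb(triples, width=2, height=2)


if __name__ == "__main__":
    for row in sample_image():
        print(row)
```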
In some embodiments, the convolutional neural network comprises a first convolutional neural network (i.e., a static information flow convolutional neural network) and a second convolutional neural network (i.e., a space-time flow convolutional neural network). It can be understood that the first convolutional neural network may be used to vectorize the network data map to obtain a map embedding vector; after the map embedding vector is converted into a network RGB map, the network RGB map corresponding to the current moment is selected and input into the first convolutional neural network for feature mapping processing to obtain a first feature mapping vector. In some embodiments, the network data map may also be vectorized by the second convolutional neural network. In an embodiment of the present application, the second convolutional neural network is mainly configured to perform feature mapping processing on the network optical flow graph, which is obtained by converting the network RGB map at each moment and at least one adjacent network RGB map, to obtain a second feature mapping vector. It can be understood that the latest moment, the latest time point, the current moment and the current time point all refer to the same concept.
In some embodiments, the feature mapping process may be performed on the network RGB map at the current time (i.e., the latest time) selected from the network RGB maps at the multiple times, to obtain the first feature mapping vector. It can be appreciated that the obtained first feature mapping vector can be used for tasks such as classification, clustering, identification and the like of the network, so that the structure and the behavior of the network data map can be better analyzed.
In some embodiments, the network optical flow graph may be obtained by performing optical flow graph conversion on the network RGB map at each time point and the one network RGB map corresponding to the adjacent previous time point. For example, if the current time point is 12:15:01 and the adjacent moment (i.e., the previous time point) is selected according to a preset time point interval of 1 second (which can be set according to actual conditions), then, following the time main line, the adjacent moment is 12:15:00, and the network data maps corresponding to 12:15:01 and 12:15:00 are selected and processed to obtain a network optical flow graph. As another example, suppose there are 5 time points arranged in time order, each corresponding to one network RGB map, giving 5 network RGB maps numbered No. 1, No. 2, No. 3, No. 4 and No. 5. Performing optical flow graph conversion on the network RGB map at each moment and at least one adjacent network RGB map means converting No. 1 and No. 2, No. 2 and No. 3, No. 3 and No. 4, and No. 4 and No. 5, finally obtaining 4 network optical flow graphs. It can be understood that the network RGB map at the current moment and 2 or 3 network RGB maps at adjacent moments may also be converted together to obtain a network optical flow graph; for example, the No. 1, No. 2 and No. 3 network RGB maps are converted to obtain 1 network optical flow graph, which is not limited in this application.
It can be understood that a network optical flow graph converted from two or more network RGB maps captures the motion pattern and direction between the network RGB maps, so that network attack prediction can be performed more accurately according to this change information.
In some embodiments, the network optical flow graph may be input into the second convolutional neural network, whose fully-connected layer converts each feature map of the network optical flow graph into a specific output value, finally obtaining second feature mapping information of the network data map. That is, feature extraction is performed on the network optical flow graph through the second convolutional neural network to obtain a second feature mapping vector. It will be appreciated that the second feature information transforms the original network optical flow graph into a more representative and discriminative feature vector, thereby extracting richer information.
In some embodiments, the predictive feature map vector may be constructed from the first feature vector and the second feature vector. Specifically, the predictive feature mapping vector may be constructed by performing weighted average on the first feature vector and the second feature vector according to a preset allocation ratio, or directly adding the first feature vector and the second feature vector. It will be appreciated that the predicted feature map vector may represent a vector of changes at the next instant of prediction. It can be understood that the predicted feature mapping vector is obtained by construction, so that the feature information of the latest moment is obtained, and the change information is also obtained, and therefore, the network attack predicted vector of the next moment of the latest moment can be obtained.
In some embodiments, similarity calculation can be performed through the predicted feature mapping vector and the historical feature mapping vector, a historical feature mapping vector with the maximum similarity with the predicted feature mapping vector is selected, historical attack data corresponding to the historical feature mapping vector is selected as predicted attack data, and the predicted attack data is used as a network attack prediction result. In some embodiments, a similarity threshold may be set, historical feature mapping vectors with similarity greater than the similarity threshold may be screened, and then a plurality of screened historical feature mapping vectors may be secondarily screened to finally obtain the predicted attack data.
It can be understood that the historical feature mapping vector is a vector formed by a large amount of historical attack data, and the historical attack data can be obtained by summarizing the historical attack data. In some embodiments, the historical attack data may be stored in a historical attack database, or other database, to which embodiments of the present application are not particularly limited.
According to the network attack prediction method, the network attack prediction system, the electronic equipment and the storage medium, the network data map at the current moment can be obtained and vectorized to obtain the map embedding vector, and the process can be carried out through a common convolutional neural network or a first convolutional neural network or a second convolutional neural network. For example, RGB map conversion may be performed on all map embedded vectors according to the corresponding time points to obtain a network RGB map, and feature mapping processing may be performed on the network RGB map at the latest time to obtain a first feature mapping vector. And the network RGB image corresponding to each time point and one network RGB image corresponding to the adjacent time point can be subjected to optical flow image conversion to obtain a network optical flow image representing the change, and then the network optical flow image is subjected to feature mapping processing through a second convolutional neural network to obtain a second feature mapping vector, wherein the second feature mapping vector can represent the change trend of the network data image. The method and the device can combine the first feature mapping vector and the second feature mapping vector to construct the prediction feature, construct the prediction feature mapping vector, analyze the prediction feature mapping vector according to the historical feature mapping vector, screen out the prediction attack data aiming at the next moment of the current moment, and obtain the network attack prediction result. The method and the device can predict the change trend of the changed network data map and improve the accuracy of attack prediction at the next moment of the network data map.
The specific implementation of the network attack prediction system is basically the same as the specific embodiment of the network attack prediction method, and will not be described herein. On the premise of meeting the requirements of the embodiment of the application, the network attack prediction system can also be provided with other functional modules so as to realize the network attack prediction method in the embodiment.
The embodiment of the application also provides electronic equipment, which comprises a memory and a processor, wherein the memory stores a computer program, and the processor realizes the network attack prediction method when executing the computer program. The electronic equipment can be any intelligent terminal including a tablet personal computer, a vehicle-mounted computer and the like.
Referring to fig. 18, fig. 18 illustrates a hardware structure of an electronic device according to another embodiment, the electronic device includes:
the processor 1801 may be implemented by a general-purpose CPU (central processing unit), a microprocessor, an application-specific integrated circuit (Application Specific Integrated Circuit, ASIC), or one or more integrated circuits, etc., and is used for executing related programs to implement the technical solutions provided by the embodiments of the present application;
the memory 1802 may be implemented in the form of read-only memory (Read Only Memory, ROM), static storage, dynamic storage, or random access memory (Random Access Memory, RAM), among others. The memory 1802 may store an operating system and other application programs; when the technical solutions provided in the embodiments of the present application are implemented by software or firmware, the relevant program code is stored in the memory 1802 and is invoked by the processor 1801 to execute the network attack prediction method of the embodiments of the present application;
An input/output interface 1803 for implementing information input and output;
the communication interface 1804 is configured to implement communication interaction between the device and other devices, and may implement communication in a wired manner (e.g. USB, network cable, etc.), or may implement communication in a wireless manner (e.g. mobile network, WIFI, bluetooth, etc.);
a bus 1805 for transferring information between components of the device (e.g., processor 1801, memory 1802, input/output interfaces 1803, and communication interfaces 1804);
wherein the processor 1801, memory 1802, input/output interface 1803, and communication interface 1804 enable communication connection among each other within the device via bus 1805.
The embodiment of the application also provides a computer readable storage medium, wherein the computer readable storage medium stores a computer program, and the computer program realizes the network attack prediction method when being executed by a processor.
The memory, as a non-transitory computer readable storage medium, may be used to store non-transitory software programs as well as non-transitory computer executable programs. In addition, the memory may include high-speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory optionally includes memory remotely located relative to the processor, the remote memory being connectable to the processor through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The embodiments described in the present application are intended to describe the technical solutions of the embodiments of the present application more clearly and do not constitute a limitation on the technical solutions provided by the embodiments of the present application. Those skilled in the art will know that, with the evolution of technology and the appearance of new application scenarios, the technical solutions provided by the embodiments of the present application are equally applicable to similar technical problems.
It will be appreciated by those skilled in the art that the technical solutions shown in the figures do not constitute limitations of the embodiments of the present application, and may include more or fewer steps than shown, or may combine certain steps, or different steps.
The above described apparatus embodiments are merely illustrative, wherein the units illustrated as separate components may or may not be physically separate, i.e. may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
Those of ordinary skill in the art will appreciate that all or some of the steps of the methods, systems, functional modules/units in the devices disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof.
The terms "first," "second," "third," "fourth," and the like in the description of the present application and in the above-described figures, if any, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that embodiments of the present application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be understood that in this application, "at least one (item)" and "a number" mean one or more, and "a plurality" means two or more. "And/or" describes the association relationship of associated objects and indicates that three relationships may exist; for example, "A and/or B" may represent: only A is present, only B is present, or both A and B are present, wherein A and B may be singular or plural. The character "/" generally indicates that the associated objects before and after it are in an "or" relationship. "At least one of" or a similar expression means any combination of the listed items, including any combination of single items or plural items. For example, at least one of a, b or c may represent: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", wherein a, b and c may each be single or plural.
In the several embodiments provided in this application, it should be understood that the disclosed systems and methods may be implemented in other ways. For example, the system embodiments described above are merely illustrative, e.g., the division of the above elements is merely a logical functional division, and there may be additional divisions in actual implementation, e.g., multiple elements or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described above as separate components may or may not be physically separate, and components shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application, in essence or in whole or in part, may be embodied in the form of a software product stored in a storage medium, including multiple instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the methods of the various embodiments of the present application. The aforementioned storage medium includes: a U-disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing a program.
Preferred embodiments of the present application are described above with reference to the accompanying drawings, and thus do not limit the scope of the claims of the embodiments of the present application. Any modifications, equivalent substitutions and improvements made by those skilled in the art without departing from the scope and spirit of the embodiments of the present application shall fall within the scope of the claims of the embodiments of the present application.

Claims (16)

1. A method for predicting network attacks, the method comprising:
acquiring a network data map at each time point and a historical feature mapping vector of each network data map; the network data map is constructed by historical network monitoring data generated at each moment of the history, and the historical network monitoring data comprises historical attack data;
vectorizing the network data map to obtain a map embedding vector;
performing RGB image conversion on the map embedding vectors corresponding to the time points to obtain a network RGB image;
acquiring the network RGB image corresponding to the current time point, and performing feature mapping processing on the network RGB image to obtain a first feature mapping vector;
performing optical flow map conversion on the network RGB map of each time point and one network RGB map corresponding to the adjacent last time point to obtain a network optical flow map;
performing feature mapping processing on the network optical flow map to obtain a second feature mapping vector;
constructing a predicted feature mapping vector according to the first feature mapping vector and the second feature mapping vector;
and screening predicted attack data from the historical attack data according to the predicted feature mapping vector and the historical feature mapping vector to obtain a network attack predicted result.
2. The network attack prediction method according to claim 1, wherein the network data map includes original triplet data; the vectorizing the network data map to obtain a map embedding vector includes:
inputting the network data map into a preset convolutional neural network; wherein the convolutional neural network comprises: a dimension reduction layer, a convolution layer and an activation function layer;
performing dimension reduction processing on the original triplet data through the dimension reduction layer and preset dimensions to obtain candidate triplet data;
performing feature extraction on the candidate triplet data through the convolution layer to obtain triplet feature information;
and carrying out nonlinear transformation on the triplet feature information through the activation function layer to obtain the map embedding vector.
3. The network attack prediction method according to claim 2, further comprising, after the inputting the network data map to a preset convolutional neural network:
training the convolutional neural network specifically comprises:
inputting the map embedding vector to a linear transformation evaluation model for linear transformation evaluation to obtain linear transformation evaluation data;
and training the convolutional neural network according to the linear transformation evaluation data.
4. The network attack prediction method according to claim 3, wherein the inputting the map embedding vector to a linear transformation evaluation model for linear transformation evaluation to obtain linear transformation evaluation data includes:
multiplying the map embedding vector by the filtering parameter of the linear transformation evaluation model, and adding the obtained product to a first bias to obtain a first map embedding vector;
activating the first map embedding vector through an activation function, and adding the first map embedding vector to a second bias to obtain a second map embedding vector;
and multiplying the second map embedding vector by the linear operation coefficient of the linear transformation evaluation model to obtain the linear transformation evaluation data.
5. The network attack prediction method according to claim 1, wherein the performing RGB image conversion on the map embedding vectors corresponding to the time points to obtain a network RGB image includes:
normalizing the map embedding vectors corresponding to each time point to obtain candidate embedding vectors;
performing product operation according to a preset color intensity value and the candidate embedded vector to obtain a target embedded vector;
and constructing the network RGB map according to the target embedded vector and a preset pixel color value.
6. The network attack prediction method according to claim 5, wherein the normalizing the map embedding vectors corresponding to each time point to obtain candidate embedding vectors includes:
acquiring a plurality of map embedding vectors corresponding to each time point; wherein the map embedding vector comprises: a head entity vector, a relation vector, and a tail entity vector;
sorting the map embedding vectors to obtain the extreme values of the plurality of head entity vectors, the plurality of relation vectors and the plurality of tail entity vectors; wherein the extreme values comprise a maximum value and a minimum value;
obtaining a target vector; the first map vector is the map embedding vector which needs to be subjected to normalization processing;
subtracting the minimum value corresponding to the head entity vector from the head entity vector of the target vector to obtain a head entity reference value; subtracting the minimum value corresponding to the relation vector from the relation vector to obtain a relation reference value; subtracting the minimum value corresponding to the tail entity vector from the tail entity vector to obtain a tail entity reference value;
dividing the head entity reference value by the difference between the maximum value and the minimum value corresponding to the head entity vector to obtain a normalized head entity vector; dividing the relation reference value by the difference between the maximum value and the minimum value corresponding to the relation vector to obtain a normalized relation vector; dividing the tail entity reference value by the difference between the maximum value and the minimum value corresponding to the tail entity vector to obtain a normalized tail entity vector;
and obtaining candidate embedded vectors according to the normalized head entity vector, the normalized relation vector and the normalized tail entity vector.
7. The network attack prediction method according to claim 1, wherein the performing optical flow map conversion on the network RGB map at each time point and one network RGB map corresponding to an adjacent previous time point to obtain a network optical flow map includes:
acquiring the network RGB map of each time point and the adjacent network RGB map corresponding to the last time point adjacent to each time point;
carrying out weighted average on pixel values in the network RGB map to obtain a first gray image;
carrying out weighted average on pixel values in the adjacent network RGB map to obtain a second gray image;
performing optical flow calculation on the first gray image and the second gray image through a Fabry-Perot algorithm to obtain a first optical flow feature vector and a second optical flow feature vector;
combining the first optical flow feature vector and the second optical flow feature vector to form an initial optical flow map;
and performing color coding on the initial optical flow map to obtain the network optical flow map.
8. The network attack prediction method according to claim 1, wherein the constructing a predicted feature map vector from the first feature map vector and the second feature map vector includes:
selecting a first allocation proportion corresponding to the first feature mapping vector and a second allocation proportion corresponding to the second feature mapping vector; wherein the sum of the first allocation proportion and the second allocation proportion is 1;
and adding the product of the first feature mapping vector and the first allocation proportion to the product of the second feature mapping vector and the second allocation proportion to obtain a predicted feature mapping vector.
9. The network attack prediction method according to claim 8, wherein after obtaining the predicted feature map vector, further comprising:
analyzing the predicted feature mapping vector to obtain a prediction analysis result;
and according to the prediction analysis result, the first allocation proportion and the second allocation proportion are adjusted, and the prediction feature mapping vectors corresponding to the first feature mapping vector and the second feature mapping vector are built again.
10. The network attack prediction method according to claim 1, wherein the screening the predicted attack data from the historical attack data according to the predicted feature mapping vector and the historical feature mapping vector to obtain the network attack prediction result includes:
performing similarity calculation according to the predicted feature mapping vector and the historical feature mapping vector to obtain vector similarity;
obtaining the maximum value of the vector similarity to obtain the maximum similarity;
and taking the historical attack data corresponding to the maximum similarity as the predicted attack data.
11. The network attack prediction method according to claim 10, wherein the performing similarity calculation according to the predicted feature mapping vector and the historical feature mapping vector to obtain vector similarity comprises:
multiplying the predicted feature mapping vector and the historical feature mapping vector to obtain a first product;
taking the modulus value of the predicted feature mapping vector as a first vector modulus value; taking the modulus value of the historical feature mapping vector as a second vector modulus value;
multiplying the first vector modulus value and the second vector modulus value to obtain a second product;
and dividing the first product by the second product to obtain the vector similarity.
12. The network attack prediction method according to claim 2, wherein the method further comprises:
acquiring map size information of the network data map;
setting the structure of the convolutional neural network according to the map size information; the convolutional neural network comprises a first convolutional neural network and a second convolutional neural network; the lengths of the first convolutional neural network and the second convolutional neural network are equal; the first convolutional neural network is used for acquiring the network RGB image corresponding to the current moment, and performing feature mapping processing on the network RGB image to obtain a first feature mapping vector; and the second convolutional neural network is used for carrying out feature mapping processing on the network optical flow graph to obtain a second feature mapping vector.
13. The network attack prediction method according to claim 2 or 12, characterized in that the method further comprises:
acquiring network monitoring update data at each moment;
updating the corresponding network data map according to the network monitoring update data to obtain an update data map;
acquiring updated size information of the updated data map;
and updating the structure of the convolutional neural network at corresponding moments according to the updated size information.
14. A network attack prediction system, the system comprising:
the data acquisition module is used for acquiring a network data map at each time point and a historical feature mapping vector of each network data map; the network data map is constructed by historical network monitoring data generated at each moment of the history, and the historical network monitoring data comprises historical attack data;
the map embedding vector acquisition module is used for carrying out vectorization processing on the network data map to obtain a map embedding vector;
the network RGB image acquisition module is used for carrying out RGB image conversion on the map embedding vectors corresponding to the time points to obtain a network RGB image;
the first feature mapping vector acquisition module is used for acquiring the network RGB image corresponding to the current time point, and carrying out feature mapping processing on the network RGB image to obtain a first feature mapping vector;
the network optical flow map acquisition module is used for carrying out optical flow map conversion on the network RGB map of each time point and one network RGB map corresponding to the adjacent last time point to obtain a network optical flow map;
the second feature mapping vector acquisition module is used for carrying out feature mapping processing on the network optical flow map to obtain a second feature mapping vector;
the prediction feature mapping vector construction module is used for constructing a prediction feature mapping vector according to the first feature mapping vector and the second feature mapping vector;
and the network attack prediction result acquisition module is used for screening predicted attack data from the historical attack data according to the predicted feature mapping vector and the historical feature mapping vector to obtain a network attack prediction result.
15. An electronic device comprising a memory storing a computer program and a processor implementing the network attack prediction method according to any of claims 1 to 13 when the computer program is executed by the processor.
16. A computer readable storage medium storing a computer program, characterized in that the computer program when executed by a processor implements the network attack prediction method of any of claims 1 to 13.
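The arithmetic that claims 5-6 (min-max normalization into RGB pixels) and claims 8, 10 and 11 (weighted fusion, cosine similarity, maximum-similarity screening) spell out, as an added Python example that is not code from the patent or its applicants. The color intensity of 255, the head/relation/tail to R/G/B channel layout, the sample triples, the attack labels and the `min_similarity` guard are assumptions; the CNN feature mapping and optical flow steps are not reproduced, so the feature vectors are constructed by hand.

```python
import math

COLOR_INTENSITY = 255  # assumed value for the "preset color intensity value"

def minmax(vectors):
    """Claim 6: (x - min) / (max - min) over all values of one role."""
    flat = [x for vec in vectors for x in vec]
    lo, span = min(flat), max(flat) - min(flat)
    # The claim divides by (max - min) unconditionally; a role whose values
    # are all equal would divide by zero, so it is mapped to 0.0 here.
    return [[(x - lo) / span if span else 0.0 for x in vec] for vec in vectors]

def triples_to_rgb(triples):
    """Claims 5-6: one image row per triple, one pixel per embedding dimension.
    Assumed channel layout: head -> R, relation -> G, tail -> B."""
    heads, relations, tails = zip(*triples)
    channels = [minmax(role) for role in (heads, relations, tails)]
    return [[tuple(round(ch[i][j] * COLOR_INTENSITY) for ch in channels)
             for j in range(len(heads[i]))]
            for i in range(len(triples))]

def fuse(first, second, first_ratio):
    """Claim 8: weighted sum; the two allocation proportions sum to 1."""
    if not 0.0 <= first_ratio <= 1.0:
        raise ValueError("allocation proportion must lie in [0, 1]")
    if len(first) != len(second):
        raise ValueError("feature mapping vectors must have equal length")
    second_ratio = 1.0 - first_ratio
    return [first_ratio * a + second_ratio * b for a, b in zip(first, second)]

def cosine(u, v):
    """Claim 11: inner product divided by the product of the two moduli."""
    dot = sum(a * b for a, b in zip(u, v))
    norms = math.sqrt(sum(a * a for a in u)) * math.sqrt(sum(b * b for b in v))
    return dot / norms if norms else 0.0  # zero vector: treat as no similarity

def screen(predicted, history, min_similarity=None):
    """Claim 10: pick the historical entry with the maximum similarity.
    min_similarity is an added guard (not in the claims): the argmax always
    returns some historical attack, even when nothing resembles the input."""
    best_label, best_sim = None, -math.inf
    for label, vector in history.items():
        sim = cosine(predicted, vector)
        if sim > best_sim:
            best_label, best_sim = label, sim
    if min_similarity is not None and best_sim < min_similarity:
        return None, best_sim
    return best_label, best_sim

# Constructed sample data: two (head, relation, tail) embeddings of dimension 2.
TRIPLES = [
    ([0.0, 1.0], [1.0, 1.0], [-1.0, 4.0]),
    ([5.0, 2.0], [6.0, 2.0], [1.0, 0.0]),
]
# Constructed historical feature mapping vectors with hypothetical labels.
HISTORY = {
    "port_scan": [1.0, 1.0, 0.0],
    "brute_force": [0.0, 0.0, 1.0],
}

if __name__ == "__main__":
    print(triples_to_rgb(TRIPLES))
    predicted = fuse([1.0, 0.0, 0.0], [0.0, 1.0, 0.0], first_ratio=0.5)
    print(screen(predicted, HISTORY))
    print(screen([0.0, 0.0, 0.0], HISTORY, min_similarity=0.5))
```

Because the screening step can only return one of the stored historical attacks, the similarity value should be logged alongside the label so that weak matches are visible to whoever consumes the prediction.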
CN202311000479.4A 2023-08-09 2023-08-09 Network attack prediction method, system, electronic equipment and storage medium Pending CN117318981A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311000479.4A CN117318981A (en) 2023-08-09 2023-08-09 Network attack prediction method, system, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN117318981A true CN117318981A (en) 2023-12-29

Family

ID=89272615

Country Status (1)

Country Link
CN (1) CN117318981A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117692350A (en) * 2024-02-04 2024-03-12 中国人民解放军军事科学院系统工程研究院 Fingerprint-based flow prediction method and system
CN117692350B (en) * 2024-02-04 2024-04-30 中国人民解放军军事科学院系统工程研究院 Fingerprint-based flow prediction method and system

Similar Documents

Publication Publication Date Title
US10803359B2 (en) Image recognition method, apparatus, server, and storage medium
WO2021189364A1 (en) Method and device for generating adversarial image, equipment, and readable storage medium
CN109714324B (en) User network abnormal behavior discovery method and system based on machine learning algorithm
CN111475797A (en) Method, device and equipment for generating confrontation image and readable storage medium
CN111274916A (en) Face recognition method and face recognition device
CN113095370B (en) Image recognition method, device, electronic equipment and storage medium
WO2022179587A1 (en) Feature extraction method and apparatus
CN110826429A (en) Scenic spot video-based method and system for automatically monitoring travel emergency
CN117318981A (en) Network attack prediction method, system, electronic equipment and storage medium
CN110162939B (en) Man-machine identification method, equipment and medium
CN113628059A (en) Associated user identification method and device based on multilayer graph attention network
CN116258241A (en) Space-time correlation-based supervision environment risk prediction method and system
CN114827211A (en) Abnormal monitoring area detection method driven by node data of Internet of things
CN117633516B (en) Multi-mode cynics detection method, device, computer equipment and storage medium
CN115114480A (en) Data processing method, device, equipment, readable storage medium and program product
CN114615010A (en) Design method of edge server-side intrusion prevention system based on deep learning
CN115147618A (en) Method for generating saliency map, method and device for detecting abnormal object
CN110290101B (en) Deep trust network-based associated attack behavior identification method in smart grid environment
CN116523622A (en) Object risk prediction method and device, electronic equipment and storage medium
CN115827878A (en) Statement emotion analysis method, device and equipment
CN111597896B (en) Abnormal face recognition method, recognition device, recognition apparatus, and storage medium
CN114358186A (en) Data processing method and device and computer readable storage medium
Vinothkumar et al. Crime Hotspot Identification using SVM in Machine Learning
CN112861135B (en) Malicious code detection method based on attention mechanism
CN117541883B (en) Image generation model training, image generation method, system and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination