CN117596058A - Network information security protection system and method - Google Patents


Publication number
CN117596058A
Authority
CN
China
Prior art keywords
feature vector
scale
feature
trained
security
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN202311654281.8A
Other languages
Chinese (zh)
Inventor
李洪涛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Qiongzhong Mengluo Technology Co ltd
Original Assignee
Qiongzhong Mengluo Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/0464 Convolutional networks [CNN, ConvNet]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate


Abstract

The application relates to the field of network information security protection, and specifically discloses a network information security protection system and method. In this way, network vulnerabilities in the network information security system to be detected can be detected in real time, so as to protect network information.

Description

Network information security protection system and method
Technical Field
The present application relates to the field of network information security protection, and more particularly, to a system and method for security protection of network information.
Background
The advent and spread of computer networks have made information exchange and data transmission convenient, but have also introduced security threats. With the development of the internet, people can communicate and trade over worldwide network connections, but at the same time they face the risk of network attacks from hackers, viruses, malware, and the like. Existing network information security systems have the following problems: a large number of detection results reflect only the problems of one particular system, the results are presented in many different forms, and correlation analysis of massive security data is difficult, so a large number of false positive alarms may be generated. The security team then has to deal with a large number of false alarms, which wastes time and resources and reduces the attention paid to real threats.
Therefore, a security protection system and method for network information are desired that can judge more accurately whether network information is secure by monitoring and analyzing the security log, the system log, the vulnerability data and the traffic data generated while the network information security system operates.
Disclosure of Invention
The present application has been made in order to solve the above technical problems. The embodiments of the application provide a network information security protection system and method that first acquire the security log, system log, vulnerability data and traffic data collected from a network security server of the network information security system to be detected, and then perform training, feature extraction and analysis on the security log, the system log, the vulnerability data and the traffic data through a convolutional neural network model, so that whether the network information security system to be detected has a vulnerability is judged from the resulting classification result. In this way, network vulnerabilities in the network information security system to be detected can be detected in real time, so as to protect network information.
According to a first aspect of the present application, there is provided a security protection system for network information, comprising:
a data acquisition unit, used for acquiring the security log, the system log, the vulnerability data and the traffic data collected from the network security server of the network information security system to be detected;
a system log context encoding unit, used for passing the system log through a trained context encoder containing an embedding layer to obtain a system log semantic understanding feature vector;
a vulnerability data context encoding unit, used for passing the vulnerability data through a trained context encoder containing an embedding layer to obtain a vulnerability data semantic understanding feature vector;
a traffic data context encoding unit, used for passing the traffic data through a trained context encoder containing an embedding layer to obtain a traffic data semantic understanding feature vector;
a convolutional encoding unit, used for arranging the system log semantic understanding feature vector, the vulnerability data semantic understanding feature vector and the traffic data semantic understanding feature vector into a two-dimensional input matrix and obtaining an information association feature vector through a trained convolutional neural network model;
a multi-scale encoding unit, used for arranging the security log into an input vector and obtaining a security log multi-scale feature vector through a trained multi-scale neighborhood feature extraction module;
a feature fusion unit, used for performing prior-based feature engineering matching on the information association feature vector and the security log multi-scale feature vector to obtain a classification feature vector;
and a result generation unit, used for passing the classification feature vector through a trained classifier to obtain a classification result, wherein the classification result is used for indicating whether the network information security system to be detected has a vulnerability.
The above network information security protection system further includes a training module for training the context encoder containing the embedding layer, the convolutional neural network model, the multi-scale neighborhood feature extraction module, and the classifier;
wherein the training module includes:
a training data acquisition unit, used for acquiring training data, wherein the training data comprises a security log, a system log, vulnerability data and traffic data collected from a network security server of a network information security system to be detected;
a training system log context encoding unit, used for passing the system log through a context encoder containing an embedding layer to obtain a trained system log semantic understanding feature vector;
a training vulnerability data context encoding unit, used for passing the vulnerability data through a context encoder containing an embedding layer to obtain a trained vulnerability data semantic understanding feature vector;
a training traffic data context encoding unit, used for passing the traffic data through a context encoder containing an embedding layer to obtain a trained traffic data semantic understanding feature vector;
a training convolutional encoding unit, used for arranging the trained system log semantic understanding feature vector, the trained vulnerability data semantic understanding feature vector and the trained traffic data semantic understanding feature vector into a trained two-dimensional input matrix and then obtaining a trained information association feature vector through a convolutional neural network model;
a training multi-scale encoding unit, used for arranging the security log into a one-dimensional input vector and then obtaining a trained security log multi-scale feature vector through the multi-scale neighborhood feature extraction module;
a training feature fusion unit, used for performing prior-based feature engineering matching on the trained information association feature vector and the trained security log multi-scale feature vector to obtain a trained classification feature vector;
a classification loss unit, used for passing the trained classification feature vector through a classifier to obtain a classification loss function value;
and a training unit, used for training the context encoder containing the embedding layer, the convolutional neural network model, the multi-scale neighborhood feature extraction module and the classifier with the classification loss function value.
With reference to the first aspect of the present application, in the network information security protection system of the first aspect, the system log context encoding unit includes: a word segmentation subunit, used for performing word segmentation on the system log to obtain a word sequence; a word embedding subunit, used for inputting each word in the word sequence into the embedding layer of the context encoder, so that the embedding layer converts each word into a word embedding vector to obtain a sequence of word embedding vectors; a context semantic understanding subunit, used for inputting the sequence of word embedding vectors into a transformer-based BERT model of the context encoder to obtain a plurality of word semantic feature vectors; and a concatenation subunit, used for concatenating the plurality of word semantic feature vectors to obtain the system log semantic understanding feature vector.
With reference to the first aspect of the present application, in the network information security protection system of the first aspect, the convolutional encoding unit is configured to: use each layer of the convolutional neural network model to perform the following steps on the input data in the forward pass of that layer: using the convolution unit of each layer of the convolutional neural network model to perform convolution on the input data based on a two-dimensional convolution kernel to obtain a convolutional feature map; using the pooling unit of each layer of the convolutional neural network model to perform global average pooling along the channel dimension on the convolutional feature map to obtain a pooled feature map; using the activation unit of each layer of the convolutional neural network model to apply a nonlinear activation to the feature value at each position in the pooled feature map to obtain an activated feature map; wherein the output of the last layer of the convolutional neural network model is the information association feature vector.
With reference to the first aspect of the present application, in the network information security protection system of the first aspect, the classification loss unit is configured to: perform fully connected encoding on the trained classification feature vector using a plurality of fully connected layers of the classifier to obtain a classification feature vector; input the classification feature vector into a Softmax classification function of the classifier to obtain a classification result; and calculate the cross-entropy value between the classification result and the true value as the classification loss function value.
According to a second aspect of the present application, there is provided a security protection method for network information, including:
acquiring a security log, a system log, vulnerability data and traffic data collected from a network security server of a network information security system to be detected;
passing the system log through a trained context encoder containing an embedding layer to obtain a system log semantic understanding feature vector;
passing the vulnerability data through a trained context encoder containing an embedding layer to obtain a vulnerability data semantic understanding feature vector;
passing the traffic data through a trained context encoder containing an embedding layer to obtain a traffic data semantic understanding feature vector;
arranging the system log semantic understanding feature vector, the vulnerability data semantic understanding feature vector and the traffic data semantic understanding feature vector into a two-dimensional input matrix, and obtaining an information association feature vector through a trained convolutional neural network model;
arranging the security log into an input vector, and then obtaining a security log multi-scale feature vector through a trained multi-scale neighborhood feature extraction module;
performing prior-based feature engineering matching on the information association feature vector and the security log multi-scale feature vector to obtain a classification feature vector;
and passing the classification feature vector through a trained classifier to obtain a classification result, wherein the classification result is used for indicating whether a vulnerability exists in the network information security system to be detected.
The above network information security protection method further includes a training module for training the context encoder containing the embedding layer, the convolutional neural network model, the multi-scale neighborhood feature extraction module, and the classifier;
wherein the training module includes:
acquiring training data, wherein the training data comprises a security log, a system log, vulnerability data and traffic data collected from a network security server of a network information security system to be detected;
passing the system log through a context encoder containing an embedding layer to obtain a trained system log semantic understanding feature vector;
passing the vulnerability data through a context encoder containing an embedding layer to obtain a trained vulnerability data semantic understanding feature vector;
passing the traffic data through a context encoder containing an embedding layer to obtain a trained traffic data semantic understanding feature vector;
arranging the trained system log semantic understanding feature vector, the trained vulnerability data semantic understanding feature vector and the trained traffic data semantic understanding feature vector into a trained two-dimensional input matrix, and obtaining a trained information association feature vector through a convolutional neural network model;
arranging the security log into a one-dimensional input vector and then passing it through a multi-scale neighborhood feature extraction module to obtain a trained security log multi-scale feature vector;
performing prior-based feature engineering matching on the trained information association feature vector and the trained security log multi-scale feature vector to obtain a trained classification feature vector;
passing the trained classification feature vector through a classifier to obtain a classification loss function value;
training the context encoder containing the embedding layer, the convolutional neural network model, the multi-scale neighborhood feature extraction module, and the classifier with the classification loss function value.
Compared with the prior art, the network information security protection system provided by the application first acquires the security log, the system log, the vulnerability data and the traffic data collected from the network security server of the network information security system to be detected, and then performs training, feature extraction and analysis on the security log, the system log, the vulnerability data and the traffic data through the convolutional neural network model, so that whether the network information security system to be detected has a vulnerability is judged from the resulting classification result. In this way, network vulnerabilities in the network information security system to be detected can be detected in real time, so as to protect network information.
Drawings
Embodiments of the present application will be described in more detail with reference to the accompanying drawings.
Fig. 1 illustrates a schematic block diagram of a security protection system for network information according to an embodiment of the present application.
Fig. 2 illustrates a schematic block diagram of a system log context encoding unit in a network information security protection system according to an embodiment of the present application.
Fig. 3 illustrates a schematic block diagram of a result generation unit in a security protection system of network information according to an embodiment of the present application.
Fig. 4 illustrates a schematic block diagram of a training module in a network information security protection system according to an embodiment of the present application.
Fig. 5 illustrates a flow chart of a method of security protection of network information according to an embodiment of the present application.
Fig. 6 illustrates a schematic diagram of a system architecture of a method of security protection of network information according to an embodiment of the present application.
Fig. 7 illustrates a block diagram of an electronic device according to an embodiment of the present application.
Detailed Description
Hereinafter, example embodiments according to the present application will be described in detail with reference to the accompanying drawings. It should be apparent that the described embodiments are only some of the embodiments of the present application and not all of the embodiments of the present application, and it should be understood that the present application is not limited by the example embodiments described herein.
Exemplary System
Fig. 1 illustrates a schematic block diagram of a security protection system for network information according to an embodiment of the present application. As shown in fig. 1, the network information security protection system 100 according to an embodiment of the present application includes: a data acquisition unit 110, configured to acquire the security log, system log, vulnerability data and traffic data collected from a network security server of a network information security system to be detected; a system log context encoding unit 120, configured to pass the system log through a trained context encoder containing an embedding layer to obtain a system log semantic understanding feature vector; a vulnerability data context encoding unit 130, configured to pass the vulnerability data through a trained context encoder containing an embedding layer to obtain a vulnerability data semantic understanding feature vector; a traffic data context encoding unit 140, configured to pass the traffic data through a trained context encoder containing an embedding layer to obtain a traffic data semantic understanding feature vector; a convolutional encoding unit 150, configured to arrange the system log semantic understanding feature vector, the vulnerability data semantic understanding feature vector and the traffic data semantic understanding feature vector into a two-dimensional input matrix, and obtain an information association feature vector through a trained convolutional neural network model; a multi-scale encoding unit 160, configured to arrange the security log into an input vector, and then obtain a security log multi-scale feature vector through a trained multi-scale neighborhood feature extraction module; a feature fusion unit 170, configured to perform prior-based feature engineering matching on the information association feature vector and the security log multi-scale feature vector to obtain a classification feature vector; and a result generation unit 180, configured to pass the classification feature vector through the trained classifier to obtain a classification result, where the classification result is used to indicate whether a vulnerability exists in the network information security system to be detected.
In this embodiment of the present application, the data acquisition unit 110 is configured to acquire the security log, system log, vulnerability data and traffic data collected from a network security server of a network information security system to be detected. As described in the background, network security systems often face the risk of network attacks from hackers, viruses, malicious software, and the like, but in existing systems a large number of detection results reflect only the problems of one particular system and are presented in many different forms, so that correlation analysis of large amounts of security data is difficult and a large number of false positive alarms may be generated. The security team then has to deal with a large number of false alarms, which wastes time and resources and reduces the attention paid to real threats. Therefore, a security protection system and method for network information are desired that can judge more accurately whether network information is secure by monitoring and analyzing the security log, the system log, the vulnerability data and the traffic data generated while the network information security system operates.
In recent years, deep learning and neural networks have been widely used in the fields of computer vision, natural language processing, text signal processing, and the like. In addition, deep learning and neural networks have also shown levels approaching and even exceeding humans in the fields of image classification, object detection, semantic segmentation, text translation, and the like. The development of deep learning and neural networks provides new solutions and schemes for the security protection of network information.
It should be appreciated that the network information security system may generate large amounts of security logs, system logs, vulnerability data and traffic data at runtime, which provide detailed information about network activity. By analyzing this data, potential security events, attack behavior or abnormal activity may be detected. This helps to discover potential security threats in time and to take appropriate response measures before they spread further. Therefore, in order to judge more accurately whether network information is secure, the security log, the system log, the vulnerability data and the traffic data are first collected. Specifically, the security log, system log, vulnerability data and traffic data collected from a network security server are obtained.
In this embodiment of the present application, the system log context encoding unit 120 is configured to pass the system log through a trained context encoder containing an embedding layer to obtain a system log semantic understanding feature vector. It should be appreciated that the system log typically contains a large amount of text information, including events, errors, warnings and so on recorded during system operation. Some of this information is redundant, and the redundancy may affect the judgment of system security. By inputting the system log into a trained context encoder, the text information can be converted into a semantic understanding feature vector. In this way, key information in the system log can be extracted, redundancy and noise removed, and higher-level semantic meaning captured. Therefore, in order to obtain more accurate feature information and semantic understanding from the system log, the system log is passed through a trained context encoder containing an embedding layer to obtain the system log semantic understanding feature vector.
Fig. 2 illustrates a schematic block diagram of a system log context encoding unit in a network information security protection system according to an embodiment of the present application. As shown in fig. 2, the system log context encoding unit 120 includes: a word segmentation subunit 121, configured to perform word segmentation on the system log to obtain a word sequence; a word embedding subunit 122, configured to input each word in the word sequence into the embedding layer of the context encoder, so that the embedding layer converts each word into a word embedding vector to obtain a sequence of word embedding vectors; a context semantic understanding subunit 123, configured to input the sequence of word embedding vectors into a transformer-based BERT model of the context encoder to obtain a plurality of word semantic feature vectors; and a concatenation subunit 124, configured to concatenate the plurality of word semantic feature vectors to obtain the system log semantic understanding feature vector.
In this embodiment of the present application, the vulnerability data context encoding unit 130 is configured to pass the vulnerability data through a trained context encoder containing an embedding layer to obtain a vulnerability data semantic understanding feature vector. Because vulnerability data comes in multiple types, feature extraction and analysis performed directly on it may produce analysis errors. To solve this problem, the vulnerability data is converted into a semantic understanding feature vector. Specifically, the vulnerability data is passed through a trained context encoder containing an embedding layer to obtain the vulnerability data semantic understanding feature vector. In this way, different vulnerability data can be compared and clustered, which makes it easier to find similar vulnerability types, shared vulnerability characteristics or potential vulnerability risks. The semantic understanding feature vector captures the semantic meaning of the vulnerability data, so that similar vulnerabilities lie closer together in the feature space, which improves similarity comparison and clustering.
In this embodiment of the present application, the traffic data context encoding unit 140 is configured to pass the traffic data through a trained context encoder containing an embedding layer to obtain a traffic data semantic understanding feature vector. It will be appreciated that the traffic data is typically very large and contains a large number of network traffic records. Using raw traffic data directly for analysis and processing may lead to the curse of dimensionality and to computational complexity problems. By using an embedding layer and a context encoder, the traffic data can be converted into a semantic understanding feature vector of fixed dimension, which reduces the dimension of the data and simplifies subsequent analysis and processing. Specifically, the traffic data is passed through a trained context encoder containing an embedding layer to obtain the traffic data semantic understanding feature vector.
In this embodiment of the present application, the convolutional encoding unit 150 is configured to arrange the system log semantic understanding feature vector, the vulnerability data semantic understanding feature vector and the traffic data semantic understanding feature vector into a two-dimensional input matrix, and obtain an information association feature vector through a trained convolutional neural network model. It should be understood that the system log, the vulnerability data and the traffic data are important data sources in the network information security protection system and may be related to one another: for example, the system log may record abnormal behavior related to a known vulnerability, and the communication records in the traffic data may show attack traffic related to that vulnerability. Security threats associated with system vulnerabilities can be better understood and analyzed through this correlation. Therefore, the system log semantic understanding feature vector, the vulnerability data semantic understanding feature vector and the traffic data semantic understanding feature vector are arranged into a two-dimensional input matrix, so that different types of data can be organized by time sequence or by another association. The convolutional neural network model then captures the local and global context information of the two-dimensional input matrix through convolution and pooling operations, so that the relations and contextual semantics between data points are better understood and the ability to understand and analyze the data improves. Specifically, the system log semantic understanding feature vector, the vulnerability data semantic understanding feature vector and the traffic data semantic understanding feature vector are arranged into a two-dimensional input matrix, and the information association feature vector is then obtained through a trained convolutional neural network model.
In a specific embodiment of the present application, the convolutional encoding unit 150 is configured to use each layer of the convolutional neural network model to perform the following steps on input data in the forward pass of that layer: using the convolution unit of each layer of the convolutional neural network model to perform convolution processing on the input data based on a two-dimensional convolution kernel to obtain a convolution feature map; using the pooling unit of each layer of the convolutional neural network model to perform global average pooling along the channel dimension on the convolution feature map to obtain a pooled feature map; and using the activation unit of each layer of the convolutional neural network model to perform nonlinear activation on the feature value at each position in the pooled feature map to obtain an activated feature map.
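The layer steps described above can be traced on a small matrix. The following Python sketch is an added example, not code from the patent: the function names, the zero-padded "same" convolution, the choice of ReLU as the nonlinear activation, and the sample kernels and values are all assumptions made for illustration.

```python
"""One forward layer: 2-D convolution, average pooling over channels, activation.

Added illustration. Function names, zero padding, ReLU and the kernels are
assumptions; the patent only names the three steps.
"""


def arrange_2d(sys_vec, vuln_vec, traffic_vec):
    """Stack the three semantic feature vectors as rows of the 2-D input matrix."""
    rows = [list(sys_vec), list(vuln_vec), list(traffic_vec)]
    if not rows[0] or len({len(r) for r in rows}) != 1:
        raise ValueError("feature vectors must be non-empty and of equal length")
    return rows


def conv2d_same(matrix, kernel):
    """Zero-padded 2-D cross-correlation that keeps the input height and width."""
    kh, kw = len(kernel), len(kernel[0])
    if kh % 2 == 0 or kw % 2 == 0:
        raise ValueError("kernel sides must be odd for symmetric padding")
    h, w = len(matrix), len(matrix[0])
    ph, pw = kh // 2, kw // 2
    out = [[0.0] * w for _ in range(h)]
    for i in range(h):
        for j in range(w):
            acc = 0.0
            for di in range(kh):
                for dj in range(kw):
                    r, c = i + di - ph, j + dj - pw
                    if 0 <= r < h and 0 <= c < w:  # outside the matrix counts as 0
                        acc += kernel[di][dj] * matrix[r][c]
            out[i][j] = acc
    return out


def channel_average_pool(feature_maps):
    """Average the C channel maps position by position, giving one H x W map."""
    c = len(feature_maps)
    h, w = len(feature_maps[0]), len(feature_maps[0][0])
    return [[sum(fm[i][j] for fm in feature_maps) / c for j in range(w)]
            for i in range(h)]


def relu(feature_map):
    """Nonlinear activation applied to the value at every position."""
    return [[max(0.0, x) for x in row] for row in feature_map]


def forward_layer(matrix, kernels):
    """Convolve with every kernel (one channel each), pool over channels, activate."""
    maps = [conv2d_same(matrix, k) for k in kernels]
    return relu(channel_average_pool(maps))


# Constructed kernels: IDENTITY copies the input; ROW_DIFF contrasts each source
# row with the row above it (e.g. vulnerability features against system-log
# features), which is the kind of cross-source relation the layer can pick up.
IDENTITY = [[0, 0, 0], [0, 1, 0], [0, 0, 0]]
ROW_DIFF = [[0, -1, 0], [0, 1, 0], [0, 0, 0]]

if __name__ == "__main__":
    # Constructed toy feature vectors standing in for the three encoder outputs.
    x = arrange_2d([1, 2], [3, 4], [5, 6])
    for row in forward_layer(x, [IDENTITY, ROW_DIFF]):
        print(row)
```

Pooling along the channel dimension collapses the per-kernel maps into a single map with the same height and width as the input, so the layer output keeps one row per data source.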
In this embodiment, the multi-scale encoding unit 160 is configured to arrange the security log into the input vector, and then obtain the multi-scale feature vector of the security log through the trained multi-scale neighborhood feature extraction module. It should be appreciated that the security log contains a large amount of information such as event description, time stamp, source IP address, destination IP address, etc. By arranging the security log as an input vector, this information can be represented in a structured way. In addition, in order to better extract the feature distribution and the context semantic information of the security log, the input vector is subjected to feature extraction through a trained multi-scale neighborhood feature extraction module so as to obtain the multi-scale feature vector of the security log. The multi-scale neighborhood feature extraction module can automatically learn and extract important features in the security log through convolution, pooling and other operations, so that the content and the context information of the security log are better represented.
In a specific embodiment of the present application, the multi-scale encoding unit 160 includes: a first scale convolution encoding subunit 161, configured to input the input vector into a first convolution layer of the multi-scale neighborhood feature extraction module to obtain a first scale feature vector, where the first convolution layer has a first one-dimensional convolution kernel with a first length; a second scale convolution encoding subunit 162, configured to input the input vector into a second convolution layer of the multi-scale neighborhood feature extraction module to obtain a second scale feature vector, where the second convolution layer has a second one-dimensional convolution kernel of a second length, and the first length is different from the second length; a cascading subunit 163, configured to cascade the first scale feature vector and the second scale feature vector by using a cascading layer of the multi-scale neighborhood feature extraction module to obtain the security log multi-scale feature vector. Wherein the first scale convolution encoding subunit 161 is configured to: performing one-dimensional convolution encoding on the input vector by using a first convolution layer of the multi-scale neighborhood feature extraction module according to the following first one-dimensional convolution formula to obtain the first scale feature vector; wherein the first one-dimensional convolution formula is:
Wherein $a$ is the width of the first one-dimensional convolution kernel in the $x$ direction, $F(a)$ is the first one-dimensional convolution kernel parameter vector, $G(x-a)$ is a local vector matrix calculated by the convolution kernel function, $n$ is the size of the first one-dimensional convolution kernel, $V$ represents the input vector, and $Cov_1(V)$ represents one-dimensional convolutional encoding of the input vector to obtain the first scale feature vector. The second scale convolution encoding subunit 162 is configured to: perform one-dimensional convolution encoding on the input vector by using a second convolution layer of the multi-scale neighborhood feature extraction module according to the following second one-dimensional convolution formula to obtain the second scale feature vector; wherein the second one-dimensional convolution formula is:
wherein $b$ is the width of the second one-dimensional convolution kernel in the $x$ direction, $F(b)$ is the second one-dimensional convolution kernel parameter vector, $G(x-b)$ is a local vector matrix calculated by the convolution kernel function, $m$ is the size of the second one-dimensional convolution kernel, $V$ represents the input vector, and $Cov_2(V)$ represents one-dimensional convolutional encoding of the input vector to obtain the second scale feature vector.
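The two-branch structure described above (two one-dimensional convolutions with kernels of different lengths over the same input vector, followed by cascading) can be sketched as follows. This is an added Python example, not the patent's implementation: it uses a standard zero-padded discrete convolution as an assumption, and the field encoding, kernel weights and sample log records are constructed for illustration.

```python
"""Multi-scale neighborhood feature extraction over a security-log input vector.

Added illustration. The field encoding, kernel lengths and weights are
assumptions; a standard zero-padded 1-D convolution is assumed.
"""
import hashlib
import ipaddress
from datetime import datetime

# Constructed sample security-log records (not taken from the patent).
SAMPLE_LOG = [
    {"ts": "2023-12-01T08:00:00", "src": "10.0.0.5", "dst": "10.0.0.9", "event": "login_failed"},
    {"ts": "2023-12-01T08:00:02", "src": "10.0.0.5", "dst": "10.0.0.9", "event": "login_failed"},
    {"ts": "2023-12-01T08:00:04", "src": "10.0.0.5", "dst": "10.0.0.9", "event": "login_ok"},
]

FIELDS_PER_RECORD = 4


def encode_record(rec):
    """Map one record to four numbers in [0, 1): time of day, source, destination, event."""
    t = datetime.fromisoformat(rec["ts"])
    time_of_day = (t.hour * 3600 + t.minute * 60 + t.second) / 86400.0
    src = int(ipaddress.ip_address(rec["src"])) / 2**32
    dst = int(ipaddress.ip_address(rec["dst"])) / 2**32
    digest = hashlib.sha256(rec["event"].encode("utf-8")).digest()
    event = int.from_bytes(digest[:4], "big") / 2**32
    return [time_of_day, src, dst, event]


def arrange_input_vector(log):
    """Arrange the security log into a one-dimensional input vector, record by record."""
    vec = []
    for rec in log:
        vec.extend(encode_record(rec))
    return vec


def conv1d_same(v, kernel):
    """Zero-padded 1-D convolution (cross-correlation form) keeping the input length."""
    k = len(kernel)
    left = (k - 1) // 2
    right = k - 1 - left
    padded = [0.0] * left + list(v) + [0.0] * right
    return [sum(kernel[j] * padded[i + j] for j in range(k)) for i in range(len(v))]


def multi_scale_features(v, kernel_a, kernel_b):
    """Run both convolution branches on the same input and cascade their outputs."""
    if not v:
        raise ValueError("input vector is empty")
    if len(kernel_a) == len(kernel_b):
        raise ValueError("the first and second kernel lengths must differ")
    first_scale = conv1d_same(v, kernel_a)
    second_scale = conv1d_same(v, kernel_b)
    return first_scale + second_scale  # cascading = concatenation


if __name__ == "__main__":
    v = arrange_input_vector(SAMPLE_LOG)
    # A length-3 kernel stays mostly inside one 4-field record; a length-9 kernel
    # spans more than two records, so it reacts to patterns across events.
    short_kernel = [1 / 3] * 3
    long_kernel = [1 / 9] * 9
    features = multi_scale_features(v, short_kernel, long_kernel)
    print(len(v), len(features))
```

Because both branches preserve the input length, the cascaded vector is twice as long as the input vector; the two halves describe the same log at a per-event scale and at a cross-event scale.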
In this embodiment of the present application, the feature fusion unit 170 is configured to perform prior-based feature engineering matching on the information-associated feature vector and the security log multi-scale feature vector to obtain a classification feature vector. It should be appreciated that the information-associated feature vector and the security log multi-scale feature vector each describe a security event from a different dimension. The information-associated feature vector can provide association information with other related data, and the security log multi-scale feature vector can provide the content and context information of the security log. Therefore, in order to take information from multiple dimensions into account and make the classification result more comprehensive, the information-associated feature vector and the security log multi-scale feature vector are fused to obtain the classification feature vector.
In particular, in the technical scheme of the application, the information-associated feature vector is extracted from a two-dimensional input matrix consisting of the system log semantic understanding feature vector, the vulnerability data semantic understanding feature vector and the traffic data semantic understanding feature vector, and the security log multi-scale feature vector is extracted from the security log. These two data sources have different characteristics and representations. The information-associated feature vector is extracted based on semantic understanding information of the system log, the vulnerability data and the traffic data, and the security log multi-scale feature vector is extracted based on multi-scale features of the security log. There may be a difference between these two feature vectors due to the difference in data source. The information-associated feature vector and the security log multi-scale feature vector may also take different feature representations. The information-associated feature vector is extracted from the two-dimensional input matrix through a convolutional neural network model, and the security log multi-scale feature vector is extracted from the security log through a multi-scale neighborhood feature extraction module. This difference in feature representation may reduce the alignment between the information-associated feature vector and the security log multi-scale feature vector. The dimensions of the information-associated feature vector and the security log multi-scale feature vector may also be different. The information-associated feature vector is extracted based on semantic understanding information of the system log, the vulnerability data and the traffic data, and its dimension may be higher.
The security log multi-scale feature vector is extracted based on the multi-scale features of the security log, and its dimension may be lower. Due to this difference in feature dimensions, the alignment between the information-associated feature vector and the security log multi-scale feature vector may be low.
To address the technical problem of the alignment between the information-associated feature vector and the security log multi-scale feature vector, the technical scheme of the application uses prior-based feature engineering matching to convert the alignment problem between the feature vectors into a probability problem, so that the alignment and the fusion effect between the feature vectors are improved by probabilistic techniques.
Specifically, a prior-based feature engineering matching strategy is first designed according to the structures and attributes of the information-associated feature vector and the security log multi-scale feature vector, and feature values of different categories and dimensions are mapped and transformed according to a certain prior rule, so that information loss and error accumulation in the alignment process are reduced. Furthermore, by means of probabilistic techniques, the posterior feature distribution of the hidden feature expression of the parameterized model is represented based on the prior-based feature engineering matching vector of the security log multi-scale feature vector relative to the information-associated feature vector, so that smoother vector consistency fusion is achieved and the accuracy of the classification judgment made on the classification feature vector is improved.
Based on the above, in the technical solution of the present application, the prior-based feature engineering matching is performed on the information-associated feature vector and the security log multi-scale feature vector according to the following formula to obtain a classification feature vector: wherein, the formula is:
Wherein $V_1$ represents the information-associated feature vector, $V_2$ represents the security log multi-scale feature vector, $\alpha$, $\beta$ and $\lambda$ represent predetermined hyper-parameters, $\|\cdot\|_F$ represents the Frobenius norm of a vector, $\exp(\cdot)$ represents the exponential operation of a vector, $\tanh$ represents the hyperbolic tangent function, the formula's two operators denote position-wise addition and position-wise subtraction of vectors, and $V_f$ represents the classification feature vector.
In this embodiment of the present application, the result generating unit 180 is configured to pass the classification feature vector through a trained classifier to obtain a classification result, where the classification result is used to indicate whether a vulnerability exists in the network information security system to be detected. In order to judge whether the network information security system to be detected has a vulnerability, the classification feature vector is classified by using a classifier. The classifier may map the classification feature vector to one of two classification labels: the network information security system to be detected has a vulnerability, or the network information security system to be detected does not have a vulnerability. An early warning can therefore be issued to management personnel in a timely manner according to the classification result, so as to ensure the security of the network information security system. Specifically, the classification feature vector is passed through a trained classifier to obtain a classification result, wherein the classification result is used for indicating whether a vulnerability exists in the network information security system to be detected.
Fig. 3 illustrates a schematic block diagram of a result generation unit in a security protection system of network information according to an embodiment of the present application. As shown in fig. 3, the result generation unit 180 includes: a full-connection coding subunit 181, configured to perform full-connection coding on the classification feature vector by using a full-connection layer of the classifier to obtain a full-connection coding feature vector; a probability obtaining subunit 182, configured to pass the fully-connected encoding feature vector through a Softmax classification function of the classifier to obtain a first probability that a vulnerability exists in the network information security system to be detected and a second probability that the vulnerability does not exist in the network information security system to be detected; a classification result determination subunit 183 for determining the classification result based on a comparison between the first probability and the second probability.
It should be appreciated that the embedded layer-containing context encoder, the convolutional neural network model, the multi-scale neighborhood feature extraction module, and the classifier need to be trained prior to failure recognition of the hydraulic forging press to be detected using the above-described roll-to-roll neural network model. That is, in the network information security protection system of the embodiment of the present application, the system further includes a training module, where the training module is configured to train the context encoder including the embedded layer, the convolutional neural network model, the multi-scale neighborhood feature extraction module, and the classifier.
Fig. 4 illustrates a schematic block diagram of a training module in a network information security protection system according to an embodiment of the present application. As shown in fig. 4, the training module 200 includes:
a training data obtaining unit 210, configured to obtain training data, where the training data includes a security log, a system log, vulnerability data, and traffic data collected from a network security server of a network information security system to be detected;
a training system log context coding unit 220, configured to pass the system log through a context coder including an embedded layer to obtain a trained system log semantic understanding feature vector;
a training vulnerability data context encoding unit 230, configured to pass the vulnerability data through a context encoder including an embedded layer to obtain a trained vulnerability data semantic understanding feature vector;
a training traffic data context encoding unit 240, configured to pass the traffic data through a context encoder including an embedded layer to obtain a trained traffic data semantic understanding feature vector;
a training convolutional encoding unit 250, configured to two-dimensionally arrange the trained system log semantic understanding feature vector, the trained vulnerability data semantic understanding feature vector and the trained traffic data semantic understanding feature vector into a trained two-dimensional input matrix, and then obtain a trained information association feature vector through a convolutional neural network model;
a training multi-scale encoding unit 260, configured to arrange the security log into a one-dimensional input vector, and then obtain a trained security log multi-scale feature vector through a multi-scale neighborhood feature extraction module;
a training feature fusion unit 270, configured to perform prior-based feature engineering matching on the trained information-associated feature vector and the trained security log multi-scale feature vector to obtain a trained classification feature vector;
a classification loss unit 280, configured to pass the trained classification feature vector through a classifier to obtain a classification loss function value;
a training unit 290, configured to train the context encoder including the embedded layer, the convolutional neural network model, the multi-scale neighborhood feature extraction module, and the classifier with the classification loss function value.
In the embodiment of the present application, the classification loss unit 280 is configured to: performing full-connection coding on the trained classification feature vectors by using a plurality of full-connection layers of the classifier to obtain classification feature vectors; inputting the classification feature vector into a Softmax classification function of the classifier to obtain a classification result; and calculating a cross entropy value between the classification result and a true value as the classification loss function value.
In summary, the network information security protection system 100 according to the embodiment of the present application has been described. It first obtains a security log, a system log, vulnerability data and traffic data collected from a network security server of a network information security system to be detected, and then performs training learning, feature extraction and analysis on the security log, the system log, the vulnerability data and the traffic data through a convolutional neural network model, so that whether a vulnerability exists in the network information security system to be detected is determined according to the obtained classification result. Therefore, network vulnerabilities in the network information security system to be detected can be detected in real time, so as to achieve the purpose of protecting network information.
As described above, the security protection system 100 for network information according to the embodiment of the present application may be implemented in various terminal devices, for example, a server or the like where a security protection algorithm for network information is deployed. In one example, the network information based security protection system 100 may be integrated into the terminal device as a software module and/or hardware module. For example, the security protection system 100 of the network information may be a software module in the operating system of the terminal device, or may be an application developed for the terminal device; of course, the network information security protection system 100 may also be one of a plurality of hardware modules of the terminal device.
Alternatively, in another example, the network information security protection system 100 and the terminal device may be separate devices, and the network information security protection system 100 may be connected to the terminal device through a wired and/or wireless network and transmit the interactive information in an agreed data format.
Exemplary method
Fig. 5 illustrates a flow chart of a method of security protection of network information according to an embodiment of the present application. Fig. 6 illustrates a schematic diagram of a system architecture of a method of security protection of network information according to an embodiment of the present application. As shown in fig. 5 and fig. 6, a method for protecting security of network information according to an embodiment of the present application includes:
S110, acquiring a security log, a system log, vulnerability data and traffic data collected from a network security server of a network information security system to be detected;
S120, passing the system log through a trained context encoder comprising an embedded layer to obtain a system log semantic understanding feature vector;
S130, passing the vulnerability data through a trained context encoder comprising an embedded layer to obtain a vulnerability data semantic understanding feature vector;
S140, passing the traffic data through a trained context encoder comprising an embedded layer to obtain a traffic data semantic understanding feature vector;
S150, two-dimensionally arranging the system log semantic understanding feature vector, the vulnerability data semantic understanding feature vector and the traffic data semantic understanding feature vector into a two-dimensional input matrix, and obtaining an information association feature vector through a trained convolutional neural network model;
S160, arranging the security log into an input vector, and obtaining the security log multi-scale feature vector through a trained multi-scale neighborhood feature extraction module;
S170, performing prior-based feature engineering matching on the information-associated feature vector and the security log multi-scale feature vector to obtain a classification feature vector; and
S180, passing the classification feature vector through a trained classifier to obtain a classification result, wherein the classification result is used for indicating whether a vulnerability exists in the network information security system to be detected.
Here, it will be understood by those skilled in the art that the specific functions and operations of the respective steps in the above-described security protection method of network information have been described in detail in the above description of the security protection system of network information with reference to fig. 1, and thus, repetitive descriptions thereof will be omitted.
Exemplary electronic device
Next, an electronic device according to an embodiment of the present application is described with reference to fig. 7.
Fig. 7 illustrates a block diagram of an electronic device according to an embodiment of the present application.
As shown in fig. 7, the electronic device comprises a processor 601, a communication interface 602, a memory 603 and a communication bus 604. The processor 601, the communication interface 602, and the memory 603 communicate with each other via the communication bus 604, and the components of the processor 601, the communication interface 602, and the memory 603 may also communicate with each other via a network connection. The present disclosure is not limited herein with respect to the type and functionality of the network. It should be noted that the components of the electronic device shown in fig. 7 are exemplary only and not limiting, and that the electronic device may have other components as desired for practical applications.
For example, the memory 603 is used for non-transitory storage of computer readable instructions. The processor 601 is configured to implement the edge detection method according to any of the embodiments described above when executing the computer readable instructions. For the specific implementation of each step of the edge detection method and related explanation, reference may be made to the above-mentioned embodiment of the edge detection method, which is not described herein again.
For example, other implementations of the edge detection method implemented by the processor 601 executing computer readable instructions stored on the memory 603 are the same as those mentioned in the foregoing method embodiment, and will not be described herein again.
For example, the communication bus 604 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be classified as an address bus, a data bus, a control bus, or the like. For ease of illustration, the bus is shown in the figure as a single bold line, but this does not mean that there is only one bus or only one type of bus.
For example, the communication interface 602 is used to enable communication between an electronic device and other devices.
For example, the processor 601 and the memory 603 may be provided at a server side (or cloud).
For example, the processor 601 may control other components in the electronic device to perform desired functions. The processor 601 may be a device with data processing and/or program execution capabilities, such as a Central Processing Unit (CPU), a Network Processor (NP), a Tensor Processing Unit (TPU), or a Graphics Processing Unit (GPU); it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. The Central Processing Unit (CPU) may be of an X86 or ARM architecture, etc.
For example, the memory 603 may include any combination of one or more computer program products, which may include various forms of computer-readable storage media, such as volatile memory and/or non-volatile memory. Volatile memory can include, for example, Random Access Memory (RAM) and/or cache memory (cache) and the like. The non-volatile memory may include, for example, read-only memory (ROM), hard disk, erasable programmable read-only memory (EPROM), portable compact disc read-only memory (CD-ROM), USB memory, flash memory, and the like. One or more computer readable instructions may be stored on the computer readable storage medium and executed by the processor 601 to implement various functions of the electronic device. Various applications and various data, etc. may also be stored in the storage medium.
For example, in some embodiments, the electronic device may further include an image acquisition component. The image acquisition section is for acquiring an input image of an object. The memory 603 is also used to store input images.
For example, the image acquisition component may be a camera of a smart phone, a camera of a tablet computer, a camera of a personal computer, a lens of a digital camera, or even a web cam.
For example, the input image may be an original image directly acquired by the image acquisition component, or may be an image obtained after preprocessing the original image. Preprocessing may eliminate extraneous or noise information in the original image to facilitate better processing of the input image. Preprocessing may include, for example, data augmentation (Data Augment), image scaling, gamma correction, image enhancement, or noise reduction filtering of the original image.
For example, a detailed description of a process of performing edge detection by an electronic device may refer to a related description in an embodiment of an edge detection method, and a detailed description is omitted.

Claims (10)

1. A system for securing network information, comprising:
the data acquisition unit is used for acquiring the security log, the system log, the vulnerability data and the flow data acquired from the network security server of the network information security system to be detected;
the system log context coding unit is used for enabling the system log to pass through a trained context coder containing an embedded layer so as to obtain a semantic understanding feature vector of the system log;
the vulnerability data context coding unit is used for enabling the vulnerability data to pass through a trained context coder comprising an embedded layer to obtain vulnerability data semantic understanding feature vectors;
the traffic data context coding unit is used for enabling the traffic data to pass through a trained context coder containing an embedded layer so as to obtain traffic data semantic understanding feature vectors;
the convolution coding unit is used for two-dimensionally arranging the system log semantic understanding feature vector, the vulnerability data semantic understanding feature vector and the flow data semantic understanding feature vector into a two-dimensional input matrix and obtaining an information association feature vector through a trained convolution neural network model;
the multi-scale coding unit is used for arranging the security log into an input vector and obtaining the security log multi-scale feature vector through a trained multi-scale neighborhood feature extraction module;
the feature fusion unit is used for carrying out prior-based feature engineering matching on the information association feature vector and the security log multi-scale feature vector so as to obtain a classification feature vector;
and the result generation unit is used for passing the classification feature vector through the trained classifier to obtain a classification result, wherein the classification result is used for indicating whether the network information security system to be detected has a vulnerability.
2. The system for protecting security of network information according to claim 1, wherein the system log context encoding unit comprises:
the word segmentation subunit is used for carrying out word segmentation processing on the system log to obtain a word sequence;
a word embedding subunit, configured to input each word in the word sequence into an embedding layer of the context encoder, so that the embedding layer converts each word into a word embedding vector to obtain a sequence of word embedding vectors;
a context semantic understanding subunit for inputting the sequence of word embedding vectors into a Transformer-based BERT model of the context encoder to obtain a plurality of word semantic feature vectors;
and the cascading subunit is used for cascading the plurality of word semantic feature vectors to obtain the system log semantic understanding feature vector.
3. The system for protecting network information according to claim 2, wherein the convolutional encoding unit is configured to: use each layer of the convolutional neural network model to perform the following steps on input data in the forward pass of the layer:
using convolution units of all layers of the convolution neural network model to carry out convolution processing on the input data based on a two-dimensional convolution kernel so as to obtain a convolution characteristic diagram;
using pooling units of each layer of the convolutional neural network model to carry out global average pooling treatment along the channel dimension on the convolutional feature map so as to obtain a pooled feature map; and
using an activation unit of each layer of the convolutional neural network model to perform nonlinear activation on the characteristic values of each position in the pooled characteristic map so as to obtain an activated characteristic map;
and the output of the last layer of the convolutional neural network model is the information-associated feature vector.
4. A network information security protection system according to claim 3, wherein the multi-scale encoding unit comprises:
a first scale convolution encoding subunit, configured to input the input vector into a first convolution layer of the multi-scale neighborhood feature extraction module to obtain a first scale feature vector, where the first convolution layer has a first one-dimensional convolution kernel with a first length;
a second scale convolution encoding subunit, configured to input the input vector into a second convolution layer of the multi-scale neighborhood feature extraction module to obtain a second scale feature vector, where the second convolution layer has a second one-dimensional convolution kernel of a second length, and the first length is different from the second length;
and the cascading subunit is used for cascading the first scale feature vector and the second scale feature vector by using a cascading layer of the multi-scale neighborhood feature extraction module so as to obtain the security log multi-scale feature vector.
5. The system for protecting network information according to claim 4, wherein the first scale convolutional encoding subunit is configured to: performing one-dimensional convolution encoding on the input vector by using a first convolution layer of the multi-scale neighborhood feature extraction module according to the following first one-dimensional convolution formula to obtain the first scale feature vector;
wherein the first one-dimensional convolution formula is:
wherein $a$ is the width of the first one-dimensional convolution kernel in the $x$ direction, $F(a)$ is the first one-dimensional convolution kernel parameter vector, $G(x-a)$ is a local vector matrix calculated by the convolution kernel function, $n$ is the size of the first one-dimensional convolution kernel, $V$ represents the input vector, and $Cov_1(V)$ represents one-dimensional convolutional encoding of the input vector to obtain the first scale feature vector.
6. The system for protecting network information according to claim 5, wherein the feature fusion unit is configured to:
performing a priori based feature engineering matching on the information-associated feature vector and the security log multi-scale feature vector with the following formula to obtain a classification feature vector: wherein, the formula is:
wherein V_1 represents the information-associated feature vector, V_2 represents the security log multi-scale feature vector, α, β and λ represent predetermined hyper-parameters, ‖·‖_F represents the Frobenius norm of the vector, exp(·) represents the exponential operation of the vector, tanh represents the hyperbolic tangent function, the operator symbols of the formula denote the per-position addition and the per-position subtraction of vectors, and the result of the formula is the classification feature vector.
7. The network information security protection system according to claim 6, wherein the result generation unit includes:
the full-connection coding subunit is used for carrying out full-connection coding on the classification feature vectors by using a full-connection layer of the classifier so as to obtain full-connection coding feature vectors;
the probability obtaining subunit is used for obtaining a first probability of existence of a vulnerability of the network information security system to be detected and a second probability of non-existence of the vulnerability of the network information security system to be detected by passing the full-connection coding feature vector through a Softmax classification function of the classifier;
and a classification result determination subunit configured to determine the classification result based on a comparison between the first probability and the second probability.
8. The system for protecting the security of network information according to claim 7, further comprising a training module for training the context encoder including an embedded layer, the convolutional neural network model, the multi-scale neighborhood feature extraction module, and the classifier;
wherein the training module includes:
the training data acquisition unit is used for acquiring training data, wherein the training data comprises a security log, a system log, vulnerability data and flow data which are acquired from a network security server of a network information security system to be detected;
the training system log context coding unit is used for enabling the system log to pass through a context coder comprising an embedded layer to obtain a trained system log semantic understanding feature vector;
the training vulnerability data context coding unit is used for enabling the vulnerability data to pass through a context coder comprising an embedded layer to obtain a trained vulnerability data semantic understanding feature vector;
the training flow data context coding unit is used for enabling the flow data to pass through a context coder comprising an embedded layer to obtain a semantic understanding feature vector of the flow data after training;
the training convolutional coding unit is used for two-dimensionally arranging the trained system log semantic understanding feature vector, the trained vulnerability data semantic understanding feature vector and the trained flow data semantic understanding feature vector into a trained two-dimensional input matrix and then obtaining a trained information association feature vector through a convolutional neural network model;
the training multi-scale coding unit is used for arranging the security log into a one-dimensional input vector and then obtaining the trained security log multi-scale feature vector through the multi-scale neighborhood feature extraction module;
the training feature fusion unit is used for carrying out prior-based feature engineering matching on the trained information-associated feature vector and the trained security log multi-scale feature vector so as to obtain a trained classification feature vector;
the classification loss unit is used for passing the trained classification feature vector through a classifier to obtain a classification loss function value;
and the training unit is used for training the context encoder containing the embedded layer, the convolutional neural network model, the multi-scale neighborhood feature extraction module and the classifier by using the classification loss function value.
9. The system for protecting network information according to claim 8, wherein the classification loss unit is configured to:
performing full-connection coding on the trained classification feature vectors by using a plurality of full-connection layers of the classifier to obtain classification feature vectors;
inputting the classification feature vector into a Softmax classification function of the classifier to obtain a classification result; and
calculating a cross entropy value between the classification result and a true value as the classification loss function value.
10. A method for protecting security of network information, comprising:
acquiring a security log, a system log, vulnerability data and flow data acquired from a network security server of a network information security system to be detected;
passing the system log through a trained context encoder comprising an embedded layer to obtain a semantic understanding feature vector of the system log;
passing the vulnerability data through a trained context encoder comprising an embedded layer to obtain vulnerability data semantic understanding feature vectors;
passing the flow data through a trained context encoder comprising an embedded layer to obtain a flow data semantic understanding feature vector;
two-dimensionally arranging the system log semantic understanding feature vector, the vulnerability data semantic understanding feature vector and the flow data semantic understanding feature vector into a two-dimensional input matrix, and obtaining an information association feature vector through a convolutional neural network model which is completed through training;
arranging the security log into an input vector, and then obtaining the security log multi-scale feature vector through the trained multi-scale neighborhood feature extraction module;
performing prior-based feature engineering matching on the information-associated feature vector and the security log multi-scale feature vector to obtain a classification feature vector;
and the classification feature vector passes through a trained classifier to obtain a classification result, wherein the classification result is used for indicating whether a vulnerability exists in the network information security system to be detected.
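
The multi-scale encoding of claims 4 and 5 and the classifier steps of claims 7 and 9, as an added Python example that is not part of the patent text. Assumptions: the convolution is the standard discrete form over the F(a) and G(x-a) terms named in claim 5, the log counts, kernels and weights are constructed, and the classifier is fed the multi-scale vector directly because the fusion formula of claim 6 is not reproduced in this text.

```python
import math

def conv1d(v, kernel):
    """Valid 1-D convolution: out[x] = sum_a F(a) * V[x - a] (assumed form)."""
    n = len(kernel)
    return [sum(kernel[a] * v[x - a] for a in range(n))
            for x in range(n - 1, len(v))]

def multi_scale_features(v, kernel_1, kernel_2):
    """Claim 4: two convolution layers with different kernel lengths, cascaded."""
    if len(kernel_1) == len(kernel_2):
        raise ValueError("kernel lengths must differ")
    if len(v) < max(len(kernel_1), len(kernel_2)):
        raise ValueError("input vector is shorter than the longest kernel")
    return conv1d(v, kernel_1) + conv1d(v, kernel_2)  # cascade = concatenate

def softmax(logits):
    m = max(logits)  # subtract the maximum for numerical stability
    exps = [math.exp(z - m) for z in logits]
    total = sum(exps)
    return [e / total for e in exps]

def classify(features, weights, biases):
    """Claim 7: fully connected layer, Softmax, then compare the two probabilities."""
    logits = [sum(w * f for w, f in zip(row, features)) + b
              for row, b in zip(weights, biases)]
    p_vuln, p_none = softmax(logits)
    return p_vuln > p_none, p_vuln, p_none

def cross_entropy(p_vuln, p_none, label_is_vuln):
    """Claim 9: cross entropy between the Softmax output and the true label."""
    return -math.log(p_vuln if label_is_vuln else p_none)

# Constructed input: failed-login counts per minute taken from a security log.
SECURITY_LOG = [0, 1, 0, 9, 0, 0, 4, 4, 4, 4, 4, 0]
KERNEL_SHORT = [1, 1]           # first length: reacts to a single spike
KERNEL_LONG = [1, 1, 1, 1, 1]   # second length: reacts to a sustained run

FEATURES = multi_scale_features(SECURITY_LOG, KERNEL_SHORT, KERNEL_LONG)
# Constructed (untrained) weights: row 0 = "vulnerability", row 1 = "none".
WEIGHTS = [[0.05] * len(FEATURES), [0.0] * len(FEATURES)]
BIASES = [-5.0, 0.0]

if __name__ == "__main__":
    is_vuln, p_vuln, p_none = classify(FEATURES, WEIGHTS, BIASES)
    print(FEATURES)
    print(is_vuln, round(p_vuln, 3), round(cross_entropy(p_vuln, p_none, True), 3))
```

The short kernel's outputs peak on the one-minute spike while the long kernel's outputs peak on the five-minute run, which is the information the cascaded vector carries to the classifier.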
CN202311654281.8A 2023-12-05 2023-12-05 Network information security protection system and method Withdrawn CN117596058A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311654281.8A CN117596058A (en) 2023-12-05 2023-12-05 Network information security protection system and method


Publications (1)

Publication Number Publication Date
CN117596058A true CN117596058A (en) 2024-02-23

Family

ID=89916602

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311654281.8A Withdrawn CN117596058A (en) 2023-12-05 2023-12-05 Network information security protection system and method

Country Status (1)

Country Link
CN (1) CN117596058A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118200057A (en) * 2024-05-16 2024-06-14 江苏国信瑞科系统工程有限公司 Automatic scanning and early warning system and method for network security vulnerability information

Similar Documents

Publication Publication Date Title
CN105426356B (en) A kind of target information recognition methods and device
Neumann et al. Computation of likelihood ratios in fingerprint identification for configurations of three minutiae
US10872270B2 (en) Exploit kit detection system based on the neural network using image
CN113381962B (en) Data processing method, device and storage medium
CN117596058A (en) Network information security protection system and method
CN101930608A (en) Method and system for blindly detecting tampered image
CN116309580B (en) Oil and gas pipeline corrosion detection method based on magnetic stress
Shelke et al. Multiple forgery detection and localization technique for digital video using PCT and NBAP
CN112088378A (en) Image hidden information detector
CN116343301B (en) Personnel information intelligent verification system based on face recognition
CN112241530A (en) Malicious PDF document detection method and electronic equipment
CN112329012A (en) Detection method for malicious PDF document containing JavaScript and electronic equipment
CN117082118B (en) Network connection method based on data derivation and port prediction
CN115511890A (en) Analysis system for large-flow data of special-shaped network interface
CN116702156A (en) Information security risk evaluation system and method thereof
Gao et al. Real-time detecting one specific tampering operation in multiple operator chains
CN116912597A (en) Intellectual property intelligent management system and method thereof
CN117176433A (en) Abnormal behavior detection system and method for network data
CN117749499A (en) Malicious encryption traffic detection method and system in network information system scene
CN117743665A (en) Illegal network station identification method, illegal network station identification device, illegal network station identification equipment and storage medium
CN117057929A (en) Abnormal user behavior detection method, device, equipment and storage medium
CN115865486B (en) Network intrusion detection method and system based on multi-layer perception convolutional neural network
Zhao et al. YOLOv5-Sewer: Lightweight Sewer Defect Detection Model
CN110674497A (en) Malicious program similarity calculation method and device
CN113888760B (en) Method, device, equipment and medium for monitoring violation information based on software application

Legal Events

Date Code Title Description
PB01 Publication
WW01 Invention patent application withdrawn after publication

Application publication date: 20240223
