CN117609806A - Network security situation awareness method based on machine learning - Google Patents

Publication number
CN117609806A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311473761.4A
Other languages
Chinese (zh)
Inventor
冯涛
高先明
陶沛琳
林佳琦
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institute of Systems Engineering of PLA Academy of Military Sciences
Original Assignee
Institute of Systems Engineering of PLA Academy of Military Sciences

Classifications

    • G06F18/23 Clustering techniques
    • G06N20/10 Machine learning using kernel methods, e.g. support vector machines [SVM]
    • G06N3/006 Artificial life, i.e. computing arrangements simulating life based on simulated virtual individual or collective life forms, e.g. social simulations or particle swarm optimisation [PSO]
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate


Abstract

The invention provides a network security situation awareness method based on machine learning, and belongs to the technical field of network security situation awareness. The method comprises the following steps: step S1, acquiring network data for security situation awareness and preprocessing the network data, wherein the preprocessing comprises denoising processing and attribute association processing, so as to obtain sample data of the network data; step S2, clustering the sample data, sorting the cluster centers according to the distances between them, and dividing the sample data into positive sample data and negative sample data; and step S3, training a support vector machine model based on an artificial fish swarm algorithm using the positive sample data and the negative sample data, storing the optimal parameters, and performing security situation awareness using the support vector machine model based on the artificial fish swarm algorithm with the optimal parameters.

Description

Network security situation awareness method based on machine learning
Technical Field
The invention belongs to the technical field of network security situation awareness, and particularly relates to a network security situation awareness method based on machine learning.
Background
Analysis models commonly used in traditional network situation awareness include:
Endsley model: Endsley divides situational awareness into three levels: perception (Perception), comprehension (Comprehension) and projection (Projection). Perception refers to the system's acquisition of the state, attributes and dynamic information of the relevant elements of the network environment. Comprehension analyzes the information acquired by perception; the analysis does not treat each piece of information in isolation, but arranges and fuses the information according to its importance and degree of correlation to obtain the security situation picture, and as perception changes over time, comprehension continuously fuses new information to form a new security situation picture. Projection evaluates the current state of each element in the situation from the changes in the situation obtained through comprehension. Therefore, according to the Endsley model, situation awareness can be regarded as a cognitive process of the system on its environment: environment information is perceived, the information is comprehended to obtain the current system condition, and an analyst evaluates the environment state and then obtains new environment information, forming a cyclic process. This process is dynamic, and thus situational awareness is also dynamic.
JDL data fusion model: JDL divides the fusion process into four stages: object refinement, situation refinement, risk refinement, and process refinement. Object refinement expresses individual objects by combining location, parameters, and identity information. Situation refinement describes the relations between objects and events in the situation, such as communication influence, longitudinal and transverse relations and context rules, with the emphasis on studying the associated information. Risk refinement predicts the future from the current situation; the technical difficulty is not only to calculate the possible result, but also to convert the result into the intention, the technology, the threat level and the current situation of the intrusion. Process refinement focuses on the execution of the other processes, namely monitoring the data fusion process in real time, determining what information is needed to improve the product of the information fusion, determining the requirements on the data sources for collecting the relevant information, and allocating and directing the data sources to achieve the target task.
OODA control loop model: OODA divides the situational awareness loop into four phases: observation (Observe), orientation (Orient), decision (Decide) and action (Act). OODA establishes a ring structure, and continuous situation awareness is carried out across three layers of the network: the physical domain, the information domain and the cognitive domain. First, observation is the crossing from the physical domain to the information domain and refers to the collection of information. Orientation and decision belong to the cognitive domain, which includes collecting structured elements from the information domain, analyzing and understanding them as a whole, and outputting decision information back to the information domain. Action goes from the information domain back to the physical domain, completing the loop. OODA supplements and corrects the next cycle while completing one cycle, and this dynamic cyclic process allows situation awareness to be performed more comprehensively.
Network security situation awareness based on machine learning includes:
Markov model: the Markov model is a stochastic method for describing the transition from one state to another, the probability of which is related to various state changes. The core idea of the prediction model is to take as the next state the state to which the current state has the highest transition probability in the historical data.
Support vector machine (SVM): the SVM is widely used for classification and regression problems. It is built on structural risk minimization and modern statistical theory, and maps input space vectors to a high-dimensional feature space, i.e. it converts a nonlinear regression problem in a low-dimensional feature space into a linear regression problem in a high-dimensional feature space.
Neural network (NN): the neural network is a machine learning technology that simulates the human brain so as to realize artificial intelligence, and is typically composed of an input layer, a hidden layer and an output layer.
Network security situation awareness based on deep learning includes:
Recurrent neural network (RNN): in a traditional neural network the input layer and the output layer are mutually independent, but in network security situation prediction, future situations depend on historical situations. The RNN therefore executes the same operation on all nodes, and the output at the current moment depends on previous calculation results. The layers are fully connected, and the hidden layer nodes of consecutive time steps are also connected to each other, so the RNN can make full use of the information in a sequence of any length, which ensures the accuracy of prediction.
Long short-term memory network (LSTM): the LSTM is an improved RNN that solves the problem that the RNN cannot handle long-term dependence and effectively overcomes the earlier vanishing gradient problem. It is suitable for processing time series data and tasks with longer time delays.
Model based on distributed multi-sensor data fusion: in 2000, Bass proposed a method based on distributed multi-sensor data fusion to perform situation assessment. The model is a situation awareness model built on top of the OODA control loop model, and performs network security situation awareness based on an intrusion detection model. The model fuses low-level security event warning information, extracts high-level situation information, and makes a new data model according to the situation information for generating previously unknown knowledge. In the expression of knowledge, Bass distinguishes procedural and declarative knowledge, such as pattern, algorithm, and mathematical transform representations. However, when the system is very complex, i.e. the data flow is very large, the model cannot perform situation awareness effectively.
Network security situation assessment model based on an improved AFSA-TWSVM binary tree multi-classification model: the model is divided into three steps. (1) Calculate the feature mean of each class of samples in the network security situation awareness data set and take it as the cluster center of that class, obtaining the cluster centers Oi of the five classes. (2) Calculate, for each cluster center, the sum of its distances to the other cluster centers, sort the obtained values, put the class with the maximum sum in the first position and mark its cluster center as O1; repeat step (2) on the remaining four classes, taking the maximum after sorting and marking it as O2; and continue repeating step (2) until 5 re-ordered cluster centers are obtained. (3) Mark the samples corresponding to cluster center O1 as class +1, and the samples corresponding to cluster centers O2, O3, O4 and O5 as class -1. Train a classification model with the improved AFSA-TWSVM algorithm to obtain the classifier of the root node. Continue constructing the classifiers of the remaining child nodes of the binary tree in the same way, following the order of the Oi sequence, until all classifiers are constructed.
RBF neural network algorithm based on SA-HHGA optimization: the algorithm is divided into nine steps. (1) Determine the number L of output layer nodes and the number O of output layer nodes of the RBF neural network according to the network security situation prediction samples, set the maximum hidden layer node number L, and determine the basis function centers and expansion constants of the hidden layer nodes by K-means. (2) Encode the control genes and the parameter genes with binary encoding and real encoding respectively, and set the initial population size Q, the maximum number of generations G, the current generation Gc=1, the simulated annealing initial temperature T0=G, and the current temperature Tc=T0. (3) Construct the RBF neural network hidden layer according to the chromosome of each individual in the initial population Q, determine the output layer weights by the least squares method, and determine the RBF neural network parameters. (4) Calculate the fitness value of each individual from the situation value y output by the network, the estimated situation value y, and the number of hidden layer nodes of the current neural network. (5) Judge whether the fitness of the best individual is smaller than a threshold; if so, stop the calculation and determine the RBF network model, otherwise go to (6). (6) Judge whether the current generation has reached the maximum number of generations; if so, stop the calculation and determine the RBF network model, otherwise go to (7). (7) Perform genetic operations on the current population: select chromosomes, adjust the crossover probability and the mutation probability according to the adaptive operator, and start the crossover and mutation operations. (8) Generate an intermediate population and set the current generation Gc=Gc+1. (9) Perform simulated annealing on the intermediate population to obtain a new generation population, set Tc=T0/Tc, and go to (3).
The situation awareness hierarchy based on the Endsley cognition model is clear and intuitive, and is widely applied to situation awareness models and framework designs in various fields, but the model evaluates the current or future network security state by establishing a complete security situation picture, so the situation awareness result still lags and it is difficult to achieve prevention in advance. The JDL model is similar to the OODA model: the observation, orientation and decision phases of OODA are similar to the first three stages of the JDL model (object refinement, situation refinement and risk refinement), and although the division of these models is less clear than that of the Endsley model, they can adapt better to complex network environments.
Classification-based machine learning methods belong to supervised learning, and an important problem of supervised learning is that the training data must be tagged data. In practical applications it is difficult, sometimes even impossible, to obtain tagged network data, and in most cases the network data obtained is untagged, so how to use a small amount of tagged traffic data and a large amount of untagged traffic data for semi-supervised training is a direction for improvement.
The AFSA-TWSVM model gives good results when studying and analysing small samples, but when faced with a truly complex network space, the increase in data volume can cause difficulties for the model. For the RBF neural network algorithm based on SA-HHGA optimization, although the model can jump out of a local optimum with a certain probability to search for the global optimum, the parameters acquired by each algorithm cannot be guaranteed to be globally optimal.
In general, most network security situation awareness methods select relatively independent data obtained from the environment and fuse and arrange it with network indexes that are highly correlated with the situation, so as to obtain a network security situation picture. Before the network is seriously attacked, the picture obtained is normal; once the network has been attacked, the situation awareness result only helps decision-makers solve the problems after the attack. Such methods are therefore an after-the-fact remedial strategy and can hardly prevent or predict threats that may be coming.
Disclosure of Invention
Aiming at the technical problems, the invention provides a network security situation awareness scheme based on machine learning.
The first aspect of the invention discloses a network security situation awareness method based on machine learning.
The method comprises the following steps:
Step S1, acquiring network data for security situation awareness and preprocessing the network data, wherein the preprocessing comprises denoising processing and attribute association processing, so as to obtain sample data of the network data;
Step S2, clustering the sample data, sorting the cluster centers according to the distances between them, and dividing the sample data into positive sample data and negative sample data;
Step S3, training a support vector machine model based on an artificial fish swarm algorithm using the positive sample data and the negative sample data, storing the optimal parameters, and performing security situation awareness using the support vector machine model based on the artificial fish swarm algorithm with the optimal parameters.
According to the method of the first aspect of the invention, in said step S1: the denoising processing means removing redundant data except IP addresses, MAC addresses, asset values, peak flow, average flow, minimum flow, alarm times, alarm frequencies and event categories in the network data; the attribute association processing refers to adding a value attribute, an operation state attribute and a defense priority attribute to each piece of network data subjected to denoising processing so as to obtain the sample data.
According to the method of the first aspect of the invention, in said step S2:
Five cluster centers are obtained by clustering the sample data: security events, general network security events, larger network security events, significant network security events and particularly significant network security events, with the security level ranging from high to low;
The sum of the distances from each cluster center to the other cluster centers is calculated, the five cluster centers are sorted in descending order of this sum to obtain the sequence O1-O5, O1 is taken as the positive sample data, and O2-O5 are taken as the negative sample data.
According to the method of the first aspect of the present invention, in the step S3, training the support vector machine model based on the artificial fish swarm algorithm includes:
Setting parameters and initializing: setting the population size N, the perceived distance Visual, the maximum number of iterations Trynumber and the moving step size of the artificial fish swarm algorithm, setting the penalty coefficient C of the support vector machine, and initializing the artificial fish Xij(Cij, σij);
Using the classification accuracy of the support vector machine as the fitness value of each artificial fish Xij, calculating the food concentration values of the initial fish swarm, comparing them, and storing the maximum value and the corresponding artificial fish Xpq(Cpq, σpq);
Executing the improved artificial fish swarm algorithm on each artificial fish Xij, calculating the maximum food concentration value of the current fish swarm after the execution is finished, comparing it with the previous maximum value, and retaining the larger value and the corresponding artificial fish;
Judging whether the maximum number of iterations has been reached; if so, retaining the optimal parameters pi(C, σ) and taking pi as the input parameters of the support vector machine that separates class i from the other classes.
The second aspect of the invention discloses a network security situation awareness system based on machine learning.
The system comprises:
a first processing unit configured to: acquiring network data for security situation awareness, and preprocessing the network data, wherein the preprocessing comprises denoising processing and attribute association processing, so as to obtain sample data of the network data;
a second processing unit configured to: clustering the sample data, sequencing each clustering center according to the distance between the clustering centers, and dividing positive sample data and negative sample data;
a third processing unit configured to: train a support vector machine model based on an artificial fish swarm algorithm using the positive sample data and the negative sample data, store the optimal parameters, and perform security situation awareness using the support vector machine model based on the artificial fish swarm algorithm with the optimal parameters.
According to the system of the second aspect of the present invention, the denoising process refers to removing redundant data except for an IP address, a MAC address, an asset value, a peak flow, an average flow, a minimum flow, an alarm number, an alarm frequency and an event category in the network data; the attribute association processing refers to adding a value attribute, an operation state attribute and a defense priority attribute to each piece of network data subjected to denoising processing so as to obtain the sample data.
According to the system of the second aspect of the present invention, the second processing unit is specifically configured to:
Five cluster centers are obtained by clustering the sample data: security events, general network security events, larger network security events, significant network security events and particularly significant network security events, with the security level ranging from high to low;
The sum of the distances from each cluster center to the other cluster centers is calculated, the five cluster centers are sorted in descending order of this sum to obtain the sequence O1-O5, O1 is taken as the positive sample data, and O2-O5 are taken as the negative sample data.
According to the system of the second aspect of the invention, training the support vector machine model based on the artificial fish swarm algorithm comprises:
Setting parameters and initializing: setting the population size N, the perceived distance Visual, the maximum number of iterations Trynumber and the moving step size of the artificial fish swarm algorithm, setting the penalty coefficient C of the support vector machine, and initializing the artificial fish Xij(Cij, σij);
Using the classification accuracy of the support vector machine as the fitness value of each artificial fish Xij, calculating the food concentration values of the initial fish swarm, comparing them, and storing the maximum value and the corresponding artificial fish Xpq(Cpq, σpq);
Executing the improved artificial fish swarm algorithm on each artificial fish Xij, calculating the maximum food concentration value of the current fish swarm after the execution is finished, comparing it with the previous maximum value, and retaining the larger value and the corresponding artificial fish;
Judging whether the maximum number of iterations has been reached; if so, retaining the optimal parameters pi(C, σ) and taking pi as the input parameters of the support vector machine that separates class i from the other classes.
A third aspect of the invention discloses an electronic device. The electronic device comprises a memory and a processor, wherein the memory stores a computer program, and the processor realizes the network security situation awareness method based on machine learning according to the first aspect of the disclosure when executing the computer program.
A fourth aspect of the invention discloses a computer-readable storage medium. The computer readable storage medium stores a computer program, which when executed by a processor, implements a network security situation awareness method based on machine learning according to the first aspect of the disclosure.
In summary, in the technical scheme provided by the invention, during data preprocessing the network security situation value is quantified by collecting the basic operation, vulnerability, threat and risk indexes of the network, and operation condition indexes of each device in the network and indexes of the association between the devices and the network space are added, which solves the problem that possible attacks on the network are difficult to detect in advance.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions in the prior art, the drawings which are required in the description of the embodiments or the prior art will be briefly described, it being obvious that the drawings in the description below are some embodiments of the invention and that other drawings may be obtained from these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a machine learning based network security posture awareness method according to an embodiment of the present invention;
FIG. 2 is a flow chart of a preprocessing operation according to an embodiment of the present invention;
FIG. 3 is a flow chart of a clustering operation according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a model training process according to an embodiment of the present invention;
FIG. 5 is a block diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The elements that traditional network security situation awareness models use to describe the network security situation are mostly attributes of the network as a whole, such as the bandwidth utilization rate, the traffic and the number of alarms of the network. In general these data change greatly only after the network has been attacked, which is what drives the analysis and prediction of the situation, but by then the network has already been attacked and network management staff can only repair it. The invention adds operation indexes for each device in the network and indexes of the connection between the devices and the network, so that the possibility of a device becoming the entry point of an attack is predicted before the network is attacked. This helps network management staff update and deploy the security policies of the devices and the network in advance, so as to prevent network attacks beforehand, and even if the network is attacked, the attacked devices can be located faster and defended and repaired more effectively.
The invention relates to a network security situation awareness algorithm based on AFSA-SVM (artificial fish swarm algorithm and support vector machine). It not only uses the basic operation, vulnerability, threat and risk indexes of a network to quantify the network security situation value, but also adds operation condition indexes of the devices in the network and indexes of the association between the devices and the network space to measure the network security situation value, so as to detect or predict possible attacks in advance. This helps network management staff update and deploy security policies for the devices and the network in advance, so as to prevent network attacks beforehand, and even if the network is attacked, the attacked devices can be located more quickly and defended and repaired. The basic idea of the artificial fish swarm algorithm is as follows. Let the position of an artificial fish at a given moment be Xt, its field of view be Visual, its step length be Step, a position within its field of view be Xv, and the food concentration at a position be δ. If the food concentration at the viewed position Xv is greater than that at the position Xt, the artificial fish moves a certain distance toward Xv, within the step length Step, to reach the position Xn; otherwise it inspects other positions within its field of view, repeatedly. As the number of inspections increases, the artificial fish becomes more familiar with its surroundings, and a certain degree of randomness lets it jump out of a local optimum, so that the global optimum is reached.
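The foraging rule just described (Xt, Visual, Step, Xv, Xn), applied to searching for the parameters (C, σ) with classification accuracy as the food concentration, can be sketched as follows. This is an added example, not code from the patent: it implements only the foraging behaviour with a random move as fallback, and a regularised RBF-kernel classifier stands in for the SVM so that it runs with the standard library alone. The parameter ranges, default values, sample data and all function names are assumptions.

```python
import math
import random

# Search box for the SVM parameters (C, sigma); these ranges are assumptions.
C_RANGE, SIGMA_RANGE = (0.1, 100.0), (0.05, 5.0)

def decode(pos):
    """Map a fish position in [0, 1]^2 to (C, sigma) on a log scale."""
    (c_lo, c_hi), (s_lo, s_hi) = C_RANGE, SIGMA_RANGE
    return c_lo * (c_hi / c_lo) ** pos[0], s_lo * (s_hi / s_lo) ** pos[1]

def rbf(a, b, sigma):
    return math.exp(-math.dist(a, b) ** 2 / (2.0 * sigma ** 2))

def solve(A, y):
    """Solve A x = y by Gaussian elimination with partial pivoting."""
    n = len(y)
    M = [row[:] + [y[i]] for i, row in enumerate(A)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[p] = M[p], M[c]
        for r in range(c + 1, n):
            f = M[r][c] / M[c][c]
            for k in range(c, n + 1):
                M[r][k] -= f * M[c][k]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (M[r][n] - sum(M[r][k] * x[k] for k in range(r + 1, n))) / M[r][r]
    return x

def accuracy(pos, train, valid):
    """Food concentration of a fish: validation accuracy for its (C, sigma).

    Stand-in classifier (not an SVM): solve (K + I/C) alpha = y on the RBF
    kernel matrix K, then classify by the sign of sum(alpha_i * k(x_i, x)).
    """
    C, sigma = decode(pos)
    xs = [x for x, _ in train]
    A = [[rbf(a, b, sigma) + (1.0 / C if i == j else 0.0)
          for j, b in enumerate(xs)] for i, a in enumerate(xs)]
    alpha = solve(A, [float(t) for _, t in train])
    hits = 0
    for x, t in valid:
        score = sum(al * rbf(xi, x, sigma) for al, xi in zip(alpha, xs))
        hits += (1 if score >= 0 else -1) == t
    return hits / len(valid)

def afsa(fitness, n_fish=6, visual=0.3, step=0.15, try_number=5,
         max_iter=8, seed=7):
    """Foraging-only artificial fish swarm search over [0, 1]^2."""
    rng = random.Random(seed)

    def look(p):  # a random position Xv inside the field of view of p
        return tuple(min(1.0, max(0.0, v + visual * rng.uniform(-1, 1)))
                     for v in p)

    fish = [(rng.random(), rng.random()) for _ in range(n_fish)]
    food = [fitness(p) for p in fish]
    best_food, best = max(zip(food, fish))
    history = [best_food]
    for _ in range(max_iter):
        for i, xt in enumerate(fish):
            for _ in range(try_number):
                xv = look(xt)
                d = math.dist(xt, xv)
                if d > 0 and fitness(xv) > food[i]:
                    k = min(1.0, step / d)  # move at most Step toward Xv
                    xn = tuple(a + k * (b - a) for a, b in zip(xt, xv))
                    break
            else:
                xn = look(xt)  # nothing better seen: random move
            fish[i], food[i] = xn, fitness(xn)
            if food[i] > best_food:  # keep the best fish seen so far
                best_food, best = food[i], xn
        history.append(best_food)
    return best, best_food, history

def make_data(seed=1, n=40):
    """Constructed samples: two normalised features, +1 inside a disc."""
    rng = random.Random(seed)
    pts = [(rng.random(), rng.random()) for _ in range(n)]
    data = [(p, 1 if math.dist(p, (0.5, 0.5)) < 0.35 else -1) for p in pts]
    return data[:24], data[24:]

TRAIN, VALID = make_data()

def tune():
    """Run the search and return ((C, sigma), accuracy, best-so-far history)."""
    best, best_food, history = afsa(lambda p: accuracy(p, TRAIN, VALID))
    return decode(best), best_food, history

if __name__ == "__main__":
    (C, sigma), acc, hist = tune()
    print(f"C={C:.3g} sigma={sigma:.3g} accuracy={acc:.2f} history={hist}")
```

Because a fish may move to a position Xn that scores lower than Xt, the best position is tracked separately, which corresponds to retaining the larger food concentration value and its fish after each round.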
The invention discloses a network security situation awareness method based on machine learning.
The method comprises (as shown in fig. 1):
step S1, acquiring network data for security situation awareness, and preprocessing the network data, wherein the preprocessing comprises denoising processing and attribute association processing, so as to obtain sample data of the network data;
step S2, clustering the sample data, sorting all the clustering centers according to the distance between the clustering centers, and dividing positive sample data and negative sample data;
step S3, training a support vector machine model based on an artificial fish swarm algorithm by using the positive type sample data and the negative type sample data, storing optimal parameters, and performing security situation sensing by using the support vector machine model based on the artificial fish swarm algorithm with the optimal parameters.
According to the method of the first aspect of the invention, in said step S1: the denoising processing means removing redundant data except IP addresses, MAC addresses, asset values, peak flow, average flow, minimum flow, alarm times, alarm frequencies and event categories in the network data; the attribute association processing refers to adding a value attribute, an operation state attribute and a defense priority attribute to each piece of network data subjected to denoising processing so as to obtain the sample data.
According to the method of the first aspect of the invention, in said step S2:
five clustering centers are obtained by clustering the sample data, namely, in order of security level from high to low: safe, general network security event, larger network security event, significant network security event, and particularly significant network security event;
for each cluster center, the sum of its distances to the other cluster centers is calculated; sorting these sums in descending order gives the sequence O1-O5 of the five cluster centers, with O1 taken as the positive type sample data and O2-O5 as the negative type sample data.
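The ordering in step S2, as an added example that is not code from the patent: it averages constructed labeled samples into five cluster centers, sums each center's distances to the others, sorts in descending order to get O1-O5, and emits the positive/negative labels for each round. The sample values, the min-max scaling step and the reading of class B as every category other than Oi are assumptions.

```python
import math
from collections import defaultdict

# Constructed samples (not from the patent): (category, average flow in Mbps, alarm count).
SAMPLES = [
    ("safe", 0, 0), ("safe", 100, 0),
    ("general", 150, 4), ("general", 250, 6),
    ("larger", 350, 10), ("larger", 450, 20),
    ("significant", 550, 25), ("significant", 650, 35),
    ("particularly_significant", 900, 50), ("particularly_significant", 1000, 50),
]


def minmax_scale(rows):
    """Scale each feature column to [0, 1] (assumption: the page does not
    specify scaling) so that flow in Mbps does not swamp the alarm count."""
    cols = list(zip(*rows))
    lo = [min(c) for c in cols]
    hi = [max(c) for c in cols]
    return [tuple((v - l) / (h - l) if h > l else 0.0
                  for v, l, h in zip(row, lo, hi)) for row in rows]


def cluster_centers(labels, rows):
    """Center of each category = mean of the features of its samples."""
    groups = defaultdict(list)
    for label, row in zip(labels, rows):
        groups[label].append(row)
    return {label: tuple(sum(col) / len(col) for col in zip(*members))
            for label, members in groups.items()}


def order_centers(centers):
    """Sort categories by descending sum of distances to the other centers."""
    totals = {a: sum(math.dist(ca, cb) for b, cb in centers.items() if b != a)
              for a, ca in centers.items()}
    return sorted(totals, key=totals.get, reverse=True), totals


def one_vs_rest_rounds(labels, order):
    """Round i: samples of O_i are class A (+1), all other samples class B (-1)."""
    return [(positive, [1 if label == positive else -1 for label in labels])
            for positive in order]


def build_rounds(samples=SAMPLES):
    """Run scaling, centers, ordering and labeling on the sample set."""
    labels = [s[0] for s in samples]
    rows = minmax_scale([s[1:] for s in samples])
    order, totals = order_centers(cluster_centers(labels, rows))
    return order, totals, one_vs_rest_rounds(labels, order)


if __name__ == "__main__":
    order, totals, rounds = build_rounds()
    for i, (positive, y) in enumerate(rounds, start=1):
        print(f"O{i} = {positive:<24} distance sum = {totals[positive]:.4f}  labels = {y}")
```

With this data O1 is the particularly significant category and O2 is safe: the order follows dissimilarity between centers, not severity.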
According to the method of the first aspect of the present invention, in the step S3, training the support vector machine model based on the artificial fish swarm algorithm includes:
setting parameters and initializing: setting the population size N, the perceived distance Visual, the maximum iteration number Trynumber and the moving step size of the artificial fish swarm algorithm, setting the penalty coefficient C of the support vector machine, and initializing the artificial fish Xij(Cij, σij);
using the classification precision of the support vector machine as the fitness value of each artificial fish Xij, calculating the food concentration values of the initial fish swarm, comparing them with one another, and storing the maximum value and the corresponding artificial fish Xpq(Cpq, σpq);
executing the improved artificial fish swarm algorithm on each artificial fish Xij; after execution, calculating the maximum food concentration value of the current fish swarm, comparing it with the previous maximum, and keeping the larger value and the corresponding artificial fish;
judging whether the maximum number of iterations has been reached; if so, keeping the optimal parameters Pi(C, σ) and using Pi as the input parameters of the support vector machine that separates class i from the other classes.
Specific example 1
Compute the cluster center (o1-o5) of each category in the sample set; the samples are finally divided into five categories: safe, general network security event, larger network security event, significant network security event and particularly significant network security event. The samples come from an open-source data set. Indicators that do not relate to the network security situation are discarded, and attributes such as the device and the connection between the device and the network are added to each sample using the network topology of the data set. The cluster center of each category is obtained by averaging the features of the samples in that category.
Compute, for each cluster center, the sum of its distances to the other cluster centers, arrange the centers in descending order of this sum as O1-O5, and set the loop variable i = 1.
Select Oi as class A and mark the remaining cluster centers, those not selected as class A, as class B; these are the input samples for AFSA-SVM classification.
Initialize the parameters of the AFSA-SVM model and the artificial fish (the initial position of each fish), including the population size N, the visual field Visual, the step length Step and the number of repetitions Trynumber. In the ordinary AFSA the visual field is a fixed value. To find the global optimum more reliably in the later stage of the computation, Visual is kept essentially unchanged in the initial stage and is then reduced continuously toward a minimum value as the number of iterations increases: $V = (1-a)V_0 + aV_{min}$, $a = 1/(1+e^{-\alpha(d-\beta)})$, where $V_0$ is the initial visual field, $V_{min}$ is the minimum visual field, $a$ varies with the iteration number $d$, and $\alpha$ and $\beta$ are parameters whose settings change how quickly the visual field converges. The step length affects the convergence speed of the algorithm, so Step is set as $S = (1-a)S_0 + aS_{min}$, $a = 1/(1+e^{-\mu(d-\theta)})$. When an artificial fish finds a region of high food concentration within its visual field, Step is set directly to the distance between the fish and that region, so that the fish moves straight to the region and convergence is accelerated further.
Calculate each individual's fitness value and update the bulletin board if the individual is better than the bulletin board entry (the bulletin board is initialized with the best artificial fish of the initial swarm).
Classification finishes when the optimal solution on the bulletin board reaches the expected target. Increment the loop variable, i := i + 1. If i <= 5, return to step three (selecting Oi as class A); if i > 5, classification is complete.
Output the classification result.
Specific example 2
Data preprocessing (as shown in fig. 2): redundant attributes are removed from the acquired network data, and each device in the network is given value attributes (hardware value, software value and information value), running-state attributes (time and service integrity) and a defense priority (the position of the device is obtained from the network topology and given a weight, and the defense priority of the device is obtained by combining this with the importance of the device's sub-network within the whole network). The added attributes help obtain better cluster centers in the k-means clustering algorithm module.
k-means clustering algorithm (as shown in FIG. 3): responsible for clustering the samples. The degree of dissimilarity is measured by the distance between each cluster center and the remaining cluster centers, and the cluster centers are arranged in descending order to determine the final classification sequence, which mitigates the problem of error accumulation.
Sample preprocessing: labels and classifies the ordered samples. This module is a sub-module of the AFSA-SVM algorithm module; see item 2, training sample classification, in fig. 3.
AFSA-SVM algorithm (as shown in fig. 4): responsible for training on the five classes of samples and saving the model.
Updating the AFSA-SVM algorithm: the training samples to be added are fed into the data preprocessing module to obtain result A; result A is classified by the k-means clustering algorithm module to obtain result B; result B and the original parameters are fed into the AFSA module without re-initializing the parameters, and when training finishes the model parameters of the SVM classifier are output and stored.
Predicting the network security situation: data sample A provided by the network data provider is preprocessed to obtain prediction sample B, which is fed into each of the five SVM classifiers with parameters Pi (i = 1, 2, 3, 4, 5) to obtain a prediction result and a prediction log.
Network security situation feedback: a network security situation assessment and prediction report is sent to the network administrator periodically; in addition, when the network security situation prediction module predicts an unsafe network security event, the report and the unsafe event are sent to the network administrator immediately.
Specific example 3
In sample acquisition, the network security situation value is quantified not only from the basic operation, vulnerability, threat and risk indicators of the network, but also from operating-condition indicators for each device in the network and indicators of how the devices are associated with the network space, so that possible attacks are detected or predicted in advance. This helps network administrators update and deploy device and network security policies in advance and so prevent attacks, and, if the network is attacked anyway, locate the attacked device faster and defend and repair it more effectively.
In the ordinary artificial fish swarm algorithm, Visual and Step are fixed values. The Visual parameter affects the quality of the solution the search converges to; so that the final result is as far as possible a global optimum rather than a local optimum, an adaptive Visual is used that shrinks as the algorithm converges toward the global optimum. The Step parameter affects the convergence speed, so an adaptive Step is used to speed up convergence. Here Visual is $V = (1-a)V_0 + aV_{min}$ with $a = 1/(1+e^{-\alpha(d-\beta)})$, and Step is $S = \mathrm{rand}(0,1)\cdot((1-a)S_0 + aS_{min})$ with $a = 1/(1+e^{-\mu(d-\theta)})$. When a region of high food concentration is found within the visual field, the artificial fish moves directly to that region, which speeds up convergence.
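An added sketch (not code from the patent) of the adaptive Visual and Step schedules driving a prey-only fish swarm search over (C, σ), with the direct jump to a better position and a bulletin board. The fitness function is a constructed surrogate standing in for the SVM classification precision the page uses as fitness; the search bounds, parameter values and the random move after Trynumber failed looks are assumptions.

```python
import math
import random

# Search box for a fish X = (log10 C, log10 sigma); the bounds are assumptions.
BOUNDS = ((-2.0, 3.0), (-3.0, 1.0))


def sigmoid_weight(d, rate, midpoint):
    """a = 1 / (1 + e^(-rate * (d - midpoint))): near 0 early, near 1 late."""
    return 1.0 / (1.0 + math.exp(-rate * (d - midpoint)))


def adaptive_visual(d, v0, vmin, alpha, beta):
    """V = (1 - a) * V0 + a * Vmin."""
    a = sigmoid_weight(d, alpha, beta)
    return (1.0 - a) * v0 + a * vmin


def adaptive_step(d, s0, smin, mu, theta, rng):
    """S = rand(0, 1) * ((1 - a) * S0 + a * Smin)."""
    a = sigmoid_weight(d, mu, theta)
    return rng.random() * ((1.0 - a) * s0 + a * smin)


def surrogate_fitness(x):
    """Constructed stand-in for SVM classification precision at x.

    Global peak (about 0.95) at C = 10, sigma = 0.1 and a lower local peak,
    so the search has a local optimum to escape. Swap in the validation
    score of a real SVM when labeled data is available.
    """
    global_peak = 0.95 * math.exp(-((x[0] - 1.0) ** 2 + (x[1] + 1.0) ** 2))
    local_peak = 0.55 * math.exp(-((x[0] + 1.0) ** 2 + (x[1] - 0.5) ** 2))
    return global_peak + local_peak


def clamp(x):
    """Keep a position inside the search box."""
    return tuple(min(max(v, lo), hi) for v, (lo, hi) in zip(x, BOUNDS))


def afsa_search(fitness, n_fish=20, max_iter=50, try_number=5,
                v0=2.0, vmin=0.05, s0=0.5, smin=0.02,
                alpha=0.3, beta=25, mu=0.3, theta=25, seed=7):
    rng = random.Random(seed)
    fish = [tuple(rng.uniform(lo, hi) for lo, hi in BOUNDS) for _ in range(n_fish)]
    scores = [fitness(x) for x in fish]
    best = max(range(n_fish), key=scores.__getitem__)
    board = (scores[best], fish[best])        # bulletin board: best fish so far
    initial_best = board[0]
    for d in range(1, max_iter + 1):
        visual = adaptive_visual(d, v0, vmin, alpha, beta)
        for k in range(n_fish):
            moved = False
            for _ in range(try_number):       # look at positions Xv inside Visual
                xv = clamp(tuple(v + rng.uniform(-visual, visual) for v in fish[k]))
                fv = fitness(xv)
                if fv > scores[k]:            # Step = distance to Xv: jump there
                    fish[k], scores[k] = xv, fv
                    moved = True
                    break
            if not moved:                     # assumption: random move of length S
                step = adaptive_step(d, s0, smin, mu, theta, rng)
                angle = rng.uniform(0.0, 2.0 * math.pi)
                fish[k] = clamp((fish[k][0] + step * math.cos(angle),
                                 fish[k][1] + step * math.sin(angle)))
                scores[k] = fitness(fish[k])
            if scores[k] > board[0]:
                board = (scores[k], fish[k])
    return {"C": 10.0 ** board[1][0], "sigma": 10.0 ** board[1][1],
            "fitness": board[0], "initial_best": initial_best}


if __name__ == "__main__":
    print(afsa_search(surrogate_fitness))
```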
Specific example 4
When the network shows no large fluctuations or is not under attack, predict the hosts that an attack may reach or that may become attack targets.
Data acquisition: network-related information, such as firewall logs, network device operating conditions and network operating-state logs, is obtained from the attacked network.
Data preprocessing: the basic operation, vulnerability, threat and risk indicators of the network, the operating-condition indicators of each device in the network and the indicators of association between devices and the network space are extracted from the data, and the cluster centers of the samples are calculated.
Situation prediction: the samples are input into the algorithm model to obtain a prediction result. Because the input data additionally include the operating conditions of the devices and the association information between devices and the network, evaluating the prediction result reveals attacks the network may suffer in the future and the devices that are in a dangerous or vulnerable state. The prediction result is returned to the network administrator, helping them adjust the network security policy and repair the corresponding devices, so that incidents are prevented before they happen.
Specific example 5
When the network is attacked by DDoS, web attacks, penetration and the like, the compromised host is located or discovered quickly. The specific flow is as follows:
Data acquisition: network-related information, such as firewall logs, network device operating conditions and network operating-state logs, is obtained from the attacked network.
Data preprocessing: the basic operation, vulnerability, threat and risk indicators of the network, the operating-condition indicators of each device in the network and the indicators of association between devices and the network space are extracted from the data, and the cluster centers of the samples are calculated.
Situation assessment: the samples are input into the algorithm model to obtain an evaluation result. Because the input data additionally include the operating conditions of the devices and the association information between devices and the network, evaluating the result reveals the devices that may have been intruded upon. The evaluation result is returned to the network administrator of the attacked network, helping them handle the intrusion quickly and keep losses to a minimum.
The second aspect of the invention discloses a network security situation awareness system based on machine learning. The system comprises:
a first processing unit configured to: acquiring network data for security situation awareness, and preprocessing the network data, wherein the preprocessing comprises denoising processing and attribute association processing, so as to obtain sample data of the network data;
a second processing unit configured to: clustering the sample data, sequencing each clustering center according to the distance between the clustering centers, and dividing positive sample data and negative sample data;
a third processing unit configured to: training a support vector machine model based on an artificial fish swarm algorithm by using the positive type sample data and the negative type sample data, storing optimal parameters, and performing security situation sensing by using the support vector machine model based on the artificial fish swarm algorithm with the optimal parameters.
According to the system of the second aspect of the present invention, the denoising process refers to removing redundant data except for an IP address, a MAC address, an asset value, a peak flow, an average flow, a minimum flow, an alarm number, an alarm frequency and an event category in the network data; the attribute association processing refers to adding a value attribute, an operation state attribute and a defense priority attribute to each piece of network data subjected to denoising processing so as to obtain the sample data.
According to the system of the second aspect of the present invention, the second processing unit is specifically configured to:
five clustering centers are obtained by clustering the sample data, namely, in order of security level from high to low: safe, general network security event, larger network security event, significant network security event, and particularly significant network security event;
for each cluster center, the sum of its distances to the other cluster centers is calculated; sorting these sums in descending order gives the sequence O1-O5 of the five cluster centers, with O1 taken as the positive type sample data and O2-O5 as the negative type sample data.
According to the system of the second aspect of the invention, training the support vector machine model based on the artificial fish swarm algorithm comprises:
setting parameters and initializing: setting the population size N, the perceived distance Visual, the maximum iteration number Trynumber and the moving step size of the artificial fish swarm algorithm, setting the penalty coefficient C of the support vector machine, and initializing the artificial fish Xij(Cij, σij);
using the classification precision of the support vector machine as the fitness value of each artificial fish Xij, calculating the food concentration values of the initial fish swarm, comparing them with one another, and storing the maximum value and the corresponding artificial fish Xpq(Cpq, σpq);
executing the improved artificial fish swarm algorithm on each artificial fish Xij; after execution, calculating the maximum food concentration value of the current fish swarm, comparing it with the previous maximum, and keeping the larger value and the corresponding artificial fish;
judging whether the maximum number of iterations has been reached; if so, keeping the optimal parameters Pi(C, σ) and using Pi as the input parameters of the support vector machine that separates class i from the other classes.
Specific example 6
Network security situation awareness system:
Data extraction: firewall logs, intrusion detection logs, network security logs, network operating-state logs, host vulnerability information, network traffic information, the operating conditions of devices in the network space and other information are monitored and collected at the network entrance in real time.
Data preprocessing: big data technology is used to analyze and process the multi-source information, which includes network security logs, intrusion monitoring logs, network operating-state logs, host vulnerability information, network traffic information and other security-related information. This massive data is redundant, complex and sometimes erroneous, so it cannot be used directly as the information source of the network security situation awareness algorithm and must first be processed. Big data technology provides the technical support for deep processing of high-speed network traffic, so the multi-source information is processed on the basic platform and large-volume processing support that big data provides.
Data fusion: big data technology and machine learning are used for association and fusion analysis of the data. The basic operation, vulnerability, threat and risk indicators of the network space, the basic operation indicators of network-space devices, and the information on connections between devices and between devices and the space are extracted from the data after big data processing. These data samples contain many redundancies and correlations, and the system uses fusion to make the multiple data sources complement one another so that the security situation is generated more accurately.
Situation assessment and prediction: the fused data are used as training samples for a machine learning model; a model with high accuracy and usability is obtained and stored, and is then used to predict the unlabeled data provided by the network data provider. The evaluation result is returned to the network administrator to help them make decisions.
Model iteration and updating: the network data provider continuously provides labeled data, and the trained model is iterated and updated according to the age of the data and the weight the data carry in the situation model, which keeps the trained model accurate.
A third aspect of the invention discloses an electronic device. The electronic device comprises a memory and a processor, wherein the memory stores a computer program, and the processor realizes the network security situation awareness method based on machine learning according to the first aspect of the disclosure when executing the computer program.
Fig. 5 is a block diagram of an electronic device according to an embodiment of the present invention, and as shown in fig. 5, the electronic device includes a processor, a memory, a communication interface, a display screen, and an input device connected through a system bus. Wherein the processor of the electronic device is configured to provide computing and control capabilities. The memory of the electronic device includes a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The communication interface of the electronic device is used for conducting wired or wireless communication with an external terminal, and the wireless communication can be achieved through WIFI, an operator network, near Field Communication (NFC) or other technologies. The display screen of the electronic equipment can be a liquid crystal display screen or an electronic ink display screen, and the input device of the electronic equipment can be a touch layer covered on the display screen, can also be keys, a track ball or a touch pad arranged on the shell of the electronic equipment, and can also be an external keyboard, a touch pad or a mouse and the like.
Those skilled in the art will appreciate that the structure shown in fig. 5 is merely a structural diagram of a portion related to the technical solution of the present disclosure, and does not constitute a limitation of the electronic device to which the present application is applied, and that a specific electronic device may include more or less components than those shown in the drawings, or may combine some components, or have different component arrangements.
A fourth aspect of the invention discloses a computer-readable storage medium. The computer readable storage medium stores a computer program, which when executed by a processor, implements a network security situation awareness method based on machine learning according to the first aspect of the disclosure.
In summary, in the technical scheme provided by the invention, data preprocessing collects the basic operation, vulnerability, threat and risk indicators of the network to quantify the network security situation value, and adds the operating-condition indicators of each device in the network and the indicators of association between devices and the network space, which addresses the difficulty of detecting possible attacks in the network in advance.
The system provided by the invention first starts the data preprocessing module, the k-means clustering algorithm module, the sample preprocessing module and the AFSA-SVM algorithm module to train a model. The data provided by the network data provider are then preprocessed, the network security situation prediction module is started to predict and label the data, and an assessment and prediction report and an assessment and prediction log are output. If a network security event classified as unsafe (general, larger, significant or particularly significant) is found, the assessment and prediction report and the related events are reported to the network administrator immediately. When the system obtains labeled data from the network administrator or the network data provider, it starts the algorithm update module and iteratively updates the model, so that the model has no lag or only a limited lag and the prediction accuracy of the system is higher. During data preprocessing the system adds the operating condition of each device in the network space and the connections between devices and the network, which makes the measurement of the network security situation value more comprehensive. The system can therefore predict possible attacks from changes in network end devices and in the network space where the devices are located, instead of discovering the intrusion only after an attacker has invaded a network device and the attack has paralyzed the network.
Note that the technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be regarded as the scope of the description. The above examples merely represent a few embodiments of the present application, which are described in more detail and are not to be construed as limiting the scope of the invention. It should be noted that it would be apparent to those skilled in the art that various modifications and improvements could be made without departing from the spirit of the present application, which would be within the scope of the present application. Accordingly, the scope of protection of the present application is to be determined by the claims appended hereto.

Claims (10)

1. A machine learning-based network security situation awareness method, the method comprising:
step S1, acquiring network data for security situation awareness, and preprocessing the network data, wherein the preprocessing comprises denoising processing and attribute association processing, so as to obtain sample data of the network data;
step S2, clustering the sample data, sorting all the clustering centers according to the distance between the clustering centers, and dividing positive sample data and negative sample data;
step S3, training a support vector machine model based on an artificial fish swarm algorithm by using the positive type sample data and the negative type sample data, storing optimal parameters, and performing security situation sensing by using the support vector machine model based on the artificial fish swarm algorithm with the optimal parameters.
2. The machine learning based network security posture awareness method of claim 1, wherein in said step S1: the denoising processing means removing redundant data except IP addresses, MAC addresses, asset values, peak flow, average flow, minimum flow, alarm times, alarm frequencies and event categories in the network data; the attribute association processing refers to adding a value attribute, an operation state attribute and a defense priority attribute to each piece of network data subjected to denoising processing so as to obtain the sample data.
3. The machine learning based network security posture awareness method of claim 2, wherein in said step S2:
five clustering centers are obtained by clustering the sample data, namely, in order of security level from high to low: safe, general network security event, larger network security event, significant network security event, and particularly significant network security event;
for each cluster center, the sum of its distances to the other cluster centers is calculated; sorting these sums in descending order gives the sequence O1-O5 of the five cluster centers, with O1 taken as the positive type sample data and O2-O5 as the negative type sample data.
4. The machine learning based network security posture awareness method of claim 1, wherein in the step S3, training the support vector machine model based on the artificial fish swarm algorithm comprises:
setting parameters and initializing: setting the population size N, the perceived distance Visual, the maximum iteration number Trynumber and the moving step size of the artificial fish swarm algorithm, setting the penalty coefficient C of the support vector machine, and initializing the artificial fish Xij(Cij, σij);
using the classification precision of the support vector machine as the fitness value of each artificial fish Xij, calculating the food concentration values of the initial fish swarm, comparing them with one another, and storing the maximum value and the corresponding artificial fish Xpq(Cpq, σpq);
executing the improved artificial fish swarm algorithm on each artificial fish Xij; after execution, calculating the maximum food concentration value of the current fish swarm, comparing it with the previous maximum, and keeping the larger value and the corresponding artificial fish;
judging whether the maximum number of iterations has been reached; if so, keeping the optimal parameters Pi(C, σ) and using Pi as the input parameters of the support vector machine that separates class i from the other classes.
5. A machine learning-based network security posture awareness system, the system comprising:
a first processing unit configured to: acquiring network data for security situation awareness, and preprocessing the network data, wherein the preprocessing comprises denoising processing and attribute association processing, so as to obtain sample data of the network data;
a second processing unit configured to: clustering the sample data, sequencing each clustering center according to the distance between the clustering centers, and dividing positive sample data and negative sample data;
a third processing unit configured to: training a support vector machine model based on an artificial fish swarm algorithm by using the positive type sample data and the negative type sample data, storing optimal parameters, and performing security situation sensing by using the support vector machine model based on the artificial fish swarm algorithm with the optimal parameters.
6. The machine learning based network security posture awareness system of claim 5, wherein said denoising means removes redundant data in said network data except IP address, MAC address, asset value, peak flow, average flow, minimum flow, alarm times, alarm frequency and event category; the attribute association processing refers to adding a value attribute, an operation state attribute and a defense priority attribute to each piece of network data subjected to denoising processing so as to obtain the sample data.
7. The machine learning based network security posture awareness system of claim 6, wherein the second processing unit is specifically configured to:
five clustering centers are obtained by clustering the sample data, namely, in order of security level from high to low: safe, general network security event, larger network security event, significant network security event, and particularly significant network security event;
for each cluster center, the sum of its distances to the other cluster centers is calculated; sorting these sums in descending order gives the sequence O1-O5 of the five cluster centers, with O1 taken as the positive type sample data and O2-O5 as the negative type sample data.
8. The machine learning based network security posture awareness system of claim 7, wherein training the artificial fish swarm algorithm based support vector machine model comprises:
setting parameters and initializing: setting the population size N, the perceived distance Visual, the maximum iteration number Trynumber and the moving step size of the artificial fish swarm algorithm, setting the penalty coefficient C of the support vector machine, and initializing the artificial fish Xij(Cij, σij);
using the classification precision of the support vector machine as the fitness value of each artificial fish Xij, calculating the food concentration values of the initial fish swarm, comparing them with one another, and storing the maximum value and the corresponding artificial fish Xpq(Cpq, σpq);
executing the improved artificial fish swarm algorithm on each artificial fish Xij; after execution, calculating the maximum food concentration value of the current fish swarm, comparing it with the previous maximum, and keeping the larger value and the corresponding artificial fish;
judging whether the maximum number of iterations has been reached; if so, keeping the optimal parameters Pi(C, σ) and using Pi as the input parameters of the support vector machine that separates class i from the other classes.
9. An electronic device comprising a memory and a processor, the memory storing a computer program, wherein the processor implements the machine learning based network security situation awareness method according to any one of claims 1-4 when executing the computer program.
10. A computer readable storage medium, wherein a computer program is stored on the computer readable storage medium, and when executed by a processor, the computer program implements the machine learning based network security situation awareness method according to any one of claims 1-4.
CN202311473761.4A 2023-11-07 2023-11-07 Network security situation awareness method based on machine learning Pending CN117609806A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311473761.4A CN117609806A (en) 2023-11-07 2023-11-07 Network security situation awareness method based on machine learning

Publications (1)

Publication Number Publication Date
CN117609806A (en) 2024-02-27

Family

ID=89955239

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination