CN117811846B - Network security detection method, system, equipment and medium based on distributed system - Google Patents

Network security detection method, system, equipment and medium based on distributed system Download PDF

Info

Publication number
CN117811846B
CN117811846B CN202410230120.4A CN202410230120A CN117811846B CN 117811846 B CN117811846 B CN 117811846B CN 202410230120 A CN202410230120 A CN 202410230120A CN 117811846 B CN117811846 B CN 117811846B
Authority
CN
China
Prior art keywords
security detection
network security
depth
model
detection model
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202410230120.4A
Other languages
Chinese (zh)
Other versions
CN117811846A (en
Inventor
李仁刚
范宝余
赵雅倩
王立
张润泽
赵坤
郭振华
鲁璐
曹芳
贺蒙
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Inspur Electronic Information Industry Co Ltd
Original Assignee
Inspur Electronic Information Industry Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Inspur Electronic Information Industry Co Ltd filed Critical Inspur Electronic Information Industry Co Ltd
Priority to CN202410230120.4A priority Critical patent/CN117811846B/en
Publication of CN117811846A publication Critical patent/CN117811846A/en
Application granted granted Critical
Publication of CN117811846B publication Critical patent/CN117811846B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/04Architecture, e.g. interconnection topology
    • G06N3/045Combinations of networks
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/08Learning methods
    • G06N3/098Distributed learning, e.g. federated learning
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14Network analysis or design
    • H04L41/142Network analysis or design using statistical or mathematical methods
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Mathematical Physics (AREA)
  • General Physics & Mathematics (AREA)
  • Computational Linguistics (AREA)
  • Artificial Intelligence (AREA)
  • General Health & Medical Sciences (AREA)
  • Evolutionary Computation (AREA)
  • Data Mining & Analysis (AREA)
  • Biophysics (AREA)
  • Software Systems (AREA)
  • Biomedical Technology (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Molecular Biology (AREA)
  • Pure & Applied Mathematics (AREA)
  • Probability & Statistics with Applications (AREA)
  • Mathematical Optimization (AREA)
  • Mathematical Analysis (AREA)
  • Algebra (AREA)
  • Image Analysis (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a network security detection method, a system, equipment and a medium based on a distributed system, which relate to the field of network security and aim to solve the problem that an edge computing device cannot exert optimal performance by adopting a local network security detection model with a fixed size; after the test safety data set is input into the initial network safety detection model, the neural network depth of the initial network safety detection model is adjusted according to the output values corresponding to the two output network blocks to obtain a local network safety detection model; when the parameter updating condition is met, updating the local network security detection model by using the model parameters of the local network security detection model and the model parameters of the associated computing equipment; and carrying out local network security detection through the updated local network security detection model. The invention can enable the edge computing equipment to exert the optimal local network security detection performance, and reduces the communication overhead and the bandwidth requirement.

Description

Network security detection method, system, equipment and medium based on distributed system
Technical Field
The present invention relates to the field of network security, and in particular, to a network security detection method, system, device, and medium based on a distributed system.
Background
In the field of network security, in order to improve the detection capability of threats such as malicious software, network attack, data leakage and the like, local network security model training can be performed cooperatively by a plurality of edge computing devices and edge cloud servers in a distributed system, and network security detection can be performed through the trained local network security model. Currently, each edge computing device is usually trained by using a model with a fixed size, and different edge computing devices may have different data amounts and requirements, such as edge computing devices with less data, small models are required, some edge computing devices with more data, large models are required, and models with a uniform size cannot meet the requirements of all devices, so that some edge computing devices encounter performance bottlenecks when using models with too large or too small models, and cannot exert optimal network security detection performance.
Therefore, how to provide a solution to the above technical problem is a problem that a person skilled in the art needs to solve at present.
Disclosure of Invention
The invention aims to provide a network security detection method, a system, equipment and a medium based on a distributed system, which can enable edge computing equipment to exert optimal local network security detection performance and reduce communication overhead and bandwidth requirements.
In order to solve the technical problem, the present invention provides a network security detection method based on a distributed system, which is applied to each edge computing device in the distributed system, wherein each edge computing device in the distributed system is divided into a plurality of data like-nature clusters according to similarity, and the network security detection method comprises:
Training an initial network security detection model based on local security data, wherein the network of the initial network security detection model comprises a plurality of neural network blocks which are sequentially connected, and the plurality of neural network blocks correspond to different neural network depths;
Selecting two output network blocks from the plurality of neural network blocks, inputting a test safety data set into the initial network safety detection model, and adjusting the neural network depth of the initial network safety detection model according to output values corresponding to the two output network blocks to obtain a local network safety detection model;
When the parameter updating condition is met, updating the local network security detection model by using the model parameters of the local network security detection model and the model parameters of the associated computing equipment; the associated computing device is an edge computing device which is in the same data homopolarity cluster with the associated computing device and is connected with the associated computing device;
and carrying out local network security detection through the updated local network security detection model.
The process of adjusting the neural network depth of the initial network security detection model to obtain the local network security detection model according to the output values corresponding to the two output network blocks comprises the following steps:
acquiring a first output value corresponding to a first output network block and a second output value corresponding to a second output network block, wherein the neural network depth of the first output network block is smaller than that of the second output network block;
Determining a depth adjustment strategy based on the first output value and the second output value;
and adjusting the neural network depth of the initial network security detection model according to the depth adjustment strategy to obtain a local network security detection model.
Wherein determining a depth adjustment strategy based on the first output value and the second output value comprises:
determining an absolute value of a difference between the first output value and the second output value;
Determining a depth adjustment direction based on a magnitude relation of the first output value and the second output value; the depth adjustment direction is depth backspacing or depth deepening;
determining an adjustment condition which is met by the performance gap between the shallow network model and the deep network model based on the magnitude relation between the absolute value and the preset value; the shallow network model is obtained based on a first output network block, the deep network model is obtained based on a second output network block, and the adjustment condition is an instant adjustment condition or a stepping adjustment condition;
and determining a depth adjustment strategy based on the depth adjustment direction and the adjustment condition satisfied by the performance gap.
Wherein determining the depth adjustment direction based on the magnitude relation of the first output value and the second output value comprises:
when the first output value is larger than the second output value, the depth adjustment direction is the depth rollback;
And when the first output value is smaller than the second output value, the depth adjusting direction deepens the depth.
The process of determining the adjustment condition satisfied by the performance gap between the shallow network model and the deep network model based on the magnitude relation between the absolute value and the preset value comprises the following steps:
When the absolute value is smaller than the preset value, determining that the performance gap between the shallow network model and the deep network model meets the step adjustment condition;
And when the absolute value is larger than or equal to the preset value, determining that the performance gap between the shallow network model and the deep network model meets the instant adjustment condition.
Wherein determining a depth adjustment strategy based on the adjustment conditions satisfied by the depth adjustment direction and the performance gap comprises:
when the depth adjustment direction is the depth rollback and the performance gap meets the instant adjustment condition, determining the depth adjustment strategy as a depth rollback instant adjustment strategy;
the process of adjusting the neural network depth of the initial network security detection model according to the depth adjustment strategy to obtain the local network security detection model comprises the following steps:
When the depth adjustment strategy is the depth rollback instant adjustment strategy, calculating the rollback depth by using a first relation corresponding to the depth rollback instant adjustment strategy;
adjusting the neural network depth of the initial network security detection model according to the rollback depth to obtain a local network security detection model;
The first relation is f 1(k)=η×ek,f1 (k) which is the back-off depth, eta is the super parameter, and k is the absolute value.
Wherein determining a depth adjustment strategy based on the adjustment conditions satisfied by the depth adjustment direction and the performance gap comprises:
When the depth adjustment direction is the depth rollback and the performance gap meets the step adjustment condition, determining that the depth adjustment strategy is a depth rollback step adjustment strategy, and writing the step rollback serving as a current record into a preset storage space;
the process of adjusting the neural network depth of the initial network security detection model according to the depth adjustment strategy to obtain the local network security detection model comprises the following steps:
And when the depth adjustment strategy is the depth rollback stepping adjustment strategy, acquiring a continuous preset number of records including the current record in the preset storage space, and if the continuous preset number of records including the current record are all the stepping rollback, backing the neural network depth of the initial network security detection model by one layer to obtain a local network security detection model.
Wherein determining a depth adjustment strategy based on the adjustment conditions satisfied by the depth adjustment direction and the performance gap comprises:
when the depth adjustment direction is the depth deepening and the performance gap meets the instant adjustment condition, determining the depth adjustment strategy as a depth deepening instant adjustment strategy;
the process of adjusting the neural network depth of the initial network security detection model according to the depth adjustment strategy to obtain the local network security detection model comprises the following steps:
when the depth adjustment strategy is the depth deepening instant adjustment strategy, calculating the deepening depth by using a second relation corresponding to the depth deepening instant adjustment strategy;
adjusting the neural network depth of the initial network security detection model according to the deepened depth to obtain a local network security detection model;
The second relation is f 2(k)=η×ek,f2 (k) which is the deepening depth, eta is the super parameter, and k is the absolute value.
Wherein determining a depth adjustment strategy based on the adjustment conditions satisfied by the depth adjustment direction and the performance gap comprises:
When the depth adjustment direction is the depth deepening and the performance gap meets the step adjustment condition, determining the depth adjustment strategy as a depth deepening step adjustment strategy, and writing the step deepening serving as a current record into a preset storage space;
the process of adjusting the neural network depth of the initial network security detection model according to the depth adjustment strategy to obtain the local network security detection model comprises the following steps:
And when the depth adjustment strategy is the depth deepening step adjustment strategy, acquiring continuous preset number of records including the current record in the preset storage space, and deepening the neural network depth of the initial network security detection model by one layer if the continuous preset number of records including the current record are the step deepening, so as to obtain a local network security detection model.
Wherein the process of selecting two output network blocks among the plurality of neural network blocks includes:
Two adjacent neural network blocks are selected from the plurality of the neural network blocks as output network blocks.
Wherein updating the local network security detection model using the model parameters of the local network security detection model and the model parameters of the associated computing device comprises:
Obtaining model parameters of the local network security detection model, and sending the model parameters of the local network security detection model to each associated computing device;
receiving model parameters sent by each associated computing device;
Calculating a neighborhood average value of the model parameters of the local network security detection model and the model parameters sent by each associated calculation device;
and updating the local network security detection model based on the neighborhood average value.
The process of obtaining the model parameters of the local network security detection model and sending the model parameters of the local network security detection model to each associated computing device comprises the following steps:
And obtaining model parameters of standard depth of the local network security detection model, and sending the model parameters of the standard depth to each associated computing device.
After receiving the model parameters sent by each associated computing device, the network security detection method further comprises the following steps:
Judging whether the neural network depth corresponding to the model parameters sent by the associated computing equipment is larger than the neural network depth of the local network security detection model or not according to the model parameters sent by each associated computing equipment, if so, determining the model parameters which are the same as the neural network depth of the local network security detection model in the model parameters sent by the associated computing equipment as target model parameters, and if not, determining the model parameters sent by the associated computing equipment as target model parameters;
The process of calculating the neighborhood average value for the model parameters of the local network security detection model and the model parameters sent by each associated calculation device comprises the following steps:
And calculating a neighborhood average value for the model parameters of the local network security detection model and each target model parameter.
Wherein after updating the local network security detection model with the model parameters of the local network security detection model and the model parameters of the associated computing device, the network security detection method further comprises:
When the cluster aggregation condition is met and the cluster aggregation condition is not the cluster head equipment, the model parameters of the local network security detection model are sent to the cluster head equipment of the data like clusters where the local network security detection model is located, so that the cluster head equipment obtains global model parameters in the cluster according to the model parameters of all edge computing equipment in the data like clusters where the local network security detection model is located;
and when the global model parameters in the cluster are acquired, updating the local network security detection model by utilizing the global model parameters in the cluster so as to carry out local network security detection through the updated local network security detection model.
The process of obtaining global model parameters in clusters according to the model parameters of all edge computing devices in the data homography clusters comprises the following steps:
Calculating global model parameters in the cluster by using a third relational expression, wherein the third relational expression is
Wherein alpha is a super parameter,Intra-cluster global model parameters of the t-th round stored for the cluster head device of the c-th data-like cluster,Global model parameters in the t+1st round for the c-th data-like cluster, c being the sequence number of the data-like cluster,Model parameters of the j-th associated computing device in the device set N i of the data identity clusters after the first update of the t-th round are N i, the i is a device set of the associated computing devices with a connection relation with the i-th edge computing device in the data identity clusters, the i is a serial number of the edge computing device in the data identity clusters, the j is a serial number of the associated computing device in the device set, and the I N i I is the total number of the edge computing devices in the data identity clusters.
Wherein, when the intra-cluster global model parameter is obtained, after the local network security detection model is updated by using the intra-cluster global model parameter, the network security detection method further comprises:
when a global condition is met and the cluster head equipment is the cluster head equipment, the intra-cluster global model parameters are sent to an edge cloud server in the distributed system, so that the edge cloud server obtains a global model based on intra-cluster global model parameters sent by all the cluster head equipment of the data-like clusters in the distributed system;
and after receiving the global model, updating the model parameters of the local network security detection model based on the model parameters of the global model so as to carry out local network security detection through the updated local network security detection model.
The process of obtaining the global model based on the intra-cluster global model parameters sent by the cluster head devices of all the data-like clusters in the distributed system comprises the following steps:
Calculating a global model by using a fourth relation; the fourth relation is
Wherein C is the number of the cluster head devices,For the global model of the t+1st round,Model parameters for the c-th data-like cluster at the t+1st round with respect to the data sample loss function L, c being the sequence number of the data-like cluster.
Before the initial network security detection model is trained based on the local security data, the network security detection method further comprises the following steps:
And receiving connection relations of the data homography clusters divided by the edge cloud server based on the similarity and all edge computing devices in the data homography clusters, so as to determine corresponding associated computing devices based on the data homography clusters and the connection relations.
The process of dividing the data homography clusters by the edge cloud server in the distributed system based on the similarity comprises the following steps:
an edge cloud server in the distributed system acquires test results obtained by each edge computing device in the distributed system based on the test safety data set;
constructing weighted undirected graphs among all the edge computing devices according to the similarity of the test results of all the edge computing devices;
And dividing all the edge computing devices by using the weighted undirected graph to obtain a plurality of data homography clusters.
In order to solve the above technical problem, the present invention further provides a network security detection system based on a distributed system, which is applied to each edge computing device in the distributed system, where each edge computing device in the distributed system is divided into a plurality of data homography clusters according to similarity, and the network security detection system includes:
The training module is used for training an initial network security detection model based on local security data, wherein the network of the initial network security detection model comprises a plurality of neural network blocks which are sequentially connected, and the plurality of neural network blocks correspond to different neural network depths;
The selection module is used for selecting two output network blocks from the plurality of the neural network blocks, inputting a test safety data set into the initial network safety detection model, and adjusting the neural network depth of the initial network safety detection model according to output values corresponding to the two output network blocks to obtain a local network safety detection model;
The updating module is used for updating the local network security detection model by using the model parameters of the local network security detection model and the model parameters of the associated computing equipment when the parameter updating conditions are met; the associated computing device is an edge computing device which is in the same data homopolarity cluster with the associated computing device and is connected with the associated computing device;
and the detection module is used for carrying out local network security detection through the updated local network security detection model.
In order to solve the above technical problem, the present invention further provides an edge computing device, including:
a memory for storing a computer program;
A processor for implementing the steps of the distributed system based network security detection method as claimed in any one of the preceding claims when executing the computer program.
In order to solve the above technical problem, the present invention further provides a distributed system, including:
a plurality of edge computing devices as described above;
And the edge cloud server is used for outputting a test data set and clustering results to each edge computing device, wherein the clustering results comprise data homography clusters where the edge computing devices are located and associated computing devices connected with the edge computing devices.
To solve the above technical problem, the present invention further provides a computer readable storage medium, where a computer program is stored, where the computer program, when executed by a processor, implements the steps of the network security detection method based on a distributed system as described in any one of the above.
The invention provides a network security detection method based on a distributed system, wherein the neural network depth of a local network security detection model of each edge computing device in the distributed system can be dynamically adjusted so as to better adapt to the requirements of diversified tasks, so that the edge computing device can exert optimal local network security detection performance, and meanwhile, the edge computing device can update model parameters in a data homography cluster without uploading model parameters to an edge cloud server during each communication, thereby reducing communication overhead and bandwidth requirements. The invention also provides a network security detection system based on the distributed system, edge computing equipment, the distributed system and a computer readable storage medium, and the network security detection system based on the distributed system has the same beneficial effects as the network security detection method based on the distributed system.
Drawings
For a clearer description of embodiments of the present invention, the drawings that are required to be used in the embodiments will be briefly described, it being apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to the drawings without inventive effort for those skilled in the art.
FIG. 1 is a flow chart of steps of a network security detection method based on a distributed system according to the present invention;
FIG. 2 is a schematic diagram of a heterogeneous distributed system according to the present invention;
FIG. 3 is a schematic diagram of a neural network model according to the present invention;
FIG. 4 is a schematic diagram of a weighted undirected graph according to the present invention;
FIG. 5 is a schematic view of a cluster according to the present invention;
fig. 6 is a schematic structural diagram of a network security detection system based on a distributed system according to the present invention;
FIG. 7 is a schematic diagram of an edge computing device according to the present invention;
FIG. 8 is a schematic diagram of a distributed system according to the present invention;
fig. 9 is a schematic structural diagram of a computer readable storage medium according to the present invention.
Detailed Description
The core of the invention is to provide a network security detection method, a system, equipment and a medium based on a distributed system, which can enable edge computing equipment to exert optimal local network security detection performance and reduce communication overhead and bandwidth requirements.
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Referring to fig. 1, fig. 1 is a flowchart illustrating steps of a network security detection method based on a distributed system, where the network security detection method is applied to each edge computing device in the distributed system, each edge computing device in the distributed system is divided into a plurality of data like clusters according to similarity, fig. 2 is a schematic structural diagram of the distributed system, which includes an edge cloud server and a plurality of edge computing devices, any two edge computing devices may have data interaction or may not have data interaction, each edge computing device interacts with the edge server, and the network security detection method is described below by taking one edge computing device as an example, where the network security detection method includes:
s101: training an initial network security detection model based on local security data, wherein the network of the initial network security detection model comprises a plurality of neural network blocks which are sequentially connected, and the plurality of neural network blocks correspond to different neural network depths;
In this embodiment, the edge computing device performs model training by using local security data to obtain an initial network security detection model, where the initial network security detection model is formed by stacking a plurality of Block modules (neural network blocks) with a fixed layer structure, each neural network Block includes a convolution layer, a batch normalization layer, a pooling layer and an activation function, and connection of each neural network Block should satisfy consistency of an overall network structure, so as to ensure that each neural network Block of the network can cooperatively work, effectively process input data, and enable gradients to correctly propagate and update parameters. In this embodiment, block numbers are allocated to each neural network Block, as shown in fig. 3, B1, B2, …, and BT are sequentially set from a shallow layer to a deep layer, an initial state of a local network security detection model of each edge computing device is defined as a neural network Block connected by numbers B1, B2, …, and BT, an output layer of each neural network Block is connected to a model depth switching controller, specifically, the model depth switching controller may be connected to any 2 neural network blocks with different neural network depths, the model depth switching controller is connected to an output layer module, the output layer module includes a plurality of full connection layers and an activation function layer, and converts a backbone network feature into an output probability, and in this embodiment, the output layer module includes two branched output layers, which are respectively connected to the model depth switching controller. At initial training, the model depth switch controller is connected to a shallower neighboring layer 2 neural network block, the depth value being determined by the initialization parameter h, which may be set to 5 as an alternative embodiment.
S102: selecting two output network blocks from the multiple neural network blocks, inputting the test safety data set into an initial network safety detection model, and adjusting the neural network depth of the initial network safety detection model according to output values corresponding to the two output network blocks to obtain a local network safety detection model;
In order to obtain a more accurate neural network depth, in this embodiment, after a model training period is fixed, a local network security detection model is tested based on a test data set, where the test data set is issued by an edge cloud server, and each edge computing device tests an initial network security detection model based on the same test data set. In this embodiment, the test may be performed after the local network security detection model is trained C times, where C is a super parameter.
Firstly, selecting two output network blocks from a plurality of neural network blocks, connecting an output layer of a first output network block with a first access end of a model depth switching controller, connecting an output layer of a second output network module with a second access end of the model depth switching controller, connecting an output layer of a first branch of the output layer module with a first output end of the model depth switching controller, connecting an output layer of a second branch of the output layer module with a second output end of the model depth switching controller, inputting a test data set into an initial network security detection model, acquiring test results of all test samples, outputting the test results at the output layer module, wherein an output value of the output layer of the first branch in the output layer module is a test result of the first output network block, and an output value of the output layer of the second branch in the output layer module is a test result of the second output network block. For the classification task, the classification task results of all the test samples are obtained and judged, and the average value of the accuracy is obtained.
The output layer module sends output results of the test data sets corresponding to the two branches of different neural network depths into a decision maker, the decision maker judges whether to change the neural network depth of the initial network security detection model, if so, the current neural network depth of the initial network security detection model is subjected to rollback adjustment or deepening adjustment according to the corresponding adjustment strategy to obtain a local network security detection model, so that the edge computing equipment can play an optimal network security detection performance.
S103: when the parameter updating condition is met, updating the local network security detection model by using the model parameters of the local network security detection model and the model parameters of the associated computing equipment; the associated computing device is an edge computing device which is in the same data homography cluster with the associated computing device and is connected with the associated computing device;
s104: and carrying out local network security detection through the updated local network security detection model.
It can be appreciated that, in the existing federal learning scheme, all edge computing devices need to send the local network security detection model to the edge cloud server for aggregation, the edge cloud server has limited bandwidth, transmission of a large number of model parameters can affect efficiency of model replacement of federal learning, in addition, data isomerism exists in a data set stored by the edge computing devices, and simply aggregating a plurality of models can cause offset errors in different federal computing devices of the federal aggregated models, because the federal aggregated models are comprehensive models integrating data characteristics of all federal devices, and even model degradation can occur. Based on this, the present embodiment first clusters each edge computing device in a heterogeneous distributed system based on the data heterogeneity of each edge computing device.
In an exemplary embodiment, before training the initial network security detection model based on the local security data, the network security detection method based on the distributed system further includes:
an edge cloud server in the distributed system is received, and based on the similarity, the data homography clusters are divided and the connection relation of all edge computing devices in the data homography clusters is divided, so that corresponding associated computing devices are determined based on the data homography clusters and the connection relation.
In an exemplary embodiment, a process for partitioning data homography clusters based on similarity by an edge cloud server in a distributed system includes:
An edge cloud server in the distributed system acquires test results obtained by each edge computing device in the distributed system based on a test safety data set;
constructing weighted undirected graphs among all edge computing devices according to the similarity of test results of all edge computing devices;
all edge computing devices are divided by the weighted undirected graph to obtain a plurality of data homography clusters.
Assuming a total of N edge computing devices, the present embodiment first builds a weighted undirected graph between all devices. Firstly, all edge computing equipment performs 1-time local data model training, namely the edge computing equipment performs training by using a local safety data set to obtain a local network safety detection model. The edge cloud server searches public data from the public network, a test data set oriented to the federal learning task is constructed, the test data set is sent to each edge computing device, the edge computing devices store the test data set, meanwhile, the local network security detection model is used for testing the public data set to obtain a test result, the test result is uploaded to the edge cloud server, and because the self-owned data used by the edge computing devices has data isomerism, namely, the data of each edge computing device is limited and mostly only contains samples of limited types, the structure for testing by using the test data set is different, and deviation exists. All edge computing devices upload test results of the public test data set to an edge cloud server, and the edge cloud server establishes a right undirected graph by using the test results of all the devices.
Specifically, the edge cloud server calculates the similarity of the test results of all edge computing devices by using a vector similarity calculation method, for example, a Jaccard similarity coefficient calculation method, and performs neighbor ranking. Jaccard similarity coefficients are commonly used to calculate the similarity between sets, and can also be used to calculate the similarity of binary vectors. For two binary vectors A and B, the Jaccard similarity coefficient is calculated as: similarity= |aΣb|/|aζ where aζb represents the intersection of vectors a and B and aζb represents the union of vectors a and B. For example, the test result of the device a is a binary vector [1,0, … …,1,0], the classification result of the device B is also a binary vector [0,1, 0, … …,1,0], and the Jaccard similarity coefficient is used to calculate the result similarity of the device a and the device B, which is only a special case of proving the result similarity of the edge computing device, and not only protecting the calculation mode.
The edge cloud server traverses test results of all edge computing devices, calculates the result similarity of each edge computing device and other edge computing devices, constructs edges between the edge computing devices and other edge computing devices according to the value of the result similarity, namely, constructs a connecting edge between the two similar edge computing devices when the value of the result similarity is larger than P, wherein the value of the edge is the calculation result of the result similarity, P is a threshold value which is initially set, when the value of the result similarity is smaller than P, the relation establishment of the connecting edge between the two edge computing devices is not carried out, the established weighted undirected graph between all edge computing devices can be shown by referring to FIG. 4, and 6 edge computing devices, namely, devices 1-6, are respectively shown in FIG. 4.
Each edge computing device in the weighted undirected graph is initialized to a separate homography cluster, i.e., the label of each edge computing device is initially the identity of the edge computing device itself. For each edge computing device, considering the labels of the neighbor edge computing devices, traversing each edge computing device, carrying out iterative updating according to a fixed sequence or a random sequence, for the current edge computing device, collecting the labels of the neighbor edge computing devices, counting the occurrence times of each label in the neighbor edge computing devices, selecting the label with the largest occurrence times in the neighbor edge computing devices as a new label of the current edge computing device, and updating the label of the current edge computing device as the new label. After each iteration, checking the change condition of the label, judging the change quantity by comparing the label of the current iteration with the label of the previous iteration, if the change quantity of the label is smaller than a set threshold value, namely the label is basically stable and does not change any more, considering that the algorithm converges, and if the label is still changing, continuing the iteration label propagation step. If the algorithm converges, i.e., the tag no longer changes significantly, the iteration terminates. If the tag is still changing, the tag propagation iteration is continued.
After the algorithm converges, a final label propagation result is obtained, edge computing devices with the same label are divided into the same data identity clusters, a final division result is obtained, and each data identity cluster is an edge computing device set with the same label. The edge cloud server sends the divided data identity clusters and intra-cluster connection relations to all edge computing devices, each edge computing device can obtain the device number of the edge computing device connected with own data identity, model parameter updating is carried out on the edge computing device and the neighboring edge computing device of the same cluster by using the device number, the divided data identity clusters are shown in fig. 5, according to the divided data identity clusters, if a label A represents one data identity cluster, a label B represents one data identity cluster, the label A comprises a device 1 and a device 2, and the label B comprises a device 3-a device 6: the edge computing device that is closer to the other edge computing devices or that communicates fastest with the remaining edge computing devices within the data-like cluster is selected as the cluster head. This can reduce the communication distance and delay and improve the communication efficiency. The edge cloud server selects cluster heads of each data-like cluster through the communication rate of data exchange with all edge computing devices, and sends the edge computing device numbers of the cluster heads to the edge computing devices of the cluster.
When the parameter updating condition is met, the local network security detection model is updated by using the model parameters of the local network security detection model and the model parameters of the associated computing equipment, wherein the associated computing equipment is the edge computing equipment which is in the same data homography cluster as the local edge computing equipment and has a connecting edge with the local edge computing equipment, and in the cluster model updating process, each edge computing equipment firstly carries out a model parameter aggregation process with the associated edge computing equipment connected in the cluster, so that the model convergence can be accelerated, the classification of the homography equipment in the cluster is more accurate, and the model aggregation update among the equipment with the data type most similar to the other equipment is carried out to obtain more information.
After the local network security detection model is updated by using the model parameters of the local network security detection model and the model parameters of the associated computing equipment, the local network security detection is performed by using the local network security detection model, so that the edge computing equipment can exert the optimal local network security detection performance.
Therefore, in this embodiment, the depth of the neural network of the local network security detection model of each edge computing device in the distributed system may be dynamically adjusted, so as to better adapt to the requirements of diversified tasks, so that the edge computing device may exert the optimal local network security detection performance, and meanwhile, the edge computing device may update the model parameters in the data like-nature cluster, without uploading the model parameters to the edge cloud server during each communication, thereby reducing communication overhead and bandwidth requirements.
Based on the above embodiments:
in an exemplary embodiment, the process of adjusting the neural network depth of the initial network security detection model according to the output values corresponding to the two output network blocks to obtain the local network security detection model includes:
acquiring a first output value corresponding to a first output network block and a second output value corresponding to a second output network block, wherein the neural network depth of the first output network block is smaller than that of the second output network block;
Determining a depth adjustment strategy based on the first output value and the second output value;
And adjusting the neural network depth of the initial network security detection model according to the depth adjustment strategy to obtain the local network security detection model.
In this embodiment, the first output network block is shallower than the second output network block, the output value of the output branch corresponding to the shallow output network block is denoted as q, the output value of the output branch corresponding to the deep output network block is denoted as d, and the absolute value k= |q-d| of the difference between the shallow-deep data output values is obtained. It will be appreciated that the depth adjustment direction may be determined according to the magnitude relationship between q and d, and the size of the performance gap between the deep network model and the shallow network model may be determined according to the magnitude relationship between k and the preset value beta.
In an exemplary embodiment, determining a depth adjustment policy based on the first output value and the second output value includes:
Determining an absolute value of a difference between the first output value and the second output value;
Determining a depth adjustment direction based on a magnitude relation of the first output value and the second output value; the depth adjustment direction is depth backspacing or depth deepening;
determining an adjustment condition which is met by the performance gap between the shallow network model and the deep network model based on the magnitude relation between the absolute value and the preset value; the shallow layer network model is obtained based on the first output network block, the deep layer network model is obtained based on the second output network block, and the adjusting condition is an instant adjusting condition or a stepping adjusting condition;
a depth adjustment strategy is determined based on the adjustment conditions satisfied by the depth adjustment direction and the performance gap.
In an exemplary embodiment, determining the depth adjustment direction based on the magnitude relation of the first output value and the second output value includes:
when the first output value is larger than the second output value, the depth adjustment direction is depth rollback;
when the first output value is smaller than the second output value, the depth adjusting direction is deepened.
In an exemplary embodiment, the process of determining the adjustment condition satisfied by the performance gap between the shallow network model and the deep network model based on the magnitude relation between the absolute value and the preset value includes:
when the absolute value is smaller than a preset value, determining that the performance gap between the shallow network model and the deep network model meets a step adjustment condition;
When the absolute value is larger than or equal to a preset value, determining that the performance gap between the shallow network model and the deep network model meets the instant adjustment condition.
In an exemplary embodiment, the process of determining a depth adjustment strategy based on the adjustment conditions satisfied by the depth adjustment direction and the performance gap includes:
When the depth adjustment direction is depth rollback and the performance gap meets the instant adjustment condition, determining the depth adjustment strategy as the instant depth rollback adjustment strategy;
the process of obtaining the local network security detection model by adjusting the neural network depth of the initial network security detection model according to the depth adjustment strategy comprises the following steps:
when the depth adjustment strategy is a depth rollback immediate adjustment strategy, calculating the rollback depth by using a first relational expression corresponding to the depth rollback immediate adjustment strategy;
adjusting the neural network depth of the initial network security detection model according to the rollback depth to obtain a local network security detection model;
The first relation is f 1(k)=η×ek,f1 (k) which is the back-off depth, η is the hyper-parameter, and k is the absolute value.
In this embodiment, if q > d and k > beta, it is indicated that the output result of the shallow network model is better than the output result of the deep network model, and the performance gap is large. The decision maker outputs a depth rollback decision, the rollback depth being determined by the first relation.
In an exemplary embodiment, the process of determining a depth adjustment strategy based on the adjustment conditions satisfied by the depth adjustment direction and the performance gap includes:
when the depth adjustment direction is depth rollback and the performance gap meets the step adjustment condition, determining the depth adjustment strategy as a depth rollback step adjustment strategy, and writing the step rollback as a current record into a preset storage space;
the process of obtaining the local network security detection model by adjusting the neural network depth of the initial network security detection model according to the depth adjustment strategy comprises the following steps:
When the depth adjustment strategy is the depth rollback stepping adjustment strategy, acquiring continuous preset number of records including the current record in the preset storage space, and if the continuous preset number of records including the current record are all stepwise rollback, deeply rollback the neural network of the initial network security detection model by one layer to obtain the local network security detection model.
In this embodiment, if q > d and k < beta, it is indicated that the shallow network model output result is better than the deep network model output result, and the performance improvement is smaller, and the model depth may need to be adjusted stepwise, but not immediately. The decision maker records the result into a memory unit of the decision maker, the decision maker reads the latest 3 recorded results of the memory unit to judge, and if the decision maker finds that the stepping back is needed for 3 times continuously, the decision maker outputs a depth back decision and backs 1 layer.
In an exemplary embodiment, the process of determining a depth adjustment strategy based on the adjustment conditions satisfied by the depth adjustment direction and the performance gap includes:
When the depth adjustment direction is depth deepening and the performance gap meets the instant adjustment condition, determining the depth adjustment strategy as the instant depth deepening adjustment strategy;
the process of obtaining the local network security detection model by adjusting the neural network depth of the initial network security detection model according to the depth adjustment strategy comprises the following steps:
when the depth adjustment strategy is a depth deepening instant adjustment strategy, calculating the deepening depth by using a second relational expression corresponding to the depth deepening instant adjustment strategy;
Adjusting the neural network depth of the initial network security detection model according to the deepened depth to obtain a local network security detection model;
the second relation is f 2(k)=η×ek,f2 (k) is the deepening depth, η is the super parameter, and k is the absolute value.
In this embodiment, if q < d and k > beta, it is indicated that the deep network model output result is better than the shallow network model output result, and the performance gap is large. The decision maker outputs a deepening decision and the second relation of the deepening depth is obtained.
In an exemplary embodiment, the process of determining a depth adjustment strategy based on the adjustment conditions satisfied by the depth adjustment direction and the performance gap includes:
When the depth adjustment direction is depth deepening and the performance difference meets the step adjustment condition, determining the depth adjustment strategy as a depth deepening step adjustment strategy, and writing the step deepening as a current record into a preset storage space;
the process of obtaining the local network security detection model by adjusting the neural network depth of the initial network security detection model according to the depth adjustment strategy comprises the following steps:
and when the depth adjustment strategy is a depth deepening step adjustment strategy, acquiring continuous preset number of records including the current record in the preset storage space, and deepening the neural network depth of the initial network security detection model by one layer to obtain the local network security detection model if the continuous preset number of records including the current record are step deepening.
In this embodiment, if q < d and k < beta, it is indicated that the deep network model output result is better than the shallow network model output result, and the performance improvement is smaller, the model depth may need to be deepened step by step, but not adjusted immediately. The decision maker records the result into a memory unit of the decision maker, the decision maker reads the latest 3 recorded results of the memory unit to judge, and if the decision maker finds that the step deepens is needed for 3 times continuously, the decision maker outputs a depth deepening decision to deepen 1 layer.
The depth adjustment mechanism in this embodiment can deepen and lighten, can quickly adjust and slowly control, and the decision maker with higher flexibility feeds back the output decision to the model depth switching controller, and the depth model controller executes depth switching and performs corresponding deepening or rollback switching according to the existing model depth reference layer.
In an exemplary embodiment, the process of selecting two output network blocks among the plurality of neural network blocks includes:
two adjacent neural network blocks are selected from the plurality of neural network blocks as output network blocks.
The model adaptive growth provided in this embodiment solves the limitation of the traditional fixed size model by gradually increasing the model capacity and complexity on the edge computing device, and can handle diversified tasks: as federal learning involves more different types of tasks and data, model adaptive growth allows for increasing the capacity of the model on local devices according to the complexity of the task, thereby better accommodating the requirements of diverse tasks; the model performance can be improved: by gradually increasing the capacity of the model, the adaptive growth of the model can overcome the capacity limit possibly encountered by the model with fixed size, thereby improving the performance and the representation capacity of the model and being beneficial to better capturing the characteristics and modes of data; communication overhead can be reduced: in traditional federal learning, complete model parameters are required to be uploaded for each communication, and the adaptive growth of the model allows more local training and updating on local equipment, so that the communication cost and the bandwidth requirement are reduced; data privacy can be improved: in model adaptive growth, training data on the device can be left more local, and only incremental parameters of the model need to be uploaded, which helps to improve data privacy protection.
In an exemplary embodiment, the process of updating the local network security detection model with model parameters of the local network security detection model and model parameters of an associated computing device includes:
Obtaining model parameters of a local network security detection model, and sending the model parameters of the local network security detection model to each associated computing device;
Receiving model parameters sent by each associated computing device;
calculating a neighborhood average value of model parameters of the local network security detection model and model parameters sent by each associated calculation device;
and updating the local network security detection model based on the neighborhood average value.
In this embodiment, it is assumed that all edge computing devices are divided into C clusters, denoted by the set { s 1,…,sc }, and the kth cluster s k contains n k=|sk |edge devices. In the federal learning system, each edge computing device i trains out a local network security detection model of the device individuation according to an adaptive model growth algorithm based on a data set D i of the edge computing device i. The local empirical loss function of the data distribution at the edge computing device i is
In the method, in the process of the invention,ForLoss function ofParameters for two outlets of the local network security detection model,Is a parameter set of the whole local network security detection model, D i is a local data set, |d i | is the total amount of data samples,Data sample loss function,For data samples in the local dataset that participate in iterative training,For the sample loss function of the combination of two outlets of the local network security detection model, the data samplePrediction error on the same.
The primary goal of the hierarchical aggregated federal learning algorithm is to optimize global model parameters to minimize the global loss function associated with all devices
Wherein,Is a model parameter of the global network model,Loss value of model parameters for a global network model, N is the total number of edge computing devices in the distributed system,For model parameters of the i-th edge computing device in cluster S k, i e (1, 2, 3.) n k-1,nk),nk is the total number of edge computing devices in cluster S k, k is the number of data-like clusters, k e (1, 2, 3.) C-1, C is the total number of clusters in the distributed system.
In hierarchical aggregation federal learning, the training process is divided into 3 steps of local network security detection model updating, intra-cluster aggregation and global aggregation, and the combination of the steps is called a training round.
Updating a local network security detection model: each edge computing device updates the local network security detection model using (Stochastic GRADIENT DESCENT, random gradient descent) algorithm. In training ofThe next iteration update process is that
In the method, in the process of the invention,For the model parameters of the local network security detection model of the ith edge computing device after the ith iteration update of the t-th round, i is the serial number of the edge computing device in the data homography cluster,Model parameters before the first iteration update of the t-th round are calculated for the ith edge, and the model parameters are calculated for the ith edgeLearning rate updated for the first iteration of round t,Is Hamiltonian operator,For data samples in the local data set participating in the first iteration update of the t-th round,The sample loss function updated for the first iteration of round t.
Edge computing devices within the same data-like clusterAnd after the iterative updating, performing one-time intra-cluster model aggregation. The device i epsilon s k numbers the local network security detection modelConnecting the neural network block as parameter/>, updated by the local network security detection modelAnd broadcast to its neighboring associated computing devices j e N i in the data-like cluster, and receive model parameters from N i to compute a neighborhood average to update the local network security detection model in the local edge computing device.
In an exemplary embodiment, the process of obtaining model parameters of the local network security detection model and transmitting the model parameters of the local network security detection model to each associated computing device includes:
and obtaining the model parameters of the standard depth of the local network security detection model, and sending the model parameters of the standard depth to each associated computing device.
In an exemplary embodiment, after receiving the model parameters sent by each associated computing device, the network security detection method further includes:
Judging whether the neural network depth corresponding to the model parameters sent by the associated computing equipment is larger than the neural network depth of the local network security detection model or not according to the model parameters sent by each associated computing equipment, if so, determining the model parameters which are the same as the neural network depth of the local network security detection model in the model parameters sent by the associated computing equipment as target model parameters, and if not, determining the model parameters sent by the associated computing equipment as target model parameters;
the process of calculating the neighborhood average value for the model parameters of the local network security detection model and the model parameters sent by each associated computing device comprises the following steps:
and calculating a neighborhood average value for the model parameters of the local network security detection model and the model parameters of each target model.
In the cluster aggregation process of adjacent edge computing equipment, because the neural network depth of each edge computing equipment is different, each edge computing equipment only transmits model Block parameters of standard depth, an output layer module of the edge computing equipment does not participate in aggregation, if receiving equipment receives model parameters deeper than the receiving equipment, only model parameters of depth corresponding to the receiving equipment are taken for aggregation, otherwise, if the edge computing equipment receives model parameters shallower than the receiving equipment, the edge computing equipment can directly aggregate. In the process of updating the model in the cluster, each edge computing device and the neighbor edge computing devices connected in the cluster are subjected to the model parameter aggregation process, so that model convergence can be accelerated, classification of the homopolar devices in the cluster is more accurate, and the model aggregation between the devices with the most similar data types is updated to obtain more information.
In an exemplary embodiment, after updating the local network security detection model with the model parameters of the local network security detection model and the model parameters of the associated computing device, the network security detection method further comprises:
When the cluster aggregation condition is met and the cluster aggregation condition is not the cluster head equipment, the model parameters of the local network security detection model are sent to the cluster head equipment of the data homography cluster where the local network security detection model is located, so that the cluster head equipment obtains global model parameters in the cluster according to the model parameters of all edge computing equipment in the data homography cluster where the local network security detection model is located;
And when the global model parameters in the cluster are acquired, updating the local network security detection model by using the global model parameters in the cluster so as to carry out local network security detection through the updated local network security detection model.
In an exemplary embodiment, the process of deriving intra-cluster global model parameters from model parameters of all edge computing devices in a data-like cluster comprises:
Calculating global model parameters in the cluster by using a third relational expression, wherein the third relational expression is ;/>
Wherein alpha is a super parameter,Intra-cluster global model parameters of the t-th round stored for the cluster head device of the c-th data-like cluster,Global model in-cluster global model parameters of the nth round stored for the (c) th data-like cluster in-cluster head equipment of the (t+1) th round of cluster-global model of the (c) th data-like cluster, c being the sequence number of the data-like cluster,Model parameters of the j-th associated computing device in the device set N i of the data identity clusters after the first update of the t-th round are N i, the i is a device set of the associated computing devices with a connection relation with the i-th edge computing device in the data identity clusters, the i is a serial number of the edge computing device in the data identity clusters, the j is a serial number of the associated computing device in the device set, and the I N i I is the total number of the edge computing devices in the data identity clusters.
In the present embodiment, when the iteration number l isWhen the data are integral multiples of each other, the edge computing equipment in all the data homography clusters carry out model parameter/>, of the local network security detection modelSending the data to a cluster head, and carrying out intra-cluster global model parameter aggregation to obtain
Wherein the constant α is a hyper-parameter.In-cluster model parameters of the t-th round stored for the cluster head,Representing the intra-cluster model aggregation parameters of the t+1 round after updating.
In an exemplary embodiment, after the global model parameters in the cluster are acquired and the local network security detection model is updated by using the global model parameters in the cluster, the network security detection method based on the distributed system further includes:
when the global condition is met and the cluster head equipment is adopted, the intra-cluster global model parameters are sent to an edge cloud server in the distributed system, so that the edge cloud server obtains a global model based on the intra-cluster global model parameters sent by the cluster head equipment of all data like clusters in the distributed system;
And after receiving the global model, updating the model parameters of the local network security detection model based on the model parameters of the global model so as to carry out local network security detection through the updated local network security detection model.
In an exemplary embodiment, the process of obtaining the global model based on the intra-cluster global model parameters sent by the cluster head devices of all data-like clusters in the distributed system includes:
Calculating a global model by using a fourth relation; the fourth relation is
Wherein C is the number of the cluster head devices,For the global model of the t+1st round,Model parameters for the c-th data-like cluster at the t+1st round with respect to the data sample loss function L, c being the sequence number of the data-like cluster.
In this embodiment, when all clusters are subjected to intra-cluster global aggregation for τ times, the edge cloud server performs global aggregation in a synchronous manner. And the cluster head equipment uploads the parameters of the model at the moment to the server. The server receives model parameters of local network security detection models of C cluster head devices, and updates a global model into a global model through parameter average; The edge cloud server broadcasts the global model to all devices.
According to the embodiment, after the edge cloud server broadcasts the global model to all edge computing devices, each edge computing device uses the blocks of the corresponding parts of the global model to update the blocks of the local network security detection model, the local data are used for training, and after h rounds of training are completed, the edge cloud server sends instructions to require the device to conduct a public test data set test, and the test structure is uploaded. The edge cloud server acquires the test structure, re-executes the data homography clustering and the data homography clustering dynamic partitioning, re-sends the partitioning result to all edge computing devices, re-updates the hierarchical clustering model, and repeats the steps until the global model converges.
In a second aspect, referring to fig. 6, the present invention further provides a network security detection system based on a distributed system, which is applied to each edge computing device in the distributed system, where each edge computing device in the distributed system is divided into a plurality of data identity clusters according to similarity, and the network security detection system includes:
The training module 11 is configured to train an initial network security detection model based on local security data, where a network of the initial network security detection model includes a plurality of neural network blocks connected in sequence, and the plurality of neural network blocks correspond to different neural network depths;
the selecting module 12 is configured to select two output network blocks from the plurality of neural network blocks, input the test security data set into the initial network security detection model, and then adjust the neural network depth of the initial network security detection model according to the output values corresponding to the two output network blocks to obtain a local network security detection model;
An updating module 13, configured to update the local network security detection model with the model parameters of the local network security detection model and the model parameters of the associated computing device when the parameter updating condition is satisfied; the associated computing device is an edge computing device which is in the same data homography cluster with the associated computing device and is connected with the associated computing device;
the detection module 14 is configured to perform local network security detection through the updated local network security detection model.
In an exemplary embodiment, the process of adjusting the neural network depth of the initial network security detection model according to the output values corresponding to the two output network blocks to obtain the local network security detection model includes:
acquiring a first output value corresponding to a first output network block and a second output value corresponding to a second output network block, wherein the neural network depth of the first output network block is smaller than that of the second output network block;
Determining a depth adjustment strategy based on the first output value and the second output value;
And adjusting the neural network depth of the initial network security detection model according to the depth adjustment strategy to obtain the local network security detection model.
In an exemplary embodiment, determining a depth adjustment policy based on the first output value and the second output value includes:
Determining an absolute value of a difference between the first output value and the second output value;
Determining a depth adjustment direction based on a magnitude relation of the first output value and the second output value; the depth adjustment direction is depth backspacing or depth deepening;
determining an adjustment condition which is met by the performance gap between the shallow network model and the deep network model based on the magnitude relation between the absolute value and the preset value; the shallow layer network model is obtained based on the first output network block, the deep layer network model is obtained based on the second output network block, and the adjusting condition is an instant adjusting condition or a stepping adjusting condition;
a depth adjustment strategy is determined based on the adjustment conditions satisfied by the depth adjustment direction and the performance gap.
In an exemplary embodiment, determining the depth adjustment direction based on the magnitude relation of the first output value and the second output value includes:
when the first output value is larger than the second output value, the depth adjustment direction is depth rollback;
when the first output value is smaller than the second output value, the depth adjusting direction is deepened.
In an exemplary embodiment, the process of determining the adjustment condition satisfied by the performance gap between the shallow network model and the deep network model based on the magnitude relation between the absolute value and the preset value includes:
when the absolute value is smaller than a preset value, determining that the performance gap between the shallow network model and the deep network model meets a step adjustment condition;
When the absolute value is larger than or equal to a preset value, determining that the performance gap between the shallow network model and the deep network model meets the instant adjustment condition.
In an exemplary embodiment, the process of determining a depth adjustment strategy based on the adjustment conditions satisfied by the depth adjustment direction and the performance gap includes:
When the depth adjustment direction is depth rollback and the performance gap meets the instant adjustment condition, determining the depth adjustment strategy as the instant depth rollback adjustment strategy;
the process of obtaining the local network security detection model by adjusting the neural network depth of the initial network security detection model according to the depth adjustment strategy comprises the following steps:
when the depth adjustment strategy is a depth rollback immediate adjustment strategy, calculating the rollback depth by using a first relational expression corresponding to the depth rollback immediate adjustment strategy;
adjusting the neural network depth of the initial network security detection model according to the rollback depth to obtain a local network security detection model;
The first relation is f 1(k)=η×ek,f1 (k) which is the back-off depth, η is the hyper-parameter, and k is the absolute value.
In an exemplary embodiment, the process of determining a depth adjustment strategy based on the adjustment conditions satisfied by the depth adjustment direction and the performance gap includes:
when the depth adjustment direction is depth rollback and the performance gap meets the step adjustment condition, determining the depth adjustment strategy as a depth rollback step adjustment strategy, and writing the step rollback as a current record into a preset storage space;
the process of obtaining the local network security detection model by adjusting the neural network depth of the initial network security detection model according to the depth adjustment strategy comprises the following steps:
When the depth adjustment strategy is the depth rollback stepping adjustment strategy, acquiring continuous preset number of records including the current record in the preset storage space, and if the continuous preset number of records including the current record are all stepwise rollback, deeply rollback the neural network of the initial network security detection model by one layer to obtain the local network security detection model.
In an exemplary embodiment, the process of determining a depth adjustment strategy based on the adjustment conditions satisfied by the depth adjustment direction and the performance gap includes:
When the depth adjustment direction is depth deepening and the performance gap meets the instant adjustment condition, determining the depth adjustment strategy as the instant depth deepening adjustment strategy;
the process of obtaining the local network security detection model by adjusting the neural network depth of the initial network security detection model according to the depth adjustment strategy comprises the following steps:
when the depth adjustment strategy is a depth deepening instant adjustment strategy, calculating the deepening depth by using a second relational expression corresponding to the depth deepening instant adjustment strategy;
Adjusting the neural network depth of the initial network security detection model according to the deepened depth to obtain a local network security detection model;
the second relation is f 2(k)=η×ek,f2 (k) is the deepening depth, η is the super parameter, and k is the absolute value.
In an exemplary embodiment, the process of determining a depth adjustment strategy based on the adjustment conditions satisfied by the depth adjustment direction and the performance gap includes:
When the depth adjustment direction is depth deepening and the performance difference meets the step adjustment condition, determining the depth adjustment strategy as a depth deepening step adjustment strategy, and writing the step deepening as a current record into a preset storage space;
the process of obtaining the local network security detection model by adjusting the neural network depth of the initial network security detection model according to the depth adjustment strategy comprises the following steps:
and when the depth adjustment strategy is a depth deepening step adjustment strategy, acquiring continuous preset number of records including the current record in the preset storage space, and deepening the neural network depth of the initial network security detection model by one layer to obtain the local network security detection model if the continuous preset number of records including the current record are step deepening.
In an exemplary embodiment, the process of selecting two output network blocks among the plurality of neural network blocks includes:
two adjacent neural network blocks are selected from the plurality of neural network blocks as output network blocks.
In an exemplary embodiment, the process of updating the local network security detection model with model parameters of the local network security detection model and model parameters of an associated computing device includes:
Obtaining model parameters of a local network security detection model, and sending the model parameters of the local network security detection model to each associated computing device;
Receiving model parameters sent by each associated computing device;
calculating a neighborhood average value of model parameters of the local network security detection model and model parameters sent by each associated calculation device;
and updating the local network security detection model based on the neighborhood average value.
In an exemplary embodiment, the process of obtaining model parameters of the local network security detection model and transmitting the model parameters of the local network security detection model to each associated computing device includes:
And obtaining model parameters of the standard depth of the local network security detection model, and sending the model parameters of the standard depth to each associated computing device.
In an exemplary embodiment, the network security detection system further comprises:
The first determining module is used for judging whether the neural network depth corresponding to the model parameters sent by the associated computing equipment is larger than the neural network depth of the local network security detection model according to the model parameters sent by each associated computing equipment after receiving the model parameters sent by each associated computing equipment, if so, determining the model parameters which are the same as the neural network depth of the local network security detection model in the model parameters sent by the associated computing equipment as target model parameters, and if not, determining the model parameters sent by the associated computing equipment as target model parameters;
the process of calculating the neighborhood average value for the model parameters of the local network security detection model and the model parameters sent by each associated computing device comprises the following steps:
and calculating a neighborhood average value for the model parameters and each target model parameter of the local network security detection model.
In an exemplary embodiment, the network security detection system further comprises:
The first sending module is used for sending the model parameters of the local network security detection model to the cluster head equipment of the data homography cluster where the local network security detection model is located when the cluster aggregation condition is met and the local network security detection model is not the cluster head equipment, so that the cluster head equipment obtains global model parameters in the cluster according to the model parameters of all edge computing equipment in the data homography cluster where the local network security detection model is located;
The updating module 13 is further configured to update the local network security detection model with the intra-cluster global model parameter when the intra-cluster global model parameter is acquired, so as to perform local network security detection through the updated local network security detection model.
In an exemplary embodiment, the process of deriving intra-cluster global model parameters from model parameters of all edge computing devices in a data-like cluster comprises:
Calculating global model parameters in the cluster by using a third relational expression, wherein the third relational expression is
Wherein alpha is a super parameter,Intra-cluster global model parameters of the t-th round stored for the cluster head device of the c-th data-like cluster,Global model parameters in the t+1st round for the c-th data-like cluster, c being the sequence number of the data-like cluster,Model parameters of the j-th associated computing device in the device set N i of the data identity clusters after the first update of the t-th round are N i, the i is a device set of the associated computing devices with a connection relation with the i-th edge computing device in the data identity clusters, the i is a serial number of the edge computing device in the data identity clusters, the j is a serial number of the associated computing device in the device set, and the I N i I is the total number of the edge computing devices in the data identity clusters.
In an exemplary embodiment, the distributed system-based network security detection system further comprises:
The second sending module is used for sending the intra-cluster global model parameters to an edge cloud server in the distributed system when the intra-cluster global model parameters are obtained, the intra-cluster global model parameters are utilized to update the local network security detection model, and the intra-cluster global model parameters are used for obtaining a global model based on the intra-cluster global model parameters sent by the cluster head equipment of all data homopolar clusters in the distributed system when the global conditions are met and the intra-cluster global model parameters are the cluster head equipment;
the updating module 13 is further configured to update the model parameters of the local network security detection model based on the model parameters of the global model after receiving the global model, so as to perform local network security detection through the updated local network security detection model.
In an exemplary embodiment, the process of obtaining the global model based on the intra-cluster global model parameters sent by the cluster head devices of all data-like clusters in the distributed system includes:
Calculating a global model by using a fourth relation; the fourth relation is
Wherein C is the number of the cluster head devices,For the global model of the t+1st round,Model parameters for the c-th data-like cluster at the t+1st round with respect to the data sample loss function L, c being the sequence number of the data-like cluster.
In an exemplary embodiment, the distributed system-based network security detection system further comprises:
the receiving module is used for receiving the data homography clusters divided based on the similarity and the connection relation of each edge computing device in the data homography clusters by the edge cloud server in the distributed system before the initial network security detection model is trained based on the local security data so as to determine the corresponding associated computing device based on the data homography clusters and the connection relation.
In an exemplary embodiment, a process for partitioning data homography clusters based on similarity by an edge cloud server in a distributed system includes:
An edge cloud server in the distributed system acquires test results obtained by each edge computing device in the distributed system based on a test safety data set;
constructing weighted undirected graphs among all edge computing devices according to the similarity of test results of all edge computing devices;
all edge computing devices are divided by the weighted undirected graph to obtain a plurality of data homography clusters.
In a third aspect, referring to fig. 7, fig. 7 is a schematic structural diagram of an edge computing device according to the present invention, including:
a memory 21 for storing a computer program;
a processor 22 for implementing the steps of the distributed system based network security detection method as described in any of the embodiments above when executing a computer program.
The edge computing device further includes:
The input interface 23 is connected to the processor 22 via the communication bus 26 for obtaining externally imported computer programs, parameters and instructions, which are stored in the memory 21 under control of the processor 22. The input interface may be coupled to an input device for receiving parameters or instructions manually entered by a user. The input device can be a touch layer covered on a display screen, or can be a key, a track ball or a touch pad arranged on a terminal shell.
A display unit 24 is coupled to the processor 22 via a communication bus 26 for displaying data transmitted by the processor 22. The display unit may be a liquid crystal display or an electronic ink display, etc.
The network port 25 is connected to the processor 22 via the communication bus 26 for communication connection with external terminal devices. The communication technology adopted by the communication connection can be a wired communication technology or a wireless communication technology, such as a mobile high-definition link technology, a universal serial bus, a high-definition multimedia interface, a wireless fidelity technology, a Bluetooth communication technology, a low-power consumption Bluetooth communication technology, an IEEE802.11 s-based communication technology and the like.
For an introduction of an edge computing device provided by the present invention, refer to the above embodiment, and the disclosure is not repeated here.
The edge computing device provided by the invention has the same beneficial effects as the network security detection method based on the distributed system.
In a fourth aspect, referring to fig. 8, fig. 8 is a schematic structural diagram of a distributed system according to the present invention, including:
a plurality of edge computing devices as described above;
The edge cloud server is used for outputting test data sets and clustering results to each edge computing device, wherein the clustering results comprise data homography clusters where the edge computing devices are located and associated computing devices connected with the edge computing devices.
The edge computing devices in one dotted line box in fig. 8 belong to the same cluster, for example, five edge computing devices in the dotted line box on the left side of the edge cloud server belong to a cluster s 1, and five edge computing devices in the dotted line box on the right side of the edge cloud server belong to a cluster s c, and the distributed system may be a heterogeneous distributed system in particular.
For an introduction of a distributed system provided by the present invention, refer to the above embodiment, and the disclosure is not repeated here.
The distributed system provided by the invention has the same beneficial effects as the network security detection method based on the distributed system.
In a fifth aspect, referring to fig. 9, fig. 9 is a schematic structural diagram of a computer readable storage medium according to the present invention, in which a computer program 31 is stored in the computer readable storage medium 30, and the computer program 31 implements the steps of the network security detection method based on the distributed system according to any one of the embodiments described above when being executed by a processor.
Wherein the computer-readable storage medium 30 may comprise: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
For an introduction to a computer readable storage medium provided by the present invention, refer to the above embodiments, and the disclosure is not repeated here.
The computer readable storage medium provided by the invention has the same beneficial effects as the network security detection method based on the distributed system.
It should also be noted that in this specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (22)

1. A network security detection method based on a distributed system, wherein the network security detection method is applied to each edge computing device in the distributed system, and each edge computing device in the distributed system is divided into a plurality of data identity clusters according to similarity, and the network security detection method comprises:
Training an initial network security detection model based on local security data, wherein the network of the initial network security detection model comprises a plurality of neural network blocks which are sequentially connected, and the plurality of neural network blocks correspond to different neural network depths;
Selecting two output network blocks from the plurality of neural network blocks, inputting a test safety data set into the initial network safety detection model, and adjusting the neural network depth of the initial network safety detection model according to output values corresponding to the two output network blocks to obtain a local network safety detection model;
When the parameter updating condition is met, updating the local network security detection model by using the model parameters of the local network security detection model and the model parameters of the associated computing equipment; the associated computing device is an edge computing device which is in the same data homopolarity cluster with the associated computing device and is connected with the associated computing device;
performing local network security detection through the updated local network security detection model;
The process of adjusting the neural network depth of the initial network security detection model according to the output values corresponding to the two output network blocks to obtain the local network security detection model comprises the following steps:
acquiring a first output value corresponding to a first output network block and a second output value corresponding to a second output network block, wherein the neural network depth of the first output network block is smaller than that of the second output network block;
Determining a depth adjustment strategy based on the first output value and the second output value;
and adjusting the neural network depth of the initial network security detection model according to the depth adjustment strategy to obtain a local network security detection model.
2. The distributed system-based network security detection method of claim 1, wherein determining a depth adjustment policy based on the first output value and the second output value comprises:
determining an absolute value of a difference between the first output value and the second output value;
Determining a depth adjustment direction based on a magnitude relation of the first output value and the second output value; the depth adjustment direction is depth backspacing or depth deepening;
determining an adjustment condition which is met by the performance gap between the shallow network model and the deep network model based on the magnitude relation between the absolute value and the preset value; the shallow network model is obtained based on a first output network block, the deep network model is obtained based on a second output network block, and the adjustment condition is an instant adjustment condition or a stepping adjustment condition;
and determining a depth adjustment strategy based on the depth adjustment direction and the adjustment condition satisfied by the performance gap.
3. The distributed system-based network security detection method of claim 2, wherein determining a depth adjustment direction based on a magnitude relationship of the first output value and the second output value comprises:
when the first output value is larger than the second output value, the depth adjustment direction is the depth rollback;
And when the first output value is smaller than the second output value, the depth adjusting direction deepens the depth.
4. The network security detection method based on a distributed system according to claim 2, wherein the process of determining the adjustment condition satisfied by the performance gap between the shallow network model and the deep network model based on the magnitude relation between the absolute value and the preset value includes:
When the absolute value is smaller than the preset value, determining that the performance gap between the shallow network model and the deep network model meets the step adjustment condition;
And when the absolute value is larger than or equal to the preset value, determining that the performance gap between the shallow network model and the deep network model meets the instant adjustment condition.
5. The distributed system-based network security detection method of claim 2, wherein determining a depth adjustment policy based on the depth adjustment direction and the adjustment condition satisfied by the performance gap comprises:
when the depth adjustment direction is the depth rollback and the performance gap meets the instant adjustment condition, determining the depth adjustment strategy as a depth rollback instant adjustment strategy;
the process of adjusting the neural network depth of the initial network security detection model according to the depth adjustment strategy to obtain the local network security detection model comprises the following steps:
When the depth adjustment strategy is the depth rollback instant adjustment strategy, calculating the rollback depth by using a first relation corresponding to the depth rollback instant adjustment strategy;
adjusting the neural network depth of the initial network security detection model according to the rollback depth to obtain a local network security detection model;
The first relation is f 1(k)=η×ek,f1 (k) which is the back-off depth, eta is the super parameter, and k is the absolute value.
6. The distributed system-based network security detection method of claim 2, wherein determining a depth adjustment policy based on the depth adjustment direction and the adjustment condition satisfied by the performance gap comprises:
When the depth adjustment direction is the depth rollback and the performance gap meets the step adjustment condition, determining that the depth adjustment strategy is a depth rollback step adjustment strategy, and writing the step rollback serving as a current record into a preset storage space;
the process of adjusting the neural network depth of the initial network security detection model according to the depth adjustment strategy to obtain the local network security detection model comprises the following steps:
And when the depth adjustment strategy is the depth rollback stepping adjustment strategy, acquiring a continuous preset number of records including the current record in the preset storage space, and if the continuous preset number of records including the current record are all the stepping rollback, backing the neural network depth of the initial network security detection model by one layer to obtain a local network security detection model.
7. The distributed system-based network security detection method of claim 2, wherein determining a depth adjustment policy based on the depth adjustment direction and the adjustment condition satisfied by the performance gap comprises:
when the depth adjustment direction is the depth deepening and the performance gap meets the instant adjustment condition, determining the depth adjustment strategy as a depth deepening instant adjustment strategy;
the process of adjusting the neural network depth of the initial network security detection model according to the depth adjustment strategy to obtain the local network security detection model comprises the following steps:
when the depth adjustment strategy is the depth deepening instant adjustment strategy, calculating the deepening depth by using a second relation corresponding to the depth deepening instant adjustment strategy;
adjusting the neural network depth of the initial network security detection model according to the deepened depth to obtain a local network security detection model;
The second relation is f 2(k)=η×ek,f2 (k) which is the deepening depth, eta is the super parameter, and k is the absolute value.
8. The distributed system-based network security detection method of claim 2, wherein determining a depth adjustment policy based on the depth adjustment direction and the adjustment condition satisfied by the performance gap comprises:
When the depth adjustment direction is the depth deepening and the performance gap meets the step adjustment condition, determining the depth adjustment strategy as a depth deepening step adjustment strategy, and writing the step deepening serving as a current record into a preset storage space;
the process of adjusting the neural network depth of the initial network security detection model according to the depth adjustment strategy to obtain the local network security detection model comprises the following steps:
And when the depth adjustment strategy is the depth deepening step adjustment strategy, acquiring continuous preset number of records including the current record in the preset storage space, and deepening the neural network depth of the initial network security detection model by one layer if the continuous preset number of records including the current record are the step deepening, so as to obtain a local network security detection model.
9. The distributed system-based network security detection method of claim 1, wherein selecting two output network blocks among the plurality of neural network blocks comprises:
Two adjacent neural network blocks are selected from the plurality of the neural network blocks as output network blocks.
10. The distributed system-based network security detection method of claim 1, wherein updating the local network security detection model with model parameters of the local network security detection model and model parameters of an associated computing device comprises:
Obtaining model parameters of the local network security detection model, and sending the model parameters of the local network security detection model to each associated computing device;
receiving model parameters sent by each associated computing device;
Calculating a neighborhood average value of the model parameters of the local network security detection model and the model parameters sent by each associated calculation device;
and updating the local network security detection model based on the neighborhood average value.
11. The distributed system-based network security detection method of claim 10, wherein the process of obtaining the model parameters of the local network security detection model and transmitting the model parameters of the local network security detection model to each of the associated computing devices comprises:
And obtaining model parameters of standard depth of the local network security detection model, and sending the model parameters of the standard depth to each associated computing device.
12. The distributed system-based network security detection method of claim 11, wherein after receiving the model parameters sent by each of the associated computing devices, the network security detection method further comprises:
Judging whether the neural network depth corresponding to the model parameters sent by the associated computing equipment is larger than the neural network depth of the local network security detection model or not according to the model parameters sent by each associated computing equipment, if so, determining the model parameters which are the same as the neural network depth of the local network security detection model in the model parameters sent by the associated computing equipment as target model parameters, and if not, determining the model parameters sent by the associated computing equipment as target model parameters;
The process of calculating the neighborhood average value for the model parameters of the local network security detection model and the model parameters sent by each associated calculation device comprises the following steps:
And calculating a neighborhood average value for the model parameters of the local network security detection model and each target model parameter.
13. The distributed system-based network security detection method of claim 1, wherein after updating the local network security detection model with model parameters of the local network security detection model and model parameters of an associated computing device, the network security detection method further comprises:
When the cluster aggregation condition is met and the cluster aggregation condition is not the cluster head equipment, the model parameters of the local network security detection model are sent to the cluster head equipment of the data like clusters where the local network security detection model is located, so that the cluster head equipment obtains global model parameters in the cluster according to the model parameters of all edge computing equipment in the data like clusters where the local network security detection model is located;
and when the global model parameters in the cluster are acquired, updating the local network security detection model by utilizing the global model parameters in the cluster so as to carry out local network security detection through the updated local network security detection model.
14. The distributed system-based network security detection method of claim 13, wherein the process of deriving intra-cluster global model parameters from model parameters of all edge computing devices in the data-like clusters comprises:
Calculating global model parameters in the cluster by using a third relational expression, wherein the third relational expression is
Wherein alpha is a super parameter,Intra-cluster global model parameters of the t-th round stored for the cluster head device of the c-th data-like cluster,Global model parameters in the (t+1) -th round for the (c) -th data-like cluster, c being the sequence number of the data-like cluster,Model parameters of the j-th associated computing device in the device set N i of the data identity clusters after the first update of the t-th round are N i, the i is a device set of the associated computing devices with a connection relation with the i-th edge computing device in the data identity clusters, the i is a serial number of the edge computing device in the data identity clusters, the j is a serial number of the associated computing device in the device set, and the I N i I is the total number of the edge computing devices in the data identity clusters.
15. The distributed system-based network security detection method of claim 13, wherein after the intra-cluster global model parameters are acquired and the local network security detection model is updated with the intra-cluster global model parameters, the network security detection method further comprises:
when a global condition is met and the cluster head equipment is the cluster head equipment, the intra-cluster global model parameters are sent to an edge cloud server in the distributed system, so that the edge cloud server obtains a global model based on intra-cluster global model parameters sent by all the cluster head equipment of the data-like clusters in the distributed system;
and after receiving the global model, updating the model parameters of the local network security detection model based on the model parameters of the global model so as to carry out local network security detection through the updated local network security detection model.
16. The network security detection method based on a distributed system according to claim 15, wherein the process of obtaining a global model based on intra-cluster global model parameters sent by cluster head devices of all the data-like clusters in the distributed system comprises:
Calculating a global model by using a fourth relation; the fourth relation is
Wherein C is the number of the cluster head devices,For the global model of the t+1st round,Model parameters for the c-th data-like cluster at the t+1st round with respect to the data sample loss function L, c being the sequence number of the data-like cluster.
17. The distributed system-based network security detection method of any of claims 1-16, wherein prior to training an initial network security detection model based on local security data, the network security detection method further comprises:
And receiving connection relations of the data homography clusters divided by the edge cloud server based on the similarity and all edge computing devices in the data homography clusters, so as to determine corresponding associated computing devices based on the data homography clusters and the connection relations.
18. The distributed system-based network security detection method of claim 17, wherein the process of dividing the data homography clusters by the edge cloud server in the distributed system based on the similarity comprises:
an edge cloud server in the distributed system acquires test results obtained by each edge computing device in the distributed system based on the test safety data set;
constructing weighted undirected graphs among all the edge computing devices according to the similarity of the test results of all the edge computing devices;
And dividing all the edge computing devices by using the weighted undirected graph to obtain a plurality of data homography clusters.
19. A network security detection system based on a distributed system, wherein the network security detection system is applied to each edge computing device in the distributed system, and each edge computing device in the distributed system is divided into a plurality of data identity clusters according to similarity, and the network security detection system comprises:
The training module is used for training an initial network security detection model based on local security data, wherein the network of the initial network security detection model comprises a plurality of neural network blocks which are sequentially connected, and the plurality of neural network blocks correspond to different neural network depths;
The selection module is used for selecting two output network blocks from the plurality of the neural network blocks, inputting a test safety data set into the initial network safety detection model, and adjusting the neural network depth of the initial network safety detection model according to output values corresponding to the two output network blocks to obtain a local network safety detection model;
The updating module is used for updating the local network security detection model by using the model parameters of the local network security detection model and the model parameters of the associated computing equipment when the parameter updating conditions are met; the associated computing device is an edge computing device which is in the same data homopolarity cluster with the associated computing device and is connected with the associated computing device;
the detection module is used for carrying out local network security detection through the updated local network security detection model;
The process of adjusting the neural network depth of the initial network security detection model according to the output values corresponding to the two output network blocks to obtain the local network security detection model comprises the following steps:
acquiring a first output value corresponding to a first output network block and a second output value corresponding to a second output network block, wherein the neural network depth of the first output network block is smaller than that of the second output network block;
Determining a depth adjustment strategy based on the first output value and the second output value;
and adjusting the neural network depth of the initial network security detection model according to the depth adjustment strategy to obtain a local network security detection model.
20. An edge computing device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the distributed system based network security detection method according to any of claims 1-18 when executing the computer program.
21. A distributed system, comprising:
a plurality of edge computing devices as claimed in claim 20;
And the edge cloud server is used for outputting a test data set and clustering results to each edge computing device, wherein the clustering results comprise data homography clusters where the edge computing devices are located and associated computing devices connected with the edge computing devices.
22. A computer readable storage medium, wherein a computer program is stored on the computer readable storage medium, which when executed by a processor, implements the steps of the distributed system based network security detection method according to any of claims 1-18.
CN202410230120.4A 2024-02-29 2024-02-29 Network security detection method, system, equipment and medium based on distributed system Active CN117811846B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410230120.4A CN117811846B (en) 2024-02-29 2024-02-29 Network security detection method, system, equipment and medium based on distributed system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202410230120.4A CN117811846B (en) 2024-02-29 2024-02-29 Network security detection method, system, equipment and medium based on distributed system

Publications (2)

Publication Number Publication Date
CN117811846A CN117811846A (en) 2024-04-02
CN117811846B true CN117811846B (en) 2024-05-28

Family

ID=90430334

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410230120.4A Active CN117811846B (en) 2024-02-29 2024-02-29 Network security detection method, system, equipment and medium based on distributed system

Country Status (1)

Country Link
CN (1) CN117811846B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019136946A1 (en) * 2018-01-15 2019-07-18 中山大学 Deep learning-based weakly supervised salient object detection method and system
WO2020172974A1 (en) * 2019-02-25 2020-09-03 中国科学院自动化研究所 Artificial neural network optimization method and system based on orthogonal projection matrix, and apparatuses
CN115167977A (en) * 2022-06-22 2022-10-11 国网湖南省电力有限公司 Target detection method, system, equipment and storage medium based on Docker virtual isolation
CN116229170A (en) * 2023-03-03 2023-06-06 北京邮电大学 Task migration-based federal unsupervised image classification model training method, classification method and equipment
CN116405262A (en) * 2023-03-07 2023-07-07 北京邮电大学 Network security access method, device, equipment and storage medium
CN116579417A (en) * 2023-05-10 2023-08-11 之江实验室 Layered personalized federal learning method, device and medium in edge computing network
CN116708009A (en) * 2023-07-18 2023-09-05 杭州电子科技大学上虞科学与工程研究院有限公司 Network intrusion detection method based on federal learning
CN117580046A (en) * 2023-06-09 2024-02-20 西安电子科技大学 Deep learning-based 5G network dynamic security capability scheduling method

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11640528B2 (en) * 2019-10-22 2023-05-02 Baidu Usa Llc Method, electronic device and computer readable medium for information processing for accelerating neural network training
US20220147815A1 (en) * 2020-11-09 2022-05-12 Domaintools, Llc Multi-level ensemble classifers for cybersecurity machine learning applications

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019136946A1 (en) * 2018-01-15 2019-07-18 中山大学 Deep learning-based weakly supervised salient object detection method and system
WO2020172974A1 (en) * 2019-02-25 2020-09-03 中国科学院自动化研究所 Artificial neural network optimization method and system based on orthogonal projection matrix, and apparatuses
CN115167977A (en) * 2022-06-22 2022-10-11 国网湖南省电力有限公司 Target detection method, system, equipment and storage medium based on Docker virtual isolation
CN116229170A (en) * 2023-03-03 2023-06-06 北京邮电大学 Task migration-based federal unsupervised image classification model training method, classification method and equipment
CN116405262A (en) * 2023-03-07 2023-07-07 北京邮电大学 Network security access method, device, equipment and storage medium
CN116579417A (en) * 2023-05-10 2023-08-11 之江实验室 Layered personalized federal learning method, device and medium in edge computing network
CN117580046A (en) * 2023-06-09 2024-02-20 西安电子科技大学 Deep learning-based 5G network dynamic security capability scheduling method
CN116708009A (en) * 2023-07-18 2023-09-05 杭州电子科技大学上虞科学与工程研究院有限公司 Network intrusion detection method based on federal learning

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
基于自组织映射网络的网络入侵检测算法设计;周丽娟;;成都大学学报(自然科学版);20180930(第03期);全文 *

Also Published As

Publication number Publication date
CN117811846A (en) 2024-04-02

Similar Documents

Publication Publication Date Title
CN113139662B (en) Global and local gradient processing method, device, equipment and medium for federal learning
CN111629380B (en) Dynamic resource allocation method for high concurrency multi-service industrial 5G network
CN110968426B (en) Edge cloud collaborative k-means clustering model optimization method based on online learning
CN112181971A (en) Edge-based federated learning model cleaning and equipment clustering method, system, equipment and readable storage medium
CN114125785A (en) Low-delay high-reliability transmission method, device, equipment and medium for digital twin network
CN109587519B (en) Heterogeneous network multipath video transmission control system and method based on Q learning
CN113537514A (en) High-energy-efficiency federal learning framework based on digital twins
CN113518007B (en) Multi-internet-of-things equipment heterogeneous model efficient mutual learning method based on federal learning
CN110856268B (en) Dynamic multichannel access method for wireless network
CN111628855A (en) Industrial 5G dynamic multi-priority multi-access method based on deep reinforcement learning
Liu et al. Fedpa: An adaptively partial model aggregation strategy in federated learning
CN113469325A (en) Layered federated learning method, computer equipment and storage medium for edge aggregation interval adaptive control
CN105379412A (en) System and method for controlling multiple wireless access nodes
Chua et al. Resource allocation for mobile metaverse with the Internet of Vehicles over 6G wireless communications: A deep reinforcement learning approach
CN115374853A (en) Asynchronous federal learning method and system based on T-Step polymerization algorithm
CN115481748A (en) Federal learning freshness optimization method and system based on digital twin assistance
CN112888004A (en) Information age optimization method for multi-source node information updating in Internet of things
CN117811846B (en) Network security detection method, system, equipment and medium based on distributed system
CN117392483A (en) Album classification model training acceleration method, system and medium based on reinforcement learning
CN109413746B (en) Optimized energy distribution method in communication system powered by hybrid energy
CN116915726A (en) Client selection method and device for split federal learning
US12015507B2 (en) Training in communication systems
CN117829274B (en) Model fusion method, device, equipment, federal learning system and storage medium
CN117557870B (en) Classification model training method and system based on federal learning client selection
CN117808125B (en) Model aggregation method, device, equipment, federal learning system and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant