CN117811846B - Network security detection method, system, equipment and medium based on distributed system - Google Patents
- Publication number
- CN117811846B, CN202410230120.4A
- Authority
- CN
- China
- Prior art keywords
- security detection
- network security
- depth
- model
- detection model
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- G06N3/045—Combinations of networks
- G06N3/098—Distributed learning, e.g. federated learning
- H04L41/142—Network analysis or design using statistical or mathematical methods
- H04L63/1441—Countermeasures against malicious traffic
- H04L67/10—Protocols in which an application is distributed across nodes in the network
Abstract
The present invention discloses a network security detection method, system, device and medium based on a distributed system, relating to the field of network security. It addresses the problem that an edge computing device using a local network security detection model of fixed size cannot achieve optimal performance. The method includes: training an initial network security detection model based on local security data; after inputting a test security data set into the initial network security detection model, adjusting the neural network depth of the initial network security detection model according to the output values corresponding to two output network blocks to obtain a local network security detection model; when a parameter update condition is met, updating the local network security detection model using the model parameters of the local network security detection model and the model parameters of associated computing devices; and performing local network security detection using the updated local network security detection model. The invention enables the edge computing device to achieve optimal local network security detection performance and reduces communication overhead and bandwidth requirements.
Description
Technical Field
The present invention relates to the field of network security, and in particular to a network security detection method, system, device and medium based on a distributed system.
Background Art
In the field of network security, to improve the detection of threats such as malware, network attacks and data leaks, multiple edge computing devices and edge cloud servers in a distributed system can collaboratively train local network security models, and the trained local network security models are then used for network security detection. At present, each edge computing device usually trains a model of fixed size, yet different edge computing devices may have different data volumes and requirements: some edge computing devices have little data and need a small model, while others have more data and need a large model. A model of uniform size cannot meet the needs of all devices, so some edge computing devices hit performance bottlenecks when using a model that is too large or too small and cannot achieve optimal network security detection performance.
Therefore, how to provide a solution to the above technical problem is a problem that those skilled in the art currently need to solve.
Summary of the Invention
The purpose of the present invention is to provide a network security detection method, system, device and medium based on a distributed system that enables edge computing devices to achieve optimal local network security detection performance while reducing communication overhead and bandwidth requirements.
To solve the above technical problem, the present invention provides a network security detection method based on a distributed system, applied to each edge computing device in the distributed system, where the edge computing devices in the distributed system are divided into multiple data homogeneity clusters according to similarity. The network security detection method includes:
training an initial network security detection model based on local security data, where the network of the initial network security detection model includes multiple neural network blocks connected in sequence, and the neural network blocks correspond to different neural network depths;
selecting two output network blocks from among the neural network blocks and, after inputting a test security data set into the initial network security detection model, adjusting the neural network depth of the initial network security detection model according to the output values corresponding to the two output network blocks to obtain a local network security detection model;
when a parameter update condition is met, updating the local network security detection model using the model parameters of the local network security detection model and the model parameters of associated computing devices, where an associated computing device is an edge computing device that is in the same data homogeneity cluster as the device itself and is connected to it;
performing local network security detection using the updated local network security detection model.
The process of adjusting the neural network depth of the initial network security detection model according to the output values corresponding to the two output network blocks to obtain the local network security detection model includes:
obtaining a first output value corresponding to the first output network block and a second output value corresponding to the second output network block, where the neural network depth of the first output network block is less than that of the second output network block;
determining a depth adjustment strategy based on the first output value and the second output value;
adjusting the neural network depth of the initial network security detection model according to the depth adjustment strategy to obtain the local network security detection model.
The process of determining the depth adjustment strategy based on the first output value and the second output value includes:
determining the absolute value of the difference between the first output value and the second output value;
determining a depth adjustment direction based on the magnitude relationship between the first output value and the second output value, where the depth adjustment direction is depth rollback or depth deepening;
determining, based on the magnitude relationship between the absolute value and a preset value, the adjustment condition satisfied by the performance gap between a shallow network model and a deep network model, where the shallow network model is obtained from the first output network block, the deep network model is obtained from the second output network block, and the adjustment condition is an immediate adjustment condition or a step adjustment condition;
determining the depth adjustment strategy based on the depth adjustment direction and the adjustment condition satisfied by the performance gap.
The process of determining the depth adjustment direction based on the magnitude relationship between the first output value and the second output value includes:
when the first output value is greater than the second output value, the depth adjustment direction is depth rollback;
when the first output value is less than the second output value, the depth adjustment direction is depth deepening.
The process of determining, based on the magnitude relationship between the absolute value and the preset value, the adjustment condition satisfied by the performance gap between the shallow network model and the deep network model includes:
when the absolute value is less than the preset value, determining that the performance gap between the shallow network model and the deep network model satisfies the step adjustment condition;
when the absolute value is greater than or equal to the preset value, determining that the performance gap between the shallow network model and the deep network model satisfies the immediate adjustment condition.
The process of determining the depth adjustment strategy based on the depth adjustment direction and the adjustment condition satisfied by the performance gap includes:
when the depth adjustment direction is depth rollback and the performance gap satisfies the immediate adjustment condition, determining that the depth adjustment strategy is a depth rollback immediate adjustment strategy.
The process of adjusting the neural network depth of the initial network security detection model according to the depth adjustment strategy to obtain the local network security detection model includes:
when the depth adjustment strategy is the depth rollback immediate adjustment strategy, calculating a rollback depth using a first relational expression corresponding to the depth rollback immediate adjustment strategy;
adjusting the neural network depth of the initial network security detection model by the rollback depth to obtain the local network security detection model.
The first relational expression is $f_1(k)=\eta\times e^{k}$, where $f_1(k)$ is the rollback depth, $\eta$ is a hyperparameter, and $k$ is the absolute value.
The process of determining the depth adjustment strategy based on the depth adjustment direction and the adjustment condition satisfied by the performance gap includes:
when the depth adjustment direction is depth rollback and the performance gap satisfies the step adjustment condition, determining that the depth adjustment strategy is a depth rollback step adjustment strategy, and writing a step rollback into a preset storage space as the current record.
The process of adjusting the neural network depth of the initial network security detection model according to the depth adjustment strategy to obtain the local network security detection model includes:
when the depth adjustment strategy is the depth rollback step adjustment strategy, obtaining a preset number of consecutive records, including the current record, from the preset storage space; if all of these records are step rollbacks, rolling the neural network depth of the initial network security detection model back by one layer to obtain the local network security detection model.
The process of determining the depth adjustment strategy based on the depth adjustment direction and the adjustment condition satisfied by the performance gap includes:
when the depth adjustment direction is depth deepening and the performance gap satisfies the immediate adjustment condition, determining that the depth adjustment strategy is a depth deepening immediate adjustment strategy.
The process of adjusting the neural network depth of the initial network security detection model according to the depth adjustment strategy to obtain the local network security detection model includes:
when the depth adjustment strategy is the depth deepening immediate adjustment strategy, calculating a deepening depth using a second relational expression corresponding to the depth deepening immediate adjustment strategy;
adjusting the neural network depth of the initial network security detection model by the deepening depth to obtain the local network security detection model.
The second relational expression is $f_2(k)=\eta\times e^{k}$, where $f_2(k)$ is the deepening depth, $\eta$ is a hyperparameter, and $k$ is the absolute value.
The process of determining the depth adjustment strategy based on the depth adjustment direction and the adjustment condition satisfied by the performance gap includes:
when the depth adjustment direction is depth deepening and the performance gap satisfies the step adjustment condition, determining that the depth adjustment strategy is a depth deepening step adjustment strategy, and writing a step deepening into the preset storage space as the current record.
The process of adjusting the neural network depth of the initial network security detection model according to the depth adjustment strategy to obtain the local network security detection model includes:
when the depth adjustment strategy is the depth deepening step adjustment strategy, obtaining a preset number of consecutive records, including the current record, from the preset storage space; if all of these records are step deepenings, deepening the neural network depth of the initial network security detection model by one layer to obtain the local network security detection model.
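The four depth adjustment strategies described above (direction from the sign of the difference, immediate versus step from the preset value, then $f(k)=\eta\times e^{k}$ or a one-layer move after a run of identical step records), as an added Python example that is not code from the patent. The class name `DepthController`, rounding $f(k)$ to whole layers, clamping the depth to `1..max_depth`, and making no change when the two output values are equal are assumptions; the text does not specify them.

```python
import math
from collections import deque
from dataclasses import dataclass, field

ROLLBACK, DEEPEN = "rollback", "deepen"


@dataclass
class DepthController:
    depth: int      # number of neural network blocks currently in use
    max_depth: int  # assumed upper bound: blocks available in the model
    eta: float      # hyperparameter eta of f(k) = eta * e^k
    preset: float   # preset value that k = |first - second| is compared with
    window: int     # preset number of consecutive step records required
    records: deque = field(init=False)  # stands in for the preset storage space

    def __post_init__(self):
        # Only the most recent `window` step records are ever inspected.
        self.records = deque(maxlen=self.window)

    def adjust(self, first: float, second: float) -> str:
        """Apply one adjustment round and return the strategy that was chosen.

        `first` is the output value of the shallower output block,
        `second` the output value of the deeper one.
        """
        if first == second:
            return "none"  # assumption: the text only defines > and <

        k = abs(first - second)
        direction = ROLLBACK if first > second else DEEPEN
        sign = -1 if direction == ROLLBACK else 1

        if k >= self.preset:
            # Immediate adjustment: move by f(k) = eta * e^k layers.
            # Rounding to at least one whole layer is an assumption.
            layers = max(1, round(self.eta * math.exp(k)))
            self._move(sign * layers)
            return f"{direction}-immediate"

        # Step adjustment: record the step, then move one layer only if the
        # last `window` records (current one included) all agree.
        self.records.append(direction)
        if len(self.records) == self.window and all(
            r == direction for r in self.records
        ):
            self._move(sign)
        return f"{direction}-step"

    def _move(self, delta: int) -> None:
        # Clamp so the model keeps at least one block (assumption).
        self.depth = min(self.max_depth, max(1, self.depth + delta))


def demo() -> list:
    """Constructed output values; returns the depth after each round."""
    ctl = DepthController(depth=6, max_depth=12, eta=2.0, preset=0.1, window=3)
    rounds = [(0.80, 0.78), (0.80, 0.78), (0.80, 0.78), (0.60, 0.95)]
    trace = []
    for first, second in rounds:
        ctl.adjust(first, second)
        trace.append(ctl.depth)
    return trace


if __name__ == "__main__":
    print(demo())
```

Because only step records are written to the storage, an immediate adjustment does not interrupt a run of step records in this sketch; whether it should is left open by the text.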
The process of selecting two output network blocks from among the neural network blocks includes:
selecting two adjacent neural network blocks from among the neural network blocks as the output network blocks.
The process of updating the local network security detection model using the model parameters of the local network security detection model and the model parameters of the associated computing devices includes:
obtaining the model parameters of the local network security detection model and sending them to each associated computing device;
receiving the model parameters sent by each associated computing device;
calculating a neighborhood average over the model parameters of the local network security detection model and the model parameters sent by each associated computing device;
updating the local network security detection model based on the neighborhood average.
The process of obtaining the model parameters of the local network security detection model and sending them to each associated computing device includes:
obtaining the model parameters of the standard depth of the local network security detection model and sending the model parameters of the standard depth to each associated computing device.
After receiving the model parameters sent by each associated computing device, the network security detection method further includes:
for the model parameters sent by each associated computing device, determining whether the neural network depth corresponding to those model parameters is greater than the neural network depth of the local network security detection model; if so, determining as target model parameters those of the sent model parameters whose neural network depth is the same as that of the local network security detection model; if not, determining the model parameters sent by the associated computing device as the target model parameters.
The process of calculating the neighborhood average over the model parameters of the local network security detection model and the model parameters sent by each associated computing device includes:
calculating the neighborhood average over the model parameters of the local network security detection model and each of the target model parameters.
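The neighborhood update with depth matching described above, as an added Python example that is not code from the patent. It assumes parameters are exchanged as a list with one flattened weight vector per neural network block, that "the model parameters with the same depth as the local model" means the first blocks up to the local depth, and that a shallower peer contributes only to the blocks it has. The shape and finiteness check on received parameters is a defensive addition of this example, not a step in the patent.

```python
import math
from typing import Dict, List, Tuple

Layer = List[float]   # flattened weights of one neural network block
Params = List[Layer]  # index d holds the block at depth d + 1


def target_params(local: Params, peer: Params) -> Params:
    """Select the target model parameters from what a peer sent.

    A deeper peer is cut down to the local depth; a peer of equal or
    smaller depth is used as received.
    """
    return peer[: len(local)] if len(peer) > len(local) else peer


def is_well_formed(local: Params, target: Params) -> bool:
    """Added sanity check: same block sizes as the local model, finite values."""
    for own, theirs in zip(local, target):
        if len(own) != len(theirs):
            return False
        if not all(math.isfinite(w) for w in theirs):
            return False
    return len(target) > 0


def neighborhood_average(
    local: Params, peers: Dict[str, Params]
) -> Tuple[Params, List[str]]:
    """Average local parameters with each peer's target parameters.

    Returns the updated parameters and the names of rejected peers.
    """
    contributions: List[Params] = [local]
    rejected: List[str] = []
    for name, sent in peers.items():
        target = target_params(local, sent)
        if is_well_formed(local, target):
            contributions.append(target)
        else:
            rejected.append(name)

    updated: Params = []
    for d in range(len(local)):
        # Only devices that actually have a block at this depth take part.
        layers = [p[d] for p in contributions if len(p) > d]
        updated.append([sum(ws) / len(layers) for ws in zip(*layers)])
    return updated, rejected


# Constructed sample: local model of depth 2 and three associated devices.
SAMPLE_LOCAL: Params = [[1.0, 1.0], [2.0, 2.0]]
SAMPLE_PEERS: Dict[str, Params] = {
    "deep": [[3.0, 3.0], [4.0, 4.0], [9.0, 9.0]],   # depth 3, cut to depth 2
    "shallow": [[5.0, 5.0]],                         # depth 1, block 1 only
    "bad": [[float("nan"), 0.0], [0.0, 0.0]],        # non-finite, rejected
}

if __name__ == "__main__":
    print(neighborhood_average(SAMPLE_LOCAL, SAMPLE_PEERS))
```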
After updating the local network security detection model using the model parameters of the local network security detection model and the model parameters of the associated computing devices, the network security detection method further includes:
when an intra-cluster aggregation condition is met and the device itself is not the cluster head device, sending the model parameters of the local network security detection model to the cluster head device of the data homogeneity cluster in which the device is located, so that the cluster head device obtains in-cluster global model parameters from the model parameters of all edge computing devices in its data homogeneity cluster;
when the in-cluster global model parameters are obtained, updating the local network security detection model using the in-cluster global model parameters, so that local network security detection is performed using the updated local network security detection model.
The process of obtaining the in-cluster global model parameters from the model parameters of all edge computing devices in the data homogeneity cluster includes:
calculating the in-cluster global model parameters using a third relational expression; the third relational expression is ;
where α is a hyperparameter, is the in-cluster global model parameter of round t stored by the cluster head device of the c-th data homogeneity cluster, is the in-cluster global model parameter of the c-th data homogeneity cluster in round t+1, c is the index of the data homogeneity cluster, is the model parameter of the j-th associated computing device in the device set $N_i$ of the data homogeneity cluster after the l-th update in round t, $N_i$ is the set of associated computing devices that have a connection relationship with the i-th edge computing device in the data homogeneity cluster, i is the index of the edge computing device in the data homogeneity cluster, j is the index of the associated computing device in the device set, and $|N_i|$ is the total number of edge computing devices in the data homogeneity cluster.
After the in-cluster global model parameters are obtained and the local network security detection model is updated using them, the network security detection method further includes:
when a global condition is met and the device itself is the cluster head device, sending the in-cluster global model parameters to the edge cloud server in the distributed system, so that the edge cloud server obtains a global model from the in-cluster global model parameters sent by the cluster head devices of all data homogeneity clusters in the distributed system;
after the global model is received, updating the model parameters of the local network security detection model based on the model parameters of the global model, so that local network security detection is performed using the updated local network security detection model.
The process of obtaining the global model from the in-cluster global model parameters sent by the cluster head devices of all data homogeneity clusters in the distributed system includes:
calculating the global model using a fourth relational expression; the fourth relational expression is ;
where C is the number of cluster head devices, is the global model of round t+1, is the model parameter of the c-th data homogeneity cluster in round t+1 with respect to the data sample loss function L, and c is the index of the data homogeneity cluster.
Before training the initial network security detection model based on the local security data, the network security detection method further includes:
receiving the data homogeneity clusters divided by the edge cloud server in the distributed system based on similarity, together with the connection relationships among the edge computing devices within each data homogeneity cluster, so that the device can determine its own associated computing devices from the data homogeneity cluster and the connection relationships.
The process by which the edge cloud server in the distributed system divides the data homogeneity clusters based on similarity includes:
the edge cloud server in the distributed system obtaining the test results that each edge computing device in the distributed system produced on the test security data set;
constructing a weighted undirected graph over all the edge computing devices according to the similarity of their test results;
partitioning all the edge computing devices using the weighted undirected graph to obtain multiple data homogeneity clusters.
To solve the above technical problem, the present invention also provides a network security detection system based on a distributed system, applied to each edge computing device in the distributed system, where the edge computing devices in the distributed system are divided into multiple data homogeneity clusters according to similarity. The network security detection system includes:
a training module, configured to train an initial network security detection model based on local security data, where the network of the initial network security detection model includes multiple neural network blocks connected in sequence, and the neural network blocks correspond to different neural network depths;
a selection module, configured to select two output network blocks from among the neural network blocks and, after a test security data set is input into the initial network security detection model, adjust the neural network depth of the initial network security detection model according to the output values corresponding to the two output network blocks to obtain a local network security detection model;
an update module, configured to update the local network security detection model, when a parameter update condition is met, using the model parameters of the local network security detection model and the model parameters of associated computing devices, where an associated computing device is an edge computing device that is in the same data homogeneity cluster as the device itself and is connected to it;
a detection module, configured to perform local network security detection using the updated local network security detection model.
To solve the above technical problem, the present invention also provides an edge computing device, including:
a memory, configured to store a computer program;
a processor, configured to implement, when executing the computer program, the steps of the network security detection method based on a distributed system as described in any one of the above.
To solve the above technical problem, the present invention also provides a distributed system, including:
multiple edge computing devices as described above;
an edge cloud server, configured to output a test data set and a clustering result to each edge computing device, where the clustering result includes the data homogeneity cluster in which the edge computing device is located and the associated computing devices connected to the edge computing device.
To solve the above technical problem, the present invention also provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, the steps of the network security detection method based on a distributed system as described in any one of the above are implemented.
The present invention provides a network security detection method based on a distributed system in which the neural network depth of the local network security detection model of each edge computing device can be adjusted dynamically, to better adapt to the requirements of diverse tasks and let the edge computing device achieve optimal local network security detection performance. At the same time, edge computing devices can update model parameters within their data homogeneity cluster, without uploading model parameters to the edge cloud server in every communication, which reduces communication overhead and bandwidth requirements. The present invention also provides a network security detection system based on a distributed system, an edge computing device, a distributed system and a computer-readable storage medium, which have the same beneficial effects as the above network security detection method based on a distributed system.
BRIEF DESCRIPTION OF THE DRAWINGS
In order to illustrate the embodiments of the present invention more clearly, the drawings required by the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention. A person of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
FIG. 1 is a flow chart of the steps of a network security detection method based on a distributed system provided by the present invention;
FIG. 2 is a schematic structural diagram of a heterogeneous distributed system provided by the present invention;
FIG. 3 is a schematic diagram of a neural network model provided by the present invention;
FIG. 4 is a schematic structural diagram of a weighted undirected graph provided by the present invention;
FIG. 5 is a schematic diagram of clustering provided by the present invention;
FIG. 6 is a schematic structural diagram of a network security detection system based on a distributed system provided by the present invention;
FIG. 7 is a schematic structural diagram of an edge computing device provided by the present invention;
FIG. 8 is a schematic structural diagram of a distributed system provided by the present invention;
FIG. 9 is a schematic structural diagram of a computer-readable storage medium provided by the present invention.
DETAILED DESCRIPTION
The core of the present invention is to provide a network security detection method, system, device and medium based on a distributed system, which enable edge computing devices to achieve optimal local network security detection performance while reducing communication overhead and bandwidth requirements.
In order to make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
In the first aspect, please refer to FIG. 1, which is a flow chart of the steps of a network security detection method based on a distributed system provided by the present invention. The network security detection method is applied to each edge computing device in the distributed system, and the edge computing devices in the distributed system are divided by similarity into multiple data homogeneity clusters. FIG. 2 is a schematic structural diagram of a distributed system provided by this embodiment, which includes an edge cloud server and multiple edge computing devices. Any two edge computing devices may or may not exchange data with each other, and every edge computing device interacts with the edge server. The network security detection method is described below using one edge computing device as an example. The network security detection method includes:
S101: training an initial network security detection model based on local security data, where the network of the initial network security detection model includes a plurality of neural network blocks connected in sequence, and the plurality of neural network blocks correspond to different neural network depths;
In this embodiment, the edge computing device trains a model on local security data to obtain the initial network security detection model. The initial network security detection model is a stack of multiple Block modules (neural network blocks) with a fixed layer structure. Each neural network block contains a convolution layer, a batch normalization layer, a pooling layer and an activation function. The connections between the neural network blocks must keep the overall network structure consistent, so that the blocks work together, process the input data effectively, and let gradients propagate correctly and update the parameters. This embodiment assigns a Block number to each neural network block. As shown in FIG. 3, from shallow to deep they are B1, B2, ..., BT. The initial state of the local network security detection model of each edge computing device is defined as the neural network blocks numbered B1, B2, ..., BT connected in sequence. The output layer of each neural network block is connected to a model depth switching controller. Specifically, the model depth switching controller can be connected to any two neural network blocks of different neural network depths. The model depth switching controller is connected to an output layer module, which contains multiple fully connected layers and activation function layers and converts the backbone network features into output probabilities. In this embodiment, the output layer module contains output layers for two branches, each connected to the model depth switching controller. During initial training, the model depth switching controller is connected to two adjacent shallower neural network blocks. This depth value is determined by the initialization parameter h, which can be set to 5 as an optional embodiment.
S102: selecting two output network blocks from the plurality of neural network blocks and, after the test security data set is input into the initial network security detection model, adjusting the neural network depth of the initial network security detection model according to the output values corresponding to the two output network blocks to obtain a local network security detection model;
In order to obtain a more accurate neural network depth, this embodiment tests the local network security detection model on the test data set after the model training period is fixed. The test data set is issued by the edge cloud server, and every edge computing device tests its initial network security detection model on the same test data set. This embodiment can choose to run the test after the local network security detection model has been trained C times, where C is a hyperparameter.
First, two output network blocks are selected from the plurality of neural network blocks. The output layer of the first output network block is connected to the first access terminal of the model depth switching controller, and the output layer of the second output network block is connected to the second access terminal of the model depth switching controller. The output layer of the first branch of the output layer module is connected to the first output terminal of the model depth switching controller, and the output layer of the second branch of the output layer module is connected to the second output terminal of the model depth switching controller. After the test data set is input into the initial network security detection model, the test results of all test samples are obtained and output by the output layer module. The output value of the first branch's output layer is the test result of the first output network block, and the output value of the second branch's output layer is the test result of the second output network block. For example, for a classification task, the classification results of all test samples are obtained and judged, and the average accuracy is calculated.
The output layer module sends the test-data-set outputs of the two branches, which correspond to different neural network depths, to a decision maker. The decision maker determines whether to change the neural network depth of the initial network security detection model. If it decides to adjust, the current neural network depth of the initial network security detection model is backed off or deepened according to the corresponding adjustment strategy to obtain the local network security detection model, so that the edge computing device can achieve optimal network security detection performance.
S103: when a parameter update condition is met, updating the local network security detection model using the model parameters of the local network security detection model and the model parameters of the associated computing devices, where an associated computing device is an edge computing device that is in the same data homogeneity cluster as the device itself and is connected to it;
S104: performing local network security detection using the updated local network security detection model.
It can be understood that the distributed system includes one edge cloud server and multiple edge computing devices. In existing federated learning schemes, all edge computing devices need to send their local network security detection models to the edge cloud server for aggregation. The bandwidth of the edge cloud server is limited, and transmitting a large number of model parameters affects the efficiency of model updating in federated learning. In addition, the data sets stored on the edge computing devices suffer from problems such as data heterogeneity. Simply aggregating many models causes the federated aggregated model to have offset errors on different federated computing devices, because the aggregated model is a composite that blends the data characteristics of all federated devices, and this can even cause model degradation. For this reason, this embodiment first clusters the edge computing devices in the heterogeneous distributed system based on the data heterogeneity of each edge computing device.
In an exemplary embodiment, before training the initial network security detection model based on local security data, the network security detection method based on the distributed system further includes:
Receiving the data homogeneity clusters divided based on similarity by the edge cloud server in the distributed system, together with the connection relationships between the edge computing devices within each data homogeneity cluster, so as to determine the device's own associated computing devices based on the data homogeneity clusters and the connection relationships.
In an exemplary embodiment, the process by which the edge cloud server in the distributed system divides the data homogeneity clusters based on similarity includes:
The edge cloud server in the distributed system obtains the test results that each edge computing device in the distributed system produced on the test security data set;
A weighted undirected graph over all edge computing devices is constructed according to the similarity of the test results of all edge computing devices;
The weighted undirected graph is used to divide all edge computing devices into multiple data homogeneity clusters.
Assuming there are N edge computing devices in total, this embodiment first builds a weighted undirected graph over all devices. First, all edge computing devices perform one round of local model training, that is, each edge computing device trains on its local security data set to obtain a local network security detection model. The edge cloud server searches the public network for public data, builds a test data set for this federated learning task, and sends the test data set to each edge computing device. The edge computing device stores the test data set, tests the public data set with its local network security detection model, and uploads the test results to the edge cloud server. Because the data owned by the edge computing devices is heterogeneous, that is, each edge computing device has limited data that mostly contains samples of only a few categories, the results of testing on the test data set also differ from device to device and are biased. All edge computing devices upload their test results on the public test data set to the edge cloud server, and the edge cloud server uses the test results of all devices to build the weighted undirected graph.
Specifically, the edge cloud server uses a vector similarity measure, such as the Jaccard similarity coefficient, to calculate the similarity of the test results of all edge computing devices and sorts the neighbors. The Jaccard similarity coefficient is commonly used to calculate the similarity between sets and can also be used for binary vectors. For two binary vectors A and B, the Jaccard similarity coefficient is calculated as similarity = |A∩B| / |A∪B|, where A∩B denotes the intersection of vectors A and B, and A∪B denotes their union. For example, if the test result of device A is the binary vector [1,0,0,0,...1,1,1,0] and the classification result of device B is the binary vector [0,1,1,0,...1,1,1,0], the Jaccard similarity coefficient gives the result similarity of device A and device B. This is only one particular example of how the result similarity of edge computing devices can be computed, and the scope of protection is not limited to this calculation method.
The edge cloud server traverses the test results of all edge computing devices, calculates the result similarity between each edge computing device and every other edge computing device, and constructs the edges between them according to the similarity value. That is, when the result similarity is greater than P, a connecting edge is constructed between the two similar edge computing devices, and the weight of that edge is the computed result similarity. P is a manually set initial threshold. When the result similarity is less than P, no connecting edge is established between the two edge computing devices. The resulting weighted undirected graph over all edge computing devices is shown in FIG. 4, which illustrates six edge computing devices, device 1 to device 6.
Each edge computing device in the weighted undirected graph is initialized as its own homogeneity cluster, that is, the label of each edge computing device is initially the identifier of the device itself. The labels are then updated iteratively by visiting every edge computing device in a fixed or random order and considering the labels of its neighbors: for the current edge computing device, collect the labels of its neighboring edge computing devices, count the occurrences of each label among the neighbors, select the label that occurs most often as the new label, and update the label of the current edge computing device to it. After each iteration, the change in labels is checked by comparing the labels of the current iteration with those of the previous one. If the amount of change is below a set threshold, that is, the labels are essentially stable, the algorithm is considered to have converged and the iteration terminates. If the labels are still changing, the label propagation step is repeated.
When the algorithm has converged, the final label propagation result is obtained, and the edge computing devices with the same label are placed in the same data homogeneity cluster. Each data homogeneity cluster is thus the set of edge computing devices that share a label. The edge cloud server sends the data homogeneity clusters and the connection relationships within each cluster to all edge computing devices. Each edge computing device obtains the device numbers of the edge computing devices that are connected to it and share its data homogeneity, and later uses these device numbers to update model parameters with its neighbors in the same cluster. One such division is shown in FIG. 5: label A represents one data homogeneity cluster and label B another, label A contains device 1 and device 2, and label B contains device 3 to device 6. To perform federated learning, the present invention needs to select a cluster head for each cluster. The selection principle is communication efficiency or proximity: the edge computing device that is closest to the other edge computing devices, or that communicates fastest with the other edge computing devices in the data homogeneity cluster, is selected as the cluster head. This reduces communication distance and delay and improves communication efficiency. The edge cloud server selects the cluster head of each data homogeneity cluster according to the communication rate of its data exchange with all edge computing devices, and sends the device number of the cluster head to the edge computing devices of that cluster.
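The clustering procedure described above (Jaccard similarity, thresholded weighted graph, label propagation, associated devices), as an added example that is not code from the patent. The result vectors, the threshold value 0.5, the tie-breaking rule and all function names are assumptions made for this illustration.

```python
from collections import Counter

# Constructed sample: per-device binary test-result vectors (1 = test sample
# classified correctly). Device numbers follow the FIG. 5 description; the
# vectors themselves are made up for this illustration.
RESULTS = {
    1: [1, 1, 1, 1, 0, 0, 0, 0],
    2: [1, 1, 1, 0, 0, 0, 0, 1],
    3: [0, 0, 0, 0, 1, 1, 1, 1],
    4: [0, 0, 0, 1, 1, 1, 1, 1],
    5: [0, 0, 0, 0, 1, 1, 1, 0],
    6: [0, 0, 1, 0, 0, 1, 1, 1],
}
P = 0.5  # similarity threshold (constructed value)


def jaccard(a, b):
    """Jaccard coefficient |A∩B| / |A∪B| of two equal-length binary vectors."""
    if len(a) != len(b):
        raise ValueError("result vectors must have the same length")
    inter = sum(1 for x, y in zip(a, b) if x and y)
    union = sum(1 for x, y in zip(a, b) if x or y)
    # Assumption: two all-zero vectors are treated as identical.
    return inter / union if union else 1.0


def build_graph(results, p):
    """Weighted undirected graph: an edge exists only when similarity > p."""
    graph = {dev: {} for dev in results}
    devices = sorted(results)
    for i, a in enumerate(devices):
        for b in devices[i + 1:]:
            sim = jaccard(results[a], results[b])
            if sim > p:
                graph[a][b] = sim
                graph[b][a] = sim
    return graph


def label_propagation(graph, tol=0, max_iter=100):
    """Each device starts with its own id as label and adopts the label that
    occurs most often among its neighbours, visiting devices in a fixed order."""
    labels = {dev: dev for dev in graph}
    for _ in range(max_iter):
        changed = 0
        for dev in sorted(graph):
            counts = Counter(labels[n] for n in graph[dev])
            if not counts:
                continue  # isolated device keeps its own label
            top = max(counts.values())
            candidates = [lab for lab, c in counts.items() if c == top]
            # Assumption (tie-break): keep the current label if it is among
            # the most frequent ones, otherwise take the smallest candidate.
            if labels[dev] in candidates:
                continue
            labels[dev] = min(candidates)
            changed += 1
        if changed <= tol:  # labels stable: converged
            break
    return labels


def clusters_from_labels(labels):
    """Group devices that share a label into data homogeneity clusters."""
    clusters = {}
    for dev, lab in labels.items():
        clusters.setdefault(lab, []).append(dev)
    return sorted(sorted(members) for members in clusters.values())


def associated_devices(graph, labels, dev):
    """Devices in the same cluster that also share an edge with `dev`."""
    return sorted(n for n in graph[dev] if labels[n] == labels[dev])


if __name__ == "__main__":
    g = build_graph(RESULTS, P)
    lab = label_propagation(g)
    print("clusters:", clusters_from_labels(lab))
    for device in sorted(g):
        print(device, "associated with", associated_devices(g, lab, device))
```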
When the parameter update condition is met, the local network security detection model is updated using the model parameters of the local network security detection model and the model parameters of the associated computing devices. An associated computing device is an edge computing device that is in the same data homogeneity cluster as this edge computing device and shares a connecting edge with it. During the intra-cluster model update, each edge computing device first aggregates model parameters with the associated edge computing devices it is connected to within the cluster. This accelerates model convergence and makes the classification of homogeneous devices in the cluster more accurate, because the models of the devices with the most similar data types are aggregated and updated together to obtain more information.
After the local network security detection model has been updated using its own model parameters and the model parameters of the associated computing devices, local network security detection is performed with that model, so that the edge computing device achieves optimal local network security detection performance.
It can be seen that in this embodiment, the neural network depth of the local network security detection model of each edge computing device in the distributed system can be adjusted dynamically to better adapt to the requirements of diverse tasks, so that the edge computing device achieves optimal local network security detection performance. At the same time, the edge computing device can update model parameters within its data homogeneity cluster, without uploading model parameters to the edge cloud server on every communication, which reduces communication overhead and bandwidth requirements.
Based on the above embodiments:
In an exemplary embodiment, the process of adjusting the neural network depth of the initial network security detection model according to the output values corresponding to the two output network blocks to obtain the local network security detection model includes:
Obtaining a first output value corresponding to the first output network block and a second output value corresponding to the second output network block, where the neural network depth of the first output network block is less than that of the second output network block;
Determining a depth adjustment strategy based on the first output value and the second output value;
Adjusting the neural network depth of the initial network security detection model according to the depth adjustment strategy to obtain the local network security detection model.
In this embodiment, the first output network block is shallower than the second output network block. The output value of the output branch corresponding to the shallow output network block is denoted q, and the output value of the output branch corresponding to the deep output network block is denoted d. The absolute value of the difference between the shallow and deep output values is k = |q - d|. It can be understood that the depth adjustment direction can be determined from the magnitude relationship between q and d, and the size of the performance gap between the deep network model and the shallow network model can be determined from the magnitude relationship between k and the preset value beta.
In an exemplary embodiment, the process of determining the depth adjustment strategy based on the first output value and the second output value includes:
Determining the absolute value of the difference between the first output value and the second output value;
Determining the depth adjustment direction based on the magnitude relationship between the first output value and the second output value, where the depth adjustment direction is depth backoff or depth deepening;
Determining, based on the magnitude relationship between the absolute value and the preset value, the adjustment condition satisfied by the performance gap between the shallow network model and the deep network model, where the shallow network model is obtained from the first output network block, the deep network model is obtained from the second output network block, and the adjustment condition is an immediate adjustment condition or a step adjustment condition;
Determining the depth adjustment strategy based on the depth adjustment direction and the adjustment condition satisfied by the performance gap.
In an exemplary embodiment, the process of determining the depth adjustment direction based on the magnitude relationship between the first output value and the second output value includes:
When the first output value is greater than the second output value, the depth adjustment direction is depth backoff;
When the first output value is less than the second output value, the depth adjustment direction is depth deepening.
In an exemplary embodiment, the process of determining the adjustment condition satisfied by the performance gap between the shallow network model and the deep network model based on the magnitude relationship between the absolute value and the preset value includes:
When the absolute value is less than the preset value, determining that the performance gap between the shallow network model and the deep network model satisfies the step adjustment condition;
When the absolute value is greater than or equal to the preset value, determining that the performance gap between the shallow network model and the deep network model satisfies the immediate adjustment condition.
In an exemplary embodiment, the process of determining the depth adjustment strategy based on the depth adjustment direction and the adjustment condition satisfied by the performance gap includes:
When the depth adjustment direction is depth backoff and the performance gap satisfies the immediate adjustment condition, determining that the depth adjustment strategy is the depth backoff immediate adjustment strategy;
The process of adjusting the neural network depth of the initial network security detection model according to the depth adjustment strategy to obtain the local network security detection model includes:
When the depth adjustment strategy is the depth backoff immediate adjustment strategy, calculating the backoff depth using the first relational expression corresponding to the depth backoff immediate adjustment strategy;
Adjusting the neural network depth of the initial network security detection model by the backoff depth to obtain the local network security detection model;
The first relational expression is $f_1(k) = \eta \times e^{k}$, where $f_1(k)$ is the backoff depth, $\eta$ is a hyperparameter, and $k$ is the absolute value.
In this embodiment, if q>d and k>beta, the output of the shallow network model is better than the output of the deep network model and the performance gap is large. The decision maker then outputs a depth backoff decision, and the backoff depth is obtained from the first relational expression.
In an exemplary embodiment, the process of determining the depth adjustment strategy based on the depth adjustment direction and the adjustment condition satisfied by the performance gap includes:
When the depth adjustment direction is depth backoff and the performance gap satisfies the step adjustment condition, determining that the depth adjustment strategy is the depth backoff step adjustment strategy, and writing a step backoff into the preset storage space as the current record;
The process of adjusting the neural network depth of the initial network security detection model according to the depth adjustment strategy to obtain the local network security detection model includes:
When the depth adjustment strategy is the depth backoff step adjustment strategy, obtaining from the preset storage space a preset number of consecutive records including the current record, and, if all of these records are step backoffs, backing off the neural network depth of the initial network security detection model by one layer to obtain the local network security detection model.
In this embodiment, if q>d and k<beta, the output of the shallow network model is better than the output of the deep network model but the performance improvement is small. The model depth may need a step adjustment, but it is not adjusted immediately. The decision maker records the result in its memory unit and reads the three most recent records from the memory unit to make its judgment. If a step backoff was needed three times in a row, the decision maker outputs a depth backoff decision and backs off by 1 layer.
In an exemplary embodiment, the process of determining the depth adjustment strategy based on the depth adjustment direction and the adjustment condition satisfied by the performance gap includes:
When the depth adjustment direction is depth deepening and the performance gap satisfies the immediate adjustment condition, the depth adjustment strategy is determined to be the depth deepening immediate adjustment strategy;
The process of adjusting the neural network depth of the initial network security detection model according to the depth adjustment strategy to obtain the local network security detection model includes:
When the depth adjustment strategy is the depth deepening immediate adjustment strategy, the deepening depth is calculated using the second relation corresponding to the depth deepening immediate adjustment strategy;
The neural network depth of the initial network security detection model is adjusted by the deepening depth to obtain the local network security detection model;
The second relation is $f_2(k) = \eta \times e^{k}$, where $f_2(k)$ is the deepening depth, $\eta$ is a hyperparameter, and k is the absolute value.
In this embodiment, if q < d and k > beta, the output of the deep network model is better than the output of the shallow network model and the performance gap is large. The decision maker then outputs a deepening decision, and the deepening depth is obtained from the second relation.
In an exemplary embodiment, the process of determining the depth adjustment strategy based on the depth adjustment direction and the adjustment condition satisfied by the performance gap includes:
When the depth adjustment direction is depth deepening and the performance gap satisfies the step adjustment condition, the depth adjustment strategy is determined to be the depth deepening step adjustment strategy, and a step deepening is written into the preset storage space as the current record;
The process of adjusting the neural network depth of the initial network security detection model according to the depth adjustment strategy to obtain the local network security detection model includes:
When the depth adjustment strategy is the depth deepening step adjustment strategy, a preset number of consecutive records, including the current record, are read from the preset storage space; if all of these records are step deepenings, the neural network depth of the initial network security detection model is deepened by one layer to obtain the local network security detection model.
In this embodiment, if q < d and k < beta, the output of the deep network model is better than the output of the shallow network model but the performance improvement is small, so the model depth may need a step deepening but is not adjusted immediately. The decision maker records the result in its memory unit and reads the latest three records from the memory unit; if three consecutive records call for a step deepening, the decision maker outputs a depth deepening decision and deepens by 1 layer.
The depth adjustment mechanism in this embodiment can make the model both deeper and shallower, and can adjust both quickly and slowly, which makes it more flexible. The decision maker feeds its output decision back to the model depth switching controller, and the depth model controller executes the depth switch, deepening or rolling back relative to the current model depth reference layer.
In an exemplary embodiment, the process of selecting two output network blocks from the plurality of neural network blocks includes:
Two adjacent neural network blocks are selected from the plurality of neural network blocks as the output network blocks.
The adaptive model growth provided in this embodiment overcomes the limitations of traditional fixed-size models by gradually increasing model capacity and complexity on edge computing devices. It can handle diverse tasks: as federated learning involves more types of tasks and data, adaptive model growth allows model capacity to be increased on the local device according to task complexity, so the model better meets the requirements of diverse tasks. It can improve model performance: by gradually increasing model capacity, adaptive model growth overcomes the capacity limits that a fixed-size model may run into, improving the performance and representational power of the model and helping it capture the features and patterns of the data. It can reduce communication overhead: in traditional federated learning every communication uploads the complete model parameters, whereas adaptive model growth allows more local training and updating on the local device, reducing communication overhead and bandwidth requirements. It can improve data privacy: with adaptive model growth, more of the training data stays on the device and only the incremental parameters of the model need to be uploaded, which helps protect data privacy.
In an exemplary embodiment, the process of updating the local network security detection model using the model parameters of the local network security detection model and the model parameters of the associated computing devices includes:
Obtaining the model parameters of the local network security detection model and sending them to each associated computing device;
Receiving the model parameters sent by each associated computing device;
Calculating a neighborhood average over the model parameters of the local network security detection model and the model parameters sent by each associated computing device;
Updating the local network security detection model based on the neighborhood average.
In this embodiment, assume that all edge computing devices are divided into C clusters, represented by the set $\{s_1, \dots, s_C\}$, and that the k-th cluster $s_k$ contains $n_k = |s_k|$ edge devices. In the federated learning system, each edge computing device i trains its own personalized local network security detection model on its data set $D_i$ according to the adaptive model growth algorithm. The local empirical loss function of the data distribution at edge computing device i is
; ;
In the formula, is the loss function of , are the parameters of the two exits of the local network security detection model, is the set of , which is the parameter set of the entire local network security detection model, $D_i$ is the local data set, $|D_i|$ is the total number of data samples, is the data sample loss function, is a data sample in the local data set that participates in iterative training, and is the joint sample loss function of the two exits of the local network security detection model, which quantifies the prediction error on the data sample .
The main goal of the hierarchical aggregation federated learning algorithm is to optimize the global model parameters so as to minimize the global loss function associated with all devices: .
where are the model parameters of the global network model, is the loss value of the model parameters of the global network model, N is the total number of edge computing devices in the distributed system, are the model parameters of the i-th edge computing device in cluster $S_k$, $i \in (1, 2, 3, \dots, n_k - 1, n_k)$, $n_k$ is the total number of edge computing devices in cluster $S_k$, k is the sequence number of the data homogeneity cluster, $k \in (1, 2, 3, \dots, C - 1, C)$, and C is the total number of clusters in the distributed system.
In hierarchical aggregation federated learning, the training process consists of three steps: local network security detection model update, intra-cluster aggregation, and global aggregation. Together these steps are called one training round.
Local network security detection model update: each edge computing device updates its local network security detection model using the stochastic gradient descent algorithm. The iterative update process during training is
; ;
In the formula, is the model parameter of the local network security detection model of the i-th edge computing device after the l-th iteration update in round t, i is the sequence number of the edge computing device in the data homogeneity cluster, is the model parameter of the i-th edge computing device before the l-th iteration update in round t, is the learning rate of the l-th iteration update in round t, is the nabla (del) operator, is the data sample in the local data set that participates in the l-th iteration update in round t, and is the sample loss function of the l-th iteration update in round t.
After the edge computing devices in the same data homogeneity cluster have performed iteration updates, one intra-cluster model aggregation is performed. Device $i \in s_k$ takes the connected neural network blocks numbered of its local network security detection model as the parameters of the local network security detection model update, broadcasts them to the associated computing devices $j \in N_i$ adjacent to it in the data homogeneity cluster, and at the same time receives model parameters from $N_i$ and calculates the neighborhood average in order to update the local network security detection model on this edge computing device.
In an exemplary embodiment, the process of obtaining the model parameters of the local network security detection model and sending them to each associated computing device includes:
Obtaining the model parameters of the standard depth of the local network security detection model, and sending the model parameters of the standard depth to each associated computing device.
In an exemplary embodiment, after receiving the model parameters sent by each associated computing device, the network security detection method further includes:
For the model parameters sent by each associated computing device, determining whether the neural network depth corresponding to those model parameters is greater than the neural network depth of the local network security detection model; if so, the part of the received model parameters that matches the neural network depth of the local network security detection model is taken as the target model parameters; if not, the received model parameters are taken as the target model parameters;
The process of calculating a neighborhood average over the model parameters of the local network security detection model and the model parameters sent by each associated computing device includes:
Calculating the neighborhood average over the model parameters of the local network security detection model and each set of target model parameters.
In the intra-cluster aggregation among neighboring edge computing devices, the neural network depth differs from device to device, so each edge computing device sends only the model Block parameters of its standard depth; its output layer module is sent and does not participate in aggregation. If the receiving device receives model parameters deeper than its own, it aggregates only the model parameters of the matching depth; conversely, if it receives model parameters shallower than its own, it aggregates them directly. During the intra-cluster model update, each edge computing device first aggregates model parameters with the neighboring edge computing devices connected to it within the cluster. This accelerates model convergence, makes the classification of similar devices within the cluster more accurate, and lets devices with the most similar data types gain more information through model aggregation and updating.
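One way to implement the depth-aware neighborhood average described above, as an added example that is not code from the patent. Parameters are modelled as a list of blocks, each a flat list of floats; the function names, the per-block averaging over whichever devices hold that block, and the rejection of malformed or non-finite updates are assumptions of this example.

```python
import math


def usable_blocks(local_blocks, received_blocks):
    """Return the part of a neighbor's update that may be averaged, or None.

    A deeper sender is cut down to the receiver's depth; a shallower sender is
    used as received. Assumption (not from the page): an update is rejected
    whole if any used block has the wrong size or a non-finite value.
    """
    candidate = received_blocks[:len(local_blocks)]
    for mine, theirs in zip(local_blocks, candidate):
        if len(theirs) != len(mine):
            return None
        if not all(isinstance(x, (int, float)) and math.isfinite(x) for x in theirs):
            return None
    return candidate


def neighborhood_average(local_blocks, neighbor_updates):
    """Average the local blocks with the usable blocks of each neighbor.

    Assumption: block b is averaged over the devices that actually hold a
    block b, so blocks deeper than every neighbor keep their local values.
    Returns (new_blocks, ids_of_accepted_neighbors).
    """
    accepted = {}
    for device_id, blocks in neighbor_updates.items():
        usable = usable_blocks(local_blocks, blocks)
        if usable is not None:
            accepted[device_id] = usable

    new_blocks = []
    for b, mine in enumerate(local_blocks):
        holders = [mine] + [u[b] for u in accepted.values() if len(u) > b]
        new_blocks.append([sum(col) / len(holders) for col in zip(*holders)])
    return new_blocks, sorted(accepted)


if __name__ == "__main__":
    # Constructed parameters: three local blocks of two weights each.
    local = [[1.0, 1.0], [2.0, 2.0], [3.0, 3.0]]
    updates = {
        "A": [[3.0, 3.0], [4.0, 4.0], [5.0, 5.0], [9.0, 9.0]],  # deeper: 4 blocks
        "B": [[2.0, 2.0], [0.0, 0.0]],                          # shallower: 2 blocks
        "C": [[float("nan"), 1.0], [1.0, 1.0]],                 # non-finite value
        "D": [[1.0, 1.0, 1.0]],                                 # wrong block size
    }
    print(neighborhood_average(local, updates))
```

Exit (output layer) parameters are left out of the averaged blocks here, matching the statement that the output layer module does not participate in aggregation.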
In an exemplary embodiment, after updating the local network security detection model using the model parameters of the local network security detection model and the model parameters of the associated computing devices, the network security detection method further includes:
When the intra-cluster aggregation condition is satisfied and the device itself is not a cluster head device, sending the model parameters of the local network security detection model to the cluster head device of the data homogeneity cluster to which the device belongs, so that the cluster head device obtains the in-cluster global model parameters from the model parameters of all edge computing devices in that data homogeneity cluster;
When the in-cluster global model parameters are obtained, updating the local network security detection model with the in-cluster global model parameters, so that local network security detection is performed with the updated local network security detection model.
In an exemplary embodiment, the process of obtaining the in-cluster global model parameters from the model parameters of all edge computing devices in the data homogeneity cluster includes:
Calculating the in-cluster global model parameters using a third relation, the third relation being ;
where α is a hyperparameter, is the in-cluster global model parameter of round t stored by the cluster head device of the c-th data homogeneity cluster, is the in-cluster global model parameter of the c-th data homogeneity cluster in round t+1, c is the sequence number of the data homogeneity cluster, is the model parameter of the j-th associated computing device in the device set $N_i$ of the data homogeneity cluster after the l-th update in round t, $N_i$ is the device set of associated computing devices that have a connection relationship with the i-th edge computing device in the data homogeneity cluster, i is the sequence number of the edge computing device in the data homogeneity cluster, j is the sequence number of the associated computing device in the device set, and $|N_i|$ is the total number of edge computing devices in the data homogeneity cluster.
In this embodiment, when the number of iterations l is an integer multiple of , all edge computing devices in the data homogeneity cluster send the model parameters of their local network security detection models to the cluster head, and in-cluster global model parameter aggregation is performed to obtain ;
where the constant α is a hyperparameter, is the in-cluster model parameter of round t stored by the cluster head, and represents the aggregated in-cluster model parameter of round t+1 after the update is complete.
In an exemplary embodiment, after the in-cluster global model parameters are obtained and the local network security detection model is updated with them, the network security detection method based on the distributed system further includes:
When the global condition is satisfied and the device itself is a cluster head device, sending the in-cluster global model parameters to the edge cloud server in the distributed system, so that the edge cloud server obtains the global model from the in-cluster global model parameters sent by the cluster head devices of all data homogeneity clusters in the distributed system;
After the global model is received, updating the model parameters of the local network security detection model based on the model parameters of the global model, so that local network security detection is performed with the updated local network security detection model.
In an exemplary embodiment, the process of obtaining the global model from the in-cluster global model parameters sent by the cluster head devices of all data homogeneity clusters in the distributed system includes:
Calculating the global model using a fourth relation, the fourth relation being ;
where C is the number of cluster head devices, is the global model of round t+1, is the model parameter of the c-th data homogeneity cluster in round t+1 with respect to the data sample loss function L, and c is the sequence number of the data homogeneity cluster.
In this embodiment, once all clusters have performed τ in-cluster global aggregations, the edge cloud server performs global aggregation synchronously. Each cluster head device uploads the parameters of its model at that point to the server. The server receives the model parameters of the local network security detection models of the C cluster head devices and updates the global model by parameter averaging: ; the edge cloud server then broadcasts the global model to all devices.
In this embodiment, after the edge cloud server broadcasts the global model to all edge computing devices, each edge computing device uses the corresponding Blocks of the global model to update the Blocks of its local network security detection model and trains on its local data. After h rounds of training, the edge cloud server instructs the devices to run the public test data set and upload the test structure. The edge cloud server obtains the test structure, re-executes data homogeneity clustering and dynamic division of the data homogeneity clusters, sends the division result to all edge computing devices again, and the hierarchical clustered model update is performed again. These steps are repeated until the global model converges.
In a second aspect, referring to FIG. 6, the present invention further provides a network security detection system based on a distributed system, applied to each edge computing device in the distributed system, where the edge computing devices in the distributed system are divided by similarity into a plurality of data homogeneity clusters. The network security detection system includes:
A training module 11, configured to train an initial network security detection model based on local security data, where the network of the initial network security detection model includes a plurality of neural network blocks connected in sequence, and the plurality of neural network blocks correspond to different neural network depths;
A selection module 12, configured to select two output network blocks from the plurality of neural network blocks and, after the test security data set is input into the initial network security detection model, adjust the neural network depth of the initial network security detection model according to the output values corresponding to the two output network blocks to obtain the local network security detection model;
An updating module 13, configured to update the local network security detection model, when the parameter update condition is satisfied, using the model parameters of the local network security detection model and the model parameters of the associated computing devices; an associated computing device is an edge computing device that is in the same data homogeneity cluster as the device itself and is connected to it;
A detection module 14, configured to perform local network security detection with the updated local network security detection model.
In an exemplary embodiment, the process of adjusting the neural network depth of the initial network security detection model according to the output values corresponding to the two output network blocks to obtain the local network security detection model includes:
Obtaining a first output value corresponding to the first output network block and a second output value corresponding to the second output network block, where the neural network depth of the first output network block is less than the neural network depth of the second output network block;
Determining a depth adjustment strategy based on the first output value and the second output value;
Adjusting the neural network depth of the initial network security detection model according to the depth adjustment strategy to obtain the local network security detection model.
In an exemplary embodiment, the process of determining the depth adjustment strategy based on the first output value and the second output value includes:
Determining the absolute value of the difference between the first output value and the second output value;
Determining the depth adjustment direction based on the magnitude relationship between the first output value and the second output value; the depth adjustment direction is depth rollback or depth deepening;
Determining, based on the magnitude relationship between the absolute value and a preset value, the adjustment condition satisfied by the performance gap between the shallow network model and the deep network model; the shallow network model is obtained from the first output network block, the deep network model is obtained from the second output network block, and the adjustment condition is the immediate adjustment condition or the step adjustment condition;
Determining the depth adjustment strategy based on the depth adjustment direction and the adjustment condition satisfied by the performance gap.
In an exemplary embodiment, the process of determining the depth adjustment direction based on the magnitude relationship between the first output value and the second output value includes:
When the first output value is greater than the second output value, the depth adjustment direction is depth rollback;
When the first output value is less than the second output value, the depth adjustment direction is depth deepening.
In an exemplary embodiment, the process of determining, based on the magnitude relationship between the absolute value and the preset value, the adjustment condition satisfied by the performance gap between the shallow network model and the deep network model includes:
When the absolute value is less than the preset value, determining that the performance gap between the shallow network model and the deep network model satisfies the step adjustment condition;
When the absolute value is greater than or equal to the preset value, determining that the performance gap between the shallow network model and the deep network model satisfies the immediate adjustment condition.
In an exemplary embodiment, the process of determining the depth adjustment strategy based on the depth adjustment direction and the adjustment condition satisfied by the performance gap includes:
When the depth adjustment direction is depth rollback and the performance gap satisfies the immediate adjustment condition, the depth adjustment strategy is determined to be the depth rollback immediate adjustment strategy;
The process of adjusting the neural network depth of the initial network security detection model according to the depth adjustment strategy to obtain the local network security detection model includes:
When the depth adjustment strategy is the depth rollback immediate adjustment strategy, the rollback depth is calculated using the first relation corresponding to the depth rollback immediate adjustment strategy;
The neural network depth of the initial network security detection model is adjusted by the rollback depth to obtain the local network security detection model;
The first relation is $f_1(k) = \eta \times e^{k}$, where $f_1(k)$ is the rollback depth, $\eta$ is a hyperparameter, and k is the absolute value.
在一示例性实施例中,基于深度调整方向和性能差距所满足的调整条件确定深度调整策略的过程包括:In an exemplary embodiment, the process of determining the depth adjustment strategy based on the depth adjustment direction and the adjustment condition satisfied by the performance gap includes:
当深度调整方向为深度回退,且性能差距满足步进调整条件,确定深度调整策略为深度回退步进调整策略,并将步进回退作为当前记录写入预设存储空间;When the depth adjustment direction is depth rollback and the performance gap meets the step adjustment condition, the depth adjustment strategy is determined to be the depth rollback step adjustment strategy, and the step rollback is written into the preset storage space as the current record;
按照深度调整策略调整初始网络安全检测模型的神经网络深度得到本地网络安全检测模型的过程包括:The process of adjusting the neural network depth of the initial network security detection model according to the depth adjustment strategy to obtain the local network security detection model includes:
当深度调整策略为深度回退步进调整策略,获取预设存储空间中包括当前记录在内的连续预设数量的记录,若包括当前记录在内的连续预设数量的记录均为步进回退,将初始网络安全检测模型的神经网络深度回退一层得到本地网络安全检测模型。When the depth adjustment strategy is a depth backoff step adjustment strategy, a preset number of consecutive records including the current record are obtained in the preset storage space. If the preset number of consecutive records including the current record are all step backoff, the neural network depth of the initial network security detection model is backed off by one layer to obtain a local network security detection model.
在一示例性实施例中,基于深度调整方向和性能差距所满足的调整条件确定深度调整策略的过程包括:In an exemplary embodiment, the process of determining the depth adjustment strategy based on the depth adjustment direction and the adjustment condition satisfied by the performance gap includes:
当深度调整方向为深度加深,且性能差距满足即时调整条件,确定深度调整策略为深度加深即时调整策略;When the depth adjustment direction is depth deepening and the performance gap meets the immediate adjustment condition, the depth adjustment strategy is determined to be the depth deepening immediate adjustment strategy;
按照深度调整策略调整初始网络安全检测模型的神经网络深度得到本地网络安全检测模型的过程包括:The process of adjusting the neural network depth of the initial network security detection model according to the depth adjustment strategy to obtain the local network security detection model includes:
当深度调整策略为深度加深即时调整策略,利用深度加深即时调整策略对应的第二关系式计算加深深度;When the depth adjustment strategy is a depth deepening instant adjustment strategy, the deepening depth is calculated using a second relational expression corresponding to the depth deepening instant adjustment strategy;
按加深深度调整初始网络安全检测模型的神经网络深度得到本地网络安全检测模型;Adjusting the neural network depth of the initial network security detection model according to the deepening depth to obtain a local network security detection model;
第二关系式为f2(k)=η×ek,f2(k)为加深深度,η为超参数,k为绝对值。The second relation is f 2 (k) = η × e k , where f 2 (k) is the deepening depth, η is a hyperparameter, and k is an absolute value.
In an exemplary embodiment, the process of determining the depth adjustment strategy based on the depth adjustment direction and the adjustment condition satisfied by the performance gap includes:
When the depth adjustment direction is depth deepening and the performance gap satisfies the step adjustment condition, the depth adjustment strategy is determined to be the depth deepening step adjustment strategy, and a step deepening is written into the preset storage space as the current record;
The process of adjusting the neural network depth of the initial network security detection model according to the depth adjustment strategy to obtain the local network security detection model includes:
When the depth adjustment strategy is the depth deepening step adjustment strategy, a preset number of consecutive records, including the current record, are read from the preset storage space. If all of these records are step deepenings, the neural network depth of the initial network security detection model is deepened by one layer to obtain the local network security detection model.
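The step and immediate strategies described above, as an added sketch that is not code from the patent. The class and function names, the depth bounds, rounding f2(k) to whole layers, and leaving the record store untouched on an immediate adjustment are assumptions; the strategy for each round is taken as input because the conditions that select it are defined elsewhere in the specification.

```python
import math
from collections import deque

STEP_DEEPEN, STEP_BACKOFF = "step_deepen", "step_backoff"


class DepthController:
    """Tracks the depth (number of active layers) of the local detection model."""

    def __init__(self, depth, eta, window, min_depth=1, max_depth=16):
        self.depth = depth
        self.eta = eta            # hyperparameter η of the second relational expression
        self.window = window      # the "preset number" of consecutive records
        self.min_depth = min_depth  # assumed lower bound, not stated on the page
        self.max_depth = max_depth  # assumed upper bound, not stated on the page
        # Stands in for the preset storage space; only the newest `window`
        # records are ever inspected, so older ones are dropped.
        self.records = deque(maxlen=window)

    def _clamp(self, depth):
        return max(self.min_depth, min(self.max_depth, depth))

    def deepen_immediately(self, k):
        """Depth deepening immediate strategy: add f2(k) = η * e^k layers."""
        layers = max(1, round(self.eta * math.exp(k)))  # rounding is an assumption
        self.depth = self._clamp(self.depth + layers)
        return self.depth

    def step(self, record):
        """Step strategies: write the record, then move by one layer only when
        the newest `window` records, current one included, are all of that kind."""
        if record not in (STEP_DEEPEN, STEP_BACKOFF):
            raise ValueError(f"unknown record type: {record!r}")
        self.records.append(record)
        window_full = len(self.records) == self.window
        if window_full and all(r == record for r in self.records):
            delta = 1 if record == STEP_DEEPEN else -1
            self.depth = self._clamp(self.depth + delta)
        return self.depth


def replay(controller, decisions):
    """Apply (strategy, k) decisions in order and return the depth after each."""
    depths = []
    for strategy, k in decisions:
        if strategy == "immediate_deepen":
            depths.append(controller.deepen_immediately(k))
        else:
            depths.append(controller.step(strategy))
    return depths


if __name__ == "__main__":
    # Constructed sequence of per-round decisions for one edge device.
    rounds = [(STEP_DEEPEN, None)] * 3 + [(STEP_BACKOFF, None)] * 3
    rounds.append(("immediate_deepen", 1.2))
    print(replay(DepthController(depth=4, eta=0.5, window=3), rounds))
```

Read literally, the rule fires again on every further matching record once the window is full, which is what this sketch does; an implementation that wants one layer per run of records would clear the store after each change.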
In an exemplary embodiment, the process of selecting two output network blocks from the plurality of neural network blocks includes:
Selecting two adjacent neural network blocks from the plurality of neural network blocks as the output network blocks.
In an exemplary embodiment, the process of updating the local network security detection model using the model parameters of the local network security detection model and the model parameters of the associated computing devices includes:
Obtaining the model parameters of the local network security detection model and sending them to each associated computing device;
Receiving the model parameters sent by each associated computing device;
Calculating a neighborhood average over the model parameters of the local network security detection model and the model parameters sent by each associated computing device;
Updating the local network security detection model based on the neighborhood average.
In an exemplary embodiment, the process of obtaining the model parameters of the local network security detection model and sending them to each associated computing device includes:
Obtaining the standard-depth model parameters of the local network security detection model and sending the standard-depth model parameters to each associated computing device.
In an exemplary embodiment, the network security detection system further includes:
A first determination module, configured to, after the model parameters sent by each associated computing device are received, judge for each associated computing device whether the neural network depth corresponding to the model parameters it sent is greater than the neural network depth of the local network security detection model; if so, the model parameters, among those sent by the associated computing device, that match the neural network depth of the local network security detection model are determined as the target model parameters; if not, the model parameters sent by the associated computing device are determined as the target model parameters;
The process of calculating the neighborhood average over the model parameters of the local network security detection model and the model parameters sent by each associated computing device includes:
Calculating the neighborhood average over the model parameters of the local network security detection model and each set of target model parameters.
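The depth-aligned neighborhood average described above, as an added sketch that is not code from the patent. Parameters are modelled as a list of per-layer weight lists; the function names, treating "parameters matching the local depth" as the first layers in order, averaging each layer over only the devices that supplied it, and the shape and finiteness checks on received parameters are assumptions.

```python
import math


def select_target_params(neighbor_layers, local_depth):
    """First determination module: a neighbour deeper than the local model is
    cut down to the local depth; an equal or shallower one is used as sent."""
    if len(neighbor_layers) > local_depth:
        # Assumes layers are ordered from input to output.
        return neighbor_layers[:local_depth]
    return neighbor_layers


def check_layer(layer, expected_len, source):
    """Added sanity check: refuse a received layer that cannot be averaged."""
    if len(layer) != expected_len:
        raise ValueError(f"{source}: layer has {len(layer)} weights, "
                         f"expected {expected_len}")
    if not all(math.isfinite(w) for w in layer):
        raise ValueError(f"{source}: layer contains a non-finite weight")


def neighborhood_average(local_layers, neighbor_updates):
    """Average the local parameters with every neighbour's target parameters.

    local_layers:     list of layers, each a list of floats
    neighbor_updates: dict of device name -> list of layers as received
    """
    local_depth = len(local_layers)
    targets = {name: select_target_params(layers, local_depth)
               for name, layers in neighbor_updates.items()}

    averaged = []
    for idx, local_layer in enumerate(local_layers):
        contributors = [local_layer]
        for name, layers in targets.items():
            if idx < len(layers):  # a shallower neighbour has no such layer
                check_layer(layers[idx], len(local_layer), name)
                contributors.append(layers[idx])
        count = len(contributors)
        averaged.append([sum(ws) / count for ws in zip(*contributors)])
    return averaged


if __name__ == "__main__":
    # Constructed parameters: local depth 3, one deeper and one shallower peer.
    local = [[1.0, 1.0], [2.0, 2.0], [3.0, 3.0]]
    received = {
        "edge-a": [[3.0, 3.0], [4.0, 4.0], [5.0, 5.0], [9.0, 9.0]],  # depth 4
        "edge-b": [[2.0, 5.0], [0.0, 0.0]],                          # depth 2
    }
    print(neighborhood_average(local, received))
```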
In an exemplary embodiment, the network security detection system further includes:
A first sending module, configured to, when the in-cluster aggregation condition is satisfied and the device itself is not a cluster head device, send the model parameters of the local network security detection model to the cluster head device of the data homogeneity cluster in which the device is located, so that the cluster head device obtains the in-cluster global model parameters from the model parameters of all edge computing devices in its data homogeneity cluster;
The updating module 13 is further configured to, when the in-cluster global model parameters are obtained, update the local network security detection model using the in-cluster global model parameters, so that local network security detection is performed with the updated local network security detection model.
In an exemplary embodiment, the process of obtaining the in-cluster global model parameters from the model parameters of all edge computing devices in the data homogeneity cluster includes:
Calculating the in-cluster global model parameters using the third relational expression, the third relational expression being: ;
Wherein α is a hyperparameter, is the in-cluster global model parameter of the t-th round stored by the cluster head device of the c-th data homogeneity cluster, is the in-cluster global model parameter of the c-th data homogeneity cluster in round t+1, c is the sequence number of the data homogeneity cluster, is the model parameter of the j-th associated computing device in the device set N_i of the data homogeneity cluster after the l-th update in the t-th round, N_i is the device set of associated computing devices that have a connection relationship with the i-th edge computing device in the data homogeneity cluster, i is the sequence number of the edge computing device in the data homogeneity cluster, j is the sequence number of the associated computing device in the device set, and |N_i| is the total number of edge computing devices in the data homogeneity cluster.
In an exemplary embodiment, the network security detection system based on the distributed system further includes:
A second sending module, configured to, after the in-cluster global model parameters are obtained and the local network security detection model has been updated with them, send the in-cluster global model parameters to the edge cloud server in the distributed system when the global condition is satisfied and the device itself is a cluster head device, so that the edge cloud server obtains the global model based on the in-cluster global model parameters sent by the cluster head devices of all data homogeneity clusters in the distributed system;
The updating module 13 is further configured to, after the global model is received, update the model parameters of the local network security detection model based on the model parameters of the global model, so that local network security detection is performed with the updated local network security detection model.
In an exemplary embodiment, the process of obtaining the global model based on the in-cluster global model parameters sent by the cluster head devices of all data homogeneity clusters in the distributed system includes:
Calculating the global model using the fourth relational expression, the fourth relational expression being: ;
Wherein C is the number of cluster head devices, is the global model of round t+1, is the model parameter of the c-th data homogeneity cluster in round t+1 with respect to the data sample loss function L, and c is the sequence number of the data homogeneity cluster.
In an exemplary embodiment, the network security detection system based on the distributed system further includes:
A receiving module, configured to, before the initial network security detection model is trained on local security data, receive from the edge cloud server in the distributed system the data homogeneity clusters it has divided based on similarity and the connection relationships among the edge computing devices within each data homogeneity cluster, so that the device determines its own associated computing devices based on the data homogeneity cluster and the connection relationships.
In an exemplary embodiment, the process by which the edge cloud server in the distributed system divides the data homogeneity clusters based on similarity includes:
The edge cloud server in the distributed system obtains the test results that each edge computing device in the distributed system produced on the test security data set;
A weighted undirected graph over all edge computing devices is constructed according to the similarity of their test results;
All edge computing devices are partitioned using the weighted undirected graph to obtain a plurality of data homogeneity clusters.
In the third aspect, please refer to FIG. 7, which is a schematic structural diagram of an edge computing device provided by the present invention, including:
A memory 21, used for storing a computer program;
A processor 22, used for implementing, when executing the computer program, the steps of the distributed system-based network security detection method described in any one of the above embodiments.
The edge computing device further includes:
An input interface 23, connected to the processor 22 via a communication bus 26 and used to obtain externally imported computer programs, parameters and instructions, which are saved to the memory 21 under the control of the processor 22. The input interface can be connected to an input device to receive parameters or instructions entered manually by a user. The input device can be a touch layer covering a display screen, or a key, trackball or touchpad provided on the terminal housing.
A display unit 24, connected to the processor 22 via the communication bus 26 and used to display data sent by the processor 22. The display unit can be a liquid crystal display, an electronic ink display, or the like.
A network port 25, connected to the processor 22 via the communication bus 26 and used to establish communication connections with external terminal devices. The communication technology used for the connection can be a wired or wireless communication technology, such as Mobile High-Definition Link technology, Universal Serial Bus, High-Definition Multimedia Interface, Wireless Fidelity technology, Bluetooth communication technology, Bluetooth Low Energy communication technology, or communication technology based on IEEE802.11s.
For an introduction to the edge computing device provided by the present invention, please refer to the above embodiments; it is not repeated here.
The edge computing device provided by the present invention has the same beneficial effects as the above distributed system-based network security detection method.
In the fourth aspect, please refer to FIG. 8, which is a schematic structural diagram of a distributed system provided by the present invention, including:
A plurality of edge computing devices as described above;
An edge cloud server, used to output the test data set and the clustering result to each edge computing device, the clustering result including the data homogeneity cluster in which the edge computing device is located and the associated computing devices connected to the edge computing device.
In FIG. 8, the edge computing devices inside one dashed box belong to the same cluster. For example, the five edge computing devices in the dashed box to the left of the edge cloud server belong to cluster s_1, and the five edge computing devices in the dashed box to the right of the edge cloud server belong to cluster s_c. The distributed system may specifically be a heterogeneous distributed system.
For an introduction to the distributed system provided by the present invention, please refer to the above embodiments; it is not repeated here.
The distributed system provided by the present invention has the same beneficial effects as the above distributed system-based network security detection method.
In the fifth aspect, please refer to FIG. 9, which is a schematic structural diagram of a computer-readable storage medium provided by the present invention. A computer program 31 is stored on the computer-readable storage medium 30, and when the computer program 31 is executed by a processor, the steps of the distributed system-based network security detection method described in any one of the above embodiments are implemented.
The computer-readable storage medium 30 may include a USB flash drive, a removable hard disk, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), a magnetic disk, an optical disk, or any other medium that can store program code.
For an introduction to the computer-readable storage medium provided by the present invention, please refer to the above embodiments; it is not repeated here.
The computer-readable storage medium provided by the present invention has the same beneficial effects as the above distributed system-based network security detection method.
It should also be noted that, in this specification, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "comprise", "include" and any other variants are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of additional identical elements in the process, method, article or device that includes the element.
The above description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (22)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410230120.4A CN117811846B (en) | 2024-02-29 | 2024-02-29 | Network security detection method, system, equipment and medium based on distributed system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN117811846A (en) | 2024-04-02 |
CN117811846B (en) | 2024-05-28 |
Family
ID=90430334
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202410230120.4A Active CN117811846B (en) | 2024-02-29 | 2024-02-29 | Network security detection method, system, equipment and medium based on distributed system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117811846B (en) |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2019136946A1 (en) * | 2018-01-15 | 2019-07-18 | 中山大学 | Deep learning-based weakly supervised salient object detection method and system |
WO2020172974A1 (en) * | 2019-02-25 | 2020-09-03 | 中国科学院自动化研究所 | Artificial neural network optimization method and system based on orthogonal projection matrix, and apparatuses |
CN115167977A (en) * | 2022-06-22 | 2022-10-11 | 国网湖南省电力有限公司 | Target detection method and system, device and storage medium based on Docker virtual isolation |
CN116229170A (en) * | 2023-03-03 | 2023-06-06 | 北京邮电大学 | Training method, classification method and equipment for federated unsupervised image classification model based on task migration |
CN116405262A (en) * | 2023-03-07 | 2023-07-07 | 北京邮电大学 | Network security access method, device, equipment and storage medium |
CN116579417A (en) * | 2023-05-10 | 2023-08-11 | 之江实验室 | Hierarchical personalized federated learning method, device and medium in edge computing network |
CN116708009A (en) * | 2023-07-18 | 2023-09-05 | 杭州电子科技大学上虞科学与工程研究院有限公司 | Network intrusion detection method based on federal learning |
CN117580046A (en) * | 2023-06-09 | 2024-02-20 | 西安电子科技大学 | Deep learning-based 5G network dynamic security capability scheduling method |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11640528B2 (en) * | 2019-10-22 | 2023-05-02 | Baidu Usa Llc | Method, electronic device and computer readable medium for information processing for accelerating neural network training |
Non-Patent Citations (1)
Title |
---|
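Design of a network intrusion detection algorithm based on self-organizing map networks; Zhou Lijuan; Journal of Chengdu University (Natural Science Edition); 20180930 (No. 03); full text * |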
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||