
CN-121984790-A - Network security situation assessment method and system based on deep learning


Abstract

A network security situation assessment method and system based on deep learning, relating to the technical field of deep learning and used to improve the accuracy of network security situation assessment. In the method, the network security situation assessment system automatically learns and weights the input feature vectors through a multi-head attention mechanism, so that it can dynamically focus on the most relevant feature dimensions for each network attack category and suppress interference from irrelevant noise data. The weighted feature vectors are then deeply extracted and abstracted by a two-stage one-dimensional convolutional network to obtain a more accurate attack category identification result, from which a network security situation assessment value is finally calculated. This overcomes the defects of traditional methods, which rely on expert experience for feature selection and process all features indiscriminately so that core information is diluted, and thereby improves the accuracy of network security situation assessment.

Inventors

  • ZHANG JIAQI
  • HUANG YI
  • WANG FEI
  • LI QUANHENG
  • HAN TAO
  • ZHU SUOMING
  • HAO LINGYUN
  • HAN BO

Assignees

  • 卡斯柯信号(西安)有限公司

Dates

Publication Date
20260505
Application Date
20260407

Claims (10)

  1. A network security situation assessment method based on deep learning, characterized in that it is applied to a network security situation assessment system and comprises the following steps:
     standardizing and normalizing network connection record data in a preset time period to obtain an input feature vector with multidimensional feature attributes;
     calculating in parallel, using a preset scaled dot-product function, the correlation between the multidimensional feature attributes of the input feature vector and each preset network attack category to obtain a multi-head attention weight matrix, wherein the multi-head attention weight matrix characterizes the degree of influence of the feature attributes of different dimensions on the corresponding network attack category;
     weighting the input feature vector according to the multi-head attention weight matrix to obtain a plurality of attention-weighted feature vectors, each corresponding to and associated with one preset network attack category;
     arranging the attention-weighted feature vectors in rows to obtain a two-dimensional feature matrix;
     performing first-stage parallel multi-kernel one-dimensional convolution and max pooling on the two-dimensional feature matrix and, provided that the number of rows of the convolved two-dimensional feature matrix is consistent with the number of network attack categories, splicing the pooled feature sequences by columns into an intermediate two-dimensional vector;
     performing second-stage single-kernel one-dimensional convolution and max pooling on the intermediate two-dimensional vector to obtain a dimension-reduced, compressed feature vector;
     inputting the feature vector to a fully connected computing layer to execute a normalized exponential operation to obtain a network attack category identification result corresponding to the input feature vector; and
     calculating a network security situation assessment value in the preset time period based on the preset situation quantification influence value corresponding to each preset network attack category and the network attack category identification result.
  2. The method according to claim 1, wherein the step of calculating in parallel, using a preset scaled dot-product function, the correlation between the multidimensional feature attributes of the input feature vector and each preset network attack category to obtain a multi-head attention weight matrix specifically comprises:
     representing the input feature vector as feature key-value pairs, each formed by a feature name and a feature value;
     constructing a parallel attention pooling module for each preset network attack category;
     in each attention pooling module, calculating the correlation between the multidimensional feature attributes of the input feature vector and the corresponding network attack category using the preset scaled dot-product function;
     normalizing the correlation to obtain the attention weight coefficient corresponding to each feature attribute; and
     splicing the attention weight coefficients output by the attention pooling modules, according to the number of preset network attack categories, to obtain the multi-head attention weight matrix.
  3. The method according to claim 2, characterized in that the preset scaled dot-product function specifically comprises: Wherein the said For the preset network attack category, the For the feature name, the For the correlation of the multidimensional feature attribute of the input feature vector and the preset network attack category, the following steps are adopted Representing the feature vector dimension.
  4. The method according to claim 2, wherein the step of weighting the input feature vector according to the multi-head attention weight matrix to obtain a plurality of attention-weighted feature vectors, each associated with one preset network attack category, comprises:
     performing a weighted summation of each feature value in the feature key-value pairs with the corresponding attention weight coefficient to obtain the attention head vector corresponding to each preset network attack category; and
     splicing the attention head vectors corresponding to the preset network attack categories and applying a linear transformation using linear transformation parameter vectors to obtain the attention-weighted feature vectors.
  5. The method according to claim 1, wherein the step of performing first-stage parallel multi-kernel one-dimensional convolution and max pooling on the two-dimensional feature matrix specifically comprises:
     configuring a number of one-dimensional convolution kernels equal to the number of preset network attack categories, and matching the sliding stride of each one-dimensional convolution kernel to the row vector length of the two-dimensional feature matrix;
     extracting, with each one-dimensional convolution kernel, the local features of the corresponding row vector in the two-dimensional feature matrix to obtain a plurality of preliminary feature sequences; and
     downsampling each preliminary feature sequence through a max pooling operation to obtain the pooled feature sequences.
  6. The method according to claim 1, wherein the step of calculating the network security situation assessment value in the preset time period based on the preset situation quantification influence value corresponding to each preset network attack category and the network attack category identification result specifically comprises:
     based on the network attack category identification results corresponding to all network connection record data in the preset time period, counting the number of sample occurrences of each preset network attack category and the total number of network connection records in the preset time period; and
     calculating the network security situation assessment value in the preset time period based on the preset situation quantification influence value, the number of sample occurrences of each preset network attack category, the total number of network connection records, the number of normal sample occurrences in the preset time period, and a preset network security situation quantification function.
  7. The method according to claim 6, wherein the preset network security situation quantification function specifically comprises: Wherein the said For the network security posture assessment value, the Recording a total number of network connections for the preset time period, the total number of network connections being the same as the total number of network connections For the number of normal sample occurrences, said Quantifying an influence value for the preset situation, The said For each sample occurrence of the network attack class, The said And the total number of the network attack categories is preset.
  8. A network security situation assessment system comprising one or more processors and memory coupled to the one or more processors, the memory storing computer program code comprising computer instructions that the one or more processors invoke to cause the network security situation assessment system to perform the method of any of claims 1-7.
  9. A computer program product comprising instructions which, when run on a network security situation assessment system, cause the network security situation assessment system to perform the method of any of claims 1-7.
  10. A computer-readable storage medium comprising instructions which, when run on a network security situation assessment system, cause the network security situation assessment system to perform the method of any of claims 1-7.
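
The forward pass recited in claim 1, as an added example that is not code from the patent: per-category attention weights, a row-wise first convolution stage, a single-kernel second stage, and a normalized exponential (softmax) output. Assumptions: the scaled dot-product form softmax(q·k/√dim), since the patent's own formula did not survive on this page; elementwise weighting of the record; one stride-1 kernel per row in stage one; the pooled sequences treated as channels in stage two; and every name and parameter value, all of which are constructed and untrained.

```python
import math

def softmax(v):
    m = max(v)
    e = [math.exp(a - m) for a in v]
    s = sum(e)
    return [a / s for a in e]

def attention_matrix(queries, keys):
    """K x d weights: softmax over features of q_k . key_j / sqrt(dim)."""
    dim = len(keys[0])
    return [softmax([sum(a * b for a, b in zip(q, k)) / math.sqrt(dim)
                     for k in keys]) for q in queries]

def conv1d(channels, kernel):
    """Valid 1-D convolution; kernel[c][t] spans every input channel c."""
    width, length = len(kernel[0]), len(channels[0])
    return [sum(kernel[c][t] * channels[c][i + t]
                for c in range(len(channels)) for t in range(width))
            for i in range(length - width + 1)]

def max_pool(seq, size=2):
    return [max(seq[i:i + size]) for i in range(0, len(seq) - size + 1, size)]

def classify(x, p):
    """Forward pass for one normalized connection record x of length d."""
    weights = attention_matrix(p["queries"], p["keys"])
    # One attention-weighted copy of x per attack category, stacked as rows.
    matrix = [[w * v for w, v in zip(row, x)] for row in weights]
    # Stage 1: one kernel per row, then max pooling.
    stage1 = [max_pool(conv1d([r], [k])) for r, k in zip(matrix, p["k1"])]
    # Stage 2: a single kernel across the K pooled sequences, then pooling.
    reduced = max_pool(conv1d(stage1, p["k2"]))
    logits = [sum(w * f for w, f in zip(ws, reduced)) + b
              for ws, b in zip(p["fc_w"], p["fc_b"])]
    return weights, softmax(logits)

def demo_params(d=8, K=3):
    """Constructed, untrained parameters; category k attends to feature 2k."""
    return {
        "keys": [[float(i == j) for i in range(d)] for j in range(d)],
        "queries": [[6.0 * (j == 2 * k) for j in range(d)] for k in range(K)],
        "k1": [[0.5, 1.0, 0.5]] * K,
        "k2": [[1.0, -1.0]] * K,
        "fc_w": [[1.0 - k] for k in range(K)],
        "fc_b": [0.0] * K,
    }

RECORD = [0.1, 0.9, 0.8, 0.0, 0.3, 0.2, 0.7, 0.5]  # constructed sample record
```

Calling `classify(RECORD, demo_params())` returns the K x d attention weight matrix and the class probabilities; each row of the matrix peaks at the feature its category's query was built to match.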

Description

Network security situation assessment method and system based on deep learning

Technical Field

The application relates to the technical field of deep learning, and in particular to a network security situation assessment method and system based on deep learning.

Background

As networks continue to grow in scale and complexity, network security situation assessment has gradually become a core means of maintaining the security of network systems and carrying out forward-looking active defense. To analyze the security elements of massive networks automatically, related technologies generally evaluate the network security situation with a method based on a deep neural network (such as a convolutional neural network). Specifically, the collected real-time network security data is first used as input layer data, and the input vector undergoes unified feature extraction and information compression by the multi-layer convolution kernels or fully connected layers in the network. In the multi-class training stage of the model, the related technology generally uses a cross-entropy loss function to guide classification learning of the different network states, and uses backpropagation to continuously update the network weight matrix according to the overall error between the real samples and the prediction results. This finally constructs a nonlinear mapping between the input feature set and the network attack categories, from which a classification result is output and the corresponding network security situation assessment value is calculated.

However, because the related art maps the features with a unified convolution structure, the model passively applies equal computation to the security features of all dimensions. As a result, the core feature variables that are highly related to a specific attack category are diluted by a large amount of irrelevant network noise data, which reduces the accuracy of network security situation assessment.

Disclosure of Invention

The application provides a network security situation assessment method and system based on deep learning, which are used to improve the accuracy of network security situation assessment.

The first aspect provides a network security situation assessment method based on deep learning, characterized in that it is applied to a network security situation assessment system and comprises the steps of: standardizing and normalizing network connection record data in a preset time period to obtain an input feature vector with multidimensional feature attributes; calculating in parallel, using a preset scaled dot-product function, the correlation between the multidimensional feature attributes of the input feature vector and each preset network attack category to obtain a multi-head attention weight matrix, the multi-head attention weight matrix representing the degree of influence of the feature attributes of different dimensions on the corresponding network attack category; weighting the input feature vector according to the multi-head attention weight matrix to obtain a plurality of attention-weighted feature vectors, each corresponding to one preset network attack category; arranging the attention-weighted feature vectors in rows to obtain a two-dimensional feature matrix; performing first-stage parallel one-dimensional convolution and max pooling on the two-dimensional feature matrix and, provided that the number of rows of the convolved two-dimensional feature matrix is consistent with the number of network attack categories, splicing the pooled feature sequences by columns into an intermediate two-dimensional vector; performing second-stage single-kernel one-dimensional convolution and max pooling on the intermediate two-dimensional vector to obtain a dimension-reduced, compressed feature vector; performing a normalized exponential operation on the feature vector to obtain a network attack category identification result corresponding to the input feature vector; and calculating a network security situation assessment value based on the preset situation quantification influence value corresponding to each preset network attack category and the network attack category identification result.

With this technical scheme, the network security situation assessment system automatically learns and weights the input feature vectors through a multi-head attention mechanism, so that it can dynamically focus on the most relevant feature dimensions for each network attack category and suppress interference from irrelevant noise data. The weighted feature vectors are then deeply extracted and abstracted through a two-st