CN-122001608-A - Large model training method in network security alarm log field
Abstract
The invention relates to the technical field of network security, in particular to a large model training method in the field of network security alarm logs. The method comprises: continuously pre-training a first large language model on a network security corpus to obtain a pre-training model; collecting network security alarm logs, formulating a level standard and performing preliminary risk level labeling with a second large language model to obtain a labeled alarm log data set; performing coarse-to-fine reasoning-enhanced supervised fine-tuning on the labeled alarm log data set to obtain a policy model; and constructing a preference data set from the analysis error data and performing preference optimization on the policy model with that data set to obtain a final model. The invention adapts more precisely to the analysis requirements of the network security alarm log field, effectively reduces alarm log noise, markedly improves model performance on alarm analysis tasks, improves the accuracy of risk level judgement and reduces manual processing cost.
Inventors
- WEN JING
- LEI XUAN
- SU CHONG
- LI FENG
- CHEN YUANYUAN
- MO YUXING
- LU NING
- CHEN NINGJIANG
- LI SEN
- WEI YUXING
- LUO CHANGLIANG
- WEI JIAYI
- YANG ZIXIAO
- SHI CHENGYUE
- FENG YAOWEN
Assignees
- 广西壮族自治区信息中心(广西壮族自治区大数据研究院)
- 广西大学
Dates
- Publication Date
- 20260508
- Application Date
- 20251128
Claims (10)
- 1. A large model training method in the field of network security alarm logs, characterized by comprising the following steps: S1, continuously pre-training a first large language model on a network security corpus to obtain a pre-training model; S2, collecting network security alarm logs, preprocessing the alarm log data, formulating a level standard, and preliminarily labeling the risk level of each alarm log with a second large language model to obtain a labeled alarm log data set; S3, performing coarse-to-fine reasoning-enhanced supervised fine-tuning on the labeled alarm log data set to obtain a policy model; S4, constructing a preference data set from the analysis error data, and performing preference optimization on the policy model with the preference data set to obtain a final model.
- 2. The method according to claim 1, wherein in step S1 the network security corpus comprises professional security blogs, technical reports, threat intelligence, vulnerability analyses, academic papers, local asset databases and equipment manuals; and wherein in step S1 duplicate detection is performed on the corpus with the MinHash algorithm (a fuzzy-hashing technique), extracting a characteristic hash signature for each text to identify high-similarity content and deleting exact and near-duplicate texts to obtain cleaned data, after which a TinyBERT-based binary classifier is constructed and the texts it predicts to be irrelevant or of low relevance are filtered out, retaining only the corpus with high relevance to network security.
- 3. The method according to claim 1, wherein in step S1 the corpus is used to further train Qwen-8b as the base model, and during training the cross-entropy loss is minimized by maximizing the probability of the next token of the training corpus, so as to obtain the pre-training model; the training process is given by formula (1), whose terms are: a text sequence of the corpus, the length of that text, the token at a given position in the sequence, its context, namely all tokens preceding that position, and the probability that the base model predicts the correct token given that context.
- 4. The method according to claim 1, wherein in step S2 the network security alarm log data is cleaned by removing redundant information irrelevant to risk level analysis and retaining the key fields needed for security analysis, the key fields comprising a timestamp, a source IP, a destination IP, an HTTP request body and an HTTP response body, and the cleaned alarm log data is converted to a standardized format to complete data preprocessing.
- 5. The method according to claim 1, wherein in step S2 the level standard, formulated according to specification, classifies network security alarm events into five levels: critical, high, medium, low and safe (no risk); the second large language model performs semantic analysis of the alarm log content along the dimensions of event type, attack result, importance of the affected system and scope of impact of the event, infers the risk level of each alarm and assigns a corresponding preliminary label; the output of the second large language model is then verified, and the cause of each labeling error is analyzed and recorded, yielding the labeled alarm log data set.
- 6. The method according to claim 1, wherein in step S3 the policy model is obtained by: S3.1, semantically filtering the labeled alarm log data set to obtain semantic alarm log sets covering different security event types; S3.2, inputting each semantic alarm log set into the second large language model and distilling the analysis workflow for that event type to form a strategy data set; S3.3, performing first-stage supervised fine-tuning of the pre-training model on the strategy data set to obtain an optimized pre-training model; S3.4, sampling alarm logs from the semantic alarm log sets that were not used to construct the strategy data set, inputting them into the optimized pre-training model, and constructing a correct set and an error set from its outputs; S3.5, performing second-stage supervised fine-tuning of the optimized pre-training model on the correct set to obtain the policy model.
- 7. The method according to claim 6, wherein in step S3.1 the labeled alarm log data set is vectorized with the pre-trained semantic embedding model bge-large-zh-v1.5, mapping it into a unified semantic space; alarm clusters with similar semantics are then identified automatically with HDBSCAN on the basis of cosine similarity between vectors, and representative samples are selected from each cluster so that semantically duplicated data is removed while diverse security event patterns are preserved, giving a semantic alarm log set whose entries are the log records together with their recorded error causes; in step S3.2 an abstract analysis strategy is obtained from the analysis workflow for each event type, and the strategy data set is obtained after the abstract analysis strategy has been reviewed and refined, each entry of the strategy data set consisting of a log, the cause of the error and the analysis workflow for that event type; in step S3.3 first-stage supervised fine-tuning of the pre-training model on the strategy data set is performed so that the pre-training model learns to generate a high-level analysis strategy, yielding the optimized pre-training model, the optimization objective of this first-stage supervised fine-tuning being expressed by formula (2), whose terms are the log content data, the cause of the error, the strategy data set and the pre-training model.
- 8. The method according to claim 7, wherein in step S3.4 each sampled alarm log consists of its log content; the sampled alarm logs are input into the optimized pre-training model of step S3.3, which is prompted to generate detailed reasoning steps for each instance according to the event strategy; the predictions of the optimized pre-training model are collected and a correct set and an error set are constructed, each entry consisting of the log content data, the log label, the prediction of the optimized pre-training model and, respectively, the correct reasoning steps or the erroneous reasoning steps; in step S3.5 the policy model is obtained by second-stage supervised fine-tuning of the optimized pre-training model, expressed by formula (3), whose terms are the log content data, the log label, the prediction of the optimized pre-training model, the correct set, the optimized pre-training model, the correct reasoning steps of step S3.4, and the correct reasoning steps that the optimized pre-training model generates during second-stage supervised fine-tuning.
- 9. The method according to claim 8, wherein in step S4 the second large language model is used as a teacher model: prompts are designed to guide it to identify the erroneous step in each erroneous reasoning trace and to produce a corrected reasoning trace by reflecting on the error, thereby constructing the preference data set, each entry of which consists of the log data, the corrected reasoning steps and the erroneous reasoning steps, drawn from the error set.
- 10. The method according to claim 9, wherein the policy model is further optimized with the preference data set by maximizing the probability margin between the preferred and the non-preferred reasoning while keeping the optimized model sufficiently close to the policy model it started from, thereby obtaining the final model; the optimization process is expressed by equation (4), whose terms are a sigmoid function, the final model, the policy model, the log data, the correct reasoning steps, the erroneous reasoning steps, and a hyper-parameter controlling how far the final model may deviate from the policy model.
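The objectives that claims 3, 7, 8 and 10 refer to as formula (1) to equation (4) appear on this page only by number and by a list of their terms. Written out below, as an added worked example and not the patent's own typesetting, are the standard forms of those four objectives that match the listed terms; every symbol used here (D, x, n, l, e, w, y, r, π, β, θ) is an editorial choice and is not taken from the patent.

Continued pre-training (formula (1)): next-token cross-entropy over a corpus $D$ of text sequences $x^{(i)}$ of length $n_i$, where $x^{(i)}_{<t}$ is the context preceding position $t$:

$$\mathcal{L}_{\mathrm{CPT}}(\theta) = -\sum_{i=1}^{|D|}\sum_{t=1}^{n_i} \log P_\theta\!\left(x^{(i)}_t \mid x^{(i)}_{<t}\right)$$

First-stage supervised fine-tuning (formula (2)) on the strategy data set $D_s$, whose entries are a log $l$, an error cause $e$ and the analysis workflow $w$ for that event type:

$$\mathcal{L}_{\mathrm{SFT\text{-}1}}(\theta) = -\,\mathbb{E}_{(l,\,e,\,w)\sim D_s}\,\log P_\theta(w \mid l, e)$$

Correct and error sets of step S3.4, with label $y$, model prediction $\hat y$ and generated reasoning $r$, and second-stage supervised fine-tuning (formula (3)) on the correct set only:

$$D_c=\{(l,y,\hat y,r^{+}) : \hat y = y\}, \qquad D_e=\{(l,y,\hat y,r^{-}) : \hat y \neq y\}$$

$$\mathcal{L}_{\mathrm{SFT\text{-}2}}(\theta) = -\,\mathbb{E}_{(l,\,y,\,\hat y,\,r^{+})\sim D_c}\,\log P_\theta\!\left(r^{+}, \hat y \mid l\right)$$

Preference optimization (equation (4)): the preference set $D_p$ pairs each erroneous trace $r^{-}$ from $D_e$ with the teacher's corrected trace $r^{+}$; $\pi_\theta$ is the final model, $\pi_{\mathrm{ref}}$ the policy model of step S3.5, $\sigma$ the sigmoid and $\beta$ the deviation hyper-parameter:

$$\mathcal{L}_{\mathrm{DPO}}(\theta) = -\,\mathbb{E}_{(l,\,r^{+},\,r^{-})\sim D_p}\,\log\sigma\!\left(\beta\log\frac{\pi_\theta(r^{+}\mid l)}{\pi_{\mathrm{ref}}(r^{+}\mid l)} \;-\; \beta\log\frac{\pi_\theta(r^{-}\mid l)}{\pi_{\mathrm{ref}}(r^{-}\mid l)}\right)$$

The argument of the sigmoid is the implicit reward margin between corrected and erroneous reasoning; minimizing the loss widens that margin, and because each term is a log-ratio against $\pi_{\mathrm{ref}}$, a larger $\beta$ keeps the final model closer to the policy model, which is the role claim 10 assigns to its hyper-parameter.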
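Claim 2 (and the description's restatement of step S1) describes MinHash near-duplicate removal over the corpus. The following is an added example, not code from the patent: a self-contained MinHash implementation over word 3-gram shingles with 256 hash functions, run on three constructed documents (two near-duplicate incident write-ups and an unrelated device-manual excerpt). The 0.7 threshold, the shingle size, the number of hash functions and the document texts are all assumptions; the TinyBERT relevance classifier of the same claim is not shown.

```python
import hashlib
import random
import re

MERSENNE_PRIME = (1 << 61) - 1  # modulus for the universal hash family

# Constructed corpus (assumption): two near-duplicate incident write-ups and
# one unrelated device-manual excerpt, standing in for blog posts and manuals.
CORPUS = {
    "blog-a": (
        "Analysts observed repeated SQL injection attempts against the login endpoint "
        "of the customer portal. The requests originated from a single source address "
        "and used a UNION based payload in the username parameter. The web application "
        "firewall blocked every request and no data was returned to the client."
    ),
    "blog-b": (
        "Analysts observed repeated SQL injection attempts against the login endpoint "
        "of the customer portal. The requests originated from a single source address "
        "and used a UNION based payload in the username parameter. The web application "
        "firewall blocked each request and no data was returned to the client."
    ),
    "manual-a": (
        "This manual describes installation of the rack mounted switch, including the "
        "power supply, the console port and the firmware update procedure."
    ),
}


def shingles(text, k=3):
    """Lower-cased word k-grams of a text, as a set; this is the MinHash input."""
    tokens = re.findall(r"[a-z0-9]+", text.lower())
    if len(tokens) < k:
        raise ValueError("text is shorter than one shingle")
    return {" ".join(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}


def _stable_hash(shingle):
    """64-bit hash of a shingle; hashlib (not hash()) keeps it identical across runs."""
    digest = hashlib.blake2b(shingle.encode("utf-8"), digest_size=8).digest()
    return int.from_bytes(digest, "big")


def hash_family(num_perm=256, seed=0):
    """Coefficients (a, b) of num_perm random hash functions h(x) = (a*x + b) mod p."""
    rng = random.Random(seed)
    return [(rng.randrange(1, MERSENNE_PRIME), rng.randrange(MERSENNE_PRIME))
            for _ in range(num_perm)]


def minhash_signature(shingle_set, family):
    """Minimum of each hash function over the set: P[sig_i(A)==sig_i(B)] = Jaccard(A,B)."""
    values = [_stable_hash(s) for s in shingle_set]
    return [min((a * x + b) % MERSENNE_PRIME for x in values) for a, b in family]


def estimate_jaccard(sig_a, sig_b):
    """Fraction of agreeing signature positions estimates the Jaccard similarity."""
    return sum(x == y for x, y in zip(sig_a, sig_b)) / len(sig_a)


def exact_jaccard(set_a, set_b):
    """Exact Jaccard, used here only to check the estimate on the small corpus."""
    return len(set_a & set_b) / len(set_a | set_b)


def dedupe_corpus(corpus, threshold=0.7, num_perm=256, k=3):
    """Greedy near-duplicate removal: a text is dropped when its estimated similarity
    to an already kept text reaches the threshold. Returns (kept ids, dropped -> kept)."""
    family = hash_family(num_perm)
    sigs = {doc_id: minhash_signature(shingles(text, k), family)
            for doc_id, text in corpus.items()}
    kept, dropped = [], {}
    for doc_id in corpus:
        match = next((kid for kid in kept
                      if estimate_jaccard(sigs[doc_id], sigs[kid]) >= threshold), None)
        if match is None:
            kept.append(doc_id)
        else:
            dropped[doc_id] = match
    return kept, dropped


if __name__ == "__main__":
    family = hash_family()
    sig = {d: minhash_signature(shingles(t), family) for d, t in CORPUS.items()}
    print("exact   blog-a/blog-b:", exact_jaccard(shingles(CORPUS["blog-a"]), shingles(CORPUS["blog-b"])))
    print("minhash blog-a/blog-b:", estimate_jaccard(sig["blog-a"], sig["blog-b"]))
    print("minhash blog-a/manual-a:", estimate_jaccard(sig["blog-a"], sig["manual-a"]))
    print("kept, dropped:", dedupe_corpus(CORPUS))
```

The two write-ups differ in a single word, which changes three of the 45 word 3-grams, so their exact Jaccard similarity is 42/48 = 0.875; with 256 hash functions the MinHash estimate lands within a few hundredths of that, and the greedy pass keeps blog-a and the manual while recording blog-b as a near-duplicate of blog-a. On a real corpus the pairwise loop over kept documents is replaced by banding the signatures into a locality-sensitive hash index so that only candidate pairs are compared.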
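Claim 4 specifies the preprocessing of step S2: strip fields irrelevant to risk grading, keep the timestamp, source IP, destination IP, HTTP request body and HTTP response body, and convert the result to a standardized format. The code below is an added example, not the patent's own preprocessing code: it accepts two constructed raw alarm records in different vendor-style layouts (a JSON object and a key=value line), maps vendor field names onto the five key fields, normalizes timestamps to UTC ISO 8601, validates and canonicalizes IP addresses, and emits one canonical JSON line per alarm. The vendor field names in ALIASES and both sample records are assumptions.

```python
import ipaddress
import json
import re
from datetime import datetime, timezone

# The five key fields claim 4 retains for risk-level analysis.
KEY_FIELDS = ("timestamp", "src_ip", "dst_ip", "http_request", "http_response")

# Vendor field names mapped onto the key fields (assumption: these aliases are
# illustrative, not taken from the patent). Any other field is treated as redundant.
ALIASES = {
    "timestamp": ("timestamp", "ts", "time", "@timestamp"),
    "src_ip": ("src_ip", "sip", "src", "source_ip"),
    "dst_ip": ("dst_ip", "dip", "dst", "dest_ip"),
    "http_request": ("http_request", "req", "request"),
    "http_response": ("http_response", "resp", "response"),
}

# Constructed sample alarms (assumption): one JSON record from a WAF-style probe
# and one key=value line from a different sensor, both carrying vendor-specific noise.
RAW_ALARMS = [
    '{"ts": 1732800000, "sip": "203.0.113.7", "dip": "10.0.0.12", '
    '"rule": "waf-sqli-001", "sensor": "probe-3", "pkt_len": 512, '
    '"req": "POST /login HTTP/1.1\\r\\nHost: portal.example\\r\\n\\r\\n'
    'user=admin%27%20OR%201%3D1--&pass=x", '
    '"resp": "HTTP/1.1 403 Forbidden\\r\\n\\r\\nblocked"}',
    'time="2024-11-28T14:00:05+08:00" src=198.51.100.4 dst=10.0.0.12 '
    'request="GET /health HTTP/1.1" response="HTTP/1.1 200 OK" sig_id=12 vlan=7',
]

_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_raw(raw):
    """Accept either a JSON object or a key=value line and return a flat dict."""
    raw = raw.strip()
    if raw.startswith("{"):
        return json.loads(raw)
    return {key: quoted or bare for key, quoted, bare in _KV_RE.findall(raw)}


def normalize_timestamp(value):
    """Epoch seconds or an ISO 8601 string with offset -> UTC ISO 8601 string."""
    if isinstance(value, (int, float)) or (isinstance(value, str) and value.isdigit()):
        dt = datetime.fromtimestamp(float(value), tz=timezone.utc)
    else:
        text = str(value)
        if text.endswith("Z"):
            text = text[:-1] + "+00:00"
        dt = datetime.fromisoformat(text)
        if dt.tzinfo is None:
            raise ValueError(f"timestamp has no timezone: {value!r}")
        dt = dt.astimezone(timezone.utc)
    return dt.isoformat()


def normalize_ip(value):
    """Reject malformed addresses and canonicalize the text form (IPv6 compression)."""
    return str(ipaddress.ip_address(value))


def preprocess(raw):
    """Keep only the key fields, normalize them, and return the canonical record.
    A missing timestamp or address is an error: such an alarm cannot be graded."""
    record = parse_raw(raw)
    out = {field: next((record[name] for name in names if name in record), None)
           for field, names in ALIASES.items()}
    for field in ("timestamp", "src_ip", "dst_ip"):
        if out[field] is None:
            raise ValueError(f"alarm record lacks key field {field!r}")
    out["timestamp"] = normalize_timestamp(out["timestamp"])
    out["src_ip"] = normalize_ip(out["src_ip"])
    out["dst_ip"] = normalize_ip(out["dst_ip"])
    return out


def to_standard_line(record):
    """Standardized format: one JSON object per alarm with a fixed key order."""
    return json.dumps(record, sort_keys=True, ensure_ascii=False)


if __name__ == "__main__":
    for raw in RAW_ALARMS:
        print(to_standard_line(preprocess(raw)))
```

Both records come out with the same five keys and the same timestamp and address conventions, so the labeling model of claim 5 sees one layout regardless of which sensor produced the alarm; the request and response bodies are left untouched, since the payload (here a URL-encoded `' OR 1=1--` in the username parameter) is exactly what the risk grading has to reason about.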
Description
Large model training method in network security alarm log field
Technical Field
The invention relates to the technical field of network security, in particular to a large model training method in the field of network security alarm logs.
Background
With the rapid development of information technology and the continued advance of digital transformation, security operation centers face ever more serious operational challenges. Network security threats are growing exponentially and attack techniques keep evolving. Security devices of many kinds, such as network traffic probes, generate massive volumes of log data at rates far beyond human processing capacity. Traditional rule-based detection is inflexible and struggles with complex, changing attack patterns, and the alarm logs it produces typically suffer from repeated information, missing high-risk alarms and useful information drowned in noise, so that operations staff cannot identify real threats in time. The rapid development of large language models (LLMs) offers new solutions to these challenges. LLMs have marked advantages in text processing, with strong language understanding and reasoning ability; they can improve the efficiency and accuracy of key security tasks such as threat detection and vulnerability analysis, and effectively reduce alarm noise. However, applying a general-purpose LLM to network security alarm logs still faces several problems.
First, the training data of a general-purpose LLM comes mainly from large volumes of general text and lacks in-depth learning of the specialist knowledge and specific scenarios of the security field, so when such a model processes alarm information it readily produces output that sounds plausible but is factually wrong or meaningless. Second, alarm logs contain many terms, abbreviations and specific formats whose meaning a general model may not understand accurately, which limits comprehension and makes the analysis results inaccurate. Third, in real alarm log analysis experienced technicians usually perform multi-step reasoning over combined information, and this structured reasoning keeps the whole analysis logically consistent and accurate; a general model often produces a fragmented or unfocused reasoning process and cannot distil an analysis workflow for the alarm log task.
Disclosure of Invention
To solve these problems the invention provides a large model training method for the field of network security alarm logs, which adapts more precisely to the analysis requirements of that field, effectively reduces alarm log noise, markedly improves model performance on alarm analysis tasks, improves the accuracy of risk level judgement and reduces manual processing cost.
To achieve this, the technical scheme adopted by the invention is as follows. A large model training method in the field of network security alarm logs comprises the following steps: S1, continuously pre-training a first large language model on a network security corpus to obtain a pre-training model; S2, collecting network security alarm logs, preprocessing the alarm log data, formulating a level standard, and preliminarily labeling the risk level of each alarm log with a second large language model to obtain a labeled alarm log data set; S3, performing coarse-to-fine reasoning-enhanced supervised fine-tuning on the labeled alarm log data set to obtain a policy model; S4, constructing a preference data set from the analysis error data, and performing preference optimization on the policy model with the preference data set to obtain a final model. Further, in step S1, the network security corpus includes professional security blogs, technical reports, threat intelligence, vulnerability analyses, academic papers, local asset databases and equipment manuals; in step S1, duplicate detection is performed on the corpus with the MinHash algorithm (a fuzzy-hashing technique), extracting a characteristic hash signature for each text to identify high-similarity content and deleting exact and near-duplicate texts to obtain cleaned data, after which a TinyBERT-based binary classifier is constructed and the texts it predicts to be irrelevant or of low relevance are filtered out, retaining only the corpus with high relevance to network security. Further, in step S1, the cor