CN-122001690-A - Network security alarm efficient handling method based on dynamic graph neural network
Abstract
The invention relates to an efficient network security alarm handling method based on a dynamic graph neural network, belonging to the technical field of artificial intelligence and network security. The method comprises: collecting network security alarm, agent and handling tool information and preprocessing the data; creating an initial dynamic graph; monitoring changes in the network environment in real time and updating the dynamic graph; training a dynamic graph neural network model on historical alarm handling data, taking the dynamic graph as input and outputting recommendations for an agent and a handling tool; feeding handling results back to continuously update and optimise the model; determining the most suitable agent and handling tool for the current alarm; converting the determined handling scheme into specific instructions and sending them to the corresponding agent and handling tool for execution; monitoring the handling effect in real time during execution; and feeding the results back to the alarm system to optimise the dynamic graph and the model. The invention offers intelligent analysis, efficient handling and good extensibility.
Inventors
- PU YANHONG
- QU RUI
- HAN LU
- LIANG HAOYUAN
- WANG SHILEI
- MENG XIANGYAN
- YANG CHUNPING
- YANG YAQI
- LUO LIN
- CHEN JIAQING
- ZHU LIEHUANG
- ZHOU YONGBIN
- ZHANG YING
- HU WENFEI
Assignees
- 云南省大数据有限公司
Dates
- Publication Date
- 20260508
- Application Date
- 20260410
Claims (10)
- 1. A network security alarm efficient handling method based on a dynamic graph neural network, characterised by comprising the following steps: S1, collecting network security alarm information, agent information and handling tool information in the network environment, and performing data preprocessing, wherein the data preprocessing comprises data cleaning, conversion and feature extraction; S2, creating an initial dynamic graph from the preprocessed data, representing network security alarms, agents and handling tools as nodes, representing the relationships between nodes as edges, and giving the nodes and edges their corresponding attributes; S3, monitoring changes in the network environment in real time and updating the dynamic graph accordingly; S4, training a dynamic graph neural network model on historical network security alarm handling data, taking the dynamic graph as input and outputting recommendations for an agent and a handling tool; S5, according to the model output and considering several decision strategies together, determining the most suitable agent and handling tool to handle the current network security alarm; S6, converting the determined handling scheme into specific instructions, sending them to the corresponding agent and handling tool for execution, monitoring the handling effect in real time during execution, and feeding the result back to the alarm system to further optimise the dynamic graph and the model.
- 2. The method for efficiently handling network security alarms based on a dynamic graph neural network of claim 1, wherein S2 comprises: S2.1, determining the node types and attributes, wherein network security alarms, agents and handling tools are the three node types of the dynamic graph; S2.2, determining the edge types and attributes, wherein edges represent the relationships between nodes; S2.3, constructing the initial dynamic graph from the node set and the edge set; S2.4, initialising the node and edge embeddings, namely node embedding initialisation and edge embedding initialisation: node embeddings are initialised with random vectors, and edge embeddings are initialised as one-hot vectors of the corresponding relation type.
- 3. The method for efficiently handling network security alarms based on a dynamic graph neural network according to claim 1, wherein in step S3, monitoring changes in the network environment in real time means: first, continuously monitoring the real-time alarm information generated by network security devices and, as soon as a new alarm is detected, immediately obtaining its details, including the key elements of alarm type, alarm level and time of occurrence; second, monitoring the registration or installation of agents and handling tools in the system and, when a new agent or handling tool comes online, promptly obtaining its function description and scope of application; third, tracking the processing progress and state changes of existing alarms, including alarm level adjustments and processing state updates.
- 4. The method for efficiently handling network security alarms based on a dynamic graph neural network of claim 1, wherein in S3, updating the dynamic graph comprises adding a newly appearing alarm, agent or handling tool to the dynamic graph as a new node; and when a new node is added to the dynamic graph, updating the embedded representations of nodes and edges comprises: when node attributes change or new nodes are added, updating the node embeddings with the graph neural network model; for newly added nodes, obtaining the initial embedding vector by random initialisation or by encoding the node's attributes, and then gradually optimising it through model training; for existing nodes, updating the embedding vector according to their attribute changes and their interactions with neighbouring nodes; when the attributes or relation of an edge change, updating its embedded representation correspondingly, either by recalculating it with the graph neural network model or by adjusting it according to the edge's attribute change and the embedding vectors of the nodes it connects, so that the edge embedding accurately reflects the relationship and interaction between the nodes.
- 5. The method for efficiently handling network security alarms based on a dynamic graph neural network according to claim 1, wherein step S4 comprises: S41, determining and initialising the model, namely selecting a suitable dynamic graph neural network model and initialising its parameters, including the node embedding matrix and the edge embedding matrix; S42, forward propagation, namely feeding the dynamic graph into the model, aggregating and updating node and edge features through the multi-layer structure of the graph neural network, and obtaining an output representation for each node; S43, computing the loss from the recommendation output by the model and the actual handling result, using a cross-entropy loss: for an alarm node, given the agent that was actually selected, the handling tool that was actually selected, the agent selection probability distribution predicted by the model and the handling tool selection probability distribution predicted by the model, the loss function is expressed as: ; S44, back propagation, namely computing the gradient of the loss with respect to the model parameters by the back propagation algorithm and updating the parameters with an optimisation algorithm to minimise the loss; S45, collecting new data, namely collecting new network security alarm handling data in real time while the model is in use, including the updated structure of the dynamic graph and new handling result data; S46, periodic fine-tuning, namely fine-tuning the model at regular intervals on the new training data set, using the same forward propagation, loss computation and back propagation as in training, and updating the model parameters; S47, performance evaluation and verification, namely evaluating and verifying the model after it has been updated.
- 6. The method for efficiently handling network security alarms based on a dynamic graph neural network according to claim 1, wherein step S5 comprises: S51, obtaining the model output, namely the recommended agent and handling tool for the current network security alarm from the trained dynamic graph neural network model, the recommendation comprising a probability distribution over agents and a probability distribution over handling tools; S52, probability-based decision, namely selecting the agent with the highest probability as the recommended agent and, likewise, the handling tool with the highest probability as the recommended handling tool; S53, threshold-based decision, namely setting a threshold such that, if the maximum probability is below the threshold, the current model output is considered unreliable and further analysis or manual intervention is required; S54, combining several decision strategies with business rules, namely adjusting the model's recommendation according to the actual network security handling requirements and the business rules; S55, multi-objective optimisation decision, namely constructing a multi-objective optimisation model over several decision objectives and combining all objectives through weight allocation or sequential optimisation to obtain the final decision, defining the objective function: ; wherein the symbols denote, respectively, the weight of each objective, the final objective function, the handling effect, the resource consumption and the handling time, the weights being adjusted according to actual requirements to achieve the optimal handling effect.
- 7. The method for efficiently handling network security alarms based on a dynamic graph neural network according to claim 1, wherein step S6 comprises: S61, converting the handling scheme into specific instructions, namely converting the combination of agent and handling tool determined by the intelligent decision module into concrete instructions: for the selected agent and handling tool, generating the corresponding execution instructions according to their functions and operating requirements; for example, if the agent is an agent for analysing network traffic, the instructions comprise starting traffic monitoring and setting the monitoring parameters, and if the handling tool is a tool for defending against DDoS attacks, the instructions comprise enabling the defence mode and configuring the defence policy; S62, sending the generated instructions to the corresponding agent and handling tool, which execute the specific handling operations; S63, monitoring the handling effect in real time, namely collecting feedback data during execution and monitoring the handling effect, wherein the feedback data comprise changes in alarm state, changes in network performance indicators, and the running state of the agent and handling tool; S64, integrating and analysing the feedback, namely feeding the monitored handling result back to the system to further optimise the dynamic graph and the model, specifically: collecting the alarm state, the network performance indicators and the operation logs of the agent and handling tool after handling; preprocessing the feedback data, including cleaning and conversion, so that it matches the structure of the dynamic graph and the input requirements of the model; updating the dynamic graph from the feedback data; and using the feedback data as new training samples which, together with historical data, are used to retrain or fine-tune the model, updating the model parameters gradually by incremental learning so that the model keeps adapting to new network security situations; S65, optimising system performance, namely continuously optimising the system through analysis of the feedback data and updating of the model, and adjusting the system's parameters and strategies according to the evaluation indicators of the handling effect to achieve optimal performance.
- 8. A network security alarm efficient handling system based on a dynamic graph neural network, comprising: a data acquisition and preprocessing module for collecting network security alarm information, agent information and handling tool information in the network environment and preprocessing the data, wherein the data preprocessing comprises data cleaning, conversion and feature extraction; a dynamic graph construction module for creating an initial dynamic graph from the preprocessed data, representing network security alarms, agents and handling tools as nodes, representing the relationships between nodes as edges, and giving the nodes and edges their corresponding attributes; a dynamic graph updating module for monitoring changes in the network environment in real time and updating the dynamic graph accordingly; a model training and updating module for training the dynamic graph neural network model on historical network security alarm handling data, taking the dynamic graph as input and outputting recommendations for an agent and a handling tool; an intelligent decision module for considering several decision strategies together according to the model output and determining the most suitable agent and handling tool to handle the current network security alarm; and a handling execution and feedback module for converting the determined handling scheme into specific instructions, sending them to the corresponding agent and handling tool for execution, monitoring the handling effect in real time during execution, and feeding the results back to the alarm system to further optimise the dynamic graph and the model.
- 9. The network security alarm efficient handling system based on a dynamic graph neural network of claim 8, wherein the dynamic graph neural network model used by the model training and updating module comprises an input layer, a hidden layer and an output layer, and the hidden layer uses a graph convolution layer and a graph attention layer to aggregate and update the features of nodes and edges.
- 10. The network security alarm efficient handling system based on a dynamic graph neural network of claim 8, wherein the handling execution and feedback module adjusts the handling strategy according to the handling effect monitored in real time while the handling scheme is executed, and integrates the feedback data into the system to further optimise the dynamic graph and the model.
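The dynamic graph of claims 2 to 4, as an added worked example in Python (not the patent's own code): alarm, agent and handling-tool nodes with randomly initialised embeddings, edges whose embeddings are one-hot vectors of the relation type, and an update routine for the monitored events of claim 3. The node attributes, the relation types handled_by / uses_tool / related_alarm, the event format and the sample records are all assumptions made for illustration.

```python
"""Added example (not the patent's own code): a dynamic graph of alarm, agent and
handling-tool nodes with typed edges, as described in claims 2 to 4.
Node attributes, relation types and the event format are assumptions."""
import random
from dataclasses import dataclass, field

NODE_TYPES = ("alarm", "agent", "tool")
# Assumed relation types; the claims only say that an edge carries a relation type.
RELATION_TYPES = ("handled_by", "uses_tool", "related_alarm")
EMBED_DIM = 4


def one_hot_relation(rel):
    """Edge embedding initialisation: one-hot vector of the relation type (S2.4)."""
    if rel not in RELATION_TYPES:
        raise ValueError(f"unknown relation type: {rel}")
    return [1.0 if r == rel else 0.0 for r in RELATION_TYPES]


@dataclass
class DynamicGraph:
    rng: random.Random = field(default_factory=lambda: random.Random(0))
    nodes: dict = field(default_factory=dict)  # id -> {"type", "attrs", "embed"}
    edges: dict = field(default_factory=dict)  # (src, dst) -> {"rel", "embed"}

    def add_node(self, node_id, node_type, **attrs):
        if node_type not in NODE_TYPES:
            raise ValueError(f"unknown node type: {node_type}")
        if node_id in self.nodes:
            raise ValueError(f"duplicate node id: {node_id}")
        # Node embedding initialisation: random vector (S2.4), refined later by training.
        embed = [self.rng.uniform(-1.0, 1.0) for _ in range(EMBED_DIM)]
        self.nodes[node_id] = {"type": node_type, "attrs": dict(attrs), "embed": embed}

    def add_edge(self, src, dst, rel):
        if src not in self.nodes or dst not in self.nodes:
            raise KeyError("both endpoints must exist before an edge is added")
        self.edges[(src, dst)] = {"rel": rel, "embed": one_hot_relation(rel)}

    def update_attrs(self, node_id, **changes):
        """S3, third point: track level/state changes of an existing alarm in place."""
        self.nodes[node_id]["attrs"].update(changes)

    def neighbours(self, node_id):
        return sorted({d for s, d in self.edges if s == node_id}
                      | {s for s, d in self.edges if d == node_id})


# Constructed sample records standing in for the preprocessed data of S1.
ALARMS = [
    {"id": "alm-1", "type": "ddos", "level": "high", "state": "open", "ts": 1700000000},
    {"id": "alm-2", "type": "port_scan", "level": "low", "state": "open", "ts": 1700000060},
]
AGENTS = [{"id": "agt-flow", "capability": "traffic_analysis", "online": True}]
TOOLS = [{"id": "tool-ddos", "capability": "ddos_defence"}]
HISTORY = [("alm-1", "agt-flow", "tool-ddos")]  # past handling: alarm -> agent -> tool


def build_initial_graph(alarms=ALARMS, agents=AGENTS, tools=TOOLS, history=HISTORY):
    """S2.3: build the node set and the edge set from the collected records."""
    g = DynamicGraph()
    for kind, records in (("alarm", alarms), ("agent", agents), ("tool", tools)):
        for rec in records:
            g.add_node(rec["id"], kind, **{k: v for k, v in rec.items() if k != "id"})
    for alarm_id, agent_id, tool_id in history:
        g.add_edge(alarm_id, agent_id, "handled_by")
        g.add_edge(agent_id, tool_id, "uses_tool")
    return g


def apply_event(g, event):
    """S3 / claim 4: update the graph on a monitored environment change."""
    kind = event["kind"]
    if kind == "new_alarm":
        g.add_node(event["id"], "alarm", **event["attrs"])
        for other in event.get("related_to", []):
            g.add_edge(event["id"], other, "related_alarm")
    elif kind in ("new_agent", "new_tool"):
        g.add_node(event["id"], kind.split("_")[1], **event["attrs"])
    elif kind == "alarm_update":
        g.update_attrs(event["id"], **event["attrs"])
    else:
        raise ValueError(f"unknown event kind: {kind}")
    return g
```

Related alarms become explicit edges at insertion time, which is what lets a later model step see that several alarms belong to one attack instead of handling each in isolation; a real deployment would also refresh the node embeddings with the model after each event, which claim 4 describes but this block leaves to the training code.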
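Steps S41 to S44 of claim 5, as an added example in plain Python (not the patent's code): a one-layer mean-aggregation graph network over a constructed six-node graph, two softmax heads for agent and tool selection, a cross-entropy loss over both heads, and back propagation derived by hand. The node features, the labels, the tanh activation, the summing of the two cross-entropy terms and the learning rate are assumptions; the page does not give the loss formula, so the summed form is this example's choice.

```python
"""Added example (not the patent's own code): forward propagation, cross-entropy
loss and back propagation for the recommender of claim 5, in plain Python.
The graph, features, labels and the one-layer mean-aggregation GNN are assumptions."""
import math
import random

# Constructed mini dynamic graph. Features are assumed to encode alarm type/level
# for alarm nodes and capability for agent/tool nodes.
FEATURES = {
    "alm-ddos": [1.0, 0.0, 0.9], "alm-scan": [0.0, 1.0, 0.2],
    "agt-flow": [0.5, 0.5, 0.0], "agt-host": [0.2, 0.8, 0.0],
    "tool-ddos": [1.0, 0.0, 0.0], "tool-fw": [0.0, 1.0, 0.0],
}
NEIGHBOURS = {  # undirected view of the relation edges
    "alm-ddos": ["agt-flow", "tool-ddos"], "alm-scan": ["agt-host", "tool-fw"],
    "agt-flow": ["alm-ddos"], "agt-host": ["alm-scan"],
    "tool-ddos": ["alm-ddos"], "tool-fw": ["alm-scan"],
}
AGENTS = ["agt-flow", "agt-host"]
TOOLS = ["tool-ddos", "tool-fw"]
# Historical handling records (constructed) act as labels: alarm -> (agent, tool).
LABELS = {"alm-ddos": ("agt-flow", "tool-ddos"), "alm-scan": ("agt-host", "tool-fw")}
IN_DIM, HIDDEN = 3, 4


def _matvec(W, x):
    return [sum(w * xi for w, xi in zip(row, x)) for row in W]


def _outer(a, b):
    return [[ai * bj for bj in b] for ai in a]


def _softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]


def init_params(seed=0):
    """S41: initialise the GNN layer and the two output heads (agent, tool)."""
    rng = random.Random(seed)

    def rnd(n, m):
        return [[rng.uniform(-0.5, 0.5) for _ in range(m)] for _ in range(n)]

    return {"W1": rnd(HIDDEN, IN_DIM), "Wa": rnd(len(AGENTS), HIDDEN), "Wt": rnd(len(TOOLS), HIDDEN)}


def forward(params, node):
    """S42: mean-aggregate the node with its neighbours, one tanh layer, two softmax heads."""
    group = [node] + NEIGHBOURS[node]
    agg = [sum(FEATURES[u][i] for u in group) / len(group) for i in range(IN_DIM)]
    h = [math.tanh(v) for v in _matvec(params["W1"], agg)]
    return agg, h, _softmax(_matvec(params["Wa"], h)), _softmax(_matvec(params["Wt"], h))


def loss_and_grads(params, node):
    """S43/S44: summed cross-entropy of both heads (the combination is assumed) and its
    gradients, derived by hand: dL/dlogits = p - onehot(y) for a softmax head."""
    agg, h, pa, pt = forward(params, node)
    ya, yt = AGENTS.index(LABELS[node][0]), TOOLS.index(LABELS[node][1])
    loss = -math.log(pa[ya]) - math.log(pt[yt])
    ga = [p - (1.0 if i == ya else 0.0) for i, p in enumerate(pa)]
    gt = [p - (1.0 if i == yt else 0.0) for i, p in enumerate(pt)]
    grads = {"Wa": _outer(ga, h), "Wt": _outer(gt, h)}
    # Back through both heads into h, then through tanh (derivative 1 - h^2) into W1.
    dh = [sum(params["Wa"][i][j] * ga[i] for i in range(len(ga)))
          + sum(params["Wt"][i][j] * gt[i] for i in range(len(gt))) for j in range(HIDDEN)]
    dz = [d * (1.0 - hj * hj) for d, hj in zip(dh, h)]
    grads["W1"] = _outer(dz, agg)
    return loss, grads


def train(params, epochs=300, lr=0.2):
    """S44: stochastic gradient descent over the labelled alarm nodes; returns loss per epoch."""
    history = []
    for _ in range(epochs):
        total = 0.0
        for node in LABELS:
            loss, grads = loss_and_grads(params, node)
            total += loss
            for name, dW in grads.items():
                for row, drow in zip(params[name], dW):
                    for j, g in enumerate(drow):
                        row[j] -= lr * g
        history.append(total)
    return history


def recommend(params, node):
    """S4 output: the most probable agent and handling tool for an alarm node."""
    _, _, pa, pt = forward(params, node)
    return AGENTS[pa.index(max(pa))], TOOLS[pt.index(max(pt))]


if __name__ == "__main__":
    p = init_params()
    hist = train(p)
    print(f"loss {hist[0]:.3f} -> {hist[-1]:.3f}", {n: recommend(p, n) for n in LABELS})
```

The labels come from the same edges the model aggregates over, which is exactly the situation the claims describe (historical handling relationships are part of the graph), but it also means the model is being scored on data it can see; a deployment should evaluate on alarms whose handling edges are held out, as S47 requires.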
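The decision strategies of claim 6 and the instruction generation and feedback loop of claim 7, as an added example in Python (not the patent's code). The confidence threshold, the business rules, the form of the weighted objective, the effect/resource/time estimates and the instruction templates are assumptions, and the dispatcher and its feedback are simulated. The allow-list check in build_instructions is a control the claims do not mention but any deployment that lets a model drive security tooling should have: the model picks among pre-approved instructions and never composes free-form commands.

```python
"""Added example (not the patent's own code): the decision layer of claim 6 and the
instruction generation / feedback loop of claim 7. The confidence threshold, business
rules, weighted objective form, effect/cost estimates and instruction templates are
assumptions; the dispatcher and its feedback are simulated."""

AGENTS = ["agt-flow", "agt-host"]
TOOLS = ["tool-ddos", "tool-fw"]
CONF_THRESHOLD = 0.6  # S53: below this the model output is treated as unreliable

# S54 business rules (assumed): tool scope by alarm type, agent availability.
TOOL_SCOPE = {"tool-ddos": {"ddos"}, "tool-fw": {"ddos", "port_scan"}}
AGENT_ONLINE = {"agt-flow": True, "agt-host": False}

# S55 inputs (assumed estimates per (agent, tool) pair, e.g. from past outcomes).
EFFECT = {("agt-flow", "tool-ddos"): 0.9, ("agt-flow", "tool-fw"): 0.5,
          ("agt-host", "tool-ddos"): 0.4, ("agt-host", "tool-fw"): 0.7}
RESOURCE = {("agt-flow", "tool-ddos"): 0.7, ("agt-flow", "tool-fw"): 0.2,
            ("agt-host", "tool-ddos"): 0.6, ("agt-host", "tool-fw"): 0.3}
TIME = {("agt-flow", "tool-ddos"): 0.5, ("agt-flow", "tool-fw"): 0.2,
        ("agt-host", "tool-ddos"): 0.8, ("agt-host", "tool-fw"): 0.4}
WEIGHTS = (1.0, 0.3, 0.2)  # effect, resource, time (assumed; tuned per requirements)

# S61: allow-listed instruction names per target, built from the claim's examples
# (assumed). An automated responder should only emit instructions a target is known
# to accept; the model chooses among them, it never composes commands.
ALLOWED = {
    "agt-flow": {"start_traffic_monitoring", "set_monitoring_params"},
    "agt-host": {"start_host_inspection"},
    "tool-ddos": {"enable_defence_mode", "configure_defence_policy"},
    "tool-fw": {"block_source"},
}


def objective(pair, p_agent, p_tool):
    """Assumed objective form: weighted effect, scaled by the model's joint probability
    for the pair, minus weighted resource consumption and handling time."""
    w_e, w_r, w_t = WEIGHTS
    prob = p_agent[AGENTS.index(pair[0])] * p_tool[TOOLS.index(pair[1])]
    return w_e * EFFECT[pair] * prob - w_r * RESOURCE[pair] - w_t * TIME[pair]


def decide(alarm, p_agent, p_tool, threshold=CONF_THRESHOLD):
    """S51 to S55: confidence gate, business-rule filter, then the weighted objective."""
    best_a, best_t = max(p_agent), max(p_tool)  # S52: argmax confidence per head
    if min(best_a, best_t) < threshold:         # S53: hand over to an analyst
        return {"action": "manual_review",
                "reason": f"confidence {min(best_a, best_t):.2f} below {threshold}"}
    candidates = [(a, t) for a in AGENTS for t in TOOLS   # S54: rule-compliant pairs
                  if AGENT_ONLINE[a] and alarm["type"] in TOOL_SCOPE[t]]
    if not candidates:
        return {"action": "manual_review", "reason": "no rule-compliant agent/tool pair"}
    agent, tool = max(candidates, key=lambda pair: objective(pair, p_agent, p_tool))
    return {"action": "execute", "agent": agent, "tool": tool,
            "score": round(objective((agent, tool), p_agent, p_tool), 4)}


def build_instructions(decision, alarm):
    """S61: concrete, allow-listed instructions for the chosen agent and tool."""
    agent, tool = decision["agent"], decision["tool"]
    instr = []
    if agent == "agt-flow":
        instr += [(agent, "start_traffic_monitoring", {"target": alarm["dst_ip"]}),
                  (agent, "set_monitoring_params", {"window_s": 60})]
    elif agent == "agt-host":
        instr.append((agent, "start_host_inspection", {"host": alarm["dst_ip"]}))
    if tool == "tool-ddos":
        instr += [(tool, "enable_defence_mode", {}),
                  (tool, "configure_defence_policy",
                   {"protect": alarm["dst_ip"], "rate_limit_pps": 10000})]
    elif tool == "tool-fw":
        instr.append((tool, "block_source", {"src_ip": alarm["src_ip"], "ttl_s": 3600}))
    for target, name, _ in instr:
        if name not in ALLOWED[target]:
            raise ValueError(f"{name} is not an allowed instruction for {target}")
    return instr


def execute(instructions):
    """S62/S63: dispatch and collect feedback. Simulated: a real dispatcher would call
    the agent/tool APIs and read the alarm state and network metrics back."""
    sent = [(target, name) for target, name, _ in instructions]
    mitigated = any(name in ("enable_defence_mode", "block_source") for _, name in sent)
    return {"alarm_state": "mitigated" if mitigated else "open", "sent": sent,
            "inbound_pps": {"before": 250000, "after": 8000 if mitigated else 250000}}


def feedback_to_sample(alarm, decision, feedback):
    """S64: turn the feedback into a labelled sample for updating the graph and model."""
    return {"alarm_id": alarm["id"], "alarm_type": alarm["type"],
            "agent": decision["agent"], "tool": decision["tool"],
            "success": feedback["alarm_state"] == "mitigated"}
```

With a port-scan alarm and the same model probabilities, the rule filter removes tool-ddos from the candidates even though the model ranked it first, and the objective then picks tool-fw; that is the business-rule override of S54 in action, and the feedback sample records the pair that was actually executed, not the pair the model preferred.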
Description
Network security alarm efficient handling method based on dynamic graph neural network
Technical Field
The invention relates to an efficient network security alarm handling method based on a dynamic graph neural network, and belongs to the technical field of artificial intelligence and network security.
Background
In the present digital age the network has become the basis of people's life and work, but network security problems are increasingly prominent, attack techniques and patterns are ever more complex, and the number of network security alarms has grown explosively. Timely and effective handling of network security alarms matters for protecting network assets, preventing data leakage and maintaining service continuity.
Traditional network security alarm handling relies mainly on preset rules and human experience. The rules summarise and generalise the common alarm types and their treatments as seen by security personnel. When an alarm occurs, the system matches it to a processing flow according to the preset rules, or a security analyst intervenes manually based on experience. This conventional approach has several limitations and copes poorly with the complex and changing network security environment of today.
On the one hand, network security alarm types are numerous, and different alarms differ widely in cause, scope of impact and handling. Preset rules cannot cover every possible alarm condition, so when a novel attack or a complex alarm scenario arises no effective handling scheme is available; handling is then neither timely nor accurate, resolution of the security problem is delayed, and the window in which an attacker can exploit it grows.
On the other hand, the network environment changes constantly: topology, device state, traffic and security threats all vary over time. Traditional systems have little ability to sense and adapt to these changes and cannot adjust the alarm handling strategy to the real-time network state. For example, when a new attack pattern or exploitation method appears in the network, the system cannot update its rules in time, and the handling effect suffers.
In addition, conventional methods struggle to correlate and analyse the relationships between multiple alarms. In a complex attack a single step may raise several related alarms with definite associations between them. If associated alarms are not identified and analysed correctly, work is duplicated or important information is missed, and the security problem is not fundamentally resolved.
Dynamic graph neural network technology has made significant progress in processing graph-structured data in recent years. It can effectively capture dynamic changes of nodes and edges, and the learning mechanism of the graph neural network can mine complex relationships and semantic information between them. These characteristics give the technology great potential in network security alarm handling: it can overcome the limitations of the traditional approach and achieve efficient and accurate handling of network security alarms.
Disclosure of Invention
The invention provides an efficient network security alarm handling method based on a dynamic graph neural network to overcome the limitations of traditional alarm handling methods in complex and changing network environments. By intelligently analysing network security alarm information, adapting dynamically to changes in the network environment and analysing the associations between multiple alarms, it achieves efficient and accurate handling of network security alarms, improves network security and reduces the adverse effect of security problems on services. The technical scheme of the invention is an efficient network security alarm handling method based on a dynamic graph neural network comprising the following steps: S1, collecting network security alarm information, agent information and handling tool information in the network environment, and performing data preprocessing, wherein the data preprocessing comprises data cleaning, conversion and feature extraction; S2, creating an initial dynamic graph from the preprocessed data, representing network security alarms, agents and handling tools as nodes, representing the relationships between nodes as edges, and giving the nodes and edges their corresponding attributes; S3, monitoring the net