CN112653680A - Model training method, network situation prediction method, device, equipment and medium - Google Patents


Publication number
CN112653680A
Authority
CN
China
Prior art keywords
network security
security situation
training
value
time period
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202011474986.8A
Other languages
Chinese (zh)
Other versions
CN112653680B (en)
Inventor
叶明武
邹晓明
刘楚群
钟超逸
张璐娟
郑兴月
曾夏叶
谭翠容
黄青平
雷雨
王曦彤
何溢
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangdong Power Grid Co Ltd
Heyuan Power Supply Bureau of Guangdong Power Grid Co Ltd
Original Assignee
Guangdong Power Grid Co Ltd
Heyuan Power Supply Bureau of Guangdong Power Grid Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangdong Power Grid Co Ltd, Heyuan Power Supply Bureau of Guangdong Power Grid Co Ltd filed Critical Guangdong Power Grid Co Ltd
Priority to CN202011474986.8A priority Critical patent/CN112653680B/en
Publication of CN112653680A publication Critical patent/CN112653680A/en
Application granted granted Critical
Publication of CN112653680B publication Critical patent/CN112653680B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00 Machine learning
    • G06N20/10 Machine learning using kernel methods, e.g. support vector machines [SVM]

Abstract

The invention discloses a model training method, a network situation prediction method, a device, equipment and a medium, wherein the model training method comprises the following steps: determining the network security situation value of each sample time period; processing the network security situation values of each sample time period according to the processing mode to form a network security situation training sample set; inputting a network security situation training sample set into an initial SVM model optimized by a PSO algorithm, and acquiring errors of each training predicted value and a corresponding actual value; determining patch training samples in a training sample set according to errors of each training predicted value and the corresponding actual value; training the initial SVM model according to the patch training samples to obtain a patch SVM model; and training the initial SVM model according to the remaining normal training samples except the patch training samples in the training sample set to obtain a global SVM model. The model training method is high in training efficiency and high in accuracy of the trained SVM model.

Description

Model training method, network situation prediction method, device, equipment and medium
Technical Field
The embodiment of the invention relates to the field of network security, and in particular to a model training method, a network situation prediction method, a device, equipment and a medium.
Background
In the big data era, information resources of all kinds are transmitted efficiently and with high quality, and data operation efficiency has greatly improved. However, vulnerabilities exist in the operation of network systems, which gives hackers, viruses and the like an opening and exposes the personal privacy information of computer users on the network. The higher the value of the data a user loses, the greater the risk of economic loss. This problem is also a gap in current network security architectures. In view of the importance of the network communication industry, national departments have issued corresponding network security regulations and increased research and development of network security technologies, so as to build a network communication environment with a higher security coefficient and ensure the steady development of the social economy. Predicting the network security situation is a strategy for optimizing network security. By comparatively analysing the collected network security data, the security situation of the power communication network at the next stage is predicted, which greatly reduces the probability of the network being attacked and improves the overall performance of the power communication network.
Although there are many models and methods for perceiving and predicting the network security situation, the models are often not adaptable enough, and the accuracy of the prediction result is not high enough when they are applied directly to perceiving the security situation of a power communication network.
Disclosure of Invention
The invention provides a model training method, a network situation prediction method, a device, equipment and a medium, and aims to solve the technical problem that the accuracy of the prediction result is not high enough when the security situation of an existing power communication network is perceived.
In a first aspect, an embodiment of the present invention provides a model training method, including:
determining a network security situation value of each sample time period according to the network key information data of each sample time period;
processing the network security situation values of each sample time period according to a preset processing mode to form a network security situation training sample set;
inputting the network security situation training sample set into an initial Support Vector Machine (SVM) model optimized by a Particle Swarm Optimization (PSO) algorithm to obtain errors between each training predicted value and a corresponding actual value;
determining patch training samples in the training sample set according to the error between each training predicted value and the corresponding actual value;
training an initial SVM model according to the patch training samples to obtain a patch SVM model;
and training the initial SVM model according to the remaining normal training samples in the training sample set except the patch training samples to obtain a global SVM model.
In a second aspect, an embodiment of the present invention provides a method for predicting a network situation, including:
determining a network security situation value of each historical time period according to the network key information data of each historical time period;
processing the network security situation values of the historical time periods according to a preset processing mode to form a network security situation historical set;
determining a target SVM model corresponding to the network security situation history set; the target SVM model is a patch SVM model or a global SVM model obtained by adopting the model training method in the first aspect;
inputting the network security situation history set into the target SVM model to obtain a network security situation prediction set of a next stage output by the target SVM model;
and processing the network security situation prediction set of the next stage according to a preset inverse processing mode to obtain a final prediction set of the network security situation of the next stage.
In a third aspect, an embodiment of the present invention provides a model training apparatus, including:
the first determining module is used for determining the network security situation value of each sample time period according to the network key information data of each sample time period;
the second determining module is used for processing the network security situation values of all the sample time periods according to a preset processing mode to form a network security situation training sample set;
the acquisition module is used for inputting the network security situation training sample set into an initial SVM model optimized by a PSO algorithm, and acquiring the error between each training predicted value and the corresponding actual value;
a third determining module, configured to determine patch training samples in the training sample set according to errors between each of the training predicted values and the corresponding actual value;
the first training module is used for training an initial SVM model according to the patch training samples to obtain a patch SVM model;
and the second training module is used for training the initial SVM model according to the remaining normal training samples in the training sample set except the patch training samples to obtain a global SVM model.
In a fourth aspect, an embodiment of the present invention provides a network situation prediction apparatus, including:
the fourth determining module is used for determining the network security situation value of each historical time period according to the network key information data of each historical time period;
a fifth determining module, configured to process the network security situation values of the historical time periods according to a preset processing manner, so as to form a network security situation history set;
a sixth determining module, configured to determine a target SVM model corresponding to the network security situation history set; the target SVM model is a patch SVM model or a global SVM model obtained by adopting the model training method in the first aspect;
a seventh determining module, configured to input the network security situation history set into the target SVM model, so as to obtain a network security situation prediction set of a next stage output by the target SVM model;
and the eighth determining module is used for processing the network security situation prediction set of the next stage according to a preset inverse processing mode of the processing mode to obtain a final prediction set of the network security situation of the next stage.
In a fifth aspect, an embodiment of the present invention further provides a computer device, where the computer device includes:
one or more processors;
a memory for storing one or more programs;
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement a model training method as provided in the first aspect or a network situation prediction method as provided in the second aspect.
In a sixth aspect, the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the model training method as provided in the first aspect or the network situation prediction method as provided in the second aspect.
The embodiment of the invention provides a model training method, a network situation prediction method, a device, equipment and a medium, wherein the method comprises the following steps: determining a network security situation value of each sample time period according to the network key information data of each sample time period; processing the network security situation values of each sample time period according to a preset processing mode to form a network security situation training sample set; inputting the network security situation training sample set into an initial SVM model optimized by a PSO algorithm, and acquiring the error between each training predicted value and the corresponding actual value; determining patch training samples in the training sample set according to the error between each training predicted value and the corresponding actual value; training the initial SVM model according to the patch training samples to obtain a patch SVM model; and training the initial SVM model according to the remaining normal training samples in the training sample set, other than the patch training samples, to obtain a global SVM model. In this model training method, on the one hand, the initial SVM model is formed by PSO optimization and training starts from that initial model, which improves the efficiency of the subsequent model training and gives the trained SVM model higher prediction accuracy; on the other hand, based on the patch learning idea, the error of the trained SVM model is greatly reduced and the performance of the model is improved.
Drawings
FIG. 1 is a schematic flow chart of a model training method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a network architecture;
FIG. 3 is a schematic flow chart illustrating a process of determining a network security situation value for each sample time period according to the network key information data for each sample time period;
FIG. 4 is a flowchart illustrating a network situation prediction method according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a model training apparatus according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of a network situation prediction apparatus according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of a computer device according to an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
Fig. 1 is a schematic flow chart of a model training method according to an embodiment of the present invention. This embodiment is applicable to scenarios in which a model capable of predicting the network situation is trained. It may be performed by a model training apparatus, which may be implemented in software and/or hardware and may be integrated in a computer device. As shown in fig. 1, the model training method provided in this embodiment includes the following steps:
Step 101: Determine the network security situation value of each sample time period according to the network key information data of each sample time period.
Specifically, in this embodiment, the original records related to the network key information may be collected from the power communication network, and original network key information data of a fixed time length may be selected from those records, comprising the following 4 aspects of information.
A. Time information, comprising: the sample period i and the average visit amount $F_i$ in sample period i. For convenience of processing and to improve the efficiency of model training, the average visit amount $F_i$ may be the result of quantizing the actual average visit volume. Illustratively, the five levels of the average visit amount can be represented by 1, 2, 3, 4 and 5, respectively; the larger the value, the higher the average visit amount.
B. Host-related information in the network, comprising: the number of hosts n and the importance level $ST_k$ of each host $H_k$ in the network. Illustratively, the importance levels of the hosts may be represented by 1, 2, and 3, respectively.
C. Service layer information in the network, comprising: the total number $m_k$ of services running on each host $H_k$ and the importance level $IM_r$ of each service r provided on host $H_k$. Illustratively, the importance levels of the services may be represented by 1, 2 and 3, respectively.
D. A hacking behavior that triggers an Intrusion Detection System (IDS for short) to generate an alarm is denoted as a {Name, Time, Type, SIP, DIP, SP, DP, Pro, Priority}, where Name, Time, and Type denote the attack characteristics, occurrence time, and type; SIP and DIP denote the source host address and destination host address; SP and DP denote the source host port and destination host port; Pro denotes the protocol type; and Priority denotes the threat level of the attack.
E. The following information is obtained from the attack event log database: in sample time period i, the various attacks $D_{ij}$ on service $S_j$ and their numbers of occurrences $C_{ij}$; the network bandwidth occupancy of each time window in sample time period i
Figure BDA0002834898170000071
and the threat level of the preset attack
Figure BDA0002834898170000072
Since there may be multiple attacks on service $S_j$ in sample period i, $D_{ij}$ and $C_{ij}$ may be vectors. In this embodiment, the sample time period i may be divided into a plurality of time windows according to a preset rule, and the network bandwidth occupancy rate of each time window and the threat level of the preset attack may be determined. Optionally, the preset attack may be a denial-of-service (DoS) attack.
After the original network key information data is obtained, data cleaning can be carried out, and data records containing missing values are removed. And then, generating network key information data corresponding to each sample time period. The network key information data in this embodiment refers to data related to the generation of network security situation values for each sample time period.
Fig. 2 is a schematic diagram of a network architecture. As shown in fig. 2, the Network in this embodiment is a Local Area Network (LAN). The local area network can be represented by three levels: network layer-host layer-service layer. Wherein the host layer comprises n hosts. In the service layer, the total number of services running on each host is m. Each service may encounter multiple attacks.
Based on the hierarchical implementation manner of the network architecture, the network security situation value of each sample time period can be determined in a hierarchical manner of "from bottom to top, local to whole first".
Fig. 3 is a schematic flow chart of determining a network security situation value of each sample time period according to the network key information data of each sample time period. As shown in fig. 3, the determining the network security situation value of each sample time period according to the network key information data of each sample time period provided in this embodiment includes the following steps 301 to 305.
Step 301: Determine a normal access amount vector according to the normal average access amount in each sample time period.
Specifically, the normal access vector may be represented as:
Figure BDA0002834898170000081
wherein the element value
Figure BDA0002834898170000082
$F_i$ represents the average number of visits in sample period i and h represents the number of sample periods. In other words, the average visit amount in each sample time period is normalized to obtain the average visit amount
Figure BDA0002834898170000083
The initial value of the element(s).
Step 302: For each service, determine the attack occurrence frequency vector and the attack severity vector corresponding to the service at the target time according to the severity and occurrence frequency of the various attacks on the service from the target time to the next time in each sample time period.
The time interval between the target time and the next time is a preset interval.
Specifically, the attack occurrence frequency vector of service $S_j$ at the target time t can be expressed as:
Figure BDA0002834898170000084
The attack severity vector of service $S_j$ at the target time t may be expressed as:
Figure BDA0002834898170000085
where
Figure BDA0002834898170000086
represents the numbers of occurrences of the various attacks on service $S_j$ from the target time t to the time t + Δt (i.e. the next time) within sample period i, and u is the number of attack types within the time Δt.
Figure BDA0002834898170000087
represents the severity of the various attacks on service $S_j$ from the target time t to t + Δt within sample time period i.
Figure BDA0002834898170000088
can be determined from $C_{ij}$, and
Figure BDA0002834898170000089
can be determined from $D_{ij}$.
It should be noted that the target time in the sample time period is a time determined according to a preset rule. The service in this embodiment may refer to a program running in the host. Illustratively, the service may be an application program or an operating system program.
Step 303: For each service, determine the network bandwidth occupancy rate vector corresponding to the service and the threat level vector of the preset attack according to the network bandwidth occupancy rate and the preset attack level of each time window in each sample time period.
Specifically, the network bandwidth occupancy vector of service $S_j$ may be expressed as:
Figure BDA0002834898170000091
The threat level vector of the preset attack for service $S_j$ may be expressed as:
Figure BDA0002834898170000092
wherein the elements
Figure BDA0002834898170000093
represent the network bandwidth occupancy of each time window within sample period i. The elements
Figure BDA0002834898170000094
represent the level of the preset attack for each time window within sample time period i, and v denotes the number of time windows within sample period i.
Step 304: For each service, determine the security situation value corresponding to the service at the target time according to the normal access amount vector, the attack occurrence frequency vector and attack severity vector corresponding to the service at the target time, the network bandwidth occupancy rate vector corresponding to the service, and the threat level vector of the preset attack.
Specifically, based on the normal access amount vector, the attack occurrence frequency vector and attack severity vector corresponding to the service at the target time, and the network bandwidth occupancy rate vector and preset attack threat level vector corresponding to the service, all acquired in steps 301 to 303, the security situation value corresponding to the service at the target time may be determined.
Optionally, the security situation value of a service $S_j$ at the target time may be expressed as:
Figure BDA0002834898170000095
Based on the above steps, the security situation value corresponding to each service at the target time can be determined.
Step 305: Determine the network security situation value of each sample time period according to the security situation value corresponding to each service at the target time.
After the security situation value corresponding to each service at the target time is determined, the network security situation value of each sample time period can be determined.
More specifically, step 305 includes steps 3051 through 3053 as follows.
Step 3051: For each host, determine the service layer weight vector corresponding to the host according to the importance levels of the services provided by the host.
Specifically, the service layer weight vector of host $H_k$ may be represented as:
Figure BDA0002834898170000101
where the element
Figure BDA0002834898170000102
represents the normalized importance level of service r running on host $H_k$. $IM_r$ represents the importance level of service r running on host $H_k$.
Step 3052: For each host, determine the security situation value of the host at the target time according to the service layer weight vector corresponding to the host and the security situation values of the services provided by the host at the target time.
Specifically, the security situation value of host $H_k$ at the target time t may be expressed as:
Figure BDA0002834898170000103
In the above formula,
Figure BDA0002834898170000104
represents the service security threat vector of host $H_k$ at the target time t; its elements
Figure BDA0002834898170000105
are the security situation values of service $S_r$ at the target time calculated according to step 304, and $m_k$ is the number of services open on host $H_k$.
That is, for each host, the service security threat vector of the host at the target time may be determined according to the security situation value corresponding to the service provided by the host at the target time. And determining the security situation value of the host at the target moment according to the service layer weight vector corresponding to the host and the service security threat vector of the host at the target moment.
Step 3053: Determine the network security situation value of each sample time period according to the security situation value of each host at the target time.
Optionally, step 3053 includes steps 30531 through 30533 as follows.
Step 30531: Determine the host layer weight vector according to the importance level of each host in the network.
Specifically, the host layer weight vector may be represented as:
Figure BDA0002834898170000106
where the element
Figure BDA0002834898170000111
represents the normalized importance level of host $H_k$ in the local area network. $ST_k$ represents the importance level of host $H_k$ in the network.
Step 30532: Determine the network security situation value at the target time according to the host layer weight vector and the security situation value of each host at the target time.
Specifically, the network security situation value at the target time may be expressed as:
Figure BDA0002834898170000112
Figure BDA0002834898170000113
is the security threat vector of the hosts within the network at the target time; its elements
Figure BDA0002834898170000114
are the security situation values of host $H_l$ at the target time calculated according to step 3052, and n is the number of hosts in the network.
Step 30533: For each sample time period, determine the network security situation value of the sample time period according to the network security situation value of each target time in the sample time period.
Optionally, step 30533 may be: determining the average of the network security situation values of all the target times in the sample time period as the network security situation value of the sample time period. The network security situation value of sample time period i can be expressed by the following formula:
Figure BDA0002834898170000115
RiLand (t) represents the network security situation value of the target time t in the sample time period i, and H is the number of the target times in the sample time i.
Steps 301 to 305 are implemented hierarchically: the security situation value corresponding to each service at the target time is determined first, then the security situation value of each host at the target time, and finally the network security situation value at the target time.
After step 101, network security posture values for each sample time period may be determined.
Step 102: Process the network security situation values of each sample time period according to a preset processing mode to form a network security situation training sample set.
Optionally, step 102 may comprise: arranging the network security situation values of each sample time period according to a time sequence to form an original situation value time sequence sample; sequentially accumulating the time sequence samples of the original situation values to form accumulated time sequence samples of the situation values; and normalizing the elements in the accumulated situation value time sequence samples to obtain a network security situation training sample set.
The original situation value time series samples can be expressed as $\{x^{(0)}(1), x^{(0)}(2), \ldots, x^{(0)}(h)\}$, where $x^{(0)}(i)$ represents the network security situation value of sample time period i. The accumulated situation value time series samples can be expressed as $\{x^{(1)}(1), x^{(1)}(2), \ldots, x^{(1)}(n)\}$, where
Figure BDA0002834898170000121
The network security situation training sample set can be represented as $\{x^{(1)}(1)', x^{(1)}(2)', \ldots, x^{(1)}(n)'\}$, where
Figure BDA0002834898170000122
$x^{(1)}(i)'$ is the ith element in the network security situation training sample set, $x^{(1)}(\max)$ represents the maximum element value in the accumulated situation value time series samples, and $x^{(1)}(\min)$ represents the minimum element value in the accumulated situation value time series samples.
On the one hand, this processing mode includes normalization, which keeps the calculation simple in the subsequent training process and so improves model training efficiency; on the other hand, the original situation value time series samples are sequentially accumulated, which can improve the prediction accuracy of the trained model.
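The bottom-up aggregation of steps 3051 to 30533 and the processing of step 102, together with its inverse, as an added example that is not code from the patent. Because the page's formulas are missing, it assumes that a normalized importance level is the level divided by the sum of levels, that each layer combines weights and values by a dot product, and that the normalization is min-max; the per-service situation values (step 304) are taken as given inputs, and all sample numbers and function names are constructed for illustration.

```python
from itertools import accumulate


def weights(levels):
    """Normalise importance levels so they sum to 1 (assumed: level / sum of levels)."""
    total = sum(levels)
    if total <= 0:
        raise ValueError("importance levels must be positive")
    return [lv / total for lv in levels]


def weighted(levels, values):
    """Assumed combination rule: dot product of weight vector and threat vector."""
    if len(levels) != len(values):
        raise ValueError("one value per importance level is required")
    return sum(w * v for w, v in zip(weights(levels), values))


def network_value(host_levels, service_levels, service_values):
    """Steps 3051-30532: service values -> host values -> network value
    at one target time. service_values[k][r] is the situation value of
    service r on host k (the output of step 304)."""
    hosts = [weighted(im, vals) for im, vals in zip(service_levels, service_values)]
    return weighted(host_levels, hosts)


def period_value(host_levels, service_levels, snapshots):
    """Step 30533: average the network value over the target times of a period."""
    vals = [network_value(host_levels, service_levels, s) for s in snapshots]
    return sum(vals) / len(vals)


def to_training_set(period_values):
    """Step 102: accumulate in time order, then min-max normalise (assumed form).
    Returns the normalised samples plus the (min, max) needed to invert them."""
    cum = list(accumulate(period_values))
    lo, hi = min(cum), max(cum)
    if hi == lo:
        raise ValueError("need at least two distinct accumulated values")
    return [(c - lo) / (hi - lo) for c in cum], lo, hi


def from_model_output(normalised, lo, hi, previous_cum=0.0):
    """Inverse processing: undo the normalisation, then difference the running
    sums to get back per-period situation values."""
    out = []
    for x in normalised:
        cum = x * (hi - lo) + lo
        out.append(cum - previous_cum)
        previous_cum = cum
    return out


# Constructed inputs: two hosts; host 0 runs two services, host 1 runs one.
ST = [3, 1]                      # host importance levels
IM = [[1, 3], [2]]               # service importance levels per host
PERIOD_1 = [                     # two target times within one sample period
    [[4.0, 8.0], [2.0]],
    [[0.0, 4.0], [6.0]],
]

if __name__ == "__main__":
    print(period_value(ST, IM, PERIOD_1))
    print(to_training_set([2.0, 4.0, 1.0, 3.0]))
```

When inverting predictions for the next stage, `previous_cum` is the last accumulated value of the history so that the first difference is taken against it.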
Step 103: Input the network security situation training sample set into an initial SVM model optimized by a PSO algorithm, and acquire the error between each training predicted value and the corresponding actual value.
Specifically, in this embodiment, a Support Vector Machine (SVM) model is used to predict the network situation. The parameters influencing the prediction accuracy of the SVM mainly comprise the penalty factor C, the kernel function width σ and the insensitive loss function ε.
In this embodiment, the SVM model is optimized based on a Particle Swarm Optimization (PSO) algorithm.
The optimization process is described in detail below.
Step 1031: First, set the parameters needed to initialize the particle swarm, mainly the particle positions, velocities and population size, including the position of the initial search point
Figure BDA0002834898170000131
And velocity thereof
Figure BDA0002834898170000132
The population is then iterated according to the following formulas to search for an optimal solution.
Figure BDA0002834898170000133
Figure BDA0002834898170000134
where
Figure BDA00028348981700001311
is the inertia weight, rand() is a random number in the interval 0 to 1, $c_1$ and $c_2$ are the learning factors, $p_{best}$ is the individual optimum value for particle i, and $g_{best}$ is the population optimum.
Figure BDA0002834898170000135
is the velocity of particle i' at time j', and
Figure BDA0002834898170000136
is the position of particle i 'at time j'.
The $p_{best}$ coordinates of each particle are set to its current position, and the corresponding individual extremum (namely the fitness value of the individual extreme point) is calculated. The global extremum (namely the fitness value of the global extreme point) is the best of the particles' individual extrema; the serial number of the particle holding that best individual extremum is recorded, and $g_{best}$ is set to the current position of that best particle.
Step 1032: Evaluate each particle by calculating its fitness value. Substituting
Figure BDA0002834898170000137
into the objective function f gives its fitness value
Figure BDA0002834898170000138
The size of the fitness value
Figure BDA0002834898170000139
measures the quality of
Figure BDA00028348981700001310
If it is better than the current individual extremum of the particle, $p_{best}$ is set to the position of the particle and the individual extremum is updated. If the best of the individual extrema of all the particles is better than the current global extremum, $g_{best}$ is set to the position of that best particle, the serial number of the particle is recorded, and the global extremum is updated.
Step 1033: Update the particles: the velocity and position of each particle are updated with the two formulas in step 1031.
Step 1034: Check whether the end condition is met: if the current iteration number reaches the preset maximum number (or the minimum error requirement is reached), stop the iteration and output the optimal solution; otherwise, return to step 1032.
The optimal solution is the set of parameters for the SVM, for example: the penalty factor C, the kernel function width σ, the insensitive loss function ε, and so on. An initial SVM model is constructed according to the optimal solution.
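Steps 1031 to 1034 as a runnable sketch, added here as an example that is not code from the patent. The update formulas did not survive extraction on this page, so the standard inertia-weight PSO velocity and position update is assumed; the search bounds, the swarm settings, and the `standin_error` surface (a constructed replacement for "train an SVM with these parameters and return its learning error") are also assumptions.

```python
import random

# Search box for [C, sigma, epsilon]; the ranges are assumptions for this sketch.
BOUNDS = [(0.1, 100.0), (0.01, 5.0), (0.001, 1.0)]


def standin_error(params):
    """Constructed stand-in for the SVM learning error, minimal at (10, 0.5, 0.1).

    In a real pipeline this function would train an SVM with the given
    C, sigma and epsilon and return its mean relative training error.
    """
    c, sigma, eps = params
    return ((c - 10.0) / 100.0) ** 2 + (sigma - 0.5) ** 2 + (eps - 0.1) ** 2


def pso_search(fitness, bounds, n_particles=30, max_iter=200, min_error=1e-6,
               w=0.7, c1=1.5, c2=1.5, seed=0):
    """Minimise fitness(position) inside bounds.

    Returns (g_best, g_val, history), where history holds the global
    extremum after initialisation and after every iteration.
    """
    rng = random.Random(seed)
    n = n_particles
    # Step 1031: initialise positions and velocities, then set p_best to the
    # current positions and g_best to the best of the individual extrema.
    pos = [[rng.uniform(lo, hi) for lo, hi in bounds] for _ in range(n)]
    vel = [[0.1 * rng.uniform(lo - hi, hi - lo) for lo, hi in bounds]
           for _ in range(n)]
    p_best = [p[:] for p in pos]
    p_val = [fitness(p) for p in pos]
    best_i = min(range(n), key=p_val.__getitem__)
    g_best, g_val = p_best[best_i][:], p_val[best_i]
    history = [g_val]

    for _ in range(max_iter):
        for i in range(n):
            # Step 1033: velocity and position update (assumed standard form).
            for d, (lo, hi) in enumerate(bounds):
                vel[i][d] = (w * vel[i][d]
                             + c1 * rng.random() * (p_best[i][d] - pos[i][d])
                             + c2 * rng.random() * (g_best[d] - pos[i][d]))
                # Clamp so C, sigma and epsilon stay positive and in range.
                pos[i][d] = min(hi, max(lo, pos[i][d] + vel[i][d]))
            # Step 1032: evaluate the particle and update its individual extremum.
            val = fitness(pos[i])
            if val < p_val[i]:
                p_best[i], p_val[i] = pos[i][:], val
        # Step 1032 (continued): update the global extremum from all p_best.
        best_i = min(range(n), key=p_val.__getitem__)
        if p_val[best_i] < g_val:
            g_best, g_val = p_best[best_i][:], p_val[best_i]
        history.append(g_val)
        # Step 1034: stop early once the minimum error requirement is met.
        if g_val <= min_error:
            break
    return g_best, g_val, history


if __name__ == "__main__":
    best, err, hist = pso_search(standin_error, BOUNDS)
    print("C=%.3f sigma=%.3f epsilon=%.3f error=%.2e after %d iterations"
          % (best[0], best[1], best[2], err, len(hist) - 1))
```

Because the swarm is seeded, repeated runs return the same parameters, which makes a tuning result reproducible when the model is later audited.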
The network security situation training sample set is input into the initial SVM model, and the error between each training predicted value and the corresponding actual value is obtained. The actual value may be data collected from the network.
Let the errors between the h training predicted values and the corresponding actual values be $\varepsilon_1, \varepsilon_2, \ldots, \varepsilon_h$. Let the actual situation value of the i-th network security situation training sample be $x'_i$ and its predicted value be $y'_i$. Then the predicted relative error of this sample
Figure BDA0002834898170000141
can be defined as:
Figure BDA0002834898170000142
Then, the average relative error of the network security situation training sample set, i.e. the learning error of the whole PSO-SVM, is defined as:
Figure BDA0002834898170000143
Step 104: Determine the patch training samples in the training sample set according to the error between each training predicted value and the corresponding actual value.
Specifically, according to the error between each training predicted value and the corresponding actual value, the p network security situation training samples that have a larger influence on the learning error
Figure BDA0002834898170000144
of the initial SVM model are identified and taken as patch training samples. These patch training samples may be arranged from high to low by degree of influence:
$\{x^{(1)}(1)'', x^{(1)}(2)'', \ldots, x^{(1)}(p)''\}$
Step 105: Train the initial SVM model according to the patch training samples to obtain a patch SVM model.
Specifically, the patch training samples obtained in step 104 are divided into q groups, each group containing $q_u$ ($u = 1, 2, \ldots, q$; $q_u < p$) patch training samples. The q groups of patch training samples are represented as follows:
patch 1: $\{x^{(1)}(1)'', x^{(1)}(2)'', \ldots, x^{(1)}(q_1)''\}$
patch 2: $\{x^{(1)}(q_1+1)'', x^{(1)}(q_1+2)'', \ldots, x^{(1)}(q_1+q_2)''\}$
patch q: $\{x^{(1)}(q_{q-1}+1)'', x^{(1)}(q_{q-1}+2)'', \ldots, x^{(1)}(q)''\}$
Based on the idea of patch learning, the patch training samples contained in each patch are input into the initial SVM model for relearning, and only the training data in that patch is used for learning. Starting from the first group of patch training samples, the initial SVM model is trained to obtain a patch SVM model. After each patch SVM model is trained, the patch is removed from the patch pool. Once the patch training samples in all patches have been trained, q patch SVM models are obtained, corresponding to q groups of different optimized parameters:
patch 1: $C_1, \sigma_1, \varepsilon_1$
patch 2: $C_2, \sigma_2, \varepsilon_2$
patch q: $C_q, \sigma_q, \varepsilon_q$
Step 106: Train the initial SVM model according to the remaining normal training samples in the training sample set, other than the patch training samples, to obtain a global SVM model.
In step 106, a global SVM model may be obtained.
It should be noted that there is no timing relationship between step 105 and step 106.
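The sample split behind steps 104 to 106, as an added example that is not code from the patent. The relative-error formula is an image that did not survive on this page, so the common form |x'_i - y'_i| / |x'_i| is assumed; the function names, the choice of p and the group sizes are hypothetical, and the actual and predicted values are constructed.

```python
def relative_errors(actual, predicted):
    """Per-sample relative error, assumed here to be |x'_i - y'_i| / |x'_i|."""
    if len(actual) != len(predicted):
        raise ValueError("actual and predicted must have the same length")
    errors = []
    for x, y in zip(actual, predicted):
        if x == 0:
            # A zero actual value would divide by zero; surface it instead of
            # letting one sample silently dominate the ranking.
            raise ValueError("relative error is undefined for an actual value of 0")
        errors.append(abs(x - y) / abs(x))
    return errors


def learning_error(errors):
    """Average relative error over the whole training sample set."""
    return sum(errors) / len(errors)


def split_patches(errors, p, group_sizes):
    """Pick the p worst-predicted samples and divide them into q patches.

    Returns (patches, normal): patches is a list of q index lists ordered from
    high to low error, normal holds the indices left for the global model.
    """
    h = len(errors)
    if not 0 < p < h:
        raise ValueError("p must leave at least one normal training sample")
    if any(size <= 0 for size in group_sizes) or sum(group_sizes) != p:
        raise ValueError("group sizes must be positive and sum to p")
    # Step 104: rank samples by their contribution to the learning error.
    ranked = sorted(range(h), key=lambda i: errors[i], reverse=True)
    patch_idx = ranked[:p]
    # Step 105: consecutive slices of the ranked list form patch 1 .. patch q.
    patches, start = [], 0
    for size in group_sizes:
        patches.append(patch_idx[start:start + size])
        start += size
    # Step 106: everything else trains the global model.
    chosen = set(patch_idx)
    normal = [i for i in range(h) if i not in chosen]
    return patches, normal


# Constructed situation values and initial-model predictions (not real data).
ACTUAL = [0.50, 0.40, 0.80, 0.25, 0.60, 0.50, 0.20, 0.40]
PREDICTED = [0.52, 0.30, 0.78, 0.35, 0.61, 0.40, 0.21, 0.41]

if __name__ == "__main__":
    errs = relative_errors(ACTUAL, PREDICTED)
    patches, normal = split_patches(errs, p=4, group_sizes=[2, 2])
    print("learning error: %.4f" % learning_error(errs))
    print("patches:", patches, "normal:", normal)
```

Each index list in `patches` feeds one patch model and `normal` feeds the global model, so the two training runs share no samples.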
The patch SVM model and the global SVM model trained by the embodiment can realize the prediction of the network situation.
In one possible implementation, the network key information data comes from network security protection logs and comprises 120 days of data records collected from the power communication network. Two months of logs are used as one group of data; only the data differ between groups, and the process is identical. The data of each day is sampled 3 times, and the network security situation value of each sample time period of the power communication network is generated through step 101, giving a total of 360 network security situation values. The network security situation values of 10 consecutive days are selected at random and processed according to the preset processing mode to serve as the input of the model, the network security situation values of the 11th day are used as the labeling results, and the patch SVM model and the global SVM model are trained through steps 103 to 106. Based on the patch learning idea, the training error is greatly reduced and the performance of the model is improved.
The embodiment provides a model training method, which comprises the following steps: determining a network security situation value of each sample time period according to the network key information data of each sample time period; processing the network security situation values of each sample time period according to a preset processing mode to form a network security situation training sample set; inputting a network security situation training sample set into an initial SVM model optimized by a PSO algorithm, and acquiring errors of each training predicted value and a corresponding actual value; determining patch training samples in a training sample set according to errors of each training predicted value and the corresponding actual value; training the initial SVM model according to the patch training samples to obtain a patch SVM model; and training the initial SVM model according to the remaining normal training samples except the patch training samples in the training sample set to obtain a global SVM model. In the model training method, on one hand, a PSO algorithm is adopted for optimization to form an initial SVM model, training is carried out based on the initial SVM model, the subsequent model training efficiency is improved, and the prediction accuracy of the trained SVM model is higher; on the other hand, based on the patch learning idea, the error of the trained SVM model is greatly reduced, and the performance of the model is improved.
Fig. 4 is a flowchart illustrating a network situation prediction method according to an embodiment of the present invention. The method and the device are suitable for the scene of predicting the network security situation. The embodiment may be implemented by a network situation prediction apparatus, which may be implemented by software and/or hardware, and may be integrated in a computer device. As shown in fig. 4, the network situation prediction method provided in this embodiment includes the following steps:
Step 401: Determine the network security situation value of each historical time period according to the network key information data of each historical time period.
The history time period in the present embodiment is different from the sample time period in step 101 in that: the historical time period is a time period before the prediction time when the network situation is actually predicted; the sample time period is a time period before the training time when the model training is performed. Although the historical time periods are different from the sample time periods, the process of determining the network security situation values of the historical time periods according to the network key information data of the historical time periods is similar to the implementation process and the technical principle of determining the network security situation values of the sample time periods according to the network key information data of the sample time periods, and is not repeated here.
Step 402: Process the network security situation values of the historical time periods according to a preset processing mode to form a network security situation history set.
Step 402 is similar to the implementation process and technical principle of step 102, and is not described herein again.
Step 403: Determine a target SVM model corresponding to the network security situation history set.
The target SVM model is a patch SVM model or a global SVM model obtained by using a model training method in the embodiment and various optional implementation manners shown in fig. 1.
Optionally, the target SVM model corresponding to the network security situation history set may be determined based on a preset model determination rule according to statistical parameters such as a distribution rule and a size of each network security situation history value in the network security situation history set.
Step 404: Input the network security situation history set into the target SVM model to obtain the network security situation prediction set of the next stage output by the target SVM model.
Optionally, the network security situation prediction set includes network security situation prediction values for a plurality of future time periods.
Step 405: Process the network security situation prediction set of the next stage according to the inverse of the preset processing mode to obtain the final prediction set of the network security situation of the next stage.
Optionally, the preset processing mode is sequential accumulation processing and normalization processing. Step 405 may specifically include the following steps: performing reverse normalization on the elements in the network security situation prediction set of the next stage to obtain a network security situation prediction set after reverse normalization; and sequentially performing successive subtraction on the elements in the network security situation prediction set after reverse normalization to obtain the final prediction set of the network security situation of the next stage. This is formulated as follows:
$$x^{(1)}(i'') = x^{(1)}(i'')' \times \left(x^{(1)}(\max') - x^{(1)}(\min')\right) + x^{(1)}(\min')$$
$$x^{(0)}(i''+1) = x^{(1)}(i''+1) - x^{(1)}(i''), \quad i'' = 1, 2, \ldots, h$$
where $x^{(1)}(i'')'$ represents the i''-th predicted value in the network security situation prediction set; $x^{(1)}(i'')$ represents the i''-th predicted value in the network security situation prediction set after reverse normalization; $x^{(1)}(\max')$ represents the maximum value in the network security situation prediction set; $x^{(1)}(\min')$ represents the minimum value in the network security situation prediction set; and $x^{(0)}(i''+1)$ represents the (i''+1)-th element value in the final prediction set of the network security situation. After the network security situation prediction set after reverse normalization is obtained, the value obtained by subtracting the previous element from the next element is used as the final predicted value of the network security situation at the position of the next element, forming the final prediction set of the network security situation of the next stage. h represents the number of elements in the final prediction set of the network security situation.
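The preset processing mode and its inverse from step 405, as an added round-trip example that is not code from the patent. The function names are hypothetical, the sample values are constructed, and the sketch assumes that the minimum and maximum recorded during normalization are kept and passed to the reverse normalization, and that the last accumulated history value is supplied so the first predicted element can be differenced.

```python
from itertools import accumulate


def forward_transform(raw):
    """Sequential accumulation followed by min-max normalization.

    Returns (normalized, lo, hi); lo and hi must be stored with the model
    because the inverse step cannot be computed without them.
    """
    if not raw:
        raise ValueError("empty situation value series")
    acc = list(accumulate(raw))
    lo, hi = min(acc), max(acc)
    if hi == lo:
        # All accumulated values equal (for example an all-zero series):
        # min-max normalization would divide by zero.
        raise ValueError("constant accumulated series cannot be normalized")
    return [(v - lo) / (hi - lo) for v in acc], lo, hi


def inverse_transform(normalized, lo, hi, prev_accumulated=0.0):
    """Reverse normalization, then successive subtraction.

    prev_accumulated is the accumulated value that precedes the first element:
    0.0 when inverting a whole series, or the last accumulated history value
    when inverting a prediction set for the next stage.
    """
    acc = [v * (hi - lo) + lo for v in normalized]
    out, prev = [], prev_accumulated
    for v in acc:
        out.append(v - prev)  # x0(i+1) = x1(i+1) - x1(i)
        prev = v
    return out


# Constructed situation values for five historical time periods.
HISTORY = [0.40, 0.50, 0.30, 0.60, 0.20]
# Constructed model output for the next two periods, in normalized units.
# Values above 1.0 are expected: the accumulated series keeps growing.
PREDICTED_NORMALIZED = [1.25, 1.5]

if __name__ == "__main__":
    norm, lo, hi = forward_transform(HISTORY)
    print("normalized history:", [round(v, 4) for v in norm])
    print("round trip:", [round(v, 4) for v in inverse_transform(norm, lo, hi)])
    forecast = inverse_transform(PREDICTED_NORMALIZED, lo, hi, prev_accumulated=hi)
    print("final prediction set:", [round(v, 4) for v in forecast])
```

Since the situation values are non-negative, the accumulated series never decreases, so the last accumulated history value equals `hi` and normalized predictions for the next stage fall above 1.0 rather than inside the training range.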
After the final prediction set of the network security situation at the next stage is determined, corresponding processing and prevention work can be carried out according to the final prediction set of the network security situation so as to improve the overall performance of the network.
The embodiment of the invention provides a network situation prediction method, which comprises the following steps: determining a network security situation value of each historical time period according to the network key information data of each historical time period; processing the network security situation values of all historical time periods according to a preset processing mode to form a network security situation historical set; determining a target SVM model corresponding to the network security situation history set; inputting the network security situation history set into a target SVM model to obtain a network security situation prediction set of the next stage output by the target SVM model; and processing the network security situation prediction set of the next stage according to a preset inverse processing mode of the processing mode to obtain a final prediction set of the network security situation of the next stage. The network situation prediction method can realize accurate and efficient network situation prediction.
Fig. 5 is a schematic structural diagram of a model training apparatus according to an embodiment of the present invention. As shown in fig. 5, the model training apparatus provided in this embodiment includes the following modules: a first determination module 51, a second determination module 52, an acquisition module 53, a third determination module 54, a first training module 55, and a second training module 56.
The first determining module 51 is configured to determine a network security situation value of each sample time period according to the network key information data of each sample time period.
Optionally, the first determining module 51 is specifically configured to: determining a normal access vector according to the normal average access in each sample time period; for each service, determining an attack occurrence frequency vector and an attack severity vector corresponding to the service at a target time according to the severity and occurrence frequency of various attacks on the service from the target time to the next time in each sample time period, wherein the time interval between the next time and the target time is a preset time; for each service, determining a network bandwidth occupancy rate vector corresponding to the service and a threat level vector of a preset attack according to the network bandwidth occupancy rate and the preset attack level of a time window in each sample time period; aiming at each service, determining a security situation value corresponding to the service at a target moment according to a normal access quantity vector, an attack occurrence frequency vector and an attack severity vector corresponding to the service at the target moment, a network bandwidth occupancy rate vector corresponding to the service and a preset attack threat level vector; and determining the network security situation value of each sample time period according to the security situation value corresponding to each service at the target time.
In the aspect of determining the network security situation value of each sample time period according to the security situation value corresponding to each service at the target time, the first determining module 51 is specifically configured to: for each host, determining a service layer weight vector corresponding to the host according to the importance level of the service provided by the host; for each host, determining a security situation value of the host at a target moment according to a service layer weight vector corresponding to the host and a security situation value corresponding to a service provided by the host at the target moment; and determining the network security situation value of each sample time period according to the security situation value of each host at the target time.
In the aspect of determining the network security situation value of each sample time period according to the security situation value of each host at the target time, the first determining module 51 is specifically configured to: determining a host layer weight vector according to the importance level of each host in the network; determining a network security situation value at a target moment according to the host layer weight vector and the security situation value of each host at the target moment; and determining the network security situation value of the sample time period according to the network security situation value of each target time in the sample time period aiming at each sample time period.
In an aspect of determining, for each sample time period, a network security situation value of the sample time period according to the network security situation value of each target time in the sample time period, the first determining module 51 is specifically configured to: and determining the average value of the network security situation values of all the target moments in the sample time period as the network security situation value of the sample time period.
The second determining module 52 is configured to process the network security situation values of each sample time period according to a preset processing manner, so as to form a network security situation training sample set.
Optionally, the second determining module 52 is specifically configured to: arranging the network security situation values of each sample time period according to a time sequence to form an original situation value time sequence sample; sequentially accumulating the time sequence samples of the original situation values to form accumulated time sequence samples of the situation values; and normalizing the elements in the accumulated situation value time sequence samples to obtain a network security situation training sample set.
The obtaining module 53 is configured to input the network security situation training sample set into an initial SVM model optimized by a PSO algorithm, and obtain an error between each training predicted value and a corresponding actual value.
The third determining module 54 is configured to determine patch training samples in the training sample set according to errors between each training predicted value and the corresponding actual value.
The first training module 55 is configured to train the initial SVM model according to the patch training samples to obtain a patch SVM model.
The second training module 56 is configured to train the initial SVM model according to the remaining normal training samples in the training sample set except the patch training samples, so as to obtain a global SVM model.
The model training device provided by the embodiment of the invention can execute the model training method provided by any embodiment of the invention, and has corresponding functional modules and beneficial effects of the execution method.
Fig. 6 is a schematic structural diagram of a network situation prediction apparatus according to an embodiment of the present invention. As shown in fig. 6, the network situation prediction apparatus provided in this embodiment includes the following modules: a fourth determination module 61, a fifth determination module 62, a sixth determination module 63, a seventh determination module 64, and an eighth determination module 65.
The fourth determining module 61 is configured to determine the network security situation value of each historical time period according to the network key information data of each historical time period.
The fifth determining module 62 is configured to process the network security situation values of each historical time period according to a preset processing manner, so as to form a network security situation history set.
The sixth determining module 63 is configured to determine a target SVM model corresponding to the network security situation history set.
The target SVM model is a patch SVM model or a global SVM model obtained by using a model training method in the embodiment and various optional implementation manners shown in fig. 1.
The seventh determining module 64 is configured to input the network security situation history set into the target SVM model, so as to obtain a network security situation prediction set of a next stage output by the target SVM model.
The eighth determining module 65 is configured to process the network security situation prediction set at the next stage according to a reverse processing manner of the preset processing manner, so as to obtain a final prediction set of the network security situation at the next stage.
Optionally, the preset processing mode is sequential accumulation processing and normalization processing. The eighth determining module 65 is specifically configured to: performing reverse normalization on elements in the network security situation prediction set of the next stage to obtain a network security situation prediction set after reverse normalization; and sequentially carrying out accumulation and subtraction on elements in the network security situation prediction set after the reverse normalization to obtain a network security situation final prediction set of the next stage.
The network situation prediction device provided by the embodiment of the invention can execute the network situation prediction method provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
Fig. 7 is a schematic structural diagram of a computer device according to an embodiment of the present invention. As shown in fig. 7, the computer device includes a processor 70 and a memory 71. The number of the processors 70 in the computer device may be one or more, and one processor 70 is taken as an example in fig. 7; the processor 70 and the memory 71 of the computer device may be connected by a bus or other means, as exemplified by the bus connection in fig. 7.
The memory 71 is used as a computer-readable storage medium and can be used for storing software programs, computer-executable programs, and modules, such as program instructions and modules corresponding to the model training method in the embodiment of the present invention (for example, the first determining module 51, the second determining module 52, the obtaining module 53, the third determining module 54, the first training module 55, and the second training module 56 in the model training device, or the fourth determining module 61, the fifth determining module 62, the sixth determining module 63, the seventh determining module 64, and the eighth determining module 65 in the network situation prediction device). The processor 70 executes various functional applications of the computer device and the model training method, i.e., implements the model training method or the network situation prediction method described above, by executing software programs, instructions, and modules stored in the memory 71.
The memory 71 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created according to use of the computer device, and the like. Further, the memory 71 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some embodiments, the memory 71 may further include memory located remotely from the processor 70, which may be connected to a computer device over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The present invention also provides a storage medium containing computer-executable instructions which, when executed by a computer processor, perform a method of model training, the method comprising:
determining a network security situation value of each sample time period according to the network key information data of each sample time period;
processing the network security situation values of each sample time period according to a preset processing mode to form a network security situation training sample set;
inputting the network security situation training sample set into an initial Support Vector Machine (SVM) model optimized by a Particle Swarm Optimization (PSO) algorithm to obtain errors between each training predicted value and a corresponding actual value;
determining patch training samples in the training sample set according to the error between each training predicted value and the corresponding actual value;
training an initial SVM model according to the patch training samples to obtain a patch SVM model;
and training the initial SVM model according to the remaining normal training samples in the training sample set except the patch training samples to obtain a global SVM model.
Of course, the storage medium provided by the embodiments of the present invention contains computer-executable instructions, and the computer-executable instructions are not limited to the operations of the method described above, and may also perform related operations in the model training method provided by any embodiments of the present invention.
The present invention also provides a storage medium containing computer-executable instructions which, when executed by a computer processor, perform a method of network situational prediction, the method comprising:
determining a network security situation value of each historical time period according to the network key information data of each historical time period;
processing the network security situation values of the historical time periods according to a preset processing mode to form a network security situation historical set;
determining a target SVM model corresponding to the network security situation history set; the target SVM model is a patch SVM model or a global SVM model obtained by adopting a model training method in the embodiment and various optional implementation manners shown in FIG. 1;
inputting the network security situation history set into the target SVM model to obtain a network security situation prediction set of a next stage output by the target SVM model;
and processing the network security situation prediction set of the next stage according to a preset inverse processing mode to obtain a final prediction set of the network security situation of the next stage.
Of course, the storage medium containing the computer-executable instructions provided by the embodiments of the present invention is not limited to the method operations described above, and may also perform related operations in the network situation prediction method provided by any embodiment of the present invention.
From the above description of the embodiments, it is obvious for those skilled in the art that the present invention can be implemented by software and necessary general hardware, and certainly, can also be implemented by hardware, but the former is a better embodiment in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which may be stored in a computer-readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a FLASH Memory (FLASH), a hard disk or an optical disk of a computer, and includes several instructions for enabling a computer device (which may be a personal computer, a computer device, or a network device) to execute the model training method according to the embodiments of the present invention.
It should be noted that, in the embodiment of the model training apparatus or the network situation prediction apparatus, each unit and each module included in the embodiment are only divided according to functional logic, but are not limited to the above division as long as the corresponding function can be implemented; in addition, specific names of the functional units are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present invention.
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (10)

1. A method of model training, comprising:
determining a network security situation value of each sample time period according to the network key information data of each sample time period;
processing the network security situation values of each sample time period according to a preset processing mode to form a network security situation training sample set;
inputting the network security situation training sample set into an initial Support Vector Machine (SVM) model optimized by a Particle Swarm Optimization (PSO) algorithm to obtain errors between each training predicted value and a corresponding actual value;
determining patch training samples in the training sample set according to the error between each training predicted value and the corresponding actual value;
training an initial SVM model according to the patch training samples to obtain a patch SVM model;
and training the initial SVM model according to the remaining normal training samples in the training sample set except the patch training samples to obtain a global SVM model.
2. The method according to claim 1, wherein the determining the network security situation value of each sample time period according to the network key information data of each sample time period comprises:
determining a normal access vector according to the normal average access in each sample time period;
for each service, determining an attack occurrence frequency vector and an attack severity vector corresponding to the service at a target moment according to the severity and occurrence frequency of various attacks on the service from the target moment to the next moment in each sample time period; wherein, the time interval between the next moment and the target moment is a preset moment;
for each service, determining a network bandwidth occupancy rate vector corresponding to the service and a threat level vector of a preset attack according to the network bandwidth occupancy rate and the preset attack level of a time window in each sample time period;
aiming at each service, determining a security situation value corresponding to the service at a target moment according to a normal access quantity vector, an attack occurrence frequency vector and an attack severity vector corresponding to the service at the target moment, a network bandwidth occupancy rate vector corresponding to the service and a preset attack threat level vector;
and determining the network security situation value of each sample time period according to the security situation value corresponding to each service at the target time.
3. The method according to claim 2, wherein the determining the network security posture value of each sample time period according to the security posture value corresponding to each service at the target time comprises:
for each host, determining a service layer weight vector corresponding to the host according to the importance level of the service provided by the host;
for each host, determining a security situation value of the host at a target moment according to a service layer weight vector corresponding to the host and a security situation value corresponding to a service provided by the host at the target moment;
and determining the network security situation value of each sample time period according to the security situation value of each host at the target time.
4. The method according to claim 3, wherein the determining the network security situation value of each sample time period according to the security situation value of each host at the target time comprises:
determining a host layer weight vector according to the importance level of each host in the network;
determining a network security situation value at a target moment according to the host layer weight vector and the security situation value of each host at the target moment;
and for each sample time period, determining the network security situation value of the sample time period according to the network security situation value of each target time in the sample time period.
5. The method according to claim 4, wherein the determining the network security situation value of the sample time period according to the network security situation value of each target time in the sample time period comprises:
and determining the average value of the network security situation values of all target moments in the sample time period as the network security situation value of the sample time period.
6. The method according to any one of claims 1 to 5, wherein the processing the network security situation values of the respective sample time periods according to a preset processing manner to form a network security situation training sample set comprises:
arranging the network security situation values of each sample time period according to a time sequence to form an original situation value time sequence sample;
sequentially accumulating the original situation value time sequence samples to form accumulated situation value time sequence samples;
and normalizing the elements in the accumulated situation value time sequence samples to obtain the network security situation training sample set.
7. A method for predicting network situation, comprising:
determining a network security situation value of each historical time period according to the network key information data of each historical time period;
processing the network security situation values of the historical time periods according to a preset processing mode to form a network security situation historical set;
determining a target SVM model corresponding to the network security situation history set; the target SVM model is a patch SVM model or a global SVM model obtained by the model training method according to any one of claims 1 to 6;
inputting the network security situation history set into the target SVM model to obtain a network security situation prediction set of a next stage output by the target SVM model;
and processing the network security situation prediction set of the next stage according to a preset inverse processing mode to obtain a final prediction set of the network security situation of the next stage.
8. The method according to claim 7, wherein the preset processing mode is sequential accumulation processing and normalization processing;
the processing the network security situation prediction set of the next stage according to the inverse processing mode of the preset processing mode to obtain the final prediction set of the network security situation of the next stage includes:
performing reverse normalization on elements in the network security situation prediction set of the next stage to obtain a network security situation prediction set after reverse normalization;
and sequentially subtracting elements in the network security situation prediction set after the reverse normalization to obtain the network security situation final prediction set of the next stage.
9. A computer device, characterized in that the computer device comprises:
one or more processors;
a memory for storing one or more programs;
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-8.
10. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the method according to any one of claims 1 to 8.
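The layered aggregation of claims 3 to 5 (service values to host value, host values to network value, network values to a period value) can be illustrated as follows. This is an added example, not code from the patent: the claims only say each value is determined "according to" a weight vector, so the weighted sum with importance levels scaled to sum to 1 is an assumption, and the topology and per-service values are constructed.

```python
def weights(levels):
    """Scale importance levels so they sum to 1 (assumed weighting scheme)."""
    total = sum(levels)
    if total <= 0:
        raise ValueError("importance levels must sum to a positive number")
    return [level / total for level in levels]


def weighted(levels, values):
    """Weighted sum of values, one importance level per value."""
    if len(levels) != len(values):
        raise ValueError("one importance level is required per value")
    return sum(w * v for w, v in zip(weights(levels), values))


def host_value(host):
    """Claim 3: service-layer weights applied to the host's service values."""
    return weighted(host["service_levels"], host["service_values"])


def network_value(hosts):
    """Claim 4: host-layer weights applied to every host value at one moment."""
    return weighted([h["level"] for h in hosts], [host_value(h) for h in hosts])


def period_value(moments):
    """Claim 5: mean of the network values over the period's target moments."""
    return sum(network_value(hosts) for hosts in moments) / len(moments)


def snapshot(http, ssh, sql):
    """Constructed topology: a web host (level 3) and a database host (level 1)."""
    return [
        {"level": 3, "service_levels": [2, 1], "service_values": [http, ssh]},
        {"level": 1, "service_levels": [1], "service_values": [sql]},
    ]


# Constructed per-service situation values at two target moments.
MOMENTS = [snapshot(0.6, 0.3, 0.2), snapshot(0.9, 0.3, 0.4)]

if __name__ == "__main__":
    for i, hosts in enumerate(MOMENTS, 1):
        print(f"moment {i}: network value {network_value(hosts):.3f}")
    print(f"period value: {period_value(MOMENTS):.3f}")
```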
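Claims 6 and 8 describe a transform and its inverse; the example below, added here and not taken from the patent, shows that the inverse only works if the scaling bounds and the last accumulated value of the history set are carried forward. Assumptions: min-max scaling stands in for the unspecified normalization, the situation values are constructed, and the hypothetical `standin_predict` (linear continuation) replaces the trained SVM model of claim 7.

```python
from itertools import accumulate


def forward(values):
    """Claim 6: time-ordered values -> running sums -> scaled to [0, 1]."""
    cum = list(accumulate(values))
    lo, hi = min(cum), max(cum)
    if hi == lo:
        raise ValueError("min-max scaling needs two distinct accumulated values")
    scaled = [(c - lo) / (hi - lo) for c in cum]
    # State the inverse step cannot work without.
    return scaled, {"lo": lo, "hi": hi, "last_cum": cum[-1]}


def inverse(scaled, state):
    """Claim 8: undo the scaling, then subtract each element's predecessor."""
    span = state["hi"] - state["lo"]
    cum = [s * span + state["lo"] for s in scaled]
    out, prev = [], state["last_cum"]
    for c in cum:
        out.append(c - prev)
        prev = c
    return out


def standin_predict(scaled, steps):
    """Hypothetical stand-in for the trained SVM: continue the last slope."""
    slope = scaled[-1] - scaled[-2]
    return [scaled[-1] + slope * k for k in range(1, steps + 1)]


# Constructed situation values for five consecutive historical periods.
HISTORY = [0.30, 0.45, 0.40, 0.60, 0.55]


def forecast(history, steps):
    """History -> claim 6 transform -> predictor -> claim 8 inverse."""
    scaled, state = forward(history)
    return inverse(standin_predict(scaled, steps), state)


if __name__ == "__main__":
    scaled, state = forward(HISTORY)
    print("scaled history:", [round(s, 3) for s in scaled])
    print("forecast:", [round(v, 3) for v in forecast(HISTORY, 2)])
```

The predicted scaled values exceed 1 because the accumulated series keeps growing past the history maximum. A predictor that clips its output to [0, 1] would therefore flatten every forecast to zero after the inverse step.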
CN202011474986.8A 2020-12-14 2020-12-14 Model training method, network situation prediction method, device, equipment and medium Active CN112653680B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011474986.8A CN112653680B (en) 2020-12-14 2020-12-14 Model training method, network situation prediction method, device, equipment and medium

Publications (2)

Publication Number Publication Date
CN112653680A (en) 2021-04-13
CN112653680B (en) 2022-04-12

Family

ID=75354865

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011474986.8A Active CN112653680B (en) 2020-12-14 2020-12-14 Model training method, network situation prediction method, device, equipment and medium

Country Status (1)

Country Link
CN (1) CN112653680B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114037145A (en) * 2021-11-05 2022-02-11 Hebei Normal University Network security situation prediction method and system
CN115567300A (en) * 2022-09-27 2023-01-03 Strategic Assessment and Consultation Center, Academy of Military Sciences of the Chinese People's Liberation Army Data processing method and device for network security analysis

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107786369A (en) * 2017-09-26 2018-03-09 Electric Power Dispatching Control Center of Guangdong Power Grid Co., Ltd. Based on the perception of IRT step analyses and LSTM powerline network security postures and Forecasting Methodology
CN108280462A (en) * 2017-12-11 2018-07-13 Beijing Sankuai Online Technology Co., Ltd. A kind of model training method and device, electronic equipment
CN109816204A (en) * 2018-12-25 2019-05-28 Nanjing University of Science and Technology A kind of safety of subway operation Tendency Prediction method based on GA-SVM
US20190251479A1 (en) * 2018-02-09 2019-08-15 Cisco Technology, Inc. Detecting dataset poisoning attacks independent of a learning algorithm
CN110380897A (en) * 2019-07-04 2019-10-25 Hubei Yangzhong Jushi Information Technology Co., Ltd. Network security situation awareness model and method based on improved BP
CN111340192A (en) * 2020-02-28 2020-06-26 Tencent Technology (Shenzhen) Co., Ltd. Network path allocation model training method, path allocation method and device
CN111931826A (en) * 2020-07-20 2020-11-13 South China University of Technology Rolling bearing fault diagnosis method and system based on multi-scale convolution migration model

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Sun Weixi: "Research on the Application of SVM-PSO in Network Security Situation Prediction", Information Technology *

Also Published As

Publication number Publication date
CN112653680B (en) 2022-04-12

Similar Documents

Publication Publication Date Title
JP7183385B2 (en) Node classification method, model training method, and its device, equipment and computer program
CN110417721B (en) Security risk assessment method, device, equipment and computer readable storage medium
CN109067773B (en) Vehicle-mounted CAN network intrusion detection method and system based on neural network
CN112653680B (en) Model training method, network situation prediction method, device, equipment and medium
CN108881250B (en) Power communication network security situation prediction method, device, equipment and storage medium
Madbouly et al. Relevant feature selection model using data mining for intrusion detection system
CN110162958B (en) Method, apparatus and recording medium for calculating comprehensive credit score of device
CN113067804A (en) Network attack detection method and device, electronic equipment and storage medium
Kholidy et al. Attack prediction models for cloud intrusion detection systems
Ghalehgolabi et al. Intrusion detection system using genetic algorithm and data mining techniques based on the reduction
CN114944939B (en) Network attack situation prediction model construction method, device, equipment and storage medium
CN113822355A (en) Composite attack prediction method and device based on improved hidden Markov model
CN109636212B (en) Method for predicting actual running time of job
CN114037145B (en) Network security situation prediction method and system
CN117176482B (en) Big data network safety protection method and system
CN110166422A (en) Domain name Activity recognition method, apparatus, readable storage medium storing program for executing and computer equipment
Awad et al. Addressing imbalanced classes problem of intrusion detection system using weighted extreme learning machine
CN111159481B (en) Edge prediction method and device for graph data and terminal equipment
CN110290101B (en) Deep trust network-based associated attack behavior identification method in smart grid environment
CN116846612A (en) Attack chain completion method and device, electronic equipment and storage medium
CN115102779B (en) Prediction model training and access request decision method, device and medium
CN110766338A (en) DPOS (distributed data processing) bifurcation prediction model method based on artificial intelligence and EOS (Ethernet over Ethernet) and IO (input/output) of block chain technology
CN112242973A (en) DDoS attack detection method, device, computing equipment and computer storage medium
CN114615056B (en) Tor malicious flow detection method based on robust learning
CN116155626B (en) Complex network attack detection method based on cross-host abnormal behavior recognition

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant