CN116436700B - Monitoring method and system for network security event - Google Patents

Monitoring method and system for network security event Download PDF

Info

Publication number
CN116436700B
Authority
CN
China
Prior art keywords
network security
feature
security event
training
network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202310678207.3A
Other languages
Chinese (zh)
Other versions
CN116436700A (en)
Inventor
李小强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Zhongke Network Core Technology Co ltd
Original Assignee
Beijing Zhongke Network Core Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Zhongke Network Core Technology Co ltd
Priority to CN202310678207.3A
Publication of CN116436700A
Application granted
Publication of CN116436700B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/241 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G06F18/2415 Classification techniques relating to the classification model based on parametric or probabilistic models, e.g. based on likelihood ratio or false acceptance rate versus a false rejection rate
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/044 Recurrent networks, e.g. Hopfield networks
    • G06N3/0442 Recurrent networks characterised by memory or gating, e.g. long short-term memory [LSTM] or gated recurrent units [GRU]
    • G06N3/045 Combinations of networks
    • G06N3/0455 Auto-encoder networks; Encoder-decoder networks
    • G06N3/0464 Convolutional networks [CNN, ConvNet]
    • G06N3/047 Probabilistic or stochastic networks
    • G06N3/048 Activation functions
    • G06N3/08 Learning methods
    • G06N3/084 Backpropagation, e.g. using gradient descent
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for detecting or protecting against malicious traffic
    • H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • General Engineering & Computer Science (AREA)
  • Evolutionary Computation (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Artificial Intelligence (AREA)
  • Computing Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Molecular Biology (AREA)
  • Software Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • Biophysics (AREA)
  • Computational Linguistics (AREA)
  • Computer Security & Cryptography (AREA)
  • Probability & Statistics with Applications (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Evolutionary Biology (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Computer Hardware Design (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The application discloses a method and a system for monitoring network security events. First, network security event history data is passed through a network security event feature extractor to obtain a plurality of network security event semantic feature vectors. These vectors are arranged into a matrix and passed through an inter-event correlation feature extractor to obtain a network security event correlation feature matrix, which a spatial attention module then turns into a network security event correlation-enhanced feature matrix. Network security online data is passed through the same feature extractor to obtain a network security online feature vector, and the product of this vector and the correlation-enhanced feature matrix gives a classification feature vector. Finally, a classifier maps the classification feature vector to a classification result indicating whether a network security alarm prompt is generated. In this way, the level of network security may be increased.

Description

Monitoring method and system for network security event
Technical Field
The present application relates to the field of network communication security, and more particularly, to a method and system for monitoring network security events.
Background
With the advent of the digital age, network security issues have become increasingly important. Security events such as malicious attacks and data leakage pose a serious threat to personal life and property and to enterprise operations. Therefore, in the field of network communication security, how to monitor network security events rapidly and accurately is a focus of research.
The traditional network security monitoring method is mainly based on threshold-triggered early warning. In practice, however, the threshold that triggers the early warning is usually set statically, so it is difficult to adapt to complex network environments and to many different types of attack, and the accuracy of monitoring network security events is therefore not high. In addition, in existing network security event monitoring schemes the threshold parameters must be adjusted manually, which relies excessively on human experience, cannot meet the required degree of intelligence in network security event response, and cannot keep up with an increasingly severe network security situation.
Accordingly, an optimized network security event monitoring scheme is desired.
Disclosure of Invention
In view of the above, the invention discloses a method and a system for monitoring network security events, which can accurately monitor network security in real time and give an alarm to abnormal data of the network security so as to help operation and maintenance personnel to find and solve problems in time, improve the intelligent degree of network security event response and further improve the network security protection level.
According to an aspect of the disclosure, there is provided a method for monitoring a network security event, including: acquiring network security event history data and network security online data; passing each network security event in the network security event history data through a network security event feature extractor based on a long short-term memory network model to obtain a plurality of network security event semantic feature vectors; arranging the plurality of network security event semantic feature vectors into a two-dimensional feature matrix and passing the two-dimensional feature matrix through an inter-network-security-event correlation feature extractor based on a convolutional neural network model to obtain an inter-network-security-event correlation feature matrix; passing the inter-network-security-event correlation feature matrix through a spatial attention module to obtain an inter-network-security-event correlation strengthening feature matrix; passing the network security online data through the same network security event feature extractor based on the long short-term memory network model to obtain a network security online feature vector; taking the network security online feature vector as a query feature vector and calculating the product between the network security online feature vector and the correlation strengthening feature matrix to obtain a classification feature vector; and passing the classification feature vector through a classifier to obtain a classification result, wherein the classification result is used for indicating whether a network security alarm prompt is generated.
In one possible implementation, passing each network security event in the network security event history data through the network security event feature extractor based on the long short-term memory network model to obtain the plurality of network security event semantic feature vectors includes: performing word segmentation on each network security event in the network security event history data, and then obtaining a plurality of network security event word feature vectors through the word embedding layer of the feature extractor; and, in each layer of the feature extractor: extracting a first preceding-context (precursor) feature of the current network security event word feature vector through the forward long short-term memory network of that layer; extracting a first following-context (postamble) feature of the current network security event word feature vector through the reverse long short-term memory network of that layer; and obtaining a first intermediate feature vector of the plurality of network security event word feature vectors from the first preceding-context feature and the first following-context feature of each word feature vector, the first intermediate feature vector being the input of the next layer of the feature extractor.
In one possible implementation, arranging the plurality of network security event semantic feature vectors into a two-dimensional feature matrix and then obtaining the inter-network-security-event correlation feature matrix through the inter-network-security-event correlation feature extractor based on the convolutional neural network model includes: in the forward pass of each layer of the extractor, performing convolution, pooling along the channel dimension and nonlinear activation on the input data, so that the last layer of the extractor outputs the inter-network-security-event correlation feature matrix, wherein the input of the first layer of the extractor is the two-dimensional feature matrix.
In one possible implementation, passing the inter-network-security-event correlation feature matrix through the spatial attention module to obtain the inter-network-security-event correlation strengthening feature matrix includes, in the forward pass of each layer of the spatial attention module: convolving the input data to generate a convolution feature map; pooling the convolution feature map to generate a pooled feature map; applying a nonlinear activation to the pooled feature map to generate an activation feature map; taking the mean of the activation feature map along the channel dimension at each position to generate a spatial feature matrix; computing a Softmax-like function value at each position of the spatial feature matrix to obtain a spatial score matrix; and multiplying the spatial feature matrix and the spatial score matrix position by position to obtain a feature matrix. The feature matrix output by the last layer of the spatial attention module is the inter-network-security-event correlation strengthening feature matrix.
In one possible implementation, passing the network security online data through the network security event feature extractor based on the long short-term memory network model to obtain the network security online feature vector includes: performing word segmentation on the network security online data, and then obtaining a plurality of network security online data word feature vectors through the word embedding layer of the feature extractor; and, in each layer of the feature extractor: extracting a second preceding-context feature of the current network security online data word feature vector through the forward long short-term memory network of that layer; extracting a second following-context feature of the current network security online data word feature vector through the reverse long short-term memory network of that layer; and obtaining a second intermediate feature vector of the plurality of network security online data word feature vectors from the second preceding-context feature and the second following-context feature of each word feature vector, the second intermediate feature vector being the input of the next layer of the feature extractor.
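The feature extractor described for the history data and for the online data above is the same bidirectional LSTM: segment the event text into words, embed each word, run a forward LSTM and a reverse LSTM over the embeddings, and concatenate the two per-word states (the "precursor" and "postamble" features). The following plain-Python example, added here and not code from the patent or its assignee, shows that mechanism end to end on constructed log-style events. The embedding width, hidden width, weight initialisation, the hash-seeded embedding standing in for a learned embedding layer, and the mean-over-words pooling that turns per-word features into one event vector are all assumptions; the page only states that a semantic feature vector is obtained per event.

```python
import math
import random

# Added example: a minimal bidirectional LSTM feature extractor in plain Python.
# Dimensions, weights and the pooling step are assumptions, not the patent's values.
EMBED = 4    # word embedding width (assumed)
HIDDEN = 3   # LSTM hidden width per direction (assumed)


def tokenize(event):
    """Word segmentation: lower-case, split on anything that is not alnum or . _ -"""
    tokens, cur = [], ""
    for ch in event.lower():
        if ch.isalnum() or ch in "._-":
            cur += ch
        elif cur:
            tokens.append(cur)
            cur = ""
    if cur:
        tokens.append(cur)
    return tokens


def embed(token):
    """Deterministic stand-in for a learned word embedding layer: the token text
    seeds a PRNG, so the same word always maps to the same vector (assumption)."""
    rng = random.Random(token)
    return [rng.uniform(-1.0, 1.0) for _ in range(EMBED)]


def make_lstm_params(seed):
    """Fixed pseudo-random LSTM weights; rows ordered [input, forget, cell, output]."""
    rng = random.Random(seed)
    rows, cols = 4 * HIDDEN, EMBED + HIDDEN
    w = [[rng.uniform(-0.5, 0.5) for _ in range(cols)] for _ in range(rows)]
    b = [0.0] * rows
    for r in range(HIDDEN, 2 * HIDDEN):   # forget-gate bias of 1.0 (common choice, assumed)
        b[r] = 1.0
    return w, b


def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


def lstm(seq, params):
    """Run one LSTM over an embedded sequence; return the hidden state at every step."""
    w, b = params
    h, c, outs = [0.0] * HIDDEN, [0.0] * HIDDEN, []
    for x in seq:
        z = x + h                                                  # [x_t ; h_{t-1}]
        pre = [sum(wi * zi for wi, zi in zip(row, z)) + bi for row, bi in zip(w, b)]
        i = [sigmoid(v) for v in pre[0:HIDDEN]]                    # input gate
        f = [sigmoid(v) for v in pre[HIDDEN:2 * HIDDEN]]           # forget gate
        g = [math.tanh(v) for v in pre[2 * HIDDEN:3 * HIDDEN]]     # candidate cell
        o = [sigmoid(v) for v in pre[3 * HIDDEN:4 * HIDDEN]]       # output gate
        c = [fk * ck + ik * gk for fk, ck, ik, gk in zip(f, c, i, g)]
        h = [ok * math.tanh(ck) for ok, ck in zip(o, c)]
        outs.append(h)
    return outs


FWD = make_lstm_params(1)   # forward-direction weights (assumed)
BWD = make_lstm_params(2)   # reverse-direction weights (assumed)


def bilstm_tokens(tokens):
    """Per-word feature = forward-context state ++ backward-context state
    (the page's 'precursor' and 'postamble' features for each word)."""
    seq = [embed(t) for t in tokens]
    fwd = lstm(seq, FWD)
    bwd = lstm(seq[::-1], BWD)[::-1]   # run over the reversed sequence, re-align to word order
    return [a + b for a, b in zip(fwd, bwd)]


def event_feature_vector(event):
    """Semantic feature vector for one event: mean of its per-word bidirectional
    features (pooling choice assumed). Empty input yields a zero vector."""
    feats = bilstm_tokens(tokenize(event))
    if not feats:
        return [0.0] * (2 * HIDDEN)
    return [sum(col) / len(feats) for col in zip(*feats)]


if __name__ == "__main__":
    # Constructed sample events (not real logs); each becomes one semantic vector,
    # and stacking them row by row gives the two-dimensional feature matrix the
    # correlation extractor consumes.
    history = [
        "Failed password for root from 10.0.0.5 port 22 ssh2",
        "Accepted publickey for deploy from 10.0.0.9 port 41022 ssh2",
        "POSSIBLE BREAK-IN ATTEMPT from 198.51.100.7",
    ]
    matrix = [event_feature_vector(e) for e in history]
    for e, v in zip(history, matrix):
        print(f"{e[:40]:40s} -> {[round(x, 3) for x in v]}")
```

The forward half of every word's feature depends only on the words before it and the backward half only on the words after it, which is what lets the next stage see ordering information that a bag-of-words embedding would lose.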
In one possible implementation, the method further includes a training step for training the network security event feature extractor based on the long short-term memory network model, the inter-network-security-event correlation feature extractor based on the convolutional neural network model, the spatial attention module, and the classifier.
In one possible implementation, the training step includes: acquiring training data, wherein the training data comprises training network security event history data, training network security online data, and a true value of whether a network security alarm prompt is generated; passing each training network security event in the training network security event history data through the network security event feature extractor based on the long short-term memory network model to obtain a plurality of training network security event semantic feature vectors; arranging the plurality of training network security event semantic feature vectors into a training two-dimensional feature matrix and passing it through the inter-network-security-event correlation feature extractor based on the convolutional neural network model to obtain a training inter-network-security-event correlation feature matrix; passing the training inter-network-security-event correlation feature matrix through the spatial attention module to obtain a training inter-network-security-event correlation strengthening feature matrix; passing the training network security online data through the network security event feature extractor based on the long short-term memory network model to obtain a training network security online feature vector; taking the training network security online feature vector as a query feature vector and calculating the product between the training network security online feature vector and the training correlation strengthening feature matrix to obtain a training classification feature vector; passing the training classification feature vector through the classifier to obtain a classification loss function value; calculating a pseudo-cyclic difference penalty factor of the training classification feature vector and the training network security online feature vector as a pseudo-cyclic difference penalty loss function value; and training the network security event feature extractor based on the long short-term memory network model, the spatial attention module, the inter-network-security-event correlation feature extractor based on the convolutional neural network model and the classifier by back propagation of gradient descent, taking the weighted sum of the classification loss function value and the pseudo-cyclic difference penalty loss function value as the loss function value.
In one possible implementation, passing the training classification feature vector through the classifier to obtain the classification loss function value includes: the classifier processes the training classification feature vector according to a classification formula to obtain a training classification result, the formula being parameterised by a set of weight matrices, a corresponding set of bias vectors, and the training classification feature vector as its input; and calculating a cross entropy value between the training classification result and the true value as the classification loss function value.
In one possible implementation, calculating the pseudo-cyclic difference penalty factor of the training classification feature vector and the training network security online feature vector as the pseudo-cyclic difference penalty loss function value includes: calculating the pseudo-cyclic difference penalty factor of the training classification feature vector and the training network security online feature vector according to a loss formula and taking it as the pseudo-cyclic difference penalty loss function value, wherein the loss formula is expressed in terms of: the training classification feature vector; the training network security online feature vector; a distance matrix between the two vectors and the Frobenius norm of that matrix; the length of the feature vectors; the distance between the two vectors, taken as the two-norm of their difference; a logarithm with base 2; two weighting hyperparameters; and vector subtraction and vector addition.
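The spatial attention module, the query-product step and the classifier with its cross-entropy loss (described above for the method and again for the training step) are small enough to show concretely. The following plain-Python example is added here and is not the patent's code; it starts from an already activated feature map (the convolution, pooling and activation layers that precede the channel mean are assumed to have run) and carries it through channel mean, Softmax scoring, position-wise scaling, the product with the online feature vector, a one-layer softmax classifier and the cross-entropy against the truth label. All sizes, weights and the 0.5 alarm threshold are assumptions, and the pseudo-cyclic difference penalty term is not included because the page does not give its formula.

```python
import math

# Added example (not the patent's code): spatial attention -> query product ->
# softmax classifier -> cross entropy, in plain Python on constructed inputs.
# fmap[c][i][j] is an activated feature map indexed by channel, row, column.


def channel_mean(fmap):
    """Spatial feature matrix: mean over the channel dimension at each position."""
    n_ch, rows, cols = len(fmap), len(fmap[0]), len(fmap[0][0])
    return [[sum(fmap[c][i][j] for c in range(n_ch)) / n_ch for j in range(cols)]
            for i in range(rows)]


def softmax(xs):
    """Numerically stable softmax over a flat list."""
    m = max(xs)
    exps = [math.exp(x - m) for x in xs]
    total = sum(exps)
    return [e / total for e in exps]


def spatial_attention(fmap):
    """Channel mean -> softmax over all positions (the 'Softmax-like' score matrix)
    -> position-wise product of spatial feature matrix and score matrix.
    Returns (enhanced feature matrix, score matrix)."""
    s = channel_mean(fmap)
    rows, cols = len(s), len(s[0])
    flat = softmax([s[i][j] for i in range(rows) for j in range(cols)])
    scores = [flat[i * cols:(i + 1) * cols] for i in range(rows)]
    enhanced = [[s[i][j] * scores[i][j] for j in range(cols)] for i in range(rows)]
    return enhanced, scores


def query_product(query, matrix):
    """Classification feature vector = query^T * matrix, the online feature vector
    acting as the query and the enhanced matrix as the thing it is multiplied with."""
    if len(query) != len(matrix):
        raise ValueError("query length must equal the number of matrix rows")
    return [sum(query[i] * matrix[i][j] for i in range(len(matrix)))
            for j in range(len(matrix[0]))]


def classify(x, weights, bias):
    """One fully connected layer plus softmax; index 0 = no alarm, index 1 = alarm."""
    logits = [sum(w * v for w, v in zip(row, x)) + b for row, b in zip(weights, bias)]
    return softmax(logits)


def cross_entropy(probs, truth):
    """Cross entropy between the predicted distribution and a one-hot truth label."""
    return -math.log(probs[truth])


def alarm_decision(fmap, online_vec, weights, bias, threshold=0.5):
    """Inference tail: attention -> query product -> classifier -> (probs, raise alarm?)."""
    enhanced, _ = spatial_attention(fmap)
    feat = query_product(online_vec, enhanced)
    probs = classify(feat, weights, bias)
    return probs, probs[1] >= threshold


if __name__ == "__main__":
    # Constructed 2-channel 2x2 feature map, constructed 2-element online feature
    # vector and constructed classifier weights (2 classes x 2 inputs).
    fmap = [[[1.0, 3.0], [5.0, 7.0]], [[3.0, 1.0], [7.0, 5.0]]]
    online = [0.2, 0.8]
    w = [[0.5, -0.5], [-0.5, 0.5]]
    b = [0.0, 0.0]
    enhanced, scores = spatial_attention(fmap)
    print("score matrix:", [[round(v, 4) for v in r] for r in scores])
    probs, alarm = alarm_decision(fmap, online, w, b)
    print("P(no alarm), P(alarm) =", [round(p, 4) for p in probs], "-> alarm:", alarm)
    print("training loss if the truth is 'alarm':", round(cross_entropy(probs, 1), 4))
```

Because the scores are a softmax over every position at once, they sum to one across the whole matrix: positions whose channel mean is larger take a larger share and the rest are suppressed, which is the "strengthening" the page refers to. The cross-entropy drops to zero only when the classifier puts all of its mass on the true label, so a confident wrong alarm decision is penalised heavily during training.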
According to another aspect of the present disclosure, there is provided a monitoring system for a network security event, comprising: a data acquisition module for acquiring network security event history data and network security online data; a first network security event feature extraction module for passing each network security event in the network security event history data through a network security event feature extractor based on a long short-term memory network model to obtain a plurality of network security event semantic feature vectors; an inter-network-security-event correlation feature extraction module for arranging the plurality of network security event semantic feature vectors into a two-dimensional feature matrix and then obtaining an inter-network-security-event correlation feature matrix through an inter-network-security-event correlation feature extractor based on a convolutional neural network model; a spatial attention coding module for passing the inter-network-security-event correlation feature matrix through a spatial attention module to obtain an inter-network-security-event correlation strengthening feature matrix; a second network security event feature extraction module for passing the network security online data through the network security event feature extractor based on the long short-term memory network model to obtain a network security online feature vector; a query calculation module for taking the network security online feature vector as a query feature vector and calculating the product between the network security online feature vector and the correlation strengthening feature matrix to obtain a classification feature vector; and a classification module for passing the classification feature vector through a classifier to obtain a classification result, wherein the classification result is used for indicating whether a network security alarm prompt is generated.
According to the embodiment of the disclosure, network security event history data is first passed through a network security event feature extractor to obtain a plurality of network security event semantic feature vectors; these vectors are arranged into a matrix and passed through an inter-network-security-event correlation feature extractor to obtain a network security event correlation feature matrix, which is passed through a spatial attention module to obtain a network security event correlation-enhanced feature matrix; the network security online data is passed through the same network security event feature extractor to obtain a network security online feature vector; the product between the network security online feature vector and the correlation-enhanced feature matrix is calculated to obtain a classification feature vector; and finally the classification feature vector is passed through a classifier to obtain a classification result representing whether a network security alarm prompt is generated. In this way, the level of network security may be increased.
Other features and aspects of the present disclosure will become apparent from the following detailed description of exemplary embodiments, which proceeds with reference to the accompanying drawings.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate exemplary embodiments, features and aspects of the present disclosure and together with the description, serve to explain the principles of the disclosure.
Fig. 1 illustrates an application scenario diagram of a method of monitoring network security events according to an embodiment of the present disclosure.
Fig. 2 shows a flow chart of a method of monitoring network security events in accordance with an embodiment of the present disclosure.
Fig. 3 shows an architecture diagram of a method of monitoring network security events according to an embodiment of the present disclosure.
Fig. 4 shows a flowchart of training steps further included in a method of monitoring a network security event in accordance with an embodiment of the present disclosure.
Fig. 5 shows a block diagram of a monitoring system for network security events in accordance with an embodiment of the present disclosure.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some, but not all embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are also within the scope of the application.
As used in the specification and in the claims, the terms "a," "an," and/or "the" are not limited to the singular but may include the plural, unless the context clearly dictates otherwise. In general, the terms "comprises" and "comprising" merely indicate that the explicitly identified steps and elements are present; they do not constitute an exclusive list, and other steps or elements may be included in a method or apparatus.
A flowchart is used in the present application to describe the operations performed by a system according to embodiments of the present application. It should be understood that the preceding or following operations are not necessarily performed in order precisely. Rather, the various steps may be processed in reverse order or simultaneously, as desired. Also, other operations may be added to or removed from these processes.
Various exemplary embodiments, features and aspects of the present disclosure will be described in detail below with reference to the drawings. In the drawings, like reference numbers indicate identical or functionally similar elements. Although various aspects of the embodiments are illustrated in the accompanying drawings, the drawings are not necessarily drawn to scale unless specifically indicated.
The word "exemplary" is used herein to mean "serving as an example, embodiment, or illustration." Any embodiment described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments.
In addition, numerous specific details are set forth in the following detailed description in order to provide a better understanding of the present disclosure. It will be understood by those skilled in the art that the present disclosure may be practiced without some of these specific details. In some instances, well known methods, procedures, components, and circuits have not been described in detail so as not to obscure the present disclosure.
As described above, when actually performing network security monitoring, the threshold value for triggering the early warning is generally set statically, and is difficult to adapt to a complex network environment and various different types of attacks, so that the accuracy of monitoring network security events is not high. In addition, in the existing network security event monitoring scheme, the threshold value parameter adjustment work needs to be manually carried out, the manual experience is excessively relied on, the requirement of the intelligent degree of the network security event response cannot be met, and meanwhile, the network security event monitoring scheme cannot be adapted to increasingly severe network security situations. Accordingly, an optimized network security event monitoring scheme is desired.
Accordingly, it is considered that, when actually monitoring network security events, the network security event history data helps in understanding the various security events that have occurred in the network and their characteristics: analysis of this data reveals the rules and trends of network security events, identifies high-risk areas and high-risk behaviours, and gives a grasp of the attack techniques and behavioural characteristics of attackers. Network attacks can thus be found and dealt with in time, and the network security protection level can be improved.
Based on this, the technical scheme of the application performs a comprehensive analysis of the network security event history data together with the network security online data for network security monitoring and early warning. However, since the history data contains many network security events, each event must first be understood semantically, so that the rules and trends of the network security events can be analysed from the semantic correlation features between them; and the network security online data carries semantic feature information of its own. The difficulty in this process is therefore how to fully express the correlation between the semantic correlation features of the network security event history data and the semantic understanding features of the network security online data, so as to monitor network security accurately in real time and raise an alarm on abnormal network security data, helping operation and maintenance personnel to find and solve problems in time, improving the degree of intelligence of network security event response, and thereby improving the network security protection level.
In recent years, deep learning and neural networks have been widely used in the fields of computer vision, natural language processing, text signal processing, and the like. Deep learning and development of neural networks provide new solutions and schemes for mining correlation feature information between semantic correlation features of the network security event history data and semantic understanding features of the network security online data.
Specifically, in the technical scheme of the application, network security event history data and network security online data are first acquired. It should be appreciated that the network security event history data and the real-time online data contain the various security events that occur in the network and their characteristic information. Therefore, through analysis of these data, the regularity and trend of network security events can be found, so that high-risk areas and high-risk behaviors can be identified and the various attack means and behavior characteristics of attackers can be mastered. Thus, network attacks can be found and dealt with in time, and the network security protection level can be improved. Meanwhile, according to the result of the historical data analysis, a more accurate and effective network security policy can be formulated and security events that may happen in the future can be predicted, so that the network is better protected.
Then, considering that a plurality of network security events exist in the network security event history data, if the rules and trends of the network security events are to be accurately analyzed and grasped, the semantic association feature information among the network security events needs to be fully captured, and before that, semantic understanding needs to be carried out on each network security event separately. Therefore, in the technical scheme of the application, each network security event in the network security event history data is further subjected to feature mining through a network security event feature extractor based on a long-short-term memory network model, so that the semantic understanding feature information of each network security event is extracted and a plurality of network security event semantic feature vectors are obtained. It should be understood that the Long Short-Term Memory neural network model (LSTM) adopted by the network security event feature extractor updates the weights of the neural network by adding an input gate, an output gate and a forget gate, and the weight scales of different channels can be changed dynamically while the parameters of the network model are fixed, so that the problem of gradient vanishing or gradient explosion can be avoided and the semantic understanding precision of each network security event is improved.
Further, in order to capture the correlation feature information between the semantic features of the individual network security events, so as to accurately grasp the rules and trends of the network security events and thereby identify high-risk areas and high-risk behaviors, in the technical scheme of the application the plurality of network security event semantic feature vectors are arranged into a two-dimensional feature matrix and then passed through an inter-network security event association feature extractor based on a convolutional neural network model to obtain an inter-network security event association feature matrix.
It should be appreciated that in actual network security monitoring, the semantic associations of the individual network security events exhibit different semantic association characteristics between different event types. Therefore, in the technical scheme of the application, the important semantic association features among the network security events need to be expressed in a strengthened manner, so that the accuracy of the subsequent network security early warning is improved. The attention mechanism can select the position of focus and thereby produce a higher-resolution representation of the features, and features that pass through the attention module change adaptively as the network deepens. Based on this, in the technical scheme of the application, the inter-network security event association feature matrix is further passed through a spatial attention module to obtain an inter-network security event association strengthening feature matrix. It should be understood that the association features extracted by the spatial attention module reflect weights of the feature differences in the spatial dimension, so as to suppress or strengthen features at different spatial locations; that is, the spatial attention module can adjust the weights of different regions of the inter-network security event association feature matrix, so that in the subsequent classification task the classifier pays more attention to the regions that contribute most to the classification result, thereby improving the classification accuracy.
Further, since the network security online data also carry contextual semantic association feature information, the network security online data are likewise subjected to semantic feature mining in the network security event feature extractor based on the long-short-term memory network model, so as to extract the contextual semantic association feature information based on short- and medium-range dependency associations in the network security online data, and thus a network security online feature vector is obtained.
And then, taking the network security online feature vector as a query feature vector, calculating the product between the network security online feature vector and the network security event association strengthening feature matrix, and mapping the network security online feature vector into a high-dimensional feature space of the network security event association strengthening feature matrix, thereby obtaining a classification feature vector for representing association feature information between semantic association features of the network security event historical data and semantic understanding features of the network security online data, namely, semantic feature information about the network security online data under the background of the semantic association features of each network security event in the network security event historical data.
Then, the classification feature vector is further classified in a classifier to obtain a classification result indicating whether a network security alarm prompt is generated. That is, in the technical solution of the present application, the classification labels of the classifier are "generate a network security alarm prompt" (first label) and "do not generate a network security alarm prompt" (second label), and the classifier determines which classification label the classification feature vector belongs to through a softmax function. It should be noted that the first label p1 and the second label p2 do not encode a manually defined concept; in fact, during training the computer model has no notion of "whether to generate a network security alarm prompt", these are merely two classification labels, and the output is the probability of the feature under each of the two labels, so that the sum of p1 and p2 is one. Therefore, the classification result of whether to generate the network security alarm prompt is actually converted, through the classification labels, into a classification probability distribution that conforms to a natural rule, and what is used is essentially the physical meaning of the natural probability distribution of the labels rather than the linguistic meaning of whether to generate the network security alarm prompt.
It should be understood that, in the technical scheme of the application, the classification label of the classifier is a control strategy label for generating a network security alarm prompt, so that after the classification result is obtained, the real-time accurate monitoring of the network security can be performed based on the classification result, and the alarm prompt is performed on the network security abnormal data, so as to help operation and maintenance personnel to find and solve the problem in time, and improve the intelligent degree of the response of the network security event.
In particular, in the technical scheme of the application, when the network security online feature vector is taken as a query feature vector and its product with the inter-network security event association strengthening feature matrix is calculated to obtain the classification feature vector, the spatially strengthened inter-sample, inter-feature and intra-sample association features of the network security event semantic features expressed by the inter-network security event association strengthening feature matrix are mapped into the bidirectional, process-wise, long-range data semantic association feature space of the network security online data expressed by the network security online feature vector, so as to obtain the classification feature vector. However, because the network security online feature vector and the inter-network security event association strengthening feature matrix differ in feature order and expression dimension, a distribution imbalance may exist between the classification feature vector obtained by this mapping and the feature distribution of the network security online feature vector, which affects the expression effect of the classification feature vector and hence the accuracy of the classification result obtained from the classification feature vector through the classifier.
Accordingly, in addition to the classification loss function for the classification feature vector, the applicant of the present application further introduces a pseudo-cyclic difference penalty factor between the classification feature vector and the network security online feature vector as a loss function. The penalty factor is expressed in terms of the following quantities: the distance matrix between the two feature vectors, whose entry at a given position is the distance between a feature value of the classification feature vector and a feature value of the network security online feature vector; the Frobenius norm of that matrix; the length of the feature vector; the distance between the two feature vectors, e.g. the Euclidean distance; the two-norm of a vector; the logarithm to base 2; and two weighting hyperparameters.
Here, considering that the imbalanced distribution between the classification feature vector and the network security online feature vector causes gradient propagation anomalies during model training based on back propagation of gradient descent, thereby forming pseudo-loops of model parameter updates, the penalty factor, by expressing both the spatial and the numerical relationships of closely related pairs of feature values, treats the pseudo-loops of model parameter updates as true loops while the loss function is minimized during training, and thereby achieves, through simulated activation of gradient propagation, a progressive coupling of the respective feature distributions of the classification feature vector and the network security online feature vector. This improves the distribution imbalance between the classification feature vector and the network security online feature vector, so as to improve the expression effect of the classification feature vector and further improve the accuracy of the classification result obtained from the classification feature vector through the classifier. Therefore, network security monitoring can be performed accurately in real time and an alarm prompt raised on abnormal network security data, so that operation and maintenance personnel can find and solve problems in time, the intelligence of network security event response is improved, and the network security protection level is further improved.
Fig. 1 illustrates an application scenario diagram of a method of monitoring network security events according to an embodiment of the present disclosure. As shown in fig. 1, in this application scenario, first, network security event history data (e.g., D1 illustrated in fig. 1) is acquired, and network security online data (e.g., D2 illustrated in fig. 1) is then input into a server (e.g., S illustrated in fig. 1) where a monitoring algorithm for network security events is deployed, wherein the server is capable of processing the network security event history data and the network security online data using the monitoring algorithm for network security events to obtain a classification result for indicating whether a network security alarm hint is generated.
Having described the basic principles of the present application, various non-limiting embodiments of the present application will now be described in detail with reference to the accompanying drawings.
Fig. 2 shows a flow chart of a method of monitoring network security events in accordance with an embodiment of the present disclosure. As shown in fig. 2, a method for monitoring a network security event according to an embodiment of the present application includes the steps of: s110, acquiring network security event history data and network security online data; s120, each network security event in the network security event history data is respectively passed through a network security event feature extractor based on a long-term and short-term memory network model to obtain a plurality of network security event semantic feature vectors; s130, arranging the semantic feature vectors of the network security events into a two-dimensional feature matrix, and then obtaining a correlation feature matrix between the network security events through a correlation feature extractor between the network security events based on a convolutional neural network model; s140, the correlation characteristic matrix among the network security events passes through a spatial attention module to obtain a correlation strengthening characteristic matrix among the network security events; s150, the network security online data passes through the network security event feature extractor based on the long-term and short-term memory network model to obtain network security online feature vectors; s160, taking the network security online feature vector as a query feature vector, and calculating the product between the network security online feature vector and the association strengthening feature matrix to obtain a classification feature vector; and S170, passing the classification feature vector through a classifier to obtain a classification result, wherein the classification result is used for indicating whether a network security alarm prompt is generated.
Fig. 3 shows an architecture diagram of a method of monitoring network security events according to an embodiment of the present disclosure. As shown in fig. 3, in the network architecture, first, network security event history data is acquired, and network security online data is acquired; then, each network security event in the network security event history data is respectively passed through a network security event feature extractor based on a long-term and short-term memory network model to obtain a plurality of network security event semantic feature vectors; then, the semantic feature vectors of the network security events are arranged into a two-dimensional feature matrix, and then the correlation feature matrix among the network security events is obtained through a correlation feature extractor among the network security events based on a convolutional neural network model; then, the correlation characteristic matrix among the network security events passes through a spatial attention module to obtain a correlation strengthening characteristic matrix among the network security events; then, the network security online data passes through the network security event feature extractor based on the long-term and short-term memory network model to obtain network security online feature vectors; then, taking the network security online feature vector as a query feature vector, and calculating the product between the network security online feature vector and the association strengthening feature matrix to obtain a classification feature vector; and finally, the classification feature vector passes through a classifier to obtain a classification result, wherein the classification result is used for indicating whether a network security alarm prompt is generated.
More specifically, in step S110, network security event history data and network security online data are acquired. The network security event history data and the real-time online data contain the various security events that occur in the network and their characteristic information.
More specifically, in step S120, each network security event in the network security event history data is passed through a network security event feature extractor based on a long-short-term memory network model to obtain a plurality of network security event semantic feature vectors. Because a plurality of network security events exist in the network security event history data, if the rules and trends of the network security events are required to be accurately analyzed and mastered, semantic association characteristic information among the network security events needs to be fully captured, and before the semantic association characteristic information, semantic understanding needs to be carried out on the network security events respectively. Therefore, in the technical scheme of the application, each network security event in the network security event history data is further subjected to feature mining through a network security event feature extractor based on a long-short-term memory network model, so that semantic understanding feature information of each network security event is extracted, and a plurality of network security event semantic feature vectors are obtained.
Accordingly, in one possible implementation manner, passing each network security event in the network security event history data through a network security event feature extractor based on a long-short-term memory network model to obtain a plurality of network security event semantic feature vectors, including: word segmentation processing is carried out on each network security event in the network security event history data, and then a plurality of network security event word feature vectors are obtained through a word embedding layer of the network security event feature extractor based on the long-short-term memory network model; in each of the network security event feature extractors based on the long-term and short-term memory network model: extracting a first precursor feature of a current network security event word feature vector in the network security event word feature vectors through a forward long-short-term memory network of the network security event feature extractor based on the long-short-term memory network model; extracting a first postamble feature of a current network security event word feature vector in the plurality of network security event word feature vectors through a reverse long-short-term memory network of the network security event feature extractor based on the long-short-term memory network model; and obtaining a first intermediate feature vector of the plurality of network security event word feature vectors based on the first precursor feature and the first postamble feature of each network security event word feature vector, the first intermediate feature vector being an input of the network security event feature extractor of the next layer based on the long-short-term memory network model.
More specifically, in step S130, the plurality of semantic feature vectors of the network security event are arranged into a two-dimensional feature matrix, and then the two-dimensional feature matrix is passed through a correlation feature extractor between network security events based on a convolutional neural network model to obtain a correlation feature matrix between network security events. In this way, high-dimensional implicit association characteristic information between semantic characteristics of each network security event in the network security event history data can be extracted.
It should be appreciated that convolutional neural network (Convolutional Neural Network, CNN) is an artificial neural network and has wide application in the fields of image recognition and the like. The convolutional neural network may include an input layer, a hidden layer, and an output layer, where the hidden layer may include a convolutional layer, a pooling layer, an activation layer, a full connection layer, etc., where the previous layer performs a corresponding operation according to input data, outputs an operation result to the next layer, and obtains a final result after the input initial data is subjected to a multi-layer operation.
Accordingly, in one possible implementation manner, after the plurality of network security event semantic feature vectors are arranged into a two-dimensional feature matrix, the network security event correlation feature extractor based on the convolutional neural network model is used to obtain a network security event correlation feature matrix, which includes: and respectively carrying out convolution processing, pooling processing along a channel dimension and nonlinear activation processing on input data in forward transfer of layers by using each layer of the network security inter-event correlation feature extractor based on the convolution neural network model so as to output the network security inter-event correlation feature matrix by the last layer of the network security inter-event correlation feature extractor based on the convolution neural network model, wherein the input of the first layer of the network security inter-event correlation feature extractor based on the convolution neural network model is the two-dimensional feature matrix.
More specifically, in step S140, the inter-network security event correlation feature matrix is passed through a spatial attention module to obtain an inter-network security event correlation enhancement feature matrix. When the network security monitoring is actually carried out, the semantic association of each network security event presents different semantic association characteristics among different event types. Therefore, in the technical scheme of the application, the important semantic association features in the network security event need to be expressed in an intensified manner, so that the accuracy of the subsequent network security early warning is improved. The attention mechanism can select the focus position, which can produce a more resolved representation of the feature, and the feature after adding to the attention module can change adaptively as the network deepens.
Accordingly, in one possible implementation manner, passing the inter-network security event association feature matrix through a spatial attention module to obtain an inter-network security event association strengthening feature matrix includes performing the following operations on the input data in the forward pass of each layer of the spatial attention module: convolving the input data to generate a convolution feature map; pooling the convolution feature map to generate a pooled feature map; non-linearly activating the pooled feature map to generate an activation feature map; calculating the mean value at each position of the activation feature map along the channel dimension to generate a spatial feature matrix; calculating a Softmax-like function value at each position of the spatial feature matrix to obtain a spatial score matrix; and calculating the position-wise product of the spatial feature matrix and the spatial score matrix to obtain a feature matrix. The feature matrix output by the last layer of the spatial attention module is the inter-network security event association strengthening feature matrix.
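The layer procedure above as a worked example in plain Python, added here and not the patent's own code: one spatial attention layer that turns an inter-event association matrix into a strengthened matrix and exposes the score matrix, which shows which event pairs the later classifier will weight most. The 4x4 association matrix, the two kernels, 2x2 max pooling, ReLU and a softmax over all positions are constructed assumptions, since the page leaves the pooling type and the exact "Softmax-like" function unspecified.

```python
import math


def conv2d(channels, kernels):
    """3x3 convolution with zero padding; kernels[o][c] is the 3x3 kernel from input
    channel c to output channel o, so each output channel sums over all input channels."""
    h, w = len(channels[0]), len(channels[0][0])
    out = []
    for kernel in kernels:
        fmap = [[0.0] * w for _ in range(h)]
        for ch, k in zip(channels, kernel):
            for r in range(h):
                for c in range(w):
                    acc = 0.0
                    for dr in (-1, 0, 1):
                        for dc in (-1, 0, 1):
                            rr, cc = r + dr, c + dc
                            if 0 <= rr < h and 0 <= cc < w:
                                acc += k[dr + 1][dc + 1] * ch[rr][cc]
                    fmap[r][c] += acc
        out.append(fmap)
    return out


def max_pool2x2(channels):
    """2x2 max pooling with stride 2 (the pooling type is an assumption)."""
    return [[[max(ch[r][c], ch[r][c + 1], ch[r + 1][c], ch[r + 1][c + 1])
              for c in range(0, len(ch[0]) - 1, 2)]
             for r in range(0, len(ch) - 1, 2)]
            for ch in channels]


def relu(channels):
    """Non-linear activation of every value in every channel."""
    return [[[max(0.0, v) for v in row] for row in ch] for ch in channels]


def channel_mean(channels):
    """Mean over the channel dimension at every position -> spatial feature matrix."""
    n = len(channels)
    return [[sum(ch[r][c] for ch in channels) / n for c in range(len(channels[0][0]))]
            for r in range(len(channels[0]))]


def softmax_over_positions(matrix):
    """Softmax across all positions -> spatial score matrix whose entries sum to 1."""
    flat = [v for row in matrix for v in row]
    m = max(flat)                      # subtract the max for numerical stability
    exps = [math.exp(v - m) for v in flat]
    z = sum(exps)
    it = iter(exps)
    return [[next(it) / z for _ in row] for row in matrix]


def spatial_attention_layer(channels, kernels):
    """One layer: conv -> pool -> activation -> channel mean -> softmax-like scores ->
    position-wise product. Returns (strengthened matrix, spatial matrix, score matrix)."""
    activated = relu(max_pool2x2(conv2d(channels, kernels)))
    spatial = channel_mean(activated)
    scores = softmax_over_positions(spatial)
    strengthened = [[s * a for s, a in zip(srow, arow)] for srow, arow in zip(spatial, scores)]
    return strengthened, spatial, scores


# Constructed 4x4 inter-event association matrix for four events; not real data.
ASSOC_MATRIX = [
    [1.0, 2.0, 0.0, 0.0],
    [3.0, 4.0, 0.0, 0.0],
    [0.0, 0.0, 5.0, 6.0],
    [0.0, 0.0, 7.0, 8.0],
]

# Two constructed kernels over the single input channel (identity and 2x identity),
# chosen so every intermediate value can be checked by hand.
CENTER = [[0.0, 0.0, 0.0], [0.0, 1.0, 0.0], [0.0, 0.0, 0.0]]
KERNELS = [[CENTER], [[[2.0 * v for v in row] for row in CENTER]]]

if __name__ == "__main__":
    out, spatial, scores = spatial_attention_layer([ASSOC_MATRIX], KERNELS)
    print("spatial feature matrix:", spatial)
    print("spatial score matrix:  ", [[round(v, 4) for v in row] for row in scores])
    print("strengthened matrix:   ", [[round(v, 4) for v in row] for row in out])
```

A second layer of the module would take the returned strengthened matrix, wrapped as a single channel, as its input.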
More specifically, in step S150, the cyber-security online data is passed through the cyber-security event feature extractor based on the long-short-term memory network model to obtain cyber-security online feature vectors. The network security online data also has context semantic association characteristic information, so that similarly, the network security online data is subjected to semantic feature mining in the network security event feature extractor based on the long-short-term memory network model, so that the context semantic association characteristic information based on the middle-short-distance dependency association in the network security online data is extracted, and a network security online characteristic vector is obtained.
Accordingly, in one possible implementation manner, passing the network security online data through the network security event feature extractor based on the long-term memory network model to obtain a network security online feature vector includes: word embedding layers of the network security event feature extractor based on the long-term and short-term memory network model are used for obtaining a plurality of network security online data word feature vectors after word segmentation processing is carried out on the network security online data; in each of the network security event feature extractors based on the long-term and short-term memory network model: extracting second precursor features of the current network security online data word feature vector in the network security online data word feature vectors through a forward long-short-term memory network of the network security event feature extractor based on the long-short-term memory network model; extracting second postamble characteristics of a current network security online data word characteristic vector in the network security online data word characteristic vectors through a reverse long-short-term memory network of the network security event characteristic extractor based on the long-short-term memory network model; and obtaining a second intermediate feature vector of the plurality of network security online data word feature vectors based on the second precursor feature and the second post feature of each network security online data word feature vector, wherein the second intermediate feature vector is input of the network security event feature extractor based on the long-short-term memory network model of the next layer.
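The extractor described here and in the corresponding step for the historical events, as an added example that is not the patent's code: a stacked bidirectional LSTM whose forward pass yields the precursor feature and whose reverse pass yields the postamble feature of each word, with their concatenation feeding the next layer. The toy weights, whitespace word segmentation, the pseudo-random word embedding and the final pooling into one event vector are assumptions the page does not specify.

```python
import math
import random


def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


def matvec(W, v):
    return [sum(w * x for w, x in zip(row, v)) for row in W]


class LSTM:
    """Single-direction LSTM with input, forget and output gates (constructed toy weights)."""

    def __init__(self, in_dim, hid_dim, seed):
        rng = random.Random(seed)
        self.hid_dim = hid_dim
        # One weight matrix and bias per gate, acting on the concatenation [x; h_prev]
        self.W = {g: [[rng.uniform(-0.5, 0.5) for _ in range(in_dim + hid_dim)]
                      for _ in range(hid_dim)] for g in "ifoc"}
        self.b = {g: [0.0] * hid_dim for g in "ifoc"}

    def _gate(self, name, z, act):
        return [act(a + b) for a, b in zip(matvec(self.W[name], z), self.b[name])]

    def step(self, x, h, c):
        z = x + h                          # current input joined with previous hidden state
        i = self._gate("i", z, sigmoid)    # input gate
        f = self._gate("f", z, sigmoid)    # forget gate
        o = self._gate("o", z, sigmoid)    # output gate
        g = self._gate("c", z, math.tanh)  # candidate cell state
        c_new = [fk * ck + ik * gk for fk, ck, ik, gk in zip(f, c, i, g)]
        h_new = [ok * math.tanh(ck) for ok, ck in zip(o, c_new)]
        return h_new, c_new

    def run(self, seq):
        """Hidden state after each element of the sequence, starting from zero state."""
        h, c = [0.0] * self.hid_dim, [0.0] * self.hid_dim
        outputs = []
        for x in seq:
            h, c = self.step(x, h, c)
            outputs.append(h)
        return outputs


class BiLSTMExtractor:
    """Stacked bidirectional LSTM feature extractor following the page's description."""

    def __init__(self, embed_dim, hid_dim, n_layers, seed=0):
        self.embed_dim = embed_dim
        self.layers = []
        in_dim = embed_dim
        for k in range(n_layers):
            fwd = LSTM(in_dim, hid_dim, seed + 2 * k)
            bwd = LSTM(in_dim, hid_dim, seed + 2 * k + 1)
            self.layers.append((fwd, bwd))
            in_dim = 2 * hid_dim  # next layer consumes the concatenated intermediate vectors

    def embed_tokens(self, tokens):
        # Word embedding layer stand-in: a fixed pseudo-random vector per token (assumption)
        return [[random.Random("emb:" + t).uniform(-1.0, 1.0) for _ in range(self.embed_dim)]
                for t in tokens]

    @staticmethod
    def layer_features(seq, fwd, bwd):
        pre = fwd.run(seq)                 # precursor feature: left context up to each word
        post = bwd.run(seq[::-1])[::-1]    # postamble feature: right context from each word
        return pre, post

    def extract(self, text):
        """Intermediate feature vector (precursor + postamble) per word from the last layer."""
        seq = self.embed_tokens(text.split())  # whitespace word segmentation (assumption)
        for fwd, bwd in self.layers:
            pre, post = self.layer_features(seq, fwd, bwd)
            seq = [p + q for p, q in zip(pre, post)]
        return seq

    def event_vector(self, text):
        """One semantic feature vector per event: final forward state at the last word joined
        with final backward state at the first word (this pooling choice is an assumption)."""
        feats = self.extract(text)
        hid = len(feats[0]) // 2
        return feats[-1][:hid] + feats[0][hid:]


if __name__ == "__main__":
    ext = BiLSTMExtractor(embed_dim=4, hid_dim=3, n_layers=2)
    # Constructed event descriptions, not real log data
    for event in ["repeated failed login from external host",
                  "outbound connection to unknown domain"]:
        print(event, "->", [round(v, 3) for v in ext.event_vector(event)])
```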
More specifically, in step S160, the online feature vector of network security is used as a query feature vector, and the product between the online feature vector of network security and the association-enhanced feature matrix of network security event is calculated to obtain a classification feature vector. And mapping the network security online feature vector into a high-dimensional feature space of the inter-network security event association strengthening feature matrix, thereby obtaining a classification feature vector for representing association feature information between semantic association features of the network security event historical data and semantic understanding features of the network security online data, namely semantic feature information about the network security online data based on the semantic association features of each network security event in the network security event historical data.
More specifically, in step S170, the classification feature vector is passed through a classifier to obtain a classification result, which is used to indicate whether or not a network security alarm prompt is generated. After the classification result is obtained, real-time accurate monitoring of network security can be performed based on the classification result, and alarm prompt is performed on abnormal network security data, so that operation and maintenance personnel can find and solve problems in time, and the intelligent degree of network security event response is improved.
It should be appreciated that the role of the classifier is to learn classification rules and a classifier from given training data of known classes, and then to classify (or predict) unknown data. Logistic regression, SVM, etc. are commonly used to solve classification problems; for multi-class classification problems, logistic regression or SVM can also be used, but multiple binary classifiers must be combined to form the multi-class classification, which is error-prone and inefficient, so the commonly used multi-class method is the Softmax classification function.
Accordingly, in one possible implementation manner, the method for monitoring network security events further includes a training step for training the network security event feature extractor based on the long-short-term memory network model, the spatial attention module, the inter-network security event association feature extractor based on the convolutional neural network model, and the classifier. As shown in fig. 4, the training step includes: S210, acquiring training data, wherein the training data comprises training network security event history data, training network security online data and a true value of whether a network security alarm prompt is generated; S220, respectively passing each training network security event in the training network security event history data through the network security event feature extractor based on the long-short-term memory network model to obtain a plurality of training network security event semantic feature vectors; S230, arranging the plurality of training network security event semantic feature vectors into a training two-dimensional feature matrix, and then passing it through the inter-network security event association feature extractor based on the convolutional neural network model to obtain a training inter-network security event association feature matrix; S240, passing the training inter-network security event association feature matrix through the spatial attention module to obtain a training inter-network security event association strengthening feature matrix; S250, passing the training network security online data through the network security event feature extractor based on the long-short-term memory network model to obtain a training network security online feature vector; S260, taking the training network security online feature vector as a query feature vector, and calculating the product between the training network security online feature vector and the training inter-network security event association strengthening feature matrix to obtain a training classification feature vector; S270, passing the training classification feature vector through the classifier to obtain a classification loss function value; S280, calculating a pseudo-cyclic difference penalty factor of the training classification feature vector and the training network security online feature vector as a pseudo-cyclic difference penalty loss function value; and S290, training the network security event feature extractor based on the long-short-term memory network model, the spatial attention module, the inter-network security event association feature extractor based on the convolutional neural network model and the classifier by taking the weighted sum of the classification loss function value and the pseudo-cyclic difference penalty loss function value as the loss function value and through back propagation of gradient descent.
Accordingly, in one possible implementation, passing the training classification feature vector through the classifier to obtain a classification loss function value includes: the classifier processes the training classification feature vector according to a classification formula in which a sequence of weight matrices and their corresponding bias vectors are applied to the training classification feature vector and the result is normalized by the Softmax function to obtain a training classification result; and calculating the cross entropy value between the training classification result and the true value as the classification loss function value.
In particular, in the technical scheme of the application, the training network security online feature vector is taken as a query feature vector, and when the product between the training network security online feature vector and the training network security event association strengthening feature matrix is calculated to obtain the training classification feature vector, the inter-sample association feature in the space strengthening feature sample of the semantic feature of the network security event expressed by the training network security event association strengthening feature matrix is mapped into the bidirectional process-remote data semantic association feature space of the network security online data expressed by the training network security online feature vector, so as to obtain the training classification feature vector. However, because of the difference between the correlation reinforcement feature matrix between the training network security online feature vector and the training network security event in the feature order and the expression dimension, the distribution imbalance may exist between the training classification feature vector obtained by mapping and the feature distribution of the training network security online feature vector, thereby affecting the expression effect of the training classification feature vector, and also affecting the accuracy of the classification result obtained by the training classification feature vector through the classifier. Therefore, the applicant of the present application further introduces a pseudo-cyclic difference penalty factor for the training classification feature vector and the training network security online feature vector as a loss function in addition to the classification loss function for the training classification feature vector.
Accordingly, in one possible implementation, calculating the pseudo-cyclic difference penalty factor for the training classification feature vector and the training network security online feature vector as the pseudo-cyclic difference penalty loss function value includes: calculating the pseudo-cyclic difference penalty factor of the training classification feature vector and the training network security online feature vector as the pseudo-cyclic difference penalty loss function value according to the following loss formula, wherein the terms of the formula are: the training classification feature vector; the training network security online feature vector; the distance matrix between the training classification feature vector and the training network security online feature vector; the Frobenius norm of that matrix; the length of the feature vector; the distance between the training classification feature vector and the training network security online feature vector; the two-norm of a vector; a logarithmic function with base 2; two weighting hyperparameters; the pseudo-cyclic difference penalty loss function value; and vector subtraction and vector addition.
Here, the unbalanced distribution between the training classification feature vector and the training network security online feature vector may cause gradient propagation abnormalities during model training based on the back propagation of gradient descent, forming a pseudo-loop of model parameter updates. The pseudo-cyclic difference penalty factor addresses this by introducing a penalty factor that expresses both the spatial relationship and the numerical relationship of closely related pairs of feature values, so that the pseudo-loop of parameter updates is treated as a true loop while the loss function is minimized during training. This achieves a progressive coupling of the feature distributions of the training classification feature vector and the training network security online feature vector by means of a simulated activation of gradient propagation, which improves the distribution imbalance between the two, promotes the expression effect of the training classification feature vector, and thereby promotes the accuracy of the training classification result obtained from it through the classifier. Therefore, network security monitoring can be performed accurately in real time, and alarm prompts can be issued for abnormal network security data, so that operation and maintenance personnel can find and solve problems in time; the intelligence of network security event response is improved, and the network security protection level is further raised.
In summary, according to the method for monitoring the network security event according to the embodiment of the application, firstly, network security event history data is passed through a network security event feature extractor to obtain a plurality of network security event semantic feature vectors, then, after the plurality of network security event semantic feature vectors are arranged, the network security event semantic feature vectors are passed through a network security event correlation feature extractor to obtain a network security event correlation feature matrix, then, the network security online data is passed through the network security event feature extractor to obtain a network security online feature vector, then, the product between the network security online feature vector and the network security event correlation enhancement feature matrix is calculated to obtain a classification feature vector, and finally, the classification feature vector is passed through a classifier to obtain a classification result for indicating whether a network security alarm prompt is generated. In this way, the level of network security may be increased.
Fig. 5 shows a block diagram of a monitoring system 100 for network security events in accordance with an embodiment of the present disclosure. As shown in Fig. 5, a monitoring system 100 for network security events according to an embodiment of the present application includes: a data acquisition module 110, configured to acquire network security event history data and network security online data; a first network security event feature extraction module 120, configured to pass each network security event in the network security event history data through a network security event feature extractor based on a long-short-term memory network model to obtain a plurality of network security event semantic feature vectors; an inter-network security event correlation feature extraction module 130, configured to arrange the plurality of network security event semantic feature vectors into a two-dimensional feature matrix and then obtain an inter-network security event correlation feature matrix through an inter-network security event correlation feature extractor based on a convolutional neural network model; a spatial attention encoding module 140, configured to pass the inter-network security event correlation feature matrix through a spatial attention module to obtain an inter-network security event correlation enhancement feature matrix; a second network security event feature extraction module 150, configured to pass the network security online data through the network security event feature extractor based on the long-short-term memory network model to obtain a network security online feature vector; a query calculation module 160, configured to calculate the product between the network security online feature vector and the inter-network security event correlation enhancement feature matrix to obtain a classification feature vector; and a classification module 170, configured to pass the classification feature vector through a classifier to obtain a classification result, where the classification result is used to indicate whether to generate a network security alarm prompt.
In one possible implementation manner, in the monitoring system 100 for network security events, the first network security event feature extraction module 120 is configured to: perform word segmentation on each network security event in the network security event history data, and then obtain a plurality of network security event word feature vectors through the word embedding layer of the network security event feature extractor based on the long-short-term memory network model; and, in each layer of the network security event feature extractor based on the long-short-term memory network model: extract a first precursor feature of the current network security event word feature vector among the plurality of network security event word feature vectors through the forward long-short-term memory network of that layer; extract a first postamble feature of the current network security event word feature vector among the plurality of network security event word feature vectors through the reverse long-short-term memory network of that layer; and obtain first intermediate feature vectors of the plurality of network security event word feature vectors based on the first precursor feature and the first postamble feature of each network security event word feature vector, the first intermediate feature vectors being the input of the next layer of the network security event feature extractor based on the long-short-term memory network model.
In one possible implementation manner, in the monitoring system 100 for network security events, the inter-network security event correlation feature extraction module 130 is configured to: use each layer of the inter-network security event correlation feature extractor based on the convolutional neural network model to perform, in its forward pass, convolution processing, pooling processing along the channel dimension and nonlinear activation processing on its input data, so that the last layer of the extractor outputs the inter-network security event correlation feature matrix, where the input of the first layer of the extractor is the two-dimensional feature matrix.
In one possible implementation manner, in the monitoring system 100 for network security events, the spatial attention encoding module 140 is configured to: in the forward pass of each layer of the spatial attention module, process the input data as follows: convolve the input data to generate a convolution feature map; pool the convolution feature map to generate a pooled feature map; non-linearly activate the pooled feature map to generate an activation feature map; calculate the mean value of each position of the activation feature map along the channel dimension to generate a spatial feature matrix; calculate a Softmax-like function value for each position in the spatial feature matrix to obtain a spatial score matrix; and calculate the position-wise dot multiplication of the spatial feature matrix and the spatial score matrix to obtain a feature matrix; the feature matrix output by the last layer of the spatial attention module is the inter-network security event association strengthening feature matrix.
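As an added illustration that is not the patent's code, the following numpy sketch runs the forward pass of the spatial attention module described here and in claim 1 (convolution, pooling, nonlinear activation, channel mean, position-wise Softmax-like score, position-wise product), then the query product of module 160 and a softmax classifier with the cross-entropy loss. The layer count, kernel shapes, the use of ReLU and stride-1 max pooling, the row-vector orientation of the query product, and every sample value are assumptions.

```python
import numpy as np


def conv2d_same(x, kernel):
    """Stride-1 convolution with zero padding that keeps H and W (odd kernels
    assumed). x: (C_in, H, W); kernel: (C_out, C_in, kh, kw) -> (C_out, H, W)."""
    x = np.asarray(x, dtype=float)
    kernel = np.asarray(kernel, dtype=float)
    c_out, c_in, kh, kw = kernel.shape
    assert c_in == x.shape[0], "kernel input channels must match the input"
    ph, pw = kh // 2, kw // 2
    xp = np.pad(x, ((0, 0), (ph, ph), (pw, pw)))
    _, h, w = x.shape
    out = np.zeros((c_out, h, w))
    for o in range(c_out):
        for i in range(h):
            for j in range(w):
                out[o, i, j] = np.sum(xp[:, i:i + kh, j:j + kw] * kernel[o])
    return out


def max_pool_same(x, k=2):
    """k x k max pooling with stride 1; -inf padding on the bottom/right edges
    keeps H and W so the score matrix stays position-aligned. x: (C, H, W)."""
    c, h, w = x.shape
    xp = np.pad(x, ((0, 0), (0, k - 1), (0, k - 1)), constant_values=-np.inf)
    out = np.empty_like(x)
    for i in range(h):
        for j in range(w):
            out[:, i, j] = xp[:, i:i + k, j:j + k].max(axis=(1, 2))
    return out


def softmax(z):
    """Numerically stable softmax over a flat vector."""
    e = np.exp(z - z.max())
    return e / e.sum()


def position_scores(spatial):
    """Softmax-like score for every position of the (H, W) spatial feature
    matrix; the scores over all positions sum to one."""
    spatial = np.asarray(spatial, dtype=float)
    return softmax(spatial.ravel()).reshape(spatial.shape)


def spatial_attention_layer(x, kernel):
    """One layer of the module: conv -> pool -> ReLU -> mean along channels ->
    position scores -> position-wise product. x: (C, H, W) -> (H, W)."""
    activated = np.maximum(max_pool_same(conv2d_same(x, kernel)), 0.0)
    spatial = activated.mean(axis=0)
    return spatial * position_scores(spatial)


def spatial_attention_module(matrix, kernels):
    """Stacks layers; each (H, W) output becomes the single-channel input of
    the next layer. Returns the association-enhanced feature matrix."""
    out = np.asarray(matrix, dtype=float)
    for kernel in kernels:
        out = spatial_attention_layer(out[None], kernel)
    return out


def classify(online_vec, enhanced, w, b):
    """Query step (module 160): the online feature vector, taken as a row
    query, times the enhanced matrix gives the classification feature vector;
    a two-way softmax then scores {0: no alarm, 1: raise alarm prompt}."""
    clf_vec = np.asarray(online_vec, dtype=float) @ np.asarray(enhanced, dtype=float)
    logits = np.asarray(w, dtype=float) @ clf_vec + np.asarray(b, dtype=float)
    return clf_vec, softmax(logits)


def cross_entropy(probs, truth):
    """Classification loss used in training: -log p(true class)."""
    return float(-np.log(probs[truth]))


def run_demo(seed=0):
    """Constructed end-to-end run on random stand-ins for the CNN output and
    the LSTM online vector; returns (enhanced matrix, class probabilities)."""
    rng = np.random.default_rng(seed)
    n_events = dim = 4  # constructed: 4 history events x 4-dim semantic vectors
    assoc = rng.normal(size=(n_events, dim))  # stands in for module 130 output
    kernels = [rng.normal(size=(2, 1, 3, 3)), rng.normal(size=(2, 1, 3, 3))]
    enhanced = spatial_attention_module(assoc, kernels)
    online = rng.normal(size=n_events)        # stands in for module 150 output
    w, b = rng.normal(size=(2, dim)), np.zeros(2)
    _, probs = classify(online, enhanced, w, b)
    return enhanced, probs


if __name__ == "__main__":
    enhanced, probs = run_demo()
    print("alarm probability:", round(float(probs[1]), 4),
          "loss if truth is 'alarm':", round(cross_entropy(probs, 1), 4))
```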
In one possible implementation manner, in the monitoring system 100 for network security events, the second network security event feature extraction module 150 is configured to: perform word segmentation on the network security online data, and then obtain a plurality of network security online data word feature vectors through the word embedding layer of the network security event feature extractor based on the long-short-term memory network model; and, in each layer of the network security event feature extractor based on the long-short-term memory network model: extract a second precursor feature of the current network security online data word feature vector among the plurality of network security online data word feature vectors through the forward long-short-term memory network of that layer; extract a second postamble feature of the current network security online data word feature vector among the plurality of network security online data word feature vectors through the reverse long-short-term memory network of that layer; and obtain second intermediate feature vectors of the plurality of network security online data word feature vectors based on the second precursor feature and the second postamble feature of each network security online data word feature vector, the second intermediate feature vectors being the input of the next layer of the network security event feature extractor based on the long-short-term memory network model.
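An added numpy sketch, not the patent's code, of the feature extractor shared by modules 120 and 150: word segmentation, a word embedding layer, and stacked layers that each run a forward LSTM (precursor features) and a reverse LSTM (postamble features) and concatenate the two per word into the intermediate vectors that feed the next layer. Whitespace tokenization as the segmentation step, mean pooling of the last layer's per-word vectors into the event vector, and the vocabulary, sizes and sample events are assumptions.

```python
import numpy as np


def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))


class LSTMCell:
    """Single-direction LSTM; the four gates share one stacked weight matrix."""

    def __init__(self, in_dim, hidden, rng):
        scale = 1.0 / np.sqrt(in_dim + hidden)
        self.w = rng.normal(scale=scale, size=(4 * hidden, in_dim + hidden))
        self.b = np.zeros(4 * hidden)
        self.hidden = hidden

    def run(self, xs):
        """xs: (T, in_dim) -> hidden state after each step, (T, hidden)."""
        h = np.zeros(self.hidden)
        c = np.zeros(self.hidden)
        states = []
        for x in xs:
            i, f, g, o = np.split(self.w @ np.concatenate([x, h]) + self.b, 4)
            c = sigmoid(f) * c + sigmoid(i) * np.tanh(g)
            h = sigmoid(o) * np.tanh(c)
            states.append(h)
        return np.array(states)


def bilstm_layer(xs, fwd, bwd):
    """Precursor features come from the forward LSTM, postamble features from
    the reverse LSTM; per word they are concatenated into this layer's
    intermediate feature vectors: (T, in_dim) -> (T, 2 * hidden)."""
    forward = fwd.run(xs)
    backward = bwd.run(xs[::-1])[::-1]  # run over reversed words, then realign
    return np.concatenate([forward, backward], axis=1)


class EventFeatureExtractor:
    """Word embedding layer followed by stacked BiLSTM layers."""

    def __init__(self, vocab, embed_dim, hidden, layers, seed=0):
        rng = np.random.default_rng(seed)
        self.vocab = {word: idx for idx, word in enumerate(vocab)}
        self.unknown = len(vocab)  # one extra row for out-of-vocabulary words
        self.embedding = rng.normal(size=(len(vocab) + 1, embed_dim))
        self.layers = []
        in_dim = embed_dim
        for _ in range(layers):
            self.layers.append((LSTMCell(in_dim, hidden, rng),
                                LSTMCell(in_dim, hidden, rng)))
            in_dim = 2 * hidden  # the next layer consumes the intermediate vectors
        self.out_dim = in_dim

    @staticmethod
    def segment(event):
        """Assumed stand-in for the word segmentation step."""
        return event.lower().split()

    def __call__(self, event):
        ids = [self.vocab.get(tok, self.unknown) for tok in self.segment(event)]
        if not ids:  # an empty event has no words to encode
            return np.zeros(self.out_dim)
        xs = self.embedding[ids]
        for fwd, bwd in self.layers:
            xs = bilstm_layer(xs, fwd, bwd)
        return xs.mean(axis=0)  # assumption: mean-pool the last layer's states


if __name__ == "__main__":
    # Constructed vocabulary and event texts, for illustration only.
    vocab = ["failed", "login", "attempts", "repeated", "firewall", "blocked",
             "outbound", "connection", "port", "scan", "detected"]
    extractor = EventFeatureExtractor(vocab, embed_dim=8, hidden=16, layers=2)
    history = ["repeated failed login attempts",
               "outbound connection blocked by firewall",
               "port scan detected"]
    semantic = np.stack([extractor(e) for e in history])  # (3, 32): input to the CNN stage
    print(semantic.shape)
```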
In a possible implementation manner, the monitoring system 100 for network security events further includes a training module configured to train the network security event feature extractor based on the long-short-term memory network model, the spatial attention module, the inter-network security event correlation feature extractor based on the convolutional neural network model, and the classifier. The training module is configured to: acquire training data, wherein the training data comprise training network security event history data, training network security online data, and a true value of whether a network security alarm prompt is generated; pass each training network security event in the training network security event history data through the network security event feature extractor based on the long-short-term memory network model to obtain a plurality of training network security event semantic feature vectors; arrange the plurality of training network security event semantic feature vectors into a training two-dimensional feature matrix and then pass it through the inter-network security event correlation feature extractor based on the convolutional neural network model to obtain a training inter-network security event correlation feature matrix; pass the training inter-network security event correlation feature matrix through the spatial attention module to obtain a training inter-network security event association strengthening feature matrix; pass the training network security online data through the network security event feature extractor based on the long-short-term memory network model to obtain a training network security online feature vector; take the training network security online feature vector as a query feature vector and calculate the product between the training network security online feature vector and the training association strengthening feature matrix to obtain a training classification feature vector; pass the training classification feature vector through the classifier to obtain a classification loss function value; calculate a pseudo-cyclic difference penalty factor of the training classification feature vector and the training network security online feature vector as a pseudo-cyclic difference penalty loss function value; and train the network security event feature extractor based on the long-short-term memory network model, the spatial attention module, the inter-network security event correlation feature extractor based on the convolutional neural network model and the classifier by taking a weighted sum of the classification loss function value and the pseudo-cyclic difference penalty loss function value as the loss function value and by back propagation of gradient descent.
In one possible implementation manner, in the monitoring system 100 for network security events, passing the training classification feature vector through the classifier to obtain a classification loss function value includes: the classifier processes the training classification feature vector according to the following classification formula to obtain a training classification result, wherein the terms of the formula are the weight matrices of the classifier, the corresponding bias vectors, and the training classification feature vector; and calculating a cross entropy value between the training classification result and the true value as the classification loss function value.
In one possible implementation, in the above-mentioned network security event monitoring system 100, calculating the pseudo-cyclic difference penalty factor of the training classification feature vector and the training network security online feature vector as the pseudo-cyclic difference penalty loss function value includes: calculating the pseudo-cyclic difference penalty factor of the training classification feature vector and the training network security online feature vector as the pseudo-cyclic difference penalty loss function value according to the following loss formula, wherein the terms of the formula are: the training classification feature vector; the training network security online feature vector; the distance matrix between the training classification feature vector and the training network security online feature vector; the Frobenius norm of that matrix; the length of the feature vector; the distance between the training classification feature vector and the training network security online feature vector; the two-norm of a vector; a logarithmic function with base 2; two weighting hyperparameters; the pseudo-cyclic difference penalty loss function value; and vector subtraction and vector addition.
Here, it will be understood by those skilled in the art that the specific functions and operations of the respective units and modules in the above-described network security event monitoring system 100 have been described in detail in the above description of the network security event monitoring method with reference to fig. 1 to 4, and thus, repetitive descriptions thereof will be omitted.
As described above, the network security event monitoring system 100 according to the embodiment of the present application may be implemented in various wireless terminals, for example, a server or the like having a network security event monitoring algorithm. In one possible implementation, the network security event monitoring system 100 according to embodiments of the present application may be integrated into a wireless terminal as a software module and/or hardware module. For example, the monitoring system 100 for network security events may be a software module in the operating system of the wireless terminal or may be an application developed for the wireless terminal; of course, the monitoring system 100 for network security events may also be one of many hardware modules of the wireless terminal.
Alternatively, in another example, the network security event monitoring system 100 and the wireless terminal may be separate devices, and the network security event monitoring system 100 may be connected to the wireless terminal through a wired and/or wireless network and exchange interaction information in an agreed data format.
In an exemplary embodiment, a non-transitory computer readable storage medium is also provided, such as a memory including computer program instructions executable by a processing component of an apparatus to perform the above-described method.
The present disclosure may be a system, method, and/or computer program product. The computer program product may include a computer readable storage medium having computer readable program instructions embodied thereon for causing a processor to implement aspects of the present disclosure.
The computer readable storage medium may be a tangible device that can hold and store instructions for use by an instruction execution device. The computer readable storage medium may be, for example, but not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer-readable storage medium would include the following: portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), static random access memory (SRAM), portable compact disk read-only memory (CD-ROM), digital versatile disks (DVD), memory sticks, floppy disks, mechanical coding devices such as punch cards or in-groove structures having instructions stored thereon, and any suitable combination of the foregoing. Computer-readable storage media, as used herein, are not to be construed as transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through waveguides or other transmission media (e.g., optical pulses through fiber optic cables), or electrical signals transmitted through wires.
The computer readable program instructions described herein may be downloaded from a computer readable storage medium to a respective computing/processing device or to an external computer or external storage device over a network, such as the internet, a local area network, a wide area network, and/or a wireless network. The network may include copper transmission cables, fiber optic transmissions, wireless transmissions, routers, firewalls, switches, gateway computers and/or edge servers. The network interface card or network interface in each computing/processing device receives computer readable program instructions from the network and forwards the computer readable program instructions for storage in a computer readable storage medium in the respective computing/processing device.
Computer program instructions for carrying out operations of the present disclosure may be assembly instructions, instruction set architecture (ISA) instructions, machine-related instructions, microcode, firmware instructions, state setting data, or source or object code written in any combination of one or more programming languages, including an object oriented programming language such as Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The computer readable program instructions may be executed entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider). In some embodiments, aspects of the present disclosure are implemented by personalizing electronic circuitry, such as programmable logic circuitry, field programmable gate arrays (FPGAs), or programmable logic arrays (PLAs), with state information for computer readable program instructions, which can execute the computer readable program instructions.
Various aspects of the present disclosure are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the disclosure. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer-readable program instructions.
These computer readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. These computer readable program instructions may also be stored in a computer readable storage medium that can direct a computer, programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer readable medium having the instructions stored therein includes an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.
The computer readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer, other programmable apparatus or other devices implement the functions/acts specified in the flowchart and/or block diagram block or blocks.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The foregoing description of the disclosed embodiments of the invention is illustrative, not exhaustive, and not limited to the disclosed embodiments. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the various embodiments described. The terminology used herein was chosen in order to best explain the principles of the embodiments, the practical application, or the improvement of technology in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.

Claims (9)

1. A method for monitoring network security events, comprising:
acquiring network security event history data and network security online data;
each network security event in the network security event history data is respectively passed through a network security event feature extractor based on a long-term and short-term memory network model to obtain a plurality of network security event semantic feature vectors;
arranging the plurality of network security event semantic feature vectors into a two-dimensional feature matrix and then passing the two-dimensional feature matrix through an inter-network security event correlation feature extractor based on a convolutional neural network model to obtain an inter-network security event correlation feature matrix;
passing the inter-network security event correlation feature matrix through a spatial attention module to obtain an inter-network security event association strengthening feature matrix;
passing the network security online data through the network security event feature extractor based on the long-short-term memory network model to obtain a network security online feature vector;
taking the network security online feature vector as a query feature vector, and calculating the product between the network security online feature vector and the association strengthening feature matrix to obtain a classification feature vector; and
the classification feature vector passes through a classifier to obtain a classification result, wherein the classification result is used for indicating whether a network security alarm prompt is generated;
wherein passing the inter-network security event correlation feature matrix through the spatial attention module to obtain the inter-network security event association strengthening feature matrix comprises:
in the forward pass of each layer of the spatial attention module, processing the input data as follows:
convolving the input data to generate a convolved feature map;
pooling the convolution feature map to generate a pooled feature map;
non-linearly activating the pooled feature map to generate an activated feature map;
calculating the mean value of each position of the activation feature map along the channel dimension to generate a spatial feature matrix;
calculating a Softmax-like function value of each position in the space feature matrix to obtain a space score matrix; and
calculating the position-wise dot multiplication of the space feature matrix and the space score matrix to obtain a feature matrix;
the feature matrix output by the last layer of the spatial attention module is the inter-network security event association strengthening feature matrix.
2. The method for monitoring network security events according to claim 1, wherein passing each network security event in the network security event history data through a network security event feature extractor based on a long-short-term memory network model to obtain a plurality of network security event semantic feature vectors, respectively, comprises:
word segmentation processing is carried out on each network security event in the network security event history data, and then a plurality of network security event word feature vectors are obtained through a word embedding layer of the network security event feature extractor based on the long-short-term memory network model;
in each of the network security event feature extractors based on the long-term and short-term memory network model:
extracting a first precursor feature of a current network security event word feature vector in the network security event word feature vectors through a forward long-short-term memory network of the network security event feature extractor based on the long-short-term memory network model;
extracting a first postamble feature of a current network security event word feature vector in the plurality of network security event word feature vectors through a reverse long-short-term memory network of the network security event feature extractor based on the long-short-term memory network model; and
and obtaining a first intermediate feature vector of the network security event word feature vectors based on the first precursor feature and the first postamble feature of each network security event word feature vector, wherein the first intermediate feature vector is the input of the network security event feature extractor based on the long-term and short-term memory network model of the next layer.
3. The method for monitoring network security events according to claim 2, wherein the step of arranging the plurality of network security event semantic feature vectors into a two-dimensional feature matrix and then obtaining a network security event correlation feature matrix through a network security event correlation feature extractor based on a convolutional neural network model comprises the steps of:
respectively carrying out convolution processing, pooling processing along a channel dimension and nonlinear activation processing on input data in the forward pass of each layer of the network security inter-event correlation feature extractor based on the convolutional neural network model, so as to output the network security inter-event correlation feature matrix by the last layer of the network security inter-event correlation feature extractor based on the convolutional neural network model, wherein the input of the first layer of the network security inter-event correlation feature extractor based on the convolutional neural network model is the two-dimensional feature matrix.
4. The method of claim 3, wherein passing the network security online data through the network security event feature extractor based on the long-short-term memory network model to obtain a network security online feature vector comprises:
word embedding layers of the network security event feature extractor based on the long-term and short-term memory network model are used for obtaining a plurality of network security online data word feature vectors after word segmentation processing is carried out on the network security online data;
in each of the network security event feature extractors based on the long-term and short-term memory network model:
Extracting second precursor features of the current network security online data word feature vector in the network security online data word feature vectors through a forward long-short-term memory network of the network security event feature extractor based on the long-short-term memory network model;
extracting second postamble characteristics of a current network security online data word characteristic vector in the network security online data word characteristic vectors through a reverse long-short-term memory network of the network security event characteristic extractor based on the long-short-term memory network model; and
and obtaining second intermediate feature vectors of the network security online data word feature vectors based on the second front feature and the second rear feature of each network security online data word feature vector, wherein the second intermediate feature vectors are input of the network security event feature extractor based on the long-term and short-term memory network model of the next layer.
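Claims 2 and 4 describe the same layer structure: a word embedding layer, then per layer a forward LSTM giving the precursor feature of each word, a reverse LSTM giving its postamble feature, and an intermediate vector built from the two that feeds the next layer. The following is an added example written from that description; it is not the patent's own code. The weights are constructed and untrained, the embedding is a stable per-token pseudo-random lookup, whitespace splitting stands in for word segmentation, concatenation is assumed as the rule for combining the two features, and mean pooling over positions is assumed for turning the last layer's outputs into one online feature vector.

```python
"""Added example: two-layer bidirectional LSTM word-feature extractor (claims 2 and 4)."""
import math
import random
import zlib
from typing import Dict, List, Tuple

Vector = List[float]

EMB_DIM = 6   # word embedding size (constructed)
HID_DIM = 4   # hidden size of each one-direction LSTM (constructed)


def _sigmoid(x: float) -> float:
    return 1.0 / (1.0 + math.exp(-x))


def _affine(w: List[Vector], x: Vector, u: List[Vector], h: Vector, b: Vector) -> Vector:
    """Row-wise W·x + U·h + b for one gate."""
    return [sum(wi * xi for wi, xi in zip(wr, x)) + sum(ui * hi for ui, hi in zip(ur, h)) + bi
            for wr, ur, bi in zip(w, u, b)]


class LSTMCell:
    """One-direction LSTM with deterministic, constructed weights (untrained demo values)."""

    def __init__(self, in_dim: int, hid_dim: int, seed: int) -> None:
        rng = random.Random(seed)
        self.hid_dim = hid_dim

        def mk(rows: int, cols: int) -> List[Vector]:
            return [[rng.uniform(-0.5, 0.5) for _ in range(cols)] for _ in range(rows)]

        # input (i), forget (f), output (o) and candidate (g) gates
        self.W: Dict[str, List[Vector]] = {g: mk(hid_dim, in_dim) for g in "ifog"}
        self.U: Dict[str, List[Vector]] = {g: mk(hid_dim, hid_dim) for g in "ifog"}
        self.b: Dict[str, Vector] = {g: [0.0] * hid_dim for g in "ifog"}

    def step(self, x: Vector, h: Vector, c: Vector) -> Tuple[Vector, Vector]:
        def gate(g: str) -> Vector:
            return _affine(self.W[g], x, self.U[g], h, self.b[g])
        i = [_sigmoid(v) for v in gate("i")]
        f = [_sigmoid(v) for v in gate("f")]
        o = [_sigmoid(v) for v in gate("o")]
        g = [math.tanh(v) for v in gate("g")]
        c_new = [fi * ci + ii * gi for fi, ci, ii, gi in zip(f, c, i, g)]
        h_new = [oi * math.tanh(ci) for oi, ci in zip(o, c_new)]
        return h_new, c_new

    def run(self, xs: List[Vector]) -> List[Vector]:
        """Hidden state after each input, scanning the sequence in the order given."""
        h, c = [0.0] * self.hid_dim, [0.0] * self.hid_dim
        outs = []
        for x in xs:
            h, c = self.step(x, h, c)
            outs.append(h)
        return outs


def precursor_features(fwd: LSTMCell, xs: List[Vector]) -> List[Vector]:
    """Forward LSTM: the feature of word t summarises words 1..t."""
    return fwd.run(xs)


def postamble_features(bwd: LSTMCell, xs: List[Vector]) -> List[Vector]:
    """Reverse LSTM: the feature of word t summarises words t..n, re-aligned to original order."""
    return list(reversed(bwd.run(list(reversed(xs)))))


def bilstm_layer(fwd: LSTMCell, bwd: LSTMCell, xs: List[Vector]) -> List[Vector]:
    """Intermediate feature vector per word = [precursor ; postamble] (concatenation assumed)."""
    return [hf + hb for hf, hb in zip(precursor_features(fwd, xs), postamble_features(bwd, xs))]


def embed(tokens: List[str], dim: int) -> List[Vector]:
    """Word embedding layer: a stable per-token pseudo-random vector stands in for a trained table."""
    vecs = []
    for tok in tokens:
        rng = random.Random(zlib.crc32(tok.encode()))   # crc32, not hash(): stable across processes
        vecs.append([rng.uniform(-1.0, 1.0) for _ in range(dim)])
    return vecs


# Layer 1 consumes embeddings; layer 2 consumes layer 1's 2*HID_DIM intermediate vectors.
LAYERS = [(LSTMCell(EMB_DIM, HID_DIM, 1), LSTMCell(EMB_DIM, HID_DIM, 2)),
          (LSTMCell(2 * HID_DIM, HID_DIM, 3), LSTMCell(2 * HID_DIM, HID_DIM, 4))]


def extract_word_features(text: str) -> List[Vector]:
    """Word segmentation (whitespace here) -> embedding -> stacked bidirectional LSTM layers."""
    xs = embed(text.split(), EMB_DIM)
    for fwd, bwd in LAYERS:
        xs = bilstm_layer(fwd, bwd, xs)   # output of layer k is the input of layer k+1
    return xs


def online_feature_vector(text: str) -> Vector:
    """One vector for the whole record: mean over positions of the last layer (pooling assumed)."""
    feats = extract_word_features(text)
    return [sum(col) / len(feats) for col in zip(*feats)]


# Constructed sample record; 203.0.113.0/24 is a documentation address range.
SAMPLE_ONLINE_DATA = "failed ssh login for root from 203.0.113.5 port 22"

if __name__ == "__main__":
    for tok, vec in zip(SAMPLE_ONLINE_DATA.split(), extract_word_features(SAMPLE_ONLINE_DATA)):
        print(f"{tok:12s} {[round(v, 3) for v in vec]}")
```

Each word's intermediate vector has length 2 * HID_DIM because the forward and reverse halves are concatenated; the first word's precursor half depends only on itself, and the last word's postamble half likewise, which is the property the two directions are meant to provide.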
5. The method according to claim 4, further comprising a training step for training the network security event feature extractor based on the long short-term memory network model, the spatial attention module, the network security inter-event correlation feature extractor based on the convolutional neural network model, and the classifier.
6. The method according to claim 5, wherein the training step comprises:
acquiring training data, wherein the training data comprises training network security event historical data, training network security online data, and a true value indicating whether a network security alarm prompt is generated;
passing each training network security event in the training network security event historical data through the network security event feature extractor based on the long short-term memory network model to obtain a plurality of training network security event semantic feature vectors;
arranging the plurality of training network security event semantic feature vectors into a training two-dimensional feature matrix and then passing it through the network security inter-event correlation feature extractor based on the convolutional neural network model to obtain a training network security inter-event correlation feature matrix;
passing the training network security inter-event correlation feature matrix through the spatial attention module to obtain a training network security inter-event correlation strengthening feature matrix;
passing the training network security online data through the network security event feature extractor based on the long short-term memory network model to obtain a training network security online feature vector;
taking the training network security online feature vector as a query feature vector and calculating the product of the training network security online feature vector and the training correlation strengthening feature matrix to obtain a training classification feature vector;
passing the training classification feature vector through the classifier to obtain a classification loss function value;
calculating a pseudo-cyclic difference penalty factor of the training classification feature vector and the training network security online feature vector as a pseudo-cyclic difference penalty loss function value; and
training the network security event feature extractor based on the long short-term memory network model, the spatial attention module, the network security inter-event correlation feature extractor based on the convolutional neural network model and the classifier by back propagation of gradient descent, taking the weighted sum of the classification loss function value and the pseudo-cyclic difference penalty loss function value as the loss function value.
7. The method according to claim 6, wherein passing the training classification feature vector through the classifier to obtain a classification loss function value comprises:
processing the training classification feature vector with the classifier according to the following classification formula to obtain a training classification result: [classification formula not reproduced on this page], wherein the symbols of the formula are the weight matrices of the classifier, the bias vectors of the classifier and the training classification feature vector; and
calculating the cross entropy between the training classification result and the true value as the classification loss function value.
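Claims 6 and 7 together describe the tail of the pipeline: the online feature vector is used as a query and multiplied with the correlation strengthening feature matrix, the result goes through a classifier made of weight matrices and bias vectors, the cross entropy against the true value is the classification loss, and the parameters are updated by gradient descent. The example below is added here and is not the patent's code. It assumes a row-vector times matrix product for the query step, ReLU between the affine layers and softmax after the last one (the claim does not state the activations), a class index as the true value, and it replaces back propagation with central finite differences so that the gradient step runs without any library; all numbers are constructed demo data.

```python
"""Added example: query product, stacked affine classifier, cross-entropy loss and one
gradient step (claims 6 and 7). All numeric values are constructed demo data."""
import math
from typing import List, Tuple

Vector = List[float]
Matrix = List[Vector]


def query_product(query: Vector, strengthened: Matrix) -> Vector:
    """Classification feature vector = query · M (row vector times matrix; orientation assumed)."""
    rows, cols = len(strengthened), len(strengthened[0])
    if len(query) != rows:
        raise ValueError("query length must equal the matrix row count")
    return [sum(query[i] * strengthened[i][j] for i in range(rows)) for j in range(cols)]


def softmax(z: Vector) -> Vector:
    m = max(z)  # shift keeps exp() in range
    e = [math.exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]


def classify(x: Vector, weights: List[Matrix], biases: List[Vector]) -> Vector:
    """Apply W_1..W_n and b_1..b_n in sequence; ReLU between layers and softmax on the
    last layer are this demo's assumptions, not taken from the claim."""
    h = x
    last = len(weights) - 1
    for k, (W, b) in enumerate(zip(weights, biases)):
        h = [sum(w * v for w, v in zip(row, h)) + bk for row, bk in zip(W, b)]
        if k < last:
            h = [max(0.0, v) for v in h]
    return softmax(h)


def cross_entropy(probs: Vector, true_label: int) -> float:
    """Classification loss against the true value (a class index); the clamp avoids log(0)."""
    return -math.log(max(probs[true_label], 1e-12))


def loss(weights: List[Matrix], biases: List[Vector], x: Vector, y: int) -> float:
    return cross_entropy(classify(x, weights, biases), y)


def gradient_descent_step(weights: List[Matrix], biases: List[Vector], x: Vector, y: int,
                          lr: float = 0.05, eps: float = 1e-6) -> Tuple[float, float]:
    """One in-place parameter update. Central finite differences stand in for back
    propagation so the demo stays dependency-free; returns (loss before, loss after)."""
    before = loss(weights, biases, x, y)
    params = [row for W in weights for row in W] + biases   # every parameter row
    grads = []
    for row in params:
        g = []
        for j in range(len(row)):
            orig = row[j]
            row[j] = orig + eps
            up = loss(weights, biases, x, y)
            row[j] = orig - eps
            down = loss(weights, biases, x, y)
            row[j] = orig
            g.append((up - down) / (2 * eps))
        grads.append(g)
    for row, g in zip(params, grads):        # apply all updates together, as one step
        for j in range(len(row)):
            row[j] -= lr * g[j]
    return before, loss(weights, biases, x, y)


# Constructed demo data: a 3-element online feature vector as the query, a 3x4
# correlation strengthening matrix and a two-layer classifier (4 -> 3 -> 2).
QUERY: Vector = [0.2, 0.5, 0.3]
STRENGTHENED: Matrix = [[0.1, 0.4, 0.0, 0.2], [0.3, 0.1, 0.5, 0.1], [0.2, 0.2, 0.2, 0.4]]
WEIGHTS: List[Matrix] = [[[0.5, -0.2, 0.1, 0.3], [-0.1, 0.4, 0.2, -0.3], [0.2, 0.1, -0.4, 0.5]],
                         [[0.3, -0.5, 0.2], [-0.2, 0.4, 0.1]]]
BIASES: List[Vector] = [[0.0, 0.1, -0.1], [0.05, -0.05]]
TRUE_LABEL = 1   # class 1 = generate a network security alarm prompt (label meaning assumed)

if __name__ == "__main__":
    x = query_product(QUERY, STRENGTHENED)
    print("probabilities before:", [round(p, 4) for p in classify(x, WEIGHTS, BIASES)])
    print("loss before/after one step:", gradient_descent_step(WEIGHTS, BIASES, x, TRUE_LABEL))
```

The pseudo-cyclic difference penalty of claim 8 is not included because its formula is not reproduced on this page; in a full training step its value would be added to the cross entropy with the claimed weighting before the gradient is taken.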
8. The method according to claim 7, wherein calculating a pseudo-cyclic difference penalty factor of the training classification feature vector and the training network security online feature vector as a pseudo-cyclic difference penalty loss function value comprises:
calculating the pseudo-cyclic difference penalty factor of the training classification feature vector and the training network security online feature vector as the pseudo-cyclic difference penalty loss function value according to the following loss formula;
wherein the loss formula is: [loss formula not reproduced on this page]
wherein the symbols of the formula are the training classification feature vector, the training network security online feature vector, the distance matrix between the training classification feature vector and the training network security online feature vector, the Frobenius norm of a matrix, the length of the feature vector, the distance between the training classification feature vector and the training network security online feature vector, the two-norm of a vector, the logarithm with base 2, two weighting hyperparameters, the pseudo-cyclic difference penalty loss function value, vector subtraction and vector addition.
9. A system for monitoring network security events, comprising:
a data acquisition module for acquiring network security event historical data and network security online data;
a first network security event feature extraction module for passing each network security event in the network security event historical data through a network security event feature extractor based on a long short-term memory network model to obtain a plurality of network security event semantic feature vectors;
a network security inter-event correlation feature extraction module for arranging the plurality of network security event semantic feature vectors into a two-dimensional feature matrix and then obtaining a network security inter-event correlation feature matrix through a network security inter-event correlation feature extractor based on a convolutional neural network model;
a spatial attention encoding module for passing the network security inter-event correlation feature matrix through a spatial attention module to obtain a network security inter-event correlation strengthening feature matrix;
a second network security event feature extraction module for passing the network security online data through the network security event feature extractor based on the long short-term memory network model to obtain a network security online feature vector;
a query calculation module for taking the network security online feature vector as a query feature vector and calculating the product of the network security online feature vector and the correlation strengthening feature matrix to obtain a classification feature vector; and
a classification module for passing the classification feature vector through a classifier to obtain a classification result, wherein the classification result indicates whether a network security alarm prompt is generated;
wherein the spatial attention encoding module performs the following on the input data in the forward pass of each layer of the spatial attention module:
convolving the input data to generate a convolution feature map;
pooling the convolution feature map to generate a pooled feature map;
non-linearly activating the pooled feature map to generate an activation feature map;
calculating, at each position, the mean value of the activation feature map along the channel dimension to generate a spatial feature matrix;
calculating a Softmax-like function value for each position of the spatial feature matrix to obtain a spatial score matrix; and
calculating the position-wise product of the spatial feature matrix and the spatial score matrix to obtain a feature matrix;
wherein the feature matrix output by the last layer of the spatial attention module is the network security inter-event correlation strengthening feature matrix.
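The six steps listed for each layer of the spatial attention module are a complete recipe, so the following added example implements them in order and stacks two layers; it is not the patent's code. Assumptions not stated in the claim: a zero-padded 3x3 convolution whose single kernel is shared across channels, 2x2 max pooling as the pooling type, ReLU as the nonlinear activation, an ordinary softmax over all positions as the "Softmax-like" function, and feeding each layer's feature matrix to the next layer as a one-channel map. The input feature map is constructed and stands in for the output of the CNN-based correlation feature extractor.

```python
"""Added example: forward pass of the spatial attention module as listed in claim 9."""
import math
from typing import List

Matrix = List[List[float]]
FeatureMap = List[Matrix]   # indexed [channel][row][col]


def conv2d_same(fmap: FeatureMap, kernel: Matrix) -> FeatureMap:
    """Zero-padded convolution; one kernel shared by every channel (a demo choice)."""
    k, pad = len(kernel), len(kernel) // 2
    out: FeatureMap = []
    for ch in fmap:
        h, w = len(ch), len(ch[0])
        plane = []
        for r in range(h):
            row = []
            for c in range(w):
                acc = 0.0
                for dr in range(k):
                    for dc in range(k):
                        rr, cc = r + dr - pad, c + dc - pad
                        if 0 <= rr < h and 0 <= cc < w:
                            acc += kernel[dr][dc] * ch[rr][cc]
                row.append(acc)
            plane.append(row)
        out.append(plane)
    return out


def max_pool2d(fmap: FeatureMap, k: int = 2) -> FeatureMap:
    """Non-overlapping k x k max pooling per channel (pooling type is an assumption)."""
    return [[[max(ch[r + dr][c + dc] for dr in range(k) for dc in range(k))
              for c in range(0, len(ch[0]) - k + 1, k)]
             for r in range(0, len(ch) - k + 1, k)]
            for ch in fmap]


def relu(fmap: FeatureMap) -> FeatureMap:
    """Nonlinear activation (ReLU assumed)."""
    return [[[max(0.0, v) for v in row] for row in ch] for ch in fmap]


def channel_mean(fmap: FeatureMap) -> Matrix:
    """Spatial feature matrix: mean over channels at every (row, col) position."""
    n = len(fmap)
    return [[sum(ch[r][c] for ch in fmap) / n for c in range(len(fmap[0][0]))]
            for r in range(len(fmap[0]))]


def position_softmax(m: Matrix) -> Matrix:
    """Spatial score matrix: softmax over all positions (the 'Softmax-like' function assumed)."""
    mx = max(v for row in m for v in row)
    e = [[math.exp(v - mx) for v in row] for row in m]
    s = sum(v for row in e for v in row)
    return [[v / s for v in row] for row in e]


def hadamard(a: Matrix, b: Matrix) -> Matrix:
    """Position-wise product of two equally shaped matrices."""
    return [[x * y for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]


def spatial_attention_layer(fmap: FeatureMap, kernel: Matrix) -> Matrix:
    """The six claimed steps for one layer, in order: conv, pool, activate, channel mean,
    position-wise softmax, position-wise product."""
    spatial = channel_mean(relu(max_pool2d(conv2d_same(fmap, kernel))))
    return hadamard(spatial, position_softmax(spatial))


def spatial_attention_module(fmap: FeatureMap, kernels: List[Matrix]) -> Matrix:
    """Stack one layer per kernel; each layer's feature matrix feeds the next as a 1-channel map."""
    current = fmap
    for kernel in kernels:
        current = [spatial_attention_layer(current, kernel)]
    return current[0]   # output of the last layer = correlation strengthening feature matrix


# Constructed 2-channel 8x8 map standing in for the CNN extractor's correlation feature matrix.
SAMPLE_MAP: FeatureMap = [[[math.sin(0.7 * r + 0.3 * c + ch) for c in range(8)] for r in range(8)]
                          for ch in range(2)]
KERNELS: List[Matrix] = [[[0.0, 0.2, 0.0], [0.2, 0.2, 0.2], [0.0, 0.2, 0.0]],   # cross smoothing
                         [[0.0, 0.0, 0.0], [0.0, 1.0, 0.0], [0.0, 0.0, 0.0]]]   # identity

if __name__ == "__main__":
    for row in spatial_attention_module(SAMPLE_MAP, KERNELS):
        print([round(v, 4) for v in row])
```

With an 8x8 input the two pooling steps shrink the output to a 2x2 feature matrix; the score matrix always sums to one across positions, so the position-wise product scales each spatial value by how much attention that position receives relative to the others.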
CN202310678207.3A 2023-06-09 2023-06-09 Monitoring method and system for network security event Active CN116436700B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310678207.3A CN116436700B (en) 2023-06-09 2023-06-09 Monitoring method and system for network security event

Publications (2)

Publication Number Publication Date
CN116436700A CN116436700A (en) 2023-07-14
CN116436700B true CN116436700B (en) 2023-08-22

Family

ID=87083549

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310678207.3A Active CN116436700B (en) 2023-06-09 2023-06-09 Monitoring method and system for network security event

Country Status (1)

Country Link
CN (1) CN116436700B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116937758B (en) * 2023-09-19 2023-12-19 广州德姆达光电科技有限公司 Household energy storage power supply system and operation method thereof

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109918505A (en) * 2019-02-26 2019-06-21 西安电子科技大学 Network security incident visualization method based on text processing
CN114860903A (en) * 2022-04-24 2022-08-05 苏州空天信息研究院 Event extraction, classification and fusion method for the network security field
CN115118513A (en) * 2022-07-04 2022-09-27 贵州电网有限责任公司 Network data access security control method and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11556638B1 (en) * 2021-07-19 2023-01-17 Expel, Inc. Systems and methods for intelligent cybersecurity alert similarity detection and cybersecurity alert handling

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Practice of a scenario-evolution analysis *** based on a long short-term memory model; 李道远; 刘诚傲; 黄昌金; 曾青军; 王庆友; 卢翠平; 吴刘青; Journal of China Academy of Electronics and Information Technology (No. 08); full text *

Also Published As

Publication number Publication date
CN116436700A (en) 2023-07-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant