CN117811846A

CN117811846A - Network security detection method, system, equipment and medium based on distributed system

Info

Publication number: CN117811846A
Application number: CN202410230120.4A
Authority: CN
Inventors: 李仁刚; 范宝余; 赵雅倩; 王立; 张润泽; 赵坤; 郭振华; 鲁璐; 曹芳; 贺蒙
Original assignee: Inspur Electronic Information Industry Co Ltd
Current assignee: Inspur Electronic Information Industry Co Ltd
Priority date: 2024-02-29
Filing date: 2024-02-29
Publication date: 2024-04-02
Anticipated expiration: 2044-02-29
Also published as: CN117811846B

Abstract

The invention discloses a network security detection method, a system, equipment and a medium based on a distributed system, which relate to the field of network security and aim to solve the problem that an edge computing device cannot exert optimal performance by adopting a local network security detection model with a fixed size; after the test safety data set is input into the initial network safety detection model, the neural network depth of the initial network safety detection model is adjusted according to the output values corresponding to the two output network blocks to obtain a local network safety detection model; when the parameter updating condition is met, updating the local network security detection model by using the model parameters of the local network security detection model and the model parameters of the associated computing equipment; and carrying out local network security detection through the updated local network security detection model. The invention can enable the edge computing equipment to exert the optimal local network security detection performance, and reduces the communication overhead and the bandwidth requirement.

Description

Network security detection method, system, equipment and medium based on distributed system

Technical Field

The present invention relates to the field of network security, and in particular, to a network security detection method, system, device, and medium based on a distributed system.

Background

In the field of network security, in order to improve the detection capability of threats such as malicious software, network attack, data leakage and the like, local network security model training can be performed cooperatively by a plurality of edge computing devices and edge cloud servers in a distributed system, and network security detection can be performed through the trained local network security model. Currently, each edge computing device is usually trained by using a model with a fixed size, and different edge computing devices may have different data amounts and requirements, such as edge computing devices with less data, small models are required, some edge computing devices with more data, large models are required, and models with a uniform size cannot meet the requirements of all devices, so that some edge computing devices encounter performance bottlenecks when using models with too large or too small models, and cannot exert optimal network security detection performance.

Therefore, how to provide a solution to the above technical problem is a problem that a person skilled in the art needs to solve at present.

Disclosure of Invention

The invention aims to provide a network security detection method, a system, equipment and a medium based on a distributed system, which can enable edge computing equipment to exert optimal local network security detection performance and reduce communication overhead and bandwidth requirements.

In order to solve the technical problem, the present invention provides a network security detection method based on a distributed system, which is applied to each edge computing device in the distributed system, wherein each edge computing device in the distributed system is divided into a plurality of data like-nature clusters according to similarity, and the network security detection method comprises:

training an initial network security detection model based on local security data, wherein the network of the initial network security detection model comprises a plurality of neural network blocks which are sequentially connected, and the plurality of neural network blocks correspond to different neural network depths;

selecting two output network blocks from the plurality of neural network blocks, inputting a test safety data set into the initial network safety detection model, and adjusting the neural network depth of the initial network safety detection model according to output values corresponding to the two output network blocks to obtain a local network safety detection model;

When the parameter updating condition is met, updating the local network security detection model by using the model parameters of the local network security detection model and the model parameters of the associated computing equipment; the associated computing device is an edge computing device which is in the same data homopolarity cluster with the associated computing device and is connected with the associated computing device;

and carrying out local network security detection through the updated local network security detection model.

The process of adjusting the neural network depth of the initial network security detection model to obtain the local network security detection model according to the output values corresponding to the two output network blocks comprises the following steps:

acquiring a first output value corresponding to a first output network block and a second output value corresponding to a second output network block, wherein the neural network depth of the first output network block is smaller than that of the second output network block;

determining a depth adjustment strategy based on the first output value and the second output value;

and adjusting the neural network depth of the initial network security detection model according to the depth adjustment strategy to obtain a local network security detection model.

Wherein determining a depth adjustment strategy based on the first output value and the second output value comprises:

Determining an absolute value of a difference between the first output value and the second output value;

determining a depth adjustment direction based on a magnitude relation of the first output value and the second output value; the depth adjustment direction is depth backspacing or depth deepening;

determining an adjustment condition which is met by the performance gap between the shallow network model and the deep network model based on the magnitude relation between the absolute value and the preset value; the shallow network model is obtained based on a first output network block, the deep network model is obtained based on a second output network block, and the adjustment condition is an instant adjustment condition or a stepping adjustment condition;

and determining a depth adjustment strategy based on the depth adjustment direction and the adjustment condition satisfied by the performance gap.

Wherein determining the depth adjustment direction based on the magnitude relation of the first output value and the second output value comprises:

when the first output value is larger than the second output value, the depth adjustment direction is the depth rollback;

and when the first output value is smaller than the second output value, the depth adjusting direction deepens the depth.

The process of determining the adjustment condition satisfied by the performance gap between the shallow network model and the deep network model based on the magnitude relation between the absolute value and the preset value comprises the following steps:

When the absolute value is smaller than the preset value, determining that the performance gap between the shallow network model and the deep network model meets the step adjustment condition;

and when the absolute value is larger than or equal to the preset value, determining that the performance gap between the shallow network model and the deep network model meets the instant adjustment condition.

Wherein determining a depth adjustment strategy based on the adjustment conditions satisfied by the depth adjustment direction and the performance gap comprises:

when the depth adjustment direction is the depth rollback and the performance gap meets the instant adjustment condition, determining the depth adjustment strategy as a depth rollback instant adjustment strategy;

the process of adjusting the neural network depth of the initial network security detection model according to the depth adjustment strategy to obtain the local network security detection model comprises the following steps:

when the depth adjustment strategy is the depth rollback instant adjustment strategy, calculating the rollback depth by using a first relation corresponding to the depth rollback instant adjustment strategy;

adjusting the neural network depth of the initial network security detection model according to the rollback depth to obtain a local network security detection model;

The first relation is f ₁ （k）=η×e ^k ，f ₁ (k) For the back-off depth, η is a super parameter and k is the absolute value.

when the depth adjustment direction is the depth rollback and the performance gap meets the step adjustment condition, determining that the depth adjustment strategy is a depth rollback step adjustment strategy, and writing the step rollback serving as a current record into a preset storage space;

and when the depth adjustment strategy is the depth rollback stepping adjustment strategy, acquiring a continuous preset number of records including the current record in the preset storage space, and if the continuous preset number of records including the current record are all the stepping rollback, backing the neural network depth of the initial network security detection model by one layer to obtain a local network security detection model.

When the depth adjustment direction is the depth deepening and the performance gap meets the instant adjustment condition, determining the depth adjustment strategy as a depth deepening instant adjustment strategy;

when the depth adjustment strategy is the depth deepening instant adjustment strategy, calculating the deepening depth by using a second relation corresponding to the depth deepening instant adjustment strategy;

adjusting the neural network depth of the initial network security detection model according to the deepened depth to obtain a local network security detection model;

the second relation is f ₂ （k）=η×e ^k ，f ₂ (k) For deepening depth, η is a super parameter and k is the absolute value.

when the depth adjustment direction is the depth deepening and the performance gap meets the step adjustment condition, determining the depth adjustment strategy as a depth deepening step adjustment strategy, and writing the step deepening serving as a current record into a preset storage space;

and when the depth adjustment strategy is the depth deepening step adjustment strategy, acquiring continuous preset number of records including the current record in the preset storage space, and deepening the neural network depth of the initial network security detection model by one layer if the continuous preset number of records including the current record are the step deepening, so as to obtain a local network security detection model.

Wherein the process of selecting two output network blocks among the plurality of neural network blocks includes:

two adjacent neural network blocks are selected from the plurality of the neural network blocks as output network blocks.

Wherein updating the local network security detection model using the model parameters of the local network security detection model and the model parameters of the associated computing device comprises:

obtaining model parameters of the local network security detection model, and sending the model parameters of the local network security detection model to each associated computing device;

receiving model parameters sent by each associated computing device;

Calculating a neighborhood average value of the model parameters of the local network security detection model and the model parameters sent by each associated calculation device;

and updating the local network security detection model based on the neighborhood average value.

The process of obtaining the model parameters of the local network security detection model and sending the model parameters of the local network security detection model to each associated computing device comprises the following steps:

and obtaining model parameters of standard depth of the local network security detection model, and sending the model parameters of the standard depth to each associated computing device.

After receiving the model parameters sent by each associated computing device, the network security detection method further comprises the following steps:

judging whether the neural network depth corresponding to the model parameters sent by the associated computing equipment is larger than the neural network depth of the local network security detection model or not according to the model parameters sent by each associated computing equipment, if so, determining the model parameters which are the same as the neural network depth of the local network security detection model in the model parameters sent by the associated computing equipment as target model parameters, and if not, determining the model parameters sent by the associated computing equipment as target model parameters;

The process of calculating the neighborhood average value for the model parameters of the local network security detection model and the model parameters sent by each associated calculation device comprises the following steps:

and calculating a neighborhood average value for the model parameters of the local network security detection model and each target model parameter.

Wherein after updating the local network security detection model with the model parameters of the local network security detection model and the model parameters of the associated computing device, the network security detection method further comprises:

when the cluster aggregation condition is met and the cluster aggregation condition is not the cluster head equipment, the model parameters of the local network security detection model are sent to the cluster head equipment of the data like clusters where the local network security detection model is located, so that the cluster head equipment obtains global model parameters in the cluster according to the model parameters of all edge computing equipment in the data like clusters where the local network security detection model is located;

and when the global model parameters in the cluster are acquired, updating the local network security detection model by utilizing the global model parameters in the cluster so as to carry out local network security detection through the updated local network security detection model.

The process of obtaining global model parameters in clusters according to the model parameters of all edge computing devices in the data homography clusters comprises the following steps:

Calculating global model parameters in the cluster by using a third relational expression, wherein the third relational expression is；

Wherein alpha is a super parameter,intra-cluster global model parameters of the t-th round stored for the cluster head device of the c-th data-like cluster, are stored>Global model parameters in the t+1st round for the c-th data-like cluster, c being the sequence number of the data-like cluster,>device set N for the data homography cluster _i Model parameters, N of the jth associated computing device after the jth round of updating for the first time _i A device set of associated computing devices having a connection relationship with an ith edge computing device in the data-like-cluster, i being a sequence number of the edge computing device in the data-like-cluster, j being a sequence number of the associated computing device in the device set, |N _i I is the total number of edge computing devices in the data-like cluster.

Wherein, when the intra-cluster global model parameter is obtained, after the local network security detection model is updated by using the intra-cluster global model parameter, the network security detection method further comprises:

when a global condition is met and the cluster head equipment is the cluster head equipment, the intra-cluster global model parameters are sent to an edge cloud server in the distributed system, so that the edge cloud server obtains a global model based on intra-cluster global model parameters sent by all the cluster head equipment of the data-like clusters in the distributed system;

And after receiving the global model, updating the model parameters of the local network security detection model based on the model parameters of the global model so as to carry out local network security detection through the updated local network security detection model.

The process of obtaining the global model based on the intra-cluster global model parameters sent by the cluster head devices of all the data-like clusters in the distributed system comprises the following steps:

calculating a global model by using a fourth relation; the fourth relation is；

Wherein C is the number of the cluster head devices,for the global model of round t+1, -/->Model parameters for the c-th data-like cluster at the t+1st round with respect to the data sample loss function L, c being the sequence number of the data-like cluster.

Before the initial network security detection model is trained based on the local security data, the network security detection method further comprises the following steps:

and receiving connection relations of the data homography clusters divided by the edge cloud server based on the similarity and all edge computing devices in the data homography clusters, so as to determine corresponding associated computing devices based on the data homography clusters and the connection relations.

The process of dividing the data homography clusters by the edge cloud server in the distributed system based on the similarity comprises the following steps:

An edge cloud server in the distributed system acquires test results obtained by each edge computing device in the distributed system based on the test safety data set;

constructing weighted undirected graphs among all the edge computing devices according to the similarity of the test results of all the edge computing devices;

and dividing all the edge computing devices by using the weighted undirected graph to obtain a plurality of data homography clusters.

In order to solve the above technical problem, the present invention further provides a network security detection system based on a distributed system, which is applied to each edge computing device in the distributed system, where each edge computing device in the distributed system is divided into a plurality of data homography clusters according to similarity, and the network security detection system includes:

the training module is used for training an initial network security detection model based on local security data, wherein the network of the initial network security detection model comprises a plurality of neural network blocks which are sequentially connected, and the plurality of neural network blocks correspond to different neural network depths;

the selection module is used for selecting two output network blocks from the plurality of the neural network blocks, inputting a test safety data set into the initial network safety detection model, and adjusting the neural network depth of the initial network safety detection model according to output values corresponding to the two output network blocks to obtain a local network safety detection model;

The updating module is used for updating the local network security detection model by using the model parameters of the local network security detection model and the model parameters of the associated computing equipment when the parameter updating conditions are met; the associated computing device is an edge computing device which is in the same data homopolarity cluster with the associated computing device and is connected with the associated computing device;

and the detection module is used for carrying out local network security detection through the updated local network security detection model.

In order to solve the above technical problem, the present invention further provides an edge computing device, including:

a memory for storing a computer program;

a processor for implementing the steps of the distributed system based network security detection method as claimed in any one of the preceding claims when executing the computer program.

In order to solve the above technical problem, the present invention further provides a distributed system, including:

a plurality of edge computing devices as described above;

and the edge cloud server is used for outputting a test data set and clustering results to each edge computing device, wherein the clustering results comprise data homography clusters where the edge computing devices are located and associated computing devices connected with the edge computing devices.

To solve the above technical problem, the present invention further provides a computer readable storage medium, where a computer program is stored, where the computer program, when executed by a processor, implements the steps of the network security detection method based on a distributed system as described in any one of the above.

The invention provides a network security detection method based on a distributed system, wherein the neural network depth of a local network security detection model of each edge computing device in the distributed system can be dynamically adjusted so as to better adapt to the requirements of diversified tasks, so that the edge computing device can exert optimal local network security detection performance, and meanwhile, the edge computing device can update model parameters in a data homography cluster without uploading model parameters to an edge cloud server during each communication, thereby reducing communication overhead and bandwidth requirements. The invention also provides a network security detection system based on the distributed system, edge computing equipment, the distributed system and a computer readable storage medium, and the network security detection system based on the distributed system has the same beneficial effects as the network security detection method based on the distributed system.

Drawings

For a clearer description of embodiments of the present invention, the drawings that are required to be used in the embodiments will be briefly described, it being apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to the drawings without inventive effort for those skilled in the art.

FIG. 1 is a flow chart of steps of a network security detection method based on a distributed system according to the present invention;

FIG. 2 is a schematic diagram of a heterogeneous distributed system according to the present invention;

FIG. 3 is a schematic diagram of a neural network model according to the present invention;

FIG. 4 is a schematic diagram of a weighted undirected graph according to the present invention;

FIG. 5 is a schematic view of a cluster according to the present invention;

fig. 6 is a schematic structural diagram of a network security detection system based on a distributed system according to the present invention;

FIG. 7 is a schematic diagram of an edge computing device according to the present invention;

FIG. 8 is a schematic diagram of a distributed system according to the present invention;

fig. 9 is a schematic structural diagram of a computer readable storage medium according to the present invention.

Detailed Description

The core of the invention is to provide a network security detection method, a system, equipment and a medium based on a distributed system, which can enable edge computing equipment to exert optimal local network security detection performance and reduce communication overhead and bandwidth requirements.

For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.

Referring to fig. 1, fig. 1 is a flowchart illustrating steps of a network security detection method based on a distributed system, where the network security detection method is applied to each edge computing device in the distributed system, each edge computing device in the distributed system is divided into a plurality of data like clusters according to similarity, fig. 2 is a schematic structural diagram of the distributed system, which includes an edge cloud server and a plurality of edge computing devices, any two edge computing devices may have data interaction or may not have data interaction, each edge computing device interacts with the edge server, and the network security detection method is described below by taking one edge computing device as an example, where the network security detection method includes:

S101: training an initial network security detection model based on local security data, wherein the network of the initial network security detection model comprises a plurality of neural network blocks which are sequentially connected, and the plurality of neural network blocks correspond to different neural network depths;

in this embodiment, the edge computing device performs model training by using local security data to obtain an initial network security detection model, where the initial network security detection model is formed by stacking a plurality of Block modules (neural network blocks) with a fixed layer structure, each neural network Block includes a convolution layer, a batch normalization layer, a pooling layer and an activation function, and connection of each neural network Block should satisfy consistency of an overall network structure, so as to ensure that each neural network Block of the network can cooperatively work, effectively process input data, and enable gradients to correctly propagate and update parameters. In this embodiment, block numbers are allocated to each neural network Block, as shown in fig. 3, B1, B2, …, and BT are sequentially set from a shallow layer to a deep layer, an initial state of a local network security detection model of each edge computing device is defined as a neural network Block connected by numbers B1, B2, …, and BT, an output layer of each neural network Block is connected to a model depth switching controller, specifically, the model depth switching controller may be connected to any 2 neural network blocks with different neural network depths, the model depth switching controller is connected to an output layer module, the output layer module includes a plurality of full connection layers and an activation function layer, and converts a backbone network feature into an output probability, and in this embodiment, the output layer module includes two branched output layers, which are respectively connected to the model depth switching controller. At initial training, the model depth switch controller is connected to a shallower neighboring layer 2 neural network block, the depth value being determined by the initialization parameter h, which may be set to 5 as an alternative embodiment.

S102: selecting two output network blocks from the multiple neural network blocks, inputting the test safety data set into an initial network safety detection model, and adjusting the neural network depth of the initial network safety detection model according to output values corresponding to the two output network blocks to obtain a local network safety detection model;

in order to obtain a more accurate neural network depth, in this embodiment, after a model training period is fixed, a local network security detection model is tested based on a test data set, where the test data set is issued by an edge cloud server, and each edge computing device tests an initial network security detection model based on the same test data set. In this embodiment, the test may be performed after the local network security detection model is trained C times, where C is a super parameter.

Firstly, selecting two output network blocks from a plurality of neural network blocks, connecting an output layer of a first output network block with a first access end of a model depth switching controller, connecting an output layer of a second output network module with a second access end of the model depth switching controller, connecting an output layer of a first branch of the output layer module with a first output end of the model depth switching controller, connecting an output layer of a second branch of the output layer module with a second output end of the model depth switching controller, inputting a test data set into an initial network security detection model, acquiring test results of all test samples, outputting the test results at the output layer module, wherein an output value of the output layer of the first branch in the output layer module is a test result of the first output network block, and an output value of the output layer of the second branch in the output layer module is a test result of the second output network block. For the classification task, the classification task results of all the test samples are obtained and judged, and the average value of the accuracy is obtained.

The output layer module sends output results of the test data sets corresponding to the two branches of different neural network depths into a decision maker, the decision maker judges whether to change the neural network depth of the initial network security detection model, if so, the current neural network depth of the initial network security detection model is subjected to rollback adjustment or deepening adjustment according to the corresponding adjustment strategy to obtain a local network security detection model, so that the edge computing equipment can play an optimal network security detection performance.

S103: when the parameter updating condition is met, updating the local network security detection model by using the model parameters of the local network security detection model and the model parameters of the associated computing equipment; the associated computing device is an edge computing device which is in the same data homography cluster with the associated computing device and is connected with the associated computing device;

s104: and carrying out local network security detection through the updated local network security detection model.

It can be appreciated that, in the existing federal learning scheme, all edge computing devices need to send the local network security detection model to the edge cloud server for aggregation, the edge cloud server has limited bandwidth, transmission of a large number of model parameters can affect efficiency of model replacement of federal learning, in addition, data isomerism exists in a data set stored by the edge computing devices, and simply aggregating a plurality of models can cause offset errors in different federal computing devices of the federal aggregated models, because the federal aggregated models are comprehensive models integrating data characteristics of all federal devices, and even model degradation can occur. Based on this, the present embodiment first clusters each edge computing device in a heterogeneous distributed system based on the data heterogeneity of each edge computing device.

In an exemplary embodiment, before training the initial network security detection model based on the local security data, the network security detection method based on the distributed system further includes:

an edge cloud server in the distributed system is received, and based on the similarity, the data homography clusters are divided and the connection relation of all edge computing devices in the data homography clusters is divided, so that corresponding associated computing devices are determined based on the data homography clusters and the connection relation.

In an exemplary embodiment, a process for partitioning data homography clusters based on similarity by an edge cloud server in a distributed system includes:

an edge cloud server in the distributed system acquires test results obtained by each edge computing device in the distributed system based on a test safety data set;

constructing weighted undirected graphs among all edge computing devices according to the similarity of test results of all edge computing devices;

all edge computing devices are divided by the weighted undirected graph to obtain a plurality of data homography clusters.

Assuming a total of N edge computing devices, the present embodiment first builds a weighted undirected graph between all devices. Firstly, all edge computing equipment performs 1-time local data model training, namely the edge computing equipment performs training by using a local safety data set to obtain a local network safety detection model. The edge cloud server searches public data from the public network, a test data set oriented to the federal learning task is constructed, the test data set is sent to each edge computing device, the edge computing devices store the test data set, meanwhile, the local network security detection model is used for testing the public data set to obtain a test result, the test result is uploaded to the edge cloud server, and because the self-owned data used by the edge computing devices has data isomerism, namely, the data of each edge computing device is limited and mostly only contains samples of limited types, the structure for testing by using the test data set is different, and deviation exists. All edge computing devices upload test results of the public test data set to an edge cloud server, and the edge cloud server establishes a right undirected graph by using the test results of all the devices.

Specifically, the edge cloud server calculates the similarity of the test results of all edge computing devices by using a vector similarity calculation method, for example, a Jaccard similarity coefficient calculation method, and performs neighbor ranking. Jaccard similarity coefficients are commonly used to calculate the similarity between sets, and can also be used to calculate the similarity of binary vectors. For two binary vectors A and B, the Jaccard similarity coefficient is calculated as: similarity= |aΣb|/|aζ where aζb represents the intersection of vectors a and B and aζb represents the union of vectors a and B. For example, the test result of the A device is a binary vector [1,0, … … 1,0], the classification result of the B device is also a binary vector [0,1, 0, … … 1,0], the use of Jaccard similarity coefficients to calculate the result similarity between devices a and B is merely a specific example of proving the result similarity between edge computing devices, and is not intended to be a mere protection of this calculation.

The edge cloud server traverses test results of all edge computing devices, calculates the result similarity of each edge computing device and other edge computing devices, constructs edges between the edge computing devices and other edge computing devices according to the value of the result similarity, namely, constructs a connecting edge between the two similar edge computing devices when the value of the result similarity is larger than P, wherein the value of the edge is the calculation result of the result similarity, P is a threshold value which is initially set, when the value of the result similarity is smaller than P, the relation establishment of the connecting edge between the two edge computing devices is not carried out, the established weighted undirected graph between all edge computing devices can be shown by referring to FIG. 4, and 6 edge computing devices, namely, devices 1-6, are respectively shown in FIG. 4.

Each edge computing device in the weighted undirected graph is initialized to a separate homography cluster, i.e., the label of each edge computing device is initially the identity of the edge computing device itself. For each edge computing device, considering the labels of the neighbor edge computing devices, traversing each edge computing device, carrying out iterative updating according to a fixed sequence or a random sequence, for the current edge computing device, collecting the labels of the neighbor edge computing devices, counting the occurrence times of each label in the neighbor edge computing devices, selecting the label with the largest occurrence times in the neighbor edge computing devices as a new label of the current edge computing device, and updating the label of the current edge computing device as the new label. After each iteration, checking the change condition of the label, judging the change quantity by comparing the label of the current iteration with the label of the previous iteration, if the change quantity of the label is smaller than a set threshold value, namely the label is basically stable and does not change any more, considering that the algorithm converges, and if the label is still changing, continuing the iteration label propagation step. If the algorithm converges, i.e., the tag no longer changes significantly, the iteration terminates. If the tag is still changing, the tag propagation iteration is continued.

After the algorithm converges, a final label propagation result is obtained, edge computing devices with the same label are divided into the same data identity clusters, a final division result is obtained, and each data identity cluster is an edge computing device set with the same label. The edge cloud server sends the divided data identity clusters and intra-cluster connection relations to all edge computing devices, each edge computing device can obtain the device number of the edge computing device connected with own data identity, model parameter updating is carried out on the edge computing device and the neighboring edge computing device of the same cluster by using the device number, the divided data identity clusters are shown in fig. 5, according to the divided data identity clusters, if a label A represents one data identity cluster, a label B represents one data identity cluster, the label A comprises a device 1 and a device 2, and the label B comprises a device 3-a device 6: the edge computing device that is closer to the other edge computing devices or that communicates fastest with the remaining edge computing devices within the data-like cluster is selected as the cluster head. This can reduce the communication distance and delay and improve the communication efficiency. The edge cloud server selects cluster heads of each data-like cluster through the communication rate of data exchange with all edge computing devices, and sends the edge computing device numbers of the cluster heads to the edge computing devices of the cluster.

When the parameter updating condition is met, the local network security detection model is updated by using the model parameters of the local network security detection model and the model parameters of the associated computing equipment, wherein the associated computing equipment is the edge computing equipment which is in the same data homography cluster as the local edge computing equipment and has a connecting edge with the local edge computing equipment, and in the cluster model updating process, each edge computing equipment firstly carries out a model parameter aggregation process with the associated edge computing equipment connected in the cluster, so that the model convergence can be accelerated, the classification of the homography equipment in the cluster is more accurate, and the model aggregation update among the equipment with the data type most similar to the other equipment is carried out to obtain more information.

After the local network security detection model is updated by using the model parameters of the local network security detection model and the model parameters of the associated computing equipment, the local network security detection is performed by using the local network security detection model, so that the edge computing equipment can exert the optimal local network security detection performance.

Therefore, in this embodiment, the depth of the neural network of the local network security detection model of each edge computing device in the distributed system may be dynamically adjusted, so as to better adapt to the requirements of diversified tasks, so that the edge computing device may exert the optimal local network security detection performance, and meanwhile, the edge computing device may update the model parameters in the data like-nature cluster, without uploading the model parameters to the edge cloud server during each communication, thereby reducing communication overhead and bandwidth requirements.

Based on the above embodiments:

in an exemplary embodiment, the process of adjusting the neural network depth of the initial network security detection model according to the output values corresponding to the two output network blocks to obtain the local network security detection model includes:

and adjusting the neural network depth of the initial network security detection model according to the depth adjustment strategy to obtain the local network security detection model.

In this embodiment, the first output network block is shallower than the second output network block, the output value of the output branch corresponding to the shallow output network block is denoted as q, the output value of the output branch corresponding to the deep output network block is denoted as d, and the absolute value k= |q-d| of the difference between the shallow-deep data output values is obtained. It will be appreciated that the depth adjustment direction may be determined according to the magnitude relationship between q and d, and the size of the performance gap between the deep network model and the shallow network model may be determined according to the magnitude relationship between k and the preset value beta.

In an exemplary embodiment, determining a depth adjustment policy based on the first output value and the second output value includes:

determining an adjustment condition which is met by the performance gap between the shallow network model and the deep network model based on the magnitude relation between the absolute value and the preset value; the shallow layer network model is obtained based on the first output network block, the deep layer network model is obtained based on the second output network block, and the adjusting condition is an instant adjusting condition or a stepping adjusting condition;

a depth adjustment strategy is determined based on the adjustment conditions satisfied by the depth adjustment direction and the performance gap.

In an exemplary embodiment, determining the depth adjustment direction based on the magnitude relation of the first output value and the second output value includes:

when the first output value is larger than the second output value, the depth adjustment direction is depth rollback;

when the first output value is smaller than the second output value, the depth adjusting direction is deepened.

In an exemplary embodiment, the process of determining the adjustment condition satisfied by the performance gap between the shallow network model and the deep network model based on the magnitude relation between the absolute value and the preset value includes:

When the absolute value is smaller than a preset value, determining that the performance gap between the shallow network model and the deep network model meets a step adjustment condition;

when the absolute value is larger than or equal to a preset value, determining that the performance gap between the shallow network model and the deep network model meets the instant adjustment condition.

In an exemplary embodiment, the process of determining a depth adjustment strategy based on the adjustment conditions satisfied by the depth adjustment direction and the performance gap includes:

when the depth adjustment direction is depth rollback and the performance gap meets the instant adjustment condition, determining the depth adjustment strategy as the instant depth rollback adjustment strategy;

the process of obtaining the local network security detection model by adjusting the neural network depth of the initial network security detection model according to the depth adjustment strategy comprises the following steps:

when the depth adjustment strategy is a depth rollback immediate adjustment strategy, calculating the rollback depth by using a first relational expression corresponding to the depth rollback immediate adjustment strategy;

the first relation is f ₁ （k）=η×e ^k ，f ₁ (k) For the back-off depth, η is a super parameter and k is an absolute value.

In this embodiment, if q > d and k > beta, it is indicated that the output result of the shallow network model is better than the output result of the deep network model, and the performance gap is large. The decision maker outputs a depth rollback decision, the rollback depth being determined by the first relation.

when the depth adjustment direction is depth rollback and the performance gap meets the step adjustment condition, determining the depth adjustment strategy as a depth rollback step adjustment strategy, and writing the step rollback as a current record into a preset storage space;

when the depth adjustment strategy is the depth rollback stepping adjustment strategy, acquiring continuous preset number of records including the current record in the preset storage space, and if the continuous preset number of records including the current record are all stepwise rollback, deeply rollback the neural network of the initial network security detection model by one layer to obtain the local network security detection model.

In this embodiment, if q > d and k < beta, it is indicated that the shallow network model output result is better than the deep network model output result, and the performance improvement is smaller, and the model depth may need to be adjusted stepwise, but not immediately. The decision maker records the result into a memory unit of the decision maker, the decision maker reads the latest 3 recorded results of the memory unit to judge, and if the decision maker finds that the stepping back is needed for 3 times continuously, the decision maker outputs a depth back decision and backs 1 layer.

when the depth adjustment direction is depth deepening and the performance gap meets the instant adjustment condition, determining the depth adjustment strategy as the instant depth deepening adjustment strategy;

when the depth adjustment strategy is a depth deepening instant adjustment strategy, calculating the deepening depth by using a second relational expression corresponding to the depth deepening instant adjustment strategy;

the second relation is f ₂ （k）=η×e ^k ，f ₂ (k) For deepening depth, η is a super parameter and k is an absolute value.

In this embodiment, if q < d and k > beta, it is indicated that the deep network model output result is better than the shallow network model output result, and the performance gap is large. The decision maker outputs a deepening decision and the second relation of the deepening depth is obtained.

When the depth adjustment direction is depth deepening and the performance difference meets the step adjustment condition, determining the depth adjustment strategy as a depth deepening step adjustment strategy, and writing the step deepening as a current record into a preset storage space;

and when the depth adjustment strategy is a depth deepening step adjustment strategy, acquiring continuous preset number of records including the current record in the preset storage space, and deepening the neural network depth of the initial network security detection model by one layer to obtain the local network security detection model if the continuous preset number of records including the current record are step deepening.

In this embodiment, if q < d and k < beta, it is indicated that the deep network model output result is better than the shallow network model output result, and the performance improvement is smaller, the model depth may need to be deepened step by step, but not adjusted immediately. The decision maker records the result into a memory unit of the decision maker, the decision maker reads the latest 3 recorded results of the memory unit to judge, and if the decision maker finds that the step deepens is needed for 3 times continuously, the decision maker outputs a depth deepening decision to deepen 1 layer.

The depth adjustment mechanism in this embodiment can deepen and lighten, can quickly adjust and slowly control, and the decision maker with higher flexibility feeds back the output decision to the model depth switching controller, and the depth model controller executes depth switching and performs corresponding deepening or rollback switching according to the existing model depth reference layer.

In an exemplary embodiment, the process of selecting two output network blocks among the plurality of neural network blocks includes:

two adjacent neural network blocks are selected from the plurality of neural network blocks as output network blocks.

The model adaptive growth provided in this embodiment solves the limitation of the traditional fixed size model by gradually increasing the model capacity and complexity on the edge computing device, and can handle diversified tasks: as federal learning involves more different types of tasks and data, model adaptive growth allows for increasing the capacity of the model on local devices according to the complexity of the task, thereby better accommodating the requirements of diverse tasks; the model performance can be improved: by gradually increasing the capacity of the model, the adaptive growth of the model can overcome the capacity limit possibly encountered by the model with fixed size, thereby improving the performance and the representation capacity of the model and being beneficial to better capturing the characteristics and modes of data; communication overhead can be reduced: in traditional federal learning, complete model parameters are required to be uploaded for each communication, and the adaptive growth of the model allows more local training and updating on local equipment, so that the communication cost and the bandwidth requirement are reduced; data privacy can be improved: in model adaptive growth, training data on the device can be left more local, and only incremental parameters of the model need to be uploaded, which helps to improve data privacy protection.

In an exemplary embodiment, the process of updating the local network security detection model with model parameters of the local network security detection model and model parameters of an associated computing device includes:

obtaining model parameters of a local network security detection model, and sending the model parameters of the local network security detection model to each associated computing device;

receiving model parameters sent by each associated computing device;

calculating a neighborhood average value of model parameters of the local network security detection model and model parameters sent by each associated calculation device;

In this embodiment, it is assumed that all edge computing devices are divided into C clusters, formed by the set { s } ₁ ，…，s _c ' th cluster s _k Comprising n _k =|s _k I edge devices. In the federal learning system, each edge computing device i is based on its own dataset D _i And training a personalized local network security detection model of the equipment according to a self-adaptive model growth algorithm. The local empirical loss function of the data distribution at the edge computing device i is

；

In the method, in the process of the invention,is->Is a loss function of->Parameters for two outlets of the local network security detection model,is the parameter set of the whole local network security detection model, D _i For the local dataset, |D _i I is the total amount of data samples, +.>Loss function for data samples, +_>For data samples in the local dataset that participate in iterative training,quantifying data samples for a sample loss function of two export associations of a local network security detection modelPrediction error on the same.

The primary goal of the hierarchical aggregated federal learning algorithm is to optimize global model parameters to minimize the global loss function associated with all devices。

Wherein,is a model parameter of the global network model, +.>Loss value of model parameters for the global network model, N is the total number of edge computing devices in the distributed system,/->Is cluster S _k The ith edge in (a) calculates the model parameters of the device, i e (1, 2, 3..n) _k -1,n _k ），n _k Is cluster S _k The total number of edge computing devices, k is the number of data-like clusters, k e (1, 2, 3..c-1, C), C is the total number of clusters in the distributed system.

In hierarchical aggregation federal learning, the training process is divided into 3 steps of local network security detection model updating, intra-cluster aggregation and global aggregation, and the combination of the steps is called a training round.

Updating a local network security detection model: each edgeThe edge computing device updates the local network security detection model using (Stochastic gradient descent, random gradient descent) algorithm. In training of The next iteration update process is that

；

In the method, in the process of the invention,for the model parameters of the local network security detection model of the ith edge computing device after the ith iteration update of the ith round, i is the serial number of the edge computing device in the data identity cluster, and>computing device at wheel t for ith edgelModel parameters before iterative updating +.>Is the t-th wheellLearning rate of iterative update +_>In the form of a hamiltonian,participation in round t for local datasetlData samples updated for a second iteration, +.>Is the t-th wheellThe sample loss function updated for the next iteration.

Edge computing devices within the same data-like clusterAnd after the iterative updating, performing one-time intra-cluster model aggregation. Device i e s _k Numbering the local network security detection model +.>Connecting a neural network block as a parameter for local network security detection model update>And broadcast to associated computing devices j e N adjacent thereto within the data-like clusters _i And at the same time from N _i And (3) calculating a neighborhood average value by the receiving model parameters to update a local network security detection model in the local edge computing device.

In an exemplary embodiment, the process of obtaining model parameters of the local network security detection model and transmitting the model parameters of the local network security detection model to each associated computing device includes:

And obtaining the model parameters of the standard depth of the local network security detection model, and sending the model parameters of the standard depth to each associated computing device.

In an exemplary embodiment, after receiving the model parameters sent by each associated computing device, the network security detection method further includes:

the process of calculating the neighborhood average value for the model parameters of the local network security detection model and the model parameters sent by each associated computing device comprises the following steps:

and calculating a neighborhood average value for the model parameters of the local network security detection model and the model parameters of each target model.

In the cluster aggregation process of adjacent edge computing equipment, because the neural network depth of each edge computing equipment is different, each edge computing equipment only transmits model Block parameters of standard depth, an output layer module of the edge computing equipment does not participate in aggregation, if receiving equipment receives model parameters deeper than the receiving equipment, only model parameters of depth corresponding to the receiving equipment are taken for aggregation, otherwise, if the edge computing equipment receives model parameters shallower than the receiving equipment, the edge computing equipment can directly aggregate. In the process of updating the model in the cluster, each edge computing device and the neighbor edge computing devices connected in the cluster are subjected to the model parameter aggregation process, so that model convergence can be accelerated, classification of the homopolar devices in the cluster is more accurate, and the model aggregation between the devices with the most similar data types is updated to obtain more information.

In an exemplary embodiment, after updating the local network security detection model with the model parameters of the local network security detection model and the model parameters of the associated computing device, the network security detection method further comprises:

when the cluster aggregation condition is met and the cluster aggregation condition is not the cluster head equipment, the model parameters of the local network security detection model are sent to the cluster head equipment of the data homography cluster where the local network security detection model is located, so that the cluster head equipment obtains global model parameters in the cluster according to the model parameters of all edge computing equipment in the data homography cluster where the local network security detection model is located;

and when the global model parameters in the cluster are acquired, updating the local network security detection model by using the global model parameters in the cluster so as to carry out local network security detection through the updated local network security detection model.

In an exemplary embodiment, the process of deriving intra-cluster global model parameters from model parameters of all edge computing devices in a data-like cluster comprises:

Wherein alpha is a super parameter,intra-cluster global model parameters of the t-th round stored for the cluster head device of the c-th data-like cluster, are stored >Global model in-cluster global model parameters of the t th round stored for the c-th data-like cluster in-cluster head device of the c-th round in-cluster+1, c being the sequence number of the data-like cluster,/o>Device set N for the data homography cluster _i Model parameters, N of the jth associated computing device after the jth round of updating for the first time _i A device set of associated computing devices having a connection relationship with an ith edge computing device in the data-like-cluster, i being a sequence number of the edge computing device in the data-like-cluster, j being a sequence number of the associated computing device in the device set, |N _i I is the total number of edge computing devices in the data-like cluster.

In the present embodiment, when the iteration number l isWhen the edge computing devices in all the data homography clusters are integer multiples of the model parameters +.>Transmitting to a cluster head, and carrying out cluster global model parameter aggregation to obtain +.>；

Wherein the constant α is a hyper-parameter.Intra-cluster model parameters of the t-th round stored for the cluster head,>representing the intra-cluster model aggregation parameters of the t+1 round after updating.

In an exemplary embodiment, after the global model parameters in the cluster are acquired and the local network security detection model is updated by using the global model parameters in the cluster, the network security detection method based on the distributed system further includes:

When the global condition is met and the cluster head equipment is adopted, the intra-cluster global model parameters are sent to an edge cloud server in the distributed system, so that the edge cloud server obtains a global model based on the intra-cluster global model parameters sent by the cluster head equipment of all data like clusters in the distributed system;

In an exemplary embodiment, the process of obtaining the global model based on the intra-cluster global model parameters sent by the cluster head devices of all data-like clusters in the distributed system includes:

In this embodiment, when all clusters are subjected to intra-cluster global aggregation for τ times, the edge cloud server performs global aggregation in a synchronous manner. And the cluster head equipment uploads the parameters of the model at the moment to the server. The server receives model parameters of local network security detection models of C cluster head devices, and updates a global model into a global model through parameter average The method comprises the steps of carrying out a first treatment on the surface of the The edge cloud server broadcasts the global model to all devices.

According to the embodiment, after the edge cloud server broadcasts the global model to all edge computing devices, each edge computing device uses the blocks of the corresponding parts of the global model to update the blocks of the local network security detection model, the local data are used for training, and after h rounds of training are completed, the edge cloud server sends instructions to require the device to conduct a public test data set test, and the test structure is uploaded. The edge cloud server acquires the test structure, re-executes the data homography clustering and the data homography clustering dynamic partitioning, re-sends the partitioning result to all edge computing devices, re-updates the hierarchical clustering model, and repeats the steps until the global model converges.

In a second aspect, referring to fig. 6, the present invention further provides a network security detection system based on a distributed system, which is applied to each edge computing device in the distributed system, where each edge computing device in the distributed system is divided into a plurality of data identity clusters according to similarity, and the network security detection system includes:

the training module 11 is configured to train an initial network security detection model based on local security data, where a network of the initial network security detection model includes a plurality of neural network blocks connected in sequence, and the plurality of neural network blocks correspond to different neural network depths;

The selecting module 12 is configured to select two output network blocks from the plurality of neural network blocks, input the test security data set into the initial network security detection model, and then adjust the neural network depth of the initial network security detection model according to the output values corresponding to the two output network blocks to obtain a local network security detection model;

an updating module 13, configured to update the local network security detection model with the model parameters of the local network security detection model and the model parameters of the associated computing device when the parameter updating condition is satisfied; the associated computing device is an edge computing device which is in the same data homography cluster with the associated computing device and is connected with the associated computing device;

the detection module 14 is configured to perform local network security detection through the updated local network security detection model.

receiving model parameters sent by each associated computing device;

and obtaining model parameters of the standard depth of the local network security detection model, and sending the model parameters of the standard depth to each associated computing device.

In an exemplary embodiment, the network security detection system further comprises:

the first determining module is used for judging whether the neural network depth corresponding to the model parameters sent by the associated computing equipment is larger than the neural network depth of the local network security detection model according to the model parameters sent by each associated computing equipment after receiving the model parameters sent by each associated computing equipment, if so, determining the model parameters which are the same as the neural network depth of the local network security detection model in the model parameters sent by the associated computing equipment as target model parameters, and if not, determining the model parameters sent by the associated computing equipment as target model parameters;

And calculating a neighborhood average value for the model parameters and each target model parameter of the local network security detection model.

the first sending module is used for sending the model parameters of the local network security detection model to the cluster head equipment of the data homography cluster where the local network security detection model is located when the cluster aggregation condition is met and the local network security detection model is not the cluster head equipment, so that the cluster head equipment obtains global model parameters in the cluster according to the model parameters of all edge computing equipment in the data homography cluster where the local network security detection model is located;

the updating module 13 is further configured to update the local network security detection model with the intra-cluster global model parameter when the intra-cluster global model parameter is acquired, so as to perform local network security detection through the updated local network security detection model.

Wherein alpha is a super parameter,intra-cluster global model parameters of the t-th round stored for the cluster head device of the c-th data-like cluster, are stored >Global model parameters in the t+1st round for the c-th data-like cluster, c being the sequence number of the data-like cluster,>device set N for the data homography cluster _i Model parameters, N of the jth associated computing device after the jth round of updating for the first time _i A device set of associated computing devices having a connection relationship with an ith edge computing device in the data-like-cluster, i being a sequence number of the edge computing device in the data-like-cluster, j being a sequence number of the associated computing device in the device set, |N _i I is the total number of edge computing devices in the data-like cluster.

In an exemplary embodiment, the distributed system-based network security detection system further comprises:

the second sending module is used for sending the intra-cluster global model parameters to an edge cloud server in the distributed system when the intra-cluster global model parameters are obtained, the intra-cluster global model parameters are utilized to update the local network security detection model, and the intra-cluster global model parameters are used for obtaining a global model based on the intra-cluster global model parameters sent by the cluster head equipment of all data homopolar clusters in the distributed system when the global conditions are met and the intra-cluster global model parameters are the cluster head equipment;

The updating module 13 is further configured to update the model parameters of the local network security detection model based on the model parameters of the global model after receiving the global model, so as to perform local network security detection through the updated local network security detection model.

the receiving module is used for receiving the data homography clusters divided based on the similarity and the connection relation of each edge computing device in the data homography clusters by the edge cloud server in the distributed system before the initial network security detection model is trained based on the local security data so as to determine the corresponding associated computing device based on the data homography clusters and the connection relation.

In a third aspect, referring to fig. 7, fig. 7 is a schematic structural diagram of an edge computing device according to the present invention, including:

a memory 21 for storing a computer program;

a processor 22 for implementing the steps of the distributed system based network security detection method as described in any of the embodiments above when executing a computer program.

The edge computing device further includes:

the input interface 23 is connected to the processor 22 via the communication bus 26 for obtaining externally imported computer programs, parameters and instructions, which are stored in the memory 21 under control of the processor 22. The input interface may be coupled to an input device for receiving parameters or instructions manually entered by a user. The input device can be a touch layer covered on a display screen, or can be a key, a track ball or a touch pad arranged on a terminal shell.

A display unit 24 is coupled to the processor 22 via a communication bus 26 for displaying data transmitted by the processor 22. The display unit may be a liquid crystal display or an electronic ink display, etc.

The network port 25 is connected to the processor 22 via the communication bus 26 for communication connection with external terminal devices. The communication technology adopted by the communication connection can be a wired communication technology or a wireless communication technology, such as a mobile high-definition link technology, a universal serial bus, a high-definition multimedia interface, a wireless fidelity technology, a Bluetooth communication technology, a low-power consumption Bluetooth communication technology, an IEEE802.11 s-based communication technology and the like.

For an introduction of an edge computing device provided by the present invention, refer to the above embodiment, and the disclosure is not repeated here.

The edge computing device provided by the invention has the same beneficial effects as the network security detection method based on the distributed system.

In a fourth aspect, referring to fig. 8, fig. 8 is a schematic structural diagram of a distributed system according to the present invention, including:

a plurality of edge computing devices as described above;

the edge cloud server is used for outputting test data sets and clustering results to each edge computing device, wherein the clustering results comprise data homography clusters where the edge computing devices are located and associated computing devices connected with the edge computing devices.

The edge computing devices in one dashed box in fig. 8 belong to the same cluster, e.g., five edge computing devices located in the left dashed box of the edge cloud server belong to cluster s ₁ Five edge computing devices located in the dashed box on the right side of the edge cloud server belong to cluster s _c The distributed system may be a heterogeneous distributed system in particular.

For an introduction of a distributed system provided by the present invention, refer to the above embodiment, and the disclosure is not repeated here.

The distributed system provided by the invention has the same beneficial effects as the network security detection method based on the distributed system.

In a fifth aspect, referring to fig. 9, fig. 9 is a schematic structural diagram of a computer readable storage medium according to the present invention, in which a computer program 31 is stored in the computer readable storage medium 30, and the computer program 31 implements the steps of the network security detection method based on the distributed system according to any one of the embodiments described above when being executed by a processor.

Wherein the computer-readable storage medium 30 may comprise: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing program codes.

For an introduction to a computer readable storage medium provided by the present invention, refer to the above embodiments, and the disclosure is not repeated here.

The computer readable storage medium provided by the invention has the same beneficial effects as the network security detection method based on the distributed system.

It should also be noted that in this specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.

The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims

1. A network security detection method based on a distributed system, wherein the network security detection method is applied to each edge computing device in the distributed system, and each edge computing device in the distributed system is divided into a plurality of data identity clusters according to similarity, and the network security detection method comprises:

2. The network security detection method based on a distributed system according to claim 1, wherein the process of adjusting the neural network depth of the initial network security detection model according to the output values corresponding to the two output network blocks to obtain the local network security detection model comprises:

3. The distributed system-based network security detection method of claim 2, wherein determining a depth adjustment policy based on the first output value and the second output value comprises:

4. A distributed system based network security detection method as claimed in claim 3, wherein determining a depth adjustment direction based on the magnitude relation of the first output value and the second output value comprises:

5. The network security detection method based on a distributed system according to claim 3, wherein the process of determining the adjustment condition satisfied by the performance gap between the shallow network model and the deep network model based on the magnitude relation between the absolute value and the preset value comprises:

6. The distributed system-based network security detection method of claim 3, wherein determining a depth adjustment policy based on the depth adjustment direction and the adjustment condition satisfied by the performance gap comprises:

7. The distributed system-based network security detection method of claim 3, wherein determining a depth adjustment policy based on the depth adjustment direction and the adjustment condition satisfied by the performance gap comprises:

8. The distributed system-based network security detection method of claim 3, wherein determining a depth adjustment policy based on the depth adjustment direction and the adjustment condition satisfied by the performance gap comprises:

9. The distributed system-based network security detection method of claim 3, wherein determining a depth adjustment policy based on the depth adjustment direction and the adjustment condition satisfied by the performance gap comprises:

10. The distributed system-based network security detection method of claim 1, wherein selecting two output network blocks among the plurality of neural network blocks comprises:

11. The distributed system-based network security detection method of claim 1, wherein updating the local network security detection model with model parameters of the local network security detection model and model parameters of an associated computing device comprises:

receiving model parameters sent by each associated computing device;

12. The distributed system-based network security detection method of claim 11, wherein the process of obtaining the model parameters of the local network security detection model and transmitting the model parameters of the local network security detection model to each of the associated computing devices comprises:

13. The distributed system-based network security detection method of claim 12, wherein after receiving the model parameters sent by each of the associated computing devices, the network security detection method further comprises:

14. The distributed system-based network security detection method of claim 1, wherein after updating the local network security detection model with model parameters of the local network security detection model and model parameters of an associated computing device, the network security detection method further comprises:

15. The distributed system-based network security detection method of claim 14, wherein deriving intra-cluster global model parameters from model parameters of all edge computing devices in the data-like clusters comprises:

Wherein alpha is a super parameter,intra-cluster global model parameters of the t-th round stored for the cluster head device of the c-th data-like cluster, are stored>Global model parameters in the (t+1) -th round for the (c) -th data-like cluster, c being the sequence number of the data-like cluster,device set N for the data homography cluster _i Model parameters, N of the jth associated computing device after the jth round of updating for the first time _i A device set of associated computing devices having a connection relationship with an ith edge computing device in the data-like-cluster, i being a sequence number of the edge computing device in the data-like-cluster, j being a sequence number of the associated computing device in the device set, |N _i I is the total number of edge computing devices in the data-like cluster.

16. The distributed system-based network security detection method of claim 14, wherein after the intra-cluster global model parameters are acquired and the local network security detection model is updated with the intra-cluster global model parameters, the network security detection method further comprises:

17. The network security detection method based on a distributed system according to claim 16, wherein the process of obtaining a global model based on intra-cluster global model parameters transmitted by cluster head devices of all the data-like clusters in the distributed system comprises:

18. The distributed system-based network security detection method of any of claims 1-17, wherein prior to training an initial network security detection model based on local security data, the network security detection method further comprises:

19. The distributed system-based network security detection method of claim 18, wherein the process of dividing the data homography clusters by the edge cloud server in the distributed system based on the similarity comprises:

20. A network security detection system based on a distributed system, wherein the network security detection system is applied to each edge computing device in the distributed system, and each edge computing device in the distributed system is divided into a plurality of data identity clusters according to similarity, and the network security detection system comprises:

21. An edge computing device, comprising:

a memory for storing a computer program;

a processor for implementing the steps of the distributed system based network security detection method according to any of claims 1-19 when executing the computer program.

22. A distributed system, comprising:

A plurality of edge computing devices as claimed in claim 21;

23. A computer readable storage medium, wherein a computer program is stored on the computer readable storage medium, which when executed by a processor, implements the steps of the distributed system based network security detection method according to any of claims 1-19.