Patent Application
20230136375
This application claims priority to Chinese Patent Application No. 202111284879.3, filed on Nov. 1, 2021, the entire disclosure of which is incorporated herein by reference.
The present disclosure relates to an internet network security technology field, and more particularly to a network security situation awareness method and a network security situation awareness apparatus.
With the development of the network technology and the enrichment of its application scenario, the computer network represented by Internet has evolved into a large-scale complex heterogeneous network including Internet of Things, autonomous and controllable private networks, industrial Internet and other forms. Thus, the security risks to the large-scale complex heterogeneous networks are also continuously developing and enriching. In order to evaluate a certain network unit (for example, a particular autonomous system, a particular unit network, or a particular form of network), the network administrator needs to deploy tasks for monitoring network status at a plurality of monitoring points (also known as network nodes), and one of the monitoring points may monitor more than one type of network security events at the same time. For a specific security event at a specific monitoring point, the network administrator may determine a threat degree caused by the specific security event according to an existing method. For example, the number of users affected by the specific security event is taken as an indication of the threat degree. However, since there are a plurality of monitoring points and a variety of different types of security events in a specific network unit, it is hard to determine an overall network security situation for the specific network unit.
For the determination of the overall network security situation of the specific network unit, a traditional method is that experts comprehensively analyze the threat degree of the security events at all monitoring points in the network unit based on their professional knowledge and the scene where the network unit is applied. However, in the traditional method, the expert’s professional knowledge in the specific network unit may have some limitations, and the existing network security situation data in the specific network unit may have limitations. In practical applications, the network security situations in different network units may have similar phenomena and essence. There is a need to combine the professional knowledge and the data in different network units to improve accuracy and effectiveness of the overall network security situation awareness in the network unit.
According to a first aspect of embodiments of the present disclosure, a network security situation awareness method based on collaborative learning is provided. The method includes integrating network security situation data monitored at different monitoring points in network units, and determining a unified data presentation form in each of the network units; obtaining an initial network security situation awareness model by constructing and optimizing a local network security situation awareness process according to a feature extraction module based on a convolutional neural network, a personalized customization module based on an attention mechanism and a network security situation grading module based on a fully connected network; improving generalization ability of the network unit in feature extraction to meet a preset condition by using a collaborative learning framework, and obtaining a final network security situation awareness model by performing secondary fine-tuning on the personalized customization module based on the attention mechanism; and performing network security situation awareness on a target network unit by using the final network security situation awareness model to obtain a network security situation awareness result, and updating a training set of the final network security situation awareness model according to the network security situation awareness result.
According to a second aspect of embodiments of the present disclosure, a method for determining a network security situation grade is provided. The method includes obtaining network security situation data; and obtaining the network security situation grade by inputting the network security situation data into the network security situation awareness model obtained by the network security situation awareness method in the above-mentioned embodiments.
According to a third aspect of embodiments of the present disclosure, an electronic device is provided. The electronic device includes at least one processor; and a memory communicatively connected to the at least one processor for storing computer instructions executable by the at least one processor. The at least one processor is configured to execute the computer instructions to perform the network security situation awareness method in the above-mentioned embodiments.
According to a fourth aspect of embodiments of the present disclosure, a computer-readable storage medium is provided. The computer-readable storage medium has stored therein computer instructions that, when executed by a processor, cause the processor to perform the network security situation awareness method in the above-mentioned embodiments.
Additional aspects and advantages of embodiments of the present disclosure will be given in part in the following descriptions, become apparent in part from the following descriptions, or be learned from the practice of the embodiments of the present disclosure.
These and other aspects and advantages of embodiments of the present disclosure will become apparent and more readily appreciated from the following descriptions made with reference to the drawings, in which:
Embodiments of the present disclosure are described in detail below, examples of which are illustrated in the drawings. The same or similar elements and the elements having the same or similar functions are denoted by like reference numerals in different drawings unless indicated otherwise. The embodiments described herein with reference to drawings are explanatory, and used to generally understand the present disclosure, but shall not be construed to limit the present disclosure.
The present disclosure provides a network security situation awareness method and a network security situation awareness apparatus based on collaborative learning. On a premise of maintaining data privacy of the network unit, the network security situation awareness knowledge is shared in different network units, and the network unit may customize and optimize the corresponding network security situation awareness model according to customized requirements and local data. The present disclosure may effectively improve scalability of the network security situation awareness, and greatly enrich application scenario of the network security situation awareness method.
As shown in
In step S101, network security situation data monitored at different monitoring points in network units is integrated, and a unified data presentation form in each of the network units is determined.
In some embodiments, integrating the network security situation data monitored at the different monitoring points in the network units, and determining the unified data presentation form in each of the network units include collecting basic information in a complex heterogeneous network scene; determining a data presentation form by introducing random characteristics according to the basic information in the complex heterogeneous network scene; and determining as the unified data presentation form a data presentation form based on public monitoring indicators or a data presentation form based on all monitoring indicators in an ascending order of subscript indices.
Specifically, although different network units have common knowledge in monitoring network security events and the threat levels of the network security events, there are differences in the network security situation data monitored by different network units. In order to improve optimization efficiency of a deep learning model for collaborative optimization in different network units, the network security situation awareness method based on deep learning running in all network units has an identical network structure. In order to be compatible with the unified network structure, the input of the network security situation awareness method in different network units has a consistent format. Thus, the unified data presentation form is designed for the different network security situation data in the complex heterogeneous network scene by the following step 1-1 to 1-4.
In step 1-1, basic information is collected in the complex heterogeneous network scene. For example, a complex heterogeneous network includes N network units, which forms a set U{U1, U2, ···, Ui, Ui+1, ···, UN-1, UN}, where Ui ∈ U= represents a network unit with a subscript index i. In a specific network unit Ui ∈ U=, there are Ni network status monitoring nodes (i.e., network status monitoring points) for monitoring network status, which forms a set Mi = {Mi,1,Mi,2,···,Mi,j,Mi,j+1,···,Mi,Ni-1,Mi,Ni} , where Mi,j represents a network status monitoring node with a subscript index j in a network unit Ui. In a specific network status monitoring point, there are Ni,j monitoring indicators, which forms a set Ti,j = {Ti,j,1,Ti,j,2,···,Ti,j,k,Ti,j,k+1,···,Ti,j,Ni,j-1,Ti,j,Ni,j}.
In step 1-2, random characteristics are introduced to determine a data presentation form. An indicative variable defining the data presentation form is represented by a symbol of α. α may be valued by obtaining a current system time, converting the current time into the 24-hour standard, and determining an integer part of the minutes as a specific value of α. The network unit U1 sends its own α value to other network units, such that each of the network units Ui ∈ U= keeps the same a value. When the a value is odd, the data presentation form is determined according to the following step 1-3. Otherwise, when the α value is even, the data presentation form is determined according to the following step 1-4. In addition, σ = min{Ni}represents the number of the monitoring points in the network unit with the least monitoring points. The first σ monitoring points are selected in all monitoring points in an ascending order of subscript indices, and the data of the selected monitoring points is used in the following step 1-3 or step 1-4.
In step 1-3, the data presentation form is determined based on the public monitoring indicators. Elements (that is, public monitoring indicators at all network monitoring points) in an intersection set of the monitoring indicators at all network status monitoring points are selected, and are represented as a set A = Ti,j,k)). W represents the number of the elements in the set A , and the set A is represented as A={a1,a2,···,aW-1,aW}. Therefore, each of the monitoring points may obtain the monitoring indicators contained in the set A. In a specific network unit Ui ∈ U=, the values of all monitoring indicators at the first σ monitoring points are represented by a matrix Ai as follows:
Elements in a row represents the public monitoring indicators monitored at the same monitoring point. The row number represents the subscript index of the monitoring point, and the column number represents the subscript index of the public monitoring indicator in the set A. Since the elements in the set A are the public monitoring indicators, each of the elements may have a corresponding monitoring value.
In step 1-4, the data presentation form is determined based on all monitoring indicators. Elements (that is, all monitoring indicators) in a union set of the monitoring indicators at all network status monitoring points are selected, and are represented by a set A = Ti,j,k)). W represents the number of elements of in the set A, and the set A is represented as A={a1,a2,···,aW-1,aW}. In a specific network unit Ui ∈ U=, the values of all monitoring indicators at the first σ monitoring points are represented by a matrix Ai as follows:
Elements in a row represents the monitoring indicators monitored at the same monitoring point. The row number represents the subscript index of the monitoring point, and the column number represents the subscript index of all monitoring indicators in the set A. Since the elements in the set A include all monitoring indicators, it may not be possible to monitor the corresponding monitoring indicators at some monitoring points. At this time, a zero element is filled.
In step S102, a local network security situation awareness process is constructed and optimized according to a feature extraction module based on a convolutional neural network, a personalized customization module based on an attention mechanism and a network security situation grading module based on a fully connected network to obtain an initial network security situation awareness mode.
Specifically, the unified data presentation form in the different network security situation data in the complex heterogeneous network scene is obtained in step S101. For each of the network units Ui ∈ U=, the local network security situation awareness process is constructed and optimized by the following steps 2-1 to 2-3.
In step 2-1, the feature extraction module of the network security situation is constructed based on the convolutional neural network. The matrix Ai in step 1-3 or step 1-4 is determined as a local monitoring indicator matrix in the network unit Ui ∈ U=. The feature extraction is performed by using a plurality of convolution layers such as ResNet as follows:
where fi represents a feature extraction function composed of a convolution layer. Trainable parameters in the function form a set Φi. featurei represents a matrix of h×w×c, where h, w and c represent feature parameters, respectively.
In step 2-2, the personalized customization module is constructed based on the attention mechanism. A matrix of 1×1×c is obtained by mean-pooling based on the feature featurei obtained in step 2-1. The relevant parameters of the personalized customization module are organized by using a two-layer fully connected network as follows:
where gi represents a personalized customization function composed of a fully connected network. Trainable parameters in the function form a set Θi. attentioni represents a matrix of 1×1×c.
In step 2-3, the network security situation grading module is constructed based on the fully connected network. Matrix multiplication is performed based on the feature featurei obtained in step 2-1 and attentioni obtained in step 2-2 to obtain a feature featurei that is optimized by attention. The network security situation is graded by adopting a supervised learning approach and the two-layer fully connected network. In this stage, softmax is used as the last layer, and a loss function is cross entropy. Trainable parameters in the function form a set Λi. The network security situation is divided into L grades.
In step S103, generalization ability of the network unit in feature extraction is improved to meet a preset condition by using a collaborative learning framework, and a final network security situation awareness model is obtained by performing secondary fine-tuning on the personalized customization module based on the attention mechanism.
Specifically, since the difference between the data characteristics in the complex heterogeneous network scene is obvious, the data in different network units are different, and may also be repeated at some time in the future. Therefore, in order to improve awareness ability of the network unit to various data, especially the data that has never been encountered, the generalization ability of the network unit in network security situation awareness is improved through collaborative learning.
In some embodiments, improving the generalization ability of the network unit in the feature extraction by using the collaborative learning framework includes performing regular collaborative optimization and secondary fine-tuning in a preset duration based on generalization of feature extraction ability shared by some parameters, and secondary fine-tuning of a local personalized customization module, which is implemented by the following steps 3-1 to 3-3.
In step 3-1, the feature extraction ability shared by some parameters is generalized. Through the training in step 2-3, each of the network units Ui ∈ U= has the network security situation awareness ability to adapt to the local data, which includes the feature extraction ability, the personalized customization and optimization ability, and network security situation grading ability. In order to improve coping ability of the network unit Ui ∈ U= to unknown data (such as data that has not been encountered by the network unit Ui, but has been encountered by other network units), the generalization ability of the feature extraction is improved through parameter averaging. In some embodiments of the present disclosure, the parameters in the set Φi in all network units are averaged.
In step 3-2, the secondary fine-tuning is performed based on the local personalized customization module. By averaging the parameters in step 3-1, each of the network units Ui ∈ U= has an improved feature extraction generalization ability for the network security situation awareness grading. At the same time, fine-tuning is performed on the personalized customization module composed of the set Θi by using the local data. That is, secondary training is performed on the model. During the second training, the parameters in the set Φi after averaging are frozen.
The parameters in the set Θi and the set A, are adjusted by back propagation optimization based on gradient.
In step 3-3, the regular collaborative optimization and the secondary fine-tuning are performed. For the complex heterogeneous network scene, a coarse collaborative optimization model is adopted at a collaborative optimization time interval t. Specifically, at a time interval of t, all network units perform step 3-1 to perform the generalization on the latest feature extraction capability, and then step 3-2 is performed to adjust the relevant parameters of the personalized customization module by using the local data through the secondary fine-tuning.
In step S104, network security situation awareness is performed on a target network unit by using the final network security situation awareness model to obtain a network security situation awareness result, and a training set of the final network security situation awareness model is updated according to the network security situation awareness result.
In some embodiments, performing the network security situation awareness on the target network unit by using the final network security situation awareness model to obtain the network security situation awareness result, and updating the training set of the final network security situation awareness model according to the network security situation awareness result include performing network security situation grading on the target network unit to obtain a network security situation grade of the target network unit, updating the training set according to the network security situation grade of the target network unit, and optimizing the final network security situation awareness model by using the training set.
In some embodiments, performing the network security situation grading on the target network unit to obtain the network security situation grade of the target network unit, updating the training set according to the network security situation grade of the target network unit, and optimizing the final network security situation awareness model by using the training set include updating a local monitoring indicator matrix in real time; and performing the security situation grading according to a change in the local monitoring indicator matrix after updating, and updating the training set by using an event having a security grade greater than a preset grade.
Specifically, the network security situation awareness process constructed in step S102 and the parameters with personalized customization and optimization capability in step S103 are used for the network security situation grading in real time, and the dataset used for the supervised training is further enriched according to the specific situation, which are implemented by the following steps 4-1 to 4-3.
In step 4-1, the local monitoring indicator matrix is updated in real time. In each of the network units Ui ∈ U=, the local monitoring index matrix Ai constructed in step S101 is monitored and updated in real time.
In step 4-2, the security situation is graded based on the change in the monitoring indicator matrix. Once the value in the local monitoring indicator matrix Ai changes, the local monitoring indicator matrix Ai is graded by using the network security situation awareness process constructed in step S102 and the parameters with the personalized customization optimization ability in step S103.
In step 4-3, the training dataset is enriched by using the events with outstanding security grade to further improve the coping ability of the sensitive network security situation. In a result reaching a specific security situation grade L′, such as above L′ = 8, new samples in the result are used in the training set to adjust and optimize the model parameters through the step S103.
Through the above-mentioned description, the collaborative learning has the ability to share knowledge while maintaining the data privacy of each data owner. For each network unit, the deep learning model based on neural network is adopted to evaluate the data of threat degree of all security events in the network unit, so as to realize the overall network security situation awareness of the network unit. At an initial stage of the task, experts are required to analyze the overall network security situation based on the data for a period of time, which is used as the optimization basis for supervised learning of the deep learning model. In this way, the scalability of the network security situation awareness may be improved, and the pressure of the experts to make manual judgments may be reduced. At the same time, in order to make full use of the objective regulation reflected by the network security situation data in different network units, and break the limitations of a single network unit in data and knowledge, it is possible to share knowledge through the collaborative learning framework, which further improves the perception ability of the network security situation awareness module to the network security situation that has never been encountered under the premise of maintaining the data privacy of each network unit. In addition, although there is common knowledge in the network security situation awareness, there is unique knowledge that is only applicable to a special unit in the network security situation awareness in different network units in a large-scale complex heterogeneous network. For example, both autonomous system A and autonomous system B may monitor security event a, security event b, and security event c. However, security event a is more important to autonomous system A, while security event b is more important to autonomous system B, and security event c has no impact on the overall network security situation of the two autonomous systems. Therefore, when all network units perform the collaborative optimization through collaborative learning, the network units not only share knowledge through the consistent network structure, but also optimize the personalized customization module separately in the training stage, such that each network unit has a more suitable network security situation awareness module. In summary, the network security situation awareness method in some embodiments of the present disclosure has high accuracy, strong scalability and personalized customization optimization capability in the network security situation awareness in the large-scale complex heterogeneous network scene, which is suitable for deployment and application in the large-scale complex heterogeneous network scene with common knowledge and unique requirement or characteristics.
According to the network security situation awareness method based on the collaborative learning in some embodiments of the present disclosure, through the integration of the network security situation data monitored at different monitoring points in the network units, the unified data presentation form is determined in each of the network units, and thus a same network structure may be used for collaborative optimization on different network units. The local network security situation awareness process is constructed and optimized according to the feature extraction module based on the convolutional neural network, the personalized customization module based on the attention mechanism and the network security situation grading module based on the fully connected network. After the data presentation form in each of the network units and the network security situation awareness process are determined, the collaborative learning framework is used to improve the generalization ability of the network unit in the feature extraction, and the personalized customization module based on the attention mechanism is fine tuned. The network security situation grading is performed in each network unit, while a dataset for supervised training is further updated according to a specific situation.
The present disclosure further provides a method for determining a network security situation grade. The method includes obtaining network security situation data; and obtaining the network security situation grade by inputting the network security situation data into the network security situation awareness model obtained by the network security situation awareness method in the above-mentioned embodiments of the present disclosure.
A network security situation awareness apparatus based on collaborative learning in some embodiment of the present disclosure is described with reference to the drawings.
As shown in
The integration module 100 is configured to integrate network security situation data monitored at different monitoring points in network units, and determine a unified data presentation form in each of the network units. The first construction module 200 is configured to obtain an initial network security situation awareness model by constructing and optimizing a local network security situation awareness process according to a feature extraction module based on a convolutional neural network, a personalized customization module based on an attention mechanism and a network security situation grading module based on a fully connected network. The second construction module 300 is configured to improve generalization ability of the network unit in feature extraction by using a collaborative learning framework to meet a preset condition, and obtain a final network security situation awareness model by performing secondary fine-tuning on the personalized customization module based on the attention mechanism. The awareness module 400 is configured to perform network security situation awareness on a target network unit by using the final network security situation awareness model to obtain a network security situation awareness result, and update a training set of the final network security situation awareness model according to the network security situation awareness result.
In some embodiments, the awareness module 400 is further configured to perform network security situation grading on the target network unit to obtain a network security situation grade of the target network unit, update the training set according to the network security situation grade of the target network unit, and optimize the final network security situation awareness model by using the training set.
In some embodiments, the integration module 100 is configured to collect basic information in a complex heterogeneous network scene; determine a data presentation form by introducing random characteristics according to the basic information in the complex heterogeneous network scene; and determine as the unified data presentation form a data presentation form based on public monitoring indicators or a data presentation form based on all monitoring indicators in an ascending order of subscript indices.
It should be noted that the above-mentioned description of the embodiments of the network security situation awareness method based on the collaborative learning is also applicable to the network security situation awareness apparatus based on the collaborative learning, which will not be repeated here.
According to the network security situation awareness apparatus based on the collaborative learning in some embodiments of the present disclosure, through the integration of the network security situation data monitored at different monitoring points in the network units, the unified data presentation form is determined in each of the network units, and thus a same network structure may be used for collaborative optimization on different network units. The local network security situation awareness process is constructed and optimized according to the feature extraction module based on the convolutional neural network, the personalized customization module based on the attention mechanism and the network security situation grading module based on the fully connected network. After the data presentation form in each of the network units and the network security situation awareness process are determined, the collaborative learning framework is used to improve the generalization ability of the network unit in the feature extraction, and the personalized customization module based on the attention mechanism is fine tuned. The network security situation grading is performed in each network unit, while a dataset for supervised training is further updated according to a specific situation. In this way, the network security situation awareness apparatus in some embodiments of the present disclosure has high accuracy, strong scalability and personalized customization optimization capability in the network security situation awareness in the large-scale complex heterogeneous network scene, which is suitable for deployment and application in the large-scale complex heterogeneous network scene with common knowledge and unique requirement or characteristics.
The processor 302 may perform the network security situation awareness method based on the collaborative learning provided in the above-mentioned embodiments when executing the computer instructions.
Further, the electronic device further includes a communication interface 303 for communication between the memory 301 and the processor 302.
The memory 301 is configured to store the computer instructions executable by the at least one processor 302.
The memory 301 may include a high-speed RAM memory, and may also include a non-volatile memory, such as at least one disk memory.
If the memory 301, the processor 302 and the communication interface 303 are implemented independently, the communication interface 303, the memory 301 and the processor 302 may be communicatively connected to each other through a bus. The bus may be an industry standard architecture (ISA) bus, a peripheral component interconnect (PCI) bus, or an extended industry standard architecture (EISA) bus. The bus may include an address bus, a data bus, a control bus and so on. For conciseness, as shown in
In some embodiments, if the memory 301, the processor 302 and the communication interface 303 are integrated on one chip, the memory 301, the processor 302 and the communication interface 303 may be communicatively connected to each other through internal interfaces.
The processor 302 may be a central processing unit (CPU for short), or an application specific integrated circuit (ASIC for short), or one or more integrated circuits for performing the method in the above-mentioned embodiments of the present disclosure.
The present disclosure further provides a computer-readable storage medium having stored therein computer instructions that, when executed by a processor, cause the processor to perform the network security situation awareness method in the above-mentioned embodiments of the present disclosure.
Reference throughout this specification to “an embodiment,” “some embodiments,” “an example,” “a specific example,” or “some examples,” means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present disclosure. Thus, the appearances of the phrases such as “in an embodiment”, “in some embodiments,” “in an example,” “in a specific example,” or “in some examples,” in various places throughout this specification are not necessarily referring to the same embodiment or example of the present disclosure. Furthermore, the particular features, structures, materials, or characteristics may be combined in any suitable manner in one or more embodiments or examples. In addition, those skilled in the art may combine different embodiments or examples described in the specification and the features of different embodiments or examples without contradiction.
In addition, terms such as “first” and “second” are used herein for purposes of description and are not intended to indicate or imply relative importance or significance or to imply the number of indicated technical features. Thus, the feature defined with “first” and “second” may comprise one or more of this feature. In the description of the present disclosure, “a plurality of” means two or more than two, unless specified otherwise.
It will be understood that, the flow chart or any process or method described herein in other manners may represent a module, segment, or portion of code that includes one or more executable instructions to implement the specified logic function(s) or step(s) of the process. Moreover, those skilled in the art shall understand that the scope of the preferred embodiments of the present disclosure includes other implementations, and the functions may be performed in a substantially simultaneous manner or in a reverse order according to the functions involved, rather than in the order shown or discussed.
It should be understood that each part of the present disclosure may be realized by the hardware, software, firmware or their combination. In the above-mentioned embodiments, a plurality of steps or methods may be realized by the software or firmware stored in the memory and executed by the appropriate instruction execution system. For example, if the present disclosure is realized by the hardware, likewise in another embodiment, the steps or methods may be realized by one or a combination of a discrete logic circuit having a logic gate circuit for realizing a logic function of a data signal, an application-specific integrated circuit having an appropriate combination logic gate circuit, a programmable gate array (PGA), a field programmable gate array (FPGA), etc.
Those skilled in the art shall understand that all or part of the steps in the method in the above-mentioned embodiments of the present disclosure may be achieved by commanding the related hardware with the programs. The programs may be stored in a computer readable storage medium, and the programs may perform one or a combination of the steps in the method of the above-mentioned embodiments of the present disclosure when executed by a computer.
| Number | Date | Country | Kind |
|---|---|---|---|
| 202111284879.3 | Nov 2021 | CN | national |
