Abstract (translated from the Chinese):
The rapid development of computer networks has also brought many security problems. Effective network security situation assessment is of great significance for understanding the overall state of the network and helping administrators grasp the overall situation. However, existing network security situation assessment methods suffer from difficult feature element extraction, low accuracy and poor timeliness. To address these problems, a network security situation assessment method based on deep weighted feature learning for network threat detection is proposed. First, considering that a single sparse auto-encoder cannot fit the distributions of different attacks well when extracting features, which lowers threat detection accuracy, a feature extractor based on parallel sparse auto-encoders is built to extract the key information in network traffic and fuse it with the original features of the data. Second, to pay more attention to the key information in network traffic, an attention mechanism is used to improve the bidirectional gated recurrent unit network, which detects threats in the network and counts the number of occurrences of each attack type together with the false alarm reduction matrix. Then, the number of occurrences of each attack type is corrected according to the false alarm reduction matrix and combined with the threat severity factor to compute the threat severity. Finally, the network security situation value is determined from the threat severity and the threat impact level of each attack type to obtain the network security situation. The NSL-KDD dataset is selected for experimental validation; the results show that the proposed method reaches the highest accuracy of 82.13% on the test set, with recall and F1 score of 83.36% and 82.74% respectively. In addition, ablation experiments further verify the effectiveness of the two proposed improvements, feature extraction with parallel sparse auto-encoders and feature weighting with the attention mechanism. Comparative experiments with classical situation assessment methods such as SVM, LSTM, BiGRU and AEDNN also prove that the method can assess the overall network security situation efficiently and comprehensively.
Keywords: parallel sparse auto-encoder; attention mechanism; threat severity factor; false alarm reduction matrix; network security situation assessment
DOI: 10.19363/J.cnki.cn10-1380/tn.2022.07.03
Received: 2021-05-19; Revised: 2021-08-08
Funding: This work was supported by the Civil Aviation Joint Research Fund of the National Natural Science Foundation of China (No. U1833107).
Network Security Situation Assessment Based on Deep Weighted Feature Learning
YANG Hongyu1,2, ZHANG Zixin2, ZHANG Liang3
(1. Department of Safety Science and Engineering, Civil Aviation University of China, Tianjin 300300, China; 2. Department of Computer Science and Technology, Civil Aviation University of China, Tianjin 300300, China; 3. Department of Information, University of Arizona, Tucson AZ 85721, USA)
Abstract:
The rapid development of computer networks also brings many security problems; network security situation assessment is of great significance for mastering the overall state of the network and helping managers fully grasp the overall situation. However, the available network security situation assessment methods have difficulties in extracting feature elements, low precision and poor timeliness. To tackle these problems, a network security situation assessment method based on deep weighted feature learning for network threat detection was proposed. Firstly, considering the disadvantage that a single sparse auto-encoder cannot fit the distributions of different attacks well when extracting features, which affects the accuracy of threat detection, a feature extractor based on a parallel sparse auto-encoder was built to extract the key data of network traffic and integrate them with the original features. Then, to pay more attention to the key information in the network traffic, the attention mechanism was used to improve the bidirectional gated recurrent unit. Network threats were detected on the testing set, and the number of occurrences of each attack type and the false alarm reduction matrix were counted. Next, the number of occurrences of each attack type was corrected according to the false alarm reduction matrix, and the threat severity was calculated by combining it with the threat severity factor of each attack type. Finally, the network security situation was determined according to the threat severity and the threat impact level of each attack type. On the NSL-KDD dataset, the experimental results show that the proposed method achieves the highest precision of 82.13% on the test set, and the recall and F1 scores reach 83.36% and 82.74% respectively. The ablation experiment further verifies the effectiveness of the two proposed improvements: feature extraction with a parallel sparse auto-encoder and feature weighting with the attention mechanism. Besides, the comparative experiment with classical situation assessment methods such as SVM, LSTM, BiGRU and AEDNN also proves that the proposed method can assess the overall network security situation efficiently and comprehensively.
Key words: parallel sparse auto-encoder; attention mechanism; threat severity factor; false alarm reduction matrix; network security situation assessment
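The four assessment steps the abstract describes (count detections per attack type, correct the counts with the false alarm reduction matrix, weight by the threat severity factor, combine with the threat impact level), as an added Python sketch that is not the paper's code. Because the page gives no formulas, the linear forms used here, the reading of the reduction matrix as a row-normalised validation confusion matrix, and every parameter value are assumptions; only the NSL-KDD class names come from the paper's dataset.

```python
from collections import Counter
# NSL-KDD label classes (the paper's dataset). Every numeric parameter below
# is a constructed placeholder, not a value taken from the paper.
TYPES = ["normal", "DoS", "Probe", "R2L", "U2R"]
SEVERITY_FACTOR = {"normal": 0.0, "DoS": 0.3, "Probe": 0.2, "R2L": 0.6, "U2R": 0.9}
IMPACT_LEVEL = {"normal": 0.0, "DoS": 0.5, "Probe": 0.3, "R2L": 0.8, "U2R": 1.0}
# Assumed form of the false alarm reduction matrix: REDUCTION[p][t] is the
# fraction of flows the detector labels p that truly belong to class t
# (estimated from a validation confusion matrix), so each row sums to 1.
REDUCTION = {
    "normal": {"normal": 0.95, "DoS": 0.02, "Probe": 0.02, "R2L": 0.01, "U2R": 0.00},
    "DoS":    {"normal": 0.10, "DoS": 0.88, "Probe": 0.02, "R2L": 0.00, "U2R": 0.00},
    "Probe":  {"normal": 0.15, "DoS": 0.05, "Probe": 0.80, "R2L": 0.00, "U2R": 0.00},
    "R2L":    {"normal": 0.30, "DoS": 0.00, "Probe": 0.00, "R2L": 0.70, "U2R": 0.00},
    "U2R":    {"normal": 0.40, "DoS": 0.00, "Probe": 0.00, "R2L": 0.10, "U2R": 0.50},
}

def count_predictions(predicted):
    """Step 1: occurrence count of each class among the detector's outputs."""
    c = Counter(predicted)
    return {t: c.get(t, 0) for t in TYPES}

def correct_counts(counts, reduction=REDUCTION):
    """Step 2: redistribute predicted counts through the reduction matrix.
    Rows summing to 1 means the total number of flows is conserved."""
    for p, row in reduction.items():
        if abs(sum(row.values()) - 1.0) > 1e-9:
            raise ValueError(f"reduction row for {p} does not sum to 1")
    return {t: sum(counts[p] * reduction[p][t] for p in TYPES) for t in TYPES}

def threat_severity(corrected, factor=SEVERITY_FACTOR):
    """Step 3 (assumed linear form): corrected count times severity factor."""
    return {t: corrected[t] * factor[t] for t in TYPES}

def situation_value(severity, total, impact=IMPACT_LEVEL):
    """Step 4 (assumed form): impact-weighted severity, normalised by the
    number of flows in the window so the result lies in [0, 1]."""
    return sum(severity[t] * impact[t] for t in TYPES) / total

def assess(predicted):
    """Run the four steps over one window of detector output."""
    counts = count_predictions(predicted)
    return situation_value(threat_severity(correct_counts(counts)), len(predicted))

# Constructed detector output for one window of 100 flows.
SAMPLE = ["normal"] * 60 + ["DoS"] * 20 + ["Probe"] * 10 + ["R2L"] * 6 + ["U2R"] * 4

if __name__ == "__main__":
    print(f"situation value: {assess(SAMPLE):.4f}")
```

With the constructed matrix the 20 DoS alerts shrink to 19.3 corrected DoS flows while 4 U2R alerts shrink to 2.0, which is the false-alarm correction the abstract describes before severity weighting.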