
Research On Network Security Situation Assessment In Sub-domains Based On Deep Learning

Posted on: 2022-09-20
Degree: Doctor
Type: Dissertation
Country: China
Candidate: X L Tao
GTID: 1488306554967139
Subject: Information and Communication Engineering
Abstract/Summary:
To deal with increasingly complex and covert network security threats, plenty of network security equipment and systems have been developed, such as firewalls, intrusion detection, anti-virus, and security audits. Although these measures can guarantee the normal operation of the network system, they still have limitations. On the one hand, most of them can only achieve passive, static protection and thus cannot fully satisfy complex and dynamic network requirements. On the other hand, there is no unified and effective management and scheduling mechanism to coordinate these techniques. Therefore, theories and tools that provide a cross-domain, global grasp of the network security situation are urgently needed. Network security situation assessment, as an effective active defense technology for dealing with network security threats, has become a hot research topic in the industry in recent years.

Current networks present the new characteristics of complex architecture, large scale, and dynamic virtualization management. Meanwhile, attack behaviors are large-scale, collaborative, and multi-stage. Moreover, internal user threat behaviors are becoming more and more serious and cannot be ignored. As a result, the existing network security situation assessment methods suffer from insufficient comprehensiveness, low accuracy, and low efficiency. It is therefore meaningful to comprehensively analyze the potential security threats in network composition and operation status and in user behavior and security situation. This dissertation uses deep learning to study network security situation assessment models, situation element extraction, the evaluation index system, network domain situation assessment, and behavioral threat detection and evaluation. The main contributions of this dissertation are as follows.

(1) A hierarchical evaluation model of network security situation in sub-domains is designed. Internal user behaviors have an impact on the security of network systems that cannot be ignored. However, few studies take user behaviors as a security situation assessment factor, resulting in incomplete and unreliable assessment results. Therefore, the idea of sub-domains is introduced to design a hierarchical sub-domain network security situation assessment model, which is divided into a data layer, an evaluation layer, and a knowledge layer. The model adds and distinguishes user-behavior-based evaluation data, factors, and indicators to evaluate the network from the network domain and the behavior domain respectively, thus achieving relative integrity and comprehensiveness of the evaluation objects.

(2) A network situation element extraction method based on a layer-by-layer loss compensation deep autoencoder is proposed. In the current network environment, the original situation assessment data has many features and high dimensionality. Meanwhile, in the existing element extraction methods based on deep neural networks, the layer-by-layer loss of feature information increases as the data dimensions are reduced, which greatly affects the accuracy of situation assessment. This dissertation adopts the residual neural network and the Laplacian pyramid to improve the deep autoencoder and then uses it to propose a novel situation assessment element extraction method. In the proposed method, a loss compensation module is added to each encoding layer of the deep autoencoder. Specifically, this module first restores the data by using the decoding layer corresponding to the encoding layer. The calculated feature-information loss is then compensated to the output of the corresponding encoding layer. The experimental results show that, compared with the original deep autoencoder method, the loss convergence of this method is better. Meanwhile, compared with other methods, this method significantly improves the classification performance of the BP neural network.

(3) A situation assessment index system establishment method based on hierarchical clustering and the analytic hierarchy process is proposed. The existing evaluation indicator selection methods suffer from strong subjectivity and lack of integrity, resulting in incomplete situation assessment and low credibility of assessment results. Thus, this dissertation applies hierarchical clustering and the analytic hierarchy process to establishing the assessment index system. The proposed method first establishes the hierarchical structure model of the domain-specific indicator system to determine the comprehensive indicators in the target layer and the criterion layer. Second, it adopts the analytic hierarchy process to quantify the evaluation factors, reducing the subjectivity of attribute assignment. Then, hierarchical clustering is used to automatically cluster similar evaluation factors and form a hierarchical relationship with the comprehensive indicators. Finally, the analytic hierarchy process is used to screen out representative evaluation factors and build an optimized index system. The experimental results show that, compared with k-means clustering, hierarchical clustering can automatically form the hierarchical relationship between evaluation factors. Meanwhile, the situation value obtained by the proposed indicator system can reflect the changes in the actual network security situation.

(4) A network domain security situation assessment method based on Subagging and the Gated Recurrent Unit (GRU) is proposed. Because of their large variance and mean square error, the existing machine learning evaluation models suffer from an unsmooth decision process, which greatly affects evaluation performance. This dissertation considers the time dependence of the evaluation data and proposes a security situation evaluation method based on the ensemble learning method Subagging and GRU. The proposed method adopts GRU to handle the long-term dependence of the evaluation data and effectively learns and characterizes its high-dimensional features. The Subagging algorithm, based on a subsampling scheme, can improve the generalization ability of the model. Meanwhile, the genetic algorithm (GA) is used to automatically optimize the training parameters of GRU. The experimental results show that the GA-based parameter optimization method is better than the PSO-based method. Compared with other methods, the proposed method markedly reduces the mean square error while achieving better evaluation performance. Moreover, the evaluation results fit the real network security situation more accurately.

(5) An improved user behavior threat detection and evaluation method based on the Generative Adversarial Network (GAN) is proposed. The distribution of positive and negative sample data in user behavior evaluation is extremely unbalanced. Meanwhile, user behavior is random and unpredictable. Therefore, taking advantage of GAN in generating small-sample data, a user behavior threat detection and evaluation method based on an adaptive sliding window is proposed. In the proposed method, the user behavior data is transformed into matrix data that can be handled directly by the GAN. Meanwhile, considering the correlation among user behaviors, an adaptive sliding window mechanism based on attribute similarity is designed to realize user behavior threat detection at different granularities. Further, the behavior threat level of the test results is evaluated according to the established criteria. The experimental results show that the adaptive sliding window detection method has better performance. Moreover, compared with other detection methods, the proposed method has higher accuracy and a lower false positive rate, thus effectively evaluating user threat behaviors.
Keywords/Search Tags:Network security situation assessment, Sub-domain, Deep learning, Element extraction, Index system, User behavior evaluation