
A ConvLSTM-CNN Model Based On Hybrid Balanced Sampling And Its Applications In Network Security Situational Awareness

Posted on: 2022-12-05; Degree: Master; Type: Thesis
Country: China; Candidate: Y F Liu; Full Text: PDF
GTID: 2518306752454184; Subject: Master of Engineering
Abstract/Summary:
In today's application scenarios of ubiquitous interconnection of all things, institutional networks (such as campus networks, enterprise networks, community networks, etc.) are facing more and more emerging problems, such as massive and complex service data flows, increasingly diverse ways of threat penetration, rapidly changing attack methods, and inadequate emergency response and processing ability of the system. The security situation in such networks is complicated and severe, and the security problems are becoming more and more prominent, which puts forward new requirements and challenges for the existing network security architecture, technical means, deployment methods and coping strategies. The technology of Cyberspace Situational Awareness (CSA) came into being with the aim of better solving the aforementioned problems. By acquiring, analyzing and understanding the security elements or factors that can cause changes in cyberspace behavior and status in large-scale cyberspace, CSA can predict the future development trend of the cyberspace security situation, and can also help to realize early warning, protection and traceability for the overall cyberspace security situation in advance. In this sense, the research on cyberspace security situational awareness conducted in this thesis has important theoretical significance and application value for building a new network security defense system that can meet new challenges and new needs.

In view of the problems that currently exist in the field of cyberspace security situational awareness, such as incomplete feature extraction in network traffic data modeling, network attack traffic often being hidden in a sea of benign traffic data, and the lack of a cyberspace security situational awareness model applicable to institutional networks, this thesis proposes a new model (called ConvLSTM-CNN) and combines it with a newly designed hybrid balanced sampling mechanism to better meet the requirements of cyberspace security situational awareness. We also verify the correctness and effectiveness of the model and the mechanism through comprehensive empirical research. In addition, the research work in this thesis has been applied to key scientific research projects and deployed in ECNU's campus network environment to monitor and analyze the campus network security situation. The research work of this thesis is intended to provide strong support for creating a healthy and safe campus network environment and improving cyberspace security governance.

The main research work and contributions of this thesis are as follows:

(1) At the algorithm level, we proposed a new model called ConvLSTM-CNN that is more suitable for solving the problem of cyberspace security situational awareness. The model can effectively combine and utilize the spatial and temporal characteristics of network traffic data for modeling. The experimental results using the open network data set CICIDS-2017 show that, compared with the traditional CNN model, the missed detection rate of the ConvLSTM-CNN proposed in this thesis is reduced by about 7%, and the learning performance is improved by about 3%.

(2) At the data level, we proposed a hybrid data balanced sampling mechanism. With this mechanism, we first use a K-means model optimized by PSO to cluster the data, in order to filter out the impact of noisy data samples on the quality of sample synthesis, and then select the minority class and sample it with SMOTE optimized by a Gaussian function, so as to balance the data set. Experimental results show that the hybrid data balance mechanism proposed in this thesis can improve the accuracy of the original model by about 8% and reduce the error rate by 6%.

(3) At the application level, we selected institutional networks as the application scenario, applied the research results and findings to the key research fund project of East China Normal University, and designed a new type of CSA architecture and computing framework based on the rationale of "edge-cloud collaboration". We then integrated the model and mechanism proposed in this thesis into the monitoring and analysis of the daily traffic of ECNU's campus network, in order to assist campus network administrators in security monitoring and intelligent operation and maintenance of the network.
Keywords/Search Tags: Cyberspace security, Situational awareness, Convolutional neural network (CNN), Hybrid balanced sampling, Institutional network