1. A situation assessment element extraction method based on a layer-by-layer loss compensation depth self-encoder is characterized by comprising the following steps:

inputting the obtained network security data set into a layer-by-layer loss compensation encoder for dimensionality reduction and feature extraction, and compensating the loss of the situation assessment element feature information during encoding by using a loss compensation module to generate a layer-by-layer loss compensation depth self-encoder;

restoring the coded data of the layer-by-layer loss compensation encoder by using a corresponding decoder, evaluating the difference between the restored data and original data by minimizing an MSE loss function, and training the layer-by-layer loss compensation depth self-encoder, wherein the layer-by-layer loss compensation depth self-encoder comprises a layer-by-layer loss compensation encoder and a decoder, and the layer-by-layer loss compensation encoder comprises a loss compensation module and a decoder in the loss compensation module;

and extracting situation evaluation elements of the whole data by using the trained layer-by-layer loss compensation depth self-encoder to obtain an evaluation factor set.

2. The method of extracting pose estimation elements based on layer-by-layer loss compensation depth self-encoder according to claim 1, further comprising:

and acquiring network security situation awareness original data, and performing data preprocessing on the acquired original data to obtain the data set.

3. The method of extracting pose estimation elements based on layer-by-layer loss compensation depth self-encoder according to claim 2, further comprising:

judging whether all the original data in the data set are extracted completely;

if so, completing the training of the layer-by-layer loss compensation depth self-encoder;

if not, training the layer-by-layer loss compensation depth self-encoder by using the next original data in the data set until all the original data are used up.

4. The method for extracting situation assessment factors based on the layer-by-layer loss compensation depth self-encoder according to claim 1, wherein the obtained network security data set is input into the layer-by-layer loss compensation encoder for dimension reduction and feature extraction, and a loss compensation module is used for compensating the loss of the situation assessment factor feature information during encoding, so as to generate the layer-by-layer loss compensation depth self-encoder, and the method comprises the following steps:

inputting any original data in the acquired network security data set into a layer-by-layer loss compensation encoder to perform dimensionality reduction and feature extraction;

transmitting the encoded situation evaluation element characteristic information to a decoder in a compensation module for decoding and restoring to obtain restored data with the same dimension as the original input data of the encoder at the current layer;

and the restored data is different from the original input data, and the loss of the situation evaluation element characteristic information during encoding is compensated by using a loss compensation module, so that the layer-by-layer loss compensation depth self-encoder is generated.

5. The method for extracting situation assessment factors based on layer-by-layer loss compensation depth self-encoder according to claim 4, wherein the layer-by-layer loss compensation depth self-encoder is trained by utilizing a corresponding decoder to restore the encoded data of the layer-by-layer loss compensation encoder and simultaneously evaluating the difference between the restored data and the original data by minimizing an MSE loss function, and comprises the following steps:

restoring the compensated encoded data by using decoders with the same number as the layer-by-layer loss compensation encoders to obtain restored original data;

and calculating the mean square error of the original input data and the restored original data by minimizing an MSE loss function to obtain a loss value, and training the layer-by-layer loss compensation depth self-encoder.

Background

The situation assessment original data in the current network environment has the characteristics of multiple features, high dimension, nonlinearity and the like, and the situation assessment element extraction method based on a mathematical model, knowledge reasoning and machine learning has certain limitation on the processing capability of the multiple-feature high-dimension nonlinear data, so that the problems of inaccurate situation assessment element extraction, low efficiency and the like are caused; in the process of extracting elements from the original data by adopting the deep neural network, the loss of layer-by-layer characteristic information is continuously increased along with the reduction of data dimensions, and the effectiveness of extracting the elements is finally influenced by the situation evaluation.

Disclosure of Invention

The invention aims to provide a situation assessment element extraction method based on a layer-by-layer loss compensation depth self-encoder, which ensures the effectiveness of the situation assessment element extraction.

In order to achieve the above object, the present invention provides a situation assessment factor extraction method based on a layer-by-layer loss compensation depth self-encoder, comprising the following steps:

inputting the obtained network security data set into a layer-by-layer loss compensation encoder for dimensionality reduction and feature extraction, and compensating the loss of the situation assessment element feature information during encoding by using a loss compensation module to generate a layer-by-layer loss compensation depth self-encoder;

restoring the coded data of the layer-by-layer loss compensation encoder by using a corresponding decoder, evaluating the difference between the restored data and the original data by minimizing an MSE loss function, and training the layer-by-layer loss compensation depth self-encoder;

and extracting situation evaluation elements of the whole data by using the trained layer-by-layer loss compensation depth self-encoder to obtain an evaluation factor set.

Wherein the method further comprises:

and acquiring network security situation awareness original data, and performing data preprocessing on the acquired original data to obtain the data set.

Wherein the method further comprises:

judging whether all the original data in the data set are extracted completely;

if so, completing the training of the layer-by-layer loss compensation depth self-encoder;

if not, training the layer-by-layer loss compensation depth self-encoder by using the next original data in the data set until all the original data are used up.

The method comprises the following steps of inputting the acquired network security data set into a layer-by-layer loss compensation encoder to perform dimensionality reduction and feature extraction, compensating the loss of the situation assessment element feature information during encoding by using a loss compensation module, and generating a layer-by-layer loss compensation depth self-encoder, wherein the method comprises the following steps:

inputting any original data in the acquired network security data set into a layer-by-layer loss compensation encoder to perform dimensionality reduction and feature extraction;

transmitting the encoded situation evaluation element characteristic information to a decoder in a compensation module for decoding and restoring to obtain restored data with the same dimension as the original input data of the encoder at the current layer;

and the restored data is different from the original input data, and the loss of the situation evaluation element characteristic information during encoding is compensated by using a loss compensation module, so that the layer-by-layer loss compensation depth self-encoder is generated.

The method comprises the following steps of utilizing a corresponding decoder to restore the coded data of the layer-by-layer loss compensation encoder, evaluating the difference between restored data and original data through a minimum MSE loss function, and training the layer-by-layer loss compensation depth self-encoder, wherein the method comprises the following steps:

restoring the compensated encoded data by using decoders with the same number as the layer-by-layer loss compensation encoders to obtain restored original data;

and calculating the mean square error of the original input data and the restored original data by minimizing an MSE loss function to obtain a loss value, and training the layer-by-layer loss compensation depth self-encoder.

The invention relates to a situation assessment element extraction method based on a layer-by-layer loss compensation depth self-encoder, which comprises the steps of inputting an acquired part of network security data set into the layer-by-layer loss compensation encoder to perform dimensionality reduction and feature extraction, and transmitting encoded situation assessment element feature information to a decoder to perform decoding reduction, wherein the encoder part utilizes a loss compensation module to compensate loss of the situation assessment element feature information during encoding, and generates the layer-by-layer loss compensation depth self-encoder; evaluating the difference between the restored data and the original input data by minimizing an MSE loss function to realize model training; and performing situation evaluation element extraction on the whole data by using the trained layer-by-layer loss compensation depth self-encoder to obtain an evaluation factor set, improving the performance of network security situation evaluation, reducing the situation evaluation element characteristic information loss of the depth self-encoder between layers, and ensuring the effectiveness of influencing the situation evaluation element extraction.

Drawings

In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.

Fig. 1 is a schematic step diagram of a method for extracting situation assessment elements based on a layer-by-layer loss compensation depth self-encoder according to the present invention.

FIG. 2 is a flow chart of the LC-DAE situation assessment element-based extraction method provided by the invention.

FIG. 3 is an architecture diagram of an LC-DAE situation assessment element extraction method provided by the present invention.

Fig. 4 is a structural diagram of a loss compensation module provided in the present invention.

FIG. 5 is a diagram of the original DAE and LC-DAE algorithm loss provided by the present invention.

FIG. 6 is a comparison graph of BP neural network classification performance based on different situation assessment element extraction methods provided by the present invention.

FIG. 7 is a graph of BP neural network classification versus experimental time provided by the present invention.

Detailed Description

Reference will now be made in detail to embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the drawings are illustrative and intended to be illustrative of the invention and are not to be construed as limiting the invention.

In the description of the present invention, "a plurality" means two or more unless specifically defined otherwise.

Referring to fig. 1 to 3, the present invention provides a method for extracting situation estimation elements based on a layer-by-layer loss compensation depth self-encoder, comprising the following steps:

s101, inputting the obtained network security data set into a layer-by-layer loss compensation encoder for dimensionality reduction and feature extraction, and compensating loss of the situation assessment element feature information during encoding by using a loss compensation module to generate a layer-by-layer loss compensation depth self-encoder.

Specifically, inputting part of processed data into a layer-by-layer loss compensation encoder for dimension reduction and feature extraction; transmitting the encoded situation evaluation element feature information to a decoder for decoding and restoring:

the LC-DAE situation assessment factor extraction method mainly comprises two parts: encoder and decoder with loss compensation. The input to the encoder section may be denoted X ═ X₁,X₂,…,X_l]^T∈R^l×1The weight can be expressed asCoding layer transmissionCan be represented asThe decoding layer output of the decoder can be represented asThe weight can be expressed asThe output may be represented as X '═ X'₁,X'₂,…,X′_l]^T∈R^l×1Where l represents the dimension of the data and n represents the number of layers of the encoder.

And (5) encoding of the ith layer of the depth self-encoder. When the output data of the i-1 th layer enters the coding layer of the i-th layer, the dimension M is obtained_iOutput data ofThe expression is as follows:

and decoding and restoring the data. In order to obtain the loss of the coded data in the coding process, the output data of the i-th coding layer is firstly neededAnd restoring by using the corresponding decoding layer to obtain output data with the same dimension as that of the coding layer of the (i-1) th layer. Wherein, decX_iRepresenting data restored by the i-th coding layer, the data dimension andequal, M_i-1Representing the data dimension of the i-1 coding layer. The expression is as follows:

in order to obtain the loss in the process of extracting the elements of the coding layer, the invention considers some existing loss function calculation methods, and the obtained loss needs to be compensated back to the corresponding coding layer, so that the method needs to be as intuitive as possible. L is₁The loss function is a method for solving loss by using absolute error, namely, data is subjected to difference operation to obtain an absolute value, and compared with other loss functions, the method can directly reflect the situation evaluation element characteristic information loss between layers, so that the invention uses L for reference₁The loss function calculates the loss of the element characteristic information. Since the difference in loss between coding layers allows the presence of negative values, if L is used purely₁The loss function will cause the loss of the original negative value data information, so the input data of the i-th layer coding layer is adoptedAnd decX_iMaking difference, and using i-th layer coding layer to code the data after difference operation to obtain corresponding loss value lossX_iThe expression is as follows:

and (4) loss compensation. At this time, the corresponding loss value lossX of the i-th layer coding layer in the coding process is used_iCompensating back to the output data of the i-th layer coding layerIn (1). The compensation mode refers to a residual error neural network, adopts an addition mode, and assumes that the i layer coding layer of the loss compensation module is represented as an encoder_iThe corresponding decoding layer is denoted as decoder_n-i+1，M_iThe dimension number corresponding to i layers is shown, n is the total number of layers of the encoder, dec is shown as difference operation, and the expression is shown as follows in conjunction with fig. 4:

it should be noted that, in order to ensure that the decoded data is as accurate as possible, the decoding layer corresponding to the coding layer is used for decoding and restoring, i.e. decoder_n-i+1And the n-i +1 th layer of the corresponding decoding layer. If an initialized decoding layer is defined at random, the weight of the decoding layer can not be guaranteed to be updated effectively in training, random weight decoding may be used in the decoding process, so that the loss involved in compensation is no longer the loss of element characteristic information between corresponding layers, and therefore, the selection and use of a specific decoding layer is particularly important here.

And when loss compensation of the current training data in all the encoders is completed, the construction of the layer-by-layer loss compensation depth self-encoder is completed.

And S102, restoring the coded data of the layer-by-layer loss compensation encoder by using a corresponding decoder, evaluating the difference between the restored data and the original data by minimizing an MSE loss function, and training the layer-by-layer loss compensation depth self-encoder.

Specifically, the compensated encoded data is restored by using decoders with the same number as the layer-by-layer loss compensation encoders to obtain restored original data; performing mean square error calculation on the original input data and the restored original data by minimizing an MSE loss function to obtain a loss value, and training the layer-by-layer loss compensation depth self-encoder, wherein an MSE loss function expression is as follows:

where X represents the input variable, X 'represents the output variable, L (X, X') represents the loss function, and k represents the number of samples.

Then, judging whether training of the layer-by-layer loss compensation depth self-encoder is finished by using part of the original network safety data; if so, extracting the situation assessment factors of the whole original network safety data set by utilizing the trained layer-by-layer compensation depth self-encoder; if not, continuing the training of the layer-by-layer loss compensation depth self-encoder until a training period is met, wherein whether all the original data in the data set are extracted is judged; if so, completing the training of the layer-by-layer loss compensation depth self-encoder; if not, training the layer-by-layer loss compensation depth self-encoder by using the next original data in the data set until all the original data are used up.

S103, extracting situation evaluation factors of the whole data by using the trained layer-by-layer loss compensation depth self-encoder to obtain an evaluation factor set.

Specifically, the situation assessment factor set is obtained by extracting situation assessment factors from the whole data by using the trained layer-by-layer loss compensation depth self-encoder. Selecting the performance indexes of the classification as the comprehensive indexes of Accuracy (Accuracy), Precision (Precision), Recall (Recall) and F1

The method further comprises the following steps:

acquiring network security situation perception original data, and performing data preprocessing on the acquired original data, such as label segmentation, normalization and the like; the data set used in the experiment was the UNSW-NB15 data set created by the australian network security centre using the IXIA perfect storm tool. The ixiapperfectstorm tool supports more than 245 application protocols and more than 35000 malicious attacks, simulates millions of real-world end-user environments, and is used for generating large-scale network traffic data, which is a network intrusion detection public data set recognized in the field of network security at present. The UNSW-NB15 data set covers 9 types of modern common network attack, each record is composed of 47 different features and 2 tags, and 2540044 pieces of data are stored in 4 csv files respectively. Among them, there are 30 ten thousand abnormal records.

In order to meet the experiment requirements, characteristics such as IP (Internet protocol), ports and the like in original data are removed (the characteristics are removed from an example data set given by an official website), and all non-numerical data in the data set are subjected to numerical processing. The processed data is then normalized. Each piece of processed data contains 43 features. And finally, uniformly processing the data labels, wherein the normal flow label is represented by 0, and the abnormal labels in the rest 9 are represented by 1-9 in sequence. Because the size of the original data is huge, 60 ten thousand pieces of data are intercepted from the original data for testing.

1. Loss contrast test of different situation evaluation element extraction method

In order to verify the convergence of the LC-DAE situation assessment element extraction model, the invention carries out a comparative test on the original DAE model and the LC-DAE model through the loss value of model training, and the convergence curve is shown in FIG. 5.

As can be seen from FIG. 5, the loss of the LC-DAE posture assessment element extraction method has a better starting point, and meanwhile, in the gradient descending process, the loss curve is more stable in expression, the descending speed is faster than that of the original DAE, convergence is finally achieved in 200 cycles, and the convergence result is shown in Table 1, which indicates that the LC-DAE method has better convergence in the training process of the posture assessment element extraction. It is analyzed that this is because the original DAE has a lot of non-linear transformations between layers of the coding layer during the element extraction process, and these non-linear transformations cause the loss of element characteristic information, which is difficult to avoid during the neural network training process. The LC-DAE uses a layer-by-layer loss compensation mode to greatly reduce the loss of the feature information of the situation assessment element, so that the LC-DAE situation assessment element extraction method can fully reserve the feature information of the element of the original data and realize better loss convergence in the training process.

TABLE 1 original DAE and LC-DAE situation assessment element extraction method Convergence value of training 200 periods

2. BP neural network classification performance comparison experiment based on different element extraction methods

In order to verify the effectiveness of the LC-DAE situation assessment element extraction method provided by the invention, a BP neural network is used for carrying out classification comparison experiments on original data and data extracted by elements based on LC-DAE, original DAE and Principal Component Analysis (PCA) methods, and the classification methods are respectively recorded as: original data-BP, LC-DAE-BP, PCA-BP.

The data set used in this experiment has multiple label classes, and therefore the cross entropy loss function used is shown below.

Wherein N represents the total number of samples, k represents the number of tags, y is the true tag, y_i,kThe true value, p, of the kth label representing the ith sample_i,kRepresenting the probability that the ith sample is predicted to be a k-tag.

The performance indexes of the selected classification in this chapter are Accuracy (Accuracy), Precision (Precision), Recall (Recall) and F1 comprehensive indexes, some of which are defined as follows:

TP: the sample is expressed as true positive, namely, the sample is predicted to be a positive sample and actually is a positive sample;

FP: representing false positive, namely predicting as a positive sample and actually as a negative sample;

TN: the method is characterized by representing true negativity, namely predicting as a negative sample and actually as a negative sample;

FN: false negatives are indicated, i.e. negative samples are predicted, and positive samples are actually present.

The corresponding confusion matrix is shown in table 2.

TABLE 2 confusion matrix

The performance index calculation expression is as follows:

wherein Precision represents the ratio of the number of correctly identified samples to the total number of identified samples; recall represents the ratio of the number of correctly identified samples to the number of samples that should be identified. However, if it is not reasonable to evaluate the merits of the model performance from Precision or Recall alone, it is generally necessary to use the F1 synthetic index value in which Precision and Recall are combined as the model evaluation criterion in order to make the evaluation more convincing.

According to the invention, abnormal attacks in a data set are set as positive samples, the experimental result is shown in fig. 6, and it can be seen from fig. 6 that after element extraction is carried out by the LC-DAE method, the accuracy, recall rate and F1 comprehensive indexes after BP neural network classification are superior to those of other three methods, because the LC-DAE-BP method can better extract element characteristic information from original data and remove redundant data, the BP neural network can better learn the characteristic information of the data during classification, and the classification performance is improved.

In the index of precision, the LC-DAE-BP method is slightly lower, and precision and recall are a pair of contradictory variables, and when the recall is high, the precision is usually lower, and the LC-DAE-BP method has higher recall than the other three methods, so the precision index is slightly lower.

In addition to the indexes, the invention also compares the classification efficiency of the BP neural network, and the time complexity of a certain layer in the BP neural network can be regarded as O (m × n), wherein m is the number of output neurons, and n is the number of output neurons. Therefore, the input dimension of the data has a significant influence on the time complexity of the BP neural network. The experimental results of FIG. 7 give a comparison of the efficiency of the classification experiments for raw data-BP versus LC-DAE-BP.

According to the efficiency comparison experiment of the classification experiment performed once every 50 training periods, as can be seen from fig. 7, in the three training periods 50, 100 and 150, the time consumed for directly performing the classification experiment by using the original data-BP method is shorter, because the time for extracting the data elements needs to be calculated when performing the classification experiment by using the LC-DAC-BP method, the time for performing the classification experiment by using the LC-DAE-BP method is longer than the time for performing the classification experiment by directly using the original data-BP method in the shorter training period. With the increase of the training period, it can be seen that the time required for the classification experiment by the LC-DAE-BP method is less than the time required for the classification experiment by the original data-BP method, which is because the dimension of data is reduced in the element extraction process, thereby reducing m input in the time complexity O (m × n) of the BP neural network, and therefore, with the increase of the training period or the increase of data samples, the efficiency of classification can be greatly improved by the posture estimation element extraction method.

The invention relates to a situation assessment element extraction method based on a layer-by-layer loss compensation depth self-encoder, which is characterized in that the idea of Laplacian pyramid in the fusion of a residual neural network and an image is used for reference, a loss compensation module is added to each coding layer of the depth self-encoder, the module firstly restores data coded by a current layer by using a decoder, secondly codes a characteristic information loss value obtained by comparing the restored data with data before coding, and finally compensates the obtained loss value into corresponding coding layer output data.

While the invention has been described with reference to a preferred embodiment, it will be understood by those skilled in the art that various changes in form and detail may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.