CN118174962B - Network safety feedback analysis method and system based on artificial intelligence - Google Patents


Info

Publication number: CN118174962B
Authority: CN (China)
Prior art keywords: network, session, data, graph, intrusion
Legal status: Active (granted)
Application number: CN202410581648.6A
Other languages: Chinese (zh)
Other versions: CN118174962A
Inventors: 齐艳铭, 杨凡, 邓川
Current assignee: Sichuan Jiuzhou Video Technology Co ltd
Original assignee: Sichuan Jiuzhou Video Technology Co ltd
Application filed by Sichuan Jiuzhou Video Technology Co ltd; priority to CN202410581648.6A; published as CN118174962A; granted and published as CN118174962B.


Classifications

    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H04L41/16 Arrangements for maintenance, administration or management of data switching networks using machine learning or artificial intelligence
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • Artificial Intelligence (AREA)
  • Software Systems (AREA)
  • Medical Informatics (AREA)
  • Evolutionary Computation (AREA)
  • Databases & Information Systems (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides an artificial-intelligence-based network security feedback analysis method and system. By acquiring sample network feedback session data and training on it, an accurate network intrusion estimation model, namely a first network intrusion estimation network, is established, which improves the recognition accuracy of network intrusion behaviors. Secondly, the first network intrusion estimation network and the network intrusion labeling data are used together to train a second network intrusion estimation network; because the second network has fewer parameters, the model is lighter and runs more efficiently while maintaining high estimation precision, which is of particular value in resource-limited environments. Finally, network intrusion risk assessment is carried out rapidly and accurately on an input target network session behavior track, and the target linked network session event is processed in time based on the risk probability, improving the timeliness and effectiveness of network security protection.

Description

Network safety feedback analysis method and system based on artificial intelligence
Technical Field
The application relates to the technical field of artificial intelligence, in particular to a network security feedback analysis method and system based on artificial intelligence.
Background
With the rapid development of information technology, network security problems are increasingly prominent. Traditional network security protection means such as firewalls and Intrusion Detection Systems (IDS) can protect a network to a certain extent, but their protective effect is gradually weakening against increasingly complex and changeable attack techniques. In recent years, the rise of artificial intelligence technology has brought new breakthrough points to the field of network security: its strong data processing and pattern recognition capability makes network security protection more intelligent and efficient.
In existing network security technologies, potential network intrusion behavior is typically identified by acquiring network session data and analyzing it with machine learning algorithms. However, when processing linked network session events, the related art focuses only on a single network session behavior track and ignores the association between the pre-detection node and the protection node. In addition, when processing a large amount of network session data, the related art often faces problems such as high computational complexity and poor real-time performance.
Disclosure of Invention
In view of the above-mentioned problems, in combination with the first aspect of the present application, the present application provides an artificial intelligence based network security feedback analysis method, the method comprising:
Obtaining sample network feedback session data, wherein the sample network feedback session data comprises a network session data sequence of a plurality of linked network session events and network intrusion annotation data of each linked network session event, and the network session data sequence comprises a first network session behavior track of a front detection node and a second network session behavior track of a rear detection node;
Training a first network intrusion estimation network based on a network session data sequence of the plurality of linked network session events and the network intrusion annotation data;
Training a second network intrusion estimation network according to the first network session behavior tracks of the plurality of linked network session events, the network intrusion annotation data, and the network intrusion estimation data generated by the first network intrusion estimation network for the plurality of first network session behavior tracks, wherein the parameter quantity of the second network intrusion estimation network is smaller than that of the first network intrusion estimation network;
Acquiring a target network session behavior track of an input target linkage network session event at a front detection node;
And carrying out network intrusion estimation on the target network session behavior track according to the second network intrusion estimation network, generating the network intrusion risk probability of the target linkage network session event, and processing the target linkage network session event based on the network intrusion risk probability of the target linkage network session event.
In a possible implementation manner of the first aspect, the training the second network intrusion estimation network according to the first network session behavior trajectories of the plurality of linked network session events, the network intrusion annotation data, and the network intrusion estimation data of the first network intrusion estimation network on the plurality of first network session behavior trajectories includes:
Performing network intrusion estimation on first network session behavior tracks of the plurality of linkage network session events according to the first network intrusion estimation network, and generating a network intrusion risk score corresponding to each first network session behavior track;
and training a second network intrusion estimation network by taking the first network session behavior tracks of the plurality of linkage network session events as network learning data and taking the network intrusion risk scores corresponding to each first network session behavior track and the network intrusion labeling data as network supervision data.
In a possible implementation manner of the first aspect, the training the second network intrusion estimation network with the first network session behavior trajectories of the plurality of linked network session events as network learning data and the network intrusion risk score and the network intrusion labeling data corresponding to each first network session behavior trajectory as network supervision data includes:
performing network intrusion estimation on first network session behavior tracks of the plurality of linkage network session events according to the initialized second network intrusion estimation network, and generating first network intrusion estimation data of each first network session behavior track;
calculating a first network intrusion estimation error according to the first network intrusion estimation data of each first network session behavior track and the corresponding network intrusion risk score;
Calculating a second network intrusion estimation error according to the first network intrusion estimation data of each first network session behavior track and the network intrusion annotation data corresponding to each linkage network session event;
And back-propagating based on the first network intrusion estimation error and the second network intrusion estimation error to train the second network intrusion estimation network.
In a possible implementation manner of the first aspect, the performing back propagation based on the first network intrusion estimation error and the second network intrusion estimation error to train the second network intrusion estimation network includes:
acquiring a first importance score of the first network intrusion estimation error and a second importance score of the second network intrusion estimation error;
fusing the first network intrusion estimation error and the second network intrusion estimation error based on the first importance score and the second importance score to generate a target network intrusion estimation error;
and carrying out back propagation according to the target network intrusion estimation error so as to train the second network intrusion estimation network.
In a possible implementation manner of the first aspect, the obtaining a first importance score of the first network intrusion estimation error and a second importance score of the second network intrusion estimation error includes:
Determining importance score allocation parameters based on network learning stage parameters of the second network intrusion estimation network;
calculating a first importance score of the first network intrusion estimation error and a second importance score of the second network intrusion estimation error according to the importance score distribution parameters;
wherein the step of determining importance score distribution parameters based on the network learning phase parameters of the second network intrusion estimation network comprises:
in the training process of the second network intrusion estimation network, recording network learning stage parameters of the current network learning stage, wherein the network learning stage parameters comprise iteration times, training periods or training loss parameters;
comparing the current network learning stage parameter with a set stage threshold value to determine the current training stage;
initializing corresponding importance score distribution parameters according to the training stage, and dynamically adjusting the importance score distribution parameters according to the change of the network learning stage;
the step of calculating a first importance score of the first network intrusion estimation error and a second importance score of the second network intrusion estimation error according to the importance score distribution parameter includes:
Multiplying the weight of the first network intrusion estimation error corresponding to the importance score distribution parameter by the absolute value of the first network intrusion estimation error to obtain a first importance score;
And multiplying the weight corresponding to the second network intrusion estimation error in the importance score distribution parameter by the absolute value of the second network intrusion estimation error to obtain a second importance score.
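Taken together, the steps above describe a teacher-student training loop: the initialized second (small) network is scored against both the first network's risk score and the annotation, the two errors are weighted by stage-dependent importance scores, and the fused error is back-propagated. The following Python is an added illustration and is not code from the patent or its assignee. It replaces the first network by a fixed stand-in scoring function, uses a logistic regression over an assumed three-feature track vector as the second network, and the stage thresholds (100 and 300 iterations), the weight pairs and the sample tracks are all assumed values.

```python
import math
from typing import List, Tuple

# Constructed training set (sample data, not from the patent): one feature vector per
# first (front-node) session behaviour track and its intrusion annotation (1 = intrusion).
# Assumed features: connection rate, failed-login fraction, outbound/inbound byte ratio.
TRACKS: List[Tuple[List[float], float]] = [
    ([0.10, 0.00, 0.20], 0.0), ([0.20, 0.10, 0.30], 0.0),
    ([0.15, 0.05, 0.10], 0.0), ([0.30, 0.00, 0.25], 0.0),
    ([0.90, 0.80, 0.70], 1.0), ([0.80, 0.90, 0.60], 1.0),
    ([0.95, 0.70, 0.85], 1.0), ([0.70, 0.85, 0.90], 1.0),
]


def sigmoid(z: float) -> float:
    return 1.0 / (1.0 + math.exp(-z))


def sign(v: float) -> int:
    return (v > 0) - (v < 0)


def teacher_score(x: List[float]) -> float:
    """Stand-in for the already trained first (large) network: a fixed function
    returning a soft risk score. This is an assumption, not the patent's model."""
    return sigmoid(6.0 * sum(x) / len(x) - 3.0)


def importance_params(iteration: int, thresholds=(100, 300)) -> Tuple[float, float]:
    """Compare the learning-stage parameter (iteration count) with stage thresholds
    (assumed values) and pick the weight pair: a for the error against the teacher
    score, b for the error against the annotation. Early stages follow the teacher,
    late stages trust the labels; a + b = 1 in every stage."""
    if iteration < thresholds[0]:
        return 0.8, 0.2
    if iteration < thresholds[1]:
        return 0.5, 0.5
    return 0.2, 0.8


def fused_error(e1: float, e2: float, params: Tuple[float, float]) -> float:
    """Importance score = stage weight x |error|; the target error is their sum."""
    a, b = params
    s1, s2 = a * abs(e1), b * abs(e2)
    return s1 + s2


def predict(w: List[float], b: float, x: List[float]) -> float:
    """The second network: a logistic model with len(x) + 1 parameters."""
    return sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)


def train_student(data, epochs: int = 500, lr: float = 0.5):
    """Full-batch training of the second network on the fused error."""
    w, b = [0.0] * len(data[0][0]), 0.0
    history = []
    for it in range(epochs):
        params = importance_params(it)
        gw, gb, total = [0.0] * len(w), 0.0, 0.0
        for x, label in data:
            p = predict(w, b, x)
            e1 = p - teacher_score(x)   # first error: against the teacher's risk score
            e2 = p - label              # second error: against the annotation
            total += fused_error(e1, e2, params)
            # Subgradient of the weighted absolute errors, taken through the sigmoid.
            dz = (params[0] * sign(e1) + params[1] * sign(e2)) * p * (1.0 - p)
            gw = [g + dz * xi for g, xi in zip(gw, x)]
            gb += dz
        n = len(data)
        w = [wi - lr * g / n for wi, g in zip(w, gw)]
        b -= lr * gb / n
        history.append(total / n)
    return w, b, history


if __name__ == "__main__":
    w, b, history = train_student(TRACKS)
    for x, label in TRACKS:
        print(f"label={label:.0f} teacher={teacher_score(x):.2f} student={predict(w, b, x):.2f}")
```

The stage switch is visible in `history`: the per-epoch fused error is not comparable across stages because the weights change at the thresholds, so a practitioner monitoring convergence should log the two raw errors separately as well.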
In a possible implementation manner of the first aspect, the training the first network intrusion estimation network based on the network session data sequence of the plurality of linked network session events and the network intrusion annotation data includes:
Performing graph convolution processing on the first network session behavior track and the second network session behavior track to generate a first network session graph convolution result and a second network session graph convolution result, and fusing the first network session graph convolution result and the second network session graph convolution result to generate a network session graph convolution result;
Integrating the network session graph convolution result with a first prior graph convolution result, and performing network intrusion estimation on the integrated graph convolution result to generate second network intrusion estimation data;
Calculating a third network intrusion estimation error based on the second network intrusion estimation data and the network intrusion labeling data corresponding to each linkage network session event, and performing back propagation according to the third network intrusion estimation error so as to train the first network intrusion estimation network;
the step of determining the first prior graph convolution result includes:
Collecting historical network session data, wherein the historical network session data comprises normal network session data and known network intrusion behaviors;
constructing one or more first prior knowledge graphs for representing relationships between entities in a network session using collected historical network session data;
And carrying out graph convolution processing on the one or more first prior knowledge graphs based on the global structural features of the network session, and generating the first prior graph convolution result.
In a possible implementation manner of the first aspect, the step of performing a graph convolution process on the first network session behavior trace and the second network session behavior trace to generate a first network session graph convolution result and a second network session graph convolution result includes:
Constructing first graph data for the first network session behavior track, wherein nodes in the first graph data represent first key behavior events of the front detection node and edges represent logical relations or time sequences among the first key behavior events, and constructing second graph data for the second network session behavior track, wherein nodes in the second graph data represent second key behavior events of the rear detection node and edges represent logical relations or time sequences among the second key behavior events;
Associating a network session feature with each node in the first graph data and the second graph data, the network session feature including a timestamp, a source/destination IP address, a port number and a transmitted packet size;
Respectively inputting the first graph data and the second graph data into a predefined graph convolution network, and in each layer of graph convolution unit of the graph convolution network, updating the network session features of the nodes by aggregating the neighbor information of each node, so that each node in the first graph data and the second graph data fuses the network session features of its neighborhood;
After the graph convolution network processing, extracting the feature representation of each node from the last layer of graph convolution unit of the graph convolution network, combining all the feature representations of the first graph data to generate a first network session graph convolution result, and combining all the feature representations of the second graph data to generate a second network session graph convolution result;
The step of respectively inputting the first graph data and the second graph data into a predefined graph convolution network and, in each layer of graph convolution unit of the graph convolution network, updating the network session features of the nodes by aggregating the neighbor information of each node so that each node in the first graph data and the second graph data fuses the network session features of its neighborhood, includes the following steps:
assigning the network session feature to each node in the first graph data and the second graph data;
And respectively inputting the first graph data and the second graph data into the predefined graph convolution network; for each node, in each layer of the graph convolution network, aggregating the information of the node's neighbor nodes and updating the node's feature representation by a graph convolution operation that combines the node's current network session feature with those of its neighbor nodes, so that in the last layer each node obtains a feature representation fused with its multi-hop neighborhood information, from which the feature representation of each node is extracted.
In a possible implementation manner of the first aspect, the step of fusing the first network session graph convolution result and the second network session graph convolution result to generate a network session graph convolution result includes:
According to the importance of the first network session behavior track and the second network session behavior track in network security analysis, different fusion weights are distributed to the first network session behavior track and the second network session behavior track;
fusing the first network session graph convolution result and the second network session graph convolution result by using the determined fusion weight;
Wherein, the fusion formula is expressed as:
Fused_feature = w1 × First_GCN_Result + w2 × Second_GCN_Result, where w1 and w2 are the weights assigned to the first and second network session graph convolution results, and w1 + w2 = 1.
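As an added illustration (not code from the patent or its assignee) of the graph construction, graph convolution and weighted fusion described above, the following Python builds graph data for a front-node track and a rear-node track, propagates the per-node session features through two mean-aggregation graph convolution units, reads out a track-level vector from the last unit, and fuses the two results with the formula above, rejecting weights that do not sum to 1. The sample tracks, the "same host pair" logical relation used for edges, the feature scaling and the deterministic layer weights are all assumptions.

```python
import random
from typing import Dict, List, Set

Event = Dict[str, object]

# Constructed behaviour tracks (sample data, not from the patent). Each key behaviour
# event carries the session features the claim lists: timestamp, source/destination
# IP address, port number and packet size.
FRONT_TRACK: List[Event] = [
    {"ts": 0.0, "src": "10.0.0.5", "dst": "10.0.1.9", "port": 443, "bytes": 1200},
    {"ts": 0.4, "src": "10.0.0.5", "dst": "10.0.1.9", "port": 443, "bytes": 980},
    {"ts": 1.1, "src": "10.0.0.5", "dst": "10.0.1.22", "port": 8080, "bytes": 60},
    {"ts": 1.5, "src": "10.0.1.9", "dst": "10.0.0.5", "port": 443, "bytes": 4100},
]
REAR_TRACK: List[Event] = [
    {"ts": 2.0, "src": "10.0.1.9", "dst": "10.0.2.3", "port": 22, "bytes": 300},
    {"ts": 2.7, "src": "10.0.1.9", "dst": "10.0.2.3", "port": 22, "bytes": 520},
    {"ts": 3.2, "src": "10.0.2.3", "dst": "10.0.1.9", "port": 22, "bytes": 140},
]


def build_graph(track: List[Event]) -> Dict[int, Set[int]]:
    """Nodes are the events; edges are the time sequence (consecutive events) plus an
    assumed logical relation: two events exchanged between the same pair of hosts."""
    adj: Dict[int, Set[int]] = {i: set() for i in range(len(track))}
    for i in range(len(track) - 1):
        adj[i].add(i + 1)
        adj[i + 1].add(i)
    for i in range(len(track)):
        for j in range(i + 1, len(track)):
            a, b = track[i], track[j]
            if {a["src"], a["dst"]} == {b["src"], b["dst"]}:
                adj[i].add(j)
                adj[j].add(i)
    return adj


def node_features(track: List[Event]) -> List[List[float]]:
    """Assign each node its session feature vector: relative time, scaled port,
    clipped packet size and a privileged-port flag (scaling choices are assumed)."""
    t0 = track[0]["ts"]
    span = max(track[-1]["ts"] - t0, 1e-9)
    return [[(e["ts"] - t0) / span,
             e["port"] / 65535.0,
             min(e["bytes"] / 1500.0, 1.0),
             1.0 if e["port"] < 1024 else 0.0] for e in track]


def gcn_layer(adj, feats, weight):
    """One graph convolution unit: every node averages its own features with its
    neighbours' (mean aggregation with a self-loop), then applies the weight matrix
    (rows = output units) and ReLU."""
    out = []
    for v, h in enumerate(feats):
        group = [h] + [feats[u] for u in adj[v]]
        agg = [sum(col) / len(group) for col in zip(*group)]
        out.append([max(0.0, sum(a * w for a, w in zip(agg, row))) for row in weight])
    return out


def make_weights(in_dim: int, out_dim: int, seed: int):
    """Deterministic stand-in for learned weights."""
    rng = random.Random(seed)
    return [[rng.uniform(-0.5, 0.5) for _ in range(in_dim)] for _ in range(out_dim)]


HIDDEN = 3
LAYERS = [make_weights(4, HIDDEN, 1), make_weights(HIDDEN, HIDDEN, 2)]


def graph_conv_result(track: List[Event], layers=LAYERS) -> List[float]:
    """Run the track through every graph convolution unit, then combine the last
    unit's node representations (mean readout) into one track-level vector."""
    adj = build_graph(track)
    h = node_features(track)
    for w in layers:
        h = gcn_layer(adj, h, w)
    return [sum(col) / len(h) for col in zip(*h)]


def fuse(first: List[float], second: List[float], w1: float, w2: float) -> List[float]:
    """Fused_feature = w1 * First_GCN_Result + w2 * Second_GCN_Result, with w1 + w2 = 1."""
    if abs(w1 + w2 - 1.0) > 1e-9:
        raise ValueError("fusion weights must sum to 1")
    return [w1 * a + w2 * b for a, b in zip(first, second)]


if __name__ == "__main__":
    first = graph_conv_result(FRONT_TRACK)
    second = graph_conv_result(REAR_TRACK)
    print("fused network session graph convolution result:", fuse(first, second, 0.6, 0.4))
```

Because the two tracks are processed by the same layers, their readout vectors share a feature space, which is what makes the element-wise weighted fusion meaningful; tracks of different lengths still yield vectors of the same size because the readout averages over nodes.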
In a possible implementation manner of the first aspect, the performing network intrusion estimation on the first network session behavior trajectories of the plurality of linked network session events according to the initialized second network intrusion estimation network, generating first network intrusion estimation data of each first network session behavior trajectory, includes:
Integrating a first network session graph convolution result corresponding to each first network session behavior track with a second prior graph convolution result, wherein the second prior graph convolution result is matched with the characteristic dimension of the first prior graph convolution result;
performing network intrusion estimation on the integration graph convolution result to generate first network intrusion estimation data of each first network session behavior track;
The step of determining the second prior graph convolution result includes:
Collecting historical network session data, wherein the historical network session data comprises normal network session data and known network intrusion behaviors;
Constructing one or more second prior knowledge graphs for representing relationships between entities in the network session using the collected historical network session data;
and carrying out graph convolution processing on the one or more second prior knowledge graphs based on the local structural features of the network session, and generating a second prior graph convolution result.
In yet another aspect, the present application further provides an artificial intelligence based network security feedback analysis system, including a processor, a machine-readable storage medium, where the machine-readable storage medium is connected to the processor, and the machine-readable storage medium is used to store a program, an instruction, or a code, and the processor is used to execute the program, the instruction, or the code in the machine-readable storage medium, so as to implement the method described above.
Based on the above aspects, by acquiring sample network feedback session data and training, an accurate network intrusion estimation model, namely a first network intrusion estimation network, can be effectively established, so that the accuracy of identifying network intrusion behaviors is improved. Secondly, the first network intrusion estimation network and the network intrusion labeling data are utilized to train the second network intrusion estimation network, and the model is lighter and has higher operation efficiency due to the smaller parameter quantity of the second network, and meanwhile, higher estimation precision is maintained, so that the method has important value in practical application, and particularly in the environment with limited resources. Finally, network intrusion risk assessment can be rapidly and accurately carried out on the input target network session behavior track, and the target linkage network session event is timely processed based on the risk probability, so that the instantaneity and the effectiveness of network security protection are greatly improved. Therefore, the intelligent level of network safety protection is improved through an artificial intelligence technology.
Drawings
Fig. 1 is a schematic diagram of an execution flow of an artificial intelligence based network security feedback analysis method according to an embodiment of the present application.
Fig. 2 is a schematic diagram of a hardware architecture of an artificial intelligence based network security feedback analysis system according to an embodiment of the present application.
Detailed Description
The present application is described in detail below with reference to the accompanying drawings. Fig. 1 is a schematic flow chart of an artificial-intelligence-based network security feedback analysis method according to an embodiment of the present application; the method is described step by step below.
Step S110, sample network feedback session data is obtained, wherein the sample network feedback session data comprises a network session data sequence of a plurality of linkage network session events and network intrusion annotation data of each linkage network session event, and the network session data sequence comprises a first network session behavior track of a front detection node and a second network session behavior track of a rear detection node.
In detail, the sample network feedback session data is a data set used for training, verifying or testing a network security model. It contains detailed information on a plurality of network session events and is either collected from a real network environment or generated by simulating real network behavior. For example, all network traffic records of a large data platform over the course of a day may be saved for use as training data for subsequent data analysis or machine learning models.
Linked network session events are interrelated events: they may be different phases or components of one network session, or network responses of different components that interact in a security event. A network session event generally refers to a series of data exchange or communication activities that occur over a network.
The network session data sequence is a chronological data set that records all activities of the network session event from start to end, typically including time stamps, source and destination IP addresses, port numbers, type of data transmitted, etc. For example, when a user accesses a web site, a request is sent to the web server, which can respond to the request and send back the required data, and all communication data generated in the process are arranged according to the time sequence of occurrence, so as to form a network session data sequence.
The network intrusion annotation data is a marker of a network intrusion risk probability value corresponding to a network intrusion behavior for a linkage network session event. In machine learning, these network intrusion labeling data are used as labels for supervised learning, helping the model identify which network behaviors are normal and which are intrusion behaviors.
In the network architecture, the front detection node is responsible for monitoring and analyzing network traffic to identify any potential abnormal behavior; the rear detection node is responsible for taking further follow-up detection actions when a potential abnormal behavior is detected, such as detecting the system paths affected by the abnormal traffic. That is, the pre-detection node is used to monitor and analyze network traffic in order to discover abnormal behavior in time, and after the rear detection node is informed of the abnormal behavior, it carries out the corresponding advanced detection operation.
The first network session behavior track and the second network session behavior track refer to detailed tracks of network session behaviors recorded at a pre-detection node and a protection node respectively, and the network session behavior tracks comprise a series of network activities such as sending and receiving data packets, establishing and disconnecting a connection and the like. That is, the first network session behavior trace refers to a detailed trace of network activity recorded at the pre-detection node, and is mainly used for identifying potential abnormal behavior. The second network session behavior track refers to a detailed track of network activity recorded at a post-detection node, and is generally used for analyzing a network response process after abnormal behavior occurs.
Thus, in this embodiment, the server obtains sample network feedback session data from the network monitoring system, collected from a plurality of linked network session events in the network over a period of time. Each linked network session event contains a complete network session data sequence detailing a first network session behavior trace at the pre-detection node and a second network session behavior trace at the post-detection node. In addition, each linked network session event carries network intrusion labeling data that explicitly labels the network intrusion probability value of the event with respect to the network intrusion behavior.
Step S120, training the first network intrusion estimation network based on the network session data sequences of the plurality of linkage network session events and the network intrusion annotation data.
In this embodiment, the server starts training the first network intrusion estimation network by using the acquired network session data sequences and the network intrusion annotation data of the plurality of linked network session events. In the training process, the server takes the network session data sequence as input, the network intrusion labeling data as expected output, and the weight and parameters of the network are continuously adjusted through a back propagation algorithm, so that the first network intrusion estimation network can learn the mode of identifying intrusion behaviors from the network session data.
Step S130, training a second network intrusion estimation network according to the first network session behavior tracks of the plurality of linkage network session events, the network intrusion labeling data and the network intrusion estimation data of the first network session behavior tracks by the first network intrusion estimation network, where the parameter quantity of the second network intrusion estimation network is smaller than the parameter quantity of the first network intrusion estimation network.
In this embodiment, after the first network intrusion estimation network is trained, the server uses it to assist in training the second network intrusion estimation network. First, the server performs network intrusion estimation on the first network session behavior tracks of the plurality of linked network session events with the first network intrusion estimation network and generates a network intrusion risk score for each track. These network intrusion risk scores are then used together with the network intrusion annotation data as supervision data to train the second network intrusion estimation network. Because the second network intrusion estimation network has far fewer parameters, the model size is compressed as much as possible while performance is maintained, which facilitates quick deployment and response.
Step S140, obtaining a target network session behavior track of the input target linkage network session event at the front detection node.
Step S150, performing network intrusion estimation on the target network session behavior track according to the second network intrusion estimation network, generating a network intrusion risk probability of the target linkage network session event, and processing the target linkage network session event based on the network intrusion risk probability of the target linkage network session event.
In this embodiment, when a new linked network session event occurs, the server immediately captures a target network session behavior trace of the linked network session event at the pre-detection node, where the target network session behavior trace includes a series of key behaviors and data exchange records of the linked network session event in the network.
The server inputs the captured target network session behavior track into a trained second network intrusion estimation network to perform real-time estimation of network intrusion risks. The second network intrusion estimation network outputs a value indicative of the probability of the existence of a network intrusion for the coordinated network session event. Based on this risk probability, the server may decide whether immediate defensive measures, such as blocking the suspicious connection, raising an alarm or performing further in-depth analysis, are needed. For example, if the network intrusion risk probability exceeds a preset threshold, the server may automatically isolate network traffic associated with the linked network session event to ensure network security.
Based on the above steps, an accurate network intrusion estimation model, namely the first network intrusion estimation network, can be established by obtaining the sampled network feedback session data and training on it, which improves the accuracy of identifying network intrusion behaviors. Second, the first network intrusion estimation network and the network intrusion labeling data are used to train the second network intrusion estimation network; because the second network has fewer parameters, the model is lighter and runs more efficiently while maintaining high estimation precision, which is valuable in practice, especially in resource-constrained environments. Finally, network intrusion risk assessment can be carried out quickly and accurately on the input target network session behavior track, and the target linkage network session event is processed in time based on the risk probability, greatly improving the real-time performance and effectiveness of network security protection. In this way, the intelligence level of network security protection is improved through artificial intelligence technology.
In one possible implementation, step S130 may include:
Step S131, performing network intrusion estimation on the first network session behavior tracks of the plurality of linked network session events according to the first network intrusion estimation network, and generating a network intrusion risk score corresponding to each first network session behavior track.
Step S132, training the second network intrusion estimation network by using the first network session behavior tracks of the plurality of linkage network session events as network learning data and using the network intrusion risk score and the network intrusion labeling data corresponding to each first network session behavior track as network supervision data.
In this embodiment, the server first loads the first network intrusion estimation network for an initial estimate of the security risk of the network session. Then, the server reads the first network session behavior trace data of a plurality of linkage network session events from the database and inputs it into the first network intrusion estimation network. Through the calculation and analysis of the first network intrusion estimation network, the server obtains the network intrusion risk score corresponding to each first network session behavior track. The network intrusion risk scores reflect the potential security risk of each network session: the higher the score, the more likely the linked network session event is to be malicious or an intrusion.
After the network intrusion risk score is generated, the server begins to prepare to train a second network intrusion estimation network that will be used to more accurately predict network intrusion behavior.
The server takes as network learning data a first network session behavior trace of a plurality of linked network session events that were used previously. Meanwhile, the server also takes the network intrusion risk scores and the network intrusion labeling data corresponding to each first network session behavior track as network supervision data, and the network supervision data provide learning targets and directions for the second network intrusion estimation network.
Next, the server initiates a training process for the second network intrusion estimation network. During the training process, the server continuously inputs the network learning data into the network, and performs error back propagation and optimizes network parameters according to the network supervision data. Through multiple iterative training, the second network intrusion estimation network gradually learns how to predict the network intrusion risk according to the first network session behavior trace data.
Finally, after training is completed, the server obtains a second network intrusion estimation network capable of accurately evaluating the security risk of the network session, and the second network intrusion estimation network can play an important role in future network monitoring, and timely discover and early warn potential network intrusion behaviors.
In one possible implementation, step S132 may include:
Step S1321, performing network intrusion estimation on the first network session behavior tracks of the plurality of linked network session events according to the initialized second network intrusion estimation network, and generating first network intrusion estimation data of each first network session behavior track.
In this embodiment, the server first initializes a second network intrusion estimation network that is untrained for subsequent cyber-security risk assessment. The server then inputs the first network session behavior trace data one by one into the initialized second network intrusion estimation network. The second network intrusion estimation network processes and analyzes the first network session behavior track data to generate first network intrusion estimation data corresponding to each first network session behavior track, and the first network intrusion estimation data reflects preliminary evaluation of the security risk of the current session behavior by the second network intrusion estimation network.
Step S1322, calculating a first network intrusion estimation error according to the first network intrusion estimation data of each first network session behavior trace and the corresponding network intrusion risk score.
After the first network intrusion estimation data are generated, the server calculates the errors between the first network intrusion estimation data and the corresponding network intrusion risk scores. To do so, the server compares the first network intrusion estimation data for each first network session behavior trace with the corresponding network intrusion risk score. By calculating the difference between the two, the server obtains a first network intrusion estimation error that reflects how far the second network intrusion estimation network's prediction of network intrusion risk departs from that of the first network intrusion estimation network.
Step S1323, calculating a second network intrusion estimation error according to the first network intrusion estimation data of each first network session behavior trace and the network intrusion labeling data corresponding to each linkage network session event.
After the first network intrusion estimation error is calculated, the server continues to calculate a second network intrusion estimation error by comparing the first network intrusion estimation data generated by the second network intrusion estimation network with the actual network intrusion labeling data.
The server compares the first network intrusion estimation data of each first network session behavior trace with the corresponding network intrusion annotation data. The server obtains a second network intrusion estimation error by calculating the difference between the two, and the second network intrusion estimation error reflects the degree of difference between the second network intrusion estimation network and the real labeling data when predicting the network intrusion risk.
Step S1324, performing back propagation based on the first network intrusion estimation error and the second network intrusion estimation error, so as to train the second network intrusion estimation network.
After the first network intrusion estimation error and the second network intrusion estimation error are obtained, the server starts training the second network intrusion estimation network by using the first network intrusion estimation error and the second network intrusion estimation error. The goal of the training is to reduce these errors and improve the accuracy of the predictions of the network model.
The server employs a back-propagation algorithm to update the parameters of the network model. Specifically, the server calculates the gradient of the model parameters according to the first network intrusion estimation error and the second network intrusion estimation error, and adjusts the parameters of the network model according to the opposite direction of the gradient.
As training proceeds, the second network intrusion estimation network gradually learns how to more accurately predict the security risk of the network session. After training is completed, the server obtains a network model with better performance, and can play an important role in future network monitoring, and timely discover and early warn potential network intrusion behaviors.
In one possible implementation, step S1324 includes:
step S1324-1, acquiring a first importance score of the first network intrusion estimation error and a second importance score of the second network intrusion estimation error.
Step S1324-2, fusing the first network intrusion estimation error and the second network intrusion estimation error based on the first importance score and the second importance score, to generate a target network intrusion estimation error.
Step S1324-3, back-propagating according to the target network intrusion estimation error to train the second network intrusion estimation network.
In this embodiment, after completing network intrusion estimation and calculating a first network intrusion estimation error and a second network intrusion estimation error, the server enters a next training preparation stage. At this stage, the server needs to obtain importance scores for the first network intrusion estimation error and the second network intrusion estimation error in order to reasonably weigh their impact in the training process.
First, the server accesses a pre-set scoring system or profile that includes settings for two error importance scores, which may be set based on historical data, expert opinion, or experimental results, reflecting the relative importance of each error in the training process.
The server reads from the scoring system or profile a first importance score for the first network intrusion estimation error and a second importance score for the second network intrusion estimation error; the scores are numerical values, for example weights between 0 and 1.
After the importance scores of the two errors are obtained, the server then needs to fuse the two errors to generate a target network intrusion estimation error, and the fusion process is weighted based on the importance scores of the two errors.
The server first performs a weighted summation of the first network intrusion estimation error and the second network intrusion estimation error according to the first and second importance scores. Specifically, the server multiplies the first network intrusion estimation error by the first importance score, multiplies the second network intrusion estimation error by the second importance score, and then adds the two weighted errors to obtain the target network intrusion estimation error.
This procedure ensures that the effects of both errors are taken into account simultaneously in the training process and that a reasonable trade-off is made according to their importance.
After the target network intrusion estimation error is generated, the server begins using this error for back propagation training to adjust parameters of the second network intrusion estimation network.
The server first calculates a gradient of the target network intrusion estimation error with respect to the network model parameters, which gradient indicates how the parameters of the network model should be adjusted in order to reduce the error.
The server then uses an optimization algorithm (e.g., gradient descent) to update the parameters of the network model. Specifically, the server performs fine adjustment on parameters of the network model according to the calculated gradient, so as to reduce the target network intrusion estimation error.
The process is iterative, and the server can perform forward propagation, error calculation and backward propagation for a plurality of times, and continuously update parameters of the network model until a preset training round is reached or the error converges below a certain threshold.
Through such a training process, the server can gradually optimize the performance of the second network intrusion estimation network, so that it can more accurately predict the network intrusion risk.
In one possible implementation, step S1324-1 includes:
Step S1324-11, determining an importance score allocation parameter based on the network learning stage parameters of the second network intrusion estimation network.
Step S1324-12, calculating a first importance score of the first network intrusion estimation error and a second importance score of the second network intrusion estimation error according to the importance score allocation parameter.
In this embodiment, before the second network intrusion estimation network starts to be trained, the server sets a series of parameters including learning rate, batch size, importance score distribution parameters, etc. according to the learning stage of the current second network intrusion estimation network, which are critical to the regulation of the training process.
The importance score assignment parameter is a specially designed value for determining the relative importance of the first network intrusion estimation error and the second network intrusion estimation error during the training process, the setting of the parameter typically being based on the training phase and training objectives of the network.
For example, during the initial stage of network training, the server may set a higher importance score assignment parameter to the first network intrusion estimation error to allow the network to learn the basic network intrusion pattern more quickly. As training progresses, the server may gradually decrease the value of this parameter, increasing the importance score assignment parameter of the second network intrusion estimation error so that the network can more finely adjust its predictions to more closely approximate the actual network intrusion annotation data.
The server dynamically adjusts the importance score assignment parameters by accessing an internal configuration system or using a preset algorithm that automatically adjusts the parameters based on the training progress of the network, the rate of error reduction, and other performance metrics.
Once the server determines the importance score assignment parameters, these importance score assignment parameters are used to calculate a first importance score for the first network intrusion estimation error and a second importance score for the second network intrusion estimation error.
In particular, the server may convert the importance score assignment parameter of the first network intrusion estimation error into a specific value, which represents the weight of the first network intrusion estimation error during the training process. Similarly, the server calculates a corresponding weight value for the second network intrusion estimation error.
These weight values will be used in the subsequent training process to instruct the network how to adjust its parameters based on both errors. For example, if the first importance score is higher, the network may be more focused on reducing the first network intrusion estimation error during training; conversely, if the second importance score is higher, the network will pay more attention to the consistency with the true annotation data.
By the mode, the server can flexibly adjust the influence of different errors in the training process, so that the training effect of the network is optimized.
For another example, in a specific implementation, the step of determining the importance score allocation parameter based on the network learning stage parameter of the second network intrusion estimation network includes:
in the training process of the second network intrusion estimation network, recording the network learning stage parameters of the current network learning stage, where the network learning stage parameters include the iteration count, training epoch or training loss parameters;
comparing the current network learning stage parameter with a set stage threshold value to determine the current training stage;
initializing the corresponding importance score allocation parameter according to the training stage, and dynamically adjusting the importance score allocation parameter as the network learning stage changes;
the step of calculating a first importance score of the first network intrusion estimation error and a second importance score of the second network intrusion estimation error according to the importance score allocation parameter includes:
multiplying the weight corresponding to the first network intrusion estimation error in the importance score allocation parameter by the absolute value of the first network intrusion estimation error to obtain the first importance score;
multiplying the weight corresponding to the second network intrusion estimation error in the importance score allocation parameter by the absolute value of the second network intrusion estimation error to obtain the second importance score.
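The error fusion of steps S1324-1 to S1324-3 and the stage-dependent weighting of steps S1324-11 and S1324-12, as an added worked example in Python. This is not code from the patent or its applicant: a small logistic-regression model stands in for the second network (it has far fewer parameters than any plausible first network), the first network's risk scores and the annotation data are constructed sample values, and the stage thresholds, weight schedule, loss functions and decision threshold are assumptions. The importance scores are held constant during each gradient step, which is a design choice rather than something the text specifies.

```python
import numpy as np

# Constructed sample data (not taken from the patent): six first network session
# behaviour tracks already reduced to standardized 4-dimensional feature
# vectors, the first network's risk score for each track, and the network
# intrusion annotation (1 = intrusion, 0 = normal).
TRACKS = np.array([
    [-0.9, -0.7, -0.8, -0.6],
    [-0.6, -0.8, -0.7, -0.9],
    [-0.8, -0.6, -0.9, -0.7],
    [ 0.8,  0.9,  0.6,  0.7],
    [ 0.7,  0.6,  0.9,  0.8],
    [ 0.9,  0.7,  0.8,  0.6],
])
RISK_SCORES = np.array([0.05, 0.10, 0.20, 0.95, 0.90, 0.85])  # first network's output
LABELS = np.array([0.0, 0.0, 0.0, 1.0, 1.0, 1.0])             # annotation data


def allocation_parameter(iteration, stage_thresholds=(50, 150)):
    """Step S1324-11: compare the learning-stage parameter (here the iteration
    count) with stage thresholds and pick the importance score allocation
    parameter (w_first, w_second). Early training leans on the first network's
    scores, later training on the annotation data. Thresholds and schedule
    are assumptions, not values from the patent."""
    stage = sum(iteration >= t for t in stage_thresholds)
    return ((0.8, 0.2), (0.5, 0.5), (0.2, 0.8))[stage]


def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))


def estimation_errors(pred, risk_scores, labels, eps=1e-7):
    """Steps S1322/S1323: first error against the first network's risk scores
    (mean squared error), second error against the annotation data (binary
    cross-entropy). The choice of loss functions is an assumption."""
    err_first = float(np.mean((pred - risk_scores) ** 2))
    p = np.clip(pred, eps, 1.0 - eps)
    err_second = float(-np.mean(labels * np.log(p) + (1.0 - labels) * np.log(1.0 - p)))
    return err_first, err_second


def importance_scores(err_first, err_second, w_first, w_second):
    """Step S1324-12: importance score = allocation weight times |error|."""
    return w_first * abs(err_first), w_second * abs(err_second)


def fuse_errors(err_first, err_second, s_first, s_second):
    """Step S1324-2: target error = s_first * err_first + s_second * err_second."""
    return s_first * err_first + s_second * err_second


def train_second_network(tracks, risk_scores, labels, iterations=300, lr=0.5):
    """Train a deliberately small model (logistic regression, standing in for
    the second network) by back-propagating the fused target error (S1324-3)."""
    n, d = tracks.shape
    w, b = np.zeros(d), 0.0
    history = []
    for it in range(iterations):
        w_first, w_second = allocation_parameter(it)
        pred = sigmoid(tracks @ w + b)
        err_first, err_second = estimation_errors(pred, risk_scores, labels)
        s_first, s_second = importance_scores(err_first, err_second, w_first, w_second)
        history.append(fuse_errors(err_first, err_second, s_first, s_second))
        # Gradient of the target error w.r.t. the logit. The importance scores
        # are held fixed for the step (design choice), so
        #   d(target)/d(logit) = s_first * dE1/dlogit + s_second * dE2/dlogit,
        # with dE1/dpred = 2 (pred - score) / n, dpred/dlogit = pred (1 - pred),
        # and the cross-entropy through the sigmoid giving (pred - label) / n.
        d_logit = (s_first * 2.0 * (pred - risk_scores) / n * pred * (1.0 - pred)
                   + s_second * (pred - labels) / n)
        w -= lr * tracks.T @ d_logit
        b -= lr * d_logit.sum()
    return w, b, history


def risk_probability(w, b, track):
    """Step S150: network intrusion risk probability for one behaviour track."""
    return float(sigmoid(track @ w + b))


def handle_event(probability, threshold=0.7):
    """Step S150: act on the probability; the threshold value is an assumption."""
    return "isolate" if probability >= threshold else "allow"


if __name__ == "__main__":
    w, b, history = train_second_network(TRACKS, RISK_SCORES, LABELS)
    print(f"target error {history[0]:.4f} -> {history[-1]:.4f}")
    for track, label in zip(TRACKS, LABELS):
        p = risk_probability(w, b, track)
        print(f"label={int(label)} risk={p:.3f} action={handle_event(p)}")
```

Because each importance score is the allocation weight times the magnitude of its own error, an error that is already small contributes little to the fused target, so the schedule in `allocation_parameter` is what actually shifts emphasis from imitating the first network towards matching the labels as training proceeds.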
In one possible implementation, step S120 includes:
Step S121, performing graph convolution processing on the first network session behavior track and the second network session behavior track, generating a first network session graph convolution result and a second network session graph convolution result, and fusing the first network session graph convolution result and the second network session graph convolution result to generate a network session graph convolution result.
Step S122, integrating the network session graph convolution result with a first prior graph convolution result, and performing network intrusion estimation on the integrated graph convolution result to generate second network intrusion estimation data.
Step S123, calculating a third network intrusion estimation error based on the second network intrusion estimation data and the network intrusion labeling data corresponding to each linkage network session event, and performing back propagation according to the third network intrusion estimation error, so as to train the first network intrusion estimation network.
The step of determining the first prior graph convolution result includes:
Step a110, collecting historical network session data, the historical network session data including normal network session data and known network intrusion behavior.
Step a120, constructing, from the collected historical network session data, one or more first prior knowledge graphs representing relationships between entities in the network session.
Step a130, performing graph convolution processing on the one or more first prior knowledge graphs based on the global structural features of the network session, so as to generate the first prior graph convolution result.
In this embodiment, the server builds a graph convolutional network model capable of processing the graph-structured data in a network session. The server inputs the first network session behavior track and the second network session behavior track into the graph convolutional network model respectively and performs graph convolution processing. During processing, the graph convolutional network model analyzes the relations among the entities in the network session and extracts high-level features. After the graph convolution processing, the server obtains a first network session graph convolution result and a second network session graph convolution result, which respectively represent the feature information extracted from the two network session behavior tracks.
To make full use of this information, the server fuses the first network session graph convolution result and the second network session graph convolution result. In the fusion process, the server applies a specific algorithm that weights and averages the features in the two results, or combines them through another fusion strategy, finally generating a fused network session graph convolution result.
After the network session graph convolution result is obtained, the server does not directly use the result to perform network intrusion estimation. Instead, more a priori knowledge is introduced to improve the accuracy of the estimation.
To obtain this a priori knowledge, the server first collects a large amount of historical network session data, including both normal network session data and known network intrusion behavior data. Through analysis of this data, the server builds one or more first prior knowledge graphs that describe relationships between entities in the network session, as well as patterns of known network intrusion behavior.
Next, the server performs graph convolution processing on the prior knowledge graphs based on global structural features of the network session. During the processing, the model can deeply analyze the structural information in the priori knowledge graph and extract the characteristics related to the network intrusion behavior. After processing, the server obtains a first prior graph convolution result.
The server then integrates the network session graph convolution result with the first prior graph convolution result, the integration being achieved by a specific algorithm that is capable of effectively combining features in the two results to obtain a more comprehensive and accurate integrated graph convolution result.
Finally, the server uses the integrated graph convolution result to perform network intrusion estimation. By analyzing the feature information in the integrated result in depth, the server can accurately judge whether the current network session contains intrusion behavior and generates second network intrusion estimation data.
After the second network intrusion estimation data is generated, the server needs to compare with the real network intrusion annotation data to evaluate the accuracy of the estimation. The server acquires the network intrusion annotation data corresponding to each linkage network session event from the database.
By comparing the difference between the second network intrusion estimation data and the actual network intrusion annotation data, the server calculates a third network intrusion estimation error reflecting the accuracy of the server in terms of network intrusion estimation.
In order to further improve accuracy, the server performs back propagation training according to the third network intrusion estimation error. During the training process, the server can adjust parameters of the network model according to the magnitude and direction of the error. Through repeated iterative training and optimized parameter setting, the server can gradually reduce the third network intrusion estimation error and improve the accuracy of network intrusion estimation.
In one possible implementation, step S121 includes:
Step S1211, for the first network session behavior trace, constructing first graph data, where nodes in the first graph data represent first critical behavior events at the pre-detection node and edges represent a logical relationship or time sequence between the first critical behavior events; and for the second network session behavior trace, constructing second graph data, where nodes in the second graph data represent second critical behavior events at the pre-detection node and edges represent a logical relationship or time sequence between the second critical behavior events.
Step S1212, assigning to each node in the first graph data and the second graph data network session characteristics, including a timestamp, source/destination IP address, port number and transmitted packet size.
Step S1213, inputting the first graph data and the second graph data respectively into a predefined graph convolutional network, and in each graph convolution unit (layer) of the graph convolutional network, updating the network session characteristics of the nodes by aggregating the neighbor information of each node, so that each node in the first graph data and the second graph data fuses the network session characteristics of its neighborhood.
Step S1214, after processing by the graph convolutional network, extracting the feature representation of each node from the last graph convolution unit of the graph convolutional network, combining all the feature representations of the first graph data to generate the first network session graph convolution result, and combining all the feature representations of the second graph data to generate the second network session graph convolution result.
In this embodiment, for the first network session behavior trace, the server begins by constructing first graph data. In this first graph data, each node represents a first critical behavior event that occurred at the pre-detection node, such as an abnormal data transmission or an illegal login attempt. The edges in the graph represent the logical relationship or chronological order between these first critical behavior events. For example, an illegal login attempt (node A) may lead to a data leakage event (node B), in which case there may be an edge between the two nodes pointing from A to B.
Similarly, for the second network session behavior trace, the server also constructs a second graph data, where nodes in the second graph data represent second critical behavior events and edges represent logical relationships or time sequences between the events.
After constructing the first and second graph data, the server begins adding to each node the relevant network session characteristics including a timestamp (recording the time the event occurred), source/destination IP address (identifying the source and destination of the data), port number (identifying the channel for the data transfer), and the size of the transferred data packet (indicating the amount of data transferred).
For example, for a node in the first graph data, it represents an abnormal data transmission event. The server may add a timestamp (e.g., "2023-07-06 14:20:00"), a source IP address (e.g., "192.168.1.100"), a destination IP address (e.g., "10.0.0.1"), a port number (e.g., "8080"), and a transmitted packet size (e.g., "1024 bytes") to this node.
Next, the server inputs the first graph data and the second graph data respectively into a predefined graph convolutional network. In this network, each graph convolution unit (layer) updates the network session characteristics of the nodes by aggregating the neighbor information of each node.
Taking one node in the first graph data as an example, assume that it has three neighbor nodes. During graph convolution, the characteristics of this node are updated to an aggregate of its own characteristics and those of its three neighbors, so that each node merges the network session characteristics of its neighborhood.
After processing by the graph convolutional network, the server extracts the feature representation of each node from the last graph convolution unit of the network; these feature representations capture the combined information of each node and its neighborhood.
For the first graph data, the server combines the feature representations of all nodes to generate the first network session graph convolution result. Likewise, for the second graph data, the server generates the second network session graph convolution result.
The two graph convolution results not only contain the information of each key behavior event, but also integrate the information of surrounding events, and provide a rich feature set for subsequent network intrusion detection.
The step of respectively inputting the first graph data and the second graph data into a predefined graph convolutional network and, in each graph convolution unit of the graph convolutional network, updating the network session characteristics of the nodes by aggregating the neighbor information of each node so that each node in the first graph data and the second graph data fuses the network session characteristics of its neighborhood, comprises the following steps:
assigning the network session features to each node in the first graph data and the second graph data;
respectively inputting the first graph data and the second graph data into the predefined graph convolutional network and, for each node, aggregating the information of its neighbor nodes in each layer of the graph convolutional network, updating the feature representation of the node by a graph convolution operation that combines the node's current network session features with those of its neighbor nodes, so that in the last layer of the graph convolutional network each node obtains a feature representation fused with its multi-hop neighborhood information, from which the feature representation of each node is extracted.
In one possible implementation, step S121 includes:
Step S1211, allocating different fusion weights to the first network session behavior trace and the second network session behavior trace according to the importance of the first network session behavior trace and the second network session behavior trace in the network security analysis.
Step S1212, fusing the first network session graph convolution result and the second network session graph convolution result using the determined fusion weight.
Wherein, the fusion formula is expressed as:
Fused_Feature = w1 * First_GCN_Result + w2 * Second_GCN_Result, where w1 and w2 are the weights assigned to the first and second network session graph convolution results, and w1 + w2 = 1.
In this embodiment, the server first analyzes the importance of the first network session behavior trace and the second network session behavior trace in the network security analysis, for example, based on historical data, expert knowledge, and the current network threat environment.
For example, if the first web session behavior trace is primarily focused on user login behavior, and a series of attacks against the login system have recently been discovered, then the importance of this trace may be relatively high. Whereas the second network session behavior trace, if focused on file transfer behavior, may be of somewhat less importance in the context of no current relevant file transfer attacks.
Based on this analysis, the server assigns a higher fusion weight, such as 0.6 (i.e. w1 = 0.6), to the first network session behavior trace and a lower fusion weight, such as 0.4 (i.e. w2 = 0.4), to the second network session behavior trace. Assigning the weights in this way ensures that the more important trace information carries more weight in the fusion of the network session graph convolution results.
After determining the fusion weights, the server fuses the first network session graph convolution result and the second network session graph convolution result using these weights.
Assume that the first network session graph convolution result is a feature vector First_GCN_Result and the second network session graph convolution result is another feature vector Second_GCN_Result. The server uses the fusion formula described above to make the calculation:
Fused_Feature = 0.6 * First_GCN_Result + 0.4 * Second_GCN_Result
The fusion is performed at the feature level: the server multiplies the feature values at corresponding positions in the two graph convolution results by their respective weights and adds the weighted feature values to obtain a new fused feature vector Fused_Feature. This fused feature vector takes into account the information of both the first and the second network session behavior track, weighted according to their importance, and so provides a more accurate and comprehensive feature input for subsequent network intrusion detection.
In one possible implementation, step S1321 includes:
Step S1321-1, integrating the first network session graph convolution result corresponding to each first network session behavior trace with a second prior graph convolution result, where the second prior graph convolution result is matched with the feature dimension of the first prior graph convolution result.
Step S1321-2, performing network intrusion estimation on the integration graph convolution result to generate first network intrusion estimation data of each first network session behavior track.
The step of determining the convolution result of the second prior graph includes:
Step B110, collecting historical network session data, the historical network session data including normal network session data and known network intrusion behavior.
Step B120, constructing, using the collected historical network session data, one or more second prior knowledge graphs representing relationships between entities in the network session.
And step B130, performing graph convolution processing on the one or more second prior knowledge graphs based on the local structural features of the network session, and generating a second prior graph convolution result.
In this embodiment, the server first obtains first network session graph convolution results corresponding to the first network session behavior tracks of the plurality of linked network session events, where the graph convolution results capture features of the current network session behavior.
At the same time, the server also holds a second prior graph convolution result which is generated based on historical network session data and has been matched in feature dimensions to ensure that it can be integrated with the first network session graph convolution result.
The integration process is to correspondingly add or average the convolution result of the first network session graph and the convolution result of the second prior graph according to the feature dimension, so as to obtain an integration graph convolution result integrating the current network session behavior feature and the historical prior knowledge.
After obtaining the integrated graph convolution result, the server may perform network intrusion estimation on the result using an initialized second network intrusion estimation network, which may be a deep learning model, such as a convolutional neural network or a recurrent neural network, that has been trained to recognize network intrusion behavior.
By inputting the integrated graph convolution results into this network, the server may obtain first network intrusion estimation data for each first network session behavior trace. The first network intrusion estimation data may be a score representing the likelihood of intrusion, a category label (e.g., "normal" or "intrusion"), or other form of estimation.
To construct the second prior graph convolution result, the server first needs to collect a large amount of historical network session data, including normal network session data as well as known network intrusion behavior data, which may be obtained from past network logs, security event reports, and other relevant sources. After collecting the historical network session data, the server may use it to construct one or more second prior knowledge graphs that represent relationships between entities (e.g., IP addresses, ports, users, etc.) in the network session. For example, one IP address may have a connection relationship with multiple ports, or some users may conduct network sessions frequently during a particular period of time.
By analyzing and mining the data, the server may construct a second prior knowledge graph that reflects complex relationships between network entities.
After constructing the second prior knowledge graph, the server may perform a graph convolution process on the graphs based on local structural features of the network session, similar to the graph convolution process on the first network session behavior trace described above, but where the process is based on the prior knowledge graph of historical data.
Through the graph convolution process, the server may extract spatial features and structural information in the graph, thereby generating a second prior graph convolution result, which will serve as an important reference for subsequent network intrusion estimation.
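The following is an added example, not code from the patent, covering both step S121 (graph convolution over the two session traces and their weighted fusion) and step S1321 (integration with a dimension-matched prior graph convolution result). The event records, the field names, the feature scaling, the layer weights and the prior result are all constructed for illustration.

```python
"""Session-graph convolution, weighted fusion and prior integration (constructed)."""
import math

# Constructed key behaviour events for the front detection node (first trace)
# and the rear detection node (second trace). Field names are assumptions.
FIRST_TRACE = [
    {"ts": 0.0, "src": "10.0.0.5", "dst": "10.0.0.20", "port": 22, "size": 120},
    {"ts": 1.5, "src": "10.0.0.5", "dst": "10.0.0.20", "port": 22, "size": 900},
    {"ts": 2.0, "src": "10.0.0.5", "dst": "10.0.0.21", "port": 445, "size": 1400},
]
SECOND_TRACE = [
    {"ts": 0.0, "src": "10.0.0.20", "dst": "10.0.0.30", "port": 21, "size": 300},
    {"ts": 4.0, "src": "10.0.0.20", "dst": "10.0.0.30", "port": 21, "size": 1500},
]


def node_features(event, t0):
    """Map the session features named in the text (timestamp, source/destination
    IP, port, packet size) to a fixed-length numeric vector scaled to about [0, 1]."""
    last_octet = lambda ip: int(ip.rsplit(".", 1)[1]) / 255.0
    return [
        (event["ts"] - t0) / 60.0,  # seconds since the first event, per minute
        last_octet(event["src"]),
        last_octet(event["dst"]),
        event["port"] / 65535.0,
        event["size"] / 1500.0,
    ]


def time_sequence_adjacency(n):
    """Edges follow the time sequence of events: node i is linked to node i+1
    (undirected, so information flows both ways during aggregation)."""
    adj = [[0.0] * n for _ in range(n)]
    for i in range(n - 1):
        adj[i][i + 1] = adj[i + 1][i] = 1.0
    return adj


def normalised_adjacency(adj):
    """Symmetric normalisation D^-1/2 (A + I) D^-1/2 with self loops, so each
    node aggregates its own features together with its neighbours'."""
    n = len(adj)
    a_hat = [[adj[i][j] + (1.0 if i == j else 0.0) for j in range(n)] for i in range(n)]
    deg = [sum(row) for row in a_hat]
    return [[a_hat[i][j] / math.sqrt(deg[i] * deg[j]) for j in range(n)] for i in range(n)]


def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))]
            for i in range(len(a))]


def gcn_layer(a_norm, h, w):
    """One graph convolution unit: aggregate neighbour features, apply the
    layer weight, then ReLU."""
    return [[max(0.0, v) for v in row] for row in matmul(matmul(a_norm, h), w)]


def constructed_weights(rows, cols, seed):
    """Deterministic stand-in for trained layer weights (constructed)."""
    return [[((i * 7 + j * 3 + seed) % 5 - 2) / 5.0 for j in range(cols)] for i in range(rows)]


LAYER_WEIGHTS = [constructed_weights(5, 4, 1), constructed_weights(4, 4, 2)]


def session_graph_convolution(trace, layer_weights=LAYER_WEIGHTS):
    """Run every layer over the trace's graph; after the last layer each node
    carries multi-hop neighbourhood information. The node representations are
    combined by mean readout into one graph convolution result."""
    t0 = trace[0]["ts"]
    h = [node_features(e, t0) for e in trace]
    a_norm = normalised_adjacency(time_sequence_adjacency(len(trace)))
    for w in layer_weights:
        h = gcn_layer(a_norm, h, w)
    dim = len(h[0])
    return [sum(row[j] for row in h) / len(h) for j in range(dim)]


def fuse(first_result, second_result, w1, w2):
    """Fused_Feature = w1 * First_GCN_Result + w2 * Second_GCN_Result."""
    if abs(w1 + w2 - 1.0) > 1e-9:
        raise ValueError("fusion weights must sum to 1")
    if len(first_result) != len(second_result):
        raise ValueError("graph convolution results must have the same dimension")
    return [w1 * a + w2 * b for a, b in zip(first_result, second_result)]


def integrate_with_prior(session_result, prior_result):
    """Integrate a session graph convolution result with a prior graph
    convolution result by averaging position by position; the prior result
    must already be matched to the session result's feature dimension."""
    if len(session_result) != len(prior_result):
        raise ValueError("prior graph convolution result is not dimension-matched")
    return [(a + b) / 2.0 for a, b in zip(session_result, prior_result)]


def run_pipeline():
    first = session_graph_convolution(FIRST_TRACE)
    second = session_graph_convolution(SECOND_TRACE)
    fused = fuse(first, second, 0.6, 0.4)  # the weights used in the text
    prior = [0.1, 0.2, 0.0, 0.3]           # constructed prior graph convolution result
    return integrate_with_prior(fused, prior)


if __name__ == "__main__":
    print(run_pipeline())
```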
Fig. 2 is a schematic diagram of the hardware structure of an artificial intelligence based network security feedback analysis system 100 for implementing the above-described artificial intelligence based network security feedback analysis method according to an embodiment of the present application. As shown in fig. 2, the artificial intelligence based network security feedback analysis system 100 may include a processor 110, a machine-readable storage medium 120, a bus 130, and a communication unit 140.
In one possible design, the artificial intelligence based network security feedback analysis system 100 may be a single server or a group of servers. The server group may be centralized or distributed (e.g., the artificial intelligence based network security feedback analysis system 100 may be a distributed system). In some embodiments, the artificial intelligence based network security feedback analysis system 100 may be local or remote. For example, the artificial intelligence based network security feedback analysis system 100 may access information and/or data stored in the machine readable storage medium 120 via a network. As another example, the artificial intelligence based network security feedback analysis system 100 may be directly connected to the machine readable storage medium 120 to access stored information and/or data. In some embodiments, the artificial intelligence based network security feedback analysis system 100 may be implemented on an artificial intelligence based network security feedback analysis system. For example only, the artificial intelligence based network security feedback analysis system may include a private cloud, a public cloud, a hybrid cloud, a community cloud, a distributed cloud, an internal cloud, a multi-layer cloud, or the like, or any combination thereof.
The machine-readable storage medium 120 may store data and/or instructions. In some embodiments, the machine-readable storage medium 120 may store data acquired from an external terminal. In some embodiments, machine-readable storage medium 120 may store data and/or instructions that artificial intelligence based network security feedback analysis system 100 uses to perform or use to accomplish the exemplary methods described in this disclosure.
In a specific implementation, at least one processor 110 executes computer-executable instructions stored by the machine-readable storage medium 120, so that the processor 110 may perform the network security feedback analysis method based on artificial intelligence as in the above method embodiment, where the processor 110, the machine-readable storage medium 120, and the communication unit 140 are connected through the bus 130, and the processor 110 may be used to control the transceiving actions of the communication unit 140.
The specific implementation process of the processor 110 may refer to the above-mentioned embodiments of the method performed by the network security feedback analysis system 100 based on artificial intelligence, and the implementation principle and technical effects are similar, which are not described herein again.
In addition, the embodiment of the application also provides a readable storage medium, wherein computer executable instructions are preset in the readable storage medium, and when a processor executes the computer executable instructions, the network security feedback analysis method based on artificial intelligence is realized.
It should be noted that in order to simplify the presentation of the disclosure and thereby aid in understanding one or more embodiments of the application, various features are sometimes grouped together in a single embodiment, figure, or description thereof.

Claims (10)

1. An artificial intelligence based network security feedback analysis method, the method comprising:
Obtaining sample network feedback session data, wherein the sample network feedback session data comprises a network session data sequence of a plurality of linked network session events and network intrusion annotation data of each linked network session event, and the network session data sequence comprises a first network session behavior track of a front detection node and a second network session behavior track of a rear detection node;
Training a first network intrusion estimation network based on a network session data sequence of the plurality of linked network session events and the network intrusion annotation data;
Training a second network intrusion estimation network according to the first network session behavior tracks of the plurality of linkage network session events, the network intrusion annotation data and the network intrusion estimation data of the plurality of first network session behavior tracks by the first network intrusion estimation network, wherein the parameter quantity of the second network intrusion estimation network is smaller than the parameter quantity of the first network intrusion estimation network;
Acquiring a target network session behavior track of an input target linkage network session event at a front detection node;
And carrying out network intrusion estimation on the target network session behavior track according to the second network intrusion estimation network, generating the network intrusion risk probability of the target linkage network session event, and processing the target linkage network session event based on the network intrusion risk probability of the target linkage network session event.
2. The method of claim 1, wherein the training the second network intrusion estimation network based on the first network session behavior trace of the plurality of linked network session events, the network intrusion annotation data, and the network intrusion estimation data of the first network intrusion estimation network on the plurality of first network session behavior traces, comprises:
Performing network intrusion estimation on first network session behavior tracks of the plurality of linkage network session events according to the first network intrusion estimation network, and generating a network intrusion risk score corresponding to each first network session behavior track;
and training a second network intrusion estimation network by taking the first network session behavior tracks of the plurality of linkage network session events as network learning data and taking the network intrusion risk scores corresponding to each first network session behavior track and the network intrusion labeling data as network supervision data.
3. The method of claim 2, wherein training the second network intrusion estimation network with the first network session behavior traces of the plurality of linked network session events as network learning data and the network intrusion risk score and the network intrusion labeling data corresponding to each first network session behavior trace as network supervision data comprises:
performing network intrusion estimation on first network session behavior tracks of the plurality of linkage network session events according to the initialized second network intrusion estimation network, and generating first network intrusion estimation data of each first network session behavior track;
calculating a first network intrusion estimation error according to the first network intrusion estimation data of each first network session behavior track and the corresponding network intrusion risk score;
Calculating a second network intrusion estimation error according to the first network intrusion estimation data of each first network session behavior track and the network intrusion annotation data corresponding to each linkage network session event;
And back-propagating based on the first network intrusion estimation error and the second network intrusion estimation error to train the second network intrusion estimation network.
4. The artificial intelligence based network security feedback analysis method of claim 3, wherein the back propagating based on the first network intrusion estimation error and the second network intrusion estimation error to train the second network intrusion estimation network comprises:
acquiring a first importance score of the first network intrusion estimation error and a second importance score of the second network intrusion estimation error;
fusing the first network intrusion estimation error and the second network intrusion estimation error based on the first importance score and the second importance score to generate a target network intrusion estimation error;
and carrying out back propagation according to the target network intrusion estimation error so as to train the second network intrusion estimation network.
5. The artificial intelligence based network security feedback analysis method of claim 4, wherein the obtaining a first importance score for the first network intrusion estimation error and a second importance score for the second network intrusion estimation error comprises:
Determining importance score allocation parameters based on network learning stage parameters of the second network intrusion estimation network;
calculating a first importance score of the first network intrusion estimation error and a second importance score of the second network intrusion estimation error according to the importance score distribution parameters;
wherein the step of determining importance score distribution parameters based on the network learning phase parameters of the second network intrusion estimation network comprises:
in the training process of the second network intrusion estimation network, recording network learning stage parameters of the current network learning stage, wherein the network learning stage parameters comprise iteration times, training periods or training loss parameters;
comparing the current network learning stage parameter with a set stage threshold value to determine the current training stage;
initializing corresponding importance score distribution parameters according to the training stage, and dynamically adjusting the importance score distribution parameters according to the change of the network learning stage;
the step of calculating a first importance score of the first network intrusion estimation error and a second importance score of the second network intrusion estimation error according to the importance score distribution parameter includes:
Multiplying the weight of the first network intrusion estimation error corresponding to the importance score distribution parameter by the absolute value of the first network intrusion estimation error to obtain a first importance score;
And multiplying the weight corresponding to the second network intrusion estimation error in the importance score distribution parameter by the absolute value of the second network intrusion estimation error to obtain a second importance score.
6. The artificial intelligence based network security feedback analysis method of any of claims 3-5, wherein the training of the first network intrusion estimation network based on the network session data sequence of the plurality of linked network session events and the network intrusion annotation data comprises:
Performing graph convolution processing on the first network session behavior track and the second network session behavior track to generate a first network session graph convolution result and a second network session graph convolution result, and fusing the first network session graph convolution result and the second network session graph convolution result to generate a network session graph convolution result;
Integrating the network session graph convolution result with the first prior graph convolution result, and performing network intrusion estimation on the integrated graph convolution result to generate second network intrusion estimation data;
Calculating a third network intrusion estimation error based on the second network intrusion estimation data and the network intrusion labeling data corresponding to each linkage network session event, and performing back propagation according to the third network intrusion estimation error so as to train the first network intrusion estimation network;
the step of determining the first prior graph convolution result includes:
Collecting historical network session data, wherein the historical network session data comprises normal network session data and known network intrusion behaviors;
constructing one or more first prior knowledge graphs for representing relationships between entities in a network session using collected historical network session data;
And carrying out graph convolution processing on the one or more first prior knowledge graphs based on the global structural features of the network session, and generating the first prior graph convolution result.
7. The method for analyzing network security feedback based on artificial intelligence according to claim 6, wherein the step of performing graph convolution processing on the first network session behavior trace and the second network session behavior trace to generate a first network session graph convolution result and a second network session graph convolution result comprises:
Constructing first graph data aiming at a first network session behavior track, wherein nodes in the first graph data represent first key behavior events of a front detection node, edges represent logic relations or time sequences among the first key behavior events, and second graph data aiming at a second network session behavior track, wherein nodes in the second graph data represent second key behavior events of the front detection node, and edges represent logic relations or time sequences among the second key behavior events;
Associating a network session feature with each node in the first graph data and the second graph data, the network session feature including a timestamp, a source/destination IP address, a port number, and a transmitted packet size;
Respectively inputting the first graph data and the second graph data into a predefined graph convolution network, and updating the network session characteristics of the nodes by aggregating the neighbor information of each node in each layer of graph convolution unit of the graph convolution network, so that each node in the first graph data and the second graph data fuses the network session characteristics of its neighborhood information;
After the graph convolution network processing, extracting the characteristic representation of each node from the last layer of graph convolution unit of the graph convolution network, combining all the characteristic representations of the first graph data to generate a first network session graph convolution result, and combining all the characteristic representations of the second graph data to generate a second network session graph convolution result;
The step of respectively inputting the first graph data and the second graph data into a predefined graph convolution network, and in each layer of graph convolution unit of the graph convolution network updating the network session characteristics of the nodes by aggregating the neighbor information of each node so that each node in the first graph data and the second graph data fuses the network session characteristics of its neighborhood information, comprises the following steps:
assigning the network session feature to each node in the first graph data and the second graph data;
And respectively inputting the first graph data and the second graph data into a predefined graph convolution network, and for each node, aggregating the information of the neighbor nodes corresponding to the node in each layer of the graph convolution network, and updating the characteristic representation of the node by a graph convolution operation that combines the current network session characteristic of the node with the network session characteristics of its neighbor nodes, wherein in the last layer of the graph convolution network each node obtains a characteristic representation fused with multi-hop neighborhood information of the node, so that the characteristic representation of each node is extracted from the last layer of the graph convolution network.
8. The artificial intelligence based network security feedback analysis method of claim 6, wherein the step of fusing the first and second network session graph convolution results to generate a network session graph convolution result comprises:
According to the importance of the first network session behavior track and the second network session behavior track in network security analysis, different fusion weights are distributed to the first network session behavior track and the second network session behavior track;
fusing the first network session graph convolution result and the second network session graph convolution result by using the determined fusion weight;
Wherein, the fusion formula is expressed as:
Fused_Feature = w1 * First_GCN_Result + w2 * Second_GCN_Result, where w1 and w2 are the weights assigned to the first and second network session graph convolution results, and w1 + w2 = 1.
9. The method of claim 6, wherein the performing network intrusion estimation on the first network session behavior traces of the plurality of linked network session events according to the initialized second network intrusion estimation network to generate first network intrusion estimation data of each first network session behavior trace, comprises:
Integrating a first network session graph convolution result corresponding to each first network session behavior track with a second prior graph convolution result, wherein the second prior graph convolution result is matched with the characteristic dimension of the first prior graph convolution result;
performing network intrusion estimation on the integration graph convolution result to generate first network intrusion estimation data of each first network session behavior track;
The step of determining the convolution result of the second prior graph includes:
Collecting historical network session data, wherein the historical network session data comprises normal network session data and known network intrusion behaviors;
Constructing one or more second prior knowledge graphs for representing relationships between entities in the network session using the collected historical network session data;
and carrying out graph convolution processing on the one or more second prior knowledge graphs based on the local structural features of the network session, and generating a second prior graph convolution result.
10. An artificial intelligence based network security feedback analysis system, comprising a processor and a memory, the memory being coupled to the processor, the memory being configured to store a program, instructions or code, the processor being configured to execute the program, instructions or code in the memory to implement the artificial intelligence based network security feedback analysis method of any of claims 1-9.
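As an added example (not the patent's code) of claims 3 to 5, the following computes the two estimation errors of the second network over a batch, derives the stage-dependent importance scores, and fuses them into one target error. The batch values, the error definition (mean absolute difference), the iteration thresholds, the per-stage parameters and the additive fusion rule are all assumptions.

```python
"""Stage-dependent importance scores and target error fusion (constructed)."""

# Constructed batch: for each first network session behaviour trace, the
# second network's estimate, the first network's risk score and the annotation.
BATCH = [
    {"estimate": 0.80, "risk_score": 0.90, "label": 1.0},
    {"estimate": 0.30, "risk_score": 0.10, "label": 0.0},
    {"estimate": 0.55, "risk_score": 0.70, "label": 1.0},
    {"estimate": 0.20, "risk_score": 0.25, "label": 0.0},
]

# Stage thresholds on the recorded iteration count (assumed values): below 200
# is "early", below 800 is "middle", otherwise "late".
STAGE_THRESHOLDS = [(200, "early"), (800, "middle")]

# Importance score distribution parameters per stage (assumed values): the
# weight for the first error (against the first network's risk score) and the
# weight for the second error (against the annotation data).
STAGE_PARAMETERS = {
    "early": (0.7, 0.3),
    "middle": (0.5, 0.5),
    "late": (0.3, 0.7),
}


def mean_abs_error(batch, reference_key):
    """Error of the second network's estimates against a reference field, as a
    mean absolute difference over the batch (assumed error definition)."""
    return sum(abs(item["estimate"] - item[reference_key]) for item in batch) / len(batch)


def first_error(batch):
    """First network intrusion estimation error: estimates vs. risk scores."""
    return mean_abs_error(batch, "risk_score")


def second_error(batch):
    """Second network intrusion estimation error: estimates vs. annotations."""
    return mean_abs_error(batch, "label")


def training_stage(iteration):
    """Compare the recorded iteration count with the set stage thresholds."""
    for limit, name in STAGE_THRESHOLDS:
        if iteration < limit:
            return name
    return "late"


def importance_scores(e1, e2, iteration):
    """Each score is the current stage's weight for that error multiplied by the
    error's absolute value; the parameters are re-read on every call so they
    follow the learning stage as training proceeds."""
    w1, w2 = STAGE_PARAMETERS[training_stage(iteration)]
    return w1 * abs(e1), w2 * abs(e2)


def target_error(batch, iteration):
    """Fuse the two errors into the target error used for back propagation;
    summing the two importance scores is the assumed fusion rule."""
    s1, s2 = importance_scores(first_error(batch), second_error(batch), iteration)
    return s1 + s2


if __name__ == "__main__":
    for it in (100, 500, 1000):
        print(it, training_stage(it), round(target_error(BATCH, it), 5))
```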
CN202410581648.6A 2024-05-11 2024-05-11 Network safety feedback analysis method and system based on artificial intelligence Active CN118174962B (en)

Publications (2)

Publication Number Publication Date
CN118174962A CN118174962A (en) 2024-06-11
CN118174962B true CN118174962B (en) 2024-08-13

Family

ID=91360443

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant