Journal of Frontiers of Computer Science and Technology

• Academic Research •

Network security situation prediction based on data decomposition and multi-model switching

WANG Na, ZHANG Xinhai, CHANG Yaming

  1. School of Control Science and Engineering, Tiangong University, Tianjin 300387, China
  2. Tianjin Key Laboratory of Intelligent Control of Electrical Equipment, Tianjin 300387, China

Abstract: Accurate prediction of the network security situation gives network security managers a basis for decision-making so that they can take timely countermeasures, which is of great significance for maintaining network security and stability. Network security situation sequences are usually complex and non-stationary, and prediction with a single model suffers from low accuracy and poor generalization. To address these problems, a situation prediction method based on data decomposition and multi-model switching is proposed. First, variational mode decomposition is introduced and combined with mutual information entropy to decompose and reconstruct the original situation data set, forming new training and test data sets; this reduces the non-stationarity of the data and improves the accuracy of the subsequent model predictions. Second, a multi-model switching strategy is proposed. The Pearson correlation coefficient is used to analyze the differences among the models in the initial model set, and models that differ strongly from one another and predict well are selected to form the candidate model set. Then, based on a distance measure, the nearest neighbors of each test sample are found in the training data set, and a voting mechanism determines the prediction model best suited to that test sample, which compensates for the insufficient generalization of single-model prediction. Finally, the strategy is used to obtain the situation prediction results for the test data set. Simulations on the network intrusion detection data set NSL-KDD and a data set from the National Internet Emergency Response Center verify the effectiveness of the proposed method.

Key words: network security, situation prediction, variational mode decomposition, mutual information entropy, multi-model switching
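
The multi-model switching step summarized in the abstract, sketched as an added Python example; it is not the authors' code. The abstract does not give the exact selection rule, so the residual-correlation threshold `max_corr`, the neighbor count `k`, the use of Euclidean distance, the function names and the sample data are all assumptions or constructed values.

```python
import math
from collections import Counter

def pearson(x, y):
    """Pearson correlation coefficient of two equal-length series."""
    mx, my = sum(x) / len(x), sum(y) / len(y)
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sx = math.sqrt(sum((a - mx) ** 2 for a in x))
    sy = math.sqrt(sum((b - my) ** 2 for b in y))
    return cov / (sx * sy) if sx and sy else 0.0

def select_candidates(preds, truth, max_corr=0.9):
    """Rank models by mean absolute error, then keep a model only if its
    residuals correlate below max_corr (assumed threshold) with every
    model already kept, so the candidates are accurate and diverse."""
    res = {m: [p - t for p, t in zip(ps, truth)] for m, ps in preds.items()}
    mae = {m: sum(map(abs, r)) / len(r) for m, r in res.items()}
    kept = []
    for m in sorted(mae, key=mae.get):
        if all(abs(pearson(res[m], res[k])) < max_corr for k in kept):
            kept.append(m)
    return kept

def switch_model(x_test, train_x, preds, truth, candidates, k=3):
    """Each of the k nearest training samples votes for the candidate that
    predicted it best; the majority model is chosen for x_test."""
    nearest = sorted(range(len(train_x)),
                     key=lambda i: math.dist(x_test, train_x[i]))[:k]
    votes = Counter(min(candidates, key=lambda m: abs(preds[m][i] - truth[i]))
                    for i in nearest)
    return votes.most_common(1)[0][0]

# Constructed data: two-step situation windows, the true next value, and
# the training-set predictions of three hypothetical models A, B and C.
TRAIN_X = [(0.10, 0.12), (0.15, 0.14), (0.12, 0.18),
           (0.80, 0.85), (0.88, 0.82), (0.84, 0.90)]
TRUTH = [0.14, 0.16, 0.20, 0.88, 0.80, 0.92]
PREDS = {
    "A": [0.15, 0.15, 0.21, 0.80, 0.90, 0.82],  # good in the low regime
    "B": [0.20, 0.10, 0.26, 0.87, 0.81, 0.91],  # good in the high regime
    "C": [0.16, 0.14, 0.22, 0.79, 0.91, 0.81],  # near-copy of A, redundant
}

if __name__ == "__main__":
    cands = select_candidates(PREDS, TRUTH)
    print("candidate set:", cands)
    for x in [(0.11, 0.15), (0.85, 0.86)]:
        print(x, "->", switch_model(x, TRAIN_X, PREDS, TRUTH, cands))
```

Model C is dropped because its residuals are almost perfectly correlated with A's, and the vote then routes low-situation windows to A and high-situation windows to B.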