Authors: 王晨飞, 徐李阳, 李慧芹, 马建勋 (WANG Chenfei; XU Liyang; LI Huiqin; MA Jianxun)
Affiliations: [1] Customer Service Center, State Grid Corporation of China, Tianjin 300309, China; [2] Siji Testing Technology (Beijing) Company Limited, State Grid Corporation of China, Beijing 102200, China
Source: Journal of Computer Applications (《计算机应用》), 2024, Issue S2, pp. 118-122 (5 pages)
Funding: Science and Technology Project of the Customer Service Center, State Grid Corporation of China (SGKFYW00AZJS2310001).
Abstract: Network Security Situation Awareness (NSSA) can estimate the status of the network comprehensively and find potential risks, and the key to it is accurate and comprehensive analysis of user behaviors. Building a behavioral portrait can reflect the important features of users, helping managers grasp the security status of the network and respond accordingly. However, the mainstream behavioral portrait construction methods have shortcomings such as insufficient extraction of key information in portraits and ignoring the correlation among features. Therefore, an NSSA mechanism based on behavioral portrait construction was designed. In this mechanism, data mining was used to obtain statistical feature labels, a Bi-directional Long Short-Term Memory (BiLSTM) neural network was used to generate behavior feature labels of user behaviors, and the statistical feature labels and behavioral feature labels of user behaviors were combined to construct the behavioral portrait. After constructing the behavioral portrait, the similarity between the user behavior sequence label features and the known behavioral portrait labels was calculated by a cross entropy loss function to determine the user's threat level based on the threat level of the behavioral portrait. Experimental results on the UNSW-NB15 dataset show that the proposed method achieves a precision of 89.78%, which is improved by 2.01 to 10.73 percentage points compared with those of machine learning methods such as K-Medoids and Principal Component Analysis (PCA)-Convolutional Neural Network (CNN). It can be seen that the proposed portrait construction method is more sensitive to the correlation among behaviors, can model behavior feature labels for different portraits specifically, improves classification accuracy of threat levels, and realizes NSSA.
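Keywords: behavioral portrait; Bi-directional Long Short-Term Memory (BiLSTM); neural network; Network Security Situation Awareness (NSSA); behavior modeling; autoencoder
Classification number: TP309 [Automation and Computer Technology: Computer System Architecture]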