Implementation of network information security monitoring system based on adaptive deep detection

3.1 Multilevel regression

CPN design proposes a new solution to the regression of multilevel category numbers. Due to the uneven distribution of objects in complex scenes and remote sensing images, the number of objects can appear at any value. For the advanced features of each image, each regression number of each category is predicted at the same time, and the regression of each category will not affect each other. In supervised batch learning, one of the key premises of the learning category prior networks is the definition of training samples [15]. For each image, nine levels (1, 2, 4, 8, 16, 24, 32, 48, and 64) are predicted as the reference base for regression. First, the actual number of objects in each category in each image is calculated, and the reference base of each level of each category is fixed. Then, the difference between the different levels of each category is calculated according to the following formula:

where c represents the category, and e represents the regression level within the E range. G c ⁎ represents the number of real targets in category c, and B e ⁎ is the reference base of the e-th level. To adapt to different images and improve the robustness of the CPN network, high-quality priori information of categories is obtained, the position of each d _ec between 1/2 and 2 is recorded, and the category regression at the above position is defined as a positive training sample. However, to expand the difference between the positive and negative training samples, the ratio of G c ⁎ to B e ⁎ between 1/4 to 1/2 and 2 to 4 is ignored. In addition, the different levels of regression bases for all other categories form a negative training sample space, and, in the negative training sample space, a regression base of three times the number of positive samples as negative samples is randomly selected, to ensure a balance between the number of positive samples and the number of negative samples [16].

3.2 Loss function

For the training of the CPN network, a new regression and classification loss are set. Similar to the multitask loss in the fast convolutional neural network, the loss of the CPN network is defined as follows:

where e is the number of levels of regression, I e c ⁎ = { 0 , 1 } is a kind of indicator and it is used to indicate whether the cardinality of the c-th category e level matches with the positive sample. If there is a c-th category target in the image and the base of e-level matches with the number of real targets, then I e c ⁎ = 1 , otherwise I e c ⁎ = 0 . p e c is the predicted probability of the base of category c at the e-th level. The real category label p e c ⁎ is 1 and indicates that the cardinality of the e-th level of the c-th category is a positive sample, and 0 means that the cardinality of the c-th e level is a negative sample. r e c is the regression result of the predicted value relative to the base of the e level of the c type, and r e c ⁎ is the regression result of the number of real targets relative to the base number of the c-th e level. Classification loss L c l s is the log loss of the two categories (including target p e c t or not including target p e c f ). c stands for category. For regression loss, L r e g ( r e c , r e c ⁎ ) = S ( r e c − r e c ⁎ ) is used for calculation, and among them, S is a robust function Smooth L1. I e c ⁎ L r e g means that it is only valid for the level where the target category exists and the base number matches, that is valid when I e c ⁎ = 1 , it is invalid when I e c ⁎ = 0 [17,18].

The classification and regression loss terms are normalized by N c l s and N r e g , respectively, and weighted by the balance parameter α . In the process of realization, N c l s represents the total number of categories, including the number of positive samples and negative samples, approximately four times the target number. N r e g represents the total positive number of the regression, which is about twice the target number. By default, set α = 1 , this shows that the loss tends to regress in the number of categories. For the regression of the number of categories, similar to the regression in the RPN network, the offset of the number of regression categories form the base of the level. As shown in formula (4), among them, variables G c , G c ⁎ , and B e c represent the number of predicted categories respectively, the actual number of categories, and the base number of e-levels in category c, respectively [19].

3.3 Training and testing

CPN is a small network [20,21,22,23,24,25,26,27,28] based on the advanced features of convolutional networks. As mentioned earlier, VGG-16 backbone network parameters [28,29,30,31,32] are initialized using the pretrained weights on the ImageNet1000 competition dataset [33,34,35]. For other convolutional layers in CPN, use the Xavier method to initialize the parameters. CPN can be trained end-to-end through backpropagation and stochastic gradient descent [36], and this includes forward iteration with labeled data as input [37,38,39]. According to the aforementioned multitask loss function, it can be optimized for each category prediction [40,41]. After training CPN, training images to the network are send, and the offset of the number of each image category relative to the base number of the level is generated. However, the purpose of CPN is to obtain the number of each category [42,43,44,45,46,47], not the offset of different levels of all categories. Therefore, during the CPN testing process, the scores of different levels of regression offset for each category are predicted. According to the output score of CPN, a threshold of 0.7 is fixed to filter the regression results of low confidence categories and low confidence levels. Only the regression results are kept at different levels for categories whose classification is higher than the 0.7 threshold, after calculating all the regression results of each category, and the average is the final predicted quantity result of the category [48].

4.1 Experimental environment and evaluation standards

1. Simulation experiment environment

   Operating system: Windows: 10/64 bit, CPU: Inteli7-4700, RAM: 16.00GB, Development software: TensorFlow1.12.0 auxiliary tool: Excel

2. Evaluation standard of testing ability

   The essence of intrusion detection system is to classify feature values. When dealing with classification problems, the confusion matrix is often used as the evaluation standard. Commonly used performance indicators of intrusion detection systems include accuracy rate, detection rate, and false alarm rate.

3. Confusion matrix

   To verify the detection performance of the DBN-SVM model, that is, to identify the abnormal network data, the confusion matrix of the two categories is set as shown in Table 1. There are four situations, namely, to predict the normal normal record TN, predict the abnormal normal record FP, predict the normal abnormal record FN, and predict the abnormal abnormal record TP [49].

A high-performance intrusion detection system requires the detection rate and accuracy to be as high as possible. The false alarm rate is as low as possible

The accuracy rate (accuracy) calculation method is calculated as follows:

The calculation method of detection rate (DR) is calculated as follows:

The false alarm rate (FPR) is calculated as follows:

4.2 Experimental results

Adjusting parameters is a very critical step in deep learning. The quality of a model depends on its parameters. The DBN-SVM model of this experiment adjusts the corresponding parameters in terms of training rounds, number of neurons, batch size, and so on, and it is expected that good classification accuracy and speed can be obtained [50]. The impact of training rounds on the results is very important, and there are few training rounds, and it is difficult to learn the relationship between features; as there are too many training rounds, the model is prone to overfitting. At the same time, the training time will be longer. An early-stopping strategy is adopted to give the model a threshold, and when the accuracy difference between the two training results is less than this threshold, training is stopped. Hence, this can reduce training time and also prevent overfitting. As shown in Figures 2 and 3, when the training sequence reaches 20 times, the accuracy rate and the loss rate tend to be stable. To reduce the training time of the model, the training round is set to 20 times [51,52,53,54,55].

Figure 2

Changes in accuracy rate with rounds.

Figure 3

Changes in loss rate with rounds.

The learning ability of a neural network depends on the number of neurons. The greater the number, the stronger the learning ability, and it will also bring more training time and overfitting problems [56]. As shown in Figures 4 and 5, when the number of neurons is 20, 40, 60, 80, 100, and 120, the model’s accuracy rate and loss rate change the graph. As the number of neurons increases, the accuracy of the verification set shows a trend of increasing first and then decreasing, and the maximum value is taken where the independent variable is 100. Then, the model is overfitted, and increasing the number of neurons will only increase the training time and no longer increase the accuracy of the validation set. Therefore, the number of neuron nodes in the model is set to 100.

Figure 4

Changes in accuracy rate.

Figure 5

Changes in loss rate.

Choosing an appropriate batch size can speed up model optimization and prevent the missing of the optimal solution in the process of gradient descent.

The experimental results of varying batch size is depicted in Figures 6–7.

Figure 6

Changes in accuracy.

Figure 7

Changes in loss rate.

As shown in Figure 6, the accuracy of the test set reaches its maximum when the batch size reaches 64. It shows that in the process of the increasing batch size, the accuracy first increases and then decreases. When the batch size continues to increase, the model will inevitably fall into a local optimum, leading to a decrease in the detection performance of the system. As shown in Figure 7, the loss rate of the system increases with the increase of batch processing, and too large batch size will increase the loss rate of the system and reduce the classification ability of the system. To reduce training time, overfitting has to be prevented, the detection ability of the model has to be improved, and the batch size of the experiment is set to 64 [57,58,59,60].

4.3 Intelligent monitoring and analysis solution

Through diversified acquisition, big data storage and retrieval, and AI intelligent analysis, the system presents six main functions, including situation awareness, traffic perspective, backtracking analysis, performance monitoring, security detection, and asset management. It also combines all kinds of equipment and topology management, thematic analysis, machine learning modeling analysis, and attack countermeasures. Nondestructive detection, abnormal file identification and restoration, active measurement, industrial control network monitoring, and other functions create an integrated network comprehensive, intelligent monitoring, and analysis solutions.

1. Situational awareness. The virtual reality visualization displays the network trend, traffic composition and distribution, and performance and alarm information. The virtual reality visualization displays the security event tracks from the perspectives of the attacker and the victim and displays the attack type, severity level, serious geographical region, attack, and the most serious information of the attacked department, organization, and individual.

2. Traffic perspective. Monitors traffic in real time, displays the time granularity up to 1 s, and displays the applications, users, and external addresses of the current traffic in real time. The system supports virtual link as the basic object. Data among network traffic applications, application groups, users, user groups, countries, cities, external addresses, virtual links, and academic platforms should support correlation and multidimensional drill-down analysis.

3. Performance monitoring. The system can comprehensively evaluate and analyze mainstream service access services such as Web page, DNS, mail, database, and voice, including key performance indicators such as connection establishment time, response time, and connection success rate. Supports comprehensive service comparison and analysis by region and server to evaluate service status and locate performance faults and bottlenecks.

4. Retrospective analysis. Session record data contains more than 25 key indicators, such as recording time, port, MAC address, duration, total bytes, total packets, and rate. Security events can automatically trigger the preservation of original data packets, save attack, intrusion, and virus data packets, and decode, analyze, and download data packets online. You can use baseline alarms to trigger the correlation of service performance, network performance, network session, and security event data. You can view associated session records in service performance, associated network performance indicators in session records, and associated original data in security events

   Package to view associated session records in security events.

5. Detect all kinds of attacks in the network. It includes 35 categories such as port scanning attack, code overflow attack, Trojan virus attack, worm attack, SQL injection attack, DOS attack, ActiveX control attack, mail attack, bad IP detection, personal Internet access detection, remote procedure call attack, system vulnerability attack, and other attack detection behaviors. User-defined attacks: Users define security events by setting the source/destination IP address, port, location of feature characters in the payload, packet flag, and packet frequency. Multilevel association analysis, multidimensional drill-down analysis according to any dimension (such as alarm type, alarm information, target country, target city, protocol, source address, destination address, suspect user, suspect user group, severity level), In addition, we can check the alarm trend, event number, flow pattern, and other details.

6. Asset management. Monitors the overall asset/virtual asset overview within a specific range and provides summary statistical classification to display the overall status and security alarms of selected assets. Supports type filtering, core setting, and legitimate device configuration. Supports periodic asset scanning and manual immediate asset scanning. Supports asset life-cycle management and asset safety status score, indicating high-risk assets, detection and discovery of lost assets, and provides security hardening suggestions.