
A Method Of Cyber Security Situational Awareness Based On EMD-LSTM And Hierarchy

Posted on: 2023-08-09 | Degree: Master | Type: Thesis
Country: China | Candidate: X M Lei
GTID: 2568307100975869 | Subject: Computer technology
Abstract/Summary:
Cyber Security Situational Awareness (CSSA) is an effective method for dynamic defense against cyber-attacks. For a network information system, its main work is to proactively extract and assess the factors that affect cyber security in the network environment, and then to predict and display cyber security status and trends, providing timely signals of cyber security incidents. At this stage, research on cyber security situational awareness still suffers from limited quantification and integration of security factors, simple assessment metrics, and low prediction accuracy and efficiency. In response to these problems, this thesis proposes a multi-factor hierarchical cyber security situation assessment and prediction method based on Empirical Mode Decomposition (EMD) and Long Short-Term Memory (LSTM). The major work and key issues addressed include:

(1) Firstly, according to the characteristics of large-scale network systems, this thesis builds a cyber security situation assessment model based on four hierarchies (System, Subnet, Host, and Service) and proposes three assessment metrics: hierarchical attribute value, threat, and vulnerability. Situation assessment methods are designed for every hierarchy by combining the assessment metrics, and the network situation assessment result at the current moment is finally expressed in numerical form. The method not only covers multiple assessment metrics, but also proposes a quantification method for security factors.

(2) Secondly, this thesis introduces a fuzzy membership function into the situation assessment method, maps the situation assessment results to a specified range through the fuzzy membership function, and specifies the danger value that reaches the alarm level, so as to standardize the danger level of the network security situation. A collection of situational values that change over time is formed. This method lays a foundation for observing fluctuations of the situation value, responding to cyber risk states, and subsequently predicting the network security situation. Experiments show that, compared with existing research, the situation assessment method proposed in this thesis improves the ability both to predict and to identify network attacks.

(3) Finally, because the situation value is a time series, this thesis adopts the LSTM algorithm, an improved form of the recurrent neural network (RNN), to construct the prediction model. In view of the non-stationary and nonlinear characteristics of the network security situation value, it is proposed to regard the network security situation value as a situation signal and to introduce the EMD algorithm to decompose that signal. The EMD-LSTM situational prediction model includes three parts: EMD decomposition of network security situational signals, situational signal component prediction, and situational signal component reconstruction. The prediction results are displayed as situational curves. Experiments show that, compared with existing research, the situation prediction model based on EMD-LSTM proposed in this thesis achieves higher accuracy and efficiency.
Keywords/Search Tags: situational awareness, situational assessment, situational prediction, empirical mode decomposition, long short-term memory network