Hidden target recognition method for high-speed network security threats based on attack graph theory

Abstract

Instantaneous traffic changes in high-speed networks will interfere with abnormal traffic characteristics, making it difficult to accurately identify hidden targets of security threats. This paper designs a high-speed network security threat hidden target recognition method based on attack graph theory. Using the high-speed network traffic reduction method, under the condition that the network topology remains unchanged, the instantaneous input traffic is reduced according to a certain proportion, and after compressing the flow data scale, the abnormal traffic of the high-speed network is identified through the convolutional recurrent neural network, and the information entropy is used to describe the high-speed network. The abnormal traffic characteristics of the network are used as constraints to design an attack graph of hidden targets of high-speed network security threats, and an attack path discovery method based on multi-heuristic information fusion is designed to extract attack paths of high-speed networks, locate attacking hosts, and identify hidden threat targets. In the experiment, the method can accurately identify the hidden targets of high-speed network security threats, and has better identification ability.

Keywords

Attack graph theory high-speed network security threat hidden target target identification abnormal traffic

1. Introduction

Computer viruses, all kinds of harmful information, cyber-crimes and other network and information security problems are becoming more and more serious, which not only restricts the development of the information industry, but also brings serious problems to the country’s economic construction and people’s social life. The continuous expansion of high-speed network applications has promoted the development and progress of related technologies, and at the same time, more network security threats have emerged [11,14]. In the application process of network products, information security is very important. In recent years, various network malicious intrusion behaviors and network vulnerabilities have appeared continuously, and network intrusion practices have emerged in an endless stream. Some complex high-speed networks are easy to be attacked, and the network security form has become more severe [15,17]. Especially in the face of some network security threats, the identification of hidden targets has become a key topic in related fields, and some meaningful research results have also appeared in recent years.

Jahromi et al. [7] proposed an augmented stacked LSTM method without random initialization for malware threat hunting. This method uses a deep recurrent neural network solution as a stacked long short-term memory, avoids random network initialization through a pre-training regularization method, improves the accuracy and robustness of searching for hidden threats of malware, and achieves the hidden goal of network security threats. identify. However, this method requires a long time for attack identification due to the need for constant comparison. Abdullayeva [1] proposed a cloud computing persistent threat attack detection method based on auto encoder and Softmax regression algorithm. The method realizes the advanced persistent threat attack classification by identifying the complex relationship between the features in the database, at the same time reduces the data size in the encoder, simplifies the large data classification process, effectively prevents the advanced persistent threat attack, and strengthens the security of the cloud information system. The rule fitness of this method is high, but this method relies too much on the classification accuracy, and the attack recognition efficiency is low. Braun et al. [4] proposed a hierarchical attack target recognition method under distributed robust nonlinear control. The method uses distributed control to set the information of the coupling variables. After the system is attacked, the evolution of the coupling variables is monitored, and the hierarchical network attack identification is realized through the attack and uncertain influence of adjacent subsystems. But this method is computationally expensive.

Attack graph is a model-based network security assessment technique. From the attacker’s point of view, on the basis of comprehensive analysis of various network configurations and vulnerability information, all possible attack paths are found, and a visualization method for representing attack process scenarios is provided, which helps network security managers intuitively Understand the relationship between various vulnerabilities within the target network, the relationship between vulnerabilities and network security configurations, and the resulting potential threats [2]. Therefore, this paper proposes a high-speed network security threat hidden target recognition method based on attack graph theory. Under the premise of keeping the network topology unchanged, the algorithm reduces the instantaneous traffic at a certain rate. After the data size is compressed, the convolutional recurrent neural network is used to identify the abnormal traffic in the high-speed network, and the hidden target attack graph is designed with the abnormal traffic characteristics as the constraint condition. A new information fusion algorithm based on multi-point heuristic is proposed. This algorithm can effectively extract the attack path of high-speed network, locate the attack host, and identify the potential threat.

2. Design of hidden target recognition method for high-speed network security threats

The security threats existing in high-speed networks are mainly the behavior of attackers using network vulnerabilities to conduct illegal attacks, and network attacks can be effectively detected by using network characteristics recommended by collaboration [20]. Since the high-speed network traffic mutation fluctuates very little under normal conditions, the network traffic will be abnormal under the condition of security threat. Abnormal traffic can be used as a signature to identify some hidden attack targets. However, some hidden targets have identifiable attributes and will also be disturbed by such abnormal fluctuations in network traffic. In order to identify hidden targets of high-speed network security threats, this paper combines the characteristics of abnormal traffic to construct a network attack graph and extract the attacks in this attack graph. Path, realize attack source traceability, and complete the identification of hidden targets of security threats. Considering the large scale of network traffic data and the low efficiency of direct operation, high-speed network traffic should be reduced first.

2.1. High-speed network traffic reduction method

In order to reduce the computational overhead in the identification of hidden targets of high-speed network security threats, this paper reduces the instantaneous input rate of the network, and adjusts the reduced high-speed network behavior parameters to ensure the validity and authenticity of the network behavior parameters. Figure 1 is a schematic diagram of the reduction method.

Fig. 1.

Schematic diagram of high-speed network traffic reduction method.

The proposed traffic reduction method [13] refers to: under the condition that the network topology remains unchanged, the instantaneous input traffic [3] is reduced according to a certain proportion, and other network parameters are adjusted accordingly to ensure the authenticity of network traffic data analysis, while the key parameters remain unchanged.

Before traffic reduction is performed, the ratio of the input rate of network traffic to the input rate of network traffic after reduction is called the reduction coefficient ∂, which reflects the detail degree of traffic reduction, and is also used to measure the degree of network traffic simplification. The traffic characteristics can be used as objective feature of attack detection because the larger the coefficient, the larger the reduction ratio [18].

Let the instantaneous traffic rate flowing into the routing queue before the traffic reduction be $T (s)$ , the instantaneous byte length of the cache queue be $L (s)$ , the parameter threshold of the router management queue algorithm parameter is μ, the network bandwidth of the outgoing link of the routing queue is $C_{v}$ , and the inflow route after the traffic reduction is The instantaneous traffic rate of the queue is $T^{'} (s)$ , the instantaneous buffer queue length is $L^{'} (s)$ , the parameter threshold of the routing queue management algorithm is $μ^{'}$ , and the network bandwidth of the outgoing link of the routing queue is $C_{v}^{'}$ . According to the definition of the reduction coefficient, due to the instantaneous traffic rate is reduced to $\frac{1}{\partial}$ , so the traffic rate of each routing queue is reduced to $\frac{1}{\partial}$ , and the network behavior data changes as: $\begin{matrix} (1) & \{\begin{matrix} μ^{'} = \frac{μ}{\partial} \\ T^{'} (s) = \frac{T (s)}{\partial} \\ C_{v}^{'} = \frac{C_{v}}{\sqrt{\partial}} \\ L^{'} (s) = \frac{C_{v}}{\sqrt{\partial}} \end{matrix} \end{matrix}$

2.2. Network abnormal traffic detection based on convolutional recurrent neural network

In recent years, convolutional neural networks have achieved excellent results on object classification problems [10]. Compared with the general deep neural network, the convolutional neural network has the characteristics of local connection, weight sharing and pooling operation [8], and has strong spatial feature learning ability. Recurrent neural networks have also achieved excellent results in natural language processing problems. By adding self-connected weights to the neurons in the middle layer, the recurrent neural network enables each round of training to record the state information of the previous training, realizes the ability to save sequence information, and has a strong ability to learn temporal features.

In this paper, a network abnormal traffic detection algorithm is designed, which can convert the simplified network traffic data in Section 2.1 into a wave graph, extract spatial and temporal features through a convolutional recurrent neural network, and classify them to achieve network abnormal traffic detection.

The input of this method is K groups of high-speed network traffic data packets $X_{1}, X_{2}, \dots, X_{K}$ with the same quintuple, the number of sample data packets M, and the standard input size N after 2.1 min. The output is the classification result of high-speed network traffic sample data. The detailed steps are as follows:

Reasonably divide the high-speed network traffic data after 2.1 small savings and simplify, and obtain image-based network traffic samples.

For each group of high-speed network traffic data $X_{j}$ in $X_{1}, X_{2}, \dots, X_{K}$ , every M traffic data packets are divided into one sample, and $γ_{j} = \frac{| X_{j} |}{M}$ samples are obtained. Among them, $| X_{j} |$ represents the number of high-speed network traffic data packets in this group. For each sample obtained from $X_{j}$ , calculate its total number of bytes $N_{0}$ . If $N_{0}$ is greater than N, truncate the sample to N bytes; otherwise, add hexadecimal numbers to N bytes at the end of the sample. In this step, an image-type high-speed network traffic sample $Y_{j i}$ can be established based on each group of high-speed network traffic data $X_{j}$ , where j and i are the sequence number of the group and the sequence number of the sample in sequence.

Using the image samples of each high-speed network traffic obtained in Step 1 as input, construct a convolutional recurrent neural network model.

\begin{matrix} (2) & Y_{j i} = y_{1} y_{2} \dots y_{θ} \dots y_{N} \end{matrix}

Among them, $y_{θ}$ is the decimal value of each byte that constitutes $Y_{j i}$ of high-speed network traffic, and θ is the byte index. The characteristic value of high-speed network traffic obtained after inputting the first layer of convolutional neural network is: $\begin{matrix} (3) & x_{θ c}^{1} = ζ (\sum_{r = 1}^{R} ϖ y_{θ} + K_{c}^{0}) \end{matrix}$

Among them, ζ is the activation function, and the ReLU function is selected in this paper; c is the index of the convolution feature map of high-speed network traffic, R is the filter size; ϖ is the weight of the convolution kernel, and $K_{c}^{0}$ is the bias of the cth feature map of high-speed network traffic. Therefore, the output of the zth convolutional layer is: $\begin{matrix} (4) & x_{θ c}^{z} = ζ (\sum_{r = 1}^{R} ϖ y_{θ} + K_{c}^{z}) \end{matrix}$ where $K_{c}^{z}$ is the bias of the cth feature map output by the zth convolutional layer. After iteration on each convolutional layer, the constraints can be reduced [16]. Then the proposed method chooses to add a max pooling layer to reduce network parameters, reduce computational complexity, and prevent overfitting to a certain extent. The maximum pooling dimension reduction operation is shown in formula (5): $\begin{matrix} (5) & D_{θ c}^{z} = max_{s} (ζ \cdot y_{θ}) \end{matrix}$

Among them, $D_{θ c}^{z}$ is the dimensionality reduction result of high-speed network traffic features. After the last max pooling layer, a layer of bidirectional long short-term memory network LSTM is used as a recurrent neural network layer. The bidirectional LSTM layer processes the incoming high-speed network traffic in the forward and reverse directions, and combines the processing results to capture the inherent patterns of network traffic better than the unidirectional LSTM layer. The advantage of using a bidirectional LSTM layer is that it can carry information states across multiple time steps. Specifically, each LSTM layer has gating units that control the flow of information, and the update of its state is controlled according to these gating units. After getting the output $D_{θ c}^{z}$ of the max pooling layer of the lth layer, $D_{θ c}^{z}$ will be used as the input of the LSTM layer. If the output vector of the LSTM layer is $k^{t}$ , the update of the forget gate $g^{t}$ , input gate $h^{t}$ and output gate $p^{t}$ of the LSTM layer at each time step is performed as follows: $\begin{array}{l} (6) & g^{t} = ζ (A^{f} + V^{f} D_{θ c}^{z} + L^{f} \times k^{t}) \\ (7) & h^{t} = ζ (A^{g} + V^{g} D_{θ c}^{z} + L^{g} \times k^{t}) \\ (8) & p^{t} = ζ (A^{p} + V^{p} D_{θ c}^{z} + L^{p} \times k^{t}) \end{array}$

Among them, $A^{f}$ , $V^{f}$ , $Z^{f}$ are the bias, input weight and cycle weight of the forget gate of the LSTM layer respectively; $A^{g}$ , $V^{g}$ , $L^{g}$ are the bias, input weight and cycle weight of the input gate respectively; $A^{p}$ , $V^{p}$ , $Z^{p}$ are the output respectively Bias, input weights, and loop weights for gates. Therefore, the information state update and output of the LSTM layer are shown in formulas (9) and (10): $\begin{array}{l} (9) & t^{t} = g^{t} \times k^{t} + h^{t} ζ A + h^{t} ζ {VD}_{θ c}^{z} + h^{t} ζ L \times k^{t} \\ (10) & k^{t} = ζ (t^{t}) \times p^{t} \end{array}$ where A, V, L are the bias, input weight and loop weight of the newly generated high-speed network traffic information of the LSTM layer. After obtaining the high-speed network traffic feature $k^{t}$ output by the bidirectional LSTM layer. It is input into the fully connected layer, and finally classified by the Sigmoid function classifier. The Sigmoid function is shown in formula (11), where x represents any network traffic variable. $\begin{matrix} (11) & o (k^{t}) = \frac{1}{1 + e^{- k^{t}}} \end{matrix}$

Here, $o (k^{t})$ is the classification probability of high-speed network traffic feature $k^{t}$ , and e is a natural constant.

Train the neural network model obtained in step (2) to complete the high-speed network abnormal traffic detection [12].

Considering the small variability of patterns and interactions in network security [19], all network traffic data can be divided into training, validation, and test sets. Let the training rounds be n, use the training set to train the model, and calculate the two-category cross-entropy loss function $K_{p}$ according to the formula (12) for the classification result of high-speed network traffic: $\begin{matrix} (12) & K_{p} = - \frac{1}{M} π_{j} log (o (k^{t})) + (1 - π_{j}) log (1 - o (k^{t})) \end{matrix}$

Among them, M represents the total number of high-speed network traffic samples, and $π_{j} = 0$ or $π_{j} = 1$ is the label of the jth high-speed network traffic sample, which in this paper represents the high-speed network traffic classification result. If the classification result is 0, it means that the high-speed network traffic sample is a positive class; if the classification result is 1, it means that the high-speed network traffic sample is a negative class, and there is an abnormality. $o (k^{t})$ is the probability that high-speed network traffic samples belong to abnormal traffic.

2.3. Feature extraction of abnormal traffic information entropy in high-speed network

In this paper, by extracting the four characteristic attribute information of source IP address traffic attribute, destination IP address traffic attribute, source port traffic attribute and destination port traffic attribute of abnormal network traffic Y, it is used to analyze the change status of abnormal traffic characteristics in four locations, and construct Attack map.

The method for extracting abnormal traffic characteristics of high-speed network based on information entropy mainly extracts the temporal and spatial characteristics of abnormal traffic samples Y. Information entropy is used to represent the uncertainty of random variables in complex information systems. Its mathematical expression is: $\begin{matrix} (13) & S (Y) = - \sum_{j = 1}^{m} q (y_{j}) {log}_{2} (q (y_{j})) \end{matrix}$

Among them, $S (Y)$ represents the information entropy of the four abnormal traffic characteristic variables Y of abnormal high-speed network traffic; $x_{j}$ represents the jth random characteristic variable in the abnormal traffic of high-speed network, $Y = {y_{j} | j = 1, 2, \dots, m}$ , m are the total number of random variables; $q (y_{j})$ represents the abnormal traffic of high-speed network Yth The probability of occurrence of j random feature variables. When the value of $S (Y)$ is 0, it means that the random characteristic variable in the abnormal traffic of the high-speed network is certain. When the high-speed network abnormal flow Y random characteristic variable is evenly distributed, the $S (Y)$ value reaches the maximum, that is $S (Y) = {log}_{2} m$ .

In the high-speed network abnormal traffic Y detection, the abnormal traffic characteristic attribute can be regarded as a random characteristic variable of the network traffic. By calculating the information entropy of each characteristic attribute, the characteristic attribute change and distribution of the current network traffic Y can be effectively reflected. From the formula (13), the mathematical expression of the information entropy of the abnormal traffic characteristic attribute of the high-speed network can be obtained, as shown in the formula (14): $\begin{matrix} (14) & \{\begin{matrix} S^{'} (Y^{'}) = - \sum_{α = 1}^{M} (\frac{m_{α}^{'}}{R}) {log}_{2} (\frac{m_{α}^{'}}{R}) \\ R = \sum_{α = 1}^{M} \frac{m_{α}^{' 2}}{R m_{α}^{'}} \end{matrix} \end{matrix}$

In the formula, $S^{'} (Y)$ represents the information entropy of the abnormal traffic characteristic attribute of the high-speed network, $Y^{'} = {y_{α}^{'} | α = 1, 2, \dots, M}$ , $x_{α}^{'}$ represent the αth attribute variable in the abnormal traffic characteristic attribute of the high-speed network, M represents the number of attribute variables in the abnormal traffic characteristic attribute; $m_{α}^{'}$ represents the abnormal traffic characteristic the number of occurrences of the αth attribute variable in the attribute, R represents the total number of occurrences of the M variables in the abnormal traffic characteristic attribute, and $\frac{m_{α}^{'}}{R}$ represents the probability of the αth attribute variable in the abnormal traffic characteristic attribute. In order to reduce the impact of abnormal traffic feature sample data on the detection performance of hidden targets of network security threats, after calculating the information entropy of each feature attribute, it is normalized to analyze the abnormal feature change state in abnormal traffic. $\begin{matrix} (15) & \bar{S^{'}} (Y^{'}) = \frac{S^{'} (Y^{'})}{{log}_{2} R} \end{matrix}$

2.4. High-speed network security threat attack graph design

In the abnormal traffic existing in the high-speed network, the abnormal feature set is ${\bar{S^{'}} Y_{1}^{'}, \bar{S^{'}} Y_{2}^{'}, \dots, \bar{S^{'}} Y_{m}^{'}}$ , and the abnormal level vector of the source IP address traffic attribute, destination IP address traffic attribute, source port traffic attribute and destination port traffic attribute of this set is $(K_{1}, K_{2}, \dots, K_{m})$ , then the abnormal traffic The triangular matrix of the feature change state is shown in Fig. 2.

Fig. 2.

Triangular matrix of abnormal traffic utilization relation.

In the matrix, $Q_{(ϕ, φ)}$ represents the possibility of abnormal network traffic when an attack is launched directly from the network port using vulnerability φ. As shown in Fig. 2, the triangular matrix of abnormal flow characteristic change state is the lower triangular matrix, and all the coefficients on the upper right of the diagonal are zero.

A high-speed network security threat attack graph P is established based on the triangular matrix, as shown in Fig. 3.

Fig. 3.

High speed network security threat model based on attack graph.

P is the high-speed network attack graph. There is an abnormal network traffic node $Y^{*}$ in P. In this paper, the attack path discovery method based on multi-heuristic information fusion is used to extract the attack path of the high-speed network. To improve the reliability of attack path discovery, the key point is to integrate network security domain knowledge into the planning process as much as possible, and consider various practical factors in planning [9]. Different heuristic functions focus on information. If only a single heuristic is used, it is often unable to fully reflect the many influencing factors in the attack path discovery. While multiple heuristics guide the search at the same time, the information of each heuristic can be integrated to improve the usability of planning results.

Considering that there are often the following options in the actual attack process:

If there are multiple vulnerabilities on each host, how to select the vulnerabilities that can not only improve the attack effect but also ensure the success of the attack to be exploited;

If there are many hosts in the subnet, how to select the host that is most beneficial to the attacker as the target. Therefore, according to the actual needs of attack path discovery, this paper uses the three indicators of vulnerability threat degree, vulnerability success rate and host assets as heuristic functions for search guidance.

The degree of vulnerability threat mainly reflects the value of vulnerability exploitation. Vulnerabilities with a high degree of threat can often exert greater destructive power in the attack process, and their utilization difficulty is relatively small, which is often the first choice of attackers. In addition to the degree of vulnerability threat, in the actual vulnerability exploitation process, the success rate of vulnerability exploitation directly affects whether the entire attack can be carried out smoothly. If the vulnerability success rate is low, even the threat level of the vulnerability is often not selected. Therefore, it is necessary to use the vulnerability success rate as part of the planning basis in attack planning.

In the process of attack path selection, not only will the selection of vulnerabilities be considered, but also suitable hosts will be selected as attack targets. Different hosts play different roles in a network, and the importance of their information assets is also different. During the attack process, attackers often consider infiltrating hosts with higher value in order to obtain better attack benefits. The value of host assets is often related to the network location, running services, stored resources, etc. The importance of host assets is often related to the assets of the entire network. In order to simplify the measurement of the value of the host assets, the importance of the host assets is expressed in the form of grades. Referring to the existing research, this paper divides the asset level of the host into 5 levels, indicating the corresponding degree of asset importance. The host asset class and typical host types are shown in Table 1. The higher the asset values of the host, the higher the attack value.

Table 1

Host asset ranks and typical host types

Host asset level	Host type
Level 1	DNS server, backbone router, database server
Level 2	Mail servers, hosts that store critical information
Level 3	Firewall, web server
Level 4	Common host, etc.
Level 5	Temporary host

To sum up, in the high-speed network attack graph, network applications can be implemented only after the host is connected to the high-speed network, and attackers will have the opportunity to attack the host. Therefore, after designing the attack graph in combination with the abnormal traffic characteristic change state, it will be based on multiple heuristics. The attack path discovery problem of information fusion can be expressed as $Ω = ⟨ L, B, G ⟩$ , where L, B, and G are in turn the set of all hosts, the set of all exploit actions, and the connectivity between hosts in the high-speed network attack graph. $l_{attack}$ , $l_{t arg et}$ are the attacker host and the attack target host in turn. A single host l can be represented as $l = ⟨ ne, bt, f, cp ⟩$ , which respectively represent the name of the host, the status of the host assets, the current path cost value of the host and its corresponding forward host node; a single exploit action can be expressed as $b = ⟨ ne, si, rv ⟩$ , which respectively represent the name of the exploit action, the vulnerability threat level and vulnerability success rate. A single connectivity relationship can be denoted as $g = ⟨ l, l^{'}, e ⟩$ , which means that the host $l^{'}$ can be accessed from the host l, and the cost of launching an attack from the host l is e. Note that the connectivity between hosts is directional. At the same time, $Succ (l)$ is defined as the set of all accessible hosts of host l, $f^{*} (l)$ represents the cost of the best attack path from the attacker’s host $l_{attack}$ to the host l, and $f (l)$ represents the current best attack path cost from the attacker’s host $l_{attack}$ to the host l.

The multi-heuristic attack path discovery algorithm proposed in this paper uses three heuristic functions of vulnerability threat value, vulnerability success rate and host asset value for planning guidance, which are denoted as $t_{0}$ , $t_{1}$ , $t_{2}$ respectively.

First perform the initialization operation, set the path cost of the target host to infinity, the path cost value of the initial attack host is 0, set the forward node value of the initial attack host and the target host to null, and insert the initial host node into each priority queue at the same time; When the condition that the minimum value in the general priority queue is less than the minimum value of the positive search queue is satisfied, the algorithm expands each other search queue with the best priority in a round-robin manner; otherwise, the key of the expansion node in the priority queue is expanded. value to improve network connectivity, security and network efficiency [6]. When expanding a host node, the current node needs to be deleted from all priority queues first to ensure that the host node will not be expanded again. Then consider all subsequent host nodes $l^{'}$ of the current host, if $l^{'}$ has not been expanded, then expand the key value information of the host node in the priority queue, and update it in all priority queues at the same time; if $l^{'}$ is in a general search Expanded, but not expanded during the search, only insert $l^{'}$ into other search queues. Considering the problem of repeated intrusions [5], if $l^{'}$ is already expanded during the search process, then the host node will not be inserted into any priority queue and will not be expanded again. The algorithm stops when $l_{t arg et}$ has the smallest key value in any queue. At this time, the path extraction result can be traced back to the attacker host $l_{attack}$ according to the forward host node of the current path of the host l, so as to complete the network security threat hidden target identification.

3. Experiment and result analysis

In order to analyze the effect of the method in this paper, a network experiment environment under APT attack was built in the simulation software. The experiment set up five user terminal hosts (A1, A2, A3, A4, A5) and one attacker host (A6). Access the web server through a high-speed optical fiber network. At this time, the APT attacker can continuously attack the host for a specific target, threatening network security. Figure 4 is a schematic diagram of the experimental environment.

In the above experimental environment, there is one hidden target source of high-speed network security threats. Using the set experimental environment, some common hidden attack tools are used to conduct attack tests of different attack types and attack tools in different time periods. The attack behaviors are shown in Table 2.

Fig. 4.

Experimental environment.

Table 2

Design of experimental conditions

Attack type	Content	Total attacks
Illegal scan detection	Scan IP host information	50
Machine intrusion	Login user host	50
Illegal editing	Edit user host important information	50

In the experiment, it is assumed that A1–A5 hosts store users’ private information. Under the condition that the network topology remains unchanged, the method in this paper is used to reduce the instantaneous input traffic in a certain proportion and compress the size of the traffic data. After that, the convolutional recursive neural network is used to identify the abnormal traffic in the high-speed network, and the information entropy is used to describe the high-speed network and identify the hidden targets of the security threats in the high-speed network. The attack diagram is shown in Fig. 5.

From the analysis results in Table 3, it can be seen that after scanning the document information of the A1 host, the A6 host cracks the password of the A2 host, illegally logs in to the A3 host, modifies important files in the A4 host, and clears data files in the A5 host. Before identifying the hidden targets of high-speed network security threats, the method in this paper extracts the abnormal traffic characteristics of the high-speed network of A1 ∼ A5 hosts as shown in Fig. 6.

Fig. 5.

Attack graph.

Table 3

Attack behavior

Attack path	Content
A6–A1	A6 host scans the document information of A1 host
A6–A2	A6 host decrypts the password of A2 host
A6–A3	A6 host illegally logs into A3 host
A6–A4	A6 host modifies important files in A4 host
A6–A5	A6 host clears data files in A5 host

Fig. 6.

Effect of feature extraction of abnormal traffic in high-speed network.

The attack behaviors in Fig. 5 are shown in Table 3.

According to the analysis results in Table 3, A6 host scans the document information of A1 host, cracks the password of A2 host, logs in A3 host illegally, modifies important files in A4 host, and clears data files in A5 host. Before identifying hidden targets of high-speed network security threats, this method uses high-speed network traffic reduction method to compress the scale of traffic data, and uses information entropy to describe the characteristics of high-speed network abnormal traffic. The effect of extracting the characteristics of high-speed network abnormal traffic of A1 ∼ A5 hosts is shown in Fig. 6.

As can be seen from Fig. 6, when extracting abnormal traffic features of high-speed network, the extraction results of destination IP information entropy and source IP information entropy have a high degree of matching with the actual values, indicating that the extraction accuracy of abnormal traffic features of high-speed network is good. This is because the method in this paper adopts the high-speed network traffic reduction method, Under the condition that the network topology remains unchanged, the instantaneous input traffic is reduced in a certain proportion. After the traffic data size is compressed, the abnormal traffic of the high-speed network is identified through the convolutional recursive neural network, so that the abnormal traffic characteristics can be accurately obtained and the information entropy can be used to describe the high-speed network.

Test the target recognition accuracy of five attack behaviors of high-speed network before and after using the method in this paper, and draw the ROC curve. The results are shown in Fig. 7.

Fig. 7.

The accuracy of this method in identifying hidden targets of high-speed network security threats.

The ROC curve takes the false positive class rate as the abscissa and the true class rate as the ordinate, and calculates a series of false positive class rates and true class rates, which are connected to form a curve. For a certain point in the ROC space, for different ROC curves, the closer to the upper left, the higher the recognition accuracy.As shown in Fig. 7, the method in this paper can improve the recognition accuracy of the hidden targets of high-speed network security threats,the recognition accuracy is stabilized at 0.95.

In summary, the proposed method has a good extraction accuracy for abnormal traffic features of high-speed networks, and can improve the identification accuracy of hidden targets of high-speed network security threats, which is stable at 0.95.

4. Discussion

Combined with the research content of this paper, some countermeasures are put forward on how to strengthen network security:

Strengthen equipment protection

First of all, ensuring the physical security of various devices in the network system is the premise of the security of the entire network system. Physical security is the process of protecting computer network equipment, facilities and other media from environmental accidents such as earthquakes, floods, fires, and damage caused by human error or error and various computer crimes. It mainly includes four aspects:

Environmental security: security protection for the environment where the system is located, such as regional protection and disaster protection;

Equipment safety: including anti-theft, anti-destruction, anti-electromagnetic information radiation leakage, anti-electromagnetic interference and power protection of equipment;

Media security: including the security of media data and the security of the media itself;

Operation security: There should be professional technical maintenance personnel to monitor and manage the operation of the network, and the main backup strategy should be implemented for the system. Monitor network operation and security alarm information, audit and log analysis at all levels of the network, and handle network security events.

Secondly, it is necessary to ensure the security of the network transmission link. Link security mainly solves the security on the link-level point-to-point public channel in the network system. Adopting certain security measures on the public link can ensure the security of information transmission and resist attacks such as eavesdropping, tampering, replay, and traffic analysis on the communication link. Link encryption is the main means to solve link security, and link encryption is mainly realized by link encryption machine. For the security of the interconnection in the network system, a hardware firewall can be used to realize the security access mechanism of the two. At the same time, the connection IP address in the local area network adopts the reserved address, which not only solves the problem of insufficient IP address, but also eliminates the direct connection with the Internet. And the VPN function of the firewall can be used in the local area network to realize the confidentiality and integrity protection of the information.

Finally, regular testing of network equipment is required. Mainly firewall, strengthen firewall technology. In the process of preventing and controlling network risks, the most commonly used technology is network firewall technology. This technology is mainly to strengthen access control between networks, block some external network users who want to illegally invade, and limit their access to internal resources. to ensure the security of the internal network environment. The application advantages of firewall technology are mainly reflected in that it can automatically check the data transmitted between two or more networks according to the security policy set in advance, and can also better monitor the network operation status and judge its situation. In preventing hacker intrusion, the application of firewall technology has shown a very obvious effect. Therefore, in order to further strengthen the prevention of network security risks, a firewall should be established in an all-round way. To prevent hacker attacks, network security provides necessary guarantees.

Enhance user safety awareness

In addition to relying on the basic protection of hardware and software equipment, in fact, the fundamental way to prevent it is that users must have security awareness and maintain good computer and network usage habits. That is to say, “people” are the key. At present, many enterprises and ordinary netizens are still in a passive position. In fact, the active attack of network security defense is more urgent than passive defense, and the strengthening of security awareness is the premise of active attack. In the face of network security threats, as direct users of the network, if users lack their own security awareness and do not recognize the existence of security threats, they will be helpless in the face of network security threats, causing losses to users. Moreover, users also lack due understanding of their own technology and management status. Therefore, they must strengthen their security awareness, especially now that network security threats are increasing, new threat factors are emerging one after another, and users are hard to guard against. Use habits and plan ahead. It can be seen that solving the problem of network security is also a problem of security awareness. The easiest and most effective way is to strengthen the security awareness of users. Network users are jointly responsible for network security. It is believed that the threat of network security will be greatly curbed.

5. Conclusion

This paper proposes a method of identifying hidden targets of high-speed network security threats based on attack graph theory, which can extract the attack path of high-speed network, locate the attack host, and identify hidden threat targets. The experimental results show that the proposed method has a high recognition accuracy for hidden objects, and can accurately identify hidden targets of high-speed network security threats. It plays a positive role in building a harmonious network.

In future research, the research direction will be to identify multiple hidden targets of high-speed network security threats at the same time, in order to improve the efficiency of high-speed network security threat hidden multi-target identification, and further optimize the hidden target identification method of high-speed network security threats based on attack graph.

Conflict of interest

None to report.

References

F.J.

Abdullayeva, Advanced persistent threat attack detection method in cloud computing based on autoencoder and softmax regression algorithm, Array 10(4) (2021), 100067. doi:10.1016/j.array.2021.100067.

Alaaraji,

Ahmad and

R.S.

Abdullah, Propose vulnerability metrics to measure network secure using attack graph, International Journal of Advanced Computer Science and Applications 12(5) (2021), 51–58.

A.W.

Bohannon,

V.J.

Lawhern,

N.R.

Waytowich et al., The autoregressive linear mixture model: A time-series model for an instantaneous mixture of network processes, IEEE Transactions on Signal Processing 68(4) (2020), 4481–4496. doi:10.1109/TSP.2020.3012946.

Braun,

Albrecht and

Lucia, Hierarchical attack identification for distributed robust nonlinear control, IFAC-PapersOnLine 53(2) (2020), 6113–6120. doi:10.1016/j.ifacol.2020.12.1688.

L.J.

Hang,

Z.L.

Liu and

H.L.

Zhou, Simulation of repeated game theory intrusion detection model in mobile Internet of things, Computer Simulation 36(05) (2019), 337–340.

A.M.

Hegland,

Hauge and

Holtzer, Federating tactical edge networks: Ways to improve connectivity, security, and network efficiency in tactical heterogeneous networks, IEEE Communications Magazine 58(2) (2020), 72–78. doi:10.1109/MCOM.001.1900508.

A.N.

Jahromi,

Hashemi,

Dehghantanha et al., An enhanced stacked LSTM method with no random initialization for malware threat hunting in safety and time-critical systems, IEEE Transactions on Emerging Topics in Computational Intelligence 4(5) (2020), 630–640. doi:10.1109/TETCI.2019.2910243.

A.R.

Javed, Anomaly detection in automated vehicles using multistage attention-based convolutional neural network, IEEE Transactions on Intelligent Transportation Systems 22(7) (2020), 4291–4300. doi:10.1109/TITS.2020.3025875.

P.D.B.

Kenfack,

F.K.

Mbakop and

Eyong-Ebai, Implementation of machine learning method for the detection and prevention of attack in supervised network, Open Access Library Journal 8(12) (2021), 1–25.

10.

Liu,

Wang,

Liu,

C.T.

Lin and

Lv, Fuzzy detection aided real-time and robust visual tracking under complex environments, IEEE Transactions on Fuzzy Systems 29(1) (2021), 90–102. doi:10.1109/TFUZZ.2020.3006520.

11.

Liu,

Xu,

Zhang,

Khan and

Fu, A reliable sample selection strategy for weakly-supervised visual tracking, IEEE Transactions on Reliability (2022), online first. doi:10.1109/TR.2022.3162346.

12.

Mazurczyk,

Bisson and

R.P.

Jover, Challenges and novel solutions for 5G network security, privacy and trust, IEEE Wireless Communications 27(4) (2020), 6–7. doi:10.1109/MWC.2020.9170261.

13.

Melhim,

Jemmali,

Assadhan and

Alquhayz, Network traffic reduction and representation, International Journal of Sensor Networks 33(4) (2020), 239. doi:10.1504/IJSNET.2020.109193.

14.

Sarhan and

Spruit, Open-CyKG: An open cyber threat intelligence knowledge graph, Knowledge-Based Systems 233 (2021), 107524. doi:10.1016/j.knosys.2021.107524.

15.

Sengupta,

Chowdhary,

Sabur et al., A survey of moving target defenses for network security, IEEE Communications Surveys & Tutorials 22(3) (2020), 1909–1941. doi:10.1109/COMST.2020.2982955.

16.

Sharma and

D.B.

Jayagopi, Towards efficient unconstrained handwriting recognition using dilated temporal convolution network, Expert Systems with Applications 164(2) (2021), 114004. doi:10.1016/j.eswa.2020.114004.

17.

Shuai,

Tenghui,

Li,

Yating and

Akshi, An effective learning evaluation method based on text data with real-time attribution – a case study for mathematical class with students of junior middle school in China, ACM Transactions on Asian and Low-Resource Language Information Processing 22(3) (2022), 63, online first, 10.1145/3474367.

18.

Yao,

Gao and

Zhang, Hybrid intrusion detection system for edge-based IIoT relying on machine-learning-aided detection, IEEE Network 33(5) (2019), 75–81. doi:10.1109/MNET.001.1800479.

19.

Zave and

Rexford, Patterns and interactions in network security, ACM Computing Surveys 53(6) (2020), 1–37.

20.

Zhang,

Qu and

Xu, Graph embedding-based approach for detecting group shilling attacks in collaborative recommender systems, Knowledge-Based Systems 199(7) (2020), 105984. doi:10.1016/j.knosys.2020.105984.