Computer network security evaluation model based on neural network

Abstract

In this paper, the simulation model of computer network security evaluation based on neural network is proposed. Network security has now become one of the focuses of computer communication researchers. Due to the suddenness and human nature of network security problems, it is often difficult to detect problems after they appear. Combined with the characteristics of network security situation prediction problem, the computer network security evaluation model is constructed by BP neural network algorithm, and the network system security detection algorithm is used to evaluate it, to predict the network security posture. Therefore, the defense can be implemented in advance, and the network security belt can be reduced. The resulting hazards will provide constructive advice on the future development of cybersecurity. Through test simulation, the algorithm can be well applied in the simulation model system; it is worth further promotion in practice.

Keywords

neural network computer network security evaluation simulation model

1. Introduction

The public has more valued the importance of cybersecurity in 2016. The Chinese Party Central Committee and the State Council have also continuously proposed protection measures for cybersecurity. At the same time, network leakage incidents have emerged in an endless stream, and there have been many Internet-related information disclosure incidents in China in 2015–2016 [1]. Such as railway website user information disclosure incidents, candidate information disclosure incidents, real estate information call information and a series of personal private information disclosure incidents. Existing network security defenses cannot guarantee user information security [2]. The network security problem has caused unprecedented damage to users [21]. Network security issues threaten mobile phone contacts, individual orders, personal information, bank accounts, and other important information [22]. Some related vendors have even introduced a variety of defensive measures, neither the relevant patches nor the firewall can provide comprehensive defense against all future network security because a single defense can no longer block such complex network environment problems [3]. If the current network security status in advance can be analyzed, predicting the future attack strength, more corresponding effectively measures can be taken to avoid significant damage. This also has great theoretical and practical significance for the future development of network security [23].

The simulation model of computer network security evaluation based on neural network is studied in this paper. Combining with the characteristics of network security situation prediction, a computer network security evaluation model is constructed by using BP neural network algorithm [24]. And the network system security detection algorithm is used to evaluate the network security situation prediction so that the network security posture can be predicted so that the network security can be prevented in advance and the harm caused by network security can be reduced.

Using the neural network to evaluate and simulate computer network security can effectively predict the network security situation with high accuracy, and can provide valuable constructive opinions on the future development of network security in China. At the same time, compared with other models, it has more efficient and accurate features and can be widely used in network security prediction and defense [4].

This paper contains five main sections. The first section briefly introduces the research background and significance. The second one mainly summarizes the current research situation. The third section presents the research methods, including the BP neural network model based on network security, network system security detection and evaluation algorithm. Section 4 discusses the network traffic and the network security relationship model. Finally, the fifth part summarizes the whole paper.

2. Related work

With the development of science and technology, the current computer technology and network technology are widely used, and the evaluation of computer network security plays a vital role in computer network management [5]. With the development of information technology and the improvement of the scientific and technological level, neural network technology is continuously expanding and deepening, and its application in computer network security is of great significance and effect, which has been studied by many scholars. To effectively solve the problem of computer network security, relevant experts have proposed a variety of neuronal models successively, and the neural network, which plays an important role, is often used in computer network security evaluation. Some scholars have established the GABP neural network model and applied this model to computer network security evaluation [6]. Therefore, a network security information evaluation system is designed and implemented, and good results have been achieved. Some scholars use the genetic algorithm to improve the computer network security evaluation simulation model from the BP neural network algorithm and optimize the effect of the original model [7]. In general, the current research on computer network security evaluation has been relatively increased, and this paper is based on the previous research, through the neural network algorithm to computer network security evaluation re-innovation [8].

3. Network security and evaluation algorithm

3.1. BP neural network model based on network security

According to the historical information of network security, predicting future network security is the practical significance of network security prediction [9–10]. The principle of situation prediction is to collect network security attacks in a certain period and then analyze various factors such as the time, frequency, type, and threat of the network according to different attack time, using scientific and reasonable methods to the network [25]. Security attack data is processed [11 –13]. The historical network security value is fitted to the time, and the formed function can predict the network security in the future time. The artificial neural network is an algorithm based on the human brain [14]. There are currently only two sets of data, one is input data, and the other is output data, but it is not known how the two sets of data are related. When input data is continuously inputted into the “network,” different output results are obtained. By adjusting the internal structure of the network through the output, the desired input and output can be obtained [15 –17]. This is a simple neural network model principle. The BP neural network is also a type of artificial neural network. It can be calculated by error backpropagation. The primary process is to transfer the training data between the neurons of the input layer and then fit the data between the hidden layer and the output layer [18, 19]. If there is an error in the fitted output value and the predicted value, and the error accuracy does not meet the requirements, the model is adjusted by adjusting the weight and the threshold until the output accuracy is satisfactory. The BP neural network is a single direction multi-level feedforward network, which consists of an input layer, an implicit layer (the number of layers is not necessarily 1, can be multiple layers) and three parts of the output layer [20]. Each layer consists of several neurons. Each neuron is called a node. The upper and lower nodes interact with each other by weights. The layers and layers are all interconnected, but the same nodes are independent of each other. The figure shows the structure of a 3-layer BP neural network.

Fig. 1

Schematic diagram of BP network structure.

Among them, the number of neurons (nodes) in the input layer is recorded as n, and the input vector is used. X ∈ Rⁿ, X = (x¹, x², …, xⁿ) ^T indicates that the number of neurons in the hidden layer is set to t, and the hidden layer vector is used. Z ∈ R^t, Z = (z₁, z₂, …, z_n) ^T indicates that the number of neurons in the output layer is recorded as m, and the output layer vector is used. Y ∈ R^m, Y = (y₁, y₂, …, y_m) ^T is said. Wij represents the connection weight between the input layer neuron i and the hidden layer nerve J; a_i is the value of the connection between the two; W jk is the connection weight between the hidden layer neuron j and the output layer neuron k, θ_k (k = 1, 2, …, m) depreciates the connection between the two. The relationship between the three is: $Z_{j} = f (\sum_{t = 1}^{n} W_{ij} \cdot X_{i} - θ_{j})$ (1) $Y_{k} = f (\sum_{j = 1}^{t} W_{jk} \cdot Z_{j} - θ_{k})$ (2)

In the middle f (·) corresponding to the activation function of the neuron, in the actual neural network construction process, the selected auxiliary modeling software generally provides a variety of activation functions, which can be achieved by directly calling the activation function. Since the chosen activation function is differentiable, compared with the linear research area, the BP neural network is a region composed of a nonlinear hyperplane, which is smoother and can accommodate more data structures, so it is built based on the activation function. The classification of neural networks is more accurate than single linearity and has better fault tolerance. Besides, the neural network established according to this can use the gradient descent method to develop training and learning, and the weights are continuously corrected, and the final learning is more accurate.

3.2. Network system security detection and evaluation algorithm

Suppose there is a network of n hosts, we consider this network as a whole system. In this way, we can get a collection, i.e. S = {s₁, s₂, …, s_n}. Then, each action of each host in this system can be recorded as an action unit, i.e., v. When the internal host of the system interacts with the host outside the network, the action unit starts counting. When the external host accesses the host in the system, the v value is incremented by 1. When the internal host accesses the host outside the system, the v value is reduced by 1. Defining state collection U = {μ₁, μ₂, …, μ_n}. The U set is a collection of state sequences after the system has undergone n actions. Through the state set U, you can get the set of this set activity A = {a₁, a₂, …, a_k}, among them a_i indicates the state after the system has passed the specified time or quantity. μ_i is the number of occurrences. By setting A, you can calculate the status μ_i Probability of occurrence within a specified time or number interval p_i for all a_i calculated probability p_i. After that, you can get the activity probability set of each state P = {p₁, p₂, …, p_k}. Applying the entropy theory to the above set of possibilities defines active entropy as shown in equation (1). $Ha = - \sum_{i = 1}^{k} (pi) log (pi)$ (3)

The method designed needs to adjust the size of the detection window according to the change of network traffic. It is not difficult to see that network traffic will change with time, but from the overall perspective and long-term perspective, traffic changes have a certain regularity. Adopting a unified treatment method for different traffic is inappropriate.

4. Network traffic and network security relationship model

Based on the previous analysis, the paper then validates the algorithm. Through the above analysis, the statistical rules of different traffic characteristics are shown in Table 1. The table shows the variation of the entropy values of different categories when such traffic anomalies occur. Through the various manifestations of the characteristic entropy of different, unusual events, we can distinguish different abnormal network traffic and realize the monitoring of the network.

Table 1
Reference table for the change of characteristic entropy

Exception name H(X(SIP)) H(X(DIP)) H(X(SPT)) H(X(DPT)) H(X(PKT)) Explain

download Smoothness and small Fluctuate, small Fluctuate, small Fluctuate, small stable

Video player stable stable stable stable stable Five kinds of entropy wave type similar

Webpage Volatility Volatility Volatility Volatility Volatility Five types

video and stability and stability and stability and stability and stability of entropy wave type and volatility

file transfer Very small, smoothness Very small, smoothness Very small, smoothness Very small, smoothness Very small, smoothness Five kinds of entropy value almost overlap

DoS Very small and smoothness Very small and smoothness Moderate and smoothness Very small and smoothness Very small and smoothness

DDoS stable Very small and smoothness Moderate and smoothness Very small and smoothness Very small and smoothness The height of SIP is closely related to the size of the botnet

Exception name	H(X(SIP))	H(X(DIP))	H(X(SPT))	H(X(DPT))	H(X(PKT))	Explain
download	Smoothness and small	Fluctuate, small	Fluctuate, small	Fluctuate, small	stable
Video player	stable	stable	stable	stable	stable	Five kinds of entropy wave type similar
Webpage	Volatility	Volatility	Volatility	Volatility	Volatility	Five types
video	and stability	and stability	and stability	and stability	and stability	of entropy wave type and volatility
file transfer	Very small, smoothness	Very small, smoothness	Very small, smoothness	Very small, smoothness	Very small, smoothness	Five kinds of entropy value almost overlap
DoS	Very small and smoothness	Very small and smoothness	Moderate and smoothness	Very small and smoothness	Very small and smoothness
DDoS	stable	Very small and smoothness	Moderate and smoothness	Very small and smoothness	Very small and smoothness	The height of SIP is closely related to the size of the botnet

As shown in Fig. 2, when a DDoS attack occurs, it can be seen that the source IP curves near a value above 0 and fluctuates within a small range. The target IP curve is almost zero. In subsequent research, it is found that when the number of attacking hosts that launched the attack increased, the source IP curve would appear near a higher value or at a higher value. The target IP curve continues to be close to a value of 0 or even stays at a value of 0 and tends to a straight line. Therefore, the entropy value can be used not only as a criterion for judging an attack, but also for estimating the size of the botnet of the attack, such as the source IP entropy value, and the larger the value, the larger the value.

Fig. 2

Comparison of DDoS attacks of different sizes.

Small-scale DDoS/DoS attack B. (large-scale DDoS attack).

Then the paper analyzes the results of the active entropy algorithm. The active entropy detection algorithm is applied to the network traffic in different time periods of the campus network to detect the traffic distribution of the campus network. We can understand that the traffic varies significantly in different periods. There is a clear change in law over time. During the day, traffic is dense and night traffic is reduced. Through analysis, after the botnet is detected, we can perform mining analysis on the data flow such as Netflow of the attacking host in the area to find the host information that has communicated with the attacking host. After removing the trusted host, the remaining hosts are listed as the suspicious controller. Perform deep packet analysis on the network data traffic mirroring information between the suspicious controller host and the attacking host to find the controlling host, and then take measures against the botnet initiator. Anomalies (two low troughs) occurred in the monitoring of the college network. Through the above graphs, lists and experiments, the feasibility and practical effects of feature detection based on feature entropy are verified. Experiments show that using feature entropy to describe the traffic characteristics of different network applications has certain research value, and it is ready to study the distribution law of flow information entropy further. However, this method is easily affected by the outside world, causing the features to be submerged, and it is difficult to effectively distinguish the changes in the flow characteristics, which needs to be further improved.

In the next simulation, after thinking, the simulation will accept the TOSSIM implementation of the wireless sensor network. We will perform a series of simulations on the analog sensor node Mica2. An attack is an offensive and defensive game between an attacker and an attacked system. In general, the attacker’s understanding of the attacked system is limited or even completely unknown. To achieve its attack purpose, an attacker needs to deploy a complete attack plan and take appropriate countermeasures according to the system response to implement its attack action. That is, the attacker takes action to advance its attack plan. Based on this, the network attack process is stimulated, and the algorithm is tested. The two sets of data for this experiment were from Lawrence Berkeley National Laboratory, Data Set DS 1, and DS 2: LBL-from http://ita.ee.lbl.gov/html/contrib/ Two pages of CONN-7.htm1 and NASA-HTTP.html are downloaded, and both data sets are recorded by TCP connection. The following are some of the connection records:

Table 2

Partial network connection technology

Timestamp	duration	Protocol bytes	Local Host	Remote Host	State flags
76484621.696684	0.236476	domain	106	16	SF L
76484266.236441	0.326144	telnet	176	12	SF L
76686462.326648	0.231464	nntp	122	4	SF L
76421668.326414	0.264126	nntp	21464	4	SF LN

The network record format is divided into attribute values of attribute groups {Timestamp, duration protocol bytes sre, bytes dst, localhost, remote we host, state, flags}. According to the principle of constraining rules by the main attribute and the reference attribute, and sorting according to the importance of the attribute, the data was preprocessed. And then eight attributes from the data set DS, and six attributes in the data set DSO were extracted, respectively for { protocol, srces host, destes host, timestamp, durat ion, src bytes, destes bytes, state} and {protocol, src_ost, request, timestamp, reply code, reply_bytes}. The data attribute values are separated from the bulk and continuous types. Convert different discrete attribute values into different integers, divide the con-tinuous attribute values into intervals, map the values of the same interval to the same value, and map the values of different intervals to different values. Data is continuously extracted from DS 1 and DS 2, respectively, and some incomplete network connection records are removed, each with 760000 and more than 890,000, and after preprocessing, they are stored in database D 1 and D respectively. In 2, an intrusion detection simulation experiment is performed on these network connection record data.

Fig. 3

Mining D1 running time comparison.

The algorithm is implemented in the Java language, the experimental data is read, and the data mining results are presented. The minimum support for each mining is manually set, and graph 3 is drawn according to the experimental results. In the case of a large amount of data and a minimum support, the number of projection databases is reduced, so the space-time efficiency is relatively high; when the preset minimum support is large, the mode that satisfies the condition will be quantitatively Sharp reduction thus illustrates the advantages of BP neural network algorithm in massive data mining.

It can be seen from the results that compared with the BP neural network, the radial basis function neural network has a significant improvement on the overall prediction effect of the network security situation. The overall prediction error is between –0.2 and 0.2, but there are points where the individual error values are significant. It can be seen from the error graph that the error of 7 points far exceeds the acceptable error range. This shows that although the model can reasonably predict the network security situation, the prediction difference is noticeable and needs to be improved. In Fig. 4, the number of attributes of the data set DS 2 is 6 (and DS 1 is 8), and a similar analysis is performed, which shows that the BP algorithm is efficient in long sequence pattern mining, and the above discussion is verified. Based on the reduction of the false positive rate in intrusion detection, the number of network data attributes captured should be as much as possible, and the BP neural network algorithm can better meet the demand when dealing with extended sequence mode, which also shows that the algorithm is more suitable for intrusion detection. The BP neural network algorithm is discussed above, and the algorithm is improved by using two-level projection, modifying the Prefix strategy, discarding the infrequent term and introducing the correlation degree, and applying the improved algorithm to the intrusion detection system. The experimental results show that the efficiency of the algorithm is higher than the original one. In the long sequence mode mining, the algorithm has more advantages and can better meet the high requirements of intrusion detection. However, due to the diversity and complexity of intrusion methods, data mining still needs more in-depth research and performance improvement in intrusion detection. In summary, the traditional BP neural network model to predict the data is used, and the prediction error is significant, so the model is abandoned. Based on the network security detection matrix, as the number of user visits increases, the average response time of systems using different interfaces increases gradually and increases with the rise of concurrent accesses, but the overall growth process is linear, and its growth rate is not fast, so it does not. There is a phenomenon that the system performance drops sharply with the increase in the number of users. It indicates that the system can bear concurrent access by a correspondingly large number of users, and the robustness of the system is better (Fig. 5). Then the radial basis function neural network model and the improved radial basis function using the particle swarm optimization algorithm are tested to compare the prediction results. The pre-diction results show that the radial basis function model improved by BP neural network algorithm is more accurate and less error than the original radial basis function network model. Therefore, it is proved that the radial basis function model improved by BP neural network algorithm has a specific value for the prediction of network security situation.

Fig. 4

Mining D2 running time comparison.

Fig. 5

The average encryption time.

5. Conclusion

Network security has now become one of the focuses of the public. Due to the suddenness and human nature of network security problems, it is often difficult to detect problems after they appear. Inadvertently, user information is leaked or even smeared. The prediction of the network security situation can prevent the loss in advance before the network security problem occurs. Based on this, based on the network security situation prediction problem, the computer network security evaluation simulation model based on the neural network is used. The predictive model of the network security situation is generally a neural network model. The neural network model can process big data quickly and has generalization ability, which can be used in various forecasting fields. Compared with the BP neural network model, the radial basis function network model has the capability of global approximation to avoid optimal local problems. Combined with the characteristics of network security situation prediction problem, the computer network security evaluation model is constructed by BP neural network algorithm, and the network system security detection algorithm is used to evaluate it, so as to predict the network security posture, so that defense can be implemented in advance and the network security belt can be reduced. The resulting hazards will provide constructive advice on the future development of cybersecurity. Through test simulation, the algorithm can be well applied in the simulation model system.

Footnotes

Acknowledgments

The study was supported by “Guangxi Natural Science, Foundation, China (Grant No. 2015GXNSFAA139299)”.

References

Wen ,

Wang , Computer network security evaluation simulation model based on neural network, Modern Electronics Technique274(1) (2017), 1–7.

Sun , Study on computer network security evaluation based on support vector regression machine, Modern Electronics Technique16(1) (2016), 1–5.

J.L.

Zhang , Network security risk dynamic evaluation method research, Computer Simulation76(9) (2016), 11961–11974.

Q.Y.

Lin and

Wang , Evaluation simulation on emergency evacuation capacity for large mart based on wavelet neu-ral network with particle crowd optimization, Journal of Liaoning Institute of Science & Technology76(2) (2018), 2331–2352.

Peng ,

School and

University , Evaluation of the performance management based on neural network topology structure, Computer & Digital Engineering32(5) (2017), 605–613.

G.E.

Chun ,

Wang and

Chang , Research of classroom teaching quality evaluation model based on improved BP neural network, Radio Engineering58(3) (2016), 216–222.

Chen ,

Zhu , and

Yan , Tool reliability evaluation based on grey neural network modeling, Modern Manufacturing Engineering18(1) (2017), 1–12.

W.P.

Zhang ,

J.Z.

Yang ,

Y.L.

Fang ,

H.Y.

Chen ,

Y.H.

Mao and

Kumar , Analytical fuzzy approach to biological data analysis, Saudi Journal of Biological Sciences24(3) (2017), 563–573.

Zhang ,

Thurow and

Stoll , A context-aware mHealth system for online physiological monitoring in remote healthcare, International Journal of Computers Communications & Control11(1) (2016), 142–156.

10.

Weiping

Zhang ,

Akbar

Maleki ,

Marc A.

Rosen and

Jingqing

Liu , Optimization with a simulated annealing algorithm of a hybrid system for renewable energy including battery and hydrogen storage, Energy163 (2018), 191–207.

11.

R.V.

Yampolskiy , Artificial Intelligence Safety Engineering: Why Machine Ethics Is a Wrong Approach.Philosophy and Theory of Artificial Intelligence.Springer Berlin Heidelberg,2013: 389–396.

12.

Moravík ,

Schmid and

Burch , DeepStack: Expertlevel artificial intelligence in heads-up no-limit poker, Science356(6337) (2017), 508.

13.

D.C.

Parkes and

M.P.

Wellman , Economic reasoning and artificial intelligence, Science349(6245) (2015), 267.

14.

E.S.

Rigas ,

S.D.

Ramchurn and

Bassiliades , Managing electric vehicles in the smart grid using artificial intelligence: A survey, IEEE Transactions on Intelligent Transportation Systems16(4) (2015), 1619–1635.

15.

Glauner ,

Boechat and

Dolberg , The challenge of non-technical loss detection using artificial intelligence: A survey, International Journal of Computational Intelligence Systems10(1) (2017), 760–775.

16.

Jennifer Hill ,

Randolph

Ford and

Ingrid G.

Farreras , Real conversations with artificial intelligence: A comparison between human-human online conversations and human-chatbot conversations, Computers in Human Behavior49 (2015), 245–250.

17.

Bundy , Preparing for the future of artificial intelligence, Ai & Society32(2) (2017), 1–3.

18.

Cismondi ,

L.A.

Celi and

A.S.

Fialho , Reducing unnecessary lab testing in the ICU with artificial intelligence, International Journal of Medical Informatics82(5) (2013), 345–358.

19.

K.P.

Singh ,

Gupta ,

Rai , Predicting acute aquatic toxi-city of structurally diverse chemicals in fish using artificial intelligence approaches, Ecotoxicology & Environmental Safety95(1) (2013), 221–233.

20.

Moravík ,

Schmid and

Burch , DeepStack: Expertlevel artificial intelligence in heads-up no-limit poker, Science356(6337) (2017), 508.

21.

Shankar ,

Mohamed

Elhoseny ,

Dhiravida chelvi ,

S.K.

Lakshmanaprabu and

Wanqing

Wu , An efficient optimal key based chaos function for medical image security.IEEE Access.2018. https://doi.org/10.1109/ACCESS.2018.2874026

22.

Mohamed

Elhoseny ,

Shankar ,

S.K.

Lakshmanaprabu ,

Andino

Maseleno and

Arunkumar , Hybrid optimization with cryptography encryption for medical image security in Internet of Things.Neural Computing and Applications.2018. https://doi.org/10.1007/s00521-018-3801-x

23.

I.S.

Farahat ,

A.S.

Tolba ,

Elhoseny and

Eladrosy , Data Security and Challenges in Smart Cities.In: Hassanien A., Elhoseny M., Ahmed S., Singh A. (eds)Security in Smart Cities: Models, Applications, and Challenges. Lecture Notes in Intelligent Transportation and Infrastructure.Springer, Cham,2019. https://doi.org/10.1007/978-3-030-01560-2-6

24.

Mohamed

Elhoseny ,

Xiaohui

Yuan ,

Hamdy K.

El-Minir and

Alaa

Mohamed Riad , An energy efficient encryption method for secure dynamic WSN, Security and Communication Networks9(13) (2016), 2024–2031.

25.

Mohamed

Elhoseny ,

Hamdy

Elminir ,

Alaa

Riad and

Xiao-hui

Yuana , A secure data routing schema for WSN using Elliptic Curve Cryptography and homomorphic encryption, Journal of King Saud University — Computer and Information Sciences28(3) (2016), 262–275.