Attack phase prediction method based on LSTM and attacker information

Document No.: 191933    Publication date: 2021-11-02

Reading note: this technology, 基于lstm和攻击者信息的攻击阶段预测方法 (Attack phase prediction method based on LSTM and attacker information), was designed and created by 李童, 李战士 and 杨震 on 2021-07-04. Its main content: an attack phase prediction method based on LSTM and attacker information, belonging to the field of attack prediction. The invention collects the warning information of network attacks over a long period of time through the LSTM system; collects the historical information of the attackers appearing in the large volume of warning information; preprocesses this historical data to construct the training set, verification set and test set required for LSTM model training; then trains the LSTM model on the training set, using the loss on the verification set to decide whether to stop learning on the training set early; the resulting model can make predictions on preprocessed input data, predicting the step within the multi-stage network attack at which the next attack will occur.

1. The attack stage prediction method based on the LSTM and the attacker information is characterized by comprising the following steps of:

step one: first, collect the historical warning data of the asset to be predicted, and collect the historical attack information of the attackers appearing in that historical warning data;

step two: carry out normalization preprocessing on the collected historical data to construct the training sample data and test sample data of the LSTM model to be trained;

step three: obtain a pre-trained LSTM model from the training sample data, then fine-tune the parameters of the trained LSTM model using the constructed verification sample data and test sample data, stop the fine-tuning when the F1 score reaches 0.75, and take the fine-tuned LSTM model as the attack prediction model;

step four: take the preprocessed historical data of the target asset over a period of time as the input data of the LSTM model; the LSTM model learns from the input data and finally outputs the stage of the attack that the asset may suffer in the future.

2. The LSTM and attacker information based attack phase prediction method of claim 1, wherein: in step 1, one year of warning data of attacks on the target asset is collected; the historical attack information of the attackers in the warning data is collected, and any missing part of an attacker's historical information is filled with 0.

3. The LSTM and attacker information based attack phase prediction method of claim 1, wherein: in step 2, the input feature vector of the LSTM model to be trained is constructed, and the input feature vector is divided into training sample data, verification sample data and test sample data in the proportion 80%, 10% and 10%.

4. The LSTM and attacker information based attack phase prediction method of claim 1, wherein: the input feature vector of the LSTM model is an n × 32 matrix; the n rows of the matrix are the related data of the most recent n network attacks suffered by the target asset, and each row consists of 32 dimensions; all dimensions are divided into 3 parts: the first part consists of target asset warning data; the second part is the network traffic data during the attack; the third part is the attacker's historical information data.

5. The LSTM and attacker information based attack phase prediction method of claim 1, wherein: the dimensions derived from the target asset warning data are the attack start time start_time, the attack end time end_time, the step sequence number of the warning in the multi-stage attack chain, the warning method sequence number and the IP address of the attacker; the attack start time and attack end time in a warning are usually in timestamp format, i.e. an integer of 10 or 13 digits, where 10 digits denotes seconds and 13 digits denotes milliseconds; the 10-digit timestamp is used as the standard.

6. The LSTM and attacker information based attack phase prediction method of claim 1, wherein: the attacker's historical information data is divided into the following dimensions: based on the historical data of the 5 days preceding the network attack start time, the data of each day is counted into the following dimensions: (1) the number of attacks by the attacker in the warning information in the interval start_time - 24×60×60 to start_time, i.e. the accumulated number of attacks from 1 day before the network attack start time to the start time; (2) the number of attacks in the interval start_time - 24×60×60 to start_time - 16×60×60, i.e. the accumulated number of attacks from 1 day before the start time to 8 hours before it; (3) the number of attacks in the interval start_time - 24×60×60 to start_time - 16×60×60, i.e. the accumulated number of attacks from 1 day before the start time to 16 hours before it; (4) the number of attacks in the interval start_time - 16×60×60 to start_time - 8×60×60, i.e. the accumulated number of attacks from 16 hours before the start time to 8 hours before it; (5) the number of attacks in the interval start_time - 8×60×60 to start_time, i.e. the accumulated number of attacks from 8 hours before the start time to the start time.

7. The LSTM and attacker information based attack phase prediction method of claim 1, wherein: the network traffic data at the time of the warned attack in the related data can mainly be divided into the following dimensions: (1) the connection duration, defined as the time from the TCP connection being established by the 3-way handshake until the FIN/ACK that ends the connection; for the UDP protocol type, each UDP datagram is taken as one connection; (2) the data traffic from the source address to the target address; (3) the data traffic from the target address to the source address; (4) the number of erroneous fragments; (5) the number of urgent packets; (6) the number of accesses to system-sensitive files and directories; (7) the number of failed login attempts; (8) the number of root-privilege accesses; (9) the number of file creations; (10) the number of shell command uses; (11) the number of accesses to access-control files; furthermore, time-based network traffic statistics are required: (12) in the past two seconds, the number of connections to the same target host as the current connection; (13) in the past two seconds, the percentage of connections with a "SYN" error among connections to the same service as the current connection; (14) in the past two seconds, the percentage of connections with a "REJ" error among connections to the same target host as the current connection; (15) in the past two seconds, the percentage of connections to the same service as the current connection; (16) in the past two seconds, among connections to the same target host as the current connection, the percentage of connections to a different service from the current connection; (17) in the past two seconds, among connections to the same service as the current connection, the percentage of connections to a different target host.

8. The attack prediction method based on LSTM and attacker history information as claimed in claim 1, wherein: in step 3, the LSTM model has 1 input layer, 5 hidden layers and 1 output layer;

the 5 hidden layers use LSTM units with three gates: the input gate determines how much of the warning-related information in the unit state at the previous moment is retained to the current moment; the output gate determines how much of the warning-related information in the cell state is output to the current output value; the forget gate determines how much of the warning-related information in the unit state at the previous moment is retained to the current moment;

the specific formula of the LSTM unit is as follows:

$h_t = o_t \tanh(c_t)$

where σ is the logistic sigmoid function; i, f, o, c and h denote the input gate, forget gate, output gate, cell activation vector and hidden layer unit respectively; the remaining weight matrices are those between the input feature vector, the hidden layer unit, the cell activation vector and the input gate; those between the input feature vector, the hidden layer unit, the cell activation vector and the forget gate; those between the input feature vector, the hidden layer unit, the cell activation vector and the output gate; and those between the input feature vector, the hidden layer unit and the cell activation vector, where the weight matrix is a diagonal matrix; $b_i$, $b_f$, $b_c$ and $b_o$ are the bias terms of the input gate, forget gate, cell activation vector and output gate respectively; the subscript t denotes the sampling time, and tanh is the activation function.

9. The LSTM and attacker information based attack phase prediction method of claim 1, wherein: categorical cross-entropy is selected as the loss function, and since the input warning history information contains time-sequence information, the output layer matrix takes only the output of the last M LSTM units; the loss function is

where i denotes a sample, N the total number of samples and M the number of categories; the indicator variable equals 1 if category c is the same as the category of sample i and 0 otherwise; and the probability that observed sample i belongs to class c is calculated from the output of the last LSTM via the Softmax function.

Technical Field

The invention relates to an attack prediction method based on an LSTM model and historical information of an attacker, and belongs to the field of attack prediction.

Background

In order to predict subsequent attacks, it is often necessary to record the behavior of the attacker and build a description of the attack for later use. Bou-Harb et al. break a cyber attack down as follows:

1. network scanning

2. Enumeration

3. Intrusion attempt

4. Elevating rights

5. Performing malicious tasks

6. Deploying malware/backdoors

7. Performing malicious tasks

8. Delete evidence and exit

Many types of network attacks follow this simple sequence of events, which can be observed in network traffic or on the target system. The prediction of an ongoing attack is inherently very simple: if we see a series of events that fit the attack model, we can assume that the attack will proceed according to the model, and thus predict the adversary's next action. However, a fuzzy description of an attack cannot be used for algorithmic prediction, so a more formal description is required, for example in the form of an attack graph. Furthermore, there are many different types of attacks, so a model needs to be created for every attack that is to be predicted. Historically, the original approach relied on attack libraries that had to be populated manually, which required a great deal of effort and constant updating. Modern methods therefore rely more on data mining to generate attack patterns automatically. The methods and models for attack prediction are very numerous, from discrete models (such as attack graphs) to continuous models (such as time series); among the discrete models applied to cyber attacks, Markov models and hidden Markov models are representative. Attack prediction using discrete models can start from malicious events that have already been observed, or from the probability that a particular vulnerability in the network will be exploited. An example of a continuous-model approach is time series prediction, which represents the number or probability of attacks on a system or network over a certain time. Time series prediction can be used to predict whether an attack will occur. More advanced methods can perform calculations based on the type of attack and the characteristics of the attacker and the victim, and thus estimate which type of attack will occur and who the attacker will be.
Recent prediction methods often incorporate non-technical data sources, e.g. social network information or changes in user behavior, to overcome the unpredictability of network attacks.

Disclosure of Invention

The invention solves the following problem: the attack prediction method based on the LSTM model and the attacker's historical information overcomes the defects of the prior art, has high prediction precision, and the data dimensions it requires are easy to obtain.

The attack stage prediction method based on the LSTM and the attacker information is characterized by comprising the following steps of:

step one: first, collect the historical warning data of the asset to be predicted, and collect the historical attack information of the attackers appearing in that historical warning data;

step two: carry out normalization preprocessing on the collected historical data to construct the training sample data and test sample data of the LSTM model to be trained;

step three: obtain a pre-trained LSTM model from the training sample data, then fine-tune the parameters of the trained LSTM model using the constructed verification sample data and test sample data, stop the fine-tuning when the F1 score reaches 0.75, and take the fine-tuned LSTM model as the attack prediction model;

step four: take the preprocessed historical data of the target asset over a period of time as the input data of the LSTM model; the LSTM model learns from the input data and finally outputs the stage of the attack that the asset may suffer in the future.

The technical scheme of the invention is as follows: an attack prediction method based on an LSTM model and historical information of an attacker comprises the following steps:

Step one: historical warning data is first collected for the asset for which a prediction is desired, together with the historical attack information of the attackers appearing in that warning data; one year of warning data of attacks on the target asset is collected. The historical attack information of the attackers in the warning data is collected, and all missing attacker history is filled with 0. Since the stage of the next network attack is to be predicted, y is the step number of the next warning in the multi-stage attack chain. The input feature vector of the LSTM model is an n × 32 matrix; the n rows of the matrix are the related data of the most recent n network attacks suffered by the target asset, and each row consists of 32 dimensions. All dimensions can be divided into 3 parts.

The first part consists of target asset warning data; the second part is the network traffic data during the attack; the third part is the attacker's historical information data. The first part derives its dimensions from the target asset warning data: the attack start time start_time, the attack end time end_time, the step sequence number of the warning in the multi-stage attack chain, the warning method sequence number, and the four parts (octets) of the attacker's IP address. The attack start time and end time in a warning are usually in timestamp format, i.e. an integer of 10 or 13 digits, where 10 digits denotes seconds and 13 digits denotes milliseconds; the 10-digit timestamp is used as the standard.

The second part divides the attacker's historical information data into the following dimensions: based on the historical data of the 5 days preceding the network attack start time, the data of each day is counted into these dimensions:

1. the number of attacks by the attacker in the warning information in the interval start_time - 24×60×60 to start_time (i.e. the accumulated number of attacks from 1 day before the network attack start time to the start time);

2. the number of attacks in the interval start_time - 24×60×60 to start_time - 16×60×60 (i.e. the accumulated number of attacks from 1 day before the start time to 8 hours before it);

3. the number of attacks in the interval start_time - 24×60×60 to start_time - 16×60×60 (i.e. the accumulated number of attacks from 1 day before the start time to 16 hours before it);

4. the number of attacks in the interval start_time - 16×60×60 to start_time - 8×60×60 (i.e. the accumulated number of attacks from 16 hours before the start time to 8 hours before it);

5. the number of attacks in the interval start_time - 8×60×60 to start_time (i.e. the accumulated number of attacks from 8 hours before the start time to the start time).

The third part is the network traffic data at the time of the warned attack, which can mainly be divided into the following dimensions:

1. connection duration (in seconds, continuous, range [0,58329]), defined as the time from TCP connection establishment by the 3-way handshake to the FIN/ACK that ends the connection; for the UDP protocol type, each UDP datagram is taken as one connection;

2. data traffic from source address to destination address (number of bytes from the source host to the destination host, continuous, range [0,1379963888]);

3. data traffic from destination address to source address (number of bytes from the destination host to the source host, continuous, range [0,1379963888]);

4. number of erroneous fragments (continuous, range [0,3]);

5. number of urgent packets (continuous, range [0,14]);

6. number of accesses to system-sensitive files and directories (continuous, range [0,101]), such as accessing a system directory or creating or executing a program;

7. number of failed login attempts (continuous, range [0,5]);

8. number of root-privilege accesses (continuous, range [0,7468]);

9. number of file creation operations (continuous, range [0,100]);

10. number of shell command uses (continuous, range [0,5]);

11. number of accesses to access-control files (continuous, range [0,9]), such as access to /etc/passwd.

Furthermore, time-based network traffic statistics are required:

12. in the past two seconds, the number of connections to the same target host as the current connection (continuous, [0,511]);

13. in the past two seconds, the number of connections to the same service as the current connection (continuous, [0,511]);

14. in the past two seconds, the percentage of connections with a "SYN" error among connections to the same target host as the current connection (continuous, [0.00,1.00]);

15. in the past two seconds, the percentage of connections with a "REJ" error among connections to the same service as the current connection (continuous, [0.00,1.00]);

16. in the past two seconds, the percentage of connections with a "REJ" error among connections to the same target host as the current connection (continuous, [0.00,1.00]);

17. in the past two seconds, the percentage of connections with "REJ" errors among connections to the same service as the current connection (continuous, [0.00,1.00]);

18. in the past two seconds, the percentage of connections to the same service as the current connection among connections to the same target host (continuous, [0.00,1.00]);

19. in the past two seconds, the percentage of connections to a different service from the current connection among connections to the same target host (continuous, [0.00,1.00]);

20. in the past two seconds, the percentage of connections to a different target host from the current connection among connections to the same service (continuous, [0.00,1.00]).

Step two: preprocess the collected historical data to construct the training sample data and test sample data of the LSTM model to be trained: construct the input feature vector of the LSTM model to be trained and divide it into training sample data, verification sample data and test sample data in the proportion 80%, 10% and 10%.

Step three: obtain a pre-trained LSTM model from the training sample data, then fine-tune and train the parameters of the obtained LSTM model using the constructed verification sample data and test sample data, further correcting the parameters of the LSTM model to improve its precision, and take the corrected LSTM model as the attack prediction model. The LSTM model used has 1 input layer, 5 hidden layers and 1 output layer. The 5 hidden layers use LSTM units with three gates: the input gate determines how much of the warning-related information in the unit state at the previous moment is retained to the current moment; the output gate determines how much of the warning-related information in the cell state is output to the current output value; the forget gate determines how much of the warning-related information in the unit state at the previous moment is retained to the current moment. The specific formula of the LSTM unit is as follows:

$h_t = o_t \tanh(c_t)$

where σ is the logistic sigmoid function. i, f, o, c and h denote the input gate, forget gate, output gate, cell activation vector and hidden layer unit respectively. The remaining weight matrices are those between the input feature vector, the hidden layer unit, the cell activation vector and the input gate; those between the input feature vector, the hidden layer unit, the cell activation vector and the forget gate; those between the input feature vector, the hidden layer unit, the cell activation vector and the output gate; and those between the input feature vector, the hidden layer unit and the cell activation vector, where the weight matrix is a diagonal matrix. $b_i$, $b_f$, $b_c$ and $b_o$ are the bias terms of the input gate, forget gate, cell activation vector and output gate respectively; the subscript t denotes the sampling time, and tanh is the activation function.

In addition, since the prediction target is the type of the next attack, the patent selects categorical cross-entropy as the loss function, and since the input warning history information contains time-sequence information, the matrix output by the last LSTM unit is taken as the output layer; the loss function is

where M denotes the number of categories; the indicator variable (0 or 1) is 1 if the class is the same as the class of sample i and 0 otherwise; and the probability that observed sample i belongs to class c.

Drawings

FIG. 1 is a flow chart of the present patent

Detailed Description

As shown in fig. 1, the implementation herein is as follows:

Warning-related data acquisition: collect the network attack warnings fed back by the target asset's intrusion detection system, and obtain one year of warning data of network attacks on the target asset. The input feature vector of the LSTM model is an n × 32 matrix; the n rows of the matrix are the related data of the most recent n network attacks suffered by the target asset, and each row consists of 32 dimensions. Since the stage of the next network attack is to be predicted, y is the step number of the next warning in the multi-stage attack chain. All dimensions of X in the training set can be divided into 3 parts.

The first part consists of target asset warning data; the second part is the network traffic data during the attack; the third part is the attacker's historical information data. The first part derives its dimensions from the target asset warning data: the attack start time start_time, the attack end time end_time, the step sequence number of the warning in the multi-stage attack chain, the warning method sequence number, and the four parts (octets) of the attacker's IP address. The attack start time and end time in a warning are usually in timestamp format, i.e. an integer of 10 or 13 digits, where 10 digits denotes seconds and 13 digits denotes milliseconds; the 10-digit timestamp is used as the standard.

The second part divides the attacker's historical information data into the following dimensions: based on the historical data of the 5 days preceding the network attack start time, the data of each day is counted into these dimensions:

1. the number of attacks by the attacker in the warning information in the interval start_time - 24×60×60 to start_time (i.e. the accumulated number of attacks from 1 day before the network attack start time to the start time);

2. the number of attacks in the interval start_time - 24×60×60 to start_time - 16×60×60 (i.e. the accumulated number of attacks from 1 day before the start time to 8 hours before it);

3. the number of attacks in the interval start_time - 24×60×60 to start_time - 16×60×60 (i.e. the accumulated number of attacks from 1 day before the start time to 16 hours before it);

4. the number of attacks in the interval start_time - 16×60×60 to start_time - 8×60×60 (i.e. the accumulated number of attacks from 16 hours before the start time to 8 hours before it);

5. the number of attacks in the interval start_time - 8×60×60 to start_time (i.e. the accumulated number of attacks from 8 hours before the start time to the start time).
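The five per-day window counts described above, computed from constructed alert records; this is an added example, not code from the patent. It assumes half-open intervals, a per-day reference time of start_time minus d days for d = 0..4, and takes the second window's bounds from its prose description (1 day to 8 hours before) because its printed formula coincides with the third window; it also standardizes 13-digit millisecond timestamps to 10-digit seconds as claim 5 requires, and yields all zeros for an attacker with no history, matching the "fill with 0" rule.

```python
"""Attacker-history dimensions (second feature part) from alert records."""
from collections import defaultdict

HOUR = 60 * 60
DAY = 24 * HOUR

# (from, to) offsets in seconds before the reference time. Assumption: window 2
# follows its prose description (1 day to 8 h before), since its printed formula
# duplicates window 3. Intervals are treated as half-open [ref - from, ref - to).
WINDOWS = [
    (24 * HOUR, 0),          # 1 day before -> reference time
    (24 * HOUR, 8 * HOUR),   # 1 day before -> 8 h before (assumed, see above)
    (24 * HOUR, 16 * HOUR),  # 1 day before -> 16 h before
    (16 * HOUR, 8 * HOUR),   # 16 h before  -> 8 h before
    (8 * HOUR, 0),           # 8 h before   -> reference time
]
DAYS = 5  # history of the 5 days preceding the attack start time


def to_seconds(ts):
    """Standardise on the 10-digit (seconds) timestamp: 13-digit values are ms."""
    return ts // 1000 if ts >= 10 ** 12 else ts


def count_in_window(times, ref, frm, to):
    """Number of attack start times t with ref - frm <= t < ref - to."""
    lo, hi = ref - frm, ref - to
    return sum(1 for t in times if lo <= t < hi)


def attacker_history_features(attacker_times, start_time):
    """25 dimensions: for each of the 5 preceding days, the 5 window counts.

    Assumption: day d (0..4) uses the reference time start_time - d*DAY. An
    attacker with no history yields all zeros (the patent's 'supplement 0').
    """
    feats = []
    for d in range(DAYS):
        ref = start_time - d * DAY
        for frm, to in WINDOWS:
            feats.append(count_in_window(attacker_times, ref, frm, to))
    return feats


def index_alerts(alerts):
    """Group alert start times (normalised to seconds) by attacker IP."""
    by_ip = defaultdict(list)
    for ip, ts in alerts:
        by_ip[ip].append(to_seconds(ts))
    return by_ip


# Constructed alert records: (attacker_ip, start_time). One carries a 13-digit
# millisecond timestamp to exercise to_seconds(); the last one is the alert
# being featurised, which the half-open window excludes from its own history.
START = 1625000000
ALERTS = [
    ("10.0.0.5", START - 2 * HOUR),
    ("10.0.0.5", START - 12 * HOUR),
    ("10.0.0.5", START - 20 * HOUR),
    ("10.0.0.5", (START - DAY - 3 * HOUR) * 1000),
    ("10.0.0.9", START - 1 * HOUR),
    ("10.0.0.5", START),
]


def features_for(alerts, attacker_ip, start_time):
    """Attacker-history dimensions for one alert of attacker_ip at start_time."""
    return attacker_history_features(index_alerts(alerts)[attacker_ip], start_time)


if __name__ == "__main__":
    print(features_for(ALERTS, "10.0.0.5", START))
```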

The third part is the network traffic data at the time of the warned attack, which can mainly be divided into the following dimensions:

1. connection duration (in seconds, continuous, range [0,58329]), defined as the time from TCP connection establishment by the 3-way handshake to the FIN/ACK that ends the connection; for the UDP protocol type, each UDP datagram is taken as one connection;

2. data traffic from source address to destination address (number of bytes from the source host to the destination host, continuous, range [0,1379963888]);

3. data traffic from destination address to source address (number of bytes from the destination host to the source host, continuous, range [0,1379963888]);

4. number of erroneous fragments (continuous, range [0,3]);

5. number of urgent packets (continuous, range [0,14]);

6. number of accesses to system-sensitive files and directories (continuous, range [0,101]), such as accessing a system directory or creating or executing a program;

7. number of failed login attempts (continuous, range [0,5]);

8. number of root-privilege accesses (continuous, range [0,7468]);

9. number of file creation operations (continuous, range [0,100]);

10. number of shell command uses (continuous, range [0,5]);

11. number of accesses to access-control files (continuous, range [0,9]), such as access to /etc/passwd.

Furthermore, time-based network traffic statistics are required:

12. in the past two seconds, the number of connections to the same target host as the current connection (continuous, [0,511]);

13. in the past two seconds, the number of connections to the same service as the current connection (continuous, [0,511]);

14. in the past two seconds, the percentage of connections with a "SYN" error among connections to the same target host as the current connection (continuous, [0.00,1.00]);

15. in the past two seconds, the percentage of connections with a "REJ" error among connections to the same service as the current connection (continuous, [0.00,1.00]);

16. in the past two seconds, the percentage of connections with a "REJ" error among connections to the same target host as the current connection (continuous, [0.00,1.00]);

17. in the past two seconds, the percentage of connections with "REJ" errors among connections to the same service as the current connection (continuous, [0.00,1.00]);

18. in the past two seconds, the percentage of connections to the same service as the current connection among connections to the same target host (continuous, [0.00,1.00]);

19. in the past two seconds, the percentage of connections to a different service from the current connection among connections to the same target host (continuous, [0.00,1.00]);

20. in the past two seconds, the percentage of connections to a different target host from the current connection among connections to the same service (continuous, [0.00,1.00]).

Data preprocessing: before training the neural network, the collected network attack warning vectors must be normalized, i.e. the data are mapped to the [0,1] or [-1,1] interval, so that input data with different value ranges play an equal role.
The normalization processing formula adopted in the invention is as follows:

where $x$ is the original datum to be normalized, $x_{min}$ and $x_{max}$ are respectively the minimum and maximum values in the raw data, and $x_{norm}$ is the normalized datum.

After normalization, the data are divided into training sample data, verification sample data and test sample data in the proportion 80%, 10% and 10%.
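The 80/10/10 split together with the min-max normalization into [0,1] that the symbols x, x_min, x_max and x_norm above describe, as an added example that is not the patent's code. It assumes min-max scaling, a chronological rather than shuffled split so that later alerts never precede earlier ones in training, and fits x_min and x_max on the training split only so that validation and test statistics do not leak into training; build_samples, split_80_10_10 and the three-dimension sample rows are constructed for the example.

```python
"""Sliding-window samples, chronological 80/10/10 split, min-max normalisation."""


def build_samples(rows, n):
    """rows: time-ordered (feature_vector, step_number) per alert.

    Each sample is the n most recent alert rows (an n x d matrix); its label y
    is the step number of the next alert in the multi-stage attack chain.
    """
    X, y = [], []
    for i in range(len(rows) - n):
        X.append([list(f) for f, _ in rows[i:i + n]])
        y.append(rows[i + n][1])
    return X, y


def split_80_10_10(X, y):
    """Chronological split: the most recent samples form validation and test."""
    n = len(X)
    n_train, n_val = int(n * 0.8), int(n * 0.1)
    return {
        "train": (X[:n_train], y[:n_train]),
        "val": (X[n_train:n_train + n_val], y[n_train:n_train + n_val]),
        "test": (X[n_train + n_val:], y[n_train + n_val:]),
    }


def fit_minmax(X):
    """Per-dimension x_min / x_max over every row of every training sample."""
    d = len(X[0][0])
    mins, maxs = [float("inf")] * d, [float("-inf")] * d
    for sample in X:
        for row in sample:
            for j, v in enumerate(row):
                mins[j] = min(mins[j], v)
                maxs[j] = max(maxs[j], v)
    return mins, maxs


def apply_minmax(X, mins, maxs):
    """x_norm = (x - x_min) / (x_max - x_min); a constant dimension maps to 0.

    Values seen only in validation/test may fall outside [0, 1]; they are left
    unclipped so that drift relative to the training range stays visible.
    """
    out = []
    for sample in X:
        out.append([[(v - mins[j]) / (maxs[j] - mins[j]) if maxs[j] > mins[j] else 0.0
                     for j, v in enumerate(row)] for row in sample])
    return out


def prepare(rows, n):
    """Window, split, then scale every split with statistics from train only."""
    X, y = build_samples(rows, n)
    parts = split_80_10_10(X, y)
    mins, maxs = fit_minmax(parts["train"][0])
    scaled = {k: (apply_minmax(Xk, mins, maxs), yk) for k, (Xk, yk) in parts.items()}
    return scaled, (mins, maxs)


# Constructed alert rows carrying 3 of the 32 dimensions (duration, source
# bytes, failed logins) and each alert's step number in the attack chain.
ROWS = [([10 * i, 100 * (i + 1), i % 3], (i % 4) + 1) for i in range(12)]

if __name__ == "__main__":
    parts, (mins, maxs) = prepare(ROWS, 2)
    print({k: len(v[0]) for k, v in parts.items()}, mins, maxs)
```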

The network model structure: obtain a pre-trained LSTM model from the training sample data, then fine-tune and train the parameters of the obtained LSTM model using the constructed verification sample data and test sample data, further correcting the parameters of the LSTM model to improve its precision, and take the corrected LSTM model as the attack prediction model. The LSTM model used has 1 input layer, 5 hidden layers and 1 output layer. The 5 hidden layers each use 30 LSTM cells with three gates: the input gate determines how much of the warning-related information in the unit state at the previous moment is retained to the current moment; the output gate determines how much of the warning-related information in the cell state is output to the current output value; the forget gate determines how much of the warning-related information in the unit state at the previous moment is retained to the current moment. The specific formula of the LSTM unit is as follows:

$h_t = o_t \tanh(c_t)$

where σ is the logistic sigmoid function, and i, f, o, c and h represent the input gate, the forget gate, the output gate, the unit activation vector and the hidden layer unit, respectively. The weight matrices of the input gate are those between the input feature vector, the hidden layer unit and the unit activation vector, respectively, and the input gate; the weight matrices of the forget gate are those between the input feature vector, the hidden layer unit and the unit activation vector, respectively, and the forget gate; the weight matrices of the output gate are those between the input feature vector, the hidden layer unit and the unit activation vector, respectively, and the output gate; the weight matrices of the unit activation vector are those between the input feature vector and the hidden layer unit, respectively, and the unit activation vector, and each weight matrix from the unit activation vector to a gate is a diagonal matrix. b_i, b_f, b_c and b_o are the bias values of the input gate, the forget gate, the unit activation vector and the output gate, respectively; the subscript t denotes the sampling time, and tanh is used as the activation function.
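One step of such an LSTM unit, as an added example (not the patent's code): it assumes the standard peephole formulation whose gate equations are listed in the comment, since the page only preserves the last equation, and stores the diagonal cell-to-gate matrices as vectors.

```python
# Added example (not the patent's code): one step of an LSTM unit with the
# three gates described above, in the standard peephole form that the diagonal
# cell-to-gate weights imply. Assumed equations (s = logistic sigmoid):
#   i_t = s(W_xi x_t + W_hi h_{t-1} + W_ci c_{t-1} + b_i)      (input gate)
#   f_t = s(W_xf x_t + W_hf h_{t-1} + W_cf c_{t-1} + b_f)      (forget gate)
#   c_t = f_t*c_{t-1} + i_t*tanh(W_xc x_t + W_hc h_{t-1} + b_c)
#   o_t = s(W_xo x_t + W_ho h_{t-1} + W_co c_t + b_o)          (output gate)
#   h_t = o_t*tanh(c_t)
import math
from typing import Callable, Dict, List

Vec = List[float]
Mat = List[Vec]
Params = Dict[str, object]

def sigmoid(z: float) -> float:
    return 1.0 / (1.0 + math.exp(-z))

def matvec(w: Mat, v: Vec) -> Vec:
    return [sum(wij * vj for wij, vj in zip(row, v)) for row in w]

def gate(wx: Mat, x: Vec, wh: Mat, h: Vec, wc: Vec, c: Vec, b: Vec, act: Callable) -> Vec:
    """Elementwise act(W_x x + W_h h + diag(W_c) c + b); wc is the diagonal."""
    ax, ah = matvec(wx, x), matvec(wh, h)
    return [act(ax[k] + ah[k] + wc[k] * c[k] + b[k]) for k in range(len(b))]

def lstm_step(p: Params, x_t: Vec, h_prev: Vec, c_prev: Vec):
    """Return (h_t, c_t) after consuming one warning vector x_t."""
    n = len(c_prev)
    i_t = gate(p["W_xi"], x_t, p["W_hi"], h_prev, p["W_ci"], c_prev, p["b_i"], sigmoid)
    f_t = gate(p["W_xf"], x_t, p["W_hf"], h_prev, p["W_cf"], c_prev, p["b_f"], sigmoid)
    g_t = gate(p["W_xc"], x_t, p["W_hc"], h_prev, [0.0] * n, c_prev, p["b_c"], math.tanh)
    c_t = [f * c + i * g for f, c, i, g in zip(f_t, c_prev, i_t, g_t)]
    o_t = gate(p["W_xo"], x_t, p["W_ho"], h_prev, p["W_co"], c_t, p["b_o"], sigmoid)
    h_t = [o * math.tanh(c) for o, c in zip(o_t, c_t)]
    return h_t, c_t

def zero_params(n_in: int, n_hid: int) -> Params:
    """All-zero parameters (a stand-in for the random [-0.05,0.05] init used in
    training): every gate then opens exactly half way, since sigmoid(0) = 0.5."""
    p: Params = {}
    for g in "ifco":
        p[f"W_x{g}"] = [[0.0] * n_in for _ in range(n_hid)]
        p[f"W_h{g}"] = [[0.0] * n_hid for _ in range(n_hid)]
        p[f"b_{g}"] = [0.0] * n_hid
    for g in "ifo":
        p[f"W_c{g}"] = [0.0] * n_hid  # diagonal peephole weights
    return p
```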

In addition, since the prediction target is the type of the next attack, this patent selects the classification cross entropy as the loss function; and since the input warning history information contains time sequence information, only the matrix output by the last M LSTM units is taken in the output layer. The loss function is:

where i indexes a sample, N is the total number of samples and the third symbol is the number of categories; the indicator term is 1 if the category is the same as that of the sample and 0 otherwise; the probability term is the probability that the observed sample belongs to the category, computed from the output of the LSTM through a Softmax function.
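The loss described above, as an added example (not the patent's code): Softmax over the LSTM output, the categorical cross entropy averaged over N samples, and the argmax that reads off the predicted next attack step; the sample logits and stage indices are constructed.

```python
# Added example (not the patent's code): the classification cross-entropy
# loss described above, with the class probabilities obtained from the LSTM
# output (logits) through Softmax, plus the argmax used to read off the
# predicted next attack step.
import math
from typing import List


def softmax(logits: List[float]) -> List[float]:
    """Softmax with the max logit subtracted first so exp() cannot overflow."""
    m = max(logits)
    exps = [math.exp(z - m) for z in logits]
    s = sum(exps)
    return [e / s for e in exps]


def categorical_cross_entropy(logits: List[List[float]], labels: List[int],
                              eps: float = 1e-12) -> float:
    """Mean over the N samples of -sum_c y_ic * log(p_ic), where y_ic is 1 only
    for the true stage c = labels[i]; eps keeps log() finite if p_ic underflows."""
    if len(logits) != len(labels):
        raise ValueError("one label per sample is required")
    total = 0.0
    for z_i, y_i in zip(logits, labels):
        total -= math.log(max(softmax(z_i)[y_i], eps))
    return total / len(labels)


def predict_stage(logits: List[float]) -> int:
    """Index of the most probable attack stage (argmax of the Softmax)."""
    p = softmax(logits)
    return max(range(len(p)), key=p.__getitem__)


# Constructed LSTM outputs for 3 samples over 4 attack stages (0..3), with the
# true stage of the next attack for each; not real model output.
SAMPLE_LOGITS = [[0.0, 0.0, 0.0, 0.0], [10.0, 0.0, 0.0, 0.0], [1.0, 1.0, 5.0, 0.0]]
SAMPLE_LABELS = [0, 0, 2]
```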

Network training: during training in this patent, the hidden state is initialized to 0, the final hidden state of the current batch is used as the initial hidden state of the subsequent batch, and the batch size is 64. In the invention, the hidden layer parameters are initialized randomly in the range [-0.05, 0.05]. Dropout is 0.2, which reduces the risk of overfitting. Adam is used as the optimizer to update the parameters. In the invention, the LSTM model is trained for 1000 epochs with a learning rate of 0.001, and every 250 epochs the learning rate is multiplied by a coefficient of 1.1. In the calculation process, the classification cross entropy function is adopted as the loss function to calculate the error, and the weights are updated according to the back propagation algorithm. During training, the training set is used as the training input, the model is evaluated on the verification set once every 100 epochs, and training of the network is stopped early when the loss value on the verification set no longer decreases.
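The training schedule above (learning rate step every 250 epochs, validation every 100 epochs, early stop when the verification loss stops decreasing), as an added example that is not the patent's code: the model's train and validate steps are passed in as callables, and the FakeModel that drives the demo is a constructed stand-in with a made-up loss curve.

```python
# Added example (not the patent's code): the training schedule described
# above, with the model's own train/validate steps passed in as callables so
# the control flow runs without a deep-learning framework. Defaults mirror the
# text: 1000 epochs, lr 0.001 multiplied by 1.1 every 250 epochs, validation
# every 100 epochs, early stop as soon as the verification loss stops falling.
from typing import Callable, Dict, List

def train_with_early_stopping(train_epoch: Callable[[float], None],
                              val_loss: Callable[[], float],
                              max_epochs: int = 1000, lr: float = 0.001,
                              lr_every: int = 250, lr_factor: float = 1.1,
                              val_every: int = 100) -> Dict[str, object]:
    """Return the epoch training stopped at, the final lr and the loss history."""
    best = float("inf")
    history: List[float] = []
    stopped_at = max_epochs
    for epoch in range(1, max_epochs + 1):
        if epoch > 1 and (epoch - 1) % lr_every == 0:
            lr *= lr_factor          # applied after each full 250 epochs
        train_epoch(lr)              # one pass over the training set
        if epoch % val_every == 0:
            loss = val_loss()
            history.append(loss)
            if loss >= best:         # verification loss no longer decreases
                stopped_at = epoch
                break
            best = loss
    return {"stopped_at": stopped_at, "lr": lr, "val_history": history}

class FakeModel:
    """Constructed stand-in, not a real LSTM: its verification loss falls by
    0.002 per epoch until it reaches a floor of 0.3, then plateaus."""
    def __init__(self) -> None:
        self.epoch = 0
        self.lrs: List[float] = []   # learning rate seen at each epoch

    def train_epoch(self, lr: float) -> None:
        self.epoch += 1
        self.lrs.append(lr)

    def val_loss(self) -> float:
        return max(1.0 - 0.002 * self.epoch, 0.3)

def run_demo() -> Dict[str, object]:
    """Train the fake model; the plateau is detected at the epoch-500 check."""
    m = FakeModel()
    result = train_with_early_stopping(m.train_epoch, m.val_loss)
    result["lr_at_epoch_251"] = m.lrs[250]
    return result
```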

Finally, the test set is constructed into a matrix in groups of 30 samples, so that the next possible attack step can be predicted.
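Building that matrix, as an added example (not the patent's code): each sample is a group of 30 consecutive normalized warning vectors, paired with the attack stage of the warning that follows it, which is the step the model predicts; the warning history used here is constructed.

```python
# Added example (not the patent's code): arranging the time-ordered warning
# vectors into the input matrix of the text, one group of 30 consecutive
# vectors per sample, paired with the attack stage of the warning that follows
# the group, which is what the model is asked to predict.
from typing import List, Tuple

GROUP = 30  # group size used in the text


def make_groups(vectors: List[List[float]], stages: List[int],
                group: int = GROUP) -> Tuple[List[List[List[float]]], List[int]]:
    """Return (X, y): X[k] holds vectors[k:k+group], y[k] is stages[k+group].
    Only complete groups that are followed by another warning are kept, so a
    history shorter than group+1 warnings yields no samples."""
    if len(vectors) != len(stages):
        raise ValueError("one attack-stage label per warning vector is required")
    X, y = [], []
    for k in range(len(vectors) - group):
        X.append(vectors[k:k + group])
        y.append(stages[k + group])
    return X, y


# Constructed history of 35 normalised warnings (2 features each, already in
# [0,1]) whose stage labels cycle through 4 attack steps; not real data.
SAMPLE_VECTORS = [[k / 34.0, (k % 5) / 4.0] for k in range(35)]
SAMPLE_STAGES = [k % 4 for k in range(35)]
```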

The method utilizes and integrates the time series relation of the warning history information with the likelihood of an attack occurring at each of the different stages; in addition, the historical information of an attacker is introduced, so that the likelihood that the attacker continues the attack can be computed from that history, which improves the accuracy of network attack prediction and gives the method a certain practical value.
