Network security situation assessment with network attack behavior classification

To solve the problems that existing network security situation assessment (NSSA) methods are difficult to extract features and have poor timeliness, an NSSA method with network attack behavior classification (NABC) is proposed. First, an NABC model is designed. The model combines features and advantages of a parallel feature extraction network (PFEN), a bidirectional gate recurrent unit (BiGRU), and the attention mechanism (ATT). The PFEN module is composed of parallel sparse autoencoders which extract key data from different network attack behaviors. The BiGRU module gets the time-series relationship from the state of three different time periods, finds potential representation rules from network attack behaviors. The ATT module pays more attention to the network traffic key information and improves the NABC accuracy. Second, the NABC detects and classifies attacks from network behaviors, the occurrence number of each attack behavior, and the error probability matrix are counted. Finally, the occurrence number of each attack behavior is corrected according to the error probability matrix, and the network security situation value is calculated through combining the severity factor of each attack behavior. The experimental results show that the precision and recall of the NABC model are improved by 5.28% and 5.65%, respectively, compared with the conventional method. The comparison experiment with the classical situation assessment method also proves that the proposed method can assess the overall situation of network security more effectively and comprehensively.