Research on Intelligent Network Security Event Detection and Emergency Disposal Technology

Within the scope of exploring intelligent techniques for network security event detection, this paper introduces a detection algorithm grounded in deep learning. This algorithm synergistically merges the attributes of Convolutional Neural Networks (CNN) with those of Long Short-Term Memory networks (LSTM), with the objective of autonomously discerning patterns within network traffic data to flag aberrant activities. Labeled as "CNN-LSTM-HMNID" (CNN-LSTM Hybrid Model for Network Intrusion Detection), the model initially employs CNN layers to mechanically extract local characteristics from network traffic, followed by LSTM layers that apprehend the time-related connections among these traits, culminating in precise identification of network security incidents (Figure 1).

Figure 1.

CNN-LSTM_HMNID model structure

Pre-process the network traffic data before inputting the data into the model. This includes data cleaning, normalization and coding to ensure the quality and consistency of data.

The CNN layer is chiefly employed for the autonomous extraction of local characteristics from network traffic data (refer to Figure 2). In this document, a series of convolution layers have been meticulously crafted, with each layer utilizing a diverse set of convolution kernels to discern features across varying dimensions. The convolution process endows the model with the capacity to assimilate spatial structural insights from the data, which in turn lays the groundwork for the ensuing temporal sequence analysis [16].

Figure 2.

CNN structure

When designing CNN, the size of convolution layer is an important parameter, which directly affects the learning ability of the network and the effect of feature extraction. Assume that the network traffic data is a series of time series data, and the length of each time series data is 1000, that is, each sample is a 1000-dimensional vector. These vectors are treated as 1D images (that is, one-dimensional arrays with a length of 1000) [17–18].

In the initial convolutional tier, the convolution kernel's dimensions are fixed at 5, signifying the extent of sequential data points engulfed by the kernel. The count of convolution kernels is set to 32, enabling this stratum to assimilate 32 distinct feature maps. The designated step length is preserved at 1, indicative of the kernel's progression increments. The padding value stands at 0, ensuring no artificial zeros are appended to the input data's periphery. The ReLU function is employed for activation. This layer is architected with the intention of seizing localized and brief temporal characteristics within network traffic datasets.

In the subsequent convolutional layer, the size of the convolution kernel is expanded to 10, allowing for a broader temporal scope to be encompassed. The count of convolution kernels rises to 64, facilitating the mapping of an increased number of features to glean more intricate characteristics. The stride is adjusted to 2, which serves to diminish the feature map's dimensions. This second layer, with its expansive convolution kernel and augmented feature map capacity, is strategically designed to ensnare attributes over an extended timeframe and to curtail the data dimensions through the utilization of an augmented stride.

A pooling layer is added after the convolution layer to further reduce the dimension of data and prevent over-fitting. According to the needs of this study, we will continue to add more convolution layers, pooling layers, and even fully connected layers and dropout layers to build a deeper network structure.

If X is the input network traffic data matrix, W is the weight matrix of the convolutional kernel, and b is the bias term, then the output C of the convolutional layer can be expressed as: 1C=f(W∗X+b)

Where * represents convolution operation and f is activation function, such as ReLU.

The LSTM layer is implemented to discern the temporal interrelations among the features previously abstracted by the CNN layer (refer to Figure 3). The LSTM, a specialized form of recurrent neural network (RNN), is adept at addressing the issue of prolonged dependencies within sequential data [19].

Figure 3.

LSTM structure

Let h_t be the hidden state of the LSTM unit at time t and c_t be the cell state, then the updating process of the LSTM unit can be expressed as: 2it=σ(Wxixt+Whiht−1+bi) 3ft=σ(Wxfxt+Whfht−1+bf) 4ot=σ(Wxoxt+Whoht−1+bo) 5gt=tanh(Wxcxt+Whcht−1+bc) 6ct=ft⊗ct−1+it⊗gt 7ht=ot⊗tanh(ct)

Where σ is sigmoid function, ⊗ represents element-by-element multiplication, W,b is weight matrix and bias term respectively, and x_t is the input of t at time.

Add a fully connected layer as the output layer after the LSTM layer. This layer maps the output of the LSTM layer to the final classification result. If y is the output vector of the output layer, W_o is the weight matrix of the output layer, and b_o is the bias term, then the output layer can be represented as: 8y=softmax(WohT+bo)

Where h_T is the hidden state of the LSTM layer at the last moment, and the ^softmax function is used to convert the output into probability distribution.

The innovation of this study is mainly reflected in the combination of the advantages of CNN and LSTM deep learning models, which can not only automatically extract the local features of data, but also capture the temporal dependence between these features. According to the characteristics of network security event detection task, a specific network structure and parameter configuration are designed to improve the accuracy and efficiency of detection.

As network technology advances at a rapid pace, occurrences of network security incidents are escalating on a daily basis. Addressing these security incidents swiftly and efficiently has emerged as a critical concern within the realm of information security. Emerging as a focal point of research in recent years, intelligent emergency response technology endeavors to enhance the efficacy and precision of emergency responses through intelligent methodologies. This segment delves into the underlying principles and implementation strategies of intelligent emergency management technology.

At the heart of intelligent emergency response technology lies the utilization of sophisticated machine learning and artificial intelligence techniques to autonomously detect and respond to anomalous behaviors within network systems. The specific execution methodology is illustrated in Figure 4 depicted below:

Figure 4.

Realization method of intelligent emergency disposal technology

Figure 5.

Loss curve

First of all, the system needs to collect all kinds of data in the network environment, including network traffic, system logs, user behavior and so on. Then, using data analysis technology to process the collected data and extract useful feature information. Based on the extracted feature information, an anomaly detection model is constructed by using machine learning algorithm. The model can automatically identify abnormal behaviors that are inconsistent with normal behavior patterns, thus triggering emergency response processes. Once abnormal behavior is detected, the intelligent emergency response system will automatically deal with it according to the preset response strategy. These response strategies may include isolating attack sources, blocking malicious IP addresses, and notifying administrators. Intelligent emergency response system also has the ability of continuous learning and optimization [20]. By continuously analyzing new security incidents and disposal results, the system can automatically adjust and optimize the detection model and response strategy to improve the future disposal efficiency.

Intelligent emergency response technology is not to completely replace the traditional emergency response technology, but to combine with it to jointly improve the network security protection capability. Intelligent emergency handling technology can automatically handle most routine safety incidents, but for complex or special situations, manual intervention is needed to make decisions. This man-machine cooperation not only improves the efficiency, but also ensures the accuracy of disposal.

Traditional emergency disposal technology is usually based on rules and experience, while intelligent emergency disposal technology relies on data-driven and model prediction. The combination of the two can form complementary strategies and improve the ability to deal with various types of security incidents. By continuously collecting and analyzing new security incident data, intelligent emergency response technology can continuously learn and optimize its own detection model and response strategy. The traditional emergency disposal technology can be adjusted and improved according to these optimization results, so as to continuously improve the overall safety protection level.

In order to verify the validity of CNN-LSTM_HMNID model, this paper uses open data sets for experiments. The main data sources include network traffic data and security log data. Network traffic data records the detailed information of network communication, such as source IP, destination IP, port number, packet size, etc. These data are very important for detecting abnormal network behavior. Security log data records system security-related events, such as login attempts, file access, etc., which provides rich contextual information for the model.

Experiments are carried out on a server equipped with a high-performance GPU to ensure the efficiency of model training and testing. Use deep learning frameworks such as TensorFlow and Keras to build and train CNN-LSTM_HMNID model. In addition, in order to evaluate the performance of the model, accuracy, recall, F1 score and other indicators are used.

Within the CNN-LSTM_HMNID model, a series of convolutional layers are configured to automatically extract localized features from network traffic data. Each convolutional layer employs a distinct convolutional kernel size to capture features across varying scales. The LSTM layer is subsequently employed to capture the temporal dependencies among these features. The specific parameters are established as follows:

The architecture of the CNN layer comprises three distinct convolutional tiers, with kernel dimensions of 3*3, 5*5, and 7*7, and corresponding numbers of kernels amounting to 64, 128, and 256. The ReLU activation function is consistently applied across these layers, and a max pooling stage is added subsequent to the convolutional operations to curtail the feature map's complexity.

For capturing temporal dependencies within the data, the LSTM layer is constructed with 128 units. To counteract the issue of model overfitting, a dropout layer, calibrated with a rate of 0.2, is positioned post-LSTM layer.

Ultimately, the output layer employs a fully connected design, utilizing the sigmoid activation function to translate the model's output onto a binary classification spectrum, distinguishing between normal and abnormal conditions.

is the loss curve of CNN-LSTM_HMNID model after 100 iterations of training. This curve reflects the performance changes of the model in the training process, especially in learning to identify abnormal behaviors in network traffic data.

As can be seen from the figure, in the initial stage of training (about the first 35 iterations), the loss value is relatively high and fluctuates greatly. This is usually because CNN-LSTM_HMNID model is adapting to the data in the early stage of learning and adjusting its internal parameters to better fit the training data. At this juncture, the model may not have identified the optimal weight and bias values, leading to a significant discrepancy between the predicted outcomes and the actual values, thereby resulting in a higher loss value. Nevertheless, as the number of iterations increased, the loss value commenced a gradual descent and stabilized approximately after the 35th iteration. This indicates that the CNN-LSTM_HMNID model has progressively adapted to the data and commenced learning the pivotal features within the data. At this phase, the model is capable of more effectively distinguishing between normal and anomalous behaviors within network traffic data, thereby enhancing the precision of its predictions.

It is noteworthy that even after the loss value exhibits a tendency towards stability, there persist some fluctuations. These could potentially be attributed to the presence of noise within the data, the intricacies of the model's architecture, or the selection of the learning rate. Nonetheless, these fluctuations did not substantially impact the model's performance, as the loss value consistently maintained a low level.

As shown in Table 1, CNN-LSTM_HMNID model shows high recognition accuracy on different data sets, but it is also accompanied by a certain false alarm rate.

First of all, from the perspective of recognition accuracy, CNN-LSTM_HMNID model generally has a high recognition accuracy on normal traffic and various abnormal traffic (such as Distributed Denial of Service (DDoS) attacks, port scanning, phishing and malware downloads), most of which exceed 95%. This shows that CNN-LSTM_HMNID model has strong ability in distinguishing normal and abnormal network traffic, and can effectively detect abnormal behavior in the network.

However, from the perspective of false alarm rate, although the false alarm rate of CNN-LSTM_HMNID model is relatively low, there are still some misjudgments. The false positive rate refers to the proportion of all the samples identified as abnormal by the model that are actually normal samples. The data table shows that the false positive rate fluctuates on different types of data sets, but it remains at a low level (up to 4.5%). This means that in practical application, CNN-LSTM_HMNID model may misjudge some normal network traffic as abnormal, but this situation is relatively rare.

On the whole, CNN-LSTM_HMNID model has achieved a good balance between recognition accuracy and false alarm rate. The high recognition accuracy ensures that the model can effectively detect abnormal behaviors in the network, while the relatively low false alarm rate reduces unnecessary interference caused by misjudgment. This makes CNN-LSTM_HMNID model have high practicability and reliability in practical application. Of course, in order to further improve the performance of the model, future research can consider methods such as optimizing the model structure, adjusting parameter settings and introducing more feature information.

Fig. 6 intuitively shows the recognition accuracy of CNN-LSTM_HMNID model in the binary classification task of normal and abnormal traffic. As can be seen from the figure, CNN-LSTM_HMNID model has relatively high recognition accuracy for Abnormal traffic (marked as "abnormal"), and the number of TP (True Positives, TP is obviously more than FN (False Negatives), which means that the model can detect abnormal traffic more accurately. At the same time, the model also performs well in identifying Normal traffic (marked as "normal"), with more TN (True Negatives) and less FP (False Positives), indicating that the model also has high accuracy in identifying normal traffic.

Figure 6.

Confusion Matrix

Generally speaking, CNN-LSTM_HMNID model shows high recognition accuracy in the task of binary classification of normal and abnormal traffic. Table 2 shows the performance evaluation indicators of CNN-LSTM_HMNID model in two-category tasks (normal and abnormal traffic).

The box diagram shown in Figure 7 reflects the distribution of response time of intelligent emergency response technology after detecting abnormal behavior. The median line in the box chart is located at about 1.4s, which indicates that in many experiments, about half of the response time is less than 1.4s, indicating that the data distribution is relatively symmetrical and there is no serious skew.

Figure 7.

Response time

From the shape and distribution of the box diagram, it can be seen that the response time of the intelligent emergency disposal technology is relatively fast as a whole, and it has good stability and consistency. This shows that the technology can respond quickly after detecting abnormal behavior, so as to take necessary measures in time.

According to Figure 8, it can be seen that the recovery time of the system after each attack fluctuates, but it remains in a relatively stable range as a whole. Specifically, the recovery time is between 3 and 6 minutes, which shows that the recovery mechanism of the system is effective and can resume normal operation in a short time.

Figure 8.

System recovery time after attack

Generally speaking, the system has a consistent recovery performance after the attack, and the recovery time is maintained in an acceptable range, which is very significant for evaluating the robustness and emergency response capability of the system.

It can be seen from Figure 9 that the accuracy of CNN-LSTM_HMNID model fluctuated within six months, but the overall trend was relatively stable, with no significant decline or increase. This shows that the model has maintained a relatively stable performance during this period.

Figure 9.

Change of model performance with time

Although the overall trend is stable, the accuracy of CNN-LSTM_HMNID model fluctuates from month to month. This fluctuation may be caused by many factors, such as the difference of data sets, the adjustment of model parameters and the interference of external environment. However, the fluctuation range is not large, which shows that the model has certain robustness and adaptability. It can be seen from the area diagram that with the passage of time, the cumulative value of model performance is gradually increasing. This implies that the model is constantly learning and optimizing. Although the accuracy fluctuates every month, the overall model performance is gradually improving.

Although the performance of the model is improving, it can be seen from the figure that the accuracy of CNN-LSTM_HMNID model has not reached a very high level. This means that the model has room for further improvement. The performance of CNN-LSTM_HMNID model is relatively stable within six months, and it shows a certain upward trend. However, the model still has room for further improvement, and the performance can be improved by adjusting the model structure and optimizing parameters. In the future research and application, we should pay attention to the stability and performance improvement of the model to better meet the actual needs.

Table 3 compares the performance of three models (CNN-LSTM_HMNID, SVM model and Random Forest model) in identifying DDoS attacks, port scanning and phishing attacks. Performance evaluation indicators include precision, accuracy, recall and F1 score.

CNN-LSTM_HMNID model has the best performance in identifying DDoS attacks, and its precision, accuracy and recall all exceed 0.94, which shows that this model has high accuracy and reliability in identifying such attacks. Although the performance of SVM model and Random Forest model is somewhat inferior, they have reached a fairly high recognition level, and all their indexes are above 0.90.

In identifying port scanning, CNN-LSTM_HMNID model also shows superior performance, and its accuracy and F1 score are close to 0.95, indicating that the model is accurate and comprehensive in detecting such attacks. The performance of SVM model and Random Forest model in identifying port scanning is also quite good, but slightly lower than CNN-LSTM_HMNID model.

For the identification of phishing attacks, CNN-LSTM_HMNID model continues to maintain its leading position, and all indicators are stable between 0.91 and 0.93. SVM model and Random Forest model are similar in identifying phishing attacks, but their performance is slightly lower than CNN-LSTM_HMNID model.

CNN-LSTM_HMNID model performs well in identifying different types of network attacks such as DDoS attacks, port scanning and phishing, and its performance is better than SVM model and Random Forest model. This is attributed to CNN-LSTM_HMNID model, which combines the advantages of CNN and LSTM, and can process sequence data and extract features more effectively.

From the experimental results, CNN-LSTM_HM NID model shows excellent performance in network security event detection. Its high accuracy and low false alarm rate show that the model can effectively extract key features from network traffic data and accurately identify abnormal behaviors. This is due to the ability of CNN layer to automatically extract local features and the effective capture of time series dependence by LSTM layer. At the same time, we were deeply impressed by the rapid response and efficient recovery of intelligent emergency disposal technology. This is mainly due to the application of advanced machine learning and artificial intelligence technology, which enables the system to find and automatically handle abnormal behaviors in the first time, thus greatly reducing the impact of security incidents on the system.

Overall, the experimental results are highly consistent with our expected goals. The performance of CNN-LSTM_HM NID model and the performance of intelligent emergency disposal technology have reached our expected level. Nonetheless, certain discrepancies were observed during the experiment. For instance, under specific types of network assaults, the model's recognition accuracy experienced a decline. This could be due to the dissimilarity in traffic characteristics of these attack types compared to those in the training data, posing challenges in precise identification by the model. To further enhance the model's generalization capability, we intend to incorporate a broader array of attack traffic data for training in the future and refine the model's architecture to better align with the intricate and dynamic network environment.

In addition, in the practical application of intelligent emergency disposal technology, the research also found some places that can be improved. For instance, in the construction of an automated response strategy, it is imperative to contemplate a multitude of potential anomalies to ensure the system's stability and security. Concurrently, we shall persistently delve into the integration of artificial intelligence with the discernment of human experts to further elevate the precision and efficacy of emergency responses.