The key technology of computer network vulnerability assessment based on neural network

With the wide application of computer network, network security has attracted more and more attention. The main reason why all kinds of attacks on the network can pose a great threat to the network security is the vulnerability of the computer network system itself. Introducing neural network technology into computer network vulnerability assessment can give full play to the advantages of neural network in network vulnerability assessment. The purpose of this article is by organizing feature map neural network, and the combination of multilayer feedforward neural network, the training samples using SOM neural network clustering, the result of clustering are added to the original training samples and set a certain weight, based on the weighted iterative update ceaselessly, in order to improve the convergence speed of BP neural network. On the BP neural network, algorithm for LM algorithm was improved, the large matrix inversion in the LM algorithm using the parallel algorithm method is improved for solving system of linear equations, and use of computer network vulnerability assessment as the computer simulation and analysis on the actual example designs a set of computer network vulnerability assessment scheme, finally the vulnerability is lower than 0.75, which is beneficial to research on related theory and application to provide the reference and help.

According to the statistics reported by the Internet information center over the years, the number of hacker attacks on computer users worldwide increases by at least 10% on average every year. Network vulnerability analysis is a very complex work, and the correlation among vulnerabilities, the correlation between network hosts, the dynamic nature of network services and the complexity of network connections are worthy of attention. With the increasing attention paid to computer network security, computer network vulnerability assessment has important research and application value.

Due to its inherent super adaptability and learning ability, neural network has been widely studied and applied in many artificial intelligence fields and has solved many information processing problems that are difficult to be solved by other traditional artificial intelligence methods and technologies. Because of the unique ability of nonlinear adaptive information processing, neural network overcomes the shortcomings of many traditional artificial intelligence information processing methods in pattern recognition, voice information recognition, unstructured information processing and other visual functions, so that it has been successfully applied in many fields of artificial intelligence. The close combination of neural network and other traditional information processing methods of artificial intelligence will greatly promote the continuous innovation and development of related technologies such as traditional artificial intelligence and distributed information processing.

Several factors must be considered when designing large interconnections. Optimal design is important to achieve good performance and reduce construction and maintenance costs. Real communication networks are prone to network component failures. There are failures between nodes and connections, and network stability is desirable when a limited number of failures do not disrupt the entire system. The vulnerability of network topology is an important aspect of computer network design. Aysun Aytac proposed various methods to quantify network vulnerability and derived network reliability formulas using a large number of graph theory parameters. Based on the control concept in graph theory and the strong and weak control number of transformation graph Gxy+, this paper studies the vulnerability of the interconnection network to the failure of a single node and measures the vulnerability of the network [1]. Attack chart is an effective method to solve many problems in computer network security management. After a vulnerability scanner is used to identify a single vulnerability, the attack chart can relate a single vulnerability to the likelihood of an attack and then analyze and predict which privileges an attacker can gain through a multistep attack (in which multiple vulnerabilities are exploited in turn). Teodor Sommestad tested the practical application of this analytical method. The attack graph tool MulVAL obtained information from the vulnerability scanner Nexpose and network topology information from eight virtual organizations containing 199 machines. Two groups of attackers attempted to infiltrate these networks over a period of 2 days and reported which machines they had damaged and which attack paths they were trying to use [2]. Security metrics are powerful tools for organizations to understand the effectiveness of protecting computer networks. However, most of these measurement techniques are not sufficient to help companies make informed risk management decisions. Abraham proposes a stochastic security framework that allows for quantitative measures of security by considering vulnerability-related dynamic attributes over time. Abraham's model is that existing research in attack graph analysis does not take into account the timing of vulnerabilities, vulnerabilities and patch availability, etc., which can be interlinked based on how the entire network is affected by vulnerabilities and leverage compromise systems. In order to more realistically describe the changes of the security state of the network over time, an inhomogeneous model is proposed, which contains a time-dependent covariable [3].

In this paper, based on neural network are studied under the study of computer network vulnerability analysis method and the model of network vulnerability index calculation, on the basis of clear vulnerability index and related concepts, emphatically discusses the vulnerability analysis method and based on the index system of vulnerability and vulnerability database index calculation model, aims to provide a kind of multidimensional network security status display, macro, so that the relevant enterprises and departments in a timely manner to master the Internet network security macro situation.

2.1 Vulnerability of computer network

2.1.1 Definition of vulnerability

Computer security vulnerability research is a new field of network security research. In the research process, researchers put forward different definitions according to different understanding and application requirements [4].

1. 1

   Software vulnerability

   Software vulnerability is essentially a security vulnerability in software, which will endanger the security strategy of the system and eventually reduce the use value of the system [5].

2. 2

   Computer system vulnerability

   A computer management system consists of a series of state descriptions that ultimately constitute the current initial state configuration of the entity of the computer management system. By using such a set of transitions to the initial states, all the initial states that can be reached from a given initial state are ultimately partitioned by the management system as two types of initial states defined in the security policy. Vulnerability is an authorized state that converts an authorized state to an unauthorized state. The damaged state refers to the state achieved by the above method. An attack is a sequence of authorization state transitions that ends with a corrupted state [6].

3. 3

   Network unit vulnerability

   Vulnerability of a computer network refers to a set of characteristics of a computer network that can be used by malicious objects (attackers or attack programs) to gain unauthorized access to resources through authorized means and methods in the network, or cause damage to the network and the host network. Network vulnerability comes from the vulnerability of corresponding software providing services in the network and the vulnerability of hosts in the network [7, 8].

4. 4

   Vulnerability of information systems

   In the field of risk management technology system, there are system security process automation management system security automation and management automation, internal risk control, critical events, in the process of penetration can automatically prevent unauthorized access to information or damage the key steps of risk management, risk management weaknesses. Systematic risk management is in the technical field. Weaknesses in risk management exist in the process of system physical layout. Organizations, processes, people, management, hardware or software can infiltrate the automatic collection and processing system or data. The existence of the vulnerability itself does not cause any damage to the system. In an automated data attack, the vulnerability of a system is only one or a set of conditions that cause damage to two systems or behaviors. In the field of system risk management technology, any attack or vulnerability or attribute in the risk management system is defective. Any attack or harmful event or dangerous entity can provide a risk management opportunity to attack or implement automated data attacks. In the field of system information security, weaknesses that can be automatically evaluated are those that can be automatically infiltrated to overcome the risk attributes or security attributes of countermeasures [9, 10].

2.1.2 Vulnerability assessment

The evaluation of vulnerability is mainly to detect the vulnerability of the system by means of various management and scientific and technological means, to find out the potential security risks and the system vulnerability that may be damaged and utilized by illegal personnel in the process, and to analyze and evaluate the security and development status of the whole system according to the results of various tests. On this basis, according to the results of vulnerability assessment, appropriate security strategy is formulated, which provides reference and basis for the perfect design and implementation of security assessment system. One of the main objectives of vulnerability detection and assessment is to analyze and understand various security risks that may exist in the whole system development process and to provide scientific basis and intention for how to protect the security and development of the whole system. The whole system vulnerability here can be just one device as a service, or just the device stored on the network as a computer, or the entire computer network [11, 12].

2.1.3 Vulnerability analysis method

As shown in Fig. 1, from rule-based analysis to model-based analysis, from stand-alone analysis to distributed analysis, there are many methods of vulnerability assessment, which can be summarized into three categories: quantitative assessment method, qualitative assessment method and comprehensive assessment method combining qualitative and quantitative methods.

Attack diagram evaluation model

Full size image

In the attack tree method, the tree structure in the form of and-or is used to model the network vulnerability. The nodes in the attack tree represent the attack, the root node represents the attacker's ultimate target, AND the children of a node represent the methods to achieve this target.

Figure 2 shows an example of an attack tree in which the attacker's goal is to get a free lunch. The AND node represents the conjunction, which means that all its child nodes must meet to achieve the current goal; the OR node represents the disjunction, which means that the current goal can be reached as long as any of its children are satisfied [13].

Attack tree method

Full size image

2.1.4 Model-based quantitative analysis

1. 1

   Network elements

   Network element \(c_{i}\) is the set of network protocol entity \(e_{i}\):

   $$c_{i} = \left\{ {e_{i} \left| {u\left( {e_{i} } \right) = i} \right.} \right\},\quad i,j \in N$$

   (1)

   U is a mapping from the protocol entity to its network node number:

   $$u:\left| {e_{i} } \right| \to N,C \equiv \bigcup\limits_{i} {\left\{ {c_{i} } \right\}}$$

   (2)
2. 2

   Connection

   There is \(l_{k}\) between \(c_{i}\) and \(c_{j}\) if and only if:

   $$\exists e_{m} ,e_{n} ,u\left( {e_{m} } \right) = i \wedge u\left( {e_{n} } \right) = j \wedge u\left( {e_{m} } \right) = h\left( {e_{n} } \right) = k \wedge e_{ik} \leftrightarrow e_{jk}$$

   (3)

   h is a mapping from the protocol entity to its network level:

   $$h:\left| {e_{i} } \right| \to N,L \equiv \bigcup\limits_{k} {\left\{ {l_{k} } \right\}}$$

   (4)
3. 3

   Network

   Net is a binary group, net=<C, L>. The vector \(e_{i}\) made up of the variables \(e_{i}\) made up of state \(S_{j} \in S_{ej}\). Marked as safe if the expected value is met; if the expected value is not met but the security attribute of \(c_{i}\) is not destroyed, it is marked as an error state. Sets that do not meet expectations and break \(c_{i}\)'s security properties are marked as failing [14, 15].

4. 4

   Vulnerability point

   Vulnerability point \(v_{i}\) is a vulnerability in net and satisfies:

   $$\exists t \in T,t\left( {v_{i} ,S_{{{\text{net}}}} } \right) = S^{\prime}_{{{\text{net}}}} ,S_{{{\text{net}}}} \ne S^{\prime}_{{{\text{net}}}} ,S^{\prime}_{{{\text{net}}}} \in S_{{{\text{net}}}}^{{{\text{fail}}}}$$

   (5)
5. 5

   Vulnerability

   Vulnerability analysis measures the severity of vulnerability points in terms of availability and impact. Availability depends on the degree of vulnerability in W and is affected by the number of indirect precursors of vulnerability. The contribution of the precursor states to availability is inversely proportional to the distance between them and the vulnerability point [16]. Similarly, the influence of the vulnerability can be measured by the number of distances from the vulnerability to all its direct or indirect successor states. Its availability and impact are as follows:

   $$a_{vk} = \sum\limits_{i,j} {\frac{1}{{\left| {U_{ijk} } \right|}}}$$

   (6)
   $$b_{vk} = \sum\limits_{i,j} {\frac{1}{{\left| {E_{ijk} } \right|}}}$$

   (7)

   The severity of a single vulnerability and network vulnerability is as follows:

   $$\overline{v} k = a_{vk} + b_{vk}$$

   (8)
   $$\tilde{v} = \sum\limits_{k} {\overline{v} } k,k \in N$$

   (9)

   The advantage of the model-based quantitative analysis method of network vulnerability is that it can analyze and calculate the vulnerability independently of network attacks and can better reflect the degree of network vulnerability [17].

2.2 Neural network

2.2.1 Characteristics of neural network

1. 1

   The structure of neural network is different from that of current computers. It is composed of many small processing units connected with each other. The function of each processing unit is simple. This enables the neural network to be well applied to the parallel computer for calculation, which can greatly improve the speed of calculation [18].

2. 2

   Neural network has very strong fault tolerance. If one part of the neural network is destroyed, the overall performance of the network will decrease to some extent, but this does not prevent it from doing its job. The neural network still works. Even if the most important part of the network is damaged, it will not cause the complete loss of the whole network function [19, 20].

3. 3

   Neural network memory information is stored on the connection weight between neurons, and the content of stored information cannot be seen from a single weight, so it is a distributed storage mode. Effective segmentation is based on the training sample and training process, the whole sample set of learning are assigned to a distributed collaborative training neural network cluster environment, at the same time by competitive selection mechanism, and makes the individual learning performance good training can effectively migration in the neural network group, in order to obtain more resources for learning.

4. 4

   Neural network has excellent imitation ability. Through its excellent imitation learning ability, it is expected that future neural network computers will provide economic prediction, market prediction and benefit prediction for mankind [21].

2.2.2 Neural network model

The neuron model is often described by the first-order differential equation, which can simulate the change of synaptic potential in biological neural network over time:

In general, s-type function expressions are used to express the nonlinear characteristics of the network:

As a technology that can carry out adaptive pattern recognition, neural network learning not only needs to provide the experience analysis knowledge of adaptive patterns and neural pattern discrimination function in advance, but automatically forms the learning and decision-making region required by the neural network through its own neural network learning and decision-making mechanism [22]. The structure and characteristics of neural network are determined by its topology structure, neuron characteristics, learning and decision-making training rules and other factors. By making full use of the neuron information of different states, it can learn and train the neuron information of different states in the network one by one to obtain certain state mapping and relationship. In addition, network mapping can be continuously learned, and if the environment in the network changes, the mapping can also adjust the environment accordingly [23].

For fault diagnosis based on neural network, the input node of the network corresponds to the fault symptom, and the output node corresponds to the fault cause. First, the network was trained with a set of fault samples, and its structure (transfer function of the middle layer and number of neurons) and parameters (connection weights and thresholds between neurons) were determined [24, 25]. Fault mode classification is a process of realizing nonlinear mapping between symptom set and fault based on a group of signals after network training, as shown in Fig. 3.

Design of network nonlinear mapping process

Full size image

3.1 Experimental background

This system is mainly designed and developed on the platform of virtual resource environment provided by network shooting range. From the performance of platform compatibility considerations, in order to make the network range to provide users with the required test platform and realize the Metasploit adding auxiliary module Nmap, the function of the Nessus system mainly adopts the NS and Ruby script language, the NS script is established in order to realize the automation of network range experiment platform, and the Ruby language is in order to achieve the load based on the framework of Metasploit existing auxiliary module Nmap and Nessus. In the structure of the whole software transaction management system, it adopts the browser/front-end server (B/S) structure. B/S structure of management system is characteristic of this structure, which is one of the more popular software architectures; in this architecture, the processing of the user interface is implemented directly by the user and the browser, few major transaction logics are to handle the user and the front-end server implementation, the other major transaction logic processing is in the user and the server-side implementation, and it has the advantage that can well realize different people and from different time and place of user access.

The system is based on a set of system platform of real equipment, accurately determines the weapons and equipment evaluation and training, and completes the system platform, the file data layer and the combination of application service layer; the second is to build a high controllability, high availability, high reliability, system platform structure system; the system platform of network structure form domain includes the attack and defense domain and target domain. It includes six key function modules: hardware resource control, simulation and virtualization, operation control, detection and collection, evaluation and analysis, and network platform system display. The test process of network shooting range can be roughly divided into the following seven steps: determination of user needs, determination of experimental tasks, operational deployment, resource allocation, operational experiments, data collection and analysis and evaluation. All of the above are deeply explored by the system.

3.2 Experimental design

1. 1

   Determine the number of neurons in the input layer

   The input layer parameters of specific problems are used to determine the number of neurons in the input layer, and the number of evaluation indicators is generally used. The number of neurons in the input layer is a three-level index number of network vulnerability evaluation indexes; Table 1 shows that the degree of sensitivity involves 13 evaluation indexes, their coping capacity involves 15 evaluation index, so the sensitivity degree of BP neural network has 13 input neurons, and their coping capacity of BP neural network has 15 input neurons.

2. 2

   Determine the number of neurons in the output layer

   The number of neurons in the output layer is the evaluation result of network vulnerability, namely 1. The evaluation of computer network vulnerability is a process from qualitative to quantitative to qualitative. The simulation results of sample setting are shown in Table 2, while the simulation results without weight setting are shown in Table 3.

3. 3

   Number of hidden layer neurons

   In BP network, the selection of the number of hidden layer neurons is very important, which not only has a great impact on the performance of the established neural network model, but also is the direct cause of “overfitting” in training. However, there is no scientific and universal method to confirm it theoretically. At present, most formulas calculate the number of hidden layer neurons in the case of arbitrarily large number of training samples presented in most literature, and most of them are most unfavorable in the case that it is difficult to meet the general engineering practice and not suitable for use.

4. 4

   The learning rate affects the stability of the system learning process

   Large network learning rate may directly lead to the excessive weight correction of network weights and may even directly lead to the incomplete convergence of network weights due to the irregular jump of the minimum value beyond a certain weight error in the process of each correction. However, too small learning rate may lead to a relatively long learning time for weights, which can well ensure that weights converge to the minimum value of some error. If the learning rate is too small, it may lead to a slow rate of weight convergence, leading to a relatively long time for weight training. If the rate of weight learning is too high, it may directly lead to the instability of the system and may also cause the system to iterate violently. At the same time, the initial training needs to be effective network learning operation speed, later training may not be appropriate. Therefore, the general training tends to select a smaller network learning rate to ensure the stability and convergence (that is, the stability of the system) of the network learning system, usually between 0.01 and 0.8.

4.1 Network vulnerability assessment and analysis based on BP neural network algorithm

Because BP neural network algorithm is very sensitive to network structure, different network structures have different solving abilities. The more complex the neural network, the better its ability to deal with complex nonlinear problems, but the longer the training time. If the neural network structure is too simple, the network training is difficult to convergence or convergence time is too long. The topology of neural network includes the number of layers, the number of neurons per layer and the connections between neurons. In the BP network structure, the number of input neurons and output neurons is determined by the problem itself. Therefore, the design of BP network structure focuses on determining the number of hidden layer and the number of hidden layer neurons. The choice of the number of hidden layers depends on the complexity of the problem, and the relationship is shown in Fig. 4. The research shows that the increase in hidden layer can improve the ability of the network to solve complex nonlinear problems, but too much hidden layer can prolong the learning time of the network. For BP network, according to Kolmogorov theorem, three-layer BP network can complete arbitrary mapping from n dimension to m dimension, and implicit layer can meet the requirements. A hidden layer neural network, as long as the number of hidden layer neurons is reasonable, can meet the accuracy requirements. If the number of hidden layers changes from 1 to 2, it will not affect the accuracy much, but will make the network structure more complex and the training time will be greatly prolonged.

Changes of hidden layer neurons and layer number under BP neural network

Full size image

The representation and number of the input hidden layer neurons and the output hidden layer neurons of the neural network are determined by the problem itself and the requirements and representation of the data. Number of hidden layer neurons representation selection and parsing is a very complex mathematical problem, it and the requirement to the problem, the representation of a neural input layer and output unit type and the number is a direct relationship, often need to be based on the experience of the system designer and neural unit to determine, with the results of the experiment many times and therefore not may be an ideal implicit layer analytical formula for said. Because the expression and number of hidden layer neurons are too many, the learning time is too long, the error is not necessarily the least and the fault-tolerant and weak generalization ability may also be directly caused. Therefore, it is necessary to have an optimal number of hidden layer neurons.

According to the range of five grades of sensitivity index, 10 sets of data were randomly generated for each grade, and a total of 50 samples were formed. Choose one sample from each grade of sample (a total of five samples: samples 10, 20, 30, 40, and 50) as the test sample, the rest of the 45 samples as the training sample, which make all kinds of samples were distributed evenly, the BP neural network evaluation model is solved and set up without enough training samples and test samples. The sample processing of "self-coping ability" is similar, and the specific sample results are shown in Fig. 5.

Sensitivity-level sample training results

Full size image

4.2 Network vulnerability assessment and analysis based on SOM neural network algorithm

Analysis of computer network interface failure has generally four reasons of failure such as B1 interface problem, B2 network fault, B3 equipment existing congestion and B4 communication protocols, which are not compatible to as SOM neural network output node, MIB—2 of 2 interface state of five signs, A1 interface problem, characteristic values of A2 type A3 output characteristic values of A4 network utilization and A5 unknown agreement rate as input nodes of networks; the fault training result is shown in Fig. 6.

Training results of network fault samples

Full size image

Since the SOM neural network is learning without teachers, the network will automatically cluster it. The number of network input vector elements is 5, ranging from [0, 1]. In order to improve the network mapping and achieve the best clustering effect, the competition layer of the network is designed as a 4 × 3 structure after multiple neural network training. The number of training steps affects the clustering performance of the network. Here, the training times are set to 100, and the results are shown in Fig. 7. The training function of neural network toolbox in MATLAB is used to train the SOM neural network. With the increase in training steps, the distribution of neurons is gradually reasonable. After the network training, the weights are fixed. After each input value, the network will automatically cluster it.

Sample training results under SOM network

Full size image

For the above after the weighting of training samples, the trained BP neural network is used in the simulation; for general need of simulation data samples, the neural network training time for each training sample P two updates, the original R the elements of the columns Q transformation into the column vector R + 1, thus increasing the one-dimensional elements, make the neural network input node number R + 1. In the simulation with the trained neural network, one dimension should be added to each sample to be simulated. Since the clustering of the samples to be simulated could not be known in advance, the added one-dimensional data should be set to the same value 1 to reflect the same clustering characteristics. When setting the weight of the sample, the preset weight in the training is also used to improve the sample data.

With the popularization of the Internet, the rapid dissemination and sharing of information have been realized, which makes people's work and life more convenient and promotes the progress of the society. With the development of 3G, 4G and fiber optic broadband, the network speed has been greatly improved, the construction of enterprise informatization has been promoted, and the competitiveness of enterprises has been improved. However, while the Internet brings us convenience, there are also many security risks, such as website information leakage, software vulnerabilities, hacker attacks and other network threats, which bring serious economic losses to people. Therefore, accurate network security assessment and effective security defense strategy become very urgent and necessary.

In order to predict the possible attack path and make quantitative evaluation, this paper establishes an attack graph model based on neural network. In the attribute attack graph, an algorithm to eliminate the attack cycle is proposed, and a method to transform the acyclic attribute attack graph into a Bayesian network is proposed. This model takes network security state data as input, obtains all possible attack paths, and uses Bayesian formula to calculate the probability of each attack path, so as to quantitatively evaluate the vulnerability of the network. Network administrator according to the forecast results targeted to strengthen network security.

In this paper, the fault diagnosis of computer network is studied, and the computer network fault is simulated by using SOM method and BP neural network method. Based on the SOM neural network belonging to the self-organizing network of competitive learning, it is not necessary to specify in advance the fault type of training samples for the fault diagnosis of computer network, so it has good clustering ability. SOM neural network and BP neural network are effectively combined by adding weights, and LM algorithm is improved by using parallel algorithm. It is significant to diagnose by example.

We can provide the data.

B/S :

Browser/front-end server

The authors thank the editor and anonymous reviewers for their helpful comments and valuable suggestions.

This work was supported by Science and technology project of education department of Jilin province, Research on key technologies of network vulnerability assessment, JJKH20180950KJ.

Authors and Affiliations

1. School of Computer Science and Technology, Changchun University, Changchun, 130022, Jilin, China

   Shaoqiang Wang

Contributions

The author Shaoqiang Wang wrote the first version of the paper. All authors read and approved the final manuscript.

Corresponding author

Correspondence to Shaoqiang Wang.

Competing interests

There are no potential competing interests in our paper. And all authors have seen the manuscript and approved to submit to your journal. We confirm that the content of the manuscript has not been published or submitted for publication elsewhere.

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Reprints and permissions