
Proceedings of CCIS2018

A Security Situation Awareness System based on Wide & Deep


Peng Zhang1, Xiao Han1, Daojuan Zhang1, Kexiang Qian1, Shenduo Xiong2
1 State Grid Key Laboratory of Information & Network Security, Global Energy Interconnection Research Institute Co., Ltd, Beijing 102209, China
2 North China Electric Power University, Beijing 102206, China
E-mail: {zhpeng, qiankexiang, zhangdaojuan}@geiri.sgcc.com.cn

Abstract: Security situation awareness analysis is becoming an important part of cyber security. To assess the network security situation, a security situation awareness system based on the distributed cluster model is proposed in this paper. The distributed cluster model of network security situation awareness is built on the improved wide & deep model of TensorFlow. The PReLU activation function is introduced to make the model fit better, and weight attenuation is added to the Softmax loss function to improve the accuracy effectively and reduce the time of the situation prediction process. In addition, we implement the prototype and evaluate the effectiveness and usability of the situation awareness system with the database provided by a safety monitoring system applied in State Grid Corporation of China. The experimental results demonstrate that the system proposed in this paper improves the accuracy of the situation prediction effectively and reduces the time of the situation prediction.

Keywords: Network security; Situation awareness; Distributed cluster model

1 Introduction

With the rapid development of computer networks, the problem of network security has become increasingly prominent and a main focus of current research. At the same time, network security has always been a main concern for enterprises. Although various network security protection measures have been adopted, a single protection measure neither considers the correlation among different protection measures comprehensively, nor meets the need to assess network security from a macro perspective. To overcome these limitations, research on network security situation awareness has been proposed, which is based on the integration of various network security elements. A network security situation awareness system assesses the network security situation in real time from a macro perspective and predicts the development trend of the network security situation under given conditions. Network security situation awareness integrates all available information, provides a basis for the decision analysis of network security administrators, and minimizes the risks and losses caused by unsafe factors. It is of great significance in improving the capabilities of network monitoring, emergency response, and predicting the development trend of network security.

However, the current security defense systems of many enterprises have low accuracy and long response times in security situation prejudgment. As new types of attacks such as advanced persistent threats keep emerging, a great threat is posed to enterprise network security. With the spread of information technologies such as cloud computing and big data into many fields in recent years, experts have begun to integrate these technologies into enterprise network security situation awareness. Due to the complexity of data semantics in enterprise security data warehouses, traditional modeling methods have high requirements on the regularity of data, which affects the effectiveness of network security event analysis.

In this paper, the situation elements are extracted from a safety monitoring system applied in State Grid Corporation of China, and a distributed cluster model of an enterprise network security situation awareness system is proposed based on the wide & deep learning model of the improved TensorFlow framework, which improves the accuracy of the situation prediction effectively and reduces the time of the situation prediction. The contributions are as follows:

- To intelligently assess the security and trend of network migration, we designed a network security situation awareness system based on wide & deep learning models.
- To improve the accuracy of the situation prediction effectively and reduce the time of the situation prediction, we introduced the PReLU activation function and added weight attenuation to the Softmax loss function to improve the distributed cluster model and the wide & deep learning model.
- We realized and evaluated a prototype of the security situation awareness system. The experimental results show that the system we designed improves the accuracy of the situation prediction effectively and reduces the time of the situation prediction.

In the rest of this paper, Section 2 describes the system design of the network security situation awareness system and Section 3 presents the experiments and results. Related work is given in Section 4. Finally, the conclusion of this paper is presented in Section 5.

978-1-5386-6005-8/18/$31.00 ©2018 IEEE


2 System Design

A network security situation awareness system is proposed in this paper. Figure 1 illustrates the pipeline of the system. It mainly consists of three parts: (1) situation elements extraction, (2) situation model, (3) situation prediction.

2.1 Situation Elements Extraction

The security dataset of the enterprise is extracted in this paper. The data types of the enterprise resource platform are shown in Table 1. The dataset consists of six kinds of data type: bug, configuration compliance, policy effectiveness, irregularities, attack alerts and asset information. After preprocessing of the security data, such as filtering and aggregation, the vulnerability, threat and importance attributes of each asset are extracted as the situation elements.

Figure 1 System Design of Network Security Situational Awareness (figure not reproduced; labels: Situation elements: Historical data, Current data, preprocess, Vulnerability, Threat, Importance; Situation model: Distributed Cluster Model with Server process and Client process, Wide & deep learning model; Situation forecast: Algorithm analysis, Prediction algorithm)

Table I Security Data
Number  Data Type
1       Bug
2       Configuration Compliance
3       Policy effectiveness
4       Irregularities
5       Attack Alerts
6       Asset Information

2.2 Situation Model

The network security situation awareness system covers a wide range of fields. Since situation awareness often exhibits mathematical characteristics such as nonlinearity, randomness, and ambiguity, the situation model is the most important part of the security situation awareness system. Based on the deep learning framework TensorFlow, a situation model that integrates a distributed cluster model and a wide & deep learning model is designed in this paper. The situation model consists of the distributed cluster model and the wide & deep learning model.

2.2.1 Distributed Cluster Model

The distributed cluster model includes intra-graph and inter-graph copying. In this paper, the inter-graph copying model is used. The distributed cluster model of intra-graph copying is shown in Figure 2. Each slave node builds the same graph independently, and then each slave node runs the graph independently. Slave nodes and parameter servers share the gradients. As shown in Figure 2, the situation awareness distributed cluster model consists of client, master node, slave node and parameter server.

The distributed cluster model based on inter-graph copying starts the scheduling of the master node from the client. The master node issues a dispatch scheduling request to the cluster model. The slave nodes connected to any node in the cluster model are included in the dispatch scheduling request. A slave node is responsible for scheduling multiple parameter servers. By processing gradient operations, the gradient vector obtained is passed to the parameter server. The parameter server saves model variables, updates parameter operations, and provides execution services. The parameter server is a cluster composed of multiple machines. Multiple slave nodes can create multiple graphs. If the slave nodes run the same code, the constructed graphs are the same, and the parameters are saved in the same parameter server.

Figure 2 A Distributed Cluster Model Based on Inter-graph Copy (figure not reproduced; labels: Clients, Master node, Parameter server, Slave node)

There is a one-to-one correspondence between the parameter server and the local task calculation unit of the slave node, which allows multiple slave nodes to read data, build graphs, and train models at the same time. It is suitable for enterprise big-data situation awareness.

The distributed cluster model consists of multiple jobs, and each job consists of multiple tasks. A job can be deployed on multiple hardware resources. A GPU with different hardware resources can deploy multiple tasks. The TensorFlow cluster consists of tasks that are distributed on multiple hardware resources on a large scale. Each task of a cluster node initiates a service. Using the distributed cluster model of TensorFlow, various data can be imported into the parameter server as model inputs and the model can be published to the system server. The client submits the request and performs the above operations. Finally, the server returns the result.
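The training loop that Section 2.2.1 describes, as an added example that is not the paper's code: every worker (the paper's slave node) holds the same model graph, computes a gradient on its own data shard, and pushes it to a parameter server that owns the shared variables and applies the averaged update. The one-weight linear model, the synchronous update rule, the learning rate and the data shards are assumptions made for the demo; TensorFlow's own job and task mechanism is replaced by Python threads.

```python
import threading

# Constructed training data (roughly y = 3x), split into one shard per worker.
SHARDS = [
    [(1.0, 3.1), (2.0, 5.9), (3.0, 9.2)],
    [(4.0, 11.8), (5.0, 15.1), (6.0, 18.0)],
    [(7.0, 21.2), (8.0, 23.9), (9.0, 27.1)],
]


class ParameterServer:
    """Owns the model variable w; workers pull it and push gradients back."""

    def __init__(self, learning_rate):
        self.w = 0.0
        self.lr = learning_rate
        self._lock = threading.Lock()
        self._pending = []

    def pull(self):
        with self._lock:
            return self.w

    def push(self, grad):
        with self._lock:
            self._pending.append(grad)

    def apply(self):
        """Synchronous step: average every gradient received, then update w."""
        with self._lock:
            if self._pending:
                self.w -= self.lr * sum(self._pending) / len(self._pending)
                self._pending.clear()


def worker_step(ps, shard):
    """One slave node: pull the current weight, compute the mean gradient of
    0.5 * (w*x - y)^2 over its shard, push the gradient to the server."""
    w = ps.pull()
    grad = sum((w * x - y) * x for x, y in shard) / len(shard)
    ps.push(grad)


def train(shards, steps=200, learning_rate=0.01):
    """Run `steps` synchronous rounds; each round every worker runs the same
    graph on its own shard in its own thread and the server applies once."""
    ps = ParameterServer(learning_rate)
    for _ in range(steps):
        workers = [threading.Thread(target=worker_step, args=(ps, s)) for s in shards]
        for t in workers:
            t.start()
        for t in workers:
            t.join()
        ps.apply()
    return ps.w


def closed_form(shards):
    """Exact least-squares slope over all shards, to check convergence."""
    pts = [p for s in shards for p in s]
    return sum(x * y for x, y in pts) / sum(x * x for x, _ in pts)


if __name__ == "__main__":
    print("trained w =", train(SHARDS), "closed form =", closed_form(SHARDS))
```

Because the shards are the same size, averaging the per-shard gradients equals the gradient over the whole dataset, so the replicated workers converge to the same slope a single node would find; with unequal shards the server would weight each push by its shard size.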
2.2.2 Wide & Deep Model

The distributed cluster model is a resource scheduling model for multiple nodes, so the mathematical model of a single node should be considered. In this paper, the wide & deep model of TensorFlow is used, as shown in Figure 3.

Figure 3 Wide & Deep Learning Model (figure not reproduced; labels: Wide Model, Deep Model)

The wide model component is a traditional linear learner based on an L1-normalized classifier. It is a linear model with a sparse matrix and cross-feature vector, characterized by high-dimensional features and feature combinations. The cross-feature transformation in the wide model can memorize all sparse specific rules, which is significant for the classification of general large-scale situation models with sparse inputs.

The deep model component is a deep neural network. The training network has perceptrons at each level. The perceptrons gradually pass the input messages to the next layer of the neural network and convert a large number of classifications into a list of deep vectors. The operation stops when the last layer of the neural network, the output layer, is reached. Deep models can make neural networks more effective.

The wide & deep model not only reduces the useless features but also has both memorization and generalization functions. By deploying the wide & deep learning model on each node of the cluster, the integration of the distributed cluster model and the wide & deep learning model is completed in this paper.

2.3 Situation Prediction

In this paper, the TensorFlow framework is utilized in the network security situation prediction algorithm, which uses a pipeline processing mechanism and organizes the situation element input vectors and machine learning algorithms together. As shown in Figure 4, the wide & deep model is used as the prototype, and the activation function and loss function are improved to obtain the network security situation prediction output vectors.

Figure 4 Security Situation Prediction Algorithm based on TensorFlow (figure not reproduced; labels: Network security situation element input vector; Continuous characteristics; Discrete features; Embeddings; Vector cross multiply conversion; Feature combination; Activation function; Loss function; Network security situation prediction output vector; Machine learning algorithm)

The situation awareness system reads all input information from the situational data files, extracts the information features, and obtains the higher-level data. The data is divided into continuous features and discrete features. The discrete feature data are used by the wide model to perform vector cross-multiply conversion, establish a linear model, and obtain and memorize the directly related attributes of situational awareness. Both the continuous and discrete feature data are used for the training of the deep model. The continuous feature data can be used directly as an input vector, denoted X1. The discrete feature data must first be mapped to a dense vector by an embedding method, denoted X2. Through the nonlinear transformation of the activation function, the new data vector formed from different combinations of the vectors X1 and X2 is analyzed to obtain the output of the deep learning neuron, i.e., the situation prediction output vector.

If no nonlinear activation function is introduced, the input data is mapped linearly even when multiple hidden layers are constructed, so it is important to select an appropriate activation function. The hidden layer neurons of the commonly used sigmoid activation function tend to saturate. This easily causes information loss in deep learning, so the sigmoid is not suitable as the activation function of the prediction algorithm. Due to its simple calculation and fast convergence, the ReLU activation function is chosen as the activation function of the prediction algorithm in this paper. Since the default ReLU activation function of the TensorFlow library shows fragility during model training, the modified activation function PReLU is used. PReLU is trained by back-propagation and updates an additional parameter in the TensorFlow deep learning network. Its properties are similar to those of the weights of neural networks. The advantage is that PReLU has a small number of computational parameters, does not cause overfitting, and is more adaptable to wide & deep learning models with sparse data characteristics.

The default target classification of TensorFlow is binary, but the actual threat types of network security are multi-category. We want the goal of training feedback to be multi-category, so the Softmax loss function is introduced into the machine learning algorithm. The Softmax loss function is improved by adding a weight attenuation term, and the output layer of the wide & deep learning model is redefined. The k possible values of the class label are accumulated, and the multi-classification output of the network security situation prediction result is completed. The introduction of the Softmax loss function generalizes logistic regression to multi-classification problems. After adding the weight attenuation term to the Softmax loss function, large values are handled reasonably.
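The prediction algorithm of Sections 2.2.2 and 2.3 in pure Python, as an added example that is not the paper's code: the wide part performs the vector cross-multiply conversion by hashing each pair of discrete attributes into a sparse 0/1 vector and scoring it linearly; the deep part concatenates the continuous vector X1 with embeddings X2 of the discrete attributes, applies a PReLU hidden layer whose negative slope is a trainable parameter, and produces k class logits; both parts are summed, and the Softmax loss carries the weight attenuation term. The number of classes, bucket sizes, layer widths, decay strength, attribute names and all sample values are assumptions for the demo, and the weights come from a seeded random generator instead of training.

```python
import math
import random
import zlib

K_CLASSES = 3        # assumed number of threat categories k
HASH_BUCKETS = 16    # assumed width of the wide model's sparse cross-feature vector
EMBED_BUCKETS = 8    # assumed rows per embedding table
EMBED_DIM = 2
HIDDEN = 4
WEIGHT_DECAY = 1e-3  # assumed weight attenuation strength

_rng = random.Random(7)


def rand_matrix(rows, cols):
    return [[_rng.uniform(-0.5, 0.5) for _ in range(cols)] for _ in range(rows)]


def matvec(x, w):
    return [sum(x[i] * w[i][j] for i in range(len(x))) for j in range(len(w[0]))]


def bucket(key, n):
    return zlib.crc32(key.encode()) % n


def wide_vector(discrete):
    """Vector cross-multiply conversion: every pair of discrete attributes is
    crossed and hashed into one slot of a sparse 0/1 vector."""
    vec = [0.0] * HASH_BUCKETS
    names = sorted(discrete)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            vec[bucket(f"{a}={discrete[a]}&{b}={discrete[b]}", HASH_BUCKETS)] = 1.0
    return vec


def prelu(x, alpha):
    """PReLU: negative inputs keep a learned slope alpha instead of ReLU's 0."""
    return x if x >= 0 else alpha * x


def prelu_grads(x, alpha):
    """(dy/dx, dy/dalpha): alpha only receives gradient from negative inputs,
    which is why it stays cheap (one extra parameter per layer)."""
    return (1.0, 0.0) if x >= 0 else (alpha, x)


def softmax(logits):
    m = max(logits)                      # shift for numerical stability
    exps = [math.exp(v - m) for v in logits]
    total = sum(exps)
    return [e / total for e in exps]


def softmax_loss_with_decay(logits, label, weight_rows, decay=WEIGHT_DECAY):
    """Cross-entropy of the Softmax output over k classes plus the weight
    attenuation term (decay / 2) * sum of squared weights."""
    ce = -math.log(softmax(logits)[label])
    l2 = 0.5 * decay * sum(w * w for row in weight_rows for w in row)
    return ce + l2


class WideDeepModel:
    def __init__(self, n_continuous, discrete_names):
        self.names = sorted(discrete_names)
        self.wide_w = rand_matrix(HASH_BUCKETS, K_CLASSES)
        self.embed = {n: rand_matrix(EMBED_BUCKETS, EMBED_DIM) for n in self.names}
        self.w1 = rand_matrix(n_continuous + EMBED_DIM * len(self.names), HIDDEN)
        self.alpha = 0.25  # PReLU slope, updated like a weight during training
        self.w2 = rand_matrix(HIDDEN, K_CLASSES)

    def deep_input(self, continuous, discrete):
        """X1 (continuous, used as is) concatenated with X2 (embedded discrete)."""
        x = list(continuous)
        for n in self.names:
            x.extend(self.embed[n][bucket(f"{n}={discrete[n]}", EMBED_BUCKETS)])
        return x

    def forward(self, continuous, discrete):
        """k logits = wide linear score over cross features + deep network score."""
        wide = matvec(wide_vector(discrete), self.wide_w)
        pre = matvec(self.deep_input(continuous, discrete), self.w1)
        deep = matvec([prelu(v, self.alpha) for v in pre], self.w2)
        return [a + b for a, b in zip(wide, deep)]

    def weight_rows(self):
        return self.wide_w + self.w1 + self.w2

    def loss(self, continuous, discrete, label):
        return softmax_loss_with_decay(self.forward(continuous, discrete), label, self.weight_rows())

    def predict(self, continuous, discrete):
        probs = softmax(self.forward(continuous, discrete))
        return max(range(K_CLASSES), key=probs.__getitem__)


# Constructed input: normalized continuous attributes and discrete attributes after Table II.
SAMPLE_CONTINUOUS = [0.8, 1.0, 0.3]
SAMPLE_DISCRETE = {"asset_type": "HMI", "source": "ids", "alert_type": "bruteforce"}
MODEL = WideDeepModel(len(SAMPLE_CONTINUOUS), SAMPLE_DISCRETE)
```

Calling `MODEL.loss(SAMPLE_CONTINUOUS, SAMPLE_DISCRETE, label)` gives the value a trainer would minimize; the decay term grows with the squared weights, which is what keeps the logits, and therefore the Softmax inputs, from drifting to large values during training.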
3 Experiments and results

To evaluate the effectiveness and usability of the approach proposed in this paper, experiments are conducted. Nine DELL PowerEdge R710 servers are used for the test environment. The operating system is centos6.7 x86_64, on which Docker v1.13.0 and TensorFlow v0.11.0rc0 are deployed.

3.1 Dataset collection

The security dataset is abstracted from a safety monitoring system applied in State Grid Corporation of China. After preprocessing, the situation elements are collected. The importance element has 55 attributes, abstracted from the asset information. The vulnerability and threat elements are abstracted from the bug, configuration compliance, policy effectiveness, irregularities, and attack alerts. The vulnerability element has 41 attributes and the threat element has 61 attributes. Table 2 lists some attributes of the three situation elements.

Table II Situation Element Attribute
Elements       Attribute
Importance     Asset IP, Asset Name, Asset Type, Asset Class
Vulnerability  Source, Name, Type, IP, Level, Times, Alert Log
Threat         Source, Name, Type, IP, Level, Times, Alert Log

3.2 Results

The situation elements are first pre-processed, e.g. normalized, and the pre-processed data are randomly divided into 10 samples, each with 100 elements. The 10 samples are divided into two sets, a training data set and a testing data set. The results are shown in Figure 5. The TPR-FPR curve of the improved multi-classification is better.

The target attribute of the wide & deep model is divided into two categories. When the binary classification model is used to analyze multiple network security threat events, the events must be compared against each other and the model run multiple times to achieve multiple classification. In this paper, the improved model modifies the loss function of the original model. With the introduction of the Softmax function, the network security situation awareness system speeds up the multiple classification. The average time from the input to the output of the binary classification model is 185 minutes while that of the improved multiple classification is 120 minutes.

Figure 5 Comparison of TPR-FPR Curves (figure not reproduced)

4 Related work

Network security situation awareness is a quantitative expression of the network security state based on network security event fusion calculation [1],[2], which is considered a new approach to solving network security problems [3],[4]. Bass et al. [5] of the US Air Force Communications and Information Center first proposed the application of situation awareness technology to multiple NIDS test results in 1999. However, they did not give a clear definition of the concept of network security situation awareness, but only emphasized that data fusion is the core means of situation awareness. Some researchers [6] discuss the concept of network security situation awareness, which is considered to acquire, understand, display, and predict the future development trend of the security elements that can cause changes in the network situation in a large-scale network environment. However, it is difficult to obtain the network security situation accurately in a large-scale network.

5 Conclusions

To assess the network security situation, a security situation awareness system based on the distributed cluster model is proposed in this paper. A distributed cluster framework composed of multi-server and multi-client processes is designed, and the wide & deep learning models of TensorFlow are integrated into the framework we designed. To make the model fit better, the PReLU activation function is introduced. Weight attenuation is added to the Softmax loss function to improve the accuracy effectively and reduce the time of the situation prediction. We realized and evaluated a prototype of the situation awareness system. The experimental results show that the system we designed improves the accuracy of the situation prediction effectively and reduces the time of the situation prediction.
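The situation element extraction of Section 2.1 and Section 3.1, as an added example that is not the paper's code: raw records of the six data types in Table I are filtered and aggregated per asset into the importance, vulnerability and threat elements (attribute names after Table II), and the resulting vectors are min-max normalized as the pre-processing of Section 3.2 requires. The records, the ordinal level and class encodings and the choice of five numeric attributes are constructed assumptions for the demo.

```python
LEVEL_SCORE = {"low": 1, "medium": 2, "high": 3}            # assumed ordinal encoding
CLASS_SCORE = {"normal": 1, "important": 2, "critical": 3}  # assumed ordinal encoding
VULN_TYPES = {"bug", "configuration_compliance", "policy_effectiveness"}
THREAT_TYPES = {"irregularities", "attack_alerts"}

# Constructed raw records: "type" is the Table I data type, "ip" ties a record to an asset.
RAW_RECORDS = [
    {"type": "asset_information", "ip": "10.0.0.5", "name": "hmi-01",
     "asset_type": "HMI", "asset_class": "critical"},
    {"type": "asset_information", "ip": "10.0.0.9", "name": "ws-02",
     "asset_type": "Workstation", "asset_class": "normal"},
    {"type": "bug", "ip": "10.0.0.5", "source": "scanner",
     "name": "weak-ssh-cipher", "level": "high"},
    {"type": "configuration_compliance", "ip": "10.0.0.5", "source": "baseline",
     "name": "telnet-enabled", "level": "medium"},
    {"type": "policy_effectiveness", "ip": "10.0.0.9", "source": "audit",
     "name": "password-policy", "level": "low"},
    {"type": "irregularities", "ip": "10.0.0.9", "source": "ids",
     "name": "off-hours-login", "level": "medium"},
    {"type": "attack_alerts", "ip": "10.0.0.5", "source": "ids",
     "name": "bruteforce-ssh", "level": "high"},
    {"type": "attack_alerts", "ip": "10.0.0.5", "source": "ids",
     "name": "bruteforce-ssh", "level": "high"},
    {"type": "attack_alerts", "ip": "10.0.0.9", "source": "waf",
     "name": "sqli-attempt", "level": "low"},
    {"type": "heartbeat", "ip": "10.0.0.9"},   # not one of the six types: filtered out
]


def _new_asset(ip):
    return {
        "importance": {"asset_ip": ip, "asset_name": None,
                       "asset_type": None, "asset_class": "normal"},
        "vulnerability": {"times": 0, "level": 0, "sources": set(), "names": set()},
        "threat": {"times": 0, "level": 0, "sources": set(), "names": set()},
    }


def _aggregate(element, record):
    """Count occurrences (Times), keep the highest Level, collect Source and Name."""
    element["times"] += 1
    element["level"] = max(element["level"], LEVEL_SCORE.get(record["level"], 0))
    element["sources"].add(record["source"])
    element["names"].add(record["name"])


def extract_situation_elements(records):
    """Group records by asset and aggregate them into the three situation elements."""
    assets = {}
    for r in records:
        asset = assets.setdefault(r["ip"], _new_asset(r["ip"]))
        if r["type"] == "asset_information":
            asset["importance"].update(asset_name=r["name"],
                                       asset_type=r["asset_type"],
                                       asset_class=r["asset_class"])
        elif r["type"] in VULN_TYPES:
            _aggregate(asset["vulnerability"], r)
        elif r["type"] in THREAT_TYPES:
            _aggregate(asset["threat"], r)
        # any other record type is filtered out here
    return assets


def to_vector(asset):
    """Numeric attributes: [importance, vuln times, vuln level, threat times, threat level]."""
    v, t = asset["vulnerability"], asset["threat"]
    return [CLASS_SCORE[asset["importance"]["asset_class"]],
            v["times"], v["level"], t["times"], t["level"]]


def min_max_normalize(vectors):
    """Scale every column to [0, 1]; a constant column becomes 0.0 instead of dividing by zero."""
    cols = list(zip(*vectors))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    return [[(x - l) / (h - l) if h > l else 0.0 for x, l, h in zip(vec, lo, hi)]
            for vec in vectors]


def build_dataset(records):
    """Return (asset ips, normalized element vectors) ready to feed a model."""
    assets = extract_situation_elements(records)
    ips = sorted(assets)
    return ips, min_max_normalize([to_vector(assets[ip]) for ip in ips])


if __name__ == "__main__":
    for ip, vec in zip(*build_dataset(RAW_RECORDS)):
        print(ip, vec)
```

The aggregation is deliberately lossy (counts, maxima and sets), which is what makes the elements comparable across assets; the raw alert text stays in the data warehouse and only the derived attributes become model input.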
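The TPR-FPR comparison of Section 3.2 (Figure 5), as an added example that is not the paper's code: the curve points are obtained by sweeping a threshold over the prediction scores, the area under the curve gives one number per model so two models can be compared, and for the k-class Softmax output each class is scored one-versus-rest. Tied scores are handled by moving the threshold past all equal scores at once. The scores, labels and probability rows are constructed sample data.

```python
def tpr_fpr_curve(scores, labels):
    """Return [(fpr, tpr), ...] from (0, 0) to (1, 1) by sweeping a threshold
    downward over the scores; labels are 1 for positive, 0 for negative."""
    pos = sum(labels)
    neg = len(labels) - pos
    if pos == 0 or neg == 0:
        raise ValueError("need at least one positive and one negative label")
    order = sorted(range(len(scores)), key=lambda i: -scores[i])
    points = [(0.0, 0.0)]
    tp = fp = 0
    i = 0
    while i < len(order):
        current = scores[order[i]]
        # advance through every item that shares the current score (ties)
        while i < len(order) and scores[order[i]] == current:
            if labels[order[i]]:
                tp += 1
            else:
                fp += 1
            i += 1
        points.append((fp / neg, tp / pos))
    return points


def auc(points):
    """Trapezoidal area under a (fpr, tpr) curve."""
    area = 0.0
    for (x0, y0), (x1, y1) in zip(points, points[1:]):
        area += (x1 - x0) * (y0 + y1) / 2.0
    return area


def one_vs_rest_curves(prob_rows, labels, k):
    """Per-class TPR-FPR curves for a k-class Softmax output: class c is the
    positive class and every other class is negative."""
    return {c: tpr_fpr_curve([row[c] for row in prob_rows],
                             [1 if y == c else 0 for y in labels])
            for c in range(k)}


def macro_auc(prob_rows, labels, k):
    curves = one_vs_rest_curves(prob_rows, labels, k)
    return sum(auc(curve) for curve in curves.values()) / k


# Constructed binary scores (e.g. the binary model's "under attack" probability).
BINARY_SCORES = [0.9, 0.8, 0.7, 0.6, 0.55, 0.4, 0.3, 0.2]
BINARY_LABELS = [1, 1, 0, 1, 1, 0, 0, 0]

# Constructed 3-class Softmax rows for the multi-classification model.
MULTI_PROBS = [[0.7, 0.2, 0.1], [0.6, 0.3, 0.1], [0.2, 0.6, 0.2],
               [0.1, 0.7, 0.2], [0.2, 0.2, 0.6], [0.3, 0.1, 0.6]]
MULTI_LABELS = [0, 0, 1, 1, 2, 2]

if __name__ == "__main__":
    print("binary AUC:", auc(tpr_fpr_curve(BINARY_SCORES, BINARY_LABELS)))
    print("multi-class macro AUC:", macro_auc(MULTI_PROBS, MULTI_LABELS, 3))
```

With 100-element samples as in Section 3.2 the curve has at most 101 points, so comparing the two models by their areas is more robust than eyeballing where one curve sits above the other.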
Acknowledgements

This work was supported by State Grid R&D project under Grant No. SGRIXTKJ [2017] 133.

References

[1] X.-Z. Chen, Q.-H. Zheng, X.-H. Guan, and C.-G. Lin, Quantitative hierarchical threat evaluation model for network security, Journal of Software, vol. 17, no. 4, pp. 885–897, 2006.
[2] R.-r. Xi, X.-c. Yun, Y.-Z. Zhang, and Z.-y. Hao, An improved quantitative evaluation method for network security, Chinese Journal of Computers, vol. 38, no. 4, pp. 749–758, 2015.
[3] E. U. Opara and O. A. Soluade, Straddling the next cyber frontier: The empirical analysis on network security, exploits, and vulnerabilities, International Journal of Electronics and Information Engineering, vol. 3, no. 1, pp. 10–18, 2015.
[4] A. Tayal, N. Mishra, and S. Sharma, Active monitoring & postmortem forensic analysis of network threats: A survey, International Journal of Electronics and Information Engineering, vol. 6, no. 1, pp. 49–59, 2017.
[5] T. Bass, Intrusion detection systems and multisensor data fusion, Communications of the ACM, vol. 43, no. 4, pp. 99–105, 2000.
[6] M. R. Endsley, Toward a theory of situation awareness in dynamic systems, Human Factors, vol. 37, no. 1, pp. 32–64, 1995.