

A Security Situation Awareness System based on Wide & Deep

Last updated on March 1, 2021, 7:12 a.m. by talha





The authors have proposed a system that reduces the time needed to predict security situations. The model was built in the Tensorflow framework, and the PRelu activation function was used to make the model fit the data better. A softmax loss function was added to improve performance and accuracy. The authors implemented a prototype and evaluated the effectiveness and usability of the situation awareness it provides. This evaluation was done with the help of a database provided by a safety monitoring system deployed at State Grid Corporation of China.



Network security situation awareness provides the basis for the decision analysis of network security administrators. It improves the capabilities of network monitoring, emergency response, and predicting the development trend of a network. Many enterprises run security defense systems that have low accuracy and a long response time. Traditional systems also require data to arrive regularly and in large volumes, which limits how effectively they secure the network. A wide & deep learning model in the Tensorflow framework is proposed for network security situation awareness, structured as a distributed cluster model.


System Design:

In the paper, the authors extract an enterprise security dataset.
The dataset consists of the following:

  1. bugs

  2. configuration compliance

  3. policy effectiveness

  4. irregularities

  5. attack alerts

  6. asset information


The situation awareness problem has mathematical properties such as nonlinearity, randomness, and ambiguity. Therefore, a dedicated situational model is needed. This situational model consists of a distributed cluster model and a wide and deep learning model.

Distributed Cluster Model:

(Figure: Distributed cluster model)

The distributed cluster model consists of two types of copying:

  1. Inter-graph copying

  2. Intra-graph copying


As shown in the diagram, the model consists of three parts (clients, a master node, and slave nodes) together with a parameter server. The slave nodes are responsible for building and running the graph. Building the graph and running the graph are done independently of each other.

The master node is scheduled by the client; this scheduling is called a dispatch scheduling request, and the slave nodes of the model are included in this request. The parameter server stores the model parameters and gradients, and performs operations such as saving model variables and updating gradients. The parameter server consists of multiple machines.

Each parameter server corresponds to one task calculation unit of slave nodes.


Multiple jobs are run on this distributed cluster model. Each job is a combination of tasks, and one job can be distributed across multiple hardware devices. The basic flow is that the client initiates the request, the distributed cluster model performs the operations, and the result is returned to the client.


Wide and Deep Model:



(Figure: Wide and deep learning model)


Since the distributed model consists of multiple nodes, each single node runs a mathematical model which the authors refer to as the Wide and Deep learning model. This model is implemented in Tensorflow. The wide model is a linear model over high-dimensional features and feature combinations (crosses). It is able to memorize various types of rules and can be applied to large-scale scenarios.

The deep model is a deep learning model consisting of a number of layers. The output of one layer is passed as input to the next, until the last layer is reached.

By combining the wide and deep models, the system gains both memorization and generalization, and useless features can be removed.


Situation Prediction:


Tensorflow is used to implement the model described above. A pipeline system handles preprocessing, organizing the data in the form the model expects, and similar steps.

As the paper's figure shows, the loss function is used to improve the performance of the model and increase the accuracy of its predictions.

There are two types of features:

  1. Discrete features

  2. Continuous features


On the deep side, discrete features are converted into the same dense format as the continuous features with the help of an embedding layer. The two kinds of features are then concatenated and passed through the activation function. On the wide side, discrete features are combined using a vector cross (feature cross) operation. Both sides feed into the loss function, and the output is generated.
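The data flow just described (embedding of discrete features and concatenation with continuous ones on the deep side, a feature cross on the wide side, PReLU in the hidden layer, and a softmax over the summed logits), as an added pure-Python illustration that is not the paper's Tensorflow code. The feature names, class labels and sample record are constructed, and the weights are random and untrained, so the probabilities only demonstrate the architecture, not the paper's results.

```python
# Added illustration, not the paper's TensorFlow code: forward pass of a wide & deep
# situation classifier with random (seeded, untrained) weights, showing the data flow.
import math, random

SITUATION_CLASSES = ["normal", "low", "medium", "high"]   # constructed labels
VOCAB = {"asset_type": ["server", "switch", "hmi"],        # constructed discrete features
         "alert_type": ["none", "scan", "bruteforce", "malware"]}
N_CONT, EMB_DIM, HIDDEN, N_CROSS = 2, 4, 8, 16            # two continuous inputs per record
rnd = random.Random(0)

def matrix(rows, cols):
    return [[rnd.gauss(0, 0.1) for _ in range(cols)] for _ in range(rows)]

EMB = {n: matrix(len(v), EMB_DIM) for n, v in VOCAB.items()}  # deep side: embedding tables
W1 = matrix(len(VOCAB) * EMB_DIM + N_CONT, HIDDEN)             # deep hidden layer
W2 = matrix(HIDDEN, len(SITUATION_CLASSES))                    # deep output layer
W_WIDE = matrix(N_CROSS, len(SITUATION_CLASSES))               # wide side: one row per cross bucket
ALPHA = [0.25] * HIDDEN                                         # PReLU slope, learnable per unit

def matvec(x, w):
    return [sum(xi * w[i][j] for i, xi in enumerate(x)) for j in range(len(w[0]))]

def prelu(x, alpha):
    """PReLU: identity for x >= 0, alpha*x below 0; alpha is learned (unlike leaky ReLU)."""
    return [xi if xi >= 0 else a * xi for xi, a in zip(x, alpha)]

def softmax(z):
    m = max(z)                                 # subtract the max for numerical stability
    e = [math.exp(zi - m) for zi in z]
    return [ei / sum(e) for ei in e]

def cross_bucket(rec):
    """Wide side: asset_type x alert_type feature cross, hashed into N_CROSS buckets."""
    key = rec["asset_type"] + "_x_" + rec["alert_type"]
    return sum((i + 1) * ord(c) for i, c in enumerate(key)) % N_CROSS

def predict(rec):
    """Class probabilities for one record holding discrete values and a continuous vector."""
    deep_in = []
    for name in VOCAB:                         # embedding lookup for each discrete feature
        deep_in += EMB[name][VOCAB[name].index(rec[name])]
    deep_in += [float(c) for c in rec["continuous"]]   # concatenate continuous features
    hidden = prelu(matvec(deep_in, W1), ALPHA)
    deep_logits = matvec(hidden, W2)
    wide_logits = W_WIDE[cross_bucket(rec)]   # one-hot cross bucket -> single weight row
    return softmax([d + w for d, w in zip(deep_logits, wide_logits)])

# Constructed sample record: an HMI asset with a malware alert, compliance 0.4, 7 irregularities.
SAMPLE = {"asset_type": "hmi", "alert_type": "malware", "continuous": [0.4, 7]}
```

Calling `predict(SAMPLE)` returns one probability per class; training the weights against labelled situations is the step the paper performs in Tensorflow and is omitted here.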


Related work:

Bass et al. of the US Air Force Communications and Information Center first proposed applying situation awareness technology to the results of multiple NIDS in 1999. However, that work did not give a clear definition of the concept of network security situation awareness; it only emphasized that data fusion is the core means of situation awareness.

Some researchers discuss the concept of network security situation awareness, understood as acquiring, understanding, displaying, and predicting the future development trend of the security elements that can change the network situation in a large-scale network environment. However, it is difficult to obtain the network security situation accurately in a large-scale network.


The authors proposed a distributed cluster model based on a wide and deep model for the security situation system, and introduced the PRelu function. The experiments carried out by the authors indicate a reduction in situation prediction time.


Area of paper: Security and Machine Learning


Type of paper: Conference

