Research on Intelligent Analysis Technology of Network Security Risk Based on Big Data

Aiming at the severity and distribution of abnormal behaviour, attack behaviour, compliance, and vulnerability of equipment in the power information system, this article applies big data technology to analyse and evaluate abnormal behaviour in the network, and uses machine learning to improve the ability to identify network security risks and the accuracy of assessments, providing strong guarantees and technical support for improving the security and reliability of power information systems.

IOP Publishing doi: 10.1088/1742-6596/1792/1/012036

of the original network traffic, and use deep belief networks to classify features, which have also achieved certain results. Xie Peng, Li Jianhua and others [5] used the Bayesian network analysis method to analyse network security. This method has achieved good results, but it lacks the calculation of the posterior probability of abnormal events.
Chen Xiaojun et al. [7] derived the probability of occurrence of the event through an abnormal event. This method solves the problem that Xie Peng et al. did not calculate the posterior probability of an abnormal event, but it ignores the impact of the posterior probability of the node associated with the event.
Ma Chunguang et al. [9] used Bayesian methods to identify and evaluate the network, but as the number of nodes in the network increases, the computational complexity increases exponentially, and timely identification and evaluation may not be possible.
Based on the above analysis, this paper uses the support vector machine algorithm in machine learning to conduct intelligent analysis and research on network security risks.

Comparison of algorithms
KNN can be said to be one of the simplest classification algorithms. At the same time, it is also one of the most commonly used classification algorithms. The full name of KNN is K Nearest Neighbours. KNN performs classification by measuring the distance between different feature values. The idea of the KNN algorithm is very simple: for any n-dimensional input vector, it corresponds to a point in the feature space, and the output is the category label or predicted value corresponding to the feature vector.
The KNN algorithm is a very special machine learning algorithm because it has no learning process in the general sense. Its working principle is to use training data to divide the feature vector space and use the result of the division as the final algorithm model. There is a sample data set, also called a training sample set, and each sample in the set has a label, that is, we know the correspondence between each sample and its classification. After unlabelled data is input, each feature of the unlabelled data is compared with the corresponding feature of the data in the sample set, and the classification label of the sample with the closest features (the nearest neighbour) is extracted. Generally speaking, we only select the first k most similar samples in the sample data set, which is the origin of K in the KNN algorithm, and finally select the category that occurs most often among the k most similar samples as the classification of the new data.
But the disadvantage of the KNN algorithm is that it is not sensitive enough to special points, and in the power system every abnormal point can pose a huge threat to the system, so the KNN algorithm is not suitable for the power information system.
The decision tree model is a tree structure composed of nodes and directed edges. There are two types of nodes: internal nodes and leaf nodes. Internal nodes represent a feature or attribute, and leaf nodes represent a class. A decision tree is a predictive analysis model expressed in the form of a tree structure (including binary trees and polytrees). The decision tree algorithm classifies each situation by following a path from the root node to a leaf node; the leaf node is the classification of that situation. The shortcoming of the decision tree algorithm is that it is prone to over-fitting. If over-fitting occurs on the power grid information, it may lead to inaccurate judgments of abnormal conditions in the power grid information system, leading to system failure.

Selection of SVM model
The detection and evaluation of abnormal behaviours in the power information system can be regarded as a classification process and a supervised learning process. Therefore, the support vector machine (SVM) algorithm in machine learning can be used to classify abnormal behaviours, and the relationship between abnormal behaviour categories and attack behaviours can be found through classification. The modelling process using support vector machines is shown in Figure 1. The generalization and learning capabilities of support vector machines are stronger than those of other machine learning algorithms, and they are suitable for solving global optimal solutions. They are widely used in network security risk identification and assessment. Different hyperplanes and classification functions can be obtained according to different kernel functions, and the method is suitable for small sample data sets.
The basic idea of SVM learning is to solve for the separating hyperplane that correctly divides the training data set and has the largest geometric interval. Figure 1 below shows the separating hyperplane (linearly separable case).

Figure 2. SVM schematic
Because the abnormal behaviour in the power system is affected by many factors, we use the nonlinear support vector machine algorithm. The processing of the nonlinear support vector machine algorithm is generally as follows:

Input: training data set

$$T = \{(x_1, y_1), (x_2, y_2), \ldots, (x_N, y_N)\}, \quad x_i \in \mathbb{R}^n,\; y_i \in \{+1, -1\},\; i = 1, 2, \ldots, N \tag{2}$$

Output: separating hyperplane and classification decision function.

(1) Select an appropriate kernel function $K(x, z)$ and penalty parameter $C > 0$, then construct and solve the convex quadratic programming problem

$$\text{s.t.} \quad \sum_{i=1}^{N} \alpha_i y_i = 0 \tag{3}$$

Classification decision function:

Commonly used kernel function, Gaussian kernel function:

The corresponding SVM is a Gaussian radial basis function classifier. In this case, the classification decision function is:
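The following is an added example, not code from the paper: a small Gaussian-kernel SVM trained on the dual problem, showing how the constraint $\sum_i \alpha_i y_i = 0$ and the bound $0 \le \alpha_i \le C$ are kept during training. The solver (pairwise coordinate ascent, a simplified SMO), the values of `C` and `gamma`, and the four constructed samples are assumptions; the paper does not name a solver or its parameters.

```python
import math

def rbf(x, z, gamma):
    """Gaussian kernel K(x, z) = exp(-gamma * ||x - z||^2)."""
    return math.exp(-gamma * sum((a - b) ** 2 for a, b in zip(x, z)))

def train(X, y, C=10.0, gamma=1.0, passes=200, tol=1e-8):
    """Maximise the SVM dual by pairwise coordinate ascent (simplified SMO).
    Every step moves two multipliers together, so sum(alpha_i * y_i) = 0 and
    0 <= alpha_i <= C hold throughout. The solver choice is an assumption."""
    n = len(X)
    K = [[rbf(X[i], X[j], gamma) for j in range(n)] for i in range(n)]
    alpha = [0.0] * n
    g = lambda m: sum(alpha[k] * y[k] * K[k][m] for k in range(n))  # f(x_m) - b
    for _ in range(passes):
        moved = False
        for i in range(n):
            for j in range(i + 1, n):
                if y[i] != y[j]:
                    lo, hi = max(0.0, alpha[j] - alpha[i]), min(C, C + alpha[j] - alpha[i])
                else:
                    lo, hi = max(0.0, alpha[i] + alpha[j] - C), min(C, alpha[i] + alpha[j])
                eta = K[i][i] + K[j][j] - 2.0 * K[i][j]
                if hi - lo < tol or eta < tol:
                    continue  # pair cannot move (box is empty or points coincide)
                step = y[j] * ((g(i) - y[i]) - (g(j) - y[j])) / eta
                new_j = min(hi, max(lo, alpha[j] + step))
                if abs(new_j - alpha[j]) < tol:
                    continue
                alpha[i] += y[i] * y[j] * (alpha[j] - new_j)  # keeps sum(alpha*y) fixed
                alpha[j] = new_j
                moved = True
        if not moved:
            break
    free = [k for k in range(n) if tol < alpha[k] < C - tol] or list(range(n))
    b = sum(y[k] - g(k) for k in free) / len(free)  # bias from margin vectors
    return alpha, b

def predict(X, y, alpha, b, gamma, x):
    """Decision function sign(sum_i alpha_i * y_i * K(x_i, x) + b)."""
    s = sum(a * yi * rbf(xi, x, gamma) for a, yi, xi in zip(alpha, y, X)) + b
    return 1 if s >= 0 else -1

# Constructed samples: two features scaled to [0, 1]; +1 = abnormal, -1 = normal.
# The abnormal class cannot be separated from the normal one by a straight line.
X = [(0.0, 0.0), (1.0, 1.0), (0.0, 1.0), (1.0, 0.0)]
Y = [-1, -1, 1, 1]
ALPHA, B = train(X, Y)
```

With a linear kernel no hyperplane separates these four points; the Gaussian kernel does, and all four end up as support vectors with equal multipliers.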

Data set processing
The experimental data comes from the network information captured in the power system. There are a total of 5000 network data records. 3000 of them are taken as a training set to build the model, and 2000 are used as a test set to test and evaluate the model and to judge the model's evaluation of abnormal behaviour of the power network.
Since the data provided in the power system may have missing and abnormal situations, we use feature engineering methods to process the data to make the data set better adapt to the SVM algorithm and train a better model. Data pre-processing generally includes four processes, namely data cleaning, data integration, data transformation, and data specification.
Data cleaning generally means processing missing values, usually by filling them with the mean, median, or mode. Here we use the mean method, and for outliers we use deletion or mean value replacement for correction. Data integration mainly merges data: for example, when records are basically the same, leaving them unmerged may cause data redundancy and increase the training time of the model. Data transformation can be applied according to specific data features, for example squaring, taking roots, and taking logarithms. Data specification mainly normalizes the data. For example, the data range provided in the power information system is too large, so we can use normalization to reduce the data to a smaller range. On the one hand, this reduces the model training time; on the other hand, it improves model generalization performance.
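The following is an added example, not code from the paper, covering three of the steps above: merging duplicate records, mean-filling missing values, and min-max normalization. The feature names and records are constructed, and fitting the statistics on the training split only (then reusing them on the test split) is an assumption about how the 3000/2000 split would be handled.

```python
def merge_duplicates(rows):
    """Data integration: keep one copy of each identical record, in order."""
    seen, out = set(), []
    for row in rows:
        key = tuple(row)
        if key not in seen:
            seen.add(key)
            out.append(list(row))
    return out

def fit(train_rows):
    """Learn column mean, min and max from observed training values only."""
    params = []
    for col in zip(*train_rows):
        seen = [v for v in col if v is not None]
        params.append((sum(seen) / len(seen), min(seen), max(seen)))
    return params

def transform(rows, params):
    """Mean-fill missing values, then min-max scale into [0, 1].
    Values outside the training range are clipped; constant columns map to 0."""
    out = []
    for row in rows:
        scaled = []
        for v, (mean, lo, hi) in zip(row, params):
            v = mean if v is None else v
            scaled.append(0.0 if hi == lo else min(1.0, max(0.0, (v - lo) / (hi - lo))))
        out.append(scaled)
    return out

# Constructed records: [packets per second, failed logins]; None = missing value.
TRAIN = [[100.0, 2.0], [300.0, None], [100.0, 2.0], [200.0, 6.0], [None, 4.0]]
TEST = [[400.0, None], [150.0, 3.0]]

def run():
    train = merge_duplicates(TRAIN)      # the repeated [100.0, 2.0] is dropped
    params = fit(train)                  # statistics come from training data only
    return transform(train, params), transform(TEST, params)
```

Reusing the training statistics on the test records keeps test-set information out of the model; the test value 400.0 lies above the training maximum and is clipped to 1.0.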

Evaluation index
The evaluation indicators used in the thesis are precision rate and recall rate. The accuracy rate is the ratio of correctly predicted samples to the total number of samples. The recall rate is the ratio of correctly predicted positive samples to all positive samples. Since the power information system data used in this paper is multi-category, the detection is actually a multi-category task. Therefore

Experimental results
In the experiment, the 3000 training records are used for training, and k-fold cross-validation is used during training to prevent over-fitting. The SVM model is set to iterate 10,000 times during training. The loss function is used to evaluate the difference between the predicted value of the model and the true value. The better the loss function, the better the performance of the model. The loss function used by different models is generally different. Loss functions are divided into empirical risk loss functions and structural risk loss functions. The empirical risk loss function refers to the difference between the predicted result and the actual result, and the structural risk loss function refers to the empirical risk loss function plus the regular term. This article uses the empirical risk loss function.
The following figure is the loss value curve of different categories on the data set. It can be seen that when the number of iterations reaches 10,000 times, the model has achieved good results. The results are shown in Figure 4 below.
In the experiment, the traditional method based on keywords and the deep learning method based on a convolutional network are also used. These two methods are compared with the SVM method, and the experimental results on the same test set are shown in Table 1 below. It can be seen that the SVM classification method has achieved good results with the same samples.

Conclusions
With the complexity of the network environment, the network security in the power information system has attracted more and more attention. How to detect abnormal behaviours in the power system and their distribution is becoming more and more important. The detection of abnormal behaviours and attack behaviours in network security can generally be divided into four types, based on classification, statistics, clustering and information theory. According to the different processing methods of data characteristics, it can be divided into three different situations based on machine learning, deep learning and traditional methods using keywords. This article uses the SVM algorithm in machine learning to conduct intelligent analysis and research on network security risks. Compared with the keyword-based method, the operation steps are reduced and the accuracy is improved. Compared with the deep learning method, the complexity of the network security risk analysis model is reduced. From the experimental results, it can be seen that the SVM-based classifier detects abnormal behaviour in the power information system, and the accuracy and recall rate have been significantly improved compared with the other two methods. Therefore, good results have been