Article

Network Situation Assessment Method Based on Improved BP Neural Network

1 School of Computer Science and Engineering, Xi’an Technological University, Xi’an 710021, China
2 School of Physics and Information Technology, Shaanxi Normal University, Xi’an 710062, China
* Author to whom correspondence should be addressed.
Electronics 2023, 12(3), 483; https://doi.org/10.3390/electronics12030483
Submission received: 21 November 2022 / Revised: 23 December 2022 / Accepted: 12 January 2023 / Published: 17 January 2023
(This article belongs to the Section Networks)

Abstract

Although a software defined network (SDN) realizes the flexible configuration and centralized control of network resources, there are potential security risks and challenges. Network security situation awareness (NSSA) technology associates and integrates multi-source heterogeneous information to analyze the impact of the information on the whole network, and network security situation assessment can grasp the network security situation information in real time. However, the existing situation assessment methods have low assessment accuracy, and most of the studies focus on traditional networks, while there are few situation assessment studies in the SDN environment. In this paper, by summarizing the important index parameters of SDN, a network security situation assessment model based on the improved back propagation (BP) neural network (based on the cuckoo search algorithm) is proposed, and the step factor of the cuckoo search algorithm (CS) was improved to improve the search accuracy. The model maps the situation elements to the layers of the neural network, and optimizes the weights and thresholds of the BP neural network through the cuckoo search algorithm to obtain the global optimal solution; it finally realizes the purpose of situation assessment and the comprehensive rating of the SDN environment. In this paper, the evaluation model was verified on the network set up in Mininet. The experimental results show that the situation assessment curve of this model is closer to the real situation value, and the accuracy rate is 97.61%, with good situation assessment results.

1. Introduction

With the gradual expansion of the network scale, the distributed control architecture of a traditional network has become difficult to manage and complicated to maintain. The software-defined network decouples the software and hardware of the network, separates the data plane from the control plane, controls devices through the controller, and changes forwarding behavior through the flow table. Although SDN optimizes traditional network architectures, this open, centralized, programmable architecture is also subject to security threats [1]. As a result, network managers need intelligent means to obtain the current state of the network in a timely and accurate manner, to predict the evolution trend of the network’s security state in advance, and to formulate corresponding strategies to deal with threat events in the network.
Researchers have proposed a variety of network security defenses, such as intrusion detection technology, virus protection technology, firewall technology, data encryption technology, and physical security technologies, in light of the numerous factors that influence network security. These technologies attempt to discover, understand, and report to administrators any network security problems that may exist [2]. Although each approach has its own benefits, they all fall under the category of passive defense and are unrelated to one another; therefore, they are unable to deal with network threats in a holistic and intuitive manner. Therefore, network managers need intelligent means to timely and accurately obtain the current status of the network and to predict the evolution trend of the network’s security status in advance. NSSA [3] makes comprehensive judgments on the collected network information, such as the network devices, link status, user behaviors, and security events. The comprehensive quantitative evaluation of the situation and security level of SDN by using the situation indicators shows the overall operating status of the network to the managers in a visual way.
As the core step of network security situation awareness, network security situation assessment establishes an appropriate assessment model on the basis of the constructed situation index system, completes the model training of situation data, and then uses the model to reflect the results of the security situation and assessment level, to evaluate the security degree of the network’s environment. The hardware and software equipment of each layer in the network environment involve a complex linear system, and there is uncertainty among various situation indicators. The BP neural network has a strong nonlinear mapping ability, which can find rules from massive data, and it has high evaluation efficiency. Therefore, this paper chose the BP neural network for the network security situation assessment. In this paper, based on the characteristics of SDN, 16 situation indicators that reflect the running states of SDN were extracted, and the cuckoo search algorithm was used to improve the BP neural network; the improved neural network was quantitatively evaluated to obtain the situation value and the security level of the current network.
The contributions made in this paper are as follows:
(1) A network security situation assessment index system based on SDN was constructed. Based on the existing index system, key factors characterizing the operating environment of SDN are introduced; the situation indicators are divided into first-level indicators and second-level indicators for quantitative evaluation.
(2) The network security situation assessment model based on CS-BPNN is proposed; the second-level indicators were used as the input of the BP neural network. The training of datasets proves that the improved BP neural network has good situation assessment ability.
(3) The cuckoo search algorithm was used to optimize the weights and thresholds of the BP neural network to obtain the global optimal solution, and the step size factor of the individual sparrow in the Levy flight was optimized to improve the search accuracy of the cuckoo search algorithm.
The remainder of this paper is structured as follows: Section 2 presents related work; Section 3 presents the network situation awareness model and introduces the implementation of the improved BP neural network assessment model. Section 4 presents our simulation experiments and compares the different algorithms, and Section 5 proposes future research directions.

2. Related Work

2.1. Network Security Situational Awareness Model

Researchers have conducted extensive research on the network situational awareness model and proposed classical situational awareness models, such as the Joint Directors of Laboratories (JDL) model, Endsley model, and Boyd control cycle model [4]. The author of [5] proposed a formal model of the SDN network’s vulnerability propagation based on Bio-PEPA, and analyzed the network vulnerability propagation mechanism from two dimensions (horizontal and vertical). The authors of [6] designed the network situation awareness model based on SDN, and realized the awareness and assessment of the network, host, and service situations through JDL multi-sensor data fusion. After analyzing the security requirements of SDN, the authors of [7] proposed a staged network situation awareness model based on SDN. The authors of [8] used the flow rules of SDN to dynamically slice the network, and proposed a network situation assessment model based on machine learning. The authors of [9] studied the existing framework of network security situation awareness from the logical level, proposed a five-stage network situation awareness model, and made a horizontal comparison of mainstream methods. Table 1 shows the relevant research on the network security situational awareness model.

2.2. Network Security Situation Assessment Algorithm

At present, network situation assessment models can be divided into three categories: mathematical models, stochastic models, and biologically inspired models. A single evaluation model has certain limitations, so many scholars combine multiple algorithms so that they optimize and complement one another. The authors of [10] proposed a fuzzy comprehensive evaluation model, which combines the analytic hierarchy process (AHP) and fuzzy evaluation method to evaluate the network security situation. In Reference [11], a network security risk assessment model based on fuzzy theory, particle swarm optimization (PSO), and the radial basis function (RBF) neural network was proposed. The results show that the fuzzy theory prediction model using the PSO-RBF neural network has faster and more effective evaluation results than the fuzzy theory prediction model only using the RBF neural network. The authors of [12] proposed a network security assessment method based on the improved Dempster–Shafer evidence theory (DST) to evaluate the network situation level of host nodes in the network. The author of [13] rapidly collected network information from a data plane through an SDN controller, and then quantified the information with the Bayesian theory to obtain trust values of various attacks, so as to calculate the network security situation. The authors of [14] used the programmable characteristics of SDN to collect data packets, traffic, and equipment information from the network, and used the hidden Markov model (HMM)-weighted summation to quantify the network status and situation assessment. The authors of [15] proposed a network security situation assessment method based on the improved artificial bee colony (ABC) optimization neural network, and the effectiveness of this method was verified through the established actual network environment.
The authors of [16], focusing on the accuracy and convergence of the existing network security situation assessment model needing to be improved, used the simulated annealing algorithm (SAA) and sparrow search algorithm (SSA) to improve the BP neural network (BPNN), and proposed a network security situation assessment model based on SAA-SSA-BPNN. The author of [17] designed attack index factors to reflect network attack behaviors, and used a genetic algorithm (GA) to optimize the weight of the BP neural network to achieve real-time statistics and monitoring of the network security state. Table 2 presents relevant research on the network security situation assessment model.

3. Network Security Situation Assessment Model Based on CS-BPNN

3.1. Hierarchical Network Situational Awareness Model

3.1.1. Hierarchical Network Situational Awareness Model Based on SDN

As the control center of the entire network, the SDN controller can achieve the purpose of controlling and managing all current network devices and network resources, collect real-time network traffic information and resource information from a global perspective, and detect the real-time security status of the network. This centralized management feature provides a new method for network security situational awareness [18]. In response to changes in the large-scale network environment, network security situation awareness technology analyzes the key elements that affect network operation, so that the network has comprehensive security awareness capabilities. Therefore, based on the classic network situational awareness model and combined with SDN technology, this paper proposes an SDN-based network situational awareness model (SNSAM), as shown in Figure 1.
The framework shown in Figure 1 collects and measures various data changes and status information of devices in SDN from underlying devices, evaluates the security situation and change trend of SDN through the situational awareness model, and obtains quantitative evaluation results. The model mainly includes the following modules.
(1) Data acquisition: obtains information about the SDN network environment, network equipment, switches, and controllers, such as data link and network status information.
(2) Data preprocessing: using dimensionless and normalization methods, raw data are analyzed to obtain the normalized dataset.
(3) Situation assessment: analyzes the pre-processed data and fuses the data of various network security elements to quantitatively describe the security situation of the system using a situation assessment algorithm.
(4) Situation prediction: combining historical and current data, the situation data of the network at any time is dynamically monitored, and the hidden unknown information is found by using the situation prediction algorithm, analyzing and predicting the future security situation changes of SDN at any time.
(5) Situation visualization: the dynamic display of the network running status in various ways is an intuitive embodiment of situation assessment and prediction, helping administrators better manage network resources and discover security threats.

3.1.2. The Construction of Index System

The traditional network security situation assessment methods mainly have two problems [19]. First, the data source is single, and only the security data provided by a single detection device is used to analyze the situation of the entire network. Second, the network security situation is only considered from the host node level, ignoring the impact of network links on the network security situation, resulting in a large deviation between the theoretical results of network security situation analysis and the actual situation. Based on the indicators proposed in references [20,21] and combined with the complexity, uncertainty, and dynamic characteristics of SDN, this paper establishes a multi-level situation indicator system. First, four main indicators were selected as the first-level indicators. These indicators require high independence and strong generality. Secondly, we selected secondary indicators as auxiliaries to describe the primary indicators. The network security situation assessment index system constructed in this paper is shown in Table 3.

3.1.3. Indicators of Quantitative

There are many kinds of factors that affect the security of a SDN network environment, and the raw data formats of these factors are different. As a result, this paper performs quantitative operations on the data collected, and some of the equations are as follows:
Definition 1.
Equation (1) is used to calculate the change rate of data traffic [22]. $P_i$ is the port number of the SDN switch; the number of sending bytes and transmission bytes of each port of the SDN switch are represented by tx and rx, respectively. The total amount of data on each port of the switch at moment t, $S_T$, is:
$$S_T = \sum_{i}^{n} P_i\,(tx + rx), \quad i = 1, 2, \ldots, n \tag{1}$$
The rate of change of network data volume at this time is NR:
$$NR = \frac{S_{T_i}}{\sum_{i=1}^{n} S_{T_i}} \times 100\% \tag{2}$$
Definition 2.
Packet_In and Packet_Out packet sending rates are among the controller’s indicators. The switch sends the Packet_In packet to the controller to report packets that do not match flow entries. The controller sends the Packet_Out packet to the switch, which contains the command to send the packet. If the SDN switch frequently reports to the controller the failure to match packets with flow entries, it will consume a large amount of network resources and have a significant impact on network traffic. The Packet_InRate rate represents the total number of Packet_In packets sent by all switches in one unit of time. The Packet_OutRate rate is the total number of Packet_Out packets sent by all switches in a unit of time, and N is the number of switches.
$$Packet\_InRate = \frac{\sum_{n} Packet\_InNumber_n}{T} \tag{3}$$
$$Packet\_OutRate = \frac{\sum_{n} Packet\_OutNumber_n}{T} \tag{4}$$
Definition 3.
The SDN controller delivers the port_stats message to obtain the status information of the switch port and calculate the used bandwidth and link utilization. Assume that the byte number sent and received by a port on the switch on time t1 and time t2 are bytes1 and bytes2, respectively; then the average port forwarding rate on time t1 and time t2 is:
$$\bar{p}_{speed} = \frac{bytes_1 - bytes_2}{t_1 - t_2} \tag{5}$$
If the bandwidth of this port is $P_{bw}$, the available bandwidth is:
$$P_{free} = P_{bw} - \bar{p}_{speed} \tag{6}$$
The available bandwidth of a link is the minimum available bandwidth of ports p1 and p2 connected to the link. If the available bandwidths of ports p1 and p2 are $pbw_{free\_p1}$ and $pbw_{free\_p2}$, the available bandwidth of the link is:
$$Linkbw_{free} = \min(pbw_{free\_p1}, pbw_{free\_p2}) \tag{7}$$
If the bandwidths of p1 and p2 are $pbw_{p1}$ and $pbw_{p2}$, the link bandwidth is:
$$Linkbw = \min(pbw_{p1}, pbw_{p2}) \tag{8}$$
The link utilization is:
$$Link_{utilization} = \frac{Linkbw_{free}}{Linkbw} \tag{9}$$
Definition 4.
The distribution of packets of different protocols on the network indicates the share of each protocol’s packets in the total number of packets. Assume that there are n protocol packets in the network, denoted as $p = \{p_1, p_2, \ldots, p_n\}$, where $p_i$ represents the number of packets of the i-th protocol; the distribution $x_i$ of the i-th protocol is:
$$x_i = \frac{p_i}{\sum_{j=1}^{n} p_j} \cdot 100\% \tag{10}$$

3.1.4. Network Security Situation Level

To maintain network security, corresponding strategies can be implemented based on the level of the network security. Existing research categorizes network security into three to five levels [23]. As shown in Table 4, this paper uses a value in the range 0~1 for the quantitative analysis of the situation assessment value of SDN, so as to achieve quantitative assessment and classification, and the security level of SDN is divided into four levels: severe danger, moderate danger, mild danger, and security.

3.2. Evaluation Model Based on the Improved BP Neural Network

3.2.1. BP Neural Network

The BP neural network, which is a type of multi-layer feed-forward neural network [24], creates a simplified biological model by mimicking the neural network structure of the human brain. It is akin to a “universal model + error correction function”, and its calculation process consists of the forward calculation process and reverse calculation process [25].
Because all security elements in the process of situation assessment are uncertain [26], the BP neural network can find potential laws through adaptive learning via continuous training of massive data and it has certain assessment ability. Generally speaking, the three-layer BP neural network can solve the problem of arbitrary precision approximation of any mapping relationship, and the training time is not too long [27]. As shown in Figure 2, it is a three-layer BP neural network situation assessment model.
Situation data input, situation mapping, and situation output make up the model. Each part’s function design is as follows.
(1) Input of situational data. The situation indicator system collects situation-related data in the SDN network at different times, and the secondary indicators are used as input data for the BP neural network.
(2) Data mapping for the situation. This part is made up of three layers: input, hidden, and output. The situation input data are used as the nodes of the input layer, the number of hidden layer nodes is determined using Equation (11) as shown below, and the hidden layer’s output is obtained through the hidden layer’s operation. The output layer’s result is used to determine the final situation value.
$$m = \sqrt{s + l} + \alpha \tag{11}$$
where m is the number of hidden layer nodes, s is the number of output layer nodes, l is the number of input nodes, and α is a constant between 1 and 10.
(3) Output of situation data. The value of the output layer is the result of the evaluation of indicators at each level, and its output range is [0, 1].

3.2.2. Improved BP Neural Network Evaluation Algorithm

In nature, cuckoos use random or quasi-random flight patterns to find the locations of their nests suitable for laying eggs. Inspired by the parasitic reproduction of cuckoos, Yang and Deb proposed the cuckoo search algorithm in 2009 [28]. This algorithm is an iterative search intelligent algorithm, which has the advantages of a simple structure, few parameters, and easy convergence to the global optimal solution. The cuckoo search algorithm has three rules:
(1) After laying eggs, each cuckoo will randomly select a nest in a location for hatching.
(2) Among the selected bird nests, the best bird’s nest will be kept to the next generation.
(3) The number of available nests is fixed, and the probability that the host cuckoo finds alien eggs is Pa, between 0 and 1. When the host cuckoo finds a foreign cuckoo egg, it will discard the cuckoo egg or rebuild a new nest.
In the cuckoo search algorithm, cuckoos jointly search for the optimal bird nest in the search space through Levy flight, and the position update formula of its individual is:
$$x_i^{t+1} = x_i^{t} + \alpha \otimes \mathrm{Levy}(\lambda) \tag{12}$$
where α is the step size factor, which is used to control the range of random search; ⊗ is the point-to-point product; $x_i^t$ is the position of the i-th cuckoo in the t-th generation; α ⊗ Levy(λ) is the Levy flight step length, which represents the flight distance from the i-th generation bird’s nest (feasible solution) to the i + 1-th generation bird’s nest (feasible solution) in the way of Levy random distribution.
Levy(λ) is the Levy flight search, representing a random search path, so it can be expressed as:
$$\mathrm{Levy}(\lambda) \sim u = t^{-\lambda}, \quad (1 < \lambda < 3) \tag{13}$$
where t represents the cuckoo’s flight time, λ represents the power coefficient, and u is the random step size.
After the above calculations, the new solution of this generation of cuckoos is obtained, and the fitness value is calculated to find the optimal cuckoo individual xi(t).
We use the following formula to generate Levy random numbers:
$$\mathrm{Levy}(\lambda) = \frac{\phi\, u}{|v|^{1/\beta}} \tag{14}$$
Among them, u and v obey the standard normal distributions, and σ is taken as 1.5.
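$$\phi = \left\{ \frac{\Gamma(1 + \sigma) \times \sin\left(\pi \times \frac{\sigma}{2}\right)}{\Gamma\left\{\left[\frac{1 + \sigma}{2}\right] \times \sigma \times 2^{\frac{\sigma - 1}{2}}\right\}} \right\}^{\frac{1}{\sigma}} \tag{15}$$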
In the above formula, Γ is the gamma function.
When the cuckoo updates the bird’s nest position through the Levy flight, it generates a random number and compares it with the discovery probability Pa. When the random number is greater than Pa, it indicates that the current cuckoo egg is found, and the position $X_i^{t+1}$ is changed by the preference random walk method, as follows:
$$X_i^{t+1} = X_i^{t} + r\,(X_j^{t} - X_k^{t}) \tag{16}$$
Among them, r is the control factor, and its value is between 0 and 1; $X_j^t$ and $X_k^t$ represent random solutions of the cuckoo in the t-th generation. When a population iteration is completed, the contemporary optimal solution and the corresponding fitness value will be retained, and then the above process will be repeated until the maximum number of iterations is reached, and the global optimal solution will be output.
According to Equation (12), parameter α has a significant influence on the step size control of the Levy flight [29]. However, in the original cuckoo search algorithm, parameter α is usually set as a constant (0.01), which cannot meet the search requirements in different search stages. Therefore, this paper proposes a logarithmic adaptive improvement for parameter α, calculated as:
$$\alpha = 0.5 - 0.499 \log_{T} t \tag{17}$$
Among them, T is the maximum number of iterations, and t is the current number of iterations. Parameter α is dynamically decreased from 0.5 to 0.001 with the algorithm search process. Compared with a fixed constant, a larger search step size in the early stage and a smaller search step size in the later stage are beneficial at improving the convergence speed and search accuracy.

3.3. Algorithm Process

Civicioglu P et al. [30] compared other swarm intelligence optimization algorithms (particle swarm algorithm, artificial bee colony algorithm) with the cuckoo search algorithm on benchmark functions, and the results show that, in finding the global optimal value of the benchmark functions, the cuckoo search algorithm has low time complexity and a high success rate of obtaining the optimal value.
Therefore, in view of the problems of randomly initializing the weights and thresholds of the BP neural network, which may cause the network to converge slowly and fall into local minima, this paper proposes a network situation assessment method based on the improved cuckoo search algorithm to optimize the BP neural network. The cuckoo search algorithm is used to search the network weights to improve the convergence speed of the weights, and to ensure the approximation accuracy of the network to the empirical data with the optimal solution. Algorithm 1’s process is as follows:
Step 1: Collect situation-related data of each node in the network, perform data preprocessing, and obtain training data;
Step 2: Randomly generate the bird’s nest position as the initial solution x(i), calculate the corresponding initial fitness value f(i), and record the current optimal function value;
Step 3: Use Levy flight to update the solution and calculate the corresponding fitness value f(j);
Step 4: Compare the fitness values of fi and fj. If fj is smaller, assign the fitness value and the solution represented by the egg to the original nest x(i).
Step 5: Determine whether the egg will be found. Compare the random number r with the maximum discovery probability Pa. If r > Pa, update the position of the cuckoo, and calculate and compare the fitness values of the new cuckoo individual and the original cuckoo individual. Retain the individual cuckoo with a larger fitness value; otherwise, it will not change;
Step 6: Rank the fitness values of each solution, and retain the solution with the optimal fitness value;
Step 7: Repeat steps 3–6 until the maximum number of iterations is reached or the termination conditions are satisfied; then the algorithm terminates;
Step 8: Use the training data to train the CS-BPNN model to complete the mapping of the situation data to the situation value. Next, input the situation index data into the trained CS-BPNN model, and finally obtain the network situation value.
Algorithm 1: CS-BPNN algorithm training process
Input: The number of nests n, the maximum number of iterations MaxGeneration, the maximum discovery probability Pa;
Output: optimal weight
1 Randomly split the train_set and test set
2 Randomly initialize all weights and thresholds in the range [0, 1]
  Randomly generate the initial solution x(i), calculate the corresponding initial fitness value f(i), and record the current optimal function value;
3 While iterations < N do
4  Get a cuckoo randomly
5  Use Levy flight to update the solution, and calculate the corresponding fitness value f(j);
6  if (fj < fi) then
7   Replace j by the new solution i
8  end if
9   A fraction (pa) of worse nests are abandoned
10   generate a random number r
11  if (r > pa) then
12   New nests/solutions are built/generated by Equation (16)
13  end if
14 Sort the fitness values of each solution, and retain the solution with the optimal fitness value
15 Update t←t + 1
16 End while
17 Train with training data
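The search loop of Algorithm 1 with the logarithmic step factor of Equation (17), followed by back-propagation training from the weights the search returns, as an added Python example (not the authors' implementation). The network size, the ±5 bound on weights, the parameter defaults, the constructed dataset, and the use of the standard Mantegna form for φ are assumptions made here.

```python
import math
import random

N_IN, N_HID = 4, 3                      # assumed sizes: 4 indicators, 3 hidden nodes
OUT = N_HID * (N_IN + 1)                # index where the output-layer weights start
DIM = OUT + N_HID + 1                   # every weight and threshold in one vector

def adaptive_alpha(t, max_gen):
    """Equation (17): alpha falls from 0.5 at t=1 to 0.001 at t=max_gen (max_gen > 1)."""
    return 0.5 - 0.499 * math.log(t, max_gen)

def levy_step(rng, beta=1.5):
    """phi * u / |v|^(1/beta) with u, v ~ N(0, 1); phi in the standard Mantegna form."""
    phi = (math.gamma(1 + beta) * math.sin(math.pi * beta / 2)
           / (math.gamma((1 + beta) / 2) * beta * 2 ** ((beta - 1) / 2))) ** (1 / beta)
    return phi * rng.gauss(0, 1) / (abs(rng.gauss(0, 1)) ** (1 / beta) + 1e-12)

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-max(-60.0, min(60.0, z))))

def forward(w, x):
    """Three-layer network: returns (hidden activations, output in [0, 1])."""
    hid = []
    for h in range(N_HID):
        row = h * (N_IN + 1)
        hid.append(sigmoid(w[row + N_IN] + sum(w[row + i] * x[i] for i in range(N_IN))))
    out = sigmoid(w[OUT + N_HID] + sum(w[OUT + h] * hid[h] for h in range(N_HID)))
    return hid, out

def mse(w, data):
    return sum((forward(w, x)[1] - y) ** 2 for x, y in data) / len(data)

def cuckoo_search(fitness, dim, n_nests=10, max_gen=100, pa=0.25, seed=7, bound=5.0):
    """Minimise fitness; returns (best nest, best fitness after each generation)."""
    rng = random.Random(seed)
    clip = lambda v: max(-bound, min(bound, v))
    nests = [[rng.random() for _ in range(dim)] for _ in range(n_nests)]  # init in [0, 1]
    fit = [fitness(n) for n in nests]
    history = [min(fit)]
    for t in range(1, max_gen + 1):
        alpha = adaptive_alpha(t, max_gen)
        for i in range(n_nests):
            # Equation (12): Levy flight; the new egg replaces the nest only if fitter.
            egg = [clip(x + alpha * levy_step(rng)) for x in nests[i]]
            f = fitness(egg)
            if f < fit[i]:
                nests[i], fit[i] = egg, f
            # Equation (16): the page runs the random walk when r > Pa.
            if rng.random() > pa:
                j, k = rng.sample(range(n_nests), 2)
                r = rng.random()
                egg = [clip(a + r * (b - c)) for a, b, c in zip(nests[i], nests[j], nests[k])]
                f = fitness(egg)
                if f < fit[i]:
                    nests[i], fit[i] = egg, f
        history.append(min(fit))
    return nests[fit.index(min(fit))], history

def train_bp(w, data, epochs=200, lr=0.5):
    """Batch back propagation from the start point w; returns the best weights seen."""
    w = list(w)
    best_w, best_e = list(w), mse(w, data)
    for _ in range(epochs):
        grad = [0.0] * DIM
        for x, y in data:
            hid, out = forward(w, x)
            d_out = 2 * (out - y) * out * (1 - out) / len(data)
            grad[OUT + N_HID] += d_out
            for h in range(N_HID):
                row = h * (N_IN + 1)
                d_hid = d_out * w[OUT + h] * hid[h] * (1 - hid[h])
                grad[OUT + h] += d_out * hid[h]
                grad[row + N_IN] += d_hid
                for i in range(N_IN):
                    grad[row + i] += d_hid * x[i]
        w = [wi - lr * g for wi, g in zip(w, grad)]
        e = mse(w, data)
        if e < best_e:
            best_w, best_e = list(w), e
    return best_w

def make_dataset(n=30, seed=3):
    """Constructed data: 4 normalised indicators mapped to a weighted situation value."""
    rng = random.Random(seed)
    xs = [[rng.random() for _ in range(N_IN)] for _ in range(n)]
    return [(x, 0.4 * x[0] + 0.3 * x[1] + 0.2 * x[2] + 0.1 * x[3]) for x in xs]

def run_demo():
    """Returns (CS history, MSE of the CS start point, MSE after BP training)."""
    data = make_dataset()
    w_cs, history = cuckoo_search(lambda w: mse(w, data), DIM)
    w_bp = train_bp(w_cs, data)
    return history, mse(w_cs, data), mse(w_bp, data)

if __name__ == "__main__":
    hist, e_cs, e_bp = run_demo()
    print(f"random nests {hist[0]:.5f} -> CS {e_cs:.5f} -> CS + BP {e_bp:.5f}")
```

Because a nest is replaced only by a fitter egg, the best fitness recorded per generation never increases, which is what lets the search hand back-propagation a start point no worse than the best random initialisation.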

4. Experimental Design and Analysis

4.1. Experimental Environment

This paper verifies the validity of the evaluation model by simulating test scenarios. Floodlight is used as the SDN controller, and OpenvSwitch is used to build a virtual OVS software switch; Snort acts as the detection probe of the system; hping3 software is a packet-sending tool that can be used to simulate some network attacks.
As shown in Figure 3, the experimental topology includes a SDN controller responsible for managing the entire network; four OpenvSwitch switches build the main forwarding network; each switch is equipped with a Snort, which is responsible for detecting network traffic flowing through the switch; each switch connects to the host as a test terminal; Snort detects attacks and sends alarms to the SDN controller for collection; during the experiment, hping3 is used to make the host group under Open vSwitch2 continuously send TCP SYN flood, UDP flood, and ICMP flood messages [31].

4.2. The Experimental Process

4.2.1. Dataset Acquisition

Existing datasets are based on data generated by traditional network switches and routers, and their data differ from that of SDN, SDN controller, and switch. As a result, this paper uses the hping3 network tool to simulate attacks in the Mininet network and generate training datasets by itself.
Datasets are acquired through active and passive acquisitions [32]. Active acquisition is performed by the SDN controller. The SDN controller will obtain the packets sent and received from each port of the switch, and then calculate the QoS parameters of the network. Passive acquisition is implemented through third-party tools (sFlow and Snort). sFlow collects traffic information from traditional switches, and Snort collects network status and threat information. Table 5 and Table 6 show the important fields that Snort and sFlow need to extract, respectively.

4.2.2. Simulating the Attack Process

In the dataset, there are four types of network state data: one normal state and three attacked states. The three attacked states are: ICMP Flood, UDP Flood, and TCP SYN Flood. Due to the performance limitations of running Mininet, sending too many packets will cause the machine to crash, so the duration of each attack lasts 3–5 min, and the number of packets sent is also limited. Table 7 shows the attack time table.
Hping3 tools are commonly used to detect networks and hosts and can send almost any TCP/IP packets [33]. This section uses SYN Flood as an example to describe the process of using hping3 to inject traffic into Mininet:
(1) Execute hping3 on host1 to initiate the SYN flood; the command is as follows.
hping3 -c 1000 -d 120 -S -w 64 -p 80 --flood --rand-source 192.168.20.71 --interface h4-eth0 -i u1000
This command generates TCP packets with random source IP addresses from Host1 to the destination host (Host5) with IP address 192.168.20.71. The -c option specifies the number of packets to send; the -d option sets the size of the packet to be sent; the -S option sets the SYN flag; the -w option sets the TCP window size; the -p option specifies the port on the destination host; the --flood option sends packets as fast as possible, that is, the flood attack mode; the --rand-source option uses random source IP addresses; the --interface option specifies the network interface; and the -i option sets the sending interval, specified here as 1000 microseconds.
(2) Add detection rules in the /etc/snort/rules/local.rules file and warn if there are more than 20 packets in 60 s.
alert tcp any any -> $HOME_NET any (msg:"synflood"; flags:S; threshold:type both, track by_dst, count 20, seconds 60; classtype:misc-attack; sid:1000006; rev:1;)
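How the rule's threshold options turn a packet stream into alerts, replayed over constructed packet timestamps (an added Python example, not part of the original article). The window handling is a simplified model of Snort's `type both` behaviour, and every traffic sample and every address other than 192.168.20.71 is constructed.

```python
from collections import namedtuple

# Constructed packet record: timestamp in milliseconds, destination IP, TCP flags.
Packet = namedtuple("Packet", "ts_ms dst flags")

class BothThreshold:
    """Simplified model of `threshold: type both, track by_dst, count N, seconds S`.

    Assumption: one fixed window per destination, opened by the first matching
    packet and reopened by the first matching packet after it expires.
    """

    def __init__(self, count=20, seconds=60):
        self.count = count
        self.window_ms = seconds * 1000
        self.windows = {}                      # dst -> [window start, matches so far]

    def observe(self, pkt):
        """Return True if this packet makes the rule emit an alert."""
        if pkt.flags != "S":                   # flags:S matches SYN set and nothing else
            return False
        win = self.windows.get(pkt.dst)
        if win is None or pkt.ts_ms - win[0] >= self.window_ms:
            win = self.windows[pkt.dst] = [pkt.ts_ms, 0]
        win[1] += 1
        return win[1] == self.count            # once per window, on the Nth match

def alerts(packets, count=20, seconds=60):
    """Replay packets in time order; return (ts_ms, dst) for every alert raised."""
    rule = BothThreshold(count, seconds)
    return [(p.ts_ms, p.dst) for p in sorted(packets, key=lambda p: p.ts_ms)
            if rule.observe(p)]

def stream(dst, start_ms, n, interval_ms, flags="S"):
    """Constructed traffic: n packets to dst, evenly spaced."""
    return [Packet(start_ms + i * interval_ms, dst, flags) for i in range(n)]

# Constructed samples (addresses other than 192.168.20.71 are made up):
BURST = stream("192.168.20.71", 0, 1000, 1)             # 1000 SYNs in one second
SUSTAINED = stream("192.168.20.71", 0, 1500, 100)       # 10 SYN/s for 150 s
NORMAL = stream("192.168.20.72", 0, 60, 5000)           # one SYN every 5 s for 5 min
HANDSHAKES = stream("192.168.20.73", 0, 500, 10, "SA")  # SYN-ACKs never match flags:S

if __name__ == "__main__":
    for name, pkts in [("burst", BURST), ("sustained", SUSTAINED),
                       ("normal", NORMAL), ("syn-ack", HANDSHAKES)]:
        print(f"{name:10s} packets={len(pkts):5d} alerts={alerts(pkts)}")
```

A 1000-packet burst and a 600-packet-per-minute stream each produce one alert per 60 s window, so the alert count collected from Snort is a rate-limited signal and does not measure flood volume; volume has to come from the traffic counters.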

4.2.3. Data Preprocessing

Because each situation indicator had a different value range, the collected data were processed with dimensionality elimination [34] before the model was trained and evaluated; Equation (18) is used for normalization.
$$x_i' = \frac{x_i - x_{\min}}{x_{\max} - x_{\min}} \tag{18}$$
where $x_i'$ represents the normalized value of the situation indicator, $x_i$ represents the data value of a single situation indicator, $x_{\min}$ represents the minimum value of the situation indicator data in the dataset, and $x_{\max}$ represents the maximum value of the situation indicator data in the dataset.
The extracted situational elements are quantified according to the formula in Section 3.1.3 as feature parameters, and divided into the training set and test set. The 16 characteristic parameters in the training samples are divided according to the first-level indicators of network security situation indicators, and divided into 4 groups for training. The characteristic indexes of the test samples are divided according to the same division method, input into the trained BP neural network model, and the output results of the first-level indexes are obtained. The values and weights of the first-level situation indicators are obtained by training the BP neural network, and the multi-factor weighted model is used to calculate the network situation value.
$$S_{\mathrm{value}} = \sum_{i=1}^{n} w_i \cdot \mathrm{Index}_i$$
where $S_{\mathrm{value}}$ represents the situation value of the current network, $w_i$ represents the weight value of the i-th first-level indicator, and $\mathrm{Index}_i$ represents the first-level situation indicator value obtained by the BP neural network output.

4.3. Situation Assessment and Effect Test

4.3.1. Algorithm Performance Comparison

With reference to the benchmark test functions proposed in [35,36], this paper compares GA, PSO, and the CS used in this paper on two single-peak test functions and two multi-peak test functions, and calculates the best value, average value, and standard deviation of each algorithm on the benchmark functions. The four benchmark functions selected are shown in Table 8:
Table 9 shows the optimization results of the three algorithms on the benchmark function. Figure 4 shows the convergence curves of the three algorithms on the benchmark functions. It can be seen from Table 9 and Figure 4 that the CS algorithm is superior to the other two algorithms in the search ability of test functions.
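The four benchmark functions of Table 8 and a standard cuckoo search run on them, as an added example (not the authors' code). It implements the basic cuckoo search with Lévy flights drawn by Mantegna's algorithm, not the improved step factor of this paper; the nest count, discovery probability `pa`, step scale `alpha`, iteration count and seed are assumptions.

```python
import math
import random

# Table 8 benchmarks. F2 is summed to n-1 here so that x[i+1] exists.
def f1(x):
    return sum(v * v for v in x)

def f2(x):
    return sum(100 * (x[i + 1] - x[i] ** 2) ** 2 + (x[i] - 1) ** 2
               for i in range(len(x) - 1))

def f3(x):
    return sum(v * v - 10 * math.cos(2 * math.pi * v) + 10 for v in x)

def f4(x):
    prod = math.prod(math.cos(v / math.sqrt(i)) for i, v in enumerate(x, 1))
    return sum(v * v for v in x) / 4000 - prod + 1

def levy(rng, beta=1.5):
    """One Levy-distributed step length (Mantegna's algorithm)."""
    sigma = (math.gamma(1 + beta) * math.sin(math.pi * beta / 2)
             / (math.gamma((1 + beta) / 2) * beta * 2 ** ((beta - 1) / 2))) ** (1 / beta)
    return rng.gauss(0, sigma) / abs(rng.gauss(0, 1)) ** (1 / beta)

def cuckoo_search(f, dim, lo, hi, nests=25, pa=0.25, alpha=0.01, iters=300, seed=1):
    """Minimise f on [lo, hi]^dim. Returns (best_x, best_f, best_f_per_iteration)."""
    rng = random.Random(seed)
    clip = lambda v: min(hi, max(lo, v))
    pop = [[rng.uniform(lo, hi) for _ in range(dim)] for _ in range(nests)]
    fit = [f(p) for p in pop]
    history = []
    for _ in range(iters):
        best = pop[fit.index(min(fit))][:]
        for i in range(nests):
            # Levy flight scaled by the distance to the current best nest.
            cand = [clip(x + alpha * levy(rng) * (x - b)) for x, b in zip(pop[i], best)]
            fc = f(cand)
            if fc < fit[i]:                      # greedy replacement
                pop[i], fit[i] = cand, fc
        for i in range(nests):
            # Discovery: each coordinate is rebuilt with probability pa.
            a, b = pop[rng.randrange(nests)], pop[rng.randrange(nests)]
            cand = [clip(x + rng.random() * (u - v)) if rng.random() < pa else x
                    for x, u, v in zip(pop[i], a, b)]
            fc = f(cand)
            if fc < fit[i]:
                pop[i], fit[i] = cand, fc
        history.append(min(fit))
    k = fit.index(min(fit))
    return pop[k], fit[k], history

if __name__ == "__main__":
    for name, f, lo, hi in (("F1", f1, -100, 100), ("F2", f2, -100, 100),
                            ("F3", f3, -5.12, 5.12), ("F4", f4, -600, 600)):
        _, best, hist = cuckoo_search(f, 5, lo, hi)
        print(f"{name}: first iteration {hist[0]:.3e}, final {best:.3e}")
```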

4.3.2. Comparison of Evaluation Results

Through simulation studies, the suggested method is contrasted with the BPNN, GA-BPNN, and PSO-BPNN algorithms in order to assess its performance. The assessment values are displayed by a line chart in Figure 5 to make the situation assessment outcome analysis more apparent.
Figure 5 shows that only in the 80th minute does the situation value curve of the BPNN assessment model experience a significant general volatility. The situation value curves of the GA-BPNN evaluation model showed extreme values at the 30th minute and the 60th minute, and the situation trend was opposite to the actual situation after the 80th minute. The variation of the overall situation value curve of the CS-BPNN evaluation model is more compatible with the real situation curve than the situation trend of the PSO-BPNN evaluation model from the 20th minute to the 50th minute.
Table 10 gives the evaluation grades obtained by applying the four evaluation models of BPNN, GA-BPNN, PSO-BPNN, and CS-BPNN, and compares them with the situational evaluation grades. An analysis of Table 10 shows that the situation level of the BPNN evaluation model results is inconsistent with the real situation level with seven test data points; the situation level of the PSO-BPNN evaluation model results is inconsistent with the situation level with four test data points; while the CS-BPNN evaluation model’s situational assessment result level on the test data point is exactly the same as the level of the assessment result. Therefore, the CS-BPNN evaluation model can most objectively reflect the current network security situation.

4.3.3. Error Analysis

In order to verify the evaluation accuracy of the evaluation model proposed in this paper in the SDN network, this paper selects the evaluation indicators of the mean square error (MSE), mean absolute error (MAE) and root mean square error (RMSE), which are used to evaluate the proposed evaluation model. Comparing the errors of the four algorithms in the sample iteration process, the results are shown in Figure 6.
It can be seen from Figure 6 that the error between the situation assessment value obtained by using the assessment model of this paper and the situation assessment value is significantly smaller than those of the other three assessment models, which also shows that the situation assessment model of this paper has a higher accuracy assessment.
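The multi-factor weighted model of Section 4.2.3, the level bands of Table 4 and the MSE, MAE and RMSE of this section, put together as an added example (not the authors' code). The weights, the first-level indicator values and the real situation values are constructed, and treating each band's upper bound as inclusive is an assumption, since Table 4 does not say which level a boundary value belongs to.

```python
import math

# Table 4 bands as (upper bound, level); upper bound inclusive by assumption.
LEVEL_BOUNDS = [(0.2, "I"), (0.5, "II"), (0.8, "III"), (1.0, "IV")]


def situation_value(weights, indices):
    """S_value = sum_i w_i * Index_i over the first-level indicators."""
    if len(weights) != len(indices):
        raise ValueError("one weight per first-level indicator is required")
    return sum(w * x for w, x in zip(weights, indices))


def security_level(s):
    """Map a situation value in [0, 1] to its Table 4 level."""
    if not 0.0 <= s <= 1.0:
        raise ValueError(f"situation value out of range: {s}")
    for upper, name in LEVEL_BOUNDS:
        if s <= upper:
            return name


def error_metrics(assessed, real):
    """MSE, MAE and RMSE between assessed and real situation values."""
    diffs = [a - r for a, r in zip(assessed, real)]
    mse = sum(d * d for d in diffs) / len(diffs)
    mae = sum(abs(d) for d in diffs) / len(diffs)
    return {"MSE": mse, "MAE": mae, "RMSE": math.sqrt(mse)}


def level_mismatches(times, assessed, real):
    """Sample times at which the assessed level differs from the real level."""
    return [t for t, a, r in zip(times, assessed, real)
            if security_level(a) != security_level(r)]


def constructed_run():
    """Constructed data: weights and indicator values for threat, stability,
    vulnerability and safety, plus constructed real situation values."""
    weights = [0.4, 0.2, 0.2, 0.2]
    times = [10, 20, 30, 40]
    indices = [[0.10, 0.20, 0.10, 0.10],
               [0.60, 0.40, 0.50, 0.45],
               [0.90, 0.70, 0.60, 0.70],
               [0.30, 0.30, 0.20, 0.30]]
    real = [0.10, 0.48, 0.78, 0.30]
    assessed = [situation_value(weights, row) for row in indices]
    return times, assessed, real


if __name__ == "__main__":
    times, assessed, real = constructed_run()
    print(error_metrics(assessed, real))
    print("level mismatch at:", level_mismatches(times, assessed, real))
```

On the constructed data the errors are small at every sample, yet the sample at minute 20 lands in a different level because the real value sits just below the 0.5 boundary, which is why grade agreement and numeric error are checked separately.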

4.3.4. Convergence Comparison

In this experiment, the sum of the absolute values of the evaluation errors of the training data was taken as the individual fitness value. The smaller the fitness value, the better the particle individual. Therefore, the change of the fitness value can also represent the convergence of the evaluation model. The convergence of the BPNN evaluation model, the GA-BPNN evaluation model, the PSO-BPNN evaluation model, and the evaluation model in this paper are compared, as shown in Figure 7.
It can be seen from Figure 7 that when the number of iterations is 200, BPNN has a poor ability to jump out of the local optimal value during the training process, and the error is large. The GA-BPNN model and PSO-BPNN model are better than the BPNN model, while the evaluation algorithm proposed in this paper has a better error performance, consumes little resources, and has higher stability.
Based on the above analysis, a comparison of four different algorithms can be obtained, as shown in Table 11:
An analysis of Table 11 shows that by comparing BPNN and GA-BPNN, the error of GA-BPNN is smaller than that of BPNN, and the number of iterations is less; comparing the BP algorithm and the GA-BPNN algorithm, the GA-BPNN algorithm has more iterations than BPNN, but its error is higher. Compared with other algorithms, the algorithm proposed in this paper not only has fewer iterations, but it also has smaller training in the training process, which has good performance.

5. Conclusions

A reasonable situation assessment model can improve the network’s overall security and ensure the accuracy of the situation prediction. The index system was first established in this paper from four aspects: threat index, stability index, vulnerability index, and security index. The situation assessment model was established through the BP neural network to monitor and analyze the overall status of the network in real time. The attack methods in the network were simulated by hping3, and the improved algorithm was used to evaluate the situation of the SDN network. Finally, the test network constructed in this paper validates the feasibility of the situation assessment model. The higher the risk value in the SDN network environment, the higher the value obtained from the situation assessment; otherwise, the SDN network operated normally and no network attack occurred. The experimental results show that the evaluation model optimized by CS-BPNN has better convergence effects in a real-time evaluation of SDN, and the evaluation efficiency is more in line with the expected value. In the future, we will study scenarios where more attacks occur in the real world and will seek more comprehensive data to further enrich the indicator system and improve the effectiveness of the overall SDN situation assessment.

Author Contributions

Methodology, H.Y.; Formal analysis, H.L.; Investigation, Z.D. and Y.F.; Resources, Z.C.; Data curation, Z.C. and J.R.; Writing—original draft, H.Y.; Writing—review & editing, J.R.; Visualization, H.L.; Supervision, Z.D.; Funding acquisition, Y.F. All authors have read and agreed to the published version of the manuscript.

Funding

This research was funded by the Shaanxi Provincial Department of Science and Technology, grant number Shaanxi S&T Grants 2021KW-07 and 2022QFY01-14.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Xu, Y.; Jia, S. Research on security situational awareness for software-defined networks. Small Microcomput. Syst. 2019, 40, 1682–1688.
  2. Chen, S. On Computer Network security management technology. Decis. Explor. 2020, 11–12.
  3. Yuan, L. Prediction of network security situation awareness based on an improved model combined with neural network. Secur. Priv. 2021, 4, e181.
  4. Chang, Y.; Ma, Z.; Li, X.; Gong, D. An overview of network security situation awareness. Cyberspace Secur. 2019, 10, 6.
  5. Li, K. Research on Key Technologies of Network Situational Awareness Based on SDN. Master’s Thesis, Harbin Institute of Technology, Harbin, China, 2018.
  6. Zheng, Z.; Lai, C.; Dynasty, D. A security situational awareness approach for software-defined networks. Inf. Technol. Netw. Secur. 2020, 39, 8.
  7. Liu, M.; Li, W.; Wang, S. Research and design of SDN-based staged network situational awareness model. J. Beijing Inst. Electron. Sci. Technol. 2018, 26, 14–20.
  8. Nikoloudakis, Y.; Kefaloukos, I.; Klados, S.; Panagiotakis, S.; Pallis, E.; Skianis, C.; Markakis, E.K. Towards a Machine Learning Based Situational Awareness Framework for Cybersecurity: An SDN Implementation. Sensors 2021, 21, 4939.
  9. Li, Y.; Huang, G.Q.; Wang, C.Z.; Li, Y.C. Analysis framework of network security situational awareness and comparison of implementation methods. EURASIP J. Wirel. Commun. Netw. 2019, 2019, 205.
  10. Kong, D.; Li, H.; Dong, H. Research on Network Security Situation Assessment Technology Based on Fuzzy Evaluation Method. J. Phys. Conf. Ser. 2021, 1883, 012108.
  11. Yi, B.; Cao, Y.P.; Song, Y. Network security risk assessment model based on fuzzy theory. J. Intell. Fuzzy Syst. 2020, 38, 3921–3928.
  12. He, L.; Wan, T.; Zhang, C.; Xia, F.; Wang, S.; Wang, Y. Network Situation Assessment of Host Node Based on Improved D-S Evidence Theory. J. Phys. Conf. Ser. 2021, 1738, 012091.
  13. He, G.-M. SDN Security Situation Assessment System. Master’s Thesis, Xi’an University of Electronic Science and Technology, Xi’an, China, 2014.
  14. Fan, Z.; Xiao, Y.; Nayak, A.; Tan, C. An improved network security situation assessment approach in software defined networks. Peer-Peer Netw. Appl. 2019, 12, 295–309.
  15. Yu, H.; Li, F.; Huo, Y.; Yin, X. Power Information Network security situation assessment method. Sci. Technol. Eng. 2021, 21, 3642–3648.
  16. Zhang, R.; Pan, Z.; Yin, Y.; Cai, Z. A Model of Network Security Situation Assessment Based on BPNN Optimized by SAA-SSA. Int. J. Digit. Crime Forensics 2022, 14, 1–18.
  17. Huang, Y. Research on Network Security Situation Assessment Based on BP Neural Network. J. Jiamusi Univ. 2020, 38, 86–89.
  18. Wang, D. Based on the Heterogeneous Network SDN Situational Awareness Technology Research. Master’s Thesis, Xi’an University of Electronic Science and Technology, Xi’an, China, 2019.
  19. Chen, H.; Wang, F.; Xiao, Z.J.; Sun, L.N. A Network security situation assessment model incorporating multi-source data. Comput. Eng. Appl. 2015, 51, 96–101.
  20. Deng, M. Based on the Security Situation of Passive Detection Index System Research. Master’s Thesis, University of Electronic Science and Technology, Chengdu, China, 2020.
  21. Kong, Z.J. Research on Method and Application of Network Security Situation Awareness Based on D-S Evidence Theory. Master’s Thesis, Inner Mongolia University, Hohhot, China, 2022.
  22. Alamri, H.A.; Thayananthan, V.; Yazdani, J. Machine Learning for Securing SDN based 5G Network. Int. J. Comput. Appl. 2021, 174, 9–16.
  23. Zhu, M. Exploration of network security situation assessment by BP neural network. J. Chang. Univ. 2021, 31, 6–11.
  24. Jiao, L.B.; Huo, Y.H.; Yu, P.; Li, B.G. A network situational assessment method based on improved BP neural network. Radio Eng. 2021, 51, 6.
  25. Yang, H.; Zeng, R. A deep learning method for network security situation assessment. J. Xi’an Univ. Electron. Sci. Technol. 2021, 48, 8.
  26. Yu, J. Research on Network Security Situational Awareness Based on Neural Network. Master’s Thesis, Civil Aviation University of China, Tianjin, China, 2013.
  27. Luo, Z. Research on Network Security Situation Assessment and Prediction Technology Based on Neural Network. Master’s Thesis, Northwestern University, Xi’an, China, 2018.
  28. Cheng, J. Research and Implementation of Network Security Situational Awareness Model Based on Machine Learning. Master’s Thesis, Nanjing University of Posts and Telecommunications, Nanjing, China, 2020.
  29. Li, H.; Peng, Y.; Deng, C.; Gong, D.Q. A review of hybrid research on GA and PSO. Comput. Eng. Appl. 2018, 54, 10.
  30. Guo, W.Z.; Lin, Z.M.; Chen, G.L. Particle swarm optimization-based network security situation element acquisition. J. Xiamen Univ. 2009, 48, 5.
  31. Imran, M.; Durad, M.H.; Khan, F.A.; Abbas, H. DAISY: A Detection and Mitigation System Against Denial-of-Service Attacks in Software-Defined Networks. IEEE Syst. J. 2020, 14, 1933–1944.
  32. Wang, Z. Research on Network Security Situation Assessment Method Based on CS-BPNN. Master’s Thesis, Civil Aviation University of China, Tianjin, China, 2017.
  33. Wang, Z. Application of Factor Analysis-BP Neural Network Model Based on Factor Analysis in Comprehensive Air Quality Evaluation. Master’s Thesis, Yunnan University, Kunming, China, 2015.
  34. Fu, Y.; Du, Y.; Cao, Z.; Li, Q.; Xiang, W. A Deep Learning Model for Network Intrusion Detection with Imbalanced Data. Electronics 2022, 11, 898.
  35. Al Hwaitat, A.K.; Almaiah, M.A.; Almomani, O.; Al-Zahrani, M.; Al-Sayed, R.M.; Asaifi, R.M.; Adhim, K.K.; Althunibat, A.; Alsaaidah, A. Improved Security Particle Swarm Optimization (PSO) Algorithm to Detect Radio Jamming Attacks in Mobile Networks. Int. J. Adv. Comput. Sci. Appl. 2020, 11, 614–625.
  36. Ouyang, C.; Qiu, Y.; Zhu, D. A multi-strategy improved sparrow search algorithm. J. Phys. Conf. Ser. 2021, 1848, 012042.
Figure 1. Framework of SNSAM.
Figure 2. Three-layer BPNN situation assessment model.
Figure 3. Experimental topology diagram.
Figure 4. Convergence curve of the optimization algorithm on the benchmark function. (a) Experimental results for test function F1. (b) Experimental results for test function F2. (c) Experimental results for test function F3. (d) Experimental results for test function F4.
Figure 5. Comparison of the evaluation results of different algorithms.
Figure 6. Error comparison of different algorithms.
Figure 7. Fitness diagram of different algorithms.
Table 1. Relevant research on the network situation awareness model.

| Author(s) | Year | Model | Main Contribution |
|---|---|---|---|
| Li [5] | 2018 | A formal model of SDN vulnerability Diffusion based on Bio-PEPA | In terms of layers, it analyzes the vulnerability diffusion of upper applications, controllers, and underlying devices in horizontal and vertical dimensions after being attacked |
| Liu et al. [7] | 2018 | Phased network security situational awareness model based on SDN | Combining SDN with network situation awareness technology, the security problems faced by SDN at the control layer and infrastructure layer are analyzed |
| Li et al. [9] | 2019 | Network situation awareness model with five layers | The existing research progress of each stage of the model is summarized, the core technology of each stage is analyzed, and the practical application results of the typical methods are discussed |
| Zheng et al. [6] | 2020 | Network security situation awareness model based on JDL multi-sensor data fusion | Uses the JDL model to fuse the collected multi-source heterogeneous information to realize the perception and evaluation of the network, hosts, and services |
| Yannis et al. [8] | 2021 | Network situation awareness model based on machine learning | Uses the model to monitor the underlying infrastructure and realize the vulnerability assessment of network entities |
Table 2. Relevant research on the network security situation assessment model.

| Author(s) | Year | Main Contribution | Field |
|---|---|---|---|
| He [13] | 2014 | Proposed a network security evaluation method based on the Bayesian theory | mathematical model |
| Fan et al. [14] | 2019 | Proposed a network security assessment method based on HMM | stochastic model |
| Huang [17] | 2020 | Proposed a network security situation assessment model based on GA-BPNN | biological inspired model |
| Yi et al. [11] | 2020 | Proposed a network security risk assessment model based on the fuzzy theory | mathematical model |
| He L et al. [12] | 2021 | Proposed a network security assessment method based on improved DST | mathematical model |
| Kong D et al. [10] | 2021 | Combined AHP and the fuzzy evaluation method to put forward a fuzzy comprehensive evaluation model | mathematical model |
| Yu et al. [15] | 2021 | Proposed a network security situation assessment model based on ABC-BPNN | biological inspired model |
| Zhang et al. [16] | 2022 | Proposed a network security situation assessment model based on SAA-SSA-BPNN | biological inspired model |
Table 3. Situation indicator system based on SDN.

| First Level Indicators | Secondary Indicators |
|---|---|
| Threat indicator | The number of security incidents per unit of time |
| | Alerts |
| | Attack frequency |
| | Service type used by the attack |
| Stability indicator | Available link bandwidth |
| | Number of packets received/sent by switch ports |
| | Data packets of different protocols |
| | Average port forwarding rate |
| Vulnerability indicator | Packet_in rate |
| | Packet_out rate |
| | Memory usage |
| | CPU utilization |
| Safety indicator | Frequency of security incident |
| | Data inflow/outflow |
| | Bandwidth usage |
| | Switch port inflow growth rate |
Table 4. Network security level divisions.

| Security Index | Security Level | Network Operation |
|---|---|---|
| 0~0.2 | security (I) | The entire network is operating normally, with no malicious attacks or security time threats |
| 0.2~0.5 | mild risk (II) | Minor disruptions to network operations, attacks or minor security threats |
| 0.5~0.8 | moderate risk (III) | The network operation is greatly affected, with a higher frequency of attack events generated, threatening network equipment |
| 0.8~1 | severe risk (IV) | The network operation is seriously threatened, and there are many attacks or security threats |
Table 5. Important fields for Snort.

| Field Name | Description |
|---|---|
| Alert_time | Alarm time |
| Attack_name | Attack types |
| serverity | Security level |
| Service_name | Service type used by the attack |
| Port_name | Protocol type |
Table 6. Important fields for sFlow.

| Field Name | Description |
|---|---|
| srcip | The source IP address |
| dstip | The destination IP address |
| nextip | IP address of the next-hop router |
| ifspeed | Interface rate |
| flow_num | Number of Network traffic |
| tos | IP Service Type |
Table 7. Attack time table.

| Types of Attacks | Number of Attacks | Attack Time |
|---|---|---|
| ICMP Flood | 15 | 20~40, 60~70 |
| UDP Flood | 15 | 30~50, 60~70 |
| TCP SYN Flood | 10 | 40~50, 90~100 |
Table 8. Benchmarking functions.

| Test Functions | Dimension | Search Range | Optimum Value |
|---|---|---|---|
| $F_1(x) = \sum_{i=1}^{n} x_i^2$ | 30 | [−100, 100] | 0 |
| $F_2(x) = \sum_{i=1}^{n} \left[ 100 (x_{i+1} - x_i^2)^2 + (x_i - 1)^2 \right]$ | 30 | [−100, 100] | 0 |
| $F_3(x) = \sum_{i=1}^{n} \left[ x_i^2 - 10 \cos(2 \pi x_i) + 10 \right]$ | 30 | [−5.12, 5.12] | 0 |
| $F_4(x) = \frac{1}{4000} \sum_{i=1}^{n} x_i^2 - \prod_{i=1}^{n} \cos\left( \frac{x_i}{\sqrt{i}} \right) + 1$ | 30 | [−600, 600] | 0 |
Table 9. Comparison of optimization results of the benchmark test functions.

| Algorithm | Test Function | Optimum Value | Average Value | Standard Deviation |
|---|---|---|---|---|
| GA | F1 | 3.89 × 10^−41 | 7.57 × 10^−34 | 2.14 × 10^−33 |
| | F2 | 2.61 × 10^−107 | 6.11 × 10^−94 | 1.36 × 10^−93 |
| | F3 | 1.64 × 10^−169 | 8.89 × 10^−163 | 2.41 × 10^−162 |
| | F4 | 6.12 × 10^−117 | 1.49 × 10^−109 | 3.05 × 10^−109 |
| PSO | F1 | 0 | 0 | 0 |
| | F2 | 2.74 × 10^−180 | 9.08 × 10^−173 | 3.17 × 10^−172 |
| | F3 | 0 | 0 | 0 |
| | F4 | 3.56 × 10^−193 | 5.84 × 10^−179 | 5.18 × 10^−179 |
| CS | F1 | 0 | 0 | 0 |
| | F2 | 3.83 × 10^−251 | 1.12 × 10^−243 | 7.19 × 10^−243 |
| | F3 | 0 | 0 | 0 |
| | F4 | 0 | 0 | 0 |
Table 10. Comparison of the evaluation levels.
TimeLevelBPNNGA-BPNNPSO-BPNNCS-BPNN
10IIIIIIIIIII
20IIIIIIIIIIIII
30IIIIIIIIII
40IIIIIIIIIII
50IIIIIIIII
60IIIIIIIVIIIIII
70IIIIIIIIIII
80IIIIIIIIII
90IIIIIIIII
100IIIIIIIIIIIII
Table 11. Comparison of different algorithms.

| Algorithm | Number of Iterations | MSE | Accuracy |
|---|---|---|---|
| BPNN | 139 | 1.236 | 93.03% |
| GA-BPNN | 151 | 1.025 | 96.37% |
| PSO-BPNN | 118 | 0.511 | 96.77% |
| CS-BPNN | 104 | 0.227 | 97.61% |

Du, Z.; Yao, H.; Fu, Y.; Cao, Z.; Liang, H.; Ren, J. Network Situation Assessment Method Based on Improved BP Neural Network. Electronics 2023, 12, 483. https://doi.org/10.3390/electronics12030483