A Situation Awareness Approach for Network Security Using the Fusion Model

College of Computer and Cyber Security, Hebei Normal University, Shijiazhuang, Hebei 050024, China; Hebei Provincial Key Laboratory of Network and Information Security, Shijiazhuang, Hebei 050024, China; Hebei Provincial Engineering Research Center for Supply Chain Big Data Analytics & Data Security, Shijiazhuang, Hebei 050024, China; School of Information Science and Engineering, Hebei University of Science and Technology, Shijiazhuang, Hebei 050018, China


Introduction
With the rapid growth of 5G networks, the Internet, and smart cities, it is becoming more and more difficult to defend against attacks. Traditional network security facilities include anti-virus software, firewalls, vulnerability scanning, and other facilities, all of which are passive protection systems. When a new virus appears, it often takes several days or tens of days for manufacturers to make the passive protection system detect it. For these new viruses, this time gap poses a great threat to network security, and it is challenging to meet the network security requirements of the current era. Therefore, research on passive protection systems has encountered a bottleneck. Being able to evaluate the current network security situation in a timely manner and, based on the present and past security situation, to forecast how the situation will change in the next period of time is particularly critical for protecting resource security. For that reason, research on network security situation awareness is urgently needed. The idea of situation awareness and assessment was first suggested by Endsley [1] in 1988. With the goal of improving pilots' air combat capability, the authors constructed a classic three-layer situation awareness model, namely situation (i) element extraction, (ii) assessment, and (iii) prediction. At that point, the model was applied only in the Air Force combat domain. Subsequently, Bass et al. [2] combined the concept of situational awareness with cybersecurity and indicated that the next-generation network intrusion detection system (IDS) should integrate the data gathered by multiple short-term network sensors with long-term data to achieve cyberspace situation awareness. Due to these limitations, situation awareness in network security has become a major research hotspot.
Yan et al. [3] constructed a network security threat assessment model by combining the fuzzy concept with the game matrix and demonstrated the usefulness of the suggested model with an example. Zhang et al. [4] applied convolutional neural networks (CNN) to network security situation prediction. In order to enhance the learning capability of the CNN and reduce its training time, a network based on a composite convolution structure was suggested. The network security situation is well predicted, but in fact the effect of the CNN on time series prediction problems needs to be improved. Chen et al. [5] constructed a network security situation prediction prototype in which the Gravitational Search Algorithm (GSA) is used to improve a Support Vector Machine (SVM). To a certain extent, the accuracy of situation forecasting has been improved, but SVM is slightly insufficient in time series forecasting ability, and the accuracy of situation prediction needs to be improved. Zhang et al. [6] constructed a network security situation assessment model using a deep self-encoding network, combining unsupervised training and supervised fine-tuning. The experimental results showed that the suggested model has high evaluation accuracy, but the disadvantage is that the data set used is too old, and the model needs to be verified on a new dataset. Wang et al. [7] optimized the correction factor of probabilistic neural networks (PNN) through a genetic algorithm (GA), which improved the stability and accuracy of the model, but when dealing with small sample data, the disadvantage is that the evaluation takes a relatively long time. Xu et al. [8] proposed a reasoning method to realize network security situational awareness, which is more capable than traditional methods. Zhang et al. [9] combined LSTM and a decision tree (DT) to achieve network security situation prediction. LSTM was used to predict data sets, and DT to identify attack types. The experiments proved that the proposed situational awareness model has a high accuracy. Dai et al. [10] constructed a zero-trust situational awareness model; zero trust is a new theory that has emerged in recent years and has good application prospects.
To sum up, machine learning models are increasingly used in network security, in particular for situation awareness; nonetheless, we believe that the learning ability of a single model is still limited. Drawing on the advantages and characteristics of different models, this paper investigates in depth the two key parts of network security situation awareness, that is, (i) situation assessment and (ii) prediction. The suggested work is built on fusion models, so that relevant personnel can gain a deeper understanding of the network security situation and then make reasonable decisions. For point (i), a situation assessment method for network security is suggested that combines the classical CNN and LSTM networks. CNN and LSTM are two deep learning models with strong learning abilities. To build a model with stronger learning ability for situation assessment, the two are fused: CNN's convolution and pooling operations can extract important local features, while LSTM has advantages in extracting time series information. After the fusion of the two models, the evaluation accuracy can reach 85.19% and 92.59%.
In terms of situation prediction for network security, we suggest a forecasting model, IPSO-ABiLSTM, which combines a Bidirectional Long Short-Term Memory (BiLSTM) network with an attention mechanism and improved particle swarm optimization (IPSO). IPSO balances the global and local search abilities, speeds up convergence, and keeps the procedure from falling into a local optimal solution. Furthermore, BiLSTM can combine the preceding and following context, and integrating BiLSTM with the attention mechanism improves the model's attention to key information. The network structure of ABiLSTM is optimized by the IPSO algorithm to increase the performance of the suggested model. The experimental results show that, compared with other models, the suggested technique has a better forecasting effect. The main contributions of this research are as follows:
(i) A network security situation assessment model based on the fusion of CNN and LSTM is suggested.
(ii) According to the different fusion methods, parallel and serial CNN-LSTM fusion models were constructed to evaluate the UNSW-NB15 data set, and both the situation values and levels were obtained.
(iii) A situation forecasting model based on IPSO and ABiLSTM, that is, IPSO-ABiLSTM, is suggested.
(iv) IPSO, which converges faster, is used to optimize the ABiLSTM network parameters and obtain the optimal parameters for situation prediction.
The rest of this manuscript is organized as follows: Section 2 discusses the CNN-LSTM fusion network security situation assessment model. Section 3 covers the construction of the network security situation indicator system. Section 4 discusses network security situation prediction with BiLSTM fused with the attention mechanism. Section 5 presents the experimental analysis and the results in detail. Finally, Section 6 concludes this article and gives directions for future research.

The CNN-LSTM Fusion Network Security Situation Assessment Model
2.1. The CNN Model.
In 1989, LeCun suggested the LeNet5 convolutional neural network, built on gradient descent, for reading documents and text recognition [11]. LeNet5 is the classic structure of the modern CNN, and CNNs were then widely used to solve multiclass problems such as image segmentation [12], object recognition [13], and computer vision [14]. The basic structure of the CNN model comprises five layers: (i) an input layer, (ii) a convolutional layer, (iii) a fully connected layer, (iv) a pooling layer, and (v) an output layer. The CNN structure and its layers are shown in Figure 1. In this paper, the activation function of each layer of the CNN model is the ReLU function.
The ReLU function can address the vanishing gradient problem that may arise during model training. It also helps reduce the amount of computation in training and thus accelerates the training process of the network model.

The LSTM Model.
The recurrent neural network (RNN) model establishes connections between neurons in the hidden layer. In other words, the output of a neuron can be used as an input at the next moment, so that the entire network structure has a memory function. For that reason, it can be used to deal with time series problems.
After a lot of practice, the RNN has been shown to suffer from gradient explosion and gradient vanishing [15]. Therefore, it only has short-term memory. To solve these problems of the RNN model, Schmidhuber et al. [16] suggested the LSTM approach. The LSTM model improves the working principle of the hidden layer used in the RNN model. The LSTM structure comprises a forget gate, input gate, output gate, memory unit, candidate memory unit, and output value. The mathematical equations of an LSTM unit at time t are given in formulas (1) to (6). In equations (1) to (6), W and b are the corresponding weights and biases, tanh is the hyperbolic tangent activation function, σ is the sigmoid activation function, and ⊗ represents the Hadamard product. Note that further discussion and explanation of these equations are given in subsequent sections.

Implementation of the Situation Assessment for Network Security Based on the CNN-LSTM Fusion Model.
Each neural network model has its own advantages. For example, CNN can successfully extract local structures and characteristics of data through convolution kernels, but cannot learn the relationships within a time series. The gating mechanism introduced in LSTM handles time series data very well. It should be kept in mind that the features in network attack PCP data are complex and changeable and have different degrees of importance. There may also be relationships between the attack data. Drawing on the respective advantages of CNN and LSTM, this paper combines the two neural network models to increase the accuracy of network attack recognition.
The fusion of CNN and LSTM can be done in two ways: serial and parallel. In serial fusion, features are extracted from the input data by the CNN and then passed through the LSTM. In parallel fusion, the CNN and the LSTM extract features from the input data at the same time, and the features extracted by the two parts are then joined. The effects of the two methods may differ on different problems. In this paper, Serial CNN-LSTM (CNN-LSTM-S) and Parallel CNN-LSTM (CNN-LSTM-P) are both constructed. The two models are used to verify the advantages of the fusion model for situation assessment in network security. The structures of the CNN-LSTM-S and CNN-LSTM-P models used in this paper are shown in Figures 2 and 3, respectively. The network security situation assessment process of the CNN-LSTM approach is shown in Figure 4.

Construction of the Network Security Situation Indicator System
Situation assessment for network security first requires the support of a network security situation index system, after which a suitable evaluation model is built. The model evaluates the network security situation value and its level according to the index system. The assessment results enable relevant personnel to understand the present network security situation, whether it is safe and what kinds of threats exist, and to make corresponding decisions according to the problems existing in the network.

Network Security Situation Indicator System Based on Attack Impact.
In this paper, we establish a situation indicator system for network security based on attack impact. First, the internal correlation of each main influencing element in the network is fully considered. Second, the means of network attack are increasingly complex, diversified, and frequent, and different types of attacks have different impacts on the entire network. Only by improving the detection rate of the attacks received can the network status be perceived more accurately.
Situation indicator factors include the following:
(1) Attack quantity factor: This factor refers to the number of attack samples received by the network in a certain period of time, represented by N.
(2) Attack threat factor: This factor refers to the degree of threat to network security posed by different attack types in the network, represented by X.
The situation value of a period is calculated by formula (7).
The attack traffic characteristics and methods collected in the commonly used KDD Cup99 and NSL-KDD [17,18] datasets can no longer represent the network conditions of the current era. The newer UNSW-NB15 dataset [19,20] does not contain situation values, so we adopt the above calculation method to generate the situation value representing the security degree of the network. Following the order of the samples collected in UNSW-NB15, 3000 samples are taken as one period. The threat factors corresponding to the attacks in the data set are shown in Table 1. The true situation value of the data set is calculated according to formula (7), and the situation values of all periods are converted into the [0, 1] interval. After quantification, the UNSW-NB15 test set consists of 27 periods in total.
The UNSW-NB15 dataset attack threat factors are presented in Table 1.

Classification of Network Security Situation Levels.
This paper combines the basic network security situation description and simple assessment model of the National Internet Emergency Center with the actual situation of modern networks. The network security level is divided into four levels, which correspond to different situation value intervals. By dividing the security level, relevant departments can understand the current state of the network more intuitively and quickly. The grading rules are displayed in Table 2.

The BiLSTM Model.
The BiLSTM model consists of a forward and a reverse LSTM layer superimposed on each other [21], and the output is jointly determined by the two LSTM layers; its structure is shown in Figure 5. The forward LSTM layer can be regarded as a forward calculation from the start time to the last time, while the reverse LSTM layer can be regarded as a reverse calculation from the last time to the start time. Both layers are handled in the same manner. Finally, the model combines the outputs of the forward layer and the reverse layer at each moment to get the output of the model at that moment.

4.2. The Attention Mechanism.
The BiLSTM model has achieved good results in extracting sequence information, but the importance of different features in real network conditions also varies widely. BiLSTM alone cannot identify the importance of features in sequences. The attention mechanism is inspired by the working mechanism of the human brain. In the process of perceiving the things around us, people always give priority to what they want to see and ignore things they do not need.
The literature shows that the attention method has been widely used in many research fields. For example, [22][23][24] applied the attention mechanism in image analysis, computer vision, and natural language processing and achieved good results. Adding the attention mechanism to BiLSTM gives more consideration to the influence of different inputs on the output and focuses on selective learning of the input to improve the learning effect of the neural network [25]. The layers and organization of the ABiLSTM model constructed in this paper are shown in Figure 6.
For the ABiLSTM network, the choice of structural parameters is crucial to the effect of the model, for instance the number of hidden layers, the weights, the number of hidden layer units, and the learning rate. Many researchers determine these parameters based on experience or trial and error, which makes the robustness and accuracy of the model unreliable. Therefore, this paper selects the well-known and widely used particle swarm optimization procedure, which is simple in principle, low in complexity, fast in convergence, and suitable for real-valued problems, to optimize the structural parameters of the ABiLSTM network.
Mobile Information Systems

The IPSO Method.
The PSO method is a bionic swarm optimization procedure suggested by Dr. Eberhart and Dr. Kennedy [26] in 1995. The algorithm originated from research on the predation behavior of birds. The basic idea of PSO is to treat each candidate solution of the problem as a D-dimensional massless particle. Every particle has a fitness value computed by the fitness function. In the search space, each particle uses its individual optimal position and the global optimal position to update its own velocity and position, and through iterative search the optimal position of the whole particle swarm is obtained [27].
In each iteration, the particles in the swarm determine the direction and distance of their search by their velocity. The update formulas for the particle's velocity and position in basic particle swarm optimization are given in equations (8) and (9), respectively. In equations (8) and (9), $w$ is the inertia weight factor, that is, the ability of the particle to inherit the velocity of the previous iteration, and $k$ is the current iteration number. Furthermore, $c_1$ and $c_2$ are the two acceleration factors, which regulate how strongly the individual optimal solution and the global optimal solution guide the velocity in each iteration. Note that the sum is a random number between [0, 1]. Moreover, $V_{id}^{k}$ and $X_{id}^{k}$ are the velocity and position in the $d$th dimension of the $i$th particle in the $k$th iteration, respectively. Finally, $pbest_{id}^{k}$ and $gbest_{gd}^{k}$ are the individual optimal position and the global optimal position, respectively, in the $d$th dimension of the $i$th particle in the $k$th iteration.
In the PSO algorithm, the inertia weight factor and the acceleration factors are very important to the efficiency and results of the algorithm. When the inertia weight factor and the acceleration factors are large, the global optimization ability is better; when they are small, the smaller the factor, the better the local optimization ability. Since the inertia weight factor and the acceleration coefficients in traditional particle swarm optimization are fixed, both the local and the global optimization abilities of the procedure are limited. It is also very easy for the algorithm to fall into a local minimum, that is, premature convergence. In view of these limitations, the inertia weight factor and the acceleration factors are improved in this paper, so that the change of velocity goes from linear to nonlinear. The improvement to the inertia weight factor $w$ is given in (10):

$$w = -\pi \cdot \arcsin\bigl(0.01 \cdot (t - \text{max iter})\bigr) \tag{10}$$
The improvements to the acceleration factors are given in (11) and (12). In equations (11) and (12), max iter is the maximum number of iterations, and $t$ is the current iteration number. Similarly, $c_{2\max}$ and $c_{2\min}$ are the maximum and minimum values of the acceleration factors in the previous iteration, respectively. It should be noted that $c_{1\max}$ and $c_{1\min}$ are the maximum and minimum values of the acceleration coefficient after the update, respectively.
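An added example, not the paper's code: PSO with the inertia weight taken exactly as printed in (10), applied to a constructed stand-in for validation loss over two ABiLSTM structural parameters. The velocity and position updates are the standard PSO form; the constant `c1` and `c2` (equations (11) and (12) are not reproduced on this page), the velocity clamp, the bounds, and `stand_in_loss` are assumptions.

```python
"""PSO with the nonlinear inertia weight printed as formula (10).

Added illustration, not the paper's code. c1, c2, the velocity clamp, the
bounds and stand_in_loss are assumptions made for this example.
"""
import math
import random
from typing import Callable, List, Sequence, Tuple

Bounds = Sequence[Tuple[float, float]]


def inertia_weight(t: int, max_iter: int) -> float:
    """w = -pi * arcsin(0.01 * (t - max_iter)), as printed in (10)."""
    arg = 0.01 * (t - max_iter)
    # arcsin needs arg >= -1, so a run starting at t = 0 needs max_iter <= 100.
    if not -1.0 <= arg <= 0.0:
        raise ValueError("need t <= max_iter and max_iter - t <= 100")
    return -math.pi * math.asin(arg)


def stand_in_loss(p: Sequence[float]) -> float:
    """Constructed stand-in for validation loss over (hidden units, learning rate)."""
    units, lr = p
    return ((units - 64.0) / 64.0) ** 2 + (math.log10(lr) + 3.0) ** 2


def pso(objective: Callable[[Sequence[float]], float], bounds: Bounds,
        n_particles: int = 20, max_iter: int = 100,
        c1: float = 2.0, c2: float = 2.0, seed: int = 0):
    """Minimise `objective`; returns (best position, best value, history)."""
    rng = random.Random(seed)
    dim = len(bounds)
    # Assumption: clamp velocity to 20% of each range. With max_iter = 100 the
    # printed schedule starts near w = 4.93, which would otherwise overshoot.
    v_max = [0.2 * (hi - lo) for lo, hi in bounds]
    x = [[rng.uniform(lo, hi) for lo, hi in bounds] for _ in range(n_particles)]
    v = [[0.0] * dim for _ in range(n_particles)]
    pbest = [p[:] for p in x]
    pbest_val = [objective(p) for p in x]
    g = min(range(n_particles), key=pbest_val.__getitem__)
    gbest, gbest_val = pbest[g][:], pbest_val[g]
    history: List[float] = [gbest_val]

    for t in range(max_iter):
        w = inertia_weight(t, max_iter)
        for i in range(n_particles):
            for d, (lo, hi) in enumerate(bounds):
                r1, r2 = rng.random(), rng.random()  # random numbers in [0, 1)
                vel = (w * v[i][d]
                       + c1 * r1 * (pbest[i][d] - x[i][d])
                       + c2 * r2 * (gbest[d] - x[i][d]))
                v[i][d] = max(-v_max[d], min(v_max[d], vel))
                # Keep the particle inside the search space.
                x[i][d] = max(lo, min(hi, x[i][d] + v[i][d]))
            val = objective(x[i])
            if val < pbest_val[i]:
                pbest[i], pbest_val[i] = x[i][:], val
                if val < gbest_val:
                    gbest, gbest_val = x[i][:], val
        history.append(gbest_val)
    return gbest, gbest_val, history


if __name__ == "__main__":
    search_space = [(8.0, 256.0), (1e-4, 1e-1)]  # hidden units, learning rate
    best, best_val, hist = pso(stand_in_loss, search_space, seed=1)
    print(f"w(0)={inertia_weight(0, 100):.4f}  w(100)={inertia_weight(100, 100):.4f}")
    print(f"best units={best[0]:.1f} lr={best[1]:.5f} loss={best_val:.6f}")
    print(f"first/last best loss: {hist[0]:.4f} -> {hist[-1]:.6f}")
```

Because the argument of arcsin must stay in [-1, 0], the schedule as printed is only usable for runs of at most 100 iterations.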

Implementation of the Situation Assessment in the Network Security Constructed on the Suggested IPSO-ABiLSTM Model.
The process for network security situation prediction using the suggested IPSO-ABiLSTM model is shown in Figure 7.

Experimental Analysis
The hardware used for the tests that evaluate the method suggested in this paper was as follows: an Intel(R) Core(TM) i5-8250U CPU @ 1.60 GHz and a 1 TB mechanical hard disk, 12
In order to verify the performance of the suggested model, we choose the evaluation metrics commonly used in network intrusion detection, prediction, and machine learning, that is, (i) Accuracy, (ii) Precision, (iii) Recall, and (iv) F1 score. Using these metrics, we compare the performance of the suggested model with other state-of-the-art techniques and closest rivals.
(1) Accuracy is represented by Acc and is defined as the proportion of data samples that were correctly classified or predicted by the suggested approach to the total number of data samples.
(2) Precision is represented by P and is defined as the proportion of normal data samples that were correctly classified or predicted by the suggested approach to all data samples classified as positive.
(3) Recall is represented by R and is defined as the proportion of normal data samples that were correctly classified or predicted by the suggested approach to the total number of true normal samples.
(4) F1 score is represented by F1-score and is the harmonic mean of precision and recall. Taking both precision and recall into consideration, the higher the F1 score, the more balanced the precision and recall, and the higher the overall performance of the model.
The above four evaluation metrics are calculated using formulas (13)-(16). In equations (13)-(16), TP refers to the number of normal data samples correctly classified, and TN represents the number of abnormal data samples correctly classified by a particular model. Furthermore, FP represents the abnormal data samples that were erroneously classified, and FN represents the normal data samples that were incorrectly classified by the model.

Two Classification Experimental Analysis.
In the first experiment, the labels of the dataset are divided into two groups: (i) normal and (ii) abnormal. In order to show that the suggested CNN-LSTM fusion technique has a stronger learning ability, it is compared with single models. The evaluation results of each model are shown in Table 3.
Table 3 shows that the accuracy and the recall of the suggested CNN-LSTM-P and CNN-LSTM-S methods are significantly higher than those of the closest rivals, that is, the four single models, ranking first and second, respectively. At the same time, the precision is second only to CNN. Considering the contradiction between the accuracy rate and the recall rate, we further examined the F1 score. The F1 scores of the two models suggested in this paper are 88.36% and 84.35%, respectively, ranking first and second and well above the F1 scores of the other models.
Model time is also a very practical metric. In the same experimental environment, the detection time of the two models suggested in this paper is shown in Table 4. The two-class detection time of the CNN-LSTM-P technique is approximately 79.41 s less than that of the CNN-LSTM-S method. Moreover, the attack recognition effectiveness of the CNN-LSTM-P model is significantly higher than that of the CNN-LSTM-S method.

Ten Classification Experimental Analysis.
The second experiment is a ten-class experiment. The models suggested in this paper are compared with single models. The evaluation results of the various models and methods are shown in Table 5.
Table 5 shows that the accuracy, precision, recall, and F1 score of the suggested CNN-LSTM-P and CNN-LSTM-S models are significantly better than those of the other four single methods. Among them, the accuracy, recall, and F1 score of the CNN-LSTM-S method are the best values among all compared models. The accuracy, recall, and F1 score of the CNN-LSTM-P model are the second-best values among all models, and its precision is the best value. Combining the two-class and ten-class experimental results, the learning performance of the suggested model is significantly improved compared with the traditional single methods.
Next, we analyze the performance of the suggested model in terms of time consumption. Under the same experimental environment, the detection time of the two models suggested in this paper is shown in Table 6. The ten-class detection time of the CNN-LSTM-P method is approximately 93.15 s less than that of the CNN-LSTM-S method. Furthermore, the CNN-LSTM-S method has relatively lower performance. The detection efficiency of the CNN-LSTM-P model is higher than all the closest rivals. Combining the time comparisons of the two classification experiments, the suggested CNN-LSTM-P method is always less time-consuming than the CNN-LSTM-S method and is more efficient while maintaining accuracy.

Analysis of Network Security Situation Assessment Results.
The results of the suggested CNN-LSTM-P and CNN-LSTM-S models are quantified according to formula (7). In this way, we obtain the situation value of every period; the network security level corresponding to each period is assigned according to Table 2, and the security levels of the 27 periods are obtained.
The comparison between the network security situation assessment results of the suggested model and the real situation level is presented in Figure 8.
Figure 8 shows that the suggested CNN-LSTM-S method has errors in only two periods. In the fourth period, "high risk" is wrongly evaluated as "medium risk," and in the eighth period, "medium risk" is wrongly evaluated as "low risk." Analyzing this, it is easy to find that the suggested CNN-LSTM-S method has a weak ability to identify attacks with a high degree of threat and tends to identify attacks with a relatively low degree of threat. The evaluation grades for the remaining periods matched the true grades exactly. The CNN-LSTM-P model has more misevaluated periods, namely periods 8, 23, 25, and 27.
For the 27 evaluation periods, the number of correct evaluations and the correct rate of the model in this paper are shown in Table 7.
Table 7 shows that the number of correct evaluations for the CNN-LSTM-P model is 23, and the correct rate is approximately 85.19%. Similarly, the number of correct evaluations for the CNN-LSTM-S model is 25, and the correct rate reaches 92.59%. Although the model still has many shortcomings, this is enough to show that the suggested model can be applied to situation assessment in network security.

Number of BiLSTM Input and Output Neurons.
According to the sliding window idea, the situation value data set used for prediction is divided according to its time sequence, and the organization of the divided data set is presented in Table 8.
In the second row of Table 8, m + 1 represents the size of the sliding window, and the number of neurons in the input layer of the LSTM model is equal to m during prediction. As the experiment in this paper is a single-value prediction, the number of neurons in the output layer is 1.

Experiment Evaluation Index.
In order to confirm the predictive capability of the methods used in this paper, the Coefficient of Determination ($R^2$) and the Mean Absolute Percentage Error (MAPE) were selected as the model evaluation indicators. The calculation formulas for the MAPE and $R^2$ metrics are given in (17) and (18), respectively.
In equations (17) and (18), $y_i$ is the true situation value, while $\hat{y}_i$ is the forecasted situation value. Furthermore, $N$ is the number of samples, while $\bar{y}$ is the mean of the true situation values. The smaller the mean absolute percentage error, the better the model performance, and vice versa. Furthermore, the coefficient of determination, which measures the goodness of fit, lies in the range [0, 1]. The nearer its value to 1, the better the model fit, and vice versa.
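The sliding-window split described for Table 8 and the two metrics named above, as an added example that is not code from the paper. `SITUATION_VALUES` is constructed sample data, the two baseline predictors are hypothetical, and the metrics use the standard MAPE and R² definitions, assumed to match formulas (17) and (18).

```python
"""Sliding-window samples and MAPE / R^2 scoring for a situation-value series.

Added illustration, not code from the paper. SITUATION_VALUES is constructed;
the metric definitions are the standard ones (assumed to match (17), (18)).
"""
from typing import Callable, List, Sequence, Tuple

Sample = Tuple[List[float], float]

# Constructed series: 27 period-level situation values inside (0, 1].
SITUATION_VALUES = [
    0.42, 0.47, 0.51, 0.55, 0.83, 0.78, 0.61, 0.58, 0.49,
    0.44, 0.40, 0.37, 0.35, 0.41, 0.52, 0.66, 0.71, 0.69,
    0.60, 0.54, 0.50, 0.46, 0.39, 0.33, 0.36, 0.45, 0.57,
]


def make_windows(series: Sequence[float], window: int) -> List[Sample]:
    """Split a series into (inputs, target) pairs.

    `window` is the paper's m + 1: the first m values are the inputs and the
    last one is the single target, so window=3 uses two past periods.
    """
    if window < 2:
        raise ValueError("window must be at least 2 (one input, one target)")
    if len(series) < window:
        raise ValueError("series is shorter than the window")
    m = window - 1
    return [(list(series[i:i + m]), series[i + m])
            for i in range(len(series) - m)]


def _check(y_true: Sequence[float], y_pred: Sequence[float]) -> None:
    if not y_true or len(y_true) != len(y_pred):
        raise ValueError("need two non-empty sequences of equal length")


def mape(y_true: Sequence[float], y_pred: Sequence[float]) -> float:
    """Mean absolute percentage error as a fraction (0.05 means 5%)."""
    _check(y_true, y_pred)
    # Values scaled into [0, 1] can contain an exact 0, which MAPE cannot handle.
    if any(y == 0 for y in y_true):
        raise ValueError("MAPE is undefined when a true value is 0")
    return sum(abs((y - p) / y) for y, p in zip(y_true, y_pred)) / len(y_true)


def r_squared(y_true: Sequence[float], y_pred: Sequence[float]) -> float:
    """Coefficient of determination, 1 - SS_res / SS_tot.

    The result is 1 for a perfect fit and drops below 0 when the predictions
    are worse than always predicting the mean of y_true.
    """
    _check(y_true, y_pred)
    mean = sum(y_true) / len(y_true)
    ss_res = sum((y - p) ** 2 for y, p in zip(y_true, y_pred))
    ss_tot = sum((y - mean) ** 2 for y in y_true)
    if ss_tot == 0:
        raise ValueError("R^2 is undefined for a constant series")
    return 1.0 - ss_res / ss_tot


def persistence(inputs: Sequence[float]) -> float:
    """Hypothetical baseline: repeat the most recent period."""
    return inputs[-1]


def window_mean(inputs: Sequence[float]) -> float:
    """Hypothetical baseline: average of the input periods."""
    return sum(inputs) / len(inputs)


def evaluate(series: Sequence[float], window: int,
             predictor: Callable[[Sequence[float]], float]
             ) -> Tuple[int, float, float]:
    """Return (number of samples, MAPE, R^2) for one window size."""
    samples = make_windows(series, window)
    y_true = [target for _, target in samples]
    y_pred = [predictor(inputs) for inputs, _ in samples]
    return len(samples), mape(y_true, y_pred), r_squared(y_true, y_pred)


if __name__ == "__main__":
    for window in (2, 3, 4):
        for name, fn in (("persistence", persistence), ("window mean", window_mean)):
            n, err, fit = evaluate(SITUATION_VALUES, window, fn)
            print(f"window={window} {name:12s} samples={n} "
                  f"MAPE={err:.4f} R2={fit:.4f}")
```

Scoring a trained predictor on the same windows next to these baselines shows whether it adds anything over repeating the last period, which matters with only 27 periods available.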

Experimental Analysis of Situation Prediction for
Network Security. In order to confirm the specific prediction effect of each model, this paper provides the prediction outcomes of every method when the window size is 2, 3, and 4, as shown in Figures 9-11. A window of 3 means that the situation values of the previous two time periods are selected to predict the situation values of the next time period. In fact, this can be comprehended from Figures 9 to 11 that when the window is 2, the IPSO-ABiLSTM suggested in this paper almost completely fits the real situation value, while the other three models all have a certain degree of fitting deviation. e window size is 3 and 4. In the first three time periods, the IPSO-ABiLSTM prediction effect suggested in this paper is not ideal, but it is almost completely fitted in the later time periods. Overall, the fit of IPSO-ABiLSTM is still better than the other three models. e evaluation indicators of each model in different windows are presented in Table 9.
From the outcomes of the various methods given in Table 9, the following fundamental conclusions can be drawn:
(1) When the window value is 2, the MAPE value of the suggested IPSO-ABiLSTM method is 0.0223, 0.1583, and 0.2278 lower than that of PSO-BiLSTM, PSO-LSTM, and BiLSTM, respectively, and the fitting coefficient $R^2$ is 0.0115, 0.1203, and 0.2277 higher than that of the other three models, respectively. This confirms that the performance of the suggested approach is superior to that of the other three methods when the window value is 2.
[Figure legend: CNN-LSTM-P, CNN-LSTM-S, TRUE]
fitting coefficient $R^2$ is lower than the other three models are 0.0522, 0.2171, and 0.0424 higher, respectively. The performance of the suggested approach is superior to that of the other three methods when the window value is 3.
(3) When the window value is 4, the MAPE value of the suggested IPSO-ABiLSTM approach is 0.1187 and 0.1076 lower than that of PSO-BiLSTM and PSO-LSTM, respectively, and the fitting coefficient $R^2$ is higher than that of the other three models by 0.1281, 0.5899, and 0.1143. Combining the two indicators, the suggested method performs better than the other three models when the window value is 4.
(4) For prediction problems, different window sizes often have an influence on the prediction outcomes. This paper also conducts comparative experiments on more window values. As far as the method in this paper is concerned, the smaller the window value, the better the prediction effect of each model tends to be. Through the lateral analysis of (1)-(3), when the sliding window size is the same, the IPSO-BiLSTM model suggested in this paper has a higher fitting degree than the PSO-LSTM method, the PSO-BiLSTM approach, and the traditional BiLSTM approach. At the same time, the fitting coefficient $R^2$ of each model is compared longitudinally when the window value is 2, 3, and 4. As displayed in Figure 12, when the window value is 2, the model in this paper achieves the best fitting effect, and the fitting coefficient can be 0.9922, which is almost a complete fit. The above discussion and analysis of the outcomes demonstrate the effectiveness of the prediction approach suggested in this paper, in particular for the problem of network security situation prediction.

Conclusions and Future Work
To address the insufficient learning ability of a single model, in this paper we constructed a network security situation assessment and forecasting model based on the fusion model, and described the specific implementation of the fusion model. For network security situation assessment, this paper constructs two fusion models, (i) CNN-LSTM-P and (ii) CNN-LSTM-S, and conducts two-class and ten-class experiments on the UNSW-NB15 dataset. The results show that the detection effect of the CNN-LSTM fusion model is better, and the correct rate of situation assessment can reach 85.19% and 92.59%. Moreover, for network security situation forecasting, we also propose a prediction model based on the IPSO-ABiLSTM method. In the model construction, in view of the slow convergence of the PSO technique and its tendency to fall into local minima, a nonlinear inertia weight and acceleration are introduced. We believe these factors help to improve the PSO algorithm and mitigate its premature convergence. At the same time, in order to learn more about the correlation between sequences, the BiLSTM network integrating the attention mechanism is introduced to forecast the situation, and the suggested IPSO mechanism is used to optimize the ABiLSTM and to increase the forecasting ability of the suggested model. The experimental results confirm that the IPSO-ABiLSTM model has a higher fitting degree and a smaller prediction error.
In the future, we will use other variants of the PSO method that can adaptively adjust numerous factors so that the convergence of the algorithm can be improved. Moreover, we will consider the Markov jumping technique in the PSO, which can divide the entire population into substages and avoid convergence to local optima. On the other hand, we will also look deeply into other deep learning models and improve the prediction accuracy. Limited resources are also a fundamental issue that directly affects the training and prediction durations of the network. Therefore, we will investigate, in the future, how big data analysis and technologies such as cloud and edge infrastructure within the domain of networks can help to reduce the durations of model training and prediction.

Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.