CN110071931A - Mimicry honeypot evolution method, device, equipment and computer-readable storage medium


Info

Publication number: CN110071931A
Application number: CN201910355888.3A
Authority: CN (China)
Original language: Chinese (zh)
Legal status: Pending
Inventors: 郑杰生, 刘文彬, 黄洪涛, 温柏坚, 吴广财
Assignee: Guangdong Power Grid Co Ltd; Information Center of Guangdong Power Grid Co Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

This application discloses a mimicry honeypot evolution method, device, equipment and computer-readable storage medium. A mimicry service feature library is first built from the network environment information and service information of a honeypot or server, so that the library contains a variety of mimicry services with service features and honeypot features. The network traffic of the honeypot or server is then monitored in real time. When the evolution trigger condition is reached, evolution is triggered: a tabu-search service evolution based on the mimicry service feature library is performed on the honeypot or server, and the optimal evolution result is output as the current mimicry service. Because the service evolution uses a tabu search algorithm, the only input it needs is one initial feasible solution. The optimal evolution result is obtained by tabu search without the population-size requirement of a genetic algorithm and without selection, crossover and mutation operations, which saves computation time and improves efficiency.

Description

Mimicry honeypot evolution method, device, equipment and computer-readable storage medium
Technical field
This application relates to the field of honeynet technology, and in particular to a mimicry honeypot evolution method, device, equipment and computer-readable storage medium.
Background
With the rapid development of the Internet, hacker attacks occur again and again, and the losses they cause to society and the economy grow by the day. Existing defensive measures such as firewalls and intrusion detection are too passive, so their false-negative and false-positive rates are very high and they do not achieve the desired protection.
Honeypot technology makes up for the shortcomings of existing protective measures and, as an active network defense technique, is receiving increasing attention. Its basic idea is to simulate vulnerable target resources as network traps so that attackers take the traps as their targets, which delays the attack on the real target and confuses the attacker, thereby protecting the resources that are really valuable. As attack and defense have evolved, however, attackers have come to realize how much honeypots restrict them, and anti-honeypot technology has emerged. Anti-honeypot technology is an attack on honeypot technology from the attacker's point of view: the attacker uses some detection method, or the traces a honeypot leaves, to find the honeypots deployed in the target network and so bypass their monitoring. To cope with the attacker's anti-honeypot techniques, defenders have in turn developed pseudo-honeypot technology, which uses some honeypot features and behaviors to deliberately plant clues that scare the attacker off. Deploying a large number of honeypots in a network consumes considerable resources, and ordinary users cannot configure honeypots for themselves; a normal host that disguises itself as a honeypot can therefore scare attackers off and improve the security of the system. An attacker who finds a honeypot may either leave or continue, but once the attacker believes the host is a honeypot, the enthusiasm that the expected gain from the attack would bring is reduced, so disguising a normal host as a honeypot is effective.
A traditional honeypot has the critical defect that it "fails as soon as it is broken": it is a static, fixed network trap that is hard to deploy, adapts poorly to a dynamic network, and has poor flexibility and decoy capability. Inspired by mimicry in the struggle between biological populations, the concept of the mimicry honeypot has been proposed. It is a dynamic security technique that "evolves as soon as it is broken": on top of a traditional honeypot network, it perceives and simulates the network and service content and uses the protective coloration and warning coloration mechanisms to build dynamically evolving mimicry features, so as to confuse and lure the attacker. Existing mimicry honeypot evolution methods are based on genetic algorithms. Although a genetic-algorithm-based method can evolve effectively, the algorithm itself requires a large initial population (generally more than 100 individuals) and must perform selection, crossover and mutation operations, so the computation takes a long time and efficiency is low.
Summary of the invention
This application provides a mimicry honeypot evolution method, device, equipment and computer-readable storage medium, to solve the technical problem that existing mimicry honeypot evolution methods, which evolve with a genetic algorithm, take a long time to compute and have low efficiency.
In view of this, a first aspect of the application provides a mimicry honeypot evolution method comprising the following steps:
101. Build a mimicry service feature library with service features and honeypot features according to the network environment information and service information of a honeypot or server;
102. Detect the current network traffic of the honeypot or the server and judge from the network traffic whether the evolution trigger condition is reached; if so, execute step 103;
103. Perform tabu-search service evolution based on the mimicry service feature library and output the optimal evolution result as the current mimicry service.
Preferably, step 103 specifically includes:
1031. Encode the service features and the honeypot features according to the mimicry service feature library to obtain a service feature encoding vector and a honeypot feature encoding vector;
1032. Take the service feature encoding vector or the honeypot feature encoding vector as the input of the tabu search algorithm and preset a maximum number of iterations;
1033. Initialize the service solution and initialize the tabu list as empty;
1034. Judge whether the number of iterations has reached the maximum number of iterations; if so, output the current solution as the optimal service solution, otherwise execute step 1035;
1035. Generate the candidate solution set of the current solution and calculate the objective function values according to a preset objective function;
1036. In the candidate solution set, judge whether there is a candidate solution whose objective function value is greater than that of the historical optimal solution. If so, update the current solution to that candidate solution, update the historical optimal solution and the tabu list, and return to step 1034. Otherwise, update the current solution to the best candidate solution that is not tabu, update the tabu list, and return to step 1034.
Preferably, the objective function is:
$$H_i(t+T_h)=\lambda\ln(Q_i(t))+(1-\lambda)\ln(P_i(t))-\alpha$$
Or
where $\lambda$ is an empirical value, $\alpha$ is the honeypot service cost factor, $T_h$ is the honeypot service period, $Q_i$ is the attacker's attack frequency on service $i$ during the period $t \sim t+T_h$, $P_i$ is the frequency with which clients access service $i$ during the period $t \sim t+T_h$, $\Delta N$ is the attacker's attack increment within the period $T_s$, and $\beta$ is other consumption, such as server memory and time, caused by the pseudo-honeypot.
Preferably, the service features and the honeypot features are encoded in binary.
Preferably, the evolution trigger condition is specifically:
$$w > F_H$$
where $w$ is the load increment and $F_H$ is the attack increment threshold.
A second aspect of the application provides a mimicry honeypot evolution device comprising the following modules:
a feature library module, for building a mimicry service feature library with service features and honeypot features according to the network environment information and service information of a honeypot or server;
a trigger module, for detecting the current network traffic of the honeypot or the server and judging from the network traffic whether the evolution trigger condition is reached, and if so, triggering the genetic module;
the genetic module, for performing tabu-search service evolution based on the mimicry service feature library and outputting the optimal evolution result as the current mimicry service.
Preferably, the genetic module specifically includes:
an encoding subunit, for encoding the service features and the honeypot features according to the mimicry service feature library to obtain a service feature encoding vector and a honeypot feature encoding vector;
an input subunit, for taking the service feature encoding vector or the honeypot feature encoding vector as the input of the tabu search algorithm and presetting a maximum number of iterations;
an initialization subunit, for initializing the service solution and initializing the tabu list as empty;
an iteration output subunit, for judging whether the number of iterations has reached the maximum number of iterations, and if so, outputting the current solution as the optimal service solution, otherwise triggering the computation subunit;
the computation subunit, for generating the candidate solution set of the current solution and calculating the objective function values according to a preset objective function;
a judgment and update subunit, for judging whether the candidate solution set contains a candidate solution whose objective function value is greater than that of the historical optimal solution; if so, updating the current solution to that candidate solution, updating the historical optimal solution and the tabu list, and triggering the iteration output subunit; otherwise, updating the current solution to the best candidate solution that is not tabu, updating the tabu list, and triggering the iteration output subunit.
A third aspect of the application provides mimicry honeypot evolution equipment comprising a processor and a memory:
the memory is used to store program code and to transmit the program code to the processor;
the processor is used to execute the mimicry honeypot evolution method of the first aspect according to the instructions in the program code.
A fourth aspect of the application provides a computer-readable storage medium for storing program code, the program code being used to execute the mimicry honeypot evolution method of the first aspect.
A fifth aspect of the application provides a computer program product including instructions which, when run on a computer, cause the computer to execute the mimicry honeypot evolution method of the first aspect.
As can be seen from the above technical solutions, the embodiments of the application have the following advantages:
The application provides a mimicry honeypot evolution method comprising the following steps: 101. build a mimicry service feature library with service features and honeypot features according to the network environment information and service information of a honeypot or server; 102. detect the current network traffic of the honeypot or server and judge from the network traffic whether the evolution trigger condition is reached, and if so, execute step 103; 103. perform tabu-search service evolution based on the mimicry service feature library and output the optimal evolution result as the current mimicry service. The method first builds a mimicry service feature library from the network environment information and service information of the honeypot or server, so that the library contains a variety of mimicry services with service features and honeypot features. It then monitors the network traffic of the honeypot or server in real time and, when the evolution trigger condition is reached, triggers evolution: a tabu-search service evolution based on the mimicry service feature library is performed on the honeypot or server, and the optimal evolution result is output as the current mimicry service. Because the service evolution uses a tabu search algorithm, the only input it needs is one initial feasible solution. The optimal evolution result is obtained by tabu search without the population-size requirement of a genetic algorithm and without selection, crossover and mutation operations, which saves computation time and improves efficiency. This solves the technical problem that existing mimicry honeypot evolution methods, which evolve with a genetic algorithm, take a long time to compute and have low efficiency.
In addition, tabu search is a meta-heuristic random search algorithm. Starting from one initial feasible solution, it selects a series of specific search directions (moves) as trials and chooses the move that changes the specific objective function value the most. It uses a tabu list to record and select among the optimization steps already taken and to guide the next search direction, which avoids local optima and makes the evolution result accurate and reliable.
Brief description of the drawings
Fig. 1 is a flow diagram of one embodiment of a mimicry honeypot evolution method provided by the application;
Fig. 2 is a flow diagram of another embodiment of a mimicry honeypot evolution method provided by the application;
Fig. 3 is a structural diagram of one embodiment of a mimicry honeypot evolution device provided by the application.
Detailed description
To help those skilled in the art better understand the solution of the application, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the application, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative work fall within the protection scope of the application.
For ease of understanding, refer to Fig. 1. One embodiment of a mimicry honeypot evolution method provided by the application comprises the following steps:
Step 101. Build a mimicry service feature library with service features and honeypot features according to the network environment information and service information of a honeypot or server.
Note that a mimicry honeypot evolves by combining the protective coloration mechanism, which simulates the service environment, with the warning coloration mechanism, which simulates honeypot features, so that it can effectively confuse and lure the attacker and carry out network confrontation. In a network environment, protective coloration features are parameters or information of the real network environment, such as network traffic, service ports and IP space. By imitating these protective coloration features, the honeypot protects itself and can then serve as a good tool for analyzing attacker behavior. Warning coloration features are features or behaviors of a honeypot, such as a honeypot's special ACK/SYN retransmission mechanism, a VMware network card, or residual honeypot clues.
The mimicry honeypot mechanism consists mainly of the mimic, the model (simulated object), the dupe, the service state and the evolution mechanism. The mimic takes two forms, service and honeypot. Depending on the surrounding network environment, the honeypot is the mimic under the protective coloration mechanism and the server is the mimic under the warning coloration mechanism; the dupe is the attacker. The mimicry honeypot deceives the attacker by switching between the protective coloration and warning coloration mechanisms. Because deploying honeypots costs a great deal of time and money, a network will not contain many honeypots, so real hosts far outnumber honeypots. To make a honeypot hard to identify when the attack probability is low, the honeypot can act as the mimic and hide itself among real systems by imitating a real system or service; this is the protective coloration mechanism. Warning coloration applies when the attack probability is high and the system is much more likely to be attacked: the defender then makes a real system or service imitate a honeypot, i.e. a pseudo-honeypot, to scare the attacker off. The service state has two types, service features and honeypot features. The evolution mechanism is the main component of the mimicry honeypot: when the protective coloration or warning coloration mechanism fails, or when the information and strategies of attacker and defender change, the mimicry honeypot evolves in real time, i.e. the service state is switched dynamically.
In this embodiment, a mimicry sensing module first obtains the current network environment information and service information through active interaction and passive scanning, and the mimicry service feature library is built in a formalized way, forming the various mimicry services with service features and honeypot features.
Step 102. Detect the current network traffic of the honeypot or server and judge from the network traffic whether the evolution trigger condition is reached; if so, execute step 103.
Note that the value of a honeypot lies in luring attackers in order to collect information about them, not in providing normal service. Honeypot evolution therefore uses a periodic trigger mechanism and a traffic trigger: for a given period value T, whenever the honeypot's decoy QoS is below the set threshold H, the honeypot keeps evolving, so that it continually adapts to changes in the network, disguises itself better and is hard for the attacker to see through. In this embodiment, the traffic that the server provides to legitimate users is taken to be stable, while the attacker's attacks and probes change continually. An attack increment threshold $F_H$ is set and a trigger is established on the server's load increment $w$; when $w > F_H$, the pseudo-honeypot in the mimicry honeypot is at risk of being seen through and evolution is needed.
Step 103. Perform tabu-search service evolution based on the mimicry service feature library and output the optimal evolution result as the current mimicry service.
Note that the tabu-search service evolution in this embodiment is an evolution mechanism based on the tabu search algorithm, a global step-by-step optimization algorithm. It starts from one initial feasible solution and then searches for better solutions in the neighborhood. During the search, the recent search history is stored in a tabu list, and only a better solution that is not in the tabu list is accepted as the initial solution of the next iteration. The tabu list blocks the regions that have just been searched, which avoids cyclic search, while some good states in the tabu list are released, which keeps the search diverse and lets it reach the global optimum.
In this embodiment, while the mimicry honeypot is in service, the mimicry control module detects the network traffic of the honeypot or server in real time and judges from the evolution condition whether to evolve the honeypot or the service. When the evolution condition is triggered, it analyzes the service features to be evolved and determines whether honeypot-feature service evolution or service-feature service evolution is to be performed. It then performs the corresponding service evolution with the tabu search algorithm, outputs the optimal solution that satisfies the termination condition, and finally runs the mimicry service corresponding to the optimal solution, completing the mimicry honeypot evolution service.
The mimicry honeypot evolution method of this embodiment first builds a mimicry service feature library from the network environment information and service information of the honeypot or server, so that the library contains a variety of mimicry services with service features and honeypot features. It then monitors the network traffic of the honeypot or server in real time and, when the evolution trigger condition is reached, triggers evolution: a tabu-search service evolution based on the mimicry service feature library is performed on the honeypot or server, and the optimal evolution result is output as the current mimicry service. Because the service evolution uses a tabu search algorithm, the only input it needs is one initial feasible solution. The optimal evolution result is obtained by tabu search without the population-size requirement of a genetic algorithm and without selection, crossover and mutation operations, which saves computation time and improves efficiency. This solves the technical problem that existing mimicry honeypot evolution methods, which evolve with a genetic algorithm, take a long time to compute and have low efficiency.
In addition, tabu search is a meta-heuristic random search algorithm. Starting from one initial feasible solution, it selects a series of specific search directions (moves) as trials and chooses the move that changes the specific objective function value the most. It uses a tabu list to record and select among the optimization steps already taken and to guide the next search direction, which avoids local optima and makes the evolution result accurate and reliable.
For ease of understanding, refer to Fig. 2. The application also provides another embodiment of a mimicry honeypot evolution method, comprising the following steps:
Step 201. Build a mimicry service feature library with service features and honeypot features according to the network environment information and service information of a honeypot or server.
Step 202. Detect the current network traffic of the honeypot or server and judge from the network traffic whether the evolution trigger condition is reached; if so, execute steps 203 to 208.
Step 203. Encode the service features and honeypot features according to the mimicry service feature library to obtain a service feature encoding vector and a honeypot feature encoding vector.
Step 204. Take the service feature encoding vector or the honeypot feature encoding vector as the input of the tabu search algorithm and preset a maximum number of iterations.
Step 205. Initialize the service solution and initialize the tabu list as empty.
Step 206. Judge whether the number of iterations has reached the maximum number of iterations; if so, output the current solution as the optimal service solution, otherwise execute step 207.
Step 207. Generate the candidate solution set of the current solution and calculate the objective function values according to a preset objective function.
Step 208. In the candidate solution set, judge whether there is a candidate solution whose objective function value is greater than that of the historical optimal solution. If so, update the current solution to that candidate solution, update the historical optimal solution and the tabu list, and return to step 206. Otherwise, update the current solution to the best candidate solution that is not tabu, update the tabu list, and return to step 206.
Note that in this embodiment the evolution service of the mimicry honeypot is optimized with the tabu search algorithm. The detailed process can be described as follows:
1) Give the initial encoded feature vector as the input of the tabu search algorithm.
Before evolution, the features must first be encoded. In general a service may contain several operations, but to simplify the description, a service in this embodiment represents one operation of the service, and the input and output parameters of the service correspond to determined objects. To give a formal definition that suits encoding the feature vector for mimicry evolution, this embodiment describes the service features with a four-tuple:
Service = f_1, f_2, f_3 … f_n = {Input, Output, Description, QoS};
where Input is the set of input parameters, i.e. the request input content and input type; Output is the set of output parameters, i.e. the response output content and output type; Description is the service function description and basic description. The function description is the set of service command function parameters; the basic description includes the service IP address, port number, service type, application protocol type, service version, etc. QoS represents a group of QoS attributes of the service; the QoS of a regular service generally includes service response time, service fee, service reliability, etc.
To reduce the complexity of service evolution, this embodiment encodes the features of the mimicry honeypot service in binary, i.e. Service = f_1, f_2, f_3 … f_n is equivalent to a {0, 1} set.
For honeypot feature encoding, this embodiment collects the currently common honeypot types, analyzes their features and simulates them on the server side. Examples are the ARP spoofing with virtual machine MACs that honeypots often use (simulating the three common classes of virtual machine MAC address), delayed Ping responses, simulating Honeyd's responses to malformed IP packets, and forging outdated or fake services. These form a feature encoding set, which is then encoded in binary: 1 means the honeypot feature is invoked and 0 means it is not.
2) Set the maximum number of iterations and set the initial tabu list to empty. The tabu list prevents cycling during the search. The tabu search in this embodiment sets the tabu list size to 25. The tabu list usually records the 20 most recently accepted moves, which may not be visited again within 20 iterations; after 20 iterations these moves leave the tabu list and can be visited again. In addition, the maximum number of iterations should not be too small, to avoid a large error in the output, and should not be too large, to avoid more computation and lower efficiency. It should be set reasonably, and is set to 50 in this embodiment.
3) Judge whether the maximum number of iterations has been reached; if so, output the optimal service, otherwise execute step 4).
4) Generate the candidate solution set of the current solution and calculate the objective function values according to the objective function. A move is the way a new solution is generated from the current solution; the tabu search in this embodiment uses a pairwise-swap move rule. All moves that can be made from the current solution form the neighborhood. Each search step is based on the candidate solution set of the current solution, which is a proper subset of the neighborhood: only part of the neighborhood is scanned to form the candidate solution set. The size of the candidate solution set is kept consistent with the number of moves in the tabu list, and is likewise set to 20.
The honeypot service QoS is described by the honeypot service feature similarity $H_u$ and the feature sensitivity $H_a$. In the early stage of honeypot deployment, choosing features that are sensitive makes the decoy more effective against the attacker. Comparatively, features that are used frequently in normal access can be assumed to interest the attacker more, and the corresponding honeypot similarity will be high. The frequency with which a normal service feature is used per unit time on the current network server is therefore perceived and taken as the feature's similarity $H_u$. The feature sensitivity $H_a$ directly quantifies the decoy capability of a single feature against the attacker: it is the attacker's scan frequency of that feature, counted per unit time. Because attackers are independent and unpredictable, a feature with high similarity does not necessarily have high decoy capability, and a feature with high sensitivity may not be highly similar to the service. A Cobb-Douglas utility function is therefore used to balance the feature similarity $H_u$ and the feature sensitivity $H_a$, giving the honeypot decoy QoS formula:
$$H_{QoS}=\lambda\ln(H_u)+(1-\lambda)\ln(H_a)-\alpha$$
where $\lambda$ is an empirical value and $\alpha$ is the honeypot service cost factor.
Fitness function for honeypot evolution: with reference to the honeypot decoy QoS formula, the fitness function, i.e. the objective function, of a service individual in the evolution process is:
$$H_i(t+T_h)=\lambda\ln(Q_i(t))+(1-\lambda)\ln(P_i(t))-\alpha$$
where $T_h$ is the honeypot service period, $Q_i$ is the attacker's attack frequency on service $i$ during the period $t \sim t+T_h$, and $P_i$ is the frequency with which clients access service $i$ during the period $t \sim t+T_h$.
A pseudo-honeypot is a server disguised as a honeypot; it is in essence still a server, and its purpose is not to attract attacks but to scare attackers away. A pseudo-honeypot is more effective only in the early stage of the attacker's scanning and probing. Through detection, the reciprocal of the number of times N that the server is subjected to anomalies or attacks per unit time is taken as the luring QoS of the pseudo-honeypot. The quantitative formula for pseudo-honeypot QoS is therefore:
where N is the number of attacker accesses in the period t to t + T_s, and β is the other consumption, such as server memory and time, brought by the pseudo-honeypot. However, server consumption is not the focus of the present invention, and β is a rough estimate.
Fitness function for pseudo-honeypot evolution: with reference to the quantitative formula for pseudo-honeypot QoS, the fitness function of a service individual in the evolution process is obtained:
where ΔN is the attacker's attack increment in the period T_s.
5) In the candidate solution set, judge whether there is a candidate solution whose objective function value is greater than that of the historical optimal solution. If so, that candidate solution meets the aspiration level: update it to be the current solution, update the historical optimal solution and the tabu list, and return to step 3). Otherwise, update the best non-tabu candidate solution to be the current solution, update the tabu list, and return to step 3).
The aspiration level means that, under certain specific conditions, a move is accepted regardless of whether it is in the tabu list, and the current solution and the historical optimal solution are updated; it is the specific condition under which such a move is accepted. Specifically, the aspiration level here means judging, among all candidate solutions, whether there is a candidate solution whose objective function value is greater than that of the historical optimal solution. If so, the candidate solution that meets the aspiration level is updated to be the current solution, and the historical optimal solution and the tabu list are updated at the same time; if not, the best non-tabu candidate solution is updated to be the current solution, and the tabu list is updated at the same time.
In this embodiment of the application, the tabu search evolution of the service mainly consists of analyzing the service features. After the service is feature-encoded, the objective function is designed according to the honeypot's gain with respect to the attacker. Under the guidance of the objective function, a candidate solution that meets the aspiration level is selected from the candidate solution set generated from the current solution, and the iteration count is checked. Finally, the final solution is updated to be the current mimicry service. This has the advantages of efficient, accurate and reliable evolution.
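The loop of steps 3) to 5), together with the evolution trigger condition of claim 5, as an added Python example that is not code from the patent. It assumes binary-encoded feature vectors, λ = 0.6, α = 0.5, a constructed set of feature frequencies, and that a solution's objective value is the sum of H_i over its enabled features; all function and feature names are hypothetical.

```python
import math
import random
from collections import deque
from itertools import combinations

LAMBDA, ALPHA = 0.6, 0.5       # assumed values; the page gives none
TABU_LEN = CANDIDATES = 20     # both sizes are 20 in the embodiment
EPS = 1e-9                     # assumed floor so ln() is defined at zero frequency

# Constructed sample: (feature, attack frequency Q_i, client access frequency P_i)
SAMPLE = [
    ("http_server_header", 120, 300), ("ssh_banner", 200, 20),
    ("ftp_banner", 15, 2), ("smb_dialect", 90, 10),
    ("tls_cert_cn", 30, 250), ("snmp_sysdescr", 5, 1),
    ("rdp_security_layer", 60, 8), ("telnet_prompt", 3, 1),
]

def should_evolve(w, f_h):
    """Evolution trigger from the claims: incremental load w exceeds threshold F_H."""
    return w > f_h

def feature_fitness(q, p, lam=LAMBDA, alpha=ALPHA):
    """H_i(t + T_h) = lam*ln(Q_i(t)) + (1 - lam)*ln(P_i(t)) - alpha."""
    return lam * math.log(max(q, EPS)) + (1 - lam) * math.log(max(p, EPS)) - alpha

def objective(solution, scores):
    """Assumption: a solution is worth the sum of H_i over its enabled features."""
    return sum(s for bit, s in zip(solution, scores) if bit)

def swap_moves(solution):
    """Pairwise swap moves: exchange two positions that hold different bits."""
    return [(i, j) for i, j in combinations(range(len(solution)), 2)
            if solution[i] != solution[j]]

def apply_move(solution, move):
    i, j = move
    new = list(solution)
    new[i], new[j] = new[j], new[i]
    return tuple(new)

def tabu_search(initial, scores, max_iter=50, seed=0):
    rng = random.Random(seed)
    current = tuple(initial)
    best, best_val = current, objective(current, scores)
    tabu = deque(maxlen=TABU_LEN)                  # starts empty; oldest move expires first
    for _ in range(max_iter):                      # step 3: iteration limit
        moves = swap_moves(current)
        if not moves:
            break
        # Step 4: scan only part of the neighborhood when it exceeds 20 moves.
        sampled = rng.sample(moves, min(CANDIDATES, len(moves)))
        ranked = sorted(((objective(apply_move(current, m), scores), m)
                         for m in sampled), reverse=True)
        top_val, top_move = ranked[0]
        if top_val > best_val:                     # step 5: aspiration overrides tabu
            chosen = top_move
        else:                                      # otherwise the best non-tabu candidate
            free = [m for _, m in ranked if m not in tabu]
            if not free:
                continue
            chosen = free[0]
        current = apply_move(current, chosen)
        tabu.append(chosen)
        value = objective(current, scores)
        if value > best_val:
            best, best_val = current, value
    return best, best_val

if __name__ == "__main__":
    scores = [feature_fitness(q, p) for _, q, p in SAMPLE]
    start = (0, 0, 1, 0, 0, 1, 0, 1)               # binary encoding, three features enabled
    if should_evolve(w=35, f_h=20):                # constructed load and threshold
        best, value = tabu_search(start, scores)
        print([name for (name, _, _), bit in zip(SAMPLE, best) if bit], round(value, 3))
```

Because a swap move exchanges a 1 and a 0, the number of enabled features stays fixed; the search only decides which features the mimicry service presents.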
For ease of understanding, referring to Fig. 3, the present application also provides an embodiment of a mimicry honeypot evolution device, comprising the following modules:
Feature library module 301, configured to construct a mimicry service feature library containing service features and honeypot features according to the network environment information and service information of the honeypot or server.
Trigger module 302, configured to detect the network traffic of the current honeypot or server and judge from the network traffic whether the evolution trigger condition is reached; if so, it triggers the evolution module 303.
Evolution module 303, configured to carry out tabu search service evolution based on the mimicry service feature library and output the optimal evolution result as the current mimicry service.
Further, the evolution module 303 specifically includes:
Encoding subunit 3031, configured to encode the service features and the honeypot features according to the mimicry service feature library, obtaining a service feature encoding vector and a honeypot feature encoding vector.
Input subunit 3032, configured to take the service feature encoding vector or the honeypot feature encoding vector as the input of the tabu search algorithm and to preset the maximum number of iterations.
Initialization subunit 3033, configured to initialize the service solution and to initialize the tabu list as empty.
Iteration output subunit 3034, configured to judge whether the number of iterations has reached the maximum number of iterations; if so, it outputs the current solution as the optimal service solution; otherwise, it triggers the calculation subunit 3035.
Calculation subunit 3035, configured to generate the candidate solution set of the current solution and to calculate the objective function value according to the preset objective function.
Judgment update subunit 3036, configured to judge whether, in the candidate solution set, there is a candidate solution whose objective function value is greater than that of the historical optimal solution; if so, it updates that candidate solution to be the current solution, updates the historical optimal solution and the tabu list, and triggers the iteration output subunit 3034; otherwise, it updates the best non-tabu candidate solution to be the current solution, updates the tabu list, and triggers the iteration output subunit 3034.
The application also provides an embodiment of mimicry honeypot evolution equipment, which includes a processor and a memory:
The memory is used to store program code and to transfer the program code to the processor;
The processor is used to execute, according to the instructions in the program code, the mimicry honeypot evolution method of the foregoing method embodiment.
The application also provides an embodiment of a computer-readable storage medium, which is used to store program code, the program code being used to execute the mimicry honeypot evolution method of the foregoing method embodiment.
The application also provides a computer program product including instructions which, when run on a computer, cause the computer to execute the mimicry honeypot evolution method of the foregoing method embodiment.
In the several embodiments provided in this application, it should be understood that the disclosed device and method may be implemented in other ways. For example, the system embodiment described above is only illustrative: the division into units is only a division by logical function, and other divisions are possible in an actual implementation; for instance, multiple units or components may be combined or integrated into another device, or some features may be ignored or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, systems or units, and may be electrical, mechanical or of another form.
The units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the application may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the application in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute all or some of the steps of the methods of the embodiments of the application. The aforementioned storage medium includes various media that can store program code, such as a USB flash disk, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
The above embodiments are only intended to illustrate the technical solutions of the application, not to limit them. Although the application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features may be equivalently replaced, and such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the application.

Claims (10)

1. A mimicry honeypot evolution method, characterized by comprising the following steps:
101, constructing, according to the network environment information and service information of a honeypot or server, a mimicry service feature library containing service features and honeypot features;
102, detecting the current network traffic of the honeypot or the server, and judging from the network traffic whether an evolution trigger condition is reached; if so, executing step 103;
103, carrying out tabu search service evolution based on the mimicry service feature library, and outputting the optimal evolution result as the current mimicry service.
2. The mimicry honeypot evolution method according to claim 1, characterized in that step 103 specifically includes:
1031, encoding the service features and the honeypot features according to the mimicry service feature library to obtain a service feature encoding vector and a honeypot feature encoding vector;
1032, taking the service feature encoding vector or the honeypot feature encoding vector as the input of the tabu search algorithm, and presetting the maximum number of iterations;
1033, initializing the service solution, and initializing the tabu list as empty;
1034, judging whether the number of iterations has reached the maximum number of iterations; if so, outputting the current solution as the optimal service solution; otherwise, executing step 1035;
1035, generating the candidate solution set of the current solution, and calculating the objective function value according to the preset objective function;
1036, judging whether, in the candidate solution set, there is a candidate solution whose objective function value is greater than that of the historical optimal solution; if so, updating that candidate solution to be the current solution, updating the historical optimal solution and the tabu list, and returning to step 1034; otherwise, updating the best non-tabu candidate solution to be the current solution, updating the tabu list, and returning to step 1034.
3. The mimicry honeypot evolution method according to claim 2, characterized in that the objective function is:
H_i(t + T_h) = λ ln(Q_i(t)) + (1 - λ) ln(P_i(t)) - α
Or
where λ is an empirical value, α is the honeypot service cost factor, T_h is the period of the honeypot service, Q_i is the attacker's attack frequency against service i in the period t to t + T_h, P_i is the frequency with which clients access service i in the period t to t + T_h, ΔN is the attacker's attack increment in the period T_s, and β is the other consumption, such as server memory and time, brought by the pseudo-honeypot.
4. The mimicry honeypot evolution method according to claim 2, characterized in that the service features and the honeypot features are encoded in binary.
5. The mimicry honeypot evolution method according to claim 1, characterized in that the evolution trigger condition is specifically:
w > F_H
where w is the incremental load and F_H is the attack increment threshold.
6. A mimicry honeypot evolution device, characterized by comprising the following modules:
a feature library module, configured to construct, according to the network environment information and service information of a honeypot or server, a mimicry service feature library containing service features and honeypot features;
a trigger module, configured to detect the current network traffic of the honeypot or the server and judge from the network traffic whether an evolution trigger condition is reached; if so, to trigger the evolution module;
the evolution module, configured to carry out tabu search service evolution based on the mimicry service feature library and output the optimal evolution result as the current mimicry service.
7. The mimicry honeypot evolution device according to claim 6, characterized in that the evolution module specifically includes:
an encoding subunit, configured to encode the service features and the honeypot features according to the mimicry service feature library to obtain a service feature encoding vector and a honeypot feature encoding vector;
an input subunit, configured to take the service feature encoding vector or the honeypot feature encoding vector as the input of the tabu search algorithm and to preset the maximum number of iterations;
an initialization subunit, configured to initialize the service solution and to initialize the tabu list as empty;
an iteration output subunit, configured to judge whether the number of iterations has reached the maximum number of iterations; if so, to output the current solution as the optimal service solution; otherwise, to trigger the calculation subunit;
the calculation subunit, configured to generate the candidate solution set of the current solution and to calculate the objective function value according to the preset objective function;
a judgment update subunit, configured to judge whether, in the candidate solution set, there is a candidate solution whose objective function value is greater than that of the historical optimal solution; if so, to update that candidate solution to be the current solution, update the historical optimal solution and the tabu list, and trigger the iteration output subunit; otherwise, to update the best non-tabu candidate solution to be the current solution, update the tabu list, and trigger the iteration output subunit.
8. Mimicry honeypot evolution equipment, characterized in that the equipment includes a processor and a memory:
the memory is used to store program code and to transfer the program code to the processor;
the processor is used to execute, according to the instructions in the program code, the mimicry honeypot evolution method of any one of claims 1 to 5.
9. A computer-readable storage medium, characterized in that the computer-readable storage medium is used to store program code, and the program code is used to execute the mimicry honeypot evolution method of any one of claims 1 to 5.
10. A computer program product including instructions, characterized in that, when run on a computer, it causes the computer to execute the mimicry honeypot evolution method of any one of claims 1 to 5.
CN201910355888.3A 2019-04-29 2019-04-29 Mimicry honey jar evolution method, device, equipment and computer readable storage medium Pending CN110071931A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910355888.3A CN110071931A (en) 2019-04-29 2019-04-29 Mimicry honey jar evolution method, device, equipment and computer readable storage medium

Publications (1)

Publication Number Publication Date
CN110071931A true CN110071931A (en) 2019-07-30

Family

ID=67369523

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910355888.3A Pending CN110071931A (en) 2019-04-29 2019-04-29 Mimicry honey jar evolution method, device, equipment and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN110071931A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110581844A (en) * 2019-08-21 2019-12-17 浙江大学 method of forensics in mimicry defense
CN111930483A (en) * 2020-07-22 2020-11-13 河南信大网御科技有限公司 Strategy scheduling method and device based on problem scene and mimicry construction framework
CN112491892A (en) * 2020-11-27 2021-03-12 杭州安恒信息安全技术有限公司 Network attack inducing method, device, equipment and medium
CN114070575A (en) * 2020-08-07 2022-02-18 奇安信科技集团股份有限公司 Device detection processing method, device, electronic device, storage medium, and program
US11947694B2 (en) 2021-06-29 2024-04-02 International Business Machines Corporation Dynamic virtual honeypot utilizing honey tokens and data masking
CN114070575B (en) * 2020-08-07 2024-05-28 奇安信科技集团股份有限公司 Device detection processing method, device, electronic device, storage medium, and program

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040128543A1 (en) * 2002-12-31 2004-07-01 International Business Machines Corporation Method and system for morphing honeypot with computer security incident correlation
CN105897517A (en) * 2016-06-20 2016-08-24 广东电网有限责任公司信息中心 Network traffic abnormality detection method based on SVM (Support Vector Machine)
CN109389181A (en) * 2018-10-30 2019-02-26 全球能源互联网研究院有限公司 The correlation rule generation method and device of power grid anomalous event
CN109657452A (en) * 2018-12-20 2019-04-19 广东电网有限责任公司 A kind of mobile application behavior dynamic credible appraisal procedure and device

Non-Patent Citations (6)

* Cited by examiner, † Cited by third party
Title
SHI LEYI,ET.AL: "《Game Theoretic Simulation on the Mimicry Honeypot》", 《WUHAN UNIVERSITY JOURNAL OF NATURAL SCIENCES》 *
刘德莉: "《基于遗传算法的拟态蜜罐系统研究》", 《中国优秀硕士学位论文全文数据库(电子期刊)》 *
张昊等: "《基于KNN算法及禁忌搜索算法的特征选择方法在入侵检测中的应用研究》", 《电子学报》 *
张震等: "《改进粒子群联合禁忌搜索的特征选择算法》", 《通信学报》 *
石乐义等: "《基于自适应遗传算法的拟态蜜罐演化策略》", 《华中科技大学学报(自然科学版)》 *
范志超: "《基于禁忌搜索算法的特征选择研究》", 《中国优秀硕士学位论文全文数据(电子期刊)》 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190730
