CN111385299A - Multi-mode arbitration system based on time iteration and negative feedback mechanism - Google Patents


Info

Publication number: CN111385299A (granted version CN111385299B)
Authority: CN (China)
Prior art keywords: heterogeneous, arbitration, SDN, SDN controller, negative feedback
Legal status: granted, active (Google's status listing is an assumption, not a legal conclusion)
Application number: CN202010147962.5A
Other languages: Chinese (zh)
Inventors: 邱启仓 (Qiu Qicang), 梁元 (Liang Yuan), 吴春明 (Wu Chunming), 邬江兴 (Wu Jiangxing)
Current and original assignee: Zhejiang Lab (之江实验室)
Priority and filing date: 2020-03-05; application published 2020-07-07; patent granted 2021-05-11

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The invention discloses a multi-mode arbitration system based on time iteration and a negative feedback mechanism. The system comprises a heterogeneous pool unit, a multi-mode arbitrator and a negative feedback unit. The heterogeneous pool unit holds more than three heterogeneous SDN controllers. In each SDN control layer, several heterogeneous SDN controllers process the same input request simultaneously, and the set of results each controller produces within a unit time is submitted to the multi-mode arbitrator. The arbitrator performs a consistency arbitration over the distribution of flow-table information in the output result set and sends the arbitrated result to the switch. After each arbitration, the negative feedback unit adjusts the confidence (weight) of each participating heterogeneous SDN controller according to the arbitration result, so that controllers are selected dynamically from the heterogeneous pool and the security defense capability of the system is improved.

Description

Multi-mode arbitration system based on time iteration and negative feedback mechanism
Technical Field
The invention belongs to the technical field of mimic defense (拟态防御, also rendered "mimicry defense") and in particular relates to a multi-mode arbitration system based on time iteration and a negative feedback mechanism.
Background
With the rapid development of network technology, SDN (software-defined networking) is being adopted by enterprises because it reduces cost and increases flexibility. It also brings new security risks. Today these are mostly addressed with conventional countermeasures, which are poorly suited to threats that exploit unknown vulnerabilities.
Introducing heterogeneous SDN controllers removes the single, uniform controller implementation, increases the randomness and dynamism of the control plane as a whole, and thereby improves the defense against unknown threats launched through unknown vulnerabilities.
Disclosure of Invention
To address the problems in the prior art, the invention provides a multi-mode arbitration system based on time iteration and a negative feedback mechanism.
The technical scheme adopted by the invention is as follows. A multi-mode arbitration system based on time iteration and a negative feedback mechanism comprises a heterogeneous pool unit, a multi-mode arbitrator and a negative feedback unit. The heterogeneous pool unit holds more than three heterogeneous SDN controllers. In each SDN control layer, several heterogeneous SDN controllers process the same input request simultaneously, and the set of results each controller produces within a unit time is submitted to the multi-mode arbitrator. The arbitrator performs a consistency arbitration over the distribution of flow-table information in the output result set and sends the arbitrated result to the switch. After each arbitration, the negative feedback unit adjusts the confidence (weight) of each participating heterogeneous SDN controller according to the arbitration result, and records the output result and the arbitration result of each SDN controller.
Further, at least three heterogeneous SDN controllers process each input request simultaneously, and the number of controllers processing a given request is smaller than the number of heterogeneous SDN controllers in the heterogeneous pool unit.
Further, the SDN controllers in the heterogeneous pool unit have completely different architectures but equivalent functions.
Further, the consistency arbitration comprises: plotting the distribution of flow-table information within the unit time; computing the similarity between the distributions in the multi-mode arbitrator; performing majority arbitration; outputting the result; and recording the arbitration result.
Further, the majority arbitration selects its result as follows: if the information distributions of the processing results of more than half of the heterogeneous SDN controllers within the unit time are similar to one another above a threshold, that processing result is issued to the switch as the arbitration result.
Further, the confidence of a heterogeneous SDN controller is adjusted according to the arbitration result as follows:
step one, count the arbitration result;
step two, among the SDN controllers that satisfied the majority arbitration result, the one with the largest weight is retained as one of the SDN controllers selected in the next request-processing period;
step three, compute each controller's similarity to the arbitration result; the negative feedback unit decides from this similarity whether the SDN controller must be cleaned and reset. If the similarity is below the threshold, the SDN controller is cleaned, its weight is reset, and after the operation finishes it is returned to the heterogeneous pool unit. If the similarity is greater than or equal to the threshold, the controller's weight is adjusted: if it has already reached the maximum value it is left unchanged, otherwise it is increased.
Compared with the prior art, the invention has the following beneficial effects. Because the heterogeneous pool contains SDN controllers of different architectures, and the backdoors and bugs of controllers with different architectures are different, the probability that a single attack succeeds against the arbitrated result is greatly reduced. In addition, the negative feedback mechanism makes the SDN controllers in the heterogeneous pool adjust their weights dynamically and randomly, which further improves the overall defense capability. The combination of heterogeneous redundancy and negative feedback improves the endogenous security of the system, so that it can defend well against unknown threats.
Drawings
FIG. 1 is a block diagram of the multi-mode arbitration system based on time iteration and a negative feedback mechanism;
FIG. 2 is a flowchart of the negative feedback process.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the invention are described completely below with reference to the accompanying drawings.
FIG. 1 is a block diagram of the multi-mode arbitration system based on time iteration and a negative feedback mechanism according to the present invention. The system comprises a heterogeneous pool unit, a multi-mode arbitrator and a negative feedback unit. The heterogeneous pool unit holds more than three heterogeneous SDN controllers. In each SDN control layer, several heterogeneous SDN controllers process the same input request simultaneously, and the set of results each controller produces within a unit time is submitted to the multi-mode arbitrator. The arbitrator performs a consistency arbitration over the distribution of flow-table information in the output result set and sends the arbitrated result to the switch. After each arbitration, the negative feedback unit adjusts the confidence (weight) of each participating heterogeneous SDN controller according to the arbitration result, which realizes dynamic selection of heterogeneous SDN controllers from the heterogeneous pool unit. The output result and the arbitration result of each SDN controller are recorded.
The multi-mode arbitration system operates as follows.
Step one: within one unit of request-processing time, N SDN controllers (N ≥ 3) are selected at random from the heterogeneous pool unit according to their weight values. If m SDN controllers satisfied the majority arbitration result in the previous unit of request time, those m controllers are retained and only N - m controllers are drawn from the heterogeneous pool unit.
The SDN controllers in the heterogeneous pool unit must satisfy the following requirements:
1. the SDN controllers in the heterogeneous pool unit have completely different structures and equivalent functions;
2. at least three heterogeneous SDN controllers process each input request simultaneously, and the number of controllers processing a given request is smaller than the number of heterogeneous SDN controllers in the heterogeneous pool unit.
Heterogeneous SDN controllers differ in structural composition and implementation principle but produce outputs with the same effect for the same inputs. Each controller has its own specific vulnerabilities and backdoors, so controllers with completely different architectures and equivalent functions will not all fail at once under the same attack. In each request-processing period the arbitrator distinguishes only two outcomes for each similarity test: similarity greater than or equal to the threshold, or similarity below it. For a majority decision to be well defined, the number of heterogeneous SDN controllers participating in request processing must exceed the number of outcomes, that is, it must be at least 3. The number of heterogeneous SDN controllers also measures the diversity of the system: intuitively, increasing the number that participate in a unit request-processing period improves the accuracy with which threats are sensed, but it also increases the operating cost of the system.
Step two: for the same request, the request is distributed to a plurality of SDN controllers selected from the heterogeneous pool at the same time and then processed, a processing result and a set of output results of the SDN controllers in unit time are submitted to the multi-mode resolver, and meanwhile, the output result of each heterogeneous SDN controller is recorded.
Step three: the multimode arbitrator performs consistency arbitration on information distribution in the flow table of the output result set, and the method specifically comprises the following steps: and drawing flow table information distribution in unit time, calculating distribution similarity by the multi-mode arbitrator, performing multi-arbitration to output arbitration results, recording the arbitration results, and issuing the arbitration results to the switch.
Drawing flow table information distribution to perform statistics on the contents of the flow table in the SDN controller, including but not limited to match fields and events;
calculating the similarity is to calculate the mutual similarity of the content distribution of the flow table information by a similarity calculation method;
and if the similarity of the output results of more than half of the heterogeneous SDN controllers is judged to be greater than or equal to a specified threshold value, issuing the calculation result of the SDN controller with the highest weight value in the SDN controller to the router.
Step four: after each arbitration, the negative feedback unit adjusts the confidence of the corresponding heterogeneous SDN controller according to the arbitration result, and records the output result and the arbitration result of each SDN controller, as shown in fig. 2; the specific method comprises the following steps: counting the resolution result of the resolver, and taking the SDN controller with the largest weight value in the SDN controllers which meet the requirement as one of the SDN controllers selected in the next request processing period; and in addition, the similarity of the judgment result is calculated, and the negative feedback unit judges whether the SDN controller in the request processing period needs to be cleaned and reset according to the similarity statistics. If the similarity is smaller than the threshold, the SDN control is required to be cleaned and the weight value is required to be reset, and the SDN control is placed in the heterogeneous pool unit again after the operation is finished. If the similarity is greater than or equal to the threshold, adjusting the weight of the SDN controller, if the weight exceeds the maximum value, not changing the weight, otherwise, increasing the weight.

Claims (6)

1. A multi-mode arbitration system based on time iteration and a negative feedback mechanism, characterized in that: the multi-mode arbitration system comprises a heterogeneous pool unit, a multi-mode arbitrator and a negative feedback unit; the heterogeneous pool unit holds more than three heterogeneous SDN controllers; in each SDN control layer, several heterogeneous SDN controllers process the same input request simultaneously, and the set of results each SDN controller produces within a unit time is submitted to the multi-mode arbitrator; the multi-mode arbitrator performs a consistency arbitration over the distribution of flow-table information in the output result set and sends the arbitration result to the switch; and after each arbitration, the negative feedback unit adjusts the confidence of each participating heterogeneous SDN controller according to the arbitration result, and records the output result and the arbitration result of each SDN controller.
2. The multi-mode arbitration system of claim 1, characterized in that: at least three heterogeneous SDN controllers process each input request simultaneously, and the number of heterogeneous SDN controllers processing a given request is smaller than the number of heterogeneous SDN controllers in the heterogeneous pool unit.
3. The multi-mode arbitration system of claim 1, characterized in that: the SDN controllers in the heterogeneous pool unit have completely different structures and equivalent functions.
4. The multi-mode arbitration system of claim 1, characterized in that: the consistency arbitration comprises plotting the distribution of flow-table information within the unit time, computing the similarity between the distributions in the multi-mode arbitrator, performing majority arbitration, outputting the result, and recording the arbitration result.
5. The multi-mode arbitration system of claim 4, characterized in that: the majority arbitration selects its result as follows: if the information distributions of the processing results of more than half of the heterogeneous SDN controllers within the unit time are similar above a threshold, that processing result is issued to the switch as the arbitration result.
6. The multi-mode arbitration system of claim 1, characterized in that: the confidence of a heterogeneous SDN controller is adjusted according to the arbitration result as follows:
step one, count the arbitration result;
step two, among the SDN controllers that satisfied the majority arbitration result, the one with the largest weight is retained as one of the SDN controllers selected in the next request-processing period;
step three, compute each controller's similarity to the arbitration result; the negative feedback unit decides from this similarity whether the SDN controller must be cleaned and reset. If the similarity is below the threshold, the SDN controller is cleaned, its weight is reset, and after the operation finishes it is returned to the heterogeneous pool unit. If the similarity is greater than or equal to the threshold, the controller's weight is adjusted: if it has already reached the maximum value it is left unchanged, otherwise it is increased.

Priority and Family

Application CN202010147962.5A was filed 2020-03-05 (priority date 2020-03-05) by Zhejiang Lab; family ID 71218714; single-country family (CN), legal status active.

Publications (2)

Publication Number   Publication Date
CN111385299A (application)   2020-07-07
CN111385299B (granted patent)   2021-05-11

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111813070A (en) * 2020-09-11 2020-10-23 之江实验室 Data grading synchronization method between master control units of mimicry industrial controller
CN112073394A (en) * 2020-08-27 2020-12-11 之江实验室 Mimicry judging method based on executive body consensus and judging device
CN113792290A (en) * 2021-06-02 2021-12-14 国网河南省电力公司信息通信公司 Decision method and scheduling system for mimicry defense
CN114826782A (en) * 2022-06-28 2022-07-29 之江实验室 Multi-mode arbitration negative feedback system based on multi-objective optimization algorithm
CN116094948A (en) * 2023-04-12 2023-05-09 乾讯信息技术(无锡)有限公司 Service type password product realization system and method with mimicry structure
CN116455627A (en) * 2023-04-12 2023-07-18 乾讯信息技术(无锡)有限公司 Network cipher machine with mimicry structure and its implementation method
CN116633694A (en) * 2023-07-24 2023-08-22 南京赛宁信息技术有限公司 WEB defense method and system based on multimode heterogeneous component

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107395414A * 2017-07-19 2017-11-24 上海红阵信息科技有限公司 Negative feedback control method and system based on output arbitration
CN110445803A * 2019-08-21 2019-11-12 之江实验室 Smooth traffic migration method for a heterogeneous cloud platform
CN110460658A * 2019-08-05 2019-11-15 上海拟态数据技术有限公司 Distributed storage construction method based on mimic construction
CN110545260A * 2019-08-05 2019-12-06 上海拟态数据技术有限公司 Cloud management platform construction method based on mimic structure
CN110768966A * 2019-10-10 2020-02-07 中国人民解放军战略支援部队信息工程大学 Secure cloud management system construction method and device based on mimic defense


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
沈丛麒 (Shen Congqi) et al., "基于信誉度与相异度的自适应拟态控制器研究" (Research on an adaptive mimic controller based on reputation and dissimilarity), 《通信学报》 (Journal on Communications) *


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant