CN113032782A - Virus transmission inhibition method - Google Patents


Info

Publication number
CN113032782A
Authority
CN
China
Prior art keywords
trust
trust value
node
value
network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110256151.3A
Other languages
Chinese (zh)
Inventor
王刚
冯云
陆世伟
伍维甲
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Air Force Engineering University of PLA
Original Assignee
Air Force Engineering University of PLA

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F30/00 Computer-aided design [CAD]
    • G06F30/20 Design optimisation, verification or simulation

Abstract

The present disclosure relates to a method for inhibiting viral transmission, comprising the steps of: constructing a trust value model of an interactive trust value mechanism, and giving trust values for all links; evaluating infection parameters according to the current network infection condition, and calculating a strategy parameter threshold value for adopting a corresponding virus propagation inhibition strategy; receiving infection feedback information; and responding to the infection feedback information, and adjusting the current network security level according to the trust value. The method provided by the disclosure can reduce the damage of the network structure on the premise of inhibiting the spread of the network viruses, and can adapt to the change of the network security environment to dynamically adjust the network structure.

Description

Virus transmission inhibition method
Technical Field
The disclosure relates to the technical field of computer network information security, in particular to a virus propagation inhibition method.
Background
Viruses can often spread in the network and pose a potential threat to users. The traditional virus defense method by virus source code analysis is disadvantageous in time and cost, and is difficult to deal with increasingly complex network environment and diversified virus attacks.
In the related art, for enterprises, governments and military local area networks that can effectively manage their own network, dynamically changing the network structure (such as link interruption or node isolation) can inhibit the virus from spreading in the network. However, in the process of suppressing network virus propagation by adjusting the network structure, the randomness of the adjustment usually generates unnecessary network traffic loss. Therefore, there is a need to improve one or more of the above-mentioned problems in the related art solutions to reduce the network structure damage while suppressing the network virus propagation, and to dynamically adjust the network structure to adapt to the network security environment change.
It is to be noted that the information disclosed in the above background section is only for enhancement of understanding of the background of the present disclosure, and thus may include information that does not constitute prior art known to those of ordinary skill in the art.
Disclosure of Invention
The present disclosure provides a method for inhibiting virus propagation, so as to reduce network structure damage on the premise of inhibiting network virus propagation, and dynamically adjust a network structure to adapt to network security environment changes.
The present disclosure provides a method for inhibiting viral transmission, comprising the steps of:
constructing a trust value model of an interactive trust value mechanism, and giving trust values for all links;
evaluating infection parameters according to the current network infection condition, and calculating a strategy parameter threshold value for adopting a corresponding virus propagation inhibition strategy;
receiving infection feedback information;
and responding to the infection feedback information, and adjusting the current network security level according to the trust value.
In an embodiment of the present disclosure, the trust value model includes a trust value, a trust value update, and a trusted link identification;
the trust value is the trust measurement of the node on the peripheral nodes, and the corresponding trust matrix is as follows: $Trust(t) = (T_{i,j}(t))$, wherein $T_{i,j}(t)$ is the trust value of user $v_i$ for $v_j$ in the network at time $t$;
the trust value update comprises direct update and trust value interaction;
the trusted link identification is preset with a trust threshold $T_{thro}$; when $T_{i,j}(t) \ge T_{thro}$, the corresponding link is a trusted link.
In an embodiment of the present disclosure, the infection feedback information includes an increase amount and an increase rate of an infected node, and the step of adjusting the current network security level according to a trust value in response to the infection feedback information includes:
when the increase in infected nodes is 0, the network security level is improved;
when the increase in infected nodes is greater than 0 and the growth rate of infected nodes decreases, the security level is maintained;
when the increase in infected nodes is greater than 0 and the growth rate of infected nodes increases, the security level is adjusted downwards.
In an embodiment of the disclosure, in the step of adjusting the current network security level according to the trust value in response to the infection feedback information, the adjusting of the network security level includes adjusting the trust threshold $T_{thro}$ and adjusting the policy parameter $p$;
wherein the policy parameter $p$ is the link interruption ratio.
In an embodiment of the present disclosure, the trust threshold $T_{thro}$ and the policy parameter $p$ are adjusted according to the following rule:
Figure RE-GDA0003059536550000021
Figure RE-GDA0003059536550000022
where
Figure RE-GDA0003059536550000023
represents the average number of newly added infected nodes in the current period, and
Figure RE-GDA0003059536550000024
represents the average number of newly added infected nodes in the previous period.
In an embodiment of the present disclosure, the directly updating includes a direct trust value updating algorithm, and the trust value is updated by using a historical infection behavior.
In an embodiment of the present disclosure, the direct trust value updating algorithm includes:
obtaining the trust matrix at the current moment from the trust value matrix at the previous moment, the set of nodes infected in unit time, the trust threshold, the adjacency matrix and the lowest trust value.
In an embodiment of the present disclosure, the trust value interaction includes a trust value interaction algorithm.
In an embodiment of the present disclosure, the trust value interaction algorithm includes:
obtaining the trust value matrix after interaction from the current trust value matrix, the node number and the received trust value information.
In an embodiment of the present disclosure, the trust value uses a discrete value instead of a continuous value.
The technical scheme provided by the disclosure can comprise the following beneficial effects:
In the embodiment of the disclosure, a trust value model of an interactive trust value mechanism is constructed by combining a virus propagation immunity mechanism, the network structure is adjusted on the basis of trust values, and the trust threshold and the policy parameter are adaptively adjusted according to changes in the network security environment. Theoretical analysis and simulation results show that, when marking untrusted links, trust value interaction can effectively improve the accuracy and reduce the miss rate; compared with a random link interruption strategy, the proposed strategy can reduce the damage to the network structure while inhibiting the spread of network viruses, and can dynamically adjust the network structure to adapt to changes in the network security environment.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure. It is apparent that the drawings in the following description are only some embodiments of the disclosure, and that other drawings may be derived from those drawings by a person of ordinary skill in the art without inventive effort.
FIG. 1 shows a schematic diagram of the steps of a method of suppressing viral transmission in an exemplary embodiment of the present disclosure;
FIG. 2 illustrates a trust value model diagram in an exemplary embodiment of the present disclosure;
FIG. 3 is a diagram illustrating link tagging in a network before and after trust value interaction in an exemplary embodiment of the present disclosure;
FIG. 4 is a schematic diagram illustrating a network virus propagation suppression flow in an exemplary embodiment of the present disclosure;
FIG. 5 shows an SIRS model node state transition diagram in an exemplary embodiment of the present disclosure;
FIG. 6 shows a diagram of the statistics of the correctness at different trust values in an exemplary embodiment of the present disclosure;
FIG. 7 is a graph illustrating missed detection rate statistics in an exemplary embodiment of the disclosure;
FIG. 8 is a diagram illustrating a simulated virus propagation condition and its model evolution result mean square error in an exemplary embodiment of the disclosure;
FIG. 9 is a schematic diagram illustrating model evolution results and simulated virus propagation in an exemplary embodiment of the disclosure;
FIG. 10 is a graph illustrating parameter variation during policy enforcement in an exemplary embodiment of the present disclosure;
FIG. 11 is a schematic diagram illustrating a simulated virus propagation situation under a random link failure policy in an exemplary embodiment of the disclosure;
FIG. 12 is a schematic diagram illustrating a comparison of link interruption ratios during execution of different policies according to an exemplary embodiment of the disclosure.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
Furthermore, the drawings are merely schematic illustrations of the present disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and thus their repetitive description will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
In the present exemplary embodiment, a virus propagation inhibiting method is provided, as shown with reference to fig. 1, which includes the steps of:
step S101: constructing a trust value model of an interactive trust value mechanism, and giving trust values for all links;
step S102: evaluating infection parameters according to the current network infection condition, and calculating a strategy parameter threshold value for adopting a corresponding virus propagation inhibition strategy;
step S103: receiving infection feedback information;
step S104: and responding to the infection feedback information, and adjusting the current network security level according to the trust value.
Hereinafter, the above-described steps in the present exemplary embodiment will be described in more detail.
In step S101, the trust model mainly discriminates the untrusted entities according to the historical behaviors of the target object or related information, and is generally classified into a direct type and an indirect type. One type is a direct trust model, and trust degree updating and identification of trusted entities are implemented by using historical behaviors among network entities, however, information which can be contacted by real network entities is limited, and a single entity is difficult to directly identify some malicious entities which do not cause harm to the single entity. The other type is an indirect trust model, and the network entity in the model acquires relevant information from other entities so as to acquire the trust degree of a specific entity, and realizes more efficient malicious entity identification than a direct trust model through information sharing among users. In a word, the direct trust model emphasizes the collection and processing of historical behaviors among entities, and the indirect trust model emphasizes the sharing of trust among entities.
In the network virus propagation research process, nodes are generally divided into different states according to node immunity and infection conditions, and common states include a Susceptible state (S, Susceptible), an Infected state (I, Infected) and an immune state (R, Recovery). Generally, an infected node has the capability of infecting a susceptible node, and the starting point of network structure adjustment is to reduce the connection between two types of nodes, delay the transmission of virus-carrying information and further control the scale of the infected node in the network. In the virus transmission process, the infection behaviors among the nodes indicate the positions of the infected nodes to a certain extent. The direct trust model provides a thought for adjusting the trust according to the historical infection behaviors, and nodes with the infection behaviors can be marked. For a susceptible node, because historical information of infection behaviors is lacked before the node is infected, the situation of surrounding nodes cannot be identified by adopting a direct trust mode, and related information needs to be acquired from adjacent nodes by using an indirect trust mode. Therefore, the interactive trust value mechanism is constructed on the basis of the direct trust model and the indirect trust model by combining the network virus propagation immunity mechanism, the collection and utilization of the historical infection behavior information in the network and the sharing of the trust value among nodes are realized, the virus propagation inhibition strategy is provided on the basis, and the simulation verification is carried out by taking the link interruption as an example.
For internal networks such as those of governments and enterprises, the operating systems and software are basically consistent, and as long as a certain virus infects one computer, the virus can be copied by the infected user terminal and spread in the network. Once the virus causes harm to a user, the user can detect the existence of the virus and unilaterally conclude that it is in a relatively dangerous network environment. In this case, to protect itself, the user can reduce the trust level of the surrounding nodes, and if the corresponding nodes subsequently show no infection behavior, the trust level can gradually recover. Adjusting one's own trust values because of an infection is a passive, after-the-fact trust adjustment, whereas through trust sharing the uninfected nodes can actively adjust their trust according to the trust information of the infected nodes. An interactive trust value mechanism is designed on the basis of the direct trust model and the indirect trust model and is used for marking links in the network that may be connected to infected nodes.
In one embodiment, a computer network is abstracted as a directed graph $G = \{V, E\}$, where $V = \{v_i \mid i = 1, 2, \dots, N\}$ and $v_i$ represents node $i$ in the graph, corresponding to network user $i$; $E = \{(v_i, v_j) \mid i, j = 1, 2, \dots, N, \text{ and } i \ne j\}$, where $(v_i, v_j)$ is an ordered pair of nodes from $v_i$ to $v_j$ and indicates that a logical connection exists between node $i$ and node $j$. In particular, the trust value model is shown in fig. 2, and includes a trust value, a trust value update, and a trusted link identification.
The trust value is a node's trust measurement of the nodes around it, and discrete values are adopted instead of continuous values in consideration of the calculation complexity and the amount of data exchanged. Define $T_{i,j}(t)$ as the trust value of network user $v_i$ for $v_j$ at time $t$. The trust value is set to -1 in the initial state, which represents the highest trust level, and $T_{min}$ is the lowest trust value. The corresponding trust value matrix can be represented as:
$$Trust(t) = (T_{i,j}(t)) \tag{1}$$
Trust value updating is a routine activity of network operation and maintenance, and has two modes: direct updating and trust value interaction. Direct updating means that a node updates its trust values according to whether it has been infected: if the node is infected, its trust values for all surrounding nodes are adjusted downwards; otherwise, the trust values are gradually restored. Trust value interaction means that a node obtains trust values from a neighboring node and modifies its own trust values accordingly.
Trusted link identification means that a node judges its surrounding links through the trust values. A trust threshold $T_{thro}$ is introduced. If $T_{i,j}(t) \ge T_{thro}$, node $v_i$ identifies node $v_j$ as a normal node and the corresponding link is a trusted link; otherwise, node $v_i$ identifies node $v_j$ as an infected node and the corresponding link is an untrusted link.
Specifically, the trust value updating algorithm includes a direct trust value updating algorithm and a trust value interaction algorithm. The direct trust value updating algorithm uses historical infection behaviors to update the trust values. When $v_i$ is infected, its trust values for all adjacent nodes are adjusted to the lowest value; if the node is not infected, its trust values for the adjacent nodes recover automatically, and, taking the slow start algorithm in the TCP congestion control mechanism as a reference, different recovery speeds are adopted at different stages of the trust value. When the trust value is below the threshold it recovers more slowly, and when it is above the threshold it recovers faster. A dynamically adjusted threshold $T_{thro}$ is set according to the overall network infection condition; if the trust value for a node is smaller than the threshold, the node is determined to be an infected node, otherwise it is determined to be a normal node. From the above analysis, Algorithm 1 is designed for direct trust value updating.
Algorithm 1: direct trust value update algorithm
Input: trust value matrix at the previous moment $Trust(t-1)$, the set of nodes infected per unit time $N_I$, threshold $T_{thro}$, adjacency matrix ADJ, lowest trust value $T_{min}$
Output: the trust value matrix $Trust(t)$ at the current moment.
Let the average degree of the network nodes be $k$; the time complexity of the direct trust value updating algorithm is then about $O(Nk)$. A network node only needs to process its own trust values for its adjacent nodes, and does not need to manage and maintain the whole trust value matrix. For a single node of the network, the time complexity of the direct trust value update algorithm is $O(k)$.
The network node processes the received trust value information according to a trust value interaction algorithm. In the trust value interaction process, node $v_i$ sends its own trust value information in the following format:
Figure RE-GDA0003059536550000071
where id is the number of node $v_i$ (the identification information of the corresponding node, which can be regarded as the network user's IP address); $(ADJ\_id_k, trust\_value_k)$ is one of the neighboring nodes of $v_i$ and the corresponding trust value, $k = 1, 2, \dots, m$; and $m$ is the number of neighboring nodes of $v_i$. With reference to the route exchange algorithm in the RIP protocol, the trust value interaction algorithm is designed as shown in Algorithm 2.
Algorithm 2: trust value interaction algorithm
Input: current trust value matrix $Trust(t)$, node number ID, received trust value information
Figure RE-GDA0003059536550000081
Output: the trust value matrix $Trust(t)$ after interaction.
The time complexity of the trust value interaction algorithm depends on the amount of neighbor trust value information received. For a network with average node degree $k$, the trust value information that a network node receives from an adjacent node contains the trust values of $k$ nodes. Thus the time complexity of the trust value interaction algorithm is about $O(k)$; a single node needs to process the trust value information sent by all of its adjacent nodes, so its time complexity is about $O(k^2)$. Trust values occupy storage space and bandwidth during storage and interaction. The space required on average to store the trust values is about $k(l_{id}+l_{tr})$ bit, where $l_{id}$ is the length of the node identification information and $l_{tr}$ is the length of the trust value itself. At the network node level, one node sends its own trust value information to all adjacent nodes, so the amount of information it sends is about $k^2(l_{id}+l_{tr})$ bit, and the total amount of information sent by the network nodes is $Nk^2(l_{id}+l_{tr})$ bit. In general, the trust value information that node $v_i$ sends to its neighboring node $v_j$ contains 3 types: (1) trust value information about $v_j$ itself; (2) trust value information about common neighboring nodes; (3) trust value information about other, new nodes. For the trust value receiver, only type 2 information is necessary, so to reduce the bandwidth occupied by trust value sharing, sending only type 2 trust value information is considered. If the average clustering coefficient of a node is $clu$, the probability of a link between adjacent nodes of that node is $clu$, and the total amount of information that all nodes need to send during the interaction is $Nk^2\,clu\,(l_{id}+l_{tr})$ bit.
In this case, each node needs a preliminary grasp of the link conditions of its adjacent nodes. Feedback can be given after the first trust value interaction: the information receiver tells the information sender which information is necessary, and gives feedback again when the receiver's links change.
The trust value is used for marking link credibility in the network, and a node judges its security environment according to the trust values, so the marking effect of the trust values largely determines the final defense effect. For this reason, the accuracy and the miss rate are defined as follows:
Figure RE-GDA0003059536550000082
where $N_{iden}$ is the number of links whose starting point is marked as an infected node, $I_{iden}$ is the number of links whose starting point is an infected node and which are marked, and $I_{actual}$ is the number of links in the network whose starting point actually is an infected node; accu is the accuracy, which represents the probability that an untrusted-link mark is correct; miss is the miss rate, which represents the proportion of untrusted links that are not marked.
As shown in FIG. 3, in a small network comprising 6 nodes, nodes $v_4$ and $v_6$ are infected nodes; during communication, $v_3$ is infected by $v_4$ and likewise becomes an infected node.
According to the direct trust value update algorithm, as shown in FIG. 3(a), $v_3$ lowers the trust values of the links to all of its adjacent nodes, and the corresponding links are marked as untrusted links. Through trust value interaction, as shown in FIG. 3(b), all adjacent nodes of $v_3$ determine from the trust value information that $v_3$ is an infected node, lower the trust values of the corresponding links and mark them as untrusted links. In addition, nodes $v_2$, $v_4$ and $v_5$ determine, according to the trust value information of node $v_3$, that the nodes adjacent to both themselves and $v_3$ are infected nodes, lower the trust values of the corresponding links and mark them as untrusted links. According to formula (3), the accuracy in FIG. 3(a) is 0.25 and the miss rate is about 0.85; in FIG. 3(b), the accuracy is 0.5 and the miss rate is about 0.14.
As can be seen from comparing FIG. 3(a) and (b), through trust value interaction the network marks more links as untrusted links. These untrusted links comprise two parts. One part is the links between adjacent nodes of an infected node: the adjacent nodes of the infected node make the determination directly from the trust value information of the infected node, so the accuracy is determined by the accuracy of the judgment at the information source, and the accuracy of these newly added untrusted links is 0.33. The other part is the judgment of the infected node made by its adjacent nodes according to the trust value information of the infected node; this judgment is accurate provided that the node publishes a correct trust value, and the accuracy of these newly added links is 1.
In conclusion, through trust value interaction, more of the links connected to infected nodes in the network are marked, so $I_{iden}$ increases while the total number of links connected to infected nodes, $I_{actual}$, is unchanged, and the miss rate is therefore reduced. As for the accuracy, the accuracy of the newly added untrusted links in the first part is equivalent to the accuracy of the untrusted links marked by the information source node, while the untrusted links marked in the second part are absolutely accurate; under the combined action of the two parts the accuracy improves.
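The direct update, the trust value interaction and the accuracy/miss-rate comparison described above, as an added Python example; it is not the patent's Algorithm 1 or 2, whose listings are not reproduced on this page. The 6-node graph is constructed and is not the network of FIG. 3; the recovery step sizes, the rule for inferring that a sender is infected, and adopting the lower trust value for a common neighbour are assumptions.

```python
T_MAX = -1    # initial and highest trust value (from the page)
T_MIN = -32   # lowest trust value (the page's simulation setting)

def init_trust(adj):
    """One entry per directed link (i, j): v_i's trust value for v_j."""
    return {(i, j): T_MAX for i in adj for j in adj[i]}

def direct_update(trust, newly_infected, t_thro, slow=1, fast=4):
    """Direct update as described in prose: a node that detects its own
    infection drops every neighbour to T_MIN; otherwise trust recovers,
    slower below the threshold than above it (step sizes are assumed)."""
    out = {}
    for (i, j), cur in trust.items():
        if i in newly_infected:
            out[(i, j)] = T_MIN
        else:
            step = slow if cur < t_thro else fast
            out[(i, j)] = min(cur + step, T_MAX)
    return out

def build_message(trust, adj, node):
    """Message in the page's format: (id, [(ADJ_id_k, trust_value_k), ...])."""
    return node, [(j, trust[(node, j)]) for j in sorted(adj[node])]

def interact(trust, adj, t_thro):
    """One synchronous interaction round over an undirected graph.
    Assumed rule A: a sender that distrusts all its neighbours has been
    infected, so each receiver drops its trust in the sender.
    Assumed rule B: for a common neighbour, keep the lower trust value."""
    messages = [build_message(trust, adj, s) for s in adj]  # snapshot
    out = dict(trust)
    for sender, entries in messages:
        sender_infected = all(tv < t_thro for _, tv in entries)
        for receiver in adj[sender]:
            if sender_infected:
                out[(receiver, sender)] = T_MIN
            for j, tv in entries:
                if j != receiver and j in adj[receiver]:
                    out[(receiver, j)] = min(out[(receiver, j)], tv)
    return out

def untrusted_links(trust, t_thro):
    """Links whose trust value is below the threshold."""
    return {link for link, tv in trust.items() if tv < t_thro}

def mark_quality(trust, t_thro, infected):
    """Return (accu, miss). A mark on (i, j) is counted as correct when the
    judged node j is really infected (an assumed reading of the page's
    'starting point', since infection travels from v_j to v_i)."""
    marked = untrusted_links(trust, t_thro)
    n_iden = len(marked)
    i_iden = sum(1 for (_, j) in marked if j in infected)
    i_actual = sum(1 for (_, j) in trust if j in infected)
    accu = i_iden / n_iden if n_iden else 0.0
    miss = 1 - i_iden / i_actual if i_actual else 0.0
    return accu, miss

# Constructed sample: undirected 6-node graph; nodes 3, 4 and 6 are infected,
# but only node 3 has detected its infection in this time unit.
ADJ = {1: {2, 3}, 2: {1, 3}, 3: {1, 2, 4, 5}, 4: {3, 5, 6}, 5: {3, 4}, 6: {4}}
INFECTED = {3, 4, 6}
T_THRO = -16  # constructed threshold between T_MIN and T_MAX

def demo():
    """Mark quality after the direct update, then after one interaction round."""
    trust = direct_update(init_trust(ADJ), {3}, T_THRO)
    before = mark_quality(trust, T_THRO, INFECTED)
    trust = interact(trust, ADJ, T_THRO)
    after = mark_quality(trust, T_THRO, INFECTED)
    return before, after

if __name__ == "__main__":
    for label, (accu, miss) in zip(("direct only", "after interaction"), demo()):
        print(f"{label}: accu={accu:.3f} miss={miss:.3f}")
```

The messages here carry every neighbour entry, as in the page's message format, rather than only the common-neighbour (type 2) entries of the bandwidth optimisation.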
During virus propagation, the interactive trust value mechanism gives trust values for all links, which are used to mark the trust level between nodes. The nodes can evaluate the surrounding security environment according to the trust value, and provide basis for accurate and effective inhibition of virus propagation. Specifically, the following provides a virus propagation suppression policy based on an interactive trust value mechanism, which corresponds to steps S102 to S104, and its corresponding execution flowchart is shown with reference to fig. 4.
In step S102, the network administrator roughly estimates infection parameters according to the current infection status in the network, and calculates a threshold value for adopting a corresponding virus propagation suppression policy according to the estimated parameter values.
In step S103, the user feeds back the infection status to the administrator, specifically, the infection feedback information includes the growth amount and the growth rate of the infected node.
In step S104, the administrator estimates the current network security level according to the feedback information and performs a targeted adjustment.
In a particular embodiment, the network security level is embodied as the trust threshold $T_{thro}$ and the policy parameter, which can be adjusted according to the following rules. The security level is improved: infected nodes no longer appear in the network, the network can be preliminarily determined to have reached a safe state, and $T_{thro}$ is lowered. The security level is lowered: according to the feedback information, the infected nodes in the network keep increasing or their number remains unchanged, the current parameters are insufficient to completely eliminate the virus, and $T_{thro}$ is adjusted upward; when $T_{thro}$ has been adjusted to the maximum and the virus still cannot be eliminated, adjusting the policy parameter can be considered, increasing the degree of adjustment. The security level is maintained: although newly added infected nodes still appear, the overall number of infected nodes begins to decrease, and the parameters can be kept unchanged.
Specifically, taking link interruption as an example, the constructed SIRS virus propagation model describes a virus propagation situation in a network, and a node state conversion relationship is shown in fig. 5.
Wherein S, I and R represent a susceptible state, an infected state and an immune state, respectively. Beta is the probability of contact infection, k is the mean of the nodes in the network, omega, delta and
Figure RE-GDA0003059536550000101
respectively represent the transition probabilities between the corresponding states. The corresponding differential equations are:
Figure RE-GDA0003059536550000102
The premise for the network to eliminate the virus through its own immune capacity is that the average degree satisfies the following condition:
Figure RE-GDA0003059536550000103
When
Figure RE-GDA0003059536550000104
some links need to be interrupted to reduce the average degree; if the policy parameter (link interruption ratio) is set to p, then p needs to satisfy:
Figure RE-GDA0003059536550000105
In the process of inhibiting virus propagation, only links marked as untrusted need to be disconnected. Combining fig. 4 with the above analysis, the trust threshold and the policy parameter can be adjusted according to network infection feedback and the following rules:
Figure RE-GDA0003059536550000111
To avoid misjudging the network security environment because of the randomness with which nodes become infected during virus propagation, a unit time period can be set according to actual conditions, and changes in the network security environment are judged from the number of newly infected nodes in each unit time period.
Figure RE-GDA0003059536550000112
represents the average number of newly infected nodes in the current period, and
Figure RE-GDA0003059536550000113
represents the average number of newly infected nodes in the previous period.
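The feedback rules described above can be written as a small controller that averages new infections per period and then raises, holds or relaxes the policy. This is an added example, not code from the patent: the threshold upper bound, the step sizes and the sample counts are assumptions, since the patent's exact update formulas are not reproduced in the text.

```python
from dataclasses import dataclass

T_MIN = -32     # lowest trust value, from the page's simulation settings
T_MAX = 0       # assumed upper bound for the threshold (not given on the page)
T_STEP = 8      # assumed step; the page only discusses thresholds -8, -16, -24
P_STEP = 0.05   # assumed increment for the link interruption ratio
PERIOD = 20     # time units per counting period, as in the page's experiment


@dataclass(frozen=True)
class Policy:
    t_thro: int   # a link is trusted when its trust value >= t_thro
    p: float      # link interruption ratio


def period_means(new_infections, period=PERIOD):
    """Average newly infected nodes per complete period (smooths random noise)."""
    full = len(new_infections) // period
    return [sum(new_infections[i * period:(i + 1) * period]) / period
            for i in range(full)]


def adjust(policy, mean_now, mean_prev):
    """Apply the three feedback rules to one period; returns (policy, action)."""
    if mean_now == 0:
        # No new infections: network judged safe, so the threshold is lowered.
        return Policy(max(T_MIN, policy.t_thro - T_STEP), policy.p), "relax"
    if mean_now < mean_prev:
        # New infections still appear but are shrinking: keep the parameters.
        return policy, "hold"
    # New infections growing or flat: widen the untrusted range first, and
    # only once the threshold is at its maximum raise the interruption ratio.
    if policy.t_thro < T_MAX:
        return Policy(min(T_MAX, policy.t_thro + T_STEP), policy.p), "raise_threshold"
    return Policy(policy.t_thro, min(1.0, round(policy.p + P_STEP, 3))), "raise_ratio"


def run(new_infections, start):
    """Replay per-time-unit feedback; returns one trace row per period."""
    means = period_means(new_infections)
    trace, policy = [], start
    for prev, now in zip(means, means[1:]):
        policy, action = adjust(policy, now, prev)
        trace.append((now, action, policy.t_thro, policy.p))
    return trace


# Constructed feedback: six periods of 20 time units each (not data from the page).
SAMPLE = [3] * 20 + [4] * 20 + [4] * 20 + [5] * 20 + [2] * 20 + [0] * 20
START = Policy(t_thro=-8, p=0.228)   # constructed starting point

if __name__ == "__main__":
    for row in run(SAMPLE, START):
        print(row)
```

Keeping the interruption ratio unchanged when the threshold is relaxed is also an assumption; the text only says the trust threshold is restored once infected nodes are cleared.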
Simulation analysis:
Simulation analysis was performed from 3 aspects: (1) comparing the trust value mechanism and the interactive trust value mechanism in terms of accuracy and missed detection rate; (2) verifying the effectiveness of the virus propagation inhibition strategy under the interactive trust value mechanism; (3) analyzing the influence of the virus propagation inhibition strategy based on the interactive trust value mechanism on network security and structure by comparison with the random link interruption strategy. In the simulation, some parameters of the SIR model are set as follows: T_min = -32, k = 16, N = 2000, δ = 0.1, ω = 0.08,
Figure RE-GDA0003059536550000114
The initial value is set to (S(0), I(0), R(0)) = (1800, 200, 0). When β is less than 0.015, R_0 < 1 and the network stabilizes at the virus-free equilibrium point; when β is greater than 0.015, R_0 > 1 and the network stabilizes at the virus equilibrium point. If an IP address is used as the node identifier, storing the trust value information of a network node takes about 608 bits on average; in an Internet environment, if the system administrator assigns a number to each user, only 288 bits of storage space are needed.
The experimental environment is as follows:
Virus propagation relies on information flow in the network, so the virus propagation network is in effect a mapping of people's social network onto the computer network; the simulation experiments below are therefore performed in a small-world network, which can reflect a social network. The steps are: (1) the networkx complex network tool for Python is used to generate a small-world network with 2000 nodes, an average degree of 16 and a reconnection probability of 0.3; (2) virus propagation is simulated in the randomly generated small-world network according to the state transitions shown in fig. 5, and the infection status and the changes in node numbers during propagation are recorded; (3) MATLAB is used to solve the differential equations shown in formula (4), and the result is compared with the virus propagation simulated in step (2); (4) a trust value management table is established for each node in the generated small-world network (a trust value matrix is used to store trust relationships in this disclosure), and the trust values in the trust matrix are updated in real time according to the information recorded in step (2).
Accuracy and missed detection rate:
Let β be 0.02. The accuracy at different trust values without and with trust value interaction is shown in fig. 6, the corresponding missed detection rate is shown in fig. 7, and the proportion of links in the untrusted state is shown in table 1.
Table 1: Proportion of links with trust values below the trust threshold
Figure RE-GDA0003059536550000121
As can be seen from fig. 6, for both the trust value mechanism and the interactive trust value mechanism, the lower the trust value, the higher the accuracy, because in the process of trust value recovery, the immunity of some of the marked infected nodes decreases, and the contention rate decreases accordingly. Comparing fig. 6(a) and (b), at lower trust values the accuracy with trust value interaction is 2 times the accuracy without trust value interaction, and at higher trust values it is lower than the accuracy without trust value interaction.
Comparing fig. 7(a) and (b), the missed detection rate of the interactive trust value mechanism is reduced by about 0.72, 0.7 and 0.6 when the trust threshold is -8, -16 and -24, respectively. The decrease indicates that more untrusted links are marked through trust value interaction, and the difference in how much the missed detection rate changes across trust thresholds indicates that the proportion of untrusted links is larger at lower trust values.
As can be seen from the analysis in table 1, fig. 6, and fig. 7, more links are marked as untrusted links through trust value interaction, the untrusted range is expanded, and trust value interaction increases the density of real untrusted links in the untrusted range, which can provide more beneficial reference for inhibiting virus propagation.
Strategy effectiveness:
Taking link interruption as an example, the validity of the virus propagation inhibition strategy based on the interactive trust value mechanism is verified. With β set to 0.02, the simulated virus propagation in the network is shown in fig. 8(a); the mean square error between the model evolution result and the simulated virus propagation result at different infection rates β is shown in fig. 8(b), and the mean square error is smallest when β is 0.175.
The network then stabilizes at the virus equilibrium point P1 (569.5, 162.1, 1268.4), which is substantially identical to the simulated virus propagation. From formulas (5) and (6), the virus-free state can be achieved when k is not more than 13.714. The initial parameters are set to T_thro = 24 and p = 22.8%, and the counting period for newly infected nodes is set to 20 units of time. Fig. 9(a) shows the virus propagation of the model evolution when p is 22.8%, fig. 9(b) shows the simulated network virus propagation under the proposed strategy, and fig. 10 shows the parameter changes during strategy execution.
As can be seen from fig. 9, the proposed strategy can effectively suppress virus propagation in the network. As can be seen from fig. 10(a) and fig. 9(b), the change of the trust threshold corresponds to the change in the number of infected nodes in the network: when the number of infected nodes increases, the trust threshold is adjusted upward to expand the range in which link interruption can be executed; when the infected nodes are cleared, the trust threshold is restored in time so that the network returns to a normal state. As can be seen from fig. 10(b), when the trust threshold has been adjusted to its highest value and the virus still cannot be completely eliminated, the network can further eliminate the virus by adjusting the policy parameter (the untrusted link interruption ratio).
In conclusion, the virus propagation inhibition strategy based on the interactive trust value mechanism can utilize the infection information (the number of newly-added infected nodes) in the network to evaluate the network security environment in the execution process, so as to adjust the relevant parameters in a targeted manner, and finally achieve the purpose of completely inhibiting the virus propagation.
Security-network architecture comparison:
The random link interruption strategy and the proposed strategy based on the interactive trust value mechanism are compared from 2 aspects: security and impact on network structure. With the same parameter configuration as above, the simulated virus evolution under the random link interruption strategy is shown in fig. 11.
Comparing with fig. 9(b) and analyzing the trend in the number of infected nodes shows that the virus propagation inhibition strategy based on the interactive trust value mechanism can ensure network security, and that adjusting the trust threshold and the link interruption ratio can speed up the network's elimination of infected nodes.
The main purpose of the interactive trust value mechanism is to provide a basis for implementing virus propagation suppression strategies, so that isolation can be more precise. Links are the carriers of communication services in the network, so interrupting a link improves network security but also affects network communication capability. The following mainly compares the number of links broken under the random link interruption strategy with the number broken under the link interruption strategy based on the interactive trust value mechanism; fig. 12 compares the link interruption ratios during the implementation of the two strategies. In terms of interruption scale, the link interruption strategy based on the interactive trust value mechanism changes the network structure less than the random link interruption strategy.
As can be seen from a comparison of fig. 9(b), fig. 10 and fig. 12, the link interruption ratio during the implementation of the strategy of the present disclosure matches, to some extent, the trends in the number of infected nodes in the network and in the trust threshold. Although the trust threshold and the link interruption ratio parameter are gradually increased, the proportion of links actually interrupted keeps decreasing, because the links connecting infected nodes and the links marked as untrusted generally decrease as infected nodes and infection behaviors decrease; once the network has completely eliminated the virus, the trust threshold is lowered and the network gradually returns to a normal state. This shows that the interactive trust value mechanism can provide an effective reference for executing the virus propagation suppression policy, can adjust parameters according to the specific security environment in the network, reduces the randomness of link interruption, and reduces the influence on the network structure while improving security.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.

Claims (10)

1. A method for inhibiting viral transmission, comprising the steps of:
constructing a trust value model of an interactive trust value mechanism, and giving trust values for all links;
evaluating infection parameters according to the current network infection condition, and calculating a strategy parameter threshold value for adopting a corresponding virus propagation inhibition strategy;
receiving infection feedback information;
and responding to the infection feedback information, and adjusting the current network security level according to the trust value.
2. The method of claim 1, wherein the trust value model comprises a trust value, a trust value update, and a trusted link identification;
the trust value is the node's measure of trust in its neighboring nodes, and the corresponding trust matrix is: Trust(t) = (T_i,j(t)), wherein T_i,j(t) is the trust value of user v_i for v_j in the network at time t;
the trust value update comprises direct update and trust value interaction;
the trusted link identification presets a trust threshold T_thro; when T_i,j(t) ≥ T_thro, the corresponding link is a trusted link.
3. The method of claim 2, wherein the infection feedback information includes the increase of infected nodes and the growth rate of infected nodes, and the step of adjusting the current network security level according to the trust value in response to the infection feedback information includes:
when the increase of infected nodes is 0, raising the network security level;
when the increase of infected nodes is greater than 0 and the growth rate of infected nodes decreases, maintaining the security level;
and when the increase of infected nodes is greater than 0 and the growth rate of infected nodes increases, lowering the security level.
4. The method of claim 3, wherein in the step of adjusting the current network security level according to the trust value in response to the infection feedback information, the adjusting of the network security level comprises adjusting the trust threshold T_thro and adjusting the policy parameter p;
wherein the policy parameter p is a link interruption ratio.
5. The method according to claim 4, characterized in that the trust threshold T_thro and the policy parameter p are adjusted according to the following rules:
Figure FDA0002967298280000021
Figure FDA0002967298280000022
wherein
Figure FDA0002967298280000023
represents the average number of newly added infected nodes in the current period,
Figure FDA0002967298280000024
the average number of newly-added infected nodes in the last period is shown.
6. The method of claim 2, wherein the direct update comprises a direct trust value update algorithm that updates the trust value with historical infection behavior.
7. The method of claim 6, wherein the direct trust value update algorithm comprises:
obtaining the trust matrix at the current moment from the trust value matrix at the previous moment, the set of nodes infected in unit time, the trust threshold, the adjacency matrix and the lowest trust value.
8. The method of claim 2, wherein the trust value interaction comprises a trust value interaction algorithm.
9. The method of claim 8, wherein the trust value interaction algorithm comprises:
obtaining the trust value matrix after interaction from the current trust value matrix, the node number and the received trust value information.
10. The method of claim 1, wherein the trust value is a discrete value instead of a continuous value.
CN202110256151.3A 2021-03-09 2021-03-09 Virus transmission inhibition method Pending CN113032782A (en)


Publications (1)

Publication Number Publication Date
CN113032782A true CN113032782A (en) 2021-06-25

Family

ID=76467470



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination