CN114115068A - Heterogeneous redundancy defense strategy issuing method of endogenous security switch - Google Patents

Info

Publication number
CN114115068A
Authority
CN
China
Prior art keywords
switch
attack
threat
defense
endogenous
Prior art date
Legal status
Pending
Application number
CN202111471268.XA
Other languages
Chinese (zh)
Inventor
程光
赵玉宇
刘纯香
吴桦
Current Assignee
Southeast University
Original Assignee
Southeast University


Classifications

    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B19/00Programme-control systems
    • G05B19/02Programme-control systems electric
    • G05B19/04Programme control other than numerical control, i.e. in sequence controllers or logic controllers
    • G05B19/042Programme control other than numerical control, i.e. in sequence controllers or logic controllers using digital processors
    • G05B19/0421Multiprocessor system
    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00Program-control systems
    • G05B2219/20Pc systems
    • G05B2219/24Pc safety
    • G05B2219/24182Redundancy

Abstract

The invention discloses a heterogeneous redundancy defense strategy issuing method for an endogenous security switch. The method analyzes and models the forms in which multiple network attacks appear on the data plane, generates a set of multi-means heterogeneous defense strategies for each network attack so as to achieve strategy elasticity, and finally uses an MRV knowledge base and intelligent voting over boundary resources to select and enable a strategy under mimicry conditions. The invention actively defends against six kinds of network attacks: VLAN hopping attack, spanning tree attack, MAC table flooding attack, ARP spoofing attack, UDP flooding attack and MAC spoofing attack. It introduces a hierarchical defense mechanism graded by the severity of the currently attacked network state and implements four defense strategies accordingly: cleaning, isolation, asset migration and system hopping.

Description

Heterogeneous redundancy defense strategy issuing method of endogenous security switch
Technical Field
The invention belongs to the technical field of network attack and defense, and in particular relates to a heterogeneous redundancy defense strategy issuing method for an endogenous security switch.
Background
The switch serves as the 'gate' through which network information circulates, and its security is an important link in network security construction. As the network information era develops, the network information industry occupies an increasingly important position, attacks aimed at network switches are becoming more frequent, and the attack types are increasing, for example MAC table flooding attacks, ARP spoofing attacks and spanning tree loop attacks. Traditional Ethernet switches usually rely on added passive defenses such as firewalls and port binding, which cannot cope with the great variety of network attacks; in particular, when an attacker exploits an unknown vulnerability or an unknown backdoor in the switch, the traditional defensive means become nominal, creating a serious hidden danger to network information security.
To address the inherent defects of passive defense, Academician Wu Jiangxing proposed an active defense method, namely mimicry defense (endogenous security) technology. Its core adopts a dynamic heterogeneous redundancy system mechanism, so that it not only effectively prevents the various known network attacks but also defends against external attacks that exploit unknown vulnerabilities and unknown backdoors. Mimicry defense is an active defense technology with strong attack resistance, which allows the switch platform to retain good defensive capability against network attacks even while carrying vulnerabilities and malicious code.
The dynamic heterogeneous redundancy mechanism is the core of mimicry defense technology and has three characteristics: dynamics, heterogeneity and redundancy. Dynamics means that when a network attack is encountered, the strategy scheduling module selects different strategy schemes from the pool of heterogeneous executors, preventing an attacker from penetrating the switch's internal defense framework. Heterogeneity means that executors with the same function differ from one another, for example in operating system, protocol or programming language. Redundancy means that several executors can defend against the same attack, so that multiple alternative schemes are available for the same threat situation. In terms of its uncertainty mechanism, dynamic heterogeneous redundancy therefore benefits from introducing dynamics, randomness and diversity; in terms of attack difficulty, it benefits from the fact that a coordinated attack must succeed across executors that do not coordinate with one another; and in terms of implementation, it builds on a multi-dimensional dynamic reconfiguration mechanism under functionally equivalent conditions.
Disclosure of Invention
In view of these problems, the invention provides a heterogeneous redundancy defense strategy issuing method for an endogenous security switch which, based on a dynamic heterogeneous redundancy mechanism together with the network information and software and hardware resource data collected during operation, effectively defends against the various attacks aimed at or approaching a network switch.
In order to realize the purpose of the invention, the technical scheme adopted by the invention is a heterogeneous redundancy defense strategy issuing method of an endogenous security switch.
The invention measures the switch's own state information and the link state information of the endogenous switch; the required measurements are the switch's memory utilization, CPU utilization, link delay, link bandwidth and link packet loss rate. Different weights are assigned to these measures, normalization and quantization are carried out, a grading mechanism is introduced, and defense strategies are selected intelligently according to the severity of the threat situation.
A heterogeneous redundancy defense strategy issuing method of an endogenous security switch mainly comprises the following steps:
(1) collecting and measuring the link state information of the endogenous security switch along the path and the state information of the switch itself, and managing the state data of the switch and the link to construct a network resource view;
(2) generating threat intelligence from the network resource view and grading the response; responses at different levels start different types of defense, so that the resource overhead of the switch is controlled and the normal operation of the current network is maintained as far as possible;
The first type: if, according to the current threat intelligence, the network-layer resources of the switch are threatened, a third-level response is started and the endogenous security switch adopts an isolation scheme against the current attack;
The second type: if, according to the current threat intelligence, the hard disk and internal data are being tampered with, a second-level response is started and the endogenous security switch adopts a cleaning scheme against the current attack;
The third type: if, according to the current threat intelligence, control of the switch is being contended for, a first-level response is started and the endogenous security switch adopts an asset migration scheme or a system hopping scheme against the current attack.
In step (1), the method for collecting the switch state information and link information to construct the network resource view comprises the following steps:
(1.1) the switch measures its own state information in real time, including the switch's CPU (Central Processing Unit) utilization, memory utilization and IP (Internet Protocol) address;
(1.2) the switch measures link state information, including link delay, link bandwidth and link packet loss rate; the measurement method uses an ICMP raw socket to construct a probe packet of fixed size, sends it to the target node at the other end of the link, and obtains the link bandwidth, RTT and packet loss rate from the returned data;
(1.3) a network resource view is preliminarily constructed from the collected and measured state information and the network resource information, as shown in FIG. 2.
In step (2), the response grading mechanism is designed as follows:
(2.1) the endogenous security switch generates threat intelligence from the current network resource view and judges whether it is under network attack;
(2.2) the switch normalizes and quantizes the generated threat intelligence;
(2.3) the quantized threat intelligence data is graded according to the severity of the threat situation; an extremely high threat degree is determined as level one.
In step (2.2), for the threat intelligence quintuple consisting of the switch's CPU utilization C, memory occupancy M, link bandwidth B, link delay L and packet loss rate P, each measure is normalized according to the formula
[normalization formula: Figure BDA0003392376780000031 in the original, not reproduced on this page]
giving the normalized data C', M', B', L', P'. Different weights $K_1, K_2, K_3, K_4, K_5$ are assigned to them, with
$K_1 + K_2 + K_3 + K_4 + K_5 = 1$
The normalized, quantized threat intelligence data S can then be expressed as
$S = C' K_1 + M' K_2 + B' K_3 + L' K_4 + P' K_5$
In step (2.3), two thresholds are set on the threat intelligence data S: $S_1$ and $S_2$, with $S_1 > S_2$. When $S \ge S_1$, a first-level response is determined: the current attack is contending for control of the switch and strong protective measures must be taken. When $S_2 \le S < S_1$, a second-level response is set, indicating that the current attack tampers with the hard disk and internal data; the defense strategy adopted at this point must take resource overhead into account. When $S < S_2$, the current attack threatens the network-layer resources of the switch, and a high-cost defense strategy is not appropriate.
Note that the purpose of the hierarchical response mechanism is to keep the overhead brought by defense under reasonable control; the switch dynamically selects defense strategies of other levels as a supplement according to the situation, and once several output vectors have been obtained, the output result is decided by the voting mechanism.
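As an added worked example (not code from the patent), the normalization, weighted scoring and three-level grading of steps (2.2) and (2.3) in Python. The min-max ranges, the inversion of the bandwidth measure, the equal weights and the thresholds 0.7 and 0.4 are assumptions, since the patent's own normalization formula is not reproduced on this page:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SwitchState:
    """The measured quintuple from step (1): C, M, B, L, P in raw units."""
    cpu_util: float   # C, percent 0..100
    mem_util: float   # M, percent 0..100
    bandwidth: float  # B, available link bandwidth in Mbit/s
    delay_ms: float   # L, link RTT in milliseconds
    loss_rate: float  # P, packet loss as a fraction 0..1


# Constructed bounds for min-max normalization (assumption: the patent's own
# normalization formula is an image that did not survive extraction).
RANGES = {
    "cpu": (0.0, 100.0),
    "mem": (0.0, 100.0),
    "bw": (0.0, 1000.0),    # link rate of a 1 Gbit/s port
    "delay": (0.0, 500.0),  # anything above 500 ms saturates
    "loss": (0.0, 1.0),
}


def _minmax(value, lo, hi):
    """Clamp value to [lo, hi] and scale it onto [0, 1]."""
    if hi <= lo:
        raise ValueError("range upper bound must exceed lower bound")
    return min(max((value - lo) / (hi - lo), 0.0), 1.0)


def normalize(state):
    """Return (C', M', B', L', P'), each in [0, 1] with 1 = most threatening."""
    c = _minmax(state.cpu_util, *RANGES["cpu"])
    m = _minmax(state.mem_util, *RANGES["mem"])
    # Available bandwidth is the one measure where a high reading is healthy,
    # so it is inverted to keep the "higher = worse" orientation of S.
    b = 1.0 - _minmax(state.bandwidth, *RANGES["bw"])
    l = _minmax(state.delay_ms, *RANGES["delay"])
    p = _minmax(state.loss_rate, *RANGES["loss"])
    return (c, m, b, l, p)


def threat_score(state, weights):
    """S = C'K1 + M'K2 + B'K3 + L'K4 + P'K5 with K1 + ... + K5 = 1."""
    if len(weights) != 5 or abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("weights K1..K5 must be five values summing to 1")
    if any(k < 0 for k in weights):
        raise ValueError("weights must be non-negative")
    return sum(x * k for x, k in zip(normalize(state), weights))


def response_level(score, s1, s2):
    """Map S onto the three response levels of step (2.3).
    1: S >= S1       control of the switch is contested -> asset migration / hop
    2: S2 <= S < S1  disk and internal data tampered    -> cleaning
    3: S < S2        network-layer resources threatened -> isolation"""
    if not s1 > s2:
        raise ValueError("S1 must be greater than S2")
    if score >= s1:
        return 1
    if score >= s2:
        return 2
    return 3


STRATEGIES = {
    1: ("asset migration", "system hopping"),
    2: ("cleaning",),
    3: ("isolation",),
}


def select_strategy(state, weights, s1, s2):
    """Full step (2): normalize, score, grade, and pick the strategy set."""
    level = response_level(threat_score(state, weights), s1, s2)
    return level, STRATEGIES[level]


# Constructed example run: equal weights, thresholds S1 = 0.7 and S2 = 0.4.
if __name__ == "__main__":
    weights = (0.2, 0.2, 0.2, 0.2, 0.2)
    for label, st in [
        ("quiet", SwitchState(10, 20, 900, 5, 0.0)),
        ("contested", SwitchState(95, 90, 50, 400, 0.5)),
    ]:
        print(label, select_strategy(st, weights, 0.7, 0.4))
```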
In the first type, the isolation mechanism proceeds as follows:
For VLAN trunking attacks, security settings are applied to the network switch: all trunk ports of the switch must use a VLAN ID, and if the switch receives a DTP negotiation message on a port not configured for trunking, the message is considered illegal and the isolation mechanism blocks the message's source IP address so that no trunk can be established.
For spanning tree spoofing attacks, in which an attacker sends a bridge ID smaller than that of the current root switch to declare itself the root bridge and seize the root role, the port that received the forged BPDU (Bridge Protocol Data Unit) is isolated and forwards no traffic, so that the position of the root bridge in the network is forcibly fixed.
For MAC table flooding attacks, the isolation strategy limits the number of MAC addresses a switch port may learn; MAC addresses beyond that upper limit are discarded.
For ARP spoofing attacks, the switch can retain the MAC address of each computer on the network by means of DHCP and detect the MAC address when a forged ARP packet is sent; the isolation strategy then blocks that IP.
For UDP flooding attacks, for IP addresses that repeatedly send packets larger than 1500 bytes, the isolation strategy can block the IP addresses according to information provided by the threat intelligence, such as the IP's reputation value, and messages with an obviously abnormal TTL can be filtered using the normal range of the TTL value.
For MAC spoofing attacks, the isolation strategy is likewise based on the information provided by the threat intelligence: for example, the switch can check whether the source IP and source MAC of an IP message are consistent with the information configured by the administrator in the switch and, if not, block the IP address and send an alarm.
In the second type, the cleaning mechanism proceeds as follows:
The invention uses a method of identifying threatening traffic based on IP reputation values. Each IP address on the Internet is given a reputation value; IP addresses that have acted as zombie hosts and generated malicious attack behaviour are given lower reputation values, since an IP with a low reputation value may well become the source of a network attack, and traffic sent by low-reputation IP addresses is cleaned first during traffic cleaning. Specifically, all traffic is redirected to a cloud computing center through HPENP, threat traffic is classified using the information provided by the threat intelligence and a more sophisticated machine learning method, and once the five-tuple of the threat traffic has been definitely identified, that traffic is discarded and the remaining traffic is forwarded back to the switch, completing the cleaning process.
In the third type, two defense strategies are proposed, with the following specific procedures:
Asset migration first makes a redundant backup of the endogenous security switch and dynamically shifts the attack surface: when the endogenous security switch is threatened and attacked, its system resources are migrated directly into another switch. Specifically, the host establishes a route backup, and when the current switch is detected to be seriously attacked and unable to work normally, the host connects to the redundant switch using the backup switch IP in its routing table. System hopping enables a hopping protocol and, according to that protocol, randomly changes the port, address and time slot used at the various adjacent points of data transmission, achieving active network protection. Concretely, within a fixed hopping interval the endogenous security switch uses a pseudo-random function over the key, source ID, switch ID and time shared with the communicating host to generate a new IP address and communication port, so that in different time slots the two communicating parties must use different IP addresses and ports, thereby resisting network attacks.
Compared with the prior art, the technical scheme of the invention has the following beneficial technical effects:
(1) In view of the inherent defects of passive defense in network switches, the invention designs an endogenous security switch with an active defense function, overcoming the defensive shortcomings of existing switches, which is of important practical significance.
(2) The invention provides a dynamic heterogeneous redundancy defense strategy issuing method with endogenous security properties: the endogenous security switch can dynamically adopt a different set of defense strategies for each network attack, presents the uncertainty of its internal defense mechanism to the outside, and greatly increases the attacker's cost of reconnaissance and attack execution.
(3) The endogenous security switch provided by the invention also introduces a hierarchical response mechanism that issues defense strategies by level according to the severity of the attack as indicated by the threat intelligence, greatly saving the resource overhead and cost of the endogenous security switch.
Drawings
FIG. 1 is a diagram of decision voting in heterogeneous redundancy defense;
FIG. 2 is a schematic diagram of the network resource view;
FIG. 3 is a diagram of the endogenous security switch architecture;
FIG. 4 is a diagram of a VLAN trunking attack;
FIG. 5 is a schematic diagram of the experimental topology.
Detailed Description
To enhance understanding of the present invention, the technical solution is further described below with reference to the accompanying drawings and embodiments.
Example 1: Referring to FIGS. 1 to 5, the heterogeneous redundancy defense strategy issuing method for an endogenous security switch follows steps (1) and (2) as set out under Disclosure of Invention.
FIG. 1 shows the decision voting diagram of heterogeneous redundancy defense. The multi-mode elastic intelligent arbitration module compares the outputs of the heterogeneous executors according to an arbitration strategy, judges the state of each executor from the comparison result, reports the state information to the scheduling control module, and hands the arbitration result to the agent module, which outputs it. Through its ability to perceive elements and understand the situation formed by abnormal conditions, the mimicry arbitration mechanism checks the consistency of the heterogeneous executors' outputs and can effectively defeat non-cooperative attacks or random failures at the mimicry interface. Based on the arbitration result, the feedback controller can reconfigure the executor service set according to a given policy.
In general, wherever there is an interface with standardized or normalizable functions or operations, the basic conditions for implementing mimicry defense exist. This is because at least time differences, value-range differences (calculation precision) or permitted version differences (grammar, options, default values and the filling of extended fields) exist among the output vectors of the diversified redundant defense executors inside the boundary. Different application scenarios, performance requirements and security standards greatly affect the implementation complexity of issuing elastic intelligent defense decision instructions.
Under the same input excitation, it is highly probable that the multi-mode output vectors are mostly or completely consistent, but differences in output response will certainly exist because the heterogeneous executors differ in preprocessing mode, implementation algorithm, support environment and even processing platform (FPGA or CPU). So that these differences do not disturb the multi-mode arbitration of the output vectors, vector normalization and an output agent function must be added before arbitration, ensuring that the mimicry bracket shields as far as possible all differences outside the defense boundary while still tolerating some differences between executors inside it. For an endogenous security switch, the available normalization means depend strongly on the specific application scenario. In the situation awareness stage, the endogenous security switch has already built the multidimensional network resource view. A controller is designed to analyze the current network situation in a normalized manner by combining this view with the current switch resource situation, grade the threat intelligence obtained with situation theory, select the required defense strategy intelligently, hot-deploy it while interfering with the service as little as possible, and thereby preserve the efficiency of the switch.
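An added example, not the patent's code, of the arbitration and feedback control described for FIG. 1 together with the output-vector normalization discussed above: volatile fields and precision differences are normalized away before a majority vote, dissenting executors are reported, and the scheduler swaps them for standby executors. The field names and the three sample output vectors are constructed:

```python
import json
from collections import Counter

# Fields that legitimately differ between heterogeneous executors (time
# difference, version difference) and must not split the vote.
VOLATILE_FIELDS = {"timestamp", "executor_version", "latency_ms"}


def normalize_vector(vec):
    """Canonical form of one executor's output vector: volatile fields
    dropped, floats rounded (value-range / precision differences), keys
    sorted so that field order does not matter."""
    clean = {}
    for k, v in vec.items():
        if k in VOLATILE_FIELDS:
            continue
        if isinstance(v, float):
            v = round(v, 2)
        clean[k] = v
    return json.dumps(clean, sort_keys=True)


def arbitrate(outputs, quorum=None):
    """Majority arbitration over {executor_id: output_vector}.
    Returns (agreed_vector_json or None, set of dissenting executor ids)."""
    if not outputs:
        raise ValueError("no executor outputs to arbitrate")
    quorum = quorum if quorum is not None else len(outputs) // 2 + 1
    canon = {eid: normalize_vector(v) for eid, v in outputs.items()}
    winner, votes = Counter(canon.values()).most_common(1)[0]
    if votes < quorum:
        # No consensus: nothing is released and every executor is reported.
        return None, set(canon)
    return winner, {eid for eid, c in canon.items() if c != winner}


def reconfigure(active, dissenters, standby):
    """Feedback control: swap dissenting executors for standby heterogeneous
    ones so the service set is rebuilt after an inconsistent vote."""
    kept = [e for e in active if e not in dissenters]
    return kept + list(standby[:len(dissenters)])


# Constructed sample: three executors handle the same frame; C disagrees.
SAMPLE_OUTPUTS = {
    "A-fpga": {"action": "forward", "out_port": 3, "vlan": 10,
               "score": 0.998, "timestamp": 1700000000.12, "latency_ms": 0.3},
    "B-linux": {"vlan": 10, "out_port": 3, "action": "forward",
                "score": 0.9991, "timestamp": 1700000000.17,
                "executor_version": "2.1"},
    "C-bsd": {"action": "drop", "out_port": 3, "vlan": 10,
              "score": 0.12, "timestamp": 1700000000.15},
}


def demo():
    """Run one arbitration round on the constructed sample."""
    agreed, dissenters = arbitrate(SAMPLE_OUTPUTS)
    new_set = reconfigure(list(SAMPLE_OUTPUTS), dissenters, ["D-standby"])
    return agreed, dissenters, new_set


if __name__ == "__main__":
    print(demo())
```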
The invention is to subdivide the strategy into cleaning, isolation, asset migration and system jump. The cleaning operation is accurate but consumes network resources, while the isolation means is rough and does not occupy bandwidth, but is easy to discard normal traffic. The asset migration strategy and the system hopping strategy are strong in attack resistance and active, so that the platform can live with bacteria, but the cost is too large, even the hot deployment cannot be realized, and the service of the switch can be interrupted temporarily. The four strategies are good and bad respectively, and a defense strategy needs to be intelligently selected according to the attack severity of the current endogenous security switch. The invention is intended to defend against the following 6 kinds of network attacks:
(1) VLAN relay attack: the VLAN trunk attack is a spoofing type attack, and the attack flow is shown in fig. 4, which means that an attacker impersonates another switch to send a false DTP negotiation message to a switch in a specific VLAN, declares that the attacker wants to become a trunk, and after the attacked switch receives the DTP message, if the trunk function is enabled, all information streams passing through the VLAN are sent to the computer of the attacker.
(2) And (3) spanning tree attack: the Spanning Tree Protocol (STP) is a communication Protocol of a data link layer working in an OSI network model, and a basic application is to prevent a loop generated by a redundant link of a switch, thereby preventing a broadcast storm from generating and greatly occupying resources of the switch. The spanning tree attack belongs to a cheating type attack, which means that an attacker sends a well-designed Bridge Protocol Data Unit (BPDU) to a switch to cheat the switch, so that the BPDU is the root bridge, which can cause the STP to be re-converged, and because the STP protocol is slow in convergence, a loop can be generated within a certain time, so that the network is crashed.
(3) MAC table flooding attack: when a frame enters the switch, the switch records its source MAC address together with the port on which the frame arrived, and later traffic to that MAC address is sent only through that port. This record is stored in a Content Addressable Memory (CAM) for fast lookup when forwarding data. The MAC table flooding attack exploits the limited capacity of the CAM: an attacker sends a large number of packets with forged source MAC addresses until the CAM table is fully occupied, after which subsequent packets cause the switch to forward data in broadcast mode; the bandwidth of the switch is quickly exhausted and the switch is driven into denial of service.
(4) ARP attack: the Address Resolution Protocol (ARP) resolves the IP address of a target machine into its unique MAC address; ARP automatically looks up the IP-to-MAC resolution and sends the request by broadcast, so that all hosts receive the message. An ARP attack refers to an attacker connecting to and communicating with a target host in a deceptive manner, so that a large number of abnormal messages appear on the target host and the network switch is paralyzed.
(5) UDP flooding attack: UDP (User Datagram Protocol) is a connectionless protocol that lets an application send encapsulated IP packets without establishing a connection. UDP flooding attacks are DDoS-type attacks and come in two kinds: small packet attacks and large packet attacks. In a small packet attack the attacker sends a large number of small UDP packets, generally 64 bytes, with forged source IP addresses to the target; for the same traffic volume the number of packets is higher, the cost of inspection rises, and finally the bandwidth resources of the target are exhausted. In a large packet attack the attacker sends a large number of large UDP packets, generally more than 1500 bytes, with forged source IP addresses; the heavy fragment reassembly load caused by large packets quickly exhausts bandwidth resources.
(6) MAC spoofing attack: MAC address spoofing is commonly used to defeat LAN access control based on MAC addresses. For example, a switch may be configured to forward only frames whose source MAC address is in an access list; the attacker then changes its source MAC address to one present in the list to bypass the restriction, and such a change is dynamic and easy to revert. Another access control method binds the IP address to the MAC address, so that one switch port serves only one host of one user; in this case the attacker must modify both its IP address and its MAC address to break through the restriction.
For the above 6 types of network attacks, the endogenous security switch can in general adopt a cleaning, isolation, system hopping or asset migration strategy. The invention uses a grading mechanism to determine which defense strategy to adopt when the switch is under network attack, minimizing the resource overhead the switch spends on maintaining normal operation. For this purpose, the endogenous security switch first constructs a network resource view.
Three experimental schemes are designed below to verify the effectiveness of the defense strategy of the endogenous security switch.
Experiment one: single attack single defense test
Purpose of the experiment:
verifying the effectiveness of four defense strategies
The experimental steps are as follows:
1. Start the server and create a Docker network; the experimental topology is shown in FIG. 5. An attack node and a defense node are deployed in the Docker network. The attack node consists of six containers, each of which can launch one attack type; the defense node consists of two containers, one serving as a redundant backup and the other as the main attacked object, with functions such as isolation, traffic forwarding and system hopping.
2. Randomly select one of the six attacks above and apply one of the four defense strategies above to carry out the attack and defense experiment.
3. Select the attack type and defense type without repetition and carry out multiple experiments.
Experiment two: single attack multiple defense testing
Purpose of the experiment:
verifying the effect of combining a dynamic heterogeneous redundancy mechanism with a defense strategy
The experimental steps are as follows:
1. Start the created Docker network.
2. Randomly select one of the six attacks; the defense node selects a defense strategy set according to the hierarchical response mechanism and the dynamic selection strategy, and the resource consumption and defense effect of the defense node are compared with those of experiment one.
3. Carry out multiple experiments without repeating the selected attack type.
Experiment three: multiple attack multiple defense test
Purpose of the experiment:
testing the overall defense performance of an endogenous security switch
The experimental steps are as follows:
1. Start the created Docker network.
2. Randomly select multiple attack types to attack the defense node; the defense node selects a defense strategy set according to the hierarchical response mechanism and the dynamic selection strategy to defend.
3. Compare the resource consumption and defense effect of the defense node with those of experiment one and experiment two.

Claims (8)

1. A heterogeneous redundancy defense strategy issuing method of an endogenous security switch is characterized by comprising the following steps:
(1) acquiring and measuring the network traffic of the endogenous security switch, and managing the initial state data of the switch and its links to construct a network resource view;
(2) grading responses according to threat intelligence, where different response levels start different types of defense modes so as to control the resource overhead of the switch and maintain the normal operation of the current network to the maximum extent;
the first type: according to the current threat intelligence, if the network-layer resources of the switch are threatened, a third-level response is started and the endogenous security switch adopts an isolation strategy against the current attack;
the second type: according to the current threat intelligence, if the hard disk and internal data are tampered with, a second-level response is started and the endogenous security switch adopts a cleaning strategy against the current attack;
the third type: according to the current threat intelligence, if control of the switch is contended, a first-level response is started and the endogenous security switch adopts an asset migration strategy or a system hopping strategy against the current attack.
2. The heterogeneous redundancy defense strategy issuing method of the endogenous security switch according to claim 1, characterized in that the specific method of the step (1) is as follows:
(1.1) the switch measures its own state information, the measurement comprising CPU utilization and memory utilization;
(1.2) the switch collects link state information, the measurement comprising link delay, link bandwidth and link packet loss rate;
(1.3) a network resource view is constructed from the collected and measured state information and the network resource information.
3. The heterogeneous redundancy defense strategy issuing method of the endogenous security switch according to claim 1, characterized in that the design method in the step (2) is as follows:
(2.1) the endogenous security switch generates threat intelligence from the current network resource view and judges whether it is under network attack;
(2.2) the switch normalizes and quantizes the generated threat intelligence;
(2.3) the quantized threat intelligence data are graded according to the severity of the threat condition, an extremely high threat degree being determined as level one.
4. The method for issuing the heterogeneous redundancy defense strategy of the endogenous security switch according to claim 3,
wherein, in step (2.2), the quintuple of threat intelligence, namely the CPU utilization C, memory occupancy M, link bandwidth B, link delay L and packet loss rate P of the switch, is calculated according to the normalization formula:
Figure FDA0003392376770000021
where x is the original data, min is the minimum of the original data set, max is the maximum of the original data set, and x' is the normalized data. The normalized data C', M', B', L', P' are given different weight coefficients K1, K2, K3, K4, K5 with:
K1 + K2 + K3 + K4 + K5 = 1;
the normalized and quantized threat intelligence data S can then be expressed as:
S = C'K1 + M'K2 + B'K3 + L'K4 + P'K5
5. The method for issuing the heterogeneous redundancy defense strategy of the endogenous security switch according to claim 3,
wherein, in step (2.3), two threshold levels S1 and S2 are set for the threat intelligence data S. When S ≥ S1, a first-level response is determined: the current attack contends for control of the switch and strong protective measures must be taken. When S2 ≤ S < S1, a second-level response is set, indicating that the current attack tampers with the hard disk and internal data; the defense strategy adopted at this point must take resource overhead into account. When S < S2, the current attack threatens the network-layer resources of the switch, and a high-cost defense strategy is not appropriate.
6. The heterogeneous redundancy defense strategy issuing method of the endogenous security switch according to claim 1, characterized in that the specific method of the first type is as follows: after the endogenous security switch starts the third-level response, the isolation means directly blocks the IP address of the threat traffic in the switch for a time slice, performing a brief backtrace according to the situation information number corresponding to the threat intelligence to determine the threat IP.
7. The heterogeneous redundancy defense strategy issuing method of the endogenous security switch according to claim 1, characterized in that the specific method of the second type is as follows: all traffic in the endogenous security switch is transferred to a cloud computing center through HPENP; the threat traffic is classified with a machine learning method according to the information provided by the threat intelligence and, once the threat flow quintuple has been definitely identified, discarded; the remaining traffic is forwarded back to the switch to complete the cleaning process.
8. The heterogeneous redundancy defense strategy issuing method of the endogenous security switch according to claim 1, characterized in that the specific method of the third type is as follows: after the endogenous security switch starts the first-level response, the asset migration strategy makes a redundant backup of the endogenous security switch, dynamically shifts the attack surface, and directly migrates system resources into another switch when the endogenous security switch is hit by a threat; system hopping enables a hopping protocol under which the ports, addresses and time slots of the various adjacent points of data transmission are changed randomly, realizing active network protection.
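The grading mechanism of claims 4 and 5, together with the level-to-strategy mapping of claims 1 and 6 to 8, as an added example that is not part of the patent. It assumes min-max scaling for the normalization formula that appears only as an image above, and uses constructed weights, thresholds and switch measurements.

```python
# Added example, not the patent's own code. Assumed: the normalization formula
# (an image on the page) is min-max scaling x' = (x - min) / (max - min);
# weights, thresholds and measurements below are constructed sample values.

# Quintuple of threat intelligence (claim 4): CPU utilization C, memory
# occupancy M, link bandwidth B, link delay L, packet loss rate P.
FIELDS = ("C", "M", "B", "L", "P")

# Constructed weights K1..K5; claim 4 only requires that they sum to 1.
WEIGHTS = {"C": 0.25, "M": 0.20, "B": 0.20, "L": 0.15, "P": 0.20}

# Constructed thresholds; claim 5 requires S2 < S1.
S1, S2 = 0.7, 0.4

# Response level -> defense strategy (claim 1).
STRATEGY = {
    1: "asset migration / system hopping",  # control of the switch contended
    2: "cleaning",                           # hard disk / internal data tampered
    3: "isolation",                          # network-layer resources threatened
}

# Constructed "original data set": earlier measurements of the switch that
# supply the min and max used by the normalization formula.
HISTORY = [
    {"C": 10, "M": 20, "B": 100, "L": 5, "P": 0.0},
    {"C": 90, "M": 95, "B": 1000, "L": 200, "P": 5.0},
    {"C": 30, "M": 40, "B": 300, "L": 20, "P": 0.5},
]

# Constructed measurements of the switch under light, medium and severe load.
LIGHT = {"C": 20, "M": 30, "B": 200, "L": 10, "P": 0.2}
MEDIUM = {"C": 50, "M": 60, "B": 600, "L": 100, "P": 2.5}
SEVERE = {"C": 90, "M": 95, "B": 1000, "L": 200, "P": 5.0}

def minmax(x, lo, hi):
    """Assumed normalization x' = (x - min) / (max - min); a value outside the
    historical range is clamped so S stays in [0, 1], and a degenerate range
    (max == min) carries no information and maps to 0."""
    if hi <= lo:
        return 0.0
    return (min(max(x, lo), hi) - lo) / (hi - lo)

def threat_score(sample, history=HISTORY, weights=WEIGHTS):
    """S = C'K1 + M'K2 + B'K3 + L'K4 + P'K5 (claim 4)."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("K1 + K2 + K3 + K4 + K5 must equal 1")
    s = 0.0
    for f in FIELDS:
        column = [h[f] for h in history]
        s += weights[f] * minmax(sample[f], min(column), max(column))
    return s

def response_level(s, s1=S1, s2=S2):
    """Claim 5: S >= S1 -> level 1; S2 <= S < S1 -> level 2; S < S2 -> level 3."""
    if not s2 < s1:
        raise ValueError("thresholds must satisfy S2 < S1")
    return 1 if s >= s1 else 2 if s >= s2 else 3

def select_strategy(sample):
    """Grade one measurement and return (S, response level, strategy)."""
    s = threat_score(sample)
    level = response_level(s)
    return s, level, STRATEGY[level]
```

With the constructed inputs the light load grades to level 3 (isolation), the medium load to level 2 (cleaning) and the severe load to level 1 (asset migration or system hopping).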
CN202111471268.XA 2021-12-03 2021-12-03 Heterogeneous redundancy defense strategy issuing method of endogenous security switch Pending CN114115068A (en)
Publications (1)

Publication Number Publication Date
CN114115068A true CN114115068A (en) 2022-03-01
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination