CN101719842B - Cloud computing environment-based distributed network security pre-warning method - Google Patents

Info

Publication number: CN101719842B
Application number: CN2009102384429A
Other versions: CN101719842A (publication of the application)
Authority: CN (China)
Prior art keywords: node, task, security agent, list, control centre
Legal status: Active (Google notes that the listed legal status is an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 许佳, 苏璞睿
Current and original assignee: Institute of Software of CAS (Google notes that assignee listings may be inaccurate and were not legally verified)
Application filed by Institute of Software of CAS; priority to CN2009102384429A; published as CN101719842A; granted and published as CN101719842B.

Abstract

The invention discloses a distributed network security pre-warning method based on a cloud computing environment, belonging to the technical field of network security. A plurality of management domains is set up, each comprising a control center node and one or more security agent nodes, with the control center nodes connected to each other as peers. The security agent nodes discover abnormal events through their peripheral devices, extract the event information, generate alert messages and send them to the corresponding control center node. A control center node receives the alert messages sent by its own security agent nodes and by the other control center nodes, and merges the security agent nodes that satisfy a merge condition into a task group. The security agent nodes in a task group are connected as peers, and one of them serves as the task coordination center node, coordinating the security agent nodes in the group to complete tasks together; the task group exchanges data with the control center node through the task coordination center node.

Description

A distributed network security pre-warning method based on a cloud computing environment
Technical field
The present invention relates to distributed networks, and in particular to a distributed network security pre-warning method based on a cloud computing environment; it belongs to the field of network security technology.
Background art
Network malicious code technology currently shows the main features of explosive propagation, self-organizing structure and distributed collaboration. In recent years novel malicious code, represented by worms and botnets, has spread across the Internet at explosive speed, creating security risks that are difficult to assess. Attackers can use the distributed platform built by such malicious code to carry out large-scale network intrusions and attacks, including stealing or destroying sensitive information, launching large-scale denial-of-service attacks, engaging in economic crime and even paralysing backbone network services. To address this, security protection facilities such as intrusion detection systems, firewalls, vulnerability scanners and anti-virus gateways have been deployed in almost every network. Although these facilities can judge and respond to particular types of attack and signature, their view is confined to their own security domain, so the alerts they produce inevitably have high false-positive and false-negative rates, and there is no means of analysing and assessing abnormal events globally; they are especially ineffective against novel malicious code characterised by adaptive structure and distributed collaboration. How to achieve dynamic, adaptive cooperation among network security protection systems, organize heterogeneous security devices to share alert data effectively, and perform global collaborative correlation analysis of security events has therefore become a pressing problem in the network security field.
Typical distributed network security pre-warning systems are built from the security protection facilities deployed in each security domain; only the protection devices within the same security domain have some capacity to cooperate, so global state information about network intrusions and attacks cannot be verified. When an attack is carried out through a distributed platform built from widely distributed malicious code, global information would help the organizations involved make prompt and accurate judgements, classifications and responses, which is hard to achieve with a traditional network security protection system. Current mainstream distributed network pre-warning architectures therefore have the following defects. First, no adaptivity: existing pre-warning models use a fixed topology, cannot adjust themselves to the network security situation, and are unsuitable for large-scale networks. Second, low survivability: most models use a single pre-warning center, which carries a high risk of single-point failure and causes network congestion around that center. Third, weak data-flow control: mainstream models share security data through a centralized structure and cannot dynamically select the data set that needs to be exchanged according to the attack type, so hardware and bandwidth utilization are low. Fourth, poor collaboration: alert data from heterogeneous security protection facilities cannot be aggregated effectively, and there is no effective solution for exchanging data across security domains.
In view of these problems, the inventors consider "security collaboration" to be the inevitable direction for countering distributed malicious-code attacks; its basic goal is data sharing and resource scheduling among the heterogeneous protection devices of different security domains. It is therefore necessary to propose a novel distributed network security pre-warning architecture with dynamic self-adaptation and cross-security-domain collaboration capabilities.
Summary of the invention
The invention provides a distributed network security pre-warning method based on a cloud computing environment. The method effectively integrates the data and resources of the various heterogeneous security protection systems in a network, gives the network security protection system the ability to adapt dynamically and to cooperate across security domains, and provides a basic distributed security service facility for deploying intrusion correlation analysis, worm signature extraction and botnet detection in large-scale networks.
To achieve this goal, the technical scheme of the invention is as follows:
A distributed network security pre-warning method based on a cloud computing environment, comprising: setting up a plurality of management domains, each of which comprises a control center node and one or more security agent nodes connected to it for data exchange, the control center nodes of the management domains being connected to each other as peers;
the security agent node discovers abnormal events through its peripheral device, extracts the event information, generates an alert message in a set format, and sends the alert message to the control center node of its management domain;
the control center node receives the alert messages sent by the security agent nodes of its own management domain and by other control center nodes, and merges one or more security agent nodes that satisfy a set merge condition into a task group;
the security agent nodes in the task group are connected as peers, one of them acts as the task coordination center node, and it coordinates the security agent nodes in the group to complete the set task together;
the task group exchanges data with the control center node through the task coordination center node.
Preferably, a security agent node can join several task groups at the same time.
Preferably, the task coordination center node collects the alert messages of every member node in the group, performs data fusion and correlation analysis on them, extracts the features of the abnormal event from them and sends those features to the control center of its management domain; at the same time the task coordination center node formulates access control policies and issues collaborative control commands to coordinate the operations that each security agent in the group performs on its peripheral device.
Preferably, the method deploys several control center nodes in each management domain, of which only one is active while the rest are dormant; when the active control center node fails, one of the dormant control center nodes is activated to act as the new control center node.
Preferably, when the task coordination center node fails, one of the other security agent nodes in the task group is appointed as the new task coordination center node according to a set rule.
Preferably, in the above method, the control center nodes, and the security agent nodes within a task group, are all connected through a peer-to-peer overlay network routed by a DHT algorithm. Within this peer-to-peer overlay, the XPath structured query language is used as the unified global query interface for shared data.
Preferably, the task coordination center node coordinates the security agent nodes in the group to complete the set task together by the following method:
A) the parent task T is divided into a set of subtasks T_s = {T_si | i = 1...n}, and each T_si is distributed to a security agent node in the group;
B) each security agent node has one thread that schedules and processes its assigned subtasks locally and another thread that listens for request messages sent by other nodes in the task group;
C) each security agent node in the task group maintains an ancestor node list ancestor_list, and when the node is idle it sends request messages in turn to the member nodes in ancestor_list;
D) when node A receives a request message from node B, then if node B is in node A's ancestor_list, node A discards the request; otherwise node A selects r subtasks that have not yet been scheduled from its local subtask set, replies to node B with a dispatch message, and at the same time sends its ancestor_list to node B, from which node B updates its own ancestor_list.
Further, the task coordination center node coordinates the security agent nodes in the group to complete the set task together by the following method:
A) each security agent node constructs a child node list child_list and an obsolete node list obsolete_list, where child_list records the node's current child nodes sorted from low to high by their M value, M = C + N_d, C being the child node's computational throughput and N_d its network delay;
B) child_list is refreshed after each task scheduling round, and the child node with the highest M value is moved to obsolete_list; request messages from nodes in obsolete_list receive no response within the set time;
C) the child node with the lowest M value is reported to the parent node after every period of preset length, and the parent node adds it to its own child_list.
The method of the invention is described in more detail below.
The method builds a hierarchical, dynamic peer-to-peer overlay architecture from a group of autonomous nodes distributed widely across the protected network. The purpose of this architecture is to provide an underlying framework for distributed collaboration and data sharing, so that the heterogeneous protection devices deployed in a large-scale network can all be joined into an adaptive global security protection system, gain cross-security-domain data sharing and peer collaboration capabilities, and carry out collaborative detection and protection tasks.
A schematic diagram of this architecture is shown in Figure 1. The architecture contains nodes of four roles:
1) Control center: each management domain deploys one control center, which is responsible for decision-making and coordination within the domain and for aggregating and distributing alert messages. The control centers of the management domains are connected as peers to form a control center cluster, which shares data and works collaboratively to realize global detection and protection.
2) Security agent: a security agent provides a general-purpose interface through which heterogeneous peripheral devices of all kinds can be joined into the global security protection system. Each security agent can join several task groups at once. On the one hand it receives the security policies and control commands issued by the task coordination center and directs its peripheral device to work collaboratively; on the other hand it collects the abnormal events detected by the peripheral device, pre-processes them into alert messages, and publishes these into the task group through the distributed message sharing mechanism.
3) Peripheral device: a peripheral device is an abstraction of the functions of existing heterogeneous network security protection facilities such as IDSs, firewalls, vulnerability scanners and anti-virus gateways; it is the data provider and function executor of the global security protection system.
4) Task coordination center: one or more security agents dynamically form a task group, the smallest organizational unit of distributed collaboration. Each task group designates one of its security agents as the task coordination center. On the one hand it accepts task orders from the control center, formulates security policies and coordinates all member nodes of the task group in executing the collaborative task; on the other hand it performs data fusion and correlation analysis on the alert messages collected by the member nodes and reports the key features of the abnormal event it extracts (such as a network intrusion or attack) to the control center of its management domain.
It should be emphasized that the node roles above are a logical division of application-level functions in the peer-to-peer overlay system and do not correspond one-to-one with physical network nodes; in principle each physical node can act as one or more independent logical nodes, as long as it has the corresponding application-layer module deployed and has joined the peer-to-peer overlay.
In addition, in terms of logical structure, the architecture forms a three-layer overlay:
1) Management domain
The invention divides the protected network into several regions, called management domains, according to the network topology and the distribution of security protection facilities. The purpose is to divide a large-scale network into autonomous areas, each with its own decision-making and control capability, while the security of the whole protected network is achieved through cooperation among all management domains. As with the security domains that traditional network security protection systems divide statically by physical structure, each management domain corresponds to one or more IP network segments, and the hosts, servers, routers, gateways and other networked devices in those segments fall within its responsibility. A security domain, however, is a closed static structure, and the facilities of different security domains cannot cooperate or share information. This architecture, by contrast, is a dynamically organized hierarchical peer structure: all management domains are linked through the peer-to-peer overlay and cooperate with each other to form a global network security protection system.
Management domains are mutually exclusive: any node can join only one management domain. The architecture maintains a mapping table between management domains and IP addresses for the initial bootstrapping of nodes; the table is stored at every control center and can be adjusted dynamically. When a node applies to join the system, it first has to find the control center of the management domain to which its IP address belongs. Because the mapping table is stored in a distributed manner at every control center, querying any one of them yields the bootstrap information.
Within a management domain, the control center is responsible for the initial bootstrapping of peer nodes, the scheduling of task groups, the distributed storage of the network attack signature database, and the formulation and distribution of security policies. Several nodes in each management domain have the control center application module deployed, but only one of them is active; the other, dormant control center nodes hold backups of the domain's core data but do not take part in controlling the domain. If the current control center is paralysed by a hardware fault or a DDoS attack, the management domain randomly selects and activates one of the dormant nodes to act as the new control center. Even in the extreme case where none of the dormant control centers can be activated, the architecture can dynamically adjust the mapping table between management domains and IP addresses, splitting the current management domain into several subdomains that are absorbed by other, normally operating control centers.
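The bootstrap lookup, the mutual-exclusion rule and the two failure paths just described, as an added example (not the patent's code): the mapping table is the replicated domain-to-prefix table, `fail_center` first activates a random dormant node and, when no dormant node is left, hands the failed domain's prefixes to live control centers of other domains. Domain names, prefixes and node names are constructed, and the overlap check is a consequence of the "one node, one domain" rule rather than something the page spells out.

```python
"""Added example, not code from the patent: the management-domain bootstrap
table, its mutual-exclusion check, random failover to a dormant control
center and the extreme-case split of a domain into other domains.
Domain names, prefixes and node names are constructed."""
import ipaddress
import random


class Domain:
    def __init__(self, name, prefixes, centers):
        self.name = name
        self.prefixes = [ipaddress.ip_network(p) for p in prefixes]
        self.centers = dict(centers)   # control-center node -> "active" | "dormant" | "failed"

    def active_center(self):
        return next((n for n, s in self.centers.items() if s == "active"), None)


class MappingTable:
    """Management-domain <-> IP mapping, replicated on every control center."""

    def __init__(self, domains):
        self.domains = {d.name: d for d in domains}
        self.check_exclusive()

    def check_exclusive(self):
        """Domains are mutually exclusive: no prefix may overlap another domain's."""
        owned = [(p, d.name) for d in self.domains.values() for p in d.prefixes]
        for i, (p, dn) in enumerate(owned):
            for q, qn in owned[i + 1:]:
                if dn != qn and p.overlaps(q):
                    raise ValueError(f"{p} ({dn}) overlaps {q} ({qn})")

    def bootstrap(self, ip):
        """A joining node asks any control center which domain and center own its IP."""
        addr = ipaddress.ip_address(ip)
        for d in self.domains.values():
            if any(addr in p for p in d.prefixes):
                return d.name, d.active_center()
        return None, None

    def fail_center(self, domain_name, node, rng=random):
        """The active center of a domain is paralysed: fail over, or split the domain."""
        d = self.domains[domain_name]
        d.centers[node] = "failed"
        dormant = [n for n, s in d.centers.items() if s == "dormant"]
        if dormant:
            d.centers[rng.choice(dormant)] = "active"   # random selection, as on the page
            return "failover"
        healthy = [x for x in self.domains.values()
                   if x.name != domain_name and x.active_center() is not None]
        if not healthy:
            raise RuntimeError("no operating control center left to absorb " + domain_name)
        for i, p in enumerate(d.prefixes):                 # split into subdomains, each
            healthy[i % len(healthy)].prefixes.append(p)   # absorbed by a live center
        del self.domains[domain_name]
        self.check_exclusive()
        return "split"


def build_demo_table():
    """Constructed three-domain table."""
    return MappingTable([
        Domain("A", ["10.1.0.0/16", "10.2.0.0/16"], {"cc-a1": "active", "cc-a2": "dormant"}),
        Domain("B", ["10.3.0.0/16"], {"cc-b1": "active"}),
        Domain("C", ["10.4.0.0/16"], {"cc-c1": "active", "cc-c2": "dormant"}),
    ])


if __name__ == "__main__":
    t = build_demo_table()
    print(t.bootstrap("10.1.2.3"))
    print(t.fail_center("A", "cc-a1"), t.bootstrap("10.1.2.3"))
    print(t.fail_center("A", "cc-a2"), t.bootstrap("10.1.2.3"), t.bootstrap("10.2.9.9"))
```

Because every control center holds a copy of the table, a split has to be propagated to all of them before a node in the moved prefixes re-bootstraps, otherwise two centers can answer differently for the same address; the overlap check raised at construction and after a split is the cheapest guard against that.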
2) Task group overlay
A task group is a peer-to-peer overlay built with a DHT algorithm, on top of which the distributed message sharing mechanism is constructed.
When a security agent discovers a network abnormal event, it applies to the control center of its management domain to set up a task group. If other security agents discover network abnormal events with similar features and apply to create task groups, the control center queries its network abnormal event database; if it finds that a task group has already been set up to analyse this event collaboratively, the applying security agent is assigned to join that task group.
Every task group has a super node that acts as the task coordination center. Its responsibility is to perform data fusion and correlation analysis on the abnormal network data gathered by each security agent and to extract information such as attack signatures, intrusion intent and attack paths. The task coordination center is also responsible for formulating access control policies according to the confirmed detection results and issuing collaborative control commands that coordinate the operations each security agent performs on its peripheral device, thereby providing dynamic, adaptive network protection. When the task coordination center is paralysed by a hardware fault or a DDoS attack, one of the remaining member nodes is appointed as the new task coordination center according to the super node dynamic selection algorithm.
In this architecture task groups are not mutually exclusive: a security agent can join several task groups at once and execute several collaborative tasks in parallel. To avoid overly complex cooperation relationships, however, a security agent is normally restricted to acting as the task coordination center of at most one task group.
3) Control center cluster overlay
The control centers of all management domains in the protected network form a peer-connected overlay called the control center cluster. The control center cluster is globally unique and sits at the highest level of the DPOH model; its main function is the distributed sharing of the network attack signature database. To improve query efficiency and the robustness of the peer structure, the cluster routes between nodes with a DHT algorithm and builds a distributed data storage mechanism on top of it. Each management domain discovers a large amount of attack signature information during its internal collaborative detection, and through the cluster's data sharing mechanism every management domain can query that information efficiently across the whole network, improving the efficiency of collaborative protection.
Another key function of the control center cluster is coordinating collaborative tasks across management domains. Taking collaborative detection as an example: when a security agent of management domain A discovers a highly threatening network abnormal event and applies to its control center for collaborative detection, that control center can broadcast a query in the control center cluster; if the control center of management domain B finds that it has already set up a task group to detect a similar abnormal event, it replies with the relevant control message to the control center of domain A, and the security agent of domain A can then join the task group of domain B to carry out the collaborative detection task.
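The task-group decision a control center makes in the two sections above (join a local group for a similar event, otherwise broadcast in the cluster and join a remote group, otherwise create a new group with the applicant as task coordination center), as an added one-process simulation that is not the patent's code. The similarity rule (Jaccard overlap of event feature sets of at least 0.5), the domain and agent names and the event features are assumptions; the page only says "similar features".

```python
"""Added example, not code from the patent: a control center deciding whether a
security agent joins a local task group, joins one found by broadcasting in
the control center cluster, or starts a new one. Similarity rule, names and
events are constructed assumptions."""


class TaskGroup:
    def __init__(self, gid, domain, coordinator, features):
        self.gid = gid
        self.domain = domain            # management domain that owns the group
        self.coordinator = coordinator  # agent acting as task coordination center
        self.features = frozenset(features)
        self.members = [coordinator]


def similar(feats_a, feats_b, threshold=0.5):
    """Similarity rule (assumed): Jaccard overlap of two feature sets."""
    a, b = set(feats_a), set(feats_b)
    return len(a & b) / len(a | b) >= threshold


class ControlCenter:
    _next_gid = 1

    def __init__(self, domain, cluster):
        self.domain = domain
        self.cluster = cluster      # list shared by all centers: the cluster overlay
        self.event_db = []          # (event features, task group) pairs seen so far
        cluster.append(self)

    def find_local_group(self, features):
        """Query the domain's abnormal-event database for a group on a similar event."""
        for known, group in self.event_db:
            if similar(known, features):
                return group
        return None

    def handle_cluster_query(self, features):
        """Reply to a peer center's broadcast query."""
        return self.find_local_group(features)

    def apply(self, agent, features):
        """An agent of this domain applies for a task group; returns (action, group)."""
        group = self.find_local_group(features)
        action = "join-local"
        if group is None:
            for peer in self.cluster:                 # broadcast in the cluster
                if peer is self:
                    continue
                group = peer.handle_cluster_query(features)
                if group is not None:
                    action = "join-remote"
                    break
        if group is None:
            group = TaskGroup(ControlCenter._next_gid, self.domain, agent, features)
            ControlCenter._next_gid += 1
            action = "create"
        elif agent not in group.members:
            group.members.append(agent)
        self.event_db.append((frozenset(features), group))   # remembered locally
        return action, group


def demo():
    """Constructed scenario: two domains, four applications in sequence."""
    cluster = []
    cc_a = ControlCenter("A", cluster)
    cc_b = ControlCenter("B", cluster)
    worm_a1 = {("sig", "smb-worm-scan"), ("dport", 445), ("src24", "10.1.2.0")}
    worm_a2 = {("sig", "smb-worm-scan"), ("dport", 445), ("src24", "10.1.9.0")}
    worm_b1 = {("sig", "smb-worm-scan"), ("dport", 445), ("src24", "10.3.5.0")}
    web_b2 = {("sig", "sqli-attempt"), ("dport", 80), ("src24", "203.0.113.0")}
    return [
        cc_a.apply("agt-a1", worm_a1),   # nothing known anywhere: create
        cc_a.apply("agt-a2", worm_a2),   # same event type in the same domain: join local
        cc_b.apply("agt-b1", worm_b1),   # unknown in B, found in A: join remote
        cc_b.apply("agt-b2", web_b2),    # unrelated features: create in B
    ]


if __name__ == "__main__":
    for action, group in demo():
        print(action, group.gid, group.domain, group.members)
```

The remote group is recorded in domain B's own event database after the join, so a later applicant in B with a similar event is assigned directly without another broadcast; the threshold is the knob that decides how broad a "similar event" is, and a value that is too low merges unrelated incidents into one task group.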
In summary, compared with the prior art, the method of the invention has the following advantages:
1) Adaptive peer structure: traditional network security pre-warning architectures use a fixed topology, cannot adjust to the network security situation and are unsuitable for large-scale networks. The invention, on the one hand, has good survivability and no single point of dependence: after any peer node fails its function can be taken over by another node, so an attacker cannot bring down the whole system by paralysing a few nodes; on the other hand it has good scalability, since a node need not care about its physical location or the topology around it and can join the overall system very easily.
2) Distributed message sharing: efficient distributed message sharing is one of the core technologies supporting a cloud computing environment. When an attack is carried out through a distributed platform built from widely distributed malicious code, global information helps the organizations involved make prompt and accurate judgements, classifications and responses, but traditional pre-warning architectures either have no data sharing capability or use an inefficient centralized sharing structure that cannot dynamically select the data set to exchange according to the attack type, so hardware and bandwidth utilization are low. The invention realizes efficient distributed sharing of security-related data, integrates the data resources of heterogeneous network security protection systems, implements distributed storage and query of security alert messages, and provides basic support for deploying distributed network security services in a cloud computing environment.
3) Distributed task scheduling: distributed scheduling of computing tasks is another core technology supporting a cloud computing environment. In a distributed network pre-warning system based on a cloud computing environment, the network security service a client obtains is not provided by a single security protection system but is the result of many network security resources working together. The distributed task scheduling mechanism links all member nodes of the task group overlay into a dynamic, peer-to-peer, self-organizing grid in which every node can take part in analysing the data, with the analysis results finally aggregated, so that computing resources are allocated sensibly. The invention can therefore dynamically organize cross-security-domain collaborative detection and protection tasks according to the global state and scope of a distributed attack, allocating network security resources "on demand" as far as possible.
Description of drawings
Figure 1 is a schematic diagram of the overall structure of the invention, in which: 1, control center node; 2, security agent node; 3, peripheral device; 4, task coordination center node; 7, management domain; 8, control center cluster overlay; 9, task group overlay;
Figure 2 is a schematic diagram of the system composition of the security agent node of the embodiment and the relations between its modules;
Figure 3 is a schematic diagram of the system composition of the task coordination center node of the embodiment and the relations between its modules;
Figure 4 is a schematic diagram of the system composition of the control center node of the embodiment and the relations between its modules.
Embodiment
The core technical content of the invention is described in further detail below through an embodiment, with reference to the drawings.
This embodiment describes a concrete distributed network security pre-warning architecture based on a cloud computing environment.
The architecture of this embodiment is a dynamic multi-level architecture consisting of a top-down three-layer peer-to-peer overlay and three classes of core nodes: control center, task coordination center and security agent. The overall functions of the prototype system built on it can be summarized as follows:
1) alert messages from the various network security protection facilities are processed uniformly, and attack signatures are extracted through dynamically organized collaborative correlation analysis, so as to give early warning of network intrusions or attacks in part of the network;
2) a global attack scenario graph is generated and the intent and future path of the attack are predicted, so as to further organize active collaborative protection.
The modules contained in the security agent node of this embodiment, and the relations between them, are shown in Figure 2:
1) Alert message generation
The prototype system of this embodiment uses the Snort intrusion detection software as the peripheral device, with a plug-in developed for Snort that communicates with the security agent node through a dedicated protocol; through the security agent it publishes the abnormal network behaviour Snort detects, in the form of alert messages, into the whole distributed network pre-warning system. In concrete security applications, of course, more heterogeneous network security devices can be joined into the system to realize a broader collaborative security mechanism.
2) Data pre-processing
The end result of data pre-processing is that the alert data produced in different representations by the various heterogeneous network security protection facilities are unified into alert messages of one common format. This embodiment extends the IDMEF XML format to form the unified message processing framework of the architecture.
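An added example of the alert generation and pre-processing steps above (not the patent's Snort plug-in or its IDMEF extension): parse one Snort "fast" alert line and normalize it into an IDMEF (RFC 4765) Alert document using only the standard library. The sample line, the analyzer id, the Snort-priority-to-severity mapping and the year (fast-format timestamps carry none) are assumptions; the IDMEF element and attribute names follow the RFC.

```python
"""Added example, not the patent's code: Snort fast-format alert -> IDMEF Alert.
Sample line, analyzer id, severity mapping and year are constructed."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

IDMEF_NS = "http://iana.org/idmef"
SEVERITY = {1: "high", 2: "medium", 3: "low"}   # Snort priority -> IDMEF severity (assumed)

FAST_RE = re.compile(
    r"(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_fast(line, year):
    """Extract the fields of one Snort fast-format alert (IPv4 only) into a dict."""
    m = FAST_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Snort fast alert: {line!r}")
    f = m.groupdict()
    when = datetime.strptime(f"{year}/{f['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    port = lambda v: int(v) if v is not None else None   # ICMP alerts carry no ports
    return {"time": when.replace(tzinfo=timezone.utc),
            "rule": f"{f['gid']}:{f['sid']}:{f['rev']}", "msg": f["msg"],
            "classification": f["cls"], "priority": int(f["pri"]), "proto": f["proto"],
            "src": f["src"], "sport": port(f["sport"]), "dst": f["dst"], "dport": port(f["dport"])}


def ntpstamp(when):
    """IDMEF ntpstamp attribute: seconds since 1900 as two 32-bit hex words."""
    secs = when.timestamp() + 2208988800          # Unix epoch -> NTP epoch
    whole = int(secs)
    return "0x%08x.0x%08x" % (whole, int((secs - whole) * (1 << 32)))


def _endpoint(alert, tag, ip, port, proto):
    """Source or Target element with Node/Address and, if known, Service."""
    ep = ET.SubElement(alert, tag)
    addr = ET.SubElement(ET.SubElement(ep, "Node"), "Address", category="ipv4-addr")
    ET.SubElement(addr, "address").text = ip
    if port is not None:
        svc = ET.SubElement(ep, "Service")
        ET.SubElement(svc, "port").text = str(port)
        ET.SubElement(svc, "protocol").text = proto.lower()


def to_idmef(a, analyzer_id, message_id):
    """Serialize a parsed alert as an IDMEF-Message/Alert document."""
    root = ET.Element("IDMEF-Message", version="1.0", xmlns=IDMEF_NS)
    alert = ET.SubElement(root, "Alert", messageid=message_id)
    ET.SubElement(alert, "Analyzer", analyzerid=analyzer_id, name="snort")
    ET.SubElement(alert, "CreateTime", ntpstamp=ntpstamp(a["time"])).text = a["time"].isoformat()
    _endpoint(alert, "Source", a["src"], a["sport"], a["proto"])
    _endpoint(alert, "Target", a["dst"], a["dport"], a["proto"])
    ET.SubElement(alert, "Classification", text=a["msg"])
    ET.SubElement(ET.SubElement(alert, "Assessment"), "Impact",
                  severity=SEVERITY.get(a["priority"], "info"))
    extra = ET.SubElement(alert, "AdditionalData", type="string", meaning="snort-rule")
    ET.SubElement(extra, "string").text = a["rule"]   # keeps the vendor rule id
    return ET.tostring(root, encoding="unicode")


# Constructed sample; 1:1000001:1 lies in the SID range Snort reserves for local rules.
SAMPLE_FAST_ALERT = ("01/15-10:23:45.123456  [**] [1:1000001:1] CONSTRUCTED probe to web port [**] "
                     "[Classification: Attempted Information Leak] [Priority: 2] "
                     "{TCP} 192.168.1.10:44321 -> 10.0.0.5:80")


def normalize(line, analyzer_id="agent-01", message_id="msg-0001", year=2009):
    """Pre-processing step: one fast alert line -> (parsed fields, IDMEF XML)."""
    a = parse_fast(line, year)
    return a, to_idmef(a, analyzer_id, message_id)


if __name__ == "__main__":
    print(normalize(SAMPLE_FAST_ALERT)[1])
```

The regex deliberately rejects anything it cannot fully match rather than guessing, since a normalizer that silently produces half-filled alerts is worse than one that drops a line into an error log; a real deployment would also have to accept Snort's other output formats and IPv6 addresses.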
3) Alert message aggregation
On the security agent node this embodiment uses an alert clustering algorithm based on analysing the root cause of alerts, so that similar alert messages can be grouped, generalized and summarized, reducing the load that redundant alerts place on the system. A prerequisite assumption of this algorithm is that every alert is generated from a root cause, so the method focuses on identifying and analysing that root cause.
The modules contained in the task coordination center node, and the relations between them, are shown in Figure 3:
1) Security resource database
The security resource database mainly holds the information resources related to the task group and is used to support the generation of the coordination model during correlation analysis and collaborative protection. The concrete data stored in the security resource database include:
a) the registration information of all security agents in the task group, and the corresponding access control level;
b) an inventory of the network security protection facilities deployed in the task group, including each facility's type code, IP address and operating state and the node ID of the corresponding security agent;
c) statistics derived from the intrusion report messages obtained in the task group's correlation analysis, such as IP addresses, frequency of occurrence and feature values. These data are saved and submitted to the control center to help it assess the security posture of the whole protected network.
2) Coordination model generation
The task coordination center is responsible for the coordinated control of a single task, and its core function is to generate an adaptive coordination model for detection and protection. In this embodiment, following the design principles of expert systems, corresponding security rules are preset for different alert types and threat levels. Guided by these rules, and combining the information in the intrusion signature database, the security policy database and the security resource database, the task coordination center builds a preliminary collaborative detection and protection model. Thereafter, during collaborative detection and protection, it can adjust the concrete parameters of the coordination model according to feedback from the security agents, so that the model adapts dynamically to changes in the environment in real time.
3) warning association analysis
In the present embodiment prototype system, adopt present comparative maturity and the related and attack scene graph generating algorithm that is easy to realize based on causal warning.The core concept of algorithm is that the generation of any attack must have its condition, thus at the prerequisite of attacking and structure just can with two independently attack combine, draw the coupling index according to the probability match algorithm simultaneously, and then generate the attack scene graph.
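The prerequisite/consequence linking described above, as an added example in Python (it is not the patent's prototype code): a small knowledge base maps each alert type to the predicates it requires and the predicates it establishes, an earlier alert is linked to a later one when its consequences satisfy the later alert's prerequisites, and the root-to-sink chains of the resulting graph are the attack scenarios. The alert types, predicates, sample alerts and the simplified matching index (fraction of prerequisites satisfied, standing in for the page's probabilistic matching) are all constructed for this example.

```python
"""Causal alert correlation into an attack scenario graph.

Added illustration of the prerequisite/consequence idea described above, not
the patent's prototype code. Alert types, predicates, the sample alerts and
the simplified matching index are constructed for this example."""
from dataclasses import dataclass

# Hypothetical knowledge base: alert type -> (prerequisite predicates,
# consequence predicates). Placeholders {src}/{dst} are filled per alert.
KB = {
    "PortScan":          (set(),                      {"KnowsOpenPorts({dst})"}),
    "FtpBufferOverflow": ({"KnowsOpenPorts({dst})"},  {"RootShell({dst})"}),
    "InstallDDoSAgent":  ({"RootShell({dst})"},       {"DDoSAgentReady({dst})"}),
    "DDoSAttack":        ({"DDoSAgentReady({src})"},  set()),
}

@dataclass
class Alert:
    id: str
    type: str
    src: str
    dst: str
    ts: float          # seconds, constructed timestamps

    def prereqs(self):
        return {p.format(src=self.src, dst=self.dst) for p in KB[self.type][0]}

    def consequences(self):
        return {p.format(src=self.src, dst=self.dst) for p in KB[self.type][1]}

def match_index(earlier, later):
    """Fraction of `later`'s prerequisites met by `earlier`'s consequences
    (a simplification of the page's probabilistic matching index)."""
    need = later.prereqs()
    return len(need & earlier.consequences()) / len(need) if need else 0.0

def build_scenario_graph(alerts, threshold=1.0):
    """{alert_id: [(successor_id, index), ...]}: a -> b when a precedes b
    and a's consequences satisfy b's prerequisites (index >= threshold)."""
    ordered = sorted(alerts, key=lambda a: a.ts)
    graph = {a.id: [] for a in ordered}
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            m = match_index(a, b)
            if m >= threshold:
                graph[a.id].append((b.id, m))
    return graph

def scenarios(graph):
    """Root-to-sink chains of the graph; an isolated alert is a chain of one."""
    has_pred = {s for succ in graph.values() for s, _ in succ}
    chains = []
    def walk(n, path):
        if not graph[n]:
            chains.append(path)
        for s, _ in graph[n]:
            walk(s, path + [s])
    for root in (n for n in graph if n not in has_pred):
        walk(root, [root])
    return chains

# Constructed sample alerts (not real captures); a3 is an unrelated scan.
SAMPLE = [
    Alert("a1", "PortScan",          "172.16.0.5", "10.0.0.7",    100),
    Alert("a2", "FtpBufferOverflow", "172.16.0.5", "10.0.0.7",    130),
    Alert("a3", "PortScan",          "172.16.0.5", "10.0.0.9",    140),
    Alert("a4", "InstallDDoSAgent",  "172.16.0.5", "10.0.0.7",    200),
    Alert("a5", "DDoSAttack",        "10.0.0.7",   "203.0.113.1", 400),
]

if __name__ == "__main__":
    for chain in scenarios(build_scenario_graph(SAMPLE)):
        print(" -> ".join(chain))
```

Running the module prints the chain a1 -> a2 -> a4 -> a5 (scan, overflow, agent install, DDoS on the same host) and the lone a3; the unrelated scan stays unlinked because no later alert's prerequisites mention 10.0.0.9.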
The modules of the control center node and the relations between them are shown in Figure 4. In the prototype system, the control center node mainly performs the following functions:
1) receiving and handling the alert messages sent by the security agents of its management domain, and organizing task groups to carry out collaborative detection and protection;
2) receiving and handling the alert messages sent by the control centers of other management domains, performing message aggregation network-wide, and thereby achieving collaborative detection and protection across management domains;
3) saving the attack scenario graphs generated by each task group and the extracted attack signatures into the intrusion feature database, and assessing the overall security posture of the management domain. In subsequent collaborative detection and protection tasks, the preliminary results of correlation analysis can be matched against the data in the intrusion feature database, in order to hypothesize the attacks that may occur next and to guide active defense against them.
The implementation of the two core technologies that support the whole cloud computing environment is described in detail below.
1) DHT-based distributed message sharing mechanism
To strengthen the interaction between heterogeneous network security protection facilities and to give the invention better scalability, this embodiment adopts a unified message processing framework based on IDMEF, with XML as the standard format for data representation and exchange. As described above, both the task group overlay network and the control center cluster overlay network use the DHT algorithm for node routing as their core topological structure. Therefore, as one of the core technologies of the cloud computing environment, this embodiment implements distributed sharing of security messages in a structured peer-to-peer overlay network.
a) Storing an XML tree
In each XML document, all intermediate nodes carry only routing information; the information needed by the application is contained in the leaf nodes, which include text nodes, attribute nodes and empty elements. Therefore, the algorithm of this embodiment maps only the leaf nodes of the XML tree into the Chord network and does not map intermediate nodes. Specifically, for each XML document to be stored, all leaf nodes are first extracted, and each leaf node is expressed as a five-tuple:
(PID, DID, pe, tag, value),
where PID is the unique identifier of the Chord node that provides the original XML document, DID is the unique identifier of the XML document at its origin node, pe is the path expression of the leaf node, tag is the Dewey sequence that preserves the node structure information, and value is the value of the leaf node. The algorithm first converts the given XML document into an XML tree, extracts the content of its leaves, and saves it in the five-tuple form above. Then, using the name of each leaf as the keyword, it performs DHT routing with the Chord algorithm, thus achieving distributed storage of the whole XML document.
b) Querying leaf nodes
In this embodiment, query messages against the distributed shared data are constructed in XPath form. An XPath expression uses a path sequence to select nodes and node sets in an XML document; each element of the path sequence consists of three parts: an axis (Axes), a node (Nodes) and a predicate (Predicates). According to the practical needs of the prototype system, only a subset of XPath expressions is chosen to implement the distributed query function. This subset can express three kinds of node relationships: the child axis ("/"), the descendant axis ("//") and predicates ("[]").
The simplest case, querying a leaf node, is discussed first. Suppose the expression of the XPath query message r is:
|s_1|s_2|...|s_n
where s_i denotes the name of each node in the path sequence, s_n is a leaf node, and "|" denotes an axis, which is either the child relation ("/") or the descendant relation ("//"); the handling of predicate nodes is discussed further below. The search algorithm for a leaf node is as follows:
i. Extract the name of the last node (the leaf node s_n) from the XPath query message and, using it as the keyword, perform DHT routing with the Chord algorithm;
ii. For each five-tuple (PID, DID, pe, tag, value) found in the Chord network whose keyword matches s_n, check whether its path expression pe is consistent with the pattern of message r, and filter out those that are not.
c) Querying internal nodes
Querying an internal node means reconstructing the XML fragment rooted at that node. Although the Chord network stores no value for any internal node, the Dewey sequence tags of the leaf nodes are preserved, so the structural information needed to reconstruct the XML subtree is available. As before, suppose the expression of the XPath query message r is:
|s_1|s_2|...|s_n
where s_i denotes the name of each node in the path sequence and "|" denotes an axis, either the child relation ("/") or the descendant relation ("//"). The search algorithm for an internal node is as follows:
i. Following the path sequence of query message r, traverse the path prefix tree of the XML document; if s_n is found to have no child nodes, call the leaf-node query algorithm of b) with message r as the input parameter;
ii. If s_n has child nodes, then for each child node c_i of s_n construct the query message r_i = |s_1|s_2|...|s_n|c_i and repeat step i;
iii. From the content of all leaf nodes retrieved, reconstruct the XML subtree rooted at internal node s_n, where the Dewey sequence tag of each leaf node determines its position relative to its sibling nodes.
d) Querying predicate nodes
Predicate nodes are used for conditional queries on XML fragments. To support them, a two-stage search algorithm is further developed. Suppose the XPath query message is:
r=/Alert[@messageid="001"]/Source;
i. First split the query message into two parts, r_1=/Alert/@messageid and r_2=/Alert/Source;
ii. First-stage query (condition query): with message r_1 as the input parameter, call the leaf-node query algorithm of b); for each five-tuple (PID, DID, pe, tag, value) found, check whether its value is "001", and keep the (PID, DID) pairs that satisfy this condition as the input of the next stage;
iii. Second-stage query (target query): with message r_2 as the input parameter, call the internal-node query algorithm of c); for each five-tuple (PID, DID, pe, tag, value) found, check whether its (PID, DID) pair matches a result of the first stage, and filter out those that do not.
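The storage scheme of a) and the three query algorithms of b), c) and d), as one added Python example (not the patent's prototype code): leaves of an IDMEF-like alert are extracted into (PID, DID, pe, tag, value) five-tuples with Dewey tags, routed onto a Chord-style ring by hashing the leaf name, and then queried with the "/", "//" and "[@attr="v"]" subset of XPath. The 8-bit identifier space, the node ids, the Dewey encoding, the two sample alerts and the global index of leaf paths (standing in for the page's per-document path prefix tree) are all assumptions made for the example; the internal-node query returns the leaves in Dewey order rather than serializing the rebuilt subtree.

```python
"""XML leaf-node storage in a Chord-style DHT and the XPath-subset queries of
b), c) and d). Added example, not the patent's prototype code. The ring size,
node ids, the Dewey encoding, the IDMEF-like sample alerts and the global
path index (standing in for the page's path prefix tree) are all assumptions."""
import hashlib
import re
import xml.etree.ElementTree as ET

M_BITS = 8                             # assumed 2**8 identifier space
NODE_IDS = [17, 88, 160, 233]          # assumed Chord node ids, ascending

def chord_key(name):
    return int(hashlib.sha1(name.encode()).hexdigest(), 16) % (1 << M_BITS)

def successor(key):
    """Chord successor: first node id >= key, wrapping to the lowest id."""
    return next((n for n in NODE_IDS if n >= key), NODE_IDS[0])

def dewey_key(tag):
    return tuple(int(x) for x in tag.split("."))

def leaf_tuples(pid, did, xml_text):
    """Every leaf (attribute, text node, empty element) as
    (PID, DID, pe, tag, value); tag is a Dewey sequence such as '1.3.1.1'."""
    out = []
    def walk(elem, path, dewey):
        pos = 0
        for k, v in elem.attrib.items():            # attributes are leaves named '@k'
            pos += 1
            out.append((pid, did, f"{path}/@{k}", f"{dewey}.{pos}", v))
        children = list(elem)
        if not children:                            # text node or empty element
            out.append((pid, did, path, dewey, (elem.text or "").strip()))
        for c in children:
            pos += 1
            walk(c, f"{path}/{c.tag}", f"{dewey}.{pos}")
    root = ET.fromstring(xml_text)
    walk(root, f"/{root.tag}", "1")
    return out

def path_pattern(expr):
    """'/' is the child axis, '//' the descendant axis; no predicates."""
    pat = "".join(("(?:/[^/]+)*" if axis == "//" else "") + "/" + re.escape(name)
                  for axis, name in re.findall(r"(//|/)([^/]+)", expr))
    return re.compile("^" + pat + "$")

class Overlay:
    def __init__(self):
        self.ring = {n: {} for n in NODE_IDS}   # node id -> {leaf name: [five-tuples]}
        self.paths = set()                      # assumed global index of leaf paths

    def store(self, tuples):
        """Route each five-tuple by the keyword = leaf name (last step of pe)."""
        for t in tuples:
            name = t[2].rsplit("/", 1)[-1]
            self.ring[successor(chord_key(name))].setdefault(name, []).append(t)
            self.paths.add(t[2])

    def query_leaf(self, expr):
        """Algorithm b): route on the last step, then filter on pe."""
        name = re.findall(r"(?://|/)([^/]+)", expr)[-1]
        pat = path_pattern(expr)
        bucket = self.ring[successor(chord_key(name))].get(name, [])
        return [t for t in bucket if pat.match(t[2])]

    def query_internal(self, expr):
        """Algorithm c): expand the target to every leaf path below it, fetch
        those leaves, and order them by Dewey tag (the order a rebuilt subtree
        would have)."""
        pat = path_pattern(expr)
        hits = []
        for leaf_path in sorted(self.paths):
            steps = leaf_path.split("/")[1:]
            if any(pat.match("/" + "/".join(steps[:k])) for k in range(1, len(steps) + 1)):
                hits.extend(self.query_leaf(leaf_path))
        return sorted(hits, key=lambda t: (t[0], t[1], dewey_key(t[3])))

    def query_predicate(self, expr):
        """Algorithm d): /A[@k="v"]/B -> stage 1 on /A/@k keeps the (PID, DID)
        pairs whose value is v; stage 2 on /A/B is filtered by those pairs."""
        head, attr, want, tail = re.fullmatch(r'(.*)\[@(\w+)="([^"]*)"\](.*)', expr).groups()
        keep = {(t[0], t[1]) for t in self.query_leaf(f"{head}/@{attr}") if t[4] == want}
        return [t for t in self.query_internal(head + tail) if (t[0], t[1]) in keep]

# Constructed IDMEF-like alerts (not real captures).
ALERT_TMPL = """<Alert messageid="{mid}">
  <Analyzer analyzerid="ids-7"/>
  <Source><Node><address>{src}</address></Node></Source>
  <Target><Node><address>198.51.100.5</address></Node></Target>
  <Classification text="TCP port scan"/>
</Alert>"""

def build_overlay():
    ov = Overlay()
    ov.store(leaf_tuples("n17", "d1", ALERT_TMPL.format(mid="001", src="192.0.2.10")))
    ov.store(leaf_tuples("n88", "d2", ALERT_TMPL.format(mid="002", src="203.0.113.7")))
    return ov

if __name__ == "__main__":
    ov = build_overlay()
    print(ov.query_leaf("//address"))
    print(ov.query_predicate('/Alert[@messageid="001"]/Source'))
```

Because routing keys on the leaf name alone, every document's `address` leaves land on the same node, and the path filter in step ii of b) is what separates `/Alert/Source//address` from `/Alert/Target//address`; the predicate query shows why the first stage has to return (PID, DID) pairs rather than values, since the same `Source` path exists in both documents.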
2) Distributed task scheduling algorithm based on a self-organizing grid
The task group overlay network is the smallest unit in which distributed message sharing is carried out, but the data analysis tasks are borne by the task coordination center, and the computing resources of the security agent nodes in the task group are left idle. The basic idea of this embodiment is to build a further task scheduling overlay on top of the task group, connecting all member nodes into a small grid system, so that through a task scheduling algorithm every node can take part in the analytical computation on the data and the analysis results are finally aggregated, thereby achieving on-demand allocation of computing resources. Unlike a traditional grid system, however, the task group is a dynamic, peer-to-peer, self-organizing architecture, so the centralized task scheduling algorithm of a traditional grid system cannot be used. To meet the real needs of distributed collaborative security, this embodiment proposes a distributed, self-organizing task scheduling algorithm.
The basic scheduling algorithm is as follows:
i. The start node divides the original task T into a subtask set T_s = {T_si | i = 1...n}, in which every element T_si is a subtask independent of the others;
ii. Each security agent node in the task group has one thread that schedules and processes these subtasks locally, and another thread that listens for request messages sent by other nodes;
iii. Each security agent node in the task group maintains an ancestor node list ancestor_list; when the node has no task being processed, it sends request messages in order to the member nodes in ancestor_list;
iv. If node A receives a request message from node B, it selects r subtasks that have not yet been scheduled from its local subtask set and replies to node B with a dispatch message; node A and node B thus form a parent/child pair. At the same time node A sends its own ancestor_list to node B, so that node B can update its own ancestor_list.
v. To guarantee that no cycle arises in the scheduling process, if node A receives a request message from node B but finds that node B appears in its own ancestor_list, node A discards the request message.
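Steps i to v as a round-based simulation in Python, added here as an example and not taken from the patent: a start node holds the subtask set, idle members ask the nodes in their ancestor_list in order, a node that answers hands over up to r unscheduled subtasks together with its own ancestor_list, and a request from a node that is already one of the receiver's ancestors is dropped. The page does not state what ancestor_list initially contains, so the example assumes that each member lists the start node first and the other members after it in join order; one finished subtask per node per round and the subtask labels are likewise assumptions.

```python
"""Simulation of the basic self-organizing scheduling algorithm (steps i to v).

Added example, not the patent's code. Assumptions: members initially list the
start node first and then the other members in join order as potential
ancestors; every node finishes one subtask per round; the sample subtasks are
constructed labels."""
from collections import deque

class Agent:
    """One security agent node of the task group."""
    def __init__(self, name, speed=1):
        self.name = name
        self.speed = speed                 # subtasks processed per round (assumed)
        self.todo = deque()                # local subtasks not yet processed
        self.done = []
        self.ancestor_list = []            # nearest ancestor first
        self.parent = None

    def idle(self):
        return not self.todo

    def handle_request(self, child, r):
        """Steps iv and v: a request from one of our own ancestors is dropped
        (cycle guard); otherwise hand over up to r unscheduled subtasks together
        with a copy of our ancestor_list."""
        if child.name in self.ancestor_list:
            return None
        batch = [self.todo.popleft() for _ in range(min(r, len(self.todo)))]
        return batch, list(self.ancestor_list)

def run_group(agents, start, subtasks, r=2, max_rounds=100):
    """Run until every node is idle. Returns ({name: finished subtasks},
    {name: parent name}) so the tree that formed can be inspected."""
    start.todo.extend(subtasks)                              # step i
    for a in agents:
        if a is not start:                                   # assumed initial view
            a.ancestor_list = [start.name] + [b.name for b in agents if b not in (a, start)]
    by_name = {a.name: a for a in agents}
    for _ in range(max_rounds):
        if all(a.idle() for a in agents):
            break
        for a in agents:                                     # step ii: local processing
            for _ in range(a.speed):
                if a.todo:
                    a.done.append(a.todo.popleft())
        for a in agents:                                     # step iii: idle nodes ask ancestors in order
            if not a.idle():
                continue
            for anc in list(a.ancestor_list):
                reply = by_name[anc].handle_request(a, r)
                if reply is None or not reply[0]:
                    continue
                batch, anc_list = reply
                a.todo.extend(batch)
                a.parent = anc                               # step iv: parent/child pair formed
                a.ancestor_list = [anc] + [x for x in anc_list if x != a.name]
                break
    return {a.name: a.done for a in agents}, {a.name: a.parent for a in agents}

if __name__ == "__main__":
    group = [Agent(n) for n in "SBCDEF"]
    done, parents = run_group(group, group[0], [f"t{i}" for i in range(1, 10)])
    print(done)
    print(parents)
```

With six nodes, nine subtasks and r = 2, the start node S runs out while F is still asking, so F obtains its batch from B and ends up one level deeper (parent B, ancestor_list ["B", "S"]): this is the tree-shaped overlay that the next paragraph describes as forming out of the initial peer structure.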
The basic scheduling algorithm above lets the task group, starting from the initial peer structure, continuously adjust itself into a comparatively stable tree-shaped task scheduling overlay. However, the computing performance and physical network bandwidth of the member nodes of a task group differ; ideally, higher-performance nodes should be scheduled first and lower-performance nodes last. Under the basic scheduling algorithm, though, the distribution of nodes of different performance over the tree is essentially random. Therefore a dynamic optimization algorithm is further designed, so that high-performance nodes are placed closer to the root of the tree and low-performance nodes concentrate at the leaves.
First define the performance metric of a node as M = C + N_d, where C denotes the computing throughput and N_d the network delay; throughout the following steps a lower M ranks better. When M cannot be measured accurately, it is approximated as follows: measure the time interval T_r between two successive dispatches of r subtasks, and take the mean over R measurements as the approximation of M.
The dynamic optimization algorithm for distributed task scheduling is as follows:
i. Each security agent node constructs a child node list child_list and an obsolete node list obsolete_list; child_list records all current child nodes of this node, sorted by M value from low to high;
ii. Horizontal optimization: after each task scheduling round, recompute the M values of the member nodes in child_list; the child node with the best performance is dispatched to first in the next round, the child node with the worst performance enters obsolete_list, and request messages from a node that has entered obsolete_list are not answered within a specified time;
iii. Vertical optimization: at regular intervals, each node recommends its child node with the lowest M value to its own parent node, so that the parent node's child_list is updated.
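The three optimization steps above, as an added Python example that is not the patent's code: M is approximated as the page describes, by the mean of the last R intervals between dispatches of r subtasks to a child; horizontal optimization re-sorts child_list and parks the highest-M child in obsolete_list for a timeout during which its requests are refused; vertical optimization hands the lowest-M child to the node's own parent. The page does not say whether a recommended child leaves the recommending node's child_list or how the parent obtains an M value for it, so the example moves the child up and copies the measured intervals as the parent's initial estimate; the tree, timings and timeout are constructed.

```python
"""Dynamic optimization of the scheduling tree: child_list / obsolete_list,
horizontal and vertical optimization. Added example, not the patent's code.
M is approximated as on the page (mean interval between successive dispatches
of r subtasks over the last R rounds); moving a recommended child up and
seeding the parent's estimate with copied intervals are assumptions, as are
the sample tree, timings and timeout."""
from statistics import mean

class Node:
    def __init__(self, name, R=3):
        self.name = name
        self.parent = None
        self.child_list = []          # child names, kept sorted by M ascending (lower is better)
        self.obsolete_list = {}       # child name -> time until which its requests are ignored
        self.intervals = {}           # child name -> last R measured T_r values
        self.R = R

    def record_dispatch(self, child, t_r):
        """Keep the last R intervals between dispatches of r subtasks to `child`."""
        hist = self.intervals.setdefault(child, [])
        hist.append(t_r)
        del hist[:-self.R]

    def metric(self, child):
        """Approximation of M = C + N_d when it cannot be measured directly."""
        return mean(self.intervals[child])

    def horizontal_optimize(self, now, timeout):
        """Step ii: re-rank children by M; the worst one is moved to
        obsolete_list until now + timeout. Returns the new child_list."""
        self.child_list.sort(key=self.metric)
        if len(self.child_list) > 1:
            worst = self.child_list.pop()
            self.obsolete_list[worst] = now + timeout
        return list(self.child_list)

    def accepts_request(self, child, now):
        """Requests from an obsoleted child are ignored until its entry expires."""
        until = self.obsolete_list.get(child)
        if until is not None and now < until:
            return False
        self.obsolete_list.pop(child, None)
        return True

    def vertical_optimize(self, nodes):
        """Step iii: recommend our best (lowest-M) child to our own parent,
        which adopts it (assumed: the child moves up the tree)."""
        if not self.child_list or self.parent is None:
            return None
        best = self.child_list[0]
        parent = nodes[self.parent]
        if best not in parent.child_list:
            parent.child_list.append(best)
            parent.intervals[best] = list(self.intervals[best])   # assumed initial estimate
            parent.child_list.sort(key=parent.metric)
        self.child_list.remove(best)
        nodes[best].parent = self.parent
        return best

def build_tree():
    """Constructed scenario: S is the root, B its child, X/Y/Z are B's children."""
    nodes = {n: Node(n) for n in "SBXYZ"}
    nodes["B"].parent = "S"
    nodes["S"].child_list = ["B"]
    for t in (3.0, 3.0, 3.0):
        nodes["S"].record_dispatch("B", t)
    for c in "XYZ":
        nodes[c].parent = "B"
    nodes["B"].child_list = ["Z", "X", "Y"]
    timings = {"X": (1.0, 1.2, 1.1), "Y": (2.0, 2.1, 2.2), "Z": (5.0, 6.0, 7.0)}
    for c, ts in timings.items():
        for t in ts:
            nodes["B"].record_dispatch(c, t)
    return nodes

if __name__ == "__main__":
    nodes = build_tree()
    print("after horizontal:", nodes["B"].horizontal_optimize(now=10, timeout=5))
    print("promoted:", nodes["B"].vertical_optimize(nodes), "->", nodes["S"].child_list)
```

In the constructed tree the slow child Z is parked in obsolete_list and the fast child X is promoted to a direct child of the root S, where its estimated M (about 1.1) ranks it ahead of B (3.0); that is the "high-performance nodes near the root" outcome the optimization aims at.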
Although specific embodiments and drawings of the invention have been disclosed for the purpose of illustration, to help understand and implement its content, those skilled in the art will appreciate that various substitutions, variations and modifications are possible without departing from the spirit and scope of the invention and the appended claims. Therefore the invention is not limited to the preferred embodiments and the content disclosed in the drawings; the scope of protection of the invention is defined by the claims.

Claims (9)

1. A distributed network security pre-warning method based on a cloud computing environment, characterized in that the method comprises setting up a plurality of management domains, each management domain comprising a control center node and more than one security agent node in data connection with it, the control center nodes of the plurality of management domains being connected as peers;
the security agent node discovers abnormal events through peripheral facilities, extracts the event information, generates an alert message in a set format, and sends the alert message to the control center node of its management domain;
the control center node receives the alert messages sent by the security agent nodes of its management domain and by the control center nodes of other management domains, and merges the more than one security agent nodes that satisfy a set merging condition into a task group;
the security agent nodes in the task group are connected as peers, and one of them serves as the task coordination center node, which coordinates the security agent nodes in the group to jointly complete a set task; the task coordination center node coordinates the security agent nodes in the group to jointly complete the set task by the following method:
a) the original task T is divided into a subtask set T_s = {T_si | i = 1...n}, and the T_si are allocated to the security agent nodes in the group;
b) each security agent node in the task group has one thread that schedules and processes the allocated subtasks locally and another thread that listens for request messages sent by other nodes;
c) each security agent node in the task group maintains an ancestor node list ancestor_list, and when the node is idle it sends request messages in turn to the member nodes in ancestor_list;
d) when node A receives a request message from node B, if node B is in node A's ancestor_list, node A discards the request message; otherwise node A selects r subtasks not yet scheduled from its local subtask set, replies to node B with a dispatch message, and at the same time sends its ancestor_list to node B, whereupon node B updates its own ancestor_list;
the task group is in data connection with the control center node through the task coordination center node.
2. The distributed network security pre-warning method based on a cloud computing environment as claimed in claim 1, characterized in that the task coordination center node collects the alert messages of each member node in the group, performs data fusion and correlation analysis, thereby extracts the features of the abnormal event, and sends the features to the control center of its management domain.
3. The distributed network security pre-warning method based on a cloud computing environment as claimed in claim 2, characterized in that the task coordination center node formulates the access control policy, issues collaborative control commands, and coordinates each security agent in the group to perform operations on its peripheral facilities.
4. The distributed network security pre-warning method based on a cloud computing environment as claimed in claim 1, characterized in that a plurality of control center nodes are deployed in each management domain, only one of which is in the active state while the others are in the dormant state; when the control center node in the active state fails, a control center node in the dormant state is activated to serve as the new control center node.
5. The distributed network security pre-warning method based on a cloud computing environment as claimed in claim 1, characterized in that a security agent node joins a plurality of task groups simultaneously.
6. The distributed network security pre-warning method based on a cloud computing environment as claimed in claim 1, characterized in that when the task coordination center node fails, one of the other security agent nodes in the task group is appointed according to a set rule to serve as the new task coordination center node.
7. The distributed network security pre-warning method based on a cloud computing environment as claimed in claim 1, characterized in that the control center nodes, and the security agent nodes within a task group, are all connected as peers through a peer-to-peer overlay network structure routed by the DHT algorithm.
8. The distributed network security pre-warning method based on a cloud computing environment as claimed in claim 7, characterized in that, in the peer-to-peer overlay network structure, the XPath structured language is used as the unified global query interface for the shared data.
9. The distributed network security pre-warning method based on a cloud computing environment as claimed in claim 1, characterized in that the method further comprises:
1) each security agent node constructs a child node list child_list and an obsolete node list obsolete_list, wherein child_list records the current child nodes of the node sorted by M value from low to high, with M = C + N_d, where C denotes the computing throughput of the child node and N_d the network delay of the child node;
2) child_list is refreshed after each task scheduling round, and the child node with the highest M value is placed in obsolete_list; request messages from a node in obsolete_list receive no response within a set time;
3) after every period of preset length, the child node with the lowest M value is sent to the parent node, and the parent node places it in its own child_list.
CN2009102384429A 2009-11-20 2009-11-20 Cloud computing environment-based distributed network security pre-warning method Active CN101719842B (en)


Publications (2)

Publication Number Publication Date
CN101719842A CN101719842A (en) 2010-06-02
CN101719842B true CN101719842B (en) 2011-09-21

Family

ID=42434363





Legal Events

Code  Title
C06   Publication
PB01  Publication
C10   Entry into substantive examination
SE01  Entry into force of request for substantive examination
C14   Grant of patent or utility model
GR01  Patent grant