CN105871829A - Intrusion detection system configuration method and device based on cloud computing environment - Google Patents

Publication number
CN105871829A
Authority
CN
China
Legal status
Granted
Application number
CN201610184164.3A
Other languages
Chinese (zh)
Other versions
CN105871829B (en)
Inventor
赵国祥
周贤伟
刘小茵
李尧
高智伟
程广明
朱楠楠
谢灵群
Current Assignee
Guangzhou Ceprei Certification Center Services Co Ltd
Original Assignee
Guangzhou Ceprei Certification Center Services Co Ltd
Application filed by Guangzhou Ceprei Certification Center Services Co Ltd
Priority to CN201610184164.3A
Publication of CN105871829A
Application granted
Publication of CN105871829B
Status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H04L41/147 Network analysis or design for predicting network behaviour
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network

Abstract

The invention relates to an intrusion detection system configuration method and device based on a cloud computing environment. The method comprises the following steps: obtaining the current operating parameters of an intrusion detection system; establishing a defense optimization overall benefit model of the intrusion detection system according to the current operating parameters; obtaining an optimal consumption value that brings the defense optimization overall benefit model to a Nash equilibrium state; and configuring the consumption parameters of the intrusion detection system according to the optimal consumption value. The method and device enable the intrusion detection system to adjust its configuration according to its own operating parameters, which improves the security performance of the intrusion detection system.

Description

Intrusion detection system configuration method and device based on a cloud computing environment
Technical field
The present invention relates to the field of cloud computing information security technology, and in particular to an intrusion detection system configuration method and device based on a cloud computing environment.
Background
Cloud computing saves users the resources otherwise spent on building and managing infrastructure, which substantially reduces their costs and also improves their working efficiency. As the network has entered the freer and more flexible Web 2.0 era, cloud computing applications have developed further and the market has expanded rapidly, so that cloud computing is becoming a public utility similar to water, electricity and gas, and cloud security has correspondingly become a focus of industry attention. Cloud security directly affects the safety of the private data and important information of enterprise and individual users, and these potential security risks pose a severe challenge to their information security.
To meet the demands of information systems and reach the standard of information-warfare-level protection, intensive research into the technology and industrialization of network intrusion detection and security early-warning systems is necessary. Such research has significant practical value for speeding up a network system's response, reducing the harm caused by network attacks, strengthening the system's dynamic detection capability, and selecting optimal strategies.
Because the cloud computing environment is dynamic, many defense/attack behaviors and state variables cannot be separated from time. A decision that was optimal may no longer be the best at the next moment and may even be the worst, so the corresponding strategy must be adjusted promptly as the environment changes.
In a traditional intrusion detection system, the relevant parameters are generally fixed once the system has been released or updated, which easily leads to poor security performance.
Summary of the invention
In view of this, it is necessary to address the technical problem of the poor security performance of traditional schemes by providing an intrusion detection system configuration method and device based on a cloud computing environment.
An intrusion detection system configuration method based on a cloud computing environment, characterized by comprising the following steps:
Obtaining the current operating parameters of the intrusion detection system;
Building a defense optimization overall benefit model of the intrusion detection system according to the operating parameters, where the defense optimization overall benefit model is a model describing the real-time defense capability of the intrusion detection system;
Obtaining the optimal consumption value that brings the defense optimization overall benefit model to a Nash equilibrium state;
Configuring the consumption parameters of the intrusion detection system according to the optimal consumption value.
An intrusion detection system configuration device based on a cloud computing environment, comprising:
A first acquisition module, configured to obtain the current operating parameters of the intrusion detection system;
A building module, configured to build the defense optimization overall benefit model of the intrusion detection system according to the operating parameters, where the defense optimization overall benefit model is a model describing the real-time defense capability of the intrusion detection system;
A second acquisition module, configured to obtain the optimal consumption value that brings the defense optimization overall benefit model to a Nash equilibrium state;
A configuration module, configured to configure the consumption parameters of the intrusion detection system according to the optimal consumption value.
The above method and device obtain the current operating parameters of the intrusion detection system, build from them a defense optimization overall benefit model that characterizes the real-time running state of the intrusion detection system, obtain the optimal consumption value that brings the model to a Nash equilibrium state, and configure the consumption parameters of the intrusion detection system according to that value. The intrusion detection system can thus adjust its configuration according to its own operating parameters, which improves its security performance.
Brief description of the drawings
Fig. 1 is a flow chart of the intrusion detection system configuration method based on a cloud computing environment according to an embodiment;
Fig. 2 is a schematic structural diagram of the intrusion detection system configuration device based on a cloud computing environment according to an embodiment.
Detailed description
Specific embodiments of the intrusion detection system configuration method and device based on a cloud computing environment are described in detail below with reference to the accompanying drawings.
Referring to Fig. 1, which shows a flow chart of the intrusion detection system configuration method based on a cloud computing environment according to an embodiment, the method comprises the following steps:
S10, obtaining the current operating parameters of the intrusion detection system;
Before the current operating parameters are obtained, the intrusion detection system may first be initialized so that the acquired operating parameters are more accurate.
The current operating parameters of the intrusion detection system, also called real-time operating parameters, may typically include:
$R_m$: the security value parameter of the cloud computing resources in the intrusion detection system. Cloud computing resources mainly include CPU, bandwidth, and physical and virtual resources. During model building, this parameter expresses the security value of the cloud computing resources and is used to calculate the capability measures of the defender and the attacker in the model.
$\alpha_{Attack}$: the unit consumption value of a malicious user's attack. It represents the attacker's consumption per unit when attacking and is used to calculate the attacker's consumption in the game model. The unit consumption value may include the time consumed and the resources consumed per unit time, among others.
$\alpha_{Monitor}$: the unit consumption value of intrusion detection system monitoring. It represents the unit consumption of monitoring the attacker and is used to calculate the consumption of the attacker in the game model.
$\alpha_{False}$: the unit consumption value of an intrusion detection system false alarm, used to calculate the resources spent when the intrusion detection system raises a false alarm.
$u_{Aj}(t)$: the attack consumption value of the malicious user at time t, an important parameter in establishing the differential game capability measure function.
$u_{Di}(t)$: the defense consumption value of the intrusion detection system at time t, an important parameter in establishing the differential game capability measure function.
$\rho_A$: the probability that the malicious user chooses to attack.
$\rho_D$: the probability that the intrusion detection system (the defender) chooses to monitor.
$g_i[\cdot]$: the capability measure function of the attacker and the defender at time t.
$x(t)$: the probability that the intrusion detection defender discovers the malicious-user attacker at time t.
$S_{Di}$: the terminal capability value of the defender at time t.
$S_{Aj}$: the terminal capability value of the malicious attacker at time t.
S20, building the defense optimization overall benefit model of the intrusion detection system according to the operating parameters, where the defense optimization overall benefit model is a model describing the real-time defense capability of the intrusion detection system;
In this step, the real-time operating parameters of the intrusion detection system are used to establish the relevant functions, and the defense optimization overall benefit model is then built from those functions, so that the resulting model describes the real-time defense capability of the intrusion detection system.
S30, obtaining the optimal consumption value that brings the defense optimization overall benefit model to a Nash equilibrium state;
A Nash equilibrium can be used to solve dynamic strategy problems such as the defense of an intrusion detection system that changes continuously. It provides a mathematical framework for modeling and analyzing network security problems, and it also gives risk assessment an effective way to treat the attack and defense process. Because the cloud computing environment is dynamic, many defense/attack behaviors and state variables cannot be separated from time; a decision that was optimal may no longer be the best at the next moment and may even be the worst, so the strategy maker must formulate countermeasures promptly as the environment changes. In this situation, differential game theory that reaches a Nash equilibrium state is better suited to solving the configuration problem of an intrusion detection system in a cloud computing environment based on risk prediction.
S40, configuring the consumption parameters of the intrusion detection system according to the optimal consumption value.
The optimal consumption value may include an optimal defense consumption value and an optimal attack consumption value. The defense consumption parameter of the intrusion detection system can be configured according to the optimal defense consumption value, and its attack consumption parameter according to the optimal attack consumption value, so that the configured intrusion detection system provides the greatest possible protection with the fewest resources.
The method of this embodiment obtains the current operating parameters of the intrusion detection system, builds from them a defense optimization overall benefit model that characterizes the real-time running state of the intrusion detection system, obtains the optimal consumption value that brings the model to a Nash equilibrium state, and configures the consumption parameters of the intrusion detection system according to that value. The intrusion detection system can thus adjust its configuration according to its own operating parameters, which improves its security performance.
In one embodiment, the operating parameters may include the security value parameter $R_m$, the unit consumption value of a malicious user's attack $\alpha_{Attack}$, the unit consumption value of intrusion detection system monitoring $\alpha_{Monitor}$, the unit consumption value of an intrusion detection system false alarm $\alpha_{False}$, the attack consumption value of the malicious user at the current time, the defense consumption value of the intrusion detection system at the current time, the probability $\rho_A$ that the malicious user chooses to attack, the probability $\rho_D$ that the intrusion detection system chooses to monitor, and the probability that the intrusion detection defender discovers the malicious-user attacker at the current time.
As an embodiment, the process of building the defense optimization overall benefit model of the intrusion detection system according to the operating parameters may include:
Obtaining the payoff matrix of the intrusion detection system according to the operating parameters, where the payoff matrix contains, for each defense state, the ratio of the defense capability measure of the intrusion detection system to the attack capability measure of the corresponding malicious user;
Obtaining the capability measure function of the intrusion detection system according to the defense parameters in the payoff matrix and the operating parameters;
Building the defense optimization overall benefit model of the intrusion detection system according to the capability measure function.
The process of obtaining the payoff matrix of the intrusion detection system according to the operating parameters may include:
Obtaining the expected capability parameters according to the operating parameters. The expected capability parameter of detection by the defender $P_D$ is $x(t)R_m - [1-x(t)]R_m = [2x(t)-1]R_m$, and the expected capability parameter of the attacker $P_A$ is $[1-2x(t)]R_m$;
Setting the initial attack consumption parameter $\alpha_{Attack}u_{Aj}(t)^2$ and the initial detection consumption parameter $\alpha_{Monitor}u_{Di}(t)^2$, where $\alpha_{Attack}$ and $\alpha_{Monitor}$ are non-negative parameters, $x(t)$ is the probability that the intrusion detection system discovers the malicious-user attacker at time t, $\alpha_{False}$ is the unit consumption value of an intrusion detection system false alarm, $\alpha_{Monitor}$ is the unit consumption value of intrusion detection system monitoring, $u_{Di}(t)$ is the defense consumption value of the intrusion detection system at time t, $u_{Aj}(t)$ is the attack consumption value of the malicious user at time t, $\alpha_{Attack}$ is the unit consumption value of a malicious user's attack, and $R_m$ is the security value parameter;
Establishing the payoff matrix shown in Table 1 from the expected capability parameters, the initial attack consumption parameter and the initial detection consumption parameter;
Table 1. Payoff matrix
Table 1 contains, for each state formed by combining whether the intrusion detection system is attacked or not attacked with whether it monitors or does not monitor, the ratio of the defense capability measure to the attack capability measure of the corresponding malicious user. Each entry can also be expressed as the difference between the expected capability parameter in that state and the consumption parameter of carrying out the attack or detection.
As an embodiment, the capability measure functions may include:
$$g_{Di}[\cdot] = \rho_A\rho_D R_m + 2\rho_A\rho_D R_m\,x(t) + \left(\rho_A\rho_D\alpha_{False} - \rho_D\alpha_{Monitor} - \rho_D\alpha_{False}\right)u_{Di}(t)^2,$$
$$g_{Aj}[\cdot] = \rho_A R_j - 2\rho_A\rho_D R_m\,x(t) - \rho_A\alpha_{Attack}\,u_{Aj}(t)^2,$$
where $g_{Di}[\cdot]$ is the capability measure function for the intrusion detection system choosing to monitor, $g_{Aj}[\cdot]$ is the capability measure function for choosing to attack, $\rho_A$ is the probability that the malicious user chooses to attack, $\rho_D$ is the probability that the intrusion detection system chooses to monitor, $R_m$ is the security value parameter, $x(t)$ is the probability that the intrusion detection system discovers the malicious-user attacker at time t, $\alpha_{False}$ is the unit consumption value of an intrusion detection system false alarm, $\alpha_{Monitor}$ is the unit consumption value of intrusion detection system monitoring, $u_{Di}(t)$ is the defense consumption value of the intrusion detection system at time t, $u_{Aj}(t)$ is the attack consumption value of the malicious user at time t, and $\alpha_{Attack}$ is the unit consumption value of a malicious user's attack.
In this embodiment, $\rho_A$ is the probability that the malicious user chooses to attack, with $0 \le \rho_A \le 1$; the probability that the attacker $P_A$ chooses not to attack is $1-\rho_A$. Likewise, $\rho_D$ is the probability that the intrusion detection system chooses to monitor, and the probability that the defender chooses not to monitor is $1-\rho_D$. The capability measure function is obtained by multiplying, for each state in the payoff matrix, the ratio of the defense capability measure to the attack capability measure of the corresponding malicious user by the probability of that state, and then summing the products.
As an embodiment, the defense optimization overall benefit model may include:
$$\max_{u_{Di}(t)}\left\{\int_{t_0}^{T} A\,e^{-r(t-t_0)}\,ds + S_{Di}(x(T))\,e^{-r(t-t_0)}\right\},$$
$$\max_{u_{Aj}(t)}\left\{\int_{t_0}^{T} B\,e^{-r(t-t_0)}\,ds + S_{Aj}(1-x(T))\,e^{-r(t-t_0)}\right\},$$
where $A = \rho_A\rho_D R_m + 2\rho_A\rho_D R_m\,x(t) + \zeta\,u_{Di}(t)^2$, $B = \rho_A R_j - 2\rho_A\rho_D R_m\,x(t) - \rho_A\alpha_{Attack}\,u_{Aj}(t)^2$, $\zeta = \rho_A\rho_D\alpha_{False} - \rho_D\alpha_{Monitor} - \rho_D\alpha_{False}$, $\rho_A$ is the probability that the malicious user chooses to attack, $\rho_D$ is the probability that the intrusion detection system chooses to monitor, $R_m$ is the security value parameter, $x(t)$ is the probability that the intrusion detection system discovers the malicious-user attacker at time t, $\alpha_{False}$ is the unit consumption value of an intrusion detection system false alarm, $\alpha_{Monitor}$ is the unit consumption value of intrusion detection system monitoring, $u_{Aj}(t)$ is the attack consumption value of the malicious user at time t, $u_{Di}(t)$ is the defense consumption value of the intrusion detection system at time t, and $\alpha_{Attack}$ is the unit consumption value of a malicious user's attack.
This embodiment constructs the defense optimization overall benefit model using dynamic non-cooperative game theory. The time t lies in the interval $t \in [t_0, T]$ and is continuous. $r$ is the discount rate of the game, and $S_{Di}$ and $S_{Aj}$ are the terminal payoffs of the defender and the attacker, respectively. The outcome of $P_D/P_A$ is to find the optimal strategies of the intrusion detection defender and the malicious-user attacker, bringing the defense optimization overall benefit model to a Nash equilibrium state, which maximizes the efficiency of intrusion detection.
As an embodiment, the process of obtaining the optimal consumption value that brings the defense optimization overall benefit model to a Nash equilibrium state may include:
Calculating the consumption parameters of the defense optimization overall benefit model in the Nash equilibrium state to obtain the optimal consumption value;
The optimal consumption value includes:
$$u_{Di}^*(t) = -\frac{(1-x(t))^{1/2}\,V_x^{Di}(t,x)\,e^{r(t-t_0)}}{2\zeta},$$
$$u_{Aj}^*(t) = -\frac{x^{1/2}\,V_x^{Aj}(t,x)\,e^{r(t-t_0)}}{2\rho_A\alpha_{Attack}},$$
where $\zeta = \rho_A\rho_D\alpha_{False} - \rho_D\alpha_{Monitor} - \rho_D\alpha_{False}$, $u_{Di}^*(t)$ is the optimal defense consumption value of the intrusion detection system at time t, $u_{Aj}^*(t)$ is the optimal attack consumption value of the malicious user at time t, $\rho_A$ is the probability that the malicious user chooses to attack, $\rho_D$ is the probability that the intrusion detection system chooses to monitor, $x(t)$ is the probability that the intrusion detection system discovers the malicious-user attacker at time t, $\alpha_{False}$ is the unit consumption value of an intrusion detection system false alarm, $\alpha_{Monitor}$ is the unit consumption value of intrusion detection system monitoring, $\alpha_{Attack}$ is the unit consumption value of a malicious user's attack, and $t_0$ is the initial running time of the intrusion detection system. $r$ is the discount rate of the intrusion detection system and can be determined from the ratio between the real-time defense capability measure of the intrusion detection system and its defense capability measure after initialization. $V_x^{Di}(t,x)$ and $V_x^{Aj}(t,x)$ are the first-order partial derivatives of $V^{Di}(t,x)$ and $V^{Aj}(t,x)$ with respect to x. $V^{Di}(t,x)$ is the defense value function of the intrusion detection system and can be determined from its real-time defense state; $V^{Aj}(t,x)$ is the attack value function of the intrusion detection system and can be determined from its real-time attack state.
As an embodiment, the process of calculating the consumption parameters of the defense optimization overall benefit model in the Nash equilibrium state may include:
The probability $x(t)$ that the intrusion detection system discovers the malicious-user attacker at time t is defined as the state and abbreviated as x, with t denoting time. Let $V^i(t,x)$ be the value function of the i-th game player over the time interval $[t_0, T]$. For the intrusion detection defender $P_i^D$, with $i \in \{1, 2, \ldots, m\}$, the value function can be written as:
$$V^{Di}(t,x) = \int_{t_0}^{T} A\,e^{-r(t-t_0)}\,dt \tag{1}$$
It follows that:
$$-V_t^{Di}(t,x) = \max_{u_{Di}}\left\{A\,e^{-r(t-t_0)} + V_x^{Di}(t,x)\,C_1\right\} \tag{2}$$
$$V_T^{Di}(T,x) = S_{Di}\,x\,e^{-r(T-t_0)}$$
where
$$C_1 = u_{Di}(t)\,[1-x]^{1/2} + \sum_{k=1,\,k\neq i}^{m} u_{Dk}^*(t)\,[1-x]^{1/2} - \sum_{j=1}^{n} u_{Aj}^*(t)\,x^{1/2}$$
and $V_t^{Di}(t,x)$ is the first-order partial derivative of $V^{Di}(t,x)$ with respect to t. Performing the maximization in equation (2) by taking the partial derivative with respect to $u_{Di}$ and setting it equal to 0 gives the following equation:
$$2\zeta\,u_{Di}(t)\,e^{-r(t-t_0)} + [1-x]^{1/2}\,V_x^{Di}(t,x) = 0 \tag{3}$$
where $\zeta = \rho_A\rho_D\alpha_{False} - \rho_D\alpha_{Monitor} - \rho_D\alpha_{False}$.
Solving the control problem (2) for the Nash equilibrium gives:
$$u_{Di}^*(t) = -\frac{[1-x]^{1/2}\,V_x^{Di}(t,x)\,e^{r(t-t_0)}}{2\zeta} \tag{4}$$
Similarly to the defender, for a malicious-user attacker $P_j^A$ in the cloud, where $j \in \{1, 2, \ldots, n\}$, the defense optimization overall benefit model satisfies the following conditions:
$$-V_t^{Aj}(t,x) = \max_{u_{Aj}}\left\{B\,e^{-r(t-t_0)} + V_x^{Aj}(t,x)\,C_2\right\} \tag{5}$$
$$V_T^{Aj}(T,x) = S_{Aj}\,(1-x)\,e^{-r(T-t_0)}$$
where
$$C_2 = \sum_{i=1}^{m} u_{Di}^*\,[1-x]^{1/2} - u_{Aj}\,x^{1/2} - \sum_{l=1,\,l\neq j}^{n} u_{Al}^*\,x^{1/2},$$
which gives:
$$u_{Aj}^*(t) = -\frac{x^{1/2}\,V_x^{Aj}(t,x)\,e^{r(t-t_0)}}{2\rho_A\alpha_{Attack}} \tag{6}$$
Substituting $u_{Di}^*(t)$ and $u_{Aj}^*(t)$ into equations (3) and (5) gives:
$$V^{Di}(t,x) = \left[\Phi_{Di}(t)\,x + \Psi_{Di}(t)\right]e^{-r(t-t_0)} \tag{7}$$
$$V^{Aj}(t,x) = \left[\Phi_{Aj}(t)\,(1-x) + \Psi_{Aj}(t)\right]e^{-r(t-t_0)} \tag{8}$$
where $i \in \{1, 2, \ldots, m\}$ and $j \in \{1, 2, \ldots, n\}$.
The auxiliary functions $\Phi_{Di}(t)$, $\Psi_{Di}(t)$, $\Phi_{Aj}(t)$ and $\Psi_{Aj}(t)$ are introduced to help solve the equations, and satisfy:
$$\frac{d\Phi_{Di}(t)}{dt} = r\,\Phi_{Di}(t) - 2\rho_A\rho_D R_m - \frac{\Phi_{Di}(t)^2}{4\zeta} - \sum_{k=1,\,k\neq i}^{m}\frac{\Phi_{Di}(t)\,\Phi_{Dk}(t)}{2\zeta} - \sum_{j=1}^{n}\frac{\Phi_{Di}(t)\,\Phi_{Aj}(t)}{2\rho_A\alpha_{Attack}} \tag{9}$$
Taking t = T gives the terminal condition
$$\Phi_{Di}(T) = S_{Di} \tag{10}$$
$$\frac{d\Psi_{Di}(t)}{dt} = r\,\Psi_{Di}(t) - \rho_A\rho_D R_m + \frac{\Phi_{Di}(t)^2}{4\zeta} + \sum_{k=1,\,k\neq i}^{m}\frac{\Phi_{Di}(t)\,\Phi_{Dk}(t)}{2\zeta} \tag{11}$$
Taking t = T gives the terminal condition
$$\Psi_{Di}(T) = 0 \tag{12}$$
$$\frac{d\Phi_{Aj}(t)}{dt} = r\,\Phi_{Aj}(t) - 2\rho_A\rho_D R_m + \frac{\Phi_{Aj}(t)^2}{4\rho_A\alpha_{Attack}} - \sum_{k=1,\,k\neq i}^{m}\frac{\Phi_{Di}(t)\,\Phi_{Aj}(t)}{2\zeta} + \sum_{l=1,\,l\neq j}^{n}\frac{\Phi_{Aj}(t)\,\Phi_{Al}(t)}{2\rho_A\alpha_{Attack}} \tag{13}$$
Taking t = T gives the terminal condition
$$\Phi_{Aj}(T) = S_{Aj} \tag{14}$$
$$\frac{d\Psi_{Aj}(t)}{dt} = r\,\Psi_{Aj}(t) - \rho_A R_j - \frac{\Phi_{Aj}(t)\,\Phi_{Di}(t)}{2\zeta} \tag{15}$$
Taking t = T gives the terminal condition
$$\Psi_{Aj}(T) = 0 \tag{16}$$
Then, taking the partial derivatives of $V^{Di}(t,x)$ and $V^{Aj}(t,x)$ from equations (7) and (8) and substituting them gives the consumption parameters in the Nash equilibrium state:
$$u_{Di}^*(t) = -\frac{(1-x)^{1/2}\,\Phi_{Di}(t)}{2\zeta},$$
$$u_{Aj}^*(t) = \frac{x^{1/2}\,\Phi_{Aj}(t)}{2\rho_A\alpha_{Attack}}.$$
In one embodiment, the following may also be included after the step of obtaining the optimal consumption value that brings the defense optimization overall benefit model to a Nash equilibrium state:
When the probability of detecting a malicious-user attack on the intrusion detection system is 0, setting the consumption parameter of the intrusion detection system to a first preset value.
In this embodiment, when the probability that the intrusion detection defender discovers the malicious-user attacker at time t is 0, that is, $x(t) = 0$, the intrusion detection defense system takes no defensive measure against malicious attacks, which threatens the security of the entire cloud environment. The consumption parameter of the intrusion detection system can then be set to the first preset value to set the defense intensity of the intrusion detection system. The first preset value can be configured according to the network environment of the corresponding intrusion detection system.
In one embodiment, the following may also be included after the step of obtaining the optimal consumption value that brings the defense optimization overall benefit model to a Nash equilibrium state:
When the probability of detecting a malicious-user attack on the intrusion detection system is 100%, setting the consumption parameter of the intrusion detection system to a second preset value.
In this embodiment, when the probability that the intrusion detection defender discovers the malicious-user attacker at time t is 1, that is, $x(t) = 1$, the instantaneous probability of detecting a malicious attack is 100%. Configuring the system according to the above method at this point may cause unnecessary resource consumption. The consumption parameter of the intrusion detection system can therefore be set to the second preset value to reduce the strength of the defense policy and save resources. The second preset value can be configured according to the network environment of the corresponding intrusion detection system; the second preset value and the first preset value may be the same or may be set to different values.
As an embodiment, the dynamics of the probability of detecting the malicious user can be expressed by the following equation:
$$\frac{dx(t)}{dt} = \sum_{i=1}^{m} u_{Di}(t)\,[1-x(t)]^{1/2} - \sum_{j=1}^{n} u_{Aj}(t)\,x(t)^{1/2}, \qquad x(0) = x_0$$
where $x(t)$ is the probability that the intrusion detection system discovers the malicious-user attacker at time t, $u_{Di}(t)$ is the defense consumption value of the intrusion detection system at time t, $u_{Aj}(t)$ is the attack consumption value of the malicious user at time t, and $x_0$ is the initial value.
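The following Python sketch is an added example, not code from the patent: it integrates equations (9) and (13) backward from the terminal conditions (10) and (14), then simulates the state equation forward under the equilibrium consumption values, applying the two preset values at x = 0 and x = 1. It assumes one defender and one attacker (m = n = 1), takes the defender sum in (13) as the single term for that defender, reads ζ as ρ_A ρ_D α_False − ρ_D α_Monitor − ρ_D α_False, and uses constructed parameter and preset values.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Params:                     # all values constructed for illustration
    rho_a: float = 0.6            # rho_A: probability the malicious user attacks
    rho_d: float = 0.7            # rho_D: probability the IDS monitors
    r_m: float = 10.0             # R_m: security value of the cloud resources
    a_attack: float = 2.0         # alpha_Attack
    a_monitor: float = 1.0        # alpha_Monitor
    a_false: float = 0.5          # alpha_False
    r: float = 0.05               # discount rate
    s_d: float = 5.0              # S_Di, terminal condition (10)
    s_a: float = 5.0              # S_Aj, terminal condition (14)
    t0: float = 0.0
    t_end: float = 10.0           # T
    x0: float = 0.3               # x(0)
    preset_zero: float = 3.0      # hypothetical first preset value (x = 0)
    preset_one: float = 0.1       # hypothetical second preset value (x = 1)


def zeta(p):
    """zeta = rho_A rho_D a_False - rho_D a_Monitor - rho_D a_False (negative)."""
    return p.rho_a * p.rho_d * p.a_false - p.rho_d * p.a_monitor - p.rho_d * p.a_false


def phi_rhs(phi_d, phi_a, p):
    """d(Phi_D)/dt and d(Phi_A)/dt from equations (9) and (13) with m = n = 1."""
    z, k = zeta(p), p.rho_a * p.a_attack
    base = 2.0 * p.rho_a * p.rho_d * p.r_m
    d_phi_d = p.r * phi_d - base - phi_d ** 2 / (4 * z) - phi_d * phi_a / (2 * k)
    d_phi_a = p.r * phi_a - base + phi_a ** 2 / (4 * k) - phi_d * phi_a / (2 * z)
    return d_phi_d, d_phi_a


def solve_phi(p, steps=2000):
    """Integrate (9)/(13) backward from t = T with classical RK4.

    Returns [(Phi_D, Phi_A)] on a uniform grid: index 0 is t0, index steps is T.
    """
    h = (p.t_end - p.t0) / steps
    y = (p.s_d, p.s_a)
    grid = [y]
    for _ in range(steps):
        k1 = phi_rhs(y[0], y[1], p)
        k2 = phi_rhs(y[0] - 0.5 * h * k1[0], y[1] - 0.5 * h * k1[1], p)
        k3 = phi_rhs(y[0] - 0.5 * h * k2[0], y[1] - 0.5 * h * k2[1], p)
        k4 = phi_rhs(y[0] - h * k3[0], y[1] - h * k3[1], p)
        y = tuple(y[i] - h * (k1[i] + 2 * k2[i] + 2 * k3[i] + k4[i]) / 6 for i in (0, 1))
        grid.append(y)
    grid.reverse()
    return grid


def defense_consumption(x, phi_d, p):
    """IDS consumption parameter: equilibrium u*_Di, or a preset at x = 0 or x = 1."""
    if x <= 0.0:
        return p.preset_zero
    if x >= 1.0:
        return p.preset_one
    return -math.sqrt(1.0 - x) * phi_d / (2.0 * zeta(p))


def attack_consumption(x, phi_a, p):
    """Equilibrium attacker consumption u*_Aj."""
    return math.sqrt(min(max(x, 0.0), 1.0)) * phi_a / (2.0 * p.rho_a * p.a_attack)


def simulate(p, steps=2000):
    """Forward Euler on dx/dt = u_D (1-x)^(1/2) - u_A x^(1/2) under feedback control.

    Returns rows (t, x, u_D, u_A); u_D is the value written to the IDS configuration.
    """
    grid = solve_phi(p, steps)
    h = (p.t_end - p.t0) / steps
    x, rows = p.x0, []
    for n, (phi_d, phi_a) in enumerate(grid):
        u_d = defense_consumption(x, phi_d, p)
        u_a = attack_consumption(x, phi_a, p)
        rows.append((p.t0 + n * h, x, u_d, u_a))
        dx = u_d * math.sqrt(max(1.0 - x, 0.0)) - u_a * math.sqrt(max(x, 0.0))
        x = min(max(x + h * dx, 0.0), 1.0)   # a probability stays in [0, 1]
    return rows


if __name__ == "__main__":
    for t, x, u_d, u_a in simulate(Params())[::400]:
        print(f"t={t:5.2f}  x={x:.3f}  u_D*={u_d:.3f}  u_A*={u_a:.3f}")
```

Because ζ is negative for non-negative unit consumption values, the equilibrium defense consumption is positive whenever Φ_D is positive; re-running `simulate` with freshly measured operating parameters corresponds to the reconfiguration step S40.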
Referring to Fig. 2, Fig. 2 is a schematic structural diagram of the intrusion detection system configuration device based on a cloud computing environment of one embodiment, which includes:
A first acquisition module 10, configured to obtain the current operating parameters of the intrusion detection system;
A building module 20, configured to build the defence optimization integral benefit model of the intrusion detection system according to the operating parameters; wherein the defence optimization integral benefit model is a model describing the real-time defence capability of the intrusion detection system;
A second acquisition module 30, configured to obtain the optimal consumption value that makes the defence optimization integral benefit model reach the Nash equilibrium state;
A configuration module 40, configured to configure the consumption parameter of the intrusion detection system according to the optimal consumption value.
In one embodiment, the above intrusion detection system configuration device based on a cloud computing environment may further include:
A setting module, configured to set the consumption parameter of the intrusion detection system to the first preset value when the detected probability of a malicious user attack on the intrusion detection system is 0.
The intrusion detection system configuration device based on a cloud computing environment provided by the present invention corresponds one-to-one with the intrusion detection system configuration method based on a cloud computing environment provided by the present invention. The technical features and beneficial effects set out in the embodiments of the configuration method are all applicable to the embodiments of the configuration device, which is hereby stated.
The technical features of the embodiments described above can be combined arbitrarily. To keep the description concise, not all possible combinations of the technical features in the above embodiments are described; however, as long as a combination of these technical features contains no contradiction, it should be considered to be within the scope recorded in this specification.
The embodiments described above express only several implementations of the present invention, and their description is relatively specific and detailed, but they should not therefore be construed as limiting the scope of the patent. It should be pointed out that a person of ordinary skill in the art can make several variations and improvements without departing from the inventive concept, and these all fall within the protection scope of the present invention. Therefore, the protection scope of this patent shall be subject to the appended claims.

Claims (10)

1. An intrusion detection system configuration method based on a cloud computing environment, characterized by comprising the following steps:
Obtaining the current operating parameters of the intrusion detection system;
Building the defence optimization integral benefit model of the intrusion detection system according to the operating parameters; wherein the defence optimization integral benefit model is a model describing the real-time defence capability of the intrusion detection system;
Obtaining the optimal consumption value that makes the defence optimization integral benefit model reach the Nash equilibrium state;
Configuring the consumption parameter of the intrusion detection system according to the optimal consumption value.
2. The intrusion detection system configuration method based on a cloud computing environment according to claim 1, characterized in that the operating parameters include the security value parameter, the unit consumption value of a malicious user attack, the unit consumption value of intrusion detection system monitoring, the unit consumption value of an intrusion detection system false alarm, the attack consumption value of the malicious user at the current time, the defence consumption value of the intrusion detection system at the current time, the probability that the malicious user selects attack, the probability that the intrusion detection system selects monitoring, and the probability that the intrusion detection defender finds the malicious attacker at the current time.
3. The intrusion detection system configuration method based on a cloud computing environment according to claim 2, characterized in that the process of building the defence optimization integral benefit model of the intrusion detection system according to the operating parameters includes:
Obtaining the payoff matrix of the intrusion detection system according to the operating parameters; wherein the payoff matrix includes, for each defence state, the ratio of the defence capability metric of the intrusion detection system to the attack capability metric of the corresponding malicious user;
Obtaining the ability measure function of the intrusion detection system according to the defence parameters in the payoff matrix and the operating parameters;
Building the defence optimization integral benefit model of the intrusion detection system according to the ability measure function.
4. The intrusion detection system configuration method based on a cloud computing environment according to claim 3, characterized in that the ability measure function includes:
gDi[]=ρAρDRm+2ρAρDRmx(t)+(ρAρDαFalseDαMonitorDαFalse)uDi(t)2,
$$g_{Aj}[\,] = \rho_A R_j - 2\rho_A\rho_D R_m x(t) - \rho_A\alpha_{Attack}\,u_{Aj}(t)^2,$$
In the formulas, $g_{Di}[\,]$ is the ability measure function of the intrusion detection system selecting monitoring, $g_{Aj}[\,]$ is the ability measure function of the intrusion detection system selecting attack, $\rho_A$ is the probability that the malicious user selects attack, $\rho_D$ is the probability that the intrusion detection system selects monitoring, $R_m$ is the security value parameter, $x(t)$ is the probability that the intrusion detection system finds the malicious attacker at time t, $\alpha_{False}$ is the unit consumption value of an intrusion detection system false alarm, $\alpha_{Monitor}$ is the unit consumption value of intrusion detection system monitoring, $u_{Di}(t)$ is the defence consumption value of the intrusion detection system at time t, $u_{Aj}(t)$ is the attack consumption value of the malicious user at time t, and $\alpha_{Attack}$ is the unit consumption value of a malicious user attack.
5. The intrusion detection system configuration method based on a cloud computing environment according to claim 3, characterized in that the defence optimization integral benefit model includes:
$$\max_{u_{Di}(t)}\left\{\int_{t_0}^{T} A\,e^{-r(t-t_0)}\,ds + S_{Di}(x(T))\,e^{-r(t-t_0)}\right\},$$
$$\max_{u_{Aj}(t)}\left\{\int_{t_0}^{T} B\,e^{-r(t-t_0)}\,ds + S_{Aj}(1-x(T))\,e^{-r(t-t_0)}\right\},$$
Wherein, $A=\rho_A\rho_D R_m+2\rho_A\rho_D R_m x(t)+\zeta u_{Di}(t)^2$, $B=\rho_A R_j-2\rho_A\rho_D R_m x(t)-\rho_A\alpha_{Attack}u_{Aj}(t)^2$, ζ=ρAρDαFalseDαMonitorDαFalse, $\rho_A$ is the probability that the malicious user selects attack, $\rho_D$ is the probability that the intrusion detection system selects monitoring, $R_m$ is the security value parameter, $x(t)$ is the probability that the intrusion detection system finds the malicious attacker at time t, $\alpha_{False}$ is the unit consumption value of an intrusion detection system false alarm, $\alpha_{Monitor}$ is the unit consumption value of intrusion detection system monitoring, $u_{Aj}(t)$ is the attack consumption value of the malicious user at time t, $u_{Di}(t)$ is the defence consumption value of the intrusion detection system at time t, and $\alpha_{Attack}$ is the unit consumption value of a malicious user attack.
6. The intrusion detection system configuration method based on a cloud computing environment according to claim 5, characterized in that the process of obtaining the optimal consumption value that makes the defence optimization integral benefit model reach the Nash equilibrium state includes:
Calculating the consumption parameter of the defence optimization integral benefit model when it reaches the Nash equilibrium state, to obtain the optimal consumption value;
The optimal consumption value includes:
$$u_{Di}^{*}(t) = -\frac{(1-x(t))^{1/2}\,V_x^{Di}(t,x)\,e^{r(t-t_0)}}{2\zeta},$$
$$u_{Aj}^{*}(t) = -\frac{x^{1/2}\,V_x^{Aj}(t,x)\,e^{r(t-t_0)}}{2\rho_A\alpha_{Attack}},$$
Wherein, ζ=ρAρDαFalseDαMonitorDαFalse, $u_{Di}^{*}(t)$ represents the optimal defence consumption value of the intrusion detection system at time t, $u_{Aj}^{*}(t)$ represents the optimal attack consumption value of the malicious user at time t, $\rho_A$ is the probability that the malicious user selects attack, $\rho_D$ is the probability that the intrusion detection system selects monitoring, $x(t)$ is the probability that the intrusion detection system finds the malicious attacker at time t, $\alpha_{False}$ is the unit consumption value of an intrusion detection system false alarm, $\alpha_{Monitor}$ is the unit consumption value of intrusion detection system monitoring, $\alpha_{Attack}$ is the unit consumption value of a malicious user attack, $t_0$ is the initial running time of the intrusion detection system, γ is the discount rate of the intrusion detection system, $V_x^{Di}(t,x)$ and $V_x^{Aj}(t,x)$ are respectively the first-order partial derivatives of $V^{Di}(t,x)$ and $V^{Aj}(t,x)$ with respect to x, $V^{Di}(t,x)$ is the defence cost function of the intrusion detection system, and $V^{Aj}(t,x)$ is the attack cost function of the intrusion detection system.
7. The intrusion detection system configuration method based on a cloud computing environment according to claim 1, characterized in that, after the step of obtaining the optimal consumption value that makes the defence optimization integral benefit model reach the Nash equilibrium state, the method further includes:
When the detected probability of a malicious user attack on the intrusion detection system is 0, setting the consumption parameter of the intrusion detection system to the first preset value.
8. The intrusion detection system configuration method based on a cloud computing environment according to claim 1, characterized in that, after the step of obtaining the optimal consumption value that makes the defence optimization integral benefit model reach the Nash equilibrium state, the method further includes:
When the detected probability of a malicious user attack on the intrusion detection system is 100%, setting the consumption parameter of the intrusion detection system to the second preset value.
9. An intrusion detection system configuration device based on a cloud computing environment, characterized by including:
A first acquisition module, configured to obtain the current operating parameters of the intrusion detection system;
A building module, configured to build the defence optimization integral benefit model of the intrusion detection system according to the operating parameters; wherein the defence optimization integral benefit model is a model describing the real-time defence capability of the intrusion detection system;
A second acquisition module, configured to obtain the optimal consumption value that makes the defence optimization integral benefit model reach the Nash equilibrium state;
A configuration module, configured to configure the consumption parameter of the intrusion detection system according to the optimal consumption value.
10. The intrusion detection system configuration device based on a cloud computing environment according to claim 9, characterized by further including:
A setting module, configured to set the consumption parameter of the intrusion detection system to the first preset value when the detected probability of a malicious user attack on the intrusion detection system is 0.
CN201610184164.3A 2016-03-25 2016-03-25 Intruding detection system configuration method and device based on cloud computing environment Active CN105871829B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610184164.3A CN105871829B (en) 2016-03-25 2016-03-25 Intruding detection system configuration method and device based on cloud computing environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610184164.3A CN105871829B (en) 2016-03-25 2016-03-25 Intruding detection system configuration method and device based on cloud computing environment

Publications (2)

Publication Number Publication Date
CN105871829A true CN105871829A (en) 2016-08-17
CN105871829B CN105871829B (en) 2019-04-16

Family

ID=56626225

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610184164.3A Active CN105871829B (en) 2016-03-25 2016-03-25 Intruding detection system configuration method and device based on cloud computing environment

Country Status (1)

Country Link
CN (1) CN105871829B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111027068A (en) * 2019-11-28 2020-04-17 辽宁大学 Android malicious software dynamic detection method based on hierarchical DoI-RNNs model
CN112291217A (en) * 2020-10-20 2021-01-29 西安工程大学 DIDS theoretical modeling method for detecting different engine processing capacities
CN113518090A (en) * 2021-07-20 2021-10-19 绍兴文理学院 Intrusion detection method and system for edge computing architecture Internet of things
CN116436919A (en) * 2023-06-13 2023-07-14 深圳市明源云科技有限公司 Cloud resource consumption optimization method and device, electronic equipment and readable storage medium

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101808020A (en) * 2010-04-19 2010-08-18 吉林大学 Intrusion response decision-making method based on incomplete information dynamic game

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
万建臣 等: ""MANETs中基于非合作零和博弈的入侵检测模型研究"", 《计算机应用与软件》 *
姜伟 等: ""基于攻防博弈模型的网络安全测评和最优主动防御"", 《计算机学报》 *
李奕男 等: ""基于博弈论的移动Ad hoc网络入侵检测模型"", 《电子与信息学报》 *
王一川 等: ""面向云环境内部DDoS攻击检测的博弈论优化"", 《计算机研究与发展》 *

Also Published As

Publication number Publication date
CN105871829B (en) 2019-04-16

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Inventor after: Zhao Guoxiang

Inventor after: Li Zhi

Inventor after: Liu Xiaoyin

Inventor after: Zhou Xianwei

Inventor after: Li Yao

Inventor after: Gao Zhiwei

Inventor after: Cheng Guangming

Inventor after: Zhu Nannan

Inventor after: Xie Lingqun

Inventor before: Zhao Guoxiang

Inventor before: Zhou Xianwei

Inventor before: Liu Xiaoyin

Inventor before: Li Yao

Inventor before: Gao Zhiwei

Inventor before: Cheng Guangming

Inventor before: Zhu Nannan

Inventor before: Xie Lingqun

COR Change of bibliographic data
GR01 Patent grant