Detailed description of the invention
The intrusion detection system configuration method and device based on a cloud computing environment according to the present invention are described in detail below with reference to the accompanying drawings.
Fig. 1 is a flow chart of the intrusion detection system configuration method based on a cloud computing environment according to one embodiment. Referring to Fig. 1, the method comprises the following steps:
S10: obtain the current operating parameters of the intrusion detection system.
Before the current operating parameters are obtained, the intrusion detection system may first be initialized so that the acquired operating parameters are more precise.
The current operating parameters of the intrusion detection system, also called real-time operating parameters, typically include:
R_m: the safe value parameter of the cloud computing resources in the intrusion detection system. Cloud computing resources mainly include CPU, bandwidth, and physical and virtual resources; during construction of the related model, the safe value of the cloud computing resources is used to calculate the related capability metrics of the defender and the attacker in the model.
α_Attack: the unit consumption value of a malicious user's attack. It represents the specific consumption of the attacker when attacking and is used to calculate the attacker's consumption in the game model. The unit consumption value may include the time consumed per unit of time, the resources consumed, and so on.
α_Monitor: the unit consumption value of monitoring by the intrusion detection system. It represents the unit monitoring consumption incurred in monitoring the attacker and is used in the consumption calculations of the game model.
α_False: the unit consumption value of a false alarm by the intrusion detection system, used to calculate the resources spent when the intrusion detection system raises a false alarm.
u_Aj(t): the attack consumption value of the malicious user at time t, an important parameter in establishing the differential-game capability measure function.
u_Di(t): the defence consumption value of the intrusion detection system at time t, an important parameter in establishing the differential-game capability measure function.
ρ_A: the probability that the malicious user chooses to attack.
ρ_D: the probability that the intrusion detection system chooses to monitor.
g_i[·]: the capability measure function of the attacker and the defender at time t.
x(t): the probability that the intrusion detection defender discovers the malicious user (attacker) at time t.
S_Di: the final capability value of the defender at time t.
S_Aj: the final capability value of the malicious attacker at time t.
S20: build the defence optimization integral benefit model of the intrusion detection system according to the operating parameters, where the defence optimization integral benefit model describes the real-time defence capability of the intrusion detection system.
In this step, the real-time operating parameters of the intrusion detection system are used to establish the related functions, and the defence optimization integral benefit model of the intrusion detection system is then built from those functions, so that the model describes the real-time defence capability of the intrusion detection system.
S30: obtain the optimal consumption values at which the defence optimization integral benefit model reaches the Nash equilibrium state.
A Nash equilibrium can be used to solve related dynamic strategies, such as the defence of an intrusion detection system whose dynamics change continuously. It provides a mathematical framework for modelling and analysing network security problems, and an effective method for risk assessment of the attack-defence process. Because the cloud computing environment is dynamic, many defence/attack behaviours or state variables cannot be separated in time; at the same time, the decision that was optimal at one moment may no longer be optimal at the next, and may even be the worst. The strategy maker therefore needs to formulate corresponding countermeasures in time according to environmental changes. In this case, a differential game that reaches the Nash equilibrium state is better suited to solving the configuration problem of an intrusion detection system in a cloud computing environment based on risk prediction.
S40: configure the consumption parameters of the intrusion detection system according to the optimal consumption values.
The optimal consumption values may include an optimal defence consumption value and an optimal attack consumption value. The defence consumption parameter of the intrusion detection system is configured according to the optimal defence consumption value, and the attack consumption parameter of the intrusion detection system according to the optimal attack consumption value, so that the configured intrusion detection system uses the fewest resources while protecting the system to the greatest extent.
The intrusion detection system configuration method based on a cloud computing environment provided by this embodiment obtains the current operating parameters of the intrusion detection system, builds from them a defence optimization integral benefit model that characterizes the real-time running state of the intrusion detection system, obtains the optimal consumption values at which the model reaches the Nash equilibrium state, and configures the consumption parameters of the intrusion detection system according to those optimal consumption values. The intrusion detection system can thus adjust its configuration according to its own operating parameters, which improves its security performance.
In one embodiment, the operating parameters may include the safe value parameter R_m, the unit consumption value α_Attack of the malicious user's attack, the unit consumption value α_Monitor of monitoring by the intrusion detection system, the unit consumption value α_False of a false alarm by the intrusion detection system, the attack consumption value of the malicious user at the current time, the defence consumption value of the intrusion detection system at the current time, the probability ρ_A that the malicious user chooses to attack, the probability ρ_D that the intrusion detection system chooses to monitor, and the probability that the intrusion detection defender discovers the malicious user attacker at the current time.
As an embodiment, building the defence optimization integral benefit model of the intrusion detection system according to the operating parameters may include:
obtaining the payoff matrix of the intrusion detection system according to the operating parameters, where the payoff matrix includes, for each defence attitude, the ratio of the defence capability metric of the intrusion detection system to the attack capability metric of the corresponding malicious user;
obtaining the capability measure function of the intrusion detection system according to the defence parameters in the payoff matrix and the operating parameters;
building the defence optimization integral benefit model of the intrusion detection system according to the capability measure function.
The above process of obtaining the payoff matrix of the intrusion detection system according to the operating parameters may include:
obtaining the prospective capability parameters according to the operating parameters. The prospective capability parameter of detection by the defender P_D is $x(t)R_m - [1 - x(t)]R_m = [2x(t) - 1]R_m$, and the prospective capability parameter of the attacker P_A is $[1 - 2x(t)]R_m$;
setting the initial attack consumption parameter $\alpha_{Attack}\, u_{Aj}(t)^2$ and the initial detection consumption parameter $\alpha_{Monitor}\, u_{Di}(t)^2$, where α_Attack and α_Monitor are non-negative parameters, x(t) is the probability that the intrusion detection system discovers the malicious user attacker at time t, α_False is the unit consumption value of a false alarm by the intrusion detection system, α_Monitor is the unit consumption value of monitoring by the intrusion detection system, u_Di(t) is the defence consumption value of the intrusion detection system at time t, u_Aj(t) is the attack consumption value of the malicious user at time t, α_Attack is the unit consumption value of the malicious user's attack, and R_m is the safe value parameter;
establishing the payoff matrix shown in Table 1 according to the prospective capability parameters, the initial attack consumption parameter and the initial detection consumption parameter.
Table 1 payoff matrix
Table 1 contains, for each combination of the intrusion detection system's states of being attacked or not attacked and of monitoring or not monitoring, the ratio of the defence capability metric to the attack capability metric of the corresponding malicious user. Its entries can also be expressed as the difference between the prospective capability parameter under the corresponding state and the consumption parameter of carrying out the attack or the detection.
As an embodiment, the capability measure functions may include:
$g_{Di}[\cdot] = \rho_A \rho_D R_m + 2\rho_A \rho_D R_m x(t) + (\rho_A \rho_D \alpha_{False} - \rho_D \alpha_{Monitor} - \rho_D \alpha_{False})\, u_{Di}(t)^2$,
$g_{Aj}[\cdot] = \rho_A R_j - 2\rho_A \rho_D R_m x(t) - \rho_A \alpha_{Attack}\, u_{Aj}(t)^2$,
where g_Di[·] is the capability measure function when the intrusion detection system chooses to monitor, g_Aj[·] is the capability measure function when the attacker chooses to attack, ρ_A is the probability that the malicious user chooses to attack, ρ_D is the probability that the intrusion detection system chooses to monitor, R_m is the safe value parameter, x(t) is the probability that the intrusion detection system discovers the malicious user attacker at time t, α_False is the unit consumption value of a false alarm by the intrusion detection system, α_Monitor is the unit consumption value of monitoring by the intrusion detection system, u_Di(t) is the defence consumption value of the intrusion detection system at time t, u_Aj(t) is the attack consumption value of the malicious user at time t, and α_Attack is the unit consumption value of the malicious user's attack.
In this embodiment, ρ_A is the probability that the malicious user chooses to attack, 0 ≤ ρ_A ≤ 1, so the probability that the attacker P_A chooses not to attack is 1 − ρ_A. Likewise, ρ_D is the probability that the intrusion detection system chooses to monitor, and the probability that the defender chooses not to monitor is 1 − ρ_D. The capability measure function is obtained by multiplying, for each state in the payoff matrix, the ratio of the defence capability metric to the attack capability metric of the corresponding malicious user by the probability of that state, and then summing over the states.
As an embodiment, the defence optimization integral benefit model may include:
where $A = \rho_A \rho_D R_m + 2\rho_A \rho_D R_m x(t) + \zeta\, u_{Di}(t)^2$, $B = \rho_A R_j - 2\rho_A \rho_D R_m x(t) - \rho_A \alpha_{Attack}\, u_{Aj}(t)^2$, $\zeta = \rho_A \rho_D \alpha_{False} - \rho_D \alpha_{Monitor} - \rho_D \alpha_{False}$, ρ_A is the probability that the malicious user chooses to attack, ρ_D is the probability that the intrusion detection system chooses to monitor, R_m is the safe value parameter, x(t) is the probability that the intrusion detection system discovers the malicious user attacker at time t, α_False is the unit consumption value of a false alarm by the intrusion detection system, α_Monitor is the unit consumption value of monitoring by the intrusion detection system, u_Aj(t) is the attack consumption value of the malicious user at time t, u_Di(t) is the defence consumption value of the intrusion detection system at time t, and α_Attack is the unit consumption value of the malicious user's attack.
In this embodiment, the defence optimization integral benefit model is constructed using dynamic non-cooperative game theory. The time interval is t ∈ [t0, T], and time t is continuous. γ is the discount rate of the game, and S_Di and S_Aj are the terminal payoffs of the defender and of the attacker. The result of the game between P_D and P_A is to find the optimal strategies of the intrusion detection defender and the malicious user attacker, so that the defence optimization integral benefit model reaches the Nash equilibrium state and the efficiency of intrusion detection is improved to the greatest extent.
As an embodiment, obtaining the optimal consumption values at which the defence optimization integral benefit model reaches the Nash equilibrium state may include:
calculating the consumption parameters of the defence optimization integral benefit model at the Nash equilibrium state, to obtain the optimal consumption values;
the optimal consumption values include:
where $\zeta = \rho_A \rho_D \alpha_{False} - \rho_D \alpha_{Monitor} - \rho_D \alpha_{False}$, the two optimal values denote respectively the optimal defence consumption value of the intrusion detection system at time t and the optimal attack consumption value of the malicious user at time t, ρ_A is the probability that the malicious user chooses to attack, ρ_D is the probability that the intrusion detection system chooses to monitor, x(t) is the probability that the intrusion detection system discovers the malicious user attacker at time t, α_False is the unit consumption value of a false alarm by the intrusion detection system, α_Monitor is the unit consumption value of monitoring by the intrusion detection system, α_Attack is the unit consumption value of the malicious user's attack, t0 is the initial running time of the intrusion detection system, and γ is the discount rate of the intrusion detection system, which can be determined from the ratio between the real-time defence capability metric of the intrusion detection system and its defence capability metric after initialization. The remaining two terms are the first-order partial derivatives of V_Di(t, x) and V_Aj(t, x) with respect to x; the defence cost function of the intrusion detection system can be determined from the real-time defence state of the intrusion detection system, and the attack cost function of the intrusion detection system can be determined from the real-time attack state of the intrusion detection system.
As an embodiment, calculating the consumption parameters of the defence optimization integral benefit model at the Nash equilibrium state may include:
At time t, the probability x(t) that the intrusion detection system discovers the malicious user attacker is defined as the state and abbreviated x; t denotes time. Let V_i(t, x) be the cost function of game player i over the time interval [t0, T].
For the intrusion detection defender P_i^D, where i ∈ {1, 2, ..., m}, the cost function can be written as:
Therefore we obtain:
where
is the first-order partial derivative of V_Di(t, x) with respect to t. Maximizing formula (2), taking the partial derivative with respect to u_Di and setting it equal to 0, we obtain the following equation:
where $\zeta = \rho_A \rho_D \alpha_{False} - \rho_D \alpha_{Monitor} - \rho_D \alpha_{False}$.
Computing the Nash equilibrium of the control problem (2) gives the following result:
Similarly to the defender, for the malicious user attacker of the cloud, where j ∈ {1, 2, ..., n}, the defence optimization integral benefit model satisfies the following condition:
where
Calculation gives:
Substituting these into formula (3) and formula (5), we obtain:
where i ∈ {1, 2, ..., m}, j ∈ {1, 2, ..., n}.
Auxiliary parameters Φ_Di(t), Ψ_Di(t), Φ_Aj(t) and Ψ_Aj(t) are introduced to help solve the equations, such that:
Taking t = T gives the boundary condition $\Phi_{Di}(T) = S_{Di}$ (10)
Taking t = T gives the boundary condition $\Psi_{Di}(T) = 0$ (12)
Taking t = T gives the boundary condition $\Phi_{Aj}(T) = S_{Aj}$ (14)
Taking t = T gives the boundary condition $\Psi_{Aj}(T) = 0$ (16)
Substituting V_Di(t, x), V_Aj(t, x) and their partial derivatives with respect to x into formula (7) and formula (8) gives the consumption parameters at the Nash equilibrium state:
In one embodiment, after the step of obtaining the optimal consumption values at which the defence optimization integral benefit model reaches the Nash equilibrium state, the method may further include:
when the probability that the intrusion detection system detects an attack by the malicious user is 0, setting the consumption parameter of the intrusion detection system to a first preset value.
In this embodiment, when the probability that the intrusion detection defender discovers the malicious user attacker at time t is 0, i.e. x(t) = 0, the intrusion detection protection system takes no defensive measures against the malicious attack, which threatens the security of the whole cloud environment. The consumption parameter of the intrusion detection system can then be set to the first preset value to raise the defence intensity of the intrusion detection system. The first preset value can be configured according to the network environment of the corresponding intrusion detection system.
In one embodiment, after the step of obtaining the optimal consumption values at which the defence optimization integral benefit model reaches the Nash equilibrium state, the method may further include:
when the probability that the intrusion detection system detects an attack by the malicious user is 100%, setting the consumption parameter of the intrusion detection system to a second preset value.
In this embodiment, when the probability that the intrusion detection defender discovers the malicious user attacker at time t is 1, i.e. x(t) = 1, the instantaneous probability of detecting a malicious attack is 100%; configuring the system according to the above configuration method at that point may cause a great deal of unnecessary resource consumption. The consumption parameter of the intrusion detection system can therefore be set to the second preset value to reduce the strength of the defence strategy and save resources. The second preset value can be configured according to the network environment of the corresponding intrusion detection system; the second preset value and the first preset value may be identical or may be set to different values.
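As an added illustration that is not part of the patent text, the following Python code evaluates the quantities the embodiments above define from constructed operating parameters: the prospective capability parameters, ζ, the capability measure functions g_Di and g_Aj, and the two preset-value rules applied at x(t) = 0 and x(t) = 1 after step S40. The class and function names, the sample parameter values and the preset values are this example's own assumptions; R_j is kept as a separate symbol exactly as it appears in g_Aj.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RunParams:
    """Real-time operating parameters of the IDS (field names are this example's own)."""
    R_m: float        # safe value parameter of the cloud computing resources
    R_j: float        # resource value written R_j in g_Aj on the page, kept distinct from R_m
    a_attack: float   # alpha_Attack: unit consumption of a malicious user's attack
    a_monitor: float  # alpha_Monitor: unit consumption of IDS monitoring
    a_false: float    # alpha_False: unit consumption of an IDS false alarm
    rho_A: float      # probability that the malicious user chooses to attack
    rho_D: float      # probability that the IDS chooses to monitor

    def __post_init__(self):
        # The page states 0 <= rho_A <= 1 and non-negative unit consumption values.
        for name in ("rho_A", "rho_D"):
            if not 0.0 <= getattr(self, name) <= 1.0:
                raise ValueError(f"{name} must be a probability in [0, 1]")
        if min(self.a_attack, self.a_monitor, self.a_false) < 0.0:
            raise ValueError("unit consumption values must be non-negative")


def prospective_ability(x, R_m):
    """Prospective capability at detection probability x:
    defender x*R_m - (1-x)*R_m = (2x-1)*R_m, attacker (1-2x)*R_m."""
    return (2 * x - 1) * R_m, (1 - 2 * x) * R_m


def zeta(p):
    """zeta = rho_A*rho_D*alpha_False - rho_D*alpha_Monitor - rho_D*alpha_False."""
    return p.rho_A * p.rho_D * p.a_false - p.rho_D * p.a_monitor - p.rho_D * p.a_false


def g_defender(p, x, u_D):
    """g_Di: capability measure when the IDS monitors with defence consumption u_D."""
    return p.rho_A * p.rho_D * p.R_m + 2 * p.rho_A * p.rho_D * p.R_m * x + zeta(p) * u_D ** 2


def g_attacker(p, x, u_A):
    """g_Aj: capability measure when the malicious user attacks with consumption u_A."""
    return p.rho_A * p.R_j - 2 * p.rho_A * p.rho_D * p.R_m * x - p.rho_A * p.a_attack * u_A ** 2


def configure_defence_consumption(x, optimal_u_D, first_preset, second_preset):
    """Step S40 with the two preset rules: x == 0 (nothing is detected) -> first preset,
    x == 1 (detection is certain, more defence is wasted) -> second preset, else the optimum."""
    if not 0.0 <= x <= 1.0:
        raise ValueError("x(t) must be a probability in [0, 1]")
    if x == 0.0:
        return first_preset
    if x == 1.0:
        return second_preset
    return optimal_u_D


if __name__ == "__main__":
    # Constructed sample values, not taken from the patent.
    p = RunParams(R_m=10.0, R_j=10.0, a_attack=1.0, a_monitor=2.0, a_false=0.5,
                  rho_A=0.5, rho_D=0.8)
    print(prospective_ability(0.5, p.R_m))      # (0.0, 0.0): neither side has an edge at x = 0.5
    print(round(zeta(p), 6))                     # -1.8: extra defence consumption lowers g_Di
    print(round(g_defender(p, 0.5, 2.0), 6))     # 0.8
    print(round(g_attacker(p, 0.5, 3.0), 6))     # -3.5
    print(configure_defence_consumption(0.0, 2.0, first_preset=5.0, second_preset=0.5))  # 5.0
```

With these sample values ζ is negative, so g_Di is a downward-opening parabola in u_Di; the sign of ζ therefore decides whether the first-order condition of formula (2) yields a maximum.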
As an embodiment, the probability of detecting the malicious user can be expressed dynamically by the following equation:
where x(t) is the probability that the intrusion detection system discovers the malicious user attacker at time t, u_Di(t) is the defence consumption value of the intrusion detection system at time t, u_Aj(t) is the attack consumption value of the malicious user at time t, and x0 is the initial value.
Fig. 2 is a schematic structural diagram of the intrusion detection system configuration device based on a cloud computing environment according to one embodiment. Referring to Fig. 2, the device includes:
a first acquisition module 10, for obtaining the current operating parameters of the intrusion detection system;
a building module 20, for building the defence optimization integral benefit model of the intrusion detection system according to the operating parameters, where the defence optimization integral benefit model describes the real-time defence capability of the intrusion detection system;
a second acquisition module 30, for obtaining the optimal consumption values at which the defence optimization integral benefit model reaches the Nash equilibrium state;
a configuration module 40, for configuring the consumption parameters of the intrusion detection system according to the optimal consumption values.
In one embodiment, the intrusion detection system configuration device based on a cloud computing environment may further include:
a setting module, for setting the consumption parameter of the intrusion detection system to the first preset value when the probability that the intrusion detection system detects an attack by the malicious user is 0.
The intrusion detection system configuration device based on a cloud computing environment provided by the present invention corresponds one-to-one with the intrusion detection system configuration method based on a cloud computing environment provided by the present invention. The technical features and beneficial effects described in the embodiments of the configuration method all apply to the embodiments of the configuration device, which is hereby stated.
The technical features of the above embodiments may be combined arbitrarily. For brevity of description, not all possible combinations of the technical features of the above embodiments are described; however, as long as there is no contradiction in the combination of these technical features, the combination is considered to be within the scope recorded in this specification.
The above embodiments express only several embodiments of the present invention, and their description is relatively specific and detailed, but they should not therefore be construed as limiting the scope of the patent. It should be pointed out that those of ordinary skill in the art may make several variations and improvements without departing from the concept of the invention, and these all fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be determined by the appended claims.