CN108055270B - Network security cooperative defense method - Google Patents

Info

Publication number: CN108055270B
Application number: CN201711392083.3A
Authority: CN (China)
Prior art keywords: security, agent, security domain, service center, network
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN108055270A
Inventors: 李千目, 王可, 李建妹, 于鹏程, 侯君
Current assignee: Individual
Original assignee: Individual
Events: application filed by Individual; priority to CN201711392083.3A; publication of CN108055270A; application granted; publication of CN108055270B

Classifications

    • H ELECTRICITY / H04 ELECTRIC COMMUNICATION TECHNIQUE / H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/02 ... for separating internal from external traffic, e.g. firewalls
            • H04L 63/14 ... for detecting or protecting against malicious traffic
                • H04L 63/1408 ... by monitoring network traffic
                    • H04L 63/1425 Traffic logging, e.g. anomaly detection
                • H04L 63/1441 Countermeasures against malicious traffic
                    • H04L 63/1483 Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
        • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
            • H04L 41/14 Network analysis or design
                • H04L 41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
        • H04L 67/00 Network arrangements or protocols for supporting network services or applications
            • H04L 67/50 Network services
                • H04L 67/56 Provisioning of proxy services

Abstract

The invention discloses a network security cooperative defense method comprising the following steps: establishing a service-oriented cooperative defense model consisting of security nodes, security domain agents and a service center; deploying a plurality of security nodes in each security domain, where each security node monitors network traffic for anomalies through different security defense systems, coordinates those systems, and reports what it observes to the agent of its security domain; the security domain agent processes and forwards information within its whole security domain and answers to the service center; and the service center directs each security domain agent in managing the security nodes of its domain, thereby coordinating the operation of the whole security system and achieving overall network security cooperative defense. Because every security defense system uses a uniform transmission format, the security of the system is increased and a cooperative defense effect is achieved; through cooperation among the security domain agents, network security cooperative defense is realized and illegal intrusion is resisted efficiently.

Description

Network security cooperative defense method
Technical Field
The invention relates to the technical field of network security, in particular to a network security collaborative defense method.
Background
Since the 20th century the internet has developed vigorously, and people's daily work and life have become inseparable from network applications and software. The accompanying network security problems, however, keep emerging. Critical infrastructure such as server systems and industrial-grade interconnected applications faces growing security threats, and network security incidents occur frequently.
Network attack and defense techniques keep evolving, and traditional defenses such as firewalls, intrusion detection systems, security audit systems and log analysis systems have been refined and have matured. These traditional defenses, however, are each designed for a particular kind of attack and cannot work together on a unified platform; even when deployed at the same time they merely stack their functions and do not achieve the defense effect they should. When the traditional defenses operate simultaneously, the overall security of the system is not the sum of their contributions: the whole is governed by its weakest link, and the security of the system is reduced.
Disclosure of Invention
The invention aims to provide a network security cooperative defense method capable of efficiently defending against illegal intrusion.
The technical solution that achieves this purpose is as follows. A network security cooperative defense method comprises the following steps:
step 1, establishing a service-oriented cooperative defense model consisting of security nodes, security domain agents and a service center;
step 2, deploying a plurality of security nodes in a security domain, each security node monitoring network traffic for anomalies through different security defense systems, coordinating those systems, and reporting what it observes to the agent of its security domain;
step 3, the security domain agent processing and forwarding information within the whole security domain, the security domain agent answering to the service center;
step 4, the service center directing each security domain agent in managing the security nodes of its domain, so that the operation of the whole security system is coordinated and overall network security cooperative defense is realized.
Further, the security defense systems of step 2 comprise an intrusion detection system, a firewall system and a network camouflage system.
Further, the security nodes of step 2 are deployed in every corner of the network, that is, a security node is deployed at any network entrance or exit to monitor network traffic for anomalies, and the security node reports what it observes to the agent of its security domain.
Further, in step 3 the security domain agent processes and forwards messages within the whole security domain and answers to the service center, specifically as follows:
1) the security domain agent tracks the operating status of every security node in its security domain;
2) the security domain agent acts as the data relay center for the security nodes and applies uniform encryption and authentication to data communication between them;
3) the security domain agent communicates with other security domain agents. Communication between agents is peer-to-peer, and each agent can act as client or server: when acting as a server, an agent opens one fixed port to the outside for communication with other agents; agents exchange messages at fixed time intervals, and the port is closed if no message has been received once the interval is exceeded. The security domain agent also communicates with the service center, receives its instructions, executes them and distributes them to each security node.
Further, in step 4 the service center directs each security domain agent in managing the security nodes of its domain, so as to coordinate the operation of the whole security system and realize overall network security cooperative defense, specifically as follows:
1) when security domain agents communicate with one another, the service center provides the communication encryption key and selects the encryption and authentication algorithm;
2) the service center tracks the real-time state of every security domain agent, so that the operation of the whole security system is coordinated;
3) the service center directs each security domain agent in managing the security nodes of its domain. A local area network can have only one primary service center; a larger local area network that contains it has a higher-level service center, which is responsible for managing communication between the security domain agents (each with its primary service center) across the local area networks. Horizontally, the primary service centers of all local area networks in the whole security center are interconnected and communicate with one another; vertically, the higher-level service center manages all security domain agents in the local area networks.
Compared with the prior art, the invention has the following notable advantages: (1) it establishes a service-oriented cooperative defense strategy model that efficiently combines three security defense systems, intrusion detection, firewall and network camouflage, to defend against illegal intrusion; (2) within a security domain, the communication of every security node is managed uniformly by the security domain agent, communication is carried over XML, and every security defense system uses the same transmission format, so the security of the system is increased and a cooperative defense effect is achieved; cooperation among the security domain agents then realizes network security cooperative defense and resists illegal intrusion efficiently; (3) the cooperative defense model is not limited to these three security defense systems; it is dynamic and extensible and can be expanded according to specific requirements; each system can complete its own defense work independently and can also cooperate with the other security systems to complete the defense work jointly, achieving a comprehensive, multi-dimensional overall defense effect.
Drawings
Fig. 1 is a schematic view of a service-oriented collaborative defense model of the network security collaborative defense method of the present invention.
Fig. 2 is a schematic structural model diagram of a security domain agent of the network security collaborative defense method of the present invention.
Fig. 3 is a schematic view of a behavior model of a security domain agent of the network security collaborative defense method of the present invention.
Detailed Description
The invention relates to a network security cooperative defense method that establishes a service-oriented cooperative defense model combining three security defense systems: an intrusion detection system, a firewall system and a network camouflage system. The model is composed of three kinds of component: security nodes, security domain agents and a service center. The model is divided into a plurality of security domains. Each security domain contains a plurality of security nodes; each security node monitors network traffic for anomalies through the three security defense systems and reports what it observes to the agent of its security domain. Each security domain has exactly one security domain agent, which is responsible for processing and forwarding messages within the whole security domain and answers to the service center. The service center directs each security domain agent in managing the security nodes of its domain, so that the operation of the whole security system is coordinated. Within a security domain, the communication of every security node is managed uniformly by the security domain agent, communication is carried over XML, and every security defense system uses the same transmission format, so the security of the system is increased and a cooperative defense effect is achieved; cooperation among the security domain agents then realizes network security cooperative defense and resists illegal intrusion efficiently.
The network security cooperative defense method disclosed by the invention comprises the following steps:
step 1, establishing a service-oriented cooperative defense model composed of security nodes, security domain agents and a service center;
step 2, deploying a plurality of security nodes in the security domain, each security node monitoring network traffic for anomalies through different security defense systems, coordinating those systems, and reporting what it observes to the agent of its security domain;
step 3, the security domain agent processing and forwarding messages within the whole security domain and answering to the service center;
step 4, the service center directing each security domain agent in managing the security nodes of its domain, so that the operation of the whole security system is coordinated and overall network security cooperative defense is realized.
Further, the security defense systems of step 2 comprise an intrusion detection system, a firewall system and a network camouflage system. The three systems cooperate with one another to detect network anomalies.
Further, the security nodes of step 2 may be deployed in every corner of the network: a security node is deployed at any network entrance or exit to monitor network traffic for anomalies and to report what it observes to the agent of its security domain.
Further, the security domain agent of step 3: tracks the operating status of every security node in its security domain; acts as the data relay center for the security nodes and applies uniform encryption and authentication to data communication between them; communicates with other security domain agents, this communication being peer-to-peer with each agent able to act as client or server, an agent acting as server opening one fixed port for communication with other agents, which is easy to manage and prevents attacks on multiple ports; all agents exchange messages at fixed time intervals, and the port is closed if no message has been received once the interval is exceeded; and communicates with the service center, receives its instructions, executes them and distributes them to each security node.
Further, the service center of step 4: provides the communication encryption key and selects the encryption and authentication algorithm when security domain agents communicate with one another; tracks the real-time state of every security domain agent so as to coordinate the operation of the whole security system; and directs each security domain agent in managing the security nodes of its domain. A given LAN may have only one service center, and a larger LAN containing it should also have one service center, which is responsible for managing communication between the agents of the contained LANs' service centers. This arrangement gives the whole security center a clear hierarchy: horizontally, the service centers of the LANs communicate with one another; vertically, each service center manages the security domain agents in its LAN.
In the network security cooperative defense method, within a security domain the communication of every security node is managed uniformly by the security domain agent, communication is carried over XML, and the security defense systems use a unified transmission format, so the security of the systems is improved and a cooperative defense effect is achieved; network security cooperative defense is then achieved through cooperation among the security domain agents, and illegal intrusion is resisted efficiently.
The technical scheme of the invention is explained in further detail below with reference to the drawings and a specific embodiment:
Example 1
As shown in Fig. 1, the service-oriented cooperative defense model is composed of security nodes, a security domain agent and a service center. A security node is a key position through which data flow passes, such as a routing entrance, a firewall entrance or a host entrance; each security domain has exactly one security domain agent; the service center stores the various security policies, including application security, data encryption, authentication and authorization, access control, audit trail, and virus prevention and removal.
Security node: monitors network traffic for anomalies through different security defense systems, coordinates those systems, and reports what it observes to the agent of its security domain.
Security domain agent: responsible for processing and forwarding messages within the whole security domain; the security domain agent answers to the service center.
Service center: directs each security domain agent in managing the security nodes of its domain, thereby coordinating the operation of the whole security system and realizing overall network security cooperative defense.
The security nodes of a security domain can communicate only with the agent of that domain, which has two aspects: communication among the nodes within a security domain relies on the domain's agent, and communication between different security domains is carried out through each domain's agent. Each security node communicates with its agent through interface functions provided by the service center; when a security node starts monitoring it informs the agent of its domain, and the agent informs the upper-level service center, so that the service center and the agent both know the state of every security domain. To keep communication among security nodes, agents and the service center smooth, efficient and secure communication is realized over XML.
The structure of the cooperative defense model shows that the security domain agents are the hub of the whole model, so the cooperative strategy of the model is embodied mainly in the coordination inside each security domain agent and among the security domain agents. A security domain agent can receive and send data, can interact with other agents under certain conditions, can coordinate the cooperative work of the security nodes in its domain under certain conditions, and can self-learn to adapt to a new system environment when the environment changes. The cooperative strategy model of the security domain agent is divided into two levels: structure and behavior.
As the hub of the whole security model, the security domain agent's main functions are to exchange information with the outside (both intra-domain and inter-domain), to analyze and process the information obtained, and to feed the result back to the nodes in its domain or to agents in other domains. The structure and behavior of a security domain agent are complementary: the structure supports the implementation of the agent's behavior, and the behavior in turn determines the structure of the agent.
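As an added illustration (not code from the patent), the following Python models the message path described in step 3, step 4 and the paragraph above: the service center issues each domain a communication key and selects the authentication algorithm; the domain agent authenticates every XML message from its nodes, refuses messages from nodes that are not in its domain (nodes may talk only to their own agent), treats its fixed inter-agent port as closed once a peer has not sent a message within the fixed interval, and relays alerts to open peers and upward to the service center. The class and function names, the choice of HMAC-SHA256 as the "encryption authentication", and the sample message are this example's own assumptions.

```python
"""Added example, not code from the patent: a model of the
security node -> security domain agent -> peer agent / service center
message path. Class and function names, the HMAC-SHA256 choice and the
sample message are this example's own assumptions."""
import hmac
import secrets
import xml.etree.ElementTree as ET


class ServiceCenter:
    """Issues each domain its communication key and selects the
    authentication algorithm (step 4, item 1)."""

    def __init__(self, algorithm="sha256"):
        self.algorithm = algorithm
        self.keys = {}

    def issue_key(self, domain):
        self.keys[domain] = secrets.token_bytes(32)
        return self.keys[domain]


def build_message(domain, node, kind, payload):
    """Uniform XML transport shared by IDS, firewall and camouflage nodes."""
    root = ET.Element("msg", domain=domain, node=node, kind=kind)
    ET.SubElement(root, "payload").text = payload
    return ET.tostring(root)


def sign(key, algorithm, body):
    """Authentication tag over the serialised message (HMAC stands in for the
    patent's unspecified 'encryption authentication')."""
    return hmac.new(key, body, algorithm).hexdigest()


class DomainAgent:
    """Exactly one per security domain; the only party its nodes talk to."""

    def __init__(self, domain, center, heartbeat_interval=30.0):
        self.domain = domain
        self.center = center
        self.key = center.issue_key(domain)
        self.heartbeat_interval = heartbeat_interval   # fixed inter-agent interval
        self.nodes = set()
        self.peer_last_seen = {}   # peer domain -> time of its last message

    def register_node(self, node):
        self.nodes.add(node)

    def accept(self, body, tag):
        """Verify a node message; returns its fields, or None when rejected."""
        expected = sign(self.key, self.center.algorithm, body)
        if not hmac.compare_digest(expected, tag):
            return None   # tag does not verify: forged or tampered
        root = ET.fromstring(body)
        if root.get("domain") != self.domain or root.get("node") not in self.nodes:
            return None   # a node may only talk to its own domain's agent
        return {"node": root.get("node"), "kind": root.get("kind"),
                "payload": root.findtext("payload")}

    def heartbeat(self, peer, now):
        """Record a timed message from a peer agent on the fixed port."""
        self.peer_last_seen[peer] = now

    def peer_port_open(self, peer, now):
        """The port to a peer counts as closed once the interval is exceeded."""
        last = self.peer_last_seen.get(peer)
        return last is not None and now - last <= self.heartbeat_interval

    def route(self, message, now):
        """Everything is reported upward; alerts are also relayed to every
        peer agent whose port is still open (inter-domain cooperation)."""
        targets = ["service-center"]
        if message["kind"] == "alert":
            targets += [p for p in self.peer_last_seen if self.peer_port_open(p, now)]
        return targets


if __name__ == "__main__":
    center = ServiceCenter()
    agent = DomainAgent("domain-A", center)
    agent.register_node("ids-1")
    # Constructed sample: the IDS node reports a traffic anomaly to its agent.
    body = build_message("domain-A", "ids-1", "alert", "traffic anomaly on ingress")
    msg = agent.accept(body, sign(agent.key, center.algorithm, body))
    agent.heartbeat("domain-B", 0.0)
    print(msg, agent.route(msg, 10.0))
```

The tag check runs before the XML is parsed, so an unauthenticated sender never reaches the parser; a real deployment would additionally encrypt the body and carry a timestamp or nonce so that a captured message cannot be replayed within the heartbeat window.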
The features of the security domain agent can be summarized as follows:
(1) Reactivity: a security domain agent can respond to external data streams or to information sent by neighboring security domain agents, realizing cooperative work within and between security domains.
(2) Independence: each security domain agent can operate on its own; when the service center fails and cannot direct the agents, an agent can continue to operate normally for a certain time on the basis of its local knowledge base.
(3) Stability: every behavior of a security domain agent is preset, and the corresponding action sequence is chosen according to the input information and internal parameters, which strengthens the stability of the system.
(4) Flexibility: the cooperative strategies of the security domain agents are distributed uniformly by the service center, and different cooperative strategy levels can be distributed according to the system's security requirements.
(5) Synergy: each security domain agent has limited ability to handle events on its own; by cooperating with neighboring security domain agents it improves its own grasp of the information, which helps it execute defense actions and strengthens the defense capability of the system.
(6) Self-adaptability: a security domain agent can self-learn from data flows and from information received from other security domain agents, enriching its knowledge base and handling emergencies according to the latest knowledge.
As shown in Fig. 2, the security domain agent structure model of the network security cooperative defense method is as follows:
The security domain agent consists of six modules in two layers, an event processing layer and a self-learning layer. The event processing layer comprises the interaction module, the analysis module, the processing module and the graphical interface; the self-learning layer comprises the analysis module, the self-learning module and the knowledge base. The six modules function as follows:
1) interaction module: responsible for data exchange between security domain agents, between the security domain and its security nodes, and between the security domain and the service center;
2) analysis module: analyzes incoming information according to a preset decision mechanism and distributes the result to the processing module and the self-learning module;
3) processing module: processes the analysis result step by step according to the processing flow set by the system and distributes the processing result to the interaction module and the knowledge base;
4) self-learning module: self-learns in parallel with the analysis stage, accumulating knowledge from new changes and storing it in the knowledge base;
5) knowledge base: stores the knowledge accumulated by the self-learning module and provides decision support to the analysis module;
6) graphical interface: lets the user configure model parameters and visually monitor the model's dynamics in real time.
As shown in Fig. 3, the security domain agent behavior model of the network security cooperative defense method is as follows:
A security domain agent has many characteristics, and its behavior is one of the most important; it complements the agent's structure. Agent behavior describes in detail the order in which interactions are executed between a security domain agent and other agents, between the agent and the service center, and between the agent and its nodes, and it is how the cooperative defense strategy is realized. Modeling the behavior of security domain agents is therefore very important.
The behaviors of a security domain agent can be divided, by the object of the behavior, into interaction behaviors and learning behaviors, and behavior constraints make both more reasonable. Interaction behavior refers to data exchange between agents, and information exchange between an agent and the service center and between an agent and its security nodes; learning behavior refers to the agent's own set of activities for self-learning about a new network environment. The behavior model of the security domain agent is composed of an input module, an inference module, a processing (execution) module and an output module. The input module collects and preprocesses input information, which may be a change in the external environment, information from other agents, or a change in internal variables; the inference module and the execution module are the core of the model, analyzing the input, deciding on it, and taking action according to a defined execution sequence; and the output module delivers the processing result to other agents or to the service center.
The formal language description of the agent is a further description of the theoretical model and is closer to its realization in a computer language. The formal language description of the security domain agent behavior model specifies concrete operation flows in order to describe behaviors more precisely, at a level closer to algorithm implementation. Based on the behavior model, the formal description considers the two cases of interaction behavior and learning behavior and, according to the characteristics of the model, describes the security domain agent behavior model by a quintuple of Strategy (S), Trigger (T), Action sequence (A), Mode (M) and Constraint (C).
(1) Interactive behavior formalized language description
The interactive behavior language description of the security domain proxy behavior model is shown in equation 1:
I=<S,T,A,M,Ci>,T=<Tin,Tout> (1)
in equation 1, I refers to agent interaction behavior, S denotes a set of all policies of an agent, T is a trigger of various events in the agent, TinIndicating a triggering event for entry into the agent, ToutIs the trigger event distributed after the agent process is finished, A represents the set of all actions of the agent, M represents the set of agent mode, CiA set of behavior constraints representing interaction behaviors.
The core work of the interactive behavior is to output a corresponding processing result through the decision of an inference engine according to different triggering conditions, or request other agents for cooperation, or request the service of a service center, so that the triggering formalization language description of the interactive behavior is as shown in formula 2:
Ci:Tin×A×M→Tout (2)
it can be seen from equation 2 that the output event is determined by the input trigger condition, the action sequence and the proxy mode. The triggering event comprises external flow information and other agent cooperative information, the triggering caused by the external flow information is network intrusion cooperative operation, intrusion detection can perform corresponding action sequence and mode conversion according to the flow information, and the result is notified to a firewall or a network camouflage system; other agent cooperative information such as network camouflage cooperative operation executes corresponding camouflage actions when receiving the alarm triggering condition of intrusion detection, changes the current agent mode into a cooperative mode, and finally feeds the camouflage result back to other agents and a service center.
(2) Learning behavior formalized language description
The learning behavior formalized language description of the security domain agent is shown in formula 3:
L=<S,T,A,M,Cl> (3)
l is the interaction behavior of the agent, S, A, M represents the definition in the formal language description of the interaction behavior with the agent, ClIs a learning behavior constraint and T is a trigger caused by a change in internal properties.
(i) Formalized expression of policies
The policy expresses the set of actions the agent takes for different trigger events. Trigger events comprise external environment changes and assistance information from other agents; the formalized expression of the policy is shown in formula (4):
$S = \langle T, A, M \rangle$ (4)
As can be seen from formula (4), a policy is composed of a trigger, actions and a mode. Each policy is caused by a specific trigger; the trigger causes the agent to perform a series of actions, with an explicit correspondence between the trigger and the actions; and the trigger and the actions cause the agent to enter a specific mode state, which ultimately affects the execution of the policy.
(ii) Formalized representation of actions
The action is the most basic expression unit in the agent model; several actions combined in order form an action sequence, whose formal expression is shown in formula (5):
$C: a \to A,\quad C = \langle C_R, C_S \rangle$ (5)
In formula (5), a denotes a single action, and several single actions form the action set A. Constraints are applied while actions execute: the constraint set comprises the constraint $C_R$ on sequential execution and the constraint $C_S$ for emergency situations. The purpose of the constraints is to make action execution more accurate and stable.
(iii) Formal representation of modes
The mode is an abstraction representing the current state of the agent in the agent model. The current mode is determined by the mode, the trigger and the action sequence at the current time node, and it changes over time as the trigger and the action sequence change; the formalization of the mode is represented as formula (6):
$T \times A \times M \to M$ (6)
The mode is the agent state expressed by the execution of a certain action sequence in the agent. This state clearly expresses the adaptive capacity of the agent to its environment: when the external environment changes continuously, the mode changes correspondingly.
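The five-tuple model of formulas (1) to (6), worked through as an added example (this is not code from the patent): a small Python agent whose policies are selected by (trigger, source), whose action sequence runs under a sequential constraint C_R and an emergency constraint C_S, and which emits output triggers T_out and enters a new mode M. The trigger and action names, the two modes, and the reading of C_S as "report first in an emergency" are assumptions made here; the scenario mirrors the intrusion-detection and network-camouflage cooperation the text describes.

```python
from dataclasses import dataclass
from enum import Enum

class Mode(Enum):
    """M: the set of agent modes (two members assumed for this example)."""
    NORMAL = "normal"
    COOPERATIVE = "cooperative"

@dataclass(frozen=True)
class Trigger:
    """T: an event; source is 'traffic' (external) or 'agent' (cooperative information)."""
    name: str
    source: str
    target: str = "self"         # receiver of an outgoing trigger (T_out)
    emergency: bool = False      # activates the emergency constraint C_S

@dataclass(frozen=True)
class Policy:
    """S = <T, A, M>: the trigger that fires it, its action sequence, the mode entered."""
    trigger: tuple               # (name, source) pair selecting this policy
    actions: tuple               # ordered names of single actions a
    next_mode: Mode

# A: the single actions; each returns the outgoing triggers it produces (names assumed).
ACTIONS = {
    "notify_firewall":   lambda: [Trigger("ids_alarm", "agent", "firewall")],
    "notify_camouflage": lambda: [Trigger("ids_alarm", "agent", "camouflage_agent")],
    "deploy_camouflage": lambda: [],
    "report_result":     lambda: [Trigger("camouflage_result", "agent", "other_agents"),
                                  Trigger("camouflage_result", "agent", "service_center")],
}

# S: one agent's policy set keyed by (trigger name, source). The same alarm arriving
# from the agent's own traffic monitoring or from another agent selects a different policy.
POLICIES = {
    ("ids_alarm", "traffic"): Policy(("ids_alarm", "traffic"),
                                     ("notify_firewall", "notify_camouflage"), Mode.COOPERATIVE),
    ("ids_alarm", "agent"):   Policy(("ids_alarm", "agent"),
                                     ("deploy_camouflage", "report_result"), Mode.COOPERATIVE),
}

class SecurityDomainAgent:
    def __init__(self, policies=POLICIES):
        self.policies = policies
        self.mode = Mode.NORMAL
        self.log = []            # (mode before, trigger name, action) per executed action

    @staticmethod
    def constrain(actions, t_in):
        """C = <C_R, C_S>: C_R keeps the listed order; C_S, read here as 'report first
        in an emergency', moves result reporting to the front of the sequence."""
        if t_in.emergency and "report_result" in actions:
            return ("report_result",) + tuple(a for a in actions if a != "report_result")
        return tuple(actions)

    def interact(self, t_in):
        """C_i: T_in x A x M -> T_out, followed by the mode transition T x A x M -> M."""
        policy = self.policies.get((t_in.name, t_in.source))
        if policy is None:
            return []            # no policy for this trigger: nothing emitted, mode unchanged
        t_out = []
        for name in self.constrain(policy.actions, t_in):
            self.log.append((self.mode, t_in.name, name))
            t_out.extend(ACTIONS[name]())
        self.mode = policy.next_mode
        return t_out

def run_scenario(emergency=False):
    """IDS agent sees anomalous traffic and the camouflage agent cooperates (constructed)."""
    ids_agent, camo_agent = SecurityDomainAgent(), SecurityDomainAgent()
    first = ids_agent.interact(Trigger("ids_alarm", "traffic", emergency=emergency))
    forwarded = next(t for t in first if t.target == "camouflage_agent")
    second = camo_agent.interact(Trigger(forwarded.name, forwarded.source, emergency=emergency))
    return ids_agent, camo_agent, first, second
```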

Claims (5)

1. A network security cooperative defense method is characterized by comprising the following steps:
step 1, establishing a service-oriented cooperative defense model consisting of security nodes, security domain agents and a service center;
step 2, deploying a plurality of security nodes in a security domain, each security node monitoring network traffic for anomalies through different security defense systems, realizing cooperation among the different security defense systems, and uploading the monitored condition to the agent of the security domain;
step 3, the security domain agent processing and forwarding the messages within the whole security domain, the security domain agent being accountable to the service center;
step 4, the service center controlling each security domain agent, which manages the security nodes in its security domain, thereby coordinating the operation of the whole security system and realizing overall network security cooperative defense;
the security nodes are key positions through which data flows pass and comprise router entrances, firewall entrances and host entrances; each security domain has only one security domain agent; the service center stores various security policies, including application security, data encryption, authentication and authorization, access control, audit trail, and virus prevention and removal;
the security node: monitors network traffic for anomalies through different security defense systems, realizes cooperation among the different security defense systems, and uploads the monitored condition to the agent of its security domain;
the security domain agent: is responsible for processing and forwarding the messages within the whole security domain and is accountable to the service center;
the service center: controls each security domain agent, which manages the security nodes in its security domain, thereby coordinating the operation of the whole security system and realizing overall network security cooperative defense;
the security nodes of each security domain can communicate only with the agent of that security domain, which has two aspects: communication among the nodes within a security domain depends on the agent of that security domain, and communication between different security domains goes through the agent of each security domain; each security node communicates with its agent through an interface function provided by the service center; when a security node starts monitoring it informs the agent of its security domain, and the agent informs the upper-layer service center, so that the service center and the agent know the state of each security domain;
the security domain agent consists of six modules in two layers, an event processing layer and a self-learning layer; the event processing layer comprises an interaction module, an analysis module, a processing module and a graphical interface, and the self-learning layer comprises the analysis module, a self-learning module and a knowledge base; the functions of the six modules are as follows:
1) interaction module: responsible for data interaction among security domain agents, between the security domain agent and the security nodes, and between the security domain agent and the service center;
2) analysis module: analyzes the incoming information according to a preset decision mechanism and distributes the analysis result to the processing module and the self-learning module;
3) processing module: processes the analysis result of the analysis module step by step according to the processing flow set by the system, and distributes the processing result to the interaction module and the knowledge base;
4) self-learning module: performs self-learning in parallel with the analysis stage, accumulates knowledge from new changes and stores it in the knowledge base;
5) knowledge base: stores the knowledge accumulated by the self-learning module and provides decision support for the analysis module;
6) graphical interface: lets the user configure model parameters and visually check the model dynamics in real time;
the security domain agent behavior model:
the security domain agent has several characteristics; the agent behavior describes the interaction execution sequence among security domain agents, between security domain agents and the service center, and between security domain agents and nodes, and this interaction execution sequence is the realization of the cooperative defense policy;
security domain agent behaviors are divided into interactive behaviors and learning behaviors according to the behavior object: interactive behavior refers to data exchange between agents and information exchange between agents and the service center and between agents and security nodes; learning behavior refers to self-learning behavior for a new network environment and is an activity set of the agent;
the behavior model of the security domain agent consists of an input module, an inference module, a processing module and an output module; the input module is responsible for summarizing and preprocessing the input information, which comprises external environment changes, information from other agents or changes of internal variables; the inference module and the processing module are the core of the model, responsible for analyzing and deciding on the input and taking action according to the defined execution sequence; the output module outputs the processing result to other agents or the service center;
based on the behavior model, the formal language description considers the two cases of interactive behavior and learning behavior, and describes the security domain agent behavior model with a five-tuple of Strategy, Trigger, Action sequence, Mode and Constraint according to the characteristics of the model;
(1) interactive behavior formalized language description
The interactive behavior language description of the security domain agent behavior model is as shown in formula (1):
$I = \langle S, T, A, M, C_i \rangle,\quad T = \langle T_{in}, T_{out} \rangle$ (1)
in formula (1), I refers to the agent interaction behavior, S represents the set of all policies of the agent, T is the trigger of the various events in the agent, $T_{in}$ denotes a trigger event entering the agent, $T_{out}$ denotes the trigger events distributed after the agent finishes processing, A represents the set of all actions of the agent, M represents the set of agent modes, and $C_i$ represents the set of behavior constraints of the interaction behavior;
the core work of the interactive behavior is to output the corresponding processing result through the decision of the inference engine according to the different trigger conditions, or to request cooperation from other agents, or to request the service of the service center, so the trigger formalized language description of the interactive behavior is as shown in formula (2):
$C_i: T_{in} \times A \times M \to T_{out}$ (2)
according to formula (2), the output event is determined by the input trigger condition, the action sequence and the agent mode; trigger events comprise external traffic information and cooperative information from other agents; a trigger caused by external traffic information is a network intrusion cooperative operation: intrusion detection performs the corresponding action sequence and mode conversion according to the traffic information and notifies the result to the firewall or the network camouflage system; a trigger caused by cooperative information from another agent, for example a network camouflage cooperative operation, executes the corresponding camouflage actions when the alarm trigger condition of intrusion detection is received, changes the current agent mode to the cooperative mode, and finally feeds the camouflage result back to the other agents and the service center;
(2) learning behavior formalized language description
The learning behavior formalized language description of the security domain agent is shown in formula (3):
$L = \langle S, T, A, M, C_l \rangle$ (3)
L is the learning behavior of the agent; S, A and M keep the definitions given in the formal language description of the interactive behavior; $C_l$ is the learning behavior constraint, and T is a trigger caused by a change in internal properties;
(i) Formalized expression of policies
The policy expresses the series of actions the agent takes for different trigger events; trigger events comprise external environment changes and assistance information from other agents, and the formalized expression of the policy is shown in formula (4):
$S = \langle T, A, M \rangle$ (4)
as shown in formula (4), a policy is composed of a trigger, actions and a mode; each policy is caused by a specific trigger, the trigger causes the agent to perform a series of actions with an explicit correspondence between the trigger and the actions, and the trigger and the actions cause the agent to enter a specific mode state, which finally affects the execution of the policy;
(ii) Formalized representation of actions
The action is the most basic expression unit in the agent model; several actions combined in order form an action sequence, whose formal expression is shown in formula (5):
$C: a \to A,\quad C = \langle C_R, C_S \rangle$ (5)
in formula (5), a denotes a single action, several single actions form the action set A, constraints are applied while actions execute, and the constraint set comprises the constraint $C_R$ on sequential execution and the constraint $C_S$ for emergency situations;
(iii) Formal representation of modes
The mode is an abstraction representing the current state of the agent in the agent model; the current mode is determined by the mode, the trigger and the action sequence at the current time node, and changes over time as the trigger and the action sequence change; the formalization of the mode is represented as formula (6):
$T \times A \times M \to M$ (6)
the mode is the agent state expressed by the execution of a certain action sequence in the agent; this state expresses the adaptive capacity of the agent to its environment, and when the external environment changes continuously, the mode changes correspondingly.
2. The network security cooperative defense method according to claim 1, wherein the security defense systems of step 2 comprise an intrusion detection system, a firewall system and a network camouflage system.
3. The network security cooperative defense method according to claim 1, wherein in step 2 the security nodes are deployed in every corner of the network, that is, a security node is deployed at any network entrance or network exit to monitor network traffic for anomalies, and the security node uploads the monitored condition to the agent of its security domain.
4. The network security cooperative defense method according to claim 1, wherein in step 3 the security domain agent processes and forwards the messages within the entire security domain and is accountable to the service center, specifically as follows:
1) the security domain agent keeps track of the operating condition of each security node in the security domain;
2) the security domain agent serves as the data relay center for the security nodes and performs uniform encryption and authentication of the data communication between security nodes;
3) the security domain agent communicates with other security domain agents; communication between security domain agents is point-to-point, and each agent can act as either client or server: when acting as a server, the agent opens a fixed port for communication with other agents, the agents communicate with each other at a fixed time interval, and the port is closed when no message has been received once that interval has elapsed; the security domain agent also communicates with the service center, receives the instructions of the service center, executes them and distributes them to each security node.
5. The network security cooperative defense method according to claim 1, wherein in step 4 the service center controls each security domain agent, which manages the security nodes in its security domain, so as to coordinate the operation of the whole security system and realize overall network security cooperative defense, specifically as follows:
1) when security domain agents communicate with each other, the service center provides the communication encryption key and selects the encryption and authentication algorithm;
2) the service center keeps track of the real-time state of each security domain agent, so that the operation of the whole security system is coordinated;
3) the service center controls each security domain agent, which manages the security nodes in its security domain: a local area network can have only one primary service center, a larger local area network containing that local area network has a high-level service center, and the high-level service center is responsible for managing the communication between the security domain agents of the local area networks that contain primary service centers; horizontally, the primary service centers of all local area networks in the whole security system are interconnected and communicate with each other, and vertically the high-level service center manages all the security domain agents in those local area networks.
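Claims 1, 4 and 5 fix who may talk to whom (nodes only to their own domain agent, agents point-to-point, agents to the service center) and who issues the keys. The following is an added Python example, not the patent's own code: it encodes that topology as a relay-path check and authenticates the inter-agent hop with an HMAC under a key the service center issues to the agent pair. The agent naming scheme, HMAC-SHA256 as the "selected" algorithm and the per-pair key store are assumptions.

```python
import hashlib
import hmac
import secrets

SERVICE_CENTER = "service_center"

class ServiceCenter:
    """Issues the communication key and selects the authentication algorithm for a pair
    of agents (claim 5, item 1). The key store and the algorithm choice are assumptions."""

    def __init__(self, algorithm="sha256"):
        self.algorithm = algorithm
        self.keys = {}                                  # frozenset(agent pair) -> key

    def issue_key(self, agent_a, agent_b):
        pair = frozenset((agent_a, agent_b))            # one key per unordered pair
        self.keys.setdefault(pair, secrets.token_bytes(32))
        return self.algorithm, self.keys[pair]

class Topology:
    """One agent per security domain; a node may talk only to its own domain's agent."""

    def __init__(self, domains):                        # {domain: [node, ...]} (constructed)
        self.agent_of = {d: f"agent:{d}" for d in domains}        # assumed naming scheme
        self.domain_of = {n: d for d, nodes in domains.items() for n in nodes}

    def is_agent(self, x):
        return x in self.agent_of.values()

    def direct_link_allowed(self, a, b):
        """Links the claims permit: node <-> own agent, agent <-> agent, agent <-> service center."""
        for node, other in ((a, b), (b, a)):
            if node in self.domain_of:                  # a node: only its own domain agent
                return other == self.agent_of[self.domain_of[node]]
        if a == SERVICE_CENTER or b == SERVICE_CENTER:
            return self.is_agent(a) or self.is_agent(b)
        return self.is_agent(a) and self.is_agent(b)    # point-to-point between agents

    def relay_path(self, src, dst):
        """Hops a node-to-node message takes: through the domain agent, and through both
        agents when the domains differ. Every hop must be a permitted direct link."""
        src_agent = self.agent_of[self.domain_of[src]]
        dst_agent = self.agent_of[self.domain_of[dst]]
        path = [src, src_agent] + ([dst_agent] if dst_agent != src_agent else []) + [dst]
        for hop_a, hop_b in zip(path, path[1:]):
            if not self.direct_link_allowed(hop_a, hop_b):
                raise ValueError(f"link not permitted: {hop_a} -> {hop_b}")
        return path

def authenticate(algorithm, key, sender, receiver, payload):
    """MAC tag binding sender, receiver and payload under the service-center key."""
    msg = b"\0".join((sender.encode(), receiver.encode(), payload))
    return hmac.new(key, msg, algorithm).digest()

def verify(algorithm, key, sender, receiver, payload, tag):
    expected = authenticate(algorithm, key, sender, receiver, payload)
    return hmac.compare_digest(expected, tag)           # constant-time comparison

def cross_domain_exchange(topology, center, src, dst, payload):
    """Relay a node-to-node message; the inter-agent hop, if any, is authenticated with
    the key the service center issued to that agent pair. Returns (path, verified)."""
    path = topology.relay_path(src, dst)
    a_src, a_dst = path[1], path[-2]
    if a_src == a_dst:
        return path, True                               # same domain: no inter-agent hop
    algorithm, key = center.issue_key(a_src, a_dst)     # sending agent fetches the key
    tag = authenticate(algorithm, key, a_src, a_dst, payload)
    algorithm, key = center.issue_key(a_dst, a_src)     # receiving agent gets the same key
    return path, verify(algorithm, key, a_src, a_dst, payload, tag)
```

Binding sender and receiver into the tag means a tag captured on one inter-agent link cannot be replayed in the opposite direction or between a different pair.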

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711392083.3A CN108055270B (en) 2017-12-21 2017-12-21 Network security cooperative defense method


Publications (2)

Publication Number Publication Date
CN108055270A (en) 2018-05-18
CN108055270B (en) 2020-11-27

Family

ID=62131056

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information

Inventor after: Li Qianmu

Inventor after: Wang Ke

Inventor after: Li Jianmei

Inventor after: Yu Pengcheng

Inventor after: Hou Jun

Inventor before: Wang Ke

Inventor before: Li Qianmu

Inventor before: Li Jianmei

Inventor before: Yu Pengcheng

Inventor before: Hou Jun

GR01 Patent grant