CN108400968B - Method for realizing mimicry defense model distributor - Google Patents
- Publication number
- CN108400968B
- Authority
- CN
- China
- Prior art keywords
- sessionid
- distributor
- request
- virtual
- client
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0281—Proxies
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/25—Mapping addresses of the same type
- H04L61/2503—Translation of Internet protocol [IP] addresses
- H04L61/255—Maintenance or indexing of mapping tables
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/14—Session management
- H04L67/142—Managing session states for stateless protocols; Signalling session states; State transitions; Keeping-state mechanisms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/14—Session management
- H04L67/146—Markers for unambiguous identification of a particular session, e.g. session cookie or URL-encoding
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention discloses a method for efficiently implementing a distributor for the mimicry defense model. The method comprises the following steps. Step (1): each data packet sent by a client is stored in the distributor, which maintains a mapping table from a virtual SessionId to the real SessionId; the SessionId in a request sent by the client is the virtual SessionId, and it is replaced by the real SessionId from the mapping table. Step (2): when the user request is too large, a "head copy and body link" scheme is adopted, in which only the HTTP request header is copied and the request body data is only linked. Once the distributor has copied and distributed the request to the N servers, the space occupied by the request can be reclaimed. Step (3): after the two preprocessing steps above, the distributor can efficiently send the user request to the executors at the server back end, thereby implementing the distributor function. The invention reduces latency and improves efficiency as far as possible, and provides a more efficient solution for the system as a whole.
Description
Technical Field
The invention belongs to the technical field of computer software, and particularly relates to a method for realizing a mimicry defense model distributor.
Background
The security problems faced by Web server systems are increasingly serious, and traditional defense technology, being in a passive position, has difficulty coping with unknown attack threats. The United States therefore proposed Moving Target Defense (MTD), a "game-changing" direction for network security development put forward in response to the defender's current disadvantage. It aims to confuse attackers through continuous, dynamic change, so as to increase the cost and complexity of attacks and reduce their success rate.
A mimicry defense model based on a dynamic heterogeneous redundancy structure has been proposed. Under active and passive trigger conditions, it is intended to dynamically and pseudo-randomly select and execute various hardware variants and the corresponding software variants, so that the hardware execution environment and software working state observed by internal and external attackers are highly uncertain, and an attack chain based on vulnerabilities (bugs) or backdoors cannot be constructed, or is difficult to construct, thereby reducing the security risk of the system. The dynamic heterogeneous redundancy structure uses a set of heterogeneous executors in the processing path: the same input is copied into N parts by an input proxy and distributed to N heterogeneous executors in the set for processing, and the processing results are collected by a voter, which votes to obtain a single, relatively correct output. In this way the security of the Web server can be greatly improved.
Disclosure of Invention
The invention aims to provide a method for realizing a mimicry defense model distributor, aiming at the defects of the prior art.
The technical scheme adopted by the invention for solving the technical problem comprises the following steps:
Step (1): each data packet sent by the client is stored in the distributor. Because the multiple back-end servers hold multiple different SessionIds, the distributor must maintain a mapping table from a virtual SessionId to the real SessionId. The SessionId in a request sent by the client is the virtual SessionId, which is replaced by the real SessionId from the mapping table. The key of the mapping table is the virtual SessionId, and the value for that key is the real SessionIds of the N servers. The virtual SessionId is generated by the distributor; the HTTP response packet received by the client contains only the virtual SessionId, and the client only needs to use the virtual SessionId to interact with the server side;
Step (2): when the user request is too large, simply copying the requested data N times would make the distributor occupy N times the space. A "head copy and body link" scheme is therefore adopted: only the HTTP request header is copied, since the header contains information such as the Cookie and SessionId, while the request body data does not need to change, so only a link to the HTTP request body needs to be stored. Once the distributor has copied and distributed the request to the N servers, the space occupied by the request can be reclaimed;
Step (3): after the two preprocessing steps (1) and (2), the distributor can send the user request to the executors at the server back end, thereby implementing the distributor function.
The beneficial effects of the invention are as follows:
The invention maintains the mapping from the virtual SessionId to the real SessionId with a mapping table and adopts the "head copy and body link" scheme, thereby implementing the distributor module, reducing latency as far as possible, improving efficiency, and providing a more efficient solution for the whole system.
The invention implements an efficient distributor module for the mimicry defense model through careful manipulation of the mapping table and pointers.
Drawings
FIG. 1 is a schematic view of the present invention.
Detailed Description
The invention is further illustrated by the following figures and examples.
As shown in FIG. 1, a method for implementing a mimicry defense model distributor includes the following steps:
Step (1): each data packet sent by the client is stored in the distributor. Because the multiple back-end servers hold multiple different SessionIds, the distributor must maintain a mapping table from a virtual SessionId to the real SessionId. The SessionId in a request sent by the client is the virtual SessionId, which is replaced by the real SessionId from the mapping table. The key of the mapping table is the virtual SessionId, and the value for that key is the real SessionIds of the N servers. The virtual SessionId is generated by the distributor; the HTTP response packet received by the client contains only the virtual SessionId, and the client only needs to use the virtual SessionId to interact with the server side;
Step (2): when the user request is too large, simply copying the requested data N times would make the distributor occupy N times the space. A "head copy and body link" scheme is therefore adopted: only the HTTP request header is copied, since the header contains information such as the Cookie and SessionId, while the request body data does not need to change, so only a link to the HTTP request body needs to be stored. Once the distributor has copied and distributed the request to the N servers, the space occupied by the request can be reclaimed;
Step (3): after the two preprocessing steps (1) and (2), the distributor can send the user request to the executors at the server back end, thereby implementing the distributor function.
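The mapping table of step (1) and the "head copy and body link" scheme of step (2), as an added sketch that is not code from the patent. The cookie name `SESSIONID`, the class and function names, and the choice to strip an unknown virtual SessionId instead of forwarding it are assumptions made for this example.

```python
import secrets
from dataclasses import dataclass

COOKIE = "SESSIONID"  # assumed cookie name; the patent does not name one


def parse_cookies(value: str) -> dict:
    """Split a Cookie header into an ordered name -> value dict."""
    pairs = (p.strip().split("=", 1) for p in value.split(";") if "=" in p)
    return {name: val for name, val in pairs}


@dataclass
class Outbound:
    backend: int
    headers: dict      # private per-backend copy ("head copy")
    body: memoryview   # view onto the one stored body ("body link")


class Distributor:
    def __init__(self, n_backends: int):
        self.n = n_backends
        self.table = {}  # virtual SessionId -> list of N real SessionIds

    def register(self, real_ids: list) -> str:
        """Record the N real SessionIds issued by the back ends for one client."""
        if len(real_ids) != self.n:
            raise ValueError("need exactly one real SessionId per back end")
        virtual = secrets.token_urlsafe(32)  # CSPRNG, unrelated to any real ID
        self.table[virtual] = list(real_ids)
        return virtual  # the only SessionId ever returned to the client

    def fan_out(self, headers: dict, body: bytes) -> list:
        """Build N outbound requests: rewritten header copies, one shared body."""
        cookies = parse_cookies(headers.get("Cookie", ""))
        real_ids = self.table.get(cookies.get(COOKIE, ""))
        link = memoryview(body)  # references the stored bytes, copies nothing
        out = []
        for i in range(self.n):
            hdrs, jar = dict(headers), dict(cookies)
            if real_ids is None:
                jar.pop(COOKIE, None)  # unknown virtual ID: never forwarded as real
            else:
                jar[COOKIE] = real_ids[i]
            if jar:
                hdrs["Cookie"] = "; ".join(f"{k}={v}" for k, v in jar.items())
            else:
                hdrs.pop("Cookie", None)
            out.append(Outbound(i, hdrs, link))
        return out


if __name__ == "__main__":
    d = Distributor(3)
    vid = d.register(["real-A", "real-B", "real-C"])  # constructed sample IDs
    reqs = d.fan_out({"Host": "app.example", "Cookie": f"SESSIONID={vid}"}, b"x" * 4096)
    for r in reqs:
        print(r.backend, r.headers["Cookie"], len(r.body))
```

Once all N `Outbound` objects have been sent and released, nothing references the single body buffer any longer and it can be reclaimed, which corresponds to the space recovery described in step (2).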
Claims (1)
1. A method of implementing a mimicry defense model distributor, comprising the steps of:
Step (1): each data packet sent by the client is stored in the distributor; because the multiple back-end servers hold multiple different SessionIds, a mapping table from a virtual SessionId to the real SessionId needs to be maintained in the distributor; the SessionId in the request sent by the client is the virtual SessionId, and the virtual SessionId is replaced by the real SessionId from the mapping table; the key of the mapping table is the virtual SessionId, and the value for the key is the real SessionIds of the N servers; the virtual SessionId is generated by the distributor, the HTTP response packet received by the client contains only the virtual SessionId, and the client only needs to use the virtual SessionId to interact with the server;
Step (2): when the user request is too large, a "head copy and body link" scheme is adopted: only the HTTP request header needs to be copied, the HTTP request header contains the Cookie and SessionId information, and the request body data does not need to change, so only the link to the HTTP request body needs to be saved; once the distributor has copied and distributed the request to the N servers, the space occupied by the request can be reclaimed;
Step (3): after the two preprocessing steps (1) and (2), the distributor can send the user request to the executors at the server back end, thereby implementing the distributor function.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810038734.7A CN108400968B (en) | 2018-01-16 | 2018-01-16 | Method for realizing mimicry defense model distributor |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810038734.7A CN108400968B (en) | 2018-01-16 | 2018-01-16 | Method for realizing mimicry defense model distributor |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108400968A CN108400968A (en) | 2018-08-14 |
CN108400968B true CN108400968B (en) | 2019-12-24 |
Family
ID=63094861
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810038734.7A Active CN108400968B (en) | 2018-01-16 | 2018-01-16 | Method for realizing mimicry defense model distributor |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108400968B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112422579A (en) * | 2020-11-30 | 2021-02-26 | 福州大学 | Execution body set construction method based on mimicry defense Sketch |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110557437B (en) * | 2019-08-05 | 2021-11-19 | 上海拟态数据技术有限公司 | Universal mimicry distribution voting scheduling device and method based on user-defined protocol |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7139792B1 (en) * | 2000-09-29 | 2006-11-21 | Intel Corporation | Mechanism for locking client requests to a particular server |
CN101483662A (en) * | 2008-01-09 | 2009-07-15 | 财团法人工业技术研究院 | Packet forwarding apparatus and method for virtual storage network switch |
CN106656834A (en) * | 2016-11-16 | 2017-05-10 | 上海红阵信息科技有限公司 | IS-IS routing protocol heterogeneous function equivalent body parallel normalization device and method |
CN106874755A (en) * | 2017-01-22 | 2017-06-20 | 中国人民解放军信息工程大学 | The consistent escape error processing apparatus of majority and its method based on mimicry Prevention-Security zero-day attacks |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101247367B (en) * | 2008-04-08 | 2011-03-23 | 中国电信股份有限公司 | Content providing method and system based on content distribution network and peer-to-peer network |
CN103036910B (en) * | 2013-01-05 | 2015-10-07 | 北京网康科技有限公司 | A kind of user's web access Behavior-Based control method and device |
CN104954384B (en) * | 2015-06-24 | 2018-04-27 | 浙江大学 | A kind of url mimicry methods of protection Web applications safety |
CN107092518A (en) * | 2017-04-17 | 2017-08-25 | 上海红神信息技术有限公司 | A kind of Compilation Method for protecting mimicry system of defense software layer safe |
Non-Patent Citations (1)
Title |
---|
The Implement of Voting Device in Mimicry Defense Model; 梁慧兵 et al.; 《Revista de la Facultad de Ingenieria》; 20170131; full text * |
Also Published As
Publication number | Publication date |
---|---|
CN108400968A (en) | 2018-08-14 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
EE01 | Entry into force of recordation of patent licensing contract | Application publication date: 20180814; Assignee: Hangzhou Greentown Information Technology Co.,Ltd.; Assignor: HANGZHOU DIANZI University; Contract record no.: X2023330000109; Denomination of invention: A Method for Implementing a Pseudo Defense Model Distributor; Granted publication date: 20191224; License type: Common License; Record date: 20230311 |