CN110290122B - Intrusion response strategy generation method and device - Google Patents


Info

Publication number
CN110290122B
Authority
CN
China
Prior art keywords
strategy
deployment
meta
measure
policy
Prior art date
Legal status
Active
Application number
CN201910511661.3A
Other languages
Chinese (zh)
Other versions
CN110290122A (en)
Inventor
郭云川
李凤华
张晗
李勇俊
房梁
张玲翠
Current Assignee
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS
Priority date
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/12 Discovery or management of network topologies
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The embodiment of the invention provides an intrusion response strategy generation method and a device, wherein the method comprises the following steps: determining a candidate measure set and a deployment point set for responding to the attack according to the received alarm information and the network topology structure; taking the measures, the deployment points and the time sequence of measure deployment as three dimensions of an array, taking the duration of measure execution as an element in the array, and coding the candidate strategies by utilizing the three-dimensional array to generate a plurality of candidate strategies; performing iterative evolution on the candidate strategies based on a genetic algorithm according to a preset fitness function until a preset condition is reached, and acquiring a target strategy for realizing intrusion prevention; each strategy comprises at least one meta-strategy, and each meta-strategy comprises measures, a deployment point, a time sequence of measure deployment and a duration of measure execution. The method and the system also determine the time sequence and the execution duration of the deployment of each selected measure while selecting the measure and the deployment point, thereby ensuring the accuracy of generating the strategy and obtaining higher safety benefits.

Description

Intrusion response strategy generation method and device
Technical Field
The invention relates to the technical field of information security, in particular to an intrusion response strategy generation method and device.
Background
With the dramatic increase in network size, intrusion events have become increasingly complex in recent years and often have serious consequences. To combat attacks, intrusion response systems are designed to generate appropriate response strategies that eliminate potential impacts and reduce system risk. Most existing intrusion response strategy methods focus on selecting appropriate measures and deployment points. For measure selection, existing methods typically select one or more measures to cope with the malicious behavior and balance attack loss against the benefit of the measures. Existing single-measure selection methods generally consider intrusion cost, incidental loss, the security benefit of the measure and similar factors together, rank the measures and select the optimal one. Although a single measure can cope with single-path attacks and with multi-path attacks whose cut-set has size 1, a single measure typically fails against multi-path attacks whose cut-set is larger than 1. Therefore, multi-measure selection schemes are increasingly applied in intrusion response. Existing multi-measure selection schemes usually consider the benefit coverage relation among measures and select the measure combination with the highest overall benefit.
However, these measure selection schemes ignore the impact of different deployment points on security benefits. In the aspect of selecting the measure deployment point, the existing scheme usually forms the measure deployment problem (including the measure selection process) into a multi-objective optimization problem, and selects an optimal deployment point for each measure while selecting the response measure.
Existing response strategy generation schemes only consider two problems in intrusion response, measure selection and measure deployment point selection, and do not consider the deployment order of the selected measures or the execution duration of each selected measure. As a result, current intrusion response strategy methods cannot effectively guarantee sufficient response utility.
Disclosure of Invention
In order to solve the above problem, embodiments of the present invention provide an intrusion response policy generation method and apparatus.
In a first aspect, an embodiment of the present invention provides an intrusion response policy generation method, including: determining a candidate measure set and a deployment point set for responding to the attack according to the received alarm information and the network topology structure; taking the measures, the deployment points and the time sequence of measure deployment as three dimensions of an array, taking the duration of measure execution as an element in the array, and coding the candidate strategies by utilizing the three-dimensional array to generate a plurality of candidate strategies; performing iterative evolution on the candidate strategies based on a genetic algorithm according to a preset fitness function until a preset condition is reached, and acquiring a target strategy for realizing intrusion prevention; each strategy comprises at least one meta-strategy, and each meta-strategy comprises measures, a deployment point, a time sequence of measure deployment and a duration of measure execution.
In a second aspect, an embodiment of the present invention provides an intrusion response policy generation apparatus, including: the first processing module is used for determining a candidate measure set and a deployment point set for responding to attacks according to the received alarm information and the network topology structure; the second processing module is used for taking the measures, the deployment points and the time sequence of measure deployment as three dimensions of the array, taking the duration of measure execution as an element in the array, and encoding the candidate strategies by utilizing the three-dimensional array to generate a plurality of candidate strategies; the strategy generation module is used for carrying out iterative evolution on the candidate strategies based on a genetic algorithm according to a preset fitness function until a preset condition is reached and acquiring a target strategy for realizing intrusion prevention; each strategy comprises at least one meta-strategy, and each meta-strategy comprises measures, a deployment point, a time sequence of measure deployment and a duration of measure execution.
In a third aspect, an embodiment of the present invention provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the steps of the intrusion response policy generation method according to the first aspect of the present invention when executing the program.
In a fourth aspect, an embodiment of the present invention provides a non-transitory computer readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the intrusion response policy generation method according to the first aspect of the present invention.
According to the method and the device for generating the intrusion response strategy, the measures, the deployment points and the time sequence of measure deployment are taken as three dimensions of an array, the time length of measure execution is taken as an element in the array, the candidate strategies are coded by utilizing the three-dimensional array, and a plurality of candidate strategies are generated, so that each selected measure, the deployment points, the deployment time sequence and the execution time length of the selected measure are effectively described. Because a plurality of candidate strategies are generated and are subjected to iterative evolution based on a genetic algorithm according to a preset fitness function until a preset condition is reached, a target strategy is obtained, so that a strategy with high response utility is selected under the condition of considering selection measures, deployment points, deployment time sequences and execution duration, the accuracy of generating the strategy is ensured, and higher response utility is obtained.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
Fig. 1 is a flowchart of an intrusion response policy generation method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of policy encoding according to an embodiment of the present invention;
fig. 3 is an application scenario diagram of an intrusion response policy generation method according to an embodiment of the present invention;
fig. 4 is a structural diagram of an intrusion response policy generation apparatus according to an embodiment of the present invention;
fig. 5 is a schematic physical structure diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The existing response strategy generation scheme mainly solves two problems of measure selection and measure deployment point selection in intrusion response. However, in practice, in order to defend against attacks as accurately as possible, the generated response strategy also needs to solve the following two problems.
In what order should the selected measures be deployed? When several measures are selected to cope with an attack, different deployment orders of the selected measures lead to different response effects. For example, the measures "service migration" and "blocking traffic" are usually selected to deal with a distributed denial of service (DDoS) attack. When the two measures are deployed and executed in the order "blocking traffic" first and "service migration" second, that is, "blocking traffic" is deployed at the first timing and "service migration" at the second timing, the resources occupied by the DDoS attack are released after "blocking traffic" is deployed and executed, and the released resources can be used to deploy "service migration", so the loss caused by the attack may be greatly reduced. Conversely, when deployment and execution are performed in the order "service migration" and then "blocking traffic", the DDoS attack occupies a large amount of the attacked machine's resources, so the remaining resources of the attacked machine will be insufficient to complete the deployment and execution of "service migration". As this example shows, the timing of measure deployment significantly affects the response effect.
How long should each selected measure be executed? The execution duration of a measure also affects the response. In the example above, "blocking traffic" should stop only after the attacked service has been migrated successfully. If "service migration" has already completed while "blocking traffic" is still being executed, the quality of service will be significantly affected. Therefore, an appropriate execution duration is necessary for each selected measure.
To solve the above problems, an embodiment of the present invention provides an intrusion response policy generation method. The execution subject of the method may be a server, a gateway, a terminal or another device, which is not specifically limited in this embodiment of the present invention. For convenience of description, this embodiment takes a server as the execution subject by way of example when explaining the method. When an intrusion occurs, the strategy generation method provided by the invention can quickly and effectively generate a response strategy, and the generated response strategy simultaneously answers four questions: "Which response measures are selected? At which deployment points? In what order are the selected measures deployed? How long is each selected measure executed?" For convenience of the subsequent description of the scheme, the following symbols are first defined:
$CM = \{cm_0, cm_1, \dots, cm_{n-1}\}$ is the candidate measure set obtained from the alarm information, where $n$ is the number of candidate measures. Measures are concrete handling actions that can be carried out against a network attack; for example, a measure may be "block one or more IP addresses", "block one or more ports", "block all traffic", "modify routing tables", "close/restart services", "close/restart devices", "disconnect", "close connections", "bug fixes", "close processes", "modify registry", "modify user permissions", "modify file access permissions", "modify user passwords", "service migration", "data backup" or "data recovery", etc.
$DP = \{dp_0, dp_1, \dots, dp_{m-1}\}$ is the candidate deployment point set, where $m$ is the number of candidate deployment points. Deployment points are security devices that can deploy and execute measures; for example, a deployment point may be a terminal (fixed terminal, mobile terminal, satellite terminal), server, router, access gateway, internet gateway, content filtering device, firewall, cryptographic device, authentication device, VPN, honeypot, switch, modem, hub or bridge, etc.
Figure BDA0002093685150000051
represents the timing at which a measure is deployed to a deployment point, where $N^+$ is the set of positive integers. For example, the measure "block a certain IP address" is deployed to the firewall at the 2nd timing (i.e., $k = 2$). In practice, the maximum deployment timing can be set according to user requirements.
$ed \in \{0\} \cup N^+$ represents the duration for which the selected measure is executed. Note that the execution duration is expressed in time units, and the time unit can be set by the user, for example second, minute, hour, day, week, month, season or year; if the time unit is set to one minute, then $ed = 5$ means the measure is executed for 5 time units, i.e., 5 minutes. In the following description, a duration is a number of time units, and a point in time is the number of time units elapsed since the attack occurred. In practice, the upper limit $ed_{max}$ and the lower limit $ed_{min}$ of the measure execution duration can be set according to user requirements.
Given the above notation, a response policy for an attack is defined
Figure BDA0002093685150000052
Is a collection of meta-policies, i.e.
Figure BDA0002093685150000053
Wherein the meta-strategy is defined as a four-tuple comprising the selection measure and the corresponding deployment point, deployment timing sequence and execution duration of the measure, that is
Figure BDA0002093685150000054
The meta-strategy represents deploying measures cm to a deployment point dp at the kth time sequence and then executing ed time units.
Fig. 1 is a flowchart of an intrusion response policy generation method according to an embodiment of the present invention, and as shown in fig. 1, an intrusion response policy generation method according to an embodiment of the present invention includes:
101. Determine a candidate measure set and a deployment point set for responding to the attack according to the received alarm information and the network topology structure.
The server receives the alarm information and, according to the alarm information and the network topology information, obtains the candidate measure set and the deployment point set that can be used to respond to the attack. The alarm information includes, but is not limited to, the alarm ID, attack type, attack severity, alarm confidence, attack duration, attacker IP address, attacker port number and attacker ID.
102. And taking the measures, the deployment points and the time sequence of measure deployment as three dimensions of the array, taking the duration of the measure execution as an element in the array, and encoding the candidate strategies by using the three-dimensional array to generate a plurality of candidate strategies.
And based on the acquired candidate measure set, the deployment point set and the maximum deployment time sequence, the maximum execution time length and the minimum execution time length of the set measures, encoding the candidate strategies by utilizing the three-dimensional array and generating a plurality of candidate strategies. Wherein the generated candidate policies may be randomly generated or generated by the user on a customized basis. FIG. 2 is a schematic diagram of policy coding according to an embodiment of the present invention, as shown in FIG. 2, three dimensions of the array represent a candidate measure, a deployment point, and a deployment timing, respectively, and each element in the array represents a duration of execution of the measure, an index (i, j, k), and an element edi,j,kComposing a meta-policy
Figure BDA0002093685150000061
which means that the selected measure $cm_i$ is deployed to deployment point $dp_j$ at the $k$-th timing and then executed for $ed_{i,j,k}$ time units. When the execution duration $ed_{i,j,k}$ of the measure in a meta-policy is greater than zero, the meta-policy is called a valid meta-policy. All valid meta-policies together constitute one candidate policy.
In practice, some measures cannot be deployed at some deployment points; in addition, the following restrictions apply: (1) the same deployment point cannot deploy multiple measures at the same deployment timing; (2) the same measure cannot be deployed at the same deployment point at multiple timings. These features and assumptions are formalized as three constraints: (1) let $\Psi(cm_i) = \{dp_1, dp_2, \dots, dp_{m'}\}$ be the set of deployment points at which measure $cm_i$ can be deployed; then for any $k \in K$ there is no $dp_j \in DP \setminus \Psi(cm_i)$ such that $ed_{i,j,k} > 0$; (2) given $cm_a \in CM$, $dp_j \in DP$ and $k \in K$, if $ed_{a,j,k} > 0$ then there is no $cm_i \in CM \setminus \{cm_a\}$ such that $ed_{i,j,k} > 0$; (3) given $cm_i \in CM$, $dp_j \in DP$ and $c \in K$, if $ed_{i,j,c} > 0$ then there is no $k \in K \setminus \{c\}$ such that $ed_{i,j,k} > 0$. Each generated initial candidate strategy satisfies all three constraints.
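The three-dimensional encoding and the three constraints above, as an added worked example that is not code from the patent: a small Python class stores the array $ed_{i,j,k}$, lists the valid meta-policies, checks constraints (1) to (3), and builds constraint-satisfying initial individuals plus a duration mutation for the genetic algorithm. All class and function names (Policy, random_candidate, mutate_duration) and the DDoS sample data are this example's own assumptions.

```python
import random
from typing import Dict, List, Set, Tuple

# A meta-policy: (measure cm, deployment point dp, timing k (1-based), duration ed).
MetaPolicy = Tuple[str, str, int, int]


class Policy:
    """One candidate policy encoded as ed[i][j][k] (measure, point, timing -> duration)."""

    def __init__(self, measures: List[str], points: List[str], max_k: int,
                 ed_min: int, ed_max: int, psi: Dict[str, Set[str]]):
        self.measures, self.points, self.max_k = list(measures), list(points), max_k
        self.ed_min, self.ed_max = ed_min, ed_max
        self.psi = psi  # psi[cm]: deployment points at which cm can be deployed (Psi(cm_i))
        n, m = len(self.measures), len(self.points)
        self.ed = [[[0] * max_k for _ in range(m)] for _ in range(n)]

    def set_meta(self, cm: str, dp: str, k: int, ed: int) -> None:
        """Write duration ed at index (i, j, k-1); ed > 0 makes it a valid meta-policy."""
        self.ed[self.measures.index(cm)][self.points.index(dp)][k - 1] = ed

    def meta_policies(self) -> List[MetaPolicy]:
        """All valid meta-policies (elements > 0), i.e. the policy itself."""
        return [(cm, dp, k + 1, self.ed[i][j][k])
                for i, cm in enumerate(self.measures)
                for j, dp in enumerate(self.points)
                for k in range(self.max_k) if self.ed[i][j][k] > 0]

    def violations(self) -> List[str]:
        """Check constraints (1)-(3); an empty list means the candidate is admissible."""
        problems = []
        for i, cm in enumerate(self.measures):
            for j, dp in enumerate(self.points):
                timings = [k + 1 for k in range(self.max_k) if self.ed[i][j][k] > 0]
                if timings and dp not in self.psi.get(cm, set()):   # (1) dp not in Psi(cm_i)
                    problems.append(f"(1) {cm} is not deployable at {dp}")
                if len(timings) > 1:                                  # (3) one timing per (cm, dp)
                    problems.append(f"(3) {cm}@{dp} deployed at timings {timings}")
        for j, dp in enumerate(self.points):
            for k in range(self.max_k):
                active = [cm for i, cm in enumerate(self.measures) if self.ed[i][j][k] > 0]
                if len(active) > 1:                                   # (2) one measure per (dp, k)
                    problems.append(f"(2) {dp} at timing {k + 1} runs {active}")
        return problems


def random_candidate(measures: List[str], points: List[str], max_k: int, ed_min: int,
                     ed_max: int, psi: Dict[str, Set[str]], rng: random.Random) -> Policy:
    """Build an initial individual that satisfies constraints (1)-(3) by construction."""
    p = Policy(measures, points, max_k, ed_min, ed_max, psi)
    occupied: Set[Tuple[str, int]] = set()          # (dp, k) slots in use -> constraint (2)
    for cm in measures:                             # at most one (dp, k) per cm -> constraint (3)
        free = [(dp, k) for dp in sorted(psi.get(cm, set()))   # only deployable points -> (1)
                for k in range(1, max_k + 1) if (dp, k) not in occupied]
        if not free or rng.random() < 0.25:         # some measures stay unselected
            continue
        dp, k = rng.choice(free)
        p.set_meta(cm, dp, k, rng.randint(ed_min, ed_max))
        occupied.add((dp, k))
    if not p.meta_policies():                       # a policy needs at least one meta-policy
        cm = next((c for c in measures if psi.get(c)), None)
        if cm is not None:
            p.set_meta(cm, sorted(psi[cm])[0], 1, ed_max)
    return p


def mutate_duration(p: Policy, rng: random.Random) -> Policy:
    """Uniform mutation of one valid meta-policy's duration. Constraints are preserved
    because only the element value changes, never its (i, j, k) position."""
    metas = p.meta_policies()
    if metas:
        cm, dp, k, _ = rng.choice(metas)
        p.set_meta(cm, dp, k, rng.randint(p.ed_min, p.ed_max))
    return p


if __name__ == "__main__":
    # Constructed sample: the DDoS scenario from the description, max timing 3, ed in [1, 10].
    psi = {"blocking_traffic": {"firewall"}, "service_migration": {"server"}}
    pol = Policy(["blocking_traffic", "service_migration"], ["firewall", "server"], 3, 1, 10, psi)
    pol.set_meta("blocking_traffic", "firewall", 1, 10)   # block first, for 10 time units
    pol.set_meta("service_migration", "server", 2, 5)     # migrate second, for 5 time units
    print(pol.meta_policies(), pol.violations())
    rng = random.Random(7)
    cand = random_candidate(list(psi), ["firewall", "server"], 3, 1, 10, psi, rng)
    print(mutate_duration(cand, rng).meta_policies(), cand.violations())
```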
103. And carrying out iterative evolution on a plurality of candidate strategies based on a genetic algorithm according to a preset fitness function until a preset condition is reached, and acquiring a target strategy for realizing intrusion prevention.
And taking the generated initial candidate strategy as an individual in an initial population, continuously evolving the individual in the population through iterative individual crossing, variation, fitness calculation and natural selection, and outputting a final individual, namely a target strategy, when a preset condition, namely an iteration termination condition is reached for realizing intrusion defense. Individual crossover, variation, fitness calculation and natural selection are basic steps in genetic algorithms.
The selection of the crossover, mutation and natural selection operators can be designed by combining the three-dimensional coding scheme in the method according to the requirements of users. For example, the crossover operator may select an existing single-point crossover, double-point crossover, uniform crossover, arithmetic crossover, real arithmetic crossover, etc., the mutation operator may select an existing uniform mutation, non-uniform mutation, boundary mutation, etc., and the natural selection operator may select an existing roulette selection, sort selection, expectation selection, etc. The preset condition, i.e. the iteration termination condition, can be set according to the user's requirements. For example, the iteration termination condition may be set such that a predetermined maximum number of iterations is reached or the individual fitness value increases less than a predetermined threshold within a predetermined iteration number. The fitness function may be set according to particular needs.
In addition, whether the deployed measures are executed immediately or not can be customized by a user.
The intrusion response strategy generation method provided by this embodiment of the invention takes the measures, the deployment points and the deployment timing as the three dimensions of an array, takes the measure execution duration as the element of the array, and uses the three-dimensional array to encode candidate strategies and generate a plurality of them, thereby effectively describing each selected measure together with its deployment point, deployment timing and execution duration. Because a plurality of candidate strategies are generated and then evolved iteratively by a genetic algorithm according to a preset fitness function until a preset condition is reached, the resulting target strategy is one with high response utility chosen while taking measure selection, deployment points, deployment timing and execution duration into account; this ensures the accuracy of strategy generation and yields higher response utility.
Based on the content of the foregoing embodiment, as an optional embodiment, before performing iterative evolution on the multiple candidate strategies based on a genetic algorithm according to a preset fitness function, the method further includes: and determining a fitness function according to the attack loss, the security profit and the strategy overhead.
Take the case where the policy overhead includes the deployment cost and the quality-of-service impact. When computing the fitness of an individual, the attack loss, deployment cost, quality-of-service impact and security benefit are all taken into account, and the fitness function is designed as follows:
Figure BDA0002093685150000071
wherein, AD is the attack loss,
Figure BDA0002093685150000072
and
Figure BDA0002093685150000073
are respectively a strategy
Figure BDA0002093685150000074
Deployment cost, quality of service impact, and security benefits.
According to the intrusion response strategy generation method provided by the embodiment, the fitness function is determined according to the attack loss, the security profit and the strategy overhead, the profit and the overhead can be effectively considered, the set fitness function is more objective, the finally obtained intrusion response strategy has enough response utility, and the accuracy of the strategy generation is ensured in the iterative selection process of the method.
Based on the content of the foregoing embodiment, as an optional embodiment, before determining the fitness function according to the attack loss, the security profit, and the policy overhead, the method further includes: selecting an attack influence function according to the attack severity; and determining the attack loss based on the attack influence function according to the time length from the attack start to the attack response.
Three impact functions are used to describe how the attack loss, the security benefit and the quality-of-service impact change over time, as shown below.
Constant influence function:
Figure BDA0002093685150000081
linear influence function:
Figure BDA0002093685150000082
exponential influence function:
Figure BDA0002093685150000083
where the weight factors $w_1$ and $w_2$ can each be set according to user requirements.
According to the alarm information, firstly extracting attack duration in the alarm information and converting the attack duration into the number of time units as response starting time; then, selecting an attack influence function according to the attack severity, for example, when the severity is higher than a set threshold, describing the change trend of the attack loss along with the time by adopting an exponential attack influence function; and finally, evaluating the attack loss according to the response starting time and an attack influence function, wherein the attack loss is the accumulated influence of the attack on the system from the attack occurrence to the response start, and therefore, calculating the integral of the attack influence function from zero to the response starting time as the attack loss, and the following formula is shown:
Figure BDA0002093685150000084
wherein, λ is the response start time,
Figure BDA0002093685150000085
is an attack impact function selected according to the severity of the attack.
According to the intrusion response strategy generation method provided by the embodiment, the attack influence function is selected according to the attack severity, the attack loss is determined based on the attack influence function according to the time length from the attack start to the response attack, so that the loss caused by the attack can be objectively evaluated, and the generated intrusion response strategy is more accurate.
Based on the foregoing embodiment, as an optional embodiment, when the policy overhead includes a deployment cost, the method further includes, before determining the fitness function according to the attack loss, the security profit and the policy overhead: determining the deployment cost of each meta-policy according to the overhead of that meta-policy, and taking the sum of the deployment costs of all meta-policies in a policy as the deployment cost of the policy. The overhead of each meta-policy includes the deployment duration of the measure in the meta-policy, the resource consumption level of the measure, and the importance of the deployment point.
The deployment cost
Figure BDA0002093685150000091
of deploying a policy
Figure BDA0002093685150000092
is the amount of resources that must be consumed, computed as the sum of the deployment costs of the meta-policies in the policy:
Figure BDA0002093685150000093
where
Figure BDA0002093685150000094
is the deployment cost of meta-policy
Figure BDA0002093685150000095
The evaluation of the deployment cost of each meta-policy considers the deployment duration of the selected measure, the measure resource consumption level and the importance degree of the deployment point, and the specific calculation is exemplified as shown in the following formula:
Figure BDA0002093685150000096
where $DT(cm_i)$ is the deployment time of measure $cm_i$, $RS(cm_i) \in N^+$ is the resource consumption level of measure $cm_i$, $Im(dp_j) \in N^+$ is the importance of deployment point $dp_j$, and $\alpha$ and $\gamma$ are the impact weighting factors.
According to the intrusion response strategy generation method provided by the embodiment, the deployment cost of each meta-strategy is determined according to the overhead of each meta-strategy, so that the deployment cost of the strategy can be objectively evaluated, and the generated intrusion response strategy is more accurate.
Based on the foregoing embodiment, as an optional embodiment, when the policy overhead includes a quality-of-service impact, the method further includes, before determining the fitness function according to the attack loss, the security profit and the policy overhead: determining the quality-of-service impact of each meta-policy on the directly affected services according to the degree to which the meta-policy affects each directly affected service, the execution duration of the measure in the meta-policy, and the importance of the directly affected service; determining the quality-of-service impact of each meta-policy on the indirectly affected services according to the degree to which each indirectly affected service depends on the directly affected services, the execution duration of the measure in the meta-policy, the importance of the indirectly affected service and the degree to which the meta-policy affects it; and determining the quality-of-service impact of the policy as the sum, over all meta-policies, of the quality-of-service impact on the directly affected services and the quality-of-service impact on the indirectly affected services.
The quality of service impact
Figure BDA0002093685150000097
of a policy
Figure BDA0002093685150000098
is the negative impact on the quality of service after the policy is executed. It is calculated as the sum of the direct and indirect quality of service impact of every meta-policy, as shown in the following equation:
Figure BDA0002093685150000101
wherein
Figure BDA0002093685150000102
and
Figure BDA0002093685150000103
are respectively the direct quality of service impact and the indirect quality of service impact of deploying the meta-policy
Figure BDA0002093685150000104
. In evaluating the direct quality of service impact of each meta-policy, the services directly affected by the meta-policy and their importance degrees are considered together with the cumulative impact on those services over the measure execution period, as shown in the following formula:
Figure BDA0002093685150000105
wherein
Figure BDA0002093685150000106
is the list of services directly affected by the meta-policy
Figure BDA0002093685150000107
, Im(s_p) ∈ [0, 1] is the importance degree of service s_p, and
Figure BDA0002093685150000108
is the cumulative effect of the meta-policy
Figure BDA0002093685150000109
on service s_p, calculated as follows:
Figure BDA00020936851500001010
wherein
Figure BDA00020936851500001011
is one of the constant impact function, linear impact function and exponential impact function described above, selected according to the importance level of the service and the severity with which the meta-policy affects the service.
In evaluating the indirect quality of service impact of each meta-policy, the importance degree of the services indirectly affected by the meta-policy, the degree to which those services depend on the services directly affected by the meta-policy, and the cumulative impact on the indirectly affected services over the measure execution period are considered together, as shown in the following formula:
Figure BDA00020936851500001012
wherein D(s_p) is the list of services that depend on service s_p, and d_{l,p} ∈ [0, 1] is the degree to which service s_l depends on service s_p.
The intrusion response policy generation method provided in this embodiment determines the quality of service impact of a policy as the sum of the quality of service impact of all its meta-policies on the directly affected services and on the indirectly affected services, so that the quality of service impact can be objectively evaluated and the generated intrusion response policy is more accurate.
Based on the content of the foregoing embodiment, as an optional embodiment, before determining the fitness function according to the attack loss, the security benefit and the policy overhead, the method further includes: determining the security benefit as the sum of the benefit gains of the vulnerabilities covered by each meta-strategy, where the benefit gain is the coverage benefit of the meta-strategy for the vulnerability compared with the maximum coverage benefit that other meta-strategies achieve for that vulnerability before the meta-strategy is deployed.
The security benefit of a strategy is evaluated through vulnerability coverage benefit. First, all meta-policies in the policy and the list of vulnerabilities covered by each meta-policy are obtained, and the policy security benefit is defined as the sum of the benefit gains of the vulnerabilities covered by each meta-policy, as shown in the following formula:
Figure BDA0002093685150000111
wherein V(cm_i, dp_j) is the list of vulnerabilities covered by measure cm_i deployed at deployment point dp_j, and
Figure BDA0002093685150000112
is the coverage gain for vulnerability v obtained by deploying the meta-policy
Figure BDA0002093685150000113
. The coverage gain of a meta-policy for a given vulnerability is the gain of the meta-policy's coverage benefit for that vulnerability over the maximum coverage benefit achieved for the vulnerability before the meta-policy is deployed, specifically calculated as follows:
Figure BDA0002093685150000114
wherein
Figure BDA0002093685150000115
is the coverage benefit of the meta-policy
Figure BDA0002093685150000116
for vulnerability v, and
Figure BDA0002093685150000117
is the meta-policy with the maximum coverage benefit for vulnerability v among those deployed before the meta-policy
Figure BDA0002093685150000118
.
According to the intrusion response strategy generation method provided by this embodiment, the security benefit is determined as the sum of the benefit gains of the vulnerabilities covered by each meta-strategy, so that the security benefit can be objectively evaluated and the generated intrusion response strategy is more accurate.
Based on the content of the foregoing embodiment, as an optional embodiment, before determining the security benefit as the sum of the benefit gains of the vulnerabilities covered by each meta-strategy, the method further includes: determining the coverage benefit of each meta-strategy for the corresponding vulnerability according to the effectiveness of the meta-strategy at its deployment point and the corresponding accumulated security benefit.
The coverage benefit of each meta-policy for a vulnerability it covers is evaluated by considering the effectiveness of the selected measure in the meta-policy when deployed at the corresponding deployment point together with the accumulated security benefit of the meta-policy during the execution of the measure, as shown in the following formula:
Figure BDA0002093685150000119
wherein
Figure BDA00020936851500001110
is the effectiveness of measure cm_i deployed at deployment point dp_j, which lies in the range [0, 1], and
Figure BDA00020936851500001111
is the cumulative security benefit of the meta-policy
Figure BDA00020936851500001112
over the time period [ts, te], where ts and te = ts + ed_{i,j,k} are respectively the execution start and end time units of measure cm_i in the meta-policy;
Figure BDA00020936851500001113
is calculated as follows:
Figure BDA0002093685150000121
wherein
Figure BDA0002093685150000122
is one of the constant influence function, linear influence function and exponential influence function described above, selected according to the effectiveness of deploying the measure in the meta-policy.
According to the intrusion response strategy generation method provided by this embodiment, the coverage benefit of each meta-strategy for the corresponding vulnerability is determined according to the effectiveness of the meta-strategy at its deployment point and the corresponding accumulated security benefit, so that the coverage benefit of the meta-strategy for the corresponding vulnerability is objectively evaluated.
Fig. 3 is an application scenario diagram of an intrusion response policy generation method according to an embodiment of the present invention, taking the intrusion response policy generation process for a network attack as an example. The network topology shown in Fig. 3 includes a trusted zone, an isolation zone, two firewalls (FW1 and FW2), a router (RT) and switch 1 (SW1). The trusted zone contains an administrator workstation (Workstation), a database server (DBS), a file server (FS) and switch 2 (SW2). The isolation zone contains four servers: web server 1 (WS1), web server 2 (WS2), a DNS server (DNS) and a mail server (MS).
Suppose the attacker targets the FS and there are 7 candidate measures that can be selected to respond to the attack, as shown in Table 1.
TABLE 1
Measure numbering Content of the measures
cm1 BlockIPPort(WS1,http)
cm2 BlockIPPort(WS2,http)
cm3 BlockIPPort(FS1,FTP)
cm4 BlockAllTraffic()
cm5 CloseConnection(ftp)
cm6 rebootDevice()
cm7 Patch()
Since the FS is located in the trusted zone, an attacker can only reach the FS indirectly by first compromising WS1 and WS2. Table 2 shows the 10 candidate deployment points and their importance degrees.
TABLE 2
Numbering Deployment point Degree of importance
dp1 DBS 90
dp2 FS 80
dp3 Workstation 75
dp4 FW1 80
dp5 WS1 70
dp6 WS2 70
dp7 FW2 90
dp8 RT 90
dp9 SW1 80
dp10 SW2 75
The maximum deployment time sequence is set to 2, the minimum execution duration to 0 time units, the maximum execution duration to 100 time units, the number of individuals in the initial population to 210 and the mutation probability to 0.1; the termination condition is that the increase of the maximum fitness value in each of 20 consecutive iterations is less than 10^-8. The strategy generation process is as follows:
1. Receive the alarm information, extract the attack duration from it, convert the duration into a number of time units and use this as the response start time; extract the attack severity from the alarm information and select the attack influence function according to the severity: when the attack severity is less than 0.3, a constant attack influence function is selected to describe the attack impact; when it is greater than 0.3 and less than 0.7, a linear attack influence function is selected; when it is greater than 0.7, an exponential attack influence function is selected. Set the specific parameters of the selected attack influence function according to the attack confidence, the severity and the severity of the attacked object in the alarm information, and calculate the integral of the function from zero to the response start time as the attack loss.
2. Randomly generate 210 three-dimensional arrays of size 7 × 10 × 2 as the initial population, with every array element in the interval [0, 100]. Each array in the initial population is an individual and represents an initial strategy, and each strategy satisfies the three predefined constraints.
3. Perform crossover, mutation, fitness calculation and natural selection on the individuals in the population. Each step is executed as follows:
1) The crossover operator may be a real-number crossover operator, which operates as follows: (1) randomly select three individuals from the population without replacement; every two of them form a pair, giving three pairs of individuals; (2) for each pair of individuals (
Figure BDA0002093685150000141
and
Figure BDA0002093685150000142
), first generate a block region of random size and position in one individual and a block region of the same size and position in the other individual; two offspring individuals (
Figure BDA0002093685150000143
and
Figure BDA0002093685150000144
) are then generated by the following operator:
Figure BDA0002093685150000145
wherein
Figure BDA0002093685150000146
and
Figure BDA0002093685150000147
are respectively the elements with index (i, j, k) in the block region of the individuals
Figure BDA0002093685150000148
and
Figure BDA0002093685150000149
,
Figure BDA00020936851500001410
and
Figure BDA00020936851500001411
are respectively the crossed values of the elements with index (i, j, k) in the block region of the offspring individuals
Figure BDA00020936851500001412
and
Figure BDA00020936851500001413
,
Figure BDA00020936851500001414
is a weighting factor, and
Figure BDA00020936851500001415
is the fitness function defined above; (3) add the six offspring individuals generated by crossing the three pairs of individuals to the offspring population; (4) repeat steps (1) to (3) until the offspring population contains 420 individuals, i.e. twice the size of the initial population.
2) The mutation operator may be a non-uniform mutation operator, and each individual undergoes mutation with probability 0.1. As in the crossover operation, a mutation block region of random size and position is generated for each mutated individual, and for each element with index (i, j, k) in the mutation block region the mutation operation is as follows:
Figure BDA00020936851500001416
wherein ed_{i,j,k} and ed'_{i,j,k} are the values of the element with index (i, j, k) before and after mutation, rnd(1) ∈ {0, 1} is a random number, g is the current iteration number, and the function (g, y) is defined as follows:
Figure BDA00020936851500001417
wherein G is the maximum iteration number, 500, θ ∈ [0, 1] is a random value, and τ adjusts the search domain and is usually set within [2, 5].
3) Evaluate the fitness of each individual according to the fitness equation defined in this scheme, where the attack loss AD in the fitness equation is calculated in step 1, and the security benefit
Figure BDA0002093685150000151
, deployment cost
Figure BDA0002093685150000152
and quality of service impact
Figure BDA0002093685150000153
are evaluated in the manner defined in this scheme.
4) Select the 210 individuals with the highest fitness in the population to form the new population and check whether the termination condition is reached; if it is, go to step 4, otherwise repeat the current step 3.
4. Output the final individual as the response policy. The response policy contains 3 meta-policies: <BlockIPPort(WS1,http), WS1, 0, 11>, <BlockIPPort(WS2,http), WS2, 0, 26> and <CloseConnection(ftp), FS, 1, 1>. This means that the measures "BlockIPPort(WS1,http)" and "BlockIPPort(WS2,http)" are first deployed on WS1 and WS2 respectively and executed for 11 and 26 time units respectively; then the measure "CloseConnection(ftp)" is deployed on the FS and executed for 1 time unit.
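The encoding from step 2 and the two genetic operators from step 3 above, as an added Python example that is not part of the patent: the crossover and mutation formulas on the page are images, so the arithmetic inside the block (a fitness-weighted blend of the two parents) and the form of the function (g, y) (Michalewicz's non-uniform mutation step, whose parameters G, θ and τ match the ones named above) are assumptions, and the fitness values passed to the crossover are constructed.

```python
"""Added example (not the patent's own code): 3-D strategy encoding, block-region
crossover and non-uniform mutation.  Assumed: blend weight lam = f1 / (f1 + f2)
inside the block, and (g, y) = y * (1 - theta ** ((1 - g/G) ** tau))."""
import copy
import random
from typing import List, Tuple

# Candidate measures (Table 1) and deployment points (Table 2) as given on the page.
MEASURES = ["BlockIPPort(WS1,http)", "BlockIPPort(WS2,http)", "BlockIPPort(FS1,FTP)",
            "BlockAllTraffic()", "CloseConnection(ftp)", "rebootDevice()", "Patch()"]
DEPLOY_POINTS = ["DBS", "FS", "Workstation", "FW1", "WS1", "WS2", "FW2", "RT", "SW1", "SW2"]
MAX_TIMING = 2            # maximum deployment time sequence
ED_MIN, ED_MAX = 0, 100   # minimum / maximum execution duration in time units
G_MAX = 500               # maximum iteration number G

Strategy = List[List[List[int]]]          # s[i][j][k] == ed_{i,j,k}
MetaPolicy = Tuple[str, str, int, int]    # <measure, deployment point, k, duration>
Block = List[Tuple[int, int]]             # [start, stop) along each of the 3 dimensions

# The response policy output in step 4 above, written as decoded meta-policies.
FINAL_POLICY: List[MetaPolicy] = [
    ("BlockIPPort(WS1,http)", "WS1", 0, 11),
    ("BlockIPPort(WS2,http)", "WS2", 0, 26),
    ("CloseConnection(ftp)", "FS", 1, 1),
]

def make_rng(seed: int) -> random.Random:
    return random.Random(seed)

def random_strategy(rng: random.Random) -> Strategy:
    """One individual: a 7 x 10 x 2 array with every element in [ED_MIN, ED_MAX]."""
    return [[[rng.randint(ED_MIN, ED_MAX) for _ in range(MAX_TIMING)]
             for _ in DEPLOY_POINTS] for _ in MEASURES]

def decode(s: Strategy) -> List[MetaPolicy]:
    """Valid meta-policies are exactly the elements with ed_{i,j,k} > 0."""
    return [(MEASURES[i], DEPLOY_POINTS[j], k, s[i][j][k])
            for i in range(len(MEASURES))
            for j in range(len(DEPLOY_POINTS))
            for k in range(MAX_TIMING) if s[i][j][k] > 0]

def encode(policy: List[MetaPolicy]) -> Strategy:
    """Inverse of decode: put each meta-policy's duration at its index (i, j, k)."""
    s = [[[0] * MAX_TIMING for _ in DEPLOY_POINTS] for _ in MEASURES]
    for measure, dp, k, ed in policy:
        s[MEASURES.index(measure)][DEPLOY_POINTS.index(dp)][k] = ed
    return s

def all_values(s: Strategy) -> List[int]:
    return [v for plane in s for row in plane for v in row]

def random_block(rng: random.Random) -> Block:
    """A block region of random size and position inside the 7 x 10 x 2 array."""
    block = []
    for n in (len(MEASURES), len(DEPLOY_POINTS), MAX_TIMING):
        size = rng.randint(1, n)
        start = rng.randint(0, n - size)
        block.append((start, start + size))
    return block

def block_indices(block: Block) -> List[Tuple[int, int, int]]:
    (i0, i1), (j0, j1), (k0, k1) = block
    return [(i, j, k) for i in range(i0, i1) for j in range(j0, j1) for k in range(k0, k1)]

def crossover(x1: Strategy, x2: Strategy, f1: float, f2: float, block: Block):
    """Real-number crossover: the same block is taken from both parents and each
    offspring element is a fitness-weighted blend (assumed lam = f1 / (f1 + f2));
    elements outside the block are copied from the parents unchanged."""
    lam = f1 / (f1 + f2) if f1 + f2 > 0 else 0.5
    c1, c2 = copy.deepcopy(x1), copy.deepcopy(x2)
    for i, j, k in block_indices(block):
        a, b = x1[i][j][k], x2[i][j][k]
        c1[i][j][k] = round(lam * a + (1 - lam) * b)   # a blend stays in [ED_MIN, ED_MAX]
        c2[i][j][k] = round((1 - lam) * a + lam * b)
    return c1, c2

def delta(g: int, y: float, rng: random.Random, tau: float = 3.0) -> float:
    """Assumed form of (g, y): a step in [0, y] that shrinks to 0 as g approaches G,
    y * (1 - theta ** ((1 - g/G) ** tau)) with theta drawn uniformly from [0, 1]."""
    theta = rng.random()
    return y * (1.0 - theta ** ((1.0 - g / G_MAX) ** tau))

def mutate(s: Strategy, g: int, block: Block, rng: random.Random, tau: float = 3.0) -> Strategy:
    """Non-uniform mutation of every element in the block (the caller applies it to an
    individual with probability 0.1): rnd(1) picks the direction, and the step size
    keeps ed'_{i,j,k} inside [ED_MIN, ED_MAX] by construction."""
    s2 = copy.deepcopy(s)
    for i, j, k in block_indices(block):
        ed = s[i][j][k]
        if rng.randint(0, 1) == 0:
            s2[i][j][k] = round(ed + delta(g, ED_MAX - ed, rng, tau))
        else:
            s2[i][j][k] = round(ed - delta(g, ed - ED_MIN, rng, tau))
    return s2

if __name__ == "__main__":
    rng = make_rng(7)
    p1, p2 = random_strategy(rng), random_strategy(rng)
    c1, c2 = crossover(p1, p2, 0.8, 0.2, random_block(rng))   # constructed fitness values
    child = mutate(c1, g=10, block=random_block(rng), rng=rng)
    print(len(decode(child)), "valid meta-policies, first three:", decode(child)[:3])
    print("final policy round-trips:", decode(encode(FINAL_POLICY)) == FINAL_POLICY)
```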
Fig. 4 is a structural diagram of an intrusion response policy generation apparatus according to an embodiment of the present invention. As shown in Fig. 4, the apparatus is applicable to a server, a gateway, a firewall and the like, and includes a first processing module 401, a second processing module 402 and a policy generation module 403. The first processing module 401 is configured to determine a candidate measure set and a deployment point set for responding to an attack according to the received alarm information and the network topology; the second processing module 402 is configured to use the measures, the deployment points and the measure deployment time sequence as the three dimensions of an array, use the measure execution duration as the array elements, and encode candidate policies with the three-dimensional array to generate a plurality of candidate policies; the policy generation module 403 is configured to iteratively evolve the candidate policies based on a genetic algorithm according to a preset fitness function until a preset condition is reached, and obtain a target policy for implementing intrusion prevention. Each policy comprises at least one meta-policy, and each meta-policy comprises a measure, a deployment point, a measure deployment time sequence and a measure execution duration.
The first processing module 401 receives the alarm information and obtains, according to the alarm information and the network topology information, a candidate measure set and a deployment point set that can be used to respond to the attack. The alarm information includes, but is not limited to, the alarm ID, attack type, attack severity, alarm confidence, attack duration, attacker IP address, attacker port number, attacker ID and the ID of the attacked object.
The second processing module 402 encodes candidate strategies with a three-dimensional array based on the obtained candidate measure set and deployment point set, the set maximum deployment time sequence and the set maximum and minimum measure execution durations, and generates a plurality of candidate strategies. The three dimensions of the array represent the candidate measures, the deployment points and the deployment time sequence respectively, and each element of the array represents a measure execution duration; an index (i, j, k) together with its element ed_{i,j,k} forms a meta-policy
Figure BDA0002093685150000161
, meaning that the selected measure cm_i is deployed at deployment point dp_j at the k-th timing and executed for ed_{i,j,k} time units. When the execution duration ed_{i,j,k} of the measure in a meta-policy is greater than zero, the meta-policy is called a valid meta-policy. All valid meta-policies together form one candidate policy.
The strategy generation module 403 uses the generated initial candidate strategies as the individuals of the initial population, continuously evolves the individuals in the population through iterative crossover, mutation, fitness calculation and natural selection, and, when the preset condition (the iteration termination condition) is reached, outputs the final individual as the target strategy for implementing intrusion prevention. Individual crossover, mutation, fitness calculation and natural selection are the basic steps of a genetic algorithm.
The device embodiment provided in the embodiments of the present invention is for implementing the above method embodiments, and for details of the process and the details, reference is made to the above method embodiments, which are not described herein again.
The intrusion response strategy generation device provided by the embodiment of the invention takes the measures, the deployment points and the measure deployment time sequence as three dimensions of the array, takes the measure execution time length as an element in the array, and utilizes the three-dimensional array to code the candidate strategies and generate a plurality of candidate strategies, thereby effectively describing each selected measure and the deployment points, deployment time sequence and execution time length thereof. Because a plurality of candidate strategies are generated and are subjected to iterative evolution based on a genetic algorithm according to a preset fitness function until a preset condition is reached, a target strategy is obtained, so that a strategy with high response utility is selected under the condition of considering selection measures, deployment points, deployment time sequences and execution duration, the accuracy of generating the strategy is ensured, and higher response utility is obtained.
Fig. 5 is a schematic entity structure diagram of an electronic device according to an embodiment of the present invention, and as shown in fig. 5, the electronic device may include: a processor (processor)501, a communication Interface (Communications Interface)502, a memory (memory)503, and a bus 504, wherein the processor 501, the communication Interface 502, and the memory 503 are configured to communicate with each other via the bus 504. The communication interface 502 may be used for information transfer of an electronic device. The processor 501 may call logic instructions in the memory 503 to perform a method comprising: determining a candidate measure set and a deployment point set for responding to the attack according to the received alarm information and the network topology structure; taking the measures, the deployment points and the time sequence of measure deployment as three dimensions of an array, taking the duration of measure execution as an element in the array, and coding the candidate strategies by utilizing the three-dimensional array to generate a plurality of candidate strategies; performing iterative evolution on the candidate strategies based on a genetic algorithm according to a preset fitness function until a preset condition is reached, and acquiring a target strategy for realizing intrusion prevention; each strategy comprises at least one meta-strategy, and each meta-strategy comprises measures, a deployment point, a time sequence of measure deployment and a duration of measure execution.
In addition, the logic instructions in the memory 503 may be implemented in the form of software functional units and stored in a computer readable storage medium when the logic instructions are sold or used as independent products. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the above-described method embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
In another aspect, an embodiment of the present invention further provides a non-transitory computer-readable storage medium, on which a computer program is stored, where the computer program is implemented by a processor to perform the method provided by the foregoing embodiments, for example, including: determining a candidate measure set and a deployment point set for responding to the attack according to the received alarm information and the network topology structure; taking the measures, the deployment points and the time sequence of measure deployment as three dimensions of an array, taking the duration of measure execution as an element in the array, and coding the candidate strategies by utilizing the three-dimensional array to generate a plurality of candidate strategies; performing iterative evolution on the candidate strategies based on a genetic algorithm according to a preset fitness function until a preset condition is reached, and acquiring a target strategy for realizing intrusion prevention; each strategy comprises at least one meta-strategy, and each meta-strategy comprises measures, a deployment point, a time sequence of measure deployment and a duration of measure execution.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods of the various embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (9)

1. An intrusion response policy generation method, comprising:
determining a candidate measure set and a deployment point set for responding to the attack according to the received alarm information and the network topology structure;
taking the measures, the deployment points and the time sequence of measure deployment as three dimensions of an array, taking the duration of measure execution as an element in the array, and coding the candidate strategies by utilizing the three-dimensional array to generate a plurality of candidate strategies;
performing iterative evolution on the candidate strategies based on a genetic algorithm according to a preset fitness function until a preset condition is reached, and acquiring a target strategy for realizing intrusion prevention;
each candidate strategy comprises at least one meta-strategy, and each meta-strategy comprises a measure, a deployment point, a measure deployment time sequence and a measure execution time length;
before the iterative evolution of the candidate strategies based on the genetic algorithm according to the preset fitness function, the method further includes:
and determining the fitness function according to the attack loss, the security profit and the strategy overhead.
2. The method of generating an intrusion response policy according to claim 1, wherein before determining the fitness function according to the attack loss, the security gain, and the policy overhead, further comprising:
selecting an attack influence function according to the attack severity;
and determining the attack loss based on the attack influence function according to the time length from the attack start to the attack response.
3. The method of claim 1, wherein the policy overhead includes deployment cost, and accordingly, before determining the fitness function according to attack loss, security revenue and policy overhead, the method further comprises:
determining the deployment cost of each meta-strategy according to the overhead of each meta-strategy,
taking the sum of the deployment costs of all the meta-policies in the policy as the deployment cost of the policy;
the overhead of each meta-policy includes deployment duration of measures in the meta-policy, resource consumption level of the measures, and importance of deployment points.
4. The method of claim 1, wherein the policy overhead includes a quality of service impact, and accordingly, before determining the fitness function according to the attack loss, the security benefit and the policy overhead, the method further comprises:
determining the influence of each meta-strategy on the service quality of the directly influenced service according to the influence degree of each meta-strategy on the directly influenced service, the execution time length of measures in the meta-strategy and the importance degree of the directly influenced service;
determining the influence of each meta-strategy on the service quality of the indirectly influenced service according to the degree to which the indirectly influenced service depends on the directly influenced service, the duration of the execution of measures in the meta-strategy, and the combination of the importance degree of the indirectly influenced service and the influence degree of the meta-strategy on the indirectly influenced service;
and determining the service quality influence of the corresponding strategy according to the sum of the service quality influence of all the meta-strategies on the directly influenced service and the service quality influence of the indirectly influenced service.
5. The method of generating an intrusion response policy according to claim 1, wherein before determining the fitness function according to the attack loss, the security gain, and the policy overhead, further comprising:
determining the security benefit as the sum of the benefit gains of the vulnerabilities covered by each meta-strategy;
wherein the benefit gain is the coverage benefit of the meta-strategy for the vulnerability compared with the maximum coverage benefit of other meta-strategies for the vulnerability before the deployment of the meta-strategy.
6. The method of claim 5, wherein before determining the security benefits according to the sum of the benefits gained by covering the vulnerability with each meta-policy, the method further comprises:
determining the coverage benefit of each meta-strategy for the corresponding vulnerability according to the effectiveness of each meta-strategy at the corresponding deployment point and the corresponding accumulated security benefit.
7. An intrusion response policy generation apparatus, comprising:
the first processing module is used for determining a candidate measure set and a deployment point set for responding to attacks according to the received alarm information and the network topology structure;
the second processing module is used for taking the measures, the deployment points and the time sequence of measure deployment as three dimensions of the array, taking the duration of measure execution as an element in the array, and encoding the candidate strategies by utilizing the three-dimensional array to generate a plurality of candidate strategies;
the strategy generation module is used for carrying out iterative evolution on the candidate strategies based on a genetic algorithm according to a preset fitness function until a preset condition is reached and acquiring a target strategy for realizing intrusion prevention;
each candidate strategy comprises at least one meta-strategy, and each meta-strategy comprises a measure, a deployment point, a measure deployment time sequence and a measure execution time length;
before the iterative evolution of the candidate strategies based on the genetic algorithm according to the preset fitness function, the method further includes:
and determining the fitness function according to the attack loss, the security profit and the strategy overhead.
8. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the steps of the intrusion response policy generation method according to any one of claims 1 to 6 are implemented when the processor executes the program.
9. A non-transitory computer readable storage medium having stored thereon a computer program, which when executed by a processor implements the steps of the intrusion response policy generation method according to any one of claims 1 to 6.
CN201910511661.3A 2019-06-13 2019-06-13 Intrusion response strategy generation method and device Active CN110290122B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910511661.3A CN110290122B (en) 2019-06-13 2019-06-13 Intrusion response strategy generation method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910511661.3A CN110290122B (en) 2019-06-13 2019-06-13 Intrusion response strategy generation method and device

Publications (2)

Publication Number Publication Date
CN110290122A CN110290122A (en) 2019-09-27
CN110290122B true CN110290122B (en) 2020-07-17

Family

ID=68004086

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910511661.3A Active CN110290122B (en) 2019-06-13 2019-06-13 Intrusion response strategy generation method and device

Country Status (1)

Country Link
CN (1) CN110290122B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113037811B (en) * 2021-02-24 2022-07-12 中国联合网络通信集团有限公司 Deployment strategy selection method and device
CN115718865A (en) * 2021-08-23 2023-02-28 中兴通讯股份有限公司 Policy management method, device and computer-readable storage medium
CN115632891B (en) * 2022-12-23 2023-03-10 上海飞旗网络技术股份有限公司 Active security defense technology-oriented confrontation model design method and device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101808020A (en) * 2010-04-19 2010-08-18 Jilin University Intrusion response decision-making method based on incomplete-information dynamic game
CN108809979A (en) * 2018-06-11 2018-11-13 PLA Strategic Support Force Information Engineering University Automatic intrusion response decision-making method based on Q-learning
CN109361690A (en) * 2018-11-19 2019-02-19 Institute of Information Engineering, Chinese Academy of Sciences Method and system for generating threat handling strategies in a network

Family Cites Families (5)

Publication number Priority date Publication date Assignee Title
US7581249B2 (en) * 2003-11-14 2009-08-25 Enterasys Networks, Inc. Distributed intrusion response system
KR100623552B1 (en) * 2003-12-29 2006-09-18 Korea Information Security Agency Method of risk analysis in automatic intrusion response system
CN101557327A (en) * 2009-03-20 2009-10-14 Yangzhou Yongxin Computer Co., Ltd. Intrusion detection method based on support vector machine (SVM)
CN106027550B (en) * 2016-06-29 2019-04-12 Beijing University of Posts and Telecommunications Defense policy system analysis method and device
CN107943754B (en) * 2017-12-08 2021-01-05 Hangzhou Dianzi University Heterogeneous redundancy system optimization method based on genetic algorithm

Patent Citations (3)

Publication number Priority date Publication date Assignee Title
CN101808020A (en) * 2010-04-19 2010-08-18 Jilin University Intrusion response decision-making method based on incomplete-information dynamic game
CN108809979A (en) * 2018-06-11 2018-11-13 PLA Strategic Support Force Information Engineering University Automatic intrusion response decision-making method based on Q-learning
CN109361690A (en) * 2018-11-19 2019-02-19 Institute of Information Engineering, Chinese Academy of Sciences Method and system for generating threat handling strategies in a network

Non-Patent Citations (2)

Title
Selecting Combined Countermeasures for Multi-Attack Paths in Intrusion Response System; Fenghua Li et al.; 2018 27th International Conference on Computer Communication and Networks (ICCCN); 20181011; main text pp. 1-9 *
Research on Key Technologies of Intrusion Prevention with Immune Response Capability; Li Yongzheng; China Doctoral Dissertations Full-text Database (electronic journal), Information Science and Technology series; 20131215 (No. 12); main text p. 73 *

Also Published As

Publication number Publication date
CN110290122A (en) 2019-09-27

Similar Documents

Publication Publication Date Title
CN110290122B (en) Intrusion response strategy generation method and device
CN107465648B (en) Abnormal equipment identification method and device
US8275899B2 (en) Methods, devices and computer program products for regulating network activity using a subscriber scoring system
US10003607B1 (en) Automated detection of session-based access anomalies in a computer network through processing of session data
US8935785B2 (en) IP prioritization and scoring system for DDoS detection and mitigation
EP2816773B1 (en) Method for calculating and analysing risks and corresponding device
Shawahna et al. EDoS-ADS: An enhanced mitigation technique against economic denial of sustainability (EDoS) attacks
Iyengar et al. A fuzzy logic based defense mechanism against distributed denial of service attack in cloud computing environment
CN108337219B (en) Method for preventing Internet of things from being invaded and storage medium
CN108574668B (en) DDoS attack flow peak value prediction method based on machine learning
US20220006783A1 (en) Privacy preserving cooperative firewall rule optimizer
CN114726557A (en) Network security protection method and device
Liu et al. TorPolice: Towards enforcing service-defined access policies for anonymous communication in the Tor network
CN110602062A (en) Network active defense method and device based on reinforcement learning
Smith-perrone et al. Securing cloud, SDN and large data network environments from emerging DDoS attacks
Bock et al. Application of routine activity theory to cyber intrusion location and time
US11677765B1 (en) Distributed denial of service attack mitigation
Wan et al. Foureye: Defensive deception based on hypergame theory against advanced persistent threats
Sokol et al. Definition of attack in the context of low-level interaction server honeypots
JP6538618B2 (en) Management device and management method
Goldstein et al. Bayes optimal ddos mitigation by adaptive history-based ip filtering
Liu et al. Deception Maze: A Stackelberg Game-Theoretic Defense Mechanism for Intranet Threats
US9936008B2 (en) Method and system for dynamically shifting a service
Seth et al. An effective DOS attack detection model in cloud using artificial bee colony optimization
US11902308B2 (en) Detecting threat pathways using sequence graphs

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant