CN110519253B - Virtual private network mimicry method in mimicry defense - Google Patents
- Publication number
- CN110519253B (application CN201910772472.1A)
- Authority
- CN
- China
- Prior art keywords
- virtual private
- private network
- tunnel
- communication
- mimicry
- Prior art date
- Legal status
- Active
Classifications
- H04L12/4633—Interconnection of networks using encapsulation techniques, e.g. tunneling (H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L12/00—Data switching networks > H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks] > H04L12/46—Interconnection of networks)
- H04L12/4641—Virtual LANs, VLANs, e.g. virtual private networks [VPN] (same parent path as H04L12/4633)
- H04L63/0272—Virtual private networks (H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00—Network architectures or network communication protocols for network security > H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls)
- H04L63/029—Firewall traversal, e.g. tunnelling or, creating pinholes (same parent path as H04L63/0272)
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a virtual private network (VPN) mimicry method for mimicry defense. The method weighs the communication security of the VPN against the system resources it consumes. Its aim is to apply the mimicry idea to a VPN that would otherwise keep a single long-lived connection: during communication it switches dynamically among heterogeneous VPN tunnels, and the length of the time window allotted to each tunnel in the next rotation is determined by the rate at which messages were transmitted securely through that tunnel. The method consumes few system resources, keeps the session between the two communicating parties secure, switches tunnels quickly and is broadly applicable.
Description
Technical Field
The invention belongs to the technical field of network security, and in particular to mimicry defense within network security; it relates to a virtual private network mimicry method in mimicry defense.
Background
With the continuous evolution of the internet and of attack techniques, network attacks have become covert, coordinated and precise, and network security finds itself in a position where attack is easy and defense is hard. To move away from the traditional passive protection model of "blocking, scanning and killing" (perimeter blocking plus malware scanning and removal) and build an active defense capability, mimicry defense technology was developed. Mimicry defense is an active defense technique built on a dynamic heterogeneous redundant (DHR) structure within a system, intended to cope with unknown threats in cyberspace. Because it combines several defensive means, it offers good reliability and generality and has become a research focus in academia and industry in recent years.
The mimicry virtual private network method is an important component of mimicry defense technology. A virtual private network is a technology for building a private network over an internet service provider's infrastructure, that is, a private data communication network set up across a public network by means of point-to-point connections. In a VPN the connection between any two nodes does not use the end-to-end physical link that a traditional private network requires; it is formed dynamically from public-network resources, and it is mainly used for remote work, cloud resource management and the like. Security is the core problem of the VPN. VPN security is realised mainly through firewalls, routers combined with tunneling, encryption protocols and secret keys, which can guarantee secure communication between the two parties to a certain extent. However, today's VPNs often have to be extended to remote access and maintain long-lived connections; these always-on connections become a prime target for attackers, and the protocol stacks and data-plane processing of the various VPN vendors may themselves contain unknown vulnerabilities and backdoors. It is therefore important to redesign the traditional VPN architecture on the basis of the mimicry-defense dynamic heterogeneous redundancy (DHR) theory into a mimicry VPN that breaks with the traditional long-connection form.
Existing VPNs use encrypted tunneling protocols to give communication messages confidentiality, sender authentication and message integrity, and can establish a secure tunnel over an untrusted network (e.g. the internet) to carry reliable, secure messages. A VPN that maintains a long-lived connection nevertheless has three drawbacks. First, because the connection is kept up for a long time, the attacker has a single target and ample time to attack it, so the risk is high. Second, many heterogeneous VPN products exist, and the security of their protocols and software cannot be guaranteed; if the VPN in use has a security hole, the communication is directly rendered unreliable and insecure. Third, a single VPN product may contain a backdoor and run the risk of being exploited.
Existing VPN methods therefore cannot satisfy the requirement that two communicating parties keep a connection secure over a long period. To provide the high reliability and high availability that practical mimicry defense requires, a new efficient and dynamic VPN is urgently needed, one that can switch dynamically between different VPNs at small cost and markedly increase the difficulty of attack.
Disclosure of Invention
The object of the invention is to provide a virtual private network mimicry method for mimicry defense that addresses the shortcomings of the prior art. Compared with existing VPN methods, the mimicry VPN established by the invention offers higher communication security.
The object of the invention is achieved by the following technical scheme, a virtual private network mimicry method in mimicry defense comprising the steps of:
(1) N heterogeneous virtual private network tunnels are established simultaneously between the two communicating parties;
(2) the two communicating parties select the tunnel synchronously and determine the corresponding time window length from the secure transmission rate of each tunnel, specifically: let N denote the number of virtual private network tunnels established between the two parties in step (1); let the total execution period of the two-party communication be T, and allot to each tunnel a sub-time window of length T_i; let C_i denote the secure transmission rate of the i-th tunnel, initialised to 1; the length of the sub-time window occupied by the i-th tunnel within the total execution period T is

$$T_i = \frac{C_i}{\sum_{k=1}^{N} C_k}\, T, \qquad i = 1, 2, \dots, N,$$

where $\sum_{k=1}^{N} C_k$ is the sum of all the C_i; the sub-time window lengths T_i of the N tunnels are computed in turn;
(3) starting from the 1st tunnel, a virtual private network tunnel is selected for the two-party communication; when the communication time reaches the sub-time window length T_i obtained in step (2), that tunnel is checked and its secure transmission rate C_i is recorded from the most recent communication over it; the next tunnel is then selected for the two-party communication, and the tunnels are rotated through in turn;
(4) after one rotation through all the tunnels established in step (1) is complete, the secure transmission rates C_i are updated together and used to determine the sub-time window lengths for the next round of communication.
The beneficial effects of the invention are as follows. The method weighs the communication security of the VPN against the system resources it consumes; it applies the mimicry idea to a VPN that would otherwise keep a single long-lived connection by switching dynamically among heterogeneous VPN tunnels during communication, and the time window allotted to a tunnel in the next rotation is determined by the rate at which messages were transmitted securely through its channel. The method consumes few system resources, keeps the session between the two communicating parties secure, switches tunnels quickly and is broadly applicable.
Drawings
FIG. 1 is a schematic diagram of the mimicry virtual private network model according to an embodiment of the invention;
FIG. 2 is a flow chart of the method of the present invention.
Detailed Description
The invention is described in further detail below by way of an example and with reference to the accompanying drawings.
The mimicry virtual private network method in mimicry defense of the invention comprises the following specific steps:
(1) N heterogeneous virtual private network tunnels are established simultaneously between the two communicating parties, and the N tunnels are required to be mutually heterogeneous; heterogeneity means that the tunnels differ from one another in protocol design, encryption and authentication method and the like, and that the software code of the VPN implementations differs;
(2) the two communicating parties select the tunnel synchronously and determine the corresponding time window length from the secure transmission rate of each tunnel, specifically:
(2.1) let N denote the number of virtual private network tunnels established between the two parties in step (1); when the two parties need to communicate, the client selects the tunnels in sequence to carry the communication between the two private networks; the total execution period of the two-party communication is T, and each tunnel is allotted a sub-time window of length T_i; let C_i denote the secure transmission rate of the i-th tunnel, initialised to 1; the length of the sub-time window the i-th tunnel occupies within the total execution period T is

$$T_i = \frac{C_i}{\sum_{k=1}^{N} C_k}\, T, \qquad i = 1, 2, \dots, N,$$

where $\sum_{k=1}^{N} C_k$ is the sum of all the C_k, k being a natural number from 1 to N; for any tunnel, the time spent communicating securely over it is thus proportional to the secure transmission rate of messages in its channel;
(2.2) the sub-time window lengths T_i of the N tunnels are computed in turn, in the order of the tunnels;
(3) the i-th tunnel is selected and the two parties' traffic is forwarded so that it passes through that virtual private network; when the communication time reaches the sub-time window length T_i obtained in step (2.2), the tunnel is checked and its secure transmission rate C_i is recorded from the most recent communication over it; the next tunnel is then selected for the two-party communication, and the tunnels are rotated through in turn;
(4) after one rotation through all the tunnels established in step (1) is complete, the secure transmission rates C_i are updated together in order to determine the sub-time window lengths for the next round of communication.
Examples
This example runs between two communicating parties A and B. As shown in FIG. 1, three virtual private network tunnels, tunnel 1 to tunnel 3, are established between A and B. The method of the invention switches among the different VPN links in turn for secure communication according to the specific steps below; after one round of switching through all the VPNs is complete, the secure message transmission rate of each corresponding VPN link is updated.
As shown in fig. 2, this example is specifically realized by the following steps:
Step one: three virtual private networks are established between the two communicating parties A and B; the three are mutually heterogeneous, being implemented with different software and protocols. Before a message is transmitted, it is first determined whether the current VPN connection has exceeded its time window; if not, the current VPN continues to be used for message transmission; if so, proceed to step two.
Step two: the current time window has expired and the tunnel selection algorithm must switch to the link of the next VPN; from the secure transmission rate C_i (i = 1 to 3) of each channel and the total time period T, the time window length that applies when a given VPN is selected for transmission is calculated.
Step three: data is transmitted in the selected VPN tunnel until the time window is exhausted; the secure transmission rate of this transmission is recorded but not yet applied.
Step four: after the three VPN tunnels have been used in turn, the secure transmission rates C_i (i = 1 to 3) are updated together so as to allot the time window each VPN occupies in the next period, keeping the period length uniform, which facilitates synchronised tunnel management by both communicating parties.
The above is one embodiment of the invention; the invention is not limited to it, and the specific implementation may be decided by combining the technical scheme of the invention with the actual application scenario.
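To make the rotation concrete, the following is an added worked example, not code from the patent or its applicant, that simulates steps (1) to (4) of the method and the three-tunnel arrangement of FIG. 1. The tunnel names, the fixed period T = 300 s, the constructed per-tunnel observations and the RATE_FLOOR lower bound are assumptions of this example. The patent does not define how the secure transmission rate C_i is measured, so here it is simply a fraction in [0, 1] returned by a caller-supplied callback that stands in for the per-tunnel check at the end of each window.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Lower bound applied to a recorded rate when windows are computed, so that
# sum(C_k) never reaches zero and a tunnel that failed completely still gets a
# small window next round instead of dropping out of the rotation for good.
# This floor is an assumption of this example, not part of the patent text.
RATE_FLOOR = 0.01


@dataclass
class Tunnel:
    """One of the N heterogeneous tunnels between the two parties."""
    name: str             # hypothetical label, e.g. the VPN software behind it
    rate: float = 1.0     # C_i, initialised to 1 as in step (2)
    pending: float = 1.0  # rate recorded during this round, applied in step (4)


def window_lengths(rates: List[float], total_period: float) -> List[float]:
    """Step (2): T_i = C_i / sum_{k=1..N} C_k * T for every tunnel."""
    if not rates:
        raise ValueError("at least one tunnel is required")
    clamped = [max(c, RATE_FLOOR) for c in rates]
    total = sum(clamped)
    return [c / total * total_period for c in clamped]


class MimicryVpnScheduler:
    """Deterministic round scheduler held by each communicating party.

    Both sides keep the same tunnel list, the same period T and the same
    recorded rates, so they compute identical windows and switch in step
    without exchanging extra control messages (the synchronous selection
    of step (2)).
    """

    def __init__(self, tunnel_names: List[str], total_period: float):
        self.tunnels = [Tunnel(n) for n in tunnel_names]
        self.total_period = total_period

    def schedule(self) -> List[Tuple[str, float]]:
        """Sub-time windows for the next round, in rotation order."""
        lengths = window_lengths([t.rate for t in self.tunnels], self.total_period)
        return [(t.name, w) for t, w in zip(self.tunnels, lengths)]

    def run_round(self, measure: Callable[[str, float], float]) -> List[Tuple[str, float]]:
        """Step (3) followed by step (4).

        measure(name, window) stands for the check made on a tunnel when its
        window expires and returns the observed secure transmission rate in
        [0, 1]. Rates are only recorded during the round and applied all at
        once after the last tunnel, so the windows of the round in progress
        are never recomputed mid-round.
        """
        used = self.schedule()
        for tunnel, (_, window) in zip(self.tunnels, used):
            observed = measure(tunnel.name, window)
            if not 0.0 <= observed <= 1.0:
                raise ValueError(f"rate for {tunnel.name} out of range: {observed}")
            tunnel.pending = observed  # record now, apply after the round
        for tunnel in self.tunnels:  # step (4): uniform update
            tunnel.rate = tunnel.pending
        return used


def constructed_measure(name: str, window: float) -> float:
    """Constructed observations for the demo: tunnel 2 failed 40% of its messages."""
    return {"tunnel1": 1.0, "tunnel2": 0.6, "tunnel3": 1.0}.get(name, 1.0)


def demo() -> Dict[str, List[Tuple[str, float]]]:
    """Run one round on both parties and return the schedules they derive."""
    names = ["tunnel1", "tunnel2", "tunnel3"]
    party_a = MimicryVpnScheduler(names, total_period=300.0)
    party_b = MimicryVpnScheduler(names, total_period=300.0)
    round1 = party_a.run_round(constructed_measure)  # three equal 100 s windows
    party_b.run_round(constructed_measure)
    # Next round: tunnel 2 shrinks to 0.6/2.6 of T, tunnels 1 and 3 grow to 1/2.6 of T.
    return {"round1": round1, "round2_a": party_a.schedule(), "round2_b": party_b.schedule()}


if __name__ == "__main__":
    for label, sched in demo().items():
        print(label, [(n, round(w, 1)) for n, w in sched])
```

The scheduler keeps the total period fixed and only redistributes it, which is what keeps both parties' rotations aligned: a tunnel that was observed to lose or fail messages simply gets less of the next period, while the sum of the windows still equals T.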
Claims (1)
1. A virtual private network mimicry method in mimicry defense, characterised by comprising the following steps:
(1) N heterogeneous virtual private network tunnels are established simultaneously between the two communicating parties;
(2) the two communicating parties select the tunnel synchronously and determine the corresponding time window length from the secure transmission rate of each tunnel, specifically: let N denote the number of virtual private network tunnels established between the two parties in step (1); let the total execution period of the two-party communication be T, and allot to each tunnel a sub-time window of length T_i; let C_i denote the secure transmission rate of the i-th tunnel, initialised to 1; the length of the sub-time window occupied by the i-th tunnel within the total execution period T is

$$T_i = \frac{C_i}{\sum_{k=1}^{N} C_k}\, T, \qquad i = 1, 2, \dots, N,$$

where $\sum_{k=1}^{N} C_k$ is the sum of all the C_k, k being a natural number from 1 to N; the sub-time window lengths T_i of the N tunnels are computed in turn;
(3) starting from the 1st tunnel, a virtual private network tunnel is selected for the two-party communication; when the communication time reaches the sub-time window length T_i obtained in step (2), that tunnel is checked and its secure transmission rate C_i is recorded from the most recent communication over it; the next tunnel is then selected for the two-party communication, and the tunnels are rotated through in turn;
(4) after one rotation through all the tunnels established in step (1) is complete, the secure transmission rates C_i are updated together and used to determine the sub-time window lengths for the next round of communication.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910772472.1A CN110519253B (en) | 2019-08-21 | 2019-08-21 | Virtual private network mimicry method in mimicry defense |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110519253A CN110519253A (en) | 2019-11-29 |
CN110519253B true CN110519253B (en) | 2020-08-28 |
Family
ID=68625924
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101753401A (en) * | 2008-12-03 | 2010-06-23 | 北京天融信科技有限公司 | A method for realizing backup and load of IPSec virtual private network tunnel |
CN107145376A (en) * | 2016-03-01 | 2017-09-08 | 中兴通讯股份有限公司 | A kind of active defense method and device |
US10038709B1 (en) * | 2015-09-30 | 2018-07-31 | EMC IP Holding Company LLC | Computer network defense system employing multiplayer gaming functionality |
CN109936517A (en) * | 2018-12-19 | 2019-06-25 | 国网浙江省电力有限公司电力科学研究院 | Adaptive dynamic traffic distribution method in mimicry defence |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9141823B2 (en) * | 2013-03-15 | 2015-09-22 | Veridicom, Sa De Cv | Abstraction layer for default encryption with orthogonal encryption logic session object; and automated authentication, with a method for online litigation |
CN107147509B (en) * | 2016-03-01 | 2022-03-11 | 中兴通讯股份有限公司 | Virtual private network service implementation method, device and communication system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||