CN110519253B - Virtual private network mimicry method in mimicry defense - Google Patents

Info

Publication number: CN110519253B
Application number: CN201910772472.1A
Authority: CN (China)
Other versions: CN110519253A
Inventors: 吴春明, 陈双喜, 吴安邦, 张继学
Assignee: Zhejiang University (ZJU)
Priority and filing date: 2019-08-21
Publication date: 2020-08-28
Legal status: Active (granted)

Classifications

    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L63/0272 Virtual private networks
    • H04L63/029 Firewall traversal, e.g. tunnelling or creating pinholes

Abstract

The invention discloses a virtual private network mimicry method in mimicry defense. The method comprehensively considers factors such as the communication security and system resources of the virtual private network; it applies the mimicry idea to a virtual private network that originally keeps a single long connection, and performs dynamic switching among heterogeneous virtual private network tunnels during communication. The length of the time window for the next rotation to a virtual private network tunnel is determined according to the rate at which messages are transmitted securely through that channel. The invention has the characteristics of low system resource consumption, secure sessions between the two communication parties, fast tunnel switching and strong universality.

Description

Virtual private network mimicry method in mimicry defense
Technical Field
The invention belongs to the technical field of network security, particularly belongs to the technical field of network security mimicry defense, and particularly relates to a virtual private network mimicry method in mimicry defense.
Background
With the continuous evolution of the internet and of attack technology, network attacks have become covert, coordinated and precise, and network security is in a situation where attack is easy and defense is hard. In order to fundamentally change traditional passive protection modes such as 'blocking, scanning and killing' and form an active defense capability, mimicry defense technology was developed. Mimicry defense is an active defense technology built on a dynamic heterogeneous redundant (DHR) structure within a system, and it can cope with various unknown threats in cyberspace. Because it adopts comprehensive defense means, mimicry defense has good reliability and universality and has become a research hotspot in academia and industry in recent years.
The mimicry virtual private network method is an important component of mimicry defense technology. A virtual private network is a technology for establishing a private network over an internet service provider's infrastructure, i.e. for establishing a private data communication network within a public network through point-to-point connections. In a virtual private network the connection between any two nodes does not use the end-to-end physical link required by a traditional private network but is formed dynamically from public network resources; such connections are mainly used for remote office work, cloud resource management and the like. Security is the core problem of virtual private networks. The security of a virtual private network is mainly realized by firewall technology, routers combined with tunnel technology, encryption protocols and secure keys, which can ensure secure communication between the two parties to a certain extent. However, today's virtual private networks often need to be extended to remote access and maintain long-term connections; these always-on connections become the main target of attackers, and unknown vulnerabilities and backdoors may exist in the protocol stacks and data-plane processing of different virtual private network vendors. Therefore it is very important to design a mimicry virtual private network by modifying the traditional virtual private network architecture on the basis of the mimicry defense dynamic heterogeneous redundancy (DHR) theory, breaking the traditional long-connection form of the virtual private network.
Existing virtual private networks use an encrypted channel protocol to obtain security properties for communication messages such as confidentiality, sender authentication and message accuracy (integrity). The technique can use an insecure network (e.g. the internet) to establish a secure tunnel for sending reliable, secure messages. However, a virtual private network that maintains long connections has three drawbacks: first, because the connection is kept for a long time, an attacker has a single attack target and relatively abundant attack time, so the risk is high; second, a variety of heterogeneous virtual private network software exists today, the security of that software at the protocol and implementation level cannot be guaranteed, and if the virtual private network in use has a security hole the communication process is directly rendered unreliable and unsafe; third, a single piece of virtual private network software may contain a backdoor and run the risk of being exploited.
Therefore, the existing virtual private network methods cannot meet the requirement that two communication parties guarantee secure communication over a long-lived connection. To ensure the high reliability and high availability of practical mimicry defense technology, a new, efficient and dynamic virtual private network is urgently needed, one that can switch dynamically among different virtual private networks at small cost and markedly increase the difficulty of attack.
Disclosure of Invention
The invention aims to provide a virtual private network mimicry method in mimicry defense that addresses the defects of the prior art. Compared with existing virtual private network methods, the mimicry virtual private network established by the invention has higher communication security.
The purpose of the invention is realized by the following technical scheme: a virtual private network mimicry method in mimicry defense, comprising the steps of:
(1) N heterogeneous virtual private network tunnels are established between the two communication parties simultaneously;
(2) the two communication parties synchronously select the tunnel and determine the corresponding time window length according to the safe transmission rate of each channel, which specifically comprises the following steps: N represents the number of virtual private network tunnels established between the two communication parties in step (1); the total execution period of the two-party communication is T, and each virtual private network tunnel is allocated a sub-time window of length T_i; C_i denotes the safe transmission rate of the ith virtual private network tunnel, and C_i is initialized to 1; the length of the sub-time window occupied by the ith virtual private network tunnel in the total execution period T is

$T_i = \frac{C_i}{\sum_{k=1}^{N} C_k} \cdot T$

where i = 1, 2, ..., N and $\sum_{k=1}^{N} C_k$ is the sum of all C_i, k being a natural number from 1 to N; the sub-time window lengths T_i corresponding to the N virtual private network tunnels are calculated in turn;
(3) starting from the 1st virtual private network tunnel, a virtual private network tunnel is selected for the two-party communication; when the communication time reaches the sub-time window length T_i obtained in step (2), that virtual private network tunnel is checked, its safe transmission rate C_i is recorded according to the latest tunnel communication condition, the next virtual private network tunnel is selected for the two-party communication, and the tunnels are rotated in turn;
(4) after the rotation over all the virtual private network tunnels established in step (1) is completed, the safe transmission rates C_i are uniformly updated and used to determine the sub-time window lengths of the next communication.
The invention has the beneficial effects that: the method comprehensively considers factors such as the communication security and system resources of the virtual private network; it applies the mimicry idea to a virtual private network that originally keeps a single long connection, and performs dynamic switching among heterogeneous virtual private network tunnels during communication. The length of the time window for the next rotation to a virtual private network tunnel is determined according to the rate at which messages are transmitted securely through that channel. The invention has the characteristics of low system resource consumption, secure sessions between the two communication parties, fast tunnel switching and strong universality.
Drawings
FIG. 1 is a diagram illustrating the mimicry virtual private network model according to an embodiment of the present invention;
FIG. 2 is a flow chart of the method of the present invention.
Detailed Description
The invention is further described in detail below by way of examples and with reference to the accompanying drawings.
The invention relates to a mimicry virtual private network method in mimicry defense, which comprises the following specific steps:
(1) establishing N heterogeneous virtual private network tunnels between the two communication parties at the same time, the N tunnels being required to be mutually heterogeneous; the heterogeneity is embodied in differences between the virtual private networks in protocol design, encryption and authentication method and the like, and in the heterogeneity of the virtual private network software code, and so on;
(2) the two communication parties realize synchronous selection of the tunnel, and determine the corresponding time window length according to the safe transmission rate of each channel, which specifically comprises the following steps:
(2.1) N represents the number of virtual private network tunnels established between the two communication parties in step (1); when two-party communication is needed, the client selects the virtual private network tunnels in sequence to carry the communication between the two parties' private networks; the total execution period of the two-party communication is T, and each virtual private network tunnel is allocated a sub-time window of length T_i; C_i denotes the safe transmission rate of the ith virtual private network tunnel, and C_i is initialized to 1; the length of the sub-time window occupied by the ith virtual private network tunnel in the total execution period T is

$T_i = \frac{C_i}{\sum_{k=1}^{N} C_k} \cdot T$

where i = 1, 2, ..., N and $\sum_{k=1}^{N} C_k$ is the sum of all C_i, k being a natural number from 1 to N; for any virtual private network tunnel, we want the time spent communicating securely over that tunnel to be proportional to the safe transmission rate of messages in its channel;
(2.2) calculating in turn, in the order of the virtual private network tunnels, the sub-time window length T_i corresponding to each of the N virtual private network tunnels;
(3) selecting the ith virtual private network tunnel and forwarding the traffic of the two parties so that the communication traffic passes through that virtual private network; when the communication time reaches the sub-time window length T_i obtained in step (2.2), that tunnel is checked, its safe transmission rate C_i is recorded according to the latest tunnel communication condition, the next virtual private network tunnel is selected for the two-party communication, and the tunnels are rotated in turn;
(4) after the rotation over all the virtual private network tunnels established in step (1) is completed, the safe transmission rates C_i are uniformly updated in order to determine the sub-time window lengths for the next communication.
Examples
This example operates between two communicating parties A and B, as shown in FIG. 1, with three virtual private network tunnels (virtual private network tunnel 1 to virtual private network tunnel 3) established between them; the method of the invention switches among the different virtual private network links in turn to carry out secure communication according to the following concrete steps; after the switching over all the virtual private networks in one round is finished, the message safe transmission rate of all the corresponding virtual private network links is uniformly updated.
As shown in fig. 2, this example is specifically realized by the following steps:
Step one: three virtual private networks are established between the two communication parties A and B; the three virtual private networks are mutually heterogeneous and are realized with different software and protocols. Before message transmission, it is first judged whether the current virtual private network connection has exceeded its time window; if not, the current virtual private network continues to be used for message transmission; if yes, step two is entered;
Step two: the current time window has expired and the tunnel selection algorithm needs to switch to the link of the next virtual private network; according to the period, the time window length corresponding to the selected virtual private network is calculated from the safe transmission rate C_i (i = 1 to 3) of each channel and the total time period T;
Step three: data is transmitted in the selected virtual private network tunnel until the time window is exhausted; the safe transmission rate of this transmission is recorded but not yet applied;
Step four: after the three virtual private network tunnels have been used in sequence, the safe transmission rates C_i (i = 1 to 3) are uniformly updated so as to allocate the time window occupied by each virtual private network in the next period, keeping the period length uniform so that the two communication parties can manage tunnel establishment synchronously.
The above is an embodiment of the present invention, and the present invention is not limited by the above embodiment, and the specific implementation method may be determined by combining the technical scheme of the present invention with an actual application scenario.
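The rotation procedure of steps (1) to (4) and the three-tunnel embodiment above, as an added Python illustration that is not part of the patent: the tunnel names and observed rates are constructed sample values, and the equal-split fallback when every rate is zero is an assumption the patent does not state.

```python
"""Mimicry VPN tunnel rotation scheduler (added illustration, not the patent's code).

Window formula from the patent: T_i = T * C_i / sum_{k=1..N} C_k, with every
C_i initialised to 1. Rates observed during a round are only recorded; they
are applied uniformly once the round over all N tunnels completes, so the
total period T stays the same and both parties can stay in step.
"""
from dataclasses import dataclass


@dataclass
class Tunnel:
    name: str                   # constructed label, e.g. "vpn1"
    rate: float = 1.0           # C_i, the applied safe transmission rate
    pending_rate: float = 1.0   # rate recorded in the current round, not yet applied


class MimicVpnScheduler:
    def __init__(self, tunnels, period):
        if not tunnels or period <= 0:
            raise ValueError("need at least one tunnel and a positive period T")
        self.tunnels = list(tunnels)
        self.period = float(period)   # total execution period T
        self.index = 0                # rotation starts from tunnel 1
        self.rounds_completed = 0

    def window(self, i):
        """Sub-time window T_i for tunnel i (0-based) in the total period T."""
        total = sum(t.rate for t in self.tunnels)   # sum_{k=1..N} C_k
        if total == 0:
            # Assumption, not from the patent: if every tunnel reported a zero
            # rate, split T equally rather than divide by zero.
            return self.period / len(self.tunnels)
        return self.period * self.tunnels[i].rate / total

    def windows(self):
        return [self.window(i) for i in range(len(self.tunnels))]

    def current(self):
        return self.tunnels[self.index]

    def complete_window(self, observed_rate):
        """Called when T_i of the current tunnel is exhausted.

        Records the rate observed on that tunnel, rotates to the next tunnel
        and, when the round is complete, applies all recorded rates at once.
        Returns the tunnel to use next.
        """
        if observed_rate < 0:
            raise ValueError("rate must be non-negative")
        self.current().pending_rate = observed_rate
        self.index += 1
        if self.index == len(self.tunnels):
            for t in self.tunnels:            # step (4): uniform update
                t.rate = t.pending_rate
            self.index = 0
            self.rounds_completed += 1
        return self.current()


def run_round(sched, observed_rates):
    """Drive one full rotation; returns [(tunnel name, window used)] per step."""
    if len(observed_rates) != len(sched.tunnels):
        raise ValueError("one observed rate per tunnel is required")
    schedule = []
    for rate in observed_rates:
        schedule.append((sched.current().name, sched.window(sched.index)))
        sched.complete_window(rate)
    return schedule


if __name__ == "__main__":
    # Three heterogeneous tunnels as in the embodiment; T = 90 s is constructed.
    s = MimicVpnScheduler([Tunnel("vpn1"), Tunnel("vpn2"), Tunnel("vpn3")], 90)
    print("round 1:", run_round(s, [0.9, 0.6, 0.3]))   # equal 30 s windows
    print("round 2 windows:", s.windows())              # 45, 30, 15
```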

Claims (1)

1. A virtual private network mimicry method in mimicry defense, characterized by comprising the following steps:
(1) N heterogeneous virtual private network tunnels are established between the two communication parties simultaneously;
(2) the two communication parties synchronously select the tunnels and determine the corresponding time window length according to the safe transmission rate of each tunnel, which specifically comprises the following steps: N represents the number of virtual private network tunnels established between the two communication parties in step (1); the total execution period of the two-party communication is T, and each virtual private network tunnel is allocated a sub-time window of length T_i; C_i denotes the safe transmission rate of the ith virtual private network tunnel, and C_i is initially 1; the length of the sub-time window occupied by the ith virtual private network tunnel in the total execution period T is

$T_i = \frac{C_i}{\sum_{k=1}^{N} C_k} \cdot T$

where i = 1, 2, ..., N and $\sum_{k=1}^{N} C_k$ is the sum of all C_i, k being a natural number from 1 to N; the sub-time window lengths T_i corresponding to the N virtual private network tunnels are calculated in turn;
(3) starting from the 1st virtual private network tunnel, a virtual private network tunnel is selected for the two-party communication; when the communication time reaches the sub-time window length T_i obtained in step (2), that virtual private network tunnel is checked, its safe transmission rate C_i is recorded according to the latest tunnel communication condition, the next virtual private network tunnel is selected for the two-party communication, and the tunnels are rotated in turn;
(4) after the rotation over all the virtual private network tunnels established in step (1) is completed, the safe transmission rates C_i are uniformly updated and used to determine the sub-time window lengths of the next communication.

Publications (2)

Publication Number Publication Date
CN110519253A CN110519253A (en) 2019-11-29
CN110519253B true CN110519253B (en) 2020-08-28

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant