CN110545268A - Multidimensional mimicry voting method based on process elements - Google Patents


Publication number
CN110545268A
Authority
CN
China
Prior art keywords
node
nodes
mimicry
attacked
voting
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910772350.2A
Other languages
Chinese (zh)
Inventor
陈双喜
吴春明
张帆
张兴明
张汝云
谢辰承
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhijiang Laboratory
Zhejiang Lab
Original Assignee
Zhijiang Laboratory
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhijiang Laboratory
Priority to CN201910772350.2A
Publication of CN110545268A
Legal status: Pending


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • H04L67/1004 Server selection for load balancing
    • H04L67/1008 Server selection for load balancing based on parameters of servers, e.g. available memory or workload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention discloses a multidimensional mimicry voting method based on process elements. A plurality of nodes is deployed, and the execution result of a node is synchronized to the other nodes; if a node is attacked, the target file of a currently normal node, chosen according to load condition and computing capacity, is synchronized to the abnormal node. The invention comprehensively considers factors such as system resources and working efficiency, and the voter discovers the attacked node by monitoring the process data and element resources of the nodes. Compared with existing result-based voting methods, the method has wider applicability and votes in a more timely manner.

Description

Multidimensional mimicry voting method based on process elements
Technical Field
The invention belongs to the technical field of network security, in particular to network security mimicry defense, and relates to a multidimensional mimicry voting method based on process elements.
Background
With the continuous evolution of the internet and of attack technology, network attacks have become concealed, coordinated and precise, and network security is in a situation where attack is easy and defense is hard. To thoroughly change traditional passive-response protection such as 'plug, check and kill' and to form an active defense capability, mimicry defense technology was developed. Mimicry defense is an active defense technology built on a dynamic heterogeneous redundant structure within a system, and it can deal with various unknown threats in cyberspace. Because it uses comprehensive defense means, mimicry defense has good reliability and universality, and it has become a research hotspot in academia and industry in recent years.
The multidimensional mimicry voting method based on process elements is an important component of mimicry defense technology. In this method, the voter in a mimicry product discovers attacked nodes by monitoring the target files that implement the nodes' functions. While a node runs normally, the target files implementing its function are compared in real time to judge whether the node has been attacked. The target files are: real-time data of the running process, such as process state data, memory data and network state data; and files related to the running process, such as executable files, configuration files and log files. The method enlarges the scope of mimicry voting, performs mimicry voting in real time and discovers attacked nodes more quickly. Existing mimicry voting algorithms vote only on result elements and cannot vote on process elements, and they discover attacked nodes only after a certain delay, which limits the applicability of mimicry voting. Process-element-based multidimensional mimicry voting is therefore particularly important in mimicry defense.
The existing result-element-based mimicry voting method feeds a user request to a plurality of nodes; each node outputs a result after executing the request, and the voter performs mimicry voting on the output results of the nodes to find the attacked node. This method has two drawbacks: first, it is limited, since mimicry voting cannot be performed for requests that produce no output result; second, it is not real-time enough, since an attack can be discovered only after waiting for the output result.
Therefore, the existing mimicry voting method cannot meet the requirements of real-time mimicry voting and process voting. To ensure high reliability and high availability of mimicry defense in practice, a multidimensional mimicry voting method based on process elements is urgently needed, one that enlarges the scope of mimicry voting and responds to the voting result more quickly.
Disclosure of Invention
The invention aims to provide a multidimensional mimicry voting method based on process elements that addresses the defects of the prior art. The method removes the limitation of existing mimicry voting and votes in real time.
The purpose of the invention is achieved by the following technical scheme: a multidimensional mimicry voting method based on process elements, comprising the following steps:
(1) Deploying a plurality of nodes with the same function on heterogeneous hardware equipment, the heterogeneous hardware providing mimicry heterogeneity; distributing the user request to one of the nodes, executing the request inside that node, and synchronizing the execution result to the other nodes;
(2) The voter inspects the target files that implement the node function and judges whether a node is attacked by comparing those target files: if the node is not attacked, normal operation continues; if the node is attacked, the next step is carried out;
(3) Detecting the running state of the nodes, sorting them according to current load condition and computing capacity, and selecting a suitable node, comprising the following substeps:
(3.1) Acquiring the load condition and the computing capacity of the nodes currently operating normally; the number of nodes is denoted N, the computing capacity of the i-th node is denoted Ci, and the load condition of the i-th node is denoted Vi, where i = 1, 2, …, N;
(3.2) Sorting the values of the nodes according to the load condition Vi and the computing capacity Ci obtained in step (3.1), and selecting the node with the minimum value;
(4) Synchronizing the target files that implement the node function from the node selected in step (3.2) to the node found to be attacked in step (2), so that the attacked node is restored to normal.
The beneficial effects of the invention are as follows: by comparing in real time the target files that implement the node function, and by comprehensively considering factors such as system resources and working efficiency, the method meets the requirement of real-time mimicry voting and removes the limitation of traditional mimicry voting. Compared with prior mimicry voting, the method is more immediate and can perform mimicry voting on requests based on process elements.
Drawings
FIG. 1 is a diagram illustrating a request transmission model according to an embodiment of the present invention;
FIG. 2 is a flow chart of the method of the present invention.
Detailed Description
The invention is further described in detail below by way of examples and with reference to the accompanying drawings.
The invention discloses a multidimensional mimicry voting method based on process elements in mimicry defense, comprising the following steps:
(1) Deploying a plurality of nodes with the same function on heterogeneous hardware equipment, the heterogeneous hardware providing mimicry heterogeneity; distributing the user request to one of the nodes, executing the request inside that node, and synchronizing the execution result to the other nodes;
(2) The voter inspects the target files that implement the node function and judges whether a node is attacked by comparing those target files: if the node is not attacked, normal operation continues; if the node is attacked, the next step is carried out;
(3) Detecting the running state of the nodes, sorting them according to current load condition and computing capacity, and selecting a suitable node, comprising the following substeps:
(3.1) Acquiring the load condition and the computing capacity of the nodes currently operating normally; the number of nodes is denoted N, the computing capacity of the i-th node is denoted Ci, and the load condition of the i-th node is denoted Vi, where i = 1, 2, …, N;
(3.2) Sorting the values of the nodes according to the load condition Vi and the computing capacity Ci obtained in step (3.1), and selecting the node with the minimum value;
(4) Synchronizing the target files that implement the node function from the node selected in step (3.2) to the node found to be attacked in step (2), so that the attacked node is restored to normal.
Examples
This example works in mimicry cloud defense. As shown in FIG. 1, the management nodes jointly operate three clouds, A1 to A3, and the traffic formed by user requests enters the servers through the management nodes. The method of the invention selects A2 by the concrete steps below. While A2 processes the user request, the target files implementing the node's functions are compared; if the voter finds that the A2 target file is inconsistent with the target files of A1 and A3, the A2 cloud is judged to be attacked, the running states of A1 and A3 are detected, a suitable node is selected, and real-time synchronization restores the attacked node to normal.
As shown in FIG. 2, this example is realized by the following steps:
Step one: deploying a plurality of nodes with the same function on heterogeneous hardware equipment; one of the nodes receives a user request, executes the request inside the node and synchronizes the execution result to the other nodes;
Step two: the voter monitors in real time the target files implementing the node's functions. If the voter detects that the node executing the request is attacked, the server internally acquires the load conditions Vi (i = 1, 3) and the current computing capacities Ci (i = 1, 3) of A1 and A3, sorts them, and selects the smallest node, A1;
Step three: synchronizing the content of the target files of A1 to A2 so that A2 returns to normal.
The above is one embodiment of the present invention. The invention is not limited to this embodiment, and the specific implementation may be determined by combining the technical scheme of the invention with the actual application scenario.
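
An added sketch of steps (2) to (4) on the A1/A2/A3 embodiment, not code from the patent. It rests on three assumptions the patent leaves open: process elements are normalised so that healthy heterogeneous nodes yield identical bytes, the voter requires a strict majority of matching SHA-256 digests, and the node "value" is Vi / Ci. All names and sample data are constructed.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    load: float       # V_i, load condition (assumed unit: utilisation 0..1)
    capacity: float   # C_i, computing capacity (assumed unit: cores)
    # Process elements ("target files"), assumed already normalised so that
    # heterogeneous nodes produce byte-identical content when healthy.
    elements: dict = field(default_factory=dict)


def fingerprint(node):
    """SHA-256 digest of every process element on one node."""
    return {k: hashlib.sha256(v).hexdigest() for k, v in node.elements.items()}


def vote(nodes):
    """Step (2): return (healthy_nodes, {attacked_name: [deviating elements]})."""
    prints = {n.name: fingerprint(n) for n in nodes}
    names = sorted(set().union(*prints.values()))
    deviating = {}
    for element in names:
        tally = Counter(p.get(element) for p in prints.values())
        digest, count = tally.most_common(1)[0]
        if count * 2 <= len(nodes):  # assumed rule: strict majority required
            raise RuntimeError(f"no majority for element {element!r}")
        for node_name, p in prints.items():
            if p.get(element) != digest:  # a missing element also deviates
                deviating.setdefault(node_name, []).append(element)
    healthy = [n for n in nodes if n.name not in deviating]
    return healthy, deviating


def select_source(healthy):
    """Step (3): pick the healthy node with the smallest value.
    Assumption: value = V_i / C_i; the patent does not give the formula."""
    return min(healthy, key=lambda n: (n.load / n.capacity, n.name))


def recover(attacked, source):
    """Step (4): overwrite the attacked node's elements from the source."""
    attacked.elements = dict(source.elements)


def build_sample():
    """Constructed sample mirroring the A1/A2/A3 embodiment."""
    good = {"executable": b"\x7fELF-service-v1", "config": b"listen=443\n",
            "net_state": b"LISTEN 0.0.0.0:443\n"}
    a1 = Node("A1", load=0.30, capacity=8, elements=dict(good))
    a2 = Node("A2", load=0.20, capacity=8, elements=dict(good))
    a3 = Node("A3", load=0.60, capacity=8, elements=dict(good))
    a2.elements["config"] = b"listen=443\ndebug=on\n"  # constructed tampering
    return [a1, a2, a3]


def run_round(nodes):
    """One voting round; returns (attacked element map, chosen source name)."""
    healthy, deviating = vote(nodes)
    if not deviating:
        return {}, None
    source = select_source(healthy)
    for node in nodes:
        if node.name in deviating:
            recover(node, source)
    return deviating, source.name


if __name__ == "__main__":
    print(run_round(build_sample()))
```

With only two nodes, or when no digest reaches a majority, `vote` raises instead of guessing which side is clean; a deployment has to decide what the voter does in that case.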

Claims (1)

1. A multidimensional mimicry voting method based on process elements, characterized by comprising the following steps:
(1) Deploying a plurality of nodes with the same function on heterogeneous hardware equipment, the heterogeneous hardware providing mimicry heterogeneity; the user request is distributed to one of the nodes, the node executes the request internally, and the execution result is synchronized to the other nodes.
(2) The voter inspects the target files that implement the node function and judges whether a node is attacked by comparing those target files: if the node is not attacked, normal operation continues; if the node is attacked, the next step is performed.
(3) Detecting the running state of the nodes, sorting them according to current load condition and computing capacity, and selecting a suitable node, comprising the following substeps:
(3.1) Acquiring the load condition and the computing capacity of the nodes currently operating normally; the number of nodes is denoted N, the computing capacity of the i-th node is denoted Ci, and the load of the i-th node is denoted Vi, where i = 1, 2, …, N.
(3.2) Sorting the values of the nodes according to the load condition Vi and the computing capacity Ci obtained in step (3.1), and selecting the node with the minimum value.
(4) Synchronizing the target files that implement the node function from the node selected in step (3.2) to the node found to be attacked in step (2), so that the attacked node is restored to normal.
CN201910772350.2A 2019-08-21 2019-08-21 multidimensional mimicry voting method based on process elements Pending CN110545268A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910772350.2A CN110545268A (en) 2019-08-21 2019-08-21 multidimensional mimicry voting method based on process elements

Publications (1)

Publication Number Publication Date
CN110545268A true CN110545268A (en) 2019-12-06

Family

ID=68711698

Country Status (1)

Country Link
CN (1) CN110545268A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20191206