CN110581845A - quantitative characterization method for potential threat degree of mimicry controller executive body - Google Patents


Info

Publication number
CN110581845A
Authority
CN
China
Prior art keywords
mimicry
controller
confidence
executive
executor
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910772464.7A
Other languages
Chinese (zh)
Inventor
吴春明
陈双喜
姜鑫悦
潘高宁
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang University ZJU
Original Assignee
Zhejiang University ZJU
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhejiang University ZJU filed Critical Zhejiang University ZJU
Priority to CN201910772464.7A priority Critical patent/CN110581845A/en
Publication of CN110581845A publication Critical patent/CN110581845A/en
Pending legal-status Critical Current

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a method for quantitatively characterizing the potential threat degree of a mimicry controller executor. The mimicry controller records, for each processed input, the difference between each executor's output and the decision of the multi-mode voter, and calculates the confidence of each executor; after each time period it updates and sorts the confidences, takes the executor with the lowest confidence offline, and brings an executor online from the offline candidate executors. To further improve the reliability of the mimicry controller, the method quantitatively characterizes the potential threat degree of the controller's executors, introduces the concept of confidence, and adjusts the operation of the executors according to that confidence. Given the current lack of an effective quantitative characterization method, the invention greatly improves the robustness of the mimicry defense system with essentially no change in software and hardware overhead.

Description

Quantitative characterization method for potential threat degree of mimicry controller executive body
Technical Field
The invention belongs to the technical field of network security, in particular to mimicry defense in network security, and specifically relates to a quantitative characterization method for the potential threat degree of a mimicry controller executor.
Background
With the continuous evolution of the Internet and of attack techniques, network attacks have become stealthy, coordinated and precise, and network security is in a situation where attack is easy and defense is hard. To fundamentally change traditional passive-response protection such as "block, scan and kill" and to build an active defense capability, mimicry defense technology was developed. Mimicry defense is an active defense technology based on a dynamic heterogeneous redundant structure within the system, and it can cope with various unknown threats in cyberspace. Because it adopts comprehensive defensive means, mimicry defense has good reliability and generality and has become a research hotspot in academia and industry in recent years.
The mimicry controller keeps several functionally equivalent redundant executors online at the same time. When a server using mimicry defense receives an access request, the request is first input to the mimicry controller, which distributes it to the functionally equivalent redundant executors simultaneously. If the executors all operate normally, they output the same result to the multi-mode voter, and the multi-mode voter outputs the correct result by the principle of majority decision. When one or some of the executors are attacked and become vulnerable, they output a wrong result. Although the majority result cannot in theory always be correct, it can be proved that the probability of a majority error decreases non-linearly as the redundancy of the DRS increases; but if several vulnerable executors run at the same time in a given period, wrong output is likely and the security of the mimicry defense server is threatened. A quantitative characterization method for the potential threat degree of mimicry controller executors therefore greatly reduces the possible error rate of the majority decision and further strengthens the robustness of the whole mimicry defense system.
Existing mimicry defense systems have no suitable method for quantitatively characterizing the potential threat degree of a mimicry controller executor. At present, the main way to improve the correctness of the mimicry controller is to judge the functionally equivalent redundant executors manually and then manually bring the corresponding executors online or take them offline, thereby raising the security of the whole controller and maintaining the robustness of the whole mimicry defense system. This approach has three disadvantages: first, it is difficult to accurately judge the potential threat degree of a marked functionally equivalent redundant executor; second, it consumes manpower and the detection period cannot be guaranteed; finally, manual judgment and manual online/offline switching are subject to large deviations.
Therefore, given the current lack of a quantitative characterization method for the potential threat degree of mimicry controller executors, and to ensure the high reliability and high availability of practical mimicry defense technology, an efficient and accurate quantitative characterization method is urgently needed to maximize the robustness and reliability of the mimicry defense system.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and to provide a method for quantitatively characterizing the potential threat degree of a mimicry controller executor. Under continuous input, the method rotates the executor set according to the confidences the executors have accumulated over successive time periods, and has the advantage of higher security and reliability.
The purpose of the invention is realized by the following technical scheme: a quantitative characterization method for potential threat degree of a mimicry controller executive body comprises the following steps:
(1) For a user access request, judge whether the IP address belongs to the honeypot blacklist; if yes, the attack is directed into the honeypot for execution and all steps end; if not, carry out the subsequent steps;
(2) The mimicry controller records the difference between each executor's output for each processed input and the multi-mode voter, calculates the confidence of each executor, and updates and re-sorts the confidences each time a fixed time period passes, comprising the following sub-steps:
(2.1) Let M denote the total number of heterogeneous bodies available to provide service; when input is received, N heterogeneous bodies are selected to go online as the executor set of the mimicry controller, the mimicry controller delivers the input to the online executors, and the output of each executor is collected at the voter for multi-choice judgment;
(2.2) The mimicry controller updates the confidence of the executors: after a fixed time period t, let $Q$ denote the number of inputs accepted by an executor in the current time period; let $V_i$ denote the number of erroneous processings of the i-th executor, updated as $V_i = V_i + 1$ after each error of that executor; after the current time period ends, the total number of inputs accepted by each current executor is updated with $Q$ as $P_i = P_i + Q$, where $P_i$ records the total number of inputs accepted by the i-th executor; $C_i$ denotes the confidence of the i-th executor and is calculated by the following formula:
$$C_i = 1 - \frac{V_i}{P_i}$$
where $i = 1, 2, \dots, N$;
(2.3) The executor confidences $C_i$ obtained according to step (2.1) are sorted;
(3) The executor with the lowest confidence in the ranking obtained in step (2.3) is taken offline and placed last in the ordering of offline candidate executors; executors are brought online in sequence from the offline candidate executors; then jump to step (2.2) and enter the next time period t.
Further, the heterogeneous bodies in step (2.1) comprise the executors and the offline candidate executors.
Further, erroneous processing in step (2.2) means the following: the voter decides the consistent output, and any executor output inconsistent with the decision is regarded as an erroneous output.
The invention has the following beneficial effects: to further improve the reliability of the mimicry controller, the method quantitatively characterizes the potential threat degree of every functionally equivalent redundant executor in the mimicry controller, introduces the concept of confidence, and adjusts the operation of the executors according to that confidence, further strengthening the security and reliability of the mimicry defense system. Given the current lack of a quantitative characterization method for the potential threat degree of mimicry controller executors, the method greatly improves the robustness of the mimicry defense system with essentially no change in software and hardware overhead.
Drawings
FIG. 1 is a diagram illustrating an embodiment of a controller receiving an input model;
FIG. 2 is a flow chart of the method of the present invention.
Detailed Description
The invention is further described in detail below by way of examples and with reference to the accompanying drawings.
The quantitative characterization method of the invention for the potential threat degree of a mimicry controller executor comprises the following steps:
(1) Judge whether the user's IP address belongs to the blacklist: a honeypot mechanism can be used to detect and withstand detected attack behavior; the server uses the existing honeypot mechanism to collect attack-traffic information in real time and dynamically update the IP blacklist; for a user access request, judge whether the IP address belongs to the honeypot blacklist; if yes, the attack is directed into the honeypot for execution and all steps end; if not, carry out the subsequent steps;
(2) The mimicry controller records the difference between each executor's output for each processed input and the multi-mode voter, calculates the confidence of each executor, and updates and re-sorts the confidences each time a fixed time period passes, comprising the following sub-steps:
(2.1) Let M denote the total number of heterogeneous bodies available to provide service, the heterogeneous bodies comprising the executors and the offline candidate executors; when input is received, N heterogeneous bodies are selected to go online as the executor set of the mimicry controller, the mimicry controller delivers the input to the online executors, and the output of each executor is collected at the voter for multi-choice judgment;
(2.2) The mimicry controller updates the confidence of the executors: after a fixed time period t, let $Q$ denote the number of inputs accepted by an executor in the current time period; let $V_i$ denote the number of erroneous processings of the i-th executor, where erroneous processing means that the voter decides the consistent output and any executor output inconsistent with the decision is regarded as an erroneous output; $V_i = V_i + 1$ is applied after each error of that executor; after the current time period ends, the total number of inputs accepted by each current executor is updated with $Q$ as $P_i = P_i + Q$, where $P_i$ records the total number of inputs accepted by the i-th executor; $C_i$ denotes the confidence of the i-th executor and is calculated by the following formula:
$$C_i = 1 - \frac{V_i}{P_i}$$
where $i = 1, 2, \dots, N$;
(2.3) The executor confidences $C_i$ obtained according to step (2.1) are sorted from high to low;
(3) The executor with the lowest confidence in the ranking obtained in step (2.3) is taken offline and placed last in the ordering of offline candidate executors; executors are brought online in sequence from the offline candidate executors; then jump to step (2.2) and enter the next time period t.
Examples
The embodiment operates in the mimicry controller of a mimicry defense server. As shown in FIG. 1, the mimicry controller runs 6 executors in total, $A_1$ to $A_6$, with 6 offline candidate executors $E_1$ to $E_6$; input enters the controller and is then delivered to the 6 online executors. At intervals of the same time period t, the method of the invention replaces online and offline executors according to the following specific steps, ensuring that the final result output by the voter according to the algorithm is true and reliable, and completes the processing of the access request.
As shown in FIG. 2, this example is realized by the following steps:
Step one, a user access request is received and the input agent judges whether the user IP is in the blacklist of the honeypot server; if so, the request is directed into the honeypot server for execution; if not, go to step two;
Step two, the input is passed to the mimicry controller and delivered to the online executors; each time, the outputs of all executors are collected and fed to the voter; finally, for the time interval t, the error output count $V_i$ ($i = 1$ to $6$) and the total accepted input $P_i$ of executor i are collected, and the confidence $C_i$ ($i = 1$ to $6$) is calculated by the formula: $C_i$ equals 1 minus the ratio of $V_i$ to $P_i$ of executor i. For example, after the first time period t, 100 inputs have been received and the error results of the 6 executors are 0, 0, 1, 2, 0, 0; $P_i$ and $V_i$ are updated from the data, then the confidences are calculated and sorted accordingly;
Step three, the executor with the lowest $C_i$, $A_4$, is taken offline, and executor $E_1$ is brought online from the candidate executors $E_i$ ($i = 1$ to $6$);
Step four, after another time interval t of the same length, the error output count $V_i$ ($i = 1$ to $6$) and the total accepted input $P_i$ of each current executor i continue to be updated and the confidence $C_i$ ($i = 1$ to $6$) is calculated by the formula; the executors are then sorted accordingly, and online/offline replacement of executors continues through the quantitative-characterization replacement algorithm.
The above is an embodiment of the present invention, and the present invention is not limited by the above embodiment, and the specific implementation method may be determined by combining the technical scheme of the present invention with an actual application scenario.
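The rotation procedure of steps (1) to (3), replayed on the embodiment's numbers, as an added Python example that is not part of the patent text. Class and function names, the sample IP addresses and the request outputs are constructed; treating an executor with no history as confidence 1 and breaking ties by slot order are assumptions the text does not settle.

```python
from collections import Counter, deque
from dataclasses import dataclass


@dataclass
class Executor:
    name: str
    P: int = 0  # P_i: total inputs accepted while online
    V: int = 0  # V_i: outputs that disagreed with the voter

    @property
    def confidence(self) -> float:
        # C_i = 1 - V_i / P_i. Treating an executor with no history as
        # fully trusted is an assumption; the text does not cover P_i = 0.
        return 1.0 if self.P == 0 else 1.0 - self.V / self.P


class MimicController:
    def __init__(self, online, candidates, blacklist=()):
        self.online = [Executor(n) for n in online]
        self.candidates = deque(Executor(n) for n in candidates)
        self.blacklist = set(blacklist)  # fed by the honeypot in step (1)
        self.Q = 0  # inputs accepted in the current period t

    def handle(self, src_ip, outputs):
        """Vote on one request; `outputs` maps executor name -> its output.
        Returns the voted output, or None if the request goes to the honeypot."""
        if src_ip in self.blacklist:
            return None
        voted, _ = Counter(outputs[e.name] for e in self.online).most_common(1)[0]
        for e in self.online:
            if outputs[e.name] != voted:
                e.V += 1  # step (2.2): V_i = V_i + 1 on each disagreement
        self.Q += 1
        return voted

    def end_period(self):
        """Steps (2.2)-(3): update P_i, rank by C_i, rotate the lowest out."""
        for e in self.online:
            e.P += self.Q  # P_i = P_i + Q
        self.Q = 0
        ranking = sorted(self.online, key=lambda e: e.confidence, reverse=True)
        worst = ranking[-1]  # ties: stable sort, later slot loses (assumption)
        replacement = self.candidates.popleft()  # head of the offline queue
        self.candidates.append(worst)            # demoted to the tail
        self.online[self.online.index(worst)] = replacement
        return ranking, worst, replacement


def run_embodiment():
    """Constructed replay of the embodiment: 100 inputs, errors 0,0,1,2,0,0."""
    ctl = MimicController(
        online=[f"A{i}" for i in range(1, 7)],
        candidates=[f"E{i}" for i in range(1, 7)],
        blacklist={"203.0.113.7"},  # constructed documentation address
    )
    diverted = ctl.handle("203.0.113.7", {})  # never reaches the executors
    for k in range(100):
        outputs = {e.name: "ok" for e in ctl.online}
        if k == 10:
            outputs["A3"] = "bad"  # A3 disagrees with the vote once
        if k in (20, 30):
            outputs["A4"] = "bad"  # A4 disagrees with the vote twice
        ctl.handle("198.51.100.20", outputs)
    ranking, worst, replacement = ctl.end_period()
    return ctl, diverted, {e.name: e.confidence for e in ranking}, worst, replacement


if __name__ == "__main__":
    ctl, _, conf, worst, replacement = run_embodiment()
    print(conf, "offline:", worst.name, "online:", replacement.name)
```

Because the procedure always rotates out the lowest-ranked executor, an executor is replaced every period even when no disagreement was recorded; the demoted executor keeps its accumulated $P_i$ and $V_i$ for when it returns from the candidate queue.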

Claims (3)

1. A method for quantitatively characterizing the potential threat degree of a mimicry controller executor, characterized by comprising the following steps:
(1) For a user access request, judge whether the IP address belongs to the honeypot blacklist; if yes, the attack is directed into the honeypot for execution and all steps end; if not, the subsequent steps are performed.
(2) The mimicry controller records the difference between each executor's output for each processed input and the multi-mode voter, calculates the confidence of each executor, and updates and re-sorts the confidences each time a fixed time period passes, comprising the following sub-steps:
(2.1) Let M denote the total number of heterogeneous bodies available to provide service; when input is received, N heterogeneous bodies are selected to go online as the executor set of the mimicry controller, the mimicry controller delivers the input to the online executors, and the output of each executor is collected at the voter for multi-choice judgment.
(2.2) The mimicry controller updates the confidence of the executors: after a fixed time period t, let $Q$ denote the number of inputs accepted by an executor in the current time period; let $V_i$ denote the number of erroneous processings of the i-th executor, updated as $V_i = V_i + 1$ after each error of that executor; after the current time period ends, the total number of inputs accepted by each current executor is updated with $Q$ as $P_i = P_i + Q$, where $P_i$ records the total number of inputs accepted by the i-th executor; $C_i$ denotes the confidence of the i-th executor and is calculated by the following formula:
$$C_i = 1 - \frac{V_i}{P_i}$$
where $i = 1, 2, \dots, N$.
(2.3) The executor confidences $C_i$ obtained according to step (2.1) are sorted;
(3) The executor with the lowest confidence in the ranking obtained in step (2.3) is taken offline and placed last in the ordering of offline candidate executors; executors are brought online in sequence from the offline candidate executors; then jump to step (2.2) and enter the next time period t.
2. The method for quantitatively characterizing the potential threat degree of a mimicry controller executor according to claim 1, wherein the heterogeneous bodies in step (2.1) comprise the executors and the offline candidate executors.
3. The method for quantitatively characterizing the potential threat degree of a mimicry controller executor according to claim 1, wherein erroneous processing in step (2.2) means that the voter decides the consistent output and any executor output inconsistent with the decision is regarded as an erroneous output.
CN201910772464.7A 2019-08-21 2019-08-21 quantitative characterization method for potential threat degree of mimicry controller executive body Pending CN110581845A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910772464.7A CN110581845A (en) 2019-08-21 2019-08-21 quantitative characterization method for potential threat degree of mimicry controller executive body

Publications (1)

Publication Number Publication Date
CN110581845A (en) 2019-12-17

Family

ID=68811663

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910772464.7A Pending CN110581845A (en) 2019-08-21 2019-08-21 quantitative characterization method for potential threat degree of mimicry controller executive body

Country Status (1)

Country Link
CN (1) CN110581845A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20191217