CN110784449A - Space arrangement-based network security system for distributed attack - Google Patents

Info

Publication number
CN110784449A
Authority
CN
China
Prior art keywords
module
space
computer
path
clock signal
Prior art date
Legal status
Withdrawn
Application number
CN201910901811.1A
Other languages
Chinese (zh)
Inventor
徐建红
Current Assignee
TAICANG REDCODE SOFTWARE TECHNOLOGY Co Ltd
Original Assignee
TAICANG REDCODE SOFTWARE TECHNOLOGY Co Ltd
Priority date
2019-09-23
Filing date
2019-09-23
Publication date
2020-02-11

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The invention relates to a network security system against distributed attacks based on spatial arrangement. The system comprises a network path module, a computer path module, a shift register module, a virtual space module and a space transposition module. The computer path module simulates, within the computer system, the transmission form of the network information transmission path acquired by the network path module, and is provided with a plurality of recording points that divide the path simulated by the computer path module in real time. The shift register module comprises a plurality of shift registers that change the paths of the recording points. The virtual space module is attached to the computer path module and comprises a plurality of virtual position spaces, each of which contains a plurality of recording points. The space transposition module exchanges virtual position spaces by means of the space position corresponding to each virtual position space, and can exchange the space position of any virtual position space.

Description

Space arrangement-based network security system for distributed attack
Technical Field
The invention relates to the field of network security, and in particular to a network security system against distributed attacks based on spatial arrangement.
Background
With the rapid development and deep application of computer science and technology, the revolution in cyberspace is constantly changing and affecting people's way of life. As people become ever more dependent on the internet, and much confidential information about enterprises, individuals and even countries passes through it, network security has become an important issue in technological development. Among the many network attack methods found on the internet, the distributed denial-of-service attack (DDoS) is the most common and has strong destructive power. Distributed denial-of-service attacks mostly originate from botnets, whose members cooperate to launch a denial-of-service attack on one or more targets. Because the DDoS attack method is simple and well concealed, no means of completely defending against DDoS attacks exists so far. In the prior art, a specific firewall is often arranged in the computer to defend against distributed attacks, but the defense only starts after the distributed attack has penetrated into the computer, and when the defense is carried out for a long time with the firewall in the same area, the firewall itself may be invaded.
Disclosure of Invention
The purpose of the invention is as follows:
In the prior art, a specific firewall is usually arranged in the computer to defend against distributed attacks, but the defense usually starts only after the distributed attack has penetrated into the computer, and the firewall itself may be invaded when the defense is carried out for a long time with the firewall in the same area. To address these problems, the invention provides a network security system against distributed attacks based on spatial arrangement.
The technical scheme is as follows:
A network security system against distributed attacks based on spatial arrangement comprises a network path module, a computer path module, a shift register module, a virtual space module and a space transposition module, which are connected with each other. The network path module acquires a network information transmission path. The computer path module simulates, within the computer system, the transmission form of the network information transmission path acquired by the network path module, and is provided with a plurality of recording points that divide the path simulated by the computer path module in real time. The shift register module comprises a plurality of shift registers that change the paths of the recording points. The virtual space module is attached to the computer path module and comprises a plurality of virtual position spaces; each virtual position space contains a plurality of recording points and moves in accordance with its corresponding recording points. The space transposition module exchanges virtual position spaces by means of the space position corresponding to each virtual position space, and can exchange the space position of any virtual position space.
As a preferred mode of the present invention, a virtual position space that has already been transposed may be transposed again by the space transposition module.
As a preferred mode of the present invention, the network path module further includes a clock signal module, which is connected to the network path module and the computer path module; the clock signal module acquires the clock signal of the information stream transmitted in the computer path module and analyzes how that clock signal repeats.
As a preferred mode of the present invention, the clock signal module uses one period of the clock signal as an adjustment period, and within one period adjusts the information flows conducted in the computer path module for a plurality of different virtual position spaces.
In a preferred embodiment of the present invention, the recording points are in a free state, and after the clock signal module confirms the change condition of the clock signal of the information stream, the shift register determines the position of each recording point according to the change nodes of the clock signal.
In a preferred embodiment of the present invention, the shift register shifts the corresponding recording point based on the clock signal.
As a preferred mode of the present invention, the system further includes a mirror module, which mirrors the computer path module, the shift register module and the virtual space module under the current condition; the mirror result is the space positions of the shift registers and the virtual position spaces on the main path in the computer path module.
As a preferred mode of the present invention, the mirror module simulates, by mirroring, the transposition condition of the virtual position spaces according to the space transposition module.
As a preferred mode of the present invention, the system further includes a connection transfer module, which is connected to the computer path module and to the external network, and transfers the connection of the external network to the mirror result of the mirror module after the clock signal module determines that a period is over.
The invention realizes the following beneficial effects:
By simulating the attack path of the attack data flow, the attack data flow is guided; when a characteristic value with the clock signal as its characteristic is obtained, the attack data flow is analyzed, and according to the periodic change of the clock signal the attack data flow is guided to a virtual mirror simulation result. This solves the problems that a specific firewall is always arranged in the computer for defense, that the defense always starts only after the distributed attack has penetrated into the computer, and that the firewall itself may be invaded when the defense is performed for a long time with the firewall in the same area.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure.
FIG. 1 is a system framework diagram of the present invention;
FIG. 2 is an abstract diagram of a computer path module edit path;
FIG. 3 is a schematic of the mirror image.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments.
The first embodiment is as follows:
Reference is made to FIGS. 1-3. A network security system against distributed attacks based on spatial arrangement comprises a network path module 1, a computer path module 2, a shift register module 3, a virtual space module 4 and a space transposition module 5, which are connected with each other. The network path module 1 acquires a path for network information transmission. The computer path module 2 simulates, within the computer system, the transmission form of the network information transmission path acquired by the network path module 1, and is provided with a plurality of recording points 6 that divide the path simulated by the computer path module 2 in real time. The shift register module 3 comprises a plurality of shift registers 7, which change the paths of the recording points 6. The virtual space module 4 is attached to the computer path module 2 and includes a plurality of virtual position spaces 8; each virtual position space 8 includes a plurality of recording points 6 and acts in accordance with its corresponding recording points 6. The space transposition module 5 exchanges virtual position spaces 8 by means of the space position corresponding to each virtual position space 8, and can exchange the space position of any virtual position space 8.
As a preferred mode of the present invention, a virtual position space 8 that has already been transposed may be transposed again by the space transposition module 5.
As a preferred embodiment of the present invention, the network path module 1 further comprises a clock signal module 9, which is connected to the computer path module 2; the clock signal module 9 acquires the clock signal of the information stream transmitted in the computer path module 2 and analyzes how that clock signal repeats.
As a preferred mode of the present invention, the clock signal module 9 uses one period of the clock signal as an adjustment period, and within one period adjusts the information flow conducted in the computer path module 2 for a plurality of different virtual position spaces 8.
In a preferred embodiment of the present invention, the recording points 6 are in a free state, and after the clock signal module 9 confirms the change condition of the clock signal of the information stream, the shift register 7 determines the positions of the recording points 6 according to the change nodes of the clock signal.
In a preferred embodiment of the present invention, the shift register 7 shifts the corresponding recording point 6 based on the clock signal.
As a preferred embodiment of the present invention, the system further includes a mirror module 10, which mirrors the computer path module 2, the shift register module 3 and the virtual space module 4 under the current condition; the mirror result is the spatial positions of the shift registers 7 and the virtual position spaces 8 on the main path in the computer path module 2.
As a preferred aspect of the present invention, the mirror module 10 simulates, by mirroring, the transposition status of the virtual position spaces 8 according to the space transposition module 5.
As a preferred mode of the present invention, the system further includes a connection transfer module, which is connected to the computer path module 2 and to the external network, and transfers the connection of the external network to the mirror result of the mirror module 10 after the clock signal module 9 determines that one period is finished.
In the specific implementation, when network data flows into the computer, the clock signal of the data flow and the repetitiveness of its content are used to judge whether the data flow is distributed attack information; if so, the security system is started.
Once the security system is started, the network path module 1 obtains the state of the transmission path that the information stream followed through the internet, for example which information transmission method was used. The computer path module 2 then simulates, within the computer, a data stream transmission path according to the transmission path state obtained by the network path module 1, and when the data stream that constitutes the distributed attack data is transmitted to the computer, the computer path module 2 introduces it into the simulated transmission path that has been calculated. While defending against the distributed attack data stream, the clock signal module 9 obtains the clock signal of that data stream, and the positions where the clock signal changes between high and low level are used as the action positions of the recording points 6. After the action positions of the recording points 6 are obtained, the recording points 6 are randomly distributed into the virtual position spaces 8 of the virtual space module 4. In each virtual position space 8, any one recording point 6 is selected at random, and the shift register 7 corresponding to that recording point 6 is randomly replaced by any of the remaining shift registers 7, so that a certain error is generated on the transmission path of the distributed attack data stream designed by the current computer path module 2. Furthermore, the space transposition module 5 randomly selects any two virtual position spaces 8 and interchanges their space positions; the result causes the transmission path of the distributed attack data stream designed by the computer path module 2 to generate a further error, so that under its normal clock signal the distributed attack data stream is transmitted along the wrong transmission path.
For the shift register module 3 and the space transposition module 5, the replacement is performed only once within one cycle of the clock signal; when the clock signal passes beyond one cycle, the shift register module 3 and the space transposition module 5 exchange the shift registers 7 and the space positions again.
The mirror module 10 mirrors the computer path module 2, the shift register module 3 and the virtual space module 4 under the current condition; the mirror result is the space positions of the shift registers 7 and the virtual position spaces 8 on the main path in the computer path module 2. The mirror module 10 simulates the transposition condition of the virtual position spaces 8 according to the space transposition module 5, and the mirrored simulation result is consistent with the original result. The connection transfer module is connected with the computer path module 2 and the external network, and after the clock signal module 9 judges that one period is finished, it transfers the connection of the external network to the mirror result of the mirror module 10. It is worth mentioning that the mirror result can automatically replace the shift register module 3 and the space transposition module 5 under the mirror, and after the mirror result is connected to the external network, the path originally calculated by the computer path module 2 is restored and the data streams other than the distributed attack data stream are acquired.
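The trigger in the first step of the implementation above, starting the defense only when a data flow shows a clock-like timing pattern and repeated content, modelled in Python as an added example (not the patent's own code): inter-arrival regularity is measured as the coefficient of variation of the gaps between packets from one source, and repetition as the share of duplicate payload hashes. The Packet record, the thresholds and the sample traffic are assumptions constructed for this example.

```python
from __future__ import annotations

import hashlib
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal packet record for the example (assumed shape, not a capture format)."""
    ts: float       # arrival time, seconds
    src: str        # source address as seen by the collector
    payload: bytes  # application payload


def payload_digest(payload: bytes) -> str:
    """Hash the payload so repeated content is compared by digest, not by raw bytes."""
    return hashlib.sha256(payload).hexdigest()


def interarrival_cv(timestamps: list[float]) -> float | None:
    """Coefficient of variation (stdev / mean) of the gaps between arrivals.

    A value near 0 means the packets tick like a clock, which is the
    'clock signal' regularity the description uses as one trigger.
    Returns None when fewer than three packets are available.
    """
    if len(timestamps) < 3:
        return None
    gaps = [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]
    mean_gap = statistics.fmean(gaps)
    if mean_gap <= 0:
        return 0.0  # all packets share one timestamp: maximally regular
    return statistics.pstdev(gaps) / mean_gap


def repetition_ratio(digests: list[str]) -> float:
    """Share of packets whose payload repeats an earlier payload from the same source."""
    if not digests:
        return 0.0
    return 1.0 - len(set(digests)) / len(digests)


def classify_sources(packets: list[Packet], *, min_packets: int = 5,
                     max_cv: float = 0.2, min_repeat: float = 0.8) -> dict[str, dict]:
    """Per-source verdict: flagged when timing is clock-like AND content repeats.

    Thresholds are assumed values for the example; tune them per environment.
    """
    by_src: dict[str, list[Packet]] = defaultdict(list)
    for pkt in sorted(packets, key=lambda p: p.ts):
        by_src[pkt.src].append(pkt)
    verdicts: dict[str, dict] = {}
    for src, pkts in by_src.items():
        cv = interarrival_cv([p.ts for p in pkts])
        rep = repetition_ratio([payload_digest(p.payload) for p in pkts])
        flagged = (len(pkts) >= min_packets and cv is not None
                   and cv <= max_cv and rep >= min_repeat)
        verdicts[src] = {"count": len(pkts), "cv": cv, "repeat": rep, "flagged": flagged}
    return verdicts


def should_start_defence(packets: list[Packet], **thresholds) -> bool:
    """True when any source meets both trigger conditions."""
    return any(v["flagged"] for v in classify_sources(packets, **thresholds).values())


# Constructed sample traffic (documentation address ranges, not captured data).
FLOOD = [Packet(10.0 + 0.01 * i, "198.51.100.7",
                b"GET / HTTP/1.1\r\nHost: example\r\n\r\n") for i in range(20)]
NORMAL = [
    Packet(10.00, "203.0.113.5", b"GET /index.html"),
    Packet(10.37, "203.0.113.5", b"GET /style.css"),
    Packet(10.41, "203.0.113.5", b"GET /logo.png"),
    Packet(11.90, "203.0.113.5", b"POST /search q=network+security"),
    Packet(12.05, "203.0.113.5", b"GET /about"),
    Packet(14.30, "203.0.113.5", b"GET /contact"),
]

if __name__ == "__main__":
    for src, verdict in classify_sources(FLOOD + NORMAL).items():
        print(src, verdict)
    print("start defence:", should_start_defence(FLOOD + NORMAL))
```

Both conditions must hold, so a regular but varied stream (a monitoring probe) and an irregular but repetitive one (retries) are not flagged on their own.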
The above embodiments are merely illustrative of the technical ideas and features of the present invention, and are intended to enable those skilled in the art to understand the contents of the present invention and implement the present invention, and not to limit the scope of the present invention. All equivalent changes or modifications made according to the spirit of the present invention should be covered within the protection scope of the present invention.

Claims (9)

1. A network security system against distributed attacks based on spatial arrangement, comprising a network path module, a computer path module, a shift register module, a virtual space module and a space transposition module, which are connected with each other, wherein: the network path module acquires a network information transmission path; the computer path module simulates, within the computer system, the transmission form of the network information transmission path acquired by the network path module, and is provided with a plurality of recording points that divide the path simulated by the computer path module in real time; the shift register module comprises a plurality of shift registers that change the paths of the recording points; the virtual space module is attached to the computer path module and comprises a plurality of virtual position spaces, each virtual position space comprising a plurality of recording points and moving in accordance with its corresponding recording points; and the space transposition module exchanges virtual position spaces by means of the space position corresponding to each virtual position space, and can exchange the space position of any virtual position space.
2. The network security system against distributed attacks based on spatial arrangement according to claim 1, wherein: the space transposition module is permitted to transpose again a virtual position space that has already been transposed, according to its previous virtual position space.
3. The network security system against distributed attacks based on spatial arrangement according to claim 2, wherein: the network path module further comprises a clock signal module, which is connected with the network path module and the computer path module, and the clock signal module acquires the clock signal of the information stream transmitted in the computer path module and analyzes the repetition condition of that clock signal.
4. The network security system against distributed attacks based on spatial arrangement according to claim 3, wherein: the clock signal module takes one period of the clock signal as an adjustment period, and within one period adjusts the information flow conducted in the computer path module for a plurality of different virtual position spaces.
5. The network security system against distributed attacks based on spatial arrangement according to claim 4, wherein: the recording points are in a free state, and after the clock signal module confirms the change condition of the clock signal of the information stream, the shift register determines the position of each recording point according to a change node of the clock signal.
6. The network security system against distributed attacks based on spatial arrangement according to claim 5, wherein: based on the clock signal, the shift register shifts the corresponding recording point.
7. The network security system against distributed attacks based on spatial arrangement according to claim 6, wherein: the system further comprises a mirror image module, which mirrors the computer path module, the shift register module and the virtual space module under the current condition, the mirror image result being the space positions of the shift registers and the virtual position spaces on the main path in the computer path module.
8. The network security system against distributed attacks based on spatial arrangement according to claim 7, wherein: the mirror image module carries out a mirror image simulation of the transposition condition of the virtual position spaces according to the space transposition module.
9. The network security system against distributed attacks based on spatial arrangement according to claim 8, wherein: the system further comprises a connection transfer module, which is connected with the computer path module and an external network, and the connection transfer module transfers the connection of the external network to the mirror image result of the mirror image module after the clock signal module judges that a period is finished.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910901811.1A CN110784449A (en) 2019-09-23 2019-09-23 Space arrangement-based network security system for distributed attack

Publications (1)

Publication Number Publication Date
CN110784449A true CN110784449A (en) 2020-02-11

Family

ID=69383731

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111510459A (en) * 2020-04-24 2020-08-07 Taicang Redcode Software Technology Co Ltd Network attack defense system based on clock signal

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105187437A (en) * 2015-09-24 2015-12-23 Guangdong Shunde Sun Yat-sen University-Carnegie Mellon University International Joint Research Institute Centralized detection system of SDN denial of service attack
US20160205122A1 (en) * 2013-04-10 2016-07-14 Gabriel Bassett System and Method for Cyber Security Analysis and Human Behavior Prediction
CN107404465A (en) * 2016-05-20 2017-11-28 Alibaba Group Holding Ltd Network data analysis method and server
CN108900498A (en) * 2018-06-25 2018-11-27 Harbin Institute of Technology Zombie machine scheduling attack method based on a BGP network range
CN109005157A (en) * 2018-07-09 2018-12-14 Huazhong University of Science and Technology DDoS attack detection and defence method and system in a software-defined network

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Zhai Jiqiang et al.: "Implementing DDoS attack path identification using a divide-and-conquer strategy", Journal of Harbin University of Science and Technology *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20200211