CN111163070A - Method, device, equipment and medium for judging correct link of service chain safety deployment under mimicry defense - Google Patents

Method, device, equipment and medium for judging correct link of service chain safety deployment under mimicry defense

Info

Publication number
CN111163070A
Authority
CN
China
Prior art keywords
service
data
deployment
service chain
category
Legal status
Pending
Application number
CN201911311849.XA
Other languages
Chinese (zh)
Inventor
汤中运
李传煌
王伟明
雷睿
叶晨轶
陈泽斌
Current Assignee
Zhejiang Gongshang University
Original Assignee
Zhejiang Gongshang University
Application filed by Zhejiang Gongshang University
Priority to CN201911311849.XA
Publication of CN111163070A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L63/20 Network architectures or network communication protocols for network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The present application discloses a correct link decision method, apparatus, device and medium for the secure deployment of service chains under mimicry defense. The method includes: acquiring the data of all service chain deployment executors, where each group of data contains a service function and a service path; extracting and comparing all service functions, and separately extracting and comparing the service paths; if two groups of data have the same service function and the same service path, judging the two groups to be consistent, placing consistent data in one class, counting the amount of data in each class, recording the class with the largest amount of data as correct data and the rest as abnormal data; and feeding back the executors that output abnormal data so that they are cleaned or taken offline. The method, apparatus, device and medium provided by the present application enhance the security of the mimicry service chain deployment system.

Description

Method, device, equipment and medium for judging correct link of service chain safety deployment under mimicry defense
Technical Field
The embodiment of the application relates to the field of service deployment and mimicry security defense, in particular to a correct link judgment method, device, equipment and medium for service chain security deployment under mimicry defense.
Background
With the advent and deployment of Software Defined Networking (SDN) and Network Function Virtualization (NFV) technology, the deployment of service function chains has taken on a new form. Service function chain deployment is carried out on the basis of SDN/NFV: NFV can virtualize common physical equipment and build resource pools for the various network service functions, while SDN can dynamically and centrally schedule the paths of traffic by separating the control and forwarding planes of network devices, thereby providing customized and flexible forwarding. Users and operators can identify service requirements, create Virtual Network Functions (VNFs) on the service function chain through NFV, automatically configure the service logic of the virtual service functions, and automatically steer the related service flows through the virtual service functions in order by means of SDN, thereby completing the creation of the service function chain.
The Dynamic Heterogeneous Redundancy (DHR) model is the basic model of mimicry defense. Under this model, an important link in the processing performed by the heterogeneous executor set is the following: the scheduler duplicates the same input into M copies and sends the M messages to the heterogeneous executor set; the M messages are processed by the M executors in the set; the processed results are sent to a decider, which decides on a single, relatively correct output result; and while the system runs, the scheduler generates a new heterogeneous executor set to replace the current one according to feedback control messages. Mimicry defense addresses the nature of an attack and provides its defensive function through endogenous features of the system architecture, so a strong defensive effect can be achieved against both known and unknown security threats.
The decider in the service deployment system under mimicry defense has two main functions: 1. comparing the output results of the executors, namely the service function data and the service path data, and selecting the result produced by the relatively larger number of executors as the correct result for the final service chain deployment and output. Thus, even if some executors are attacked, the correct result can still be output and normal deployment of the service chain is guaranteed. To attack the system successfully, an attacker would need to successfully attack a majority of the service deployment executors running on different underlying systems, which greatly increases the attacker's difficulty. 2. According to the decision result, the decider also feeds back the abnormal service chain deployment executors to the scheduler, which takes them offline or cleans them, thereby keeping the whole executor pool clean. The decision method of the invention needs to carry out two decisions at the same time, covering service function arrangement and service path selection. Finally, the decider randomly selects an executor from the set of normal executors; that executor is connected with the underlying service resource pool, and the service function chain meeting the user's service requirements is completed in a concrete instance.
Disclosure of Invention
In view of this, embodiments of the present application provide a correct link decision method, apparatus, device and medium for service chain security deployment under mimicry defense, which solve the problem of deciding on the output result when multiple executors work cooperatively.
The technical scheme adopted by the embodiment of the application is as follows:
in a first aspect, an embodiment of the present application provides a correct link decision method for service chain security deployment under mimicry defense, which comprises:
acquiring data of all service chain deployment executors, wherein the content of each group of data comprises a service function and a service path;
respectively extracting and comparing all service functions, respectively extracting and comparing service paths, judging that two groups of data are consistent if the service functions of the two groups of data are the same and the service paths are the same, dividing the consistent data into one class, counting the data volume of each class, recording the class with the largest data volume as correct data, and taking the rest as abnormal data;
feeding back the executive body which outputs the abnormal data;
and cleaning or offline the executive body which outputs the abnormal data.
Further, acquiring the data of all service chain deployment executors, where the content of each group of data includes a service function and a service path, includes:
expressing the output results of the M executors among all service chain deployment executors by a set $V$:
$V = (V_1, V_2, \dots, V_i, \dots, V_M)$
where the output result of each executor is described by a quadruple, namely:
$V_i = (I_i, E_i, SF_i, SFP_i)$
where $I_i$ and $E_i$ respectively denote the source address and the destination address through which the service chain request traffic passes in the output result of the $i$-th executor, $SF_i$ denotes the set of service functions that the service chain request traffic passes through in the output result of the $i$-th executor, and $SFP_i$ denotes the set of service paths through which the service chain request traffic passes in the output result of the $i$-th executor.
Further, extracting and comparing all the service functions, extracting and comparing the service paths, determining that two groups of data are consistent if their service functions are the same and their service paths are the same, classifying the consistent data into one class, counting the data volume of each class, recording the class with the largest data volume as correct data and the rest as abnormal data, includes:
defining a service function comparison function $w_1(SF_i, SF_j)$ to express the comparison result between the service functions traversed by the service chain request traffic in the output results of each executor, where $i \neq j$:
[Formula image BDA0002324744970000021 not reproduced in the text]
defining a service path comparison function $w_2(SFP_i, SFP_j)$ to express the comparison result between the service paths traversed by the service chain request traffic in the output results of each executor, where $i \neq j$:
[Formula image BDA0002324744970000031 not reproduced in the text]
when the decision results for the service function and the service path in the output results of two executors are both consistent, the output results of the two executors are considered consistent, that is:
$$SF_i = SF_j \land SFP_i = SFP_j \Rightarrow V_i = V_j \quad (i \neq j)$$
and dividing the consistent data into one class, counting the data volume of each class, recording the class with the most data volume as correct data, and recording the rest as abnormal data.
Further, cleaning or taking offline the executor corresponding to the abnormal data includes:
letting sign be the feedback flag function:
[Formula image BDA0002324744970000032 not reproduced in the text]
When the value of the feedback flag function sign is 1, all executors in the executor set are normal; when the value of sign is -1, an abnormal executor exists in the executor set. In the latter case the decider feeds back the exception to the scheduler, and after receiving the decider's feedback the scheduler cleans or takes offline the abnormal executors until only normal executors remain in the executor set.
In a second aspect, an embodiment of the present application provides a correct link decision device for service chain security deployment under mimicry defense, including:
the receiving module is used for acquiring data of all service chain deployment executors, and the content of each group of data comprises a service function and a service path;
the judging module is used for respectively extracting and comparing all service functions, respectively extracting and comparing service paths, judging that the two groups of data are consistent if the service functions of the two groups of data are the same and the service paths are the same, dividing the consistent data into one class, counting the data volume of each class, recording the class with the largest data volume as correct data and the rest as abnormal data;
the feedback module is used for feeding back the executive bodies which output the abnormal data;
and the clearing module is used for cleaning or offline the executive body which outputs the abnormal data.
In a third aspect, an embodiment of the present application provides an apparatus, including:
one or more processors;
a memory for storing one or more programs;
when the one or more programs are executed by the one or more processors, the one or more processors implement a correct link decision method for service chain security deployment under a mimicry defense as described in the first aspect.
In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements a method for determining a correct link for service chain security deployment under mimicry defense as described in the first aspect.
By adopting the technical scheme, the beneficial effects brought by the embodiment of the application are as follows:
By adopting the method for deciding on the secure deployment of a service chain under mimicry defense, in which the executors' data results are decided by the minority obeying the majority, the workload of an attacker trying to compromise the system is effectively increased: the attack succeeds only if more than half of the executors are compromised. Meanwhile, the feedback and cleaning modules effectively protect the purity of the executor set.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a flowchart of a method for determining a correct link for service chain security deployment under a mimicry defense according to an embodiment of the present application;
fig. 2 is a flowchart of a specific work flow of decision processing provided in an embodiment of the present application;
fig. 3 is a schematic structural diagram of a correct link decision device for service chain security deployment under mimicry defense according to a second embodiment of the present application;
fig. 4 is a schematic structural diagram of an apparatus provided in the third application embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the technical solutions of the present application will be described in detail and completely with reference to the following specific embodiments of the present application and the accompanying drawings. It should be apparent that the described embodiments are only some of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Example one:
fig. 1 is a flowchart of a method for determining a correct link for service chain security deployment under mimicry defense, which is applied to a server side and includes:
step S100, a decision device acquires data of deployment executors of all service chains, and the content of each group of data comprises a service function and a service path;
specifically, the set $V$ is used to represent the output results of the M executors among all service chain deployment executors:
$V = (V_1, V_2, \dots, V_i, \dots, V_M)$
where the output result of each executor is described by a quadruple, namely:
$V_i = (I_i, E_i, SF_i, SFP_i)$
where $I_i$ and $E_i$ respectively denote the source address and the destination address through which the service chain request traffic passes in the output result of the $i$-th executor, $SF_i$ denotes the set of service functions that the service chain request traffic passes through in the output result of the $i$-th executor, and $SFP_i$ denotes the set of service paths through which the service chain request traffic passes in the output result of the $i$-th executor.
Step S200, the decider performs decision processing: all service functions are extracted and compared, and all service paths are extracted and compared; if the service functions of two groups of data are the same and their service paths are the same, the two groups are judged consistent; the consistent data are placed in one class, the data volume of each class is counted, the class with the largest data volume is recorded as correct data, and the rest are abnormal data. As shown in fig. 2, specifically:
a service function comparison function $w_1(SF_i, SF_j)$ is defined to express the comparison result between the service functions traversed by the service chain request traffic in the output results of each executor, where $i \neq j$:
[Formula image BDA0002324744970000051 not reproduced in the text]
a service path comparison function $w_2(SFP_i, SFP_j)$ is defined to express the comparison result between the service paths traversed by the service chain request traffic in the output results of each executor, where $i \neq j$:
[Formula image BDA0002324744970000052 not reproduced in the text]
when the decision results for the service function and the service path in the output results of two executors are both consistent, the output results of the two executors are considered consistent, that is:
$$SF_i = SF_j \land SFP_i = SFP_j \Rightarrow V_i = V_j \quad (i \neq j)$$
The consistent data are placed in one class, the data volume of each class is counted, the class with the largest data volume is recorded as correct data, and the rest are recorded as abnormal data. The decider outputs the correct data as the decision result.
Step S300, the decider interfaces with the scheduler and feeds back to the scheduler the executors that output abnormal data in the decision result; specifically, the method comprises the following steps:
defining an abnormal executable feedback function
f*=feedback()
The calling format is as follows:
f*=feedback(D,S,sign)
where D denotes the decider module, S denotes the scheduler module, and sign is the feedback flag function:
[Formula image BDA0002324744970000053 not reproduced in the text]
When the value of the feedback flag function sign is 1, all executors in the executor set are normal; when the value of sign is -1, an abnormal executor exists in the executor set, and the decider then feeds back the exception to the scheduler.
Step S400, the scheduler cleans or takes offline the executor that output the abnormal data.
After receiving the decider's feedback, the scheduler cleans or takes offline the abnormal executor, that is:
[Formula image BDA0002324744970000061 not reproduced in the text]
which indicates that the abnormal executor is cleaned, where
[Formula image BDA0002324744970000062 not reproduced in the text]
is the n-th abnormal executor and
[Formula image BDA0002324744970000063 not reproduced in the text]
is the normal executor after the n-th cleaning.
When only normal executors remain in the executor set, this is expressed as:
[Formula image BDA0002324744970000064 not reproduced in the text]
which indicates that the abnormal executor is taken offline.
Both approaches ensure the cleanliness of the executor set.
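The decision and feedback procedure of steps S100 to S400 (and of the first aspect above), as an added Python illustration that is not code from the patent: executor outputs are grouped by identical (SF, SFP), the largest class is taken as correct, sign is -1 whenever any executor falls outside that class, and the scheduler cleans or takes offline the reported executors. The class and function names, the switch:port notation for paths, the handling of a tie between classes and the three-executor sample data are assumptions; the sample also reproduces the "more than half" limit from the beneficial effects, since with two of three executors tampered the tampered path wins the vote.

```python
"""Majority decision over heterogeneous executor outputs under mimicry defense.

Added illustration of steps S100-S400; not code from the patent. All names,
the tie handling and the constructed sample data are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Key = Tuple[Tuple[str, ...], Tuple[str, ...]]  # (SF_i, SFP_i)


@dataclass(frozen=True)
class ExecutorOutput:
    """Quadruple V_i = (I_i, E_i, SF_i, SFP_i) produced by executor i."""
    executor_id: int
    src: str                  # I_i: source address of the service chain request
    dst: str                  # E_i: destination address
    sf: Tuple[str, ...]       # SF_i: service functions the request traffic traverses
    sfp: Tuple[str, ...]      # SFP_i: service path, written here as switch:port hops


def w1(a: ExecutorOutput, b: ExecutorOutput) -> bool:
    """Service function comparison function w1(SF_i, SF_j)."""
    return a.sf == b.sf


def w2(a: ExecutorOutput, b: ExecutorOutput) -> bool:
    """Service path comparison function w2(SFP_i, SFP_j)."""
    return a.sfp == b.sfp


def consistent(a: ExecutorOutput, b: ExecutorOutput) -> bool:
    """V_i = V_j holds only when both SF and SFP agree."""
    return w1(a, b) and w2(a, b)


@dataclass
class Decision:
    correct: Optional[Key]    # (SF, SFP) of the largest class; None if undecidable
    normal_ids: List[int]
    abnormal_ids: List[int]
    sign: int                 # feedback flag: 1 = all normal, -1 = some abnormal


def decide(outputs: List[ExecutorOutput]) -> Decision:
    """Step S200: class outputs by (SF, SFP); the largest class is the correct data."""
    classes: Dict[Key, List[int]] = {}
    for v in outputs:
        classes.setdefault((v.sf, v.sfp), []).append(v.executor_id)
    ranked = sorted(classes.items(), key=lambda kv: len(kv[1]), reverse=True)
    best_key, best_ids = ranked[0]
    # Assumption added here: the patent does not say what to do when two classes tie
    # for largest; this version refuses to decide and reports every executor.
    if len(ranked) > 1 and len(ranked[1][1]) == len(best_ids):
        return Decision(None, [], sorted(v.executor_id for v in outputs), -1)
    abnormal = sorted(i for _, ids in ranked[1:] for i in ids)
    return Decision(best_key, sorted(best_ids), abnormal, 1 if not abnormal else -1)


def feedback(decision: Decision) -> List[int]:
    """Step S300: f* = feedback(D, S, sign); the executors reported when sign == -1."""
    return decision.abnormal_ids if decision.sign == -1 else []


class Scheduler:
    """Step S400: clean or take offline the executors reported by the decider."""

    def __init__(self, executor_ids: List[int]) -> None:
        self.pool: Set[int] = set(executor_ids)   # executors currently in the set
        self.offline: Set[int] = set()
        self.cleaned: List[int] = []

    def handle(self, abnormal_ids: List[int], take_offline: bool = False) -> None:
        for i in abnormal_ids:
            if take_offline:
                self.pool.discard(i)
                self.offline.add(i)
            else:
                self.cleaned.append(i)   # executor i is reset and stays in the pool


# Constructed sample: M = 3 executors deploying the same chain; a tampered executor
# emits a flow entry whose output port on the first hop was changed.
GOOD_SF = ("firewall", "ids", "nat")
GOOD_SFP = ("sw1:p2", "sw2:p3", "sw3:p1")
TAMPERED_SFP = ("sw1:p4", "sw2:p3", "sw3:p1")


def sample_outputs(tampered: Set[int]) -> List[ExecutorOutput]:
    return [ExecutorOutput(i, "10.0.0.1", "10.0.0.9", GOOD_SF,
                           TAMPERED_SFP if i in tampered else GOOD_SFP)
            for i in (1, 2, 3)]


def run(tampered: Set[int], take_offline: bool = False) -> Tuple[Decision, Scheduler]:
    outputs = sample_outputs(tampered)
    decision = decide(outputs)
    sched = Scheduler([v.executor_id for v in outputs])
    sched.handle(feedback(decision), take_offline)
    return decision, sched


if __name__ == "__main__":
    d, s = run({1}, take_offline=True)   # one of three tampered: the majority survives
    print(d.correct == (GOOD_SF, GOOD_SFP), d.abnormal_ids, sorted(s.pool))
    d, _ = run({1, 2})                   # two of three tampered: the attacker wins the vote
    print(d.correct == (GOOD_SF, TAMPERED_SFP), d.abnormal_ids)
```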
The decider mainly performs minority-obeys-majority decisions on the output results of all executors in the heterogeneous executor set, so that a relatively wrong or tampered service chain is discarded. The decider needs to perform two decision operations, one for the service function and one for the service path, mainly because the service chain deployment process consists of two steps, service function arrangement and service path selection. After the service chain deployment executors complete the service path selection, a decision is performed once more to ensure the safety of the service path. The decision process realizes perception of abnormal executors in the system; the abnormal executors are fed back to the scheduler, which cleans them or takes them offline. Finally, the decider randomly selects an executor from the set of normal executors, connects it through its service chain deployment to the underlying service resource pool, and deploys the service chain meeting the user's requirement in the concrete instance.
The decider is an important gate for data. When an executor is attacked or behaves abnormally, the abnormality in its service function and service path is perceived by the decider, so even if a few executors are attacked successfully the final correct result is not affected, and the abnormal executors are fed back. This greatly increases the attacker's difficulty and enhances the security of the mimicry service chain deployment system.
According to the method and device, an attacker is simulated attacking the service chain deployment mimicry defense system, and it is observed whether the service chain finally deployed by the system is consistent with the service chain request issued by the user in two different states, mimicry off and mimicry on. If, with mimicry off, the service chain deployed under attack is inconsistent with the service chain request issued by the user, and, after mimicry is turned on, the deployed service chain is consistent with the request, then the service chain deployment mimicry defense system realizes the effect of mimicry defense; otherwise it does not.
First, with mimicry off, the Nmap scanning tool is used to scan and probe the service chain deployment mimicry defense system and obtain information such as its open ports, running services and operating system version. The result of a first scan is obtained; after a period of time a second scan of the target system is made with Nmap, and its result is consistent with the first; after a further period a third scan is made, and its result is still consistent with the first, which indicates that the target system is in a static state at this point. A user is then simulated performing the corresponding service chain deployment operation, entering service chain request data such as the service function name and service function MAC address into the Web front-end interface. Then an attacker is simulated tampering with the target system, specifically tampering with the flow table entry issued by the executor to the switch.
Then mimicry is turned on and the same operations are repeated: the Nmap scanning tool scans and probes the service chain deployment mimicry defense system and obtains information such as its open ports, running services and operating system version. The first scan reports a Windows operating system and a Floodlight controller; after a period of time a second scan reports a Linux operating system and a RYU controller; after a further period a third scan reports a Linux operating system and an ONOS controller. The three scan results differ, showing that the system changes dynamically once mimicry is on. The simulated user repeats the same service chain deployment operation as before, entering the service function name, service function MAC address and other service chain request data on the Web front-end interface. Likewise, the simulated attacker manually modifies a key field value of one executor's output flow table entry: the output port of the flow entry output by executor 1 is changed, while executors 2 and 3 issue the same flow entry, but the decider can still make the correct decision and output the correct flow entry. Therefore, the normal flow entry issued by the 2 executors is still issued to the switch, and the finally deployed service chain is observed to be consistent with the service chain request issued by the user.
Example two:
fig. 3 is a schematic structural diagram of a correct link decision device for service chain security deployment under mimicry defense provided in the second embodiment of the present application, where the device may execute a correct link decision method for service chain security deployment under mimicry defense provided in any embodiment of the present application, and has a functional module and a beneficial effect corresponding to the execution of the method. As shown in fig. 3, the apparatus includes:
a receiving module 100, configured to obtain data of all service chain deployment executors, where content of each set of data includes a service function and a service path;
the decision module 200 is configured to extract and compare all service functions, extract and compare service paths, determine that two sets of data are identical if the service functions of the two sets of data are identical and the service paths are identical, classify the identical data into one class, count the data amount of each class, record the class with the largest data amount as correct data, and record the rest as abnormal data;
a feedback module 300, configured to feed back an executor that outputs abnormal data;
and the clearing module 400 is used for cleaning or offline the execution body which outputs the abnormal data.
Example three:
Fig. 4 is a schematic structural diagram of an apparatus according to a third embodiment of the present invention. Fig. 4 shows a block diagram of an exemplary device 1 suitable for implementing an embodiment of the invention. The device shown in fig. 4 is only an example, and should not bring any limitation to the function and the scope of use of the embodiments of the present application.
As shown in fig. 4, the device 1 is in the form of a general purpose computing device. The components of the device 1 may include, but are not limited to: one or more processors or processing units 2, a memory 3, and a bus 4 that connects the various system components (including the memory 3 and the processing unit 2).
Bus 4 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, such architectures include, but are not limited to, the Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, enhanced ISA bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus.
The device 1 typically includes a variety of computer system readable media. Such media may be any available media that is accessible by device 1 and includes both volatile and nonvolatile media, removable and non-removable media.
The memory 3 may include computer system readable media in the form of volatile memory, such as Random Access Memory (RAM)5 and/or cache memory 6. The device 1 may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, the storage system 8 may be used to read from and write to non-removable, nonvolatile magnetic media (not shown in FIG. 4, commonly referred to as a "hard drive"). Although not shown in FIG. 4, a magnetic disk drive for reading from and writing to a removable, nonvolatile magnetic disk (e.g., a "floppy disk") and an optical disk drive for reading from or writing to a removable, nonvolatile optical disk (e.g., a CDROM, DVD-ROM, or other optical media) may be provided. In these cases, each drive may be connected to the bus 4 by one or more data media interfaces. The memory 3 may include at least one program product having a set (e.g., at least one) of program modules that are configured to carry out the functions of embodiments of the invention.
Having a set (at least one) of program modules 8 that may be stored, for example, in memory 3, such program modules 8 include, but are not limited to, an operating system, one or more application programs, other program modules, and program data, each of which examples or some combination thereof may comprise an implementation of a network environment. Program modules 8 generally perform the functions and/or methodologies of the described embodiments of the invention.
Device 1 may also communicate with one or more external devices 10 (e.g., keyboard, pointing device, display device 9, etc.), with one or more devices that enable a user to interact with device 1, and/or with any devices (e.g., network card, modem, etc.) that enable device 1 to communicate with one or more other computing devices. Such communication may be via an input/output (I/O) interface 11. Also, the device 1 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the internet) via the network adapter 12. As shown in fig. 4, the network adapter 12 communicates with the other modules of the device 1 via the bus 4. It should be understood that although not shown in fig. 4, other hardware and/or software modules may be used in conjunction with the device 1, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
The processing unit 2 executes various functional applications and data processing by running the program stored in the memory 3, for example, implementing the method for determining the correct link for service chain security deployment under mimicry defense provided by the embodiments of the present invention.
Example four
A fourth embodiment of the present invention further provides a computer-readable storage medium on which a computer program (also referred to as computer-executable instructions) is stored. When executed by a processor, the computer program performs the method for determining the correct link for service chain security deployment under mimicry defense that is described in the first embodiment of the present invention.
Computer storage media for embodiments of the invention may employ any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CDROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (7)

1. A method for determining the correct link for service chain security deployment under mimicry defense, characterized in that it comprises:
obtaining the data of all service chain deployment executors, where the content of each group of data includes service functions and service paths;
extracting and comparing all service functions separately, and extracting and comparing the service paths separately; if two groups of data have the same service functions and the same service paths, the two groups of data are determined to be consistent; consistent data is grouped into one category, the amount of data in each category is counted, the category with the largest amount of data is recorded as correct data, and the rest is abnormal data;
feeding back the executors whose output is abnormal data;
cleaning or taking offline the executors whose output is abnormal data.

2. The method for determining the correct link for service chain security deployment under mimicry defense according to claim 1, characterized in that receiving the data of all service chain deployment executors, where the content of each group of data includes service functions and service paths, comprises:
using a set V to represent the output results of the M executors among all service chain deployment executors:
V = (V_1, V_2, …, V_i, …, V_M)
where the output result of each executor is described by a quadruple, namely:
V_i = (I_i, E_i, SF_i, SFP_i)
where I_i and E_i denote, respectively, the source address and the destination address traversed by the service chain request traffic in the output of the i-th executor, SF_i denotes the set of service functions traversed by the service chain request traffic in the output of the i-th executor, and SFP_i denotes the set of service paths traversed by the service chain request traffic in the output of the i-th executor.

3. The method for determining the correct link for service chain security deployment under mimicry defense according to claim 1, characterized in that extracting and comparing all service functions separately, extracting and comparing the service paths separately, determining two groups of data to be consistent if they have the same service functions and the same service paths, grouping consistent data into one category, counting the amount of data in each category, recording the category with the largest amount of data as correct data and the rest as abnormal data, comprises:
defining a service function comparison function w_1(SF_i, SF_j) to represent the result of comparing the service functions traversed by the service chain request traffic in the outputs of the executors with one another, where i ≠ j:
[formula given as Figure FDA0002324744960000011 in the original; not reproduced in the text]
defining a service path comparison function w_2(SFP_i, SFP_j) to represent the result of comparing the service paths traversed by the service chain request traffic in the outputs of the executors with one another, where i ≠ j:
[formula given as Figure FDA0002324744960000012 in the original; not reproduced in the text]
when the decision results for both the service functions and the service paths in the outputs of two executors are consistent, the outputs of the two executors are considered consistent, that is:
SF_i = SF_j ∪ SFP_i = SFP_j
V_i = V_j (i ≠ j)
grouping consistent data into one category, counting the amount of data in each category, recording the category with the largest amount of data as correct data, and the rest as abnormal data.

4. The method for determining the correct link for service chain security deployment under mimicry defense according to claim 1, characterized in that feeding back the executors whose output is abnormal data comprises:
letting sign be the feedback flag function:
[formula given as Figure FDA0002324744960000021 in the original; not reproduced in the text]
when the value of the feedback flag function sign is 1, all executors in the executor set are normal; when the value of the feedback flag function sign is -1, an executor in the executor set has become abnormal, at which point the decider sends abnormality feedback to the scheduler, and the scheduler, after receiving the decider's feedback, cleans or takes offline the abnormal executors until only normal executors remain in the executor set.

5. A device for determining the correct link for service chain security deployment under mimicry defense, characterized in that it comprises:
a receiving module, for obtaining the data of all service chain deployment executors, where the content of each group of data includes service functions and service paths;
a decision module, for extracting and comparing all service functions separately and extracting and comparing the service paths separately; if two groups of data have the same service functions and the same service paths, the two groups of data are determined to be consistent; consistent data is grouped into one category, the amount of data in each category is counted, the category with the largest amount of data is recorded as correct data, and the rest is abnormal data;
a feedback module, for feeding back the executors whose output is abnormal data;
a clearing module, for cleaning or taking offline the executors whose output is abnormal data.

6. A device, characterized in that it comprises:
one or more processors;
a memory for storing one or more programs;
when the one or more programs are executed by the one or more processors, the one or more processors implement the method for determining the correct link for service chain security deployment under mimicry defense according to any one of claims 1-4.

7. A computer-readable storage medium on which a computer program is stored, characterized in that, when the program is executed by a processor, it implements the method for determining the correct link for service chain security deployment under mimicry defense according to any one of claims 1-4.
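The decision procedure of claims 1 to 4 (collect each executor's quadruple, group outputs with identical service functions and service paths, take the largest group as correct, raise the feedback flag and let the scheduler offline the rest), as an added Python example that is not the patent's own code. The names (ExecutorOutput, judge, Scheduler) and the sample outputs are constructed; since the patent shows w1, w2 and sign only as figures, their forms here (1 on equality, 0 otherwise; sign = 1 only when every executor is in the correct class) and the handling of a tie are assumptions.

```python
from dataclasses import dataclass

# Assumptions (not from the patent): w1/w2 return 1 on equality and 0 otherwise,
# and a tie for the largest class counts as "no majority", so every executor is
# reported abnormal. Names and sample data below are constructed.

@dataclass(frozen=True)
class ExecutorOutput:
    """One executor's deployment result, the quadruple V_i of claim 2."""
    executor_id: int
    ingress: str                  # I_i, source address of the request traffic
    egress: str                   # E_i, destination address
    service_functions: frozenset  # SF_i, set of service functions traversed
    service_paths: frozenset      # SFP_i, set of (hop, hop) links traversed

def w1(sf_i, sf_j):
    """Service-function comparison function of claim 3 (assumed: 1 equal, 0 not)."""
    return 1 if sf_i == sf_j else 0

def w2(sfp_i, sfp_j):
    """Service-path comparison function of claim 3 (assumed: 1 equal, 0 not)."""
    return 1 if sfp_i == sfp_j else 0

def consistent(v_i, v_j):
    """Claim 3: V_i = V_j only when both the SF and the SFP comparisons agree."""
    return (w1(v_i.service_functions, v_j.service_functions) == 1
            and w2(v_i.service_paths, v_j.service_paths) == 1)

def judge(outputs):
    """Group consistent outputs; the largest group is correct, the rest abnormal.
    Returns (sign, correct_ids, abnormal_ids); sign is the flag of claim 4."""
    classes = []                          # each entry: a list of consistent outputs
    for v in outputs:
        for cls in classes:
            if consistent(cls[0], v):     # consistency is an equivalence, so one
                cls.append(v)             # representative per class suffices
                break
        else:
            classes.append([v])
    if not classes:
        return 1, set(), set()
    sizes = sorted((len(c) for c in classes), reverse=True)
    tie = len(sizes) > 1 and sizes[0] == sizes[1]
    correct = [] if tie else max(classes, key=len)
    correct_ids = {v.executor_id for v in correct}
    abnormal_ids = {v.executor_id for v in outputs} - correct_ids
    sign = 1 if not abnormal_ids else -1  # 1: all normal, -1: feedback needed
    return sign, correct_ids, abnormal_ids

class Scheduler:
    """Receives the decider's feedback and takes abnormal executors offline."""
    def __init__(self, executor_ids):
        self.online = set(executor_ids)

    def feedback(self, sign, abnormal_ids):
        if sign == -1:                    # claim 4: act only on a -1 flag
            self.online -= set(abnormal_ids)

CHAIN = frozenset({"FW", "IDS", "NAT"})
PATH = frozenset({("in", "FW"), ("FW", "IDS"), ("IDS", "NAT"), ("NAT", "out")})
SAMPLE = [  # constructed sample: executor 3 deploys a chain that bypasses the IDS
    ExecutorOutput(1, "10.0.0.5", "10.0.9.7", CHAIN, PATH),
    ExecutorOutput(2, "10.0.0.5", "10.0.9.7", CHAIN, PATH),
    ExecutorOutput(3, "10.0.0.5", "10.0.9.7", frozenset({"FW", "NAT"}),
                   frozenset({("in", "FW"), ("FW", "NAT"), ("NAT", "out")})),
    ExecutorOutput(4, "10.0.0.5", "10.0.9.7", CHAIN, PATH),
]
```

On the sample, the single deviating executor (whose chain silently drops the IDS) is outvoted by the three consistent ones and taken offline, which is the detection the mimicry decider provides; with only two executors disagreeing there is no majority, so the tie rule above reports both as abnormal rather than guessing.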
Application CN201911311849.XA, priority date 2019-12-18, filing date 2019-12-18: Method, device, equipment and medium for judging correct link of service chain safety deployment under mimicry defense (status: Pending)

Publication: CN111163070A (en), publication date 2020-05-15

Family ID: 70557774

Country status: CN, CN111163070A (en)


Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200515