CN111163070A - Method, device, equipment and medium for judging correct link of service chain safety deployment under mimicry defense - Google Patents

Method, device, equipment and medium for judging correct link of service chain safety deployment under mimicry defense

Info

Publication number
CN111163070A
Authority
CN
China
Prior art keywords
service
data
service chain
class
deployment
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201911311849.XA
Other languages
Chinese (zh)
Inventor
汤中运
李传煌
王伟明
雷睿
叶晨轶
陈泽斌
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang Gongshang University
Original Assignee
Zhejiang Gongshang University
Events
Application filed by Zhejiang Gongshang University
Priority to CN201911311849.XA
Publication of CN111163070A
Legal status: Pending

Classifications (CPC)

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The application discloses a method, device, equipment and medium for judging the correct link in service chain security deployment under mimicry defense. The method comprises: acquiring the output data of all service chain deployment executors, where each group of data contains a service function and a service path; extracting and comparing the service functions and, separately, the service paths of all outputs, judging two groups of data to be consistent when both their service functions and their service paths are the same, grouping consistent data into one class, counting the size of each class, recording the largest class as the correct data and all other data as abnormal data; and feeding back the executors that produced abnormal data so that they are cleaned or taken offline. The method, device, equipment and medium enhance the security of a mimicry service chain deployment system.

Description

Method, device, equipment and medium for judging correct link of service chain safety deployment under mimicry defense
Technical Field
The embodiments of the present application relate to the fields of service deployment and mimicry security defense, and in particular to a correct link decision method, device, equipment and medium for service chain security deployment under mimicry defense.
Background
With the emergence and deployment of Software Defined Networking (SDN) and Network Function Virtualization (NFV), service function chain deployment has taken on a new form. Service function chains are deployed on the basis of SDN/NFV: NFV virtualizes ordinary physical equipment and builds resource pools for the various network service functions, while SDN, by separating the control and forwarding planes of network devices, can dynamically and centrally schedule traffic paths and thus provides customizable and flexible interfaces. Users and operators identify their service requirements, create Virtual Network Functions (VNFs) on the service function chain through NFV, automatically configure the service logic of the virtual service functions, and use SDN to steer the relevant service traffic through the virtual service functions in order, thereby completing the creation of the service function chain.
The Dynamic Heterogeneous Redundancy (DHR) model is the basic model of mimicry defense. Under this model, the key step in processing by a heterogeneous executor set is that a scheduler duplicates the same input into M copies and sends them to the heterogeneous executor set, where they are processed by its M executors; the processed results are sent to a decider (arbiter), which produces a single, relatively correct output result; and at run time the scheduler generates a new heterogeneous executor set to replace the current one according to feedback control messages. Mimicry defense addresses the nature of attacks by providing defense through the endogenous features of the system architecture, so that a strong defense effect can be achieved against both known and unknown security threats.
The decider in a service deployment system under mimicry defense has two main functions. 1. It compares the output results of the executors, namely the service function data and the service path data, and selects the result produced by the relatively larger number of executors as the correct result for the final service chain deployment and output. Thus, even if some executors are attacked, the correct result can still be output and normal deployment of the service chain is guaranteed; to attack the system successfully, an attacker would have to successfully compromise a majority of the service deployment executors, which run on different systems, and this greatly increases the difficulty of the attack. 2. According to the decision result, the decider also feeds the abnormal service chain deployment executors back to the scheduler, which takes them offline and cleans them, thereby keeping the whole executor pool clean. The decision method of the invention performs two decisions at the same time, on service function arrangement and on service path selection. Finally, the decider randomly selects an executor from the set of normal executors, and that executor connects to the underlying service resource pool to instantiate a service function chain that meets the user's service requirements.
Disclosure of Invention
In view of this, embodiments of the present application provide a correct link decision method, apparatus, device and medium for service chain security deployment under mimicry defense, which solve the problem of deciding the output result when multiple executors work cooperatively.
The technical scheme adopted by the embodiment of the application is as follows:
in a first aspect, an embodiment of the present application provides a correct link decision method for service chain security deployment under mimicry defense, which comprises:
acquiring data of all service chain deployment executors, wherein the content of each group of data comprises a service function and a service path;
respectively extracting and comparing all service functions, respectively extracting and comparing service paths, judging that two groups of data are consistent if the service functions of the two groups of data are the same and the service paths are the same, dividing the consistent data into one class, counting the data volume of each class, recording the class with the largest data volume as correct data, and taking the rest as abnormal data;
feeding back the executive body which outputs the abnormal data;
and cleaning or offline the executive body which outputs the abnormal data.
Further, acquiring the data of all service chain deployment executors, where the content of each group of data includes a service function and a service path, comprises:
representing the output results of the M executors among all service chain deployment executors by a set V:
$$V = (V_1, V_2, \dots, V_i, \dots, V_M)$$
where the output result of each executor is described by a quadruple:
$$V_i = (I_i, E_i, SF_i, SFP_i)$$
in which $I_i$ and $E_i$ are respectively the source address and destination address through which the service chain request traffic passes in the output result of the i-th executor, $SF_i$ is the set of service functions through which the service chain request traffic passes in the output result of the i-th executor, and $SFP_i$ is the set of service paths through which the service chain request traffic passes in the output result of the i-th executor.
Further, extracting and comparing all the service functions, extracting and comparing the service paths, judging two groups of data to be consistent when their service functions are the same and their service paths are the same, grouping consistent data into one class, counting the size of each class, recording the largest class as correct data and the rest as abnormal data, comprises:
defining a service function comparison function $w_1(SF_i, SF_j)$, $i \ne j$, that expresses the result of comparing the service functions through which the service chain request traffic passes in the output results of two executors (its defining formula is shown as an image in the original and is not reproduced here);
defining a service path comparison function $w_2(SFP_i, SFP_j)$, $i \ne j$, that expresses the result of comparing the service paths through which the service chain request traffic passes in the output results of two executors (formula likewise shown as an image in the original);
when both the service function comparison and the service path comparison of two executors' output results are consistent, the two output results are considered consistent, that is:
$$SF_i = SF_j \;\land\; SFP_i = SFP_j \;\Rightarrow\; V_i = V_j \qquad (i \ne j)$$
and the consistent data are grouped into one class, the size of each class is counted, the largest class is recorded as correct data, and the rest as abnormal data.
Further, cleaning or taking offline the executor corresponding to the abnormal data comprises:
letting sign be the feedback flag function:
$$\mathrm{sign} = \begin{cases} 1, & \text{all } V_i \text{ in the executor set are consistent (no abnormal data)} \\ -1, & \text{otherwise} \end{cases}$$
When sign is 1, all executors in the executor set are normal; when sign is -1, there is an abnormal executor in the set, and the decider sends abnormality feedback to the scheduler, which, after receiving it, cleans or takes offline the abnormal executors until only normal executors remain in the set.
In a second aspect, an embodiment of the present application provides a correct link decision device for service chain security deployment under mimicry defense, including:
the receiving module is used for acquiring data of all service chain deployment executors, and the content of each group of data comprises a service function and a service path;
the judging module is used for respectively extracting and comparing all service functions, respectively extracting and comparing service paths, judging that the two groups of data are consistent if the service functions of the two groups of data are the same and the service paths are the same, dividing the consistent data into one class, counting the data volume of each class, recording the class with the largest data volume as correct data and the rest as abnormal data;
the feedback module is used for feeding back the executive bodies which output the abnormal data;
and the clearing module is used for cleaning or offline the executive body which outputs the abnormal data.
In a third aspect, an embodiment of the present application provides an apparatus, including:
one or more processors;
a memory for storing one or more programs;
when the one or more programs are executed by the one or more processors, the one or more processors implement a correct link decision method for service chain security deployment under a mimicry defense as described in the first aspect.
In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements a method for determining a correct link for service chain security deployment under mimicry defense as described in the first aspect.
By adopting the technical scheme, the beneficial effects brought by the embodiment of the application are as follows:
the method for judging the safe deployment of the service chain under the mimicry defense is adopted, the workload of a hacker for attacking the system can be effectively increased by a method that the data result of the execution body is few and most obeys, and the hacker can attack successfully only when the hacker attacks more than half of the execution bodies. Meanwhile, the feedback and cleaning module can effectively protect the purity of the execution body set.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a flowchart of a method for determining a correct link for service chain security deployment under a mimicry defense according to an embodiment of the present application;
fig. 2 is a flowchart of a specific work flow of decision processing provided in an embodiment of the present application;
fig. 3 is a schematic structural diagram of a correct link decision device for service chain security deployment under mimicry defense according to a second embodiment of the present application;
fig. 4 is a schematic structural diagram of an apparatus provided in the third application embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the technical solutions of the present application will be described in detail and completely with reference to the following specific embodiments of the present application and the accompanying drawings. It should be apparent that the described embodiments are only some of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Example one:
fig. 1 is a flowchart of a method for determining the correct link for service chain security deployment under mimicry defense. The method is applied on the server side and comprises:
Step S100, the decider acquires the data of all service chain deployment executors; the content of each group of data includes a service function and a service path.
Specifically, the set V represents the output results of the M executors among all service chain deployment executors:
$$V = (V_1, V_2, \dots, V_i, \dots, V_M)$$
where the output result of each executor is described by a quadruple:
$$V_i = (I_i, E_i, SF_i, SFP_i)$$
in which $I_i$ and $E_i$ are respectively the source and destination addresses through which the service chain request traffic passes in the output result of the i-th executor, $SF_i$ is the set of service functions through which the service chain request traffic passes in the output result of the i-th executor, and $SFP_i$ is the set of service paths through which the service chain request traffic passes in the output result of the i-th executor.
Step S200, the decider performs decision processing: all service functions are extracted and compared, and all service paths are extracted and compared; if the service functions of two groups of data are the same and the service paths are the same, the two groups are judged consistent; consistent data are grouped into one class, the size of each class is counted, the largest class is recorded as correct data, and the rest is abnormal data. As shown in fig. 2, specifically:
a service function comparison function $w_1(SF_i, SF_j)$, $i \ne j$, is defined to express the result of comparing the service functions through which the service chain request traffic passes in the output results of two executors (its defining formula is shown as an image in the original and is not reproduced here);
a service path comparison function $w_2(SFP_i, SFP_j)$, $i \ne j$, is defined to express the result of comparing the service paths through which the service chain request traffic passes in the output results of two executors (formula likewise shown as an image in the original);
when both the service function comparison and the service path comparison of two executors' output results are consistent, the two output results are considered consistent, that is:
$$SF_i = SF_j \;\land\; SFP_i = SFP_j \;\Rightarrow\; V_i = V_j \qquad (i \ne j)$$
The consistent data are grouped into one class, the size of each class is counted, the largest class is recorded as correct data, and the rest as abnormal data. The decider outputs the correct data as the decision result.
Step S300, the decider interfaces with the scheduler and feeds back to the scheduler the executors that output abnormal data in the decision result. Specifically:
an abnormal executor feedback function is defined,
$$f^{*} = \mathrm{feedback}()$$
with the calling format
$$f^{*} = \mathrm{feedback}(D, S, \mathrm{sign})$$
where D is the decider module, S is the scheduler module, and sign is the feedback flag function:
$$\mathrm{sign} = \begin{cases} 1, & \text{all } V_i \text{ in the executor set are consistent (no abnormal data)} \\ -1, & \text{otherwise} \end{cases}$$
When sign is 1, all executors in the executor set are normal; when sign is -1, an executor in the set is abnormal, and the decider sends abnormality feedback to the scheduler.
In step S400, the scheduler cleans or takes offline the executor that output the abnormal data.
After receiving the decider's feedback, the scheduler cleans or takes offline the abnormal executor. The cleaning operation (its formula is shown as an image in the original and is not reproduced here) maps the n-th abnormal executor to the normal executor obtained after the n-th cleaning; the offline operation (also shown as an image in the original) removes the abnormal executor from the set, so that only normal executors remain in the executor set. Both ways keep the executor set clean.
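The decision, feedback and cleaning steps above (the first aspect and Steps S100 to S400) in working form, as an added example that is not the patent's or the authors' code. The concrete shape of a service path as a tuple of flow entries (switch, match, output port), the 1/0 values of w1 and w2, the executor names and the sample outputs are all assumptions; the constructed sample reproduces the experiment in the detailed description, where one executor's flow entry has a tampered output port and the two consistent executors outvote it:

```python
"""Added example, not the patent's code: a majority-vote decider for mimicry
service-chain deployment plus the feedback/cleaning loop of Steps S100-S400.
Assumptions: SFP_i is a tuple of flow entries (switch, match, out_port),
w1/w2 return 1 for equal and 0 otherwise, and all names and sample data."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

FlowEntry = Tuple[str, str, int]  # (switch, match, out_port): assumed format


@dataclass(frozen=True)
class ExecutorOutput:
    """Quadruple V_i = (I_i, E_i, SF_i, SFP_i) emitted by executor i."""
    executor_id: str
    src: str                     # I_i
    dst: str                     # E_i
    sf: Tuple[str, ...]          # SF_i: ordered service functions
    sfp: Tuple[FlowEntry, ...]   # SFP_i: flow entries realising the path


def w1(a: ExecutorOutput, b: ExecutorOutput) -> int:
    """Service-function comparison: 1 if SF_i == SF_j, else 0 (assumed values)."""
    return 1 if a.sf == b.sf else 0


def w2(a: ExecutorOutput, b: ExecutorOutput) -> int:
    """Service-path comparison: 1 if SFP_i == SFP_j, else 0 (assumed values)."""
    return 1 if a.sfp == b.sfp else 0


@dataclass
class Decision:
    correct: Optional[ExecutorOutput]  # None when no class wins outright
    normal_ids: List[str]
    abnormal_ids: List[str]
    sign: int                          # 1: all executors agree, -1: anomaly present


def decide(outputs: List[ExecutorOutput], strict_majority: bool = True) -> Decision:
    """Step S200: group outputs into consistency classes (w1 == w2 == 1 against
    the class representative), take the largest class as correct, flag the rest."""
    classes: List[List[ExecutorOutput]] = []
    for v in outputs:
        for cls in classes:
            if w1(v, cls[0]) == 1 and w2(v, cls[0]) == 1:
                cls.append(v)
                break
        else:
            classes.append([v])
    classes.sort(key=len, reverse=True)          # stable sort: order of discovery kept
    winner = classes[0]
    # Caveat the patent leaves implicit: a tie for the largest class, or a mere
    # plurality, must not be output as "correct"; flag the whole set instead.
    tied = len(classes) > 1 and len(classes[1]) == len(winner)
    too_small = strict_majority and 2 * len(winner) <= len(outputs)
    if tied or too_small:
        return Decision(None, [], [v.executor_id for v in outputs], -1)
    normal = [v.executor_id for v in winner]
    abnormal = [v.executor_id for v in outputs if v.executor_id not in normal]
    return Decision(winner[0], normal, abnormal, 1 if not abnormal else -1)


class Scheduler:
    """Step S400: offline flagged executors and pull heterogeneous spares in."""

    def __init__(self, active: List[str], spare: List[str]):
        self.active, self.spare, self.offline = list(active), list(spare), []

    def handle_feedback(self, decision: Decision) -> List[str]:
        if decision.sign == 1:                   # nothing to clean
            return []
        for eid in decision.abnormal_ids:
            self.active.remove(eid)
            self.offline.append(eid)
            if self.spare:                       # replace with a fresh executor
                self.active.append(self.spare.pop(0))
        return list(decision.abnormal_ids)


def feedback(decision: Decision, scheduler: Scheduler) -> List[str]:
    """Step S300, f* = feedback(D, S, sign): hand the decision to the scheduler."""
    return scheduler.handle_feedback(decision)


# Constructed sample reproducing the experiment: three executors emit the same
# flow entries for the chain firewall -> ids -> nat, but executor 1's output
# port on switch s2 has been tampered with (3 -> 4).
SF = ("firewall", "ids", "nat")
GOOD_PATH: Tuple[FlowEntry, ...] = (("s1", "in_port=1", 2), ("s2", "in_port=1", 3), ("s3", "in_port=2", 1))
TAMPERED_PATH = GOOD_PATH[:1] + (("s2", "in_port=1", 4),) + GOOD_PATH[2:]
SAMPLE_OUTPUTS = [
    ExecutorOutput("exec1", "10.0.0.1", "10.0.0.9", SF, TAMPERED_PATH),  # attacked
    ExecutorOutput("exec2", "10.0.0.1", "10.0.0.9", SF, GOOD_PATH),
    ExecutorOutput("exec3", "10.0.0.1", "10.0.0.9", SF, GOOD_PATH),
]

if __name__ == "__main__":
    d = decide(SAMPLE_OUTPUTS)
    s = Scheduler(active=["exec1", "exec2", "exec3"], spare=["exec4"])
    print("flow entries sent to switch:", d.correct.sfp if d.correct else None)
    print("offlined:", feedback(d, s), "active set now:", s.active)
```

Grouping by a class representative is enough because equality of the (SF, SFP) pair is transitive, so the classes are well defined regardless of input order. The strict-majority and tie checks are the practitioner's addition: with M = 3, one tampered executor is outvoted, but two compromised executors that agree on the same tampered entry win the vote, and with an even M two equal classes give the decider nothing it can honestly call correct.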
The decider mainly performs majority-rule decisions on the output results of all executors in the heterogeneous executor set, so that a relatively wrong or tampered service chain is discarded. The decider must make two decisions, on the service function and on the service path, because the service chain deployment process consists of two steps: service function arrangement and service path selection. After the service chain deployment executors complete service path selection, a decision is made once more to ensure the security of the service path. The decision process makes the system aware of abnormal executors; these are fed back to the scheduler, which cleans them or takes them offline. Finally, the decider randomly selects an executor from the set of normal executors, and through that executor's service chain deployment connects to the underlying service resource pool to deploy, in a concrete instance, the service chain that meets the user's requirements.
The decider is an important gate for data: when an executor is attacked or behaves abnormally, the abnormality of its service function and service path is perceived by the decider, so that even if a minority of executors are attacked successfully the final correct result is unaffected; the abnormal executors are fed back, the attacker's difficulty is greatly increased, and the security of the mimicry service chain deployment system is enhanced.
To validate the method, the service chain deployment mimicry defense system was attacked by a simulated attacker, and it was observed whether the service chain finally deployed by the system was consistent with the service chain request issued by the user in two different states: mimicry off and mimicry on. If, under attack, the deployed service chain is inconsistent with the user's request when mimicry is off, but consistent with it once mimicry is on, the system achieves the effect of mimicry defense; otherwise it does not.
First, with the mimicry state off, the service chain deployment mimicry defense system was scanned and probed with the Nmap scanning tool to obtain information such as its open ports, running services and operating system version. A first scan result was obtained; after a period of time the target system was scanned again with Nmap and the result was consistent with the first scan; after a further period of time a third scan was performed and the result was still consistent with the first, indicating that the target system was in a static state. A simulated user then performed the corresponding service chain deployment operation, entering service chain request data such as the service function names and service function MAC addresses in the Web front-end interface. A simulated attacker then tampered with the target system by modifying the flow table entries issued by the executor to the switch.
Next, with the mimicry state on, the same operations were repeated: the service chain deployment mimicry defense system was scanned and probed with Nmap to obtain its open ports, running services and operating system version. The first scan reported a Windows operating system and a Floodlight controller; after a period of time the second scan reported a Linux operating system and a RYU controller; after a further period of time the third scan reported a Linux operating system and an ONOS controller. The three scan results differ, showing that the system changes dynamically once the mimicry state is on. The simulated user repeated the same service chain deployment operation as before, entering the service function names, service function MAC addresses and other service chain request data in the Web front-end interface. Likewise, the simulated attacker manually modified a key field of the flow table entry output by one executor: the output port in executor 1's flow entry was changed, while executors 2 and 3 issued the same, unmodified flow entry. The decider nevertheless made the correct decision and output the correct flow entry, so the normal flow entry issued by the 2 consistent executors was still delivered to the switch, and the service chain finally deployed was observed to be consistent with the service chain request issued by the user.
Example two:
fig. 3 is a schematic structural diagram of a correct link decision device for service chain security deployment under mimicry defense provided in the second embodiment of the present application, where the device may execute a correct link decision method for service chain security deployment under mimicry defense provided in any embodiment of the present application, and has a functional module and a beneficial effect corresponding to the execution of the method. As shown in fig. 3, the apparatus includes:
a receiving module 100, configured to obtain data of all service chain deployment executors, where content of each set of data includes a service function and a service path;
the decision module 200 is configured to extract and compare all service functions, extract and compare service paths, determine that two sets of data are identical if the service functions of the two sets of data are identical and the service paths are identical, classify the identical data into one class, count the data amount of each class, record the class with the largest data amount as correct data, and record the rest as abnormal data;
a feedback module 300, configured to feed back an executor that outputs abnormal data;
and the clearing module 400 is used for cleaning or offline the execution body which outputs the abnormal data.
Example three:
Fig. 4 is a schematic structural diagram of an apparatus according to a third embodiment of the present invention. Fig. 4 shows a block diagram of an exemplary device 1 suitable for implementing an embodiment of the invention. The device shown in fig. 4 is only an example, and should not bring any limitation to the function and the scope of use of the embodiments of the present application.
As shown in fig. 4, the device 1 is in the form of a general purpose computing device. The components of the device 1 may include, but are not limited to: one or more processors or processing units 2, a memory 3, and a bus 4 that connects the various system components (including the memory 3 and the processing unit 2).
Bus 4 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, such architectures include, but are not limited to, the Industry Standard Architecture (ISA) bus, the Micro Channel Architecture (MCA) bus, the Enhanced ISA (EISA) bus, the Video Electronics Standards Association (VESA) local bus, and the Peripheral Component Interconnect (PCI) bus.
The device 1 typically includes a variety of computer system readable media. Such media may be any available media that is accessible by device 1 and includes both volatile and nonvolatile media, removable and non-removable media.
The memory 3 may include computer system readable media in the form of volatile memory, such as Random Access Memory (RAM)5 and/or cache memory 6. The device 1 may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, the storage system 8 may be used to read from and write to non-removable, nonvolatile magnetic media (not shown in FIG. 4, commonly referred to as a "hard drive"). Although not shown in FIG. 4, a magnetic disk drive for reading from and writing to a removable, nonvolatile magnetic disk (e.g., a "floppy disk") and an optical disk drive for reading from or writing to a removable, nonvolatile optical disk (e.g., a CDROM, DVD-ROM, or other optical media) may be provided. In these cases, each drive may be connected to the bus 4 by one or more data media interfaces. The memory 3 may include at least one program product having a set (e.g., at least one) of program modules that are configured to carry out the functions of embodiments of the invention.
Having a set (at least one) of program modules 8 that may be stored, for example, in memory 3, such program modules 8 include, but are not limited to, an operating system, one or more application programs, other program modules, and program data, each of which examples or some combination thereof may comprise an implementation of a network environment. Program modules 8 generally perform the functions and/or methodologies of the described embodiments of the invention.
Device 1 may also communicate with one or more external devices 10 (e.g., keyboard, pointing device, display device 9, etc.), with one or more devices that enable a user to interact with device 1, and/or with any devices (e.g., network card, modem, etc.) that enable device 1 to communicate with one or more other computing devices. Such communication may be via an input/output (I/O) interface 11. Also, the device 1 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the internet) via the network adapter 12. As shown in fig. 4, the network adapter 12 communicates with the other modules of the device 1 via the bus 4. It should be understood that although not shown in fig. 4, other hardware and/or software modules may be used in conjunction with the device 1, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
The processing unit 2 executes various functional applications and data processing by running the program stored in the memory 3, for example, implementing the correct link decision method for service chain security deployment under mimicry defense provided by the embodiments of the present invention.
Example four
A fourth embodiment of the present invention further provides a computer-readable storage medium on which a computer program (also referred to as computer-executable instructions) is stored, where the computer program, when executed by a processor, performs the method for determining a correct link for service chain security deployment under mimicry defense described in the first embodiment of the present invention.
Computer storage media for embodiments of the invention may employ any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CDROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object-oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (7)

1. A correct link judgment method for service chain safety deployment under mimicry defense is characterized by comprising the following steps:
acquiring data of all service chain deployment executors, wherein the content of each group of data comprises a service function and a service path;
respectively extracting and comparing all service functions, respectively extracting and comparing service paths, judging that two groups of data are consistent if the service functions of the two groups of data are the same and the service paths are the same, dividing the consistent data into one class, counting the data volume of each class, recording the class with the largest data volume as correct data, and taking the rest as abnormal data;
feeding back the executive body which outputs the abnormal data;
and cleaning or offline the executive body which outputs the abnormal data.
2. The method for determining a correct link for service chain security deployment under mimicry defense as claimed in claim 1, wherein acquiring the data of all service chain deployment executors, the content of each group of data including a service function and a service path, comprises:
expressing the output results of the M executors among all the service chain deployment executors by a set V:
V = (V1, V2, …, Vi, …, VM)
wherein the output result of each executor is described by a quadruple, namely:
Vi = (Ii, Ei, SFi, SFPi)
wherein Ii and Ei respectively represent the source address and the destination address through which the service chain request traffic passes in the output result of the i-th executor, SFi represents the set of service functions through which the service chain request traffic passes in the output result of the i-th executor, and SFPi represents the set of service paths through which the service chain request traffic passes in the output result of the i-th executor.
3. The method for judging the correct link for service chain safety deployment under mimicry defense according to claim 1, wherein the steps of respectively extracting and comparing all service functions, respectively extracting and comparing service paths, judging that two groups of data are consistent if the service functions of the two groups of data are the same and the service paths are the same, classifying the consistent data into one class, counting the data volume of each class, recording the class with the largest data volume as the correct data, and recording the rest as the abnormal data comprise:
defining a service function comparison function w1(SFi, SFj) to represent the comparison result between the service functions through which the service chain request traffic passes in the output results of each pair of executors, where i ≠ j, then:
Figure FDA0002324744960000011
defining a service path comparison function w2(SFPi, SFPj) to represent the comparison result between the service paths through which the service chain request traffic passes in the output results of each pair of executors, where i ≠ j, then:
Figure FDA0002324744960000012
when the decision results of the service function and the service path in the output results of two executors are both consistent, the output results of the two executors are considered to be consistent, that is:
$$SF_i = SF_j \wedge SFP_i = SFP_j \;\Rightarrow\; V_i = V_j \qquad (i \neq j)$$
and dividing the consistent data into one class, counting the data volume of each class, recording the class with the most data volume as correct data, and recording the rest as abnormal data.
4. The method for deciding the correct link for service chain security deployment under mimicry defense according to claim 1, wherein feeding back the executor whose output is abnormal data comprises:
let sign be the feedback flag function:
Figure FDA0002324744960000021
when the value of the feedback flag function sign is 1, all executors in the executor set are normal; when the value of the feedback flag function sign is -1, there is an exception in the executor set. In that case the decider performs exception feedback to the scheduler, and the scheduler, after receiving the decider's feedback, cleans or takes offline the executors with the exception until only normal executors remain in the executor set.
5. A correct link decision device for service chain security deployment under mimicry defense, comprising:
the receiving module is used for acquiring data of all service chain deployment executors, and the content of each group of data comprises a service function and a service path;
the judging module is used for respectively extracting and comparing all service functions, respectively extracting and comparing service paths, judging that the two groups of data are consistent if the service functions of the two groups of data are the same and the service paths are the same, dividing the consistent data into one class, counting the data volume of each class, recording the class with the largest data volume as correct data and the rest as abnormal data;
the feedback module is used for feeding back the executive bodies which output the abnormal data;
and the clearing module is used for cleaning or offline the executive body which outputs the abnormal data.
6. An apparatus, comprising:
one or more processors;
a memory for storing one or more programs;
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of correct link resolution for service chain security deployment under mimicry defense as claimed in any one of claims 1 to 4.
7. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out a method for deciding on correct links for a service chain security deployment under mimicry defense as claimed in any one of claims 1 to 4.
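The decision procedure of claims 1, 3 and 4 (the comparison functions w1 and w2, grouping into classes, the majority class as correct data, the sign flag and the offline step) carried through in Python, as an added example that is not code from the patent; the field names, the tie handling and the five sample executor outputs are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ExecutorOutput:
    """Quadruple V_i = (I_i, E_i, SF_i, SFP_i) of one executor (field names are assumptions)."""
    executor_id: str
    src: str                       # I_i: source address of the service chain request
    dst: str                       # E_i: destination address
    service_functions: frozenset   # SF_i: set of service functions traversed
    service_path: tuple            # SFP_i: ordered service path traversed

def w1(vi, vj):
    """Service function comparison function: 1 when SF_i == SF_j, else 0."""
    return 1 if vi.service_functions == vj.service_functions else 0

def w2(vi, vj):
    """Service path comparison function: 1 when SFP_i == SFP_j, else 0."""
    return 1 if vi.service_path == vj.service_path else 0

def classify(outputs):
    """Group mutually consistent outputs; the largest class is correct, the rest abnormal."""
    classes = []
    for out in outputs:
        for cls in classes:
            if w1(cls[0], out) == 1 and w2(cls[0], out) == 1:   # V_i = V_j
                cls.append(out)
                break
        else:
            classes.append([out])
    classes.sort(key=len, reverse=True)   # stable sort keeps first-seen order on ties
    # Assumption (the claims do not say): a tie for the largest class is no majority,
    # so no class is trusted and every output is reported as abnormal.
    if not classes or (len(classes) > 1 and len(classes[0]) == len(classes[1])):
        return [], [o for c in classes for o in c]
    return classes[0], [o for c in classes[1:] for o in c]

def sign(outputs):
    """Feedback flag function of claim 4: 1 if every executor is normal, -1 otherwise."""
    return 1 if not classify(outputs)[1] else -1

def scheduler_round(outputs):
    """Decider feeds back the abnormal executors; the scheduler takes them offline."""
    correct, abnormal = classify(outputs)
    return correct, [o.executor_id for o in abnormal]

# Constructed sample: five executors deploy the same chain request; e3 reorders the
# path and e5 drops the IDS function, so both must be reported as abnormal.
CHAIN = frozenset({"firewall", "ids", "nat"})
PATH = ("fw-1", "ids-2", "nat-1")
SRC, DST = "10.0.0.1", "10.0.1.9"
SAMPLE = [
    ExecutorOutput("e1", SRC, DST, CHAIN, PATH),
    ExecutorOutput("e2", SRC, DST, CHAIN, PATH),
    ExecutorOutput("e3", SRC, DST, CHAIN, ("ids-2", "fw-1", "nat-1")),
    ExecutorOutput("e4", SRC, DST, CHAIN, PATH),
    ExecutorOutput("e5", SRC, DST, frozenset({"firewall", "nat"}), ("fw-1", "nat-1")),
]
```

After one scheduler round only the majority class remains, so a second call of `sign` on the survivors returns 1, which is the termination condition of claim 4.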
CN201911311849.XA 2019-12-18 2019-12-18 Method, device, equipment and medium for judging correct link of service chain safety deployment under mimicry defense Pending CN111163070A (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112866276A (en) * 2021-02-02 2021-05-28 Zhejiang Gongshang University Primary and secondary reset judgment system based on mimicry service function framework
CN112866276B (en) * 2021-02-02 2022-05-24 Zhejiang Gongshang University Primary and secondary reset judgment system based on mimicry service function framework
CN115277607A (en) * 2022-07-15 2022-11-01 Tianjin Binhai New Area Information Technology Innovation Center Two-stage mimicry judgment method under heterogeneous system complex flow condition
CN115277607B (en) * 2022-07-15 2023-12-26 Tianjin Binhai New Area Information Technology Innovation Center Two-stage mimicry judgment method under complex flow condition of heterogeneous system
CN116318945A (en) * 2023-03-09 2023-06-23 Nanjing University of Aeronautics and Astronautics Multi-target service function chain deployment method based on endophytic dynamic defense architecture
CN116318945B (en) * 2023-03-09 2023-10-20 Nanjing University of Aeronautics and Astronautics Multi-target service function chain deployment method based on endophytic dynamic defense architecture
US12003528B1 (en) 2023-03-09 2024-06-04 Nanjing University Of Aeronautics And Astronautics Endogenous dynamic defense architecture-based multi-objective service function chain deployment method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200515