CN111385288A - Mobile target defense opportunity selection method and device based on hidden countermeasures - Google Patents


Info

Publication number
CN111385288A
Authority
CN
China
Prior art keywords
attack
defense
mtd
strategy
game
Legal status
Granted
Application number
CN202010105929.6A
Other languages
Chinese (zh)
Other versions
CN111385288B (en)
Inventor
张恒巍
谭晶磊
张红旗
张玉臣
王晋东
胡浩
刘小虎
程相然
胡瑞钦
Current Assignee
Information Engineering University of PLA Strategic Support Force
Original Assignee
Information Engineering University of PLA Strategic Support Force

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L63/00 Network architectures or network communication protocols for network security › H04L63/14 for detecting or protecting against malicious traffic › H04L63/1441 Countermeasures against malicious traffic › H04L63/145 the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks › H04L41/14 Network analysis or design › H04L41/145 involving simulating, designing, planning or modelling of a network
    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L63/00 Network architectures or network communication protocols for network security › H04L63/20 for managing network security; network security policies in general


Abstract

The invention belongs to the field of network security and relates in particular to a moving target defense (MTD) timing (opportunity) selection method and device based on covert confrontation. The method comprises the following steps: analyzing the attack process on the basis of the cyber kill chain; constructing an MTD network attack surface state transition model on the basis of the SIRM infectious disease model; constructing an MTD attack and defense timing selection model on the basis of a time game; and solving the game equilibrium of that time-game-based model to select the optimal MTD timing. The method fits a real network attack and defense scenario and analyzes the optimal equilibrium point of the strategy implementation times of attacker and defender within a time game framework, so as to guide the defender's MTD implementation timing and balance SDN service quality against MTD decision yield.

Description

Mobile target defense opportunity selection method and device based on hidden countermeasures
Technical Field
The invention belongs to the field of network security and relates in particular to a moving target defense timing selection method and device based on covert confrontation.
Background
With the continuous development of network attack techniques such as Advanced Persistent Threats (APT), network security faces serious challenges. Software Defined Networking (SDN) is a new next-generation network architecture whose security threats are increasingly prominent. Because of its centralized control, the SDN controller becomes a single point of attack, and the southbound interface between the control layer and the data layer is also highly exposed to attacks such as scanning and probing, denial of service, and spoofing and implantation, so analyzing and predicting security attack and defense behaviour in SDN is an urgent need. To address the practical problems and potential threats facing SDN, Moving Target Defense (MTD) is adopted as a defense philosophy that "changes the rules of the game": it aims to confuse the attacker through continuous and dynamic change, increase attack cost and complexity, and reduce the attack success rate.
Although existing research has proposed methods for selecting an MTD strategy in different network security scenarios, the key to implementing the defense is to maximize benefit by changing the transformation timing and selecting the transformed attribute values within a limited transformation space, so research on the MTD implementation timing problem is particularly important. How to select the defense timing according to the network attack and defense confrontation scenario, balance network availability against MTD security, and maximize MTD benefit has become one of the hot and key problems of current research. Game theory is an analysis tool for describing the interaction of decision-making entities; the time game, as a game-theoretic framework for modelling computer security scenarios, has been widely applied to attack and defense scenarios such as targeted attack modelling, encryption key renewal, password policy changes and cloud auditing, but few scholars have applied it to the moving target defense timing selection problem.
Disclosure of Invention
The invention aims to provide a moving target defense timing selection method and device based on covert confrontation which fit a real network defense scenario and analyze the optimal equilibrium point of the strategy implementation times of attacker and defender within a time game framework, so as to guide the defender's MTD (Moving Target Defense) implementation timing and balance SDN service quality against MTD decision yield.
In order to solve the technical problems, the invention adopts the following technical scheme:
the invention provides a moving target defense timing selection method based on covert confrontation, comprising the following steps:
analyzing the attack process on the basis of the cyber kill chain;
constructing a Moving Target Defense (MTD) network attack surface state transition model on the basis of the SIRM infectious disease model, whose four states are the susceptible, infected, recovered and damaged attack surfaces;
constructing an MTD attack and defense timing selection model on the basis of a time game;
and solving the game equilibrium of the time-game-based MTD attack and defense timing selection model to select the optimal MTD timing.
Further, the cyber kill chain is divided into an offline attack type and an online attack type;
the offline attack type probes the target system and builds the weapon library: by probing the target system it discovers and locks onto exploitable resource vulnerabilities, and according to the analysis results it establishes corresponding attack tools and methods; its destructive power is small, and it is defined as a low-level attacker;
the online attack type implements the attack and expands the damage range: it brings the target system into the expected state by carrying out attack behaviour and expands the attack range by exploiting similar vulnerabilities to improve the attack effect; its destructive power is strong, and it is defined as a high-level attacker.
Further, the offline attack type comprises a reconnaissance and tracking attack strategy for probing valuable information about the target system and a weapon construction attack strategy for creating a targeted attack payload for the target system; the online attack type comprises a payload delivery attack strategy for delivering the payload to the target system, a defense-breakthrough exploitation attack strategy in which the attacker triggers malicious code to run, an installation and implantation attack strategy for installing malware on the target system, a communication control attack strategy for remotely manipulating the target system, a target achievement attack strategy in which the attacker accomplishes the attack objective, and a damage expansion attack strategy for extending the scope of damage within the target system.
Further, an MTD network attack surface state transition model is constructed on the basis of the SIRM infectious disease model; the MTD attack and defense process is characterized as transitions of the network attack surface state, which provides the state variables needed for constructing the timing selection model and for the game analysis.
Further, the network attack surfaces comprise a susceptible attack surface, an infected attack surface, a recovered attack surface and a damaged attack surface, defined as follows. Susceptible attack surface: the attack surface is in a safe state but, because no defense measures have been taken, it can be subjected to attack behaviour. Infected attack surface: the attack surface has been attacked but is still in the attack stage of a low-level attacker, so the defender has difficulty perceiving it; the attack surface is in the infected state. Recovered attack surface: the attack surface is protected by a defense strategy and is immune to the attack behaviour; it is in the immune state. Damaged attack surface: the attack surface is completely controlled by the attacker and is in the damaged state; the network can no longer provide services normally.
Further, the MTD network attack surface state transition model based on the SIRM infectious disease model specifically comprises the following transitions:
susceptible attack surface → infected attack surface: when the susceptible attack surface faces the offline attack strategy, if the offline attack strategy fails, the susceptible attack surface becomes an infected attack surface;
susceptible attack surface → recovered attack surface: when the susceptible attack surface faces the offline attack strategy, if the offline attack strategy succeeds, the susceptible attack surface becomes a recovered attack surface;
infected attack surface → recovered attack surface: when the infected attack surface faces the online attack strategy, if the online attack strategy succeeds, the infected attack surface becomes a recovered attack surface;
infected attack surface → damaged attack surface: when the infected attack surface faces the online attack strategy, if the online attack strategy fails, the infected attack surface becomes a damaged attack surface.
Further, in the time-game-based MTD (Moving Target Defense) attack and defense timing selection model, the confrontation process of the two parties is characterized as the alternation of control over the attack surfaces and is expressed as the six-tuple TG-MTD (Time Game-Moving Target Defense Model), TG-MTD = (N, T, S, D, P, U), where N represents the set of participants in the network attack and defense game, T the total time of the game, S the game state, D the action set of the game, P the set of time period strategies of the game, and U the set of payoff functions of the game.
Further, the time period strategy set of the network attack and defense game is P = (P_A, P_D), and the game model TG-MTD is defined as G(P_A, P_D), where P_A denotes the set of time period strategies available to the attacker and P_D the set of time period strategies available to the defender. According to basic game theory, the Nash equilibrium strategy of G(P_A, P_D) is given by [formula image not extracted], where [formula image not extracted] denotes the optimal timing of the defender and [formula image not extracted] the optimal timing of the attacker.
Further, the game equilibrium strategy is solved using the payoff functions:
Suppose P_A > P_D. Let [formula image not extracted] denote the probability that the attacker acts at a random point within a defense period; the attacker's control period within the defense period is then [formula image not extracted]. Accordingly, the following payoff functions are defined:
attacker payoff function [formula image not extracted]; defender payoff function [formula image not extracted].
Similarly, when P_A ≤ P_D, the attacker payoff function is [formula image not extracted] and the defender payoff function is [formula image not extracted].
Here B_A represents the return of the attack, B_D the return of the defense, C_A the cost of the attack, and C_D the cost of the defense;
by computing the attack and defense time period strategy combinations P_A and P_D for each attack type, the optimal timing of the TG-MTD model is selected according to the attack and defense payoffs.
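As an added illustration, not part of the patent text, the Python script below models the time game with periodic attacker and defender strategies of periods P_A and P_D, using the same case split (P_A > P_D versus P_A ≤ P_D) as above. The attacker's control fraction is the FlipIt closed form for periodic strategies with random phase; the payoff form "B × control fraction − C / period" is an assumption of this example, since the patent's own payoff formulas were not extracted from the page, and all parameter values are constructed.

```python
import random


def attacker_control_fraction(p_a, p_d):
    """Long-run fraction of time the attacker controls the attack surface.

    Both players act periodically (attacker every p_a, defender every p_d)
    with independent random phases, as in the FlipIt time game.  Whoever
    acted last holds control until the other side acts, so each move of the
    slower player is undone, on average, halfway through the faster
    player's period.
    """
    if p_a > p_d:
        # Attacker is the slower player: after each attacker move the
        # defender reclaims control after p_d / 2 on average.
        return p_d / (2.0 * p_a)
    # Defender is slower (or equal): symmetric argument, the attacker holds
    # control for all but p_a / 2 of each defense period.
    return 1.0 - p_a / (2.0 * p_d)


def payoffs(p_a, p_d, b_a, b_d, c_a, c_d):
    """(attacker, defender) payoff rates.

    Assumed form (not the patent's formula): return B scaled by control
    fraction, minus action cost C spread over the chosen period (one action
    per period).  For the defender, C_D stands for the service disruption
    each MTD reconfiguration causes, i.e. the SDN service-quality side of
    the trade-off the patent describes.
    """
    f_a = attacker_control_fraction(p_a, p_d)
    u_a = b_a * f_a - c_a / p_a
    u_d = b_d * (1.0 - f_a) - c_d / p_d
    return u_a, u_d


def simulated_attacker_fraction(p_a, p_d, trials=400, horizon=600.0, seed=1):
    """Monte Carlo check of the closed form: replay the stealthy takeover
    game (defender owns the resource at t = 0, moves are not observable)
    with random phases and average the attacker's control time over runs."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        moves = []
        t = rng.random() * p_a
        while t < horizon:
            moves.append((t, "A"))
            t += p_a
        t = rng.random() * p_d
        while t < horizon:
            moves.append((t, "D"))
            t += p_d
        moves.sort()
        owner, last, held = "D", 0.0, 0.0
        for t, who in moves:
            if owner == "A":
                held += t - last
            owner, last = who, t
        if owner == "A":
            held += horizon - last
        total += held / horizon
    return total / trials


def best_defense_period(p_a, b_a, b_d, c_a, c_d, candidates):
    """Defender's best response: the MTD period among `candidates` that
    maximizes the defender's payoff against a fixed attacker period p_a."""
    return max(candidates,
               key=lambda p_d: payoffs(p_a, p_d, b_a, b_d, c_a, c_d)[1])


if __name__ == "__main__":
    # Constructed sample parameters (not taken from the patent).
    p_a, b_a, b_d, c_a, c_d = 3.0, 1.0, 1.0, 0.3, 0.4
    grid = [0.5, 1.0, 1.5, 2.0, 2.5, 3.0, 4.0]
    for p_d in grid:
        u_a, u_d = payoffs(p_a, p_d, b_a, b_d, c_a, c_d)
        print(f"P_D={p_d:3.1f}  attacker share="
              f"{attacker_control_fraction(p_a, p_d):.3f}"
              f"  U_A={u_a:+.3f}  U_D={u_d:+.3f}")
    print("closed form vs simulation at P_A=3, P_D=2:",
          round(attacker_control_fraction(3.0, 2.0), 3),
          round(simulated_attacker_fraction(3.0, 2.0), 3))
    print("best MTD period on the grid:",
          best_defense_period(p_a, b_a, b_d, c_a, c_d, grid))
```

Sweeping P_D shows the trade-off directly: a shorter MTD period shrinks the attacker's control share but the per-period cost C_D grows, so the defender's payoff peaks at an intermediate period rather than at the fastest possible reconfiguration.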
The invention also provides a moving target defense timing selection device based on covert confrontation, comprising:
an analysis module for analyzing the attack process on the basis of the cyber kill chain;
a first model building module for building an MTD network attack surface state transition model on the basis of the SIRM infectious disease model;
a second model building module for building an MTD attack and defense timing selection model on the basis of a time game;
and an equilibrium solving module for solving the game equilibrium of the time-game-based MTD attack and defense timing selection model and selecting the optimal MTD timing.
Compared with the prior art, the invention has the following advantages:
Existing game models have difficulty characterizing the MTD (Moving Target Defense) attack and defense game effectively, and therefore in selecting the defense timing that balances SDN service quality against MTD decision yield. Taking the covert confrontation of the two real attack and defense parties as the starting point, the invention abstracts and characterizes the existing attack and defense scenarios.
The invention constructs an MTD network attack surface state transition model based on the SIRM infectious disease model and describes the MTD attack and defense process as changes of the attack surface state, thereby providing the state variables for constructing the timing selection model and for the game analysis. It constructs a time-game-based MTD attack and defense timing selection model in which the confrontation process of the two parties is characterized as the alternation of control over the attack surfaces, which matches the real network attack and defense process more closely and has better practical guidance value; and the game equilibrium solution provides decision support for selecting the MTD implementation timing under moderate security.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 is a flow chart of a moving target defense opportunity selection method based on covert countermeasure in the embodiment of the present invention;
FIG. 2 is a schematic structural diagram of a mobile target defense opportunity selecting device based on covert countermeasure in the embodiment of the present invention;
FIG. 3 is a schematic diagram of a time game (Flipit game);
FIG. 4 is a flow chart of different attack strategy implementation in a network killing chain;
FIG. 5 is a graph of state transformation of four cyber-attack surfaces in a SIRM infectious disease model;
FIG. 6 is a schematic diagram of an experimental system configuration;
FIG. 7 is a state proportion diagram of attack surfaces of different MTD networks changing along with time;
FIG. 8 is a graph of attack cost versus high-level attack strategy yield;
FIG. 9 is a graph of attack cost versus low level attack strategy yield;
FIG. 10 is a graph of defense period versus high level attack strategy yield;
FIG. 11 is a graph of defense period versus low level attack strategy yield;
FIG. 12 is a graph of attack period versus high-level defense strategy revenue;
FIG. 13 is a graph of attack period versus low level defense policy revenue;
FIG. 14 is a graph of defense cost versus high-level defense strategy revenue;
FIG. 15 is a graph of defense cost versus low level defense policy revenue.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer and more complete, the technical solutions in the embodiments of the present invention will be described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention, and based on the embodiments of the present invention, all other embodiments obtained by a person of ordinary skill in the art without creative efforts belong to the scope of the present invention.
With the rapid development of SDN, its security also faces serious challenges. MTD is a novel active defense strategy that changes the rules of the game, but the game-theoretic analysis of the MTD timing decision problem is still at an initial stage, with limitations remaining in the theoretical basis, the game model, the equilibrium solution and other aspects, so it is difficult to guide MTD decisions with a general and effective theoretical basis for the MTD timing problem.
As shown in fig. 1, this embodiment proposes a moving target defense timing selection method based on covert confrontation from the perspective of MTD decision timing, taking SDN as the research object; it comprises the following steps:
S101, analyzing the attack process on the basis of the cyber kill chain;
S102, constructing an MTD network attack surface state transition model on the basis of the SIRM infectious disease model;
S103, constructing an MTD attack and defense timing selection model on the basis of a time game;
and S104, solving the game equilibrium of the time-game-based MTD attack and defense timing selection model and selecting the optimal MTD timing.
For a better understanding of embodiments of the present invention, the following background information is first presented.
A1 fundamental principles of game theory and time game
Game theory is a mathematical tool for studying the decisions of players in different positions; its basic assumption is that each player pursues the optimal strategy while taking the other players' decisions into account. A Nash equilibrium is a solution that describes the steady state of the game: each player obtains the best payoff, and any strategy that deviates from the Nash equilibrium always yields less.
In 2013, Marten van Dijk et al. of RSA Laboratories in the United States first proposed the time game (FlipIt game) against APT attacks (see van Dijk M, Juels A, Oprea A, et al. FlipIt: The Game of "Stealthy Takeover" [J]. Journal of Cryptology, 2013, 26(4): 655-713). As shown in FIG. 3, unlike most existing games, the time game consists of two players, a defender and an attacker, and a shared resource; either player may take control of the shared resource at any time at a certain action cost. However, the control state of the shared resource is not revealed to a player until that player actually acts, so stealthiness is the defining feature of the time game. Each player's goal is to maximize the time for which it controls the resource while minimizing action cost.
The black and grey circles represent defender and attacker actions, respectively. The shaded rectangles represent current control of the resource: black means the defender controls the shared resource, grey means the attacker controls it, and the defender holds control at time t = 0.
In recent years, some foreign researchers have begun studying MTD with the time game. Jones et al. let the defender "morph" the system so as to invalidate the knowledge the attacker has acquired, extending the time game to MTD (see S. Jones, A. Outkin, J. Gearhart, J. Hobbs, J. Siirola, C. Phillips, S. Verzi, D. Tauritz, S. Mulder, and A. Naugle. Evaluating Moving Target Defense with PLADD. Technical report, Sandia National Laboratories (SNL-NM), Albuquerque, NM, United States, 2015).
A2, MTD timing problem
We separate MTD strategies into three categories: an active MTD strategy driven only by time (JT-MTD), a reactive MTD strategy driven only by events (JE-MTD), and a hybrid MTD strategy driven by time and events (TE-MTD). In the time-driven active strategy, the MTD attack surface transformation time is either a fixed period (FT-MTD) or a random period (RT-MTD); it is an active triggering mode that anticipates possible network attack behaviour and changes the attack surface, without interrupting the network, by changing system parameters (IP addresses, port numbers, MAC addresses, etc.), thus realizing active defense. However, JT-MTD depends too heavily on historical experience; in the event-driven strategy, MTD attack surface transformation is instead triggered by auxiliary information such as specific security alerts and security policies.
In the hybrid time- and event-driven MTD strategy, the MTD attack surface action is carried out on the basis of both, and the hybrid transformation model is divided into two types: a fixed period and event hybrid driving strategy (FTE-MTD) and a random period and event hybrid driving strategy (RTE-MTD).
However, existing research has not constructed a theoretical analysis framework for the MTD timing problem. Integrating and systematizing the MTD timing problem, combing out a clear research system and constructing a solid theoretical basis for MTD timing research therefore has important research value and application significance.
The network defense and attack process is analyzed as follows:
First, network attack and defense behaviour is modelled as the attacker's and defender's control over the attack surfaces, and the confrontation process is analyzed from the attacker's and the defender's perspectives respectively. Because the players can dynamically adjust their decisions according to the game history, and in order to account for information feedback during the game and fit a real network attack and defense scenario, this embodiment describes the time-game-based MTD timing selection model from the perspective of incomplete information, assuming that neither the attacker nor the defender can obtain the game timing information. The network attack and defense confrontation scenario is then analyzed from the two perspectives of attacker and defender.
B1, analyzing the attack process on the basis of the cyber kill chain;
A network attack searches for existing vulnerable attack surfaces by analyzing the target system; those vulnerable attack surfaces bring security threats, and intrusion behaviour carried out through them causes losses. The Cyber Kill Chain (CKC) defined by Lockheed Martin is a widely accepted staged model for describing network intrusion. It can be used to collect, classify and correlate data about network attacks, and it was proposed, on the basis of analyzing a large number of network attacks and following the military F2T2EA model, as a general behaviour pattern describing the regular sequence an attacker follows when attacking a network target. Analyzing the CKC attack stages is important for network defense decisions and can help security personnel deploy appropriate defense strategies for the different attack stages. We therefore describe the different phases of the CKC for the APT scenario, and then use them to determine how MTD strategies are applied in each phase.
The CKC divides attack behaviour into eight strategies; different strategies may be recursive or disjoint, and a multi-stage intrusion is based on the result of the previous intrusion. As shown in fig. 4, the cyber kill chain can be divided into two attack types, offline and online. The offline attack type (left-of-attack) mainly probes the target system and builds the weapon library: by probing the target system it discovers and locks onto exploitable resource vulnerabilities, and according to the analysis results it establishes corresponding attack tools and methods; its destructive power is small and it can be defined as a low-level attacker. It specifically comprises the two attack strategies of reconnaissance and tracking, and weapon construction. The online attack type (right-of-attack) mainly implements the attack and expands the damage range: it brings the target system into the expected state by carrying out attack behaviour and expands the attack range by exploiting similar vulnerabilities to improve the attack effect; its destructive power is strong and it can be defined as a high-level attacker. It specifically comprises the six attack strategies of payload delivery, defense-breakthrough exploitation, installation and implantation, communication control, target achievement, and damage expansion. The specific steps are as follows:
1) Reconnaissance and tracking: the attacker uses automated tools such as Trace-Route and Nmap to probe valuable information about the target system (such as operating system type, service versions, network topology and routing information).
2) Weapon construction: according to the information obtained in the reconnaissance and tracking stage, the attacker determines the attack mode and completes attack preparation using tools and techniques such as phishing e-mails or malware-infected files, creating a targeted attack payload for the target system.
3) Payload delivery: the attacker delivers the payload to the target system, for example by leaving a malware-infected USB drive at the target site or sending a malicious e-mail to the target.
4) Defense-breakthrough exploitation: the attacker breaks through the defenses by triggering the malicious code to run and obtains higher control authority over the target system.
5) Installation and implantation: once the attacker has escalated privileges in the breakthrough and exploitation stage, it installs malware on the target system or gathers useful information from the target system's databases, keeping control of the target system.
6) Communication control: the attacker realizes remote control of the target system through communication control.
7) Target achievement: the attacker accomplishes the attack objective, either breaching the target system (service interruption) or stealing sensitive data.
8) Damage expansion: the attacker identifies similar target nodes that can be exploited and moves laterally within the target system to extend the scope of attack damage.
B2, MTD network attack surface transformation analysis based on the SIRM infectious disease model;
Since attack behaviour is persistent, the following assumptions are made:
Assumption 1: attack surfaces are not immediately fully controlled by the attacker, and they are interconnected with one another.
Assumption 2: the attacker's attack behaviour has no preferred path in the network.
To represent the state changes caused by the attacker's and defender's alternating control over the attack surfaces: in a real network attack and defense confrontation scenario, the process in which the CKC uses a vulnerable attack surface to penetrate and control other attack surfaces resembles the virus propagation mechanism of the SIR infectious disease model, so an extended SIR model is used to characterize the state changes of the attack surfaces during the attack and defense game. According to the basic definitions of attack surfaces and attack surface transformation, the network attack surface states are divided into four types, defined as follows:
Definition 1 Susceptible Attack Surface (SAS): the attack surface is currently in a secure state, but is liable to be attacked because no defensive measures have been taken.
Definition 2 Infected Attack Surface (IAS): the attack surface has already been attacked, but the attack is still in the stage of a low-level attacker and the defender cannot perceive it; the attack surface is in an infected state.
Definition 3 Recovered Attack Surface (RAS): the attack surface is protected by a defense strategy and is immune to the attack behavior; the attack surface is in an immune state.
Definition 4 Damaged Attack Surface (MAS): the attack surface is completely controlled by the attacker and is in a damaged state; the network cannot provide services normally.
As shown in FIG. 5, assume that the total number of network attack surfaces is AAS and that the numbers of attack surfaces in the above four states at time t are SAS(t), IAS(t), RAS(t) and MAS(t), respectively; then for every
Figure BDA0002387774160000121
SAS(t), IAS(t), RAS(t), MAS(t) ≥ 0 and SAS(t) + IAS(t) + RAS(t) + MAS(t) = AAS.
To simplify the analysis, the MTD strategies are divided into two defense types, a low-level MTD strategy and a high-level MTD strategy, and an MTD network attack surface state migration model based on the SIRM infectious disease model is then constructed from the four attack surface states defined above:
SAS → IAS: when a susceptible attack surface faces an APT low-level (offline) attack strategy and the low-level MTD strategy fails, the susceptible attack surface is infected by the APT attacker. The attacker is still in the offline preparation stage at this point, so the system does not yet experience a reduction in service quality; however, the APT attacker can now use the infected attack surface as a foothold to probe and exploit other susceptible attack surfaces and obtain a further attack effect. For example, after an APT attacker discovers a system vulnerability, it does not rush to launch the attack but keeps escalating privileges to obtain higher control authority.
SAS → RAS: when a susceptible attack surface faces an APT low-level (offline) attack strategy and the low-level MTD strategy succeeds, the susceptible attack surface is converted into a recovered attack surface, which has a certain resisting effect on the APT attack. For example, a defender who applies patch upgrades in advance can effectively resist the reconnaissance and tracking strategy of the APT attack.
IAS → RAS: when an infected attack surface faces an APT high-level (online) attack strategy and the high-level MTD strategy succeeds, the infected attack surface is converted into a recovered attack surface and the system is prevented from being damaged. For example, the defender uses strategies such as network fingerprint hopping and forwarding path hopping so that the APT attacker cannot carry out the installation and implantation attack strategy.
IAS → MAS: when an infected attack surface faces an APT high-level (online) attack strategy and the high-level MTD strategy fails, the infected attack surface is converted into a damaged attack surface and the system gradually loses its service function. For example, an APT attacker who bypasses the defense strategy through a load delivery strategy causes system damage and consequently service disruption.
In combination with the above, for
Figure BDA0002387774160000131
The differential equation set of the state transformation of the MTD network attack surface based on the SIRM infectious disease model is represented as follows:
Figure BDA0002387774160000141
the above differential equation system describes the time-dependent change rates of the susceptible attack surface, the infected attack surface, the recovered attack surface and the damaged attack surface, respectively, where α represents the probability of transformation from the susceptible attack surface to the infected attack surface, β represents the probability of transformation from the infected attack surface to the recovered attack surface, λ represents the probability of transformation from the infected attack surface to the damaged attack surface, and μ represents the probability of transformation from the infected attack surface to the recovered attack surface.
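The state-migration dynamics described above, as an added worked example in Python (not code from the patent): a forward-Euler simulation of an SIRM system over the four attack-surface states. The patent's equation set is only available as an image here, so the right-hand sides, the sample rate values and the initial state are assumptions constructed to match the four transitions and the rate symbols α, β, λ described in the text; μ is assumed to be the SAS → RAS rate so that every described transition has a coefficient. The example checks the conservation constraint SAS(t) + IAS(t) + RAS(t) + MAS(t) = AAS at every step and reports the percentage by which the susceptible attack surfaces fall over a time window, the kind of quantity the numerical section later discusses.

```python
"""Forward-Euler simulation of an SIRM attack-surface state migration model.

Added illustration, not the patent's own code. The ODE form below is an
ASSUMPTION that matches the four transitions and rate symbols in the text:

  dSAS/dt = -alpha * SAS * IAS / AAS - mu * SAS
  dIAS/dt =  alpha * SAS * IAS / AAS - (beta + lam) * IAS
  dRAS/dt =  mu * SAS + beta * IAS
  dMAS/dt =  lam * IAS

alpha: SAS -> IAS (low-level MTD fails against an offline attack)
mu   : SAS -> RAS (low-level MTD succeeds)        [assumed mapping of mu]
beta : IAS -> RAS (high-level MTD succeeds)
lam  : IAS -> MAS (high-level MTD fails)
The four right-hand sides sum to zero, so SAS+IAS+RAS+MAS = AAS is preserved.
"""
from dataclasses import dataclass
from typing import List, Tuple

State = Tuple[float, float, float, float]  # (SAS, IAS, RAS, MAS)


@dataclass(frozen=True)
class Rates:
    alpha: float  # SAS -> IAS
    mu: float     # SAS -> RAS (assumed)
    beta: float   # IAS -> RAS
    lam: float    # IAS -> MAS


def derivatives(state: State, rates: Rates, aas: float) -> State:
    """Right-hand side of the assumed SIRM system for one state vector."""
    sas, ias, ras, mas = state
    infection = rates.alpha * sas * ias / aas     # contact-driven infection
    d_sas = -infection - rates.mu * sas
    d_ias = infection - (rates.beta + rates.lam) * ias
    d_ras = rates.mu * sas + rates.beta * ias
    d_mas = rates.lam * ias
    return d_sas, d_ias, d_ras, d_mas


def simulate(state0: State, rates: Rates, t_end: float,
             dt: float = 0.01) -> List[Tuple[float, State]]:
    """Integrate with forward Euler; returns [(t, (SAS, IAS, RAS, MAS)), ...].
    dt must satisfy dt * (alpha + mu) < 1 and dt * (beta + lam) < 1 so that
    no state count goes negative."""
    aas = sum(state0)                       # total number of attack surfaces
    trajectory = [(0.0, state0)]
    state = state0
    steps = round(t_end / dt)
    for k in range(1, steps + 1):
        d = derivatives(state, rates, aas)
        state = tuple(x + dt * dx for x, dx in zip(state, d))
        trajectory.append((k * dt, state))
    return trajectory


def state_at(trajectory: List[Tuple[float, State]], t: float) -> State:
    """State vector at the sampled time closest to t."""
    return min(trajectory, key=lambda row: abs(row[0] - t))[1]


def reduction_percent(trajectory, index: int, t0: float, t1: float) -> float:
    """Percent by which component `index` (0=SAS, 1=IAS, 2=RAS, 3=MAS) falls
    between t0 and t1, relative to its value at t0."""
    v0 = state_at(trajectory, t0)[index]
    v1 = state_at(trajectory, t1)[index]
    if v0 <= 0:
        raise ValueError("component is zero at t0; reduction undefined")
    return 100.0 * (v0 - v1) / v0


def share_percent(trajectory, index: int, t: float) -> float:
    """Share of all attack surfaces (AAS) held by component `index` at time t."""
    aas = sum(trajectory[0][1])
    return 100.0 * state_at(trajectory, t)[index] / aas


if __name__ == "__main__":
    # Constructed sample: 100 attack surfaces, 5 already infected at t=0.
    traj = simulate((95.0, 5.0, 0.0, 0.0),
                    Rates(alpha=0.6, mu=0.3, beta=0.4, lam=0.1), t_end=6.0)
    for t, (s, i, r, m) in traj[::100]:
        print(f"t={t:4.1f}  SAS={s:6.2f} IAS={i:6.2f} RAS={r:6.2f} MAS={m:6.2f}")
    print(f"SAS reduced over [0,6] by {reduction_percent(traj, 0, 0.0, 6.0):.1f}%")
    print(f"RAS share at t=4: {share_percent(traj, 2, 4.0):.1f}% of AAS")
```

Raising μ relative to α in the sample rates corresponds to a low-level MTD strategy that succeeds more often than it fails, and the RAS curve then overtakes the SAS curve earlier; the conservation check is the quick sanity test that any re-derived right-hand side should still pass.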
On the basis of the above analysis of the network attack and defense process, the MTD attack and defense opportunity selection model based on the time game, TG-MTD (Time Game-Moving Target Defense Model), can be expressed as a 6-tuple TG-MTD = (N, T, S, D, P, U), where
1) $N=(N_A,N_D)$ is the set of network attack and defense game participants, where $N_D$ is the defender and $N_A$ is the attacker;
2) $T=T_A+T_D\in[0,+\infty)$ is the total time of the network attack and defense game, which represents the sum of the total time the attacker takes to control the attack surface and the total time the defender takes to control the public resource, where $T_A$ is the total time the attacker controls the attack surface and $T_D$ the total time the defender controls the attack surface. It is divided into discrete and continuous time cases; to simplify the analysis, a finite discrete game time is assumed here, i.e. $T=\{t_1,t_2,\dots,t_m\},\ m\in\mathbb{N}^+$.
3) $S=(S_A,S_D)$ is the network attack and defense game state, where $S_A$ = number of IAS + number of MAS and $S_D$ = number of SAS + number of RAS.
4) $D=(D_A,D_D)$ is the action set of the network attack and defense game,
Figure BDA0002387774160000142
is the set of selectable attack actions of the attacker, divided into two categories, high-level attack strategies and low-level attack strategies,
Figure BDA0002387774160000143
is the set of selectable defense actions of the defender, divided into two categories, a high-level defense strategy and a low-level defense strategy; the high-level defense strategy consists of six MTD strategies and the low-level defense strategy of four conventional defense strategies. At any discrete time t, both the attacking and the defending party may take an action to gain control of the common resource.
5) $P=(P_A,P_D)$ is the time period strategy set of the network attack and defense game,
Figure BDA0002387774160000151
represents the set of time period strategies selectable by the attacker,
Figure BDA0002387774160000152
represents the set of time period strategies selectable by the defender. Both are determined by the existence times of the four types of attack surfaces in the SIRM model and are random, where
Figure BDA0002387774160000153
6) $U=(U_A,U_D)$ is the set of revenue functions of the network attack and defense game; $U_A$ and $U_D$ are the revenue functions of the attacker and the defender, respectively.
The quantification of attack and defense opportunity income is the basis of MTD opportunity selection, and whether the quantification is reasonable directly influences the opportunity selection result. In order to measure the income objectively, this embodiment takes the attack and defense time period as the unified index of income in the TG-MTD opportunity selection model and makes the following definitions:
Definition 5 Attack-Defense Cost $C_{AD}$: $C_{AD}=\{C_A,C_D\}$, where $C_A$ represents the attack cost and $C_D$ the defense cost; the costs differ for different elements of the attack and defense action sets. The attack cost is determined by the attack complexity: the higher the attack complexity, the higher the attack cost; similarly, the defense cost rises with the complexity of implementing the defense.
Definition 6 Attack-Defense Benefit $B_{AD}$: $B_{AD}=\{B_A,B_D\}$ denotes the direct profit of the attacking and defending parties, $B_A$ representing the attack benefit and $B_D$ the defense benefit; for the MTD opportunity selection scenario of this embodiment, the attack and defense benefit is defined by game time, so that $T=B_A+B_D$.
Definition 7 Attack-Defense Benefit Rate $r_{ADB}$: to simplify calculation, the attack and defense benefit is normalized, i.e. $r_{ADB}=r_{AB}+r_{DB}=1$, where $r_{AB}$ represents the attack benefit rate and $r_{DB}$ the defense benefit rate.
Definition 8 Attack-Defense Utility $U_{AD}$: $U_{AD}=B_{AD}-C_{AD}$, i.e. the attack and defense utility equals the difference between the attack and defense benefit and the attack and defense cost; the attack utility is $U_A=B_A-C_A$ and the defense utility is $U_D=B_D-C_D$.
Definition 9 Attack and defense profitability
Figure BDA0002387774160000161
For simplifying calculation, the attack and defense benefits are normalized, namely attack and defense profitability
Figure BDA0002387774160000162
Figure BDA0002387774160000163
represents the attack profitability,
Figure BDA0002387774160000164
represents the defense profitability, where
Figure BDA0002387774160000165
The game equilibrium of the MTD attack and defense opportunity selection model based on the time game is solved, and the optimal MTD opportunity is selected, as follows: the concept of the TG-MTD game strategy is given, and it is analysed how the game equilibrium strategy is solved using the utility function.
Adopting the time period strategy set $P=(P_A,P_D)$ of the network attack and defense game, the game model TG-MTD is defined as $G(P_A,P_D)$. According to basic game theory, the Nash equilibrium strategy of $G(P_A,P_D)$ is:
Figure BDA0002387774160000166
wherein
Figure BDA0002387774160000167
represents the optimal opportunity of the defender,
Figure BDA0002387774160000168
representing the best opportunity for the attacker.
Suppose $P_A>P_D$ and let
Figure BDA0002387774160000169
represent the probability of random action of the attacker within a defense time period, so that the control period of the attacker within the defense time period is
Figure BDA00023877741600001610
Thus, the following revenue function is defined:
attacker revenue function:
Figure BDA00023877741600001611
defender revenue function:
Figure BDA00023877741600001612
Similarly, when $P_A\le P_D$, the attacker and defender revenue functions are expressed as follows:
Figure BDA00023877741600001613
Theorem 1 The MTD model TG-MTD $G(P_A,P_D)$ based on the time game has a Nash equilibrium:
Figure BDA0002387774160000171
based on the TG-MTD game model, the optimal time selection algorithm flow is given as follows.
Figure BDA0002387774160000172
Figure BDA0002387774160000181
Taking an actual SDN application system as an example, the MTD opportunity selection model based on the time game and the related equilibrium solving method are validated: the experimental environment is described first, the benefits of the attack and defense strategies are then calculated, and on that basis the numerical analysis results and a comprehensive comparative analysis are explained.
C1, Experimental Environment
An experimental network environment is built from part of the node topology of the SDN, as shown in FIG. 6. Control servers such as an LDAP server, an FTP server and an application server serve as the application targets of the moving target defense strategy, the application server acting as the application provider of the control servers, while an APT attacker degrades the availability of the SDN network along the illustrated intrusion path. The APT attacker has user-level access to the LDAP server, with the goal of stealing sensitive information stored in the Linux database server. The vulnerability information of each server is shown in Table 1 below.
The possible attack paths of the attacker toward the action target are as follows:
route 1: LDAP Server → FTP Server → Linux database
Route 2: LDAP Server → Application Server → FTP Server → Linux database
TABLE 1 Server vulnerability information
Figure BDA0002387774160000182
According to the analysis of the network attack and defense process, the attack and defense action information is given in Table 2 below. There are 8 attack strategies and 10 defense strategies, namely 6 high-level MTD strategies (IP address, communication port, communication protocol, forwarding path, fingerprint and data storage hopping) and 4 low-level conventional defense strategies (monitoring detection, patch upgrading, data deletion and service shutdown).
TABLE 2 network attack and defense strategy description involved in the experiment
Figure BDA0002387774160000191
C2, Numerical experiment
Based on the time period strategy sets of the attacking and defending parties, a numerical analysis of the proposed TG-MTD model is performed in this embodiment. Taking the basic definition of the time game revenue function as reference, the trend of the MTD network attack surface states over time is first analysed according to the income quantification method, as shown in FIG. 7.
Over time, the number of susceptible attack surfaces decreases and the number of recovered attack surfaces increases, while the numbers of susceptible and damaged attack surfaces remain relatively small: the number of susceptible attack surfaces falls by 95.4% over the time period [0,6], and thanks to the right MTD defense timing the recovered attack surfaces increase by 93.2% over the time period [0,4]. The selection of the defense opportunity is therefore crucial; if the defense opportunity is improper, the proportion of infected attack surfaces rises and the system is paralysed.
Then, taking $P_A>P_D$ as an example, specific numerical values are used to analyse the influence of the MTD implementation timing on the attack and defense benefits and to quantitatively analyse different types of attack and defense strategies.
For different types of attack strategies, the correlation between attack benefit and attack period is analysed as shown in FIGS. 8 and 9. When the defense period $P_D=1$, for the high-level attack strategy the attack benefit still increases as the attack period increases, so the attack period has little influence on the high-level attack strategy and the attack cost is the key factor restricting its benefit; for the low-level attack strategy the attack cost is low and the attack benefit tends to decline as the attack period increases, so the attack period has a significant influence on the benefit of the low-level attack strategy. Likewise, as the attack cost increases, the attack benefit shows a downward trend for both the high-level and the low-level attack strategy.
As shown in FIGS. 10 and 11, for a given defense period, the attack benefit of the high-level attack strategy increases with the attack period while that of the low-level attack strategy decreases with it; since the benefit of the high-level attack strategy keeps growing as the attack period grows, the influence of the attack period on the high-level attack strategy is small. On the other hand, as the defense period keeps decreasing, the attack benefit decreases for both the high-level and the low-level attack strategy, so the defense period is very important for resisting different types of attackers.
The relationship between defense benefit and defense period for different attack periods is shown in FIGS. 12 and 13, with a period step size of 0.01. For the low-level defense strategy, as the defense period increases the defense benefit first increases and then decreases; in particular, when the attack period $P_A=5.5$, the optimal defense period of the defender is
Figure BDA0002387774160000201
at which point the defense benefit is
Figure BDA0002387774160000202
when the attack period $P_A=7$, the optimal defense period of the defender is
Figure BDA0002387774160000211
at which point the defense benefit is
Figure BDA0002387774160000212
Therefore, for the low-level defense strategy there exists an optimal defense period in the face of attacks with different attack periods that maximizes the defense benefit; for the high-level defense strategy the defense benefit keeps increasing as the defense period increases, so the influence of the defense period on the high-level defense strategy is small, and the influence of different attack periods on it is also small, but because its deployment cost is high, the defense benefit of the high-level defense strategy is clearly held back compared with that of low-level defenders. On the other hand, as the attack period increases the defender's benefit decreases, and when the defense period is too large the defense benefit also decreases.
Thus, it is contemplated that a high level defense strategy may be employed for critical core devices to enforce MTD defense with a larger defense period, while a low level defense strategy may be employed for non-core devices to enforce MTD with an appropriate defense period.
For different types of defenders, the relationship between defense benefit and defense period is shown in FIGS. 14 and 15, with a defense period step size of 0.01. When the attack period is fixed at $P_A=6$, the defense benefit of the high-level defense strategy increases with the defense period, and the influence of the defense period on the benefit gradually weakens as the defense period keeps increasing and approaches the attack period; for the low-level strategy, as the defense period keeps increasing the defense benefit first increases and then decreases; in particular, when the defense cost of the defender is $C_D=0.5$, the optimal defense period is
Figure BDA0002387774160000213
at which point the defense benefit is
Figure BDA0002387774160000214
while when the defense cost is $C_D=1.5$, the best defense benefit of the defender is
Figure BDA0002387774160000215
and the defense period can be selected at random within the range [4.20, 4.28]. On the other hand, for both the high-level and the low-level defense strategy, the defense benefit decreases as the defense cost increases.
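The optimal-opportunity search (the algorithm flow given after Theorem 1, and the defense-period sweeps with step 0.01 in this section), as an added worked example in Python; this is not the patent's own code. The patent's revenue functions are only available as images, so the payoff below is an assumed FlipIt-style approximation for the $P_A>P_D$ case: the attacker acts at a uniformly random instant in at most one defense period per attack period, holds the attack surface until the defender's next move, and each side pays one strategy cost per period; the values $P_A=8$, $C_A=1$, $C_D=1$ and the tolerance used to report a range of near-optimal periods are also constructed. What the example shows is the procedure of claim 9: sweep $P_D$ on a grid, evaluate the utility $U_D=B_D-C_D$ (here per unit time) for each $(P_A,P_D)$ combination, and return the maximizing period together with the interval of periods within tolerance of the maximum, from which the period may be chosen at random as the text does for [4.20, 4.28].

```python
"""Grid search for the defender's optimal MTD period in a TG-MTD-style game.

Added illustration, not the patent's own code or revenue function. ASSUMED
payoff for the case P_A > P_D (FlipIt-style approximation): within each
defense period of length P_D the attacker acts at most once, at a uniformly
random instant, and a given defense period contains an attacker action with
probability P_D / P_A. The attacker then holds the attack surface until the
defender's next move, i.e. for P_D / 2 on average.

  r_DB = 1 - P_D / (2 * P_A)      defender's normalized benefit rate
  r_AB = 1 - r_DB                 attacker's (r_AB + r_DB = 1)
  U_D  = r_DB - C_D / P_D         defense utility per unit time:
                                  benefit rate minus one deployment cost per period
  U_A  = r_AB - C_A / P_A         attack utility per unit time, by analogy

Cost per unit time falls as P_D grows while the attacker's share rises with
it, so U_D first rises and then falls, the low-level-defender shape reported
in the text, with the maximum at P_D = sqrt(2 * P_A * C_D).
"""
from typing import Dict, List, Tuple


def return_rates(p_a: float, p_d: float) -> Tuple[float, float]:
    """(r_AB, r_DB) under the assumed model; requires P_A > P_D > 0."""
    if not (p_a > p_d > 0):
        raise ValueError("model only covers P_A > P_D > 0")
    r_db = 1.0 - p_d / (2.0 * p_a)
    return 1.0 - r_db, r_db


def utilities(p_a: float, p_d: float, c_a: float, c_d: float) -> Dict[str, float]:
    """Per-unit-time attack and defense utilities U = B - C for one (P_A, P_D)."""
    r_ab, r_db = return_rates(p_a, p_d)
    return {"U_A": r_ab - c_a / p_a, "U_D": r_db - c_d / p_d}


def defense_period_grid(p_a: float, step: float = 0.01) -> List[float]:
    """Candidate P_D values with 0 < P_D < P_A on a grid of the given step."""
    n = int(round(p_a / step))
    grid = [round(k * step, 6) for k in range(1, n)]
    return [p for p in grid if p < p_a]


def best_defense_period(p_a: float, c_a: float, c_d: float,
                        step: float = 0.01, tol: float = 1e-4) -> Dict[str, object]:
    """Sweep P_D, maximize U_D and report the interval of periods whose utility
    lies within `tol` of the maximum (the text likewise reports an interval
    from which the defense period may be chosen at random)."""
    scores = [(p_d, utilities(p_a, p_d, c_a, c_d)["U_D"])
              for p_d in defense_period_grid(p_a, step)]
    best_p, best_u = max(scores, key=lambda s: s[1])
    near = [p for p, u in scores if best_u - u <= tol]
    return {
        "P_D": best_p,
        "U_D": best_u,
        "U_A": utilities(p_a, best_p, c_a, c_d)["U_A"],
        "range": (min(near), max(near)),
    }


if __name__ == "__main__":
    # Constructed parameters; the attack periods mirror the ones the text sweeps.
    for p_a in (5.5, 7.0, 8.0):
        res = best_defense_period(p_a, c_a=1.0, c_d=1.0)
        print(f"P_A={p_a}: optimal P_D={res['P_D']:.2f}  U_D={res['U_D']:.4f}  "
              f"U_A={res['U_A']:.4f}  near-optimal range={res['range']}")
```

Because the grid is evaluated exhaustively, swapping in a different utility (for example one where the benefit keeps growing with $P_D$, as the text reports for the high-level strategy) changes only `utilities`, not the search; the reported range is what lets a defender randomize the actual deployment period instead of exposing a fixed one.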
In conclusion, the numerical experiment results show that:
1) For different types of attack strategies, the defense period and the attack cost are the main factors influencing the attack benefit. For high-level attack strategies the influence of the attack cost on the attack benefit is far larger than the effect of the attack period; for low-level attack strategies the attack period still has a negative correlation with the attack benefit, so the attack timing problem is particularly important for the benefit of low-level attackers, and finding the optimal defense timing is therefore crucial for defending against attacks.
2) For different types of defense strategies, the defense cost is the main factor influencing the defense benefit. For low-level defense strategies an optimal defense opportunity exists, so the defense period plays a decisive role in the benefit of low-level defenders; for high-level defense strategies the defense cost is the key factor restricting the benefit, so trying to reduce the implementation cost of MTD strategies is a key breakthrough for future MTD strategy design.
C3, Analysis of results
TABLE 3 Performance comparison of this method with other methods
Figure BDA0002387774160000221
In MTD decision-making research, most existing literature focuses on strategy selection methods and neglects the time factor, which is equally important for defense decisions. Comparing with existing research: Kambrampati et al. proposed a strategy selection method based on a Bayesian game, but a static single-stage game model has difficulty depicting attack and defense scenarios effectively; Liu et al. proposed an MTD strategy selection method based on a signaling game, which offers ideas for quantifying MTD attack and defense costs but cannot accurately depict the dynamic characteristics of MTD; on that basis, our previous work introduced Markov processes into MTD strategy selection, depicting the MTD state transformation process through a Markov decision process and giving an optimal defense strategy selection algorithm; further, Chowdhary et al. carried out MTD strategy detection in a cloud network environment based on an incomplete-information stochastic game. All of the above research concentrates on MTD strategy selection. The present invention introduces the time game into MTD opportunity decision-making and, on the basis of analyzing the attack method based on the CKC and the MTD network attack surface transformation method based on the SIRM infectious disease model, proposes a decision method based on the time game, providing theoretical support for the MTD opportunity problem.
Correspondingly to the above method, as shown in fig. 2, an embodiment of the present invention further provides a moving target defense opportunity selecting device based on hidden countermeasures, including:
the analysis module 101 is used for analyzing an attack process based on a network killer chain;
the first model building module 102 is used for building an MTD network attack surface state migration model based on the SIRM infectious disease model;
the second model construction module 103 is used for constructing an MTD attack and defense opportunity selection model based on the time game;
and the equilibrium solving module 104 is used for carrying out game equilibrium solving on the MTD attack and defense opportunity selecting model based on the time game and selecting the MTD optimal opportunity.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Those of ordinary skill in the art will understand that: all or part of the steps for realizing the method embodiments can be completed by hardware related to program instructions, the program can be stored in a computer readable storage medium, and the program executes the steps comprising the method embodiments when executed; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
Finally, it is to be noted that: the above description is only a preferred embodiment of the present invention, and is only used to illustrate the technical solutions of the present invention, and not to limit the protection scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (10)

1. A moving target defense opportunity selection method based on hidden countermeasures is characterized by comprising the following steps:
analyzing an attack process based on a network killer chain;
constructing an MTD network attack surface state migration model based on the SIRM infectious disease model;
constructing an MTD attack and defense opportunity selection model based on a time game;
and carrying out game equilibrium solution on the MTD attack and defense opportunity selection model based on the time game, and selecting the MTD optimal opportunity.
2. The hidden countermeasure-based mobile target defense opportunity selection method of claim 1, wherein the network killing link is divided into an offline attack type and an online attack type;
the offline attack type is used for detecting a target system and constructing a weapon base, and by detecting the vulnerability of the resources which can be utilized for the discovery and locking of the target system and establishing a corresponding attack tool and method according to the analysis result, the attack destructive power is small and is defined as a low-level attacker;
the online attack type is used for implementing attack and expanding the damage range, the target system is enabled to reach an expected state by implementing attack behaviors, the attack range is expanded by utilizing similar vulnerability so as to improve the attack effect, and the attack destructive power is strong and is defined as a high-level attacker.
3. The hidden countermeasure-based mobile target defense opportunity selection method according to claim 2, wherein the offline attack types include a reconnaissance tracking attack strategy for detecting valuable information of the target system and a weapon construction attack strategy for creating a targeted attack load for the target system; the online attack types include a load delivery attack policy for delivering a payload to a target system, a defense exploitation attack policy for an attacker to exploit and trigger malicious code to run, an installation implantation attack policy for installing malicious software on the target system, a communication control attack policy for remote manipulation of the target system, a targeting attack policy for an attacker to target an attack, and an extended damage attack policy for extending the scope of attack damage in the target system.
4. The hidden countermeasure-based mobile target defense opportunity selection method of claim 3, wherein an MTD network attack surface state migration model based on a SIRM infectious disease model is constructed, an MTD attack and defense process is characterized as transformation of a network attack surface state, and support of state variables is provided for construction of an opportunity selection model and game analysis.
5. The hidden countermeasure-based moving target defense opportunity selection method of claim 4, wherein the network attack surface comprises a susceptible attack surface, an infected attack surface, a recovered attack surface and a damaged attack surface, and the susceptible attack surface is defined as follows: at the moment, the attack surface is in a safe state, but can be subjected to attack behavior because no defense measures are taken; infection attack surface: at the moment, the attack surface is attacked, but still in the attack stage of a low-level attacker, so that the defender is difficult to perceive, and the attack surface is in an infection state at the moment; restoring an attack surface: at the moment, the attack surface is protected by a defense strategy, the attack surface has an immune function on the attack behavior, and the attack surface is in an immune state; damaged attack surface: at this time, the attack surface is completely controlled by the attacker and is in a damaged state, and the network cannot provide services normally.
6. The hidden countermeasure-based mobile target defense opportunity selection method according to claim 5, characterized in that an MTD network attack surface state migration model based on a SIRM infectious disease model is constructed, specifically as follows:
susceptible attack face → infectious attack face: when the susceptible attack surface faces the discrete attack strategy, if the discrete attack strategy fails, the susceptible attack surface is converted into an infection attack surface;
susceptible attack surface → restorative attack surface: when the susceptible attack surface faces the discrete attack strategy, if the discrete attack strategy is successful, the susceptible attack surface is converted into a recovery attack surface;
infection attack surface → recovery attack surface: when the infection attack surface faces the online attack strategy, if the online attack strategy is successful, the infection attack surface is converted into a recovery attack surface;
infection attack face → damaged attack face: when the infection attack surface faces the online attack strategy, if the online attack strategy fails, the infection attack surface is converted into a damaged attack surface.
7. The hidden countermeasure-based mobile target defense opportunity selection method according to claim 6, characterized in that the time-game-based MTD attack and defense opportunity selection model characterizes the confrontation process of the attacking and defending parties as the alternation of control over the attack surface, expressed as a six-tuple TG-MTD (N, T, S, D, P, U), where N represents the network attack and defense game participant set, T the total time of the network attack and defense game, S the network attack and defense game state, D the network attack and defense game action set, P the network attack and defense game time period strategy set, and U the network attack and defense game revenue function set.
8. The hidden countermeasure-based mobile target defense opportunity selection method according to claim 7, characterized in that the time period strategy set $P=(P_A,P_D)$ of the network attack and defense game is adopted to define the game model TG-MTD as $G(P_A,P_D)$, where $P_A$ represents the set of time period strategies selectable by the attacker and $P_D$ the set of time period strategies selectable by the defender; according to basic game theory, the Nash equilibrium strategy of $G(P_A,P_D)$ is:
Figure FDA0002387774150000031
wherein
Figure FDA0002387774150000032
The optimal time of the defense party is shown,
Figure FDA0002387774150000033
representing the best opportunity for the attacker.
9. The hidden countermeasure-based mobile target defense opportunity selection method of claim 8, characterized in that a revenue function is utilized to solve a game balancing strategy:
suppose $P_A>P_D$ and let
Figure FDA0002387774150000034
Representing the probability of random action of an attacker in a defense time period, wherein the control period of the attacker in the defense time period is
Figure FDA0002387774150000035
Thus, the following revenue function is defined:
aggressor revenue function
Figure FDA0002387774150000036
Defender's income function
Figure FDA0002387774150000037
similarly, when $P_A\le P_D$, the attacker revenue function is
Figure FDA0002387774150000041
Defender's income function
Figure FDA0002387774150000042
where $B_A$ represents the attack benefit, $B_D$ the defense benefit, $C_A$ the attack cost, and $C_D$ the defense cost;
the attack and defense benefits of the time period strategy combination $P_A$ and $P_D$ are calculated for each attack type, and the optimal opportunity of the TG-MTD model is selected according to the attack and defense benefits.
10. A moving target defense opportunity selection device based on hidden countermeasures is characterized by comprising:
the analysis module is used for analyzing the attack process based on the network killer chain;
the first model building module is used for building an MTD network attack surface state migration model based on the SIRM infectious disease model;
the second model building module is used for building an MTD attack and defense opportunity selection model based on the time game;
and the equilibrium solving module is used for carrying out game equilibrium solving on the MTD attack and defense opportunity selecting model based on the time game and selecting the MTD optimal opportunity.
CN202010105929.6A 2020-02-20 2020-02-20 Mobile target defense opportunity selection method and device based on hidden countermeasures Active CN111385288B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010105929.6A CN111385288B (en) 2020-02-20 2020-02-20 Mobile target defense opportunity selection method and device based on hidden countermeasures

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010105929.6A CN111385288B (en) 2020-02-20 2020-02-20 Mobile target defense opportunity selection method and device based on hidden countermeasures

Publications (2)

Publication Number Publication Date
CN111385288A (en) 2020-07-07
CN111385288B (en) 2022-03-01

Family

ID=71221540

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010105929.6A Active CN111385288B (en) 2020-02-20 2020-02-20 Mobile target defense opportunity selection method and device based on hidden countermeasures

Country Status (1)

Country Link
CN (1) CN111385288B (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112291257A (en) * 2020-11-11 2021-01-29 福建奇点时空数字科技有限公司 Platform dynamic defense method based on event driving and timing migration
CN112969180A (en) * 2021-03-31 2021-06-15 山东大学 Wireless sensor network attack defense method and system under fuzzy environment
CN113194059A (en) * 2021-02-24 2021-07-30 天津大学 Method for selecting defense strategy of moving target
CN113537461A (en) * 2021-06-30 2021-10-22 中国人民解放军战略支援部队信息工程大学 Network key node discovery method and system based on SIR value learning
CN114115068A (en) * 2021-12-03 2022-03-01 东南大学 Heterogeneous redundancy defense strategy issuing method of endogenous security switch
CN114124546A (en) * 2021-11-25 2022-03-01 广东电网有限责任公司 Hidden type moving target defense strategy generation method and device
WO2022090840A1 (en) * 2020-10-28 2022-05-05 Kyndryl, Inc. Adaptive security for resource constraint devices

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109617863A (en) * 2018-11-27 2019-04-12 杭州电子科技大学 A method of the mobile target based on game theory defends optimal defence policies to choose
CN110300106A (en) * 2019-06-24 2019-10-01 中国人民解放军战略支援部队信息工程大学 Mobile target based on Markov time game defends decision choosing method, apparatus and system
US10440048B1 (en) * 2018-11-05 2019-10-08 Peking University Shenzhen Graduate School Anti-attacking modelling for CMD systems based on GSPN and Martingale theory
CN110460572A (en) * 2019-07-06 2019-11-15 中国人民解放军战略支援部队信息工程大学 Mobile target defence policies choosing method and equipment based on Markov signaling games

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
HENGER LI AND ZIZHAN ZHENG: "Optimal Timing of Moving Target Defense: A Stackelberg Game Model", MILCOM 2019 *
谭晶磊 等 (TAN Jinglei et al.): "基于Markov 时间博弈的移动目标防御最优策略选取方法" (Optimal strategy selection method for moving target defense based on Markov time game), 《通信学报》 (Journal on Communications) *

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022090840A1 (en) * 2020-10-28 2022-05-05 Kyndryl, Inc. Adaptive security for resource constraint devices
GB2614962A (en) * 2020-10-28 2023-07-26 Kyndryl Inc Adaptive security for resource constraint devices
US11539737B2 (en) 2020-10-28 2022-12-27 Kyndryl, Inc. Adaptive security for resource constraint devices
CN112291257B (en) * 2020-11-11 2022-08-12 福建奇点时空数字科技有限公司 Platform dynamic defense method based on event driving and timing migration
CN112291257A (en) * 2020-11-11 2021-01-29 福建奇点时空数字科技有限公司 Platform dynamic defense method based on event driving and timing migration
CN113194059B (en) * 2021-02-24 2022-06-14 天津大学 Method for selecting defense strategy of moving target
CN113194059A (en) * 2021-02-24 2021-07-30 天津大学 Method for selecting defense strategy of moving target
CN112969180B (en) * 2021-03-31 2022-07-01 山东大学 Wireless sensor network attack defense method and system in fuzzy environment
CN112969180A (en) * 2021-03-31 2021-06-15 山东大学 Wireless sensor network attack defense method and system under fuzzy environment
CN113537461A (en) * 2021-06-30 2021-10-22 中国人民解放军战略支援部队信息工程大学 Network key node discovery method and system based on SIR value learning
CN114124546A (en) * 2021-11-25 2022-03-01 广东电网有限责任公司 Hidden type moving target defense strategy generation method and device
CN114124546B (en) * 2021-11-25 2023-06-20 广东电网有限责任公司 Hidden type moving target defense strategy generation method and device
CN114115068A (en) * 2021-12-03 2022-03-01 东南大学 Heterogeneous redundancy defense strategy issuing method of endogenous security switch

Also Published As

Publication number Publication date
CN111385288B (en) 2022-03-01

Similar Documents

Publication Publication Date Title
CN111385288B (en) Mobile target defense opportunity selection method and device based on hidden countermeasures
Meng Intrusion detection in the era of IoT: Building trust via traffic filtering and sampling
Roy et al. A survey of game theory as applied to network security
CN110300106B (en) Moving target defense decision selection method, device and system based on Markov time game
Shen et al. Adaptive Markov game theoretic data fusion approach for cyber network defense
CN111064702B (en) Active defense strategy selection method and device based on bidirectional signal game
Lin et al. Constructing detection knowledge for DDoS intrusion tolerance
Shen et al. A markov game theoretic data fusion approach for cyber situational awareness
CN112003854B (en) Network security dynamic defense decision method based on space-time game
Fielder et al. Defense-in-depth vs. critical component defense for industrial control systems
Chen et al. Optimal defense strategy selection for spear-phishing attack based on a multistage signaling game
Zhou et al. Toward proactive and efficient DDoS mitigation in IIoT systems: A moving target defense approach
Li et al. Defensive deception framework against reconnaissance attacks in the cloud with deep reinforcement learning
Meier et al. Towards an AI-powered Player in Cyber Defence Exercises
Wang et al. Distributed denial of service attack defence simulation based on honeynet technology
Al Amin et al. Dynamic cyber deception using partially observable Monte‐Carlo planning framework
Shi et al. Survey on APT attack detection in industrial cyber-physical system
Mukkamala et al. Hybrid multi-agent framework for detection of stealthy probes
Hancock et al. Multi agent systems on military networks
Wang et al. Optimal network defense strategy selection based on Markov Bayesian game
Wang et al. Optimal network defense strategy selection based on Bayesian game
Li et al. Defending Against Man-In-The-Middle Attack in Repeated Games.
Paxton et al. Towards practical framework for collecting and analyzing network-centric attacks
Jinfeng et al. An effects analysis method for C4ISR system structure based on information flow
Lin et al. Maximization of network survivability under malicious and epidemic attacks

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant