CN111711703A - Equipment library self-adaption system and method for network target range actual combat drilling scene - Google Patents

Equipment library self-adaption system and method for network target range actual combat drilling scene Download PDF

Info

Publication number
CN111711703A
CN111711703A CN202010840731.2A CN202010840731A CN111711703A CN 111711703 A CN111711703 A CN 111711703A CN 202010840731 A CN202010840731 A CN 202010840731A CN 111711703 A CN111711703 A CN 111711703A
Authority
CN
China
Prior art keywords
machine
equipment machine
equipment
address
mapping
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010840731.2A
Other languages
Chinese (zh)
Other versions
CN111711703B (en
Inventor
程能杰
谢峥
高庆官
唐海均
高丽彪
王鹏
于靖
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing Cyber Peace Technology Co Ltd
Original Assignee
Nanjing Cyber Peace Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nanjing Cyber Peace Technology Co Ltd filed Critical Nanjing Cyber Peace Technology Co Ltd
Priority to CN202010840731.2A priority Critical patent/CN111711703B/en
Publication of CN111711703A publication Critical patent/CN111711703A/en
Application granted granted Critical
Publication of CN111711703B publication Critical patent/CN111711703B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/12Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00Routing or path finding of packets in data switching networks
    • H04L45/74Address processing for routing
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00Traffic control in data switching networks
    • H04L47/50Queue scheduling
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/12Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L67/125Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks involving control of end-device applications over a network
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45595Network integration; Enabling network access in virtual machine instances

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Software Systems (AREA)
  • Medical Informatics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses an equipment library self-adaptive system and a method for a network target range actual combat drilling scene, which comprises a snapshot storage module, an equipment machine management module, an equipment machine scheduling module and an IP mapping management module; the snapshot storage module is used for storing the memory and disk snapshots of the main equipment machine; the equipment machine management module is used for freezing/unfreezing the main equipment machine and creating/releasing the secondary equipment machine; the equipment machine scheduling module is used for storing the type and the IP address of the equipment machine, the corresponding IP address of the main equipment machine, the state of the equipment machine and the utilization rate of equipment resources; scheduling the equipment machines according to the capacity, and unfreezing the main equipment machine or creating the secondary equipment machine when the capacity is insufficient; the IP mapping management module is used for storing an IP mapping relation and finishing load forwarding of the main equipment machine and the secondary equipment machine based on an IP address modification mode; and regularly cleaning the overdue IP mapping relation, and informing to freeze the main equipment or release the secondary equipment. The invention can reduce resource waste and improve the operation and maintenance efficiency and the combat supporting capability of the equipment warehouse.

Description

Equipment library self-adaption system and method for network target range actual combat drilling scene
Technical Field
The invention relates to an equipment library self-adaption system and method for a network target range actual combat drilling scene, and belongs to the technical field of networks.
Background
The network target range is a test platform which is combined with a real device through a virtual environment, simulates a real network space attack and defense combat environment and can support combat capability research and weapon equipment verification. With the continuous development of the information era, the network environment is increasingly severe, and the requirement of building a large-scale network environment for actual combat drilling is continuously provided.
The deployment diagram of the network target range actual combat drilling scene is shown in fig. 1, the network target range is connected with a control node, a computing node and the internet through a plurality of kinds of entity network equipment, and the network target range establishes a virtual machine and a virtual network of the drilling scene at the computing node through a virtualization technology. The network target range generates virtual machines for all the team members as network target range operation machines, the team members of all the team members remotely control the operation machines through the virtual machine access management module of the network target range control nodes, and the team members connect the equipment machines in the equipment base through the operation machines to use network equipment for operations such as penetration, attack, scanning and the like.
The operation process of the current network target range actual combat drilling scene mainly comprises the following steps: a network target range creates an equipment library, and a plurality of equipment machines for providing services to the outside are arranged in the equipment library; the command center appoints a combat task and assigns the task to a corresponding combat squad or a combat team member; the combat squad receives the assigned combat mission, and creates a mission-specific operation machine at a computing node in the network target range, and all combat operations aiming at the current mission are executed on the operation machine; the team member host computer of the battle is connected with the operation machine management module to initiate an operation machine connection request; the operation machine management module authenticates the identity and the authority of the team member of the combat squad and is connected with the operation machine through a remote control protocol; the team members of the combat squad execute tasks through the operation machines, connect the equipment machines in the equipment warehouse and use the equipment; and releasing the operating machine after the combat team member completes the combat task. The equipment library management in the prior network target range actual combat drilling scene has the following problems: 1. and part of remote equipment occupies equipment warehouse resources for a long time, so that resource waste is caused. 2. The equipment machine cannot flexibly support the capacity expansion processing of the equipment use peak value. The operation and maintenance personnel of the equipment warehouse need to predict the use peak value of the specific equipment in advance and make capacity expansion preparation in advance, and release the peak value after use, so that the flexibility is poor, and the time for controlling the capacity expansion and the capacity reduction cannot be well controlled by manpower.
Disclosure of Invention
The purpose of the invention is as follows: in view of the problems in the prior art, the present invention is to provide an equipment library adaptive system and method for a network shooting range actual combat drilling scene, so as to reduce resource waste, improve operation and maintenance efficiency of the equipment library, and integrally improve operational support capability of the equipment library.
The technical scheme is as follows: in order to achieve the purpose, the invention adopts the following technical scheme:
an equipment library adaptive system for a network shooting range actual combat rehearsal scene, comprising: the equipment scheduling management system comprises a snapshot storage module, an equipment management module, an equipment scheduling module and an IP mapping management module;
the snapshot storage module is used for storing the memory and disk snapshots of the main equipment machine;
the equipment management module is used for freezing or unfreezing the main equipment and creating or releasing the secondary equipment;
the equipment scheduling module is used for storing the type and the IP address of the equipment in the equipment library, the corresponding IP address of the main equipment, the state of the equipment and the utilization rate of equipment resources; the type of the equipment machine comprises a main equipment machine and a secondary equipment machine, the IP address of the main equipment machine is open to the operating machine, the IP address of the secondary equipment machine is not open to the operating machine, and the state of the equipment machine comprises freezing and normal; matching and returning the IP address of the equipment machine with capacity according to the scheduling request of the IP mapping management module, requesting the equipment machine management module to unfreeze the main equipment machine when the matching fails due to freezing of the main equipment machine, and requesting the equipment machine management module to create a secondary equipment machine when the main equipment machine is normal but the matching fails due to insufficient capacity;
the IP mapping management module is used for storing the mapping relation among the IP address of the operating machine, the IP address of the main assembling machine, the IP address of the after-mapping assembling machine and the corresponding latest effective message forwarding time; completing load forwarding of the main equipment machine and the secondary equipment machine based on an IP address modification mode, directly correcting the IP address when the mapping record of the IP address of the operating machine and the IP address of the main equipment machine exists, or requesting a scheduling module of the equipment machine to acquire the IP address of the equipment machine with capacity and increase the mapping record, and then correcting the IP address; and the system is used for regularly clearing the overdue IP mapping relation according to the latest effective message forwarding time, and informing the main equipment machine or the secondary equipment machine which does not have the IP mapping relation to the equipment machine management module or informing the equipment machine management module to freeze the main equipment machine or release the secondary equipment machine through the equipment machine scheduling module.
Further, the equipment scheduling module is provided with an equipment state record table, and the equipment state record table comprises fields: the equipment machine type, the equipment machine IP address, the main equipment machine IP address, the equipment machine state, the equipment machine CPU utilization rate, the equipment machine memory utilization rate and the equipment resource utilization rate; and the equipment resource utilization rate is weighted and summed through the equipment machine CPU utilization rate and the equipment machine memory utilization rate.
Further, the IP mapping management module is provided with an IP packet forwarding policy table, where the IP packet forwarding policy table includes fields: the IP address of the operating machine, the IP address of the main assembling machine, the IP address of the after-mapping assembling machine and the forwarding time of the last effective message.
Further, the arming machine scheduling module includes:
the capacity selection unit is used for selecting the master equipment machine or the slave equipment machine with normal state and capacity according to the IP address of the master equipment machine; when the equipment resource utilization rate is lower than a set threshold value, the equipment is considered to have capacity;
the main equipment machine unfreezing unit is used for sending a unfreezing signal to the equipment machine management module when matching fails due to freezing of the main equipment machine, updating the equipment machine state after the main equipment machine is unfrozen, and matching according to the IP address of the main equipment machine by the capacity selection unit;
the secondary equipment machine creating unit is used for sending a secondary equipment machine creating signal to the equipment machine management module when the main equipment machine is normal but the matching fails due to insufficient capacity, adding corresponding records after the secondary equipment machine is created, and matching according to the IP address of the main equipment machine by the capacity selecting unit;
the main equipment machine freezing unit is used for transmitting a freezing signal to the equipment machine management module and updating the state of the equipment machine after the main equipment machine is frozen;
the secondary equipment machine releasing unit is used for transmitting a releasing signal to the equipment machine management module and deleting the corresponding record after the secondary equipment machine is released;
and the IP message caching unit is used for caching the IP message into an IP message caching queue before informing the equipment management module to unfreeze the main equipment or create the secondary equipment.
Further, the IP mapping management module includes:
the IP address correction unit is used for judging whether a mapping record of the IP address of the operating machine and the IP address of the main equipment machine exists or not when receiving the request message of the operating machine, correcting the target IP address in the IP message according to the mapping record to be the IP address of the after-mapping equipment machine if the mapping record exists, forwarding the message and updating the forwarding time of the last effective message in the mapping record; otherwise, requesting the equipment machine scheduling module to acquire the IP address of the equipment machine with capacity, adding corresponding IP mapping records after acquiring the matched equipment machine, correcting the target IP address of the IP message, forwarding the message and updating the last effective message forwarding time in the mapping records; when receiving the response message of the equipment machine, correcting the source IP address in the IP message into the IP address of the main equipment machine according to the mapping record;
the IP mapping relation cleaning unit is used for periodically cleaning the overdue IP mapping relation according to the last effective message forwarding time; and when the secondary equipment machine does not have the IP mapping relation, sending a secondary equipment machine release signal, and when the main equipment machine does not have the IP mapping relation, sending a main equipment machine freezing signal.
Further, the IP mapping management module implements IP address correction in an asynchronous manner, and when the main equipment machine needs to be thawed or the secondary equipment machine needs to be created, the equipment machine scheduling module caches the IP packet in the IP packet cache queue, and after the main equipment machine is thawed or the secondary equipment machine is created, the IP mapping management module corrects the target IP address of the IP packet in the IP packet cache queue.
Further, when the equipment scheduling module processes the equipment request of the IP mapping management module, the equipment scheduling module selects the equipment with capacity according to the equipment creating sequence in the equipment list matched according to the IP address of the main equipment.
An equipment library self-adaption method for a network shooting range actual combat drilling scene comprises the following steps:
(1) when receiving an operating machine request message, judging whether an IP mapping relation between an operating machine IP address and a main equipment IP address exists, if so, entering the step (2), otherwise, entering the step (3);
(2) correcting the IP address according to the IP mapping record, forwarding the message and updating the forwarding time of the last effective message in the mapping record, and entering the step (4);
(3) judging whether a corresponding equipment machine with capacity exists according to the IP address of the main equipment machine, if the main equipment machine is frozen, unfreezing the main equipment machine and utilizing the stored memory and the disk snapshot to carry out snapshot recovery, updating the state of the equipment machine to be normal after the main equipment machine is unfrozen, adding a corresponding IP mapping relation, and entering the step (2); if the main equipment machine is normal but the matching cannot be achieved due to insufficient capacity, creating a secondary equipment machine of the main equipment machine, adding a record of the newly created equipment machine after the secondary equipment machine is created, adding a corresponding IP mapping relation, and entering the step (2); if the matched equipment exists, adding a corresponding IP mapping relation, and entering the step (2);
(4) when receiving the response message of the equipment machine, correcting the IP address according to the IP mapping relation;
(5) and cleaning an expired IP mapping relation regularly according to the latest effective message forwarding time, freezing the main equipment machine without the IP mapping relation, and releasing the secondary equipment machine without the IP mapping relation.
Further, in the step (3), before the main equipment machine is unfrozen or the secondary equipment machine is created, the IP packet is cached in the IP packet cache queue, and after the main equipment machine is unfrozen or the secondary equipment machine is created, the target IP address of the IP packet in the IP packet cache queue is corrected.
Has the advantages that: the invention realizes the capacity-based scale self-adaptive scheduling of the equipment library through the equipment scheduling module, realizes the load scheduling of protocols above the IP layer of the equipment library through the IP mapping management module, further designs the IP message buffer queue to ensure that the service is not lost, and supports the equipment state switching without influence and perception on the service. Compared with the prior art, the invention has the following advantages: 1. the operation and maintenance efficiency of the equipment warehouse is improved, and the working efficiency of operation and maintenance personnel is improved by quickly expanding and reducing the capacity; 2. the resource utilization rate is improved, and the equipment library self-adaptive system supports the equipment machine to realize the flexibility from 0 (none) to N (much), so that the waste of idle resources is greatly reduced; 3. the capacity of the equipment storehouse for responding to the peak and the valley of the equipment in the service life is improved, and the fighting support capacity of the equipment storehouse is integrally improved.
Drawings
FIG. 1 is a deployment diagram of a network shooting range actual combat drilling scene.
Fig. 2 is a schematic view of an application structure of the equipment library adaptive system in a network target range actual combat drilling scene according to the embodiment of the present invention.
Fig. 3 is a flowchart illustrating an equipment library adaptation method according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be described clearly and completely with reference to the accompanying drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments that can be obtained by a person skilled in the art based on the embodiments of the present invention without any inventive step are within the scope of the present invention.
As shown in fig. 2, an equipment library adaptive system for a network target range actual combat drilling scene disclosed in the embodiment of the present invention mainly includes a snapshot storage module, an equipment management module, an equipment scheduling module, and an IP mapping management module. The snapshot storage module is used for storing the memory and disk snapshot of the main equipment machine; the equipment machine management module is used for freezing/unfreezing the main equipment machine and creating/releasing the secondary equipment machine.
The equipment scheduling module is provided with an equipment state recording table and is used for storing the type and the IP address of the equipment in the equipment library, the corresponding IP address of the main equipment, the state of the equipment and the utilization rate of equipment resources; matching and returning the IP address of the equipment machine with capacity according to the scheduling request of the IP mapping management module, requesting the equipment machine management module to unfreeze the main equipment machine when the matching fails due to freezing of the main equipment machine, and requesting the equipment machine management module to create a secondary equipment machine when the main equipment machine is normal but the matching fails due to insufficient capacity;
the IP mapping management module is provided with an IP message forwarding policy table and is used for storing the mapping relation among the IP address of the operating machine, the IP address of the main assembling machine, the IP address of the after-mapping assembling machine and the corresponding latest effective message forwarding time; the IP mapping management module finishes the load forwarding of the main equipment machine and the secondary equipment machine based on an IP address modification mode, when the mapping record of the IP address of the operating machine and the IP address of the main equipment machine exists, the IP address is directly corrected, otherwise, the equipment machine scheduling module is requested to acquire the IP address of the equipment machine with capacity and increase the mapping record, and then the IP address correction is carried out; and the system is used for regularly clearing the overdue IP mapping relation according to the latest effective message forwarding time, and informing the main equipment machine or the secondary equipment machine which does not have the IP mapping relation to the equipment machine management module or informing the equipment machine management module to freeze the main equipment machine or release the secondary equipment machine through the equipment machine scheduling module.
Specifically, the equipment state record table may include fields: the equipment machine type, the equipment machine IP address, the main equipment machine IP address, the equipment machine state, the equipment machine CPU utilization rate, the equipment machine memory utilization rate and the equipment resource utilization rate. The IP packet forwarding policy table may include fields: the IP address of the operating machine, the IP address of the main assembling machine, the IP address of the after-mapping assembling machine and the forwarding time of the last effective message.
The equipment scheduling module can comprise a capacity selection unit, a main equipment unfreezing unit, a secondary equipment creating unit, a main equipment freezing unit, a secondary equipment releasing unit and an IP message caching unit. The capacity selection unit is used for selecting a main equipment machine or a slave equipment machine with normal state and capacity according to the IP address of the main equipment machine; the main equipment machine unfreezing unit is used for sending a unfreezing signal to the equipment machine management module when matching fails due to freezing of the main equipment machine, updating the equipment machine state after the main equipment machine is unfrozen, and matching according to the IP address of the main equipment machine by the capacity selection unit; the secondary equipment machine creating unit is used for sending a secondary equipment machine creating signal to the equipment machine management module when the main equipment machine is normal but the matching fails due to insufficient capacity, adding a corresponding record after the secondary equipment machine is created, and matching according to the IP address of the main equipment machine by the capacity selecting unit; the main equipment machine freezing unit is used for transmitting a freezing signal to the equipment machine management module and updating the state of the equipment machine after the main equipment machine is frozen; the secondary equipment machine release unit is used for transmitting a release signal to the equipment machine management module and deleting corresponding records after the secondary equipment machine is released; the IP message caching unit is used for caching the IP message into an IP message caching queue before informing the equipment management module to unfreeze the main equipment or create the secondary equipment.
The IP mapping management module can comprise an IP address correction unit and an IP mapping relation cleaning unit. The IP address correction unit is used for judging whether a mapping record of an IP address of the operating machine and an IP address of the main equipment and the standby equipment exists or not when receiving the request message of the operating machine, correcting a target IP address in the IP message according to the mapping record to be the IP address of the standby equipment after mapping if the mapping record exists, forwarding the message and updating the forwarding time of the last effective message in the mapping record; otherwise, requesting the equipment machine scheduling module to acquire the IP address of the equipment machine with capacity, adding corresponding IP mapping records after acquiring the matched equipment machine, correcting the target IP address of the IP message, forwarding the message and updating the last effective message forwarding time in the mapping records; and when receiving the response message of the equipment machine, correcting the source IP address in the IP message into the IP address of the main equipment machine according to the mapping record. The IP mapping relation cleaning unit is used for periodically cleaning the overdue IP mapping relation according to the last effective message forwarding time; and when the secondary equipment machine does not have the IP mapping relation, sending a secondary equipment machine release signal, and when the main equipment machine does not have the IP mapping relation, sending a main equipment machine freezing signal.
In specific implementation, the IP mapping management module may implement IP address correction in an asynchronous manner, and in a case where the main equipment machine needs to be thawed or the secondary equipment machine needs to be created, the equipment machine scheduling module caches the IP packet in the IP packet cache queue, and after the main equipment machine is thawed or the secondary equipment machine is created, the IP mapping management module corrects the target IP address of the IP packet in the IP packet cache queue.
The equipment library self-adaptive system provided by the embodiment of the invention mainly operates in a network target range computing node for creating the equipment machines, the equipment machine management module can be deployed in a network target range control node, the equipment machines in the equipment library are in the same local area network, and the equipment machine scheduling module and the IP mapping management module are deployed in a virtual switch on the computing node or only deployed in a virtual switch at the inlet of the equipment library. For different virtualization schemes, corresponding traffic monitoring components and snapshot management components can be adopted.
It will be appreciated by those skilled in the art that the modules of the above embodiments may be adapted and arranged in one or more devices, and that different modules/units may be combined into one module/unit or divided into sub-modules/sub-units.
As shown in fig. 3, the equipment library adaptive method for the network target range actual combat drilling scene disclosed in the embodiment of the present invention mainly includes the following steps:
(1) when receiving an operating machine request message, judging whether an IP mapping relation between an operating machine IP address and a main equipment IP address exists, if so, entering the step (2), otherwise, entering the step (3);
(2) correcting the IP address according to the IP mapping record, forwarding the message and updating the forwarding time of the last effective message in the mapping record, and entering the step (4);
(3) judging whether a corresponding equipment machine with capacity exists according to the IP address of the main equipment machine, if the main equipment machine is frozen, unfreezing the main equipment machine and utilizing the stored memory and the disk snapshot to carry out snapshot recovery, updating the state of the equipment machine to be normal after the main equipment machine is unfrozen, adding a corresponding IP mapping relation, and entering the step (2); if the main equipment machine is normal but the matching cannot be achieved due to insufficient capacity, creating a secondary equipment machine of the main equipment machine, adding a record of the newly created equipment machine after the secondary equipment machine is created, adding a corresponding IP mapping relation, and entering the step (2); if the matched equipment exists, adding a corresponding IP mapping relation, and entering the step (2);
(4) when receiving the response message of the equipment machine, correcting the IP address according to the IP mapping relation;
(5) and cleaning an expired IP mapping relation regularly according to the latest effective message forwarding time, freezing the main equipment machine without the IP mapping relation, and releasing the secondary equipment machine without the IP mapping relation.
In the step (3), an asynchronous mode can be adopted, before the main equipment machine is unfrozen or the secondary equipment machine is established, the IP message is cached in the IP message cache queue, and after the main equipment machine is unfrozen or the secondary equipment machine is established, the target IP address of the IP message in the IP message cache queue is corrected.
The operation flow of the network target range actual combat drilling scene adopting the embodiment of the invention is further explained below. The specific combat process comprises the following steps:
1) and (4) establishing an equipment library in the network target range, storing snapshots and network configuration, and releasing resources. The network shooting range creates a virtual machine on a computing node as equipment in an equipment library, an attack tool, a penetration tool, a scanning tool and the like are respectively installed in the virtual machine and provide services to the outside, a memory and a disk snapshot are generated after creation is completed, the snapshot is stored in a snapshot storage module, network configuration information is reserved, the equipment machine is switched into a frozen state, the frozen state is synchronized to an equipment machine scheduling module in an equipment library virtual switch, and meanwhile, equipment machine resources are released. The equipment machine initialized in the stage is called a main equipment machine, and considering that the part of the equipment machines have a sudden use peak period, the part of the secondary equipment machines can be expanded temporarily, the initialization process of the secondary equipment machines is consistent with that of the main equipment machine, and the secondary equipment machines are temporary resources and are released after use is finished. The equipment scheduling module stores an equipment state record table, wherein the table comprises the following fields: the method comprises the following steps that the type of a standby machine (a main standby machine and a secondary standby machine), the IP address of the standby machine, the IP address of the main standby machine, the state (freezing and normal) of the standby machine, the CPU utilization rate of the standby machine, the memory utilization rate of the standby machine and the resource utilization rate of the standby machine (weighted sum of the CPU and the memory utilization rate), the frozen state of the main standby machine exists, the frozen state of the secondary standby machine does not exist, the freezing state of the main standby machine does not exist, the releasing state of the secondary standby machine does not exist, the IP address of the main standby machine is directly opened to an operating machine, the IP address of the secondary standby machine does not directly opened to the operating machine, the operating machine only accesses the IP address of the main standby machine, and the IP mapping management module in the virtual switch completes the load forwarding. In practical application, a common virtual machine is formed by directly initializing a mirror image containing an attack and defense tool, services can be provided through an SSH protocol, a TCP protocol and an HTTP protocol, a main equipment machine is generally generated by the same equipment, a snapshot storage module is generally shared and stored for an NFS network, and storage ensures that each equipment computer node can directly access a snapshot of the main equipment machine; snapshot generation tools such as virsh, snapshot generation instructions: virsh snapshot-create-as.
2) The command center creates a task. And a commander of the command center is connected with a task management module (the existing module of the network shooting range platform) in the control node through a host to create a combat task and assigns the task to a corresponding combat squad or a combat crew.
3) The team members of the combat squad receive the tasks and create task-specific manipulators. The combat squadron receives the assigned combat mission through the team member host computer connection task management module, and creates a virtual machine as an operational manipulator for the combat at the computing node in the network shooting range, and all the combat operations aiming at the current mission are executed on the manipulator.
4) The team member host computer of the combat team is connected with the operation machine management module (the existing module of the network shooting range platform) to initiate an operation machine connection request. The team member host computer is connected with an operation machine management module of the network target range control node, the operation machine management module completes identity verification, authorization control and safety audit functions, and bears functions of the bastion machine, and practical application components such as JumpServer and Guacamole are used.
5) And the operation machine management module authenticates the identity and the authority of the team member of the combat squad and is connected with the operation machine. The operation machine management module authenticates the identity information of the team member of the combat squad, verifies the authority of the team member on the operation machine, and after the verification is passed, the operation machine is connected through a remote control protocol, wherein the remote control protocol comprises RDP, SSH, Telnet, VNC and the like, so that the team member host is connected with the operation machine through the network target range operation machine management module.
6) The team member of the combat team performs tasks through the operating machine and requests to connect the equipment in-depot spare machines (through the IP address connection of the main spare machine opened to the operating machine) when the network equipment is needed. The fighter connects the services on the equipment machines in the equipment library to use the equipment in the equipment library to perform operations such as penetration, attack, scanning and the like, and the equipment machines record the equipment use record and save unified log storage module (the equipment use record and save unified log storage module can be saved in a storage system which can be accessed by the computing nodes together). In practical application, SSH protocol, TCP protocol, HTTP protocol and the like are supported, and only the access and calling of an operating machine in the computing node are provided.
7) The virtual switch remaps the target IP address to the IP message through the internal IP mapping management module. The IP mapping management module stores an IP message forwarding policy table, which comprises the following fields: the IP address of the operating machine, the IP address of the main assembling machine, the IP address of the after-mapping assembling machine and the latest effective message forwarding time. And inquiring the mapping record according to the source IP address (namely the IP address of the operating machine) and the target IP address (the IP address of the main equipment machine) in the IP message. If the mapping record exists, the target IP address of the IP message can be corrected directly according to the mapping record, the routing strategy based on the IP message is completed for the main equipment machine and the secondary equipment machine in an IP correction mode, the message is forwarded, the latest effective message forwarding time field in the mapping record is updated, and the returned response message completes the correction of the source IP address (namely the IP address of the equipment machine) through the IP mapping management module.
8) If no mapping record exists, the IP address of the main equipment machine is used for inquiring the equipment scheduling module, and the equipment scheduling module sequentially selects the equipment machines with capacity according to the equipment list corresponding to the IP address of the specified main equipment machine and records the IP mapping relation. The default sequence of the equipment machine list is a creation sequence, the capacity is measured according to the equipment resource utilization rate, and when the capacity is lower than the maximum capacity, the equipment machine is determined to be in the capacity, and the maximum capacity is the maximum equipment resource utilization rate. The typical maximum capacity in the application is set at 85%.
9) If the matching of the equipment machine fails according to the record of the equipment machine scheduling module, the type of the IP message is judged when the main equipment is frozen to cause the matching failure, and if the IP message is a non-service type IP message, the IP message is directly discarded. If the service type IP message is the service type IP message, caching the message to an IP message caching queue, sending a unfreezing signal to an equipment management module, unfreezing the equipment by the equipment management module, retrieving a snapshot of the specified equipment in a snapshot storage module, restoring the state of a memory and a disk before the equipment is frozen according to the snapshot, deleting the snapshot of the equipment, and synchronizing the state of the equipment to an equipment scheduling module. In practical application, the non-service protocol may include ICMP protocol, ARP protocol, RARP protocol, DHCP protocol, DNS protocol, and the snapshot recovery tool has a snapshot recovery instruction: virsh snapshot-reverse.
10) If the matching standby machine fails according to the record of the standby machine scheduling module, the main standby machine is normal, when the matching fails due to insufficient capacity, a cache message is sent to an IP message cache queue, a secondary equipment creating signal is sent to the standby machine management module, the standby machine management module creates a secondary standby machine (initialized by adopting the same mirror image as the main standby machine) of a specified equipment type, and the state of the standby machine is synchronized to the standby machine scheduling module.
11) If the main equipment machine needs to be unfrozen or the secondary equipment machine is created due to insufficient capacity, the IP mapping management module asynchronously receives the available equipment machine IP returned by the equipment machine scheduling module, records the IP mapping relation, acquires a corresponding IP message from the IP message cache queue, and completes the correction of the IP address and then forwards the IP address.
12) The IP mapping management module in the virtual switch regularly clears an overdue IP mapping relation according to the latest effective message forwarding time field, when the secondary equipment machine does not have the IP mapping relation, a secondary equipment release signal is sent to the equipment machine management module, the equipment machine management module directly releases secondary equipment resources without reserving any information, and the equipment machine state is synchronized to the equipment machine scheduling module; and when the main equipment machine does not have the IP mapping relation, sending a main equipment freezing signal to the equipment machine management module, storing the network configuration information of the main equipment by the equipment machine management module, freezing the main equipment, and synchronizing the state of the equipment machine to the equipment machine scheduling module. The expiration time is typically set to 30 minutes for practical applications.
13) And (4) completing the task by the team members of the combat team and releasing the operation machine. After the combat team member finishes the combat task, the operation machine used for the current task is released, namely the virtual machine resource is released.

Claims (9)

1. An equipment library adaptive system for a network shooting range actual combat drilling scene, comprising: the equipment scheduling management system comprises a snapshot storage module, an equipment management module, an equipment scheduling module and an IP mapping management module;
the snapshot storage module is used for storing the memory and disk snapshots of the main equipment machine;
the equipment management module is used for freezing or unfreezing the main equipment and creating or releasing the secondary equipment;
the equipment scheduling module is used for storing the type and the IP address of the equipment in the equipment library, the corresponding IP address of the main equipment, the state of the equipment and the utilization rate of equipment resources; the type of the equipment machine comprises a main equipment machine and a secondary equipment machine, the IP address of the main equipment machine is open to the operating machine, the IP address of the secondary equipment machine is not open to the operating machine, and the state of the equipment machine comprises freezing and normal; matching and returning the IP address of the equipment machine with capacity according to the scheduling request of the IP mapping management module, requesting the equipment machine management module to unfreeze the main equipment machine when the matching fails due to freezing of the main equipment machine, and requesting the equipment machine management module to create a secondary equipment machine when the main equipment machine is normal but the matching fails due to insufficient capacity;
the IP mapping management module is used for storing the mapping relation among the IP address of the operating machine, the IP address of the main assembling machine, the IP address of the after-mapping assembling machine and the corresponding latest effective message forwarding time; completing load forwarding of the main equipment machine and the secondary equipment machine based on an IP address modification mode, directly correcting the IP address when the mapping record of the IP address of the operating machine and the IP address of the main equipment machine exists, or requesting a scheduling module of the equipment machine to acquire the IP address of the equipment machine with capacity and increase the mapping record, and then correcting the IP address; and the system is used for regularly clearing the overdue IP mapping relation according to the latest effective message forwarding time, and informing the main equipment machine or the secondary equipment machine which does not have the IP mapping relation to the equipment machine management module or informing the equipment machine management module to freeze the main equipment machine or release the secondary equipment machine through the equipment machine scheduling module.
2. The system of claim 1, wherein the loader scheduling module is configured with an loader state record table comprising fields: the equipment machine type, the equipment machine IP address, the main equipment machine IP address, the equipment machine state, the equipment machine CPU utilization rate, the equipment machine memory utilization rate and the equipment resource utilization rate; and the equipment resource utilization rate is weighted and summed through the equipment machine CPU utilization rate and the equipment machine memory utilization rate.
3. The equipment library adaptive system for the network range actual combat drill scene of claim 1, wherein the IP mapping management module is provided with an IP packet forwarding policy table, the IP packet forwarding policy table comprising fields: the IP address of the operating machine, the IP address of the main assembling machine, the IP address of the after-mapping assembling machine and the forwarding time of the last effective message.
4. The system of claim 1, wherein the loader scheduling module comprises:
the capacity selection unit is used for selecting the master equipment machine or the slave equipment machine with normal state and capacity according to the IP address of the master equipment machine; when the equipment resource utilization rate is lower than a set threshold value, the equipment is considered to have capacity;
the main equipment machine unfreezing unit is used for sending a unfreezing signal to the equipment machine management module when matching fails due to freezing of the main equipment machine, updating the equipment machine state after the main equipment machine is unfrozen, and matching according to the IP address of the main equipment machine by the capacity selection unit;
the secondary equipment machine creating unit is used for sending a secondary equipment machine creating signal to the equipment machine management module when the main equipment machine is normal but the matching fails due to insufficient capacity, adding corresponding records after the secondary equipment machine is created, and matching according to the IP address of the main equipment machine by the capacity selecting unit;
the main equipment machine freezing unit is used for transmitting a freezing signal to the equipment machine management module and updating the state of the equipment machine after the main equipment machine is frozen;
the secondary equipment machine releasing unit is used for transmitting a releasing signal to the equipment machine management module and deleting the corresponding record after the secondary equipment machine is released;
and the IP message caching unit is used for caching the IP message into an IP message caching queue before informing the equipment management module to unfreeze the main equipment or create the secondary equipment.
5. The system of claim 1, wherein the IP mapping management module comprises:
the IP address correction unit is used for judging whether a mapping record of the IP address of the operating machine and the IP address of the main equipment machine exists or not when receiving the request message of the operating machine, correcting the target IP address in the IP message according to the mapping record to be the IP address of the after-mapping equipment machine if the mapping record exists, forwarding the message and updating the forwarding time of the last effective message in the mapping record; otherwise, requesting the equipment machine scheduling module to acquire the IP address of the equipment machine with capacity, adding corresponding IP mapping records after acquiring the matched equipment machine, correcting the target IP address of the IP message, forwarding the message and updating the last effective message forwarding time in the mapping records; when receiving the response message of the equipment machine, correcting the source IP address in the IP message into the IP address of the main equipment machine according to the mapping record;
the IP mapping relation cleaning unit is used for periodically cleaning the overdue IP mapping relation according to the last effective message forwarding time; and when the secondary equipment machine does not have the IP mapping relation, sending a secondary equipment machine release signal, and when the main equipment machine does not have the IP mapping relation, sending a main equipment machine freezing signal.
6. The equipment library adaptive system for the network firing ground actual combat drilling scene according to claim 1, wherein the IP mapping management module implements IP address correction in an asynchronous manner, and in case that the main equipment machine needs to be unfrozen or the secondary equipment machine needs to be created, the equipment machine scheduling module caches the IP packets in the IP packet cache queue, and after the main equipment machine is unfrozen or the secondary equipment machine is created, the IP mapping management module corrects the target IP addresses of the IP packets in the IP packet cache queue.
7. The system of claim 1, wherein the loader scheduling module selects the loaders with capacity in the loader creation order from a list of loaders matched according to the IP address of the main loader when processing the loader request of the IP mapping management module.
8. An equipment library self-adaption method for a network shooting range actual combat drilling scene is characterized by comprising the following steps:
(1) when receiving an operating machine request message, judging whether an IP mapping relation between an operating machine IP address and a main equipment IP address exists, if so, entering the step (2), otherwise, entering the step (3);
(2) correcting the IP address according to the IP mapping record, forwarding the message and updating the forwarding time of the last effective message in the mapping record, and entering the step (4);
(3) judging whether a corresponding equipment machine with capacity exists according to the IP address of the main equipment machine, if the main equipment machine is frozen, unfreezing the main equipment machine and utilizing the stored memory and the disk snapshot to carry out snapshot recovery, updating the state of the equipment machine to be normal after the main equipment machine is unfrozen, adding a corresponding IP mapping relation, and entering the step (2); if the main equipment machine is normal but the matching cannot be achieved due to insufficient capacity, creating a secondary equipment machine of the main equipment machine, adding a record of the newly created equipment machine after the secondary equipment machine is created, adding a corresponding IP mapping relation, and entering the step (2); if the matched equipment exists, adding a corresponding IP mapping relation, and entering the step (2);
(4) when receiving the response message of the equipment machine, correcting the IP address according to the IP mapping relation;
(5) and cleaning an expired IP mapping relation regularly according to the latest effective message forwarding time, freezing the main equipment machine without the IP mapping relation, and releasing the secondary equipment machine without the IP mapping relation.
9. The equipment library adaptive method for the network firing ground actual combat drilling scene according to claim 8, wherein in the step (3), before the main equipment machine is unfrozen or the secondary equipment machine is created, the IP message is cached in the IP message caching queue, and after the main equipment machine is unfrozen or the secondary equipment machine is created, the target IP address of the IP message in the IP message caching queue is corrected.
CN202010840731.2A 2020-08-20 2020-08-20 Equipment library self-adaption system and method for network target range actual combat drilling scene Active CN111711703B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010840731.2A CN111711703B (en) 2020-08-20 2020-08-20 Equipment library self-adaption system and method for network target range actual combat drilling scene

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010840731.2A CN111711703B (en) 2020-08-20 2020-08-20 Equipment library self-adaption system and method for network target range actual combat drilling scene

Publications (2)

Publication Number Publication Date
CN111711703A true CN111711703A (en) 2020-09-25
CN111711703B CN111711703B (en) 2020-11-24

Family

ID=72547383

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010840731.2A Active CN111711703B (en) 2020-08-20 2020-08-20 Equipment library self-adaption system and method for network target range actual combat drilling scene

Country Status (1)

Country Link
CN (1) CN111711703B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117459401A (en) * 2023-09-15 2024-01-26 永信至诚科技集团股份有限公司 Method, device, equipment and storage medium for generating network target range environment snapshot

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105024990A (en) * 2015-03-30 2015-11-04 清华大学 Deployment method and device for network security attack and defense exercise environment
CN108021428A (en) * 2017-12-05 2018-05-11 华迪计算机集团有限公司 A kind of method and system that network target range is realized based on Docker
CN109768892A (en) * 2019-03-04 2019-05-17 中山大学 A kind of network security experimental system of micro services
CN110362380A (en) * 2019-06-17 2019-10-22 东南大学 A kind of multiple-objection optimization virtual machine deployment method in network-oriented target range
CN110389813A (en) * 2019-06-17 2019-10-29 东南大学 A kind of dynamic migration of virtual machine method in network-oriented target range
US10600335B1 (en) * 2017-09-18 2020-03-24 Architecture Technology Corporation Adaptive team training evaluation system and method

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105024990A (en) * 2015-03-30 2015-11-04 清华大学 Deployment method and device for network security attack and defense exercise environment
US10600335B1 (en) * 2017-09-18 2020-03-24 Architecture Technology Corporation Adaptive team training evaluation system and method
CN108021428A (en) * 2017-12-05 2018-05-11 华迪计算机集团有限公司 A kind of method and system that network target range is realized based on Docker
CN109768892A (en) * 2019-03-04 2019-05-17 中山大学 A kind of network security experimental system of micro services
CN110362380A (en) * 2019-06-17 2019-10-22 东南大学 A kind of multiple-objection optimization virtual machine deployment method in network-oriented target range
CN110389813A (en) * 2019-06-17 2019-10-29 东南大学 A kind of dynamic migration of virtual machine method in network-oriented target range

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
安彩虹: ""网络靶场中动态可配置虚拟网络技术研究与实现"", 《中国优秀硕士学位论文全文数据库 信息科技辑》 *
张月红: ""高等院校网络靶场建设的需求分析及架构功能设计"", 《软件工程》 *

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117459401A (en) * 2023-09-15 2024-01-26 永信至诚科技集团股份有限公司 Method, device, equipment and storage medium for generating network target range environment snapshot

Also Published As

Publication number Publication date
CN111711703B (en) 2020-11-24

Similar Documents

Publication Publication Date Title
CN112040020B (en) Equipment machine sleep network hosting system and method for network target range actual combat drilling scene
CN111651242B (en) System and method for scheduling operating machine in network target range actual combat drilling scene
EP3995955B1 (en) Data processing method, network interface card, and server
CN101834875B (en) Method, device and system for defending DDoS (Distributed Denial of Service) attacks
JP3372455B2 (en) Packet relay control method, packet relay device, and program storage medium
CN111478820A (en) Network equipment configuration system and method for large-scale network environment of network target range
US11558345B2 (en) System and method of using a global discovery service to enable routing of packets from a source container to a destination container
US9262244B2 (en) Method and system for efficient inter-process communication in a high availability system
EP2939401B1 (en) Method for guaranteeing service continuity in a telecommunication network and system thereof
CA2691266C (en) Methods and devices for communicating diagnostic data in a real time communication network
CN111711703B (en) Equipment library self-adaption system and method for network target range actual combat drilling scene
US11665090B1 (en) Using fast-path nodes of packet processing services as intermediaries for workload migration workflows
CN110247899B (en) System and method for detecting and relieving ARP attack based on SDN cloud environment
JP2012533129A (en) High performance automated management method and system for virtual networks
CN105912422A (en) Data backup method, backup client and data backup system
CN104202420A (en) Method and device for supporting expansion of internet-of-things middleware cluster
CN115296925B (en) Data transmission control method and system in network target range
US20140204730A1 (en) Implementing Gateway Redundancy in a Network
JP2010505156A (en) Method and system for information management system
CN112040021B (en) System and method for operating machine dormant network hosting in network target range actual combat drilling scene
US11799950B1 (en) Seamless migration of packet processing workloads between exception path node groups
CN114024971B (en) Service data processing method, kubernetes cluster and medium
KR101541349B1 (en) System and method for transferring packet in network
CN111835858A (en) Equipment access method, equipment and system
JP4768558B2 (en) Network monitoring method and monitoring apparatus

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant