CN111756731B - Credibility measuring method and system for private network - Google Patents


Publication number: CN111756731B
Authority: CN (China)
Prior art keywords: access record, record data, path, decision, network
Legal status: Active
Application number: CN202010582657.9A
Other languages: Chinese (zh)
Other versions: CN111756731A
Inventors: 刘川, 邢宁哲, 刘世栋, 石进中, 金燊, 马睿, 张素香, 陶静, 纪雨彤, 宋伟, 陈晓露, 唐佳, 张宁, 胡威, 张书林, 孙钢
Current and original assignees: State Grid Corp of China SGCC; State Grid Information and Telecommunication Co Ltd; Global Energy Interconnection Research Institute; State Grid Shanghai Electric Power Co Ltd; Information and Telecommunication Branch of State Grid Jibei Electric Power Co Ltd

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L61/00: Network arrangements, protocols or services for addressing or naming
    • H04L61/45: Network directories; name-to-address mapping
    • H04L61/4505: Network directories; name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511: Network directories; name-to-address mapping using standardised directories; using standardised directory access protocols using the domain name system [DNS]

Abstract

The invention discloses a credibility measuring method and system for a private network. The method comprises: obtaining access record data between the DNS application and the private network to be tested; establishing, from the access record data, a decision path of the request and response corresponding to each access record; determining a reliability measurement value of the private network to be tested from the access record data; calculating the information entropy of the access record data from the access record data and each decision path; and determining the credibility measurement result of the private network to be tested from the relationship between the information entropy and the reliability measurement value. By implementing the method and system, the credibility measurement result is obtained by judging the relationship between the information entropy and the reliability measurement value and is used to judge whether the private network to be tested is credible, so that the potential network security hazard caused by abuse and misuse of DNS recursive domain name service is avoided and the secure communication of the private network is ensured.

Description

Credibility measuring method and system for private network
Technical Field
The invention relates to the technical field of information communication, in particular to a credibility measuring method and system for a private network.
Background
In most network environments of national key information infrastructure, a gatekeeper, a firewall, an intrusion detection system, antivirus software and the like are generally configured to control the data traffic of TCP/IP and other network protocols, so that the internal network cannot be directly or indirectly connected to the public internet; this is called physical isolation, and it is also the standard configuration of the typical private network to be tested.
In the TCP/IP network architecture, the Domain Name System (DNS) is a typical application of Software Defined Networking (SDN), and its role and function are very important. Because open-source DNS software serves as the de facto standard and the original DNS design lacked security considerations, DNS and its applications and service procedures present security risks. In particular, in some scenarios known as "physically isolated" networks, DNS applications are used as a carrier of trust attacks, not only to communicate transparently across internal and external networks, but also to act as a covert tunnel for network penetration intrusion and data leakage. For a long time, this type of security risk and hidden danger has been overlooked in "physically isolated" intranets running TCP/IP protocols.
On the other hand, because of the passive service mode of DNS, the recursive domain name service that forms the entry into the DNS namespace has the characteristics of multiple sources, diversification and virtualization, and the right to select the DNS recursive domain name service lies with the end system and the user. If abuse or misuse occurs in an error zone or blind zone formed by the DNS recursive domain name service, the "physical isolation" between the internal and external networks exists in name only, and, lacking corresponding supervision measures, we cannot know whether these private networks built on the DNS design are credible. Therefore, a method for determining the reliability and credibility of a DNS-based private network is urgently needed to determine whether the private network is reliable.
Disclosure of Invention
Therefore, the technical problem to be solved by the present invention is to overcome the defect that the prior art cannot judge whether the private network to be tested is trusted, thereby providing a method and a system for measuring the trustworthiness of the private network.
In order to achieve the purpose, the invention provides the following technical scheme:
the embodiment of the invention provides a credibility measuring method for a private network, which comprises the following steps: acquiring access record data between the DNS application and the private network to be tested; establishing a decision path of the request and response corresponding to each access record according to the access record data; determining a reliability measurement value of the private network to be tested according to the access record data; calculating the information entropy of the access record data according to the access record data and each decision path; and determining the credibility result of the private network to be tested according to the relationship between the information entropy and the reliability measurement value.
In an embodiment, the establishing a decision path for a request and a response corresponding to each access record according to the access record data includes: acquiring record data corresponding to the access record from the access record data; determining path nodes according to the recorded data; and establishing the decision path according to each path node.
In an embodiment, the determining a reliability measurement value of the private network to be tested according to the access record data includes: determining probability distribution of all path nodes in the access record data according to the access record data; and calculating the reliability measuring value according to the probability distribution.
In one embodiment, the calculation formula of the confidence measure is:
Figure BDA0002552966960000031
where $H(X)$ represents the reliability measurement value, $X$ the set formed by the path nodes on all decision paths in the access record data, $n$ the number of path nodes in the set $X$, and $p_i$ the probability of the $i$-th path node on a decision path; $i$ and $n$ are positive integers.
In one embodiment, the calculation formula of the information entropy is as follows:
Figure BDA0002552966960000032
where $H(Y/X)$ represents the information entropy, $X$ the set of path nodes on all decision paths in the access record data, $H(Y/X = x_i)$ the probability of occurrence of the set $Y$ of path nodes on a decision path under the condition that path node $x_i$ on the decision path is known, $n$ the number of path nodes in the set $X$, and $p_i$ the probability of path node $x_i$ on all decision paths; $i$ and $n$ are positive integers.
In an embodiment, the determining the reliability measurement result of the private network to be tested according to the relationship between the information entropy and the reliability measurement value includes: judging whether the information entropy is smaller than the reliability measuring value or not; and when the information entropy is smaller than the reliability measuring value, determining that the reliability measuring result of the special network to be measured is credible.
In an embodiment, the determining the reliability measurement result of the private network to be tested according to the relationship between the information entropy and the reliability measurement value further includes: and when the information entropy is not less than the reliability measuring value, determining that the reliability measuring result of the special network to be measured is not trusted.
In a second aspect, an embodiment of the present invention provides a system for measuring trustworthiness of a private network, where the system includes: the acquisition module is used for acquiring access record data between the DNS application and the special network to be detected; the construction module is used for establishing a decision path of a request and a response corresponding to each access record according to the access record data; the first calculation module is used for determining the credibility measurement value of the special network to be tested according to the access record data; the second calculation module is used for calculating the information entropy of the access record data according to the access record data and each decision path; and the judging module is used for determining the credibility measurement result of the special network to be measured according to the relationship between the information entropy and the credibility measurement value.
In a third aspect, an embodiment of the present invention provides a computer-readable storage medium, where computer instructions are stored, and the computer instructions are configured to cause the computer to execute the method for measuring the trustworthiness of a private network according to the first aspect of the present invention.
In a fourth aspect, an embodiment of the present invention provides a computer device, including: the device comprises a memory and a processor, wherein the memory and the processor are connected with each other in a communication mode, the memory stores computer instructions, and the processor executes the computer instructions so as to execute the method for measuring the credibility of the private network according to the first aspect of the embodiment of the invention.
The technical scheme of the invention has the following advantages:
the credibility measuring method for a private network provided by the invention comprises the steps of obtaining access record data between the DNS application and the private network to be tested; establishing a decision path of the request and response corresponding to each access record according to the access record data; determining the reliability measurement value of the private network to be tested according to the access record data; calculating the information entropy of the access record data according to the access record data and each decision path; and determining the credibility result of the private network to be tested according to the relationship between the information entropy and the reliability measurement value. By establishing the request and response decision path corresponding to each access record, the learning method and algorithm of a decision tree are determined, which improves the generalization capability and the capability of handling unseen examples for the private network to be tested. The credibility result of the private network to be tested is determined by judging the relationship between the information entropy and the reliability measurement value; the result serves as the reliable credibility of the private network to be tested, with the information entropy used as the credibility reference for judging whether the private network is credible, so that the potential network security hazard caused by abuse and misuse of DNS recursive domain name service is avoided and the secure communication of the private network is ensured. Applying the credibility method for the private network improves the capability of extending to unknown cases, and strengthens situational awareness based on the network boundary and the protection of network and information security.
By constructing a special network with DNS application normal state supervision as the center, the method can generate positive effects on the security defense of the network and the adaptation to the development of the Internet.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the embodiments or the prior art descriptions will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a schematic diagram of the association relationship between logical entity sets in a DNS application scenario according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of the architecture of the domain name system in an embodiment of the present invention;
Fig. 3 is a schematic diagram of the domain name resolution and iteration processes in an embodiment of the present invention;
Fig. 4 is a flowchart of a specific example of a method for measuring the trustworthiness of a private network according to an embodiment of the present invention;
Fig. 5 is a diagram illustrating a bipartite graph model for a DNS application according to an embodiment of the present invention;
Fig. 6 is a schematic diagram of the decision tree of requests and responses corresponding to access records in an embodiment of the present invention;
Fig. 7 is a diagram illustrating the reliability entropy distribution and the reliability measurement probability distribution of the private network to be tested according to an embodiment of the present invention;
Fig. 8 is a schematic block diagram of a specific example of a credibility measuring system for a private network in an embodiment of the present invention;
Fig. 9 is a composition diagram of a specific example of a computer device according to an embodiment of the present invention.
Detailed Description
The technical solutions of the present invention will be described clearly and completely with reference to the accompanying drawings, and it is to be understood that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, belong to the protection scope of the present invention.
Furthermore, the technical features involved in the different embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
As shown in Fig. 1, a DNS (Domain Name System) application scenario can be divided into three logical entity sets: authoritative domain name servers (i.e., the namespace), recursive domain name servers (i.e., the namespace entries), and end systems and users (i.e., the driver of the domain name application, or the "last mile"). Here, Software Defined Networking (SDN) refers to domain name system application software (e.g., BIND) that transparently performs the location of DNS applications and services and directs and controls network behavior.
The centralized hierarchical system architecture of the DNS is mainly a domain name space composed of a root domain name, a top-level domain name, and an authority, and the step-by-step iterative resolution of domain names is an irreversible process. In order to improve the availability and reliability of network communication native services, the DNS adopts a distributed virtualization system operation mode, that is, an ad hoc domain name service network through an "anycast" protocol. "anycast" is a group of service-specific distributed hosts on a network sharing the same IP address, according to specific policies and algorithms to provide stateless, best-effort domain name resolution services.
For example, the IPv4 addresses of Google's public recursive domain name servers are 8.8.8.8 and 8.8.4.4, yet there are hundreds of sites distributed across the global internet, and "anycast" provides the best-matching site (e.g., fastest response time, shortest path) for domain name service. Because DNS service is passive, recursive domain name servers are both the entries into the domain name space and the "first kilometer" of domain name service. Because of this status and importance, recursive domain name servers are the focus of contention and competition among multiple parties, and are also described as "inherently political" technologies and services.
On the other hand, since domain name system application software is only a "de facto standard" and is open source, different versions contain various known and unknown "back doors", such as workarounds and boolean switches.
The "DNS Flag Day" initiative, driven by the industry's main domain name service providers and domain name application software developers, mainly removes such "workarounds" so as to strengthen the "unity" of domain name system software, and extends DNS application to TCP and HTTP.
However, in the TCP/IP network architecture, because open-source DNS software serves as the de facto standard and the original DNS design lacked security considerations, DNS and its application and service procedures present security risks. In particular, in some scenarios known as "physically isolated" networks, DNS applications are used as a carrier of trust attacks, not only to communicate transparently across internal and external networks, but also to act as a covert tunnel for network penetration intrusion and data leakage.
For a long time, this type of security risk and hidden danger has been overlooked in "physically isolated" intranets running the TCP/IP protocol. In practice, not only is the abnormal behavior of the internal network's DNS application usually "cleared" through (e.g., port 53 is open on the firewall), but information leakage through the ubiquitous blind zones of the DNS application (e.g., abuse and misuse of DNS) also goes unnoticed and uncontrolled. Since the internal and external networks are transparently connected by the DNS application, known DNS applications and hidden tunnels are abused and exploited for network intrusion, inevitably creating unknown security risks.
Although DNS is a centralized hierarchical architecture and a distributed virtualization system structure, DNS provides a passive service, that is, a corresponding domain name resolution response is made if and only if a DNS server receives a user request. In view of the "tree" type structure of the hierarchy of domain name systems as shown in fig. 2, the request and response service process of domain name resolution is composed of irreversible recursive and iterative processes as shown in fig. 3.
Because the right to select the DNS recursive domain name service lies with the end system and the user, if abuse and misuse of the DNS recursive domain name service form error zones and blind zones, the physical isolation between the internal and external networks exists in name only, and, lacking corresponding supervision measures, one cannot know whether the private network to be tested is credible. Therefore, a method for determining the reliability of the private network to be tested is needed to determine whether it is reliable.
To solve the above problem, an embodiment of the present invention provides a method for measuring the trustworthiness of a private network, which is applied to a private network under a DNS architecture, and as shown in fig. 4, the method includes the following steps:
Step S1: acquire access record data between the DNS application and the private network to be tested.
In a specific embodiment, assume that the private network to be tested is a dedicated local area network. For such a network, the standard recommendation is to deploy at least 2 (3 recommended, and no more than 5) recursive domain name servers in a distributed manner to avoid single points of failure; since these recursive domain name servers are components of the dedicated local area network, the DNS application and the access record data of the dedicated local area network can be scheduled under management and control capability. It should be noted that, as shown in Fig. 1, the embodiment of the present invention is described by way of example with 3 recursive domain name servers deployed: outside, inside and unknown. In practical applications, the number of deployed recursive domain name servers and their classification may be adjusted according to actual needs, and the present invention is not limited thereto.
As shown in Fig. 1, the access relationship between the DNS application and the private network to be tested lies in the "first kilometer" of the physically isolated network, i.e. between the end systems and users on one side and the recursive domain name servers on the other. Specifically, as shown in Fig. 5 and without loss of generality, monitoring of the "first kilometer" of the domain name application is modelled as follows: the end systems of the DNS application form the vertex set $V_1$; the recursive domain name resolution servers form the vertex set $V_2$; $V_1$ and $V_2$ do not intersect, with $V_1 \cup V_2 = V$ and
Figure BDA0002552966960000091
; the set of edges connecting $V_1$ and $V_2$ is $E$. Sufficiency and necessity are proved to show that the graph $G = \langle V, E \rangle$ is a bipartite graph. The proof is as follows. Sufficiency: in neither $V_1$ nor $V_2$ are any two vertices adjacent. That is, according to the definition and constraints of the domain name resolution rules and their irreversible process, no two end systems issue a domain name resolution request or response to each other, and any two recursive domain name resolution servers are independent of each other, which proves the claim. Necessity: let $v_0 \in V_1, v_1 \in V_2, v_2 \in V_1, v_3 \in V_2, \ldots, v_{2i} \in V_1, v_{2i+1} \in V_2$. Because $v_0 \in V_1$ and $v_k \in V_2$ with $k$ odd, the cycle $(v_0, v_1, v_2, v_3, \ldots, v_k, v_0)$ through $v_0$ has even length $k + 1$. This completes the proof.
The access record data between the DNS application and the private network to be tested comprises the requests (Q), the responses (R) directly associated with them, and their primary attributes. In particular, it follows from the above proof that the request and response of the DNS application form a peer-to-peer relationship, and that no two points in the same entity set are connected, i.e. the points are independent of each other. For example, a request from point A to point B can only be answered by a response from point B.
In the embodiment of the invention, the access record data between the DNS application and the private network to be tested is acquired and counted from the historical access record data between them. In the embodiment, 22.9 million access records (33 days) were intercepted from the data continuously collected at the end systems, users and recursive domain name servers. This is by way of example only; the number of days of access record data may be chosen according to actual needs.
Step S2: establish a decision path of the request and response corresponding to each access record according to the access record data.
In a specific embodiment, establishing a decision path for a request and a response corresponding to each access record according to the access record data includes: acquiring record data corresponding to the access record from the access record data; determining path nodes according to the recorded data; and establishing a decision path according to each path node.
Wherein the decision path is an if-then chain from a root node to a leaf node in the decision tree. The path node corresponds to the condition of the if-then rule; the leaf nodes correspond to decision conclusions. By establishing the decision path, the learning method and algorithm of the decision tree are determined, and further the generalization capability and the capability of processing unseen examples of the special network to be tested are improved.
Specifically, as shown in fig. 6, a decision tree of requests and responses corresponding to each access record is established according to the access record data. Wherein, the service of the DNS is divided into domestic and foreign; the compliance of the DNS includes normal and abnormal; the safe state includes known and unknown. Each if-then chain from the root node to the leaf node in the decision tree is a decision path.
In the embodiment of the invention, from the 22.9 million intercepted access records, the record data corresponding to each access record is obtained, path nodes are determined from the record data, a decision path of the request and response corresponding to each access record is established from the path nodes, and boundary-condition classification is carried out according to the decision path. Table 1 shows the boundary-condition classification of part of the access record data.
TABLE 1

| Access origin | Object property | Target state | Reliability of physically isolated network |
|---|---|---|---|
| Overseas | Normal | Known | Not credible |
| Overseas | Normal | Unknown | Not credible |
| Overseas | Abnormal | Known | Not credible |
| Overseas | Abnormal | Unknown | Not credible |
| Domestic | Normal | Known | Not credible |
| Domestic | Normal | Unknown | Not credible |
| Domestic | Abnormal | Known | Not credible |
| Domestic | Abnormal | Unknown | Not credible |
| Domestic | Normal | Self-owned | Credible |
Step S3: determine the reliability measurement value of the private network to be tested according to the access record data.
In an embodiment, determining the reliability measurement value of the private network to be tested according to the access log data includes: determining probability distribution of all path nodes in the access record data according to the access record data; a confidence measure is calculated from the probability distribution.
The reliability measurement value is the information-entropy critical value (threshold) used to judge whether the private network to be tested is reliable. In physics, entropy is a parameter describing the disorder of things: the larger the entropy, the more chaotic the state (or the larger the amount of information). Entropy is a measure of the amount of information received in relation to a particular occurrence of an event. Thus the magnitude of the information amount is related to the probability of a random event; events with smaller probability produce larger amounts of information. In other words, the information amount measures the information brought by the occurrence of a specific event, and the information entropy is the expectation of the information amount that an undetermined result can produce, that is, the expectation of the information amount brought by all possible events.
In an embodiment of the present invention, the size of the information amount is related to the probability distribution of the path nodes on the decision path. In other words, the information amount measure is the information brought by an already-occurring path node, and the information entropy is the expectation of the information amount which can be generated by an undetermined path node.
Specifically, the probability distribution formula of the path nodes on the decision path is:
$P(X = x_i) = p_i$, $i = 1, 2, \ldots, n$, where $X$ represents the set of path nodes on all decision paths in the access record data and $p_i$ the probability of the $i$-th path node on a decision path.
Calculating the reliability measurement value according to the probability distribution calculated by the formula, wherein the specific calculation formula is as follows:
Figure BDA0002552966960000121
where $H(X)$ represents the reliability measurement value, $X$ the set formed by the path nodes on all decision paths in the access record data, $n$ the number of path nodes in the set $X$, and $p_i$ the probability of the $i$-th path node on a decision path; $i$ and $n$ are positive integers.
In the embodiment of the present invention, Fig. 7 shows a schematic diagram of the reliability entropy distribution and the reliability measurement value used to measure the reliability of the private network to be tested. Set the reliability measure boundary of the private network to be tested as: credible taken as 1, not credible taken as 0.5. This is given by way of example only; in other embodiments the reliability measure boundary may be determined according to actual needs. The reliability measure boundary can be adjusted in real time according to actual conditions, and adjusting it in real time adjusts the reliability measurement value of the private network to be tested so as to meet the requirements of different private networks. Let $T = [0.5, 1]$ and let the random variable have the probability distribution $P(X = x_i) = p_i$, $x_i \in T$, $i = 1, 2, \ldots, n$, with $P(X = 0.5) = p$ and $P(X = 1) = 1 - p$; then the reliability measurement value of the private network under test is $H(X) = 0.30$.
Step S4: and calculating the information entropy of the access record data according to the access record data and each decision path.
In one embodiment, use is made of the additivity of information entropy: the reliability measurement of the uncertainty of several random events occurring simultaneously can be represented as the cumulative sum of the reliability measurements of the uncertainty of each event. In the embodiment of the present invention, the information entropy of the uncertainty present in a plurality of concurrent and independent path nodes may therefore be represented as the cumulative sum of the information entropy of the uncertainty of each concurrent and independent path node.
The information entropy H (Y/X) represents the uncertainty of the set of path nodes Y on the decision path given the set of path nodes X on the decision path. Specifically, the calculation formula of the information entropy of the access record data is as follows:
$$H(Y/X) = \sum_{i=1}^{n} p_i \, H(Y/X = x_i)$$
where H(Y/X) represents the information entropy, X represents the set of path nodes on all decision paths in the access record data, $H(Y/X = x_i)$ represents the uncertainty of the set Y of path nodes on the decision path under the condition that path node $x_i$ on the decision path is known, n represents the number of path nodes in the set X, and $p_i$ represents the probability of path node $x_i$ on all decision paths; i and n are positive integers.
In the embodiment of the present invention, it is assumed that the reliability of the private network to be tested is Y = (not credible, credible). From the statistics of the collected access record data between the DNS application and the private network to be tested, the following is obtained:
P(X) = 0.73; P(X = in) = 0.03; P(X) = 0.24
The information entropy for the private network to be tested being credible is then calculated as:
$H(Y/X) = P(X = \text{out}) \cdot H(Y/X = \text{out}) + P(X = \text{in}) \cdot H(Y/X = \text{in}) = 0.40$
Step S5: and determining the credibility result of the special network to be tested according to the relation between the information entropy and the credibility measured value.
In one embodiment, for a proprietary private local area network, the necessary condition for the credibility measurement result to be credible is that the following definition is satisfied: the network has a DNS recursive domain name server that is customizable, manageable, controllable, perceivable and traceable, can achieve logical isolation while remaining interconnected, and serves as an indispensable complementary increment to network security defense. The sufficient condition is that the information entropy of the access record data is smaller than the reliability measurement value of the private network to be tested. In the embodiment of the invention, the relationship between the information entropy of the access record data and the reliability measurement value of the private network to be tested is therefore judged in order to determine the credibility measurement result of the private network to be tested.
Specifically, whether the information entropy is smaller than the reliability measurement value is judged; and when the information entropy is smaller than the reliability measuring value, determining that the reliability measuring result of the special network to be measured is credible. And when the information entropy is not less than the credibility measured value, determining that the credibility result of the special network to be measured is not credible.
In the embodiment of the present invention, the information entropy H (Y/X) of the access log data is 0.40, and 0.40 > 0.30, so that the result of the confidence measure of the private network to be tested is not trusted and is in an uncontrollable state. It should be noted that this assumption is only a necessary boundary condition for "confidence".
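A worked implementation of steps S2 to S5 over constructed DNS access records (an added example, not the patent's own code): H(X) is computed from the path-node distribution as in the formula above, H(Y/X) as the probability-weighted sum of the per-node conditional entropies shown in the numerical example, and the strict comparison of step S5 decides the result. The node classes "in", "out", "cache", the outcome labels and the record sets are assumptions; the boundary-based example with T = [0.5, 1] is not reproduced.

```python
from collections import Counter, defaultdict
from math import log2

# Constructed DNS access records (not from the patent). Each record pairs a
# request with its response: `node` is the path node the decision path assigns
# to the record (here: which resolver answered), `outcome` is the response class
# the private network's policy assigns to it. All labels are assumptions.
RECORDS_BASELINE = [
    {"qname": "scada.plant.local", "node": "in", "outcome": "credible"},
    {"qname": "hmi.plant.local", "node": "in", "outcome": "credible"},
    {"qname": "historian.plant.local", "node": "in", "outcome": "credible"},
    {"qname": "ntp.plant.local", "node": "in", "outcome": "credible"},
    {"qname": "update.vendor.example", "node": "out", "outcome": "credible"},
    {"qname": "cdn.unknown.example", "node": "out", "outcome": "uncredible"},
    {"qname": "scada.plant.local", "node": "cache", "outcome": "credible"},
    {"qname": "hmi.plant.local", "node": "cache", "outcome": "credible"},
]

# Constructed drift scenario: every query is forwarded to an external resolver
# and half of the answers fail the policy check.
RECORDS_DRIFT = [
    {"qname": f"host{i}.unknown.example", "node": "out",
     "outcome": "credible" if i % 2 == 0 else "uncredible"}
    for i in range(8)
]


def build_decision_paths(records):
    """Step S2: one (request path node, response class) decision path per record."""
    return [(r["node"], r["outcome"]) for r in records]


def node_distribution(paths):
    """Step S3, part 1: P(X = x_i) = p_i over the path nodes of all decision paths."""
    counts = Counter(node for node, _ in paths)
    total = len(paths)
    return {node: c / total for node, c in counts.items()}


def entropy(dist):
    """Shannon entropy in bits; the log base only rescales both sides of the comparison."""
    return -sum(p * log2(p) for p in dist.values() if p > 0)


def credibility_measure(paths):
    """Step S3, part 2: H(X) = -sum_i p_i log p_i."""
    return entropy(node_distribution(paths))


def information_entropy(paths):
    """Step S4: H(Y/X) = sum_i p_i * H(Y / X = x_i)."""
    outcomes_by_node = defaultdict(list)
    for node, outcome in paths:
        outcomes_by_node[node].append(outcome)
    total = len(paths)
    h = 0.0
    for outcomes in outcomes_by_node.values():
        p_i = len(outcomes) / total
        cond = Counter(outcomes)
        h += p_i * entropy({k: c / len(outcomes) for k, c in cond.items()})
    return h


def measure_credibility(records):
    """Steps S2 to S5: returns (H(X), H(Y/X), credible?)."""
    paths = build_decision_paths(records)
    h_x = credibility_measure(paths)
    h_yx = information_entropy(paths)
    # Step S5: credible only when the remaining uncertainty about the response
    # class is strictly smaller than the reliability measurement value.
    return h_x, h_yx, h_yx < h_x


if __name__ == "__main__":
    for name, recs in (("baseline", RECORDS_BASELINE), ("drift", RECORDS_DRIFT)):
        h_x, h_yx, ok = measure_credibility(recs)
        print(f"{name}: H(X)={h_x:.3f} H(Y/X)={h_yx:.3f} credible={ok}")
```

In the drift set a single path node gives H(X) = 0, so any uncertainty in the response class makes the network not credible, which is the degenerate case the strict comparison catches.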
The credibility measuring method of the private network provided by the invention comprises the steps of obtaining access record data between the DNS application and the private network to be tested; establishing a decision path of the request and response corresponding to each access record according to the access record data; determining the reliability measurement value of the private network to be tested according to the access record data; calculating the information entropy of the access record data according to the access record data and each decision path; and determining the credibility result of the private network to be tested according to the relationship between the information entropy and the reliability measurement value. By establishing a request and response decision path corresponding to each access record, the learning method and algorithm of a decision tree are determined, which improves the generalization capability and the ability to handle unseen examples for the private network to be tested. The credibility result of the private network to be tested is determined by judging the relationship between the information entropy and the reliability measurement value; the credibility result can serve as the reliable credibility of the private network to be tested, and the information entropy serves as the credibility reference for judging whether the private network is credible, so that the potential network security hazards caused by abuse and misuse of DNS recursive domain name service are avoided and secure communication of the private network is ensured. Applying the credibility method of the private network helps improve the ability to extend to unknown cases, strengthens situational awareness based on the network boundary, and strengthens the protection of network and information security.
By building a private network centred on normal-state monitoring of DNS applications, the method can have a positive effect on the security defense of the network and on adapting to the development of the Internet.
An embodiment of the present invention further provides a system for measuring the trustworthiness of a private network, as shown in fig. 8, where the system includes:
the acquisition module 1 is used for acquiring access record data between the DNS application and the special network to be tested. For details, refer to the related description of step S1 in the above method embodiment, and are not described herein again.
And the building module 2 is used for building a decision path of a request and a response corresponding to each access record according to the access record data. For details, refer to the related description of step S2 in the above method embodiment, and are not described herein again.
And the first calculation module 3 is used for determining the credibility measuring value of the special network to be measured according to the access record data. For details, refer to the related description of step S3 in the above method embodiment, and are not described herein again.
And the second calculation module 4 is used for calculating the information entropy of the access record data according to the access record data and each decision path. For details, refer to the related description of step S4 in the above method embodiment, and are not described herein again.
And the judging module 5 is used for determining the credibility result of the special network to be tested according to the relationship between the information entropy and the credibility measuring value. For details, refer to the related description of step S5 in the above method embodiment, and are not described herein again.
The credibility measuring system of the private network provided by the invention uses the credibility measuring method of the private network to obtain access record data between the DNS application and the private network to be tested; establish a decision path of the request and response corresponding to each access record according to the access record data; determine the reliability measurement value of the private network to be tested according to the access record data; calculate the information entropy of the access record data according to the access record data and each decision path; and determine the credibility result of the private network to be tested according to the relationship between the information entropy and the reliability measurement value. By establishing a request and response decision path corresponding to each access record, the learning method and algorithm of a decision tree are determined, which improves the generalization capability and the ability to handle unseen examples for the private network to be tested. The credibility result of the private network to be tested is determined by judging the relationship between the information entropy and the reliability measurement value; the credibility result can serve as the reliable credibility of the private network to be tested, and the information entropy serves as the credibility reference for judging whether the private network is credible, so that the potential network security hazards caused by abuse and misuse of DNS recursive domain name service are avoided and secure communication of the private network is ensured. Applying the credibility method of the private network helps improve the ability to extend to unknown cases, strengthens situational awareness based on the network boundary, and strengthens the protection of network and information security. By building a private network centred on normal-state monitoring of DNS applications, the system can have a positive effect on the security defense of the network and on adapting to the development of the Internet.
An embodiment of the present invention provides a computer device, as shown in fig. 9, the device may include a processor 61 and a memory 62, where the processor 61 and the memory 62 may be connected through a bus or in other ways, and fig. 9 takes the connection through the bus as an example.
Processor 61 may be a Central Processing Unit (CPU). The Processor 61 may also be other general purpose processors, Digital Signal Processors (DSPs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs) or other Programmable logic devices, discrete Gate or transistor logic devices, discrete hardware components, or any combination thereof.
The memory 62, which is a non-transitory computer-readable storage medium, may be used to store non-transitory software programs, non-transitory computer-executable programs, and modules, such as the corresponding program instructions/modules in the embodiments of the present invention. The processor 61 executes various functional applications and data processing of the processor by running non-transitory software programs, instructions and modules stored in the memory 62, namely, the method for measuring the trustworthiness of the private network in the above method embodiment.
The memory 62 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created by the processor 61, and the like. Further, the memory 62 may include high speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory 62 may optionally include memory located remotely from the processor 61, and these remote memories may be connected to the processor 61 via a network. Examples of such networks include, but are not limited to, the internet, intranets, mobile communication networks, and combinations thereof.
One or more modules are stored in memory 62 and, when executed by processor 61, perform the method for trustworthiness measurement of a private network as in the embodiments of fig. 1-7.
The details of the computer device can be understood by referring to the corresponding descriptions and effects in the embodiments shown in fig. 1 to 7, and are not described herein again.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program that can be stored in a computer-readable storage medium and that when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic Disk, an optical Disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a Flash Memory (Flash Memory), a Hard Disk (Hard Disk Drive, abbreviated as HDD) or a Solid State Drive (SSD), etc.; the storage medium may also comprise a combination of memories of the kind described above.
It should be understood that the above examples are only for clarity of illustration and are not intended to limit the embodiments. Other variations and modifications will be apparent to persons skilled in the art in light of the above description. The description need not be, and cannot be, exhaustive of all embodiments, and obvious variations or modifications of the invention may be made without departing from its scope.

Claims (7)

1. A method for measuring trustworthiness of a private network, comprising:
acquiring access record data between the DNS application and a special network to be tested;
establishing a decision path of a request and a response corresponding to each access record according to the access record data;
determining a reliability measuring value of the special network to be measured according to the access record data;
calculating the information entropy of the access record data according to the access record data and each decision path;
determining a credibility result of the special network to be tested according to the relation between the information entropy and the credibility measuring value;
the determining the reliability measurement value of the private network to be tested according to the access record data includes:
determining the probability distribution of all path nodes in the access record data according to the access record data;
calculating the confidence measure according to the probability distribution;
the calculation formula of the reliability measurement value is as follows:
$$H(X) = -\sum_{i=1}^{n} p_i \log p_i$$
where H(X) represents the reliability measurement value, X represents the set of path nodes on all decision paths in the access record data, n represents the number of path nodes in the set X, and $p_i$ represents the probability of the i-th path node on the decision path, i and n being positive integers;
the calculation formula of the information entropy is as follows:
$$H(Y/X) = \sum_{i=1}^{n} p_i \, H(Y/X = x_i)$$
where H(Y/X) represents the information entropy, X represents the set of path nodes on all decision paths in the access record data, $H(Y/X = x_i)$ represents the uncertainty of the set Y of path nodes on the decision path under the condition that path node $x_i$ on the decision path is known, n represents the number of path nodes in the set X, and $p_i$ represents the probability of path node $x_i$ on all decision paths, i and n being positive integers.
2. The method for measuring the credibility of the private network according to claim 1, wherein the establishing a decision path of a request and a response corresponding to each access record according to the access record data comprises:
acquiring the record data corresponding to the access record from the access record data;
determining path nodes according to the recorded data;
and establishing the decision path according to each path node.
3. The method according to claim 1, wherein the determining the reliability measurement result of the private network to be tested according to the relationship between the information entropy and the reliability measurement value comprises:
judging whether the information entropy is smaller than the reliability measuring value or not;
and when the information entropy is smaller than the reliability measuring value, determining that the reliability measuring result of the special network to be measured is credible.
4. The method for trustworthiness measurement of private network of claim 3, further comprising:
and when the information entropy is not less than the reliability measuring value, determining that the reliability measuring result of the special network to be measured is not credible.
5. A system for trustworthiness measurement of a private network, comprising:
the acquisition module is used for acquiring access record data between the DNS application and the special network to be tested;
the construction module is used for establishing a decision path of a request and a response corresponding to each access record according to the access record data;
the first calculation module is used for determining the reliability measurement value of the private network to be tested according to the access record data;
the second calculation module is used for calculating the information entropy of the access record data according to the access record data and each decision path;
the judging module is used for determining a credibility measurement result of the special network to be measured according to the relationship between the information entropy and the credibility measurement value;
the determining the reliability measurement value of the private network to be tested according to the access record data includes:
determining probability distribution of all path nodes in the access record data according to the access record data;
calculating the reliability measure value according to the probability distribution;
the calculation formula of the reliability measurement value is as follows:
$$H(X) = -\sum_{i=1}^{n} p_i \log p_i$$
where H(X) represents the reliability measurement value, X represents the set of path nodes on all decision paths in the access record data, n represents the number of path nodes in the set X, and $p_i$ represents the probability of the i-th path node on the decision path, i and n being positive integers;
the calculation formula of the information entropy is as follows:
$$H(Y/X) = \sum_{i=1}^{n} p_i \, H(Y/X = x_i)$$
where H(Y/X) represents the information entropy, X represents the set of path nodes on all decision paths in the access record data, $H(Y/X = x_i)$ represents the uncertainty of the set Y of path nodes on the decision path under the condition that path node $x_i$ on the decision path is known, n represents the number of path nodes in the set X, and $p_i$ represents the probability of path node $x_i$ on all decision paths, i and n being positive integers.
6. A computer-readable storage medium storing computer instructions for causing a computer to execute the method for trustworthiness measurement of a private network of any of claims 1-4.
7. A computer device, comprising: a memory and a processor, the memory and the processor being communicatively connected to each other, the memory storing computer instructions, the processor executing the computer instructions to perform the method for trustworthiness measurement of a private network according to any of claims 1-4.
CN202010582657.9A 2020-06-23 2020-06-23 Credibility measuring method and system for private network Active CN111756731B (en)
Publications (2)

Publication Number Publication Date
CN111756731A CN111756731A (en) 2020-10-09
CN111756731B true CN111756731B (en) 2022-06-28

Family

ID=72676910
Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant