CN112436957B - PDRR network security guarantee model parallel implementation system based on cloud computing - Google Patents


Info

Publication number: CN112436957B
Application number: CN202011206792.XA
Authority: CN (China)
Prior art keywords: layer, computing, pdrr, detection, data
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN112436957A
Inventors: 戚建淮, 郑伟范, 刘建辉, 唐娟, 宋晶, 彭华, 孙秋明
Current assignee: Shenzhen Y&D Electronics Information Co Ltd
Original assignee: Shenzhen Y&D Electronics Information Co Ltd
Application filed by Shenzhen Y&D Electronics Information Co Ltd
Priority to CN202011206792.XA
Publication of CN112436957A
Application granted
Publication of CN112436957B

Classifications

    • H04L 63/1441: Countermeasures against malicious traffic (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 Detecting or protecting against malicious traffic)
    • H04L 41/044: Network management architectures or arrangements comprising hierarchical management structures (H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks > H04L 41/04 Network management architectures or arrangements)
    • H04L 41/145: Network analysis or design involving simulating, designing, planning or modelling of a network (H04L 41/00 > H04L 41/14 Network analysis or design)
    • H04L 63/20: Network architectures or network communication protocols for managing network security; network security policies in general (H04L 63/00)
    • Y02D 30/50: Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate (Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS > Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE > Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE > Y02D 30/00 Reducing energy consumption in communication networks)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a system for implementing the PDRR network security guarantee model in parallel on a cloud computing platform. The PDRR security model comprises a protection layer, a detection layer, a response layer and a recovery layer. The protection layer receives data packets, preprocesses them and distributes them to the detection layer; the detection layer runs one or more detections on each packet according to the detection configuration and produces a detection result; the response layer executes the corresponding protective action according to the detection result and the protection policy, and also configures the protection, detection and recovery layers; the recovery layer executes recovery processing for detected anomalies according to its configuration. The PDRR security model is deployed within a cloud computing architecture, which provides computing support for the PDRR model through a brain-like computing platform. The claimed benefits are that a PDRR-based network security model is realized, data and network resources are protected comprehensively, and the availability, confidentiality, integrity, authenticity and non-repudiation objectives of the information system are met.

Description

PDRR network security guarantee model parallel implementation system based on cloud computing
Technical Field
The invention relates to the field of computer security, in particular to a cloud computing-based PDRR network security guarantee model parallel implementation system.
Background
With the continued development of computer and network technology, informatization at home and abroad has advanced rapidly, and the information systems of e-commerce and of large and medium-sized enterprises have become broader in scope and more complex. Networked information systems bring convenience and speed, but information security has become a central problem in their development: security must be guaranteed for computation and operation, for data maintenance and for operational continuity. Among computer network security technologies, firewall technology is the most widely used product for defending against network attacks.
A network firewall is a dedicated network interconnection device that enforces access control between networks and prevents users of an external network from entering the internal network by illegitimate means, accessing internal resources or disturbing the internal operating environment. It inspects the packets exchanged between two or more networks according to a security policy, decides whether communication between the networks is permitted, and monitors the operational state of the network. Compared with other computer network security technologies, firewalls have two clear advantages. First, through filtering, proxy, detection and protocol technologies they can actively identify attack paths and patterns within constantly changing attack behaviour, judge the nature of an attack and provide an effective protective measure. Second, a firewall can quickly detect dangerous attack activity, prevent the network from being compromised in a short time, and maintain the security and overall performance of the computer network.
Firewalls have developed through five generations: first-generation software firewalls, second-generation hardware firewalls, third-generation ASIC firewalls, fourth-generation UTM firewalls and fifth-generation cloud firewalls based on Web 2.0. The fifth-generation cloud firewall is an active, dynamic protection system with the following characteristics: 1) security policies are updated dynamically from a cloud data center; 2) reputation associations are built using an IPS module; 3) mobile secure access to the virtual cloud is provided, that is, remote access over the SSL (Secure Sockets Layer) protocol; 4) NetFlow is supported for monitoring traffic inside the cloud. Compared with the four earlier generations, the cloud firewall therefore combines the elasticity, resource pooling, on-demand service and ubiquitous access of a cloud computing platform; it is highly available, cross-platform and highly scalable, and has clear advantages in deployment, operation and maintenance, virus prevention, DDoS resistance and traffic access.
However, with the growth of big data, the Internet of Things and the mobile Internet, the services a firewall must handle are increasing rapidly, and the fifth-generation cloud firewall still faces two problems. First, when confronted with strongly dynamic, complex and covert Web 2.0 attack behaviour, its security operation and maintenance mechanism is incomplete and its model is simple: a firewall that focuses only on defence still needs better capability to protect data and network resources comprehensively. Second, as network information systems become more complex and the content to be maintained grows, the firewall cloud product suffers from low computational efficiency. An architecture capable of supporting massive computation is therefore needed: a more complete protection model to secure the computer network, and enough computing power to complete large volumes of work efficiently, so that big-data analysis tasks such as data detection, policy control and route forwarding are performed in real time and the overall security needs of large, complex systems in a modern cloud computing environment are met.
Disclosure of Invention
The invention aims to solve at least one of the above problems by providing a cloud-computing-based parallel implementation system for the PDRR network security guarantee model. It realizes a PDRR-based network security model, protects data and network resources comprehensively, and achieves the availability, confidentiality, integrity, authenticity and non-repudiation objectives of an information system.
The technical scheme of the invention is a cloud-computing-based parallel implementation system for the PDRR network security guarantee model, comprising a PDRR security model, characterized in that the PDRR security model comprises a protection layer, a detection layer, a response layer and a recovery layer. The protection layer receives data packets, preprocesses them and distributes them to the detection layer. The detection layer performs one or more detections on each packet according to the detection configuration to obtain a detection result. The response layer executes the corresponding protective processing according to the detection result and the protection policy, and also configures the protection layer, the detection layer and the recovery layer. The recovery layer executes recovery processing for detected anomalies according to its configuration. The PDRR security model is deployed in a cloud computing architecture, and the cloud computing architecture provides computational support for the PDRR model through a brain-like computing platform.
In this system, the protection layer collects data packets, assembles them into a number of sub-packets, decodes each sub-packet according to the protocol model, obtains protocol and payload information, assigns the corresponding computation flow, TCP session management, TCP reassembly and application-layer data parsing to each sub-packet, and forwards the sub-packets to the detection layer once decoding is complete.
In this system, the detection layer splits the data flow in parallel through an SDN manager (controller) and carries out intrusion detection, integrity detection, vulnerability detection, attack-behaviour detection, traffic analysis and whitelist detection in turn, using the configured security rule base and security policy base as the basis for detection.
In this system, the response layer, after the detection layer has finished, performs intrusion prevention and blocking against the data source in which an anomaly was detected, simultaneously links with the recovery layer and starts the security policy to reset and intercept, and further configures the parameters, policies and rules of the protection, detection and recovery layers and reviews security events and log information.
In this system, the recovery layer performs the corresponding data backup, data recovery and system recovery processing according to the configured security policy when a packet is detected as anomalous.
In this system, the recovery layer may also call a third-party interface to perform the corresponding data backup, data recovery and system recovery processing.
In this system, the brain-like computing platform comprises brain-like master control nodes, a hierarchical, tiered fully switched network, and a distributed computing cluster. The master control nodes comprise basic parallel brain-neuron computing units based on a stable Hopfield neural network structure without self-feedback, and execute brain-like computation and cluster management; the brain-like computation includes classification, clustering, sorting and searching, and the cluster management includes login management, task scheduling, node management and network management. The hierarchical fully switched network is configured as an SDN network through which the PDRR security model interacts with the brain-like computing platform. The computing cluster comprises several computing-node clusters, each comprising several computing nodes, and each computing node computes on the sample data.
In this system, the hierarchical fully switched network collects the weight vectors computed by the computing nodes, assembles a weight matrix, and predicts on sample data through the weight matrix.
In this system, the computing nodes treat the computation of the sample data in three ways: where it is a known linear computation problem, linear modelling is used; where the computation is unknown, training and final computation are carried out by machine-learning modelling; and where the data are incomplete or the modelling precision is inadequate, exhaustive modelling is used for traversal computation.
In this system, the cloud computing architecture provides: dynamic scheduling, that is, allocating resources dynamically according to the size of the workload; resource sharing, that is, building a resource pool and sharing resources through it; and a firewall cloud that, from the behavioural big data of the business patterns in the protected network system, trains and models a mandatory-access-control business operation process based on fine-grained role permissions, and releases, intercepts or raises an alarm on each incoming data item through the PDRR security model.
The beneficial effects of the invention are as follows. A PDRR security guarantee model is realized through a cloud defence system, and the traditional, single, passive idea of security defence is improved by applying the PDRR model on the firewall cloud. The brain-like computing platform architecture supports the parallel realization of the PDRR model, provides computing power for the cloud computing architecture, and guarantees the real-time performance of big-data analysis tasks.
Drawings
The invention is further described below with reference to the accompanying drawings and embodiments.
FIG. 1 is a block diagram of an overall system according to an embodiment of the present invention.
Fig. 2 shows a first embodiment according to the present invention.
Fig. 3 is a schematic diagram of a computing node according to a first embodiment of the present invention.
Detailed Description
Reference will now be made in detail to the present preferred embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like reference numerals refer to like elements throughout.
In the description of the invention, "several" means one or more and "a plurality" means two or more; "greater than", "less than" and "exceeding" are understood to exclude the stated number, while "above", "below" and "within" are understood to include it.
In the description of the invention, consecutive numbering of method steps is for convenience of examination and understanding; the order in which the steps are carried out may be adjusted, taking the technical scheme as a whole and the logical relationship between the steps into account, without affecting the technical effect achieved.
FIG. 1 is a block diagram of the overall system according to an embodiment of the invention. As shown in FIG. 1, the system includes a PDRR security model comprising a protection layer, a detection layer, a response layer and a recovery layer. The protection layer receives data packets, preprocesses them and distributes them to the detection layer; the detection layer performs one or more detections on each packet according to the detection configuration to obtain a detection result; the response layer executes the corresponding protective processing according to the detection result and the protection policy, and also configures the protection, detection and recovery layers; the recovery layer executes recovery processing for detected anomalies according to its configuration. The PDRR security model is deployed in a cloud computing architecture, and the cloud computing architecture provides computing support for the PDRR model through a brain-like computing platform.
Fig. 2 shows a first embodiment of the invention, with the following specific parts:
(1) PDRR security guarantee framework of the firewall cloud product
The PDRR architecture of the firewall cloud product consists of a protection layer, a detection layer, a response layer and a recovery layer.
Protection layer: includes encryption mechanisms, digital signature mechanisms, access control, authentication mechanisms, information hiding, firewall technology and so on. It collects network packets, assembles them into sub-packets, decodes each according to the protocol model (data link layer, network layer, transport layer and application layer), obtains protocol and payload information, performs traffic distribution, TCP session management, TCP reassembly and application-layer data parsing, and passes the decoded sub-packets to each detection sub-module.
Detection layer: the data flow is distributed in parallel by an SDN manager (controller) to an intrusion detection sub-module, an integrity detection sub-module, a vulnerability detection sub-module, an attack-behaviour detection sub-module, a traffic analysis sub-module and a whitelist detection sub-module for comprehensive detection, with the configured security rule base and security policy base as the basis for detection.
Response layer: provides emergency policies, emergency mechanisms, emergency means, intrusion process analysis, security state assessment and so on. After the sub-modules have completed comprehensive detection, it performs intrusion prevention and blocking against any data source in which an anomaly was detected, links with the other security components to work cooperatively, and starts the security policy to reset and intercept. It also configures the parameters, policies and rules of each security sub-system and reviews security events and log information.
Recovery layer: when an anomaly is detected, performs data backup, data recovery and system recovery according to the configured security policy, and also supports recovery through a third-party interface.
The PDRR architecture improves on the traditional single-minded defence idea that attends only to protection, and emphasizes the four key links of information security guarantee: protection, detection, response and recovery.
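The four-layer pipeline described in the Disclosure and in section (1) above can be sketched in code. The following Python block is an added example written for this page, not the patent's or the assignee's code: it models the protection layer as a decoder of constructed "src|dport|payload" records, runs three hypothetical detectors (signature, rate and configuration integrity) in parallel as the detection layer, maps findings to actions through a hypothetical policy base in the response layer, and restores a protected configuration from backup in the recovery layer. The rule base, the policy base, the thresholds and the sample traffic are all constructed for illustration.

```python
"""Added example: a toy PDRR pipeline (protect -> detect in parallel -> respond
-> recover) over constructed packet records. Not the patent's code; the rule
base, policy base, record format, thresholds and traffic are hypothetical."""
import hashlib
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass, field

# Hypothetical security rule base and security policy base.
SIGNATURE_RULES = {"sqli": "' OR 1=1", "shell": "/bin/sh"}
ALLOWLIST = {"10.0.0.5"}          # trusted sources bypass the detectors
RATE_LIMIT = 3                    # max packets per source in one batch
SECURITY_POLICY = {"intrusion": "block", "flood": "block", "tamper": "recover"}


def config_digest(cfg: dict) -> str:
    """Hash of a configuration, used as the integrity baseline."""
    return hashlib.sha256(repr(sorted(cfg.items())).encode()).hexdigest()


@dataclass
class State:
    """Shared state that the four layers read and write."""
    blocklist: set = field(default_factory=set)
    seen: dict = field(default_factory=dict)          # src -> packet count
    config: dict = field(default_factory=lambda: {"mode": "strict"})
    backup: dict = field(default_factory=lambda: {"mode": "strict"})
    baseline: str = ""                                 # known-good config hash

    def __post_init__(self):
        self.baseline = config_digest(self.config)


def protect_decode(raw: str) -> dict:
    """Protection layer: decode one constructed 'src|dport|payload' record."""
    src, dport, payload = raw.split("|", 2)
    return {"src": src, "dport": int(dport), "payload": payload}


# Detection layer: each detector returns a list of (kind, detail) findings.
def detect_signature(pkt, st):
    return [("intrusion", f"rule {name}")
            for name, sig in SIGNATURE_RULES.items() if sig in pkt["payload"]]


def detect_rate(pkt, st):
    return [("flood", "rate limit")] if st.seen[pkt["src"]] > RATE_LIMIT else []


def detect_integrity(pkt, st):
    """Integrity check of the protected configuration against its baseline."""
    if config_digest(st.config) == st.baseline:
        return []
    return [("tamper", "config hash mismatch")]


DETECTORS = [detect_signature, detect_rate, detect_integrity]


def recover(st: State):
    """Recovery layer: restore the protected configuration from backup."""
    st.config = dict(st.backup)


def respond(pkt, findings, st):
    """Response layer: map findings to actions through the policy base."""
    actions = []
    for kind, _ in findings:
        action = SECURITY_POLICY.get(kind, "alert")
        if action == "block":
            st.blocklist.add(pkt["src"])
        elif action == "recover":
            recover(st)
        actions.append(action)
    return actions or ["pass"]


def process(raw: str, st: State) -> dict:
    pkt = protect_decode(raw)
    if pkt["src"] in st.blocklist:                 # already blocked upstream
        return {"pkt": pkt, "findings": [], "actions": ["drop"]}
    if pkt["src"] in ALLOWLIST:                    # policy choice: trusted source
        return {"pkt": pkt, "findings": [], "actions": ["pass"]}
    st.seen[pkt["src"]] = st.seen.get(pkt["src"], 0) + 1
    with ThreadPoolExecutor(max_workers=len(DETECTORS)) as pool:
        results = list(pool.map(lambda d: d(pkt, st), DETECTORS))
    findings = [f for r in results for f in r]
    return {"pkt": pkt, "findings": findings, "actions": respond(pkt, findings, st)}


def run_batch(records, st=None):
    st = st or State()
    return [process(r, st) for r in records], st


# Constructed sample traffic.
SAMPLE = [
    "10.0.0.5|80|GET /?q=' OR 1=1",              # allowlisted source
    "203.0.113.7|80|GET /login?u=' OR 1=1",      # SQL-injection signature
    "203.0.113.7|80|GET /",                      # from a now-blocked source
] + ["198.51.100.9|22|SSH"] * 5                  # burst over RATE_LIMIT

if __name__ == "__main__":
    for out in run_batch(SAMPLE)[0]:
        print(out["pkt"]["src"], out["findings"], out["actions"])
```

Running the block prints one line per record. The allowlist makes a design choice visible: an allowlisted source bypasses the detectors entirely, so the first record passes although it carries the SQL-injection signature; a deployment would want the whitelist to narrow detection rather than skip it. The integrity detector is what gives the recovery layer something to do: once the protected configuration drifts from its baseline hash, the next packet through the pipeline triggers a restore from backup.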
(2) PDRR security model implemented by cloud defense system
The PDRR network security model is realized on a cloud defence system: the cloud computing architecture and the brain-like computing platform implement the PDRR model in parallel, data and network resources are protected comprehensively, and the availability, confidentiality, integrity, authenticity and non-repudiation objectives of the information system are achieved.
The PDRR model is placed in a cloud computing architecture so as to exploit its advantages. First, services on a cloud computing platform are elastic: resources are allocated dynamically according to the size of the workload, so the PDRR model deployed on the platform can adapt and respond to changes in available resources, avoiding waste of computing and storage resources. Second, the cloud computing architecture supports sharing of a large resource pool, and sharing raises the resource reuse rate. Thanks to the elastic service, resource pooling, on-demand service, metered service and ubiquitous access of a cloud computing architecture, large and medium-sized enterprises using the firewall can automatically adapt to dynamic changes in service load, so that the resources they occupy match service demand and service quality does not degrade through server overload or redundancy. Resources can be shared among different users through virtualization, with applications, data storage and infrastructure allocated automatically according to user demand; users' resource consumption can be monitored and billed according to usage; and the cloud computing service can be reached from any device connected to the Internet at any time and in any place.
The firewall cloud is supported by high-performance advanced computing capability and an adaptive elastic network architecture. A library of normal business patterns is governed by mandatory access control based on fine-grained role permissions; multi-scale pattern recognition provides behaviour audit, evidence collection and data integrity protection, so that network behaviour strongly consistent with the business patterns is executed correctly while deviating unknown applications and anomalous threats are precisely pinned down, markedly reducing security risk. Specifically: the behavioural big data of the business patterns in the protected network system is used to train and model a mandatory-access-control business operation flow based on fine-grained role permissions; in the high-performance connectivity and computing environment supported by SDN/NFV, multi-factor joint diagnosis drives the conformance judgement of network behaviour in the protected system at every scale, forming a workflow-based business trace audit and evidence collection system. All data pass through the trusted firewall cloud before reaching the server: they arrive first at the SDN, which intelligently assigns the data flows to the detection arrays; the detection units at each tier of the firewall cloud cooperate to complete detection, and release, interception, alarm and other measures are taken according to the result.
SDN/NFV decouples security functions from hardware and creates a network computing infrastructure that is perceptible, reconfigurable and dynamically evolvable. On the basis of virtualized security resources and a diversified resource adjustment policy, it integrates the physical platform, communication resources and computing resources with the load and optimizes them globally, supports lossless elastic scaling of services, affinity-based deployment and shortest-path optimization, and makes fault migration and recovery intelligent. The SDN switches support the variability and adaptability of the firewall cloud architecture, building a definable, reconfigurable and evolvable cloud service facility; strong network connectivity, parallelized computing capability and distributed node resources guarantee the real-time performance of big-data analysis such as data detection, decision control and route forwarding, ensure that the required security policies are distributed and executed with maximum efficiency, and allow the system to fit a range of budgets and elastic architectures. Combining the cloud-deployment advantages of a cloud computing architecture with the firewall architecture yields the capability to distribute security services flexibly on demand, that is, to provide the firewall's detection, filtering, access control and other functions as needed.
With the PDRR security model realized on the cloud defence system, network behaviour in large and medium-sized enterprise systems such as electronic transaction systems (for example a railway ticketing system) can be checked for conformance against an on-demand library of normal business patterns across multiple dimensions (user identity, role permissions, application type, transmitted content and so on), so that DDoS attacks are effectively resisted, viruses are guarded against and secure access control is enforced.
(3) Parallel computing support provided by brain-like computing platform for cloud defense system
The hardware architecture of the brain-like computing platform adopts a hypercube structure, a 3U host consists of 3 layers of structures, each layer of 7x7=49 nodes and 147 nodes in total, every 6 adjacent nodes are interconnected and intercommunicated, each layer of 13 expansion ports is connected with 3/4 adjacent nodes of each layer. The software architecture mainly comprises: the method comprises the following steps of OS realization of a computing node, software realization of memory calculation, software realization of OVS (optical virtual system) while computing, and a computing mode scheduling mode oriented to computing tasks.
And a computing node OS: the linux operating system is a multi-user, multi-task and multi-CPU supporting operating system based on POSIX and UNIX. It can run the main UNIX tool software, applications and network protocols. It supports 32-bit and 64-bit hardware. The Unix network-based multi-user network operating system inherits the design idea that the Unix takes the network as the core and has stable performance. The product is customized and cut on the basis of open source linux, provides an operating system environment for the operation of a brain-like parallel computing program, supports related computing systems such as brain-like computing nodes, a management node controller and the like, and supports the installation and the operation of a full-exchange network system.
And (3) realizing memory calculation: and a memory cloud (RAMcloud) mode is adopted to realize high-performance calculation and storage. The information stored in the memory cloud is as persistent as the hard disk, and a failure of a single storage server cannot cause data loss and even a few seconds of service unavailability. RAMCloud stores all data in DRAM, with performance 100-1000 times higher than the current highest performance hard disk storage systems. In terms of access delay, a process running in the application server of RAMCloud only needs 5-10 μ s to read hundreds of bytes of data from the storage server in the same data center through the network, while the actual system generally takes 0.5-10 ms at present, depending on whether the data is in the server memory cache or the hard disk. Moreover, a multi-core storage server may service at least 100 million small read requests per second. While the same machine in a hard disk system can only service 1000-10000 requests per second. RAMCloud's latency is 5-10 microseconds, which is 1000 times faster than a traditional disk and around 5 times faster than flash memory. RAMCloud is characterized as follows: general storage system, all data in memory (no cache invalidation), persistence and availability, scalability (1000 + servers,32-64GB DRAM/server,100+ TB), low latency (5-10 us remote access), high throughput (1M ops/sec/server).
Brain-like computer system logical architecture: the system adopts a parallel computing hypercube architecture system integrating computation, storage and communication. The method is characterized in that a basic parallel type brain neuron computing unit is realized based on a stable Hopfield neural network structure without self-feedback, a fully-meshed decentralized advanced computing system is realized under the support of a perpetual customized operating system, an SDN fully-switched network and a big data elastic storage network, super computing capacity is achieved, elastic expansion of computing nodes and resources is supported, deployment and installation are convenient, and computing support is provided for a cloud defense system. Based on the stability of a weighting coefficient symmetric Hopfield neural network without self-feedback and the storage characteristics of a steady-state space attractor of the neural network, the calculation and storage integration is realized on each neural network node by taking the structure of the Hopfield neural network as reference, and the calculation and communication integration is realized by combining with an SDN full-switched network.
Brain-like computer system physical architecture: the physical architecture of the brain-like platform consists mainly of six computing (or network) functional modules: a management node, a login node, compute nodes, a switching function, an I/O (input/output) and storage module, and acceleration nodes in a CPU + accelerator heterogeneous configuration. Each node module runs on a complete custom operating system together with management and control middleware, and supports system images and high availability.
Parallel scheduling strategy for computing modes (tasks): the management and control node connects to the compute nodes and sends and receives data. It distributes computation tasks and manages the results; each compute node processes its task and obtains its result by independent parallel computation. Following the structure of the neural network, the control node schedules, distributes and aggregates the parallel weight computation: every compute node uses all of the sample data, and each node computes one row of weights, i.e. one weight vector. When all compute nodes have finished, the control node collects their weight vectors and assembles them into the weight matrix. The weight matrix is then used for pattern prediction on a test sample, i.e. to determine the category to which the test sample belongs.
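The stable Hopfield structure described under the logical architecture (symmetric weights, no self-feedback, patterns stored as attractors) and the row-per-node weight computation just described can be shown together in one small program. This is an added example, not code from the patent: threads stand in for the patent's compute nodes and control node, the two sample patterns are constructed, and Hebbian learning with asynchronous updates is assumed as the learning and recall rule because the page does not specify one.

```python
"""Row-parallel Hopfield weight computation and attractor recall.

Added illustration, not the patent's code. Assumptions: bipolar (+1/-1) sample
patterns, Hebbian learning, asynchronous updates; threads stand in for the
patent's compute nodes and the control node.
"""
from concurrent.futures import ThreadPoolExecutor
from functools import partial

import numpy as np


def weight_row(i, samples):
    """Compute node i: row i of W from *all* samples (Hebbian rule).

    W[i][j] = (1/P) * sum_p x_p[i] * x_p[j]; W[i][i] is forced to 0 so the
    unit has no self-feedback.
    """
    X = np.asarray(samples, dtype=float)  # shape (P, n)
    row = X[:, i] @ X / X.shape[0]
    row[i] = 0.0
    return row


def build_weight_matrix(samples, workers=4):
    """Control node: hand one row to each worker, then stack the returned
    weight vectors into the n x n weight matrix."""
    n = len(samples[0])
    with ThreadPoolExecutor(max_workers=workers) as pool:
        rows = list(pool.map(partial(weight_row, samples=samples), range(n)))
    return np.vstack(rows)


def is_valid_hopfield(W):
    """Stability precondition: symmetric weights and a zero diagonal."""
    return bool(np.allclose(W, W.T) and np.all(np.diag(W) == 0))


def energy(W, s):
    """Hopfield energy E = -1/2 s^T W s; it never increases under recall()."""
    return float(-0.5 * s @ W @ s)


def recall(W, probe, max_sweeps=50, seed=0):
    """Asynchronous updates in random order until no unit changes.

    Returns the settled state (an attractor) and the energy after each sweep.
    """
    rng = np.random.default_rng(seed)
    s = np.asarray(probe, dtype=float).copy()
    energies = [energy(W, s)]
    for _ in range(max_sweeps):
        changed = False
        for i in rng.permutation(len(s)):
            new = 1.0 if W[i] @ s >= 0 else -1.0
            if new != s[i]:
                s[i] = new
                changed = True
        energies.append(energy(W, s))
        if not changed:
            break
    return s, energies


def classify(W, samples, probe):
    """Predict a test sample's class: settle into an attractor, then pick the
    stored pattern closest in Hamming distance."""
    settled, energies = recall(W, probe)
    dists = [int(np.sum(settled != np.asarray(p, dtype=float))) for p in samples]
    return int(np.argmin(dists)), settled, energies


# Constructed sample data: two orthogonal 16-unit bipolar patterns.
PATTERNS = [
    [1] * 8 + [-1] * 8,  # class 0
    [1, -1] * 8,         # class 1
]


def corrupt(pattern, positions):
    """Flip the given positions of a stored pattern (a noisy test sample)."""
    s = list(pattern)
    for p in positions:
        s[p] = -s[p]
    return s


if __name__ == "__main__":
    W = build_weight_matrix(PATTERNS)
    print("valid Hopfield structure:", is_valid_hopfield(W))
    for label, probe in enumerate([corrupt(PATTERNS[0], [0, 1]), corrupt(PATTERNS[1], [3])]):
        cls, settled, energies = classify(W, PATTERNS, probe)
        print(f"probe from class {label} -> predicted {cls}, energies {energies}")
```

Because the assembled W is symmetric with a zero diagonal, every asynchronous update either lowers the energy or leaves it unchanged, so recall always stops at a fixed point; the two probes (stored patterns with two bits and one bit flipped) each settle back onto their stored pattern, which is the category prediction described above.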
Fig. 3 is a schematic diagram of a computing node according to the first embodiment of the present invention. The general computing approach of a computing node is as follows (see Fig. 3): a complex nonlinear computation is decomposed, through a deeply structured computing mode, into a combination or integration of linear computations; the linear computations are carried out first, in linear space, and are then combined by a chosen combination and integration method into the overall computation. For known linear computation problems, linear modeling is used; for unknown computation modes, a machine-learning model is trained and then used for the final computation; where the data is incomplete or the modeling precision is insufficient, exhaustive modeling is used to traverse the space. Linear modeling, machine-learning modeling and exhaustive-set modeling together cover the whole computation space.
The embodiments of the present invention have been described in detail with reference to the accompanying drawings, but the invention is not limited to these embodiments; various changes can be made within the knowledge of those skilled in the art without departing from the gist of the invention.

Claims (8)

1. A PDRR network security guarantee model parallel implementation system based on cloud computing, comprising a PDRR security model and a cloud computing architecture, characterized in that:
the PDRR security model comprises a protection layer, a detection layer, a response layer and a recovery layer;
the protection layer is used for receiving data packets, preprocessing them and distributing them to the detection layer;
the detection layer is used for performing one or more detections on the data packets according to the detection configuration to obtain a detection result;
the response layer is used for executing the corresponding protection processing according to the detection result and the protection strategy, and also for configuring the protection layer, the detection layer and the recovery layer;
the recovery layer is used for executing recovery processing for detected anomalies according to its configuration;
the PDRR security model is deployed in the cloud computing architecture, and the cloud computing architecture provides computing support for the PDRR security model through a brain-like computing platform;
the recovery layer is used for performing the corresponding data backup, data recovery and system recovery processing according to the configured security strategy when a data packet is detected to be anomalous;
the brain-like computing platform comprises brain-like master control nodes and a hierarchical, tiered, fully-switched-network distributed computing cluster; the brain-like master control nodes comprise a basic parallel brain-like neuron computing unit based on a stable Hopfield neural network structure without self-feedback and are used for executing brain-like computing and cluster management, where brain-like computing comprises classification, clustering, sorting and searching, and cluster management comprises login management, task scheduling, node management and network management; the hierarchical fully-switched network is configured as an SDN network for interaction between the PDRR security model and the brain-like computing platform; and the computing cluster comprises a plurality of computing node clusters, each computing node cluster comprises a plurality of computing nodes, and each computing node is used for computing sample data.
2. The cloud-computing-based PDRR network security guarantee model parallel implementation system of claim 1, wherein the protection layer is used for collecting the data packets, packaging them into a plurality of sub-packets, decoding the sub-packets according to a protocol model, acquiring protocol and payload information, assigning to the sub-packets the corresponding computing flow, TCP session management, TCP reassembly and application-layer data analysis processing, and transmitting the sub-packets to the detection layer after decoding is complete.
3. The cloud-computing-based PDRR network security assurance model parallel implementation system of claim 1, wherein the protection layer is configured to distribute data flows in parallel through an SDN manager, and intrusion detection, integrity detection, vulnerability detection, attack detection, traffic analysis and whitelist detection are performed in sequence, with the configured security rule base and security policy base as the basis for detection.
4. The cloud-computing PDRR network security assurance model parallel implementation system of claim 1, wherein the response layer comprises:
after detection by the protection layer, performing the corresponding intrusion prevention and blocking on the data source in which an anomaly was detected, while linking with the recovery layer, activating a security policy for reset and interception, configuring the parameters, policies and rules of the protection layer, the detection layer and the recovery layer, and viewing security events and log information.
5. The cloud-computing PDRR network security assurance model parallel implementation system of claim 1, wherein the recovery layer further comprises: calling a third-party interface to perform the corresponding data backup, data recovery and system recovery processing.
6. The cloud-computing PDRR network security guarantee model parallel implementation system of claim 1, wherein the hierarchical fully-switched network is configured to collect the weight vectors computed by the computing nodes, construct a weight matrix, and predict sample data through the weight matrix.
7. The cloud-computing PDRR network security assurance model parallel implementation system of claim 1, wherein the computing node comprises:
when the calculation of the sample data is a known linear calculation problem, linear modeling is used for the calculation;
when the calculation of the sample data is an unknown calculation, training and the final calculation are performed by machine-learning modeling;
and when the sample data is incomplete or the modeling precision is insufficient, exhaustive modeling is used for traversal calculation.
8. The cloud-computing PDRR network security assurance model parallel implementation system of claim 1, wherein the cloud computing architecture is configured for:
dynamic scheduling, namely dynamically allocating resources according to the size of the workload;
resource sharing, namely constructing a resource pool and sharing resources through the resource pool;
and a firewall cloud, which trains and models a mandatory access control business operation process based on fine-grained role permissions from the behavioral big data of the business patterns in the protected network system, and correspondingly releases, intercepts or alarms on each item of incoming data through the PDRR security model.
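The four layers of claims 1 to 4, with three of the detection stages listed in claim 3 and the release / intercept / alarm outcomes of claim 8, can be modelled as one small pipeline. This is an added example, not the patent's code: the record format src|dst|payload, the detector names, the severity levels, the rate limit and the sample traffic are all constructed assumptions, and only intrusion detection, traffic analysis and whitelist detection are implemented.

```python
"""Four-layer PDRR packet pipeline (added illustration, not the patent's code).
Assumptions: constructed records b"src|dst|payload"; detectors run in the configured order;
the response policy maps the worst finding severity to release / alarm / intercept."""
from collections import Counter, namedtuple
import ipaddress

Packet = namedtuple("Packet", "src dst payload")
Finding = namedtuple("Finding", "detector severity detail")  # severity 1 = alarm, 2 = intercept

def protection_layer(raw):
    """Receive and preprocess: decode the record and validate both addresses."""
    try:
        src, dst, payload = raw.split(b"|", 2)
        for addr in (src, dst):
            ipaddress.ip_address(addr.decode())
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError(f"malformed record {raw!r}") from exc
    return Packet(src.decode(), dst.decode(), payload)

class DetectionLayer:
    """Run the configured detections; each yields Findings for the packet."""
    def __init__(self, rules, whitelist, rate_limit):
        self.rules, self.whitelist, self.rate_limit = rules, set(whitelist), rate_limit
        self.counts = Counter()  # packets seen per source

    def intrusion_detection(self, p):  # signature rule base
        for name, sig in self.rules.items():
            if sig in p.payload:
                yield Finding("intrusion", 2, f"rule {name} matched")

    def traffic_analysis(self, p):  # simple per-source rate check
        self.counts[p.src] += 1
        if self.counts[p.src] > self.rate_limit:
            yield Finding("traffic", 1, f"{p.src} over {self.rate_limit} packets")

    def whitelist_detection(self, p):
        if p.src not in self.whitelist:
            yield Finding("whitelist", 1, f"{p.src} not whitelisted")

    def run(self, p, config):
        return [f for name in config for f in getattr(self, name)(p)]

class RecoveryLayer:
    """Record what to back up / restore when an anomaly is confirmed."""
    def __init__(self):
        self.snapshots = []

    def on_anomaly(self, p, findings):
        self.snapshots.append((p.src, [f.detector for f in findings]))

class ResponseLayer:
    """Apply the protection policy to findings; link to recovery on intercept."""
    def __init__(self, recovery):
        self.recovery, self.blocked, self.events = recovery, set(), []

    def respond(self, p, findings):
        worst = max((f.severity for f in findings), default=0)
        if worst >= 2:
            self.blocked.add(p.src)  # intrusion prevention: block the source
            self.recovery.on_anomaly(p, findings)
            action = "intercept"
        else:
            action = "alarm" if worst == 1 else "release"
        self.events.append((p.src, action, [f.detector for f in findings]))
        return action

def run_pipeline(records, config, rules, whitelist, rate_limit):
    recovery = RecoveryLayer()
    detection = DetectionLayer(rules, whitelist, rate_limit)
    response = ResponseLayer(recovery)
    actions = []
    for raw in records:
        try:
            pkt = protection_layer(raw)
        except ValueError:
            actions.append("drop")  # malformed input never reaches the detectors
            continue
        if pkt.src in response.blocked:  # an earlier interception still applies
            actions.append("intercept")
            continue
        actions.append(response.respond(pkt, detection.run(pkt, config)))
    return actions, response, recovery

RECORDS = [  # constructed sample traffic
    b"10.0.0.5|10.0.0.1|GET /index.html",
    b"10.0.0.9|10.0.0.1|GET /index.html",  # source not whitelisted -> alarm
    b"10.0.0.5|10.0.0.1|id=1' OR 1=1 --",  # SQLi rule matches -> intercept
    b"10.0.0.5|10.0.0.1|GET /",            # source already blocked -> intercept
    b"not a packet",                       # malformed -> drop
    b"10.0.0.7|10.0.0.1|ping",
    b"10.0.0.7|10.0.0.1|ping",
    b"10.0.0.7|10.0.0.1|ping",             # third packet exceeds rate limit 2 -> alarm
]
CONFIG = ["intrusion_detection", "traffic_analysis", "whitelist_detection"]
RULES = {"sqli-tautology": b"' OR 1=1"}
WHITELIST = {"10.0.0.5", "10.0.0.7"}

if __name__ == "__main__":
    actions, response, recovery = run_pipeline(RECORDS, CONFIG, RULES, WHITELIST, 2)
    for rec, act in zip(RECORDS, actions):
        print(f"{act:9s} {rec!r}")
    print("blocked:", sorted(response.blocked), "snapshots:", recovery.snapshots)
```

Two design points carry over to any real deployment of this model: the protection layer rejects malformed input before any detector sees it, and an interception decision made by the response layer is enforced on later packets from the same source without re-running detection, which is what keeps the detection layer's per-packet cost bounded under a flood.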
CN202011206792.XA 2020-11-03 2020-11-03 PDRR network security guarantee model parallel implementation system based on cloud computing Active CN112436957B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011206792.XA CN112436957B (en) 2020-11-03 2020-11-03 PDRR network security guarantee model parallel implementation system based on cloud computing

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011206792.XA CN112436957B (en) 2020-11-03 2020-11-03 PDRR network security guarantee model parallel implementation system based on cloud computing

Publications (2)

Publication Number Publication Date
CN112436957A CN112436957A (en) 2021-03-02
CN112436957B true CN112436957B (en) 2023-03-14

Family

ID=74695105

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011206792.XA Active CN112436957B (en) 2020-11-03 2020-11-03 PDRR network security guarantee model parallel implementation system based on cloud computing

Country Status (1)

Country Link
CN (1) CN112436957B (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113240116B (en) * 2021-07-12 2021-11-19 Shenzhen Y&D Electronics Information Co Ltd Smart firewall cloud system based on a brain-like platform
CN113240100B (en) * 2021-07-12 2021-11-30 Shenzhen Y&D Electronics Information Co Ltd Parallel computing method and system based on discrete Hopfield neural network
CN113283594B (en) * 2021-07-12 2021-11-09 Shenzhen Y&D Electronics Information Co Ltd Intrusion detection system based on brain-like computing
CN113254946A (en) * 2021-07-12 2021-08-13 Shenzhen Y&D Electronics Information Co Ltd Brain-like computing platform and manageable, controllable vulnerability scanning system
CN113242267A (en) * 2021-07-12 2021-08-10 Shenzhen Y&D Electronics Information Co Ltd Situation awareness method based on brain-like computing
CN114401137B (en) * 2022-01-14 2023-09-08 National University of Defense Technology (PLA) Backup network shortest path blocking method and device based on dual algorithm
CN114330698B (en) * 2022-03-15 2022-08-05 Zhejiang Lab Neural model storage system and method of brain-like computer operating system
CN115080968B (en) * 2022-06-08 2023-06-02 Shaanxi Tiancheng Software Co Ltd Artificial intelligence server with intelligent safety protection
CN116301668B (en) * 2023-05-25 2023-08-04 Beijing Zhiqu Technology Co Ltd CDP-based data storage system and method
CN116760633B (en) * 2023-08-11 2024-03-08 Shenzhen Y&D Electronics Information Co Ltd Method for realizing a secure trusted physical network gateway

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103518359A (en) * 2013-02-08 2014-01-15 Huawei Technologies Co Ltd Method, device and network for achieving attack resistance of cloud computing
CN111325321A (en) * 2020-02-13 2020-06-23 Institute of Automation, Chinese Academy of Sciences Brain-like computing system based on multi-neural network fusion and execution method of instruction set

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Chen Guang, "Research on information security risk management methods for information systems", China Doctoral Dissertations Full-text Database (Information Science and Technology), 2007-05-15, main text Chapter 2 *

Also Published As

Publication number Publication date
CN112436957A (en) 2021-03-02

Similar Documents

Publication Publication Date Title
CN112436957B (en) PDRR network security guarantee model parallel implementation system based on cloud computing
Pandeeswari et al. Anomaly detection system in cloud environment using fuzzy clustering based ANN
CN107291538B (en) Mimicry cloud construction method for tasks and task scheduling method, device and system based on mimicry cloud
Khan et al. Hatman: Intra-cloud trust management for Hadoop
US7076801B2 (en) Intrusion tolerant server system
US20150128262A1 (en) Taint vector locations and granularity
KR102542720B1 (en) System for providing internet of behavior based intelligent data security platform service for zero trust security
CN112766672A (en) Network security guarantee method and system based on comprehensive evaluation
Li et al. CloudMon: a resource‐efficient IaaS cloud monitoring system based on networked intrusion detection system virtual appliances
Uemura et al. Availability analysis of an intrusion tolerant distributed server system with preventive maintenance
Arunkumar et al. Malicious attack detection approach in cloud computing using machine learning techniques
Naseer Implementation of Hybrid Mesh firewall and its future impacts on Enhancement of cyber security
CN112579288A (en) Cloud computing-based intelligent security data management system
CN112433808A (en) Network security event detection system and method based on grid computing
Sharma et al. Survey of intrusion detection techniques and architectures in cloud computing
Baarzi et al. Microservices made attack-resilient using unsupervised service fissioning
CN112688914A (en) Intelligent cloud platform dynamic sensing method
Halabi et al. Evaluation and selection of Cloud security services based on Multi-Criteria Analysis MCA
CN111641652A (en) Application security service platform based on cloud computing
Schulter et al. Intrusion detection for computational grids
Kamatchi et al. An efficient security framework to detect intrusions at virtual network layer of cloud computing
CN116244046A (en) Mechanism for reducing exposure of sensitive telemetry data in a computing network
Florez et al. Lightweight monitoring of mpi programs in real time
Ambikavathi et al. Improving virtual machine security through intelligent intrusion detection system
Deshmukh et al. Intrusion detection system for cloud computing

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant