CN112615862A - Simulated defense-based attack defense device, method, equipment and medium - Google Patents


Info

Publication number: CN112615862A
Authority: CN (China)
Prior art keywords: heterogeneous, data, mimicry, executive body, log
Legal status: Granted
Application number: CN202011499913.4A
Other languages: Chinese (zh)
Other versions: CN112615862B (en)
Inventors: 张校臣, 倪晓波, 李彧, 于波, 武彦平, 詹俊, 林彦竹, 吴树平
Current assignee: Network Communication and Security Zijinshan Laboratory
Original assignee: Network Communication and Security Zijinshan Laboratory
Events:
    • Application filed by Network Communication and Security Zijinshan Laboratory
    • Priority to CN202011499913.4A
    • Publication of CN112615862A
    • Application granted
    • Publication of CN112615862B
    • Legal status: Active

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
            • H04L63/0227 Filtering policies
        • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
            • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                • H04L63/1416 Event detection, e.g. attack signature detection
                • H04L63/1425 Traffic logging, e.g. anomaly detection
            • H04L63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science
  • Computer Security & Cryptography
  • Computer Hardware Design
  • Computing Systems
  • General Engineering & Computer Science
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Data Exchanges In Wide-Area Networks

Abstract

The invention discloses an attack defense device, method, equipment and medium based on mimicry defense. The device comprises a mimicry scheduler and a plurality of heterogeneous executors. Each heterogeneous executor receives and processes the message data sent by the mimicry scheduler. The mimicry scheduler comprises a mimicry judgment module and an attack defense module; it receives message data sent by the front-end chip and forwards it to the heterogeneous executors, thereby performing data distribution, mimicry judgment and cleaning management of the heterogeneous executors. The mimicry judgment module performs mimicry judgment on the downlink data of the heterogeneous executors and sends the result to the attack defense module. The attack defense module collects, extracts and stores the message data sent by the front-end chip and, according to the mimicry judgment result of the mimicry judgment module, updates the log, performs attack detection and filters attack data. The invention performs attack detection on the message data and effectively filters abnormal message data, thereby reducing the number of times the heterogeneous executors must be cleaned.

Description

Simulated defense-based attack defense device, method, equipment and medium
Technical Field
The invention relates to the technical field of computer network security, in particular to an attack defense device, method, equipment and medium based on mimicry defense.
Background
Currently, cyberspace is in a security situation in which attack is easy and defense is hard, and improving the security of cyberspace is one of the most serious challenges of the information age. Mimicry defense is an endogenous security theory built around a dynamic heterogeneous redundant structure; it can prevent security threats based on both unknown and known vulnerabilities and backdoors, and greatly enhances the ability of a key business network to cope with external intrusion and internal penetration.
A mimicry product is a mimicry network infrastructure device built by fusing mimicry defense technology into existing network equipment: several heterogeneous processing engines are introduced into its architecture as heterogeneous executors, together with a hardware-implemented mimicry scheduler and other components. Such a product can effectively deal with uncertain threats such as unknown vulnerabilities, backdoors, viruses and trojans, greatly raise the difficulty and cost of an attack, and safeguard the security of cyberspace.
In the current scheme, the mimicry scheduler judges according to its decision strategy whether a heterogeneous executor is abnormal; a heterogeneous executor whose abnormal count reaches a certain threshold is cleaned and restored to a normal usable state. However, if the mimicry scheduler sends the same attack packet to that heterogeneous executor again, the executor becomes abnormal again after receiving it, so the heterogeneous executor remains permanently unavailable, the advantage of heterogeneous redundancy is greatly reduced, and the overall stability of the system is affected.
Disclosure of Invention
Technical purpose: in view of the defect in the prior art that heterogeneous executors become abnormal repeatedly and must be cleaned repeatedly, the invention discloses an attack defense device, method, equipment and medium based on mimicry defense.
Technical scheme: to achieve the above purpose, the invention adopts the following technical scheme.
An attack defense device based on mimicry defense comprises a mimicry scheduler and a plurality of heterogeneous executors. Each heterogeneous executor receives and processes the message data sent by the mimicry scheduler and returns the processing result to the mimicry scheduler as downlink data;
the mimicry scheduler is the only data transmission interface between the heterogeneous executors and the outside; it receives message data sent by the front-end chip and forwards it to the heterogeneous executors, thereby performing data distribution, mimicry judgment and cleaning management of the heterogeneous executors, and it comprises a mimicry judgment module and an attack defense module;
the mimicry judgment module receives the downlink data of the heterogeneous executors, judges it according to the mimicry judgment strategy and sends the mimicry judgment result to the attack defense module;
the attack defense module collects, extracts and stores the message data sent by the front-end chip and, in combination with the mimicry judgment result sent by the mimicry judgment module, updates the log, performs attack detection and filters attack data.
Preferably, the attack defense module comprises a data acquisition and extraction module, a log module and an attack detection module. The data acquisition and extraction module acquires the message data sent by the front-end chip and extracts the key data in it; the log module stores the key data extracted by the data acquisition and extraction module in a log and updates the stored information according to the mimicry judgment result sent by the mimicry judgment module; and the attack detection module judges, from the message data sent by the front-end chip combined with the key data stored in the log module, whether the message data constitutes an abnormal attack, filters abnormal attack data and does not send it to the corresponding heterogeneous executor.
Preferably, the content stored in the log module includes key data and the heterogeneous executor data corresponding to that key data. The key data comprises a protocol type identifier and protocol key parameters; the heterogeneous executor data comprises, for each protocol type identifier, the heterogeneous executor numbers and their corresponding abnormal times. The heterogeneous executor data is extracted from the mimicry judgment result sent by the mimicry judgment module: the numbers of the heterogeneous executors whose mimicry judgment result is abnormal are updated in the log module, together with the abnormal times corresponding to those numbers.
Preferably, the plurality of heterogeneous executors adopt different structures, including processors with different architectures and heterogeneous operating systems.
An attack defense method based on mimicry defense comprises the following steps:
S1, data acquisition and extraction: the mimicry scheduler collects the message data sent by the front-end chip, extracts the key data in it and stores the key data in the log of the mimicry scheduler;
S2, attack data judgment: the mimicry scheduler analyzes the currently stored key data together with the historical content of the log and judges whether the current message data is abnormal attack data; if so, it proceeds to step S3; if not, it distributes the current message data to any of the plurality of heterogeneous executors for processing and proceeds to step S4;
S3, message filtering: the mimicry scheduler obtains the heterogeneous executor data corresponding to the protocol type identifier of the current message data, obtains the heterogeneous executor numbers associated with the abnormal attack, filters out the heterogeneous executors with those numbers so that the current message data is not distributed to them, and distributes the current message data to the remaining heterogeneous executors for processing;
S4, mimicry judgment: all heterogeneous executors that processed the current message data send their processing results to the mimicry scheduler, whose mimicry judgment module judges all the processing results and outputs a mimicry judgment result; the mimicry judgment strategy comprises multi-choice judgment based on experience credibility, multi-choice judgment based on weight, and composite single-choice judgment based on sampled multi-choice judgment;
S5, log updating and cleaning management: according to the current mimicry judgment result, the normal downlink data output by the heterogeneous executors is sent to the front-end chip; the heterogeneous executors whose processing results are consistent with the mimicry judgment result of step S4 are marked as normal heterogeneous executors and those whose results are inconsistent are marked as abnormal heterogeneous executors; the abnormal heterogeneous executors are cleaned and managed; and the numbers of the marked heterogeneous executors are obtained according to the current mimicry judgment result and stored and updated in the log.
Preferably, in step S2, the historical content of the log includes key data and the heterogeneous executor data corresponding to it; the key data comprises a protocol type identifier and protocol key parameters, and the heterogeneous executor data comprises the heterogeneous executor numbers corresponding to the protocol type identifier and their abnormal times.
Preferably, in step S2, the process of determining whether the current message data is abnormal attack data comprises:
S21, judging whether the current protocol type identifier is already in the historical content of the log: the current protocol type identifier in the key data extracted from the current message data is compared with the historical content of the log; if the log contains the current protocol type identifier, proceed to step S22, otherwise proceed to step S24;
S22, judging whether the abnormal times exceed a set threshold: the heterogeneous executor data stored in the log under the protocol type identifier of the current message data is obtained; if there is a heterogeneous executor number whose abnormal times are greater than the set threshold, proceed to step S23; if the abnormal times of all heterogeneous executor numbers are less than or equal to the set threshold, proceed to step S24;
S23, judging whether the current protocol key parameters match the historical content of the log: the current protocol key parameters in the key data extracted from the current message data are compared with the historical content of the log; if they are completely identical to the stored content, the current message data is judged to be an abnormal attack and all heterogeneous executor numbers whose abnormal times are greater than the threshold are screened out; otherwise proceed to step S24;
S24, judging the current message data as not being abnormal attack data, and storing the key data of the current message data in the log.
Preferably, in step S5, the specific process of obtaining the numbers of the marked heterogeneous executors according to the current mimicry judgment result and storing and updating them in the log comprises:
S51, judging whether the heterogeneous executor is marked as a normal heterogeneous executor: this is determined from the mark;
if yes, the number of the heterogeneous executor marked as normal is obtained and the log is searched for that number under the current protocol type identifier of the current message data; if it is recorded there, its abnormal times are set to 0, and if not, no processing is performed;
if not, proceed to step S52;
S52, judging whether the current message data is recorded in the log: the current protocol type identifier of the current message data is obtained and compared with the historical content of the log; if the current message data is recorded in the log, proceed to step S54, and if not, proceed to step S53;
S53, creating a storage space: a new storage space is created in the log, the protocol type identifier of the current message data is stored, and the protocol key parameters and heterogeneous executor data under that protocol type identifier are stored, where the heterogeneous executor data comprises the numbers of the heterogeneous executors whose processing results were inconsistent and their abnormal times, the abnormal times being assigned the value 1;
S54, judging whether the heterogeneous executor number is recorded in the log: the heterogeneous executor numbers stored in the log under the current protocol type identifier are obtained; if the number of a heterogeneous executor whose processing result was inconsistent in the current processing round is not in the log, that number and its abnormal times are stored under the protocol type identifier, the abnormal times being assigned the value 1; if the number is already in the log, the abnormal times corresponding to that number under the protocol type identifier are incremented by 1.
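An added example (not from the patent) that models steps S21-S24 and S51-S54 as a small Python class, with a constructed walk-through in which one executor repeatedly mishandles the same STP BPDU; the class and function names, the threshold value and the sample key data are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

THRESHOLD = 2  # assumed "set threshold value" for the abnormal times

# Key data as the data acquisition and extraction module would deliver it:
# (protocol type identifier, protocol key parameters). The parameters are a
# tuple so that "completely the same" (S23) is a plain equality test.
KeyData = Tuple[str, tuple]


@dataclass
class ProtocolRecord:
    """Log storage space for one protocol type identifier (created in S53)."""
    key_params: Set[tuple] = field(default_factory=set)
    abnormal_times: Dict[int, int] = field(default_factory=dict)  # executor number -> count


class AttackDefenseModule:
    """Hypothetical model of the attack detection and log update logic of the scheduler."""

    def __init__(self, executor_numbers: List[int]) -> None:
        self.executors = list(executor_numbers)
        self.log: Dict[str, ProtocolRecord] = {}

    # --- S2: attack data judgment, steps S21-S24 ---
    def judge(self, key: KeyData) -> Set[int]:
        """Return the executor numbers to filter; an empty set means 'not an attack'."""
        proto, params = key
        rec = self.log.get(proto)
        if rec is None:                                   # S21: identifier not in the log
            return self._store_as_normal(key)
        over = {n for n, c in rec.abnormal_times.items() if c > THRESHOLD}
        if not over:                                      # S22: nobody above the threshold
            return self._store_as_normal(key)
        if params in rec.key_params:                      # S23: identical key parameters
            return over                                   # abnormal attack: screen these out
        return self._store_as_normal(key)

    def _store_as_normal(self, key: KeyData) -> Set[int]:
        """S24: not an attack; keep the key data in the log for later comparison."""
        proto, params = key
        self.log.setdefault(proto, ProtocolRecord()).key_params.add(params)
        return set()

    # --- S3: distribution with the flagged executors filtered out ---
    def dispatch(self, key: KeyData) -> List[int]:
        filtered = self.judge(key)
        return [n for n in self.executors if n not in filtered]

    # --- S5: log update from the mimicry judgment, steps S51-S54 ---
    def update(self, key: KeyData, marks: Dict[int, bool]) -> None:
        """marks: executor number -> True if its result agreed with the mimicry judgment."""
        proto, params = key
        for n, normal in marks.items():
            rec = self.log.get(proto)
            if normal:                                    # S51: normal executor
                if rec is not None and n in rec.abnormal_times:
                    rec.abnormal_times[n] = 0             # reset; also undoes an earlier misjudgment
                continue
            if rec is None:                               # S52 -> S53: create storage space
                rec = self.log[proto] = ProtocolRecord()
                rec.key_params.add(params)
                rec.abnormal_times[n] = 1
            elif n not in rec.abnormal_times:             # S54: executor number not yet recorded
                rec.abnormal_times[n] = 1
            else:                                         # S54: executor number already recorded
                rec.abnormal_times[n] += 1


def scenario() -> dict:
    """Constructed walk-through: executor 2 mishandles the same STP BPDU three times."""
    m = AttackDefenseModule([1, 2, 3])
    # constructed key data: (bridge ID, root path cost, port ID, hello time)
    bpdu = ("STP", (0x0000000000000001, 0, 0x8001, 2))
    other_bpdu = ("STP", (0x80000000000000AA, 4, 0x8002, 2))
    learning = []
    for _ in range(THRESHOLD + 1):            # learning phase: count for executor 2 climbs 1, 2, 3
        targets = m.dispatch(bpdu)
        learning.append(targets)
        m.update(bpdu, {n: (n != 2) for n in targets})   # executor 2 inconsistent each round
    filtered = m.dispatch(bpdu)               # count 3 > THRESHOLD and same key params -> S23
    unfiltered = m.dispatch(other_bpdu)       # different key params -> S24, nothing filtered
    m.update(bpdu, {1: True, 2: True, 3: True})           # S51: executor 2 recovers, count -> 0
    after_reset = m.dispatch(bpdu)
    return {
        "learning": learning,
        "filtered": filtered,
        "unfiltered": unfiltered,
        "after_reset": after_reset,
        "abnormal_times": dict(m.log["STP"].abnormal_times),
    }
```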
An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor, when executing the program, implements the attack defense method based on mimicry defense as described in any one of the above.
A computer-readable storage medium storing computer-executable instructions for performing the attack defense method based on mimicry defense as described in any one of the above.
Advantages: by adding the attack defense module to the mimicry scheduler, the invention performs attack detection on the message data uploaded to each heterogeneous executor and does not upload abnormal message data to the corresponding heterogeneous executor. This reduces the probability that, after a heterogeneous executor has been restarted and cleaned many times, other protocol messages cannot be processed effectively; it improves the reliability and availability of the heterogeneous executors and further enhances the overall security of the mimicry product. In addition, neither the system composition nor the equipment volume of the existing equipment is increased.
Drawings
FIG. 1 is a schematic view of the overall structure of the present invention;
FIG. 2 is a schematic diagram of the mimicry scheduler of FIG. 1;
FIG. 3 is the overall process flow diagram of the present invention;
FIG. 4 is a flow chart of part of the method in an embodiment of the present invention.
Detailed Description
The present invention will be further described and explained with reference to the drawings and embodiments; the drawings serve to illustrate the principles of the invention.
As shown in FIG. 1, the attack defense device based on mimicry defense comprises a mimicry scheduler and a plurality of heterogeneous executors. The device is a mimicry product, that is, network infrastructure equipment developed on the basis of the mimicry defense mechanism; it provides effective defense against known and unknown vulnerabilities and backdoors, greatly enhances the ability of a key service network to cope with external intrusion and internal penetration, and provides an infrastructure guarantee for network security.
Each heterogeneous executor receives and processes the message data sent by the mimicry scheduler and returns the processing result to the mimicry scheduler as downlink data. The heterogeneous executors adopt different structures, including processors with different architectures and different operating systems; for example, the processors may be ARM, MIPS, x86 or PowerPC, and the operating systems may be Windows 7, Ubuntu or CentOS.
The mimicry scheduler is the only data transmission interface between the heterogeneous executors and the outside; it receives message data sent by the front-end chip and forwards it to the heterogeneous executors, thereby performing data distribution, mimicry judgment, cleaning management and the like for the heterogeneous executors, and it comprises a mimicry judgment module and an attack defense module. The mimicry judgment module receives the downlink data of the heterogeneous executors, judges it according to the mimicry judgment strategy and sends the mimicry judgment result to the attack defense module.
As shown in FIG. 2, the attack defense module collects and extracts the message data sent by the front-end chip and stores it in a log, and performs log updating, attack detection and attack data filtering in combination with the mimicry judgment result sent by the mimicry judgment module.
The attack defense module comprises a data acquisition and extraction module, a log module and an attack detection module. The data acquisition and extraction module acquires the message data sent by the front-end chip and extracts the key data in it; the log module stores the key data extracted by the data acquisition and extraction module in a log and updates the stored information according to the mimicry judgment result sent by the mimicry judgment module; and the attack detection module judges, from the message data sent by the front-end chip combined with the key data stored in the log module, whether the message data is abnormal attack data, filters abnormal attack data and does not send it to the corresponding heterogeneous executor, thus preventing that heterogeneous executor from suffering the same message attack again.
The content stored in the log module comprises key data and the heterogeneous executor data corresponding to that key data. The key data comprises a protocol type identifier and protocol key parameters; the heterogeneous executor data comprises, for each protocol type identifier, the heterogeneous executor numbers and their corresponding abnormal times. The heterogeneous executor data is extracted from the mimicry judgment result sent by the mimicry judgment module: the numbers of the heterogeneous executors whose mimicry judgment result is abnormal are updated in the log module, together with the abnormal times corresponding to those numbers. The format of the custom log content in the log module in some embodiments is described in Table 1:
TABLE 1 (custom log content format; the table is an image in the original and its contents are not reproduced here)
The format of the protocol information is further illustrated in Table 2:
TABLE 2 (protocol information format; the table is an image in the original and its contents are not reproduced here)
By adding the attack defense module to the mimicry scheduler, the invention achieves state monitoring, abnormal-condition recording and attack data detection for all heterogeneous executors. Attack detection is performed on the message data uploaded to each heterogeneous executor, and abnormal message data is not uploaded to the corresponding heterogeneous executor; this reduces the probability that other protocol messages cannot be processed effectively because a heterogeneous executor has been repeatedly restarted and cleaned, improves the reliability and usability of the heterogeneous executors, and further enhances the overall security of the mimicry product. In addition, neither the system composition nor the equipment volume of the existing equipment is increased.
The attack defense method based on mimicry defense disclosed by the invention can be divided into two phases: a learning phase for attack data and a detection and filtering phase for attack data. The workflow of the learning phase comprises the following steps:
first, the mimicry scheduler collects the message data sent by the front-end chip, extracts key parameters from it as part of the custom log content, and stores the custom log content;
second, the mimicry scheduler sends the message data to the heterogeneous executors, which process it and send their output results to the mimicry scheduler;
third, the mimicry scheduler performs mimicry judgment on the downlink results of the heterogeneous executors, marks the results, and updates them into the custom log content as the data basis for attack detection. Specifically, the mimicry scheduler performs mimicry judgment on the downlink data of the heterogeneous executors, marks the executors judged abnormal as abnormal and those judged normal as normal, and updates the value of the 'abnormal times' field of the custom log content. The value is adjusted dynamically according to the mimicry judgment result: when the mark is abnormal, the abnormal times of the corresponding heterogeneous executor are incremented by 1, and when the mark is normal, the abnormal times are set directly to 0. A normal mark indicates that the heterogeneous executor can process the message data normally or that an earlier judgment may have been mistaken; setting the abnormal times directly to 0 avoids such misjudgment, prevents data from being filtered in error, and improves the reliability of the attack defense module.
By learning from the attack data, the mimicry scheduler records the specific message protocol of the message data, knows the abnormal condition of each heterogeneous executor, and updates in real time to prevent misjudgment.
After the mimicry scheduler has completed the learning phase, received protocol messages can be detected against the custom log content. The workflow of the detection phase comprises the following steps:
step one, after receiving an uplink protocol message sent by the front-end chip, the mimicry scheduler extracts the key parameters of the protocol message;
step two, the mimicry scheduler judges whether the abnormal times for this protocol message and the key parameter values extracted this time match the values in the stored custom log content. If the abnormal times of a certain heterogeneous executor have reached the set maximum threshold and the extracted key parameter values are the same as the stored values, the protocol message is not sent to that heterogeneous executor, thus preventing it from being attacked by the protocol message.
The custom log content added to the mimicry scheduler by the invention is not limited to one protocol; it can perform attack detection on most protocol messages and can even achieve full coverage of known network protocols.
As shown in FIG. 3, the overall flow of the attack defense method based on mimicry defense of the invention comprises the following steps:
S1, data acquisition and extraction: the mimicry scheduler collects the message data sent by the front-end chip, extracts the key data in it and stores the key data in the log of the mimicry scheduler;
S2, attack data judgment: the mimicry scheduler analyzes the currently stored key data together with the historical content of the log and judges whether the current message data is abnormal attack data; if so, it proceeds to step S3; if not, it distributes the current message data to any of the plurality of heterogeneous executors for processing and proceeds to step S4;
S3, message filtering: the mimicry scheduler obtains the heterogeneous executor data corresponding to the protocol type identifier of the current message data, obtains the heterogeneous executor numbers associated with the abnormal attack, filters out the heterogeneous executors with those numbers so that the current message data is not distributed to them, and distributes the current message data to the remaining heterogeneous executors for processing;
S4, mimicry judgment: all heterogeneous executors that processed the current message data send their processing results to the mimicry scheduler, which judges all the processing results and outputs a mimicry judgment result; the mimicry judgment strategy comprises multi-choice judgment based on experience credibility, multi-choice judgment based on weight, and composite single-choice judgment based on sampled multi-choice judgment;
S5, log updating and cleaning management: according to the current mimicry judgment result, the normal downlink data output by the heterogeneous executors is sent to the front-end chip; the heterogeneous executors whose processing results are consistent with the mimicry judgment result of step S4 are marked as normal heterogeneous executors and those whose results are inconsistent are marked as abnormal heterogeneous executors; the abnormal heterogeneous executors are cleaned and managed; and the numbers of the marked heterogeneous executors are obtained according to the current mimicry judgment result and stored and updated in the log.
In step S2, the historical content of the log includes key data and the heterogeneous executor data corresponding to it; the key data comprises a protocol type identifier and protocol key parameters. According to the different protocols in the message data, the mimicry scheduler collects the parameters that play a key role in each protocol and uses them as part of the custom log content, which reduces the memory space occupied while still reflecting the basic characteristics of the protocol.
The protocol type identifier in the log content distinguishes between network protocols: because some network protocol messages have fields with repeated names, the protocol type field determines which protocol message a key parameter belongs to.
The protocol key parameters in the log content are the parameters that play a key role in each protocol, extracted according to the principle and flow of that protocol. For example, in STP (Spanning Tree Protocol), the size of the bridge ID is one of the criteria for selecting the root bridge; if an attacker carefully crafts a BPDU with a smaller bridge ID, it is mistaken for the root bridge, which easily causes STP to re-converge, resulting in a loop or even a network crash. Critical fields of the STP BPDU, such as the bridge ID, root path cost, port ID and Hello Time, therefore need to be put into the log.
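As an added example (not the patent's code), the data acquisition and extraction step for the STP case: parsing an IEEE 802.1D configuration BPDU into the key data (protocol type identifier plus the key parameters named above) that the log stores. The field layout is the standard 802.1D one; the function names and the sample frame are constructed.

```python
import struct

# IEEE 802.1D configuration BPDU body (after the LLC header): fixed 35 bytes.
_CONFIG_BPDU = struct.Struct(">HBBB8sI8sHHHHH")
STP_PROTOCOL_ID = 0x0000
CONFIG_BPDU_TYPE = 0x00


def bridge_id(raw: bytes) -> tuple:
    """Split an 8-byte bridge identifier into (priority, MAC address string)."""
    priority = int.from_bytes(raw[:2], "big")
    mac = ":".join(f"{b:02x}" for b in raw[2:])
    return priority, mac


def extract_stp_key_data(bpdu: bytes):
    """Key data for the log: ("STP", key parameters), or None if this is not a config BPDU."""
    if len(bpdu) < _CONFIG_BPDU.size:
        return None
    (proto_id, _version, bpdu_type, _flags, root, root_path_cost, bridge,
     port_id, _msg_age, _max_age, hello, _fwd_delay) = _CONFIG_BPDU.unpack(bpdu[:_CONFIG_BPDU.size])
    if proto_id != STP_PROTOCOL_ID or bpdu_type != CONFIG_BPDU_TYPE:
        return None  # e.g. a topology change notification (type 0x80) carries no bridge ID
    params = (
        bridge_id(root),       # claimed root bridge ID (the lower value wins the root election)
        root_path_cost,
        bridge_id(bridge),     # sending bridge ID
        port_id,
        hello / 256,           # timer fields are in 1/256 s units
    )
    return "STP", params


def root_candidate_is_better(a: tuple, b: tuple) -> bool:
    """True if bridge ID a would win the root election over b (lower priority, then lower MAC)."""
    return a < b


def build_config_bpdu(root: bytes, cost: int, bridge: bytes, port_id: int) -> bytes:
    """Construct a sample config BPDU (hello 2 s, max age 20 s, forward delay 15 s)."""
    return _CONFIG_BPDU.pack(STP_PROTOCOL_ID, 0, CONFIG_BPDU_TYPE, 0,
                             root, cost, bridge, port_id, 0, 20 * 256, 2 * 256, 15 * 256)


# Constructed sample: a bridge with the default priority 32768 announcing itself as root.
SAMPLE_ID = b"\x80\x00\x00\x11\x22\x33\x44\x55"
SAMPLE_BPDU = build_config_bpdu(SAMPLE_ID, 0, SAMPLE_ID, 0x8001)
```

The tuple returned by extract_stp_key_data is exactly the shape the log's protocol key parameters take, so two BPDUs that differ only in the timer fields compare as different key data.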
The heterogeneous executive body data comprises a heterogeneous executive body number corresponding to the protocol type identification and corresponding abnormal times, and the heterogeneous executive body number and the abnormal times are used for determining which heterogeneous executive body is specific and the corresponding times of receiving attack data.
In step S2, the process of deciding whether the current message data is abnormal attack data is:
S21, check whether the current protocol type identifier is already present in the log: compare the current protocol type identifier in the key data extracted from the current message data with the historical content of the log; if the log contains the current protocol type identifier, go to step S22, otherwise go to step S24;
S22, check whether an abnormal count exceeds the set threshold: obtain, from the log, the heterogeneous executor data stored under the protocol type identifier of the current message data; if any heterogeneous executor number has an abnormal count greater than the set threshold, go to step S23; if the abnormal counts of all heterogeneous executor numbers are not greater than the set threshold, go to step S24;
S23, check whether the current protocol key parameters match the log: compare the current protocol key parameters in the key data extracted from the current message data with the historical content of the log; if they are identical, judge the current message data to be abnormal attack data and select all heterogeneous executor numbers whose abnormal count is greater than the threshold; otherwise go to step S24;
S24, judge that the current message data is not abnormal attack data, and store its key data in the log.
In step S5, the specific process of obtaining the numbers of the marked heterogeneous executors according to the current mimicry judgment result and storing or updating them in the log is:
S51, check whether the heterogeneous executor is marked as a normal heterogeneous executor:
if yes, obtain the number of that normal heterogeneous executor and check whether the log records it under the current protocol type identifier of the current message data; if it does, set the abnormal count of that heterogeneous executor number to 0, otherwise do nothing;
if not, go to step S52;
S52, check whether the current message data is recorded in the log: obtain the current protocol type identifier of the current message data and compare it with the historical content of the log; if it is recorded, go to step S54, otherwise go to step S53;
S53, create a storage space: create a new entry in the log, store the protocol type identifier of the current message data, and under it store the protocol key parameters and the heterogeneous executor data; the heterogeneous executor data consists of the numbers of the heterogeneous executors whose processing results disagreed with the judgment, each with its abnormal count, which is initialised to 1;
S54, check whether the heterogeneous executor number is recorded in the log: obtain the heterogeneous executor numbers stored under the current protocol type identifier; if the number of a heterogeneous executor whose processing result disagreed in the current round is not in the log, store that number under the protocol type identifier with its abnormal count initialised to 1; if it is already in the log, add 1 to the abnormal count of that number under the protocol type identifier.
In the invention an attack defense module is added to the mimicry scheduler. Message data destined for each heterogeneous executor is first subjected to attack detection, and abnormal message data is not forwarded to the corresponding heterogeneous executor. This reduces the probability that a heterogeneous executor, after being restarted and cleaned repeatedly, can no longer process other protocol messages effectively, raises the reliability and availability of the heterogeneous executors, and so strengthens the overall security of the mimicry product; in addition, neither the system composition nor the physical size of existing equipment is increased.
An electronic device comprises a memory, a processor and a computer program stored in the memory and executable on the processor; when the processor executes the program it implements any of the mimicry-defense-based attack defense methods described above. The memory may be of any type, such as random access memory, read-only memory or flash memory. The processor may be of any type, such as a central processing unit, a microprocessor, a digital signal processor or an image processor.
A computer-readable storage medium stores computer-executable instructions for performing any of the mimicry-defense-based attack defense methods described above.
Examples
In this embodiment the mimicry-defense-based attack defense apparatus of the invention is a mimicry switch, the front-end chip is a switch chip, and the mimicry-defense-based attack defense method of the invention is applied to the mimicry switch. As shown in Fig. 4, the specific process is as follows:
Step one: the mimicry scheduler in the mimicry switch collects the message data sent by the switch chip.
Step two: the mimicry scheduler extracts the key parameters from the message data.
Which key parameters are extracted depends on the protocol carried by the message data. In this embodiment the protocols in the message data sent by the switch chip include STP, OSPF, RIP and TCP.
For STP, the BPDU message type, flags, root bridge ID, root path cost, sender bridge ID, port ID, message age, max age, Hello Time, MAC address information and so on are extracted from the BPDU message.
For OSPF, key fields such as the LSA refresh interval, LSA maximum age, LSA sequence number, maximum sequence number, Hello interval and DR election wait timer are extracted from the five OSPF packet types; key parameters of other network protocols such as RIP, TCP, IP and ICMP are extracted in the same way.
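The STP extraction described above, shown as an added example that is not part of the patent or its implementation: a parser for an IEEE 802.1D Configuration BPDU body that returns the fields the scheduler would log as protocol key parameters, together with the root-election comparison that explains why a forged low-priority bridge ID is dangerous. The two sample BPDUs are constructed for this example; the field layout and default timers are those of 802.1D (RSTP BPDUs, type 0x02, carry an extra length byte and are rejected here).

```python
import struct
from dataclasses import dataclass, astuple

# IEEE 802.1D Configuration BPDU body (after the LLC header), big-endian:
# Protocol ID(2) Version(1) Type(1) Flags(1) Root ID(8) Root Path Cost(4)
# Bridge ID(8) Port ID(2) Message Age(2) Max Age(2) Hello Time(2) Forward Delay(2)
_CONFIG_BPDU = struct.Struct("!HBBBQIQHHHHH")          # 35 bytes
_CONFIG_TYPE = 0x00                                    # 0x80 = TCN, 0x02 = RSTP


@dataclass(frozen=True)
class StpKeyParams:
    """Fields the scheduler logs as STP protocol key parameters."""
    bpdu_type: int
    flags: int
    root_id: int
    root_path_cost: int
    bridge_id: int          # sender bridge ID
    port_id: int
    message_age: int        # timers are in 1/256 s units on the wire
    max_age: int
    hello_time: int
    forward_delay: int


def parse_config_bpdu(body: bytes) -> StpKeyParams:
    """Parse a Configuration BPDU body; raises ValueError on anything else."""
    if len(body) < _CONFIG_BPDU.size:
        raise ValueError("truncated BPDU")
    fields = _CONFIG_BPDU.unpack_from(body)
    proto_id, version, bpdu_type = fields[:3]
    if proto_id != 0 or version != 0 or bpdu_type != _CONFIG_TYPE:
        raise ValueError("not an 802.1D Configuration BPDU")
    return StpKeyParams(bpdu_type, *fields[3:])


def bridge_priority(bridge_id: int) -> int:
    """Upper 16 bits of a bridge ID (the 802.1D priority field)."""
    return bridge_id >> 48


def bridge_mac(bridge_id: int) -> str:
    """Lower 48 bits of a bridge ID, rendered as a MAC address."""
    return ":".join(f"{b:02x}" for b in (bridge_id & 0xFFFF_FFFF_FFFF).to_bytes(6, "big"))


def claims_better_root(bpdu: StpKeyParams, current_root_id: int) -> bool:
    """True if the advertised root ID would win the election against the current
    root. The lower bridge ID wins, so a forged BPDU with priority 0 beats any
    bridge left at the default priority of 32768."""
    return bpdu.root_id < current_root_id


def key_params(bpdu: StpKeyParams) -> tuple:
    """Tuple form, as the scheduler would store it in its log."""
    return astuple(bpdu)


def _build(root_id: int, bridge_id: int, cost: int = 0) -> bytes:
    # Constructed sample BPDU; timers are the 802.1D defaults (20 s, 2 s, 15 s).
    return _CONFIG_BPDU.pack(0, 0, _CONFIG_TYPE, 0, root_id, cost, bridge_id,
                             0x8001, 0, 20 * 256, 2 * 256, 15 * 256)


LEGIT_ROOT = (32768 << 48) | 0x00_11_22_33_44_55    # default priority, legitimate root
FORGED_ROOT = (0 << 48) | 0x00_AA_BB_CC_DD_EE       # attacker advertises priority 0
SAMPLE_LEGIT_BPDU = _build(LEGIT_ROOT, LEGIT_ROOT)   # constructed
SAMPLE_FORGED_BPDU = _build(FORGED_ROOT, FORGED_ROOT)  # constructed
```

The parser deliberately checks the protocol ID, version and type before trusting any other field, so a malformed or RSTP frame is rejected rather than logged with meaningless values; the comparison in claims_better_root is the whole root-election rule for 802.1D, which is why a single forged BPDU suffices to hijack the root role on an unprotected segment.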
Step three: check whether the self-defined log content contains the protocol type.
Whether the protocol message needs abnormal-attack detection is decided from the protocol type identifiers in the self-defined log content. If the protocol type is not present, the message goes straight to mimicry judgment and output.
Step four: check whether the abnormal count of any heterogeneous executor exceeds the set threshold.
This step is entered when the check of step three succeeds. The corresponding protocol type identifier and the heterogeneous executors recorded under it are looked up, and it is checked whether the abnormal count of any heterogeneous executor number exceeds the set abnormal-count threshold. In this embodiment the threshold is 5.
The number N of heterogeneous executors is determined by the security requirements and the system resource limits; it is generally not less than three, and in this embodiment three heterogeneous executors are used.
Step five: check whether the protocol key parameters are the same.
When an abnormal count exceeds the threshold, the check of step four succeeds, and it is then checked whether the extracted protocol key parameters are the same as the key parameter values in the self-defined log content.
Step six: message filtering and mimicry judgment.
If the check of step four fails (no abnormal count exceeds the threshold) or the check of step five fails (the key parameters differ), the message data is not abnormal attack data and is not filtered. If the check of step five succeeds, the heterogeneous executors whose abnormal count exceeds the threshold are filtered out: the current message data is not distributed to them but only to the remaining heterogeneous executors for processing. The processing results are then judged in the mimicry scheduler. For example, during STP interaction a hacker keeps sending forged BPDU messages that consume the resources of heterogeneous executor 1; after judgment the mimicry scheduler marks heterogeneous executor 1 as abnormal, and once its abnormal count exceeds the threshold and the same BPDU message is received again, the message is withheld from heterogeneous executor 1 and sent only to heterogeneous executors 2 and 3, so that heterogeneous executor 1 is not attacked by that message again.
Step seven: update the abnormal count and the protocol key parameter values of the corresponding heterogeneous executor according to the mimicry judgment result.
The abnormal count and the protocol key parameter values are updated according to the mimicry judgment result: the abnormal count of each heterogeneous executor judged abnormal is increased by 1, and the abnormal count of each heterogeneous executor judged normal is set directly to 0. This gives dynamic adjustment and keeps the system reliable.
When the protocol key parameters differ, that is, when the check of step five fails, the abnormal count of a heterogeneous executor whose mimicry judgment result is abnormal is set to 1 and the protocol key parameter values are updated at the same time; if the mimicry judgment result is normal, the abnormal count is set to 0 and the protocol key parameters are likewise updated.
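The detection procedure of steps S21 to S24, the log update of steps S51 to S54 and the seven-step embodiment above are one control loop; the following is an added example of that loop, written for this page and not taken from the patent or any mimicry switch implementation. The log is kept as an in-memory dictionary keyed by protocol type identifier, key parameters are tuples, executor results are opaque values compared for equality, and the executors themselves are replaced by a constructed table of what each one would return; the mimicry judgment is a plain majority vote, which is an assumption (the patent lists credibility-weighted and sampling-based strategies instead). The threshold of 5 and the three executors numbered 1 to 3 follow the embodiment.

```python
from collections import Counter
from dataclasses import dataclass, field

ABNORMAL_THRESHOLD = 5      # abnormal-count threshold used in the embodiment
EXECUTORS = (1, 2, 3)       # three heterogeneous executors, numbered as in the embodiment


@dataclass
class ProtocolRecord:
    """Log entry stored under one protocol type identifier."""
    key_params: tuple                                   # protocol key parameters
    abnormal: dict = field(default_factory=dict)        # executor number -> abnormal count


class SchedulerLog:
    """The mimicry scheduler's self-defined log plus the S2 and S5 procedures."""

    def __init__(self, threshold: int = ABNORMAL_THRESHOLD):
        self.threshold = threshold
        self.records = {}                               # protocol type identifier -> ProtocolRecord

    def detect(self, proto: str, key_params: tuple) -> set:
        """Steps S21-S24. Returns the executor numbers to filter; an empty set
        means the message is not treated as attack data."""
        rec = self.records.get(proto)
        if rec is None:                                             # S21: protocol unknown -> S24
            return set()
        over = {n for n, c in rec.abnormal.items() if c > self.threshold}  # S22
        if not over:
            return set()                                            # S24
        if rec.key_params == key_params:                            # S23: same key parameters
            return over                                             # attack: filter those executors
        return set()                                                # S24

    def update(self, proto: str, key_params: tuple, normal: set, abnormal: set) -> None:
        """Steps S51-S54 and the embodiment's step seven for one judgment result."""
        rec = self.records.get(proto)
        if rec is None:                                             # S52/S53: create the entry
            rec = self.records[proto] = ProtocolRecord(key_params)
        same = rec.key_params == key_params
        for n in normal:                                            # S51: consistent executor
            if n in rec.abnormal:                                   #   -> count reset to 0
                rec.abnormal[n] = 0
        for n in abnormal:                                          # S54 / step seven
            if same and n in rec.abnormal:
                rec.abnormal[n] += 1                                #   same key params -> +1
            else:
                rec.abnormal[n] = 1                                 #   new executor or new params -> 1
        rec.key_params = key_params                                 # key params refreshed each round


def dispatch(log: SchedulerLog, proto: str, key_params: tuple, executor_outputs: dict):
    """One scheduler pass for one message: filter (S3), distribute, judge (S4),
    update the log (S5). executor_outputs maps executor number -> the result that
    executor would return (constructed input standing in for the executors).
    Judgment is a majority vote (assumption); on a tie the lowest-numbered
    executor wins because Counter preserves insertion order."""
    filtered = log.detect(proto, key_params)
    results = {n: executor_outputs[n] for n in EXECUTORS if n not in filtered}
    if not results:                                                 # every executor filtered
        return filtered, None
    verdict = Counter(results.values()).most_common(1)[0][0]
    normal = {n for n, r in results.items() if r == verdict}
    abnormal = set(results) - normal
    log.update(proto, key_params, normal, abnormal)
    return filtered, verdict


def forged_bpdu_storm(rounds: int, log: SchedulerLog = None):
    """The embodiment's STP scenario: an attacker repeats one forged BPDU,
    executor 1 mishandles it while executors 2 and 3 discard it. Returns the
    per-round set of filtered executors and the log."""
    log = log or SchedulerLog()
    forged = ("config", 0, 0x0000_00AA_BBCC_DDEE, 0, 0x8001)       # constructed key params
    outputs = {1: "accept-root", 2: "discard", 3: "discard"}        # constructed executor results
    history = [dispatch(log, "STP", forged, outputs)[0] for _ in range(rounds)]
    return history, log
```

Running forged_bpdu_storm(7) shows the behaviour the embodiment describes: executor 1 disagrees with the judgment six times, its count passes the threshold of 5, and from the seventh repetition of the same BPDU it is no longer given the message; a later BPDU with different key parameters reaches executor 1 again and, if it then agrees with the judgment, resets its count to 0.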
The above describes only preferred embodiments of the invention. It will be apparent to those skilled in the art that various modifications and adaptations can be made without departing from the principles of the invention, and these are intended to fall within its scope.

Claims (10)

1. An attack defense apparatus based on mimicry defense, characterised in that it comprises a mimicry scheduler and a plurality of heterogeneous executors; each heterogeneous executor receives and processes message data sent by the mimicry scheduler and returns the processing result to the mimicry scheduler as downlink data;
the mimicry scheduler is the only data transmission interface between the heterogeneous executors and the outside; it receives message data sent by a front-end chip and forwards it to the heterogeneous executors, thereby performing data distribution, mimicry judgment and cleaning management of the heterogeneous executors, and it comprises a mimicry judgment module and an attack defense module;
the mimicry judgment module receives the downlink data of the heterogeneous executors, judges it according to a mimicry judgment strategy, and sends the mimicry judgment result to the attack defense module;
the attack defense module collects, extracts and stores the message data sent by the front-end chip and, in combination with the mimicry judgment result sent by the mimicry judgment module, updates the log, performs attack detection and filters attack data.
2. The apparatus of claim 1, characterised in that the attack defense module comprises a data acquisition and extraction module, a log module and an attack detection module; the data acquisition and extraction module collects the message data sent by the front-end chip and extracts the key data in it; the log module stores the key data extracted by the data acquisition and extraction module in a log and updates the stored information according to the mimicry judgment result sent by the mimicry judgment module; the attack detection module judges, from the message data sent by the front-end chip together with the key data stored by the log module, whether the message data is abnormal attack data, and filters such data so that it is not sent to the corresponding heterogeneous executor.
3. The apparatus of claim 2, characterised in that the content stored by the log module consists of key data and the heterogeneous executor data associated with that key data; the key data consists of a protocol type identifier and protocol key parameters, and the heterogeneous executor data consists of the heterogeneous executor numbers recorded under the protocol type identifier and the abnormal count of each; the heterogeneous executor data is derived from the mimicry judgment result sent by the mimicry judgment module, the number of each heterogeneous executor whose mimicry judgment result is abnormal is updated in the log module, and the abnormal count of that heterogeneous executor number is updated.
4. The apparatus of claim 1, characterised in that the heterogeneous executors have different structures, the structures comprising processors of different architectures and different operating systems.
5. An attack defense method based on mimicry defense, characterised in that it comprises the following steps:
S1, data acquisition and extraction: the mimicry scheduler collects message data sent by a front-end chip, extracts the key data in the message data and stores it in the log of the mimicry scheduler;
S2, attack data judgment: the mimicry scheduler analyses the currently stored key data together with the historical content of the log and judges whether the current message data is abnormal attack data; if so, go to step S3; if not, distribute the current message data to all of the plurality of heterogeneous executors for processing and go to step S4;
S3, message filtering: the mimicry scheduler obtains the heterogeneous executor data stored under the protocol type identifier of the current message data, obtains the heterogeneous executor numbers associated with the abnormal attack, filters out the heterogeneous executors with those numbers so that the current message data is not distributed to them, and distributes the current message data to the remaining heterogeneous executors for processing;
S4, mimicry judgment: every heterogeneous executor that processed the current message data sends its processing result to the mimicry scheduler, and the mimicry judgment module in the mimicry scheduler judges all the processing results and outputs the mimicry judgment result; the mimicry judgment strategies comprise multi-choice judgment based on empirical credibility, multi-choice judgment based on weights, and composite single-choice judgment based on sampled multi-choice;
S5, log updating and cleaning management: according to the current mimicry judgment result, send the normal downlink data output by the heterogeneous executors to the front-end chip; mark the heterogeneous executors whose processing results agree with the mimicry judgment result of step S4 as normal heterogeneous executors and those whose results disagree as abnormal heterogeneous executors; clean and manage the abnormal heterogeneous executors; and, according to the current mimicry judgment result, obtain the numbers of the marked heterogeneous executors and store or update them in the log.
6. The mimicry-defense-based attack defense method of claim 5, characterised in that in step S2 the historical content stored in the log consists of key data and the heterogeneous executor data associated with that key data; the key data consists of a protocol type identifier and protocol key parameters, and the heterogeneous executor data consists of the heterogeneous executor numbers recorded under the protocol type identifier and the abnormal count of each.
7. The mimicry-defense-based attack defense method of claim 5, characterised in that in step S2 the process of deciding whether the current message data is abnormal attack data is:
S21, check whether the current protocol type identifier is already present in the log: compare the current protocol type identifier in the key data extracted from the current message data with the historical content of the log; if the log contains the current protocol type identifier, go to step S22, otherwise go to step S24;
S22, check whether an abnormal count exceeds the set threshold: obtain, from the log, the heterogeneous executor data stored under the protocol type identifier of the current message data; if any heterogeneous executor number has an abnormal count greater than the set threshold, go to step S23; if the abnormal counts of all heterogeneous executor numbers are less than or equal to the set threshold, go to step S24;
S23, check whether the current protocol key parameters match the log: compare the current protocol key parameters in the key data extracted from the current message data with the historical content of the log; if they are identical, judge the current message data to be abnormal attack data and select all heterogeneous executor numbers whose abnormal count is greater than the threshold; otherwise go to step S24;
S24, judge that the current message data is not abnormal attack data, and store its key data in the log.
8. The mimicry-defense-based attack defense method of claim 5, characterised in that in step S5 the process of obtaining the numbers of the marked heterogeneous executors according to the current mimicry judgment result and storing or updating them in the log comprises:
S51, check whether the heterogeneous executor is marked as a normal heterogeneous executor:
if yes, obtain the number of that normal heterogeneous executor and check whether the log records it under the current protocol type identifier of the current message data; if it does, set the abnormal count of that heterogeneous executor number to 0, otherwise do nothing;
if not, go to step S52;
S52, check whether the current message data is recorded in the log: obtain the current protocol type identifier of the current message data and compare it with the historical content of the log; if it is recorded, go to step S54, otherwise go to step S53;
S53, create a storage space: create a new entry in the log, store the protocol type identifier of the current message data, and under it store the protocol key parameters and the heterogeneous executor data; the heterogeneous executor data consists of the numbers of the heterogeneous executors whose processing results disagreed with the judgment, each with its abnormal count, which is initialised to 1;
S54, check whether the heterogeneous executor number is recorded in the log: obtain the heterogeneous executor numbers stored under the current protocol type identifier; if the number of a heterogeneous executor whose processing result disagreed in the current round is not in the log, store that number under the protocol type identifier with its abnormal count initialised to 1; if it is already in the log, add 1 to the abnormal count of that number under the protocol type identifier.
9. An electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterised in that when the processor executes the program it implements the mimicry-defense-based attack defense method of any one of claims 5 to 8.
10. A computer-readable storage medium storing computer-executable instructions, characterised in that the instructions perform the mimicry-defense-based attack defense method of any one of claims 5 to 8.
CN202011499913.4A 2020-12-18 2020-12-18 Simulated defense-based attack defense device, method, equipment and medium Active CN112615862B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011499913.4A CN112615862B (en) 2020-12-18 2020-12-18 Simulated defense-based attack defense device, method, equipment and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011499913.4A CN112615862B (en) 2020-12-18 2020-12-18 Simulated defense-based attack defense device, method, equipment and medium

Publications (2)

Publication Number Publication Date
CN112615862A true CN112615862A (en) 2021-04-06
CN112615862B CN112615862B (en) 2022-08-05

Family

ID=75240982

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011499913.4A Active CN112615862B (en) 2020-12-18 2020-12-18 Simulated defense-based attack defense device, method, equipment and medium

Country Status (1)

Country Link
CN (1) CN112615862B (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113079166A (en) * 2021-04-12 2021-07-06 华东计算技术研究所(中国电子科技集团公司第三十二研究所) Mimicry Web server-oriented executive management and scheduling method and system
CN113114696A (en) * 2021-04-19 2021-07-13 北京天融信网络安全技术有限公司 Mimicry defense processing method, mimicry defense processing device, electronic equipment and medium
CN113347085A (en) * 2021-06-02 2021-09-03 河南信大网御科技有限公司 Method for realizing STP protocol under mimicry environment
CN113973008A (en) * 2021-09-28 2022-01-25 佳源科技股份有限公司 Detection system, method, device and medium based on mimicry technology and machine learning
CN114884751A (en) * 2022-07-07 2022-08-09 国网江苏省电力有限公司信息通信分公司 Scheduling opportunity and scheduling quantity dynamic adjustment method of endogenous security system
CN115277607A (en) * 2022-07-15 2022-11-01 天津市滨海新区信息技术创新中心 Two-stage mimicry judgment method under heterogeneous system complex flow condition
CN115296839A (en) * 2022-06-24 2022-11-04 网络通信与安全紫金山实验室 Mimic routing method, device and storage medium based on BGP-LS arbitration
CN116015978A (en) * 2023-02-13 2023-04-25 中国南方电网有限责任公司 Heterogeneous redundant flow detection system based on mimicry safety technology
CN116893663A (en) * 2023-09-07 2023-10-17 之江实验室 Main control abnormality detection method and device, storage medium and electronic equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110177080A (en) * 2019-04-18 2019-08-27 中国人民解放军战略支援部队信息工程大学 Mimicry interchanger, the network equipment and system
CN111049677A (en) * 2019-11-27 2020-04-21 网络通信与安全紫金山实验室 Cleaning and recovering method and device for mimic switch heterogeneous execution body
CN111783079A (en) * 2020-06-04 2020-10-16 河南信大网御科技有限公司 Mimicry defense device, mimicry defense method and mimicry defense framework
CN111984975A (en) * 2020-07-24 2020-11-24 华东计算技术研究所(中国电子科技集团公司第三十二研究所) Vulnerability attack detection system, method and medium based on mimicry defense mechanism

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113079166B (en) * 2021-04-12 2022-11-11 华东计算技术研究所(中国电子科技集团公司第三十二研究所) Mimicry Web server-oriented executive management and scheduling method and system
CN113079166A (en) * 2021-04-12 2021-07-06 华东计算技术研究所(中国电子科技集团公司第三十二研究所) Mimicry Web server-oriented executive management and scheduling method and system
CN113114696A (en) * 2021-04-19 2021-07-13 北京天融信网络安全技术有限公司 Mimicry defense processing method, mimicry defense processing device, electronic equipment and medium
CN113114696B (en) * 2021-04-19 2022-12-09 北京天融信网络安全技术有限公司 Mimicry defense processing method, mimicry defense processing device, electronic equipment and medium
CN113347085A (en) * 2021-06-02 2021-09-03 河南信大网御科技有限公司 Method for realizing STP protocol under mimicry environment
CN113973008A (en) * 2021-09-28 2022-01-25 佳源科技股份有限公司 Detection system, method, device and medium based on mimicry technology and machine learning
CN113973008B (en) * 2021-09-28 2023-06-02 佳源科技股份有限公司 Detection system, method, equipment and medium based on mimicry technology and machine learning
CN115296839A (en) * 2022-06-24 2022-11-04 网络通信与安全紫金山实验室 Mimic routing method, device and storage medium based on BGP-LS arbitration
CN114884751A (en) * 2022-07-07 2022-08-09 国网江苏省电力有限公司信息通信分公司 Scheduling opportunity and scheduling quantity dynamic adjustment method of endogenous security system
CN114884751B (en) * 2022-07-07 2022-10-18 国网江苏省电力有限公司信息通信分公司 Scheduling opportunity and scheduling quantity dynamic adjustment method of endogenous security system
CN115277607A (en) * 2022-07-15 2022-11-01 天津市滨海新区信息技术创新中心 Two-stage mimicry judgment method under heterogeneous system complex flow condition
CN115277607B (en) * 2022-07-15 2023-12-26 天津市滨海新区信息技术创新中心 Two-stage mimicry judgment method under complex flow condition of heterogeneous system
CN116015978A (en) * 2023-02-13 2023-04-25 中国南方电网有限责任公司 Heterogeneous redundant flow detection system based on mimicry safety technology
CN116015978B (en) * 2023-02-13 2023-12-05 中国南方电网有限责任公司 Heterogeneous redundant flow detection system based on mimicry safety technology
CN116893663A (en) * 2023-09-07 2023-10-17 之江实验室 Main control abnormality detection method and device, storage medium and electronic equipment
CN116893663B (en) * 2023-09-07 2024-01-09 之江实验室 Main control abnormality detection method and device, storage medium and electronic equipment

Also Published As

Publication number Publication date
CN112615862B (en) 2022-08-05

Similar Documents

Publication Publication Date Title
CN112615862B (en) Simulated defense-based attack defense device, method, equipment and medium
US9392004B2 (en) Method and system for dynamic protocol decoding and analysis
CN1771709B (en) Network attack signature generation method and apparatus
US10291630B2 (en) Monitoring apparatus and method
US8516573B1 (en) Method and apparatus for port scan detection in a network
CN105637831B (en) For analyzing the method and system of data flow
US20030167404A1 (en) Security system for networks and the method thereof
CN107612890B (en) Network monitoring method and system
JP7065444B2 (en) Information processing equipment and information processing system
CN113691550B (en) Behavior prediction system of network attack knowledge graph
CN115632878B (en) Data transmission method, device, equipment and storage medium based on network isolation
US11838318B2 (en) Data plane with connection validation circuits
CN111625841B (en) Virus processing method, device and equipment
CN113973008B (en) Detection system, method, equipment and medium based on mimicry technology and machine learning
US10291632B2 (en) Filtering of metadata signatures
CN113132349A (en) Agent-free cloud platform virtual flow intrusion detection method and device
CN106656975B (en) Attack defense method and device
JP5531064B2 (en) COMMUNICATION DEVICE, COMMUNICATION SYSTEM, COMMUNICATION METHOD, AND COMMUNICATION PROGRAM
CN114697088B (en) Method and device for determining network attack and electronic equipment
USRE45381E1 (en) Network correction security system and method
CN113225356A (en) TTP-based network security threat hunting method and network equipment
KR20060042786A (en) Apparatus and method for detecting data looping status
US20150101036A1 (en) Network filtering device, network filtering method and computer-readable recording medium having stored therein a program
JP4411658B2 (en) Computer virus infected area detection method and network system
CN115499242B (en) Method and system for draining XDP from external network to internal network honeypot based on eBPF

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant