CN113315763A - Network security defense method based on heterogeneous group evolution game - Google Patents


Publication number
CN113315763A
Authority
CN
China
Prior art keywords: game, strategy, population, defender, defense
Legal status: Granted
Application number
CN202110557062.2A
Other languages
Chinese (zh)
Other versions
CN113315763B (en)
Inventor
王刚
张恩宁
马润年
伍维甲
严丽娜
唐剑
Current Assignee
Air Force Engineering University of PLA
Original Assignee
Air Force Engineering University of PLA
Application filed by Air Force Engineering University of PLA
Priority to CN202110557062.2A
Publication of CN113315763A
Application granted
Publication of CN113315763B
Legal status: Active

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The disclosure relates to a network security defense method based on a heterogeneous population evolution game, which comprises the following steps: dividing an attacker and a defender into different game populations according to the difference in their decision behaviors; constructing a heterogeneous population evolution game model according to the game populations; constructing a heterogeneous population replication dynamic equation according to the heterogeneous population evolution game model; and determining an optimal defense strategy by means of the heterogeneous population replication dynamic equation. The method improves the accuracy of network security defense decisions.

Description

Network security defense method based on heterogeneous group evolution game
Technical Field
The disclosure relates to the technical field of computer network information security, in particular to a network security defense method based on heterogeneous group evolution game.
Background
Information network technologies such as 5G and blockchain are accelerating the move from informatization to intelligent systems. At the same time, covert, efficient and targeted network attacks, represented by the Advanced Persistent Threat (APT), make the network security situation and defense decisions increasingly complex. Network security defense decision-making is the precondition and key link for applying network defense technology and tactics, and it rests on an accurate grasp of elements such as the characteristic rules of network attack and defense actions and the dynamic requirements of network service load.
In the related art, the network security defense method has limitations on the assumption of a game type, does not fully consider experience reference values and the intelligent requirements of decision behaviors, and cannot show the difference between an attack and defense party, so that the finally obtained network security defense decision is not accurate. Therefore, there is a need to improve one or more of the above problems in the related art solutions to improve the efficiency of platform dynamic defense under persistent and staged attacks.
It is to be noted that the information disclosed in the above background section is only for enhancement of understanding of the background of the present disclosure, and thus may include information that does not constitute prior art known to those of ordinary skill in the art.
Disclosure of Invention
The embodiment of the disclosure aims to provide a network security defense method based on heterogeneous group evolution game, so as to improve the accuracy of network security defense decision.
The invention provides a network security defense method based on heterogeneous group evolution game, which comprises the following steps:
dividing an attacker and a defender into different game groups according to the difference of decision behaviors of the attacker and the defender;
constructing a heterogeneous group evolution game model according to the game groups;
constructing a heterogeneous group replication dynamic equation according to the heterogeneous group evolution game model;
and determining an optimal defense strategy by means of the heterogeneous population replication dynamic equation.
In one embodiment of the present disclosure, the heterogeneous population evolution game model is a 4-tuple model (N, S, P, U), wherein,
$N=(N_A,N_D)$, where $N_A$ is the attacker participant total space, $N_A=(N_{A1},N_{A2},\dots,N_{Aj})$, and $N_{A1},N_{A2},\dots,N_{Aj}$ are the sub-populations of attacker participants; $N_D$ is the defender participant total space, $N_D=(N_{D1},N_{D2},\dots,N_{Di})$, and $N_{D1},N_{D2},\dots,N_{Di}$ are the sub-populations of defender participants;
$S=(S_A,S_D)$ is the mixed strategy space of the attack-defense game participant populations, where $S_A$ is the attacker participants' pure strategy total space, $S_A=(S_{A1},S_{A2},\dots,S_{Aj})$, and $S_{A1},S_{A2},\dots,S_{Aj}$ are the pure strategies selected by the attacker sub-populations; $S_D$ is the defender participants' pure strategy total space, $S_D=(S_{D1},S_{D2},\dots,S_{Di})$, and $S_{D1},S_{D2},\dots,S_{Di}$ are the pure strategies selected by the defender sub-populations;
$P=(P_A,P_D)$ is the game belief set, where $P_A$ is the attacker's game belief set, $P_A=(P_{A1},P_{A2},\dots,P_{Aj})$, and $P_{Aj}$ is the probability of selecting strategy $S_{Aj}$; $P_D$ is the defender's game belief set, $P_D=(P_{D1},P_{D2},\dots,P_{Di})$, and $P_{Di}$ is the probability of selecting strategy $S_{Di}$;
$U=(U_A,U_D)$ is the game payoff set, where $U_A$ is the attacker's game payoff set, $U_A=(U_{A1},U_{A2},\dots,U_{Aj})$, and $U_{Aj}$ is the expected payoff obtained by sub-population $N_{Aj}$ in a one-stage game by adopting pure strategy $S_{Aj}$; $U_D$ is the defender's game payoff set, $U_D=(U_{D1},U_{D2},\dots,U_{Di})$, and $U_{Di}$ is the expected payoff obtained by sub-population $N_{Di}$ in a one-stage game by adopting pure strategy $S_{Di}$.
In an embodiment of the present disclosure, in the game payoff set $U=(U_A,U_D)$,
Figure BDA0003077675470000021
is the average gain in space of the aggressor participant population,
Figure BDA0003077675470000022
Figure BDA0003077675470000023
is the average revenue of the defense participant population space,
Figure BDA0003077675470000024
In an embodiment of the disclosure, the payoff of the defender is calculated as $U_D=\delta\cdot C_r-O_{cost}$ and the payoff of the attacker is calculated as $U_A=\lambda\cdot C_r-A_{cost}$, where:
$C_r$ is the importance of the attacker's target resources in one complete attack-defense process;
$O_{cost}$ is the cost of the targeted adjustments the defender makes to defeat the attacker's attack;
$A_{cost}$ is the cost the attacker pays to attack;
$\lambda$ is the probability that the attacker successfully uses the vulnerability to infect the defender;
$\delta$ is the probability that the defender successfully clears the virus with the defensive action.
In an embodiment of the disclosure, the step of constructing the heterogeneous population replication dynamic equation according to the heterogeneous population evolution game model includes:
obtaining a basic replication dynamic equation according to the game belief set and the time derivative of the sub-population;
and improving the basic replication dynamic equation to obtain the heterogeneous population replication dynamic equation.
In one embodiment of the present disclosure, the basic replication dynamic equation is
Figure BDA0003077675470000031
where $P_{Di}'(t)$ corresponds to the defender's game belief at time $t$.
In an embodiment of the disclosure, the step of improving the basic replication dynamic equation to obtain the heterogeneous population replication dynamic equation includes:
and establishing a system dynamic equation according to a preset strategy learning mechanism, and improving the basic replication dynamic equation.
In an embodiment of the disclosure, the preset strategy learning mechanism is that, after each stage of the game ends, each sub-population of the attacker and of the defender randomly draws one other sub-population from its own population as the object of its thinking and learns that sub-population's strategy.
In one embodiment of the present disclosure, the heterogeneous population replication dynamic equation is
Figure BDA0003077675470000032
Wherein b is the resistance to thinking.
In an embodiment of the present disclosure, the heterogeneous group evolution game model is a dual heterogeneous group evolution game model.
The technical scheme provided by the disclosure can comprise the following beneficial effects:
in the embodiment of the disclosure, a heterogeneous population evolution game model is constructed through differential analysis of decision behaviors of an attacker and a defender, a heterogeneous population replication dynamic equation consistent with the heterogeneous population evolution game model is established, an optimal defense strategy is determined through the heterogeneous population replication dynamic equation, and the accuracy of network security defense decisions is improved.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure. It is apparent that the drawings in the following description are only some embodiments of the disclosure, and that other drawings may be derived from those drawings by a person of ordinary skill in the art without inventive effort.
FIG. 1 is a schematic diagram illustrating steps of a network security defense method based on heterogeneous group evolution gaming in an exemplary embodiment of the present disclosure;
FIG. 2 is a schematic diagram illustrating steps of a method for constructing a heterogeneous population replication dynamic equation according to a heterogeneous population evolution game model in an exemplary embodiment of the present disclosure;
FIG. 3 illustrates a convergence trajectory of an evolving stable solution in an exemplary embodiment of the disclosure;
FIG. 4 illustrates a convergence trajectory of a classical model evolution stable solution in an exemplary embodiment of the present disclosure;
FIG. 5 is a schematic diagram illustrating a topological environment of a network information system in an exemplary embodiment of the present disclosure;
FIG. 6 shows a policy selection probability variation trend of both attacking and defending parties in an exemplary embodiment of the disclosure;
FIG. 7 shows a policy selection probability variation trend of both attacking and defending parties under different values of b in the exemplary embodiment of the disclosure.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
Furthermore, the drawings are merely schematic illustrations of the present disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and thus their repetitive description will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
In this exemplary embodiment, a network security defense method based on heterogeneous group evolution game is first provided, and referring to fig. 1, the method may include the following steps:
Step S101: dividing an attacker and a defender into different game populations according to the difference in their decision behaviors;
Step S102: constructing a heterogeneous population evolution game model according to the game populations;
Step S103: constructing a heterogeneous population replication dynamic equation according to the heterogeneous population evolution game model;
Step S104: determining an optimal defense strategy by means of the heterogeneous population replication dynamic equation.
In the embodiment of the disclosure, a heterogeneous population evolution game model is constructed through differential analysis of decision behaviors of an attacker and a defender, a heterogeneous population replication dynamic equation consistent with the heterogeneous population evolution game model is established, an optimal defense strategy is determined through the heterogeneous population replication dynamic equation, and the accuracy of network security defense decisions is improved.
Hereinafter, each step of the above-described method in the present exemplary embodiment will be described in more detail.
In step S101, the "population" in the evolutionary game is derived from the population concept in biology. In biology, different populations of the same species differ in traits because of their different living environments, and the objects of study need to be distinguished into heterogeneous populations. In academia, a "population" in biology is mapped to a "population" in game theory, and different populations represent game participants that have the same attribute type but different decision-making modes in a game. In some network attack-defense game scenarios, both parties can be set as boundedly rational game participants, but their decision-making modes differ to some extent. For example, in terms of decision criteria, the defender needs to balance the resource importance of the protected node, the security deployment cost and the defense operation cost, while the attacker needs to consider factors such as attack cost and attack payoff. Therefore, the traditional evolutionary game, which assumes the same decision-making mode for all game participants, is essentially a homogeneous population evolutionary game. In contrast, the heterogeneous population evolutionary game better reflects the influence of the participants' different decision-making modes on the game equilibrium, and a network attack-defense game in which the attacker and the defender have different payoff functions is a dual heterogeneous population evolutionary game.
Specifically, in a real-world environment, the incompleteness of network situation information and the limited rationality of decision makers make it difficult for network attacking and defending parties to completely know the accurate real-time information of opponents, and under the condition of incomplete information, the cognition and decision modes of the attacking and defending parties are different, so that the difference of attacking and defending behaviors and heterogeneous population evolution game characteristics of attacking and defending decisions are caused.
In step S102, concepts in biology are mapped into a game model. The group in the game model represents a set of individuals in the same category, namely the group; the sub-population represents a set of individuals with the same characteristics, i.e., a set of individuals with the same traits, and the sub-population belongs to the population.
The network attack and defense game is a symmetrical game, and all game participants are divided into network attackers and network defenders according to their attributes. A Dual Heterogeneous Population Evolution Game Model (DHPEGM) is constructed according to the game populations. Specifically, the dual heterogeneous population evolution game model can be represented as a 4-element ordered set (N, S, P, U), where:
$N=(N_A,N_D)$, where $N_A$ is the attacker participant total space, $N_A=(N_{A1},N_{A2},\dots,N_{Aj})$, and $N_{A1},N_{A2},\dots,N_{Aj}$ are the sub-populations of attacker participants; $N_D$ is the defender participant total space, $N_D=(N_{D1},N_{D2},\dots,N_{Di})$, and $N_{D1},N_{D2},\dots,N_{Di}$ are the sub-populations of defender participants;
$S=(S_A,S_D)$ is the mixed strategy space of the attack-defense game participant populations, where $S_A$ is the attacker participants' pure strategy total space, $S_A=(S_{A1},S_{A2},\dots,S_{Aj})$, and $S_{A1},S_{A2},\dots,S_{Aj}$ are the pure strategies selected by the attacker sub-populations; $S_D$ is the defender participants' pure strategy total space, $S_D=(S_{D1},S_{D2},\dots,S_{Di})$, and $S_{D1},S_{D2},\dots,S_{Di}$ are the pure strategies selected by the defender sub-populations;
$P=(P_A,P_D)$ is the game belief set, where $P_A$ is the attacker's game belief set, $P_A=(P_{A1},P_{A2},\dots,P_{Aj})$, and $P_{Aj}$ is the probability of selecting strategy $S_{Aj}$; $P_D$ is the defender's game belief set, $P_D=(P_{D1},P_{D2},\dots,P_{Di})$, and $P_{Di}$ is the probability of selecting strategy $S_{Di}$;
$U=(U_A,U_D)$ is the game payoff set, where $U_A$ is the attacker's game payoff set, $U_A=(U_{A1},U_{A2},\dots,U_{Aj})$, and $U_{Aj}$ is the expected payoff obtained by sub-population $N_{Aj}$ in a one-stage game by adopting pure strategy $S_{Aj}$; $U_D$ is the defender's game payoff set, $U_D=(U_{D1},U_{D2},\dots,U_{Di})$, and $U_{Di}$ is the expected payoff obtained by sub-population $N_{Di}$ in a one-stage game by adopting pure strategy $S_{Di}$.
In one embodiment, in the game payoff set $U=(U_A,U_D)$,
Figure BDA0003077675470000061
is the average gain in space of the aggressor participant population,
Figure BDA0003077675470000062
Figure BDA0003077675470000063
is the average revenue of the defense participant population space,
Figure BDA0003077675470000064
Specifically, the payoff refers to the incremental effect of the game on the fitness of the game participants. Taking the defender as an example, when $U_{Di}=1$ the game does not influence strategy selection; when $U_{Di}>1$ strategy selection is positively influenced; and when $U_{Di}<1$ strategy selection is negatively influenced.
In step S103, a heterogeneous population replication dynamic equation is constructed according to the heterogeneous population evolution game model. And a pure strategy stable feasible solution and an optimal defense pure strategy selection algorithm based on a potential function are designed by combining the deterministic requirement of a network security defense single decision and the limitation of the traditional Nash equilibrium solution.
In one embodiment, referring to fig. 2, step S103 further includes steps S201 and S202.
Step S201: obtaining a basic replication dynamic equation according to the game belief set and the time derivative of the sub-population;
step S202: and improving the basic replication dynamic equation to obtain the heterogeneous population replication dynamic equation.
Specifically, the network defense game is a multi-stage game, and in each stage one individual is randomly drawn from each party's sub-populations to play. In the following stage, each game participant "imitates" the game strategy of the previous stage. For each stage, the natural birth rate of the game participants is $\beta$ ($\beta\ge 0$), the natural death rate is $\delta$ ($\delta\ge 0$), and the natural birth rate represents the adaptability of the game participants to the environment of the stage, namely the probability that the two network attack-defense parties quit the game before and during the stage because of network outage, disconnection and other factors beyond their control.
Then in step S201, the time derivative $N_{Di}'(t)$ of the sub-population $N_{Di}(t)$ at time $t$ is:
$$N_{Di}'(t)=(\beta+U_{Di}(t)-\delta)\cdot N_{Di}(t) \tag{1}$$
Combining the meaning of the game belief set, at any time $t$:
$$P_{Di}(t)\cdot N_D(t)=N_{Di}(t) \tag{2}$$
Differentiating both sides of equation (2) with respect to $t$ and rearranging gives:
Figure BDA0003077675470000071
Equation (3) is the basic replication dynamic equation, where $P_{Di}'(t)$ corresponds to the defender's game belief at time $t$.
For example, in a certain stage of the game, the payoff of the defender can be expressed as:
$$U_D=\delta\cdot C_r-O_{cost} \tag{4}$$
The payoff of the attacker comes from what is gained after infecting the platform and is related to the infection probability, so it can be expressed as:
$$U_A=\lambda\cdot C_r-A_{cost} \tag{5}$$
where $C_r$ is the importance of the attacked target resources in one complete attack-defense process. $O_{cost}$ is the cost of the targeted adjustments the defender makes to defeat the attacker, a penalty such as increased system overhead or decreased quality of service. $A_{cost}$ is the attack cost, which in this embodiment is related to the threat level of the vulnerability: the higher the threat level of the vulnerability, the lower the attack cost. $\lambda$ is the probability that the attacker successfully uses the vulnerability to infect the defender. $\delta$ is the probability that the defender successfully clears the virus with the defensive action.
In step S202, a system dynamics equation may be established according to a preset strategy learning mechanism, and the basic replication dynamics equation may be modified.
In a multi-stage game, the parties are generally not satisfied with the payoff of their current-stage strategy and believe that a better strategy exists. Under this dissatisfaction assumption, both parties look for other strategies to learn from and adopt a new strategy in the next stage of the game; this is the strategy "thinking-learning" mechanism. In a specific embodiment, the preset strategy learning mechanism is that, after each stage of the game ends, each sub-population of the attacker and of the defender randomly draws one other sub-population from its own population as the object of its thinking and learns that sub-population's strategy.
Obviously, actual network attack-defense game decisions are by nature based on the "thinking-learning" mechanism. After each stage of the game ends, the "thinking-learning" mechanism can be combined with modeling analysis to establish an evolutionary game model and a system dynamic equation consistent with it. Under bounded rationality, the strategy adjustment behavior of an attack-defense sub-population based on the "thinking-learning" mechanism can be regarded as an independent-increment process that accumulates the number of occurrences of random events, namely a Poisson process. The "thinking-learning" times of a sub-population can be approximated as the arrival times of the Poisson process, and the arrival rate of the Poisson process is the average thinking rate $R_s$. Assuming that the Poisson distributions of the sub-populations are statistically independent of each other, the sum of the "thinking-learning" times of the sub-populations adopting defense strategy $S_{Di}$ is a Poisson process whose arrival rate $P_{arrive}$ is:
$$P_{arrive}=P_{Di}\cdot R_s(N_{Di}) \tag{6}$$
Define the defense strategy transition probability
Figure BDA0003077675470000081
as the probability that a sub-population in the defender population other than $N_{Di}$ switches its defense strategy to $S_{Di}$. In this example, thinking is driven by the sub-population's dissatisfaction with its own strategy, while the sub-population drawn in each round of thinking is random, and therefore
Figure BDA0003077675470000082
If the transitions of defense strategies are also statistically independent, the arrival rate $P_{arrive}$ of the overall Poisson process of transitioning from other strategies to $S_{Di}$ in the population is:
Figure BDA0003077675470000083
By the law of large numbers, the population's random process is treated as a deterministic flow; the inflow $P_{in}$ into sub-population $N_{Di}$ from the sub-population $N_{Dj}$ that selects defense strategy $S_{Dj}$ is then:
Figure BDA0003077675470000084
The outflow $P_{out}$ of sub-population $N_{Di}$ is:
Figure BDA0003077675470000091
The game belief $P_{Di}$ of the defense strategy then changes as:
Figure BDA0003077675470000092
If the thinking rate of the sub-populations with unsuccessful strategies is higher than that of the sub-populations with more successful strategies, a selection dynamic that is strictly monotonically decreasing in payoff arises. Introducing a Lipschitz-continuous potential function $\rho(x)$ that is strictly monotonically decreasing in its argument $x$, the average thinking rate can be expressed as:
$$R_s(N_{Di})=\rho(U_{Di}) \tag{11}$$
The selection probability $P_{Di}$ of defense strategy $S_{Di}$ can be expressed as:
Figure BDA0003077675470000093
Assuming that the thinking rate of a sub-population is linearly decreasing in its current payoff, then
$$\rho(U_{Di})=a-b\cdot U_{Di}\quad(a,b\in\mathbb{R}) \tag{13}$$
Requiring the thinking rate $R_s(N_{Di})$ to be non-negative, the heterogeneous population replication dynamic equation is obtained as
Figure BDA0003077675470000094
In this case $P_{Di}'$ has a strict Nash equilibrium; if the time argument is ignored, equation (14) is a constant multiple of equation (3). $b$ is the rate of the thinking ability, corresponding to the rate at which the strategy is adjusted to a steady state.
Stability analysis is carried out next. Starting from the necessary and sufficient condition for the evolutionary stability of the heterogeneous population evolution game, the credibility and reasonableness of the decision are verified through a stability proof and an example analysis of the pure strategy evolutionary equilibrium solution of the game model.
1. Mathematical proof
First, the definitions of evolutionary stability and of the optimal strategy set are introduced:
For different mixed strategies $S_x,S_y$ of the game participants, if there exists $\varepsilon_y\in(0,1)$ such that the inequality $U(S_x,S_\omega)\ge U(S_y,S_\omega)$ holds for all $\varepsilon\in(0,\varepsilon_y)$, then $S_x$ is an evolutionarily stable strategy. Here $S_\omega=\varepsilon S_y+(1-\varepsilon)S_x$ is the new mixed strategy formed after mixed strategy $S_y$ invades the original mixed strategy space, $\varepsilon_y$ is the probability that the invading strategy $S_y$ is selected in the game, $U(S_x,S_\omega)$ is the payoff of the original strategy space after it is invaded by strategy $S_y$, and $U(S_y,S_\omega)$ is the payoff of the invading strategy.
The optimal strategy set
Figure BDA0003077675470000095
refers to the set of the evolutionarily stable strategies $S_i$ of all game participants $N_i$,
Figure BDA0003077675470000101
Obviously, the set
Figure BDA0003077675470000102
is a strict Nash equilibrium of the game.
Theorem 1: the necessary and sufficient condition for the heterogeneous population $N$ to be evolutionarily stable is that $N$ has a strict Nash equilibrium.
Sufficiency: let the heterogeneous population $N$ be evolutionarily stable and fix the position $N_i$ of a game participant in the total game space. Let
Figure BDA0003077675470000103
and let $S_{yj}=S_{xj}$ for all $j\ne i$. For the mixed strategy $S_\omega=\varepsilon S_y+(1-\varepsilon)S_x$, where $\varepsilon\in(0,\varepsilon_y)$, for any $i$ we have $U(S_{xi},S_{\omega i})=U(S_{yi},S_{\omega i})$, and for all $j\ne i$ we have $U(S_{xj},S_{-\omega j})=U(S_{yj},S_{-\omega j})$, where $S_{-\omega i}$ is the complement in the strategy space of the mixed strategy $S_{\omega i}$ of game party $N_i$. By evolutionary stability, $S_y=S_x$ and
Figure BDA0003077675470000104
Thus
Figure BDA0003077675470000105
so a strict Nash equilibrium exists for $N$.
Necessity: let the heterogeneous population $N$ have a strict Nash equilibrium, fix the position $N_i$ of a game participant in the total game space, and let $S_y\ne S_x$. For any $i$, $U(S_{xi},S_{-xi})=U(S_{xi})>U(S_{yi},S_{-xi})$. Since the payoff $U(S_{xi})$ is a continuous function, there must exist $\varepsilon_y\in(0,1)$ such that for any $\varepsilon\in(0,\varepsilon_y)$ and $S_\omega=\varepsilon S_y+(1-\varepsilon)S_x$ we have $U(S_{xi},S)>U(S_{yi},S)$, i.e. the heterogeneous population $N$ is evolutionarily stable.
From the above analysis, the form of $R_s$ determines whether the equation has an asymptotically stable evolutionary equilibrium solution. In the game model, unstable evolutionary equilibrium solutions cannot form a feasible and credible preferred strategy, so the concepts of the potential game and the potential function are introduced: if the strategy change of each sub-population is monotonic and can be mapped into a global monotonic function, that global monotonic function is a potential function, and a strict Nash equilibrium must exist in the game. Introducing the potential function into equation (12) therefore lets the heterogeneous population evolution game model obtain an evolutionarily stable solution, so that effective and accurate defense decisions can be made.
Each potential game has a pure strategy evolutionarily stable solution.
Let the heterogeneous population game be $N=(N_1,N_2,\dots,N_m)$ and let the function $\rho(x)$ be a potential function of the heterogeneous population game. Then the stable solution of $N_i$ can be mapped to $N(\rho(i))$ if and only if $U(\rho(i))>U(-\rho(i))$. Since the potential function is monotonic, $N(\rho(i))$ has a pure strategy evolutionarily stable solution, and therefore $N_i$ has a pure strategy evolutionarily stable solution.
2. Example analysis
Taking a 2 x 2 attack-defense symmetrical game as an example, the process of solving for the evolutionary equilibrium solution is derived. The attacker and the defender each contain two sub-populations, $N_{A1},N_{A2}$ and $N_{D1},N_{D2}$, with corresponding pure strategies $S_{A1},S_{A2}$ and $S_{D1},S_{D2}$. Taking the defender as an example, the payoff matrix can be expressed as:
Figure BDA0003077675470000106
matrix UDIs a standardized matrix, reducing the number of variables that need to be observed. u. of1Is that the attacker adopts a pure strategy SA1The defender then adopts a pure strategy SD1The relative gain obtained; u. of2Is that the attacker adopts a pure strategy SA2The defender then adopts a pure strategy SD2The relative gain achieved. Substituting equation (14) to derive the replication dynamic equation of the corresponding defender and attacker:
PA1′=b·[(u1+u2)·PD1-u2]·PA1·(1-PA1)
PD1′=b·[(u1+u2)·PA1-u2]PD1·(1-PD1) (16)
PA2′=-PA1′,PD2′=-PD1
and analyzing the stability of the game evolution stable solution by using a MATLAB experimental tool. From the formula (15), u1,u2The positive and negative values of (c) will influence the evolution trend of the game, u1,u2The numerical value of the game cannot influence the evolution trend of the game; the value of b affects the rate of evolution of the game. In the experiment, for u1,u2And b, adjusting the value of b for multiple times, and finding that the convergence result of the evolution stable solution is not influenced. Setting | u1|=0.4,|u20.6, 1, initial game belief PA1,PD1Is a random number of (0,1), and fig. 3 corresponds to the results of 100 monte carlo simulation experiments.
In fig. 3, the dots in the middle of the box are pure strategy solution convergence points, and the dots at the corners of the box are mixed strategy solution convergence points. When u is shown in FIGS. 1(b) and (d)1·u2When the number is less than 0, the game beliefs do not change symbols in the state space, and starting from any initial position in the state space, the overall states of the game parties can converge to a strict dominance pure strategy, namely when u is1=0.4,u2Pure strategy S is adopted by an attacker when the time is-0.6 hoursA1The defensive party adopts a pure strategy SD1;u1=-0.4,u2The attacker adopts a pure strategy S when the time is 0.6 hoursA2The defensive party adopts a pure strategy SD2
Analysis of FIGS. 3(a) and (c) shows that when $u_1\cdot u_2>0$, the game has two strict pure-strategy Nash equilibria and one mixed-strategy Nash equilibrium. From equation (16), when the game converges to the mixed-strategy Nash equilibrium, $P_{A1}=u_2/(u_1+u_2)$ and $P_{D1}=u_2/(u_1+u_2)$. The mixed-strategy Nash equilibrium point of the game is unstable and changes with the values of $u_1, u_2$. Therefore, when $u_1\cdot u_2>0$, the game has only two stable strict pure-strategy Nash equilibria. Further analysis of FIG. 3(a) shows that the mixed-strategy Nash equilibrium is a saddle point and that, apart from the curve passing through the saddle point, all other solution trajectories converge to the two stable pure-strategy Nash equilibria: when $u_1=0.4$, $u_2=0.6$, either the attacker adopts pure strategy $S_{A1}$ and the defender adopts pure strategy $S_{D1}$, or the attacker adopts pure strategy $S_{A2}$ and the defender adopts pure strategy $S_{D2}$. Further analysis of FIG. 3(c) shows that the strategies of the two sides of the attack-defense game can converge to a more extreme case: when $u_1=-0.4$, $u_2=-0.6$, either the attacker adopts pure strategy $S_{A1}$ and the defender adopts pure strategy $S_{D2}$, or the attacker adopts pure strategy $S_{A2}$ and the defender adopts pure strategy $S_{D1}$.
Compared with other related literature: in the dual homogeneous population evolutionary game model, the mixed-strategy evolutionary stable solution of the 2×2 symmetric game model is stable and can serve as a reference for the optimal defense strategy [10,15], but in the dual heterogeneous population game model, the mixed-strategy evolutionary stable solution of the 2×2 symmetric game model is a saddle point and is not strictly stable. This also matches the characteristics of actual games: when the game takes place between two distinct groups, behavior shows a tendency toward the "extreme", and decisions become more and more biased towards a single strategy.
To further demonstrate the ability of the model and the algorithm to overcome factual deviation, a set of comparison experiments is set up. The replication dynamic equation in the classical model is:
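$$P_{A1}' = [(u_1+u_2)\cdot P_{A1}-u_2]\cdot P_{A1}\cdot(1-P_{A1})$$
$$P_{D1}' = [(u_1+u_2)\cdot P_{D1}-u_2]\cdot P_{D1}\cdot(1-P_{D1}) \tag{17}$$
$$P_{A2}' = -P_{A1}',\quad P_{D2}' = -P_{D1}'$$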
Comparing formulas (16) and (17) shows that, in the classical model, the strategy adjustment of the attacker and the defender does not consider the other side's change of game strategy, but adjusts strategy selection through the change in gain. However, the real network attack and defense game is a normal game, and the attacker and the defender measure gain in different ways. When the classical model is applied to select the optimal defense strategy, it can be induced by a deceptive strategy of the attacker to produce an erroneous strategy reference result. To demonstrate this, $|u_1|=0.4$ and $|u_2|=0.6$ are kept unchanged, the initial game beliefs $P_{A1}, P_{D1}$ are random numbers in (0,1), and fig. 4 shows 100 Monte Carlo simulation experiments of the classical model.
Analysis of FIG. 4(a) shows that when $u_1>0$, $u_2>0$, the game result is tied to the initial game beliefs $P_{A1}, P_{D1}$, and strategy preference cannot be realized. Analysis of FIG. 4(c) shows that when $u_1<0$, $u_2<0$, the game converges to the mixed-strategy Nash equilibrium point (0.6, 0.6); the game result then appears in probabilistic form, which does not serve the real-world requirement for certainty in decisions. Comparing FIGS. 3(b)(d) with FIGS. 4(b)(d), when $u_1\cdot u_2<0$ the evolutionary stable solutions of the classical model and of the dual heterogeneous evolution game model are completely opposite. It should be noted that, because the evolution of the defense strategy in the classical model does not consider the change in the attacker's game beliefs, the attacker can exploit this weakness to design a deceptive strategy that misleads the defender. In contrast, the model and the algorithm provided by the embodiment can overcome the factual deviation caused by the homogeneous group assumption in the classical model, and provide a credible defense decision reference for network security defense.
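The comparison above can be reproduced numerically. The following Python code is an added example, not code from the patent (whose experiments used MATLAB): it integrates equations (16) and (17) as printed, covering the four sign cases of (16), the $u_1\cdot u_2>0$ cases of (17), and the effect of $b$ on convergence speed. The Euler step, tolerance, random seed and all function names are assumptions.

```python
import random
from collections import Counter


def heterogeneous_rhs(pa, pd, u1, u2, b=1.0):
    """Equation (16): each side's update is driven by the opponent's belief."""
    k = u1 + u2
    return (b * (k * pd - u2) * pa * (1 - pa),
            b * (k * pa - u2) * pd * (1 - pd))


def classical_rhs(pa, pd, u1, u2, b=1.0):
    """Equation (17): each side's update sees only its own belief (b is unused)."""
    k = u1 + u2
    return ((k * pa - u2) * pa * (1 - pa),
            (k * pd - u2) * pd * (1 - pd))


def evolve(rhs, pa, pd, u1, u2, b=1.0, dt=0.05, tol=1e-9, max_steps=100_000):
    """Forward-Euler integration of (P_A1, P_D1) until both derivatives vanish.

    dt, tol and max_steps are assumptions of this example, not values from the page.
    Returns ((P_A1, P_D1) rounded to 3 places, number of Euler steps taken).
    """
    step = 0
    for step in range(1, max_steps + 1):
        da, dd = rhs(pa, pd, u1, u2, b)
        if abs(da) + abs(dd) < tol:
            break
        # Beliefs are probabilities, so clamp against Euler overshoot.
        pa = min(1.0, max(0.0, pa + dt * da))
        pd = min(1.0, max(0.0, pd + dt * dd))
    return (round(pa, 3), round(pd, 3)), step


def monte_carlo(rhs, u1, u2, runs=100, seed=2021):
    """Tally the end points reached from `runs` random initial beliefs in (0,1)."""
    rng = random.Random(seed)  # constructed sample inputs, fixed seed for repeatability
    ends = Counter()
    for _ in range(runs):
        end, _steps = evolve(rhs, rng.random(), rng.random(), u1, u2)
        ends[end] += 1
    return ends


if __name__ == "__main__":
    for u1, u2 in [(0.4, 0.6), (0.4, -0.6), (-0.4, -0.6), (-0.4, 0.6)]:
        print(f"eq.(16) u1={u1:+} u2={u2:+}:", dict(monte_carlo(heterogeneous_rhs, u1, u2)))
    for u1, u2 in [(0.4, 0.6), (-0.4, -0.6)]:
        print(f"eq.(17) u1={u1:+} u2={u2:+}:", dict(monte_carlo(classical_rhs, u1, u2)))
    # Larger b rescales time in (16): same end point, fewer steps.
    for b in (0.5, 1.0, 1.5):
        end, steps = evolve(heterogeneous_rhs, 0.7, 0.3, 0.4, -0.6, b=b)
        print(f"b={b}: reaches {end} after {steps} steps")
```

With $u_1, u_2>0$, equation (17) can end in any of the four corners because each belief evolves independently around the threshold 0.6, whereas equation (16) only reaches the two corners named in the text.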
3. Simulation analysis
Taking a classic network information system design as a reference, a simple network information system is deployed for simulation experiments to verify the effectiveness of the disclosed model and method. The topological environment of the network information system is shown in fig. 5.
The firewall and the gateway divide the network into an external network area where the attacker is located, an isolation area (DMZ) where the experiments are performed, and an internal network area where the defender (user) is located. The access control policy of the firewall is that non-intranet hosts can only access the FTP server, the Web server, the E-MAIL server and the bastion host H in the DMZ; the three servers in the DMZ are Cisco servers. The experimental network information system is scanned with the Nessus tool. Combining the vulnerability information provided by the National Information Security Vulnerability Database (CNNVD) with the definitions of network defense strategies and operation costs by Jiang Wei et al., the atomic attack strategies used in the experiment are shown in table 1 and the atomic defense strategies in table 2.
TABLE 1 atomic attack strategy
Figure BDA0003077675470000131
TABLE 2 atomic defense strategy
Figure BDA0003077675470000132
Attacking through high-score vulnerabilities yields short-term gain and takes effect quickly, but does not favor the appreciation of gain from long-term holding (the zero-day vulnerability is a classic example); attacking through low-score vulnerabilities has high cost and low gain per attack. In this embodiment, exploiting high-score vulnerabilities is set as the adventure-type attack strategy $S_{A1}=(a_1,a_2,a_3)$, and exploiting low-score vulnerabilities is set as the conservative attack strategy $S_{A2}=(a_4,a_5)$.
The strategy gain of the defender depends mainly on the operating cost $O_{cost}$; defense strategies with low operating cost tend to be less effective. Thus, the use of high-operating-cost strategies is set herein as the adventure-type defense strategy $S_{D1}=(b_4,b_5)$, and the use of low-operating-cost strategies is set as the conservative defense strategy $S_{D2}=(b_1,b_2)$. Setting the resource importance degree $C_r$ and combining the gain calculation formulas (4) and (5), the resulting attack and defense strategy gains are shown in table 3.
TABLE 4 attack and defense strategy revenue quantification
Figure BDA0003077675470000141
When strategy income is calculated, the strategy income is considered to be equal to the average income of atomic attack and defense actions contained in the strategy, and an income quantization matrix of both the attack and defense parties is given by combining a formula (15):
Figure BDA0003077675470000142
Figure BDA0003077675470000143
Experiment 1 Attack and defense strategy selection probability variation trend
In conjunction with equations (17) and (18), the convergence of the evolutionary stable strategy under the experimental conditions is first investigated with the control variable $b=1$. Four groups of initial game beliefs $(P_{A1},P_{D1})$ are used, representing respectively: neither the attacker nor the defender has a strategy selection tendency; the attacker tends to choose strategy $S_{A1}$ and the defender tends to choose strategy $S_{D2}$; the attacker tends to choose strategy $S_{A2}$ and the defender tends to choose strategy $S_{D1}$; the attacker tends to choose strategy $S_{A1}$ and the defender tends to choose strategy $S_{D1}$. These cover the different situations. Fig. 6 shows the simulation result of the strategy selection probability variation trend of both the attacker and the defender.
Analysis of FIGS. 6(a)(b) shows that for the different initial game beliefs $(P_{A1},P_{D1})=(0.5,0.5),(0.7,0.3),(0.3,0.7),(0.6,0.6)$, $P_{A1}$ always converges to 1 and $P_{A2}$ always converges to 0; $P_{D1}$ always converges to 1 and $P_{D2}$ always converges to 0. Further analysis with the experimental values of $U_A$, $U_D$ shows that when the relative gain $u_1$ of the adventure-type strategy is far greater than the relative gain $u_2$ of the conservative strategy, both the network attacker and the defender will finally select the adventure-type strategy, regardless of whether they had a strategy selection tendency before the game started.
Experiment 2 influence of the counterintuitive ability b on attack and defense strategy selection
Keeping $u_1, u_2$ unchanged and setting the initial game beliefs $(P_{A1},P_{D1})=(0.7,0.3)$, the influence of parameter $b$ on the game result is studied, taking $b=0.5, 1, 1.5$ respectively. Fig. 7 shows the simulation result of the strategy selection probability variation trend of both the attacker and the defender under the different values of $b$.
As can be seen from the analysis of fig. 7, when $b=0.5, 1, 1.5$, the numbers of evolutions required for strategy $P_{A1}$ to reach evolutionary stability are 36, 15 and 7 respectively; the numbers of evolutions required for strategy $P_{D1}$ to reach evolutionary stability are 117, 59 and 39 respectively. Taking $b=1$ as the reference, when $b<1$ the game strategy needs more evolutions to reach the evolutionary stable state; when $b>1$ the game strategy needs fewer evolutions to reach the evolutionary stable state. Therefore, the backstepping capability $b$ influences the speed at which the game result is solved. The practical significance is that a sub-population with weak thinking resistance ($b<1$) needs more time to adapt to the environment and make a decision, while a sub-population with stronger thinking resistance ($b>1$) adapts to the environment better and responds with decisions more quickly. In theory, adjusting the parameter $b$ appropriately so that it corresponds to the time window of each game can improve the time sensitivity of the game result.
The network security defense method based on the heterogeneous group evolution game addresses the problem of accurate decision-making in network security defense through research on a decision method based on the heterogeneous group evolution game: the limitations of the traditional homogeneous group game model are analyzed using the biological concept of a population, a heterogeneous group evolution game model is constructed, an optimal defense strategy selection algorithm based on a strategy backstepping mechanism is designed, and a global monotone potential function is introduced to analyze the feasibility and stability of the model's solution. The feasibility and credibility of the dual heterogeneous population evolution game model and the strategy selection algorithm are verified through simulation.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.

Claims (10)

1. A network security defense method based on heterogeneous group evolution game is characterized by comprising the following steps:
dividing an attacker and a defender into different game groups according to the difference of decision behaviors of the attacker and the defender;
constructing a heterogeneous group evolution game model according to the game groups;
constructing a heterogeneous group replication dynamic equation according to the heterogeneous group evolution game model;
and determining an optimal defense strategy through the heterogeneous group replication dynamic equation.
2. The method of claim 1, wherein the heterogeneous population evolution game model is a 4-tuple model (N, S, P, U),
$N=(N_A,N_D)$, where $N_A$ is the aggressor participant total space, $N_A=(N_{A1},N_{A2},\dots,N_{Aj})$, $N_{A1},N_{A2},\dots,N_{Aj}$ are sub-populations of aggressor participants, $N_D$ is the defender participant total space, $N_D=(N_{D1},N_{D2},\dots,N_{Di})$, and $N_{D1},N_{D2},\dots,N_{Di}$ are sub-populations of defender participants;
$S=(S_A,S_B)$ is the mixed strategy space of the attack and defense game participant groups, where $S_A$ is the pure strategy total space of the aggressor participants, $S_A=(S_{A1},S_{A2},\dots,S_{Aj})$, $S_{A1},S_{A2},\dots,S_{Aj}$ are the pure strategies selected by the sub-populations of aggressor participants, $S_D$ is the pure strategy total space of the defender participants, $S_D=(S_{D1},S_{D2},\dots,S_{Di})$, and $S_{D1},S_{D2},\dots,S_{Di}$ are the pure strategies selected by the sub-populations of defender participants;
$P=(P_A,P_D)$ is the game belief set, where $P_A$ is the set of game beliefs of aggressors, $P_A=(P_{A1},P_{A2},\dots,P_{Aj})$, $P_{Aj}$ is the probability of selecting strategy $S_{Aj}$, $P_D$ is a set of game beliefs of aggressors, $P_D=(P_{D1},P_{D2},\dots,P_{Di})$, and $P_{Di}$ is the probability of selecting strategy $S_{Di}$;
$U=(U_A,U_D)$ is the game gain set, where $U_A$ is the aggressor game gain set, $U_A=(U_{A1},U_{A2},\dots,U_{Aj})$, $U_{Aj}$ is the expected gain obtained by sub-population $N_{Aj}$ adopting pure strategy $S_{Aj}$ in a one-stage game, $U_D$ is the defender game gain set, $U_D=(U_{D1},U_{D2},\dots,U_{Di})$, and $U_{Di}$ is the expected gain obtained by sub-population $N_{Di}$ adopting pure strategy $S_{Di}$ in a one-stage game.
3. The method of claim 2, wherein, in the game gain set $U=(U_A,U_D)$,
Figure FDA0003077675460000011
is the average gain in space of the aggressor participant population,
Figure FDA0003077675460000012
Figure FDA0003077675460000013
is the average revenue of the defense participant population space,
Figure FDA0003077675460000021
4. The method of claim 2, wherein the gain calculation formula of the defender is $U_D=\delta\cdot C_r-O_{cost}$ and the gain calculation formula of the attacker is $U_A=\lambda\cdot C_r-A_{cost}$, wherein
$C_r$ is the importance degree of the attacker's target resources in a complete attack and defense process;
$O_{cost}$ is the cost of the defender making targeted adjustments to defeat the attacker's attack;
$A_{cost}$ is the cost paid by the attacker to attack;
$\lambda$ is the probability of the attacker successfully using the vulnerability to infect the defender;
$\delta$ is the probability of the defender successfully clearing the virus with the defending action.
5. The method of claim 2, wherein the step of constructing the heterogeneous population replication dynamic equation according to the heterogeneous population evolution game model comprises:
obtaining a basic replication dynamic equation according to the game belief set and the time derivative of the sub-population;
and improving the basic replication dynamic equation to obtain the heterogeneous population replication dynamic equation.
6. The method of claim 5, wherein the base replication dynamic equation is
Figure FDA0003077675460000022
$P_{Di}'(t)$ corresponds to the defender's game beliefs at time $t$.
7. The method of claim 6, wherein the step of refining the base replication dynamic equation to obtain the heterogeneous population replication dynamic equation comprises:
and establishing a system dynamic equation according to a preset strategy learning mechanism, and improving the basic replication dynamic equation.
8. The method of claim 7, wherein the predetermined strategy learning mechanism is that after each stage of game is over, each sub-population of the attacker and the defender randomly extracts one other sub-population from the population as a countering object to perform strategy learning.
9. The method of claim 7, wherein the heterogeneous population replication dynamic equation is
Figure FDA0003077675460000023
Wherein b is the resistance to thinking.
10. The method of claim 1, wherein the heterogeneous population evolution game model is a dual heterogeneous population evolution game model.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110557062.2A CN113315763B (en) 2021-05-21 2021-05-21 Network security defense method based on heterogeneous group evolution game

Publications (2)

Publication Number Publication Date
CN113315763A true CN113315763A (en) 2021-08-27
CN113315763B CN113315763B (en) 2022-12-09

Family

ID=77373955

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110557062.2A Active CN113315763B (en) 2021-05-21 2021-05-21 Network security defense method based on heterogeneous group evolution game

Country Status (1)

Country Link
CN (1) CN113315763B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114428999A (en) * 2022-04-02 2022-05-03 中国人民解放军96901部队 Unmanned aerial vehicle earth attack and defense strategy selection method based on evolutionary game model

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2271047A1 (en) * 2009-06-22 2011-01-05 Deutsche Telekom AG Game theoretic recommendation system and method for security alert dissemination
CN108833402A (en) * 2018-06-11 2018-11-16 中国人民解放军战略支援部队信息工程大学 A kind of optimal defence policies choosing method of network based on game of bounded rationality theory and device
CN109617863A (en) * 2018-11-27 2019-04-12 杭州电子科技大学 A method of the mobile target based on game theory defends optimal defence policies to choose
CN111224966A (en) * 2019-12-31 2020-06-02 中国人民解放军战略支援部队信息工程大学 Optimal defense strategy selection method based on evolutionary network game
CN111935161A (en) * 2020-08-14 2020-11-13 国网重庆市电力公司电力科学研究院 Network attack and defense analysis method and system based on game theory

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
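Gang Wang: "Threat Models and Security of Phase-Change Memory", IEEE *
Yang Junnan et al.: "Network defense decision-making method based on stochastic game and improved WoLF-PHC", Journal of Computer Research and Development *
Huang Jianming et al.: "Defense strategy selection method based on attack-defense evolutionary game model", Journal on Communications *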

Also Published As

Publication number Publication date
CN113315763B (en) 2022-12-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant