CN114297652B - Endorsement chain system capable of preventing unknown network attack - Google Patents
Publication number: CN114297652B (application CN202111645858.XA)
Authority: CN (China)
Prior art keywords: endorsement, authentication, chain, sensitive, nodes
Legal status: Active
Landscapes: Computer And Data Communications (AREA)
Abstract
The invention discloses an endorsement chain system capable of preventing unknown network attacks, and provides a mode for constructing an endorsement chain by fusing sensitive service extraction, backward authentication shift, external authentication, a chain structure, dynamic credibility and the like.
Description
Technical Field
The invention belongs to the technical field of network space security, and particularly relates to an endorsement chain system capable of preventing unknown network attacks.
Background
The cyberspace security field has not given a well-recognized, definite definition of "unknown cyber attacks"; an attack can generally be considered unknown when it satisfies the following two conditions: when an attacker launches a network attack on a defender's information system through the Internet, the defender does not know whether a vulnerability exists in the information system to be protected, or which vulnerability it is; and the defender also does not know the attacker's attack characteristics, attack methods, tools used, attack samples, activity time, etc.
In recent years, with the continuous improvement of network security defense technologies and products (hereinafter referred to as "defense products"), the effectiveness of defense products against known network attacks has become high, and some defense products even try to detect network attacks with unknown characteristics by applying big data analysis and artificial intelligence technology to a large number of acquired attack samples. However, at present, apart from trusted computing, mimicry defense and zero trust, no other technology can realize effective defense against unknown network attacks when the attack characteristics, samples, methods and the like are unknown, and how to effectively prevent unknown network attacks under resource limitations still remains an open problem that puzzles all the world's cyber powers.
Trusted computing refers to protecting the security of an information system while it performs its computing operations, so that the whole computing process can be measured and controlled and is free from interference, and the computing result obtained is consistent with the expected result. Trusted computing is a distinctive active defense technology based on an overall security concept. From the early TPM (Trusted Platform Module) to the current trusted execution environments represented by ARM TrustZone and Intel SGX, core trusted computing technologies such as secure boot, the trusted execution environment, measurement and attestation, and trusted storage serve as the supports for constructing a trusted security support platform, providing a security cornerstone for all kinds of terminals, edge devices and cloud computing environments. The basic idea of implementing trusted computing is: first construct a root of trust, then establish a chain of trust that starts from the root of trust and proceeds to the hardware platform, to the operating system and then to the application, extending trust to the whole computer system by authenticating one level and trusting the next, thereby ensuring the trust of the whole computer system. Trusted computing is a "static" system of trust that signs programs and is concerned with whether the software and hardware themselves are trusted.
Mimicry defense is a dynamic redundancy structure based on a cyberspace endogenous security mechanism, proposed by Academician Wu Jiangxing of China in 2008 to deal with unknown threats in cyberspace. Academician Wu considers the biggest problem currently facing the cyberspace field to be that vulnerabilities and backdoors in software and hardware cannot be exhaustively or thoroughly checked, i.e. the intrinsic security problem of cyberspace; as a result, the biggest threat facing cyberspace is the unknown attack implemented by an attacker on the basis of unknown vulnerabilities or backdoors, whereas the existing cyberspace defense system is built on prior knowledge and is essentially a static, similar and deterministic defense system that cannot defend against unknown security threats. The basic assumption of mimicry defense is that heterogeneous executors are almost unlikely to have the same errors; its core ideas are heterogeneity, dynamism and redundancy. Specifically, the greater the heterogeneity of the executors, the lower the probability that the same vulnerability is exploited; dynamism means generating a new executor set to replace the current one; and redundancy means that several executors respond to the user's request and, by comparing the execution results of the different heterogeneous executors, a voting mechanism returns the correct response to the user.
Zero trust is a network security paradigm with resource protection at its core, and its premise is that trust is never implicitly granted but must be continually evaluated. The zero trust model removes trust in any single element, node or service by assuming that a breach is inevitable or has already occurred, looking for anomalous or malicious activity while continuing to enforce access control. The zero trust architecture precisely controls access nodes and resource nodes and depends on Identity and Access Management (IAM), which Gartner defines as follows: IAM is a specification that enables the right individuals to access the right resources at the right time for the right reasons. IAM is able to meet mission-critical requirements to ensure proper access to resources in an increasingly diverse technical environment and to meet increasingly stringent regulatory requirements. Of widespread interest are risk-based access control techniques, which combine a continuous rating of a user's risk during login to determine the operational rights the user may have. Compared with the endorsement chain, zero trust provides a defense concept taking IAM as its core, while the endorsement chain provides an enhanced landing scheme. Zero trust considers dynamic authentication and authorization to be of paramount importance, while the endorsement chain presents a way to prevent dynamic authentication and authorization from being bypassed by attackers.
It can be seen that the cognitive difference in the probability that the authentication and authorization mechanisms are bypassed is the first core difference between the two; zero trust requires constant monitoring of abnormal activity in accounts, devices, network activity and data access to perform dynamic authorization; the endorsement chain considers that since it is an unknown network attack scenario, it is likely that any anomaly cannot be perceived, and therefore the endorsement chain does not activate itself based on the anomaly detection result. It can be seen that the confidence level for "anomaly detection" is the second core difference between the two; zero trust attempts to reduce the exposure of the resource to be protected, while the endorsement chain considers that the resource to be protected must eventually be accessed, so its defense strategy is to embed a "security gene" inside the resource to be protected without considering the resource exposure. It can be seen that the handling policy for resources to be protected is the third core difference between the two.
In summary, although trusted computing can ensure the trust of the whole computer system, in most cases the computer system needs to be used by people, and "computer system + people" constitutes an open, complex, giant system. Because of the people, the computer system has to introduce and receive external information, most of which is unsigned untrusted content; once untrusted content enters the computer system, it can link with the trusted programs in the computer system and thereby launch malicious attacks effectively. For example, in the Windows operating system, when a user receives a "document" by mail and opens it, the system runs the trusted winword program; however, if the docx document contains a malicious macro, the malicious macro is activated and executed by winword. Similarly, when the user opens an unsafe website in a browser, the malicious script on the website is likewise executed by the trusted browser (e.g., iexplor). In short, even if the computer system itself is trusted, the trusted computing defense system is bypassed because the computer system has to interact with the outside world during actual use. Currently, the industry-recognized trusted systems with the most prominent characteristics are the Apple Mac series products, such as the iPhone and MacBook. Such products only allow trusted programs from the Apple store to run; however, even so, the Safari browser on these products has been successfully compromised many times in the Pwn2Own contest.
The core idea of mimicry defense is multi-mode voting (especially three-mode voting), with the following theoretical basis: the probability that multiple heterogeneous systems behave identically when in error is infinitely close to 0, while they will usually behave identically when working correctly. For example, critical decision-making systems on aircraft often require the installation of three different types of product, and when the systems make inconsistent decisions, the principle that the minority follows the majority is applied, because it is unlikely that 2 of the 3 decision-making systems are in error at the same time and draw exactly the same false conclusion. The mimicry defense concept is based precisely on the multi-mode voting of the fault tolerance field, so at least two heterogeneous executors must inevitably be customized and additionally developed for the deterministic system to be protected; this work is costly and error-prone, and the overall cost in time and labor is high.
The core idea of zero trust is that trust is no longer granted by default for all behaviors; instead, a dynamic trust model is built. For example, after an employee remotely logs into an important system within the company using his or her assigned notebook, account and password, the employee may need to keep providing the required credentials when other company resources are needed. However, if the zero trust gateway used to verify the user's identity has a vulnerability, an attacker may bypass the zero trust access control mechanism without the notebook registered by the company and without knowing the account and password, and is then treated as a legitimate user who can normally use sensitive resources in the enterprise. Zero trust carries this risk because its starting point is dynamic authentication and authorization, with the emphasis on "dynamic", rather than on how to prevent such dynamic authentication and authorization from being bypassed by "unknown attack methods".
Disclosure of Invention
In view of this, the present invention provides an endorsement chain system capable of preventing unknown network attacks, and dynamic defense of a deterministic system to be protected is realized by constructing an endorsement chain.
The invention provides an endorsement chain system capable of preventing unknown network attacks, which comprises a deterministic system, a heterogeneous endorsement node cluster and an endorsement chain scheduler;
wherein authentication move-back code is embedded in the sensitive services of the deterministic system; the authentication move-back code is used for collecting relevant information of the sensitive service to form a meta-information group and sending the meta-information group to the heterogeneous endorsement node cluster; the heterogeneous endorsement node cluster comprises a plurality of endorsement nodes, the endorsement nodes adopt a chain topology to form an endorsement chain, and the endorsement chain is used for judging from the meta-information group whether a user has the authority to access the sensitive service; the endorsement chain scheduler operates in a secure and trusted environment and is used for realizing the linkage between the deterministic system and the heterogeneous endorsement node cluster; the deterministic system and the heterogeneous endorsement node cluster are deployed in two different physical environments and allow only endorsement-related communication between the two.
Further, the endorsement chain scheduler comprises a deterministic system management module, a sensitive service management module, an endorsement node management module, a user management module and an access control management module;
the deterministic system management module is used for managing the deterministic system to be protected and comprises basic information for configuring the deterministic system; the sensitive service management module is used for determining and managing sensitive services in the deterministic system, including configuring basic information of the sensitive services, customizing and embedding authentication backward-moving codes for the sensitive services; the endorsement node management module is used for setting basic information, an authentication program, a networking program and a communication program of the endorsement node; the user management module is used for managing users with access sensitive service authority; and the access control management module is used for establishing access rights among the user, the sensitive service and the endorsement node.
Further, the authentication move-back code is a code sequence or an encapsulated API.
Further, the embedded position of the authentication backward shift code in the sensitive service is determined in a random mode.
Further, the basic information of the deterministic system includes the name, domain name, IP address and port of the deterministic system.
Further, the basic information of the sensitive service comprises a deterministic system to which the sensitive service belongs, a sensitive service name, associated endorsement node information, an effective time and a forbidden time.
Further, the basic information of the endorsement node comprises an internal serial number, a global unique ID and addressing information of the endorsement node.
Further, the user information comprises mnemonics corresponding to the user ID, the nickname, the password, the certificate and the endorsement node ID and the allowed access time.
The invention provides a defense method for preventing unknown network attack by adopting an endorsement chain system, which is characterized by comprising the following steps:
selecting a deterministic system to be protected, and screening out sensitive services from the services provided by the deterministic system according to business requirements and security expectations; customizing an authentication backward moving code for the sensitive service, and embedding the authentication backward moving code into the sensitive service; an endorsement chain scheduler configures a deterministic system, a sensitive service, an endorsement node and basic information of a user, and establishes access rights among the user, the sensitive service and the endorsement node; the endorsement chain scheduler deploys heterogeneous endorsement nodes to form a heterogeneous endorsement node cluster; the endorsement chain system is started.
Furthermore, when the endorsement chain scheduler deploys heterogeneous endorsement nodes to form a heterogeneous endorsement node cluster, the endorsement chain is constructed so that each endorsement node endorses two other endorsement nodes and is itself endorsed by two other endorsement nodes, and no two endorsement nodes endorse each other; this forms the heterogeneous endorsement node cluster.
Beneficial effects:
1. The invention provides a mode of constructing an endorsement chain by fusing sensitive service extraction, authentication move-back, external authentication, a chain structure, dynamic credibility and the like, establishes on the endorsement chain an endorsement chain system capable of preventing unknown network attacks, defends against authentication bypass attacks by means of authentication move-back, and defends against unauthorized-access or privilege escalation attacks by means of external authentication.
2. The invention provides a method for constructing a sensitive service pool to uniformly control a sensitive system: all sensitive services of the deterministic system to be protected are screened out to form the sensitive service pool, authentication move-back code is embedded into every sensitive service in the pool, and as soon as a user sends an operation to a sensitive service the authentication action of the endorsement chain is triggered. By protecting the sensitive service pool as a whole, even if an attacker compromises the system to be protected, the attacker still cannot use the sensitive services it provides.
3. The invention provides an endorsement chain topology with staggered endorsement and elastic recombination. The way the endorsement chain is constructed determines the security attributes of the authentication system, such as robustness, extensibility, elasticity, damage resistance and reconfigurability, so the design of the endorsement chain directly influences the security of the authentication system; that security can be effectively ensured by allocating credible endorsement nodes at initialization, having several nodes participate in each endorsement, staggering the endorsements among the nodes, and designing the endorsement chain topology so that a large number of nodes can recombine elastically. At the same time, dynamic credibility can be established with the staggered endorsement mechanism of the chain structure, so that nodes without a trusted computing environment become credible by means of the endorsements of other nodes.
Drawings
Fig. 1 is an architecture diagram of an endorsement chain system capable of preventing unknown network attacks according to the present invention.
Fig. 2 is a schematic diagram of a protection target sensitive service pool of an endorsement chain system capable of preventing unknown network attacks provided in the present invention.
Fig. 3 is a schematic diagram of a sensitive service with embedded authentication move-back code in the endorsement chain system for preventing unknown network attacks provided by the present invention.
Fig. 4 is a schematic diagram of an endorsement chain topology structure of an endorsement chain system capable of preventing unknown network attacks provided in the present invention.
Detailed Description
The present invention will be described in detail below with reference to the accompanying drawings.
The invention provides an endorsement chain system capable of preventing unknown network attacks, whose basic idea is: a method for constructing an endorsement chain by fusing sensitive service extraction, authentication move-back, external authentication, a chain structure, dynamic credibility and the like, which can protect an important information system from unknown network attacks.
The first technical problem: how to defend against unknown authentication bypass methods.
Sensitive services provided by deterministic systems generally only allow specific users to access and use them; however, attackers may employ various methods to bypass the deterministic system's authentication in order to access and use sensitive services illegally, such as stealing cookies, stealing tokens, intercepting double authentication, etc. The deterministic system according to the invention is a system whose goals, functions, operating mode and the like are clearly defined and fixed, which is not disturbed by a large number of frequently changing uncertain factors, and for which safe and reliable operation is highly expected. Aiming at this technical problem, the invention proposes the idea of "authentication move-back", namely embedding the important security link of authentication into the sensitive service itself, so that even if an attacker bypasses the various conventional authentication mechanisms on the access path, the attacker still has to trigger the authentication move-back code when finally reaching and actually accessing the sensitive service; this ensures that the preceding authentication bypass methods cannot work, causes the call to the sensitive service to fail, and exposes the attacker.
No matter where the original authentication function of the deterministic system to be protected is located or when it is triggered, the method embeds into the sensitive service to be protected an additional authentication module that can communicate with the authentication system, so that authentication is moved back to a position beyond which it cannot be moved any further. Even if an attacker bypasses the various conventional authentication mechanisms (by a known or unknown method), the attacker has to trigger this authentication, and thus activate the authentication system, when finally and actually calling the sensitive service; the preceding authentication bypass methods therefore ultimately fail, the call to the sensitive service fails, and the attacker is exposed.
The second technical problem is that: how to defend against unknown unauthorized attacks.
When a sensitive service provided by the deterministic system is called, the tuple consisting of the user, the role, the authority, the behavior and the like is generally evaluated to determine authority, and the user is allowed to use the sensitive service only within the permitted range. However, attackers may employ various methods to bypass the authentication mechanism of the deterministic system in order to access and use sensitive services illegally, such as privilege escalation, exceeding authority and escape. Therefore, the invention proposes the idea of external authentication, which separates the important security link of authentication from the deterministic system and arranges the authentication system independently outside the deterministic system, thereby effectively defending against the various privilege escalation, unauthorized access and escape attacks around the deterministic system.
No matter where the original authentication function of the deterministic system to be protected is located or when it is triggered, the invention constructs a secure and credible authentication system in a heterogeneous computing cluster outside the system to be protected, separates the key authentication link from the deterministic system and its operating environment, and arranges the authentication system independently outside the deterministic system, thereby effectively defending against attacks such as unauthorized access, privilege escalation and escape.
The third technical problem: how to ensure the security and credibility of the endorsement chain.
When a sensitive service provided by the deterministic system is called, the built-in authentication move-back code is triggered, and the external authentication system is activated in turn. The authentication system operates within a heterogeneous computing cluster composed of a large number of heterogeneous nodes, referred to in the present invention as "endorsement nodes". Besides the authentication program, each endorsement node also needs to run a networking program and a communication program so as to connect the large-scale distributed endorsement nodes together in a chain structure and form the endorsement chain. The security of the authentication system is of crucial importance, since it directly determines the security of the sensitive service authentication process; and because the authentication program runs on the endorsement nodes, the security of the endorsement chain directly influences the security of the authentication system. The invention provides a chain topology design with staggered endorsement among the endorsement nodes, which can effectively ensure the security and credibility of the endorsement chain and in turn the security and credibility of the authentication process.
The fourth technical problem: how to defend against dynamically introduced attack code.
When a deterministic system has to introduce dynamic code in the running process, attack code processed by disguising or hiding and the like is introduced into the system to initiate an attack even if the deterministic system adopts trusted computing protection. The invention expands the static credibility into the dynamic credibility by adopting the staggered endorsement mechanism, namely, the staggered endorsement mechanism in the chain structure is used for establishing the dynamic trust, so that the nodes which originally do not have the credible calculation condition can be credible by virtue of the endorsement of the credible nodes. Thus, even dynamically introduced attack code can still be detected and intercepted when trying to bypass authentication and authorization mechanisms to illegally invoke sensitive services.
In summary, authentication move-back, external authentication, the chain topology, the dynamic trust mechanism and the like are collectively referred to as the endorsement chain; the defense system constructed on the endorsement chain idea is referred to as an endorsement chain system; the programs run on the endorsement nodes comprise an authentication program, a networking program and a communication program; and the endorsement chain system embeds the authentication move-back code into the deterministic system and arranges the authentication system outside it. Applying the endorsement chain system does not require an in-depth understanding, substantial modification or reconfiguration of the system. After the endorsement chain system is applied, the deterministic system can prevent its sensitive services from being used illegally because of a 0day vulnerability, leakage of a visitor's password, unauthorized access by an attacker and the like, and can prevent the sensitive services from being used illegally even after the system has been attacked, so that the deterministic system avoids security incidents of small probability but great harm. The more important a deterministic system is, the greater the value of the endorsement chain, and the more acceptable the performance degradation caused by the intervention of the endorsement chain.
The endorsement chain system capable of preventing unknown network attacks provided by the invention, as shown in fig. 1, specifically comprises: a deterministic system, a heterogeneous endorsement node cluster, and an endorsement chain scheduler.
The deterministic system is a protected object, and all protected sensitive services contained in the deterministic system are embedded with the same service-independent authentication backward-moving code.
The authentication move-back code extracts meta-information such as the time, the visitor, the sensitive service accessed and the access type; combines it with the endorsement node addressing mode and the visitor signature meta-information provided by the visitor to form a meta-information group; and sends the meta-information group to an authentication program in the heterogeneous endorsement node cluster. The authentication program determines from the meta-information group whether the current visitor has permission to access the sensitive service; the authentication move-back code itself does not check or judge whether the current access is compliant. The authentication move-back code may be a code sequence or, to make the source code modification needed for authentication move-back more convenient, an encapsulated API. Furthermore, to improve the security of the authentication move-back code and prevent an attacker from jumping directly to the sensitive service's binary code in memory to call it, the authentication move-back code is embedded at a random position in the code sequence of the sensitive service.
Specifically, the authentication move-back code sends a meta-information group consisting of meta-information such as <time, visitor, visited sensitive service, visit type, endorsement node addressing mode, visitor signature> to the authentication program in the heterogeneous endorsement node cluster. In the meta-information group, the endorsement node addressing mode and the visitor signature are provided by the visitor, and the other meta-information is generated by the authentication move-back code. The visitor may be an authorized user or an attacker. In fig. 1, VIP_FuncX and the like represent sensitive services, origin_Code and the like represent the original code of the sensitive services, and embedded_Code represents the authentication move-back code.
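The following is an added illustration of the mechanism just described, not code from the patent: a sensitive service VIP_FuncX whose origin_Code is wrapped by embedded_Code that builds the meta-information group and defers the decision to an external authentication program (simulated in-process here). The HMAC-SHA256 visitor signature, the access-rights table and all names are assumptions made for the example.

```python
"""Added illustration (not code from the patent): a sensitive service VIP_FuncX
whose origin_Code is wrapped by embedded_Code, the authentication move-back code.
The embedded code only assembles the meta-information group <time, visitor, visited
sensitive service, visit type, endorsement node addressing mode, visitor signature>
and forwards it; an external authentication program (simulated in-process) decides.
Names, the HMAC-SHA256 signature and the access-rights layout are assumptions."""
import hashlib
import hmac
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class MetaInfoGroup:
    time: int                # generated by the embedded code
    visitor: str             # generated by the embedded code
    sensitive_service: str   # generated by the embedded code
    visit_type: str          # generated by the embedded code
    endorsement_node: str    # addressing mode, supplied by the visitor
    visitor_signature: str   # supplied by the visitor


class AuthenticationDenied(Exception):
    """Raised by the embedded code when the endorsement node does not release the call."""


def visitor_sign(key: bytes, visitor: str, service: str, visit_type: str) -> str:
    """Assumed signature scheme: HMAC-SHA256 over the fields the visitor asserts."""
    msg = f"{visitor}|{service}|{visit_type}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class EndorsementNode:
    """Stand-in for the authentication program on one endorsement node (assumed).
    access_rights maps (user, service) -> (allowed visit types, effective, forbidden);
    user_keys maps user -> key shared with the endorsement node."""

    def __init__(self, node_id, access_rights, user_keys):
        self.node_id = node_id
        self.access_rights = access_rights
        self.user_keys = user_keys

    def authenticate(self, m: MetaInfoGroup) -> bool:
        if m.endorsement_node != self.node_id:
            return False        # addressed to a different endorsement node
        key = self.user_keys.get(m.visitor)
        if key is None:
            return False        # visitor unknown to this node
        expected = visitor_sign(key, m.visitor, m.sensitive_service, m.visit_type)
        if not hmac.compare_digest(expected, m.visitor_signature):
            return False        # forged signature or mismatched request fields
        rule = self.access_rights.get((m.visitor, m.sensitive_service))
        if rule is None:
            return False        # no access right for this user/service pair
        allowed_types, effective, forbidden = rule
        return m.visit_type in allowed_types and effective <= m.time < forbidden


def embedded_code(service_name: str, node: EndorsementNode, clock=time.time):
    """Decorator standing in for the embedded authentication move-back code. It makes
    no compliance judgement of its own: it builds the meta-information group and
    lets the external authentication program decide before origin_Code runs."""
    def wrap(origin_code):
        def vip_func(visitor, visit_type, endorsement_node, visitor_signature, *args):
            m = MetaInfoGroup(int(clock()), visitor, service_name, visit_type,
                              endorsement_node, visitor_signature)
            if not node.authenticate(m):
                raise AuthenticationDenied(service_name)
            return origin_code(*args)   # reached only after endorsement
        return vip_func
    return wrap


# Constructed configuration, as the scheduler's access control module would set it up.
ALICE_KEY = b"constructed-shared-key"
NODE_3 = EndorsementNode(
    node_id="node-3",
    access_rights={("alice", "VIP_FuncX"): ({"read"}, 1_700_000_000, 1_800_000_000)},
    user_keys={"alice": ALICE_KEY},
)


@embedded_code("VIP_FuncX", NODE_3, clock=lambda: 1_750_000_000)  # fixed clock for the demo
def vip_funcx(account: str) -> str:
    """origin_Code: the sensitive service's original body, left unchanged."""
    return f"balance report for {account}"


def demo():
    """An authorized read is released; calls that skip the front-end login and reach
    the service directly are still stopped at the embedded code."""
    sig = visitor_sign(ALICE_KEY, "alice", "VIP_FuncX", "read")
    released = vip_funcx("alice", "read", "node-3", sig, "acct-1")
    outcomes = []
    for attempt in (("alice", "write", "node-3", sig),        # visit type not granted
                    ("alice", "read", "node-3", "0" * 64),   # forged signature
                    ("mallory", "read", "node-3", sig)):     # visitor unknown to node
        try:
            vip_funcx(*attempt, "acct-1")
            outcomes.append("released")
        except AuthenticationDenied:
            outcomes.append("denied")
    return released, outcomes
```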
The heterogeneous endorsement node cluster is formed by a large-scale heterogeneous computing environment; the nodes in the cluster are called endorsement nodes, each runs an authentication program, a networking program and a communication program and so has authentication, communication and networking functions, and the endorsement nodes are connected together through a chain architecture to form the endorsement chain. The networking program and the communication program maintain the communication between endorsement nodes and can be realized with a P2P system, by independent construction, by forming an alliance, by using heterogeneous cloud computing platforms provided by different manufacturers, and so on. When the authentication program on a specific endorsement node provides authentication for a sensitive service, the authentication programs on other endorsement nodes also provide endorsements for it to prove its credibility. The endorsement node is a logical concept and can exist in the form of a physical computer, a virtual machine, a container and the like. For example, in fig. 1, when node 3 acts as the authentication node for a sensitive service, the authentication programs on node 1 and node 2 endorse node 3 to prove its credibility. Similarly, when node 2 acts as the authentication node, nodes 1 and 12 endorse it, and so on.
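As an added example (not the patent's own code), the following builds the staggered endorsement ring that fig. 1 illustrates (node 3 endorsed by nodes 1 and 2, node 2 by nodes 1 and 12), checks the properties the description demands of it, and also covers the dynamic credibility and elastic recombination named in the beneficial effects. The ring rule "each node is endorsed by the two nodes preceding it" is an assumption that reproduces both stated cases; the credibility propagation and the re-chaining after removing a node are likewise one reading of the text.

```python
"""Added example, not the patent's own code: the staggered endorsement ring of fig. 1
(node 3 endorsed by nodes 1 and 2, node 2 by nodes 1 and 12) and checks of the
properties the description requires. The rule 'node k is endorsed by the two nodes
preceding it in ring order' is an assumption that reproduces both stated cases; the
credibility propagation and the recombination after removing a node are one reading
of 'dynamic credibility' and 'elastic recombination'."""
from collections import defaultdict


def build_endorsement_chain(nodes):
    """Return {node: set of its endorsers} for node ids given in ring order.
    Each node endorses the two nodes after it and is endorsed by the two before it."""
    n = len(nodes)
    if n < 5:
        # with 3 or 4 nodes some pair would endorse each other, which the
        # description forbids
        raise ValueError("staggered endorsement needs at least 5 nodes")
    return {nodes[i]: {nodes[(i - 1) % n], nodes[(i - 2) % n]} for i in range(n)}


def endorses(chain):
    """Invert the chain: {node: set of nodes it endorses}."""
    out = defaultdict(set)
    for node, endorsers in chain.items():
        for e in endorsers:
            out[e].add(node)
    return dict(out)


def check_staggered(chain):
    """Properties stated in the description: every node is endorsed by exactly two
    other nodes, endorses exactly two other nodes, and no two nodes endorse each other."""
    outgoing = endorses(chain)
    for node, endorsers in chain.items():
        if len(endorsers) != 2 or node in endorsers:
            return False
        if len(outgoing.get(node, ())) != 2:
            return False
        if any(node in chain[e] for e in endorsers):   # mutual endorsement
            return False
    return True


def propagate_credibility(chain, trusted):
    """Dynamic credibility: starting from nodes with their own trusted computing
    environment, a node becomes credible once both of its endorsers are credible."""
    credible = set(trusted)
    changed = True
    while changed:
        changed = False
        for node, endorsers in chain.items():
            if node not in credible and endorsers <= credible:
                credible.add(node)
                changed = True
    return credible


def recombine_without(nodes, removed):
    """Elastic recombination: drop a failed or compromised node and re-chain the
    survivors in their existing ring order."""
    return build_endorsement_chain([x for x in nodes if x != removed])


if __name__ == "__main__":
    ring = list(range(1, 13))            # the 12 nodes of fig. 1
    chain = build_endorsement_chain(ring)
    print("node 3 endorsed by", sorted(chain[3]), "; node 2 by", sorted(chain[2]))
    print("staggered:", check_staggered(chain))
    print("credible from {1, 2}:", sorted(propagate_credibility(chain, {1, 2})))
    print("credible from {1}:", sorted(propagate_credibility(chain, {1})))
    print("node 3 after removing node 2:", sorted(recombine_without(ring, 2)[3]))
```

With two adjacent trusted seeds the whole ring becomes credible, while a single seed cannot endorse anything on its own, which is why the description insists on credible nodes being allocated at initialization.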
In particular, the deterministic system and the heterogeneous endorsement node cluster are deployed in two separate physical environments, only endorsement-related communication is allowed between the two, and that communication passes through a gateway connecting them, so that the deterministic system and the endorsement chain share no software or hardware.
The endorsement chain scheduler is used for realizing organic linkage between the deterministic system and the heterogeneous endorsement node cluster. The endorsement chain scheduler runs in a secure and trusted environment: all computers and the administrators involved must be trusted, trusted administrators carry out the operations, and those operations are audited. Operations on the trusted computer can be regarded as secure and trusted as long as no executable factors such as code or scripts are introduced from outside. Constructing such a closed, secure and trusted environment is practical and feasible; examples are the computer environment used for signing software and the U-shield (USB key) system used for signing bank transaction information.
The endorsement chain scheduler comprises a deterministic system management module, a sensitive service management module, an endorsement node management module, a user management module and an access control management module:
The deterministic system management module is used for managing all the deterministic systems to be protected, establishing a global view, and supporting the configuration of basic information of the deterministic systems, such as names, domain names, IP addresses, ports and the like.
The sensitive service management module is used for managing all sensitive services, including adding, deleting, changing and searching sensitive services, and supports configuring the basic information of a sensitive service and customizing its personalized authentication move-back code. Basic information of a sensitive service includes the deterministic system to which it belongs, the sensitive service name, the associated endorsement node information, the effective time, the disabled time and the like. The authentication move-back code generally needs to carry personalized information of the sensitive service, and is then embedded (for example, by copying and pasting) into the sensitive service to realize linkage with an authentication program. For example, each sensitive service needs to be configured with its associated endorsement node (one type of personalized information): if the addressing information of a particular endorsement node (as shown in fig. 1) is embedded into the authentication move-back code in sensitive service A, then when the authentication move-back code is activated, the authentication program on that endorsement node is contacted to authenticate the visitor's operation.
The endorsement node management module is used for managing the endorsement nodes and establishing a global view, and covers entering the basic information, authentication program and topological relation of the endorsement nodes, where the basic information of an endorsement node includes its internal serial number, a globally unique ID, addressing information and the like. Taking a heterogeneous cloud as an example, when all endorsement nodes in the cloud are ready, an administrator enters the endorsement node information into the scheduler node by node: the internal serial number of the node (the circled numbers in fig. 1), a globally unique ID (a public key or a public key hash may be used as the ID), addressing information (IP: Port), and the like. In this way the scheduler manages all endorsement nodes uniformly and establishes a global view. In addition, since the authentication move-back code in a sensitive service needs to communicate with the authentication program on an endorsement node, two-way dynamic authentication is needed between the two, and the information required for that authentication is configured in the scheduler.
After the endorsement node information is entered, the administrator connects to the endorsement nodes one by one from a trusted computer (through their IP addresses and ports), deploys the authentication programs and the like to the endorsement nodes, and starts them. At the same stage the topological relationship between endorsement nodes (that is, which 2 nodes each node endorses and which 2 nodes endorse it) also needs to be configured; thereafter the endorsement nodes no longer operate in isolation but form the topological relationship shown in fig. 4.
The user management module is used for managing users with access authority to specific sensitive services and establishing a global view, where the user information includes user ID, nickname, password, certificate, mnemonics corresponding to endorsement node IDs, allowed access time and the like.
The access control management module is used for establishing a many-to-many association between users, sensitive services, endorsement nodes and permissions. For example, user A may access sensitive services S1 and S2; S1 may request endorsement node x to authenticate the access, and x in turn requires nodes x-1 and x-2 to endorse its trustworthiness. The implementation of the endorsement procedure is not limited. For example, when A accesses S1, the authentication move-back code embedded in S1 is activated and asks A for the mnemonics of 2 endorsement nodes; A sends them together with the associated meta-information (such as < time, visitor, visited sensitive service, visit type, endorsement node mnemonics, visitor signature >) to S1; S1 knows that it should communicate with endorsement node x and presents its own authentication information together with the mnemonics provided by A; x contacts the scheduler and requests the information (in particular the current IP: Port) of the 2 endorsement nodes associated with the mnemonics; after establishing connections with the 2 endorsement nodes and authenticating bidirectionally, x asks each of them whether A has the right to access S1; if this right was configured previously in the scheduler, A obtains authorization.
The process by which the endorsement chain system of the invention protects an information system against unknown network attacks comprises the following steps:
Step 1, selecting the deterministic system to be protected.
The information system must be deterministic to be suitable for protection by the endorsement chain system provided by the present invention. Determinism here means that the target, function, operating mode and the like of the information system are highly definite and fixed, are not disturbed by a large number of frequently changing uncertain factors, and that the system is expected to operate securely and reliably. For example, a highly secure server serving the sensitive business of a banking system is a deterministic system, whereas a home user's personal computer is not, because new software may be installed or its originally intended use changed at any time.
After the deterministic system to be protected is determined, a number of sensitive services need to be screened out of the information system for protection. Non-sensitive services can be protected by traditional defense products without endorsement chain protection, since even their malicious exploitation by an attacker would not cause unacceptable harm.
Step 2, selecting sensitive services from the services provided by the deterministic system to be protected, and constructing a sensitive service pool.
A number of sensitive services are screened from the services provided by the deterministic system to be protected according to business requirements and security expectations; the set formed by these sensitive services is called the sensitive service pool. Examples of sensitive services are sending a specific instruction, reading and writing a specific file, reading and writing a database password table, uploading data and the like. All sensitive services in the pool are within the protection range, so the authentication move-back code is embedded in each of them, and once a visitor tries to use a sensitive service, the authentication move-back code is triggered and in turn activates the authentication system. A sensitive service pool composed of one or more sensitive services is shown in fig. 2, in which five actions, i.e. issuing an instruction, writing a file, starting an external transmission, outputting control and changing a registry, are classified as sensitive services; in actual application, the sensitive services are screened according to business requirements and security expectations.
Step 3, embedding the authentication move-back code in the sensitive services.
The authentication move-back code is embedded in the source code of the sensitive service; ideally its embedding position is not fixed but chosen at random. The deterministic system may still be attacked, but the protected object of the endorsement chain is the sensitive service, so the sensitive service cannot be exploited by an attacker even if the deterministic system is compromised. Schematic diagrams of embedding the authentication move-back code in sensitive services are shown in fig. 1 and 3.
After the authentication move-back code is embedded in the sensitive service, the relationship between the user access, the sensitive service, the authentication move-back code and the endorsement node is shown in fig. 2. The sensitive service of 'issuing an instruction' is taken as an example for explanation: when the visitor successfully accesses the 'instruction issuing' sensitive service after passing through the conventional authentication mechanism of the deterministic system, an authentication backward-moving code embedded in the 'instruction issuing' sensitive service is triggered; the authentication backward shift code sends the meta-information group of < time, visitor, visited sensitive service, visit type, endorsement node addressing mode and visitor signature > to the heterogeneous endorsement node cluster, and an authentication program in the endorsement node identifies whether the current visitor has the right to visit the sensitive service according to the meta-information group.
Through the processing from step 1 to step 3, the authentication backward shift code is embedded in all the sensitive services of the deterministic system, and the adaptation of the deterministic system is completed.
Step 4, deploying the endorsement chain system scheduler.
The information required by the deterministic system management module, the sensitive service management module, the endorsement node management module, the user management module and the access control management module of the endorsement chain system scheduler is configured.
Step 5, deploying the heterogeneous endorsement node cluster to realize external authentication.
A private heterogeneous cloud platform (hereinafter referred to as heterogeneous cloud) is selected as an endorsement chain system host environment, the heterogeneous cloud comprises a large number of heterogeneous computing environments (such as virtual machines and containers with different operating systems), terminal computing environments in the heterogeneous cloud are endorsement nodes, and an authentication program, a networking program and a communication program are run on each terminal computing environment.
In this way, the authentication function originally the responsibility of the deterministic system, or of the operating environment in which it runs, is transferred to the external heterogeneous cloud, and the probability of an attacker successfully attacking the heterogeneous cloud is greatly reduced compared with attacking the deterministic system. Besides the heterogeneous cloud scheme, the same purpose can be achieved with computer clusters and other arrangements other than cloud computing.
Further, based on heterogeneous cloud, in order to realize mutual dynamic trusted connection between endorsement nodes, the invention provides a staggered-certified endorsement chain topology structure, which can form a dynamic trusted chain structure. The endorsement chain topology is shown in fig. 4, wherein each circle with a number represents an endorsement node, and the number in the circle represents the globally unique number of the node.
In constructing the endorsement chain topology, each node endorses two other nodes and is itself endorsed by two other nodes, but no two nodes endorse each other; instead, endorsement is staggered along the chain. For example, node 1 is endorsed by nodes 2 and 3, while nodes 11 and 12 are endorsed by node 1. Such a staggered endorsement structure prevents fault contamination, i.e. it prevents "two bad actors hijacking a good one". Through the interlocking effect of the endorsement chain, a majority of 51% good nodes can eventually clear the 49% bad nodes. Thus each node has two nodes that endorse it and two other nodes that it endorses. When a node performs a sensitive operation, two nodes must vouch for it. An attacker who gains entry therefore cannot perform sensitive operations, because it is not known in advance which nodes will vouch, and the vouching content is not pre-generated.
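As an added example (not code from the patent), the following Python model builds the staggered topology of fig. 4 and runs the endorsement check described above under the access control management module: the user names, services, signing keys, mnemonic table and HMAC signature scheme are all constructed assumptions, as is the direction in which the chain wraps around.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple

# Scheduler-side configuration (all constructed for this example): which user
# may access which sensitive service, each user's signing key, and the table
# that resolves the visitor's mnemonics to endorsement node ids.
SCHEDULER_ACL: Dict[str, Set[str]] = {"userA": {"S1", "S2"}, "userB": {"S2"}}
USER_KEYS: Dict[str, bytes] = {"userA": b"constructed-key-A", "userB": b"constructed-key-B"}
MNEMONICS: Dict[str, int] = {"oak": 2, "pine": 3, "elm": 4}

def build_topology(n: int) -> Dict[int, Tuple[int, int]]:
    """Endorsers of each node 1..n. Node i is endorsed by i+1 and i+2 (wrapping
    around), so node 1 is endorsed by 2 and 3 and itself endorses n-1 and n
    (11 and 12 for n = 12) as in the text; the wrap direction is an assumption."""
    if n < 5:
        raise ValueError("fewer than 5 nodes forces two nodes to endorse each other")
    return {i: (i % n + 1, (i + 1) % n + 1) for i in range(1, n + 1)}

def endorsees(topology: Dict[int, Tuple[int, int]], i: int) -> Tuple[int, ...]:
    """Nodes that node i endorses, i.e. those listing i among their endorsers."""
    return tuple(sorted(j for j, e in topology.items() if i in e))

def check_topology(topology: Dict[int, Tuple[int, int]]) -> bool:
    """Invariants stated in the text: two distinct endorsers per node, two
    endorsees per node, no self-endorsement, no pair endorsing each other."""
    for i, ends in topology.items():
        if len(set(ends)) != 2 or i in ends or len(endorsees(topology, i)) != 2:
            return False
        if any(i in topology[j] for j in ends):  # mutual endorsement
            return False
    return True

@dataclass(frozen=True)
class MetaInfo:
    """The meta-information group sent by the authentication move-back code."""
    time: str
    visitor: str
    service: str
    access_type: str
    mnemonics: Tuple[str, str]  # supplied by the visitor
    signature: str              # supplied by the visitor (hex HMAC here)

    def payload(self) -> bytes:
        return "|".join([self.time, self.visitor, self.service,
                         self.access_type, *self.mnemonics]).encode()

def sign_request(key: bytes, time: str, visitor: str, service: str,
                 access_type: str, mnemonics: Tuple[str, str]) -> MetaInfo:
    """Visitor side: build the group and sign the fields it commits to."""
    unsigned = MetaInfo(time, visitor, service, access_type, mnemonics, "")
    sig = hmac.new(key, unsigned.payload(), hashlib.sha256).hexdigest()
    return MetaInfo(time, visitor, service, access_type, mnemonics, sig)

def resolve_mnemonics(meta: MetaInfo, topology, auth_node: int) -> Optional[Set[int]]:
    """Scheduler side: map the mnemonics to nodes and accept them only if they
    name exactly the two endorsers configured for the authentication node."""
    nodes = {MNEMONICS[m] for m in meta.mnemonics if m in MNEMONICS}
    return nodes if nodes == set(topology[auth_node]) else None

def endorser_vote(node: int, meta: MetaInfo) -> bool:
    """An honest endorsement node answers the authentication node's question:
    does the scheduler's configuration grant this visitor this service?
    (In this toy model every honest node consults the same configuration.)"""
    return meta.service in SCHEDULER_ACL.get(meta.visitor, set())

def authenticate(meta: MetaInfo, topology, auth_node: int,
                 compromised: FrozenSet[int] = frozenset()) -> bool:
    """Authentication node side: verify the visitor signature, resolve the two
    endorsers through the scheduler, and grant only if both endorse. Nodes in
    `compromised` model attacker-controlled endorsers that always answer yes."""
    key = USER_KEYS.get(meta.visitor)
    if key is None:
        return False
    expected = hmac.new(key, meta.payload(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, meta.signature):
        return False
    endorsers = resolve_mnemonics(meta, topology, auth_node)
    if endorsers is None:
        return False
    return all(n in compromised or endorser_vote(n, meta) for n in endorsers)
```

With the 12-node chain, a request from userA for S1 through authentication node 1 with mnemonics naming nodes 2 and 3 is granted, while a request from userB, a forged signature, mnemonics naming a node that is not a configured endorser, or a single compromised endorser all fail.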
Step 6, starting the dynamic, trusted endorsement chain system.
After the configuration is completed, the entire endorsement chain can be started and begin protecting the deterministic system. Later, if a new endorsement node is to be added to the endorsement chain, a new sensitive service is to be protected, a new user is to be authorized, and so on, the corresponding operations above are repeated. This is similar to trusted computing: when a new program is introduced to a trusted computer, it needs to be signed.
In summary, the above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (10)
1. An endorsement chaining system for protection against unknown network attacks, comprising: the system comprises a deterministic system, a heterogeneous endorsement node cluster and an endorsement chain scheduler;
wherein authentication move-back code is embedded in sensitive services of the deterministic system; the authentication move-back code is used for acquiring relevant information of the sensitive service to form a meta-information group and sending the meta-information group to the heterogeneous endorsement node cluster, which identifies whether the visitor has permission to access the sensitive service, and the authentication move-back code itself does not check or judge whether the current access is compliant; the heterogeneous endorsement node cluster comprises a plurality of endorsement nodes, the endorsement nodes adopt a chain topology structure to form an endorsement chain, and the endorsement chain is used for judging, according to the meta-information group, whether a user has the authority to access the sensitive service; the endorsement chain scheduler operates in a secure trusted environment and is used for realizing linkage between the deterministic system and the heterogeneous endorsement node cluster; the deterministic system and the heterogeneous endorsement node cluster are deployed in two different physical environments and allow only endorsement-related communication between the two.
2. The endorsement chain system of claim 1, wherein the endorsement chain scheduler comprises a deterministic system management module, a sensitive service management module, an endorsement node management module, a user management module, and an access control management module;
the deterministic system management module is used for managing the deterministic system to be protected, including configuring basic information of the deterministic system; the sensitive service management module is used for determining and managing sensitive services in the deterministic system, including configuring basic information of the sensitive services and customizing and embedding authentication move-back code for the sensitive services; the endorsement node management module is used for setting basic information, an authentication program, a networking program and a communication program of the endorsement nodes; the user management module is used for managing users authorized to access sensitive services; and the access control management module is used for establishing access rights among the users, the sensitive services and the endorsement nodes.
3. The endorsement chain system of claim 1, wherein the authentication move back code is a code sequence or an encapsulated API.
4. The endorsement chain system of claim 1, wherein the location of the embedding of the authentication move-back code in the sensitive service is determined in a random manner.
5. The endorsement chain system of claim 2, wherein the basic information of the deterministic system comprises a name, a domain name, an IP address, and a port of the deterministic system.
6. The endorsement chain system of claim 2, wherein the basic information of the sensitive service comprises a deterministic system to which the sensitive service belongs, a sensitive service name, associated endorsement node information, an effective time, and a disabled time.
7. The endorsement chain system of claim 2, wherein the basic information of the endorsement node comprises an internal serial number of the endorsement node, a globally unique ID, and addressing information.
8. The endorsement chain system of claim 2, wherein the basic information of the user comprises a user ID, a nickname, a password, a certificate, a mnemonic corresponding to the endorsement node ID, and an allowed access time.
9. A defense method against unknown network attacks using the endorsement chain system of claim 1, comprising the following steps:
selecting a deterministic system to be protected, and screening out sensitive services from the services provided by the deterministic system according to business requirements and security expectations; customizing an authentication backward moving code for the sensitive service, and embedding the authentication backward moving code into the sensitive service; the endorsement chain scheduler configures a deterministic system, sensitive services, endorsement nodes and basic information of a user, and establishes access rights among the user, the sensitive services and the endorsement nodes; the endorsement chain scheduler deploys heterogeneous endorsement nodes to form a heterogeneous endorsement node cluster; the endorsement chain system is activated.
10. The defense method according to claim 9, wherein, when the endorsement chain scheduler deploys heterogeneous endorsement nodes to form the heterogeneous endorsement node cluster, each endorsement node endorses two other endorsement nodes and is simultaneously endorsed by two other endorsement nodes, and no two endorsement nodes endorse each other, so as to form the heterogeneous endorsement node cluster.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111645858.XA CN114297652B (en) | 2021-12-30 | 2021-12-30 | Endorsement chain system capable of preventing unknown network attack |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114297652A (en) | 2022-04-08 |
CN114297652B (en) | 2022-07-26 |
Family
ID=80972492
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |