CN114301650B - Mimicry WAF (web application firewall) judging method based on credibility - Google Patents


Publication number: CN114301650B
Authority: CN (China)
Prior art keywords: arbitration, result, credibility, judgment, consistency
Legal status: Active
Application number: CN202111572735.8A
Other languages: Chinese (zh)
Other versions: CN114301650A (en)
Inventors: 吴春明, 唐馨, 陈双喜, 张江瑜, 曲振青
Current Assignee: Zhejiang University ZJU
Original Assignee: Zhejiang University ZJU
Application filed by Zhejiang University ZJU

Abstract

The invention discloses a credibility-based arbitration method for a mimicry WAF. It defines a credibility value to characterize the validity of each executor's arbitration result, and introduces a preliminary trusted-executor selection module, an arbitration result processing module and a dynamic credibility adjustment module to arbitrate traffic. The preliminary trusted-executor selection module selects relatively credible executors to participate in traffic arbitration; the arbitration result processing module obtains the arbitration result through result fusion, consistency judgment and voting calculation; the dynamic credibility adjustment module updates the credibility of the executors according to the consistency result, and untrusted executors perform a self-cleaning operation. The method weakens the adverse effect that threats to individual executors have on the traffic arbitration result in a mimicry WAF, and effectively improves the defense capability of the mimic defense system.

Description

Mimicry WAF (web application firewall) judging method based on credibility
Technical Field
The invention belongs to the technical field of network security mimic defense, and particularly relates to a credibility-based arbitration method for a mimicry WAF.
Background
Cyberspace security problems have existed since the birth of the Internet and are becoming more severe. The security of network infrastructure has become the weakest factor at present: an attacker can launch malicious attacks on network infrastructure through backdoors or vulnerabilities in software and hardware, so network security is easy to attack and hard to defend, and the active defense capability of network infrastructure urgently needs to be improved. Mimic defense provides a relatively secure system operating environment by applying a dynamic heterogeneous redundancy construction mechanism, which effectively improves the active defense capability of the system. Compared with traditional defenses such as access control and intrusion detection, mimic defense offers higher defense capability at lower defense cost, and it has attracted wide attention in academia and industry.
A mimicry WAF judges traffic with multiple heterogeneous executors. Each executor arbitrates the current traffic, and the arbitration module decides whether the traffic passes by means of an arbitration algorithm, which is generally a majority-consensus voting algorithm. When an executor makes a wrong decision because of threats such as its own bugs, backdoors or attacks, the arbitration module may produce a wrong output, attack traffic may enter the system, and the mimic defense effect is weakened. The arbitration algorithm of the mimicry WAF is therefore important to mimic defense.
Disclosure of Invention
The invention aims to provide a credibility-based mimicry WAF arbitration method that addresses the shortcomings of the prior art.
The purpose of the invention is achieved by the following technical scheme: a credibility-based mimicry WAF arbitration method comprising the following steps:
(1) Deploy M functionally equivalent heterogeneous executors $L = \{l_i \mid i = 1, 2, \ldots, M\}$, where $l_i$ is the i-th heterogeneous executor, and use $r_i$ to denote the credibility of the i-th executor.
(2) When traffic passes through, select the executors whose arbitration results are relatively credible, based on the current credibility of each executor and the average credibility, to participate in traffic arbitration. The specific steps are as follows:
(2.1) Calculate the average credibility of all executors
Figure BDA0003424363010000011
(2.2) Compare the credibility $r_i$ of executor $l_i$ with
Figure BDA0003424363010000012
and select the executors whose credibility is not lower than
Figure BDA0003424363010000013
to participate in the arbitration. The executors participating in the arbitration form the arbitration executor set $E = \{e_j \mid j = 1, 2, \ldots, N\}$, where $e_j$ is the j-th executor participating in the arbitration, N is the number of executors participating in the arbitration, and the credibility of $e_j$ is $r_j$. The arbitration results are $U = \{u_j \mid j = 1, 2, \ldots, N\}$, where $u_j$ is the arbitration result of $e_j$.
(3) Output the arbitration result through result fusion, consistency judgment and voting calculation. The specific steps are as follows:
(3.1) Fuse the arbitration results U of E to obtain the consistency judgment standard S.
(3.2) Calculate in turn the difference between each arbitration result $u_j$ and the consistency judgment standard S, and make the consistency judgment:
If the difference is lower than the set threshold $d_1$, $u_j$ is considered consistent with S and no operation is performed.
Otherwise, $u_j$ is considered inconsistent, and the executor is added to the executor set $Q = \{q_k \mid k = 1, 2, \ldots, Z\}$, where $q_k$ is the k-th executor whose consistency judgment result is inconsistent and Z is the number of executors whose consistency judgment result is inconsistent.
(3.3) Calculate the final arbitration result: count the arbitration results of the executors whose consistency judgment result is consistent, and output the final arbitration result $U_r$ using a majority-consensus voting algorithm.
(4) Update the credibility of the executors according to the consistency result and make a credibility judgment on them; untrusted executors perform a self-cleaning operation. The specific steps are as follows:
(4.1) Penalize each executor $q_k$ whose consistency judgment result is inconsistent by reducing its credibility; the updated credibility is $r_k$.
(4.2) Make a credibility judgment on $q_k$:
If the credibility of $q_k$ is lower than the set threshold $d_2$, $q_k$ is considered untrusted and performs a self-cleaning operation.
Otherwise, $q_k$ is considered trusted and no operation is performed.
Further, in step (2.1), the average credibility of all executors can be calculated according to formula (1):
Figure BDA0003424363010000021
Figure BDA0003424363010000022
Further, the arbitration results U of E are fused according to formula (2) to obtain the consistency judgment standard S:
Figure BDA0003424363010000023
Further, the majority-consensus voting algorithm counts the arbitration results of the executors whose consistency judgment result is consistent, calculates the number of executors that ruled that the traffic passes and the number that ruled that it does not pass, and outputs the ruling of the larger side as the final arbitration result.
Further, the credibility penalty is applied to the executor according to formula (3):
$r_k = r_k - \kappa(|u_k - U_r|)$ (3)
where $\kappa$ is the credibility penalty.
Further, $r_i$ is 1.
The beneficial effects of the invention are as follows: the invention selects the heterogeneous executors that participate in the decision based on dynamically adjusted credibility, and safely fuses the credibility with the executors' arbitration results, thereby weakening the inaccuracy in the traffic arbitration result caused by threats to the executors themselves in the mimicry WAF and effectively improving the defense capability of the mimic defense system.
Drawings
FIG. 1 is a diagram of the arbitration method architecture of the present invention.
Detailed Description
As shown in FIG. 1, the credibility-based mimicry WAF arbitration method of the present invention characterizes the validity of each executor's arbitration result by defining a credibility value, and introduces a preliminary trusted-executor selection module, an arbitration result processing module and a dynamic credibility adjustment module to arbitrate traffic. The method specifically comprises the following steps:
(1) Deploy M functionally equivalent heterogeneous executors $L = \{l_i \mid i = 1, 2, \ldots, M\}$, where $l_i$ is the i-th heterogeneous executor. A credibility value is defined to characterize the validity of each executor's arbitration result; $r_i$ denotes the credibility of the i-th executor, and $r_i$ is 1.
(2) When traffic passes through, the preliminary trusted-executor selection module selects the executors whose arbitration results are relatively credible, based on the current credibility of each executor and the average credibility, to participate in traffic arbitration. The specific steps are as follows:
(2.1) Calculate the average credibility of all executors according to formula (1):
Figure BDA0003424363010000031
Figure BDA0003424363010000032
(2.2) Compare the credibility $r_i$ of executor $l_i$ with
Figure BDA0003424363010000033
and select the executors whose credibility is not lower than
Figure BDA0003424363010000034
to participate in the arbitration. The executors participating in the arbitration form the arbitration executor set $E = \{e_j \mid j = 1, 2, \ldots, N\}$, where $e_j$ is the j-th executor participating in the arbitration, N is the number of executors participating in the arbitration, and the credibility of $e_j$ is $r_j$. The arbitration results are $U = \{u_j \mid j = 1, 2, \ldots, N\}$, where $u_j$ is the arbitration result of $e_j$.
(3) The arbitration result processing module outputs the arbitration result through result fusion, consistency judgment and voting calculation. The specific steps are as follows:
(3.1) Fuse the arbitration results U of E according to formula (2) to obtain the consistency judgment standard S:
Figure BDA0003424363010000041
(3.2) Calculate in turn the difference between each arbitration result $u_j$ and the consistency judgment standard S, and make the consistency judgment:
If the difference is lower than the set threshold $d_1$, $u_j$ is considered consistent with S and no operation is performed.
If the difference is not lower than the set threshold $d_1$, $u_j$ is considered inconsistent with S, and the executor is added to the executor set $Q = \{q_k \mid k = 1, 2, \ldots, Z\}$, where $q_k$ is the k-th executor whose consistency judgment result is inconsistent and whose credibility needs to be dynamically adjusted, and Z is the number of executors whose consistency judgment result is inconsistent.
(3.3) Calculate the final arbitration result: count the arbitration results of the executors whose consistency judgment result is consistent, and output the final arbitration result $U_r$ using a majority-consensus voting algorithm.
The majority-consensus voting algorithm is as follows: count the arbitration results of the executors whose consistency judgment result is consistent, calculate the number of executors that ruled that the traffic passes and the number that ruled that it does not pass, and output the ruling of the larger side as the final arbitration result.
(4) The dynamic credibility adjustment module updates the credibility of the executors according to the consistency result and makes a credibility judgment on them; untrusted executors perform a self-cleaning operation. The specific steps are as follows:
(4.1) Apply a credibility penalty according to formula (3) to each executor $q_k$ whose consistency judgment result is inconsistent, reducing its credibility; the updated credibility is $r_k$:
$r_k = r_k - \kappa(|u_k - U_r|)$ (3)
where $\kappa$ is the credibility penalty.
(4.2) Make a credibility judgment on $q_k$: if the credibility of $q_k$ is lower than the set threshold $d_2$, $q_k$ is considered untrusted and performs a self-cleaning operation; if it is not lower than the set threshold $d_2$, $q_k$ is considered trusted and no operation is performed.
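Steps (2) to (4) carried through as an added example; this is not code from the patent. Formula (2) is not reproduced on this page, so the credibility-weighted mean used for S is an assumption, as are the 1/0 verdict encoding, the fail-closed rule for ties, the reading of κ as a multiplicative coefficient, the reset to 1 after self-cleaning, and the executor names and threshold values.

```python
from dataclasses import dataclass

PASS, BLOCK = 1, 0   # assumed encoding of a verdict u_j
EPS = 1e-9           # tolerance when comparing floats against the average


@dataclass
class Executor:
    name: str
    credibility: float = 1.0   # r_i; the page gives r_i = 1, used here as the start value


def select(executors):
    """Step (2): keep executors whose credibility is not lower than the average."""
    avg = sum(e.credibility for e in executors) / len(executors)
    return [e for e in executors if e.credibility >= avg - EPS]


def fuse(selected, verdicts):
    """Step (3.1): consistency standard S.
    ASSUMPTION: credibility-weighted mean, since formula (2) is missing from the page."""
    total = sum(e.credibility for e in selected)
    return sum(e.credibility * verdicts[e.name] for e in selected) / total


def arbitrate(executors, verdicts, d1, d2, kappa):
    """One pass of steps (2)-(4). Returns (U_r, names in E, names self-cleaned)."""
    selected = select(executors)                                   # set E
    s = fuse(selected, verdicts)
    consistent = [e for e in selected if abs(verdicts[e.name] - s) < d1]
    inconsistent = [e for e in selected if abs(verdicts[e.name] - s) >= d1]  # set Q

    # Step (3.3): majority vote over the consistent verdicts only.
    # ASSUMPTION: a tie or an empty consistent set fails closed (BLOCK).
    passes = sum(verdicts[e.name] == PASS for e in consistent)
    final = PASS if passes > len(consistent) - passes else BLOCK

    cleaned = []
    for q in inconsistent:
        # Step (4.1), formula (3), with kappa read as a coefficient.
        q.credibility -= kappa * abs(verdicts[q.name] - final)
        # Step (4.2): credibility below d2 means untrusted, so self-clean.
        if q.credibility < d2:
            cleaned.append(q.name)
            q.credibility = 1.0   # ASSUMPTION: cleaning restores the start value
    return final, [e.name for e in selected], cleaned


def run(kappa, rounds):
    """Replay constructed verdict rounds against three fresh executors."""
    pool = [Executor("waf-a"), Executor("waf-b"), Executor("waf-c")]
    log = [arbitrate(pool, v, d1=0.5, d2=0.5, kappa=kappa) for v in rounds]
    return log, {e.name: round(e.credibility, 6) for e in pool}


# Constructed sample input: waf-c wrongly passes a request the other two block.
ROUNDS = [
    {"waf-a": BLOCK, "waf-b": BLOCK, "waf-c": PASS},
    {"waf-a": BLOCK, "waf-b": BLOCK, "waf-c": PASS},
]

if __name__ == "__main__":
    for kappa in (0.3, 0.6):
        log, cred = run(kappa, ROUNDS)
        print(f"kappa={kappa}: {log} credibility={cred}")
```

With κ = 0.3 the misvoting executor drops to 0.7 and is left out of E in the second round; with κ = 0.6 it falls below d_2 in the first round and is self-cleaned. In this sketch an executor left out in step (2) is not scored again, because steps (3) and (4) operate only on the set E.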

Claims (6)

1. A credibility-based mimicry WAF arbitration method, characterized by comprising the following steps:
(1) deploying M functionally equivalent heterogeneous executors $L = \{l_i \mid i = 1, 2, \ldots, M\}$, where $l_i$ is the i-th heterogeneous executor, and using $r_i$ to denote the credibility of the i-th executor;
(2) when traffic passes through, selecting the executors whose arbitration results are relatively credible, based on the current credibility of each executor and the average credibility, to participate in traffic arbitration, the specific steps being as follows:
(2.1) calculating the average credibility of all executors
Figure FDA0003424361000000011
(2.2) comparing the credibility $r_i$ of executor $l_i$ with
Figure FDA0003424361000000012
and selecting the executors whose credibility is not lower than
Figure FDA0003424361000000013
to participate in the arbitration; the executors participating in the arbitration form the arbitration executor set $E = \{e_j \mid j = 1, 2, \ldots, N\}$, where $e_j$ is the j-th executor participating in the arbitration, N is the number of executors participating in the arbitration, and the credibility of $e_j$ is $r_j$; the arbitration results are $U = \{u_j \mid j = 1, 2, \ldots, N\}$, where $u_j$ is the arbitration result of $e_j$;
(3) outputting the arbitration result through result fusion, consistency judgment and voting calculation, the specific steps being as follows:
(3.1) fusing the arbitration results U of E to obtain the consistency judgment standard S;
(3.2) calculating in turn the difference between each arbitration result $u_j$ and the consistency judgment standard S, and making the consistency judgment:
if the difference is lower than the set threshold $d_1$, $u_j$ is considered consistent with S and no operation is performed;
otherwise, $u_j$ is considered inconsistent, and the executor is added to the executor set $Q = \{q_k \mid k = 1, 2, \ldots, Z\}$, where $q_k$ is the k-th executor whose consistency judgment result is inconsistent, and Z is the number of executors whose consistency judgment result is inconsistent;
(3.3) calculating the final arbitration result: counting the arbitration results of the executors whose consistency judgment result is consistent, and outputting the final arbitration result $U_r$ using a majority-consensus voting algorithm;
(4) updating the credibility of the executors according to the consistency result and making a credibility judgment on them, untrusted executors performing a self-cleaning operation, the specific steps being as follows:
(4.1) penalizing each executor $q_k$ whose consistency judgment result is inconsistent by reducing its credibility, the updated credibility being $r_k$;
(4.2) making a credibility judgment on $q_k$:
if the credibility of $q_k$ is lower than the set threshold $d_2$, $q_k$ is considered untrusted and performs a self-cleaning operation;
otherwise, $q_k$ is considered trusted and no operation is performed.
2. The credibility-based mimicry WAF arbitration method according to claim 1, wherein in step (2.1), the average credibility of all executors can be calculated according to formula (1):
Figure FDA0003424361000000021
Figure FDA0003424361000000024
3. The credibility-based mimicry WAF arbitration method according to claim 1, wherein in step (3.1), the arbitration results U of E are fused according to formula (2) to obtain the consistency judgment standard S:
Figure FDA0003424361000000023
4. The credibility-based mimicry WAF arbitration method according to claim 1, wherein in step (3.3), the majority-consensus voting algorithm counts the arbitration results of the executors whose consistency judgment result is consistent, calculates the number of executors that ruled that the traffic passes and the number that ruled that it does not pass, and outputs the ruling of the larger side as the final arbitration result.
5. The credibility-based mimicry WAF arbitration method according to claim 1, wherein in step (4.1), the credibility penalty is applied to the executor according to formula (3):
$r_k = r_k - \kappa(|u_k - U_r|)$ (3)
where $\kappa$ is the credibility penalty.
6. The credibility-based mimicry WAF arbitration method according to claim 1, wherein $r_i$ is 1.
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202111572735.8A | 2021-12-21 | 2021-12-21 | Mimicry WAF (web application firewall) judging method based on credibility

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN202111572735.8A | 2021-12-21 | 2021-12-21 | Mimicry WAF (web application firewall) judging method based on credibility

Publications (2)

Publication Number | Publication Date
CN114301650A | 2022-04-08
CN114301650B | 2022-08-30

Family

ID=80967702

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN202111572735.8A (Active, CN114301650B (en)) | Mimicry WAF (web application firewall) judging method based on credibility | 2021-12-21 | 2021-12-21

Country Status (1)

Country | Link
CN (1) | CN114301650B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant