CN114510712A - Mimicry quantity adjusting method, mimicry quantity adjusting device, host machine and storage medium - Google Patents

Info

Publication number
CN114510712A
Authority
CN
China
Prior art keywords
mimicry
current
isomers
target
host machine
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210412930.2A
Other languages
Chinese (zh)
Other versions
CN114510712B (en
Inventor
雷奕康
葛永文
蔡敬忠
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhongke Xingqi Beijing Technology Co ltd
Original Assignee
Zhongke Xingqi Beijing Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhongke Xingqi Beijing Technology Co ltd filed Critical Zhongke Xingqi Beijing Technology Co ltd
Priority to CN202210412930.2A priority Critical patent/CN114510712B/en
Publication of CN114510712A publication Critical patent/CN114510712A/en
Application granted granted Critical
Publication of CN114510712B publication Critical patent/CN114510712B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention provides a mimicry number adjusting method and device, a host machine and a storage medium, and relates to the technical field of computers. The method comprises: determining a mimicry base number based on a mimicry arbitration result of the host machine; determining a correspondence between the host machine load and the mimicry number according to the mimicry base number, where the mimicry number in the correspondence is associated with the mimicry base number; determining the current load and the current mimicry number of the host machine; determining the target mimicry number that corresponds to the current load in the correspondence; and judging whether the current mimicry number equals the target mimicry number and, if not, adjusting the mimicry number of the host machine from the current mimicry number to the target mimicry number. The scheme can ensure a balance between threat perception and resource consumption.

Description

Mimicry quantity adjusting method, mimicry quantity adjusting device, host machine and storage medium
Technical Field
The embodiment of the invention relates to the technical field of computers, in particular to a method and a device for adjusting mimicry quantity, a host machine and a storage medium.
Background
Mimicry defense is an active defense theory. It improves the reliability of the protected environment by using multi-mode arbitration under a dynamic heterogeneous redundancy architecture, and in network security it is used to convert certain or uncertain threats in cyberspace that are based on unknown vulnerabilities, backdoors, Trojans, viruses and the like into a risk-control problem that can be described by probability. The larger the mimicry number used for arbitration in the dynamic heterogeneous redundancy architecture, the higher the probability of perceiving and detecting threats. However, mimicry consumes system resources, and the larger the mimicry number, the more system resources are consumed. How to balance threat perception against resource consumption is therefore an urgent problem to be solved.
Disclosure of Invention
The embodiment of the invention provides a mimicry quantity adjusting method, a mimicry quantity adjusting device, a host machine and a storage medium, which can ensure the balance between threat perception and resource consumption.
In a first aspect, an embodiment of the present invention provides a method for adjusting a mimicry number, including:
determining a mimicry basis number based on a mimicry adjudication result of the host machine;
determining the correspondence between the host machine load and the mimicry number according to the mimicry base number; the mimicry number in the correspondence is associated with the mimicry base number;
determining the current load and the current mimicry quantity of the host machine;
determining the target mimicry quantity corresponding to the current load in the corresponding relation;
and judging whether the current mimicry quantity is equal to the target mimicry quantity, and if not, adjusting the mimicry quantity of the host machine from the current mimicry quantity to the target mimicry quantity.
Preferably, the determining a mimicry basis number based on the mimicry arbitration result of the host machine comprises:
if the mimicry judging result is that no threat exists and the continuous number of the mimicry judging results without the threat is smaller than a set number, or if the mimicry judging result is that the threat exists, determining a first set value as the mimicry basic number;
if the mimicry judging result is that no threat exists and the continuous number of the mimicry judging results without the threat is not less than the set number, determining a second set value as the mimicry basic number;
the first set value is greater than the second set value.
Preferably, the adjusting the mimicry number of the host from the current mimicry number to the target mimicry number comprises:
comparing the current mimicry number with the target mimicry number;
if the current mimicry number is less than the target mimicry number, adding isomers on the basis of the current isomers of the host machine; the number added is the absolute difference between the current mimicry number and the target mimicry number;
if the current mimicry quantity is larger than the target mimicry quantity, deleting isomers from the current isomers of the host machine; the deletion amount is the absolute difference between the current mimicry amount and the target mimicry amount.
Preferably, the isomer increase based on the current isomer of the host comprises:
A1: calculating the similarity between any two isomers in the current isomers;
A2: determining whether the number of isomers that currently needs to be added is smaller than the number of calculated similarities; if so, executing step A3, otherwise executing step A4;
A3: determining a set number of the largest similarities among the calculated similarities and, for the two isomers corresponding to each of these largest similarities, adding the isomer with the minimum similarity to any one of the two isomers; the set number is the number that currently needs to be added;
A4: for the two isomers corresponding to the maximum similarity among the similarities, adding the isomer with the minimum similarity to any one of the two isomers, and returning to step A1 until the mimicry number after adding isomers equals the target mimicry number.
Preferably, the deletion of an isomer from the current isomers of the host comprises:
B1: calculating the similarity between any two isomers in the current isomers;
B2: deleting any one of the two isomers corresponding to the maximum similarity, and returning to step B1 until the mimicry number after deleting isomers equals the target mimicry number.
Preferably, the calculation of the similarity between any two isomers includes: respectively generating corresponding state matrixes according to the state of each isomer of the two isomers, and calculating the similarity between the two state matrixes;
the state matrix comprises m multiplied by n elements, the element at the (i, j) th position is used for representing the content of the jth building unit in the ith framework layer, i takes the value of an integer in [1, m ], and j takes the value of an integer in [1, n ]; m =4, and the four architecture layers are a data layer, a software layer, a resource layer and a network layer, respectively, and each architecture layer includes a plurality of building units; n is the maximum number of the building units in each architecture layer; and if the number of the building units corresponding to the ith architecture layer is less than n, expanding by using null elements.
Preferably, the host machine load is a load other than the load required by the mimicry.
In a second aspect, an embodiment of the present invention further provides a mimicry number adjusting apparatus, including:
a first determining unit, configured to determine the mimicry base number based on the mimicry arbitration result of the host machine;
a second determining unit, configured to determine the correspondence between the host machine load and the mimicry number according to the mimicry base number; the mimicry number in the correspondence is associated with the mimicry base number;
a third determining unit, configured to determine a current load and a current mimicry number of the host;
a fourth determining unit, configured to determine a target mimicry number corresponding to the current load in the correspondence relationship;
the judging unit is used for judging whether the current mimicry quantity is equal to the target mimicry quantity or not, and if not, the adjusting unit is triggered to execute corresponding operation;
the adjusting unit is used for adjusting the mimicry number of the host machine from the current mimicry number to the target mimicry number.
In a third aspect, an embodiment of the present invention further provides a host, including a memory and a processor, where the memory stores a computer program, and the processor implements the method described in any one of the above when executing the computer program.
In a fourth aspect, the present invention further provides a computer-readable storage medium, on which a computer program is stored, and when the computer program is executed in a computer, the computer program causes the computer to execute any one of the methods described above.
The embodiment of the invention provides a mimicry quantity adjusting method, a device, a host and a storage medium, wherein the mimicry basic quantity is determined according to a mimicry judging result of the host, then the corresponding relation between the load of the host and the mimicry quantity is determined according to the mimicry basic quantity, then the target mimicry quantity corresponding to the current load in the corresponding relation is determined, and if the current mimicry quantity is not equal to the target mimicry quantity, the current mimicry quantity is adjusted to the target mimicry quantity. According to the scheme, the mimicry basic quantity determined by different mimicry judging results is different, the mimicry quantity has a certain relation with the threat perception capability and the resource consumption, the mimicry quantity of the host machine is dynamically adjusted by comprehensively considering the current load and the threat perception capability of the host machine, and the balance between the threat perception and the resource consumption can be ensured.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 is a flow chart of a method for adjusting a mimicry number according to an embodiment of the present invention;
FIG. 2 is a diagram of a host hardware architecture according to an embodiment of the present invention;
FIG. 3 is a structural diagram of a mimicry number adjusting apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer and more complete, the technical solutions in the embodiments of the present invention will be described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention, and based on the embodiments of the present invention, all other embodiments obtained by a person of ordinary skill in the art without creative efforts belong to the scope of the present invention.
As described above, the more mimicry numbers arbitrated in the dynamic heterogeneous redundancy architecture are, the more beneficial to sensing and detecting the threat with higher probability is, but the mimicry needs to consume system resources, the mimicry number cannot be infinite, and the more the mimicry number is, the more system resources are consumed. Because the mimicry number has a certain relationship with threat perception and resource consumption, in order to ensure the balance between threat perception and resource consumption, the load of the host and the perceived threat need to be comprehensively considered to dynamically adjust the mimicry number.
Specific implementations of the above concepts are described below.
Referring to fig. 1, an embodiment of the present invention provides a method for adjusting a mimicry number, including:
Step 100, determining the mimicry base number based on the mimicry arbitration result of the host machine;
Step 102, determining the correspondence between the host machine load and the mimicry number according to the mimicry base number; the mimicry number in the correspondence is associated with the mimicry base number;
Step 104, determining the current load and the current mimicry number of the host machine;
Step 106, determining the target mimicry number that corresponds to the current load in the correspondence;
Step 108, judging whether the current mimicry number equals the target mimicry number, and if not, adjusting the mimicry number of the host machine from the current mimicry number to the target mimicry number.
In the embodiment of the invention, the mimicry basis number is determined according to the mimicry judging result of the host, then the corresponding relation between the load of the host and the mimicry number is determined according to the mimicry basis number, then the target mimicry number corresponding to the current load in the corresponding relation is determined, and if the current mimicry number is not equal to the target mimicry number, the current mimicry number is adjusted to the target mimicry number. According to the scheme, the mimicry basic quantity determined by different mimicry judging results is different, the mimicry quantity has a certain relation with the threat perception capability and the resource consumption, the mimicry quantity of the host machine is dynamically adjusted by comprehensively considering the current load and the threat perception capability of the host machine, and the balance between the threat perception and the resource consumption can be ensured.
The manner in which the various steps shown in fig. 1 are performed is described below.
First, step 100, "determining the mimicry base number based on the mimicry arbitration result of the host machine", and step 102, "determining the correspondence between the host machine load and the mimicry number according to the mimicry base number, where the mimicry number in the correspondence is associated with the mimicry base number", are described together.
The host machine may be a host, a virtual machine, or another similar node, such as a Docker or a virtual service node.
The mimicry arbitration result of the host machine is the final result obtained by combining the individual decisions that a plurality of isomers in the host machine each make on the incoming access traffic. The plurality of isomers in the host machine may be selected from an isomer set, which is a set of isomers in different states.
It can be understood that there is a positive correlation between the mimicry number and the threat perception capability, and when the mimicry arbitration results of the hosts are different, different mimicry basis numbers can be determined.
In one embodiment, step 100 may comprise: if the mimicry judging result is that no threat exists and the continuous number of the mimicry judging results without the threat is smaller than a set number, or if the mimicry judging result is that the threat exists, determining a first set value as the mimicry basic number; if the mimicry judging result is that no threat exists and the continuous number of the mimicry judging results without the threat is not less than the set number, determining a second set value as the mimicry basic number; the first set value is greater than the second set value.
When the mimicry arbitration result indicates that the host machine is currently under attack, the mimicry number needs to be increased above the normal level so as to increase the probability of detecting the threat. When the threat is relieved, the mimicry number is reduced to the normal level. Therefore, the first set value needs to be larger than the second set value; for example, the second set value is M (M is a positive integer) and the first set value is 2M.
It should be noted that if the current mimicry arbitration result is that no threat exists and the previous mimicry arbitration result was that a threat exists, the threat may be determined to be relieved at that point; alternatively, a set number can be preset, and the threat is confirmed to be relieved only when the consecutive number of no-threat mimicry arbitration results is less than the set number, which improves the ability to perceive threats. The set number may be 1 or an integer greater than 1. Preferably, the set number is 5.
Step 100 may include other embodiments besides the above embodiments, for example, determining the number of mimicry bases based on the number of isomers participating in the mimicry arbitration and the number of isomers with correct arbitration, and the higher the arbitration accuracy, the lower the number of mimicry bases may be.
The mimicry number is not only related to the capability of sensing threats, but also related to the resource consumption, and after the mimicry base number is determined, the corresponding relation between the load of the host machine and the mimicry number can be determined based on the mimicry base number. In one embodiment, the corresponding relationship includes a plurality of load sections, the plurality of load sections correspond to the plurality of mimicry numbers one to one, and the greater the load corresponding to the load section is, the smaller the mimicry number is.
For example, the correspondence is as follows: the host load is below 3% and the corresponding mimicry number is N (N is the mimicry base number, N = M when the mimicry base number is M, N =2M when the mimicry base number is 2M); the load of the host machine is 3% -10%, and the corresponding mimicry quantity is N/2; the load of the host machine is 10% -30%, and the corresponding mimicry quantity is N/3; the load of the host machine is 30-50%, and the corresponding mimicry quantity is N/10; the load of the host machine is more than 50 percent, and the corresponding mimicry quantity is N/20.
It can be seen that the larger the host machine load, the smaller the number of mimicry, thereby ensuring the balance between threat awareness and resource consumption.
After the mimicry arbitration result is output every time, the mimicry basis number is determined again, and if the mimicry basis number changes, the corresponding relation also changes, so that the mimicry number and the mimicry basis number are associated. The mimicry quantity in the corresponding relation is associated with the mimicry basic quantity, so that the capability of sensing the threat is associated with the load of the host machine, the capability of sensing the threat and the load of the host machine can be comprehensively considered when the mimicry quantity of the host machine is adjusted, a higher mimicry quantity can be ensured on the premise of ensuring the threat sensing quality, the threat sensing probability is improved, the level of the mimicry quantity can be improved when the threat is detected, the threat can be discovered more probably, and the balance between the threat sensing and the resource consumption is realized.
It should be noted that the host load is a load other than the load required for the mimicry. Since the isomerous object of the mimicry occupies a part of the load of the host machine, when the mimicry quantity is dynamically adjusted based on the load of the host machine, the adjustment needs to be carried out according to loads other than the load required by the mimicry, so as to ensure the accuracy in the adjustment process.
Next, step 104, "determining the current load and the current mimicry number of the host machine", step 106, "determining the target mimicry number that corresponds to the current load in the correspondence", and step 108, "judging whether the current mimicry number equals the target mimicry number, and if not, adjusting the mimicry number of the host machine from the current mimicry number to the target mimicry number", are described together.
After the current load of the host is determined, which load interval the current load is in the corresponding relationship may be determined, and the target mimicry number corresponding to the load interval may be determined.
In step 108, if the current mimicry number is equal to the target mimicry number, the mimicry number does not need to be adjusted; if the current mimicry number is not equal to the target mimicry number, the mimicry number needs to be adjusted.
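Steps 100 to 108 up to the add/delete decision, as an added Python example that is not part of the patent text. It assumes M = 60, half-open load intervals, integer division with a floor of one isomer, and load values given in percent; the function names are hypothetical.

```python
# Constructed parameters (assumptions, chosen so every divisor divides evenly).
M = 60            # second set value: base number at the normal level
SET_NUMBER = 5    # consecutive no-threat results required before returning to M

# Load intervals from the example above as (upper bound in %, divisor of N).
# Treating them as half-open [low, high) is an assumption; the text does not
# say which interval a boundary value such as exactly 3% belongs to.
LOAD_TABLE = [(3.0, 1), (10.0, 2), (30.0, 3), (50.0, 10), (float("inf"), 20)]


def base_number(results, m=M, set_number=SET_NUMBER):
    """Step 100. `results` is the arbitration history, oldest first;
    True means the arbitration found a threat."""
    if not results:
        raise ValueError("no arbitration result available")
    clean_streak = 0
    for threat in reversed(results):
        if threat:
            break
        clean_streak += 1
    # Threat present, or too few consecutive clean results: first set value 2M.
    if results[-1] or clean_streak < set_number:
        return 2 * m
    return m  # second set value


def correspondence(n):
    """Step 102: load interval -> mimicry number, derived from base number N.
    Integer division and the floor of 1 are assumptions."""
    return [(upper, max(1, n // divisor)) for upper, divisor in LOAD_TABLE]


def target_number(relation, total_load, mimicry_load):
    """Steps 104-106. The load used for the lookup excludes the share
    consumed by the isomers themselves."""
    load = total_load - mimicry_load
    if load < 0:
        raise ValueError("mimicry load exceeds total load")
    for upper, count in relation:
        if load < upper:
            return count


def plan(results, total_load, mimicry_load, current):
    """Step 108: return (target, action, how many isomers to add or delete)."""
    n = base_number(results)
    target = target_number(correspondence(n), total_load, mimicry_load)
    delta = target - current
    action = "add" if delta > 0 else "delete" if delta < 0 else "none"
    return target, action, abs(delta)
```

Because the base number is recomputed after every arbitration result, a single threat verdict doubles every entry of the table at once, which is why the same load can map to different targets in consecutive calls.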
In one embodiment, the adjusting the mimicry number of the host from the current mimicry number to the target mimicry number in step 108 specifically includes the following steps S1-S3:
S1: comparing the current mimicry number with the target mimicry number; if the current mimicry number is less than the target mimicry number, performing step S2; if the current mimicry number is greater than the target mimicry number, performing step S3.
S2: increasing isomers based on the current isomer of the host; the increase amount is the absolute difference between the current mimicry amount and the target mimicry amount.
S3: deleting isomers from the current isomers of the host; the deletion amount is the absolute difference between the current mimicry amount and the target mimicry amount.
In the embodiment, when the mimicry number needs to be increased, the isomers are increased on the basis of the existing isomers, and when the mimicry number needs to be reduced, part of isomers are reduced in the existing isomers, so that a new combination does not need to be established in the isomer set again, and the establishment cost can be saved.
It should be noted that, in step 108, the mimicry number of the host is adjusted from the current mimicry number to the target mimicry number, and besides the above embodiments of steps S1-S3, other embodiments may be used, for example, a target mimicry number of isomers is randomly selected directly from the isomer set.
One implementation of step S2 may include the following steps A1-A4:
A1: calculating the similarity between any two isomers in the current isomers;
A2: determining whether the number of isomers that currently needs to be added is smaller than the number of calculated similarities; if so, executing step A3, and if not, executing step A4;
In the initial condition, before any isomer has been added, the number that currently needs to be added is the absolute difference between the current mimicry number and the target mimicry number; if isomers have already been added, the number that currently needs to be added is that absolute difference minus the number already added. In addition, during the addition process, the number of recalculated similarities increases with each isomer added.
A3: determining a set number of the largest similarities among the calculated similarities and, for the two isomers corresponding to each of these largest similarities, adding the isomer with the minimum similarity to any one of the two isomers; the set number is the number that currently needs to be added;
A4: for the two isomers corresponding to the maximum similarity among the similarities, adding the isomer with the minimum similarity to any one of the two isomers, and returning to step A1 until the mimicry number after adding isomers equals the target mimicry number.
In the above embodiment, based on the two isomers corresponding to the maximum similarity, it indicates that there are two isomers with high similarity in the current isomer, and if the isomers are randomly increased, the increased isomers may still have high similarity with the two isomers, which is not favorable for the adjudication result. By aiming at the two isomers with the maximum similarity, the isomer with the minimum similarity to any one of the two isomers is added, so that the isomer combination after the addition has larger isomerism, the result is more favorably judged, and the threat perception capability is improved.
One implementation of step S3 may include the following steps B1-B2:
B1: calculating the similarity between any two isomers in the current isomers;
B2: deleting any one of the two isomers corresponding to the maximum similarity, and returning to step B1 until the mimicry number after deleting isomers equals the target mimicry number.
Similarly, in the above embodiment, based on the two isomers corresponding to the maximum similarity, it is indicated that there are two isomers with high similarity in the current isomers, and if the isomers are randomly reduced, the reduced isomers may still have smaller similarity with the two isomers, which is not favorable for the adjudication result. Any one of the two isomers corresponding to the maximum similarity is deleted, so that the combination of the remaining isomers after reduction has larger isomerism, the result can be judged more easily, and the threat perception capability is improved.
In one embodiment of the invention, in order to reduce the calculated amount in the adjustment process, the similarity between two isomers is calculated in advance, and the similarity between any two isomers is stored; when the number of isomers needs to be adjusted, the similarity in each step can be directly determined by a table look-up method. This can reduce the influence of the load caused by the calculation amount on the number of mimicry states during the adjustment.
Since the isomers are responsible for determining whether there is a threat to access traffic, and the states of the isomers are factors influencing the determination result, in calculating the similarity between the two isomers, it is necessary to use features that can characterize the states of the isomers. In one embodiment, whether in step a1 or step B1, the similarity between any two isomers may be calculated by: respectively generating corresponding state matrixes according to the state of each isomer of the two isomers, and calculating the similarity between the two state matrixes; the state matrix comprises m multiplied by n elements, the element at the (i, j) th position is used for representing the content of the jth building unit in the ith framework layer, i takes the value of an integer in [1, m ], and j takes the value of an integer in [1, n ]; m =4, and the four architecture layers are a data layer, a software layer, a resource layer and a network layer, respectively, and each architecture layer includes a plurality of building units; n is the maximum number of the building units in each architecture layer; and if the number of the building units corresponding to the ith architecture layer is less than n, expanding by using null elements.
The arbitration of isomer outputs involves traffic safety inside the host machine, so the state of an isomer can be characterized by the state of the following architecture layers: a data layer, a software layer, a resource layer and a network layer. Specifically, the data layer comprises building units such as the database management system, the database and the data; the software layer comprises building units such as the software program instruction sequence, the instruction format and the internal data structure layout; the resource layer comprises building units such as the operating system, the storage system and the virtual machine instance; the network layer comprises building units such as protocol, address and port. The contents of the building units together form the state of the isomer.
Based on the state of the isomers, the following state matrix T can be generated:
[Equation image not reproduced: the state matrix T]
where
[Symbol image not reproduced]
is the content of the nth building unit of the mth architecture layer.
When the similarity of two state matrices is calculated, cosine similarity, Euclidean distance or other measures may be used.
In the above embodiment, the state matrix is constructed by the content of the framework layer and the construction unit thereof, and then the similarity of isomers is determined by using the state matrix, so that the calculation of the similarity is more accurate and closer to the feature of threat perception, the heterogeneity of the final isomer combination in the host is higher, and the threat detection probability is higher on the premise of consuming resources equally.
As shown in fig. 2 and fig. 3, an embodiment of the present invention provides a mimicry number adjusting apparatus. The apparatus embodiments may be implemented in software, in hardware, or in a combination of the two. In terms of hardware, fig. 2 is a hardware architecture diagram of the computing device in which the mimicry number adjusting apparatus provided in the embodiment of the present invention is located; in addition to the processor, memory, network interface and non-volatile memory shown in fig. 2, the computing device may generally include other hardware, such as a forwarding chip responsible for processing packets. Taking a software implementation as an example, as shown in fig. 3, the apparatus is a logical apparatus formed when the CPU of the computing device in which it is located reads the corresponding computer program from the non-volatile memory into memory and runs it. The mimicry number adjusting apparatus provided in this embodiment includes:
a first determining unit 301, configured to determine a mimicry base number based on a mimicry arbitration result of a host;
a second determining unit 302, configured to determine a correspondence between the host machine load and the mimicry number according to the mimicry base number; the mimicry numbers in the correspondence are associated with the mimicry base number;
a third determining unit 303, configured to determine a current load and a current mimicry number of the host;
a fourth determining unit 304, configured to determine a target mimicry number corresponding to the current load in the correspondence relationship;
a determining unit 305, configured to determine whether the current mimicry number is equal to the target mimicry number, and if not, trigger the adjusting unit 306 to perform a corresponding operation;
the adjusting unit 306 is configured to adjust the mimicry number of the host from the current mimicry number to the target mimicry number.
In an embodiment of the present invention, the first determining unit 301 is specifically configured to: if the mimicry arbitration result is that no threat exists and the number of consecutive no-threat mimicry arbitration results is smaller than a set number, or if the mimicry arbitration result is that a threat exists, determine a first set value as the mimicry base number; if the mimicry arbitration result is that no threat exists and the number of consecutive no-threat mimicry arbitration results is not less than the set number, determine a second set value as the mimicry base number; the first set value is greater than the second set value.
In an embodiment of the present invention, the adjusting unit 306 is specifically configured to: compare the current mimicry number with the target mimicry number; if the current mimicry number is smaller than the target mimicry number, add isomers on the basis of the current isomers of the host machine, the number added being the absolute difference between the current mimicry number and the target mimicry number; if the current mimicry number is larger than the target mimicry number, delete isomers from the current isomers of the host machine, the number deleted being the absolute difference between the current mimicry number and the target mimicry number.
In an embodiment of the present invention, when the adjusting unit 306 adds isomers on the basis of the current isomers of the host, the operation specifically includes:
A1: calculating the similarity between any two isomers in the current isomers;
A2: determining whether the number of isomers that currently needs to be added is smaller than the number of calculated similarities; if so, executing step A3, and if not, executing step A4;
A3: determining a set number of the largest similarities among the calculated similarities, and, for the two isomers corresponding to each of these largest similarities, adding the isomer with the minimum similarity to any one of the two isomers; the set number is the number that currently needs to be added;
A4: for the two isomers corresponding to the maximum similarity among the similarities, adding the isomer with the minimum similarity to any one of the two isomers, and returning to step A1, until the mimicry number after adding isomers is equal to the target mimicry number.
In an embodiment of the present invention, when the adjusting unit 306 deletes isomers from the current isomers of the host, the operation specifically includes:
B1: calculating the similarity between any two isomers in the current isomers;
B2: deleting any one of the two isomers corresponding to the maximum similarity, and returning to step B1, until the mimicry number after deleting isomers is equal to the target mimicry number.
In one embodiment of the present invention, the similarity between any two isomers is calculated as follows: a state matrix is generated for each of the two isomers according to its state, and the similarity between the two state matrices is calculated;
the state matrix comprises m × n elements; the element at position (i, j) represents the content of the jth building unit in the ith architecture layer, where i is an integer in [1, m] and j is an integer in [1, n]; m = 4, the four architecture layers being a data layer, a software layer, a resource layer and a network layer, each of which includes a plurality of building units; n is the maximum number of building units in any architecture layer; if the ith architecture layer has fewer than n building units, its row is padded with null elements.
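The state-matrix similarity and the selection steps A1-A4 and B1-B2 described above, as an added Python example (not code from the patent). It assumes building-unit contents are strings and that cosine similarity is taken over a one-hot encoding of each non-null cell; the tie-break used when deleting, the reading of "minimum similarity with any one of the two isomers", and the isomer pool `POOL` are likewise assumptions constructed for illustration.

```python
from itertools import combinations
from math import sqrt

LAYERS = ("data", "software", "resource", "network")  # m = 4 architecture layers

def state_matrix(state, n):
    """Return the 4 x n state matrix; layers with fewer than n units are padded with None."""
    rows = []
    for layer in LAYERS:
        units = list(state.get(layer, []))
        if len(units) > n:
            raise ValueError(f"{layer} layer has more than n={n} building units")
        rows.append(units + [None] * (n - len(units)))
    return rows

def similarity(a, b):
    """Cosine similarity, assuming each non-null cell is one-hot encoded by (position, content)."""
    dot = sum(x is not None and x == y for ra, rb in zip(a, b) for x, y in zip(ra, rb))
    na = sum(x is not None for row in a for x in row)
    nb = sum(x is not None for row in b for x in row)
    return dot / sqrt(na * nb) if na and nb else 0.0

def pairwise(active, mats):
    """Steps A1 / B1: similarity for every pair of current isomers."""
    return {(p, q): similarity(mats[p], mats[q]) for p, q in combinations(sorted(active), 2)}

def delete_isomers(active, mats, target):
    """Steps B1-B2: repeatedly drop one member of the most similar pair."""
    if target < 1:
        raise ValueError("target mimicry number must be at least 1")
    active = list(active)
    while len(active) > target:
        sims = pairwise(active, mats)                      # B1
        pair = max(sims, key=sims.get)
        # The text allows deleting either member; assumption: drop the one that
        # is more similar to the whole set, so the survivors stay more diverse.
        victim = max(pair, key=lambda name: sum(v for k, v in sims.items() if name in k))
        active.remove(victim)                              # B2, then back to B1
    return active

def add_isomers(active, candidates, mats, target):
    """Steps A1-A4: add candidates that differ most from the most similar current pairs."""
    if not active:
        raise ValueError("need at least one current isomer")
    active = list(active)
    spare = sorted(c for c in candidates if c not in active)

    def add_least_similar(refs):
        # Assumed reading of the selection rule: lowest similarity to either reference isomer.
        best = min(spare, key=lambda c: min(similarity(mats[c], mats[r]) for r in refs))
        spare.remove(best)
        active.append(best)

    while len(active) < target and spare:
        need = target - len(active)
        sims = pairwise(active, mats)                      # A1
        ranked = sorted(sims, key=sims.get, reverse=True)
        if need < len(sims):                               # A2 true -> A3
            for pair in ranked[:need]:
                if spare:
                    add_least_similar(pair)
        else:                                              # A2 false -> A4, then back to A1
            add_least_similar(ranked[0] if ranked else active)
    return active

# Constructed sample isomer states (not from the patent); n = 3.
POOL = {
    "A": {"data": ["mysql", "utf8"], "software": ["gcc", "layout1"],
          "resource": ["ubuntu", "ext4", "kvm"], "network": ["http", "8080"]},
    "B": {"data": ["mysql", "utf8"], "software": ["gcc", "layout1"],
          "resource": ["ubuntu", "ext4", "xen"], "network": ["http", "8081"]},
    "C": {"data": ["postgres", "utf8"], "software": ["clang", "layout2"],
          "resource": ["centos", "xfs", "kvm"], "network": ["http", "9090"]},
    "D": {"data": ["sqlite"], "software": ["rustc", "layout3"],
          "resource": ["freebsd", "zfs", "bhyve"], "network": ["quic", "4433"]},
    "E": {"data": ["mysql", "latin1"], "software": ["gcc", "layout2"],
          "resource": ["ubuntu", "xfs", "kvm"], "network": ["http", "8080"]},
}
MATS = {name: state_matrix(state, 3) for name, state in POOL.items()}

if __name__ == "__main__":
    print(delete_isomers(["A", "B", "C", "E"], MATS, 2))
    print(add_isomers(["A", "B"], ["C", "D", "E"], MATS, 4))
```

On this pool, deletion removes A and then E, the two isomers that overlap most with the rest, and addition brings in D before C because D shares no building-unit content with the near-identical pair A and B.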
In one embodiment of the invention, the host machine load is a load other than the load required by the mimicry.
It is to be understood that the structure illustrated in the embodiment of the present invention does not constitute a specific limitation on the mimicry number adjusting apparatus. In other embodiments of the invention, a mimicry number adjusting apparatus may comprise more or fewer components than shown, or some components may be combined, some components may be split, or the components may be arranged differently. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
Because the content of information interaction, execution process, and the like among the modules in the device is based on the same concept as the method embodiment of the present invention, specific content can be referred to the description in the method embodiment of the present invention, and is not described herein again.
The embodiment of the invention also provides a host machine, which comprises a memory and a processor, wherein the memory stores a computer program, and the processor executes the computer program to realize a mimicry quantity adjusting method in any embodiment of the invention.
An embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the computer program causes the processor to execute a method for adjusting a mimicry quantity in any embodiment of the present invention.
Specifically, a system or an apparatus equipped with a storage medium on which software program codes that realize the functions of any of the above-described embodiments are stored may be provided, and a computer (or a CPU or MPU) of the system or the apparatus is caused to read out and execute the program codes stored in the storage medium.
In this case, the program code itself read from the storage medium can realize the functions of any of the above-described embodiments, and thus the program code and the storage medium storing the program code constitute a part of the present invention.
Examples of the storage medium for supplying the program code include a floppy disk, a hard disk, a magneto-optical disk, an optical disk (e.g., CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD+RW), a magnetic tape, a nonvolatile memory card, and a ROM. Alternatively, the program code may be downloaded from a server computer via a communications network.
Further, it should be clear that the functions of any one of the above-described embodiments may be implemented not only by executing the program code read out by the computer, but also by causing an operating system or the like operating on the computer to perform a part or all of the actual operations based on instructions of the program code.
Further, it is to be understood that the program code read out from the storage medium is written to a memory provided in an expansion board inserted into the computer or to a memory provided in an expansion module connected to the computer, and then causes a CPU or the like mounted on the expansion board or the expansion module to perform part or all of the actual operations based on instructions of the program code, thereby realizing the functions of any of the above-described embodiments.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an …" does not exclude the presence of other similar elements in a process, method, article, or apparatus that comprises the element.
Those of ordinary skill in the art will understand that: all or part of the steps for realizing the method embodiments can be completed by hardware related to program instructions, the program can be stored in a computer readable storage medium, and the program executes the steps comprising the method embodiments when executed; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A method for adjusting a mimicry quantity, comprising:
determining a mimicry base number based on a mimicry arbitration result of the host machine;
determining the correspondence between the load of the host machine and the mimicry quantity according to the mimicry base number; the mimicry quantities in the correspondence are associated with the mimicry base number;
determining the current load and the current mimicry quantity of the host machine;
determining the target mimicry quantity corresponding to the current load in the corresponding relation;
and judging whether the current mimicry quantity is equal to the target mimicry quantity, and if not, adjusting the mimicry quantity of the host machine from the current mimicry quantity to the target mimicry quantity.
2. The method of claim 1, wherein determining the mimicry base number based on the mimicry arbitration result of the host machine comprises:
if the mimicry arbitration result is that no threat exists and the number of consecutive no-threat mimicry arbitration results is smaller than a set number, or if the mimicry arbitration result is that a threat exists, determining a first set value as the mimicry base number;
if the mimicry arbitration result is that no threat exists and the number of consecutive no-threat mimicry arbitration results is not less than the set number, determining a second set value as the mimicry base number;
the first set value is greater than the second set value.
3. The method of claim 1, wherein adjusting the mimicry number of the host from the current mimicry number to the target mimicry number comprises:
comparing the current mimicry number with the target mimicry number;
if the current mimicry number is less than the target mimicry number, adding isomers on the basis of the current isomers of the host machine, the number added being the absolute difference between the current mimicry number and the target mimicry number;
if the current mimicry number is larger than the target mimicry number, deleting isomers from the current isomers of the host machine, the number deleted being the absolute difference between the current mimicry number and the target mimicry number.
4. The method of claim 3, wherein said adding isomers on the basis of the current isomers of said host machine comprises:
A1: calculating the similarity between any two isomers in the current isomers;
A2: determining whether the number of isomers that currently needs to be added is smaller than the number of calculated similarities; if so, executing step A3, and if not, executing step A4;
A3: determining a set number of the largest similarities among the calculated similarities, and, for the two isomers corresponding to each of these largest similarities, adding the isomer with the minimum similarity to any one of the two isomers; the set number is the number that currently needs to be added;
A4: for the two isomers corresponding to the maximum similarity among the similarities, adding the isomer with the minimum similarity to any one of the two isomers, and returning to step A1, until the mimicry number after adding isomers is equal to the target mimicry number.
5. The method of claim 3, wherein said deleting isomers from the current isomers of the host machine comprises:
B1: calculating the similarity between any two isomers in the current isomers;
B2: deleting any one of the two isomers corresponding to the maximum similarity, and returning to step B1, until the mimicry number after deleting isomers is equal to the target mimicry number.
6. The method of claim 4 or 5, wherein the similarity between any two isomers is calculated as follows: a state matrix is generated for each of the two isomers according to its state, and the similarity between the two state matrices is calculated;
the state matrix comprises m × n elements; the element at position (i, j) represents the content of the jth building unit in the ith architecture layer, where i is an integer in [1, m] and j is an integer in [1, n]; m = 4, the four architecture layers being a data layer, a software layer, a resource layer and a network layer, each of which comprises a plurality of building units; n is the maximum number of building units in any architecture layer; if the ith architecture layer has fewer than n building units, its row is padded with null elements.
7. The method of any of claims 1-5, wherein the host machine load is a load other than a load required for mimicry.
8. A mimicry quantity adjusting apparatus, comprising:
a first determining unit, configured to determine a mimicry base number based on a mimicry arbitration result of the host machine;
a second determining unit, configured to determine the correspondence between the load of the host machine and the mimicry quantity according to the mimicry base number; the mimicry quantities in the correspondence are associated with the mimicry base number;
a third determining unit, configured to determine a current load and a current mimicry number of the host;
a fourth determining unit, configured to determine a target mimicry number corresponding to the current load in the correspondence relationship;
the judging unit is used for judging whether the current mimicry quantity is equal to the target mimicry quantity or not, and if not, the adjusting unit is triggered to execute corresponding operation;
the adjusting unit is used for adjusting the mimicry number of the host machine from the current mimicry number to the target mimicry number.
9. A host machine comprising a memory having stored therein a computer program and a processor which, when executing the computer program, carries out the method according to any one of claims 1-7.
10. A computer-readable storage medium, on which a computer program is stored which, when executed in a computer, causes the computer to carry out the method of any one of claims 1-7.
CN202210412930.2A 2022-04-20 2022-04-20 Mimicry quantity adjusting method, mimicry quantity adjusting device, host machine and storage medium Active CN114510712B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210412930.2A CN114510712B (en) 2022-04-20 2022-04-20 Mimicry quantity adjusting method, mimicry quantity adjusting device, host machine and storage medium

Publications (2)

Publication Number Publication Date
CN114510712A true CN114510712A (en) 2022-05-17
CN114510712B CN114510712B (en) 2022-06-28

Family

ID=81554816

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210412930.2A Active CN114510712B (en) 2022-04-20 2022-04-20 Mimicry quantity adjusting method, mimicry quantity adjusting device, host machine and storage medium

Country Status (1)

Country Link
CN (1) CN114510712B (en)

Also Published As

Publication number Publication date
CN114510712B (en) 2022-06-28

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant