CN114844684B - Active defense network evaluation method and system based on multiple fusion method - Google Patents


Info

Publication number
CN114844684B
Authority
CN
China
Prior art keywords
attack
attacker
state
model
defense
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210389928.8A
Other languages
Chinese (zh)
Other versions
CN114844684A (en)
Inventor
李挥
杨昕
乐易旺
张华宇
侯韩旭
李文军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Foshan Saisichen Technology Co ltd
Peking University Shenzhen Graduate School
Original Assignee
Foshan Saisichen Technology Co ltd
Peking University Shenzhen Graduate School
Application filed by Foshan Saisichen Technology Co ltd, Peking University Shenzhen Graduate School
Priority to CN202210389928.8A
Publication of CN114844684A
Application granted
Publication of CN114844684B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14: Network analysis or design
    • H04L41/145: Network analysis or design involving simulating, designing, planning or modelling of a network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention belongs to the field of Internet technology improvement and provides an active defense network evaluation method based on a multiple fusion method, comprising the following steps: S1, describing the confrontation between an attacker and a defender in an active defense system as a race model; S2, describing and solving the transition process of the attack model at coarse granularity with a semi-Markov chain; S3, describing the attack, decision and defense processes in the active defense system at fine granularity with a stochastic reward net (SRN) model, expressed and solved by means of an intuitive graph; S4, performing network security assessment by using the SimPy real-time event generator to simulate experimentally the task execution, interruption, decision and reconfiguration processes under attack during defense. The method addresses the problem of evaluating the effectiveness of ACD; by comparing the characteristics of the different evaluation methods, it derives the application scenario that each evaluation model suits best and provides guidance for designing and analyzing ACD with an appropriate method.

Description

Active defense network evaluation method and system based on multiple fusion method
Technical Field
The invention belongs to the field of internet technology improvement, and particularly relates to an active defense network evaluation method and system based on a multiple fusion method.
Background
Conventional networks present a static attack surface, so an attacker has enough time to prepare and launch an attack, which poses a significant threat to the network. Moving target defense (MTD) raises the attacker's cost and complexity by creating asymmetric dynamics in the network security environment. MTD alters the system configuration to make it harder to sniff information and to maintain privileges after a successful attack, thereby reducing the available attack surface. In recent years many variants of MTD have emerged, such as cyberspace mimic defense (CMD), artificial diversity, and biomimetic defense. These new architectures are collectively referred to as active defense networks (ACDs) because they actively reconfigure themselves to ensure network security. Traditional security methods present static attack surfaces, which leaves defenders and attackers in asymmetric positions. ACD is a "game changer" that can reverse this asymmetry by reconfiguring according to the network scenario.
Because of the security advantages of ACD, researchers at home and abroad have developed a large number of ACD-based applications, such as migration-based dynamic platform technology, software application heterogenization mechanisms, virtual machine migration, N-version programming, and ACD distributed file systems.
Deploying ACD technology inevitably involves a trade-off between security and overhead. It is therefore important to analyze and quantify the effectiveness of ACD. Existing studies can be divided into the following categories: experience-based simulation methods, experimental methods, mathematical model evaluations, and hybrid analysis. Simulation experiment methods typically use fine-grained information to simulate the attack and defense process, which gives high reliability. However, their results are usually given for some predefined scenario and are limited by the number of experimental samples and by the usage scenario, which makes comparing or evaluating multiple ACDs very difficult. Mathematical model methods are typically based on various mathematical or security models, such as stochastic processes, Petri nets, and attack trees. Markov chains are one of the usual stochastic process models, but they carry strict assumptions; to satisfy them the designer has to work with coarse-grained information, and as a result some defensive details are discarded. Other mathematical tools, such as Petri nets, also find it difficult to balance reliability against generality. Retaining too many system details triggers a large amount of computation and state explosion, which makes the functions harder to construct. Since these mathematical model methods are limited by the conditions of the mathematical tools, the resulting model is always abstracted away from some practical application scenarios. While these models can provide generalized measures, such as attack success probabilities, they differ from real-world scenarios, which reduces confidence. Furthermore, most existing studies use only one method to evaluate ACD. Previous studies on ACD analysis have focused on studying system properties with experiment-based methods or on evaluating effectiveness through different mathematical modeling methods.
However, few have overcome the problem of the stand-alone solution. There is an urgent need for an assessment method that, through an in-depth analysis of ACD, provides a strategy for setting up a system according to security requirements.
Mitchell et al. (Mitchell R, Chen R. Modeling and analysis of attacks and counter defense mechanisms for cyber physical systems [J]. IEEE Transactions on Reliability, 2015, 65(1): 350-358) divide system failures into wear, penetration and escape failures. The different failures and the transitions between them are described with a stochastic Petri net to explore the trade-offs between different states. A further trade-off, between availability and security, arises because ACD reconfiguration can lead to system downtime. Chang et al. (Chang X, Shi Y, Zhang Z, et al. Job Completion Time under Migration-based Dynamic Platform Technique [J]. IEEE Transactions on Services Computing, PP(99): 1-1) proposed an SRN-based analytical model to study the impact of migration-based dynamic platform technology on task completion time under attack.
1) Petri net modeling is limited by computational complexity and by the complexity of the state diagram, so some detail has to be discarded.
2) Although the above technology uses a Petri net, the calculation result is produced by software, and an explicit mathematical expression in terms of the variables is absent.
Connell et al. (Connell W, Menasce D A, Albanese M. Performance modeling of moving target defenses with reconfiguration limits [J]. IEEE Transactions on Dependable and Secure Computing, 2018) propose a Markov-based quantitative analysis model to evaluate task performance under MTD, an approach that relies on mathematical methods rather than experimentation and favors a uniform explicit expression for general scenarios. This work provides the maximum reconfiguration rate that meets the stability constraints, helping users trade off security against performance. Although their work further analyzes performance related to reconfiguration, it does not address security assessment.
1) The theoretical result of the mathematical method is difficult to verify and differs from the actual situation.
2) The above technology only provides performance evaluation indexes such as reconfiguration rate and system stability; security-related indexes are insufficient.
Disclosure of Invention
The invention aims to provide an active defense network evaluation method based on a multiple fusion method, in order to solve the technical problem of evaluating the effectiveness of ACD and characterizing the evaluation methods, so as to derive the application scenario each method suits best and to provide guidance for designing and analyzing ACD with an appropriate method.
The invention is realized as follows. The active defense network evaluation method based on the multiple fusion method comprises the following steps:
S1, describing the confrontation between an attacker and a defender in an active defense system as a race model;
S2, describing and solving the transition process of the coarse-grained attack model with a semi-Markov chain;
S3, describing the detailed attack, decision and defense processes in the active defense system with a stochastic reward net (SRN) model, expressed and solved by means of an intuitive graph;
S4, performing network security and performance evaluation by using the SimPy real-time event generator to simulate experimentally the task execution, interruption, decision and reconfiguration processes under attack during defense.
In a further technical scheme of the invention, in step S1 both the defending executors and the attacker aim to output enough target results to convince the RMS, and the winner is the party that first produces k identical vectors. Because of the heterogeneous structure of the executors, the maximum number of consistent tampered vectors is denoted z, with 0 ≤ z ≤ N, and the system is classified into different states according to the value of z.
In a further technical scheme of the invention, the states corresponding to the number of tampered vectors are as follows: z = 0 is the normal working state, in which the system has no compromised executors and all executors work normally; 0 < z ≤ N-k is the nonspecific sensing state, in which the attacker has tampered with very few results and cannot confuse the RMS; N-k < z ≤ N is the wear state, in which the attacker and the defender each account for a certain number of executor outputs, or the attacker has tampered most executors into different error vectors; k ≤ z ≤ N is the penetration state, in which most executors have been tampered by the attacker into the same error vector, which the RMS judges to be the correct result and outputs; z = N is the attack escape state, in which the attacker is capable and fast enough to tamper with the results of all executors and output the same error vector within a short time, so that the attacker takes control of the system without triggering an alarm to the defender; this is the most harmful state.
In a further technical scheme of the invention, the repair (defense) actions of the system in an active defense network include eviction and disabling, where eviction is divided into correct eviction and incorrect eviction. When the RMS receives differing vectors, it judges the majority result vector to be the correct vector, and the executors that output a minority vector are marked as suspicious executors and replaced by standby executors. For states N and S the decision is correct: the correct result is output and the suspicious executors are replaced, a behavior called eviction. For state P the RMS decision is wrong: the few executors that gave the correct result are replaced, a behavior called miseviction. When there are at least two distinct output vectors and none of them meets the output threshold k, all online executors are replaced, an action called disabling. In addition, virtual machine migration protects the system from E failures by replacing all online executors with standby executors at a fixed frequency; this act of actively updating the overall system configuration is referred to as random disturbance.
In a further technical scheme of the invention, in step S2, each time a new executor is compromised, the attacker either goes on to attack the next target, if no decision has been made, or returns to the initial state because of a decision.
In a further technical scheme of the invention, in step S2, according to the defense policy, if any executor completes its task and produces a correct result during the attack, the system detects the attacker and is repaired, and does not enter the attack escape state. The limiting probability p_E that the system ends up in the E failure is: wherein T_E is the steady-state time spent in the E failure, ω is the dynamic migration frequency, λ_1 is the probability of breaking through the first executor, λ_N is the probability of breaking through the N-th executor, T_0 is the dwell time in preparation, T_1 is the dwell time after breaking through the first executor, T_N is the dwell time after breaking through the N-th executor, T_{N-1} is the dwell time after breaking through the (N-1)-th executor, and λ_{N-1} is the probability of breaking through the (N-1)-th executor.
In a further technical scheme of the invention, the stochastic reward net model consists of a task sub-model and an attack sub-model. The task sub-model represents a task executed in an online executor, which either completes with a correct output or is broken by an attack. The attack sub-model starts from the token at P_0, which represents an attack entering the system and preparing to attack.
In a further technical scheme of the invention, the guard functions in the stochastic reward net model steer the attack token in different directions by monitoring the outputs of all executors. A guard function is a Boolean expression; when it returns false, its associated transition is disabled. A timed transition in the stochastic reward net model is associated with a random duration. An immediate transition, which has no delay, is controlled by a guard function and a transition probability: the guard function controls whether the random decision takes place, after which the token moves to the different decision results with different transition probabilities.
In a further technical scheme of the invention, in step S4, SimPy is a process-based discrete-event simulation framework based on standard Python. It supports multiple processes competing for access to resources: if a resource is busy, event queuing is handled automatically, and a running process can be interrupted under a preset condition.
Another object of the present invention is to provide an active defense network evaluation system based on a multiple fusion method, which includes:
a race model description module, used for describing the confrontation between an attacker and a defender in the active defense system as a race model;
a transition process module, used for describing and solving the transition process of the coarse-grained attack model with a semi-Markov chain;
an intuitive graph module, used for describing the detailed attack, decision and defense processes in the active defense system with a stochastic reward net model, expressed and solved by means of an intuitive graph;
an evaluation module, used for performing network security and performance evaluation by using the SimPy real-time event generator to simulate experimentally the task execution, interruption, decision and reconfiguration processes under attack during defense;
in the race model description module, both the defending executors and the attacker aim to output enough target results to convince the RMS, and the winner is the party that first produces k identical vectors; because of the heterogeneous structure of the executors, the maximum number of consistent tampered vectors is denoted z, with 0 ≤ z ≤ N, and the system is classified into different states according to the value of z;
the states corresponding to the number of tampered vectors are as follows: z = 0 is the normal working state, in which the system has no compromised executors and all executors work normally; 0 < z ≤ N-k is the nonspecific sensing state, in which the attacker has tampered with very few results and cannot confuse the RMS; N-k < z ≤ N is the wear state, in which the attacker and the defender each account for a certain number of executor outputs, or the attacker has tampered most executors into different error vectors; k ≤ z ≤ N is the penetration state, in which most executors have been tampered by the attacker into the same error vector, which the RMS judges to be the correct result and outputs; z = N is the attack escape state, in which the attacker is capable and fast enough to tamper with the results of all executors and output the same error vector within a short time, so that the attacker takes control of the system without triggering an alarm to the defender; this is the most harmful state;
in an active defense network, the repair (defense) actions of the system include eviction and disabling, where eviction is divided into correct eviction and incorrect eviction; when the RMS receives differing vectors, it judges the majority result vector to be the correct vector, and the executors that output a minority vector are marked as suspicious executors and replaced by standby executors; for states N and S the decision is correct: the correct result is output and the suspicious executors are replaced, a behavior called eviction; for state P the RMS decision is wrong, and the few executors that gave the correct result are replaced, a behavior called miseviction; when there are at least two distinct output vectors and none of them meets the output threshold k, all online executors are replaced, an action called disabling; in addition, virtual machine migration protects the system from E failures by replacing all online executors with standby executors at a fixed frequency, and this act of actively updating the overall system configuration is referred to as random disturbance;
in the transition process module, each time a new executor is compromised, the attacker either goes on to attack the next target, if no decision has been made, or returns to the initial state because of a decision;
in the transition process module, according to the defense policy, if any executor completes its task and produces a correct result during the attack, the system detects the attacker and is repaired, and does not enter the attack escape state; the limiting probability p_E that the system ends up in the E failure is: wherein T_E is the steady-state time spent in the E failure, ω is the dynamic migration frequency, λ_1 is the probability of breaking through the first executor, λ_N is the probability of breaking through the N-th executor, T_0 is the dwell time in preparation, T_1 is the dwell time after breaking through the first executor, T_N is the dwell time after breaking through the N-th executor, T_{N-1} is the dwell time after breaking through the (N-1)-th executor, and λ_{N-1} is the probability of breaking through the (N-1)-th executor;
the stochastic reward net model consists of a task sub-model and an attack sub-model; the task sub-model represents a task executed in an online executor, which either completes with a correct output or is broken by an attack; the attack sub-model starts from the token at P_0, which represents an attack entering the system and preparing to attack;
the guard functions in the stochastic reward net model steer the attack token in different directions by monitoring the outputs of all executors; a guard function is a Boolean expression, and when it returns false its associated transition is disabled; a timed transition in the stochastic reward net model is associated with a random duration; an immediate transition, which has no delay, is controlled by a guard function and a transition probability: the guard function controls whether the random decision takes place, after which the token moves to the different decision results with different transition probabilities;
SimPy in the simulation verification module is a process-based discrete-event simulation framework based on standard Python; it supports multiple processes competing for access to resources: if a resource is busy, event queuing is handled automatically, and a running process can be interrupted under a preset condition.
The beneficial effects of the invention are as follows: the method evaluates the effectiveness of ACD quantitatively and comprehensively, and it summarizes the characteristics of the different evaluation models during the evaluation so as to suggest an application scenario for each, thereby providing guidance for designing and analyzing ACD with an appropriate method.
Drawings
Fig. 1 is a schematic diagram of an ACD architecture according to an embodiment of the present invention.
Fig. 2 is a system state transition diagram provided in an embodiment of the present invention.
Fig. 3 is a schematic diagram of 5 SCVs according to an embodiment of the present invention.
Fig. 4 is a semi-Markov chain state transition diagram of an attack model provided by an embodiment of the present invention.
Fig. 5 is a schematic diagram of an improved generalization of the semi-Markov model according to an embodiment of the present invention.
Fig. 6 is a schematic diagram of an SRN model (i ∈ [2, N-1], j ∈ [2, N]) provided by an embodiment of the present invention.
Fig. 7 is a schematic diagram of experimental control flow provided in an embodiment of the present invention.
Detailed Description
ACD: Adaptive Cyber Defense (active defense network)
MTD: Moving Target Defense
CMD: Cyber Mimic Defense (cyberspace mimic defense)
SRN: Stochastic Reward Net
SCV: Service Component Version (executor, also called isomer)
RMS: Resource Management System
VM: Virtual Machine
NVP: N-Version Programming
TBA: To Be Added
Technical problems to be solved by the application
Deploying ACD technology inevitably involves a trade-off between security and overhead. However, most existing studies use only one method to evaluate ACD, few studies compare several methods to verify their reliability, and work that studies these methods and compares their characteristics, so as to overcome the problem of specialized and isolated solutions, is currently lacking. The active defense network evaluation scheme based on the triple method is intended to evaluate the effectiveness of ACD and characterize the evaluation methods, so as to derive the application scenario each method suits best and to provide guidance for designing and analyzing ACD with an appropriate method.
Introduction to the application
Table 1 variable names and description thereof
The application provides an active defense network effectiveness evaluation scheme based on three methods. We treat the defense process as a race between an attacker and a defender. On this basis we use and compare three methods, namely a semi-Markov model, a stochastic reward net (SRN) and simulation experiments, and finally carry out a comprehensive effectiveness evaluation of ACD.
System description
Active defense system framework
The purpose of ACD is to build a secure system out of vulnerable components. A virtual system on a cloud computing platform is taken here as an example of an ACD, as shown in Fig. 1. The virtual ACD system creates VMs and assigns them to physical servers. An ACD system consists of a pool of heterogeneous service component versions (SCVs), also known as isomers, and a Resource Management System (RMS). We assume that the hardware-based RMS is trusted and that SCVs do not collude with each other.
NVP is a common redundant heterogeneous technology that can improve the reliability of critical software or services. Different SCVs are functionally equivalent but structurally heterogeneous. In the proposed architecture there are N SCVs, including online SCVs that perform the same tasks in parallel and standby SCVs that serve as replacements.
VM migration is another common technique for cloud computing security in ACDs. Based on VM migration, the online SCVs are replaced with new SCVs at a fixed frequency to expose potential hidden attackers.
The online SCVs are managed dynamically by the RMS, which also acts as the arbiter. The RMS distributes tasks to a plurality of online SCVs and makes decisions on their outputs according to predetermined voting rules. Common rules include majority voting, bayer pattern voting, and threshold voting. In the present invention we take threshold voting as an example. Based on the voting results, the RMS organizes the online SCVs for the next round.
Processing procedure
A user request is assigned to the online SCVs and executed by each of them independently. After a period of time, each SCV feeds its output vector back to the RMS. The RMS waits and compares the received outputs until it has received enough identical vectors, or until all SCVs have completed their tasks, and then makes a decision. Taking k as the output threshold, the decision rule is as follows:
1. If the same vector is received k times, it is considered the correct output and is given to the user as the response. The other SCVs, which sent different vectors, are considered suspicious executors.
2. When all SCVs have completed the task, if every vector appears fewer than k times, the RMS returns an error message and treats all SCVs as suspicious executors.
In the next round, the RMS selects new SCVs from the standby SCVs to replace the suspicious SCVs. Vectors from an unattacked SCV express the correct computation result and must therefore be consistent. However, because of the heterogeneity among executors, even an attacker who targets a specific error vector finds it difficult to make all tampered results agree. The probability that any two SCVs produce the same erroneous result can be measured and calculated for the actual scenario; the present invention takes 0.01% as an example.
Attack rules
Depending on the extent of damage, three different attack scenarios are considered: (a) confidentiality attack, (b) availability attack, (c) authenticity attack. In the first case, the attacker's goal is to compromise a small number of SCVs (< N-k) to gather some information, for example through traffic analysis and eavesdropping, without interfering with the database. In the second case, the attacker aims to shut down system functionality by compromising a certain number (≥ N-k) of SCVs, for example through tampering, forgery, or denial of service (DoS). In the third case, the attacker aims to tamper with the system's result, thereby affecting authenticity; here the attacker achieves the goal by compromising most SCVs (≥ k). The first two cases can be regarded as special cases of the last, and the proposed models can be adapted to describe them. We assume that there is only one attacker in the system, that the attacker can attack only one SCV at a time, and that the attacker tries to compromise as many SCVs as possible.
The attacker sends requests carrying malware to the RMS. The RMS finds these malicious requests difficult to distinguish from ordinary user requests, so it assigns them to the online SCVs together with the rest of the same batch of requests. The attacker prepares to launch the attack during the distribution process.
The response time of an SCV is the time from receiving the task to outputting the vector; these time intervals are assumed to be independent and exponentially distributed. The attacker cannot predict the order in which the SCVs output their results, so the executors are attacked in random order.
In an attack on a single executor, the attack can preempt task execution and occupy resources. The attack therefore succeeds as long as the selected executor has not yet completed the task. If the selected SCV has already output its result for this round, that result has not been tampered with, and the attacker randomly selects the next SCV as the target. The attacker attacks the SCVs one by one until the RMS makes a decision. We also consider more aggressive attackers that automatically learn from previous attacks in order to launch faster, more damaging attacks. That is, if a similar vulnerability reappears in a different SCV, the attack on the new SCV is accelerated.
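A Monte Carlo sketch of one task round under the attack rules above, added here as an example (it is not code from the patent and does not use SimPy). Assumptions of this example: attack durations and the attacker's preparation delay are exponential with rate `lam`, a compromised SCV emits its tampered vector when the attack on it finishes, each tampered vector matches the attacker's target with probability `p_agree`, and `learn` > 1 models the accelerating attacker; the escape state is not modelled because the RMS decides as soon as k vectors agree.

```python
import random
from collections import Counter

HONEST = "ok"    # the one correct vector every unattacked SCV produces
TARGET = "evil"  # the error vector the attacker is aiming for (constructed name)


def run_round(n, k, mu, lam, p_agree, learn, rng):
    """Simulate one task round and return the resulting state: W, NS, A or P."""
    # Independent, exponentially distributed SCV response times (from the text).
    finish = [rng.expovariate(mu) for _ in range(n)]
    order = list(range(n))
    rng.shuffle(order)                 # attacker cannot predict the output order
    t = rng.expovariate(lam)           # assumed preparation delay before first attack
    rate = lam
    seized_at = {}                     # scv -> time the attacker preempted its task
    events = []                        # (time, vector) pairs as seen by the RMS
    for scv in order:
        if finish[scv] <= t:
            continue                   # result already output, cannot be tampered
        seized_at[scv] = t             # attack preempts the still-running task
        t += rng.expovariate(rate)     # assumed attack duration
        vec = TARGET if rng.random() < p_agree else f"err-{scv}"
        events.append((t, vec))
        rate *= learn                  # learning attacker speeds up after a success
    events += [(finish[s], HONEST) for s in range(n) if s not in seized_at]

    counts = Counter()
    for when, vec in sorted(events):   # RMS compares vectors in arrival order
        counts[vec] += 1
        if counts[vec] >= k:           # threshold reached: RMS decides now
            if vec != HONEST:
                return "P"             # penetration: tampered vector accepted
            tampered = any(s < when for s in seized_at.values())
            return "NS" if tampered else "W"
    return "A"                         # wear: no vector reached k, error returned


def estimate(n=5, k=3, mu=1.0, lam=1.0, p_agree=0.0001, learn=1.0,
             trials=5000, seed=1):
    """Estimate the frequency of each end-of-round state over many rounds."""
    rng = random.Random(seed)
    tally = Counter(run_round(n, k, mu, lam, p_agree, learn, rng)
                    for _ in range(trials))
    return {state: tally[state] / trials for state in ("W", "NS", "A", "P")}


if __name__ == "__main__":
    # Default p_agree is the 0.01% figure the text uses as its example.
    for lam in (0.1, 1.0, 10.0):
        print(lam, estimate(lam=lam))
```

Sweeping `lam` against `mu` shows how the round shifts from normal operation to wear as the attacker gets faster, and raising `p_agree` shows how much of that wear turns into penetration once tampered outputs start to agree.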
Race model
1) Definition
The present invention describes the contest between an attacker and a defender as a race model. The defending executors and the attacker both aim to output enough target results to persuade the RMS. The winner is the party that first generates k identical vectors.
We define 4 defensive actions and 5 corresponding states, as shown in Fig. 2. Because the SCVs are heterogeneous, the tampered results may not all be the same. The maximum number of consistent tampered vectors is denoted z (0 ≤ z ≤ N). Red triangles and blue rectangles are used to distinguish the different tampered vectors. The green dot indicates the correct result. The system starts in the operating state and can be attacked at any time.
z=0: normal operation (W). The system works properly without a damaged SCV. The N correct results are sent to the RMS and then output by the RMS to the user.
0 < z ≤ N-k: nonspecific sensing (NS). The number of results tampered with by the attacker is very small and cannot confuse the RMS. The attacked SCVs will be distinguished from the other SCVs.
N-k < z ≤ N: wear (A). In this state, neither the attacker nor the defender occupies enough SCVs, or the attacker has compromised most SCVs but with different vectors. At this point, none of the results collected by the RMS exceeds k and becomes dominant. Thus, no result can be output as a response.
k ≤ z ≤ N: penetration (P). Most SCVs are tampered with to output the same vector, which is considered the correct result and is output.
z = N: attack escape (E). In this case, the attacker's capability is strong enough and the attack fast enough that the results of all executors are tampered with and the same erroneous vector is output in a short time. The attacker takes control of the system without triggering an alarm to the defender. This is the most dangerous situation, as the attacker can launch a devastating attack at any time.
For the different states, the system's corresponding repair actions are as follows:
Eviction (e) and miseviction (m). When the RMS receives different vectors, the majority result vector is judged to be the correct vector, and the executors that output minority vectors are marked as suspicious and replaced by standby executors. For state NS, the decision is correct: the correct result is output and the suspicious executors are replaced, an action called eviction. For state P, the RMS decision is erroneous, and the small number of executors that gave the correct result are replaced. Because of this erroneous decision, we say that the RMS mis-evicts the honest SCVs. Notably, the RMS cannot immediately distinguish between actions e and m. They are distinguished afterwards, based on whether the results of the new online SCVs agree with the old ones. If the results still fail to agree, the RMS becomes aware that the decision was problematic and takes follow-up action such as deactivation.
Deactivation (s). When there are at least two different output vectors but none of them satisfies the output threshold k, all online SCVs are replaced.
Random disturbance (d). Most of the previous states are repaired by the defensive actions described above, except for the E failure, since it does not trigger any alarm in the system. Virtual machine migration protects the system from E failures by replacing all online SCVs with backup SCVs at a fixed frequency. This update of the entire system configuration is called "random disturbance", and it makes it difficult for an attack to succeed in obtaining illegal privileges.
The ACD techniques used fall into three categories: heterogeneity, redundancy and dynamics.
Redundancy. Redundancy represents the repeated configuration of critical components. It is measured by a pair of parameters (N, k).
Heterogeneity. The system's defense and heterogeneity are described by (α, β). The attack time follows an exponential distribution with parameter $\alpha t_w$, where $t_w$ denotes the task response time. Considering the attacker's learning ability, the attack on $SCV_i$ is affected by the preceding attacks, and its parameter is denoted $\alpha t_w \beta^{i-1}$.
For example, in an ideal system described by (α=1, β=1), the attacker has the same speed as the defender. In such a system, the SCVs are built with a completely heterogeneous structure. The attacker's learning ability is counteracted: whatever prior knowledge the attacker has, the next executor encountered is always completely heterogeneous to the executors attacked earlier, so the same attack time is needed.
Dynamics. To prevent the system from falling into attack escape, the RMS performs random migration at frequency ω.
2) Decision process
An example that further illustrates the race model is shown in Fig. 3. There are 5 online SCVs (N=5), and the output threshold is 3 (k=3).
The SCVs are numbered No.1 to No.5 according to the attack order. The same request is assigned to the 5 SCVs at time 0, and the attack starts at the same time. At time $t_3$, $SCV_1$ has been destroyed and only $SCV_2$ and $SCV_5$ have output the correct result, but the number of identical results is 2, which has not yet reached the threshold k. Thus, the RMS needs to wait longer for the other SCVs to send their results. For the attacker, $SCV_2$ now becomes the new target. But because $SCV_2$ has completed its task, its result cannot be tampered with, and the attacker has no way to attack it. Thus, $SCV_3$ becomes the attacker's new target. While $SCV_3$ is under attack, $SCV_4$ outputs the correct result at time $t_4$. This provides k=3 identical vectors to the RMS, satisfying the decision condition. In this example, the SCVs ultimately output three correct vectors and two tampered results. The RMS selects the correct vector as the response, and $SCV_1$ and $SCV_3$ will be replaced.
The example in Fig. 3 illustrates one decision scenario. Depending on the speeds of the attacker and the defender, the ACD may exhibit different abnormal conditions, which require a series of subsequent defensive actions.
Semi-Markov model
When a new SCV is attacked, there are two possible directions for the attacker: (1) the next target is attacked because no decision is made, or (2) the model returns to the initial state because of a decision. The outcome is closely related to time-related parameters such as the attack and task completion speeds. The transition process is therefore described by a semi-Markov chain. A semi-Markov chain has the same state transitions as a Markov chain, but the transition times are random.
As shown in Fig. 4, each state $P_i$ represents an attack state. $P_0$ represents the operating state and has only one direction, towards $P_1$, with probability $\lambda_0 = 1$. This is because the first target ($SCV_1$) will certainly be tampered with successfully. For $P_i$, $i \in [1, N]$, i is the number of damaged SCVs in the system. Each $P_i$ has two directions: attack the next SCV, or return to the initial state $P_0$ because of a decision. When sufficient results have been collected, a decision is made and the system is repaired; $\mu_i$ denotes this decision probability. Conversely, if there is no decision, the attacker attacks the next SCV, with probability denoted $\lambda_i$. When all online SCVs have been tampered with, the attacker thoroughly destroys the system and escapes with probability $(0.01\%)^{N-1}$, resulting in attack escape $P_E$. Only VM migration can move the system from state $P_E$ back to state $P_0$. Using the semi-Markov chain, we can obtain the limit probability $p_i$ ($i \in [1, N]$) of i SCVs being attacked and the limit probability $p_E$ of attack escape.
If N increases, the number of cases to consider when calculating μ grows dramatically, and each decision probability $\mu_i$ has to be derived again. This introduces high computational complexity, so we simplify the attack process by focusing on whether the system falls into attack escape, and build the semi-Markov model shown in Fig. 5. We analyze the conditions that must be met for the system to fall into an E failure. According to the defense strategy, if any SCV completes its task and produces the correct result during the attack, the attacker is detected and the system is repaired without entering the attack escape state E. Therefore, attack escape occurs only if no correct output is available throughout the process.
1. Decision probability
As described above, $\lambda_0 = 1$.
$\mu_1$ represents the decision probability after the first SCV is destroyed. When k ≠ N, a decision is made if at least k SCVs output results. If k = N, it is not possible to collect enough correct results once $SCV_1$ has been tampered with. In this case, a decision is made if all other SCVs complete their work. $\lambda_1$ is then obtained from $\lambda_1 + \mu_1 = 1$.
The red arrow between states $P_{N-1}$ and $P_N$ indicates that, after breaking N-1 SCVs, the attacker continues to attack the last SCV without a decision being made; that is, no correct result is output to deter the attack during the entire period from breaking $SCV_1$ to breaking $SCV_{N-1}$. The last SCV is still working at this time, so it will be interrupted and knocked down. This requires that no SCV outputs a result during the attack on the first SCV or during the consecutive attacks on the second through (N-1)-th SCVs. The corresponding probabilities are denoted $qc_{N-1}$ and $q_{N-1}$, respectively.
The value of $qc_{N-1}$ is calculated as a conditional probability, conditioned on there being no decision after the first SCV is knocked down. The probability of no result being output after the first SCV is destroyed is:
Under the "no decision" condition, $qc_{N-1}$ is calculated as follows:
During the continuous attack on the second through (N-1)-th SCVs, the non-attacked SCVs are working the whole time. The number of non-attacked SCVs decreases from N-2 to 1. As the number of infected SCVs increases, the attacks keep accelerating because of accumulated information and learning ability. The attack time of $SCV_i$ follows an exponential distribution with the corresponding parameter. Therefore, the probability that no correct result is output in this state is:
The probability of entering the next state and attacking the last SCV is:
$\lambda_{N-1} = qc_{N-1} \cdot q_{N-1}$. (5)
After the last SCV is destroyed, a decision must be made. Escape occurs only when all tampered results agree with each other. This probability is given by:
$\lambda_N = 0.0001^{N-1}$ (6)
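2. Limit probability for each state
The steady-state probabilities $\pi_i$ satisfy the following conditions:
$\lambda_0 \pi_0 = \mu_1 \pi_1 + \lambda_1 \pi_1$ (7)
$\lambda_1 \pi_1 = \mu_{N-1} \pi_{N-1} + \lambda_{N-1} \pi_{N-1}$ (8)
$\lambda_{N-1} \pi_{N-1} = \mu_N \pi_N + \lambda_N \pi_N$ (9)
$\lambda_N \pi_N = \omega \pi_E$ (10)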
Each $\pi_i$ can then be expressed in terms of $\pi_0$. Since the sum of all probabilities equals 1, $\pi_0$ can be calculated as:
From the relation between $\pi_i$ and $\pi_0$, the value of $\pi_i$ can be obtained in a finite number of steps. The limit probability $p_i$, which represents the proportion of time the system stays in state i, is given by:
$T_i$ is the time spent in state i, which depends on the time and probability of each outgoing direction. For example, if the RMS makes a decision after the first SCV is broken, 1 time unit is required to push the attacker back to $P_0$. If the attacker continues the attack without a decision, it takes $\alpha \beta$ time units to destroy the second SCV. Thus, the expected time spent in state $P_1$ is $\mu_1 + \lambda_1 \alpha \beta$. Similarly, $T_i$ is roughly expressed as:
Then the limit probability $p_E$ of the E failure can be calculated as shown in equation (14). By combining formulae (1), (5), (6), (13) and (14), we obtain the relation between $p_E$ and the system parameters N, k, β, α and ω.
Here $T_E$ is the steady-state time spent in the E failure, ω is the dynamic migration frequency, $\lambda_1$ is the probability of breaking the first executor, $\lambda_N$ is the probability of breaking the N-th executor, $T_0$ is the dwell time during preparation, $T_1$ is the dwell time after breaking the first executor, $T_N$ is the dwell time after breaking the N-th executor, $T_{N-1}$ is the dwell time after breaking the (N-1)-th executor, and $\lambda_{N-1}$ is the probability of breaking the (N-1)-th executor.
Stochastic reward net (SRN) model
The decision result depends on the received vectors. The decision and defense process is complex, and it is difficult to describe the whole process with Markov chains alone. Therefore, we have devised an SRN-based model to describe these details and provide an intuitive graphical representation. The SRN-based model consists of a task sub-model and an attack sub-model, as shown in Fig. 6.
A. Task sub-model
The task sub-model represents tasks performed in the online SCV. It has two possible outcomes: completed with the correct output or broken by the attack. Because the first SCV must be interrupted, the task sub-model describes the tasks performed by the remaining N-1 SCVs.
The positions are represented by circles, which represent the system state. Transient transitions are represented as solid rectangles, while delay transitions are represented as open rectangles. Transient transitions are controlled by transition probabilities and guard functions. Delay transitions are measured by transition rates, where transition delays are random variables that follow an exponential distribution.
Each position $P_{jW}$ initially holds a token, indicating that $SCV_j$ has started executing its task. Transition $t_{jw}$ describes the process of executing the task and outputting the result, and moves the token to position $P_{jO}$. The task may be interrupted by an attack. This interruption is represented by the transient transition $t_{ji}$, which is controlled by the guard function $guard_j$. When the result of the corresponding SCV is tampered with, position $P_{jI}$ receives the token. Whether the token is in $P_{jO}$ or $P_{jI}$, the SCV has output its result for this round. The system then waits for the transient transition $t_{jf}$ or $t_{jr}$ to refresh or repair the SCV, indicating the start of a new round.
B. Attack submodel
The attack sub-model starts with a token at $P_0$, representing the attack entering the system and being ready to attack. If $P_i$ holds the token, i SCVs have been broken. When a new SCV is attacked, the attack token can move in different directions: either a decision is made (the horizontal direction), or the next SCV is attacked (the vertical direction) if the decision threshold has not been reached. This is controlled by the guard functions, which monitor the output conditions of all SCVs. If a decision is made, the token moves to the left or right according to different probabilities. Different directions represent different decision results and therefore different subsequent defensive actions. The name of position $P_{ix}$ consists of an element i and an element x, where i is the number of compromised SCVs and x is the system state. If $P_{iNS}$, $P_{iA}$ or $P_{iP}$ holds a token, the system as a whole is in state NS, A or P with i compromised SCVs. If $P_{i+1,T}$ holds a token, the attack target has moved to $SCV_{i+1}$. Furthermore, the E failure is the most dangerous state and is represented by position $P_E$.
Tables 2 and 3 list the transitions in the attack sub-model. The first transition, $t_f$, indicates the start of a new round. $t_{ijx}$ indicates that the number of damaged SCVs changes from i to j through action x. As an exception, if the number of damaged SCVs has not changed after action x is performed, i and j are the last elements of the input and output position names. Specifically, the action element x is one of attack (a), eviction (e), miseviction (m), deactivation (s), random disturbance (d), and arbitration (j).
C. Guard function
The SRN model embeds guard functions described in the C-based SPN language (CSPL), as shown in Table 3. A guard function is a Boolean expression; when it returns false, its associated transition is disabled.
TABLE 2 delay transitions in SRN model
TABLE 3 guard function
Positions $P_0$ and $P_{jW}$ each initially hold one token, representing attack preparation and task allocation, respectively. Transitions $t_{01a}$ and $t_{jw}$ are associated with these initial positions and describe the first SCV being attacked at rate $1/(\alpha t_w)$ while the other SCVs process their tasks at rate $1/t_w$. $t_{01a}$ and the $t_{jw}$ may fire in different orders, representing different orders of completing the attack and the tasks. Firing $t_{01a}$ indicates that the first SCV has been destroyed, and the token is placed in position $P_1$. The transitions $t_{1Sj}$ and $t_{12a}$ connected to $P_1$ are then triggered according to the functions $arbitrator_{1l}()$ and $arbitrator_{1d}()$, depending on whether the decision condition is satisfied. At this time, a token in $P_{jO}$ indicates that the non-attacked executor $SCV_j$ completed its task before the first SCV was knocked down. If the number of tokens that have reached the $P_{jO}$ positions exceeds the threshold k, then $arbitrator_{1l}()$ returns 1 and $arbitrator_{1d}()$ returns 0. At this point the system is ready to make a decision, and the attacker cannot attack any more SCVs.
If the decision condition has not been met after $SCV_1$ is attacked, some SCVs have not yet output their results. The attacker selects $SCV_2$ as the new target, and its function $interrupt_2()$ returns 1. If the token of $SCV_2$ is still at position $P_{2W}$, the unfinished task is interrupted and $SCV_2$ is attacked. If the token of $SCV_2$ is at position $P_{2O}$, $SCV_2$ has already completed its task. The attacker then tries to attack $SCV_3$, and the function $interrupt_3()$ returns 1. If the token of $SCV_3$ is at position $P_{3W}$, $SCV_3$ is attacked. If not, the attacker takes $SCV_4$ as its new target, and so on. To describe this procedure, the function $interrupt_j()$ of $SCV_j$ is defined as Algorithm 1.
Every time a new SCV is attacked, the decision conditions are checked. When the number i of attacked SCVs is at most N-k, if the number of outputs from non-attacked SCVs reaches k, then $arbitrator_{il}$ returns 1 and $arbitrator_{id}$ returns 0, indicating that the RMS is ready to make a decision. In this case, the decision result is certainly nonspecific sensing. When the number i of attacked SCVs exceeds N-k, the number of honest SCVs is very small and they cannot output sufficient results. In this case, if all honest SCVs have completed their tasks, then $arbitrator_{il}$ returns 1 and $arbitrator_{id}$ returns 0. The decision results are split between the A and P states with different firing probabilities. If all SCVs are corrupted (i = N), the RMS is ready to make a decision.
The decision marks the end of the round. The functions $flash_a()$ and $flash_d()$ ensure that the participants begin the race at the same time in the next round. When the token of the attack sub-model is placed at $P_{ini}$, the attacker has returned to the initial state and prepares for the attack. The function $flash_d()$ then returns 1. Thereafter, the token of each task sub-model returns to $P_{iW}$, indicating that all SCVs have been repaired and are ready to operate. The function $flash_a()$ therefore returns 1, which indicates the start of a new round.
D. Model parameterization
In the SRN, delay transitions are associated with random durations, as shown in Table 2. For a delay transition that represents a repair action, we assume a negative correlation between its delay and the number of SCVs involved. For example, the delay of the e action is i (i.e., r = 1/i), because this action only affects the i compromised SCVs that are evicted. The other transitions are associated with attack and task response times.
Transient transitions have no delay and are controlled by guard functions and transition probabilities. The guard function controls whether a decision is made, and the token then moves to the different decision results with different transition probabilities. For i ≤ N-k, the decision is necessarily NS, so the probability $\varepsilon_{iSj} = 1$. For $i \in (N-k, k)$, neither the attacker nor the defender can output a result k or more times, thus $\varepsilon_{iAj} = 1$. For $i \in [k, N]$ there are two possible directions, $t_{iAj}$ or $t_{iPj}$, with probabilities $\varepsilon_{iAj}$ and $\varepsilon_{iPj}$, respectively. The choice of direction depends on whether the maximum number of consistent tampered results z reaches k.
$\varepsilon_{iAj} = 1 - \varepsilon_{iPj}$
In particular, if i = N, $\varepsilon_{NEj} = 1 \times 10^{-4(N-1)}$ and $\varepsilon_{NAj} = 1 - \varepsilon_{NPj} - \varepsilon_{NEj}$.
Once the SRN has been built, it can be solved with the SPNP software.
Experimental method
The two former methods (semi-Markov and SRN) rely on mathematical models. We further simulate the defense process experimentally using SimPy, a process-based discrete-event simulation framework based on standard Python. SimPy supports multiple processes competing for access to resources; if a resource is busy, it automatically handles event queuing. A running process can be interrupted under preset conditions. SimPy is therefore well suited as a real-time event generator for simulating task execution, interruption, decision, and reconfiguration under attack.
As shown in Fig. 7, the simulated ACD runs on different servers and starts a separate task for each SCV. An attack is launched at the same time. The attacker attempts to destroy each online SCV with a limited attack capability, which is represented by a shared resource. An attack on a particular SCV must acquire this shared attack resource, so all attacks on working SCVs contend for the same resource. Various states are used to track the online SCVs. The task flow keeps the online SCVs busy. After receiving a task, an SCV processes the client's request in the operating state. Only SCVs in operation are vulnerable to attack. When the attacker obtains the shared attack resource, it preempts the task and crashes the SCV after the attack duration. After the attacked SCV has been knocked down, the attacker releases the lock on the attack resource and waits for another SCV to attack. Every time a new SCV is destroyed, a check is made on whether the number of SCVs in the standby state and their outputs trigger a decision. If a decision is made, the damaged SCVs are repaired with the defensive action that corresponds to the decision result, so as to restore the working state. Otherwise, the attacker requests the released attack resource to attack the next SCV. After decision and repair, all SCVs are refreshed to enter the next round. The simulator draws random values for the durations of work, attack and repair from exponential distributions.
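One round of the race, and a Monte Carlo loop over many rounds, can be followed in plain Python. This is an added example, not the patent's SimPy program: it uses only the standard library, takes its decision rules from the guard-function description above, and all function and parameter names are hypothetical. It assumes that the learning exponent counts the SCVs already broken and that each further tampered vector matches the first with probability `agree`.

```python
import random
from collections import Counter


def classify(correct, z, N, k):
    """Map a decided round to the page's states NS / A / P / E."""
    if correct >= k:
        return "NS"  # correct majority: the tampered SCVs are evicted
    if z == N:
        return "E"   # every vector tampered identically: no alarm is raised
    if z >= k:
        return "P"   # tampered majority is accepted: honest SCVs mis-evicted
    return "A"       # no vector reaches k: all online SCVs are deactivated


def race_round(task_times, attack_times, labels, N, k):
    """Play one round with explicit times; SCVs are indexed in attack order.

    task_times[j]   time at which SCV j would output the correct vector
    attack_times[i] duration of the attacker's (i+1)-th successful attack
    labels[j]       id of the vector SCV j emits if tampered (equal ids agree)
    Returns (state, indices of the broken SCVs).
    """
    if not (0 < k <= N and 2 * k > N):
        # Assumption: k is a majority threshold, as the eviction rule implies.
        raise ValueError("k must satisfy N/2 < k <= N")
    t, broken = 0.0, []
    for j in range(N):
        if broken and task_times[j] <= t:
            continue  # SCV j already output its result; it cannot be tampered
        t += attack_times[len(broken)]  # the attack preempts the running task
        broken.append(j)
        honest = [i for i in range(N) if i not in broken]
        correct = sum(1 for i in honest if task_times[i] <= t)
        still_working = len(honest) - correct
        # Decision rule: with i <= N-k broken SCVs, k correct outputs are
        # needed; beyond that, the RMS waits until every honest SCV is done.
        if len(broken) <= N - k:
            ready = correct >= k
        else:
            ready = still_working == 0
        if ready:
            z = max(Counter(labels[i] for i in broken).values())
            return classify(correct, z, N, k), broken
    raise AssertionError("unreachable: every round ends with a decision")


def simulate(rounds, N, k, alpha, beta, agree, t_w=1.0, seed=1):
    """Tally decision states over many rounds with exponential durations."""
    rng = random.Random(seed)
    tally = Counter()
    for _ in range(rounds):
        tasks = [rng.expovariate(1.0 / t_w) for _ in range(N)]
        # Mean attack time alpha * t_w * beta**i after i earlier successes.
        attacks = [rng.expovariate(1.0 / (alpha * t_w * beta ** i))
                   for i in range(N)]
        # Each later tampered vector copies the first with probability agree.
        labels = [0 if j == 0 or rng.random() < agree else j
                  for j in range(N)]
        state, _ = race_round(tasks, attacks, labels, N, k)
        tally[state] += 1
    return tally


if __name__ == "__main__":
    # Constructed times that replay the Fig. 3 walk-through (N=5, k=3).
    print(race_round([9, 1, 10, 4, 2], [3, 2, 1, 1, 1], [0, 1, 2, 3, 4], 5, 3))
    for alpha in (0.2, 1.0, 5.0):
        print(alpha, dict(simulate(20000, 5, 3, alpha, beta=0.8, agree=1e-4)))
```

Setting `agree=1.0` models fully homogeneous SCVs and shows how quickly penetration and escape appear once tampered vectors agree, which is the effect the heterogeneity parameter is meant to suppress.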
Evaluation scheme comparison
Based on the above methods, we compare common evaluation methods and give usage advice, as shown in Table 4.
TABLE 4 evaluation method comparison
1. Race model: this is the first work to describe the defense process as a race model between an attacker and a defender. Compared with earlier probability-based evaluation methods, the processing mechanisms and processing speeds of the attacker and the defender are easier for the designer to obtain.
2. Semi-Markov model: without going too far into the details of attack and defense behavior, a semi-Markov model is established first, generalized according to the capabilities of the attacker and the defender, and used to determine a rough research scope.
3. SRN: the SRN is built on the same assumptions as the semi-Markov model. The SRN captures the various behaviors of the attacker and the defender using fine-grained information, provides an intuitive graphical representation of the system state changes they cause, and predicts the attack result.
4. Experimental method: to validate the semi-Markov and SRN-based models and further expand the analysis dimensions, experiments are performed using SimPy, simulating the process of attacks interrupting task scheduling.
5. Fusion method: by combining the three methods, a comprehensive evaluation of the active defense mechanism is obtained. The semi-Markov-based model provides an explicit functional representation, the SRN-based model provides an intuitive graphical representation, and the experiments ensure the reliability of the evaluation. The degree of difference between the results of these evaluation methods is described by a relative error rate.
Another object of the present invention is to provide an active defense network evaluation system based on a multiple fusion method, which includes:
a race model description module, used for describing the contest between an attacker and a defender in the active defense system as a race model;
a transition process module, used for describing the transition process of the attacker's attack model through a semi-Markov chain;
a visual graph module, used for describing the attack, decision and defense processes in the active defense system through a stochastic reward net (SRN) model and expressing them with intuitive graphs;
and an evaluation module, used for performing network evaluation by simulating the defense process experimentally, with SimPy as a real-time event generator simulating task execution, interruption, decision and reconfiguration under attack.
In the race model description module, the defending executors and the attacker both aim to output enough target results to convince the RMS, and the winner is the party that first generates k identical vectors. Because the executors are heterogeneous, the maximum number of consistent tampered vectors is denoted z, with 0 ≤ z ≤ N, and the executors are classified into different states according to the value of z.
The states corresponding to the number of tampered vectors are as follows: z = 0 is normal operation, in which the system has no damaged executor; 0 < z ≤ N-k is nonspecific sensing, in which the number of results tampered with by the attacker is very small and cannot confuse the RMS; N-k < z ≤ N is wear, in which neither the attacker nor the defender occupies enough executors, or the attacker has damaged most executors with different vectors; k ≤ z ≤ N is penetration, in which most executors are tampered with to output the same vector, which is considered the correct result and is output; z = N is attack escape, in which the attacker's capability is strong enough and the attack fast enough that the results of all executors are tampered with and the same erroneous vector is output in a short time, so the attacker takes control of the system without triggering an alarm to the defender.
The system repair actions for the different states in the active defense network are as follows: 1. eviction and miseviction: when the RMS receives different vectors, the majority result vector is judged to be the correct vector, and the executors that output minority vectors are marked as suspicious and replaced by standby executors; for state NS, the decision is correct, the correct result is output and the suspicious executors are replaced, an action called eviction; for state P, the RMS decision is erroneous and the small number of executors that gave the correct result are replaced, an action called miseviction; 2. deactivation: when there are at least two output vectors and none of them satisfies the output threshold k, all online executors are replaced; 3. random disturbance: virtual machine migration updates the entire system configuration by replacing all online executors with standby executors at a fixed frequency, protecting the system from E failures.
In the transition process module, when a new executor is attacked, the attacker either attacks the next target because no decision is made, or returns to the initial state because of a decision.
According to the defense strategy, if any executor completes its task and produces the correct result during the attack, the attacker is detected and the system is repaired without entering the attack escape state. The limit probability $p_E$ of the system falling into the E failure is: where $T_E$ is the steady-state time spent in the E failure, ω is the dynamic migration frequency, $\lambda_1$ is the probability of breaking the first executor, $\lambda_N$ is the probability of breaking the N-th executor, $T_0$ is the dwell time during preparation, $T_1$ is the dwell time after breaking the first executor, $T_N$ is the dwell time after breaking the N-th executor, $T_{N-1}$ is the dwell time after breaking the (N-1)-th executor, and $\lambda_{N-1}$ is the probability of breaking the (N-1)-th executor.
The stochastic reward net (SRN) model consists of a task sub-model and an attack sub-model. The task sub-model represents a task executed in an online executor, which either completes with the correct output or is broken by the attack. The attack sub-model starts with a token at $P_0$, representing the attack entering the system and being ready to attack.
The guard functions in the SRN model control the direction in which the attack token moves by monitoring the output conditions of all executors. A guard function is a Boolean expression; when it returns false, its associated transition is disabled. Delay transitions in the SRN model are associated with random durations. Transient transitions have no delay and are controlled by guard functions and transition probabilities: the guard function controls whether a decision is made, and the token then moves to the different decision results with different transition probabilities.
The SimPy used in the simulation verification module is a process-based discrete-event simulation framework based on standard Python. It supports multiple processes competing for access to resources; if a resource is busy, event queuing is handled automatically, and a running process can be interrupted under preset conditions.
The foregoing description of the preferred embodiments of the invention is not intended to be limiting, but rather is intended to cover all modifications, equivalents, and alternatives falling within the spirit and principles of the invention.

Claims (7)

1. The active defense network evaluation method based on the multiple fusion method is characterized by comprising the following steps of:
s1, describing the fight process of an attacker and a defender in an active defense system as a race model;
s2, describing and solving a transfer process of the rough attack model through a half Markov chain;
s3, describing detailed attack, judgment and defense processes in an active defense system through a random return network model, and expressing and solving by using an intuitive graph;
s4, performing network security and performance evaluation by using a SimPy real-time event generator through task execution, interruption, judgment and reconfiguration processes under attack in an experimental simulation defense process;
in step S1, the defending executors and the attacker both aim to output enough target results to convince the RMS (Resource Management System); the winner is the party that first generates k identical vectors; according to the heterogeneous structure of the executors, the maximum number of consistent tampered vectors of the executors is denoted z, with 0 ≤ z ≤ N, and the system is classified into different states according to the value of z;
the states corresponding to the number of tampered vectors of the executors are as follows: when z = 0, the system is in the normal working state, with no compromised executors and all executors working normally; when 0 < z ≤ N-k, the system is in the nonspecific sensing state, in which the attacker has tampered with very few results, so the RMS cannot be confused; when N-k < z ≤ N, the system is in the wearing state, in which the attacker and the defender each produce the output of a certain number of executors, or the attacker tampers most executors into different error vectors; when k ≤ z ≤ N, the system is in the penetration state, in which most executors are tampered by the attacker into the same error vector, and the RMS judges that vector to be the correct result and outputs it; when z = N, the system is in the attack escape state, in which the attacker's capability is strong enough and the attack fast enough that all executor results are tampered and the same error vector is output in a short time; the attacker then takes over the system, and this is the most harmful state because no alarm is raised to the defender;
in an active defense network, the system's repair and defense actions include eviction and disabling, wherein eviction is divided into correct eviction and mis-eviction; when the RMS receives different vectors, the majority result vector is judged to be the correct vector, and the executors outputting minority vectors are marked as suspicious executors and replaced by standby executors; for states N and S, the decision is correct: the correct result is output and the suspicious executors are replaced, a behavior called eviction; for state P, the RMS decision is erroneous, and the small number of executors giving the correct result are replaced, a behavior called mis-eviction; when there are at least two output vectors and none of them satisfies the output threshold k, all online executors are replaced, an action called disabling; in addition, virtual machine migration protects the system from the E failure by replacing all online executors with standby executors at a fixed frequency, and this act of actively updating the overall system configuration is referred to as random disturbance.
2. The method according to claim 1, wherein in step S2, when a new executor is attacked, the attacker either moves on to attack the next target because the system makes no judgment, or returns to the initial state because of the system's judgment.
3. The method for evaluating an active defense network based on the multiple fusion method according to claim 2, wherein in step S2, according to the defense strategy, if any executor completes its task and generates a correct result during the attack, the system will be repaired after the attacker is detected and will not enter the attack escape state; the limiting probability p_E of the system finally falling into the E failure is: wherein T_E is the steady-state time spent in the E failure, ω is the dynamic migration frequency, λ_1 is the probability of breaking through the first executor, λ_N is the probability of breaking through the Nth executor, T_0 is the dwell time during preparation, T_1 is the dwell time after breaking through the first executor, T_N is the dwell time after breaking through the Nth executor, T_{N-1} is the dwell time after breaking through the (N-1)th executor, and λ_{N-1} is the probability of breaking through the (N-1)th executor.
4. The method for evaluating an active defense network based on a multiple fusion method according to claim 3, wherein the random return network model consists of a task sub-model and an attack sub-model; the task sub-model represents a task executed in an online executor, whose outcome is either completion with correct output or compromise by an attack; the attack sub-model starts from the token at P_0, which represents the attack entering the system and preparing to attack.
5. The method for evaluating an active defense network based on a multiple fusion method according to claim 4, wherein a guard function in the random return network model steers the attack token in different directions by monitoring the outputs of all executors; the guard function is a Boolean expression, and its associated transition is disabled when it returns false; a timed transition in the random return network model is associated with a random duration; an immediate transition, which has no delay, is controlled by a guard function and a transition probability: the guard function controls whether the judgment is carried out, and the token then moves to the different judgment results with different transition probabilities.
6. The method for evaluating an active defense network based on the multiple fusion method according to claim 5, wherein SimPy in step S4 is a process-based discrete-event simulation framework based on standard Python; it supports multiple processes competing for access to a resource, automatically handles event queuing if the resource is busy, and allows a running process to be interrupted under preset conditions.
7. An active defense network evaluation system based on a multiple fusion method, characterized in that the system comprises:
a race model description module, used for abstracting the confrontation between an attacker and a defender in the active defense system to summarize the race model and its parameters;
a transfer process module, used for roughly describing the attack transfer process of the attack model through a semi-Markov chain to obtain a rough research range;
a visual graph module, used for establishing, for the active defense system, a random return network model that describes the attack, judgment and defense processes, and expressing it with a visual graph;
a simulation verification module, used for experimentally simulating the defense process with a SimPy real-time event generator, covering task execution, interruption, judgment and reconfiguration under attack, to perform network evaluation;
in the race model description module, the defending executors and the attacker both aim to output enough target results to convince the RMS (Resource Management System); the winner is the party that first generates k identical vectors; according to the heterogeneous structure of the executors, the maximum number of consistent tampered vectors of the executors is denoted z, with 0 ≤ z ≤ N, which distinguishes the different states the system enters;
the states corresponding to the number of tampered vectors of the executors are as follows: when z = 0, the system is in the normal working state, with no compromised executors and all executors working normally; when 0 < z ≤ N-k, the system is in the nonspecific sensing state, in which the attacker has tampered with very few results, so the RMS cannot be confused; when N-k < z ≤ N, the system is in the wearing state, in which the attacker and the defender each produce the output of a certain number of executors, or the attacker tampers most executors into different error vectors; when k ≤ z ≤ N, the system is in the penetration state, in which most executors are tampered by the attacker into the same error vector, and the RMS judges that vector to be the correct result and outputs it; when z = N, the system is in the attack escape state, in which the attacker's capability is strong enough and the attack fast enough that all executor results are tampered and the same error vector is output in a short time; the attacker then takes over the system, and this is the most harmful state because no alarm is raised to the defender;
in an active defense network, the system's repair and defense actions include eviction and disabling, wherein eviction is divided into correct eviction and mis-eviction; when the RMS receives different vectors, the majority result vector is judged to be the correct vector, and the executors outputting minority vectors are marked as suspicious executors and replaced by standby executors; for states N and S, the decision is correct: the correct result is output and the suspicious executors are replaced, a behavior called eviction; for state P, the RMS decision is erroneous, and the small number of executors giving the correct result are replaced, a behavior called mis-eviction; when there are at least two output vectors and none of them satisfies the output threshold k, all online executors are replaced, an action called disabling; in addition, virtual machine migration protects the system from the E failure by replacing all online executors with standby executors at a fixed frequency, and this act of actively updating the overall system configuration is referred to as random disturbance;
in the transfer process module, when a new executor is attacked, the attacker proceeds in one of two directions: the system makes no judgment and the attacker attacks the next target; or the attacker returns to the initial state because of the system's judgment;
according to the defense strategy, if any executor completes its task and generates a correct result during the attack, the system is repaired after the attacker is detected and does not enter the attack escape state; the limiting probability p_E of the system finally falling into the E failure is: wherein T_E is the steady-state time spent in the E failure, ω is the dynamic migration frequency, λ_1 is the probability of breaking through the first executor, λ_N is the probability of breaking through the Nth executor, T_0 is the dwell time during preparation, T_1 is the dwell time after breaking through the first executor, T_N is the dwell time after breaking through the Nth executor, T_{N-1} is the dwell time after breaking through the (N-1)th executor, and λ_{N-1} is the probability of breaking through the (N-1)th executor;
the random return network model consists of a task sub-model and an attack sub-model; the task sub-model represents a task executed in an online executor, whose outcome is either completion with correct output or compromise by an attack; the attack sub-model starts from the token at P_0, which represents the attack entering the system and preparing to attack;
the guard function in the random return network model steers the attack token in different directions by monitoring the outputs of all executors; the guard function is a Boolean expression, and its associated transition is disabled when it returns false; a timed transition in the random return network model is associated with a random duration; an immediate transition, which has no delay, is controlled by a guard function and a transition probability: the guard function controls whether the judgment is carried out, and the token then moves to the different judgment results with different transition probabilities;
the SimPy in the simulation verification module is a process-based discrete-event simulation framework based on standard Python; it supports multiple processes competing for access to a resource, automatically handles event queuing if the resource is busy, and allows a running process to be interrupted under preset conditions.
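The RMS judgment and the repair actions described in claims 1 and 7 (eviction, mis-eviction, disabling, and the silent attack escape case) can be exercised with a small model. This is an added illustration, not code from the patent; the function names, the action labels, the `correct` ground-truth argument (available only inside a simulation) and the restriction N/2 < k ≤ N are assumptions, and the sample rounds are constructed.

```python
from collections import Counter

def adjudicate(outputs, k, correct):
    """Model of the RMS decision for one round.

    outputs: executor id -> output vector (hashable, e.g. a tuple)
    k:       output threshold (assumed N/2 < k <= N)
    correct: ground truth, known only to the simulation, used for labelling
    """
    n = len(outputs)
    if not n / 2 < k <= n:
        raise ValueError("this sketch assumes N/2 < k <= N")
    counts = Counter(outputs.values())
    winner, votes = counts.most_common(1)[0]
    # z: largest group of executors agreeing on one tampered vector
    z = max((c for v, c in counts.items() if v != correct), default=0)
    if len(counts) == 1:
        # Unanimous output gives the RMS nothing to compare, so no alarm.
        action = "none" if winner == correct else "escape"
        return {"action": action, "output": winner, "replaced": [], "z": z}
    if votes >= k:
        # Majority reaches the threshold: minority executors are replaced.
        minority = sorted(e for e, v in outputs.items() if v != winner)
        action = "eviction" if winner == correct else "mis-eviction"
        return {"action": action, "output": winner, "replaced": minority, "z": z}
    # At least two vectors and none reaches k: replace every online executor.
    return {"action": "disabling", "output": None,
            "replaced": sorted(outputs), "z": z}

# Constructed sample rounds for N = 5 executors and threshold k = 3.
GOOD, BAD, BAD2 = (1, 0, 1), (9, 9, 9), (7, 7, 7)
ROUNDS = {
    "all correct":        [GOOD, GOOD, GOOD, GOOD, GOOD],
    "one tampered":       [BAD, GOOD, GOOD, GOOD, GOOD],
    "split, no majority": [BAD, BAD, BAD2, GOOD, GOOD],
    "tampered majority":  [BAD, BAD, BAD, GOOD, GOOD],
    "all tampered alike": [BAD, BAD, BAD, BAD, BAD],
}

def run_rounds(k=3):
    results = {}
    for name, vectors in ROUNDS.items():
        outputs = {f"e{i + 1}": v for i, v in enumerate(vectors)}
        results[name] = adjudicate(outputs, k, GOOD)
    return results

if __name__ == "__main__":
    for name, r in run_rounds().items():
        print(f"{name:20s} z={r['z']} {r['action']:12s} replaced={r['replaced']}")
```

The last round shows why the claims add migration at a fixed frequency: with every executor returning the same tampered vector, the comparison yields no minority and nothing is replaced.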
CN202210389928.8A 2022-04-14 2022-04-14 Active defense network evaluation method and system based on multiple fusion method Active CN114844684B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210389928.8A CN114844684B (en) 2022-04-14 2022-04-14 Active defense network evaluation method and system based on multiple fusion method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210389928.8A CN114844684B (en) 2022-04-14 2022-04-14 Active defense network evaluation method and system based on multiple fusion method

Publications (2)

Publication Number Publication Date
CN114844684A (en) 2022-08-02
CN114844684B (en) 2023-09-26

Family

ID=82563194

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210389928.8A Active CN114844684B (en) 2022-04-14 2022-04-14 Active defense network evaluation method and system based on multiple fusion method

Country Status (1)

Country Link
CN (1) CN114844684B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116916321B (en) * 2023-09-12 2023-12-15 中国电子信息产业集团有限公司第六研究所 Method and system for defending satellite network system

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110740067A (en) * 2019-11-06 2020-01-31 鹏城实验室 Active defense network security analysis method, storage medium and application server
WO2020093201A1 (en) * 2018-11-05 2020-05-14 北京大学深圳研究生院 Security modeling quantisation method for cyberspace mimic defence based on gspn and martingale theory

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020093201A1 (en) * 2018-11-05 2020-05-14 北京大学深圳研究生院 Security modeling quantisation method for cyberspace mimic defence based on gspn and martingale theory
CN110740067A (en) * 2019-11-06 2020-01-31 鹏城实验室 Active defense network security analysis method, storage medium and application server

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
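A Bracket-Based Self-Metamorphosis Active Defense Network Framework; 吴承荣; 严明; 金蒿林; 刘巍; 张世永; 曾剑平; Journal of Cyber Security (No. 04); full text *
Big-Data-Driven Security Evaluation Technology for Active Defense Networks; 杨润佳; Computer Measurement & Control (No. 10); full text *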

Also Published As

Publication number Publication date
CN114844684A (en) 2022-08-02

Similar Documents

Publication Publication Date Title
US10440048B1 (en) Anti-attacking modelling for CMD systems based on GSPN and Martingale theory
CN112073411B (en) Network security deduction method, device, equipment and storage medium
Lalropuia et al. Modeling cyber-physical attacks based on stochastic game and Markov processes
CN110740067B (en) Active defense network security analysis method, storage medium and application server
CN111191229A (en) Power Web application mimicry defense system
CN111324889A (en) Security event prediction method, device, equipment and computer readable storage medium
EP3474174B1 (en) System and method of adapting patterns of dangerous behavior of programs to the computer systems of users
WO2018171810A1 (en) Method and apparatus for realising moving target defence, and storage medium
CN112491803A (en) Method for judging executive in mimicry WAF
US20220237285A1 (en) Cyber immunity system as a biological self-recognition model on operating systems
Tripathi et al. Model based security verification of Cyber-Physical System based on Petrinet: A case study of Nuclear power plant
Grechishnikov et al. Algorithmic model of functioning of the system to detect and counter cyber attacks on virtual private network
CN114844684B (en) Active defense network evaluation method and system based on multiple fusion method
CN117879970A (en) Network security protection method and system
CN110062009A (en) A kind of formalization detection method of information physical emerging system defence
Shahin et al. Frameworks proposed to address the threat of cyber-physical attacks to lean 4.0 systems
Pavlenko et al. Ensuring the sustainability of cyberphysical systems based on dynamic reconfiguration
CN116633694B (en) WEB defense method and system based on multimode heterogeneous component
Xiao et al. A workflow-based non-intrusive approach for enhancing the survivability of critical infrastructures in cyber environment
Perháč et al. Elimination of network intrusions via a resource oriented BDI architecture
Zheng et al. Security evaluation of a VM-based intrusion-tolerant system with pull-type patch management
Jiang et al. A stochastic game theoretic approach to attack prediction and optimal active defense strategy decision
CA3088604A1 (en) Systems and methods for detecting and mitigating code injection attacks
Lakhdhar et al. Proactive security for safety and sustainability of mission critical systems
Al Mallah et al. On the initial behavior monitoring issues in federated learning

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant