CN114928481B - Processing system, method and device for unknown attack defense, central scheduling point and storage medium - Google Patents
Processing system, method and device for unknown attack defense, central scheduling point and storage medium Download PDFInfo
- Publication number
- CN114928481B CN114928481B CN202210519480.7A CN202210519480A CN114928481B CN 114928481 B CN114928481 B CN 114928481B CN 202210519480 A CN202210519480 A CN 202210519480A CN 114928481 B CN114928481 B CN 114928481B
- Authority
- CN
- China
- Prior art keywords
- interlocking
- node
- chain
- nodes
- verification
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 230000007123 defense Effects 0.000 title claims abstract description 45
- 238000000034 method Methods 0.000 title claims abstract description 32
- 238000012545 processing Methods 0.000 title claims abstract description 25
- 238000012795 verification Methods 0.000 claims abstract description 136
- 238000001514 detection method Methods 0.000 claims abstract description 26
- 230000002159 abnormal effect Effects 0.000 claims description 37
- 238000003672 processing method Methods 0.000 claims description 13
- 230000003213 activating effect Effects 0.000 claims description 8
- 238000007639 printing Methods 0.000 claims description 8
- 230000004044 response Effects 0.000 claims description 6
- 230000007246 mechanism Effects 0.000 description 14
- 238000010586 diagram Methods 0.000 description 6
- 238000010200 validation analysis Methods 0.000 description 6
- 230000000694 effects Effects 0.000 description 5
- 238000005516 engineering process Methods 0.000 description 5
- 230000008520 organization Effects 0.000 description 5
- 238000002790 cross-validation Methods 0.000 description 4
- 230000008569 process Effects 0.000 description 4
- 230000009471 action Effects 0.000 description 3
- 230000005856 abnormality Effects 0.000 description 2
- 230000000295 complement effect Effects 0.000 description 2
- 230000008260 defense mechanism Effects 0.000 description 2
- 238000011084 recovery Methods 0.000 description 2
- 230000009466 transformation Effects 0.000 description 2
- 238000013473 artificial intelligence Methods 0.000 description 1
- 238000013475 authorization Methods 0.000 description 1
- 230000006399 behavior Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000008901 benefit Effects 0.000 description 1
- 230000000903 blocking effect Effects 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 238000007405 data analysis Methods 0.000 description 1
- 238000012217 deletion Methods 0.000 description 1
- 230000037430 deletion Effects 0.000 description 1
- 230000006870 function Effects 0.000 description 1
- 230000005012 migration Effects 0.000 description 1
- 238000013508 migration Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000008447 perception Effects 0.000 description 1
- 230000002085 persistent effect Effects 0.000 description 1
- 230000000750 progressive effect Effects 0.000 description 1
- 238000005215 recombination Methods 0.000 description 1
- 230000006798 recombination Effects 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention provides a processing system, a method, a device and related equipment facing unknown attack defense, wherein a central dispatching point of the processing system can respond to a certificate request of a first node for obtaining a corresponding operation instruction and call a constructed dynamic cross certificate chain; furthermore, the central scheduling point positions a target interlocking chain which takes a first node in the dynamic cross-certification chain as an operation point, returns node information of at least two second nodes which are taken as at least two verification points in the target interlocking chain to the first node, and carries out interlocking verification on the first node and the at least two second nodes based on the node information to obtain an interlocking verification result corresponding to the target interlocking chain; further, the central dispatching point captures an interlocking verification result, and performs anomaly detection on the first node and the at least two second nodes based on the interlocking verification result.
Description
Technical Field
The invention relates to the technical field of network space security, in particular to a processing system, a method, a device and related equipment for unknown attack defense.
Background
In recent years, network security defense technologies and products are continuously perfected, the defense effect of the network security defense technologies and products on known network attacks is high, and partial defense products also try to detect network attacks with unknown characteristics by utilizing big data analysis and artificial intelligence technologies.
However, how to realize effective defense against unknown network attacks on the premise of unknown attack characteristics, attack samples, attack methods and the like is still an open problem which besets countries in the world.
Disclosure of Invention
In view of the above, to solve the above problems, the present invention provides a processing system, method, apparatus and related device for unknown attack defense, and the technical solution is as follows:
a processing system oriented towards unknown attack defense, the system comprising: a central scheduling point and a plurality of nodes;
the first node is used for obtaining a corresponding operation instruction and sending a certificate request to the central dispatching point;
the central scheduling point is used for responding to the authentication request and calling the constructed dynamic cross-authentication chain, wherein the dynamic cross-authentication chain comprises a plurality of parallel interlocking chains, each interlocking chain consists of an operation point and at least two verification points establishing safe interlocking with the operation point in the interlocking chain, and the node serving as the operation point in each interlocking chain is simultaneously used as the verification point in at least two other interlocking chains; positioning a target interlocking chain taking the first node in the dynamic cross-certificate chain as an operation point, and returning node information of at least two second nodes which are taken as at least two verification points in the target interlocking chain to the first node;
the first node is further configured to perform interlock verification with the at least two second nodes based on the node information to obtain an interlock verification result corresponding to the target interlock chain;
the central dispatching point is further configured to capture the interlock verification result, and perform anomaly detection on the first node and the at least two second nodes based on the interlock verification result.
Preferably, the first node configured to perform the interlock verification with the at least two second nodes based on the node information is specifically configured to:
performing interlock verification with the at least two second nodes in a state voting manner based on the node information; or,
performing interlocking verification with the at least two second nodes in a dynamic authority authentication mode based on the node information; or,
performing interlock verification with the at least two second nodes in a manner of three-terminal heterogeneous observation based on the node information.
Preferably, the central scheduling point, configured to perform anomaly detection on the first node and the at least two second nodes based on the interlock verification result, is specifically configured to:
determining that the first node and the at least two second nodes are both normal nodes when the interlock verification result meets an expected result;
activating other interlocking chains in the dynamic cross-certification chain except the target interlocking chain under the condition that the interlocking verification result does not accord with an expected result, and performing cross-certification on the target interlocking chain and the other interlocking chains; and determining abnormal nodes in the first node and the at least two second nodes according to the cross-certified voting result.
Preferably, the central scheduling point is further configured to:
and under the condition that an abnormal node in the first node and the at least two second nodes is determined, deleting and replacing the abnormal node.
A processing method facing unknown attack defense, wherein the method is applied to a central scheduling point, and comprises the following steps:
responding to a seal request sent by a first node to obtain a corresponding operation instruction, and calling a constructed dynamic cross seal chain, wherein the dynamic cross seal chain comprises a plurality of parallel interlocking chains, each interlocking chain consists of an operation point and at least two verification points establishing safe interlocking with the operation point in the interlocking chain, and the node serving as the operation point in each interlocking chain is simultaneously used as the verification point in at least two other interlocking chains;
positioning a target interlocking chain taking the first node as an operation point in the dynamic cross-certification chain, and returning node information of at least two second nodes which are taken as at least two verification points in the target interlocking chain to the first node, so that the first node performs interlocking verification with the at least two second nodes based on the node information to obtain an interlocking verification result corresponding to the target interlocking chain;
and capturing the interlock verification result, and carrying out anomaly detection on the first node and the at least two second nodes based on the interlock verification result.
Preferably, the performing anomaly detection on the first node and the at least two second nodes based on the interlock verification result includes:
determining that the first node and the at least two second nodes are normal nodes under the condition that the interlocking verification result conforms to an expected result;
activating other interlocking chains in the dynamic cross-certification chain except the target interlocking chain under the condition that the interlocking verification result does not accord with an expected result, and performing cross-certification on the target interlocking chain and the other interlocking chains; and determining abnormal nodes in the first node and the at least two second nodes according to the cross-certified voting result.
Preferably, the method further comprises:
and under the condition that the abnormal node in the first node and the at least two second nodes is determined, deleting and replacing the abnormal node.
A processing device facing unknown attack defense, the device comprising:
a request response module, configured to respond to a credential request sent by a first node to obtain a corresponding operation instruction and invoke a constructed dynamic cross credential chain, where the dynamic cross credential chain includes multiple parallel interlocking chains, each interlocking chain is composed of an operation point and at least two verification points that establish safe interlocking with the operation point in the interlocking chain, and a node serving as the operation point in each interlocking chain is simultaneously used as a verification point in at least two other interlocking chains; positioning a target interlocking chain taking the first node as an operation point in the dynamic cross-certification chain, and returning node information of at least two second nodes which are taken as at least two verification points in the target interlocking chain to the first node, so that the first node performs interlocking verification with the at least two second nodes based on the node information to obtain an interlocking verification result corresponding to the target interlocking chain;
and the abnormality detection module is used for capturing the interlocking verification result and carrying out abnormality detection on the first node and the at least two second nodes based on the interlocking verification result.
A central scheduling point, the central scheduling point comprising: at least one memory and at least one processor; the memory stores an application program, and the processor calls the application program stored in the memory, wherein the application program is used for realizing the processing method facing the unknown attack defense.
A storage medium having stored therein computer-executable instructions for performing the processing method for unknown attack defense.
Compared with the prior art, the invention has the following beneficial effects:
the invention provides a processing system, a method, a device and related equipment facing unknown attack defense, wherein a central dispatching point of the processing system can respond to a certificate printing request of a first node for obtaining a corresponding operation instruction and call a constructed dynamic cross certificate printing chain; furthermore, the central scheduling point positions a target interlocking chain taking a first node in the dynamic cross-certification chain as an operation point, and returns node information of at least two second nodes which are taken as at least two verification points in the target interlocking chain to the first node, and the first node performs interlocking verification on the at least two second nodes based on the node information to obtain an interlocking verification result corresponding to the target interlocking chain; further, the central dispatching point captures an interlocking verification result, and performs anomaly detection on the first node and the at least two second nodes based on the interlocking verification result. According to the invention, a safety linkage effect can be expected to be realized by constructing the interlocking certificates among the multiple nodes, and after one node is broken, the quick sensing can be realized through other nodes establishing the safety interlocking, so that the attack is locked.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the embodiments or the prior art descriptions will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a system architecture diagram of a processing system facing unknown attack defense according to an embodiment of the present invention;
FIG. 2 is a schematic structural diagram of a dynamic cross-ink chain according to an embodiment of the present invention;
fig. 3 is a flowchart of a method of a processing method for unknown attack defense according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of a processing device for unknown attack defense according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in further detail below.
Aiming at normalized application service, the invention provides a processing scheme facing unknown attack defense, a set of security interlocking chains for defending unknown attack is constructed, a security consensus is achieved through a verification mechanism of interlocking between nodes, and the consensus is used for guaranteeing the execution of sensitive service.
The inventor finds that the implementation scheme of the network security defense at present can be positioned on the implementation of a "zero trust security gateway", specifically:
the zero trust security gateway divides the devices in an enterprise/organization into 'access devices' and 'resources' according to different roles, all the resources only receive access from the security gateway, and all users only access the resources through the security gateway. The zero-trust security gateway examines a combined object of 'access equipment + user' and realizes persistent access control in accordance with a 'dynamic minimum authority' principle in an enterprise or an organization, so that if a certain resource or equipment in the enterprise is infected, the whole network environment security is not threatened.
The zero trust breaks through the traditional boundary protection thought, and a set of dynamic security architecture which takes identity as the center, takes minimized real-time authorization as the core and takes a multidimensional trust algorithm as the basis to authenticate the terminal is established. However, the current zero trust landing application faces the difficult problems of technology transformation, enterprise management thinking transformation, infrastructure migration and the like, and due to chain authentication and access control, service access established on the zero trust landing application faces timeliness challenges, possibly resulting in concurrent service blocking, which is very easy to cause distributed denial of service (DDoS) attacks, and the security problem of the zero trust system itself also needs to be focused on continuously.
In contrast, the security interlocking chain mechanism facing unknown attack defense and the zero trust security gateway provided by the invention work at different levels, and the two mechanisms are in a complementary relationship. The zero-trust security gateway works in a network layer, focuses on reaching the deterministic identity authentication and the network admission of an enterprise/organization, and aims to solve the attacks from an external network to an internal network and from the internal network to the internal network. The security interlocking chain mechanism facing unknown attack defense works in an application layer, does not care about the identity of a user, and reaches the protection scope after the user passes through a zero trust security gateway. The invention realizes the automatic recovery of cross-prints and attackers without perception by establishing 'unreleasable marketing' of a defense party, and can achieve a safety linkage effect highly sensitive to suspicious behaviors.
Furthermore, the present invention is not limited to security defense against internal environments of an enterprise or organization, and may be equally applicable to network environments such as public services, public clouds, and the like.
Referring to fig. 1, fig. 1 is a system architecture diagram of a processing system facing unknown attack defense, according to an embodiment of the present invention, where the system includes: a central scheduling point 10 and a plurality of nodes 20, wherein N nodes 20 are shown in fig. 1.
In the embodiment of the present invention, the central scheduling point 10 is a machine that is internal to the organization and does not provide service to the outside, and an external attacker cannot access and attack the central scheduling point 10.
The first node is used for obtaining a corresponding operation instruction and sending a certificate request to the central dispatching point 10;
a central dispatching point 10, configured to invoke a constructed dynamic cross-certificate chain in response to a certificate request, where the dynamic cross-certificate chain includes multiple parallel interlocking chains, each interlocking chain is composed of an operation point and at least two verification points that establish a safety interlock with the operation point in the interlocking chain, and a node 20 in each interlocking chain as the operation point is simultaneously used as a verification point in at least two other interlocking chains; positioning a target interlocking chain taking a first node in the dynamic cross-certificate chain as an operation point, and returning node information of at least two second nodes which are taken as at least two verification points in the target interlocking chain to the first node;
the first node is also used for carrying out interlocking verification with at least two second nodes based on the node information to obtain an interlocking verification result corresponding to the target interlocking chain;
the central dispatching point 10 is further configured to capture an interlock verification result, and perform anomaly detection on the first node and the at least two second nodes based on the interlock verification result.
In the embodiment of the present invention, the first node is a node 20 that currently obtains an operation instruction and sends a verification request to the central scheduling point 10, and the first node, as an operation point, may execute the corresponding operation instruction. Referring to the following table, the operation instructions executed at the operation point may be divided into two types, where one type belongs to the security-related instruction and the other type belongs to the security-unrelated instruction, for example, the operation instruction of "login system" may be the security-related instruction, and the operation instruction of "create account" may be the security-unrelated instruction, and the distinction between the security-related instruction and the security-unrelated instruction may be defined by considering different requirements under different scenarios, which is not limited by the present invention.
For an operation instruction belonging to a safety related instruction, the execution of the operation instruction strongly depends on the cross-certification of an interlocking chain, at least two verification points are required to carry out the cross-certification, the certification is allowed to be executed only after passing, otherwise, the interlocking chain where the operation point is located is considered to be abnormal, and then an abnormal node in the interlocking chain is detected; for the operation instruction belonging to the safety irrelevant instruction, the execution of the operation instruction does not depend on the verification mechanism of the interlocking chain, and the operation instruction can be independently executed at an operation point.
In this regard, after obtaining the corresponding operation instruction, any one of the nodes 20 may send a request for a certificate to the central scheduling point 10 if it is determined that the operation instruction belongs to the security-related instruction.
The central dispatching point 10 may construct a dynamic cross-validation chain by responding to an input operation of an operator thereof, and if the resource and performance limitations are not considered, the dynamic cross-validation chain may include any multiple parallel interlocking chains, each of which includes at least three interlocking validation nodes, that is, an operating point and at least two validation points that establish a safety interlock with the operating point (the correspondence between the validation points and the operating point is dynamically allocated by the central dispatching point 10), and each of the interlocking validation nodes appears on at least three interlocking chains, that is, the operating point on each interlocking chain may appear as a validation point in at least two other interlocking chains, that is, the node 20 as the operating point in each interlocking chain simultaneously serves as a validation point in at least two other interlocking chains.
For convenience of understanding, a dynamic cross-certificate chain composed of 5 nodes (respectively named as nodes a, B, C, D, and E) is taken as an example for description, and refer to fig. 2, where fig. 2 is a schematic structural diagram of the dynamic cross-certificate chain according to an embodiment of the present invention. As shown in fig. 2, the nodes a, B, C, D, E constitute 5 parallel interlocking chains, each interlocking chain is a triple (an operation point, a verification point 1, a verification point 2), that is, (a, B, C), (B, C, D), (C, D, E), (D, E, a), (E, a, B), that is, there are three interlocking certified nodes in each interlocking chain, and the nodes a, B, C, D, E all exist in three parallel interlocking chains, and respectively assume different roles.
For example, the node a executes an operation instruction of "write file", which is regarded as an unreleasable battle by the defender, i.e. belongs to the security-related instruction. Therefore, after obtaining the operation instruction of "write file", the node a may send a certificate request to the central scheduling point 10; the central scheduling point 10 schedules the constructed dynamic cross-certified chain in response to the certification request sent by the node a, and further determines that the node a is used as an operation point in an interlocking chain (a, B, C), and further determines that at least two verification points establishing safety interlocking with the node a in the interlocking chain are respectively the node B and the node C, thereby returning node information of the node B and the node C to the node a.
And the node A performs interlocking verification with the node B and the node C based on the node information returned by the central scheduling point 10 to obtain an interlocking verification result corresponding to the interlocking chain (A, B, C). Specifically, the interlock verification may be performed in any one of three ways, that is, status voting, dynamic authority authentication, and triple-terminal heterogeneous observation. The state voting mechanism is used to illustrate that:
by implementing hook operations on the operation instructions of "write files", state information collection for visitors using the operation instructions can be implemented, including but not limited to state information representing time, geographical location, software environment, etc. And the node A locally verifies the time information, transmits the collected geographic position information to the node B, transmits the software environment information to the node C, and performs state interlocking verification by the nodes A, B and C, so that an interlocking verification result corresponding to the interlocking chain (A, B and C) can be obtained.
The central dispatching point 10 obtains an interlocking verification result corresponding to the interlocking chains (A, B, C); if the interlocking verification result represents that the verification is passed, allowing the node A to execute an operation instruction of writing a file; if the interlocking verification result represents that the verification fails, the operation instruction of writing the file is executed on the node a to perform rejection or other countermeasures, and meanwhile, the central dispatching point 10 further detects abnormal nodes in the nodes a, B and C in a cross-validation manner.
It should be noted that, after an actual scene, in addition to the state voting mechanism, interlocking verification may be performed in a dynamic authority authentication manner, which may also be implemented by hook operation on an operation instruction, dynamic authority authentication on a sensitive service is completed based on pre-configuration on a dynamic cross-certificate chain, and only if all interlocking certificate nodes on the interlocking chain pass authentication, a secure consensus may be achieved. Furthermore, interlock verification can be performed in a way of three-terminal heterogeneous observation, for example, consistency voting can be performed based on file, communication and a heterogeneous observation mechanism of three terminals of a process.
In some embodiments, the central dispatching point 10 performs anomaly detection on the first node and the at least two second nodes based on the interlock verification result, including:
under the condition that the interlocking verification result accords with an expected result, determining that the first node and the at least two second nodes are normal nodes;
under the condition that the interlocking verification result does not accord with the expected result, activating other interlocking chains in the dynamic cross-certification chain except the target interlocking chain, and performing cross-certification on the target interlocking chain and the other interlocking chains; and determining abnormal nodes in the first node and the at least two second nodes according to the cross-certified voting result.
For ease of understanding, the description continues with the dynamic cross-ink chain shown in fig. 2. Continuing with the example of the node a executing the operation instruction of "writing a file", the central scheduling point 10 obtains an interlock verification result corresponding to the interlock chain (a, B, C).
And if the interlocking verification result accords with the expected result, determining that the verification is passed, and further determining that the nodes A, B and C are normal nodes.
If the interlocking verification result does not meet the expected result, the verification is determined not to pass, other interlocking chains except the interlocking chains (A, B, C) in the dynamic cross-certification chain are activated, namely the cross-certification of the interlocking chains (B, C, D), (C, D, E), (D, E, A), (E, A, B) is activated, the interlocking chains (A, B, C) and the interlocking chains (B, C, D), (C, D, E), (D, E, A), (E, A, B) are carried out, and the abnormal nodes are positioned by adopting a method which obeys majority judgment according to the voting result of the cross-certification, so that a plurality of nodes in the interlocking chains (A, B, C) are prevented from being maliciously controlled by attackers to blacken the benign nodes. From a security point of view, assuming that nodes a, B are maliciously controlled by an attacker, their functions as both operation points and verification points are not trusted, node C will be blackened as a malicious node in the voting result of the interlocking chain (a, B, C), whereas if node a appears as a verification point in the interlocking chain (D, E, a), (E, a, B) at the same time, node a controlled by the attacker will not want to provide trusted verification and trusted operation, as will be the case with node B, and therefore, in the interlocking chain (B, C, D), (C, D, E), (D, E, a), the nodes a, B can be directly or indirectly certified as malicious nodes, although node E will also be blackened as a malicious node in the voting result of the interlocking chain (E, a, B), but by simple "minority majority-compliant" cross-verification, it is possible to use 3:2, the nodes A and B are considered as malicious nodes, and the nodes C and E are considered as benign nodes, so that the nodes A and B can be determined as abnormal nodes.
On the basis, the central scheduling point 10 deletes and replaces the abnormal node when determining the abnormal node. In the embodiment of the present invention, for an abnormal node in an interlocking chain, the central scheduling point 10 may delete the abnormal node based on a preconfigured scheduling policy and replace the abnormal node with another node. The central scheduling point 10 integrates a real-time scheduling mechanism, the scheduling mechanism is established on the basis of checking a voting result of cross-certification among interlocking chains in a dynamic cross-certification chain in real time, the central scheduling point 10 does not respond to the interlocking verification result which is in line with expectation by capturing the interlocking verification result of the interlocking chains in real time, and the central scheduling point 10 automatically activates other parallel interlocking chains to perform cross-certification for the interlocking verification result which is not in line with the expectation, and performs accurate positioning and flexible replacement for abnormal nodes by a method which is in line with majority judgment, and the deletion and replacement of the abnormal nodes are completed by the central scheduling point 10, which is not sensible for a user requesting service execution, so that the automatic recovery of the interlocking chains can be realized.
Based on the interlocking chain automatic restoration mechanism, even if an attacker can break one of the nodes, the attacked abnormal node can be deleted from the interlocking chain through the reasonable scheduling mechanism of the central scheduling point 10, and the node which is not sensed by other attackers is used for replacement, so that the interlocking chain is automatically restored.
Therefore, the interlocking voting mechanism of the cross-certificate realizes that other nodes establishing interlocking can be sensed as long as one node is attacked by an attacker, so that a safe linkage effect is formed. The automatic restoration of the interlocking chain realized by the central scheduling point 10 can realize the defense effect of guarding the 'missing-proof camp' (sensitive service or sensitive resource) which is not sensed by the attacker.
It should be noted that, in the present invention, for an interlocking chain on a dynamic cross-validation chain, an attacker may trap one node on the chain, it is extremely difficult to trap two nodes on the chain at the same time, and it is impossible to trap three nodes on the chain at the same time for two reasons: firstly, nodes on a chain are strange with each other, an attacker needs to carry out attack traversal on large-scale cloud nodes when trying to simultaneously attack and trap, and the cost is extremely high; and secondly, when an abnormal node is found, the central scheduling node immediately deletes and replaces the abnormal node, and the real-time performance of the dynamic scheduling ensures that the situation that a plurality of nodes are simultaneously attacked is almost impossible to occur on the chain.
The processing system for unknown attack defense, provided by the invention, is oriented to a generalized application scene, and a set of interlocking defense mechanism is constructed to complement the existing unknown attack defense method. The existing unknown attack defense technology lacks an endogenous self defense mechanism, and for this reason, the invention also focuses on the self safety problem of the unknown attack defense system, and realizes an interlocking mechanism based on elastic recombination.
Based on the processing system for unknown attack defense provided by the embodiment, the embodiment of the invention correspondingly provides a processing method for unknown attack defense, the method is applied to a central dispatching point, and a flow chart of the method is shown in fig. 3, and the method comprises the following steps:
s10, the established dynamic cross-certification chain is called in response to the certification request sent by the first node to obtain the corresponding operation instruction, wherein the dynamic cross-certification chain comprises a plurality of parallel interlocking chains, each interlocking chain consists of an operation point and at least two verification points establishing safety interlocking with the operation point in the interlocking chain, and the node serving as the operation point in each interlocking chain is simultaneously used as the verification point in at least two other interlocking chains.
And S20, positioning a target interlocking chain with a first node as an operation point in the dynamic cross-certification chain, and returning node information of at least two second nodes as at least two verification points in the target interlocking chain to the first node, so that the first node performs interlocking verification with the at least two second nodes based on the node information to obtain an interlocking verification result corresponding to the target interlocking chain.
And S30, capturing the interlocking verification result, and carrying out abnormity detection on the first node and the at least two second nodes based on the interlocking verification result.
Optionally, in step S30, "performing anomaly detection on the first node and the at least two second nodes based on the interlock verification result" may include the following steps:
under the condition that the interlocking verification result accords with an expected result, determining that the first node and the at least two second nodes are normal nodes;
under the condition that the interlocking verification result does not accord with the expected result, activating other interlocking chains in the dynamic cross-certification chain except the target interlocking chain, and performing cross-certification on the target interlocking chain and the other interlocking chains; and determining abnormal nodes in the first node and the at least two second nodes according to the cross-certified voting result.
Optionally, the method further includes the following steps:
and under the condition that the abnormal node in the first node and the at least two second nodes is determined, deleting and replacing the abnormal node.
It should be noted that, for specific implementation of each step in the processing method according to the embodiment of the present invention, reference may be made to corresponding disclosure parts of the processing system, and details are not described herein again.
Based on the processing method for unknown attack defense provided by the above embodiment, the embodiment of the present invention correspondingly provides a processing device for unknown attack defense, and a schematic structural diagram of the device is shown in fig. 4, and the processing device includes:
a request response module 101, configured to respond to a first node to obtain a built dynamic cross-certificate chain called by a certificate request sent by a corresponding operation instruction, where the dynamic cross-certificate chain includes multiple parallel interlocking chains, each interlocking chain is composed of an operation point and at least two verification points that establish a safety interlock with the operation point in the interlocking chain, and a node serving as the operation point in each interlocking chain is simultaneously used as a verification point in at least two other interlocking chains; positioning a target interlocking chain with a first node as an operation point in the dynamic cross-certificate chain, and returning node information of at least two second nodes as at least two verification points in the target interlocking chain to the first node, so that the first node performs interlocking verification with the at least two second nodes based on the node information to obtain an interlocking verification result corresponding to the target interlocking chain;
and the anomaly detection module 102 is configured to capture an interlock verification result, and perform anomaly detection on the first node and the at least two second nodes based on the interlock verification result.
Optionally, the anomaly detection module 102 performs anomaly detection on the first node and the at least two second nodes based on the interlock verification result, including:
under the condition that the interlocking verification result accords with an expected result, determining that the first node and the at least two second nodes are normal nodes;
under the condition that the interlocking verification result does not accord with the expected result, activating other interlocking chains except the target interlocking chain in the dynamic cross-certification chain, and performing cross-certification on the target interlocking chain and the other interlocking chains; and determining abnormal nodes in the first node and the at least two second nodes according to the cross-certified voting result.
Optionally, the anomaly detection module 102 is further configured to:
and under the condition that the abnormal node in the first node and the at least two second nodes is determined, deleting and replacing the abnormal node.
It should be noted that, for specific implementation of each module in the processing apparatus according to the embodiment of the present invention, reference may be made to corresponding disclosure portions of the processing system, and details are not described herein again.
Based on the processing method for unknown attack defense provided by the embodiment, the embodiment of the invention correspondingly provides a central scheduling point, and the central scheduling point comprises: at least one memory and at least one processor; the memory stores an application program, the processor calls the application program stored in the memory, and the application program is used for realizing a processing method facing unknown attack defense.
Based on the processing method for unknown attack defense provided by the above embodiment, embodiments of the present invention correspondingly provide a storage medium, where a computer executable instruction is stored in the storage medium, and the computer executable instruction is used to execute the processing method for unknown attack defense.
The processing system, the method, the device and the related equipment for unknown attack defense provided by the invention are described in detail, a specific example is applied in the text to explain the principle and the implementation mode of the invention, and the description of the embodiment is only used for helping to understand the method and the core idea of the invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, the specific embodiments and the application range may be changed, and in summary, the content of the present specification should not be construed as a limitation to the present invention.
It should be noted that, in the present specification, the embodiments are all described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments may be referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
It is further noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include or include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrases "comprising one of 8230; \8230;" 8230; "does not exclude the presence of additional like elements in a process, method, article, or apparatus that comprises the element.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (6)
1. A processing system oriented towards unknown attack defense, the system comprising: a central scheduling point and a plurality of nodes;
the first node is used for obtaining a corresponding operation instruction and sending a certificate request to the central dispatching point;
the central scheduling point is used for responding to the evidence request and calling the constructed dynamic cross evidence chain, wherein the dynamic cross evidence chain comprises a plurality of parallel interlocking chains, each interlocking chain consists of an operation point and at least two verification points establishing safe interlocking with the operation point in the interlocking chain, and the node serving as the operation point in each interlocking chain is simultaneously used as the verification point in at least two other interlocking chains; positioning a target interlocking chain taking the first node in the dynamic cross-certificate chain as an operation point, and returning node information of at least two second nodes which are taken as at least two verification points in the target interlocking chain to the first node;
the first node is further configured to perform interlock verification with the at least two second nodes based on the node information to obtain an interlock verification result corresponding to the target interlock chain;
the central dispatching point is also used for capturing the interlocking verification result and carrying out anomaly detection on the first node and the at least two second nodes based on the interlocking verification result;
the central scheduling point, configured to perform anomaly detection on the first node and the at least two second nodes based on the interlock verification result, is specifically configured to:
determining that the first node and the at least two second nodes are normal nodes under the condition that the interlocking verification result conforms to an expected result;
activating other interlocking chains in the dynamic cross-seal chain except the target interlocking chain under the condition that the interlocking verification result does not accord with an expected result, and performing cross-seal on the target interlocking chain and other interlocking chains; determining abnormal nodes in the first node and the at least two second nodes according to the cross-certified voting result;
the central scheduling point is further configured to:
and under the condition that the abnormal node in the first node and the at least two second nodes is determined, deleting and replacing the abnormal node.
2. The system according to claim 1, wherein the first node configured to perform the interlock verification with the at least two second nodes based on the node information is specifically configured to:
performing interlock verification with the at least two second nodes in a state voting manner based on the node information; or,
performing interlocking verification with the at least two second nodes in a dynamic authority authentication mode based on the node information; or,
performing interlock verification with the at least two second nodes in a manner of three-terminal heterogeneous observation based on the node information.
3. A processing method facing unknown attack defense is characterized in that the method is applied to a central scheduling point, and the method comprises the following steps:
responding to a first node to obtain a printing request sent by a corresponding operation instruction, and calling a constructed dynamic cross printing chain, wherein the dynamic cross printing chain comprises a plurality of parallel interlocking chains, each interlocking chain consists of an operation point and at least two verification points establishing safe interlocking with the operation point in the interlocking chain, and a node serving as the operation point in each interlocking chain is simultaneously used as the verification point in at least two other interlocking chains;
positioning a target interlocking chain taking the first node as an operation point in the dynamic cross-certification chain, and returning node information of at least two second nodes which are taken as at least two verification points in the target interlocking chain to the first node, so that the first node performs interlocking verification with the at least two second nodes based on the node information to obtain an interlocking verification result corresponding to the target interlocking chain;
capturing the interlock verification result, and performing anomaly detection on the first node and the at least two second nodes based on the interlock verification result;
wherein the performing anomaly detection on the first node and the at least two second nodes based on the interlock verification result comprises:
determining that the first node and the at least two second nodes are both normal nodes when the interlock verification result meets an expected result;
activating other interlocking chains in the dynamic cross-certification chain except the target interlocking chain under the condition that the interlocking verification result does not accord with an expected result, and performing cross-certification on the target interlocking chain and the other interlocking chains; determining abnormal nodes in the first node and the at least two second nodes according to the cross-certified voting result; the method further comprises the following steps:
and under the condition that an abnormal node in the first node and the at least two second nodes is determined, deleting and replacing the abnormal node.
4. A processing device oriented towards unknown attack defense, the device comprising:
the request response module is used for responding to a first node to obtain a printing request sent by a corresponding operation instruction and calling a constructed dynamic cross printing chain, wherein the dynamic cross printing chain comprises a plurality of parallel interlocking chains, each interlocking chain consists of an operation point and at least two verification points establishing safe interlocking with the operation point in the interlocking chain, and the node serving as the operation point in each interlocking chain is simultaneously used as the verification point in at least two other interlocking chains; positioning a target interlocking chain taking the first node as an operation point in the dynamic cross-certification chain, and returning node information of at least two second nodes serving as at least two verification points in the target interlocking chain to the first node, so that the first node performs interlocking verification on the at least two second nodes based on the node information to obtain an interlocking verification result corresponding to the target interlocking chain;
an anomaly detection module, configured to capture the interlock verification result, and perform anomaly detection on the first node and the at least two second nodes based on the interlock verification result;
wherein the anomaly detection module performs anomaly detection on the first node and the at least two second nodes based on the interlock verification result, and includes:
determining that the first node and the at least two second nodes are normal nodes under the condition that the interlocking verification result conforms to an expected result;
activating other interlocking chains in the dynamic cross-seal chain except the target interlocking chain under the condition that the interlocking verification result does not accord with an expected result, and performing cross-seal on the target interlocking chain and other interlocking chains; determining abnormal nodes in the first node and the at least two second nodes according to the cross-certified voting result;
the anomaly detection module is further configured to:
and under the condition that the abnormal node in the first node and the at least two second nodes is determined, deleting and replacing the abnormal node.
5. A central scheduling point, wherein the central scheduling point comprises: at least one memory and at least one processor; the memory stores an application, the processor invokes the memory stored application, the application is used to implement the unknown attack defense oriented processing method of claim 3.
6. A storage medium having stored thereon computer-executable instructions for performing the method of claim 3 for processing against unknown attack defenses.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210519480.7A CN114928481B (en) | 2022-05-13 | 2022-05-13 | Processing system, method and device for unknown attack defense, central scheduling point and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210519480.7A CN114928481B (en) | 2022-05-13 | 2022-05-13 | Processing system, method and device for unknown attack defense, central scheduling point and storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114928481A CN114928481A (en) | 2022-08-19 |
| CN114928481B true CN114928481B (en) | 2022-12-20 |
Family
ID=82808272
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210519480.7A Active CN114928481B (en) | 2022-05-13 | 2022-05-13 | Processing system, method and device for unknown attack defense, central scheduling point and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114928481B (en) |
Family Cites Families (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105931052A (en) * | 2016-04-21 | 2016-09-07 | 四川大学 | Virtual currency transaction validation method based on block chain multi-factor cross-validation |
| US11146380B2 (en) * | 2017-08-03 | 2021-10-12 | Parity Technologies Ltd. | Methods and systems for a heterogeneous multi-chain framework |
| WO2019209291A1 (en) * | 2018-04-24 | 2019-10-31 | Black Gold Coin, Inc. | Systems and methods for providing a universal decentralized solution for verification of users with cross-verification features |
| CN111931245A (en) * | 2019-05-13 | 2020-11-13 | 阿里巴巴集团控股有限公司 | Information processing method and device |
| CN113256297B (en) * | 2021-07-02 | 2021-09-14 | 腾讯科技(深圳)有限公司 | Data processing method, device and equipment based on block chain and readable storage medium |
| CN114328133A (en) * | 2022-03-16 | 2022-04-12 | 北京微芯感知科技有限公司 | Single-mechanism distributed conflict detection method and system and deposit separation framework |
-
2022
- 2022-05-13 CN CN202210519480.7A patent/CN114928481B/en active Active
Also Published As
| Publication number | Publication date |
|---|---|
| CN114928481A (en) | 2022-08-19 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Tabrizchi et al. | A survey on security challenges in cloud computing: issues, threats, and solutions | |
| Xiao et al. | Edge computing security: State of the art and challenges | |
| Chica et al. | Security in SDN: A comprehensive survey | |
| Singh et al. | Cloud security issues and challenges: A survey | |
| US11888897B2 (en) | Implementing decoys in a network environment | |
| Jimenez et al. | A survey of the main security issues and solutions for the SDN architecture | |
| Hong et al. | Systematic identification of threats in the cloud: A survey | |
| Bhushan et al. | Security challenges in cloud computing: state-of-art | |
| US10341350B2 (en) | Actively identifying and neutralizing network hot spots | |
| US11888882B2 (en) | Network traffic correlation engine | |
| US20190379697A1 (en) | Deceiving Attackers Accessing Active Directory Data | |
| Wang et al. | Attack and defence of ethereum remote apis | |
| Mishra et al. | Software defined internet of things security: Properties, state of the art, and future research | |
| Mukherjee et al. | Security and privacy issues and solutions for fog | |
| Ali et al. | A maturity framework for zero‐trust security in multiaccess edge computing | |
| CN115987644A (en) | Intelligent power distribution internet of things safety authentication system | |
| US20240106729A1 (en) | Artificial Intelligence-Based Lateral Movement Identification Tool | |
| Wali | Analysis of security challenges in cloud-based SCADA systems: A survey | |
| CN114928481B (en) | Processing system, method and device for unknown attack defense, central scheduling point and storage medium | |
| Salvakkam et al. | MESSB–LWE: multi-extractable somewhere statistically binding and learning with error-based integrity and authentication for cloud storage | |
| Elkabbany et al. | Security issues in distributed computing system models | |
| Chouhan et al. | Software as a service: Analyzing security issues | |
| Rani et al. | Classification of Security Issues and Cyber Attacks in Layered Internet of Things | |
| Kaviyazhiny et al. | Fog computing perspective: technical trends, security practices, and recommendations | |
| Greco et al. | Facing lateral movements using widespread behavioral probes |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |