CN115102791A - Password service monitoring system and method based on mimicry defense - Google Patents

Info

Publication number: CN115102791A
Authority: CN (China)
Prior art keywords: defense, module, monitoring system, key, service monitoring
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Granted
Application number: CN202211015580.2A
Other languages: Chinese (zh)
Other versions: CN115102791B (en)
Inventors: 张五一, 江楠, 兰先登, 汤敏杰, 刘雪梅, 田叶, 杨乘胜, 蒋啸
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Nanjing Nanzi Huadun Digital Technology Co ltd
Original Assignee: Nanjing Huadun Power Information Security Evaluation Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Application filed by Nanjing Huadun Power Information Security Evaluation Co Ltd
Priority to CN202211015580.2A
Publication of CN115102791A
Application granted
Publication of CN115102791B
Legal status: Active

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105Multiple levels of security
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002Countermeasures against attacks on cryptographic mechanisms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04SSYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20Information technology specific aspects, e.g. CAD, simulation, modelling, system security


Abstract

The invention provides a cryptographic service monitoring system and method based on mimicry defense, belonging to the technical field of information security of the power Internet of Things. The cryptographic service platform is provided with at least two redundant backup systems; a primary cryptographic service monitoring system of the platform generates a key service request and sends it to a secondary cryptographic service monitoring system through a preset network protocol. The primary monitoring system comprises a key management module, a certificate management module, a digital signature verification module, an identity authentication module and a dynamic defense switching module; the secondary monitoring system comprises a cryptographic service module, a detection module and a mimicry heterogeneous defense module. The dynamic defense switching module analyzes the arbitration result of the mimicry heterogeneous defense module and, combined with a defense strategy, directly and dynamically shifts the attack surface and switches the system to a redundant backup cryptographic service platform when a key service request carries a threat attack. This greatly increases the attack cost, consumes the attacker's time and realizes dynamic defense of the system.

Description

Password service monitoring system and method based on mimicry defense
Technical Field
The invention belongs to the technical field of information security of the power Internet of Things, and particularly relates to a cryptographic service monitoring system and method based on mimicry defense.
Background
With the rapid development of smart grids and the deep application of advanced information technologies such as sensing, computation, communication and control, the power system is gradually becoming informatized, networked and intelligent. Open communication networks and device terminal interfaces promote real-time analysis, scientific decision-making and efficient allocation of power resources, but they also introduce potential security hazards.
The national power grid company has developed and built a unified cryptographic service platform, which centrally builds, manages and maintains cryptographic infrastructure resources and standardizes the application of cryptography in each business system. The cryptographic service platform provides software and hardware facilities such as cipher machines, micro-services and databases to each business system, supporting cryptographic services such as digital certificate issuance, user identity authentication, real-name authentication, and encryption and decryption of business data. However, because of properties inherent to the power system and its communication and information systems, the communication and information systems still carry security hazards, and some network attacks cannot be defended against, or can be defended against only at high cost. To ensure the normal operation of the software, hardware and services in the cryptographic service platform, a targeted resilient defense system needs to be built that executes an appropriate defense strategy in an active defense mode, so that the risk faced by the system is reduced.
Disclosure of Invention
To address the problems in the prior art, the invention aims to provide a cryptographic service monitoring system and method based on mimicry defense, which provide redundant backup of the cryptographic service platform system, monitor the key service requests transmitted between networks in real time, analyze whether a key service request carries threatening data, and, when the cryptographic service platform system faces a threat attack, directly and dynamically shift the attack surface and switch the platform system to the redundant backup system, so that no fixed vulnerability can be found during an attack, the attack cost is greatly increased and the attack time is greatly consumed.
To achieve this purpose, the technical scheme of the invention is as follows:
a cryptographic service monitoring system based on mimicry defense, the system comprising:
a cryptographic service platform provided with at least two redundant backup systems and comprising a primary cryptographic service monitoring system; the primary cryptographic service monitoring system is communicatively connected with at least one secondary cryptographic service monitoring system, generates a key service request and sends it to the secondary cryptographic service monitoring system through a preset network protocol;
the primary cryptographic service monitoring system comprises a key management module, a certificate management module, a digital signature verification module, an identity authentication module and a dynamic defense switching module;
the identity authentication module authorizes a corresponding operation level for each user identifier logged in to the cryptographic service platform;
the key management module acquires a key pair generated by the cipher machine and stores, encrypts and distributes the key pair;
the certificate management module generates corresponding signature certificates from the public key of the key pair combined with the user identifiers of the different operation levels;
the digital signature verification module digitally signs the key service request with the private key of the key pair to generate the encrypted key service request;
the primary cryptographic service monitoring system issues the encrypted key service request carrying the user identifier signature to the secondary cryptographic service monitoring system;
the secondary cryptographic service monitoring system comprises a cryptographic service module, a detection module and a mimicry heterogeneous defense module;
the detection module automatically detects and acquires the encrypted key service request carrying the user identifier signature;
the cryptographic service module obtains the public key of the key pair from the signature certificate to decrypt the key service request;
the mimicry heterogeneous defense module comprises a distribution unit, a scheduling unit, an execution unit, an arbitration unit, an executor pool and a plurality of executors in the executor pool;
the execution unit acquires executors with the same function from the executor pool;
the distribution unit dynamically and randomly distributes the decrypted key service request to a plurality of executors of the execution unit for normalization processing and returns the processing results to the arbitration unit;
the arbitration unit compares and arbitrates the normalization processing results and outputs an arbitration result;
the scheduling unit schedules a plurality of executors from the executor pool into the execution unit based on a dynamic scheduling algorithm and the arbitration result, and replaces the executors in the execution unit whose output is abnormal;
and the dynamic defense switching module analyzes the arbitration result of the mimicry heterogeneous defense module and, combined with a defense strategy, directly and dynamically shifts the attack surface and switches the system to the redundant backup cryptographic service platform when the key service request carries a threat attack.
Preferably, the secondary cryptographic service monitoring system generates a key obtaining request from the key service request and sends it to the primary cryptographic service monitoring system; the key management module includes a key distribution unit, which determines the key issuing mode from the key obtaining request and issues the stored key pair to the cryptographic service module; the cryptographic service module parses the key pair and issues it to the terminal Internet of Things device that uses it.
Preferably, the secondary cryptographic service monitoring system further comprises an exception alarm module, which classifies the threat level of the key service request according to the execution logs generated by the executors with the same function and outputs alarm information.
Preferably, the primary cryptographic service monitoring system further comprises a security analysis module arranged at the front end of the primary cryptographic service monitoring system. The security analysis module holds a preset feature information rule base, monitors the operating state of the cryptographic service platform's communication network, collects network messages, extracts feature information, performs a security assessment of the communication network's operating state against the feature information rule base, and responds to abnormal network messages.
Preferably, the primary cryptographic service monitoring system further includes a monitoring module and an interception module arranged at the rear end of the primary cryptographic service monitoring system. The monitoring module captures network packets and parses their contents; the interception module holds a preset abnormal interception rule base and checks the parsed packets against the abnormality judgment rules of that rule base in order to capture and intercept abnormal network packets.
Preferably, the defense strategy is a defense strategy set interval whose endpoints are the required defense strategy type, representing the highest priority, and the unnecessary defense strategy type, representing the lowest priority; a corresponding available defense strategy is selected from the defense strategy set interval according to a defense strategy weight factor.
Preferably, the secondary cryptographic service monitoring system further includes a defense strategy updating module, which monitors and analyzes the execution logs generated by the multiple executors in real time, updates the defense strategy weight factors, and selects an optimal defense strategy from the defense strategy set interval based on the updated defense strategy weight factors.
Preferably, the calculation model for selecting a defense strategy from the defense strategy set interval according to the defense strategy weight factor is:
Figure 408505DEST_PATH_IMAGE001
where D is the set of defense strategies;
Figure 591224DEST_PATH_IMAGE002
is the probability of adopting the i-th defense strategy, and n is the total number of attack strategies;
Figure 433278DEST_PATH_IMAGE003
is the defense strategy weight factor, calculated from the execution logs generated by the plurality of executors; alpha is the correlation factor between the current defense strategy and the previous defense strategy;
Figure 375958DEST_PATH_IMAGE004
is the protection strategy defined on the correlation factor alpha and the defense strategy weight factor
Figure 721488DEST_PATH_IMAGE003
;
Figure 278372DEST_PATH_IMAGE005
is the utility of the defense strategy; and
Figure 342143DEST_PATH_IMAGE006
is the utility of selecting the corresponding available defense strategy from the defense strategy set.
Preferably, the cryptographic service platform adopts a distributed micro-service architecture.
The invention also provides a cryptographic service monitoring method based on mimicry defense, which is applied to the cryptographic service monitoring system based on mimicry defense described above and comprises the following steps:
step S1: initialize the cryptographic service platform and configure it with at least two redundant backup systems, a primary cryptographic service monitoring system and at least one secondary cryptographic service monitoring system;
step S2: establish a communication connection between the primary cryptographic service monitoring system and the secondary cryptographic service monitoring system;
step S3: acquire a key pair generated by a cipher machine, and generate a corresponding signature certificate by combining the key pair with the authorized operation level of the user identifier logged in to the cryptographic service platform;
step S4: generate a key service request, digitally sign it with the private key of the key pair to produce the encrypted key service request, and issue the encrypted key service request to the secondary cryptographic service monitoring system;
step S5: automatically detect and acquire the encrypted key service request carrying the user identifier signature, and decrypt it with the public key of the key pair from the signature certificate;
step S6: dynamically and randomly distribute the decrypted key service request to a plurality of executors in the execution unit for normalization processing, compare and arbitrate the normalization processing results, and output an arbitration result;
step S7: based on a dynamic scheduling algorithm and the arbitration result, find the executors in the execution unit whose output is abnormal, and schedule a plurality of executors from the executor pool to replace them;
step S8: analyze the arbitration result and, combined with the defense strategy, directly and dynamically shift the attack surface and switch the system to the redundant backup cryptographic service platform when the key service request carries a threat attack.
The technical scheme of the invention has the beneficial effects that:
The invention is based on mimicry defense technology. It adopts a redundant backup protection architecture for the cryptographic service platform, automatically detects the key service requests transmitted between networks in real time and analyzes whether a key service request carries threatening data; it dynamically schedules the executors so that the environment in which any threatening data in the request executes keeps changing, and the multi-mode arbitration constraint makes tampering with the decrypted data harder. The mimicry heterogeneous defense module directly and dynamically shifts the attack surface and switches the cryptographic service platform system to a redundant backup system, so that no fixed vulnerability can be found during an attack, the whole system is not left exposed to the security threat, the attack cost and attack time are greatly increased, the platform keeps operating even while compromised, and dynamic defense of the system is realized.
Further, the primary cryptographic service monitoring system acquires a key pair generated by a local cipher machine, assigns different operation levels to the different user identifiers authorized to log in to the cryptographic service platform, and generates the corresponding signature certificates. The signature certificates are used to sign and protect the key service request, so that the key data cannot be stolen, tampered with or attacked at an early stage; the corresponding signature certificate and the key service request data are sent according to the communication protocol, and the secondary cryptographic service monitoring system decrypts the key service request using the signature certificate. This guarantees the correctness and normal output of the key data and the security with which the cryptographic service platform distributes keys to the intelligent Internet of Things terminal devices.
Drawings
The above and other objects, features and advantages of the present invention will become more apparent by describing in more detail exemplary embodiments thereof with reference to the attached drawings, in which like reference numerals generally represent like parts throughout.
FIG. 1 is a schematic structural diagram of a cryptographic service monitoring system based on mimicry defense provided by an embodiment of the present invention;
FIG. 2 is a schematic structural diagram of the mimicry heterogeneous defense module of a cryptographic service monitoring system based on mimicry defense according to an embodiment of the present invention;
FIG. 3 is a flow chart of a cryptographic service monitoring method based on mimicry defense according to an embodiment of the present invention;
description of the reference numerals:
1. cryptographic service platform; 11. primary cryptographic service monitoring system; 12. secondary cryptographic service monitoring system; 111. key management module; 112. certificate management module; 113. digital signature verification module; 114. identity authentication module; 115. dynamic defense switching module; 116. security analysis module; 117. monitoring module; 118. interception module; 121. cryptographic service module; 122. detection module; 123. mimicry heterogeneous defense module; 124. exception alarm module; 125. defense strategy updating module; 1231. distribution unit; 1232. scheduling unit; 1233. execution unit; 1234. arbitration unit; 1235. executor pool; 12351. executor; 2. terminal Internet of Things device.
Detailed Description
Preferred embodiments of the present invention will be described in more detail below. While the following describes preferred embodiments of the present invention, it should be understood that the present invention may be embodied in various forms and should not be limited by the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
Example one
Referring to fig. 1 and 2, the present invention provides a cryptographic service monitoring system based on mimicry defense, the system comprising:
a cryptographic service platform 1 provided with at least two redundant backup systems and comprising a primary cryptographic service monitoring system 11; the primary cryptographic service monitoring system 11 is communicatively connected with at least one secondary cryptographic service monitoring system 12, generates a key service request and sends it to the secondary cryptographic service monitoring system 12 through a preset network communication protocol;
the primary cryptographic service monitoring system 11 comprises a key management module 111, a certificate management module 112, a digital signature verification module 113, an identity authentication module 114 and a dynamic defense switching module 115;
the identity authentication module 114 authorizes a corresponding operation level for each user identifier logged in to the cryptographic service platform 1;
the key management module 111 acquires the key pair generated by the cipher machine and stores, encrypts and distributes the key pair;
the certificate management module 112 generates corresponding signature certificates from the public key of the key pair combined with the user identifiers of the different operation levels;
the digital signature verification module 113 digitally signs the key service request with the private key of the key pair to generate the encrypted key service request;
the primary cryptographic service monitoring system 11 issues the encrypted key service request carrying the user identifier signature to the secondary cryptographic service monitoring system 12;
the secondary cryptographic service monitoring system 12 comprises a cryptographic service module 121, a detection module 122 and a mimicry heterogeneous defense module 123;
the detection module 122 automatically detects and acquires the encrypted key service request carrying the user identifier signature;
the cryptographic service module 121 obtains the public key of the key pair from the signature certificate to decrypt the key service request;
the mimicry heterogeneous defense module 123 comprises a distribution unit 1231, a scheduling unit 1232, an execution unit 1233, an arbitration unit 1234, an executor pool 1235 and a plurality of executors 12351 in the executor pool;
the execution unit 1233 acquires executors 12351 with the same function from the executor pool 1235;
the distribution unit 1231 dynamically and randomly distributes the decrypted key service request to a plurality of executors 12351 of the execution unit 1233 for normalization processing and returns the processing results to the arbitration unit 1234;
the arbitration unit 1234 compares and arbitrates the normalization processing results and outputs an arbitration result;
the scheduling unit 1232 schedules a plurality of executors from the executor pool 1235 into the execution unit 1233 based on a dynamic scheduling algorithm and the arbitration result, and replaces the executors 12351 in the execution unit 1233 whose output is abnormal;
the dynamic defense switching module 115 analyzes the arbitration result of the mimicry heterogeneous defense module 123 and, combined with a defense strategy, directly and dynamically shifts the attack surface and switches the system to the redundant backup cryptographic service platform 1 when the key service request carries a threat attack.
Specifically, the invention is based on mimicry defense technology. The cryptographic service platform 1 adopts a redundant backup protection architecture and comprises a primary cryptographic service monitoring system 11 and at least one secondary cryptographic service monitoring system 12 that communicate with each other: the primary system 11 is the global cryptographic service monitoring system, the secondary system 12 is a regional cryptographic service monitoring system (several may be deployed), and the two exchange data over preset communication protocols, which may be RPC, TCP, UDP, HTTP, HTTPS or similar network protocols. The detection module 122 automatically detects, in real time, the key service requests transmitted between the primary system 11 and the secondary system 12 and analyzes whether a request carries threatening data. The mimicry heterogeneous defense module 123 dynamically schedules the executors 12351 so that the environment in which a threat carried by a key service request executes keeps changing: the executor pool 1235 is an N-variant structure whose executors 12351 are built differently, so that a backdoor or vulnerability present in one executor is not shared by the others, an attacker cannot learn the heterogeneous attributes of the execution unit 1233 well enough to attack it effectively, and the multi-mode arbitration constraint imposed by the arbitration unit 1234 makes tampering with the decrypted data harder.
The mimicry heterogeneous defense module 123 arranged in the secondary cryptographic service monitoring system 12 can directly and dynamically shift the attack surface and switch the cryptographic service platform system to a redundant backup system, so that no fixed vulnerability can be found during an attack, the whole system is not left exposed to the security threat, the attack cost and attack time are greatly increased, the platform keeps operating even while compromised, and dynamic defense of the system is realized. Meanwhile, the scheduling unit 1232 cleans or takes offline the abnormal executors 12351 in the executor pool 1235 according to the feedback control message sent by the arbitration unit 1234, thereby keeping the executor pool 1235 clean.
Further, the primary cryptographic service monitoring system 11 obtains a key pair generated by a local cipher machine, assigns different operation levels to the different user identifiers authorized to log in to the cryptographic service platform 1, and generates the corresponding signature certificates. The signature certificates are used to sign and protect the key service request, so that the key data cannot be stolen, tampered with or attacked at an early stage; the corresponding signature certificate and the key service request data are sent according to the communication protocol, and the secondary cryptographic service monitoring system 12 decrypts the key service request using the signature certificate. This ensures the correctness and normal output of the key data and the security with which the cryptographic service platform 1 distributes keys to the terminal Internet of Things devices 2 of the intelligent Internet of Things.
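The signing flow described above (key pair from the cipher machine, signature certificate binding a user identifier and its operation level to the public key, request signed by the primary system with the private key and checked by the secondary system against the certificate) can be exercised with the following Go program. It is an added example, not code from the patent or its assignee: Ed25519 from Go's standard library stands in for the unspecified cipher machine, and the certificate structure, request fields, requiredLevel table and every name in it are constructed for illustration. The patent text calls the signed request "encrypted" and its processing "decryption"; what a public key taken from a signature certificate can actually do is verify a signature, so that is the check the secondary side performs here, together with the two checks a practitioner would add: that the user identifier inside the request matches the certificate, and that the certificate's operation level is sufficient for the requested operation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// SignatureCertificate stands in for the signature certificate issued by the
// certificate management module: it binds a user identifier and the operation
// level authorized for it to the public key of the key pair. The field layout
// is an assumption of this example; the patent does not specify a format.
type SignatureCertificate struct {
	UserID         string
	OperationLevel int
	PublicKey      ed25519.PublicKey
}

// KeyServiceRequest is the request body the primary system sends to the
// secondary system. Field names are constructed for this example.
type KeyServiceRequest struct {
	UserID    string `json:"user_id"`
	Operation string `json:"operation"`
	KeyID     string `json:"key_id"`
	Nonce     uint64 `json:"nonce"`
}

// SignedRequest is the serialized request with its user-identifier signature.
type SignedRequest struct {
	Body      []byte
	Signature []byte
}

// requiredLevel is a constructed table: the minimum operation level a
// certificate must carry for each kind of key service request.
var requiredLevel = map[string]int{
	"issue_certificate": 1,
	"rotate_key":        2,
	"export_key":        3,
}

// generateKeyPair plays the role of the cipher machine from which the key
// management module obtains a key pair.
func generateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// issueCertificate is the certificate management module: it combines the
// public key with a user identifier and its authorized operation level.
func issueCertificate(userID string, level int, pub ed25519.PublicKey) SignatureCertificate {
	return SignatureCertificate{UserID: userID, OperationLevel: level, PublicKey: pub}
}

// signRequest is the primary side (digital signature verification module):
// the request is serialized and signed with the private key of the key pair.
func signRequest(priv ed25519.PrivateKey, req KeyServiceRequest) (SignedRequest, error) {
	body, err := json.Marshal(req)
	if err != nil {
		return SignedRequest{}, err
	}
	return SignedRequest{Body: body, Signature: ed25519.Sign(priv, body)}, nil
}

// verifyRequest is the secondary side (cryptographic service module). The
// request is accepted only if the signature verifies under the certificate's
// public key, the user identifier in the body matches the certificate, and the
// certificate's operation level is high enough for the requested operation.
func verifyRequest(cert SignatureCertificate, sr SignedRequest) (KeyServiceRequest, error) {
	if len(cert.PublicKey) != ed25519.PublicKeySize {
		return KeyServiceRequest{}, errors.New("certificate carries no usable public key")
	}
	if !ed25519.Verify(cert.PublicKey, sr.Body, sr.Signature) {
		return KeyServiceRequest{}, errors.New("signature does not verify under the certificate public key")
	}
	var req KeyServiceRequest
	if err := json.Unmarshal(sr.Body, &req); err != nil {
		return KeyServiceRequest{}, err
	}
	if req.UserID != cert.UserID {
		return KeyServiceRequest{}, errors.New("user identifier in request does not match certificate")
	}
	need, ok := requiredLevel[req.Operation]
	if !ok {
		return KeyServiceRequest{}, fmt.Errorf("unknown operation %q", req.Operation)
	}
	if cert.OperationLevel < need {
		return KeyServiceRequest{}, fmt.Errorf("operation %q needs level %d, certificate has level %d",
			req.Operation, need, cert.OperationLevel)
	}
	return req, nil
}

func main() {
	pub, priv := generateKeyPair()
	cert := issueCertificate("operator-17", 2, pub)
	sr, _ := signRequest(priv, KeyServiceRequest{UserID: "operator-17", Operation: "rotate_key", KeyID: "k-0042", Nonce: 1})
	req, err := verifyRequest(cert, sr)
	fmt.Println("accepted:", req, err)
	sr.Body[0] ^= 0x01 // one flipped byte in transit invalidates the signature
	_, err = verifyRequest(cert, sr)
	fmt.Println("tampered:", err)
}
```

The nonce field is carried so that a deployment can add replay rejection on the secondary side; this example leaves that bookkeeping out and checks only signature, identity binding and operation level.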
In a preferred example, the secondary cryptographic service monitoring system 12 generates a key acquisition request from the key service request and sends it to the primary cryptographic service monitoring system 11. The key management module 111 includes a key distribution unit, which determines a key issuing mode from the key acquisition request and issues a stored key pair to the cryptographic service module 121; the cryptographic service module 121 parses the key pair and issues it to the terminal device 2 that uses it.
Specifically, the key issuing mode may be online or offline. The key distribution unit applies to the key management module 111 for the key using the acquisition rule corresponding to the determined issuing mode and transmits the acquired key pair to the cryptographic service module 121 according to the predetermined communication protocol; the key distribution software of the cryptographic service module 121 then parses the key pair and issues it to the terminal Internet of Things device 2 that uses it. Defining the key acquisition and distribution interaction between the key management module 111 and the cryptographic service module 121 in this way allows the terminal Internet of Things device 2 that receives the key pair to be accessed securely.
In a preferred example, the secondary cryptographic service monitoring system 12 further includes an exception alarm module 124, which grades the threat level of the key service request according to the execution logs generated by executors with the same function and outputs alarm information.
Specifically, the exception alarm module 124 receives all execution logs generated by the executors with the same function and performs correlation analysis on them, extracts the key feature information of the error information from the mimicry defense execution logs, determines the degree of threat present in the key service request, grades that threat and outputs alarm information. The alarm information records the threat, and its degree, found in the executor that produced the log from which the key feature information came; the degree of threat is graded as high-level threat, middle-level threat, low-level threat or no threat. If the target user's request produces a high-level threat, a scheduling request is sent to the scheduling unit, which takes the executor 12351 that produced the threat offline and removes its abnormal data, schedules several executors from the executor pool 1235 into the executor unit 1233 based on the dynamic scheduling algorithm and the arbitration result, and replaces the executor 12351 with abnormal output in the executor unit 1233. Grading the threat in this way avoids the frequent scheduling and cleaning that over-alerting would cause, and saves system overhead.
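The following added example (not code from the patent) simulates the processing path just described: the distribution unit hands one decrypted key service request to N heterogeneous executors, outputs are normalized and arbitrated by majority vote, the exception alarm module grades the threat from the execution logs, and only a high-level grade makes the scheduling unit take executors offline and pull replacements from the pool. The executor implementations, request format and grading thresholds are this example's own assumptions.

```python
"""Simulation of the mimicry heterogeneous defense module (123) and exception alarm module (124):
distribution to N heterogeneous executors, normalization, majority arbitration, threat grading
from execution logs, and rescheduling from the executor pool. All concrete details are assumed."""
import hashlib
import json
import random
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

HIGH, MIDDLE, LOW, NONE = "high", "middle", "low", "none"


@dataclass
class Executor:
    """One heterogeneous executor (12351) living in the executor pool (1235)."""
    name: str
    handler: Callable[[dict], dict]   # processes one decrypted key service request
    online: bool = True


def normalize(result: dict) -> str:
    """Normalization: canonical JSON so outputs of differently built executors compare equal."""
    return json.dumps(result, sort_keys=True, separators=(",", ":"))


def distribute(unit: List[Executor], request: dict) -> Tuple[Dict[str, str], List[tuple]]:
    """Distribution unit: hand the same request to every executor of the executor unit (1233).
    Returns each executor's normalized output and the execution logs they produced."""
    outputs, logs = {}, []
    for ex in unit:
        try:
            outputs[ex.name] = normalize(ex.handler(request))
            logs.append((ex.name, "ok", ""))
        except Exception as exc:          # a crashing executor still leaves a log line behind
            outputs[ex.name] = ""
            logs.append((ex.name, "error", repr(exc)))
    return outputs, logs


def arbitrate(outputs: Dict[str, str]) -> Tuple[Optional[str], List[str]]:
    """Arbitration unit (1234): strict-majority vote over the normalized outputs.
    Returns (accepted output or None, names of executors whose output deviates)."""
    winner, votes = Counter(outputs.values()).most_common(1)[0]
    if winner == "" or votes * 2 <= len(outputs):
        return None, list(outputs)        # no trustworthy majority: every executor is suspect
    return winner, [name for name, out in outputs.items() if out != winner]


def classify_threat(accepted: Optional[str], anomalous: List[str], logs: List[tuple]) -> str:
    """Exception alarm module (124): grade the request from the executors' logs.
    Rule (assumed here): no majority -> high; a deviating executor whose log carries an
    error feature -> middle; deviation without an error -> low; full agreement -> none."""
    if accepted is None:
        return HIGH
    errored = {name for name, status, _ in logs if status == "error"}
    if any(name in errored for name in anomalous):
        return MIDDLE
    return LOW if anomalous else NONE


def schedule(unit: List[Executor], pool: List[Executor], anomalous: List[str],
             level: str, rng: random.Random) -> List[Executor]:
    """Scheduling unit (1232): only a high-level threat takes executors offline and pulls
    replacements from the pool, so lower grades do not cause constant churn."""
    if level != HIGH:
        return unit
    for ex in unit:
        if ex.name in anomalous:
            ex.online = False             # offline + cleaning of the suspect executor
    kept = [ex for ex in unit if ex.online]
    busy = {ex.name for ex in unit}
    spare = [ex for ex in pool if ex.online and ex.name not in busy]
    rng.shuffle(spare)                    # dynamic (randomized) selection from the pool
    return kept + spare[:len(unit) - len(kept)]


def process_request(unit: List[Executor], pool: List[Executor], request: dict,
                    rng: Optional[random.Random] = None) -> dict:
    """One pass of steps S6 and S7: distribute, arbitrate, grade the threat, reschedule."""
    outputs, logs = distribute(unit, request)
    accepted, anomalous = arbitrate(outputs)
    level = classify_threat(accepted, anomalous, logs)
    new_unit = schedule(unit, pool, anomalous, level, rng or random.Random(0))
    return {"accepted": accepted, "anomalous": sorted(anomalous), "threat": level,
            "unit": [ex.name for ex in new_unit]}


# Constructed sample executors: three honest variants built differently, one compromised
# variant that substitutes another key id, and one that crashes.
def _record(req: dict, key_id: str) -> dict:
    digest = hashlib.sha256(f"{req['device_id']}|{key_id}".encode()).hexdigest()[:16]
    return {"device_id": req["device_id"], "key_id": key_id, "digest": digest}

def honest_a(req): return _record(req, req["key_id"])
def honest_b(req): return dict(sorted(_record(req, req["key_id"]).items()))
def honest_c(req): return {k: v for k, v in _record(req, req["key_id"]).items()}
def compromised(req): return _record(req, "k-99")
def crashing(req): raise RuntimeError("variant crashed")

def make_pool() -> List[Executor]:
    return [Executor("v-a", honest_a), Executor("v-b", honest_b), Executor("v-c", honest_c),
            Executor("v-compromised", compromised), Executor("v-crash", crashing)]

SAMPLE_REQUEST = {"device_id": "iot-0042", "key_id": "k-17", "op": "issue"}  # constructed input
```

With two honest variants and one compromised variant in the unit the vote still succeeds and the compromised output is merely graded low; with only one honest variant no majority exists, the request is graded high and the whole unit is rebuilt from the pool.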
In a preferred example, the primary cryptographic service monitoring system 11 further includes a security analysis module 116 disposed at its front end. The security analysis module 116 holds a preset feature information rule base, monitors the operating state of the communication network of the cryptographic service platform 1, collects network messages and extracts feature information from them, assesses the security of the communication network's operating state against the feature information rule base, and responds to abnormal network messages.
Specifically, the security analysis module 116 collects network messages to extract feature information, summarizes and collates the abnormal conditions occurring in the communication network, records the results in the feature information rule base in a specified format so that they form training samples for the rule base, and thus continuously corrects and refines the rule base. Query and analysis are performed through the network-port visual interface of the background monitoring software arranged in the primary cryptographic service monitoring system 11. The module filters illegal access traffic at the front end of the primary cryptographic service monitoring system 11 as far as possible, responds to and suppresses the sending and receiving of abnormal network messages, quickly anticipates abnormal changes arising in the network, and provides an auxiliary handling strategy (for example, starting abnormal message recording, reporting abnormal alarms, and recording running events), thereby keeping the network running normally.
In a preferred example, the primary cryptographic service monitoring system 11 further includes a monitoring module 117 and an interception module 118, both disposed at its back end. The monitoring module 117 captures network packets and parses their data packets; the interception module 118 holds a preset abnormal interception rule base and checks the parsed data packets against the abnormality judgment rules of that rule base, so as to capture and intercept abnormal network packets.
Specifically, the abnormal interception rule base preset in the interception module 118 is generated by the network rule database arranged in the global network monitoring master station according to the configuration of the network nodes (servers, workstations, routers, switches, hubs, etc.) and is stored in the interception module 118 in file form. An abnormal interception rule is logically divided into two parts: a rule header and rule options. The rule header defines the action of the rule and the protocol, source address, destination address, source port, destination port and other attributes of the network messages it matches; the rule options define the method for judging whether a network message is abnormal and the alarm information required. The security analysis module 116 at the front end of the primary cryptographic service monitoring system 11, together with the monitoring module 117 and the interception module 118 at its back end, combine security analysis with active monitoring and interception; this avoids the high latency of purely passive defense and solves the problem of missed network attack reports caused by the lack of network attack monitoring and analysis capability on the global side of the primary cryptographic service monitoring system 11.
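As an added example (not the patent's own rule format or code), the following parser and matcher implements the rule header / rule options split described above: the header carries action, protocol, addresses and ports, the options carry the anomaly judgment method and the alarm message, and the interception module applies the loaded rules to parsed packets. The rule syntax, check names and sample packets are constructed for this example.

```python
"""Parser and matcher for interception rules split into a rule header (action, protocol,
source/destination address and port) and rule options (anomaly judgment method, alarm
message). Rule syntax and sample packets are constructed for this example."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# header: <action> <proto> <src> <sport> -> <dst> <dport> ( <options> )
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")


@dataclass
class Rule:
    action: str   # rule behaviour: "intercept" or "alert"
    proto: str    # "tcp", "udp" or "any"
    src: str      # CIDR block, single address or "any"
    dst: str
    sport: str    # port, "lo-hi" range or "any"
    dport: str
    check: str    # anomaly judgment method taken from the rule options
    msg: str      # alarm information recorded when the rule fires


def parse_rule(line: str) -> Rule:
    """Split one text rule into header fields and options (key:value pairs separated by ';')."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed rule: {line!r}")
    opts = dict(kv.strip().split(":", 1) for kv in m["opts"].split(";") if kv.strip())
    return Rule(m["action"], m["proto"].lower(), m["src"], m["dst"], m["sport"], m["dport"],
                opts.get("check", "always"), opts.get("msg", "").strip().strip('"'))


def load_rules(text: str) -> List[Rule]:
    """Load a rule file as stored in the interception module; blank lines and '#' comments skip."""
    lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return [parse_rule(l) for l in lines]


def _addr_match(pattern: str, addr: str) -> bool:
    if pattern == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def _port_match(pattern: str, port: int) -> bool:
    if pattern == "any":
        return True
    lo, _, hi = pattern.partition("-")
    return int(lo) <= port <= int(hi or lo)


# Anomaly judgment methods understood in rule options: name prefix -> (packet, argument) test.
CHECKS = {
    "len>": lambda pkt, arg: pkt["length"] > int(arg),
    "syn_only": lambda pkt, arg: pkt.get("flags") == "S",
    "payload~": lambda pkt, arg: re.search(arg, pkt.get("payload", "")) is not None,
    "always": lambda pkt, arg: True,
}


def _check(check: str, pkt: dict) -> bool:
    for name, fn in CHECKS.items():
        if check.startswith(name):
            return fn(pkt, check[len(name):])
    raise ValueError(f"unknown anomaly check: {check}")


def header_matches(rule: Rule, pkt: dict) -> bool:
    """Rule header: protocol, addresses and ports must all match the parsed packet."""
    return (rule.proto in ("any", pkt["proto"]) and _addr_match(rule.src, pkt["src"])
            and _addr_match(rule.dst, pkt["dst"]) and _port_match(rule.sport, pkt["sport"])
            and _port_match(rule.dport, pkt["dport"]))


def inspect(rules: List[Rule], pkt: dict) -> Optional[dict]:
    """Interception module: the first rule whose header and anomaly check both match
    decides the packet; None means the packet is passed through."""
    for rule in rules:
        if header_matches(rule, pkt) and _check(rule.check, pkt):
            return {"action": rule.action, "msg": rule.msg}
    return None


# Constructed rule file: header before the parentheses, options inside.
RULES_TEXT = r"""
# guard the key service endpoint in 10.10.0.0/16 on port 8443
intercept tcp any any -> 10.10.0.0/16 8443 (check:len>1400; msg:"oversized record to key service")
alert tcp 172.16.0.0/12 any -> 10.10.0.5 any (check:syn_only; msg:"bare SYN from untrusted segment")
intercept any any any -> 10.10.0.0/16 any (check:payload~\.\./; msg:"path traversal sequence in request")
"""

# Constructed parsed packets, in the shape the monitoring module (117) would hand over.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "192.168.3.7", "sport": 51000, "dst": "10.10.0.5", "dport": 8443,
     "length": 1500, "flags": "PA", "payload": ""},
    {"proto": "tcp", "src": "172.20.1.9", "sport": 4000, "dst": "10.10.0.5", "dport": 22,
     "length": 60, "flags": "S", "payload": ""},
    {"proto": "udp", "src": "10.10.0.7", "sport": 5353, "dst": "10.10.0.9", "dport": 5353,
     "length": 120, "flags": "", "payload": "../../etc"},
    {"proto": "tcp", "src": "10.10.0.7", "sport": 40000, "dst": "10.10.0.5", "dport": 8443,
     "length": 300, "flags": "PA", "payload": "issue k-17"},
]
```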
According to a preferred example, the defense strategies form defense strategy set intervals, each bounded by a required defense strategy type, which represents the highest priority, and an unnecessary defense strategy type, which represents the lowest priority; the available defense strategy is selected from the defense strategy set interval according to the defense strategy weight factor.
Specifically, the defense strategy types include prevention, monitoring and recovery, and the importance of each is graded as critical (C) or non-critical (N). C is the highest priority and marks a required defense strategy type; N is the lowest priority, i.e. a defense strategy type that is not needed. In this example, based on the dynamic switching conditions of the mimicry defense, the importance of each defense strategy type under different malicious targets is assessed, a targeted defense strategy interval is determined, the corresponding available defense strategy is selected, and that strategy is executed as active defense.
In a preferred example, the secondary cryptographic service monitoring system 12 further includes a defense strategy updating module 125, which monitors and analyzes the execution logs generated by the plurality of executors in real time, updates the defense strategy weight factors, and selects the optimal defense strategy from the defense strategy set interval based on the updated weight factors.
In a preferred example, the calculation model for selecting a defense strategy from the defense strategy set interval according to the defense strategy weight factor is as follows:
[formula image DEST_PATH_IMAGE001; the formula itself is not reproduced in the text]
where D denotes the set of defense strategies; [symbol image DEST_PATH_IMAGE002] is the probability of adopting the i-th defense strategy; n is the total number of attack strategies; [symbol image DEST_PATH_IMAGE003] is the defense strategy weight factor computed from the execution logs generated by the plurality of executors; α is the correlation factor between the current defense strategy and the previous one; [symbol image DEST_PATH_IMAGE004] is the protection strategy defined on the basis of the correlation factor α and the defense strategy weight factor; [symbol image DEST_PATH_IMAGE005] is the utility of the defense strategy; and [symbol image DEST_PATH_IMAGE006] is the utility of selecting the corresponding available defense strategy from the set of defense strategies.
Specifically, the defense strategy updating module 125 monitors and analyzes the execution logs generated by the plurality of executors in real time and selects the corresponding available defense strategy from the defense strategy set interval according to the defense strategy weight factor [symbol image DEST_PATH_IMAGE003]. While a defense strategy scheme is being executed the system may still be hit by new attacks, so it must be determined whether the defense strategy needs to be re-planned. Since a new attack does not change the mimicry defense itself, it only affects the order in which the defense strategies are executed; therefore, by introducing the defense strategy weight factor [symbol image DEST_PATH_IMAGE003] and the correlation factor α between the preceding and following defense strategies, a calculation model for selecting defense strategies is established, and the defense strategy scheme with the highest utility is selected and executed.
In a preferred example, the cryptographic service platform 1 employs a distributed microservice architecture.
Specifically, the cryptographic service platform 1 is designed as distributed microservices: it is split into separate services by functional module, each developed, deployed and maintained independently. Compared with a conventional service architecture, the microservice architecture offers higher reliability and scalability, a single responsibility per module, easier maintenance and development, and clustered deployment of the system. Data exchange between the back ends of the primary cryptographic service monitoring system 11 and the secondary cryptographic service monitoring system 12 uses WebService technology, which is convenient and fast.
Embodiment two
Referring to fig. 3, this embodiment provides a cryptographic service monitoring method based on mimicry defense, which applies the above cryptographic service monitoring system based on mimicry defense and comprises the following steps:
Step S1: the cryptographic service platform 1 is initialized and configured with at least two redundant backup systems, the cryptographic service platform 1 being configured with a primary cryptographic service monitoring system 11 and at least one secondary cryptographic service monitoring system 12;
Step S2: the primary cryptographic service monitoring system 11 establishes a communication connection with the secondary cryptographic service monitoring system 12;
Step S3: a key pair generated by the cipher machine is acquired, and a corresponding signature certificate is generated by combining the key pair with the authorized operation level corresponding to the user identifier logged in to the cryptographic service platform;
Step S4: a key service request is generated, the cryptographic service request is digitally signed with the private key of the key pair to produce an encrypted cryptographic service request, and the encrypted request is issued to the secondary cryptographic service monitoring system;
Step S5: the encrypted cryptographic service request carrying the user identifier signature is automatically detected and acquired, and the request is decrypted with the public key of the key pair held in the signature certificate;
Step S6: the decrypted cryptographic service request is dynamically and randomly distributed to a plurality of executors in the executor unit for normalization processing, the normalization results are compared and arbitrated, and the arbitration result is output;
Step S7: based on the dynamic scheduling algorithm and the arbitration result, the executor with abnormal output in the executor unit is identified, and several executors are scheduled from the executor pool to replace it;
Step S8: the arbitration result is analyzed in combination with the defense strategy, and when the cryptographic service request carries a threat attack, the attack surface is directly and dynamically shifted and the system is switched to the redundant backup cryptographic service platform 1.
The method applies the cryptographic service monitoring system based on mimicry defense, so that no fixed vulnerability can be found when the system is attacked, the system as a whole is not exposed to the security threat, the cost and time of an attack rise sharply, the platform keeps operating even while vulnerabilities or compromised components remain present, and the system is dynamically defended. For details, refer to the description of the first embodiment, which is not repeated here.
While embodiments of the present invention have been described above, the above description is illustrative, not exhaustive, and not limited to the disclosed embodiments. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments.

Claims (10)

1. A cryptographic service monitoring system based on mimicry defense, the system comprising:
a cryptographic service platform provided with at least two redundant backup systems and comprising a primary cryptographic service monitoring system, wherein the primary cryptographic service monitoring system is in communication connection with at least one secondary cryptographic service monitoring system, and the primary cryptographic service monitoring system generates a key service request and sends it to the secondary cryptographic service monitoring system through a preset network protocol;
the primary cryptographic service monitoring system comprises a key management module, a certificate management module, a digital signature verification module, an identity authentication module and a dynamic defense switching module;
the identity authentication module is used for authorizing a corresponding operation level for a user identifier logged in to the cryptographic service platform;
the key management module acquires a key pair generated by a cipher machine and stores, encrypts and distributes the key pair;
the certificate management module generates corresponding signature certificates based on the public key of the key pair in combination with the user identifiers of different operation levels;
the digital signature verification module digitally signs the key service request based on the private key of the key pair to generate an encrypted key service request;
the primary cryptographic service monitoring system issues the encrypted key service request carrying the user identifier signature to the secondary cryptographic service monitoring system;
the secondary cryptographic service monitoring system comprises a cryptographic service module, a detection module and a mimicry heterogeneous defense module;
the detection module is used for automatically detecting and acquiring the encrypted key service request carrying the user identifier signature;
the cryptographic service module acquires the public key of the key pair from the signature certificate to decrypt the cryptographic service request;
the mimicry heterogeneous defense module comprises a distribution unit, a scheduling unit, an executor unit, an arbitration unit, an executor pool and a plurality of executors in the executor pool;
the executor unit acquires executors with the same function from the executor pool;
the distribution unit dynamically and randomly distributes the decrypted key service request to a plurality of executors of the executor unit for normalization processing and returns the processing results to the arbitration unit;
the arbitration unit compares and arbitrates the normalization processing results and outputs an arbitration result;
the scheduling unit schedules a plurality of executors from the executor pool into the executor unit based on a dynamic scheduling algorithm and the arbitration result, and replaces the executor with abnormal output in the executor unit;
and the dynamic defense switching module analyzes the arbitration result of the mimicry heterogeneous defense module in combination with a defense strategy, and is used for directly and dynamically shifting the attack surface and switching the system to the redundant backup cryptographic service platform when the key service request carries a threat attack.
2. The cryptographic service monitoring system based on mimicry defense of claim 1, wherein the secondary cryptographic service monitoring system generates a key acquisition request according to the key service request and sends it to the primary cryptographic service monitoring system; the key management module comprises a key distribution unit, which determines a key issuing mode according to the key acquisition request and issues the stored key pair to the cryptographic service module; and the cryptographic service module parses the key pair and issues it to the terminal Internet of Things device that uses the key pair.
3. The cryptographic service monitoring system based on mimicry defense of claim 1, wherein the secondary cryptographic service monitoring system further comprises an exception alarm module, which grades the threat level of the key service request according to the execution logs generated by executors with the same function and outputs alarm information.
4. The cryptographic service monitoring system based on mimicry defense of claim 1, wherein the primary cryptographic service monitoring system further comprises a security analysis module disposed at a front end of the primary cryptographic service monitoring system; the security analysis module holds a preset feature information rule base, monitors the operating state of the communication network of the cryptographic service platform, collects network messages to extract feature information, assesses the security of the communication network's operating state based on the feature information rule base, and responds to abnormal network messages.
5. The cryptographic service monitoring system based on mimicry defense of claim 1, wherein the primary cryptographic service monitoring system further comprises a monitoring module and an interception module disposed at a back end of the primary cryptographic service monitoring system; the monitoring module captures network packets and parses their data packets; and the interception module holds a preset abnormal interception rule base and checks the parsed data packets against the abnormality judgment rules of the abnormal interception rule base so as to capture and intercept abnormal network packets.
6. The cryptographic service monitoring system based on mimicry defense of claim 1, wherein the defense strategies form a defense strategy set interval whose endpoints are a required defense strategy type representing the highest priority and an unnecessary defense strategy type representing the lowest priority, and the corresponding available defense strategy is selected from the defense strategy set interval according to a defense strategy weight factor.
7. The cryptographic service monitoring system based on mimicry defense of claim 6, further comprising a defense strategy updating module, wherein the defense strategy updating module monitors and analyzes the execution logs generated by the plurality of executors in real time, updates the defense strategy weight factors, and selects the optimal defense strategy from the defense strategy set interval based on the updated defense strategy weight factors.
8. The cryptographic service monitoring system based on mimicry defense of claim 6, wherein the calculation model for selecting a defense strategy from the defense strategy set interval according to the defense strategy weight factor is:
[formula image DEST_PATH_IMAGE001; the formula itself is not reproduced in the text]
where D denotes the set of defense strategies; [symbol image DEST_PATH_IMAGE002] is the probability of adopting the i-th defense strategy; n is the total number of attack strategies; [symbol image DEST_PATH_IMAGE003] is the defense strategy weight factor computed from the execution logs generated by the plurality of executors; α is the correlation factor between the current defense strategy and the previous one; [symbol image DEST_PATH_IMAGE004] is the protection strategy defined on the basis of the correlation factor α and the defense strategy weight factor; [symbol image DEST_PATH_IMAGE005] is the utility of the defense strategy; and [symbol image DEST_PATH_IMAGE006] is the utility of selecting the corresponding available defense strategy from the set of defense strategies.
9. The mimicry defense based cryptographic service monitoring system of claim 1, wherein the cryptographic service platform employs a distributed microservice architecture.
10. A cryptographic service monitoring method based on mimicry defense, which applies the cryptographic service monitoring system based on mimicry defense as claimed in any one of claims 1-9, characterized by comprising the following steps:
Step S1: the cryptographic service platform is initialized and configured with at least two redundant backup systems, the cryptographic service platform being configured with a primary cryptographic service monitoring system and at least one secondary cryptographic service monitoring system;
Step S2: the primary cryptographic service monitoring system and the secondary cryptographic service monitoring system establish a communication connection;
Step S3: a key pair generated by the cipher machine is acquired, and a corresponding signature certificate is generated by combining the key pair with the authorized operation level corresponding to the user identifier logged in to the cryptographic service platform;
Step S4: a key service request is generated, the cryptographic service request is digitally signed with the private key of the key pair to produce an encrypted cryptographic service request, and the encrypted request is issued to the secondary cryptographic service monitoring system;
Step S5: the encrypted cryptographic service request carrying the user identifier signature is automatically detected and acquired, and the request is decrypted with the public key of the key pair held in the signature certificate;
Step S6: the decrypted cryptographic service request is dynamically and randomly distributed to a plurality of executors in the executor unit for normalization processing, the normalization results are compared and arbitrated, and the arbitration result is output;
Step S7: based on the dynamic scheduling algorithm and the arbitration result, the executor with abnormal output in the executor unit is identified, and several executors are scheduled from the executor pool to replace it;
Step S8: the arbitration result is analyzed in combination with the defense strategy, and when the cryptographic service request carries a threat attack, the attack surface is directly and dynamically shifted and the system is switched to the redundant backup cryptographic service platform.
CN202211015580.2A 2022-08-24 2022-08-24 Password service monitoring system and method based on mimicry defense Active CN115102791B (en)

Publications (2)

Publication Number Publication Date
CN115102791A true CN115102791A (en) 2022-09-23
CN115102791B CN115102791B (en) 2023-01-03

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder
Address after: No. 38, New Model Road, Gulou District, Nanjing City, Jiangsu Province, 210000
Patentee after: Nanjing Nanzi Huadun Digital Technology Co.,Ltd.
Address before: No. 38, New Model Road, Gulou District, Nanjing City, Jiangsu Province, 210000
Patentee before: NANJING HUADUN POWER INFORMATION SECURITY EVALUATION CO.,LTD.