CN115277076B - Side channel attack defense method and system, storage medium and electronic equipment - Google Patents

Side channel attack defense method and system, storage medium and electronic equipment Download PDF

Info

Publication number
CN115277076B
CN115277076B CN202210714193.1A CN202210714193A CN115277076B CN 115277076 B CN115277076 B CN 115277076B CN 202210714193 A CN202210714193 A CN 202210714193A CN 115277076 B CN115277076 B CN 115277076B
Authority
CN
China
Prior art keywords
data packet
attack
information
delay
delay information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210714193.1A
Other languages
Chinese (zh)
Other versions
CN115277076A (en
Inventor
王鸿
葛帅
袁淑美
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Telecom Corp Ltd filed Critical China Telecom Corp Ltd
Priority to CN202210714193.1A priority Critical patent/CN115277076B/en
Publication of CN115277076A publication Critical patent/CN115277076A/en
Application granted granted Critical
Publication of CN115277076B publication Critical patent/CN115277076B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic

Abstract

The disclosure relates to the technical field of internet, and relates to a side channel attack defense method and system, a storage medium and electronic equipment, wherein the method comprises the following steps: detecting the communication data packet according to the description information of the communication data packet corresponding to the container so as to determine an attack data packet; generating target delay information of the attack data packet according to a preset delay generation strategy according to the current data concurrency and actual delay information corresponding to the attack data packet; and forwarding the attack data packet based on the target time delay information. The method and the device for modifying the time delay information of the attack data packet adjust and modify the time delay information of the attack data packet, reduce the correlation between the time delay information and the data concurrency quantity, reduce the probability that the time delay information exposes the container information, and improve the attack defending capability of the side channel.

Description

Side channel attack defense method and system, storage medium and electronic equipment
Technical Field
The present disclosure relates to the field of internet technologies, and in particular, to a side channel attack defense method, a side channel attack defense system, a storage medium, and an electronic device.
Background
Side channel attack (Side Channel Attack is abbreviated as SCA), also called side channel attack, the core idea is to obtain ciphertext information through various leakage information generated during the operation of encryption software or hardware. With the development of the internet technology field, in the use process of the container, an illegal user seeks a side channel attack opportunity by sending a large number of malicious data packets.
However, in the related art, dangerous data cannot be accurately perceived through a situation awareness system, illegal attacks are difficult to actively resist, and container information exposure is easy to cause.
It should be noted that the information of the present invention in the above background section is only for enhancing understanding of the background of the present disclosure, and thus may include information that does not form the prior art that is already known to those of ordinary skill in the art.
Disclosure of Invention
The disclosure aims to provide a side channel attack defense method and system, a computer storage medium and electronic equipment, so as to improve the attack defense capability of a side channel.
Other features and advantages of the present disclosure will be apparent from the following detailed description, or may be learned in part by the practice of the disclosure.
According to one aspect of the present disclosure, there is provided a side channel attack defense method, including:
detecting the communication data packet according to the description information of the communication data packet corresponding to the container so as to determine an attack data packet;
generating target delay information of the attack data packet according to a preset delay generation strategy according to the current data concurrency and actual delay information corresponding to the attack data packet;
And forwarding the attack data packet based on the target time delay information.
In an exemplary embodiment of the present disclosure, the detecting the communication data packet according to the description information of the communication data packet corresponding to the container to determine an attack data packet includes:
acquiring the description information characteristics of the communication data packet from the description information;
inputting the description information characteristics into a pre-trained data packet identification model for prediction to obtain a prediction result;
determining the attack data packet from the communication data packet according to the prediction result;
the data packet identification model is obtained by training description information characteristic samples corresponding to different data packet types, and the description information characteristic samples are obtained according to communication data packet samples corresponding to different internet surfing behaviors of access container services.
In an exemplary embodiment of the present disclosure, the generating, according to a preset delay generating policy, target delay information of the attack data packet according to the current data concurrency and actual delay information corresponding to the attack data packet includes:
randomly selecting a target delay generation strategy from a delay generation strategy set to serve as the preset delay generation strategy;
Calculating a delay offset according to the current data concurrency and the preset delay generation strategy;
and generating the target delay information based on the delay offset and the actual delay information.
In an exemplary embodiment of the present disclosure, the calculating, according to the current data concurrency, a delay offset according to the preset delay generation policy includes:
calculating an initial delay offset according to the preset delay generation strategy based on the current data concurrency;
and normalizing the initial delay offset to obtain the delay offset.
In an exemplary embodiment of the present disclosure, the actual delay information is a current network delay corresponding to the attack data packet when the attack data packet is received;
the generating the target delay information based on the delay offset and the actual delay information includes:
and fusing the delay offset to the current network delay to generate the target delay information.
In an exemplary embodiment of the present disclosure, after detecting the communication data packet according to the description information of the communication data packet corresponding to the container to determine an attack data packet, an attack flag is added to the attack data packet;
Before forwarding the attack data packet based on the target delay information, the method further includes:
the attack tag is cancelled in the attack data inclusion.
In an exemplary embodiment of the disclosure, before the forwarding the attack data packet based on the target delay information, the method further includes:
acquiring a first distribution result of the real network delay information along with the corresponding data concurrency when the communication data packet of the container is transmitted according to the real network delay information;
acquiring a second distribution result of network delay information of a communication data packet of the container along with corresponding data concurrency, wherein the network delay information comprises the target delay information;
and if the distribution trend difference of the second distribution result and the first distribution result accords with a time delay modification condition, determining to forward the attack data packet based on the target time delay information.
In an exemplary embodiment of the present disclosure, the description information includes at least source port information of the attack data packet, a source internet protocol IP address of the attack data packet, a protocol number of the attack data packet, a destination IP address of the attack data packet, destination port information of the attack data packet, TCP handshake delay information of a transmission control protocol, and matching result information of the intrusion detection system on the payload data.
According to one aspect of the present disclosure, there is provided a side channel attack defense system, the system comprising:
the detection module is used for detecting the communication data packet according to the description information of the communication data packet corresponding to the container so as to determine an attack data packet;
the time delay processing module is used for generating target time delay information of the attack data packet according to a preset time delay generation strategy according to the current data concurrency and the actual time delay information corresponding to the attack data packet;
and the information processing module is used for forwarding the attack data packet based on the target time delay information.
According to one aspect of the present disclosure, there is provided a computer storage medium having stored thereon a computer program which, when executed by a processor, implements the method of any of the above.
According to one aspect of the present disclosure, there is provided an electronic device including: a processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to perform the method of any of the above via execution of the executable instructions.
According to the side channel attack defense method in the exemplary embodiment of the disclosure, the communication data packet is detected according to the description information of the communication data packet communicated with the container, the attack data packet is determined, the target delay information of the attack data packet is generated according to the current data concurrency and the actual delay information corresponding to the attack data packet and a preset delay generation strategy, and the attack data packet is forwarded based on the target delay information. On one hand, as an effective supplement to unknown risks of the opposite side channel, through detecting the communication data packets of the container, the attack data packets possibly having malicious risks are identified, the perception capability of a situation perception system on dangerous data is made up, and the perception accuracy of the attack data packets is improved; on the other hand, the target time delay information of the attack data packet is generated, so that the attack data packet is forwarded by the target time delay information, the time delay information of the communication data packet in the use process of the container is confused, the correlation between the time delay information and the concurrency quantity is reduced, the exposure risk of the container information based on the time delay information is reduced, the risk exposure surface in the use process of the container is reduced, and the information security in the use process of the container is protected.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The above, as well as additional purposes, features, and advantages of exemplary embodiments of the present disclosure will become readily apparent from the following detailed description when read in conjunction with the accompanying drawings. Several embodiments of the present disclosure are illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings, in which:
FIG. 1 illustrates an application scenario diagram according to an exemplary embodiment of the present disclosure;
FIG. 2 illustrates a flow chart of a side channel attack defense method according to an exemplary embodiment of the present disclosure;
FIG. 3 illustrates a flow chart of detecting a communication data packet based on description information of the communication data packet according to an exemplary embodiment of the present disclosure;
FIG. 4 illustrates a flowchart of one implementation of generating target latency information according to an exemplary embodiment of the present disclosure;
FIG. 5 illustrates a schematic diagram of a marker attack packet according to an exemplary embodiment of the present disclosure;
FIG. 6 illustrates a schematic diagram of a untagged attack packet according to an exemplary embodiment of the present disclosure;
FIG. 7 illustrates a flowchart of a method of processing a data packet based on a container performance curve according to an exemplary embodiment of the present disclosure;
FIG. 8 illustrates a schematic diagram of a container performance curve generated from actual network latency information and data concurrency in accordance with an exemplary embodiment of the present disclosure;
FIG. 9 illustrates a schematic diagram of a container performance curve generated from network latency information and data concurrency in accordance with an exemplary embodiment of the present disclosure;
fig. 10 shows a flowchart of a side channel attack defense method using an embodiment of the present disclosure in an application scenario according to an exemplary embodiment of the present disclosure;
FIG. 11 illustrates an architectural diagram of a side channel attack defense system according to an exemplary embodiment of the present disclosure;
fig. 12 shows a block diagram of an electronic device according to an exemplary embodiment of the present disclosure.
In the drawings, the same or corresponding reference numerals indicate the same or corresponding parts.
Detailed Description
Exemplary embodiments will now be described more fully with reference to the accompanying drawings. However, the exemplary embodiments may be embodied in many forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of the exemplary embodiments to those skilled in the art. The same reference numerals in the drawings denote the same or similar structures, and thus detailed descriptions thereof will be omitted.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the disclosed aspects may be practiced without one or more of the specific details, or with other methods, components, devices, steps, etc. In other instances, well-known structures, methods, devices, implementations, or operations are not shown or described in detail to avoid obscuring aspects of the disclosure.
The block diagrams depicted in the figures are merely functional entities and do not necessarily correspond to physically separate entities. That is, these functional entities may be implemented in software, or in one or more software-hardened modules, or in different networks and/or processor devices and/or microcontroller devices.
In the related art in the field, in the use process of the container, the containers with different version information have different performance performances, so that a trend graph reflecting the performance of the container can be obtained through a large amount of performance detection data observation, for example, an overhead curve of network overhead of different containers along with the concurrency of data is drawn. Therefore, the used container version information can be exposed in a side channel mode, the risk exposure surface is increased, and targeted malicious attacks can be performed on the opportunity for providing malicious attacks for illegal users.
However, in the related art, dangerous data cannot be accurately perceived through a situation awareness system, and further an active side channel attack defense strategy cannot be provided, so that information security of a user in a container using process is difficult to guarantee.
Based on this, in the exemplary embodiments of the present disclosure, a side channel attack defense method is provided first. Referring to fig. 1, an application scenario diagram according to an exemplary embodiment of the present disclosure is shown. As shown in fig. 1, during the use of the container, the latency RTT (Round Trip Time) is easily increased due to factors such as network mapping NAT (Network Address Translation ), disk I/O, CPU (central processing unit, central processing unit) memory, and the like. The number of the terminal devices 101 may be one or more, and the terminal devices may be smart phones, tablet computers, desktop computers, wearable electronic devices, etc., which are not limited herein.
It should be noted that the number of containers 102 in fig. 1 is merely illustrative, and any number of containers may be provided, such as a cluster of containers, depending on the actual implementation requirements. The present disclosure is not particularly limited thereto.
As shown in fig. 2, a flowchart of a side channel attack defense method according to an embodiment of the present disclosure, as shown in fig. 2, the side channel attack defense method of the embodiment of the present disclosure may include steps S210 to S230:
Step S210: detecting the communication data packet according to the description information of the communication data packet corresponding to the container so as to determine an attack data packet;
step S220: generating target delay information of the attack data packet according to a preset delay generation strategy according to the current data concurrency and actual delay information corresponding to the attack data packet;
step S230: and forwarding the attack data packet based on the target time delay information.
According to the side channel attack defense method, as an effective supplement to unknown risks of the side channel, through detecting the communication data packets of the container, the attack data packets possibly with malicious risks are identified, the perception capability of a situation perception system on dangerous data is made up, and the perception accuracy of the attack data packets is improved; generating target time delay information of the attack data packet, forwarding the attack data packet by the target time delay information, confusing the time delay information of the communication data packet in the use process of the container, reducing the correlation between the time delay information and the concurrency quantity, reducing the exposure risk of the container information based on the time delay information, reducing the risk exposure surface in the use process of the container, and protecting the information security in the use process of the container.
The side channel attack defense method according to the embodiment of the present disclosure is described in detail below with reference to fig. 2.
In step S210, the communication data packet is detected according to the description information of the communication data packet corresponding to the container, so as to determine an attack data packet.
In an exemplary embodiment of the present disclosure, the communication data packet is a data packet that is communicated with the container when the user accesses the service of the container during the use process of the container, and the description information is a description of the content of the data packet, including, but not limited to, source port information of the attack data packet, source internet protocol IP address of the attack data packet, protocol number of the attack data packet, destination IP address of the attack data packet, destination port information of the attack data packet, transmission control protocol TCP handshake delay information, and matching result information of the intrusion detection system on the payload data.
Wherein, the detecting the communication data packet according to the description information of the communication data packet may include the following steps S310 to S330:
step S310, the description information characteristics of the communication data packet are obtained from the description information.
When a user accesses the container service, extracting descriptive information features in the communication data packet, such as source port information of the attack data packet, a source Internet Protocol (IP) address of the attack data packet, a protocol number of the attack data packet, a target IP address of the attack data packet and the like, wherein the descriptive information features can reflect actual content of the communication data packet. Of course, the embodiment of the disclosure may extract the description information features of each communication data packet according to the actual side channel attack defense scenario and the actual situation of the communication data packet.
And step S320, inputting the description information characteristics into a pre-trained data packet identification model for prediction to obtain a prediction result.
The pre-trained data packet identification model is obtained by training according to descriptive information characteristic samples corresponding to different data packet types, and the descriptive information characteristic samples are obtained according to communication data packet samples corresponding to different internet surfing behaviors of access container services.
Communication data packets corresponding to different internet surfing behaviors can be collected, the different internet surfing behaviors can comprise a compliant internet surfing behavior and a malicious attack internet surfing behavior, and a communication data packet sample is constructed through the collected communication data packets. In some possible embodiments, if the collected communication data packet samples corresponding to the malicious attack internet surfing behavior are fewer, the malicious attack internet surfing behavior can be constructed, so as to obtain the communication data packet sample for constructing the malicious internet surfing behavior; correspondingly, in order to avoid that the constructed samples influence the model training and the prediction effect, the compliance internet surfing behavior can be constructed simultaneously, so that the communication data packet sample for constructing the compliance internet surfing behavior is obtained.
Further, a packet identification model is trained based on the obtained communication packet samples for detection of communication packets. The data packet identification model may be a random forest model, which may include a plurality of decision trees corresponding to different internet surfing behaviors and different descriptive information features.
Embodiments of the present disclosure may train a random forest classification model for packet identification based on a communication packet sample. And when the description information of the communication data packet corresponding to the container is obtained, extracting the description information characteristics and inputting the description information characteristics into a random forest classification model which is obtained through pre-training. The random forest classification model comprises a plurality of decision trees, the types of data packets corresponding to each decision tree can be the same or different, and the characteristics of descriptive information corresponding to each decision tree can be the same or different. For example, the type of the data packet corresponding to the decision tree a is an attack data packet, the type of the data packet corresponding to the decision tree B is a normal data packet, and the type of the data packet corresponding to the decision tree C is an attack data packet. The description information features corresponding to the decision tree a comprise a, B and C, the description information features corresponding to the decision tree B comprise a, B and e, the decision tree C can have the same description information features as the decision tree a or can correspond to different description information features, and the decision tree C can have the same description information features as the decision tree B or can be different.
In the random forest classification model of the embodiment of the disclosure, each decision tree has non-identical description information characteristics, and by fully combining various description information characteristics, the description information characteristics in each decision tree can be randomly selected, and decision trees with different attention points can be obtained, so that each decision tree can identify and classify communication data packets from different classification angles.
And step S330, determining an attack data packet from the communication data packets according to the prediction result.
Based on the prediction result of the packet identification model, an attack packet can be identified from the communication packets to and from the container. Taking a data packet recognition model as an example of a random forest classification model, each decision tree of the random forest classification model obtains a sub-prediction result, and the prediction results of a single decision tree may deviate, so in the embodiment of the disclosure, the prediction results of all decision trees can be combined to obtain the prediction result of each communication data packet, and various description information features of different data packet types can be considered based on the prediction results, so that the prediction accuracy is improved.
According to the embodiment of the disclosure, in side channel attack defense, since a situation awareness system cannot accurately perceive dangerous data, risk items are inevitably omitted, and information security of a user is caused, the embodiment of the disclosure captures an attack data packet possibly having risks by detecting description information of a communication data packet to and from a container so as to perform further active defense processing, thereby effectively supplementing unknown risk identification and defense of a side channel and improving the security of container operation.
In step S220, according to the current data concurrency and the actual delay information corresponding to the attack data packet, a preset delay generation strategy is used to generate target delay information of the attack data packet.
In an exemplary embodiment of the present disclosure, delay information, namely RTT (Round Trip Time), is used to characterize the total delay experienced from the Time when data is transmitted from the transmitting end to the Time when the transmitting end receives an acknowledgement from the receiving end (the acknowledgement is transmitted immediately after the receiving end has received the data). The current data concurrency refers to the corresponding data concurrency when the attack data packet is received, and the actual delay information refers to the delay from the time when the data is sent by the sending end to the time when the side channel attack defense system receives the supply data packet.
The target delay information is delay information added to the communication data packet. For example, if the communication data packet is a non-attack data packet, when the communication data packet is detected as a non-attack data packet, no processing is performed, and the communication data packet is forwarded according to a normal path. In contrast, if the communication data packet is an attack data packet, when the communication data packet is detected to be the attack data packet, the attack data packet is not directly forwarded, and the forwarding time is prolonged according to the target time delay information, namely, after waiting for the duration corresponding to the target time delay information, the attack data packet is forwarded.
Based on the method, for users who maliciously send out attack data packets, the acquired delay information is modified and confused delay, and the relation between the seeking delay and the data concurrency is interfered, so that the exposure of container information is avoided.
After capturing the attack data packet, generating target delay information according to the current data concurrency sum of the attack data packet and a preset delay generation strategy to attach the target delay information to the attack data packet.
In step 230, the attack packet is forwarded based on the target latency information.
In an exemplary embodiment of the present disclosure, after target delay information corresponding to each attack data packet is obtained, each attack data packet is forwarded according to the target delay information. The delay server can be called to obtain the target delay information of each attack data packet, and the forwarding of each attack data packet is controlled by the target delay information.
According to the method and the device for processing the data packet, the target time delay information of the attack data packet is generated, so that the attack data packet is forwarded by the target time delay information, the time delay information of the communication data packet in the use process of the container is confused, the correlation between the time delay information and the concurrency quantity is reduced, the exposure risk of the time delay information to the container information is reduced, the risk exposure surface in the use process of the container is reduced, and the information security in the use process of the container is protected for a user.
In an exemplary embodiment of the present disclosure, an implementation of generating target latency information is provided. According to the current data concurrency and the actual delay information corresponding to the attack data packet and a preset delay generation strategy, generating the target delay information of the attack data packet may include steps S410 to S430:
step S410: and randomly selecting a target time delay generation strategy from the time delay generation strategy set to serve as a preset time delay generation strategy.
In an exemplary embodiment of the present disclosure, a set of delay generation policies may be preset, where the set of delay generation policies includes different delay generation policies according to which irregular delay offsets may be randomly generated.
By way of example, the set of latency generation policies may include the following latency generation policies:
policy 1)
Policy 2)
Strategy 3) f (x) =x (x-1) (x-a)
Wherein x is the current data concurrency corresponding to the attack data packet, f (x) is the delay offset, a, b, n and L are preset calculation factors, which can be set according to actual requirements, and the embodiment of the disclosure is not limited in particular. It should be noted that, the above delay generation policies are only exemplary, and the embodiments of the present disclosure may add or delete delay generation policies in the delay generation policy set according to actual application requirements, so as to implement update maintenance of the delay generation policy set.
In the exemplary embodiment of the disclosure, after the communication data packet is determined to be the attack data packet, the target delay generation strategy can be randomly selected from the delay generation strategy set to serve as a preset delay generation strategy, and the randomness of calculating the delay offset is increased by randomly selecting the target delay generation strategy, so that the generation randomness of the delay information is improved.
Step S420: and calculating the delay offset according to the current data concurrency and a preset delay generation strategy.
In the present exemplary embodiment, after a preset delay generation policy is acquired, the current data concurrency is used as an argument, and a delay offset is calculated according to the preset delay generation policy.
The initial delay offset can be calculated according to a preset delay generation strategy based on the current data concurrency quantity, and then normalized to obtain the delay offset. The initial delay offset may be normalized according to the following formula:
wherein, gamma scale Delay offset, gamma is the initial delay offset, gamma min And gamma max The method is a parameter related to a specified range of normal time delay of an actual application scene, and the obtained time delay offset is controlled in the specified range of the normal time delay by carrying out normalization processing on the initial time delay offset obtained according to a preset time delay generation strategy, so that the influence of adjustment and modification of time delay information on the normal operation of the actual application project is avoided.
Step S430: and generating target delay information based on the delay offset and the actual delay information.
In this exemplary embodiment, when the actual delay information is the current network delay corresponding to the attack data packet when the attack data packet is received, that is, the delay from the time when the sending end sends data to the time when the side channel attack defense system receives the supply data packet is totally experienced. Based on the delay offset and the actual delay information, generating the target delay information can fuse the delay offset to the current network delay to generate the target delay information.
The delay offset may be fused to the current network delay using the following formula:
formula Δrtt=rtt×γ scale Xc% wherein DeltaRTT is the target delay information, gamma scale For the delay offset, c is a parameter related to a specified range of normal delay of the actual application scene, and is determined according to the actual application scene, for example, 10%.
According to the embodiment of the disclosure, the delay offset is added to the current network delay corresponding to the attack data packet, so that the actual distribution of delay information corresponding to the attack data packet is changed, and the exposure surface caused by the delay information is reduced.
In an exemplary embodiment of the present disclosure, an implementation of tagging an attack data packet is also provided. According to the embodiment of the disclosure, after the communication data packet is detected according to the description information of the communication data packet corresponding to the container so as to determine the attack data packet, an attack mark is added in the attack data packet.
Fig. 5 is a schematic diagram of a marker attack packet according to an embodiment of the present disclosure. As shown in fig. 5, the attack packet may be marked by editing (box selection area) reserved optional fields in the transport protocol control TCP packet (attack packet), for example, with the possible field set to 0X01 and vice versa to 0X 00. Accordingly, before forwarding the attack data packet based on the target delay information, the corresponding optional field in the TCP data packet may be recovered to 0X00, so that the attack data packet is consistent with the received data packet, as shown in fig. 6, and before forwarding the attack data packet through the TCP delay server, the attack flag of the TCP data packet is cancelled.
According to the embodiment of the disclosure, the attack data packet is marked, the time delay information of the attack data packet can be modified through the side channel attack defense system to obtain the target time delay information, and before the attack data packet is forwarded, the attack mark in the attack data packet is canceled, so that modification operation of the side channel attack defense system to the time delay information of the attack data packet is prevented from being exposed, and the risk of re-attack is reduced.
In an exemplary embodiment of the present disclosure, in order to further ensure the defending effectiveness of the target latency information generated by the embodiments of the present disclosure, a method for processing a data packet based on a container performance curve is also provided. Before forwarding the attack packet based on the target delay information, the following steps S710 to S730 may be further performed:
Step S710, obtaining a first distribution result of the real network delay information along with the corresponding data concurrency when the communication data packet of the container is transmitted according to the real network delay information.
When the delay information of the communication data packet of the container is not additionally modified, and the communication data packet of the container is transmitted according to the actual network delay, a first distribution result of the actual network delay information along with the corresponding data concurrency amount may be obtained, as shown in fig. 8, which is a schematic diagram of a container performance curve generated according to the actual network delay information and the data concurrency amount according to an exemplary embodiment of the present disclosure. As can be seen from fig. 8, corresponding network delay overhead curves can be obtained for different versions of containers, so that the actual corresponding container version information of each curve can be easily obtained according to the network delay overhead curves.
Step S720, obtaining a second distribution result of network delay information of the communication data packet of the container along with the corresponding data concurrency quantity, where the network delay information includes target delay information.
Wherein, a second distribution result of the network latency information including the target latency information and the corresponding data concurrency may be obtained, as shown in fig. 9, which is a schematic diagram of a container performance curve generated according to the network latency information (including the target latency information) and the data concurrency according to an exemplary embodiment of the present disclosure. As can be seen from fig. 9, by modifying the time delay with attachments, the concurrent amounts of the time delay information and the data are randomly distributed, so that the correlation between the time delay information and the data is reduced, the risk that the version information of the container is exposed by the time delay information is reduced, the risk exposure surface of the container in the use process is reduced, and the information security of the user in the use process of the container is protected.
In step S730, if the distribution trend difference between the second distribution result and the first distribution result meets the delay modification condition, it is determined that the attack data packet is forwarded based on the target delay information.
In this exemplary embodiment, it may be determined that the distribution trend difference of the second distribution result and the first distribution result meets the delay modification condition before forwarding the attack packet based on the target delay information.
The time delay modification condition may be that the second distribution result and the first distribution result have larger distribution trend difference, for example, the second distribution result cannot be fitted to obtain the distribution trend of the first distribution result, and then the second distribution result and the first distribution result are considered to have larger distribution trend difference, that is, the correlation of the time delay information and the data concurrency cannot be obtained through the second distribution result.
According to the embodiment of the disclosure, before forwarding the attack data packet based on the target delay information, the distribution trend difference between the second distribution result and the first distribution result is determined to be large, so that the target delay information can be further ensured to reduce the version probability of the exposed container. In contrast, if the distribution trend difference between the second distribution result and the first distribution result does not meet the time delay modification condition, for example, the first distribution result can be obtained by fitting the second distribution result, that is, the correlation between the time delay information and the data concurrency is obtained, the target time delay generation strategy can be reselected to generate the calculation target time delay information, so that the final second distribution result has larger distribution trend difference from the first distribution result.
Fig. 10 is a flow chart illustrating a method for defending a side channel attack using an embodiment of the present disclosure in an application scenario, as shown in fig. 10, in which a large amount of access is required to collect enough container information by attacking a data packet, the embodiment of the present disclosure detects a communication data packet corresponding to a container accessing a container service by a side channel attack defending system.
If the attack data packet is detected through the description information of the communication data packet, randomly selecting a target delay generation strategy from a delay generation strategy set to serve as a preset delay generation strategy;
calculating a delay offset according to a preset delay generation strategy and the current data concurrency; and fusing the delay offset to the current network delay to generate target delay information. Wherein the target delay information is typically not more than a specified range of normal delays required by the actual project, e.g., the target delay information is typically not more than 10% of the normal delays required by the actual project.
And finally, forwarding the attack data packet based on the target time delay information. The forwarding layer can increase the target delay information in actual delay of the attack data packet so as to increase randomness of the delay information and reduce side channel exposure risk.
As can be seen from the foregoing, according to the method for defending a side channel attack in the embodiment of the present disclosure, according to description information of a communication data packet that is communicated with a container, the communication data packet is detected, an attack data packet is determined, according to current data concurrency and actual delay information corresponding to the attack data packet, according to a preset delay generation policy, target delay information of the attack data packet is generated, and the attack data packet is forwarded based on the target delay information. As an effective supplement to unknown risks of the side channels, through detecting the communication data packets of the container, the attack data packets possibly having malicious risks are identified, the perception capability of the situation perception system on dangerous data is made up, and the perception accuracy of the attack data packets is improved; generating target time delay information of the attack data packet, forwarding the attack data packet by the target time delay information, confusing the time delay information of the communication data packet in the use process of the container, reducing the correlation between the time delay information and the concurrency quantity, reducing the exposure risk of the container information based on the time delay information, reducing the risk exposure surface in the use process of the container, and protecting the information security in the use process of the container.
In addition, according to an exemplary embodiment of the present disclosure, there is also provided a side channel attack defense system, as shown in fig. 11, the system 1100 includes:
the detection module 1110 is configured to detect, according to description information of a communication data packet corresponding to a container, the communication data packet to determine an attack data packet;
the delay processing module 1120 is configured to generate target delay information of the attack data packet according to a preset delay generating policy according to the current data concurrency and the actual delay information corresponding to the attack data packet;
and the information processing module 1130 is configured to forward the attack packet based on the target delay information.
In an exemplary embodiment of the present disclosure, the detection module 1110 may include:
an information extraction unit, configured to obtain a description information feature of the communication data packet from the description information;
the information prediction unit is used for inputting the description information characteristics into a pre-trained data packet identification model to predict so as to obtain a prediction result;
an information determining unit, configured to determine the attack data packet from the communication data packets according to the prediction result;
the data packet identification model is obtained by training description information characteristic samples corresponding to different data packet types, and the description information characteristic samples are obtained according to communication data packet samples corresponding to different internet surfing behaviors of access container services.
In an exemplary embodiment of the present disclosure, the delay processing module 1120 may include:
the strategy determining unit is used for randomly selecting a target time delay generating strategy from a time delay generating strategy set to serve as the preset time delay generating strategy;
the calculating unit is used for calculating the delay offset according to the current data concurrency and the preset delay generation strategy;
and the information generating unit is used for generating the target time delay information based on the time delay offset and the actual time delay information.
In an exemplary embodiment of the present disclosure, the computing unit may include:
the first calculation unit is used for calculating an initial delay offset according to the preset delay generation strategy based on the current data concurrency quantity;
and the normalization processing unit is used for normalizing the initial delay offset to obtain the delay offset.
In an exemplary embodiment of the present disclosure, the actual delay information is a current network delay corresponding to the attack data packet when the attack data packet is received;
the information generating unit is configured to: and fusing the delay offset to the current network delay to generate the target delay information.
In an exemplary embodiment of the present disclosure, the side channel attack defense system 1100 may further include a data marking module, configured to, after detecting the communication data packet according to the description information of the communication data packet corresponding to the container to determine an attack data packet, add an attack mark to the attack data packet;
and the data marking module is further used for canceling the attack mark in the attack data inclusion before forwarding the attack data packet based on the target delay information.
In an exemplary embodiment of the present disclosure, the side channel attack defense system 1100 may further include:
the first distribution acquisition module is used for acquiring a first distribution result of the real network delay information along with the corresponding data concurrency when the communication data packet of the container is transmitted according to the real network delay information;
the second distribution acquisition module is used for acquiring a second distribution result of network delay information of the communication data packet of the container along with corresponding data concurrency quantity, wherein the network delay information comprises the target delay information;
and the result processing module is used for determining to forward the attack data packet based on the target time delay information if the distribution trend difference of the second distribution result and the first distribution result accords with the time delay modification condition.
In an exemplary embodiment of the present disclosure, the description information includes at least source port information of the attack data packet, a source internet protocol IP address of the attack data packet, a protocol number of the attack data packet, a destination IP address of the attack data packet, destination port information of the attack data packet, TCP handshake delay information of a transmission control protocol, and matching result information of the intrusion detection system on the payload data.
Since the specific details of the respective functional modules (units) of the side channel attack defense system according to the exemplary embodiments of the present disclosure are already described in the above embodiments of the side channel attack defense method, they are not described in detail.
It should be noted that although several modules or units of a side channel attack defense system are mentioned in the above detailed description, this partitioning is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit in accordance with embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided into a plurality of modules or units to be embodied.
Furthermore, in exemplary embodiments of the present disclosure, a computer storage medium capable of implementing the above-described method is also provided. On which a program product is stored which enables the implementation of the method described above in the present specification. In some possible embodiments, the various aspects of the present disclosure may also be implemented in the form of a program product comprising program code for causing a terminal device to carry out the steps according to the various exemplary embodiments of the disclosure as described in the "exemplary methods" section of this specification, when the program product is run on the terminal device.
The disclosed embodiments also provide a program product for implementing the above method, which may employ a portable compact disc read-only memory (CD-ROM) and include program code, and may be run on a terminal device, such as a personal computer. However, the program product of the present disclosure is not limited thereto, and in this document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium would include the following: an electrical connection having one or more wires, a portable disk, a hard disk, random Access Memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The computer readable signal medium may include a data signal propagated in baseband or as part of a carrier wave with readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations of the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
In addition, in an exemplary embodiment of the present disclosure, an electronic device capable of implementing the above method is also provided. Those skilled in the art will appreciate that the various aspects of the present disclosure may be implemented as a system, method, or program product. Accordingly, various aspects of the disclosure may be embodied in the following forms, namely: an entirely hardware embodiment, an entirely software embodiment (including firmware, micro-code, etc.) or an embodiment combining hardware and software aspects may be referred to herein as a "circuit," module "or" system.
An electronic device 1200 according to such an embodiment of the present disclosure is described below with reference to fig. 12. The electronic device 1200 shown in fig. 12 is merely an example, and should not be construed as limiting the functionality and scope of use of the disclosed embodiments.
As shown in fig. 12, the electronic device 1200 is in the form of a general purpose computing device. Components of electronic device 1200 may include, but are not limited to: the at least one processing unit 1210, the at least one memory unit 1220, a bus 1230 connecting the different system components (including the memory unit 1220 and the processing unit 1210), and a display unit 1240.
Wherein the storage unit stores program code that is executable by the processing unit 1210 such that the processing unit 1210 performs steps according to various exemplary embodiments of the present disclosure described in the above-described "exemplary methods" section of the present specification.
The storage unit 1220 may include readable media in the form of volatile storage units, such as Random Access Memory (RAM) 1221 and/or cache memory unit 1222, and may further include Read Only Memory (ROM) 1223.
Storage unit 1220 may also include a program/utility 1224 having a set (at least one) of program modules 1225, such program modules 1225 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment.
Bus 1230 may be a local bus representing one or more of several types of bus structures including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or using any of a variety of bus architectures.
The electronic device 1200 may also communicate with one or more external devices 1300 (e.g., keyboard, pointing device, bluetooth device, etc.), one or more devices that enable a user to interact with the electronic device 1200, and/or any device (e.g., router, modem, etc.) that enables the electronic device 1200 to communicate with one or more other computing devices. Such communication may occur through an input/output (I/O) interface 1250. Also, the electronic device 1200 may communicate with one or more networks such as a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network such as the internet through the network adapter 1260. As shown, the network adapter 1260 communicates with other modules of the electronic device 1200 over bus 1230. It should be appreciated that although not shown, other hardware and/or software modules may be used in connection with electronic device 1200, including, but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or in combination with the necessary hardware. Thus, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.) or on a network, and includes several instructions to cause a computing device (may be a personal computer, a server, a terminal device, or a network device, etc.) to perform the method according to the embodiments of the present disclosure.
Furthermore, the above-described figures are only schematic illustrations of processes included in the method according to the exemplary embodiments of the present disclosure, and are not intended to be limiting. It will be readily appreciated that the processes shown in the above figures do not indicate or limit the temporal order of these processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, for example, among a plurality of modules.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This disclosure is intended to cover any adaptations, uses, or adaptations of the disclosure following the general principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.

Claims (10)

1. A side channel attack defense method, comprising:
detecting the communication data packet according to the description information of the communication data packet corresponding to the container so as to determine an attack data packet;
generating target delay information of the attack data packet according to a preset delay generation strategy according to the current data concurrency and actual delay information corresponding to the attack data packet;
and forwarding the attack data packet based on the target time delay information.
2. The method according to claim 1, wherein detecting the communication data packet according to the description information of the communication data packet corresponding to the container to determine the attack data packet includes:
acquiring the description information characteristics of the communication data packet from the description information;
inputting the description information characteristics into a pre-trained data packet identification model for prediction to obtain a prediction result;
determining the attack data packet from the communication data packet according to the prediction result;
the data packet identification model is obtained by training description information characteristic samples corresponding to different data packet types, and the description information characteristic samples are obtained according to communication data packet samples corresponding to different internet surfing behaviors of access container services.
3. The method of claim 1, wherein the generating the target delay information of the attack data packet according to the current data concurrency and the actual delay information corresponding to the attack data packet and the preset delay generation policy includes:
randomly selecting a target delay generation strategy from a delay generation strategy set to serve as the preset delay generation strategy;
calculating a delay offset according to the current data concurrency and the preset delay generation strategy;
and generating the target delay information based on the delay offset and the actual delay information.
4. The method of claim 3, wherein calculating a delay offset according to the current data concurrency and the preset delay generation policy includes:
calculating an initial delay offset according to the preset delay generation strategy based on the current data concurrency;
and normalizing the initial delay offset to obtain the delay offset.
5. The method of claim 3, wherein the actual delay information is a current network delay corresponding to the attack data packet when the attack data packet is received;
The generating the target delay information based on the delay offset and the actual delay information includes:
and fusing the delay offset to the current network delay to generate the target delay information.
6. The method according to any one of claims 1 to 5, wherein after detecting the communication data packet according to the description information of the communication data packet corresponding to the container to determine an attack data packet, an attack flag is added to the attack data packet;
before forwarding the attack data packet based on the target delay information, the method further includes:
the attack tag is cancelled in the attack data inclusion.
7. The method according to any one of claims 1 to 5, wherein prior to said forwarding the attack data packet based on the target latency information, the method further comprises:
acquiring a first distribution result of the real network delay information along with the corresponding data concurrency when the communication data packet of the container is transmitted according to the real network delay information;
acquiring a second distribution result of network delay information of a communication data packet of the container along with corresponding data concurrency, wherein the network delay information comprises the target delay information;
And if the distribution trend difference of the second distribution result and the first distribution result accords with a time delay modification condition, determining to forward the attack data packet based on the target time delay information.
8. The method according to any one of claims 1 to 5, wherein the description information includes at least source port information of the attack packet, a source internet protocol IP address of the attack packet, a protocol number of the attack packet, a destination IP address of the attack packet, destination port information of the attack packet, transmission control protocol TCP handshake delay information, and matching result information of the intrusion detection system to the payload data.
9. A side channel attack defense system, the system comprising:
the detection module is used for detecting the communication data packet according to the description information of the communication data packet corresponding to the container so as to determine an attack data packet;
the time delay processing module is used for generating target time delay information of the attack data packet according to a preset time delay generation strategy according to the current data concurrency and the actual time delay information corresponding to the attack data packet;
and the information processing module is used for forwarding the attack data packet based on the target time delay information.
10. A storage medium having stored thereon a computer program which, when executed by a processor, implements the method according to any of claims 1 to 8.
CN202210714193.1A 2022-06-22 2022-06-22 Side channel attack defense method and system, storage medium and electronic equipment Active CN115277076B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210714193.1A CN115277076B (en) 2022-06-22 2022-06-22 Side channel attack defense method and system, storage medium and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210714193.1A CN115277076B (en) 2022-06-22 2022-06-22 Side channel attack defense method and system, storage medium and electronic equipment

Publications (2)

Publication Number Publication Date
CN115277076A CN115277076A (en) 2022-11-01
CN115277076B true CN115277076B (en) 2023-11-21

Family

ID=83760397

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210714193.1A Active CN115277076B (en) 2022-06-22 2022-06-22 Side channel attack defense method and system, storage medium and electronic equipment

Country Status (1)

Country Link
CN (1) CN115277076B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103997427A (en) * 2014-03-03 2014-08-20 浙江大学 Communication network detection and anti-attack protection method and device, communication equipment and communication system
US10298598B1 (en) * 2013-12-16 2019-05-21 Amazon Technologies, Inc. Countering service enumeration through imposter-driven response
CN110177060A (en) * 2019-05-15 2019-08-27 华中科技大学 A kind of active defense method of the timing side-channel attack towards SDN network
KR20200107143A (en) * 2019-03-06 2020-09-16 한국전자통신연구원 Method and apparatus for generating deceptive signal
CN112424783A (en) * 2018-07-09 2021-02-26 Arm有限公司 Repetitive side-channel attack countermeasures

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101418962B1 (en) * 2009-12-11 2014-07-15 한국전자통신연구원 Secure device and method for preventing side chnannel attack

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10298598B1 (en) * 2013-12-16 2019-05-21 Amazon Technologies, Inc. Countering service enumeration through imposter-driven response
CN103997427A (en) * 2014-03-03 2014-08-20 浙江大学 Communication network detection and anti-attack protection method and device, communication equipment and communication system
CN112424783A (en) * 2018-07-09 2021-02-26 Arm有限公司 Repetitive side-channel attack countermeasures
KR20200107143A (en) * 2019-03-06 2020-09-16 한국전자통신연구원 Method and apparatus for generating deceptive signal
CN110177060A (en) * 2019-05-15 2019-08-27 华中科技大学 A kind of active defense method of the timing side-channel attack towards SDN network

Also Published As

Publication number Publication date
CN115277076A (en) 2022-11-01

Similar Documents

Publication Publication Date Title
US11487903B2 (en) Systems and methods for controlling data exposure using artificial-intelligence-based modeling
US9531746B2 (en) Generating accurate preemptive security device policy tuning recommendations
US10715550B2 (en) Method and device for application information risk management
US11743276B2 (en) Methods, systems, articles of manufacture and apparatus for producing generic IP reputation through cross protocol analysis
US20230224232A1 (en) System and method for extracting identifiers from traffic of an unknown protocol
CN109271782B (en) Method, medium, system and computing device for detecting attack behavior
CN105009138A (en) Session attribute propagation through secure database server tiers
CN111612167B (en) Combined training method, device, equipment and storage medium of machine learning model
CN111401416A (en) Abnormal website identification method and device and abnormal countermeasure identification method
US20220188402A1 (en) Real-Time Detection and Blocking of Counterfeit Websites
CN107948199B (en) Method and device for rapidly detecting terminal shared access
CN110311925B (en) DDoS reflection type attack detection method and device, computer equipment and readable medium
CN104067283A (en) Identifying trojanized applications for mobile environments
CN110222775A (en) Image processing method, device, electronic equipment and computer readable storage medium
KR101262446B1 (en) Apparatus and Method for Preventing Leakage of Individual Information
CN109388722A (en) It is a kind of for adding or searching the method and apparatus of social connections people
CN111865996A (en) Data detection method and device and electronic equipment
CN113765846B (en) Intelligent detection and response method and device for network abnormal behaviors and electronic equipment
US20190138930A1 (en) Systems and methods for real-time data processing analytics engine with artificial intelligence for target information protection
CN115277076B (en) Side channel attack defense method and system, storage medium and electronic equipment
US11689550B2 (en) Methods and apparatus to analyze network traffic for malicious activity
CN114143042A (en) Vulnerability simulation method and device, computer equipment and storage medium
CN115514539B (en) Network attack protection method and device, storage medium and electronic equipment
CN114765634B (en) Network protocol identification method, device, electronic equipment and readable storage medium
CN111786937B (en) Method, apparatus, electronic device and readable medium for identifying malicious request

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant