CN117241274B - Communication method of self-adaptive networking - Google Patents

Publication number
CN117241274B
Authority
CN
China
Prior art keywords
detection sensor
threat detection
network threat
network
node
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202311058108.1A
Other languages
Chinese (zh)
Other versions
CN117241274A (en)
Inventor
王毅
王海
孙涛
任启
高阳
杨晟
赵欣硕
陈琳羽
陈振全
董晓蓉
王立新
于洋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Corp of China SGCC
KME Sp zoo
Original Assignee
State Grid Corp of China SGCC
KME Sp zoo
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by State Grid Corp of China SGCC, KME Sp zoo
Priority to CN202311058108.1A
Publication of CN117241274A
Application granted
Publication of CN117241274B

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/70: Reducing energy consumption in communication networks in wireless communication networks

Abstract

The invention provides a communication method for adaptive networking, comprising: improving the method by which a network threat detection sensor collects the network behavior characteristics of its host machine, so that the collection method suits the diversity of host machines in the target network; improving the network load initialization flow of the network threat detection sensor, and using port multiplexing to transmit internal communication information between the adaptive networking loads of network threat detection sensors; improving the resource management of the network threat detection sensors by optimizing the resource management group decomposition algorithm and the route selection algorithm; and constructing an optimized network threat detection sensor task cluster. Taking minimum cost, high security and high reliability as the guiding indexes, and using an adaptive networking method based on statistical analysis of the network behavior of the sensor's host machine, the method meets the self-organization and maneuverability requirements of individual network threat detection sensor networking.

Description

Communication method of self-adaptive networking
Technical Field
The invention relates to the technical field of network security protection, in particular to a communication method of a self-adaptive networking.
Background
A network threat detection sensor is software that is deployed on a host machine and can automatically carry out related security threat detection tasks. Adaptive networking is a key link in the command, control and task cooperation of network threat detection sensors. It bears not only on whether a sensor's task can be executed successfully, but also on the concealment and safety of each individual sensor's survival.
(1) The self-adaptive networking is the basic requirement for meeting the task of the network threat detection sensor cluster
Tasks are performed in a non-cooperative network environment, either in a single individual manner or in a cooperative manner. However, the task delivery, execution, and feedback uploading must be accomplished in a coordinated fashion, requiring that each network threat detection sensor be a member of the clustered task organization. The process that the individual network threat detection sensor becomes a cluster task member is a network threat detection sensor networking process, and the process is the most basic requirement for meeting the cluster task of the network threat detection sensor.
(2) Adaptive networking cannot affect survival status
So as not to increase the risk of exposure during the adaptive networking process, and on the premise of ensuring safety, adaptive secure networking is performed on the basis of minimum cost, high security and high reliability, wherein:
Minimum cost means that the network threat detection sensor should generate as little abnormal behavior as possible during adaptive networking, so that it is not discovered by the security check mechanism of the host machine, which would affect the survival of the individual sensor and in turn increase the exposure risk of the whole network threat detection sensor cluster.
The high security means that a method with high security is needed to be adopted for networking information transmission which needs to be cooperated in the self-adaptive networking process, so that the exposure of a network threat detection sensor caused by the leakage of networking cooperated information is prevented.
The high reliability means that a reliable task cluster must be constructed through the adaptive networking, so that each network threat detection sensor individual has the capability of receiving control and completing tasks under the networking state.
(3) Adaptive networking should provide dynamic adaptation in non-cooperative network environments
Whether the host machine is powered on and whether the individual network threat detection sensor is safe both influence the networking process. Adaptive networking therefore has strong dynamic adaptability: networking strategies are adjusted flexibly according to the online or survival states of the network threat detection sensors, so that the networking requirements of cluster tasks are met.
Disclosure of Invention
In view of the above, the present invention has been made to provide a communication method of an adaptive networking that overcomes or at least partially solves the above-mentioned problems.
According to an aspect of the present invention, there is provided a communication method of an adaptive networking, the communication method comprising:
the network threat detection sensor host machine network behavior characteristic acquisition method is improved, and the host machine behavior characteristic acquisition method is suitable for host machine diversity of a target network;
improving the network threat detection sensor network load initialization flow, and adopting port multiplexing to transmit internal communication information among network threat detection sensors and self-adaptive networking loads;
improving the resource management of the network threat detection sensor, and optimizing the network threat detection sensor resource management group decomposition algorithm and the route selection algorithm; and constructing an optimized network threat detection sensor task cluster.
Optionally, the method for collecting the network behavior characteristics of the host machine by improving the network threat detection sensor specifically comprises the following steps:
according to the condition that the network threat detection sensor host machine multi-network card exists, distinguishing IP addresses for collecting network behavior characteristics, and increasing the collection of the service condition and the service frequency of the same IP lower port;
refining communication interval statistics of HTTP and SMTP protocol traffic, counting user active time periods in hours according to normal working flow rate, and extracting a plurality of active time periods;
feature statistics support for a multi-network card host is realized, statistics is carried out on a communication time period of a certain communication IP according to 24 intervals, but a statistical result is not listed in a networking policy table and is stored locally in a file form for reference during local communication.
Optionally, the improved host network behavior feature library defines: for the following The network behavior feature library is recorded as follows:
wherein: $p \ge n$; NODEID is the unique identifier of the network threat detection sensor; $ip_k$ represents the IP address of host $k$ communicating with the host; $F_k$ represents the communication frequency with host $k$; $Http_k$ is the communication timing and traffic for HTTP protocol communication with host $k$; $Smtp_k$ likewise covers SMTP protocol communication with host $k$; $Port_k$ is the port usage information and usage frequency information on the $ip_k$ address.
Optionally, the improved network threat detection sensor network load initialization process specifically includes:
taking a host machine which accords with the characteristics of a server in a target network as a selection object of a network threat detection sensor cluster head, constructing a network threat detection sensor management system, checking whether the host machine meets the characteristics of the server after the network threat detection sensor enters the target network, if yes, opening 80 and 25 ports, if yes, marking the host machine as a cluster head node, otherwise, marking the host machine as a common node; if the existence of the cluster head network threat detection sensor in the same IP network segment is found when the self networking feature table is maintained later, the cluster head nodes which are ranked in front are actively marked as cluster head nodes.
Optionally, the internal communication information between the adaptive networking loads of the port multiplexing transmission network threat detection sensor specifically includes:
in the process of constructing and maintaining the network threat detection sensor resource management system, internal communication between the cluster head node and the common node self-adaptive networking load comprises the reporting of a networking strategy table and the task allocation information, and all the information needs to be transmitted by adopting a port multiplexing technology matched with the network behavior characteristics of the host machine.
Optionally, the improved network threat detection sensor resource management and optimizing network threat detection sensor resource management group decomposition algorithm and routing algorithm specifically include:
when the network threat detection sensor resources owned by the management node reach a quantity threshold, starting a network threat detection sensor resource decomposition flow:
the management node selects the backup management node as a new management node, the new management node selects a proper node from the original management nodes as management resources, and the management node removes the new management node and network threat detection sensor resources managed by the new management node from the management resources;
the management node and the new management node supplement the backup management node according to the cluster head selection algorithm, the management node informs the affiliated node of updating the backup management node information, and all the cluster heads and the backup cluster heads are server nodes in the target network.
Optionally, in the improved network threat detection sensor management system, the cluster head node grasps the node with the most network threat detection sensor resource, and optimizes the communication route retrieval.
Optionally, node A first checks in its networking policy table whether it can communicate directly with node B; if so, it returns the routing information node A ID + node B ID and exits. Otherwise, node A asks its cluster head node A' to check whether A' can communicate with node B; if node B exists in the networking policy table of A', the routing information node A ID + node A' ID + node B ID is returned. Otherwise, node A' asks all cluster head and backup cluster head nodes that can be found in its own networking policy table, in the order in which they are ranked in that table, to check whether they can communicate with node B; if node B exists in the networking policy table of a cluster head or backup cluster head node C, the routing information node A ID + node A' ID + node C ID + node B ID is returned.
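The three-stage route lookup described above can be written as follows. This is an added example, not code from the patent; the `Node` class, the role names, the constructed topology and the `None` result when no stage finds a route are all assumptions.

```python
from typing import Dict, List, Optional

# Role labels for entries in a networking policy table (assumed names).
HEAD, BACKUP, COMMON = "cluster_head", "backup_head", "common"


class Node:
    """A node and its networking policy table, kept in ranked order."""

    def __init__(self, node_id: str, role: str = COMMON,
                 cluster_head: Optional[str] = None,
                 policy_table: Optional[List[str]] = None):
        self.node_id = node_id
        self.role = role
        self.cluster_head = cluster_head          # ID of this node's cluster head A'
        self.policy_table = policy_table or []    # peer IDs, highest rank first

    def can_reach(self, peer_id: str) -> bool:
        return peer_id in self.policy_table


def find_route(nodes: Dict[str, Node], src: str, dst: str) -> Optional[List[str]]:
    """Return the list of node IDs from src to dst, or None if no stage succeeds."""
    a = nodes[src]

    # Stage 1: node A finds node B in its own networking policy table.
    if a.can_reach(dst):
        return [src, dst]

    # Stage 2: node A asks its cluster head A' to check its table.
    head = nodes.get(a.cluster_head) if a.cluster_head else None
    if head is None:
        return None                               # assumption: no head, no route
    if head.can_reach(dst):
        return [src, head.node_id, dst]

    # Stage 3: A' asks every cluster head / backup cluster head listed in its
    # own table, in table order; common nodes in the table are skipped.
    for peer_id in head.policy_table:
        peer = nodes.get(peer_id)
        if peer is None or peer.role not in (HEAD, BACKUP):
            continue
        if peer.can_reach(dst):
            return [src, head.node_id, peer_id, dst]

    return None                                   # assumption: lookup stops here


def build_demo_nodes() -> Dict[str, Node]:
    """Constructed sample topology (not from the patent)."""
    entries = [
        Node("A", COMMON, cluster_head="H1", policy_table=["B1", "H1"]),
        Node("H1", HEAD, policy_table=["A", "B2", "P", "H2", "K2"]),
        # P is a common node that happens to know C1; stage 3 must ignore it.
        Node("P", COMMON, cluster_head="H1", policy_table=["C1"]),
        Node("H2", HEAD, policy_table=["H1", "C1", "D"]),
        Node("K2", BACKUP, cluster_head="H2", policy_table=["B3", "D"]),
    ]
    return {n.node_id: n for n in entries}


if __name__ == "__main__":
    demo = build_demo_nodes()
    for target in ("B1", "B2", "C1", "B3", "D", "Z"):
        print(target, find_route(demo, "A", target))
```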
Optionally, the process of constructing the task cluster of the network threat detection sensor comprises active task cluster construction and passive task cluster construction;
when the network threat detection sensor resource is insufficient, applying for the network threat detection sensor resource to a cluster head or other network threat detection sensor resource management groups;
in the construction process of the task cluster of the network threat detection sensor, when the network threat detection sensor resource is insufficient and the network threat detection sensor resource needs to be applied, the cluster head host machine applied for the resource owns the maximized network threat detection sensor resource.
Optionally, for active task cluster construction, network threat detection sensor A selects and notifies suitable network threat detection sensors from its own network threat detection sensor resources to construct a task cluster, and creates a task cluster table; it dynamically adjusts the network threat detection sensor resources in the task cluster according to the task completion feedback of each network threat detection sensor;
if a certain network threat detection sensor cannot execute a task or fails to execute the task, the network threat detection sensor is dynamically withdrawn from the task cluster table, and meanwhile, a proper network threat detection sensor is selected from the rest network threat detection sensors to dynamically join in the task cluster table;
if the resources of the network threat detection sensor A cannot meet the requirements of the task in the construction process of the task cluster, applying for resources from other network threat detection sensor resource management clusters; and when the A finishes the feedback according to each node in the task cluster, destroying the task cluster if the task is finished.
Optionally, if network threat detection sensor A has enough network threat detection sensor resources, it directly selects and notifies suitable network threat detection sensors to construct a task cluster, and creates a task cluster table;
otherwise, the network threat detection sensor A applies for network threat detection sensor resources to the cluster head, the cluster head returns the network threat detection sensor resources meeting the task conditions to the network threat detection sensor A, and the network threat detection sensor A informs the selected network threat detection sensor to construct a task cluster, and a task cluster table is created;
the network threat detection sensor A dynamically adjusts network threat detection sensor resources in the task cluster according to the feedback of the completion task of each network threat detection sensor;
if a certain network threat detection sensor cannot execute a task or fails to execute the task, the network threat detection sensor is dynamically withdrawn from the task cluster table, and meanwhile, an appropriate network threat detection sensor is selected from the rest network threat detection sensors to dynamically join in the task cluster table.
Optionally, the passive task cluster construction support;
the task which is dependent by the passive task cluster management is not generated by itself, but is issued by a superior node, is called central task cluster management, and also comprises the generation of task clusters, the merging of clusters and the destruction of clusters;
the passive task clusters are managed by the cluster head in generation, combination, destruction and the like.
The foregoing description is only an overview of the present invention, and is intended to be implemented in accordance with the teachings of the present invention in order that the same may be more clearly understood and to make the same and other objects, features and advantages of the present invention more readily apparent.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of an adaptive networking process and steps provided in an embodiment of the present invention;
FIG. 2 is a flowchart of an improvement in initializing networking load according to an embodiment of the present invention;
FIG. 3 is a flowchart for optimizing the resource decomposition of a network threat detection sensor provided by an embodiment of the invention;
Fig. 4 is a schematic diagram of security routing decision optimization of a network threat detection sensor according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
The terms "comprising" and "having" and any variations thereof in the description embodiments of the invention and in the claims and drawings are intended to cover a non-exclusive inclusion, such as a series of steps or elements.
The technical scheme of the invention is further described in detail below with reference to the accompanying drawings and the examples.
Example 1
As shown in fig. 1, a communication method of an adaptive networking includes:
S01: The network behavior of the host machine of each individual network threat detection sensor is statistically analyzed to obtain the host's network behavior characteristics, and a host network behavior feature library is constructed. The library mainly comprises the main communication IP addresses, communication frequency, communication time period, communication duration, communication service type, communication traffic size, etc., ordered by communication frequency.
S02: Using the host network behavior feature library, the individual network threat detection sensor checks whether the host machine of each individual sensor in its inherited networking policy table (the list of individual network threat detection sensors it can network with) is an object with which its own host machine normally communicates frequently. There are the following 2 processing modes:
S02-1: An individual sensor object that is not in the network behavior feature library of the host is not used as an object of daily hidden communication, so that no abnormal communication traffic is generated and the risk of exposing the network threat detection sensor is reduced; it is moved down in the networking policy table.
S02-2: Individual sensor objects that are in the network behavior feature library of the host are sorted in the networking policy table according to the host machine's communication frequency, communication traffic size and the like. Front-ranked individual sensor objects are selected for daily hidden communication, and lower-ranked ones are avoided as far as possible.
Fig. 2 shows the improved networking load initialization flow.
S03: After all communication objects in the networking policy table are eliminated, the sensor detects, according to the host network behavior feature library, whether individual network threat detection sensors exist among the remaining front-ranked network behavior objects of the host machine; if so, they are added to the networking policy table and ranked.
S04: The individual network threat detection sensor sends the updated contents of the networking policy table to the command center at a certain frequency.
S05: In the usual state, the individual network threat detection sensor selects front-ranked individual sensor objects to communicate with according to the networking policy table, and two to three objects can be selected at a time to ensure the reliability of communication; in the task state and under special conditions, networking and communication can be carried out with any individual network threat detection sensor object in the networking policy table according to the cooperative instruction of the command node.
S06: after the network threat detection sensor completes the networking policy table, a task cluster needs to be formed in order to better adapt to the task demand. The command center firstly plans the task, then issues a task command, and the network threat detection sensor connected to the task firstly forms a task cluster, so that the task can be finished under cooperative control. According to the early-stage research on the task architecture of the network threat detection sensor cluster, the RC-chord protocol can be used for inquiring resources and constructing the cluster, so that after a task command is issued, the network threat detection sensor forms a task cluster in a self-adaptive manner through the established protocol. As shown in fig. 3, a flow chart of network threat detection sensor resource decomposition optimization.
S05-1: first a clustered task architecture of network threat detection sensors is formed. One or more super nodes are selected for forming the network threat detection sensor cluster, the super nodes are responsible for all processing of the whole network in an initial stage, one node is selected as the super node if only two nodes are provided in the initial stage, the node and the super node respectively add own routing information, and the most basic structure of the network is formed at the moment. The node sends a networking request to the super node, the super node is responsible for registering the node and notifying the corresponding node to update the routing information, when the nodes in the cluster reach a certain number along with the joining of the node, the second cluster starts to be established, the next layer of clusters are respectively established according to the process, and at the moment, the task architecture construction of the network threat detection sensor cluster is basically completed. As shown in fig. 4, a network threat detection sensor communication security routing decision optimization schematic is shown.
S05-2: the task clusters are formed in 2 ways:
first kind: the command center designates a task cluster super node and a common node of the network threat detection sensor according to a task planning scheme, and the cluster super node invokes a cluster construction algorithm according to a cluster construction scheme to realize the creation and management of the clusters.
Second kind: the command center only issues tasks and designates the super nodes of the network threat detection sensor cluster, the designated super nodes of the network threat detection sensor self-adaptively select safer nodes of the network threat detection sensor according to the networking strategy table information provided by the tasks and the self-adaptive networking module, and a cluster construction algorithm is called to realize the creation and management of the cluster.
S05-3: The invention adopts an improved RC-Chord (Resource Clustered Chord) algorithm to realize the creation and management of the network threat detection sensor cluster. RC-Chord is an extension to the Chord protocol that combines the HP2P architecture to solve the problem of joint formation in large-scale systems. The RC-Chord algorithm has the ability to extend the hierarchy into any number of levels, each consisting of one or more clusters, each of which is a separate Chord instance. In RC-Chord, the cluster organization is similar to a tree, the cluster network is constructed from top to bottom, the highest-level cluster is called the super cluster, and the number of sub-clusters each cluster can possess is determined by the branching coefficient. Each task cluster is provided with a super node, which is responsible for managing the nodes in the cluster and communicating with the command center, and the command center manages the super nodes. Due to the dynamic nature of the network, nodes may exit the task cluster or fail, and the task cluster may also split or merge; the task cluster nodes invoke the improved RC-Chord algorithm to realize the dynamic management of the network threat detection sensor cluster. To ensure the completion of tasks, a corresponding fault-tolerant mechanism (a standby super node) is adopted for cluster management: each task cluster is provided with a super node and a standby super node. In the process of cooperatively executing tasks, if the request information sent to the super node by a common node does not receive a response within a certain time, it is judged whether the super node has failed, and if it has, the standby super node is started immediately. After the task is completed, the super node is responsible for unbinding the task cluster.
In order to better adapt to the cluster task architecture, the specific process and steps of the cluster splitting algorithm are as follows:
S05-3-1: When the number of nodes in the cluster exceeds the upper limit, the master super node of the cluster selects half of the alternative super nodes from the super nodes as super nodes of the new cluster, and selects one master super node. The election principle is that the master super node distributes the resource types as uniformly as possible according to the resource types of the cluster, so that the number of nodes and the resource types owned by the two split clusters are as balanced as possible.
S05-3-2: The new cluster is added into the network as a Chord instance, a corresponding routing table is established, and the super nodes of the related clusters update their routing tables.
S05-3-3: The original cluster selects a group of new backup super nodes from the common nodes and exchanges information with the originally reserved super nodes; the other common nodes update their own routing information.
S05-3-4: The new cluster selects a group of new backup super nodes from the common nodes and exchanges information with the super nodes that have just been established; the other common nodes update their own routing information.
S05-3-5: The new cluster reports the resources it owns to the upper-layer cluster, the super node of the upper-layer cluster updates its own routing information, and the cluster splitting is complete.
The specific process and steps of the cluster merging algorithm are as follows:
S05-3-1: When the number of nodes in cluster i is smaller than the lower limit value, the master super node of the cluster searches for a cluster j in the same layer that is closer to it, and sends a merging request to cluster j.
S05-3-2: When the super node of cluster j receives the merging request, it first detects whether the node number of its own cluster is smaller than the lower limit value. If so, it detects whether the resource types of cluster i are complementary with those of its own cluster, so that the merged cluster has as many resource types as possible. A threshold value is set for the complementarity of the resources: when the two clusters reach the threshold value, a merging response is sent; otherwise, a refusing merging response is sent.
S05-3-3: After cluster i receives the merging response of cluster j, it starts the merging program. Cluster i informs the upper-layer cluster that it needs to exit, and the upper-layer cluster updates its own routing information.
S05-3-4: Cluster i adds the whole cluster into cluster j, the master super node in cluster j selects a new super node according to the election strategy, and the other nodes update the related routing information.
S05-3-5: After cluster i receives a refusing merging response from cluster j, cluster i searches for the next cluster that can be merged and sends a merging request, until a cluster that can be merged is found and the cluster merging is completed.
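The split rule (balance node count and resource types across the two clusters) and the merge handshake (size check, then resource complementarity against a threshold, then try the next cluster on refusal) can be sketched as below. This is an added example, not the patent's implementation; the limit values, the resource type names and the complementarity measure are assumptions, since the text does not define them.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

Member = Tuple[str, str]        # (node ID, resource type)

UPPER_LIMIT = 6                 # assumed: split when a cluster has more nodes
LOWER_LIMIT = 3                 # assumed: ask to merge when it has fewer nodes
COMPLEMENT_THRESHOLD = 0.5      # assumed threshold for resource complementarity


def needs_split(members: List[Member]) -> bool:
    return len(members) > UPPER_LIMIT


def split_cluster(members: List[Member]) -> Tuple[List[Member], List[Member]]:
    """Deal nodes alternately, one resource type at a time, into two clusters.

    Because the alternation never resets, both the total node count and the
    count of every resource type differ by at most one between the halves.
    """
    by_type: Dict[str, List[Member]] = defaultdict(list)
    for member in members:
        by_type[member[1]].append(member)
    halves: Tuple[List[Member], List[Member]] = ([], [])
    turn = 0
    for rtype in sorted(by_type):
        for member in by_type[rtype]:
            halves[turn].append(member)
            turn ^= 1
    return halves


def resource_types(members: List[Member]) -> Set[str]:
    return {rtype for _, rtype in members}


def complementarity(a: List[Member], b: List[Member]) -> float:
    """Assumed measure: share of the merged type set held by only one side."""
    ta, tb = resource_types(a), resource_types(b)
    union = ta | tb
    return len(ta ^ tb) / len(union) if union else 0.0


def merge_response(requester: List[Member], receiver: List[Member]) -> bool:
    """Cluster j's answer to cluster i's merging request (step S05-3-2)."""
    if len(receiver) >= LOWER_LIMIT:
        return False            # j is not below the lower limit: refuse
    return complementarity(requester, receiver) >= COMPLEMENT_THRESHOLD


def find_merge_partner(cluster_i: List[Member],
                       same_layer: List[Tuple[str, List[Member]]]) -> Optional[str]:
    """Ask same-layer clusters in order (nearest first) until one accepts."""
    if len(cluster_i) >= LOWER_LIMIT:
        return None             # cluster i does not need to merge
    for name, cluster_j in same_layer:
        if merge_response(cluster_i, cluster_j):
            return name
    return None


# Constructed sample data (not from the patent).
BIG = [("n1", "cpu"), ("n2", "cpu"), ("n3", "cpu"), ("n4", "disk"),
       ("n5", "disk"), ("n6", "net"), ("n7", "net")]
SMALL = [("i1", "cpu"), ("i2", "cpu")]
SAME_LAYER = [
    ("j1", [("a", "cpu"), ("b", "disk"), ("c", "net"), ("d", "net")]),  # too big
    ("j2", [("e", "cpu"), ("f", "cpu")]),                               # same types
    ("j3", [("g", "disk"), ("h", "cpu")]),                              # complementary
]

if __name__ == "__main__":
    print(needs_split(BIG), split_cluster(BIG))
    print(find_merge_partner(SMALL, SAME_LAYER))
```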
Example 2
An adaptive networking model based on network behavior characteristics is provided. The method specifically comprises the following steps:
(1) Model definition
Definition 1: Command center: $Command = \{ip_{command}\}$.
Definition 2: Super node set: $SuperCraft = \{ip_i \mid 1 \le i \le m,\ m \in N\}$, where $ip_i$ represents an individual super node (cluster head).
Definition 3: Set of network threat detection sensors: $Craft = \{ip_j \mid 1 \le j \le n,\ n \in N\}$, where $n \ge m$ and $ip_j$ represents an individual network threat detection sensor.
Definition 4: Host set: $Computer = \{ip_j \mid 1 \le j \le n,\ n \in N\}$.
Definition 5: Host network behavior feature library: for the following The network behavior feature library is recorded as Wherein $p \ge n$; $ip_k$ represents the IP address of host k communicating with the host; $F_k$ represents the communication frequency with host k; $Http_k$ represents the communication timing and traffic of HTTP protocol communication with host k; $Smtp_k$ represents the communication timing and traffic of SMTP protocol communication with host k.
Definition 6: Networking policy table set of network threat detection sensors: for a network threat detection sensor $craft_j \in Craft$, its networking policy table set is $Policy_j = \{\langle ip_{jk}, F_{jk}, Http_{jk}, Smtp_{jk}, state_{jk}, payload_{jk} \rangle \mid 1 \le k \le q,\ q \in N\}$, where $state_{jk}$ represents the online status of the k-th network threat detection sensor in the table and $payload_{jk}$ represents the load carried by the k-th network threat detection sensor in the table.
Definition 7: The tasks that the command control center sends to super nodes such as cluster heads are recorded as $Misson = \{m_l \mid 1 \le l \le q,\ q \in N\}$.
Definition 8: Cluster set of super nodes: for a network threat detection sensor $craft_j \in SuperCraft$, its task cluster set is denoted as And is also provided with
(2) Model rules
Rule 1: If network threat detection sensors $craft_{j1}, craft_{j2} \in Craft$ and $craft_{j1}$ is generated by copying $craft_{j2}$, then $craft_{j2}$ is called the parent network threat detection sensor of $craft_{j1}$, and $craft_{j1}$ is called the child network threat detection sensor of $craft_{j2}$, denoted $craft_{j1} < craft_{j2}$.
Rule 2: If network threat detection sensors $craft_{j1}, craft_{j2} \in Craft$ and $craft_{j1} < craft_{j2}$, then the networking policy table $Policy_{j1}$ that $craft_{j1}$ carries when it is generated is a subset of the networking policy table of $craft_{j2}$. It contains only the information of super nodes such as the command control center and cluster heads, plus the information of the first three common nodes.
Rule 3: If network threat detection sensor $craft_{j1}$ is generated by replication from the command control center or is sent by the command control center, then $craft_{j1}$ defaults to a cluster head, i.e. $craft_{j1} \in SuperCraft$.
Rule 4: If network threat detection sensor $craft_{j1}$ is injected into a non-cooperative network in a cross-network mode, it defaults to a cluster head, i.e. $craft_{j1} \in SuperCraft$.
Rule 5: If network threat detection sensor $craft_{j1}$ appears in the networking policy table $Policy_{j2}$ of $craft_{j2} \in SuperCraft$, then $craft_{j1}$ is considered to be under the jurisdiction of super node $craft_{j2}$, i.e. $craft_{j2}$ is supported in using $craft_{j1}$ on a task basis, denoted $craft_{j2} \longrightarrow craft_{j1}$.
Rule 6: For $craft_{j2} \in Craft$, if $craft_{j2} \longrightarrow craft_{j1}$ and $craft_{j2}$ actually uses $craft_{j1}$ to construct a task cluster, this is denoted as
(3) Model description
Adaptive networking can be divided into two processes: individual self-adaptive construction of networking policy tables and task-based self-adaptive networking.
Process 2: Dynamic networking based on tasks to form task clusters
There are two task-based dynamic networking modes. In the first, the command control center directly issues a command that tells the super node (cluster head) all of the common nodes with which to construct the task cluster. In the second, the super node (cluster head) itself selects common nodes to construct a task cluster according to the task.
Process 3: Separation and recombination of task clusters
When a task cluster is too large, a new cluster needs to be separated out and expanded, which makes it easier to decompose the task and manage the common nodes. When a task cluster is too small, it is merged with other task clusters, which makes it easier to pool task capacity.
(1) Separation and extension of task clusters
(2) Recombination and merging of task clusters
Beneficial effects: following the principles of minimum cost, high security and high reliability, the method meets the self-organization and mobility requirements of networking individual network threat detection sensors.
The foregoing detailed description of the invention has been presented for purposes of illustration and description, and it should be understood that the invention is not limited to the particular embodiments disclosed, but is intended to cover all modifications, equivalents, alternatives, and improvements within the spirit and principles of the invention.

Claims (1)

1. A communication method of an adaptive networking, the communication method comprising:
improving the collection of network behavior characteristics of the network threat detection sensor host so as to adapt to the diversity of hosts in the target network, specifically comprising:
where the network threat detection sensor host has multiple network cards, distinguishing the IP addresses for which network behavior characteristics are collected, and additionally collecting the usage and usage frequency of ports under the same IP;
refining the communication interval statistics of HTTP and SMTP protocol traffic, counting the user's active time periods by the hour according to normal working traffic, and extracting a plurality of active time periods;
implementing feature statistics support for multi-network-card hosts: the communication time periods of a given communication IP are counted over 24 intervals, but the statistical result is not listed in the networking policy table and is instead stored locally as a file for reference during local communication;
defining the improved network behavior feature library of the host: for the following The network behavior feature library is recorded as follows:
wherein: $p \ge n$; NODEID is the unique identifier of the network threat detection sensor; $ip_k$ represents the IP address of host k communicating with the host; $F_k$ represents the communication frequency with host k; $Http_k$ is the communication timing and traffic for HTTP protocol communication with host k; $Smtp_k$ is that for SMTP protocol communication with host k; $Port_k$ is the port usage information and usage frequency information on address $ip_k$;
in the improved network threat detection sensor management system, the cluster head node holds the most network threat detection sensor resources, and communication route retrieval is optimized;
node A first checks whether its networking policy table contains direct communication with node B; if so, it returns the routing information node A ID + node B ID and exits; otherwise, node A asks its cluster head node A' to check whether A' can communicate with node B, and if node B is in the networking policy table of A', the routing information node A ID + node A' ID + node B ID is returned; otherwise, node A' asks the cluster head and backup cluster head nodes in its own networking policy table, in the order in which they appear in that table, to check whether they can find node B, and if a cluster head or backup cluster head node C has node B, the routing information node A ID + node A' ID + node C ID + node B ID is returned;
improving the network load initialization process of the network threat detection sensor, specifically comprising:
taking hosts in the target network that match the characteristics of a server as the candidates for network threat detection sensor cluster heads, and constructing the network threat detection sensor management system: after a network threat detection sensor enters the target network, it checks whether its host meets the characteristics of a server, namely whether ports 80 and 25 are open; if so, the host is marked as a cluster head node, otherwise it is marked as a common node; if a common-node network threat detection sensor finds no cluster head node during its lifetime, then when it later maintains its own networking feature table, if cluster head network threat detection sensors exist in the same IP network segment, it actively recognizes the highest-ranked one as its cluster head node;
using port multiplexing to transmit the internal communication information of the self-adaptive networking among network threat detection sensors, specifically comprising:
in the process of constructing and maintaining the network threat detection sensor resource management system, the internal communication between the self-adaptive networking loads of cluster head nodes and common nodes includes reporting networking policy tables and task allocation information, and this internal communication is transmitted using a port multiplexing technique matched to the network behavior characteristics of the host;
improving network threat detection sensor resource management by optimizing the resource management group decomposition algorithm and the route selection algorithm, specifically comprising:
when the network threat detection sensor resources owned by a management node reach a quantity threshold, starting the network threat detection sensor resource decomposition flow:
the management node selects its backup management node as a new management node, the new management node selects suitable nodes from those of the original management node as its managed resources, and the management node removes the new management node and the network threat detection sensor resources it manages from its own managed resources;
the management node and the new management node each supplement their backup management nodes according to the cluster head selection algorithm, the management node notifies its subordinate nodes to update their backup management node information, and all cluster heads and backup cluster heads are server nodes in the target network;
constructing an optimized network threat detection sensor task cluster, including active task cluster construction and passive task cluster construction;
when network threat detection sensor resources are insufficient, applying for them from a cluster head or from other network threat detection sensor resource management groups;
in the construction of a network threat detection sensor task cluster, the cluster head host to which the application for resources is made holds the maximum network threat detection sensor resources, and when network threat detection sensor resources are insufficient, they must be applied for;
active task cluster construction supports the following: network threat detection sensor A selects and notifies suitable network threat detection sensors from its network threat detection sensor resources to construct a task cluster, and creates a task cluster table; it dynamically adjusts the network threat detection sensor resources in the task cluster according to each network threat detection sensor's feedback on task completion;
if a network threat detection sensor cannot execute a task or fails to execute it, that sensor is dynamically removed from the task cluster table, and a suitable network threat detection sensor is selected from the remaining ones and dynamically added to the task cluster table;
if, during construction of the task cluster, the resources of network threat detection sensor A cannot meet the requirements of the task, it applies for resources from other network threat detection sensor resource management clusters; once network threat detection sensor A has received the feedback of every node in the task cluster, if the task is finished, the task cluster is destroyed;
if network threat detection sensor A has enough network threat detection sensor resources, it directly selects and notifies suitable network threat detection sensors to construct a task cluster, and creates a task cluster table;
otherwise, network threat detection sensor A applies to the cluster head for network threat detection sensor resources, the cluster head returns the network threat detection sensor resources that meet the task conditions to network threat detection sensor A, and network threat detection sensor A notifies the selected network threat detection sensors to construct a task cluster and creates a task cluster table;
network threat detection sensor A dynamically adjusts the network threat detection sensor resources in the task cluster according to each network threat detection sensor's feedback on task completion;
if a network threat detection sensor cannot execute a task or fails to execute it, that sensor is dynamically removed from the task cluster table, and a suitable network threat detection sensor is selected from the remaining ones and dynamically added to the task cluster table;
passive task cluster construction supports the following:
the tasks on which passive task cluster management depends are not generated by the node itself but are issued by a superior node; this is called central task cluster management, and it likewise comprises the generation, merging and destruction of task clusters;
the generation, merging, destruction and so on of passive task clusters are managed by the cluster head.
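The route retrieval step of the claim (direct entry in node A's table, then the cluster head A', then the cluster heads and backup cluster heads listed in the table of A' in table order), as an added Python example that is not part of the patent text. The `role` column, the rule that offline entries are skipped and the sample topology are assumptions made for the illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Entry:
    """One row of a networking policy table, reduced to what routing needs."""
    node_id: str
    role: str = "common"   # "common", "head" or "backup" (assumed role column)
    online: bool = True    # the state field of Definition 6


@dataclass
class Node:
    node_id: str
    head: str = ""                              # ID of this node's cluster head A'
    policy: list = field(default_factory=list)  # ordered list of Entry rows

    def reaches(self, target):
        # Assumption: an entry marked offline does not count as a usable route.
        return any(e.node_id == target and e.online for e in self.policy)


def find_route(nodes, src, dst):
    """Return the routing information as a list of node IDs, or None."""
    a = nodes[src]
    if a.reaches(dst):                          # step 1: direct entry in A's table
        return [src, dst]
    head = nodes.get(a.head)
    if head is None:                            # no cluster head to escalate to
        return None
    if head.reaches(dst):                       # step 2: B is in the table of A'
        return [src, head.node_id, dst]
    for row in head.policy:                     # step 3: follow the table order of A'
        if row.role not in ("head", "backup") or not row.online:
            continue
        c = nodes.get(row.node_id)
        if c is not None and c.reaches(dst):
            return [src, head.node_id, c.node_id, dst]
    return None


def sample_network():
    """Constructed topology for illustration."""
    return {
        "A": Node("A", head="H1", policy=[Entry("H1", "head"), Entry("X")]),
        "H1": Node("H1", policy=[Entry("A"), Entry("X"), Entry("Y"),
                                 Entry("H2", "head", online=False),
                                 Entry("H3", "backup")]),
        "H2": Node("H2", policy=[Entry("B")]),
        "H3": Node("H3", policy=[Entry("B")]),
    }
```

With the constructed tables, a lookup from A to B skips the offline cluster head H2 and resolves through the backup cluster head H3, giving the four-hop form A + H1 + H3 + B.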
CN202311058108.1A 2023-08-22 2023-08-22 Communication method of self-adaptive networking Active CN117241274B (en)

Publications (2)

Publication Number Publication Date
CN117241274A (en) 2023-12-15
CN117241274B (en) 2024-03-19
