CN117375961A

CN117375961A - Network intrusion active defense method and system based on mobile attack surface

Info

Publication number: CN117375961A
Application number: CN202311417772.0A
Authority: CN
Inventors: 张五一; 田学成; 赵谦; 李圣泉; 刘雪梅; 田叶; 陈燕峰; 江楠
Original assignee: Nanjing Nanzi Transformer Substation Automatization Co ltd
Current assignee: Nanjing Nanzi Transformer Substation Automatization Co ltd
Priority date: 2023-10-27
Filing date: 2023-10-27
Publication date: 2024-01-09

Abstract

The invention provides a network intrusion active defense method and system based on a mobile attack surface, wherein the method comprises the following steps: the method comprises the steps of leading a mobile attack surface of an industrial control system; dynamically disguising and confusing network assets of the industrial control system through virtual and real nodes; performing terminal address periodic jump and dynamic configuration on virtual and real nodes; and determining an optimal defense strategy of dynamic camouflage of the virtual and real nodes by utilizing the multi-stage signal game. The invention applies the attack surface moving target defense to the service agent, realizes real business service and port forwarding through the front-end agent, and simultaneously applies the moving attack surface defense technology to the system network to realize the active defense of the system network intrusion of the new energy wind power industrial control. Meanwhile, the intrusion perception defensive capability is added on the mobile attack surface, and the method has important significance for researching the network security attack and defense technology of the new energy industrial control system.

Description

Network intrusion active defense method and system based on mobile attack surface

Technical Field

The invention belongs to the technical field of network security defense, and particularly relates to a network intrusion active defense method and system based on a mobile attack surface.

Background

With the rapid development of internet technology, we are facing increasingly serious network security problems. Although the internet brings great convenience to us, it also brings various cyber security threats including worms, trojans, and advanced persistent threats with very strong latency. Various industries involving network technology experience almost all degrees of security events, which result in data leakage and economic loss experienced by government departments, industrial systems, power, and other industries. New energy wind power is deployed as an important energy strategy for the development of national renewable energy, and the network safety research of an industrial control system of the new energy wind power has important significance. As the dependency of the power industry on the network is deepened, network attacks pose a great threat to the safe operation of the system.

The existing network security defense means are unfavorable for timely finding and rapidly processing unknown security threats due to hysteresis and passivity. In the process of attacking the new energy wind power industrial control system, an attacker can only launch effective attacks on a certain weak point of the system to successfully destroy the system, because the traditional network attack surface is usually bound with the service surface, an defender cannot respond to the attack in time, the attacker can directly access related services to cause information leakage and other problems after the attack is successful, and the attacker can further expand the damage by utilizing the vulnerability of the attacker, even the topology structure of the whole network and even other hosts in the control network can be obtained. The inadequacies of the existing static protection mechanisms allow an attacker to start from any weak point in the system, further increasing the potential hazard. Once the network infrastructure is compromised, the data may be subject to security threats such as loss, tampering, forgery, etc. Thus, to effectively address this challenge, we need to further optimize network security measures.

Disclosure of Invention

In order to solve the technical problems, the invention provides a network intrusion active defense method and system based on a mobile attack surface. The key idea of the scheme is that aiming at the scanning and investigation behaviors of an attacker, the service is isolated from the potential attack surface through the front network attack surface, and when the attack traffic is captured by the front attack surface, the system can rapidly respond to the attack behaviors to prevent the attacker from stealing the attack target information or accessing the service server. The strategy can effectively utilize the load and buffering characteristics of the mobile attack surface, and apply the defending technology of the mobile attack surface to a system network, so that the active defending of the new energy wind power industrial control system is realized.

The technical scheme provided by the invention is as follows:

a network intrusion active defense method based on a mobile attack surface comprises the following steps:

the method comprises the steps of leading a mobile attack surface of an industrial control system;

dynamically disguising and confusing network assets of the industrial control system through virtual and real nodes;

performing terminal address periodic jump and dynamic configuration on virtual and real nodes;

and determining an optimal defense strategy of dynamic camouflage of the virtual and real nodes by utilizing the multi-stage signal game.

Further, the pre-positioning the mobile attack surface of the industrial control system includes: separating a service server and a mobile attack surface of an industrial control system, and introducing a reverse proxy to serve as a middle layer between mobile application and the service server before the service server is erected; the reverse proxy is used for intercepting and filtering requests initiated by the mobile application and providing a security function; the mobile attack surface is deployed in a cloud environment by using virtualization and cloud technology, so that the mobile attack surface can be accessed and managed through cloud services.

Further, the dynamically masquerading the network asset of the confusion industrial control system through the virtual-real node comprises: creating a security application program on the SDN controller, and realizing a disguising mechanism of virtual and real nodes by using an application program interface of the SDN controller; the masquerading mechanism includes a response time adjustment mechanism, a dynamic redirection mechanism, and an IP address randomization mechanism.

Further, the response time adjustment mechanism is to improve the response priority of the false node to the attacker request by adjusting the response time of all the service nodes, so as to confuse the judgment of the attacker to the false node, and specifically includes:

s101, defining an adjustment rule for deciding how to adjust the response time of the node according to the time t; defining a reference response time baselnesponse, representing the normal response time of the node; defining an amplitude representing a range of amplitudes of the response time variations; defining a period, which represents the length of the adjustment period;

s102, in each period, calculating an adjustment factor adjustment_factor according to the time t and the period; for each node, a new response time is calculated as: new_response=base_response+adjustment_factor;

s103, introducing a feedback mechanism, and adjusting an adjustment rule according to the change of the actual response time.

Further, the dynamic redirection mechanism refers to redirecting requests for real service nodes to other real nodes, so as to increase response time of the real nodes without interrupting normal traffic:

assuming that three real service nodes are used to process the request, denoted a, b, c, respectively, then:

s201, an attacker sends a large number of requests to a node c, and the response time of the node c is increased;

s202, when the load balancer sends these requests to node c, the defender actually redirects the requests to node a and/or b, instead of sending them to node c;

s203, the response time of the node c is greatly increased, and an attacker mistakens the real node as a virtual node by matching with a response time adjustment mechanism;

and S204, the defender gradually restores the node c to a normal state, so that the node c is added into the active node list of the load balancer again, and the service is provided for the real user.

Further, the IP address randomization mechanism refers to storing available IP addresses of all servers in an IP address pool, and when most of the virtual-real nodes fail to an attacker or the attacker can already distinguish between the virtual-real nodes, randomly changing the IP addresses of a group of servers, and updating the configuration of all service nodes under the server.

Further, in the periodic jump and dynamic configuration of the end address of the virtual-real node, a mixed trigger mechanism based on a time driving mechanism and a threat event driving mechanism is adopted to change the IP address and the port number of the end node;

the threat event-based driving mechanism relies on a threat analysis engine, and when the threat analysis engine detects a threat event and generates a safety alarm, a jump instruction is immediately transmitted to a jump configuration manager to trigger corresponding terminal address jump operation;

and the time-based driving mechanism actively transmits a jump instruction to the jump configuration manager according to a preset time period, and updates the terminal address configuration information of all terminal nodes at present.

Further, performing the end address periodic hopping on the virtual-real node further includes: jump space self-adjusting strategy: when the terminal address jump is carried out, the terminal address space which is used under the current network segment is avoided, and new terminal address configuration information is randomly distributed for the node by eliminating the unavailable terminal address and the configuration of the attack target terminal address in the threat event; jump period self-adjusting strategy: according to the security alarm detected by the threat analysis engine, the duration of the address information in the periodic address jump is adaptively adjusted; half address hopping strategy: and selecting different terminal address hopping strategies according to the communication mode of the terminal node to be configured.

Further, assuming that the end node a needs to communicate with the end node B, the process of dynamically configuring the virtual-real node end address includes:

s301, an end node A requests end address information of an end node B from an SDN controller, and receives an IP address vIP and a port number vPort4 returned by the SDN controller after the end node A verifies the identity of the end node A;

s302, an end node A sends a data packet to an end node B, wherein the data packet comprises an IP address rIP before the jump of the end node A, a port number rPort1, and an end address vIP and a vPort4 of the end node B;

s303, when a data packet sent by an end node A passes through a switch, the data packet is sent to an SDN controller, and the SDN controller hops an end address rIP1 and an rPort1 of the end node A into vIP and a vPort1 according to a hopping rule, and generates a flow table entry to send to the switch;

s304, after the exchanger receives the flow table item and modifies the target address of the data packet into the real address rIP and rPort4 of the end node B, the data packet sent by the end node A successfully arrives at the end node B;

s305, the end node a receives a response packet sent by the end node B, where the response packet hops, through a flow entry generated by the SDN controller on a transmission path, a real end address rIP and a rPort4 of the end node B originally contained therein to vIP and vPort4, and hops an end address vIP1 and a vPort1 of the end node a originally contained therein to a real end address rIP1 and a rPort1 of the end node a.

Further, assuming that the host a needs to communicate with the host B, the process of dynamically configuring the virtual-real node address includes:

s401, a host A sends an ARP request to a first SDN switch to request the MAC address of a host B, the first SDN switch sends a Packet-In message to an SDN controller, the SDN controller receives the Packet-Out message sent to a second SDN switch, and the second SDN switch requests the real MAC address rMAC to the host B;

s402, the host B responds to the ARP request and sends a real MAC address rMAC to a second SDN switch, the second SDN switch sends a Packet-In message to an SDN controller, the SDN controller sends a Packet-Out message to a first SDN switch and simultaneously sends a flow table modification rule back to the second SDN switch, and the first SDN switch uses a virtual MAC address vMAC spoofed response of the host B;

s403, the host A sends data to the virtual MAC address vAMC of the host B, the first SDN controller forwards the data to the virtual MAC address vMAC of the host B, and the second SDN switch converts the vMAC into rMAC according to the flow table modification rule and forwards the data to the rMAC.

Further, in the optimal defense strategy for determining the dynamic camouflage of the virtual and real nodes by utilizing the multi-stage signal game, both the attack and the defense are analyzed through the dynamic game, and the optimal defense strategy is determined by calculating perfect Bayesian Nash balance in the game.

A network intrusion active defense system based on a mobile attack surface comprises a defense deployment module, a threat perception module and a service agent module; the defense deployment module is used for deploying the network intrusion active defense method, and dynamically disguising the network assets of the confusion industrial control system through virtual and real nodes; the threat perception module is used for identifying known attacks aiming at the end nodes and accurately judging the types of the known attacks, and simultaneously carrying out periodic jump and dynamic configuration on the virtual and real nodes according to threat analysis results; the service agent module is used for realizing real business service and port forwarding.

Further, the threat awareness module manages each end node by the SDN controller, performs operations including filtering, converting, normalizing and dimension reduction on data of each end node, and builds a multi-category attack recognition model based on ensemble learning.

Further, three independent classifiers are trained by adopting C4.5, random Forest and Forest PA algorithms to serve as a base learner, and the voing algorithm is used for integrating the base learner to form a multi-class attack recognition model.

Further, the defense deployment module is applied to a data plane, a control plane and an application plane, and a dynamic decision module, a virtual-real disguising module and a security check agent module are deployed on each plane.

Further, the dynamic decision module is deployed on the SDN controller as a security application, and is configured to dynamically update game parameters according to system requirements in combination with continuously updated security monitoring logs and service node states, determine an optimal defense strategy for dynamic disguising of virtual and real nodes by using the multi-stage signal game in the method, and make corresponding optimal defense decisions for each service node at each time step of the game.

Further, the virtual and real disguising module is realized based on an application program interface of the SDN controller, creates a corresponding independent security application program to be embedded into the SDN controller, and executes a corresponding security function after receiving a control command and configuration parameters of the dynamic decision module.

Further, the security check agent module is embedded in the cloud server and the switch and is used for recording the real-time system performance of the real service node and monitoring the security events of the false nodes.

Compared with the prior art, the invention has the beneficial effects that:

1) The invention provides a network intrusion active defense method and system based on a mobile attack surface, which are based on a new energy wind power industrial control system, increase the difficulty of attacking the new energy wind power industrial control system and enlarge the attack surface of the new energy wind power industrial control system.

2) The invention provides a monitoring technology of a mobile attack surface in a new energy wind power industrial control system scene, which utilizes an SDN framework to monitor the mobile attack surface, and utilizes an end node deployment threat sensing module to sense the known threat to the end node and accurately identify the type of the threat, utilizes an SDN controller to receive attacker information and an end address jump request transmitted by each end node, and transmits the information received from the end node to a new energy wind power industrial control system, thereby realizing the monitoring of the mobile attack surface in the new energy wind power industrial control system scene and effectively improving the active defense capability of the new energy wind power industrial control system.

3) The invention applies the attack surface moving target defense to the service agent, realizes real business service and port forwarding through the front-end agent, and simultaneously applies the moving attack surface defense technology to the system network to realize the active defense of the system network intrusion of the new energy wind power industrial control. Meanwhile, the intrusion perception defensive capability is added on the mobile attack surface, and the method has important significance for researching the network security attack and defense technology of the new energy industrial control system.

Drawings

The accompanying drawings are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate the invention and together with the embodiments of the invention, serve to explain the invention.

Fig. 1 is a flow chart of an active defense method for network intrusion according to an embodiment of the present invention;

FIG. 2 is a schematic diagram illustrating an address hopping procedure according to an embodiment of the present invention;

FIG. 3 is a schematic diagram of dynamic MAC address translation according to an embodiment of the present invention;

fig. 4 is a schematic diagram of a network intrusion active defense system according to an embodiment of the present invention.

Detailed Description

For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.

Example 1

As shown in fig. 1, this embodiment provides a network intrusion active defense method based on a mobile attack surface, including:

(1) Front-mounted mobile attack surface of new energy wind power industrial control system

Separating a service server and a mobile attack surface of the new energy wind power industrial control system, and introducing a reverse proxy to serve as a middle layer between mobile application and the service server before the service server is erected. The reverse proxy may intercept and filter requests initiated by the mobile application and provide additional security functions. And meanwhile, the mobile attack surface is deployed in a cloud environment by using virtualization and cloud technology, so that the mobile attack surface can be accessed and managed through cloud services, and flexible migration and scalability of the attack surface can be realized.

(2) Dynamic disguising of confusing network assets through virtual-to-real nodes

And (3) implementing active defense transformation on all the managed service end nodes based on the SDN controller, creating independent security application programs on the SDN controller, and realizing a disguising mechanism of virtual and real nodes by using an application program interface of the SDN controller. The virtual-real camouflage mechanism mainly comprises three types of active defense mechanisms: response time adjustment mechanism, dynamic redirection mechanism, and IP address randomization mechanism.

1) The response time adjustment mechanism is used for improving the response priority of the false node to the attacker request by dynamically and frequently adjusting the response time of all the service nodes and confusing the judgment of the attacker to the false node and the real node. The method specifically comprises the following steps:

s102, in each period, calculating an adjustment factor adjustment_factor, which can be calculated according to time t and period by using a sine function or a cosine function; for each node, a new response time may be calculated as: new_response=base_response+adjustment_factor.

S103, introducing a feedback mechanism, and adjusting an adjustment rule according to the change of the actual response time. This will help ensure that the system is able to accommodate different loads and requirements.

2) The dynamic redirection mechanism refers to redirecting requests for real service nodes to other real nodes, thereby increasing response time of the real nodes without interrupting normal traffic. In this way, the real node can be disguised as a false node, so that an attacker can generate misjudgment, and the attack on the real target is abandoned.

s201, an attacker sends a large number of requests to a node c, and the response time of the node c is obviously increased;

s203, the response time of the node c is greatly increased due to a dynamic redirection mechanism, and an attacker mistakes a real node as a virtual node by matching with a response time adjustment mechanism;

and S204, the defender can gradually restore the node c to a normal state, so that the node c can be added into the active node list of the load balancer again, and the service can be provided for the real user.

3) The IP address randomization mechanism stores the available IP addresses of all servers in one IP address pool, and reconstructs the game process by randomly changing the IP addresses of a group of servers and updating the overall service node configuration. The mechanism is generally used for most failures of the virtual and real nodes to the attacker or when the attacker can distinguish the virtual and real nodes, so that the complexity and difficulty of network attack can be increased, and the attacker can not accurately judge the virtual and real nodes any more.

Through the three active defense measures, the SDN controller can effectively protect the safety of all service nodes and enhance the monitoring and defending capability of a mobile attack surface.

(3) Performing end address periodic jump and dynamic configuration on virtual-real nodes

And carrying out network attack face dynamic transformation on the IP address and the port number of the end node managed by the SDN controller, and changing the IP address and the port number by adopting a hybrid trigger mechanism based on time driving and threat event driving. Wherein:

based on threat event-driven trigger mechanism, threat perception and attack recognition capability of threat analysis engine are relied on, when threat analysis engine detects threat event and generates security alarm, jump instruction is immediately transferred to jump configuration manager to trigger corresponding end address jump operation.

The trigger mechanism based on time driving can actively transmit a jump instruction to the jump configuration manager according to a preset time period, even if a threat analysis engine does not generate a safety alarm, the terminal address jump can be ensured to be carried out regularly, the terminal address configuration information of all terminal nodes at present is updated, and the defending effect is improved.

Through a jump trigger mechanism combining active and passive, the system can flexibly adjust an end address jump strategy according to threat conditions, and the safety and usability of the network are ensured.

Assume a set of global address configuration informationWherein phi represents the total IP address set under the network segment,/->Representing the total port set, the above sets are all finite sets, and the dynamic randomized end address space self-tuning algorithm based on the available hop space is shown in the following table.

TABLE 1 dynamic randomized end address space self-tuning algorithm based on available hop space

As can be seen from table 1, performing the address periodic hopping on the virtual-real node further includes:

jump space self-adjusting strategy: when the address jump is carried out, the used address space under the current network segment is avoided, and new address configuration information is rapidly and efficiently allocated to the node by eliminating the unavailable address and the configuration of the attack target address in the threat event.

Jump period self-adjusting strategy: according to the security alarm detected by the threat analysis engine, the duration of the address information in the periodic address hopping is adaptively adjusted to improve the network communication service quality and avoid unnecessary defending overhead.

Half address hopping strategy: and selecting different end address hopping strategies according to the communication mode of the end node to be configured so as to flexibly apply the half-end address hopping strategy and improve the defending effect.

As shown in fig. 2, the process of dynamically configuring the virtual-real node address includes:

s301, when the end node 1 establishes communication with the end node 4, the end node 1 requests end address information of the end node 4 to the SDN controller, and after the controller verifies the identity of the end node 1, the controller returns an IP address vIP and a port number vPort4 after the end node 4 hops;

s302, after receiving the end address information, the end node 1 sends a data packet to the end node 4, wherein the data packet comprises an IP address rIP1 and a port number rPort1 before the end node 1 jumps, and a destination end address vIP4 and a vPort4;

s303, the data packet is firstly sent to an SDN controller when passing through an OpenFlow switch without a flow table entry, the controller transforms rIP1 and rPort1 into vIP and vPort1 according to a jump rule, and generates the flow table entry and sends the flow table entry to the OpenFlow switch;

s304, after receiving the flow table entry, the OpenFlow switch modifies the destination address of the data packet into a real address rIP and rPort4 of the end node 4 and sends the data packet to the end node 4;

s305, after receiving the data packet, the end node 4 sends a response data packet to the end node 1, where the response data packet includes the real address rIP and rPort4 of the end node 4, and the destination address vIP1 and vPort1, and similarly, the OpenFlow switch on the path modifies the address information one by one.

As shown in fig. 3, the dynamic configuration of the virtual-real node end address further includes dynamic conversion of the MAC address, where the host a in the new energy wind power industrial control system wants to communicate with the host B under the same system, and the middle needs to pass through an SDN switch and an SDN controller, and specifically includes the following steps:

s401, a host A sends an ARP request to an SDN switch 1 to request the MAC address of a host B, the SDN switch 1 sends a Packet-In message to an SDN controller, the SDN controller receives the Packet-Out message sent to an SDN switch 2, and the SDN switch 2 requests the real MAC address (rMAC) to the host B;

s402, the host B responds to the ARP request and sends a real MAC address (rMAC) to the SDN switch 2, the SDN switch 2 sends a Packet-In message to the SDN controller, the SDN controller sends a Packet-Out message to the SDN switch 1 and simultaneously sends a flow table modification rule (vMAC-rMAC) back to the SDN switch 2, and the SDN switch 1 spoofs the response by utilizing the virtual MAC address (vMAC) of the host B;

at this time, the host a may send data to the virtual MAC address (vMAC) of the host B, and the SDN controller 1 forwards the data to the virtual MAC address vMAC of the host B, and the SDN switch 2 forwards the data after converting the MAC address according to the flow table modification rule (vMAC-rMAC).

(4) Optimal defense strategy for determining dynamic masquerading of virtual and real nodes by utilizing multi-stage signal gaming

Analyzing both the attack and the defense through the dynamic game, and determining the optimal defense strategy for confusing the network core assets through virtual and real camouflage through calculating perfect Bayesian Nash balance (PBNE) in the game. In the dynamic game process, each service node controlled by the defender becomes a sender in the signal game, and transmits messages to the attacker through various camouflage mechanisms, and meanwhile, the dynamic camouflage deployment can be carried out in an optimal efficiency mode so as to confuse the attacker's knowledge of network assets and protect core assets.

The game model firstly formally defines the information transmitted by the defender to the attacker, the action space of the two parties, the belief function and the utility function, and ensures the accurate description of the information exchange and the behavior selection of the attacking and defending parties in the game.

Claim 1: when the receiver R receives the message m from the sender S, the receiver stores a belief value ζ (θ|m) for the type of sender, satisfying the following requirements:

claim 2: for a given belief value ζ (θm), the recipient R will adjust its game strategy to maximize its expected utility value U ^R . Thus, the gaming policy λ of the recipient ^R The following requirements are met:

claim 3: policy lambda for a given sender type theta and receiver ^R Policy lambda for each sender ^s It must be possible to maximize its utility value, satisfying the following requirements:

claim 4: if a specific sender type theta exists, the game policy of the sender satisfying the type lambda ^R ＝m ^* Wherein m is ^* E.m. Then, regarding the transmission message m ^* The sender type of (2) for which the receiver R must have believes that the following bayesian rule is satisfied:

the model then analyzes the dynamic gaming process of both the offender and the defensive party, including action selection and information transfer in different stages. By considering the multi-stage gaming process, both parties can adjust and optimize the strategy according to the behavior and information of the other party.

The model determines the optimal defense strategy for confusing network core assets by computing Perfect Bayesian Nash Equalization (PBNE) in gaming. Through the model, the optimal defense strategy can be found to cope with different attack scenes and protect the security of network core assets. The best strategy selection algorithm is shown in table 2.

Table 2 optimal policy selection algorithm

If the attacker is judged to realize that the defender adopts virtual-real nodes to dynamically disguise and the whole real service nodes are known, executing the decision of the randomization of the IP addresses, and endowing a group of new IP addresses to the whole end nodes. When the belief of an attacker is influenced by dynamic disguise of the virtual and real nodes, the dynamic redirection operation is carried out on the real service node to disguise the real service node into a false node, and meanwhile, the false node is packaged into the real node by adopting a response time adjustment mode. And finally, returning to the optimal defense strategy aiming at each server node, and continuing the next time step to realize a continuous dynamic decision process. Through the steps, the system can dynamically adjust the defending strategy according to different conditions, so that the attacking and defending parties can keep balance in the game, and the effective protection of network core assets is realized.

Example two

As shown in fig. 4, the present example provides a network intrusion active defense system based on a mobile attack surface, which mainly includes a defense deployment module, a threat perception module and a service agent module. The defending and deploying module is responsible for an active defending method of the mobile attack surface, and the network asset is confused by dynamic disguising of virtual and real nodes in the method. The threat perception module is mainly responsible for perceiving the known threat aiming at the end node and accurately identifying the type of the threat, and for improving the detection precision and the detection efficiency of the threat, and meanwhile, carrying out end address periodic jump and dynamic configuration on the virtual and real nodes aiming at threat analysis results. The service agent module mainly realizes real business service and port forwarding.

The threat perception module controls the end nodes by the SDN controller, filters, converts, normalizes and the like the data and performs dimension reduction processing on the data. In order to improve the accuracy of threat identification, in ensemble learning, a classification method usually combines multiple independent base classifiers to effectively solve the same problem, and can predict classification results together with higher stability and accuracy. In the embodiment, three independent classifiers are trained by adopting C4.5, random Forest and Forest PA algorithms to serve as a base learner to construct an integrated learning-based multi-class attack recognition model, and a Voting algorithm is used for integrating the base learner based on the integrated learning-based multi-class attack recognition model.

1) C4.5 is a typical decision tree algorithm that traverses the decision tree to access each node and selects the best branch based on maximization of the gain ratio. It is represented as follows:

in this process C4.5 will select the attribute with the highest information gain as the branching attribute of node N. The information gain generally represents the uncertainty that decreases after partitioning the set D over the attribute a, which can be calculated by entropy, the formula of which can be defined as:

where X is the set of categories in set D and p (X) is the ratio of the number of elements contained in category X to the number of elements in set D. Split info describes an equal division of data by attributes, and its calculation formula is as follows:

2) The Random Forest (RF) algorithm proposed by breimansis can be described as a collection of classification trees, where each decision tree votes once on the classification task of the most frequent class in the input data, with fewer parameters being specified to run RF than other machine learning methods. In RF, a set of single tree structure classifiers can be defined as:

{h(x,θ _k },k＝1,2…i…

3) The Forest PA is an algorithm for constructing a set of highly accurate decision trees by utilizing all non-class attributes in a dataset, and combines a weight distribution strategy and a weight addition strategy to maintain individual accuracy and guarantee strong diversity. For weights of attributes that appear in the new tree, the Forest PA will randomly update the weights of these attributes in a certain Weight Range (WR), which can be defined as follows:

4) The voing algorithm combines the functions of a plurality of individual classifiers in ensemble learning and selects different ensemble rules, e.g., minimum probability, maximum probability, majority vote, probability product sum, probability average, etc., for the decision process of its classification.

Let us assume that we have l classifiers c= { C ₁ ,...,C _l ' have c categories Ω { ω } ₁ ,...,ω _c In threat detection, l depends on the number of base classifiers, which may be set to 3, while the value of c depends on the number of attack types. For classifier C _i :R ⁿ →[0,1] ^c When it accepts an object x e R ⁿ When a vector is to be outputWherein the method comprises the steps ofRepresentation classifier c _i The assigned object x belongs to category w _j Is a probability of (2). For each w _j Let m _j Representing the probability average assigned by the l classifiers, can be calculated by the following formula: />

The defending and deploying module carries out active defending transformation on all the managed service end nodes based on the SDN controller, and the cognition of an attacker on the real nodes is confused in a dynamic camouflage mode, so that the attacker is misled to hit the false nodes. The defending deployment module is applied to a data plane, a control plane and an application plane; and core composition modules such as dynamic decision, false and actual disguising, security check agent and the like are deployed on the plane.

1) The security check agent module is embedded in the cloud server and the OpenFlow switch and is mainly responsible for recording the real-time system performance of the real service node and monitoring the security event of the false node.

2) The dynamic decision module is deployed on the SDN controller as a security application and is mainly responsible for evaluating the security efficacy of the defense strategy and selecting a proper active defense mechanism and corresponding parameter configuration. And dynamically updating game parameters according to requirements in combination with the continuously updated security monitoring log and service node states, determining an optimal defense strategy of dynamic disguising of virtual and real nodes by utilizing a multi-stage signal game model, and making corresponding optimal defense decisions for each service node at each time step of a game.

3) The virtual-real camouflage module is realized based on an application program interface of the SDN controller, creates a corresponding independent safety application program to be embedded into the SDN controller, and executes a corresponding safety function after receiving a control command and configuration parameters of the dynamic decision module. The defense deployment module also contains IP address, port randomization, flow splitting techniques, which modify the IP address parameters of the ensemble of service nodes when most core network assets are compromised by an attack, thereby dynamically reconstructing the current game.

Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; the technical features of the above embodiments or in the different embodiments may also be combined within the idea of the invention, the steps may be implemented in any order, and there are many other variations of the different aspects of the invention as described above, which are not provided in detail for the sake of brevity; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit of the corresponding technical solutions from the scope of the technical solutions of the embodiments of the present application.

Claims

1. The network intrusion active defense method based on the mobile attack surface is characterized by comprising the following steps of:

network assets of the confusing industrial control system are dynamically disguised through virtual and real nodes: an application program interface of the SDN controller is utilized to realize a disguising mechanism of the virtual and real nodes, wherein the disguising mechanism comprises a response time adjusting mechanism, a dynamic redirection mechanism and an IP address randomizing mechanism;

analyzing both the attack and the defense by utilizing the multi-stage signal game, and determining the optimal defense strategy by calculating perfect Bayesian Nash balance in the game.

2. The network intrusion active defense method according to claim 1, wherein the pre-positioning the mobile attack of the industrial control system comprises: separating a service server and a mobile attack surface of an industrial control system, and introducing a reverse proxy to serve as a middle layer between mobile application and the service server before the service server is erected; the reverse proxy is used for intercepting and filtering requests initiated by the mobile application and providing a security function; the mobile attack surface is deployed in a cloud environment by using virtualization and cloud technology, so that the mobile attack surface can be accessed and managed through cloud services.

3. The network intrusion active defense method according to claim 1, wherein the response time adjustment mechanism is to improve response priority of the dummy node to the attacker request by adjusting response time of all service nodes, and confuse the attacker to judge the dummy node, and specifically comprises:

4. The network intrusion active defense method of claim 1, wherein the dynamic redirection mechanism is to redirect a request for a real service node to other real nodes, thereby increasing response time of the real nodes without interrupting normal traffic:

5. The network intrusion active defense method according to claim 1, wherein in the performing of the terminal address periodic hopping and the dynamic configuration on the virtual-real node, a hybrid trigger mechanism based on a time driving mechanism and a threat event driving mechanism is adopted to change the IP address and the port number of the terminal node;

6. The network intrusion active defense method of claim 1 wherein the process of dynamic configuration of the virtual-to-real node end address assuming that end node a needs to communicate with end node B comprises:

7. The network intrusion active defense method of claim 1, wherein the process of dynamically configuring the virtual-to-real node address assuming that the host a needs to communicate with the host B comprises:

8. The network intrusion active defense system based on the mobile attack surface is characterized by comprising a defense deployment module, a threat perception module and a service agent module; the defending and deploying module is used for deploying and realizing the network intrusion active defending method according to any one of claims 1 to 4, and dynamically disguising the network assets of the confusing industrial control system through virtual and real nodes; the threat perception module is used for identifying known attacks aiming at the end nodes and accurately judging the types of the known attacks, and simultaneously carrying out the periodic jump and dynamic configuration of the end address in the method according to any one of claims 5 to 7 on the virtual and real nodes according to threat analysis results; the service agent module is used for realizing real business service and port forwarding.

9. The network intrusion active defense system of claim 8, wherein the threat awareness module manages each end node by an SDN controller, performs operations including filtering, converting, normalizing and dimension reduction on data of each end node, and builds an ensemble learning-based multi-class attack recognition model; the defending and deploying module is applied to a data plane, a control plane and an application plane, and a dynamic decision module, a virtual and actual disguising module and a security check agent module are deployed on each plane.

10. The network intrusion active defense system of claim 9,

the dynamic decision module is deployed on the SDN controller as a security application and is used for dynamically updating game parameters according to the system requirements by combining the continuously updated security monitoring log and the service node state, and making corresponding optimal defense decisions for each service node in each time step of the game;

the virtual and real disguising module is realized based on an application program interface of the SDN controller, creates a corresponding independent safety application program to be embedded into the SDN controller, and executes a corresponding safety function after receiving a control command and configuration parameters of the dynamic decision module;

the security check agent module is embedded in the cloud server and the switch and is used for recording the real-time system performance of the real service node and monitoring the security event of the false node.