WO2019154202A1 - A security protection method and apparatus - Google Patents
- Publication number: WO2019154202A1 (PCT/CN2019/073841)
- Authority: WO (WIPO, PCT)
- Prior art keywords: software version, software, version, network element, pool
- Prior art date
Classifications
- G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING
  - G06F8/00—Arrangements for software engineering
    - G06F8/60—Software deployment
    - G06F8/70—Software maintenance or management
      - G06F8/71—Version control; Configuration management
      - G06F8/76—Adapting program code to run in a different environment; Porting
  - G06F9/00—Arrangements for program control, e.g. control units
    - G06F9/06—Arrangements for program control using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
      - G06F9/44—Arrangements for executing specific programs
        - G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
          - G06F9/45533—Hypervisors; Virtual machine monitors
            - G06F9/45558—Hypervisor-specific management and integration aspects
              - G06F2009/45587—Isolation or security of virtual machine instances
  - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    - G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
      - G06F21/12—Protecting executable software
        - G06F21/121—Restricting unauthorised execution of programs
          - G06F21/125—Restricting unauthorised execution of programs by manipulating the program code, e.g. source code, compiled code, interpreted code, machine code
    - G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
      - G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
        - G06F21/572—Secure firmware programming, e.g. of basic input output system [BIOS]
        - G06F21/577—Assessing vulnerabilities and evaluating computer system security
  - G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    - G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
      - G06F2221/033—Test or assess software
Definitions
- The present disclosure relates to the field of computer communication technologies, and in particular to a security protection method and apparatus.
- Each network element consists of a software version plus a hardware platform, where the hardware platform is mainly either a proprietary hardware platform or a general-purpose server hardware platform.
- Cloud service systems are mostly built from software and hardware, so the uncertain threat of unknown vulnerabilities and backdoors cannot be avoided.
- In a cloud environment the hardware and software components are homogenized, so the damage caused by one and the same vulnerability or backdoor is broader.
- During stable operation the software version stays the same.
- Replacement of the software version is generally triggered by function expansion, performance expansion, or system stability considerations.
- The technical problem to be solved by the present disclosure is to provide a security protection method and device that use the software versions generated by diversity compilation as heterogeneous functional equivalents to dynamically deploy, schedule and manage the software versions on network elements, realizing active protection that does not rely on attack signatures.
- Embodiments of the present disclosure provide a security protection method, including:
- dynamically deploying the software version on the network element according to the software version pool.
- Embodiments of the present disclosure provide a security protection device, including:
- a software version pool establishing module configured to generate software versions based on diversity compilation and to construct a software version pool in which the software versions are heterogeneous functional equivalents;
- a software version deployment module configured to dynamically deploy the software version on the network element according to the software version pool.
- Embodiments of the present disclosure provide a security protection device, including:
- a memory, a processor, and a security protection program stored in the memory and operable on the processor; when executed by the processor, the security protection program implements the steps of the security protection method described above.
- An embodiment of the present disclosure provides a computer readable storage medium storing a security protection program; when executed by a processor, the security protection program implements the steps of the security protection method.
- The security protection method and device use the software versions generated by diversity compilation as heterogeneous functional equivalents to dynamically deploy, schedule and manage the software versions on network elements, realizing active protection that does not depend on attack signatures.
- FIG. 1 is a flowchart of a security protection method according to Embodiment 1 of the present disclosure.
- FIG. 2 is a schematic diagram of a security protection device according to Embodiment 2 of the present disclosure.
- FIG. 3 is a structural diagram of a communication system in Example 1 of the present disclosure.
- FIG. 4 is a structural diagram of a virtualized cloud service system in Example 2 of the present disclosure.
- FIG. 5 is a schematic diagram of an elastic scaling scheduling device for heterogeneous functional equivalents in Example 2 of the present disclosure.
- FIG. 6 is a flowchart of a security protection method in an elastic expansion scenario in Example 2.
- The unknown security threat in a single space can be transformed into a joint-probability problem in a multi-dimensional heterogeneous space: unknown security threats (unknown vulnerabilities, unknown backdoors, etc.) in a single space have unknown and uncertain characteristics. Placing them in a multi-dimensional heterogeneous space turns multiple independent unknown events into a joint-probability problem through multi-mode adjudication or consistency adjudication.
- The principle of mimic security defense based on heterogeneous redundancy holds that multiple executors with random, diverse and dynamic features produce different results on the same attack path, and the system output is determined by a collective vote over these results. The security of the system therefore does not depend on a single individual but is determined by a number of different heterogeneous executors.
- A compiler is a program that translates "one language (usually a high-level language)" into "another language (usually a low-level language)".
- The compiler is an effective tool for generating diverse executables. Diversity compilation technology can realize diversified code generation strategies and data layout forms for the characteristics of the multi-layer protocol stacks of different functional software. Using runtime analysis, instruction and control flow obfuscation, code optimization and executor heterogeneity evaluation technologies, it efficiently builds executors with different degrees of heterogeneity at different levels such as address space, namespace, instruction set, kernel data, and executable file structure.
- The embodiments of the present disclosure are based on the endogenous security technology of the mimic security defense architecture and propose generating heterogeneous functional equivalents based on diversity compilation.
- Information service and security protection are integrated: dynamic deployment, scheduling and management based on the security policy are implemented on the network software versions to realize mimic transformation in the time and space dimensions.
- Applications and infrastructure can continue to work while under attack, enabling proactive protection that is independent of attack signatures.
- An embodiment of the present disclosure provides a security protection method, including:
- Step S110: generating software versions based on diversity compilation, and constructing a software version pool in which the software versions are heterogeneous functional equivalents;
- Step S120: dynamically deploying a software version on the network element according to the software version pool.
- A heterogeneous functional equivalent refers to a set of functional components that have the same function but different implementation structures.
- Differences in the ideas, methods, tools and conditions used to implement a function lead to different architectures, algorithm choices or method designs, and to different structural designs that meet the same functional requirements, so the same function usually has many implementation structures.
- Implementation structure differences include: layout differences of global symbols (global variables, functions, etc.), layout differences of key data structures, program address space differences (code segment, data segment, BSS (Block Started by Symbol)), and so on.
- The heterogeneous functional equivalents may include: multiple software versions generated from homologous code by diversity compilation; and/or multiple software versions generated from heterogeneous code by diversity compilation.
- Diversity compilation transforms the existing operating system, injecting security features (dynamism, randomness, diversity) to change the system regularities on which the attack process depends, and generates multi-variants with random and diverse features through the compiler.
- The possible attack paths are then also random and diverse.
- A variety of code generation strategies and data layout formats are implemented for the characteristics of the multi-layer protocol stacks of different functional software.
- Using runtime analysis, instruction and control flow obfuscation, code optimization and executor heterogeneity evaluation technologies, executors are efficiently built at different levels such as address space, namespace, instruction set, kernel data, and executable file structure.
- Software executables with different degrees of heterogeneity are obtained. Because attack means depend on the environment, compiling homologous or heterogeneous code into different structures yields a certain degree of security gain against exploits such as vulnerabilities and Trojans.
- The software version in the software version pool includes the following management attributes: a software function version management attribute and a heterogeneous functional equivalent version management attribute.
- The software function version management attribute includes a software function version number, which is used to mark a logical function difference between software versions.
- The heterogeneous functional equivalent version management attribute includes a diversity compiled version number, which is used to mark a result difference of software version diversity compilation; software versions that differ in the heterogeneous functional equivalent version management attribute are marked with different version numbers.
- The method further includes: establishing a software version mapping table.
- The software version mapping table records the correspondence between the diversity compiled version number of each software version that is a heterogeneous functional equivalent and the network element identifier.
- The network element identifier includes at least one of the following: an IP address of the network element, a host identifier of the network element, and a logical identifier of the network element.
- Dynamically deploying the software version on the network element according to the software version pool includes:
- a software version is randomly selected from the software version pool or selected based on the security policy and deployed to the physical resource after the network element is expanded;
- the service is migrated from the first network element to the second network element according to the security policy, where a first software version is deployed on the first network element and a second software version is deployed on the second network element;
- the software version on the network element is replaced periodically or according to the security policy;
- the replacement software version is randomly selected from the software version pool or selected based on the security policy.
- The software versions before and after replacement correspond to the same software function and different compiled versions.
- The software versions (V1, V2, V3 ... Vn) generated by the diversity compilation technique constitute a software version pool of heterogeneous functional equivalents.
- The attack path also presents random and diverse features. For example, when different network elements load different software versions, dynamic deployment, scheduling and management based on the security policy implement mimic transformation in the time and space dimensions, converting the deterministic attack result of an unknown security problem, backdoor or vulnerability in a single space into a probability problem in a multi-dimensional space, which lowers the probability of a successful attack.
- In addition to the basic management attributes based on function, performance, stability and so on, the software version in the software version pool also carries heterogeneous functional equivalent version management attributes.
- Software versions that differ in heterogeneous functional equivalent version management attributes are marked with different version numbers.
- Each software version is assigned a software function version number and a diversity compiled version number; the software function version number marks a logical function difference between software versions, and the diversity compiled version number marks a result difference of diversity compilation.
- The same software function version number can correspond to one or more diversity compiled version numbers, while a given diversity compiled version number corresponds uniquely to one software function version number.
- The software version manager centrally manages the software version pool and maintains the software version mapping table.
- The software version mapping table records the correspondence between the software version number of each software version that is a heterogeneous functional equivalent and the network element identifier.
- The network element identifier includes at least one of the following: an IP address of the network element, a host identifier of the network element, and a logical identifier of the network element.
- When the system is initialized, the software version manager pre-installs the required software versions and assigns each a software function version number Fm and a diversity compiled version number Vm.
- The service network element submits a version deployment request to the software version manager, and the software version manager allocates a diversity compiled version number to the service network element based on the security policy.
- After the version is loaded successfully, the software version manager records the correspondence between the diversity compiled version number and the network element identifier and marks the usage status as used. As shown in Table 1 below, the software version manager records the correspondence between the software function version number, the diversity compiled version number and the network element identifier, together with the usage status of the software version on the network element: if the software version is loaded successfully on the network element the status is "Y"; if it is not loaded, or loading fails, the status is "N".
- The software versions can be dynamically deployed, scheduled and managed based on security policies to implement mimic transformation in the time and space dimensions.
- VNF: virtual network function.
- The same virtual network function (VNF) can be implemented by executing different diversity compiled versions on different virtual machines.
- The business process can run on different diversity compiled versions, realizing mimic transformation in the space dimension.
- VPN: virtual private network.
- VNFM: Virtualised Network Function Manager.
- Based on the security policy, the VNFM can dynamically move the business processing of the VPN connection service flow Service1 to other diversity compiled versions Vj.
- The attack paths of backdoors and vulnerabilities are then also inconsistent.
- The execution conditions on which backdoors and vulnerabilities depend change, so the attack effect is also inconsistent.
- Mimic transformation and active transition in the space dimension are thus realized.
- The VNFM can periodically initiate a software version replacement process for a given VNF. The deployment of the software version is done by the software version manager together with the specific network element.
- In the time dimension the functions stay the same, but different diversity compiled versions execute in different time periods, so the attack paths of backdoors and vulnerabilities are also inconsistent.
- The execution conditions on which backdoors and vulnerabilities depend change, so the attack effect is also inconsistent.
- Mimic transformation and active transition in the time dimension are thus realized.
- An embodiment of the present disclosure provides a security protection device, including:
- a software version pool establishing module 201 configured to generate software versions based on diversity compilation and to construct a software version pool in which the software versions are heterogeneous functional equivalents;
- a software version deployment module 202 configured to dynamically deploy the software version on the network element according to the software version pool.
- The software version in the software version pool includes the following version attributes: a software function version attribute and a diversity compiled version attribute; the software function version attribute marks a logical function difference between software versions, and the diversity compiled version attribute marks the result difference of diversity compilation.
- The heterogeneous functional equivalents may include: multiple software versions generated from homologous code by diversity compilation; and/or multiple software versions generated from heterogeneous code by diversity compilation.
- The software version pool establishing module is further configured to establish a software version mapping table.
- The software version mapping table records the correspondence between the version attributes of each software version that is a heterogeneous functional equivalent and the network element on which that software version is deployed.
- The software version deployment module is configured to dynamically deploy the software version on the network element according to the software version pool in the following manner: when the network element is initially created, a software version is randomly selected from the software version pool or selected based on the security policy and deployed to the physical resources of the network element.
- The software version deployment module is further configured to dynamically deploy the software version on the network element according to the software version pool in the following manners:
  - when the network element is elastically expanded, randomly selecting a software version from the software version pool, or selecting one based on the security policy, and deploying it on the physical resource after the network element is expanded; and/or
  - during system operation, migrating the service from a first network element to a second network element according to the security policy, where a first software version from the software version pool is deployed on the first network element and a second software version from the software version pool is deployed on the second network element, the first and second software versions corresponding to the same software function and different compiled versions; and/or
  - during system operation, periodically or according to the security policy, replacing the software version on the network element, the replacement software version being randomly selected from the software version pool or selected based on the security policy, with the software versions before and after replacement corresponding to the same software function and different compiled versions.
- Software versions (V1, V2, V3, ..., Vn) are generated by the diversity compilation technology. These software versions have the same function and different implementation structures, and constitute a software version pool of heterogeneous functional equivalents.
- After each software version is generated by randomized, diversified compilation, the attack path also presents random and diverse features. For example, when different network elements load different software versions, dynamic deployment, scheduling and management based on the security policy convert the deterministic attack results of unknown security problems, backdoors or vulnerabilities in a single space into a probability problem in a multi-dimensional space, lowering the probability of a successful attack.
- Embodiments of the present disclosure provide a security protection device, including:
- An embodiment of the present disclosure provides a computer readable storage medium storing a security protection program; when executed by a processor, the security protection program implements the steps of the security protection method described in Embodiment 1 above.
- A typical communication system may include a background server, a main control board and service boards.
- The software version of each service board can be stored in the background server.
- The main control board is responsible for fetching the software version from the background server and distributing it to each service board according to the service board's slot number.
- The service boards of the communication system can be configured in active/standby mode.
- A software version manager is added to the background server of the communication system.
- The software version pool is pre-installed in the software version manager when the system is initialized.
- The software version pool includes multiple software versions generated by the diversity compilation technology, including different software versions generated from homologous code by diversity compilation and different software versions generated from heterogeneous code by diversity compilation. These software versions (V1, V2, V3 ... Vn) form the heterogeneous functional equivalents required by the mimic security defense principle.
- The software version in the software version pool carries additional heterogeneous functional equivalent version management attributes, consisting of a software function version attribute and a diversity compiled version attribute; software versions that differ in these attributes are marked with different version numbers.
- This example provides a security protection method that can include the following steps:
- The software versions in the software version pool are different software versions generated from homologous or heterogeneous code by diversity compilation.
- The software version manager randomly selects a version Vm from the software version pool (V1, V2, V3 ... Vn), or selects a version Vm based on the security policy.
- The service board (network element) loads the version and runs it.
- The correspondence between the Vm version number and the network element identifier is recorded in the software version manager.
- The network element identifier can be the IP address, the host identifier or the logical identifier of the network element.
- The software version is randomly selected from the software version pool or selected based on the security policy.
- The correspondence between the replacement version number and the network element identifier is recorded in the software version manager.
- The software version replacement process may include: the active machine runs software version Vj, and the standby machine downloads version Vi from the software version manager, where Vi is different from the version Vj running on the active machine.
- The standby machine loads version Vi, runs it, and synchronizes state data from the active machine.
- Version Vi should include a state data conversion module that performs format and semantic conversion of state data between the different software versions Vi and Vj.
- The virtualized cloud service system described in this example mainly includes: NFVO (Network Functions Virtualisation Orchestrator), VNFM (Virtualised Network Function Manager), VIM (Virtualised Infrastructure Manager, i.e. virtualized infrastructure management), multiple NFVs (Network Functions Virtualisation), a virtualization platform, and a software version manager.
- NFVO: Network Functions Virtualisation Orchestrator
- VNFM: Virtualised Network Function Manager
- VIM: Virtualised Infrastructure Manager (virtualized infrastructure management)
- Multiple NFV: Network Functions Virtualisation
- Virtualization Platform
- Software Version Manager
- The NFVO is mainly responsible for the orchestration of NFV.
- The VNFM is mainly responsible for the management and automated deployment of NFV.
- The software-implemented NFVs run on the virtualization platform.
- The scheduling device includes: a software version manager, a VNFM (including a security policy manager), an OMU (Operating Maintenance Unit) and an SPU (Service Processing Unit).
- OMU: Operating Maintenance Unit; SPU: Service Processing Unit
- OMU and SPU are hardware platform resources on which NFVs run.
- The OMU is responsible for system management of virtualized network functions.
- The SPU is responsible for business processing of virtualized network functions.
- the elastic scaling function is an important system function; it requires that the resources occupied by a virtualized service network element can be flexibly adjusted according to the traffic volume.
- the basis for elastically scaling a virtualized service network element is the current traffic volume and the service policy.
- the elastic auto-expansion policy may be: when the load recorded by the OMU reaches a set threshold, and the load of every other service processing unit SPU also reaches the set threshold, a new virtual machine is requested from the virtual network function manager VNFM.
- a security protection method may include the following steps:
- S101 Collect information such as the processing load of SPU1, SPU2, ..., SPUn during OMU operation. If the OMU determines that the elastic expansion condition is met, the elastic expansion process is started.
- the VNFM creates new virtual machine resources for a main machine and a standby machine (SPUm), and installs an operating system and system management software.
- the VNFM notifies the OMU and the SPUm to perform elastic expansion pre-processing.
- the OMU and the SPUm perform elastic expansion pre-processing, including system hardware resource allocation, main and standby machine settings, and data area initialization.
- the SPUm that will be the main running machine for the service is in the software-version-to-be-installed state.
- the main machine SPUm and the software version manager start the version deployment process.
- the software version manager randomly selects a version Vm from the software version pool (V1, V2, V3...Vn); or, the software version manager selects a version Vm from the software version pool (V1, V2, V3...Vn) according to a security policy.
- the OMU downloads the software version Vm from the software version manager to the main machine SPUm, which loads and runs it.
- the main SPUm disables active/standby switchover and notifies the standby SPUm to perform elastic expansion.
- the main SPUm starts successfully and notifies the OMU that the version has been deployed.
- the OMU notifies the VNFM that version deployment is complete, and the VNFM updates the status of the VNF (corresponding to SPUm) recorded in its storage area.
- a software version mapping table is saved in the software version manager, and the software version mapping table records the correspondence between the software version number and the network element identifier.
- the NE ID can be the IP address of the NE, the host ID of the NE, or the logical ID of the NE.
- the standby SPUm queries the software version mapping table through the software version manager to obtain the version number of Vm.
- the standby SPUm downloads the software version Vm from the software version manager, then loads and runs it.
- the standby SPUm starts successfully.
- the standby SPUm notifies the main SPUm that the elastic expansion is successful.
- the main SPUm receives the "elastic expansion success" message from the standby SPUm and notifies the standby SPUm to lift the prohibition on active/standby switchover.
- the standby SPUm receives the command to re-enable active/standby switchover and responds to the main SPUm.
- the main SPUm receives the response, and the current elastic expansion ends.
- the VNFM receives the flexible expansion success message of the VNF (corresponding to the SPUm), and retains the VNF information, such as the service type, performance, and load, in the local storage area.
- the OMU is notified that the deployment is complete, and the resource information, such as network bandwidth, is delivered.
- the OMU sends an online notification to the SPUm, and the OMU completes the resource change processing.
- the OMU notifies other SPUs that a new VNF (corresponding to SPUm) is online, and other SPUs perform corresponding processing according to a preset policy.
- a security protection method may include the following steps:
- S201 Collect information such as the processing load of SPU1, SPU2, ..., SPUn during OMU operation. Based on the traffic volume, processing load and similar conditions, if the OMU judges that the elastic contraction condition is satisfied, the elastic contraction process is started.
- the OMU notifies the main SPUm to start the elastic contraction process.
- the main SPUm prohibits active/standby switchover and starts migrating its ongoing service connections to other SPUs according to the preset policy.
- S203 After the service connection migration on the main SPUm is completed, the main SPUm requests the VNFM to delete the virtual machine and requests the software version manager to log out the version number Vm.
- the software version manager deletes the Vm entry from the software version mapping table and responds to the OMU; the elastic contraction of the SPUm is then complete.
- the OMU, after receiving the response message, deletes the SPUm-related information and releases the SPUm resources, where the SPUm resources include the main machine resources and the standby machine resources of the SPUm;
- the VNFM receives the notification message from the OMU and deletes the corresponding VNF information.
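The expansion flow (random or policy-based selection of Vm, the standby SPUm looking up the same Vm in the mapping table), the contraction flow (logging out the Vm entry) and the version replacement condition (Vi and Vj share a function but differ in compile variant) modelled together as an added example; this is illustrative code, not the patent's implementation, and the class and method names (Version, VersionManager, pick, deploy_main, deploy_standby, logout, replacement_for) are assumptions.

```python
import random
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Version:
    """Heterogeneous functional equivalent (claim 2): same logic function,
    differing output of diversified compilation."""
    function: str   # software function version attribute, e.g. "F1"
    variant: str    # diversity compilation version attribute, e.g. "c3"


@dataclass
class VersionManager:
    """Software version manager: the pool V1..Vn plus the mapping table."""
    pool: list
    mapping: dict = field(default_factory=dict)  # NE id -> deployed Version

    def pick(self, policy=None, rng=random):
        """Random selection, or selection under a security policy (a filter)."""
        candidates = [v for v in self.pool if policy is None or policy(v)]
        if not candidates:
            raise LookupError("no pool version satisfies the security policy")
        return rng.choice(candidates)

    def deploy_main(self, ne_id, policy=None, rng=random):
        """Elastic expansion: the main SPUm gets Vm and the mapping is recorded."""
        vm = self.pick(policy, rng)
        self.mapping[ne_id] = vm
        return vm

    def deploy_standby(self, ne_id):
        """The standby SPUm queries the mapping table to load the same Vm."""
        return self.mapping[ne_id]

    def logout(self, ne_id):
        """Elastic contraction: the Vm entry of the NE is deleted."""
        return self.mapping.pop(ne_id)

    def replacement_for(self, ne_id, rng=random):
        """Version replacement: Vi keeps Vj's function but differs in build."""
        vj = self.mapping[ne_id]
        return self.pick(lambda v: v.function == vj.function
                         and v.variant != vj.variant, rng)


if __name__ == "__main__":
    mgr = VersionManager([Version("F1", f"c{i}") for i in range(1, 5)])
    print("main/standby:", mgr.deploy_main("SPUm"), mgr.deploy_standby("SPUm"))
    print("replacement:", mgr.replacement_for("SPUm"), "logout:", mgr.logout("SPUm"))
```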
- the present disclosure is applicable to the field of computer communication technology; by using software versions produced by diversified compilation as heterogeneous functional equivalents, and by dynamically deploying and managing the software versions of network elements, it implements active protection in the system that does not depend on attack signatures.
Claims (12)
- A security protection method, comprising: generating software versions based on diversified compilation, and constructing a software version pool with the software versions as heterogeneous functional equivalents; and dynamically deploying software versions on network elements according to the software version pool.
- The method according to claim 1, wherein the software versions in the software version pool comprise the following version attributes: a software function version attribute and a diversified compilation version attribute; wherein the software function version attribute is used to mark logical function differences between software versions, and the diversified compilation version attribute is used to mark differences in the results of diversified compilation.
- The method according to claim 2, wherein the method further comprises: establishing a software version mapping table; the software version mapping table records the correspondence between the version attributes of each software version serving as a heterogeneous functional equivalent and the network element on which that software version is deployed.
- The method according to claim 1, 2 or 3, wherein dynamically deploying software versions on network elements according to the software version pool comprises: when a network element is initially generated, selecting a software version from the software version pool randomly or based on a security policy, and deploying it on the physical resources of the network element.
- The method according to claim 4, wherein dynamically deploying software versions on network elements according to the software version pool further comprises: when a network element is elastically expanded, selecting a software version from the software version pool randomly or based on a security policy, and deploying it on the physical resources of the network element after expansion; and/or, during system operation, migrating services from a first network element to a second network element according to a security policy, wherein a first software version from the software version pool is deployed on the first network element and a second software version from the software version pool is deployed on the second network element, and the first software version and the second software version correspond to the same software function and different compiled versions; and/or, during system operation, replacing the software version on a network element periodically or according to a security policy, wherein the replacement software version is selected from the software version pool randomly or based on a security policy, and the software version before replacement and the software version after replacement correspond to the same software function and different compiled versions.
- A security protection apparatus, comprising: a software version pool establishing module, configured to generate software versions based on diversified compilation and to construct a software version pool with the software versions as heterogeneous functional equivalents; and a software version deployment module, configured to dynamically deploy software versions on network elements according to the software version pool.
- The apparatus according to claim 6, wherein the software versions in the software version pool comprise the following version attributes: a software function version attribute and a diversified compilation version attribute; wherein the software function version attribute is used to mark logical function differences between software versions, and the diversified compilation version attribute is used to mark differences in the results of diversified compilation.
- The apparatus according to claim 7, wherein the software version pool establishing module is further configured to establish a software version mapping table; the software version mapping table records the correspondence between the version attributes of each software version serving as a heterogeneous functional equivalent and the network element on which that software version is deployed.
- The apparatus according to claim 6, 7 or 8, wherein the software version deployment module is configured to dynamically deploy software versions on network elements according to the software version pool in the following manner: when a network element is initially generated, selecting a software version from the software version pool randomly or based on a security policy, and deploying it on the physical resources of the network element.
- The apparatus according to claim 9, wherein the software version deployment module is further configured to dynamically deploy software versions on network elements according to the software version pool in the following manner: when a network element is elastically expanded, selecting a software version from the software version pool randomly or based on a security policy, and deploying it on the physical resources of the network element after expansion; and/or, during system operation, migrating services from a first network element to a second network element according to a security policy, wherein a first software version from the software version pool is deployed on the first network element and a second software version from the software version pool is deployed on the second network element, and the first software version and the second software version correspond to the same software function and different compiled versions; and/or, during system operation, replacing the software version on a network element periodically or according to a security policy, wherein the replacement software version is selected from the software version pool randomly or based on a security policy, and the software version before replacement and the software version after replacement correspond to the same software function and different compiled versions.
- A security protection apparatus, comprising: a memory, a processor, and a security protection program stored in the memory and executable on the processor, wherein the security protection program, when executed by the processor, implements the steps of the security protection method according to any one of claims 1 to 5.
- A computer-readable storage medium, on which a security protection program is stored, wherein the security protection program, when executed by the processor, implements the steps of the security protection method according to any one of claims 1 to 5.
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/960,587 US11934530B2 (en) | 2018-02-09 | 2019-01-30 | Security protection method and apparatus |
EP19751256.9A EP3751416B1 (en) | 2018-02-09 | 2019-01-30 | Security protection method and apparatus |
KR1020207026068A KR102419704B1 (ko) | 2018-02-09 | 2019-01-30 | 보안 보호 방법 및 장치 |
JP2020542841A JP7082673B2 (ja) | 2018-02-09 | 2019-01-30 | セキュリティ保護方法および装置 |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810135941.4 | 2018-02-09 | ||
CN201810135941.4A CN110134428B (zh) | 2018-02-09 | 2018-02-09 | 一种安全防护方法及装置 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2019154202A1 true WO2019154202A1 (zh) | 2019-08-15 |
Family
ID=67549263
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2019/073841 WO2019154202A1 (zh) | 2018-02-09 | 2019-01-30 | 一种安全防护方法及装置 |
Country Status (6)
Country | Link |
---|---|
US (1) | US11934530B2 (zh) |
EP (1) | EP3751416B1 (zh) |
JP (1) | JP7082673B2 (zh) |
KR (1) | KR102419704B1 (zh) |
CN (1) | CN110134428B (zh) |
WO (1) | WO2019154202A1 (zh) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112839036A (zh) * | 2020-12-30 | 2021-05-25 | 中国人民解放军战略支援部队信息工程大学 | 基于拟态防御理论的软件运行环境生成方法及系统 |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106549935A (zh) * | 2016-09-27 | 2017-03-29 | 上海红阵信息科技有限公司 | 一种异构功能等价体生成装置及方法 |
CN110610068B (zh) * | 2019-09-16 | 2021-11-23 | 郑州昂视信息科技有限公司 | 一种应用异构化的方法及装置 |
CN111338942B (zh) * | 2020-02-21 | 2022-09-09 | 郑州昂视信息科技有限公司 | 一种软件多样性的评估方法及系统 |
CN112612999B (zh) * | 2020-12-30 | 2022-11-15 | 中国人民解放军战略支援部队信息工程大学 | 基于树结构的多样化变体生成方法及系统 |
CN112632530B (zh) * | 2020-12-30 | 2022-11-08 | 中国人民解放军战略支援部队信息工程大学 | 拟态架构下多样化变体生成方法及系统 |
CN113973018B (zh) * | 2021-12-22 | 2022-03-25 | 南京微滋德科技有限公司 | 一种基于内生安全的物联网终端数据处理方法及系统 |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20090172821A1 (en) * | 2004-06-30 | 2009-07-02 | Faycal Daira | System and method for securing computer stations and/or communication networks |
CN107145376A (zh) * | 2016-03-01 | 2017-09-08 | 中兴通讯股份有限公司 | 一种主动防御方法和装置 |
CN107196803A (zh) * | 2017-05-31 | 2017-09-22 | 中国人民解放军信息工程大学 | 异构云主机的动态生成与维护方法 |
Family Cites Families (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7363618B2 (en) | 2001-02-14 | 2008-04-22 | International Business Machines Corporation | Software testing |
US7539985B2 (en) * | 2003-02-26 | 2009-05-26 | Bea Systems, Inc. | Systems and methods for dynamic component versioning |
US7512936B2 (en) * | 2004-12-17 | 2009-03-31 | Sap Aktiengesellschaft | Code diversification |
WO2006066446A1 (fr) * | 2004-12-21 | 2006-06-29 | Zte Corporation | Methode de compatibilisation des logiciels de materiels dans des systemes de gestion repartis |
US7991866B2 (en) * | 2006-08-18 | 2011-08-02 | Control4 Corporation | Systems and methods for updating a site |
CN101938765B (zh) * | 2009-06-29 | 2015-12-16 | 中兴通讯股份有限公司 | 一种网管和网元自动适配的方法和系统 |
CN102939587B (zh) * | 2010-03-31 | 2016-08-03 | 爱迪德技术有限公司 | 用以保护应用程序的链接和加载的方法 |
CA2806768C (en) * | 2010-07-29 | 2018-07-03 | Irdeto Canada Corporation | System and method for efficiently deploying massively diverse program instances to resist differential attacks |
US8595715B2 (en) | 2010-12-31 | 2013-11-26 | International Business Machines Corporation | Dynamic software version selection |
CN104572202B (zh) * | 2015-01-08 | 2018-05-04 | 浪潮电子信息产业股份有限公司 | 一种云计算下企业级应用软件部署的方法 |
CN106657173B (zh) * | 2015-10-29 | 2020-01-17 | 华为技术有限公司 | 一种nfv架构下软件升级中的业务迁移方法、装置及服务器 |
2018
- 2018-02-09 CN CN201810135941.4A patent/CN110134428B/zh active Active
2019
- 2019-01-30 WO PCT/CN2019/073841 patent/WO2019154202A1/zh unknown
- 2019-01-30 JP JP2020542841A patent/JP7082673B2/ja active Active
- 2019-01-30 US US16/960,587 patent/US11934530B2/en active Active
- 2019-01-30 KR KR1020207026068A patent/KR102419704B1/ko active IP Right Grant
- 2019-01-30 EP EP19751256.9A patent/EP3751416B1/en active Active
Also Published As
Publication number | Publication date |
---|---|
US20200394315A1 (en) | 2020-12-17 |
EP3751416A1 (en) | 2020-12-16 |
CN110134428A (zh) | 2019-08-16 |
CN110134428B (zh) | 2024-02-06 |
EP3751416A4 (en) | 2021-04-07 |
KR20200119849A (ko) | 2020-10-20 |
KR102419704B1 (ko) | 2022-07-12 |
JP7082673B2 (ja) | 2022-06-08 |
JP2021513706A (ja) | 2021-05-27 |
US11934530B2 (en) | 2024-03-19 |
EP3751416B1 (en) | 2023-09-06 |
Legal Events
Code | Title | Description |
---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 19751256; Country of ref document: EP; Kind code of ref document: A1 |
ENP | Entry into the national phase | Ref document number: 2020542841; Country of ref document: JP; Kind code of ref document: A |
NENP | Non-entry into the national phase | Ref country code: DE |
ENP | Entry into the national phase | Ref document number: 20207026068; Country of ref document: KR; Kind code of ref document: A |
ENP | Entry into the national phase | Ref document number: 2019751256; Country of ref document: EP; Effective date: 20200909 |