WO2021180017A1 - Data service-oriented adaptive intrusion response game method and system thereof - Google Patents


Publication number
WO2021180017A1
Authority
WO
WIPO (PCT)
Application number
PCT/CN2021/079481
Other languages
French (fr)
Chinese (zh)
Inventor
邓松
祝展望
张建堂
岳东
袁新雅
陈福林
蔡清媛
董霞
Original Assignee
南京邮电大学

Classifications

    • H Electricity
    • H04 Electric communication technique
    • H04L Transmission of digital information, e.g. telegraphic communication
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Definitions

  • the invention also discloses a data service-oriented adaptive intrusion response game system, which includes:
  • a game model generator, used to define variables based on the IDS response and the impact of the user's intrusion and to construct the game model when an intrusion attack is found;
  • a mixed strategy generator, which establishes the payment functions of the detection system and the user based on the game model and expected utility function theory, solves the payment functions to obtain the mixed-strategy Nash equilibrium point of the game model, and obtains the optimal mixed strategy from that equilibrium point;
  • an alarm, which responds according to the optimal mixed strategy;
  • a data filter, which after the alarm filters the data collected in the data service to obtain the core objects;
  • an object recognizer, which groups all core objects together with their density-reachable data objects; the remaining ungrouped data objects are abnormal data;
  • a data restorer, which removes the abnormal data and replaces it with the mean value of the normal data set of the corresponding data type, so that normal operations can proceed.
  • the present invention proposes a data service-oriented adaptive intrusion response game method and its system, mainly used to solve the problem of adaptive response to network attacks against data services.
  • the method proposed by the present invention can be used to test the security of the current power grid environment: the behaviour of the detection system and of the attacker is quantified by applying the idea of game theory, so that the system obtains the best response and uses computing resources effectively, and the attacked data is then further processed by the DBSCAN algorithm, so as to ensure the safe and reliable operation of the power grid;
  • the mixed strategy generator of the present invention formulates the mixed strategies of the two sides according to the game model of the two sides. From the profit relationship between the detection system and the user the expected benefit function is obtained, and the mixed-strategy Nash equilibrium is then obtained by solving the payment functions of the two parties, which supports the subsequent response of the system;
  • the data filter of the present invention mainly uses the DBSCAN algorithm to cluster the data: it marks all the initialized data as unread, defines the ε-neighbourhood, filters out the core objects, takes a subset $D_i$ containing any number of data objects from the data set D, marks $D_i$ as read, and judges the data objects by the ε and ρ parameters, so as to filter out the different types of data;
  • the target recognizer of the present invention works under the condition that the intersection of two adjacent subsets is the empty set: when all the data is marked as read, one of the core objects is used as a seed and all density-reachable points of that object are grouped into one category, forming a larger cluster; the cycle is repeated to finally identify the abnormal data.
  • Figure 1 is a diagram of the architecture of the present invention.
  • Figure 2 is a schematic flow diagram of the present invention.
  • the big data in the active distribution network has many types, multiple dimensions, and a large amount of data, which are of great value to enterprises and users.
  • the present invention draws on game theory: it evaluates the potential threat to the system when it is attacked and the cost of the system's response, establishes a mathematical model of the conflict of interest between the data intrusion detection system and the end users in each link of the energy Internet, and adjusts the response strategy in time, thereby achieving the purpose of adaptive intrusion response; combined with the DBSCAN algorithm, the attacked data is filtered out.
  • a data service-oriented adaptive intrusion response game method of the present invention includes the following steps:
  • Step 1 Discover intrusion attacks
  • Step 2 Based on the IDS response and the impact of the user's intrusion, quantitatively analyze the benefits and losses of both parties and define the following variables: $B_e$ represents the positive utility of the user as a result of a successful intrusion, and $N$ represents the cost of performing one intrusion response;
  • $R_i$ represents the negative utility that punishment brings to the intruder;
  • $K_d$ represents the recovery of the data after successful detection;
  • $H_j$ represents the damage cost caused to the data by a successful intrusion;
  • $p$ represents the probability of a successful response of the data intrusion detection system, $0 < p \le 1$; the above parameters satisfy $B_e, N, K_d, R_i > 0$, $B_e < R_i$, $N < K_d$ and $K_d < H_j$; the two-party game model is built on these constraints, as shown in Table 1:
  • Step 3 Assume that the mixed strategy of the detection system is $(\theta, 1-\theta)$, that is, the system chooses to alarm with probability $\theta$ and not to alarm with probability $1-\theta$; the user's mixed strategy is $(\gamma, 1-\gamma)$, that is, the intrusion is carried out with probability $\gamma$ and normal activities with probability $1-\gamma$; the payment functions $g_{\text{system}}$ and $g_{\text{user}}$ of the detection system and the user are then obtained by expected utility function theory:
  • $g_{\text{system}} = \theta\{H_j + p(-K_d + N)\gamma + N(1-\gamma)\} \quad (1)$
  • $g_{\text{user}} = \gamma\{[pR_i + (1-p)(-B_e)]\theta + (-B_e)(1-\theta)\} \quad (2)$
  • when the probability $\gamma$ of the user's intrusion is less than the threshold $\gamma^*$, the optimal choice of the detection system is not to alarm; when $\gamma$ is greater than or equal to $\gamma^*$, the optimal choice of the detection system is to alarm.
  • Step 4 Determine whether the detection system alarms; if it alarms, proceed to step 5, otherwise the system continues detecting and, when an intrusion attack is found, returns to step 1;
  • Step 5 Initialize the data set D collected in the data service, mark all data objects as unread, and define the ε-neighbourhood through the Minkowski distance formula:
  • $N_\varepsilon(x_i) = \{\, x_j \in D \mid \mathrm{dist}(x_i, x_j) \le \varepsilon \,\} \quad (8)$
  • $N_\varepsilon(x_i)$ represents the set of all data objects in the ε-neighbourhood of $x_i$;
  • $\varepsilon$ represents the radius parameter;
  • when the number of data objects in the ε-neighbourhood of $x_i$ is greater than $\rho$, $x_i$ is called a core object, where $\rho$ is the minimum object parameter;
  • Step 7 Under the condition that adjacent subsets do not overlap (their intersection is the empty set), repeat step 6 until all data objects are marked as read;
  • Step 8 Use one of the core objects as a seed, and group all density-reachable data objects of that core object into one category, forming a larger set of data objects, also called a cluster;
  • Step 9 Repeat step 8 until all core objects have been traversed, and the remaining data that is not classified into one category are abnormal data.
  • Step 10 Take the average of all density-reachable data of all core objects to replace abnormal data to perform normal operations.
  • Step 11 The loop ends.
  • the game model generator analyzes the benefits of both parties when the system detects an attack, so as to obtain the game model between the system and the user; the mixed strategy generator obtains the optimal decision of the system from the game model; the data filter filters the core objects out of the collected data; the target recognizer groups all core objects, and the remaining ungrouped data is abnormal data.
  • the data restorer takes the average of normal data sets of different data types to replace abnormal data to perform normal operations. The details are as follows:
  • the game model generator mainly analyzes quantitatively the benefits and losses of both parties when the data detection system detects an attack, and defines variables based on the IDS response and the impact caused by the user's intrusion: the positive utility obtained by the user from a successful intrusion is denoted by $B_e$; the cost required to perform one intrusion response by $N$; $R_i$ denotes the negative utility that punishment brings to the intruder; $K_d$ denotes the recovery of data after successful detection; $H_j$ denotes the cost of damage to data caused by a successful intrusion; $p$ denotes the probability of a successful response of the data intrusion detection system ($0 < p \le 1$).
  • the mixed strategy generator is mainly based on the game model of the two parties to formulate the mixed strategy of the detection system and the user.
  • the expected utility function is used to solve the payout matrix of both parties to obtain the Nash equilibrium point of the hybrid strategy, and then the optimal strategy of the system can be known to provide support for the subsequent response of the system.
  • the data filter mainly marks all the initialized data as unread and defines the ε-neighbourhood. When the number of data objects in the ε-neighbourhood of the object $x_i$ is greater than the minimum object parameter $\rho$, that is, when $N_\varepsilon(x_i)$ contains more than $\rho$ objects, $x_i$ is a core object;
  • an edge object is a data object that is not a core object but lies in the ε-neighbourhood of some core object;
  • a noise object is a data object that is neither a core object nor lies in the ε-neighbourhood of any core object;
  • a data object m is judged by the ε and ρ parameters: if m is a core object, find all data objects density-reachable from m and mark them as read; if m is not a core object and is not density-reachable from any object, mark m as noise data, so as to filter out the different types of data.
  • the target recognizer works under the condition that the intersection of two adjacent subsets is the empty set: when all data is marked as read, one of the core objects is used as a seed and all density-reachable points of that object are grouped into one category, forming a larger set of data objects, also called a cluster; this is repeated until all core objects have been traversed, and the remaining data not grouped into any category is abnormal data.
  • the data restorer is used to eliminate the identified abnormal data and replace it with the arithmetic mean of the normal data set of the corresponding data type, so that normal operations can proceed.


Abstract

Disclosed are a data service-oriented adaptive intrusion response game method and a system thereof, which are mainly used for solving the problem of adaptive response for a network attack of data service. The method provided in the present invention is used to construct a game model of a detection system and a user, so as to determine whether there is a pure-strategy Nash equilibrium, and if not, a hybrid strategy of the detection system is established, and then a payoff function between the two is established to solve an optimal first-order condition, thereby deriving a Nash equilibrium value of optimal response of two parties of the game, and obtaining an optimal response policy to respond.

Description

A data service-oriented adaptive intrusion response game method and system thereof

Technical field
The invention is a data service-oriented adaptive intrusion response game method and a system thereof, and belongs to the field of network security.

Background technique
The Energy Internet is a comprehensive application of advanced power electronics, information technology and intelligent management technology that interconnects a large number of new power network nodes, composed of distributed energy harvesting devices, distributed energy storage devices and various types of loads, into a peer-to-peer energy exchange and sharing network with two-way energy flow. The Energy Internet is a new type of energy system structure that is compatible with the traditional power grid, can fully, widely and effectively utilize distributed renewable energy, and meets the diverse power needs of users. With the continuous spread and development of computer networks, intrusions against the Energy Internet are becoming more and more rampant; as an effective method to counter intrusions, intrusion response is becoming more and more important for protecting the security of the system. Current intrusion response is mostly implemented inside the intrusion detection system, and the response is mostly manual, so the response capability is limited to a certain extent. In order to respond to various intrusions quickly and in time, a variety of automatic response technologies have been studied.
Adaptive intrusion response means that when the system is under attack, it can effectively evaluate the potential impact of the attack on Energy Internet data services such as the power grid, and then adjust the response strategy based on the loss assessment and the response cost. Among modern intrusion response methods, the data service-oriented adaptive intrusion response game method has become another detection method for network attacks against Energy Internet data services. Intrusion response is mainly divided into two types, active response and passive response. Commonly used active response techniques include cancelling TCP connections, disconnecting network connections and blocking internal abnormal hosts. The most common passive response technologies are alerts and notifications and the isolation of untrusted connections. In recent years, alongside the rapid development of information and network technology, and driven by political, economic and military interests, the risk of network intrusion has increased correspondingly and intrusion incidents have shown a rapid growth trend, which makes research on intrusion response methods in the context of the Energy Internet very important.
Data service-oriented adaptive intrusion response means that when the system is under attack, it can effectively evaluate the potential impact of the attack on the Energy Internet data service, and then adjust the response strategy according to the loss assessment and the response cost. Generally speaking, traditional intrusion detection technology is a passive defense technology: it cannot effectively monitor the activities in the Energy Internet, has no active defense capability, lacks the capability to respond adaptively to intrusions, and can no longer prevent increasingly serious network security threats. Compared with traditional intrusion response technologies, there are currently some new theories and methods, such as adaptive intrusion response research based on large-scale networks and adaptive intrusion response research based on cost analysis. The actions a response system takes while responding, besides defending the system from damage by intruders, may also have a negative impact on the activities of the system's legitimate users, and the resulting losses may be greater than those caused by the real attack. To solve this problem, it is proposed to first estimate the potential threat that the attack brings to the system and the cost of the system's response, and then adjust the response strategy according to the loss assessment and the response cost analysis, so as to achieve adaptive intrusion response.
The data service-oriented adaptive intrusion response game method mainly needs to consider three questions: (1) how to build a game model between the user and the detection system; only once the game model is constructed can one judge whether a pure-strategy Nash equilibrium exists between the two, and if it does not, the mixed-strategy Nash equilibrium is solved for; (2) what method to use to solve for the Nash equilibrium point of the best response, and how to use the solved Nash equilibrium to adjust the response strategy, reduce manual intervention and achieve rapid response; (3) according to the Nash equilibrium optimal strategy, how the system should respond so that the impact of the attack on data services in the Energy Internet is minimized.
Summary of the invention
The purpose of the present invention is to provide a data service-oriented adaptive intrusion response game method and its system, to solve the problem of adaptive response to network attacks against data services, so that when the system is subjected to a network attack against its data services it can adopt the response strategy with the smallest loss.
Technical solution: a data service-oriented adaptive intrusion response game method, including the following steps:
Step 1: discover the intrusion attack;
Step 2: define variables based on the IDS response and the impact caused by the user's intrusion, and build the game model; the variables include: the positive utility the user obtains from a successful intrusion, the cost of performing one intrusion response, the negative utility that punishment brings to the intruder, the recovery of data after successful detection, the damage cost caused to the data by a successful intrusion, and the probability of a successful response by the data intrusion detection system;
Step 3: establish the payment functions $g_{\text{system}}$ and $g_{\text{user}}$ of the detection system and the user based on the game model and expected utility function theory:
$$g_{\text{system}} = \theta\{H_j + p(-K_d + N)\gamma + N(1-\gamma)\} \quad (1)$$
$$g_{\text{user}} = \gamma\{[pR_i + (1-p)(-B_e)]\theta + (-B_e)(1-\theta)\} \quad (2)$$
where $B_e$ represents the positive utility obtained by the user from a successful intrusion, $N$ the cost of executing one intrusion response, $R_i$ the negative utility that punishment brings to the intruder, $K_d$ the recovery of data after successful detection, $H_j$ the damage cost caused to the data by a successful intrusion, $p$ the probability of a successful response by the data intrusion detection system, $\theta$ the probability that the detection system chooses to alarm, $1-\theta$ the probability that it chooses not to alarm, $\gamma$ the probability that the user carries out an intrusion and $1-\gamma$ the probability that the user performs normal activity; the parameters satisfy $B_e, N, K_d, R_i > 0$, $B_e < R_i$, $N < K_d$, $K_d < H_j$ and $0 < p \le 1$;
Step 4: take the partial derivative of the detection system's payment function $g_{\text{system}}$ with respect to $\theta$ and set it to zero, and take the partial derivative of the user's payment function $g_{\text{user}}$ with respect to $\gamma$ and set it to zero, obtaining:
Figure PCTCN2021079481-appb-000001
Figure PCTCN2021079481-appb-000002
Step 5: judge whether the probability $\gamma$ of the user carrying out an intrusion is less than the threshold $\gamma^*$; if it is, the optimal choice of the detection system is not to alarm, otherwise the optimal choice of the detection system is to alarm; when the detection system chooses to alarm it responds to the data service attack, and if it does not alarm it continues normal operation;
where the value of $\gamma^*$ is equal to
Figure PCTCN2021079481-appb-000003
Further, in step 5, responding to the data service attack specifically includes the following steps:
S1: collect the data in the data service to form the data set D, mark all data objects in D as unread, and filter the core objects out of all data objects by defining the ε-neighbourhood;
S2: take a subset $D_i$ from the data set D, mark all data objects in $D_i$ as read, and judge whether a data object m in $D_i$ is a core object; if so, find all density-reachable data objects of m and mark them as read; otherwise mark m as noise data;
S3: under the condition that
Figure PCTCN2021079481-appb-000004
is satisfied, repeat S2 until all data objects are marked as read, then execute S4;
S4: group all density-reachable data objects of each core object into one category, forming a set of data objects; after all core objects have been traversed, the remaining data not grouped into any category is abnormal data;
S5: replace the abnormal data with the mean of all density-reachable data corresponding to all core objects, perform normal operations, and end the attack response.
Further, in S1, the Minkowski distance formula is used to define the ε-neighbourhood:
$$N_\varepsilon(x_i) = \{\, x_j \in D \mid \mathrm{dist}(x_i, x_j) \le \varepsilon \,\} \quad (8)$$
where $N_\varepsilon(x_i)$ represents the set of all data objects in the ε-neighbourhood of the data object $x_i$ and $\varepsilon$ represents the radius parameter;
when the number of data objects in the ε-neighbourhood of $x_i$ is greater than $\rho$, $x_i$ is called a core object, where $\rho$ is the minimum object parameter.
The invention also discloses a data service-oriented adaptive intrusion response game system, comprising:
a game model generator, which, when an intrusion attack is detected, defines variables according to the IDS response and the impact caused by the user's intrusion and builds a game model;
a mixed strategy generator, which establishes the payoff functions of the detection system and the user on the basis of the game model and expected utility theory, solves the payoff functions for the mixed-strategy Nash equilibrium of the game model, and derives the optimal mixed strategy from that equilibrium;
an alarm unit, which responds according to the optimal mixed strategy.
Further, the system also comprises:
a data filter, which, after an alarm, screens the data collected from the data service to obtain the core objects;
a target identifier, which groups all core objects with their corresponding density-reachable data objects; the remaining ungrouped data objects are abnormal data;
a data restorer, which removes the abnormal data and replaces it with the mean of the normal data sets of the different data types in order to carry out normal operation.
Beneficial effects: the present invention proposes a data service-oriented adaptive intrusion response game method and system, mainly intended to solve the problem of adaptively responding to network attacks on data services. With the proposed method the current power grid environment can be checked for security; the behaviour of the detection system and of the attacker is quantified using ideas from game theory, so that the system arrives at the best response and uses computing resources effectively; the attacked data is then further processed with the DBSCAN algorithm, thereby ensuring safe and reliable operation of the grid;
The mixed strategy generator of the invention formulates the mixed strategies of both players from their game model; the expected utility function follows from the payoff relationship between the detection system and the user, and solving both players' payoff functions then yields the mixed-strategy Nash equilibrium, which supports the system's subsequent response;
The data filter of the invention mainly clusters the data with the DBSCAN algorithm: it marks all initialized data as unread, defines the ε-neighborhood, screens out the core objects, takes from the data set D a data set D_i containing an arbitrary number of data objects p, marks D_i as read, and judges each data object p by the ε and ρ parameters, thereby separating the different types of data;
The target identifier of the invention, under the condition that the intersection of two adjacent data sets is empty and once all data has been marked as read, takes one core object as a seed and groups all points density-reachable from that object into one class, forming a larger cluster. Repeating this cycle ultimately achieves the identification of abnormal data.
Description of the drawings
Figure 1 is an architecture diagram of the invention;
Figure 2 is a schematic flow diagram of the invention.
Detailed description
The technical solution of the invention is further described below with reference to the drawings and embodiments.
The big data in an active distribution network is of many types, many dimensions and large volume, and is of great value to enterprises and users alike. Assuming the grid is attacked while data services are being provided, the invention draws on game theory to evaluate the potential threat the system faces under attack and the cost of the system's response, then builds a mathematical model of the conflict of interest between the data intrusion detection system and the end users at each link of the energy Internet and adjusts the response strategy in time, thereby achieving adaptive intrusion response; the DBSCAN algorithm is then used to screen out the attacked data.
As shown in Figure 2, a data service-oriented adaptive intrusion response game method of the invention comprises the following steps:
Step 1: detect the intrusion attack behaviour;
Step 2: based on the IDS response and the impact caused by the user's intrusion, quantitatively analyse the gains and losses of both parties and define the following variables: B_e is the positive utility the user gains from a successful intrusion, N is the cost of executing one intrusion response, R_i is the negative utility that punishment imposes on the intruder, K_d is the recovery of the data after successful detection, H_j is the damage cost a successful intrusion inflicts on the data, and p is the probability that the data intrusion detection system responds successfully, 0 < p ≤ 1. These parameters satisfy B_e, N, K_d, R_i > 0, B_e < R_i, N < K_d and K_d < H_j. The game model of the two players is built on these constraints, as shown in Table 1:
Table 1: game model of intrusion detection and response
Figure PCTCN2021079481-appb-000005
Step 3: assume the detection system's mixed strategy is (θ, 1-θ), i.e. the system alarms with probability θ and does not alarm with probability (1-θ), and the user's mixed strategy is (γ, 1-γ), i.e. the user intrudes with probability γ and performs normal activity with probability (1-γ); using expected utility theory, derive the payoff functions g_system and g_user of the detection system and the user:
g_system = θ{[H_j + p(-K_d + N)γ + N(1-γ)]}   (1)
g_user = γ{[pR_i + (1-p)(-B_e)]θ + (-B_e)(1-θ)}   (2)
Take the partial derivative of g_system with respect to θ and set it to zero, and take the partial derivative of g_user with respect to γ and set it to zero, giving:
Figure PCTCN2021079481-appb-000006
Figure PCTCN2021079481-appb-000007
from which:
Figure PCTCN2021079481-appb-000008
Figure PCTCN2021079481-appb-000009
so the mixed-strategy Nash equilibrium is:
Figure PCTCN2021079481-appb-000010
When p approaches 0, i.e. the probability that the detection system responds successfully is almost zero, the value of γ* approaches 1, meaning the user will almost always choose to intrude. Since N < K_d, the value of γ* decreases as p increases; when p reaches 1, the value of γ* equals
Figure PCTCN2021079481-appb-000011
and the best response strategy can be obtained;
When the user's intrusion probability γ is less than γ*, the optimal choice of the detection system is not to alarm; when γ is greater than or equal to γ*, the optimal choice of the detection system is to alarm.
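The mixed-strategy equilibrium described in steps 2 to 3 and in the summary above, as an added Python example that is not part of the patent. The patent's closed-form equations (3) to (7) appear on this page only as images, so the example derives the indifference points directly from the payoff functions (1) and (2) as printed and checks them numerically against those functions. `GameParams`, `gamma_star`, `theta_star`, `best_response` and the parameter values in `main` are names and numbers introduced here for illustration.

```python
"""Mixed-strategy equilibrium of the intrusion detection/response game.

Added example, not the patent's own code. Payoffs follow equations (1) and (2)
exactly as printed on the page; the closed forms below are derived from them.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class GameParams:
    B_e: float   # positive utility the user gains from a successful intrusion
    N: float     # cost of executing one intrusion response
    R_i: float   # negative utility punishment imposes on the intruder
    K_d: float   # recovery of the data after successful detection
    H_j: float   # damage cost a successful intrusion inflicts on the data
    p: float     # probability that the detection system responds successfully

    def __post_init__(self) -> None:
        # Constraints stated in the patent: B_e, N, K_d, R_i > 0,
        # B_e < R_i, N < K_d, K_d < H_j, 0 < p <= 1.
        if min(self.B_e, self.N, self.K_d, self.R_i) <= 0:
            raise ValueError("B_e, N, K_d, R_i must be positive")
        if not (self.B_e < self.R_i and self.N < self.K_d < self.H_j):
            raise ValueError("need B_e < R_i and N < K_d < H_j")
        if not 0 < self.p <= 1:
            raise ValueError("need 0 < p <= 1")


def g_system(q: GameParams, theta: float, gamma: float) -> float:
    """Equation (1): expected payoff of the detection system."""
    return theta * (q.H_j + q.p * (-q.K_d + q.N) * gamma + q.N * (1 - gamma))


def g_user(q: GameParams, theta: float, gamma: float) -> float:
    """Equation (2): expected payoff of the user."""
    return gamma * ((q.p * q.R_i + (1 - q.p) * (-q.B_e)) * theta
                    + (-q.B_e) * (1 - theta))


def gamma_star(q: GameParams) -> float:
    """Intrusion probability at which d g_system / d theta = 0.

    The bracket of (1) is (H_j + N) - gamma * (N + p(K_d - N)); its root is
    gamma* = (H_j + N) / (N + p(K_d - N)). With N < K_d it decreases as p
    grows, and at p = 1 it equals (H_j + N) / K_d, matching the page's text.
    """
    return (q.H_j + q.N) / (q.N + q.p * (q.K_d - q.N))


def theta_star(q: GameParams) -> float:
    """Alarm probability at which d g_user / d gamma = 0.

    The bracket of (2) is theta * p(R_i + B_e) - B_e; its root is
    theta* = B_e / (p(R_i + B_e)).
    """
    return q.B_e / (q.p * (q.R_i + q.B_e))


def threshold_is_probability(q: GameParams) -> bool:
    """True when gamma* lies in [0, 1] and can be compared with a real intrusion probability."""
    return 0.0 <= gamma_star(q) <= 1.0


def best_response(q: GameParams, gamma: float) -> str:
    """Decision rule of step 5: alarm iff the user's intrusion probability gamma >= gamma*."""
    if not 0.0 <= gamma <= 1.0:
        raise ValueError("gamma must be a probability")
    return "alarm" if gamma >= gamma_star(q) else "no alarm"


if __name__ == "__main__":
    # Constructed parameter values satisfying the patent's constraints.
    params = GameParams(B_e=2.0, N=1.0, R_i=5.0, K_d=4.0, H_j=6.0, p=0.9)
    gs, ts = gamma_star(params), theta_star(params)
    print(f"gamma* = {gs:.4f}  theta* = {ts:.4f}")
    print("system indifferent at gamma*:", abs(g_system(params, 1.0, gs)) < 1e-9)
    print("user indifferent at theta*:  ", abs(g_user(params, ts, 1.0)) < 1e-9)
    print("gamma* is a probability:", threshold_is_probability(params))
    for g in (0.1, 0.5, 0.9):
        print(f"gamma = {g}: {best_response(params, g)}")
```

One point worth checking before using the rule in practice: because the page requires H_j > K_d > N, the denominator N + p(K_d - N) is at most K_d, so the root of (1) as printed always exceeds 1 and `best_response` returns "no alarm" for every valid γ. `threshold_is_probability` exposes this, and `gamma_star` is the single place to substitute the patent's own closed-form threshold (shown only as an image on this page) where it differs from what (1) as printed gives.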
Step 4: determine whether the detection system alarms; if it does, proceed to step 5, otherwise the system continues detecting and returns to step 1 when an intrusion attack is found;
Step 5: initialize the data set D collected from the data service and mark all data objects as unread; define the ε-neighborhood through the Minkowski distance formula:
N_ε(x_i) = {x_j ∈ D | dist(x_i, x_j) ≤ ε}   (8)
where N_ε(x_i) denotes the set of all data objects in the ε-neighborhood, ε is the radius parameter, and ρ is defined as the minimum-objects parameter. When the number of data objects in the ε-neighborhood of x_i is greater than ρ, x_i is called a core object.
Step 6: take from D a data set D_i containing an arbitrary number of data objects m, where D_i ∈ D, i = 1, 2, 3, ..., and mark D_i as read; judge each data object m by the radius parameter ε and the minimum-objects parameter ρ: if m is a core object, find all data objects density-reachable from m and mark them as read; if m is not a core object and m is not density-reachable from any data object, mark m as noise data;
Step 7: under the condition that
Figure PCTCN2021079481-appb-000012
holds, repeat step 6 until all data objects are marked as read;
Step 8: take one core object as a seed and group all data objects density-reachable from that core object into one class, forming a larger data object set, also called a cluster;
Step 9: repeat step 8 until all core objects have been traversed; the remaining data not assigned to any class is abnormal data.
Step 10: take the mean of all density-reachable data of all core objects and use it to replace the abnormal data, then carry out normal operation.
Step 11: the loop ends.
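The screening and repair procedure of steps 5 to 10 (the same procedure as S1 to S5 in the summary, and the work of the data filter, target identifier and data restorer described below), as an added Python example that is not part of the patent. It implements equation (8) for any Minkowski order r and any number of dimensions, the page's strict "more than ρ" core-object test, density-reachable expansion from each core seed, and the replacement of abnormal objects by the mean of all density-reachable data. The sample readings, the ε and ρ values and the Minkowski order are constructed for illustration.

```python
"""DBSCAN-based screening and repair of attacked data service records.

Added example, not the patent's own code. SAMPLE is a constructed data set.
"""
from collections import deque
from typing import List, Sequence, Tuple

Point = Tuple[float, ...]

# Constructed sample: two dense groups of (voltage, current) readings plus two
# injected outliers at indices 5 and 10.
SAMPLE: List[Point] = [
    (220.0, 10.0), (220.5, 10.2), (219.8, 9.9), (220.2, 10.1), (219.6, 10.3),
    (250.0, 30.0),
    (110.0, 5.0), (110.3, 5.1), (109.7, 4.9), (110.1, 5.2),
    (0.0, 0.0),
]


def minkowski(a: Point, b: Point, r: float = 2.0) -> float:
    """Minkowski distance of order r (r = 2 is Euclidean, r = 1 is Manhattan)."""
    return sum(abs(x - y) ** r for x, y in zip(a, b)) ** (1.0 / r)


def eps_neighborhood(data: Sequence[Point], i: int, eps: float, r: float = 2.0) -> List[int]:
    """Equation (8): indices of all objects within distance eps of data[i] (i itself included)."""
    return [j for j in range(len(data)) if minkowski(data[i], data[j], r) <= eps]


def core_objects(data: Sequence[Point], eps: float, rho: int, r: float = 2.0) -> List[int]:
    """Core object: its eps-neighborhood holds more than rho objects (the page's strict '>')."""
    return [i for i in range(len(data)) if len(eps_neighborhood(data, i, eps, r)) > rho]


def dbscan(data: Sequence[Point], eps: float, rho: int, r: float = 2.0):
    """Steps 6-9. Returns (labels, clusters, noise); labels[i] is a cluster id or -1.

    Every object starts unread. Each unread core object seeds a cluster that
    absorbs everything density-reachable from it; reachability propagates only
    through core objects, so border objects join a cluster but do not extend it.
    Objects never reached from any core object are the abnormal data.
    """
    n = len(data)
    cores = set(core_objects(data, eps, rho, r))
    labels = [-1] * n
    read = [False] * n
    clusters: List[List[int]] = []
    for seed in range(n):
        if read[seed] or seed not in cores:
            continue
        cid = len(clusters)
        members: List[int] = []
        queue = deque([seed])
        read[seed] = True
        while queue:
            m = queue.popleft()
            labels[m] = cid
            members.append(m)
            if m in cores:
                for j in eps_neighborhood(data, m, eps, r):
                    if not read[j]:
                        read[j] = True
                        queue.append(j)
        clusters.append(members)
    noise = [i for i in range(n) if labels[i] == -1]
    return labels, clusters, noise


def repair(data: Sequence[Point], eps: float, rho: int, r: float = 2.0):
    """Step 10: replace abnormal objects with the mean of all density-reachable data."""
    _, clusters, noise = dbscan(data, eps, rho, r)
    reachable = [data[i] for cluster in clusters for i in cluster]
    if not reachable:                      # no core object at all: nothing to repair with
        return list(data), noise
    dims = len(data[0])
    mean = tuple(sum(pt[d] for pt in reachable) / len(reachable) for d in range(dims))
    noisy = set(noise)
    repaired = [mean if i in noisy else data[i] for i in range(len(data))]
    return repaired, noise


if __name__ == "__main__":
    labels, clusters, noise = dbscan(SAMPLE, eps=1.0, rho=2)
    print("core objects:", core_objects(SAMPLE, 1.0, 2))
    print("clusters:", clusters)
    print("abnormal indices:", noise)
    repaired, _ = repair(SAMPLE, eps=1.0, rho=2)
    for i in noise:
        print(f"{SAMPLE[i]} -> {tuple(round(v, 3) for v in repaired[i])}")
```

With ε = 1.0 and ρ = 2 the two groups become clusters of five and four readings, the two outliers are never reached from a core object and are reported as abnormal, and `repair` overwrites them with the mean of the nine clustered readings, which is the step 10 rule as the page states it (one global mean, not a per-cluster mean).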
The architecture of the system implementing the above data service-oriented adaptive intrusion response game method is as follows:
As shown in Figure 1, it mainly comprises four parts: a game model generator, a mixed strategy generator, a data filter, a target identifier and a data restorer. The game model generator analyses the gains of both parties when the system detects an attack, yielding the game model between the system and the user; the mixed strategy generator derives the system's optimal decision from the game model; the data filter screens the core objects out of the collected data; the target identifier groups all core objects, the remaining ungrouped data being abnormal data; and the data restorer takes the mean of the normal data sets of the different data types to replace the abnormal data and carry out normal operation. The details are as follows:
The game model generator mainly performs a quantitative analysis of the gains and losses of both parties when the data detection system detects an attack, defining variables based on the IDS response and the impact caused by the user's intrusion: the positive utility the user gains from a successful intrusion is denoted B_e; the cost of executing one intrusion response is denoted N; R_i denotes the negative utility that punishment imposes on the intruder; K_d denotes the recovery of the data after successful detection; H_j denotes the damage cost a successful intrusion inflicts on the data; p denotes the probability that the data intrusion detection system responds successfully (0 < p ≤ 1). These parameters satisfy B_e, N, R_i, K_d > 0, B_e < R_i, N < K_d and K_d < H_j. From these constraints between the user and the detection system the game model of the two players is finally built; see Table 1.
The mixed strategy generator mainly formulates the mixed strategies of the detection system and the user from the game model of the two players. The expected utility function is used to solve both players' payoff matrices and obtain the mixed-strategy Nash equilibrium point, from which the system's optimal strategy is known, supporting the system's subsequent response. The data filter mainly marks all initialized data as unread and defines the ε-neighborhood; when the number of data objects in the ε-neighborhood of object x_i exceeds the minimum-objects parameter ρ, i.e. |N_ε(x_i)| > ρ, x_i is called a core object. In a data set not all data objects are core objects; there are also border objects and noise objects. A border object is a data object that is not a core object but lies in the ε-neighborhood of some core object; a noise object is a data object that is neither a core object nor in the ε-neighborhood of any core object;
A data set D_i containing an arbitrary number of data objects m is taken from D, where D_i ∈ D, i = 1, 2, 3, ..., and D_i is marked as read. Each data object m is judged by the ε and ρ parameters: if m is a core object, all data objects density-reachable from m are found and marked as read; if m is not a core object and is not density-reachable from any object, m is marked as noise data, thereby separating the different types of data.
The target identifier is used, under the condition that
Figure PCTCN2021079481-appb-000013
holds and once all data has been marked as read, to take one core object as a seed and group all points density-reachable from that object into one class, forming a larger data object set, also called a cluster. This is repeated until all core objects have been traversed; the remaining data not assigned to any class is then abnormal data.
The data restorer removes the identified abnormal data and replaces it with the arithmetic mean of the normal data sets of the different data types in order to carry out normal operation.

Claims (5)

  1. A data service-oriented adaptive intrusion response game method, characterized in that it comprises the following steps:
    Step 1: detect the intrusion attack behaviour;
    Step 2: define variables according to the IDS response and the impact caused by the user's intrusion, and build a game model; the variables comprise: the positive utility the user gains from a successful intrusion, the cost of executing one intrusion response, the negative utility that punishment imposes on the intruder, the recovery of the data after successful detection, the damage cost a successful intrusion inflicts on the data, and the probability that the data intrusion detection system responds successfully;
    Step 3: establish the payoff functions g_system and g_user of the detection system and the user on the basis of the game model and expected utility theory:
    g_system = θ{[H_j + p(-K_d + N)γ + N(1-γ)]}  (1)
    g_user = γ{[pR_i + (1-p)(-B_e)]θ + (-B_e)(1-θ)}  (2)
    where B_e is the positive utility the user gains from a successful intrusion, N is the cost of executing one intrusion response, R_i is the negative utility that punishment imposes on the intruder, K_d is the recovery of the data after successful detection, H_j is the damage cost a successful intrusion inflicts on the data, p is the probability that the data intrusion detection system responds successfully, θ is the probability that the detection system chooses to alarm, 1-θ the probability that it chooses not to alarm, γ is the probability that the user carries out an intrusion, and 1-γ the probability that the user performs normal activity; with B_e, N, K_d, R_i > 0, B_e < R_i, N < K_d, K_d < H_j and 0 < p ≤ 1;
    Step 4: take the partial derivative of the detection system's payoff function g_system with respect to θ and set it to zero, and take the partial derivative of the user's payoff function g_user with respect to γ and set it to zero, obtaining:
    Figure PCTCN2021079481-appb-100001
    Figure PCTCN2021079481-appb-100002
    Step 5: determine whether the user's intrusion probability γ is below the threshold γ*; if it is, the detection system's optimal choice is not to alarm, otherwise its optimal choice is to alarm; when the detection system chooses to alarm, it responds to the data service attack, and if it does not alarm, normal operation continues;
    where the value of γ* equals
    Figure PCTCN2021079481-appb-100003
  2. The data service-oriented adaptive intrusion response game method according to claim 1, characterized in that, in step 5, responding to the data service attack specifically comprises the following steps:
    S1: collect the data in the data service to form a data set D, mark all data objects in D as unread, and screen the core objects out of all data objects by defining an ε-neighborhood;
    S2: take a subset D_i from D and mark all data objects in D_i as read; determine whether a data object m in D_i is a core object; if so, find all data objects density-reachable from m and mark them as read; otherwise mark m as noise data;
    S3: under the condition that
    Figure PCTCN2021079481-appb-100004
    holds, repeat S2 until all data objects are marked as read, then execute S4;
    S4: group all data objects density-reachable from each core object into one class, forming a data object set; after all core objects have been traversed, the remaining data not assigned to any class is abnormal data;
    S5: replace the abnormal data with the mean of all density-reachable data corresponding to all core objects, carry out normal operation, and end the attack response.
  3. The data service-oriented adaptive intrusion response game method according to claim 2, characterized in that, in S1, the ε-neighborhood is defined using the Minkowski distance formula:
    N_ε(x_i) = {x_j ∈ D | dist(x_i, x_j) ≤ ε}  (8)
    where N_ε(x_i) denotes the set of all data objects in the ε-neighborhood of data object x_i, and ε is the radius parameter;
    When the number of data objects in the ε-neighborhood of x_i is greater than ρ, x_i is called a core object, where ρ is the minimum-objects parameter.
  4. An intrusion response game system based on the data service-oriented adaptive intrusion response game method according to any one of claims 1 to 3, characterized in that it comprises:
    a game model generator, which, when an intrusion attack is detected, defines variables according to the IDS response and the impact caused by the user's intrusion and builds a game model;
    a mixed strategy generator, which establishes the payoff functions of the detection system and the user on the basis of the game model and expected utility theory, solves the payoff functions for the mixed-strategy Nash equilibrium of the game model, and derives the optimal mixed strategy from that equilibrium;
    an alarm unit, which responds according to the optimal mixed strategy.
  5. The intrusion response game system according to claim 4, characterized in that it further comprises:
    a data filter, which, after an alarm, screens the data collected from the data service to obtain the core objects;
    a target identifier, which groups all core objects with their corresponding density-reachable data objects; the remaining ungrouped data objects are abnormal data;
    a data restorer, which removes the abnormal data and replaces it with the mean of all density-reachable data corresponding to all core objects in order to carry out normal operation.
PCT/CN2021/079481 2020-03-09 2021-03-08 Data service-oriented adaptive intrusion response game method and system thereof WO2021180017A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010156384.1A CN111464501A (en) 2020-03-09 2020-03-09 Data service-oriented adaptive intrusion response gaming method and system thereof
CN202010156384.1 2020-03-09

Publications (1)

Publication Number Publication Date
WO2021180017A1 true WO2021180017A1 (en) 2021-09-16

Family

ID=71680011

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/079481 WO2021180017A1 (en) 2020-03-09 2021-03-08 Data service-oriented adaptive intrusion response game method and system thereof

Country Status (2)

Country Link
CN (1) CN111464501A (en)
WO (1) WO2021180017A1 (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114157478A (en) * 2021-12-01 2022-03-08 浙江大学 False data injection attack defense method based on differential game
CN114221819A (en) * 2021-12-30 2022-03-22 全球能源互联网研究院有限公司 Network scanning method and device based on game theory
CN114826737A (en) * 2022-04-26 2022-07-29 天津大学 Scale-free network defense performance improving method based on AI-assisted game
CN114826732A (en) * 2022-04-25 2022-07-29 南京大学 Dynamic detection and tracing method for android system privacy stealing behavior
CN115118495A (en) * 2022-06-27 2022-09-27 西安电子科技大学 User information intrusion detection method based on empirical mode decomposition and spectral characteristic quantity detection
CN115296830A (en) * 2022-05-27 2022-11-04 南京邮电大学 Network collaborative attack modeling and harm quantitative analysis method based on game theory

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111464501A (en) * 2020-03-09 2020-07-28 南京邮电大学 Data service-oriented adaptive intrusion response gaming method and system thereof

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102314569A (en) * 2011-09-19 2012-01-11 南京大学 Method for dynamic intrusion response
US20170257396A1 (en) * 2016-03-01 2017-09-07 Intelligent Fusion Technology, Inc Methods and systems providing cyber security
CN109710754A (en) * 2018-11-12 2019-05-03 中国科学院信息工程研究所 A kind of group abnormality behavioral value method based on depth structure study
CN111464501A (en) * 2020-03-09 2020-07-28 南京邮电大学 Data service-oriented adaptive intrusion response gaming method and system thereof

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106789906A (en) * 2016-11-22 2017-05-31 全球能源互联网研究院 Betting data analysis method and device
CN107612878B (en) * 2017-07-21 2020-08-25 西安电子科技大学 Dynamic window selection method based on game theory and wireless network trust management system
CN108366047B (en) * 2018-01-08 2019-08-27 南京邮电大学 Active power distribution network data safety high efficiency of transmission optimization method and device based on game theory

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102314569A (en) * 2011-09-19 2012-01-11 南京大学 Method for dynamic intrusion response
US20170257396A1 (en) * 2016-03-01 2017-09-07 Intelligent Fusion Technology, Inc Methods and systems providing cyber security
CN109710754A (en) * 2018-11-12 2019-05-03 中国科学院信息工程研究所 A kind of group abnormality behavioral value method based on depth structure study
CN111464501A (en) * 2020-03-09 2020-07-28 南京邮电大学 Data service-oriented adaptive intrusion response gaming method and system thereof

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
GUO YUAN-BO, MA JIAN-FENG: "Game theoretical framework for adaptive intrusion detection and response", SYSTEMS ENGINEERING AND ELECTRONICS, GAI KAN BIANJIBU, BEIJING, CN, vol. 27, no. 5, 20 May 2005 (2005-05-20), CN, pages 914 - 917, XP055846783, ISSN: 1001-506X *

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114157478A (en) * 2021-12-01 2022-03-08 浙江大学 False data injection attack defense method based on differential game
CN114157478B (en) * 2021-12-01 2022-10-18 浙江大学 False data injection attack defense method based on differential game
CN114221819A (en) * 2021-12-30 2022-03-22 全球能源互联网研究院有限公司 Network scanning method and device based on game theory
CN114221819B (en) * 2021-12-30 2023-07-28 全球能源互联网研究院有限公司 Network scanning method and device based on game theory
CN114826732A (en) * 2022-04-25 2022-07-29 南京大学 Dynamic detection and tracing method for android system privacy stealing behavior
CN114826737A (en) * 2022-04-26 2022-07-29 天津大学 Scale-free network defense performance improving method based on AI-assisted game
CN115296830A (en) * 2022-05-27 2022-11-04 南京邮电大学 Network collaborative attack modeling and harm quantitative analysis method based on game theory
CN115296830B (en) * 2022-05-27 2024-02-13 南京邮电大学 Network collaborative attack modeling and hazard quantitative analysis method based on game theory
CN115118495A (en) * 2022-06-27 2022-09-27 西安电子科技大学 User information intrusion detection method based on empirical mode decomposition and spectral characteristic quantity detection
CN115118495B (en) * 2022-06-27 2023-08-22 西安电子科技大学 User information intrusion detection method based on empirical mode decomposition and spectrum characteristic quantity detection

Also Published As

Publication number Publication date
CN111464501A (en) 2020-07-28

Similar Documents

Publication Publication Date Title
WO2021180017A1 (en) Data service-oriented adaptive intrusion response game method and system thereof
Xin et al. Machine learning and deep learning methods for cybersecurity
CN111614627B (en) SDN-oriented cross-plane cooperation DDOS detection and defense method and system
Praveena et al. Optimal deep reinforcement learning for intrusion detection in UAVs
Zhe et al. DoS attack detection model of smart grid based on machine learning method
Ullah et al. A filter-based feature selection model for anomaly-based intrusion detection systems
Satpute et al. A survey on anomaly detection in network intrusion detection system using particle swarm optimization based machine learning techniques
Stampar et al. Artificial intelligence in network intrusion detection
Lu et al. Intrusion detection of wireless sensor networks based on IPSO algorithm and BP neural network
Zuo et al. Power information network intrusion detection based on data mining algorithm
Milan et al. Reducing false alarms in intrusion detection systems–a survey
Yu et al. An Intrusion Detection Algorithm Based on Feature Graph.
Gao et al. Anomaly traffic detection in IoT security using graph neural networks
Chen et al. Dynamic threshold strategy optimization for security protection in Internet of Things: An adversarial deep learning‐based game‐theoretical approach
Xu Research on network intrusion detection method based on machine learning
Moulad et al. Implementation of a hierarchical hybrid intrusion detection mechanism in wireless sensors network
Kaur et al. Multidimensional attacks classification based on genetic algorithm and SVM
Khaleefah et al. Detection of iot botnet cyber attacks using machine learning
CN115296830B (en) Network collaborative attack modeling and hazard quantitative analysis method based on game theory
Yu A new model of intelligent hybrid network intrusion detection system
Zhang et al. Network security situation awareness technology based on multi-source heterogeneous data
Ming Computer network security evaluation based on intelligent algorithm
Dong A malicious intrusion detection model of network communication in cloud data center
Cui et al. Multi-layer anomaly detection for internet traffic based on data mining
Mohamed et al. Optimal Wavelet Neural Network-Based Intrusion Detection in Internet of Things Environment.

Legal Events

Date | Code | Title | Description
121 | EP: The EPO has been informed by WIPO that EP was designated in this application
Ref document number: 21766862
Country of ref document: EP
Kind code of ref document: A1

NENP | Non-entry into the national phase
Ref country code: DE

122 | EP: PCT application non-entry in European phase
Ref document number: 21766862
Country of ref document: EP
Kind code of ref document: A1