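1. School of Cyberspace Security, Hangzhou Dianzi University, Hangzhou, Zhejiang 310018
2. Hangzhou Innovation Institute, Beihang University, Hangzhou, Zhejiang 310051
Ting WU (1972- ), male, born in Hangzhou, Zhejiang, Ph.D., professor and doctoral supervisor at Hangzhou Dianzi University. His main research interests are mimic security, theoretical cryptography and industrial control security.
Chengnan HU (1996- ), male, born in Hangzhou, Zhejiang, master's student at Hangzhou Dianzi University. His main research interests are mimic security and industrial control security.
Qingnan CHEN (1994- ), male, born in Ningbo, Zhejiang, master's student at Hangzhou Dianzi University. His main research interests are mimic security and industrial control security.
Anbang CHEN (1996- ), male, born in Xinyang, Henan, master's student at Hangzhou Dianzi University. His main research interests are mimic security and industrial control security.
Qiuhua ZHENG (1973- ), male, born in Hangzhou, Zhejiang, Ph.D., lecturer at Hangzhou Dianzi University. His main research interests are theoretical analysis of mimic security, attack and defense techniques for mimic Web services, and industrial control security.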
Online publication date: 2021-03
Print publication date: 2021-03-25
Ting WU, Chengnan HU, Qingnan CHEN, et al. Defense-enhanced dynamic heterogeneous redundancy architecture based on executor partition[J]. Journal on Communications, 2021, 42(3): 122-134. DOI: 10.11959/j.issn.1000-436x.2021022.
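To address the vulnerability of a DHR system whose service executors face a common vulnerability, an improved DHR architecture, IDHR, is proposed. Building on DHR, the architecture first introduces an executor partition module that divides the executor set according to the heterogeneity among executors, which greatly increases the heterogeneity among the resulting executor pools. On this basis, the dynamic selection algorithm in the scheduling module is improved: executor pools are chosen at random first, and executors are then chosen at random from within those pools, which improves the security of the DHR system under common vulnerabilities. Finally, two experimental schemes, randomly simulated executors and emulated Web servers, are used to evaluate the security of the proposed IDHR architecture in terms of attack success rate and controlled rate. The experimental results show that the security of the IDHR architecture, especially when the common vulnerability is unknown, is clearly better than that of the traditional DHR architecture.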
Aiming at the security problem when servants are faced with common vulnerabilities, an improved DHR architecture called IDHR was proposed. On the basis of DHR, an executor-partition module that divided the executor-set into several executor pools by the heterogeneity among the executors was introduced to improve the heterogeneity among the executor pools. Moreover, the scheduling algorithm was improved by choosing executor pools randomly at first, and then choosing the executors from these pools randomly. Finally, through two experimental schemes of random simulation and Web server emulation, the security evaluation of the proposed IDHR architecture was carried out from two aspects of attack success rate and control rate. Experimental results show that the security of the IDHR architecture, especially when the common vulnerability is unknown, is significantly better than the traditional DHR architecture.
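The two-stage selection described in the abstract can be compared with flat random selection by exact enumeration. The following is an added example, not code or data from the paper: the pool layout, executor names, the majority-vote arbiter and the model of which executors share a vulnerability are all assumptions made for illustration, and the paper's own experiments use simulation rather than this enumeration.

```python
from fractions import Fraction
from itertools import combinations, product

# Constructed layout (assumption): 4 pools of 3 similar executors each.
POOLS = [["a1", "a2", "a3"], ["b1", "b2", "b3"],
         ["c1", "c2", "c3"], ["d1", "d2", "d3"]]
# Common vulnerability confined to one pool (partition worked as intended).
CONTAINED = {"a1", "a2", "a3"}
# Common vulnerability that also reaches one executor in another pool.
LEAKY = {"a1", "a2", "a3", "b1"}

def majority_compromised(selected, vulnerable):
    """Assumed arbiter: the attack wins if most selected executors are hit."""
    hit = sum(1 for e in selected if e in vulnerable)
    return hit * 2 > len(selected)

def dhr_attack_probability(pools, vulnerable, k):
    """Flat selection: k executors drawn uniformly from the whole set."""
    executors = [e for pool in pools for e in pool]
    draws = list(combinations(executors, k))
    wins = sum(majority_compromised(d, vulnerable) for d in draws)
    return Fraction(wins, len(draws))

def idhr_attack_probability(pools, vulnerable, k):
    """Two-stage selection: k pools at random, then one executor per pool."""
    pool_sets = list(combinations(pools, k))
    total = Fraction(0)
    for chosen in pool_sets:
        draws = list(product(*chosen))  # one executor from each chosen pool
        wins = sum(majority_compromised(d, vulnerable) for d in draws)
        total += Fraction(wins, len(draws)) / len(pool_sets)
    return total

if __name__ == "__main__":
    for name, vuln in (("contained", CONTAINED), ("leaky", LEAKY)):
        print(name,
              "DHR:", dhr_attack_probability(POOLS, vuln, 3),
              "IDHR:", idhr_attack_probability(POOLS, vuln, 3))
```

Under these assumptions, a vulnerability confined to one pool can never reach a voting majority with two-stage selection, and one that leaks across pools still succeeds less often than under flat selection.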