CN108400968A - A kind of efficient method for realizing mimicry defence model distributor - Google Patents

Info

Publication number
CN108400968A
CN108400968A
Authority
CN
China
Prior art keywords
sessionid
distributor
request
virtual
mapping table
Prior art date
Legal status
Granted
Application number
CN201810038734.7A
Other languages
Chinese (zh)
Other versions
CN108400968B (en)
Inventor
张旻
梁惠兵
姜明
胡恩超
汤景凡
Current Assignee
Hangzhou Dianzi University
Original Assignee
Hangzhou Dianzi University
Priority date
2018-01-16
Filing date
2018-01-16
Publication date
2018-08-14
Application filed by Hangzhou Dianzi University
Priority to CN201810038734.7A
Publication of CN108400968A
Application granted
Publication of CN108400968B
Legal status: Expired - Fee Related
Anticipated expiration

Links

Classifications

    • H04L 63/0281 Proxies (under H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls)
    • H04L 61/255 Maintenance or indexing of mapping tables (under H04L 61/2503 Translation of Internet protocol [IP] addresses)
    • H04L 67/142 Managing session states for stateless protocols; signalling session states; state transitions; keeping-state mechanisms (under H04L 67/14 Session management)
    • H04L 67/146 Markers for unambiguous identification of a particular session, e.g. session cookie or URL-encoding (under H04L 67/14 Session management)
    • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] (under H04L 67/01 Protocols)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses an efficient method for implementing a mimic defense model distributor. The steps are as follows. Step (1): each packet sent by a client is stored in the distributor, which maintains a mapping table from virtual SessionIds to real SessionIds; the SessionId in a client request is a virtual SessionId and is replaced by the corresponding real SessionId from the mapping table. Step (2): when a user request is large, the distributor adopts the "header copy, body link" approach: only the HTTP request header is copied, while the request body is referenced by a link (pointer) rather than duplicated. Once the distributor has copied and distributed the request to the N servers, the space occupied by the request can be reclaimed. Step (3): after the two preprocessing steps above, the distributor can efficiently send the user request to the executors at the server back end, realizing the distributor's function. The invention reduces latency and improves efficiency as far as possible, providing a more efficient solution for the whole system.

Description

An Efficient Method for Implementing a Mimic Defense Model Distributor

Technical field

The invention belongs to the technical field of computer software, and in particular to an efficient method for implementing a mimic defense model distributor.

Background

The security problems faced by Web server systems are becoming increasingly serious, while traditional defense technology remains in a passive position and struggles to cope with unknown attack threats. The United States therefore proposed moving target defense (MTD), a "game-changing" direction in network security aimed at the disadvantaged position defenders currently occupy: by implementing continuous, dynamic change, the defender confuses the attacker, raising the cost and complexity of attacks and lowering their success rate.

A mimic defense model based on the "dynamic heterogeneous redundancy" (DHR) structure has been proposed. Under active and passive trigger conditions it dynamically and pseudo-randomly selects among hardware variants and the corresponding software variants for execution, so that the hardware execution environment and software operating state observed by internal and external attackers are highly uncertain, and an attack chain based on vulnerabilities (bugs) or backdoors cannot be constructed, or only with great difficulty, thereby reducing the system's security risk. In its "processing" stage the DHR structure uses a set of heterogeneous executors: the same input is replicated into N copies by an input agent and distributed to N heterogeneous executors in the set for processing, and the processing results are collected by a voter, which votes to produce a single, relatively correct output. This can greatly improve the security of the Web server.

Summary of the invention

The purpose of the invention is to address the deficiencies of the prior art by providing an efficient method for implementing a mimic defense model distributor.

The technical solution adopted by the invention to solve its technical problem comprises the following steps:

Step (1): each packet sent by a client is stored in the distributor. Because the multiple back-end servers each hold their own, different SessionIds, the distributor must maintain a mapping table from virtual SessionIds to real SessionIds. The SessionId in a client request is a virtual SessionId and is replaced by the real SessionId from the mapping table; the key of the mapping table is the virtual SessionId and the value is the N real SessionIds, one per server. The virtual SessionId is generated by the distributor; the HTTP response the client receives contains only this virtual SessionId, and the client only ever uses this virtual SessionId to interact with the server side;

Step (2): when a user request is large, simply copying the request data N times would consume N times the space in the distributor. The "header copy, body link" approach is therefore adopted: only the HTTP request header is copied, since it carries the Cookie, SessionId and similar information that differs per server, while the request body data does not need to change, so only a link (pointer) to the HTTP request body is kept. Once the distributor has copied and distributed the request to the N servers, the space occupied by the request can be reclaimed;

Step (3): after the two preprocessing steps (1) and (2), the distributor can efficiently send the user request to the executors at the server back end, realizing the distributor's function.

Beneficial effects of the invention:

By using a mapping table to maintain the mapping from virtual SessionIds to real SessionIds, and by adopting the "header copy, body link" scheme, the invention implements the distributor module so as to reduce latency and improve efficiency as far as possible, providing a more efficient solution for the whole system.

By means of the mapping table and fine-grained pointer operations, the invention realizes an efficient distributor module for the mimic defense model.

Description of drawings

Fig. 1 is a schematic diagram of the invention.

Detailed description

The invention is further described below in conjunction with the drawing and an embodiment.

As shown in Fig. 1, an efficient method for implementing a mimic defense model distributor comprises the following steps:

Step (1): each packet sent by a client is stored in the distributor. Because the multiple back-end servers each hold their own, different SessionIds, the distributor must maintain a mapping table from virtual SessionIds to real SessionIds. The SessionId in a client request is a virtual SessionId and is replaced by the real SessionId from the mapping table; the key of the mapping table is the virtual SessionId and the value is the N real SessionIds, one per server. The virtual SessionId is generated by the distributor; the HTTP response the client receives contains only this virtual SessionId, and the client only ever uses this virtual SessionId to interact with the server side;

Step (2): when a user request is large, simply copying the request data N times would consume N times the space in the distributor. We therefore adopt the "header copy, body link" approach: only the HTTP request header is copied, since it carries the Cookie, SessionId and similar information, while the request body data does not need to change, so only a link (pointer) to the HTTP request body is kept. Once the distributor has copied and distributed the request to the N servers, the space occupied by the request can be reclaimed;

Step (3): after the two preprocessing steps above, the distributor can efficiently send the user request to the executors at the server back end, realizing the distributor's function.
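The complete flow of steps (1) to (3), as set out in both the summary and this embodiment, as an added example that is not part of the patent and is not the inventors' code. It assumes the session is carried in a cookie named SESSIONID (the patent says only "SessionId" and does not name the cookie), N = 3 back-end executors, and the names Distributor, fan_out, absorb_response and demo, all of which are this example's own choices; the request and response bytes are constructed, not captured traffic. Both directions of the mapping are shown: the client's virtual SessionId is swapped for each server's real SessionId in a per-server header copy, the body is shared through one memoryview into the stored packet, and each server's Set-Cookie is rewritten so the client only ever sees the virtual id.

```python
import secrets
from typing import Dict, List, Optional, Tuple

# Assumed cookie name; the patent only says "SessionId" without naming the cookie.
COOKIE_NAME = b"SESSIONID"


def _find_cookie(head: bytes, header: bytes) -> Optional[bytes]:
    """Return COOKIE_NAME's value from a 'cookie' or 'set-cookie' line of `head`, or None."""
    for line in head.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() != header:
            continue
        for pair in value.split(b";"):
            key, eq, val = pair.strip().partition(b"=")
            if key == COOKIE_NAME and eq:
                return val
    return None


def _rewrite_cookie(head: bytes, header: bytes, new_value: bytes) -> bytes:
    """Copy of `head` in which COOKIE_NAME's value on the `header` line is replaced."""
    out = []
    for line in head.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() == header:
            pairs = []
            for pair in value.split(b";"):
                key, eq, _ = pair.strip().partition(b"=")
                pairs.append(key + b"=" + new_value if key == COOKIE_NAME and eq else pair.strip())
            line = name + b": " + b"; ".join(pairs)
        out.append(line)
    return b"\r\n".join(out)


class Distributor:
    """Steps (1)-(3): session mapping table plus 'header copy, body link' fan-out."""

    def __init__(self, n_backends: int):
        self.n = n_backends
        # key: virtual SessionId issued by the distributor; value: the real SessionId
        # of each of the N servers (None until that server has issued one).
        self.table: Dict[bytes, List[Optional[bytes]]] = {}

    def new_virtual_session(self) -> bytes:
        # The virtual id is the only session credential the client ever holds,
        # so it is a CSPRNG token, not a counter.
        vid = secrets.token_urlsafe(24).encode()
        self.table[vid] = [None] * self.n
        return vid

    def fan_out(self, raw_request: bytes) -> List[Tuple[bytes, memoryview]]:
        """Return N (header copy, body link) pairs, one per back-end executor."""
        idx = raw_request.find(b"\r\n\r\n")
        if idx < 0:
            raise ValueError("incomplete HTTP request head")
        head = raw_request[:idx]
        vid = _find_cookie(head, b"cookie")
        if vid is not None and vid not in self.table:
            # Never forward an id the distributor did not issue: a client must not be
            # able to plant its own table entry or reach a backend with a guessed id.
            raise PermissionError("unknown virtual SessionId")
        # Step (2), "body link": one view into the stored packet shared by all N
        # copies; the body itself is never duplicated.
        shared_body = memoryview(raw_request)[idx + 4:]
        copies = []
        for i in range(self.n):
            real = self.table[vid][i] if vid is not None else None
            # "header copy": only the header differs per server (real SessionId).
            head_i = _rewrite_cookie(head, b"cookie", real) if real is not None else head
            copies.append((head_i + b"\r\n\r\n", shared_body))
        return copies

    def absorb_response(self, vid: bytes, backend: int, raw_response: bytes) -> bytes:
        """Record the real SessionId server `backend` issued and hide it behind `vid`."""
        head, sep, body = raw_response.partition(b"\r\n\r\n")
        real = _find_cookie(head, b"set-cookie")
        if real is not None:
            self.table[vid][backend] = real
            head = _rewrite_cookie(head, b"set-cookie", vid)
        return head + sep + body


def rejects_unknown_id(d: Distributor) -> bool:
    """True if a client-chosen SessionId the distributor never issued is refused."""
    try:
        d.fan_out(b"GET / HTTP/1.1\r\nCookie: SESSIONID=attacker-chosen\r\n\r\n")
        return False
    except PermissionError:
        return True


def demo() -> dict:
    """Run the exchange on constructed traffic (not captured data) and report the checks."""
    n, leaked_real_id = 3, False
    d = Distributor(n)
    vid = d.new_virtual_session()
    for i in range(n):
        # Each server issues its own real id in its login response (constructed).
        resp = (b"HTTP/1.1 200 OK\r\nSet-Cookie: SESSIONID=real%d; Path=/; HttpOnly\r\n"
                b"Content-Length: 2\r\n\r\nok") % i
        leaked_real_id |= (b"real%d" % i) in d.absorb_response(vid, i, resp)
    body = b"A" * (1 << 20)  # 1 MiB upload body, constructed
    req = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\nCookie: theme=dark; SESSIONID=" + vid
           + b"\r\nContent-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)
    copies = d.fan_out(req)
    return {
        "heads": [h for h, _ in copies],
        "real_ids": [_find_cookie(h, b"cookie") for h, _ in copies],
        "body_shared": all(b.obj is req for _, b in copies),  # one buffer, not N copies
        "leaked_real_id": leaked_real_id,
        "rejects_unknown_id": rejects_unknown_id(d),
    }
```

Each `(head_i, shared_body)` pair can be written to server i with a gather write such as `socket.sendmsg([head_i, shared_body])`, which is what makes the body link worthwhile: the body is neither copied per server nor concatenated with its header, and dropping `copies` after the N sends lets the stored packet be reclaimed, as step (2) requires. Two details the patent leaves implicit matter in practice and are handled above: the virtual SessionId is the only credential the client holds, so it is generated with `secrets`, and a request carrying a virtual SessionId the distributor never issued is refused rather than forwarded.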

Claims (1)

1. An efficient method for implementing a mimic defense model distributor, characterised in that it comprises the following steps:
Step (1): each packet sent by a client is stored in the distributor; because the multiple back-end servers hold multiple different SessionIds, a mapping table from virtual SessionIds to real SessionIds is maintained in the distributor; the SessionId in the request sent by the client is a virtual SessionId and is replaced with the real SessionId from the mapping table; the key of the mapping table is the virtual SessionId and the value is the real SessionIds of the N servers; the virtual SessionId is generated by the distributor, the HTTP response packet received by the client contains only this virtual SessionId, and the client only needs this virtual SessionId to interact with the server side;
Step (2): when a user request is excessively large, the mode of "header copy, body link" is adopted: only the HTTP request header is copied, the HTTP request header containing the Cookie and SessionId information, while the data of the request body does not need to change, so only a link to the HTTP request body is kept; after the distributor has copied and distributed the request to the N servers, the space occupied by the request is reclaimable;
Step (3): after the two preprocessing steps (1) and (2), the distributor can efficiently send the user request to the executors at the server back end, realizing the function of the distributor.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810038734.7A CN108400968B (en) 2018-01-16 2018-01-16 A method of implementing a mimic defense model distributor

Publications (2)

Publication Number Publication Date
CN108400968A true CN108400968A (en) 2018-08-14
CN108400968B CN108400968B (en) 2019-12-24

Family

ID=63094861

Country Status (1)

Country Link
CN (1) CN108400968B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110557437A (en) * 2019-08-05 2019-12-10 上海拟态数据技术有限公司 Universal mimicry distribution voting scheduling device and method based on user-defined protocol
CN110557437B (en) * 2019-08-05 2021-11-19 上海拟态数据技术有限公司 Universal mimicry distribution voting scheduling device and method based on user-defined protocol
CN112422579A (en) * 2020-11-30 2021-02-26 福州大学 A method of constructing executive body based on Mimic Defense Sketch

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7139792B1 (en) * 2000-09-29 2006-11-21 Intel Corporation Mechanism for locking client requests to a particular server
CN101247367A (en) * 2008-04-08 2008-08-20 中国电信股份有限公司 Content providing method and system based on content distribution network and peer-to-peer network
CN101483662A (en) * 2008-01-09 2009-07-15 财团法人工业技术研究院 Packet forwarding device and method for virtual storage network switch
CN103036910A (en) * 2013-01-05 2013-04-10 北京网康科技有限公司 Method and device for controlling user web access behaviors
CN104954384A (en) * 2015-06-24 2015-09-30 浙江大学 Url (uniform resource locator) pseudo method for protecting Web application security
CN106656834A (en) * 2016-11-16 2017-05-10 上海红阵信息科技有限公司 IS-IS routing protocol heterogeneous function equivalent body parallel normalization device and method
CN106874755A (en) * 2017-01-22 2017-06-20 中国人民解放军信息工程大学 The consistent escape error processing apparatus of majority and its method based on mimicry Prevention-Security zero-day attacks
CN107092518A (en) * 2017-04-17 2017-08-25 上海红神信息技术有限公司 A kind of Compilation Method for protecting mimicry system of defense software layer safe

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Liang Huibing et al.: "The Implement of Voting Device in Mimicry Defense Model", Revista de la Facultad de Ingeniería *

Also Published As

Publication number Publication date
CN108400968B (en) 2019-12-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract
    Application publication date: 20180814
    Assignee: Hangzhou Greentown Information Technology Co.,Ltd.
    Assignor: HANGZHOU DIANZI University
    Contract record no.: X2023330000109
    Denomination of invention: A Method for Implementing a Pseudo Defense Model Distributor
    Granted publication date: 20191224
    License type: Common License
    Record date: 20230311
CF01 Termination of patent right due to non-payment of annual fee
    Granted publication date: 20191224