Disclosure of Invention
Aiming at the above problems, the invention provides a heterogeneous redundancy defense strategy issuing method for an endogenous security switch, which effectively defends against various attacks targeting or approaching a network switch on the basis of a dynamic heterogeneous redundancy mechanism together with the network information and the software and hardware resource data collected during operation.
In order to realize the purpose of the invention, the technical scheme adopted by the invention is a heterogeneous redundancy defense strategy issuing method of an endogenous security switch.
The invention is intended to measure the switch's own state information and the link state information of the endogenous switch; the required measurements are the memory utilization rate, CPU utilization rate, link delay, link bandwidth and link packet loss rate of the switch. Different weights are assigned to the measurements, normalization and quantization are carried out, a grading mechanism is introduced, and defense strategies are selected intelligently according to the severity of the threat situation.
A heterogeneous redundancy defense strategy issuing method of an endogenous security switch mainly comprises the following steps:
(1) collecting and measuring the link state information of the endogenous security switch in a path and the state information of the switch itself, and managing the state data of the switch and the link to construct a network resource view;
(2) threat intelligence is generated according to the network resource view, response grading is carried out, different types of defense modes are started by responses at different levels, and therefore the resource overhead of the switch is controlled and the normal operation of the current network is maintained to the maximum extent;
the first type: if, according to the current threat information, the resources of the network layer of the switch are threatened, a third-level response is started, and the endogenous security switch adopts an isolation scheme against the current attack;
the second type: if, according to the current threat information, the hard disk and internal data have been tampered with, a second-level response is started, and the endogenous security switch adopts a cleaning scheme against the current attack;
the third type: if, according to the current threat information, control of the switch is being contended for, a first-level response is started, and the endogenous security switch adopts an asset migration scheme or a system hopping scheme against the current attack.
In step (1), the method for collecting the switch state information and the link information to construct the network resource view comprises the following steps:
(1.1) the switch measures its own state information in real time, where the measurement comprises the CPU (Central Processing Unit) utilization rate of the switch, the memory utilization rate and the IP (Internet Protocol) address of the switch;
(1.2) the switch measures the link state information, where the measurement comprises link delay, link bandwidth and link packet loss rate; the measurement method uses a raw socket for ICMP protocol messages to construct a probe packet of fixed size, sends the probe packet to the target node at the other end of the link, and obtains the link bandwidth, RTT and packet loss rate from the returned data;
(1.3) preliminarily constructing a network resource view according to the collected and measured state information and the network resource information, as shown in FIG. 2.
In the step (2), the design scheme of the response grading mechanism is as follows:
(2.1) the endogenous security switch generates threat information according to the current network resource view, and judges whether the endogenous security switch is attacked by the network;
(2.2) the exchanger carries out normalization and quantization according to the generated threat information;
(2.3) grading the quantized threat intelligence data according to the severity of the threat situation, where an extremely high threat degree is determined as the first grade.
Wherein, in step (2.2), for the quintuple of threat intelligence: the CPU utilization rate C, the memory occupancy rate M, the link bandwidth B, the link time delay L and the packet loss rate P of the switch are calculated according to the formula:
obtaining the normalized data C′, M′, B′, L′, P′, to which different weights K1, K2, K3, K4, K5 are assigned respectively, with:
K1 + K2 + K3 + K4 + K5 = 1
The normalized and quantized threat intelligence data S may then be represented as:
S = C′K1 + M′K2 + B′K3 + L′K4 + P′K5
In step (2.3), two threshold levels S1 and S2 (S1 > S2) are set on the threat intelligence data S. When S ≥ S1, a first-level response is determined: the current attack contends for control of the switch, and strong measures need to be taken for protection. When S2 ≤ S < S1, a second-level response is set, indicating that the current attack tampers with the hard disk and internal data; the defense strategy adopted at this time needs to take resource overhead into account. When S < S2, the current attack threatens the resources of the network layer of the switch, and a high-cost defense strategy is not appropriate.
It should also be noted that the purpose of the hierarchical response mechanism is to reasonably control the overhead brought by defense; the switch dynamically selects defense strategies of other levels as supplements according to the situation, and after multiple output vectors have been obtained, the output result is decided by the voting mechanism.
In the first type, the isolation mechanism has the following specific flow:
For the VLAN relay (trunk) attack, a security setting can be applied on the network switch: all trunk ports of the network switch must use a VLAN ID, and if the switch receives a DTP negotiation message on a port that has not been configured for it, the message is considered illegal, and the isolation mechanism blocks the source IP address of the message so as to prevent the trunk from being established. For the spanning tree spoofing attack, in which an attacker sends a bridge ID smaller than that of the current root switch to declare itself the root bridge and seize the role of the root switch, the isolation mechanism isolates the port that received the forged BPDU (Bridge Protocol Data Unit) so that the port forwards no traffic, thereby forcibly preserving the position of the root bridge in the network. For the MAC table flooding attack, the isolation strategy limits the number of MAC addresses that a switch port can learn, and MAC addresses beyond the limit are discarded. For the ARP spoofing attack, the switch can record the MAC address of each computer on the network by means of DHCP, so the switch can detect the MAC address when a forged ARP packet is sent, and the isolation strategy is to block the IP. For the UDP flooding attack, for IP addresses that repeatedly send packets of more than 1500 bytes, the isolation strategy can block those IP addresses according to the information provided by the threat intelligence, such as the reputation (credit) value of the IP, and messages with an obviously abnormal TTL can be filtered according to the normal range of the TTL value in messages. For the MAC spoofing attack, the isolation strategy is likewise based on the information provided by the threat intelligence; for example, the switch can check whether the source IP and source MAC in an IP message are consistent with the information set by the administrator in the switch, and if not, the IP address is blocked and alarm information is sent.
In the second type, the specific flow of the cleaning mechanism is as follows:
The invention uses a method of identifying threatening traffic based on IP reputation (credit) values: a reputation value is assigned to each IP address on the Internet, and IP addresses that act as zombie hosts and generate malicious attack behavior are given lower reputation values; an IP with a low reputation value may become the source of a network attack, so traffic sent from IP addresses with low reputation values is cleaned preferentially in the traffic cleaning process. The specific process is that all traffic is transferred to a cloud computing center through HPENP, threat traffic is classified using the information provided by the threat intelligence and a more complex machine learning method, the threat traffic is discarded once its quintuple has been definitely identified, and the remaining traffic is forwarded back to the switch to complete the cleaning process.
In the third type, two specific procedures for defense strategies are proposed as follows:
Asset migration first makes a redundant backup of the endogenous security switch and dynamically shifts the attack surface: when the endogenous security switch is threatened and attacked, the system resources are migrated directly into another switch. Specifically, the host establishes a route backup, and when the current switch is detected to be seriously attacked and unable to work normally, the redundant switch is connected using the backup switch IP in the routing table. System hopping enables a hopping protocol and, according to that protocol, starts to change the port, address and time slot of data transmission to each neighboring node at random, realizing active network protection. The specific operation is that, within a fixed hopping interval, the endogenous security switch uses a pseudo-random function over the key shared with the communicating host, the source ID, the switch ID and the time to generate a new IP address and communication port, so that in different time slots the two communicating parties must use different IPs and ports, which resists network attacks.
Compared with the prior art, the technical scheme of the invention has the following beneficial technical effects:
(1) The invention can design an endogenous security switch with an active defense function, aimed at the inherent defects of the passive defense of network switches; it overcomes the defense deficiencies of existing switches and has important practical significance.
(2) The invention provides a dynamic heterogeneous redundancy defense strategy issuing method with the endogenous security property; the endogenous security switch can dynamically adopt different sets of defense strategies against each network attack, presents the uncertainty of its internal defense mechanism to the outside, and greatly increases the attacker's cost of reconnaissance and attack implementation.
(3) Meanwhile, the endogenous security switch provided by the invention introduces a hierarchical response mechanism, completes the hierarchical issuing of defense strategies according to the severity of the attack as indicated by the threat intelligence, and greatly saves the resource overhead and cost of the endogenous security switch.
Detailed Description
In order to enhance the understanding and comprehension of the present invention, the technical solution is further described below with reference to the accompanying drawings and embodiments.
Example 1: referring to fig. 1 to 5, a heterogeneous redundancy defense strategy issuing method for an endogenous security switch mainly includes the following steps:
(1) collecting and measuring the link state information of the endogenous security switch in a path and the state information of the switch itself, and managing the state data of the switch and the link to construct a network resource view;
(2) threat intelligence is generated according to the network resource view, response grading is carried out, different types of defense modes are started by responses at different levels, and therefore the resource overhead of the switch is controlled and the normal operation of the current network is maintained to the maximum extent;
the first type: if, according to the current threat information, the resources of the network layer of the switch are threatened, a third-level response is started, and the endogenous security switch adopts an isolation scheme against the current attack;
the second type: if, according to the current threat information, the hard disk and internal data have been tampered with, a second-level response is started, and the endogenous security switch adopts a cleaning scheme against the current attack;
the third type: if, according to the current threat information, control of the switch is being contended for, a first-level response is started, and the endogenous security switch adopts an asset migration scheme or a system hopping scheme against the current attack.
In step (1), the method for collecting the switch state information and the link information to construct the network resource view comprises the following steps:
(1.1) the switch measures its own state information in real time, where the measurement comprises the CPU (Central Processing Unit) utilization rate of the switch, the memory utilization rate and the IP (Internet Protocol) address of the switch;
(1.2) the switch measures the link state information, where the measurement comprises link delay, link bandwidth and link packet loss rate; the measurement method uses a raw socket for ICMP protocol messages to construct a probe packet of fixed size, sends the probe packet to the target node at the other end of the link, and obtains the link bandwidth, RTT and packet loss rate from the returned data;
(1.3) preliminarily constructing a network resource view according to the collected and measured state information and the network resource information, as shown in FIG. 2.
In the step (2), the design scheme of the response grading mechanism is as follows:
(2.1) the endogenous security switch generates threat information according to the current network resource view, and judges whether the endogenous security switch is attacked by the network;
(2.2) the exchanger carries out normalization and quantization according to the generated threat information;
(2.3) grading the quantized threat intelligence data according to the severity of the threat situation, where an extremely high threat degree is determined as the first grade.
Wherein, in step (2.2), for the quintuple of threat intelligence: the CPU utilization rate C, the memory occupancy rate M, the link bandwidth B, the link time delay L and the packet loss rate P of the switch are calculated according to the formula:
obtaining the normalized data C′, M′, B′, L′, P′, to which different weights K1, K2, K3, K4, K5 are assigned respectively, with:
K1 + K2 + K3 + K4 + K5 = 1
The normalized and quantized threat intelligence data S may then be represented as:
S = C′K1 + M′K2 + B′K3 + L′K4 + P′K5
In step (2.3), two threshold levels S1 and S2 (S1 > S2) are set on the threat intelligence data S. When S ≥ S1, a first-level response is determined: the current attack contends for control of the switch, and strong measures need to be taken for protection. When S2 ≤ S < S1, a second-level response is set, indicating that the current attack tampers with the hard disk and internal data; the defense strategy adopted at this time needs to take resource overhead into account. When S < S2, the current attack threatens the resources of the network layer of the switch, and a high-cost defense strategy is not appropriate.
It should also be noted that the purpose of the hierarchical response mechanism is to reasonably control the overhead brought by defense; the switch dynamically selects defense strategies of other levels as supplements according to the situation, and after multiple output vectors have been obtained, the output result is decided by the voting mechanism.
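The grading of steps (2.2) and (2.3), as described both in the summary and in Example 1, worked through in code. This is an added example, not code from the patent: the patent does not give the normalization formula, so min-max scaling to [0, 1] against an assumed operating range stands in for it, and the weights K1..K5, the thresholds S1 and S2 and the sample readings are constructed values.

```python
"""Threat grading for the endogenous security switch (steps 2.2 and 2.3).

Added example; not code from the patent. The patent gives the weighted sum
S = C'K1 + M'K2 + B'K3 + L'K4 + P'K5 and the thresholds S1 > S2 but omits the
normalization formula, so min-max scaling to [0, 1] against an assumed
operating range is used here as a placeholder. Weights, thresholds and the
sample readings are constructed values.
"""
from dataclasses import dataclass

# Assumed operating ranges (lo, hi) for min-max normalization. Each metric is
# oriented so that a larger normalized value means a larger threat: C and M are
# utilization in percent, B is the consumed share of link bandwidth in percent,
# L is link delay in milliseconds, P is packet loss in percent.
RANGES = {"C": (0.0, 100.0), "M": (0.0, 100.0), "B": (0.0, 100.0),
          "L": (0.0, 500.0), "P": (0.0, 100.0)}

# Constructed weights K1..K5; the patent only requires that they sum to 1.
WEIGHTS = {"C": 0.25, "M": 0.15, "B": 0.20, "L": 0.15, "P": 0.25}

# Constructed thresholds: S >= S1 is a first-level response, S2 <= S < S1 a
# second-level response, S < S2 a third-level response.
S1, S2 = 0.70, 0.40

# Defense scheme started by each response level, as the patent assigns them.
STRATEGY = {1: "asset migration or system hopping", 2: "cleaning", 3: "isolation"}


@dataclass(frozen=True)
class ThreatQuintuple:
    cpu: float        # C, CPU utilization (%)
    memory: float     # M, memory occupancy (%)
    bandwidth: float  # B, consumed share of link bandwidth (%)
    latency: float    # L, link delay (ms)
    loss: float       # P, packet loss rate (%)


def normalize(value, lo, hi):
    """Min-max scale value into [0, 1], clipping readings outside the range."""
    if hi <= lo:
        raise ValueError("normalization range must be non-empty")
    return min(1.0, max(0.0, (value - lo) / (hi - lo)))


def normalized_quintuple(q):
    """Return C', M', B', L', P' keyed by metric name."""
    raw = {"C": q.cpu, "M": q.memory, "B": q.bandwidth, "L": q.latency, "P": q.loss}
    return {name: normalize(raw[name], *RANGES[name]) for name in raw}


def threat_score(q, weights=WEIGHTS):
    """S = C'K1 + M'K2 + B'K3 + L'K4 + P'K5, with the weights summing to 1."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights K1..K5 must sum to 1")
    n = normalized_quintuple(q)
    return sum(n[name] * weights[name] for name in weights)


def response_level(score, s1=S1, s2=S2):
    """Map S onto the three response levels (1 is the most severe)."""
    if not 0.0 <= s2 < s1 <= 1.0:
        raise ValueError("thresholds must satisfy 0 <= S2 < S1 <= 1")
    if score >= s1:
        return 1
    if score >= s2:
        return 2
    return 3


def select_strategy(q):
    """Grade the quintuple and return (S, level, defense scheme to issue)."""
    score = threat_score(q)
    level = response_level(score)
    return score, level, STRATEGY[level]


if __name__ == "__main__":
    # Constructed readings from a switch under heavy attack.
    sample = ThreatQuintuple(cpu=95, memory=90, bandwidth=98, latency=400, loss=60)
    print(select_strategy(sample))
```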
In the first type, the isolation mechanism has the following specific flow:
For the VLAN relay (trunk) attack, a security setting can be applied on the network switch: all trunk ports of the network switch must use a VLAN ID, and if the switch receives a DTP negotiation message on a port that has not been configured for it, the message is considered illegal, and the isolation mechanism blocks the source IP address of the message so as to prevent the trunk from being established. For the spanning tree spoofing attack, in which an attacker sends a bridge ID smaller than that of the current root switch to declare itself the root bridge and seize the role of the root switch, the isolation mechanism isolates the port that received the forged BPDU (Bridge Protocol Data Unit) so that the port forwards no traffic, thereby forcibly preserving the position of the root bridge in the network. For the MAC table flooding attack, the isolation strategy limits the number of MAC addresses that a switch port can learn, and MAC addresses beyond the limit are discarded. For the ARP spoofing attack, the switch can record the MAC address of each computer on the network by means of DHCP, so the switch can detect the MAC address when a forged ARP packet is sent, and the isolation strategy is to block the IP. For the UDP flooding attack, for IP addresses that repeatedly send packets of more than 1500 bytes, the isolation strategy can block those IP addresses according to the information provided by the threat intelligence, such as the reputation (credit) value of the IP, and messages with an obviously abnormal TTL can be filtered according to the normal range of the TTL value in messages. For the MAC spoofing attack, the isolation strategy is likewise based on the information provided by the threat intelligence; for example, the switch can check whether the source IP and source MAC in an IP message are consistent with the information set by the administrator in the switch, and if not, the IP address is blocked and alarm information is sent.
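Two of the isolation rules above, the per-port ceiling on learned MAC addresses against MAC table flooding and the administrator-set IP-to-MAC consistency check against MAC spoofing, as an added example that is not the patent's own code. The binding table, the port limit and the sample frames are constructed; the decision names and the choice to treat IPs without a binding as out of scope for the check are assumptions.

```python
"""Port-level isolation checks for the third-level (isolation) response.

Added example; not the patent's own code. Implements two of the isolation
rules the patent describes: a per-port ceiling on learned MAC addresses
(MAC table flooding) and an IP-to-MAC consistency check against the
administrator's binding table (MAC spoofing), which blocks the IP and raises
an alarm. Binding table, port limit and frames are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class IsolationPolicy:
    max_macs_per_port: int
    bindings: dict                 # administrator-set {src_ip: expected src_mac}
    learned: dict = field(default_factory=lambda: defaultdict(set))
    blocked_ips: set = field(default_factory=set)
    alarms: list = field(default_factory=list)

    def learn_mac(self, port, mac):
        """Learn mac on port unless the ceiling is reached; return whether learned."""
        table = self.learned[port]
        if mac in table:
            return True
        if len(table) >= self.max_macs_per_port:
            return False  # ceiling reached: the isolation strategy discards the MAC
        table.add(mac)
        return True

    def check_ip_mac(self, src_ip, src_mac):
        """'forward' when the pair matches the bindings, otherwise block and alarm."""
        if src_ip in self.blocked_ips:
            return "drop"
        expected = self.bindings.get(src_ip)
        if expected is None or expected.lower() == src_mac.lower():
            # IPs without a binding are outside this check's scope (assumption).
            return "forward"
        self.blocked_ips.add(src_ip)
        self.alarms.append(
            f"MAC spoofing: {src_ip} seen from {src_mac}, expected {expected}")
        return "block"

    def handle_frame(self, frame):
        """Apply both checks to one frame and return the decision."""
        if not self.learn_mac(frame["port"], frame["src_mac"]):
            return "discard"
        return self.check_ip_mac(frame["src_ip"], frame["src_mac"])


def run_sample():
    """Run constructed frames through the policy; return decisions, blocked IPs, alarms."""
    policy = IsolationPolicy(
        max_macs_per_port=2,
        bindings={"10.0.0.11": "aa:bb:cc:00:00:11", "10.0.0.12": "aa:bb:cc:00:00:12"},
    )
    frames = [
        {"port": 1, "src_ip": "10.0.0.11", "src_mac": "aa:bb:cc:00:00:11"},  # legitimate
        {"port": 1, "src_ip": "10.0.0.12", "src_mac": "aa:bb:cc:00:00:12"},  # legitimate
        {"port": 1, "src_ip": "10.0.0.99", "src_mac": "de:ad:be:ef:00:01"},  # third MAC on port 1
        {"port": 2, "src_ip": "10.0.0.11", "src_mac": "de:ad:be:ef:00:02"},  # wrong MAC for bound IP
        {"port": 2, "src_ip": "10.0.0.11", "src_mac": "aa:bb:cc:00:00:11"},  # IP already blocked
    ]
    decisions = [policy.handle_frame(f) for f in frames]
    return decisions, sorted(policy.blocked_ips), policy.alarms


if __name__ == "__main__":
    print(run_sample())
```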
In the second type, the specific flow of the cleaning mechanism is as follows:
The invention uses a method of identifying threatening traffic based on IP reputation (credit) values: a reputation value is assigned to each IP address on the Internet, and IP addresses that act as zombie hosts and generate malicious attack behavior are given lower reputation values; an IP with a low reputation value may become the source of a network attack, so traffic sent from IP addresses with low reputation values is cleaned preferentially in the traffic cleaning process. The specific process is that all traffic is transferred to a cloud computing center through HPENP, threat traffic is classified using the information provided by the threat intelligence and a more complex machine learning method, the threat traffic is discarded once its quintuple has been definitely identified, and the remaining traffic is forwarded back to the switch to complete the cleaning process.
The specific flow of two defense strategies proposed in the third type is as follows:
Asset migration first makes a redundant backup of the endogenous security switch and dynamically shifts the attack surface: when the endogenous security switch is threatened and attacked, the system resources are migrated directly into another switch. Specifically, the host establishes a route backup, and when the current switch is detected to be seriously attacked and unable to work normally, the redundant switch is connected using the backup switch IP in the routing table. System hopping enables a hopping protocol and, according to that protocol, starts to change the port, address and time slot of data transmission to each neighboring node at random, realizing active network protection. The specific operation is that, within a fixed hopping interval, the endogenous security switch uses a pseudo-random function over the key shared with the communicating host, the source ID, the switch ID and the time to generate a new IP address and communication port, so that in different time slots the two communicating parties must use different IPs and ports, which resists network attacks.
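The per-slot endpoint derivation of the system hopping scheme, as described in both the summary and Example 1, as an added example that is not the patent's own code. HMAC-SHA256 is assumed as the pseudo-random function over the shared key, source ID, switch ID and time slot; the address pool, port range, hopping interval, identifiers, key and the receiver-side clock-skew tolerance are all assumptions.

```python
"""Per-slot (ip, port) derivation for the system hopping defense.

Added example; not the patent's own code. Both the host and the switch hold
the shared key and the two IDs, so each can compute the endpoint for any
time slot without exchanging it. HMAC-SHA256 is the assumed pseudo-random
function; pool, port range, interval, key, IDs and the skew tolerance on the
receiving side are constructed assumptions.
"""
import hashlib
import hmac
import ipaddress

HOP_INTERVAL_S = 30                              # assumed fixed hopping interval
POOL = ipaddress.IPv4Network("10.20.0.0/24")     # assumed pool of hoppable addresses
PORT_RANGE = (10000, 60000)                      # assumed inclusive port range


def hop_endpoint(key: bytes, source_id: str, switch_id: str, t: int,
                 interval: int = HOP_INTERVAL_S, pool=POOL, ports=PORT_RANGE):
    """Return the (ip, port) pair valid for the time slot containing time t."""
    slot = t // interval
    msg = f"{source_id}|{switch_id}|{slot}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    # Skip the network and broadcast addresses of the pool.
    usable = pool.num_addresses - 2
    host_offset = 1 + int.from_bytes(digest[:4], "big") % usable
    ip = pool.network_address + host_offset
    lo, hi = ports
    port = lo + int.from_bytes(digest[4:6], "big") % (hi - lo + 1)
    return str(ip), port


def schedule(key, source_id, switch_id, start, slots):
    """Endpoints for `slots` consecutive intervals beginning at time start."""
    return [hop_endpoint(key, source_id, switch_id, start + i * HOP_INTERVAL_S)
            for i in range(slots)]


def accept_endpoint(key, source_id, switch_id, now, ip, port, skew_slots=1):
    """Receiver-side check: accept (ip, port) if it matches the current slot or
    up to skew_slots earlier ones, tolerating small clock skew between host and
    switch (assumption; the patent does not specify skew handling)."""
    for back in range(skew_slots + 1):
        expected = hop_endpoint(key, source_id, switch_id, now - back * HOP_INTERVAL_S)
        if expected == (ip, port):
            return True
    return False


def in_pool(ip, pool=POOL):
    """Whether a derived address lies inside the configured pool."""
    return ipaddress.ip_address(ip) in pool


if __name__ == "__main__":
    key = b"constructed-shared-key"
    for ep in schedule(key, "host-7", "sw-1", 0, 4):
        print(ep)
```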
Fig. 1 shows the voting diagram of defense decisions under heterogeneous redundancy. The multi-mode elastic intelligent arbitration module compares the outputs of the heterogeneous executors mainly according to an arbitration strategy, judges the state of each executor according to the comparison result, reports the state information to the scheduling control module, and delivers the arbitration result to the agent module, which outputs it. The mimicry arbitration mechanism performs consistency judgment on the output results of the heterogeneous executors, with the ability to perceive elements and understand the situation of the abnormal conditions that arise, and can effectively avoid non-cooperative attacks or random failures at the mimicry interface. Based on the arbitration result, the feedback controller can reconfigure the executor service set according to a given policy.
In general, the fundamental conditions for implementing mimicry defense exist wherever there are interfaces with standardized or normalizable functions or operations. Since at least time differences, value range differences (calculation precision) or allowed version differences (grammar, options, default values and extension field filling conditions) exist among the output vectors of the diversified redundant defense executors within the boundary, different application scenarios, performance requirements and security standards greatly influence the implementation complexity of issuing elastic intelligent defense decision instructions.
Under the same input stimulus specification, it is a probable event that the multi-mode output vectors are mostly the same or completely consistent, but differences in output response will certainly exist because of differences among the heterogeneous executors in preprocessing mode, implementation algorithm, supporting environment and even processing platform (FPGA or CPU). So as not to affect the multi-mode arbitration of the output vectors, vector normalization processing and an output agent function need to be added before arbitration, to ensure that the mimicry bracket can both shield, as far as possible, all differences outside the defense scenario and allow some differences between executors inside it. For endogenous security switches, the available normalization means are strongly related to the specific application scenario. In the situation awareness stage, the endogenous security switch already holds the multidimensional network resource view. A controller is designed to analyze the current network situation in a normalized way by combining this view with the current resource situation of the switch; the threat intelligence obtained by combining situation theory is graded, the required defense strategy is selected intelligently, hot deployment is carried out while interfering with the service as little as possible, and the efficiency of the switch is ensured.
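The normalization-then-arbitration step described above (and the voting mechanism mentioned under the hierarchical response), as an added example that is not the patent's own code. It removes the tolerated differences the text lists (numeric precision, case and whitespace, version and extension fields) before a strict-majority vote and reports the executors that disagree so the scheduling module can reconfigure the executor set; the field names, the ignored-field set, the no-majority policy and the sample outputs are constructed assumptions.

```python
"""Multi-mode arbitration (voting) over heterogeneous executor outputs.

Added example; not the patent's own code. Each executor's output vector is
normalized so that tolerated differences (numeric precision, case/whitespace,
version and extension fields) do not count as disagreement; a strict majority
then decides the output, and executors whose normalized vector differs from
the majority are reported as abnormal. Field names, the ignored-field set,
the no-majority policy and the sample outputs are constructed assumptions.
"""
import json
from collections import Counter

IGNORED_FIELDS = {"version", "timestamp", "build"}  # assumed: vary legitimately
PRECISION = 2                                       # decimal places kept for floats


def normalize_vector(vec):
    """Canonical JSON of the vector with tolerated differences removed."""
    out = {}
    for key, value in vec.items():
        if key in IGNORED_FIELDS:
            continue
        if isinstance(value, float):
            value = round(value, PRECISION)
        elif isinstance(value, str):
            value = " ".join(value.split()).lower()
        out[key] = value
    return json.dumps(out, sort_keys=True)


def arbitrate(outputs):
    """Return (agreed canonical vector or None, sorted abnormal executor ids).

    outputs: {executor_id: output_vector}. A vector wins only with a strict
    majority; without one the result is None and every executor is flagged so
    the feedback controller can act (assumed no-majority policy).
    """
    if not outputs:
        raise ValueError("no executor outputs to arbitrate")
    canon = {ex: normalize_vector(v) for ex, v in outputs.items()}
    winner, votes = Counter(canon.values()).most_common(1)[0]
    if votes * 2 <= len(canon):
        return None, sorted(canon)
    abnormal = sorted(ex for ex, c in canon.items() if c != winner)
    return winner, abnormal


def sample_outputs():
    """Constructed outputs of three executors for one forwarding decision:
    two agree up to precision, case and version fields; the third diverges."""
    return {
        "exec_fpga": {"action": "forward", "egress_port": 3, "latency_ms": 0.42,
                      "version": "fpga-1.2"},
        "exec_cpu_a": {"action": "FORWARD ", "egress_port": 3, "latency_ms": 0.4199,
                       "version": "sw-3.1", "build": "debug"},
        "exec_cpu_b": {"action": "drop", "egress_port": 0, "latency_ms": 0.41,
                       "version": "sw-2.9"},
    }


if __name__ == "__main__":
    print(arbitrate(sample_outputs()))
```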
The invention subdivides the strategies into cleaning, isolation, asset migration and system hopping. The cleaning operation is accurate but consumes network resources, while the isolation means is coarse and does not occupy bandwidth, but easily discards normal traffic. The asset migration and system hopping strategies are strongly attack-resistant and active, so that the platform can keep running while compromised, but their cost is too large: hot deployment may even be impossible, and the service of the switch may be interrupted temporarily. Each of the four strategies has advantages and disadvantages, so a defense strategy needs to be selected intelligently according to the severity of the attack currently facing the endogenous security switch. The invention is intended to defend against the following 6 kinds of network attacks:
(1) VLAN relay (trunk) attack: this is a spoofing type attack, whose flow is shown in fig. 4. An attacker impersonates another switch and sends a forged DTP negotiation message to a switch in a specific VLAN, declaring that it wants to become a trunk; after the attacked switch receives the DTP message, if the trunk function is enabled, all traffic passing through the VLAN is sent to the attacker's computer.
(2) Spanning tree attack: the Spanning Tree Protocol (STP) is a data link layer communication protocol in the OSI network model, whose basic application is to prevent loops created by redundant links between switches, thereby preventing broadcast storms from arising and heavily occupying switch resources. The spanning tree attack is a spoofing type attack in which an attacker sends a carefully crafted Bridge Protocol Data Unit (BPDU) to a switch to deceive it into treating the attacker as the root bridge, which causes STP to re-converge; because STP converges slowly, a loop can form within a certain time and crash the network.
(3) MAC table flooding attack: when a frame enters the switch, the switch records its source MAC address together with the port on which the frame entered, and later traffic to that MAC address is sent only through that port. This record is stored in a Content Addressable Memory (CAM) for fast lookup when forwarding data. In a MAC table flooding attack, the attacker exploits the limited capacity of the CAM by sending a large number of packets with forged source MAC addresses, so that the CAM entries are fully occupied; subsequent packets then cause the switch to send data in broadcast mode, the bandwidth of the switch is rapidly exhausted, and the switch is driven into denial of service.
(4) ARP attack: the Address Resolution Protocol (ARP) resolves the IP address of a target machine into its unique MAC address; ARP automatically searches for the IP-to-MAC resolution and sends the request by broadcast, so that all hosts receive the message. The ARP attack refers to an attacker connecting to and communicating with a target host in a deceptive manner, so that a large number of abnormal messages appear at the target host and the network switch is paralyzed.
(5) UDP flooding attack: UDP (User Datagram Protocol) is a connectionless protocol that gives applications a way to send encapsulated IP packets without establishing a connection. UDP flooding attacks are DDoS type attacks, of which there are two kinds: small packet attacks and large packet attacks. In a small packet attack, the attacker sends a large number of small UDP packets, generally 64 bytes, with forged source IP addresses to the target, so that for the same traffic volume the number of packets increases, the checking cost increases, and finally the bandwidth resources of the target are exhausted; in a large packet attack, the attacker sends a large number of large UDP packets with forged source IP addresses, generally more than 1500 bytes, and because fragment reassembly of large packets is under heavy pressure, bandwidth resources are quickly exhausted.
(6) MAC spoofing attack: MAC address spoofing is commonly used to break local area network access control based on MAC addresses. For example, where a switch is configured to forward frames only from certain source MAC addresses, the attacker modifies its source MAC address to one present in the access list to break through the access restriction, and such a modification is dynamic and easy to revert. Another access control method binds the IP address to the MAC address, so that one switch port can serve only one host of one user; in this case the attacker needs to modify both its IP address and its MAC address to break through the restriction.
For the above 6 types of network attacks, the endogenous security switch can basically adopt the cleaning, isolation, system hopping or asset migration strategies. The invention determines through the grading mechanism which defense strategy is adopted when the switch is attacked over the network, and reduces as far as possible the resource overhead the switch needs to maintain normal operation. For this purpose, the endogenous security switch constructs the network resource view.
Three experimental schemes are designed below to verify the effectiveness of the defense strategies of the endogenous security switch.
Experiment one: single attack single defense test
Purpose of the experiment:
verifying the effectiveness of four defense strategies
The experimental steps are as follows:
1. The server is started and a Docker network is established; the experimental topology is shown in FIG. 5. An attack node and a defense node are deployed in the Docker network. The attack node consists of six containers, each of which can launch one attack mode; the defense node consists of two containers, one used as a redundant backup and the other as the main attacked object, with functions such as isolation, traffic forwarding and system hopping.
2. Randomly select one of the above six attacks and adopt one of the above four defense strategies to perform the attack and defense experiment.
3. Select the attack type and the defense type without repetition and carry out multiple experiments.
Experiment two: single attack multiple defense testing
Purpose of the experiment:
verifying the effect of combining a dynamic heterogeneous redundancy mechanism with a defense strategy
The experimental steps are as follows:
1. Start the created Docker network.
2. Randomly select one of the six attacks, let the defense node select a defense strategy set according to the hierarchical response mechanism and the dynamic selection strategy for defense, and compare the resource consumption and defense effect of the defense node with those of the first experiment.
3. Carry out multiple experiments without repeating the attack type.
Experiment three: multiple attack multiple defense test
Purpose of the experiment:
testing the overall defense performance of an endogenous security switch
The experimental steps are as follows:
1. Start the created Docker network.
2. Randomly select multiple attack types to attack the defense node, and let the defense node select a defense strategy set according to the hierarchical response mechanism and the dynamic selection strategy for defense.
3. Compare the resource consumption and defense effect of the defense node with those of the first and second experiments.