WO2026011691A1 - Method and system for ensuring trustworthiness and security of cyberspace - Google Patents

Abstract

Provided in the present invention are a method and system for ensuring the trustworthiness and security of cyberspace. The method comprises: step S1, on the basis of a multi-identifier network, implementing multi-identifier addressing having authentication and packet signing embedded therein; step S2, defining digital customs, a digital passport and a digital visa based on the multi-identifier network; step S3, on the basis of time data, a digital visa key and a hash function, performing calculation to obtain the digital visa based on the multi-identifier network; step S4, on the basis of the hash value of the digital visa and a cross-states passport key, performing calculation to obtain the digital passport based on the multi-identifier network; step S5, implementing the digital customs by means of a multi-identifier network router, and using and maintaining an exit border table by means of the digital customs; and step S6, by means of the digital customs, using an arrival border table to verify the digital passport, and updating the arrival border table. The present invention can effectively guarantee the trustworthiness and security of cyberspace, and enable the traceability of blockchain logs, thereby providing a better foundation for ensuring the order, rule of law and peace of cyberspace.

Description

A method and system for ensuring trustworthiness and security in cyberspace Technical Field

This invention relates to the technical field of cyberspace security, and more particularly to a method for ensuring the trustworthiness and security of cyberspace, and further to a system for ensuring the trustworthiness and security of cyberspace.

Background Technology

With the development of modern science and technology, the Internet has become an indispensable part of modern society. As a carrier of information, it has permeated various aspects of human life, including politics, economics, culture, education, and healthcare. While Internet content and demands are rapidly evolving, current network needs are increasingly revealing conflicts with the original IP design model. Under the existing IP system, problems such as the single-organizational control of the DNS root zone database and the semantic overload of IP addresses significantly limit the development of the Internet. The IP network system suffers from three fundamental flaws.

The first drawback is that centralized management allows the creators of the IP network to monopolize cyberspace management, forming cyber hegemony. The entire Domain Name System, including root servers (DNS), domain name resolution, and address allocation services, is managed by a single organization, meaning global network communications are essentially monitored and controlled by a single entity. Therefore, it is impossible to build a trustworthy, secure, orderly, law-abiding, and peaceful cyberspace on IP.

The second drawback is the lack of robust security features in IP networks. Data packet source addresses can be forged, tracing is difficult, and user data leaks are frequent, leading to ongoing security incidents, difficulties in protecting data privacy and digital assets, and the loss of individual and entity data rights. The Personal Information Protection Law classifies biometrics, specific identities, medical and health information, financial accounts, and location tracking as sensitive personal information. Centralized data management may result in the misuse of personal privacy data.

The third drawback is the rigidity of IP network architecture protocols, making evolution and upgrades difficult, time-consuming, and costly. For example, upgrading from IPv4 to IPv6 was a time-consuming and expensive task. IPv4 became the standard protocol for research on ARPANET in 1983, and by 1990, ARPANET was shut down, marking the end of experimental tasks and the beginning of commercial applications. In less than eight years, IPv4 replaced its competitors to become the de facto global industry standard. In 1998, the IETF began proposing a draft version of IPv6, which was officially released 20 years later in 2017, and it is incompatible with IPv4. In fact, the IPv6 DNS system is the same as IPv4, only with more addresses, with no other fundamental improvements. Therefore, major countries around the world are researching the future network after IP; the IP architecture is just a prelude, and the development of a new network architecture to replace the IP system is imperative.

It should be noted that the IP network architecture clearly presents cybersecurity risks. IP networks were initially designed for end-to-end transmission, and therefore security was not a primary focus. Within the TCP/IP network architecture, each layer is susceptible to several common malicious attack methods.

At the data link layer, there are attacks such as ARP poisoning and MAC address flooding. ARP spoofing attacks exploit Ethernet's communication mechanisms. If an IP host needs to automatically request the target host's MAC address, the ARP protocol must be used. Attackers can impersonate the source host to poison the victim's ARP mapping table, thereby achieving data theft. MAC flooding attacks, on the other hand, flood the victim host's MAC address table, causing it to overflow. This allows incoming data packets to be broadcast to every port, enabling intruders to successfully eavesdrop on all data on the switch from any port.

At the network layer, attacks include smurf flooding, IP spoofing, and ICMP routing spoofing. Smurf flooding attacks often combine with IP spoofing attacks. A smurf attack floods the victim host with ICMP ping request packets whose reply address is set to the victim network's broadcast address, causing all hosts on the network to respond to these ICMP ping requests, leading to network congestion. More sophisticated smurf attacks change the source address to that of a third party, ultimately causing the third party to crash. The essence of these attacks lies in the lack of signature and authentication mechanisms within the IP architecture.

At the transport layer, attackers typically use network attack techniques such as port scanning and UDP flooding. Port scanning works by having a host request a connection to a remote server on a specific port. If the server provides that service, it will respond; otherwise, it won't respond even if the request is sent to the corresponding port. By exploiting this principle, by establishing connections to all well-known ports or a selected range of well-known ports and recording the responses from the remote server, attackers can determine which services are installed on the target server by reviewing the records.

At the application layer, the IP system has seen a large number of network attack methods, such as deception, unauthorized access, identity theft, and flooding.

Therefore, it is clear that to ensure the credibility and security of cyberspace, and to guarantee its order, rule of law, and peace, there is an urgent need for a network system, methods, and mechanisms that are adapted to the current pace of development.

Summary of the Invention

The technical problem to be solved by this invention is to provide a method to ensure the trustworthiness and security of cyberspace. It aims to safeguard the trustworthiness and security of cyberspace through identity authentication based on multi-identifier networks, multi-identifier addressing, digital customs, digital passports, and digital visas, so as to provide a better foundation for ensuring the order, rule of law, and peace of cyberspace, and to provide network systems, methods, and systems that can adapt to the current pace of development.

To address this, the present invention provides a method for ensuring the trustworthiness and security of cyberspace, comprising the following steps:

Step S1: Implement embedded identity authentication and packet signing for multi-identity addressing based on a multi-identity network. After registration, the user first signs each published data packet with their private key and writes it into the signature area of the multi-identity network packet. The intermediate router periodically maintains the user information table obtained from the multi-identity management system. After receiving a packet, it extracts the signature information of the corresponding user from the table and then uses the public key information obtained from the multi-identity management system to authenticate the received multi-identity network packet. After successful authentication, multi-identity addressing is performed using a packet format that supports variable packet length.

Step S2, define digital customs, digital passports, and digital visas based on a multi-identifier network;

Step S3: Perform a bitwise XOR operation on the time data and the digital visa key, and use a hash function to perform a one-way mapping on the data after the bitwise XOR operation to obtain a digital visa based on a multi-identifier network.

Step S4: Calculate the digital passport based on the hash value of the digital visa and the cross-border passport key;

Step S5: Implement digital customs through a multi-identifier network router, and use and maintain the exit form through the digital customs.

Step S6: Verify the digital passport using the entry form through the digital customs and update the entry form.

A further improvement of the present invention is that step S1 includes the following sub-steps:

In step S101, the multi-identity network client generates a public key and a private key for the user locally, and then submits the public key and the identity information signed with the private key to any node in the multi-identity management system. When a node receives a request, it verifies it. After successful verification, the ledger node of the multi-identity management system consortium chain generates a transaction and sends it to all blockchain nodes. When a voting node in the blockchain receives a pre-block, it votes on whether to allow the pre-block to become a formal block. The leader node collects the voting results, counts them, generates a voting proof, stores the block information of the pre-block that passed the vote, and extracts the user registration information from the block information and stores it in the user registry.

Step S102: After registration, the user signs each data packet with their private key and writes the digital signature into the signature area of the multi-identifier network packet using the SM2 elliptic curve algorithm. The intermediate router periodically maintains the user information table obtained from the multi-identifier management system. After receiving a message, it extracts the signature information of the corresponding user from the table and then uses the public key information obtained from the multi-identifier management system to authenticate the received multi-identifier network packet.

Step S103: After successful authentication, multi-identifier addressing is performed using a message format that supports variable message length. The data packet of the message format includes four areas: an identifier area, a signature area, a read-only area, and a variable area. The identifier area stores one or more identifiers to distinguish different network packets. The signature area stores one or more digital signatures, each consisting of signature information and a signature value. The signature information refers to the signature type and the location of the certificate used to verify the signature. The read-only area stores data blocks filled by the network sender. The variable area includes a protected area and a dangerous area. The protected area stores modifiable fields that require signature, and the dangerous area stores modifiable fields that do not require signature.

In step S2, the digital customs based on the multi-identifier network refers to the border router used to process inbound and outbound multi-identifier network packets, issue digital passports for multi-identifier network packets leaving the country, and verify digital visas for multi-identifier network packets entering the country from abroad; the digital passport and digital visa based on the multi-identifier network refer to different specific fields carried on the multi-identifier network packet, and the specific fields are generated and verified by any one or more of encryption, hash calculation and certificates.

A further improvement of the present invention is that step S3 includes the following sub-steps:

Step S301: Calculate the time parameter Time using the formula Time = UNIX Time and 0xFFFFFFFFFFFFFFFF0, where UNIX Time is a 64-bit integer representing the number of seconds elapsed since the preset time, and the lowest 4 bits of the number of seconds UNIX Time in binary are set to 0.

Step S302: Obtain the 256-bit time data Time256 using the formula Time256＝Time×(1+2 ⁶⁴ +2 ¹²⁸ +2 ¹⁹² );

Step S303: Perform a bitwise XOR operation on the time data Time256 and the digital visa key CVK using the formula Visa = SHA256(Time256 xor CVK), and perform a one-way mapping of the hash function to obtain the digital visa based on the multi-identifier network; the digital visa key CVK is a 256-bit key, which is associated with the user's multi-identifier network identity information and real identity information.

A further improvement of the present invention is that, in step S3, the digital visa calculated using the current time and the time 16 seconds prior is valid.

A further improvement of the present invention is that, in step S4, a digital passport Pass based on a multi-identifier network is calculated using the formula Pass = SHA256 (Visa xor CPK), where CPK refers to a pre-agreed 256-bit cross-border passport key.

A further improvement of the present invention is that, in step S5, the digital customs stores multiple exit tables, each exit table corresponding to a target country; when the digital customs receives a multi-identifier network packet forwarded from the forwarding table, it first checks the target country corresponding to the multi-identifier network packet, and then assigns the multi-identifier network packet to the exit table of the corresponding country for processing. The processing includes the following sub-steps:

Step A1: The digital customs discards multi-identifier network packets from users without exit permits;

Step A2: When the digital visa carried in the multi-identifier network packet is the same as the LastVisa in the exit form, the digital customs directly signs the digital passport in the multi-identifier network packet using the LastPass in the exit form and forwards the multi-identifier network packet. LastVisa refers to the digital visa of the user's previous multi-identifier network packet, and LastPass refers to the digital passport calculated based on the digital visa LastVisa of the user's previous multi-identifier network packet.

Step A3: When the digital visa carried in the multi-identifier network packet is different from the LastVisa in the departure form, determine whether the difference between the current time and LastTime is less than 8 seconds. If so, digital customs directly uses LastPass as the digital passport, fills the digital passport into the multi-identifier network packet, and forwards it immediately. LastTime refers to the time when the user's previous multi-identifier network packet arrived. If not, calculate the new digital passport based on the current time, update the departure form based on the new digital passport, and issue the new digital passport into the multi-identifier network packet.

A further improvement of the present invention is that, in step S6, an entry form is used and maintained in the digital customs. When a multi-identifier network packet is about to enter the network border, the digital customs performs verification processing through the entry form. The verification process includes the following sub-steps:

Step B1: If the sender does not hold a digital passport and is not in a visa-free situation, the multi-identifier network packet is directly discarded through the digital customs.

Step B2: If the sender holds a digital passport, the validity of the digital passport is verified through digital customs. If it is determined to be invalid, the digital customs discards the multi-identifier network packet containing the invalid digital passport; if it is determined to be valid, the digital passport and its digital visa corresponding to the multi-identifier network packet are verified.

The process of updating the entry form in step S6 includes any of the following steps:

Step C: Digital Customs traverses all entries in the entry form, calculating and updating the LastPass, Pass, and NextPass fields at fixed intervals. LastPass refers to the digital passport calculated based on the LastVisa digital visa of the user's previous multi-identifier network packet. Pass refers to the digital passport calculated based on the digital visa calculated at a fixed time after LastTime. NextPass refers to the digital passport calculated based on twice the fixed time after LastTime.

Step D: When the digital customs receives a multi-identifier network packet, it determines whether the LastPass in the entry form has expired. If so, it replaces LastPass with Pass and Pass with NextPass; otherwise, it returns.

A further improvement of this invention is that it also includes a mimicry defense step based on a weighted centrality algorithm. In the mimicry defense step, the indicators of each device in the multi-identifier network are first obtained, including degree centrality, proximity centrality, and betweenness centrality. After obtaining the above three indicators, each indicator is sorted to obtain a score for that indicator. Then, the scores of the three indicators are summed to obtain a sum value sum. The sum value sum is sorted to obtain the final centrality rank value Rank. For the storage server, a first weight is assigned, and its sum value sum is divided by 3 to obtain a new sum value sum'. For the border router, a second weight is assigned, and its sum value sum is divided by 2 to obtain a new sum value sum'. For the forwarding server, a third weight is assigned, and its sum value sum remains unchanged. The first weight is greater than the second weight, and the second weight is greater than the third weight.

A further improvement of the present invention is that it also includes step S7, which is used to establish a cyberspace management system; AI detection and management are carried out in the cyberspace management system, and when the cyberspace is interfered with or attacked, network traffic, user behavior and system logs are monitored and analyzed by at least one of data analysis, deep learning, reinforcement learning and model training, and stored in the blockchain log record.

A further improvement of this invention is that, in the cyberspace management system, when the attacker corresponding to the interference or attack cannot be found, compensation is provided through an insurance service company in cyberspace, or emergency assistance and support are provided through a cyberspace emergency response department, which includes domestic and international emergency response departments in cyberspace; both the insurance service company and the cyberspace emergency response department implement embedded identity authentication based on a multi-identifier network and access blockchain log records through multi-identifier addressing.

A further improvement of the present invention is that it also includes step S8, which is used to establish a cyberspace adjudication system; in the cyberspace adjudication system, when disputes and conflicts involving data assets, data privacy or cyberspace are involved, an investigation is conducted based on blockchain log records, and the investigation results are sent to the corresponding domestic or international cyber courts; and the relevant judgment records are published in the blockchain cyberspace.

This invention also provides a system for ensuring the trustworthiness and security of cyberspace, employing the method described above, and comprising:

The identity authentication and multi-identity addressing module implements embedded identity authentication and packet signing multi-identity addressing based on a multi-identity network. After registration, users first sign each published data packet with their private key and write it into the signature area of the multi-identity network packet. Intermediate routers periodically maintain a user information table obtained from the multi-identity management system. Upon receiving a packet, they extract the corresponding user's signature information from the table and then use the public key information obtained from the multi-identity management system to authenticate the received multi-identity network packet. After successful authentication, multi-identity addressing is performed using a packet format that supports variable packet length.

Define the module to define digital customs, digital passports, and digital visas based on a multi-identifier network;

The digital visa module performs a bitwise XOR operation on the time data and the digital visa key, and then uses a hash function to perform a one-way mapping on the data after the bitwise XOR operation to obtain a digital visa based on a multi-identifier network.

The digital passport module calculates a digital passport based on a multi-identifier network, using the hash value of the digital visa and the cross-border passport key.

The exit form module is used and maintained, and digital customs is implemented through a multi-identifier network router. The exit form is used and maintained through the digital customs.

Use and update the entry form module to verify the digital passport through the digital customs and update the entry form.

Compared with existing technologies, the beneficial effects of this invention are as follows: First, it achieves multi-identifier addressing with embedded identity authentication and packet signature based on a multi-identifier network. Then, it realizes the use and maintenance of exit forms and the use and updating of entry forms through digital visas, digital passports, and digital customs based on the multi-identifier network. This effectively provides a network system, method, and framework adapted to the current pace of development through the multi-identifier network and its management system, thereby more effectively ensuring the trustworthiness and security of cyberspace and providing a better foundation for ensuring order, rule of law, and peace in cyberspace. When disputes and conflicts involving data assets, data privacy, or cyberspace arise, the victim can conduct investigations based on blockchain log records and send the investigation results to the corresponding domestic or international cyber courts, providing a reliable basis for domestic or international cyber court litigation. This invention can be better applied in global cyberspace, facilitating the management of national cyberspace boundaries, protecting national cyberspace sovereignty, and combating transnational cyberattacks and crimes.

Building upon this foundation, a mimicry defense based on a weighted centrality algorithm was further implemented to improve the efficiency of network protection in a targeted manner according to user security needs; a martingale quantization model for attack-resistant stochastic processes was established to enhance the flexibility of the hierarchical analysis structure of cyberspace and further improve network integrity; and a cyberspace management system and a cyberspace adjudication system were established to provide guarantees for the security and trustworthiness of cyberspace and to lay a solid foundation for ensuring the safe, peaceful, rule-of-law-based, and orderly management of cyberspace.

Attached Figure Description

Figure 1 is a schematic diagram of the workflow of an embodiment of the present invention;

Figure 2 is a schematic diagram of the overall network space scheme architecture according to an embodiment of the present invention;

Figure 3 is a schematic diagram of security protection for a multi-identifier network system according to an embodiment of the present invention;

Figure 4 is a schematic diagram of the format of a multi-identifier network packet according to an embodiment of the present invention;

Figure 5 is a network diagram of an embodiment of the present invention for building an international cyberspace based on digital customs;

Figure 6 is a schematic diagram of a multi-identifier network security defense scheme according to an embodiment of the present invention;

Figure 7 is a schematic diagram of a hierarchical security scheme for a multi-identifier network according to an embodiment of the present invention;

Figure 8 is a schematic diagram of a Markov chain for a random wandering process according to an embodiment of the present invention;

Figure 9 is a schematic diagram of a multi-identifier network security protection mechanism according to an embodiment of the present invention;

Figure 10 is a schematic diagram of attack transfer in a multi-identifier network according to an embodiment of the present invention;

Figure 11 is a schematic diagram of an active defense cloud environment architecture according to an embodiment of the present invention;

Figure 12 is a schematic diagram of a virtual machine migration architecture according to an embodiment of the present invention;

Figure 13 is a task execution flowchart of an embodiment of the present invention;

Figure 14 is a schematic diagram of the network attack process;

Figure 15 is a detailed flowchart of an embodiment of the present invention.

Detailed Implementation

Before introducing the preferred embodiments of the present invention, the relevant technical solutions will be described first.

The first relevant technical solution is IP-VPN.

IP-VPN is the earliest virtual private network based on the IP architecture. Traditional VPNs, in their traditional sense, refer to networks where the connection between any two nodes lacks the end-to-end physical link required by traditional private networks. By leveraging a network platform provided by a public network service provider, user data can be transmitted via a logical link. IP-VPN, however, utilizes existing power information network resources to establish a virtual private network through packet encapsulation and encryption of IP network data. It establishes a private data transmission channel via a shared IP network, connecting remote branch offices, business partners, and mobile workers, providing end-to-end Quality of Service (QoS) guarantees and security services.

Currently, IP-VPNs primarily rely on the following four technologies to ensure data security: First, tunneling, which establishes a tunnel over a public network to encapsulate data during transmission, protecting its confidentiality and integrity. Second, encryption, which uses encryption algorithms to encrypt data, preventing unauthorized access or tampering during transmission. Third, key management, used to generate, distribute, and manage the keys required for encrypted communication, ensuring secure key sharing between communicating parties. Fourth, user and device authentication, verifying the identities of users and devices to ensure only legitimate users and devices can access the IP-VPN, preventing unauthorized access and attacks.

This related technical solution has the following drawbacks: Although IP-VPN is called a Virtual Private Network, it is essentially a logical concept built on the IP protocol architecture, rather than a true private network, which leads to several shortcomings. Over the past 20-30 years, IP-VPN has failed to truly solve security problems, exhibiting the following limitations: First, security challenges: Because IP-VPN relies entirely on the IP protocol, it faces challenges from various network security threats, such as data breaches and intrusion attacks. Second, trust issues: In traditional IP-VPNs, all nodes are considered trustworthy, which can lead to unauthorized nodes gaining access, increasing security risks. Third, scalability limitations: As network size and complexity increase, traditional IP-VPNs struggle to adapt to large-scale networks and growing user demands. Fourth, management complexity: Traditional IP-VPNs require complex configuration and management, including key management and authentication, which increases management complexity and cost.

The second relevant technical solution is the traditional firewall.

Traditional firewalls are network security devices that control network traffic by filtering IP addresses and service ports in data packets. However, firewalls are often ineffective against attackers using legitimate IP addresses and port numbers for malicious activities, as they typically only perform surface-level packet inspections. Even with Deep Packet Inspection (DPI), they still face numerous challenges. Generally, each malicious attack code has a unique signature, which can be used to distinguish viruses from legitimate application code. Antivirus programs identify viruses by storing the signatures of known viruses. In the ISO/OSI seven-layer network model, firewalls primarily operate between layers two and four, performing traffic control and analysis at these layers, with only a minor impact on layers four through seven. Antivirus software primarily identifies viruses between layers five and seven.

Firewalls are a common network security technology, but they are still protection measures based on IP architecture. This type of technology has the following drawbacks: First, it cannot deal with advanced threats. Traditional firewalls mainly rely on known virus signatures or rules for detection, and cannot effectively deal with new advanced threats and unknown attack patterns. Second, it cannot identify application-layer threats. Traditional firewalls perform traffic control and analysis at network layers below Layer 4, and often cannot identify and block threats hidden at the application layer. Third, it is vulnerable to deception. Traditional firewalls are easily bypassed by attackers using deceptive techniques, such as encrypted communication or disguised traffic. Fourth, it limits network performance. Traditional firewalls require deep packet inspection and rule matching, which has a certain impact on network performance, especially in high-traffic environments, potentially leading to reduced network latency and throughput.

The third related technical solution is IDS and IPS.

To fill the gap between layers four and five of the seven-layer network model, where firewalls and antivirus software operate, the industry has introduced Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). IDS primarily detects and alerts on abnormal intrusion behavior. IPS, on the other hand, primarily detects malicious activities clearly identified as attacks that could harm the network and provides corresponding defenses. IPS, comparatively, places greater emphasis on risk control.

IDS (Intrusion Detection System) can monitor network traffic in real time and immediately alert administrators or firewalls when anomalies are detected. IDS is a monitoring device that can operate without being bridging any links. Therefore, deploying an IDS requires connecting it to a link that traffic must pass through. IDS is typically placed as close as possible to the attack source or protected resource, such as switches in server areas or LAN switches in protected network segments.

Similar to Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS) focus on defense within the data itself, such as searching for attack code signatures, filtering or dropping malicious packets. Most IPS also incorporate anomalous behavior in applications or network transmissions to aid in attack identification. Examples include user programs violating security regulations, packet sending and unpacking during sensitive periods, and the exploitation of application vulnerabilities. IPS not only considers known virus signatures but, more importantly, identifies attack programs or malicious code and their clones and variants, taking preventative measures to prevent or at least mitigate their harm as early as possible. In practice, IPS is often used as a supplement to firewalls and antivirus software. When necessary, IPS can also provide valid evidence for pursuing the criminal liability of attackers.

However, this related technical solution has the following drawbacks: IDS systems lack effective solutions for identifying large-scale, combined, distributed intrusion attacks, resulting in severe false positives and false negatives. False positives distract administrators, hindering their ability to respond to genuine attacks. Conversely, false negatives raise concerns about whether IDS can detect all attacks on the network as attack methods evolve. IDS technology employs a pre-configured and signature-based operating principle, meaning that detection rules always lag behind updated attack methods, preventing proactive discovery of network security vulnerabilities and faults. Furthermore, IDS only detects and alerts; it lacks the ability to truly defend against and prevent attacks. By the time an alert is issued, the attack has already occurred.

IPS technology also suffers from single points of failure, performance bottlenecks, false positives, and false negatives. The design requires IPS to operate embedded in the network, which can lead to bottlenecks or single points of failure. While a faulty Intrusion Detection System (IDS) might at worst result in some attacks going undetected, a problem with an embedded IPS device can severely impact network operation. If an IPS fails and shuts down, users will face a denial-of-service (DoS) issue, preventing all customers from accessing applications provided by the enterprise network. Because it can detect and block attacks in real time, IPS significantly improves the efficiency and effectiveness of security protection. However, IPS's weaknesses also stem from its strengths. Using the same detection technology as IDS, IPS also faces the risk of false positives and false negatives. Upon detecting an intrusion, IPS needs to immediately decide whether to allow or block data packets, so false positives and false negatives in IPS can lead to more severe consequences than with IDS. While false positives in IDS might at most increase network noise and add hassle for network administrators, false positives in IPS can lead to a DoS, denying legitimate access.

The fourth related technical solution is a Web application firewall.

A Web Application Firewall (WAF) is a device specifically designed to protect web applications. It protects web applications by enforcing a series of security policies specific to HTTP/HTTPS. In recent years, as web applications have become increasingly rich and complex, web servers have gradually become a primary target for attackers, with security incidents such as SQL injection, website tampering, and malware injection occurring frequently. Traditional firewalls and similar devices are often ineffective against these threats, while web application protection systems can solve these problems.

Unlike traditional firewalls, Web Application Firewalls (WAFs) operate at the application layer. By learning the business processes and logic of web applications, WAFs can inspect various types of requests from web application clients, verifying the security and legitimacy of their content and promptly interrupting illegal requests, thereby protecting website security. The main functions of a WAF include auditing devices, access control devices, architecture design tools, and web application hardening tools. Auditing devices are used to intercept HTTP data or sessions that meet certain rules; access control devices control access to web applications, providing two security modes: active security and passive security; architecture design tools, in reverse proxy mode, are used for assigning functions, centralized control, and virtual infrastructure; and web application hardening tools enhance the security of protected web applications, including protection against attacks, vulnerabilities, hidden links, web crawlers, malware injection, and DDoS attacks.

This related technical solution has the following drawbacks: While WAF plays a role in mitigating hacker attacks, it also has significant limitations. First, WAFs have a certain chance of being bypassed. WAFs parse the HTTP(S) protocol themselves, which may lead to inconsistencies between their interpretation and the web server's understanding of HTTP(S) requests, resulting in bypass attempts. Second, WAF defenses often lag behind hacker attacks, failing to effectively identify and block new types of attacks. Most WAFs on the market are based on rule matching; that is, the WAF filters received data packets using regular expressions. If the regular expression matches attack code in an existing vulnerability knowledge base, it is considered malicious and blocked. Obviously, rule updates often lag behind attacks. Finally, WAFs are always inadequate in defending against logical vulnerabilities. WAF attack identification relies on a pre-defined rule base, rendering it powerless against seemingly "normal" business logic vulnerabilities, such as unauthorized access, arbitrary password resets, and weak password vulnerabilities.

The fifth related technical solution is situational awareness.

Situational awareness, proposed in the 1980s, encompasses three levels: perception, understanding, and prediction. Based on Endsley's theory, cybersecurity situational awareness is defined as the comprehensive analysis of cybersecurity elements, assessment of the cybersecurity situation, prediction of its development trends, and presentation of these findings to users in a visual manner, along with corresponding reports and countermeasures. A situational awareness platform should utilize big data and machine learning technologies to extract massive amounts of data and conduct multi-dimensional correlation analysis. It should provide alerts for security risks, trend prediction, and other capabilities. Massive data, correlation analysis, large-screen display, and trend prediction are the four key aspects. Among these, trend prediction is the most crucial and also the most challenging to implement.

Situational awareness focuses on enhancing the prediction of security trends through technologies such as big data and machine learning. Currently, domestic security vendors offer situational awareness products with functional modules including asset management, vulnerability management, big data platforms, log analysis platforms, threat intelligence, sandboxing, user behavior analysis, network traffic analysis, forensics and tracing, and threat capture. As the monitoring scope expands, so does the amount of data, necessitating a big data platform with large-scale processing and computing capabilities—a crucial foundation for the entire situational awareness platform. Threat intelligence is critical for reducing junk data and alarm noise in large volumes of data and alerts, helping to discover attack behaviors and attackers more quickly and efficiently. The quality of threat intelligence is a significant aspect of evaluating the capabilities of a situational awareness platform. The core purpose of utilizing such a platform is to monitor complex and advanced attacks. This requires the situational awareness platform to first capture micro-level states; low-cost, high-efficiency, full-element data collection capabilities are fundamental. Current cyberspace attack defense is no longer based on feature-based monitoring; it requires the use of threat intelligence and expert experience to build scenario-based analysis systems. This is a continuous learning and referencing process in the ever-evolving offensive and defensive confrontation, requiring continuous operation and management of such analysis.

This related technical solution has the following drawbacks: Traditional security situation awareness is designed only to collect and analyze network behavior data, primarily focusing on a single network environment. As network scale continues to expand, corresponding indicator systems emerge, but these indicators are often incomplete and lack accuracy and real-time performance. The emergence of big data technology has improved perception capabilities, while deep learning has enhanced predictive analysis capabilities. Therefore, security situation awareness systems possess practical application capabilities, but this relies on large amounts of historical and correlated data. However, the network landscape changes rapidly, and relying solely on prior knowledge is insufficient to accurately address fragmented and long-latent threat behaviors. Identifying new threats, in particular, presents significant challenges.

The sixth related technical solution is the zero-trust concept.

In 1994, the term "zero trust" was coined by Stephen Paul Marsh in his doctoral dissertation on computer security at the University of Stirling. Marsh viewed trust as something that could be mathematically described and argued, asserting that trust should not include human factors such as morality, ethics, legitimacy, justice, and judgment. In 2010, John Kindervag, an analyst at Forrester Research, used the term zero trust model to describe stricter cybersecurity initiatives and access controls within companies. In 2013, the Cloud Security Alliance (CSA) proposed a new generation of cybersecurity architecture—Software-Defined Perimeter (SDP)—as the first technical solution for zero trust. From 2018 to 2020, NIST and NCCoE conducted related work and released two draft versions of the zero trust standard, defining zero trust (ZT) as a set of concepts and ideas aimed at reducing uncertainty in making accurate, on-demand access decisions in information systems and services when faced with networks perceived as compromised.

Zero-trust security comprises five basic assumptions: First, the network is always in a dangerous environment; second, the network is always threatened by external or internal threats; third, the location of the network is insufficient to determine its trustworthiness; fourth, all devices, users, and network traffic should be authenticated and authorized; and fifth, network security policies must be dynamic and calculated based on as many data sources as possible.

Zero Trust is not a standalone product or single device, but rather an evolving cybersecurity paradigm that shifts the focus from static, perimeter-based traditional defenses to those addressing users, assets, and resources. Zero Trust does not completely abandon existing security technologies and start from scratch; it still utilizes many traditional cybersecurity techniques, such as authentication and access control. Zero Trust simply shifts the scope of authentication and control from the broad network perimeter to individual or small-group resources.

Zero Trust is underpinned by three key technologies. The development and deployment of the Zero Trust model inevitably involves complex technological iterations and upgrades, encompassing core technologies such as Identity and Access Management (IAM), Micro Segmentation, and Software-Defined Perimeter (SDP). First, Identity and Access Management (IAM) comprehensively verifies identities through dynamic authentication and authorization, forming the cornerstone of the Zero Trust architecture. IAM technology addresses key issues such as unique identity identification, identity attributes, and full lifecycle management of identities. Second, Micro Segmentation isolates internal and external system hosts through finer-grained resource segmentation and independently controls access permissions, effectively preventing the lateral propagation of unauthorized access. Finally, Software-Defined Perimeter (SDP) establishes virtual boundaries in "mobile + cloud" environments, allowing only users with device and identity authentication to access resources through temporary, single "access tunnels" without revealing resource locations. These three technologies are the core components of the Zero Trust architecture, and Zero Trust security has been widely adopted in recent years.

This related technical solution has the following drawbacks: The zero-trust concept has been promoted for decades since its inception in 1994, yet the global cybersecurity field still experiences one of the top ten impactful incidents every year. Furthermore, Facebook has also suffered a large-scale personal data breach. For other countries, zero trust requires trust in an IP network domain name system controlled by a single organization, making true zero trust even more difficult to achieve.

The rapid development of the internet has brought significant challenges to the existing network infrastructure. Despite decades of research into cybersecurity by key players in IP invention and network control, cybersecurity incidents still occur in the top ten cybersecurity incidents every year. Existing unilateral domain name management systems are inadequate in terms of professional service quality and security control. Furthermore, the aforementioned technical solutions cannot guarantee the trustworthiness and security of cyberspace in a globalized world. To ensure a trustworthy, secure, orderly, law-abiding, and peaceful cyberspace, a network architecture, methodology, and system adapted to the current pace of development is needed.

Therefore, this embodiment aims to provide a method and system for ensuring the trustworthiness and security of cyberspace, to meet the needs of network architectures, methods, and systems that adapt to the current pace of development. The preferred embodiments of the present invention will be further described in detail below with reference to the accompanying drawings.

The next-generation network architecture should support a multi-identifier system encompassing content, identity, IP address, service, and geospatial attributes, creating a cyberspace shared by all humanity and governed, managed, and shared by all nations. This new network architecture should possess a high level of security, be scalable and evolvable to adapt to future network developments, and require a comprehensive framework for security awareness and embeddable modular design to prevent and respond to various attacks. When a low-probability attack breaches security defenses, the system needs appropriate mechanisms to resolve the conflict and feed the results back to the existing cyberspace to maintain peace, security, and the rule of law.

Therefore, as shown in Figures 1 to 14, this embodiment provides a method for ensuring the trustworthiness and security of cyberspace, including the following steps:

Step S1: Implement embedded identity authentication and packet signing for multi-identity addressing based on a multi-identity network. After registration, the user first signs each published data packet with their private key and writes it into the signature area of the multi-identity network packet. The intermediate router periodically maintains the user information table obtained from the multi-identity management system. After receiving a packet, it extracts the signature information of the corresponding user from the table and then uses the public key information obtained from the multi-identity management system to authenticate the received multi-identity network packet. After successful authentication, multi-identity addressing is performed using a packet format that supports variable packet length.

Step S2, define digital customs, digital passports, and digital visas based on a multi-identifier network;

Step S3: Perform a bitwise XOR operation on the time data and the digital visa key, and use a hash function to perform a one-way mapping on the data after the bitwise XOR operation to obtain a digital visa based on a multi-identifier network.

Step S4: Calculate the digital passport based on the hash value of the digital visa and the cross-border passport key;

Step S5: Implement digital customs through a multi-identifier network router, and use and maintain the exit form through the digital customs.

Step S6: Verify the digital passport using the entry form through the digital customs and update the entry form.

This embodiment also provides a system to ensure the trustworthiness and security of cyberspace. As shown in Figure 2, the system employs the aforementioned method for ensuring the trustworthiness and security of cyberspace, including a cyberspace based on the MIN architecture, security technologies, and packet data networks. This includes a cyberspace based on MIN, a cyberspace management system that provides security from a management perspective, and a cyberspace adjudication system based on MIN that provides security from a legal perspective, in order to provide a network system, method, and system that adapts to the current pace of development.

To ensure the credibility, security, order, law-abidingness, and peace of the global cyberspace shared by all countries, it is necessary to address technical issues. As shown in Figure 3, this can be achieved by combining security technologies, the management of various entity systems, and the domestic/global international legal arbitration systems. These systems can include online courts and traditional domestic/international courts.

First, technically, this embodiment employs a network based on the MIN architecture. In the MIN network, each country establishes a digital customs checkpoint at the entry/exit routers to issue digital passports for MIN network packets departing from its territory and verify digital visas for MIN network packets entering from abroad. Through this digital passport and digital visa mechanism, countries can effectively control the entry and exit of MIN network packets, combat transnational cybercrime and attacks, and safeguard their own cyberspace sovereignty. MIN stands for Multi-Identifier Network.

Second, various security technologies based on the MIN system network are adopted. Figure 3 is a schematic diagram of the MIN system's security protection. The MIN system relies on strong consistency that satisfies the CAP theorem, linear scalability, availability, and partition tolerance, with blockchain multilateral co-management of global and national cyberspace. It implements real-name registration for network use and uses cryptographic recording of various biometric technologies to achieve a balance between privacy protection and controllability. Each individual user and organization has a cryptographic account and public/private keys. Registration with the blockchain system is required before using the network. Each interaction and communication session verifies identity before communication, and each access, read, and write log is recorded by the blockchain for traceability and non-repudiation. The application of various new technologies, such as blockchain, quantum technology, quantum blockchain, intrinsic security, and mimicry defense, transforms unknown threats into known threats at the technical level, improving the security index.

Third, effective management is the fundamental guarantee of security; without it, technical solutions will be difficult to implement. Each unit and individual system can prevent and handle anomalies during network usage through AI-based proactive prediction and detection, combined with human administrator intervention. In the event of unattended incidents, the emergency response department will handle the matter and provide compensation.

Fourthly, there is the rule of law, legal system, and judicial system. Countries worldwide have laws related to cyberspace, allowing victims to report incidents involving asset, data privacy, or other cyber threats to the police. Since all interactions are logged and traceable, cyber police can use the logs recorded by the blockchain system to identify potential initiators. If the parties are from the same country, the case is adjudicated by that country's domestic cyber court; if they are from different countries, the case is adjudicated by an international cyber court. Those who commit negligence or crimes will receive legal sanctions, financial compensation, or imprisonment, and the records and execution of these judgments will be published in the blockchain cyberspace.

The MIN network used in this embodiment supports top-level identifiers being jointly managed by various countries, enabling interconnectivity; lower-level identifiers are managed independently by each country, ensuring sovereign autonomy. Simultaneously, digital customs technology facilitates the confirmation and protection of cross-border data assets for individuals and enterprises. Finally, by combining security technologies, the management of various entity systems, and legal arbitration mechanisms, the system's continuous establishment and operation are achieved, forming a closed loop. This provides a trustworthy and secure cyberspace method and system based on technological solutions, ensuring that no one dares to intentionally attack or damage another's network assets or reputation, or manipulate another's physical systems, such as controlling another's car or production equipment, including but not limited to manipulating a car to harm another's personal safety.

Step S1 in this embodiment is used to provide a multi-identifier addressing technology solution based on embedded identity authentication and packet signature of a multi-identifier network.

This embodiment employs a MIN system with embedded identity authentication and packet signing multi-identifier addressing. Before joining the network, each user and device must register their real identity information in the MIS consortium blockchain to obtain a unique identifier. Each subsequent data packet must be signed with the corresponding private key for authentication by forwarding and receiving nodes. This achieves a tight binding between users and content. If there is a problem with the published or requested content, the individual can be accurately located, ensuring effective management and control of behavior and resources. The participants in the overall identity registration and packet forwarding process include the MIN client, the MIS system, and the MIN router. MIS stands for Multi-Identifier System.

In this embodiment, step S1 preferably includes steps S101 to S103.

Step S101: In this embodiment, the user registration process is preferably based on asymmetric cryptography. The multi-identity network client generates a public key and a private key for the user locally, and then submits the public key and the identity information signed with the private key to any node in the multi-identity management system. When a node receives a request, it performs verification. First, it checks the format, then searches for user information in its local database, and performs simple verification on some of the content, including but not limited to whether the username is valid, whether there is duplicate user information, and whether the user's public and private keys are valid. If any of the above verifications fail, an error message is returned to the user. If all verifications are successful, the ledger node of the multi-identity management system consortium chain generates a transaction and sends it to all blockchain nodes. When a voting node in the blockchain receives a pre-block, it votes on whether to allow the pre-block to become a formal block. The formal block includes the form of -1, 0, or 1. The leader node collects the voting results, counts them, and generates a voting proof. The block information of the pre-block that passes the vote is stored, preferably in a MongoDB database, and user registration information is extracted from the block information and stored in the user registry.

In step S102, after registration, the user signs each published data packet with their private key. Preferably, the SM2 elliptic curve algorithm is used to write the digital signature into the signature area of the multi-identifier network packet. The intermediate router periodically maintains the user information table obtained from the multi-identifier management system (MIS). After receiving a message, it extracts the signature information of the corresponding user from the table and then uses the public key information obtained from the multi-identifier management system to authenticate the received multi-identifier network packet.

Besides security factors, considering that different users may have different addressing needs, the routing process should correspond to different identifiers. To support multiple identifiers and break free from the reliance on traditional network addressing, this embodiment combines the aforementioned identity authentication technical solutions to design a corresponding multi-identifier addressing method. Different identifiers are suitable for different transmission semantics, mainly including the "push" mode represented by IP network architecture and the "pull" mode represented by Content-Centric Network (CCN).

Therefore, in step S103 of this embodiment, after identity authentication is passed, corresponding multi-identifier addressing is performed through a message format that supports variable message length to enhance the flexibility and scalability of network packet definition; at the same time, in terms of security, the message format supports ensuring the integrity of network packets by embedding digital signatures in each network packet, and supports traceability.

As shown in Figure 4, this embodiment uses network packet encoding for multi-identifier-addressed messages, which includes three elements: type, size, and data. These three elements are represented by T (type), S (size), and D (data), respectively. This encoding method supports hierarchical nesting and has variable length characteristics, providing stronger scalability. The data packet in the message format includes four areas: an identification area, a signature area, a read-only area, and a variable area.

The Identifier area described in this embodiment stores one or more identifiers to distinguish different network packets. The Signature area stores one or more digital signatures. Each digital signature consists of signature information and a signature value. The signature information refers to the signature type and the location of the certificate used to verify the signature. After obtaining their public and private keys, users register in the MIS system. Each time a packet is sent, the user signs the packet information with their private key and writes it into this area for authentication of the sender by forwarding nodes or source nodes. This signature area is expandable, meaning that users can choose different security levels of signature schemes, such as hop-by-hop signing or source-end signing, according to their security requirements. The Read-Only area stores data blocks filled by the network sender, containing zero to multiple TSD data blocks, which cannot be tampered with by intermediate routers. The Read-Only area and the Signature area work together to ensure the authenticity, integrity, and non-repudiation of the sent content. The mutable area includes a protected area and a dangerous area. The protected area stores modifiable fields that require signatures, and is used to store relatively important but modifiable fields. The dangerous area stores modifiable fields that do not require signatures, and is used to store low-importance and modifiable information, such as Time To Live (TTL). During routing, pull semantics are used for different identifiers, content identifiers, and service identifiers, and interest packets and data packets are used for communication. Push semantics communication uses General Push Packets (GPPkt). Common identifiers using push semantics include identity, geographic information, and IP identifiers.

Routing devices preferably employ Multi-Identifier Routers (MIRs). An MIR includes logical interfaces, packet verification modules, forwarding modules, forwarding table modules, and decision-makers. Upon receiving a packet, the MIR first performs a format check and distinguishes the packet type by identifying the identifier type stored in the identifier area. Only multi-identifier network packets (also known as MIN packets) are forwarded. For each MIN packet, the MIR first verifies the validity of its signature using the packet verification module. If verification fails, the packet is discarded. If verification passes, the packet is passed to the identifier selection module, which selects the appropriate identifier for forwarding and distinguishes different network packets based on the identifier, executing the corresponding forwarding process accordingly.

(1) Interest Packet: First, query the local content cache. If the cache is hit, return the requested data directly. Otherwise, query the Pending Interest Table (PIT). If a matching entry exists in the PIT, it means that an interest packet with the same name has already been sent but not satisfied. Aggregate these identical interest packets, record the logical interface that received the interest packet in the corresponding PIT entry, and stop forwarding the interest packet. If no matching entry exists in the PIT, create a PIT entry for it and query the Forwarding Information Base (FIB) for a matching route. If the query is successful, forward the packet according to the forwarding policy; otherwise, discard the packet or return a NACK message according to the forwarding policy.

(2) Data packet: First, query the PIT table. If no matching entry is found, it means that the data packet is not requested by the user and is discarded directly; otherwise, the data packet is stored in the local cache and forwarded according to the forwarding policy.

(3) GPPkt packets: MIR processes them in a similar way to IP routers. It queries the destination identifier in FIB. If no matching entry is found, the packet is discarded. Otherwise, it is forwarded according to the forwarding policy.

In addition to the network layer, this embodiment also verifies the identity of each user at the application layer. Furthermore, all user access behaviors are subject to relevant constraints based on their access permissions. If the user's permissions allow them to perform the relevant operation, then the user can access the service normally; otherwise, the user's operation will be denied and recorded by the MIS.

In this embodiment, legitimate users undergo real-name authentication, and users are required to sign when retrieving data from the network. For data requested by users within the MIN system, both the content and the requester are recorded by the blockchain. In case of problems, immediate backtracking and accountability can be implemented, ensuring the authenticity and reliability of information and mitigating malicious operations by internal network users to a certain extent. The above technical solution enables countries to manage cyberspace in a manner similar to that in the real world, where everyone has a digital passport, and entering other countries requires a digital visa. All actions will leave an undeniable record in the consortium blockchain of each country's and its own digital customs or in the domestic cyberspace.

Step S2 in this embodiment defines digital customs, digital passports, and digital visas based on a multi-identifier network. In step S2, the digital customs based on a multi-identifier network refers to a border router that processes inbound and outbound multi-identifier network packets, determines whether domestic multi-identifier network packets can leave the country, issues digital passports for outbound domestic multi-identifier network packets, and verifies digital visas for inbound foreign multi-identifier network packets. The multi-identifier network packet is also called a MIN network packet or MIN packet. The main design requirements of the digital customs include, while meeting the functions of a regular multi-identifier network router, the ability to realize the functional requirements of a digital customs, with a single digital customs office capable of handling the network inbound and outbound needs of tens of millions of users. Digital customs can effectively control the inbound and outbound of MIN network packets, thereby shaping and maintaining the cyberspace sovereignty of various countries.

Digital passports and digital visas based on multi-identifier networks refer to different specific fields carried on multi-identifier network packets. These specific fields are generated and verified through one or more methods, including encryption, hash calculation, and certificates. Applying these digital passports and digital visas based on multi-identifier networks to cyberspace for the first time can manage national cyberspace boundaries through reliable technical solutions, protect national cyberspace sovereignty, and combat transnational cyberattacks and crimes.

Specifically, in a multi-identifier network, the digital passport refers to a specific field carried on the MIN network packet. This field can be generated and verified using methods such as encryption, hashing, or certificates. This field is added solely by digital customs to ensure its security and reliability. The digital passport cannot be forged by other countries and can resist cyberattacks such as replay attacks. The calculation of the digital passport is simple and efficient, reducing the computational burden on digital customs, a point that will be described later. The digital passport can reflect a country's endorsement and recognition of its cyberspace sovereignty over outbound MIN network packets, defining clearer boundaries of responsibility for cybersecurity incidents and promoting global cyberspace governance.

In multi-identity networks (MINs), a digital visa refers to a specific field on a MIN packet. This field can be generated and verified using methods such as encryption, hashing, or certificates. This field must be added by the user and cannot be forged by digital customs, thus ensuring that the MIN packet originates from an authorized overseas user and is not forged by a foreign country's digital customs. Digital visas can defend against cyberattacks, such as replay attacks. The computation of digital visas is simple and efficient, reducing the computational burden on digital customs, a point that will be described later. Digital visas can effectively protect cyberspace boundaries, prevent the leakage of domestic network data and assets, and effectively combat global transnational cyberattacks and crimes.

Due to the scalability and evolvability of multi-identifier networks, there are multiple options for implementing digital customs, digital passports, and digital visas, and these methods can evolve continuously with technological advancements. This embodiment provides a preferred implementation scheme in steps S3 to S6. Figure 5 shows a schematic diagram of digital customs governing the global network boundary, i.e., a network diagram of building an international cyberspace based on digital customs.

Step S3 in this embodiment aims to implement a digital visa based on a multi-identifier network. In this embodiment, the digital visa is defined as a 256-bit hash value used to determine whether a MIN network packet originating from outside the country can enter the sovereign nation's cyberspace. Considering that the multi-identifier network supports both push and pull semantics, the digital visa is only applicable to general push packets under push semantics and interest packets under pull semantics.

In a Multi-Identifier Network (MIN), each user obtains a 256-bit MIN identity from a Multi-Identifier Management System (MIS). Users apply for a CyberSpace Visa Key (CVK) from foreign digital customs using their real identity information and MIN identity information. Real identity information includes physical passport data and biometric data, while the CVK is a 256-bit key. Foreign digital customs records the user's MIN identity information, CVK, and real identity information. Users retain their CVK. If a CVK is leaked, the user should promptly report the loss to foreign digital customs and apply for a new one.

In the specific technical solution of the digital visa described in this embodiment, it is preferable to pre-agree on a 256-bit digital visa key (CVK) between the user and the foreign digital customs, and use a hash function based on the current international time to calculate and verify the digital visa, thereby ensuring fast calculation speed and high security; and without affecting the upper-layer protocol, it is suitable for the calculation needs of digital passports in large-scale cross-border scenarios.

Specifically, step S3 in this embodiment preferably includes the following sub-steps:

Step S301: Calculate the time parameter Time using the formula Time = UNIX Time and 0xFFFFFFFFFFFFFFFF0, where UNIX Time is a 64-bit integer representing the number of seconds elapsed since the preset time, and the lowest 4 bits of the number of seconds UNIX Time in binary are set to 0.

Step S302: Copy the time parameter Time four times and concatenate them bit by bit using the formula Time256＝Time×(1+2 ⁶⁴ +2 ¹²⁸ +2 ¹⁹² ) to obtain the 256-bit time data Time256;

Step S303: Perform a bitwise XOR operation on the time data Time256 and the digital visa key CVK using the formula Visa = SHA256(Time256 xor CVK), and perform a one-way mapping of the hash function to obtain the digital visa based on the multi-identity network; the digital visa key CVK is a 256-bit key, which is associated with the user's multi-identity network identity information and real identity information; xor represents the bitwise XOR operation.

In other words, this embodiment can calculate the digital visa corresponding to a MIN network packet as follows: UNIX Time is a 64-bit integer representing the number of seconds elapsed since a preset time, which defaults to the number of seconds elapsed since January 1, 1970 (midnight UTC/GMT), ignoring leap seconds. The preset time can be set and adjusted according to actual conditions and needs, with the default being January 1, 1970 (midnight UTC/GMT). This embodiment preferably assigns the lowest 4 bits of the seconds UNIX Time to 0 to obtain the time parameter Time, reducing computational complexity; the time parameter Time changes every 16 seconds, with values being multiples of 16. The 64-bit Time is copied four times and concatenated bitwise to form a 256-bit Time256. The time data Time256 and the digital visa key CVK are XORed bitwise, and then the SHA256 hash function is used for one-way mapping to the digital visa.

It should be noted that when the UNIX Time (seconds) is near a multiple of 16, the time used by the user to calculate the digital visa may differ by 16 seconds from the time used by digital customs to calculate the digital visa. This situation can prevent MIN network packets holding valid digital visas from entering the country smoothly, thus seriously affecting the reliability of cross-border network services. Therefore, in this embodiment, in step S3, both the digital visa calculated using the current time and the time 16 seconds ago are valid, thereby effectively avoiding this problem of affecting cross-border network services due to time differences.

This embodiment, based on a multi-identifier network, implements digital visas and, in addition to the scalability and security of multi-identifier networks, offers the following advantages: First, by using hash functions instead of symmetric or asymmetric encryption algorithms, the digital visa (CVK) can be calculated faster, adapting to high-volume scenarios in cross-border management. Second, the one-way nature of hash functions prevents reverse engineering of the digital visa key (CVK), making it highly secure. Third, aside from hash function operations, all operations in step S3 are binary bitwise operations, resulting in very high hardware execution efficiency. Fourth, the calculation of the digital visa is time-dependent, effectively preventing replay attacks.

In this embodiment, a digital visa key (CVK) is agreed upon by the user and the digital customs authority. When the hash value of the digital visa calculated by the user based on the CVK and time matches the hash value of the digital visa calculated by the digital customs authority based on the corresponding user's CVK and time, it can be confirmed that an authorized foreign user is entering sovereign cyberspace. When the hash values of the two digital visas do not match, the MIN network packet containing an invalid digital visa is directly discarded.

Therefore, through digital visas for cyberspace, digital customs can ensure that all MIN network packets entering cyberspace originate from authorized foreign users. Digital customs can revoke digital visas used for illicit activities and hold the corresponding digital visa holders accountable. This will effectively protect cyberspace boundaries from foreign attacks, prevent domestic data from being easily retrieved by foreign users, and provide a better foundation for shaping cyberspace sovereignty.

Step S4 in this embodiment is used to implement a digital passport based on a multi-identifier network. In this embodiment, the digital passport is defined as a 256-bit hash value signed by digital customs for a MIN network packet. The digital passport is applicable to interest packets and data packets under pull semantics, and general push packets (GPPkt) under push semantics.

Users apply for digital passport access from their country's digital customs using their real identity information and MIN identity information. Real identity information includes a physical passport and biometric data. Digital customs records the real identity information and MIN identity information of users holding online passport access.

Country A agrees with each of the other countries on a 256-bit Cross-State Passport Key (CPK). When a MIN packet is sent from Country A to Country B, Country A's digital customs issues a "digital passport" for the MIN packet in the following manner. The Cross-State Passport Key (CPK) is preferably pre-agreed between Country A and Country B.

Specifically, in step S4 of this embodiment, the digital passport Pass based on the multi-identifier network is calculated by the formula Pass = SHA256 (Visa xor CPK), where CPK refers to a pre-agreed 256-bit cross-border passport key.

This embodiment, based on a multi-identifier network, implements digital visas and, in addition to the advantages and characteristics of multi-identifier networks, offers the following advantages: First, since the calculation of a digital visa is time-dependent, and the digital passport is also calculated based on the digital visa, it is also time-dependent, thus preventing replay attacks on the digital passport. Second, hash functions are unidirectional, and the cross-border passport key CPK has high security; the cross-border passport key CPK is a pre-agreed private agreement between two countries, thus preventing the digital passport from being forged by other countries. Third, since the digital passport is calculated from the digital visa, digital customs only needs to verify the digital passport, which is equivalent to verifying the digital visa simultaneously, effectively reducing the workload and processes of digital customs and minimizing unnecessary latency in cross-border networks.

When Digital Customs receives a MIN packet, it calculates the hash of the user's valid digital passport pass using the cross-border passport key (CPK) and digital visa key (CVK), and verifies whether the hashes match. If the digital passport pass is incorrect, the MIN packet is discarded. MIN packets include, but are not limited to, interest packets, data packets, or GPPkts.

Through digital passports, digital customs can ensure that all MIN network packets entering the country's cyberspace are legally authorized by other countries. Simultaneously, digital customs can also deny access to foreign networks to certain users, such as those with a history of cyberattacks. By using digital passports based on multi-identifier networks, it can help reduce transnational cyberattacks and cybercrime, delineate clearer cyberspace boundaries, and ensure the trustworthiness and security of cyberspace.

Step S5 in this embodiment involves issuing digital passports through digital customs based on a multi-identifier network. Digital customs is a multi-identifier network router specifically designed for border management. Digital customs uses an Exit Border Table (EBT) to sign digital passports for outgoing MIN network packets. The Exit Border Table (EBT) stores some fields for each user, as shown in Table 1 below.

Table 1. Schematic diagram of storage fields in the Exit Form (EBT)

Because the cross-border passport key (CPK) is privately negotiated between countries, the hash value of the digital passport pass issued for travel to different countries is different. Therefore, there are multiple exit tables (EBTs) in digital customs, each corresponding to a destination country. In the table above, Identity is the user's MIN identity. Passport holder indicates whether the user's MIN packet is allowed to leave the country. LastVisa is the digital visa in the user's previous MIN packet. LastPass is the digital passport pass calculated based on LastVisa. LastTime is the arrival time of the user's previous MIN packet, in binary format with the lowest 4 bits set to 0.

When digital customs forwards an outbound MIN packet based on the Forwarding Information Base (FIB), it first checks the target country of the MIN packet and then assigns the MIN packet to the corresponding country's Exit Transaction Board (EBT) for processing. This process executed by digital customs is represented by the following pseudocode: the process of issuing a digital passport (Pass) through the MIN packet within digital customs.

Algorithm 1Sign the Cyberspace Passport for a MIN packet P

1:id＝P.ldentily

2:if EBTlid].Passportllold=False then:Drop the Packet P

4: return

5:end if

6:if EBTlid].LastVisa＝P.Visa then7:P.Pass＝EBTid].LastPass

7:P.Pass＝EBTid].LastPass

8:else

9:if NowTime-EBTlid].LastTime<8then

10:P.Pass＝EBTlid].LastPass

11: Send the Packet P

12:SlowUpdateEBT(id,P.Visa)

13:else

14: FastUpdateEBT(id, P.Visa)

15:P.Pass＝EBTlid].LastPass

16: Send the Packet P

17:end if

18:end if

19:return

Digital Customs first discards MIN network packets from users without exit permits. When the digital visa carried in the MIN network packet matches the LastVisa in the Exit Form EBT entry, Digital Customs directly signs the digital passport pass in the MIN network packet using the LastPass from the Exit Form EBT entry and forwards the MIN network packet. Based on this design, this embodiment can effectively reduce the load and latency caused by calculating the digital passport pass.

In other words, in step S5 of this embodiment, the digital customs stores multiple exit tables, each corresponding to a target country. When the digital customs receives a multi-identifier network packet forwarded from the forwarding table, it first checks the target country corresponding to the multi-identifier network packet, and then assigns the multi-identifier network packet to the exit table of the corresponding country for processing. The processing includes the following sub-steps:

Step A1: The digital customs discards multi-identifier network packets from users without exit permits;

Step A2: When the digital visa carried in the multi-identifier network packet is the same as the LastVisa in the exit form, the digital customs directly signs the digital passport in the multi-identifier network packet using the LastPass in the exit form and forwards the multi-identifier network packet. LastVisa refers to the digital visa of the user's previous multi-identifier network packet, and LastPass refers to the digital passport calculated based on the digital visa LastVisa of the user's previous multi-identifier network packet.

Step A3: When the digital visa carried in the multi-identifier network packet differs from the LastVisa in the departure form, since the digital visa calculated using the current time and the time 16 seconds ago are both valid in this embodiment, this embodiment determines whether the difference between the current time and LastTime is less than 8 seconds. If so (i.e., the difference between the current time and LastTime is less than 8 seconds), then the digital customs directly uses LastPass as the digital passport, fills the multi-identifier network packet with the digital passport, and forwards it immediately to effectively reduce the delay caused by calculating the digital passport Pass. LastTime refers to the time when the user's last multi-identifier network packet arrived. In addition, since the digital customs already knows the user's latest digital visa, the digital customs can use the latest digital visa to calculate the new digital passport Pass only after forwarding the MIN network packet, that is, to adopt Slow Update EBT to minimize network latency and ensure the validity of the next issuance.

If not (i.e., the difference between the current time and LastTime is greater than 8 seconds), and LastPass is used directly as the digital passport for the MIN network packet, the digital passport may have expired by the time the MIN network packet arrives at foreign digital customs. Therefore, a new digital passport must be calculated and updated immediately, using Fast Update EBT. Digital customs calculates the new digital passport based on the current time and updates the exit form accordingly, issuing the new digital passport into the multi-identifier network packet to prevent valid digital passports from expiring.

In this embodiment, step S6 verifies digital passport visas through digital customs based on a multi-identifier network. The digital customs uses an Arrival Border Table (ABT) to verify digital visas and digital passports from foreign MIN network packets. The Arrival Border Table (ABT) stores some fields for each foreign user, as shown in Table 2 below.

Table 2. Schematic diagram of storage fields in the Arrival Form ABT

In the digital customs system, there is only one entry form (ABT). Here, Identity is the user's MIN identity. The user's country of origin is SrcDomain. LastPass is a digital passport calculated based on LastTime. Pass is a digital passport calculated based on 16 seconds after LastTime. NextPass is a digital passport calculated based on 32 seconds after LastTime. When a MIN network packet is about to enter the network border, the process performed by the digital customs is represented by the following pseudocode: the process of verifying the digital passport (Pass) through the MIN data packet in the digital customs system. Verification is also called authentication processing.

Algorithm 2 Check the entry of a MIN packet P

1:id＝P.Identily

2:if ABTid.CVK＝None and VisaWaiver(P)＝False then

3: Drop the Packet P

4: return

5:end if

6:if ABTlid,.LastTime+32<NowTime then

7: FastUpdateABT(id)

8:end if

9:if ABTlid].LastPass/Pass/P.Pass then

10: Drop the Packet

11:return

12:end if

13:if P.type=Dala Packet then

14:Forward the Packet P to PT

15 returns

16:else

17:if P.type=Interest Packet then

18:Forward the Packet P lo CS

19:else

20:Forward the Packet P to FlB

21:end if

22:end if

23:return

Specifically, in step S6 of this embodiment, an entry form is used and maintained by the digital customs. When a multi-identifier network packet needs to enter the network border, the digital customs performs verification processing through the entry form. The verification process includes the following sub-steps:

Step B1: If the sender does not hold a digital passport and is not in a visa-free situation, the multi-identifier network packet is directly discarded through the digital customs.

Step B2: If the sender holds a digital passport, the validity of the digital passport is verified through digital customs. If it is determined to be invalid, the digital customs discards the multi-identifier network packet containing the invalid digital passport; if it is determined to be valid, the digital passport and its digital visa corresponding to the multi-identifier network packet pass the verification. The reason for this verification in this embodiment is that the digital passport is calculated based on cyberspace visa. As long as the digital passport is valid, the digital visa must be valid, so there is no need to verify the digital visa separately.

It is worth noting that the Arrival Form ABT in this embodiment has two update methods: one is Slow Update ABT, which is step C below; the other is Fast Update ABT, which is step D below.

Specifically, the process of updating the entry form in step S6 of this embodiment includes any of the following steps:

Step C: Digital Customs iterates through all entries in the arrival form, calculating and updating the LastPass, Pass, and NextPass fields at fixed intervals. LastPass refers to the digital passport calculated based on the LastVisa digital visa from the user's previous multi-identifier network packet. Pass refers to the digital passport calculated based on the LastVisa digital visa calculated at a fixed time after LastTime. NextPass refers to the digital passport calculated at twice the fixed time after LastTime. The fixed time refers to a preset fixed update cycle, defaulting to 16 seconds. Every 16 seconds at most, all entries in the Arrival Form ABT are updated. Because this involves calculations of digital visas and digital passports, it is called Slow Update ABT.

In step D, when the digital customs receives a multi-identifier network packet, it determines whether the LastPass in the entry form has expired. If so, it replaces LastPass with Pass and Pass with NextPass; otherwise, it returns. Because this update method does not require calculations for digital visas and digital passports, it is called Fast Update ABT. Combining Slow Update ABT and Fast Update ABT, and selecting different update methods according to different situations, can significantly reduce the latency of digital customs verifying digital passports.

This embodiment, by adding two additional forms: the Arrival Form (ABT) and the Exit Form (EBT), can complete the issuance of the digital passport and the verification of the digital visa and digital passport with almost no additional delay, making it suitable for serving tens of millions of users.

This embodiment also includes a mimicry defense step based on a weighted centrality algorithm.

In addition to user authentication, multi-identifier addressing, and digital passport and visa mechanisms, this embodiment also preferably uses the Weighted Network Centrality Measure (WNCM) algorithm to rank network devices by centrality and importance, selecting the most important and influential devices for focused protection. The Network Centrality Measure (NCM) algorithm is commonly used in graph theory and network analysis to identify the role of specific nodes in a graph and their impact on the network. In this embodiment, this algorithm is used to selectively choose nodes based on user security needs, given limited system resources, to improve the efficiency of network protection.

Taking the network topology shown in Figure 6 as an example, in the network environment shown in Figure 6, excluding external attackers, the internal network contains seven devices that can be prioritized for protection. These include two border routers, three servers providing internal network forwarding services, and two servers providing storage functions. Using the centrality algorithm, these devices are compared, and 2-3 devices are selected for key protection mechanisms. This embodiment selects three core indicators from the centrality algorithm series: Degree Centrality, Closeness Centrality, and Between Centrality.

Degree centrality describes the degree to which a node is connected to the other n-1 nodes in a network of n nodes. Closeness centrality describes the proximity of a node to other nodes and is related to the average length of the shortest paths from each node to other nodes. Between centrality measures the extent to which a node can act as a mediator for information transfer between other nodes. It is described by the proportion of times a node appears on the shortest path between any two other vertex pairs out of the total number of shortest paths between those vertex pairs.

If a node has a high Between Centrality score, it can be considered a core member, playing a significant mediating role and effectively controlling information transmission to influence the group. Therefore, in the mimicry defense step of this embodiment, the metrics for each device in the multi-identifier network are first obtained, including degree centrality, proximity centrality, and between centrality. After obtaining these three metrics, each metric is ranked to obtain its score. Then, the scores of the three metrics are summed (also known as summation) to obtain a sum value (sum). Finally, the sum value (sum) is ranked to obtain the final centrality rank value (Rank).

The weighted centrality level is represented by Rank'. Based on the characteristics of multi-identifier networks, this embodiment adjusts the weights of each node. Since the storage server stores the network's core data, it is assigned the highest first weight, and its sum (sum) is divided by 3 to obtain the new sum (sum'). The border router is responsible for connecting the internal and external networks, withstanding external attacks, and providing packet encapsulation and auditing functions. Therefore, it is assigned a medium second weight, and its sum (sum) is divided by 2 to obtain the new sum (sum'). The forwarding server is assigned the lowest third weight, and its sum (sum) remains unchanged. The first weight is greater than the second weight, and the second weight is greater than the third weight.

The proportion of nodes requiring enhanced protection is represented by δ. For example, if the system administrator sets δ = 30% and selects two nodes for protection, then using the original Rank metric will protect EMIR1 (i.e., the border router) and forwarding server 2; using the weighted Rank metric will protect storage server 1 and EMIR1. Defenders can adjust the weights and protection proportions δ according to system requirements.

Mimicry defense mechanisms will be deployed on nodes identified by WNCM as requiring enhanced protection. The concept of mimicry originates from dissimilar redundant structures in the reliability domain. By constructing and reconfiguring dissimilar internal structures, the attributes of an information system are transformed from homogeneous static to heterogeneous dynamic. This creates an inherent security effect, meaning the system possesses generalized robust control capabilities without relying on prior knowledge or attack behavior characteristics. Therefore, it presents attackers with a dynamic attack surface, disrupting the construction and effectiveness of the attack chain and increasing the cost and difficulty of attacks. At the application layer, core devices such as firewalls, critical routers, and servers have options for deploying mimicry architectures. This embodiment combines mimicry with coding to propose a mimicry storage server.

The mimicry storage service system comprises a client, a dynamic heterogeneous module, and an object storage module. The dynamic heterogeneous module further includes a dynamic configuration management module and a heterogeneous function module. The former is responsible for dynamically managing system configuration, including using pseudo-random methods to rotate erasure coding, making it impossible for attackers to determine the exact internal state of the system. The latter includes multiple heterogeneous executors responsible for processing received requests. The results are collected and judged by a redundancy voter in the dynamic configuration management module. When the erasure coding decoding outputs are inconsistent, the decision-maker rules the correct result and performs subsequent alerts and other operations. In addition, the dynamic configuration management module randomly replaces online heterogeneous executors with probability ω at regular intervals T to prevent the presence of lurking attackers in the system.

Some mimicry storage systems use open-source distributed file systems, such as HDFS, Ceph, or Lustre, as their heterogeneous execution entities. However, the heterogeneity between different distributed file systems is limited. This embodiment achieves heterogeneity by using various erasure coding methods to encode file data. As a fault-tolerant redundancy technology, erasure coding is widely used in distributed storage systems due to its high performance, offering advantages such as high utilization and strong fault tolerance. (k,n) erasure coding divides the original data into k data blocks, then encodes them into n (n>k) data blocks and stores them across multiple distributed nodes. Its (k,n) characteristic means that any k' (k'≥k) slices after encoding can recover the original complete data. This embodiment preferably embeds various different erasure codes into the system, such as Binary Reed-Solomon Code (BRS), Minimum Bandwidth Regeneration Code (MBR), and Minimum Storage Regeneration Code (MSR). Since each encoding method has different parameters, the size and number of encoded blocks obtained from the same data block vary significantly. This design can guarantee the heterogeneity between execution entities and the dynamism of the network from the underlying layer.

Below, this embodiment will analyze the reliability and computational complexity of implementation based on a multi-identifier network.

The differences between the MIN network architecture and the IP network architecture used in this embodiment begin at the network layer. The MIN network's transmission mechanism uses CS tables, PIT tables, and FIB tables to forward data packets. This mechanism greatly mitigates some of the flooding attacks common in IP networks. The MIN network routes data based on identity identifiers, and it signs and verifies every data packet in the network. These mechanisms ensure network layer security and largely solve the data packet spoofing and tampering problems that often occur in IP networks.

MIN not only boasts high security at the network layer but also mitigates and resists some IP-based attacks at the transport and application layers. In the MIN network, the concept of IP ports is eliminated, replaced by LogicalFace network interfaces. Therefore, network scanning, common in IP networks, is ineffective in the MIN network. Furthermore, since the MIN network is based on identity identification and authentication, it more easily achieves secure transmission channels. User identifiers in the MIN network contain a wealth of information, such as the user's device and certificates, which are stored on the MIN network's blockchain and managed by a Multi-Identifier System (MIS). This identity-based management makes many network attacks less effective in the MIN network, such as identity theft, brute-force attacks, and unauthorized access/operations. Figure 7 illustrates MIN's hierarchical security scheme.

Firstly, at the network's underlying layer, the MIN system is designed with a multi-identifier coexistence and routing scheme centered on real identities, ensuring network independence, manageability, and controllability, thus providing architectural security. This routing scheme embeds underlying identity authentication and packet signing, enabling MIN to trace the origin of each packet, ensuring network content traceability and guaranteeing the trustworthiness of entities entering the network. To address unknown vulnerability threats, MIN proposes the Weighted Centrality Metric (WNCM) algorithm to identify critical network nodes and deploys mimicry defenses to build an intrinsic security system, ensuring data security and service reliability.

Regarding reliability, this embodiment compares the network reliability under four important node selection strategies: WNCM, NCM, random strategy, and exhaustive strategy. The exhaustive strategy involves traversing all available options, comparing their attack resistance performance, and selecting the optimal strategy.

Taking the network topology shown in Figure 6 as an example, an external user wants to access data stored on storage server 1 and storage server 2 through the MIN network. Through testing, when the above four algorithms are used to select the same proportion of nodes for mimicry defense deployment, and other nodes randomly fail, the probability of the user failing to obtain data (i.e., access failure) is determined. Tables 3 and 4 below describe the probability of user access failure, p_{_f} , when 30% and 40% of the nodes in the MIN network randomly fail under the four selection strategies, respectively. Table 5 describes the probability of user access failure, p_{_f} , under different failure proportions when the protection ratio δ = 30%.

Table 3. Nodes with 30% random failures

Table 4. Nodes with 40% random failures

Table 5 Probability of User Access Failure

Tables 3 to 5 show that the overall trend is that WNCM performs similarly to the exhaustive approach, and both are superior to NCM, which in turn is superior to the random approach. The defensive effectiveness of both WNCM and NCM increases linearly with the protection ratio. For the network topology in Figure 6, when the protection ratio reaches 40%, i.e., protecting 3 nodes, both have constructed a complete information propagation chain, capable of resisting the failure of other nodes. The attack resistance of the random approach does not change with the increase of the protection ratio because its node protection and node failure are independent random strategies. According to the conditional probability formula and the law of total probability, when adopting a random protection strategy, the average access failure probability depends only on the number of failed nodes and is independent of how many key protection nodes the defender chooses.

The failure probability of the NCM scheme is higher than that of the random scheme only when 30% of the network fails randomly and only one key node is selected for protection (i.e., the first column of Table 3). This is because neither WNCM nor NCM schemes are the same as the exhaustive search scheme, which guarantees an optimal solution. The centrality algorithm selects relatively important nodes based on multiple indicators, which may not be the optimal solution for every scenario. In this scenario, the NCM scheme tends to protect important central nodes. However, in Figure 6, according to the exhaustive search method, the optimal strategy should be to select four end nodes for protection, which is why the failure probability of the NCM scheme is higher than that of the random scheme. As can be seen from the data in the three tables above, the weighted scheme WNCM in multi-identifier networks adjusts the weights of different devices according to the characteristics of the MIN network, and its calculation result is very close to the optimal strategy. In terms of computational complexity, the exhaustive search scheme can guarantee the optimal protection strategy, but its computational cost increases exponentially with the increase of network size. In contrast, both WNCM and NCM schemes have polynomial complexity. In summary, WNCM provides a node selection strategy that is quite close to the optimal solution with lower computational complexity, while maintaining the same protection ratio, i.e., defense cost.

Therefore, it is evident that the overall technical solution of this embodiment, based on a multi-identifier network, is highly secure and reliable, and can achieve better results and strategies with lower computational complexity.

This embodiment also preferably includes the step of establishing a stochastic process martingale quantization model, with the aim of providing an attack-resistant stochastic process martingale quantization model.

Adaptive Cyber Defense (ACD) is a new type of network defense technology that has emerged in recent years. It continuously changes the exploitable attack surface by spontaneously and randomly reconfiguring the network environment. The dynamic nature of ACD reverses the asymmetrical situation of traditional static networks, providing defenders with a tactical advantage in the offensive and defensive game.

This embodiment establishes a complete model of the entire attack and defense process of a complex active defense network, named SPM, and uses it to evaluate the security of the active defense network and the interaction of multiple defense technologies. SPM consists of three layers, integrating stochastic reward networks, Poisson processes, Markov chains, and martingale theory. The hierarchical analysis structure provides greater flexibility; the three-layer analysis model can be combined to analyze the security of the entire network, or each layer can be used independently to evaluate the effectiveness of a corresponding individual ACD (Active Defense) technology.

The martingale quantization model for this stochastic process consists of three interconnected sub-models. At the bottom layer is the SRN model, which evaluates the effectiveness of NVP technology in ensuring the security of a single node. At the top layer are Markov and martingale models, which analyze the effectiveness of VM migration. These two layers are connected by a Poisson model as an intermediate layer.

That is, in this embodiment, a single-step attack evaluation model based on a deep learning neural network SRN is established in the bottom-level model; a discrete-time Markov chain model and a martingale model are established in the top-level model, and the evaluation is performed using the formula... Calculate the network's average attack time (MTTA) using the formula. Calculate the network's Mean Time To Repair (MTTR), where L represents the number of protected devices an attacker passes through on their way to the target node, T represents the migration period, and ω represents the probability of dynamic migration. It represents the probability of an attack failing within a migration cycle; a Poisson model is used as an intermediate layer to connect the bottom-level model and the top-level model.

It is worth noting that although the bottom-level SRN model in the above three-layer model can essentially be isomorphic to a Markov process, this layer of modeling is not directly related to the top-level Markov chain of the SPM model. The SRN model focuses on the internal structure of the nodes, and its steady-state distribution describes the possible outcome distribution of an attack on an active defense node. The top-level Markov model, on the other hand, characterizes the attacker's position changes on the attack chain, and its steady-state description is the total number of compromised nodes in the attack chain, i.e., the possible position distribution of the attacker. Each of these three layers focuses on a single attack phase, with the output of the lower layer serving as the input of the upper layer. SRN, Poisson process, Markov, and martingale evaluation methods are chosen based on the characteristics of NVP and VM migration defense processes. The reasons for choosing the corresponding modeling method for each layer are explained below.

First, focusing on the single-step attack process of a single active defense node, this study emphasizes the detailed attack and defense process within the node after NVP protection. The attack and defense process of a single node involves many detailed behaviors and interactions between the attacker and defender. These detailed interactions increase the difficulty of describing it using more mathematical methods such as Markov or probabilistic methods. Therefore, for this process, a SRN-based modeling scheme is chosen to establish an SRN-based single-step attack evaluation model to characterize a single attack process within a single node, while providing quantitative calculation results and graphical representations. At this level, defense capability is quantitatively measured by the success rate of single-step attacks.

Then, during multiple migrations, the attacker's repeated attacks on a single node exhibit memorylessness. The Poisson distribution is the most suitable type of random distribution for simulating the timing of critical, memoryless events. Therefore, this embodiment uses a Poisson distribution to describe the number of attacks during each migration.

Finally, it is necessary to analyze the attacker's movement along the entire attack chain under the VM migration strategy, that is, the change in the attacker's attack node position in each migration cycle. Compared with the previous migration cycle, the attacker's position on the attack chain has three possible directions of movement: attacking the next node, returning to the previous node, or remaining on the same node. Throughout the attacker's movement along the attack chain, regardless of how the attacker reaches its current position, its position in the next migration cycle depends only on its current position and the probability of transitioning in different directions. This exhibits Markov characteristics. Therefore, in the third layer of SPM, a homogeneous discrete-time Markov chain (DTMC) is constructed to describe this process. The DTMC model can calculate the steady-state probability of target node failure and lays the foundation for the use of martingale theory. The martingale model further developed on this basis can calculate the failure time and repair time of the entire network.

The attack chain is shown in Figure 8. Assume the attacker has already compromised k nodes. Next, martingale theory is used to calculate the expected time for the attacker to move to the next L nodes (node k+L) or return to the previous L nodes (node k-L). L represents the number of protected devices the attacker passes through to reach the target node.

Here, this embodiment first introduces the concept of martingale:

Definition 1: A stochastic process Z _{_n}, n≥1 is a martingale process if: for all n, E[|Z _{_n} |]<∞, and E[Z _{_n+1}|Z _₁, Z_₂, …, Z_{_n} ]＝Z _{_n} . n is a natural number representing the index of the random variable Z.

When an attacker starts at node k in the nth reconfiguration cycle, the attack state in the next migration cycle can be predicted as follows: P{X _{_n+1} = k+1 | X_{_n} = k} = (1-ω)μ, P{X _{_n+1} = k | X _{_n} = k} = (1-ω)(1-μ), and P{X _{_n+1} = k-1 | X_{_n} = k} = ω. P{*|*} represents the probability of the attack state occurring, k represents the node number, X_{_n} represents a random variable, ω represents the probability of dynamic migration, and μ represents the probability of successfully attacking a single node.

Therefore, we can obtain E[X _n+1 |X _n = k] = k + (1-ω)μ-ω = X _n + (1-ω)μ-ω. E[X _n+1 |X _n = k] represents the conditional expectation of X _{n +1 given X n} = k.

Next, the martingale sequence is constructed.

Theorem 1: Let random variables M _₀, M _₁, ..., M _{_n} , where _Mi = _Xi - [(1-ω)μ-ω]·i, then the sequence M_{_n} is a martingale sequence of X _₀ , X _₁ , ..., X_{_n} . i is the sequence index, i∈0～n.

The proof formula is as follows:

After establishing the martingale sequence, a stopping time needs to be defined in order to calculate the attack time.

Definition 2: A random variable N, which may take the form of an infinite positive integer, is called a random moment in the process {Z _{_n}, N≥1}. If the event N = n is determined by the random variables Z _₁ , ..., Z _{_n}, that is, knowing Z _₁ , ..., Z_{_n} tells us whether N = n exists. If P{N<∞} = 1, then the random time N is called a stopping time.

The relative strength of attack and defense capabilities affects the attacker's overall movement direction along the attack chain. For example, if the attack capability ((1-ω)μ) is stronger than the defense capability (ω), the attacker can approach the target over time; conversely, the attacker will be affected by VM migration, losing the privileges they have gained, essentially being gradually removed from the system. This means that when E[X _{_n+1} | X_{_n} ] >X_{_n} , i.e., ω < μ/(μ+1), the time for the attacker to move L hops towards the target node along the attack chain tends to be positive. Conversely, when E[X _{_n+1} | X_{_n} ] < X _{_n}, i.e., ω > μ/(μ+1), the probability of moving to the next node is less than the probability of the attacker returning to the previous node. VM migration causes the attacker to gradually lose the illegal privileges they have gained, and the time to reach the Lth node in the direction of the target node tends to be negative. However, objectively, time can only be positive, so discussing the negative time of the downlink L hops becomes meaningless in this case, but the time of the uplink L hops can be calculated similarly. Therefore, based on the relative magnitude relationship between ω and μ/(μ+1), the time to reach different specific nodes for the first time in the corresponding scenario can be analyzed.

When ω < μ/(μ+1), the attack starts from the entrance, i.e., its initial position is _A0 = 0.

Definition 3: When ω < μ/(μ+1), the stopping time S of the martingale sequence is the minimum value of i, such that E[ _Xi ] = L. To derive the number of steps it takes for an attacker to reach the target node by jumping L hops down the attack chain, we introduce the martingale stopping time theorem, i.e., Lemma 1. The proof is shown below.

Lemma 1: S is a stopping time of a martingale sequence {Z _{_n}, n≥1}, and satisfies any of the following conditions: the stopping process Z _{_n} is uniformly bounded, or S is bounded, or E[S]≤∞, and there exists an M≤∞ such that E[|Z _{_n+1} - Z_n||Z_₁,…,Z _{_n} |]<M, then E[Z_{_S}]＝E[Z_₀ ].

Theorem 2: For an ACD attack and defense process, there is a probability μ of successfully attacking a single node. Every T time interval, each node is migrated and reconfigured with probability ω. If L nodes form an attack chain, the attacker wins. That is, the expected number of migration cycles to reach the target node L is: T represents the time interval period.

Proof: When (1-ω)μ>ω, the stopping time S is conditional on _XS = L, at which point the time to reach the Lth node tends to be positive. After n rounds of migration, we can determine whether n and S are equal based on the attacker's position, so time S is the stopping time of the martingale. Next, we verify the third condition of Lemma 1, proving that it can be expressed by the following formula:

Therefore, the expected number of steps to reach node L can be calculated according to Lemma 1: E[ _MS ] = E[ _M0 ] = E[ _X0 ] = 0. E[ _MS ] = E[ _XS - [(1-ω)μ-ω]·S] = E[ _XS ] - [(1-ω)μ-ω]·E[S] = 0.

Since E[X _S ] = L, we have L - [(1-ω)μ-ω]·E[S] = 0.

When ω = μ/(μ+1), the attacker's downlink and uplink probabilities are equal, the Markov state follows a uniform distribution, and the attacker's position remains stable over time, i.e., E[Xn ₊₁ | _Xn ] = _Xn . Therefore, the time it takes for him to reach any other node tends to positive infinity.

When ω > μ/(μ+1), the expected time to reach the next L nodes tends to be negative and has no practical significance. However, in this case, the attacker will gradually move away from the target and be pushed out of the network over time. Therefore, we can calculate the expected time required to expel the attacker. The expulsion time reflects the network's ability to self-repair (remove the attacker) from the worst-case scenario (more than L nodes being compromised).

In this scenario, we assume the attack was successful initially, i.e., _X′0 = L. _X′i represents the same distribution as _Xi , but the attacker's initial position differs; _X′i starts from node L instead of _X0 = 0. The attacker's position at the start of the i-th migration cycle is represented by the random variable _X′i . Next, we analyze the expected time before the attacker is expelled back to L nodes, i.e., before returning to the attack entry point.

Definition 4: When ω ≥ μ/(μ+1), the stopping time S' of the martingale sequence is the minimum value of i, such that E[ _X′i ] = 0. The condition for reaching the stopping time is X′S _′ = 0. The corresponding sequence _M′i = _X′i - [(1-ω)μ-ω]·i is still a martingale about _X′0 , _X′i , ..., _X′n . In this case, the different magnitudes of (1-ω)μ and ω only affect the subjective choice of the stopping time, and do not affect the objectively existing _Xn and _Mn sequences. _X′i and _M′i can be regarded as _Xi and _Mi sequences starting from other nodes.

Theorem 3: For an ACD attack and defense process, there is a probability μ of successfully attacking a single node. Every T time interval, each node is migrated and reconfigured with probability ω. When the attacker has conquered L nodes, the expected number of migration cycles to expel the attacker back to the entry node is:

Proof: Similar to the proof when (1-ω)ω>μ, time S′ is the stopping time of the martingale and satisfies the availability condition of Lemma 1.

According to Lemma 1, the number of migration cycles of the repair network satisfies: E[M′ _S′ ]＝E[M′ ₀ ]＝E[X′ ₀ ]＝L.

Therefore, according to Lemma 1 and E[M′ _S′ ]＝0, the number of migration cycles of the repair network can be obtained: E[M′ _S′ ]＝E[X′ _S′ ]－[(1-ω)μ-ω]·E[S′]＝L,

Corollary 1: For an ACD attack and defense process where μ is the probability of a single node being compromised and ω is the probability of a node being migrated within each period T, the expected time for an attacker to move down or up L nodes along the attack chain is:

Based on the above analysis, when attackers and defenders are at different relative strengths, attackers may gradually approach the target or lose their privileges and be removed from the system over time. Therefore, different defense strengths can be provided according to different scenarios to achieve the corresponding defense objectives. First, two scenarios are defined: (1) Normal defense scenario: No attackers are detected in routine defenses, and defenders tend to use lower defense costs to obtain a certain level of security. Attackers can approach the target, and the system's anti-attack capability is evaluated by Mean Time To Attack (MTTA). (2) Crisis scenario defense: The system may have detected the existence of attackers or has higher security protection requirements. At this time, defenders are willing to pay higher defense costs to obtain a higher level of security. More frequent and large-scale VM migration operations will make it difficult for attackers to approach the attack target, and they will gradually lose their illegal privileges. At this time, Mean Time To Repair (MTTR) is used as the evaluation index of anti-attack capability.

Given the system parameters L, ω, T, r, and _pA , MTTA and MTTR can be calculated as follows: and Where r represents the system's attack rate, and _pA represents the single-step attack success rate.

Below, this embodiment will analyze the security and computational complexity of implementing a multi-identifier network.

Because MIN is built around identity-centric networks, the system itself offers superior protection. This embodiment's identity-centric network data transmission method is completely different from existing IP networks. Therefore, attacks targeting IP networks lose their operational environment within the MIN and cannot be effectively launched. The MIN filters access information at the border router EMIR; only requests initiated actively within a multi-identity network can pass through the EMIR. In other words, attackers cannot continuously scan or attack the system as they would in a typical passive defense network, and it is even difficult for them to actively send malicious information into the MIN.

Users within MIN must be real-name authenticated, and they need to sign when pulling data from the network. For data requests initiated by MIN users, both the content and the requester are recorded on the blockchain. In case of problems, immediate backtracking and accountability can be implemented, ensuring the authenticity and reliability of information and mitigating malicious operations by internal users to some extent.

The first layer of security in Figure 9 primarily relies on cryptography and security mechanisms such as authentication. The attack difficulty of existing encryption algorithms has reached exponential levels. For example, even using the most powerful supercomputer currently available, it would take decades to crack the commonly used RSA algorithm.

The difficulty of cracking the RSA algorithm is related to the key length. For an RSA algorithm with a public key of e and a modulus of n, the brute-force attack complexity is O(n ^e ). The most common method is factorization. If the key length is less than or equal to 256 bits, it can be successfully factored by a high-speed computer in one day. The higher the number of bits, the longer the factorization time. With current computing power, cracking a 1024-bit key would take at least two years, and cracking a 2048-bit key would take at least 80 years. Taking the cracking time as 50 years, the calculated attack success rate per second is 6.34 × ^10⁻¹⁰ .

The attack chain consists of nodes that an attacker needs to breach, from the MIN's EMIR to the content request node and from the content request node to the core network. This stage of the attack process mainly involves the propagation of malicious information along the attack chain within the MIN, which can be viewed as the movement of malicious information along the attack chain.

After the content is transmitted to the MIN, it undergoes layer-by-layer filtering by firewalls, packet inspection, text recognition and detection, audio recognition and detection, image and video recognition and detection, and natural language processing between the EMIR and the core network. Attackers need to bypass each layer of protection to reach their target. To attack the core network along the attack chain, attackers need to attack each review node on the chain sequentially. As attackers advance along the attack chain, they move down one step after successfully passing each layer of filtering; if they are caught by the filtering, they move back one step; if they neither succeed in attacking nor are caught, they remain at that node.

Let μ be the probability of successfully attacking a single node (i.e., breaking through one layer of filtering), θ be the total number of nodes in the attack chain, and ω be the probability that the system selects a node for dynamic migration at a certain moment (i.e., selects a node to thoroughly clean it and re-filters the filtered content). Assuming that the attacker is currently at the k-th node, i.e. has already compromised k nodes, the attack transfer process is shown in Figure 10.

Based on the attack transition graph, an attack transition matrix M _θ×θ is constructed, where the element Mi _,j represents the probability of transitioning from the i-th node to the j-th node. During an attack, the attacker moves along the link, and after conquering a node, the attacker obtains information about the successor node. A single-node attack can only succeed if neither the attacked node nor the attack starting point is selected for migration. Clearly, the attack has three directions: backtracking, downlinking, and remaining stationary. The specific transition probabilities are as follows.

(1) Rollback. Regardless of whether the attacker launches an attack, if the attacker's node or the target node being attacked changes during the system's dynamic migration, the attack will fail. The attacker must roll back to the previous node that has already been attacked, i.e., Mi _,i-1 = ω. The attacker needs to launch a single-node attack on point i again. Only by conquering point i before the next dynamic migration can the attacker continue the downlink attack.

(2) Downlink. The probability that the attacker will successfully attack the next node is μ. During the transformation period, the probability that the system will not dynamically migrate the attack-related nodes is (1-ω). Therefore, the probability that the attacker will successfully attack the next node and that no dynamic migration will occur during the period is Mi _,i+1 = (1-ω)μ.

(3) Remaining in place. If the attacker fails to attack the next node and the system does not dynamically migrate the relevant nodes, the system state remains unchanged, with Mi _,i = (1-ω)(1-μ). Let _X0 , _X1 , _X2 , ..., _Xn represent a series of random variables, and _Xi represent the node position of the attacker at the beginning of the i-th time period. The value range of _Xi is [0, θ], where _X0 = 0, indicating that the initial position of the attack is the position of entering the attack chain. Given that the attacker is at position k at time n, the position of the next hop is: P{ _Xn+1 = k+1| _Xn = k} = (1-ω)μ, P{ _Xn+1 = k| _Xn = k} = (1-ω)(1-μ) and P{ _Xn+1 = k-1| _Xn = k} = ω.

According to Theorem 2, E[S] is the expected number of steps to reach the core network, which can be calculated using θ, ω, and μ. In this way, a quantitative relationship can be obtained between the limiting probability of system defeat and the system parameters. Θ represents the number of nodes in the attack chain.

Furthermore, this embodiment preferably employs an Adaptive Network Defense (AND) architecture, aiming to improve the network's resistance to attacks. The core idea of the AND architecture is to integrate network security defense tools to form a dynamic, adaptive network defense system that can quickly adapt and effectively defend against new types of attacks.

The AND architecture consists of the following four parts:

Attack detection layer: Responsible for monitoring attack behavior within the network. This layer typically includes tools such as intrusion detection systems, threat intelligence analysis, and behavioral analysis systems. These tools can detect potential attack behaviors by analyzing network traffic, logs, and other data sources.

Attack Response Layer: Responsible for responding to detected attacks. This layer typically includes tools such as intrusion prevention systems, antivirus software, and anti-spyware software. These tools can take appropriate defensive measures based on the detected attack behavior, such as blocking attack traffic or removing malware.

Collaboration Layer: Responsible for coordinating the interaction between the attack detection layer and the attack response layer. This layer typically includes tools such as a cybersecurity intelligence sharing platform and adaptive security controls. These tools facilitate rapid information sharing and response between the attack detection and attack response layers.

Operations Management Layer: Responsible for managing the overall operation of the AND system. This layer typically includes tools such as network security information and incident management systems, security analytics and decision support systems, and security policy and compliance management systems. These tools help administrators monitor the network's security status and formulate corresponding security policies and compliance management measures.

This embodiment features a unified technical design, implemented through a multi-identifier network. Based on this architecture, it leverages current and future technologies that enhance security, theoretically reducing the probability of a network node and its application being defeated by a single attack to an arbitrarily low level (related to the willingness to invest), such as ^10⁻¹⁵ , ^10⁻²⁰ , ^10⁻²⁵ , or ^10⁻³⁰ . At the system management level, relying on continuous system awareness and security responses, it promptly alerts users to potential threats to their accounts or managed devices via email, SMS, and telephone verification, and proactively addresses various attacks both online and offline, preventing them before they occur. Even when a low-probability attack does occur, it allows for timely source tracing, investigating risks in both physical and software systems, accurately locating the source, and making necessary system configuration or software modifications to effectively prevent similar attacks.

This embodiment also preferably provides an adaptive defense network architecture as shown in Figure 11: At the lower layer of the network, the NVP (Network Virtualization) concept is used to improve the security of individual nodes; at the upper layer of the network, VM migration brings dynamism to the network. In the figure, each network node consists of a Resource Management System (RMS) and multiple heterogeneous execution entities, also known as Heterogeneous Service Component Versions (SCVs). Each RMS is responsible for communicating with RMSs from different nodes and managing multiple SCVs within its own node. The network can be viewed as a two-layer structure: the upper network represents the RMS, i.e., the connection relationships between different nodes; the lower network represents the internal structure of each node, i.e., the connection relationships between the RMS and its internal SCVs.

The NVP concept is applied to the underlying nodes, distributing received tasks to multiple different SCVs for parallel execution; VM migration is applied to the upper network layer, periodically refactoring some nodes.

Security is enhanced using the principles of NVP (Variable Parameterization). Tasks are distributed to multiple heterogeneous executors, which can be heterogeneous in various levels, such as operating systems, software, and data formats. Nodes receive requests and tasks, which are then delivered to functionally equivalent executors, but with different structures or versions, for parallel execution. The outputs of these executors are then returned to RMS (Realm Management System), where they are adjudicated according to pre-defined voting rules to determine the final result, which is then returned to the user. The voting rules can be selected based on system requirements, such as threshold voting, with the output threshold denoted as M′.

When a node receives a request or task from a user, the RMS will assign it to N′ online SCVs, denoted as SCV ₁ , SCV ₂ , ..., SCV _N′ , waiting until enough result vectors are collected or all SCVs have completed their output. Among the collected results, those with the same vector appearing more than M′ times are considered correct vectors and output to the user. SCVs that return other results (not considered correct) are marked as suspicious SCVs and will be replaced by the node's backup SCVs in the next round of task assignment. This prevents attacks from spreading within the node. If all SCVs have completed their tasks, but the number of identical results is less than M′ (meaning no legitimate results were output), the RMS will return an error message prompting the node to proceed with further processing. To avoid multiple result vectors reaching the threshold simultaneously, M′ > N′/2 is generally chosen.

Regarding virtual machine migration, in the adaptive defense network architecture, within each fixed migration cycle T, each node is selected as a migration target with probability ω and undergoes random migration. For nodes requiring migration, the corresponding RMS (Real-Time Management System) is migrated to the new physical host, the old virtual machine is removed, and then the current state of the application, along with related data and services, is migrated to the new VM. Virtual machine migration renders information collected and monitored by attackers and any backdoors they have installed ineffective, making attack timing a crucial constraint for the success of an attack. This mechanism effectively prevents the spread of attacks within the network.

The development of cloud computing provides users with flexible and efficient services, allowing resources to be allocated and shared on demand. However, this also makes it possible for users to share some resources with malicious users, introducing additional security risks. Proactive defense, through dynamic migration, provides a solution against cohabitation attacks by reducing cohabitation time. Cloud computing allows multiple users to use various services on demand, such as storage, computing, and applications. The same user's tasks can be executed by creating and hosting multiple virtual machines on different physical servers. This virtualization method improves the utilization of the underlying hardware platform of cloud providers and outsources the maintenance of computing resources to users. However, because cloud users need to share IT resources such as physical servers with other tenants, they also face new security risks. Although multiple virtual machines running on the same server are logically isolated from each other, malicious tenants can bypass the isolation by creating various side channels. Therefore, when the attacking VM of a malicious neighbor resides on the same physical server as the target VM, data may be stolen or even destroyed.

Some defenses already exist that address this issue by eliminating or detecting side-channel attacks, such as side-channel elimination, co-occurrence attack detection, building virtual private clouds, adjusting VM allocation strategies, and NVP-based defense solutions. However, most of these defense methods either require changes to existing deployments or are specifically designed for a particular type of cross-VM side-channel attack.

Proactive defense technologies offer solutions from various perspectives, reducing cohabitation time by randomly moving the targets to be protected during task execution. Furthermore, a key advantage of proactive defense is its ability to be combined with other defense methods without altering the underlying deployment. For example, VM migration can be combined with VM allocation policies, using appropriate VM selection strategies for each migration to further reduce attack success rates. When these technologies are deployed in cloud environments, their effectiveness needs to be demonstrated, especially when combined with other cloud environment defense strategies. However, current analyses of their effectiveness either focus on evaluating the effectiveness of proactive defense itself or on studying the effectiveness of other static cloud computing strategies.

In the selected cloud computing scenarios, there are two types of VM placement to consider. The first is initial placement, which involves creating VMs for new service requests and assigning them to a server. The second is placement of VMs after dynamic migration, which requires selecting a suitable server for the VMs to be migrated based on migration and allocation rules each time a migration occurs. The following sections describe the VM migration, allocation strategies, and attack/defense processes in turn.

Figure 12 illustrates the virtualization system of a cloud computing platform. This system comprises a management node and multiple servers. Whenever a new task is received, the system creates a corresponding virtual machine (VM) and assigns it to a physical server. The management node is responsible for creating VMs, collecting information from each server, and allocating VMs to specific servers according to the allocation policy. If the management node receives n′ tasks from a user and m requests containing malware from an attacker, it has difficulty distinguishing them. Therefore, requests arriving in the same batch will all be assigned to corresponding VMs for task processing. The management node will create n′ Defender's VMs (DVMs) and m Attacker's VMs (AVMs), and assign them to s physical servers. While a task is executing on a server, it may coexist with an AVM, during which time the attacker may attempt to establish a side channel for information theft. To avoid this risk of information leakage, the management node dynamically migrates its DVMs between servers during task execution.

In terms of virtual machine allocation, existing strategies can be divided into two categories: stacking and distribution. Stacking strategies concentrate created virtual machines on a subset of physical servers, reducing the overall power consumption of the server cluster. Common stacking strategies include priority matching, workload stacking, energy/cost consumption strategies, and their variations. Distribution strategies, on the other hand, distribute virtual machines discretely throughout the data center to achieve load balancing and improve system reliability. Common distribution strategies include random, next-match, load balancing strategies, and their variations.

Consider a multi-tasking scenario where the system may be assigned multiple tasks simultaneously, which are executed independently. Each task entering the system may have two possible outcomes upon leaving: either it successfully migrates between several servers and is eventually completed, or it encounters an attacker during migration, has its information stolen, and fails to execute. Figure 13 illustrates the execution process of each task before leaving the system.

More specifically, this embodiment adopts an adaptive defense network architecture, and the execution process of each task before leaving the virtualization system includes the following steps:

Step E1: The management node receives a request from the user and creates a VM, i.e., creates a virtual machine.

Step E2: According to the allocation policy, assign this VM to a server; if the selected server has enough space, then proceed to step E3; otherwise, return to select a server again.

Step E3: After selecting a suitable server, the VM will stay on that server for t _server time. During this stay, if it coexists with the attacker's VM for longer than the time t _attack required to establish a side channel, the DVM will be attacked and information will be leaked. If the corresponding attack obtains some confidential information of the DVM, the attack is considered successful. If the DVM is successfully destroyed, the corresponding task will fail immediately. If the attack is unsuccessful, proceed to step E4.

Step E4: If the DVM has not been effectively attacked before the migration is required, the execution on that server is successfully completed. Preferably, at this point, it is further determined whether the task has been completed. If not, the process jumps to step E2, selects the next server for VM migration, and continues until the task is completed or fails due to an attack.

During this process, the task execution time T _{_task} and the migration interval T_{_server} are random. The task execution time follows a certain distribution, with its cumulative distribution function cdf denoted as F _{_ta} (t) and probability density function pdf denoted as F _{_ta} (t). Similarly, the migration interval follows the distributions cdf = F _{_m} (t) and pdf = F _{_m} (t).

To increase the probability of a successful attack, attackers may inject multiple malicious requests into the system, generating multiple AVMs. Once inside the system, the malicious AVMs migrate between multiple servers along with the normal DVMs until all tasks have left the system.

Attackers employ two strategies when launching AVMs: a stacking strategy and a distribution strategy. The stacking strategy launches as many virtual machines as possible at once, while the distribution strategy launches virtual machines in batches, spreading them across as many servers as possible. Figure 14 illustrates the process of generating, migrating, and deploying the attack corresponding to each malicious request, specifically including the following steps:

Step F1 is similar to the DVM creation process in step E1. In step F1, after receiving the request, the management node creates the AVM and assigns it to a legitimate server.

In step F2, the attacker obtains information from the legitimate server. If there is a co-habiting DVM, then proceed to step F3; otherwise, wait for the managed node to migrate to another server.

In step F3, the attacker selects one of the DVMs to attack, and after time t_{_attack}, a side channel is successfully established. During this time, if the DVM does not migrate, the attack is successful, and the task executed in that DVM fails. Otherwise, the DVM evades the attack, and the attack fails.

Regardless of whether the attack is successful or not, the attacker can continue to attack tasks still running in the system. This means waiting for the management node to migrate these tasks to other servers at a fixed migration cycle. After migration, the attacker returns to step F1 to continue the attack. If all tasks have left the system, the attack becomes meaningless and stops.

The _attack time t includes the time required to build the side channel and steal data, which is also a random variable that follows the distributions cdf＝F _m (t) and pdf＝F _m (t).

Therefore, this embodiment, based on a future network architecture composed of the MIN system, supports top-level identifiers to be jointly managed and interconnected by various countries, while lower-level identifiers are managed independently by each country, and utilizes digital customs to ensure cross-border data security. Furthermore, it employs a synergistic technical solution combining mimicry defense, martingale quantization models, adaptive defense network architecture, high-performance blockchain, quantum technology, embedded identity authentication, multi-identifier coexistence, digital passports, and digital visas. Based on this, and combined with the management of various entity systems, as well as national and global legal arbitration systems, it proposes a method and system to ensure a trustworthy, secure, orderly, law-abiding, and peaceful cyberspace.

Mathematical model analysis shows that future networks implemented through multi-identifier networks can achieve an exponential security improvement of ^{10-20-30 %} compared to traditional IP networks, with a very low probability of insecurity. Even if an attack occurs, the identity and activity logs of the active attacker will be recorded and locked in a globally multilaterally managed blockchain log. The attacked party can file a lawsuit in international or domestic cyber courts, and the domestic/international cyber courts will make judgments on the attacker's actions based on the immutable log records. By combining online and offline methods through technology, it is possible to ensure that cyberspace, supported by rules, laws, and technological systems, is secure and trustworthy, maintaining order and the rule of law in cyberspace based on technological solutions.

Therefore, in order to provide a method and system for ensuring the trustworthiness and security of cyberspace, as shown in Figures 2 and 15, this embodiment preferably includes step S7, which is used to establish a cyberspace management system; AI detection and management are carried out in the cyberspace management system, and when cyberspace is interfered with or attacked, network traffic, user behavior and system logs are monitored and analyzed through at least one of data analysis, deep learning, reinforcement learning and model training, and stored in the blockchain log record.

More specifically, the cyberspace management system described in this embodiment is also known as the cyberspace security and peace rule of law management system.

Cyberspace is the collection of all information systems and the information environment in which humans live, interacting and influencing each other with information. Therefore, cyberspace presents more prominent information security challenges, and its core essence remains information security. Faced with ever-increasing cyber threats and violations, a robust cyberspace management system needs to be established based on security technologies.

As shown in Figure 2, if cyberspace is interfered with or attacked, technologies such as big data (e.g., data analytics), deep learning, reinforcement learning, and large models (e.g., model training) will be used to monitor and analyze network traffic, user behavior, and system logs, promptly identifying potential security threats and violations. The AI system can learn and identify common network attack patterns, malware characteristics, and illegal content, thereby automatically issuing warnings and blocking such activities. Furthermore, it can analyze user behavior patterns, identify abnormal activities, and prompt administrators for further investigation. Secondly, the network management team or administrators are responsible for handling AI warnings and other security incidents. When an AI warning is triggered, the administrator will intervene promptly, investigate, and take appropriate measures to address the threat. For example, blocking malicious websites, disabling infected computers or network accounts, or cooperating with law enforcement agencies for further investigation. In addition, human administrators can handle complex problems that AI cannot solve, such as responding to new types of network attacks, investigating internal security violations, and assisting users in resolving security-related issues. The management system will be reviewed regularly and improved based on the results of each incident to adapt to constantly changing network threats and technological evolution, maintaining sensitivity to cybersecurity threats.

In the cyberspace management system, when the attacker corresponding to the interference or attack cannot be found, compensation is provided through insurance service companies in cyberspace, or emergency assistance and support are provided through cyberspace emergency departments, including domestic and international emergency departments in cyberspace. Both insurance service companies and cyberspace emergency departments implement embedded identity authentication based on multi-identifier networks and access blockchain log records through multi-identifier addressing, thereby providing a reliable and secure data foundation for compensation, emergency assistance, and support.

In extremely rare cases, such as incidents where the perpetrator cannot be found, or damage caused by force majeure, the overall solution based on a multi-identifier network can rely on cybersecurity insurance companies or cybersecurity emergency response departments (also known as cybersecurity emergency response agencies) for compensation and handling to reasonably resolve these issues. Cybersecurity insurance companies legally introduced through the multi-identifier network will provide corresponding compensation according to the conditions and terms stipulated in the insurance contract, providing a remedial mechanism for the victim. Cybersecurity emergency response departments can provide emergency assistance and support to facilitate the recovery and reconstruction efforts of the affected parties. These departments include domestic and international emergency response departments in cyberspace. For domestic interference or attacks, emergency assistance and support are provided by default through domestic emergency response departments; for transnational interference or attacks, emergency assistance and support are provided by default through international emergency response departments, such as the United Nations' security emergency response department. This design ensures that even when the responsible party cannot be identified, the injured party can still receive appropriate compensation and support.

As shown in Figures 2 and 15, this embodiment also includes step S8, which is used to establish a cyberspace adjudication system. In the cyberspace adjudication system, when disputes and conflicts involving data assets, data privacy, or cyberspace are involved, an investigation is conducted based on blockchain log records, and the investigation results are sent to the corresponding domestic or international cyber courts. The relevant judgment records are also published in the blockchain cyberspace.

Steps S7 and S8 in this embodiment are not sequential steps, but are implemented in parallel to jointly provide a complete safe, peaceful and law-based cyberspace from both management and legal perspectives, as shown in Figure 2.

The cyberspace adjudication system described in this embodiment is also known as the cyberspace security, peace, rule of law, and court adjudication system.

In the future, with the development of the internet, the complexity of cybersecurity issues will significantly increase, and the number of disputes arising from network data and data transactions will inevitably continue to rise. For disputes involving network data that administrators cannot resolve, it is necessary to utilize the online legal court system to resolve the disputes. When disputes and conflicts involve data assets, data privacy, or other cyberspace issues, the parties involved can resolve them through police intervention, arbitration, or litigation.

To identify potential parties involved in a dispute, cyber police will conduct investigations based on logs recorded by the blockchain system. If the parties belong to the same country, the case will be tried in that country's domestic cyber court. If there are foreign entities, foreign country/region/local laws, international bilateral/multilateral agreements/treaties, foreign-related contracts, or other foreign-related elements, the case can be transferred to an international cyber court. Through methods and systems implemented via multi-identifier networks to ensure the trustworthiness and security of cyberspace, judicial authorities can conduct judicial practice according to relevant legal provisions to ensure the fairness and timeliness of trials, ensuring that individuals or organizations committing negligence or crimes are subject to legal sanctions, economic compensation, or imprisonment, and that relevant judgment records are executed and published in the blockchain cyberspace.

In practical applications, functionality can be extended based on multi-identifier networks. Laws can be improved based on judicial practice and existing legislative experience to fill legal loopholes, amend outdated clauses, and establish new rules. This improvement process will continue to adapt to the ever-changing network environment and technological development needs, providing more reliable guarantees for the security and fairness of cyberspace.

As shown in Figures 1 to 14, this embodiment also provides a system for ensuring the trustworthiness and security of cyberspace, employing the method described above for ensuring the trustworthiness and security of cyberspace, and including:

The identity authentication and multi-identity addressing module implements embedded identity authentication and packet signing multi-identity addressing based on a multi-identity network. After registration, users first sign each published data packet with their private key and write it into the signature area of the multi-identity network packet. Intermediate routers periodically maintain a user information table obtained from the multi-identity management system. Upon receiving a packet, they extract the corresponding user's signature information from the table and then use the public key information obtained from the multi-identity management system to authenticate the received multi-identity network packet. After successful authentication, multi-identity addressing is performed using a packet format that supports variable packet length.

Define the module to define digital customs, digital passports, and digital visas based on a multi-identifier network;

The digital visa module performs a bitwise XOR operation on the time data and the digital visa key, and then uses a hash function to perform a one-way mapping on the data after the bitwise XOR operation to obtain a digital visa based on a multi-identifier network.

The digital passport module calculates a digital passport based on a multi-identifier network, using the hash value of the digital visa and the cross-border passport key.

The exit form module is used and maintained, and digital customs is implemented through a multi-identifier network router. The exit form is used and maintained through the digital customs.

Use and update the entry form module to verify the digital passport through the digital customs and update the entry form.

In summary, this embodiment first implements multi-identifier addressing with embedded identity authentication and packet signature based on a multi-identifier network. Then, it realizes the use and maintenance of exit forms and the use and updating of entry forms through digital visas, digital passports, and digital customs based on the multi-identifier network. This effectively provides a network system, method, and framework adapted to the current pace of development through the multi-identifier network and its management system, thereby more effectively ensuring the trustworthiness and security of cyberspace and providing a better foundation for ensuring order, rule of law, and peace in cyberspace. When disputes and conflicts involving data assets, data privacy, or cyberspace arise, the victim can conduct investigations based on blockchain log records and send the investigation results to the corresponding domestic or international cyber courts, providing a reliable basis for domestic or international cyber court litigation. This invention can be better applied in global cyberspace, facilitating the management of national cyberspace boundaries, protecting national cyberspace sovereignty, and combating transnational cyberattacks and crimes.

Building upon this foundation, this embodiment further implements mimicry defense based on a weighted centrality algorithm, enabling targeted improvement of network protection efficiency according to user security needs; establishes an attack-resistant stochastic process martingale quantization model to enhance the flexibility of the hierarchical analysis structure of cyberspace and further improve network integrity; and establishes a cyberspace management system and a cyberspace adjudication system, providing guarantees for the security and trustworthiness of cyberspace and laying a solid foundation for ensuring the safe, peaceful, rule-of-law, and orderly management of cyberspace.

The above description, in conjunction with specific preferred embodiments, provides a further detailed explanation of the present invention. It should not be construed that the specific implementation of the present invention is limited to these descriptions. For those skilled in the art, various simple deductions or substitutions can be made without departing from the concept of the present invention, and all such modifications and substitutions should be considered within the scope of protection of the present invention.

Claims (11)

A method for ensuring the trustworthiness and security of cyberspace, characterized by comprising the following steps: Step S1: Implement embedded identity authentication and packet signing for multi-identity addressing based on a multi-identity network. After registration, the user first signs each published data packet with their private key and writes it into the signature area of the multi-identity network packet. The intermediate router periodically maintains the user information table obtained from the multi-identity management system. After receiving a packet, it extracts the signature information of the corresponding user from the table and then uses the public key information obtained from the multi-identity management system to authenticate the received multi-identity network packet. After successful authentication, multi-identity addressing is performed using a packet format that supports variable packet length. Step S2, define digital customs, digital passports, and digital visas based on a multi-identifier network; Step S3: Perform a bitwise XOR operation on the time data and the digital visa key, and use a hash function to perform a one-way mapping on the data after the bitwise XOR operation to obtain a digital visa based on a multi-identifier network. Step S4: Calculate the digital passport based on the hash value of the digital visa and the cross-border passport key; Step S5: Implement digital customs through a multi-identifier network router, and use and maintain the exit form through the digital customs. Step S6: Verify the digital passport using the entry form through the digital customs and update the entry form. The method for ensuring the trustworthiness and security of cyberspace according to claim 1, wherein step S1 includes the following sub-steps: In step S101, the multi-identity network client generates a public key and a private key for the user locally, and then submits the public key and the identity information signed with the private key to any node in the multi-identity management system. When a node receives a request, it verifies it. After successful verification, the ledger node of the multi-identity management system consortium chain generates a transaction and sends it to all blockchain nodes. When a voting node in the blockchain receives a pre-block, it votes on whether to allow the pre-block to become a formal block. The leader node collects the voting results, counts them, generates a voting proof, stores the block information of the pre-block that passed the vote, and extracts the user registration information from the block information and stores it in the user registry. Step S102: After registration, the user signs each data packet with their private key and writes the digital signature into the signature area of the multi-identifier network packet using the SM2 elliptic curve algorithm. The intermediate router periodically maintains the user information table obtained from the multi-identifier management system. After receiving a message, it extracts the signature information of the corresponding user from the table and then uses the public key information obtained from the multi-identifier management system to authenticate the received multi-identifier network packet. Step S103: After successful authentication, multi-identifier addressing is performed using a message format that supports variable message length. The data packet of the message format includes four areas: an identifier area, a signature area, a read-only area, and a variable area. The identifier area stores one or more identifiers to distinguish different network packets. The signature area stores one or more digital signatures, each consisting of signature information and a signature value. The signature information refers to the signature type and the location of the certificate used to verify the signature. The read-only area stores data blocks filled by the network sender. The variable area includes a protected area and a dangerous area. The protected area stores modifiable fields that require signature, and the dangerous area stores modifiable fields that do not require signature. In step S2, the digital customs based on the multi-identifier network refers to the border router used to process inbound and outbound multi-identifier network packets, issue digital passports for multi-identifier network packets leaving the country, and verify digital visas for multi-identifier network packets entering the country from abroad; the digital passport and digital visa based on the multi-identifier network refer to different specific fields carried on the multi-identifier network packet, and the specific fields are generated and verified by any one or more of encryption, hash calculation and certificates. The method for ensuring the trustworthiness and security of cyberspace according to claim 1 or 2, characterized in that step S3 includes the following sub-steps: Step S301: Calculate the time parameter Time using the formula Time = UNIX Time and 0xFFFFFFFFFFFFFFFF0, where UNIX Time is a 64-bit integer representing the number of seconds elapsed since the preset time, and the lowest 4 bits of the number of seconds UNIX Time in binary are set to 0. Step S302: Obtain the 256-bit time data Time256 using the formula Time256＝Time×(1+2 ⁶⁴ +2 ¹²⁸ +2 ¹⁹² ); Step S303: Perform a bitwise XOR operation on the time data Time256 and the digital visa key CVK using the formula Visa = SHA256(Time256 xor CVK), and perform a one-way mapping of the hash function to obtain the digital visa based on the multi-identifier network; the digital visa key CVK is a 256-bit key, which is associated with the user's multi-identifier network identity information and real identity information. The method for ensuring the trustworthiness and security of cyberspace according to claim 3 is characterized in that, in step S4, a digital passport Pass based on a multi-identifier network is calculated using the formula Pass = SHA256 (Visa xor CPK), where CPK refers to a pre-agreed 256-bit cross-border passport key. The method for ensuring the trustworthiness and security of cyberspace according to claim 4 is characterized in that, in step S5, the digital customs stores multiple exit tables, each exit table corresponding to a target country; when the digital customs receives a multi-identified network packet forwarded from the forwarding table, it first checks the target country corresponding to the multi-identified network packet, and then assigns the multi-identified network packet to the exit table of the corresponding country for processing. The processing includes the following sub-steps: Step A1: The digital customs discards multi-identifier network packets from users without exit permits; Step A2: When the digital visa carried in the multi-identifier network packet is the same as the LastVisa in the exit form, the digital customs directly signs the digital passport in the multi-identifier network packet using the LastPass in the exit form and forwards the multi-identifier network packet. LastVisa refers to the digital visa of the user's previous multi-identifier network packet, and LastPass refers to the digital passport calculated based on the digital visa LastVisa of the user's previous multi-identifier network packet. Step A3: When the digital visa carried in the multi-identifier network packet is different from the LastVisa in the departure form, determine whether the difference between the current time and LastTime is less than 8 seconds. If so, digital customs directly uses LastPass as the digital passport, fills the digital passport into the multi-identifier network packet, and forwards it immediately. LastTime refers to the time when the user's previous multi-identifier network packet arrived. If not, calculate the new digital passport based on the current time, update the departure form based on the new digital passport, and issue the new digital passport into the multi-identifier network packet. The method for ensuring the trustworthiness and security of cyberspace according to claim 4 is characterized in that, in step S6, an entry form is used and maintained in the digital customs. When a multi-identifier network packet is about to enter the network border, the digital customs performs verification processing through the entry form. The verification process includes the following sub-steps: Step B1: If the sender does not hold a digital passport and is not in a visa-free situation, the multi-identifier network packet is directly discarded through the digital customs. Step B2: If the sender holds a digital passport, the validity of the digital passport is verified through digital customs. If it is determined to be invalid, the digital customs discards the multi-identifier network packet containing the invalid digital passport; if it is determined to be valid, the digital passport and its digital visa corresponding to the multi-identifier network packet are verified. The process of updating the entry form in step S6 includes any of the following steps: Step C: Digital Customs traverses all entries in the entry form, calculating and updating the LastPass, Pass, and NextPass fields at fixed intervals. LastPass refers to the digital passport calculated based on the LastVisa digital visa of the user's previous multi-identifier network packet. Pass refers to the digital passport calculated based on the digital visa calculated at a fixed time after LastTime. NextPass refers to the digital passport calculated based on twice the fixed time after LastTime. Step D: When the digital customs receives a multi-identifier network packet, it determines whether the LastPass in the entry form has expired. If so, it replaces LastPass with Pass and Pass with NextPass; otherwise, it returns. The method for ensuring the trustworthiness and security of cyberspace according to claim 1 or 2 is characterized by further including a mimicry defense step based on a weighted centrality algorithm. In the mimicry defense step, the indicators of each device in the multi-identifier network are first obtained, including degree centrality, proximity centrality, and betweenness centrality. After obtaining the above three indicators, each indicator is sorted to obtain a score for that indicator. Then, the scores of the three indicators are summed to obtain a sum value sum. The sum value sum is sorted to obtain the final centrality level value Rank. For storage servers, a first weight is assigned, and their sum value sum is divided by 3 to obtain a new sum value sum'. For border routers, a second weight is assigned, and their sum value sum is divided by 2 to obtain a new sum value sum'. For forwarding servers, a third weight is assigned, and their sum value sum remains unchanged. The first weight is greater than the second weight, and the second weight is greater than the third weight. The method for ensuring the trustworthiness and security of cyberspace according to claim 1 or 2 is characterized by further comprising step S7, for establishing a cyberspace management system; performing AI detection management in the cyberspace management system, and when cyberspace is interfered with or attacked, monitoring and analyzing network traffic, user behavior and system logs through at least one of data analysis, deep learning, reinforcement learning and model training, and storing them in blockchain log records. The method for ensuring the trustworthiness and security of cyberspace according to claim 8 is characterized in that, in the cyberspace management system, when the attacker corresponding to the interference or attack cannot be found, compensation is provided through an insurance service company in cyberspace, or emergency assistance and support are provided through a cyberspace emergency response department, which includes domestic and international emergency response departments in cyberspace; both the insurance service company and the cyberspace emergency response department implement embedded identity authentication based on a multi-identifier network and access blockchain log records through multi-identifier addressing. The method for ensuring the trustworthiness and security of cyberspace according to claim 1 or 2 is characterized by further including step S8, for establishing a cyberspace adjudication system; in the cyberspace adjudication system, when disputes and conflicts involving data assets, data privacy or cyberspace are involved, an investigation is conducted based on blockchain log records, and the investigation results are sent to the corresponding domestic or international cyber court; and the relevant judgment records are published in the blockchain cyberspace. A system for ensuring the trustworthiness and security of cyberspace, characterized in that it employs the method for ensuring the trustworthiness and security of cyberspace as described in any one of claims 1 to 10, and includes: The identity authentication and multi-identity addressing module implements embedded identity authentication and packet signing multi-identity addressing based on a multi-identity network. After registration, users first sign each published data packet with their private key and write it into the signature area of the multi-identity network packet. Intermediate routers periodically maintain a user information table obtained from the multi-identity management system. Upon receiving a packet, they extract the corresponding user's signature information from the table and then use the public key information obtained from the multi-identity management system to authenticate the received multi-identity network packet. After successful authentication, multi-identity addressing is performed using a packet format that supports variable packet length. Define the module to define digital customs, digital passports, and digital visas based on a multi-identifier network; The digital visa module performs a bitwise XOR operation on the time data and the digital visa key, and then uses a hash function to perform a one-way mapping on the data after the bitwise XOR operation to obtain a digital visa based on a multi-identifier network. The digital passport module calculates a digital passport based on a multi-identifier network, using the hash value of the digital visa and the cross-border passport key. The exit form module is used and maintained, and digital customs is implemented through a multi-identifier network router. The exit form is used and maintained through the digital customs. Use and update the entry form module to verify the digital passport through the digital customs and update the entry form.