网络空间拟态防御发展综述：从拟态概念到“拟态+”生态

doi:10.11959/j.issn.2096-109x.2022018

摘要/Abstract

摘要：

网络空间拟态防御（CMD，cyberspace mimic defense）基于动态异构冗余架构实现多体执行、多模裁决和多维重构，以不确定性系统应对网络空间泛在化的不确定性威胁。从纵向、横向、当前、发展和未来5个视角对其8年来的演进进行系统综述：纵向观，概述了CMD从概念提出，到理论、实践层面形成发展的历程；横向观，阐述了CMD的DHR（dynamical heterogeneous redundancy）核心架构、以CMD三定理为支柱的原理、安全增益、性能开销，将其与入侵容忍、移动目标防御、零信任架构、可信计算和计算机免疫学 5 类其他主动防御技术进行了综合对比辨析；当前观，综述了拟态路由器、拟态处理机、拟态 DNS服务器、拟态云平台等 11 类现有主要拟态产品的实现要素、性能表现、系统架构、异构策略、调度策略、表决策略等共性技术模式与特性技术特点；发展观，结合人工智能、物联网、云计算、大数据和软件定义网络5类新型技术探讨了“拟态+”AICDS（拟态+AI/ IoT/Cloud/Data/SDN）共生生态，提出了相应技术结合点和交叉研究价值；未来观，展望了未来拟态基线 2.0 产品生态、“拟态+5G/6G”“拟态+边缘计算”“拟态+云”和“拟态+区块链”5 类“拟态+”应用场景，分析归纳了拟态防御技术面临的存在多模决策攻击逃逸空间、异构与同步互制约、安全与功能难平衡和现有内生安全组件变换空间有限4点挑战。

关键词: 网络空间拟态防御, 系统架构, 异构策略, 调度策略, 非协同多模决策, 异构度增益

Abstract:

Build upon the dynamic-heterogeneous-redundant architecture for multi-body execution, multi-mode ruling and multi-dimension reconstruction, cyberspace mimic defense (CMD) uses uncertain system to deal with the uncertain threat to cyberspace ubiquity.The evolution of CMD over the past 8 years were reviewed systematically from the vertical, horizontal, current, developing and future perspectives.From the vertical perspective, the development process of CMD from concept to theory and practice was summarized.From the horizontal view, it elaborated the core structure DHR (dynamical heterogeneous redundancy) of CMD, the principles based on CMD’s three major theorems, safety gains and performance costs.A comparison was conducted between CMD and five other active defense technologies, namely intrusion tolerance, moving target defense, zero trust architecture, trusted computing and computer immunology.From the current perspective, it reviewed the implementation elements, performance, system architecture, heterogeneous strategies, scheduling strategies, voting strategies and other common technology patterns and characteristics of 11 types of main existing mimic products including mimicry router, mimicry processor, mimicry DNS server and mimicry cloud platform.From the developing perspective, it explored the “mimic+” AICDS (Mimic + AI/IoT/Cloud/Data/SDN) symbiotic ecology with respect to 5 types of new technologies, namely artificial intelligence, Internet of things, cloud computing, big data and software-defined network, and proposed the corresponding technology junctions and cross research value.From the future perspective, it looked into the future mimicry baseline 2.0 product ecology, “mimic +5G/6G”, “mimic + edge computing”,“mimic + cloud” and “mimic + blockchain” application scenarios.Besides, 4 types of challenges faced by CMD in the future were analyzed and summarized, including escape space of multi-mode decision attack, mutual restriction of heterogeneous and synchronous, difficult balance between security and function, and limited transformation space of existing endogenous security components.

Key words: cyberspace mimic defense, system architecture, heterogeneous strategy, scheduling strategy, non-cooperative multi-mode decision-making, heterogeneous gain

中图分类号:

TP309

马海龙, 王亮, 胡涛, 江逸茗, 曲彦泽. 网络空间拟态防御发展综述：从拟态概念到“拟态+”生态[J]. 网络与信息安全学报, 2022, 8(2): 15-38.

Hailong MA, Liang WANG, Tao HU, Yiming JIANG, Yanze QU. Survey on the development of mimic defense in cyberspace:from mimic concept to “mimic+” ecology[J]. Chinese Journal of Network and Information Security, 2022, 8(2): 15-38.

图/表 11

图1

图2

表1

图3

表2

表3

主要拟态平台共性技术实现Table 3 Realization of generic technology of main mimicry platform"

拟态平台	系统架构	异构策略	调度策略	表决策略
拟态蜜罐^[9]	拟态蜜罐子系统+宿主机操作系统+物理硬件	Web中间件+操作系统	状态回滚+轮换	行为记录、告警数据对比
拟态防火墙^[35]	分布式处理架构	硬件平台+操作系统+安全引擎	未明确	分层次、分阶段裁决
拟态交换机^[7]	异构执行体集+拟态调度器+交换芯片	CPU+操作系统	定时清洗+裁决清洗	基于信任权值的自清洗大数表决
拟态路由器	应用层+控制层+设备层	路由器+操作系统	执行体可信度+执行体性能权重	择多判决、权重判决、随机判决
拟态处理机^[28]	拟态调度器+异构处理机集+外围电路	操作系统	基于状态保存的两步清洗降级调度	基于可信度的比较择多策略+基于抽样择多的复合单选表决
拟态存储器	拟态调度器+异构处理机集+外围电路	存储编码	输出结果哈希值比对+纠删码	未明确
拟态Web服务器^[8,19]	中心调度器+动态执行体调度器+服务器池+请求分发均衡模块+表决器^[19]	服务器软件+文件系统+虚拟机操作系统+物理机操作系统^[19]；关键字标签化+文件标签化+目录随机化^[8]	基于可构成异构构件集种类数的执行体调度^[19]	多模裁决前端表决+SQL语句审查后端表决^[8]
拟态DNS服务器^[62]	异构DNS服务器池+选调器	DNS软件	基于执行体可信度、负载量确定选取系数的调度	大数表决+预表决
拟态计算服务器	CPU+GPU+FPGA+DSP+HRCA+RIC计算部件+其余部分	计算部件与结构	未明确	未明确
拟态云平台^[63-64]	基础设施层+异构网络交换层+拟态化括号层+拟态云管理器/拟态化 SaaS 应用层+运维管理层^[63]；原系统结构+服务层MSP化改造^[64]	拟态存储+拟态云管+异构网络交换^[63]；虚拟执行体^[64]	基于拟态表决、业务迁移和数据同步的调度^[63]；裁决触发、人工触发和策略触发相结合的调度^[64]	大数表决^[63-64]
拟态网络操作系统^[29]	应用层+控制层+拟态层+数据层	NOS+控制器	基于异构度增益的调度	基于博弈策略

表3

表4

图4

图5

图6

表5

参考文献 113

[1]	邬江兴 . 网络空间拟态防御研究[J]. 信息安全学报, 2016,1(4): 1-10.
	WU J X . Research on cyber mimic defense[J]. Journal of Cyber Security, 2016,1(4): 1-10.
[2]	王珊, 王会举, 覃雄派 ,等. 架构大数据:挑战、现状与展望[J]. 计算机学报, 2011,34(10): 1741-1752.
	WANG S , WANG H J , QIN X P ,et al. Architecting big data:chal-lenges,studies and forecasts[J]. Chinese Journal of Computers, 2011,34(10): 1741-1752.
[3]	陈钟, 孟宏伟, 关志 . 未来互联网体系结构中的内生安全研究[J]. 信息安全学报, 2016,1(2): 36-45.
	CHEN Z , MENG H W , GUAN Z . Research on intrinsic security in future Internet architecture[J]. Journal of Cyber Security, 2016,1(2): 36-45.
[4]	邬江兴 . 拟态计算与拟态安全防御的原意和愿景[J]. 电信科学, 2014,30(7): 2-7.
	WU J X . Meaning and vision of mimic computing and mimic secu-rity defense[J]. Telecommunications Science, 2014,30(7): 2-7.
[5]	邬江兴 . 网络空间拟态防御原理简介(下)[J]. 网信军民融合, 2017(2): 43-47.
	WU J X . An introduction to principles of mimic defense in cyber-space(Part 2)[J]. Civil-Military Integration on Cyberspace, 2017(2): 43-47.
[6]	佘平, 李宁波, 谢彬 ,等. 面向拟态防御系统的存储校验模型[J]. 数字技术与应用, 2018,36(9): 54-56,58.
	SHE P , LI N B , XIE B ,et al. The model of storage verification un-der mimic defense theory[J]. Digital Technology ＆ Application, 2018,36(9): 54-56,58.
[7]	宋克, 刘勤让, 魏帅 ,等. 基于拟态防御的以太网交换机内生安全体系结构[J]. 通信学报, 2020,41(5): 18-26.
	SONG K , LIU Q R , WEI S ,et al. Endogenous security architecture of Ethernet switch based on mimic defense[J]. Journal on Commu-nications, 2020,41(5): 18-26.
[8]	仝青, 张铮, 张为华 ,等. 拟态防御 Web 服务器设计与实现[J]. 软件学报, 2017,28(4): 883-897.
	TONG Q , ZHANG Z , ZHANG W H ,et al. Design and implemen-tation of mimic defense web server[J]. Journal of Software, 2017,28(4): 883-897.
[9]	王涵, 卜佑军, 江逸茗 ,等. 一种拟态蜜罐系统的设计与研究[J]. 网络安全技术与应用, 2021(2): 1-3.
	WANG H , BU Y J , JIANG Y M ,et al. Design and research of a mimic honeypot system[J]. Network Security Technology and Ap-plication, 2021(2): 1-3.
[10]	朱正彬, 刘勤让, 刘冬培 ,等. 拟态多执行体调度算法研究进展[J]. 通信学报, 2021,42(5): 179-190.
	ZHU Z B , LIU Q R , LIU D P ,et al. Research progress of mimic multi-execution scheduling algorithm[J]. Journal on Communica-tions, 2021,42(5): 179-190.
[11]	姚文斌, 杨孝宗 . 相异性软件组件选择算法设计[J]. 哈尔滨工业大学学报, 2003,35(3): 261-264.
	YAO W B , YANG X Z . The design of different software component selection algorithm[J]. Journal of Harbin Institute of Technology, 2003,35(3): 261-264.
[12]	吕迎迎, 郭云飞, 王禛鹏 ,等. SDN中基于历史信息的负反馈调度算法[J]. 网络与信息安全学报, 2018,4(6): 45-51.
	LYU Y Y , GUO Y F , WANG Z P ,et al. Negative feedback schedul-ing algorithm based on historical information in SDN[J]. Chinese Journal of Network and Information Security, 2018,4(6): 45-51.
[13]	张震骁 . 拟态防御动态调度策略研究[D]. 郑州:郑州大学, 2018.
	ZHANG Z X . Research on dynamic dispatch strategy of mimic de-fense[D]. Zhengzhou:Zhengzhou University, 2018.
[14]	LI J F , WU J X , HU Y X ,et al. DSL:dynamic and self-learning schedule method of multiple controllers in SDN[J]. ETRI Journal, 2017,39(3): 364-372.
[15]	沈丛麒, 陈双喜, 吴春明 ,等. 基于信誉度与相异度的自适应拟态控制器研究[J]. 通信学报, 2018,39(S2): 173-180.
	SHEN C Q , CHEN S X , WU C M ,et al. Adaptive mimic defensive controller framework based on reputation and dissimilarity[J]. Journal on Communications, 2018,39(S2): 173-180.
[16]	王晓梅, 杨文晗, 张维 ,等. 基于BSG的拟态Web服务器调度策略研究[J]. 通信学报, 2018,39(S2): 112-120.
	WANG X M , YANG W H , ZHANG W ,et al. Research on schedul-ing strategy of mimic Web server based on BSG[J]. Journal on Communications, 2018,39(S2): 112-120.
[17]	李传煌, 任云方, 汤中运 ,等. SDN中服务部署的拟态防御方法[J]. 通信学报, 2018,39(S2): 121-130.
	LI C H , REN Y F , TANG Z Y ,et al. Mimic defense method for ser-vice deployment in SDN[J]. Journal on Communications, 2018,39(S2): 121-130.
[18]	TWU P , MOSTOFI Y , EGERSTEDT M . A measure of heterogeneity in multi-agent systems[C]// Proceedings of 2014 American Control Conference. 2014: 3972-3977.
[19]	张杰鑫, 庞建民, 张铮 ,等. 面向拟态构造Web服务器的执行体调度算法[J]. 计算机工程, 2019,45(8): 14-21.
	ZHANG J X , PANG J M , ZHANG Z ,et al. Executors scheduling algorithm for Web server with mimic structure[J]. Computer Engi-neering, 2019,45(8): 14-21.
[20]	GARCIA M , BESSANI A , GASHI I ,et al. Analysis of operating system diversity for intrusion tolerance[J]. Software:Practice and Experience, 2014,44(6): 735-770.
[21]	普黎明, 刘树新, 丁瑞浩 ,等. 面向拟态云服务的异构执行体调度算法[J]. 通信学报, 2020,41(3): 17-24.
	PU L M , LIU S X , DING R H ,et al. Heterogeneous executor sche-duling algorithm for mimic cloud service[J]. Journal on Communi-cations, 2020,41(3): 17-24.
[22]	WU Z Q , WEI J . Heterogeneous executors scheduling algorithm for mimic defense systems[C]// Proceedings of 2019 IEEE 2nd International Conference on Computer and Communication Engineering Technology. 2019: 279-284.
[23]	QIU D H , LI H , SUN J L . Measuring software similarity based on structure and property of class diagram[C]// Proceedings of 2013 Sixth International Conference on Advanced Computational Intelligence (ICACI). 2013: 75-80.
[24]	顾泽宇, 张兴明, 林森杰 . 基于安全策略的负载感知动态调度机制[J]. 计算机应用, 2017,37(11): 3304-3310.
	GU Z Y , ZHANG X M , LIN S J . Load-aware dynamic scheduling mechanism based on security strategies[J]. Journal of Computer Applications, 2017,37(11): 3304-3310.
[25]	高明, 罗锦, 周慧颖 ,等. 一种基于拟态防御的差异化反馈调度判决算法[J]. 电信科学, 2020,36(5): 73-82.
	GAO M , LUO J , ZHOU H Y ,et al. A differential feedback sche-duling decision algorithm based on mimic defense[J]. Telecommu-nications Science, 2020,36(5): 73-82.
[26]	LU Z P , CHEN F C , CHENG G Z ,et al. Towards a dynamic controller scheduling-timing problem in software-defined networking[J]. China Communications, 2017,14(10): 26-38.
[27]	GUO W , WU Z Q , ZHANG F ,et al. Scheduling sequence control method based on sliding window in cyberspace mimic defense[J]. IEEE Access, 2019,8: 1517-1533.
[28]	魏帅, 于洪, 顾泽宇 ,等. 面向工控领域的拟态安全处理机架构[J]. 信息安全学报, 2017,2(1): 54-73.
	WEI S , YU H , GU Z Y ,et al. Architecture of mimic security pro-cessor for industry control system[J]. Journal of Cyber Security, 2017,2(1): 54-73.
[29]	王禛鹏, 扈红超, 程国振 . MNOS:拟态网络操作系统设计与实现[J]. 计算机研究与发展, 2017,54(10): 2321-2333.
	WANG Z P , HU H C , CHENG G Z . Design and implementation of mimic network operating system[J]. Journal of Computer Research and Development, 2017,54(10): 2321-2333.
[30]	胡爱群, 方兰婷, 李涛 . 基于仿生机理的内生安全防御体系研究[J]. 网络与信息安全学报, 2021,7(1): 11-19.
	HU A Q , FANG L T , LI T . Research on bionic mechanism based endogenous security defense system[J]. Chinese Journal of Network and Information Security, 2021,7(1): 11-19.
[31]	张启浩, 邓中, 周冬梅 . 拟态防御与国外网络安全研究成果比较分析[J]. 智能建筑, 2018(8): 17-22.
	ZHANG Q , DENG Z , ZHOU D M . Comparative analysis of mimic defense and foreign network security research results[J]. Intelligent Building, 2018(8): 17-22.
[32]	张举, 耿海军, 刘洁琦 . 基于网络熵的域内节能路由方案[J]. 计算机科学, 2019,46(2): 76-80.
	ZHANG J , GENG H J , LIU J Q . Intra-domain energy efficiency routing scheme based on network entropy[J]. Computer Science, 2019,46(2): 76-80.
[33]	TAN P N , STEINBACK M , KUMAR V . Introduction to data mining[M]. Posts ＆ Telecom Press, 2006.
[34]	陈福才, 扈红超, 刘文彦 ,等. 网络空间主动防御技术[M]. 北京: 科学出版社, 2018: 260-264.
	CHEN F CI , HU H C , LIU W Y ,et al. Active defense technology in cyberspace[M]. Beijing: Science Press, 2018: 260-264.
[35]	北京天融信网络安全技术有限公司,等. 一种基于网络的数据处理方法及电子设备:中国,110311850A[P]. 2019-10-08.
	Beijing Topsec Network Security Technology Co.,Ltd..,et al. A network-based data processing method and electronic equipment:China,110311850A[P]. 2019-10-08.
[36]	刘勤让, 林森杰, 顾泽宇 . 面向拟态安全防御的异构功能等价体调度算法[J]. 通信学报, 2018,39(7): 188-198.
	LIU Q R , LIN S J , GU Z Y . Heterogeneous redundancies schedul-ing algorithm for mimic security defense[J]. Journal on Communi-cations, 2018,39(7): 188-198.
[37]	杨维永, 廖鹏, 刘金锁 ,等. 应对新型网络威胁下的数据保护技术研究[J]. 电力信息与通信技术, 2014,12(5): 136-139.
	YANG W Y , LIAO P , LIU J S ,et al. Research on data protection technology in response to new cyber threats[J]. Electric Power In-formation and Communication Technology, 2014,12(5): 136-139.
[38]	ZHENG L , NIE X Q , TAO Y ,et al. Applications of intrusion-tolerance pre-response in the grid enterprises[C]// Proceedings of 2012 Fourth International Conference on Computational and Information Sciences. 2012: 985-988.
[39]	扈红超, 陈福才, 王禛鹏 . 拟态防御 DHR 模型若干问题探讨和性能评估[J]. 信息安全学报, 2016,1(4): 40-51.
	HU H C , CHEN F C , WANGZ P . Performances valuations on DHR for cyberspace mimic defense[J]. Journal of Cyber Security, 2016,1(4): 40-51.
[40]	ROBERTM G . Entropy and information theory[M]. Berlin: Springer, 2011.
[41]	潘计辉, 张盛兵, 张小林 ,等. 三余度机载计算机设计与实现[J]. 西北工业大学学报, 2013,31(5): 798-802.
	PAN J H , ZHANG S B , ZHANG X L ,et al. Design and implemen-tation of airborne computer with triple degrees[J]. Journal of Northwestern Polytechnical University, 2013,31(5): 798-802.
[42]	LI Z J , HU B , LU T Q ,et al. Research on risk prevention and control strategy of power grid CPS system based on intrusion tolerance[J]. IOP Conference Series:Earth and Environmental Science, 2021,675(1): 147-156.
[43]	WANG F Y , UPPPALLI R . SITAR:a scalable intrusion-tolerant architecture for distributed services-a technology summary[C]// Proceedings of Proceedings DARPA Information Survivability Conference and Exposition. 2003: 153-155.
[44]	STROUD R , WELCH I , WARNE J ,et al. A qualitative analysis of the intrusion-tolerance capabilities of the MAFTIA architecture[C]// Proceedings of International Conference on Dependable Systems and Networks. 2004: 453-461.
[45]	BANGALORE A K , SOOD A K . Securing web servers using self cleansing intrusion tolerance (SCIT)[C]// Proceedings of 2009 Second International Conference on Dependability. 2009: 60-65.
[46]	DAI Q N , TIAN Y H . Optimal design of MTD filter based on FIR[C]// Proceedings of 2019 IEEE International Conference on Signal,Information and Data Processing. 2019: 1-4.
[47]	KAMPANAKIS P , PERROS H , BEYENE T . SDN-based solutions for Moving Target Defense network protection[C]// Proceedings of Proceeding of IEEE International Symposium on a World of Wireless,Mobile and Multimedia Networks 2014. 2014: 1-6.
[48]	樊琳娜, 马宇峰, 黄河 ,等. 移动目标防御技术研究综述[J]. 中国电子科学研究院学报, 2017,12(2): 209-214.
	FAN L N , MA Y F , HUANG H ,et al. The research summary of moving target defense technology[J]. Journal of China Academy of Electronics and Information Technology, 2017,12(2): 209-214.
[49]	PENG W , LI F , HUANG C T ,et al. A moving-target defense strategy for Cloud-based services with heterogeneous and dynamic attack surfaces[C]// Proceedings of 2014 IEEE International Conference on Communications. 2014: 804-809.
[50]	HU P F , LI H X , FU H ,et al. Dynamic defense strategy against advanced persistent threat with insiders[C]// Proceedings of 2015 IEEE Conference on Computer Communications. 2015: 747-755.
[51]	SEO J , LEE B , KIM S ,et al. SGX-shield:enabling address space layout randomization for SGX programs[C]// Proceedings 2017 Network and Distributed System Security Symposium. 2017.
[52]	WANG J , YAO Y , ZHANG G F ,et al. Defense method of ruby code injection attack based on instruction set randomization[C]// Proceedings of ICCCM'20:Proceedings of the 8th International Conference on Computer and Communications Management. 2020: 63-67.
[53]	WANG H X , SHU N N , WANG Y J ,et al. Survey of software defined network and mutable network[C]// Proceedings of the International Conference on Communication and Electronic Information Engineering (CEIE 2016). 2017.
[54]	HUANG Y , GHOSH A K . Introducing diversity and uncertainty to create moving attack surfaces for Web services[R]. 2011.
[55]	TAO C , LV Y , QI Z ,et al. An implementation method of zero-trust architecture[J]. Journal of Physics:Conference Series, 2020,1651(1).
[56]	GARBIS J , CHAPMAN J W . Zero trust architectures[R]. 2021.
[57]	秦中元, 胡爱群 . 可信计算系统及其研究现状[J]. 计算机工程, 2006,32(14): 111-113.
	QIN Z Y , HU A Q . Trusted computing system and its current re-search[J]. Computer Engineering, 2006,32(14): 111-113.
[58]	樊佩佩, 杨德义 . 浅析计算机网络入侵检测中免疫机制的应用[J]. 科学技术创新, 2018(18): 69-70.
	FAN P P , YANG D Y . Analysis of the application of immune me-chanism in computer network intrusion detection[J]. Scientific and Technological Innovation, 2018(18): 69-70.
[59]	王亚奇, 蒋国平 . 考虑网络流量的无标度网络病毒免疫策略研究[J]. 物理学报, 2011,60(6): 6-13.
	WANG Y Q , JIANG G P . Epidemic immunization on scale-free networks with traffic flow[J]. Acta Physica Sinica, 2011,60(6): 6-13.
[60]	张楠, 张建华, 陈建英 . WSN中基于免疫Multi-Agent的入侵检测机制[J]. 计算机工程与科学, 2010,32(5): 10-14.
	ZHANG N , ZHANG J H , CHEN J Y . An intrusion detection me-chanism based on immune multi-agents in WSN[J]. Computer En-gineering ＆ Science, 2010,32(5): 10-14.
[61]	侯家利, 朱梅阶, 彭宏 . 模块化免疫神经网络的模型研究[J]. 电子学报, 2005,33(8): 1502-1505.
	HOU J L , ZHU M J , PENG H . Research on modular-based immune neural network model[J]. Acta Electronica Sinica, 2005,33(8): 1502-1505.
[62]	王禛鹏, 扈红超, 程国振 . 一种基于拟态安全防御的 DNS 框架设计[J]. 电子学报, 2017,45(11): 2705-2714.
	WANG Z P , HU H C , CHENG G Z . A DNS architecture based on mimic security defense[J]. Acta Electronica Sinica, 2017,45(11): 2705-2714.
[63]	张帆, 谢光伟, 郭威 ,等. 基于拟态架构的内生安全云数据中心关键技术和实现方法[J]. 电信科学, 2021,37(3): 39-48.
	ZHANG F , XIE G W , GUO W ,et al. Key technologies and imple-mentation methods of endogenous safety and security cloud data center based on mimic architecture[J]. Telecommunications Science, 2021,37(3): 39-48.
[64]	普黎明, 卫红权, 李星 ,等. 面向云应用的拟态云服务架构[J]. 网络与信息安全学报, 2021,7(1): 101-112.
	PU L M , WEI H Q , LI X ,et al. Mimic cloud service architecture for cloud applications[J]. Chinese Journal of Network and Informa-tion Security, 2021,7(1): 101-112.
[65]	马海龙, 伊鹏, 江逸茗 ,等. 基于动态异构冗余机制的路由器拟态防御体系结构[J]. 信息安全学报, 2017,2(1): 29-42.
	MA H L , YI P , JIANG Y M ,et al. Router mimic defense architec-ture based on dynamic heterogeneous redundancy mechan-ism[J]. Journal of Information Security[J].Journal of Cyber Security, 2017,2(1): 29-42.
[66]	LARSEN P , HOMESCU A , BRUNTHALER S ,et al. SoK:automated software diversity[C]// Proceedings of 2014 IEEE Symposium on Security and Privacy. 2014: 276-291.
[67]	姚东, 张铮, 张高斐 ,等. 多变体执行安全防御技术研究综述[J]. 信息安全学报, 2020,5(5): 77-94.
	YAO D , ZHANG Z , ZHANG G F ,et al. A survey on multi-variant execution security defense technology[J]. Journal of Cyber Security, 2020,5(5): 77-94.
[68]	张铮, 李方云, 邬江兴 ,等. 一种网络攻击防御方法及系统:CN110012038A[P].20190712.
	ZHANG Z , LI F Y , WU J X ,et al. Network attack defense method and system:CN110012038A[P].20190712.
[69]	信息处理装置及信息处理装置的控制方法:CN101963926A[P]. 2011-02-02.
	Information processing apparatus and control method of the infor-mation processing apparatus:CN101963926A[P]. 2011-02-02.
[70]	马海龙, 江逸茗, 白冰 ,等. 路由器拟态防御能力测试与分析[J]. 信息安全学报, 2017,2(1): 43-53.
	MA H L , JIANG Y M , BAI B ,et al. Tests and analyses for mimic de-fense ability of routers[J]. Journal of Cyber Security, 2017,2(1): 43-53.
[71]	王强, 姚磊, 李团营 . 业务板间信息的同步方法、装置、存储介质及计算机设备:CN108093061A[P]. 2018-05-29.
	WANG Q , YAO L , LI T Y . Synchronization method and device of information between service boards,storage medium and computer equipment:CN108093061A[P]. 2018-05-29.
[72]	崔冰萌, 倪明, 凌幸华 . 基于FPGA的拟态服务器设计[J]. 计算机系统应用, 2018,27(4): 219-225.
	CUI B M , NI M , LING X H . Design of mimicry computing server with FPGA[J]. Computer Systems ＆ Applications, 2018,27(4): 219-225.
[73]	LORCZAK P R , CAGLAYAN A K , ECKHARDT D E . A theoretical investigation of generalized voters for redundant systems[C]// Proceedings of the Nineteenth International Symposium on Fault-Tolerant Computing.Digest of Papers. 1989: 444-451.
[74]	BASS J M . Voting in real-time distributed computer control systems[D]. Sheffield,UK:The University of Sheffield. 1995.
[75]	KANEKAWAN , MAEJIMA H , KATO H , et al . Dependable onboard computer systems with a new method-stepwise negotiating voting[C]// Proceedings of the Nineteenth International Symposium on Fault-Tolerant Computing.Digest of Papers. Piscataway:IEEE Press, 1989: 13-19.
[76]	MOORE J S . A fast majority vote algorithm[J]. Springer Netherlands, 2000.
[77]	周海涛, 朱纪洪 . 基于自检测的多数一致表决算法[J]. 清华大学学报(自然科学版), 2005,45(4): 488-491.
	ZHOU H T , ZHU J H . Majority voting algorithm based on self-test[J]. Journal of Tsinghua University (Science and Technolo-gy), 2005,45(4): 488-491.
[78]	俞功兵, 王俊峰 . 基于自检测的自适应一致表决算法[J]. 电子设计工程, 2012,20(21): 19-21.
	YU G B , WANG J F . Adaptive consensus voting algorithm based on self-test[J]. Electronic Design Engineering, 2012,20(21): 19-21.
[79]	欧阳城添, 王曦, 郑剑 . 自适应一致表决算法[J]. 计算机科学, 2011,38(7): 130-133.
	OUYANG C T , WANG X , ZHENG J . Adaptive consensus voting algorithm[J]. Computer Science, 2011,38(7): 130-133.
[80]	吴一凡, 冉晓旻 . CNN 神经网络在航迹预测中的应用[J]. 电子设计工程, 2019,27(12): 13-20.
	WU Y F , RAN X M . Application of CNN neural network in route forecasting[J]. Electronic Design Engineering, 2019,27(12): 13-20.
[81]	KONG J , HUANG J , YU H ,et al. RNN-based default logic for route planning in urban environments[J]. Neurocomputing, 2019,338: 307-320.
[82]	BUSCH J , KOCHETUROV A , TRESP V ,et al. NF-GNN:network flow graph neural networks for malware detection and classification[R]. 2021.
[83]	FU R , ZHANG Z , LI L . Using LSTM and GRU neural network methods for traffic flow prediction[C]// Proceedings of 2016 31st Youth Academic Annual Conference of Chinese Association of Automation (YAC). 2016: 324-328.
[84]	LIN C K , WILD A , CHINYA G N ,et al. Programming spiking neural networks on intel's loihi[J]. Computer, 2018,51(3): 52-61.
[85]	宫学源 . 英特尔发布神经拟态计算芯片,可模拟人类大脑自主学习[J]. 科技中国, 2018.
	GONG X Y . Intel released a neuromorphic computing chip that can simulate the autonomous learning of the human brain[J]. Technol-ogy China, 2018.
[86]	MICHAUD F . EMIB-computational architecture based on emotion and motivation for intentional selection and configuration of behaviour-producing modules[J]. Clinical Advances in Hematology ＆Oncology, 2004.
[87]	PRASAD C , CHUGH S , GREVE H ,et al. Silicon reliability characterization of intel's foveros 3D integration technology for logic-on-logic Die stacking[C]// Proceedings of 2020 IEEE International Reliability Physics Symposium. 2020: 1-5.
[88]	李卫超, 张铮, 王立群 ,等. 一种拟态构造的Web威胁态势分析方法[J]. 计算机工程, 2019,45(8): 1-6.
	LI W C , ZHANG Z , WANG L Q ,et al. A web threat situation anal-ysis method for mimic structure[J]. Computer Engineering, 2019,45(8): 1-6.
[89]	GUBBI J , BUYYA R , MARUSIC S ,et al. Internet of things (IoT):a vision,architectural elements,and future directions[J]. Future Generation Computer Systems, 2013,29(7): 1645-1660.
[90]	ZHANG Z K , CHO M C Y , WANG C W ,et al. IoT security:ongoing challenges and research opportunities[C]// Proceedings of 2014 IEEE 7th International Conference on Service-Oriented Computing and Applications. Piscataway:IEEE Press, 2014: 230-234.
[91]	何意, 刘兴伟, 马宏亮 . 车联网拟态防御系统研究[J]. 信息安全研究, 2020,6(3): 244-251.
	HE Y , LIU X W , MA H L . Research on mimic defense system of Internet of vehicles[J]. Journal of Information Security Research, 2020,6(3): 244-251.
[92]	普黎明, 柏溢, 游伟 ,等. 面向拟态云服务的异构执行体输出裁决方法[J]. 信息工程大学学报, 2020,21(3): 344-351.
	PU L M , BAI Y , YOU W ,et al. Heterogeneous executors output de-cision method for mimic cloud service[J]. Journal of Information Engineering University, 2020,21(3): 344-351.
[93]	陈福才, 周梦丽, 刘文彦 ,等. 云环境下面向拟态防御的反馈控制方法[J]. 信息网络安全, 2021,21(1): 49-56.
	CHEN F C , ZHOU M L , LIU W Y ,et al. Feedback control method for mimic defense in cloud environment[J]. Netinfo Security, 2021,21(1): 49-56.
[94]	徐悦, 倪明, 余新胜 ,等. 云环境下拟态应用行为预测方法研究[J]. 信息技术, 2021,45(1): 53-59.
	XU Y , NI M , YU X S ,et al. Research on prediction method of mimic application behavior in cloud environment[J]. Information Technology, 2021,45(1): 53-59.
[95]	于敏 . 基于ARIMA的云资源编排优化[D]. 北京：北京工业大学, 2019.
	YU M . ARIMA-based cloud resource orchestration optimization[D]. Beijing：Beijing University of Technology, 2019.
[96]	赵双蕊, 闫弈棋, 韩晓丽 . 基于云理论和 RBF 神经网络的预测模型[J]. 科学导报, 2016,(4): 255-256.
	ZHAO S R , YAN Y Q , HAN X L . Predictive model based on cloud theory and RBF neural network[J]. Science Herald, 2016,(4): 255-256.
[97]	GEORGE L , . HBase-the definitive guide:random access to your planet-size data[C]// DBLP, 2011.
[98]	黄方, 朱强, 李丽 ,等. 一种基于Web框架的高性能地学计算服务系统:CN106371931B[P]. 2019-11-05.
	WANG F , ZHU Q , LI L ,et al. A high-performance geoscience computing service system based on a Web framework:CN106-371931B[P]. 2019-11-05.
[99]	顾青, 冯四风, 梁佐泉 ,等. 大数据处理方法及其处理系统:CN110209631A[P].20190906
	GU Q , FENG S F , LIANG Z Q ,et al. Big data processing method and system:CN110209631A[P].20190906
[100]	李斌, 周清雷, 斯雪明 ,等. 基于拟态计算的大数据高效能平台设计方法[J]. 计算机应用研究, 2019,36(7): 2059-2064.
	LI B , ZHOU Q L , SI X M ,et al. Design method of big data high-efficiency platform based on mimic computing[J]. Application Research of Computers, 2019,36(7): 2059-2064.
[101]	龙虎, 彭志勇 . 基于拟态计算的大数据精准服务架构研究[J]. 信息与电脑(理论版), 2020,32(5): 147-149.
	LONG H , PENG Z Y . Research on big data précis eservice archi-tecture based on mimic computer[J]. China Computer ＆ Commu-nication, 2020,32(5): 147-149.
[102]	龙虎, 王振龙, 杨建菊 . 基于拟态计算的高效能大数据应用平台构建研究[J]. 电脑知识与技术, 2021,17(1): 36-37,40.
	LONG H , WANG Z L , YANG J J . Research on the construction of high performance big data application platform based on mimic computing[J]. Computer Knowledge and Technology, 2021,17(1): 36-37,40.
[103]	BRISCOE B . Network functions virtualisation(NFV)[M]// Security Problem Statement. 2014.
[104]	黄前淼 . 基于拟态防御的 SDN 服务路径配置及其验证机制研究[D]. 杭州:浙江工商大学.
	HUANG Q M . Research on SDN service path configuration and verification mechanism based on mimic defense[D]. Hangzhou:Zhejiang Gongshang University.
[105]	丁绍虎, 李军飞, 季新生 . 基于拟态防御的 SDN 控制层安全机制研究[J]. 信息安全学报, 2019,4(4): 84-93.
	DING S H , LI J F , JI X S . Research on SDN control layer security based on mimic defense[J]. Journal of Cyber Security, 2019,4(4): 84-93.
[106]	吕迎迎 . 拟态SDN控制器架构安全关键技术研究[D]. 郑州:信息工程大学, 2018.
	LYU Y Y . Research on the key technologies of mimic SDN con-troller architecture security[D]. Zhengzhou:Information Engineer-ing University, 2018.
[107]	高洁, 邬江兴, 李军飞 ,等. 拟态化 SDN 控制层裁决机制研究[J]. 信息工程大学学报, 2018,19(6): 641-646.
	GAO J , WU J X , LI J F ,et al. Research on the arbitrament mechan-ism in the mimic SDN control layer[J]. Journal of Information En-gineering University, 2018,19(6): 641-646.
[108]	雷波, 赵倩颖, 赵慧玲 . 边缘计算与算力网络综述[J]. 中兴通讯技术, 2021,27(3): 3-6.
	LEI B , ZHAO Q Y , ZHAO H L . Overview of edge computing and computing power network[J]. ZTE Technology Journal, 2021,27(3): 3-6.
[109]	梁启锋 . 边缘计算安全威胁现状及防护技术分析[J]. 网络安全技术与应用, 2020(4): 9-10.
	LIANG Q F . The current situation of edge computing security threats and analysis of protection technology[J]. Network Security Technology and Application, 2020(4): 9-10.
[110]	朱泓艺, 陆肖元, 李毅 . 基于拟态防御原理的分布式多接入边缘计算研究[J]. 物联网学报, 2019,3(3): 76-83.
	ZHU H Y , LU X Y , LI Y . Research on distributed multi-access edge computing based on mimic defense theory[J]. Chinese Journal on Internet of Things, 2019,3(3): 76-83.
[111]	DELMOLINO K , ARNETT M , KOSBA A ,et al. Step by step towards creating a safe smart contract:lessons and insights from a crypto currency lab[M]// Financial Cryptography and Data Security. Berlin,Heidelberg: Springer Berlin Heidelberg, 2016: 79-94.
[112]	SAPIRSHTEIN A , SOMPOLINSKY Y , ZOHAR A . Optimal selfish mining strategies in bitcoin[M]// Financial Cryptography and Data Security. Berlin,Heidelberg: Springer Berlin Heidelberg, 2017: 515-532.
[113]	徐蜜雪, 苑超, 王永娟 ,等. 拟态区块链:区块链安全解决方案[J]. 软件学报, 2019,30(6): 1681-1691.
	XUM X , YUAN C , WANGY J ,et al. Mimic blockchain—solution to the security of blockchain[J]. Journal of Software, 2019,30(6): 1681-1691.

调度算法	动态性指标（取值1~5）	平均失效率	异构度	系统开销	服务质量
MD	1	1.14×10^-4	0.114 3	O(1)	—
OMD	1	3.60×10^-4	0.218 3	O(1)	0.450 3
随机调度	5	7.66×10^-4	0.272 3	O(1)	—
RSMS^[9]	2	2.77×10^-4	0.155 0	O(n)	—
PSPT^[21]	5	—	0.249 0	O(1)	—
RSMHQ^[19]	2	—	0.376 8	O(n)	0.519 3
RSMHQH^[22]	2	—	—	O(1)	—
基于正态分布^[13]	4	—	—	O(2ⁿ)	—
基于BSG^[16]	2	—	MOSS	O(n)	—
基于反馈判决^[25]	3	—	MOSS	O(n)	—
基于自学习^[17]	3	—	—	O(2ⁿ)	—
基于安全策略^[26]	2	—	—	O(n)	—
基于滑动窗口^[27]	4	—	—	O(n)	—
注：动态性指标取值越大表示动态性越强，MOSS表示采用基于软件相似性度量衡量执行体间异构度，“—”表示研究未衡量该指标。

技术	发布时间	技术本质	核心特性	典型架构	具体实现	先验知识无关性	组件动态水平	风险感知能力	威胁规避能力
CMD	2016年	异构执行体策略裁决与动态调度	动态、异构、冗余	DHR	拟态交换机/路由器/处理机等	5	5	4	5
入侵容忍	1985年	配置冗余资源容忍入侵	冗余	基于入侵检测的容忍触发、算法驱动、周期性恢复	SITAR/MAFTIA/SCIT	2	3	3	4
MTD	2009年	移动攻击面	多样、动态、随机	动态网络+动态平台+动态环境+动态应用+动态数据	MUTE/MAS	5	5	3	5
ZTA	2010年	基于信任传递建立信任关系	信任授权	强认证+最小特权授权	无	1	4	5	5
TC	1985年	以身份取代传统网络边界	信任授权	TPM+TSS+应用	SGX^[49]/可信云^[50]	5	1	1	5
计算机免疫学	20 世纪90年代	将网络威胁视为待优化问题求解	免疫	抗原识别+抗体群体产生+群体更新	IMMSIM/ARTIS/Multi-Agent	1	1	4	4

拟态平台	测试方案			安全性能（攻击成功概率）	开销（平均时延）
拟态平台	扫描	漏洞利用	后门利用	安全性能（攻击成功概率）	开销（平均时延）
拟态交换机^[7]	√	√	—	5项测试均通过	10 ms
				漏洞利用率35%（余度为3）	32 ms（500条路由）
拟态路由器^[65]	√	√	√	漏洞利用率18%（余度为7）
				后门利用率4%以下	52 ms（1 500条路由）
拟态处理机^[28]	√	√	√	3个测试项均通过	未测试
拟态存储器	—	—	—	100个文件经1 000次拟态变换持续可用	0.2~1s
拟态Web服务器^[8]	√	√	√	13项测试均通过	未测试
拟态DNS服务器^[62]	—	√	√	攻击难度提升10¹⁰个数量级	506 ms（余度为5）
拟态云平台^[64]	—	√		3项测试均通过	530 ms（余度为3）
拟态网络操作系统^[29]	—	√	√	0.3%~2%	20 ms

			软件					硬件
应用软件^[8,19]	服务器软件^[8,19,62]	数据库/SQL脚本^[8]	SDN控制器^[29]	文件系统^[8,19]	虚拟/物理主机操作系统^[8,19]	CPU^[28]	其他计算部件^[68]	路由器^[65]	路由器控制方式^[65]	防火墙^[35]
	RedHat 7				Ubuntu
	Windows 7		Floodlight		Windows Server 2003/
	Debian 7.0		OpenDaylight		2008/2012/2016/2018	Intel	GPU	Quagga0.99.22.4	软件迁移	Linux
	Windows		RYU	ext2	RedHat 7	Atom	DSP	XORP1.8.5	控制路由	NGTOS
PHP	Server	未异构化	NOX	ext4	IIS 6.0	AMD	HRCA	思科c2600	器接口改	IPS
	2012	处理	ONOS	FAT	CentOS	E3930	RIC	Juniper10.2	造组合运	SSL
	IIS 6.0		BEACON		Windows XP	龙芯	FPGA	MP3900	用实体设	DLP
	Apache		MAESTRO		Windows 7			ZXR10	备和SDN
	Lightpd		RAW		Vx Works				交换机
	Nginx				中标麒麟