Journal on Communications, 2021, Vol. 42, Issue 5: 179-190. doi: 10.11959/j.issn.1000-436x.2021072
Zhengbin ZHU, Qinrang LIU, Dongpei LIU, Chong WANG
Revised: 2021-03-17
Online: 2021-05-25
Published: 2021-05-01
About the authors: Zhengbin ZHU (1996- ), male, from Jingmen, Hubei; PhD candidate at Information Engineering University; research interests: cyberspace security and network active defense.
Supported by:
Abstract: Mimic defense is a new active defense technique built on the dynamic heterogeneous redundancy (DHR) architecture. Its intrinsic uncertainty, heterogeneity, redundancy and negative feedback markedly improve system robustness and security. The multi-executor scheduling algorithm is the key to mimic defense: its quality directly determines how well a mimic system withstands attacks that exploit known or unknown vulnerabilities and backdoors. On that basis, the techniques and goals of mimic scheduling algorithms were first introduced; the state of research was then analysed and summarized from three aspects, namely scheduling object, scheduling number and scheduling timing; finally, future research directions and trends for mimic scheduling algorithms were discussed.
CLC number:
Zhengbin ZHU, Qinrang LIU, Dongpei LIU, Chong WANG. Research progress of mimic multi-execution scheduling algorithm[J]. Journal on Communications, 2021, 42(5): 179-190.
Table 1  Pros, cons and application scenarios of algorithms grouped by scheduling object

| Basis | Algorithm | Pros and cons | Application scenario |
|---|---|---|---|
| Software heterogeneity measure | Negative-feedback algorithm based on historical information | Uses historical information and negative feedback, but does not consider heterogeneity | SDN |
| Software heterogeneity measure | Normal-distribution-based algorithm | Good dynamicity and controllability, but high complexity | — |
| Software heterogeneity measure | Dynamic self-learning scheduling algorithm | Considers historical information and the executors' current security and iterates adaptively, but computationally expensive | SDN |
| Software heterogeneity measure | Adaptive scheduling algorithm based on reputation and dissimilarity | Quantifies reputation and its update rule, but lacks a fine-grained heterogeneity formula | SDN |
| Software heterogeneity measure | Random-seed minimum-similarity algorithm | Good dynamicity and finer-grained quantification of executor heterogeneity, but no negative feedback | — |
| Software heterogeneity measure | BSG game-based algorithm | Quantifies inter-executor heterogeneity mathematically with a Bayesian Stackelberg game (BSG) model, but computationally expensive | Web server |
| Heterogeneous component measure | Random-seed scheduling algorithm | Fine-grained quantification of executor-set heterogeneity combined with the system's quality of service; the weights still need to be determined | Web server |
| Heterogeneous component measure | Priority and time-slice scheduling algorithm | Highly dynamic and considers both the time and space dimensions, but ignores historical information | — |
| MOSS measure | Load-aware scheduling algorithm | Considers executor-set security and load, scales well, but high complexity | SDN |
Table 4  Overall comparison of the scheduling algorithms

| Scheduling algorithm | Dynamicity | Mean failure rate | Heterogeneity | System overhead | Quality of service |
|---|---|---|---|---|---|
| MD | ★ | 1.1419 × 10^-4 | 0.1143 | O(1) | — |
| OMD | ★ | 3.5989 × 10^-4 | 0.2183 | O(1) | 0.4503 |
| Random scheduling | ★★★★★ | 7.6647 × 10^-4 | 0.2723 | O(1) | — |
| RSMS | ★★ | 2.7664 × 10^-4 | 0.155 | O(n) | — |
| PSPT | ★★★★★ | — | 0.249 | O(1) | — |
| RSMHQ | ★★ | — | 0.3768 | O(n) | 0.5193 |
| RSMHQH | ★★ | — | — | O(1) | — |
| Normal-distribution-based | ★★★★ | — | — | O(2n) | — |
| BSG-based | ★★ | — | MOSS | O(n) | — |
| Feedback-decision-based | ★★★ | — | MOSS | O(n) | — |
| Self-learning-based | ★★★ | — | — | O(2n) | — |
| Security-policy-based | ★★ | — | — | O(n) | — |
| Sliding window | ★★★★ | — | — | O(n) | — |

Note: ★ low, ★★ medium-low, ★★★ medium, ★★★★ medium-high, ★★★★★ high. "MOSS" means inter-executor heterogeneity is measured with the MOSS method; "—" means the metric was not considered.
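The abstract and Tables 1 and 4 describe the scheduling problem in terms of three knobs: how heterogeneous the selected executor set is, how voting history feeds back into later selections, and what the selection costs. The Python below is an added example, not code from this paper or from any of the surveyed algorithms. It is a toy DHR scheduler over a constructed five-executor pool: a component-level heterogeneity measure (mean pairwise stack dissimilarity, an assumption standing in for the finer-grained metrics in Table 1), a strict-majority voter, and negative feedback that lowers the credit of outvoted executors so that the next selection tends to evict them. The executor descriptions, the scoring rule, the decay factor and the fault model are all constructed for illustration.

```python
"""Toy dynamic heterogeneous redundancy (DHR) scheduler with majority voting.

Added illustrative example; not code from the surveyed papers. The executor
pool, the scoring rule and the fault model are constructed assumptions.
"""
from collections import Counter
from itertools import combinations

# Constructed executor pool: each executor is an (OS, server, runtime) stack.
EXECUTORS = {
    "e1": {"os": "linux",   "server": "nginx",  "runtime": "php"},
    "e2": {"os": "linux",   "server": "apache", "runtime": "python"},
    "e3": {"os": "freebsd", "server": "nginx",  "runtime": "python"},
    "e4": {"os": "windows", "server": "iis",    "runtime": "dotnet"},
    "e5": {"os": "linux",   "server": "apache", "runtime": "php"},
}


def dissimilarity(a, b):
    """Fraction of stack layers on which two executors differ (0 = identical, 1 = disjoint)."""
    return sum(a[k] != b[k] for k in a) / len(a)


def set_heterogeneity(names, pool=EXECUTORS):
    """Mean pairwise dissimilarity of an executor set: a coarse component-level measure."""
    pairs = list(combinations(names, 2))
    if not pairs:
        return 0.0
    return sum(dissimilarity(pool[a], pool[b]) for a, b in pairs) / len(pairs)


class DHRScheduler:
    """Selects k of n executors, maximizing heterogeneity weighted by a per-executor
    credit that negative feedback from the voter lowers (assumed scoring rule)."""

    def __init__(self, pool, k, decay=0.5):
        self.pool = pool
        self.k = k
        self.decay = decay                      # assumed penalty factor per outvote
        self.credit = {name: 1.0 for name in pool}

    def select(self):
        """Exhaustive search over the C(n, k) subsets; fine for a small pool and
        deliberately simpler than the O(n) heuristics listed in Table 4."""
        best, best_score = None, -1.0
        for combo in combinations(self.pool, self.k):
            mean_credit = sum(self.credit[e] for e in combo) / self.k
            score = set_heterogeneity(combo, self.pool) * mean_credit
            if score > best_score:
                best, best_score = combo, score
        return best

    def vote(self, outputs):
        """Strict-majority vote over {executor: output}.

        Returns (agreed_output_or_None, outvoted_executors) and applies negative
        feedback: every executor outside the majority loses credit. With no strict
        majority the result is None and every participant is treated as suspect.
        """
        value, count = Counter(outputs.values()).most_common(1)[0]
        if count <= len(outputs) // 2:
            value, losers = None, list(outputs)
        else:
            losers = [e for e, out in outputs.items() if out != value]
        for e in losers:
            self.credit[e] *= self.decay
        return value, losers


def simulate(scheduler, compromised, rounds):
    """Run scheduling rounds against a constructed fault model: compromised
    executors return a tampered output, all others the correct one."""
    history = []
    for _ in range(rounds):
        chosen = scheduler.select()
        outputs = {e: ("tampered" if e in compromised else "ok") for e in chosen}
        result, _ = scheduler.vote(outputs)
        history.append((chosen, result))
    return history


if __name__ == "__main__":
    sched = DHRScheduler(EXECUTORS, k=3)
    for chosen, result in simulate(sched, compromised={"e3"}, rounds=3):
        print(chosen, "->", result, {e: round(c, 2) for e, c in sched.credit.items()})
```

Run as a script, the first round picks (e3, e4, e5), the only set with heterogeneity 1.0; once e3 is outvoted its credit halves and the second round switches to (e1, e2, e4), the most heterogeneous set that avoids it. The exhaustive C(n, k) search makes the "system overhead" column of Table 4 concrete, and the voter shows the limit that every DHR scheduler has to reckon with: if two of the three selected executors share a vulnerability and both return the tampered output, the strict majority is wrong and the feedback penalizes the honest executor, which is exactly why the surveyed algorithms push so hard on heterogeneity of the selected set.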