面向持久性连接的自适应拟态表决器设计与实现

doi:10.11959/j.issn.1000-436x.2022081

通信学报 ›› 2022, Vol. 43 ›› Issue (6): 71-84.doi: 10.11959/j.issn.1000-436x.2022081

面向持久性连接的自适应拟态表决器设计与实现

周大成, 陈鸿昶, 程国振, 何威振, 商珂, 扈红超

信息工程大学信息技术研究所，河南郑州 450001

修回日期:2022-03-24 出版日期:2022-06-01 发布日期:2022-06-01
作者简介:周大成（1995- ），男，河南息县人，信息工程大学博士生，主要研究方向为网络空间安全、云计算等
陈鸿昶（1964- ），男，河南新密人，博士，信息工程大学教授、博士生导师，主要研究方向为网络空间安全、数据分析等
程国振（1986- ），男，山东菏泽人，博士，信息工程大学副教授、硕士生导师，主要研究方向为网络空间安全、软件定义网络等
何威振（1996- ），男，安徽亳州人，信息工程大学博士生，主要研究方向为网络空间安全、云计算等
商珂（1995- ），女，河南郑州人，信息工程大学助理研究员，主要研究方向为网络空间安全、云计算等
扈红超（1982- ），男，河南商丘人，博士，信息工程大学教授、博士生导师，主要研究方向为网络空间安全、拟态防御等
基金资助:
国家自然科学基金资助项目(62072467);国家重点研发计划基金资助项目(2021YFB1006200);国家重点研发计划基金资助项目(2021YFB1006201)

Design and implementation of adaptive mimic voting device oriented to persistent connection

Dacheng ZHOU, Hongchang CHEN, Guozhen CHENG, Weizhen HE, Ke SHANG, Hongchao HU

Institute of Information Technology, Information Engineering University, Zhengzhou 450001, China

Revised:2022-03-24 Online:2022-06-01 Published:2022-06-01
Supported by:
The National Natural Science Foundation of China(62072467);The National Key Research and Develop-ment Program of China(2021YFB1006200);The National Key Research and Develop-ment Program of China(2021YFB1006201)

摘要/Abstract

摘要：

目的：拟态表决器是拟态防御技术的动态异构冗余架构下的关键组件，但是现有拟态表决方法需要分析处理异构冗余执行体的完整输出数据，在基于HTTP 1.1协议的基于持久性连接持续传输数据分块的应用场景中存在表决效率过低、内存资源开销过大的问题。本文面向持久性连接的数据分块持续输出的场景，设计实现面向持久性连接的自适应拟态表决器，以降低表决器的内存资源开销并提高该场景下的表决效率。

方法：通过自适应切分陆续到达表决器的异构冗余分块报文，在数据持续传输过程中以滑动窗口的方式对分块报文的数据进行动态表决与输出，并逐步释放已表决分块报文数据，从而在保持持久性连接的数据传输连续性的条件下降低数据表决处理时间和拟态表决器的内存消耗。一方面，分析滑动窗口式表决的分块传输编码报文的数据特征，构建表决算法选择策略集，给出表决器在滑动窗口式的数据表决时的表决准确性的维护方案。另一方面，建立自适应拟态表决器的数据表决过程的存贮模型，并基于存贮模型的成本优化提出自适应表决窗口控制策略，为待表决数据的提供最佳的自适应切分方案。

结果：基于Nginx实现自适应拟态表决器的原型系统并与传统的拟态表决器进行一系列的对比实验。（1）通过对内存资源占用量评估发现，自适应拟态表决器在传输20MB分块编码传输的Web资源时消耗的物理内存的峰值及消耗物理内存的总时间相较于传统拟态表决器均明显降低；（2）通过传输时延评估发现，自适应拟态表决器在表决处理10MB至320MB的分块传输编码的网页资源的响应时间均较低，说明其表决速率得到明显提高；（3）通过并发性能评估发现，自适应拟态表决器在1000至5000的并发量下的系统平均响应时延低于传统拟态表决器的，表决处理吞吐量也高于传统拟态表决器；（4）通过表决准确性评估表明，基于表决算法选择策略集的自适应拟态表决器相较于分别采用字符相似度算法、语义特征算法、层次分析算法的传统拟态表决器，在多个HTML的数据篡改场景中略弱于语义特征算法和层次分析算法，但远优于字符相似度算法，因此具有可接受的表决准确率。

结论：自适应拟态表决器有效解决了持久性连接传输分块报文的表决过程中的内存资源的过度占用带来的服务性能下降问题。资源开销实验说明了自适应拟态表决器对该问题的改善效果；表决准确度评估实验说明了自适应拟态表决器在提高表决效率的同时维护了可接受的表决准确性；不同数据规模和不同服务压力下的实验以微基准的方式说明了自适应拟态表决器在一般应用场景下的可行性。因此，本文所设计实现的自适应拟态表决器在可接受的表决准确度下降低了资源开销并提高了表决效率，可有效支撑在持久性连接中传输数据的应用程序的拟态化改造。

关键词: 拟态防御, 拟态表决, 超文本传输协议, 持久性连接, 分块传输编码

Abstract:

Objectives: Mimic voter is a crucial component under the dynamic heterogeneous redundancy architecture of mimic defense technology,but the existing mimic voting method needs to collect and process the complete output data of heterogeneous redundant executives. In the application scenario where the connection continuously transmits data in chunked transfer encoding,there are problems that the mimic voting efficiency is too low and the memory resource overhead of mimic voting is too significant.This paper designs and implements an adaptive mimic voter oriented to the scenario of the continuous output of chunked transfer encoded data in a persistent connection to reduce the memory resource overhead of the mimic voter and improve voting efficiency.

Methods: The proposed mimic voter adaptively divides the chunked-transfer-encoded data arriving at the voter successively from the heterogeneous redundant executives,dynamically votes, and then outputs the data in the form of a sliding window during the continuous data transmission process.Gradually releasing the data of the voted blocks can reduce the memory consumption of the mimic voter and lower the voting processing time while maintaining the continuity of data transmission of the persistent connection.On the one hand,a voting algorithm selection strategy set is constructed to keep the voting accuracy by analyzing the data characteristics in the sliding window.On the other hand,an inventory model of the data voting process of the adaptive mimic voter is established,and an adaptive voting window control strategy is proposed based on the cost optimization of the inventory model to provide the best adaptive segmentation scheme for the data to be voted.

Results:A series of comparative experiments between the prototype system of the adaptive mimic voter and the traditional mimic voter is conducted as follows. (1) The evaluation of memory resource occupancy shows that the peak physical memory consumption and the total time of consuming physical memory when the adaptive mimic voter transmits 20MB web resources in chunked transfer encoding are significantly lower than those of the traditional mimic voter. (2) The evaluation of transmission delay shows that the response time of the adaptive mimic voter in the voting processing of 10MB to 320MB chunked transfer-encoded webpage resources is relatively low, indicating that its voting speed has been significantly improved. (3) The concurrency performance evaluation shows that the average of response time of the system applying the adaptive mimic voter under the request concurrency of 1000 to 5000 is lower than that of the traditional mimic voter,and the voting processing throughput is higher than that of the traditional mimic voter.(4)The evaluation of voting accuracy shows that the adaptive mimic voter based on the voting algorithm selects the strategy set is slightly weaker than the semantic feature algorithm and the AHP algorithm while far superior to the character similarity algorithm in the traditional mimic voter, which reveals that the adaptive mimic voter has an acceptable voting accuracy.

Conclusions: The design of the adaptive mimic voter effectively solves the problem of service performance degradation caused by the excessive occupation of memory resources in voting chunked transfer encoding data of persistent connection. The memory occupancy experiment shows the improvement effect of the adaptive mimic voter on this problem, and the voting accuracy evaluation experiment shows that the adaptive mimic voter can improve voting efficiency while maintaining acceptable voting accuracy.The experiments under different service pressures give the feasibility analysis of the adaptive mimic voter in general application scenarios with micro-benchmarks. Therefore, the adaptive mimic voter reduces resource overhead and improves voting efficiency with acceptable voting accuracy, which can effectively support the mimic transformation of applications that transmit data in persistent connections.

Key words: mimic defense, mimic voting, HTTP, persistent connection, chunked transfer encoding

中图分类号:

TP309.1

周大成, 陈鸿昶, 程国振, 何威振, 商珂, 扈红超. 面向持久性连接的自适应拟态表决器设计与实现[J]. 通信学报, 2022, 43(6): 71-84.

Dacheng ZHOU, Hongchang CHEN, Guozhen CHENG, Weizhen HE, Ke SHANG, Hongchao HU. Design and implementation of adaptive mimic voting device oriented to persistent connection[J]. Journal on Communications, 2022, 43(6): 71-84.

图/表 14

图1

图2

图3

图4

图5

图6

图7

表1

图8

图9

图10

图11

图12

图13

参考文献 20

[1]	邬江兴 . 网络空间拟态防御研究[J]. 信息安全学报, 2016,1(4): 1-10.
	WU J X . Research on cyber mimic defense[J]. Journal of Cyber Security, 2016,1(4): 1-10.
[2]	吴铤, 胡程楠, 陈庆南 ,等. 基于执行体划分的防御增强型动态异构冗余架构[J]. 通信学报, 2021,42(3): 122-134.
	WU T , HU C N , CHEN Q N ,et al. Defense-enhanced dynamic heterogeneous redundancy architecture based on executor partition[J]. Journal on Communications, 2021,42(3): 122-134.
[3]	MCALLISTER D F , SUN C , VOUK M A . Reliability of voting in fault-tolerant software systems for small output-spaces[J]. IEEE Transactions on Reliability, 1990,39(5): 524-534.
[4]	JAMALI N , SAMMUT C . Majority voting:material classification by tactile sensing using surface texture[J]. IEEE Transactions on Robotics, 2011,27(3): 508-521.
[5]	仝青, 张铮, 张为华 ,等. 拟态防御 Web 服务器设计与实现[J]. 软件学报, 2017,28(4): 883-897.
	TONG Q , ZHANG Z , ZHANG W H ,et al. Design and implementation of mimic defense Web server[J]. Journal of Software, 2017,28(4): 883-897.
[6]	张文建, 宋克, 谭力波 ,等. 面向拟态判决的可编程语义解析方法[J]. 通信学报, 2020,41(4): 62-69.
	ZHANG W J , SONG K , TAN L B ,et al. Programmable semantic parsing approach for mimic arbitration[J]. Journal on Communications, 2020,41(4): 62-69.
[7]	马博林, 张铮, 刘健雄 . 应用于动态异构Web服务器的相似度求解方法[J]. 计算机工程与设计, 2018,39(1): 282-287.
	MA B L , ZHANG Z , LIU J X . Similarity calculation method applied to dynamic heterogeneous Web server system[J]. Computer Engineering and Design, 2018,39(1): 282-287.
[8]	QI C , WU J X , HU H C ,et al. An intensive security architecture with multi-controller for SDN[C]// Proceedings of 2016 IEEE Conference on Computer Communications Workshops. Piscataway:IEEE Press, 2016: 401-402.
[9]	欧阳城添, 王曦, 郑剑 . 自适应一致表决算法[J]. 计算机科学, 2011,38(7): 130-133.
	OUYANG C T , WANG X , ZHENG J . Adaptive consensus voting algorithm[J]. Computer Science, 2011,38(7): 130-133.
[10]	HU H C , WU J X , WANG Z P ,et al. Mimic defense:a designed-in cybersecurity defense framework[J]. IET Information Security, 2018,12(3): 226-237.
[11]	陆以勤, 黄俊贤, 程喆 ,等. 基于改进AHP-FCE模型的多指标拟态表决算法[J]. 北京邮电大学学报, 2021,44(2): 8-13.
	LU Y Q , HUANG J X , CHENG Z ,et al. A multi-index mimic voting algorithm based on improved AHP-FCE model[J]. Journal of Beijing University of Posts and Telecommunications, 2021,44(2): 8-13.
[12]	ZHOU D C , CHEN H C , CHENG G Z ,et al. SecIngress:an API gateway framework to secure cloud applications based on N-variant system[J]. China Communications, 2021,18(8): 17-34.
[13]	林森杰, 刘勤让, 王孝龙 . 面向拟态防御系统的竞赛式仲裁模型[J]. 计算机工程, 2018,44(4): 193-198.
	LIN S J , LIU Q R , WANG X L . Competitive arbitration model for mimic defense system[J]. Computer Engineering, 2018,44(4): 193-198.
[14]	WANG Y W , WU J X , GUO Y F ,et al. Scientific workflow execution system based on mimic defense in the cloud environment[J]. Frontiers of Information Technology ＆ Electronic Engineering, 2018,19(12): 1522-1536.
[15]	TH?NES J . Microservices[J]. IEEE Software, 2015,32(1): 116.
[16]	AKHSHABI S , NARAYANASWAMY S , BEGEN A C ,et al. An experimental evaluation of rate-adaptive video players over HTTP[J]. Signal Processing:Image Communication, 2012,27(4): 271-287.
[17]	王禛鹏, 扈红超, 程国振 . 一种基于拟态安全防御的 DNS 框架设计[J]. 电子学报, 2017,45(11): 2705-2714.
	WANG Z P , HU H C , CHENG G Z . A DNS architecture based on mimic security defense[J]. Acta Electronica Sinica, 2017,45(11): 2705-2714.
[18]	张铮, 马博林, 邬江兴 . Web 服务器拟态防御原理验证系统测试与分析[J]. 信息安全学报, 2017,2(1): 13-28.
	ZHANG Z , MA B L , WU J X . The test and analysis of prototype of mimic defense in Web servers[J]. Journal of Cyber Security, 2017,2(1): 13-28.
[19]	SCARF H E . Inventory theory[J]. Operations Research, 2002,50(1): 186-191.
[20]	杨益民, 付必胜 . 仓库容量有限条件下的生产销售存贮模型[J]. 系统工程, 2001,19(1): 18-23.
	YANG Y M , FU B S . The storage model about production and sale under the condition of limited-space storehouse[J]. Systems Engineering, 2001,19(1): 18-23.

指标	参数
操作系统	CentOS 7.6 64位
CPU	8核 2.5 GHz
内存/GB	4
硬盘/GB	32
网络带宽/(Mbit·s^-1)	1 000

面向持久性连接的自适应拟态表决器设计与实现

Design and implementation of adaptive mimic voting device oriented to persistent connection

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 14

参考文献 20

相关文章 10

Metrics

推荐阅读 0

[1]	张进, 葛强, 徐伟海, 江逸茗, 马海龙, 于洪涛. 拟态路由器BGP代理的设计实现与形式化验证[J]. 通信学报, 2023, 44(3): 33-44.
[2]	贾洪勇, 潘云飞, 刘文贺, 曾俊杰, 张建辉. 基于高阶异构度的执行体动态调度算法[J]. 通信学报, 2022, 43(3): 233-245.
[3]	朱正彬, 刘勤让, 刘冬培, 王崇. 拟态多执行体调度算法研究进展[J]. 通信学报, 2021, 42(5): 179-190.
[4]	吴铤, 胡程楠, 陈庆南, 陈安邦, 郑秋华. 基于执行体划分的防御增强型动态异构冗余架构[J]. 通信学报, 2021, 42(3): 122-134.
[5]	潘传幸, 张铮, 马博林, 姚远, 季新生. 面向进程控制流劫持攻击的拟态防御方法[J]. 通信学报, 2021, 42(1): 37-47.
[6]	丁绍虎,齐宁,郭义伟. 基于M-FlipIt博弈模型的拟态防御策略评估[J]. 通信学报, 2020, 41(7): 186-194.
[7]	周清雷,班绍桓,韩英杰,冯峰. 针对物理访问控制的拟态防御认证方法[J]. 通信学报, 2020, 41(6): 80-87.
[8]	宋克,刘勤让,魏帅,张文建,谭力波. 基于拟态防御的以太网交换机内生安全体系结构[J]. 通信学报, 2020, 41(5): 18-26.
[9]	姚远,潘传幸,张铮,张高斐. 多样化软件系统量化评估方法[J]. 通信学报, 2020, 41(3): 120-125.
[10]	张兴明,顾泽宇,魏帅,沈剑良. 拟态防御马尔可夫博弈模型及防御策略选择[J]. 通信学报, 2018, 39(10): 143-154.