通信学报 ›› 2021, Vol. 42 ›› Issue (3): 122-134.doi: 10.11959/j.issn.1000-436x.2021022
吴铤1,2, 胡程楠1, 陈庆南1, 陈安邦1, 郑秋华1
修回日期:
2020-12-30
出版日期:
2021-03-25
发布日期:
2021-03-01
作者简介:
吴铤(1972- ),男,浙江杭州人,博士,杭州电子科技大学教授、博士生导师,主要研究方向为拟态安全、理论密码学、工控安全。基金资助:
Ting WU1,2, Chengnan HU1, Qingnan CHEN1, Anbang CHEN1, Qiuhua ZHENG1
Revised:
2020-12-30
Online:
2021-03-25
Published:
2021-03-01
Supported by:
摘要:
针对DHR系统服务体在面临共同漏洞时的系统脆弱性问题,提出了一种改进的DHR架构——IDHR。该架构在 DHR 的基础上,首先引入根据执行体间的异构性对执行体集进行划分的执行体划分模块,以极大增强各执行体池之间的异构性。在此基础上,改进调度模块中的动态选择算法,即采用先随机选择执行体池,再从执行体池中随机选择执行体的方式,以提高在共同漏洞下 DHR 系统的安全性。最后,通过随机模拟执行体和仿真Web服务器2种实验方案,从攻击成功率和被控制率2个方面对所提IDHR架构进行安全性评估。实验结果表明, IDHR架构的安全性,尤其是在共同漏洞未知情况下,明显优于传统DHR架构。
中图分类号:
吴铤, 胡程楠, 陈庆南, 陈安邦, 郑秋华. 基于执行体划分的防御增强型动态异构冗余架构[J]. 通信学报, 2021, 42(3): 122-134.
Ting WU, Chengnan HU, Qingnan CHEN, Anbang CHEN, Qiuhua ZHENG. Defense-enhanced dynamic heterogeneous redundancy architecture based on executor partition[J]. Journal on Communications, 2021, 42(3): 122-134.
表4
IDHR架构的Web服务器系统软件选择"
软件类型 | 软件名称 | 具体版本 |
Windows Server | windows_server_2019 | |
操作系统 | windows_server_2016:1803 | |
Suse Linux | suse_linux:10.0 | |
RedHat Enterprise Linux | enterprise_linux:8.0 | |
Debian | debian_linux:7.0 | |
ian_linux:10 | ||
后台脚本语言 | Python | python:3.5.0 |
PHP | php:7.3.1 | |
Java | jre:8.0 | |
Nginx | nginx:1.6.1 | |
服务器软件 | nginx:1.13.8 | |
Apache | http_server:2.2.17 | |
IIS | internet_information_server:10.0 | |
MySQL | mysql:5.3.4 | |
数据库软件 | sql:8.0.1 | |
Oracle Database Server | database_server:9.0.1.5 | |
database_server:12.1.0.1 | ||
SQL Server | sql_server:2019 |
[1] | ALBERTS C J , DOROFEE A J , CREEL R ,et al. A systemic approach for assessing software supply-chain risk[C]// 2011 44th Hawaii International Conference on System Sciences. Piscataway:IEEE Press, 2011: 1-8. |
[2] | 陈福才, 何威振, 程国振 ,等. 基于 DPDK 的内网动态网关关键技术设计[J]. 通信学报, 2020,41(6): 139-151. |
CHEN F C , HE W Z , CHENG G Z ,et al. Design of key technologies for intranet dynamic gateway based on DPDK[J]. Journal on Communications, 2020,41(6): 139-151. | |
[3] | HOUSE W . Trustworthy cyberspace:strategic plan for the federal cyber security research and development program[R]. Report of the National Science and Technology Council,Executive Office of the President, 2011. |
[4] | 谭晶磊, 张恒巍, 张红旗 ,等. 基于Markov时间博弈的移动目标防御最优策略选取方法[J]. 通信学报, 2020,41(1): 42-52. |
TAN J L , ZHANG H W , ZHANG H Q ,et al. Optimal strategy selection approach of moving target defense based on Markov time game[J]. Journal on Communications, 2020,41(1): 42-52. | |
[5] | 马多贺, 李琼, 林东岱 . 基于POF的网络窃听攻击移动目标防御方法[J]. 通信学报, 2018,39(2): 73-87. |
MA D H , LI Q , LIN D D . Moving target defense against network eavesdropping attack using POF[J]. Journal on Communications, 2018,39(2): 73-87. | |
[6] | 邬江兴 . 网络空间拟态安全防御[J]. 保密科学技术, 2014(10): 4-9. |
WU J X . Mimic defense in cyberspace security[J]. Secrecy Science and Technology, 2014(10): 4-9. | |
[7] | 邬江兴 . 拟态计算与拟态安全防御的原意和愿景[J]. 电信科学, 2014,30(7): 2-7. |
WU J X . Meaning and vision of mimic computing and mimic security defense[J]. Telecommunications Science, 2014,30(7): 2-7. | |
[8] | 邬江兴 . 网络空间拟态防御研究[J]. 信息安全学报, 2016,1(4): 1-10. |
WU J X . Research on cyber mimic defense[J]. Journal of Cyber Security, 2016,1(4): 1-10. | |
[9] | 张杰鑫, 庞建民, 张铮 ,等. 基于非相似余度架构的网络空间安全系统异构性量化方法[J]. 电子与信息学报, 2019,41(7): 1594-1600. |
ZHANG J X , PANG J M , ZHANG Z ,et al. Heterogeneity quantization method of cyberspace security system based on dissimilar redundancy structure[J]. Journal of Electronics & Information Technology, 2019,41(7): 1594-1600. | |
[10] | 王伟, 曾俊杰, 李光松 ,等. 动态异构冗余系统的安全性分析[J]. 计算机工程, 2018,44(10): 42-45,50. |
WANG W , ZENG J J , LI G S ,et al. Security analysis of dynamic heterogeneous redundant system[J]. Computer Engineering, 2018,44(10): 42-45,50. | |
[11] | 扈红超, 陈福才, 王禛鹏 . 拟态防御 DHR 模型若干问题探讨和性能评估[J]. 信息安全学报, 2016,1(4): 40-51. |
HU H C , CHEN F C , WANG Z P . Performance evaluations on DHR for cyberspace mimic defense[J]. Journal of Cyber Security, 2016,1(4): 40-51. | |
[12] | 仝青, 张铮, 张为华 ,等. 拟态防御 Web 服务器设计与实现[J]. 软件学报, 2017,28(4): 883-897. |
TONG Q , ZHANG Z , ZHANG W H ,et al. Design and implementation of mimic defense Web server[J]. Journal of Software, 2017,28(4): 883-897. | |
[13] | 张铮, 马博林, 邬江兴 . Web 服务器拟态防御原理验证系统测试与分析[J]. 信息安全学报, 2017,2(1): 13-28. |
ZHANG Z , MA B L , WU J X . The test and analysis of prototype of mimic defense in Web servers[J]. Journal of Cyber Security, 2017,2(1): 13-28. | |
[14] | 宋克, 刘勤让, 魏帅 ,等. 基于拟态防御的以太网交换机内生安全体系结构[J]. 通信学报, 2020,41(5): 18-26. |
SONG K , LIU Q R , WEI S ,et al. Endogenous security architecture of Ethernet switch based on mimic defense[J]. Journal on Communications, 2020,41(5): 18-26. | |
[15] | 马海龙, 伊鹏, 江逸茗 ,等. 基于动态异构冗余机制的路由器拟态防御体系结构[J]. 信息安全学报, 2017,2(1): 29-42. |
MA H L , YI P , JIANG Y M ,et al. Dynamic heterogeneous redundancy based router architecture with mimic defenses[J]. Journal of Cyber Security, 2017,2(1): 29-42. | |
[16] | 丁绍虎, 李军飞, 季新生 . 基于拟态防御的 SDN 控制层安全机制研究[J]. 信息安全学报, 2019,4(4): 84-93. |
DING S H , LI J F , JI X S . Research on SDN control layer security based on mimic defense[J]. Journal of Cyber Security, 2019,4(4): 84-93. | |
[17] | 周清雷, 班绍桓, 韩英杰 ,等. 针对物理访问控制的拟态防御认证方法[J]. 通信学报, 2020,41(6): 80-87. |
ZHOU Q L , BAN S H , HAN Y J ,et al. Mimic defense authentication method for physical access control[J]. Journal on Communications, 2020,41(6): 80-87. | |
[18] | 任权, 贺磊, 邬江兴 . 基于离散马尔可夫链的不同抗干扰系统模型分析[J]. 网络与信息安全学报, 2018,4(4): 30-37. |
REN Q , HE L , WU J X . Analysis of different anti-interference system models based on discrete time Markov chain[J]. Chinese Journal of Network and Information Security, 2018,4(4): 30-37. | |
[19] | 朱维军, 郭渊博, 黄伯虎 . 动态异构冗余结构的拟态防御自动机模型[J]. 电子学报, 2019,47(10): 2025-2031. |
ZHU W J , GUO Y B , HUANG B H . A mimic defense automaton model of dynamic heterogeneous redundancy structures[J]. Acta Electronica Sinica, 2019,47(10): 2025-2031. | |
[20] | ZHANG B , CHANG X , LI J . A generalized information security model SOCMD for CMD Systems[J]. Chinese Journal of Electronics, 2020,29(3): 417-426. |
[21] | 李卫超, 张铮, 王立群 ,等. 基于拟态防御架构的多余度裁决建模与风险分析[J]. 信息安全学报, 2018,3(5): 64-74. |
LI W C , ZHANG Z , WANG L Q ,et al. The modeling and risk assessment on redundancy adjudication of mimic defense[J]. Journal of Cyber Security, 2018,3(5): 64-74. | |
[22] | 中国互联网络信息中心. 第 42 次《中国互联网络发展状况统计报告》[R]. 2018. |
China Internet Network Information Center. The 42-nd report of statistics on china's internet development[R]. 2018. | |
[23] | SUBRAHMANIAN V S , OVELGONNE M , DUMITRAS T ,et al. The global cyber-vulnerability report[R]. 2015. |
[24] | MAQBOOL O , BABRI H . Hierarchical clustering for software architecture recovery[J]. IEEE Transactions on Software Engineering, 2007,33(11): 759-780. |
[25] | SHTERN M , TZERPOS V . Clustering methodologies for software engineering[J]. Advances in Software Engineering, 2012,10: 14-32. |
[26] | NASEEM R , MAQBOOL O , MUHAMMAD S . An improved similarity measure for binary features in software clustering[C]// 2010 Second International Conference on Computational Intelligence,Modelling and Simulation. Piscataway:IEEE Press, 2010: 111-116. |
[27] | NASEEM R , DERIS M M . A new binary similarity measure based on integration of the strengths of existing measures:application to software clustering[C]// International Conference on Soft Computing and Data Mining. Berlin:Springer, 2016: 304-315. |
[28] | CHOI S S , CHA S H , TAPPERT C C . A survey of binary similarity and distance measures[J]. Journal of Systemics,Cybernetics and Informatics, 2010,8(1): 43-48. |
[29] | JACCARD P . étude comparative de la distribution florale dans une portion des Alpes et des Jura[J]. Bulletin De La Societe Vaudoise Des Sciences Naturelles, 1901,37: 547-579. |
[30] | SNEATH P H , SOKAL R R . The principles and practice of numerical classification[M]. London: Oxford University Press, 1973. |
[31] | FERDOUS R , . An efficient k-means algorithm integrated with Jaccard distance measure for document clustering[C]// 2009 First Asian Himalayas International Conference on Internet. Piscataway:IEEE Press, 2009: 1-6. |
[32] | KAUFMANN L , . Clustering by means of medoids[C]// International Conference on Statistical Data Analysis Based on the L1-norm and Related Methods.[S.n.:s.l.], 1987: 1-10. |
[33] | 郑秋华, 胡程楠, 吴铤 ,等. 一种基于概率分析的拟态DHR模型安全性分析方法[J]. 电子学报, 2020,doi:10.12263/DZXB.20201063. |
ZHENG Q H , HU C N , WU T ,et al. A security analysis approach for mimic DHR model based on probability analysis[J]. Chinese Journal of Electronics, 2020,doi:10.12263/DZXB.20201063. |
[1] | 张进, 葛强, 徐伟海, 江逸茗, 马海龙, 于洪涛. 拟态路由器BGP代理的设计实现与形式化验证[J]. 通信学报, 2023, 44(3): 33-44. |
[2] | 周大成, 陈鸿昶, 程国振, 何威振, 商珂, 扈红超. 面向持久性连接的自适应拟态表决器设计与实现[J]. 通信学报, 2022, 43(6): 71-84. |
[3] | 贾洪勇, 潘云飞, 刘文贺, 曾俊杰, 张建辉. 基于高阶异构度的执行体动态调度算法[J]. 通信学报, 2022, 43(3): 233-245. |
[4] | 朱正彬, 刘勤让, 刘冬培, 王崇. 拟态多执行体调度算法研究进展[J]. 通信学报, 2021, 42(5): 179-190. |
[5] | 潘传幸, 张铮, 马博林, 姚远, 季新生. 面向进程控制流劫持攻击的拟态防御方法[J]. 通信学报, 2021, 42(1): 37-47. |
[6] | 丁绍虎,齐宁,郭义伟. 基于M-FlipIt博弈模型的拟态防御策略评估[J]. 通信学报, 2020, 41(7): 186-194. |
[7] | 周清雷,班绍桓,韩英杰,冯峰. 针对物理访问控制的拟态防御认证方法[J]. 通信学报, 2020, 41(6): 80-87. |
[8] | 宋克,刘勤让,魏帅,张文建,谭力波. 基于拟态防御的以太网交换机内生安全体系结构[J]. 通信学报, 2020, 41(5): 18-26. |
[9] | 普黎明,刘树新,丁瑞浩,王凯. 面向拟态云服务的异构执行体调度算法[J]. 通信学报, 2020, 41(3): 17-24. |
[10] | 姚远,潘传幸,张铮,张高斐. 多样化软件系统量化评估方法[J]. 通信学报, 2020, 41(3): 120-125. |
[11] | 张兴明,顾泽宇,魏帅,沈剑良. 拟态防御马尔可夫博弈模型及防御策略选择[J]. 通信学报, 2018, 39(10): 143-154. |
[12] | 杨骁,向广利,魏江宏,孙瑞宗. 对2个属性基签名方案安全性的分析和改进[J]. 通信学报, 2016, 37(Z1): 168-173. |
[13] | 许艳,黄刘生,田苗苗,仲红. 可证安全的高效无证书有序多重签名方案[J]. 通信学报, 2014, 35(11): 126-131. |
[14] | 许 艳,黄刘生,田苗苗,仲 红. 可证安全的高效无证书有序多重签名方案[J]. 通信学报, 2014, 35(11): 14-126. |
[15] | 桂荆京,张毓森. 基于串空间的ad hoc路由协议安全性分析新方法[J]. 通信学报, 2010, 31(9A): 217-222. |
阅读次数 | ||||||
全文 |
|
|||||
摘要 |
|
|||||
|