拟态防御架构设计方法研究进展  

作　　者：李淇 段鹏松[1] 曹仰杰[1] 张大龙 杨晓晗 王宇静 Li Qi;Duan Pengsong;Cao Yangjie;Zhang Dalong;Yang Xiaohan;Wang Yujing(School of Cyber Science and Engineering,Zhengzhou University,Zhengzhou 450003,China;Institute of Information Technology,Information Engineering University,Zhengzhou 450001,China)

机构地区：[1]郑州大学网络空间安全学院,郑州450003 [2]信息工程大学信息技术研究所,郑州450001

出　　处：《中国图象图形学报》2024年第8期2319-2332,共14页Journal of Image and Graphics

基　　金：郑州市协同创新重大专项(20XTZX06013);河南省高等学校重点科研项目计划项目(21A520043);中国工程科技发展战略河南研究院战略咨询研究项目(2022HENYB03);河南省科技攻关项目(232102210050)。

摘　　要：随着互联网技术的普及和发展,用户数据和隐私的保护已经成为一个热门的研究领域。网络空间安全防御从被动防御发展到主动防御,防御性能和成功率获得了显著的提升。然而,传统的被动防御和主动防御本质上都是功能和安全松耦合的外壳式防御,对未知攻击的防御性能较差。网络空间拟态防御(cyberspace mimic defense,CMD)是在传统网络安全防御方式上发展出来的网络内生安全实现形式,核心架构为动态异构冗余架构,架构实现主体主要由异构执行体集合、分发器、拟态变换器和表决器4部分组成,同时以CMD三定理及网络安全不完全交集定理为理论基础。其中,通过异构执行体增加系统的异构性,并由表决算法决定异构执行体中上下线的个体,最终由调度算法完成系统中执行体的上下线过程。本文主要从网络空间安全发展的历史沿革出发,对比传统防御方式与拟态防御的差异,着重介绍拟态架构中异构策略、调度策略以及表决策略的具体实现形式,并罗列在实践过程中融合拟态防御思想的应用实例。拟态防御已经在各个领域有了较为广泛的应用基础,在此基础上的研究可以将现有网络安全体系推进到新的阶段。The popularization and development of the Internet technology have facilitated extensive research on the protec⁃tion of user’s data and privacy.Cyberspace security defense has developed from passive defense to active Defense in recent years,and the performance and success rate of the new defense technologies have been significantly improved.Typical applications for passive defense are known as access control,firewall,and virtual local area network;those for active defense are honeypot technology,digital watermarking,intrusion detection,and flow cleaning.However,the traditional passive defense and active defense are shell defense loosely coupled with function and security,and their defense perfor⁃mance against unknown attacks is poor.Its defects can be summarized as the“impossible triangle”,which means that a tra⁃ditional defense system cannot simultaneously meet the three defense elements of dynamics,variety,and redundancy.The three elements can be combined in pairs to form a defensive domain.The typical technical representative of DV domain is mobile target defense,DR domain is dynamic isomorphic redundancy,and VR domain is non-similar redundancy architec⁃ture.Our research aims to find a defense technology that can reach the DVR domain.Cyberspace mimic defense(CMD)was proposed by Academician Wu Jiangxing in 2016.It aims to address the issue of cyberspace mimic security,which is an implementation form of network endogenous security developed from traditional cybersecurity defense methods.Its core architecture is a dynamic heterogeneous redundant architecture,which mainly consists of four parts:a set of heterogeneous execution entities,a distributor,a mimetic transformer,and a voter.It is also based on the three theorems of CMD and the theorem of network security incomplete intersection as the theoretical foundation.Among them,the heterogeneity of the system is increased through heterogeneous execution entities,and the voting algorithm determines the individuals which go online and offline in the het

关 键 词：网络安全 内生安全 拟态防御 冗余性 动态异构 

分 类 号：TP309[自动化与计算机技术—计算机系统结构]