Research on intrusion detection model based on synchronization of heterogenous executer


Authors: YU Hong; ZHU Zhengbin; WEI Shuai [1]; GUO Wei [1]; LAN Julong [1,2] (Information Engineering University, Zhengzhou 450001, China; Songshan Laboratory, Zhengzhou 450018, China)

Affiliations: [1] Information Engineering University, Zhengzhou 450001, Henan, China; [2] Songshan Laboratory, Zhengzhou 450018, Henan, China

Source: Chinese Journal of Network and Information Security, 2025, No. 1, pp. 54-65 (12 pages)

Funding: National Key Research and Development Program of China (2022YFB4401401).

Abstract: Intrusion detection and cybersecurity situational awareness technologies based on machine learning and deep learning are generally limited by their reliance on prior knowledge and pre-training, which leads to low accuracy or poor dynamic adaptability when detecting different types of attacks. The dynamic heterogeneous redundancy (DHR) construction technique can detect attacks by judging the behavioral consistency of heterogeneous executers, which offers a new perspective for intrusion detection. Based on this concept, a novel intrusion detection model called IDHES (intrusion detection model based on synchronization of heterogenous executer) was proposed, which is capable of detecting multiple types of intrusions without training. Additionally, the model synchronizes the target functions of heterogeneous executers through internal and external event conversions, thereby reducing the false positive rate caused by executer heterogeneity. Through theoretical analysis of the model's detection principle and detection accuracy, it was concluded that the detection accuracy of IDHES depends solely on the success rate of coordinated attacks against heterogeneous executers and the efficiency of target function synchronization. To verify the effectiveness of the model, a prototype microcontroller (MCU) verification system based on the DHR architecture was constructed, and the target function synchronization method based on internal and external event conversions was implemented. Finally, the attack detection capability of the model was tested by simulating attacks through white-box instrumentation. The test results confirm the conclusion that the detection accuracy of IDHES depends solely on the success rate of coordinated attacks against heterogeneous executers and the efficiency of target function synchronization, and also show that IDHES can detect different types of attacks in real time without relying on prior knowledge or pre-training.

Keywords: intrusion detection; attack awareness; endogenous security; executer synchronization; dynamic heterogeneous redundancy

Classification number: TP309.1 [Automation and Computer Technology: Computer Systems Architecture]

 
