基于非相似余度架構(gòu)的網(wǎng)絡(luò)空間安全系統(tǒng)異構(gòu)性量化方法

張杰鑫; 龐建民; 張錚; 邰銘; 劉浩

doi:10.11999/JEIT180764

基于非相似余度架構(gòu)的網(wǎng)絡(luò)空間安全系統(tǒng)異構(gòu)性量化方法

doi: 10.11999/JEIT180764 cstr: 32379.14.JEIT180764

數(shù)學(xué)工程與先進(jìn)計(jì)算國家重點(diǎn)實(shí)驗(yàn)室 ??鄭州 ??450001

基金項(xiàng)目: 國家自然科學(xué)基金(61472447)，國家重點(diǎn)研發(fā)計(jì)劃(2016YFB0800104)，上海市科學(xué)技術(shù)委員會科研計(jì)劃(16DZ1120502)

詳細(xì)信息

作者簡介:
張杰鑫：男，1989年生，博士生，研究方向?yàn)榫W(wǎng)絡(luò)空間安全、高效能計(jì)算

龐建民：男，1964年生，教授，研究方向?yàn)楦咝阅苡?jì)算、信息安全

張錚：男，1976年生，副教授，研究方向?yàn)榫W(wǎng)絡(luò)空間安全、先進(jìn)計(jì)算

邰銘：男，1967年生，副教授，研究方向?yàn)榫W(wǎng)絡(luò)空間安全、先進(jìn)計(jì)算

劉浩：男，1997年生，碩士生，研究方向?yàn)榫W(wǎng)絡(luò)空間安全、先進(jìn)計(jì)算

通訊作者:
龐建民　jianmin_pang@hotmail.com

中圖分類號: TP311
計(jì)量
- 文章訪問數(shù): 2689
- HTML全文瀏覽量: 1028
- PDF下載量: 121
- 被引次數(shù): 0
出版歷程
- 收稿日期: 2018-08-03
- 修回日期: 2018-11-22
- 網(wǎng)絡(luò)出版日期: 2018-12-05
- 刊出日期: 2019-07-01

Heterogeneity Quantization Method of Cyberspace Security System Based on Dissimilar Redundancy Structure

State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China

Funds: The National Natural Science Foundation of China(61472447), The National Key R&D Program of China (2016YFB0800104), The Science and Technology Committee of Shanghai Municipal Research Project (16DZ1120502)

摘要

摘要: 基于非相似余度架構(gòu)(DRS)的網(wǎng)絡(luò)空間安全技術(shù)是一種主動防御技術(shù)，其利用非相似性、冗余性等特性阻斷或者擾亂網(wǎng)絡(luò)攻擊，以提高系統(tǒng)的可靠性和安全性。該文在研究異構(gòu)性是如何提高系統(tǒng)的安全性的基礎(chǔ)上，指出對異構(gòu)性進(jìn)行量化評估的重要性，將DRS的異構(gòu)性定義為其執(zhí)行體集的復(fù)雜性與差異性，并依此提出一種量化異構(gòu)性的方法。實(shí)驗(yàn)結(jié)果表明，該方法可以將10個(gè)執(zhí)行體集分為9類，而香濃-維納指數(shù)、辛普森指數(shù)和Pielou指數(shù)只能分為4類。在理論上為DRS異構(gòu)性量化評估提供了一種新方法，并為工程實(shí)現(xiàn)DRS系統(tǒng)提供了指導(dǎo)。
- 網(wǎng)絡(luò)空間安全 /
- 漏洞 /
- 非相似余度 /
- 異構(gòu)性 /
- 量化方法
Abstract: The Dissimilar Redundancy Structure (DRS) based cyberspace security technology is an active defense technology, which uses features such as dissimilarity and redundancy to block or disrupt network attacks to improve system reliability and security. By analyzing how heterogeneity can improve the security of the system, the importance of quantification of heterogeneity is pointed out and the heterogeneity of DRS is defined as the complexity and disparity of its execution set. A new method which is suitable for quantitative heterogeneity is also proposed. The experimental results show that this method can divide 10 execution sets into 9 categories, while the Shannon-Wiener index, Simpson index and Pielou index can only divide into 4 categories. This paper provides a new method to quantify the heterogeneity of DRS in theory, and provides guidance for engineering DRS systems.
- Cyberspace security /
- Vulnerability /
- Dissimilar redundancy /
- Heterogeneity /
- Quantification method

HTML全文

圖 1 非相似余度架構(gòu)

下載: 全尺寸圖片幻燈片

圖 2 異構(gòu)性描述圖

下載: 全尺寸圖片幻燈片

圖 3 異構(gòu)性變化圖

下載: 全尺寸圖片幻燈片

圖 4 最大異構(gòu)性與執(zhí)行體數(shù)量關(guān)系圖

下載: 全尺寸圖片幻燈片

圖 5 執(zhí)行體集的異構(gòu)性量化結(jié)果對比

下載: 全尺寸圖片幻燈片

表 1 執(zhí)行體集表

編號	軟件棧	編號	軟件棧
1	Ubuntu 12.04+Apache 2.4.0+Mysql 5.7.18	6	Ubuntu 12.04+Apache 2.4.0+Mysql 5.7.18
	Windows Server 2003+IIS 6.0+SQL Server 2012 SP2		Windows Server 2008+Apache 2.4.0+Oracle 11.2.0.3
	RedHat 7+Nginx 1.12.0+Oracle 11.2.0.3		RedHat 7+Nginx 1.12.0+Mysql 5.7.18
2	Ubuntu 12.04+Apache 2.4.0+Oracle 11.2.0.3	7	Ubuntu 12.04+Apache 2.4.0+Mysql 5.7.18
	Windows Server 2012+IIS 7.0+SQL Server 2012 SP2		Debian 7.0+Apache 2.4.0+Mysql 5.7.18
	RedHat 7+Nginx 1.12.0+Mysql 5.7.18		RedHat 7+Nginx 1.12.0+Oracle 11.2.0.3
3	Debian 7.0+Nginx 1.12.0+Mysql 5.7.18	8	Ubuntu 12.04+Nginx 1.12.0+Mysql 5.7.18
	Windows Server 2016+Lighttpd 1.4.48+SQL Server 2016		Windows Server 2016+Lighttpd 1.4.48+SQL Server 2016
	Windows 7+Apache 2.4.0+SQL Server 2014 SP2		Windows 7+Nginx 1.12.0+Mysql 5.7.18
4	Ubuntu 12.04+Nginx 1.12.0+Mysql 5.7.18	9	Ubuntu 12.04+Apache 2.4.0+Oracle 11.2.0.3
	Windows Server 2003+IIS 6.0+SQL Server 2016		Windows Server 2008+Apache 2.4.0+SQL Server 2012 SP2
	Windows 7+Apache 2.4.0+SQL Server 2014 SP2		RedHat 7+Apache 2.4.0+Oracle 11.2.0.3
5	Windows Server 2003+IIS 6.0+SQL Server 2012 SP2	10	Ubuntu 12.04+Apache 2.4.0+Mysql 5.7.18
	Windows Server 2012+IIS 7.0+SQL Server 2016		Windows Server 2008+Apache 2.4.0+Mysql 5.7.18
	Windows 7+Nginx 1.12.0+SQL Server 2014 SP2		Windows 7+Apache 2.4.0+Mysql 5.7.18

下載: 導(dǎo)出CSV

表 2 差異性參數(shù)表

構(gòu)件1	構(gòu)件2	d	構(gòu)件1	構(gòu)件2	d
Ubuntu 12.04	RedHat 7	0.9868	Windows Server 2012	Windows 7	0.5391
Windows Server 2003	Windows 7	0.7842	Windows Server 2008	Windows 7	0.2246
Windows Server 2016	Windows 7	0.8782	IIS 6.0	IIS 7.0	0.7686
Ubuntu 12.04	Debian 7.0	0.9341	SQL Server 2012 SP2	SQL Server 2014 SP2	0.9331
RedHat 7	Debian 7.0	0.9930	SQL Server 2014 SP2	SQL Server 2016	0.7206
Windows Server 2003	Windows Server 2012	0.9707

下載: 導(dǎo)出CSV

參考文獻(xiàn)(20)

中國互聯(lián)網(wǎng)絡(luò)信息中心. 第42次《中國互聯(lián)網(wǎng)絡(luò)發(fā)展?fàn)顩r統(tǒng)計(jì)報(bào)告》[OL]. http://www.cnnic.net.cn/hlwfzyj/hlwxzbg/hlwtjbg/201808/t20180820_70488.htm, 2018.

China Internet Network Information Center. The 42^nd "China Internet network development state statistic report"[OL]. http://www.cnnic.net.cn/hlwfzyj/hlwxzbg/hlwtjbg/201808/t20180820_70488.htm, 2018.

SUBRAHMANIAN V S, OVELGONNE M, DUMITRAS T, et al. The Global Cyber-vulnerability Report[M]. Cham, Switzerland: Springer International Publishing, 2015. doi: 10.1007/978-3-319-25760-0.

ERIC T, MAJORCZYK F, and Mé L. COTS diversity based intrusion detection and application to web servers[C]. The 8th International Symposium on Recent Advances in Intrusion Detection, Washington, USA, 2005: 43–62. doi: https://doi.org/10.1007/11663812_3.

GASHI I and POPOV P. Rephrasing rules for off-the-shelf SQL database servers[C]. European Dependable Computing Conference, Coimbra, Portugal, 2006: 139–148. doi: 10.1109/EDCC.2006.20.

OKHRAVI H, HOBSON T, BIGELOW D, et al. Finding focus in the blur of moving-target techniques[J]. IEEE Security & Privacy, 2014, 12(2): 16–26. doi: 10.1109/MSP.2013.137

鄔江興. 網(wǎng)絡(luò)空間擬態(tài)防御導(dǎo)論[M]. 北京:科學(xué)出版社, 2017: 341–399.

WU Jiangxing. Introduction to Cyberspace Mimic Defense[M]. Beijing: Science Press, 2017: 341–399.

殷斌, 陸熊, 陶想林. 非相似三余度飛控計(jì)算機(jī)設(shè)計(jì)和可靠性分析[J]. 測控技術(shù), 2015, 34(5): 53–56. doi: 10.19708/j.ckjs.2015.05.015

YIN Bin, LU Xiong, and TAO Xianglin. Design of a prototype flight control computer system with triple dissimilar redundancy[J]. Measurement &Control Technology, 2015, 34(5): 53–56. doi: 10.19708/j.ckjs.2015.05.015

WANG Shaoping, CUI Xiaoyu, SHI Jian, et al. Modeling of reliability and performance assessment of a dissimilar redundancy actuation system with failure monitoring[J]. Chinese Journal of Aeronautics, 2016, 29(3): 799–813. doi: 10.1016/j.cja.2015.10.002

仝青, 張錚, 張為華, 等. 擬態(tài)防御Web服務(wù)器設(shè)計(jì)與實(shí)現(xiàn)[J]. 軟件學(xué)報(bào), 2017, 28(4): 883–897. doi: 10.13328/j.cnki.jos.005192

TONG Qing, ZHANG Zheng, ZHANG Weihua, et al. Design and implementation of mimic defense Web server[J]. Journal of Software, 2017, 28(4): 883–897. doi: 10.13328/j.cnki.jos.005192

GHORABAEE M K, AMIRI M, and AZIMI P. Genetic algorithm for solving bi-objective redundancy allocation problem with k-out-of-n subsystems[J]. Applied Mathematical Modelling, 2015, 39(20): 6396–6409. doi: 10.1016/j.apm.2015.01.070

AMIRI M and KHAJEH M. Developing a bi-objective optimization model for solving the availability allocation problem in repairable series-parallel systems by NSGA II[J]. Journal of Industrial Engineering International, 2016, 12(1): 61–69. doi: 10.1007/s40092-015-0128-4

韓進(jìn), 臧斌宇. 軟件相異性對于系統(tǒng)安全的有效性分析[J]. 計(jì)算機(jī)應(yīng)用與軟件, 2010, 27(9): 273–275. doi: 10.3969/j.issn.1000-386X.2010.09.086

HAN Jin and ZANG Binyu. Analyzing the effectiveness of software diversity for system security[J]. Computer Applicationsand Software, 2010, 27(9): 273–275. doi: 10.3969/j.issn.1000-386X.2010.09.086

TWU P, MOSTOFI Y, and EGERSTEDT M. A measure of heterogeneity in multi-agent systems[C]. IEEE American Control Conference, Portland, USA, 2014: 3972–3977. doi: 10.1109/ACC.2014.6858632.

RAO C R. Diversity and dissimilarity coefficients: A unified approach[J]. Theoretical Population Biology, 1982, 21(1): 24–43. doi: 10.1016/0040-5809(82)90004-1

DING Ning, YANG Weifang, ZHOU Yunlei, et al. Different responses of functional traits and diversity of stream macroinvertebrates to environmental and spatial factors in the Xishuangbanna watershed of the upper Mekong River Basin, China[J]. Science of the Total Environment, 2017, 574(52): 288–299. doi: 10.1016/j.scitotenv.2016.09.053

LIU Zhijun. Bootstrapping one way analysis of rao's quadratic entropy[J]. Communication in Statistics-Theory and Methods, 2007, 20(20): 1683–1703. doi: 10.1080/03610929108830592

BOTTA-DUKáT Z. Rao's quadratic entropy as a measure of functional diversity based on multiple traits[J]. Journal of Vegetation Science, 2010, 16(5): 533–540. doi: 10.1111/j.1654-1103.2005.tb02393.x

YOUNIS A, MALAIYA Y K, and RAY I. Evaluating CVSS base score using vulnerability rewards programs[C]. Proceedings of IFIP International Information Security and Privacy Protection, Ghent, Belgium, 2016: 62–75. doi: https://doi.org/10.1007/978-3-319-33630-5_5.

CHEN L and AVIZIENIS A. N-version programming: A fault-tolerance approach to reliability of software operation[C]. Eighth International Conference on Fault Tolerant Computing, Toulouse, France, 1978: 3–9.

仝青, 張錚, 鄔江興. 基于軟硬件多樣性的主動防御技術(shù)[J]. 信息安全學(xué)報(bào), 2017, 2(1): 1–12. doi: 10.19363/j.cnki.cn10-1380/tn.2017.01.001

TONG Qing, ZHANG Zheng, and WU Jiangxing. The active defense technology based on the software/hardware diversity[J]. Journal of Cyber Security, 2017, 2(1): 1–12. doi: 10.19363/j.cnki.cn10-1380/tn.2017.01.001

相關(guān)文章

施引文獻(xiàn)

資源附件(0)

訪問統(tǒng)計(jì)