CN-121530770-B - Cloud honey point dynamic arrangement method and system based on software defined spoofing defense
Abstract
The invention provides a cloud honey point dynamic arrangement method and system based on software-defined spoofing defense. The system comprises a control layer and an execution layer built on a software-defined spoofing defense base. The control layer comprises a threat sensing unit, a game decision unit and an arrangement control unit; the execution layer comprises a cloud native arrangement unit and a defense resource library. The threat sensing unit collects threat intelligence and generates a structured intelligence object; the game decision unit solves a game for an optimal response strategy; the arrangement control unit reads defense strategy state data, generates a strategy configuration instruction according to the optimal response strategy and issues it to the cloud native arrangement unit; the cloud native arrangement unit responds to the instruction by scheduling the defense resource library to instantiate a Pod containing a honey point container and a distributed feedback component; and the defense resource library maintains a honey point configuration file for generating honey point instances. The system can realize self-adaptive closed-loop active defense.
Inventors
- TIAN ZHIHONG
- ZHANG WEIYONG
- LIU YUAN
- LIU HAO
- LU HUI
- SU SHEN
- LI MOHAN
- SUN YANBIN
Assignees
- 广州大学
- 奇安信科技集团股份有限公司
Dates
- Publication Date
- 20260512
- Application Date
- 20260116
Claims (10)
- 1. A cloud honey point dynamic arrangement system based on software-defined spoofing defense, characterized by comprising a control layer and an execution layer, wherein the control layer comprises a threat sensing unit, a game decision unit and an arrangement control unit, and the execution layer comprises a cloud native arrangement unit and a defense resource library; the threat sensing unit is used for collecting threat intelligence and generating a structured intelligence object; the game decision unit is used for performing game solving according to the structured intelligence object and the current defense strategy configuration to obtain an optimal response strategy that maximizes the defense utility; the arrangement control unit is provided with a northbound intent programming interface and a southbound protocol arrangement interface, reads defense strategy state data through the northbound intent programming interface, and generates a strategy configuration instruction according to the optimal response strategy through the southbound protocol arrangement interface and issues it to the cloud native arrangement unit; the cloud native arrangement unit responds to the strategy configuration instruction and manages the elastic scheduling and life cycle of honey points through Pods, each Pod internally holding a honey point container and a distributed feedback component that shares resources with the honey point container, and the distributed feedback component detects intrusion behaviors and reports them to the threat sensing unit in real time; and the defense resource library maintains a honey point configuration file for generating honey point instances.
- 2. The system of claim 1, wherein the threat sensing unit collecting threat intelligence comprises collecting raw threat data streams from network boundaries in real time and receiving intrusion behaviors reported by the distributed feedback component; and the threat sensing unit generating structured intelligence objects comprises verifying, cleansing and uniformly formatting the collected raw threat data streams or the received intrusion behaviors to generate the structured intelligence objects.
- 3. The system of claim 1, wherein the game decision unit performing game solving according to the structured intelligence object and the current defense strategy configuration to obtain an optimal response strategy that maximizes the defense utility comprises: defining a state modeling function to parse the structured intelligence object into a current attack-and-defense state; constructing an attack-and-defense payoff matrix according to the current attack-and-defense state and the current defense strategy configuration; and solving, according to the attack-and-defense payoff matrix, the optimal response strategy that maximizes the net utility of the defender in the current attack-and-defense state.
- 4. The system of claim 3, wherein the attack-and-defense payoff matrix defines the net benefit that the defender can obtain in the current attack-and-defense state by adopting a defense strategy, and the dynamic utility of the net benefit is formally defined by the following formula: [formula omitted], wherein the net benefit term represents the net benefit the defender can achieve by taking a given defense strategy from the defense strategy space in the current attack-and-defense state, the total benefit term represents the total benefit brought by the defender executing that defense strategy, and the cost term represents the cost of effort for the defender to execute that defense strategy; and the process of solving the optimal response strategy is formally defined by the following formula: [formula omitted], wherein the solution term represents the solved optimal response strategy, the space term represents the defense strategy space, and the utility term represents the expected net utility in the current attack-and-defense state.
- 5. The system of claim 1, wherein the arrangement control unit reading the defense strategy state data comprises: in the startup stage, executing a read operation to acquire the initial state data of the defense strategy; and in the operation stage, when the strategy configuration is modified by manual intervention, executing a read operation to acquire the current defense strategy state data.
- 6. The system of claim 1, wherein the honey point configuration file maintained by the defense resource library comprises a honey point image and a parameterized configuration template for honey point parameter configuration, the parameterized configuration template supporting dynamic parameter adjustment.
- 7. The system of claim 1, wherein the distributed feedback component shares storage volumes and network namespaces with the honey point container; the distributed feedback component monitors the running state and network behavior of the honey point in real time to obtain raw data, extracts security event information from the raw data and checks for intrusion behavior; and when an intrusion behavior is detected, packages it into an alarm object according to a predefined structure and reports the alarm object to the threat sensing unit.
- 8. A cloud honey point dynamic arrangement method based on software-defined spoofing defense, characterized by applying the system of any one of claims 1-7 to carry out cloud honey point dynamic arrangement, comprising: the threat sensing unit collecting threat intelligence to generate a structured intelligence object; the game decision unit acquiring defense strategy state data from the arrangement control unit and performing game solving according to the structured intelligence object and the defense strategy state data to obtain an optimal response strategy; the arrangement control unit generating a strategy configuration instruction according to the optimal response strategy and transmitting it to the cloud native arrangement unit; and the cloud native arrangement unit scheduling the honey point configuration files in the defense resource library according to the strategy configuration instruction to instantiate a Pod containing the honey point container and the distributed feedback component.
- 9. The method of claim 8, wherein, in the startup stage of the cloud honey point dynamic arrangement system based on software-defined spoofing defense, the threat sensing unit collects raw threat data streams from network boundaries and generates structured intelligence objects, which are transmitted to the game decision unit for game solving.
- 10. The method of claim 8, wherein the distributed feedback component obtains raw data of the honey points to detect intrusion behavior and reports to the threat sensing unit when an intrusion behavior is detected; and in the operation stage of the cloud honey point dynamic arrangement system based on software-defined spoofing defense, when the threat sensing unit receives the reported intrusion behavior, it generates a structured intelligence object according to the intrusion behavior and sends it to the game decision unit for game solving.
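The best-response solve that claims 3 and 4 describe, as an added illustration in Python that is not the patent's own code: a state modeling function parses a structured intelligence object and the current policy into an attack-and-defense state, a payoff row is built for that state as total benefit minus cost of effort for each strategy, and the optimal response is the argmax over the strategy space. The strategy names, the `sti/1` schema tag, the benefit and cost numbers, and the rule that an already active strategy costs no further effort are all constructed assumptions.

```python
"""Game decision unit of the control layer: state modeling, payoff matrix, best response.

Added illustration, not the patent's code. The strategy space, state fields, benefit and
cost numbers and the "sti/1" intelligence schema are constructed assumptions.
"""
from dataclasses import dataclass

# Defense strategy space S (constructed): the orders the arrangement control unit can issue.
STRATEGIES = ("hold", "scale_ssh_honeypoints", "scale_web_honeypoints", "rotate_honeypoints")

# Cost of effort C(s) for executing each strategy (constructed units, e.g. honey point Pods spent).
COST = {"hold": 0.0, "scale_ssh_honeypoints": 2.0, "scale_web_honeypoints": 2.5, "rotate_honeypoints": 1.5}

# Benefit B per unit of attack intensity for each (attack class, strategy) pair (constructed).
BENEFIT = {
    "ssh_bruteforce": {"scale_ssh_honeypoints": 3.0, "rotate_honeypoints": 1.2, "scale_web_honeypoints": 0.3},
    "web_scan": {"scale_web_honeypoints": 3.0, "rotate_honeypoints": 1.2, "scale_ssh_honeypoints": 0.3},
}


@dataclass(frozen=True)
class AttackDefenseState:
    """Current attack-and-defense state produced by the state modeling function."""
    attack_class: str      # "ssh_bruteforce", "web_scan" or "none"
    intensity: int         # 0..3, clamped
    active_strategy: str   # strategy currently configured on the execution layer


def model_state(intel, current_policy):
    """State modeling function: parse a structured intelligence object plus the current policy."""
    if intel.get("schema") != "sti/1":
        raise ValueError("rejecting intelligence object with unknown schema")
    return AttackDefenseState(
        attack_class=intel.get("attack_class", "none"),
        intensity=max(0, min(3, int(intel.get("intensity", 0)))),
        active_strategy=current_policy.get("strategy", "hold"),
    )


def build_payoff_matrix(state):
    """Attack-and-defense payoff row for the current state: U(state, s) = B(state, s) - C(s)."""
    benefit_row = BENEFIT.get(state.attack_class, {})
    matrix = {}
    for s in STRATEGIES:
        benefit = benefit_row.get(s, 0.0) * state.intensity
        # keeping the strategy that is already active costs no further effort (constructed assumption)
        cost = 0.0 if s == state.active_strategy else COST[s]
        matrix[s] = benefit - cost
    return matrix


def best_response(matrix):
    """Optimal response: argmax over S of the net utility; ties go to the earliest entry, i.e. 'hold'."""
    s_star = max(matrix, key=matrix.get)
    return s_star, matrix[s_star]


def decide(intel, current_policy):
    """Full game-decision step: intelligence object + current policy -> (strategy, expected net utility)."""
    state = model_state(intel, current_policy)
    return best_response(build_payoff_matrix(state))


if __name__ == "__main__":
    # A constructed brute-force report at intensity 2 while the execution layer is idle.
    print(decide({"schema": "sti/1", "attack_class": "ssh_bruteforce", "intensity": 2}, {"strategy": "hold"}))
```

The payoff row is recomputed on every intelligence object, so a change in attack class while a strategy is already active (for example a web scan arriving after SSH honey points were scaled) yields a different argmax without any predefined playbook, which is the re-modeling and re-decision behaviour the claims attribute to the game decision unit.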
Description
Cloud honey point dynamic arrangement method and system based on software defined spoofing defense
Technical Field
The invention relates to the technical field of network security, in particular to a cloud honey point dynamic arrangement method and system based on software-defined spoofing defense.
Background
With the increasing complexity of network attacks, spoofing defense techniques under the concept of active defense have become an important component of modern security architecture. Various technical schemes have been proposed around the automation and dynamics of honey points/honeypots in spoofing defense, but when dealing with modern automated and intelligent network threats these schemes have several fundamental technical problems. Static evaluation-and-optimization spoofing defense schemes and dynamic association-and-flow-traction spoofing defense schemes can only optimize or associate an existing inventory of honeypot deployments; because their resources are static, their deployment elasticity is insufficient and they cannot deploy resources flexibly when facing a large-scale attack. Dynamically instantiated spoofing defense schemes in the prior art mainly comprise defense responses triggered by manual drag-and-modify operations of an authenticated user, and defense responses based on an evaluation of the defender's own state. The response speed of the scheme based on user operation is limited by manual intervention, so real-time response is difficult to achieve; the scheme based on evaluating the defender's state still makes rigid decisions, so its defense can be predicted when dealing with complex attacks, and it cannot make intelligent, unpredictable decisions in real time for different attacker intents.
Therefore, it is necessary to provide a spoofing defense configuration method that implements timely and targeted dynamic deployment of active defense strategies.
Disclosure of Invention
The invention aims to provide a cloud honey point dynamic arrangement method and system based on software-defined spoofing defense, which realize high-reliability closed-loop self-adaptive active defense.
According to the cloud honey point dynamic arrangement system based on software-defined spoofing defense provided by the invention, a control layer and an execution layer are built on a software-defined spoofing defense base. The control layer comprises a threat sensing unit, a game decision unit and an arrangement control unit; the execution layer comprises a cloud native arrangement unit and a defense resource library. The threat sensing unit is used for collecting threat intelligence and generating a structured intelligence object; the game decision unit is used for performing game solving according to the structured intelligence object and the current defense strategy configuration to obtain an optimal response strategy that maximizes the defense utility; the arrangement control unit is provided with a northbound intent programming interface, used for reading defense strategy state data, and a southbound protocol arrangement interface, used for generating strategy configuration instructions according to the optimal response strategy and sending them to the cloud native arrangement unit; the cloud native arrangement unit is used for responding to the strategy configuration instructions and managing the elastic scheduling and life cycle of honey points through Pods, each Pod internally holding a honey point container and a distributed feedback component that shares resources with the honey point container; the distributed feedback component is used for detecting intrusion behaviors and reporting them to the threat sensing unit in real time; and the defense resource library is used for maintaining a honey point configuration file for generating honey point instances.
The cloud honey point dynamic arrangement system based on software-defined spoofing defense has the following beneficial effects. The system is decoupled into a control layer for intelligent decision and an execution layer for elastic execution, and the control logic is decoupled from the execution resources, so that the defense logic is physically separated from the underlying resources. The game decision relies on the attacker strategy captured in real time by the threat sensing unit, so that a more intelligent, targeted and unpredictable decision is made, realizing control intelligence and automatic response. The feedback information of the distributed feedback component is sent back to the control layer in real time to trigger re-modeling and re-decision, so that the system can change the defense topology in real time, and the dynamic self-adaptive close
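The execution-layer feedback path that the description and claims 2, 6 and 7 lay out, as an added illustration in Python that is not the patent's own code: a sidecar-style feedback component extracts security events from the honey point's log on the shared storage volume and packages a detected brute-force run into an alarm object; the threat sensing unit verifies, cleanses and uniformly formats the alarm into a structured intelligence object; and the arrangement control unit renders a Pod spec (honey point container plus feedback container sharing an `emptyDir` volume and, as containers in one Kubernetes Pod do, the network namespace) from a parameterized template. The log format, thresholds, alarm and `sti/1` intelligence schemas, template fields and image names are all constructed assumptions.

```python
"""Execution-layer feedback path: sidecar detection -> alarm object -> structured
intelligence object -> Pod spec rendered from a parameterized honey point template.
Added illustration, not the patent's code; log format, thresholds, alarm and "sti/1"
schemas, template fields and image names are constructed assumptions."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed honey point log, as the sidecar would read it from the shared storage volume.
SAMPLE_LOG = """\
2026-01-16T10:00:01+00:00 ssh auth_fail user=root src=198.51.100.7
2026-01-16T10:00:02+00:00 ssh auth_fail user=admin src=198.51.100.7
2026-01-16T10:00:02+00:00 ssh auth_fail user=oracle src=198.51.100.7
2026-01-16T10:00:05+00:00 ssh auth_fail user=test src=198.51.100.7
2026-01-16T10:00:09+00:00 http request path=/wp-login.php src=203.0.113.5
garbage line that the parser must skip
2026-01-16T10:00:10+00:00 ssh auth_fail user=pi src=198.51.100.7
2026-01-16T10:00:11+00:00 ssh auth_fail user=ubuntu src=198.51.100.7
"""
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\S+) (?P<proto>\S+) (?P<event>\S+)(?P<kv>(?: \S+=\S+)*)$")
BRUTEFORCE_THRESHOLD, WINDOW_SECONDS = 5, 60   # constructed detection rule


def parse_log(text):
    """Extract security event records from the raw log (the sidecar's 'original data')."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # malformed line: skip it instead of crashing the sidecar
        kv = dict(item.split("=", 1) for item in m["kv"].split())
        events.append({"ts": datetime.fromisoformat(m["ts"]), "proto": m["proto"], "event": m["event"], **kv})
    return events


def detect_intrusions(events, honeypoint="hp-ssh-0"):
    """Sidecar rule: >= THRESHOLD ssh auth_fail events from one src inside WINDOW -> alarm object."""
    by_src = defaultdict(list)
    for e in events:
        if e["proto"] == "ssh" and e["event"] == "auth_fail" and "src" in e:
            by_src[e["src"]].append(e["ts"])
    alarms = []
    for src, stamps in by_src.items():
        stamps.sort()
        for i in range(len(stamps) - BRUTEFORCE_THRESHOLD + 1):   # sliding window over sorted times
            if (stamps[i + BRUTEFORCE_THRESHOLD - 1] - stamps[i]).total_seconds() <= WINDOW_SECONDS:
                alarms.append({"alarm_type": "ssh_bruteforce", "src": src, "count": len(stamps),
                               "first_seen": stamps[0].isoformat(), "last_seen": stamps[-1].isoformat(),
                               "honeypoint": honeypoint})
                break
    return alarms


REQUIRED_ALARM_FIELDS = ("alarm_type", "src", "count", "honeypoint")

def to_intelligence(alarm):
    """Threat sensing unit: verify, cleanse and uniformly format an alarm into an intelligence object."""
    missing = [k for k in REQUIRED_ALARM_FIELDS if k not in alarm]
    if missing:
        raise ValueError(f"alarm rejected, missing fields: {missing}")
    src = str(ipaddress.ip_address(alarm["src"].strip()))   # cleanse: canonical IP or ValueError
    count = int(alarm["count"])
    intensity = 3 if count >= 15 else 2 if count >= 10 else 1 if count >= BRUTEFORCE_THRESHOLD else 0
    return {"schema": "sti/1", "attack_class": alarm["alarm_type"], "src": src,
            "intensity": intensity, "source_honeypoint": alarm["honeypoint"]}


# Parameterized configuration template (constructed); "{name}"-style values are filled per decision.
HONEYPOINT_TEMPLATE = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "{name}", "labels": {"app": "honeypoint", "service": "{service}"}},
    "spec": {
        "volumes": [{"name": "hp-logs", "emptyDir": {}}],   # storage volume shared by both containers
        "containers": [
            {"name": "honeypoint", "image": "{image}", "ports": [{"containerPort": "{port}"}],
             "volumeMounts": [{"name": "hp-logs", "mountPath": "/var/log/honeypoint"}]},
            # containers of one Pod also share its network namespace, so the sidecar sees the same sockets
            {"name": "feedback", "image": "feedback-sidecar:example",
             "volumeMounts": [{"name": "hp-logs", "mountPath": "/var/log/honeypoint", "readOnly": True}]},
        ],
    },
}


def render_pod(template, params):
    """Arrangement control: fill the template's dynamic parameters to form a policy configuration instruction."""
    def fill(node):
        if isinstance(node, dict):
            return {k: fill(v) for k, v in node.items()}
        if isinstance(node, list):
            return [fill(v) for v in node]
        if isinstance(node, str) and node.startswith("{") and node.endswith("}"):
            return params[node[1:-1]]   # KeyError if the decision left a required parameter unset
        return node
    return fill(template)   # builds a fresh structure, so the template itself is never mutated


def run_cycle(log_text):
    """One feedback cycle: log -> alarms -> intelligence objects -> Pod specs for the scale-up response."""
    alarms = detect_intrusions(parse_log(log_text))
    intel = [to_intelligence(a) for a in alarms]
    pods = [render_pod(HONEYPOINT_TEMPLATE, {"name": f"hp-ssh-{i + 1}", "service": "ssh",
                                              "image": "ssh-honeypoint:example", "port": 22})
            for i, obj in enumerate(intel) if obj["attack_class"] == "ssh_bruteforce"]
    return alarms, intel, pods
```

Calling `run_cycle(SAMPLE_LOG)` yields one alarm for the six failures from one source, one `sti/1` object at intensity 1, and one rendered Pod. Rendering only substitutes placeholders, so a decision that omits a parameter fails with `KeyError` rather than shipping a half-filled Pod, and the threat sensing step rejects an alarm with missing fields or a malformed address before it can reach the game decision unit; both are the verify-and-cleanse behaviour claim 2 assigns to that unit.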