
CN-121984692-A - End-tube-cloud dynamic defense topology construction method


Abstract

The application discloses a method for constructing an end-tube-cloud dynamic defense topology. It relates to the technical field of network security protection and addresses the insufficient protection strength and adaptability of the prior art against network attacks. According to an embodiment of the application, gray point agents are deployed at different levels of the system; when abnormal behavior is detected, the information is reported to a central orchestration engine in the cloud for unified processing, so that the multiple gray point agents act in cooperative linkage. Different strategies are selected through a reinforcement learning model from an attack feature vector that describes the abnormal behavior, which improves the adaptability of the protection to network attacks. An isolation strategy draws the attack into a controllable sandbox, achieving local, fine-grained containment; a trapping strategy actively collects attack fingerprints, improving the quality of threat intelligence; and, combined with security domain isolation, each service module can operate independently, which ensures the resilience of the system and improves the protection strength.

Inventors

  • LIAN YUTING
  • XIE PENGYU
  • ZENG MINGFEI
  • MENG LIANG
  • XIE MING
  • Zeng Hushuang
  • CHEN LINA
  • LI SIWEI
  • CHEN ZHI
  • Wu Mingzhan

Assignees

  • 广西电网有限责任公司

Dates

Publication Date: 2026-05-05
Application Date: 2025-12-03

Claims (10)

  1. The end-tube-cloud dynamic defense topology construction method is characterized by being applied to an end-tube-cloud dynamic defense system, wherein the system comprises a terminal and a cloud, gray point agents are deployed on both the application service logic layer and the operating system kernel layer of the terminal and on the cloud micro-service layer of the cloud, and the method comprises the following steps: when abnormal behavior is detected, the gray point agent sends a topology reconstruction request to a central orchestration engine of the cloud, wherein the topology reconstruction request carries an attack feature vector and an affected security domain list, the attack feature vector describes the features of the abnormal behavior, and the affected security domain list comprises the identifiers of one or more security domains affected by the abnormal behavior; the central orchestration engine generates an isolation policy and/or a trapping policy based on the attack feature vector and the affected security domain list through a reinforcement learning model, wherein the isolation policy redirects traffic of the affected security domains to a sandbox environment, the trapping policy injects a decoy instance on the attack's movement path, and the decoy instance collects attack data; the central orchestration engine sends a path generation instruction to the corresponding gray point agent based on the isolation policy and/or the trapping policy; and the gray point agent reconstructs the topology of the system based on the path generation instruction.
  2. The method of claim 1, wherein before the gray point agent sends the topology reconstruction request to the central orchestration engine of the cloud, the method further comprises: the gray point agent analyzes and scores local events through rule matching, statistical analysis and/or a machine learning model to obtain an analysis result and a comprehensive anomaly score; when the comprehensive anomaly score exceeds a preset threshold, the gray point agent determines that an anomaly is detected; and the gray point agent generates the topology reconstruction request based on the analysis result.
  3. The method according to claim 1 or 2, wherein the central orchestration engine generating an isolation policy and/or a trapping policy based on the attack feature vector and the affected security domain list by means of a reinforcement learning model comprises: the central orchestration engine builds a state vector based on the attack feature vector and the affected security domain list; the central orchestration engine inputs the state vector into the reinforcement learning model to obtain the optimal defense action output by the reinforcement learning model, wherein the optimal defense action is formed from an action type, a target node set and an action intensity; and the central orchestration engine generates the isolation policy and/or the trapping policy based on the optimal defense action.
  4. The method according to claim 3, wherein the generation flow of the isolation policy comprises: determining a separation edge set that separates the isolation nodes from preset key service nodes by computing a minimum cut set, wherein the isolation nodes are the nodes of the target node set whose action type is isolation; configuring a sandbox environment based on the isolation nodes; and generating routing rules and configuring a network policy based on the separation edge set and the sandbox environment to obtain the isolation policy.
  5. The method of claim 3, wherein the generation of the trapping policy comprises: using the trap nodes, that is, the nodes of the target node set whose action type is trapping, as the decoy deployment positions, and generating a decoy blueprint based on data of the trap nodes, wherein the decoy blueprint is used to configure the decoy instance; and obtaining the trapping policy based on the decoy deployment positions and the decoy blueprint.
  6. The method according to claim 3, wherein the central orchestration engine sending path generation instructions to the corresponding gray point agents based on the isolation policy and/or the trapping policy comprises: for the isolation policy, the central orchestration engine sends the path generation instruction to the gray point agent of the infected area, the gray point agent of the infected area's border, and the gray point agent of the sandbox environment access point corresponding to the abnormal behavior; for the trapping policy, the central orchestration engine sends the path generation instruction to the gray point agents on the predicted attack path and the gray point agent of the trap node.
  7. The method of claim 1 or 2, wherein the gray point agent reconstructing the topology of the system based on the path generation instruction comprises: when the path generation instruction corresponds to the isolation policy, the gray point agent modifies the local traffic route based on the path generation instruction, migrating existing network connections to the sandbox environment; when the path generation instruction corresponds to the trapping policy, the gray point agent coordinates the local computing infrastructure to create a decoy instance based on the path generation instruction and simulates business behavior using a generative adversarial network.
  8. An end-tube-cloud dynamic defense system, characterized by being applied to the method of any one of claims 1-7, wherein the system comprises a terminal and a cloud, and gray point agents are deployed on both the application service logic layer and the operating system kernel layer of the terminal and on the cloud micro-service layer of the cloud; when abnormal behavior is detected, the gray point agent is used to send a topology reconstruction request to a central orchestration engine of the cloud, wherein the topology reconstruction request carries an attack feature vector and an affected security domain list, the attack feature vector describes the features of the abnormal behavior, and the affected security domain list comprises the identifiers of one or more security domains affected by the abnormal behavior; the central orchestration engine is used to generate an isolation policy and/or a trapping policy based on the attack feature vector and the affected security domain list through a reinforcement learning model, wherein the isolation policy redirects traffic of the affected security domains to a sandbox environment, the trapping policy injects decoy instances on the attack's movement path, and the decoy instances collect attack data; the central orchestration engine is further configured to send a path generation instruction to the corresponding gray point agent based on the isolation policy and/or the trapping policy; and the gray point agent is further configured to reconstruct the topology of the system based on the path generation instruction.
  9. The system of claim 8, wherein the gray point agent is further configured to analyze and score local events by rule matching, statistical analysis and/or machine learning models to obtain analysis results and a comprehensive anomaly score; the gray point agent is further configured to determine that abnormal behavior is detected if the comprehensive anomaly score exceeds a preset threshold; and the gray point agent is further configured to construct the topology reconstruction request based on the analysis result, wherein the attack feature vector comprises attack type, severity, propagation speed and resource sensitivity.
  10. A computer readable storage medium, characterized in that the computer readable storage medium comprises a stored program, wherein the program, when run, controls the device in which the computer readable storage medium is located to perform the method of any one of claims 1-7.
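As an added illustration of the isolation-policy generation in claim 4 (example code, not from the patent or the assignee), the following Python computes the separation edge set between the isolation nodes and the preset key service nodes as a minimum cut over a weighted topology graph, then turns the cut edges into sandbox redirection rules. The topology, link weights, node names and the sandbox identifier are constructed assumptions.

```python
from collections import defaultdict, deque
INF = float("inf")

def separation_edges(graph, isolation_nodes, key_nodes):
    """Min-cut edge set separating isolation_nodes from key_nodes (Edmonds-Karp).
    graph: {node: {neighbour: weight}}, undirected; weight = cost of cutting the link."""
    if set(isolation_nodes) & set(key_nodes):
        raise ValueError("a node cannot be both isolated and a key service")
    SRC, SNK = "__src__", "__snk__"                  # super-source / super-sink
    cap = defaultdict(lambda: defaultdict(float))    # residual capacities
    for u, nbrs in graph.items():
        for v, w in nbrs.items():
            cap[u][v] = float(w)
    for n in isolation_nodes:
        cap[SRC][n] = INF                            # isolated nodes hang off the source
    for n in key_nodes:
        cap[n][SNK] = INF                            # key services hang off the sink

    def bfs(stop_at_sink):                           # parent map of residual-reachable nodes
        parent, q = {SRC: None}, deque([SRC])
        while q:
            u = q.popleft()
            for v, c in list(cap[u].items()):
                if c > 0 and v not in parent:
                    parent[v] = u
                    if stop_at_sink and v == SNK:
                        return parent
                    q.append(v)
        return None if stop_at_sink else parent

    while (parent := bfs(True)):                     # augment along shortest residual paths
        flow, v = INF, SNK
        while v != SRC:
            flow, v = min(flow, cap[parent[v]][v]), parent[v]
        v = SNK
        while v != SRC:
            cap[parent[v]][v] -= flow
            cap[v][parent[v]] += flow
            v = parent[v]
    src_side = bfs(False)                            # source side of the minimum cut
    return {(u, v) for u in graph for v in graph[u] if u in src_side and v not in src_side}

def isolation_policy(graph, isolation_nodes, key_nodes, sandbox):
    """Routing rules: traffic that would cross a cut edge is redirected into the sandbox."""
    cut = sorted(separation_edges(graph, isolation_nodes, key_nodes))
    return {"sandbox": sandbox,
            "rules": [{"match": f"{u}->{v}", "action": "redirect", "to": sandbox} for u, v in cut]}

TOPOLOGY = {  # constructed sample (not from the patent); weights are relative link bandwidth
    "web-01": {"app-01": 10, "app-02": 10},
    "app-01": {"web-01": 10, "app-02": 3, "db-core": 5},
    "app-02": {"web-01": 10, "app-01": 3, "db-core": 5},
    "db-core": {"app-01": 5, "app-02": 5}}
```

With `web-01` marked for isolation and `db-core` as the key service, the cheapest separation is the two links into `db-core` (total weight 10), not the two links out of `web-01` (weight 20), so only those two flows are redirected.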

Description

End-tube-cloud dynamic defense topology construction method

Technical Field

The invention relates to the technical field of network security protection, in particular to a method for constructing an end-tube-cloud dynamic defense topology.

Background

In the current digital age, network security has become a core issue for guaranteeing the stable operation of key information infrastructures such as government affairs, finance and energy. With the continuous evolution of network attack means, advanced persistent threats (APT) pose a serious challenge to traditional security protection systems by virtue of their strong latency, hidden attack paths and clearly targeted nature. To cope with this threat, embedded gray point technology has gradually developed in the industry. This technology deploys, in advance, a logic module with information acquisition and state monitoring functions (namely a gray point agent) at key nodes of the target system or network architecture, captures in real time key information such as network traffic, process activity and data interaction, provides basic support for security analysis and threat early warning, and is an important component of current defense-in-depth systems. In practical application, the existing embedded gray point technology mainly adopts a "static deployment, unidirectional monitoring" operating mode.

However, the unidirectional monitoring mechanism limits the field of view of the protection: a gray point agent can only collect local information and cannot form cooperative linkage with the gray point agents of other nodes, so the back-end platform only obtains isolated monitoring data, finds it difficult to reconstruct the whole chain of an APT attack, and security personnel cannot quickly locate the attack source and the lateral spread path when an attack occurs. The static deployment mode also lacks dynamic adaptability: the deployment position and monitoring range of an existing gray point agent are fixed and cannot be adjusted according to the real-time attack situation. In view of this, there is a need for an end-tube-cloud dynamic defense topology construction method.

Disclosure of Invention

Aiming at the problem of insufficient strength and adaptability of the prior art against network attacks, the invention provides a method for constructing an end-tube-cloud dynamic defense topology, which can improve the protection strength and adaptability against network attacks.

The specific technical scheme is as follows. In a first aspect, an embodiment of the present application provides a method for constructing an end-tube-cloud dynamic defense topology, which is applied to an end-tube-cloud dynamic defense system, where the system includes a terminal and a cloud, and gray point agents are deployed on the application service logic layer and the operating system kernel layer of the terminal and on the cloud micro-service layer of the cloud. The method includes: when abnormal behavior is detected, the gray point agent sends a topology reconstruction request to a central orchestration engine of the cloud, wherein the topology reconstruction request carries an attack feature vector and an affected security domain list, the attack feature vector describes the features of the abnormal behavior, and the affected security domain list comprises the identifiers of one or more security domains affected by the abnormal behavior; the central orchestration engine generates an isolation policy and/or a trapping policy based on the attack feature vector and the affected security domain list through a reinforcement learning model, where the isolation policy redirects traffic of the affected security domains to a sandbox environment, the trapping policy injects a decoy instance on the attack's movement path, and the decoy instance collects attack data; the central orchestration engine sends a path generation instruction to the corresponding gray point agent based on the isolation policy and/or the trapping policy; and the gray point agent reconstructs the topology of the system based on the path generation instruction.

Preferably, before the gray point agent sends the topology reconstruction request to the central orchestration engine of the cloud, the method further comprises the following steps: the gray point agent analyzes and scores local events through rule matching, statistical analysis and/or a machine learning model to obtain analysis results and a comprehensive anomaly score; the gray point agent determines that abnormal behavior is detected when the comprehensive anomaly score exceeds a preset threshold; and the gray point agent builds the topology reconstruction request based on the analysis results, wherein the attack feature vector comprises attack type, severity, propagation speed an