CN111683057B - Threat information transmission and sharing method based on dynamic attack surface - Google Patents


Info

Publication number: CN111683057B
Authority: CN (China)
Prior art keywords: data stream, risk, packet, node, packets
Legal status: Active
Application number: CN202010419193.XA
Other languages: Chinese (zh)
Other versions: CN111683057A
Inventors: 程光, 水思源
Current assignee: Southeast University
Original assignee: Southeast University
Application filed by Southeast University
Priority to CN202010419193.XA
Publication of CN111683057A
Application granted
Publication of CN111683057B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1433 Vulnerability analysis
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The invention discloses a threat information transmission and sharing method based on a dynamic attack surface. It comprises a delay-oriented high-speed transmission protocol for threat data and a heuristic method for restraining and slowing virus propagation. In the transmission protocol, a network node calculates the risk level of a data stream and, according to the result, decides whether the related information enters the message processing queue with priority. In the heuristic containment method, once the regional center has obtained the propagation model of a high-risk data stream, it identifies infected and susceptible nodes, limits their connectivity and bandwidth, and at the same time selects preferred nodes to monitor the trend of the data stream and report it back; the regional center continuously updates the related parameters and models and adjusts its decision. The invention improves the reporting speed of high-risk data streams and, in a targeted manner, limits the bandwidth and port resources of infected nodes in the current and predicted time windows so as to inhibit the virus propagation speed.

Description

Threat information transmission and sharing method based on dynamic attack surface
Technical Field
The invention relates to the sending, transmission and sharing of network threat information, in particular to a method for transmitting and sharing network threat information based on a dynamic attack surface.
Background
Network threat situation awareness is a technology that builds multi-angle, finer-grained descriptions of network threat information and threat behavior on the basis of network measurement and behavior description.
With the continuous development of information, internet and computer technology, computer networks have become an important part of daily life and research. In recent years, however, many security problems have caused losses to organizations and individuals. Although technologies such as firewalls, intrusion detection and honeypots are used to defend against network security problems, they generally suffer from low precision, slow response and applicability to only a single scenario. Network threat situation awareness combines defense technology with active and passive measurement, captures the expression of abnormal behavior at a finer granularity, and better describes the characteristics of abnormal attack behavior.
A network threat situation awareness platform is generally completed through the cooperation of several modules, including but not limited to data traffic detection, threat behavior analysis and alarm event processing.
Data traffic monitoring generally includes preprocessing of the traffic, such as extraction of important information and grouping of identical features. Where necessary, association analysis is performed on the traffic data: data streams with similar characteristics or behavior are placed in the same class by applying the existing association matching rules, and the characteristics of network attack behavior are then described better by analyzing the same or differing data stream characteristics.
Service data monitoring mainly watches the index data of network node hardware, such as CPU, disk and memory occupancy, together with the link bandwidth and port bandwidth of a whole network segment, so that resources can be better allocated to monitoring threat information and the transmission of threat information can be better limited once it arrives.
Alarm information processing mainly identifies false alarms after a number of alarm messages have been received, sorts them by priority according to actual requirements, and deletes the corresponding information once the alarms have finally been cleared.
Threat information analysis mainly determines, from the acquired abnormal flow information, which kind of threat behavior it corresponds to, evaluates its threat degree as needed, and outputs the result to a display interface so that defense decisions can be issued more effectively.
Disclosure of Invention
The purpose of the invention is as follows: aiming at the defects of the prior art, the invention provides a threat information transmission and sharing method based on a dynamic attack surface, which is characterized in that the processing and transmission of data are directly accelerated by utilizing a node kernel state, so that the transmission priority of related packet content is improved, the information transmission delay is reduced, and meanwhile, a regional center node can obtain the related information of a data stream containing a larger proportion of threats as soon as possible. And secondly, according to the current global network topology, carrying out bandwidth resource and port resource limitation on infected nodes in the current and predicted time windows in a targeted manner by a heuristic method so as to inhibit the virus propagation speed.
The technical scheme is as follows: in order to realize the purpose of the invention, the technical scheme adopted by the invention is as follows: a threat information transmission and sharing method based on a dynamic attack surface comprises the following steps:
(1) The delay-oriented high-speed transmission protocol for threat data is as follows:
(1.1) A network node receives a network data stream through a general flow collector and reads the five-tuple of each received packet: source IP, destination IP, source port, destination port and protocol. It calculates the packet's risk level packet.risk according to the Common Vulnerability Scoring System (CVSS) and compares it with a set threshold r0: if packet.risk >= r0, the packet is more likely to contain the worm virus and is regarded as a high-risk packet; if packet.risk < r0, it is regarded as a low-risk packet. The node then calculates the proportion prob of high-risk packets in the total number of packets of the data stream;
(1.2) prob from step (1.1) is compared with a set threshold p0. If prob >= p0, the stream contains a large proportion of high-risk packets and is a high-risk data stream; the corresponding information info is generated and the priority info.prio with which the packets are transmitted on the link is set to high. If prob < p0, the stream is a low-risk data stream; the corresponding information info is generated and its priority info.prio is set to default;
(1.3) A two-dimensional message processing queue q is constructed in the network node. It receives the data stream and the information info processed in step (1.2) and orders them by priority prio from high to low; if two packets have the same priority, they are ordered by their generation time t from early to late;
(1.4) From the queue q of step (1.3), the total number sum of packets in the queue and the capacity cache of packets that the next-hop node can still receive are calculated. If sum < cache, all packets are received in order; if sum > cache, packets are received in queue order up to the capacity, the excess is temporarily not received, its priority prio is set to high, and the method returns to step (1.3) for reordering;
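The following Python simulation of steps (1.1) to (1.4) is an added example; it is not code from the patent or from Southeast University. The packet risk packet.risk is taken as an input (the CVSS-based scoring that produces it is described separately in the text), and the thresholds r0 = 0.5 and p0 = 0.3, the cache size of 3 and the sample five-tuples and risk values are constructed for illustration. Treating sum == cache as "receive all" is also an assumption, since the text only distinguishes sum < cache from sum > cache. The last part of the demo shows the point of raising the priority of the held-back packets: in the next round they outrank a freshly generated default-priority packet instead of being starved.

```python
"""Delay-oriented high-speed threat data transmission (steps 1.1-1.4), simulated.

Added example, not code from the patent. r0, p0, the cache size and all sample
packets are constructed; packet.risk is assumed to come from the CVSS-based scoring."""
from dataclasses import dataclass
from typing import List, Tuple

R0 = 0.5   # packet risk threshold r0 (constructed value)
P0 = 0.3   # high-risk proportion threshold p0 (constructed value)
PRIO_RANK = {"high": 0, "default": 1, "low": 2}   # smaller rank sorts first


@dataclass
class Packet:
    five_tuple: Tuple[str, str, int, int, str]  # src IP, dst IP, src port, dst port, protocol
    risk: float                                 # packet.risk, CVSS-derived
    t: int                                      # generation time
    prio: str = "default"


@dataclass
class Info:
    stream_id: str
    prob: float      # share of high-risk packets in the stream
    high_risk: bool
    prio: str        # info.prio: "high" for a high-risk stream, otherwise "default"


def high_risk_proportion(packets: List[Packet]) -> float:
    """Step 1.1: a packet with risk >= r0 is high-risk; prob is their share of the stream."""
    if not packets:
        return 0.0
    return sum(1 for p in packets if p.risk >= R0) / len(packets)


def build_info(stream_id: str, packets: List[Packet]) -> Info:
    """Step 1.2: compare prob with p0 and set the priority carried by the stream's info."""
    prob = high_risk_proportion(packets)
    high_risk = prob >= P0
    prio = "high" if high_risk else "default"
    for p in packets:            # packets of a high-risk stream travel with that priority
        p.prio = prio
    return Info(stream_id, prob, high_risk, prio)


def order_queue(queue: List[Packet]) -> List[Packet]:
    """Step 1.3: two-dimensional ordering, priority high -> low, then time early -> late."""
    return sorted(queue, key=lambda p: (PRIO_RANK[p.prio], p.t))


def admit(queue: List[Packet], cache: int) -> Tuple[List[Packet], List[Packet]]:
    """Step 1.4: the next hop accepts at most `cache` packets in queue order.

    The excess is held back, raised to high priority and reordered, so that a steady
    arrival of new high-priority packets cannot starve it (the text's sum > cache case).
    sum == cache is treated as 'receive all' (assumption)."""
    q = order_queue(queue)
    if len(q) <= cache:
        return q, []
    accepted, excess = q[:cache], q[cache:]
    for p in excess:
        p.prio = "high"
    return accepted, order_queue(excess)


def demo():
    """Constructed sample: one high-risk and one low-risk stream, next-hop cache of 3."""
    ft_a = ("10.0.0.5", "10.0.0.9", 40000, 445, "tcp")   # constructed five-tuples
    ft_b = ("10.0.0.7", "10.0.0.2", 50000, 443, "tcp")
    stream_a = [Packet(ft_a, r, t) for t, r in enumerate([0.9, 0.2, 0.7, 0.1])]
    stream_b = [Packet(ft_b, r, t) for t, r in enumerate([0.1, 0.2, 0.0, 0.4, 0.1], start=4)]
    info_a, info_b = build_info("A", stream_a), build_info("B", stream_b)
    accepted, held = admit(stream_a + stream_b, cache=3)
    # Next round: the held packets now outrank a fresh default-priority packet.
    later = Packet(ft_b, 0.1, 99)
    next_round = order_queue(held + [later])
    return info_a, info_b, accepted, held, next_round


if __name__ == "__main__":
    info_a, info_b, accepted, held, next_round = demo()
    print(info_a, info_b, sep="\n")
    print("accepted:", [p.t for p in accepted], "held:", [(p.t, p.prio) for p in held])
    print("next round:", [(p.t, p.prio) for p in next_round])
```

Stream A has two of four packets at or above r0, so prob = 0.5 and its info is sent with high priority; stream B has none, so it stays at default. With a cache of 3 only the three earliest high-priority packets are accepted, and everything held back is promoted before the queue is rebuilt.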
(2) The heuristic method for restraining and slowing virus propagation comprises the following steps:
(2.1) The regional center obtains the information info provided in step (1.4). If the data stream was judged high-risk in step (1.2), it obtains the related information of the stream's packets, including the propagation path, the source and destination addresses and ports, the protocol used and the next-hop node the stream will pass through, and it also predicts the node infection condition in the next time window: the risk attribute probability p of every node in the network is generated according to the CVSS and compared with set thresholds p1 and p2; if 0 < p < p1 the node is predicted to be a normal node, if p1 <= p < p2 a susceptible node, and if p2 <= p <= 1 an infected node. If the stream is low-risk, the method proceeds to step (2.3);
(2.2) If the data stream is high-risk according to the comparison of prob and p0 in (1.2), the bandwidth resources and port resources of the links related to the susceptible and infected nodes are limited, and the priority stream.prio of the data stream for link forwarding is set to low;
(2.3) If the data stream is high-risk, the computing resource source of every node in the whole network is computed and the nodes are sorted from most to fewest resources; the amount nodes with the most resources are selected as preferred nodes. The preferred nodes dynamically adjust their resource allocation: while normal operation is guaranteed, the rate at which packets are processed by normal receiving and sending may be reduced, and more memory and data cache is allocated to collecting relevant information about the high-risk data stream. At the same time, operation and maintenance personnel access all network nodes to obtain the latest remaining available resources; if the stream is low-risk, they still need to obtain the remaining available resources of all network nodes;
(2.4) The prediction of the node infection condition from step (2.1) is updated according to the reports of the preferred nodes from step (2.3), the method returns to step (2.2), waits for the defense decision host to send a defense command to the susceptible and infected nodes, and then returns to step (1.1) to receive a new data stream packet.
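The following Python simulation of the regional center's part, steps (2.1) to (2.4), is an added example and not code from the patent or from Southeast University. The thresholds p1 = 0.3 and p2 = 0.7, the four-node topology with its link table, the per-node risk values p and free resources source, the throttle factor, the port cap and the preferred node's report are all constructed; treating p == 0 as a normal node is an assumption, since the text only covers 0 < p.

```python
"""Heuristic propagation containment (steps 2.1-2.4), simulated at the regional center.

Added example, not the patent's code. p1, p2, the nodes, links, throttle factor and
the preferred node's report are constructed values."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

P1, P2 = 0.3, 0.7          # constructed thresholds, p1 < p2


@dataclass
class Node:
    name: str
    p: float               # risk attribute probability from the CVSS-based scoring
    source: float          # free computing resources ("source" in the text)


@dataclass
class Link:
    a: str
    b: str
    bandwidth: float       # available bandwidth share, 1.0 = unrestricted
    open_ports: int        # ports left open for forwarding on this link


def predict_state(p: float) -> str:
    """Step 2.1: 0 < p < p1 normal, p1 <= p < p2 susceptible, p2 <= p <= 1 infected.
    p == 0 is not covered by the text and is treated as normal here (assumption)."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("p must be a probability")
    if p < P1:
        return "normal"
    if p < P2:
        return "susceptible"
    return "infected"


def limit_links(nodes: Dict[str, Node], links: List[Link],
                factor: float, min_ports: int) -> Tuple[List[Link], str]:
    """Step 2.2: for a high-risk stream, throttle bandwidth and ports on every link that
    touches a susceptible or infected node; the stream's forwarding priority becomes low."""
    risky = {n.name for n in nodes.values() if predict_state(n.p) != "normal"}
    touched = []
    for link in links:
        if link.a in risky or link.b in risky:
            link.bandwidth *= factor
            link.open_ports = min(link.open_ports, min_ports)
            touched.append(link)
    return touched, "low"          # second value is stream.prio


def select_preferred(nodes: Dict[str, Node], amount: int) -> List[str]:
    """Step 2.3: rank nodes by free computing resources and pick the top `amount`."""
    ranked = sorted(nodes.values(), key=lambda n: n.source, reverse=True)
    return [n.name for n in ranked[:amount]]


def update_prediction(nodes: Dict[str, Node], reports: Dict[str, float]) -> Dict[str, str]:
    """Step 2.4: fold the preferred nodes' reports into p and re-run the prediction."""
    for name, p in reports.items():
        nodes[name].p = p
    return {name: predict_state(n.p) for name, n in nodes.items()}


def demo():
    """Constructed four-node topology; link A-D touches no risky node and stays untouched."""
    nodes = {n.name: n for n in [Node("A", 0.10, 80), Node("B", 0.50, 20),
                                 Node("C", 0.90, 10), Node("D", 0.20, 60)]}
    links = [Link("A", "B", 1.0, 16), Link("B", "C", 1.0, 16),
             Link("C", "D", 1.0, 16), Link("A", "D", 1.0, 16)]
    states_before = {name: predict_state(n.p) for name, n in nodes.items()}
    touched, stream_prio = limit_links(nodes, links, factor=0.25, min_ports=2)
    preferred = select_preferred(nodes, amount=2)
    # Constructed report: preferred node D observes the stream and its own p rises.
    states_after = update_prediction(nodes, {"D": 0.75})
    return states_before, touched, stream_prio, preferred, states_after, links


if __name__ == "__main__":
    before, touched, prio, preferred, after, _ = demo()
    print(before, [(l.a, l.b, l.bandwidth, l.open_ports) for l in touched], prio, sep="\n")
    print("preferred:", preferred, "after report:", after)
```

Only links adjacent to B (susceptible) and C (infected) are throttled, which is the targeted limitation the text contrasts with suspending whole nodes; the untouched A-D link keeps full bandwidth. After D's report its state flips to infected, so the next pass through step (2.2) would also throttle A-D.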
Further, in step (1.1) the risk level of a packet is judged as follows: vulnerability detection can be performed on each packet with a vulnerability scanning tool to obtain the vulnerability name corresponding to the packet, and three scoring measures of that vulnerability are looked up by name in the CVSS: the attack path, the attack complexity and the identity authentication. These three are multiplied to form the packet's risk attribute probability, which serves as the criterion for the risk level.
Further, in the sum > cache case of step (1.4), the next-hop node preferentially receives packets with high priority and early generation time, and the remainder is congested. The priority of the congested part must then be raised; otherwise, as high-priority packets keep being generated, the congested packets might never be transmitted and processed.
Further, if the comparison in step (1.2) yields prob < p0, no high-risk data stream is currently being received and there is no need to perform virus propagation containment and slowing for the packet.
Further, in step (2.1) infected and susceptible nodes are judged as follows: vulnerability detection can be performed on each node with a vulnerability scanning tool to obtain the resource names of the node and the corresponding vulnerability names, and three scoring measures of each vulnerability are looked up by name in the CVSS: the attack path, the attack complexity and the identity authentication. These three are multiplied to form the node's risk attribute probability.
Further, the defense strategy in step (2.4) may send the defense command over the shortest link or the smallest number of hops, so as to ensure the efficiency of the decision.
Advantages: compared with the prior art, the technical scheme of the invention has the following beneficial technical effects:
(1) Threat data is gathered at the global center and is interfered with by the various service flows in the network, yet the immunization mechanism requires threat data to be collected and reported within a specified time. Threat data is generally transmitted through a common network protocol, which not only affects the current service flows and increases delay but also reduces the timeliness of perception, shortens the time available to the regional and global centers for processing and analyzing the threat data, and lowers the overall efficiency of the immune system. By increasing the reporting speed of information containing threat data, the invention helps the immune system defend in advance or stop losses in time, effectively improves the perception efficiency of the global threat center, and makes it possible to determine the threat source and eliminate the malicious code as early as possible.
(2) Traditional methods for restraining virus diffusion do not consider the global network profile and do not analyze the interaction between service flows and virus diffusion. Once a threat is known, strong operations such as node suspension or port closure are usually performed on the network nodes suspected of being infected; these operations inevitably cause the policy to fail, waste a great deal of resources and interfere with the main services in the existing network. The invention restrains the virus propagation speed by limiting, in a targeted manner, the bandwidth and port resources of the infected nodes in the current and predicted time windows.
Drawings
FIG. 1 is a schematic diagram of a high-speed transmission protocol of threat data for delay requirements;
FIG. 2 is a schematic diagram of a data reporting and control issuing process;
FIG. 3 is a patent flow diagram of the invention.
Detailed Description
The invention will be further described with reference to the following examples and the accompanying figures 1-3 of the specification.
Example 1:
a method for transmitting and sharing threat information based on a dynamic attack surface is characterized in that a node kernel state is used for directly accelerating the processing and transmission of data, so that the transmission priority of related packet content is improved, the information transmission delay is reduced, and meanwhile, a regional center node can obtain the related information of a data stream containing a larger proportion of threats as soon as possible. And secondly, according to the current global network topology, carrying out bandwidth resource and port resource limitation on infected nodes in the current and predicted time windows in a targeted manner by a heuristic method so as to inhibit the virus propagation speed. The method comprises the following steps: a threat data high-speed transmission protocol facing to a time delay requirement, and a heuristic virus propagation restraining and speed reducing method.
(1) The delay-oriented high-speed transmission protocol for threat data is as follows:
(1.1) A network node receives a network data stream through a general traffic collector, reads the five-tuple (source IP, destination IP, source port, destination port and protocol) of each received packet, calculates the packet's risk level packet.risk according to the CVSS (Common Vulnerability Scoring System) and compares it with a set threshold r0: if packet.risk >= r0, the packet is more likely to contain a worm virus and is regarded as a high-risk packet; if packet.risk < r0, it is regarded as a low-risk packet. The proportion prob of high-risk packets in the total number of packets of the stream is then calculated;
(1.2) prob from step (1.1) is compared with a set threshold p0; since prob >= p0 is found, the stream contains a large proportion of high-risk packets and is a high-risk data stream, the corresponding information info is generated, and the priority info.prio with which the packets are transmitted on the link is set to high;
(1.3) A two-dimensional message processing queue q is constructed in the network node. It receives the data stream and the information info processed in step (1.2) and orders them by priority prio from high to low; if two packets have the same priority, they are ordered by their generation time t from early to late;
(1.4) From the queue q of step (1.3), the total number sum of packets in the queue and the capacity cache of packets that the next-hop node can still receive are calculated. If sum < cache, all packets are received in order; if sum > cache, packets are received in queue order up to the capacity, the excess is temporarily not received, its priority prio is set to high, and the method returns to step (1.3) for reordering;
(2) The heuristic method for restraining and slowing virus propagation comprises the following steps:
(2.1) The regional center obtains the information info provided in step (1.4). Since the data stream was judged high-risk in step (1.2), it obtains the related information of the stream's packets, including the propagation path, the source and destination addresses and ports, the protocol used and the next-hop node the stream will pass through, and it also predicts the node infection condition in the next time window: the risk attribute probability p of every node in the network is generated according to the CVSS and compared with set thresholds p1 and p2; if 0 < p < p1 the node is predicted to be a normal node, if p1 <= p < p2 a susceptible node, and if p2 <= p <= 1 an infected node;
(2.2) Because the comparison of prob and p0 in (1.2) shows the data stream to be high-risk, the bandwidth resources and port resources of the links related to the susceptible and infected nodes are limited, and the priority of the data stream for link forwarding is set to low;
(2.3) Because the data stream is high-risk, the computing resource source of every node in the whole network is computed and the nodes are sorted from most to fewest resources; the amount nodes with the most resources are selected as preferred nodes. The preferred nodes dynamically adjust their resource allocation: while normal operation is guaranteed, the rate at which packets are processed by normal receiving and sending is reduced, and more memory and data cache is allocated to collecting relevant information about the high-risk data stream. At the same time, operation and maintenance personnel access all network nodes to obtain the latest remaining available resources.
(2.4) The prediction of the node infection condition from step (2.1) is updated according to the reports of the preferred nodes from step (2.3), the method returns to step (2.2), waits for the defense decision host to send a defense command to the susceptible and infected nodes, and then returns to step (1.1) to receive a new data stream packet.
In this embodiment, the stream received in (1.1) is found in (1.2) to be high-risk, so the priority prio of the corresponding generated info transmitted on the link is set to high, so that it is reported quickly to the regional center node or device and the defense decision is implemented earlier. Meanwhile, the regional center locates the high-risk data stream from the content of info and sets the stream's priority prio to low, which slows the propagation of the virus and avoids infecting more nodes. Since the defense decision has to be waited for, the preferred nodes perform dynamic monitoring so that the center can obtain more information about the virus.
Example 2:
An efficient, high-speed threat information transmission and sharing method based on a dynamic attack surface is characterized in that the node kernel state is used to accelerate the processing and transmission of data directly, so that the transmission priority of the related packet content is raised and the information transmission delay is reduced. All network nodes in the whole network then update their available resource information so as to better handle threats created previously or to better face threats that may be created in the future. The method comprises the following steps: a delay-oriented high-speed transmission protocol for threat data, and a heuristic method for restraining and slowing virus propagation.
(1) The delay-oriented high-speed transmission protocol for threat data is as follows:
(1.1) A network node receives a network data stream through a general traffic collector, reads the five-tuple (source IP, destination IP, source port, destination port and protocol) of each received packet, calculates the packet's risk level packet.risk according to the CVSS (Common Vulnerability Scoring System) and compares it with a set threshold r0: if packet.risk >= r0, the packet is more likely to contain a worm virus and is regarded as a high-risk packet; if packet.risk < r0, it is regarded as a low-risk packet. The proportion prob of high-risk packets in the total number of packets of the stream is then calculated;
(1.2) prob from step (1.1) is compared with a set threshold p0; since prob < p0 is found, the stream is a low-risk data stream, the corresponding information info is generated, and the stream's priority info.prio is set to default;
(1.3) A two-dimensional message processing queue q is constructed in the network node. It receives the data stream and the information info processed in step (1.2) and orders them by priority prio from high to low; if two packets have the same priority, they are ordered by their generation time t from early to late;
(1.4) From the queue q of step (1.3), the total number sum of packets in the queue and the capacity cache of packets that the next-hop node can still receive are calculated. If sum < cache, all packets are received in order; if sum > cache, packets are received in queue order up to the capacity, the excess is temporarily not received, its priority prio is set to high, and the method returns to step (1.3) for reordering;
(2) The heuristic method for restraining and slowing virus propagation comprises the following steps:
(2.1) The regional center obtains the information info provided by step (1.4); since the data stream was judged low-risk in (1.2), the method proceeds to step (2.3);
(2.3) Although the stream is low-risk, operation and maintenance personnel still access all network nodes to acquire the remaining available resources of every node;
(2.4) Since there is no high-risk data stream, there is no need to update the prediction and decision results at this point, nor to wait for a new defense command; the state is kept unchanged and the method returns to (1.1) to receive new data stream packets.
In this embodiment, the stream received in (1.1) is found in (1.2) to be low-risk, and the data stream and its corresponding information info only need to be transmitted and reported normally. Since there is no high-risk data stream for the moment, the second part serves mainly to maintain network data flow and device security: all nodes still update their resource information so that timely information is available in a future emergency.
The above examples are only preferred embodiments of the present invention, it should be noted that: it will be apparent to those skilled in the art that various modifications and equivalents can be made without departing from the spirit of the invention, and it is intended that all such modifications and equivalents fall within the scope of the invention as defined in the claims.

Claims (6)

1. A threat information transmission and sharing method based on a dynamic attack surface is characterized by comprising the following steps:
(1) the content of the threat data high-speed transmission protocol facing the time delay requirement is as follows:
(1.1) the network node receives a data stream through a general flow collector, reads a five-tuple, a source IP, a destination IP, a source port, a destination port and a protocol of a received data packet; calculating a risk level packet of the packet according to a general vulnerability scoring system, comparing the risk level packet with a set threshold value r0, and if the packet is greater than r0, the packet is more likely to contain the worm virus and is regarded as a high-risk data packet; if packet, the risk < r0, regarding the packet as a low risk data packet, and calculating the proportion prob of the high risk data packet in the total number of the data stream packets;
(1.2) comparing the probability prob calculated in step (1.1) with a set threshold p0; if prob >= p0, the data stream contains a large proportion of high-risk data packets and is a high-risk data stream: corresponding information info is generated, and the priority info of the packets transmitted on the link is set to high; if prob < p0, the data stream is a low-risk data stream: corresponding information info is generated, and the priority info of the data stream is set to default;
(1.3) constructing a two-dimensional message processing queue q in a network node, receiving the data stream and the information info processed in step (1.2), and sorting the queue from high to low according to the priority info;
(1.4) according to the queue q of step (1.3), respectively calculating the total number sum of the packets in the queue and the capacity cache of packets that the next-hop node can still receive; if sum is less than cache, all packets are received in order; if sum > cache, packets are received in order up to the capacity, the excess part is temporarily not received, the priority info of the excess part is set to high, and the method returns to step (1.3) for reordering;
(2) the heuristic virus propagation containment and speed reduction method comprises the following steps:
(2.1) the regional center obtains the information info provided in step (1.4); if the data stream was judged to be a high-risk data stream in step (1.2), it obtains the related information of the data stream's packets, including the propagation path, the source and destination addresses and ports, the protocol used, and the next-hop node the data stream will pass through, and the regional center also predicts the node infection condition in the next time window: a risk attribute probability p is generated for all nodes in the network according to the Common Vulnerability Scoring System (CVSS) and compared with set thresholds p1 and p2; if 0 < p < p1, the node is predicted to be a normal node; if p1 <= p < p2, the node is predicted to be a susceptible node; if p2 <= p <= 1, the node is predicted to be an infected node; if the data stream is low-risk, the method proceeds to step (2.3);
(2.2) if the data stream is a high-risk data stream according to the comparison of prob with p0 in step (1.2), the bandwidth resources and port resources of the links related to the susceptible and infected nodes are limited, and the priority level stream.prio of the data stream for link forwarding transmission is set to low;
(2.3) if the data stream is a high-risk data stream, the computing resources of all nodes in the whole network are computed and sorted from most to least, and the amount nodes with the most resources are selected as preferred nodes; the preferred nodes dynamically adjust their resource allocation, reducing the rate at which packets are normally received, sent and processed while ensuring normal operation, allocating more memory and data cache for collecting relevant information about the high-risk data stream, and at the same time acquiring the latest remaining available resource condition; if the data stream is low-risk, the remaining available resource condition of all network nodes is acquired;
(2.4) updating the prediction result of the node infection condition from step (2.1) according to the report information of the preferred nodes in step (2.3), returning to step (2.2), waiting for the defense decision-making host to send a defense command to the susceptible and infected nodes, and then returning to step (1.1) to receive a new data stream packet.
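The stream classification, queue ordering and capacity-limited admission of steps (1.2) to (1.4), together with the priority promotion of the deferred packets described in claim 3, as an added Python illustration; this is not code from the patent or its authors. The per-stream prob values, the threshold p0, the packet fields, the tie-break by generation time, and the handling of the unspecified sum == cache case (treated as "receive all") are assumptions.

```python
"""Added illustration of steps (1.2)-(1.4) and claim 3 of the patent claims:
stream classification by prob vs p0, a priority-ordered queue, and admission
limited by the next hop's capacity with promotion of the deferred excess.
Not the patent's own code; thresholds and packet fields are assumptions."""
from dataclasses import dataclass

HIGH, DEFAULT = 0, 1          # numeric priority: lower value sorts first


@dataclass
class Packet:
    stream_id: str
    gen_time: int             # constructed generation time (monotonic counter)
    prio: int = DEFAULT       # the claim's "priority info"


@dataclass
class Info:
    stream_id: str
    high_risk: bool
    prio: int


def classify_stream(stream_id, prob, p0):
    """Step (1.2): prob >= p0 marks a high-risk stream with high priority,
    otherwise a low-risk stream with default priority."""
    if prob >= p0:
        return Info(stream_id, True, HIGH)
    return Info(stream_id, False, DEFAULT)


def build_queue(packets, infos):
    """Step (1.3): tag packets with their stream's priority and sort high->default.
    Ties are broken by earlier generation time (claim 3). A packet already
    promoted to HIGH in step (1.4) keeps that promotion when re-queued."""
    prio_by_stream = {i.stream_id: i.prio for i in infos}
    for p in packets:
        p.prio = min(p.prio, prio_by_stream.get(p.stream_id, DEFAULT))
    return sorted(packets, key=lambda p: (p.prio, p.gen_time))


def admit(queue, cache):
    """Step (1.4): compare sum (queue length) with cache (next-hop capacity).
    Returns (accepted, deferred). Deferred packets are promoted to HIGH so that
    a continuous arrival of high-priority packets cannot starve them (claim 3).
    Assumption: sum == cache is treated like sum < cache (accept everything)."""
    total = len(queue)
    if total <= cache:
        return list(queue), []
    accepted = queue[:cache]
    deferred = queue[cache:]
    for p in deferred:
        p.prio = HIGH
    return accepted, sorted(deferred, key=lambda p: (p.prio, p.gen_time))


def simulate():
    """Two constructed rounds: stream A is high-risk (prob 0.8), B is low-risk
    (prob 0.2), p0 = 0.5. Returns the (stream, gen_time) pairs accepted in each
    round and what is still deferred after round 2."""
    p0 = 0.5
    infos = [classify_stream("A", 0.8, p0), classify_stream("B", 0.2, p0)]
    round1 = [Packet("A", 1), Packet("B", 2), Packet("A", 3),
              Packet("B", 4), Packet("B", 5)]
    acc1, deferred = admit(build_queue(round1, infos), cache=3)
    # Round 2: a fresh packet of high-risk stream A arrives after the deferred
    # B packets; because they were promoted, the older B packets go first.
    round2 = deferred + [Packet("A", 6)]
    acc2, deferred2 = admit(build_queue(round2, infos), cache=2)
    return [[(p.stream_id, p.gen_time) for p in acc1],
            [(p.stream_id, p.gen_time) for p in acc2],
            [(p.stream_id, p.gen_time) for p in deferred2]]


if __name__ == "__main__":
    print(simulate())
```

In the first round the three high-priority or earliest packets (A1, A3, B2) are admitted and B4, B5 are deferred; in the second round the promoted B4 and B5 are served before the newer high-risk packet A6, which is the starvation-avoidance behaviour claim 3 describes.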
2. The method according to claim 1, wherein, to determine the risk level of a packet in step (1.1), the vulnerability of each packet is detected by a vulnerability scanning tool, the vulnerability name corresponding to each packet is obtained, and three scoring measures of that vulnerability, namely the attack path, the attack complexity and the identity authentication, are looked up in the Common Vulnerability Scoring System (CVSS) by the vulnerability name; the three measures are multiplied to form the risk attribute probability of the packet, which is used as the criterion for the risk level.
3. The method according to claim 1, wherein in the case sum > cache described in step (1.4), the next-hop node preferentially receives packets with high priority and early generation time, the remaining part is congested, and the packet priority of the congested part must be raised at this point, so as to avoid a situation in which those packets can never be transmitted and processed because high-priority packets keep being generated afterwards.
4. The method of claim 3, wherein when the comparison result calculated in step (1.2) is prob < p0, no high-risk data stream is currently received, and there is no need to perform virus propagation containment and speed reduction on the packets.
5. The method as claimed in claim 4, wherein, to determine the infected and susceptible nodes in step (2.1), the vulnerability of each node can be detected by a vulnerability scanning tool, the resource name of each node and the corresponding vulnerability name are obtained, and three scoring measures of the vulnerability, namely the attack path, the attack complexity and the identity authentication, are looked up in the Common Vulnerability Scoring System (CVSS) by the vulnerability name and multiplied to form the risk attribute probability of the node.
6. The method for transmitting and sharing threat information based on a dynamic attack surface as claimed in claim 5, wherein the defense strategy in step (2.4) can send the defense command over the shortest link or the smallest hop count to ensure decision efficiency.
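Claims 2 and 5 obtain the risk attribute probability by multiplying three scoring measures of a vulnerability, and step (2.1) maps a node's probability to normal, susceptible or infected with the thresholds p1 and p2. The added Python example below is not the patent's own code; it assumes that the three measures are the CVSS v2 base metrics Access Vector, Access Complexity and Authentication with the numeric weights defined in the CVSS v2 specification, that the scanner reports a CVSS v2 vector string per node instead of only a vulnerability name, and it uses constructed vectors and the assumed thresholds p1 = 0.2, p2 = 0.45.

```python
"""Added illustration of claims 2 and 5 and the node classification of step (2.1).
Not the patent's own code. Assumption: the three scoring measures are the CVSS v2
base metrics Access Vector (AV), Access Complexity (AC) and Authentication (Au),
multiplied with their CVSS v2 numeric weights."""

# CVSS v2 numeric weights from the CVSS v2 specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}


def risk_probability(av, ac, au):
    """Claims 2/5: the product of the three measures is the risk attribute
    probability. Every factor lies in (0, 1], so the product does too."""
    return ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]


def classify_node(p, p1, p2):
    """Step (2.1): 0 < p < p1 -> normal; p1 <= p < p2 -> susceptible;
    p2 <= p <= 1 -> infected. Values outside (0, 1] are rejected because the
    claim's three ranges do not cover them."""
    if not 0.0 < p <= 1.0:
        raise ValueError("risk probability must lie in (0, 1]")
    if p < p1:
        return "normal"
    if p < p2:
        return "susceptible"
    return "infected"


def parse_cvss2_vector(vector):
    """Extract AV, AC and Au from a CVSS v2 vector such as 'AV:N/AC:L/Au:N/...'."""
    fields = dict(part.split(":", 1) for part in vector.split("/"))
    return fields["AV"], fields["AC"], fields["Au"]


# Constructed scan result (node -> CVSS v2 vector); values are made up for the
# illustration and are not real scanner output.
CONSTRUCTED_SCAN = {
    "node-a": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
    "node-b": "AV:A/AC:M/Au:S/C:P/I:P/A:P",
    "node-c": "AV:L/AC:H/Au:M/C:N/I:N/A:P",
}


def predict_infection(scan, p1=0.2, p2=0.45):
    """Return {node: (p, label)}; thresholds p1/p2 are assumed values."""
    out = {}
    for node, vec in scan.items():
        p = round(risk_probability(*parse_cvss2_vector(vec)), 4)
        out[node] = (p, classify_node(p, p1, p2))
    return out


if __name__ == "__main__":
    for node, (p, label) in predict_infection(CONSTRUCTED_SCAN).items():
        print(f"{node}: p={p} -> {label}")
```

With these weights a network-reachable, low-complexity, unauthenticated vulnerability (AV:N/AC:L/Au:N) yields p = 1.0 x 0.71 x 0.704 = 0.49984, the highest product the three metrics can produce, so the claim's "infected" band is reached only by the most exposed nodes; the thresholds p1 and p2 therefore have to be chosen relative to that ceiling rather than to the whole [0, 1] interval.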
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010419193.XA CN111683057B (en) 2020-05-18 2020-05-18 Threat information transmission and sharing method based on dynamic attack surface

Publications (2)

Publication Number Publication Date
CN111683057A CN111683057A (en) 2020-09-18
CN111683057B true CN111683057B (en) 2022-03-11

Family

ID=72433509

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010419193.XA Active CN111683057B (en) 2020-05-18 2020-05-18 Threat information transmission and sharing method based on dynamic attack surface

Country Status (1)

Country Link
CN (1) CN111683057B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109150868A (en) * 2018-08-10 2019-01-04 Hainan University Network security situation evaluation method and device
CN109617865A (en) * 2018-11-29 2019-04-12 The 30th Research Institute of China Electronics Technology Group Corporation A network security monitoring and defence method based on mobile edge computing

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10721239B2 (en) * 2017-03-31 2020-07-21 Oracle International Corporation Mechanisms for anomaly detection and access management
US11057418B2 (en) * 2018-10-15 2021-07-06 International Business Machines Corporation Prioritizing vulnerability scan results

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Research on security situation awareness and intrusion intent recognition technology based on threat intelligence sharing; 李炜键 et al.; Computer and Modernization; 2017-03-15 (No. 03); full text *


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant