CN115102791B - Password service monitoring system and method based on mimicry defense - Google Patents

Password service monitoring system and method based on mimicry defense

Info

Publication number
CN115102791B (application number CN202211015580.2A)
Authority
CN
China
Prior art keywords
defense
module
key
monitoring system
service monitoring
Prior art date
Legal status
Active
Application number
CN202211015580.2A
Other languages
Chinese (zh)
Other versions
CN115102791A (en)
Inventor
张五一
江楠
兰先登
汤敏杰
刘雪梅
田叶
杨乘胜
蒋啸
Current Assignee
Nanjing Nanzi Huadun Digital Technology Co ltd
Original Assignee
Nanjing Huadun Power Information Security Evaluation Co Ltd
Application filed by Nanjing Huadun Power Information Security Evaluation Co Ltd
Priority to CN202211015580.2A
Publication of CN115102791A
Application granted
Publication of CN115102791B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload, wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/105 Multiple levels of security
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/002 Countermeasures against attacks on cryptographic mechanisms
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S 40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S 40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides a cryptographic service monitoring system and method based on mimicry defense, belonging to the technical field of information security of the power Internet of Things. The cryptographic service platform is provided with at least two redundant backup systems; its primary cryptographic service monitoring system generates a key service request and sends it to a secondary cryptographic service monitoring system through a preset network protocol. The primary cryptographic service monitoring system comprises a key management module, a certificate management module, a digital signature verification module, an identity authentication module and a dynamic defense switching module; the secondary cryptographic service monitoring system comprises a cryptographic service module, a detection module and a mimicry heterogeneous defense module. The dynamic defense switching module analyzes the arbitration result of the mimicry heterogeneous defense module and, in combination with a defense strategy, directly and dynamically shifts the attack surface and switches the system to a redundant backup cryptographic service platform when a key service request carries a threat attack. This greatly increases the attack cost, consumes the attacker's time and realizes dynamic defense of the system.

Description

Password service monitoring system and method based on mimicry defense
Technical Field
The invention belongs to the technical field of information security of the power Internet of Things, and in particular relates to a cryptographic service monitoring system and method based on mimicry defense.
Background
With the rapid development of smart grids and the deep application of advanced information technologies such as sensing, computation, communication and control, the power system is progressively becoming informatized, networked and intelligent. Open communication networks and device terminal interfaces promote real-time analysis, scientific decision-making and efficient allocation of power resources, but they also introduce potential security hazards.
The State Grid Corporation has developed a unified cryptographic service platform to build, manage and maintain cryptographic infrastructure resources centrally and uniformly and to standardize the use of cryptography in each business system. The cryptographic service platform provides software and hardware facilities such as cipher machines, microservices and databases to each business system, supporting cryptographic services such as digital certificate issuance, user identity authentication, real-name authentication, and encryption and decryption of business data. However, owing to inherent characteristics of the power system and of its communication and information systems, security hazards remain, and some network attacks still cannot be defended against, or can be defended against only at high cost. To ensure the normal operation of the various software and hardware devices and services in the cryptographic service platform, a targeted resilient defense system needs to be constructed that executes suitable defense strategies in an active defense mode, reducing the risk the system faces.
Disclosure of Invention
In view of the problems in the prior art, the invention aims to provide a cryptographic service monitoring system and method based on mimicry defense, which provide redundant backup for the cryptographic service platform system, monitor in real time the key service requests transmitted between networks, analyze whether those requests carry threatening data and, when a threat attack is detected, directly and dynamically shift the attack surface and switch the cryptographic service platform system to a redundant backup system, so that an attacker finds it difficult to locate a fixed vulnerability, the attack cost is greatly increased and the attack time is greatly prolonged.
In order to achieve the purpose, the technical scheme of the invention is as follows:
a cryptographic service monitoring system based on a mimicry defense, the system comprising:
the cryptographic service platform is provided with at least two redundant backup systems and comprises a primary cryptographic service monitoring system, which is communicatively connected to at least one secondary cryptographic service monitoring system and which generates a key service request and sends it to the secondary cryptographic service monitoring system through a preset network protocol;
the primary cryptographic service monitoring system comprises a key management module, a certificate management module, a digital signature verification module, an identity authentication module and a dynamic defense switching module;
the identity authentication module is used for authorizing a corresponding operation level to a user identifier logged in to the cryptographic service platform;
the key management module acquires a key pair generated by a cipher machine and stores, encrypts and distributes the key pair;
the certificate management module generates corresponding signature certificates based on the public key of the key pair and the user identifiers of the different operation levels;
the digital signature verification module digitally signs the key service request with the private key of the key pair to generate an encrypted key service request;
the primary cryptographic service monitoring system issues the encrypted key service request carrying the user identification signature to the secondary cryptographic service monitoring system;
the secondary cryptographic service monitoring system comprises a cryptographic service module, a detection module and a mimicry heterogeneous defense module;
the detection module is used for automatically detecting and acquiring the encrypted key service request carrying the user identification signature;
the cryptographic service module obtains the public key of the key pair from the signature certificate to decrypt the key service request;
the mimicry heterogeneous defense module comprises a distribution unit, a scheduling unit, an executor unit, an arbitration unit, an executor pool and a plurality of executors in the executor pool;
the executor unit acquires executors with the same function from the executor pool;
the distribution unit dynamically and randomly distributes the decrypted key service request to a plurality of executors of the executor unit for normalization processing and returns the processing results to the arbitration unit;
the arbitration unit compares and arbitrates the normalization processing results and outputs an arbitration result;
the scheduling unit schedules a plurality of executors from the executor pool into the executor unit based on a dynamic scheduling algorithm and the arbitration result, and replaces the executors with abnormal output in the executor unit;
and the dynamic defense switching module analyzes the arbitration result of the mimicry heterogeneous defense module and, in combination with a defense strategy, directly and dynamically shifts the attack surface and switches the system to the redundant backup cryptographic service platform when the key service request carries a threat attack.
Preferably, the secondary cryptographic service monitoring system generates a key obtaining request according to the key service request and sends the key obtaining request to the primary cryptographic service monitoring system, the key management module includes a key distribution unit, the key distribution unit determines a key issuing mode according to the key obtaining request, and issues the stored key pair to the cryptographic service module, and the cryptographic service module analyzes the key pair and issues the key pair to the terminal internet of things device using the key pair.
Preferably, the secondary cryptographic service monitoring system further comprises an exception alarm module, and the exception alarm module performs information classification on the threat level of the cryptographic key service request according to an execution log generated by an execution body with the same function and outputs alarm information.
Preferably, the primary cryptographic service monitoring system further comprises a security analysis module arranged at its front end; the security analysis module holds a preset feature-information rule base, monitors the operating state of the cryptographic service platform's communication network, collects network messages, extracts feature information, performs a security assessment of the communication network's operating state against the feature-information rule base, and responds to abnormal network messages.
Preferably, the primary cryptographic service monitoring system further includes a monitoring module and an interception module arranged at its rear end; the monitoring module captures network packets and parses them, the interception module holds a preset abnormal-interception rule base, and the interception module checks the parsed packets against the abnormality judgment rules of that rule base in order to capture and intercept abnormal network packets.
Preferably, the defense strategies form a defense strategy set interval whose endpoints are a required defense strategy type, representing the highest priority, and an unnecessary defense strategy type, representing the lowest priority, and the corresponding available defense strategy is selected from the defense strategy set interval according to defense strategy weight factors.
Preferably, the secondary cryptographic service monitoring system further includes a defense strategy updating module, which monitors and analyzes in real time the execution logs generated by the multiple executors, updates the defense strategy weight factors accordingly, and selects an optimal defense strategy from the defense strategy set interval based on the updated weight factors.
Preferably, the calculation model for selecting a defense strategy from the defense strategy set interval according to the defense strategy weight factors is as follows:
[formula image DEST_PATH_IMAGE001]
where D denotes the set of defense strategies, [image DEST_PATH_IMAGE002] is the probability of adopting the i-th defense strategy, n is the total number of attack strategies, [image DEST_PATH_IMAGE003] is the defense strategy weight factor computed from the execution logs generated by the plurality of executors, α is the correlation factor between the current defense strategy and the previous defense strategy, [image DEST_PATH_IMAGE004] is the protection strategy defined from the correlation factor α and the weight factor [image DEST_PATH_IMAGE003], [image DEST_PATH_IMAGE005] is the utility of the defense strategy, and [image DEST_PATH_IMAGE006] is the utility of selecting the corresponding available defense strategy from the set of defense strategies.
Preferably, the cryptographic service platform adopts a distributed microservice architecture.
The invention also provides a cryptographic service monitoring method based on mimicry defense, which applies the cryptographic service monitoring system described above and comprises the following steps:
step S1: initializing and configuring a cryptographic service platform with at least two redundant backup systems, the cryptographic service platform being configured with a primary cryptographic service monitoring system and at least one secondary cryptographic service monitoring system;
step S2: establishing a communication connection between the primary cryptographic service monitoring system and the secondary cryptographic service monitoring system;
step S3: acquiring a key pair generated by a cipher machine, and generating a corresponding signature certificate from the key pair together with the operation level authorized for the user identifier logged in to the cryptographic service platform;
step S4: generating a key service request, digitally signing it with the private key of the key pair to generate an encrypted key service request, and issuing the encrypted key service request to the secondary cryptographic service monitoring system;
step S5: automatically detecting and acquiring the encrypted key service request carrying the user identification signature, and decrypting it with the public key of the key pair in the signature certificate;
step S6: dynamically and randomly distributing the decrypted key service request to a plurality of executors in the executor unit for normalization processing, comparing and arbitrating the normalization processing results, and outputting an arbitration result;
step S7: identifying the executors with abnormal output in the executor unit based on a dynamic scheduling algorithm and the arbitration result, and scheduling a plurality of executors from the executor pool to replace them;
step S8: analyzing the arbitration result in combination with a defense strategy and, when the key service request carries a threat attack, directly and dynamically shifting the attack surface and switching the system to the redundant backup cryptographic service platform.
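As an added illustration of steps S3 to S5 (the key management, certificate management, digital signature verification and cryptographic service modules), the following Go program is example code written for this page, not the patent's implementation. It models the cipher machine's key pair with an Ed25519 key generated in software, models the signature certificate as a simplified structure binding the public key to a user identifier and operation level rather than a real X.509 certificate, and treats the patent's "encrypting" of the request with the private key and "decrypting" with the public key as signing and signature verification. The request field names, the error values and the operation-level check are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// SignatureCertificate binds a key pair's public key to the user identifier
// and the operation level granted by the identity authentication module.
// Simplified stand-in (assumption) for the patent's signature certificate.
type SignatureCertificate struct {
	UserID         string
	OperationLevel int
	PublicKey      ed25519.PublicKey
}

// KeyServiceRequest is the primary system's request; field names are assumptions.
type KeyServiceRequest struct {
	UserID        string `json:"user_id"`
	Operation     string `json:"operation"`
	RequiredLevel int    `json:"required_level"`
	Nonce         string `json:"nonce"`
}

// SignedRequest is the signed ("encrypted") request sent over the network.
type SignedRequest struct {
	Payload   []byte
	Signature []byte
	Cert      SignatureCertificate
}

var (
	ErrBadSignature = errors.New("signature does not verify under the certificate public key")
	ErrUserMismatch = errors.New("request user does not match the certificate subject")
	ErrLevelTooLow  = errors.New("certificate operation level is below the level the request needs")
)

// GenerateKeyPair stands in for the cipher machine the key management module reads from.
func GenerateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// IssueCertificate plays the certificate management module: it pairs the
// public key with a user identifier and that identifier's operation level.
func IssueCertificate(userID string, level int, pub ed25519.PublicKey) SignatureCertificate {
	return SignatureCertificate{UserID: userID, OperationLevel: level, PublicKey: pub}
}

// SignRequest plays the digital signature verification module on the primary
// side: serialise the request and sign it with the key pair's private key.
func SignRequest(req KeyServiceRequest, priv ed25519.PrivateKey, cert SignatureCertificate) (SignedRequest, error) {
	payload, err := json.Marshal(req)
	if err != nil {
		return SignedRequest{}, err
	}
	return SignedRequest{Payload: payload, Signature: ed25519.Sign(priv, payload), Cert: cert}, nil
}

// VerifyRequest plays the cryptographic service module on the secondary side:
// verify the signature with the public key carried in the certificate, then
// check that the certificate subject and its operation level cover the request.
func VerifyRequest(sr SignedRequest) (KeyServiceRequest, error) {
	var req KeyServiceRequest
	if len(sr.Cert.PublicKey) != ed25519.PublicKeySize ||
		!ed25519.Verify(sr.Cert.PublicKey, sr.Payload, sr.Signature) {
		return req, ErrBadSignature
	}
	if err := json.Unmarshal(sr.Payload, &req); err != nil {
		return req, err
	}
	if req.UserID != sr.Cert.UserID {
		return req, ErrUserMismatch
	}
	if sr.Cert.OperationLevel < req.RequiredLevel {
		return req, ErrLevelTooLow
	}
	return req, nil
}

func main() {
	pub, priv, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	cert := IssueCertificate("operator-01", 2, pub)
	req := KeyServiceRequest{UserID: "operator-01", Operation: "issue-device-key", RequiredLevel: 2, Nonce: "n-0001"}
	signed, _ := SignRequest(req, priv, cert)
	if got, err := VerifyRequest(signed); err == nil {
		fmt.Printf("accepted %s for %s\n", got.Operation, got.UserID)
	}
	// One byte changed in transit is enough to make the secondary side reject it.
	signed.Payload[0] ^= 0x01
	_, err = VerifyRequest(signed)
	fmt.Println("tampered request:", err)
}
```

The certificate is trusted as delivered here. In a deployment the secondary system must validate the certificate (the job of the patent's certificate management module) before trusting the public key inside it; otherwise whoever can substitute the certificate can also substitute the key, and the signature check proves nothing.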
The technical scheme of the invention has the beneficial effects that:
Based on mimicry defense technology, the invention adopts a redundant backup protection architecture for the cryptographic service platform, automatically detects in real time the key service requests transmitted between networks, analyzes whether a request carries threatening data, and dynamically schedules the executors so that any threatening data in the request faces a constantly changing target; the constraint of multi-mode arbitration makes tampering with the decrypted data harder, and the mimicry heterogeneous defense module can directly and dynamically shift the attack surface and switch the cryptographic service platform system to a redundant backup system. An attacker therefore finds it difficult to locate a fixed vulnerability, the system as a whole is not left exposed to security threats, the attack cost and attack time increase greatly, the platform keeps operating even while compromised, and dynamic defense of the system is realized.
Further, the primary cryptographic service monitoring system acquires a key pair generated by a local cipher machine, assigns different operation levels to the different user identifiers authorized to log in to the cryptographic service platform, and generates the corresponding signature certificates. The signature certificates apply signature and encryption protection to the key service request, preventing the key data from being stolen or tampered with at an early stage; the signature certificate and the key service request data are sent according to the communication protocol, and the secondary cryptographic service monitoring system uses the signature certificate to decrypt the key service request, ensuring that the key data is correct and output normally and that the cryptographic service platform distributes keys to the intelligent Internet of Things terminal devices securely.
Drawings
The above and other objects, features and advantages of the present invention will become more apparent by describing in more detail exemplary embodiments thereof with reference to the attached drawings, in which like reference numerals generally represent like parts throughout.
FIG. 1 is a schematic structural diagram of a cryptographic service monitoring system based on mimicry defense according to an embodiment of the present invention;
FIG. 2 is a schematic structural diagram of the mimicry heterogeneous defense module of the cryptographic service monitoring system based on mimicry defense according to an embodiment of the present invention;
FIG. 3 is a flow chart of a cryptographic service monitoring method based on mimicry defense according to an embodiment of the present invention;
Description of the reference numerals:
1. cryptographic service platform; 11. primary cryptographic service monitoring system; 12. secondary cryptographic service monitoring system; 111. key management module; 112. certificate management module; 113. digital signature verification module; 114. identity authentication module; 115. dynamic defense switching module; 116. security analysis module; 117. monitoring module; 118. interception module; 121. cryptographic service module; 122. detection module; 123. mimicry heterogeneous defense module; 124. anomaly alarm module; 125. defense strategy updating module; 1231. distribution unit; 1232. scheduling unit; 1233. executor unit; 1234. arbitration unit; 1235. executor pool; 12351. executor; 2. terminal Internet of Things device.
Detailed Description
Preferred embodiments of the present invention will be described in more detail below. While the following describes preferred embodiments of the present invention, it should be understood that the present invention may be embodied in various forms and should not be limited by the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
Example one
Referring to fig. 1 and 2, the present invention provides a cryptographic service monitoring system based on mimicry defense, the system includes:
a cryptographic service platform 1 having at least two redundant backup systems, the cryptographic service platform 1 comprising a primary cryptographic service monitoring system 11 that is communicatively connected to at least one secondary cryptographic service monitoring system 12, the primary cryptographic service monitoring system 11 generating a key service request and sending it to the secondary cryptographic service monitoring system 12 through a preset network communication protocol;
the primary cryptographic service monitoring system 11 comprises a key management module 111, a certificate management module 112, a digital signature verification module 113, an identity authentication module 114 and a dynamic defense switching module 115;
the identity authentication module 114 is configured to authorize a corresponding operation level for a user identifier logged in to the cryptographic service platform 1;
the key management module 111 acquires the key pair generated by the cipher machine and stores, encrypts and distributes the key pair;
the certificate management module 112 generates corresponding signature certificates based on the public key of the key pair in combination with the user identifiers of the different operation levels;
the digital signature verification module 113 digitally signs the key service request with the private key of the key pair to generate an encrypted key service request;
the primary cryptographic service monitoring system 11 issues the encrypted key service request carrying the user identification signature to the secondary cryptographic service monitoring system 12;
the secondary cryptographic service monitoring system 12 includes a cryptographic service module 121, a detection module 122 and a mimicry heterogeneous defense module 123;
the detection module 122 is configured to automatically detect and obtain the encrypted key service request carrying the user identification signature;
the cryptographic service module 121 obtains the public key of the key pair from the signature certificate to decrypt the key service request;
the mimicry heterogeneous defense module 123 includes a distribution unit 1231, a scheduling unit 1232, an executor unit 1233, an arbitration unit 1234, an executor pool 1235 and a plurality of executors 12351 in the executor pool;
the executor unit 1233 obtains executors 12351 having the same function from the executor pool 1235;
the distribution unit 1231 dynamically and randomly distributes the decrypted key service request to the multiple executors 12351 of the executor unit 1233 for normalization processing, and returns the processing results to the arbitration unit 1234;
the arbitration unit 1234 compares and arbitrates the normalization processing results and outputs an arbitration result;
the scheduling unit 1232 schedules a plurality of executors from the executor pool 1235 into the executor unit 1233 based on the dynamic scheduling algorithm and the arbitration result, and replaces the executors 12351 with abnormal output in the executor unit 1233;
the dynamic defense switching module 115 analyzes the arbitration result of the mimicry heterogeneous defense module 123 and, in combination with a defense strategy, directly and dynamically shifts the attack surface and switches the system to the redundant backup cryptographic service platform 1 when the key service request carries a threat attack.
Specifically, the invention is based on mimicry defense technology. The cryptographic service platform 1 adopts a redundant backup protection architecture and comprises a primary cryptographic service monitoring system 11 and at least one secondary cryptographic service monitoring system 12 that communicate with each other: the primary cryptographic service monitoring system 11 is the global cryptographic service monitoring system, the secondary cryptographic service monitoring system 12 is a regional cryptographic service monitoring system (there may be several), and the two transmit data over a preset communication protocol, which may be any of various network protocols such as RPC, TCP, UDP, HTTP or HTTPS. The detection module 122 automatically detects in real time the key service requests transmitted between the primary cryptographic service monitoring system 11 and the secondary cryptographic service monitoring system 12 and analyzes whether a request carries threatening data. The mimicry heterogeneous defense module 123 dynamically schedules the executors 12351 so that a threat carried in a key service request faces a constantly changing target: the executor pool 1235 is an N-variant structure in which the backdoors present in the structures of the individual executors 12351 differ, so an attacker cannot learn the heterogeneous attributes inside the executor unit 1233 well enough to attack effectively, and the constraint of multi-mode arbitration in the arbitration unit 1234 makes tampering with the decrypted data harder.
The mimicry heterogeneous defense module 123 arranged in the secondary cryptographic service monitoring system 12 can directly and dynamically shift the attack surface and switch the cryptographic service platform system to a redundant backup system, so that an attacker finds it difficult to locate a fixed vulnerability, the whole system is not left exposed to security threats, the attack cost and attack time increase greatly, the platform keeps operating even while compromised, and dynamic defense of the system is realized. Meanwhile, the scheduling unit 1232 cleans or takes offline the abnormal executors 12351 in the executor pool 1235 according to the feedback control message sent by the arbitration unit 1234, keeping the executor pool 1235 clean.
Further, the primary cryptographic service monitoring system 11 obtains a key pair generated by a local cipher machine, assigns different operation levels to the different user identifiers authorized to log in to the cryptographic service platform 1, and generates the corresponding signature certificates. The signature certificates apply signature and encryption protection to the key service request, preventing the key data from being stolen or tampered with at an early stage; the signature certificate and the key service request data are sent according to the communication protocol, and the secondary cryptographic service monitoring system 12 uses the signature certificate to decrypt the key service request, ensuring that the key data is correct and output normally and that the cryptographic service platform 1 distributes keys securely to the terminal Internet of Things devices 2 of the intelligent Internet of Things.
In a preferred example, the secondary cryptographic service monitoring system 12 generates a key acquisition request from the key service request and sends it to the primary cryptographic service monitoring system 11. The key management module 111 includes a key distribution unit, which determines the key issuing mode from the key acquisition request and issues a stored key pair to the cryptographic service module 121; the cryptographic service module 121 parses the key pair and issues it to the terminal device 2 that uses it.
Specifically, the key issuing mode may be one of two modes, online issuing and offline issuing. The key distribution unit submits the key acquisition application to the key management module 111 using the acquisition rule corresponding to the determined key issuing mode and transmits the acquired key pair to the cryptographic service module 121 over the established communication protocol; the key distribution software of the cryptographic service module 121 parses the key pair and issues it to the terminal Internet of Things device 2 that uses it. This makes the interactive process of key acquisition and distribution between the key management module 111 and the cryptographic service module 121 explicit, so that the terminal Internet of Things device 2 that obtains the key pair can be accessed securely.
In a preferred example, the secondary cryptographic service monitoring system 12 further includes an exception alarm module 124, and the exception alarm module 124 classifies the threat level of the key service request according to the execution logs generated by the executors having the same function and outputs an alarm message.
Specifically, the exception alarm module 124 receives all execution logs generated by executors with the same function and performs correlation analysis on them: it extracts the key feature information of the error messages from the mimicry defense execution logs, determines the degree of threat present in the key service request, classifies that threat degree and outputs alarm information. The alarm information records the threat, and its degree, present in the executor that is the log source of the key feature information; the threat degree is divided into high-level threat, middle-level threat, low-level threat and no threat. If the target user request produces a high-level threat, a scheduling request is sent to the scheduling unit, which takes the executors 12351 that produced the threat offline and clears their abnormal data, schedules a number of executors from the executor pool 1235 into the executor unit 1233 based on the dynamic scheduling algorithm and the arbitration result, and replaces the executors 12351 with abnormal output in the executor unit 1233. Classifying by threat degree avoids the frequent scheduling and cleaning that excessive alarms would otherwise cause, and so saves system overhead.
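The executor arbitration, scheduling and threat grading described above (the mimicry heterogeneous defense module 123 together with the exception alarm module 124), as an added example that is not the patent's own code: a request is fanned out to the online executor unit, the multi-mode arbitration takes the strict-majority output and lists the deviating executors, the threat level is graded from the number of deviations, and the scheduler takes the deviating executors offline and refills the unit from the pool. The normalization logic, the executor names, the misbehaving `exec-B` variant and the threat-level thresholds are constructed for this example.

```go
package main

import (
	"sort"
	"strings"
)

// Executor is one functionally equivalent but heterogeneous variant from the pool.
type Executor struct {
	ID     string
	Handle func(req string) string // normalizes a decrypted key service request
}

// Arbitrate is the multi-mode arbitration: the output shared by a strict majority
// becomes the result, and every executor whose output deviates is reported.
func Arbitrate(outputs map[string]string) (result string, abnormal []string, ok bool) {
	votes, bestN := map[string]int{}, 0
	for _, out := range outputs {
		votes[out]++
	}
	for out, n := range votes {
		if n > bestN {
			result, bestN = out, n
		}
	}
	ok = bestN*2 > len(outputs)
	if !ok { // no strict majority: trust no output and report every executor
		result = ""
	}
	for id, out := range outputs {
		if out != result {
			abnormal = append(abnormal, id)
		}
	}
	sort.Strings(abnormal)
	return result, abnormal, ok
}

// ThreatLevel grades the number of deviating executors; thresholds are assumed here.
func ThreatLevel(abnormal, total int) string {
	switch {
	case abnormal == 0:
		return "none"
	case abnormal == 1:
		return "low"
	case abnormal*2 < total:
		return "medium"
	}
	return "high"
}

// Scheduler owns the online executor unit and the standby executor pool.
type Scheduler struct {
	Unit []Executor
	Pool []Executor
}

// Replace takes the named executors offline and refills the unit from the pool.
func (s *Scheduler) Replace(abnormal []string) (offline []string) {
	bad := map[string]bool{}
	for _, id := range abnormal {
		bad[id] = true
	}
	want, kept := len(s.Unit), s.Unit[:0]
	for _, e := range s.Unit {
		if bad[e.ID] {
			offline = append(offline, e.ID)
			continue
		}
		kept = append(kept, e)
	}
	s.Unit = kept
	for len(s.Unit) < want && len(s.Pool) > 0 {
		s.Unit, s.Pool = append(s.Unit, s.Pool[0]), s.Pool[1:]
	}
	return offline
}

// Serve runs one request through the unit, arbitrates, grades the threat and
// schedules replacements; with no majority the result is empty and the level "high".
func (s *Scheduler) Serve(req string) (result, level string, offline []string) {
	outputs := map[string]string{}
	for _, e := range s.Unit {
		outputs[e.ID] = e.Handle(req)
	}
	res, abnormal, _ := Arbitrate(outputs)
	return res, ThreatLevel(len(abnormal), len(outputs)), s.Replace(abnormal)
}

// normalize is the correct business logic shared by every honest executor.
func normalize(req string) string { return strings.ToUpper(strings.TrimSpace(req)) }

// NewDemoScheduler builds a constructed unit in which exec-B misbehaves and
// appends an unauthorized grant to every result it produces.
func NewDemoScheduler() *Scheduler {
	good := func(req string) string { return normalize(req) }
	bad := func(req string) string { return normalize(req) + ";GRANT-ALL" }
	return &Scheduler{
		Unit: []Executor{{ID: "exec-A", Handle: good}, {ID: "exec-B", Handle: bad}, {ID: "exec-C", Handle: good}},
		Pool: []Executor{{ID: "exec-D", Handle: good}, {ID: "exec-E", Handle: good}},
	}
}
```

Serving `" issue_key iot-dev-0042 "` on the demo scheduler yields the majority result, a "low" threat level (one deviating executor out of three), `exec-B` taken offline and `exec-D` pulled in from the pool; the next request through the refreshed unit grades "none". Because the arbitration reports every executor when no majority exists, the "high" grade and a full recycle of the unit fall out of the same code path rather than a special case.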
In a preferred example, the primary cryptographic service monitoring system 11 further includes a security analysis module 116, the security analysis module 116 is disposed at the front end of the primary cryptographic service monitoring system 11, the security analysis module 116 presets a feature information rule base, monitors the operation state of the communication network of the cryptographic service platform 1, collects network messages, extracts feature information, performs security assessment on the operation state of the communication network based on the feature information rule base, and responds to an abnormal network message.
Specifically, the security analysis module 116 collects network messages and extracts feature information, summarizes and collates the abnormal conditions that occur in the communication network, records the results in the feature information rule base in a specified format, and uses them as training samples with which the rule base is continuously corrected and improved. Query and analysis are performed through the network-port visual interface of the background monitoring software arranged in the primary cryptographic service monitoring system 11. Illegal access traffic is filtered at the front end of the primary cryptographic service monitoring system 11 as far as possible, the sending and receiving of abnormal network messages are responded to and suppressed, abnormal changes arising in the network are anticipated quickly, and an auxiliary processing strategy is given (for example, starting abnormal message recording, reporting abnormal alarms and recording running events), thereby ensuring normal operation of the network.
In a preferred example, the primary cryptographic service monitoring system 11 further includes a monitoring module 117 and an intercepting module 118, the monitoring module 117 and the intercepting module 118 are disposed at the rear end of the primary cryptographic service monitoring system 11, the monitoring module 117 captures a network packet and parses a data packet of the network packet, the intercepting module 118 presets an abnormal intercepting rule base, and the intercepting module 118 detects the parsed data packet based on an abnormal determination rule of the abnormal intercepting rule base, so as to capture and intercept an abnormal network packet.
Specifically, the abnormal interception rule base preset in the interception module 118 is generated by the network rule database arranged in the global network monitoring master station according to the configuration of the network nodes (such as servers, workstations, routers, switches and hubs), and is stored in the interception module 118 as a file. An abnormal interception rule can be logically divided into two parts, a rule header and rule options. The rule header defines the behavior (action) of the rule, the protocol of the network message to be matched, the source address, destination address, source port, destination port and other information; the rule options include the method for judging a network message abnormal and the required alarm information. Placing the security analysis module 116 at the front end of the primary cryptographic service monitoring system 11 and the monitoring module 117 and interception module 118 at its back end combines security analysis with active monitoring and interception, avoids the high latency of purely passive defense, and solves the problem of missed reports of network attacks caused by the lack of attack monitoring and analysis capability on the global side of the primary cryptographic service monitoring system 11.
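A rule base of the header/options shape just described, as an added example that is not the patent's code: each rule line carries the header (action, protocol, source and destination address and port) and an option block holding the anomaly judgment method and the alarm message, and parsed packets are checked against it. The text syntax (modelled on the familiar Snort rule layout), the two judgment methods `payload_len>N` and `contains:<text>`, and the constructed rules, addresses and payloads are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Rule is one abnormal interception rule: the header (action, protocol,
// addresses, ports) and the options (anomaly judgment method, alarm message).
type Rule struct {
	Action, Proto, SrcAddr, SrcPort, DstAddr, DstPort string
	Check                                             string // e.g. "payload_len>64" or "contains:<text>"
	Msg                                               string // alarm information recorded when the rule fires
}

// Packet is a parsed network message as the monitoring module would hand it over.
type Packet struct {
	Proto, SrcAddr, DstAddr string
	SrcPort, DstPort        int
	Payload                 []byte
}

// ParseRule reads one rule line in the (assumed) text syntax
//   drop tcp any any -> 10.0.0.5 8443 (check:payload_len>64; msg:"oversized record";)
func ParseRule(line string) (Rule, error) {
	open, end := strings.Index(line, "("), strings.LastIndex(line, ")")
	if open < 0 || end < open {
		return Rule{}, errors.New("rule has no option block")
	}
	hdr := strings.Fields(line[:open])
	if len(hdr) != 7 || hdr[4] != "->" {
		return Rule{}, fmt.Errorf("bad rule header %q", strings.TrimSpace(line[:open]))
	}
	r := Rule{Action: hdr[0], Proto: hdr[1], SrcAddr: hdr[2], SrcPort: hdr[3], DstAddr: hdr[5], DstPort: hdr[6]}
	for _, opt := range strings.Split(line[open+1:end], ";") {
		if opt = strings.TrimSpace(opt); opt == "" {
			continue
		}
		key, val, ok := strings.Cut(opt, ":")
		switch {
		case !ok:
			return Rule{}, fmt.Errorf("bad option %q", opt)
		case key == "check":
			r.Check = val
		case key == "msg":
			r.Msg = strings.Trim(val, `"`)
		default:
			return Rule{}, fmt.Errorf("unknown option %q", key)
		}
	}
	if r.Check == "" {
		return Rule{}, errors.New("rule lacks an anomaly judgment method")
	}
	return r, nil
}

// LoadRules parses the rule file contents; one bad line rejects the whole base
// so that a corrupted file cannot silently disable part of the interception.
func LoadRules(lines []string) ([]Rule, error) {
	rules := make([]Rule, 0, len(lines))
	for i, l := range lines {
		r, err := ParseRule(l)
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		rules = append(rules, r)
	}
	return rules, nil
}

func matches(ruleVal, pktVal string) bool { return ruleVal == "any" || ruleVal == pktVal }

// anomalous applies the rule's judgment method to the payload; an unknown method
// never fires, so a typo in the rule file shows up as a rule that never matches.
func anomalous(check string, payload []byte) bool {
	if strings.HasPrefix(check, "payload_len>") {
		limit, err := strconv.Atoi(strings.TrimPrefix(check, "payload_len>"))
		return err == nil && len(payload) > limit
	}
	if strings.HasPrefix(check, "contains:") {
		return strings.Contains(string(payload), strings.TrimPrefix(check, "contains:"))
	}
	return false
}

// Intercept returns the action and alarm message of the first rule whose header
// matches the packet and whose judgment method flags it, else "pass".
func Intercept(rules []Rule, p Packet) (action, msg string) {
	for _, r := range rules {
		if matches(r.Proto, p.Proto) && matches(r.SrcAddr, p.SrcAddr) && matches(r.DstAddr, p.DstAddr) &&
			matches(r.SrcPort, strconv.Itoa(p.SrcPort)) && matches(r.DstPort, strconv.Itoa(p.DstPort)) &&
			anomalous(r.Check, p.Payload) {
			return r.Action, r.Msg
		}
	}
	return "pass", ""
}

// DemoRuleFile is a constructed rule base; the real module would load it from
// the file generated by the global network monitoring master station.
var DemoRuleFile = []string{
	`drop tcp any any -> 10.0.0.5 8443 (check:payload_len>64; msg:"oversized key service record";)`,
	`alert tcp any any -> 10.0.0.5 8443 (check:contains:dump_all_keys; msg:"forbidden command token";)`,
}
```

Against the constructed base, a normal key service record to 10.0.0.5:8443 passes, a 100-byte record is dropped by the first rule, a record carrying the forbidden token raises the second rule's alarm, and the same payload over UDP passes because the header does not match. Rejecting the whole file on a single malformed line is deliberate: a partially loaded rule base is harder to notice than a module that refuses to start.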
According to a preferred example, the defense strategies form a defense strategy set interval whose endpoints are a required defense strategy type, representing the highest priority, and an unnecessary defense strategy type, representing the lowest priority; the corresponding available defense strategy is selected from the defense strategy set interval according to the defense strategy weight factors.
Specifically, the types of defense strategy include prevention, monitoring and recovery, and their importance is measured as critical (C) or non-critical (N). C is the highest priority and denotes a required defense strategy type; N is the lowest priority, i.e. a defense strategy type that is not needed. In this example, based on the dynamic switching condition of the mimicry defense, the importance of each defense strategy type under different malicious targets is measured, a targeted defense strategy interval is determined, a corresponding available defense strategy is selected from it, and that strategy is executed in an active defense manner.
In a preferred example, the secondary cryptographic service monitoring system 12 further includes a defense policy updating module 125, which monitors and analyzes the execution logs generated by the executors in real time to update the defense policy weight factors, and selects an optimal defense policy from the defense policy set interval based on the updated defense policy weight factors.
In a preferred example, the calculation model for selecting the defense strategy from the defense strategy set interval according to the defense strategy weight factor is as follows:
[formula image 1]
where D represents the set of defense strategies, [symbol image 2] is the probability of adopting the i-th defense strategy, n is the total number of attack strategies, [symbol image 3] is the defense strategy weight factor calculated from the execution logs generated by the executors, alpha is the correlation factor between the current defense strategy and the previous one, [symbol image 4] is the protection strategy defined on the basis of the correlation factor alpha and the defense strategy weight factor [symbol image 3], [symbol image 5] is the utility of the defense strategy, and [symbol image 6] is the utility of selecting the corresponding available defense strategy from the defense strategy set.
Specifically, the defense policy update module 125 monitors and analyzes in real time the execution logs generated by the executors and, according to the defense strategy weight factor [symbol image 3], selects a corresponding available defense strategy from the defense strategy set interval. While a defense strategy scheme is being executed the system may still be subject to new attacks, so it is necessary to determine whether the defense strategy must be re-planned. A new attack only affects the order in which the defense strategies are executed, since the mimicry defense itself is unchanged; therefore, by introducing the defense strategy weight factor [symbol image 3] and the correlation factor alpha between the preceding and following defense strategies, a calculation model for defense strategy selection is established, and the defense strategy scheme with the highest effectiveness is selected and executed.
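A worked instance of the weight-factor-driven selection described above, as an added example; it is not the patent's formula, whose images are not reproduced in the text. Weight factors are derived per strategy type from the executors' execution logs, and a candidate's utility is its weight factor plus the correlation factor alpha when it is the strategy already in force, with required ('C') strategies ranked ahead of unnecessary ('N') ones on ties. The log format, the utility model and the constructed log lines are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Strategy is one defense strategy type with its importance: 'C' (critical,
// required, highest priority) or 'N' (non-critical, not required, lowest priority).
type Strategy struct {
	Name       string
	Importance byte
}

// Interval is a constructed defense strategy set interval, ordered from the
// required endpoint ('C') down to the unnecessary endpoint ('N').
var Interval = []Strategy{{"prevention", 'C'}, {"recovery", 'C'}, {"monitoring", 'N'}}

// WeightFactors derives one weight factor per strategy from the executors'
// execution logs: the share of requests handled under that strategy whose
// arbitration result was normal. Log format and derivation are assumptions.
func WeightFactors(logs []string) map[string]float64 {
	total, normal := map[string]int{}, map[string]int{}
	for _, line := range logs {
		fields := map[string]string{}
		for _, kv := range strings.Fields(line) {
			if k, v, ok := strings.Cut(kv, "="); ok {
				fields[k] = v
			}
		}
		s := fields["strategy"]
		if s == "" {
			continue // malformed line: ignored rather than counted against any strategy
		}
		total[s]++
		if fields["result"] == "normal" {
			normal[s]++
		}
	}
	w := make(map[string]float64, len(total))
	for s, n := range total {
		w[s] = float64(normal[s]) / float64(n)
	}
	return w
}

// Select returns the strategy with the highest utility. The utility is an
// assumed model: the weight factor, plus alpha when the candidate is the
// strategy already in force (the correlation with the previous strategy).
// Ties keep the earlier, higher-priority entry of the interval.
func Select(interval []Strategy, w map[string]float64, prev string, alpha float64) (string, float64) {
	best, bestU := "", -1.0
	for _, s := range interval {
		u := w[s.Name]
		if s.Name == prev {
			u += alpha
		}
		if u > bestU {
			best, bestU = s.Name, u
		}
	}
	return best, bestU
}

// DemoLogs are constructed execution logs in the form the update module would read.
var DemoLogs = []string{
	"ts=1 executor=exec-A strategy=prevention result=normal",
	"ts=2 executor=exec-B strategy=prevention result=abnormal",
	"ts=3 executor=exec-C strategy=prevention result=normal",
	"ts=4 executor=exec-A strategy=monitoring result=normal",
	"ts=5 executor=exec-D strategy=monitoring result=normal",
	"ts=6 executor=exec-E strategy=recovery result=abnormal",
	"ts=7 executor=exec-A strategy=recovery result=normal",
}

func main() {
	w := WeightFactors(DemoLogs)
	for _, alpha := range []float64{0.2, 0.5} {
		name, u := Select(Interval, w, "prevention", alpha)
		fmt.Printf("alpha=%.1f -> %s (utility %.3f)\n", alpha, name, u)
	}
}
```

With the constructed logs the weight factors are 2/3 for prevention, 1.0 for monitoring and 0.5 for recovery; alpha=0.2 switches to monitoring, while alpha=0.5 keeps prevention in force. That is the role the text gives the correlation factor: a single new attack changes the execution order of the strategies only when the evidence in the logs outweighs the cost of abandoning the strategy already running.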
In a preferred example, the cryptographic service platform 1 employs a distributed microservice architecture.
Specifically, the cryptographic service platform 1 adopts a distributed microservice architecture: the platform is split into different services according to its functional modules, which are developed, deployed and maintained independently. Compared with a traditional service, the microservice architecture offers higher reliability and scalability; each module has a single responsibility, maintenance and development become easier, and the system is deployed as a cluster. Data interaction between the background of the primary cryptographic service monitoring system 11 and the background of the secondary cryptographic service monitoring system 12 is implemented with WebService technology, which is convenient and fast.
Example two
Referring to fig. 3, the present embodiment provides a cryptographic service monitoring method based on mimicry defense, which applies the mimicry-defense-based cryptographic service monitoring system described above and includes the following steps:
step S1: the password service platform 1 is initialized and configured to have at least two redundant backup systems, wherein the password service platform 1 is configured with a primary password service monitoring system 11 and at least one secondary password service monitoring system 12;
step S2: the primary password service monitoring system 11 and the secondary password service monitoring system 12 establish communication connection;
step S3: acquiring a key pair generated by a cipher machine, and generating a corresponding signature certificate by combining the key pair with the authorized operation level corresponding to a user identifier logged in to the cryptographic service platform;
step S4: generating a key service request, digitally signing the key service request with the private key of the key pair to generate an encrypted key service request, and issuing the encrypted key service request to the secondary cryptographic service monitoring system;
step S5: automatically detecting and acquiring the encrypted key service request carrying the user identifier signature, and decrypting the key service request with the public key of the key pair in the signature certificate;
step S6: dynamically and randomly distributing the decrypted key service request to a plurality of executors in the executor unit for normalization processing, comparing and arbitrating the normalization processing results, and outputting an arbitration result;
step S7: finding the executors with abnormal output in the executor unit based on a dynamic scheduling algorithm and the arbitration result, and scheduling a plurality of executors from the executor pool to replace the executors with abnormal output;
step S8: analyzing the arbitration result in combination with the defense strategy and, when the key service request carries a threat attack, directly and dynamically transferring the attack surface and switching the system to the redundant backup cryptographic service platform 1.
The method applies the cryptographic service monitoring system based on mimicry defense, so that an attacker has difficulty finding a fixed vulnerability, the whole system is kept from being exposed to security threats, the attack cost and the attack time are greatly increased, the platform can keep operating while threats are present, and dynamic defense of the system is achieved. For details, refer to the description of the first embodiment, which is not repeated here.
While embodiments of the present invention have been described above, the above description is illustrative, not exhaustive, and not limited to the disclosed embodiments. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments.

Claims (10)

1. A cryptographic service monitoring system based on mimicry defense, the system comprising:
the password service platform is provided with at least two redundant backup systems and comprises a primary password service monitoring system, the primary password service monitoring system is in communication connection with at least one secondary password service monitoring system, and the primary password service monitoring system generates a key service request and sends the key service request to the secondary password service monitoring system through a preset network protocol;
the primary password service monitoring system comprises a key management module, a certificate management module, a digital signature verification module, an identity authentication module and a dynamic defense switching module;
the identity authentication module is used for authorizing a corresponding operation level to a user identifier logged in the password service platform;
the key management module acquires a key pair generated by the cipher machine and stores, encrypts and distributes the key pair;
the certificate management module generates corresponding signature certificates based on the public keys of the key pairs and the user identifications of different operation levels;
the digital signature verification module digitally signs the key service request based on the private key of the key pair to generate an encrypted key service request;
the primary password service monitoring system issues an encrypted key service request with a user identification signature to the secondary password service monitoring system;
the secondary password service monitoring system comprises a password service module, a detection module and a mimicry heterogeneous defense module;
the detection module is used for automatically detecting and acquiring an encrypted key service request with a user identification signature;
the cryptographic service module acquires a public key of the key pair in the signature certificate to decrypt the cryptographic service request;
the mimicry heterogeneous defense module comprises a distribution unit, a scheduling unit, an executor unit, an arbitration unit, an executor pool and a plurality of executors in the executor pool;
the executor unit acquires executors with the same function from the executor pool;
the distribution unit dynamically and randomly distributes the decrypted key service request to a plurality of executors of the executor unit for normalization processing and returns the processing results to the arbitration unit;
the arbitration unit compares and arbitrates the normalization processing results and outputs an arbitration result;
the scheduling unit schedules a plurality of executors from the executor pool to the executor unit based on a dynamic scheduling algorithm and the arbitration result, and replaces the executors with abnormal output in the executor unit;
and the dynamic defense switching module analyzes the arbitration result of the mimicry heterogeneous defense module in combination with a defense strategy, and is used for directly and dynamically transferring the attack surface and switching the system to the redundant backup password service platform when the key service request carries a threat attack.
2. The mimicry-defense-based cryptographic service monitoring system of claim 1, wherein the secondary cryptographic service monitoring system generates a key acquisition request according to the key service request and sends the key acquisition request to the primary cryptographic service monitoring system, the key management module comprises a key distribution unit, the key distribution unit determines a key distribution mode according to the key acquisition request and distributes the stored key pair to the cryptographic service module, and the cryptographic service module parses the key pair and distributes the key pair to a terminal Internet of Things device using the key pair.
3. The mimicry-defense-based cryptographic service monitoring system of claim 1, wherein the secondary cryptographic service monitoring system further comprises an anomaly alarm module, and the anomaly alarm module classifies the threat level of the key service request according to the execution logs generated by the executors with the same function and outputs alarm information.
4. The mimicry-defense-based cryptographic service monitoring system of claim 1, wherein the primary cryptographic service monitoring system further comprises a security analysis module, the security analysis module is disposed at a front end of the primary cryptographic service monitoring system, the security analysis module presets a feature information rule base, monitors an operation state of the cryptographic service platform communication network, collects network messages to extract feature information, performs security assessment on the operation state of the communication network based on the feature information rule base, and responds to abnormal network messages.
5. The cryptographic service monitoring system based on mimicry defense according to claim 1, wherein the primary cryptographic service monitoring system further comprises a monitoring module and an intercepting module, the monitoring module and the intercepting module are disposed at a back end of the primary cryptographic service monitoring system, the monitoring module captures a network packet and analyzes a data packet of the network packet, the intercepting module presets an abnormal intercepting rule base, and the intercepting module detects the analyzed data packet based on an abnormal judgment rule of the abnormal intercepting rule base to capture and intercept an abnormal network packet.
6. The cryptographic service monitoring system based on mimicry defense as claimed in claim 1, wherein the defense strategy is a defense strategy set interval composed of an interval endpoint of a required defense strategy type representing the highest priority and an unnecessary defense strategy type representing the lowest priority, respectively, and the corresponding available defense strategy is selected from the defense strategy set interval according to a defense strategy weight factor.
7. The mimicry-defense-based cryptographic service monitoring system of claim 6, further comprising a defense policy updating module, wherein the defense policy updating module monitors and analyzes execution logs generated by a plurality of executors in real time to update the defense policy weighting factors, and selects an optimal defense policy from the defense policy set interval based on the updated defense policy weighting factors.
8. The cryptographic service monitoring system based on mimicry defense of claim 6, wherein the computational model of the defense strategy selected from the defense strategy set interval according to the defense strategy weighting factor is:
[formula image 1]
where D represents the set of defense strategies, [symbol image 2] is the probability of adopting the i-th defense strategy, n is the total number of attack strategies, [symbol image 3] is the defense strategy weight factor calculated from the execution logs generated by the executors, alpha is the correlation factor between the current defense strategy and the previous one, [symbol image 4] is the protection strategy defined on the basis of the correlation factor alpha and the defense strategy weight factor [symbol image 3], [symbol image 5] is the utility of the defense strategy, and [symbol image 6] is the utility of selecting the corresponding available defense strategy from the defense strategy set.
9. The mimicry defense based cryptographic service monitoring system of claim 1, wherein the cryptographic service platform employs a distributed microservice architecture.
10. A cryptographic service monitoring method based on mimicry defense, which applies the cryptographic service monitoring system based on mimicry defense as claimed in any one of claims 1-9, characterized by comprising the following steps:
step S1: the method comprises the following steps that a password service platform is initialized and configured to be provided with at least two redundant backup systems, wherein the password service platform is configured with a primary password service monitoring system and at least one secondary password service monitoring system;
step S2: the primary password service monitoring system and the secondary password service monitoring system establish communication connection;
and step S3: acquiring a key pair generated by a cipher machine, and generating a corresponding signature certificate by combining the key pair with an authorized operation level corresponding to a user identifier logged into the cipher service platform;
and step S4: generating a key service request, performing digital signature on the key service request based on a private key of the key pair to generate an encrypted key service request, and issuing the encrypted key service request to the secondary password service monitoring system;
step S5: automatically detecting and acquiring an encrypted key service request with a user identification signature, and decrypting the key service request based on a public key of the key pair in a signature certificate;
step S6: dynamically and randomly distributing the decrypted key service request to a plurality of execution bodies in an execution body unit for normalization processing, comparing and arbitrating the normalization processing results, and outputting an arbitration result;
step S7: finding out an execution body with abnormal output in the execution body unit based on a dynamic scheduling algorithm and a resolution result, and scheduling a plurality of execution bodies from an execution body pool to replace the execution body with the abnormal output;
step S8: analyzing the adjudication result and combining with a defense strategy, directly and dynamically transferring an attack surface and switching the system to the redundancy backup cryptographic service platform when the key service request has threat attack.
CN202211015580.2A 2022-08-24 2022-08-24 Password service monitoring system and method based on mimicry defense Active CN115102791B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211015580.2A CN115102791B (en) 2022-08-24 2022-08-24 Password service monitoring system and method based on mimicry defense

Publications (2)

Publication Number Publication Date
CN115102791A CN115102791A (en) 2022-09-23
CN115102791B true CN115102791B (en) 2023-01-03

Family

ID=83300273

Country Status (1)

Country Link
CN (1) CN115102791B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115408371B (en) * 2022-10-31 2023-01-31 之江实验室 Dynamic redundancy deployment method and device for redis database
CN116094948B (en) * 2023-04-12 2023-07-04 乾讯信息技术(无锡)有限公司 Service type password product realization system and method with mimicry structure
CN116781434B (en) * 2023-08-25 2023-11-14 北京傲星科技有限公司 Access control method, system and related equipment based on mimicry defense
CN117097564B (en) * 2023-10-18 2024-02-02 沃通电子认证服务有限公司 Password service calling method, device, terminal equipment and storage medium

Patent Citations (5)

Publication number Priority date Publication date Assignee Title
CN111010410A (en) * 2020-03-09 2020-04-14 南京红阵网络安全技术研究院有限公司 Mimicry defense system based on certificate identity authentication and certificate signing and issuing method
WO2021179449A1 (en) * 2020-03-09 2021-09-16 南京红阵网络安全技术研究院有限公司 Mimic defense system based on certificate identity authentication, and certificate issuing method
CN111478970A (en) * 2020-04-13 2020-07-31 国网福建省电力有限公司 Power grid Web application mimicry defense system
CN111741008A (en) * 2020-07-08 2020-10-02 南京红阵网络安全技术研究院有限公司 Two-way anonymous authentication system and method based on mimicry defense principle
CN114793248A (en) * 2022-03-02 2022-07-26 上海图灵智算量子科技有限公司 Mimicry-based encryption communication method

Non-Patent Citations (2)

Title
Research on an architecture for protecting critical data based on mimicry defense technology; 冯峰 et al.; Modern Computer (《现代计算机》); 2020-08-15 (No. 23); full text *
Security architecture and technologies of the power Internet of Things for energy interconnection; 张翼英 et al.; Telecommunications Science (《电信科学》); 2021-02-20; full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: No. 38, New Model Road, Gulou District, Nanjing City, Jiangsu Province, 210000

Patentee after: Nanjing Nanzi Huadun Digital Technology Co.,Ltd.

Address before: No. 38, New Model Road, Gulou District, Nanjing City, Jiangsu Province, 210000

Patentee before: NANJING HUADUN POWER INFORMATION SECURITY EVALUATION CO.,LTD.