Research On Dynamic Defense Mechanism For Service State Maintenance

Posted on: 2023-09-07
Degree: Master
Type: Thesis
Country: China
Candidate: Y F Shi
GTID: 2558306914483614
Subject: Cyberspace security

Abstract/Summary:
Owing to the advantages attackers hold in information asymmetry, time and cost, cyberspace has always been in an unfair situation: easy to attack and difficult to defend. In addition, the traditional network architecture and defense system, which are static, deterministic and homogeneous, struggle to meet the challenge of unknown threats. How to transform unknown threats into security problems with a controllable threat level, without relying on prior knowledge, is therefore a major challenge in cyberspace security. To break the defenders' dilemma and overcome the shortcomings of traditional defense methods that rely on attribute code, we research a dynamic defense mechanism for service state maintenance which can effectively deal with unknown attacks and ensure service availability and partition fault tolerance. The main work and contributions are as follows.

(1) We propose an intelligent arbitration strategy based on trust and dissimilarity. Combined with the redundancy arbitration of mimic defense, we implement an intelligent service arbitration strategy from the perspectives of node trust and dissimilarity. To better balance security and service availability, we give a reasonable range of mimic defense boundaries for the distributed file system (DFS). The experimental results show that this strategy can effectively improve the accuracy of arbitration, thereby reducing the impact on the service.

(2) We propose the Dynamic Defense Space-time Game Model (DDS), analyze the limitations of traditional dynamic defense from the perspectives of time and space, and adopt a Dynamic Defense Space-Time Strategy based on an incomplete information game to provide a theoretical basis for attack surface transformation. On the one hand, we analyze the limitations of the traditional space strategy of dynamic defense against the space squeeze attack and then establish a model to describe the game. Based on the Nash equilibrium solution of the model, we propose the optimal space strategy for distributed dynamic defense. On the other hand, to implement the dynamics of the defense system effectively, we decompose a single game into an attack preparation stage and an attack launch stage to analyze the relationship between service response time, attack preparation time, and synchronization time. Finally, we set up an experimental environment to verify the effectiveness of the strategy from three aspects: space adaptive parameters, attack intensity distribution, and hopping time. The results show that this method can effectively reduce the impact of attacks on service performance.

(3) We design and implement a polymorphic security prototype system based on DFS. By analyzing the vulnerability of the DFS and the difficulty of de-collaboration in the dynamic transformation, we improve the system's dynamism, randomization and diversity to address unknown problems. More specifically, instead of deploying a redundancy arbitration mechanism as the core of security defense, we use this mechanism as an auxiliary perception approach for attack detection and develop a security closed loop of "Detection-Response-Reconstruction-Recovery". While the closed loop guarantees service quality, it transforms the attack surface in a manageable and controllable manner to increase system security resilience and continuous service capability. Considering the properties of DFS, a series of strategies are designed, including a security detection module, a gateway module, a control module, and a service scheduling module. Experiments verify the effectiveness of the model and strategies in terms of service correctness, availability and attack resistance.
Keywords/Search Tags: dynamic defense, mimic defense, moving target defense, game theory, distributed file system, polymorphic security control framework