CN108055232A - A kind of high speed lightweight mimicry virtual net construction method - Google Patents


Info

Publication number
CN108055232A
Authority
CN
China
Prior art keywords
network
node
function
link
Prior art date
Legal status
Granted
Application number
CN201711030111.7A
Other languages
Chinese (zh)
Other versions
CN108055232B (en)
Inventor
殷肖川
谭韧
廉哲
张凤琴
陈靖
陈桂茸
姬伟峰
Current Assignee
Air Force Engineering University of PLA
Original Assignee
Air Force Engineering University of PLA
Priority date
Filing date
Publication date
Application filed by Air Force Engineering University of PLA
Priority to CN201711030111.7A
Publication of CN108055232A
Application granted
Publication of CN108055232B
Legal status: Expired - Fee Related (current)
Anticipated expiration


Abstract

Translated from Chinese

The invention discloses a high-speed lightweight mimic virtual network construction method, characterized in that it comprises a mimic virtual network construction method and a controllable network hopping and migration method. The high-speed lightweight mimic virtual network construction method of the invention provides a methodological route to active network defense based on a mimic virtual network.

Description

Translated from Chinese

A high-speed lightweight mimic virtual network construction method

Technical field

The invention relates to mimic networks, and in particular to a high-speed lightweight mimic virtual network construction method.

Background

At present, active defense technology is a key technology of network security, and network virtualization and mimic networks are an effective technical route to active network defense. A mimic network is a brand-new active defense method. A mimic network exploits the diversity, systematization and dynamism of network attributes: on the condition that the logical function of the network stays equivalent, it realizes a mimic environment through active hopping and rapid migration of structures such as the network, platform, links, software and data, in a manner controlled by the defender, so that the target network environment appears to the outside as a dynamic, non-deterministic, heterogeneous and non-persistent changing network, thereby increasing the difficulty and cost of attack.

Network virtualization technology is an effective route to realizing a mimic network. Building a virtualization-based mimic network requires solving three key problems: first, the virtualized construction of the network architecture and its services; second, controllable hopping of network attributes and rapid migration; third, the function-equivalence mapping problem of the mimic network.

Summary of the invention

Aiming at the above problems, the present invention provides a high-speed lightweight mimic virtual network construction method, comprising a mimic virtual network construction method and a controllable network hopping and migration method;

The mimic virtual network construction method comprises the following steps:

S11: let the network be G=(N,L), where N is the set of network nodes and L the set of network links; a node is n={id,nm,tp,os,nl,pt,sp,s}, n∈N, where id is the node serial number, nm the node name, tp the node type, os the operating system the node runs, nl the node's network address, sp the service-providing program on the node, pt the port opened by sp, and s the service that sp is able to provide;

S12: a link is l={id,nm,ni,nj}, l∈L, where id is the serial number, nm the link name, and ni, nj the two nodes connected by the current link; nodes are of two kinds, the underlying physical nodes and the container nodes; unless otherwise specified, a node in this construction method means a container node; links are likewise of two kinds, the physical links connecting physical nodes and the SDN logical links connecting container nodes;

S13: construction of the mimic virtual network goes through four stages, namely node construction, link construction, network construction and mimic change; five functional roles must be provided, namely user interface, logical model, component management, mimic network and external information;

S14: during node and link construction, the user interface requires the user to supply the nm, tp, os, nl and sp of each node n and the nm, ni and nj of each link l of the above model; the logical model takes the information obtained through the user interface, generates a unique uuid for each node and link, and stores them as objects using object-oriented technology;

S15: in the node construction stage, the generated node logical objects are converted into a Dockerfile and submitted to the container manager, which generates the required service containers; in the link construction stage, the generated link logical objects are converted into calls to the RESTful API of the SDN controller, so that the SDN controller generates the required OpenFlow flow table entries and creates the defined links; in the network construction stage the generated containers and links are combined into the required mimic network, after which a coordinator is built that unifies the functions of the container manager and the SDN controller and offers the user a system operation and maintenance interface for control; in the mimic change stage, a controllable network hopping and migration method is defined: the user sets the hopping and migration parameters through the operation and maintenance interface, while external information such as IDS logs also serves as the basis for the decisions of the controllable hopping and migration method; the change control process decides by combining the user settings with the external information, and adjusts the containers and the network structure through the coordinator;

The controllable network hopping and migration method comprises network function mapping and network hopping and migration.

Further, the network function mapping is specifically:

First, a function mapping table is established, of the form M={(nv,F)}, where nv denotes a network service or function and F is the function-providing 2-tuple; then a mapping function is established, of the form Fm(nv,Fset), where nv is the service type and Fset the set of 2-tuples that provide the service; functional dependency must also be considered: a functional dependency means that realizing one function requires other functions as support, written nv′=ref(nv), i.e. the other functions on which nv depends;

It also includes how to select a new mapping relationship within the variable space after a network hop or migration:

First, given the current (nv,F), search the variable space for an Fnew≠F such that (nv,Fnew) is satisfied; then find the dependency nv′=ref(nv) of nv and, through its mapping function, the F′ currently corresponding to nv′; then verify whether Fnew satisfies the dependency relationship between F and F′; if it does, modify the function mapping directly through the mapping function, i.e. map Fm(nv,F) to Fm(nv,Fnew); if it does not, construct an intermediate component that adapts the relationship between Fnew and F′: if such an adapter component exists, integrate it with Fnew into F′new and then modify the mapping relationship; if it does not exist, search for Fnew again.

Still further, the network hopping and migration is specifically:

In the controllable network hopping and migration method, the links and nodes are first numbered: the physical links, the logical links, the physical nodes and the container nodes are each assigned sequence numbers [index formulas omitted];

Each container in Nc has a corresponding operating system [formula omitted] and provides services [formula omitted]; Ntype denotes the basic service type, such as web service, database service or file storage service; a service and its service programs are in a 1:n relationship, that is, a service-providing function f(s) is defined [formula omitted], where the service program sk∈Sapp; two important conditions apply here: first, each [formula omitted] provides only one [formula omitted]; second, sk can run on any [formula omitted];

Then the network is hopped and migrated using the random function r(t) and the external information i; define the information payoff function Pi(s,d), where s is the source of the change (Lg, Np, Ncos or Nc) and d the destination of the change (Lg, Np, Ncos or Nc), and its value denotes the payoff of changing from s to d according to the external information i; therefore, for a given source, its change payoff can be viewed as a payoff vector [formula omitted], which is min-max normalized, i.e. [formula omitted]

where min(Pi(s,dn)) denotes the minimum of all Pi(s,dn) and max(Pi(s,dn)) the maximum of all Pi(s,dn); the normalized value can be viewed as the probability of migrating on the basis of the external information, and the change payoff can then be defined as [formula omitted]; in the actual change process, the migration or hop corresponding to the maximum P(s,d) is carried out;

A change capability f(s,d) can be defined, where s is the source of the change (Lg, Np, Ncos or Nc) and d the destination of the change (Lg, Np, Ncos or Nc); the function denotes the change from s to d; the change capability of links is provided by the SDN controller, which remaps a link by changing the flow tables of the OpenFlow switches; node changes are provided by the container manager, which remaps containers through container migration, dynamic generation and the like;

Finally, the state after migration is checked through the constraint function r; a series of check conditions [formula omitted] is set and corresponding thresholds [formula omitted] are defined; only when the results of all check conditions meet their thresholds can the change be carried out;

Therefore, T(S,t,i,Ce,c) can be defined as follows [formula omitted]:

where the change condition is max(P(s,d)) and it passes ck(sth(c(S))); ck(s) denotes the threshold detection function.

Advantages of the invention:

The high-speed lightweight mimic virtual network construction method of the invention provides a methodological route to active network defense based on a mimic virtual network. The mimic virtual network built by the construction method is a brand-new active defense technique: using the diversity, systematization and dynamism of the mimic virtual network's attributes, it makes the target network exhibit dynamic, non-deterministic, heterogeneous and non-persistent changes, thereby increasing the difficulty and cost of attack.

In addition to the objects, features and advantages described above, the present invention has further objects, features and advantages. The invention is described in further detail below with reference to the drawings.

Description of drawings

The accompanying drawings, which form part of this application, serve to provide a further understanding of the invention; the illustrative embodiments of the invention and their description serve to explain the invention and do not constitute an improper limitation of it.

Fig. 1 is the mimic virtual network construction architecture diagram of a high-speed lightweight mimic virtual network construction method according to the present invention;

Fig. 2 is an example architecture diagram of a mimic virtual network built by a high-speed lightweight mimic virtual network construction method according to the present invention.

Detailed description

In order to make the objects, technical solution and advantages of the present invention clearer, the invention is described in further detail below in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and do not limit it.

Referring to Fig. 1, the high-speed lightweight mimic virtual network construction method shown there comprises a mimic virtual network construction method and a controllable network hopping and migration method;

The mimic virtual network construction method comprises the following steps:

S11: let the network be G=(N,L), where N is the set of network nodes and L the set of network links; a node is n={id,nm,tp,os,nl,pt,sp,s}, n∈N, where id is the node serial number, nm the node name, tp the node type, os the operating system the node runs, nl the node's network address, sp the service-providing program on the node, pt the port opened by sp, and s the service that sp is able to provide;

S12: a link is l={id,nm,ni,nj}, l∈L, where id is the serial number, nm the link name, and ni, nj the two nodes connected by the current link; nodes are of two kinds, the underlying physical nodes and the container nodes; unless otherwise specified, a node in this construction method means a container node; links are likewise of two kinds, the physical links connecting physical nodes and the SDN logical links connecting container nodes;

S13: construction of the mimic virtual network goes through four stages, namely node construction, link construction, network construction and mimic change; five functional roles must be provided, namely user interface, logical model, component management, mimic network and external information;

S14: during node and link construction, the user interface requires the user to supply the nm, tp, os, nl and sp of each node n and the nm, ni and nj of each link l of the above model; the logical model takes the information obtained through the user interface, generates a unique uuid for each node and link, and stores them as objects using object-oriented technology;

S15: in the node construction stage, the generated node logical objects are converted into a Dockerfile and submitted to the container manager, which generates the required service containers; in the link construction stage, the generated link logical objects are converted into calls to the RESTful API of the SDN controller, so that the SDN controller generates the required OpenFlow flow table entries and creates the defined links; in the network construction stage the generated containers and links are combined into the required mimic network, after which a coordinator is built that unifies the functions of the container manager and the SDN controller and offers the user a system operation and maintenance interface for control; in the mimic change stage, a controllable network hopping and migration method is defined: the user sets the hopping and migration parameters through the operation and maintenance interface, while external information such as IDS logs also serves as the basis for the decisions of the controllable hopping and migration method; the change control process decides by combining the user settings with the external information, and adjusts the containers and the network structure through the coordinator;

The controllable network hopping and migration method comprises network function mapping and network hopping and migration.

The network function mapping is specifically:

First, a function mapping table is established, of the form M={(nv,F)}, where nv denotes a network service or function and F is the function-providing 2-tuple; then a mapping function is established, of the form Fm(nv,Fset), where nv is the service type and Fset the set of 2-tuples that provide the service; functional dependency must also be considered: a functional dependency means that realizing one function requires other functions as support, written nv′=ref(nv), i.e. the other functions on which nv depends;

It also includes how to select a new mapping relationship within the variable space after a network hop or migration:

First, given the current (nv,F), search the variable space for an Fnew≠F such that (nv,Fnew) is satisfied; then find the dependency nv′=ref(nv) of nv and, through its mapping function, the F′ currently corresponding to nv′; then verify whether Fnew satisfies the dependency relationship between F and F′; if it does, modify the function mapping directly through the mapping function, i.e. map Fm(nv,F) to Fm(nv,Fnew); if it does not, construct an intermediate component that adapts the relationship between Fnew and F′: if such an adapter component exists, integrate it with Fnew into F′new and then modify the mapping relationship; if it does not exist, search for Fnew again.
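The function mapping and re-selection procedure above (stated in both the summary and the detailed description) as an added worked example; this is not code from the patent. The 2-tuple F is assumed to be (operating system, service program), and the compatibility table, adapter table and service types are constructed sample data.

```python
"""Added example: M={(nv,F)}, Fm(nv,Fset), ref(nv) and the search for Fnew.

Assumptions (not from the patent): F = (os, program); dependency
compatibility and adapter components are the constructed tables below.
"""

Provider = tuple[str, str]            # F = (operating system, service program)

# Fm(nv, Fset): for each service type nv, the set of 2-tuples able to provide it
Fm: dict[str, set[Provider]] = {
    "web":   {("debian", "nginx"), ("alpine", "nginx"), ("debian", "apache")},
    "db":    {("debian", "postgresql"), ("alpine", "mariadb")},
    "files": {("debian", "vsftpd")},          # only one provider: no variable space
}

# ref(nv): the other services that nv depends on (web pages need the database)
ref: dict[str, list[str]] = {"web": ["db"], "db": [], "files": []}

# Constructed: which (F, F') pairs satisfy the dependency between them.
COMPATIBLE: set[tuple[Provider, Provider]] = {
    (("debian", "nginx"), ("debian", "postgresql")),
    (("debian", "apache"), ("debian", "postgresql")),
    (("alpine", "nginx"), ("alpine", "mariadb")),
}

# Constructed: intermediate components that can adapt an (F, F') pair.
ADAPTERS: dict[tuple[Provider, Provider], str] = {
    (("alpine", "nginx"), ("debian", "postgresql")): "pgbouncer",
}


def select_new_mapping(M: dict[str, Provider], nv: str):
    """Select Fnew != F for service nv inside the variable space Fm[nv].

    Follows the patent's order: for a candidate Fnew, first check the
    dependency with F' = M[ref(nv)] directly; if unmet, look for an adapter
    and integrate it into F'new; if no adapter exists, try the next Fnew.
    Returns (updated M, chosen provider) or None when nothing fits.
    M itself is left untouched so a failed search changes nothing.
    """
    f_cur = M[nv]
    f_deps = [M[d] for d in ref.get(nv, [])]           # F' for every nv' = ref(nv)
    for f_new in sorted(Fm[nv] - {f_cur}):             # deterministic search order
        unmet = [fd for fd in f_deps if (f_new, fd) not in COMPATIBLE]
        if not unmet:                                   # Fm(nv,F) -> Fm(nv,Fnew)
            return {**M, nv: f_new}, f_new
        adapters = [ADAPTERS.get((f_new, fd)) for fd in unmet]
        if all(adapters):                               # adapter exists: build F'new
            f_adapted = (f_new[0], "+".join([f_new[1], *adapters]))
            return {**M, nv: f_adapted}, f_adapted
    return None                                         # variable space exhausted
```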

The network hopping and migration is specifically:

In the controllable network hopping and migration method, the links and nodes are first numbered: the physical links, the logical links, the physical nodes and the container nodes are each assigned sequence numbers [index formulas omitted];

Each container in Nc has a corresponding operating system [formula omitted] and provides services [formula omitted]; Ntype denotes the basic service type, such as web service, database service or file storage service; a service and its service programs are in a 1:n relationship, that is, a service-providing function f(s) is defined [formula omitted], where the service program sk∈Sapp; two important conditions apply here: first, each [formula omitted] provides only one [formula omitted]; second, sk can run on any [formula omitted];

Then the network is hopped and migrated using the random function r(t) and the external information i; define the information payoff function Pi(s,d), where s is the source of the change (Lg, Np, Ncos or Nc) and d the destination of the change (Lg, Np, Ncos or Nc), and its value denotes the payoff of changing from s to d according to the external information i; therefore, for a given source, its change payoff can be viewed as the payoff vector (P(s,d1), P(s,d2), …, P(s,dn)), which is min-max normalized, i.e. [formula omitted]

where min(Pi(s,dn)) denotes the minimum of all Pi(s,dn) and max(Pi(s,dn)) the maximum of all Pi(s,dn); the normalized value can be viewed as the probability of migrating on the basis of the external information, and the change payoff can then be defined as [formula omitted]; in the actual change process, the migration or hop corresponding to the maximum P(s,d) is carried out;

A change capability f(s,d) can be defined, where s is the source of the change (Lg, Np, Ncos or Nc) and d the destination of the change (Lg, Np, Ncos or Nc); the function denotes the change from s to d; the change capability of links is provided by the SDN controller, which remaps a link by changing the flow tables of the OpenFlow switches; node changes are provided by the container manager, which remaps containers through container migration, dynamic generation and the like;

Finally, the state after migration is checked through the constraint function r; a series of check conditions [formula omitted] is set and corresponding thresholds [formula omitted] are defined; only when the results of all check conditions meet their thresholds can the change be carried out;

Therefore, T(S,t,i,Ce,c) can be defined as follows [formula omitted]:

where the change condition is max(P(s,d)) and it passes ck(sth(c(S))); ck(s) denotes the threshold detection function.

Mimic virtual network construction method:

To serve the purpose of active defense and realize the virtualized construction of the mimic network architecture and its services, a mimic virtual network construction method is proposed.

To build a mimic virtual network, a basic virtual network structure that provides normal access to the outside must first be established. The mimic property of the network can be realized in several ways. The first is redundancy of network components: hot switching of the network is achieved through redundant nodes and links, which appears as a mimic network from outside, but utilization is low and hardware synchronization is difficult. The second is virtual network technology such as VLAN and MPLS: this reuses the existing hardware effectively and has strong network adjustment capability, but cannot change the network nodes effectively. The third is the virtual machine network: network nodes are built from virtual machines and the mimic network is realized through the virtual machine network, which avoids the drawbacks of the first two ways, but the standards of virtual machines and their networks are usually tightly coupled to the virtual machine vendor and are hard to extend effectively. Therefore, a mimic virtual network construction method that combines software-defined networking with container technology is proposed.

Let the network be G=(N,L), where N is the set of network nodes and L the set of network links. A node is n={id,nm,tp,os,nl,pt,sp,s}, n∈N, where id is the node serial number, nm the node name, tp the node type, os the operating system the node runs, nl the node's network address, sp the service-providing program on the node, pt the port opened by sp, and s the service that sp is able to provide. A link is l={id,nm,ni,nj}, l∈L, where id is the serial number, nm the link name, and ni, nj the two nodes connected by the current link. Nodes are of two kinds, the underlying physical nodes and the container nodes. Unless otherwise specified, a node in this construction method means a container node. Links are likewise of two kinds, the physical links connecting physical nodes and the SDN logical links connecting container nodes. Unless otherwise specified, a link in this construction method means an SDN logical link.

Construction of the mimic virtual network goes through four stages, namely node construction, link construction, network construction and mimic change; five functional roles must be provided, namely user interface, logical model, component management, mimic network and external information.

In the node and link construction stages, the user interface requires the user to supply the nm, tp, os, nl and sp of each node n and the nm, ni and nj of each link l of the above model; the logical model takes the information obtained through the user interface, generates a unique uuid for each node and link, and stores them as objects using object-oriented technology. In the node construction stage, the generated node logical objects are converted into a Dockerfile and submitted to the container manager, which generates the required service containers. In the link construction stage, the generated link logical objects are converted into calls to the RESTful API of the SDN controller, so that the SDN controller generates the required OpenFlow flow table entries and creates the defined links. In the network construction stage the generated containers and links are combined into the required mimic network, after which a coordinator is built that unifies the functions of the container manager and the SDN controller and offers the user a system operation and maintenance interface for control. In the mimic change stage, a controllable network hopping and migration method is defined: the user sets the hopping and migration parameters through the operation and maintenance interface, while external information such as IDS logs also serves as the basis for the decisions of the controllable hopping and migration method. The change control process decides by combining the user settings with the external information, and adjusts the containers and the network structure through the coordinator.
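The node and link model of steps S11 to S15 (summary and detailed description above) as an added worked example; this is not code from the patent. The Dockerfile layout and the JSON shape of the SDN controller request are assumptions, since the patent names the Dockerfile and a RESTful API but fixes neither format.

```python
"""Added example: logical model G=(N,L) with uuid-keyed node and link objects,
rendered to a Dockerfile (node construction stage) and to an SDN REST request
body (link construction stage). Dockerfile layout, package naming and the
request shape are assumptions, not the patent's.
"""
import uuid
from dataclasses import dataclass, field


@dataclass
class Node:
    nm: str          # node name
    tp: str          # node type, e.g. "container"
    os: str          # operating system image the node runs
    nl: str          # node network address
    sp: str          # service-providing program on the node
    pt: int          # port opened by sp
    s: str           # service that sp provides
    id: str = field(default_factory=lambda: str(uuid.uuid4()))   # unique uuid


@dataclass
class Link:
    nm: str          # link name
    ni: Node         # first endpoint
    nj: Node         # second endpoint
    id: str = field(default_factory=lambda: str(uuid.uuid4()))


class MimicNetwork:
    """G = (N, L): the logical model the coordinator drives."""

    def __init__(self) -> None:
        self.N: dict[str, Node] = {}
        self.L: dict[str, Link] = {}

    def add_node(self, **kw) -> Node:
        n = Node(**kw)
        self.N[n.id] = n
        return n

    def add_link(self, nm: str, ni: Node, nj: Node) -> Link:
        # A logical link may only join nodes that belong to G.
        if ni.id not in self.N or nj.id not in self.N:
            raise ValueError("link endpoints must be nodes of G")
        link = Link(nm, ni, nj)
        self.L[link.id] = link
        return link


def render_dockerfile(n: Node) -> str:
    """Node construction stage: turn the node object into a Dockerfile for the
    container manager. Assumes a Debian-style image and that sp is the package name."""
    return "\n".join([
        f"FROM {n.os}",
        f"LABEL mimic.node.id={n.id} mimic.node.name={n.nm}",
        f"RUN apt-get update && apt-get install -y {n.sp}",
        f"EXPOSE {n.pt}",
        f'CMD ["{n.sp}"]',
        "",
    ])


def sdn_link_request(link: Link) -> dict:
    """Link construction stage: describe the logical link for the SDN controller's
    REST API, which then installs the matching OpenFlow entries. Assumed shape."""
    return {
        "link_id": link.id,
        "name": link.nm,
        "endpoints": [
            {"node": link.ni.id, "addr": link.ni.nl},
            {"node": link.nj.id, "addr": link.nj.nl},
        ],
        "bidirectional": True,
    }


def build_example() -> tuple[MimicNetwork, str, dict]:
    """Constructed sample: a web node, a database node and one logical link."""
    g = MimicNetwork()
    web = g.add_node(nm="web1", tp="container", os="debian:12", nl="10.0.0.11",
                     sp="nginx", pt=80, s="http")
    db = g.add_node(nm="db1", tp="container", os="debian:12", nl="10.0.0.12",
                    sp="postgresql", pt=5432, s="sql")
    link = g.add_link("web1-db1", web, db)
    return g, render_dockerfile(web), sdn_link_request(link)
```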

可控网络跳变与迁移方法:Controllable network hopping and migration methods:

为了抵消传统网络的确定性、静态性和同构性给攻击者带来的攻击时间、信息不对称和攻击成本的优势,提出一种基于拟态思想的可控网络跳变与迁移方法。In order to offset the advantages of attack time, information asymmetry and attack cost brought by the determinism, staticity and isomorphism of the traditional network to the attacker, a controllable network jump and migration method based on the idea of mimicry is proposed.

可控网络跳变与迁移方法的相关定义:Related definitions of controllable network hopping and migration methods:

Definition 1. Change is the collective term for link hopping and node migration. It is divided into passive change and active change; active change is further divided into random change and stress change (change triggered by a stimulus).

In the controllable network hopping and migration method, passive change is a form of change p(i) that must be driven by external information Io: the network uses that information internally to change while keeping its functions equivalent. First, passive change needs external information as its driver; without it no change takes place. Second, the change decision itself is made on the basis of the external information. Third, network function equivalence is required: the constraint function c(S) must control the result of the change so that, observed from outside, the network's functions are equivalent before and after it.

Random change is a form of change carried out inside the network according to a random function r(t) while keeping network functions equivalent. Random change has three main points. One is the random function r(t): the change is random, so its pattern cannot be predicted, or only with great difficulty. The second is network function equivalence: the constraint function c(S) must control r(t) so that, observed from outside, the network's functions are equivalent before and after the change.

Stress change is a form of change in which the network, according to a random function r(t) and combined with external information Io, changes while keeping network functions equivalent. Stress change combines the characteristics of passive change and random change and has five main points. One is the random function r(t): the change is random and its pattern cannot be predicted, or only with great difficulty. Two is the use of external information: the change decision is made on the basis of external information. Three is the combination ratio C_r, the degree to which external information influences the change; C_r ∈ [0,1], and when C_r = 0 the stress change degenerates into random change, while when C_r = 1 it degenerates into passive change. Four is network function equivalence: the constraint function c(S) controls the result of the change so that, observed from outside, the network's functions are equivalent before and after it. Five is that the change is internal to the network, i.e. it is controlled from inside the network. The controllable network hopping and migration method implements the stress change of the network.

Definition 2. The change function T(S, t, i, C_r, c) is the mapping from one network state to another, where S is the current network state, t the time, i the external information, C_r the combination ratio and c the functional equivalence constraint.

Definition 3. The variable space is the space of possible mappings. Its size is S_div(n_v) = N_cos × N_cs, where N_cos is the operating-system mapping within a container node and N_cs the service-program mapping within a container node.

Definition 4. A function mapping is the mapping relationship between two-tuples (container operating system, service program) that provide the same network service, i.e. F_old → F_new, where s_k ∈ N_cs. The function mapping is a mapping within the variable space; a container can be regarded as a provider of such a two-tuple.

1. Network function mapping

To realize controllable network hopping and migration, the mapping of network functions must be realized first. A function mapping table is established, of the form M = {(n_v, F)}, where n_v denotes a network service or function and F the two-tuple that provides it. A mapping function is then established, of the form F_m(n_v, F_set), where n_v is the service type and F_set the set of two-tuples that provide the service. Functional dependence must also be considered: a function depends on another when its realization requires that other function's support, written n′_v = ref(n_v), the other functions on which n_v depends.

The controllable network hopping and migration method is mostly concerned with functional remapping, i.e. how to choose a new mapping in the variable space after a network hop or migration. Given the current (n_v, F), first search the variable space for an F_new ≠ F that satisfies (n_v, F_new). Then find the dependency n′_v = ref(n_v) and, through its mapping function, the F′ currently serving n′_v. Next verify whether F_new satisfies the dependency relationship that held between F and F′. If it does, modify the function mapping directly through the mapping function, i.e. F_m(n_v, F) becomes F_m(n_v, F_new). If it does not, an intermediate component is built to adapt F_new to F′: if such an adapter component exists, it is integrated with F_new to form the new F_new and the mapping is then modified; if none exists, search for another F_new.

2. Network hopping and migration

In the controllable network hopping and migration method, the links and nodes are numbered first: the physical links, the logical links L_g, the physical nodes N_p and the container nodes N_c each receive their own numbering.

Each container in N_c has a corresponding operating system and a set of services it provides; N_type denotes the basic service type, such as web service, database service or file storage service. A service and its service programs are in a 1:n relationship: defining the service-providing function f(s), the service programs s_k ∈ S_app can be regarded as its providers. Two important conditions hold here: first, each service program provides only one service type; second, s_k can run on any of the container operating systems. Since the vast majority of service programs today are portable, this condition can be taken to hold.

The network is then hopped and migrated using the random function r(t) and the external information i. Define the information gain function P_i(s, d), where s is the source of the change (an L_g, N_p, N_cos or N_c) and d its destination (an L_g, N_p, N_cos or N_c); its value is the gain of changing from s to d according to the external information i. For a given source, the gains of its possible changes form a gain vector, which is normalized with min-max normalization, i.e.

$$\bar{P}^i(s,d_\psi) = \frac{P^i(s,d_\psi) - \min(P^i(s,d))}{\max(P^i(s,d)) - \min(P^i(s,d))}$$

where min(P_i(s, d_n)) is the minimum and max(P_i(s, d_n)) the maximum over all P_i(s, d_n). The normalized value can be regarded as the probability of migrating on the basis of the external information, and the change gain P(s, d) is defined from it; in the actual change process, the migration or hop corresponding to the maximum P(s, d) is carried out.

A change capability f(s, d) can be defined, where s is the source of the change (L_g, N_p, N_cos or N_c) and d its destination (L_g, N_p, N_cos or N_c); the function changes s into d. Link change capability is provided by the SDN controller, which remaps a link by modifying the flow tables of the OpenFlow switches. Node change capability is provided by the container manager, which remaps a container through container migration, dynamic generation and similar means.

Finally, the state after migration is checked by the constraint function r. A series of check conditions with corresponding thresholds can be set; the change is carried out only when the results of all check conditions satisfy their thresholds.

Therefore T(S, t, i, C_e, c) can be defined as:

$$S_{new} = T(S_{old}, t, i, C_e, c) = \begin{cases} f(L^{g}_{old}, L^{g}_{new}) \\ f(N^{c}_{old}, N^{c}_{new}) \\ f(N^{cos}_{old}, N^{cos}_{new}) \\ f(N^{cs}_{old}, N^{cs}_{new}) \end{cases}$$

where the change condition is max(P(s, d)) and the result must pass ck(s_th(c(S))), ck(s) being the threshold detection function.

Example of mimic network remapping:

The method first determines the size of the variable space. For the same function n_v there are different combinations of container operating system and service-providing software. For a web service, for example, the possible combinations of container operating system and service-providing software are shown in the following table:

Table 1 Variable space of the web service

The operating systems and service-providing software in the table are listed without versions, and only mainstream operating systems and software are included. If versions are taken into account, the variable space becomes larger still.

Next, information about the attacker is obtained through honeynets and similar techniques, for example the operating system targeted and the software vulnerabilities exploited. This information is analysed and changes are made in a targeted way. For example, if it is known that the attacker carried out a privilege escalation attack on the WEB service through the Linux vulnerability CVE-2017-7184 and the Apache vulnerability CVE-2016-4976, the current function mapping table should be checked.

The function mapping table is then changed. For example, the current function mapping table is as shown below:

Table 2 Current function mapping table

The information obtained is that the attacker attacks the WEB service through a Linux vulnerability and an Apache vulnerability, so a service-providing two-tuple with a non-Linux system and non-Apache server software can be drawn from the variable space and the WEB service mapped onto it, i.e. a Windows Server operating system combined with the IIS, Nginx or Lighttpd server software. Assuming Nginx is selected, the remapped mapping table is as shown below:

Table 3 Function mapping table after remapping

For the DATA function, whose current operating system is of the Linux family, it could likewise be remapped to Windows Server as a precaution. Whether it is remapped depends on the system's security policy.

Finally, the remapping is carried out according to the mapping table using the mapping function. Two strategies are possible: one is to dynamically generate a DockerFile and from it a new container; the other is to generate all containers in the variable space in advance and migrate dynamically between them using f(s, d).

Note that when a function mapping changes, its ref(n_v) must be adjusted as well. For example, the WEB function depends on the DATA function; after remapping, the relationship that existed between the software providing the WEB function and the software providing the DATA function must be preserved.
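As an added example (not code from the patent, whose Algorithms 1 to 3 are not reproduced on this page), the following Python strings together the remapping procedure of section 1, the min-max normalised information gain and threshold check ck() of section 2, and the WEB/DATA table example above. The variable space, the gain rule, the compatibility and adapter tables and the thresholds are all constructed assumptions.

```python
"""Added example (not the patent's own code): remapping the WEB function inside
a constructed variable space. Steps follow the text: candidate F_new != F,
information gain P_i(s, d) with min-max normalisation, the ref(n_v) dependency
check (optionally through an adapter component), the threshold check ck(), and
the update of the mapping table. Every table, rule and threshold is constructed."""

# Constructed variable space per function (Table 1 style, versions ignored).
VARIABLE_SPACE = {
    "WEB": [("Linux", "Apache"), ("Linux", "Nginx"), ("Linux", "Lighttpd"),
            ("WindowsServer", "IIS"), ("WindowsServer", "Nginx"),
            ("WindowsServer", "Lighttpd")],
    "DATA": [("Linux", "MySQL"), ("WindowsServer", "MSSQL")],
}
REF = {"WEB": "DATA", "DATA": None}          # ref(n_v): WEB depends on DATA
# Constructed dependency knowledge: (web program, data program) pairs that work
# directly, and pairs that work only through an intermediate adapter component
# (empty here, so a non-compatible candidate is skipped and the search goes on).
COMPAT = {("Apache", "MySQL"), ("Nginx", "MySQL"), ("Lighttpd", "MySQL"),
          ("IIS", "MSSQL")}
ADAPTERS = {}

def gain(dst, attack_info):
    """Constructed P_i(s, d): +1 for each attacked component (OS, program) the
    candidate d avoids, -1 for each attacked component it repeats."""
    os_hit, app_hit = attack_info
    return (1 if dst[0] != os_hit else -1) + (1 if dst[1] != app_hit else -1)

def minmax(gains):
    """Min-max normalisation of the gain vector: (P - min) / (max - min).
    A flat vector (max == min) carries no preference and maps to 0.5."""
    lo, hi = min(gains.values()), max(gains.values())
    if hi == lo:
        return {d: 0.5 for d in gains}
    return {d: (g - lo) / (hi - lo) for d, g in gains.items()}

def adapt(f_new, f_dep, compat, adapters):
    """Dependency step: return f_new (possibly extended with an adapter) when
    the relation with F' can be kept, else None so that the search continues."""
    key = (f_new[1], f_dep[1])
    if key in compat:
        return f_new
    if key in adapters:
        return f_new + (adapters[key],)        # integrate adapter into F_new
    return None

# Constructed check conditions with thresholds: (name, function, threshold).
# ck() passes only when every check reaches its threshold.
CHECKS = [
    ("gain", lambda p, old, new: p, 0.5),                      # normalised gain
    ("os_changed", lambda p, old, new: float(old[0] != new[0]), 1.0),
]

def ck(p, old, new, checks=CHECKS):
    return all(fn(p, old, new) >= thr for _, fn, thr in checks)

def remap(mapping, n_v, attack_info, compat=COMPAT, adapters=ADAPTERS):
    """Return (new_mapping, normalised_gains). If no candidate survives the
    dependency and threshold checks, the mapping is returned unchanged."""
    current = mapping[n_v]
    candidates = [d for d in VARIABLE_SPACE[n_v] if d != current]  # F_new != F
    if not candidates:
        return mapping, {}
    norm = minmax({d: gain(d, attack_info) for d in candidates})
    dep = REF.get(n_v)
    f_dep = mapping.get(dep) if dep else None
    # Try candidates in order of maximum normalised gain (stable for ties).
    for d in sorted(candidates, key=lambda c: norm[c], reverse=True):
        f_new = d if f_dep is None else adapt(d, f_dep, compat, adapters)
        if f_new is None or not ck(norm[d], current, f_new):
            continue
        new_mapping = dict(mapping)
        new_mapping[n_v] = f_new               # Fm(n_v, F) -> Fm(n_v, F_new)
        return new_mapping, norm
    return mapping, norm

if __name__ == "__main__":
    table = {"WEB": ("Linux", "Apache"), "DATA": ("Linux", "MySQL")}
    print(remap(table, "WEB", ("Linux", "Apache")))
```

With the page's scenario (Linux and Apache attacked) the Windows Server candidates all normalise to 1.0; IIS is skipped because no compatibility or adapter entry links it to MySQL, so Nginx on Windows Server is chosen, matching Table 3.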

The controllable network hopping and migration method is shown in Algorithm 1:

The information gain normalization algorithm is shown in Algorithm 2:

The mimic function mapping algorithm is shown in Algorithm 3:

The high-speed lightweight mimic virtual network construction method of the invention provides a methodological route to active network defence based on a mimic virtual network. The mimic virtual network built by the method is a new active defence technique: by exploiting the diversified, systematised and dynamic properties of the mimic virtual network, it makes the target network appear dynamic, non-deterministic, heterogeneous and non-persistent, thereby increasing the difficulty and cost of attacks.

The above are only preferred embodiments of the invention and do not limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the invention falls within its scope of protection.

Claims (3)

S15. In the node construction stage, the generated node logic object information is converted into a DockerFile and submitted to the container manager, so that the container manager generates the required service containers; in the link construction stage, the generated link logic object information is converted into calls to the RESTful API of the SDN controller, so that the SDN controller generates the required OpenFlow flow table information and thereby the defined links; in the network construction stage, the generated containers and links are combined into the required mimic network, and a coordinator is then built to unify the functions of the container manager and the SDN controller and to provide the user with a system O&M interface for control; in the mimicry change stage, the controllable network hopping and migration method is defined, the user sets the hopping and migration parameters through the system O&M interface, and external information such as IDS logs also serves as the decision basis of the method; the change control flow makes decisions by combining the user settings and the external information and adjusts the containers and network structure through the coordinator;
$$\bar{P}^i(s,d_\psi) = \frac{P^i(s,d_\psi) - \min(P^i(s,d))}{\max(P^i(s,d)) - \min(P^i(s,d))}$$
$$S_{new} = T(S_{old}, t, i, C_e, c) = \begin{cases} f(L^{g}_{old}, L^{g}_{new}) \\ f(N^{c}_{old}, N^{c}_{new}) \\ f(N^{cos}_{old}, N^{cos}_{new}) \\ f(N^{cs}_{old}, N^{cs}_{new}) \end{cases}$$
Publications (2)

Publication Number  Publication Date
CN108055232A (en)   2018-05-18
CN108055232B (en)   2020-11-06



Legal Events

Date  Code  Title  Description
      PB01  Publication
      SE01  Entry into force of request for substantive examination
      GR01  Patent grant
      CF01  Termination of patent right due to non-payment of annual fee

Granted publication date: 20201106

Termination date: 20211030

