



Technical Field
The present invention relates to the technical field of network security, and in particular to a mimic security system and a cloud platform security operation and maintenance method.
Background Art
As the ability of cloud computing to support high-performance computing becomes ever more prominent, new computing, storage and network infrastructure iterates rapidly. The enormous infrastructure base, the complex computing and storage architectures, and the highly integrated software tools and environments pose major challenges for cloud platform network security operation and maintenance. The main current approach to cloud platform security system operation and maintenance combines data warehousing, BI (Business Intelligence) and related fields to perform dedicated operation and maintenance data analysis and mining on business data: data from monitoring systems, automated operation and maintenance, the CMDB (Configuration Management Database), log files and various specialized operation and maintenance tools is collected, cleaned, integrated and structured to support intelligent analysis of enterprise operation and maintenance data. Performing dedicated operation and maintenance data analysis and mining on business data with such common systems makes the management of cloud platform security operation and maintenance rather passive. The security systems used by existing cloud platforms therefore suffer from passive management in security operation and maintenance.
Summary of the Invention
The present invention provides a mimic security system and a cloud platform security operation and maintenance method, so as to at least solve the problem that the security system used by a cloud platform is managed passively in security operation and maintenance.
According to a first aspect of the embodiments of the present invention, a mimic security system is provided. The system comprises a distribution and adjudication service, a unified service engine and a running node agent. The running node agent receives a service request sent by the distribution and adjudication service, controls a plurality of heterogeneous executors to perform the operation corresponding to the service request, and generates a service request result from the states of the plurality of heterogeneous executors after the operation corresponding to the service request has been performed. The unified service engine receives the service request result and, according to the service request result, controls the running node agent to clean, restore or reconstruct any abnormal heterogeneous executor.
Optionally, the system further comprises an operation management service. The operation management service sends an operation policy to the running node agent; the running node agent executes the operation policy and feeds the resulting policy execution result back to the operation management service; and the operation management service dynamically adjusts the operation policy on the basis of a deep learning model according to the policy execution result.
Optionally, the running node agent is further configured to monitor the states of the plurality of heterogeneous executors and send those states to the operation management service, wherein monitoring the states of the plurality of heterogeneous executors comprises collecting the outputs of the plurality of heterogeneous executors and listening to the resources of the plurality of heterogeneous executors.
Optionally, the distribution and adjudication service, the unified service engine and the operation management service are applications on the cloud platform, the running node agent is the agent of a plurality of heterogeneous executors built on the cloud platform, and the applications on the cloud platform interact with the agent of the plurality of heterogeneous executors on the cloud platform over a communication network.
According to a second aspect of the embodiments of the present invention, a cloud platform security operation and maintenance method using the mimic security system of any one of the first aspect is also provided. The method comprises: using the mimic security system to perform security operation and maintenance on the cloud platform.
Optionally, using the mimic security system to perform security operation and maintenance on the cloud platform comprises: adjudicating and scheduling the heterogeneous executors in the cloud platform on the basis of the mimic security system; and accessing the dynamic data and heterogeneous data in the cloud platform on the basis of high-security data protection technology.
Optionally, adjudicating and scheduling the heterogeneous executors in the cloud platform on the basis of the mimic security system comprises: adjudicating the heterogeneous executors in the cloud platform with a self-evolving-model-based adjudication technique; and cleaning, restoring or reconstructing abnormal heterogeneous executors with a rapid scheduling management and cleaning-and-restoration technique for heterogeneous executors, wherein reconstruction comprises changing the components or background tasks of a heterogeneous executor.
Optionally, adjudicating the plurality of heterogeneous executors with the self-evolving-model-based adjudication technique comprises: obtaining the historical operation policies and policy execution results of the plurality of heterogeneous executors; training a deep learning model on the historical operation policies and policy execution results; and dynamically adjusting the operation policy with the trained deep learning model.
Optionally, accessing the dynamic data and heterogeneous data on the basis of high-security data protection technology comprises: accessing the dynamic data in a segmented structure using a segmented protection strategy; and accessing the heterogeneous data among the plurality of heterogeneous executors using data distribution and state synchronization technology.
According to a third aspect of the embodiments of the present invention, a computer-readable storage medium is also provided, in which a computer program is stored, wherein the computer program is configured to perform the method steps of any of the above embodiments when run.
In the embodiments of the present invention, the running node agent receives the service request sent by the distribution and adjudication service, controls the plurality of heterogeneous executors to perform the operation corresponding to the service request, and generates the service request result from the states of the plurality of heterogeneous executors after that operation; the unified service engine receives the service request result and, according to it, controls the running node agent to clean, restore or reconstruct any abnormal heterogeneous executor. Because the plurality of heterogeneous executors, after receiving a service request such as a WEB request, send the service request result (that is, the state or output information of each heterogeneous executor after executing the request) to the unified service engine, the unified service engine can diagnose the heterogeneous executors from the service request result, clean and restore the abnormal ones or create new heterogeneous executors, and thereby keep the system running securely. In other words, the mimic defense system is an active defense system that can detect and locate vulnerabilities and repair them promptly, which solves the problem that the security systems used by existing cloud platforms are managed passively in security operation and maintenance.
In the embodiments of the present invention, the mimic security system is applied through cloud-network integration: a self-evolving-model-based adjudication technique uses a deep learning framework to dynamically adjust the adjudication policy of the mimic security system, improving the intelligence and precision of the adjudication policy; rapid scheduling management and cleaning-and-restoration of heterogeneous executors yields the characteristics of unknown attacks, which are used to improve and further complete the defense system of the mimic security system; and high-security data protection technology, using segmented data security protection, builds a multi-source data protection architecture covering dynamic data and heterogeneous data. As a result, even when the cloud platform is attacked, it can handle the anomaly while continuing to operate normally, and it can withstand and handle unknown risks, improving the initiative and reliability of cloud platform operation and maintenance.
Brief Description of the Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present invention and, together with the description, serve to explain the principles of the invention.
In order to describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings required for describing the embodiments or the prior art are briefly introduced below. Obviously, a person of ordinary skill in the art could derive other drawings from these drawings without creative effort.
Fig. 1 is a schematic diagram of an optional mimic security system according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of another optional mimic security system according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of an optional cloud platform according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of an optional distributed mimic security architecture with cloud-network integration according to an embodiment of the present invention.
Detailed Description
To enable those skilled in the art to better understand the solutions of the present invention, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort shall fall within the scope of protection of the present invention.
It should be noted that in the description of the present invention, the terms "first", "second" and the like are used to distinguish similar objects and need not describe a particular order or sequence. It should be understood that data so used may be interchanged where appropriate, so that the embodiments of the present invention described here can be practised in orders other than those illustrated or described here. Furthermore, the terms "comprising" and "having", and any variants thereof, are intended to cover a non-exclusive inclusion; for example, a process, method, system, product or device that comprises a series of steps or units is not necessarily limited to those steps or units expressly listed, but may include other steps or units not expressly listed or inherent to that process, method, product or device. The terms "mounted", "connected" and "coupled" should be understood broadly: for example, a connection may be fixed, detachable or integral; mechanical or electrical; direct, or indirect through an intermediary; an internal communication between two elements; wireless or wired. A person of ordinary skill in the art can understand the specific meanings of the above terms in the present invention according to the particular circumstances.
According to a first aspect of the embodiments of the present invention, a mimic security system is provided. The system comprises a distribution and adjudication service, a unified service engine and a running node agent. The running node agent receives a service request sent by the distribution and adjudication service, controls a plurality of heterogeneous executors to perform the operation corresponding to the service request, and generates a service request result from the states of the plurality of heterogeneous executors after that operation. The unified service engine receives the service request result and, according to it, controls the running node agent to clean, restore or reconstruct any abnormal heterogeneous executor.
Optionally, as shown in Fig. 1, the running node agent is the agent of a plurality of heterogeneous executors and is used to manage and control them. The running node agent receives from the distribution and adjudication service the service request, i.e. the operation to be performed and the scheduling and adjudication method, and feeds the service request result, such as the state or output information of each heterogeneous executor after executing the request, back to the unified service engine. By way of example, the distribution and adjudication service replicates a service request into several copies and sends them to the running node agent, which forwards the copies to the individual heterogeneous executors. Because each heterogeneous executor is designed to be dynamic, heterogeneous and redundant, the vulnerabilities and backdoors of the different executors are dispersed rather than shared, so that even if a heterogeneous executor is hit by an unknown attack, at any moment there remains a heterogeneous executor that operates normally. For a heterogeneous executor that has become abnormal after an attack, the unified service engine parses and diagnoses the service request result and then controls the running node agent to clean, restore or reconstruct that executor.
Reconstruction of a heterogeneous executor includes generating a new, functionally equivalent heterogeneous executor, or replacing certain components of the existing one, for example reconfiguring its resources by replacing components of the current executor, or adding or removing background tasks of the executor to change its operating scenario.
In the embodiments of the present invention, because the plurality of heterogeneous executors, after receiving a service request such as a WEB request, send the service request result (the state or output information of each executor after executing the request) to the unified service engine, the unified service engine diagnoses the heterogeneous executors from the service request result and cleans and restores the abnormal ones or creates new heterogeneous executors, keeping the system running securely. In other words, the mimic defense system is an active defense system that can detect and locate vulnerabilities and repair them promptly, which solves the problem that the security systems used by existing cloud platforms are managed passively in security operation and maintenance.
As an optional embodiment, the system further comprises an operation management service. The operation management service sends an operation policy to the running node agent; the running node agent executes the operation policy and feeds the resulting policy execution result back to the operation management service; and the operation management service dynamically adjusts the operation policy on the basis of a deep learning model according to the policy execution result.
Optionally, the operation management service is a feedback control component: it sends the operation policy for the heterogeneous executors to the running node agent and then dynamically adjusts the operation policy according to the policy execution result fed back by the running node agent. Specifically, a deep learning framework trains a model on the historical operation policies and policy execution results, and the weight parameters used in the operation policy to adjudicate abnormal field types are adjusted according to the execution results, making the operation policy more intelligent and precise. With majority adjudication alone, "majority" and "minority" are merely probabilistic statements, and it is difficult to reach a concrete conclusion without some prior knowledge or a third-party opinion. Mimic adjudication, however, re-votes using several voting strategies together with result weights from auxiliary decision parameters; when those auxiliary decision parameters incorporate factors from past voting results, for example by using the deep learning model to adjust the adjudication parameters in the operation policy, mimic adjudication acquires the character of spatio-temporal feedback.
In the embodiments of the present invention, dynamically adjusting the operation policy with a deep learning framework provides the necessary conditions for the secure and stable operation of the heterogeneous executors, improves the security, stability and reliability of the system, and reduces the risk of mimic escape, that is, it prevents sensitive information inside the system from being reproduced.
As an optional embodiment, the running node agent is further used to monitor the states of the plurality of heterogeneous executors and send those states to the operation management service, wherein monitoring the states of the plurality of heterogeneous executors comprises collecting the outputs of the plurality of heterogeneous executors and listening to the resources of the plurality of heterogeneous executors.
Optionally, the running node agent is also responsible for monitoring the plurality of heterogeneous executors; specifically, it listens to the resource state of each heterogeneous executor, collects the executor's output, and sends this information to the operation management service, which manages the states of the heterogeneous executors or uses the monitoring information to help adjust the operation policy. It should be noted that the running node agent can also obtain information such as the abnormal state, process state, system configuration and logs of a heterogeneous executor and send it to the unified service engine to assist the unified service engine in diagnosing the heterogeneous executors. In the embodiments of the present invention, obtaining the state and output information of the heterogeneous executors by monitoring them helps adjust the operation policy or manage the heterogeneous executors, further improving the security, stability and reliability of the system.
As an optional embodiment, the distribution and adjudication service, the unified service engine and the operation management service are applications on the cloud platform, the running node agent is the agent of a plurality of heterogeneous executors built on the cloud platform, and the applications on the cloud platform interact with the agent of the plurality of heterogeneous executors on the cloud platform over a communication network.
Optionally, the mimic security system is deployed on the cloud platform as shown in Fig. 3. The mimic cloud manager is the operation management service and is used to manage the heterogeneous container executor pool; the heterogeneous container executor pool is the running node agent, i.e. the agent of a plurality of heterogeneous executors built on the cloud platform. The mimic security operation support components comprise the distribution and adjudication service and the unified service engine, which, like the operation management service, are applications on the cloud platform. Besides scheduling the heterogeneous executors in the heterogeneous container executor pool, the mimic cloud manager is also responsible for application deployment, service orchestration, and monitoring and management of the mimic security operation support components and the heterogeneous container executor pool. In the embodiments of the present invention, deploying the mimic security system on the cloud platform, with its parts interacting over a communication network, improves the cloud platform's resistance to unknown vulnerabilities and uncertain threats.
According to a second aspect of the embodiments of the present invention, a cloud platform security operation and maintenance method using the mimic security system of any one of the first aspect is also provided. The method comprises: using the mimic security system to perform security operation and maintenance on the cloud platform. Optionally, most existing cloud platforms rely on passive defense based on prior knowledge, such as building a signature database against a virus from its known characteristics or patching the system for known vulnerabilities; such passive defense has difficulty withstanding uncertain threats such as unknown vulnerabilities or backdoors. After the mimic security system is adopted for the cloud platform, the heterogeneous executors, i.e. the nodes on the cloud platform, are dynamic, heterogeneous and redundant, which improves the fault tolerance and reliability of the system and makes it difficult for an attacker to probe effectively or mount a coordinated attack. Moreover, the nodes are scheduled according to the operation policy, so anomalies can be discovered and repaired promptly and the system kept balanced and stable. In the embodiments of the present invention, performing security operation and maintenance of the cloud platform on the basis of the mimic security system improves the reliability and security of the cloud platform and its resistance to unknown attacks.
As an optional embodiment, using the mimic security system to perform security operation and maintenance on the cloud platform comprises: adjudicating and scheduling the heterogeneous executors in the cloud platform on the basis of the mimic security system; and accessing the dynamic data and heterogeneous data in the cloud platform on the basis of high-security data protection technology. Optionally, besides relying on scheduling, adjudication and cleaning-and-restoration of the heterogeneous executors, security operation and maintenance of the cloud platform with the mimic security system also uses high-security data protection technology to split multi-source data into several protected parts according to business requirements and application scenarios, each with its own protection strategy, so that a malicious data access cannot reach all of the data in the space, which guarantees the security of data access on the cloud platform.
As an optional embodiment, adjudicating and scheduling the heterogeneous executors in the cloud platform on the basis of the mimic security system comprises: adjudicating the heterogeneous executors in the cloud platform with a self-evolving-model-based adjudication technique; and cleaning, restoring or reconstructing abnormal heterogeneous executors with a rapid scheduling management and cleaning-and-restoration technique for heterogeneous executors, wherein reconstruction comprises changing the components or background tasks of a heterogeneous executor.
Optionally, the self-evolving-model-based multi-mode adjudication technique addresses the problem of adjudicating the output results of the heterogeneous executors by dynamically adjusting the multi-mode adjudication strategy; after adjudication the heterogeneous executors are usually scheduled and cleaned, including rotating the deployment of heterogeneous variants across time and space and cleaning and restoring them. Specifically, the rapid scheduling management and cleaning-and-restoration technique for heterogeneous executors uses reconstruction, recombination, redefinition and other means to change the dissimilarity within the active defense system, thereby breaking the coordination of an attack and the inheritability of its intermediate results, and rendering software and hardware vulnerabilities and backdoors ineffective or unexploitable. It should be noted that the objects of scheduling management and cleaning-and-restoration include reconfigurable or software-definable heterogeneous executors, whether physical entities or virtual resources. New, functionally equivalent heterogeneous executors can be generated according to the degree of heterogeneity or a reconstruction and recombination strategy, or certain components of an existing heterogeneous executor can be replaced, for example reconfiguring its resources by replacing components of the current executor, or adding or removing background tasks to change its operating scenario, so as to reconstruct the heterogeneous executor.
As an optional embodiment, adjudicating the plurality of heterogeneous executors with the self-evolving-model-based adjudication technique comprises: obtaining the historical operation policies and policy execution results of the plurality of heterogeneous executors; training a deep learning model on the historical operation policies and policy execution results; and dynamically adjusting the operation policy with the trained deep learning model.
Optionally, a deep learning model trained on the historical operation policies and policy execution results of the heterogeneous executors can dynamically adjust the adjudication parameters in the operation policy. Because adjudication is usually an iterative process with feedback, using a deep learning model to learn from historical data and dynamically adjust the operation policy makes the operation policy more intelligent and precise. In addition, for numeric and complex-type output results of the heterogeneous executors, several adjudication strategies are provided, such as direct numeric comparison, data-flow comparison and field-content comparison, and the different fields are classified and retrieved by means of spanning trees and weighting, which reduces the adjudication latency.
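The dispatch, weighted multi-mode adjudication and clean/restore/reconstruct loop described above for the running node agent and unified service engine, together with the feedback adjustment of adjudication weights from execution history, as an added Python example that is not code from the patent. It assumes constructed executor names and outputs, assumed threshold values, and replaces the deep learning model of the text with a simple trust update driven by each executor's voting history.

```python
"""Added example: a toy mimic adjudication loop, not code from the patent.

Assumed simplification: the deep-learning based adjustment of adjudication
weights described in the text is replaced by a multiplicative trust update
driven by each executor's voting history. Executor names, outputs and all
threshold values are constructed for this example.
"""
from collections import defaultdict

# Per-field adjudication weights (constructed): disagreeing on a heavily
# weighted field contributes more to an executor's anomaly score.
FIELD_WEIGHTS = {"status": 1.0, "body_hash": 2.0, "content_length": 0.5}

# Scheduling policy of the unified service engine (assumed values).
ANOMALY_THRESHOLD = 1.0  # weighted mismatch at or above this marks the executor abnormal
RECONSTRUCT_AFTER = 3    # anomalies before the executor is rebuilt instead of cleaned


def dispatch(request, handlers):
    """Running node agent: forward one copy of the request to every executor."""
    return {name: handler(request) for name, handler in handlers.items()}


def adjudicate(outputs, trust, field_weights=FIELD_WEIGHTS):
    """Weighted multi-mode adjudication, field by field.

    Returns (consensus, score): consensus holds the winning value of each
    field; score maps each executor to the total weight of the fields on
    which it disagreed with the consensus.
    """
    consensus = {}
    for fname in field_weights:
        tally = defaultdict(float)
        for name, out in outputs.items():
            tally[out.get(fname)] += trust[name]
        consensus[fname] = max(tally.items(), key=lambda kv: kv[1])[0]
    score = {
        name: sum(w for fname, w in field_weights.items()
                  if out.get(fname) != consensus[fname])
        for name, out in outputs.items()
    }
    return consensus, score


def update_trust(trust, score, rate=0.2):
    """Feedback step: lower trust in executors that lost a vote and slowly
    restore trust in executors that agreed with the consensus."""
    for name, s in score.items():
        if s > 0:
            trust[name] *= 1 - rate
        else:
            trust[name] = min(1.0, trust[name] + rate * (1.0 - trust[name]))
    return trust


def schedule(score, history, threshold=ANOMALY_THRESHOLD, limit=RECONSTRUCT_AFTER):
    """Unified service engine: map anomaly scores to clean / restore / reconstruct.

    history counts how many times each executor has been flagged so far.
    """
    actions = {}
    for name, s in score.items():
        if s < threshold:
            continue
        history[name] = history.get(name, 0) + 1
        if history[name] >= limit:
            actions[name] = "reconstruct"  # rebuild a functionally equivalent executor
        elif history[name] > 1:
            actions[name] = "restore"      # roll back to a known-good image
        else:
            actions[name] = "clean"        # first anomaly: clean in place
    return actions


def run_rounds(requests, handlers):
    """Drive the full loop over several requests; returns the per-round
    (consensus, actions) log, the final trust table and the anomaly history."""
    trust = {name: 1.0 for name in handlers}
    history = {}
    log = []
    for req in requests:
        outputs = dispatch(req, handlers)
        consensus, score = adjudicate(outputs, trust)
        actions = schedule(score, history)
        update_trust(trust, score)
        log.append((consensus, actions))
    return log, trust, history


# Constructed executors: two healthy variants agree; the third returns a
# tampered body hash, standing in for a compromised executor.
def _healthy(req):
    return {"status": 200, "body_hash": "h-" + req["path"],
            "content_length": 10 * len(req["path"])}


def _tampered(req):
    out = _healthy(req)
    out["body_hash"] = "h-injected"
    return out


HANDLERS = {"exec-A": _healthy, "exec-B": _healthy, "exec-C": _tampered}
REQUESTS = [{"path": "/index"}, {"path": "/login"}, {"path": "/api/v1"}]

if __name__ == "__main__":
    for i, (consensus, actions) in enumerate(run_rounds(REQUESTS, HANDLERS)[0]):
        print(f"round {i}: consensus={consensus} actions={actions}")
```

Over the three constructed requests the tampered executor is flagged every round, so the engine escalates from clean to restore to reconstruct while its vote weight decays.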
As an optional embodiment, accessing dynamic data and heterogeneous data with the high-security data protection technology includes: accessing dynamic data in a segmented structure under a segmented protection strategy; and accessing heterogeneous data among the multiple heterogeneous executors with data distribution and state synchronization technology. Optionally, the high-security data protection technology is a segmented data security protection technology based on application policy. It builds a multi-element data protection architecture with endogenous security characteristics, covering dynamic data access and heterogeneous data collaboration, and forms a data protection scheme whose reference variables are the data volume, data type and read/write frequency of the application scenario. Specifically, for the dynamic data access architecture, the data is segmented according to business defense requirements; each segment is called a shard structure and represents one protected part after partitioning. Single or combined dynamic, heterogeneous and redundant techniques give each shard a different protection strategy, which secures data access.
For the heterogeneous data access collaboration architecture, existing cloud data distribution and state synchronization technology solves the data distribution and state synchronization problem among the heterogeneous executors, so that every executor can access and operate on data in a synchronized way. This achieves access and operation between cloud platform storage devices and databases under the mimic defense mechanism.
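As an added example (not the patent's code) of the two ideas in the passage above, the block below chooses a protection policy per data segment from its volume, type and write frequency, and distributes a versioned update log to several heterogeneous executors, with a digest check that tells a lagging executor (needs resynchronization) apart from a diverged one (same version, different state, a candidate for cleaning). The policy names, thresholds, executor names and records are assumptions made for the example.

```python
"""Segment-level protection policy and state synchronization across executors (added example)."""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Segment:
    name: str
    volume_bytes: int
    data_type: str        # e.g. "credential", "config", "telemetry" (assumed categories)
    writes_per_min: float


def choose_policy(seg: Segment) -> str:
    """Assign a protection policy per segment so that one compromise does not expose every shard.
    The thresholds and policy names are assumptions for the example."""
    if seg.data_type == "credential":
        return "heterogeneous-redundant"   # replicated across unlike executors, read by majority
    if seg.writes_per_min > 100:
        return "dynamic-rotate"            # high churn: rotate storage location and keys often
    if seg.volume_bytes > 10 * 1024 ** 2:
        return "redundant"                 # large, cold data: extra copies plus periodic audit
    return "dynamic"


def digest(state: Dict[str, str]) -> str:
    return hashlib.sha256(json.dumps(state, sort_keys=True).encode()).hexdigest()


@dataclass
class Executor:
    name: str
    version: int = 0
    state: Dict[str, str] = field(default_factory=dict)

    def apply(self, version: int, key: str, value: str) -> bool:
        """Apply one log entry; refuse out-of-order entries so the caller resynchronizes instead."""
        if version != self.version + 1:
            return False
        self.state[key] = value
        self.version = version
        return True


class Distributor:
    """Primary-side update log that pushes every entry, in order, to each executor."""

    def __init__(self, executors: List[Executor]) -> None:
        self.log: List[Tuple[int, str, str]] = []
        self.executors = executors

    def write(self, key: str, value: str, skip: Tuple[str, ...] = ()) -> None:
        entry = (len(self.log) + 1, key, value)
        self.log.append(entry)
        for ex in self.executors:
            if ex.name not in skip:        # `skip` models a message lost on the way to that executor
                ex.apply(*entry)

    def resync(self, ex: Executor) -> None:
        """Replay the entries a lagging executor has not seen yet."""
        for entry in self.log[ex.version:]:
            ex.apply(*entry)

    def reference(self) -> Tuple[int, str]:
        state: Dict[str, str] = {}
        for _, key, value in self.log:
            state[key] = value
        return len(self.log), digest(state)


def check_sync(dist: Distributor) -> Dict[str, str]:
    """Classify each executor against the primary log: in-sync, lagging or diverged."""
    ref_version, ref_digest = dist.reference()
    status = {}
    for ex in dist.executors:
        if ex.version < ref_version:
            status[ex.name] = "lagging"        # benign: replay the missing entries
        elif digest(ex.state) == ref_digest:
            status[ex.name] = "in-sync"
        else:
            status[ex.name] = "diverged"       # same version, different state: clean it
    return status


def demo() -> Tuple[Dict[str, str], Dict[str, str]]:
    execs = [Executor("exec-A"), Executor("exec-B"), Executor("exec-C")]
    dist = Distributor(execs)
    dist.write("acl/alice", "viewer")                  # constructed records
    dist.write("acl/bob", "admin", skip=("exec-C",))   # exec-C misses this update
    execs[1].state["acl/alice"] = "admin"              # constructed tampering on exec-B
    before = check_sync(dist)
    dist.resync(execs[2])
    return before, check_sync(dist)
```

After resynchronization only the tampered executor remains out of sync, which is the one the mimic mechanism should clean and replace; the lagging one is recovered by replaying the log rather than treated as an attack.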
As an optional embodiment, FIG. 4 is a schematic diagram of an optional cloud-network-converged distributed mimic security architecture according to an embodiment of the invention. As shown in FIG. 4, the architecture is based on an autonomous and controllable hardware and software platform, follows the dynamic, heterogeneous and redundant architecture design idea, and converges the cloud platform with the communication network to realize a distributed mimic security architecture. The hardware layer uses heterogeneous domestic processors such as Phytium, Kunpeng and Sunway (Shenwei), and the operating system layer uses Deepin, NeoKylin, Kylin and others, forming a heterogeneous executor operating environment in which the vulnerabilities and backdoors of different executors are decorrelated. Business-flow-oriented distribution agents, multi-mode adjudication and feedback control components are built on microservice technology, forming a mimic security operating environment that is dynamically variable in both time and space.
Of its four parts, the distribution and judgment service sends service requests, that is, the operation to be performed together with the scheduling and judgment method, to the running node agents (the agents of the individual heterogeneous executors). The scheduling and judgment methods include synchronous judgment, asynchronous judgment, ordinary-type judgment and complex-type judgment. The running node agent links the other parts to the heterogeneous executors: after a service request is accepted, each executor performs the corresponding operation, and the agent collects node data, that is, monitors node status, including collecting each executor's output and monitoring each executor's resources, and forwards the executors' service request results to the unified service engine. The unified service engine accesses the results sent by the heterogeneous executors through a unified interface and performs service request parsing, threat diagnosis and threat cleaning on them. Executors diagnosed as faulty are cleaned and restored, which includes creating secure executors; that is, the unified service engine instructs the running node agent to clean and restore the heterogeneous executors. The running node agent is also responsible for the executors' communication services.
The operation management service is the feedback control component. It is responsible for the operation management portal, mimic policy management, mimic policy distribution, executor scheduling, executor pool management, executor deployment, node status management and executor load balancing. It sends the running strategy to the running node agents and, based on the strategy's running results, uses a deep learning framework to learn from the historical adjudication records so as to dynamically adjust the weights of the abnormal field types used in adjudication, making the adjudication strategy more intelligent and precise. In this embodiment, the cloud-network-converged distributed mimic security architecture makes cloud platform security operation and maintenance more proactive, allows operation and maintenance to be carried out while the cloud platform is serving business, and strengthens the link between cloud platform business and operation and maintenance.
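The following added example (not the patent's code) wires together the four parts described above in a single control loop: a distribution/judgment service that dispatches a request under a synchronous or asynchronous judgment mode, node agents that run each heterogeneous executor and report its output, a unified service engine that diagnoses the replies, and an operation management service that cleans and re-images a flagged executor, deploys a spare from the pool, and rotates the oldest executor on a fixed schedule. Executor handlers, latencies, pool contents, the quorum and the request are all constructed for the example; "asynchronous" rules as soon as a quorum of identical replies has arrived and checks the stragglers afterwards.

```python
"""Control loop of the distributed mimic architecture: dispatch, collect, judge, clean, rotate (added example)."""
from collections import Counter
from typing import Callable, Dict, List, Optional, Tuple

Handler = Callable[[str], str]
Reply = Tuple[str, str, float]      # (executor name, output, latency in seconds)


class NodeAgent:
    """Running node agent: runs one heterogeneous executor and reports its output.
    Latency is a fixed attribute so the example is deterministic and runs offline."""

    def __init__(self, name: str, handler: Handler, latency: float) -> None:
        self.name, self.handler, self.latency = name, handler, latency

    def run(self, request: str) -> Reply:
        return self.name, self.handler(request), self.latency


class JudgmentService:
    """Distribution/judgment service: sends the request to every agent and rules on the replies."""

    def __init__(self, quorum: int) -> None:
        self.quorum = quorum

    def dispatch(self, agents: List[NodeAgent], request: str, mode: str) -> Tuple[Optional[str], List[Reply]]:
        replies = sorted((a.run(request) for a in agents), key=lambda r: r[2])  # arrival order
        if mode == "synchronous":          # wait for every executor before ruling
            considered = replies
        elif mode == "asynchronous":       # rule once a quorum of identical outputs has arrived
            considered = []
            for r in replies:
                considered.append(r)
                if Counter(x[1] for x in considered).most_common(1)[0][1] >= self.quorum:
                    break
        else:
            raise ValueError(f"unknown judgment mode {mode!r}")
        accepted, votes = Counter(x[1] for x in considered).most_common(1)[0]
        return (accepted if votes >= self.quorum else None), replies


class UnifiedServiceEngine:
    """Threat diagnosis: any executor whose reply differs from the accepted output is flagged.
    Stragglers from an asynchronous ruling are diagnosed here too, after the answer was served."""

    @staticmethod
    def diagnose(accepted: Optional[str], replies: List[Reply]) -> List[str]:
        if accepted is None:
            return [name for name, _, _ in replies]   # no quorum: treat every executor as suspect
        return [name for name, out, _ in replies if out != accepted]


class OperationManagementService:
    """Executor pool management, cleaning/recovery and time-slice rotation."""

    def __init__(self, online: List[NodeAgent], spares: Dict[str, Handler],
                 clean_images: Dict[str, Handler], rotate_every: int) -> None:
        self.online, self.spares, self.clean_images = online, dict(spares), clean_images
        self.rotate_every, self.served = rotate_every, 0

    def _swap(self, old: NodeAgent) -> str:
        """Deploy a spare in place of `old`; `old` goes back to the pool re-imaged from its clean copy."""
        spare_name = next(iter(self.spares))
        handler = self.spares.pop(spare_name)
        self.spares[old.name] = self.clean_images[old.name]
        self.online.append(NodeAgent(spare_name, handler, old.latency))
        return spare_name

    def clean_and_recover(self, name: str) -> str:
        idx = next(i for i, a in enumerate(self.online) if a.name == name)
        return self._swap(self.online.pop(idx))

    def after_request(self) -> Optional[str]:
        """Rotate the longest-deployed executor every `rotate_every` requests (time-slice rotation)."""
        self.served += 1
        return self._swap(self.online.pop(0)) if self.served % self.rotate_every == 0 else None


def ok(request: str) -> str:
    return "OK:" + request.split("=")[1]


def tampered(request: str) -> str:          # constructed compromised executor
    return ok(request) + ";role=admin"


def run_demo() -> List[dict]:
    clean = {"exec-A": ok, "exec-B": ok, "exec-C": ok, "spare-A": ok, "spare-B": ok}
    online = [NodeAgent("exec-A", ok, 0.01), NodeAgent("exec-B", ok, 0.02),
              NodeAgent("exec-C", tampered, 0.05)]
    mgmt = OperationManagementService(online, {"spare-A": ok, "spare-B": ok}, clean, rotate_every=2)
    judge = JudgmentService(quorum=2)
    log = []
    for mode in ("asynchronous", "synchronous"):
        accepted, replies = judge.dispatch(mgmt.online, "user=alice", mode)
        flagged = UnifiedServiceEngine.diagnose(accepted, replies)
        replaced = [mgmt.clean_and_recover(n) for n in flagged]
        log.append({"mode": mode, "accepted": accepted, "flagged": flagged, "replaced": replaced,
                    "rotated": mgmt.after_request(), "online": [a.name for a in mgmt.online]})
    return log


if __name__ == "__main__":
    for entry in run_demo():
        print(entry)
```

In the first round the two fast, agreeing executors satisfy the quorum before the tampered one replies, so the answer is served without waiting for it; the straggler is still diagnosed, cleaned and replaced by a spare. The second round is clean, and the scheduled rotation then swaps out the longest-deployed executor regardless of any finding, which is what denies an attacker a stable target.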
According to a third aspect of the embodiments of the invention, a storage medium is also provided. Optionally, in this embodiment, the storage medium may be used to store program code for executing the cloud platform security operation and maintenance method.
Optionally, in this embodiment, the storage medium may be located on at least one of the multiple network devices in the network shown in the above embodiments.
Optionally, for specific examples in this embodiment, reference may be made to the examples described in the above embodiments, which are not repeated here.
Optionally, in this embodiment, the storage medium may include, but is not limited to, media capable of storing program code such as a USB flash drive, ROM, RAM, removable hard disk, magnetic disk or optical disk.
The serial numbers of the above embodiments are for description only and do not indicate the relative merits of the embodiments. In the above embodiments, each description has its own emphasis; for parts not detailed in one embodiment, refer to the related descriptions of the other embodiments. The foregoing is only a preferred embodiment of the invention. It should be pointed out that those of ordinary skill in the art may make several improvements and modifications without departing from the principle of the invention, and these improvements and modifications should also be regarded as falling within the scope of protection of the invention.
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310252995.XA (CN116248404A) | 2023-03-07 | 2023-03-07 | Mimicry security system and cloud platform security operation and maintenance method |
| Publication Number | Publication Date |
|---|---|
| CN116248404A | 2023-06-09 |
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310252995.XA (pending, CN116248404A) | Mimicry security system and cloud platform security operation and maintenance method | 2023-03-07 | 2023-03-07 |
| Country | Link |
|---|---|
| CN (1) | CN116248404A (en) |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN119520108A (en)* | 2024-11-21 | 2025-02-25 | 紫金山实验室 | Resource calling method, device, electronic device, storage medium and product |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107454082A (en)* | 2017-08-07 | 2017-12-08 | 中国人民解放军信息工程大学 | Secure cloud service construction method and device based on mimicry defence |
| CN109302421A (en)* | 2018-11-23 | 2019-02-01 | 国网浙江省电力有限公司电力科学研究院 | Application system security protection strategy optimization method and device |
| CN112242923A (en)* | 2020-09-15 | 2021-01-19 | 中国人民解放军战略支援部队信息工程大学 | System and method for realizing unified data management network function based on mimicry defense |
| CN113973018A (en)* | 2021-12-22 | 2022-01-25 | 南京微滋德科技有限公司 | Endogenous safety-based Internet of things terminal data processing method and system |
| CN114826782A (en)* | 2022-06-28 | 2022-07-29 | 之江实验室 | Multi-mode arbitration negative feedback system based on multi-objective optimization algorithm |
| Publication | Publication Date | Title |
|---|---|---|
| US20220121995A1 (en) | Automatic generation of training data for anomaly detection using other user's data samples | |
| Mogul | Emergent (mis) behavior vs. complex software systems | |
| KR100714157B1 (en) | Computer-based methods, computer-readable recording media and data processing systems | |
| Dong et al. | DISTDET: A cost-effective distributed cyber threat detection system | |
| JP5030578B2 (en) | Method, data processing system, and program for controlling risk in an artificial neural network expert system | |
| US20240193169A1 (en) | Task and process mining by robotic process automations across a computing environment | |
| US10728085B1 (en) | Model-based network management | |
| US20200042647A1 (en) | Machine-learning to alarm or pre-empt query execution | |
| EP3956771B1 (en) | Timeout mode for storage devices | |
| EP4049433A1 (en) | User impact potential for security alert management | |
| Noel et al. | Towards self-managing cloud storage with reinforcement learning | |
| Esfahani et al. | Inferring software component interaction dependencies for adaptation support | |
| US12061515B2 (en) | Methods and systems that automatically predict distributed-computer-system performance degradation using automatically trained machine-learning components | |
| Mazur et al. | Mitigating cloud computing security risks using a self-monitoring defensive scheme | |
| CN116248404A (en) | Mimicry security system and cloud platform security operation and maintenance method | |
| Ficco et al. | Security and resilience in intelligent data-centric systems and communication networks | |
| Pavlenko et al. | Ensuring the sustainability of cyberphysical systems based on dynamic reconfiguration | |
| Pentyala | Artificial intelligence for fault detection in cloud-optimized data engineering systems | |
| Mahmoud | Enhancing hosting infrastructure management with AI-powered automation | |
| Jakkaraju | Autonomous Security Agents for Real-Time IAM Policy Hardening in Multi-Cloud DevOps Pipelines | |
| Marshall et al. | Reliability improvement and models in autonomic computing | |
| Zimmer et al. | Towards self-optimization in HPC I/O | |
| EP4181004B1 (en) | Enabling custom privacy for executing applications on data cooperatives | |
| Dehraj et al. | An approach to design and develop generic integrated architecture for autonomic software system | |
| Dai | Autonomic computing and reliability improvement |
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||