Methods and Equipment for Stealth in Power Information System Networks Based on Moving Target Defense

By monitoring the operational status of the power information system network and recording the number of security authentication failure events, and by adopting an adaptive IP, port address, and virtualized gateway selection strategy, the problem of the lack of address selection strategy in traditional network stealth methods is solved, thus realizing network stealth for the power information system and improving communication security and robustness.

CN118573397B · Active · Publication Date: 2026-06-30 · BEIJING UNIV OF POSTS & TELECOMM +4

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
BEIJING UNIV OF POSTS & TELECOMM
Filing Date
2024-04-19
Publication Date
2026-06-30

AI Technical Summary

Technical Problem

Traditional network stealth methods lack address selection strategies, which affects the security of hopping addresses, and the strategy of judging whether a device is normal by comparing addresses has significant security risks.

Method used

By monitoring the working status of the power information system network, recording the number of security authentication failure events, matching the corresponding hopping trigger conditions, and adopting a weighted random IP and port address selection strategy based on address distance together with a virtualization gateway selection strategy that considers both load and hopping overhead, the hopping operations for the IP address, port address, and virtualization gateway are executed.

Benefits of technology

It increases the difficulty for attackers to detect, achieves network stealth in the attack surface dimension, effectively protects the communication security of power information systems, and balances network security and communication quality.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN118573397B_ABST

Abstract

This invention provides a method and device for network stealth in power information systems based on moving target defense. It monitors the operational status of the power information system network and records the number of security authentication failure events in the network within each cycle. Based on the number of security authentication failure events, it matches the corresponding hopping trigger conditions. After the corresponding hopping trigger conditions are met, it selects an IP address and port address using an adaptive weighted random IP and port address selection strategy based on address distance, and selects a virtualization gateway using a virtualization gateway selection strategy that considers both load and hopping overhead. A hopping operation is then performed based on the selected IP address, port address, and virtualization gateway. By using different hopping strategies to perform IP address hopping, port address hopping, and virtualization gateway hopping in the power information system, the method expands the space an attacker must probe, increases the difficulty of reconnaissance, achieves network stealth at the attack surface level, and effectively protects the communication security of the power information system.

Description

Technical Field

[0001] This invention relates to the field of network security protection technology for power information systems, and in particular to a method and device for network stealth in power information systems based on moving target defense.

Background Technology

[0002] Software Defined Perimeter (SDP) is a network security technology designed to provide more secure access control by dynamically creating network connections. SDP achieves fine-grained control over each connection by creating secure connections based on authentication and authorization. This means that only authenticated and authorized users can access specific applications or services, which hides network resources and effectively reduces the network attack surface. Power information systems under the SDP architecture include key components such as secure terminals, business systems, stealth controllers, and stealth gateways. When a secure terminal wants to access services of a business system, it cannot directly establish a connection with the business system. It must first complete authentication at the stealth controller; only after successful authentication and after obtaining the business system's address can it communicate and obtain services. The stealth gateway acts as a proxy for the business system and functions as a firewall. By default, it discards all data packets. Only after a secure terminal has been authenticated and authorized by the controller will the stealth gateway agree to communicate with that secure terminal.

[0003] Attackers often need to perform reconnaissance and scanning to gather information about the target system before launching an attack. Under the SDP architecture, although strict access control is applied to business systems and the network exposure surface is reduced, the risk of being scanned still exists. Attackers may perform reconnaissance and scanning during communication between secure terminals and stealth gateways, analyzing information such as IP addresses and port addresses in network packets to locate the business system, learn its open ports and corresponding services, and then execute subsequent attack actions based on this information. Related technologies determine whether a device is functioning correctly by comparing the IP address of a data packet with the address in the real address table of the software-defined network controller. For normal IoT terminal devices, a virtual address selection module is invoked to select available virtual IP addresses and virtual MAC addresses from the virtual address pool to deploy address hopping defense strategies. For abnormal IoT terminal devices, a policy update module is invoked to dynamically modify the address hopping period; when the hopping period falls below the minimum value, the device's interaction with the network is blocked, enhancing network security. Although this achieves randomized forwarding paths and multiple IP and MAC address hops, increasing the stealth of terminal devices, the lack of an address selection strategy affects the security of address hopping, and the strategy of judging whether a device is normal by address comparison carries significant security risks.

Summary of the Invention

[0004] This invention provides a method and device for network stealth in power information systems based on moving target defense, which remedies the defects of traditional network stealth methods: the lack of an address selection strategy, which affects the security of hopping addresses, and the significant security risks of judging whether a device is normal by address comparison.

[0005] This invention provides a network stealth method for power information systems based on moving target defense, comprising:

[0006] Monitoring the working status of the power information system network, recording the number of security authentication failure events in the network in each cycle, and matching the corresponding hopping trigger conditions according to the number of security authentication failure events;

[0007] After the corresponding hopping trigger conditions are met, selecting the IP address and port address using the adaptive weighted random IP and port address selection strategy based on address distance, and selecting the virtualization gateway using the virtualization gateway selection strategy that considers both load and hopping overhead;

[0008] Performing a hopping operation based on the selected IP address, port address, and virtualization gateway.

[0009] According to the present invention, a method for stealth in a power information system network based on moving target defense is provided, wherein matching the corresponding hopping trigger conditions based on the number of security authentication failure events comprises:

[0010] If the number of security events counted in this cycle exceeds the preset threshold before the end of the hopping cycle, the event trigger condition is matched; otherwise, the periodic trigger condition is matched;

[0011] After the event trigger condition is met, an event-triggered hop is executed;

[0012] After the periodic trigger condition is met, a periodically triggered hop is executed at the end of the current hopping cycle.

[0013] According to the present invention, a network stealth method for power information systems based on moving target defense is provided, wherein the IP and port addresses hop according to a first hopping cycle and the virtualization gateway hops according to a second hopping cycle, and the method further includes:

[0014] Adaptively adjusting the first and second hopping cycles based on the detected threat events.

[0015] According to the present invention, a method for stealth in a power information system network based on moving target defense is provided, wherein adaptively adjusting the first hopping cycle and the second hopping cycle according to the detected threat events includes:

[0016] If the current hopping cycle is event-triggered, and a threat event was detected in the previous hopping cycle, the hopping cycle is shortened based on the hopping cycle increment/decrement function;

[0017] If the previous hopping cycle was also event-triggered, the shortening of the hopping cycle is increased;

[0018] If no threat event is detected in the current hopping cycle, the hopping cycle is lengthened based on the hopping cycle increment/decrement function;

[0019] The hopping cycle increment/decrement function is:

[0020]

[0021] where s_i = 0 indicates that cycle i was triggered by the periodic mechanism, s_i = 1 indicates that cycle i was triggered by the event mechanism, and i ≥ 1.

[0022] According to the present invention, a network stealth method for power information systems based on moving target defense is provided, wherein selecting the IP address and port address using the adaptive weighted random IP and port address selection strategy based on address distance includes:

[0023] Constructing the set of virtual IP addresses available to the connection, with set size m. The m IP addresses are arranged in order as M = {IP0, IP1, ..., IPm-1}. A weight array W = [w0, w1, ..., wm-1] is created and each element is initialized to n. The size of the virtual address set remains unchanged throughout the communication; newly available IPs that appear are not added;

[0024] If an address in the current set is occupied by another connection, the released address is added to the set and inherits the weight of the occupied address;

[0025] Once the weights are determined, the address configuration for this cycle is selected by the weighted random selection algorithm. When the next hop is triggered, the weight array is updated and the virtual source and destination IP addresses selected for the current cycle are returned.

[0026] According to the present invention, a method for stealth in a power information system network based on moving target defense is provided, wherein updating the weight array includes:

[0027] Let the weight array of the previous hopping cycle be W' and w'_i be its i-th element. For each element of W', the new weight array is updated simultaneously with respect to the source and destination addresses using the following update formula:

[0028]

[0029] where w_i is the weight of the i-th IP address in the current hopping cycle, k is the size of the virtualization gateway set, m is the size of the address set, and n is the initial weight value.

[0030] According to the present invention, a method for stealth in a power information system network based on moving target defense is provided, wherein selecting a virtualization gateway using the virtualization gateway selection strategy that considers both load and hopping overhead includes:

[0031] When a new hopping cycle begins, locating the virtualization gateway used in the previous hopping cycle;

[0032] Counting the number of connections and the load carried by each virtualization gateway. If the load of a virtualization gateway is 0, that virtualization gateway is directly selected as the one used in this cycle;

[0033] Based on the combined strategy that considers both hopping overhead and load, selecting the virtualization gateway with the best hopping performance, and updating the network operating state matrix.

[0034] The combined strategy for hopping overhead and load is as follows:

[0035] Target virtualization host:

[0036]

[0037] where t denotes the current hopping cycle and t-1 the previous hopping cycle; a normalization coefficient is applied to the hopping cost; a_pq is the hopping cost between virtualization gateway p and virtualization gateway q, where p and q are virtualization gateway numbers; K is the set of virtualization gateways and k the size of that set; βa_jn is the normalized hopping overhead; re_n is the resource required by virtualization gateway n to handle one communication connection; Re_n is the resource constraint of virtualization gateway n; x_i,j(t) indicates whether communication i is served by virtualization gateway j in the hopping cycle; and n is the optimal virtualization gateway that satisfies all constraints.
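The two selection rules above, as an added example in Python written for this page (not the patent's implementation): a gateway with load 0 is chosen directly, and otherwise the gateway that still satisfies its resource constraint and has the lowest combined score of normalized hopping overhead and load is chosen, after which the row of the state matrix x_i,j(t) for that communication is updated. The objective function itself is not reproduced on the page, so the concrete score (βa_{prev,n} plus load relative to Re_n), the sample cost matrix A_PQ, and the gateway states are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Gateway:
    """State of one virtualization gateway (constructed sample values)."""
    gid: int           # gateway number n
    re: float          # resource needed per connection (re_n on the page)
    Re: float          # resource constraint of the gateway (Re_n on the page)
    connections: int   # connections currently served

    @property
    def load(self) -> float:
        return self.connections * self.re

    def can_accept(self) -> bool:
        # One more connection must keep the gateway within its resource constraint.
        return self.load + self.re <= self.Re


# Constructed symmetric hopping-cost matrix a_pq between gateways p and q.
# A real deployment would derive it from path changes and rule re-installation cost.
A_PQ = [
    [0.0, 2.0, 9.0],
    [2.0, 0.0, 4.0],
    [9.0, 4.0, 0.0],
]


def select_gateway(gateways, prev, a=A_PQ, beta=0.1, load_weight=1.0):
    """Choose the gateway for the new hopping cycle.

    Rule 1 (page, [0032]): a gateway with load 0 is selected directly.
    Rule 2 (assumed scoring for the page's combined strategy): among gateways
    that still satisfy their resource constraint, minimise
        beta * a[prev][n]            normalised hopping overhead (0 if staying on prev)
      + load_weight * load_n / Re_n  relative load.
    """
    idle = [g for g in gateways if g.load == 0]
    if idle:
        return min(idle, key=lambda g: g.gid)
    feasible = [g for g in gateways if g.can_accept()]
    if not feasible:
        raise RuntimeError("no virtualization gateway satisfies its resource constraint")

    def score(g):
        overhead = 0.0 if g.gid == prev else beta * a[prev][g.gid]
        return overhead + load_weight * g.load / g.Re

    return min(feasible, key=score)


def update_state(x, comm, chosen_gid):
    """Update the network operating state matrix row for communication `comm`:
    x[comm][j] = 1 only for the gateway that now serves it."""
    x[comm] = [1 if j == chosen_gid else 0 for j in range(len(x[comm]))]
    return x


if __name__ == "__main__":
    gws = [Gateway(0, 1.0, 4.0, 3), Gateway(1, 1.0, 4.0, 2), Gateway(2, 1.0, 4.0, 4)]
    chosen = select_gateway(gws, prev=0)          # gateway 2 is full, 1 scores best
    print(chosen.gid, update_state([[1, 0, 0]], comm=0, chosen_gid=chosen.gid))
```

In the sample state gateway 2 is at its resource limit and is excluded, gateway 0 has no hopping overhead but the highest relative load, and gateway 1 wins with a score of 0.7 against 0.75; if any gateway reported zero load it would be taken before scoring at all.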

[0038] According to the present invention, a method for stealth in a power information system network based on moving target defense is provided, wherein performing a hopping operation based on the selected IP address, port address, and virtualization gateway comprises:

[0039] After the secure terminal passes security authentication at the stealth controller, it obtains the virtual destination address provided by the controller, uses the terminal information to send data packets to the business system, and sends the data packets to the directly connected user-side agent.

[0040] After receiving a data packet, the switch matches it against the flow table in the switch and performs address changes and forwarding based on the action of matching the flow table. If no matching flow table entry is found, the data packet is forwarded to the stealth controller via a Packet-In message.

[0041] After receiving the Packet-In message, the stealth controller looks up the endpoint information mapping table to obtain the virtual source address corresponding to the real source address, generates the corresponding flow table and sends it to the switch. The user-side agent acts as the source switch for the secure terminal. The address modification action in the flow table is to modify the real source address information in the data packet to the virtual source address. After the data packet address information is successfully modified, the data packet is forwarded according to the forwarding port specified in the flow table action.

[0042] The user-side agent modifies the address information of the data packet to a virtual source address and a virtual destination address based on the flow table information issued by the stealth controller, and then forwards the data packet to the stealth gateway.

[0043] The stealth gateway receives data packets. After the data packet is successfully matched with the flow table, the IP address of the data packet is changed according to the action of the flow table. As the destination switch, the matching fields of the stealth gateway flow table are the virtual source address and the virtual destination address. The address modification action in the flow table is to change the virtual address of the business system to the real address. After modification, it is the virtual source address and the real destination address. Then the data packet is sent to the business system.

[0044] After receiving a message from the secure terminal, the business system replies with a data packet containing the virtual source address and the real destination address.

[0045] After receiving data packets from the business system, the stealth gateway modifies the endpoint information of the data packets to the virtual source and virtual destination addresses based on the flow table information, and then forwards them to the user-side agent.

[0046] After receiving the data packet, the user-side agent modifies the packet's endpoint information to the real source address and virtual destination address, and then forwards it to the secure terminal.
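The forward and reverse address rewriting described in [0039] to [0046], as an added Python simulation written for this page (not the patent's code): a user-side agent and a stealth gateway each hold a flow table keyed on (source, destination); a table miss raises a Packet-In to the stealth controller, which consults its endpoint mapping table and installs the rewrite rules for both directions. The addresses, the role names and the `rehop_terminal` helper (which swaps a terminal's virtual address and drops the rules that used the old one, without modelling the delayed deletion of [0049]) are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: str


class StealthController:
    """Holds the endpoint information mapping table and answers Packet-In messages
    by installing flow rules. Addresses used below are constructed sample values."""

    def __init__(self, terminal_map, business_real, business_virtual):
        self.terminal_map = dict(terminal_map)      # real terminal addr -> virtual addr
        self.business_real = business_real
        self.business_virtual = business_virtual
        self.packet_ins = 0

    def handle_packet_in(self, switch, pkt):
        self.packet_ins += 1
        if switch.role == "user-agent" and pkt.src in self.terminal_map:
            real, virt = pkt.src, self.terminal_map[pkt.src]
            # Source switch: real source -> virtual source, forward to the gateway;
            # the reverse rule restores the real terminal address on the way back.
            switch.install((real, pkt.dst), {"src": virt}, "stealth-gateway")
            switch.install((pkt.dst, virt), {"dst": real}, "terminal")
        elif switch.role == "stealth-gateway" and pkt.dst == self.business_virtual:
            # Destination switch: virtual business address -> real business address;
            # the reverse rule re-virtualises the business system's real source address.
            switch.install((pkt.src, pkt.dst), {"dst": self.business_real}, "business")
            switch.install((self.business_real, pkt.src), {"src": self.business_virtual}, "user-agent")
        else:
            raise ValueError(f"{switch.role}: no mapping for {pkt.src}->{pkt.dst}")

    def rehop_terminal(self, real, new_virtual, switches):
        """Assumed hop helper: change a terminal's virtual address and remove every
        rule that matched or produced the old one, so the next packet is re-resolved."""
        old = self.terminal_map[real]
        self.terminal_map[real] = new_virtual
        for sw in switches:
            sw.flow_table = {k: v for k, v in sw.flow_table.items()
                             if old not in k and old not in v[0].values()}


class Switch:
    def __init__(self, role, controller):
        self.role = role
        self.controller = controller
        self.flow_table = {}     # (src, dst) -> (rewrite actions, output port)

    def install(self, match, rewrite, out_port):
        self.flow_table[match] = (rewrite, out_port)

    def process(self, pkt):
        key = (pkt.src, pkt.dst)
        if key not in self.flow_table:          # table miss -> Packet-In to the controller
            self.controller.handle_packet_in(self, pkt)
        rewrite, out_port = self.flow_table[key]
        return Packet(rewrite.get("src", pkt.src), rewrite.get("dst", pkt.dst), pkt.payload), out_port


def round_trip(agent, gateway, ctrl, pkt):
    """Walk one request and its reply through agent and gateway; return the
    (src, dst) pairs seen on the wire, at the business system, on the reply wire,
    and at the terminal."""
    on_wire, _ = agent.process(pkt)                               # (virtual src, virtual dst)
    at_business, _ = gateway.process(on_wire)                     # (virtual src, real dst)
    reply = Packet(ctrl.business_real, at_business.src, "reply")  # business answers the virtual src
    reply_wire, _ = gateway.process(reply)                        # (virtual business, virtual terminal)
    at_terminal, _ = agent.process(reply_wire)                    # (virtual business, real terminal)
    return [(p.src, p.dst) for p in (on_wire, at_business, reply_wire, at_terminal)]


def build_demo():
    ctrl = StealthController({"10.1.0.7": "172.16.5.9"}, "10.2.0.20", "172.16.9.3")
    return ctrl, Switch("user-agent", ctrl), Switch("stealth-gateway", ctrl)
```

The first request costs two Packet-In messages (one per switch); later packets of the same flow are rewritten from the cached rules, and only the agent-to-gateway segment ever carries a purely virtual (source, destination) pair, which is the segment an observer between the two could see.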

[0047] According to the present invention, a method for stealth in a power information system network based on moving target defense is provided, wherein performing a hopping operation based on the selected IP address, port address, and virtualization gateway comprises:

[0048] After receiving a communication request from a secure terminal, the stealth controller issues new flow table rules to the network devices on the routing path, steering data packets to the virtualization gateway used in this cycle;

[0049] After waiting for the longest transmission delay, the stealth controller issues a command requesting the virtualization gateway used in the previous cycle to discard the old flow table entries.

[0050] The present invention also provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the program to implement the above-described method for stealth of power information system networks based on moving target defense.

[0051] This invention provides a method and device for stealth in power information system networks based on moving target defense. It monitors the operational status of the power information system network and records the number of security authentication failure events in the network within each cycle. Based on the number of security authentication failure events, it matches the corresponding hopping trigger conditions. After the corresponding hopping trigger conditions are met, it selects an IP address and port address using an adaptive weighted random IP and port address selection strategy based on address distance, and selects a virtualization gateway using a virtualization gateway selection strategy that considers both load and hopping overhead. A hopping operation is then performed based on the selected IP address, port address, and virtualization gateway. By using different hopping strategies to perform IP address hopping, port address hopping, and virtualization gateway hopping in the power information system, the method expands the space an attacker must probe, increases the difficulty of reconnaissance, achieves network stealth at the attack surface level, and effectively ensures the communication security of the power information system.

Description of the Drawings

[0052] To more clearly illustrate the technical solutions in this invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are some embodiments of this invention. For those skilled in the art, other drawings can be obtained from these drawings without creative effort.

[0053] Figure 1 is the first flowchart of the power information system network stealth method based on moving target defense provided by the present invention;

[0054] Figure 2 is the second flowchart of the power information system network stealth method based on moving target defense provided by the present invention;

[0055] Figure 3 is a schematic diagram of the IP and port hopping process provided by the present invention;

[0056] Figure 4 is a schematic diagram of the power information system architecture provided by the present invention;

[0057] Figure 5 is a schematic diagram of the structure of the electronic device provided by the present invention.

Detailed Description

[0058] To make the objectives, technical solutions, and advantages of this invention clearer, the technical solutions of this invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of this invention. All other embodiments obtained by those skilled in the art based on the embodiments of this invention without creative effort are within the scope of protection of this invention.

[0059] Figure 1 is a flowchart of the power information system network stealth method based on moving target defense provided in an embodiment of the present invention. As shown in Figure 1, the method includes:

[0060] Step 101: Monitor the working status of the power information system network, record the number of security authentication failure events in the network in each cycle, and match the corresponding hopping trigger conditions according to the number of security authentication failure events;

[0061] Step 102: After the corresponding hopping trigger conditions are met, select the IP address and port address using an adaptive weighted random IP and port address selection strategy based on address distance, and select the virtualization gateway using a virtualization gateway selection strategy that considers both load and hopping overhead;

[0062] Step 103: Perform a hopping operation based on the selected IP address, port address, and virtualization gateway.

[0063] In this embodiment of the invention, the stealth controller monitors the overall network status and records the number of security authentication failure events in the network within each cycle. If the number of security events counted in this cycle exceeds a certain threshold before the end of the hopping cycle, an event-triggered hop is performed immediately; otherwise, a periodically triggered hop is performed at the end of the hopping cycle. Note that although IP and port address hopping and virtualized host hopping use the same hopping cycle management and trigger strategies, their triggering and cycle management are handled separately.

[0064] Once a new hopping cycle begins, the hopping cycle is dynamically adjusted and reset based on the network security status. The stealth management tool then performs adaptive weighted random IP and port address selection based on address distance and virtualization gateway selection based on load and hopping overhead, and hands the hopping scheme to the stealth controller for deployment.

[0065] Traditional network stealth methods determine device functionality by comparing packet IP addresses with addresses in the real address table of a software-defined network controller. For legitimate IoT devices, a virtual address selection module is invoked to select available virtual IP and MAC addresses from a virtual address pool to deploy address hopping defense strategies. For aberrant IoT devices, a policy update module is invoked to dynamically modify the address hopping period. When the hopping period falls below the minimum value, the device's interaction with the network is blocked, enhancing network security. While this achieves randomized forwarding paths and multiple IP and MAC address hopping, increasing device stealth, the lack of a proper address selection strategy compromises hopping address security, and the method of determining device functionality through address comparison presents significant security vulnerabilities.

[0066] This invention provides a network stealth method for power information systems based on moving target defense. It monitors the operational status of the power information system network and records the number of security authentication failure events in each cycle. Based on the number of security authentication failure events, it matches the corresponding hopping trigger conditions. After the corresponding hopping trigger conditions are met, it selects an IP address and port address using an adaptive weighted random IP and port address selection strategy based on address distance, and selects a virtualization gateway using a virtualization gateway selection strategy that considers both load and hopping overhead. A hopping operation is then performed based on the selected IP address, port address, and virtualization gateway. By using different hopping strategies to perform IP address hopping, port address hopping, and virtualization gateway hopping in the power information system, the method expands the space an attacker must probe, increases the difficulty of reconnaissance, achieves network stealth at the attack surface level, and effectively protects the communication security of the power information system.

[0067] Based on any of the above embodiments, as shown in Figure 2, matching the corresponding hopping trigger condition based on the number of security authentication failure events includes:

[0068] If the number of security events counted in this cycle exceeds the preset threshold before the end of the hopping cycle, the event trigger condition is matched; otherwise, the periodic trigger condition is matched;

[0069] After the event trigger condition is met, an event-triggered hop is executed;

[0070] After the periodic trigger condition is met, a periodically triggered hop is executed at the end of the current hopping cycle.

[0071] In this embodiment of the invention, the IP address and port address hop according to a first hopping cycle, and the virtualization gateway hops according to a second hopping cycle. The power information system network stealth method based on moving target defense further includes:

[0072] Adaptively adjusting the first and second hopping cycles based on the detected threat events.

[0073] In this embodiment of the invention, adaptively adjusting the first hopping cycle and the second hopping cycle based on the detected threat events includes:

[0074] If the current hopping cycle is event-triggered, and a threat event was detected in the previous hopping cycle, the hopping cycle is shortened based on the hopping cycle increment/decrement function;

[0075] If the previous hopping cycle was also event-triggered, the shortening of the hopping cycle is increased;

[0076] If no threat event is detected in the current hopping cycle, the hopping cycle is lengthened based on the hopping cycle increment/decrement function;

[0077] The hopping cycle increment/decrement function is:

[0078]

[0079] where s_i = 0 indicates that cycle i was triggered by the periodic mechanism, s_i = 1 indicates that cycle i was triggered by the event mechanism, and i ≥ 1.

[0080] The hop cycle is the time interval between two address hops. A shorter hop cycle means a higher hop frequency. A higher hop frequency means a smaller time window for attackers to conduct effective reconnaissance activities, resulting in higher network randomness and security. However, each address hop introduces additional overhead to communication. While shortening the hop cycle enhances security, it also impacts network communication quality. This invention proposes an event-based adaptive hop cycle adjustment strategy. It assesses the current network security status based on the frequency of secure terminal authentication failure events and flexibly adjusts the hop cycle. When facing attack risks, it shortens the hop cycle to improve defense performance; when no risks are detected, it appropriately increases the hop cycle to avoid unnecessary hop overhead, achieving a balance between network security performance and service quality.

[0081] Let the transition period be T. Based on security performance and quality of service considerations, the boundaries of the transition period must first be defined, namely the maximum value Tmax and the minimum value Tmin. Tmax ensures that at least one transition occurs during a communication session to prevent the communication content from being stolen by attackers, while Tmin ensures that the overhead incurred by the transition scheme will not affect normal communication and cannot exceed this boundary when the period is adaptively adjusted.

[0082] Let the current hopping cycle value be Ti, the basic unit time for hopping cycle adjustment be Δt, and the trigger mechanism of this hopping cycle be s_i: s_i = 0 indicates that this cycle was triggered by the periodic mechanism, and s_i = 1 indicates that it was triggered by the event mechanism. If this cycle is event-triggered (i.e., a threat event was detected in the previous cycle), the cycle is shortened appropriately. If the previous cycle was also event-triggered (i.e., many threat events still existed even after shortening the cycle), the shortening of the cycle is increased. Similarly, if no threat event is detected in the current cycle, the cycle is lengthened appropriately to ensure communication service quality.

[0083] The adaptive hopping cycle adjustment strategy is defined as follows:

[0084]

[0085] where i ≥ 1 and Δt > 0; if two consecutive cycles are event-triggered, the value of H increases, and the corresponding time reduction in the cycle adjustment increases.

[0086] In this embodiment of the invention, while a high hopping frequency brings higher security, it also introduces additional overhead. To address the difficulty of choosing a hopping cycle under the conflict between high security and low overhead, a dynamic adjustment strategy for the hopping cycle based on network security status is designed. The hopping cycle is adaptively adjusted according to the detected threat events to balance high security against low hopping overhead.
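The trigger matching of [0068] and the adaptive cycle adjustment of [0080] to [0085], as an added Python example written for this page (not the patent's own code). The page gives the behaviour (shorten by a growing amount while event triggers persist, lengthen in quiet cycles, stay within [Tmin, Tmax]) but not the increment/decrement formula, so the concrete rule below, in which H counts consecutive event-triggered cycles and the reduction is H·Δt, is our assumption; the failure counts fed to `simulate` are constructed. The first (IP/port) and second (gateway) cycles would each run their own instance of this loop.

```python
def match_trigger(failures: int, threshold: int) -> int:
    """s_i for the cycle that just ended: 1 = event trigger (authentication
    failures counted in the cycle exceed the threshold), 0 = periodic trigger."""
    return 1 if failures > threshold else 0


def next_period(t_i, s_i, s_prev, h_prev, dt, t_min, t_max):
    """Assumed concrete form of the increment/decrement function.
    H counts consecutive event-triggered cycles, so the reduction H*dt grows
    while threats persist; a quiet cycle adds one dt. The result is clamped to
    [t_min, t_max] as required by [0081]. Returns (T_{i+1}, H)."""
    if s_i == 1:
        h = h_prev + 1 if s_prev == 1 else 1
        t_next = t_i - h * dt
    else:
        h = 0
        t_next = t_i + dt
    return min(max(t_next, t_min), t_max), h


def simulate(t0, failures_per_cycle, threshold, dt, t_min, t_max):
    """Run the adaptive cycle over a constructed sequence of per-cycle failure
    counts; return the hop period chosen after each cycle."""
    t, s_prev, h = t0, 0, 0
    periods = []
    for failures in failures_per_cycle:
        s_i = match_trigger(failures, threshold)
        t, h = next_period(t, s_i, s_prev, h, dt, t_min, t_max)
        s_prev = s_i
        periods.append(t)
    return periods


if __name__ == "__main__":
    # Two noisy cycles followed by two quiet ones: 20 -> 18 -> 14 -> 16 -> 18.
    print(simulate(20, [5, 6, 0, 0], threshold=3, dt=2, t_min=4, t_max=30))
```

Two consecutive event triggers cut the period by Δt and then 2Δt, while recovery after the threat subsides is one Δt per quiet cycle, so the defence tightens faster than it relaxes; the clamp to Tmin is what keeps repeated event triggers from driving the period to zero.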

[0087] According to the present invention, a network stealth method for power information systems based on moving target defense is provided, wherein selecting the IP address and port address using the adaptive weighted random IP and port address selection strategy based on address distance includes:

[0088] Constructing the set of virtual IP addresses available to the connection, with set size m. The m IP addresses are arranged in order as M = {IP0, IP1, ..., IPm-1}. A weight array W = [w0, w1, ..., wm-1] is created and each element is initialized to n. The size of the virtual address set remains unchanged throughout the communication; newly available IPs that appear are not added;

[0089] If an address in the current set is occupied by another connection, the released address is added to the set and inherits the weight of the occupied address;

[0090] Once the weights are determined, the address configuration for this cycle is selected by the weighted random selection algorithm. When the next hop is triggered, the weight array is updated and the virtual source and destination IP addresses selected for the current cycle are returned.

[0091] According to the present invention, a method for stealth in a power information system network based on moving target defense is provided, wherein updating the weight array includes:

[0092] Let the weight array of the previous hopping cycle be W' and w'_i be its i-th element. For each element of W', the new weight array is updated simultaneously with respect to the source and destination addresses using the following update formula:

[0093]

[0094] where w_i is the weight of the i-th IP address in the current hopping cycle, k is the size of the virtualization gateway set, m is the size of the address set, and n is the initial weight value.
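The weighted random address selection of [0088] to [0094] and the design goals stated in [0095] (never reuse the previous cycle's address, avoid addresses adjacent to it), as an added Python example written for this page (not the patent's own code). The page's weight update formula is not reproduced, so the rule in `update_weights` is an assumption: addresses used in the previous cycle get weight 0, addresses within `radius` positions in pool order are scaled down by their distance, and all others recover by one toward n. The `radius` parameter, the pool of sample addresses and the choice to draw source and destination from the same pool are also assumptions.

```python
import random


class AddressHopper:
    """Weighted random virtual-address selection over a fixed pool M (m addresses)
    with weight array W initialised to n. Sample pool values are constructed."""

    def __init__(self, pool, n, radius=2, seed=None):
        self.M = list(pool)            # M = {IP0, ..., IPm-1}; the size never changes
        self.m = len(self.M)
        self.n = n                     # initial weight
        self.radius = radius           # assumed: positions within this distance count as adjacent
        self.W = [n] * self.m
        self.last = None               # (src index, dst index) used in the previous cycle
        self.rng = random.Random(seed)

    def replace_occupied(self, occupied_ip, freed_ip):
        """An address taken by another connection is swapped for the released one,
        which inherits its weight ([0089]); the pool size stays m."""
        idx = self.M.index(occupied_ip)
        self.M[idx] = freed_ip

    def update_weights(self):
        """Assumed update rule standing in for the page's formula: previous-cycle
        addresses get 0 (no reuse), near addresses are scaled by distance because
        reconnaissance scans consecutive ranges, everything else recovers toward n."""
        for i in range(self.m):
            d = min(abs(i - j) for j in self.last)
            base = min(self.n, self.W[i] + 1)
            if d == 0:
                self.W[i] = 0
            elif d <= self.radius:
                self.W[i] = max(1, base * d // (self.radius + 1))
            else:
                self.W[i] = base

    def hop(self):
        """Start a new hopping cycle: update W from the previous choice, then draw a
        virtual source address and a distinct virtual destination address."""
        if self.last is not None:
            self.update_weights()
        src = self.rng.choices(range(self.m), weights=self.W, k=1)[0]
        w_dst = list(self.W)
        w_dst[src] = 0                  # source and destination must differ
        dst = self.rng.choices(range(self.m), weights=w_dst, k=1)[0]
        self.last = (src, dst)
        return self.M[src], self.M[dst]


def demo_pool():
    """Constructed pool of eight consecutive addresses (m = 8)."""
    return [f"10.10.0.{i}" for i in range(8)]


if __name__ == "__main__":
    hopper = AddressHopper(demo_pool(), n=4, radius=2, seed=7)
    for _ in range(3):
        print(hopper.hop(), hopper.W)
```

Because the previous cycle's two addresses carry weight 0 and their neighbours are penalised in proportion to distance, successive picks are pushed toward distant parts of the pool, which is the page's reason for keeping virtual addresses spread across the network rather than in one subnet; the recovery toward n prevents addresses from being locked out permanently.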

[0095] When selecting hopping addresses, attacker behavior should be fully considered to formulate corresponding strategies. First, the address used within a given hopping cycle should avoid being the same as the address used in the previous cycle. Second, attackers typically scan consecutive IP address ranges during network reconnaissance; therefore, addresses in adjacent ranges should be avoided when selecting hopping addresses. This invention proposes a weighted, adaptive, random IP and port address selection strategy based on address distance. A weighted array of available address pools is established based on historical IP address usage. A weighted random selection algorithm selects available addresses from the pool, distributing virtual IP addresses across different parts of the network rather than concentrating them in specific subnets or areas. This ensures that all parts of the network can fully utilize the protection effect of IP address hopping. Considering the different roles of IP addresses and port numbers in communication and the difference in available address space, different strategies are implemented for IP address selection and port number selection. The IP address selection strategy is as follows:

[0096] Each time a new communication connection is established, the stealth controller constructs a set of virtual IP addresses available for that connection. Let the size of the set be m. The m IP addresses are arranged sequentially as M = {IP0, IP1, ..., IPm-1}. A weight array W = [w0, w1, ..., wm-1] is created, and each element is initialized to n. The size of the virtual address set remains unchanged throughout the communication process; IP addresses that later become available are not added. If an address in the current set becomes occupied by another connection, a released address is added to the set in its place and inherits the weight of the occupied address. After the weight data is determined, an address configuration for this period is selected according to a weighted random selection algorithm. At the next transition trigger, the weight array is updated, and a new address is selected based on the updated weights. The weight update strategy is as follows:

[0097] Let $W'$ be the weight array of the previous transition cycle, and let the IP addresses selected in the previous cycle be $IP_{src} = IP_k$ and $IP_{dst} = IP_q$ ($0 \le k, q \le m-1$). The new weight array is updated with respect to $IP_{src}$ and $IP_{dst}$ simultaneously; the update strategy for $IP_{src} = IP_k$ is the same as that for $IP_{dst} = IP_q$. Under the assumption that the attacker is aware of the hopping strategy, using the same IP address in two consecutive hopping cycles not only logically expands the available address space but also confuses the attacker, making it difficult to deduce the true hopping strategy. Therefore, when updating the weights, the weights of the addresses used in the previous hopping cycle are not directly set to 0. The meaning of the above weight array update formula is that, for an address $IP_k$ already used in the previous hopping cycle, the weights of $IP_k$ and of the addresses in its adjacent address range are appropriately reduced within the current transition cycle, lowering the probability that the same address or an adjacent address range is selected in the current cycle. The length of an adjacent address range is defined as $1/2^p$ of the size of the available address set, and the closer an address is to $IP_k$, the greater its weight reduction. The total weight removed is distributed evenly across the addresses outside the adjacent address ranges, so that the total weight of the set remains $mn$. The algorithm is designed as follows:

[0098]

[0099]

[0100]

[0101] At the start of a new transition period, a weighted random selection algorithm is used to select the source and destination addresses based on the weight array inherited from the previous period, as shown in steps 1) to 20). After the addresses are determined, the weight array is updated, as shown in steps 21) to 31). Finally, the virtual source and destination IP addresses selected in the period are returned.

[0102] Compared to the limited number of available IP addresses, port numbers typically have a larger pool of available ports in a network. Therefore, a simple random selection strategy can achieve good randomization performance. Furthermore, network reconnaissance typically involves first probing IP addresses and then performing port scanning on those IPs. Thus, with good IP randomization, attackers may not even be able to effectively determine the IP to be scanned. In this case, overly complex and sophisticated port hopping strategies become redundant. This invention uses a simple random selection strategy for port address selection. Before each hopping, a port number is randomly selected from the currently available port space, reducing unnecessary overhead while accommodating network unpredictability.
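As an added illustration (not code from the patent), the following Python implements the selection described above: a weight array initialised to n, weighted random selection of the virtual source and destination addresses, the distance-based weight reduction around the previously used addresses with redistribution so that the total stays mn, and plain uniform random port selection. Because the update formula of [0093] did not survive extraction, the linear reduction schedule, the `alpha` fraction, the reading of the adjacent range as m/2^p positions on each side, and masking the source index when drawing the destination are assumptions.

```python
import random

# Constructed sample pool of virtual addresses (not from the patent); m = 16.
SAMPLE_POOL = [f"172.16.20.{h}" for h in range(16)]
SAMPLE_PORTS = range(40000, 40100)   # constructed available port space


def initial_weights(m, n):
    """Weight array W = [w0, ..., wm-1] with every entry initialised to n."""
    return [float(n)] * m


def weighted_choice(weights, rng=random):
    """Weighted random selection: index i is drawn with probability w_i / sum(W)."""
    total = sum(weights)
    r = rng.uniform(0.0, total)
    acc = 0.0
    for i, w in enumerate(weights):
        acc += w
        if r < acc:
            return i
    return len(weights) - 1        # guards against floating-point rounding at the top end


def update_weights(weights, used, p, alpha=0.5):
    """Reduce the weight of the address used last cycle and of its neighbours.

    Assumed schedule: the adjacent range spans m // 2**p positions on each side
    of `used`; the cut is `alpha` of the weight at distance 0 and shrinks
    linearly to the range edge. Everything removed is spread evenly over the
    addresses outside the range, so sum(weights) is unchanged (m * n).
    """
    m = len(weights)
    radius = max(1, m // (2 ** p))
    new = list(weights)
    removed = 0.0
    in_range = set()
    for i in range(m):
        d = abs(i - used)
        if d < radius:
            in_range.add(i)
            cut = alpha * new[i] * (radius - d) / radius
            new[i] -= cut
            removed += cut
    outside = [i for i in range(m) if i not in in_range]
    if not outside:                  # range covers the whole set: nothing to redistribute to
        return list(weights)
    share = removed / len(outside)
    for i in outside:
        new[i] += share
    return new


def hop(weights, pool, ports, p, rng=random):
    """One IP/port hop: pick src and dst by weighted random selection, then update W.

    Returns (vIPsrc, vPsrc, vIPdst, vPdst, new_weights). The destination draw
    masks the source index so the two virtual addresses differ (assumption).
    """
    src = weighted_choice(weights, rng)
    masked = list(weights)
    masked[src] = 0.0
    dst = weighted_choice(masked, rng)
    # The update strategy is the same for the source and destination address.
    new_w = update_weights(update_weights(weights, src, p), dst, p)
    psrc = rng.choice(ports)         # port selection: plain uniform random draw
    pdst = rng.choice(ports)
    return pool[src], psrc, pool[dst], pdst, new_w


if __name__ == "__main__":
    w = initial_weights(len(SAMPLE_POOL), 4)
    rng = random.Random(7)
    for cycle in range(3):
        vsrc, psrc, vdst, pdst, w = hop(w, SAMPLE_POOL, SAMPLE_PORTS, 2, rng)
        print(f"cycle {cycle}: {vsrc}:{psrc} -> {vdst}:{pdst}; total weight {sum(w):.1f}")
```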

[0103] In this embodiment of the invention, a weighted random IP and port address selection strategy based on address distance is designed for IP and port address hopping, thereby increasing the randomness of address hopping within a limited address space.

[0104] Based on any of the above embodiments, selecting a virtualization gateway according to the virtualization gateway selection strategy that comprehensively considers load and switching overhead includes:

[0105] When a new transition cycle begins, locate the virtualization gateway used in the previous transition cycle;

[0106] The number of connections and load carried by each virtualization gateway are counted. If the load of a virtualization gateway is 0, then the virtualization gateway is directly selected as the one used in this cycle.

[0107] Based on a comprehensive strategy that considers both transition overhead and load selection, the virtualization gateway with the highest transition performance is selected, and the network operating state matrix is updated.

[0108] The combined strategy for switching overhead and load selection is as follows:

[0109] Target Virtualization Host

[0110]

[0111] where t represents the current transition period and t-1 the previous transition period; $\beta$ is the normalization coefficient for hop cost; $a_{pq}$ represents the hop cost between virtualization gateway p and virtualization gateway q, where p and q are virtualization gateway numbers, K is the set of virtualization gateways and k is the size of the virtualization gateway set; $\beta a_{jn}$ is the normalized hop overhead; $re_n$ is the resource required for virtualization gateway n to handle one communication connection; $Re_n$ is the resource limit of virtualization gateway n; $x_{i,j}(t)$ indicates whether communication i is served by virtualization gateway j during the transition period; and n is the optimal virtualization gateway that satisfies all constraints.

[0112] In this embodiment of the invention, the virtualization gateway hopping deploys IP and port address hopping strategies with different parameters in different virtualization gateways. By changing the Δt value in the periodic adjustment strategy and the p value in the address selection strategy, the address hopping strategy in the network becomes more complex and harder to predict. At the same time, when some virtualization gateways are attacked or intruded, the diversified configuration of other gateways can be used to protect other parts of the network.

[0113] The virtualization gateway selection problem is modeled as a constrained selection problem. A stealth gateway contains k virtualization gateways and carries m ongoing communication connections. Each virtualization gateway can independently serve a communication connection, and at each transition trigger the virtualization gateway serving a communication connection changes. The set of virtualization gateways and the set of communication connections are denoted K = {1, 2, ..., k} and M = {1, 2, ..., m}, respectively. Whether communication connection i is handled by virtualization gateway n within transition period t is represented by the binary variable $x_{i,n}(t) \in \{0,1\}$, so that $X(t) = \{x_{i,n}(t) \mid i \in M, n \in K\}$ represents the working state of the virtualization gateways within transition period t, i.e.:

[0114]

[0115] Let the resource limit of virtualization gateway n be $Re_n$, and let $re_n$ represent the resources required for virtualization gateway n to handle one communication connection. To avoid excessive waste of virtualization gateway resources, it is stipulated that each virtualization gateway must handle at least one communication connection, i.e.:

[0116]

[0117]

[0118] To ensure network communication quality during virtualization gateway transitions, gateway load is considered when selecting a gateway, and the current gateway load state is defined as follows:

[0119]

[0120] Since the configurations of different virtualization gateways vary, a hop cost matrix $A_{kk}$ is constructed based on the degree of difference between the gateways. $A_{kk}$ is a symmetric matrix; the greater the configuration difference, the greater the hop overhead, i.e.:

[0121]

[0122] In summary, when a new transition period t arrives, the target virtualization host g that should be selected when communication connection i transitions is:

[0123]

[0124]

[0125] where $\beta$ is the normalization coefficient for hop overhead. Considering that the larger the hop overhead or the virtualization gateway load, the more important it is in target selection, $l_n(t-1)$ and $\beta a_{jn}$ are squared in the above formula. The gateway selection algorithm is designed as follows:

[0126]

[0127]

[0128] At the start of a new transition cycle, first, find the virtualization gateway pre used in the previous cycle, as shown in steps 1) to 6). Then, count the number of connections and load carried by each virtualization gateway. If the load of a certain virtualization gateway is 0, then directly select this virtualization gateway for this cycle, as shown in steps 7) to 18). Finally, select the virtualization gateway with the highest overall transition performance based on transition overhead and load, and update the network working state matrix X, as shown in steps 19) to 28).
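The three stages just described, as an added Python example that is not the patent's own algorithm text. The objective and load formulas of [0118] to [0124] did not survive extraction, so the minimised quantity l_n(t-1)^2 + (beta * a_{pre,n})^2, the load definition l_n = re_n * connections_n / Re_n, the feasibility check re_n * (connections_n + 1) <= Re_n, the configuration-difference metric used to build the symmetric cost matrix, and all numeric values are assumptions; the rule that every gateway keeps at least one connection is not enforced here.

```python
# Constructed sample: three virtualization gateways with different hopping
# parameters (delta_t = hop period, p = adjacent-range exponent); not patent values.
GATEWAY_CONFIGS = [{"delta_t": 10, "p": 1}, {"delta_t": 20, "p": 2}, {"delta_t": 40, "p": 3}]
RE = [1.0, 1.0, 1.0]          # re_n: resource one connection consumes on gateway n
RE_LIMIT = [4.0, 4.0, 4.0]    # Re_n: resource limit of gateway n


def hop_cost_matrix(configs):
    """Symmetric A_kk: a_pq grows with the configuration difference between p and q.

    Assumed metric: mean of the normalised |delta_t| and |p| differences,
    so a_pp = 0 and 0 <= a_pq <= 1.
    """
    k = len(configs)
    dt_span = max(c["delta_t"] for c in configs) - min(c["delta_t"] for c in configs) or 1
    p_span = max(c["p"] for c in configs) - min(c["p"] for c in configs) or 1
    A = [[0.0] * k for _ in range(k)]
    for p in range(k):
        for q in range(k):
            A[p][q] = (abs(configs[p]["delta_t"] - configs[q]["delta_t"]) / dt_span
                       + abs(configs[p]["p"] - configs[q]["p"]) / p_span) / 2
    return A


def load_state(X, re, re_limit):
    """Connections per gateway and load l_n = re_n * connections_n / Re_n (assumed form)."""
    k = len(re_limit)
    conns = [sum(row[n] for row in X) for n in range(k)]
    loads = [re[n] * conns[n] / re_limit[n] for n in range(k)]
    return conns, loads


def select_gateway(X, i, A, beta, re=RE, re_limit=RE_LIMIT):
    """Choose the target gateway for connection i when a new transition period starts.

    Steps follow [0128]: find the previous gateway `pre` from the state matrix X;
    if another gateway carries no load, take it directly; otherwise, among the
    gateways with spare resources, minimise l_n(t-1)^2 + (beta * a_{pre,n})^2.
    Returns (target, updated copy of X); X itself is not modified.
    """
    k = len(re_limit)
    pre = X[i].index(1)
    conns, loads = load_state(X, re, re_limit)
    candidates = [n for n in range(k) if n != pre]      # the serving gateway must change
    idle = [n for n in candidates if conns[n] == 0]
    if idle:
        target = idle[0]
    else:
        feasible = [n for n in candidates if re[n] * (conns[n] + 1) <= re_limit[n]]
        if not feasible:
            return pre, [row[:] for row in X]            # no gateway can take it: stay put
        target = min(feasible, key=lambda n: loads[n] ** 2 + (beta * A[pre][n]) ** 2)
    new_X = [row[:] for row in X]
    new_X[i][pre], new_X[i][target] = 0, 1
    return target, new_X


if __name__ == "__main__":
    A = hop_cost_matrix(GATEWAY_CONFIGS)
    X = [[1, 0, 0], [0, 1, 0], [0, 1, 0], [0, 0, 1]]   # 4 connections, all gateways busy
    for beta in (0.5, 0.2):
        target, _ = select_gateway(X, 0, A, beta)
        print(f"beta={beta}: connection 0 hops from gateway 0 to gateway {target}")
```

With a larger beta the hop cost dominates and the similarly configured gateway 1 wins; with a smaller beta the lower load of gateway 2 wins.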

[0129] In this embodiment of the invention, a virtualization gateway selection strategy based on load and switching overhead is designed for virtualization gateway switching. Taking into account the load and switching overhead of each virtualization gateway, the solution with the highest switching efficiency is selected, thereby improving network security.

[0130] Based on any of the above embodiments, performing a hopping operation according to the selected IP address, port address, and virtualization gateway includes:

[0131] After the secure terminal passes security authentication at the stealth controller, it obtains the virtual destination address provided by the controller and uses this terminal information to send data packets to the business system; the data packets are first sent to the directly connected user-side agent.

[0132] After receiving a data packet, the switch matches it against the flow table in the switch and performs address changes and forwarding based on the action of matching the flow table. If no matching flow table entry is found, the data packet is forwarded to the stealth controller via a Packet-In message.

[0133] After receiving the Packet-In message, the stealth controller looks up the endpoint information mapping table to obtain the virtual source address corresponding to the real source address, generates the corresponding flow table and sends it to the switch. The user-side agent acts as the source switch for the secure terminal. The address modification action in the flow table is to modify the real source address information in the data packet to the virtual source address. After the data packet address information is successfully modified, the data packet is forwarded according to the forwarding port specified in the flow table action.

[0134] The user-side agent modifies the address information of the data packet to a virtual source address and a virtual destination address based on the flow table information issued by the stealth controller, and then forwards the data packet to the stealth gateway.

[0135] The stealth gateway receives the data packets. After a data packet is successfully matched with the flow table, its IP address is changed according to the action of the flow table. As the destination switch, the stealth gateway's flow table matches on the virtual source address and the virtual destination address, and its address modification action changes the virtual address of the business system to the real address. After modification, the packet carries the virtual source address and the real destination address, and it is then sent to the business system.

[0136] After receiving a message from the secure terminal, the business system replies with a data packet containing the virtual source address and the real destination address.

[0137] After receiving data packets from the business system, the stealth gateway modifies the endpoint information of the data packets to the virtual source and virtual destination addresses based on the flow table information, and then forwards them to the user-side agent.

[0138] After receiving the data packet, the user-side agent modifies the packet's endpoint information to the real source address and virtual destination address, and then forwards it to the secure terminal.

[0139] In this embodiment of the invention, the address information of a single communication is set as Add = {IPsrc, Psrc, IPdst, Pdst}, where IPsrc and Psrc are the address information of the source host, and IPdst and Pdst are the address information of the destination host. rAdd denotes the real source and destination host addresses, and vAdd the virtual source and destination host addresses after the hop. When a hop is triggered, the stealth management tool generates a specific hopping scheme, i.e., the virtual address information used in this cycle, and sends it to the stealth controller, which stores it in the form of an address information mapping table. After the IP and port address hop is triggered, the address information hopping process and the communication steps of the two communicating parties are as shown in Figure 3.

[0140] ① After the secure terminal passes security authentication at the stealth controller, it obtains the virtual destination address {vIPdst,vPdst} provided by the controller, and uses the terminal information {rIPsrc,rPsrc,vIPdst,vPdst} to send data packets to the business system. The data packets will first be sent to the directly connected user-side agent.

[0141] ② After receiving a data packet, the switch will match it against the flow table in the switch and perform address changes and forwarding based on the flow table matching action. If no matching flow table entry is found, the data packet will be forwarded to the stealth controller via Packet-In.

[0142] ③ After receiving the Packet-In message, the stealth controller retrieves the corresponding {vIPsrc, vPsrc} from the endpoint information mapping table by looking up {rIPsrc, rPsrc}, then generates the corresponding flow table and sends it to the switch. For the user-side agent, acting as the source switch for the secure terminal, the address modification action in the flow table changes the real source address information {rIPsrc, rPsrc} in the data packet to {vIPsrc, vPsrc}. After successful address modification, the data packet is forwarded according to the forwarding port specified in the flow table action. On switches other than the user-side agent and the stealth gateway, the matching field of the flow table is the IP and port addresses after the hop, and the flow table action is to send the data packet to the specified port.

[0143] ④ The user-side agent modifies the address information of the data packet to {vIPsrc,vPsrc,vIPdst,vPdst} based on the flow table information issued by the stealth controller, and then forwards the data packet to the stealth gateway.

[0144] ⑤ The stealth gateway receives data packets. After the data packet is successfully matched with the flow table, the IP address of the data packet is changed according to the action of the flow table. As the destination switch, the matching field of the stealth gateway flow table is {vIPsrc,vPsrc,vIPdst,vPdst}. The address modification action in the flow table is to change the virtual address of the business system to the real address, which is now {vIPsrc,vPsrc,rIPdst,rPdst}. The data packet is then sent to the business system.

[0145] ⑥ After receiving the message sent by the terminal, the business system replies to the terminal with a data packet. The terminal information of this data packet is {vIPsrc,vPsrc,rIPdst,rPdst}.

[0146] ⑦ After receiving the data packets sent by the business system, the stealth gateway modifies the endpoint information of the data packets to {vIPsrc,vPsrc,vIPdst,vPdst} according to the flow table information, and then forwards them to the user-side agent.

[0147] ⑧ After receiving the data packet, the user-side agent modifies the endpoint information of the data packet to {rIPsrc,rPsrc,vIPdst,vPdst}, and then forwards it to the terminal.

[0148] When a new transition cycle arrives, the stealth control tool generates a new virtual address vAdd', communication between the secure terminal and the business system continues, and the stealth controller sends new flow table rules to the network devices in the path. The entire packet processing flow is the same as in the above steps, except that the matching field and action field of the flow table are different.

[0149] Because the configuration of the communication host is not modified, but the end address information of the communication data packet is dynamically changed during network transmission, the source and destination hosts can transparently switch communication over the network without interrupting the ongoing communication.
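Steps ① to ⑧ and the cycle change in [0148], as an added Python model that is not the patent's implementation. Packets carry a (ip, port) source and destination; the user-side agent and stealth gateway are exact-match flow switches whose entries rewrite one end of the packet, a miss at the agent raises a Packet-In that the controller resolves from its endpoint mapping table, and a new cycle is assumed to clear the old entries. All addresses are constructed sample values.

```python
from dataclasses import dataclass, replace

# Constructed sample endpoints (ip, port); none of these come from the patent.
R_TERM = ("10.0.1.10", 40000)      # rIPsrc, rPsrc  (secure terminal, real)
V_TERM = ("172.16.5.77", 51234)    # vIPsrc, vPsrc  (secure terminal, virtual)
R_BIZ = ("10.0.2.20", 8443)        # rIPdst, rPdst  (business system, real)
V_BIZ = ("172.16.9.140", 60321)    # vIPdst, vPdst  (business system, virtual)


@dataclass(frozen=True)
class Packet:
    src: tuple   # (ip, port) as carried on the wire at this point of the path
    dst: tuple
    payload: str


class FlowSwitch:
    """Exact-match flow table: (src, dst) -> (new_src, new_dst, out_port).

    A miss is reported to the controller as a Packet-In; if the controller then
    installs a matching entry the packet is processed, otherwise it is dropped.
    """

    def __init__(self, name):
        self.name = name
        self.table = {}
        self.controller = None

    def install(self, match, new_src, new_dst, out_port):
        self.table[match] = (new_src, new_dst, out_port)

    def process(self, pkt):
        rule = self.table.get((pkt.src, pkt.dst))
        if rule is None and self.controller is not None:
            self.controller.packet_in(pkt)
            rule = self.table.get((pkt.src, pkt.dst))
        if rule is None:
            return None, None                       # dropped
        new_src, new_dst, out_port = rule
        return replace(pkt, src=new_src, dst=new_dst), out_port


class StealthController:
    """Holds the endpoint mapping table and pushes flow entries to agent and gateway."""

    def __init__(self, agent, gateway):
        self.agent, self.gateway = agent, gateway
        agent.controller = self                     # only the agent raises Packet-In here
        self.mapping = {}    # real terminal endpoint -> virtual terminal endpoint
        self.services = {}   # virtual business endpoint -> real business endpoint

    def new_cycle(self, r_term, v_term, r_biz, v_biz):
        """Install this cycle's hop scheme vAdd; entries of the old cycle are cleared."""
        self.mapping, self.services = {r_term: v_term}, {v_biz: r_biz}
        self.agent.table.clear()
        self.gateway.table.clear()

    def packet_in(self, pkt):
        """Step 3: resolve {rIPsrc,rPsrc} -> {vIPsrc,vPsrc} and install both directions."""
        v_term, r_biz = self.mapping.get(pkt.src), self.services.get(pkt.dst)
        if v_term is None or r_biz is None:
            return                                  # unknown endpoint: no entry, dropped
        r_term, v_biz = pkt.src, pkt.dst
        self.agent.install((r_term, v_biz), v_term, v_biz, "gateway")      # step 4
        self.gateway.install((v_term, v_biz), v_term, r_biz, "business")   # step 5
        self.gateway.install((r_biz, v_term), v_biz, v_term, "agent")      # step 7
        self.agent.install((v_biz, v_term), v_biz, r_term, "terminal")     # step 8


def round_trip(agent, gateway, request):
    """Carry a request from the terminal to the business system and the reply back.

    Returns (packet as seen by the business system, reply as seen by the terminal);
    a None entry means the packet was dropped on the way.
    """
    fwd, port = agent.process(request)              # steps 2 to 4
    if fwd is None or port != "gateway":
        return None, None
    at_biz, port = gateway.process(fwd)             # step 5
    if at_biz is None or port != "business":
        return None, None
    reply = Packet(src=at_biz.dst, dst=at_biz.src, payload="reply")   # step 6
    back, port = gateway.process(reply)             # step 7
    if back is None or port != "agent":
        return at_biz, None
    at_term, port = agent.process(back)             # step 8
    return at_biz, (at_term if port == "terminal" else None)


def build_path():
    """Wire up agent, gateway and controller with the sample scheme for one cycle."""
    agent, gateway = FlowSwitch("user-side agent"), FlowSwitch("stealth gateway")
    ctl = StealthController(agent, gateway)
    ctl.new_cycle(R_TERM, V_TERM, R_BIZ, V_BIZ)
    return ctl, agent, gateway
```

Neither host ever sees the other's real address, and after `new_cycle` a packet still using the previous cycle's virtual destination no longer matches any flow entry.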

[0150] Based on any of the above embodiments, performing a hopping operation according to the selected IP address, port address, and virtualization gateway includes:

[0151] After receiving a communication request from a secure terminal, the stealth controller issues new flow table rules to network devices in the routing path, navigating data packets to the virtualization gateway used in this cycle;

[0152] After waiting for the longest transmission delay, the stealth controller issues a command to request the virtualization gateway used in the previous cycle to discard the old flow table entries.

[0153] In this embodiment of the invention, after the transition is triggered and the virtual gateway selection is completed, let the virtualized gateway used in the previous cycle be G(t-1), and the virtualized gateway used in this cycle be G(t). The gateway transition process is as follows:

[0154] 1) The stealth controller sends the corresponding flow table rules to G(t), requiring it to immediately begin accepting communication requests from secure terminals;

[0155] 2) The stealth controller issues new flow table rules to network devices in the routing path, navigating data packets to G(t);

[0156] 3) After waiting for the longest transmission delay time, the stealth controller issues a command to require G(t-1) to discard the old flow table entries.

[0157] This invention provides a network stealth method for power information systems based on moving target defense, achieving network stealth for power information systems under the SDP architecture and improving network security and robustness. To prevent malicious probing and scanning of the network by attackers, the address information in network data packets is continuously changed through IP and port address hopping and virtualized gateway hopping, expanding the attacker's probe space. IP and port address hopping periodically or non-periodically changes the addresses that secure terminals and business systems display in data packets during communication, making it difficult for attackers to obtain the true network configuration. Virtualized gateway hopping, built on IP and port address hopping, constructs multiple virtualized gateways with different configurations within a stealth gateway and executes different hopping strategies on different virtualized gateways. During communication, the virtualized gateway providing services continuously changes, increasing the complexity and unpredictability of address hopping. For the IP and port address selection problem, considering the attacker's behavioral habits, a weighted random address selection strategy based on address distance is proposed, increasing the randomness of hopping within a limited address space. For the virtualization gateway selection problem, a strategy based on load and hopping overhead is proposed to select the hopping scheme with the highest overall hopping efficiency. While a high hopping frequency brings higher security, it also introduces additional overhead. To address the difficulty of determining the hopping cycle due to the contradiction between high security and low overhead, a dynamic adjustment strategy for the hopping cycle based on network security status is proposed. This strategy adaptively adjusts the hopping cycle according to detected threat events, achieving a balance between high security and low hopping overhead.

[0158] Figure 4 is a schematic diagram of the power information system architecture provided in an embodiment of the present invention. As shown in Figure 4, network stealth is achieved through IP address and port address hopping, as well as virtualized gateway hopping, concealing the business system behind the stealth gateway to protect it from malicious probing and network attacks. The SDP architecture of the power information system implements access control for the business system through Software Defined Perimeter (SDP) and Single Packet Authentication (SPA). This includes key components such as secure terminals, stealth gateways, stealth controllers, and the business system. A network stealth management tool is incorporated into the architecture to generate specific hopping schemes and manage hopping cycles.

[0159] The application layer includes two functions: (1) IP and port address hopping: During the communication process between the secure terminal and the business system, the real IP and port addresses in the data packets are hopped to virtual addresses; (2) Virtualized gateway hopping: Based on IP and port address hopping, multiple virtualized gateways are constructed within a stealth gateway. Different virtualized gateways execute IP and port address hopping strategies with different parameters, dynamically changing the virtualized gateway providing services during communication, thereby increasing the complexity of address hopping and the difficulty for attackers to predict. Note that all virtualized gateways in the stealth gateway are simultaneously providing services for several different communication connections, that is, there is a one-to-one correspondence between communication connections and virtualized gateways. Virtualized gateway hopping refers to changing this correspondence, rather than transferring all services in one virtualized gateway to another virtualized gateway.

[0160] The control layer performs the following tasks: triggering transitions, selecting transition schemes, managing transition cycles, collecting network information, and issuing transition schemes.

[0161] (1) Jump Trigger: This is handled by the stealth controller and includes event-based triggering and period-based triggering. Period-based triggering defines a jump period to guide the jump behavior. In event-based triggering, the event refers to the number of security terminal authentication failure events counted by the stealth controller before the end of the current jump period exceeding a certain threshold. When an event occurs, the network is considered to face a significant security threat. At this time, regardless of whether the jump period has been reached, a jump is immediately performed and the jump period is reset.

[0162] (2) Jump cycle management: This is the responsibility of the stealth control tool. If the jump cycle is constant, it is not only difficult to determine the appropriate jump interval, but also easy for attackers who have been carrying out intrusion activities for a long time to discover the pattern. Therefore, this invention proposes a jump cycle dynamic adjustment strategy based on network security status. The current network security level is inferred based on the number of recent authentication failure events, and the jump cycle is flexibly adjusted.

[0163] (3) Hopping scheme selection: This is handled by the stealth management tool, including the selection of weighted random IP and port addresses based on address distance and the selection of virtualization gateways based on load and hopping overhead considerations;

[0164] (4) Network information collection: This is the responsibility of the stealth controller, including monitoring security authentication failure events, monitoring communication connection status, and collecting gateway load.

[0165] (5) Jump scheme distribution: The stealth controller is responsible for distributing the processing actions of data packets to network devices such as switches and stealth gateways in the form of flow tables;

[0166] The network layer includes various devices responsible for communication and executing mobile target defense plans issued by the control layer.

[0167] Figure 5 is a schematic diagram of the physical structure of an electronic device provided in an embodiment. As shown in Figure 5, the electronic device may include: a processor 510, a communication interface 520, a memory 530, and a communication bus 540, wherein the processor 510, the communication interface 520, and the memory 530 communicate with each other through the communication bus 540. The processor 510 can call logical instructions in the memory 530 to execute a stealth method for power information system networks based on moving target defense. This method includes: monitoring the working status of the power information system network and recording the number of security authentication failure events in the network in each cycle; matching corresponding transition trigger conditions according to the number of security authentication failure events; after the corresponding transition trigger conditions are met, selecting an IP address and port address based on an address-distance-based adaptive weighted random IP and port address selection strategy, and selecting a virtualization gateway based on a virtualization gateway selection strategy that comprehensively considers load and transition overhead; and performing a transition operation according to the selected IP address, port address, and virtualization gateway.

[0168] Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus necessary general-purpose hardware platforms, and of course, it can also be implemented by hardware. Based on this understanding, the above technical solutions, in essence or the part that contributes to the prior art, can be embodied in the form of a software product. This computer software product can be stored in a computer-readable storage medium, such as ROM / RAM, magnetic disk, optical disk, etc., including several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute the methods of various embodiments or some parts of embodiments.

[0169] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, and not to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features; and these modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims

1. A network stealth method for power information systems based on moving target defense, characterized in that it includes: monitoring the working status of the power information system network and recording the number of security authentication failure events in the network in each cycle, and matching the corresponding hop trigger conditions according to the number of security authentication failure events; after the corresponding transition trigger conditions are met, selecting the IP address and port address based on the adaptive weighted random IP and port address selection strategy based on address distance, and selecting the virtualization gateway based on the virtualization gateway selection strategy that takes into account both load and transition overhead; and performing the hopping operation based on the selected IP address, port address, and virtualization gateway; wherein selecting a virtualization gateway according to the virtualization gateway selection strategy that considers both load and switching overhead includes: when a new transition cycle begins, locating the virtualization gateway used in the previous transition cycle; counting the number of connections and the load carried by each virtualization gateway, and if the load of a virtualization gateway is 0, directly selecting that virtualization gateway as the one used in this cycle; based on a comprehensive strategy that considers both transition overhead and load, selecting the virtualization gateway with the highest transition performance and updating the network operating state matrix; the combined strategy for switching overhead and load selection being as follows: Target virtualization gateway ; ; the current load status of the virtualization gateway being defined as follows: ; where t represents the current transition period and t-1 the previous transition period, $\beta$ is the hop cost normalization coefficient, $a_{pq}$ represents the hopping cost between virtualization gateway p and virtualization gateway q, where p and q are virtualization gateway numbers, K is the set of virtualization gateways and k is the size of the virtualization gateway set, $\beta a_{jn}$ is the normalized hop overhead, $re_n$ is the resource required for virtualization gateway n to handle one communication connection, $Re_n$ is the resource limit of virtualization gateway n, $x_{i,j}(t)$ indicates whether communication i is served by virtualization gateway j during the transition period, and n is the optimal virtualization gateway that satisfies all constraints.

2. The method for stealth in power information system networks based on moving target defense according to claim 1, characterized in that, The step of matching the corresponding transition trigger condition based on the number of security authentication failure events includes: If the number of security events counted in this cycle is higher than the preset threshold before the end of the transition cycle, the event trigger condition is matched; otherwise, the cycle trigger condition is matched. After the event triggering conditions are met, an event-triggered transition is executed; After the periodic triggering condition is met, a periodic triggering transition is executed at the end of the current transition period.

3. The method for stealth in a power information system network based on moving target defense according to claim 1, characterized in that, The IP and port addresses change based on a first hopping cycle, and the virtualization gateway changes based on a second hopping cycle, and also includes: The first and second transition cycles are adaptively adjusted based on the detected threat events.

4. The network stealth method for power information systems based on moving target defense according to claim 3, characterized in that adaptively adjusting the first hopping cycle and the second hopping cycle according to the detected threat events includes: if the current hopping cycle is event-triggered and a threat event was detected in the previous hopping cycle, the hopping cycle is shortened according to the hopping cycle increment/decrement function, and if the previous hopping cycle was also event-triggered, the hopping cycle is shortened further; if no threat event is detected in the current hopping cycle, the hopping cycle is lengthened according to the hopping cycle increment/decrement function. The hopping cycle increment/decrement function is: ; where =0 indicates that this cycle is cycle-triggered, =1 indicates that this cycle is event-triggered, and i≥1.
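The trigger matching of claim 2 and the hopping cycle adjustment of claim 4, worked together as an added Python example that is not the patent's code. The increment/decrement function itself is absent from the page, so the multiplicative step, the doubled shortening after two consecutive event triggers, the unchanged period when a threat is seen without the shortening condition, and the lower/upper clamp on the period are all assumptions; the 0/1 encoding of the trigger type follows claim 4, and the per-cycle observations are constructed:

```python
"""Hop trigger matching (claim 2) and adaptive hop-cycle adjustment (claim 4).

Added example; not code from the patent. The page does not reproduce the
increment/decrement function, so the multiplicative step, the doubled
shortening for consecutive event triggers and the clamp bounds are assumptions.
"""
from typing import List, Tuple

CYCLE, EVENT = 0, 1   # claim 4 encodes a cycle-triggered hop as 0, event-triggered as 1


def match_trigger(auth_failures: int, threshold: int) -> int:
    """More authentication failures than the threshold within the cycle
    matches the event trigger; otherwise the cycle trigger applies."""
    return EVENT if auth_failures > threshold else CYCLE


def adjust_period(period: float, trig_now: int, trig_prev: int,
                  threat_prev: bool, threat_now: bool,
                  step: float = 0.2, t_min: float = 5.0, t_max: float = 120.0) -> float:
    """Assumed increment/decrement function: shorten by `step` (twice `step`
    after two consecutive event triggers), lengthen by `step` when no threat
    was seen this cycle, and keep the period inside [t_min, t_max]."""
    if trig_now == EVENT and threat_prev:
        factor = 1.0 - step
        if trig_prev == EVENT:
            factor = 1.0 - 2.0 * step      # consecutive event triggers: shorten more
        new_period = period * factor
    elif not threat_now:
        new_period = period * (1.0 + step)  # quiet cycle: relax the hop frequency
    else:
        new_period = period                 # threat seen, but no shortening condition met
    return max(t_min, min(t_max, new_period))


def run_cycles(initial_period: float, threshold: int,
               observations: List[Tuple[int, bool]]) -> List[Tuple[int, float]]:
    """Replay per-cycle (auth_failures, threat_detected) observations and
    return the trigger type and resulting hop period after each cycle."""
    period = initial_period
    trig_prev, threat_prev = CYCLE, False
    trace: List[Tuple[int, float]] = []
    for failures, threat in observations:
        trig_now = match_trigger(failures, threshold)
        period = adjust_period(period, trig_now, trig_prev, threat_prev, threat)
        trace.append((trig_now, round(period, 2)))
        trig_prev, threat_prev = trig_now, threat
    return trace


if __name__ == "__main__":
    # Constructed observations: a quiet cycle, a burst of failures, then calm.
    for trig, t in run_cycles(60.0, 5, [(0, False), (8, True), (9, True), (1, False)]):
        print("event" if trig == EVENT else "cycle", "trigger -> next period", t, "s")
```

The clamp matters operationally: without a floor, a sustained run of event triggers would drive the period toward zero and the hopping itself would become the availability problem; without a ceiling, a long quiet stretch would leave addresses static for arbitrarily long.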

5. The network stealth method for power information systems based on moving target defense according to claim 1, characterized in that the adaptive weighted random IP and port address selection strategy based on address distance includes: constructing a set of virtual IP addresses available for the connection, with set size m, and arranging the m IP addresses in order as M = {IP0, IP1, …, IPm-1}; creating a weight array W = [w0, w1, …, wm-1] and initializing each entry to n; keeping the size of the virtual address set unchanged throughout the communication, so that newly appearing available IPs are not added; if an address in the current set is occupied by another connection, a freed address is added to the set and inherits the weight of the occupied address; once the weight data is determined, the address configuration for this cycle is selected by the weighted random selection algorithm; and when the next hop is triggered, the weight array is updated and the virtual source and destination IP addresses selected for the current cycle are returned.

6. The network stealth method for power information systems based on moving target defense according to claim 5, characterized in that updating the weight array includes: let W' be the weight array of the previous hopping cycle; for each element of W', the new weight array is updated simultaneously with respect to the source and destination addresses using the following update formula: ; where is the weight of the i-th IP address in the current hopping cycle, m is the size of the virtualization gateway set, N is the initial weight value, and P determines the length of the adjacent address segment.
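An added Python example (not the patent's code) of the address-distance weighted random selection in claims 5 and 6: the fixed-size ordered set M, the weight array W initialized to N, the weighted random draw of a source/destination pair, the occupied-address replacement and a weight update. The update formula is not reproduced on the page, so the rule used here (addresses within distance P of a chosen one are suppressed, all others recover toward N by one step per hop) is an assumption, as are the sequential source-then-destination update and the sample address pool:

```python
"""Adaptive weighted random virtual IP selection based on address distance
(claims 5 and 6).

Added example; not code from the patent. The weight update rule below is an
assumption: the page names N (initial weight), m (set size) and P (adjacent
segment length) but does not reproduce the update formula, so addresses
within distance P of a chosen one are suppressed and all others recover
toward N by one step per hop.
"""
import random
from typing import List, Optional, Tuple


class AddressHopper:
    def __init__(self, addresses: List[str], initial_weight: int,
                 segment: int, seed: Optional[int] = None) -> None:
        self.M = list(addresses)            # ordered set M = {IP0, ..., IPm-1}, fixed size
        self.m = len(self.M)
        self.N = initial_weight             # every entry of W starts at N
        self.P = segment                    # length of the "adjacent address" segment
        self.W = [initial_weight] * self.m
        self.last: Optional[Tuple[int, int]] = None
        self.rng = random.Random(seed)

    def update_weights(self, chosen: int) -> List[int]:
        """Assumed distance-based rule: the chosen address and its neighbours
        closer than P get a low weight (floor 1 so they stay selectable);
        every other address recovers by one toward N."""
        new_w = []
        for i, w in enumerate(self.W):
            d = abs(i - chosen)             # address distance within the ordered set
            if d < self.P:
                new_w.append(max(1, self.N * d // self.P))
            else:
                new_w.append(min(self.N, w + 1))
        self.W = new_w
        return self.W

    def hop(self) -> Tuple[str, str]:
        """Claim 5 order: on a hop, first update W for the previous cycle's
        source and destination picks, then draw the new pair by weighted random choice."""
        if self.last is not None:
            for idx in self.last:
                self.update_weights(idx)
        src = self.rng.choices(range(self.m), weights=self.W, k=1)[0]
        dst_w = list(self.W)
        dst_w[src] = 0                      # source and destination must differ
        dst = self.rng.choices(range(self.m), weights=dst_w, k=1)[0]
        self.last = (src, dst)
        return self.M[src], self.M[dst]

    def replace_address(self, occupied_ip: str, freed_ip: str) -> None:
        """An address taken by another connection is swapped for a freed one,
        which inherits the occupied address's weight; the set size stays m."""
        i = self.M.index(occupied_ip)
        self.M[i] = freed_ip


if __name__ == "__main__":
    pool = [f"10.77.{i}.1" for i in range(8)]      # constructed virtual address pool
    hopper = AddressHopper(pool, initial_weight=10, segment=2, seed=7)
    for _ in range(3):
        print(hopper.hop(), hopper.W)
```

Keeping a floor of 1 on every weight is deliberate: a weight of 0 would let an observer rule out recently used addresses with certainty, whereas a low but non-zero weight only makes an immediate reuse unlikely.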

7. The network stealth method for power information systems based on moving target defense according to claim 1, characterized in that performing the hopping operation based on the selected IP address, port address and virtualization gateway includes: after the secure terminal passes security authentication at the stealth controller, it obtains the virtual destination address provided by the controller, uses its terminal information to address data packets to the business system, and sends the data packets to the directly connected user-side agent. After receiving a data packet, the switch matches it against its flow table and performs the address modification and forwarding given by the action of the matching flow table entry; if no matching flow table entry is found, the data packet is sent to the stealth controller in a Packet-In message. After receiving the Packet-In message, the stealth controller looks up the endpoint information mapping table to obtain the virtual source address corresponding to the real source address, generates the corresponding flow table entry and issues it to the switch. The user-side agent acts as the source switch for the secure terminal: the address modification action in its flow table replaces the real source address in the data packet with the virtual source address, and once the address information has been modified the data packet is forwarded through the port specified in the flow table action. The user-side agent modifies the address information of the data packet to the virtual source address and virtual destination address according to the flow table information issued by the stealth controller, and then forwards the data packet to the stealth gateway. The stealth gateway receives the data packet and, after it matches a flow table entry, changes the packet's IP address according to the action of that entry.
As the destination switch, the stealth gateway matches its flow table on the virtual source address and the virtual destination address, and its address modification action changes the virtual address of the business system to the real address, so that after modification the packet carries the virtual source address and the real destination address; the data packet is then sent to the business system. After receiving a packet from the secure terminal, the business system replies with a data packet carrying the virtual source address and the real destination address. After receiving data packets from the business system, the stealth gateway modifies their endpoint information to the virtual source and virtual destination addresses according to the flow table information and forwards them to the user-side agent. After receiving such a data packet, the user-side agent modifies its endpoint information to the real source address and the virtual destination address and forwards it to the secure terminal.
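The forwarding path of claim 7, as an added Python simulation that is not the patent's code: a user-side agent (source switch), a stealth gateway (destination switch) and a stealth controller that answers Packet-In messages from its endpoint information mapping table. The real and virtual addresses, the port names and the two-field match are constructed for the example; the points of interest are that the business system only ever sees the terminal's virtual address, that the terminal only sees the business system's virtual address, and that the Packet-In cost is paid once per direction and switch until the flows are installed:

```python
"""Address rewriting along the stealth path (claim 7): user-side agent, stealth
gateway and stealth controller with a Packet-In on flow-table miss.

Added example; not code from the patent. The endpoint mapping, port names and
the two-field match/rewrite layout are constructed to illustrate the claim.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Match = Tuple[str, str]   # (source address, destination address)


@dataclass
class Packet:
    src: str
    dst: str
    payload: str = ""


@dataclass
class FlowEntry:
    match: Match
    set_src: Optional[str]   # rewrite action; None leaves the field untouched
    set_dst: Optional[str]
    out_port: str


class StealthController:
    """Keeps the endpoint information mapping table (real <-> virtual)."""

    def __init__(self, real_to_virtual: Dict[str, str]) -> None:
        self.r2v = dict(real_to_virtual)
        self.v2r = {v: r for r, v in self.r2v.items()}
        self.packet_in_count = 0

    def handle_packet_in(self, switch: "Switch", pkt: Packet) -> FlowEntry:
        """Table miss: derive the rewrite from the mapping table and push a flow."""
        self.packet_in_count += 1
        if pkt.src in self.r2v:
            # A real source is leaving its switch: replace it by its virtual address.
            out = "to_gateway" if switch.role == "agent" else "to_agent"
            entry = FlowEntry((pkt.src, pkt.dst), self.r2v[pkt.src], None, out)
        else:
            # A virtual destination is arriving at its switch: restore the real one.
            out = "to_business" if switch.role == "gateway" else "to_terminal"
            entry = FlowEntry((pkt.src, pkt.dst), None, self.v2r[pkt.dst], out)
        switch.install(entry)
        return entry


class Switch:
    """Source switch (role 'agent') or destination switch (role 'gateway')."""

    def __init__(self, role: str, controller: StealthController) -> None:
        self.role = role
        self.ctrl = controller
        self.table: List[FlowEntry] = []

    def install(self, entry: FlowEntry) -> None:
        self.table.append(entry)

    def process(self, pkt: Packet) -> Tuple[Packet, str]:
        entry = next((e for e in self.table if e.match == (pkt.src, pkt.dst)), None)
        if entry is None:
            entry = self.ctrl.handle_packet_in(self, pkt)   # Packet-In to the controller
        return Packet(entry.set_src or pkt.src, entry.set_dst or pkt.dst, pkt.payload), entry.out_port


def round_trip(ctrl: StealthController, agent: Switch, gateway: Switch,
               terminal_real: str, business_real: str) -> Dict[str, Match]:
    """Request from terminal to business and the reply back, through both switches."""
    vdst = ctrl.r2v[business_real]                    # virtual destination handed to the terminal
    at_gateway, _ = agent.process(Packet(terminal_real, vdst, "req"))   # (vsrc, vdst)
    at_business, _ = gateway.process(at_gateway)                        # (vsrc, real business)
    reply = Packet(at_business.dst, at_business.src, "resp")            # business answers the virtual source
    at_agent, _ = gateway.process(reply)                                # (vdst, vsrc)
    at_terminal, _ = agent.process(at_agent)                            # (vdst, real terminal)
    return {"business_saw": (at_business.src, at_business.dst),
            "terminal_got": (at_terminal.src, at_terminal.dst)}


if __name__ == "__main__":
    # Constructed addresses: real 10.x hosts hidden behind 172.16.x virtual addresses.
    ctrl = StealthController({"10.1.1.10": "172.16.5.23", "10.2.2.20": "172.16.9.77"})
    agent, gateway = Switch("agent", ctrl), Switch("gateway", ctrl)
    print(round_trip(ctrl, agent, gateway, "10.1.1.10", "10.2.2.20"))
    print("Packet-In messages:", ctrl.packet_in_count)
```

Because flows are keyed on the exact (source, destination) pair, every address hop invalidates the installed entries and the next packet triggers a fresh Packet-In; that is the mechanism claim 8 relies on when it talks about pushing new rules and then discarding the old entries on the previous gateway.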

8. The network stealth method for power information systems based on moving target defense according to claim 1, characterized in that performing the hopping operation based on the selected IP address, port address and virtualization gateway includes: after receiving a communication request from a secure terminal, the stealth controller issues new flow table rules to the network devices on the routing path, steering the data packets to the virtualization gateway used in this cycle; after waiting for the longest transmission delay, the stealth controller issues a command requesting the virtualization gateway used in the previous cycle to discard its old flow table entries.

9. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that, when the processor executes the program, it implements the network stealth method for power information systems based on moving target defense according to any one of claims 1 to 8.