A network security defense method based on dynamic camouflage
By dividing the cluster system nodes into three categories and setting dynamic IP hopping cycles, a dynamic masquerading network environment is constructed, which solves the problem that existing static masquerading techniques are easily detected and achieves effective defense against network attacks.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- BEIJING INST OF COMP TECH & APPL
- Filing Date
- 2025-08-26
- Publication Date
- 2026-07-07
AI Technical Summary
Most existing network spoofing techniques are statically configured, lack real-time response capabilities, and the spoofed environment does not match the behavioral characteristics of the real system, making them easy for experienced attackers to detect, thus rendering the deception ineffective and making it difficult to effectively deal with new types of network attacks.
The nodes in the cluster system are divided into three categories: real hosts, low-interaction honeypots, and high-interaction honeypots. Different IP hopping cycles are set, and the IP addresses are dynamically adjusted through the hopping scheduling module. Combined with the session tracking mechanism, smooth migration is achieved, thus constructing a dynamic masquerading network environment.
It enhances the cluster system's ability to resist network attacks, improves deception through dynamic camouflage, and effectively defends against various network attacks.
Smart Images

Figure CN121000459B_ABST
Abstract
Description
Technical Field
[0001] This invention belongs to the interdisciplinary technical field of network information warfare and security protection, and specifically relates to a network security defense method based on dynamic camouflage. Background Technology
[0002] With the rapid development of technologies such as cloud computing, the Internet of Things, and big data, cyberattacks are becoming increasingly complex and intelligent, seriously threatening the security of information systems. Traditional security protection methods, such as firewalls and intrusion detection systems (IDS), are mostly passive defenses, often unable to effectively cope with new and unknown attacks, and suffer from an "attack-defense asymmetry" problem.
[0003] Network masquerading, as a proactive defense strategy, has attracted increasing attention from researchers in recent years. By altering the network characteristics exposed to the outside world, such as IP address, operating system type, and network topology, it confuses attackers and induces them to make incorrect judgments, thereby enhancing system security. However, most existing masquerading techniques are statically configured, lacking real-time response capabilities, and the masquerading environment does not match the behavioral characteristics of the real system, making it easily detectable by experienced attackers and leading to deception failure. Therefore, researching a dynamic network masquerading method is essential. Summary of the Invention
[0004] (a) Technical problems to be solved
[0005] The technical problem to be solved by this invention is to provide a network security defense method to enhance the ability of a cluster system to resist network attacks.
[0006] (II) Technical Solution
[0007] To address the aforementioned technical problems, this invention provides a network security defense method based on dynamic camouflage, characterized by comprising the following steps:
[0008] Step 1. Node type, transition frequency configuration, and address resource grouping management
[0009] During system initialization, nodes are first categorized into three roles: real host nodes, low-interaction honeypot nodes, and high-interaction honeypot nodes. Different IP hopping cycles are set for different roles: real host nodes use a fixed 30-minute cycle, low-interaction honeypot nodes use a 5-minute cycle, and high-interaction honeypot nodes initially have a 5-minute cycle, which is automatically extended to over 20 minutes after detecting continuous abnormal interaction behavior (such as multiple login attempts or long command sessions). This mechanism creates a staggered camouflage of hopping behavior between nodes over time, enhancing the defense layer.
[0010] To ensure the orderliness of address management and the accuracy of conflict detection, the system statically groups the address space during initialization, with each node bound to an address group.
[0011] Step 2. Switching between schedules and IP addresses
[0012] The system includes a transition scheduling module in the controller. After initialization, this module polls the status of each node every minute based on the system clock. By comparing the current time with the node's last transition time, it determines whether to trigger a transition operation. The transition operation involves selecting an unassigned virtual IP address from the address group to which the target node belongs, dynamically adding it to the node's network namespace, setting the old IP address to keep alive for 3 minutes, and achieving transparent forwarding through the IP forwarding table to ensure uninterrupted connection during the transition process.
[0013] Before the jump, perform IP checks on the resources to prevent conflicts after the jump:
[0014] The controller invokes the ARP mechanism to perform reachability probes on the target node's IP address. If the new IP address to be used is already in use, it replaces the address or calls the backup address pool to replenish resources. The resource reclamation module scans and releases IP addresses that are no longer connected and have exceeded their keep-alive period every 10 minutes, and the reclamation operation simultaneously cleans up the IP forwarding table in the system.
[0015] During the transition operation, session persistence optimization strategies are executed to ensure smooth service operation:
[0016] To achieve a smooth migration of connection states, the system adopts a dual IP address coexistence mechanism and uses a session tracking mechanism to synchronize the TCP connection state to the new IP address environment, while broadcasting GARP messages to refresh the ARP cache of neighboring devices.
[0017] The present invention also provides a system for implementing the method.
[0018] (III) Beneficial Effects
[0019] This invention provides a network security defense method based on dynamic camouflage, which can construct a dynamically changing camouflaged network environment, simulate real network behavior characteristics, and enhance the deceptiveness of the network by using a frequency-adjustable address hopping mechanism, thereby effectively enhancing the cluster system's ability to resist various network attacks. Attached Figure Description
[0020] Figure 1 Network topology diagram;
[0021] Figure 2 This is a flowchart of a multi-frequency switching process;
[0022] Figure 3 This is a sequence diagram of the session migration. Detailed Implementation
[0023] To make the objectives, contents, and advantages of the present invention clearer, the specific embodiments of the present invention will be described in further detail below with reference to the accompanying drawings and examples.
[0024] This invention proposes a network security defense method based on dynamic camouflage. It can construct a dynamically changing camouflaged network environment, simulate real network behavior characteristics, and utilize a frequency-adjustable address hopping mechanism to enhance network deception, effectively strengthening the system's resistance to various network attacks. The system network topology is as follows: Figure 1 As shown, the method includes the following steps:
[0025] Step 1. Node type, transition frequency configuration, and address resource grouping management
[0026] The system divides the computing nodes in the cluster into three categories: real host nodes, low-interaction honeypot nodes, and high-interaction honeypot nodes. The node type remains stable throughout the node's lifecycle.
[0027] The actual host nodes handle core business services, and their IP hopping cycle is fixed at 30 minutes to ensure the continuity of business communication. In these nodes, the controller (which manages all nodes in a unified manner) does not enable behavior triggering mechanisms, but only determines whether to hop based on periodic polling.
[0028] Low-interaction honeypot nodes run lightweight emulation services, such as simulating web servers or fake DNS resolvers. These nodes are configured to hop every 5 minutes, with the system checking the hop status every 5 minutes and triggering an IP switch operation to expand the masquerading attack surface.
[0029] High-interaction honeypot nodes deploy interactive simulated business environments, such as SSH services with full terminal responses. The initial transition period for these nodes is also set to 5 minutes. The embedded session detection module continuously monitors the external connection behavior of these nodes. When any of the following conditions (abnormal interactive behavior) occur, the system will automatically extend the transition period of the node to 20 minutes or longer:
[0030] More than 3 login attempts were recorded within a single IP hopping cycle;
[0031] There are instances where a single session connection lasts for more than 5 minutes.
[0032] The IP hop cycle adjustment policy adopts an immediate effect mechanism, does not rely on manual intervention, and the IP hop cycle adjustment record will be automatically written to the controller event log for easy post-event auditing and analysis.
[0033] Step 2. Switching between schedules and IP addresses
[0034] The controller has an internal IP hopping scheduler based on the system clock, which polls the status of all nodes every minute by default. The hopping scheduler compares the current time with the timestamp of the node's most recent hopping to determine whether the node's set IP hopping cycle has been reached. If the condition is met, the node is added to the hopping task queue.
[0035] The jump task is completed by an execution thread driven by the jump scheduler. During execution, the controller first reads the address binding information of the target node and selects an unassigned address from its address group as the new virtual IP address. The address group consists of 6 consecutive IP address ranges, such as 192.168.100.10 to 192.168.100.15.
[0036] After selecting a new virtual IP address, the new virtual IP address is dynamically added to the network namespace of the target node and attached to the existing virtual network interface. The original IP address is not immediately removed but enters a 3-minute keep-alive phase. During this keep-alive phase, the system transparently forwards traffic from the old IP address to the new virtual IP address using DNAT rules, ensuring uninterrupted network traffic. This forwarding rule is set in the IP forwarding table and has an automatic expiration time.
[0037] After the transition is complete, the controller immediately updates its internally maintained address mapping table, which contains the node's unique identifier, current IP address, address group number, and transition time information. Simultaneously, the controller broadcasts a route refresh command to the node, making the system's forwarding table entries effective immediately.
[0038] The entire transition process is recorded in the controller log module. If the transition fails or an address conflict occurs, the system will automatically revert to the previous state and archive the error information. The transition process is as follows: Figure 2 As shown.
[0039] Before the jump, perform IP checks on the resources to prevent conflicts after the jump:
[0040] This invention employs a grouped static address management strategy. During system initialization, the IP address range is divided into several contiguous segments, each containing six IP addresses. Each node binds to an address group upon initial registration, and this binding relationship is persistently stored in the controller configuration.
[0041] Before the transition, the controller performs conflict detection on the target node's IP address. Conflict detection is performed on the node side, primarily using ARP probing to determine if the address is already in use. If the target node's IP address returns a response, it indicates a conflict exists, and the system will select a new IP address. If all addresses in the address group are unavailable, the controller will call the backup address pool to replenish the address and update the binding relationships.
[0042] Every 10 minutes, the system initiates a resource reclamation task, scanning all old IP addresses that have ended their keep-alive period. If an old IP address does not have any active connections 5 minutes after the keep-alive period expires, the system will proactively delete the old IP address configuration and clear the forwarding rules in its IP forwarding table. This process simultaneously clears the node's memory space usage, ensuring effective release of address resources.
[0043] During the transition operation, session persistence optimization strategies are executed to ensure smooth service operation:
[0044] To minimize service interruptions during the hopping process, this invention employs a dual IP address coexistence and session migration mechanism. During the hopping process, the new and old IP addresses coexist for 3 minutes. During this period, the system establishes traffic forwarding rules for the old IP address, directly redirecting connection requests received by the old IP address to the port corresponding to the new IP address, achieving a smooth transition. The session migration process is as follows: Figure 3 As shown.
[0045] To achieve seamless migration of TCP session states, the system extracts the TCP connections of all current nodes through a session tracking mechanism and synchronizes the connection information to the new IP address environment. After synchronization, the controller broadcasts a GARP message to update the local area network ARP cache, preventing communication failures due to address resolution cache errors.
[0046] As can be seen, this invention proposes a network security defense method based on dynamic camouflage, which can construct a dynamically changing camouflaged network environment. Different IP address hopping cycles are set for real host nodes, low-interaction honeypot nodes, and high-interaction honeypot nodes to form staggered camouflage, enhancing the system's deceptiveness, increasing the difficulty for attackers to detect and identify real nodes, and strengthening the system's resistance to network attacks.
[0047] The above description is only a preferred embodiment of the present invention. It should be noted that for those skilled in the art, several improvements and modifications can be made without departing from the technical principles of the present invention, and these improvements and modifications should also be considered within the scope of protection of the present invention.
Claims
1. A network security defense method based on dynamic camouflage, characterized in that, Includes the following steps: Step 1. Configure node type and hopping frequency, and manage address resource groups. During initialization, the cluster system first classifies nodes into three roles: real host nodes, low-interaction honeypot nodes, and high-interaction honeypot nodes. Different IP hopping cycles are set for nodes with different roles: real host nodes use a fixed cycle of A minutes, low-interaction honeypot nodes use a cycle of B minutes, and high-interaction honeypot nodes have an initial cycle of B minutes, which is automatically extended to more than C minutes after continuous abnormal interaction behavior is detected; A>C>B. During system initialization, the address space is statically grouped, with each node bound to an address group; Step 2. Switching between schedules and IP addresses The system has a jump scheduler. After initialization, the jump scheduler polls the status of each node every minute based on the system clock. By comparing the current time with the node's last jump time, it determines whether to trigger a jump operation. The jump operation includes selecting an unassigned virtual IP address from the address group to which the target node belongs, dynamically adding it to the node's network namespace, setting the old IP address to keep alive for D minutes, and achieving transparent forwarding through the IP forwarding table to ensure that the connection is not interrupted during the jump process.
2. The method as described in claim 1, characterized in that, Before the transition, the IP address of the resource is also checked: The ARP mechanism is invoked to perform reachability detection on the target node's IP address. If the new IP address to be used is already in use, the address is replaced or the backup address pool is called to replenish resources. Every 10 minutes, IP addresses that have no connection and have exceeded the keep-alive period are scanned and released. The reclamation operation simultaneously cleans up the IP forwarding table in the system.
3. The method as described in claim 1, characterized in that, During the transition operation, a session persistence optimization strategy is implemented: to achieve a smooth migration of connection state, the system adopts a dual IP address coexistence mechanism and synchronizes the TCP connection state to the new IP address environment through a session tracking mechanism, while broadcasting GARP messages to refresh the ARP cache of neighboring devices.
4. The method as described in claim 1, characterized in that, The three node types remain stable throughout the node's lifecycle; The real host nodes undertake the preset core business services; the system uses a controller to uniformly manage all nodes. In the real host nodes, the controller does not enable the behavior triggering mechanism, but only determines whether to change based on periodic polling. The real host nodes use a fixed period of 30 minutes; The low-interaction honeypot node runs a lightweight simulation service. The system checks the transition status of the low-interaction honeypot node every 5 minutes and triggers an IP switching operation to expand the masquerading attack surface. The high-interaction honeypot node deploys an interactive simulation business environment. The system continuously monitors the external connection behavior of the high-interaction honeypot node. When any of the following abnormal interactive behaviors occur, the system will automatically extend the node's transition period to more than 20 minutes: More than 3 login attempts were recorded within a single IP hopping cycle; There are instances where a single session connection lasts for more than 5 minutes.
5. The method as described in claim 1, characterized in that, In step 2, the hopping scheduler determines whether to trigger the hopping operation based on the following conditions: whether the IP hopping cycle set by the node has been reached. If the condition is met, the node is added to the hopping task queue, and the hopping operation is triggered. The jump task is completed by the execution thread driven by the jump scheduler; During execution, the controller first reads the address binding information of the target node and selects an unassigned address from its address group as the new virtual IP address; the address group consists of 6 consecutive IP address ranges. After selecting a new virtual IP address, the new virtual IP address is dynamically added to the network namespace of the target node and mounted to the existing virtual network interface card. The original IP address is not removed immediately, but enters a 3-minute keep-alive phase. During the keep-alive phase, the system transparently forwards the traffic of the old IP address to the new virtual IP address through DNAT rules. The forwarding rules are set in the IP forwarding table and have an automatic expiration time. After the transition is completed, the controller immediately updates the internally maintained address mapping table, which contains the node's unique identifier, current IP address, address group number, and transition time information. At the same time, the controller broadcasts a route refresh command to the node, making the system forwarding table entries effective immediately.
6. The method as described in claim 1, characterized in that, During system initialization, the IP address range is divided into several contiguous segments, each containing 6 IP addresses; each node binds to an address group after its initial registration, and this binding relationship is persistently stored in the controller's configuration. IP detection is performed on the node side, using the ARP detection mechanism to determine whether the address has been occupied. If the target node's IP address returns a response, it indicates that a conflict exists, and the system will select a new IP address. If all addresses in the address group are unavailable, the controller will call the backup address pool to replenish the addresses and update the binding relationships. Every 10 minutes, the system initiates a resource reclamation task to scan all old IP addresses that are in the end of the keep-alive period. If an old IP address does not have an active connection after 5 minutes of the keep-alive period, the system will actively delete the configuration of the old IP address and clear the forwarding rules in its IP forwarding table.
7. The method as described in claim 1, characterized in that, During the transition, the new and old IP addresses coexist for 3 minutes. During this period, the system establishes traffic forwarding rules for the old IP address, directly redirecting connection requests received by the old IP address to the port corresponding to the new IP address, thus achieving a smooth transition. To achieve seamless migration of TCP session states, the system extracts the TCP connections of all current node connection states through a session tracking mechanism and synchronizes the connection information to the new IP address environment. After synchronization is complete, the controller broadcasts a GARP message to update the local area network ARP cache to prevent communication failures due to address resolution cache errors.
8. The method as described in claim 1, characterized in that, This method is applied in network information warfare and security protection.