A power industrial control security protection system and method based on microkernel active defense
The microkernel-based power industrial control security protection system solves the problems of single-point failure and easy penetration of isolation boundaries in power industrial control systems under unknown vulnerabilities and advanced persistent threats, realizes the system's reliability and recoverability, and improves the ability to suppress unknown attacks and the ability to operate continuously.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- NARI INFORMATION & COMM TECH
- Filing Date
- 2026-03-30
- Publication Date
- 2026-06-09
AI Technical Summary
Power industry control systems are prone to single-point failures under unknown vulnerabilities and advanced persistent threats. Isolation boundaries are easily penetrated, control plane failures lack recoverable paths and inconsistent adjudication, and existing dynamic heterogeneous redundancy solutions have problems such as easy breach of isolation boundaries and large platform attack surfaces.
A power control security protection system based on microkernel active defense is adopted. Through the microkernel isolation base and revocable control, an independent protection domain is constructed to realize request distribution, arbitration and execution scheduling. Combined with strong isolation and controllable permissions, it provides clear failure handling paths and dynamic redundancy mechanisms to improve system reliability and anti-interference capabilities.
It enhances the security and recoverability of power industrial control systems, reduces the risk of unknown vulnerabilities and long-term latent attacks, improves the unpredictability and anti-interference capabilities of the system, and meets high availability requirements.
Smart Images

Figure CN122179216A_ABST
Abstract
Description
Technical Field
[0001] This invention belongs to the field of power industry control system security protection technology, and relates to a power industry control system security protection system and method based on microkernel active defense. Specifically, it relates to a power industry control system security protection method and system based on microkernel and dynamic heterogeneous redundancy (DHR) mechanism. It addresses the continuous secure operation requirements of industrial control systems (ICS) under conditions of unknown vulnerabilities and advanced persistent threats (APT). By organizing multiple execution entities for parallel processing and result adjudication through dynamic heterogeneous redundancy, and combining a strongly isolated operating base and a closed-loop reconstruction mechanism, it achieves enhanced security and improved failure handling capabilities for critical control links. Background Technology
[0002] Power industry control systems typically need to operate continuously under long-term, high-availability constraints, and bear the brunt of critical links such as field data acquisition, control decision-making, and execution. With the development of interconnected networks, remote operation and maintenance, and the introduction of third-party components, the system's exposure surface has expanded, and attack methods have become more covert, interconnected, and persistent. Simply relying on known feature detection, patching, or boundary isolation is insufficient to cover the full lifecycle risks posed by unknown vulnerability exploitation, supply chain poisoning, and long-term latent attacks. To improve the ability to suppress unknown attacks, existing proactive defense methods generally employ a dynamic heterogeneous redundancy strategy. This involves assigning the same function or task to multiple functionally equivalent but differently implemented executors for parallel processing, and then using input distribution and output adjudication mechanisms to converge the results, thereby reducing the probability of attackers gaining stable control by exploiting a unified vulnerability. To achieve dynamic heterogeneous redundancy, the following prerequisites must be met: First, the system must have multiple functionally equivalent but different implementation paths, such as code source versions or algorithm paths, to reduce the risk of synchronization failure caused by common-source defects; Second, the system must be dynamic, capable of dynamically combining different implementations, so that when one instance is compromised or fails, other instances can still continue to execute tasks to avoid overall system collapse; Third, the system must have redundancy and fault tolerance. Through redundant instances and adjudication mechanisms, even if some implementations are attacked or abnormal, the system can still output relatively reliable results and maintain operational stability. Despite the significant security advantages and achievements of proactive defense technologies based on dynamic heterogeneous redundancy, the following key challenges remain in engineering implementation scenarios, even with the aforementioned execution layer conditions: First, the implicit premise of long-term stability and reliability of the control plane is strong. Existing research generally assumes that control plane modules are always reliable and stable. However, when these critical modules are attacked, crash, or run out of resources, the system often lacks clear failure safety mechanisms and recovery paths. Second, the isolation requirements between execution entities are easily weakened. If isolation is insufficient, attackers may use compromised instances to affect other instances or critical modules, thereby undermining the security benefits of redundant structures. Third, the attack surface of the implementation platform is relatively large. Many solutions rely on monolithic kernel operating systems, virtual machines, or container platforms to carry multiple execution entities and adjudication scheduling logic, resulting in high platform complexity and a large number of potential vulnerabilities, which increases the risk of isolation boundaries being breached.
[0003] The aforementioned issues indicate the need to introduce a microkernel-based strong isolation framework and revocable control on the basis of dynamic heterogeneous redundancy, forming an active defense operating base to address the systemic risks caused by control plane failure and breach of isolation boundaries. Summary of the Invention
[0004] Purpose of the invention: The purpose of this invention is to provide a microkernel-based active defense power control system that can solve the problems of single-point failure, easy penetration of isolation boundaries, lack of recoverable paths for control plane failures, and lack of usable output ports under conditions of inconsistent adjudication or partial timeout in power industrial control systems (ICS) under unknown vulnerability and advanced persistent attack scenarios.
[0005] Another objective of this invention is to provide a method for power control system security protection.
[0006] The technical solution of this invention is: a power control system security protection system based on microkernel active defense, comprising: User-mode security protection service cluster: includes input / output service, input module, request distribution service, online user-mode service cluster, consistency arbitration service, output module, execution body scheduling service and candidate protection domain pool; The input module, request distribution service, consistency arbitration service, execution entity scheduling service, and online user-mode service cluster each execution entity instance runs in a mutually isolated protection domain and corresponds to an independent virtual address space and an independent set of powers; The input module receives the request, generates a request identifier, and then sends it to the request distribution service. The request distribution service distributes the same request to an odd number of online execution instances; The online user-space service cluster is connected to the consistency arbitration service to send back multiple candidate results; The consistency arbitration service generates a single, publicly available arbitration result within the arbitration time window and sends feedback metrics to the execution body scheduling service. The execution scheduling service selects candidate executions from the candidate protection domain pool based on feedback indicators and performs controlled replacement or reconstruction of the online user-mode service cluster through the system call interface layer. Security Base Interface Layer: Includes system call interface layer and cross-protection domain communication interface; The system call interface layer is used to provide a controlled entry point to the user space, realize the creation or destruction of protection domains, the loading or unloading of service instances, the binding or revocation of power objects, and the registration or cancellation of interruption notifications, and uniformly constrain the call parameter verification, power check, audit trail and frequency constraints. The cross-protection domain communication interface is used to provide a message channel based on the communication endpoint between different protection domains and to establish a controlled shared memory mapping channel under the authorization of the authority. Microkernel isolation base: Located in kernel mode, it provides the minimum kernel capabilities for address space and memory management, thread and scheduling, inter-process communication and interrupt management, including functional subsystems and active defense kernel mode support modules; The power subsystem is used to authorize, verify, derive, and revocable control the permissions of communication endpoints, notification objects, controlled shared memory mappings, and kernel objects related to protection domains. When critical user-mode services such as request distribution service, consistency arbitration service, or execution body scheduling service fail, the proactive defense kernel-mode support module performs a fallback cleanup process and puts the system into a rebuild state.
[0007] Furthermore, the online user-mode service cluster in the user-mode security protection service cluster consists of multiple mutually isolated protection domains, each protection domain corresponding to an independent virtual address space and an independent set of permissions; The consistency arbitration service distinguishes candidate results into two categories: discrete consistency and continuous consistency. Discrete consistency determines the main candidate cluster by performing normalization and serialization on the candidate results, calculating the summary, clustering and voting. Continuous consistency forms a consistent cluster by a distance threshold and determines the main candidate cluster by the support of the consistent cluster. When the main candidate cluster meets the majority threshold, the representative value of the main candidate cluster is used as the single decision result output available to the outside world. When the majority threshold is not met or there is a timeout leading to insufficient convergence, the backoff decision result is used as the single decision result output available to the outside world, and anomaly labels are generated to characterize the degree of inconsistency. The execution entity scheduling service is used to select candidate execution entity instances from the candidate protection domain pool and load them into a new protection domain, so that the candidate execution entity instances can be added to the online user-mode service cluster to form or update the online instance set. It adopts a scheduling strategy that combines periodic rotation and event triggering. Periodic rotation is used to maintain the dynamic heterogeneous combination of the online user-mode service cluster, and event triggering is used to trigger adjustments when the difference rate increases, the confidence level decreases, or the size of the abnormal execution entity set reaches a threshold.
[0008] Furthermore, the feedback metrics include difference rate, timeout level, confidence level, anomaly label, and set of anomaly execution bodies. The set of abnormal executors is obtained by the consistency arbitration service based on the deviation and timeout information of the candidate results from the arbitration output, and is used as the direct input for the executor scheduling service to remove and replace them.
[0009] Furthermore, the controlled replacement first completes the loading and health check of the candidate executor within the new protection domain, then switches the distribution strategy of the request distribution service, and finally revokes the powers held by the replaced executor and reclaims its resources.
[0010] Furthermore, the cross-protection domain communication interface in the security base interface layer includes an inter-process communication channel based on the communication endpoint, and establishes a controlled shared memory mapping channel under the authorization of the authority, which is used to carry large-scale business payloads or batch candidate results while maintaining address space isolation.
[0011] Furthermore, the proactive defense kernel-mode support module in the microkernel isolation base triggers a fallback cleanup process when it detects a crash, unauthorized access, abnormal system call, or prolonged unresponsiveness in the request distribution service, the consistency arbitration service, or the execution scheduling service. The fallback cleanup process includes: revoking execution authority to reclaim the communication endpoint and notification object permissions held by the abnormal protection domain; performing address space reclamation and mapping cleanup to revoke the controlled mapping relationship of the abnormal protection domain; terminating the execution context of the abnormal protection domain; and recording audit evidence and event summaries.
[0012] Furthermore, a microkernel-based active defense security protection method for power industry control systems, applied to the aforementioned system, includes the following steps: Step (101) The system starts and completes the protection domain initialization, and starts the input module, request distribution service, online user space service cluster, consistency arbitration service, output module, I / O service and execution body scheduling service. It loads the first batch of online execution bodies according to the candidate protection domain pool, where the number of online execution bodies is an odd number greater than or equal to 3. Step (102) involves the I / O service accessing field data or service requests; Step (103) involves the input module standardizing the access data and generating a request identifier before sending it to the request distribution service; Step (104) involves the request distribution service distributing the same request in parallel to multiple online execution instances based on the list of online instances provided by the execution scheduling service; Step (105) involves online execution instances processing requests in parallel within their respective protection domains and sending candidate results back to the consistency arbitration service; Step (106) The consistency arbitration service performs consistency determination on the candidate results within the arbitration time window and generates a single ruling output that can be used externally. At the same time, it generates feedback indicators such as difference rate, timeout level, confidence level, anomaly label and anomaly execution body set and sends them to the execution body scheduling service. Step (107) involves the output module publishing the single decision output; Step (108) involves the execution body scheduling service performing controlled replacement and reconstruction of the online user-mode service cluster based on feedback indicators, either by cycle rotation or event triggering. When critical user-mode services such as request distribution service, consistency arbitration service, or execution body scheduling service fail, the kernel is triggered to perform fallback cleanup and enter a rebuildable state.
[0013] Furthermore, when determining consistency, the consistency arbitration service generates an anomaly score based on the deviation of the candidate results from the arbitration output and the timeout information, and obtains a set of abnormal executors based on the relationship between the anomaly score and the threshold. The set of abnormal execution bodies is used by the execution body scheduling service to determine the removal priority and replacement range.
[0014] Furthermore, when the execution scheduling service selects candidate executions from the candidate protection domain pool, it forms a candidate score based at least on the heterogeneous attributes and health availability markers of the candidate executions, and selects the candidate execution with the best score for replacement. The controlled replacement and reconstruction includes at least the address space configuration, communication endpoint configuration, and controlled memory mapping configuration of the new protection domain, and synchronously updates the online instance list and distribution strategy parameters of the request distribution service.
[0015] Furthermore, when critical user-mode services such as request distribution service, consistency arbitration service, or execution body scheduling service crash, access exceed, make abnormal system calls, or remain unresponsive for an extended period, kernel fallback cleanup is triggered. After the kernel fallback cleanup is completed, the system enters a reinitializable and reconstructable state, and the user-mode initialization and scheduling mechanism restarts the request distribution service, consistency arbitration service, and execution body scheduling service according to the startup sequence, and rebuilds the online user-mode service cluster based on the candidate protection domain pool.
[0016] This invention utilizes a microkernel Trusted Computing Base (TCB), also known as a microkernel isolation base, combining strong isolation and controllable permission security features to provide a more suitable runtime base and recoverable path for proactive defense against dynamic heterogeneous redundancy. By streamlining core functions and retaining only basic mechanisms such as scheduling, inter-process communication (IPC), and memory management, the microkernel implements complex strategies and business logic in user-space modules and achieves minimum permission and revocable permission control through a capability model, thereby achieving the following objectives: First, key control plane modules such as request distribution service, consistency arbitration service, and execution body scheduling are separated from the execution body and configured with independent protection domains. This enables controlled cleanup and reconstruction within the isolation boundary when key modules are attacked or crashed, forming a clear failure handling path. Second, by using independent address spaces and controlled communication channels, strict constraints are placed on the access of different executors and their resources to avoid the lateral impact of an abnormality in a single executor on other executors or the control plane. Third, by minimizing the kernel design, the complexity of the underlying system and the potential vulnerability exposure surface are reduced, thereby enhancing the overall trustworthiness of the system; Fourth, under the strong isolation support of the microkernel isolation base, the combination of dynamic heterogeneous redundancy and consistency arbitration can improve the unpredictability of the attack surface and the running path, weaken the reusability of the same source vulnerability and the formation of a stable control link, making it difficult for attackers to obtain continuous effective output through single point of attack, thereby reducing the risk of the system being continuously manipulated.
[0017] Beneficial effects: Compared with the prior art, the present invention has the following significant advantages: It solves the problems of difficult construction of isolation domain and lack of controlled recovery path in dynamic heterogeneous redundancy active defense by using a microkernel isolation base, highlighting the innovation of the present invention in terms of security and recoverability; at the same time, it improves the uncertainty of attack surface and suppresses the risk of lateral influence and common mode failure by using dynamic heterogeneous redundancy and consistency arbitration, thereby improving the anti-interference ability and continuous operation capability against unknown vulnerabilities and long-term latent attacks while meeting the high availability requirements of power industrial control systems. Attached Figure Description
[0018] Figure 1 This is a schematic diagram of the overall architecture of the present invention; Figure 2 This is the overall system flowchart of the present invention; Figure 3 This is a flowchart of the online executor reconstruction and rotation process driven by the adjudication feedback in this invention; Figure 4 This is a flowchart of the kernel fallback cleanup and rebuildable recovery process when a critical user-mode service fails in this invention; Figure 5 This is a Monte Carlo simulation diagram comparing the probability of system breach under the assumption of homogeneity and independence between the multi-executor consistency arbitration scheme and the traditional single-executor scheme in this embodiment of the invention. Figure 6 This is a Monte Carlo simulation diagram showing the change in the probability of system breach under the condition of introducing a common mode failure trigger probability parameter, which is a multi-executor consistency arbitration mechanism based on a microkernel isolation base in an embodiment of the present invention. Detailed Implementation
[0019] The specific technical solution of the present invention will be further described in detail below with reference to specific examples.
[0020] As shown in the figure, this embodiment provides a power control security protection system based on microkernel active defense. The system uses a microkernel isolation base as the minimum trusted computing base. Through the power subsystem, it binds cross-protection domain communication endpoints, controlled shared memory mapping, and operation permissions of key kernel objects related to the protection domain to the target protection domain in a revocable manner, so that the construction of isolation domains, online replacement, and revocation of permissions have a convergent foundation. The method constructs a business link of input parallel execution, adjudication, and output in user space, and introduces a closed-loop scheduling and controlled reconstruction mechanism driven by adjudication feedback. The system outputs the main candidate result when the majority consensus is established, and still outputs the fallback adjudication result and generates an abnormal label and an abnormal execution body set when the majority consensus is not established or there are partial timeouts leading to insufficient convergence. This drives the execution body scheduling service to perform periodic rotation and event triggering adjustment. When key user-space services such as request distribution service, consistency arbitration service, or execution body scheduling service fail and cannot complete fault convergence in user space, the active defense kernel-space support module performs minimum fallback cleanup and enters a rebuildable state, thereby forming an isolated, convergent, and recoverable active defense closed loop. Specifically, such as Figure 1 As shown in the figure (which illustrates the composition and relationships between the microkernel basic capabilities and active defense kernel-mode support modules, security base interface layer, and user-mode input modules, request distribution services, online user-mode service clusters, consistency arbitration services, output modules, I / O services, execution scheduling services, and candidate protection domain pools, as well as the business data flow, control / event flow, and cross-protection domain communication relationships), the system comprises three domains: microkernel isolation base, security base interface layer, and user-mode security protection service cluster. The microkernel isolation base provides minimal kernel capabilities such as address space and memory management, thread and scheduling, inter-process communication mechanisms, and interrupt management. It also authorizes, verifies, and revoks control of cross-domain communication endpoints, threads, and object capabilities through a power subsystem to achieve strong isolation boundaries between different protection domains. Furthermore, the request distribution service, consistency arbitration service, and execution entity scheduling service, as proactive defense control plane modules, are configured at the same level as online execution entity instances as independent protection domains and bound to independent power sets. This allows control plane failures to be isolated, revoked, and restored. The kernel mode (microkernel isolation base) provides a minimal trusted computing base and mandatory isolation capabilities, exposing basic mechanisms such as scheduling, clock, memory management, power control, inter-process communication primitives, and interrupts. Other policy logic is implemented in user mode. In this embodiment, the kernel mode (microkernel isolation base) includes at least an active defense kernel mode support module, a clock, address space and memory management, a power subsystem, threads and scheduling, inter-process communication mechanisms, and interrupt management. The active defense kernel mode support module provides minimum fallback and failure cleanup capabilities. When the request distribution service, consistency arbitration service, or execution scheduling service crashes, experiences unauthorized access, makes abnormal system calls, or remains unresponsive for a long time, it forcibly reclaims the endpoint, notification, and memory mapping permissions held by the abnormal process through mechanisms such as power revocation and address space reclamation, and terminates the execution context of its protected domain, so that the system returns to a safe state that can be reinitialized and rebuilt. This module only implements low-level actions such as power revocation and termination, and does not carry arbitration algorithms or scheduling strategies to control the scale of the trusted computing base. The clock provides a kernel time base based on hardware timer interrupts, which is used to trigger preemption and enter the kernel scheduling path when the time slice ends, but does not undertake strategic time control such as arbitration time windows, voting cycles, or control ticks. The address space and memory management establishes an independent virtual address space for each protected domain and provides a controlled shared memory mapping interface to support high-throughput data channels. Aside from a small amount of static memory used by the kernel itself, physical memory is managed by user space in an "untyped" capability form. User space creates new objects through retyping, thus avoiding dynamic memory allocation by the kernel. The capability subsystem expresses access authorization and controls the operation permissions, derivation, and revocation of kernel objects such as thread control blocks, scheduling contexts, endpoints, notifications, virtual address spaces, and interrupts, achieving least privilege and revocable control. Threads and scheduling are responsible for thread creation, state switching, and allocating processor time according to priority or real-time policies, providing stable time budgets and scheduling interface support for user-space execution body scheduling, but do not participate in execution body rotation, heterogeneous replacement, or other policy decisions. The inter-process communication mechanism provides endpoint-based synchronous message sending, receiving, and reply semantics and supports lightweight notification objects, providing an isolated and traceable communication foundation for cross-protection domain request and response, status notification, and control signaling. Interrupt management is responsible for registering, masking, and distributing hardware interrupt sources, and delivering interrupt events to user-space I / O services in a controlled notification manner, ensuring that device event responses are completed in user space without violating isolation boundaries.
[0021] The security base interface layer provides controlled entry and auditing for system calls and cross-protection domain communication; it includes at least a system call interface layer and a cross-protection domain communication module. The system call interface layer provides kernel capability access interfaces to the user space, such as creating or destroying protection domains, loading or unloading service instances, binding or revoking capability objects, and registering or deregistering interrupt notifications. The cross-protection domain communication module provides message channels between different protection domains to support the transmission of control commands and event notifications. Specifically: The system call interface layer describes the unified controlled entry point from user mode to kernel mode, covering system call parameter verification, capability checks, object handle binding, and auditing. It can also implement rate limiting and error code return for abnormal call frequencies to prevent resource exhaustion. Cross-protection domain communication is used to abstract the controlled communication channel between user-mode services, and by default, control and decision signals are transmitted through inter-process communication. Under the premise of satisfying capability authorization and isolation constraints, a controlled shared memory can be established as a high-throughput data channel to carry large business loads or batch results, but control and decision signals are still transmitted through inter-process communication to ensure that closed-loop control is traceable and auditable.
[0022] The user-mode security protection service cluster: The user-mode carries the industrial control business link and the active defense closed loop, builds a positive business data flow around input, parallel execution, adjudication and output, and forms a negative feedback closed loop through adjudication feedback, execution body scheduling and candidate replacement; Solid lines represent business data flows, dashed lines represent control or event flows, and dotted lines represent cross-protection domain communication; it includes at least an input module, a request distribution service, an online user-space service cluster, a consistency arbitration service, an output module, an I / O service, an execution scheduling service, and a candidate protection domain pool. Among them: the input module is connected to the IO service signal and is used to receive field data and business requests and complete the format standardization and request identifier generation; The request distribution service is signal-connected to the input module and is used to distribute the same request in parallel to multiple online executors and manage the arbitration time window; The online user-space service cluster consists of multiple isolated user-space service instances within a protection domain, used to process requests in parallel and return candidate results. The consistency arbitration service is connected to the online user-mode service cluster via signal, which is used to aggregate candidate results and complete the consistency determination within the arbitration time window, generate a single ruling output that can be used externally, and generate feedback indicators. The output module is connected to the consistency arbitration service signal and is used to publish or distribute the arbitration output according to the business agreement; The execution entity scheduling service and the consistency arbitration service are connected by a signal to receive the arbitration feedback and form an online adjustment plan. Then, candidate execution entities are selected from the candidate protection domain pool and the online user-mode service cluster is reconstructed and rotated through the system call interface layer. The candidate protection domain pool is used to store a set of candidate execution resources that can be started and replaced at any time.
[0023] The cross-protection domain communication module uses inter-process communication (IPC) to carry control signals and event notifications. When the amount of business data is large, shared memory can be introduced as a data channel while maintaining address space isolation, while control signals are still synchronized and arbitrated through IPC.
[0024] The system call interface layer provides access to kernel capabilities while validating call parameters, checking the capabilities of the caller, and auditing and recording key operations with frequency constraints to reduce the risk of unauthorized calls and abuse.
[0025] The number of online executors is an odd number greater than or equal to three to ensure the feasibility of strict majority rulings; this number is denoted as... ,satisfy: In the formula, It is a positive integer; correspondingly, the strict majority threshold is denoted as . ,satisfy This is used to determine whether the primary candidate cluster has achieved majority consensus.
[0026] The consistency arbitration service distinguishes between discrete consistency and continuous consistency. Discrete consistency performs normalization and serialization on candidate results, calculates summaries, and clusters them, determining the main candidate cluster based on cluster support. Continuous consistency forms consistent clusters through distance thresholds and determines the main candidate cluster based on consistent cluster support. When the main candidate cluster meets a majority threshold, the representative value of the main candidate cluster is output. When the majority threshold is not met or there is a timeout leading to insufficient convergence, the backoff arbitration result is still output, and an exception label and an exception execution body set are generated to characterize the degree of inconsistency and provide direct input for scheduling.
[0027] The execution entity scheduling service employs a scheduling strategy combining periodic rotation and event triggering. Periodic rotation is used to maintain the dynamic heterogeneous combination of online user-mode service clusters, while event triggering is used to adjust the system when the difference rate increases, the confidence level decreases, or the size of the abnormal execution entity set reaches a threshold. The triggering conditions can be expressed as follows: In the formula, Indicates the difference rate. Indicates the confidence level of the ruling. Represents the set of exception execution bodies. , and These represent the difference rate threshold, confidence threshold, and anomaly set size threshold, respectively. The controlled replacement adopts a switching sequence that first completes the loading and health check of candidate executors in the new protection domain, then switches the request distribution service distribution strategy, and finally revokes the powers held by the replaced executor and reclaims its resources, in order to reduce the impact of the replacement window on business continuity.
[0028] The system also includes a proactive defense kernel-mode support module, which is used to perform minimum fallback measures when the request distribution service, consistency arbitration service, or execution body scheduling service is abnormal or unavailable. The fallback measures include at least capability revocation, address space reclamation, abnormal execution context termination, and audit evidence recording to ensure that the fault can be converged and support subsequent reconstruction and recovery. Specifically, the user-mode security protection service cluster includes at least an input module, a request distribution service, an online user-mode service cluster, a consistency arbitration service, an output module, an I / O service, an execution entity scheduling service, and a candidate protection domain pool. The input module receives on-site collected data or external business requests and converts them into a unified format to generate request identifiers. The request distribution service normalizes, throttles, and manages sessions for the input data, and distributes the same request to multiple online execution entity instances based on the online instance list provided by the execution entity scheduling service. The online user-mode service cluster consists of multiple isolated protection domains, each execution entity having an independent address space and set of capabilities, enabling parallel processing of service logic with different implementations or versions to generate multiple candidate results. The consistency arbitration service completes consistency arbitration within the arbitration time window and generates a single output, calculating feedback metrics. The output module publishes or distributes the arbitration results according to the business protocol. The I / O module... The service carries the driver and protocol stack in user space, receives interrupts delivered by the kernel via notification, and completes interrupt registration, masking, acknowledgment, and necessary status queries through system calls. The execution body scheduling service is responsible for the creation, migration, removal, and rotation of execution bodies, and selects candidate execution bodies from the candidate protection domain pool to replace failed or suspicious instances based on the adjudication feedback and preset strategies. The candidate protection domain pool maintains the set of candidate execution bodies and their metadata status, including version information, heterogeneous attributes, health status, and availability flags, providing input for scheduling decisions.
[0029] This invention also provides a power control system security protection method based on microkernel active defense, such as... Figure 2 The diagram illustrates the steps involved in system startup and protection domain initialization, entry of field data and business requests into the system, input module standardization and request identifier generation, request distribution service distributing requests to multiple online instances, parallel processing and result feedback of the online user-mode service cluster, completion of consistency arbitration and generation of arbitration results within the arbitration time window, output module publication and traceability constraints, and closed-loop control and failure handling. When applied to the aforementioned system, this includes the following steps: Step 101: System Startup and Protection Domain Initialization Start the microkernel isolation base and security base interface layer, initialize the power subsystem and cross-protection domain communication channel; start the input module, request distribution service, consistency arbitration service, output module, I / O service and execution body scheduling service in user space, and load them from the candidate protection domain pool to form an initial online user space service cluster; Specifically, in this embodiment, after the system starts, the user space sequentially launches basic services such as input, request distribution service, online user space service cluster related instances, consistency arbitration service, output, I / O service, and execution body scheduling service. Based on the candidate execution body metadata maintained by the candidate protection domain pool, it completes the selection and loading of the first batch of online execution bodies. The execution body scheduling service initiates controlled requests through the system call interface layer to complete the establishment of the isolated protection domain operating environment and the configuration of running objects such as communication endpoints. The kernel space address space and memory management provide isolation and controlled mapping, the power subsystem provides authorization and revocation constraints, inter-process communication provides endpoint semantics and message sending and receiving basis, and the system call interface layer implements unified constraints on parameter verification, power checks, and audit trails. The initialization includes allocating independent address spaces for different protection domains, allocating controlled communication endpoint capabilities for online user-mode service clusters, and binding revocable capabilities to target protection domains one by one to support subsequent revocation, replacement, and reclamation. When loading the first batch of online executors, the executor scheduling service combines the version differences, implementation differences and health status of the candidate executors to select heterogeneous or multi-version combinations to form an initial redundant set, so as to improve the resistance to unknown defects or single point attacks. Step 102: On-site data and business requests enter the system The I / O service receives field-collected data and upper-layer service requests, and forwards the requests to the input module. Specifically, in this embodiment, field-collected data or external service requests are accessed by the I / O service. The I / O service carries the driver and protocol stack in user space, and completes interrupt registration, masking, and response operations through the system call interface layer. Kernel interrupt management delivers hardware interrupts to the I / O service in a controlled notification manner, enabling it to complete data transmission and reception and protocol processing in user space while maintaining isolation boundaries from being penetrated. The I / O service completes the interrupt event registration and notification binding through the system call interface layer, and sends events to the user space only in the form of controlled notifications or messages, so as to avoid spreading the device interrupt handling logic to unnecessary modules. The I / O service adopts a minimal state machine and exception isolation strategy for handling peripheral events, isolating and discarding abnormal inputs to prevent abnormal inputs from spreading from the driver side to the business processing link; Step 103: Input Module Normalization and Request Identifier Generation The input module performs format standardization, field validation, and basic cleanup on the request, generates a request identifier, and forwards it to the request distribution service after carrying the necessary metadata. Specifically, in this embodiment, the input module receives business data from the I / O service or the upper-layer business entry point, converts it into a unified format, generates a request identifier and necessary context information, and then delivers the request to the request distribution service to enter the subsequent parallel processing link. The request identifier includes at least a timestamp, source identifier, business type, and sequence number information, which is used to support arbitration time window matching, output idempotent control, and audit traceability; The input module performs basic checks on field range, encoding rules, and structural integrity, and uses the check results as one of the reference information for subsequent adjudication and scheduling. Step 104: The request distribution service distributes the request to multiple online instances. The request distribution service distributes the same request in parallel to an odd number of online execution instances based on the list of online instances provided by the execution entity scheduling service, and sets an arbitration time window deadline. Management timeout convergence; the number of online executors satisfy Corresponding to most thresholds ; Specifically, in this embodiment, the request distribution service normalizes the request and generates a request context, and selects an odd number of executors from the online instance list maintained by the executor scheduling service to participate in the adjudication. The number of online executors in each round is... satisfy In the formula, The positive integer parameter is used to characterize the majority threshold; the request distribution service distributes the same request in parallel to this... Each entity is responsible for execution, and an arbitration time window deadline is set. If the timeout period expires, it will be recorded as no response. Step 105: Parallel processing and result feedback of online user-space service cluster Each online executor independently processes requests within its own protection domain, generates candidate results, and sends the candidate results back to the consistency arbitration service through cross-protection domain communication; Specifically, in this embodiment, the online user-space service cluster consists of multiple isolated protection domains. Each execution entity processes the same request in parallel under the constraints of an independent address space and an independent set of capabilities, forming multiple candidate results and sending them back to the consistency arbitration service. To improve the independence of redundancy, the heterogeneous layers of the online execution entities include implementation layer heterogeneity and algorithm layer heterogeneity: implementation layer heterogeneity refers to independent implementations of the same functional specification in different code libraries or different programming languages; algorithm layer heterogeneity refers to different but functionally equivalent algorithm implementations. Generate output And send a return message within the window; if no return message is sent within a timeout period, mark it as timeout. The response set and timeout indicator are defined as follows: , In the formula, This represents the set of execution body indexes that return results on time within the arbitration time window. Indicates the first An indicator of whether an executor has timed out; the executor and the consistency arbitration service interact through a cross-protection domain communication channel, with communication endpoints and permissions constrained by the authority subsystem to ensure that cross-domain interactions are isolated, controllable, and traceable; Candidate result feedback is achieved through data channels and control signals: business data can be transmitted in large volumes or batches through controlled shared memory, and control signals trigger the consistency arbitration service to enter the arbitration time window for processing via IPC; When authorized and isolation constraints are met, controlled shared memory is used to carry large blocks of business data to improve throughput; however, control and decision-related signals are still transmitted through inter-process communication. Step 106: Complete the consensus arbitration and generate the award within the arbitration time window. The consistency arbitration service aggregates multiple candidate results within the arbitration time window, distinguishes between discrete and continuous consistency criteria to form candidate clusters, and determines the main candidate cluster and external output based on a strict majority threshold. Simultaneously, the consistency arbitration service generates anomaly scores based on candidate result deviation and timeout information, resulting in a set of anomalous execution entities. Abnormal scores can be represented as: In the formula, Indicates the first Has the execution unit timed out? Indicates the first The deviation of the output of each executor from the output of the decision. This represents a scale indicating continuous consistency tolerance. and The weighting coefficient is used; the consistency arbitration service outputs a single ruling and generates feedback indicators such as difference rate, timeout level, confidence level, anomaly label and anomaly execution body set, which are sent to the execution body scheduling service. When an abnormality flag is detected, such as an excessively high difference rate, an abnormal timeout rate, or insufficient confidence of the result, an anomaly flag is output. Specifically, in this embodiment, the consistency arbitration service aggregates multiple candidate results within the arbitration time window, first performs structured modeling on the results and distinguishes between discrete and continuous consistency criteria, and then completes consistency measurement, candidate value formation, voting decision, and indicator evaluation; on the one hand, it generates a single decision output that can be used externally. , On the other hand, abnormal or suspicious executors are located and feedback indicators are generated for subsequent closed-loop scheduling and failure handling triggering; the relevant time and timeout criteria follow the definitions in steps 104-105. (1) Result normalization and consistency definition: For discrete outputs, the consistency arbitration service determines the consistency arbitration criteria for each timely returned result. Execute normalized serialization function And calculate the summary Candidate clusters with strictly consistent definitions and abstracts: In the formula, Indicates the first Normalized summaries of the candidate results; Represents a summary function; Represents the normalized serialization function: In the formula, The summary value indicates A uniform cluster; Indicates a value that can be taken from a certain summary; For continuous or approximate outputs, the consistency arbitration service is based on a distance function. With tolerance threshold Define sufficiently close consistency relations, and form several consistent clusters based on them: In the formula, This represents a function that measures the difference between candidate outputs. The tolerance threshold for determining continuity consistency; Indicates tolerance Determine if the relationship is consistent; (2) Candidate value formation and voting decision: The candidate cluster set is obtained by discrete grouping or continuous clustering. It calculates the support for each candidate cluster; in the simplest implementation, the weights can be taken as follows: Or it can be given by the historical stability maintained by the scheduling service. The consistency arbitration service is applied to each candidate cluster. Calculate cluster support scores: In the formula, Indicates the first The support scores of each candidate cluster are used to select the primary candidate cluster index with the highest support score. ; Strict majority thresholds are used: , Determine if majority consensus has been achieved; when the primary candidate cluster meets the majority threshold, select the central element within the primary cluster as the decision output: In the formula, This represents the execution body index corresponding to the central element within the primary candidate cluster; This indicates a single ruling output from the consistent arbitration service. It is a measure of difference; If the difference rate is too high or some instances time out, resulting in failure to meet the majority threshold, then the score of the candidate cluster set will be used. Discuss each case separately; ① If the candidate cluster corresponding to the maximum support score is unique, then the set returned on time is directly used. The globally weighted central element is used as the backoff decision output: In the formula, This indicates that the collection will be returned on time. The execution body index that minimizes the globally weighted difference metric; ② If multiple candidate clusters achieve the same maximum support score, disambiguation selection is required among these tied candidate clusters; the set of cluster indices for the tied candidate clusters is defined as follows. : , Subsequently, for each of the parallel candidate clusters Select a representative execution unit within the cluster, and denote its index as . : ; This represents the candidate output corresponding to the executor. Used as the representative value for this candidate cluster; Finally, the representative values of each candidate cluster are... With global timed return collection All candidate outputs are compared, their global weighted difference metric is calculated, and the candidate cluster that minimizes this global weighted difference metric is selected as the backoff decision cluster. The index of this cluster is denoted as . : At this point, the rollback decision output takes the representative execution body within the rollback decision cluster, i.e. and output ; ③When At this time, the consistency arbitration service only outputs anomaly handling flags and event summaries, without outputting business results, and triggers a closed-loop failure handling process; (3) Consistency measurement, abnormal execution entity judgment and feedback indicator evaluation: Consistency arbitration service calculates consistency strength and difference rate: In the formula, Indicates the strength of consistency; Indicates the difference rate; Indicates the first The size of each candidate cluster; Indicates the number of online executors; and outputs the ruling. For reference calculation of the deviation of each executor: In a continuous output scenario, at this time: In the formula, Indicating the first continuous or approximate output scenario The deviation of each executor from the decision output; while in the discrete output scenario, then: In the formula, This indicates an indicator function; it returns 1 if the condition is true and 0 otherwise. Indicates the output of the ruling Standardized abstract, It is the first A standardized summary of the results; An anomaly score is generated by combining timeout and deviation: In the formula, Indicates the first The overall score of anomalies in each executor; and Indicates the weighting coefficients for timeout and deviation terms; For continuous consistency scenarios, a tolerance benchmark can be used; for discrete scenarios, a suitable benchmark can be used. To maintain dimensional consistency; and based on this, to obtain a set of abnormal or suspicious execution entities: ; Confidence level of the ruling To characterize the reliability of the current output, the percentage of support from the primary candidate cluster can be used: ; Consistent arbitration services provide a single award result. as well as the difference rate, timeout level, confidence level, and outlier set. These metrics serve as feedback for the execution body scheduling service, driving subsequent closed-loop refactoring and failure handling; the clock mechanism provides the kernel time base and triggers preemption into the kernel scheduling path at the end of the time slice; strategic time controls such as arbitration time windows, voting cycles, and control ticks are defined and executed by user-space services. Step 107: Output Module Release and Traceability Constraints The output module receives the ruling output and publishes or distributes it to external parties according to the business agreement. At the same time, it records the request identifier and the ruling summary to achieve idempotent publication and traceable constraints. Specifically, in this embodiment, the output module receives a single output result generated by the consistency arbitration service and publishes or distributes it to external parties according to the business agreement; during the output delivery process, it records information such as request identifier, ruling summary and publication receipt to form traceable constraints; The output module performs whitelist field filtering and secure formatting on the adjudication output, and triggers security degradation output on the business side for abnormal flags, so as to avoid uncertain results directly affecting critical control links; The output module performs whitelist filtering on sensitive content; when the output risk increases, it performs isolated release or downgraded release to control the risk within the boundary of the output end; finally, the external transmission or the distribution to lower-level devices is completed with the cooperation of I / O services. Step 108: Triggering of closed-loop control and failure handling driven by adjudication feedback When the feedback indicators output by the consistency arbitration service meet the adjustment conditions, the execution body scheduling service is triggered to perform online reconstruction and rotation; when it is detected that key user-space services such as request distribution service, consistency arbitration service or execution body scheduling service have failed and cannot be converged in user space, the kernel-space minimum fallback cleanup and rebuildable recovery process is triggered. Specifically, in this embodiment, the consistency arbitration service will determine the difference rate. Timeout level, confidence level Exception labels and exception sets Feedback information is sent to the execution scheduling service, forming a control and event flow. The scheduling strategy combines periodic rotation and event triggering: when the difference rate increases, confidence decreases, or the number of abnormal instances increases, event triggering will prompt the scheduling service to adjust quickly; in other cases, periodic rotation is used to maintain dynamic heterogeneity and long-term risk resistance. The event triggering condition can be defined as: In the formula, , and These represent the trigger thresholds for the difference rate, confidence level, and anomaly set size, respectively; when an adjustment is triggered, the execution body scheduling service first... Internal executors are isolated and removed, then candidate executors are selected from the candidate protection domain pool to replace them. Simultaneously, the online instance list and distribution strategy parameters of the request distribution service are updated to ensure consistency between request distribution and the online executor set before proceeding to the next round of processing. Candidate executor selection scoring is used in the replacement phase. In the formula, This represents candidate execution instances in the candidate protection domain pool. This represents the current set of online execution entities. and These are the weighting coefficients for heterogeneity and health availability scores. Scoring the heterogeneity of candidate executors relative to the online set. The health status and availability of candidate implementers are scored. For the candidate set of the candidate protection domain pool, This indicates the final selected replacement candidate; decision feedback and control signaling are transmitted through cross-protection domain communication endpoints, and service payloads can be carried through controlled shared memory under authorized capabilities.
[0030] In step 108, when the execution body scheduling service needs to perform online reconstruction and rotation of the online user-mode service cluster, such as Figure 3The diagram illustrates the process of the consistency arbitration service generating feedback metrics and sending them to the execution scheduling service via inter-process communication; the scheduling service forming an adjustment plan; selecting candidate executions from the candidate protection domain pool; completing controlled replacement and reconstructing the online user-mode service cluster through system call interfaces; and synchronously updating the online instance list and distribution strategy parameters of the request distribution service before proceeding to the next round of processing. It includes the following sub-steps: Step (201): Consistency arbitration service generates feedback metrics; Specifically, in this embodiment, the consistency arbitration service generates indicators such as difference rate, timeout level, confidence level and anomaly label while completing the consistency determination, which are used to characterize the degree of anomaly and stability level of this round of parallel execution. Feedback metrics are set with different thresholds or weights according to business type to adapt to the tolerance and engineering constraints of different control scenarios; Step (202): Send feedback to the execution scheduling service via IPC; Specifically, in this embodiment, the consistency arbitration service sends feedback indicators to the execution scheduling service through inter-process communication to form a control and event flow; the control link uses inter-process communication by default to ensure auditability and traceability; Step (203): Execute the scheduling service to form an adjustment plan; Specifically, in this embodiment, after receiving feedback, the execution entity scheduling service forms an adjustment plan based on a preset strategy, clarifying the scope and target status of online execution entity instances that need to be removed, migrated, restarted, or rotated. The adjustment plan combines the type of abnormal labels, confidence trends, and the number of consecutive timeouts to determine the replacement priority and adjustment range in order to avoid frequent fluctuations. Step (204): Select candidate execution entities from the candidate protection domain pool; Specifically, in this embodiment, the execution scheduling service reads the version information, heterogeneous attributes, health status and availability flags of candidate executions from the candidate protection domain pool, and selects candidate executions that meet the admission criteria to replace failed or suspicious instances. Candidate selection prioritizes heterogeneity and health, and adopts conservative strategies when resources are limited, such as reducing the number of parallel instances or selecting a candidate version that has been verified to be stable. Step (205): Complete the controlled replacement and reconstruct the online user-mode service cluster through the system call interface layer; Specifically, in this embodiment, the execution body scheduling service initiates a controlled request through the system call interface layer to complete the establishment or replacement of the new protection domain operating environment, including address space configuration, communication endpoint configuration and controlled memory mapping; the authority subsystem implements authorization and revocable constraint on the operation of related kernel objects, so that the new execution body enters the online user-mode service cluster with the least privilege, and performs removal and exit processing on failed or suspicious instances to complete the online cluster reconstruction; In high-throughput scenarios, controlled shared memory can be established for new executors under authorized capabilities to carry large business loads or batch results; Step (206): Synchronously update the list of online instances of the request distribution service and the distribution strategy parameters to ensure that the request distribution is consistent with the set of online executors and proceed to the next round of processing; Specifically, in this embodiment, after the execution body scheduling service completes the online cluster adjustment, it synchronously updates the online instance list and distribution strategy parameters of the request distribution service to ensure that the request distribution is consistent with the online execution body set; accordingly, the request distribution service continues to execute request distribution and triggers the online user-space service cluster to carry out the next round of parallel processing; The request distribution service synchronously adjusts the concurrency limit, queue level, and backpressure strategy to reduce the impact on system throughput and latency during online reconstruction. Step 109: The execution body scheduling service completes online refactoring and rotation. The execution entity scheduling service implements the start-up, replacement, withdrawal and reclamation of online execution entities according to the adjustment plan, updates the composition and strategy parameters of the online user-mode service cluster, and synchronizes the change results to the request distribution service and the consistency arbitration service; The online reconstruction adopts a controlled switching method of "build first, then switch": first, the candidate executor is loaded and health check is completed in the new protection domain, then the distribution strategy is switched, and finally the capability object of the replaced executor is revoked and its resources are reclaimed, so as to reduce the impact of the switching window on business continuity. Step 1010: Kernel fallback cleanup and rebuildable recovery in the event of critical user-space service failure When a critical user-space service (including but not limited to consistency arbitration service, execution body scheduling service or cross-domain communication critical endpoint) fails, causing the user space to be unable to complete fault convergence, the proactive defense kernel-space support module is triggered to perform fallback cleanup, and then enters rebuildable initialization and is handed over to the user space to complete the recovery.
[0031] In step 1010, as Figure 4As shown in the diagram (which illustrates the process of triggering kernel fallback cleanup, revoking execution privileges, reclaiming and cleaning up execution address space and mappings, terminating the execution context of the exception protection domain, recording audit evidence and event summaries, and entering a re-initialized and rebuildable state before handing it over to user space for recovery), the minimum fallback cleanup triggered by the proactive defense kernel-mode support module and the process of entering a rebuildable recovery state includes the following sub-steps: Step (301): Trigger the kernel fallback cleanup process; Specifically, in this embodiment, the active defense kernel-mode support module triggers a fallback cleanup process after detecting the above-mentioned failure conditions, enabling the system to enter a controllable state; this module only implements the underlying fallback action and does not carry the adjudication algorithm or scheduling strategy. Step (302): Revoke the power of execution; Specifically, in this embodiment, the proactive defense kernel-mode support module forcibly reclaims the endpoint, notification, and related kernel object operation permissions held by the abnormal process through power revocation, thereby blocking its continued access to critical resources and communication channels; The scope of revocation is limited to the target protection domain and its derived object set, reducing the impact on other normal protection domains; Step (303): Perform address space reclamation and mapping cleanup; Specifically, in this embodiment, the active defense kernel-mode support module reclaims the address space of the abnormal protection domain and cleans up the controlled mapping relationship, cancels residual mappings and associated resources, so that the system resource state returns to the reconstructable baseline; Forced revocation of shared memory mappings to eliminate cross-domain residual data channels and reduce the risk of data residual; Step (304): Terminate the execution context of the exception protection domain; Specifically, in this embodiment, the proactive defense kernel-mode support module terminates the execution context of the abnormal protection domain to block the risk of fault propagation and continued execution; the termination action is coordinated with the object reclamation sequence to avoid dangling endpoints or unreleased mappings. Step (305): Record audit evidence and event summary; Specifically, in this embodiment, the proactive defense kernel-mode support module records audit information such as trigger type, involved objects, and handling summary, providing a basis for user-mode recovery process and subsequent forensic analysis; Audit information includes time-series summaries and summaries of the set of objects to be revoked, in order to pinpoint the source of anomalies and assess the effectiveness of recovery. Step (306): Enter the reinitializable and rebuildable state and hand it over to user space for recovery; Specifically, in this embodiment, after the system enters the reinitializable and rebuildable state, the restart of critical service instances and the replacement of online execution entities are completed by the existing user-mode initialization and scheduling mechanism, and the kernel mode does not participate in the specific recovery strategy decision; the user-mode recovery reloads critical services according to the predetermined startup sequence, and reassembles the online user-mode service cluster based on the candidate protection domain pool.
[0032] This embodiment is used to verify the advantages of the present invention in terms of anti-attack resistance compared to the traditional single-executor industrial control processing method; such as Figure 5 The diagram shows a Monte Carlo simulation comparing the probability of system breach between a single-executor scheme and a multi-executor consistency arbitration scheme under the assumption of homogeneity and independence, using a microkernel-isolated multi-executor consistency arbitration mechanism. The consistency arbitration employs a strict majority threshold to determine a single, publicly available arbitration result. Assume that within an arbitration time window, the probability of a traditional single-executor system being breached is... This invention uses a microkernel isolation base as the minimum trusted computing base. Through capabilities, it revocables authorization of subsystem communication endpoints and controlled mappings, ensuring that request distribution services, consistency arbitration services, execution entity scheduling services, and multiple online execution entities all operate within mutually isolated protection domains. This prevents a single execution entity's anomaly from having a lateral impact on other execution entities or the control plane. Under these isolation conditions, the attack status of each execution entity within the arbitration time window is abstracted as a binary random variable, and... , , Monte Carlo simulations were performed on an odd-sized online user-state service cluster, with repeated trials under each set of parameters. Next, the frequency with which the consensus arbitration output is compromised is used as an estimate, where consensus arbitration uses a strict majority threshold to generate a single, publicly available ruling; clearly, when When the number of executors increases, the system probability of being compromised by the multi-executor consensus arbitration scheme is significantly lower than that of the traditional single-executor scheme, and the system probability of being compromised further decreases as the number of executors increases. Due to the large number of experiments, the Monte Carlo frequency estimation is approximately consistent with the theoretical value, indicating that the simulation model and the implementation are consistent and the statistical error has converged. These results show that, under the support of strong isolation and revocable privileges in a microkernel, this invention effectively compresses the attack success rate through parallel redundancy and consensus arbitration, and ensures the continuous operation of the active defense closed loop through scheduling reconfiguration and reconstructable paths, thus having higher resistance to attack and recoverability compared to the traditional single-point execution structure.
[0033] This embodiment addresses the probability of a single executable being compromised. In addition, a common breakthrough probability is introduced. This is used to characterize common mode failures caused by vulnerabilities in the shared infrastructure, shared configuration, or control plane; within an arbitration time window, it is used to determine probabilistically... If a joint breach event occurs, multiple execution entities will be breached simultaneously once triggered. If the joint breach event is not triggered, each execution entity will still be breached according to probability. Independence was breached; Figure 6 It introduces a common attack probability parameter Subsequently, a Monte Carlo simulation diagram illustrating the changes in risk in a multi-executor consistency arbitration system; clearly, in the same Under these conditions, with the probability of a joint attack... The increase in the number of executors raises the overall probability of a system being compromised by a multi-executor consistency arbitration scheme, and when When the number of execution units increases to a certain extent, the advantages of multi-execution unit schemes over single-execution unit schemes are significantly weakened; this phenomenon indicates that the security benefits of parallel redundancy and consistency arbitration depend not only on the probability of a single unit being compromised. It also depends on whether there are shared attack paths in the underlying system base that could cause multiple execution units to be affected simultaneously. This invention reduces the probability of multiple execution units failing simultaneously due to a breach of the shared base by constructing a microkernel isolation base, a strong isolation mechanism, and revocable control over critical resources, thereby effectively reducing the probability of a joint attack. This allows the statistical advantages of redundant heterogeneous strategies to be fully realized.
[0034] Through the above systems and methods, parallel execution of multiple user-mode instances, converged output of adjudication, online reconstruction and rotation driven by adjudication feedback can be achieved under the strong isolation boundary of the microkernel. Kernel-mode minimal fallback cleanup and reconstructable recovery can also be achieved in critical user-mode service failure scenarios, thereby improving the availability and controllability of power industrial control business links under the conditions of combating unknown attacks and abnormal failures.
Claims
1. A power industrial control security protection system based on microkernel active defense, characterized in that, include: User-mode security protection service cluster: includes input / output service, input module, request distribution service, online user-mode service cluster, consistency arbitration service, output module, execution body scheduling service and candidate protection domain pool; The input module, request distribution service, consistency arbitration service, execution entity scheduling service, and online user-mode service cluster each execution entity instance runs in a mutually isolated protection domain and corresponds to an independent virtual address space and an independent set of powers; The input module receives the request, generates a request identifier, and then sends it to the request distribution service. The request distribution service distributes the same request to an odd number of online execution instances; The online user-space service cluster is connected to the consistency arbitration service to send back multiple candidate results; The consistency arbitration service generates a single, publicly available arbitration result within the arbitration time window and sends feedback metrics to the execution body scheduling service. The execution scheduling service selects candidate executions from the candidate protection domain pool based on feedback indicators and performs controlled replacement or reconstruction of the online user-mode service cluster through the system call interface layer. Security Base Interface Layer: Includes system call interface layer and cross-protection domain communication interface; The system call interface layer is used to provide a controlled entry point to the user space, realize the creation or destruction of protection domains, the loading or unloading of service instances, the binding or revocation of power objects, and the registration or cancellation of interruption notifications, and uniformly constrain the call parameter verification, power check, audit trail and frequency constraints. The cross-protection domain communication interface is used to provide a message channel based on the communication endpoint between different protection domains and to establish a controlled shared memory mapping channel under the authorization of the authority. Microkernel isolation base: Located in kernel mode, it provides the minimum kernel capabilities for address space and memory management, thread and scheduling, inter-process communication and interrupt management, including functional subsystems and active defense kernel mode support modules; The power subsystem is used to authorize, verify, derive, and revocable control the permissions of communication endpoints, notification objects, controlled shared memory mappings, and kernel objects related to protection domains. When critical user-mode services such as request distribution service, consistency arbitration service, or execution body scheduling service fail, the proactive defense kernel-mode support module performs a fallback cleanup process and puts the system into a rebuild state.
2. The power control system security protection system based on microkernel active defense according to claim 1, characterized in that, The online user-mode service cluster in the user-mode security protection service cluster consists of multiple isolated protection domains, each of which corresponds to an independent virtual address space and an independent set of permissions. The consistency arbitration service distinguishes candidate results into two categories: discrete consistency and continuous consistency. Discrete consistency determines the main candidate cluster by performing normalization and serialization on the candidate results, calculating the summary, clustering and voting. Continuous consistency forms a consistent cluster by a distance threshold and determines the main candidate cluster by the support of the consistent cluster. When the main candidate cluster meets the majority threshold, the representative value of the main candidate cluster is used as the single decision result output available to the outside world. When the majority threshold is not met or there is a timeout leading to insufficient convergence, the backoff decision result is used as the single decision result output available to the outside world, and anomaly labels are generated to characterize the degree of inconsistency. The execution entity scheduling service is used to select candidate execution entity instances from the candidate protection domain pool and load them into a new protection domain, so that the candidate execution entity instances can be added to the online user-mode service cluster to form or update the online instance set. It adopts a scheduling strategy that combines periodic rotation and event triggering. Periodic rotation is used to maintain the dynamic heterogeneous combination of the online user-mode service cluster, and event triggering is used to trigger adjustments when the difference rate increases, the confidence level decreases, or the size of the abnormal execution entity set reaches a threshold.
3. The power control system security protection system based on microkernel active defense according to claim 1, characterized in that, The feedback metrics include the difference rate, timeout level, confidence level, anomaly label, and set of anomaly execution bodies. The set of abnormal executors is obtained by the consistency arbitration service based on the deviation and timeout information of the candidate results from the arbitration output, and is used as the direct input for the executor scheduling service to remove and replace them.
4. The power control system security protection system based on microkernel active defense according to claim 1, characterized in that, The controlled replacement first completes the loading and health check of candidate executors in the new protection domain, then switches the distribution strategy of the request distribution service, and finally revokes the powers held by the replaced executor and reclaims its resources.
5. The power control system security protection system based on microkernel active defense according to claim 1, characterized in that, The cross-protection domain communication interface in the security base interface layer includes an inter-process communication channel based on the communication endpoint, and establishes a controlled shared memory mapping channel under the authorization of the authority, which is used to carry large-scale business payloads or batch candidate results while maintaining address space isolation.
6. The power control system security protection system based on microkernel active defense according to claim 1, characterized in that, The proactive defense kernel-mode support module in the microkernel isolation base triggers a fallback cleanup process when it detects a crash, unauthorized access, abnormal system call, or prolonged unresponsiveness in the request distribution service, the consistency arbitration service, or the execution scheduling service. The fallback cleanup process includes: revoking execution authority to reclaim the communication endpoint and notification object permissions held by the abnormal protection domain; performing address space reclamation and mapping cleanup to revoke the controlled mapping relationship of the abnormal protection domain; terminating the execution context of the abnormal protection domain; and recording audit evidence and event summaries.
7. A security protection method for a power industry control system based on microkernel active defense, applied to the system described in any one of claims 1 to 6, characterized in that, Includes the following steps: Step (101) The system starts and completes the protection domain initialization, and starts the input module, request distribution service, online user space service cluster, consistency arbitration service, output module, I / O service and execution body scheduling service. It loads the first batch of online execution bodies according to the candidate protection domain pool, where the number of online execution bodies is an odd number of ≥3. Step (102) involves the I / O service accessing field data or service requests; Step (103) involves the input module standardizing the access data and generating a request identifier before sending it to the request distribution service; Step (104) involves the request distribution service distributing the same request in parallel to multiple online execution instances based on the list of online instances provided by the execution scheduling service; Step (105) involves online execution instances processing requests in parallel within their respective protection domains and sending candidate results back to the consistency arbitration service; Step (106) The consistency arbitration service performs consistency determination on the candidate results within the arbitration time window and generates a single ruling output that can be used externally. At the same time, it generates feedback indicators such as difference rate, timeout level, confidence level, anomaly label and anomaly execution body set and sends them to the execution body scheduling service. Step (107) involves the output module publishing the single decision output; Step (108) involves the execution body scheduling service performing controlled replacement and reconstruction of the online user-mode service cluster based on feedback indicators, and triggering kernel fallback cleanup and entering a rebuildable state when the critical user-mode services of the request distribution service, consistency arbitration service or execution body scheduling service fail.
8. The method according to claim 7, characterized in that: When determining consistency, the consistency arbitration service generates anomaly scores based on the deviation of candidate results from the arbitration output and timeout information, and obtains a set of abnormal execution bodies based on the relationship between the anomaly scores and thresholds. The set of abnormal execution bodies is used by the execution body scheduling service to determine the removal priority and replacement range.
9. The method according to claim 7, characterized in that: When the execution scheduling service selects candidate executions from the candidate protection domain pool, it forms a candidate score based on the heterogeneous attributes and health availability markers of the candidate executions, and selects the candidate execution with the best score for replacement. The controlled replacement and reconstruction includes the address space configuration, communication endpoint configuration, and controlled memory mapping configuration of the new protection domain, and synchronously updates the online instance list and distribution strategy parameters of the request distribution service.
10. The method according to claim 7, characterized in that: When a critical user-space service of the request distribution service, consistency arbitration service, or execution body scheduling service crashes, experiences unauthorized access, makes an abnormal system call, or remains unresponsive for an extended period, kernel fallback cleanup is triggered. After kernel fallback cleanup is completed, the system enters a reinitializable and reconstructable state, and the user-space initialization and scheduling mechanism restarts the request distribution service, consistency arbitration service, and execution body scheduling service according to the startup sequence, and rebuilds the online user-space service cluster based on the candidate protection domain pool.