A honeypot deployment strategy optimization method for a double-layer internet of things architecture
By optimizing honeypot deployment using a two-player zero-sum Stackelberg game model and k-sparse constraints, the computational infeasibility of honeypot deployment in a two-layer IoT architecture is solved, achieving an efficient and feasible optimal configuration and reducing deployment complexity and computational cost.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- GUANGZHOU UNIVERSITY
- Filing Date
- 2026-05-12
- Publication Date
- 2026-07-03
Smart Images

Figure CN122339820A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of IoT security and network deception defense technology, and in particular to an optimization method for honeypot deployment strategy for a two-layer IoT architecture. Background Technology
[0002] The Internet of Things (IoT) refers to a technological system that interconnects computing devices embedded in everyday objects through the Internet. IoT systems typically present a hierarchical network architecture, with different layers undertaking different functional roles. This structure achieves layered decoupling in terms of functionality, effectively reducing system complexity and improving the flexibility and scalability of the overall architecture.
[0003] However, while layered architecture brings the aforementioned advantages, it also creates independent security domains with different vulnerabilities and defense capabilities for each layer, highlighting the increasing security risks in the IoT industry. Because IoT devices typically have limited computing resources and weak security mechanisms, they are highly susceptible to cyberattacks. While traditional defense mechanisms play a crucial role in identifying and blocking known attack patterns, in the IoT environment, they are essentially only able to respond after an attack has occurred, making it difficult to effectively and promptly address the penetration threats from attackers. Therefore, building effective proactive defense mechanisms to address the increasingly complex IoT security threats has become an urgent need.
[0004] Honeypoint technology, as a proactive deception defense method, has been widely used in attack traffic capture and threat detection. However, in resource-constrained IoT environments, the number and location of honeypoint nodes are subject to strict budget constraints, making optimal deployment a pressing issue. Theoretically, game theory provides a rigorous analytical framework for characterizing the attack-defense interaction in IoT environments. However, in two-layer IoT networks, both the defender's policy space (all legitimate layered honeypoint configurations) and the attacker's policy space grow exponentially with network size, making direct enumeration computationally infeasible. Furthermore, in practical security deployments, defenders face significant feasibility constraints. Theoretically, the optimal hybrid strategy may include a large number of different honeypoint deployment schemes, but maintaining too many configuration schemes will lead to high deployment overhead—each additional configuration scheme requires a separate deployment process and monitoring strategy, thus creating practical limitations in terms of cost, manpower, and operational complexity, which existing game theory solutions struggle to address effectively.
[0005] Therefore, it is necessary to provide an optimization method for honeypot deployment strategies designed specifically for the characteristics of IoT architecture. Summary of the Invention
[0006] The purpose of this invention is to provide a honeypot deployment strategy optimization method for a two-layer IoT architecture, which provides an efficient and feasible optimal configuration scheme for honeypot deployment in a two-layer IoT architecture.
[0007] In a first aspect, the honeypot deployment strategy optimization method for a two-layer IoT architecture provided by this invention includes: formally modeling a two-player zero-sum Stackelberg game model based on the honeypot deployment and attack penetration process of a two-layer IoT, wherein the defender's policy space is set to satisfy k-sparse constraints; iteratively expanding the initial active policy sets of the attacker and defender in the constructed game model, while performing k-sparse checks according to a set checking period, continuously judging whether the convergence condition is met during the iterative expansion process, and obtaining the expanded active policy set when convergence is achieved, wherein the iterative expansion process includes: performing game solving to obtain the attack and defense strategies of the attacker and defender. The strategy and game value are combined, and the defender oracle and attacker oracle are respectively called to generate new strategies for both sides and add them to the active strategy set of both sides to achieve an iterative expansion of the active strategy set. The size of the expanded active strategy set is checked. When the size of the expanded active strategy set is less than the preset minimum size, the active strategy set is expanded to reach the preset minimum size to obtain the active defense strategy set and active attack path set for accurate solution. The defense strategy probability, support set indicator variable and game value are set to model a k-sparse optimal commitment MILP model. The model is solved to obtain the k-sparse equilibrium strategy for optimizing honeypot deployment.
[0008] The beneficial effects of the honeypot deployment strategy optimization method for a two-layer IoT architecture provided by this invention are as follows: the game model designed for the IoT network architecture fits the actual deployment requirements, the asymmetric solution framework is designed to adapt to the differentiated characteristics of different layers in the network architecture, the computational efficiency and solution quality are balanced, the efficient solution of a large-scale policy space is achieved, and an efficient and feasible optimal configuration scheme is provided for honeypot deployment in the IoT network.
[0009] In one possible embodiment, the two-player zero-sum Stackelberg game model is as follows: ,in: This represents a two-layer IoT architecture, including the construction of a node set and an edge set based on the two-layer IoT architecture; The defender's policy space is defined by the deployment of heterogeneous honeypot nodes by the defender in the two-layer network, and the defender's policy space satisfies the k-sparse hybrid policy constraint. This represents the attacker's strategy space, defined according to the attacker's attack targets; The attacker's gain is defined as the sum of hierarchical damage gains calculated based on the attack path nodes at different network layers, according to the attacker's policy space and the two-layer IoT architecture. This represents the defender's payoff, which is determined based on the zero-sum game conditions.
[0010] In another possible embodiment, invoking the Defender Oracle to generate a new defender strategy includes: calculating the risk scores of candidate nodes that can be deployed at honeypots; selecting nodes in the network and physical layers of the Internet of Things to construct corresponding candidate strategies based on the honeypot deployment number constraint defined in the two-player zero-sum Stackelberg game model; performing neighborhood search optimization of the corresponding candidate strategies in the network and physical layers to obtain the final optimized strategy based on the candidate strategies; determining whether the final optimized strategy exists in the current active strategy set; if the determination result is that it does not exist, the final optimized strategy is the new strategy generated by the Defender Oracle; if the determination result is that it exists, solving for the maximum expected interception benefit of the defender on all active attack paths under the attacker's current strategy to obtain the new strategy.
[0011] In other possible embodiments, the neighborhood set is defined as the set of all policies that satisfy the node number constraint by replacing only a single node within the layer for the current policy; the neighborhood search optimization includes: taking the candidate policy as the current optimal policy; selecting any node not in the current policy in the network layer corresponding to the current optimal policy to replace the node in the current optimal policy, and combining all replacement results to form the neighborhood set of the current optimal policy; calculating the defense value of each policy in the neighborhood set of the current optimal policy and selecting the policy with the highest defense value to update the current optimal policy; generating a neighborhood set based on the updated current optimal policy and calculating the defense value, selecting the policy with the highest defense value, and stopping the iteration until the defense value of all policies in the neighborhood set is no greater than that of the current optimal policy, and outputting the current optimal policy as the final optimized policy.
[0012] The new strategy for generating defenders by calling the attacker's Oracle includes: calculating the expected interception probability of each node based on the current defender strategy, defining node weights by performing a logarithmic transformation on the expected interception probability; enumerating all cross-layer edges between the physical layer and the network layer, using the node weights as path costs, and independently solving for the shortest inner edges in the physical layer and network layer with the corresponding node as the endpoint based on the nodes of each cross-layer edge; concatenating the cross-layer edges and the corresponding two shortest inner edges to obtain multiple complete paths, and selecting the complete path with the highest expected return to obtain the new strategy generated by the attacker's Oracle.
[0013] The expansion of the active strategy set includes: sorting the deployable honeypot nodes of each layer in descending order of risk score to obtain a risk-ordered queue; using a fixed-size sliding window to slide position by position on the risk-ordered queue of each layer, selecting the node combination with the highest risk score within the window to generate candidate strategies; performing non-repeating random sampling on all candidate strategies that meet the deployment quantity constraints of the defense strategy but are not included in the active strategy set to obtain a random sampling strategy; and combining the candidate strategies generated by the sliding window with the random sampling strategy to supplement the size of the active strategy set to reach the preset minimum size.
[0014] The MILP model is constructed by setting the defense strategy probability, support set indicator variable, and game value as follows: ,in, Indicates the probability of a defense strategy. Indicates the support set indicator variable. Let represent the game value; the constraints of the MILP model include: the game value is not less than the attacker's expected payoff for any path, the sum of the probabilities of the active defense strategy set is 1, the probability of the unselected defense strategy is zero, the selected defense strategy has a non-zero probability, and the support set size is k.
[0015] Secondly, the present invention also provides a computer-readable storage medium storing a computer program, which, when executed by a processor, implements the above-described honeypot deployment strategy optimization method for a two-layer Internet of Things architecture.
[0016] Thirdly, the present invention also provides an electronic device, comprising: a processor and a memory; the memory being used to store a computer program; the processor being used to execute the computer program stored in the memory, so that the electronic device executes the above-described honeypot deployment strategy optimization method for a two-layer Internet of Things architecture.
[0017] For the beneficial effects of the second and third aspects mentioned above, please refer to the description of the first aspect mentioned above. Attached Figure Description
[0018] Figure 1 A flowchart illustrating a honeypot deployment strategy optimization method for a two-layer IoT architecture provided in an embodiment of the present invention;
[0019] Figure 2 This is a schematic diagram of an electronic device structure provided in an embodiment of the present invention. Detailed Implementation
[0020] To make the objectives, technical solutions, and advantages of this invention clearer, the technical solutions in the embodiments of this invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of this invention. All other embodiments obtained by those skilled in the art based on the embodiments of this invention without inventive effort are within the scope of protection of this invention. Unless otherwise defined, the technical or scientific terms used herein should have the ordinary meaning understood by those skilled in the art. The terms "comprising" and similar expressions used herein mean that the element or object preceding the word covers the element or object listed following the word and its equivalents, but do not exclude other elements or objects.
[0021] This embodiment provides an optimization method for honeypot deployment strategies in a two-layer IoT architecture. See the appendix to the specification. Figure 1 The method includes:
[0022] S101: Based on the honeypot deployment and attack penetration process of the two-layer Internet of Things, a two-player zero-sum Stackelberg game model is formed by formal modeling, in which the defender's policy space is set to satisfy k-sparse constraints.
[0023] In one possible embodiment, the two-player zero-sum Stackelberg game model is as follows: ,in: This represents a two-layer IoT architecture, including the construction of a node set and an edge set based on the two-layer IoT architecture; The defender's policy space is defined by the deployment of heterogeneous honeypot nodes by the defender in the two-layer network, and the defender's policy space satisfies the k-sparse hybrid policy constraint. This represents the attacker's strategy space, defined according to the attacker's attack targets; The attacker's gain is defined as the sum of hierarchical damage gains calculated based on the attack path nodes at different network layers, according to the attacker's policy space and the two-layer IoT architecture. This represents the defender's payoff, which is determined based on the zero-sum game conditions.
[0024] In a specific embodiment, a two-layer IoT network is represented as follows: , where the node set , Represents a network layer node. Represents physical layer nodes; edge sets , Indicates the inner edge of a network layer. Indicates the inner edge of the physical layer. Indicates a cross-layer edge. Set as the attack source node. To attack the target node.
[0025] The defender deploys heterogeneous honeypot nodes in a two-layer IoT network, specifically high-interaction honeypot nodes at the network layer and low-interaction honeypot nodes at the physical layer. Specifically, a node set is defined at the network layer. mid-deployment Number of nodes, interception probability Highly interactive honeypot nodes provide complete service simulation, enabling them to deeply engage attackers and collect detailed attack behavior data. Define the physical layer node set. mid-deployment Number of nodes, interception probability ,and Low-interaction honeypot nodes simulate only limited device functionality, consuming few resources but possessing relatively weak detection capabilities. The deployment of honeypot nodes in specific locations works by simulating the services and environment of that node to lure attackers. Let... and These represent the set of nodes where honeypots can be deployed at each layer. A defender's pure policy can be represented as a tuple. ,in satisfy , satisfy The defender's strategy space is: The defenders employ a hybrid strategy. This approach increases the attacker's probing uncertainty by randomly selecting different honeypot configuration schemes. Furthermore, a k-coefficient commitment strategy is defined, requiring that the support set size of the hybrid strategy does not exceed k. Support set It is a subset of the pure strategies actually used by the defender. By using k-sparse constraints, it is ensured that the defender only needs to prepare and maintain at most k honeypot configuration schemes, which significantly reduces deployment complexity while maintaining near-optimal defense performance.
[0026] The attacker's core objective is to gradually penetrate from the lower-level intrusion points to high-value targets in the upper-layer network. Because frequent lateral movement across layers easily triggers detection mechanisms based on behavioral anomalies, attackers typically choose a path that involves only a single inter-layer boundary jump. Attack Path It can be represented as: The attack path happens to cross a cross-layer edge. To characterize the differences in penetration difficulty at different levels, the movement cost of each edge is defined as depending only on the level of the starting node: Total cost of the attack path This represents the sum of movement costs along all edges of the attack path. The attacker's policy space. Defined as all elements that satisfy the single cross-level constraint, from arrive The set of attack paths.
[0027] Attack path The basic reward is defined as the reciprocal of its total cost. This is used to quantify the contribution of attack efficiency to the final gain. Given an attack path... Let the cross-level index be The path nodes are divided into three regions: cross-layer pre-nodes. (Physical layer intermediate nodes), cross-layer edge nodes (The two endpoints of the cross-layer edge) and the node after the cross-layer. (Network layer intermediate node). Set up a defense strategy. For a set of nodes where honeypot nodes have been deployed, For the node The probability of successfully detecting the attack. The probability of an attacker successfully evading detection at different stages is calculated piecewise as follows: , , The probability that an attacker successfully crosses the boundary and enters the upper-layer network is: Based on the attack outcome, three levels of damage are distinguished: complete success (the attacker reaches the target). probability Partial success (the attacker gains access to the upper-layer network but is intercepted internally, with a low probability). ) and boundary interception (the attacker is intercepted at or before a cross-layer edge, with a probability of (The loss is zero). Therefore, the attacker's expected gain is defined as: ,in For complete success, the damage coefficient, This represents the partial success damage coefficient.
[0028] The defender's payoff under the zero-sum game assumption is .
[0029] Modeling a two-player zero-sum Stackelberg game The defender (leader) first commits to a k-sparse hybrid strategy, and the attacker (follower) observes and chooses the optimal response. The k-sparse Stackelberg equilibrium is... A constrained strong Stackelberg equilibrium (SSE) is a mixture of policies in which the defender has at most k pure policies with positive probabilities.
[0030] S102: Based on the initial active policy set of the attacker and defender in the constructed game model, perform iterative expansion, and perform k-sparse checks according to the set check period. During the iterative expansion process, continuously check whether the convergence condition is met. When convergence is achieved, the expanded active policy set is obtained. The iterative expansion process includes: performing game solving to obtain the mixed strategy and game value of the attacker and defender, and calling the defender oracle and attacker oracle respectively to generate new strategies for the attacker and defender and add them to the active policy set of the attacker and defender to realize one iterative expansion of the active policy set.
[0031] In one possible implementation, the defender Oracle and the attacker Oracle are adapted to two completely different strategy spaces: defender heterogeneous honeypot deployment and attacker cross-layer penetration.
[0032] The process of generating a new defender strategy by calling the Defender Oracle includes: calculating the risk scores of candidate nodes that can be deployed at honeypots; selecting nodes in the network and physical layers of the Internet of Things to construct corresponding candidate strategies based on the honeypot deployment number constraint defined in the two-player zero-sum Stackelberg game model; performing neighborhood search optimization on the candidate strategies in the network and physical layers to obtain the final optimized strategy; determining whether the final optimized strategy exists in the current active strategy set; if the result is no, the final optimized strategy is the new strategy generated by the Defender Oracle; if the result is yes, the new strategy is obtained by solving for the maximum expected interception benefit of the defender on all active attack paths under the attacker's current strategy.
[0033] The neighborhood set is defined as the set of all policies that satisfy the node number constraint by replacing only a single node within the layer for the current policy. The neighborhood search optimization includes: taking the candidate policy as the current optimal policy; selecting any node not in the current policy in the network layer corresponding to the current optimal policy to replace the node in the current optimal policy, and combining all replacement results to form the neighborhood set of the current optimal policy; calculating the defense value of each policy in the neighborhood set of the current optimal policy and selecting the policy with the highest defense value to update the current optimal policy; generating a neighborhood set based on the updated current optimal policy and calculating the defense value, selecting the policy with the highest defense value, and stopping the iteration until the defense value of all policies in the neighborhood set is no greater than that of the current optimal policy, and outputting the current optimal policy as the final optimized policy.
[0034] The new strategy for generating defenders by calling the attacker's Oracle includes: calculating the expected interception probability of each node based on the current defender strategy, defining node weights by performing a logarithmic transformation on the expected interception probability; enumerating all cross-layer edges between the physical layer and the network layer, using the node weights as path costs, and independently solving for the shortest inner edges in the physical layer and network layer with the corresponding node as the endpoint based on the nodes of each cross-layer edge; concatenating the cross-layer edges and the corresponding two shortest inner edges to obtain multiple complete paths, and selecting the complete path with the highest expected return to obtain the new strategy generated by the attacker's Oracle.
[0035] In one specific embodiment, the initial active strategy set for both the attacker and defender in the constructed game model is the active defense strategy set. Includes a randomized layered defense strategy and a set of active attack paths. It contains a shortest cross-layer path.
[0036] Constructing the revenue submatrix ,in . This represents the attack and defense payoff submatrix under the currently active strategy set; The matrix dimension is represented as "number of active attack paths" × "number of active defense strategies"; Indicates that the defender adopts the first An active pure strategy The attacker chooses the first One active attack path At that time, the attacker's expected gain .
[0037] Solve the zero-sum game to obtain the current mixed strategies of the attacker and defender. Game value . This represents the defender's mixed strategy on the currently active strategy set; This indicates the attacker's mixed strategy on the currently active policy set; This represents the equilibrium value of the current zero-sum game, i.e., the maximum expected payoff that the attacker can obtain.
[0038] Perform periodic k-sparseness checks: every In the next iteration, MILP is called to solve for the k-sparse game value on the current active policy set. ,judge Whether it holds true is used to track the stability of k-sparse game values, in order to avoid premature termination due to the game value not improving temporarily. This represents the iteration period for the k-sparse stability check; This represents the game value that satisfies the k-sparse constraint on the current active strategy set; This represents the k-sparse game value obtained from the previous k-sparse stability check; This represents the preset stability threshold, which is preset during the algorithm iteration initialization stage. The value is a very small positive number, determined based on the tolerance of k-sparse game value fluctuations and the algorithm stability requirements. It is used to determine whether the game value under k-sparse constraints tends to be stable. This indicates that the difference between two consecutive k-sparse game values is less than the threshold, and the k-sparse game value is judged to be stable.
[0039] Invoke the Defender Oracle to generate a new defense strategy for the Defender. .
[0040] The attacker invoked Oracle to generate a new attack path. and its expected returns Expected returns This represents the attacker's expected benefit from the best response to the current hybrid defense strategy.
[0041] Determining whether the iterative expansion converges: Convergence criteria include the attacker's optimal response gain. The defender Oracle is unable to find a new strategy. And the k-sparse game value has stabilized. When the above three convergence conditions are met at the same time, the iterative expansion converges and the expanded active policy set is obtained. Otherwise, the new policy is added to the corresponding active policy set to realize one iterative expansion of the active policy set.
[0042] In one specific embodiment, the defender oracle uses a two-stage strategy generation method of "heuristic first, precise later" to generate new strategies for the defender.
[0043] The heuristic strategy generation includes: defining candidate nodes that can be deployed at honeypots. The risk score is calculated according to the following formula , Represents a node Risk score; Indicates all nodes visited attack path ; This indicates that the attacker chose the first attack path The probability of; Indicates the current defense hybrid strategy Below, the attacker chooses a path Expected returns; This is an indicator function; it takes the value 1 if the condition within the parentheses is met, and 0 otherwise. This represents the set of nodes currently covered by the hybrid defense strategy. Represents a node Not covered by the current defense strategy. Based on the node's risk score, the highest-risk nodes are selected in a tiered manner. Network layer nodes and Each physical layer node constructs a candidate strategy. Based on the candidate strategies, a hierarchical local neighborhood search optimization is performed: a neighborhood strategy is defined as a strategy obtained by exchanging single nodes within the same layer. The set of all strategies that satisfy the node number constraint by replacing only single nodes within the layer with the current strategy forms the neighborhood set; the neighborhood strategy that maximizes the defense value is iteratively selected until no further improvement is possible, at which point the final optimized strategy is obtained.
[0044] The strategy generation for exact solution includes: determining whether the final optimized strategy exists in the current active strategy set; if the final optimized strategy does not exist in the current active strategy set, using the final optimized strategy as the new strategy generated by the defender Oracle; if the final optimized strategy exists in the current active strategy set, then performing MILP exact solution. The MILP exact solution process includes: assuming... Indicates whether a candidate node has deployed a honeypot. This indicates that honeypots are deployed on candidate nodes. This indicates that honeypots will not be deployed on candidate nodes; Let Indicates the first attack path The probability of interception, , Indicates the first One active attack path, This represents the total number of currently active attack paths; let... This indicates that the attacker selects the first option under a mixed strategy. attack path The probability of is expressed by the objective function as: ,in, This represents the defender's expected interception gain across all active attack paths under the attacker's current hybrid strategy; the objective function's role is to adjust variables... and This maximizes the overall interception effect of the defender on the current attack path distribution. Furthermore, it defines an exact solution for MILP that satisfies the path interception probability constraint. Network layer honeypot node number constraint Physical layer honeypot node number constraints Where D represents the set of all candidate nodes that can be deployed as honeypots. Indicates the attack path The intersection with the candidate node set D, Indicates at node The probability of successfully detecting an attack. Indicates the attacker along the first attack path The joint probability that the device is not blocked when passing through the relevant candidate nodes in sequence. Indicates the first attack path The total interception probability; the network layer honeypot node number constraint means that the total number of honeypots actually deployed in the network layer is strictly equal to... The physical layer honeypot node count constraint: the total number of honeypots actually deployed in the physical layer is strictly equal to... .
[0045] For example, taking the current policy as For example, the neighborhood strategy generation steps are as follows: 1. Network layer single node exchanges neighborhoods: traversal Each node The nodes that can be deployed using the network layer are not concentrated in one location. Any node within replace 1. Obtain the neighborhood strategy; 2. Physical layer single node neighborhood exchange: traversal Each node The physical layer can deploy honeypots in a concentrated location. Any node within replace 3. All the generated results that conform to the definition of a neighborhood policy constitute the neighborhood set of the current policy. The neighborhood policy that maximizes the defense value is selected as follows: according to the formula... Calculate each neighborhood policy In the attacker's hybrid strategy The defense value is calculated and the results are compared to select the neighborhood strategy that maximizes the defense value.
[0046] In one specific embodiment, the attacker Oracle employs a new strategy for generating defenders using a cross-layer awareness path search algorithm: defining the expected interception probability of nodes to satisfy the formula... Furthermore, node weights can be defined through logarithmic transformation. ,in, Indicates the node under the current defense hybrid strategy Expected probability of intercepting an attack; Represents all containing nodes Active defense pure strategy ; Indicates the defender's choice of the first An active pure strategy The probability of defensive strategies; This represents the node weights after logarithmic transformation. The logarithmic transformation formula is... This is used to transform the product-wise optimization of attack escape probabilities into the cumulative optimization of path weights. It enumerates all cross-layer edges between the physical layer and the network layer. The node weights are calculated as path costs. Based on the nodes of each cross-layer edge, the shortest path problem within the physical layer and network layer is solved independently, i.e., the shortest path problem within the physical layer is solved. and network layer The Dijkstra shortest path is obtained by concatenating cross-layer edges and the corresponding two shortest inner edges to obtain multiple complete paths. The complete path with the highest expected return is selected to obtain the new strategy generated by the attacker's Oracle.
[0047] S103: Check the size of the expanded active strategy set. If the size of the expanded active strategy set is less than the preset minimum size, expand the active strategy set to reach the preset minimum size to obtain the active defense strategy set and active attack path set for accurate solution.
[0048] In one possible embodiment, expanding the active strategy set includes: arranging the deployable honeypot nodes of each layer in descending order of risk score to obtain a risk-ordered queue; sliding a fixed-size sliding window across the risk-ordered queue of each layer, selecting the node combination with the highest risk score within the window to generate candidate strategies; performing non-repeating random sampling on all candidate strategies that meet the deployment quantity constraints of the defense strategy but are not included in the active strategy set to obtain a random sampling strategy; and combining the candidate strategies generated by the sliding window with the random sampling strategy to supplement the size of the active strategy set to reach a preset minimum size.
[0049] In a specific implementation, based on sparse commitment theory: the restricted policy set requires Only a sufficiently large set of active policies can encompass all optimal k-sparse policies. Therefore, after obtaining the expanded set of active policies, its size is checked; if the expanded set of active policies has a large enough size... Expand the active strategy set to The scale is designed to ensure the sufficiency of the policy space for subsequent MILP solutions. The specific process of expanding the active policy set includes: first, arranging the deployable nodes at each layer in descending order of risk score to form a risk-ordered queue; then, using a fixed-size sliding window to slide position by position on each risk-ordered queue, selecting the corresponding number of nodes with the highest risk within the window to generate candidate policies; subsequently, performing non-repeating random sampling within the range of all legal pure defense policies that satisfy the hierarchical deployment constraints and are not included in the active policy set; finally, combining the candidate policies generated by the sliding window with the randomly sampled policies to supplement the size of the active policy set to [size missing]. .
[0050] S104: Set up a MILP model of k-sparse optimal commitment by setting the defense strategy probability, support set indicator variables and game value, and solve the model to obtain the k-sparse equilibrium strategy for optimizing honeypot deployment.
[0051] In one possible embodiment, the MILP model constructed using the defense strategy probability, support set indicator variable, and game value is set as follows: ,in, Indicates the probability of a defense strategy. Indicates the support set indicator variable. Let represent the game value; the constraints of the MILP model include: the game value is not less than the attacker's expected payoff for any path, the sum of the probabilities of the active defense strategy set is 1, the probability of the unselected defense strategy is zero, the selected defense strategy has a non-zero probability, and the support set size is k.
[0052] In a specific embodiment, after obtaining the active defense strategy set and active attack path set for accurate solution, the active defense strategy set for accurate solution is denoted as... The active attack path set is Introducing a probability-based defense strategy Support set indicator variables Game value The MILP model for modeling k-sparse optimal commitments is as follows: Furthermore, set constraints. , , , , The first set of constraints is a Minimax constraint, which ensures The probability normalization constraint ensures that the sum of the probabilities of the defense strategies is 1; the upper bound connection constraint ensures that the probability of the unselected defense strategy is zero; the lower bound connection constraint ensures that the selected defense strategy has a non-zero probability. The sparse constraint precisely controls the support set size to k. After solving the above MILP model, the final k-sparse equilibrium strategy is output. Game value ,in The defender's k-sparse optimal hybrid strategy includes at most k honeypot configuration schemes and their corresponding probabilities; This is the optimal response path for the attacker. The defender, based on... By randomly deploying the honeypot configuration scheme and its probability, the honeypot deployment strategy can be optimized.
[0053] The honeypot deployment strategy optimization method for two-layer IoT architecture provided by this invention designs an attack path generation and constraint mechanism, honeypot deployment logic, k-sparse constraints and payout quantification structure that are different from the game model construction of existing technologies. It fully considers the cross-layer attack characteristics of IoT architecture and the differentiated defense capabilities of heterogeneous honeypot nodes, and solves the problem that the game model construction in existing technologies is difficult to adapt to the actual cross-layer architecture and network scale of IoT networks.
[0054] For two-layer network structures, an asymmetric Oracle was designed to adapt to two completely different strategy spaces: the hierarchical deployment of heterogeneous honeypot nodes by defenders and the cross-layer penetration by attackers. This solves the problems of computational infeasibility caused by the exponential growth of the strategy spaces of both attackers and defenders in IoT architecture, as well as the limited scalability in structured games.
[0055] The honeypot deployment strategy optimization method for two-layer IoT architecture provided by this invention is customized for IoT network structure. It fully considers the cross-layer attack characteristics of IoT network and the differentiated defense capabilities of heterogeneous honeypot nodes. It can achieve a good balance between computational efficiency and solution quality, realize efficient solution of large-scale policy space, and provide an efficient and feasible optimal configuration scheme for honeypot deployment in IoT network.
[0056] In other embodiments of this application, an electronic device is disclosed, such as... Figure 2 As shown, the electronic device 200 may include: one or more processors 201; a memory 202; a display 203; one or more application programs (not shown); and one or more computer programs 204. These devices can be connected via one or more communication buses 205. The one or more computer programs 204 are stored in the memory and configured to be executed by the one or more processors 201. The one or more computer programs 204 include instructions that can be used to perform actions such as... Figure 1 And the various steps in the corresponding embodiments.
[0057] Through the above description of the embodiments, those skilled in the art will clearly understand that, for the sake of convenience and brevity, only the division of the above functional modules is used as an example. In practical applications, the above functions can be assigned to different functional modules as needed, that is, the internal structure of the device can be divided into different functional modules to complete all or part of the functions described above. The specific working process of the system, device, and unit described above can be referred to the corresponding process in the foregoing method embodiments, and will not be repeated here.
[0058] In the embodiments of this application, the functional units can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit. The integrated unit can be implemented in hardware or as a software functional unit.
[0059] If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solutions of the embodiments of this application, essentially, or the parts that contribute to the prior art, or all or part of the technical solutions, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) or processor to execute all or part of the steps of the methods described in the various embodiments of this application. The aforementioned storage medium includes various media capable of storing program code, such as flash memory, portable hard disk, read-only memory, random access memory, magnetic disk, or optical disk.
[0060] The above description is merely a specific implementation of the embodiments of this application, but the protection scope of the embodiments of this application is not limited thereto. Any changes or substitutions within the technical scope disclosed in the embodiments of this application should be covered within the protection scope of the embodiments of this application. Therefore, the protection scope of the embodiments of this application should be determined by the protection scope of the claims.
Claims
1. A honeypot deployment strategy optimization method for a two-layer IoT architecture, characterized in that, include: Based on the honeypot deployment and attack penetration process of the two-layer Internet of Things, a two-player zero-sum Stackelberg game model is formed by formal modeling, in which the defender's policy space is set to satisfy k-sparse constraints. Based on the initial active policy set of the attacker and defender in the constructed game model, iterative expansion is performed. At the same time, k-sparse checks are performed according to the set check period. During the iterative expansion process, it is continuously judged whether the convergence condition is met. When convergence is achieved, the expanded active policy set is obtained. The iterative expansion process includes: executing game solving to obtain the mixed strategy and game value of the attacker and defender, and calling the defender oracle and attacker oracle respectively to generate new strategies for the attacker and defender and add them to the active policy set of the attacker and defender to realize one iterative expansion of the active policy set. Check the size of the expanded active strategy set. If the size of the expanded active strategy set is less than the preset minimum size, expand the active strategy set to reach the preset minimum size to obtain the active defense strategy set and active attack path set for accurate solution. A k-sparse optimal commitment MILP model is constructed by setting up defense strategy probabilities, support set indicator variables, and game values. The k-sparse equilibrium strategy is then obtained by solving the model to optimize honeypot deployment.
2. The method according to claim 1, characterized in that, Modeling a two-player zero-sum Stackelberg game model ,in: This represents a two-layer IoT architecture, including the construction of a node set and an edge set based on the two-layer IoT architecture; The defender's policy space is defined by the deployment of heterogeneous honeypot nodes by the defender in the two-layer network, and the defender's policy space satisfies the k-sparse hybrid policy constraint. This represents the attacker's strategy space, defined according to the attacker's attack targets; The attacker's gain is defined as the sum of hierarchical damage gains calculated based on the attack path nodes at different network layers, according to the attacker's policy space and the two-layer IoT architecture. This represents the defender's payoff, which is determined based on the zero-sum game conditions.
3. The method according to claim 1, characterized in that, New strategies for calling the Defender Oracle to generate defenders include: Calculate the risk score of candidate nodes that can be deployed in honey spots; Based on the honeypot deployment number constraint defined in the two-player zero-sum Stackelberg game model, nodes are selected in the network layer and physical layer of the Internet of Things to construct corresponding candidate strategies. Based on the candidate strategies, the final optimized strategy is obtained by performing neighborhood search optimization of the corresponding candidate strategies in the network layer and physical layer respectively. Determine whether the final optimized strategy exists in the current active strategy set. If the determination result is that it does not exist, the final optimized strategy is a new strategy generated by the defender Oracle. If the determination result is that it exists, calculate the maximum expected interception benefit of the defender on all active attack paths under the attacker's current strategy to obtain the new strategy.
4. The method according to claim 3, characterized in that, Define the neighborhood set as the set of all policies that satisfy the node number constraint and can be obtained by replacing only a single node within the layer for the current policy; Neighborhood search optimization includes: The candidate strategy is selected as the current optimal strategy. In the network hierarchy corresponding to the current optimal policy, any node not in the current policy is selected to replace the node in the current optimal policy, and all replacement results are combined to form the neighborhood set of the current optimal policy. Calculate the defense value of each policy within the neighborhood set of the current optimal policy and select the policy with the highest defense value to update the current optimal policy; Generate a neighborhood set based on the updated current best policy and calculate the defense value. Select the policy with the highest defense value. Stop iterating when the defense value of all policies in the neighborhood set is no greater than that of the current best policy. Output the current best policy as the final optimized policy.
5. The method according to claim 1, characterized in that, New strategies for invoking attackers' Oracle to generate defenders include: Calculate the expected interception probability of each node based on the current defender strategy, and define the node weight by performing a logarithmic transformation on the expected interception probability; Enumerate all cross-layer edges between the physical layer and the network layer, and use the node weights as the path cost. Solve independently the shortest intra-layer edges in the physical layer and network layer with the corresponding nodes as endpoints based on the nodes of each cross-layer edge. By splicing cross-layer edges and the corresponding two shortest inner-layer edges, multiple complete paths are obtained. The complete path with the highest expected return is selected to obtain the new strategy generated by the attacker's Oracle.
6. The method according to claim 1, characterized in that, The active strategy set expansion includes: Arrange the deployable honey points in each layer in descending order of risk score to obtain a risk-ordered queue. A fixed-size sliding window is used to slide sequentially across the risk-ordered queues at each level, and the nodes with the highest risk scores within the window are selected to generate candidate strategies. Random sampling strategy is obtained by performing non-repeating random sampling on all candidate strategies that meet the defense strategy's honeypot deployment number constraint and are not included in the active strategy set; The candidate strategies generated by the sliding window are combined with the random sampling strategy to supplement the size of the active strategy set to reach the preset minimum size.
7. The method according to claim 1, characterized in that, The MILP model is constructed by setting the defense strategy probability, support set indicator variable, and game value as follows: ,in, Indicates the probability of a defense strategy. Indicates the support set indicator variable. Represents the game value; The constraints for the MILP model include: the game value is not less than the attacker's expected payoff for any path, the sum of the probabilities of the active defense strategy set is 1, the probability of an unselected defense strategy is zero, the selected defense strategy has a non-zero probability, and the support set size is k.
8. A computer-readable storage medium storing a computer program thereon, characterized in that, When the computer program is executed by the processor, it implements the honeypot deployment strategy optimization method for a two-layer Internet of Things architecture as described in any one of claims 1 to 7.
9. An electronic device, characterized in that, include: Processor and memory; The memory is used to store computer programs; The processor is used to execute the computer program stored in the memory to cause the electronic device to perform the honeypot deployment strategy optimization method for a two-layer Internet of Things architecture as described in any one of claims 1 to 7.