Although deploying Threat Situation Awareness (TSA) technology at the application layer can detect threats, its timeliness lags and the countermeasures are not effective. From the perspective of traffic, expressing and deploying TSA on the data plane to detect, understand and project threats is a research hotspot in future network security. However, data plane resources are limited, so security services can easily affect normal network transmission performance. It is difficult to ensure the forwarding efficiency of ordinary packets while sensing threats to traffic. Research in industry and academia has found that modularizing and decoupling threat situation awareness into programmable data plane hardware such as network processors (NP) can improve the efficiency of threat discovery, classification, and countermeasures while maintaining network transmission stability. However, current research still has the following problems: (1) The performance and flexibility of existing NPs are too poor to support TSA. (2) The TSA detection process and packet transmission interact with each other, which leads to the perceived data being easily stolen and tampered with. (3) Threat classification has poor accuracy, low speed and high consumption. (4) Threat processing methods are single, so the defense is easily mapped and bypassed by the enemy.

Facing these problems and difficulties, this paper studies the TSA method for next-generation network processors from the aspects of NP architecture innovation, TSA module optimization, and their adaptation and integration. The main research contents are as follows:

(1) Aiming at the problem that current NPs have poor packet processing performance and flexibility and cannot support complex security services such as TSA, a high-performance and evolvable next-generation network processor architecture (HPENP) is designed. A chip-based multi-stage pipeline of software and hardware fusion is studied, which supports the in-depth processing of packets for security services while ensuring transmission speed. By abstracting resources from the perspective of architecture and providing transmission optimization and a programming interface, HPENP improves the efficiency of TSA. Experiments have proved that HPENP balances advanced packet processing and forwarding efficiency, and that its programmability provides a good hardware development foundation for the TSA closed loop.

(2) Aiming at the problem that the TSA process is expensive and the detection results are easily tampered with by the enemy, resulting in perception collapse, a Threat Situation Detection (TSD) method based on secure lightweight network telemetry is proposed. The method builds a multi-dimensional resource view (MRV) and designs a lightweight and accurate network telemetry protocol to reduce the measurement overhead and shorten the convergence time for different scenarios, which ensures the accuracy and efficiency of the TSD process. The detection data protection method of the TSA domain blockchain is designed, and a consensus mechanism adapted to HPENP is implemented to update the collection measurement with distributed storage, preventing the enemy from tampering with and stealing detection instructions and feedback data. The method provides an accurate MRV for TSA while reducing resonance with the transmission.

(3) Aiming at the problems that obtaining threat intelligence takes too much time and that accuracy requirements are difficult to match with hardware resources in the process of Threat Situation Understanding (TSU), a high-speed TSU method based on the multi-dimensional resource view is proposed. The method trains on and learns from historical MRVs, performs mutation detection on new detection data to adaptively deploy the TSD tasks, and realizes a preliminary understanding of the situation. A dimensionality reduction and high-speed threat intelligence classification method for situation information is designed, and an embedded neural network and an integrated learning hierarchy are introduced. With the assistance of the HPENP multi-plane, threat classification is performed with limited time and space complexity, and reliable threat intelligence is generated.

(4) Aiming at the problem that the Threat Situation Projection (TSP) process has a single countermeasure and is easily detected by attackers, an intelligent situation projection method with elastic redundancy is proposed. For complex threats, this paper designs a heterogeneous situation projection executor to achieve defense flexibility. A method of executive chaining based on the mimetic ruling is proposed. Under the constraints of hardware boundary resources, and considering the state and heterogeneity of executives, the HPENP intelligently dispatches defense chains to increase the cost of enemy attacks and realize switch mimicry defense. The method can also predict the enemy’s further actions and realize the closed loop of the whole TSA process.