
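Research Framework and Anticipated Results of New Network Architecture and Key Technologies Supported by Endogenous Security
Cite this article: LI Tao, LAN Xiaolong, LI Beibei, WANG Wenhao, LI Lixiang, WANG Lina. Research Framework and Anticipated Results of New Network Architecture and Key Technologies Supported by Endogenous Security[J]. Journal of Sichuan University (Engineering Science Edition), 2023, 55(2): 1-13.
Authors: LI Tao  LAN Xiaolong  LI Beibei  WANG Wenhao  LI Lixiang  WANG Lina
Affiliations: School of Cyber Science and Engineering, Sichuan University; School of Cyber Science and Engineering, Sichuan University; School of Cyber Science and Engineering, Sichuan University; Institute of Information Engineering, Chinese Academy of Sciences; Beijing University of Posts and Telecommunications; Wuhan University
Funding: National Key Research and Development Program of China (2020YFB1805400)
Abstract: Network threats have now entered the era of unknown threats. Traditional network security, however, rests on "Maginot"-style static, passive defense. It lacks autonomy and the endogenous security capability of self-evolution, so unknown threats can essentially only be remedied after the fact by "patching". This after-the-fact approach is often accompanied by huge losses, and new ideas must be sought. Network security protection systems are strikingly similar to the human immune system: the immune system needs no prior knowledge of a virus, has a strong capacity for learning and inference, and is innately able to inactivate unknown viruses. In view of this, this research takes "unknown threats" as its core and "artificial immunity" as its innovative means, and studies a new network architecture and key technologies supported by endogenous security. First, by simulating the basic principles of the human immune system, it proposes a cyberspace security immune architecture oriented to endogenous security, to provide networks with an endogenous security capability like that of the human immune system. Next, based on the idea of mRNA immunity, it proposes a trusted network addressing and routing control method based on mRNA immunity, to effectively identify and prevent route hijacking. Through methods such as genetic evolution, it proposes an adaptive discovery method for unknown network threats based on genetic evolution, to form the ability to rapidly discover unknown network threats when prior knowledge is incomplete. By simulating the "body temperature risk early warning" and "specific immunity" mechanisms of the human immune system, it proposes a real-time quantitative calculation method for dynamic network risk based on the human body temperature early warning mechanism, and a fast dynamic feedback iterative network risk control method based on specific immunity, providing the ability to assess and respond to the risk of unknown threats when prior knowledge is incomplete and achieving adaptive defense against unknown attacks. Finally, by building an immune-based prototype of a new network oriented to endogenous security, the research results are technically verified, and the proposed theories and methods are improved according to the verification results, thereby breaking through the technical bottleneck of traditional network security, which relies mainly on "patching" as passive defense. The research results have very important theoretical significance and practical application value for scientific research, technology development, and industrial development in cyberspace security protection.

Keywords: endogenous security  network threat discovery  risk assessment  risk control  artificial immunity
Received: 2022/10/23 0:00:00
Revised: 2023/3/14 0:00:00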

Research Framework and Anticipated Results of New Network Architecture and Key Technologies Supported by Endogenous Security
LI Tao, LAN Xiaolong, LI Beibei, WANG Wenhao, LI LiXiang, WANG Lina. Research Framework and Anticipated Results of New Network Architecture and Key Technologies Supported by Endogenous Security[J]. Journal of Sichuan University (Engineering Science Edition), 2023, 55(2): 1-13.
Authors: LI Tao  LAN Xiaolong  LI Beibei  WANG Wenhao  LI LiXiang  WANG Lina
Affiliation: School of Cyber Science and Engineering, Sichuan Univ, China; Institute of Information Engineering, CAS, Beijing, China; School of Cyberspace Security, Beijing University of Posts and Telecommunications, China; School of Cyber Science and Engineering, Wuhan Univ, China
Abstract: At present, network threats have entered the era of unknown threats. However, traditional network security is based on "Maginot" static passive defense, which lacks autonomy and the endogenous security ability of self-evolution. Unknown threats can only be remedied afterwards by "patching". This method is often accompanied by huge losses, and new ideas should be sought. The network security protection system has striking similarities with the human immune system. The immune system does not require prior knowledge of viruses, has a strong ability to learn and evolve, and is born with the ability to inactivate unknown viruses. Inspired by the immune system, with "unknown threat" as the core and "artificial immunity" as the innovative means, this research focuses on the new network architecture and key technologies supported by endogenous security. Firstly, by simulating the basic principle of the human immune system, a cyberspace security immune architecture is proposed to provide the same network endogenous security capability as the human immune system. Secondly, based on the idea of mRNA immunity, a trusted network addressing and routing control method based on mRNA immunity is proposed to effectively identify and prevent route hijacking. Thirdly, through the method of genetic evolution, an adaptive discovery method of unknown cyber threats based on genetic evolution is proposed to form the ability to quickly discover unknown cyber threats under the condition of incomplete prior knowledge. Fourthly, by simulating the "body temperature risk early warning" and "specific immunity" mechanisms of the human immune system, a real-time quantitative calculation method of network dynamic risk based on the body temperature early warning mechanism and a fast dynamic feedback iterative network risk control method based on specific immunity are proposed, which can provide the ability to assess and respond to the risk of unknown threats in the case of incomplete prior knowledge, and achieve adaptive defense against unknown attacks. Finally, by constructing a new immune-based network prototype system for endogenous security, the research results are technically verified, and the proposed theories and methods can be further improved according to the verification results, so as to break through the bottleneck of traditional "patch" passive defense network security technology. The research results have important theoretical significance and practical application value to the scientific research, technology research, and industrial development of cyberspace security protection.
Keywords:endogenous security  network intrusion detection  risk assessment  risk control  artificial immune system