Research progress on mimic defense architecture design methods

Li Qi1, Duan Pengsong1, Cao Yangjie1, Zhang Dalong1, Yang Xiaohan2, Wang Yujing1 (1. School of Cyber Science and Engineering, Zhengzhou University, Zhengzhou 450003; 2. Institute of Information Technology, Information Engineering University, Zhengzhou 450001)

Abstract
With the spread and development of Internet technology, the protection of user data and privacy has become a hot research area. Cyberspace security defense has developed from passive defense to active defense, with significant improvements in defense performance and success rate. However, traditional passive and active defense are in essence shell-type defenses in which function and security are loosely coupled, and their performance against unknown attacks is poor. Cyberspace mimic defense (CMD) is a form of network endogenous security that evolved from traditional network security defense methods. Its core architecture is the dynamic heterogeneous redundancy architecture, whose implementation consists mainly of four parts: a set of heterogeneous executors, a distributor, a mimic transformer and a voter, with the three CMD theorems and the incomplete-intersection theorem of network security as its theoretical basis. Within this architecture, heterogeneous executors increase the heterogeneity of the system, the voting algorithm decides which executors go online or offline, and the scheduling algorithm carries out the online/offline switching of executors. Starting from the historical evolution of cyberspace security, this paper compares traditional defense methods with mimic defense, focuses on the concrete implementation forms of the heterogeneity, scheduling and voting strategies in the mimic architecture, and lists application examples that integrate mimic defense ideas in practice. Mimic defense already has a fairly broad application base in many fields, and research built on this base can advance the existing network security system to a new stage.
Keywords
Summary of research on mimic defense architecture design methods

Li Qi1, Duan Pengsong1, Cao Yangjie1, Zhang Dalong1, Yang Xiaohan2, Wang Yujing1(1.School of Cyber Science and Engineering, Zhengzhou University, Zhengzhou 450003, China;2.Institute of Information Technology, Information Engineering University, Zhengzhou 450001, China)

Abstract
The popularization and development of Internet technology have facilitated extensive research on the protection of users' data and privacy. Cyberspace security defense has developed from passive defense to active defense in recent years, and the performance and success rate of the new defense technologies have improved significantly. Typical passive defense techniques are access control, firewalls, and virtual local area networks; typical active defense techniques are honeypots, digital watermarking, intrusion detection, and traffic cleaning. However, traditional passive and active defense are both shell defenses in which function and security are loosely coupled, and their performance against unknown attacks is poor. Their defects can be summarized as the "impossible triangle": a traditional defense system cannot simultaneously satisfy the three defense elements of dynamics (D), variety (V), and redundancy (R). The three elements can be combined in pairs to form defense domains: the typical technical representative of the DV domain is moving target defense, of the DR domain dynamic isomorphic redundancy, and of the VR domain the dissimilar redundancy architecture. Our research aims to find a defense technology that reaches the DVR domain. Cyberspace mimic defense (CMD) was proposed by Academician Wu Jiangxing in 2016. It addresses cyberspace security as an implementation form of network endogenous security developed from traditional cybersecurity defense methods. Its core architecture is the dynamic heterogeneous redundancy (DHR) architecture, which mainly consists of four parts: a set of heterogeneous executors, a distributor, a mimic transformer, and a voter. Its theoretical foundation is the three CMD theorems and the incomplete-intersection theorem of network security.
Heterogeneous executors increase the heterogeneity of the system, and the voting algorithm determines which executors go online and offline. Heterogeneity strategies can be divided into four categories: single-source closed, single-source open, multi-source closed, and multi-source open, depending on whether the components are open source and whether their source code has been modified. When selecting heterogeneous components, similarity should be avoided as much as possible, so that system redundancy improves and coordinated attacks cannot break through the mimic defense and damage the system. The hybrid heterogeneous method is a direction for further research: it uses cloud computing resources to break through the limits of single-machine software and hardware and consolidates the diversity and reliability of heterogeneous systems. The core idea of mimic voting is that the mimic system monitors the "process data and process element resources" of the executors, discovers attacked executors through voting, and determines the final value that the system outputs to the user I/O. The evolution of voting algorithms is mainly reflected in the use of diverse modules to repeatedly verify voting results and so improve their credibility; multimodal adjudication is also an important guarantee of the dynamics of mimic systems. At the end of the mimic defense process, the scheduling algorithm brings executors online and takes them offline. Scheduling algorithms are divided, by whether the system uses historical data, into two categories: open-loop external-feedback algorithms and closed-loop self-feedback algorithms.
A positive external-feedback scheduling algorithm can improve performance to a certain extent. However, without analysis of the system's historical state, its sensitivity to attacks that have already occurred is reduced, which weakens the dynamics of the mimic system. Therefore, scheduling strategies with self-feedback algorithms show better effectiveness and performance in adversarial experiments. This study starts from the historical evolution of cyberspace security, compares traditional defense methods with mimic defense, focuses on the concrete implementation forms of heterogeneity, scheduling, and voting strategies in the mimic architecture, and lists application examples that integrate mimic defense ideas in practice. The mainstream mimic defense applications are the mimic router, the mimic Web server, mimic distributed applications, and the mimic Internet of Things. Mimic defense has now gained a wide application base in various fields, and research built on this base can advance the existing network security system to a new stage.
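The distributor / heterogeneous executors / voter / scheduler loop described in the abstract, as an added toy model that is not code from the paper or from any CMD project. It assumes three constructed executor implementations (stand-ins for genuinely different software stacks), one constructed compromised executor that tampers only with requests containing "admin", a majority voter, and a closed-loop self-feedback scheduler that keeps a per-executor fault history and swaps a repeatedly outvoted executor for a standby one; the executor names and the fault threshold of 2 are assumptions.

```python
"""Toy model of a dynamic heterogeneous redundancy (DHR) pipeline.

Added illustration, not code from the paper. A distributor fans each request
out to the online executors, a majority voter picks the output and flags the
dissenting executors, and a closed-loop (self-feedback) scheduler counts each
executor's disagreements and swaps a repeat offender for a standby executor.
Executor implementations, names and the fault threshold are all constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple
import hashlib


@dataclass
class Executor:
    name: str
    impl: Callable[[str], str]  # request -> response
    faults: int = 0             # times outvoted: the history a self-feedback scheduler keeps


# Constructed stand-ins for heterogeneous executors. A real DHR deployment would
# use different stacks (OS, language, web server); here three independently
# coded paths to the same 8-hex-digit digest play that role.
def impl_a(req: str) -> str:
    return hashlib.sha256(req.encode()).hexdigest()[:8]


def impl_b(req: str) -> str:
    return "%08x" % int.from_bytes(hashlib.sha256(req.encode()).digest()[:4], "big")


def impl_c(req: str) -> str:
    return "".join("%02x" % b for b in hashlib.sha256(req.encode()).digest()[:4])


def impl_tampered(req: str) -> str:
    """Constructed compromised executor: answers honestly except on 'admin' requests."""
    return "deadbeef" if "admin" in req else impl_a(req)


class MimicSystem:
    def __init__(self, online: List[Executor], standby: List[Executor], fault_threshold: int = 2):
        self.online = list(online)
        self.standby = list(standby)
        self.threshold = fault_threshold
        self.log: List[str] = []

    def distribute(self, request: str) -> Dict[str, str]:
        """Distributor: copy the same request to every online executor."""
        return {ex.name: ex.impl(request) for ex in self.online}

    @staticmethod
    def vote(responses: Dict[str, str]) -> Tuple[Optional[str], Set[str]]:
        """Voter: strict majority wins; without one there is no output and every executor is suspect."""
        value, support = Counter(responses.values()).most_common(1)[0]
        if support * 2 <= len(responses):
            return None, set(responses)
        return value, {name for name, r in responses.items() if r != value}

    def schedule(self, dissenters: Set[str]) -> None:
        """Closed-loop scheduler: an executor outvoted `threshold` times goes offline, a standby comes online."""
        for ex in list(self.online):
            if ex.name in dissenters:
                ex.faults += 1
                if ex.faults >= self.threshold and self.standby:
                    self.online.remove(ex)
                    replacement = self.standby.pop(0)
                    self.online.append(replacement)
                    self.log.append(f"replaced {ex.name} with {replacement.name}")

    def handle(self, request: str) -> Optional[str]:
        responses = self.distribute(request)
        value, dissenters = self.vote(responses)
        self.schedule(dissenters)
        return value


def build_demo() -> MimicSystem:
    """Two honest executors plus one compromised executor online, one honest standby."""
    return MimicSystem(
        online=[Executor("A", impl_a), Executor("B", impl_b), Executor("T", impl_tampered)],
        standby=[Executor("C", impl_c)],
        fault_threshold=2,
    )


if __name__ == "__main__":
    system = build_demo()
    for req in ("GET /index", "GET /admin", "GET /admin", "GET /admin"):
        print(req, "->", system.handle(req), [e.name for e in system.online])
    print(system.log)
```

The compromised executor never reaches the user: the voter masks its first lie, and because the scheduler remembers that disagreement, the second lie is enough to take it offline and bring the standby in, which is the difference between a self-feedback scheduler and an open-loop one that would keep the same executor set regardless of history. The `None` result when no strict majority exists is the point where a real system would raise an alarm rather than return a value.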
Keywords
