CN117241274B - Communication method of self-adaptive networking - Google Patents

Abstract

The invention provides a communication method of a self-adaptive networking, which comprises the following steps: the network threat detection sensor host machine network behavior characteristic acquisition method is improved, and the host machine behavior characteristic acquisition method is suitable for host machine diversity of a target network; improving the network threat detection sensor network load initialization flow, and adopting port multiplexing to transmit internal communication information among network threat detection sensors and self-adaptive networking loads; improving the resource management of the network threat detection sensor, and optimizing the network threat detection sensor resource management group decomposition algorithm and the route selection algorithm; and constructing an optimized network threat detection sensor task cluster. The self-organizing property and the maneuverability of individual networking of the network threat detection sensor are met by using the minimum cost, the high safety and the high reliability as principle indexes and adopting a self-adapting networking method for statistical analysis of the network behavior of the network threat detection sensor host.

Description

A communication method for adaptive networking

Technical field

The present invention relates to the technical field of network security protection, and in particular to a communication method for adaptive networking.

Background technique

The network threat detection sensor is a software deployed on the host computer that can and independently carry out relevant security threat detection tasks. Adaptive networking is a key link in the command, control and task collaboration of network threat detection sensors. It is not only related to the smooth execution of network threat detection sensor tasks, but also related to the concealment and security of the individual survival of network threat detection sensors.

(1) Adaptive networking is the basic requirement to meet the task of network threat detection sensor clusters

Tasks can be performed in a non-cooperative network environment either individually or cooperatively. However, the assignment and execution of tasks and the uploading of feedback must be completed through a collaborative model, which requires that each network threat detection sensor must be a member of the cluster task organization. The process of an individual network threat detection sensor becoming a cluster task member is the process of network threat detection sensor networking, which is the most basic requirement to meet the network threat detection sensor cluster task.

(2) Adaptive networking cannot affect the living status

This is because the risk of exposure cannot be increased during the adaptive networking process. Adaptive security networking must be carried out on the premise of ensuring security and based on the principles of minimum cost, high security, and high reliability. in:

The minimum cost means that the network threat detection sensor should produce as few abnormal behaviors as possible during the adaptive networking process to prevent it from being discovered by the host's security inspection mechanism, thus affecting the survival of individual network threat detection sensors and thereby increasing the number of the entire network threat detection sensor. Risks of cluster exposure.

High security means that the transmission of networking information that requires collaboration during the adaptive networking process must use high-security methods to prevent the exposure of network threat detection sensors due to the leakage of networking collaboration information.

High reliability means that a reliable task cluster must be built through adaptive networking to ensure that each individual network threat detection sensor has the ability to accept control and complete tasks under the networking state.

(3) Adaptive networking should have dynamic adaptability in non-cooperative network environments

Relying on the host computer to survive in a non-cooperative network environment, whether the host computer is powered on and whether individual network threat detection sensors survive safely will have an impact on the networking process. Adaptive networking should have strong dynamic adaptability and flexibly adjust networking strategies based on the online or alive status of network threat detection sensors to meet the networking needs of cluster tasks.

Contents of the invention

In view of the above problems, the present invention is proposed to provide an adaptive networking communication method that overcomes the above problems or at least partially solves the above problems.

According to one aspect of the present invention, a communication method for adaptive networking is provided. The communication method includes:

Improve the collection method of network behavior characteristics of the network threat detection sensor host to adapt to the host diversity of the target network;

Improve the network threat detection sensor networking load initialization process and use port reuse to transmit internal communication information between network threat detection sensor adaptive networking loads;

Improve network threat detection sensor resource management, optimize network threat detection sensor resource management group decomposition algorithm and routing selection algorithm; build optimized network threat detection sensor task clusters.

Optionally, the method for collecting network behavior characteristics of the host computer by improving the network threat detection sensor specifically includes:

According to the presence of multiple network cards on the network threat detection sensor host, distinguish IP addresses to collect network behavior characteristics, and increase the collection of port usage and usage frequency under the same IP;

Detail the communication interval statistics of HTTP and SMTP protocol traffic, count user active time periods hourly according to the normal work flow rate, and extract several active time periods;

Implement feature statistics support for multi-network card hosts. The communication time period of a certain communication IP is counted according to 24 intervals. However, the statistical results are not included in the networking policy table and are stored locally in the form of files for reference during local communication.

Optionally, the improved host network behavior signature library definition: for Its network behavior feature library is recorded as:

Among them: p≥n; NODEID is the unique identifier of the network threat detection sensor, ip _k represents the IP address of host k communicating with the host machine, F _k represents the communication frequency with host k; Http _k represents the HTTP protocol communication with host k Communication timing and traffic volume; Smtp _k is the communication timing and traffic volume for SMTP protocol communication with host k, port _k is the port usage information and usage frequency information on the ip _k address.

Optionally, the improved network threat detection sensor networking load initialization process specifically includes:

Use the host machine in the target network that meets the server characteristics as the selection target of the network threat detection sensor cluster head, and build a network threat detection sensor management system. When the network threat detection sensor enters the target network, check whether the host machine meets the server characteristics, such as Whether to open ports 80 and 25. If satisfied, it will be marked as a cluster head node, otherwise it will be an ordinary node; if an ordinary node finds no cluster head node during the survival process of the network threat detection sensor, when subsequently maintaining its own networking characteristic table, If it is found that there is a cluster head network threat detection sensor in the same IP network segment, the cluster head node with the highest ranking will be actively identified as the cluster head node.

Optionally, the use of port multiplexing to transmit internal communication information between adaptive networking loads of network threat detection sensors specifically includes:

During the construction and maintenance of the network threat detection sensor resource management system, the internal communication between the cluster head node and the ordinary node adaptive networking load, including the reporting of the networking policy table and task allocation information, all need to be communicated with the host network. Port multiplexing technology matching behavioral characteristics for transmission.

Optionally, the improved network threat detection sensor resource management, optimized network threat detection sensor resource management group decomposition algorithm and routing selection algorithm specifically include:

When the network threat detection sensor resources owned by the management node reach the quantity threshold, the network threat detection sensor resource decomposition process is started:

The management node selects the backup management node as the new management node. The new management node selects the appropriate node from the original management node as the management resource. The management node removes the new management node and the network threat detection sensor managed by the new management node from the management resources. resource;

The management nodes and new management nodes supplement the backup management nodes according to the cluster head selection algorithm. The management nodes notify their affiliated nodes to update the backup management node information. All cluster heads and backup cluster heads are server nodes in the target network.

Optionally, in the improved network threat detection sensor management system, the cluster head node controls the node with the most network threat detection sensor resources and optimizes communication route retrieval.

Optionally, the node A first checks whether there is direct communication with the node B in the networking policy table. If so, it returns the routing information node A ID + node B ID and exits; otherwise, the node A applies to the cluster head node A'. Check whether it can communicate with node B. If node B exists in the networking policy table of A', return the routing information node AID + node A' ID + node B ID; otherwise, node A' will be able to communicate with it according to the sorting in the networking policy table. All cluster heads and backup cluster head nodes queried in the own networking policy table apply to check whether they can communicate with node B. If node B exists in the networking policy table of the cluster head or backup cluster head node C, the routing information is returned. Node A ID+Node A'ID+Node C ID+Node B ID.

Optionally, the process of building a network threat detection sensor task cluster includes active task cluster construction and passive task cluster construction;

When network threat detection sensor resources are insufficient, apply for network threat detection sensor resources from the cluster head or other network threat detection sensor resource management groups;

During the construction process of the network threat detection sensor task cluster, when the network threat detection sensor resources are insufficient and it is necessary to apply for network threat detection sensor resources, the cluster head host for which the resources are applied has the maximum network threat detection sensor resources.

Optionally, the active task cluster construction supports that network threat detection sensor A selects and notifies appropriate network threat detection sensors from the network threat detection sensor resources to which it belongs to build task clusters, and creates a task cluster table; according to each The feedback of the network threat detection sensor completing the task dynamically adjusts the network threat detection sensor resources in the task cluster;

If a network threat detection sensor cannot perform a task or fails to perform a task, the network threat detection sensor is dynamically exited from the task cluster table, and at the same time, a suitable network threat detection sensor is selected from the remaining network threat detection sensors and dynamically added to the task cluster table. ;

If the resources of network threat detection sensor A cannot meet the needs of the task during the construction of the task cluster, it will apply for resources from other network threat detection sensor resource management groups; when A completes the task, according to the feedback from each node in the task cluster, if the task has When completed, the task cluster is destroyed.

Optionally, if there are sufficient network threat detection sensor resources in the network threat detection sensor resources to which network threat detection sensor A belongs, directly select and notify the appropriate network threat detection sensor to build a task cluster, and create a task cluster. surface;

Otherwise, network threat detection sensor A applies to its cluster head for network threat detection sensor resources. The cluster head returns the network threat detection sensor resources that meet the task conditions to network threat detection sensor A, and then network threat detection sensor A notifies the selected network. Threat detection sensors build task clusters and create task cluster tables;

Network threat detection sensor A dynamically adjusts the network threat detection sensor resources in the task cluster based on the feedback of each network threat detection sensor completing the task;

If a network threat detection sensor cannot perform a task or fails to perform a task, the network threat detection sensor is dynamically exited from the task cluster table, and at the same time, a suitable network threat detection sensor is selected from the remaining network threat detection sensors and dynamically added to the task cluster table.

Optionally, the passive task cluster construction support;

Passive task cluster management relies on tasks that are not generated by themselves, but are issued by superior nodes. This is called central task cluster management, which also includes the generation of task clusters, the merging of clusters, and the destruction of clusters;

The generation, merging and destruction of passive task group clusters are all managed by the cluster head.

The invention provides an adaptive networking communication method. The communication method includes: improving the network behavior characteristic collection method of the network threat detection sensor host to adapt to the host diversity of the target network; improving the network threat detection sensor network load initialization The process uses port reuse to transmit internal communication information between network threat detection sensor adaptive networking loads; improve network threat detection sensor resource management, optimize network threat detection sensor resource management group decomposition algorithm and routing selection algorithm; build optimized network threat Detect sensor task clusters. Taking the minimum cost, high security and high reliability as the principle indicators, through the adaptive networking method of statistical analysis of the network behavior of the network threat detection sensor host, the self-organization and mobility of the individual network threat detection sensor network are satisfied.

The above description is only an overview of the technical solutions of the present invention. In order to have a clearer understanding of the technical means of the present invention, they can be implemented according to the content of the description, and in order to make the above and other objects, features and advantages of the present invention more obvious and understandable. , the specific embodiments of the present invention are listed below.

Description of the drawings

In order to explain the technical solutions of the embodiments of the present invention more clearly, the drawings needed to be used in the description of the embodiments will be briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention. Those of ordinary skill in the art can also obtain other drawings based on these drawings without exerting creative efforts.

Figure 1 is a flow chart of the adaptive networking process and steps provided by the embodiment of the present invention;

Figure 2 is an improved flow chart of networking load initialization provided by an embodiment of the present invention;

Figure 3 is a flow chart of network threat detection sensor resource decomposition and optimization provided by an embodiment of the present invention;

Figure 4 is a schematic diagram of optimization of network threat detection sensor communication security routing decisions provided by an embodiment of the present invention.

Detailed ways

Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be implemented in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided to provide a thorough understanding of the disclosure, and to fully convey the scope of the disclosure to those skilled in the art.

The terms "comprising" and "having" and any variations thereof in the description, claims and drawings of the present invention are intended to cover non-exclusive inclusion, for example, the inclusion of a series of steps or units.

The technical solution of the present invention will be described in further detail below with reference to the accompanying drawings and examples.

Example 1

As shown in Figure 1, an adaptive networking communication method includes:

S01: Statistically analyze the network behavior of individual hosts of the network threat detection sensor, obtain the characteristics of the host network behavior, and construct the network behavior feature library of the host, which mainly includes: main communication IP address, communication frequency, communication time period, communication duration, Communication service type, communication traffic size, etc., and sorted according to communication frequency.

S02: Based on the host network behavior signature library, the network threat detection sensor individual checks whether the network threat detection sensor individual object host in the networking policy table it inherits (the list of network threat detection sensor individuals that can be networked) is the host of this individual. Objects that the host communicates with normally can be handled in the following two ways:

S02-1: The individual object of the network threat detection sensor is not included in the network behavior signature library of this individual host and is not used as the object of daily covert communication. The purpose is not to generate abnormal communication traffic and reduce the risk of exposure of the network threat detection sensor, and in Move it down in the networking policy table.

S02-2: There is a host mechanism network behavior signature database, which is sorted in the networking policy table according to the frequency of communication with the host, the size of the communication traffic, etc., and the top-ranked network threat detection sensor individuals are selected for daily covert communication. To communicate with objects, try not to choose lower-ranked network threat detection sensors to communicate with individual objects.

As shown in Figure 2, the method flow of improved network load initialization is shown;

S03: Based on the host network behavior signature database, the network threat detection sensor individual detects whether there is an individual network threat detection sensor among the remaining top-ranked network behavior objects of the host after excluding all communication objects in the networking policy table. If it exists, add it to the networking policy table and sort it.

S04: The individual network threat detection sensor sends the updated content in the networking policy table to the command center at a certain frequency.

S05: According to the networking policy table, individual network threat detection sensors select top-ranked individual network threat detection sensor objects for communication under normal conditions. In order to ensure the reliability of communication, two to three objects can be selected for communication at a time; Under mission status and special circumstances, according to the "Command Node" collaborative instructions, it can network and communicate with any individual object of the network threat detection sensor in the networking policy table.

S06: After the network threat detection sensor completes the networking policy table, in order to better adapt to the needs of the task, a task cluster needs to be formed. The command center first plans the mission and then issues the mission order. The network threat detection sensors that receive the mission first form a mission cluster so that the mission can be completed under coordinated control. According to the previous research on the task architecture of the network threat detection sensor cluster, the RC-chord protocol can be used for resource query and cluster construction. Therefore, after the task command is issued, the network threat detection sensor quickly adapts through the developed protocol. Form task clusters. As shown in Figure 3, the flow chart of network threat detection sensor resource decomposition and optimization.

S05-1: First, we must form a cluster task architecture for network threat detection sensors. The formation of a network threat detection sensor cluster must first select one or more super nodes. The super node is responsible for all processing of the entire network in the initial stage. Assuming that there are only two nodes in the initial stage, one node is selected as the super node. The node and the super node Add your own routing information respectively. At this time, the most basic structure of the network has been formed. The node sends a networking request to the super node. The super node is responsible for registering the node and notifying the corresponding node to update the routing information. With the addition of nodes, when the number of nodes in the cluster reaches a certain number, the second cluster begins to be created. According to the above process, each node is created separately. Next-level cluster, at this time, the network threat detection sensor cluster task architecture is basically completed. As shown in Figure 4, a schematic diagram of network threat detection sensor communication security routing decision optimization.

S05-2: There are two ways to form task clusters:

The first type: the command center designates network threat detection sensor task cluster super nodes and ordinary nodes according to the mission planning plan, and the cluster super node calls the cluster construction algorithm according to the cluster composition plan to realize the creation and management of clusters.

The second type: the command center only assigns tasks and designates network threat detection sensor cluster super nodes. The designated network threat detection sensor super nodes adaptively select the network policy table information provided by the tasks and the adaptive networking module. Secure network threat detection sensor nodes call the cluster construction algorithm to realize the creation and management of clusters.

S05-3: This invention uses an improved RC-Chord (Resource ClusteredChord) algorithm to realize the creation and management of network threat detection sensor clusters. RC-Chord is an extension of the Chord protocol, which combines the HP2P structure to solve the joint formation problem in large-scale systems. The RC-Chord algorithm has the ability to expand the hierarchical structure to any number of levels. Each level is composed of one or more clusters, and each cluster is an independent Chord instance. In RC-chord, the cluster organization is similar to a tree. The cluster network is constructed from top to bottom. The highest-level cluster is called a super cluster. The number of sub-clusters each cluster can have is determined by the branch coefficient. Each task cluster has a super node. The super node is responsible for managing the nodes in the cluster and communicating with the command center. The command center manages the super node. Due to the dynamic nature of the network, nodes may exit the task cluster or fail, and task clusters may also split or merge. Task cluster nodes call the improved RC-Chord algorithm to implement dynamic management of network threat detection sensor clusters. In order to ensure the completion of the task, a corresponding fault-tolerant mechanism (building a backup super node) is adopted to realize the management of the cluster. Each task cluster has a super node and a backup super node. During the collaborative execution of tasks, ordinary nodes transfer to the super node. If the request information sent by the node does not receive a response within a certain period of time, it will be determined whether the super node has failed. If it fails, the backup super node will be started immediately. After the task is completed, the super node is responsible for disbanding the task cluster.

In order to better adapt to the cluster task architecture, the specific process and steps of the cluster split algorithm are:

S05-3-1: When the number of nodes in the cluster exceeds the upper limit, the main super node of the cluster selects half of the candidate super nodes from the super nodes as the super nodes of the new cluster, and selects a main super node. The principle of election is that the main super node distributes resource types as evenly as possible according to the resource types of the cluster, so that the number of nodes and resource types owned by the two clusters after the split are as balanced as possible.

S05-3-2: The new cluster is added to the network as a chord instance and a corresponding routing table is established. The super node of the relevant cluster updates its own routing table.

S05-3-3: The original cluster elects a new batch of backup super nodes from the ordinary nodes and exchanges information with the original reserved super nodes. Other ordinary nodes update their own routing information.

S05-3-4: The new cluster elects a new batch of backup super nodes from the ordinary nodes and exchanges information with the newly established super nodes. Other ordinary nodes update their routing information.

S05-3-5: The new cluster reports its own resources to the upper cluster, the super node of the upper cluster updates its own routing information, and the cluster split is completed.

The specific process and steps of the cluster merging algorithm are:

S05-3-1: When the number of nodes in cluster i is less than the lower limit, the main super node of the cluster searches for cluster j that is closer to the cluster in the same layer and sends a merge request to cluster j.

S05-3-2: When the super node of cluster j receives a merge request, it first checks whether the number of nodes in this cluster is less than the lower limit. If it is less than the lower limit, it checks whether the resource types of cluster i and this cluster are complementary, so that after the merger The cluster has as many resource types as possible, and the resource complementarity is given a threshold. When the two clusters reach this threshold, a merge response is sent, otherwise a merge response is rejected.

S05-3-3: After cluster i receives the merge response from cluster j, it starts the merge process. Cluster i notifies the upper-level cluster that it wants to exit, and the upper-level cluster updates its routing information.

S05-3-4: Cluster i adds the entire cluster to cluster j. The main super node in cluster j selects a new super node according to the election strategy, and other nodes also update related routing information.

S05-3-5: When cluster i receives the merge rejection response from cluster j, cluster i looks for the next group that can be merged and sends a merge request until a cluster that can be merged is found, and the cluster merge is completed.

Example 2

An adaptive networking model based on network behavior characteristics is provided. The method specifically includes the following steps:

(1)Model definition

Definition 1: Command center: Command={ip _command }.

Definition 2: Super node set: SuperCraft={ip _i |1≤i≤m,m∈N}, ip _i represents the super node (cluster head) individual;

Definition 3: Network threat detection sensor collection: Craft = {ip _j |1≤j≤n,n∈N}, where n≥m, ip _j represents an individual network threat detection sensor.

Definition 4: Host set: Computer={ip _j |1≤j≤n,n∈N}.

Definition 5: Host network behavior signature library: for Its network behavior feature library is recorded as where p≥n; ip _k represents the IP address of host k communicating with the host machine, F _k represents the communication frequency with host k; Http _k represents the communication opportunity and traffic volume of HTTP protocol communication with host k; Smtp _{k represents the communication time with host k} The communication timing and communication volume of host k performing SMTP protocol communication.

Definition 6: Network threat detection sensor network policy table set: For network threat detection sensor craft _j ∈ Craft, its network policy table set Policy _j = {＜ip _jk ,F _jk ,Http _jk ,Smtp _jk ,state _jk , payload _jk ＞|1≤k≤q,q∈N}, where state _k represents the online status of the kth network threat detection sensor in the table, and payload _k represents the payload carried by the kth network threat detection sensor in the table.

Definition 7: The tasks sent by the command and control center to super nodes such as cluster heads are recorded as Misson={m _l |1≤l≤q,q∈N}.

Definition 8: Super node cluster set: For the network threat detection sensor craft _j ∈ SuperCraft, its task cluster set is recorded as and

(2)Model rules

Rule 1: If the network threat detection sensors craft _j1 and craft _j2 ∈ Craft, and craft _j1 is copied and generated by craft _j2 , then craft _j2 is called the parent network threat detection sensor of craft _j1 , and craft _j1 is called the child network threat detection sensor of craft _j2 . Sensor, recorded as craft _j1 <craft _j2 .

Rule 2: If the network threat detection sensors craft _{j1 and} craft _j2 ∈ Craft, and craft _j1 <craft _j2 , then the networking policy table Policy _j1 carried when craft _j1 is generated is a subset of the craft _j2 networking policy table, including only the command Super node information such as control center and cluster head, as well as the first three common node information.

Rule 3: If the network threat detection sensor craft _j1 is copied and generated by the command and control center, or is launched by the command and control center, then craft _j1 defaults to the cluster head, that is, craft _j1 ∈ SuperCraft.

Rule 4: If the network threat detection sensor craft _j1 is injected into a non-cooperative network through a cross-network method, it will default to the cluster head, that is, craft _j1 ∈ SuperCraft.

Rule 5: If the network threat detection sensor craft _j1 appears in the networking policy table Policy _j2 of craft _j2 ∈ SuperCraft, then craft _j1 is considered to be under the jurisdiction of the super node craft _j2 , which can support the task-based adaptive networking of craft _j1 by craft _j2 . , recorded as craft _j2 ——→craft _j1 .

Rule 6: Right craft _j2 ∈Craft, if craft _j2 ——→craft _j1 , and craft _j2 actually uses craft _j1 to build the task cluster, then it is recorded as />

(3)Model description

Adaptive networking can be divided into two processes: individual adaptive networking strategy table construction and task-based adaptive networking.

Process 2: Dynamic networking based on tasks to form task clusters

There are two ways of task-based dynamic networking: one is that the command and control center directly issues instructions to inform the super node (cluster head) to build all ordinary nodes of the task cluster; the other is that the super node (cluster head) Tasks select ordinary nodes to build task clusters.

Process 3: Separation and reorganization of task clusters

When a certain task cluster is too large, it needs to be separated and expanded into a new cluster, which facilitates task decomposition and management of ordinary nodes. When a certain task cluster is too small, it is merged into other task clusters to facilitate the integration of task forces.

①Separate expansion of task clusters

②Reorganization and merger of task clusters.

Beneficial effects: Based on the principles of minimum cost, high security, and high reliability, it meets the self-organization and mobility requirements of individual network threat detection sensors.

The above specific embodiments further describe the purpose, technical solutions and beneficial effects of the present invention in detail. It should be understood that the above are only specific embodiments of the present invention and are not intended to limit the scope of protection of the present invention. Within the spirit and principles of the present invention, any modifications, equivalent substitutions, improvements, etc. shall be included in the protection scope of the present invention.

Claims (1)

1. A communication method for adaptive networking, characterized in that the communication method includes: Improve the network behavior characteristic collection method of the network threat detection sensor host to adapt to the host diversity of the target network, including: According to the presence of multiple network cards on the network threat detection sensor host, distinguish IP addresses to collect network behavior characteristics, and increase the collection of port usage and usage frequency under the same IP; Detail the communication interval statistics of HTTP and SMTP protocol traffic, count user active time periods hourly according to the normal work flow rate, and extract several active time periods; Implement feature statistics support for multi-network card hosts. The communication time period of a certain communication IP is counted according to 24 intervals. However, the statistical results are not included in the networking policy table and are stored locally in the form of files for reference during local communication; Improved host network behavior signature library definition: for Its network behavior feature library is recorded as: Among them: p≥n; NODEID is the unique identifier of the network threat detection sensor, ip _k represents the IP address of host k communicating with the host machine, F _k represents the communication frequency with host k; Http _k represents the HTTP protocol communication with host k Communication timing and traffic volume; Smtp _k is the communication timing and traffic volume for SMTP protocol communication with host k, port _k is the port usage information and usage frequency information on the ip _k address; In the improved network threat detection sensor management system, the cluster head node controls the node with the most network threat detection sensor resources and optimizes communication route retrieval; Node A first checks whether there is direct communication with node B in the networking policy table. If so, it returns the routing information node A ID + node B ID and exits; otherwise node A applies to cluster head node A' to check whether it can communicate with node B. Communication, if node B exists in the networking policy table of A', the routing information node A ID + node A' ID + node B ID will be returned; otherwise, node A' will be able to use its own networking policy according to the sorting in the networking policy table. All cluster heads and backup cluster head nodes queried in the table apply to check whether they can communicate with node B. If node B exists in the networking policy table of cluster head or backup cluster head node C, the routing information node AID + node A' is returned. ID+node C ID+node B ID; Improve the network threat detection sensor network payload initialization process, specifically including; Use the host machine in the target network that meets the server characteristics as the selection target of the network threat detection sensor cluster head, and build a network threat detection sensor management system. When the network threat detection sensor enters the target network, check whether the host machine meets the server characteristics, such as Whether to open ports 80 and 25. If satisfied, it will be marked as a cluster head node, otherwise it will be an ordinary node; if an ordinary node finds no cluster head node during the survival process of the network threat detection sensor, when subsequently maintaining its own networking characteristic table, If it is found that there is a cluster head network threat detection sensor in the same IP network segment, the cluster head node with the highest ranking will be actively identified as the cluster head node; Port reuse is used to transmit internal communication information between adaptive networking loads of network threat detection sensors, including: During the construction and maintenance of the network threat detection sensor resource management system, the internal communication between the cluster head node and the ordinary node adaptive networking load, including the reporting of the networking policy table and task allocation information, all need to be communicated with the host network. Port multiplexing technology matching behavioral characteristics for transmission; Improve network threat detection sensor resource management and optimize network threat detection sensor resource management group decomposition algorithm and routing selection algorithm, including: When the network threat detection sensor resources owned by the management node reach the quantity threshold, the network threat detection sensor resource decomposition process is started: The management node selects the backup management node as the new management node. The new management node selects the appropriate node from the original management node as the management resource. The management node removes the new management node and the network threat detection sensor managed by the new management node from the management resources. resource; The management nodes and new management nodes supplement the backup management nodes according to the cluster head selection algorithm. The management nodes notify their affiliated nodes to update the backup management node information. All cluster heads and backup cluster heads are server nodes in the target network; Build optimized network threat detection sensor task clusters, including active task cluster construction and passive task cluster construction; When network threat detection sensor resources are insufficient, apply for network threat detection sensor resources from the cluster head or other network threat detection sensor resource management groups; During the construction process of the network threat detection sensor task cluster, the cluster head host for which the resources are applied has the maximum network threat detection sensor resources. When the network threat detection sensor resources are insufficient, you need to apply for network threat detection sensor resources; The active task cluster construction supports the network threat detection sensor A. It selects and notifies the appropriate network threat detection sensor from the network threat detection sensor resources it belongs to to build a task cluster, and creates a task cluster table; according to each network threat detection sensor Feedback on completed tasks dynamically adjusts network threat detection sensor resources in task clusters; If a network threat detection sensor cannot perform a task or fails to perform a task, the network threat detection sensor is dynamically exited from the task cluster table, and at the same time, a suitable network threat detection sensor is selected from the remaining network threat detection sensors and dynamically added to the task cluster table. ; If during the construction of the task cluster, the resources of network threat detection sensor A cannot meet the needs of the task, it will apply for resources from other network threat detection sensor resource management groups; when network threat detection sensor A completes the task cluster, each node in the cluster will give feedback. If the task is completed, destroy the task cluster; If there are sufficient network threat detection sensor resources in the network threat detection sensor resources to which network threat detection sensor A belongs, directly select and notify the appropriate network threat detection sensor to build a task cluster, and create a task cluster table; Otherwise, network threat detection sensor A applies to its cluster head for network threat detection sensor resources. The cluster head returns the network threat detection sensor resources that meet the task conditions to network threat detection sensor A, and then network threat detection sensor A notifies the selected network. Threat detection sensors build task clusters and create task cluster tables; Network threat detection sensor A dynamically adjusts the network threat detection sensor resources in the task cluster based on the feedback of each network threat detection sensor completing the task; If a network threat detection sensor cannot perform the task or fails to perform the task, the network threat detection sensor will be dynamically exited from the task cluster table, and at the same time, a suitable network threat detection sensor will be selected from the remaining network threat detection sensors and dynamically added to the task cluster table. The passive task cluster construction support; Passive task cluster management relies on tasks that are not generated by themselves, but are issued by superior nodes. This is called central task cluster management, which also includes the generation of task clusters, the merging of clusters, and the destruction of clusters; The generation, merging and destruction of passive task group clusters are all managed by the cluster head.