1 Introduction

One of the primary latent risks in a network is the cyber-attack on the network data interaction layer in the form of edge computing. This is due to the large amount of real-time state acquisition data, user privacy information and control command data present in an edge computing network. These data play a decisive role in user privacy protection and system decision control [1]. In addition, an edge computing network can perform real-time monitoring and control services on the edge of the critical infrastructure, with strict requirements on the performance of real-time data transmission [2, 3]. Considering data security interactions in an edge computing network, it is important to suppress attacks and execute evasive responses before a network attack causes damage [1, 4, 5]. Therefore, edge computing networks urgently require active defense during data transmission.

However, current network attack methods (CNAMs) such as the advanced persistent threat (APT) are concealed, and their attack principles are complex. Attack monitoring and passive blocking technologies based on traditional misuse detection have been unable to cope with such attacks [6]. For this reason, active defense faces challenges. Fortunately, the self-organizing nature of edge computing networks provides a foundation for active defense of data interaction [7, 8]. In an uncertain and dynamic network environment, the attacker lacks sufficient time to effectively probe the communication path. Dynamically transforming the data transmission network through edge computing constructs such an environment. This reduces the effectiveness of the information collected by an attacker prior to the attack, and the information collected during the attack will be outdated and invalid. It increases the cost and complexity of the attacker's information collection and detection. The probability of data being attacked can also be reduced.

The active defense technology based on a moving network can solve the current defense problem of data transmission attacks to some extent and increase the costs of cyber-attacks. However, previous technologies do not consider a moving adjustment in the case of reduced network connectivity and link quality caused by an attack [9]. Thus, the defense strategy of a moving adjustment algorithm requires further optimization and improvement.

Therefore, this paper proposes an active defense model for data interaction processes in edge computing based on a network topology mimic correlation. The main contributions are summarized as follows. Figure 1 shows the framework of our research.

Fig. 1 Framework of active attack defense technology for edge computing network data interactions

(1) The model is achieved by pseudo-randomly constructing a moving communication path alliance under the premise of ensuring service quality. Here, the network topology mimicking association technology is used to simulate the construction of a dynamic multipath communication alliance to prevent network attacks.

(2) This method integrates the network security state and transmission reliability prediction to actively evade network attacks. The model includes the edge-aware node, the edge computing terminal node, and the primary station system. It uses a negotiated moving multipath communication alliance to secure data communication. A network attacker cannot determine the real communication path in the alliance which increases attack costs [9, 10]; thus, it is difficult to implement an effective attack.

(3) In concurrent multipath communication, the network attacker cannot obtain complete transmission data or control instructions [11, 12]. Thus, network security incidents such as data leakage and command tampering in an edge computing network can be avoided in advance.

(4) In addition, this method also ensures data transfer efficiency.

The rest of this paper is organized as follows: Section 2 discusses relevant studies on moving network technology in mimicry defense. Section 3 gives some relevant definitions and the overall model framework and design for network topology mimic association protocols. In Section 4, this paper describes a mimic transformation method of communication path alliance based on moving threshold anomaly detection. In Section 5, a mimic transformation method utilizing a mimic topology correlation graph based on a network security state prediction is proposed. Section 6 analyzes the security of the model and verifies the performance through experiments. Section 7 summarizes the contents of this paper.

2 Related works

In recent years, the moving target defense (MTD) proposed by the US Science and Technology Commission has attracted much attention as a new cybersecurity mimicry defense technology [13]. Moving network technology, as one of the most critical technologies for MTD at the network layer, has a promising application prospect in active defense.

A suitable communication path transformation strategy is crucial for implementation in moving networks. The communication path transformation strategy is used to generate a network management configuration of nodes that are used during the subsequent adjustment period. The randomness of the configuration increases the difficulty for the attacker in predicting the network management configuration.

Recently, the pseudorandom approach has been extended to address the transformation strategy of moving networks. Some earlier methods cope with the randomness of attacks through a random port mechanism. Atighetchi et al. [14] proposed a virtual port address association scheme for the client association proxy and a network address translation gateway to fill fake random addresses and ports into the corresponding fields of the data packet. Then, the data stream is redirected to defend against the attack. Once an “expired” node network management configuration is used, the possibility of detection will increase. Badishi et al. [15] developed a random port association mechanism termed random port hopping (RPH). Antonatos et al. [16] established a method for randomizing the network address space based on a transparent address association, which performs a header address translation of data stream packets. This approach maintains the novelty of the address translation table and prevents connection requests outside the service period. Jafarian et al. [17] proposed an OpenFlow random host mutation (35) based on OpenFlow. The authors used OpenFlow to transparently change the IP address of the host to ensure the consistency of the host configuration. These methods perform well, but only in static networks.

To address the limited hopping space in IPv4 and the fixed hopping period, Dunlop et al. [13, 18] proposed an IPv6-based moving target defense mechanism (MT6D). To enlarge the hopping space, the IPv6 address space is adopted. In addition, MT6D uses a pseudo-random number to set the hopping period so as to improve the randomness. In 2014, Jafarian et al. [19] associated a host IP address with an address block with a short lifetime. The authors proposed a random association method based on the time and space domains to block, spoof and detect attackers.

Building on these, other works aim to prevent the leakage of MAC addresses. In 2015, MacFarland et al. [20] hid the link, IP, and port numbers of endpoints by setting up a DNS hopping controller so as to prevent the leakage of MAC addresses. In 2016, Skowyra et al. [21] proposed a network identity elimination mechanism called PHARE. It prevents MAC address leakage by randomly transforming the header when packets flow out of the endpoint. Moreover, Sun et al. [22] proposed Decoy-Enhanced Seamless IP Randomization (DESIR) to increase the unpredictability. When unauthenticated nodes access the platform, DESIR uses honeypots to observe their behavior. To prevent service interruption, DESIR separates the network identifier and transmission identifier of an endpoint when it migrates services, thus ensuring the continuity of service provision by reserving the transmission identifier. Pseudorandom functions in moving networks provide higher security; however, the node network management configurations may collide, in which case scalability is not desirable.

At present, these studies pay attention to the privacy protection and secure transmission of edge computing data. This is generally implemented by password technology and secure transmission protocols. However, most of the studies do not take the real-time requirements of data transmission in edge computing networks into account, so it is difficult to apply them to the real-time secure interaction of edge computing data. In addition, the existing works do not consider the impact on data transmission efficiency in the case of a network attack. Thus, these methods cannot adaptively adjust the data transmission scheme according to the degree of damage to ensure the transmission efficiency. Therefore, the existing secure transmission technology generally belongs to passive defense technology. It cannot actively circumvent or actively suppress network attack behavior, and the security of the edge computing network cannot be guaranteed.

In general, the implementation of the current moving network technology is simple, but there are several shortcomings: 1) In the existing literature, moving network adjustment strategies primarily focus on static and fixed methods. These approaches cannot be adaptively adjusted in combination with the current network security status. 2) The moving network adjustment strategy needs to compress or amplify the state space of the available node network management configuration. However, current methods with a pseudorandom function have a single control factor, and the generated space of the node network management configuration is difficult to control accurately. Thus, the scalability of the algorithm is weak.

Based on these existing problems, this paper proposes a moving network active defense technology based on network topology mimic association. The proposed method focuses on the high security and real-time requirements of data interaction in an edge computing network. For the security threat from unknown vulnerabilities and backdoors, Wu [23] proposed the idea of “cyber mimic defense” based on the principle of uncertainty. The main idea of mimic defense is to reduce the certainty, static nature and isomorphism of the vulnerability points in the network. This increases the difficulty of the attack, and the attacker does not have enough time to probe the target network. Here, the network topology mimic association technology is proposed to improve the active defense efficiency in real-time dynamic data interaction.

3 Secure transmission model based on network topology mimic

3.1 Definition

In this section, the whole edge computing network data interaction model is designed as a three-layer network. The first layer is the sensor node layer consisting of sensing devices. The second layer is the terminal node layer composed of terminals in edge computing. The third layer is the central station. A schematic of the system is shown in Fig. 2. The sensor node directly accesses the edge computing terminal node through a wireless network. The edge computing terminal communicates with the primary station system layer through a wireless or wired network. The edge computing terminal nodes can also communicate with each other. The primary station system layer acts as the control layer for the entire network.

Fig. 2 Abstract model of the edge access network

Definition 1:

Weighted directed acyclic graph of the edge computing network \( G=(V,E,W) \). \( V=(v_1,v_2,\dots,v_n) \) represents the set of nodes \( v_i \) (\( v_i\in V \)). \( E=(e_1,e_2,\dots,e_n) \) indicates the set of communication paths between nodes, \( e_{ij}=\langle v_i,v_j\rangle \) (\( e_{ij}\in E \)). \( W=(w_1,w_2,\dots,w_n) \) indicates the set of weights on the edge \( e_{ij} \). \( w_{ij} \) is assigned based on the reliability of the communication path on the edge \( e_{ij}=\langle v_i,v_j\rangle \) (\( e_{ij}\in E \)).

Definition 2:

Node \( v_i=\{id_i, ip_i, pt_i, \mu_i, ns_i, nd_i, nn_i, p_{lower_i}\} \), where \( id_i \) is a unique identifier of the node, which can be assigned based on the node type (perceived node, edge computing terminal node). \( ip_i \) is the IP address of node \( v_i \). \( pt_i \) is the set of available ports for the node. The port is the address of the layer interaction between the various protocol processes and the transport entity in the application layer. The available range is 0 to 65,535; aside from the first 1024 well-known ports, there remain 64,512 available ports. \( \mu_i \) is an application layer protocol set supported by node \( v_i \). For example, in a smart power network, the protocols used for communication between sensor node and data interaction primarily include application layer protocols such as the IEC 60870-5-101/104 and 62351 protocols. \( ns_i \) is the collection of source nodes for node \( v_i \), and the value of the sensor node is null. \( nd_i \) is the set of the next hop node of \( v_i \). \( nn_i \) is the neighbor node of \( v_i \), and its value of the sensor node is null. \( p_{lower_i} \) is the minimum requirement for node communication reliability.

Each sensor node in the edge computing network assigns its own attribute information when the system is initialized. Adjacent edge computing terminal nodes interact with each other. Each sensor node records an edge computing terminal node whose signal can be monitored. A sensor node can be subordinate to multiple edge computing terminal nodes. The terminal routing table records ipi of the edge computing terminal node and the corresponding path node queue of visiting the primary station system. The edge computing terminal node records the addresses of all dependent sensor nodes and simultaneously maintains a network neighbor node table at the same layer. In addition, like the sensor nodes, the edge computing terminal nodes need to maintain each dependent sensor node’s path node space queue of the network topology mimic association communication. The primary station system layer constructs a network topology weighted directed graph after obtaining all of the network data.

In this paper, the network topology mimicking association technology is used to simulate the construction of a dynamic multipath communication alliance to prevent network attacks. When the network topology is found to be changed, all nodes exchange information by means of distributed propulsion. Moreover, the sensor node retains the IP addresses of the other edge computing terminal nodes that can be accessed. At the same time, when an abnormality or attack is detected in the network, the edge computing terminal node instructs the sensor node to change the communication path. When a new sensor node joins the subnet, only the members of the sensor node are added while the subnet remains, and the relevant information is directed to the primary station system.

The topology-directed acyclic graph based on the edge computing network consists of multiple subgraphs. Each subgraph consists of a sensor node, all accessible paths between the serving node of the primary station and the associated edge computing terminal nodes. There is only one initial node in each subgraph and one termination node, i.e., the sensor node and the primary station serving node, respectively. In the initialization phase of the network topology mimic association system, the primary station service node generates a space queue of network topology mimic association node for the sensor node according to the subgraph. However, the edge computing network is affected by network attacks. Thus, it needs to dynamically cut off edge computing terminal nodes that are in an abnormal state and add edge computing terminal nodes that are restored to normal. Therefore, not all edge computing terminal nodes or edges in the subgraph can meet the requirements. It is necessary to adaptively filter the available paths that meet the reliability requirements. Then, a network topology mimic association graph can be constructed.

Definition 3:

Network topology mimic association graph Si(t) = {sk(t)| 1 ≤ k ≤ m}. Si represents a sequence of nonintersecting paths whose reliability meets the requirement from the primary station serving node to the sensor node vi at time t. m indicates the number of available nonintersecting paths.

An example of the network topology mimic association graph is shown in Fig. 3. In Fig. 3, there are three available nonintersecting paths connecting the primary station serving node and the sensor node. Each path is selected according to the reliable principle. This graph changes with time t.

Fig. 3 Network topology mimic association graph

Definition 4:

Nonintersecting communication path sk(t) = {(Sipk, Sptk, k, Snsk, Sndk)T| 1 ≤ k ≤ m}. If and only if two acyclic communication paths s1 and s2 share sensor node and the primary station serving node but do not share edge computing terminal nodes, they are considered as nonintersecting communication paths. The IP sequence of the path node is represented as Sipk = {sip1, sip2, ⋯sipn}. The available communication port sequence is Sptk = {spt1, spt2, ⋯sptn}. The available communication protocol sequence is k = {1, 2n}. The source address sequence is indicated as Snsk = {Sns1, Sns2, ⋯Snsn}. The destination address sequence is Sndk = {Snd1, Snd2, ⋯Sndn}. Here, n is the number of edge computing terminal nodes in k nonintersecting paths.

The dynamic communication path alliance is essential to realizing network topology mimic correlation technology. This alliance is determined by the sensor node and the primary station service node according to the network topology mimic association graph and the network security situation. To ensure secure communication, the legitimate communication parties can obtain the necessary information for reorganizing the original data stream at the correct time and on the correct network topology mimic graph.

Definition 5:

Moving communication path alliance \( GS_i \). This alliance is a seven-tuple, i.e., \( G{S}_i(t)=\left({S}_i,{\varPhi}_{i1},{\varPhi}_{i2},{C}_i,{\mathfrak{R}}_i,{T}_S^i,{T}_{GS}^i\right) \). \( S_i \) is the network topology mimic graph. \( \varPhi_{i1} \) indicates a random number for selecting the number of the dynamic communication path. \( \varPhi_{i2} \) represents a random sequence of nonintersecting communication path mapping numbers. \( C_i \) is the association condition. \( {\mathfrak{R}}_i \) is the network topology mimic association transfer relationship. \( {T}_S^i \) is the survival time slot of the network topology mimic association graph. \( {T}_{GS}^i \) is the survival time slot of the moving communication path alliance.

Φi1 ≤ m is generated by a pseudorandom function and is used to determine the number of dynamic communication paths.

\( {\varPhi}_{i2}=\left({r}_i^1,{r}_i^2,\cdots, {r}_i^{\varPhi_{i1}}\right) \) is a nonintersecting path mapping random number sequence and is also generated by a pseudorandom function. It gives a sequence of dynamic communication path alliance in a nonintersecting path. The association and communication process between two parties depends on Φi2. The pseudorandom number sequence ensures the randomness of the network topology mimic association negotiation generation and reduces the ability of an attacker to detect the communication path.

C indicates generation conditions for the network topology mimic association negotiation, such as the established negotiation time or a new association negotiation request. C = (c1, c2, ⋯, cp) indicates different trigger conditions.

\( \mathfrak{R}:{S}_i\left({t}_j\right)\overset{\kern1em {c}_i\kern1em }{\to }{S}_i\left({t}_{j+1}\right) \) indicates the network topology node configuration process adopted when the communication state changes from \( S_i(t_j) \) to \( S_i(t_{j+1}) \) when the condition for the network topology mimic association is C.

\( {T}_S^i \) is the survival time slot of the network topology mimic association graph. The network topology mimic association graph is replaced at every interval of \( {T}_S^i \), where the number of handovers is indicated as i.

\( {T}_{GS}^i \) is the dynamic communication path alliance survival time slot. The communication path is updated every interval of \( {T}_{GS}^i \), where the number of switching steps is indicated as i.

Definition 6:

Moving communication path alliance node association configuration Ωi(t). This term indicates the configuration of the association factors such as the port and protocol of the edge computing terminal node in the communication path at time t. Ωi(t) is defined as Ωi(t) = ΦGS(t) × (Spt(t) × (t)). It means the network configuration of k edge computing terminal nodes at communication path i. Sptk represents the available port of nodes in the moving communication path alliance. k is the available protocol. \( {\varPhi}_{GS}=\left\{{\left({\varPhi}_{GS}^{S pt},{\varPhi}_{GS}^{S\mu}\right)}^T\right\} \) indicates sequences of random data. \( {\varPhi}_{GS}^{Spt}=\left\{{r}_1^1,{r}_1^2,\cdots, {r}_1^k\right\} \). \( {\varPhi}_{GS}^{S\mu}=\left\{{r}_2^1,{r}_2^2,\cdots, {r}_2^k\right\} \). Here, r is the function for random data, randi(seedi), i = 1, 2.

Ω presents two scalability advantages for the entire system. On the one hand, when it needs to reduce the overhead of the topological linkage of the entire system and dynamic adjustment, the communication path parameters may not have to be updated except for Ω. On the other hand, when the network status of the system is not safe, the dynamic update of Ω will further improve the security of the network topology mimic association. Compared with the pseudorandom function, the network topology mimic association proposed in this paper is more scalable. For example, this association supports both IPv4 and IPv6 and other related factors. At the same time, this approach ensures that the association strategy is controllable and avoids collisions in the node network configuration.

The summary of definitions for main variables is shown in Table 1.

Table 1 Definitions of main symbols

3.2 Framework

The proposed model deploys the network topology mimicking association agent in the primary station system and the sensor node. The structure of the model is shown in Fig. 4.

  • The network topology mimicking association agent module is the core. This module controls other modules and available associated communication nodes. It coordinates the communication path between the sensor node and the primary station service node. This module generates a moving communication path alliance.

  • After the sensor node and the primary station server node negotiate the network topology mimic association graph, the time synchronization module is used to calibrate the local clock and to enter the network topology mimic association communication mode.

  • The traffic distribution module allocates traffic according to the established communication path. Data sent by legal sensor nodes are transmitted to the proxy control module through the currently active communication path. Then, the data are sent to the primary station service node by the traffic reorganization module. The server's response is likewise returned to the client through the traffic distribution module and the active path node.

  • The delay processing and anomaly detection modules sample the network data stream to evaluate network anomalies and delays. The associated agent control module dynamically changes the mimic association graph configuration of the network topology and the moving communication path alliance according to the evaluation results by using a self-tuning strategy.

  • The intrusion detection module detects intrusion based on the redundancy voting mechanism of the mimicry defense model for the edge computing terminal. By comparing the execution results of the heterogeneous redundant execution body, result deviations and network intrusion behavior can be identified.

  • The moving communication path alliance and the network topology mimic association graph in the network topology mimic association model change by using an adaptive strategy. This action increases the diversity and randomness of transmission throughout the entire edge computing network and increases the defense strength. In addition, only the available edge computing terminal nodes in the active period can be activated at any time. Each available edge computing terminal node is allocated a node association configuration for the communication path, which will further reduce the possibility that the system communication process will suffer from a network attack.

Fig. 4 Model of active defense for edge computing network data interaction

The primary purpose of network security defense is to pursue higher defense gains under the premise of ensuring network service efficiency. It is to offset higher attack losses with lower protection costs. During data transmission in an edge computing network, the protection cost primarily arises from the network service reliability based on the network topology mimic association graph and the moving communication path alliance adjustment forced by a network attack [24]. In severe cases, an attack will affect regular access and data transmission of the sensor node. Service reliability impairment refers to a reduction in system performance such as data transmission efficiency and computing power, as well as the time cost of system switching. The survival time slot primarily determines the adjustment of the network topology mimic graph and the moving communication path alliance. The service reliability impairment increases as the survival time slot decreases. When the network is not abnormal due to an attack and the survival time slot is infinite, system service reliability impairment due to network topology mimic correlation is minimal. However, if the survival time slot is too long, attackers will have sufficient time to scan and detect the target system before launching an attack. The attackers could accurately and effectively execute a follow-up attack or a semi-blind attack, and the defense revenue of the system would decrease. In contrast, a high-frequency dynamic adjustment would lead to a greater service reliability impairment, which may also result in reduced defense revenue [11, 25]. 

Therefore, it is necessary to establish a reasonable active adjustment strategy for the network moving communication path alliance \( G{S}_i(t)=\left({S}_i,{\varPhi}_{i1},{\varPhi}_{i2},{C}_i,{\mathfrak{R}}_i,{T}_S^i,{T}_{GS}^i\right) \), the network topology mimic association graph \( S_i(t)=\{s_k(t)\mid 1\le k\le m\} \) and the corresponding survival time slots \( {S}_n^{-}\left(t+1\right) \), \( {S}_m^{+}\left(t+1\right) \) as shown in Fig. 5.

Fig. 5 Survival time slots for the network topology mimetic association graph and moving communication path alliance

3.3 Process of network topology mimic secure transmission

This section designs the network topology mimic association protocol flow. In this step, the server and the client determine the network topology weighted directed graph by negotiation and generate the corresponding network topology mimic association graph. Then, the client pseudo-randomly selects the communication path alliance. The communication parties are allowed to establish independent transport layer connections on multiple dynamic communication paths. In this manner, they can communicate safely according to the established communication path. This process is shown in Fig. 6.

Fig. 6 Network topology mimetic association protocol

Step 1: When a sensor node that supports the network topology mimic association accesses the edge access network for the first time and prepares to communicate with the primary station system, direct access is denied, because the edge computing terminal node has not yet turned on the related access control for data transmission. The sensor node can access only quarantine authentication domain A for identity authentication and trust evaluation. Once the node authentication and trust evaluation are successful, the edge computing terminal node opens the network access port of the primary station service node.

Step 2: The sensor node sends the regular request message Req{IDc, Ipc, ReqID, plower, mark, T1} to the primary station node. IDc is the identity of the sensor node. Ipc is the IP address of the sensor node. ReqID is the corresponding unique ID of each Req message. plower is the minimum reliability requirement. mark is the support flag of the network topology mimic association. T1 is the time.

Step 3: The primary station service node records the time T2 at which the message Req is received. If the server does not support the network topology mimic association, the message can be ignored. If the association is supported, the primary station service node switches to the network topology mimic association negotiation mode.

Step 4: The primary station service node initiates a deep search algorithm to find an available path that satisfies \( p_{lower} \) between the sensor nodes. Then, a network topology weighted directed graph is generated. \( p_{i,j} \) denotes the path reliability between the connecting nodes i and j. \( {p}_{s,t}^k \) denotes the path reliability of the kth path between the primary station serving node s and the sensor node t at time t. In this case, \( {p}_{s,t}^k={\prod}_{\left(i,j\right)\in k}{p}_{i,j} \), and \( {p}_{s,t}^k \) should be greater than \( p_{lower} \).

Step 5: The primary station service node generates a corresponding network topology mimic association graph Si = {sk| 1 ≤ k ≤ m} based on the network topology weighted directed graph. Next, a response message Rsp{IDs, Si, T3} is sent to the sensor node, including the server identity IDs, the network topology mimicking association graph Si, and the response packet sending timestamp T3.

Step 6: The sensor node records the time T4 at which the message Rsp{IDs, Si, T3} is received. At the same time, the sensor node generates Φi1, Φi2, ΦGS by a random function to determine the network topology mimicking dynamic communication path alliance GSi(t) and the communication path node association network configuration space Ωi(t).

Step 7: The sensor node sends a response message Rsp{IDc, Φi1, Φi2, ΦGS, T5} to the primary station serving node.

Step 8: The primary station serving node receives the packet Rsp{IDc, Φi1, Φi2, ΦGS, T5} and records the time at which the packet is received as T6. Then, a corresponding ACL is sent to notify all edge computing terminal nodes on the communication path with Ipc and Ωi(t) together.

Step 9: The primary station service node calculates the time drift θ = (T2 − T1 + T3 − T4 + T6 − T5)/2 according to the timestamps T1, T2, T3, T4, T5, T6 and sends θ to the sensor node.

Step 10: The primary station service node adjusts the local time according to the time drift θ by synchronization correction. The sensor node and primary station node implement secure communication according to the established dynamic communication path alliance.

Step 11: When any life cycle of the network topology mimic association, \( {T}_S^i \) or \( {T}_{GS}^i \), ends normally or abnormally at the end of the network attack, the network topology mimic association is re-updated.
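
Steps 4 to 6 as an added Python example, not code from the paper: a depth-first search over a constructed weighted graph builds the mimic association graph Si (paths with reliability above plower that share no edge computing terminal node), then Φi1 and Φi2 are drawn for one alliance survival slot. The topology, the greedy disjoint-path choice, and the HMAC-SHA256 derivation from a shared key and slot counter are assumptions; the paper only states that a pseudorandom function is used.

```python
import hashlib
import hmac

# Constructed topology (not from the paper): directed link (u, v) -> reliability p_ij.
# "sensor" is the sensor node, "station" the primary station serving node,
# e1..e6 are edge computing terminal nodes.
EDGES = {
    ("sensor", "e1"): 0.99, ("e1", "e2"): 0.98, ("e2", "station"): 0.99,
    ("e1", "e3"): 0.99,
    ("sensor", "e3"): 0.97, ("e3", "station"): 0.96,
    ("sensor", "e4"): 0.90, ("e4", "station"): 0.85,
    ("sensor", "e5"): 0.99, ("e5", "e6"): 0.99, ("e6", "station"): 0.97,
}


def enumerate_paths(edges, src, dst):
    """Step 4: depth-first search; yields (path, product of link reliabilities)."""
    adj = {}
    for (u, v), p in edges.items():
        adj.setdefault(u, []).append((v, p))
    stack = [(src, [src], 1.0)]
    while stack:
        node, path, rel = stack.pop()
        if node == dst:
            yield path, rel
            continue
        for nxt, p in adj.get(node, []):
            if nxt not in path:  # defensive: never revisit a node
                stack.append((nxt, path + [nxt], rel * p))


def mimic_association_graph(edges, src, dst, p_lower):
    """Step 5: S_i = paths with reliability > p_lower sharing no terminal node.

    Greedy, most reliable first (an assumption; it is not guaranteed to find
    the largest possible set of nonintersecting paths).
    """
    candidates = sorted(
        (c for c in enumerate_paths(edges, src, dst) if c[1] > p_lower),
        key=lambda c: (-c[1], c[0]),
    )
    used, chosen = set(), []
    for path, rel in candidates:
        inner = set(path[1:-1])  # edge computing terminal nodes on the path
        if inner and inner.isdisjoint(used):
            used |= inner
            chosen.append((path, rel))
    return chosen


def prf_int(key, label):
    """Assumed PRF: HMAC-SHA256(key, label) read as a 256-bit integer."""
    return int.from_bytes(hmac.new(key, label, hashlib.sha256).digest(), "big")


def select_alliance(graph, key, slot):
    """Step 6: derive Phi_i1 and Phi_i2 for one T_GS slot.

    Phi_i1 in 1..m is the number of active paths; Phi_i2 is the ordered list
    of path indices, taken from a keyed Fisher-Yates shuffle of 0..m-1.
    """
    m = len(graph)
    if m == 0:
        raise ValueError("no path satisfies p_lower; S_i must be renegotiated")
    label = b"GS|" + slot.to_bytes(8, "big")
    phi1 = 1 + prf_int(key, label + b"|phi1") % m
    idx = list(range(m))
    for i in range(m - 1, 0, -1):
        j = prf_int(key, label + b"|phi2|" + i.to_bytes(4, "big")) % (i + 1)
        idx[i], idx[j] = idx[j], idx[i]
    phi2 = idx[:phi1]
    return phi1, phi2, [graph[k][0] for k in phi2]


if __name__ == "__main__":
    graph = mimic_association_graph(EDGES, "sensor", "station", p_lower=0.9)
    for path, rel in graph:
        print(f"{rel:.4f}  {' -> '.join(path)}")
    key = b"constructed-demo-key"  # placeholder, not a real secret
    for slot in range(4):  # successive T_GS slots select new alliances
        print(slot, *select_alliance(graph, key, slot))
```

The path through e4 is dropped because its reliability falls below plower, and the path through e1 and e3 is dropped because it shares e1 with a more reliable path.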

4 Communication path alliance mimic transformation method

During data transmission in the edge computing network, if the abnormality detection module changes the moving communication path alliance in the network topology mimic association graph whenever a network attack is detected, the moving communication path alliance switching frequency and the network topology mimic association switching frequency will increase dramatically. This will lead to a decline in network communication efficiency. Cyber-attacks necessitate a process of scanning, lifting, destroying, and so on. Before some of the preliminary steps are completed, the attack does not pose a real threat to the entire system, but it does cause network anomalies to a certain degree [26, 27]. Therefore, in this section, the communication path is adjusted based on a network anomaly metric. When the network anomaly metric exceeds a certain threshold, the moving communication path will be adjusted automatically.

4.1 Network anomaly detection based on information entropy

Many scholars have reported research on measures that can be used for network anomaly metrics. When network traffic is abnormal, changes arise in the distribution of features such as IP addresses and port numbers. However, it is difficult to describe the changes in flow characteristic distributions caused by a network anomaly. In 1948, Shannon first introduced the concept of entropy to information theory and proposed the concept of information entropy. Entropy is an essential concept for measuring the variation of a system parameter distribution and can be used to describe the distribution of network traffic with respect to specific characteristic parameters [26, 27]. When the distribution of the characteristic parameters is more dispersed, the entropy value is larger, and vice versa. Shannon entropy is suitable for describing a system with a normal distribution, while network traffic characteristics present a non-Gaussian distribution. For the network topology mimic association algorithm, the primary station service node \( {T}_{GS}^i \) receives a legal data packet in the association period and should match the network configuration of the communication path GSi. However, in the case of a network attack, the attack packet prevents the network traffic from matching the network configuration of the communication path GSi, which will cause some network traffic characteristics to have an abnormal probability distribution. To this end, this paper introduces the Tsallis entropy to analyze the unusual characteristics of network traffic. Tsallis entropy is Shannon entropy with a full parameter, which is defined as follows:

$$ {S}_q(X)=\frac{1}{q-1}\left(1-{\sum}_{i=1}^n{\left({p}_i\right)}^q\right) $$
(1)

\( {p}_i=\frac{a_i}{S} \) indicates the probability of occurrence of an event ai. ai denotes the number of occurrences of feature elements (such as source IP, destination IP, source port, destination port, etc.) during the observation time, where \( {\sum}_{i=1}^n\frac{a_i}{S}=1 \). q is an extensive parameter and plays an important role in the statistical analysis of Tsallis entropy. The degree of offset of q from 1 represents the degree of non-extensiveness of the entropy function. The value of q affects the contribution of event ai to Sq. When q > 1, a large-probability event makes a large contribution. When q < 1, a small-probability event makes a large contribution. If q → 1, the Tsallis entropy is consistent with the Shannon entropy.

To accurately measure changes in the security state of the communication path and identify network anomalies, q is varied with a step size of 0.5, taking 9 values from [−2, 2]. Thus, the distribution state of the characteristic parameter at time t can be expressed as St, f = {Sq1, Sq2, ⋯, Sq9}. In this way, the characteristic distribution state of each feature element in the life cycle of the network topology mimic associated communication path is judged by nine different Tsallis entropy values. Specifically, no adjustment value is needed for different abnormalities.

In network topology mimic correlation technology, the anomaly detection module collects network traffic over the sampling analysis period \( t={T}_{GS}^i \) for analysis. The characteristic parameters are extracted from the packet header, such as the source/destination IP address, source/destination port and so on. The Tsallis entropy value corresponding to each characteristic parameter at time t is calculated separately, and each Tsallis entropy value is normalized as follows:

$$ {S}_{t, sip}^{\prime }=\left\{{s}_{q1}^{\prime },{s}_{q2}^{\prime },\cdots {s}_{q9}^{\prime}\right\}; $$
(2)
$$ {S}_{t, dip}^{\prime }=\left\{{s}_{q1}^{\prime },{s}_{q2}^{\prime },\cdots {s}_{q9}^{\prime}\right\}; $$
(3)
$$ {S}_{t, spt}^{\prime }=\left\{{s}_{q1}^{\prime },{s}_{q2}^{\prime },\cdots {s}_{q9}^{\prime}\right\}; $$
(4)
$$ {S}_{t, dpt}^{\prime }=\left\{{s}_{q1}^{\prime },{s}_{q2}^{\prime },\cdots {s}_{q9}^{\prime}\right\}; $$
(5)

The nine different Tsallis entropy values of the different feature parameters are used to determine whether an abnormality has occurred. This is judged by comparing the difference between Dt, f and Dt − 1, f. In this paper, Renyi cross-entropy is used to measure the difference between two probability distributions [16]. When no anomalies occur, the cross-entropy tends to zero. When an anomaly occurs, the cross-entropy will change abruptly.

For simplicity, take the characteristic distribution of the source address as an example. Suppose that the anomaly detection module samples and counts data packets for two adjacent time periods to obtain a set of source address sampling data in the network traffic, sipt − 1 = {sip1, sip2, ⋯, sipn} and \( si{p}_t=\left\{ si{p}_1^{\prime }, si{p}_2^{\prime },\cdots, si{p}_n^{\prime}\right\} \). Thus, the Renyi cross-entropy between sipt − 1 and sipt is

$$ {I}_a\left( si{p}_{t-1}, si{p}_t\right)=\frac{1}{1-a}{\mathit{\log}}_2{\sum}_{i=1}^n\frac{{\left(p\left( si{p}_i\right)\right)}^a}{{\left(p\left( si{p}_i^{\prime}\right)\right)}^{a-1}} $$
(6)

When a = 0.5, the cross-entropy is symmetrical, that is, I0.5(sipt − 1, sipt) = I0.5(sipt, sipt − 1). The cross-entropy is then rewritten as

$$ {I}_{0.5}\left( si{p}_{t-1}, si{p}_t\right)=2{\mathit{\log}}_2{\sum}_{i=1}^n\sqrt{p\left( si{p}_i\right)p\left( si{p}_i^{\prime}\right)} $$
(7)

Then, the change in the probability distribution for each feature parameter f at time t can be obtained by calculating the Renyi cross-entropy It, f = I0.5(St − 1, f, St, f).

Therefore, the Renyi cross-entropy of the source/destination IP address and source/destination port at times t-1 and t are calculated respectively:

$$ {I}_{t, sip}\left({S}_{t-1, sip}^{\prime },{S}_{t, sip}^{\prime}\right), $$
(8)
$$ {I}_{t, dip}\left({S}_{t-1, dip}^{\prime },{S}_{t, dip}^{\prime}\right), $$
(9)
$$ {I}_{t, spt}\left({S}_{t-1, spt}^{\prime },{S}_{t, spt}^{\prime}\right), $$
(10)
$$ {I}_{t, dpt}\left({S}_{t-1, dpt}^{\prime },{S}_{t, dpt}^{\prime}\right) $$
(11)

An abnormality threshold δt, f is introduced. For edge computing networks, judging real-time changes in network traffic against a fixed threshold is unreasonable. Therefore, this paper proposes a method to set a dynamic threshold. \( {\bar{I}}_{t,f} \) is set as the cross-entropy mean value of f at time t and σt, f as the standard deviation of the cross-entropy of characteristic f at time t. Thus,

$$ {\delta}_{t,f}={\overline{I}}_{t,f}\pm {\sigma}_{t,f}=\frac{\sum_{t=t-a}^{t-1}{I}_{t,f}}{a}\pm \sqrt{\frac{1}{a-1}\left[{\sum}_{t=t-a}^{t-1}{\left({I}_{t,f}-{\overline{I}}_{t,f}\right)}^2\right]} $$
(12)

Here, a represents a data observation sliding window.
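The detection chain of Eqs. (1), (7) and (12), applied to the source-IP field, as an added example that is not code from the paper. It assumes that "normalized" means dividing the nine entropy values by their sum and that a window is abnormal when its score leaves the mean ± σ band; the function names, the window size a = 4 and the sample windows (documentation address ranges) are constructed for illustration.

```python
import math
from collections import Counter
from statistics import mean, stdev

# Nine q values from [-2, 2] with step 0.5, as in the text; q = 1 is one of them.
Q_VALUES = [-2 + 0.5 * k for k in range(9)]

def tsallis_entropy(counts, q):
    """Eq. (1) with p_i = a_i / S. At q = 1 the formula is 0/0, so the
    Shannon limit (natural log) is used instead."""
    total = sum(counts)
    probs = [c / total for c in counts if c > 0]
    if abs(q - 1.0) < 1e-12:
        return -sum(p * math.log(p) for p in probs)
    return (1.0 - sum(p ** q for p in probs)) / (q - 1.0)

def entropy_profile(values):
    """Normalized nine-value vector S'_{t,f} for one header field in one window.
    Assumption: 'normalized' means divided by the sum of the nine values."""
    counts = list(Counter(values).values())
    raw = [tsallis_entropy(counts, q) for q in Q_VALUES]
    total = sum(raw)
    if total <= 0:  # empty window or a single distinct value: no usable profile
        return [1.0 / len(raw)] * len(raw)
    return [s / total for s in raw]

def renyi_half(prev, cur):
    """Eq. (7): I_0.5 = 2 * log2(sum_i sqrt(p_i * p'_i)); 0 for identical inputs."""
    bc = min(1.0, sum(math.sqrt(a * b) for a, b in zip(prev, cur)))
    return 2.0 * math.log2(bc) if bc > 0 else float("-inf")

def dynamic_band(history, a):
    """Eq. (12): mean +/- sample standard deviation of the last a scores."""
    if a < 2 or len(history) < a:
        raise ValueError("need a >= 2 and at least a past scores")
    window = history[-a:]
    m, s = mean(window), stdev(window)
    return m - s, m + s

def detect(windows, a=4):
    """Score each window against its predecessor; flag scores outside the band.
    Assumption: 'abnormal' means I_t falls outside [mean - sigma, mean + sigma]."""
    profiles = [entropy_profile(w) for w in windows]
    scores, flagged = [], []
    for t in range(1, len(profiles)):
        i_t = renyi_half(profiles[t - 1], profiles[t])
        if len(scores) >= a:
            low, high = dynamic_band(scores, a)
            if not low <= i_t <= high:
                flagged.append(t)
        scores.append(i_t)  # scores[t - 1] belongs to window t
    return scores, flagged

def make_window(k, extra_sources=0):
    """Constructed sample: five regular senders with small jitter, plus
    extra_sources addresses that each appear once (a burst of new sources)."""
    counts = {"192.0.2.1": 40 + k % 3, "192.0.2.2": 30, "192.0.2.3": 15,
              "192.0.2.4": 10 + k % 2, "192.0.2.5": 5}
    packets = [ip for ip, c in counts.items() for _ in range(c)]
    packets += [f"198.51.100.{i}" for i in range(1, extra_sources + 1)]
    return packets

# Windows 0-7 and 9 are baseline traffic; window 8 carries 200 one-off sources.
SAMPLE_WINDOWS = ([make_window(k) for k in range(8)]
                  + [make_window(8, extra_sources=200)]
                  + [make_window(9)])

if __name__ == "__main__":
    scores, flagged = detect(SAMPLE_WINDOWS)
    for t, s in enumerate(scores, start=1):
        print(f"window {t}: I_0.5 = {s:.6f}{'  <- flagged' if t in flagged else ''}")
```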

4.2 Strategy for moving communication path alliance mimic transformation

The dynamic adjustment of the life cycle of the moving communication path alliance must meet the principle of “increase slowly and decrease rapidly”. That is, when no network abnormality is detected and the probability a network attack is small, the survival time of the moving communication path alliance of the next association cycle slowly increases [28, 29]. Moreover, as the duration of the non-attack state increases, the growth rate of the current moving communication path alliance should also increase to improve the quality of the communication service. When a network abnormality is detected and the probability of a network attack is substantial, the survival time slot of the active communication path alliance in the next period is rapidly reduced. As the abnormal state duration increases, the reduction range of the survival time slot of the active communication path alliance in the next cycle should also increase to ensure communication security.

Assume that \( {\sigma}_{t,f}^{\prime } \) is the standard deviation at time t and δ is the threshold for a network outlier. Based on expert experience, a function that meets the principle of “increase slowly and decrease rapidly” is chosen, i.e.

$$ g\left({\sigma}_{t,f}^{\prime}\right)=\left\{\begin{array}{ll}{g}_1\left({\sigma}_{t,f}^{\prime}\right), & 0<{\sigma}_{t,f}^{\prime}\le {\delta}^{\prime}\\ {g}_2\left({\sigma}_{t,f}^{\prime}\right), & {\sigma}_{t,f}^{\prime}>{\delta}^{\prime}\end{array}\right. $$
(13)

Here g1(δ) = g2(δ), \( {g_1}^{\prime}\left({\sigma}_{t,f}^{\prime}\right)<0 \), \( {g_2}^{\prime}\left({\sigma}_{t,f}^{\prime}\right)>0 \), and \( {g_1}^{\prime}\left(2{\delta}^{\prime }-{\sigma}_{t,f}^{\prime}\right)+{g_2}^{\prime}\left({\sigma}_{t,f}^{\prime}\right)>0 \). The active adjustment strategy is

$$ {T}_{GS}^{i+1}=\left\{\begin{array}{ll}\left(1+{g}_1\left({\sigma}_{t,f}^{\prime}\right)\right)\ast {T}_{GS}^i, & 0<{\sigma}_{t,f}^{\prime}\le {\delta}^{\prime}\\ \left(1-{g}_2\left({\sigma}_{t,f}^{\prime}\right)\right)\ast {T}_{GS}^i, & {\sigma}_{t,f}^{\prime}>{\delta}^{\prime}\end{array}\right. $$
(14)

5 Transformation method for the network topology mimic association graph

After the network topology weighted acyclic graph and the network topology mimic association graph are successfully generated, sensor nodes and primary station service nodes randomly select reliable paths and communicate securely over multiple paths. The network topology mimic association graph and the communication path negotiation confirmation mechanism increase the randomness of the communication path selection and ensure communication efficiency and security by satisfying the reliability requirements [21]. However, the state of the edge computing network changes dynamically. Some accessible paths that do not meet the reliability requirements are improved after the network attack is eliminated and then become available nonintersecting paths. Partially guided paths are subject to network attacks or other uncontrollable factors, which may not satisfy the reliability requirements. Therefore, both parties need to expand or compress the network topology mimic map space according to the established strategy.

When there is a given sequence of observed symbols, the hidden Markov model is suitable to predict the probability of occurrence of a new observed symbol sequence. The hidden Markov model is a stochastic process of the relationship between the observable variable O and the hidden variable S. It is very similar to the abnormal metric (hidden state) and the security state (observable state) of the security situation system [30, 31]. Therefore, the hidden Markov model is well suited to analyzing the network security situation.

Here, this section proposes a hidden Markov based reliability prediction model of network security to realize a network security reliability prediction based on network security anomaly metric data. Based on the security reliability prediction results, the proposed method expands or compresses the network topology mimic association graph and sets a reasonable survival time slot \( {T}_S^i \) for the network topology mimic association graph.

5.1 Network security state prediction based on the HMM

The HMM can be described by a quintuple λ = (N, M, π, A, B). In this quintuple, N indicates the number of possible hidden state values in the HMM, which can be recorded as IS = {ISi|1 ≤ i ≤ N}. Each hidden state value ISi corresponds to M observable states O, which is recorded as O = {Oi| 1 ≤ i ≤ M}. Here, π is a 1 × N-order initial probability distribution matrix, indicating the initial probability distribution of the hidden state q1 for each possible hidden state value for the observable sequence O at time t = 1, πi = P(q1 = ISi), 1 ≤ i ≤ N.

A = (aij)N × N is a hidden state probability transfer matrix for Markov chains. For a first order HMM,

$$ {a}_{ij}=P\left({q}_{t+1}=I{S}_j|{q}_t=I{S}_i\right),{\sum}_{j=1}^N{a}_{ij}=1, $$
$$ 1\le i\le N,1\le j\le N $$
(15)

B = (bim)N × M is a probability matrix of the observed indicators, and the observed probability is bim = P(Ot = vm|qt = ISi), 1 ≤ i ≤ N, 1 ≤ m ≤ M .

To predict the security reliability of all accessible paths in the network topology mimic graph, the method classifies the network security reliability hidden state levels into five categories: safe, mild, general, moderate, and high-risk, expressed as IS1, IS2, IS3, IS4, IS5 and assigned to 1, 2, 3, 4, and 5, respectively. Then, the reliability of each accessible path is transferred at a given probability in these five states. At the same time, the network security reliability of each path is defined by two observable indicators, the network transmission efficiency TE and network threat TH. The reliability is expressed as a random variable xi(1 ≤ i ≤ 2). The current security reliability of the entire network is measured from two different dimensions. Then, after time t, the observation sequence O = {o1, o2, ⋯, ot} is obtained from observation xi. To simplify the description, cyber threat prediction is introduced as an example to introduce the prediction algorithm.

First, the three parameters (π, A, B) must be obtained by means of sample training. Given that O is the sequence of observations for all training samples, the probability that the system is in a hidden state ISi at time t and in state ISj at time t + 1 is defined as follows.

$$ {\psi}_t\left(i,j\right)=P\left({q}_t=I{S}_i,{q}_{t+1}=I{S}_j|O,\lambda \right)=\frac{\zeta_t(i){a}_{ij}{b}_{j,t+1}{\omega}_{t+1}(j)}{\sum_k{\sum}_l{\zeta}_t(k){a}_{kl}{b}_{l,t+1}{\omega}_{t+1}(l)} $$
(16)

Where \( {\zeta}_t(i)=\left[{\sum}_{k=1}^N{\zeta}_{t-1}(k){a}_{ki}\right]{b}_{it} \) is the forward observation probability, which indicates the probability of the observation sequence before time t for a hidden state ISi at time t. The corresponding backward observation probability is \( {\omega}_t(i)={\sum}_{k=1}^N{a}_{ki}{b}_{k,t+1}{\omega}_{t+1}(k) \).

At the same time, the probability that the system is in a hidden state ISi at time t is defined as

$$ {\gamma}_t(i)={\sum}_{j=1}^N{\psi}_t\left(i,j\right) $$
(17)

Next, a maximum likelihood estimation of the model parameters is performed by the Expectation-Maximization (EM) algorithm. In each iteration, ψt(i, j) and γt(i) are calculated using the E-algorithm for a given λ. Subsequently, the M-algorithm is used to calculate λ in the case of ψt(i, j) and γt(i) until convergence is reached. When there are multiple observation sequences, the average is taken to obtain the three parameters (π, A, B) as follows:

$$ {a}_{ij}=\frac{\sum_{k=1}^K{\psi}_t^k\left(i,j\right)}{\sum_{k=1}^K{\gamma}_t^k(i)} $$
(18)
$$ {b}_{im}=\frac{\sum_{k=1}^K{\psi}_t^k\left(i,m\right)}{\sum_{k=1}^K{\gamma}_t^k(i)} $$
(19)
$$ {\pi}_i={\sum}_{k=1}^K{\gamma}_i^k(i) $$
(20)

After the model parameters are obtained, λ is used to predict the network reliability. When a network threat observation sequence OTH = {oTH, 1, oTH, 2, ⋯, oTH, t} is observed in an anomaly detection module of the network topology auto-association system, the Viterbi algorithm is used to calculate the optimal hidden state sequence QTH. Then, at the next time point (t + 1), the network threat transfers to 5 different hidden states IS1, IS2, IS3, IS4, IS5. The transfer probability vectors are

$$ {\varGamma}_{TH}^{t+1}\left(P\left({q}_{t+1}=I{S}_1|{q}_t=I{S}_t\right),\cdots P\left({q}_{t+1}=I{S}_5|{q}_t=I{S}_t\right)\right) $$
(21)

On this basis, the hidden state level transpose vector is multiplied by \( {\varGamma}_{TH}^{t+1} \) to calculate the network threat level \( Se{c}_{TH}^{t+1}={\varGamma}_{TH}^{t+1}\cdotp {\left(1,2,3,4,5\right)}^T \) at the next time point (t + 1) for the system. Similarly, the transfer probability vector ΓTE and the level \( Se{c}_{TE}^{t+1} \) of the network transmission efficiency TE for the next time point (t + 1) can be obtained. Finally, wTH and wTE, the weights of \( Se{c}_{TH}^{t+1} \) and \( Se{c}_{TE}^{t+1} \) respectively, can be obtained based on the expert’s experience. The reliability prediction value of the current path at the next time point (t + 1) can then be calculated:

$$ S{p}_{t+1}={w}_{TH} Se{c}_{TH}^{t+1}+{w}_{TE} Se{c}_{TE}^{t+1} $$
(22)

If Spt + 1 is moderate or high-risk, this path should be excluded in the next guided path space. Otherwise, this path will continue to be retained or added to the guided path space.
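The prediction step of Eqs. (21) and (22) for one path, as an added example that is not code from the paper: Viterbi decoding of the last hidden state, the transfer vector taken as that state's row of A, the expected level, and the weighted sum. The model parameters (π, A, B), the observation sequences, the weights 0.6/0.4 and the 3.5 cutoff for "moderate or high-risk" are constructed assumptions; in the paper (π, A, B) come from EM training.

```python
import math

LEVELS = [1, 2, 3, 4, 5]  # IS1..IS5: safe, mild, general, moderate, high-risk

def _log(x):
    return math.log(x) if x > 0 else float("-inf")

def viterbi(obs, pi, A, B):
    """Most likely hidden-state index sequence for obs, computed in the log domain."""
    n = len(pi)
    delta = [_log(pi[i]) + _log(B[i][obs[0]]) for i in range(n)]
    back = []
    for o in obs[1:]:
        step, new = [], []
        for j in range(n):
            best = max(range(n), key=lambda i: delta[i] + _log(A[i][j]))
            step.append(best)
            new.append(delta[best] + _log(A[best][j]) + _log(B[j][o]))
        back.append(step)
        delta = new
    state = max(range(n), key=lambda i: delta[i])
    path = [state]
    for step in reversed(back):
        state = step[state]
        path.append(state)
    return path[::-1]

def predicted_level(obs, pi, A, B):
    """Sec^{t+1} = Gamma^{t+1} . (1,2,3,4,5)^T, with Gamma^{t+1} the row of A
    that belongs to the decoded state at time t."""
    q_t = viterbi(obs, pi, A, B)[-1]
    return sum(p * level for p, level in zip(A[q_t], LEVELS))

def path_reliability(obs_th, obs_te, model_th, model_te, w_th, w_te):
    """Eq. (22): Sp_{t+1} = w_TH * Sec_TH + w_TE * Sec_TE."""
    return (w_th * predicted_level(obs_th, *model_th)
            + w_te * predicted_level(obs_te, *model_te))

def keep_path(sp, cutoff=3.5):
    """Assumption: Sp >= 3.5 counts as 'moderate or high-risk' (levels 4 and 5)."""
    return sp < cutoff

# Constructed model: risk levels drift to neighbouring levels only, and each
# level mostly emits its own symbol (symbols 0..4 stand for IS1..IS5).
PI = [0.2] * 5
A = [[0.85, 0.15, 0.00, 0.00, 0.00],
     [0.15, 0.70, 0.15, 0.00, 0.00],
     [0.00, 0.15, 0.70, 0.15, 0.00],
     [0.00, 0.00, 0.15, 0.70, 0.15],
     [0.00, 0.00, 0.00, 0.15, 0.85]]
B = [[0.8 if m == i else 0.05 for m in range(5)] for i in range(5)]
MODEL = (PI, A, B)  # the same constructed model is reused for TH and TE

# Constructed observation sequences for a quiet path and a path under attack.
QUIET = {"th": [0, 0, 1, 0, 0], "te": [0, 0, 0, 0, 0]}
ATTACKED = {"th": [1, 2, 3, 4, 4], "te": [1, 1, 2, 3, 3]}

def evaluate(path_obs, w_th=0.6, w_te=0.4):
    sp = path_reliability(path_obs["th"], path_obs["te"], MODEL, MODEL, w_th, w_te)
    return sp, keep_path(sp)

if __name__ == "__main__":
    for name, obs in (("quiet", QUIET), ("attacked", ATTACKED)):
        sp, keep = evaluate(obs)
        print(f"{name}: Sp = {sp:.2f}, keep in guided path space = {keep}")
```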

5.2 Mimic transformation strategy for the network topology mimic association graph

In the network topology mimic correlation graph, it is assumed that there are n available nonintersecting paths at time t whose predicted reliability values are assessed as medium-risk or high-risk at time (t + 1); these form the network topology mimic graph \( {S}_n^{-}\left(t+1\right) \). At the same time, there are m non-usable and nonintersecting paths at time t whose predicted reliability values are assessed as safe, mild or general risk at time (t + 1); these form the network topology mimic association graph \( {S}_m^{+}\left(t+1\right) \). Thus, the next network topology mimic graph is \( {S}_i\left(t+1\right)={S}_i(t)-{S}_n^{-}\left(t+1\right)+{S}_m^{+}\left(t+1\right) \).

At time (t + 1), the new path \( {S}_m^{+}\left(t+1\right) \) will be added; if this path is selected as the communication path, only the primary station serving node needs to notify the edge computing terminal node on the path with the relevant ACL and other information. This is according to the network topology mimic association negotiation algorithm. However, for the communication path \( {S}_n^{-}\left(t+1\right) \) at time t, the primary station service node needs to notify the relevant parties to revoke the ACL and other information.

After the network topology mimic graph is adjusted at the completion time (t + 1), a new graph Si(t + 1) = {sk(t + 1)| 1 ≤ k ≤ m} can be obtained. Then, the overall reliability prediction value corresponding to Si(t + 1) can be obtained as \( S{A}_{S_i\left(t+1\right)}={\sum}_{i=1}^mS{p}_{t+1}^i \). The function is then updated, satisfying the principle of “increase slowly and decrease rapidly”.

$$ h\left(S{A}_{S_i\left(t+1\right)}\right)=\left\{\begin{array}{ll}{h}_1\left(S{A}_{S_i\left(t+1\right)}\right), & S{A}_{S_i\left(t+1\right)}=1\\ {h}_2\left(S{A}_{S_i\left(t+1\right)}\right), & S{A}_{S_i\left(t+1\right)}\in \left(2,3\right)\end{array}\right. $$
(23)

The self-adjusting strategy is as follows:

$$ {T}_S^{i+1}=\left\{\begin{array}{ll}\left(1+{h}_1\left(S{A}_{S_i\left(t+1\right)}\right)\right)\ast {T}_S^i, & S{A}_{S_i\left(t+1\right)}=1\\ \left(1-{h}_2\left(S{A}_{S_i\left(t+1\right)}\right)\right)\ast {T}_S^i, & S{A}_{S_i\left(t+1\right)}\in \left(2,3\right)\end{array}\right. $$
(24)

6 Experiments

6.1 Data preparation

The experiment performs a power system simulation of the network topology mimic association algorithm based on the NS2 network simulation environment. This model uses C++ to write the synchronization module, association module, communication module, attack module, delay processing module, sampling module, anomaly detection module, and deception processing module. It implements the network topology simulation by writing an OTcl script. The number of available IPv4 addresses in the network is 28, and the number of available ports is 1000. The initial correlation period is 120 s. The method assumes that g1(x) = − ln (20x + 0.5), g2(x) = 16x^2 − 0.8x + 0.01, h1(z) = − ln (20x + 0.6), h2(z) = 16z^2 − 0.64z + 0.064. Note that the simulation experiments are conducted in different scenarios with the same resources.

6.2 Experiment metrics

6.2.1 Security analysis

Security is an important indicator for evaluating the advantages and disadvantages of a defense method. This section analyzes the anti-attack capability of the proposed active defense technology for an edge defense network attack based on network topology mimic correlation. The active defense principle for edge computing network attacks based on the network topology mimic association algorithm is shown in Figs. 7 and 8.

  • Anti-DoS attack

Fig. 7 Defense before network topology mimetic correlation

Fig. 8 Defense after network topology mimetic correlation

After the network topology mimic association defense strategy is implemented, the IP address and port of the communication host and the protocol used by the communication parties will be associated after each corresponding time slot. For an attacker who performs a DoS attack, it is necessary to continuously send a large number of service requests to the target host and consume the target host resources. However, the node network configuration of the target host is continuously associated; thus, a DoS attack cannot be initiated [32, 33].

  • Anti-following attacks and anti-semi-blind attacks

A following attack is a special type of attack for a network topology mimicking system. When the defender adopts the network topology mimicking association strategy, the attacker will try to detect and locate the current active node network configuration as the focus of the attack. A blind attack occurs when an attacker cannot locate the current active node network configuration and attacks all available nodes of the node network configuration state space that are detected. The attack strength is evenly distributed across all available nodes. The difference between a semi-blind attack and a blind attack is that the attack intensity of a semi-blind attack is concentrated on a subset of the available nodes while the attack strength of the follow-up attack is concentrated at one point. The network topology mimic association algorithm further increases the difficulty for an attacker to detect and locate the current active node network configuration of the associated system, and thus, the ability to resist follow-up attacks and anti-semi-blind attacks is improved [34].

6.2.2 Network transmission efficiency

Attacks affect network transmission. Network transmission efficiency can be regarded as the metric to evaluate the state of the network transmission. To evaluate network transmission efficiency, the most direct and main metric is the network transmission rate. The network topology mimic association (PA NTAA) proposed in this paper is compared with three other algorithms: the non-topology-association algorithm (No NTAA), the simple topology association algorithm (Simple NTAA) and the end-hopping-based topology association algorithm (EH NTAA) proposed in [19, 20]. Experiments compare these algorithms on network transmission efficiency under different attack rates. Average attack rates range from 0 to 100. After that, experiments are also analyzed with and without an attack. Additionally, the transmission efficiencies of the No NTAA and PA NTAA are compared.

6.3 Results

6.3.1 Experiment against DDoS attacks

In this section, the SYN-Flood mode is used to guide a DoS attack. Experiments test the average service response time of the network topology mimic association system under different SYN-Flood attack rates to reflect the service availability performance. Figure 9 shows results for No NTAA, Simple NTAA, EH NTAA, and PA NTAA. The results show that the network topology mimic association strategy proposed in this paper can better resist DoS attacks. This result occurs because the mimic correlation technology of the network topology dynamically measures network anomalies according to the strength of cyber-attacks. Then, the network topology mimic graph and communication paths are automatically adjusted. Adjustments increase the difficulty of hitting a path for DDoS attacks. However, the difference between the results for the association strategy in [19] and PA NTAA is not significant. Moreover, when the mimic map space of the network topology is compressed to almost zero, the DDoS attack enters an unsupervised blind attack state, that is, an average attack on all nodes in the accessible path detected by the attacker.

Fig. 9 Results for DDoS attack defense test

6.3.2 Experiment against the following attack

In conventional edge computing network communication, the attacker can easily detect the node IP and port number in the communication path. Thus, the following attack at this time is a direct attack. When the attack strength increases, the DoS state will be quickly reached. Under the simple topology association algorithm, the adjustment period is fixed; thus, the communication path is adjusted uniformly according to a fixed term. In the experiments, the attacker’s following delay is 2S, which allows the attacker to follow with sufficient time. When the EH NTAA is adopted, in the case of an attack, the adjustment period is reduced by more than half to inhibit the attacker from detecting the communication path. In this paper, when adopting PA NTAA, since both the network anomaly and network security reliability are considered, the adjustment period will be reduced by more than 1/2 in the presence of continuous attacks. In this case, the adjustment period will be reduced more quickly, and the other time delays will increase for the attacker.

The experimental results in Fig. 10 show that the response time for the simple topology association algorithm is better than that for No NTAA. This result arises because the adjustment period of the Simple NTAA is fixed, and the attacker has sufficient time to analyze the current active node and start attacking. The network transmission efficiency of PA NTAA is significantly higher than that of EH NTAA because the adjustment of the network topology mimic graph and communication path is based on network anomaly detection and network security reliability prediction, but not just reduced by more than 1/2. This approach can effectively reduce the transmission efficiency loss caused by the mimic transformation strategy. However, as the attack speed increases, the attack packets occupy a large amount of network bandwidth, causing the network to enter a congested state. Although the attacker cannot identify the attack after the current active node, it will still cause a rapid decline in transmission efficiency.

Fig. 10 Results for an accompanying attack defense test

6.3.3 Experiment against a semi-blind attack

Here, a perceptual node edge access system with 20 communication paths is used for the experiments. It can be seen from Fig. 11 that when the edge of the access node is connected to the network, the network transmission delay increases rapidly as the proportion of the received attack path reaches 50%. When the proportion exceeds 60%, the network transmission delay tends to infinity. The average response time of the EH topology association strategy is better than that of the No NTAA but is not as good as that of the Simple NTAA, which is consistent with the analysis presented in [35]. The average response time of the PA NTAA is better than that of the Simple NTAA.

Fig. 11 Results for semi-blind attack defense

6.3.4 Comparison of with and without attack

The experiment results are also analyzed with and without an attack. Additionally, the transmission efficiencies of the No NTAA and PA NTAA are compared, primarily based on the reporting rate of the primary station node. As shown in Fig. 12, when there is no attack, the transmission efficiency of the PA NTAA is lower than that of the No NTAA during the initial negotiation phase. However, after the negotiation point, the transmission efficiency of the PA NTAA is 43% higher than that of the No NTAA, which is primarily due to the multipath transmission. Moreover, the experimental results show that the adjustment period is 180 s, 198 s, 227.8 s, and 271 s, and the growth rate is approximately 10%, 15%, and 19% of the previous cycle, which satisfies the principle of full growth. In the case of an attack, the transmission efficiency of the No NTAA decreases as the attack strength increases. The transmission efficiency of the PA NTAA can be maintained when the attack strength is not robust. However, as the attack strength increases, the transmission efficiency gradually decreases.

Fig. 12 Experimental analysis results of network transmission efficiency without an attack

7 Conclusion

Based on a thorough study of the mobile self-organizing characteristics of edge computing networks, the framework combines a moving network transmission with path mimicry adjustment techniques to propose a strict, formal description and definition. An active defense framework for data transmission in an edge computing network based on a link layer and application layer network topology mimic correlation is designed to ensure scalability of the algorithm. To solve the problem of attacks and to improve defense and transmission quality with a moving periodic adjustment of the network, this method proposes a moving communication path alliance and a mimic graph transformation method for network topology. Based on the temporal and spatial dimensions, this work combines moving threshold network anomaly detection and reliability prediction of network security based on the HMM. In this way, a reasonable transformation of the network can be performed. The mimic adjustment overhead can be minimized and active defense problems in the DoS attack, following attack and semi-blind attack can be resolved. Experimental results show that the transmission efficiency of the network topology mimic association algorithm proposed in this paper is higher than that of other popular methods and the reliability and anti-attack performance are significantly improved.

However, there are still some deficiencies in this work. This work is mainly applied in power edge computing networks. Experiments are conducted in a simulated power network. Due to the particularity of the power network, results are sensitive to parameters and environment in this model. As a next step, the method needs to be improved so that it can be applied in more common networks.