A Novel Model of Mimic Defense Based on Minimal L-Order Error Probability

Mimic defense is an active defense theory, which aims to fundamentally change the “easy to attack and difficult to defend” situation of network security. In this paper, we propose an evaluation method based on the probability of being attack successfully, and improve the evaluation scheme of historical confidence. We combine the two evaluation schemes with the TOPSIS (technique for order performance by similarity to ideal solution) algorithm, and finally form a complete heterogeneous variant dynamic scheduling model. Different from traditional multi-mode voting algorithms, the effect of the heterogeneous degree in voting is considered, and we use Bayesian estimation to obtain the optimal result in the probabilistic sense. Finally, simulation results show that the proposed algorithm can effectively enhance the dynamic and security of the mimic defense model, and give full play to the characteristics of mimic defense.


I. INTRODUCTION
With the development of the network and information technology, people's life and work have become not only more convenient but also more inseparable from information technology [1]. Recently, several serious safety accidents have shown that malicious attacks can be disastrous, such as the raid of Iran's nuclear plant [2], the destruction of the national grid of Ukrainian [3], and the security flaws reported on modern cars [4]. The security of cyberspace has become a restrictive factor in the development and application of information technology [5].
Although there are many effective methods for tackling known attacks, such as firewalls [6], antivirus [7] and intrusion detection [8], it is still a challenge to how to deal with unknown attacks [9]. Inescapable vulnerabilities and backdoors deriving from design or implementation flaws further increase the passivity of the defender [10]. The above reasons result in the asymmetric situation of cyberspace security, that is easy to attack and difficult to defend [11].
The associate editor coordinating the review of this manuscript and approving it for publication was Kaigui Bian .
In order to reverse the asymmetry and guard against unknown attacks, moving target defense (MTD), a representative proactive defense mechanism, has emerged with high hopes [12], [13]. MTD continuously and randomly changes network elements to achieve active defense [14]. By increasing the unpredictability of the system, MTD greatly increases the cost of the attacker while ensuring the normal operation of the system [12]. Based on operation, MTD can be roughly divided into four types [15]: shuffling [16], [17], diversity [18], [19], redundancy [20]- [22] and hybrid [23], [24]. Although different types of MTD have their characteristics, it is still difficult to satisfy coverage, timeliness and unpredictability at the same time [25], and problems such as blindness, inefficiency and unverifiability may also arise [26].
To solve these problems, inspired by the mimic phenomena in the natural world, Wu et al. [27] proposed a novel theory called Mimic Defense (MD). Employing dynamic, heterogeneity, and redundancy (DHR) mechanism, MD has been applied in many fields such as Software Defined Networking (SDN) [28], encryption [29] and cloud [30]. Generally, MD includes a dynamic scheduling algorithm and a voting algorithm. There are some valuable researches on dynamic scheduling algorithms. Qi et al. [28] solved it as VOLUME 8, 2020 This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/ an optimization problem, and used a heuristic algorithm to maximize the security gain of the network operating system during each switch. Li et al. [31] used the design strategy of minimizing heterogeneity. Shen et al. [32] added the weight of historical confidence to the heterogeneous evaluation system. Liu et al. [33] provided a scheduling method based on the minimum similarity of random seeds. In terms of voting algorithm, the majority voting algorithm and the consensus voting algorithm are used the most widely [34], [35]. On this basis, Wu et al. [36] combined the advantages of multiple voting algorithms and added heterogeneity as a factor to the voting algorithm. Lin et al. [37] proposed a competitive arbitration model based on the multi-mode voting algorithm.
To the best of our knowledge, the existing researches of MD cannot take full advantage of the dynamic scheduling model based on heterogeneous degree, nor can they fully utilize the dynamic of DHR architecture. Based on the above research status of MD, this paper focuses on using the probability model to construct the DHR framework that minimizes the probability of a successful attack. Combining the definition of heterogeneity, we have improved the existing dynamic scheduling algorithm and voting algorithm to enhance the initiative and dynamic of DHR. The main contributions of this paper are as follows: (1) An improved algorithm about heterogeneous variants selection is proposed based on the minimal L-order error probability, in which we fully consider the definition of heterogeneity.
(2) A novel evaluation scheme of historical confidence is designed to enhance the dynamic of the scheduling algorithm.
(3) The optimal solution to the multi-mode voting result is obtained based on Bayesian estimation.
The rest of our paper is organized as follows. In Section II, we combine the minimum probability of a successful attack and historical credibility to establish the system model. In Section III, we propose the functional unit design of DHR, including the dynamic scheduling algorithm and the multi-mode voting algorithm. In Section IV, we use simulation experiments to prove the effectiveness of the algorithm. Section V contains the conclusion and the prospect.

II. DYNAMIC HETEROGENEOUS REDUNDANCY MODEL
The entire dynamic heterogeneous redundancy model can be divided into two parts: the dynamic scheduling algorithm and the multi-mode voting algorithm.
Dynamic scheduling selection aims to select the heterogeneous variants in the spare heterogeneous variants' set through a specific algorithm, and forms a heterogeneous variant group to perform the corresponding function. Each heterogeneous variant in the group gets its own result (C 1 , C 2 , . . . , C m ) according to the input. Their original function is the same, which means their outputs are the same under normal circumstances. However, due to the existence of the attack on the selected heterogeneous variants, the results obtained may be different. The results of their output will be handed over to the voting unit for comprehensive judgment.
The voting unit integrates all the results outputted by the collected heterogeneous variants to obtain the final result with the highest confidence. These two parts reflect the dynamic and heterogeneity of DHR.
For a general mimic defense system, consider the spare heterogeneous variants' set = E 1 , E 2 , . . . ,E N , which includes N heterogeneous variants with the same function. Each heterogeneous variant E i (i= 1, 2, . . . , N ) has the vulnerability set V i . Besides, all the heterogeneous variants' vulnerability set can form the total vulnerability set V = n i=1 V i . Among the N heterogeneous variants, M heterogeneous variants are selected by the dynamic scheduling algorithm according to a certain rule to form a heterogeneous variant group. We use to represent the set including all the possibilities of selecting heterogeneous groups, and the number of heterogeneous variant groups in is υ, which means υ = | | = C M N . The whole Dynamic Heterogeneous Redundancy model is shown in Figure 1.

A. HETEROGENEITY
The heterogeneity definition in this paper adopts the mainstream method [27], that is related to the number of common vulnerabilities between the two heterogeneous variants. The number of common vulnerabilities is positively correlated with the heterogeneity and the possibility of simultaneous destruction by the same attack.
Suppose that each heterogeneous variant E i can be divided into s components according to specific criteria. Because of the cost and power consumption, s is a finite number. We use e j i to represent the component j of the heterogeneous variant E i , and obtain that E i = e 1 i , e 2 i , e 3 i , . . . ,e s i . Each component may have several implementations, and in general, there are fewer common vulnerabilities in the heterogeneous variant implemented by different schemes. Considering that component j has π j implementation schemes, we define the matrix j related to scheme similarity: where ϕ j ab (a, b = 1, 2, . . . , π j ) represents the similarity between scheme a and b of component j. The more common vulnerabilities scheme a and b have, the larger the ϕ j ab is. Especially, ϕ j ab = 1 and ϕ j ab = 0 denote the vulnerabilities of scheme a and b are the same and totally different, respectively.
In the later design, we assume that the performance of each scheme is similar, which means when designing heterogeneous variants, the scheduling scheme selected is random. Each component is also assumed to have the same probability of being attacked when an attack happens.
For component e j i , we define its scheme feature vector I j i = l 1 , . . . , l v , . . . , l π j T , and number π j kinds of schemes. If the scheme of component j in heterogeneous variant i uses the scheme numbered z, element l v is defined as (1).
Between different heterogeneous variants E i 1 and E i 2 , the heterogeneity of component j is h j i 1 ,i 2 and it can be calculated by (2): where i 1 , i 2 = 1, 2, . . . , N . According to the previous formulas, the heterogeneity h i 1 ,i 2 between different heterogeneous variants can be expressed as (3): where j indicates the importance of component j in the formation of heterogeneity, which is generally measured by the difficulty of being attacked. It can also indicate the possibility of an attacker exploiting this component. Obviously, all the j add up to 1, i.e.: It is obvious that 0 <h i 1 ,i 2 < 1. h i 1 ,i 2 describes the similarity between E i 1 and E i 2 , which means that the larger h i 1 ,i 2 is, the more same vulnerabilities E i 1 and E i 2 have.

B. THE RELATIONSHIP BETWEEN ATTACK SUCCESS PROBABILITY AND HETEROGENEITY
Note that an attacker can access the system as a normal user. In fact, an attacker is a rational man, which can master the vulnerability and corresponding attack methods of a certain heterogeneous variant, and can change the attack state in time to obtain a better attack effect. According to the definition of heterogeneity h i 1 ,i 2 , less heterogeneity means the lower probability that the same attack will cause two heterogeneous variants to fail at the same time [33], [38], [39]. We define p i as to denote the probability of an attacker exploiting the vulnerability in heterogeneous variants E i to make the output incorrect. In a physical sense, we define ν (t) as follows to describe the changing rate of success probability at time t [27]: So, we can obtain the equation of p i as as follows: where λ is closely related to the attacker's ability. We set λ equal to 0.5 the same as [27]. Initially, it increases more rapidly, but as the variable increases, its growth rate decreases. Eventually, it tends to 1. Its function image is shown in Figure 2. Considering that an attacker will try his best to attack, the integral time should be an update cycle T of dynamic scheduling, i.e.: For the convenience of later analysis, we assume that the attacker's ability to attack each vulnerability is equal, and obtain the equation as follows: If event A i indicates that the output of heterogeneous variant E i is incorrect due to the attack aimed at the vulnerability existing in the heterogeneous variant E i , P A i 1 can be expressed as follows: According to the definition of heterogeneity, h i 1 ,i 2 denotes the probability that these vulnerabilities also exist in E i 2 . Hence, the probability of the E i 2 output error because of facing the attack aimed at these vulnerabilities is: C. RELATED DEFINITIONS Definition 1: We use symbol F i (k) to denote the output of E i at time k, and define that F i (k) and F j (k) have the same result when heterogeneous variants E i and E j keep the following relationship: where γ ij is the maximum difference between the heterogeneous variants E i and E j under the same input, due to the influence of the computational accuracy and channel noises [40]. γ ij is related to the heterogeneous variants' operation, which means that γ ij is not too large in general. A successful attack wants to mess up the system and needs to ensure that the output of the heterogeneous variant will be quite different from the original.
Definition 2: It is called L-order error that there are L heterogeneous variants' outputs inconsistent with the result obtained by the multi-mode voting algorithm.
For the heterogeneous variant group of the current service, L is positively related to the impact on the multi-mode voting algorithm.

III. ALGORITHM DESIGN
The DHR designed in this paper includes the dynamic scheduling algorithm and the multi-mode voting algorithm.

A. DYNAMIC SCHEDULING ALGORITHM
The dynamic scheduling algorithm in this paper is composed of heterogeneity and historical confidence, but the evaluation method is different from the previous researches.

1) L-ORDER ERROR PROBABILITY
The existing dynamic scheduling algorithms generally adopt linear minimization when considering heterogeneity, which is a simple and intuitive method [31], [32]. However, when one component of heterogeneous variant is easier to be attacked, i.e., when the corresponding j is relatively large, the simple linear summation of heterogeneity might cause selected heterogeneous variants to only consider the heterogeneity of component j but ignore those of other components, which is a serious problem.
To solve this problem, the optimization goal of our design is to minimize the L-order error probability p LS . L is the amount which needs to be specifically defined in practical application. The larger the L, the greater the impact on the vote. Therefore, if the consensus voting algorithm is used, L can be M 2 [32]. If the output error result of the heterogeneous variants is not likely to be repeated, then L could take M − 1. Considering that the attack was launched against the vulnerability in the components that make up heterogeneous variants, it is not difficult to obtain the expression shown as follows: where p jL indicates the probability that an attack aiming at component j results in an L-order error. We use p jκL to indicate the probability of causing the L-order error when an attacker exploits the vulnerability of the scheme κ (κ = 1, 2, . . . , π j ) of the component j to attack. And we obtain the expression of p jL as follows: If p jκκ (l 1 ) is used to represent the probability of an l 1 -order error occurring for all components using scheme κ when an attacker exploits the vulnerability of the scheme κ to attack, p jκ (l 2 ) denotes the probability of this type of attack resulting in an l 2 -order error for all components not using the scheme κ, and l 1 + l 2 = L, p jκκ (l 1 ) * p jκ (l 2 ) is the probability that such an attack will cause L-order error. In other words, the mathematical expression of p jκL is as follows: where l 1 = ς, ς + 1, . . . , ξ and The mathematical relationship of the relevant parameters is as follows: where a jκ represents the number of heterogeneous variants using the scheme κ in the component j. The expression of (15) and (16) are mainly for mathematical rigor. In practice, most cases meet L − a jκ ≥ 0, which means the number of heterogeneous variants using the scheme κ does not exceed L, and M − L − a jκ ≥ 0, which means the number of heterogeneous variants not using the scheme κ is not less than L. It can be deduced that p jκκ (l 1 ) obeys the binomial distribution, which can be expressed as follows: where p jκκ as denotes the probability that the output of heterogeneous variant using scheme κ in component j goes wrong because of the attack, which is designed according to the vulnerability of the scheme κ in component j. Ignoring the different performances of different heterogeneous variants, p jκκ as is only impacted by the ability of attackers.
It is difficult to directly obtain the expression of p jκ (l 2 ). It is obvious that U jκ has C l 2 M −a jκ elements. We define that function y = f (x) denotes the product of the non-zero elements of vector x, and I M −a jκ represents the M − a jκ -element row vector composed of 1. The mathematical expression of p jκ (l 2 ) is obtained as follows: Although the form of p jκ (l 2 ) is complicated, M is small in actual application because of the cost [27], which means p jκ (l 2 ) can be easily calculated.
In conclusion, we could define the first evaluation indicator J 1 of the heterogeneous variant group as follows: We can obtain J 1 > 0 because of p LS (0, 1). And the goal of our selection of heterogeneous variants is to make the J 1 as large as possible.

2) HISTORICAL CONFIDENCE
The popular evaluation method of historical confidence of heterogeneous variant E i is to calculate its historical correct rate, i.e., the proportion of its result being the same as the voting result [32], [36]. However, considering that the attacker can often reproduce the attack based on previous experience, if a vulnerability is discovered and not dealt with in time, the attacker may continue to attack. In addition, if the historical confidence is calculated according to the time heterogeneous variant E i used, the rate of historical confidence decline is related to the time when the attacker discovers the vulnerability. If it takes a long time for an attacker to find its vulnerability, the heterogeneous variant E i can still maintain high historical confidence for a period of time, which may deceive the dynamic scheduling mechanism. Furthermore, one of the outstanding advantages of the DHR is dynamic, i.e., DHR defense is characterized by initiative and prevention [41]. Therefore, even if the output of the heterogeneous variant E i always produces the same result as the voting result, it should be replaced when it is used more than a certain number of times, given that the attacker may have found the vulnerability in the E i at this time. This approach takes full advantages of dynamic, effectively preventing attackers from re-using prior experience to reproduce attacks.
In this case, consider the number of continuous use and wrong output times of heterogeneous variants as an evaluation of historical confidence. We consider that the increase in the number of continuous use times and the increase in the number of wrong outputs cause the scheduling algorithm to have exponential attenuation of trust in heterogeneous variants. We define historical confidence H i as follows: where H i denotes the historical confidence of the heterogeneous variant E i , n 1i represents the continuous use times of heterogeneous variant E i , and n 2i represents the number of times that the heterogeneous variant E i has a different output from the multi-mode voting in the continuous n 1i times. Because of the high dynamic of the algorithm, n 1i is generally not too large, and the number of wrong outputs is more reasonable than the error rate. β 1 and β 2 are adjustment factors and should be designed according to the actual system. It should be noted that if υ is relatively large, more options can be taken among the heterogeneous variant group, and β 1 can be appropriately larger to enhance dynamic. If |V | is relatively large, then the probability of continual success of random attack is relatively small, i.e., the probability of random attack causing heterogeneous variant E i to output incorrect results many times is relatively small, so β 2 can be appropriately larger. σ 1 and σ 2 are growth coefficients to measure the tolerance of heterogeneous variant E i with the increase of continuous use and errors respectively. And the scheduling algorithm should be designed according to the actual system and its design law is the same as β 1 and β 2 . Thus, the second evaluation indicator J 2 of a heterogeneous variant group can be obtained: Obviously, the heterogeneous variant group we have selected should make J 2 as small as possible.
In order to evaluate the heterogeneous variant group, we need to process indicators J 1 and J 2 . Although these two indicators have the same decision-making position, they have different value ranges. Thus, we evaluate the quality of a heterogeneous variant group by using the TOPSIS algorithm [42]. TOPSIS algorithm normalizes the results of their two indicators when evaluating the heterogeneous variant group ϑ, then enter the weight matrix w = [w 1 , 1−w 1 ], and we can obtain a score for each heterogeneous variant group by the gap with the most ideal indicator. Thus, we can obtain the group with the highest score and use it as the current service. Furthermore, if υ is not too large, it's feasible to traverse the heterogeneous variant set to obtain a globally optimal solution, i.e., ϑ = υ. Otherwise, we only need to traverse part of to obtain the locally optimal solution.
Remark 1: Although the mathematical form used in the paper is more complicated, in practical application, the system will not have too many heterogeneous variants to be chosen because of the limited cost. Therefore, the efficiency of the algorithm can be accepted.

B. MULTI-MODE VOTING ALGORITHM
Although the multi-mode voting algorithm makes full use of the output values of each heterogeneous variant, it ignores the contribution of its heterogeneity in voting. Considering that the use of the above dynamic scheduling algorithm makes it almost impossible for an attacker to obtain the vulnerability information of the system based on prior ionized experience, the attack can be considered random. Then, after getting M outputs of the heterogeneous variants at a certain moment, VOLUME 8, 2020 we merge the same results according to Definition 1 and finally obtain r different results. In other words, we obtain different output results' set C = {c 1 , c 2 , . . . , c r }, r ≤ M . We assume that the correct result is c * . Considering the special case where all variants may be attacked and output incorrect results, c * has r + 1 possible results. In this paper, we hope to obtain the multi-mode voting resultc * , so that the probability ofc * = c * is the largest. We use p t to represent the probability that the variant E ic t with the output c t are all attacked (t= 1, 2, . . . , r), and set S (t) represents the heterogeneous variants whose outputs are c t . In order to obtain a unified form, we define a virtual output c 0 , and its probability is p 0 , which represents the probability that all heterogeneous variants have been attacked, and the correct result is not in set C at this time.
where p jt indicates the probability that an attack aiming at component j results in the incorrect output of variant E ic t . Note that the attacker has the same probability of attacking each scheme of component j, we obtain: where p jιt represents the probability that an attack aiming at the vulnerability of scheme ι causes all heterogeneous variants E C t ∈ S (t) to output incorrect results. Hence, we obtain: where p iι represents the probability of heterogeneous variants E ic t belonging to S (t), which output incorrect results under the attack aiming at the vulnerability of scheme ι. Based on the matrix j , the results can be obtained in the same way according to (9) and (10). We define that p c t denotes the probability of c t = c * . It is obvious that p c t is the probability that all heterogeneous variants with other results are attacked except the heterogeneous variants of this result. We can obtain its expression as follows: Especially, According to (25), (26) and the Bayesian formula [43], the probability ofc * = c t is p r t shown as follows: In particular, c * / ∈ C means that all heterogeneous variants are attacked, and the probability that the hypothesis is correct is p r 0 .
Next, we only need to find the maximum value in the probability set {p r t , p r 0 } to find the optimal results in the sense of probability. If p r 0 is the largest value in the above set, the voting fails, the voting result is invalid and an alarm is returned. It also shows that the choice of heterogeneous variant group is inappropriate. The adjustment coefficient and growth coefficient previously mentioned also need to be adjusted.
Remark 2: In our model, the system input is assumed to be completely unknown, which means the voting result of the system is completely dependent on the output of the heterogeneous variants without priori estimates. However, in practical applications, the input may have a model known to the system, which means the system can obtain a priori estimate of the current voting result from previous voting results. In this case, we need to modify the voting algorithm, amending the voting algorithm from Bayesian estimation to recursive Bayesian estimation [44], [45]. In other words, according to the known input model, the historical voting output result should be added to the calculation of the current voting result.

IV. NUMERICAL SIMULATION
In this section, we simulate the algorithm proposed in this paper, compare it with others, and analyze the influence of parameter changes on the performance of the algorithm. First, we assume that the attacks are random, and the update cycle of the dynamic scheduling algorithm is 1 second (i.e., T = 1). At this point, p i as = 0.3935. The relevant parameter settings of historical confidence formula (20) are β 1 = β 2 = 0.1 and σ 1 = σ 2 = 0.1. Every time an instruction is executed, if the heterogeneous variant is not attacked successfully, the output is correct. Otherwise, the output must be wrong and the incorrect results are random. We consider that there are 9 heterogeneous variants in the spare heterogeneous variants' set (i.e., N = 9), and each time we choose 5 heterogeneous variants from the spare heterogeneous variants' set to achieve function (i.e., M = 5). Because the output incorrect result of the heterogeneous is random, L = 4 is sufficient. The number of components per heterogeneous variant is set to 4, i.e., s = 4. The numbers of implementation schemes for each component are: π 1 = 6, π 2 = 5, π 3 = 4, π 4 = 3. Each scheme is chosen with equal probability. Take the weight matrix w = [0.50.5]. In order to unify, the number of attacks simulated in each experiment is 100000.
To illustrate that our algorithm can better reflect the advantage of the dynamic scheduling algorithm based on heterogeneity, we compare the traditional heterogeneous variants scheduling algorithm with ours. In order not to lose generality, we consider the general case (the component weights are close) and the extreme case (the weight of one component is relatively large). In the general case, the construction of the heterogeneity matrix is randomly obtained by β distribution, and component weights j are set as 0.4, 0.3, 0.2, and 0.1, respectively. Under the same voting algorithm, the voting accuracy of the traditional algorithm is 98.91% while ours is slightly better, which is 99.23%.
In the extreme case, if one component of the system has more vulnerabilities or is more attractive to attackers, its weight will be relatively larger. Traditional algorithms will pick heterogeneous variants with a lower heterogeneous degree and ignore the importance of other components. In this case, the weight of the four components are defined as 0.7, 0.1, 0.1, 0.1, respectively. And heterogeneous variants with different first components tend to use the same components in the remaining choices. The simulation experiment shows that the voting accuracy of the traditional algorithm is only 94.94%, and the accuracy of our improved algorithm is 96.88%, in which the detection error rate is reduced by 38.34%. According to the simulation results, if the weight of one component is relatively large, then the advantage of our algorithm will be more prominent. For a better comparison, we increase the weight of the component with the largest weight in the case where the weights of other components are the same, and the simulation result is shown in Figure 3. On the whole, when the maximum weight increases, our selection algorithm will have more advantages, which is manifested as the detection error rate decreases more obviously. Figure 3 shows that the algorithm proposed in this paper can play a better role when the maximum weight is larger.
However, when the maximum weight is too large, the attack detection accuracy of the algorithm will be greatly affected, which results in a slower decline of detection error rate. Of course, it is unlikely that a component weights 0.9 in practical problems. So, it can be considered that our algorithm has certain advantages.
In order to show that the historical confidence evaluation system we propose can increase the dynamic of the algorithm, we compare it with the traditional evaluation criterion used in [32] and [36].
We assume that attacks occur when the system is running safely for a period of time. Because of the previous accumulation, it takes a relatively long time for the existing historical confidence evaluation scheme to find and replace the damaged heterogeneous variants. During this period, the system has a high probability of being attacked successfully. However, when the same attack sequence happens on the system applied our algorithm, it can quickly find and replace the damaged heterogeneous variants. We assume that the attacker is continuously attack at intervals, that is, the attacker will periodically repeat the attack, it has no action in the first half of the period, and continuously attack in the second half of the period. Figure 4 shows the simulation results. As shown in Figure 4, when attacks occur, the system using our proposed algorithm can quickly find and replace the damaged heterogeneous variants, so that the attack success rate does not have a large peak, and the attack success rate is relatively low in the final steady state.
In practical applications, the attacker tends to attack the vulnerabilities of a system after finding them. We assume that the attack is random at first, but the attacker is able to obtain the output of the system. When it finds that the voting result is incorrect, the attacker repeats the previous attack with the probability of attack retention p af . Note that the attacker is issued by a hacker, p af is generally not 0. If p af is 1, then the attack is likely to fall into the local optimal solution trap set by the defender. Therefore, a real attacker should set p af satisfying 0 <p af < 1. The influence of p af on voting accuracy is discussed below.
The relationship between voting accuracy and attack retention probability is shown in Figure 5. Figure 5 shows that the voting accuracy does not change much with the probability of the attack, which means that the algorithm we designed has good dynamic and initiative. Even if the probability of an attack remains at 0.9, the voting accuracy rate is comparable to that of a random attack, indicating that the attacker has lost the advantage of making use of prior attack experience.
Next, we analyze the influence of w 1 on detection accuracy. Take p af = 0.8, the effect of weight w 1 on detection accuracy is shown in Figure 6.    Weight w 1 measures whether heterogeneity or historical confidence is more important in the dynamic scheduling algorithm. Figure 6 shows that the voting accuracy rate does not change very much while the weight changes from 0.4 to 0.7, which indicates that the heterogeneity and historical confidence are sufficient to resist attacks at that time. However, when one of the indicators is ignored, the voting accuracy will drop rapidly. If heterogeneity is ignored, the attacker is likely to attack the heterogeneous variants with the same vulnerability. If dynamic is ignored, the attacker can likely use prior experience to attack. According to experimental results, heterogeneity indicators may be relatively more important.
Similarly, the influence of the dynamic update cycle T on voting accuracy is shown in Figure 7.
With the increase of T , the voting accuracy first declines slowly and then rapidly. That is because the decline of T not only makes p i as larger but also makes it more possible for attackers to find system vulnerabilities and keep attacking for a period of time. When T tends to be infinite, the dynamic scheduling algorithm becomes useless.
Next is the simulation test for the parameter change. Setting p af = 0.8, T = 1 and β 2 = 0.1, the effect of β 1 on voting accuracy is shown in Figure 8.
Parameter β 1 mainly strengthens the initiative of the system's mimic defense, i.e., the system actively replaces the heterogeneous variants whose vulnerabilities are suspected to have been found. Therefore, when β 1 is small, with the increase of β 1 , the initiative of the algorithm increases, and the damaged heterogeneous variants can be found and replaced in time, resulting in increasing voting accuracy. But when β 1 increases to a certain extent, since the number of alternative heterogeneous variant groups is limited, i.e., υ is limited, excessive emphasis on dynamic scheduling algorithm will make the dynamic scheduling algorithm ignore the minimum L-order error probability, resulting in the decline of voting accuracy.

V. CONCLUSION
We have analyzed the mimic defense and dynamic heterogeneous redundancy model. A heterogeneous variant evaluation model based on the smallest L-order error probability has been proposed combining the advantages of existing algorithms and the definition of heterogeneity. At the same time, in view of the current shortcomings in measuring the historical confidence, a system that uses the number of consecutive usage and errors as the historical confidence evaluation index has been proposed to effectively solve the problem of lagging historical confidence evaluation. For the voting algorithm, the Bayesian estimation method has been introduced to find the optimal solution of the voting result. Simulation experiments have shown that for this model, the attacker cannot use the prior experience to continuously carry out effective attacks, and the security and dynamic of our mimic defense system are improved.