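1. College of Cryptography Engineering, PLA Information Engineering University, Zhengzhou 450001, Henan
2. State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093
3. Henan Key Laboratory of Information Security, Zhengzhou 450001, Henan
4. Institute of Information Countermeasure Technology, Harbin Institute of Technology, Harbin 150001, Heilongjiang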
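Cheng LEI (1989-), male, born in Beijing, is a Ph.D. candidate at the PLA Information Engineering University. His main research interests include network information security, moving target defense, secure data exchange, and network flow fingerprinting.
Duo-he MA (1982-), male, born in Lu'an, Anhui, holds a Ph.D. and is an assistant researcher at the Institute of Information Engineering, Chinese Academy of Sciences. His main research interests include application security, moving target defense, cloud security, and network and system security.
Hong-qi ZHANG (1962-), male, born in Zunhua, Hebei, holds a Ph.D. and is a professor and doctoral supervisor at the PLA Information Engineering University. His main research interests include network security, moving target defense, classified protection, and information security management.
Qi HAN (1981-), male, born in Pingdingshan, Henan, holds a Ph.D. and is an associate professor at Harbin Institute of Technology. His main research interests include information hiding, information countermeasures, quantum cryptography, and multimedia security.
Ying-jie YANG (1971-), male, born in Zhengzhou, Henan, holds a Ph.D. and is a professor and master's supervisor at the PLA Information Engineering University. His main research interests include data mining, situational awareness, and information security management.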
Online publication date: 2017-03
Print publication date: 2017-03-15
Cheng LEI, Duo-he MA, Hong-qi ZHANG, et al. Network moving target defense technique based on optimal forwarding path migration[J]. Journal on Communications, 2017, 38(3): 133-143. DOI: 10.11959/j.issn.1000-436x.2017056.
Moving target defense (MTD) is a technique that changes the balance between network attack and defense, and forwarding path mutation is one of the research hotspots in this field. Existing path mutation techniques select paths blindly and carry out mutation without constraints, which makes it difficult to maximize defense benefit while guaranteeing network performance. To address these problems, a network moving target defense technique based on optimal forwarding path migration is proposed. Satisfiability modulo theory (SMT) is used to formally specify the constraints that path mutation must satisfy, so as to prevent the transient problems that path mutation can cause. An optimal path mutation generation method based on a security capacity matrix then selects the optimal combination of mutation path and mutation period, so as to maximize defense benefit. Theoretical and experimental analysis examines the cost and benefit of the technique in resisting passive sniffing attacks and shows that it maximizes mutation benefit while guaranteeing network performance.