1. State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China
2. Institute of Information Countermeasure Technology, School of Computer Science, Harbin Institute of Technology, Harbin 150001, Heilongjiang, China
MA Duohe (born 1982), male, from Huoqiu, Anhui; Ph.D.; assistant research fellow at the Institute of Information Engineering, Chinese Academy of Sciences. Main research interests: moving target defense, application security, cloud security, network and system security.
LI Qiong (born 1976), female, from Jishou, Hunan; Ph.D.; professor and doctoral supervisor at Harbin Institute of Technology. Main research interests: quantum cryptography, multimedia security, biometrics.
LIN Dongdai (born 1964), male, from Liaocheng, Shandong; research fellow and doctoral supervisor at the Institute of Information Engineering, Chinese Academy of Sciences. Main research interests: cryptographic theory, security protocols, cyberspace security.
Online publication date: 2018-02
Print publication date: 2018-02-25
Duohe MA, Qiong LI, Dongdai LIN. Moving target defense against network eavesdropping attack using POF (original title: 基于POF的网络窃听攻击移动目标防御方法) [J]. Journal on Communications (通信学报), 2018, 39(2): 73-87. DOI: 10.11959/j.issn.1000-436x.2018025.
Network eavesdropping attacks are a major threat to network communication security. Because such attacks are stealthy and do not disturb the traffic they observe, they are very hard to detect with traditional passive defenses based on traffic-feature recognition or static configuration. Existing methods such as path encryption and dynamic addressing obfuscate only some fields of a network protocol and therefore cannot provide comprehensive protection. This paper proposes a moving target defense (MTD) method that exploits the protocol customization ability of protocol-oblivious forwarding (POF). Through a private-protocol packet randomization strategy and a strategy of randomly dropping deception packets along dynamic paths, the method greatly increases the difficulty of carrying out a network eavesdropping attack and protects the privacy of the network communication process. Experiments and theoretical analysis demonstrate the effectiveness of the method.