软件定义网络下的拟态防御实现架构

doi:10.11959/j.issn.2096-109x.2017.00205

网络与信息安全学报 ›› 2017, Vol. 3 ›› Issue (10): 52-61.doi: 10.11959/j.issn.2096-109x.2017.00205

软件定义网络下的拟态防御实现架构

王禛鹏¹,扈红超¹(),程国振¹,张传浩^1,²

¹ 国家数字交换系统工程技术研究中心，河南郑州 450003
² 铁道警察学院公安技术系，河南郑州 450053

修回日期:2017-09-24 出版日期:2017-10-01 发布日期:2017-11-13
作者简介:王禛鹏（1993-），男，湖北黄冈人，国家数字交换系统工程技术研究中心硕士生，主要研究方向为拟态安全防御。|扈红超（1982-），男，河南商丘人，国家数字交换系统工程技术研究中心副研究员，主要研究方向为网络安全防御和新型网络体系结构。|程国振（1986-），男，山东菏泽人，国家数字交换系统工程技术研究中心助理研究员，主要研究方向为主动防御技术和SDN安全。|张传浩（1979-），男，河南郑州人，铁道警察学院讲师，主要研究方向为网络安全。
基金资助:
国家自然科学基金资助项目(61309020);国家自然科学基金资助项目(61602509);国家自然科学基金创新群体基金资助项目(61521003);国家重点研发计划基金资助项目(2016YFB0800100);国家重点研发计划基金资助项目(2016YFB0800101);河南省科技攻关基金资助项目(172102210615);河南省科技攻关基金资助项目(172102210441)

Implementation architecture of mimic security defense based on SDN

Zhen-peng WANG¹,Hong-chao HU¹(),Guo-zhen CHENG¹,Chuan-hao ZHANG^1,²

¹ National Digital Switching System Engineering ＆Technological R＆D Center,Zhengzhou 450003,China
² Public Security Technology Department,Railway Police College,Zhengzhou 450053,China

Revised:2017-09-24 Online:2017-10-01 Published:2017-11-13
Supported by:
The National Natural Science Foundation of China(61309020);The National Natural Science Foundation of China(61602509);The Foundation for Innovative Research Groups of the National Natural Science Foundation of China(61521003);The National Key Research and Development Program of China(2016YFB0800100);The National Key Research and Development Program of China(2016YFB0800101);The Key Technologies Research and Development Program of Henan Province of China(172102210615);The Key Technologies Research and Development Program of Henan Province of China(172102210441)

摘要/Abstract

摘要：

针对传统防御技术难以应对未知漏洞和后门的问题，拟态安全防御（MSD,mimic security defense）通过构造动态异构冗余模型，提高系统的不确定性，增加攻击者的攻击难度和成本，提升网络安全性能。基于软件定义网络，提出了一种拟态防御的实现架构，首先，按照非相似余度准则构建异构冗余执行体，而后借助软件定义网络的集中管理控制实现动态选调和多模判决等功能。实验验证了架构的入侵容忍能力和可用性。

关键词: 拟态安全防御, 软件定义网络, 主动防御, 动态异构冗余

Abstract:

To deal with the attacks employing unknown security vulnerabilities or backdoors which are difficult for traditional defense techniques to eliminate,mimic security defense (MSD) that employs “dynamic,heterogeneity,redundancy (DHR)” mechanism can increase the difficulty and cost of attack and uncertainty of system so as to improve network security.Based on the software defined networking (SDN),an implementation architecture of MSD was proposed.First,diverse functional equivalent variants for the protected target were constructed,then leverage the rich programmability and flexibility of SDN to realize the dynamic scheduling and decision-making functions on SDN controller.Simulation and experimental results prove the availability and the intrusion tolerant ability of the architecture.

Key words: mimic security defense, software defined networking, active defense, dynamic heterogeneous redundancy

中图分类号:

TP393

王禛鹏,扈红超,程国振,张传浩. 软件定义网络下的拟态防御实现架构[J]. 网络与信息安全学报, 2017, 3(10): 52-61.

Zhen-peng WANG,Hong-chao HU,Guo-zhen CHENG,Chuan-hao ZHANG. Implementation architecture of mimic security defense based on SDN[J]. Chinese Journal of Network and Information Security, 2017, 3(10): 52-61.

图/表 7

图1

图2

图3

图4

表1

图5

图6

参考文献 31

[1]	VOAS J , GHOSH A , CHARRON F ,et al. Reducing uncertainty about common-mode failures[C]// IEEE Symposium Software Reliability Engineering. 1997: 308-319.
[2]	LEVITIN G . Optimal structure of fault-tolerant software systems[J]. Reliability Engineering ＆ System Safety, 2005,89(3): 286-295.
[3]	AROMS E . NIST special publication 800-94 guide to intrusion detection and prevention systems (IDPS)[M]. South Carolina: CreateSpacePress, 2012.
[4]	SPITZNER L , . Honeypots:catching the insider threat[C]// IEEE Computer Security Applications Conference. 2003: 170-179.
[5]	JANA S , PORTER D E , SHMATIKOV V . TxBox:building secure,efficient sandboxes with system transactions[C]// IEEE Symposium on Security and Privacy,IEEE Computer Society. 2011: 329-344.
[6]	ZHUANG R , DELOACH S A , OU X . Towards a theory of moving target defense[C]// ACM Workshop on Moving Target Defense. 2014: 31-40.
[7]	邬江兴 . 网络空间拟态防御研究[J]. 信息安全学报, 2016,1(4): 1-10.
	WU J X . Research on cyber mimic defense[J]. Journal of Cyber Security, 2016,1(4): 1-10.
[8]	MCKEOWN N , ANDERSON T . OpenFlow:enabling innovation in campus networks[J]. ACM Sigcomm Computer Communication Review, 2008,38(2): 69-74.
[9]	COX B , EVANS D , FILIPI A ,et al. 2006.N-variant systems:a secretless framework for security through diversity[C]// Usenix Security Symposium. 2006:9.
[10]	KC G S , KEROMYTIS A D , PREVELAKIS V . Countering code-injection attacks with instruction-set randomization[C]// ACM Conference on Computer and Communications Security. 2003: 272-280.
[11]	HOMESCU A , BRUNTHALER S , LARSEN P ,et al. Librando:transparent code randomization for just-in-time compilers[C]// ACM Sigsac Conference on Computer ＆ Communications Security. 2013: 993-1004.
[12]	BHATKAR S , DUVARNEY D C , SEKAR R . Address obfuscation:an efficient approach to combat a board range of memory error exploits[C]// Conference on Usenix Security Symposium. 2003: 105-120.
[13]	DUNLOP M , GROAT S , URBANSKI W ,et al. Mt6d:a moving target IPv6 defense[C]// IEEE Military Communications Conference. 2011: 1321-1326.
[14]	JAFARIAN J H , AL-SHAER E , DUAN Q . An effective address mutation approach for disrupting reconnaissance attacks[J]. IEEE Transactions on Information Forensics and Security, 2015,10(12): 2562-2577.
[15]	JAFARIAN J H , AL-SHAER E , DUAN Q . Adversary-aware IP address randomization for proactive agility against sophisticated attackers[C]// 2015 IEEE Conference on Computer Communications (Infocom). 2015: 738-746.
[16]	MAYO J R , TORGERSON M D , WALKER A M ,et al. The theory of diversity and redundancy in information system security[R]. LDRD Final Report, 2010.
[17]	王禛鹏, 扈红超, 程国振 . 一种基于拟态安全防御的 DNS 框架设计[J]. 电子学报.
	WANG Z P , HU H C , CHENG G Z . A DNS architecture based on mimic security defense[J]. Chinese Journal of Electronics.
[18]	HU H C , WANG Z P , CHENG G Z ,et al. MNOS:a mimic network operating system for software defined networks[J]. IET Information Security, 2017
[19]	WANG H , SCHMITT J . Load balancing-towards balanced delay guarantees in NFV/SDN[C]//IEEE Conference on NFV-SDN 2016:240-245. IEEE Conference on NFV-SDN,　　　　　　 2016: 240-245.
[20]	CASCONE C , SANVITO D , POLLINI L ,et al. Fast failure detection and recovery in SDN with stateful data plane[J]. International Journal of Network Management, 2016
[21]	PANG J , XU G , FU X . SDN-based data center networking with collaboration of multipath TCP and segment routing[J]. IEEE Access, 2017,(99): 1-1.
[22]	HAN W , ZHAO Z , AHN G J . HoneyMix:toward SDN-based intelligent honeynet[C]// ACM International Workshop on Security in Software Defined Networks ＆ Network Function Virtualization. 2016: 1-6.
[23]	JAFARIAN J H , AL-SHAER E , DUAN Q . Openflow random host mutation:transparent moving target defense using software defined networking[C]// The Workshop on Hot Topics in Software Defined Networks. 2012: 127-132.
[24]	GEMBER-JACOBSON A , VISWANATHAN R , PRAKASH C ,et al. OpenNF:enabling innovation in network function control[C]// ACM Conference on Sigcomm. 2015: 163-174.
[25]	JAFARIAN J H , AL-SHAER E , DUAN Q . Adversary-aware IP address randomization for proactive agility against sophisticated attackers[C]// Computer Communications(IEEE Infocom). 2015:738746.
[26]	PORRAS P , SHIN S , YEGNESWARAN V ,et al. A security enforcement kernel for OpenFlow networks[C]// The First Workshop on Hot Topics in Software Defined Networks. 2012: 121-126.
[27]	CHEUNG S , FONG M , PORRAS P ,et al. Securing the software-defined network control layer[C]// Network and Distributed System Security Symposium. 2015.
[28]	SHIN S , SONG Y , LEE T ,et al. Rosemary:a robust,secure,and high-performance network operating system[C]// 2014 ACM SIGSAC Conference on Computer and Communications Security. 2014: 78-89.
[29]	BERDE P , HART J , HART J ,et al. ONOS:towards an open,distributed SDN OS[C]// The Workshop on Hot Topics in Software Defined Networking. 2010: 1-6.
[30]	LI H , LI P , GUO S ,et al. Byzantine-resilient secure software defined networks with multiple controllers in cloud[J]. IEEE Transactions on Cloud Computing, 2015,2(4): 436-447.
[31]	HU H C , WANG Z P , CHENG G Z ,et al. MNOS:a mimic network operating system for software defined networks[J]. IET Information Security, 2017.

符号	含义
T_{td_ss}	两交换机间的传输时延
T_{td_cs}	控制器与交换机间的传输时延
T_{td_ce}	执行体到控制器间总时延
T_{pd_s}	交换机修改报文的处理时延
T_{pd_c}	控制器的处理时延
T_{pd_e}	执行体的处理时延
T_add	架构增加的时延

软件定义网络下的拟态防御实现架构

Implementation architecture of mimic security defense based on SDN

在线阅读

pdf下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 7

参考文献 31

相关文章 15

Metrics

推荐阅读 0

[1]	王泽南, 李佳浩, 檀朝红, 皮德常. 面向网络安全资源池的智能服务链系统设计与分析[J]. 网络与信息安全学报, 2022, 8(4): 175-181.
[2]	王洋, 汤光明, 王硕, 楚江. 基于API调用管理的SDN应用层DDoS攻击防御机制[J]. 网络与信息安全学报, 2022, 8(2): 73-87.
[3]	何威振, 陈福才, 牛杰, 谭晶磊, 霍树民, 程国振. 面向网络层的动态跳变技术研究进展[J]. 网络与信息安全学报, 2021, 7(6): 44-55.
[4]	陈浩宇, 邹德清, 金海. 面向SDN/NFV环境的网络功能策略验证[J]. 网络与信息安全学报, 2021, 7(3): 59-71.
[5]	王涛, 陈鸿昶. 考虑拜占庭属性的SDN安全控制器多目标优化部署方案[J]. 网络与信息安全学报, 2021, 7(3): 72-84.
[6]	赵普, 赵文涛, 付章杰, 刘强. 基于Renyi熵的SDN自主防护系统[J]. 网络与信息安全学报, 2021, 7(3): 85-94.
[7]	吴奇,陈鸿昶. 低故障恢复开销的软件定义网络控制器布局算法[J]. 网络与信息安全学报, 2020, 6(6): 97-104.
[8]	李国春,马睿,马季春,李伯中,刘惠明,张桂玉. 广域网出口流量调度SDN部署研究[J]. 网络与信息安全学报, 2020, 6(5): 148-157.
[9]	黄伟, 路冉, 刘存才, 祁思博. 基于SDN分级分域架构的QoS约束路由算法[J]. 网络与信息安全学报, 2019, 5(5): 21-31.
[10]	王洋,汤光明,雷程,韩冬. 面向链路洪泛攻击的多维检测与动态防御方法[J]. 网络与信息安全学报, 2019, 5(4): 80-90.
[11]	谭晶磊, 张红旗, 雷程, 刘小虎, 王硕. 面向SDN的移动目标防御技术研究进展[J]. 网络与信息安全学报, 2018, 4(7): 1-12.
[12]	吕迎迎,郭云飞,王禛鹏,程国振,王亚文. SDN中基于历史信息的负反馈调度算法[J]. 网络与信息安全学报, 2018, 4(6): 45-51.
[13]	郭中孚, 张兴明, 赵博, 王苏南. 软件定义网络数据平面安全综述[J]. 网络与信息安全学报, 2018, 4(11): 1-12.
[14]	吴奇,陈鸿昶,陈福才. 异构容错控制平面的安全性分析[J]. 网络与信息安全学报, 2018, 4(11): 32-39.
[15]	卢振平,陈福才,程国振. 软件定义网络中控制器调度时间机制设计与实现[J]. 网络与信息安全学报, 2018, 4(1): 36-44.