面向SDN的移动目标防御技术研究进展

doi:10.11959/j.issn.2096-109x.2018061

网络与信息安全学报 ›› 2018, Vol. 4 ›› Issue (7): 1-12.doi: 10.11959/j.issn.2096-109x.2018061

• 综述 • 下一篇

面向SDN的移动目标防御技术研究进展

谭晶磊^1,²,张红旗^1,²,雷程^1,²,刘小虎¹,王硕¹

¹ 信息工程大学密码工程学院，河南郑州 450001
² 河南省信息安全重点实验室，河南郑州 450001

修回日期:2018-07-03 出版日期:2018-07-15 发布日期:2018-09-10
作者简介:谭晶磊（1994-），男，山东章丘人，信息工程大学研究生，主要研究方向为网络信息安全、移动目标防御。|张红旗（1962-），男，河北遵化人，信息工程大学教授、博士生导师，主要研究方向为网络安全、移动目标防御、等级保护和信息安全管理。|雷程（1989-），男，北京人，信息工程大学博士生，主要研究方向为网络信息安全、移动目标防御、数据安全交换和网络流指纹。|刘小虎（1989-），男，河南太康人，信息工程大学讲师，主要研究方向为动态网络防御。|王硕（1991-），男，河南南阳人，信息工程大学博士生，主要研究方向为网络系统安全。
基金资助:
国家高技术研究发展计划（“863”计划）基金资助项目(2012AA012704);国家高技术研究发展计划（“863”计划）基金资助项目(2015AA7116040);郑州市科技领军人才基金资助项目(131PLJRC644)

Research progress on moving target defense for SDN

Jinglei TAN^1,²,Hongqi ZHANG^1,²,Cheng LEI^1,²,Xiaohu LIU¹,Shuo WANG¹

¹ School of Cryptography Engineering,Information Engineering University,Zhengzhou 450001,China
² Henan Provincial Key Laboratory of Information Security,Zhengzhou 450001,China

Revised:2018-07-03 Online:2018-07-15 Published:2018-09-10
Supported by:
The National High Technology Research and Development Program of China (863 Program)(2012AA012704);The National High Technology Research and Development Program of China (863 Program)(2015AA7116040);Zhengzhou Science and Technology Leader Project(131PLJRC644)

摘要/Abstract

摘要：

软件定义网络是基于开放标准的灵活架构，通过控制层管理网络功能和服务，具有控转分离、集中控制的特性；移动目标防御技术致力于构建一个不断变换的环境以提高网络系统的视在不确定性，需要灵活可定制、集中可控制的网络架构加以实施，因此将移动目标防御与软件定义网络相结合已成为更具应用价值研究热点。首先，分别介绍了软件定义网络和移动目标防御的基本概念，概括了软件定义网络所面临的安全威胁，阐述了面向SDN的移动目标防御的实现模型；其次，分别从SDN数据层、控制层和应用层归纳了移动目标防御的技术方法；最后，总结了现有SDN动态防御面临的挑战，对面向SDN的移动目标防御技术发展方向进行了展望。

关键词: 软件定义网络, 移动目标防御, 动态化, 多样性, 随机性

Abstract:

Software-defined network is based on flexible and open standards,which manages network functions and services by the control layer.And it has the unique advantages of control-separation and centralized control.The moving target defense technology is dedicated to build an ever-changing environment to increase the uncertainty of the network system,which requires a flexible and customizable,centralized and controllable network architecture to implement it.Therefore,the combination of moving target defense and software-defined network have become a more valuable research hotspot.Firstly,the basic concepts of software-defined network and moving target defense were introduced,the security threats of software-defined network was summarized,and the realization model of moving target defense for SDN network was described.Secondly,the technical methods for moving target defense were summarized respectively form the data layer,control layer and application layer of the SDN.Finally,summing up the challenges of existing SDN dynamic defense,and looking forward to the development direction of moving target defense technologies for the SDN.

Key words: software-defined network, moving target defense, dynamic, diversity, randomness

中图分类号:

TP393

谭晶磊, 张红旗, 雷程, 刘小虎, 王硕. 面向SDN的移动目标防御技术研究进展[J]. 网络与信息安全学报, 2018, 4(7): 1-12.

Jinglei TAN, Hongqi ZHANG, Cheng LEI, Xiaohu LIU, Shuo WANG. Research progress on moving target defense for SDN[J]. Chinese Journal of Network and Information Security, 2018, 4(7): 1-12.

图/表 11

图1

图2

表1

图3

图4

图5

图6

图7

图8

图9

图10

参考文献 63

[1]	LANTZ B , HELLER B , Mckeown N . A network in a laptop:rapid prototyping for software-defined networks[C]// ACM Workshop on Hot Topics in Networks.HOTNETS 2010,Monterey,Ca,Usa October. DBLP, 2010: 1-6.
[2]	KREUTZ D , RAMOS F M V ,et al. Software-defined networking:a comprehensive survey[J]. Proceedings of the IEEE, 2014,103(1): 10-13.
[3]	SCOTT-HAYWARD S , O'CALLAGHAN G , SEZER S . SDN security:a survey[C]// Future Networks and Services. IEEE, 2013: 1-7.
[4]	EATHERTON W , . The push of network processing to the top of the pyramid[C]// Architecture for Networking and Communications Systems. 2005.
[5]	BENTON K , CAMP L J , SMALL C . OpenFlow vulnerability assessment[C]// ACM SIGCOMM Workshop on Hot Topics in Software Defined NETWORKING. ACM, 2013: 151-152.
[6]	OpenFlow Switch Specification v1.3.0(2013)[S]. .
[7]	JAJODIA S , GHOSH A K , SWARUP V ,et al. Moving target defense:creating asymmetric uncertainty for Cyber Threats[M]. Berlin: Springer,2011, 54.
[8]	MANADHATA P K , WING J M . A formal model for a system’s attack surface[J]. Advances in Information Security, 2011,54: 1-28.
[9]	ZHANG H G , HAN W B , LAI X J ,et al. Survey on cyberspace security[J]. Science China Information Sciences, 2015,58(11): 1-43.
[10]	雷程, 马多贺, 张红旗, 杨英杰, 王利明 . 基于网络攻击面自适应转换的移动目标防御技术[J]. 计算机学报, 2017(5): 1-23.
	LEI C , MA D , ZHANG H ,et al. Moving target defense technology based on network attack surface self-adaptive mutation[J]. Chinese Journal of Computers, 2017(5): 1-23.
[11]	MA D , LEI C , WANG L ,et al. A Self-adaptive hopping approach of moving target defense to thwart scanning attacks[C]// International Conference on Information and Communications,Security, 2016.
[12]	PAPPA A C , ASHOK A , GOVINDARASU M . Moving target defense for securing smart grid communications:architecture,implementation ＆ evaluation[C]// Power ＆ Energy Society Innovative Smart Grid Technologies Conference. IEEE, 2017: 1-5.
[13]	ZARGAR S T , JOSHI J , TIPPER D . A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks[J]. IEEE Communications Surveys ＆ Tutorials, 2013,15(4): 2046-2069.
[14]	TOOTOONCHIAN A , GORBUNOV S , SHERWOOD R ,et al. On controller performance in software-defined networks[C]// Usenix Conference on Hot Topics in Management of Internet,Cloud,and Enterprise Networks and Services. USENIX Association, 2012.
[15]	FEGHALI A , KILANY R , CHAMOUN M . SDN security problems and solutions analysis[C]// International Conference on Protocol Engineering. IEEE, 2015: 1-5.
[16]	ZHUANG R . A theory for understanding and quantifying moving target defense[J]. Dissertations ＆ Theses - Gradworks, 2015.
[17]	KAMPANAKIS P , PERROS H , BEYENE T . SDN-based solutions for moving target defense network protection[C]// World of Wireless,Mobile and Multimedia Networks. IEEE, 2014: 1-6.
[18]	CHUN C J , XING T , HUANG D ,et al. SeReNe:on establishing secure and resilient networking services for an SDN-based multi-tenant datacenter environment[C]// IEEE International Conference on Dependable Systems and Networks Workshops. IEEE, 2015: 4-11.
[19]	ZHOU H , WU C , JIANG M ,et al. Evolving defense mechanism for future network security[J]. IEEE Communications Magazine, 2015,53(4): 45-51.
[20]	WANG J , XIAO F , HUANG J ,et al. CHAOS:an SDN-based moving target defense system[J]. arXiv:1704.01482, 2017.
[21]	KOPONEN T , CASADO M , GUDE N ,et al. Onix:a distributed control platform for large-scale production networks[C]// Usenix Conference on Operating Systems Design and Implementation. USENIX Association, 2010: 351-364.
[22]	JAFARIAN J H , AL-SHAER E , DUAN Q . Openflow random host mutation:transparent moving target defense using software defined networking[C]// The Workshop on Hot Topics in Software Defined Networks. ACM, 2012: 127-132.
[23]	CORBETT C , UHER J , COOK J ,et al. Countering intelligent jamming with full protocol stack agility[J]. IEEE Security ＆ Privacy, 2014,12(2): 44-50.
[24]	JAFARIAN J H H , AL-SHAER JE , DUAN Q . Spatio-temporal address mutation for proactive cyber agility against sophisticated attackers[C]// ACM Workshop. ACM, 2014: 69-78.
[25]	JAFARIAN J H , AL-SHAER E , DUAN Q . Adversary-aware IP address randomization for proactive agility against sophisticated attackers[C]// Computer Communications. IEEE, 2015: 738-746.
[26]	JAFARIAN J H , AL-SHAER E , DUAN Q . An effective address mutation approach for disrupting reconnaissance attacks[J]. IEEE Transactions on Information Forensics ＆ Security, 2015,10(12): 2562-2577.
[27]	CHAVEZ A R , STOUT W M S , Peisert S . Techniques for the dynamic randomization of network attributes[C]// International Carnahan Conference on Security Technology. IEEE, 2016: 1-6.
[28]	SMITH R J , ZINCIR-HEYWOOD A N , JACOBS J T ,et al. Initiating a moving target network defense with a real-time neuro-evolutionary detector[C]// Genetic and Evolutionary Computation Conference Companion. ACM, 2016: 1095-1102.
[29]	NOJOUMIAN M , GOLCHUBIAN A , SAPUTRO N ,et al. Preventing collusion between SDN defenders anc attackers using a game theoretical approach[C]// Computer Communications Workshops. IEEE, 2017.
[30]	MACFARLAND D C , SHUE C A . The SDN Shuffle:creating a moving-target defense using host-based software-defined networking[C]// ACM Workshop on Moving Target Defense. ACM, 2015: 37-41.
[31]	CHAVEZ A R , STOUT W M S , PEISERT S . Techniques for the dynamic randomization of network attributes[C]// International Carnahan Conference on Security Technology. IEEE, 2016: 1-6.
[32]	WANG S , ZHANG L , TANG C . A new dynamic address solution for moving target defense[C]// Information Technology,Networking,Electronic and Automation Control Conference,IEEE, 2016: 1149-1152.
[33]	AYDEGER A , SAPUTRO N , AKKAYA K ,et al. Mitigating crossfire attacks using sdn-based moving target defense[C]// Local Computer Networks. IEEE, 2016: 627-630.
[34]	MIN S K , LEE S B , GLIGOR V D . The crossfire attack[C]// IEEE Symposium on Security and Privacy. IEEE Computer Society, 2013: 127-141.
[35]	WANG Q , XIAO F , ZHOU M ,et al. Linkbait:active link obfuscation to thwart link-flooding attacks[J]. arXiv:1703.09521, 2017.
[36]	ASEERI A , NETJINDA N , HEWETT R . Alleviating eavesdropping attacks in software-defined networking data plane[C]// Conference on Cyber and Information Security Research. ACM, 2017:1.
[37]	FEAMSTER N , REXFORD J , ZEGURA E . The road to SDN:an intellectual history of programmable networks[M]. ACM, 2014.
[38]	LIU J , ZHANG H , GUO Z . A Defense mechanism of random routing mutation in SDN[J]. Ieice Transactions on Information ＆ Systems, 2017,100(5): 1046-1054.
[39]	DUAN Q , AL-SHAER E , JAFARIAN H . Efficient random route mutation considering flow and network constraints[C]// Communications and Network Security. IEEE, 2013: 260-268.
[40]	雷程, 马多贺, 张红旗 ,等. 基于最优路径跳变的网络移动目标防御技术[J]. 通信学报, 2017,38(3): 133-143.
	LEI C , MA D H , ZHANG H Q ,et al. Network moving target defense technique based on optimal forwarding path migration[J]. Journal on Communications, 2017,38(3): 133-143.
[41]	JAFARIAN J H , AL-SHAER E , DUAN Q . Formal approach for route agility against persistent attackers[C]// European Symposium on Research in Computer Security. Springer,Berlin,Heidelberg, 2013: 237-254.
[42]	RAUF U , GILLANI F , AL-SHAER E ,et al. Formal approach for resilient reachability based on end-system route agility[C]// ACM Workshop on Moving Target Defense. ACM, 2016: 117-127.
[43]	HAACK J N , FINK G A , MAIDEN W M ,et al. Ant-based cyber security[C]// Eighth International Conference on Information Technology:New Generations. IEEE, 2011: 918-926.
[44]	FINK G A , HAACK J N , MCKINNON A D ,et al. Defense on the move:ant-based cyber defense[J]. IEEE Security ＆ Privacy, 2014,12(2): 36-43.
[45]	MIYAZAKI R , KAWAMOTO J , MATSUMOTO S ,et al. Host independent and distributed detection system of the network attack by using OpenFlow[C]// International Conference on Information NETWORKING. IEEE, 2017: 236-241.
[46]	LEI C , ZHANG H Q , MA D H ,et al. Network moving target defense technique based on self-adaptive end-point hopping[J]. Arabian Journal for Science ＆ Engineering, 2017,42(8): 1-14.
[47]	ZHANG H Q , LEI C , CHANG D X ,et al. Network moving target defense technique based on collaborative mutation[J]. Computers ＆Security, 2017,70: 51-71.
[48]	LEE H C J , THING V L L . Port hopping for resilient networks[C]// Vehicular Technology Conference,IEEE, 2004: 3291-3295.
[49]	BADISHI G , HERZBERG A , KEIDAR I . Keeping denial-of-service attackers in the dark[J]. IEEE Transactions on Dependable ＆ Secure Computing, 2007,4(3): 191-204.
[50]	SHI L , JIA C , Lü S ,et al. Port and address hopping for active cyber-defense[M]// Intelligence and Security Informatics. Springer Berlin Heidelberg, 2007: 295-300.
[51]	LUO Y B , WANG B S , WANG X F ,et al. A keyed-hashing based self-synchronization mechanism for port address hopping communication[J]. Frontiers of Information Technology and Electronic Engineering, 2017,18(5): 719-728.
[52]	ZHANG L , WANG Z , GU K ,et al. Transparent synchronization based port mutation scheme in SDN network[C]// International Conference on Computer Science and Network Technology. 2016: 581-585.
[53]	ZHANG L , GUO Y , YUWEN H ,et al. A port hopping based dos mitigation scheme in SDN network[C]// International Conference on Computational Intelligence and Security. IEEE, 2017: 314-317.
[54]	MA D , XU Z , LIN D . Defending blind DDoS attack on SDN based on moving target defense[C]// International Conference on Security and Privacy in Communication Networks. 2014: 463-480.
[55]	WU Z , WEI Q , REN K ,et al. A dynamic defense using client puzzle for identity-forgery attack on the south-bound of software defined networks[J]. Ksii Transactions on Internet ＆ Information Systems, 2017,11(2): 846-864.
[56]	CHOWDHARY A , PISHARODY S , ALSHAMRANI A ,et al. Dynamic game based security framework in SDN-enabled cloud networking environments[C]// ACM International Workshop on Security in Software Defined Networks ＆ Network Function Virtualization. ACM, 2017: 53-58.
[57]	JANTILA S , CHAIPAH K . A Security analysis of a hybrid mechanism to defend DDoS attacks in SDN[J]. Procedia Computer Science, 2016,86: 437-440.
[58]	DEVI S R , YOGESH P . A Hybrid approach to counter application layer DDoS attacks[J]. International Journal on Cryptography ＆Information Security, 2012.
[59]	DEBROY S , CALYAM P , NGUYEN M ,et al. Frequency-minimal moving target defense using software-defined networking[C]// International Conference on Computing,Networking and Communications. IEEE, 2016: 1-6.
[60]	GILLANI F , AL-SHAER E , LO S ,et al. Agile virtualized infrastructure to proactively defend against cyber attacks[C]// Computer Communications. IEEE, 2015: 729-737.
[61]	SHIN S , PORRAS P , YEGNESWARAN V ,et al. FRESCO:modular composable security services for software defined networks[J]. Proceedings of Network ＆ Distributed Security Symposium, 2013.
[62]	SHIN S , GU G . CloudWatcher:network security monitoring using openflow in dynamic cloud networks (or:How to provide security monitoring as a service in clouds?)[C]// IEEE International Conference on Network Protocols. IEEE Computer Society, 2012: 1-6.
[63]	ZAALOUK A , KHONDOKER R , MARX R ,et al. OrchSec:anorchestrator-based architecture for enhancing network-security using Network Monitoring and SDN Control functions[C]// Noms. IEEE, 2014: 1-9.

安全威胁	数据层	控制层	应用层
未经授权的控制器访问	√	√
未经身份验证的应用程序		√	√
流规则泄露	√
转发规则泄露	√
流规则修改	√	√
欺骗性规则插入		√	√
控制器?交换机通信泛洪	√	√
交换机流表泛滥			√

面向SDN的移动目标防御技术研究进展

Research progress on moving target defense for SDN

在线阅读

pdf下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 11

参考文献 63

相关文章 15

Metrics

推荐阅读 0

[1]	谢根琳, 程国振, 王亚文, 王庆丰. 基于gadget特征分析的软件多样性评估方法[J]. 网络与信息安全学报, 2023, 9(3): 161-173.
[2]	王泽南, 李佳浩, 檀朝红, 皮德常. 面向网络安全资源池的智能服务链系统设计与分析[J]. 网络与信息安全学报, 2022, 8(4): 175-181.
[3]	王子驰, 冯国瑞, 张新鹏. NFT图像隐写[J]. 网络与信息安全学报, 2022, 8(3): 18-28.
[4]	王洋, 汤光明, 王硕, 楚江. 基于API调用管理的SDN应用层DDoS攻击防御机制[J]. 网络与信息安全学报, 2022, 8(2): 73-87.
[5]	何威振, 陈福才, 牛杰, 谭晶磊, 霍树民, 程国振. 面向网络层的动态跳变技术研究进展[J]. 网络与信息安全学报, 2021, 7(6): 44-55.
[6]	陈浩宇, 邹德清, 金海. 面向SDN/NFV环境的网络功能策略验证[J]. 网络与信息安全学报, 2021, 7(3): 59-71.
[7]	王涛, 陈鸿昶. 考虑拜占庭属性的SDN安全控制器多目标优化部署方案[J]. 网络与信息安全学报, 2021, 7(3): 72-84.
[8]	赵普, 赵文涛, 付章杰, 刘强. 基于Renyi熵的SDN自主防护系统[J]. 网络与信息安全学报, 2021, 7(3): 85-94.
[9]	曾威, 扈红超, 李凌书, 霍树民. 容器云中基于Stackelberg博弈的动态异构调度方法[J]. 网络与信息安全学报, 2021, 7(3): 95-104.
[10]	王滨, 陈靓, 钱亚冠, 郭艳凯, 邵琦琦, 王佳敏. 面向对抗样本攻击的移动目标防御[J]. 网络与信息安全学报, 2021, 7(1): 113-120.
[11]	吴奇,陈鸿昶. 低故障恢复开销的软件定义网络控制器布局算法[J]. 网络与信息安全学报, 2020, 6(6): 97-104.
[12]	李国春,马睿,马季春,李伯中,刘惠明,张桂玉. 广域网出口流量调度SDN部署研究[J]. 网络与信息安全学报, 2020, 6(5): 148-157.
[13]	何康,祝跃飞,刘龙,芦斌,刘彬. 敌对攻击环境下基于移动目标防御的算法稳健性增强方法[J]. 网络与信息安全学报, 2020, 6(4): 67-76.
[14]	黄伟, 路冉, 刘存才, 祁思博. 基于SDN分级分域架构的QoS约束路由算法[J]. 网络与信息安全学报, 2019, 5(5): 21-31.
[15]	王洋,汤光明,雷程,韩冬. 面向链路洪泛攻击的多维检测与动态防御方法[J]. 网络与信息安全学报, 2019, 5(4): 80-90.