基于网络特征混淆的欺骗防御技术研究

doi:10.11959/j.issn.2096-109x.2021045

摘要/Abstract

摘要：

网络攻击之前通常有侦查阶段，攻击者通过流量分析和主动扫描等技术获取目标系统的关键信息，从而制定有针对性的网络攻击。基于网络特征混淆的欺骗防御是一种有效的侦查对抗策略，该策略干扰攻击者在侦查阶段获取的信息，从而使攻击者发动无效的攻击。对现有混淆欺骗防御方案的技术原理进行了分析，给出了网络混淆欺骗的形式化定义，并从3个层次对现有的研究成果进行了讨论，最后分析了混淆欺骗防御技术的发展趋势。

关键词: 网络侦查防护, 拓扑混淆, 侦查欺骗, 欺骗防御

Abstract:

There is usually a reconnaissance stage before a network attack, the attacker obtains the key information of the target system through techniques such as traffic analysis and active scanning, to formulate a targeted network attack.Deception defense techniques based on network characteristics obfuscation is an effective strategy to confront network reconnaissance, which makes the attacker launch an ineffective attack by thwarting the attacker's reconnaissance stage.The technical principle of the existing obfuscation defense solutions was analyzed, the formal definition of network obfuscation was given, the existing research works were discussed from three aspects, and finally the development trend of the obfuscation deception defense technique were analyzed.

Key words: network reconnaissance protection, topology obfuscation, reconnaissance deception, deception defense

中图分类号:

TP393

赵金龙, 张国敏, 邢长友. 基于网络特征混淆的欺骗防御技术研究[J]. 网络与信息安全学报, 2021, 7(4): 42-52.

Jinlong ZHAO, Guomin ZHANG, Changyou XING. Research on deception defense techniques based on network characteristics obfuscation[J]. Chinese Journal of Network and Information Security, 2021, 7(4): 42-52.

图/表 10

图1

图2

图3

表1

图4

表2

图5

图6

图7

图8

参考文献 64

[1]	PANJWANI S , TAN S , JARRIN K M ,et al. An experimental evaluation to determine if port scans are precursors to an attack[C]// 2005 International Conference on Dependable Systems and Networks (DSN'05). 2005: 602-611.
[2]	KEWLEY D , FINK R , LOWRY J ,et al. Dynamic approaches to thwart adversary intelligence gathering[C]// Proceedings DARPA Information Survivability Conference and Exposition II DISCEX'01. 2001，1： 176-185.
[3]	HUTCHINS E M , CLOPPERT M J , AMIN R M . Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains[J]. Leading Issues in Information Warfare Security Research, 2011,1(1): 80.
[4]	AL-SHAER E , DUAN Q , JAFARIAN J H . Random host mutation for moving target defense[C]// International Conference on Security and Privacy in Communication Systems. 2012: 310-327.
[5]	JAFARIAN J H , AL-SHAER E ,, DUAN Q . Openflow random host mutation:Transparent moving target defense using software defined networking[C]// Proceedings of the First Workshop on Hot Topics in Software Defined Networks. 2012: 127-132.
[6]	TRASSARE S T , BEVERLY R , ALDERSON D . A technique for network topology deception[C]// 2013 IEEE Military Communications Conference. 2013: 1795-1800.
[7]	ACHLEITNER S , LA PORTA T F , MCDANIEL P ,et al. Deceiving network reconnaissance using SDN-based virtual topologies[J]. IEEE Transactions on Network and Service Management, 2017,14(4): 1098-1112.
[8]	CHIANG C-Y J , VENKATESAN S , SUGRIM S ,et al. On defensive cyber deception:a case study using SDN[C]// 2018 IEEE Military Communications Conference (MILCOM). 2018: 110-115.
[9]	ERIKSSON B , DASARATHY G , BARFORD P ,et al. Efficient network tomography for internet topology discovery[J]. IEEE/ACM Transactions on Networking (TON), 2012,20(3): 931-943.
[10]	JAJODIA S , GHOSH A K , SWARUP V ,et al. Moving target defense:creating asymmetric uncertainty for cyber threats[M]// Advances in information security. 2011.
[11]	邬江兴 . 网络空间拟态防御研究[J]. 信息安全学报, 2016,1(4): 1-10.
	WU J X . Research on cyber mimic defense[J]. Journal of Cyber Security, 2016,1(4): 1-10
[12]	XIAO H , KHEIR N , BALZAROTTI D . Deception techniques in computer security:a research perspective[J]. ACM Computing Surveys, 2018,51(4): 1-36.
[13]	BAO N , MUSACCHIO J . Optimizing the decision to expel attackers from an information system[C]// 2009 47th Annual Allerton Conference on Communication Control and Computing (Allerton). 2009: 644-651.
[14]	HORáK K , ZHU Q , BO?ANSKY B , . Manipulating adversary’s belief:a dynamic game approach to deception by design for proactive network security[C]// International Conference on Decision and Game Theory for Security. 2017: 273-294.
[15]	JAFARIAN J H , AL-SHAER E ,, DUAN Q . Adversary-aware ip address randomization for proactive agility against sophisticated attackers[C]// 2015 IEEE Conference on Computer Communications (INFOCOM). 2015: 738-746.
[16]	SPRING N , MAHAJAN R , WETHERALL D . Measuring ISP topologies with rocketfuel[J]. ACM Sigcomm Computer Communication Review, 2002,32(4): 133-145.
[17]	TROWBRIDGE C . An overview of remote operating system fingerprinting[EB].
[18]	YUILL J J . Defensive computer-security deception operations:Processes,principles and techniques[D]. Raleigh:North Carolina State University, 2006.
[19]	KELLY J , DELAUS M , HEMBERG E ,et al. Adversarially adapting deceptive views and reconnaissance scans on a software defined network[C]// 2019 IFIP/IEEE Symposium on Integrated Network and Service Management (IM). 2019: 49-54.
[20]	贾召鹏, 方滨兴, 刘潮歌 ,等. 网络欺骗技术综述[J]. 通信学报, 2017,38(12): 128-143.
	JIA Z P , FANG B X , LIU C G ,et al. Survey on cyber deception[J]. Journal on Communications, 2017,38(12): 128-143.
[21]	石乐义, 李阳, 马猛飞 . 蜜罐技术研究新进展[J]. 电子与信息学报, 2019,41(2): 249-259.
	SHI L Y , LI Y , MA M F . Latest research progress of honeypot technology[J]. Journal of Electronics ＆ Information Technology, 2019,41(2): 249-259.
[22]	STOECKLIN M P , ZHANG J , ARAUJO F ,et al. Dressed up:baiting attackers through endpoint service projection[C]// Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks ＆ Network Function Virtualization. 2018: 23-28.
[23]	ALBANESE M , BATTISTA E , JAJODIA S . Deceiving attackers by creating a virtual attack surface[M]// Cyber Deception. 2016: 167-199.
[24]	PROVOS N , . Honeyd-a virtual honeypot daemon[C]// 10th DFN-CERT Workshop,Hamburg,Germany. 2003:4.
[25]	Cyberchaff[EB].
[26]	KIM J , SHIN S . Software-defined honeynet:towards mitigating link flooding attacks[C]// 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W). 2017: 99-100.
[27]	AL-SHAER E , WEI J , HAMLEN K W ,et al. Netshifter:a comprehensive multi-dimensional network obfuscation and deception solution[M]// Autonomous Cyber Deception, 2019: 125-146.
[28]	JAJODIA S , PARK N , PIERAZZI F ,et al. A probabilistic logic of cyber deception[J]. IEEE Transactions on Information Forensics and Security, 2017,12(11): 2532-2544.
[29]	ROWE N C , DUONG B T , CUSTY E J . Fake honeypots:a defensive tactic for cyberspace[C]// IEEE Workshop on Information Assurance. 2006: 223-230.
[30]	COHEN F . A note on the role of deception in information protection[J]. Computers ＆ Security, 1998,17(6): 483-506.
[31]	COHEN F . The use of deception techniques:honeypots and decoys[J]. Handbook of Information Security, 2006,3(1): 646-655.
[32]	PINGREE L . Emerging technology analysis:Deception techniques and technologies create security technology business opportunities[R]. Gartner Inc, 2015.
[33]	WANG Q , XIAO F , ZHOU M ,et al. Linkbait:active link obfuscation to thwart link-flooding attacks[J]. arXiv:Networking and Internet Architecture, 2017.
[34]	MEIER R , TSANKOV P , LENDERS V ,et al. Nethide:secure and practical network topology obfuscation[C]// 27th USENIX Security Symposium (USENIX Security 18). 2018: 693-709.
[35]	MAXIMOV R V , IVANOV I I , SHARIFULLIN S R . Network topology masking in distributed information systems[C]// Selected Papers of the VIII All-Russian Conference with International Participation" Secure Information Technologies". 2017:83.
[36]	GILLANI F , AL-SHAER E , LO S ,et al. Agile virtualized infrastructure to proactively defend against cyber attacks[C]// IEEE Conference on Computer Communications. 2015: 729-737.
[37]	DUAN Q , AL-SHAER E ,, JAFARIAN H . Efficient random route mutation considering flow and network constraints[C]// 2013 IEEE Conference on Communications and Network Security (CNS). 2013: 260-268.
[38]	KAMPANAKIS P , PERROS H , BEYENE T . SDN-based solutions for moving target defense network protection[C]// Proceeding of IEEE International Symposium on a World of Wireless,Mobile and Multimedia Networks 2014. 2014: 1-6.
[39]	LIASKOS C , KOTRONIS V , DIMITROPOULOS X . A novel framework for modeling and mitigating distributed link flooding attacks[C]// IEEE INFOCOM 2016-The 35th Annual IEEE International Conference on Computer Communications. 2016: 1-9.
[40]	SHAKARIAN P , KULKARNI N , ALBANESE M ,et al. Keeping intruders at bay:a graph-theoretic approach to reducing the probability of successful network intrusions[C]// International Conference on E-Business and Telecommunications,Cham. 2014: 191-211.
[41]	BORDERS K , FALK L , PRAKASH A . Openfire:Using deception to reduce network attacks[C]// International Conference on Security＆ Privacy in Communications Networks ＆ the Workshops. 2007: 224-233.
[42]	WANG L , WU D . Moving target defense against network reconnaissance with software defined networking[C]// International Conference on Information Security. 2016: 203-217.
[43]	SHIMANAKA T , MASUOKA R , HAY B . Cyber deception architecture:covert attack reconnaissance using a safe SDN approach[C]// Proceedings of the 52nd Hawaii International Conference on System Sciences. 2019: 1-10.
[44]	XU M , GAO Y , FENG C . DDS:a distributed deception defense system based on SDN[C]// 2018 14th International Conference on Computational Intelligence and Security (CIS). 2018: 430-433.
[45]	ROBERTSON S , ALEXANDER S , MICALLEF J ,et al. Cindam:customized information networks for deception and attack mitigation[C]// IEEE International Conference on Self-adaptive ＆Self-organizing Systems Workshops. 2015: 114-119.
[46]	CHIANG C-Y J , GOTTLIEB Y M , SUGRIM S J ,et al. Acyds:an adaptive cyber deception system[C]// 2016 IEEE Military Communications Conference. 2016: 800-805.
[47]	ANTONATOS S , AKRITIDIS P , MARKATOS E P ,et al. Defending against hitlist worms using network address space randomization[J]. Computer Networks, 2007,51(12): 3471-3490.
[48]	YACKOSKI J , XIE P , BULLEN H ,et al. A self-shielding dynamic network architecture[C]// Military Communications Conference. 2011: 1381-1386.
[49]	MACFARLAND D C , SHUE C A . The SDN shuffle:Creating a moving-target defense using host-based software-defined networking[C]// Proceedings of the Second ACM Workshop on Moving Target Defense. 2015: 37-41.
[50]	DATTA T , FEAMSTER N , REXFORD J ,et al. {spine}:Surveillance protection in the network elements[C]// 9th USENIX Workshop on Free and Open Communications on the Internet (FOCI 19). 2019.
[51]	MEIER R , GUGELMANN D , VANBEVER L . ITAP:In-network traffic analysis prevention using software-defined networks[C]// Proceedings of the Symposium on SDN Research. 2017: 102-114.
[52]	ZHU T W , FENG D , WANG F ,et al. Efficient anonymous communication in SDN-based data center networks[J]. IEEE-ACM Transactions on Networking, 2017,25(6): 3767-3780.
[53]	LU Z , WANG C , WEI M . A proactive and deceptive perspective for role detection and concealment in wireless networks[M]// Cyber Deception, 2016: 97-114.
[54]	FRAUNHOLZ D , RETI D , DUQUE ANTON S ,et al. Cloxy:a context-aware deception-as-a-service reverse proxy for web services[C]// Proceedings of the 5th ACM Workshop on Moving Target Defense. 2018: 40-47.
[55]	HAN X , KHEIR N , BALZAROTTI D . Evaluation of deception-based web attacks detection[C]// Proceedings of the 2017 Workshop on Moving Target Defense. 2017: 65-73.
[56]	WATSON D , SMART M , MALAN G R ,et al. Protocol scrubbing:network security through transparent flow modification[J]. IEEE/ACM Transactions on Networking, 2004,12(2): 261-273.
[57]	SMART M , MALAN G R , JAHANIAN F . Defeating TCP/IP stack fingerprinting[C]// Usenix Security Symposium. 2000:17.
[58]	MALéCOT E L , . Mitibox:Camouflage and deception for network scan mitigation[C]// Usenix Conference on Hot Topics in Security. 2009:4.
[59]	SHI Y , ZHANG H , WANG J ,et al. Chaos:an SDN-based moving target defense system[J]. Security and Communication Networks, 2017.
[60]	STUDER A , PERRIG A . The coremelt attack[C]// European Symposium on Research in Computer Security, 2009: 37-52.
[61]	KANG M S , LEE S B , GLIGOR V D . The crossfire attack[C]// 2013 IEEE Symposium on Security and Privacy. IEEE, 2013: 127-141.
[62]	AYDEGER A , SAPUTRO N , AKKAYA K . Utilizing NFV for effective moving target defense against link flooding reconnaissance attacks[C]// 2018 IEEE Military Communications Conference(MILCOM). 2018: 946-951.
[63]	GADGE J , PATIL A A . Port scan detection[C]// 2008 16th IEEE International Conference on Networks. 2008: 1-6.
[64]	LISTON T . Labrea:“Sticky” honeypot and ids[EB].

混淆方案	原理	方法	典型研究
诱饵式混淆	设置有诱惑价值的虚假节点，改变网络的节点价值分布	蜜罐、蜜饵、蜜标	DressUp^[22], SDhoneynet^[26]
空间类混淆	设置大量轻量级的虚假资源，扩大真实资源的分布空间	轻量级虚拟机、大量开放端口、活跃IP地址	Honeyd^[24]，CyberChaff^[25]
动态变化混淆	展示错误的或者动态变化的信息，增加系统的不确定性	指纹伪装、拓扑突变、IP地址随机化	NetShifter^[27], PLD-Logic^[28]

层次结构	防护目标	应对的威胁	典型工具	防御方案
拓扑防护	关键链路、网络拓扑	LFA、拓扑推断	Traceroute、RIPE atlas	报文重路由^[6,26,33]，覆盖网络^[34-35]，拓扑突变^[36-39]
端节点防护	关键资源、端节点的角色和位置	主机扫描、网络窃听、端口扫描	Sniff、ping、Iris、Nmap	Honey-X技术^[40-43]，主机虚拟视图^[7,44-46]，报文随机化^[47-53]
系统指纹防护	节点运行的操作系统和服务及其版本	指纹扫描、漏洞探测	SinFP3、p0f、Nessus	高交互蜜罐^[22,54-55]，动态信息响应^[56-59]