软件定义网络下的拟态防御实现架构

doi:10.11959/j.issn.2096-109x.2017.00205

Abstract

Abstract:

To deal with the attacks employing unknown security vulnerabilities or backdoors which are difficult for traditional defense techniques to eliminate,mimic security defense (MSD) that employs “dynamic,heterogeneity,redundancy (DHR)” mechanism can increase the difficulty and cost of attack and uncertainty of system so as to improve network security.Based on the software defined networking (SDN),an implementation architecture of MSD was proposed.First,diverse functional equivalent variants for the protected target were constructed,then leverage the rich programmability and flexibility of SDN to realize the dynamic scheduling and decision-making functions on SDN controller.Simulation and experimental results prove the availability and the intrusion tolerant ability of the architecture.

Key words: mimic security defense, software defined networking, active defense, dynamic heterogeneous redundancy

CLC Number:

TP393

Zhen-peng WANG,Hong-chao HU,Guo-zhen CHENG,Chuan-hao ZHANG. Implementation architecture of mimic security defense based on SDN[J]. Chinese Journal of Network and Information Security, 2017, 3(10): 52-61.

Figures/Tables 7

References 31

[1]	VOAS J , GHOSH A , CHARRON F ,et al. Reducing uncertainty about common-mode failures[C]// IEEE Symposium Software Reliability Engineering. 1997: 308-319.
[2]	LEVITIN G . Optimal structure of fault-tolerant software systems[J]. Reliability Engineering ＆ System Safety, 2005,89(3): 286-295.
[3]	AROMS E . NIST special publication 800-94 guide to intrusion detection and prevention systems (IDPS)[M]. South Carolina: CreateSpacePress, 2012.
[4]	SPITZNER L , . Honeypots:catching the insider threat[C]// IEEE Computer Security Applications Conference. 2003: 170-179.
[5]	JANA S , PORTER D E , SHMATIKOV V . TxBox:building secure,efficient sandboxes with system transactions[C]// IEEE Symposium on Security and Privacy,IEEE Computer Society. 2011: 329-344.
[6]	ZHUANG R , DELOACH S A , OU X . Towards a theory of moving target defense[C]// ACM Workshop on Moving Target Defense. 2014: 31-40.
[7]	邬江兴 . 网络空间拟态防御研究[J]. 信息安全学报, 2016,1(4): 1-10.
	WU J X . Research on cyber mimic defense[J]. Journal of Cyber Security, 2016,1(4): 1-10.
[8]	MCKEOWN N , ANDERSON T . OpenFlow:enabling innovation in campus networks[J]. ACM Sigcomm Computer Communication Review, 2008,38(2): 69-74.
[9]	COX B , EVANS D , FILIPI A ,et al. 2006.N-variant systems:a secretless framework for security through diversity[C]// Usenix Security Symposium. 2006:9.
[10]	KC G S , KEROMYTIS A D , PREVELAKIS V . Countering code-injection attacks with instruction-set randomization[C]// ACM Conference on Computer and Communications Security. 2003: 272-280.
[11]	HOMESCU A , BRUNTHALER S , LARSEN P ,et al. Librando:transparent code randomization for just-in-time compilers[C]// ACM Sigsac Conference on Computer ＆ Communications Security. 2013: 993-1004.
[12]	BHATKAR S , DUVARNEY D C , SEKAR R . Address obfuscation:an efficient approach to combat a board range of memory error exploits[C]// Conference on Usenix Security Symposium. 2003: 105-120.
[13]	DUNLOP M , GROAT S , URBANSKI W ,et al. Mt6d:a moving target IPv6 defense[C]// IEEE Military Communications Conference. 2011: 1321-1326.
[14]	JAFARIAN J H , AL-SHAER E , DUAN Q . An effective address mutation approach for disrupting reconnaissance attacks[J]. IEEE Transactions on Information Forensics and Security, 2015,10(12): 2562-2577.
[15]	JAFARIAN J H , AL-SHAER E , DUAN Q . Adversary-aware IP address randomization for proactive agility against sophisticated attackers[C]// 2015 IEEE Conference on Computer Communications (Infocom). 2015: 738-746.
[16]	MAYO J R , TORGERSON M D , WALKER A M ,et al. The theory of diversity and redundancy in information system security[R]. LDRD Final Report, 2010.
[17]	王禛鹏, 扈红超, 程国振 . 一种基于拟态安全防御的 DNS 框架设计[J]. 电子学报.
	WANG Z P , HU H C , CHENG G Z . A DNS architecture based on mimic security defense[J]. Chinese Journal of Electronics.
[18]	HU H C , WANG Z P , CHENG G Z ,et al. MNOS:a mimic network operating system for software defined networks[J]. IET Information Security, 2017
[19]	WANG H , SCHMITT J . Load balancing-towards balanced delay guarantees in NFV/SDN[C]//IEEE Conference on NFV-SDN 2016:240-245. IEEE Conference on NFV-SDN,　　　　　　 2016: 240-245.
[20]	CASCONE C , SANVITO D , POLLINI L ,et al. Fast failure detection and recovery in SDN with stateful data plane[J]. International Journal of Network Management, 2016
[21]	PANG J , XU G , FU X . SDN-based data center networking with collaboration of multipath TCP and segment routing[J]. IEEE Access, 2017,(99): 1-1.
[22]	HAN W , ZHAO Z , AHN G J . HoneyMix:toward SDN-based intelligent honeynet[C]// ACM International Workshop on Security in Software Defined Networks ＆ Network Function Virtualization. 2016: 1-6.
[23]	JAFARIAN J H , AL-SHAER E , DUAN Q . Openflow random host mutation:transparent moving target defense using software defined networking[C]// The Workshop on Hot Topics in Software Defined Networks. 2012: 127-132.
[24]	GEMBER-JACOBSON A , VISWANATHAN R , PRAKASH C ,et al. OpenNF:enabling innovation in network function control[C]// ACM Conference on Sigcomm. 2015: 163-174.
[25]	JAFARIAN J H , AL-SHAER E , DUAN Q . Adversary-aware IP address randomization for proactive agility against sophisticated attackers[C]// Computer Communications(IEEE Infocom). 2015:738746.
[26]	PORRAS P , SHIN S , YEGNESWARAN V ,et al. A security enforcement kernel for OpenFlow networks[C]// The First Workshop on Hot Topics in Software Defined Networks. 2012: 121-126.
[27]	CHEUNG S , FONG M , PORRAS P ,et al. Securing the software-defined network control layer[C]// Network and Distributed System Security Symposium. 2015.
[28]	SHIN S , SONG Y , LEE T ,et al. Rosemary:a robust,secure,and high-performance network operating system[C]// 2014 ACM SIGSAC Conference on Computer and Communications Security. 2014: 78-89.
[29]	BERDE P , HART J , HART J ,et al. ONOS:towards an open,distributed SDN OS[C]// The Workshop on Hot Topics in Software Defined Networking. 2010: 1-6.
[30]	LI H , LI P , GUO S ,et al. Byzantine-resilient secure software defined networks with multiple controllers in cloud[J]. IEEE Transactions on Cloud Computing, 2015,2(4): 436-447.
[31]	HU H C , WANG Z P , CHENG G Z ,et al. MNOS:a mimic network operating system for software defined networks[J]. IET Information Security, 2017.

Metrics

Recommended 0

No Suggested Reading articles found!

符号	含义
T_{td_ss}	两交换机间的传输时延
T_{td_cs}	控制器与交换机间的传输时延
T_{td_ce}	执行体到控制器间总时延
T_{pd_s}	交换机修改报文的处理时延
T_{pd_c}	控制器的处理时延
T_{pd_e}	执行体的处理时延
T_add	架构增加的时延

Implementation architecture of mimic security defense based on SDN

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 7

References 31

Related Articles 4

Metrics

Recommended 0

[1]	Yingying LYU,Yunfei GUO,Zhenpeng WANG,Guozhen CHENG,Yawen WANG. Negative feedback scheduling algorithm based on historical information in SDN [J]. Chinese Journal of Network and Information Security, 2018, 4(6): 45-51.
[2]	Dequan YANG,Weimin LIU,Zhou YU. Research on active defense application based on honeypot [J]. Chinese Journal of Network and Information Security, 2018, 4(1): 57-62.
[3]	Zhen-ping LU,Fu-cai CHEN,Guo-zhen CHENG. Secure control plane for SDN using Bayesian Stackelberg games [J]. Chinese Journal of Network and Information Security, 2017, 3(11): 40-49.
[4]	Jing-qiang LIU,Bin LI,Li-zhang CHEN,Bin CHEN. Research based on the method of Android system active defense without Root permission [J]. Chinese Journal of Network and Information Security, 2016, 2(1): 65-73.