Chinese Journal of Network and Information Security ›› 2021, Vol. 7 ›› Issue (6): 44-55.doi: 10.11959/j.issn.2096-109x.2021104
Topic I: Novel Network Technology and Security
Weizhen HE1, Fucai CHEN1, Jie NIU2, Jinglei TAN1, Shumin HUO1, Guozhen CHENG1
Revised: 2021-04-27
Online: 2021-12-15
Published: 2021-12-01
Weizhen HE, Fucai CHEN, Jie NIU, Jinglei TAN, Shumin HUO, Guozhen CHENG. Research progress on dynamic hopping technology for network layer[J]. Chinese Journal of Network and Information Security, 2021, 7(6): 44-55.
Classification | Type | Advantages | Disadvantages | References
--- | --- | --- | --- | ---
Hopping attribute | Single-attribute hopping | The hopping system is relatively simple to implement | Cannot defend against an advanced attacker who attacks via other network attributes | Refs. [8,10,22]
Hopping attribute | Multi-dimensional coordinated hopping | Several attributes hop in coordination, further shrinking the attack surface and raising system security | Larger impact on network transmission performance, and the coordination of multiple hopping methods must be considered | Refs. [
Implementation | Based on traditional networks | Can achieve high-rate hopping, increasing the unpredictability of hopping | Changes existing network protocols; severe network performance loss | Refs. [5,22,26,33-36]
Implementation | Based on SDN | Flexible network architecture, convenient for deploying a dynamic hopping system | Requires deploying an SDN controller and SDN switches at high cost; the SDN controller carries inherent network threats | Refs. [12,25,37-40]
Trigger mode | Non-adaptive hopping | Simple deployment | Hard to balance security and communication performance: a long hopping period cannot defend against attackers, a short one degrades communication performance | Refs. [5-10,12,21-26,28-40]
Trigger mode | Adaptive hopping | Can react to attack behavior and, within limits, reduce the impact of hopping on communication performance | Attack behavior is hard to characterize perfectly, so false negatives and false positives exist | Refs. [
[1] Symantec. Internet Security Threat Report[R]. 2016.
[2] Trend Micro. Understanding Targeted Attacks: The Impact of Targeted Attacks[R]. 2015.
[3] JAJODIA S, GHOSH A K, SWARUP V, et al. Moving target defense[M]. New York, NY: Springer New York, 2011.
[4] CHO J H, SHARMA D P, ALAVIZADEH H, et al. Toward proactive, adaptive defense: a survey on moving target defense[J]. IEEE Communications Surveys & Tutorials, 2020, 22(1): 709-745.
[5] KEWLEY D, FINK R, LOWRY J, et al. Dynamic approaches to thwart adversary intelligence gathering[C]// Proceedings of DARPA Information Survivability Conference and Exposition II (DISCEX'01). 2001: 176-185.
[6] ATIGHETCHI M, PAL P, WEBBER F, et al. Adaptive use of network-centric mechanisms in cyber-defense[C]// Proceedings of the Sixth IEEE International Symposium on Object-Oriented Real-Time Distributed Computing. 2003: 183-192.
[7] DUNLOP M, GROAT S, URBANSKI W, et al. MT6D: a moving target IPv6 defense[C]// Proceedings of MILCOM 2011 Military Communications Conference. 2011: 1321-1326.
[8] AL-SHAER E, DUAN Q, JAFARIAN J H. Random host mutation for moving target defense[M]// Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering. Berlin, Heidelberg: Springer, 2013: 310-327.
[9] 石乐义, 贾春福, 吕述望. 基于端信息跳变的主动网络防护研究[J]. 通信学报, 2008, 29(2): 106-110.
SHI L Y, JIA C F, LYU S W. Research on end hopping for active network confrontation[J]. Journal on Communications, 2008, 29(2): 106-110.
[10] DUAN Q, AL-SHAER E, JAFARIAN H. Efficient random route mutation considering flow and network constraints[C]// Proceedings of 2013 IEEE Conference on Communications and Network Security (CNS). 2013: 260-268.
[11] HONG J B, KIM D S. Assessing the effectiveness of moving target defenses using security models[J]. IEEE Transactions on Dependable and Secure Computing, 2016, 13(2): 163-177.
[12] JAFARIAN J H, AL-SHAER E, DUAN Q. OpenFlow random host mutation: transparent moving target defense using software defined networking[C]// Proceedings of the First Workshop on Hot Topics in Software Defined Networks. 2012: 127-132.
[13] YOON S, CHO J H, KIM D S, et al. Poster: address shuffling based moving target defense for in-vehicle software-defined networks[C]// Proceedings of MobiCom '19: The 25th Annual International Conference on Mobile Computing and Networking. 2019: 1-3.
[14] CARROLL T E, CROUSE M, FULP E W, et al. Analysis of network address shuffling as a moving target defense[C]// Proceedings of 2014 IEEE International Conference on Communications (ICC). 2014: 701-706.
[15] DUAN Q, AL-SHAER E, JAFARIAN H. Efficient random route mutation considering flow and network constraints[C]// Proceedings of 2013 IEEE Conference on Communications and Network Security (CNS). 2013: 260-268.
[16] ZHOU Z, XU C Q, KUANG X H, et al. An efficient and agile spatio-temporal route mutation moving target defense mechanism[C]// Proceedings of ICC 2019 - 2019 IEEE International Conference on Communications (ICC). Piscataway: IEEE Press, 2019: 1-6.
[17] LUO Y B, WANG B S, WANG X F, et al. RPAH: random port and address hopping for thwarting internal and external adversaries[C]// Proceedings of 2015 IEEE Trustcom/BigDataSE/ISPA. 2015: 263-270.
[18] AYDEGER A, SAPUTRO N, AKKAYA K, et al. Mitigating crossfire attacks using SDN-based moving target defense[C]// Proceedings of 2016 IEEE 41st Conference on Local Computer Networks (LCN). 2016: 627-630.
[19] CLARK A, SUN K, BUSHNELL L, et al. A game-theoretic approach to IP address randomization in decoy-based cyber defense[M]// Lecture Notes in Computer Science. 2015: 3-21.
[20] GROAT S, DUNLOP M, URBANSKI W, et al. Using an IPv6 moving target defense to protect the smart grid[C]// Proceedings of 2012 IEEE PES Innovative Smart Grid Technologies (ISGT). 2012: 1-7.
[21] 吴桦, 陈廷政. SDN环境中基于端址跳变的DDoS防御方法[J]. 网络空间安全, 2020, 11(8): 17-22.
WU H, CHEN T Z. A DDoS defense method based on port and address hopping in SDN[J]. Cyberspace Security, 2020, 11(8): 17-22.
[22] LEE H C J, THING V L L. Port hopping for resilient networks[C]// Proceedings of IEEE 60th Vehicular Technology Conference (VTC2004-Fall). 2004: 3291-3295.
[23] SHI L Y, JIA C F, LÜ S, et al. Port and address hopping for active cyber-defense[M]// Intelligence and Security Informatics. Berlin, Heidelberg: Springer Berlin Heidelberg, 2007: 295-300.
[24] ANTONATOS S, AKRITIDIS P, MARKATOS E P, et al. Defending against hitlist worms using network address space randomization[J]. Computer Networks, 2007, 51(12): 3471-3490.
[25] JAFARIAN J H H, AL-SHAER E, DUAN Q. Spatio-temporal address mutation for proactive cyber agility against sophisticated attackers[C]// Proceedings of the First ACM Workshop on Moving Target Defense (MTD '14). 2014: 69-78.
[26] BADISHI G, HERZBERG A, KEIDAR I. Keeping denial-of-service attackers in the dark[J]. IEEE Transactions on Dependable and Secure Computing, 2007, 4(3): 191-204.
[27] REHMANI M H, DAVY A, JENNINGS B, et al. Software defined networks-based smart grid communication: a comprehensive survey[J]. IEEE Communications Surveys & Tutorials, 2019, 21(3): 2637-2670.
[28] 陈扬, 扈红超, 程国振. 软件定义的内网动态防御系统设计与实现[J]. 电子学报, 2018, 46(11): 2604-2611.
CHEN Y, HU H C, CHENG G Z. The design and implementation of a software-defined intranet dynamic defense system[J]. Acta Electronica Sinica, 2018, 46(11): 2604-2611.
[29] JAFARIAN J H, NIAKANLAHIJI A, AL-SHAER E, et al. Multi-dimensional host identity anonymization for defeating skilled attackers[C]// Proceedings of the 2016 ACM Workshop on Moving Target Defense (MTD '16). 2016: 47-58.
[30] LUO Y B, WANG B S, WANG X F, et al. RPAH: random port and address hopping for thwarting internal and external adversaries[C]// Proceedings of 2015 IEEE Trustcom/BigDataSE/ISPA. Piscataway: IEEE Press, 2015: 263-270.
[31] SHARMA D P, CHO J H, MOORE T J, et al. Random host and service multiplexing for moving target defense in software-defined networks[C]// Proceedings of ICC 2019 - 2019 IEEE International Conference on Communications (ICC). 2019: 1-6.
[32] WANG K, CHEN X, ZHU Y F. Random domain name and address mutation (RDAM) for thwarting reconnaissance attacks[J]. PLoS One, 2017, 12(5): e0177111.
[33] SIFALAKIS M, SCHMID S, HUTCHISON D. Network address hopping: a mechanism to enhance data protection for packet communications[C]// Proceedings of IEEE International Conference on Communications (ICC 2005). 2005: 1518-1523.
[34] LIN K, JIA C. Distributed timestamp synchronization for end hopping[J]. China Communications, 2011, 8(4): 164-169.
[35] 林楷, 贾春福, 石乐义. 分布式时间戳同步技术的改进[J]. 通信学报, 2012, 33(10): 110-116.
LIN K, JIA C F, SHI L Y. Improvement of distributed timestamp synchronization[J]. Journal on Communications, 2012, 33(10): 110-116.
[36] 石乐义, 郭宏彬, 温晓, 等. 端信息跳扩混合的主动网络防御技术研究[J]. 通信学报, 2019, 40(5): 125-135.
SHI L Y, GUO H B, WEN X, et al. Research on end hopping and spreading for active cyber defense[J]. Journal on Communications, 2019, 40(5): 125-135.
[37] JAFARIAN J H, AL-SHAER E, DUAN Q. An effective address mutation approach for disrupting reconnaissance attacks[J]. IEEE Transactions on Information Forensics and Security, 2015, 10(12): 2562-2577.
[38] 胡毅勋, 郑康锋, 杨义先, 等. 基于 OpenFlow 的网络层移动目标防御方案[J]. 通信学报, 2017, 38(10): 102-112.
HU Y X, ZHENG K F, YANG Y X, et al. Moving target defense solution on network layer based on OpenFlow[J]. Journal on Communications, 2017, 38(10): 102-112.
[39] SHARMA D P, KIM D S, YOON S, et al. FRVM: flexible random virtual IP multiplexing in software-defined networks[C]// Proceedings of 2018 17th IEEE International Conference on Trust, Security and Privacy in Computing and Communications / 12th IEEE International Conference on Big Data Science and Engineering (TrustCom/BigDataSE). 2018: 579-587.
[40] CHANG S Y, PARK Y, ASHOK BABU B B. Fast IP hopping randomization to secure hop-by-hop access in SDN[J]. IEEE Transactions on Network and Service Management, 2019, 16(1): 308-320.
[41] JAFARIAN J H, AL-SHAER E, DUAN Q. Adversary-aware IP address randomization for proactive agility against sophisticated attackers[C]// Proceedings of 2015 IEEE Conference on Computer Communications (INFOCOM). 2015: 738-746.
[42] MA D H, LEI C, WANG L M, et al. A self-adaptive hopping approach of moving target defense to thwart scanning attacks[M]// Information and Communications Security. Cham: Springer International Publishing, 2016: 39-53.
[43] 王鹏超, 陈福才, 程国振, 等. 软件定义的 L2/L3 地址协同拟态伪装策略研究[J]. 电子学报, 2019, 47(10): 2032-2039.
WANG P C, CHEN F C, CHENG G Z, et al. L2/L3 address cooperative mimicry strategy research based on SDN[J]. Acta Electronica Sinica, 2019, 47(10): 2032-2039.
[44] YOON S, CHO J H, KIM D S, et al. Attack graph-based moving target defense in software-defined networks[J]. IEEE Transactions on Network and Service Management, 2020, 17(3): 1653-1668.
[45] WANG H X, LI F, CHEN S Q. Towards cost-effective moving target defense against DDoS and covert channel attacks[C]// Proceedings of the 2016 ACM Workshop on Moving Target Defense. 2016: 15-25.
[46] CARROLL T E, CROUSE M, FULP E W, et al. Analysis of network address shuffling as a moving target defense[C]// Proceedings of 2014 IEEE International Conference on Communications (ICC). 2014: 701-706.
[47] CLARK A, SUN K, POOVENDRAN R. Effectiveness of IP address randomization in decoy-based moving target defense[C]// Proceedings of 52nd IEEE Conference on Decision and Control. 2013: 678-685.
[48] MALEKI H, VALIZADEH S, KOCH W, et al. Markov modeling of moving target defense games[C]// Proceedings of the 2016 ACM Workshop on Moving Target Defense. 2016: 81-92.
[49] MANADHATA P K. Game theoretic approaches to attack surface shifting[M]// Moving Target Defense II. New York, NY: Springer New York, 2012: 1-13.
[50] LEI C, MA D H, ZHANG H Q. Optimal strategy selection for moving target defense based on Markov game[J]. IEEE Access, 2017, 5: 156-169.
[51] FENG X T, ZHENG Z Z, MOHAPATRA P, et al. A Stackelberg game and Markov modeling of moving target defense[M]// Lecture Notes in Computer Science. Cham: Springer International Publishing, 2017: 315-335.
[52] 陈永强, 吴晓平, 付钰, 等. 基于模糊静态贝叶斯博弈的网络主动防御策略选取[J]. 计算机应用研究, 2015, 32(3): 887-889, 899.
CHEN Y Q, WU X P, FU Y, et al. Active defense strategy selection of network based on fuzzy static Bayesian game model[J]. Application Research of Computers, 2015, 32(3): 887-889, 899.
[53] ZHU Q Y, BAŞAR T. Game-theoretic approach to feedback-driven multi-stage moving target defense[M]// Lecture Notes in Computer Science. Cham: Springer International Publishing, 2013: 246-263.
[54] LEI C, ZHANG H Q, WAN L M, et al. Incomplete information Markov game theoretic approach to strategy generation for moving target defense[J]. Computer Communications, 2018, 116: 184-199.
[55] TAN J L, LEI C, ZHANG H Q, et al. Optimal strategy selection approach to moving target defense based on Markov robust game[J]. Computers & Security, 2019, 85: 63-76.
[56] LEI C, ZHANG H Q, TAN J L, et al. Moving target defense techniques: a survey[J]. Security and Communication Networks, 2018, 2018: 1-25.
[57] 张明悦, 金芝, 赵海燕, 等. 机器学习赋能的软件自适应性综述[J]. 软件学报, 2020, 31(8): 2404-2431.
ZHANG M Y, JIN Z, ZHAO H Y, et al. Survey of machine learning enabled software self-adaptation[J]. Journal of Software, 2020, 31(8): 2404-2431.
[58] CHENG K, BAI Y B, ZHOU Y, et al. CANeleon: protecting CAN bus with frame ID chameleon[J]. IEEE Transactions on Vehicular Technology, 2020, 69(7): 7116-7130.