基于变点检测的网络移动目标防御效能评估方法

doi:10.11959/j.issn.1000-436x.2017015

通信学报 ›› 2017, Vol. 38 ›› Issue (1): 126-140.doi: 10.11959/j.issn.1000-436x.2017015

基于变点检测的网络移动目标防御效能评估方法

雷程^1,³,马多贺²,张红旗^1,³,杨英杰^1,³,王淼²

¹ 信息工程大学密码工程学院，河南郑州 450001
² 中国科学院信息工程研究所信息安全国家重点实验室，北京 100093
³ 河南省信息安全重点实验室，河南郑州 450001

修回日期:2016-11-12 出版日期:2017-01-01 发布日期:2017-01-23
作者简介:雷程（1989-），男，北京人，信息工程大学博士生，主要研究方向为网络信息安全、数据安全交换、移动目标防御。|马多贺（1982-），男，安徽六安人，博士，中国科学院信息工程研究所助理研究员，主要研究方向为应用安全、移动目标防御、云安全、网络与系统安全等。|张红旗（1962-），男，河北遵化人，博士，信息工程大学教授、博士生导师，主要研究方向为网络安全、等级保护和信息安全管理。|杨英杰（1971-），男，河南郑州人，信息工程大学教授、硕士生导师，主要研究方向为数据挖掘、态势感知和信息安全管理。|王淼（1991-），女，河北廊坊人，中国科学院信息工程研究所硕士生，主要研究方向为移动目标防御、网络与系统安全和云安全。
基金资助:
国家重点基础研究发展计划（“973”计划）基金资助项目(2011CB311801);国家高技术研究发展计划（“863”计划）基金资助项目(2012AA012704);国家高技术研究发展计划（“863”计划）基金资助项目(2015AA016106);郑州市科技领军人才基金资助项目(131PLKRC644);中国科学院先导专项基金资助项目(XDA06010701)

Performance assessment approach based on change-point detection for network moving target defense

Cheng LEI^1,³,Duo-he MA²,Hong-qi ZHANG^1,³,Ying-jie YANG^1,³,Miao WANG²

¹ Cryptography Engineering Institute,Information Engineering University,Zhengzhou 450001,China
² State Key Laboratory of Information Security,Institute of Information Engineering,CAS,Beijing 100093,China
³ Henan Key Laboratory of Information Security,Zhengzhou 450001,China

Revised:2016-11-12 Online:2017-01-01 Published:2017-01-23
Supported by:
The National Basic Research Program of China (973 Program)(2011CB311801);The National High Technology Research and Development Program of China (863 Program)(2012AA012704);The National High Technology Research and Development Program of China (863 Program)(2015AA016106);Zhengzhou Science and Technol-ogy Talents Project(131PLKRC644);Strategic Priority Research Program of the Chinese Academy of Sciences(XDA06010701)

摘要/Abstract

摘要：

提出一种基于变点检测的网络移动目标防御效能评估方法。针对网络资源图无法表示资源脆弱性对节点安全状态影响的问题，定义分层网络资源图，在建立资源脆弱性改变和节点安全状态转换关联关系的同时，提高构建和更新网络资源图的效率。针对静态检测度量无法准确度量网络移动目标防御动态改变的问题，设计变点检测和标准化度量算法，在保证度量标准统一的基础上实现对网络移动目标防御的安全成本和安全收益的实时检测和动态度量，提高评估的准确性和结果的可比性。典型实例分析证明了所提出的网络移动目标防御效能评估方法的可行性和有效性。

关键词: 网络移动目标防御, 分层网络资源图, 变点检测, 标准化度量, 效能评估

Abstract:

A performance assessment approach based on change-point detection for network moving target defence was proposed.Directed to the problem of network resource graph not being able to present the effect of network resource vulnerabilities to network nodes,a conversion relationship between resource vulnerability changes and node security states was established by defining the concept of a hierarchical network resource graph and the efficiency of resource graph construction and updating were improved.Furthermore,directed to the problem of static detection algorithm not being able to precisely measure the dynamic change of network moving target defense,a change-point detection algorithm and standard degree measurement algorithm was designed.The security cost and benefit of network moving target defense in real-time and dynamically on the basis of unified metrics were defected and measured,which improved the evaluation accuracy.The analysis result of typical examples has proved the feasibility and the effectiveness of the proposed approach.

Key words: network moving target defense, multi-layer network resource graph, change-point detection, standardized measurement, performance assessment

中图分类号:

TP393

雷程,马多贺,张红旗,杨英杰,王淼. 基于变点检测的网络移动目标防御效能评估方法[J]. 通信学报, 2017, 38(1): 126-140.

Cheng LEI,Duo-he MA,Hong-qi ZHANG,Ying-jie YANG,Miao WANG. Performance assessment approach based on change-point detection for network moving target defense[J]. Journal on Communications, 2017, 38(1): 126-140.

图/表 20

图1

图2

图3

图4

图5

图6

图7

表1

表2

表3

表4

表5

表6

图8

图9

表7

图10

图11

表8

图12

参考文献 28

[1]	Cybersecurity game-change research ＆ development recommendations[EB/OL]. .
[2]	ZHANG M , WANG L , JAJODIA S ,et al. Network diversity:a security metric for evaluating the resilience of networks against zero-day attacks[J]. IEEE Transactions on Information Forensics and Security, 2016,11(5): 1071-1086.
[3]	ZHUANG R , BARDAS A G , DELOACH S A ,et al. A theory of cyber attacks:a step towards analyzing MTD systems[C]// The Second ACM Workshop on Moving Target Defense. ACM, 2015: 11-20.
[4]	SUN K , JAJODIA S . Protecting enterprise networks through attack surface expansion[C]// The 2014 Workshop on Cyber Security Analytics,Intelligence and Automation. ACM, 2014: 29-32.
[5]	石乐义, 贾春福, 吕述望 . 基于端信息跳变的主动网络防护研究[J]. 通信学报, 2008,29(2): 106-110.
	SHI L Y , JIA C F , LYU S W . Research on end hopping for active network confrontation[J]. Journal on Communications, 2008,29(2): 106-110.
[6]	EVANS D , NGUYEN-TUONG A , KNIGHT J . Effectiveness of moving target defenses[M]. Moving Target Defense I: Creating Asymmetric Uncertainty for Cyber Threats.New York,SpringerPress, 2011: 29-48.
[7]	GREEN M , MACFARLAND D C , SMESTAD D R ,et al. Characterizing network-based moving target defenses[C]// ACM CCS Workshop on Moving Target Defense (MTD). 2015.
[8]	CLARK A , SUN K , BUSHNELL L ,et al. A game-theoretic approach to IP address randomization in decoy-based cyber defense[C]// International Conference on Decision and Game Theory for Security. Springer International Publishing, 2015: 3-21.
[9]	ZHUANG R , ZHANG S , DELOACH S A ,et al. Simulation-based approaches to studying effectiveness of moving target network defense[C]// In National Symposium on Moving Target Research,Annapolis, 2012: 21-26.
[10]	ZHUANG R , DELOACH S A , OU X . A model for analyzing the effect of moving target defenses on enterprise networks[C]// The 9th Annual Cyber and Information Security Research Conference. ACM, 2014: 73-76.
[11]	CARROLL T E , CROUSE M , FULP E W ,et al. Analysis of network address shuffling as a moving target defense[C]// Communications (ICC),2014 IEEE International Conference on,Sydney, 2014: 701-706.
[12]	MANADHATA P K . Game theoretic approaches to attack surface shifting[M]. Moving Target Defense II: Application of Game Theory and Adversarial Modeling.New York,SpringerPress, 2013: 1-13.
[13]	OKHRAVI H , RIORDAN J , CARTER K . Quantitative evaluation of dynamic platform techniques as a defensive mechanism[M]. Research in Attacks,Intrusions and Defenses. New York,Springer, 2014: 405-425.
[14]	HAN Y , LU W , XU S . Characterizing the power of moving target defense via cyber epidemic dynamics[C]// The 2014 Symposium and Bootcamp on the Science of Security,Raleigh, 2014: 23-33.
[15]	ZAFFARANO K , TAYLOR J , HAMILTON S . A quantitative framework for moving target defense effectiveness evaluation[C]// The Second ACM Workshop on Moving Target Defense. ACM, 2015: 3-10.
[16]	SHEYNER O , HAINES J , JHA S ,et al. Automated generation and analysis of attack graphs[C]// Security and Privacy,2002.Proceedings.2002 IEEE Symposium on. IEEE, 2002: 273-284.
[17]	WANG L , NOEL S , JAJODIA S . Minimum-cost network hardening using attack graphs[J]. Computer Communications, 2006,29(18): 3812-3824.
[18]	AMMANN P , WIJESEKERA D , KAUSHIK S . Scalable,graph-based network vulnerability analysis[C]// The 9th ACM Conference on Computer and Communications Security. ACM, 2002: 217-224.
[19]	LARSEN P , BRUNTHALER S , FRANZ M . Security through diversity:are we there yet?[J]. IEEE Security ＆ Privacy, 2014,12(2): 28-35.
[20]	MELL P , SCARFONE K , ROMANOSKY S . Common vulnerability scoring system[J]. Security ＆ Privacy,IEEE, 2006,4(6): 85-89.
[21]	FINK G A , HAACK J N , Mckinnon A D ,et al. Defense on the move:ant-based cyber defense[J]. Security ＆ Privacy,IEEE, 2014,12(2): 36-43.
[22]	HONG J B , KIM D S . Performance analysis of scalable attack representation models[M]// Security and Privacy Protection in Information Processing Systems. Springer Berlin Heidelberg, 2013: 330-343.
[23]	王元卓, 林闯, 程学旗 ,等. 基于随机博弈模型的网络攻防量化分析方法[J]. 计算机学报, 2010,33(9): 1748-1762.
	WANG Y Z , LIN C , CHENG X Q ,et al. Analysis for network attack-defense based on stochastic game model[J]. Chinses Journal of Computers, 2010,33(9): 1748-1762.
[24]	HUTCHINS E M , CLOPPERT M J , AMIN R M . Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains[J]. Leading Issues in Information Warfare ＆ Security Research, 2011,1: 80.
[25]	付钰, 李洪成, 吴晓平 ,等. 基于大数据分析的APT攻击检测研究综述[J]. 通信学报, 2015,36(11): 1-14.
	FU Y , LI H C , WU X P ,et al. Detecting APT attacks:a survey from the perspective of big data analysis[J]. Journal of Communications, 2015,36(11): 1-14.
[26]	赵春蕾, 贾春福, 翁臣 ,等. 端信息跳变系统自适应策略研究[J]. 通信学报, 2011 (11A): 47-57.
	ZHAO C L , JIA C F , WENG C ,et al. Research on adaptive strategies for end-hopping system[J]. Journal on Communications, 2011(11A): 47-57.
[27]	SHUE C A , KALAFUT A J , ALLMAN M ,et al. On building inexpensive network capabilities[J]. ACM SIGCOMM Computer Communication Review, 2012,42(2): 72-79.
[28]	YACKOSKI J , BULLEN H , YU X ,et al. Applying self-shielding dynamics to the network architecture[M]// Moving Target Defense II: Application of Game Theory and Adversarial Modeling.New York,SpringerPress, 2013: 978-115.

编号	入侵路径	入侵步骤	存在资源脆弱性类型/种
1	rootA→http→user,s₁→netbiosssn→user,s₂→ http→squidproxy→root,s₃	4	3
2	rootA→http→user,s₁→netbios_ssn→user,s₂→ rsh→squidproxy→root,s₃	4	4
3	rootA→http→user,s₁→ ftp→root,s₁→netbiosssn→ user,s₂→http→squidproxy→root,s₃	5	4
4	rootA→http→user,s₁→ ftp→root,s₁→netbiosssn→ user,s₂→rsh→squidproxy→root,s₃	5	5
5	rootA→netbiosssn→user,s₂→ http→squidproxy→root,s₃	3	3
6	rootA→netbiosssn→user,s₂→ rsh→squidproxy→root,s₃	3	3

资源图类型	构建计算复杂度	更新计算复杂度	遍历
NRG	O(m²n²)	O(mn)	O(u!v!^u)
MRG	O(m²n+n²)	节点层：O(n)	O (u!v!)
		资源层：O(m)

模板类型	任务模板	攻击模板
未实施NMTD	性能开销基线	攻击成本基线	攻击收益基线
实施NMTD	综合性能开销	攻击成本	攻击收益

节点名称	系统信息	危害程度
H₁：网络服务器	Windows NT 4.0	ω ₁=0.4
H₂：域内服务器	Windows 2000 SP1	ω ₂=0.55
H₃：客户端	Windows XP Pro SP2	ω ₃=0.3
H₄：Linux数据库	Red Hat 7.0	ω ₄=0.7

节点	恶意敌手	H₁	H₂	H₃	H₄
恶意敌手	本地	所有	—	—	—
H₁	所有	本地	所有	所有	Squid
					LICQ
H₂	所有	IIS	本地	所有	Squid
					LICQ
H₃	所有	IIS	所有	本地	Squid
					LICQ
H₄	所有	IIS	所有	所有	本地

基于变点检测的网络移动目标防御效能评估方法

Performance assessment approach based on change-point detection for network moving target defense

在线阅读

PDF下载

可视化

被引次数

摘要/Abstract

引用本文

使用本文

图/表 20

参考文献 28

相关文章 1

Metrics

推荐阅读 0

编号	节点	资源	端口号	资源脆弱性
A	H₁	IIS网络服务	80	IIS buffer overflow
B	H₁	FTP	21	ftp rhost overwrite
C	H₂	FTP	21	ftp rhost overwrite
D	H₂	SSH	22	ssh buffer overflow
E	H₂	RSH	514	rsh login
F	H₃	Netbois-ssn	139	netbios-ssn nullsession
G	H₄	LICQ	5190	LICQ remote-to-user
H	H₄	Squid 代理	80	squid port scan
I	H₄	Mysql DB	3306	local-setuid-buffer

编号	攻击路径	攻击步骤	存在脆弱性类型/种	攻击成功率
1	root,a→A→root,s ₁→C→E→user,s ₂→D→root,s ₂→G→H→user,s ₄→I→root,s ₄	7	7	0.095
2	root,a→A→root,s ₁→D→root,s ₂→ G→H→user,s ₄→I→root,s ₄	5	5	0.194
3	root,a→A→root,s ₁→ G→H→user,s ₄→I→root,s ₄	4	4	0.231
4	root,a→A→root,s ₁→F→user,s ₃→ G→H→user,s ₄→I→root,s ₄	5	5	0.212
5	root,a→A→root,s ₁→F→user,s ₃→D→root,s ₂→G→H→user,s ₄→I→root,s ₄	6	6	0.147
6	root,a→A→root,s ₁→F→user,s ₃→C→E→user,s ₂→D→root,s ₂→G→H→user,s ₄→I→root,s ₄	8	8	0.084
7	root,a→B→root,s ₁→C→E→user,s ₂→D→root,s ₂→G→H→user,s ₄→I→root,s ₄	7	6	0.103
8	root,a→B→root,s ₁→D→root,s ₂→ G→H→user,s ₄→I→root,s ₄	5	5	0.210
9	root,a→B→root,s ₁→ G→H→user,s ₄→I→root,s ₄	4	4	0.251
10	root,a→B→root,s ₁→F→user,s ₃→ G→H→user,s ₄→I→root,s ₄	5	5	0.229
11	root,a→B→root,s ₁→F→user,s ₃→D→root,s ₂→G→H→user,s ₄→I→root,s ₄	6	6	0.159
12	root,a→B→root,s ₁→F→user,s ₃→C→E→user,s ₂→D→root,s ₂→G→H→user,s ₄→I→root,s ₄	8	7	0.091

方法	最大标准差		平均标准差
方法	Adaptive-EH	DNAT	Adaptive-EH	DNAT
本文方法	4.44%	4.59%	3.88%	3.93%
文献[15]方法	9.73%	9.02%	8.77%	8.42%