基于POF的网络窃听攻击移动目标防御方法

doi:10.11959/j.issn.1000-436x.2018025

通信学报 ›› 2018, Vol. 39 ›› Issue (2): 73-87.doi: 10.11959/j.issn.1000-436x.2018025

基于POF的网络窃听攻击移动目标防御方法

马多贺¹,李琼²(),林东岱¹

¹ 中国科学院信息工程研究所信息安全国家重点实验室，北京 100093
² 哈尔滨工业大学计算机学院信息对抗技术研究所，黑龙江哈尔滨 150001

修回日期:2017-12-10 出版日期:2018-02-01 发布日期:2018-03-28
作者简介:马多贺（1982-），男，安徽霍邱人，博士，中国科学院信息工程研究所助理研究员，主要研究方向为移动目标防御、应用安全、云安全、网络与系统安全等。|李琼（1976-），女，湖南吉首人，博士，哈尔滨工业大学教授、博士生导师，主要研究方向为量子密码、多媒体安全、生物识别等。|林东岱（1964-），男，山东聊城人，中国科学院信息工程研究所研究员、博士生导师，主要研究方向为密码理论、安全协议、网络空间安全等。
基金资助:
国家重点研发计划课题基金资助项目(2017YFB1010000);国家高技术研究发展计划（“863”计划）基金资助项目(2015AA016106);中国科学院信息工程研究所“青年之星”计划基金资助项目(Y7Z0201105);国家自然科学基金资助项目(61471141);深圳市技术攻关基金资助项目(JSGG20160427185010977)

Moving target defense against network eavesdropping attack using POF

Duohe MA¹,Qiong LI²(),Dongdai LIN¹

¹ State Key Laboratory of Information Security,Institute of Information Engineering,CAS,Beijing 100093,China
² Institute of Information Countermeasure Techniques,School of Computer Science and Technology,Harbin Institute of Technology,Harbin 150001,China

Revised:2017-12-10 Online:2018-02-01 Published:2018-03-28
Supported by:
The National Key Research and Development Program of China(2017YFB1010000);The National High Technology Research and Development Program of China (863 Program)(2015AA016106);“Young Scientist Program” of Institute of Information Engineering CAS(Y7Z0201105);The National Natural Science Foundation of China(61471141);The Key Technology Program of Shenzhen(JSGG20160427185010977)

摘要/Abstract

摘要：

网络窃听攻击是网络通信安全的重大威胁，它具有隐蔽性和无干扰性的特点，很难通过传统的流量特征识别的被动防御方法检测到。而现有的路径加密和动态地址等方法只能混淆网络协议的部分字段，不能形成全面的防护。提出一种基于协议无感知转发（POF,protocol-oblivious forwarding）技术的移动目标防御（MTD,moving target defense）方法，通过私有协议分组随机化策略和动态路径欺骗分组随机丢弃策略，大大提高攻击者实施网络窃听的难度，保障网络通信过程的隐私性。通过实验验证和理论分析证明了该方法的有效性。

关键词: 移动目标防御, 窃听攻击, 协议栈随机化, 网络空间欺骗, 协议无感知转发

Abstract:

Eavesdropping attack hereby was the major attack for traditional network communication.As this kind of attacks was stealthy and untraceable,it was barely detectable for those feature detection or static configuration based passive defense approaches.Since existing encryption or dynamic address methods could only confuse part of fields of network protocols,they couldn’t form a comprehensive protection.Therefore a moving target defense method by utilizing the protocol customization ability of protocol-oblivious forwarding (POF) was proposed,through private protocol packet randomization strategy and randomly drop deception-packets on dynamic paths strategy.It could greatly increase the difficulty of implementing network eavesdropping attack and protect the privacy of the network communication process.Experiments and compare studies show its efficiency.

Key words: moving target defense, eavesdropping attack, protocol randomization, cyber space deception

中图分类号:

TP393

马多贺,李琼,林东岱. 基于POF的网络窃听攻击移动目标防御方法[J]. 通信学报, 2018, 39(2): 73-87.

Duohe MA,Qiong LI,Dongdai LIN. Moving target defense against network eavesdropping attack using POF[J]. Journal on Communications, 2018, 39(2): 73-87.

图/表 11

图1

图2

图3

图4

图5

图6

图7

图8

表1

表2

MTD模型的随机化程度对比"

模型	协议空间	路径空间	封包空间	消息内容空间	抗数据分组窃听	抗会话消息窃听
IP MTD	32	0	0	0	P	×
Port MTD	16	0	0	0	×	×
End MTD	48	0	0	0	P	×
MT6D	128	0	0	0	P	×
POFMTD	12 000	$\ln (S i z e (S S_{r}))$	$\ln (S i z e (S S_{p}))$	$\ln (S i z e (S S_{m}))$	√	√

表2

图9

参考文献 37

[1]	ZHANG P , JIANG Y , LIN C ,et al. P-coding:secure network coding against eavesdropping attacks[C]// INFOCOM. 2010: 1-9.
[2]	XIA H D,JOSé C B , . Hardening web browsers against man-in-themiddle and eavesdropping attacks[C]// The 14th International Conference on World Wide Web. 2005.
[3]	KEWLEY D , FINK R , LOWRY J ,et al. Dynamic approaches to thwart adversary intelligence gathering[C]// DARPA Information Survivability Conference ＆ Exposition II. 2001: 176-185.
[4]	CHOI H , PATRICK M D , THOMAS F ,et al. Privacy preserving communication in MANETs[C]// The 4th Annual IEEE Communications Society Conference on Sensor,Mesh and Ad Hoc Communications and Networks. 2007: 233-242.
[5]	HWANG H , JUNG G , SOHN K ,et al. A study on MITM (man in the middle) vulnerability in wireless network using 802.1 X and EAP[C]// International Conference on Information Science and Security. 2008: 164-170.
[6]	WAGNER R . Address resolution protocol spoofing and man-in-themiddle attacks[J]. The SANS Institute, 2001
[7]	SYVERSON P F , GOLDSCHLAG D M , REED M G . Anonymous connections and onion routing[C]// IEEE Symposium on Security and Privacy. 1997: 44-54.
[8]	ZHANG P , JIANG Y , LIN C ,et al. Padding for orthogonality:Efficient subspace authentication for network coding[C]// INFOCOM. 2011: 1026-1034.
[9]	SIFALAKIS M , SCHMID S , HUTCHISON D . Network address hopping:a mechanism to enhance data protection for packet communications[C]// 2005 IEEE International Conference on Communications. 2005: 1518-1523.
[10]	JAJODIA S , GHOSH A K , SWARUP V ,et al. Moving target defense:creating asymmetric uncertainty for cyber threats[J]. Springer Ebooks, 2011:54.
[11]	ANTONATOS S , AKRITIDIS P , MARKATOS E P ,et al. Defending against hitlist worms using network address space randomization[J]. Computer Networks, 2007,51(12): 3471-3490.
[12]	JAFARIAN J H , AL-SHAER E , DUAN Q . OpenFlow random host mutation:Transparent moving target defense using software defined networking[C]// The First Workshop on Hot Topics in Software Defined Networks. 2012: 127-132.
[13]	DUNLOP M , GROAT S , URBANSKI W ,et al. MT6D:a moving target IPv6 defense[C]// Military Communications Conference. 2011: 1321-1326.
[14]	LEE H C J , THING V L L . Port hopping for resilient networks[C]// Vehicular Technology Conference. 2004: 3291-3295.
[15]	ERIKSSON J , FALOUTSOS M , SRIKANTH V ,et al. Routing amid colluding attackers[C]// IEEE International Conference on Network Protocols, 2007.
[16]	REED M , GOLDSCHLAG D . Onion routing[J]. Communications of the ACM, 1999(42): 39-41.
[17]	GOLDSCHLAG D M , MICHAEL G R , PAUL F . Syverson hiding routing information[J]. Information Hiding,Springer Berlin Heidelberg, 1996,1174: 137-150.
[18]	SHI L , JIA C . Lü S ,et al. Port and address hopping for active cyber-defense[C]// Intelligence and Security Informatics. Springer Berlin Heidelberg, 2007: 295-300.
[19]	CHOWDHARY A , SANDEEP P , DIJIANG H . SDN based scalable MTD solution in cloud network[J]// 2016 ACM Workshop on Moving Target Defense. 2016: 27-36.
[20]	SONG H , GONG J , CHEN H ,et al. Unified POF programming for Diversified SDN Data Plane[J]. Eprint Arxiv, 2014: 92-97.
[21]	AL-SHAER E . Toward network configuration randomization for moving target defense[J]. Moving Target Defense,Springer New York, 2011: 153-159.
[22]	ASOKAN N , VALTTERI N , KAISA N . Man-in-the-middle in tunnelled authentication protocols[C]// International Conference on Security Protocols. 2003: 42-48.
[23]	BOSSHART P , DAN D , IZZARD M ,et al. Programming protocol-independent packet processors[J]. ACM Sigcomm Computer Communication Review, 2013,44(3): 87-95.
[24]	WANG Z , WANG L , GAO X ,et al. An architecture of content-centric networking over protocol-oblivious forwarding[C]// IEEE Globecom Workshops. 2015: 1-5.
[25]	TAN X , ZOU S , GUO H ,et al. POFOX:towards controlling the protocol oblivious forwarding network[C]// Advances in Parallel and Distributed Computing and Ubiquitous Services. Springer Singapore, 2016.
[26]	HU D , LI S , XUE N ,et al. Design and demonstration of SDN-based flexible flow converging with protocol-oblivious forwarding (POF)[C]// IEEE Global Communications Conference. 2015: 1-6.
[27]	CORBETT C , UHER J , COOK J ,et al. Countering intelligent jamming with full protocol stack agility[J]. IEEE Security ＆ Privacy Magazine, 2014,12(2): 44-50.
[28]	张朝昆, 崔勇, 唐翯祎 ,等. 软件定义网络 (SDN) 研究进展[J]. 软件学报, 2015,26(1): 62-81.
	ZHANG C K , CUI Y , TANG H Y ,et al. State-of-the-art survey on software-defined networking (SDN)[J]. Journal of Software, 2015,26(1): 62-81.
[29]	CARROLL T E , CROUSE M , FUIP E W ,et al. Analysis of network address shuffling as a moving target defense[C]// 2014 IEEE International Conference on Communications (ICC). 2014: 701-706.
[30]	石乐义, 贾春福, 吕述望 . 基于端信息跳变的主动网络防护研究[J]. 通信学报, 2008,29(2): 106-110.
	SHI L Y , JIA C F , LYU S W . Research on end hopping for active network confrontation[J]. Journal on Communications, 2008,29(2): 106-110.
[31]	MA D , XU Z , LIN D . A moving target defense approach based on POF to thwart blind DDoS attack[C]// International Conference on Computer Communications ＆ Networks. 2015.
[32]	李佟, 葛敬国, 鄂跃鹏 ,等. 基于标签的 POF 网络虚拟化技术研究[J]. 计算机应用研究, 2017,34(3).
	LI T , GE J G , E Y P ,et al. Label-based POF network virtualization[J]. Application Research of Computers, 2017,34(3).
[33]	MA D H , WANG L , LEI C ,et al. Thwart eavesdropping attacks on network communication based on moving target defense[C]// Performance Computing and Communications Conference (IPCCC). 2017: 1-2.
[34]	JAJODIA S , WANG C , SUBRAHMANIAN V ,et al. Cyber deception[M]. Springer International Publishing, 2016.
[35]	JAJODIA S , PARK N , PIERAZZI F ,et al. A probabilistic logic of cyber deception[J]. IEEE Transactions on Information Forensics ＆Security, 2017(99): 1-1.
[36]	ALBANESE M , BATTISTA E , JAJODIA S . Deceiving attackers by creating a virtual attack surface[M]// Cyber Deception. Springer International Publishing, 2016.
[37]	AL-SHAER E , GILLANI S F . Agile virtual infrastructure for cyber deception against stealthy DDoS attacks[M]// Cyber Deception. Springer International Publishing, 2016.

消息分组数量	欺骗分组数量	协议数量	传输路径数（含S₁→S₂）	窃听数据分组比例	重组会话成功率	通信端接收数据分组比例
10	0	1（标准UDP）	1	100%	100%	100%
9	1	1(私有协议)	1	100%(含欺骗数据)	0(fail)	100%（不含欺骗数据）
100	0	2(私有协议)	2	35%	0(fail)	100%
1 000	0	5(私有协议)	2	30%	0(fail)	100%
10 000	0	5(私有协议)	4	5%~11%	0(fail)	95%~100%

基于POF的网络窃听攻击移动目标防御方法

Moving target defense against network eavesdropping attack using POF

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 11

参考文献 37

相关文章 7

Metrics

推荐阅读 0

[1]	徐潇雨, 胡浩, 张红旗, 刘玉岭. 基于深度确定性策略梯度的随机路由防御方法[J]. 通信学报, 2021, 42(6): 41-51.
[2]	陈福才,何威振,程国振,霍树民,周大成. 基于DPDK的内网动态网关关键技术设计[J]. 通信学报, 2020, 41(6): 139-151.
[3]	谭晶磊,张恒巍,张红旗,金辉,雷程. 基于Markov时间博弈的移动目标防御最优策略选取方法[J]. 通信学报, 2020, 41(1): 42-52.
[4]	蒋侣,张恒巍,王晋东. 基于信号博弈的移动目标防御最优策略选取方法[J]. 通信学报, 2019, 40(6): 128-137.
[5]	雷程,马多贺,张红旗,韩琦,杨英杰. 基于最优路径跳变的网络移动目标防御技术[J]. 通信学报, 2017, 38(3): 133-143.
[6]	胡毅勋,郑康锋,杨义先,钮心忻. 基于OpenFlow的网络层移动目标防御方案[J]. 通信学报, 2017, 38(10): 102-112.
[7]	雷程,马多贺,张红旗,杨英杰,王淼. 基于变点检测的网络移动目标防御效能评估方法[J]. 通信学报, 2017, 38(1): 126-140.