Chinese Journal of Network and Information Security ›› 2021, Vol. 7 ›› Issue (6): 44-55. doi: 10.11959/j.issn.2096-109x.2021104
Weizhen HE1, Fucai CHEN1, Jie NIU2, Jinglei TAN1, Shumin HUO1, Guozhen CHENG1
Revised:
2021-04-27
Online:
2021-12-15
Published:
2021-12-01
About the author:
Weizhen HE (born 1996), male, from Bozhou, Anhui; master's student at Information Engineering University; main research interests: network security and moving target defense.
Abstract:
First, the basic concept of network layer hopping is introduced and the security threats it can defend against are identified. Next, two models and communication modes of network layer hopping are presented, one for traditional networks and one for software-defined networks. Then, network layer hopping techniques are classified along three dimensions, namely the hopped attribute, the implementation approach, and the hop trigger mechanism, and two evaluation models for network layer hopping are presented. Finally, the open problems of network layer hopping and the corresponding directions for future work are summarized.
Weizhen HE, Fucai CHEN, Jie NIU, Jinglei TAN, Shumin HUO, Guozhen CHENG. Research progress on dynamic hopping technology for network layer[J]. Chinese Journal of Network and Information Security, 2021, 7(6): 44-55.
Table 1 Security threats defended by typical network layer hopping techniques
Technique | Scanning attack | DDoS attack | Worm propagation | APT attack |
DYNAT (Kewley et al.) | √ | √ | | |
NASR (Antonatos et al.) | √ | √ | | |
MT6D (Dunlop et al.) | | | | |
Port Hopping (Lee et al.) | √ | | | |
RPH (Badishi et al.) | √ | | | |
RHM (Jafarian et al.) | √ | √ | | |
OF-RHM (Jafarian et al.) | √ | √ | | |
STAM (Jafarian et al.) | √ | √ | √ | |
End hopping (Shi et al.) | √ | √ | | |
Table 2 Classification of network layer hopping techniques and the advantages and disadvantages of each class
Criterion | Class | Advantages | Disadvantages | References |
Hopped attribute | Single-attribute hopping | The hopping system is relatively simple to implement | Cannot defend against advanced attackers who attack via other network attributes | Refs. [8,10,22] |
Hopped attribute | Coordinated multi-attribute hopping | Hopping several attributes together further shrinks the attack surface and improves system security | Greater impact on network transmission performance; the hopping of the different attributes must be coordinated | Refs. [ |
Implementation approach | Traditional network | Supports high-rate hopping, increasing the unpredictability of the hops | Changes existing network protocols; severe network performance loss | Refs. [5,22,26,33-36] |
Implementation approach | SDN-based | Flexible network architecture that eases deployment of the hopping system | Requires SDN controllers and SDN switches, so deployment cost is high; the SDN controller carries inherent security threats of its own | Refs. [12,25,37-40] |
Trigger mechanism | Non-adaptive hopping | Simple to deploy | Hard to balance security and communication performance: a long hop period cannot defend against the attacker, while a short hop period degrades communication performance | Refs. [5-10,12,21-26,28-40] |
Trigger mechanism | Adaptive hopping | Reacts to observed attack behaviour, which can to some extent reduce the impact of hopping on communication performance | Attack behaviour is hard to characterise perfectly, so false negatives and false positives occur | Refs. [ |
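Table 2 lists time-driven (non-adaptive) hopping with its hop-period trade-off, and the traditional-network end-hopping implementations that rely on timestamp synchronisation (refs [34-36]). The following Python sketch is added here as an illustration and is not code from the paper or from any of the surveyed systems: both ends derive the (address, port) pair of the current time slot from a shared key, and the receiver tolerates a small clock skew between the two ends. The shared key, the address pool, the port range and the hop period are constructed values.

```python
import hashlib
import hmac

# Constructed example values (assumptions for this illustration, not from
# the paper): a key shared by the two communicating ends and the pools of
# addresses and ports the defender is willing to hop across.
SHARED_KEY = b"constructed-demo-key"
ADDRESS_POOL = [f"10.0.0.{i}" for i in range(10, 20)]   # 10 candidate addresses
PORT_RANGE = (20000, 60000)                              # candidate service ports
HOP_PERIOD = 5.0                                         # seconds per hop slot


def slot_of(now, period=HOP_PERIOD):
    """Map a wall-clock time (seconds) to the index of the hop slot it falls in."""
    return int(now // period)


def endpoint_for_slot(slot, key=SHARED_KEY, pool=ADDRESS_POOL, ports=PORT_RANGE):
    """Derive the (address, port) pair that is valid during `slot`.
    Both ends compute it from the shared key and the slot index, so no
    hop schedule ever has to be transmitted over the network."""
    digest = hmac.new(key, slot.to_bytes(8, "big", signed=True), hashlib.sha256).digest()
    address = pool[int.from_bytes(digest[:4], "big") % len(pool)]
    lo, hi = ports
    port = lo + int.from_bytes(digest[4:8], "big") % (hi - lo)
    return address, port


def sender_target(now, **kw):
    """Sender side: the endpoint to address a packet sent at time `now`."""
    return endpoint_for_slot(slot_of(now), **kw)


def receiver_accepts(address, port, now, skew_slots=1, **kw):
    """Receiver side: accept a packet only if it arrived at the endpoint of
    the current slot or of an adjacent slot. The +-skew_slots window is the
    tolerance for clock drift between the two ends (the distributed timestamp
    synchronisation problem of refs [34,35]); a packet aimed at an older
    endpoint is dropped, which is what makes stale reconnaissance useless."""
    current = slot_of(now)
    for s in range(current - skew_slots, current + skew_slots + 1):
        if endpoint_for_slot(s, **kw) == (address, port):
            return True
    return False
```

Shortening HOP_PERIOD tightens the window in which a learned endpoint stays usable, at the cost of more frequent re-synchronisation and flow disruption, which is exactly the trade-off Table 2 attributes to non-adaptive hopping.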
Table 3 Key models of network layer hopping techniques and their advantages and disadvantages
Theoretical model | Related techniques | Advantages | Disadvantages | References |
Game-theoretic model | Complete-information game; incomplete-information game | Effectively models the behaviour of attacker and defender; the optimal hop period can be obtained from the multi-party game | High solution complexity | Refs. [25,44,46-48] |
Probabilistic model | Attack graph; probability theory | Convenient for analysing the effectiveness of hopping and for solving for the optimal hopping strategy | Attacker and defender are abstracted at too high a level; the model is static and cannot capture complex network attack and defence scenarios | Refs. [ |
[1] Symantec. Internet security threat report[R]. 2016.
[2] Trend Micro. Understanding targeted attacks: the impact of targeted attacks[R]. 2015.
[3] JAJODIA S, GHOSH A K, SWARUP V, et al. Moving target defense[M]. New York, NY: Springer New York, 2011.
[4] CHO J H, SHARMA D P, ALAVIZADEH H, et al. Toward proactive, adaptive defense: a survey on moving target defense[J]. IEEE Communications Surveys & Tutorials, 2020, 22(1): 709-745.
[5] KEWLEY D, FINK R, LOWRY J, et al. Dynamic approaches to thwart adversary intelligence gathering[C]// Proceedings of DARPA Information Survivability Conference and Exposition II (DISCEX'01). 2001: 176-185.
[6] ATIGHETCHI M, PAL P, WEBBER F, et al. Adaptive use of network-centric mechanisms in cyber-defense[C]// Proceedings of the Sixth IEEE International Symposium on Object-Oriented Real-Time Distributed Computing. 2003: 183-192.
[7] DUNLOP M, GROAT S, URBANSKI W, et al. MT6D: a moving target IPv6 defense[C]// Proceedings of MILCOM 2011 Military Communications Conference. 2011: 1321-1326.
[8] AL-SHAER E, DUAN Q, JAFARIAN J H. Random host mutation for moving target defense[M]// Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering. Berlin, Heidelberg: Springer, 2013: 310-327.
[9] SHI L Y, JIA C F, LYU S W. Research on end hopping for active network confrontation[J]. Journal on Communications, 2008, 29(2): 106-110. (in Chinese)
[10] DUAN Q, AL-SHAER E, JAFARIAN H. Efficient random route mutation considering flow and network constraints[C]// Proceedings of 2013 IEEE Conference on Communications and Network Security (CNS). 2013: 260-268.
[11] HONG J B, KIM D S. Assessing the effectiveness of moving target defenses using security models[J]. IEEE Transactions on Dependable and Secure Computing, 2016, 13(2): 163-177.
[12] JAFARIAN J H, AL-SHAER E, DUAN Q. OpenFlow random host mutation: transparent moving target defense using software defined networking[C]// Proceedings of the First Workshop on Hot Topics in Software Defined Networks. 2012: 127-132.
[13] YOON S, CHO J H, KIM D S, et al. Poster: address shuffling based moving target defense for in-vehicle software-defined networks[C]// Proceedings of MobiCom '19: The 25th Annual International Conference on Mobile Computing and Networking. 2019: 1-3.
[14] CARROLL T E, CROUSE M, FULP E W, et al. Analysis of network address shuffling as a moving target defense[C]// Proceedings of 2014 IEEE International Conference on Communications (ICC). 2014: 701-706.
[15] DUAN Q, AL-SHAER E, JAFARIAN H. Efficient random route mutation considering flow and network constraints[C]// Proceedings of 2013 IEEE Conference on Communications and Network Security (CNS). 2013: 260-268.
[16] ZHOU Z, XU C Q, KUANG X H, et al. An efficient and agile spatio-temporal route mutation moving target defense mechanism[C]// Proceedings of ICC 2019 - 2019 IEEE International Conference on Communications (ICC). Piscataway: IEEE Press, 2019: 1-6.
[17] LUO Y B, WANG B S, WANG X F, et al. RPAH: random port and address hopping for thwarting internal and external adversaries[C]// Proceedings of 2015 IEEE Trustcom/BigDataSE/ISPA. 2015: 263-270.
[18] AYDEGER A, SAPUTRO N, AKKAYA K, et al. Mitigating crossfire attacks using SDN-based moving target defense[C]// Proceedings of 2016 IEEE 41st Conference on Local Computer Networks (LCN). 2016: 627-630.
[19] CLARK A, SUN K, BUSHNELL L, et al. A game-theoretic approach to IP address randomization in decoy-based cyber defense[M]// Lecture Notes in Computer Science. 2015: 3-21.
[20] GROAT S, DUNLOP M, URBANSKI W, et al. Using an IPv6 moving target defense to protect the smart grid[C]// Proceedings of 2012 IEEE PES Innovative Smart Grid Technologies (ISGT). 2012: 1-7.
[21] WU H, CHEN T Z. A DDoS defense method based on port and address hopping in SDN[J]. Cyberspace Security, 2020, 11(8): 17-22. (in Chinese)
[22] LEE H C J, THING V L L. Port hopping for resilient networks[C]// Proceedings of IEEE 60th Vehicular Technology Conference (VTC2004-Fall). 2004: 3291-3295.
[23] SHI L Y, JIA C F, LÜ S, et al. Port and address hopping for active cyber-defense[M]// Intelligence and Security Informatics. Berlin, Heidelberg: Springer Berlin Heidelberg, 2007: 295-300.
[24] ANTONATOS S, AKRITIDIS P, MARKATOS E P, et al. Defending against hitlist worms using network address space randomization[J]. Computer Networks, 2007, 51(12): 3471-3490.
[25] JAFARIAN J H H, AL-SHAER E, DUAN Q. Spatio-temporal address mutation for proactive cyber agility against sophisticated attackers[C]// Proceedings of the First ACM Workshop on Moving Target Defense (MTD '14). 2014: 69-78.
[26] BADISHI G, HERZBERG A, KEIDAR I. Keeping denial-of-service attackers in the dark[J]. IEEE Transactions on Dependable and Secure Computing, 2007, 4(3): 191-204.
[27] REHMANI M H, DAVY A, JENNINGS B, et al. Software defined networks-based smart grid communication: a comprehensive survey[J]. IEEE Communications Surveys & Tutorials, 2019, 21(3): 2637-2670.
[28] CHEN Y, HU H C, CHENG G Z. The design and implementation of a software-defined intranet dynamic defense system[J]. Acta Electronica Sinica, 2018, 46(11): 2604-2611. (in Chinese)
[29] JAFARIAN J H, NIAKANLAHIJI A, AL-SHAER E, et al. Multi-dimensional host identity anonymization for defeating skilled attackers[C]// Proceedings of the 2016 ACM Workshop on Moving Target Defense (MTD '16). 2016: 47-58.
[30] LUO Y B, WANG B S, WANG X F, et al. RPAH: random port and address hopping for thwarting internal and external adversaries[C]// Proceedings of 2015 IEEE Trustcom/BigDataSE/ISPA. Piscataway: IEEE Press, 2015: 263-270.
[31] SHARMA D P, CHO J H, MOORE T J, et al. Random host and service multiplexing for moving target defense in software-defined networks[C]// Proceedings of ICC 2019 - 2019 IEEE International Conference on Communications (ICC). 2019: 1-6.
[32] WANG K, CHEN X, ZHU Y F. Random domain name and address mutation (RDAM) for thwarting reconnaissance attacks[J]. PLoS One, 2017, 12(5): e0177111.
[33] SIFALAKIS M, SCHMID S, HUTCHISON D. Network address hopping: a mechanism to enhance data protection for packet communications[C]// Proceedings of IEEE International Conference on Communications (ICC 2005). 2005: 1518-1523.
[34] LIN K, JIA C. Distributed timestamp synchronization for end hopping[J]. China Communications, 2011, 8(4): 164-169.
[35] LIN K, JIA C F, SHI L Y. Improvement of distributed timestamp synchronization[J]. Journal on Communications, 2012, 33(10): 110-116. (in Chinese)
[36] SHI L Y, GUO H B, WEN X, et al. Research on end hopping and spreading for active cyber defense[J]. Journal on Communications, 2019, 40(5): 125-135. (in Chinese)
[37] JAFARIAN J H, AL-SHAER E, DUAN Q. An effective address mutation approach for disrupting reconnaissance attacks[J]. IEEE Transactions on Information Forensics and Security, 2015, 10(12): 2562-2577.
[38] HU Y X, ZHENG K F, YANG Y X, et al. Moving target defense solution on network layer based on OpenFlow[J]. Journal on Communications, 2017, 38(10): 102-112. (in Chinese)
[39] SHARMA D P, KIM D S, YOON S, et al. FRVM: flexible random virtual IP multiplexing in software-defined networks[C]// Proceedings of 2018 17th IEEE International Conference on Trust, Security and Privacy in Computing and Communications / 12th IEEE International Conference on Big Data Science and Engineering (TrustCom/BigDataSE). 2018: 579-587.
[40] CHANG S Y, PARK Y, ASHOK BABU B B. Fast IP hopping randomization to secure hop-by-hop access in SDN[J]. IEEE Transactions on Network and Service Management, 2019, 16(1): 308-320.
[41] JAFARIAN J H, AL-SHAER E, DUAN Q. Adversary-aware IP address randomization for proactive agility against sophisticated attackers[C]// Proceedings of 2015 IEEE Conference on Computer Communications (INFOCOM). 2015: 738-746.
[42] MA D H, LEI C, WANG L M, et al. A self-adaptive hopping approach of moving target defense to thwart scanning attacks[M]// Information and Communications Security. Cham: Springer International Publishing, 2016: 39-53.
[43] WANG P C, CHEN F C, CHENG G Z, et al. L2/L3 address cooperative mimicry strategy research based on SDN[J]. Acta Electronica Sinica, 2019, 47(10): 2032-2039. (in Chinese)
[44] YOON S, CHO J H, KIM D S, et al. Attack graph-based moving target defense in software-defined networks[J]. IEEE Transactions on Network and Service Management, 2020, 17(3): 1653-1668.
[45] WANG H X, LI F, CHEN S Q. Towards cost-effective moving target defense against DDoS and covert channel attacks[C]// Proceedings of the 2016 ACM Workshop on Moving Target Defense. 2016: 15-25.
[46] CARROLL T E, CROUSE M, FULP E W, et al. Analysis of network address shuffling as a moving target defense[C]// Proceedings of 2014 IEEE International Conference on Communications (ICC). 2014: 701-706.
[47] CLARK A, SUN K, POOVENDRAN R. Effectiveness of IP address randomization in decoy-based moving target defense[C]// Proceedings of the 52nd IEEE Conference on Decision and Control. 2013: 678-685.
[48] MALEKI H, VALIZADEH S, KOCH W, et al. Markov modeling of moving target defense games[C]// Proceedings of the 2016 ACM Workshop on Moving Target Defense. 2016: 81-92.
[49] MANADHATA P K. Game theoretic approaches to attack surface shifting[M]// Moving Target Defense II. New York, NY: Springer New York, 2012: 1-13.
[50] LEI C, MA D H, ZHANG H Q. Optimal strategy selection for moving target defense based on Markov game[J]. IEEE Access, 2017, 5: 156-169.
[51] FENG X T, ZHENG Z Z, MOHAPATRA P, et al. A Stackelberg game and Markov modeling of moving target defense[M]// Lecture Notes in Computer Science. Cham: Springer International Publishing, 2017: 315-335.
[52] CHEN Y Q, WU X P, FU Y, et al. Active defense strategy selection of network based on fuzzy static Bayesian game model[J]. Application Research of Computers, 2015, 32(3): 887-889, 899. (in Chinese)
[53] ZHU Q Y, BAŞAR T. Game-theoretic approach to feedback-driven multi-stage moving target defense[M]// Lecture Notes in Computer Science. Cham: Springer International Publishing, 2013: 246-263.
[54] LEI C, ZHANG H Q, WAN L M, et al. Incomplete information Markov game theoretic approach to strategy generation for moving target defense[J]. Computer Communications, 2018, 116: 184-199.
[55] TAN J L, LEI C, ZHANG H Q, et al. Optimal strategy selection approach to moving target defense based on Markov robust game[J]. Computers & Security, 2019, 85: 63-76.
[56] LEI C, ZHANG H Q, TAN J L, et al. Moving target defense techniques: a survey[J]. Security and Communication Networks, 2018, 2018: 1-25.
[57] ZHANG M Y, JIN Z, ZHAO H Y, et al. Survey of machine learning enabled software self-adaptation[J]. Journal of Software, 2020, 31(8): 2404-2431. (in Chinese)
[58] CHENG K, BAI Y B, ZHOU Y, et al. CANeleon: protecting CAN bus with frame ID chameleon[J]. IEEE Transactions on Vehicular Technology, 2020, 69(7): 7116-7130.