基于最优路径跳变的网络移动目标防御技术

doi:10.11959/j.issn.1000-436x.2017056

Abstract

Abstract:

Moving target defense is a revolutionary technology which changes the situation of attack and defense.How to effectively achieve forwarding path mutation is one of the hotspot in this field.Since existing mechanisms are blindness and lack of constraints in the process of mutation,it is hard to maximize mutation defense benefit under the condition of good network quality of services.A novel of network moving target defense technique based on optimal forwarding path migration was proposed.Satisfiability modulo theory was adopted to formally describe the mutation constraints,so as to prevent transient problem.Optimization combination between routing path and mutation period was chosen by using optimal routing path generation method based on security capacity matrix so as to maximum defense benefit.Theoretical and experimental analysis show the defense cost and benefit in resisting passive sniffing attacks.The capability of achieving maximum defense benefit under the condition of ensuring network quality of service is proved.

Key words: moving target defense, forwarding path migration, satisfiability modulo theory, ransient problem, security capacity matrix, defense benefit maximization

CLC Number:

TP393

Cheng LEI,Duo-he MA,Hong-qi ZHANG,Qi HAN,Ying-jie YANG. Network moving target defense technique based on optimal forwarding path migration[J]. Journal on Communications, 2017, 38(3): 133-143.

Figures/Tables 9

符号	含义
$T_{R M P}$	OFPM跳变周期
$b_{v}^{T_{R M P}} (k)$	布尔变量，表示路由节点 v 在跳变周期 T_RMP内是否转发第k条数据流
$M L_{e}$	跳变转发链路e
$M R_{v}$	跳变路由节点v
C _v (k)	路由节点承载数据流k时的边际成本
C _e (k)	转发链路承载数据流k时的边际成本
$χ (M R_{v})$	转发路径中去除源地址和目的地址所属路由后剩余的转发路由节点集合
$d_{v - D}^{k}$	当前路由节点MR_v到目标节点的距离
$s c_{S, D}$	从S到D实现安全转发的路由节点和转发链路的资源容量大小
$c_{S, D}$	S到D间的最大剩余容量
$ω_{S, D}^{s}$	安全系数
$Q {[s c_{S, D}]}_{n \times n}$	从S到D的安全容量矩阵
σ	调整参数

符号	含义
$C_{v}^{t h}$	路由节点需要保留的最小数据量
$C_{v}^{\max}$	路由节点可承载的累计边际成本最大值
$C_{e}^{t h}$	转发链路需要保留的最小数据量
$C_{e}^{\max}$	转发链路可承载的累计边际成本最大值
$L_{\max}$	设定的最大转发路径长度

References 28

[1]	JAJODIA S , GHOSH A K , SWARUP V ,et al. Moving target defense:creating asymmetric uncertainty for cyber threats[M]. Springer Science & Business Media, 2011.
[2]	LEI C , MA D H , ZHANG H Q . Optimal strategy selection for moving target defense based on Markov game[J]. IEEE Access, 2017.
[3]	SUN K , JAJODIA S . Protecting enterprise networks through attack surface expansion[C]// The 2014 Workshop on Cyber Security Analytics,Intelligence and Automation. 2014: 29-32.
[4]	LEI C , MA D , ZHANG H ,et al. Moving target network defense effectiveness evaluation based on change-point detection[J]. Mathematical Problems in Engineering, 2016: 20166-391502.
[5]	YADAV T , RAO A M . Technical aspects of cyber kill chain[C]// International Symposium on Security in Computing and Communication.Springer International Publishing. 2015: 438-452.
[6]	DUAN Q,AL-SHAER E , JAFARIAN H . Efficient random route mutation considering flow and network constraints[C]// IEEE Conference on Communications and Network Security (CNS). 2013: 260-268.
[7]	NELAKUDITI S , LEE S , YU Y ,et al. Fast local rerouting for handling transient link failures[J]. IEEE/ACM Transactions on Networking (ToN), 2007,15(2): 359-372.
[8]	JAFARIAN J H , AL-SHAER E , DUAN Q . Formal approach for route agility against persistent attackers[C]// European Symposium on Research in Computer Security. 2013: 237-254.
[9]	DOLEV S , DAVID S T . SDN-Based Private Interconnection[C]// 2014 IEEE 13th International Symposium on Network Computing and Applications (NCA). 2014: 129-136.
[10]	SHU T , KRUNZ M , LIU S . Secure data collection in wireless sensor networks using randomized dispersive routes[J]. IEEE Transactions on Mobile Computing, 2010,9(7): 941-954.
[11]	BOHACEK S , HESPANHA J P , LEE J ,et al. Game theoretic stochastic routing for fault tolerance and security in computer networks[J]. IEEE Transactions on Parallel and Distributed Systems, 2007,18(9): 1227-1240.
[12]	GILLANI F,AL-SHAER E , LO S , et al . Agile virtualized infrastructure to proactively defend against cyber-attacks[C]// 2015 IEEE Conference on Computer Communications (INFOCOM). 2015: 729-737.
[13]	BJ?RNER N , DE MOURA L . Z310:applications,enablers,challenges and directions[C]// Sixth International Workshop on Constraints in Formal Verification. 2009.
[14]	QAZI Z A , LEE J , JIN T ,et al. Application-awareness in SDN[J]. ACM SIGCOMM Computer Communication Review, 2013,43(4): 487-488.
[15]	HAN S , PENG Z , WANG S . The maximum flow problem of uncertain network[J]. Information Sciences, 2014,265: 167-175.
[16]	YU M , YI Y , REXFORD J ,et al. Rethinking virtual network embedding:substrate support for path splitting and migration[J]. ACM SIGCOMM Computer Communication Review, 2008,38(2): 17-29.
[17]	COHEN R,LEWIN-EYTAN L , NAOR J S , et al . On the effect of forwarding table size on SDN network utilization[C]// IEEE INFOCOM 2014-IEEE Conference on Computer Communications. 2014: 1734-1742.
[18]	KAR K , KODIALAM M , LAKSHMAN T V ,et al. Routing for network capacity maximization in energy-constrained ad hoc networks[C]// INFOCOM. 2003.
[19]	LIANG W , GUO X . On-line multicasting for network capacity maximization in energy-constrained ad hoc networks[J]. IEEE Transactions Mobile Computing, 2006,5: 1215-1227.
[20]	HUANG M , LIANG W , XU Z ,et al. Dynamic routing for network throughput maximization in software-defined networks[C]// IEEE INFOCOM The 35th Annual IEEE International Conference on Computer Communications. 2016: 978-986.
[21]	PENG B , KEMP A H , BOUSSAKTA S . QoS routing with bandwidth and hop-count consideration:a performance perspective[J]. Journal of Communications, 2006,1(2): 1-11.
[22]	JACOBSON V . Congestion avoidance and control[J]. ACM SIGCOMM Computer Communication Review, 1988,18(4): 314-329
[23]	HAO J , ORLIN J . A faster algorithm for finding the minimum cut in a directed graph[J]. Journal of Algorithms, 1994,17(3): 424-446.
[24]	KIRKPATRICK K . Software-defined networking[J]. Communications of the ACM, 2013,56(9): 16-19.
[25]	LEUNG K C , LI V O K , YANG D . An overview of packet reordering in transmission control protocol(TCP):problems,solutions,and challenges[J]. IEEE Transactions on Parallel & Distributed Systems, 2007,18: 522-535.
[26]	LANTZ B , HELLER B , MCKEOWN N . A network in a laptop:rapid prototyping for software-defined networks[C]// The 9th ACM SIGCOMM Workshop on Hot Topics in Networks. 2010.
[27]	MCKEOWN N , ANDERSON T , BALAKRISHNAN H ,et al. OpenFlow:enabling innovation in campus networks[J]. ACM SIGCOMM Computer Communication Review, 2008,38(2): 69-74.
[28]	MEDVED J , VARGA R , TKACIK A ,et al. Opendaylight:towards a model-driven SDN controller architecture[C]// 2014 IEEE 15th International Symposium on a World of Wireless,Mobile and Multimedia Networks. 2014: 1-6.

Metrics

Recommended 0

No Suggested Reading articles found!

Network moving target defense technique based on optimal forwarding path migration

RichHTML

PDF

Knowledge

Cited

Abstract

Cite this article

share this article

Figures/Tables 9

References 28

Related Articles 8

Metrics

Recommended 0

[1]	Xiaoyu XU, Hao HU, Hongqi ZHANG, Yuling LIU. Random routing defense method based on deep deterministic policy gradient [J]. Journal on Communications, 2021, 42(6): 41-51.
[2]	Fucai CHEN,Weizhen HE,Guozhen CHENG,Shumin HUO,Dacheng ZHOU. Design of key technologies for intranet dynamic gateway based on DPDK [J]. Journal on Communications, 2020, 41(6): 139-151.
[3]	Jinglei TAN,Hengwei ZHANG,Hongqi ZHANG,Hui JIN,Cheng LEI. Optimal strategy selection approach of moving target defense based on Markov time game [J]. Journal on Communications, 2020, 41(1): 42-52.
[4]	JIANG Lyu,ZHANG Hengwei,WANG Jindong. Optimal strategy selection method for moving target defense based on signaling game [J]. Journal on Communications, 2019, 40(6): 128-137.
[5]	Duohe MA,Qiong LI,Dongdai LIN. Moving target defense against network eavesdropping attack using POF [J]. Journal on Communications, 2018, 39(2): 73-87.
[6]	Qi-xuan WU,Jian-feng MA,Cong SUN,Shuai ZHANG,Shuang ZHANG,Tao ZHENG. Constraint analysis for extended dynamic fault tree [J]. Journal on Communications, 2017, 38(9): 159-166.
[7]	Yi-xun HU,Kang-feng ZHENG,Yi-xian YANG,Xin-xin NIU. Moving target defense solution on network layer based on OpenFlow [J]. Journal on Communications, 2017, 38(10): 102-112.
[8]	Cheng LEI,Duo-he MA,Hong-qi ZHANG,Ying-jie YANG,Miao WANG. Performance assessment approach based on change-point detection for network moving target defense [J]. Journal on Communications, 2017, 38(1): 126-140.