基于OpenFlow的网络层移动目标防御方案

doi:10.11959/j.issn.1000-436x.2017202

Abstract

Abstract:

In order to take an active part in network attack and defense,a moving target defense solution on network layer based on OpenFlow was proposed,using the flexibility of network brought by OpenFlow network architecture.On the network layer,through mapping the correspondent nodes’ addresses to pseudo-random virtual addresses in the LAN and mapping correspondent nodes’ ports to virtual ports,achieving the hiding of correspond nodes in the whole network and the information of network architecture.Researches verify the system’s effectiveness.Comparing with existing moving target defense solutions,the proposed algorithm can be deployed easily in the traditional network,and realize comprehensive protection of the corresponding in the whole network.

Key words: active defense, OpenFlow, moving target defense

CLC Number:

TN915.08

Yi-xun HU,Kang-feng ZHENG,Yi-xian YANG,Xin-xin NIU. Moving target defense solution on network layer based on OpenFlow[J]. Journal on Communications, 2017, 38(10): 102-112.

Figures/Tables 14

References 14

[1]	石乐义, 贾春福, 吕述望 . 基于端信息跳变的主动网络防护研究[J]. 通信学报, 2008,29(2): 106-10.
	SHI L Y , JIA C F , LYU S W . Research on end hopping for active network confrontation[J]. Journal on Communications, 2008,29(2): 106-10.
[2]	蔡桂林, 王宝生, 王天佐 ,等. 移动目标防御技术研究进展[J]. 计算机研究与发展, 53(5): 968-987.
	CAI G L , WANG B S , WANG T Z ,et al. Research and development of moving target defense technology[J]. Journal of Computer Research and Development, 53(5): 968-987.
[3]	JACKSON T , SALAMAT B , HOMESCU A ,et al. Compiler-generated software diversity[J]. Moving Target Defense, 2011: 77-98.
[4]	VIKRAM S , YANG C , GU G . Nomad:towards non-intrusive moving-target defense against Web bots[C]// Communications and Network Security (CNS). 2013: 55-63.
[5]	PORTOKALIDIS G , KEROMYTIS A D . Global ISR:toward a comprehensive defense against unauthorized code execution[J]. Moving Target Defense, 2011: 49-76.
[6]	LUCAS B , FULP E W , JOHN D J ,et al. An initial framework for evolving computer configurations as a moving target defense[C]// The 9th Annual Cyber and Information Security Research Conference. 2014: 69-72.
[7]	APPLEGATE S D , . The principle of maneuver in cyber operations[C]// 2012 4th International Conference on Cyber Conflict (CYCON 2012). 2012: 1-13.
[8]	CAI G L , WANG B S , LUO Y B ,et al. Characterizing the running patterns of moving target defense mechanisms[C]// 2016 18th International Conference on Advanced Communication Technology (ICACT). 2016: 191-196.
[9]	TOMMY C , XIONG K Q . Dynamic generation containment systems (DGCS):a moving target defense approach[C]// 3rd International Workshop on Emerging Ideas and Trends in Engineering of Cyber-Physical Systems (EITEC). 2016: 11-16.
[10]	KIRKPATRICK K . Software-defined networking[J]. Communications of the ACM, 2013.
[11]	MCKEOWN N , ANDERSON T , BALAKRISHNAN H ,et al. OpenFlow:enabling innovation in campus networks[C]// ACM SIGCOMM Computer Communication Review. 2008: 69-74.
[12]	JAFARIAN JH , AL-SHAER E , DUAN Q . OpenFlow random host mutation:transparent moving target defense using software defined networking[C]// The first Workshop on Hot Topics in Software Defined Networks. 2012: 127-132.
[13]	AL-SHAER E , DUAN Q , JAFARIAN J H . Random host mutation for moving target defense[C]// SecureComm. 2012: 310-327.
[14]	WANG S L , ZHANG L , TANG C J . A new dynamic address solution for moving target defense[C]// Information Technology,Networking,Electronic and Automation Control Conference. 2016: 1149-1152.

Metrics

Recommended 0

No Suggested Reading articles found!

	策略1			策略2
匹配		行为	匹配		行为
源IP：sIP		改变源IP：newsIP	源IP：newdIP		改变源IP：dIP
目的IP：dIP		改变目的IP：newdIP	目的IP：newsIP		改变目的IP：sIP

交换机ID	匹配	行为
	源IP：sIP	改变源IP：public_IP₁
gateway1	源端口：sPort	改变源端口：newsPort
	目的IP：dIP	改变目的端口：newdPort
	目的端口：dPort

交换机ID	匹配	行为
	源IP：public_IP1	改变源IP：sIP
gateway2	源端口:：newsPort	改变源端口：sPort
	目的IP：dIP	改变目的IP：dIP
	目的端口：dPort	改变目的端口：dPort

设备	用途	区域	参数
同步服务器	同步控制器	域间	IP:192.168.10.55
同步服务器			OS:Ubuntu 10.03
节点1～节点3	计算机通信节点	LAN1	IP:10.0.10.10-12
节点1～节点3	节点1～节点3包含3个节点		OS:Ubuntu 10.03
节点4～节点7	计算机通信节点	LAN1	IP:10.0.20.20-23
节点4～节点7	节点4～节点7包含4个节点		OS:Windows 7
S1	OpenFlow网关交换机	LAN1	连接内网及LAN2内网关交换机S5
S1			域间地址：172.16.0.11
S2	OpenFlow交换机	LAN1	连接节点1～节点3
S3	OpenFlow交换机	LAN1	连接节点4～节点5
S4	OpenFlow交换机	LAN1	连接节点6～节点7
控制器1	搭载移动目标防御组件的OpenFlow控制器	LAN1	IP:10.10.20.10控制器:Floodlight v1.2
节点8	计算机通信节点	LAN2	IP:192.168.40.100-101
节点9	节点8、节点9		OS:Ubuntu 10.03
节点10	计算机通信节点	LAN2	IP:192.168.50.100-101
节点11	节点10、节点11		OS:Ubuntu 10.03
S5	OpenFlow网关交换机	LAN2	连接内网及LAN1内网关交换机S1
S5			域间地址:172.16.0.21
S6	OpenFlow交换机	LAN2	连接节点8、节点9
S7	OpenFlow交换机	LAN2	连接节点10、节点11
控制器2	搭载移动目标防御组件的OpenFlow控制器	LAN2	IP:192.168.20.10
			控制器:Floodlight v1.2

节点	网络地址	虚拟地址
节点1	10.0.10.10	13.22.16.55
节点2	10.0.10.11	95.33.60.152
节点3	10.0.10.12	56.28.99.98
节点4	10.0.20.20	139.65.156.2
节点5	10.0.20.21	66.59.239.67
节点6	10.0.20.22	215.12.178.36
节点7	10.0.20.23	54.33.142.233

Moving target defense solution on network layer based on OpenFlow

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 14

References 14

Related Articles 15

Metrics

Recommended 0

时间	源地址	源端口	目的地址	目的端口
34	172.16.0.11	12082	172.16.0.21	32841
…	…	…	…	…
982	172.16.0.11	8623	172.16.0.21	59210
…	…	…	…	…

功能	RHM	OF-RHM	端信息跳变	基于OpenFlow的网络层移动目标防御方案
移动目标防御方案	好	好	好	好
移动目标防御方案	具有良好的防嗅探能力	具有良好的防嗅探能力	具有良好的防嗅探能力	具有良好的防嗅探能力
兼容性	差	差		与现有网络兼容
兼容性	部署时需要改变现有的网络结构	部署时需要改变现有的网络结构	与现有网络兼容无需改变网络结构	无需改变网络结构且可以保护跨域通信
部署方式	简单	简单	复杂	简单
部署方式	上层透明，用户无需改变通信实现	上层透明，用户无需改变通信实现	需要每个保护节点安装第三方通信库	上层透明，用户无需改变通信实现
防御范围	小	小	小	全网保护
防御范围	仅限于部署的域内区域	仅限于部署的域内区域	仅限于部署的域内区域	对于域内和跨域的通信均实现防御功能

[1]	Zhibin FENG, Yuhua XU, Zhiyong DU, Xin LIU, Wen LI, Hao HAN, Xiaobo ZHANG. Active defense technology against intelligent jammer [J]. Journal on Communications, 2022, 43(10): 42-54.
[2]	Qing TONG, Yunfei GUO, Shumin HUO, Yawen WANG, Yujia MAN, Kai ZHANG. Design of self-adaptive spatio-temporal diversity joint scheduling strategy [J]. Journal on Communications, 2021, 42(7): 12-24.
[3]	Xiaoyu XU, Hao HU, Hongqi ZHANG, Yuling LIU. Random routing defense method based on deep deterministic policy gradient [J]. Journal on Communications, 2021, 42(6): 41-51.
[4]	Zhengbin ZHU, Qinrang LIU, Dongpei LIU, Chong WANG. Research progress of mimic multi-execution scheduling algorithm [J]. Journal on Communications, 2021, 42(5): 179-190.
[5]	Yongjin HU,Jun MA,Yuanbo GUO,Han ZHANG. Research on active defense based on multi-stage cyber deception game [J]. Journal on Communications, 2020, 41(8): 32-42.
[6]	Fucai CHEN,Weizhen HE,Guozhen CHENG,Shumin HUO,Dacheng ZHOU. Design of key technologies for intranet dynamic gateway based on DPDK [J]. Journal on Communications, 2020, 41(6): 139-151.
[7]	Jinglei TAN,Hengwei ZHANG,Hongqi ZHANG,Hui JIN,Cheng LEI. Optimal strategy selection approach of moving target defense based on Markov time game [J]. Journal on Communications, 2020, 41(1): 42-52.
[8]	JIANG Lyu,ZHANG Hengwei,WANG Jindong. Optimal strategy selection method for moving target defense based on signaling game [J]. Journal on Communications, 2019, 40(6): 128-137.
[9]	Duohe MA,Qiong LI,Dongdai LIN. Moving target defense against network eavesdropping attack using POF [J]. Journal on Communications, 2018, 39(2): 73-87.
[10]	Xingming ZHANG,Zeyu GU,Shuai WEI,Jianliang SHEN. Markov game modeling of mimic defense and defense strategy determination [J]. Journal on Communications, 2018, 39(10): 143-154.
[11]	Le-yi SHI,Hui SUN,Yu-wen CUI,Hong-bin GUO,Jian-lan LI. Web plug-in paradigm for anti-DoS attack based on end hopping [J]. Journal on Communications, 2017, 38(Z1): 19-24.
[12]	Hui HU,Ming CHEN,Bo LIU,Bo XU,Chang-you XING,Chao HU. Mechanism of eliminating UDP redundancy control packets in OpenFlow network [J]. Journal on Communications, 2017, 38(9): 167-175.
[13]	Peng-hao SUN,Ju-long LAN,Shao-jun ZHANG,Jun-fei LI. Information entropy based match field cutting algorithm [J]. Journal on Communications, 2017, 38(5): 182-189.
[14]	Cheng LEI,Duo-he MA,Hong-qi ZHANG,Qi HAN,Ying-jie YANG. Network moving target defense technique based on optimal forwarding path migration [J]. Journal on Communications, 2017, 38(3): 133-143.
[15]	Tao WANG,Hong-chang CHEN,Guo-zhen CHENG. Research on software-defined network and the security defense technology [J]. Journal on Communications, 2017, 38(11): 133-160.