Moving Target Defense Method Based on Double Address Hopping

doi:10.3969/j.issn.1671-1122.2021.02.004

Abstract

Abstract:

The determinism and static nature of the network system make the network defense in a passive state. As a defense concept, moving target defense is proposed, which changes the offensive and defensive situation. Aiming at sniffing and scanning attacks, this paper proposes a moving target defense method based on double address hopping—DAH. Through double virtual address hopping frequency classification, DAH effectively solves the contradiction between communication service quality and hopping frequency. It utilizes low-frequency virtual address hopping to ensure network availability, and utilizes high-frequency virtual address hopping to resist sniffing attacks. By detecting abnormal communication behaviors of the host, DAH constructs spoofed packets to confuse and block scanning attacks. The experimental results show that DAH can not only ensure the normal communication delay and CPU load of the network, but also effectively resist sniffing and scanning attacks.

Key words: moving target defense, software defined network, address hopping, cyber deception

CLC Number:

TP309

LI Zhaoyang, TAN Jinglei, HU Ruiqin, ZHANG Hongqi. Moving Target Defense Method Based on Double Address Hopping[J]. Netinfo Security, 2021, 21(2): 24-33.

Figures/Tables 9

References 20

[1]	CAI Guilin, WANG Baosheng, WANG Tianzuo, et al. Research and Development of Moving Target Defense Technology[J]. Journal of Computer Research and Development, 2016,53(5): 968-987.
	蔡桂林, 王宝生, 王天佐, 等. 移动目标防御技术研究进展[J]. 计算机研究与发展, 2016,53(5): 968-987.
[2]	STEVENS C. Assembling Cybersecurity: The Politics and Materiality of Technical Malware Reports and the Case of Stuxnet[J]. Contemporary Security Policy, 2020,41(1): 129-152.
[3]	ADAMS C. Learning the Lessons of WannaCry[J]. Computer Fraud & Security, 2018,2018(9): 6-9.
[4]	SHARMA D P, ENOCH S Y, CHO J H, et al. Dynamic Security Metrics for Software-defined Network-based Moving Target Defense[EB/OL]. https://www.researchgate.net/publication/343979066_Dynamic_Security_Metrics_for_Software-Defined_Network-based_Moving_Target_Defense, 2020-09-20.
[5]	TAN Jinglei, ZHANG Hengwei, ZHANG Hongqi, et al. Optimal Timing Selection Approach to Moving Target Defense: A FlipIt Attack-Defense Game Model[J]. Security and Communication Networks, 2020,2020(1): 1-12.
[6]	CHO J H, SHARMA D P, ALAVIZADEH H, et al. Toward Proactive, Adaptive Defense: A Survey on Moving Target Defense[EB/OL]. https://www.researchgate.net/publication/335908328_Toward_Proactive_Adaptive_Defense_A_Survey_on_Moving_Target_Defense, 2020-09-20.
[7]	AYDEGER A, SAPUTRO N, AKKAYA K. A Moving Target Defense and Network Forensics Framework for ISP Networks Using SDN and NFV[J]. Future Generation Computer Systems, 2019,94(5): 496-509.
[8]	ZHOU Yuyang, CHENG Guang, GUO Chunsheng, et al. A Survey on Attack Surface Dynamic Transfer Technology Based on Moving Target Defense[J]. Journal of Software, 2018,29(9): 2799-2820.
	周余阳, 程光, 郭春生, 等. 移动目标防御的攻击面动态转移技术研究综述[J]. 软件学报, 2018,29(9): 2799-2820.
[9]	CARROLL T E, CROUSE M, FULP E W, et al. Analysis of Network Address Shuffling as a Moving Target Defense[C]//IEEE. IEEE International Conference on Communications, June 10-14, 2014, Sydney, NSW, Australia. NJ: IEEE, 2014: 701-706.
[10]	ZHANG Chaokun, CUI Yong, TANG Heyi, et al. State-of-the-Art Survey on Software-defined Networking (SDN)[J]. Journal of Software, 2015,26(1): 62-81.
	张朝昆, 崔勇, 唐翯祎, 等. 软件定义网络(SDN)研究进展[J]. 软件学报, 2015,26(1): 62-81.
[11]	ZUO Qingyun, CHEN Ming, ZHAO Guangsong, et al. Research on SDN Technology Based on OpenFlow[J]. Journal of Software, 2013,24(5): 1078-1097.
	左青云, 陈鸣, 赵广松, 等. 基于OpenFlow的SDN技术研究[J]. 软件学报, 2013,24(5): 1078-1097.
[12]	KEWLEY D, FINK R, LOWRY J, et al. Dynamic Approaches to Thwart Adversary Intelligence Gathering[C]//IEEE. DARPA Information Survivability Conference Exposition II, DISCEX 2001, June 12-14, 2001, Anaheim, CA, USA. NJ: IEEE, 2001: 176-185.
[13]	ANTONATOS S, AKRITIDIS P, MARKATOS E P, et al. Defending against Hitlist Worms Using Network Address Space Randomization[C]//ACM. The 2005 ACM Workshop on Rapid Malcode, November 11, 2005, Fairfax, Virginia, USA. New York: ACM, 2005: 30-40.
[14]	AL-SHAER E, DUAN Qi, JAFARIAN J H. Random Host Mutation for Moving Target Defense[M]//Springer. Security and Privacy in Communication Networks. Heidelberg: Springer, 2013: 310-327.
[15]	SHARMA D P, KIM D S, YOON S, et al. FRVM: Flexible Random Virtual IP Multiplexing in Software-defined Networks[C]//IEEE. 2018 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/ 12th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE), August 1-3, 2018, New York, NY, USA. NJ: IEEE, 2018: 579-587.
[16]	JAFARIAN J H, AL-SHAER E, DUAN Qi. Openflow Random Host Mutation: Transparent Moving Target Defense Using Software Defined Networking[C]//ACM. The First Workshop on Hot Topics in Software Defined Networks, August 13, 2012, New York, NY, USA. New York: ACM, 2012: 127-132.
[17]	NOMAN H M, JASIM M N. POX Controller and Open Flow Performance Evaluation in Software Defined Networks (SDN) Using Mininet Emulator[EB/OL]. https://www.researchgate.net/publication/343586922_POX_Controller_and_Open_Flow_Performance_Evaluation_in_Software_Defined_Networks_SDN_Using_Mininet_Emulator, 2020-09-20.
[18]	CHASIB S A, KHADIM A. Software Defined Network for Data Center Using Open Flow Protocol[J]. International Journal of Scientific Engineering and Technology, 2016,5(12): 537-541.
[19]	LEI Cheng, MA Duohe, ZHANG Hongqi, et al. Network Moving Target Defense Technique Based on Optimal Forwarding Path Migration[J]. Journal on Communications, 2017,38(3): 133-143.
	雷程, 马多贺, 张红旗, 等. 基于最优路径跳变的网络移动目标防御技术[J]. 通信学报, 2017,38(3): 133-143.
[20]	ZHOU Zan, KUANG Xiaohui, SUN Limin, et al. Endogenous Security Defense against Deductive Attack: When Artificial Intelligence Meets Active Defense for Online Service[J]. IEEE Communications Magazine, 2020,58(6): 58-64.

交换机	匹配域	动作集
sw₁	src_ip=10.0.0.1 dst_ip=10.0.0.88 in_port= 1	mod_src =10.0.0.202 mod_dst=10.0.0.252 out_port= 4
sw₂	src_ip =10.0.0.202 dst_ip=10.0.0.252 in_port = 3	out_port= 4
sw₃	src_ip =10.0.0.202 dst_ip=10.0.0.252 in_port = 4	mod_src =10.0.0.92 mod_dst =10.0.0.8 out_port= 3

终端	真实IP 地址	所收集到的终端IP地址
终端	真实IP 地址	正常通信	DAH开启5 s后	DAH开启10 s后	……	DAH开启50 s后
h₁ h₂ h₃ h₄ h₅ s₁ s₂ s₃	10.0.0.1 10.0.0.2 10.0.0.3 10.0.0.4 10.0.0.5 10.0.0.6 10.0.0.7 10.0.0.8	10.0.0.1 10.0.0.2 10.0.0.3 10.0.0.4 10.0.0.5 10.0.0.6 10.0.0.7 10.0.0.8	10.0.0.70 10.0.0.138 10.0.0.61 10.0.0.117 10.0.0.249 10.0.0.97 10.0.0.227 10.0.0.97	10.0.0.245 10.0.0.214 10.0.0.170 10.0.0.28 10.0.0.38 10.0.0.234 10.0.0.196 10.0.0.109	…… …… …… …… …… …… …… ……	10.0.0.213 10.0.0.113 10.0.0.77 10.0.0.27 10.0.0.154 10.0.0.157 10.0.0.170 10.0.0.139