A Host Fingerprint Anti-detection Model Based on SDN

doi:10.3969/j.issn.1671-1122.2020.07.005

Abstract

Abstract:

Point at the difficulty of host fingerprint detection defense, a host fingerprint anti-detection model based on SDN is proposed. The model constructs virtual nodes that contain fake fingerprint information. By identifying fingerprint probes and constructing response messages according to the fingerprint template, it can deceive fingerprint detection attackers. Then put forward honeypot mapping and traffic traction technology, combined with honeypots, redirect the attack traffic directed to the virtual node to the honeypot, and realize the capture and analysis of aggressive behavior. To analyze the benefits of the model for cybersecurity, a probabilistic model of the proposed model’s defense effectiveness was established. The influence of parameters such as the number of detections, the number of virtual nodes, the number of honeypot mapping rules, the number of allowable losses, the virtual node spoofing rate, and the honeypot detection rate on the probability of attack success is quantified. Finally, the DPDK technology is used to build a prototype system based on the X86 platform. The experimental results show that the proposed model has a higher success rate of deception than the typical anti-recognition tool IPMorph, and the additional performance overhead is less than 5%.

Key words: host fingerprint, reconnaissance, honeypot, cyber deception

CLC Number:

TP309

ZHANG Tao, LU Bing, LI Ding, HE Kang. A Host Fingerprint Anti-detection Model Based on SDN[J]. Netinfo Security, 2020, 20(7): 42-52.

Figures/Tables 17

References 18

[1]	ZHUANG R, DELOACH S A, OU X. Towards A Theory of Moving Target Defense[C]// ACM. Proceedings of the First ACM Workshop on Moving Target Defense, November 3, 2014, Scottsdale, Arizona, USA. New York: ACM, 2014: 31-40.
[2]	DAVID J, THOMAS C. Efficient DDoS Flood Attack Detection Using Dynamic Thresholding on Flow-based Network Traffic[J]. Computers & Security, 2019,82(7):284-295.
[3]	SHAMSI Z, NANDWANI A, LEONARD D, et al. Hershel: Single-Packet OS Fingerprinting[J]. ACM SIGMETRICS Performance Evaluation Review, 2014,42(1):195-206.
[4]	PRIGENT G, VICHOT F, HARROUET F. IpMorph: Fingerprinting Spoofing Unification[J]. Journal in Computer Virology, 2010,6(4):329-342.
[5]	MA Junliang, WANG Xili, HE Juhou, et al. Research and Design of Enhanced Anti-Xprobe2[J]. Computer Engineering and Applications, 2012,48(32):1-4.
	马君亮, 汪西莉, 何聚厚, 等. 增强型Anti-Xprobe2的研究与设计[J]. 计算机工程与应用, 2012,48(32):1-4.
[6]	KAMPANAKIS P, PERROS H, BEYENE T. SDN-based Solutions for Moving Target Defense Network Protection[C]// IEEE. The Fifteenth International Symposium on a World of Wireless, Mobile and Multimedia Networks, Jun 16-19, 2014, Sydney, Australia. New York: IEEE, 2014: 1-6.
[7]	JIA Zhaopeng. Research on Defense Oriented Network Spoofing Technology[D]. Beijing: Beijing University of Posts and Telecommunications, 2018.
	贾召鹏. 面向防御的网络欺骗技术研究[D]. 北京:北京邮电大学, 2018.
[8]	HAN W, ZHAO Z, DOUPÉ A, et al. Honeymix: Toward Sdn-based Intelligent Honeynet[C]// ACM. Proceedings of the 2016 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization, March 9-11, 2016, New Orleans Louisiana USA. New York: ACM, 2016: 1-6.
[9]	LA Q D, QUEK T Q S, LEE J, et al. Deceptive Attack and Defense Game in Honeypot-enabled Networks for the Internet of Things[J]. IEEE Internet of Things Journal, 2016,3(6):1025-1035.
[10]	FAN W, DU Z, CREASEY M, et al. HoneyDOC: An Efficient Honeypot Architecture Enabling all-round Design[J]. IEEE Journal on Selected Areas in Communications, 2019,37(3):683-697.
[11]	SHI L, LI Y, LIU T, et al. Dynamic Distributed Honeypot Based on Blockchain[EB/OL]. https://ieeexplore.ieee.org/document/8727529, 2019-11-15.
[12]	JAFARIAN J H, NIAKANLAHIJI A, AL-SHAER E, et al. Multi-dimensional Host Identity Anonymization for Defeating Skilled Attackers[C]// ACM. Proceedings of the 2016 ACM Workshop on Moving Target Defense, October 24, 2018, Vienna, Austria. New York: ACM, 2016: 47-58.
[13]	ZHUGE Jianwei, TANG Yong, HAN Xinhui, et al. Honeypot Technology Research and Application[J]. Journal of Software, 2013,24(4):825-842.
	诸葛建伟, 唐勇, 韩心慧, 等. 蜜罐技术研究与应用进展[J]. 软件学报, 2013,24(4):825-842.
[14]	LI Yan. Design and Implementation of Honeynet Active Defense System Based on SDN[D]. Beijing: Beijing University of Posts and Telecommunications, 2019
	李俨. 基于SDN的蜜网主动防御系统设计与实现[D]. 北京:北京邮电大学, 2019.
[15]	BONFIM M S, DIAS K L, FERNANDES S F L. Integrated NFV/SDN Architectures: A Systematic Literature Review[J]. ACM Computing Surveys (CSUR), 2019,51(6):1-39.
[16]	HERWIG S, HARVEY K, HUGHEY G, et al. Measurement and Analysis of Hajime, A Peer-to-peer IoT Botnet[EB/OL]. http://www.cs.umd.edu/~smherwig/pub/18-imc/hajime-poster.pdf, 2019-10-15.
[17]	CERON J M, STEDING J K, HOEPERS C, et al. Improving Iot Botnet Investigation Using An Adaptive Network Layer[J]. Sensors, 2019,19(3):727.
[18]	PONGRÁCZ G, MOLNÁR L, KIS Z L. Removing Roadblocks from SDN: OpenFlow Software Switch Performance on Intel DPDK[C]// IEEE. 2013 Second European Workshop on Software Defined Networks, October 10-11, 2013, Berlin, Germany. New York: IEEE, 2013: 62-67.

命令	IP	MAC	操作系统	端口	网络距离
2019/12/13 9:20 nmap -O 172.14.96.0/24	172.14. 96.177	00:21:85:FD: C1:D2	Linux 2.7.3	80/443/1025/ 8080	1
	172.14. 96.178	8C:89:A5:0F: 17:D4	Windows 10	23/443/3389	1
	172.14. 96.179	00:21:CC:CD: 24:37	Linux 3.10	22/80/8080	1
	172.14. 96.181	2C:53:4A:03: CF:BC	Windows 7	22/23/3389	0
2019/12/13 9:37 nmap -O 172.14.96.0/24	172.14. 96.177	08:00:CD:68: 31:38	Windows Server 2012 R2 Update1	22/110/3389/ 1433	1
	172.14. 96.178	8C:89:A5:0F: 17:D4	Windows 10	23/443/3389	1
	172.14. 96.179	00:21:CC:CD: 24:37	Linux 3.10	22/80/8080	1
	172.14. 96.181	2C:53:4A:03: CF:BC	Windows 7	22/23/3389	0

部署方式	平均时延/μs	标准差
无虚拟节点	23.17	0.63
生成100个虚拟节点	24.22	0.72
生成150个虚拟节点	24.19	0.77
生成200个虚拟节点	24.25	0.73