Computer Science, 2020, Vol. 47, Issue (12): 304-310. doi: 10.11896/jsjkx.200900126

• Information Security •

Self-adaptive Deception Defense Mechanism Against Network Reconnaissance

ZHAO Jin-long1, ZHANG Guo-min1, XING Chang-you1, SONG Li-hua1, ZONG Yi-ben2

  1. 1 Command & Control Engineering College, Army Engineering University of PLA, Nanjing 210007, China
    2 Unit 61789 of PLA, Shanghai 200000, China
  • Received: 2020-09-16 Revised: 2020-12-01 Published: 2020-12-17
  • Corresponding author: ZHANG Guo-min (zhang_gmwn@163.com)
  • About author: zhaojl_a@163.com
    ZHAO Jin-long, born in 1994, postgraduate. His main research interests include network security, deception defense and software defined networking.
    ZHANG Guo-min, born in 1979, Ph.D, associate professor. His main research interests include software defined networking, network security, network measurement and distributed system.
  • Supported by:
    National Natural Science Foundation of China (61379149, 61772271) and China Postdoctoral Science Foundation (2017M610286).

Abstract: Statically configured network host information is easily exposed to network reconnaissance, which brings serious security risks. Deception methods such as host address mutation and deployment of fake nodes can disrupt the attacker's awareness of the network and increase the difficulty of reconnaissance. However, there are still many challenges in using these methods to counter the attacker's reconnaissance behavior effectively. For this reason, by modeling the behaviors of both attacker and defender, an efficient self-adaptive deception defense mechanism, SADM (Self-adaptive Deception Method), is proposed. SADM considers the characteristics of the multi-stage continuous confrontation between attacker and defender in the network reconnaissance process, builds its model with the goal of maximizing the defender's accumulative payoffs under cost constraints, and then makes adaptive defense decisions through heuristic methods to respond quickly to the attacker's diverse scanning behavior. The simulation experiment results show that SADM can effectively delay the attacker's detection speed and reduce the cost of deploying deception scenarios while ensuring the defense effect.

Key words: Deception defense, Network reconnaissance, Scanning attack, Software-defined network

CLC Number:

  • TP393