
Research On Key Issues Of Moving Target Defense Based On Software-Defined Networking

Posted on: 2018-07-21
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Z Zhao
Full Text: PDF
GTID: 1318330563451153
Subject: Computer Science and Technology
Abstract/Summary:
Moving Target Defense (MTD) is a new approach to network security, widely regarded as a revolutionary technique that "changes the rules of the game". Unlike traditional defensive mechanisms, which try to secure a network by building an invulnerable system, MTD introduces dynamic, randomized and diversified active mechanisms that limit the exposure of system vulnerabilities and raise the cost of an attack. The defender's position is thereby strengthened and the asymmetric situation of "easy to attack, difficult to defend" is changed. This dissertation analyzes the reconnaissance and launch phases of typical attack techniques and proposes several MTD-based defenses against them. The main contributions and research results are as follows.

1. The background and significance of the research are set out. First, the practical significance and theoretical value of MTD are introduced from the perspective of its application background. Second, the MTD technique is outlined, with emphasis on the asymmetry between the difficulty of network attack and that of defense, and on the fundamentals of MTD. The state of the art in MTD research is surveyed, from which the urgent open problems and the main contributions of this dissertation are derived. Finally, the concept and architecture of Software-Defined Networking (SDN) are introduced in detail, followed by the preliminaries on Network Function Virtualization (NFV) and game theory.

2. MTD methods against attacks in the reconnaissance phase are studied. Against sniffing attacks, a double hopping communication method is proposed that hops multiple network configuration parameters in a coordinated way. Against fingerprinting attacks, a fingerprint hopping method based on a signaling game is proposed. The details are as follows.

(1) An SDN-based double hopping communication method (DHC) is proposed to defend against sniffing attacks. First, the behaviors of the sniffing attacker and of the defender are analyzed and the limitations of traditional defenses are identified. Second, an SDN-based DHC architecture is proposed that exploits the centralized control and direct programmability of SDN; an end-information selection algorithm and a weight-based random path selection algorithm are designed for it. Third, the communication capacity and security of DHC are analyzed, and it is proved in theory that DHC is more secure than conventional communication. Finally, DhcFlower, an SDN-based simulation system for DHC, is built. Experiments verify the effectiveness and security of DHC, and its performance and cost are evaluated.

(2) A game-based fingerprint hopping method (FPH) is proposed to defend against fingerprinting attacks. First, the fingerprinting attack and its defense are analyzed, and an SDN-based fingerprint hopping architecture is proposed. Second, from the characteristics of the interaction between fingerprinting attacker and defender, a signaling game is constructed using game theory, and its equilibrium is analyzed and proved. Third, a model of the defender's belief is proposed, together with an approach for determining the size of the optimal fingerprint hopping space; a fingerprint hopping strategy selection algorithm is designed from the belief model and the equilibrium of the game. Finally, FphFlower, an SDN-based simulation system for FPH, is built. Experiments verify the effectiveness and security of FPH, and its performance and cost are evaluated.

3. MTD methods against attacks in the launch phase are studied. Against penetration attacks, a decoy chain deployment method based on graph theory is proposed. Against routing DoS attacks, a hopping multicast communication method built on a minimum hotness tree model is proposed. The details are as follows.

(1) A decoy chain deployment method (DCD) based on SDN and NFV is proposed to defend against penetration attacks in the launch phase. First, the method constructs a penetration topology model, a penetration attack model and a decoy chain model, and traceback of the penetration path is also discussed. Second, the resource constraints are analyzed and an optimal decoy chain deployment model under those constraints is proposed. Third, recursive traversal and random sampling are proposed for computing the penetration probability, and the optimal decoy chain deployment strategy is solved with a simulated annealing algorithm. Finally, DcDepoyer, a simulation system for DCD based on SDN and NFV, is built. Simulation experiments verify the effectiveness and security of DCD, and its performance and cost are evaluated.

(2) A hopping multicast communication method (HMC) is proposed to defend against routing DoS attacks in the launch phase. First, the method brings the MTD idea into multicast communication and constructs an SDN-based hopping multicast communication architecture. Second, a multicast tree hopping model is built for generating multiple multicast trees; the constrained minimum hotness tree is proposed and the minimum hotness tree problem is proved to be NP-complete, after which an algorithm for solving the constrained minimum hotness tree and a method for updating the multicast tree are designed. Third, the interaction between the multicast routing DoS attacker and the defender is modeled as a static game of complete information; the traffic rate the attacker can obtain in various situations is analyzed and the optimal multicast tree hopping period is determined from the Nash equilibrium. Finally, HmcFlower, an SDN-based simulation system for HMC, is built. Parameter selection is discussed through simulation experiments and analysis, simulation experiments verify the effectiveness and security of HMC, and its performance, cost and robustness are evaluated.

Finally, the main contributions of the research are summarized and directions for future work are proposed.
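As an added illustration (not part of the dissertation and not its DhcFlower simulator), the following Python toy models the two hopping dimensions described for DHC in item 2(1): end information (address and port) derived per time slot from a shared key, so both endpoints and the controller stay synchronized without exchanging messages over the sniffed network, and weighted random selection among candidate paths that steers traffic away from loaded links. It then measures what a sniffer sitting on a single link captures, with and without hopping. The topology, address pool, background load values and the HMAC-SHA256 derivation are assumptions made for this example; the thesis abstract does not specify them.

```python
"""Toy model of SDN-based double hopping communication (DHC) against sniffing.

Added example, not the dissertation's code. Two hopping dimensions are combined:
  * end-information hopping: (address, port) for each time slot is derived from a
    shared key, so sender, receiver and controller agree without signalling;
  * weighted random path selection: each slot's path is drawn at random, biased
    towards paths whose bottleneck link is lightly loaded.
"""
import hashlib
import hmac
import random
from typing import Dict, List, Optional, Tuple

# Constructed toy topology: candidate src->dst paths as tuples of link ids.
PATHS: List[Tuple[str, ...]] = [
    ("l1", "l2", "l3"),
    ("l1", "l4", "l5"),
    ("l6", "l7", "l3"),
    ("l6", "l8", "l5"),
]
ADDR_POOL = [f"10.0.{i}.2" for i in range(1, 9)]  # constructed hop address pool
PORT_LOW, PORT_HIGH = 20000, 60000                 # constructed hop port range


def hop_end_info(key: bytes, slot: int) -> Tuple[str, int]:
    """Derive the (address, port) pair used during one time slot.

    HMAC-SHA256 over the slot counter is an assumed PRF choice for the example.
    Anyone holding the key computes the same pair, so no hop announcement has
    to cross the network where the sniffer sits.
    """
    digest = hmac.new(key, slot.to_bytes(8, "big"), hashlib.sha256).digest()
    addr = ADDR_POOL[int.from_bytes(digest[:4], "big") % len(ADDR_POOL)]
    port = PORT_LOW + int.from_bytes(digest[4:8], "big") % (PORT_HIGH - PORT_LOW)
    return addr, port


def weighted_path_choice(
    paths: List[Tuple[str, ...]],
    link_load: Dict[str, float],
    rng: Optional[random.Random] = None,
) -> Tuple[str, ...]:
    """Pick a path at random with weight 1 - (load of its most loaded link).

    A path whose bottleneck is saturated (load >= 1.0) gets weight 0 and is
    never chosen; if every path is saturated there is nothing to hop to.
    """
    rng = rng or random.Random(0)
    weights = []
    for path in paths:
        bottleneck = max(link_load.get(link, 0.0) for link in path)
        weights.append(0.0 if bottleneck >= 1.0 else 1.0 - bottleneck)
    if not any(weights):
        raise RuntimeError("no usable path: every candidate is saturated")
    return rng.choices(paths, weights=weights, k=1)[0]


def simulate(sniffed_link: str, slots: int, hopping: bool, seed: int = 1) -> Dict[str, float]:
    """Run `slots` communication slots and report what a sniffer on one link sees.

    Returns the fraction of slots whose traffic crossed the sniffed link and
    how many distinct (address, port) identifiers the sniffer observed there.
    Without hopping, the flow always uses PATHS[0] under one fixed identifier.
    """
    rng = random.Random(seed)
    key = b"constructed-shared-key"          # constructed; never hard-code in practice
    link_load = {"l2": 0.3, "l7": 0.6}       # constructed background load per link
    seen_slots = 0
    identifiers = set()
    for slot in range(slots):
        path = weighted_path_choice(PATHS, link_load, rng) if hopping else PATHS[0]
        ident = hop_end_info(key, slot) if hopping else ("10.0.1.2", 443)
        if sniffed_link in path:
            seen_slots += 1
            identifiers.add(ident)
    return {"exposure": seen_slots / slots, "distinct_identifiers": len(identifiers)}


if __name__ == "__main__":
    print("static :", simulate("l3", 500, hopping=False))
    print("hopping:", simulate("l3", 500, hopping=True))
```

Comparing `simulate("l3", 500, hopping=False)` with `hopping=True` shows the point of the double hop: in the static case a sniffer on one link sees every slot under a single stable (address, port) identifier, whereas with hopping it sees only the fraction of slots routed across its link, and each captured sample carries a different identifier, so the samples cannot be stitched into one session. The example measures exposure only; the capacity and security proofs the dissertation gives for DHC are not reproduced here.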
Keywords/Search Tags:Moving target defense, Software-defined networking, Network function virtualization, Game theory, Simulated annealing algorithm