
Research On Network Dynamic Defense Policy And Its Effectiveness Evaluation

Posted on: 2018-01-16
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J Liu
Full Text: PDF
GTID: 1318330563451162
Subject: Computer Science and Technology

Abstract/Summary:
With the rapid development of information and network technology, the connotation of cyberspace, known as the fifth dimension of human activity, has been greatly extended. However, the security situation of cyberspace is becoming increasingly serious. Faced with much more collaborative and intelligent network attacks, traditional defense technologies such as firewalls, intrusion detection and security audit always fall into the passive situation of "easy to attack but hard to defend". Moving Target Defense (MTD) has been proposed as a new approach to alter the asymmetric situation between attack and defense. By constructing and applying diverse, dynamic and shifting policies, MTD changes system attributes constantly and reduces the continuous exposure of vulnerabilities, which increases the complexity and expense for adversaries to conduct attacks. How to select and adjust the transformation period, transformation space and transformation style of system resources, so as to increase the diversity, dynamics and unpredictability of defense policies and improve defense effectiveness and benefits, is the core and key issue in applying moving target defense policies. In this paper, network-based moving target defense is taken as the breakthrough point of the research, covering the design of network dynamic defense policies, the evaluation of defense effectiveness and the optimal selection of defense policies. The main work and results are presented as follows:

1. Focused on the poor defense effectiveness of the ending hopping policy with a fixed hopping period, which is difficult to adjust dynamically according to the network security situation, and on the serious packet loss caused by the shift of ending information in the peer-to-peer communication mode of traditional networks, this paper proposes an adaptive adjustment policy of ending information based on a peer-to-peer hopping protocol. Firstly, a hopping period adjustment policy that satisfies the principle of "fast decrease and slow increase" is designed according to the network abnormality, which is measured by fusing non-extensive entropy and Sibon entropy. Secondly, by deploying decoy ending information with given distribution characteristics on some network nodes, a hopping space adjustment policy is designed. These two policies enhance the capability of the ending hopping policy to resist denial of service attacks, follow attacks and half-blind attacks. Meanwhile, a hopping period stretching policy is designed according to a network delay prediction based on a discrete-time Markov model. This policy reduces the packet loss rate at hopping boundaries and improves the forwarding success rate of hopping communication.

2. Focused on the problem that deploying an address hopping policy on a service node has a great impact on service performance in the client-to-service communication mode of traditional networks, this paper proposes an address hopping policy based on an improved Dynamic Host Configuration Protocol (DHCP). Firstly, by using a reserved field of DHCP, multiple addresses are assigned to one network node during a single interaction. This method decreases the protocol overhead and increases the diversity of address hopping without any change to the DHCP protocol. Secondly, hopping communication is conducted with the support of the address mapping relationship between client and server, as well as the address relevance relationship between the inherent address and the hopping address of the server, which ensures the stability of service provision. Furthermore, to increase the dynamics of address hopping, the address lease time is adjusted dynamically according to the network anomaly, which is detected by a time series similarity measure algorithm based on dynamic time warping distance. The proposed policy not only increases the difficulty of launching network eavesdropping and denial of service attacks, but also reduces the impact on service performance caused by address hopping of the server.

3. Focused on the problem that switches need to send packets that match no flow entry to the controller by encapsulating them as packet-in messages, which is prone to be exploited by attackers to launch denial of service attacks against the controller in OpenFlow networks, this paper proposes a migration policy for switch-controller connections. Firstly, abnormal switches are detected based on the historical and current rates of flow requests. Secondly, to handle flow requests from normal switches effectively once attacks have occurred, connection migration is performed for the normal switches. Finally, to avoid burst flow requests of the network being misjudged as attack flows and discarded, the flow requests from abnormal switches are detected by a multi-queue round robin mechanism based on hash checking. The proposed policy not only protects the controllers from denial of service attacks, but also ensures the capability of processing network traffic requests and forwarding data.

4. Focused on the problem that network nodes with static routing policies are vulnerable to network eavesdropping and denial of service attacks in OpenFlow networks, this paper proposes a routing mutation policy. Firstly, to improve the dynamics and pertinence of routing mutation, the mutation is triggered by network abnormality, which is detected and located by applying the multi-scale principal component analysis method to the entropy matrix of traffic characteristics from the perspective of spatial and temporal correlations. Moreover, the generation of the mutation routing path is formulated as a 0-1 knapsack problem whose optimization target is to maximize the randomness of routing nodes between different mutation periods. Additionally, an improved ant colony algorithm is presented to compute the optimal solution. The proposed policy increases the difficulty of network eavesdropping, reduces the impact of denial of service attacks on data forwarding, and ensures the capability of forwarding data.

5. Focused on the poor generality of existing defense effectiveness evaluation methods for network dynamic defense policies and the low accuracy of their evaluation results, this paper presents a defense effectiveness evaluation method based on a model of node security state migration. Initially, a construction algorithm for the node security state transition graph is given to describe the process of security state changes caused by network attack and defense policies. Then, combining the diversity, dynamics and randomness of network dynamic defense policies, calculation methods for the forward-transition probability, self-transition probability and backward-transition probability are proposed. Finally, the effectiveness evaluation results of network dynamic defense policies are obtained by analyzing the influence of the defense policies on the attack success rate. Simulation results on a representative network example show that the accuracy deviation of the proposed method is only 4%.

6. Focused on the problems that existing optimal selection methods for network dynamic defense policies lack a comprehensive analysis of the reward quantization of attack-defense policies and merely consider altering the decision according to the information collected gradually from multiple rounds of attack-defense games between attacker and defender, this paper proposes an optimal selection method for network dynamic defense policies based on the signaling game. Above all, to ensure the scientific nature and accuracy of the reward value, both the characteristics of attack-defense confrontation and the reward quantization of attack and defense policies are analyzed. Then, single-stage and multi-stage game models in the network dynamic defense environment are constructed based on the signaling game. Meanwhile, an algorithm for obtaining the perfect Bayesian equilibrium and a method for revising the belief about the attack type are proposed, and an optimal selection algorithm for network dynamic defense policies is designed based on the constructed game model. As a result, the law of the attack-defense game in the network dynamic defense environment is summarized, which provides a methodological reference for the selection of network dynamic defense policies.

The experimental results show the feasibility and effectiveness of the proposed policies and methods, which can provide powerful technical support for the application of network dynamic defense policies and the construction of proactive defense systems.
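The "fast decrease and slow increase" hopping period adjustment of point 1 is easy to miss in prose, so here is an added, self-contained illustration written for this page; it is not code from the dissertation. It fuses two entropy measures of a traffic feature (Shannon entropy and the non-extensive Tsallis entropy stand in for the page's pair of measures, an assumption on my part) into an anomaly score, then halves the hopping period whenever the score crosses a threshold and lengthens it by only one step per calm window. The port windows, the threshold and the period bounds are constructed values.

```python
import math
from collections import Counter

# Constructed sample windows of destination ports observed at one node (not
# data from the dissertation). Windows 0 and 1 are ordinary mixed traffic;
# window 2 is a flood in which a single port dominates.
WINDOWS = [
    [80, 443, 22, 53, 80, 443, 8080, 25, 993, 443],
    [443, 80, 22, 53, 143, 80, 443, 8443, 25, 110],
    [80] * 48 + [443, 22],
]


def shannon_entropy(samples):
    n = len(samples)
    return -sum(c / n * math.log2(c / n) for c in Counter(samples).values())


def tsallis_entropy(samples, q=2.0):
    # Non-extensive (Tsallis) entropy; with q=2 it reduces to 1 - sum(p_i^2).
    n = len(samples)
    return (1.0 - sum((c / n) ** q for c in Counter(samples).values())) / (q - 1.0)


def fused_anomaly(samples, baseline):
    """Average the relative entropy drop under both measures into one score
    in [0, 1]. A collapse of diversity versus the baseline window (the
    signature of a flood) reads as abnormality; more diversity scores 0."""
    drops = []
    for measure in (shannon_entropy, tsallis_entropy):
        base, cur = measure(baseline), measure(samples)
        drops.append(max(0.0, (base - cur) / base) if base > 0 else 0.0)
    return sum(drops) / len(drops)


class HoppingPeriodController:
    """'Fast decrease, slow increase': shrink the period multiplicatively the
    moment the anomaly score crosses the threshold; grow it additively,
    one step per calm window, so the defense does not relax too quickly."""

    def __init__(self, period=8.0, min_period=1.0, max_period=16.0,
                 threshold=0.3, shrink=0.5, grow=1.0):
        self.period = period          # current hopping period in seconds (assumed unit)
        self.min_period = min_period
        self.max_period = max_period
        self.threshold = threshold
        self.shrink = shrink
        self.grow = grow

    def update(self, anomaly):
        if anomaly > self.threshold:
            self.period = max(self.min_period, self.period * self.shrink)
        else:
            self.period = min(self.max_period, self.period + self.grow)
        return self.period


def run_controller(windows, baseline_index=0, **controller_kwargs):
    """Feed a sequence of observation windows through the controller and
    return the hopping period chosen after each window."""
    ctl = HoppingPeriodController(**controller_kwargs)
    baseline = windows[baseline_index]
    return [ctl.update(fused_anomaly(w, baseline)) for w in windows]


if __name__ == "__main__":
    sequence = [WINDOWS[0], WINDOWS[1], WINDOWS[2], WINDOWS[2], WINDOWS[1], WINDOWS[1]]
    for w, p in zip(sequence, run_controller(sequence)):
        print(f"anomaly={fused_anomaly(w, WINDOWS[0]):.2f} -> hopping period {p:.1f}s")
```

Running the sequence above, the period climbs from 8 to 9 and 10 during the two calm windows, collapses to 5 and then 2.5 across the two flood windows, and creeps back to 3.5 and 4.5 once traffic normalises; the asymmetry is what keeps an adversary from profiting from a slow reaction while avoiding needless churn (and the packet loss the page attributes to frequent shifts) when the network is quiet.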
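Point 3 describes three pieces: flagging switches whose packet-in rate departs from their history, moving the normal switches' connections away from the affected controller, and draining the abnormal switches' requests through hash-bucketed round robin so a burst cannot starve other flows. The following added example (my own, not the dissertation's code) sketches all three in one place. The per-second request counts, the EWMA detector, the "primary"/"scrub" controller labels and the bucketing by source address are constructed assumptions; a production scheduler would bucket with a keyed hash so that a sender cannot choose its bucket.

```python
import ipaddress
from collections import deque

# Constructed history: packet-in (flow request) counts per second, per switch.
# s2 starts flooding the controller at second 4.
HISTORY = {
    "s1": [20, 22, 19, 21, 23, 20],
    "s2": [15, 16, 14, 17, 400, 380],
    "s3": [30, 28, 31, 29, 33, 30],
}


def detect_abnormal(history, alpha=0.3, factor=3.0, floor=50):
    """Compare each switch's current rate against an EWMA of its own history.
    A second is flagged when the rate exceeds max(floor, factor * ewma); the
    floor keeps a tiny baseline from flagging ordinary fluctuations, and
    flagged seconds are excluded from the EWMA so the attack cannot poison
    the baseline. Returns {switch: [flagged seconds]}."""
    flagged = {}
    for sw, rates in history.items():
        ewma = float(rates[0])
        hits = []
        for t, rate in enumerate(rates[1:], start=1):
            if rate > max(floor, factor * ewma):
                hits.append(t)
            else:
                ewma = alpha * rate + (1 - alpha) * ewma
        flagged[sw] = hits
    return flagged


def plan_migration(flagged):
    """Normal switches keep a clean controller ('primary'); switches that were
    flagged are migrated to a separate controller ('scrub') whose request
    queue is rate-limited per bucket. Labels are assumed for illustration."""
    return {sw: ("scrub" if hits else "primary") for sw, hits in flagged.items()}


def bucket_of(src_ip, n_queues):
    # Bucket by source address. A deployment should use a keyed hash here so
    # that an attacker cannot predict which bucket a spoofed source lands in.
    return int(ipaddress.ip_address(src_ip)) % n_queues


def round_robin_drain(requests, n_queues=4, budget=6):
    """Place each (switch, src_ip) request in its bucket, then serve the
    buckets round robin, one request per non-empty bucket per pass, until the
    controller's per-interval budget is spent. A burst from one source fills
    one bucket and cannot crowd out requests from other sources."""
    queues = [deque() for _ in range(n_queues)]
    for req in requests:
        queues[bucket_of(req[1], n_queues)].append(req)
    served = []
    while len(served) < budget and any(queues):
        for q in queues:
            if q and len(served) < budget:
                served.append(q.popleft())
    return served


if __name__ == "__main__":
    flags = detect_abnormal(HISTORY)
    print("flagged:", flags)
    print("migration plan:", plan_migration(flags))
    burst = [("s2", "10.0.0.9")] * 20 + [("s2", "10.0.0.2"), ("s2", "10.0.0.7")]
    print("served this interval:", round_robin_drain(burst))
```

With the constructed history, only s2 is flagged (seconds 4 and 5) and is moved to the scrubbing controller; the drain of its queue serves the two legitimate sources in the first pass even though twenty burst requests arrived ahead of them, which is the property the page relies on to avoid discarding a genuine traffic burst as attack traffic.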
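Point 5 evaluates a defense policy by its effect on the attack success rate over a node security state transition graph with forward, self and backward transitions. As an added worked example (not the dissertation's model or its numbers), the block below builds a chain of attack progress states, where a forward transition means the attacker advances one step, a backward transition means a defense transformation invalidated what the attacker had learned, and the remainder is a self-transition; it then propagates the attacker's state distribution for a fixed number of steps and compares the probability of reaching the compromised state under a static policy (no backward transitions) against a dynamic one. The probabilities and chain length are constructed.

```python
def transition_matrix(n_states, p_forward, p_backward):
    """Row-stochastic matrix over security states 0..n_states-1.
    State 0: attacker has no foothold on the node.
    State n_states-1: node compromised (absorbing).
    From any other state i: forward to i+1 with p_forward, backward to i-1 with
    p_backward (a hop/mutation discarded the attacker's reconnaissance), and
    otherwise self-transition. From state 0 a backward move just stays at 0."""
    if p_forward < 0 or p_backward < 0 or p_forward + p_backward > 1:
        raise ValueError("forward and backward probabilities must sum to at most 1")
    n = n_states
    P = [[0.0] * n for _ in range(n)]
    for i in range(n):
        if i == n - 1:
            P[i][i] = 1.0              # compromise is absorbing within the horizon
            continue
        P[i][i + 1] += p_forward
        if i > 0:
            P[i][i - 1] += p_backward
        else:
            P[i][i] += p_backward
        P[i][i] += 1.0 - p_forward - p_backward
    return P


def attack_success_rate(P, steps):
    """Probability that an attacker starting in state 0 has reached the
    absorbing compromised state after `steps` transitions."""
    n = len(P)
    dist = [1.0] + [0.0] * (n - 1)
    for _ in range(steps):
        nxt = [0.0] * n
        for i, p_i in enumerate(dist):
            if p_i == 0.0:
                continue
            for j, p_ij in enumerate(P[i]):
                nxt[j] += p_i * p_ij
        dist = nxt
    return dist[n - 1]


def defense_effectiveness(n_states, steps, static, dynamic):
    """Compare a static policy (p_forward, p_backward) with a dynamic one and
    return (static success rate, dynamic success rate, relative reduction)."""
    s = attack_success_rate(transition_matrix(n_states, *static), steps)
    d = attack_success_rate(transition_matrix(n_states, *dynamic), steps)
    return s, d, ((s - d) / s if s > 0 else 0.0)


if __name__ == "__main__":
    # Constructed scenario: two attack steps to compromise (3 states), a
    # 3-step horizon, and a dynamic policy that pushes the attacker back half
    # the time. Values chosen for illustration only.
    s, d, e = defense_effectiveness(3, 3, static=(0.5, 0.0), dynamic=(0.5, 0.5))
    print(f"static:  attack success {s:.3f}")
    print(f"dynamic: attack success {d:.3f}  (reduction {e:.0%})")
```

In the constructed scenario the static policy lets the attacker finish within three steps with probability 0.5, while the dynamic policy's backward transitions cut that to 0.375, a 25% reduction; the same machinery, with forward/backward probabilities derived from a policy's hopping period and space as the page proposes, is what turns a transition graph into a comparable effectiveness number.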
Keywords/Search Tags: Moving Target Defense, Network Dynamic Defense, Ending Hopping, Random Routing Mutation, Defense Effectiveness Evaluation, Optimal Defense Policy Selection