
Research On Proactive Defense Of Computer Network

Posted on: 2018-09-17    Degree: Doctor    Type: Dissertation
Country: China    Candidate: Y B Luo    Full Text: PDF
GTID: 1368330569998478    Subject: Computer Science and Technology
Abstract/Summary:
Network security has become increasingly prominent with the development of network and information technology. Traditional security techniques based on predefined rules, such as firewalls, intrusion detection and virus detection, cannot counter threats that exploit unknown vulnerabilities and backdoors. They are passive and lagging in nature and are insufficient to ensure security. Proactive defense is a novel and effective defense technique that applies proactive, controlled and varying security policies, trying to radically increase the difficulty of attacks while decreasing the attack success rate. Proactive defense is therefore of great value for changing the current imbalance between network attacks and defenses. Moving target defense (MTD) is an innovative proactive defense technique that defends against attacks by continuously shifting the attack surfaces of a system. Under the protection of MTD techniques, system security no longer strictly relies on totally eliminating the system's vulnerabilities. MTD can thwart attacks that exploit unknown vulnerabilities and backdoors by using dynamic, diversified and random proactive defense methods.

In this thesis, we study the development, inner principles and existing key issues of proactive defense as represented by MTD, including the unidirectionality of NAT/NAPT, the lack of diversity in port address hopping (PAH), the dependence of existing hopping synchronization mechanisms on third parties, which makes them easily influenced by network disturbances, and the lack of flow-level security management and control. The results of this research are very important for the defense against network reconnaissance and attacks and for the improvement of proactive defense. The main research work and contributions of this thesis are as follows:

Firstly, to ease the devastating problem that the unidirectionality of NAT/NAPT brings to end-to-end communication, we introduce port knocking and combine it with identity and location separation, and propose a novel and flexible NAPT/FW traversing tactic called PK-NFT (Port Knocking-based NAPT/FW Traversing). PK-NFT uses a series of closed ports or a specific open port for stealthy authentication, where the information is transmitted in the form of a series of connection attempts or a packet data payload, making it possible to actively connect to a host/application running on a completely isolated network protected by NAPT/FW. PK-NFT introduces an extra security layer to enhance security, while the authentication of existing applications (e.g., SSH) does not need to be changed. Our measurement and analysis show that PK-NFT introduces low authentication overhead while dramatically increasing the two-way connectivity of NAPT/FW.

Secondly, to enhance the hopping diversity of port address hopping (PAH), we develop a novel PAH mechanism called Random Port and Address Hopping (RPAH). The goal of RPAH is to hide network servers and applications and to resist network reconnaissance and attacks by constantly changing their IP addresses and ports. RPAH integrates source identity, service identity and a temporal parameter in the hopping to provide three hopping frequencies, i.e., source hopping, service hopping and temporal hopping, providing high unpredictability and hopping diversity. While hopping, RPAH can also identify illegal connections that use invalid or inactive addresses/ports from any attacker or unauthorized user. Simulation and experiment show that RPAH is effective in resisting various kinds of network reconnaissance and attacks, such as network scanning and worms, while introducing low overhead.

Thirdly, to solve the critical and difficult synchronization issue in hopping communication, we combine message authentication with PAH and propose a novel self-synchronization scheme called Keyed-Hashing based Self-Synchronization (KHSS), which applies to the hopping of various communication parameters such as address, port, protocol number, sequence number and acknowledgement number. KHSS generates the message authentication code (MAC) based on HMAC, and the MAC is then further used as the synchronization information for encoding and decoding the communication parameters. This gives the hopping communication system one-packet-one-hopping and invisible message authentication abilities without transmitting synchronization or authentication information over unreliable communication media. Theoretical analysis, simulation and experiment show that KHSS is robust to network disturbances such as packet dropout and time delay. It is effective in defending against man-in-the-middle (MITM) attacks and network scanning, and it significantly outperforms existing schemes in both security and hopping frequency.

Lastly, to make up for the lack of flow-level network security management and control capabilities in proactive defense, and to address the limitations that existing flow watermarking techniques cannot correlate multiple flows synchronously and are vulnerable to multi-flow attacks, we design a novel flow fingerprinting scheme called Interval-Based Fingerprinting (IBF). IBF creates an invisible and secret communication channel for embedding different fingerprints into various flows by slightly adjusting the timings of packets in selected intervals, which can be used to conveniently deploy and enforce various active security strategies such as secret access control, flow monitoring, flow linking, stepping stone detection and attack traceback. Experimental results show that, compared to IBW, IBF can encode more bits of fingerprint information and attain high detection rates using fewer packets and timing adjustments.
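The self-synchronization idea behind KHSS, as described above, can be illustrated with a small sketch: the port a packet is sent to is derived from an HMAC over the packet itself, so the receiver recomputes the tag from the bytes it holds instead of relying on a shared counter or a third-party clock. This is an added illustration of that principle, not the thesis's own scheme or code; the key, port pool, nonce length and the use of SHA-256 are all assumptions.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Set, Tuple

# Constructed parameters for this illustration; the thesis does not publish them.
SHARED_KEY = b"constructed-demo-key"
PORT_LOW, PORT_HIGH = 10000, 60000  # hopping port pool (assumed)
NONCE_LEN = 8

def hop_port(key: bytes, packet: bytes) -> int:
    """Select the destination port for one packet from HMAC-SHA256 over its bytes.

    The tag is never transmitted: sender and receiver both recompute it from the
    packet they hold, so every packet carries its own synchronization state.
    """
    tag = hmac.new(key, packet, hashlib.sha256).digest()
    return PORT_LOW + int.from_bytes(tag[:4], "big") % (PORT_HIGH - PORT_LOW)

def send(key: bytes, data: bytes, nonce: Optional[bytes] = None) -> Tuple[int, bytes]:
    """Sender: prefix a nonce so identical data hops to a fresh port each time."""
    packet = (nonce if nonce is not None else os.urandom(NONCE_LEN)) + data
    return hop_port(key, packet), packet

def receive(key: bytes, port: int, packet: bytes) -> Optional[bytes]:
    """Receiver: accept a packet only if it arrived on the port its own tag selects.

    A mismatch is a probe, a replay onto a stale port, a forgery by someone
    without the key, or a payload altered in transit; all are dropped alike.
    """
    if hop_port(key, packet) != port:
        return None
    return packet[NONCE_LEN:]

def deliver_with_loss(messages: List[bytes], drop: Set[int]) -> List[bytes]:
    """Send every message, lose those whose index is in `drop`, decode the rest.

    No counter is shared between the two sides, so loss or reordering of
    earlier packets never desynchronizes the ones that do arrive.
    """
    out = []
    for i, m in enumerate(messages):
        port, pkt = send(SHARED_KEY, m)
        if i in drop:
            continue  # simulated packet dropout
        decoded = receive(SHARED_KEY, port, pkt)
        if decoded is not None:
            out.append(decoded)
    return out

def ports_accepting(packet: bytes) -> List[int]:
    """Check every port in the pool: exactly one accepts a given packet, and
    which one it is cannot be predicted without the key."""
    return [p for p in range(PORT_LOW, PORT_HIGH) if receive(SHARED_KEY, p, packet) is not None]
```

A 16-bit port carries only about 15.6 bits of the tag here, so a blind guess lands on the right port with probability roughly 1/50000 per packet; hopping more parameters at once, as the thesis describes for address, protocol number, sequence and acknowledgement numbers, is what raises that bar.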
Keywords/Search Tags: network security, proactive defense, moving target defense, port address hopping, NAPT/FW traversing, flow fingerprinting