Research On The Key Technologies Of Software-defined Dynamic Network Defense

Posted on: 2019-02-24
Degree: Master
Type: Thesis
Country: China
Candidate: Y Chen
GTID: 2428330596459470
Subject: Information and Communication Engineering
Abstract/Summary:
Inherent defects of the current network architecture, such as its static and deterministic nature, have aggravated the asymmetry of "easy to attack but hard to defend". Existing defense theories and methods mainly follow the defense mode of "threat perception, cognitive decision-making, problem removal", and have difficulty coping with increasingly complex network attacks. To change this situation, countries have launched a number of active defense research programs that attempt to "change the rules of the game", e.g. Moving Target Defense (MTD) and Cyber Mimic Defense (CMD), which make attacks more difficult by irregularly shifting the attack surface. As an essential part of dynamic defense, dynamic network defense technology has also developed rapidly, but most existing techniques are limited to dynamics in a single dimension, and the defense against advanced attackers still seems inadequate. In this paper, we propose the concept of Multi-dimensional Dynamic Reconfiguration (MDR) to change the asymmetry of the network, aiming to disrupt the attacker's kill chain and increase the difficulty of attack. Within the software-defined ecosystem, we combine multi-dimensional host identification with dynamic transmission paths to study the problems of cooperative maneuvering across multi-dimensional attributes. Finally, we designed and implemented a software-defined multi-dimensional dynamic reconstruction prototype system to verify the research results. The main contributions are as follows:

1. We study the dynamic maneuvering problem of multi-dimensional host identification and design different maneuvering mechanisms for four attribute dimensions: IP address, MAC, port and domain name. Through the global configuration mechanism of the SDN, a shared resource pool is configured for all terminals, so that both the real and the virtual information of each terminal are drawn from one pool, user configuration is reduced, and the maneuvering space for virtual information is maximized. By optimizing the communication process and using one-time message modification, we reduce the processing overhead and transmission delay of the switch.

2. We study efficient dynamic transmission path algorithms. Based on the global view of the software-defined network, the paths of multiple streams are randomly and concurrently transformed to resist reconnaissance, eavesdropping, and DoS attacks. The existing Yen algorithm is improved so that the generated K paths satisfy the capacity, overlap and QoS constraints; at the same time, we improve the computational efficiency, solve for the optimal value of K, and analyze the security effect brought by the dynamic path.

3. We study the design of the system and the implementation of multi-dimensional attribute collaborative maneuvering. Based on the global configuration and global view of SDN, host identification and path maneuvering are combined to implement a multi-dimensional cooperative dynamic network system. By dynamically transforming the multi-dimensional attribute configuration, the attacker's cognitive advantage over the target system, or the resources the attacker has already obtained, cannot remain effective over time and space.
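To make the dynamic transmission path idea in contribution 2 concrete, here is an added example that is not code from the thesis: it selects up to K candidate paths that satisfy capacity, delay (QoS) and link-overlap limits, then hops between them at random. The topology, the function names and the brute-force path enumeration (used here in place of the thesis's improved Yen algorithm, which the abstract does not detail) are assumptions.

```python
import random

# Constructed topology: (u, v) -> (capacity in Mbit/s, delay in ms); links are bidirectional.
LINKS = {
    ("s", "a"): (100, 2), ("a", "t"): (100, 2), ("s", "b"): (100, 3),
    ("b", "t"): (100, 3), ("s", "c"): (10, 1), ("c", "t"): (10, 1),
    ("a", "b"): (100, 1),
}

def build_graph(links):
    g = {}
    for (u, v), attrs in links.items():
        g.setdefault(u, {})[v] = attrs
        g.setdefault(v, {})[u] = attrs
    return g

def simple_paths(g, src, dst, path=None):
    """Every loop-free path src -> dst. Brute-force DFS stand-in for a K-shortest-path search."""
    path = path or [src]
    if path[-1] == dst:
        yield path
        return
    for nxt in g[path[-1]]:
        if nxt not in path:
            yield from simple_paths(g, src, dst, path + [nxt])

def edges(path):
    return {frozenset(e) for e in zip(path, path[1:])}

def candidate_paths(g, src, dst, k, demand, max_delay, max_shared):
    """Pick up to k paths meeting capacity, delay (QoS) and link-overlap limits."""
    feasible = []
    for p in simple_paths(g, src, dst):
        hops = [g[u][v] for u, v in zip(p, p[1:])]
        delay = sum(d for _, d in hops)
        if min(c for c, _ in hops) >= demand and delay <= max_delay:
            feasible.append((delay, p))
    chosen = []
    for _, p in sorted(feasible):  # lowest delay first, greedy overlap check
        if all(len(edges(p) & edges(q)) <= max_shared for q in chosen):
            chosen.append(p)
    return chosen[:k]

def hop_schedule(paths, periods, rng=None):
    """One path per hopping period, never reusing the previous period's path."""
    rng = rng or random.SystemRandom()  # OS CSPRNG so the schedule is not predictable
    out = []
    for _ in range(periods):
        options = [p for p in paths if not out or p != out[-1]] or paths
        out.append(rng.choice(options))
    return out
```

Tightening `max_shared` trades path diversity for isolation: with no shared links allowed, an eavesdropper on any single link sees only the periods routed over that one path.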
Keywords/Search Tags: Moving Target Defense, Dynamic Network, Software-defined Network, Multi-dimensional Dynamic Reconstruction