
Research On IoT Security Technology Based On Software-defined Network

Posted on: 2021-12-25
Degree: Master
Type: Thesis
Country: China
Candidate: X P Luo
Full Text: PDF
GTID: 2518306200450624
Subject: Computer technology
Abstract/Summary:
The Internet of Things (IoT) is an extension of the Internet into the physical world. With the rapid development of IoT, its security problems have become increasingly apparent. IoT sensing nodes and transmission devices are massive in number, simple in function, and weak in computing capacity, which makes them easy victims of cyber-attacks on the one hand and, on the other, easily recruited into botnets as participants in Distributed Denial of Service (DDoS) attacks. Traditional static, passive network security defenses struggle against continually evolving cyber-attacks, which in the IoT environment are stronger, more elaborate, and more damaging than in the conventional Internet. Moving Target Defense (MTD) is a new active-defense design idea: it makes cyberspace more dynamic and randomized, greatly increasing the difficulty of attack and thereby effectively enhancing defensive capability. However, traditional network infrastructure cannot provide efficient performance for MTD and requires high development cost. A honeypot is a computer security mechanism used to detect, deflect, or counteract attacks. Honeypots have achieved positive results against cyber-attacks on the Internet, but some problems remain to be solved, such as enabling fine-grained data control and overcoming the differences between IoT and the Internet. Common network traceability schemes include logging and packet marking, which store or mark message information on relay devices. This information provides strong evidence and a traceability channel for the forensic analysis of security incidents, but it requires additional work from routers and scales poorly. Entropy, as a statistical measure, indicates the disorder or randomness associated with a variable. Entropy-based detection is fast and does not require constructing a large number of traffic features, but its false alarm rate is high. Software Defined Networking (SDN) offers logically centralized control and flexible programmability, enabling flexible management and control of the network. SDN can provide more efficient defense performance for MTD, and finer-grained network control and flexible management for honeypots. Therefore, this thesis proposes using SDN to design and implement MTD and honeypots in IoT, and finally implements an SDN-based IoT security system. The specific contributions are as follows:

1. An SDN-based MTD model is proposed. It defends against the scanning of IoT devices, which is the first step of an IoT attack. The MTD architecture keeps the real IP addresses of IoT devices unchanged and maps random, short-lived virtual IP addresses to them at random intervals; communication takes place via the virtual IP addresses. The short, random lifetime of a virtual IP address provides high unpredictability and a high mutation rate, maximizing the defense against attackers' probing for active hosts. Based on SDN traffic monitoring, the model analyzes and detects suspicious port-scanning traffic and responds with packets carrying mixed port information, providing a dynamic port defense strategy that maximizes the defense against attackers' probing of host ports.

2. An SDN-based honeypot model is proposed. Most IoT devices have a single function and poor security, and it is difficult to detect cyber-attacks relying only on their limited computing capability. We set up several SDN-based edge computing layer honeypots that imitate various IoT devices in the IoT perception layer and lure attackers and malware with vulnerabilities. Combining logging with Packet-In messages, these honeypots can detect and mitigate Telnet and SSH brute-force attacks. We also set up an SDN-based fog computing layer defense scheme to protect IoT servers in the IoT network layer. Using packet marking and entropy-based detection, suspicious attack traffic is identified by checking the mark bits of packets and calculating the entropy of packets.
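As an added illustration (not code from the thesis), the entropy-based detection step of contribution 2 applied to constructed packet samples: a controller-side sliding window over (source, destination) pairs flags a window whose destination entropy collapses while source entropy stays high. Window size, thresholds and IP addresses are assumptions; the third window shows why the abstract notes a high false alarm rate, since a flash crowd of real users has the same entropy signature as a flood.

```python
import math
from collections import Counter


def normalized_entropy(values):
    """Shannon entropy of the symbols in `values`, scaled to [0, 1] by the
    maximum possible entropy for that many packets (every packet distinct)."""
    n = len(values)
    if n < 2:
        return 0.0
    counts = Counter(values)
    h = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return h / math.log2(n)


def detect_floods(packets, window=8, dst_max=0.4, src_min=0.8):
    """Slide a fixed-size window over (src_ip, dst_ip) pairs, as a controller
    would over sampled Packet-In events, and flag windows where many senders
    converge on one target. Thresholds are assumed, not from the thesis."""
    results = []
    for start in range(0, len(packets) - window + 1, window):
        chunk = packets[start:start + window]
        h_src = normalized_entropy([p[0] for p in chunk])
        h_dst = normalized_entropy([p[1] for p in chunk])
        results.append({
            "window": start // window,
            "h_src": round(h_src, 3),
            "h_dst": round(h_dst, 3),
            "suspicious": h_dst < dst_max and h_src > src_min,
        })
    return results


# Constructed sample traffic (not real captures): eight packets per window.
BENIGN = [("10.0.1.1", "10.0.0.5"), ("10.0.1.2", "10.0.0.6"),
          ("10.0.1.3", "10.0.0.7"), ("10.0.1.4", "10.0.0.8"),
          ("10.0.1.1", "10.0.0.6"), ("10.0.1.2", "10.0.0.5"),
          ("10.0.1.3", "10.0.0.8"), ("10.0.1.4", "10.0.0.7")]
# Spoofed sources, one victim: destination entropy drops to 0.
FLOOD = [(f"198.51.100.{i}", "10.0.0.5") for i in range(1, 9)]
# Eight real users hitting one popular server: same signature, a false alarm.
FLASH_CROWD = [(f"10.0.2.{i}", "10.0.0.5") for i in range(1, 9)]
SAMPLE = BENIGN + FLOOD + FLASH_CROWD

if __name__ == "__main__":
    for r in detect_floods(SAMPLE):
        print(r)
```

The flash-crowd window is why the thesis pairs entropy with packet marking rather than acting on entropy alone.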
Keywords/Search Tags: Software Defined Network, Moving Target Defense, Honeypot, Internet of Things, Distributed Denial of Service Attack