
The Research And Design Of A Distributed Moving Target Defense System

Posted on: 2022-07-30    Degree: Master    Type: Thesis
Country: China    Candidate: C R Song    Full Text: PDF
GTID: 2518306341453674    Subject: Cyberspace security
Abstract/Summary:
With the rapid development of the Internet, many attacks against service continuity have emerged. Among them, DDoS (Distributed Denial of Service) attacks are difficult for conventional security systems to prevent because of their massive traffic volume, the difficulty of identifying traffic characteristics, and their distributed nature. Moving Target Defense (MTD) introduces dynamic, diverse and randomized security concepts into the originally static, deterministic and self-similar network. Through disruption, heterogeneity and redundancy it makes the network attack surface change dynamically, thereby reversing the information asymmetry that favors the attacker in the attack-defense game; it is a disruptive new form of active defense. Among the moving target defense strategies, Network Moving Target Defense (NMTD) defends against DDoS attacks by using a cluster of reverse proxy servers, a random shuffling policy, and blocking of authenticated users according to a scoring model. In the existing network architecture this scheme has several problems: the entry server is itself an easy DDoS target, the user scoring mechanism is imperfect, and the reverse proxy cluster serves only a single function.

To address these problems, this paper designs and implements a distributed moving target defense system. It removes the vulnerability of the entry server by combining blockchain smart contract technology with a master-slave data synchronization model for the reverse proxy cluster, exploiting the decentralized, tamper-proof and traceable properties of the blockchain, and it proposes a multi-parameter scoring model that perceives historical behavior, improving the efficiency and accuracy of user blocking. The main contributions of this paper are as follows.

(1) This paper proposes using blockchain smart contracts as the entry point of the network moving target defense architecture. It studies the moving target defense system in depth and analyzes the shortcomings of the current proxy-switching moving target defense system, namely that the entry server of the current network moving target defense architecture is vulnerable to DDoS traffic and is the weak link of the system, and then proposes the scheme. The scheme offers easy and fast mapping replacement and strong programmability, thus enhancing the security of network moving target defense.

(2) This paper proposes storing all reverse-proxy-to-user mappings in a fault-tolerant, distributed manner across the reverse proxy cluster and redirecting each user's access according to this mapping. Together with the distributed entry point deployed on the blockchain, this avoids the single point of failure that DDoS attacks would otherwise exploit: even if one node times out under DDoS traffic, the fault tolerance of the synchronization algorithm lets the other reverse proxy nodes continue to operate normally.

(3) This paper proposes using a linear model to record an attacker's historical behavior and blocking the attacker once a specified threshold is reached. This method prevents strategic attackers from misleading the blocking model by attacking intermittently. It uses multiple indicators to distinguish different attack behaviors and adjusts the system's sensitivity to each kind of attack by changing the corresponding behavior coefficients, so that it can adapt to multiple service types. At the same time, a fair shuffling algorithm ensures that the number of users assigned to each reverse proxy, and the probability of a user landing on any given proxy, stay equal, which provides load balancing and speeds up the screening of malicious users.
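The following is an added illustration of contribution (3), written for this page and not the thesis's own code: a multi-indicator linear score with memory of past windows, a fixed blocking threshold, and a fair shuffle that deals users onto reverse proxies in equal shares. The indicator names, weights, decay factor, threshold and the traffic windows are constructed assumptions; the thesis abstract does not specify them.

```python
"""Constructed example (not the thesis's code): history-aware linear scoring
with threshold blocking, plus a fair shuffle of users onto reverse proxies.
All weights, the decay factor, the threshold and the sample traffic are
illustrative assumptions."""
import random
from collections import defaultdict

# Assumed behaviour coefficients: how much each indicator contributes to a
# user's suspicion score. Raising a coefficient makes the system more
# sensitive to that kind of attack for a given service type.
WEIGHTS = {
    "rps": 0.5,         # requests per second above the baseline
    "err_ratio": 4.0,   # fraction of 4xx/5xx responses in the window
    "proxy_hits": 2.0,  # extra distinct proxies a user touched (shuffle probing)
}
BASELINE_RPS = 5.0      # assumed normal per-user rate
DECAY = 0.9             # memory: last window's score is dampened, not discarded
BLOCK_THRESHOLD = 20.0  # assumed blocking threshold


class ScoringModel:
    """Linear model: score_t = decay * score_{t-1} + sum_k w_k * feature_k."""

    def __init__(self, weights=WEIGHTS, decay=DECAY, threshold=BLOCK_THRESHOLD):
        self.weights = weights
        self.decay = decay
        self.threshold = threshold
        self.score = defaultdict(float)
        self.blocked_at = {}   # user -> window index at which it was blocked
        self.window = 0

    def observe(self, user, rps, err_ratio, proxy_hits):
        """Fold one time window of a user's behaviour into its running score."""
        if user in self.blocked_at:
            return self.score[user]
        features = {
            "rps": max(0.0, rps - BASELINE_RPS),
            "err_ratio": err_ratio,
            "proxy_hits": max(0, proxy_hits - 1),
        }
        contribution = sum(self.weights[k] * features[k] for k in self.weights)
        self.score[user] = self.decay * self.score[user] + contribution
        if self.score[user] >= self.threshold:
            self.blocked_at[user] = self.window
        return self.score[user]

    def next_window(self):
        self.window += 1


def fair_shuffle(users, proxies, seed):
    """Seeded random permutation dealt round-robin onto the proxies, so every
    proxy receives an equal share (|n_i - n_j| <= 1) and, across seeds, each
    user is equally likely to land on any proxy."""
    order = list(users)
    random.Random(seed).shuffle(order)
    return {u: proxies[i % len(proxies)] for i, u in enumerate(order)}


def load_balance_gap(assignment):
    """Difference between the most and least loaded proxy."""
    counts = defaultdict(int)
    for proxy in assignment.values():
        counts[proxy] += 1
    return max(counts.values()) - min(counts.values())


def run_attacker(decay, windows=10):
    """Constructed traffic: an intermittent attacker floods on even windows and
    looks benign on odd ones, next to a normal user. Returns the window at which
    the attacker was blocked, or None if it never was."""
    model = ScoringModel(decay=decay)
    for w in range(windows):
        if w % 2 == 0:
            model.observe("attacker", rps=25.0, err_ratio=0.6, proxy_hits=3)
        else:
            model.observe("attacker", rps=2.0, err_ratio=0.0, proxy_hits=1)
        model.observe("alice", rps=3.0, err_ratio=0.02, proxy_hits=1)
        model.next_window()
    assert "alice" not in model.blocked_at
    return model.blocked_at.get("attacker")


if __name__ == "__main__":
    print("with memory, blocked at window:", run_attacker(DECAY))
    print("memoryless, blocked at window:", run_attacker(0.0))
    a = fair_shuffle([f"u{i}" for i in range(10)], ["p0", "p1", "p2"], seed=7)
    print("load gap:", load_balance_gap(a))
```

With memory (decay 0.9) the attacker's bursts accumulate (16.4, then 14.76 after the quiet window, then 29.68) and the threshold is crossed on the third window, whereas a memoryless model (decay 0.0) sees 16.4 on every burst and never blocks; this is the intermittent-attack evasion the abstract's history-aware model is meant to defeat.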
Keywords/Search Tags:Moving Target Defense, Blockchain, Smart Contract