
Research On Moving Target Defense Based On Security Function Virtualization

Posted on: 2021-11-13
Degree: Master
Type: Thesis
Country: China
Candidate: G S Lin
Full Text: PDF
GTID: 2518306503964559
Subject: Cyberspace security
Abstract/Summary:
The rapid development of information technology has given rise to a variety of network environments such as the Internet of Things, 5G, and the Internet of Vehicles. At the same time, it has brought a variety of unpredictable network security threats, such as network viruses, denial of service attacks, and advanced persistent threats. Because traditional network security defense technology relies mainly on static and passive methods, it cannot cope with attacks carefully constructed by attackers. In response to this situation, Moving Target Defense (MTD), a new defense idea, has attracted widespread attention. By continuously changing the attack surface of the system to increase the detection cost for attackers, MTD can effectively reduce the probability of a successful attack. However, MTD is currently only a technical framework, and how to use this idea to provide specific and effective defense mechanisms for complex network environments is still at an exploratory stage. Existing research on MTD focuses mainly on the dynamic transfer of the attack surface, but gives little consideration to dedicated network security functions or to the modeling and optimal scheduling of their resources.

Security Function Virtualization (SFV) technology decouples traditional network security functions from proprietary devices, provides unprecedented flexibility in the deployment and scheduling of security services, and offers new ideas for the concrete implementation of MTD. However, there are no related studies on applying SFV to MTD. Furthermore, existing research on SFV still has three shortcomings: the lack of a systematic and customizable control architecture, the lack of efficient scheduling algorithms for security function resources, and the lack of a mechanism for migrating security functions on demand.

Based on the above background and problems, this paper proposes a moving target defense architecture based on SFV and, on top of this architecture, designs a detailed dynamic defense process and a scheduling strategy for virtual security functions. The main work is as follows:

1) A layered MTD architecture is designed, comprising a dynamic defense control layer, a virtual security function layer, and a basic resource pool layer. Through dynamic scheduling of security function resources, dynamic defense of the network can be achieved without introducing additional equipment.

2) The specific details of SFV-based basic resource equipment nodes and software-defined dynamic defense control nodes are designed. Through the cooperation of multiple functional modules in each node, moving target defense proceeds through data collection, threat analysis, policy calculation, and execution, and this process is carried out efficiently.

3) A defense strategy based on attack surface transformation and detection surface expansion is established, and a scheduling and resource allocation algorithm for virtual security functions based on genetic algorithms is designed. The network is modeled, and the resource allocation and scheduling optimization problem under multiple constraints is formalized as an integer nonlinear programming problem that weighs the defense benefits against the costs of dynamically scheduling virtual security functions.

4) The detailed process of the MTD mechanism based on virtual security function migration is designed, including the phases of the migration sequence and the defense control messages: a resource status statistics table, a defense strategy instruction list, and a migration status feedback table.

5) Through a network simulation test and a mathematical model simulation environment, the performance difference of virtual security functions under different resource states is evaluated, and the performance of the proposed scheduling algorithm is compared along dimensions such as migration time and growth in available resources. It is verified that the SFV-based moving target defense mechanism proposed in this paper has effective defense capabilities.

This thesis builds on existing SFV research. Based on the designed SFV, a new MTD technology is proposed, which improves the active defense capability of next-generation networks.
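The kind of constrained placement search described in item 3), as an added illustration that is not the thesis's own code or objective function: a small genetic algorithm assigns virtual security functions (VSFs) to resource-pool nodes under an integer capacity constraint, scoring each placement by an assumed benefit (nodes covered, VSFs relocated) minus an assumed migration cost. The node capacities, VSF demands, current placement and weights are all constructed for this example.

```python
import random

# Constructed toy instance (assumed, not taken from the thesis): four
# virtual security functions (VSFs) to place on three resource-pool nodes.
NODE_CAPACITY = [4, 3, 3]          # CPU units available on each node
VSF_DEMAND = [2, 1, 2, 1]          # CPU units each VSF consumes
CURRENT_PLACEMENT = [0, 0, 1, 1]   # node currently hosting each VSF
SPREAD_WEIGHT = 1.0   # value of each node hosting a VSF (detection surface)
SHIFT_WEIGHT = 1.0    # value of each VSF relocated (attack surface change)
COST_WEIGHT = 0.6     # migration cost per CPU unit moved (assumed weights)

def feasible(placement):
    """Integer capacity constraint: demand placed on a node <= its capacity."""
    load = [0] * len(NODE_CAPACITY)
    for vsf, node in enumerate(placement):
        load[node] += VSF_DEMAND[vsf]
    return all(l <= c for l, c in zip(load, NODE_CAPACITY))

def fitness(placement):
    """Defense benefit minus migration cost; infeasible placements score -inf."""
    if not feasible(placement):
        return float("-inf")
    spread = len(set(placement))
    moved = [v for v, n in enumerate(placement) if n != CURRENT_PLACEMENT[v]]
    benefit = SPREAD_WEIGHT * spread + SHIFT_WEIGHT * len(moved)
    cost = COST_WEIGHT * sum(VSF_DEMAND[v] for v in moved)
    return benefit - cost

def ga_schedule(pop_size=20, generations=40, mutation_rate=0.2, seed=1):
    """Genetic search over placements; a chromosome is the node index per VSF."""
    rng = random.Random(seed)
    n_vsf, n_node = len(VSF_DEMAND), len(NODE_CAPACITY)
    pop = [[rng.randrange(n_node) for _ in range(n_vsf)] for _ in range(pop_size)]
    for _ in range(generations):
        pop.sort(key=fitness, reverse=True)
        elite = pop[: pop_size // 4]            # elitism keeps the best placements
        children = []
        while len(elite) + len(children) < pop_size:
            a, b = rng.sample(elite, 2)
            cut = rng.randrange(1, n_vsf)       # one-point crossover
            child = a[:cut] + b[cut:]
            for i in range(n_vsf):
                if rng.random() < mutation_rate:
                    child[i] = rng.randrange(n_node)
            children.append(child)
        pop = elite + children
    return max(pop, key=fitness)

if __name__ == "__main__":
    best = ga_schedule()
    print("placement:", best, "fitness:", round(fitness(best), 2))
```

With these weights, relocating a one-unit VSF pays for itself while relocating a two-unit VSF does not, so the best schedule moves only the small functions and spreads them so that every node is covered.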
Keywords/Search Tags:Moving target defense, security function virtualization, virtual machine migration, genetic algorithm