Full Text:   <469>

Summary:  <240>

CLC number: TP393.08

On-line Access: 2017-05-24

Received: 2016-09-16

Revision Accepted: 2017-04-06

Crosschecked: 2017-05-08

Cited: 0

Clicked: 1936

Citations:  Bibtex RefMan EndNote GB/T7714


Yue-bin Luo


-   Go to

Article info.
Open peer comments

Frontiers of Information Technology & Electronic Engineering  2017 Vol.18 No.5 P.719-728


A keyed-hashing based self-synchronization mechanism for port address hopping communication

Author(s):  Yue-bin Luo, Bao-sheng Wang, Xiao-feng Wang, Bo-feng Zhang

Affiliation(s):  College of Computer, National University of Defense Technology, Changsha 410073, China

Corresponding email(s):   luoyuebin@nudt.edu.cn, bswang@nudt.edu.cn, xf_wang@nudt.edu.cn, bfzhang@nudt.edu.cn

Key Words:  Synchronization, Port address hopping, Moving target defense, Network security

Yue-bin Luo, Bao-sheng Wang, Xiao-feng Wang, Bo-feng Zhang. A keyed-hashing based self-synchronization mechanism for port address hopping communication[J]. Frontiers of Information Technology & Electronic Engineering, 2017, 18(5): 719-728.

@article{title="A keyed-hashing based self-synchronization mechanism for port address hopping communication",
author="Yue-bin Luo, Bao-sheng Wang, Xiao-feng Wang, Bo-feng Zhang",
journal="Frontiers of Information Technology & Electronic Engineering",
publisher="Zhejiang University Press & Springer",

%0 Journal Article
%T A keyed-hashing based self-synchronization mechanism for port address hopping communication
%A Yue-bin Luo
%A Bao-sheng Wang
%A Xiao-feng Wang
%A Bo-feng Zhang
%J Frontiers of Information Technology & Electronic Engineering
%V 18
%N 5
%P 719-728
%@ 2095-9184
%D 2017
%I Zhejiang University Press & Springer
%DOI 10.1631/FITEE.1601548

T1 - A keyed-hashing based self-synchronization mechanism for port address hopping communication
A1 - Yue-bin Luo
A1 - Bao-sheng Wang
A1 - Xiao-feng Wang
A1 - Bo-feng Zhang
J0 - Frontiers of Information Technology & Electronic Engineering
VL - 18
IS - 5
SP - 719
EP - 728
%@ 2095-9184
Y1 - 2017
PB - Zhejiang University Press & Springer
ER -
DOI - 10.1631/FITEE.1601548

port address hopping (PAH) communication is a powerful network moving target defense (MTD) mechanism. It was inspired by frequency hopping in wireless communications. One of the critical and difficult issues with PAH is synchronization. Existing schemes usually provide hops for each session lasting only a few seconds/minutes, making them easily influenced by network events such as transmission delays, traffic jams, packet dropouts, reordering, and retransmission. To address these problems, in this paper we propose a novel self-synchronization scheme, called ’keyed-hashing based self-synchronization (KHSS)’. The proposed method generates the message authentication code (MAC) based on the hash based MAC (HMAC), which is then further used as the synchronization information for port address encoding and decoding. Providing the PAH communication system with one-packet-one-hopping and invisible message authentication abilities enables both clients and servers to constantly change their identities as well as perform message authentication over unreliable communication mediums without synchronization and authentication information transmissions. Theoretical analysis and simulation and experiment results show that the proposed method is effective in defending against man-in-the-middle (MITM) attacks and network scanning. It significantly outperforms existing schemes in terms of both security and hopping efficiency.


概要:端口地址跳变(Port address hopping, PAH)通信是一种有用的网络动目标防御(Moving target defense, MTD)机制,它受无线通信领域的跳频通信思想启发发展而来。跳变同步是PAH通信的一个关键和难点问题,已有机制通常为通信会话提供周期为数秒或数分钟的跳变,且容易受到传输延时、流量拥塞、数据包丢包、乱序和重传等网络事件的影响。为了应对这些问题,在本文中我们提出了一种新的自同步机制,叫做基于加密哈希的自同步(Keyed-hashing based self-synchronization, KHSS)。本文方法基于HMAC(Hash message authentication code)机制生成消息认证码(MAC),MAC被进一步用作端口地址编码和解码的同步信息,为端口地址跳变系统提供了一个数据包一次的跳变和隐秘的消息认证功能,使得通过不可靠通信媒介连接的客户端和服务器能够在持续变换它们的通信标识的同时执行消息认证,而且这一过程不需要传输任何同步和认证信息。理论分析、仿真和实验结果表明本文提出的方法能有效防御中间人(man-in-the-middle, MITM)攻击和网络扫描,在安全性和跳变效率方面也明显优于已有方法。


Darkslateblue:Affiliate; Royal Blue:Author; Turquoise:Article


[1]Antonatos, S., Akritidis, P., Markatos, E.P., et al., 2007. Defending against hitlist worms using network address space randomization. Comput. Netw., 51(12):3471-3490.

[2]Atighetchi, M., Pal, P., Webber, F., et al., 2003. Adaptive use of network-centric mechanisms in cyber-defense. Proc. 6th IEEE Int. Symp. on Object-Oriented Real-Time Distributed Computing, p.183-192.

[3]Badishi, G., Herzberg, A., Keidar, I., 2007. Keeping denial of service attackers in the dark. IEEE Trans. Depend. Sec. Comput., 4(3):191-204.

[4]Bellare, M., Canetti, R., Krawczyk, H., 1996. Keyed hash functions for message authentication. LNCS, 1109:1-15.

[5]Chong, F., Lee, R.B., Acquisti, A., et al., 2009. National Cyber Leap Year Summit 2009 Co-chairs Report. NITRD Program.

[6]Eastlake, D.III, Jones, P., 2001. US Secure Hash Algorithm 1 (SHA1). Internet Society, Washington DC, USA.

[7]Forouzan, B.A., 2009. Cryptography & Network Security. McGraw-Hill, Inc., New York, USA.

[8]Gu, J., Xue, Z., 2011. An improved efficient secret handshakes scheme with unlinkability. IEEE Commun. Lett., 15(2):259-261.

[9]Jafarian, J.H., Al-Shaer, E., Duan, Q., 2014. Spatio-temporal address mutation for proactive cyber agility against sophisticated attackers. Proc. MTD Workshop at CCS, p.69-78.

[10]Karlin, S., Peterson, L., 2002. Maximum Packet Rates for Full-Duplex Ethernet. Technical Report TR-645-02, Department of Computer Science, Princeton University, Princeton, USA.

[11]Kewley, D., Fink, R., Lowry, J., et al., 2001. Dynamic approach to thwart adversary intelligence gathering. Proc. DARPA Information Survivability Conf. and Exposition, p.176-185.

[12]Krawczyk, H., Bellare, M., Canetti, R., 1997. HMAC: Keyed-Hashing for Message Authentication. IETF Internet Request for Comments 2104 (RFC-2104).

[13]Lantz, B., Heller, B., McKeown, N., 2010. A network in a laptop: rapid prototyping for software-defined networks. Proc. 9th ACM SIGCOMM Workshop on Hot Topics in Networks, p.19:1-19:6.

[14]Lee, H.C.J., Thing, V.L.L., 2004. Port hopping for resilient networks. Proc. IEEE 60th Vehicular Technology Conf., p.3291-3295.

[15]Luo, Y.B., Wang, B.S., Wang, X.F., et al., 2015a. TPAH: a universal and multi-platform deployable port and address hopping mechanism. Proc. Int. Conf. on Information and Communications Technologies, p.214-219.

[16]Luo, Y.B., Wang, B.S., Wang, X.F., et al., 2015b. RPAH: random port and address hopping for thwarting internal and external adversaries. Proc. 14th IEEE Int. Conf. on Trust, Security and Privacy in Computing and Communications, p.263-270.

[17]Luo, Y.B., Wang, B.S., Wang, X.F., et al., 2017. RPAH: a moving target network defense mechanism naturally resists reconnaissances and attacks. IEICE Trans Inform. Syst., E100-D(3):496-510.

[18]Modares, H., Moravejosharieh, A., Lloret, J., et al., 2014. A survey of secure protocols in Mobile IPv6. J. Netw. Comput. Appl., 39:351-368.

[19]Morris, C.C., Burch, L.L., Robinson, D.T., 2012. Techniques for Port Hopping. US Patent 8 301 789.

[20]Rivest, R.L., 1992. The MD5 Message Digest Algorithm. Internet Engineering Task Force, Fremont, USA.

[21]Shi, L.Y., Jia, C.F., Lü, S.W., 2008. Full service hopping for proactive cyber-defense. Proc. IEEE Int. Conf. on Networking, Networking, Sensing and Control, p.1337-1342.

[22]Sifalakis, M., Schmid, S., Hutchison, D., 2005. Network address hopping: a mechanism to enhance data protection for packet communications. Proc. IEEE Int. Conf. on Communications, p.1518-1523.

Open peer comments: Debate/Discuss/Question/Opinion


Please provide your name, email address and a comment

Journal of Zhejiang University-SCIENCE, 38 Zheda Road, Hangzhou 310027, China
Tel: +86-571-87952783; E-mail: cjzhang@zju.edu.cn
Copyright © 2000 - Journal of Zhejiang University-SCIENCE