Full Text:   <291>

Summary:  <122>

CLC number: TP393

On-line Access: 2019-03-11

Received: 2018-08-30

Revision Accepted: 2018-11-11

Crosschecked: 2019-01-22

Cited: 0

Clicked: 2006

Citations:  Bibtex RefMan EndNote GB/T7714

 ORCID:

Yang Chen

http://orcid.org/0000-0001-7806-2066

-   Go to

Article info.
Open peer comments

Frontiers of Information Technology & Electronic Engineering  2019 Vol.20 No.2 P.238-252

http://doi.org/10.1631/FITEE.1800516


Design and implementation of a novel enterprise network defense system by maneuvering multi-dimensional network properties


Author(s):  Yang Chen, Hong-chao HU, Guo-zhen Cheng

Affiliation(s):  National Digital Switching System Engineering &Technological R&D Center, Zhengzhou 450002, China

Corresponding email(s):   13633833568@139.com

Key Words:  Intranet defense, Software-defined network, Multi-dimensional maneuvering


Yang Chen, Hong-chao HU, Guo-zhen Cheng. Design and implementation of a novel enterprise network defense system by maneuvering multi-dimensional network properties[J]. Frontiers of Information Technology & Electronic Engineering, 2019, 20(2): 238-252.

@article{title="Design and implementation of a novel enterprise network defense system by maneuvering multi-dimensional network properties",
author="Yang Chen, Hong-chao HU, Guo-zhen Cheng",
journal="Frontiers of Information Technology & Electronic Engineering",
volume="20",
number="2",
pages="238-252",
year="2019",
publisher="Zhejiang University Press & Springer",
doi="10.1631/FITEE.1800516"
}

%0 Journal Article
%T Design and implementation of a novel enterprise network defense system by maneuvering multi-dimensional network properties
%A Yang Chen
%A Hong-chao HU
%A Guo-zhen Cheng
%J Frontiers of Information Technology & Electronic Engineering
%V 20
%N 2
%P 238-252
%@ 2095-9184
%D 2019
%I Zhejiang University Press & Springer
%DOI 10.1631/FITEE.1800516

TY - JOUR
T1 - Design and implementation of a novel enterprise network defense system by maneuvering multi-dimensional network properties
A1 - Yang Chen
A1 - Hong-chao HU
A1 - Guo-zhen Cheng
J0 - Frontiers of Information Technology & Electronic Engineering
VL - 20
IS - 2
SP - 238
EP - 252
%@ 2095-9184
Y1 - 2019
PB - Zhejiang University Press & Springer
ER -
DOI - 10.1631/FITEE.1800516


Abstract: 
Although the perimeter security model works well enough when all internal hosts are credible, it is becoming increasingly difficult to enforce as companies adopt mobile and cloud technologies, i.e., the rise of bring your own device (BYOD). It is observed that advanced targeted cyber-attacks usually follow a cyber kill chain; for instance, advanced targeted attacks often rely on network scanning techniques to gather information about potential targets. In response to this attack method, we propose a novel approach, i.e., an “isolating and dynamic'' cyber defense, which cuts these potential chains to reduce the cumulative availability of the gathered information. First, we build a zero-trust network environment through network isolation, and then multiple network properties are maneuvered so that the host characteristics and locations needed to identify vulnerabilities cannot be located. Second, we propose a software-defined proactive cyber defense solution (SPD) for enterprise networks and design a general framework to strategically maneuver the IP address, network port, domain name, and path, while limiting the performance impact on the benign network user. Third, we implement our SPD proof-of-concept system over a software-defined network controller (OpenDaylight). Finally, we build an experimental platform to verify the system‘s ability to prevent scanning, eavesdropping, and denial-of-service attacks. The results suggest that our system can significantly reduce the availability of network reconnaissance scan information, block network eavesdropping, and sharply increase the cost of cyber-attacks.

基于多维动态网络属性的新型企业网防御系统的设计与实现

摘要:虽然周界安全模型在内部主机可靠时足够有效,但是随着企业采用移动和云技术,如自带设备(BYOD),该模型难以为继。有针对性的高级网络攻击通常采用网络杀伤链,例如,基于网络扫描技术收集潜在目标信息。本文提出一种"隔离和动态"网络防御方法,切断潜在杀伤链,降低攻击者收集信息的可用性。首先,通过网络隔离构建一个零信任网络环境,操纵多维网络属性跳变,使攻击者无法获得目标主机的特征和位置;其次,为企业网络提出一种基于软件定义的主动网络防御解决方案(SPD),并设计了一个通用框架,在不显著影响网络性能条件下,策略性地操纵IP地址、网络端口、域名和路径的协同跳变;然后,通过软件定义网络控制器(OpenDaylight)实现SPD概念验证系统;最后,搭建实验平台验证系统防扫描、防窃听和防拒绝服务(DoS)攻击的能力。结果表明,该系统可以显著降低网络侦察扫描信息的可用性,阻止网络窃听,并大幅增加攻击者的网络攻击成本。

关键词:企业网防御;软件定义网络;多维跳变

Darkslateblue:Affiliate; Royal Blue:Author; Turquoise:Article

Reference

[1]Al-Fares M, Loukissas A, Vahdat A, 2008. A scalable, commodity data center network architecture. ACM SIGCOMM Conf on Data Communication, p.63-74. [doi:10.1145/1402958.1402967]

[2]Antonatos S, Akritidis P, Markatos EP, et al., 2007. Defending against hitlist worms using network address space randomization. Comput Netw, 51(12):3471-3490.

[3]Atighetchi M, Pal P, Webber F, et al., 2003. Adaptive use of network-centric mechanisms in cyber-defense. 6th IEEE Int Symp on Object-Oriented Real-Time Distributed Computing, p.183-192.

[4]Carroll TE, Crouse M, Fulp EW, et al., 2014. Analysis of network address shuffling as a moving target defense. IEEE Int Conf on Communications, p.701-706.

[5]Duan Q, Al-Shaer E, Jafarian H, 2013. Efficient random route mutation considering flow and network constraints. IEEE Conf on Communications and Network Security, p.260-268.

[6]Duo, 2018. Liftoff: guide to duo deployment best practices. https://duo.com/assets/pdf/Duo-Liftoff-Guide.pdf [Accessed on Oct. 18, 2018].

[7]Escobedo V, Beyer B, Saltonstall M, et al., 2017. BeyondCorp 5: the user experience. Login, 42(3):38-43.

[8]Flores DA, Qazi F, Jhumka A, 2016. Bring your own disclosure: analysing BYOD threats to corporate information. IEEE Trustcom/BigDataSE/ISPA, p.1008-1015.

[9]Greenberg A, Hamilton JR, Jain N, et al., 2009. Vl2: a scalable and flexible data center network. ACM SIGCOMM Comput Commun Rev, 39(4):51-62.

[10]Guan ZT, Li J, Wu LF, et al., 2017. Achieving efficient and secure data acquisition for cloud-supported Internet of Things in smart grid. IEEE Internet Things J, 4(6):1934-1944.

[11]Hutchins E, Cloppert M, Amin R, 2011. Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains. In: Ryan J (Ed.), Leading Issues in Information Warfare & Security Research. Academic Publishing International Limited, London, UK, p.80-106.

[12]Jafarian JH, Al-Shaer E, Duan Q, 2012. Openflow random host mutation: transparent moving target defense using software defined networking. 1st Workshop on Hot Topics in Software Defined Networks, p.127-132.

[13]Jafarian JH, Al-Shaer E, Duan Q, 2013. Formal approach for route agility against persistent attackers. 18th European Symp on Research in Computer Security, p.237-254.

[14]Jafarian JH, Al-Shaer E, Duan Q, 2015. An effective address mutation approach for disrupting reconnaissance attacks. IEEE Trans Inform Forensics Secur, 10(12):2562-2577.

[15]Kewley D, Fink R, Lowry J, et al., 2001. Dynamic approaches to thwart adversary intelligence gathering. DARPA Information Survivability Conf and Exposition II, p.176-185.

[16]Kindervag J, 2010. Build security into your network‘s DNA: the zero trust network architecture. Technical Report, Forrester Research. http://www.ndm.net/firewall/pdf/palo_alto/Forrester-Build-Security-Into-Your-Network.pdf [Accessed on Nov. 5, 2010].

[17]Kindervag J, 2016. No more chewy centers: the zero-trust model of information security. Technical Report, Forrester Research. http://crystaltechnologies.com/wp-content/uploads/ 2017/12/forrester-zero-trust-model-information-security.pdf [Accessed on Mar. 23, 2016].

[18]Lei C, Ma DH, Zhang HQ, et al., 2017. Network moving target defense technique based on optimal forwarding path migration. J Commun, 38(3):133-143 (in Chinese).

[19]Li GL, Wu J, Li JH, et al., 2018. Service popularity-based smart resources partitioning for fog computing-enabled industrial Internet of Things. IEEE Trans Ind Inform, 14(10):4702-4711.

[20]Miller KW, Voas J, Hurlburt GF, 2012. BYOD: security and privacy considerations. It Prof, 14(5):53-55.

[21]Peck J, Beyer B, Beske C, et al., 2017. Migrating to BeyondCorp: maintaining productivity while improving security. Login, 42(3):49-55.

[22]Sharma DP, Kim DS, Yoon S, et al., 2018. FRVM: flexible random virtual IP multiplexing in software-defined networks. 17th IEEE Int Conf on Trust, Security, and Privacy in Computing and Communications/12th IEEE Int Conf on Big Data Science and Engineering, p.579-587.

[23]Talipov E, Jin DX, Jung J, et al., 2006. Path hopping based on reverse AODV for security. 9th Asia-Pacific Int Conf on Network Operations and Management: Management of Convergence Networks and Services, p.574-577.

[24]Wu J, Dong MX, Ota K, et al., 2018. Big data analysis-based secure cluster management for optimized control plane in software-defined networks. IEEE Trans Netw Serv Manag, 15(1):27-38.

[25]Zhou Y, Ni W, Zheng KF, et al., 2017. Scalable node-centric route mutation for defense of large-scale software-defined networks. Secur Commun Netw, 2017:4651395.

Open peer comments: Debate/Discuss/Question/Opinion

<1>

Please provide your name, email address and a comment





Journal of Zhejiang University-SCIENCE, 38 Zheda Road, Hangzhou 310027, China
Tel: +86-571-87952783; E-mail: cjzhang@zju.edu.cn
Copyright © 2000 - Journal of Zhejiang University-SCIENCE