Journal: 计算机学报 (Chinese Journal of Computers)

Moving Target Defense Technique Based on Self-Adaptive Transformation of the Network Attack Surface


Abstract

Moving target defense is a revolutionary, game-changing technology. It dynamically shifts the attack surface, making the targeted system more difficult for attackers to strike. As an effective method against malicious scanning and sniffing, network mutation is one of the key points of moving target defense research. Existing network mutation mechanisms mainly select randomly from the mutation space and mutate at a fixed period, so their unpredictability and timeliness are poor. They also have low usability and poor extensibility, because the implementation of network mutation lacks constraints and is highly complex.

In order to maximize the mutation defense benefit while ensuring network service quality, a novel moving target defense technique based on self-adaptive mutation of the network attack surface is proposed. On one hand, a hierarchical mutation architecture is used to increase the flexibility of network mutation. On this basis, a self-adaptive endpoint mutation algorithm is designed, consisting of a network threat awareness mechanism and a mutation strategy algorithm. First, a network threat awareness mechanism based on Sibson entropy is proposed; it perceives malicious scanning strategies and thereby guides the selection of the network mutation mechanism. Second, the network view and the view distance are defined in terms of the attack surface and the exploration surface, and a mutation strategy algorithm is proposed on this basis: it selects the mutation endpoint information set that maximizes the network view distance, improving the unpredictability of network mutation. Third, to guarantee the timeliness of the network view, a mutation period stretch strategy is adopted. As a result, by combining endpoint mutation selection based on the network view with a variable mutation period, the network attack surface is transformed in a self-adaptive way through combined spatial and temporal mutation, which maximizes the defensive benefit.

On the other hand, virtual endpoint mutation is used to decrease the overhead of network mutation. On this basis, satisfiability modulo theory is used to address the lack of mutation constraints under limited network resources. Since solving the satisfiability modulo theory problem is a non-deterministic polynomial (NP) problem, a heuristic mutation deployment algorithm is designed to optimize computational efficiency, ensuring the extensibility of the network mutation implementation. Moreover, to guarantee the consistency of flow table updates, a "delete in sequential order, add in reverse order" policy is adopted. Therefore, through the heuristic method based on satisfiability modulo theory and the proposed flow table update policy, the availability of network mutation is ensured.

Theoretical and experimental analyses evaluate the ability to resist scanning attacks and the mutation cost. Compared with existing typical endpoint mutation mechanisms such as Random Host Mutation and Spatial and Temporal Random Host Mutation, the proposed method disrupts more than 92.1% of the different types of scanning strategies used in network attacks. Furthermore, the flow table size of the proposed method decreases by 69.24%, and the packet drop rate decreases by 64.13%. Consequently, the proposed technique is verified to not only ensure network service quality but also effectively perceive and resist different types of scanning strategies in network attacks.

Chinese abstract (translated)

Moving target defense is a revolutionary technology that changes the attacker-defender landscape of cyberspace; by dynamically changing the attack surface it makes the target network more resilient. Network mutation (hopping), an effective defense against active scanning, is one of the key techniques for realizing moving target defense. Existing mutation mechanisms select randomly in the spatial dimension and use a fixed mutation period in the temporal dimension, which greatly reduces the unpredictability and timeliness of mutation defense; at the same time, because the mutation implementation process lacks constraints and mutation deployment is highly complex, network overhead increases and the usability and scalability of mutation defense decrease. To address these problems, this paper proposes a moving target defense technique based on self-adaptive transformation of the network attack surface. To maximize the benefit of network mutation, a self-adaptive network mutation algorithm is designed on top of a hierarchical mutation architecture. It consists of two parts: network threat awareness and mutation strategy generation. A threat awareness mechanism based on Sibson entropy analyzes the scanning attack strategy to guide the choice of network mutation mechanism; the network view and view distance are defined on the basis of the network attack surface and the network exploration surface, and a view-distance-based mutation strategy generation algorithm selects the set of mutation endpoint information that maximizes the view distance, so as to maximize the unpredictability of mutation; in addition, a self-stretching mutation period strategy guarantees the timeliness of mutation. Thus, through view-distance-based selection of the mutation strategy and formulation of a variable mutation period, self-adaptive transformation of the network attack surface in both the spatial and temporal dimensions is achieved, maximizing the defensive benefit. To solve the problem of implementing mutation under limited network resources, satisfiability modulo theory is used to formally describe the constraints on mutation implementation, guaranteeing the usability of mutation implementation; a heuristic mutation deployment algorithm improves deployment efficiency, guaranteeing the scalability of mutation defense. Finally, theoretical and experimental analysis examine the technique's ability to resist scanning attacks and its mutation cost; using different types of scanning attacks as examples, it is shown that the technique can effectively resist more than 92.1% of active scanning attacks while guaranteeing network service quality.
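The abstract states only that a Sibson-entropy-based threat awareness mechanism perceives the scanning strategy and guides the choice of mutation mechanism. The Python below is an added illustration written for this page, not code from the paper: it computes the information radius of Sibson (1969), of which the Jensen-Shannon divergence is the two-distribution, equal-weight case, between a source's probe distribution in two consecutive observation windows, once over the destination-host marginal and once over the destination-port marginal, and maps the result to the layer of a hierarchical mutation scheme. The window model, the host/port split, the 0.5-bit threshold, the function names and the sample probe lists are assumptions of this example, not definitions taken from the paper.

```python
import math
from collections import Counter

def kl_divergence(p, q):
    """D(p || q) in bits over dict-valued distributions; q must be positive wherever p is."""
    return sum(pk * math.log2(pk / q[k]) for k, pk in p.items() if pk > 0)

def sibson_radius(dists, weights=None):
    """Sibson information radius (order 1) of a family of distributions:
    R = sum_i w_i * D(P_i || M), with mixture M = sum_i w_i * P_i.
    For two equally weighted distributions this is the Jensen-Shannon divergence,
    so it lies in [0, 1] bit and is 0 only when the two distributions coincide."""
    n = len(dists)
    weights = weights or [1.0 / n] * n
    support = set().union(*(d.keys() for d in dists))
    mix = {k: sum(w * d.get(k, 0.0) for w, d in zip(weights, dists)) for k in support}
    return sum(w * kl_divergence(d, mix) for w, d in zip(weights, dists))

def empirical(values):
    """Empirical distribution of a list of observed values."""
    counts = Counter(values)
    total = sum(counts.values())
    return {k: c / total for k, c in counts.items()}

def assess_source(prev_probes, cur_probes, threshold=0.5):
    """Threat awareness for one source address (assumed design, see lead-in).
    Probes are (dst_host, dst_port) pairs from two consecutive observation windows.
    A scanner sweeping a dimension keeps moving its probe mass along it, so the
    Sibson radius of that marginal between the windows is high; a legitimate client
    hitting the same service leaves both marginals stable."""
    host_r = sibson_radius([empirical([h for h, _ in prev_probes]),
                            empirical([h for h, _ in cur_probes])])
    port_r = sibson_radius([empirical([p for _, p in prev_probes]),
                            empirical([p for _, p in cur_probes])])
    if max(host_r, port_r) < threshold:
        layer = "none"       # stable target set: no mutation triggered by this source
    elif host_r >= port_r:
        layer = "address"    # probes sweep across hosts (horizontal scan): mutate addresses
    else:
        layer = "port"       # probes sweep across ports of few hosts (vertical scan): mutate ports
    return {"host_radius": host_r, "port_radius": port_r, "mutation_layer": layer}

# Constructed sample windows (not captured traffic).
HORIZONTAL_PREV = [(f"10.0.0.{i}", 22) for i in range(1, 5)]
HORIZONTAL_CUR = [(f"10.0.0.{i}", 22) for i in range(5, 9)]
VERTICAL_PREV = [("10.0.0.7", p) for p in range(20, 24)]
VERTICAL_CUR = [("10.0.0.7", p) for p in range(24, 28)]
CLIENT_PREV = [("10.0.0.7", 443)] * 4
CLIENT_CUR = [("10.0.0.7", 443)] * 3

if __name__ == "__main__":
    for name, prev, cur in [("horizontal", HORIZONTAL_PREV, HORIZONTAL_CUR),
                            ("vertical", VERTICAL_PREV, VERTICAL_CUR),
                            ("client", CLIENT_PREV, CLIENT_CUR)]:
        print(name, assess_source(prev, cur))
```

Because the radius is bounded by one bit, the threshold has a direct meaning: disjoint target sets in consecutive windows give exactly 1.0, identical ones give 0, so the layer decision reacts to how much of the probe mass moved rather than to raw probe volume.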

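For the view-distance-based endpoint selection, the resource-constrained deployment and the period stretch strategy, the abstract gives the objectives (maximize view distance, respect limited network resources, vary the period) but not the definitions. The Python below is an added example, not the paper's algorithm or its SMT formulation. It assumes that the exploration surface is the set of virtual endpoints the adversary has probed, that the network view is the host-to-virtual-endpoint mapping, that the view distance is the number of mapped endpoints outside the exploration surface, that a per-round flow-rule budget stands in for the resource constraint, and that the period shrinks under threat and stretches when quiet. Host names, addresses, rule costs and the budget are constructed.

```python
def view_distance(view, explored):
    """View distance (assumed definition): number of endpoints in the defender's
    view (host -> virtual endpoint) that lie outside the adversary's exploration
    surface, i.e. that its past probing tells it nothing about."""
    return len(set(view.values()) - explored)

def plan_mutation(current, pool, explored, rule_cost, rule_budget):
    """Greedy endpoint selection under a flow-rule budget (assumed resource model).
    Hosts whose current endpoint has already been probed are re-mapped first, since
    moving them yields the largest view-distance gain; each re-mapped host receives a
    free endpoint from the pool, preferring ones the adversary has never probed.
    Returns the new view and the number of flow rules the round will consume."""
    in_use = set(current.values())
    free = [e for e in pool if e not in in_use]
    candidates = [e for e in free if e not in explored] + [e for e in free if e in explored]
    new_view = dict(current)
    spent = 0
    # Exposed hosts first; name order afterwards keeps the plan deterministic.
    for host in sorted(current, key=lambda h: (current[h] not in explored, h)):
        cost = rule_cost[host]
        if not candidates or spent + cost > rule_budget:
            continue  # no endpoint or budget left: this host keeps its endpoint this round
        new_view[host] = candidates.pop(0)
        spent += cost
    return new_view, spent

def next_period(period, threat, t_min=10.0, t_max=300.0, factor=1.5, threat_threshold=0.5):
    """Period self-stretch (assumed form): shorten the mutation period while a threat
    is perceived, so the adversary's view goes stale quickly; stretch it when quiet
    to reduce flow-table churn. The result is bounded to [t_min, t_max] seconds."""
    if threat >= threat_threshold:
        return max(t_min, period / factor)
    return min(t_max, period * factor)

# Constructed scenario: three hosts, a small virtual endpoint pool, and an exploration
# surface holding two currently mapped endpoints plus two free ones the scanner saw.
CURRENT_VIEW = {"web": "10.1.0.5", "db": "10.1.0.9", "mail": "10.1.0.12"}
POOL = ["10.1.0.5", "10.1.0.9", "10.1.0.12", "10.1.0.20", "10.1.0.21", "10.1.0.30", "10.1.0.31"]
EXPLORED = {"10.1.0.5", "10.1.0.9", "10.1.0.20", "10.1.0.21"}
RULE_COST = {"web": 4, "db": 3, "mail": 4}  # flow entries needed to re-map each host
BUDGET = 8

if __name__ == "__main__":
    view, spent = plan_mutation(CURRENT_VIEW, POOL, EXPLORED, RULE_COST, BUDGET)
    print("view distance before:", view_distance(CURRENT_VIEW, EXPLORED),
          "after:", view_distance(view, EXPLORED), "rules used:", spent)
    print("period under threat:", next_period(60.0, 0.9),
          "period when quiet:", next_period(60.0, 0.0))
```

In the constructed scenario the budget of 8 rules covers the two exposed hosts (db and web) but not mail, which keeps its unprobed endpoint; the view distance rises from 1 to 3 with 7 rules spent. A real deployment would derive the cost of each re-mapping from the number of switches on the host's paths, which is where the paper's SMT constraints and heuristic deployment come in.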