MTD Enhanced Cyber Deception Defense System

doi:10.3778/j.issn.1002-8331.2105-0169

Abstract

Abstract: Computer networks are developing rapidly, but network security such as system damage and information leakage are also becoming increasingly prominent. Attackers usually conduct a large number of network reconnaissance before a formal attack to discover exploitable vulnerabilities in the target network and system. The static configuration in traditional network systems provides a great advantage for adversaries to find network targets and launch attacks. To reduce the effectiveness of adversaries’ continuous reconnaissance attacks, this paper develops a moving target defense enhanced cyber deception defense system based on software-defined networks. The system uses cyber deception technology to confuse the target network and system information collected by the attacker, extends the time for the attacker to scan the real vulnerable hosts in the network, and increases the attacker’s time cost. Besides, this paper integrates IP address randomization technology on the cyber deception, dynamically and randomly changes the IP addresses of nodes in the network to enhance the defensive effectiveness of the network deception system. Finally, the system prototype is implemented and evaluated. In a configuration where the virtual network topology scale is three network segments, and the address conversion cycle is 30 seconds, this system delays the adversaries’ discovery of vulnerable hosts by an average of seven times, reducing the probability of adversaries successfully attacking vulnerable hosts by 83%. At the same time, the system overhead is less than 8% on average.

Key words: network reconnaissance attack, cyber deception, moving target defense, software defined network

摘要： 计算机网络正在飞速发展，但随之而来的系统破坏、信息泄露等网络安全问题也日益突出。攻击者在正式攻击前通常进行大量的网络侦查，以发现目标网络和系统上的可利用漏洞，而传统网络系统中的静态配置为攻击者发现网络目标和发起攻击提供了极大的优势。为了减轻攻击者持续性网络侦查攻击的有效性，基于软件定义网络开发了移动目标防御（moving target defense，MTD）增强的网络欺骗防御系统。该系统采用网络欺骗技术，混淆攻击者收集到的目标网络和系统信息，延长攻击者扫描到网络内真实脆弱性主机的时间，提高其时间成本；并在此基础上融合移动目标防御技术，动态随机地变换网络内节点的IP地址，增强网络欺骗系统的防御效能。实现了系统原型并对其进行评估，在虚拟网络拓扑规模为3个网段且地址变换周期为30?s的配置下，该系统将攻击者发现脆弱性主机的时间平均延迟7倍，将攻击者成功攻击脆弱性主机的概率降低83%，同时系统额外开销平均在8%以内。

关键词: 网络侦查攻击, 网络欺骗, 移动目标防御, 软件定义网络

GAO Chungang, WANG Yongjie, XIONG Xinli. MTD Enhanced Cyber Deception Defense System[J]. Computer Engineering and Applications, 2022, 58(15): 124-132.

高春刚, 王永杰, 熊鑫立. MTD增强的网络欺骗防御系统[J]. 计算机工程与应用, 2022, 58(15): 124-132.

References

[1] 徐焱，贾晓璐.内网安全攻防：渗透测试实战指南[J].中国信息化，2020，310（2）：99.
XU Y，JIA X L.Intranet security attack and defense：a practical guide to penetration testing[J].China Information Technology，2020，310（2）：99.
[2] PING C，DESMET L，HUYGENS C.A study on advanced persistent threats[C]//IFIP International Conference on Communications and Multimedia Security.Berlin Heidelberg：Springer，2014.
[3] BOWERS K，VAN DIJK M，GRIFFIN R，et al.Defending against the unknown enemy：applying flipit to system security[C]//Proceedings of the 3rd Conference on the Decision and Game Theory for Security（GameSec），2012：248-263.
[4] WANG C，LU Z.Cyber deception：overview and the road ahead[J].IEEE Security & Privacy，2018，16（2）：80-85.
[5] 贾召鹏，方滨兴，刘潮歌，等.网络欺骗技术综述[J].通信学报，2017，38（12）：128-143.
JIA Z P，FANG B X，LIU C G，et al.Survey on cyber deception[J].Journal on Communications，2017，38（12）：128-143.
[6] UITTO J，RAUTI S，LAURéN S，et al.A survey on anti-honeypot and anti-introspection methods[C]//World Conference on Information Systems & Technologies，2017.
[7] JAJODIA S，GHOSH A K，SWARUP V，et al.Moving target defense[M].New York：Springer，2011：23-35.
[8] XU J，GUO P，ZHAO M，et al.Comparing different moving target defense techniques[C]//Proceedings of ACM Workshop on Moving Target Defense，2014：97-107.
[9] AL-SHAER E.Toward network configuration randomization for moving target defense[M]//Moving target defense.[S.l.]：Springer，2011：153-159.
[10] FEAMSTER N，REXFORD J，ZEGURA E.The road to SDN：an intellectual history of programmable networks[J].Computer Communication Review：A Quarterly Publication of the Special Interest Group on Data Communication，2014（2）：87-98.
[11] AKIYAMA M，YAGI T，HARIU T，et al.Honey circulator：distributing credential honeytoken for introspection of web-based attack cycle[J].International Journal of Information Security，2018，17：135-151.
[12] ACHLEITNER S，PORTA T L，MCDANIEL P，et al.Cyber deception：virtual networks to defend insider reconnaissance[C]//2016 International Workshop，2016.
[13] ZHAN S，YAN G.Ensuring deception consistency for FTP services hardened against advanced persistent threats[C]//The 5th ACM Workshop，2018.
[14] RRUSHI J L.NIC displays to thwart malware attacks mounted from within the OS[J].Computers & Security，2016，61：59-71.
[15] RUBIO-MEDRANO C E，DOUP A，YAN S，et al.HoneyPLC：a next-generation honeypot for industrial control systems[C]//2020 ACM SIGSAC Conference on Computer and Communications Security，2020.
[16] ZHE L，YIN X，REN T A N，et al.SDN virtual honeynet for network attack information acquisition[J].DEStech Transactions on Computer Science and Engineering，2017，2：123-125.
[17] KONG T，WANG L，MA D，et al.Automated honeynet deployment strategy for active defense in container-based cloud[C]//2020 IEEE 22nd International Conference on High Performance Computing and Communications；IEEE 18th International Conference on Smart City；IEEE 6th International Conference on Data Science and Systems（HPCC/SmartCity/DSS），2020.
[18] NIAKANLAHIJI A，JAFARIAN J H，CHU B T，et al.HoneyBug：personalized cyber deception for Web applications[C]//Hawaii International Conference on System Sciences 2020（HICSS 53），2020.
[19] SENGUPTA S，CHOWDHARY A，SABUR A，et al.A survey of moving target defenses for network security[J].IEEE Communications Surveys & Tutorials，2019，22（3）：1909-1941.
[20] YANG Y，CHENG L.An SDN-based MTD model[J].Concurrency and Computation：Practice and Experience，2018，31.
[21] LIU Z，HE Y，WANG W，et al.AEH-MTD：adaptive moving target defense scheme for SDN[C]//2019 IEEE International Conference on Smart Internet of Things（SmartIoT），2019.
[22] NARANTUYA J，YOON S，LIM H，et al.SDN-based IP shuffling moving target defense with multiple SDN controllers[C]//2019 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks-Supplemental Volume（DSN-S），2019.
[23] WANG P，ZHOU M，DING Z.A two-layer IP hopping-based moving target defense approach to enhancing the security of mobile ad-hoc networks[J].Sensors，2021，21（7）：2355.
[24] DADHEECH K，CHOUDHARY A，BHATIA G.De-militarized zone：a next level to network security[C]//2018 Second International Conference on Inventive Communication and Computational Technologies（ICICCT），2018：595-600.
[25] JAIN S，KUMAR A，MANDAL S，et al.B4：experience with a globally-deployed software defined WAN[C]//Computer Communication Review，2013：3-14.
[26] DAS T，GURUSAMY M.Controller placement for resilient network state synchronization in multi-controller SDN[J].IEEE Communications Letters，2020，24（6）：1299-1303.
[27] TZENG Y Y，SHEN C A.An integrated multi-controller management framework for highly reliable software defined networking[J].Telecommunication Systems，2021，77：377-388.
[28] OLIVEIRA R，SCHWEITZER C M，SHINODA A A，et al.Using mininet for emulation and prototyping software-defined networks[C]//Communications & Computing，2014.