Design and implementation of a novel enterprise network defense system by maneuvering multi-dimensional network properties
  • Authors: Yang CHEN; Hong-chao HU; Guo-zhen CHENG
  • Affiliation: National Digital Switching System Engineering & Technological R&D Center
  • Keywords: Intranet defense; Software-defined network; Multi-dimensional maneuvering
  • Journal abbreviation: JZUS
  • Journal title (Chinese): 信息与电子工程前沿(英文)
  • Journal title (English): Frontiers of Information Technology & Electronic Engineering
  • Publication date: 2019-02-03
  • Year: 2019
  • Volume: v.20
  • Issue: 02
  • Article ID: JZUS201902008
  • Pages: 102-116
  • Page count: 15
  • CN: 33-1389/TP
  • Language: English
  • Funding: Project supported by the Information Engineering University Emerging Direction Cultivation Fund, China (No. 2016610708); the Science and Technology Research Project of Henan, China (No. 172102210615); the National Natural Science Foundation of China (Nos. 61521003 and 61602509); and the National Key Research and Development Program of China (Nos. 2016YFB0800100 and 2016YFB0800101)
Abstract
Although the perimeter security model works well enough when all internal hosts are trustworthy, it is becoming increasingly difficult to enforce as companies adopt mobile and cloud technologies, i.e., with the rise of bring your own device (BYOD). It is observed that advanced targeted cyber-attacks usually follow a cyber kill chain; for instance, advanced targeted attacks often rely on network scanning techniques to gather information about potential targets. In response to this attack method, we propose a novel approach, an "isolating and dynamic" cyber defense, which cuts these potential chains to reduce the cumulative availability of the gathered information. First, we build a zero-trust network environment through network isolation, and then multiple network properties are maneuvered so that the host characteristics and locations needed to identify vulnerabilities cannot be located. Second, we propose a software-defined proactive cyber defense solution (SPD) for enterprise networks and design a general framework to strategically maneuver the IP address, network port, domain name, and path, while limiting the performance impact on the benign network user. Third, we implement our SPD proof-of-concept system over a software-defined network controller (OpenDaylight). Finally, we build an experimental platform to verify the system's ability to prevent scanning, eavesdropping, and denial-of-service attacks. The results suggest that our system can significantly reduce the availability of network reconnaissance scan information, block network eavesdropping, and sharply increase the cost of cyber-attacks.