Abstract
Port hopping is a typical moving target defense technique that hides the service identity and confuses attackers by continuously changing the service port. Exploiting the logically centralized control and network programmability of SDN, this paper proposes a port-hopping-based SDN network defense technique in which the SDN controller takes over the server-side port hopping function. This not only reduces the load on the server but also allows malicious packets to be detected and filtered in advance, and it can defend against internal attackers. Theoretical analysis and experimental results show that the proposed technique adds little load to the SDN controller and can effectively resist DoS attacks.