The Design and Implementation of a Vector Packet Processing Accelerating Dynamic Protection System

MIAO Li-ren, HU Hong-chao, HUO Shu-min, CHENG Guo-zhen

ACTA ELECTRONICA SINICA ›› 2019, Vol. 47 ›› Issue (8) : 1724-1730. DOI: 10.3969/j.issn.0372-2112.2019.08.016
Abstract

Dynamic IP address protection (IP hopping) techniques introduce additional processing overhead, so the throughput of normal network transmission decreases. This paper designs and implements, for the first time, a dynamic IP address protection system accelerated by Vector Packet Processing (VPP), which hides the real IP addresses of protected hosts while improving the system's data-processing capability. First, separate fast-forwarding and slow-forwarding logic is designed for the different processing performed on the data plane and the control plane, so that the number of copies made while handling a data packet is minimized. Second, to cope with the frequent mapping between real IPs and virtual IPs, an efficient shared-memory mechanism for dynamic IP address translation is proposed. Third, an optimization algorithm is used to formulate the IP hopping strategy, and a hash-chain algorithm is used to build an efficient pre-allocation mechanism for virtual IP addresses, minimizing the performance loss of the system. Finally, experimental results show that the system effectively resists DoS attacks, keeps the hit rate of potential probing (reconnaissance) attacks below 16%, and significantly improves data-processing performance.
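The abstract names three mechanisms (a hash chain that pre-allocates virtual IPs per hop, a real/virtual translation table consulted on the data path, and the resulting staleness of anything an attacker learns by scanning) without showing how they fit together. The following Python is an added illustration written for this page, not the authors' code and not a description of their actual algorithms: the shared secret, the 10.0.0.0/24 virtual pool, the three real hosts, SHA-256 as the chain function, linear probing for slot collisions, and the one-epoch grace window are all assumptions chosen to make the idea concrete.

```python
"""Added illustration of hash-chain virtual IP pre-allocation and
real<->virtual translation. Not the paper's implementation; every
parameter below is a constructed assumption."""
import hashlib
import ipaddress
from typing import Dict, List, Optional

# Constructed parameters (assumptions, not taken from the paper).
SECRET = b"example-shared-secret"                   # known to both hopping ends
VIRTUAL_POOL = ipaddress.ip_network("10.0.0.0/24")  # candidate virtual addresses
REAL_HOSTS = ["192.168.1.10", "192.168.1.11", "192.168.1.12"]
EPOCHS_AHEAD = 8                                    # hops pre-allocated in advance


def hash_chain(real_ip: str, length: int) -> List[bytes]:
    """h0 = H(secret || real_ip), h_{i+1} = H(h_i); link i drives epoch i.
    Both ends can regenerate the chain offline, so no per-hop signalling."""
    link = hashlib.sha256(SECRET + real_ip.encode()).digest()
    chain = []
    for _ in range(length):
        chain.append(link)
        link = hashlib.sha256(link).digest()
    return chain


def preallocate(hosts: List[str], epochs: int) -> List[Dict[str, str]]:
    """Per epoch, a bijective real->virtual table. Two hosts whose chain
    links land on the same pool slot are separated by linear probing, so
    the table never assigns one virtual IP to two real hosts."""
    pool = list(VIRTUAL_POOL.hosts())
    chains = {h: hash_chain(h, epochs) for h in hosts}
    tables = []
    for epoch in range(epochs):
        used, table = set(), {}
        for real in hosts:  # fixed host order keeps both ends in agreement
            slot = int.from_bytes(chains[real][epoch][:4], "big") % len(pool)
            while pool[slot] in used:
                slot = (slot + 1) % len(pool)
            used.add(pool[slot])
            table[real] = str(pool[slot])
        tables.append(table)
    return tables


class Translator:
    """Data-plane view of the pre-allocated tables: dictionary lookups in
    both directions. The previous epoch is also accepted inbound so flows
    that straddle a hop are not cut; everything else is dropped (None)."""

    def __init__(self, tables: List[Dict[str, str]]) -> None:
        self.tables = tables
        self.reverse = [{v: r for r, v in t.items()} for t in tables]
        self.epoch = 0

    def hop(self) -> None:
        if self.epoch + 1 >= len(self.tables):
            raise RuntimeError("pre-allocated epochs exhausted; regenerate tables")
        self.epoch += 1

    def outbound(self, real_src: str) -> Optional[str]:
        """Rewrite the source of an outgoing packet to this epoch's virtual IP."""
        return self.tables[self.epoch].get(real_src)

    def inbound(self, virtual_dst: str) -> Optional[str]:
        """Map an incoming destination back to a real host, or None to drop it."""
        for idx in (self.epoch, self.epoch - 1):
            if idx >= 0 and virtual_dst in self.reverse[idx]:
                return self.reverse[idx][virtual_dst]
        return None


def stale_probe_hit_rate(tables: List[Dict[str, str]], learned: int, probed: int) -> float:
    """Fraction of virtual IPs scanned at epoch `learned` that still reach the
    same host at epoch `probed`; the quantity the abstract's hit rate measures."""
    hits = sum(1 for real, virt in tables[learned].items() if tables[probed][real] == virt)
    return hits / len(tables[learned])


if __name__ == "__main__":
    tables = preallocate(REAL_HOSTS, EPOCHS_AHEAD)
    t = Translator(tables)
    virt = t.outbound(REAL_HOSTS[0])
    print("epoch 0:", REAL_HOSTS[0], "->", virt, "->", t.inbound(virt))
    t.hop()
    print("epoch 1 hit rate for epoch-0 scan results:", stale_probe_hit_rate(tables, 0, 1))
```

The point worth noticing is that the attacker's scan results decay by construction: a virtual address learned in one epoch usually maps to nothing (or to a different host) a few hops later, which is the mechanism behind the bounded probing hit rate, while legitimate peers that share the secret can compute the same tables ahead of time and never touch the slow path at hop boundaries.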

Key words

network active defense / IP mutation / vector packet processing / optimization

Cite this article

MIAO Li-ren, HU Hong-chao, HUO Shu-min, CHENG Guo-zhen. The Design and Implementation of a Vector Packet Processing Accelerating Dynamic Protection System[J]. Acta Electronica Sinica, 2019, 47(8): 1724-1730. https://doi.org/10.3969/j.issn.0372-2112.2019.08.016


Funding

Emerging Research Project of Information Engineering University (No.2016610708); National Natural Science Foundation of China (No.61602509)