Similar articles

Abstract: port address hopping (PAH) communication is a powerful network moving target defense (MTD) mechanism. It was inspired by frequency hopping in wireless communications. One of the critical and difficult issues with PAH is synchronization. Existing schemes usually provide hops for each session lasting only a few seconds/minutes, making them easily influenced by network events such as transmission delays, traffic jams, packet dropouts, reordering, and retransmission. To address these problems, in this paper we propose a novel self-synchronization scheme, called ’keyed-hashing based self-synchronization (KHSS)’. The proposed method generates the message authentication code (MAC) based on the hash based MAC (HMAC), which is then further used as the synchronization information for port address encoding and decoding. Providing the PAH communication system with one-packet-one-hopping and invisible message authentication abilities enables both clients and servers to constantly change their identities as well as perform message authentication over unreliable communication mediums without synchronization and authentication information transmissions. Theoretical analysis and simulation and experiment results show that the proposed method is effective in defending against man-in-the-middle (MITM) attacks and network scanning. It significantly outperforms existing schemes in terms of both security and hopping efficiency.

一种基于加密哈希的端口地址跳变通信自同步机制

[1]Antonatos, S., Akritidis, P., Markatos, E.P., et al., 2007. Defending against hitlist worms using network address space randomization. Comput. Netw., 51(12):3471-3490.

[2]Atighetchi, M., Pal, P., Webber, F., et al., 2003. Adaptive use of network-centric mechanisms in cyber-defense. Proc. 6th IEEE Int. Symp. on Object-Oriented Real-Time Distributed Computing, p.183-192.

[3]Badishi, G., Herzberg, A., Keidar, I., 2007. Keeping denial of service attackers in the dark. IEEE Trans. Depend. Sec. Comput., 4(3):191-204.

[4]Bellare, M., Canetti, R., Krawczyk, H., 1996. Keyed hash functions for message authentication. LNCS, 1109:1-15.

[5]Chong, F., Lee, R.B., Acquisti, A., et al., 2009. National Cyber Leap Year Summit 2009 Co-chairs Report. NITRD Program.

[6]Eastlake, D.III, Jones, P., 2001. US Secure Hash Algorithm 1 (SHA1). Internet Society, Washington DC, USA.

[7]Forouzan, B.A., 2009. Cryptography & Network Security. McGraw-Hill, Inc., New York, USA.

[8]Gu, J., Xue, Z., 2011. An improved efficient secret handshakes scheme with unlinkability. IEEE Commun. Lett., 15(2):259-261.

[9]Jafarian, J.H., Al-Shaer, E., Duan, Q., 2014. Spatio-temporal address mutation for proactive cyber agility against sophisticated attackers. Proc. MTD Workshop at CCS, p.69-78.

[10]Karlin, S., Peterson, L., 2002. Maximum Packet Rates for Full-Duplex Ethernet. Technical Report TR-645-02, Department of Computer Science, Princeton University, Princeton, USA.

[11]Kewley, D., Fink, R., Lowry, J., et al., 2001. Dynamic approach to thwart adversary intelligence gathering. Proc. DARPA Information Survivability Conf. and Exposition, p.176-185.

[12]Krawczyk, H., Bellare, M., Canetti, R., 1997. HMAC: Keyed-Hashing for Message Authentication. IETF Internet Request for Comments 2104 (RFC-2104).

[13]Lantz, B., Heller, B., McKeown, N., 2010. A network in a laptop: rapid prototyping for software-defined networks. Proc. 9th ACM SIGCOMM Workshop on Hot Topics in Networks, p.19:1-19:6.

[14]Lee, H.C.J., Thing, V.L.L., 2004. Port hopping for resilient networks. Proc. IEEE 60th Vehicular Technology Conf., p.3291-3295.

[15]Luo, Y.B., Wang, B.S., Wang, X.F., et al., 2015a. TPAH: a universal and multi-platform deployable port and address hopping mechanism. Proc. Int. Conf. on Information and Communications Technologies, p.214-219.

[16]Luo, Y.B., Wang, B.S., Wang, X.F., et al., 2015b. RPAH: random port and address hopping for thwarting internal and external adversaries. Proc. 14th IEEE Int. Conf. on Trust, Security and Privacy in Computing and Communications, p.263-270.

[17]Luo, Y.B., Wang, B.S., Wang, X.F., et al., 2017. RPAH: a moving target network defense mechanism naturally resists reconnaissances and attacks. IEICE Trans Inform. Syst., E100-D(3):496-510.

[18]Modares, H., Moravejosharieh, A., Lloret, J., et al., 2014. A survey of secure protocols in Mobile IPv6. J. Netw. Comput. Appl., 39:351-368.

[19]Morris, C.C., Burch, L.L., Robinson, D.T., 2012. Techniques for Port Hopping. US Patent 8 301 789.

[20]Rivest, R.L., 1992. The MD5 Message Digest Algorithm. Internet Engineering Task Force, Fremont, USA.

[21]Shi, L.Y., Jia, C.F., Lü, S.W., 2008. Full service hopping for proactive cyber-defense. Proc. IEEE Int. Conf. on Networking, Networking, Sensing and Control, p.1337-1342.

[22]Sifalakis, M., Schmid, S., Hutchison, D., 2005. Network address hopping: a mechanism to enhance data protection for packet communications. Proc. IEEE Int. Conf. on Communications, p.1518-1523.