CLC number: TP393
On-line Access: 2019-03-11
Received: 2018-08-30
Revision Accepted: 2018-11-11
Crosschecked: 2019-01-22
Yang Chen, Hong-chao HU, Guo-zhen Cheng. Design and implementation of a novel enterprise network defense system by maneuvering multi-dimensional network properties[J]. Frontiers of Information Technology & Electronic Engineering, 2019, 20(2): 238-252.
@article{title="Design and implementation of a novel enterprise network defense system by maneuvering multi-dimensional network properties",
author="Yang Chen, Hong-chao HU, Guo-zhen Cheng",
journal="Frontiers of Information Technology & Electronic Engineering",
volume="20",
number="2",
pages="238-252",
year="2019",
publisher="Zhejiang University Press & Springer",
doi="10.1631/FITEE.1800516"
}
Abstract: Although the perimeter security model works well enough when all internal hosts are trustworthy, it is becoming increasingly difficult to enforce as companies adopt mobile and cloud technologies, i.e., with the rise of bring your own device (BYOD). Advanced targeted cyber-attacks are observed to follow a cyber kill chain; for instance, they often rely on network scanning to gather information about potential targets. In response, we propose a novel "isolating and dynamic" cyber defense that cuts these potential chains to reduce the cumulative availability of the gathered information. First, we build a zero-trust network environment through network isolation, and then maneuver multiple network properties so that the host characteristics and locations needed to identify vulnerabilities cannot be located. Second, we propose a software-defined proactive cyber defense solution (SPD) for enterprise networks and design a general framework to strategically maneuver the IP address, network port, domain name, and path while limiting the performance impact on benign network users. Third, we implement our SPD proof-of-concept system on a software-defined network controller (OpenDaylight). Finally, we build an experimental platform to verify the system's ability to prevent scanning, eavesdropping, and denial-of-service attacks. The results suggest that our system can significantly reduce the availability of network reconnaissance scan information, block network eavesdropping, and sharply increase the cost of cyber-attacks.
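As an added illustration (not code from the paper or its SPD system), a small Python model of the IP, port and domain-name maneuvering the abstract describes: a controller derives a fresh virtual-endpoint mapping per epoch from a keyed PRF, gateways translate only the current mapping, authorised clients follow it through name resolution, and a scan taken in one epoch loses its value in the next. The hostnames, addresses, pools and key are constructed values.

```python
import hashlib
import hmac
import random
from ipaddress import IPv4Address

# Constructed sample network: hostname -> (real IP, real service port). All values hypothetical.
REAL_HOSTS = {
    "git.corp.example": ("10.0.0.11", 22),
    "wiki.corp.example": ("10.0.0.12", 80),
    "erp.corp.example": ("10.0.0.13", 443),
}
VIP_POOL = [str(IPv4Address("172.16.0.0") + i) for i in range(1, 255)]  # virtual address pool
VPORT_POOL = list(range(20000, 30000))  # virtual port pool
SECRET = b"constructed-demo-key"  # held by the controller only; never visible on the wire

def epoch_mapping(epoch):
    """Controller side: collision-free (rIP, rPort) -> (vIP, vPort) mapping for one epoch.

    Derived from a keyed PRF, so it is unpredictable without SECRET yet reproducible
    by every gateway the controller programs.
    """
    seed = hmac.new(SECRET, str(epoch).encode(), hashlib.sha256).digest()
    rng = random.Random(seed)
    vips = rng.sample(VIP_POOL, len(REAL_HOSTS))
    vports = rng.sample(VPORT_POOL, len(REAL_HOSTS))
    return {real: (vip, vport) for real, vip, vport in zip(REAL_HOSTS.values(), vips, vports)}

def resolve(epoch, hostname):
    """Domain-name dimension: an authorised client learns the current virtual endpoint via DNS."""
    return epoch_mapping(epoch)[REAL_HOSTS[hostname]]

def translate_inbound(epoch, vip, vport):
    """Gateway side: rewrite a virtual destination to the real host, or drop it (None) if stale."""
    reverse = {virt: real for real, virt in epoch_mapping(epoch).items()}
    return reverse.get((vip, vport))

def scan_snapshot(epoch):
    """What a reconnaissance scan observes during `epoch`: virtual endpoints only."""
    return set(epoch_mapping(epoch).values())

def availability(snapshot, epoch):
    """Fraction of a recorded scan snapshot that still reaches a real host in `epoch`."""
    live = sum(translate_inbound(epoch, vip, vport) is not None for vip, vport in snapshot)
    return live / len(snapshot)
```

Running `availability(scan_snapshot(1), e)` for successive epochs shows the recorded scan decaying from 1.0 to (almost always) 0.0 once the mapping rotates, which is the "cumulative availability" effect the abstract measures.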