Abstract
Although the perimeter security model works well enough when all internal hosts are trustworthy, it is becoming increasingly difficult to enforce as companies adopt mobile and cloud technologies and bring your own device (BYOD) becomes common. Advanced targeted cyber-attacks usually follow a cyber kill chain; for instance, they often rely on network scanning to gather information about potential targets. In response to this attack method, we propose a novel approach, an “isolating and dynamic” cyber defense, which cuts these potential chains by reducing the cumulative availability of the gathered information. First, we build a zero-trust network environment through network isolation, and then maneuver multiple network properties so that the host characteristics and locations needed to identify vulnerabilities cannot be located. Second, we propose a software-defined proactive cyber defense solution (SPD) for enterprise networks and design a general framework that strategically maneuvers the IP address, network port, domain name, and path while limiting the performance impact on benign network users. Third, we implement an SPD proof-of-concept system on a software-defined network controller (OpenDaylight). Finally, we build an experimental platform to verify the system’s ability to prevent scanning, eavesdropping, and denial-of-service attacks. The results suggest that our system can significantly reduce the availability of network reconnaissance scan information, block network eavesdropping, and sharply increase the cost of cyber-attacks.
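The following toy simulation, added here as an illustration and not taken from the paper or its SPD implementation, shows the core idea behind maneuvering IP addresses and ports: real hosts keep fixed internal addresses, an SDN-style translator exposes them on short-lived virtual endpoints, and an authorized name service hands clients the current mapping. The class and function names, the host table, the address pools and the "never reuse last epoch's virtual IP" rule are all assumptions made for this example; it does not talk to OpenDaylight. The point it demonstrates is the one the abstract makes: information gathered during one epoch stops being usable after the next mutation, while benign clients that resolve through the name service are unaffected, and traffic aimed at a retired virtual endpoint is a high-signal event for the defender.

```python
"""Toy model of IP/port maneuvering behind an SDN-style edge translator.

Hypothetical example code for this page; not the paper's SPD system.
"""
import random


class ManeuverController:
    """Holds the real<->virtual mapping and rotates it once per epoch."""

    def __init__(self, real_hosts, vip_pool, port_pool, seed=0):
        # real_hosts: hostname -> (real_ip, real_port); constructed sample data
        self.real_hosts = dict(real_hosts)
        self.vip_pool = list(vip_pool)
        self.port_pool = list(port_pool)
        if len(self.vip_pool) < 2 * len(self.real_hosts):
            raise ValueError("vip pool must hold at least 2x hosts so epochs never overlap")
        self.rng = random.Random(seed)
        self.epoch = 0
        self.v2r = {}          # (vip, vport) -> hostname for the current epoch
        self.retired = set()   # (vip, vport) pairs that were live in earlier epochs
        self.mutate()

    def mutate(self):
        """Assign fresh virtual endpoints; a vIP used last epoch is never reused now."""
        in_use = {vip for vip, _ in self.v2r}
        candidates = [v for v in self.vip_pool if v not in in_use]
        vips = self.rng.sample(candidates, len(self.real_hosts))
        vports = [self.rng.choice(self.port_pool) for _ in self.real_hosts]
        self.retired.update(self.v2r.keys())
        self.v2r = {}
        for name, vip, vport in zip(sorted(self.real_hosts), vips, vports):
            self.v2r[(vip, vport)] = name
        self.epoch += 1

    def resolve(self, hostname):
        """Name service for authorized clients: returns the current virtual endpoint."""
        for endpoint, name in self.v2r.items():
            if name == hostname:
                return endpoint
        raise KeyError(hostname)

    def ingress(self, vip, vport):
        """Edge translation: ('forward', real_endpoint) or ('drop', reason)."""
        name = self.v2r.get((vip, vport))
        if name is not None:
            return ("forward", self.real_hosts[name])
        if (vip, vport) in self.retired:
            # Only stale, previously gathered information points at a retired
            # endpoint, so this is worth alerting on rather than silently dropping.
            return ("drop", "retired-endpoint")
        return ("drop", "unmapped")


def reachable_endpoints(ctrl):
    """Everything an observer could learn about the network during one epoch."""
    return set(ctrl.v2r)


def valid_fraction(snapshot, ctrl):
    """Share of endpoints gathered earlier that still reach a host now."""
    if not snapshot:
        return 0.0
    live = sum(1 for ep in snapshot if ctrl.ingress(*ep)[0] == "forward")
    return live / len(snapshot)


def demo():
    # Constructed sample hosts and pools (hypothetical addresses).
    hosts = {
        "intranet-web": ("10.0.1.10", 443),
        "git": ("10.0.1.20", 22),
        "wiki": ("10.0.1.30", 443),
    }
    vip_pool = [f"172.16.5.{i}" for i in range(1, 255)]
    port_pool = list(range(20000, 60000))
    ctrl = ManeuverController(hosts, vip_pool, port_pool, seed=7)

    snapshot = reachable_endpoints(ctrl)        # gathered during epoch 1
    valid_before = valid_fraction(snapshot, ctrl)  # 1.0 while the epoch lasts
    ctrl.mutate()
    valid_after = valid_fraction(snapshot, ctrl)   # 0.0 once the mapping rotates

    # Authorized client path: resolve, then connect to the current endpoint.
    vip, vport = ctrl.resolve("git")
    client_verdict, client_real = ctrl.ingress(vip, vport)

    # Stale information path: an endpoint from the old snapshot is refused.
    stale = ctrl.ingress(*next(iter(snapshot)))

    return {
        "valid_before": valid_before,
        "valid_after": valid_after,
        "client_verdict": client_verdict,
        "client_real": client_real,
        "stale": stale,
    }


if __name__ == "__main__":
    print(demo())
```

The model only covers the address and port dimensions; path and domain-name maneuvering in the abstract would add further state to the controller but follow the same expire-on-mutation pattern. The "retired-endpoint" drop reason is the detection hook: in a deployed system those events would be exported as alerts, since a benign client that resolves names through the controller never produces them.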
Additional information
Project supported by the Information Engineering University Emerging Direction Cultivation Fund, China (No. 2016610708), the Science and Technology Research Project of Henan, China (No. 172102210615), the National Natural Science Foundation of China (Nos. 61521003 and 61602509), and the National Key Research and Development Program of China (Nos. 2016YFB0800100 and 2016YFB0800101)
Cite this article
Chen, Y., Hu, Hc. & Cheng, Gz. Design and implementation of a novel enterprise network defense system by maneuvering multi-dimensional network properties. Frontiers Inf Technol Electronic Eng 20, 238–252 (2019). https://doi.org/10.1631/FITEE.1800516
DOI: https://doi.org/10.1631/FITEE.1800516