摘要
软件定义网络(SDN)通过分离数据与控制平台为网络提供高度开放性和可编程性。针对已有工作中SDN主动防御框架缺乏考虑网络瓶颈的问题,提出了基于SDN的分布式欺骗防御系统DDS。首先,使用多层划分算法根据物理网络的设备属性将其划分为不同区域。在此基础上为每个区域设计不同欺骗拓扑和针对攻击方侦查行为的欺骗策略,在攻击方已经成功入侵网络,但潜伏的主机位置不明的假设下,系统内的各个区域按照相应欺骗拓扑和策略执行欺骗任务。实验表明该系统能够有效干扰侦查行为,为防御方争取时间,而且区域划分将节点数量为10 000个的网络划分成3个区域时仅需11.9 ms。
By separating the control plane from the data plane,Software-Defined Network(SDN)empowers the network operators with more flexibility to program their network.However,the existing SDN active defense solutions lacks the consideration of network bottlenecks.A distributed deceptive defense system based on SDN(DDS)was developed to solve the problem.The multilevel graph partitioning scheme was introduced to divide the network into different regions according to its device properties.The deception topologies and policies for each region to thwart network reconnaissance were designed,which base on the assumption that the attacker has successfully invade the network hosts with its location unknown.The results of test show that DDS is able to interfere with the adversarial reconnaissance effectively and buy more time for defenders,while topology division only takes11.9ms when dividing a network with10000nodes.
作者
徐明迪
高杨
崔峰
XU Mingdi;GAO Yang;CUI Feng(Wuhan Digital Engineering Institute, Wuhan 430205, China)
出处
《通信学报》
EI
CSCD
北大核心
2018年第A02期54-60,共7页
Journal on Communications
