 |
|
|
|
以作者查詢圖書館館藏 、以作者查詢臺灣博碩士 、以作者查詢全國書目 、勘誤回報 、線上人數:157 、訪客IP:18.191.132.194
姓名 黃聖閎(Sheng-Hung Huang) 查詢紙本館藏 畢業系所 資訊工程學系 論文名稱 基於P4交換機之移動目標防禦網路
(P4 Switch-Based Solution for Moving Target Defense Networks)相關論文 檔案 [Endnote RIS 格式]
[相關文章]
[文章引用]
[完整記錄]
[館藏目錄]
至系統瀏覽論文 ( 永不開放)
摘要(中) 近年來,新型的網路架構以及防禦思維興起,其中軟體定義網路(SDN)的技術被提出,將其網路交換機中控制層與資料層分離,將其控制層從交換機硬體中移除後透過軟體集中管理化。隨者其技術的成熟,Programming protocol-independent packet processors(P4)被提出,使其資料層之傳輸也可透過軟體被定義實作,達到意義上真正的軟體定義網路。另一方面,為了解決現今網路架構設定之天生缺陷,移動目標防禦概念(Moving Target Defense)被提出。透過不斷的變化防禦目標資訊,來達到混淆攻擊者且切換其攻擊層面為其主要核心概念。本論文致力於研究將SDN/P4網路結合其移動目標防禦概念進行相關之攻擊進行防禦,透過P4其網路較能彈性變化之特性實作移動目標防禦機制。
本論文所提出的P4MTD是一致力於資料獨立的防禦機制,透過給予使用者之伺服器virtual IP address進行分群,以將其偵測者從多方使用者中偵測出來。為了有效的降低在軟體定義網路下CDPI(Control-Data-Plane-Interface)之overhead,其運用P4下protocol-independency特性撰寫特殊之表頭以利在資料層能夠有效的將其使用者封包進行導向至不同伺服器而不需再透過中央控制器進行控管。此外,透過在軟體定義網路中可彈性變化在網路中傳輸之virtual IP address來進行移動目標防禦機制,此機制能夠有效的將其攻擊者之攻擊導向至黑洞來保護主機伺服器。本論文也透過熵(Entropy)針對DDoS(Distributed Denial of Service)攻擊進行偵測,其DDoS防禦上最難以偵測之特性為攻擊來源來自不同裝置,需對其攻擊者從使用者中獨立出來,在本論文中透過移動目標防禦機制進行防禦,故不需在攻擊者與使用者的行為屬性中進行辨認就能達到有效防禦的功能。摘要(英) In recent years, novel network architectures and defensive thinking have arisen. Software-defined network (SDN) technology is proposed to decouple the control plane from network devices and implements it in software instead. With the evolution of technology, Programming protocol-independent packet processors(P4) have been proposed, which ensures the data plane can also be defined by software to achieve a true software-defined network. On the other hand, in order to solve the inherent defects of the current network architecture settings, the Moving Target Defense was proposed. The main concept of MTD is that confusing the attacker through the constant change of defense target information. We study the SDN/P4 network in combination with moving target defense concept for defending related attacks.
We present P4MTD, a data-independent defense mechanism, it is grouped by the server’s virtual IP address to detect insiders from multiple users. In order to effectively reduce the overhead of CDPI (Control-Data-Plane-Interface) in the software-defined network, it uses the protocol-independency feature of P4 to write a special header to effectively redirect the packets to different servers without communication of control plane. Besides, the moving target defense mechanism is implemented by dynamically changing the virtual IP address, which can effectively redirect the attacker’s packet to the black holes to protect the target server. We also uses Entropy to detect DDoS(Distributed Denial of Service) attacks. The most difficult feature to detect on DDoS is that the source of attackers come from different devices, and it needs to be distinguish attacker from users. In this paper, the mechanism is implemented by the moving target defense mechanism, so that it is possible to achieve an effective DDoS defense without being identified the behavior attributes of the attacker and the user.
Keyword: Software-defined Networking; Programming protocol-independent packet processors; Moving Target Defense; Distributed Denial of Service; Entropy關鍵字(中) ★ 軟體定義網路
★ Programming protocol-independent packet processors
★ 分散式阻斷服務攻擊
★ 移動目標防禦
★ Entropy關鍵字(英) ★ Software-defined Networking
★ Programming protocol-independent packet processors
★ Moving Target Defense
★ Distributed Denial of Service
★ Entropy論文目次 目錄
第一章 緒論 1
1.1 概要 1
1.2 研究動機 2
1.3 研究目的 3
1.4 論文架構 4
第二章 背景知識與相關研究 5
2.1 軟體定義網路 5
2.2 P4: Programming Protocol-Independent Packet Processors 7
2.3 移動目標防禦網路 12
2.4 分散式阻斷服務攻擊 18
2.5 相關研究之比較 20
第三章 研究方法 23
3.1 系統架構與設計 23
3.1.1 MTD Module 25
3.1.2 MTD Header management 26
3.1.3 Server IP management 27
3.1.4 Forward IP rule module 27
3.1.5 DDoS attack notification 28
3.1.6 Host information management 28
3.1.7 Server Forward rule production 29
3.1.8 Attack detection module 29
3.1.9 P4 Configuration 31
3.2 系統運作流程與機制 32
3.2.1 系統假設與定義 33
3.2.2 資料符號表 34
3.2.3 P4MTD運作流程 36
3.2.4 Entropy 偵測機制運作流程 45
3.3 系統實作 47
第四章 實驗與討論 50
4.1 情境一:MTD 繞送以及DNS Server測試 50
4.1.1 實驗一:基於P4MTD機制之DNS Server功能驗證 51
4.1.2 實驗二:P4MTD機制導向功能驗證 52
4.2 情境二: DDoS Detection討論 54
4.2.1 實驗三:Entropy analysis機制之探討 54
4.2.2 實驗四:Flooding detection 56
4.3 情境三:DDoS Mitigation討論 58
4.3.1 實驗五 Moving Target Defense mitigation 58
4.3.2 實驗六 Insider Detection 61
4.4 連線評估之分析與討論 63
4.4.1 實驗七 Round Trip Time in P4 environment 63
4.4.2 實驗八 Number of entries in P4 environment 64
4.4.3 實驗九 CDPI reduction 65
第五章 結論與未來研究方向 67
5.1 結論 67
5.2 研究限制 68
5.3 未來方向 68
參考文獻 71
圖目錄
圖 1 SOFTWARE-DEFINED NETWORK 架構圖 7
圖 2 FIELDS RECONGNIZED BY THE OPENFLOW STANDARD 8
圖 3 RELATIONSHIP BETWEEN P4 AND OPENFLOW 9
圖 4 P4 ABSTRACT FORWARDING 模組 10
圖 5 ATTACK CYCLE示意圖 15
圖 6 PROXY-BASED MTD 示意圖 16
圖 7 PROXY HARVESTING ATTACK示意圖 17
圖 8 系統模組架構圖 23
圖 9 IP SELECTION MODULE 示意圖 25
圖 10 IP ADDRESS POOL 示意圖 26
圖 11 MTD HEADER 示意圖 26
圖 12 MTD HEADER FRAME FORMAT 27
圖 13 SHANNON ENTROPY 公式 30
圖 14系統使用者存取服務流程圖 37
圖 15 INSIDER攻擊示意圖 39
圖 16 系統移動示意圖 40
圖 17攻擊示意圖 42
圖 18 P4 SWITCH PARSER示意圖 43
圖 19 INGRESS FUNCTION 示意圖 44
圖 20 EGRESS FUNCTION 示意圖 45
圖 21 系統實作圖 48
圖 22 P4驗證環境拓樸圖 50
圖 23 使用者DNS設定圖 51
圖 24 HOST 2 VIRTUAL IP ADDRESS 驗證圖 52
圖 25 HOST 3 VIRTUAL IP ADDRESS 驗證圖 52
圖 26 P4導向封包示意圖 53
圖 27 INGRESS SWITCH LOG 圖 53
圖 28 FORWARD SWITCH LOG 圖 54
圖 29 EGRESS SWITCH LOG圖 54
圖 30 TCP AVERAGE ENTROPY 比較圖 55
圖 31 UDP AVERAGE ENTROPY 比較圖 56
圖 32 TCP SYN FLOODING AVERAGE ENTROPY比較圖 57
圖 33 UDP FLOODING AVERAGE ENTROPY比較圖 58
圖 34 TCP SYN 流量偵測圖 59
圖 35 UDP FLOODING 流量偵測圖 60
圖 36 INSIDER DETECTION WORST-CASE 62
圖 37 INSIDER DETECTION AVERAGE CASE 63
圖 38 SDN/P4 ENVIRONMENT 比較圖 64
圖 39 ENTRY數量比較圖 65
圖 40 CONTROL DATA PLANE INTERFACE OVERHEAD 66
?
表目錄
表 1相關研究比較表 22
表 2 P4MTD機制輸入參數符號表 34
表 3 ENTROPY DETECTION 機制輸入參數符號表 35
表 4伺服器硬體規格表 49
參考文獻 [ 1 ] McKeown, Nick. "Software-defined networking." INFOCOM keynote talk 17.2 (2009) 30-32.
[ 2 ] Zhuang, Rui, Scott A. DeLoach, and Xinming Ou. "Towards a theory of moving target defense." Proceedings of the First ACM Workshop on Moving Target Defense. ACM, 2014.
[ 3 ] Wikipedia, "P4"
Available: https://en.wikipedia.org/wiki/P4_(programming_language)
[ 4 ] Venkatesan, Sridhar, et al. "A moving target defense approach to mitigate DDoS attacks against proxy-based architectures." Communications and Network Security (CNS), 2016 IEEE Conference on. IEEE, 2016.
[5] IETF, "The Internet Engineering Task Force (IETFR)", 2018. [Online]. Aailable:https://www.ietf.org/.[Accessed: 19- Jul- 2018]
[ 6 ] Wikipedia, "OpenFlow protocol"
Available: https://en.wikipedia.org/wiki/OpenFlow
[7] The P4 Language Consortium, " Programming Protocol-independent Packet Processors"
Available : https://p4.org
[8] Bosshart, Pat, et al. "P4: Programming protocol-independent packet processors." ACM SIGCOMM Computer Communication Review 44.3 (2014): 87-95.
[ 9 ] The P4 Language Consortium, " P416 Language Specification"
Available : https://p4.org/p4-spec/docs/P4-16-v1.0.0-spec.pdf
[ 10 ]E. Kohler, R. Morris, B. Chen, J. Jannotti, and M. F.Kaashoek, The Click modular router," ACM Transactions on Computer Systems, vol. 18, pp. 263{297, Aug. 2000.
[ 11 ] Zhuang, Rui, et al. "Investigating the application of moving target defenses to network security." Resilient Control Systems (ISRCS), 2013 6th International Symposium on. IEEE, 2013.
[ 12 ]Cai, Guilin, et al. "Characterizing the running patterns of moving target defense mechanisms." Advanced Communication Technology (ICACT), 2016 18th International Conference on. IEEE, 2016.
[ 13 ] Jackson, Todd, et al. "Compiler-generated software diversity." Moving Target Defense. Springer, New York, NY, 2011. 77-98.
[ 14 ] M. Christodorescu, M. Fredrikson, S. Jha and J. Giffin, "End-to-End Software Diversification of Internet Services", Moving Target Defense: Creating Asymmetric Uncertainty for Cyber Threats, pp.117-130, New York: Springer, 2011
[ 15 ] H. Okhravi, T. Hobson, D. Bigelow and W. Streilein, "Finding Focus in the Blur of Moving-Target Techniques", IEEE Security & Privacy, vol.12, no.2, pp.16-26. 2014
[ 16 ] H. Okhravi, A. Comella, E. Robinson and J. Haines, "Creating a cyber moving target for critical infrastructure applications using platform diversity", International Journal of Critical Infrastructure Protection, vol.5, no.1, pp.30-39. 2012.
[ 17 ] A. K. Bangalore and A. K. Sood, "Securing Web Servers Using Self Cleansing Intrusion Tolerance (SCIT)", in Proc of DEPEND ′09, 2009, pp.60-65.
[ 18 ] Y. Huang and A. Ghosh, "Introducing Diversity and Uncertainty to Create Moving Attack Surfaces for Web Services", Moving Target Defense: Creating Asymmetric Uncertainty for Cyber Threats, pp.131- 151, New York: Springer, 2011.
[ 19 ] Jafarian, Jafar Haadi, Ehab Al-Shaer, and Qi Duan. "Openflow random host mutation: transparent moving target defense using software defined networking." Proceedings of the first workshop on Hot topics in software defined networks. ACM, 2012.
[ 20 ] Al-Shaer, Ehab. "Toward network configuration randomization for moving target defense." Moving Target Defense. Springer, New York, NY, 2011. 153-159.
[ 21 ] David, Jisa, and Ciza Thomas. "DDoS attack detection using fast entropy approach on flow-based network traffic." Procedia Computer Science 50 (2015): 30-36.
[ 22 ] p4lang, "behavioral-model."
Available: https://github.com/p4lang/behavioral-model
[ 23 ] P4. Available: https://github.com/p4lang
[ 24 ] Wikipedia, Entropy.
Available: https://en.wikipedia.org/wiki/Entropy_(information_theory)
[ 25 ] nanomsg. Available: https://nanomsg.org
[ 26 ] Wikipedia, EtherType.
Available: https://en.wikipedia.org/wiki/EtherType
[ 27 ] Mininet. Available: http://mininet.org/
[ 28 ] p4lang, p4runtime library. Available: https://github.com/p4lang/PI
[ 29 ] grpc. Available: https://grpc.io grpc
[ 30 ] protobuf. Available: https://github.com/google/protobuf
[ 31 ] Python DNS library. Available: https://github.com/andreif/dnslib
[ 32 ] hping3. Available: http://hping.org hping3
[ 33 ] iperf. Available: https://iperf.fr iperf3
[ 34 ] Zhao, Zheng, et al. "An SDN-based IP hopping communication scheme against scanning attack." Communication Software and Networks (ICCSN), 2017 IEEE 9th International Conference on. IEEE, 2017.
[ 35 ] 黃柏勝, "基於SDN、NFV與移動目標防禦之分散式阻斷服務攻擊防禦機制," 碩士, 資訊工程學系, 國立中央大學, 桃園縣, 2017指導教授 周立德(Li-Der Chou) 審核日期 2018-8-22 推文 plurk
funp
live
udn
HD
myshare
netvibes
friend
youpush
delicious
baidu
網路書籤 Google bookmarks
del.icio.us
hemidemi
facebook
twitter
google
reddit