摘要: |
传统的防御技术存在静态和被动的特性,即系统以及安全机制在一段时间内相对固定,攻击方可持续对一个固定的目标进行研究和尝试,总能找到弱点进行攻击。为了提高安全防御的主动性,国际上启动了若干力图“改变游戏规则”的研究计划,MTD(moving target defense)以及拟态防御是新兴的主动防御思路的代表。然而,要达到主动防御的目的,除了需要在关键环节采用相关的单点技术外,还需要一种框架,使各层主动防御机制能够有机地协同,形成一个总体可变可控的主动防御体系,并且使得不具备内生性主动防御机制的传统信息系统也能在这种框架上运行,并得益于主动防御机制所带来的防御能力提升。本论文提出了一种可以有效整合不同层面的主流主动防御技术和机制,并兼容传统应用的框架:自蜕变主动防御网络框架,该框架可实现内生与外加式主动防御技术的有机整合,多层次、多粒度主动防御技术的整合,兼容传统的不具备内生性主动防御特性的应用,并可为将来形成新一代内生性主动防御网络体系架构提供借鉴。 |
关键词: 主动防御 拟态防御 移动目标防御 虚拟化 虚拟网络 |
DOI:10.19363/j.cnki.cn10-1380/tn.2016.04.002 |
投稿时间:2016-09-16修订日期:2016-10-13 |
基金项目: |
|
A Self-transforming Proactive Defense Network Framework based on “carrier” |
WU Chengrong,YAN Ming,Jin Haolin,LIU Wei,ZHANG Shiyong,ZENG Jianping |
School of Computer Science, Fudan University, Shanghai 200433, China |
Abstract: |
Traditional information security defense techniques have the feature of static and passive. Systems and security mechanisms are relatively fixed in a period of time. So attackers can continuously study the static target, and try to find the vulnerability of it. In order to improve the proactivity of security defense, some research programs that tried to "change the rules of the game" had been initialized throughout the world. MTD (moving target defense) and the Mimic-Defense are the emerging ideas of proactive defense. However, to achieve the purpose of proactive defense, in addition to the separate uses of techniques on key points, we also need a framework. Deferent defense mechanisms can be effectively cooperate in the framework to form a general "moving" and controlled proactive defense system. Traditional information system which does not have the build-in proactive defense mechanism can also run in this framework, and be benefited from the proactive defense mechanism to enhance the ability of defense. This paper presents a kind of framework that can effectively integrate different levels of proactive defense techniques and mechanisms, and is compatible with the traditional applications. We call it self-transforming proactive defense network framework. This framework can archive the integration of build-in with bolt-on proactive defense techniques, the integration of multi-level and multi-granularity proactive defense techniques. It is compatible with traditional applications which do not have the build-in proactive defense mechanism, and provides ideas.to form a new generation of build-in proactive defense network architecture in the future. |
Key words: proactive defense mimic defense moving target defense virtualization virtual network |