【打印本页】      【下载PDF全文】   View/Add Comment  Download reader   Close
←前一篇|后一篇→ 过刊浏览    高级检索
本文已被:浏览 8390次   下载 8110 本文二维码信息
码上扫一扫!
基于动态异构冗余机制的路由器拟态防御体系结构
马海龙,伊鹏,江逸茗,贺磊
分享到: 微信 更多
(解放军信息工程大学信息技术研究所 郑州 中国 450000)
摘要:
路由器作为网络空间的基础核心要素,其安全性能对网络安全具有决定性意义。但由于它的封闭性、专用性和复杂性,导致其存在的漏洞更多,后门隐藏更深。目前对路由器的安全防御手段均为被动式“补漏洞、堵后门”的“亡羊补牢”式的防御,不仅防御滞后更无法应对未知的安全威胁。本文基于拟态防御技术,在路由器体系架构上引入异构冗余功能执行体,通过动态调度机制,随机选择多个异构执行体工作,在相同外部激励的情况下,通过比对多个异构功能执行体的输出结果,对功能执行体进行异常检测,实现路由系统的主动防御。实验结果表明,该架构可以明显提升攻击链中每一步攻击的实施难度,增加攻击成本,并能抵御基于未知漏洞与后门的攻击。
关键词:  拟态防御  动态  异构  冗余  路由器
DOI:10.19363/j.cnki.cn10-1380/tn.2017.01.003
Received:September 12, 2016Revised:October 09, 2016
基金项目:本课题得到国家重点研发计划(2016YFB0800103)资助。
Dynamic Heterogeneous Redundancy based Router Architecture with Mimic Defenses
MA Hailong,YI Peng,JIANG Yiming,HE Lei
Institute of Information Technology, PLA Information Engineering University, Zhengzhou 450000, China
Abstract:
As a fundamental core element of cyberspace, the security performance of router plays a decisive significance in network security. However, the closeness, specificity and complexity of router lead to more loopholes and make backdoors hidden deeper. Currently, defense means of router are passive, which is "mend the fold after the sheep have been stolen"-like. Such defense means is not only hysteretic but also helpless against unknown security threats. Based on mimicry defense technology, heterogeneous redundancy function entities are introduces to the architecture of router. With dynamic scheduling mechanism, multiple heterogeneous execution entities are randomly selected to work. Under the same external motivations, by comparing the output of heterogeneous executing entities and conducting anomaly detection on heterogeneous executing entities, the routing system could perform active defense. Experimental results show that this architecture can significantly increase the attack difficulty in every step of the attack chain, increase the cost of attacks, and can withstand attacks based on unknown vulnerabilities and backdoors.
Key words:  Mimic defense  Dynamic  Heterogeneous  Redundancy  Router