摘要: |
路由器作为网络空间的基础核心要素,其安全性能对网络安全具有决定性意义。但由于它的封闭性、专用性和复杂性,导致其存在的漏洞更多,后门隐藏更深。目前对路由器的安全防御手段均为被动式“补漏洞、堵后门”的“亡羊补牢”式的防御,不仅防御滞后更无法应对未知的安全威胁。本文基于拟态防御技术,在路由器体系架构上引入异构冗余功能执行体,通过动态调度机制,随机选择多个异构执行体工作,在相同外部激励的情况下,通过比对多个异构功能执行体的输出结果,对功能执行体进行异常检测,实现路由系统的主动防御。实验结果表明,该架构可以明显提升攻击链中每一步攻击的实施难度,增加攻击成本,并能抵御基于未知漏洞与后门的攻击。 |
关键词: 拟态防御 动态 异构 冗余 路由器 |
DOI:10.19363/j.cnki.cn10-1380/tn.2017.01.003 |
Received:September 12, 2016Revised:October 09, 2016 |
基金项目:本课题得到国家重点研发计划(2016YFB0800103)资助。 |
|
Dynamic Heterogeneous Redundancy based Router Architecture with Mimic Defenses |
MA Hailong,YI Peng,JIANG Yiming,HE Lei |
Institute of Information Technology, PLA Information Engineering University, Zhengzhou 450000, China |
Abstract: |
As a fundamental core element of cyberspace, the security performance of router plays a decisive significance in network security. However, the closeness, specificity and complexity of router lead to more loopholes and make backdoors hidden deeper. Currently, defense means of router are passive, which is "mend the fold after the sheep have been stolen"-like. Such defense means is not only hysteretic but also helpless against unknown security threats. Based on mimicry defense technology, heterogeneous redundancy function entities are introduces to the architecture of router. With dynamic scheduling mechanism, multiple heterogeneous execution entities are randomly selected to work. Under the same external motivations, by comparing the output of heterogeneous executing entities and conducting anomaly detection on heterogeneous executing entities, the routing system could perform active defense. Experimental results show that this architecture can significantly increase the attack difficulty in every step of the attack chain, increase the cost of attacks, and can withstand attacks based on unknown vulnerabilities and backdoors. |
Key words: Mimic defense Dynamic Heterogeneous Redundancy Router |