基于区块链的网络级移动目标防御系统设计

摘要/Abstract

摘要： 网络级移动目标防御技术是应对诸如泛洪攻击等攻击手段的有效方式。但现有网络级移动目标防御系统多采用单一静态中央控制器，这种集中式的管理架构易带来单点故障以及数据不可信等风险。针对上述问题，本文提出一种基于区块链的网络级移动目标防御方案，通过PoW共识机制实现中央控制器的动态切换，解决集中式中央控制器带来的单点故障问题并提高其健壮性。此外，基于区块链所构建的分布式可信网络环境，在动态中央控制器中引入负载均衡与容灾备份机制，使得网络级移动目标防御系统具有良好的高并发服务请求能力以及遭遇致命网络攻击后的服务快速恢复能力。本文设计并实现了基于区块链的网络级移动目标防御原型系统并进行充分的性能测试实验。实验结果表明系统具有良好的可用性和鲁棒性。

关键词: 移动目标防御, 区块链, 去中心化, 负载均衡, 容灾备份

Abstract: The network-level moving target defense is an effective approach to deal with the cyber attacks, like flooding attack. However, the existing network-level moving target defense systems mostly adopt the static central controller. This kind of centralized management architecture is prone to risks such as single point of failure or untrusted data. To address the above problems, this paper proposes a scheme of network-level moving target defense system based on blockchain, which realizes dynamically switching the central controller through the PoW consensus mechanism and overcomes the single point of failure of it and improves its robustness. In addition, based on the distributed trusted network environment constructed by blockchain, this paper establishes load balancing mechanism and disaster-tolerant backup mechanism for the dynamic central controller, making the system have good performance in dealing with the high concurrent service requests and recovering quickly from paralysis. Finally, this paper designs and implements the prototype system of network-level moving target defense system based on blockchain. The test results show that the designed system has good availability and robustness.

Key words: moving target defense, blockchain, decentralization, load balancing, disaster-tolerant backup

段鹏飞, 兰茹. 基于区块链的网络级移动目标防御系统设计[J]. 计算机与现代化, 2021, 0(08): 121-126.

DUAN Peng-fei, LAN Ru. Design of Network-level Moving Target Defense System Based on Blockchain[J]. Computer and Modernization, 2021, 0(08): 121-126.

参考文献

［1］ WANG J, WEN R, LI J Q, et al. Detecting and mitigating target link-flooding attacks using SDN［J］. IEEE Transactions on Dependable and Secure Computing, 2019,16(6):944-956.
［2］ HONG J B, ENOCH S Y, KIM D S, et al. Dynamic security metrics for measuring the effectiveness of moving target defense techniques［J］. Computers & Security, 2018,79:33-52.
［3］ STEINBERGER J, KUHNERT B, DIETZ C, et al. DDoS defense using MTD and SDN［C］// IEEE/IFIP Network Operations and Management Symposium. 2018:1-9.
［4］邬江兴. 网络空间拟态防御研究［J］. 信息安全学报, 2017,1(4):1-10.
［5］斯雪明,王伟,曾俊杰,等. 拟态防御基础理论研究综述［J］. 中国工程科学, 2016,18(6):62-68.
［6］石乐义,贾春福,吕述望. 基于端信息跳变的主动网络防护研究［J］. 通信学报, 2008,29(2):106-110.
［7］石乐义,郭宏彬,温晓,等．端信息跳扩混合的主动网络防御技术研究［J］．通信学报, 2019,40(5):125-135.
［8］ DUNLOP M, GROAT S, URBANSKI W, et al. MT6D: A moving target IPv6 defense［C］// Military Communications Conference. 2011:1321-1326.
［9］ BELYAEV M, GAIVORONSKI S. Towards load balancing in SDN networks during DDoS-attacks［C］// IEEE International Science and Technology Conference (Modern Networking Technologies). 2014:1-6.
［10］黄俊飞,刘杰. 区块链技术研究综述［J］. 北京邮电大学学报, 2018,41(2):1-8.〖HJ1.18mm〗
［11］LUO Y B, WANG B S, WANG X F, et al. RPAH: Random port and address hopping for thwarting internal and external adversaries［C］// Proceedings of the 2015 IEEE Trustcom/BigDataSE/ISPA. 2015,1:263-270.
［12］刘江,张红旗,代向东,等. 基于端信息自适应跳变的主动网络防御模型［J］. 电子与信息学报, 2015,37(11):2642-2649.
［13］KAMPANAKIS P, PERROS H, BEYENE T. SDN-based solutions for moving target defense network protection［C］// 2014 IEEE 15th International Symposium on "A World of Wireless, Mobile and Multimedia Networks" (WoWMoM). 2014:1-6.
［14］刘敖迪,杜学绘,王娜,等. 区块链技术及其在信息安全领域的研究进展［J］. 软件学报, 2018,29(7):2092-2115.
［15］CHEN P W, JIANG B S, WANG C H. Blockchain-based payment collection supervision system using pervasive bitcoin digital wallet［C］// 2017 IEEE 13th International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob). 2017:139-146.
［16］WANG H M,ZHENG Z B, XIE S A, et al. Blockchain challenges and opportunities: A survey ［J］. International Journal of Web and Grid Services, 2018,14(4):352-375.
［17］JEON J H, KIM K H, KIM J H. Blockchain-based data security enhanced IoT server platform［C］// 2018 International Conference on Information Networking (ICOIN). 2018:941-944.
［18］祝烈煌,高峰,沈蒙,等. 区块链隐私保护研究综述［J］. 计算机研究与发展, 2017,54(10):2170-2186.
［19］FROMKNECHT C, VELICANU D. A Decentralized Public Key Infrastructure with Identity Retention［R］. Massachusetts Institute of Technology, 2014.
［20］MAGDY Y, KASHKOUSH M S, AZAB M, et al. Anonymous blockchain based routing for moving-target defense across federated clouds［C］// 2020 IEEE 21st International Conference on High Performance Switching and Routing (HPSR). 2020:1-7.
［21］SHARPLES M, DOMINGUE J. The blockchain and Kudos: A distributed system for educational record, reputation and reward［C］// 2016 LNCS. 2016:490-496.
［22］ROUHANI S, DETERS R. Performance analysis of ethereum transactions in private blockchain［C］// 2017 8th IEEE International Conference on Software Engineering and Service Science (ICSESS). 2017:70-74.

[1]	李俊晓1, 张小琳1, 石静2. 基于区块链增强的车辆边缘计算网络安全数据存储和共享[J]. 计算机与现代化, 2024, 0(07): 69-75.
[2]	朱克1, 玄佳兴2, 薛文昊2. 一种基于聚合与关联智能合约的电子证照访问控制方法[J]. 计算机与现代化, 2024, 0(06): 103-108.
[3]	冯冼1, 2, 方昆1, 屈右铭1, 刘晓波1, 施佳驰1, 文立恒1. 气象服务中台关键技术研究与应用[J]. 计算机与现代化, 2024, 0(05): 69-74.
[4]	柴荔, 王萧, 龚嘉豪, 汪洋, 吉顺慧, 张鹏程. 面向供应链的共识算法研究综述[J]. 计算机与现代化, 2023, 0(11): 22-27.
[5]	王重阳, 庄毅. 基于SDN和改进CSA算法的多作业集群的负载均衡算法[J]. 计算机与现代化, 2023, 0(11): 28-35.
[6]	杨波, 徐胜超. 基于SRv6服务链的云网专线场景安全防护方法[J]. 计算机与现代化, 2023, 0(08): 107-111.
[7]	吕志星, 于晖, 康凯, 李腾昌, 杜国利. 基于节点特征模型的电力区块链竞价交易机制[J]. 计算机与现代化, 2023, 0(08): 112-118.
[8]	钟林峰, 李彦锋, 张桂鹏, 刘文印. 基于区块链的去中心化网络购物数据共享方案[J]. 计算机与现代化, 2023, 0(07): 61-68.
[9]	查凯金, 王志波, 何月顺, 徐洪珍. 区块链安全保护研究综述[J]. 计算机与现代化, 2023, 0(06): 110-117.
[10]	姜宇航, 张新有. 基于以太坊的医疗健康数据共享系统[J]. 计算机与现代化, 2023, 0(02): 110-115.
[11]	冯云霞, 陈泓达, 牛云鹤. 基于中继的联盟链跨链通信系统[J]. 计算机与现代化, 2023, 0(02): 121-126.
[12]	袁嘉立, 刘梦赤. 面向信息网模型的动态数据划分算法[J]. 计算机与现代化, 2022, 0(10): 100-105.
[13]	张斌, 李大鹏, 蒋锐, 王小明. 面向区块链溯源的链下扩展存储方案[J]. 计算机与现代化, 2022, 0(10): 106-112.
[14]	倪雅婷, 杨文晖, 苗放, 黄安琪, 蒋媛. 基于Nginx的DRC集群动态负载均衡策略[J]. 计算机与现代化, 2022, 0(04): 58-64.
[15]	张天喜, 王利朋, 周春天, 杨艳艳, 李晓冲. 物联网中基于区块链的密态内容审计方案[J]. 计算机与现代化, 2022, 0(03): 30-36.