Design and implementation of a novel enterprise network defense system by maneuvering multi-dimensional network properties
| Author: | Hong-chao Hu, Yang Chen, Guo-zhen Cheng |
|---|---|
| Year of publication: | 2019 |
| Subject: | 021110 strategic, defence & security studies; Computer Networks and Communications; business.industry; Computer science; 0211 other engineering and technologies; Bring your own device; Cloud computing; Eavesdropping; 02 engineering and technology; Computer security; computer.software_genre; Network interface controller; Hardware and Architecture; Kill chain; 020204 information systems; Signal Processing; 0202 electrical engineering, electronic engineering, information engineering; Enterprise private network; Electrical and Electronic Engineering; business; Host (network); computer; Block (data storage) |
| Source: | Frontiers of Information Technology & Electronic Engineering. 20:238-252 |
| ISSN: | 2095-9230, 2095-9184 |
| Description: | Although the perimeter security model works well enough when all internal hosts are credible, it is becoming increasingly difficult to enforce as companies adopt mobile and cloud technologies, i.e., the rise of bring your own device (BYOD). It is observed that advanced targeted cyber-attacks usually follow a cyber kill chain; for instance, advanced targeted attacks often rely on network scanning techniques to gather information about potential targets. In response to this attack method, we propose a novel approach, i.e., an "isolating and dynamic" cyber defense, which cuts these potential chains to reduce the cumulative availability of the gathered information. First, we build a zero-trust network environment through network isolation, and then multiple network properties are maneuvered so that the host characteristics and locations needed to identify vulnerabilities cannot be located. Second, we propose a software-defined proactive cyber defense solution (SPD) for enterprise networks and design a general framework to strategically maneuver the IP address, network port, domain name, and path, while limiting the performance impact on the benign network user. Third, we implement our SPD proof-of-concept system over a software-defined network controller (OpenDaylight). Finally, we build an experimental platform to verify the system's ability to prevent scanning, eavesdropping, and denial-of-service attacks. The results suggest that our system can significantly reduce the availability of network reconnaissance scan information, block network eavesdropping, and sharply increase the cost of cyber-attacks. |
| Database: | OpenAIRE |
| External link: | |