TopoObfu:一种对抗网络侦察的网络拓扑混淆机制  被引量：2

作　　者：刘亚群 邢长友 高雅卓 张国敏 LIU Ya-qun;XING Chang-you;GAO Ya-zhuo;ZHANG Guo-min(College of Command and Control Engineering,Army Engineering University of PLA,Nanjing 210007,China)

机构地区：[1]陆军工程大学指挥控制工程学院,南京210007

出　　处：《计算机科学》2021年第10期278-285,共8页Computer Science

摘　　要：链路洪泛等典型网络攻击需要在拓扑侦察的基础上针对网络中的关键链路开展攻击行为,具有较强的破坏性和隐蔽性。为了有效抵御这类攻击,提出了一种对抗网络侦察的拓扑混淆机制TopoObfu。TopoObfu能够根据网络拓扑混淆的需求,在真实网络中添加虚拟链路,并通过修改探测分组的转发规则使攻击者获得虚假的拓扑探测结果,隐藏网络中的关键链路。为了便于实现,TopoObfu将虚假拓扑映射为SDN交换机的分组处理流表项,并支持在仅部分节点为SDN交换机的混合网络中部署。基于几种典型真实网络拓扑的仿真分析结果表明,TopoObfu能够从链路重要性、网络结构熵、路径相似度等方面有效提升攻击者进行关键链路分析的难度,并在SDN交换机流表数量、混淆拓扑生成时间等方面具有较高的实现效率,可以减小关键链路被攻击的概率。Some typical network attacks,such as link-flooding attack,need to be carried out on critical links based on topology reconnaissance,which has strong destructiveness and stealthiness.In order to defense these attacks effectively,TopoObfu,a topology obfuscation mechanism against network reconnaissance,is proposed.TopoObfu can add virtual links to the real network according to the requirements of network topology obfuscation,and provide attacker with fake topology by modifying the forwar-ding rules of probing packets,and hide critical links in the network.To facilitate the implementation,TopoObfu maps the fake topology to the flow table entries used by SDN switches for packet processing,and can be deployed in the hybrid network where only part of the nodes are SDN switches.The simulation analysis based on several typical real network topologies shows that TopoObfu can effectively improve the difficulty of critical links analysis launched by attackers in terms of link importance,network structure entropy,path similarity and so on,and has high implementation efficiency in terms of the number of flow table entries in SDN switches,the generated time of fake topology,and can reduce the probability of critical links being attacked.

关 键 词：拓扑混淆 链路洪泛攻击 网络侦察 关键链路 

分 类 号：TP393[自动化与计算机技术—计算机应用技术]