Abstract
Cyber security is dynamic, as defenders often need to adapt their defense postures. In the current state of the art, the adaptation of network defense is done manually, which is tedious and error-prone. The ideal solution is to automate adaptive network defense, but this is a difficult problem. As a first step towards automation, we propose investigating how to attain semi-automated adaptive network defense (SAND). Our approach extends the architecture of software-defined networking and is centered on providing defenders with the capability to program the generation and deployment of dynamic defense rules enforced by network defense tools. We present the design and implementation of SAND, as well as an evaluation of the prototype implementation. Experimental results show that SAND can achieve agile and effective dynamic adaptation of defense rules (less than 15 ms on average for each operation), while incurring only a small performance overhead.
Acknowledgements
This work was supported by Key Program of National Science Foundation of China (Grant No. U1936211), Shenzhen Fundamental Research Program (Grant No. JCYJ20170413114215614), and Key-Area Research and Development Program of Guangdong Province (Grant No. 2019B010139001).
Cite this article
Chen, H., Zou, D., Jin, H. et al. SAND: semi-automated adaptive network defense via programmable rule generation and deployment. Sci. China Inf. Sci. 65, 172102 (2022). https://doi.org/10.1007/s11432-020-3193-2