Available online at www.sciencedirect.com
ScienceDirect
Procedia Computer Science 131 (2018) 520–524
www.elsevier.com/locate/procedia

8th International Congress of Information and Communication Technology (ICICT-2018)
Active Perceptive Dynamic Scheduling Mechanism Based on Negative Feedback

Yingying Lv*, Yunfei Guo, Qiang Chen, Guozhen Cheng, Yang Chen
National Digital Switching System Engineering & Technological R&D Center, Zhengzhou 450002, Henan, China
Abstract

With the popularization of the Internet, people's production and daily life, and even national security and development, have become more and more dependent on cyberspace, and the importance of cyberspace has become increasingly prominent. Network security should be paid more and more attention to. Mimicry defense is one of the active defense technologies. We focus on the DHR architecture and give research on a mimicry scheduling mechanism based on negative feedback, and we have analyzed the feasibility of this method in theory.

© 2018 The Authors. Published by Elsevier Ltd. This is an open access article under the CC BY-NC-ND license (https://creativecommons.org/licenses/by-nc-nd/4.0/)
Selection and peer-review under responsibility of the scientific committee of the 8th International Congress of Information and Communication Technology.

Keywords: mimicry defense, active defense, negative feedback
1. Introduction

Over recent years, with the popularization of the Internet, people's production and daily life, and even national security and development, have become more and more dependent on cyberspace, and the importance of cyberspace has become increasingly prominent. However, the fragility of cyberspace makes it easy for criminals to take advantage of it, posing threats to national security such as cybercrime and hacker attacks [1]. In most of today's networks there is a significant asymmetry between attackers and defenders: the attacker can decide how and when to attack, while the defender often has only a static defense or a defense that changes in a predefined manner [2].

Active defense is a proactive defense, which prevents an attacker from completing an attack on a target, or enables the system to prevent a security incident without the need for an artificial, passive response after the defensive measures have been implemented [3]. Intrusion tolerance [4], moving target defense [5] and mimicry defense [6] are three typical active defense technologies. The primary goal of an intrusion tolerant system is availability and reliability. Moving target defense mainly uses dynamic technologies, such as dynamic migration and reconfiguration; its goal is to change the static properties of the system so as to confuse the attacker and hide vulnerabilities through unpredictable proactive changes. Mimicry defense mainly uses redundancy, voting, active reconstruction and dynamic migration at the technical level, while using a combination of various active defense technologies at the data layer and the code layer. In this paper, we study a mimicry scheduling mechanism based on negative feedback control in the dynamic heterogeneous redundancy (DHR [6]) architecture, and propose how to protect the entities from attacks.

* Corresponding author. Tel.: 18638716496. E-mail address: [email protected]
1877-0509 © 2018 The Authors. Published by Elsevier Ltd. This is an open access article under the CC BY-NC-ND license (https://creativecommons.org/licenses/by-nc-nd/4.0/)
Selection and peer-review under responsibility of the scientific committee of the 8th International Congress of Information and Communication Technology
10.1016/j.procs.2018.04.253

2. Problem Statement

Mimicry defense reduces the exploitability of unknown vulnerabilities and backdoors by destroying the attack's dependence on a static network environment around the attacked targets and by disrupting the attack information chain, thereby increasing the difficulty and cost of network attacks and reducing the security risks in cyberspace [1]. As shown in Figure 1, the DHR architecture consists of the input proxy, the heterogeneous element pool, the heterogeneous component set, the dynamic selection algorithm, the entity and the decider. In this architecture, m functionally equivalent heterogeneous components are constructed from elements in the heterogeneous element pool, and the dynamic selection algorithm dynamically selects n of them to form an entity. At any moment, the input proxy forwards the input to each executive body, the output of each executive body is submitted to the decider for voting, and finally the output of the system is obtained.

Fig. 1. The DHR architecture

The core of the DHR architecture is to vote on the processing results of heterogeneous entities to obtain a relatively correct output. However, this architecture also suffers from a variety of attacks, especially detection (probing) attacks. As for detection attacks, there have been some studies on the case where the entities are running. [7] studies the running entities, using a negative-feedback dynamic perception switching algorithm to increase the uncertainty that the entity set presents to the outside while ensuring good and reliable operation of the network, making it harder for an attacker to control the network. However, not only the running entities suffer from detection attacks, but also those that are standing by, waiting to be called. This paper is about how to protect the standby entities from detection attacks.

3. Model Classification and Method

The entities of the whole mimicry heterogeneous entity pool are divided into two categories, as shown in Figure 2: one is the entities chosen for use (A1, A2, …, Am), the other is the standby entities (B1, B2, …, Bn). A1, A2, …, Am and B1, B2, …, Bn are heterogeneous entity sets, where each entity is assigned a different IP address. Thus we can know whether an entity is attacked or not. If the attacker is attacking an entity in A, assuming that the number of compromised entities is less than half of the number of selected entities,
then the judgment result of the decider can identify which entity has been attacked successfully. If the attacker is attacking an entity in B, we can check whether there is traffic to a non-called IP address; if there is, it indicates that an attacker is attacking an entity in B, and vice versa.

Fig. 2. The classification model
We are focusing on the security of the standby entities, so we have made assumptions about the detection attacks on the standby entities. After obtaining the data on the entity sets suffering from the detection attack, we can classify it according to the scanning and detection patterns observed for the different entity sets. We make two assumptions about the attacker in order to schedule effectively through hypothesis testing. The first assumption, expressed as a non-uniform attack, determines whether an attacker is targeting a particular type of entity. If this hypothesis is validated, then we can reduce the probability that the selector will select such an entity, or even exclude such an entity from the attacker's valid attack. The second assumption, expressed as a non-repetitive attack, determines whether an attacker is attacking the different entity sets with equal probability. If this assumption is validated, then we can call other entity sets to avoid an attacker's valid attack.

1) Non-uniform test. A non-uniform test is defined in order to determine whether an attacker is performing a non-uniform attack. The purpose of this test is to determine whether an attacker attacks the heterogeneous entity sets with non-equal probability. We use $x_k$ to denote the number of attacks on the $k$-th entity set, and $z/M$ is the average number of attacks per entity set ($z$ is the total number of attacks, $M$ is the total number of entity sets). In order to test the null hypothesis and show that the observed frequency distribution of attacks on the various entity sets is inconsistent with the uniform distribution, Pearson's $\chi^2$ distribution can be used [8]. Assume that $\chi^2_z$ represents the goodness of fit after observing $z$ events. Under the uniform distribution, every set will suffer $z/M$ probing attacks:

$$\chi^2_z = \sum_{k=1}^{M} \frac{(x_k - z/M)^2}{z/M} \qquad (1)$$

Compared with the chi-squared distribution with $M-1$ degrees of freedom to determine the goodness of fit, using a significance level of 0.05, we get the following decision rule:

$$\begin{cases} P(\chi^2_z) \le 0.05 & \text{accept the non-uniformity hypothesis} \\ P(\chi^2_z) > 0.05 & \text{reject the non-uniformity hypothesis} \end{cases} \qquad (2)$$

When the $\chi^2_z$ probability is no more than 0.05, the null hypothesis is accepted by the test; otherwise, the test rejects the null hypothesis. If the null hypothesis is accepted, it means that the attacker's probes are concentrated on a certain set of entities. So we can call this kind of entity as little as possible and increase the probability of calling other kinds of entities, thus reducing the probability of a successful attack and delaying the attack.

2) Non-repetition test. The objective of the non-repetition test is to test the hypothesis that an attacker is scanning the IP addresses without replacement. We make the assumption that attackers tend to detect every set of entities. To test the hypothesis,
we calculate the deviation from the average number of detections for every entity set. If the deviation is close to zero, it means that the entity sets have been detected with equal probability. Assume that $g_i$ denotes the number of probes to the $i$-th entity set, $z$ denotes the total number of detections, and $N$ denotes the total number of uncalled entity sets in the pool. Then assume that $\bar{g}_z$ denotes the average number of probes to every entity set after observing $z$ detections. Once the $(z+1)$-th probe to the entity set $B_k$ is received, we have $g_k \leftarrow g_k + 1$, thus the average is recursively updated according to the following formula:

$$\bar{g}_{z+1} = \bar{g}_z + \frac{1}{N} = \frac{z+1}{N} \qquad (3)$$

Then assume that $Q_{2,z} = \sum_{i=1}^{N} (g_i - \bar{g}_z)^2$; the unbiased variance of the data can be calculated with the following formulas (in (4), $g_k$ is the count before its increment):

$$Q_{2,z+1} = Q_{2,z} + 2 g_k + 1 - \bar{g}_z - \bar{g}_{z+1} \qquad (4)$$

$$S^2_{z+1} = \frac{Q_{2,z+1}}{N-1} \qquad (5)$$

After observing $z$ events, we can define the normalized deviation as:

$$y_z = \frac{S_z}{\bar{g}_z} \qquad (6)$$
When $y_z \le 0.001$, the null hypothesis is accepted; otherwise, the test rejects the null hypothesis. When the null hypothesis is accepted, it means that the attacker is detecting the entity sets with equal probability, so we can choose the entity set to use with a uniformly random probability in order to avoid probing attacks.

4. Conclusion

In this paper, we introduced the DHR architecture and gave research on a mimicry scheduling mechanism based on negative feedback. We made two assumptions and tested them, and theoretically our method is helpful for avoiding detection attacks. Next we will conduct a simulation experiment to verify whether our method can improve the security of the architecture.

Acknowledgments

This work is supported by the National Natural Science Foundation of China (No. 61521003, No. 61602509, No. 61309020), the National Key R&D Program of China (No. 2016YFB0800100, No. 2016YFB0800101), and the Key Technologies Research and Development Program of Henan Province (No. 172102210615).

References

1. Qing T, Zheng Z and Jiang W. 2017. Active Defense Technology Based on Software and Hardware Diversity. Journal of Information Security, 2 (1), 1-12.
2. Picek, S., Hemberg, E. and O'Reilly, U. M. 2017. If You Can't Measure It, You Can't Improve It: Moving Target Defense Metrics. Workshop (pp. 115-118).
3. Xiao G and Pu S. 2009. Active Defense Technology for Network Security. Computer Security (1), 38-40.
4. Adelsbach, A., Alessandri, D., Cachin, C. et al. 2003. Conceptual model and architecture of MAFTIA. Technical Report.
5. Kewley, D. L., and Bouchard, J. F. 2001. DARPA information assurance program dynamic defense experiment summary. IEEE Transactions on Systems, Man, and Cybernetics - Part A: Systems and Humans, 31(4), 331-336.
6. Jiang W. 2016. Research on cyberspace mimetic defense. Journal of Information Security, 1 (4), 1-10.
7. Chao Q, Jiang W, Guo C, Jian A, and Shuo Z. 2017. An aware-scheduling security architecture with priority-equal multi-controller for SDN. China Communications, 14(9), 144-154.
8. Jafarian, J. H., Al-Shaer, E., and Duan, Q. 2015. Adversary-aware IP address randomization for proactive agility against sophisticated attackers. Computer Communications (pp. 738-746). IEEE.
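The two tests of Section 3, as an added worked example that is not code from the paper or its authors: the Pearson chi-squared non-uniform test over per-set probe counts (eqs. 1-2) and the recursive non-repetition statistics (eqs. 3-6), fed with the same probes in arrival order. The flow-log format, the addresses (taken from the TEST-NET documentation ranges), the mapping of standby addresses to sets B1-B4 and the selection-weight rule are assumptions; the chi-squared p-value uses the closed form for integer degrees of freedom so that nothing beyond the Python standard library is needed.

```python
import math

# Constructed mapping (assumed, not from the paper): standby-entity IP -> heterogeneous entity set.
STANDBY_SETS = {"192.0.2.11": "B1", "192.0.2.12": "B1", "192.0.2.21": "B2",
                "192.0.2.31": "B3", "192.0.2.41": "B4"}

# Constructed flow log. Traffic to a standby (non-called) address is a probe of that entity;
# 192.0.2.1 is a called entity in A, so traffic to it is normal service and is ignored.
PROBE_LOG = """\
2018-03-01T10:00:01 src=203.0.113.7 dst=192.0.2.11 dport=22
2018-03-01T10:00:02 src=203.0.113.7 dst=192.0.2.12 dport=22
2018-03-01T10:00:03 src=203.0.113.7 dst=192.0.2.11 dport=80
2018-03-01T10:00:04 src=203.0.113.7 dst=192.0.2.12 dport=443
2018-03-01T10:00:05 src=203.0.113.7 dst=192.0.2.11 dport=8080
2018-03-01T10:00:06 src=203.0.113.7 dst=192.0.2.12 dport=3306
2018-03-01T10:00:07 src=203.0.113.7 dst=192.0.2.21 dport=22
2018-03-01T10:00:08 src=203.0.113.7 dst=192.0.2.31 dport=22
2018-03-01T10:00:09 src=198.51.100.5 dst=192.0.2.1 dport=443
"""

def probe_sequence(log_text, sets=STANDBY_SETS):
    """Yield the standby set hit by each probe, in log order."""
    for line in log_text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        if fields.get("dst") in sets:
            yield sets[fields["dst"]]

def probes_per_set(log_text, sets=STANDBY_SETS):
    """x_k of eq. (1): probes per standby entity set, keeping sets that drew none."""
    counts = {name: 0 for name in sorted(set(sets.values()))}
    for name in probe_sequence(log_text, sets):
        counts[name] += 1
    return counts

def chi2_sf(x, df):
    """P(X > x) for chi-squared with integer df >= 1, via the exact closed forms (no scipy needed)."""
    if x <= 0:
        return 1.0
    term, total = 1.0, 0.0
    if df % 2 == 0:                 # even df: e^{-x/2} * sum_{i<df/2} (x/2)^i / i!
        for i in range(df // 2):
            total += term
            term *= (x / 2) / (i + 1)
        return math.exp(-x / 2) * total
    for i in range((df - 1) // 2):  # odd df: erfc(sqrt(x/2)) + sqrt(2x/pi) e^{-x/2} sum x^i/(2i+1)!!
        total += term
        term *= x / (2 * i + 3)
    return math.erfc(math.sqrt(x / 2)) + math.sqrt(2 * x / math.pi) * math.exp(-x / 2) * total

def non_uniform_test(counts, alpha=0.05):
    """Eqs. (1)-(2). Returns (chi2_z, p, accepted); accepted follows the paper's rule p <= alpha."""
    x = list(counts.values())
    z, M = sum(x), len(x)
    if z == 0 or M < 2:
        return 0.0, 1.0, False      # nothing observed: no evidence that one set is targeted
    expected = z / M
    chi2 = sum((xk - expected) ** 2 / expected for xk in x)
    return chi2, chi2_sf(chi2, M - 1), chi2_sf(chi2, M - 1) <= alpha

def selection_weights(counts, non_uniform):
    """Negative feedback to the selector: uniform unless targeting was detected, then weight each set
    inversely to the probes it drew (assumed rule; the paper only says to call it as little as possible)."""
    if not non_uniform:
        return {k: 1.0 / len(counts) for k in counts}
    raw = {k: 1.0 / (1 + c) for k, c in counts.items()}
    total = sum(raw.values())
    return {k: v / total for k, v in raw.items()}

class NonRepetitionTracker:
    """Eqs. (3)-(6) kept incrementally: mean, Q_{2,z}, unbiased variance and y_z. Needs N >= 2 sets."""
    def __init__(self, names):
        self.N, self.g, self.z, self.g_bar, self.Q = len(names), {n: 0 for n in names}, 0, 0.0, 0.0
    def observe(self, name):
        """Probe z+1 lands on set `name`; g_k is read before its increment, as eq. (4) requires."""
        g_k, g_bar_next = self.g[name], self.g_bar + 1.0 / self.N   # eq. (3)
        self.Q += 2 * g_k + 1 - self.g_bar - g_bar_next              # eq. (4)
        self.g[name], self.g_bar, self.z = g_k + 1, g_bar_next, self.z + 1
    def variance(self):
        return self.Q / (self.N - 1)                                 # eq. (5)
    def deviation(self):
        """y_z = S_z / g_bar_z (eq. 6); None before the first probe."""
        return None if self.z == 0 else math.sqrt(max(self.variance(), 0.0)) / self.g_bar
    def direct_Q(self):
        """Non-recursive Q_{2,z}, used to check the recursion against a full recomputation."""
        return sum((v - self.g_bar) ** 2 for v in self.g.values())
    def equal_probability(self, threshold=0.001):
        y = self.deviation()
        return y is not None and y <= threshold

if __name__ == "__main__":
    counts = probes_per_set(PROBE_LOG)
    chi2, p, targeted = non_uniform_test(counts)
    print(counts, round(chi2, 3), round(p, 4), targeted, selection_weights(counts, targeted))
    tracker = NonRepetitionTracker(counts)
    for name in probe_sequence(PROBE_LOG):
        tracker.observe(name)
    print(tracker.Q, tracker.direct_Q(), tracker.deviation(), tracker.equal_probability())
```

On the constructed log the six probes to B1 against one each to B2 and B3 give $\chi^2_z = 11$ with three degrees of freedom ($p \approx 0.012$), so the non-uniformity hypothesis is accepted and B1's selection weight drops; the same sequence drives $Q_{2,z}$ to 22 through eq. (4), matching the direct recomputation, and gives $y_z \approx 1.35$, so the non-repetition test rejects equal-probability scanning. A round-robin sequence over the four sets drives $y_z$ to 0 and is accepted instead.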