
Research On Technologies Of AI Driving Moving Target Defense On Network Layer

Posted on: 2022-02-09
Degree: Doctor
Type: Dissertation
Country: China
Candidate: X Y Xu
GTID: 1488306731497994
Subject: Cyberspace security
Abstract/Summary:
Moving target defense (MTD) is a revolutionary technology proposed to break the imbalance between attack and defense in cyberspace security. By constantly changing key attributes of the network, the attack surface available to an attacker keeps changing, which confuses the attacker, raises the difficulty and cost of an attack and reduces the attacker's payoff. Many studies have shown that MTD can make up for the "passive" and "static" defects of traditional defense methods and effectively improve cyberspace security. However, with the variety of network attack means and the ever-changing real-time network state, MTD technologies face new challenges: more and more factors take part in MTD decision-making, the amount of data grows, and the data dimension keeps rising. MTD decision-making must remain accurate and efficient even when processing massive data, yet traditional decision-making methods hit a data-processing performance bottleneck. At the same time, with improvements in computer hardware and the arrival of the big-data era, artificial intelligence techniques have shown excellent ability to process complex, massive and high-dimensional data. This dissertation focuses on network-layer moving target defense, applies artificial intelligence techniques to it, and makes the following main contributions.

Firstly, because the attack-perception accuracy and the defense effect of existing IP address dynamic defense technology both need improvement, a high-precision IP address dynamic defense technology based on a convolutional neural network is studied. To capture scanning attacks effectively, data sampling and data preprocessing methods for scanning attacks are proposed. To improve the accuracy of attack perception and thereby the timeliness, accuracy and predictability of IP address hopping, a convolutional neural network detector composed of three convolution modules and a judgment module is designed; its detection accuracy on scanning attack packets reaches 0.5604-0.8267. To make IP address hopping adapt to attack behavior, the decisions of the detector drive a three-level IP address hopping scheme that achieves early transformation before a scan and timely transformation after a scan.

Secondly, because existing IP address dynamic defense technology has high deployment cost and high system overhead, a low-cost IP address dynamic defense technology based on deep compression is studied. To reduce the network channel resources consumed by detection data, a data sampling and feature construction method for switch flow-table data is proposed, which reduces channel consumption to 97 KB/s. To reduce the storage footprint of the convolutional neural network detector, improve its processing efficiency and remove its dependence on GPU hardware, deep compression is used to prune and quantize the network during training, reducing its storage footprint to 30.46% and improving processing efficiency by 3.4 times. To adapt IP address hopping to attack behavior, the detector's decision drives a two-level IP address transformation in which the hopping range and hopping time are determined by the observed attack behavior.

Thirdly, because the random forwarding granularity of existing routing dynamic defense technology is too coarse, its quality-of-service guarantee is poor, and its security against eavesdropping attacks needs improvement, a routing dynamic defense technology based on deep reinforcement learning is studied. To refine the random forwarding granularity, a dynamic routing architecture based on P4 is proposed that realizes packet-level fine-grained random routing, which effectively reduces the possibility of continuous packet eavesdropping. To improve the quality-of-service guarantee, a network-state acquisition method based on in-band network telemetry is studied, which provides real-time and accurate data for the subsequent reinforcement learning decisions. To improve the defense effect against eavesdropping attacks while respecting the quality-of-service requirements of different applications, a deep deterministic policy gradient algorithm for random routing scheme generation is designed, which effectively improves both the security and the quality-of-service guarantee of routing dynamic defense.

Fourthly, because the security of existing virtual topology dynamic defense technology against crossfire attacks needs improvement, we start from the mechanism by which virtual topology dynamic defense counters crossfire attacks and study a virtual topology dynamic defense technology based on a generative adversarial network. To prevent attackers from discovering the key links and decoy servers that a crossfire attack requires, a virtual topology generation method based on a generative adversarial network is proposed, and a packet spoofing processing algorithm for virtual topology mapping is designed, so that the crossfire attack cannot obtain the network topology information it needs during the reconnaissance stage and therefore cannot be launched effectively. Against the network congestion threat that a crossfire attack may cause in the attack stage, an IP address shuffling technology triggered by established rules is designed to disperse the congestion traffic across the network. In addition, the proposed method can use the honeypot server in the virtual topology to identify, according to established rules, the manipulated bot hosts in the external network.
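As an added illustration (not code from the dissertation), the following Python sketch models the detector-driven multi-level IP address hopping described in the first two contributions: a scan-probability score from the detector selects the hopping range and the hopping interval, and an attacker's earlier scan snapshot goes stale as the address moves. The thresholds, address pools and intervals are assumptions chosen for the example.

```python
import random
from dataclasses import dataclass, field

# Assumed hopping ranges (constructed private addresses, not the thesis's values)
SMALL_POOL = ["10.0.1.%d" % h for h in range(10, 20)]                            # level 1: one subnet
LARGE_POOL = ["10.0.%d.%d" % (s, h) for s in range(1, 5) for h in range(10, 20)]  # level 2: four subnets

@dataclass
class HopDecision:
    level: int                          # 0 = stable, 1 = narrow/slow, 2 = wide/fast
    pool: list = field(default_factory=list)
    interval_s: int = 0                 # minimum seconds between hops

def decide_hop(score, low=0.3, high=0.7):
    """Map the detector's scan-probability score to a hopping range and timing.
    The thresholds 0.3 and 0.7 are assumptions made for illustration."""
    if score < low:
        return HopDecision(0)                    # no scanning evidence: keep the address
    if score < high:
        return HopDecision(1, SMALL_POOL, 60)    # weak evidence: small range, slow hop
    return HopDecision(2, LARGE_POOL, 5)         # strong evidence: wide range, fast hop

class HoppingHost:
    """A host whose externally visible address follows the controller's decisions."""
    def __init__(self, real_ip, rng):
        self.current = real_ip
        self.rng = rng

    def apply(self, decision, now, last_hop):
        """Hop if the decision requires it and the interval has elapsed; return hop time."""
        if decision.level == 0 or now - last_hop < decision.interval_s:
            return last_hop
        self.current = self.rng.choice([ip for ip in decision.pool if ip != self.current])
        return now

def simulate(scores, seed=1):
    """Feed a per-second detector score stream (constructed input); return the address exposed each tick."""
    rng = random.Random(seed)
    host = HoppingHost("10.0.1.10", rng)
    last_hop, exposed = -10**9, []
    for t, s in enumerate(scores):
        last_hop = host.apply(decide_hop(s), t, last_hop)
        exposed.append(host.current)
    return exposed

def hop_count(exposed):
    """Number of address changes an attacker's earlier scan snapshot would have missed."""
    return sum(1 for a, b in zip(exposed, exposed[1:]) if a != b)
```

Feeding a 30-second stream of scores 0.1, 0.5 or 0.9 to simulate() yields 0, 0 and 5 hops respectively: a weak signal moves the host once within a small range, while a strong signal keeps it moving across the wide range every 5 seconds.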
Keywords/Search Tags: Moving Target Defense, Network Layer, Scanning Attack, Eavesdropping Attack, Crossfire Attack