Funding: supported by the National Key Research and Development Program of China (Project No. 2022YFB3104300).
Abstract: The increasing reliance on interconnected Internet of Things (IoT) devices has amplified the demand for robust anonymization strategies to protect device identities and ensure secure communication. However, traditional anonymization methods for IoT networks often rely on static identity models, making them vulnerable to inference attacks through long-term observation. Moreover, these methods tend to sacrifice data availability to protect privacy, limiting their practicality in real-world applications. To overcome these limitations, we propose a dynamic device identity anonymization framework based on Moving Target Defense (MTD) principles and implemented via Software-Defined Networking (SDN). In our model, the SDN controller periodically reconfigures the network addresses and routes of IoT devices using a constraint-aware backtracking algorithm that constructs new virtual topologies under connectivity and performance constraints. This address-hopping scheme introduces continuous unpredictability at the network layer, dynamically changing device identifiers, routing paths, and even the network topology, which thwarts attacker reconnaissance while preserving normal communication. Experimental results demonstrate that our approach significantly reduces device identity exposure and attacker scan success rates compared to static networks. Moreover, the dynamic scheme maintains high data availability and network performance. Under attack conditions it reduced average communication delay by approximately 60% versus an unprotected network, with minimal overhead on system resources.
Funding: Project supported by the National Basic Research Program (973) of China (No. 2012CB315906) and the National Natural Science Foundation of China (No. 61303264).
Abstract: Port address hopping (PAH) communication is a powerful network moving target defense (MTD) mechanism. It was inspired by frequency hopping in wireless communications. One of the critical and difficult issues with PAH is synchronization. Existing schemes usually provide hops for each session lasting only a few seconds or minutes, making them easily disrupted by network events such as transmission delays, congestion, packet loss, reordering, and retransmission. To address these problems, in this paper we propose a novel self-synchronization scheme, called 'keyed-hashing based self-synchronization (KHSS)'. The proposed method generates a message authentication code (MAC) using the hash-based MAC (HMAC) construction, which is then further used as the synchronization information for port address encoding and decoding. Providing the PAH communication system with one-packet-one-hop and invisible message authentication abilities enables both clients and servers to constantly change their identities, as well as to perform message authentication over unreliable communication media, without transmitting any synchronization or authentication information. Theoretical analysis, simulation, and experimental results show that the proposed method is effective in defending against man-in-the-middle (MITM) attacks and network scanning. It significantly outperforms existing schemes in terms of both security and hopping efficiency.