
A keyed-hashing based self-synchronization mechanism for port address hopping communication

Published in: Frontiers of Information Technology & Electronic Engineering

Abstract

Port address hopping (PAH) communication is a powerful network moving target defense (MTD) mechanism, inspired by frequency hopping in wireless communications. One of the critical and difficult issues with PAH is synchronization. Existing schemes usually provide hops for each session lasting only a few seconds or minutes, which makes them easily disrupted by network events such as transmission delays, congestion, packet loss, reordering, and retransmission. To address these problems, in this paper we propose a novel self-synchronization scheme called ‘keyed-hashing based self-synchronization (KHSS)’. The proposed method generates a message authentication code (MAC) using the hash-based MAC (HMAC) construction and then uses that MAC as the synchronization information for port address encoding and decoding. Giving the PAH communication system one-packet-one-hopping and invisible message authentication enables both clients and servers to change their identities constantly and to authenticate messages over unreliable communication mediums, without transmitting any synchronization or authentication information. Theoretical analysis, simulation, and experimental results show that the proposed method is effective in defending against man-in-the-middle (MITM) attacks and network scanning, and that it significantly outperforms existing schemes in both security and hopping efficiency.
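The abstract describes the core idea but not the concrete construction. The following is an added illustration, not the paper's code: it assumes that the HMAC is computed over a role label, a per-packet sequence number carried in the packet, and the payload, and that the resulting tag is mapped into a hypothetical port range. Under those assumptions the example shows the two properties the abstract claims: each packet hops to its own ports, and the receiver authenticates a packet purely from whether its ports match the recomputed tag, so no MAC or synchronization field is ever transmitted and loss or reordering cannot desynchronize the two sides.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass
from typing import List

# Constructed demo secret shared by client and server; the paper's key setup is not on this page.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"

# Hypothetical hopping ranges (assumed for illustration, not taken from the paper).
SERVER_PORT_BASE, SERVER_PORT_SPAN = 10000, 20000   # server identity hops within 10000..29999
CLIENT_PORT_BASE, CLIENT_PORT_SPAN = 40000, 20000   # client identity hops within 40000..59999


@dataclass(frozen=True)
class Packet:
    """What is actually on the wire: a sequence number, two ports, and the payload.
    No MAC field is carried; the ports themselves are the authentication evidence."""
    seq: int
    src_port: int
    dst_port: int
    payload: bytes


def keyed_port(key: bytes, role: bytes, seq: int, payload: bytes,
               base: int, span: int) -> int:
    """Derive a hopping port from HMAC-SHA256 over (role, seq, payload).

    The role label keeps client and server ports independent, seq makes every
    packet hop to a fresh port, and binding the payload means a modified
    packet no longer 'fits' its own ports. The tag itself never leaves the host.
    """
    message = role + struct.pack(">Q", seq) + payload
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return base + (int.from_bytes(tag[:4], "big") % span)


def encode_packet(key: bytes, seq: int, payload: bytes) -> Packet:
    """Sender side: choose this packet's source and destination ports from the keyed hash."""
    src = keyed_port(key, b"client", seq, payload, CLIENT_PORT_BASE, CLIENT_PORT_SPAN)
    dst = keyed_port(key, b"server", seq, payload, SERVER_PORT_BASE, SERVER_PORT_SPAN)
    return Packet(seq, src, dst, payload)


def verify_packet(key: bytes, pkt: Packet) -> bool:
    """Receiver side: recompute both ports from the packet's own seq and payload.

    Only fields carried in the packet are hashed, so the receiver keeps no
    per-session hop counter and loss, reordering or retransmission cannot
    desynchronize it. A mismatch means a forged or modified packet, or a
    scanner probing a port that does not belong to this seq/payload pair.
    """
    expected = struct.pack(
        ">HH",
        keyed_port(key, b"client", pkt.seq, pkt.payload, CLIENT_PORT_BASE, CLIENT_PORT_SPAN),
        keyed_port(key, b"server", pkt.seq, pkt.payload, SERVER_PORT_BASE, SERVER_PORT_SPAN),
    )
    observed = struct.pack(">HH", pkt.src_port, pkt.dst_port)
    return hmac.compare_digest(expected, observed)   # constant-time comparison


def accepted_seqs(key: bytes, packets: List[Packet]) -> List[int]:
    """Process packets in whatever order the network delivered them and return
    the sequence numbers that authenticated. Gaps and reordering do not matter."""
    return [p.seq for p in packets if verify_packet(key, p)]


if __name__ == "__main__":
    sent = [encode_packet(SHARED_KEY, i, b"payload-%d" % i) for i in range(6)]
    # Constructed unreliable channel: packet 2 is dropped, the rest arrive out of order.
    arrived = [sent[5], sent[0], sent[4], sent[1], sent[3]]
    print("accepted in arrival order:", accepted_seqs(SHARED_KEY, arrived))
    tampered = Packet(sent[0].seq, sent[0].src_port, sent[0].dst_port, b"payload-X")
    print("tampered packet accepted:", verify_packet(SHARED_KEY, tampered))
```

Two design points worth noting. The comparison is done over the packed port pair with `hmac.compare_digest` so that a verifier does not leak, through timing, which of the two ports was wrong. And because the sequence number is part of the hashed input, a packet replayed unchanged would still verify; a deployment following this pattern would additionally need replay protection (for example a sliding window over seq), which the abstract does not discuss and this example deliberately leaves out.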



Author information

Corresponding author: Yue-bin Luo.

Additional information

Project supported by the National Basic Research Program (973) of China (No. 2012CB315906) and the National Natural Science Foundation of China (No. 61303264)

ORCID: Yue-bin LUO, http://orcid.org/0000-0002-8194-5262


Cite this article

Luo, Y.B., Wang, B.S., Wang, X.F., et al. A keyed-hashing based self-synchronization mechanism for port address hopping communication. Frontiers Inf Technol Electronic Eng 18, 719–728 (2017). https://doi.org/10.1631/FITEE.1601548
