The current static nature of computer networks allows attackers to gather intelligence, plan, and then execute attacks at will. This situation creates a low barrier to entry and all but assures that any given computer network will eventually be successfully attacked. In particular, once an attacker has gained access to a node within an enclave, there is little to stop a determined attacker from eventually reaching other hosts and services within that enclave. To reduce the impact of an attack in the window between when the attack begins and when the attacker is (eventually) detected and removed, we propose a fundamental change to the nature of the network: the introduction of cryptographically strong dynamics. In this work, we describe a Self-shielding Dynamic Network Architecture (SDNA) that allows multiple types of dynamics to be constructively combined. We have implemented SDNA on real hardware in a testbed network and have designed it to eliminate many of the technical challenges, user impacts, and compatibility issues that such an architecture faces. Because it is realized in a hypervisor, SDNA is transparent to the guest OS and not noticeable to the average user. SDNA can also be added to an existing network with little to no change to infrastructure or configuration. At the same time, many classes of attacks can be either completely prevented or severely limited by SDNA.