Applying Self-Shielding Dynamics to the Network Architecture

  • Conference paper
Moving Target Defense II

Part of the book series: Advances in Information Security (ADIS, volume 100)

Abstract

The static nature of computer networks allows attackers to gather intelligence, perform planning, and then execute attacks at will. Further, once an attacker has gained access to a node within an enclave, there is little to stop a determined attacker from mapping out and spreading to other hosts and services within the enclave. To reduce the impact and spread of an attack before it is detected and removed, semantic changes can be made to several fundamental aspects of the network in order to create cryptographically-strong dynamics. In this chapter, we describe such an architecture designed on top of IPv6 for a wired network enclave. User and operating system impacts are mitigated through the use of a hypervisor, and the dynamics remain compatible with existing network infrastructure. At the same time, an attacker’s ability to plan, spread, and communicate within the network is significantly limited by the imposed dynamics.

Acknowledgements

The authors would like to thank AFRL for funding this research under contracts FA8750-10-C-0089 and FA8750-11-C-0179. We would like to thank our program manager Mr. Walt Tirenin from AFRL and Mr. Lynn Meredith from Lockheed Martin for their valuable suggestions and advice during this project.

Author information

Corresponding author

Correspondence to Justin Yackoski.

Copyright information

© 2013 Springer Science+Business Media New York

About this paper

Cite this paper

Yackoski, J., Bullen, H., Yu, X., Li, J. (2013). Applying Self-Shielding Dynamics to the Network Architecture. In: Jajodia, S., Ghosh, A., Subrahmanian, V., Swarup, V., Wang, C., Wang, X. (eds) Moving Target Defense II. Advances in Information Security, vol 100. Springer, New York, NY. https://doi.org/10.1007/978-1-4614-5416-8_6

  • DOI: https://doi.org/10.1007/978-1-4614-5416-8_6

  • Publisher Name: Springer, New York, NY

  • Print ISBN: 978-1-4614-5415-1

  • Online ISBN: 978-1-4614-5416-8

  • eBook Packages: Computer Science, Computer Science (R0)
