A Game-Theoretic Approach to IP Address Randomization in Decoy-Based Cyber Defense

  • Conference paper
Decision and Game Theory for Security (GameSec 2015)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 9406)

Abstract

Networks of decoy nodes protect cyber systems by distracting and misleading adversaries. Decoy defenses can be further enhanced by randomizing the space of node IP addresses, thus preventing an adversary from identifying and blacklisting decoy nodes over time. The decoy-based defense results in a time-varying interaction between the adversary, who attempts to identify and target real nodes, and the system, which deploys decoys and randomizes the address space in order to protect the identity of the real node. In this paper, we present a game-theoretic framework for modeling the strategic interaction between an external adversary and a network of decoy nodes. Our framework consists of two components. First, we model and study the interaction between the adversary and a single decoy node. We analyze the case where the adversary attempts to identify decoy nodes by examining the timing of node responses, as well as the case where the adversary identifies decoys via differences in protocol implementations between decoy and real nodes. Second, we formulate games with an adversary who attempts to find a real node in a network consisting of real and decoy nodes, where the time to detect whether a node is real or a decoy is derived from the equilibria of the games in the first component. We derive the optimal policy of the system to randomize the IP address space in order to avoid detection of the real node, and prove that there is a unique threshold-based Stackelberg equilibrium for the game. Through a simulation study, we find that the game between a single decoy and an adversary mounting timing-based attacks has a pure-strategy Nash equilibrium, while identification of decoy nodes via protocol implementation admits only mixed-strategy equilibria.

This work was supported by ARO grant W911NF-12-1-0448.



Author information

Correspondence to Andrew Clark.

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Clark, A., Sun, K., Bushnell, L., Poovendran, R. (2015). A Game-Theoretic Approach to IP Address Randomization in Decoy-Based Cyber Defense. In: Khouzani, M., Panaousis, E., Theodorakopoulos, G. (eds) Decision and Game Theory for Security. GameSec 2015. Lecture Notes in Computer Science, vol 9406. Springer, Cham. https://doi.org/10.1007/978-3-319-25594-1_1

  • DOI: https://doi.org/10.1007/978-3-319-25594-1_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-25593-4

  • Online ISBN: 978-3-319-25594-1

  • eBook Packages: Computer Science, Computer Science (R0)
