Abstract
Networks of decoy nodes protect cyber systems by distracting and misleading adversaries. Decoy defenses can be further enhanced by randomizing the space of node IP addresses, thus preventing an adversary from identifying and blacklisting decoy nodes over time. The decoy-based defense results in a time-varying interaction between the adversary, who attempts to identify and target real nodes, and the system, which deploys decoys and randomizes the address space in order to protect the identity of the real node. In this paper, we present a game-theoretic framework for modeling the strategic interaction between an external adversary and a network of decoy nodes. Our framework consists of two components. First, we model and study the interaction between the adversary and a single decoy node. We analyze the case where the adversary attempts to identify decoy nodes by examining the timing of node responses, as well as the case where the adversary identifies decoys via differences in protocol implementations between decoy and real nodes. Second, we formulate games with an adversary who attempts to find a real node in a network consisting of real and decoy nodes, where the time to detect whether a node is real or a decoy is derived from the equilibria of the games in the first component. We derive the optimal policy of the system to randomize the IP address space in order to avoid detection of the real node, and prove that there is a unique threshold-based Stackelberg equilibrium for the game. Through a simulation study, we find that the game between a single decoy and an adversary mounting timing-based attacks has a pure-strategy Nash equilibrium, while identification of decoy nodes via protocol implementation admits only mixed-strategy equilibria.
This work was supported by ARO grant W911NF-12-1-0448.
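As an added illustration (constructed here, not the paper's own model or code), the following Python simulates an assumed simplified version of the second-component game: one real node among `n_nodes` addresses, an adversary that probes addresses without replacement and spends a fixed `detect_time` per address deciding real versus decoy, and a defender that re-randomizes the address space once the adversary has ruled out `threshold` decoys, wiping the adversary's progress. It also gives the closed-form hit probability under those same assumptions, so the trade-off between a low threshold (more frequent, disruptive randomization) and adversary success within a time horizon can be checked.

```python
import random


def simulate_once(n_nodes, threshold, max_probes, rng):
    """One run of the assumed toy model.

    Returns (probes_used_to_find_real_node or None, randomizations).
    The real node is uniformly placed; the adversary probes unexamined
    addresses without replacement, so the next probe hits the real node
    with probability 1 / (addresses not yet ruled out).  After `threshold`
    decoys are ruled out, the defender re-randomizes the address space
    and the adversary's knowledge is reset."""
    if threshold < 1:
        raise ValueError("threshold must be at least 1")
    ruled_out = 0        # decoys identified since the last randomization
    randomizations = 0   # defender cost proxy: how often it had to shuffle
    for probes in range(1, max_probes + 1):
        if rng.random() < 1.0 / (n_nodes - ruled_out):
            return probes, randomizations
        ruled_out += 1
        if ruled_out >= threshold:
            randomizations += 1
            ruled_out = 0
    return None, randomizations


def estimate(n_nodes, threshold, detect_time, horizon, trials=4000, seed=1):
    """Monte Carlo: (P[real node found before horizon], mean randomizations)."""
    rng = random.Random(seed)
    max_probes = int(horizon // detect_time)
    found = 0
    rand_total = 0
    for _ in range(trials):
        hit, r = simulate_once(n_nodes, threshold, max_probes, rng)
        found += hit is not None
        rand_total += r
    return found / trials, rand_total / trials


def exact_prob(n_nodes, threshold, max_probes):
    """Closed form under the same assumptions: a full epoch of k probes
    misses the real node w.p. (n-k)/n, a trailing partial epoch of r
    probes misses it w.p. (n-r)/n; epochs are independent because each
    randomization places the real node afresh."""
    k = min(threshold, n_nodes)
    full_epochs, r = divmod(max_probes, k)
    return 1.0 - ((n_nodes - k) / n_nodes) ** full_epochs * ((n_nodes - r) / n_nodes)
```

Lowering `threshold` towards 1 caps the adversary's per-probe success at 1/n regardless of how long it scans, at the price of a randomization after nearly every probe; raising it to `n_nodes` disables the defense and the real node is always found within `n_nodes` probes.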
© 2015 Springer International Publishing Switzerland
Clark, A., Sun, K., Bushnell, L., Poovendran, R. (2015). A Game-Theoretic Approach to IP Address Randomization in Decoy-Based Cyber Defense. In: Khouzani, M., Panaousis, E., Theodorakopoulos, G. (eds) Decision and Game Theory for Security. GameSec 2015. Lecture Notes in Computer Science, vol 9406. Springer, Cham. https://doi.org/10.1007/978-3-319-25594-1_1
DOI: https://doi.org/10.1007/978-3-319-25594-1_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-25593-4
Online ISBN: 978-3-319-25594-1
eBook Packages: Computer Science (R0)