
Random Host Mutation for Moving Target Defense

  • Conference paper
Security and Privacy in Communication Networks (SecureComm 2012)

Abstract

Exploiting the static configuration of networks and hosts has always been a great advantage for designing and launching decisive attacks. Network reconnaissance of IP addresses and ports is a prerequisite for many host and network attacks. At the same time, knowing IP addresses is required for service reachability in IP networks, which makes complete concealment of server IP addresses infeasible. In addition, changing IP addresses too frequently may cause serious ramifications, including service interruptions, routing inflation, delays and security violations. In this paper, we present a novel approach that turns end hosts into untraceable moving targets by transparently mutating their IP addresses in an intelligent and unpredictable fashion, without sacrificing network integrity, manageability or performance. The presented technique is called Random Host Mutation (RHM). In RHM, moving-target hosts are assigned virtual IP addresses that change randomly and synchronously in a distributed fashion over time. In order to prevent disruption of active connections, the IP address mutation is managed by network appliances and is totally transparent to end hosts. RHM employs multi-level optimized mutation techniques that maximize uncertainty in adversary scanning by effectively using the whole available address range, while at the same time minimizing the size of routing tables and the number of reconfiguration updates. RHM can be transparently deployed on existing networks, at end hosts or in network elements. Our analysis, implementation and evaluation show that RHM can effectively defend against stealthy scanning, many types of worm propagation, and attacks that require reconnaissance to be launched successfully. We also show the performance bounds for moving target defense in a practical network setup.
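The abstract describes the three moving parts of RHM: real hosts keep their addresses, a network appliance exposes each host through a virtual IP that all appliances change synchronously per time interval, and connections that are already open survive a mutation. The toy simulation below is an added illustration of that arrangement and is not the paper's implementation; in particular, deriving each interval's mapping from an HMAC of the interval number under a key shared by the gateways is this example's own assumption (the paper's mutation scheme is not reproduced here), and the address ranges, interval length and key are constructed sample values.

```python
"""Toy Random Host Mutation (RHM) simulation.

Added illustration, not the paper's code. Real hosts keep fixed addresses
(rIPs); an edge gateway exposes per-epoch virtual addresses (vIPs) that every
gateway derives from a shared key, so mutation is synchronous without any
coordination traffic. Established flows are pinned so a mutation between two
packets does not break them.
"""
import hashlib
import hmac
import ipaddress
import random

# Constructed sample values (assumptions, not taken from the paper).
VIRTUAL_RANGE = ipaddress.ip_network("10.200.0.0/24")   # unused space that vIPs are drawn from
REAL_HOSTS = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]     # moving-target hosts
MUTATION_INTERVAL = 60                                  # seconds per epoch
SHARED_KEY = b"constructed-demo-key"                     # distributed to gateways out of band


def epoch_of(now: float) -> int:
    """Gateways with synchronised clocks agree on the current epoch number."""
    return int(now // MUTATION_INTERVAL)


def assign_virtual_ips(epoch: int, key: bytes = SHARED_KEY) -> dict:
    """Return a bijective rIP -> vIP mapping for one epoch.

    The seed is an HMAC of the epoch number (assumed scheme): every gateway
    holding the key computes the same mapping, while an outsider cannot
    predict the next one. Sampling without replacement keeps vIPs distinct and
    spreads them over the whole virtual range.
    """
    seed = hmac.new(key, str(epoch).encode(), hashlib.sha256).digest()
    rng = random.Random(seed)
    pool = [str(a) for a in VIRTUAL_RANGE.hosts()]
    chosen = rng.sample(pool, len(REAL_HOSTS))
    return dict(zip(REAL_HOSTS, chosen))


class RhmGateway:
    """Translates vIP <-> rIP at the network edge; end hosts only ever see rIPs."""

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.flows = {}   # (client, vIP) -> rIP, pinned when the flow first appeared

    def inbound(self, client: str, dst_vip: str, now: float):
        """Resolve a packet's destination vIP to a real host, or None (drop).

        A flow keeps the vIP it started with, so an active connection is not
        disrupted when the epoch changes underneath it.
        """
        flow = (client, dst_vip)
        if flow in self.flows:
            return self.flows[flow]
        current = assign_virtual_ips(epoch_of(now), self.key)
        for rip, vip in current.items():
            if vip == dst_vip:
                self.flows[flow] = rip
                return rip
        return None

    def outbound(self, src_rip: str, now: float) -> str:
        """Rewrite a host's real source address to its vIP for this epoch."""
        return assign_virtual_ips(epoch_of(now), self.key)[src_rip]


def stale_fraction(scan_epoch: int, later_epoch: int) -> float:
    """Share of (host, vIP) pairs recorded by a scan in scan_epoch that no
    longer hold in later_epoch, i.e. how much a reconnaissance result decays."""
    before = assign_virtual_ips(scan_epoch)
    after = assign_virtual_ips(later_epoch)
    stale = sum(1 for rip in REAL_HOSTS if before[rip] != after[rip])
    return stale / len(REAL_HOSTS)


if __name__ == "__main__":
    gw = RhmGateway()
    t0 = 0.0
    vip = gw.outbound("10.0.0.11", t0)
    print("epoch 0 vIP for 10.0.0.11:", vip)
    # A flow opened in epoch 0 still reaches the same host after the mutation.
    print("flow opened in epoch 0:", gw.inbound("198.51.100.5", vip, t0))
    print("same flow in epoch 1:  ", gw.inbound("198.51.100.5", vip, t0 + MUTATION_INTERVAL))
    # A new client reusing the epoch-0 address is only forwarded if that vIP
    # happens to be reassigned in epoch 1; otherwise the packet is dropped.
    print("new flow, old vIP:     ", gw.inbound("198.51.100.6", vip, t0 + MUTATION_INTERVAL))
    print("epoch-0 scan results stale by epoch 1:", stale_fraction(0, 1))
```

Two gateways constructed with the same key produce identical mappings for the same epoch, which is what makes the mutation "synchronous in a distributed fashion"; the flow table is what keeps it transparent to an end host whose connection spans a mutation.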




Copyright information

© 2013 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Al-Shaer, E., Duan, Q., Jafarian, J.H. (2013). Random Host Mutation for Moving Target Defense. In: Keromytis, A.D., Di Pietro, R. (eds) Security and Privacy in Communication Networks. SecureComm 2012. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 106. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-36883-7_19


  • DOI: https://doi.org/10.1007/978-3-642-36883-7_19

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-36882-0

  • Online ISBN: 978-3-642-36883-7
