DOI: 10.1145/2995272.2995275
Research article, Public Access

Formal Approach for Resilient Reachability based on End-System Route Agility

Published: 24 October 2016

Abstract

The deterministic nature of existing routing protocols has resulted in an ossified Internet with static and predictable network routes. This gives persistent attackers (e.g. eavesdroppers and DDoS attackers) plenty of time to study the network and identify the vulnerable (critical) links to plan devastating and stealthy attacks. Recently, Moving Target Defense (MTD) based approaches have been proposed to defend against DoS attacks. However, MTD-based approaches for route mutation are oriented towards re-configuring the parameters in Local Area Networks (LANs), and do not provide any protection against infrastructure-level attacks, which inherently limits their use for mission-critical services over the Internet infrastructure. To cope with these issues, we extend the current routing architecture to consider end-hosts as routing elements, and present a formal-method-based agile defense mechanism to embed resiliency in the existing cyber infrastructure. The major contributions of this paper include: (1) formalization of the efficient and resilient End-to-End (E2E) reachability problem as a constraint satisfaction problem, which identifies the potential end-hosts to reach a destination while satisfying resilience and QoS constraints; (2) design and implementation of a novel decentralized End Point Route Mutation (EPRM) protocol; and (3) design and implementation of a planning algorithm to minimize the overlap between multiple flows, for the sake of maximizing the agility in the system. Our PlanetLab-based implementation and evaluation validate the correctness, effectiveness and scalability of the proposed approach.
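As an added illustration (not code from the paper; its constraint model and EPRM protocol are not reproduced on this page), a constructed Python toy of the idea the abstract describes: end-hosts act as relays, each flow's relay must satisfy a latency budget (QoS) and keep the path off links marked critical (resilience), the assignment sharing the fewest links between flows is chosen, and a later round forces every flow onto a different relay so routes keep moving. The topology, latencies, budgets, relay set and the critical-link marking are all assumptions made for the example.

```python
"""Constructed toy of end-host relay selection for route mutation: each flow goes
src -> relay -> dst, subject to a latency budget (QoS) and critical-link avoidance."""
import heapq
from itertools import product

# Constructed topology: undirected links with latency in ms (assumed values).
LINKS = {("A", "X"): 5, ("A", "Y"): 7, ("X", "B"): 5, ("Y", "B"): 6, ("A", "Z"): 9,
         ("Z", "B"): 4, ("C", "X"): 6, ("C", "Y"): 3, ("C", "Z"): 8}
RELAYS = ["X", "Y", "Z"]              # end-hosts acting as routing elements
CRITICAL = {frozenset(("A", "Z"))}    # links to keep mutated routes away from
GRAPH = {}                            # adjacency view of LINKS
for (u, v), w in LINKS.items():
    GRAPH.setdefault(u, {})[v] = w
    GRAPH.setdefault(v, {})[u] = w

def shortest(s, t, banned):
    """Dijkstra avoiding banned links; returns (latency, set of links) or None."""
    dist, prev, pq = {s: 0}, {}, [(0, s)]
    while pq:
        d, u = heapq.heappop(pq)
        for v, w in GRAPH[u].items():
            if frozenset((u, v)) in banned or d + w >= dist.get(v, float("inf")):
                continue
            dist[v], prev[v] = d + w, u
            heapq.heappush(pq, (d + w, v))
    if t not in dist:
        return None
    links, v = set(), t
    while v != s:
        links.add(frozenset((prev[v], v)))
        v = prev[v]
    return dist[t], links

def plan(flows, budgets, previous=None):
    """Feasible (overlap, {flow: relay}) with fewest shared links; 'previous' forces a hop."""
    best = None
    for choice in product(RELAYS, repeat=len(flows)):
        paths = []
        for (s, t), r in zip(flows, choice):
            if r in (s, t) or (previous and previous.get((s, t)) == r):
                break
            a, b = shortest(s, r, CRITICAL), shortest(r, t, CRITICAL)
            if a is None or b is None or a[0] + b[0] > budgets[(s, t)]:
                break
            paths.append(a[1] | b[1])
        else:  # every flow got a feasible path; score inter-flow link overlap
            overlap = sum(len(p & q) for i, p in enumerate(paths) for q in paths[i + 1:])
            if best is None or overlap < best[0]:
                best = (overlap, dict(zip(flows, choice)))
    return best
```

Brute-force enumeration is fine for a handful of flows and relays; the paper's point is that the same feasibility and overlap constraints scale to a solver-backed formulation.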



Published In

MTD '16: Proceedings of the 2016 ACM Workshop on Moving Target Defense
October 2016, 144 pages
ISBN: 9781450345705
DOI: 10.1145/2995272
Program Chairs: Peng Liu, Cliff Wang

© 2016 Association for Computing Machinery. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of the United States government. As such, the United States Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. moving target defense
  2. network resilience
  3. route mutation
  4. routing agility

Qualifiers

  • Research-article

Funding Sources

  • Pacific Northwest National Laboratory
  • Army Research Office

Conference

CCS'16

Acceptance Rates

MTD '16 Paper Acceptance Rate 9 of 26 submissions, 35%;
Overall Acceptance Rate 40 of 92 submissions, 43%

Article Metrics

  • Downloads (last 12 months): 105
  • Downloads (last 6 weeks): 5

Reflects downloads up to 20 Feb 2025

Cited By

  • (2024) Multi-Constraint and Multi-Policy Path Hopping Active Defense Method Based on SDN. Future Internet 16(4):143, doi:10.3390/fi16040143. Online publication date: 22-Apr-2024
  • (2021) Context-Aware Adaptive Route Mutation Scheme: A Reinforcement Learning Approach. IEEE Internet of Things Journal 8(17):13528-13541, doi:10.1109/JIOT.2021.3065680. Online publication date: 1-Sep-2021
  • (2021) Towards Crossfire Distributed Denial of Service Attack Protection Using Intent-Based Moving Target Defense Over Software-Defined Networking. IEEE Access 9:112792-112804, doi:10.1109/ACCESS.2021.3103845. Online publication date: 2021
  • (2020) A Review of Moving Target Defense Mechanisms for Internet of Things Applications. Modeling and Design of Secure Internet of Things, pp. 563-614, doi:10.1002/9781119593386.ch24. Online publication date: 12-Jun-2020
  • (2019) Investigation of Moving Target Defense Technique to Prevent Poisoning Attacks in SDN. 2019 IEEE World Congress on Services (SERVICES), pp. 178-183, doi:10.1109/SERVICES.2019.00050. Online publication date: Jul-2019
  • (2019) EPOCH: Error Bound Analysis Towards Indoor WLAN Positioning Under Colored Gaussian Noisy Channel. ICC 2019 - 2019 IEEE International Conference on Communications (ICC), pp. 1-6, doi:10.1109/ICC.2019.8761994. Online publication date: May-2019
  • (2019) An Efficient and Agile Spatio-Temporal Route Mutation Moving Target Defense Mechanism. ICC 2019 - 2019 IEEE International Conference on Communications (ICC), pp. 1-6, doi:10.1109/ICC.2019.8761927. Online publication date: May-2019
  • (2019) Minimizing Age of Information in the Internet of Things with Non-Uniform Status Packet Sizes. ICC 2019 - 2019 IEEE International Conference on Communications (ICC), pp. 1-6, doi:10.1109/ICC.2019.8761311. Online publication date: May-2019
  • (2019) A moving target defense and network forensics framework for ISP networks using SDN and NFV. Future Generation Computer Systems 94(C):496-509, doi:10.1016/j.future.2018.11.045. Online publication date: 1-May-2019
  • (2019) Cyber Regulatory Networks: Towards a Bio-inspired Auto-resilient Framework for Cyber-Defense. Bio-inspired Information and Communication Technologies, pp. 156-174, doi:10.1007/978-3-030-24202-2_12. Online publication date: 24-Jul-2019
