ABSTRACT
This paper introduces a framework for Moving Target Defense built on three pillars: network address mutation, communication stack randomization, and the dynamic deployment of decoys. Network address mutation borrows from the concept of domain generation algorithms, with features added to meet the system's requirements: time dependency, unpredictability, and determinism. Communication stack randomization is applied in addition, to raise the cost of reconnaissance: a system that has been fingerprinted once differs afterwards not only in its network address but also in the behaviour of its communication stack. Finally, decoys are integrated into the framework to detect attackers who have already breached the perimeter, and interaction with the decoy systems ties up attacker resources. The framework can be extended with further Moving Target Defense methods, such as obscuring the port numbers of services.
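The three requirements named for address mutation (time dependency, unpredictability, determinism) can be met with a keyed, epoch-indexed derivation in the style of a domain generation algorithm. The following Python is an added illustration, not the paper's own algorithm: the HMAC construction, the 10.20.0.0/16 mutation pool, the 300-second epoch and the collision handling are all assumptions made for this example.

```python
import hashlib
import hmac
import ipaddress

# Constructed parameters for illustration only; none of these values come from the paper.
SUBNET = ipaddress.ip_network("10.20.0.0/16")  # assumed address pool to mutate within
EPOCH_SECONDS = 300                             # assumed mutation interval


def epoch_index(unix_time: float, interval: int = EPOCH_SECONDS) -> int:
    """Time dependency: each `interval` seconds of wall-clock time maps to one epoch index,
    so every party with a synchronised clock derives the same index."""
    return int(unix_time) // interval


def mutated_address(key: bytes, host_id: str, epoch: int,
                    subnet: ipaddress.IPv4Network = SUBNET) -> ipaddress.IPv4Address:
    """Determinism: the same (key, host_id, epoch) always yields the same address.
    Unpredictability: without `key`, an observer who has seen earlier addresses
    cannot compute the next one, because the mapping is an HMAC (assumed construction)."""
    msg = f"{host_id}|{epoch}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    # Map the digest onto host addresses only, skipping the network and broadcast addresses.
    usable = subnet.num_addresses - 2
    offset = 1 + int.from_bytes(digest[:8], "big") % usable
    return subnet.network_address + offset


def address_schedule(key: bytes, host_id: str, start_time: float, count: int) -> list:
    """Addresses one host will use over the next `count` epochs. A gateway or resolver
    that shares the key can precompute this to keep forwarding state in sync."""
    first = epoch_index(start_time)
    return [mutated_address(key, host_id, first + i) for i in range(count)]


def assign_epoch(key: bytes, host_ids, epoch: int,
                 subnet: ipaddress.IPv4Network = SUBNET) -> dict:
    """Assign every host a distinct address for one epoch. Two hosts can hash to the
    same address; the collision is resolved by rehashing with a counter in a fixed
    host order, so all key holders compute an identical table (assumed policy)."""
    taken = set()
    table = {}
    for host in sorted(host_ids):
        counter = 0
        while True:
            addr = mutated_address(key, f"{host}#{counter}", epoch, subnet)
            if addr not in taken:
                break
            counter += 1
        taken.add(addr)
        table[host] = addr
    return table


if __name__ == "__main__":
    key = b"example-shared-secret"  # constructed; in practice provisioned out of band
    for epoch, addr in enumerate(address_schedule(key, "web01", 0, 4)):
        print(f"epoch {epoch}: web01 -> {addr}")
    print(assign_epoch(key, ["web01", "db01", "jump01"], epoch=7))
```

Any party that must find a mutated host (the gateway rewriting addresses, the resolver answering clients) needs the key and a synchronised clock; an attacker who only observes traffic sees addresses that change every epoch with no computable pattern. Hosts that hash to the same address within an epoch are handled by the deterministic rehash, which every key holder reproduces identically.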
Catch Me If You Can: Dynamic Concealment of Network Entities