DOI: 10.1145/3268966.3268970

Catch Me If You Can: Dynamic Concealment of Network Entities

Published: 15 January 2018

ABSTRACT

In this paper, a framework for Moving Target Defense is introduced. The framework rests on three pillars: network address mutation, communication stack randomization and the dynamic deployment of decoys. The network address mutation is based on the concept of domain generation algorithms, with additional features included to fulfill the system requirements. Those requirements are time dependency, unpredictability and determinism. Communication stack randomization is applied additionally to increase the complexity of reconnaissance activity. By employing communication stack randomization, previously fingerprinted systems differ not only in their network address but also in their communication pattern behavior. Finally, decoys are integrated into the proposed framework to detect attackers that have breached the perimeter. Furthermore, an attacker's resources can be bound by interacting with the decoy systems. Additionally, the framework can be extended with more advanced Moving Target Defense methods such as obscuring port numbers of services.
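The abstract names three requirements for the address mutation generator: time dependency, unpredictability and determinism. The following added example (not code from the paper; the authors' exact construction is not on this page) shows how a keyed hash over a shared secret, a host identifier and a time-slot index meets all three, including deterministic resolution of address collisions so that every authorised party derives the same address map. The key, host identifiers, subnet and mutation period are constructed assumptions.

```python
import hashlib
import hmac
import ipaddress

def time_slot(unix_ts, period_s=300):
    """Index of the mutation interval containing unix_ts. Every party with a
    synchronised clock computes the same index (time dependency)."""
    return int(unix_ts) // period_s

def mutate_address(key, host_id, slot, network, attempt=0):
    """Keyed, deterministic address for one host in one slot (hypothetical
    construction). Without the key the output is unpredictable to a scanner;
    with it any authorised peer recomputes it. 'attempt' only resolves collisions."""
    net = ipaddress.ip_network(network)
    msg = f"{host_id}|{slot}|{attempt}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    usable = net.num_addresses - 2            # exclude network and broadcast
    offset = 1 + int.from_bytes(digest[:8], "big") % usable
    return net.network_address + offset

def assign_slot(key, host_ids, slot, network="10.0.0.0/16"):
    """Address map {host_id: address} for one slot. Hosts are processed in
    sorted order so all parties resolve collisions identically (determinism)."""
    taken = {}
    for host in sorted(host_ids):
        attempt = 0
        addr = mutate_address(key, host, slot, network, attempt)
        while addr in taken:                  # collision: re-derive with next attempt
            attempt += 1
            addr = mutate_address(key, host, slot, network, attempt)
        taken[addr] = host
    return {host: str(addr) for addr, host in taken.items()}

def resolve(key, host_ids, host_id, unix_ts, period_s=300, network="10.0.0.0/16"):
    """What a legitimate client does at connection time: derive the peer's
    current address instead of reading it from a static table."""
    return assign_slot(key, host_ids, time_slot(unix_ts, period_s), network)[host_id]

def schedule(key, host_ids, host_id, start_ts, slots, period_s=300, network="10.0.0.0/16"):
    """Addresses one host will occupy over the next 'slots' intervals."""
    first = time_slot(start_ts, period_s)
    return [assign_slot(key, host_ids, first + i, network)[host_id] for i in range(slots)]

if __name__ == "__main__":
    # Constructed sample deployment (not taken from the paper).
    KEY = b"constructed-demo-key-rotate-me"
    HOSTS = ["db01", "web01", "web02", "decoy01"]
    for ts in (1_700_000_000, 1_700_000_300):
        print(time_slot(ts), assign_slot(KEY, HOSTS, time_slot(ts)))
```

A host that fails to keep clock sync or loses the key stops resolving its peers, so key distribution and time synchronisation are the operational dependencies of this scheme.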


Published in

MTD '18: Proceedings of the 5th ACM Workshop on Moving Target Defense
October 2018
96 pages
ISBN: 9781450360036
DOI: 10.1145/3268966

Copyright © 2018 ACM


Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance Rates

MTD '18 paper acceptance rate: 5 of 5 submissions, 100%. Overall acceptance rate: 40 of 92 submissions, 43%.
