Performance Modeling of Moving Target Defenses

In recent years, Moving Target Defense (MTD) has emerged as a potential game changer in the security landscape, because it can create asymmetric uncertainty that favors the defender. Many different MTD techniques have since been proposed, each addressing an often very specific set of attack vectors. Despite the substantial progress made in this area, critical gaps remain in the analysis and quantification of the costs and benefits of deploying MTD techniques. Common metrics for assessing the performance of these techniques are still lacking, and existing proposals tend to evaluate performance in different and often incompatible ways. This paper addresses these gaps by proposing a quantitative analytic model for assessing the resource availability and performance of MTDs, together with a method for determining the highest reconfiguration rate, and thus the smallest probability of attacker success, that still meets given performance and stability constraints. Finally, we present an experimental validation of the proposed approach.
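The trade-off the abstract describes, a higher reconfiguration rate lowering the attacker's success probability while consuming server capacity and degrading response time, can be made concrete with a toy model. The following Python is an added illustration, not the model or the code from the paper: it assumes a single server where user requests arrive at rate lam with mean service time s, each reconfiguration costs c seconds of server time, reconfigurations occur as a Poisson process with rate r, response time follows an M/M/1-style approximation s/(1-rho), and the attacker needs an uninterrupted window of t_attack seconds so that P(success) = exp(-r * t_attack). All parameter names and the closed-form solution are assumptions of this example; the paper's own model and constraints are not reproduced here.

```python
import math

# Toy capacity model (assumed for this example, not the paper's model):
# the server's busy fraction is user work plus reconfiguration work.
def utilization(lam, s, r, c):
    """rho = lam*s + r*c: arrival rate * service time plus reconfig rate * cost."""
    return lam * s + r * c


def mean_response_time(lam, s, r, c):
    """M/M/1-style approximation W = s/(1-rho); infinite once rho >= 1."""
    rho = utilization(lam, s, r, c)
    if rho >= 1.0:
        return math.inf
    return s / (1.0 - rho)


def attacker_success_probability(r, t_attack):
    """Probability that no reconfiguration lands inside the attacker's window
    when reconfigurations form a Poisson process with rate r."""
    return math.exp(-r * t_attack)


def max_reconfiguration_rate(lam, s, c, rho_max, w_max):
    """Largest r such that rho <= rho_max (stability) and W <= w_max (performance).

    Both constraints are linear in r under this toy model, so the answer is the
    smaller of the two bounds, clamped at zero when the base load already
    violates a constraint (MTD cannot be run at all in that case)."""
    r_stab = (rho_max - lam * s) / c                  # lam*s + r*c <= rho_max
    r_perf = (1.0 - s / w_max - lam * s) / c          # s/(1-rho) <= w_max
    return max(min(r_stab, r_perf), 0.0)


def max_reconfiguration_rate_by_search(lam, s, c, rho_max, w_max, step=0.001):
    """Brute-force check of the closed form: scan r upward until a constraint
    fails. Useful when a richer model has no closed-form solution."""
    r = 0.0
    best = 0.0
    while True:
        rho = utilization(lam, s, r, c)
        if rho > rho_max or mean_response_time(lam, s, r, c) > w_max:
            return best
        best = r
        r += step


def plan(lam, s, c, rho_max, w_max, t_attack):
    """Pick the highest feasible rate and report the resulting operating point."""
    r = max_reconfiguration_rate(lam, s, c, rho_max, w_max)
    return {
        "rate": r,
        "utilization": utilization(lam, s, r, c),
        "response_time": mean_response_time(lam, s, r, c),
        "p_attacker_success": attacker_success_probability(r, t_attack),
    }


if __name__ == "__main__":
    # Constructed sample parameters: 50 req/s, 10 ms per request, 200 ms per
    # reconfiguration, at most 80% busy, at most 40 ms mean response time,
    # attacker needs a 5 s undisturbed window.
    result = plan(lam=50.0, s=0.01, c=0.2, rho_max=0.8, w_max=0.04, t_attack=5.0)
    for key, value in result.items():
        print(f"{key:>20}: {value:.5f}")
```

With the sample parameters the performance constraint binds before the stability one (1.25 reconfigurations per second versus 1.5), so the server runs at 75% utilization with a 40 ms mean response time and the attacker's 5 s window survives a reconfiguration-free interval with probability exp(-6.25), roughly 0.2%. Raising rho_max alone would not help; only a looser response-time target or a cheaper reconfiguration would allow a higher rate.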
