Misery Digraphs: Delaying Intrusion Attacks in Obscure Clouds

When a remote command injection attack succeeds at an entry point of a cloud (a server exposed to the public Internet), an attacker after a specific asset in that cloud must explore further to find it. Attack targets such as database servers usually run on separate machines, which forces at least one extra step before the attack succeeds. However, compromising two or three machines is all an attacker needs to reach an isolated database along a simple attack path. The goal of this paper is to investigate whether attackers can be frustrated by a cloud network architecture that hides the path to a target asset, using multiple moving decoy virtual machines and confusing firewall configurations. A deceiving cloud network architecture can significantly delay attacks (by stretching the attack path from a handful of steps to thousands), giving system administrators time to intervene and resolve the intrusion. This paper introduces the concept of misery digraphs, which provide a theoretical foundation for intrusion deception in clouds. It describes the steps needed to convert a cloud into one that includes a misery digraph, and evaluates the feasibility and effectiveness of the approach on Amazon Web Services. Our simulation results show that for a cloud implementing misery digraphs over a simple attack path of length five, there is a 91% probability that an attack requires at least 1000 steps to reach the target.
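As an added illustration for this page (it is not the paper's misery-digraph construction or its simulation code), the following Python toy model shows why hiding each real hop among moving decoys turns a five-step attack path into one of thousands of steps. The attacker model is an assumption of ours: the attacker cannot distinguish the real next hop from a decoy and picks a candidate edge uniformly at random, and compromising a decoy costs one step and, because the decoys move, drops the attacker back at the entry host. The parameter values (five hops, four decoys per hop) and the closed-form expectation are likewise ours, chosen to make the effect visible.

```python
"""Toy Monte Carlo model of attack-path stretching with moving decoys.

Constructed illustration for this page; it is NOT the paper's misery-digraph
construction or simulation code.  The node layout, attacker model and
parameter values below are assumptions.
"""
import random
from statistics import mean, median

ENTRY = 0  # assumption: the already-compromised, Internet-facing entry host


def simple_attack(path_length):
    """Undefended cloud: one real hop per machine, so the target costs exactly
    path_length compromises (the 'simple attack path' of the abstract)."""
    node, steps = ENTRY, 0
    while node < path_length:
        node += 1   # the only outgoing edge leads to the next real machine
        steps += 1
    return steps


def decoyed_attack(path_length, decoys_per_hop, rng):
    """Deception cloud: each real hop is hidden among decoys_per_hop decoy VMs.

    Assumed attacker model (ours):
    - the attacker cannot tell the real next hop from a decoy, so it picks one
      of the decoys_per_hop + 1 candidate edges uniformly at random;
    - compromising a decoy costs one step and, because decoys move and the
      reachable front is re-randomized, drops the attacker back at ENTRY.
    """
    p_real = 1.0 / (decoys_per_hop + 1)
    node, steps = ENTRY, 0
    while node < path_length:
        steps += 1
        if rng.random() < p_real:
            node += 1        # guessed the real edge
        else:
            node = ENTRY     # burned a decoy; progress lost
    return steps


def expected_steps(path_length, decoys_per_hop):
    """Closed form for the model above: expected number of trials until a run
    of path_length consecutive successes with success probability p, i.e.
    sum_{k=1..L} p^-k.  It grows geometrically in the path length."""
    if decoys_per_hop == 0:
        return float(path_length)   # no decoys: the path is simply walked
    p = 1.0 / (decoys_per_hop + 1)
    return sum(p ** -k for k in range(1, path_length + 1))


def simulate(path_length, decoys_per_hop, trials=1000, threshold=1000, seed=1):
    """Run the toy model and report how often an attack needs >= threshold steps."""
    rng = random.Random(seed)
    runs = [decoyed_attack(path_length, decoys_per_hop, rng) for _ in range(trials)]
    return {
        "simple_steps": simple_attack(path_length),
        "expected_steps": expected_steps(path_length, decoys_per_hop),
        "mean_steps": mean(runs),
        "median_steps": median(runs),
        "p_at_least_threshold": sum(s >= threshold for s in runs) / trials,
    }


if __name__ == "__main__":
    # Five real hops, four decoys per hop: parameters chosen for illustration only.
    for key, value in simulate(5, 4).items():
        print(f"{key:>22}: {value}")
```

With five hops and four decoys per hop the undefended path still costs five compromises, while the expected cost under the toy model is 5 + 25 + 125 + 625 + 3125 = 3905 steps, and the large majority of simulated attacks need at least 1000 steps. The point the model makes is structural rather than numeric: the attacker's cost is governed by the product of the per-hop branching factors, so a modest number of indistinguishable decoys per hop is enough to move the attack from seconds to a scale at which an administrator can notice and respond.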
