Effectiveness of IP address randomization in decoy-based moving target defense

In a decoy-based moving target defense (MTD), a computer network introduces a large number of virtual decoy nodes in order to prevent the adversary from locating and targeting real nodes. Since the decoys can eventually be identified and their Internet Protocol (IP) addresses blacklisted by the adversary, current MTD approaches suggest that the IP addresses of the real and decoy nodes should be randomly refreshed and reassigned over time. Refreshing and reassigning the IP addresses, however, disrupts services, such as established TCP connections, that are bound to the IP address. We introduce an analytical approach to MTD that chooses the randomization policy so as to minimize disruption to system performance. Our approach consists of two components. First, we model the interaction between the adversary and a virtual node as a sequential detection process, in which the adversary attempts to determine whether the node is real or a decoy in the minimum possible time. We compute the adversary's optimal decision strategy and derive closed-form expressions for the expected time to identify the real node under this strategy. Second, we formulate the problem of deciding when to randomize the IP addresses as an optimal stopping problem that trades off the probability of the real node being detected against the disruption to network services. We derive the optimal randomization policy for the network and analyze the detection probability, the expected number of connections lost due to IP randomization, and the expected time between randomizations under the proposed policy. Our results are illustrated via a simulation study using real-world data from NMAP, a network scanner whose fingerprinting output can be used to identify decoy nodes. The simulation study indicates that our IP randomization policy reduces the probability of detection while minimizing the number of connections disrupted by the randomization.
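The two components described above, as an added illustration that is not code from the paper: the adversary's sequential real-versus-decoy decision is implemented with Wald's sequential probability ratio test (SPRT), the standard optimal test for minimum-time binary hypothesis testing, and a toy Monte Carlo simulation then exposes the trade-off between a fixed IP refresh period, the probability that the real node is detected, and the number of connections dropped by each refresh. The probe-response model (a probe returns "looks virtual" with probability 0.7 for a decoy and 0.3 for a real host), the node count, the horizon, the round-robin probing order, and the one-connection-per-refresh cost are all constructed assumptions; the paper's actual model, data and optimal policy are not reproduced here.

```python
"""Added illustration (not from the paper): SPRT decoy classification plus a toy
simulation of the refresh-period trade-off. All parameters are assumptions."""
import math
import random

# Assumed probe model: each probe yields 1 ("looks virtual", e.g. an odd OS
# fingerprint) or 0 ("looks real"). These probabilities are constructed.
P_DECOY = 0.7   # P(observe 1 | node is a decoy)
P_REAL = 0.3    # P(observe 1 | node is real)


def llr_step(obs, p_real=P_REAL, p_decoy=P_DECOY):
    """Log-likelihood ratio of one probe for H1 = decoy against H0 = real."""
    if obs:
        return math.log(p_decoy / p_real)
    return math.log((1.0 - p_decoy) / (1.0 - p_real))


def sprt_thresholds(alpha, beta):
    """Wald's approximate thresholds for false-alarm rate alpha and miss rate beta."""
    return math.log((1.0 - beta) / alpha), math.log(beta / (1.0 - alpha))


def sprt_classify(observations, alpha=0.05, beta=0.05):
    """Accumulate the LLR over probes and stop at the first threshold crossing.
    Returns (verdict, probes_used) with verdict in {"decoy", "real", "undecided"}."""
    upper, lower = sprt_thresholds(alpha, beta)
    s, n = 0.0, 0
    for n, obs in enumerate(observations, 1):
        s += llr_step(obs)
        if s >= upper:
            return "decoy", n
        if s <= lower:
            return "real", n
    return "undecided", n


def expected_probes_to_decide(is_decoy, trials=2000, seed=1):
    """Monte Carlo estimate of the adversary's expected time to classify one node."""
    rng = random.Random(seed)
    p = P_DECOY if is_decoy else P_REAL

    def probes():
        while True:                      # the SPRT stops with probability 1
            yield 1 if rng.random() < p else 0

    return sum(sprt_classify(probes())[1] for _ in range(trials)) / trials


def simulate_network(n_nodes, period, horizon, rng, conns_per_refresh=1):
    """One run. The adversary cycles over non-blacklisted nodes, keeping an SPRT
    per node. A node judged 'decoy' is blacklisted; a node judged 'real' is
    attacked, which either hits the real node (detection) or exposes a decoy,
    which is then blacklisted. Every `period` probes (0 = never) the network
    reassigns all addresses: the adversary's evidence and blacklist are wiped
    (assumption) and the real node drops `conns_per_refresh` live connections.
    Returns (detected, connections_lost)."""
    upper, lower = sprt_thresholds(0.05, 0.05)
    real = rng.randrange(n_nodes)
    llr = [0.0] * n_nodes
    blacklisted = set()
    lost = 0
    for t in range(1, horizon + 1):
        candidates = [i for i in range(n_nodes) if i not in blacklisted]
        if candidates:
            i = candidates[(t - 1) % len(candidates)]
            p = P_REAL if i == real else P_DECOY
            llr[i] += llr_step(1 if rng.random() < p else 0)
            if llr[i] >= upper:
                blacklisted.add(i)
            elif llr[i] <= lower:
                if i == real:
                    return True, lost
                blacklisted.add(i)
        if period and t % period == 0:
            real = rng.randrange(n_nodes)
            llr = [0.0] * n_nodes
            blacklisted.clear()
            lost += conns_per_refresh
    return False, lost


def evaluate_policy(period, n_nodes=10, horizon=300, trials=500, seed=7):
    """Detection probability and mean connections lost for a fixed refresh period."""
    rng = random.Random(seed)
    detected = lost_total = 0
    for _ in range(trials):
        d, lost = simulate_network(n_nodes, period, horizon, rng)
        detected += d
        lost_total += lost
    return {"p_detect": detected / trials, "mean_lost": lost_total / trials}


if __name__ == "__main__":
    print("E[probes] decoy: %.1f  real: %.1f" % (
        expected_probes_to_decide(True), expected_probes_to_decide(False)))
    for period in (0, 80, 40, 30):
        print("refresh every %3d probes:" % period, evaluate_policy(period))
```

With alpha = beta = 0.05 the SPRT thresholds are +/- ln 19, so at least four same-sign probes are needed before any verdict; a refresh period of 30 probes over 10 nodes therefore gives the adversary at most three probes per node per window and drives the detection probability to zero, at the price of one dropped connection per refresh. Longer periods let detections through again, which is the trade-off the optimal stopping formulation resolves; the paper's closed-form expressions, not this simulation, give the actual policy.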
