Proactive Defense Through Deception

Cyberattacks are typically preceded by a reconnaissance phase in which attackers aim to collect valuable information about the target system, including network topology, service dependencies, operating systems (OSs), and unpatched vulnerabilities. Unfortunately, when system configurations are static, given enough time, attackers can always acquire accurate knowledge about the target system through a variety of tools—including OS and service fingerprinting—and engineer effective exploits. To address this important problem and increase the resiliency of systems against known and unknown attacks, many techniques have been devised to dynamically and periodically change some aspects of a system’s configuration in order to introduce uncertainty for the attacker. However, these techniques, commonly referred to as moving target defenses, may introduce a significant overhead for the defender. To address this limitation, we present a graph-based approach for manipulating the attacker’s view of a system’s attack surface, which does not require altering the actual configuration of the system. To achieve this objective, we first formalize the notions of system view and distance between views, and then define a principled approach to manipulating responses to the attacker’s probes so as to induce an external view of the system that satisfies certain desirable properties. In particular, we propose efficient algorithmic solutions to two classes of problems, namely, (i) inducing an external view that is at a minimum distance from the internal view while minimizing the cost for the defender, and (ii) inducing an external view that maximizes the distance from the internal view, given an upper bound on the cost for the defender. In order to demonstrate the practical applicability of the proposed approach, we present deception-based techniques for defeating an attacker’s effort to fingerprint OSs and services on the target system. These techniques consist of manipulating outgoing traffic so that it resembles traffic generated by a completely different system. Experimental results show that our approach can efficiently and effectively deceive an attacker.
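As an added illustration (not code from the paper), the toy model below solves the two problem classes described above by exhaustive search over a small set of candidate manipulations. It assumes a simplified notion of a view (a host-to-attribute map rather than the paper's graph-based formalization) and a Hamming-style distance; the hosts, attributes, manipulations and costs are all constructed.

```python
from itertools import combinations

# Constructed internal view: host -> {attribute: value}. This is a simplification
# of the paper's formal "system view"; the real formalization is graph-based.
INTERNAL_VIEW = {
    "web": {"os": "Linux 4.x", "ttl": 64, "svc:80": "Apache 2.4"},
    "db":  {"os": "Windows 2012", "ttl": 128, "svc:1433": "MSSQL 2014"},
}

# Constructed manipulations: (host, attributes the rewritten responses would
# reveal, defender cost). Costs are made-up units of per-flow rewriting effort.
MANIPULATIONS = [
    ("web", {"os": "FreeBSD 10", "ttl": 64}, 3),   # TTL unchanged: gains no distance
    ("web", {"svc:80": "nginx 1.9"}, 1),
    ("db",  {"os": "Linux 3.x", "ttl": 64}, 4),    # OS and TTL both change
    ("db",  {"svc:1433": "MySQL 5.6"}, 2),
]

def apply(view, chosen):
    """External view the attacker would observe after the chosen manipulations."""
    ext = {host: dict(attrs) for host, attrs in view.items()}
    for host, changes, _cost in chosen:
        ext[host].update(changes)
    return ext

def distance(a, b):
    """Assumed metric: number of (host, attribute) pairs whose values differ."""
    return sum(1 for h in a for k in a[h] if a[h][k] != b[h].get(k))

def subsets(items):
    for r in range(len(items) + 1):
        yield from combinations(items, r)

def min_cost_for_distance(view, manips, d_min):
    """Problem (i): cheapest manipulation set whose view is at distance >= d_min.
    Returns (cost, manipulations) or None if d_min is unreachable."""
    best = None
    for s in subsets(manips):
        cost = sum(c for _, _, c in s)
        if distance(view, apply(view, s)) >= d_min and (best is None or cost < best[0]):
            best = (cost, s)
    return best

def max_distance_for_budget(view, manips, budget):
    """Problem (ii): largest reachable distance with total cost <= budget."""
    best = (0, ())
    for s in subsets(manips):
        if sum(c for _, _, c in s) <= budget:
            d = distance(view, apply(view, s))
            if d > best[0]:
                best = (d, s)
    return best
```

Exhaustive search is exact but exponential in the number of candidate manipulations; the paper's contribution is efficient algorithms for these problems at realistic scale, which this toy does not attempt.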
