Probabilistic Performance Analysis of Moving Target and Deception Reconnaissance Defenses

Deception and moving target reconnaissance defenses are techniques that attempt to invalidate information an attacker attempts to gather. Deception defenses attempt to mislead attackers performing network reconnaissance, while moving target defenses seek to make it more difficult for the attacker to predict the state of their target by dynamically altering what the attacker sees. Although the deployment of reconnaissance defenses can be effective, there are nontrivial administration costs associated with their configuration and maintenance. As a result, understanding under the circumstances these defenses are effective and efficient is important. This paper introduces probabilistic models for reconnaissance defenses to provide deeper understanding of the theoretical effect these strategies and their parameters have for cyber defense. The models quantify the success of attackers under various conditions, such as network size, deployment of size, and number of vulnerable computers. This paper provides a probabilistic interpretation for the performance of honeypots, for deception, and network address shuffling, for moving target, and their effect in concert. The models indicate that a relatively small number of deployed honeypots can provide an effective defense strategy, often better than movement alone. Furthermore, the models confirm the intuition that that combining, or layering, defense mechanisms provide the largest impact to attacker success while providing a quantitative analysis of the improvement and parameters of each strategy.

[1]  Thomas E. Carroll,et al.  Analysis of network address shuffling as a moving target defense , 2014, 2014 IEEE International Conference on Communications (ICC).

[2]  Neil C. Rowe,et al.  Measuring the Effectiveness of Honeypot Counter-Counterdeception , 2006, Proceedings of the 39th Annual Hawaii International Conference on System Sciences (HICSS'06).

[3]  Fred Cohen Moving target defenses with and without cover deception , 2011 .

[4]  Hosam M. Mahmoud,et al.  Polya Urn Models , 2008 .

[5]  Lance Spitzner,et al.  The Honeynet Project: Trapping the Hackers , 2003, IEEE Secur. Priv..

[6]  T. Holz,et al.  Detecting honeypots and other suspicious environments , 2005, Proceedings from the Sixth Annual IEEE SMC Information Assurance Workshop.

[7]  Fei Li,et al.  A moving target DDoS defense mechanism , 2014, Comput. Commun..

[8]  Rayford B. Vaughn,et al.  Experiences with Honeypot Systems: Development, Deployment, and Analysis , 2006, Proceedings of the 39th Annual Hawaii International Conference on System Sciences (HICSS'06).

[9]  Dawn Xiaodong Song,et al.  Detection of Interactive Stepping Stones: Algorithms and Confidence Bounds , 2004, RAID.

[10]  Ehab Al-Shaer,et al.  Spatio-temporal Address Mutation for Proactive Cyber Agility against Sophisticated Attackers , 2014, MTD '14.

[11]  Zhenhua Liu,et al.  Port and Address Hopping for Active Cyber-Defense , 2007, PAISI.

[12]  N.C. Rowe,et al.  Thwarting Cyber-Attack Reconnaissance with Inconsistency and Deception , 2007, 2007 IEEE SMC Information Assurance and Security Workshop.

[13]  Hosam Mahmoud,et al.  P√≥lya Urn Models , 2008 .

[14]  Erik Lee,et al.  Final Report for the Network Security Mechanisms Utilizing Network Address Translation LDRD Project , 2002 .

[15]  Xuejun Tan,et al.  On Recognizing Virtual Honeypots and Countermeasures , 2006, 2006 2nd IEEE International Symposium on Dependable, Autonomic and Secure Computing.