A Cost-Based Mechanism for Evaluating the Effectiveness of Moving Target Defenses

We propose a means for evaluating the strength of network-based moving target defenses using a general model of tag switching. Tag switching breaks the network into tags (labels for entities on the network) and assets (hosts present on the network) whose relationships are mediated by lookup protocols such as DNS, ARP, or BGP. Lookup protocols hide the relationship between tags and assets, and are already used to provide dynamic asset allocation for scaling and defense. Our model provides a generalized means for describing tags and assets within tag spaces defined by the defender, and then quantifies the attacker's ability to manipulate a network within a tag space. Defenders manipulate the tag/asset relationship over time using one of a number of moving target defenses. The impact of these defenses is quantifiable and can be used to determine how effective different defensive postures will be.
