Automated benchmark network diversification for realistic attack simulation with application to moving target defense

With the number of exploitable vulnerabilities and attacks on networks constantly increasing, it is important to employ defensive techniques to protect one’s systems. A wide range of defenses is available, and new paradigms such as Moving Target Defense (MTD) are rising in popularity. But to make informed decisions on which defenses to implement, it is necessary to evaluate their effectiveness first. In many cases, the full impact these techniques have on security is not yet well understood. In this paper we propose network defense evaluation based on detailed attack simulation. Using a flexible modeling language, networks, attacks, and defenses are described in high detail, yielding a fine-grained scenario definition. Based on this, an automated instantiator generates a wide range of realistic benchmark networks. These serve as the basis for simulations, making it possible to evaluate the security impact of different defenses, both quantitatively and qualitatively. A case study based on a mid-sized corporate network scenario and different Moving Target Defenses illustrates the usefulness of this approach. Results show that virtual machine migration, a frequently suggested MTD technique, more often degrades than improves security. Hence, we argue that evaluation based on realistic attack simulation is a qualified approach to examine and verify claims of newly proposed defense techniques.
