Frequency-minimal moving target defense using software-defined networking

With the increase of cyber attacks such as DoS, there is a need for intelligent counter-strategies to protect critical cloud-hosted applications. The challenge for the defense is to minimize the waste of cloud resources and limit loss of availability, yet have effective proactive and reactive measures that can thwart attackers. In this paper we address these defense needs by leveraging moving target defense protection within Software-Defined Networking-enabled cloud infrastructure. Our novelty is in the frequency minimization and consequent location selection of target movement across heterogeneous virtual machines based on attack probability, which in turn minimizes cloud management overheads. We evaluate the effectiveness of our scheme using a large-scale GENI testbed for a just-in-time news feed application setup. Our results show a low attack success rate and higher performance of the target application in comparison to existing static moving target defense schemes that assume homogeneous virtual machines.
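The abstract contrasts a static moving target defense that shuffles the target on a fixed schedule with one that moves only when the estimated attack probability on the current host warrants it, and that picks the destination among heterogeneous VMs. The simulation below is an added illustration of that trade-off and is not the paper's algorithm or evaluation code: the three VMs, their capacities, the attacker trace, the exponentially smoothed per-host attack-probability estimator and the 0.5 movement threshold are all constructed assumptions. It counts migrations (management overhead), intervals in which the attacked host is the one serving the target (attack success), and the capacity of the VM serving the target summed over intervals (a proxy for application performance on a heterogeneous pool).

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Host:
    name: str
    capacity: float           # relative serving capacity of this VM (pool is heterogeneous)
    attack_prob: float = 0.0  # estimated probability the host is attacked in the next interval


# Constructed example pool: three VMs of differing capacity, no attack history yet.
HOSTS: Dict[str, Host] = {
    "vm-a": Host("vm-a", 1.0),
    "vm-b": Host("vm-b", 2.0),
    "vm-c": Host("vm-c", 1.5),
}

# Constructed attacker trace: the host a flooding attacker targets in each interval.
ATTACK_TRACE: List[str] = ["vm-a"] * 3 + ["vm-b"] * 2 + ["vm-c"] * 2 + ["vm-a"] * 3


def update_estimates(hosts: Dict[str, Host], attacked: str, alpha: float = 0.5) -> None:
    """Assumed estimator: exponentially smoothed per-host attack probability
    derived from which host was observed under attack in the last interval."""
    for h in hosts.values():
        observed = 1.0 if h.name == attacked else 0.0
        h.attack_prob = alpha * observed + (1 - alpha) * h.attack_prob


def choose_location(hosts: Dict[str, Host], current: str) -> str:
    """Location selection: lowest estimated attack probability wins;
    ties go to the larger VM so heterogeneity is used, not ignored."""
    candidates = [h for h in hosts.values() if h.name != current]
    return min(candidates, key=lambda h: (h.attack_prob, -h.capacity)).name


def periodic_policy(hosts: Dict[str, Host], current: str, order: List[str]) -> str:
    """Static MTD: move every interval regardless of threat (round-robin here)."""
    return order[(order.index(current) + 1) % len(order)]


def frequency_minimal_policy(hosts: Dict[str, Host], current: str, order: List[str],
                             threshold: float = 0.5) -> str:
    """Move only when the current host's estimated attack probability reaches
    the threshold; otherwise stay put and avoid a migration."""
    if hosts[current].attack_prob >= threshold:
        return choose_location(hosts, current)
    return current


def simulate(policy, start: str = "vm-a") -> Dict[str, float]:
    """Run the attacker trace against a movement policy and report
    migrations, successful attack intervals and served capacity."""
    hosts = {n: Host(h.name, h.capacity) for n, h in HOSTS.items()}  # fresh estimates
    order = list(hosts)
    loc, moves, hits, served = start, 0, 0, 0.0
    for attacked in ATTACK_TRACE:
        if attacked == loc:       # attack lands on the host currently serving the target
            hits += 1
        served += hosts[loc].capacity
        update_estimates(hosts, attacked)
        nxt = policy(hosts, loc, order)   # movement takes effect for the next interval
        if nxt != loc:
            moves += 1
            loc = nxt
    return {"moves": moves, "hits": hits, "served": served}


if __name__ == "__main__":
    for label, pol in (("periodic shuffle", periodic_policy),
                       ("frequency-minimal", frequency_minimal_policy)):
        print(f"{label:18s} {simulate(pol)}")
```

On this constructed trace both policies are hit in the same number of intervals, but the probability-driven policy migrates less than half as often and spends more intervals on the larger VMs, which is the kind of overhead and performance difference the abstract claims; the estimator and threshold are the knobs a defender would tune against real traffic, and a reactive estimator like this one will always concede the first interval of a burst on a freshly chosen host.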