Network moving target defense technique based on collaborative mutation

Abstract

Moving target defense is emerging as a research hotspot for addressing the asymmetric situation between attack and defense in cyberspace, and network mutation is one of its key technologies. To improve the defensive benefit brought by network mutation while ensuring the service quality of network systems, a novel network moving target defense technique based on collaborative mutation is proposed. To maximize the defensive benefit, collaborative mutation and self-learning mutation strategy selection are proposed. In collaborative mutation, end-point mutation and routing mutation are adopted together so as to enlarge the mutation space. Mutation strategy selection based on adversary strategy awareness is designed by using hypothesis testing to self-learn malicious reconnaissance strategies, thus maximizing the unpredictability of network mutation. Then, satisfiability modulo theories and mutation collision avoidance are used to improve availability in networks with limited resources. Satisfiability modulo theories are used to formally describe the overhead constraints of the mutation, so as to ensure the quality of service. In addition, mutation collision avoidance based on network fingerprinting is designed to eliminate mutation collisions, thus improving the availability of the proposed method. Finally, theoretical and experimental analyses demonstrate that the proposed technique can effectively resist different types of malicious reconnaissance strategies while keeping the mutation overhead low.
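The following is an added illustration of the three ideas in the abstract (the joint end-point/route mutation space, the overhead constraint, and collision avoidance); it is not code from the paper. The topology, address pool, link loads and the plain hop-count/load predicate standing in for the paper's SMT formulation are all constructed assumptions.

```python
import random
from itertools import product

# Constructed example topology: candidate routes (lists of switch ids) from the
# gateway to each protected host, and a pool of mutable virtual addresses.
ROUTES = {
    "h1": [["s1", "s3"], ["s1", "s2", "s3"], ["s1", "s4", "s2", "s3"]],
    "h2": [["s1", "s4"], ["s1", "s2", "s4"]],
}
VADDR_POOL = [f"10.0.9.{i}" for i in range(1, 9)]  # constructed addresses


def mutation_space(host):
    """Collaborative mutation: end-point (address) mutation and routing mutation
    are combined, so the candidate space is the product of both sets rather
    than the size of either one alone."""
    return len(VADDR_POOL) * len(ROUTES[host])


def satisfies_overhead(path, max_hops, link_load, max_load):
    """Simplified overhead constraint: bounded hop count and no switch on the
    path above its load budget. The paper encodes such constraints with SMT;
    this predicate is a hypothetical stand-in for that check."""
    return len(path) <= max_hops and all(
        link_load.get(sw, 0) <= max_load for sw in path
    )


def select_mutation(host, current, active_addrs, max_hops, link_load,
                    max_load, seed=0):
    """Pick a new (vaddr, path) pair for `host`.

    A candidate is rejected if its address is still bound to another host or
    to a live flow (collision avoidance, `active_addrs`), if it equals the
    current assignment (no real mutation), or if it breaks the overhead
    constraint. Returns None when no candidate qualifies, so the caller can
    defer the mutation instead of degrading service.
    """
    candidates = [
        (addr, path)
        for addr, path in product(VADDR_POOL, ROUTES[host])
        if addr not in active_addrs                      # collision avoidance
        and (addr, path) != current                      # must actually change
        and satisfies_overhead(path, max_hops, link_load, max_load)
    ]
    return random.Random(seed).choice(candidates) if candidates else None
```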
