Investigating the application of moving target defenses to network security

This paper presents a preliminary design for a moving-target defense (MTD) for computer networks to combat an attacker's asymmetric advantage. The MTD system reasons over a set of abstract models that capture the network's configuration and its operational and security goals to select adaptations that maintain the operational integrity of the network. The paper examines both a simple (purely random) MTD system and an intelligent MTD system that uses attack indicators to augment adaptation selection. A set of simulation-based experiments shows that such an MTD system may in fact be able to reduce an attacker's success likelihood. These results are a preliminary step towards understanding and quantifying the impact of MTDs on computer networks.
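The comparison the abstract describes (a static network, a purely random MTD, and an indicator-driven MTD, scored by attacker success likelihood) can be reproduced in miniature with a Monte Carlo model. The following is an added illustration, not the paper's simulator or its abstract models: the network size, exploit duration, attacker budget, re-map period and indicator threshold are all assumed values chosen for the example, and the attacker model (scan one address per tick, then hold the found address for several consecutive ticks) is a deliberately simple stand-in for the paper's experiments.

```python
import random

# Adaptation policies: each decides, after every tick, whether to re-map the
# network. `attempts` is the attack indicator: connection attempts seen from
# one source since the last re-map. All thresholds and periods are assumed.
def static(tick, attempts):                       # no MTD
    return False

def random_mtd(tick, attempts, period=16):        # purely random MTD
    return tick % period == 0

def indicator_mtd(tick, attempts, threshold=6):   # intelligent MTD
    return attempts >= threshold

def simulate(policy, rng, n_hosts=64, exploit_ticks=4, budget=80):
    """One trial. The attacker scans addresses in random order (one probe per
    tick); on finding the target it needs `exploit_ticks` consecutive ticks
    against that same address. It cannot see re-maps: a stale exploit simply
    fails and the attacker rescans. Returns True if the exploit completes."""
    target = rng.randrange(n_hosts)               # current target address
    scan, exploit_addr, progress, intact = [], None, 0, True
    attempts = 0
    for tick in range(1, budget + 1):
        if exploit_addr is None:                  # reconnaissance phase
            if not scan:
                scan = rng.sample(range(n_hosts), n_hosts)
            if scan.pop() == target:
                exploit_addr, progress, intact = target, 0, True
        else:                                     # exploitation phase
            progress += 1
            intact = intact and exploit_addr == target
            if progress == exploit_ticks:
                if intact:
                    return True
                exploit_addr, scan = None, []     # failure noticed; rescan
        attempts += 1
        if policy(tick, attempts):                # defender adapts
            target, attempts = rng.randrange(n_hosts), 0
    return False

def success_rate(policy, trials=2000, seed=7):
    """Attacker success likelihood over repeated trials (seeded for repeatability)."""
    rng = random.Random(seed)
    return sum(simulate(policy, rng) for _ in range(trials)) / trials

def idle_remaps(policy, budget=80):
    """Re-maps a policy performs with no attacker present: its cost to operations."""
    return sum(policy(t, 0) for t in range(1, budget + 1))
```

Under these assumptions the static network is always compromised, the random policy lowers the attacker's success rate but re-maps even when nothing is happening, and the indicator-driven policy lowers it further while re-mapping only under attack, which is the operational-integrity trade-off the abstract points at.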
