Deceiving Network Reconnaissance Using SDN-Based Virtual Topologies

Advanced targeted cyber attacks often rely on reconnaissance missions to gather information about potential targets, their characteristics and their location in order to identify vulnerabilities in a networked environment. Advanced network scanning techniques are often used for this purpose and are executed automatically by malware-infected hosts. In this paper, we formally define network deception as a defense against reconnaissance and develop a reconnaissance deception system, based on software-defined networking, that achieves deception by simulating virtual topologies. Our system thwarts network reconnaissance by delaying the scanning techniques of adversaries and invalidating the information they collect, while limiting the performance impact on benign network traffic. By simulating the topological as well as the physical characteristics of networks, we introduce a system that deceives malicious network discovery and reconnaissance techniques with virtual information, while limiting the information an attacker is able to harvest about the true underlying system. This approach constitutes a novel defense technique against the adversarial reconnaissance missions required for targeted cyber attacks such as advanced persistent threats in highly connected environments. The defense steps of our system aim to invalidate an attacker's information, delay the process of finding vulnerable hosts, and identify the source of adversarial reconnaissance within a network.
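As an added illustration, not the paper's implementation (the abstract does not detail its design), the following Python sketch models the idea from the defender's side: each host is given its own randomized virtual view of the subnet, real hosts sit behind virtual addresses, and every other virtual address is backed by an assumed decoy. It quantifies the two effects the abstract names: probes a sequential scan wastes before reaching a real host, and how little of one host's harvested view remains valid from another host. `REAL_HOSTS`, `HONEYPOT` and the function names are constructed for this example.

```python
import ipaddress
import random

# Constructed example network (not from the paper): the real hosts the defender
# runs, and an assumed decoy address that absorbs probes to non-existent hosts.
REAL_HOSTS = {"10.0.0.5": "web", "10.0.0.9": "db"}
HONEYPOT = "10.0.0.250"


def build_virtual_view(real_hosts, subnet, n_virtual, seed):
    """One host's virtual view of the subnet: n_virtual addresses drawn at
    random, each real host hidden behind one distinct virtual address and every
    other virtual address backed by the decoy. Real addresses never appear."""
    rng = random.Random(seed)
    pool = [str(ip) for ip in ipaddress.ip_network(subnet).hosts()]
    pool = [ip for ip in pool if ip not in real_hosts and ip != HONEYPOT]
    chosen = rng.sample(pool, n_virtual)
    view = dict(zip(chosen, real_hosts))      # first k virtual -> real hosts
    for vip in chosen[len(real_hosts):]:      # the rest -> decoy
        view[vip] = HONEYPOT
    return view


def translate_probe(view, dst_vip):
    """Controller-side rewrite for a packet from the host owning `view`:
    return the real endpoint, or None to drop probes outside the view."""
    return view.get(dst_vip)


def probes_until_real(view, real_hosts):
    """Sequential scan over the virtual view: probes spent until the first
    real host is reached, i.e. the delay the deception introduces."""
    ordered = sorted(view, key=lambda ip: int(ipaddress.ip_address(ip)))
    for count, vip in enumerate(ordered, start=1):
        if view[vip] in real_hosts:
            return count
    return None


def reusable_findings(view_a, view_b):
    """Addresses harvested in view_a that still point at the same real host
    in view_b: the part of a scanner's data that survives a change of vantage."""
    return sum(1 for vip, real in view_a.items()
               if real != HONEYPOT and view_b.get(vip) == real)
```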
