Evaluating the Network Diversity of Networks Against Zero-Day Attacks

Diversity has long been regarded as a security mechanism and it has found new applications in security, e.g., in cloud, Moving Target Defense (MTD), and network routing. However, most existing efforts rely on intuitive and imprecise notions of diversity, and the few existing models of diversity are mostly designed for a single system running diverse software replicas or variants. At a higher abstraction level, as a global property of the entire network, diversity and its effect on security have received limited attention. In this chapter, we present a formal model of network diversity as a security metric. Specifically, we first devise a biodiversity-inspired metric based on the effective number of distinct resources. We then propose two complementary diversity metrics, based on the least and the average attacking efforts, respectively. Finally, we evaluate the proposed metrics through simulation.
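As an added example that is not the chapter's own code, the following computes the effective number of distinct resources for a host inventory using the Hill-number family from ecology; that the chapter's metric takes exactly this form, and the labelling of each host by the single resource a zero-day would have to target, are assumptions made here.

```python
"""Effective number of distinct resources for a network (added example).

Assumption: the chapter's "effective number of distinct resources" is
modelled with the Hill number of order q used in biodiversity studies.
Each host is labelled with one constructed resource type (e.g. the OS or
service stack an attacker would need a zero-day exploit for).
"""
from collections import Counter
from math import exp, log


def resource_proportions(hosts):
    """Map each resource type to its share of all hosts."""
    counts = Counter(hosts)
    total = sum(counts.values())
    return {r: c / total for r, c in counts.items()}


def hill_number(hosts, q=1):
    """Effective number of distinct resources of order q.

    q=0 counts resource types (richness); q=1 is exp(Shannon entropy);
    q=2 is the inverse Simpson index. Larger q weights common resources
    more, so a near-monoculture scores close to 1 however many rare
    types it also contains.
    """
    p = resource_proportions(hosts).values()
    if q == 1:
        return exp(-sum(pi * log(pi) for pi in p))
    return sum(pi ** q for pi in p) ** (1 / (1 - q))


def worst_case_share(hosts):
    """Fraction of hosts a single zero-day against the most common
    resource would affect (the q -> infinity limit is 1 / this value)."""
    return max(resource_proportions(hosts).values())


# Constructed sample networks: identical richness, different evenness.
MONOCULTURE = ["linux_a"] * 9 + ["bsd_b"]
BALANCED = ["linux_a"] * 5 + ["bsd_b"] * 5

if __name__ == "__main__":
    for name, hosts in (("monoculture", MONOCULTURE), ("balanced", BALANCED)):
        print(name, [round(hill_number(hosts, q), 3) for q in (0, 1, 2)],
              "worst-case share", worst_case_share(hosts))
```

Richness (q=0) alone rates both networks as equally diverse; the higher orders and the worst-case share expose that one zero-day takes down 90% of the monoculture.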
