Adversary-aware IP address randomization for proactive agility against sophisticated attackers

Network reconnaissance of IP addresses and ports is a prerequisite to many host and network attacks, and the static configuration of networks and hosts makes this adversarial reconnaissance easy. In this paper, we present a proactive-adaptive defense technique that turns end-hosts into untraceable moving targets and introduces dynamics into otherwise static systems: it monitors adversarial behavior and reconfigures the addresses of network hosts adaptively. This adaptability is achieved by discovering hazardous network ranges and addresses and quickly evacuating network hosts from them. Our approach maximizes adaptability by (1) using fast and accurate hypothesis testing to characterize adversarial behavior, and (2) achieving a very fast IP randomization (i.e., update) rate by separating randomization from the end-hosts and managing it through network appliances. The architecture and protocols of our approach can be deployed transparently on legacy networks as well as on software-defined networks. Our extensive analysis and evaluation show that by adaptively distorting adversarial reconnaissance, our approach slows down an attack and increases its detectability, thus significantly raising the bar against stealthy scanning, major classes of evasive scanning and worm propagation, and targeted (hacking) attacks.
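The following is an added illustrative sketch of the two mechanisms the abstract combines, not code from the paper: a per-source sequential probability ratio test (SPRT) whose evidence is whether each probe hit an unassigned ("dark") address, and a translation appliance that holds the host-name-to-ephemeral-IP mapping and re-addresses hosts out of any /24 a classified scanner has touched. The address space, the SPRT parameters (THETA0, THETA1, ALPHA, BETA), the /24 granularity and the traffic in `run_scenario` are all assumptions made for the example; the paper's own test, thresholds and protocol may differ.

```python
import ipaddress
import math
import random
from collections import defaultdict

# Added illustrative sketch, not the paper's algorithm. A translation appliance
# owns a stable host name -> ephemeral IP mapping; every probe seen at the
# network edge updates a per-source sequential probability ratio test (SPRT)
# whose evidence is "did the probe hit an unassigned (dark) address?". Once a
# source is classified as a scanner, each /24 it has touched becomes hazardous
# and hosts inside it are re-addressed into a range the scanner has not probed.

NETWORK = ipaddress.ip_network("10.0.0.0/16")          # assumed address space
RANGES = list(NETWORK.subnets(new_prefix=24))         # candidate /24 ranges

# SPRT parameters (assumed values for the example). THETA0/THETA1: probability
# that a benign source / a scanner hits a dark address. ALPHA/BETA: tolerated
# false-positive / false-negative rates, which fix the decision thresholds.
THETA0, THETA1 = 0.2, 0.8
ALPHA, BETA = 0.01, 0.01
UPPER = math.log((1 - BETA) / ALPHA)    # cross upward   -> accept "scanner"
LOWER = math.log(BETA / (1 - ALPHA))    # cross downward -> accept "benign"


class RandomizingAppliance:
    def __init__(self, hosts, seed=0):
        self.rng = random.Random(seed)
        self.hazardous = set()            # /24 networks judged unsafe
        self.llr = defaultdict(float)     # per-source log-likelihood ratio
        self.scanners = set()             # sources classified as scanners
        self.touched = defaultdict(set)   # source -> /24 ranges it has probed
        self.mapping = {}                 # host name -> current ephemeral IP
        for h in hosts:
            self.mapping[h] = self._fresh_address()

    def _fresh_address(self):
        """Pick an unused address in a range not yet marked hazardous."""
        safe = [r for r in RANGES if r not in self.hazardous]
        if not safe:
            raise RuntimeError("no non-hazardous range left to move into")
        in_use = set(self.mapping.values())
        while True:
            ip = self.rng.choice(safe)[self.rng.randrange(1, 255)]
            if ip not in in_use:
                return ip

    def _evacuate(self, ranges):
        """Mark ranges hazardous and move every host currently living in them."""
        self.hazardous |= set(ranges)
        for host, ip in list(self.mapping.items()):
            if any(ip in r for r in ranges):
                self.mapping[host] = self._fresh_address()

    def observe(self, src, dst):
        """Feed one probe (src -> dst) into the test; return the current verdict."""
        dst = ipaddress.ip_address(dst)
        rng = ipaddress.ip_network(f"{dst}/24", strict=False)
        self.touched[src].add(rng)
        if src in self.scanners:
            self._evacuate({rng})         # known scanner: stay ahead of it
            return "scanner"
        dark = dst not in self.mapping.values()
        p1 = THETA1 if dark else 1 - THETA1
        p0 = THETA0 if dark else 1 - THETA0
        self.llr[src] += math.log(p1 / p0)
        if self.llr[src] >= UPPER:
            self.scanners.add(src)
            self._evacuate(self.touched[src])
            return "scanner"
        if self.llr[src] <= LOWER:
            self.llr[src] = 0.0           # benign for now; keep watching
            return "benign"
        return "undecided"


def run_scenario():
    """Constructed traffic: one source sweeps 10.0.5.1-10.0.5.10, and a client
    only ever talks to the web host's current address."""
    app = RandomizingAppliance(["web", "db", "mail"])
    before = dict(app.mapping)
    swept = ipaddress.ip_network("10.0.5.0/24")
    scan_verdict = client_verdict = None
    for i in range(1, 11):
        scan_verdict = app.observe("198.51.100.7", str(swept[i]))
    for _ in range(4):
        client_verdict = app.observe("203.0.113.9", str(app.mapping["web"]))
    return app, before, swept, scan_verdict, client_verdict


if __name__ == "__main__":
    app, before, swept, sv, cv = run_scenario()
    print("sweep source:", sv, "| client:", cv)
    for host in before:
        print(host, before[host], "->", app.mapping[host])
```

With these thresholds a source is classified after four consecutive dark hits (each adds log(0.8/0.2)), so a ten-address sweep is caught even if up to three of its probes land on live hosts, and only the hosts inside the swept /24 are moved. The sketch omits what the abstract's "transparent deployment" requires in practice: legitimate clients must learn the new addresses through the appliance (for example by name resolution it controls), otherwise their connections to stale addresses would look like dark-address probes.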
