Moving Target Defense against DDoS Attacks: An Empirical Game-Theoretic Analysis

Distributed denial-of-service attacks are an increasing problem facing web applications, for which many defense techniques have been proposed, including several moving-target strategies. These strategies typically work by relocating targeted services over time, increasing uncertainty for the attacker, while trying not to disrupt legitimate users or incur excessive costs. Prior work has not shown, however, whether and how a rational defender would choose a moving-target method against an adaptive attacker, and under what conditions. We formulate a denial-of-service scenario as a two-player game, and solve a restricted-strategy version of the game using the methods of empirical game-theoretic analysis. Using agent-based simulation, we evaluate the performance of strategies from prior literature under a variety of attacks and environmental conditions. We find evidence for the strategic stability of various proposed strategies, such as proactive server movement, delayed attack timing, and suspected insider blocking, along with guidelines for when each is likely to be most effective.
