Intelligent defense using pretense against targeted attacks in cloud platforms

Abstract Cloud-hosted services are increasingly used by online businesses in, e.g., retail, healthcare, manufacturing and entertainment because of benefits such as scalability and reliability. These benefits are fueled by innovations in the orchestration of cloud platforms that make them programmable as Software Defined everything Infrastructures (SDxI). At the same time, sophisticated targeted attacks such as Distributed Denial-of-Service (DDoS) and Advanced Persistent Threats (APTs) are growing on an unprecedented scale, threatening the availability of online businesses. In this paper, we present a novel defense system called Dolus that mitigates the impact of targeted attacks launched against high-value services hosted in SDxI-based cloud platforms. Dolus initiates a ‘pretense’ in a scalable and collaborative manner to deter the attacker, based on threat intelligence obtained from attack feature analysis. Using foundations from pretense theory in child play, Dolus takes advantage of elastic capacity provisioning via ‘quarantine virtual machines’ and SDxI policy coordination across multiple network domains to deceive the attacker by creating a false sense of success. We evaluate the efficacy of Dolus on a GENI Cloud testbed and demonstrate its real-time capabilities to: (a) detect DDoS and APT attacks and redirect attack traffic to quarantine resources that engage the attacker under pretense, and (b) coordinate SDxI policies to block attacks, where possible, closer to the attack source(s).
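The three mechanisms the abstract names (attack feature analysis, redirection to quarantine VMs that keep the attacker believing it is hitting the real service, and per-domain policy coordination to block near the source) can be sketched as one small pipeline. The following is an added illustration in Python and is not Dolus's code or any code from the paper: the flow record schema, the half-open-SYN threshold detector, the OpenFlow-style rule dictionaries, the service/quarantine addresses and the prefix-to-domain table are all assumptions, and the flow sample is constructed.

```python
"""
Illustrative pretense pipeline in the spirit of the Dolus abstract:
detect a volumetric attack from flow features, redirect the attacker to a
quarantine VM while preserving the illusion of reaching the real service,
and hand per-domain block requests to upstream SDxI controllers.
Added example, not the paper's code. Schema, thresholds, rule format and
domain table are assumptions; the traffic sample is constructed.
"""
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass

SERVICE_IP = "10.0.0.10"       # protected high-value service (assumed)
QUARANTINE_IP = "10.0.9.10"    # quarantine VM that absorbs attack traffic (assumed)
SYN_THRESHOLD = 50             # half-open SYNs per source per window (assumed)

# Assumed mapping from source prefixes to the network domain able to block them.
DOMAIN_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "domain-A",
    ipaddress.ip_network("198.51.100.0/24"): "domain-B",
    ipaddress.ip_network("192.0.2.0/24"): "domain-C",
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    half_open: bool  # SYN seen, handshake never completed


def constructed_flows():
    """Constructed sample: two SYN-flooding sources plus one benign client."""
    flows = []
    flows += [Flow("203.0.113.5", SERVICE_IP, 443, True) for _ in range(80)]
    flows += [Flow("198.51.100.7", SERVICE_IP, 443, True) for _ in range(60)]
    flows += [Flow("192.0.2.3", SERVICE_IP, 443, False) for _ in range(5)]
    flows += [Flow("192.0.2.3", SERVICE_IP, 443, True) for _ in range(3)]  # a few benign retransmits
    return flows


def detect_attackers(flows, threshold=SYN_THRESHOLD):
    """Simplified attack feature analysis: sources with too many half-open SYNs to the service."""
    half_open = Counter(f.src for f in flows if f.dst == SERVICE_IP and f.half_open)
    return {src for src, n in half_open.items() if n >= threshold}


def quarantine_rules(attackers):
    """
    OpenFlow-style match/action pairs for the ingress switch (format assumed).
    Forward: attacker -> service is rewritten to the quarantine VM.
    Reverse: quarantine VM -> attacker is rewritten to look like the real
    service, so the attacker sees replies and believes the attack works.
    """
    rules = []
    for src in sorted(attackers):
        rules.append({
            "priority": 200,
            "match": {"ipv4_src": src, "ipv4_dst": SERVICE_IP},
            "actions": [f"set_field:ipv4_dst={QUARANTINE_IP}", "output:quarantine"],
        })
        rules.append({
            "priority": 200,
            "match": {"ipv4_src": QUARANTINE_IP, "ipv4_dst": src},
            "actions": [f"set_field:ipv4_src={SERVICE_IP}", "output:upstream"],
        })
    return rules


def domain_of(ip):
    """Longest-match is unnecessary here: the assumed table has disjoint prefixes."""
    addr = ipaddress.ip_address(ip)
    for net, name in DOMAIN_TABLE.items():
        if addr in net:
            return name
    return "unknown"


def upstream_block_requests(attackers):
    """Group attacker sources by originating domain so each controller can drop them near the source."""
    grouped = defaultdict(list)
    for src in sorted(attackers):
        grouped[domain_of(src)].append(src)
    return dict(grouped)


def run_pipeline(flows):
    attackers = detect_attackers(flows)
    return {
        "attackers": attackers,
        "rules": quarantine_rules(attackers),
        "block_requests": upstream_block_requests(attackers),
    }


if __name__ == "__main__":
    result = run_pipeline(constructed_flows())
    print("attackers:", sorted(result["attackers"]))
    for rule in result["rules"]:
        print(rule)
    print("block requests:", result["block_requests"])
```

The reverse-path rewrite is what makes this a pretense rather than a plain blackhole: without it the attacker would see the service go silent and could move on or change tactics, whereas the abstract's goal is to keep it engaged with quarantine capacity while the originating domains are asked to drop the traffic closer to its source.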


[42]  Dimitris Gritzalis,et al.  Trusted Computing vs. Advanced Persistent Threats: Can a Defender Win This Game? , 2013, 2013 IEEE 10th International Conference on Ubiquitous Intelligence and Computing and 2013 IEEE 10th International Conference on Autonomic and Trusted Computing.