Spatio-temporal Address Mutation for Proactive Cyber Agility against Sophisticated Attackers

MTD '14 · Publication date: 2014-11-07 · DOI: 10.1145/2663474.2663483
J. H. Jafarian, E. Al-Shaer, Qi Duan
Citations: 85

Abstract

The static one-to-one binding of hosts to IP addresses allows adversaries to conduct thorough reconnaissance in order to discover and enumerate network assets. Specifically, this fixed address mapping allows distributed network scanners to aggregate information gathered at multiple locations over different times in order to construct an accurate and persistent view of the network. The unvarying nature of this view enables adversaries to collaboratively share and reuse their collected reconnaissance information in various stages of attack planning and execution. This paper presents a novel moving target defense (MTD) technique which enables the host-to-IP binding of each destination host to vary randomly across the network based on the source identity (spatial randomization) as well as time (temporal randomization). This spatio-temporal randomization distorts attackers' view of the network by causing the collected reconnaissance information to expire as adversaries transition from one host to another or if they stay long enough in one location. Consequently, adversaries are forced to re-scan the network frequently at each location or over different time intervals. These recurring probes significantly raise the bar for the adversaries by slowing down the attack progress, while improving its detectability. We introduce three novel metrics for quantifying the effectiveness of MTD defense techniques: deterrence, deception, and detectability. Using these metrics, we perform rigorous theoretical and experimental analysis to evaluate the efficacy of this approach. These analyses show that our approach is effective in countering a significant number of sophisticated threat models including collaborative reconnaissance, worm propagation, and advanced persistent threat (APT), in an evasion-free manner.
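As an added illustration that is not part of the paper (the abstract does not describe the actual mapping mechanism, so this is one plausible construction), the sketch below derives a keyed host-to-address view that depends on both the querying source and a time epoch, measures how much of a recorded view goes stale when the vantage point or the epoch changes, and shows the detectability signal a gateway could use: traffic aimed at an address that is not live for its sender. The address pool, host names and key are all constructed for the demo.

```python
import hmac
import hashlib
import ipaddress

# Constructed demo data (not from the paper): a small address pool and six hosts.
POOL = [str(a) for a in ipaddress.ip_network("10.20.30.0/24").hosts()]
HOSTS = ["web01", "db01", "mail01", "files01", "build01", "admin01"]
SECRET = b"constructed-demo-key"  # assumed to be held only by the mutation gateway


def _rank(secret, source, epoch, offset):
    """Keyed, unpredictable ordering key for one pool slot in one (source, epoch) view."""
    msg = f"{source}|{epoch}|{offset}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()


def address_view(secret, hosts, source, epoch, pool=POOL):
    """Host -> ephemeral address as seen by `source` during time `epoch`.

    Sorting pool slots by a keyed hash yields a pseudo-random permutation, so
    two hosts never share an address within one view (spatial randomization via
    `source`, temporal randomization via `epoch`).
    """
    if len(hosts) > len(pool):
        raise ValueError("address pool smaller than host set")
    order = sorted(range(len(pool)), key=lambda o: _rank(secret, source, epoch, o))
    return {h: pool[order[i]] for i, h in enumerate(sorted(hosts))}


def stale_fraction(recorded, current):
    """Share of recorded host->address pairs that no longer hold in `current`."""
    return sum(1 for h, a in recorded.items() if current.get(h) != a) / len(recorded)


def is_stale_probe(secret, hosts, source, epoch, dst_addr, pool=POOL):
    """True if `source` sends to an address that is not live for it in `epoch`.

    Such traffic is the detectability signal: only a party replaying old or
    borrowed reconnaissance would target an address outside its current view.
    """
    return dst_addr not in address_view(secret, hosts, source, epoch, pool).values()


if __name__ == "__main__":
    view_a0 = address_view(SECRET, HOSTS, "host-A", 0)
    view_b0 = address_view(SECRET, HOSTS, "host-B", 0)   # another vantage point
    view_a1 = address_view(SECRET, HOSTS, "host-A", 1)   # same vantage point, later
    print("stale after moving hosts:", stale_fraction(view_a0, view_b0))
    print("stale after waiting:     ", stale_fraction(view_a0, view_a1))
    print("old address outside host-B's view:", is_stale_probe(SECRET, HOSTS, "host-B", 0, view_a0["web01"]))
```

Legitimate clients resolve through the gateway each time and always see their own current view, so only replayed or shared reconnaissance hits stale addresses.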