Tina Moghaddam, Guowei Yang, Chandra Thapa, Seyit Camtepe, Dan Dongseong Kim
{"title":"MTDSense: AI-Based Fingerprinting of Moving Target Defense Techniques in Software-Defined Networking","authors":"Tina Moghaddam, Guowei Yang, Chandra Thapa, Seyit Camtepe, Dan Dongseong Kim","doi":"arxiv-2408.03758","DOIUrl":null,"url":null,"abstract":"Moving target defenses (MTD) are proactive security techniques that enhance\nnetwork security by confusing the attacker and limiting their attack window.\nMTDs have been shown to have significant benefits when evaluated against\ntraditional network attacks, most of which are automated and untargeted.\nHowever, little has been done to address an attacker who is aware the network\nuses an MTD. In this work, we propose a novel approach named MTDSense, which\ncan determine when the MTD has been triggered using the footprints the MTD\noperation leaves in the network traffic. MTDSense uses unsupervised clustering\nto identify traffic following an MTD trigger and extract the MTD interval. An\nattacker can use this information to maximize their attack window and tailor\ntheir attacks, which has been shown to significantly reduce the effectiveness\nof MTD. Through analyzing the attacker's approach, we propose and evaluate two\nnew MTD update algorithms that aim to reduce the information leaked into the\nnetwork by the MTD. We present an extensive experimental evaluation by\ncreating, to our knowledge, the first dataset of the operation of an\nIP-shuffling MTD in a software-defined network. Our work reveals that despite\nprevious results showing the effectiveness of MTD as a defense, traditional\nimplementations of MTD are highly susceptible to a targeted attacker.","PeriodicalId":501280,"journal":{"name":"arXiv - CS - Networking and Internet Architecture","volume":"39 1","pages":""},"PeriodicalIF":0.0000,"publicationDate":"2024-08-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"arXiv - CS - Networking and Internet Architecture","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/arxiv-2408.03758","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 0
Abstract
Moving target defenses (MTD) are proactive security techniques that enhance
network security by confusing the attacker and limiting their attack window.
MTDs have been shown to have significant benefits when evaluated against
traditional network attacks, most of which are automated and untargeted.
However, little has been done to address an attacker who is aware the network
uses an MTD. In this work, we propose a novel approach named MTDSense, which
can determine when the MTD has been triggered using the footprints the MTD
operation leaves in the network traffic. MTDSense uses unsupervised clustering
to identify traffic following an MTD trigger and extract the MTD interval. An
attacker can use this information to maximize their attack window and tailor
their attacks, which has been shown to significantly reduce the effectiveness
of MTD. Through analyzing the attacker's approach, we propose and evaluate two
new MTD update algorithms that aim to reduce the information leaked into the
network by the MTD. We present an extensive experimental evaluation by
creating, to our knowledge, the first dataset of the operation of an
IP-shuffling MTD in a software-defined network. Our work reveals that despite
previous results showing the effectiveness of MTD as a defense, traditional
implementations of MTD are highly susceptible to a targeted attacker.