{"title":"Dynamic Defense against Adaptive and Persistent Adversaries","authors":"R. Poovendran","doi":"10.1145/3268966.3268977","DOIUrl":"https://doi.org/10.1145/3268966.3268977","url":null,"abstract":"This talk will cover two topics, namely, modeling and design of Moving Target Defense (MTD), and DIFT games for modeling Advanced Persistent Threats (APTs). We will first present a game-theoretic approach to characterizing the trade-off between resource efficiency and defense effectiveness in decoy- and randomization-based MTD. We will then address the game formulation for APTs. APTs are mounted by intelligent and resourceful adversaries who gain access to a targeted system and gather information over an extended period of time. APTs consist of multiple stages, including initial system compromise, privilege escalation, and data exfiltration, each of which involves strategic interaction between the APT and the targeted system. While this interaction can be viewed as a game, the stealthiness, adaptiveness, and unpredictability of APTs imply that the information structure of the game and the strategies of the APT are not readily available. Our approach to modeling APTs is based on the insight that the persistent nature of APTs creates information flows in the system that can be monitored. One monitoring mechanism is Dynamic Information Flow Tracking (DIFT), which taints and tracks malicious information flows through a system and inspects the flows at designated traps. Since tainting all flows in the system will incur significant memory and storage overhead, efficient tagging policies are needed to maximize the probability of detecting the APT while minimizing resource costs. In this work, we develop a multi-stage stochastic game framework for modeling the interaction between an APT and a DIFT, as well as designing an efficient DIFT-based defense. Our model is grounded on APT data gathered using the Refinable Attack Investigation (RAIN) flow-tracking framework. We present the current state of our formulation, insights that it provides on designing effective defenses against APTs, and directions for future work.","PeriodicalId":20619,"journal":{"name":"Proceedings of the 5th ACM Workshop on Moving Target Defense","volume":"31 11 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2018-01-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"89745650","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Ensuring Deception Consistency for FTP Services Hardened against Advanced Persistent Threats","authors":"Zhan Shu, Guanhua Yan","doi":"10.1145/3268966.3268971","DOIUrl":"https://doi.org/10.1145/3268966.3268971","url":null,"abstract":"As evidenced by numerous high-profile security incidents such as the Target data breach and the Equifax hack, APTs (Advanced Persistent Threats) can significantly compromise the trustworthiness of cyber space. This work explores how to improve the effectiveness of cyber deception in hardening FTP (File Transfer Protocol) services against APTs. The main objective of our work is to ensure deception consistency: when the attackers are trapped, they can only make observations that are consistent with what they have seen already so that they cannot recognize the deceptive environment. To achieve deception consistency, we use logic constraints to characterize an attacker's best knowledge (either positive, negative, or uncertain). When migrating the attacker's FTP connection into a contained environment, we use these logic constraints to instantiate a new FTP file system that is guaranteed free of inconsistency. We performed deception experiments with student participants who just completed a computer security course. Following the design of Turing tests, we find that the participants' chances of recognizing deceptive environments are close to random guesses. Our experiments also confirm the importance of observation consistency in identifying deception.","PeriodicalId":20619,"journal":{"name":"Proceedings of the 5th ACM Workshop on Moving Target Defense","volume":"65 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2018-01-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"90449486","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
V. Casola, Alessandra De Benedictis, M. Rak, Umberto Villano
{"title":"A Security SLA-Driven Moving Target Defense Framework to Secure Cloud Applications","authors":"V. Casola, Alessandra De Benedictis, M. Rak, Umberto Villano","doi":"10.1145/3268966.3268975","DOIUrl":"https://doi.org/10.1145/3268966.3268975","url":null,"abstract":"The large adoption of cloud services in many business domains dramatically increases the need for effective solutions to improve the security of deployed services. The adoption of Security Service Level Agreements (Security SLAs) represents an effective solution to state formally the security guarantees that a cloud service is able to provide. Even if security policies declared by the service provider are properly implemented before the service is deployed and launched, the actual security level tends to degrade over time, due to the knowledge on the exposed attack surface that the attackers are progressively able to gain. In this paper, we present a Security SLA-driven MTD framework that allows MTD strategies to be applied to a cloud application by automatically switching among different admissible application configurations, in order to confuse the attackers and nullify their reconnaissance effort, while preserving the application Security SLA across reconfigurations.","PeriodicalId":20619,"journal":{"name":"Proceedings of the 5th ACM Workshop on Moving Target Defense","volume":"44 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2018-01-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"74951222","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Session details: Keynote","authors":"Massimiliano Albanese","doi":"10.1145/3285946","DOIUrl":"https://doi.org/10.1145/3285946","url":null,"abstract":"","PeriodicalId":20619,"journal":{"name":"Proceedings of the 5th ACM Workshop on Moving Target Defense","volume":"11 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2018-01-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"82003441","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Session details: Session 1: Evaluation of MTD Techniques","authors":"I. Ray","doi":"10.1145/3285944","DOIUrl":"https://doi.org/10.1145/3285944","url":null,"abstract":"","PeriodicalId":20619,"journal":{"name":"Proceedings of the 5th ACM Workshop on Moving Target Defense","volume":"51 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2018-01-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"79536234","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Todd Jackson, Andrei Homescu, Stephen Crane, Per Larsen, Stefan Brunthaler, M. Franz
{"title":"Diversifying the Software Stack Using Randomized NOP Insertion","authors":"Todd Jackson, Andrei Homescu, Stephen Crane, Per Larsen, Stefan Brunthaler, M. Franz","doi":"10.1007/978-1-4614-5416-8_8","DOIUrl":"https://doi.org/10.1007/978-1-4614-5416-8_8","url":null,"abstract":"","PeriodicalId":20619,"journal":{"name":"Proceedings of the 5th ACM Workshop on Moving Target Defense","volume":"14 1","pages":"151-173"},"PeriodicalIF":0.0,"publicationDate":"2013-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"78301649","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Game Theoretic Approaches to Attack Surface Shifting","authors":"P. Manadhata","doi":"10.1007/978-1-4614-5416-8_1","DOIUrl":"https://doi.org/10.1007/978-1-4614-5416-8_1","url":null,"abstract":"","PeriodicalId":20619,"journal":{"name":"Proceedings of the 5th ACM Workshop on Moving Target Defense","volume":"51 1","pages":"1-13"},"PeriodicalIF":0.0,"publicationDate":"2013-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"76794598","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Security Games Applied to Real-World: Research Contributions and Challenges","authors":"Manish Jain, Bo An, Milind Tambe","doi":"10.1007/978-1-4614-5416-8_2","DOIUrl":"https://doi.org/10.1007/978-1-4614-5416-8_2","url":null,"abstract":"","PeriodicalId":20619,"journal":{"name":"Proceedings of the 5th ACM Workshop on Moving Target Defense","volume":"1 1","pages":"15-39"},"PeriodicalIF":0.0,"publicationDate":"2013-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"86566909","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"From Individual Decisions from Experience to Behavioral Game Theory: Lessons for Cybersecurity","authors":"Cleotilde González","doi":"10.1007/978-1-4614-5416-8_4","DOIUrl":"https://doi.org/10.1007/978-1-4614-5416-8_4","url":null,"abstract":"","PeriodicalId":20619,"journal":{"name":"Proceedings of the 5th ACM Workshop on Moving Target Defense","volume":"8 1","pages":"73-86"},"PeriodicalIF":0.0,"publicationDate":"2013-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"91334190","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Adversarial Dynamics: The Conficker Case Study","authors":"D. Bilar, G. Cybenko, J. P. Murphy","doi":"10.1007/978-1-4614-5416-8_3","DOIUrl":"https://doi.org/10.1007/978-1-4614-5416-8_3","url":null,"abstract":"","PeriodicalId":20619,"journal":{"name":"Proceedings of the 5th ACM Workshop on Moving Target Defense","volume":"10 1","pages":"41-71"},"PeriodicalIF":0.0,"publicationDate":"2013-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"80093765","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}