DocumentCode :
3604435
Title :
An Effective Address Mutation Approach for Disrupting Reconnaissance Attacks
Author :
Jafarian, Jafar Haadi ; Al-Shaer, Ehab ; Qi Duan
Author_Institution :
CyberDNA Center, Univ. of North Carolina at Charlotte, Charlotte, NC, USA
Volume :
10
Issue :
12
fYear :
2015
Firstpage :
2562
Lastpage :
2577
Abstract :
Network reconnaissance of addresses and ports is prerequisite to a vast majority of cyber attacks. Meanwhile, the static address configuration of networks and hosts simplifies adversarial reconnaissance for target discovery. Although the randomization of host addresses has been suggested as a proactive disruption mechanism against such reconnaissance, the proposed approaches do not exploit the full potentials of address randomization in provision of unpredictability and attack adaptability. Moreover, these approaches do not provide thorough analysis on effectiveness and limitations of address randomization against relevant threat models, including stealthy scanning and worms. In this paper, we present an effective address randomization technique, called random host address mutation (RHM), that turns end-hosts into untraceable moving targets. This technique achieves maximum efficacy by allowing address randomization to be highly unpredictable and fast, and adaptive to adversarial behavior, while incurring low operational and reconfiguration overhead. Our approach achieves the following objectives: (1) it achieves high uncertainty in adversary scanning by modeling address mutation randomization as a multi-level satisfiability problem; (2) it adapts the mutation scheme by fast characterization of adversarial reconnaissance patterns; (3) it achieves high mutation rate by separating mutation from end-hosts and managing it via network appliances; and (4) it preserves network integrity, manageability and performance by bounding the size of routing tables, preserving end-to-end reachability, and efficient handling of reconfiguration updates. Our extensive analyses and simulation show that the RHM distorts adversarial reconnaissance, slows down (deters) the attack, and increases its detectability. 
Consequently, the RHM is effective in countering a significant number of sophisticated threat models, including reconnaissance, stealthy/evasive scanning methods, and targeted attacks. We also address limitations of our approach in terms of effectiveness and applicability.
Keywords :
IP networks; computer network management; computer network performance evaluation; computer network security; telecommunication network routing; telecommunication traffic; RHM; address randomization; adversarial behavior; adversarial reconnaissance; adversarial reconnaissance patterns; adversary scanning; attack adaptability; cyber attacks; end-hosts; end-to-end reachability; evasive scanning method; multilevel satisfiability problem; mutation rate; network appliances; network integrity; network manageability; network performance; network reconnaissance; operational overhead; proactive disruption mechanism; random host address mutation; reconfiguration overhead; reconfiguration updates; reconnaissance attack disruption; routing tables; static address configuration; stealthy scanning method; target discovery; targeted attacks; threat models; unpredictability; untraceable moving targets; Analytical models; Entropy; Grippers; IP networks; Nickel; Reconnaissance; Routing; IP address randomization; Moving Target Defense (MTD); moving target defense (MTD); reconnaissance; scanning;
fLanguage :
English
Journal_Title :
Information Forensics and Security, IEEE Transactions on
Publisher :
ieee
ISSN :
1556-6013
Type :
jour
DOI :
10.1109/TIFS.2015.2467358
Filename :
7185417