Address shuffling is a type of moving target defense that prevents an attacker from reliably contacting a system by periodically remapping network addresses. Although limited testing has demonstrated it to be effective, little research has been conducted to examine the theoretical limits of address shuffling. As a result, it is difficult to understand how effective shuffling is and under what circumstances it is a viable moving target defense. This paper introduces probabilistic models that can provide insight into the performance of address shuffling. These models quantify the probability of attacker success in terms of network size, quantity of addresses scanned, quantity of vulnerable systems, and the frequency of shuffling. Theoretical analysis shows that shuffling is an acceptable defense if there is a small population of vulnerable systems within a large network address space, however shuffling has a cost for legitimate users. These results will also be shown empirically using simulation and actual traffic traces.
Identifying application types in network traffic is a difficult problem for administrators who must secure and manage network resources, further complicated by the use of encrypted protocols and nonstandard port numbers. This paper takes a unique approach to this problem by modeling and analyzing application graphs, structures which describe the applicationlevel (e.g., HTTP, FTP) communications between hosts. These graphs are searched for motifs: recurring, significant patterns of interconnections that can be used to help determine the network application in use. Motif-based analysis has been applied predominantly to biological networks to hypothesize key functional regulatory units, but never to network traffic as it is here. For the proposed method, a description of each node is generated based on its participation in statistically significant motifs. These descriptions, or profiles, are data points in multidimensional space that are used as input to a k-nearest neighbor (k-NN) classifier to predict the application. This work also compares the performance of motif-based analysis to an alternative profile type based on "traditional" graph measures such as path lengths, clustering coefficients and centrality measures. The results show that motif profiles perform better than traditional profiles, and are able to correctly identify the actions of 85% of the hosts examined across seven protocols.
A Moving Target (MT) defense constantly changes a system's attack surface, in an attempt to limit the usefulness of the reconnaissance the attacker has collected. One approach to this defense strategy is to intermittently change a system's configuration. These changes must maintain functionality and security, while also being diverse. Finding suitable configuration changes that form a MT defense is challenging. There are potentially a large number of individual configurations' settings to consider, without a full understanding of the settings' interdependencies. Evolution-based algorithms, which formulate better solutions from good solutions, can be used to create a MT defense. New configurations are created based on the security of previous configurations and can be periodically implemented to change the system's attack surface. This approach not only has the ability to discover new, more secure configurations, but is also proactive and resilient since it can continually adapt to the current environment in a fashion similar to systems found in nature. This article presents and compares two genetic algorithms to create a MT defense. The primary difference between the two is based on their approaches to mutation. One mutates values, and the other modifies the domains from which values are chosen.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.
customersupport@researchsolutions.com
10624 S. Eastern Ave., Ste. A-614
Henderson, NV 89052, USA
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Copyright © 2024 scite LLC. All rights reserved.
Made with 💙 for researchers
Part of the Research Solutions Family.