Adversary-aware IP address randomization for proactive agility against sophisticated attackers

Jafar Haadi Jafarian; Ehab Al-Shaer; Qi Duan

doi:10.1109/INFOCOM.2015.7218443

Adversary-aware IP address randomization for proactive agility against sophisticated attackers

Jafar Haadi Jafarian, Ehab Al-Shaer, Qi Duan

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

64 Scopus citations

Abstract

Network reconnaissance of IP addresses and ports is prerequisite to many host and network attacks. Meanwhile, static configurations of networks and hosts simplify this adversarial reconnaissance. In this paper, we present a novel proactive-adaptive defense technique that turns end-hosts into untraceable moving targets, and establishes dynamics into static systems by monitoring the adversarial behavior and reconfiguring the addresses of network hosts adaptively. This adaptability is achieved by discovering hazardous network ranges and addresses and evacuating network hosts from them quickly. Our approach maximizes adaptability by (1) using fast and accurate hypothesis testing for characterization of adversarial behavior, and (2) achieving a very fast IP randomization (i.e., update) rate through separating randomization from end-hosts and managing it via network appliances. The architecture and protocols of our approach can be transparently deployed on legacy networks, as well as software-defined networks. Our extensive analysis and evaluation show that by adaptive distortion of adversarial reconnaissance, our approach slows down the attack and increases its detectability, thus significantly raising the bar against stealthy scanning, major classes of evasive scanning and worm propagation, as well as targeted (hacking) attacks.

Original language	English
Title of host publication	2015 IEEE Conference on Computer Communications, IEEE INFOCOM 2015
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	738-746
Number of pages	9
ISBN (Electronic)	9781479983810
DOIs	https://doi.org/10.1109/INFOCOM.2015.7218443
State	Published - 21 Aug 2015
Externally published	Yes
Event	34th IEEE Annual Conference on Computer Communications and Networks, IEEE INFOCOM 2015 - Hong Kong, Hong Kong Duration: 26 Apr 2015 → 1 May 2015

Publication series

Name	Proceedings - IEEE INFOCOM
Volume	26
ISSN (Print)	0743-166X

Conference

Conference	34th IEEE Annual Conference on Computer Communications and Networks, IEEE INFOCOM 2015
Country/Territory	Hong Kong
City	Hong Kong
Period	26/04/15 → 1/05/15

Bibliographical note

Publisher Copyright:
© 2015 IEEE.

ASJC Scopus subject areas

General Computer Science
Electrical and Electronic Engineering

Access to Document

10.1109/INFOCOM.2015.7218443

Cite this

Jafarian, J. H., Al-Shaer, E., & Duan, Q. (2015). Adversary-aware IP address randomization for proactive agility against sophisticated attackers. In 2015 IEEE Conference on Computer Communications, IEEE INFOCOM 2015 (pp. 738-746). Article 7218443 (Proceedings - IEEE INFOCOM; Vol. 26). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/INFOCOM.2015.7218443

@inproceedings{a1338037dd2943eea286415732aae1fb,

title = "Adversary-aware IP address randomization for proactive agility against sophisticated attackers",

abstract = "Network reconnaissance of IP addresses and ports is prerequisite to many host and network attacks. Meanwhile, static configurations of networks and hosts simplify this adversarial reconnaissance. In this paper, we present a novel proactive-adaptive defense technique that turns end-hosts into untraceable moving targets, and establishes dynamics into static systems by monitoring the adversarial behavior and reconfiguring the addresses of network hosts adaptively. This adaptability is achieved by discovering hazardous network ranges and addresses and evacuating network hosts from them quickly. Our approach maximizes adaptability by (1) using fast and accurate hypothesis testing for characterization of adversarial behavior, and (2) achieving a very fast IP randomization (i.e., update) rate through separating randomization from end-hosts and managing it via network appliances. The architecture and protocols of our approach can be transparently deployed on legacy networks, as well as software-defined networks. Our extensive analysis and evaluation show that by adaptive distortion of adversarial reconnaissance, our approach slows down the attack and increases its detectability, thus significantly raising the bar against stealthy scanning, major classes of evasive scanning and worm propagation, as well as targeted (hacking) attacks.",

author = "Jafarian, \{Jafar Haadi\} and Ehab Al-Shaer and Qi Duan",

note = "Publisher Copyright: {\textcopyright} 2015 IEEE.; 34th IEEE Annual Conference on Computer Communications and Networks, IEEE INFOCOM 2015 ; Conference date: 26-04-2015 Through 01-05-2015",

year = "2015",

month = aug,

day = "21",

doi = "10.1109/INFOCOM.2015.7218443",

language = "English",

series = "Proceedings - IEEE INFOCOM",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "738--746",

booktitle = "2015 IEEE Conference on Computer Communications, IEEE INFOCOM 2015",

address = "United States",

}

Jafarian, JH, Al-Shaer, E & Duan, Q 2015, Adversary-aware IP address randomization for proactive agility against sophisticated attackers. in 2015 IEEE Conference on Computer Communications, IEEE INFOCOM 2015., 7218443, Proceedings - IEEE INFOCOM, vol. 26, Institute of Electrical and Electronics Engineers Inc., pp. 738-746, 34th IEEE Annual Conference on Computer Communications and Networks, IEEE INFOCOM 2015, Hong Kong, Hong Kong, 26/04/15. https://doi.org/10.1109/INFOCOM.2015.7218443

Adversary-aware IP address randomization for proactive agility against sophisticated attackers. / Jafarian, Jafar Haadi; Al-Shaer, Ehab; Duan, Qi.
2015 IEEE Conference on Computer Communications, IEEE INFOCOM 2015. Institute of Electrical and Electronics Engineers Inc., 2015. p. 738-746 7218443 (Proceedings - IEEE INFOCOM; Vol. 26).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Adversary-aware IP address randomization for proactive agility against sophisticated attackers

AU - Jafarian, Jafar Haadi

AU - Al-Shaer, Ehab

AU - Duan, Qi

PY - 2015/8/21

Y1 - 2015/8/21

N2 - Network reconnaissance of IP addresses and ports is prerequisite to many host and network attacks. Meanwhile, static configurations of networks and hosts simplify this adversarial reconnaissance. In this paper, we present a novel proactive-adaptive defense technique that turns end-hosts into untraceable moving targets, and establishes dynamics into static systems by monitoring the adversarial behavior and reconfiguring the addresses of network hosts adaptively. This adaptability is achieved by discovering hazardous network ranges and addresses and evacuating network hosts from them quickly. Our approach maximizes adaptability by (1) using fast and accurate hypothesis testing for characterization of adversarial behavior, and (2) achieving a very fast IP randomization (i.e., update) rate through separating randomization from end-hosts and managing it via network appliances. The architecture and protocols of our approach can be transparently deployed on legacy networks, as well as software-defined networks. Our extensive analysis and evaluation show that by adaptive distortion of adversarial reconnaissance, our approach slows down the attack and increases its detectability, thus significantly raising the bar against stealthy scanning, major classes of evasive scanning and worm propagation, as well as targeted (hacking) attacks.

AB - Network reconnaissance of IP addresses and ports is prerequisite to many host and network attacks. Meanwhile, static configurations of networks and hosts simplify this adversarial reconnaissance. In this paper, we present a novel proactive-adaptive defense technique that turns end-hosts into untraceable moving targets, and establishes dynamics into static systems by monitoring the adversarial behavior and reconfiguring the addresses of network hosts adaptively. This adaptability is achieved by discovering hazardous network ranges and addresses and evacuating network hosts from them quickly. Our approach maximizes adaptability by (1) using fast and accurate hypothesis testing for characterization of adversarial behavior, and (2) achieving a very fast IP randomization (i.e., update) rate through separating randomization from end-hosts and managing it via network appliances. The architecture and protocols of our approach can be transparently deployed on legacy networks, as well as software-defined networks. Our extensive analysis and evaluation show that by adaptive distortion of adversarial reconnaissance, our approach slows down the attack and increases its detectability, thus significantly raising the bar against stealthy scanning, major classes of evasive scanning and worm propagation, as well as targeted (hacking) attacks.

UR - https://www.scopus.com/pages/publications/84954244103

U2 - 10.1109/INFOCOM.2015.7218443

DO - 10.1109/INFOCOM.2015.7218443

M3 - Conference contribution

AN - SCOPUS:84954244103

T3 - Proceedings - IEEE INFOCOM

SP - 738

EP - 746

BT - 2015 IEEE Conference on Computer Communications, IEEE INFOCOM 2015

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 34th IEEE Annual Conference on Computer Communications and Networks, IEEE INFOCOM 2015

Y2 - 26 April 2015 through 1 May 2015

ER -

Adversary-aware IP address randomization for proactive agility against sophisticated attackers

Abstract

Publication series

Conference

Bibliographical note

ASJC Scopus subject areas

Access to Document

Fingerprint

Cite this