Multi-dimensional host identity anonymization for defeating skilled attackers

Jafar Haadi Jafarian; Amirreza Niakanlahiji; Ehab Al-Shaer; Qi Duan

doi:10.1145/2995272.2995278

Multi-dimensional host identity anonymization for defeating skilled attackers

Jafar Haadi Jafarian, Amirreza Niakanlahiji, Ehab Al-Shaer, Qi Duan

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

26 Scopus citations

Abstract

While existing proactive-based paradigms such as address mutation are effective in slowing down reconnaissance by naive attackers, they are ineffective against skilled human attackers. In this paper, we analytically show that the goal of defeating reconnaissance by skilled human attackers is only achievable by an integration of five defensive dimensions: (1) mutating host addresses, (2) mutating host fingerprints, (3) anonymizing host fingerprints, (4) deploying high-fidelity honeypots with context-aware fingerprints, and (5) deploying context-aware content on those honeypots. Using a novel class of honeypots, referred to as proxy honeypots (high-interaction honeypots with customizable fingerprints), we propose a proactive defense model, called (HIDE), that constantly mutates addresses and fingerprints of network hosts and proxy honeypots in a manner that maximally anonymizes identity of network hosts. The objective is to make a host untraceable over time by not letting even skilled attackers reuse discovered attributes of a host in previous scanning, including its addresses and fingerprint, to identify that host again. The mutations are generated through formal definition and modeling of the problem. Using a red teaming evaluation with a group of white-hat hackers, we evaluated our five-dimensional defense model and compared its effectiveness with alternative and competing scenarios. These experiments as well as our analytical evaluation show that by anonymizing all identifying attributes of a host/honeypot over time, HIDE is able to significantly complicate reconnaissance, even for highly skilled human attackers.

Original language	English
Title of host publication	MTD 2016 - Proceedings of the 2016 ACM Workshop on Moving Target Defense, co-located with CCS 2016
Publisher	Association for Computing Machinery, Inc
Pages	47-58
Number of pages	12
ISBN (Electronic)	9781450345705
DOIs	https://doi.org/10.1145/2995272.2995278
State	Published - 24 Oct 2016
Externally published	Yes
Event	2016 ACM Workshop on Moving Target Defense, MTD 2016 - Vienna, Austria Duration: 24 Oct 2016 → …

Publication series

Name	MTD 2016 - Proceedings of the 2016 ACM Workshop on Moving Target Defense, co-located with CCS 2016

Conference

Conference	2016 ACM Workshop on Moving Target Defense, MTD 2016
Country/Territory	Austria
City	Vienna
Period	24/10/16 → …

Bibliographical note

Publisher Copyright:
© 2016 ACM.

ASJC Scopus subject areas

Computer Networks and Communications
Control and Systems Engineering
Computer Science Applications

Access to Document

10.1145/2995272.2995278

Cite this

Jafarian, J. H., Niakanlahiji, A., Al-Shaer, E., & Duan, Q. (2016). Multi-dimensional host identity anonymization for defeating skilled attackers. In MTD 2016 - Proceedings of the 2016 ACM Workshop on Moving Target Defense, co-located with CCS 2016 (pp. 47-58). (MTD 2016 - Proceedings of the 2016 ACM Workshop on Moving Target Defense, co-located with CCS 2016). Association for Computing Machinery, Inc. https://doi.org/10.1145/2995272.2995278

Jafarian, Jafar Haadi ; Niakanlahiji, Amirreza ; Al-Shaer, Ehab et al. / Multi-dimensional host identity anonymization for defeating skilled attackers. MTD 2016 - Proceedings of the 2016 ACM Workshop on Moving Target Defense, co-located with CCS 2016. Association for Computing Machinery, Inc, 2016. pp. 47-58 (MTD 2016 - Proceedings of the 2016 ACM Workshop on Moving Target Defense, co-located with CCS 2016).

@inproceedings{3a7c8910af604f35afd6898ac4e6f0a3,

title = "Multi-dimensional host identity anonymization for defeating skilled attackers",

abstract = "While existing proactive-based paradigms such as address mutation are effective in slowing down reconnaissance by naive attackers, they are ineffective against skilled human attackers. In this paper, we analytically show that the goal of defeating reconnaissance by skilled human attackers is only achievable by an integration of five defensive dimensions: (1) mutating host addresses, (2) mutating host fingerprints, (3) anonymizing host fingerprints, (4) deploying high-fidelity honeypots with context-aware fingerprints, and (5) deploying context-aware content on those honeypots. Using a novel class of honeypots, referred to as proxy honeypots (high-interaction honeypots with customizable fingerprints), we propose a proactive defense model, called (HIDE), that constantly mutates addresses and fingerprints of network hosts and proxy honeypots in a manner that maximally anonymizes identity of network hosts. The objective is to make a host untraceable over time by not letting even skilled attackers reuse discovered attributes of a host in previous scanning, including its addresses and fingerprint, to identify that host again. The mutations are generated through formal definition and modeling of the problem. Using a red teaming evaluation with a group of white-hat hackers, we evaluated our five-dimensional defense model and compared its effectiveness with alternative and competing scenarios. These experiments as well as our analytical evaluation show that by anonymizing all identifying attributes of a host/honeypot over time, HIDE is able to significantly complicate reconnaissance, even for highly skilled human attackers.",

author = "Jafarian, \{Jafar Haadi\} and Amirreza Niakanlahiji and Ehab Al-Shaer and Qi Duan",

note = "Publisher Copyright: {\textcopyright} 2016 ACM.; 2016 ACM Workshop on Moving Target Defense, MTD 2016 ; Conference date: 24-10-2016",

year = "2016",

month = oct,

day = "24",

doi = "10.1145/2995272.2995278",

language = "English",

series = "MTD 2016 - Proceedings of the 2016 ACM Workshop on Moving Target Defense, co-located with CCS 2016",

publisher = "Association for Computing Machinery, Inc",

pages = "47--58",

booktitle = "MTD 2016 - Proceedings of the 2016 ACM Workshop on Moving Target Defense, co-located with CCS 2016",

}

Jafarian, JH, Niakanlahiji, A, Al-Shaer, E & Duan, Q 2016, Multi-dimensional host identity anonymization for defeating skilled attackers. in MTD 2016 - Proceedings of the 2016 ACM Workshop on Moving Target Defense, co-located with CCS 2016. MTD 2016 - Proceedings of the 2016 ACM Workshop on Moving Target Defense, co-located with CCS 2016, Association for Computing Machinery, Inc, pp. 47-58, 2016 ACM Workshop on Moving Target Defense, MTD 2016, Vienna, Austria, 24/10/16. https://doi.org/10.1145/2995272.2995278

Multi-dimensional host identity anonymization for defeating skilled attackers. / Jafarian, Jafar Haadi; Niakanlahiji, Amirreza; Al-Shaer, Ehab et al.
MTD 2016 - Proceedings of the 2016 ACM Workshop on Moving Target Defense, co-located with CCS 2016. Association for Computing Machinery, Inc, 2016. p. 47-58 (MTD 2016 - Proceedings of the 2016 ACM Workshop on Moving Target Defense, co-located with CCS 2016).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Multi-dimensional host identity anonymization for defeating skilled attackers

AU - Jafarian, Jafar Haadi

AU - Niakanlahiji, Amirreza

AU - Al-Shaer, Ehab

AU - Duan, Qi

PY - 2016/10/24

Y1 - 2016/10/24

N2 - While existing proactive-based paradigms such as address mutation are effective in slowing down reconnaissance by naive attackers, they are ineffective against skilled human attackers. In this paper, we analytically show that the goal of defeating reconnaissance by skilled human attackers is only achievable by an integration of five defensive dimensions: (1) mutating host addresses, (2) mutating host fingerprints, (3) anonymizing host fingerprints, (4) deploying high-fidelity honeypots with context-aware fingerprints, and (5) deploying context-aware content on those honeypots. Using a novel class of honeypots, referred to as proxy honeypots (high-interaction honeypots with customizable fingerprints), we propose a proactive defense model, called (HIDE), that constantly mutates addresses and fingerprints of network hosts and proxy honeypots in a manner that maximally anonymizes identity of network hosts. The objective is to make a host untraceable over time by not letting even skilled attackers reuse discovered attributes of a host in previous scanning, including its addresses and fingerprint, to identify that host again. The mutations are generated through formal definition and modeling of the problem. Using a red teaming evaluation with a group of white-hat hackers, we evaluated our five-dimensional defense model and compared its effectiveness with alternative and competing scenarios. These experiments as well as our analytical evaluation show that by anonymizing all identifying attributes of a host/honeypot over time, HIDE is able to significantly complicate reconnaissance, even for highly skilled human attackers.

AB - While existing proactive-based paradigms such as address mutation are effective in slowing down reconnaissance by naive attackers, they are ineffective against skilled human attackers. In this paper, we analytically show that the goal of defeating reconnaissance by skilled human attackers is only achievable by an integration of five defensive dimensions: (1) mutating host addresses, (2) mutating host fingerprints, (3) anonymizing host fingerprints, (4) deploying high-fidelity honeypots with context-aware fingerprints, and (5) deploying context-aware content on those honeypots. Using a novel class of honeypots, referred to as proxy honeypots (high-interaction honeypots with customizable fingerprints), we propose a proactive defense model, called (HIDE), that constantly mutates addresses and fingerprints of network hosts and proxy honeypots in a manner that maximally anonymizes identity of network hosts. The objective is to make a host untraceable over time by not letting even skilled attackers reuse discovered attributes of a host in previous scanning, including its addresses and fingerprint, to identify that host again. The mutations are generated through formal definition and modeling of the problem. Using a red teaming evaluation with a group of white-hat hackers, we evaluated our five-dimensional defense model and compared its effectiveness with alternative and competing scenarios. These experiments as well as our analytical evaluation show that by anonymizing all identifying attributes of a host/honeypot over time, HIDE is able to significantly complicate reconnaissance, even for highly skilled human attackers.

UR - https://www.scopus.com/pages/publications/84998694431

U2 - 10.1145/2995272.2995278

DO - 10.1145/2995272.2995278

M3 - Conference contribution

AN - SCOPUS:84998694431

T3 - MTD 2016 - Proceedings of the 2016 ACM Workshop on Moving Target Defense, co-located with CCS 2016

SP - 47

EP - 58

BT - MTD 2016 - Proceedings of the 2016 ACM Workshop on Moving Target Defense, co-located with CCS 2016

PB - Association for Computing Machinery, Inc

T2 - 2016 ACM Workshop on Moving Target Defense, MTD 2016

Y2 - 24 October 2016

ER -

Jafarian JH, Niakanlahiji A, Al-Shaer E, Duan Q. Multi-dimensional host identity anonymization for defeating skilled attackers. In MTD 2016 - Proceedings of the 2016 ACM Workshop on Moving Target Defense, co-located with CCS 2016. Association for Computing Machinery, Inc. 2016. p. 47-58. (MTD 2016 - Proceedings of the 2016 ACM Workshop on Moving Target Defense, co-located with CCS 2016). doi: 10.1145/2995272.2995278

Multi-dimensional host identity anonymization for defeating skilled attackers

Abstract

Publication series

Conference

Bibliographical note

ASJC Scopus subject areas

Access to Document

Fingerprint

Cite this