TY - GEN
T1 - Random host mutation for moving target defense
AU - Al-Shaer, Ehab
AU - Duan, Qi
AU - Jafarian, Jafar Haadi
PY - 2013
Y1 - 2013
N2 - Exploiting the static configuration of networks and hosts has always been a great advantage for the design and launching of decisive attacks. Network reconnaissance of IP addresses and ports is a prerequisite to many host and network attacks. At the same time, knowing IP addresses is required for service reachability in IP networks, which makes complete concealment of IP addresses for servers infeasible. In addition, changing IP addresses too frequently may cause serious ramifications, including service interruptions, routing inflation, delays and security violations. In this paper, we present a novel approach that turns end-hosts into untraceable moving targets by transparently mutating their IP addresses in an intelligent and unpredictable fashion, without sacrificing network integrity, manageability or performance. The presented technique is called Random Host Mutation (RHM). In RHM, moving target hosts are assigned virtual IP addresses that change randomly and synchronously in a distributed fashion over time. In order to prevent disruption of active connections, the IP address mutation is managed by network appliances and is totally transparent to end-hosts. RHM employs multi-level optimized mutation techniques that maximize uncertainty in adversary scanning by effectively using the whole available address range, while at the same time minimizing the size of routing tables and reconfiguration updates. RHM can be transparently deployed on existing networks, on end-hosts or on network elements. Our analysis, implementation and evaluation show that RHM can effectively defend against stealthy scanning, many types of worm propagation, and attacks that require reconnaissance for successful launching. We also show the performance bounds for moving target defense in a practical network setup.
UR - https://www.scopus.com/pages/publications/84874541599
U2 - 10.1007/978-3-642-36883-7_19
DO - 10.1007/978-3-642-36883-7_19
M3 - Conference contribution
AN - SCOPUS:84874541599
SN - 9783642368820
T3 - Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering
SP - 310
EP - 327
BT - Security and Privacy in Communication Networks - 8th International ICST Conference, SecureComm 2012, Revised Selected Papers
T2 - 8th International ICST Conference on Security and Privacy in Communication Networks, SecureComm 2012
Y2 - 3 September 2012 through 5 September 2012
ER -