MTD’19: Proceedings of the 6th ACM Workshop on Moving Target Defense
SESSION: Modeling, Analysis and Evaluation
Researchers propose Moving Target Defense (MTD) strategies for networking infrastructures as a countermeasure to impede attackers from identifying and exploiting vulnerable network hosts. In this paper, we investigate the weaknesses of Network-based Moving Target Defense (NMTD) against passive host profiling attacks. In particular, we consider periodical and reactive approaches to change hosts’ identifiers. To evaluate the capabilities of a host profiling attack, we design Hostbuster, a tool that reidentifies hosts based on network flow data. We experimentally evaluate its effectiveness using real-world network traffic from the University of Oxford. We show the robustness of learned host profiles, which are valid for more than two months. On average, our experiments result in 80% classification performance given by the F1 score. As a result of these analyses, we provide guidelines to strengthen NMTD against these types of attacks.
Cyber agility enables cyber systems to defend proactively against sophisticated attacks by dynamically changing the system configuration parameters (called mutable parameters) in order to deceive adversaries from reaching their goals, disrupt the attack plans by forcing them to change their adversarial behaviors, and/or deter them through prohibitively increasing the cost for attacks. However, developing cyber agility such as moving target defense techniques that are provably safe is a highly complex task that requires significant time and expertise. Our goal is to address this challenge by providing a framework for automating the creation of configuration-based moving target techniques rapidly and safely.
In this paper, we present a cyber agility synthesis framework, called MTDSynth, that contains a formal ontology, MTD policy language, and MTD controller synthesis engine for implementing configuration-based moving target defense techniques. The policy language contains the agility specifications required to model the MTD technique, such as sensors, mutation trigger, mutation parameters, mutation actions, and mutation constraints. Based on the mutation constraints, the MTD controller synthesis engine provides an MTD policy refinement implementation for SDN configuration with provable properties using constraint satisfaction solvers. We show several examples of MTD controller synthesis, including temporal and spatial IP mutation, path mutation, and detector mutation.
We developed our ActivSDN over the OpenDaylight SDN controller as an open programming environment to enable rapid and safe development of MTD sense-making and decision-making actions. Our implementation and evaluation experiments show not only the feasibility of MTD policy refinement but also the insignificant computational overhead of this refinement process.
Mobile Edge Computing (MEC) is delivering a rich portfolio of computation services to resource-constrained mobile devices, enabling ultra-low latency and location-awareness for the emerging mobile applications. However, the vulnerability of this new paradigm to potential security and privacy issues prevents mobile users from fully embracing its advantage. While various defensive strategies have been proposed to secure the connection between the end devices and edge servers, an equally important issue, the server-side risk, is still under-investigated for most edge computing systems. To handle these server-side risks, a Risk-aware Computation Offloading (RCO) policy is proposed in this paper to distribute computation tasks safely among geographically distributed edge sites under server-side attacks. RCO takes into account the strategic behaviors of the potential attackers in the edge system and finds an appropriate balance between risk management and service delay reduction. The Bayesian Stackelberg game is employed to formulate the RCO problem, which describes an appropriate relation between the edge system (as a defender) and the attacker. In particular, the Bayesian Stackelberg game captures the uncertainty of the attacker’s behavior and enables RCO to work even when the edge system does not know precisely the attacker that it is playing against. To facilitate the derivation of Stackelberg equilibria, two pruning rules, Heuristic Pruning (HP) and Branch-and-Bound (BaB), are proposed. HP prunes by analyzing the user demand distribution and attack type, and BaB prunes by obtaining the tight upper/lower bound of edge system utility with the assistance of disjunctive programming and Benders’ cut. Extensive simulations show that the proposed algorithm helps improve the scalability and efficiency of risk-aware computation offloading.
SESSION: Frameworks and Methods
Recent years have witnessed a surging trend of leveraging deception techniques to detect and defeat sophisticated cyber attacks such as the advanced persistent threat. Deception typically employs a decoy network to entrap the attackers and divert the firepower away from the real protected assets. Unfortunately, existing decoy systems failed to achieve a balanced tradeoff between the decoy fidelity and scalability, which potentially undermines the effectiveness of attacker deception. In this paper, we propose a hybrid decoy architecture that separates lightweight front-end decoys from high-fidelity back-end decoy servers. To enhance the deception effectiveness, we introduce dynamics into the decoy system design to make the decoy a moving target, where the front-end decoys constrain attackers by transparently intercepting and forwarding the malicious commands to the heterogeneous back-end decoys for real execution. We implement two prototypes of the hybrid decoy architecture based on Linux Bash shell and Windows PowerShell. The experimental results demonstrate that our system can effectively misdirect and disinform attackers with small network and system overhead.
An increasing number of devices of our everyday life are referred to as connected objects. Most of them need an Internet connection, and are thus provided with a public IP address. With these IP addresses come new security threats as attackers may attempt to attack a whole family of objects. This problem becomes even more worrying when considering safety critical objects (i.e., their failures can have catastrophic consequences). In this paper we propose a Moving Target Defense (MTD) technique at the network level, that consists in reassigning objects’ IP addresses in order to escape from attackers both outside and inside the object’s subnetwork. We propose different variants of this defense allowing for a trade-off between (i) increasing the security level, and (ii) lowering the network load overhead due to the defense. As opposed to existing works, we also define a method to maintain the objects’ connectivity while reassigning IP addresses. A motivating example from the automotive domain is used to illustrate the applicability of this work.
Moving Target Defense (MTD) has emerged as a newcomer into the asymmetric field of attack and defense, and shuffling-based MTD has been regarded as one of the most effective ways to mitigate DDoS attacks. However, previous work does not acknowledge that frequent shuffles would significantly intensify the overhead. MTD requires a quantitative measure to compare the cost and effectiveness of available adaptations and explore the best trade-off between them. In this paper, therefore, we propose a new cost-effective shuffling method against DDoS attacks using MTD. By exploiting Multi-Objective Markov Decision Processes to model the interaction between the attacker and the defender, and designing a cost-effective shuffling algorithm, we study the best trade-off between the effectiveness and cost of shuffling in a given shuffling scenario. Finally, simulation and experimentation on an experimental software defined network (SDN) indicate that our approach imposes an acceptable shuffling overload and is effective in mitigating DDoS attacks.
SESSION: Strategies and Applications
Browser fingerprinting is a technique that collects information about the browser configuration and the environment in which it is running. This information is so diverse that it can partially or totally identify users online. Over time, several countermeasures have emerged to mitigate tracking through browser fingerprinting. However, these measures do not offer full coverage in terms of privacy protection, as some of them may introduce inconsistencies or unusual behaviors, making these users stand out from the rest.
We address these limitations by proposing a novel approach that minimizes both the identifiability of users and the required changes to browser configuration. To this end, we exploit clustering algorithms to identify the devices that are prone to share the same or similar fingerprints and to provide them with a new non-unique fingerprint. We then use this fingerprint to automatically assemble and run web browsers through virtualization within a docker container. Thus all the devices in the same cluster will end up running a web browser with an indistinguishable and consistent fingerprint.
Should I (re)Learn or Should I Go(on)?: Stream Machine Learning for Adaptive Defense against Network Attacks
Continuous, dynamic and short-term learning is an effective learning strategy when operating in dynamic and adversarial environments, where concept drift constantly occurs and attacks rapidly change over time. In an on-line, stream learning model, data arrives as a stream of sequentially ordered samples, and older data is no longer available to revise earlier suboptimal modeling decisions as the fresh data arrives. Stream approaches work in a limited amount of time, and have the advantage of being able to perform predictions at any point in time during the stream. We focus on a particularly challenging problem, that of continually learning detection models capable of recognizing cyber-attacks and system intrusions in a highly dynamic and adversarial environment such as the open Internet. We consider adaptive learning algorithms for the analysis of continuously evolving network data streams, using (dynamic) sliding windows, representing the system memory, to periodically re-learn, automatically adapting to concept drifts in the underlying data. By continuously learning and detecting concept drifts to adapt memory length, we show that adaptive learning algorithms can realize high detection accuracy of evolving network attacks over dynamic network data streams.