A Cost-effective Shuffling Method against DDoS Attacks using Moving Target Defense
ABSTRACT
Moving Target Defense (MTD) has emerged as a way to rebalance the asymmetric contest between attackers and defenders, and shuffling-based MTD is regarded as one of the most effective ways to mitigate DDoS attacks. Previous work, however, does not acknowledge that frequent shuffles significantly increase the defender's overhead. MTD needs a quantitative measure to compare the cost and effectiveness of the available adaptations and to find the best trade-off between them. In this paper we therefore propose a new cost-effective shuffling method against DDoS attacks using MTD. By modeling the interaction between attacker and defender as a Multi-Objective Markov Decision Process and designing a cost-effective shuffling algorithm, we study the best trade-off between the effectiveness and the cost of shuffling in a given shuffling scenario. Finally, simulation and experiments on an experimental software-defined network (SDN) indicate that our approach imposes acceptable shuffling overhead and is effective in mitigating DDoS attacks.
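The abstract treats shuffle effectiveness and shuffle overhead as two separate objectives of one decision process. The following is an added toy example, not the paper's model or code: a hypothetical multi-objective MDP in which the state is the number of relocatable service addresses an attacker has already discovered, the defender chooses each step whether to shuffle, the reward is the vector (negative attack damage, negative shuffle cost), and a linear scalarization weight selects one point on the trade-off. All parameters (four proxies, a 0.5 discovery probability, a 0.6 shuffle cost, discount 0.9, and the assumption that a shuffle wipes the attacker's knowledge) are assumptions chosen for illustration.

```python
"""Added example: a toy multi-objective MDP for the shuffle / don't-shuffle decision.

This is NOT the paper's model; every parameter below is an assumption chosen for
illustration. It shows how a scalarization weight on (effectiveness, cost) moves
the point at which shuffling becomes worth its overhead.
"""
from dataclasses import dataclass

KEEP, SHUFFLE = 0, 1
ACTIONS = (KEEP, SHUFFLE)


@dataclass(frozen=True)
class ShuffleMDP:
    n_proxies: int = 4         # relocatable service addresses (assumed)
    p_discover: float = 0.5    # per-step chance the attacker locates one more address (assumed)
    shuffle_cost: float = 0.6  # overhead of one shuffle, on the same 0..1 scale as damage (assumed)
    gamma: float = 0.9         # discount factor (assumed)

    def states(self):
        # state s = number of addresses the attacker currently knows, 0..n_proxies
        return range(self.n_proxies + 1)

    def reward(self, s, a):
        """Objective vector (effectiveness, cost); both expressed as negative rewards."""
        damage = s / self.n_proxies                      # fraction of the service the flood can reach
        cost = self.shuffle_cost if a == SHUFFLE else 0.0
        return (-damage, -cost)

    def transitions(self, s, a):
        """[(probability, next_state)]. Assumption: a shuffle invalidates everything the
        attacker has learned, after which reconnaissance continues as before."""
        if a == SHUFFLE:
            s = 0
        if s < self.n_proxies:
            return [(self.p_discover, s + 1), (1.0 - self.p_discover, s)]
        return [(1.0, s)]


def scalarize(vec, w_eff):
    """Linear scalarization: weight w_eff on effectiveness, 1 - w_eff on cost."""
    return w_eff * vec[0] + (1.0 - w_eff) * vec[1]


def q_value(mdp, V, s, a, w_eff):
    return scalarize(mdp.reward(s, a), w_eff) + mdp.gamma * sum(
        p * V[s2] for p, s2 in mdp.transitions(s, a))


def solve(mdp, w_eff, iters=500):
    """Value iteration on the scalarized reward; returns the greedy policy {state: action}."""
    V = {s: 0.0 for s in mdp.states()}
    for _ in range(iters):
        for s in mdp.states():
            V[s] = max(q_value(mdp, V, s, a, w_eff) for a in ACTIONS)
    # max() returns the first maximal element, so KEEP wins ties: shuffling must strictly pay off
    return {s: max(ACTIONS, key=lambda a: q_value(mdp, V, s, a, w_eff)) for s in mdp.states()}


def shuffle_threshold(policy):
    """Smallest number of known addresses at which the policy shuffles (None = never)."""
    for s, a in sorted(policy.items()):
        if a == SHUFFLE:
            return s
    return None


def evaluate(mdp, policy, start=0, iters=500):
    """Vector-valued policy evaluation: expected discounted (effectiveness, cost) from `start`."""
    V = {s: (0.0, 0.0) for s in mdp.states()}
    for _ in range(iters):
        for s in mdp.states():
            a = policy[s]
            r, nxt = mdp.reward(s, a), mdp.transitions(s, a)
            V[s] = tuple(r[i] + mdp.gamma * sum(p * V[s2][i] for p, s2 in nxt) for i in range(2))
    return V[start]


def tradeoff_table(mdp, weights=(0.0, 0.5, 0.8, 1.0)):
    """One row per weight: (w_eff, shuffle threshold, expected effectiveness, expected cost)."""
    rows = []
    for w in weights:
        pol = solve(mdp, w)
        eff, cost = evaluate(mdp, pol)
        rows.append((w, shuffle_threshold(pol), eff, cost))
    return rows


if __name__ == "__main__":
    for w, k, eff, cost in tradeoff_table(ShuffleMDP()):
        print(f"w_eff={w:.1f}  shuffle when known>={k}  damage={-eff:.3f}  overhead={-cost:.3f}")
```

With these assumed parameters the policy never shuffles when only cost is weighted, shuffles once two of the four addresses are known at an even weight, and shuffles as soon as a single address leaks when effectiveness dominates; the `evaluate` rows make the price of each choice explicit as a (damage, overhead) pair rather than a single number, which is the comparison the abstract says a defender needs.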