Moving target defense of routing randomization with deep reinforcement learning against eavesdropping attack

Eavesdropping attacks have become one of the most common attacks on networks because of their easy implementation. Eavesdropping attacks not only lead to transmission data leakage but also develop into other more harmful attacks. Routing randomization is a relevant research direction for moving target defense, which has been proven to be an effective method to resist eavesdropping attacks. To counter eavesdropping attacks, in this study, we analyzed the existing routing randomization methods and found that their security and usability need to be further improved. According to the characteristics of eavesdropping attacks, which are “latent and transferable”, a routing randomization defense method based on deep reinforcement learning is proposed. The proposed method realizes routing randomization on packet-level granularity using programmable switches. To improve the security and quality of service of legitimate services in networks, we use the deep deterministic policy gradient to generate random routing schemes with support from powerful network state awareness. In-band network telemetry provides real-time, accurate, and comprehensive network state awareness for the proposed method. Various experiments show that compared with other typical routing randomization defense methods, the proposed method has obvious advantages in security and usability against eavesdropping attacks.

Strategy Selection for Moving Target Defense in Incomplete Information Game

As a core component of the network,web applications have become one of the preferred targets for attackers because the static configuration of web applications simplifies the exploitation of vulnerabilities by attackers.Although the moving target defense(MTD)has been proposed to increase the attack difficulty for the attackers,there is no solo approach can cope with different attacks;in addition,it is impossible to implement all these approaches simultaneously due to the resource limitation.Thus,the selection of an optimal defense strategy based on MTD has become the focus of research.In general,the confrontation of two players in the security domain is viewed as a stochastic game,and the reward matrices are known to both players.However,in a real security confrontation,this scenario represents an incomplete information game.Each player can only observe the actions performed by the opponent,and the observed actions are not completely accurate.To accurately describe the attacker’s reward function to reach the Nash equilibrium,this work simulated and updated the strategy selection distribution of the attacker by observing and investigating the strategy selection history of the attacker.Next,the possible rewards of the attacker in each confrontation via the observation matrix were corrected.On this basis,the Nash-Q learning algorithm with reward quantification was proposed to select the optimal strategy.Moreover,the performances of the Minimax-Q learning algorithm and Naive-Q learning algorithm were compared and analyzed in the MTD environment.Finally,the experimental results showed that the strategy selection algorithm can enable defenders to select a more reasonable defensive strategy and achieve the maximum possible reward.

Game theoretic analysis for the mechanism of moving target defense

Moving target defense （MT_D） is a novel way to alter the asymmetric situation of attacks and defenses, and a lot of MTD studies have been carried out recently. However, relevant analysis for the defense mechanism of the MTD technology is still absent. In this paper, we analyze the defense mechanism of MTD technology in two dimensions. First, we present a new defense model named MP2R to describe the proactivity and effect of MTD technology intuitively. Second, we use the incomplete information dynamic game theory to verify the proactivity and effect of MTD technology. Specifically, we model the interaction between a defender who equips a server with different types of MTD techniques and a visitor who can be a user or an attacker, and analyze the equilibria and their conditions for these models. Then, we take an existing incomplete information dynamic game model for traditional defense and its equilibrium result as baseline for comparison, to validate the proactivity and effect of MTD technology. We also identify the factors that will influence the proactivity and effectiveness of the MTD approaches. This work gives theoretical support for understanding the defense process and defense mechanism of MTD technology and provides suggestions to improve the effectiveness of MTD approaches.

Moving target defense:state of the art and characteristics

Moving target defense(MTD) has emerged as one of the game-changing themes to alter the asymmetric situation between attacks and defenses in cyber-security. Numerous related works involving several facets of MTD have been published. However, comprehensive analyses and research on MTD are still absent. In this paper, we present a survey on MTD technologies to scientifically and systematically introduce, categorize, and summarize the existing research works in this field. First, a new security model is introduced to describe the changes in the traditional defense paradigm and security model caused by the introduction of MTD. A function-and-movement model is provided to give a panoramic overview on different perspectives for understanding the existing MTD research works. Then a systematic interpretation of published literature is presented to describe the state of the art of the three main areas in the MTD field, namely, MTD theory, MTD strategy, and MTD evaluation. Specifically,in the area of MTD strategy, the common characteristics shared by the MTD strategies to improve system security and effectiveness are identified and extrapolated. Thereafter, the methods to implement these characteristics are concluded. Moreover, the MTD strategies are classified into three types according to their specific goals, and the necessary and sufficient conditions of each type to create effective MTD strategies are then summarized, which are typically one or more of the aforementioned characteristics. Finally, we provide a number of observations for the future direction in this field, which can be helpful for subsequent researchers.

An Active Deception Defense Model Based on Address Mutation and Fingerprint Camouflage

The static and predictable characteristics of cyber systems give attackers an asymmetric advantage in gathering useful information and launching attacks.To reverse this asymmetric advantage,a new defense idea,called Moving Target Defense(MTD),has been proposed to provide additional selectable measures to complement traditional defense.However,MTD is unable to defeat the sophisticated attacker with fingerprint tracking ability.To overcome this limitation,we go one step beyond and show that the combination of MTD and Deception-based Cyber Defense(DCD)can achieve higher performance than either of them.In particular,we first introduce and formalize a novel attacker model named Scan and Foothold Attack(SFA)based on cyber kill chain.Afterwards,we develop probabilistic models for SFA defenses to provide a deeper analysis of the theoretical effect under different defense strategies.These models quantify attack success probability and the probability that the attacker will be deceived under various conditions,such as the size of address space,and the number of hosts,attack analysis time.Finally,the experimental results show that the actual defense effect of each strategy almost perfectly follows its probabilistic model.Also,the defense strategy of combining address mutation and fingerprint camouflage can achieve a better defense effect than the single address mutation.

Dynamic defenses in cyber security:Techniques,methods and challenges Author links open overlay panel

Driven by the rapid development of the Internet of Things,cloud computing and other emerging technologies,the connotation of cyberspace is constantly expanding and becoming the fifth dimension of human activities.However,security problems in cyberspace are becoming serious,and traditional defense measures(e.g.,firewall,intrusion detection systems,and security audits)often fall into a passive situation of being prone to attacks and difficult to take effect when responding to new types of network attacks with a higher and higher degree of coordination and intelligence.By constructing and implementing the diverse strategy of dynamic transformation,the configuration characteristics of systems are constantly changing,and the probability of vulnerability exposure is increasing.Therefore,the difficulty and cost of attack are increasing,which provides new ideas for reversing the asymmetric situation of defense and attack in cyberspace.Nonetheless,few related works systematically introduce dynamic defense mechanisms for cyber security.The related concepts and development strategies of dynamic defense are rarely analyzed and summarized.To bridge this gap,we conduct a comprehensive and concrete survey of recent research efforts on dynamic defense in cyber security.Specifically,we firstly introduce basic concepts and define dynamic defense in cyber security.Next,we review the architectures,enabling techniques and methods for moving target defense and mimic defense.This is followed by taxonomically summarizing the implementation and evaluation of dynamic defense.Finally,we discuss some open challenges and opportunities for dynamic defense in cyber security.

Securing Forwarding Layers from Eavesdropping Attacks Using Proactive Approaches

As an emerging network paradigm,the software-defined network(SDN)finds extensive application in areas such as smart grids,the Internet of Things(IoT),and edge computing.The forwarding layer in software-defined networks is susceptible to eavesdropping attacks.Route hopping is amoving target defense(MTD)technology that is frequently employed to resist eavesdropping attacks.In the traditional route hopping technology,both request and reply packets use the same hopping path.If an eavesdropping attacker monitors the nodes along this path,the risk of 100%data leakage becomes substantial.In this paper,we present an effective route hopping approach,called two-day different path(TDP),that turns communication paths into untraceable moving targets.This technology minimizes the probability of data leakage by transmitting request data and reply data through different paths.Firstly,a brief introduction to the network model and attack model involved in this paper is given.Secondly,the algorithm and processingmethod of the TDP are proposed.Thirdly,the paper proposes three differentmetrics tomeasure the effectiveness of the proposed approach.Finally,theoretical analysis and simulation results show that the TDP can effectively reduce the percentage of data exposure,decrease eavesdropping attack success probability,and improve the unpredictability of the path.

A keyed-hashing based self-synchronization mechanism for port address hopping communication

Port address hopping(PAH) communication is a powerful network moving target defense(MTD)mechanism. It was inspired by frequency hopping in wireless communications. One of the critical and difficult issues with PAH is synchronization. Existing schemes usually provide hops for each session lasting only a few seconds/minutes, making them easily influenced by network events such as transmission delays, traffic jams, packet dropouts, reordering, and retransmission. To address these problems, in this paper we propose a novel selfsynchronization scheme, called ‘keyed-hashing based self-synchronization(KHSS)'. The proposed method generates the message authentication code(MAC) based on the hash based MAC(HMAC), which is then further used as the synchronization information for port address encoding and decoding. Providing the PAH communication system with one-packet-one-hopping and invisible message authentication abilities enables both clients and servers to constantly change their identities as well as perform message authentication over unreliable communication mediums without synchronization and authentication information transmissions. Theoretical analysis and simulation and experiment results show that the proposed method is effective in defending against man-in-the-middle(MITM) attacks and network scanning. It significantly outperforms existing schemes in terms of both security and hopping efficiency.