Attack Graph-Based Moving Target Defense in Software-Defined Networks

Title: Attack Graph-Based Moving Target Defense in Software-Defined Networks
Publication Type: Journal Article
Year of Publication: 2020
Authors: Yoon, S., Cho, J.-H., Kim, D. S., Moore, T. J., Free-Nelson, F., Lim, H.
Journal: IEEE Transactions on Network and Service Management
Keywords: adaptive defense services, advanced SDN technology, affordable defense services, Asset Criticality, attack graph-based MTD technique, Attack Graphs, Attack Path, attack path prediction, attack success probability, attack surface, complex network, complex system operations, composability, computer network security, control systems, critical hosts, Electronic mail, graph theory, hierarchical attack graph, hierarchical attack graph model, highly exploitable hosts, interrupt attack execution, IP networks, Measurement, minimum MTD cost, moving target defense, MTD shuffling decisions, network address shuffling, network configurations, Network topology, potential attacker, Predictive Metrics, proactive defense mechanism, proactive defense services, proactive/adaptive defense, probability, Protocols, pubcrawl, Resiliency, SDN controllers, SDN functionalities, security, Software, software defined networking, software-defined networking, Software-Defined Networks, target defense, telecommunication security, telecommunication traffic
Abstract: Moving target defense (MTD) has emerged as a proactive defense mechanism aiming to thwart a potential attacker. The key underlying idea of MTD is to increase uncertainty and confusion for attackers by changing the attack surface (i.e., system or network configurations), which can invalidate the intelligence collected by the attackers and interrupt attack execution, ultimately leading to attack failure. Recently, the significant advance of software-defined networking (SDN) technology has enabled several complex system operations to be highly flexible and robust, particularly in terms of programmability and controllability with the help of SDN controllers. Accordingly, many security operations have utilized this capability to be optimally deployed in a complex network using the SDN functionalities. In this paper, by leveraging the advanced SDN technology, we developed an attack graph-based MTD technique that shuffles a host's network configurations (e.g., MAC/IP/port addresses) based on its criticality, which is highly exploitable by attackers when the host is on the attack path(s). To this end, we developed a hierarchical attack graph model that provides a network's vulnerability and network topology, which can be utilized for the MTD shuffling decisions in selecting highly exploitable hosts in a given network and determining the frequency of shuffling the hosts' network configurations. The MTD shuffling with a high priority on more exploitable, critical hosts contributes to providing adaptive, proactive, and affordable defense services aiming to minimize attack success probability with minimum MTD cost. We validated the outperformance of the proposed MTD in attack success probability and MTD cost via both simulation and real SDN testbed experiments.
Citation Key: yoon_attack_2020