With the explosive growth of Internet traffic, large sensitive and valuable information is at risk of cyber attacks, which are mostly preceded by network reconnaissance. A moving target defense technique called host address mutation (HAM) helps facing network reconnaissance. However, there still exist several fundamental problems in HAM: 1) current approaches cannot be self-adaptive to adversarial strategies; 2) network state is time-varying because each host decides whether to mutate IP address; and 3) most methods mainly focus on enhancing security, but ignore the survivability of existing connections. In this paper, an Intelligence-Driven Host Address Mutation (ID-HAM) scheme is proposed to address aforementioned challenges. We firstly model a Markov decision process (MDP) to describe the mutation process, and design a seamless mutation mechanism. Secondly, to remove infeasible actions from the action space of MDP, we formulate address-to-host assignments as a constrained satisfaction problem. Thirdly, we design an advantage actor-critic algorithm for HAM, which aims to learn from scanning behaviors. Finally, security analysis and extensive simulations highlight the effectiveness of ID-HAM. Compared with state-of-the-art solutions, ID-HAM can decrease maximum 25% times of scanning hits while only influencing communication slightly. We also implemented a proof-of-concept prototype system to conduct experiments with multiple scanning tools.
How to Disturb Network Reconnaissance: A Moving Target Defense Approach Based on Deep Reinforcement Learning / Zhang, Tao; Xu, Changqiao; Shen, Jiahao; Kuang, Xiaohui; Grieco, Luigi Alfredo. - In: IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY. - ISSN 1556-6013. - STAMPA. - 18:(2023), pp. 5735-5748. [10.1109/TIFS.2023.3314219]
How to Disturb Network Reconnaissance: A Moving Target Defense Approach Based on Deep Reinforcement Learning
Grieco, Luigi Alfredo
2023-01-01
Abstract
With the explosive growth of Internet traffic, large sensitive and valuable information is at risk of cyber attacks, which are mostly preceded by network reconnaissance. A moving target defense technique called host address mutation (HAM) helps facing network reconnaissance. However, there still exist several fundamental problems in HAM: 1) current approaches cannot be self-adaptive to adversarial strategies; 2) network state is time-varying because each host decides whether to mutate IP address; and 3) most methods mainly focus on enhancing security, but ignore the survivability of existing connections. In this paper, an Intelligence-Driven Host Address Mutation (ID-HAM) scheme is proposed to address aforementioned challenges. We firstly model a Markov decision process (MDP) to describe the mutation process, and design a seamless mutation mechanism. Secondly, to remove infeasible actions from the action space of MDP, we formulate address-to-host assignments as a constrained satisfaction problem. Thirdly, we design an advantage actor-critic algorithm for HAM, which aims to learn from scanning behaviors. Finally, security analysis and extensive simulations highlight the effectiveness of ID-HAM. Compared with state-of-the-art solutions, ID-HAM can decrease maximum 25% times of scanning hits while only influencing communication slightly. We also implemented a proof-of-concept prototype system to conduct experiments with multiple scanning tools.I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
