Publication


Featured research published by Jafar Haadi Jafarian.


International Conference on Security and Privacy in Communication Systems | 2012

Random Host Mutation for Moving Target Defense

Ehab Al-Shaer; Qi Duan; Jafar Haadi Jafarian

Exploiting the static configuration of networks and hosts has always been a great advantage for the design and launching of decisive attacks. Network reconnaissance of IP addresses and ports is a prerequisite to many host and network attacks. At the same time, knowing IP addresses is required for service reachability in IP networks, which makes complete concealment of server IP addresses infeasible. In addition, changing IP addresses too frequently may cause serious ramifications, including service interruptions, routing inflation, delays and security violations. In this paper, we present a novel approach that turns end-hosts into untraceable moving targets by transparently mutating their IP addresses in an intelligent and unpredictable fashion, without sacrificing network integrity, manageability or performance. The presented technique is called Random Host Mutation (RHM). In RHM, moving target hosts are assigned virtual IP addresses that change randomly and synchronously in a distributed fashion over time. In order to prevent disruption of active connections, the IP address mutation is managed by network appliances and is totally transparent to end-hosts. RHM employs multi-level optimized mutation techniques that maximize uncertainty in adversary scanning by effectively using the whole available address range, while at the same time minimizing the size of routing tables and reconfiguration updates. RHM can be transparently deployed on existing networks, on end-hosts or on network elements. Our analysis, implementation and evaluation show that RHM can effectively defend against stealthy scanning, many types of worm propagation, and attacks that require reconnaissance for successful launching. We also show the performance bounds for moving target defense in a practical network setup.


IEEE Transactions on Information Forensics and Security | 2015

An Effective Address Mutation Approach for Disrupting Reconnaissance Attacks

Jafar Haadi Jafarian; Ehab Al-Shaer; Qi Duan

Network reconnaissance of addresses and ports is a prerequisite to the vast majority of cyber attacks. Meanwhile, the static address configuration of networks and hosts simplifies adversarial reconnaissance for target discovery. Although the randomization of host addresses has been suggested as a proactive disruption mechanism against such reconnaissance, the proposed approaches do not exploit the full potential of address randomization in providing unpredictability and attack adaptability. Moreover, these approaches do not provide a thorough analysis of the effectiveness and limitations of address randomization against relevant threat models, including stealthy scanning and worms. In this paper, we present an effective address randomization technique, called random host address mutation (RHM), that turns end-hosts into untraceable moving targets. This technique achieves maximum efficacy by allowing address randomization to be highly unpredictable and fast, and adaptive to adversarial behavior, while incurring low operational and reconfiguration overhead. Our approach achieves the following objectives: (1) it achieves high uncertainty in adversary scanning by modeling address mutation randomization as a multi-level satisfiability problem; (2) it adapts the mutation scheme by fast characterization of adversarial reconnaissance patterns; (3) it achieves a high mutation rate by separating mutation from end-hosts and managing it via network appliances; and (4) it preserves network integrity, manageability and performance by bounding the size of routing tables, preserving end-to-end reachability, and handling reconfiguration updates efficiently. Our extensive analyses and simulation show that RHM distorts adversarial reconnaissance, slows down (deters) the attack, and increases its detectability. Consequently, RHM is effective in countering a significant number of sophisticated threat models, including reconnaissance, stealthy/evasive scanning methods, and targeted attacks. We also address the limitations of our approach in terms of effectiveness and applicability.


International Conference on Computer Communications | 2015

Adversary-aware IP address randomization for proactive agility against sophisticated attackers

Jafar Haadi Jafarian; Ehab Al-Shaer; Qi Duan

Network reconnaissance of IP addresses and ports is a prerequisite to many host and network attacks. Meanwhile, static configurations of networks and hosts simplify this adversarial reconnaissance. In this paper, we present a novel proactive-adaptive defense technique that turns end-hosts into untraceable moving targets and introduces dynamics into static systems by monitoring adversarial behavior and reconfiguring the addresses of network hosts adaptively. This adaptability is achieved by discovering hazardous network ranges and addresses and quickly evacuating network hosts from them. Our approach maximizes adaptability by (1) using fast and accurate hypothesis testing to characterize adversarial behavior, and (2) achieving a very fast IP randomization (i.e., update) rate by separating randomization from end-hosts and managing it via network appliances. The architecture and protocols of our approach can be transparently deployed on legacy networks as well as software-defined networks. Our extensive analysis and evaluation show that, by adaptively distorting adversarial reconnaissance, our approach slows down the attack and increases its detectability, thus significantly raising the bar against stealthy scanning, major classes of evasive scanning and worm propagation, as well as targeted (hacking) attacks.


European Symposium on Research in Computer Security | 2013

Formal Approach for Route Agility against Persistent Attackers

Jafar Haadi Jafarian; Ehab Al-Shaer; Qi Duan

To proactively defend against denial of service attacks, we propose an agile multipath routing approach called random route mutation (RRM), which combines game theory and constraint satisfaction optimization to determine the optimal strategy for attack deterrence while satisfying the security, performance and QoS requirements of the network. Our contribution in this paper is fourfold: (1) we model the interaction between the RRM defender and the DoS attacker as a game in order to determine the parameters by which the defender can maximize her benefit, (2) we model route selection as a constraint satisfaction optimization and formalize it using Satisfiability Modulo Theories (SMT) to identify efficient practical routes, (3) we provide algorithms for sound and smooth deployment of RRM on conventional as well as software-defined networks, and (4) we develop analytical and experimental models to investigate the effectiveness and limitations of RRM under different network and adversarial parameters. Our analysis and preliminary implementation show that RRM can protect up to 90% of flow packets from being attacked by persistent attackers, as compared with single-path routing schemes. Moreover, our implementation shows that RRM can be efficiently deployed on networks without causing any disruption to flows.


Telecommunication Systems | 2010

GTHBAC: A Generalized Temporal History Based Access Control Model

Ali Noorollahi Ravari; Jafar Haadi Jafarian; Morteza Amini; Rasool Jalili

Time plays a crucial role in access control for new computing environments, which is not supported in traditional access control models. In this paper, we propose a Generalized Temporal History Based Access Control (GTHBAC) model, aimed at integrating history-based constraints with a generic access control model. GTHBAC enhances the specification of user-defined authorization rules by constraining time intervals and temporal expressions over users' history of accesses. Due to different application needs, GTHBAC uses two different time schemes, i.e., real time and logical time, in its authorization rules. A formal semantics for temporal authorizations is provided, and conflicting situations are also investigated and resolved in the model. To demonstrate the applicability of the proposed model, an architecture for an access control system based on the model is proposed, and a case study of employing the model to specify and enforce access control policies in a banking system is presented. The operators of GTHBAC are also compared with Linear Time Temporal Logic (LTL) operators to show the expressive power of the model.


International Conference on Social Computing | 2010

A Vagueness-based Obfuscation Technique for Protecting Location Privacy

Jafar Haadi Jafarian

The technical evolution of location technologies has augmented the development and growth of location-based services. With widespread adoption of these services, threats to location privacy are increasing, calling for more robust and sophisticated solutions. This paper proposes an intuitive obfuscation-based scheme, which uses vagueness in the human perception of nearness to provide a flexible and robust location privacy scheme. Key to this work is the concept of vagueness degree, which aims to enhance its robustness against privacy attacks. Furthermore, our scheme is totally in line with the human perception of privacy and provides a solution which mostly suits proximity-based services, social networking environments, and other similar applications. The solution is also applicable to various environments, ranging from geographical locations to IP-based and mobile networks. We propose three privacy-aware architectures for our scheme. In addition, it is shown that the time and space complexity of the scheme is polynomial. The robustness of the scheme against privacy attacks as well as its implementation issues are discussed.


Symposium on Access Control Models and Technologies | 2015

Towards a General Framework for Optimal Role Mining: A Constraint Satisfaction Approach

Jafar Haadi Jafarian; Hassan Takabi; Hakim Touati; Ehsan Hesamifard; Mohamed Shehab

Role Based Access Control (RBAC) is the most widely used advanced access control model, deployed in a variety of organizations. To deploy an RBAC system, one first needs to identify a complete set of roles, including permission-role assignments and role-user assignments. This process, known as role engineering, has been identified as one of the costliest tasks in migrating to RBAC. Since many organizations already have some form of user-permission assignments defined, it makes sense to identify roles from this existing information. This process, known as role mining, has gained significant interest in recent years, and numerous role mining techniques have been developed that take into account the characteristics of the core RBAC model as well as its various extended features, each based on a specific optimization metric. In this paper, we propose a generic approach which transforms the role mining problem into a constraint satisfaction problem. The transformation allows us to discover the optimal RBAC state based on customized optimization metrics. We also extend the RBAC model to include more context-aware and application-specific constraints. These extensions broaden the applicability of the model beyond classic role mining to include features such as permission usage, hierarchical role mining, hybrid role engineering approaches, and temporal RBAC models. We also perform experiments to show the applicability and effectiveness of the proposed approach.


International Conference on Information Security and Cryptology | 2009

Protecting Location Privacy through a Graph-Based Location Representation and a Robust Obfuscation Technique

Jafar Haadi Jafarian; Ali Noorollahi Ravari; Morteza Amini; Rasool Jalili

With the technical advancement of location technologies and their widespread adoption, information regarding the physical location of individuals is becoming more available, augmenting the development and growth of location-based services. As a result of such availability, threats to location privacy are increasing, calling for more robust and sophisticated solutions capable of providing users with straightforward yet flexible privacy. The ultimate objective of this work is to design a privacy-preserving solution, based on obfuscation techniques (imprecision and inaccuracy), capable of handling location privacy as required by users and according to their preferences. To this aim, we propose an intuitive graph-based location model, based on which users can express their regional privacy preferences. We present an obfuscation-based solution which allows us to achieve location privacy through degradation of location information, as well as to measure the reliability of such information. The proposed approach is robust and efficient, and covers some of the deficiencies of current obfuscation-based privacy solutions. We also propose two privacy-aware architectures for our solution.


Conference on Email and Anti-Spam | 2011

A gray-box DPDA-based intrusion detection technique using system-call monitoring

Jafar Haadi Jafarian; Ali Abbasi; Siavash Safaei Sheikhabadi

In this paper, we present a novel technique for automatic and efficient intrusion detection based on learning program behaviors. Program behavior is captured in terms of issued system calls augmented with point-of-system-call information, and is modeled according to an efficient deterministic pushdown automaton (DPDA). The visit frequency of each state is captured and statistically analyzed to detect abnormal execution patterns. This approach provides a very accurate learning of program behavior, which avoids a broad class of impossible-path exploits. It also allows detection of new classes of attacks such as denial-of-service and brute-force dictionary attacks. We also present a complexity analysis of our model, and show that its time and space complexity is polynomial and fairly comparable to other similar approaches in learning, and far better in detection. Moreover, we evaluate our approach experimentally in terms of false positive rate, convergence rate, and performance. Finally, we discuss the classes of attacks which are detectable and undetectable by our approach.


International Conference on Computer Safety, Reliability and Security | 2008

A Context-Aware Mandatory Access Control Model for Multilevel Security Environments

Jafar Haadi Jafarian; Morteza Amini; Rasool Jalili

Mandatory access control models have traditionally been employed as a robust security mechanism in multilevel security environments such as military domains. In traditional mandatory models, the security classes associated with entities are context-insensitive. However, context-sensitivity of security classes may be required in some environments. Moreover, as computing technology becomes more pervasive, flexible access control mechanisms are needed. Unlike traditional approaches to access control, such access decisions depend on the combination of the required credentials of users and the context of the system. Incorporating context-awareness into mandatory access control models results in a model appropriate for handling such context-aware policies and the context-sensitive class association mostly needed in multilevel security environments. In this paper, we introduce a context-aware mandatory access control model (CAMAC) capable of dynamically adapting access control policies to the context and handling context-sensitive class association, in addition to preserving confidentiality and integrity. One of the most significant characteristics of the model is its high expressiveness, which allows us to express various mandatory access control models such as Bell-LaPadula, Biba, Dion, and Chinese Wall with it.

Collaboration

Top co-authors of Jafar Haadi Jafarian:

Ehab Al-Shaer, University of North Carolina at Charlotte
Qi Duan, University of North Carolina at Charlotte
Amirreza Niakanlahiji, University of North Carolina at Charlotte
Hakim Touati, University of North Carolina at Charlotte
Hassan Takabi, University of North Texas
Mohamed Shehab, University of North Carolina at Charlotte