Michael B. Crouse

Analysis of network address shuffling as a moving target defense

Address shuffling is a type of moving target defense that prevents an attacker from reliably contacting a system by periodically remapping network addresses. Although limited testing has demonstrated it to be effective, little research has been conducted to examine the theoretical limits of address shuffling. As a result, it is difficult to understand how effective shuffling is and under what circumstances it is a viable moving target defense. This paper introduces probabilistic models that can provide insight into the performance of address shuffling. These models quantify the probability of attacker success in terms of network size, quantity of addresses scanned, quantity of vulnerable systems, and the frequency of shuffling. Theoretical analysis shows that shuffling is an acceptable defense if there is a small population of vulnerable systems within a large network address space, however shuffling has a cost for legitimate users. These results will also be shown empirically using simulation and actual traffic traces.

A moving target environment for computer configurations using Genetic Algorithms

Moving Target (MT) environments for computer systems provide security through diversity by changing various system properties that are explicitly defined in the computer configuration. Temporal diversity can be achieved by making periodic configuration changes; however in an infrastructure of multiple similarly purposed computers diversity must also be spatial, ensuring multiple computers do not simultaneously share the same configuration and potential vulnerabilities. Given the number of possible changes and their potential interdependencies discovering computer configurations that are secure, functional, and diverse is challenging. This paper describes how a Genetic Algorithm (GA) can be employed to find temporally and spatially diverse secure computer configurations. In the proposed approach a computer configuration is modeled as a chromosome, where an individual configuration setting is a trait or allele. The GA operates by combining multiple chromosomes (configurations) which are tested for feasibility and ranked based on performance which will be measured as resistance to attack. Successive iterations of the GA yield configurations that are often more secure and diverse due to the crossover and mutation processes. Simulations results will demonstrate this approach can provide at MT environment for a large infrastructure of similarly purposed computers by discovering temporally and spatially diverse secure configurations.

Probabilistic Performance Analysis of Moving Target and Deception Reconnaissance Defenses

Deception and moving target reconnaissance defenses are techniques that attempt to invalidate information an attacker attempts to gather. Deception defenses attempt to mislead attackers performing network reconnaissance, while moving target defenses seek to make it more difficult for the attacker to predict the state of their target by dynamically altering what the attacker sees. Although the deployment of reconnaissance defenses can be effective, there are nontrivial administration costs associated with their configuration and maintenance. As a result, understanding under the circumstances these defenses are effective and efficient is important. This paper introduces probabilistic models for reconnaissance defenses to provide deeper understanding of the theoretical effect these strategies and their parameters have for cyber defense. The models quantify the success of attackers under various conditions, such as network size, deployment of size, and number of vulnerable computers. This paper provides a probabilistic interpretation for the performance of honeypots, for deception, and network address shuffling, for moving target, and their effect in concert. The models indicate that a relatively small number of deployed honeypots can provide an effective defense strategy, often better than movement alone. Furthermore, the models confirm the intuition that that combining, or layering, defense mechanisms provide the largest impact to attacker success while providing a quantitative analysis of the improvement and parameters of each strategy.

Using swarming agents for scalable security in large network environments

The difficulty of securing computer infrastructures increases as they grow in size and complexity. Network-based security solutions such as IDS and firewalls cannot scale because of exponentially increasing computational costs inherent in detecting the rapidly growing number of threat signatures. Host-based solutions like virus scanners and IDS suffer similar issues that are compounded when enterprises try to monitor them in a centralized manner. Swarm-based autonomous agent systems like digital ants and artificial immune systems can provide a scalable security solution for large network environments. The digital ants approach offers a biologically inspired design where each ant in the virtual colony can detect atoms of evidence that may help identify a possible threat. By assembling the atomic evidences from different ant types the colony may detect the threat. This decentralized approach can require, on average, fewer computational resources than traditional centralized solutions; however there are limits to its scalability. This paper describes how dividing a large infrastructure into smaller, managed enclaves allows the digital ant framework to effectively operate in larger environments. Experimental results will show that using smaller enclaves allows for more consistent distribution of agents and results in faster response times.

Taming Wireless Fluctuations by Predictive Queuing Using a Sparse-Coding Link-State Model

We introduce State-Informed Link-Layer Queuing (SILQ), a system that models, predicts, and avoids packet delivery failures caused by temporary wireless outages in everyday scenarios. By stabilizing connections in adverse link conditions, SILQ boosts throughput and reduces performance variation for network applications, for example by preventing unnecessary TCP timeouts due to dead zones, elevators, and subway tunnels. SILQ makes predictions in real-time by actively probing links, matching measurements to an overcomplete dictionary of patterns learned offline, and classifying the resulting sparse feature vectors to identify those that precede outages. We use a clustering method called sparse coding to build our data-driven link model, and show that it produces more variation-tolerant predictions than traditional loss-rate, location-based, or Markov chain techniques. We present extensive data collection and field-validation of SILQ in airborne, indoor, and urban scenarios of practical interest. We show how offline unsupervised learning discovers link-state patterns that are stable across diverse networks and signal-propagation environments. Using these canonical primitives, we train outage predictors for 802.11 (Wi-Fi) and 3G cellular networks to demonstrate TCP throughput gains of 4x with off-the-shelf mobile devices. SILQ addresses delivery failures solely at the link layer, requires no new hardware, and upholds the end-to-end design principle, to enable easy integration across applications, devices, and networks.

Bio-Inspired Enterprise Security

Providing security for enterprises is difficult due to the size and complexity of their computing and networking infrastructures. These environments consist of a large number of diverse systems and services that continually change, thus they are difficult to defend using current static-oriented defense mechanisms. This paper introduces a new security paradigm that mimics designs in nature to ensure the safety and soundness of infrastructures that are potentially very diverse and dynamic. Primary inspiration has come from ant colonies, social networking, and bioinformatics. The proposed framework combines these ideas to provide complex-adaptive security for computer systems, telecommunications, and critical Supervisory Control and Data Acquisition (SCADA) infrastructures.

Nested Buddy System: A New Block Address Allocation Scheme for ISPs and IaaS Providers

We propose a novel block address allocation method, called the nested buddy system, which can make use of wasted areas in the classical buddy system due to internal fragmentation. While achieving high utilization of address space, our new scheme supports efficient address matching for routers in packet forwarding and for network middleboxes in packet filtering. Specifically, the scheme uses just one prefix rule for each allocated address block in a packet routing/filtering table. We show by analysis and simulation that the increased address utilization can lead to significant reduction in the probability of a denial-of-service under bursty address allocation requests. In contrast, the classical buddy system requires the aggregation of many requests over time to smooth out demand, resulting in service delays undesirable to end users. Our solution is applicable to ISPs in serving mobile users carrying many network connected IoT devices and IasS providers in the cloud in serving tenants with dynamically varying demands for network addresses.