Yue-Bin Luo
National University of Defense Technology
Publication
Featured research published by Yue-Bin Luo.
international conference on advanced communication technology | 2016
Guilin Cai; Baosheng Wang; Yue-Bin Luo; Sudan Li; Xiaofeng Wang
Moving Target Defense (MTD) has been proposed as a game-changing theme to increase the work effort required to attack as well as the security of the target system. A multitude of MTD mechanisms have been proposed. Generally, these mechanisms follow some fundamental running patterns which determine their functionalities. In this paper, we systematically introduce three main schools of thought on MTD mechanisms and categorize the related works according to them. Then we identify and define three fundamental running patterns exhibited by these MTD mechanisms. Thereafter, we use five MTD mechanisms, which belong to the three schools of thought, as cases to confirm the patterns presented. This work can help novices in this field understand the running behaviours of MTDs better and more easily, and can also give developers design guidance for new MTD systems by providing insight into the running patterns.
Journal of Zhejiang University Science C | 2017
Yue-Bin Luo; Baosheng Wang; Xiaofeng Wang; Bo-Feng Zhang
Port address hopping (PAH) communication is a powerful network moving target defense (MTD) mechanism. It was inspired by frequency hopping in wireless communications. One of the critical and difficult issues with PAH is synchronization. Existing schemes usually provide hops for each session lasting only a few seconds/minutes, making them easily influenced by network events such as transmission delays, traffic jams, packet dropouts, reordering, and retransmission. To address these problems, in this paper we propose a novel self-synchronization scheme, called ‘keyed-hashing based self-synchronization (KHSS)’. The proposed method generates the message authentication code (MAC) based on the hash based MAC (HMAC), which is then further used as the synchronization information for port address encoding and decoding. Providing the PAH communication system with one-packet-one-hopping and invisible message authentication abilities enables both clients and servers to constantly change their identities as well as perform message authentication over unreliable communication mediums without synchronization and authentication information transmissions. Theoretical analysis and simulation and experiment results show that the proposed method is effective in defending against man-in-the-middle (MITM) attacks and network scanning. It significantly outperforms existing schemes in terms of both security and hopping efficiency.
Conference on Advanced Computer Architecture | 2016
Guilin Cai; Baosheng Wang; Yue-Bin Luo; Wei Hu
Moving Target Defense has been proposed as a way to alter the asymmetric situation of attacks and defenses, and a great number of related works have been presented. Currently, the performance evaluation of these works has largely been empirical and lacks the application of theoretical models. Further, the evaluation is usually for a specific approach or a category of MTD approaches, and little work has been done to compare different MTD techniques. In this paper, we consider a Web server as a deployment scenario for the three typical kinds of MTD techniques, and develop a generalized abstract performance evaluation and comparison model for existing MTDs using generalized stochastic Petri nets (GSPN). We also use a case study to describe the usage of the model. The model enables us to analyze and understand the benefits and costs of an MTD approach, and can be viewed as an attempt to fill the gap in MTD comparison.
International Conference on Intelligent and Interactive Systems and Applications | 2016
Yue-Bin Luo; Baosheng Wang; Guilin Cai; Xiaofeng Wang; Bo-Feng Zhang
Network address and port hopping (NPAH) is an effectual moving target defense tactic that comes from frequency hopping in wireless communication, and it is proposed for host and service hiding and attack resistance. In this paper, we propose a high-performance, low-latency network address and port hopping implementation mechanism, using the netfilter framework inside the Linux kernel. We have conducted experiments and tests to evaluate the performance of our method, and the results show that the proposed mechanism is efficient in implementing NPAH on the Linux platform.
international workshop on security | 2014
Yue-Bin Luo; Bao-Sheng Wang; Guilin Cai
Archive | 2015
Yue-Bin Luo; Bao-Sheng Wang; Guilin Cai
2015 International Conference on Information and Communications Technologies (ICT 2015) | 2015
Xiaofeng Wang; Baosheng Wang; Yue-Bin Luo; Guilin Cai; Xiaofeng Hu
trust, security and privacy in computing and communications | 2015
Yue-Bin Luo; Baosheng Wang; Xiaofeng Wang; Xiaofeng Hu; Guilin Cai; Hao Sun
IEICE Transactions on Information and Systems | 2017
Yue-Bin Luo; Baosheng Wang; Xiaofeng Wang; Bo-Feng Zhang; Wei Hu
international conference on advanced communication technology | 2018
Yue-Bin Luo; Yong Li; Fangjian Han; Shaobing Huang