Army research looks at defending computer systems with MTD technique

The basic idea of MTD as it applies to IP addresses on computer networks is this: change the IP address of the computer frequently enough so the attacker loses sight of where his victim is. This, however, can be expensive.

"Taking actions proactively requires extra overhead to add another layer of defence strength," Professor Hyuk Lim of GIST said. "Hence, deploying the proactive defence and security mechanisms is not for free, but brings a cost because the system needs to constantly change the attack surface such as IP addresses.

"This cost can be mitigated to some extent by leveraging the technology called SDN. The SDN technology provides highly efficient programmatic and dynamic management of the network policy by removing the network control from individual devices in a network to a centralised controller. The network configuration can be defined by the SDN controller, enabling more reliable and responsive network operations under variable conditions."

The UC led the effort of developing an MTD technology called Flexible Random Virtual IP Multiplexing (FRVM).

"In FRVM, while the real IP address of a server-host remains unchanged but stays hidden, a virtual IP address of the server-host keeps being randomly and periodically changed, where the IP mapping/remapping (i.e., called multiplexing/demultiplexing) is performed by an SDN controller," said Dilli P. Sharma of UC. "This effectively forces the adversary to play the equivalent of an honest shell game. However, instead of guessing among three shells (IP addresses) to find a pea (a running network service), the adversary must guess among 65,536 shells, given an address space of 2^16.

"This MTD protocol is novel because it provides high flexibility to have multiple, random, time-variant IP addresses in a host, which implies the adversary will require more time to discover an IP address of the target host."

In this research, the team formulated the architecture and communication protocols for the proposed IP (de)multiplexing-based MTD to be applied in SDN environments.

The team also validated the effectiveness of the FRVM under various degrees of scanning attacks in terms of the attack success probability.
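As an added illustration (not the FRVM team's code), the following toy Python model captures the scheme quoted above: a controller hides the real address behind a virtual one drawn at random from the 2^16 space and remapped periodically, and a sequential sweep scanner's success probability is estimated against a static address and against several remap periods. The class and function names, the remap-per-probes schedule and the sample real address are assumptions of this example.

```python
import random

N = 2 ** 16  # size of the virtual address space quoted in the article


class FrvmController:
    """Hypothetical toy controller: the real address never appears on the wire;
    only the current virtual address demultiplexes to the host."""

    def __init__(self, real_ip, rng):
        self.real_ip = real_ip
        self.rng = rng
        self.remap()

    def remap(self):
        """Multiplexing step: draw a fresh virtual address uniformly from the space."""
        self.virtual_ip = self.rng.randrange(N)

    def demultiplex(self, dst):
        """Map a probed destination to the real host, or None (packet dropped)."""
        return self.real_ip if dst == self.virtual_ip else None


def sweep_finds_service(period, total_probes, rng):
    """One campaign: the scanner probes addresses 0, 1, 2, ... and the controller
    remaps every `period` probes. period=None models a static address (no MTD)."""
    ctrl = FrvmController("10.0.0.5", rng)  # constructed sample real address
    step = period or total_probes
    for start in range(0, total_probes, step):
        if start:
            ctrl.remap()
        # Within one period the virtual address is fixed, so the block of
        # probed addresses hits exactly when it contains that address.
        window = range(start, min(start + step, total_probes))
        if ctrl.virtual_ip in window and ctrl.demultiplex(ctrl.virtual_ip):
            return True
    return False


def attack_success_probability(period, total_probes=N, trials=500, seed=7):
    """Monte Carlo estimate of P(scanner reaches the host) over `trials` campaigns."""
    rng = random.Random(seed)
    hits = sum(sweep_finds_service(period, total_probes, rng) for _ in range(trials))
    return hits / trials


def analytic_probability(period, total_probes=N):
    """Each period covers `period` distinct addresses, so it hits w.p. period/N;
    successive periods are independent draws of the virtual address."""
    return 1 - (1 - period / N) ** (total_probes // period)


if __name__ == "__main__":
    for p in (None, 256, 4096, 16384):
        print(p, attack_success_probability(p))
```

A full sweep of a static address always succeeds, whereas with remapping every 256 probes the simulated and analytic values both sit near 1 - 1/e (about 0.63), and the gap to the static case narrows as the remap period grows.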

According to the team, the next step is to study the trade-off in the FRVM between the two conflicting goals of system security and performance, since constantly changing addresses can degrade performance even as it improves security.