Jianhua Sun, Computer Science - Ph.D. Oral Proposal

January 26, 2018
1pm - 3pm
McGlothlin-Street Hall, Room 002
251 Jamestown Rd
Williamsburg, VA 23185Map this location

Moving Target Defense (MTD) has become a powerful technique to reverse the asymmetry between the attacker and the defender's postures in the security landscape nowadays. Generally, MTD aims to defend a system and substantially increase the cost of cyber attacks by deploying and operating the systems/networks to make them less homogeneous, less static, and less deterministic. Among various MTD techniques that introduce dynamics into different layers, network-based technique serves as an effective candidate for mitigating targeted remote attacks by disrupting its intelligence gathering and vulnerability discovery. Despite all its security benefits, the practical adoption of MTD has been hindered by its limited security entropy, management complexity, and interference with the normal operation of the protected system/network. Correspondingly, Cyber deception has also been employed as counter-intelligence mechanism by deploying passive decoys for attacker misdirection and disinformation. However, the effectiveness of these defense mechanisms has been largely constrained by the low decoy fidelity, the poor scalability of decoy platform, and the static decoy configurations, which allow the attackers to identify and bypass the deployed decoys.

In this dissertation proposal, we integrate MTD with cyber deception to significantly improve the security entropy of MTD. We present three research projects that synergize MTD and cyber deception for the construction of practical MTD system. First, we observe that sophisticated adversaries usually initiate their attacks with a reconnaissance phase to discover exploitable vulnerabilities on the targeted networks and systems. To mitigate the effectiveness of reconnaissance, we develop a defensive mechanism that dynamically mutates network topology with a large number of decoys to invalidate the attacker's knowledge from network scanning. We combine the IP randomization technique with decoy techniques and solve two challenges, namely, service availability to legitimate users and service security against unauthorized users. Our solution can minimize the probability of the real servers being identified and compromised by unauthorized users through deploying a large number of decoy nodes, which change their IP addresses along with the real servers to prolong the scanning time of the attackers. It can also ensure seamless connection migration so that all existing communication connections between the legitimate users and the servers are always kept alive even after the servers migrate to different IP addresses multiple times.

The second project aims to achieve a balanced trade-off between the resource constraint and decoy fidelity in cyber deception. Traditional deception-based cyber defenses often undertake reactive strategies that utilize decoy systems or services for attack detection and information gathering. Unfortunately, these strategies have been undermined by the static decoy configurations, its low fidelity, and poor platform scalablity. In response, we develop a decoy-enhanced defense framework that can proactively protect critical servers against targeted remote attacks through deception. To achieve both high fidelity and good scalability, our system follows a hybrid architecture that separates lightweight yet versatile front-end proxies from back-end high-fidelity decoy servers. Moreover, our system can further invalidate the attackers' reconnaissance through dynamic proxy address shuffling. To guarantee service availability, we develop a transparent connection translation strategy to maintain existing connections during shuffling.

We propose the third project, which aims to disclose the limitations of existing decoy systems and develop effective strategies to further increase the decoy fidelity. Since one fundamental assumption of traditional decoy design is that only attackers will attempt to interact with the decoy, this lack of real user interactivity can potentially enable the attackers to fingerprint and bypass the deployed decoys. Based on this observation, we first propose two attacks the adversaries can leverage to discriminate the authenticity of the decoys, i.e., local traffic analysis attack and system fingerprinting attack. We plan to demonstrate the effectiveness of these attacks by implementing them on real world real and decoy server systems. In the next step, to defeat these attacks, we plan to first develop a model-based traffic generation approach to generate user interactions with the decoy system, and then evaluate its cost and benefit in emulating real users for attacker deception. We will then develop a practical real-time traffic replay scheme and evaluate its effectiveness in defeating previously proposed deception evasion attacks.

Jianhua Sun is a Ph.D. candidate of Computer Science Department at William & Mary, advised by Dr. Kun Sun. His research interest lies in moving target defense, cyber deception, network security, and IoT security. He received his BS degree in Physics from University of Science and Technology of China, and his M.S. degree in Applied Science from William and Mary.