[PAST EVENT] Jianhua Sun, Computer Science - Dissertation Defense
Moving Target Defense (MTD) and cyber deception have become effective techniques for mitigating targeted attacks by disrupting their intelligence gathering and vulnerability discovery. However, their practical deployment is hindered by limited security entropy, enormous management complexity, and interference with the normal operation of the protected system or network. The poor scalability of decoy platforms and low decoy fidelity further constrain their adoption. In this dissertation, we present four projects that synergize MTD and deception to enhance their security efficacy and practicality.
First, we observe that targeted attacks are typically preceded by thorough reconnaissance to discover exploitable vulnerabilities. Motivated by this, we develop a decoy-enhanced seamless IP randomization system named DESIR that dynamically mutates network topology with a large number of decoys to invalidate the attacker's knowledge from network scanning. DESIR substantially improves the security entropy of IP randomization by leveraging decoy nodes. We also develop a seamless connection migration mechanism to guarantee service availability of legitimate users. Implementation and evaluation of a DESIR prototype demonstrate its effectiveness for defeating network reconnaissance.
The effectiveness of deception has been largely undermined by static decoy configuration, low decoy fidelity, and poor scalability. To address these issues, in the second project we propose CyberMoat, a hybrid decoy architecture that can proactively protect critical servers against targeted remote attacks. To achieve a balanced tradeoff between decoy fidelity and scalability, CyberMoat separates lightweight yet versatile front-end proxies from back-end high-fidelity decoy servers. In addition, CyberMoat invalidates the attacker's reconnaissance through dynamic proxy address shuffling and maintains existing connections during shuffling via SDN-assisted connection translation.
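The two mechanisms described above, decoy-enhanced address shuffling (DESIR) and connection translation that keeps legitimate flows alive across a shuffle (CyberMoat), can be illustrated with a small simulation. The following is an added example written for this page, not code from either project: it assumes one real server hidden among a configurable number of decoys in a single randomizable address range, a controller that remaps every live address on each shuffle, and a translation table keyed by the address a client used when it connected. It measures how often a scanner acting on stale scan results reaches the real server under three configurations, and checks that a connection opened before a shuffle still reaches the server afterwards.

```python
"""Toy model of decoy-enhanced address shuffling with connection translation.

Added illustration; not code from DESIR or CyberMoat. Assumptions: one real
server plus `decoys` decoy nodes share a pool of `pool_size` addresses, the
controller re-randomizes all live addresses on each shuffle, and a translation
table pins connections opened before a shuffle to the real server.
"""
import math
import random
from dataclasses import dataclass, field


@dataclass
class ShuffleController:
    pool_size: int              # number of addresses in the randomizable range
    decoys: int                 # decoy nodes mixed in with the real server
    rng: random.Random
    real_addr: int = field(init=False)
    decoy_addrs: set = field(init=False)
    # (client_id, address used at connect time) -> backend; survives shuffles
    translation: dict = field(default_factory=dict)

    def __post_init__(self):
        self.shuffle()

    def shuffle(self):
        """Assign fresh, distinct addresses to the real server and every decoy."""
        picked = self.rng.sample(range(self.pool_size), self.decoys + 1)
        self.real_addr = picked[0]
        self.decoy_addrs = set(picked[1:])

    def responsive(self):
        """What a scan sees: server and decoys answer alike, so they are indistinguishable."""
        return {self.real_addr} | self.decoy_addrs

    def connect(self, client_id, addr):
        """A legitimate client opens a connection; the mapping is pinned for later shuffles."""
        if addr == self.real_addr:
            self.translation[(client_id, addr)] = "server"
            return "server"
        return None

    def deliver(self, client_id, addr):
        """A packet on an existing connection is translated even if `addr` is now stale."""
        return self.translation.get((client_id, addr))

    def probe(self, addr):
        """A fresh probe (no existing connection) hits whatever currently owns `addr`."""
        if addr == self.real_addr:
            return "server"
        if addr in self.decoy_addrs:
            return "decoy"
        return None


def scan_entropy_bits(decoys):
    """Uncertainty a single scan snapshot leaves about which responder is real."""
    return math.log2(decoys + 1)


def simulate(rounds, pool_size, decoys, shuffle, seed=1):
    """Scanner learns the responsive set, then (optionally) a shuffle happens before it acts."""
    rng = random.Random(seed)
    ctl = ShuffleController(pool_size, decoys, rng)
    hits = {"server": 0, "decoy": 0, "miss": 0}
    for _ in range(rounds):
        known = sorted(ctl.responsive())     # stale knowledge from the scan
        if shuffle:
            ctl.shuffle()
        target = rng.choice(known)
        hits[ctl.probe(target) or "miss"] += 1
    return hits


def connection_survives_shuffle(seed=7):
    """A client connected before the shuffle still reaches the server through translation."""
    ctl = ShuffleController(1024, 15, random.Random(seed))
    addr_at_connect = ctl.real_addr
    ctl.connect("client-A", addr_at_connect)
    ctl.shuffle()
    return ctl.deliver("client-A", addr_at_connect) == "server"


if __name__ == "__main__":
    print("static, no decoys :", simulate(2000, 1024, 0, shuffle=False))
    print("decoys, no shuffle:", simulate(2000, 1024, 15, shuffle=False))
    print("decoys + shuffle  :", simulate(2000, 1024, 15, shuffle=True))
    print("connection survives shuffle:", connection_survives_shuffle())
```

With no decoys and no shuffling every probe lands on the server; with 15 decoys a probe based on the scan lands on the server about one time in sixteen (4 bits of entropy per snapshot); with shuffling added, the scanned addresses are stale by the time they are used, so most probes miss entirely while the pinned connection keeps working.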
In the third project, we further observe that a real server shows wear from processing service requests, whereas decoys receive no user interactions. Given this, we propose two decoy evasion attacks, namely traffic fingerprinting and system fingerprinting, which allow sophisticated insiders to identify decoys. As a countermeasure, we develop a replay system called Mirage to generate believable decoy network traffic. Mirage operates as a reverse proxy that transparently replays real network traffic toward the decoys in real time. It integrates a decoy client emulator to maintain consistent decoy states and employs format-preserving encryption to obfuscate sensitive user data.
Finally, we focus on automated IoT device fingerprinting, which is a prerequisite for realizing secure, reliable, and high-quality IoT applications. We propose a novel data-driven approach for passive fingerprinting of IoT device types through automatic classification of encrypted IoT network flows. Based on an in-depth empirical study of the traffic of real-world IoT devices, we identify a variety of valuable data features for accurately characterizing IoT device communications. By leveraging these features, we develop a deep-learning-based classification model for accurate IoT device fingerprinting.
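To make concrete what "classification of encrypted flows" means in practice, here is an added example, not the dissertation's model, features or data: payloads are assumed encrypted, so only metadata observable on the wire is used (packet sizes, inter-arrival times, direction and flow length), and a nearest-centroid classifier over z-scored features stands in for the deep learning model. The three device profiles and every flow are constructed synthetically inside the block so that it runs offline.

```python
"""Passive IoT device-type fingerprinting from encrypted-flow metadata.

Added illustration; not the dissertation's model or dataset. Only metadata a
passive observer sees on encrypted traffic is used. The device profiles and all
flows are constructed, and a nearest-centroid classifier replaces the deep
learning model described in the abstract.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass
class Flow:
    sizes: list        # packet sizes in bytes, in order
    iats: list         # inter-arrival times in seconds, len == len(sizes) - 1
    outbound: list     # True when the packet goes device -> cloud


# Constructed profiles: (mean size, size sd, mean IAT, IAT sd, packets, outbound fraction)
PROFILES = {
    "camera":     (1200, 100, 0.01, 0.005, 200, 0.9),   # steady video upload
    "sensor":     (90, 10, 30.0, 2.0, 20, 0.5),         # small periodic reports
    "thermostat": (300, 40, 2.0, 0.5, 60, 0.4),         # moderate, mostly polled
}


def synth_flow(device, rng):
    """Generate one constructed flow following a device profile."""
    ms, ss, mi, si, n, outp = PROFILES[device]
    sizes = [int(min(1500, max(60, rng.gauss(ms, ss)))) for _ in range(n)]
    iats = [max(1e-4, rng.gauss(mi, si)) for _ in range(n - 1)]
    outbound = [rng.random() < outp for _ in range(n)]
    return Flow(sizes, iats, outbound)


def features(flow):
    """Metadata-only feature vector: no payload bytes are read, so it works on encrypted flows."""
    return [
        statistics.mean(flow.sizes),
        statistics.pstdev(flow.sizes),
        statistics.mean(flow.iats),
        math.log(len(flow.sizes)),
        sum(flow.outbound) / len(flow.outbound),
    ]


class NearestCentroid:
    """Z-score each feature with training statistics, then pick the closest class centroid."""

    def fit(self, X, y):
        self.mu = [statistics.mean(col) for col in zip(*X)]
        self.sd = [statistics.pstdev(col) or 1.0 for col in zip(*X)]
        self.centroids = {}
        for label in set(y):
            rows = [self._z(x) for x, lab in zip(X, y) if lab == label]
            self.centroids[label] = [statistics.mean(c) for c in zip(*rows)]
        return self

    def _z(self, x):
        return [(v - m) / s for v, m, s in zip(x, self.mu, self.sd)]

    def predict(self, x):
        z = self._z(x)
        return min(self.centroids, key=lambda lab: math.dist(z, self.centroids[lab]))


def build_dataset(per_device, rng):
    X, y = [], []
    for dev in PROFILES:
        for _ in range(per_device):
            X.append(features(synth_flow(dev, rng)))
            y.append(dev)
    return X, y


def evaluate(train_per_device=30, test_per_device=20, seed=3):
    """Train on one constructed sample, test on a disjoint one, return accuracy."""
    rng = random.Random(seed)
    Xtr, ytr = build_dataset(train_per_device, rng)
    Xte, yte = build_dataset(test_per_device, rng)
    clf = NearestCentroid().fit(Xtr, ytr)
    correct = sum(clf.predict(x) == lab for x, lab in zip(Xte, yte))
    return correct / len(yte)


if __name__ == "__main__":
    print("held-out accuracy:", evaluate())
```

The profiles are deliberately well separated, so the simple centroid model suffices here; on real traffic the per-device distributions overlap, which is what motivates both the empirical feature study and a more expressive model. The point the block shows is that the feature extraction never touches payload, only sizes, timing, direction and count.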
Jianhua Sun is a Ph.D. candidate in the Computer Science Department at William & Mary, advised by Dr. Kun Sun. His research interests lie in moving target defense, cyber deception, network security, and IoT security. He received his B.S. degree in Physics from the University of Science and Technology of China and his M.S. degree in Applied Science from William & Mary.