Network defenses based on traditional tools, techniques, and procedures fail to account for the attacker's inherent advantage that arises from the static nature of network services and configurations. To take away this asymmetric advantage, Moving Target Defense (MTD) continuously shifts the configuration of the underlying system, in turn reducing the success rate of cyberattacks. In this survey, we analyze the recent advancements made in the development of MTDs and define categorizations that capture the key aspects of such defenses. We first categorize these defenses into different sub-classes depending on what they move, when they move and how they move. In trying to answer the latter question, we showcase how the use of domain knowledge and game-theoretic modeling can help the defender come up with effective and efficient movement strategies. Second, to understand the practicality of these defense methods, we discuss how various MTDs have been implemented and find that networking ...
SDN provides a programmable command and control networking system in a multi-tenant cloud network using control and data plane separation. However, separating the control and data planes makes it difficult to incorporate some security services (e.g., firewalls) into the SDN framework. Most of the existing solutions use SDN switches as packet filters and rely on SDN controllers to implement firewall policy management functions, which is impractical for implementing stateful firewalls since SDN switches only send a session's initial packets and statistical data about flows to their controllers. For a data center networking environment, applying a Distributed FireWall (DFW) system to prevent an attacker's lateral movement is highly desired, in which designing and implementing an SDN-based Stateful DFW (SDFW) demands a scalable distributed state management solution at the data plane to track packet and flow states. Our performance results show that SDFW achieves scalable security agains...
2019 International Conference on Computing, Networking and Communications (ICNC), 2019
Large scale cloud networks consist of distributed networking and computing elements that process critical information, and thus security is a key requirement for any such environment. Unfortunately, assessing the security state of such networks is a challenging task, and the tools used in the past by security experts, such as packet filtering, firewalls, Intrusion Detection Systems (IDS), etc., provide only a reactive security mechanism. In this paper, we introduce a Moving Target Defense (MTD) based proactive security framework for monitoring attacks which lets us identify and reason about multi-stage attacks that target software vulnerabilities present in a cloud network. We formulate the multi-stage attack scenario as a two-player zero-sum Markov Game (between the attacker and the network administrator) on attack graphs. The rewards and transition probabilities are obtained by leveraging the expert knowledge present in the Common Vulnerability Scoring System (CVSS). Our framework identifies an ...
Papers by Abdulhakim Sabur