Cyber Security Enhancement via Software-Defined Pseudo-Random Private IP Address Hopping
Authors: Andre Slonopas, Warren Thompson, Zona Kostic
Abstract:
Obfuscation is one of the most useful tools for preventing network compromise. Previous research focused on obfuscating the network communications between external-facing edge devices. This work proposes the use of two edge devices, one external-facing and one internal-facing, which communicate via private IPv4 addresses using software-defined pseudo-random IP hopping. This methodology requires no additional IP addresses or resources to implement. Statistical analyses demonstrate that the hopping surface must be at least 1e3 IP addresses in size, with a broad standard deviation, to minimize the possibility of coincidence between monitored and communication IPs. Breaking the hopping algorithm requires collecting at least 1e6 samples, which for large hopping surfaces will take years. The probability of dropped packets is controlled via memory buffers and the frequency of hops, and can be reduced to levels acceptable for video streaming. This methodology provides an impenetrable layer of security ideal for information and supervisory control and data acquisition systems.
Keywords: Moving Target Defense, cybersecurity, network security, hopping randomization, software defined network, network security theory.
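As an added illustration (not the authors' implementation), the following Python model shows the two mechanisms the abstract relies on: the two edge devices derive the same pseudo-random private address for each hop from a shared secret and a hop counter, and the rate at which the communication address coincides with a monitored address falls as the hopping surface grows. The shared HMAC-SHA256 key, the hop counter, the uniform draw over a contiguous slice of 10.0.0.0/8 and the monitored set are all assumptions of this example, not details taken from the paper.

```python
import hmac
import hashlib
import ipaddress

# Assumed layout (not from the paper): the hopping surface is a contiguous
# slice of 10.0.0.0/8 starting at BASE; both edge devices share `key` and
# an agreed hop counter, so they compute identical schedules.
BASE = ipaddress.IPv4Address("10.0.0.0")


def hop_address(key: bytes, hop_index: int, surface: int) -> ipaddress.IPv4Address:
    """Pseudo-random private address for one hop, derived from a keyed PRF.

    Without the key an observer cannot predict the next address; with it the
    internal and external edge devices stay synchronized without exchanging
    any addresses in band.
    """
    tag = hmac.new(key, hop_index.to_bytes(8, "big"), hashlib.sha256).digest()
    offset = int.from_bytes(tag[:8], "big") % surface  # uniform over the surface
    return BASE + offset


def schedule(key: bytes, surface: int, hops: int) -> list:
    """The full sequence of addresses the channel will use for `hops` hops."""
    return [hop_address(key, i, surface) for i in range(hops)]


def in_sync(key_a: bytes, key_b: bytes, surface: int, hops: int) -> bool:
    """True iff two devices agree on every hop (i.e. they hold the same key)."""
    return schedule(key_a, surface, hops) == schedule(key_b, surface, hops)


def coincidence_rate(key: bytes, surface: int, monitored: set, hops: int) -> float:
    """Fraction of hops on which the live communication address lands on one
    of the monitored addresses; the abstract's argument is that this must be
    driven down by enlarging the surface."""
    hits = sum(1 for i in range(hops) if hop_address(key, i, surface) in monitored)
    return hits / hops


def expected_coincidence(surface: int, n_monitored: int) -> float:
    """Analytic per-hop coincidence probability for a uniform draw."""
    return n_monitored / surface
```

Compare `coincidence_rate` with `expected_coincidence` for surfaces of 1e2 and 1e3 addresses to see the tenfold reduction the abstract's size threshold is built on.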