Initiating a Moving Target Network Defense with a Real-time Neuro-evolutionary Detector

The moving network target defense (MTD) based approach to security aims to design and develop capabilities to dynamically change the attack surfaces to make it more difficult for attackers to strike. One such capability is to dynamically change the IP addresses of subnetworks in unpredictable ways in an attempt to disrupt the ability of an attacker to collect the necessary reconnaissance information to launch successful attacks. In particular, Denial of Service (DoS) and worms represent examples of distributed attacks that can potentially propagate through networks very quickly, but could also be disrupted by MTD. Conversely, MTD are also disruptive to regular users. For example, when IP addresses are changed dynamically it is no longer effective to use DNS caches for IP address resolutions before any communication can be performed. In this work we take another approach. We note that the deployment of MTD could be triggered through the use of light-weight intrusion detection. We demonstrate that the neuro-evolution of augmented topologies algorithm (NEAT) has the capacity to construct detectors that operate on packet data and produce sparse topologies, hence are real-time in operation. Benchmarking under examples of DoS and worm attacks indicates that NEAT detectors can be constructed from relatively small amounts of data and detect attacks approx. 90% accuracy. Additional experiments with the open-ended evolution of code modules through genetic program teams provided detection rates approaching 100%. We believe that adopting such an approach to MTB a more specific deployment strategy that is less invasive to legitimate users, while disrupting the actions of malicious users.