Multi-dimensional Host Identity Anonymization for Defeating Skilled Attackers

Title: Multi-dimensional Host Identity Anonymization for Defeating Skilled Attackers
Publication Type: Conference Paper
Year of Publication: 2016
Authors: Jafarian, Jafar Haadi; Niakanlahiji, Amirreza; Al-Shaer, Ehab; Duan, Qi
Conference Name: Proceedings of the 2016 ACM Workshop on Moving Target Defense
Date Published: October 2016
Publisher: ACM
Conference Location: New York, NY, USA
ISBN Number: 978-1-4503-4570-5
Keywords: active cyber deception, address randomization, anonymity, fingerprint anonymization, honey pots, Metrics, moving target defense, moving target defenses, pubcrawl, Reconnaissance, resilience, Scalability
Abstract

While existing proactive-based paradigms such as address mutation are effective in slowing down reconnaissance by naive attackers, they are ineffective against skilled human attackers. In this paper, we analytically show that the goal of defeating reconnaissance by skilled human attackers is only achievable by an integration of five defensive dimensions: (1) mutating host addresses, (2) mutating host fingerprints, (3) anonymizing host fingerprints, (4) deploying high-fidelity honeypots with context-aware fingerprints, and (5) deploying context-aware content on those honeypots. Using a novel class of honeypots, referred to as proxy honeypots (high-interaction honeypots with customizable fingerprints), we propose a proactive defense model, called (HIDE), that constantly mutates addresses and fingerprints of network hosts and proxy honeypots in a manner that maximally anonymizes identity of network hosts. The objective is to make a host untraceable over time by not letting even skilled attackers reuse discovered attributes of a host in previous scanning, including its addresses and fingerprint, to identify that host again. The mutations are generated through formal definition and modeling the problem. Using a red teaming evaluation with a group of white-hat hackers, we evaluated our five-dimensional defense model and compared its effectiveness with alternative and competing scenarios. These experiments as well as our analytical evaluation show that by anonymizing all identifying attributes of a host/honeypot over time, HIDE is able to significantly complicate reconnaissance, even for highly skilled human attackers.

URL: https://dl.acm.org/doi/10.1145/2995272.2995278
DOI: 10.1145/2995272.2995278
Citation Key: jafarian_multi-dimensional_2016