RPAH: A Moving Target Network Defense Mechanism Naturally Resists Reconnaissances and Attacks

Yue-Bin LUO  Bao-Sheng WANG  Xiao-Feng WANG  Bo-Feng ZHANG  Wei HU  

Publication
IEICE TRANSACTIONS on Information and Systems   Vol.E100-D   No.3   pp.496-510
Publication Date: 2017/03/01
Online ISSN: 1745-1361
Type of Manuscript: PAPER
Category: Information Network
Keyword: 
port and address hopping,  moving target defense,  network security,  reconnaissance,  

Full Text: PDF(3.2MB)
>>Buy this Article


Summary: 
Network servers and applications commonly use static IP addresses and communication ports, making themselves easy targets for network reconnaissances and attacks. Moving target defense (MTD) is an innovatory and promising proactive defense technique. In this paper, we develop a novel MTD mechanism, called Random Port and Address Hopping (RPAH). The goal of RPAH is to hide network servers and applications and resist network reconnaissances and attacks by constantly changing their IP addresses and ports. In order to enhance the unpredictability, RPAH integrates source identity, service identity and temporal parameter in the hopping to provide three hopping frequencies, i.e., source hopping, service hopping and temporal hopping. RPAH provides high unpredictability and the maximum hopping diversities by introducing port and address demultiplexing mechanism, and provides a convenient attack detection mechanism with which the messages from attackers using invalid or inactive addresses/ports will be conveniently detected and denied. Our experiments and evaluation on campus network and PlanetLab show that RPAH is effective in resisting various network reconnaissance and attack models such as network scanning and worm propagation, while introducing an acceptable operation overhead.