Cyber attacks are typically preceded by a reconnaissance phase in which attackers aim at collecting valuable information about the target system, including network topology, service dependencies, operating systems, and unpatched vulnerabilities. Unfortunately, when system configurations are static, attackers will always be able, given enough time, to acquire accurate knowledge about the target system through a variety of tools—including operating system and service fingerprinting—and engineer effective exploits. To address this important problem, many techniques have been devised to dynamically change some aspects of a system’s configuration in order to introduce uncertainty for the attacker. In this chapter, we present a graph-based approach for manipulating the attacker’s view of a system’s attack surface, which addresses several limitations of existing techniques. To achieve this objective, we formalize the notions of system view and distance between views. We then define a principled approach to manipulating responses to the attacker’s probes so as to induce an external view of the system that satisfies certain desirable properties. In particular, we propose efficient algorithmic solutions to two classes of problems, namely (1) inducing an external view that is at a minimum distance from the internal view, while minimizing the cost for the defender; (2) inducing an external view that maximizes the distance from the internal view, given an upper bound on the cost for the defender. In order to demonstrate practical applicability of the proposed approach, we present deception-based techniques for defeating an attacker’s effort to fingerprint operating systems and services on the target system. These techniques consist of manipulating outgoing traffic so that it resembles traffic generated by a completely different system. Experimental results show that our approach can efficiently and effectively deceive an attacker.
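The abstract names two optimisation problems over "views" and a "distance between views" but, being an abstract, does not give the formalisation. The following is an added toy model, written for this page and not taken from the chapter or its authors, that makes the two problems concrete under assumptions of my own: a view maps (host, attribute) pairs to the value an observer would see; the distance between two views is the number of pairs on which they disagree; a candidate manipulation rewrites some attributes of the externally observable view at a fixed defender cost. The sample views, manipulation names and costs are constructed for illustration. Both problems are solved exactly by exhaustive search over manipulation subsets (which correctly handles manipulations that overlap on the same attribute, as the two TTL manipulations below do); that is not the chapter's algorithm and is only practical for a short candidate list.

```python
"""Toy model of the two view-distance problems: (1) cheapest manipulation set
reaching a minimum distance, (2) largest distance reachable under a cost cap.
All definitions below are assumptions made for this example."""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, Tuple, Iterable, Optional

View = Dict[Tuple[str, str], str]  # (host, attribute) -> observable value


@dataclass(frozen=True)
class Manipulation:
    """One defender action: present `changes` to the outside at `cost`."""
    name: str
    cost: int
    changes: Tuple[Tuple[Tuple[str, str], str], ...]  # (((host, attr), value), ...)


def view_distance(a: View, b: View) -> int:
    """Number of (host, attribute) pairs on which the two views disagree."""
    return sum(1 for key in set(a) | set(b) if a.get(key) != b.get(key))


def induce_view(internal: View, chosen: Iterable[Manipulation]) -> View:
    """External view an observer sees after the chosen manipulations are applied."""
    external = dict(internal)
    for m in chosen:
        for key, value in m.changes:
            external[key] = value
    return external


def _search(internal, candidates, accept, better) -> Optional[tuple]:
    """Exhaustive search: (cost, distance, subset) of the best acceptable subset."""
    best = None
    for r in range(len(candidates) + 1):
        for subset in combinations(candidates, r):
            cost = sum(m.cost for m in subset)
            dist = view_distance(internal, induce_view(internal, subset))
            if accept(cost, dist) and (best is None or better((cost, dist), best[:2])):
                best = (cost, dist, subset)
    return best


def min_cost_for_distance(internal: View, candidates, min_distance: int):
    """Problem (1): minimise cost subject to distance >= min_distance
    (ties broken towards the larger distance)."""
    return _search(internal, candidates,
                   accept=lambda cost, dist: dist >= min_distance,
                   better=lambda new, old: (new[0], -new[1]) < (old[0], -old[1]))


def max_distance_within_budget(internal: View, candidates, budget: int):
    """Problem (2): maximise distance subject to cost <= budget
    (ties broken towards the lower cost)."""
    return _search(internal, candidates,
                   accept=lambda cost, dist: cost <= budget,
                   better=lambda new, old: (-new[1], new[0]) < (-old[1], old[0]))


# Constructed internal view of two hosts (sample data, not from the chapter).
INTERNAL: View = {
    ("web", "os"): "Linux", ("web", "ttl"): "64", ("web", "tcp/80"): "Apache/2.4",
    ("db", "os"): "Windows", ("db", "ttl"): "128", ("db", "tcp/3306"): "MySQL",
}

# Constructed candidate manipulations; costs are arbitrary units of defender effort.
CANDIDATES = [
    Manipulation("web-os-spoof", 3, ((("web", "os"), "Windows"), (("web", "ttl"), "128"))),
    Manipulation("web-ttl-only", 1, ((("web", "ttl"), "128"),)),  # overlaps web-os-spoof
    Manipulation("web-banner", 1, ((("web", "tcp/80"), "nginx/1.18"),)),
    Manipulation("db-os-spoof", 3, ((("db", "os"), "FreeBSD"), (("db", "ttl"), "64"))),
    Manipulation("db-hide-mysql", 1, ((("db", "tcp/3306"), "closed"),)),
]


if __name__ == "__main__":
    cost, dist, chosen = min_cost_for_distance(INTERNAL, CANDIDATES, 3)
    print("problem 1:", cost, dist, [m.name for m in chosen])
    cost, dist, chosen = max_distance_within_budget(INTERNAL, CANDIDATES, 6)
    print("problem 2:", cost, dist, [m.name for m in chosen])
```

With this data, the cheapest way to move the external view three attributes away from the internal one costs 3 (the three single-attribute manipulations), whereas spending the whole budget of 6 yields a view that differs on five of the six attributes; note that choosing `web-os-spoof` together with `web-ttl-only` would pay for the TTL change twice without increasing the distance, which the exhaustive search avoids.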
- Deceiving Attackers by Creating a Virtual Attack Surface