
Time-Based Moving Target Defense Using Bayesian Attack Graph Analysis

Abstract
Moving target defense (MTD) is a proactive cybersecurity technique that continually changes the potentially vulnerable points that could be attacked, confusing attackers, making it hard for them to infer the system configuration, and nullifying their reconnaissance of a victim system. We consider an MTD strategy for a software-defined networking (SDN) environment in which every SDN switch is controlled by a central SDN controller. Because MTD can consume excessive network and system resources for security purposes, we propose to perform MTD operations adaptively according to a security risk assessment based on Bayesian attack graph (BAG) analysis. For accurate BAG analysis, we model random and weakest-first attacker behaviors and incorporate the derived analytical models into the BAG analysis. Using the BAG analysis result, we formulate a knapsack problem to determine the optimal set of vulnerabilities to be reconfigured under a constraint on SDN reconfiguration overhead. The experimental results show that the proposed MTD strategy outperforms full-MTD and random-MTD counterparts in terms of the maximum and average attack success probabilities and the number of SDN reconfiguration updates.
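The knapsack step described in the abstract, as an added illustration that is not the paper's code: it assumes each vulnerability carries an attack-success probability taken from a BAG analysis and a reconfiguration cost (here, a count of SDN rule updates), and picks the set to reconfigure under a fixed update budget; all sample values are constructed.

```python
"""Added illustration (not the paper's code): pick which vulnerable points
to reconfigure under an SDN reconfiguration budget, as a 0/1 knapsack."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Vuln:
    name: str
    attack_success_prob: float  # assumed: output of a BAG analysis
    reconfig_cost: int          # assumed: SDN rule updates needed to move it


def select_mtd_targets(vulns: List[Vuln], budget: int) -> Tuple[List[str], float]:
    """Maximize the total attack-success probability covered by reconfiguration
    subject to total reconfiguration cost <= budget (0/1 knapsack, DP).
    Returns (names of selected vulnerabilities, covered probability mass)."""
    n = len(vulns)
    # best[i][b]: best value using the first i vulnerabilities with budget b
    best = [[0.0] * (budget + 1) for _ in range(n + 1)]
    for i, v in enumerate(vulns, start=1):
        for b in range(budget + 1):
            best[i][b] = best[i - 1][b]            # skip vulnerability i
            if v.reconfig_cost <= b:               # or reconfigure it
                cand = best[i - 1][b - v.reconfig_cost] + v.attack_success_prob
                if cand > best[i][b]:
                    best[i][b] = cand
    # Backtrack to recover which vulnerabilities were selected.
    chosen, b = [], budget
    for i in range(n, 0, -1):
        if best[i][b] != best[i - 1][b]:
            chosen.append(vulns[i - 1].name)
            b -= vulns[i - 1].reconfig_cost
    chosen.reverse()
    return chosen, round(best[n][budget], 4)


# Constructed sample values, not taken from the paper.
SAMPLE_VULNS = [
    Vuln("web:v1", 0.80, 3),
    Vuln("db:v2", 0.55, 2),
    Vuln("ftp:v3", 0.35, 1),
    Vuln("mail:v4", 0.60, 4),
]

if __name__ == "__main__":
    print(select_mtd_targets(SAMPLE_VULNS, budget=5))  # (['web:v1', 'db:v2'], 1.35)
```

Rerunning the selection after each BAG update yields the adaptive, budget-bounded MTD schedule the abstract describes, rather than reconfiguring every vulnerability on every cycle.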
Author(s)
Kim, Hyejin; Hwang, Eui Seok; Kim, Dongseong; Cho, Jin-Hee; Moore, Terrence J.; Nelson, Frederica F.; Lim, Hyuk
Issued Date
2023-04
Type
Article
DOI
10.1109/ACCESS.2023.3269018
URI
https://scholar.gist.ac.kr/handle/local/10264
Publisher
Institute of Electrical and Electronics Engineers Inc.
Citation
IEEE Access, v.11, pp.40511 - 40524
ISSN
2169-3536
Appears in Collections:
Department of Electrical Engineering and Computer Science > 1. Journal Articles
Access and License
  • Access status: Public