Analysis of Threat Model and Requirements in Network-based Moving Target Defense

  • Received : 2017.08.30
  • Accepted : 2017.09.25
  • Published : 2017.10.31


Reconnaissance is performed by gathering information from a series of scanning probes, where the objective is to identify attributes of target hosts. Network reconnaissance of IP addresses and ports is a prerequisite to various cyber attacks. To increase the attacker's workload and break the attack kill chain, a few proactive techniques based on the network-based moving target defense (NMTD) paradigm, referred to as IP address mutation/randomization, have been presented. However, no commercial or trial systems have been deployed in real networks. In this paper, we propose a threat model and a set of requirements for developing NMTD techniques. For this purpose, we first examine the challenging problems in the NMTD mechanisms that were proposed for the legacy TCP/IP network. Secondly, we present a threat model in terms of the attacker's intelligence, the intended information scope, and the attacker's location. Lastly, we provide seven basic requirements for developing an NMTD mechanism for the legacy TCP/IP network: 1) end-host address mutation, 2) post tracking, 3) address mutation unit, 4) service transparency, 5) name and address access, 6) adaptive defense, and 7) controller operation. We believe that this paper gives some insight into how to design and implement a new NMTD mechanism that would be deployable in real networks.


Grant : Development of Cyber Self Mutation Technologies for Proactive Cyber Defense

Supported by : Institute for Information & communications Technology Promotion (IITP)

