Attack Surface Expansion through Decoy Trap for Protected Servers in Moving Target Defense

  • Received : 2019.09.18
  • Accepted : 2019.10.07
  • Published : 2019.10.31


In this paper, we propose a method for applying attack surface expansion through decoy traps to a protected server network. The network consists of a large number of decoys and protected servers. In the network, each protected server dynamically mutates its IP address and port numbers based on Hidden Tunnel Networking, a network-based moving target defense scheme. Moving target defense is a new approach to cyber security that continuously changes a system's attack surface to prevent attacks, and attack surface expansion is an approach that uses decoys and decoy groups to protect against attacks. The proposed method modifies the NAT table of the protected server with a custom chain and a RETURN target in order to make attackers waste all their time and effort in the decoy traps. We theoretically analyze the attacker success rate for the protected server network before and after applying the proposed method. The proposed method is expected to significantly reduce the probability that a protected server will be identified and compromised by attackers.

In this paper, we propose a method for applying attack surface expansion through decoy traps to a protected server network. The protected server network consists of a large number of decoys and protected servers, and each protected server mutates its IP address and port number according to a network-based moving target defense technique called Hidden Tunnel Networking. Moving target defense is a new approach in cyber security that continuously changes the system's attack surface in order to block attacks. Attack surface expansion is an approach that uses decoys and decoy groups to block attacks. In the proposed method, the NAT table of the protected server is modified using a custom chain and a RETURN target so that attackers waste all their time and effort in the decoy traps. This paper calculates, with formulas, the attacker success rate in the protected server network before and after the proposed method is applied. The proposed method is expected to significantly reduce the probability that a protected server is identified and attacked by an attacker.
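The NAT-table mechanism the abstract describes, as an added illustrative model that is not the paper's own code: a small Python simulation of netfilter nat-chain traversal in which a custom chain (assumed name `HTN_TRAP`) RETURNs only for the server's current pseudonym address and port, so that every other probe is DNAT'ed into a decoy trap, plus a mutation step that retargets the two pseudonym rules when Hidden Tunnel Networking moves the server. The addresses, ports, chain name and rule layout are assumptions constructed for this example; the paper's actual rules are not on this page.

```python
# Added illustrative model (not the paper's code). It mimics how netfilter walks
# the nat PREROUTING chain: a jump into a user-defined chain, RETURN resuming at
# the next rule of the caller, and DNAT as a terminating verdict.
#
# Assumed equivalent iptables rules (constructed, not from the paper):
#   iptables -t nat -N HTN_TRAP
#   iptables -t nat -A HTN_TRAP -d 203.0.113.7 -p tcp --dport 40123 -j RETURN
#   iptables -t nat -A HTN_TRAP -p tcp -j DNAT --to-destination 10.0.0.200:22
#   iptables -t nat -A PREROUTING -p tcp -j HTN_TRAP
#   iptables -t nat -A PREROUTING -d 203.0.113.7 -p tcp --dport 40123 \
#            -j DNAT --to-destination 10.0.0.10:22
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]        # (destination IPv4 address, TCP port)
RETURN = "RETURN"                 # leave the current chain, resume in the caller

REAL_SERVICE: Endpoint = ("10.0.0.10", 22)    # constructed: the protected server's real listener
DECOY_TRAP: Endpoint = ("10.0.0.200", 22)     # constructed: decoy that absorbs stray probes
TRAP_CHAIN = "HTN_TRAP"                        # hypothetical custom chain name


@dataclass
class Rule:
    target: str                              # RETURN, "DNAT", or the name of a user chain
    match_dst: Optional[Endpoint] = None     # None matches every destination
    dnat_to: Optional[Endpoint] = None       # rewritten destination for a DNAT target


@dataclass
class NatTable:
    chains: Dict[str, List[Rule]] = field(default_factory=dict)

    def _walk(self, dst: Endpoint, chain: str) -> Optional[Endpoint]:
        """Traverse one chain. Returns the DNAT destination when a verdict is
        reached, or None when the chain ends or hits RETURN, in which case the
        calling chain continues with its next rule."""
        for rule in self.chains[chain]:
            if rule.match_dst is not None and rule.match_dst != dst:
                continue
            if rule.target == RETURN:
                return None
            if rule.target == "DNAT":
                return rule.dnat_to
            verdict = self._walk(dst, rule.target)   # jump into a user chain
            if verdict is not None:
                return verdict
        return None

    def resolve(self, dst: Endpoint) -> Endpoint:
        """Destination the packet is delivered to after PREROUTING."""
        return self._walk(dst, "PREROUTING") or dst


def build_table(pseudonym: Endpoint) -> NatTable:
    """Build the assumed trap layout for the server's current pseudonym."""
    t = NatTable()
    t.chains[TRAP_CHAIN] = [
        Rule(target=RETURN, match_dst=pseudonym),      # current pseudonym: back to PREROUTING
        Rule(target="DNAT", dnat_to=DECOY_TRAP),       # anything else: into the decoy trap
    ]
    t.chains["PREROUTING"] = [
        Rule(target=TRAP_CHAIN),                                       # every packet enters the trap chain
        Rule(target="DNAT", match_dst=pseudonym, dnat_to=REAL_SERVICE),  # survivors reach the service
    ]
    return t


def mutate(table: NatTable, new_pseudonym: Endpoint) -> None:
    """HTN mutation: only the two pseudonym-matching rules are rewritten, so the
    previous pseudonym now falls into the decoy like any other probe."""
    table.chains[TRAP_CHAIN][0].match_dst = new_pseudonym
    table.chains["PREROUTING"][1].match_dst = new_pseudonym


def classify(table: NatTable, dst: Endpoint) -> str:
    """'server' if the probe reaches the protected service, else 'decoy'."""
    return "server" if table.resolve(dst) == REAL_SERVICE else "decoy"


if __name__ == "__main__":
    current = ("203.0.113.7", 40123)          # constructed pseudonym address and port
    table = build_table(current)
    print(classify(table, current))           # server
    print(classify(table, ("203.0.113.7", 22)))  # decoy: right host, stale/wrong port
    mutate(table, ("203.0.113.9", 51777))
    print(classify(table, current))           # decoy: pseudonym has moved on
```

Only a client that knows the current pseudonym passes through the RETURN rule; from a defender's view, every hit on `DECOY_TRAP` is therefore a reconnaissance indicator worth logging, and the mutation keeps even a correctly guessed pseudonym valid only until the next rewrite.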
