MTDSense: AI-Based Fingerprinting of Moving Target Defense Techniques in Software-Defined Networking
Tina Moghaddam, Guowei Yang, Chandra Thapa, Seyit Camtepe, Dan Dongseong Kim

TL;DR
This paper introduces MTDSense, an AI-based method to detect when moving target defenses are triggered in software-defined networks, revealing vulnerabilities and proposing new algorithms to reduce information leakage.
Contribution
The work presents MTDSense for detecting MTD triggers and proposes two new MTD update algorithms to mitigate information leakage, supported by extensive experimental evaluation.
Findings
Traditional MTD implementations are highly susceptible to targeted attacks.
MTDSense can accurately identify MTD trigger intervals in network traffic.
New algorithms can reduce information leakage in MTD systems.
Abstract
Moving target defenses (MTD) are proactive security techniques that enhance network security by confusing the attacker and limiting their attack window. MTDs have been shown to have significant benefits when evaluated against traditional network attacks, most of which are automated and untargeted. However, little has been done to address an attacker who is aware the network uses an MTD. In this work, we propose a novel approach named MTDSense, which can determine when the MTD has been triggered using the footprints the MTD operation leaves in the network traffic. MTDSense uses unsupervised clustering to identify traffic following an MTD trigger and extract the MTD interval. An attacker can use this information to maximize their attack window and tailor their attacks, which has been shown to significantly reduce the effectiveness of MTD. Through analyzing the attacker's approach, we…
Taxonomy
Topics: Software-Defined Networks and 5G · Network Security and Intrusion Detection · Security in Wireless Sensor Networks
