Scanning-Adaptive Network Deception
Abstract
The rise of fast whole-Internet scanning [1] over the last decade has enabled researchers, both with and without a deep background in networking, to generate rapid snapshots of various Internet phenomena. Unfortunately, this same technology also allows attackers to perform at-scale Internet reconnaissance: threat actors can easily, with modest Internet resources and minimal technical background, quickly identify network vulnerabilities, discover seemingly hidden machines, and map out network infrastructure. Indeed, such technology has resulted in massive botnets and large-scale compromise [2].

Fast Internet scanning tools achieve their scale and speed through specific technological methods: stateless scanning, pseudo-random probe patterns, and "2-phase" activity. Understanding both how fast Internet scanning tools work and how attackers leverage the technology presents defenders with a unique opportunity to improve network defense by adapting to scanning in real time. Namely, defenders can use knowledge of scanning behavior to confound reconnaissance by generating a variety of misinformation responses, creating a "needle-in-a-haystack" effect that degrades attacker understanding and capabilities.

We will develop a new class of fast-Internet-scanning-aware network deception methods aimed at obscuring services and eliciting attacker information. Our work will focus on understanding how different adjustments to scanning responses, each leveraging a different facet of scanning behavior, influence attacker behaviors.

We consider attackers across the opportunistic and targeted attacker spectrum and will leverage knowledge of current IPv4 scanning behaviors and nascent IPv6 scanning technology to produce deceptive responses to large-scale Internet scans designed to 1) obscure IPv4 services within a large volume of apparently active services, 2) convince generative IPv6 scanning systems that address ranges are unused or aliased, and 3) elicit attacker information. Our work will be designed to be deployed at the perimeter of networks in an on-path capacity.

We will accomplish our work across three tasks:
- Task I: Quantifying Existing Attacker Reconnaissance (Section 3): We will identify and characterize 2-phase scanner reconnaissance activity across the IPv4 address space. Our key effort is to develop metrics to identify reconnaissance activity along three axes: 1) 2-phase scanning timing distributions, 2) "time-on-target" behavior across a network, and 3) subsequent follow-up activity. Such understanding will serve as grounding to underpin our adaptive defenses.
- Task II: Developing Decoy Defenses (Section 4): We will develop a collection of potential IPv4 and IPv6 network reconnaissance defenses that can be deployed in different scenarios, based on situational needs guided by the questions and understanding gleaned from Task I. These defenses are based on the various properties of relevant fast Internet scanning technologies, and can be deployed together or independently.
- Task III: Deployment and Optimizing Network Deception (Section 5): We will deploy and begin to explore the space of possible configurations and optimizations of our developed defenses and how those defenses influence attacker behaviors. Our deployment will center around the notions of decoy fidelity, scale, and movement.

Approved for Public Release
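The three Task I axes (2-phase timing distributions, time-on-target, and follow-up activity) can be made concrete with a small flow-log analysis. The following Python is an added example written for this page, not code from the proposal or its authors. It assumes a simplified per-flow record (timestamp, source, destination, port, packet count, whether the TCP handshake completed) and a constructed sample in which one source sweeps six hosts with single SYN probes in pseudo-random order and later returns to two of them with full connections, beside an ordinary client that only ever completes connections. The "single packet, no handshake" definition of a phase-1 probe and the four-host threshold are assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since capture start
    src: str         # remote address
    dst: str         # address inside the defended network
    dport: int
    packets: int     # packets sent by src in this flow; 1 == bare SYN probe
    completed: bool  # three-way handshake completed


# Constructed sample (not real traffic). 203.0.113.5 is the fast scanner:
# a stateless phase-1 sweep of six hosts on port 22, then a phase-2 return
# ten minutes later to two hosts. 198.51.100.7 is an ordinary web client.
SAMPLE_FLOWS: List[Flow] = [
    Flow(0.0, "203.0.113.5", "10.0.0.4", 22, 1, False),
    Flow(1.0, "203.0.113.5", "10.0.0.1", 22, 1, False),
    Flow(2.0, "203.0.113.5", "10.0.0.6", 22, 1, False),
    Flow(3.0, "203.0.113.5", "10.0.0.3", 22, 1, False),
    Flow(4.0, "203.0.113.5", "10.0.0.2", 22, 1, False),
    Flow(5.0, "203.0.113.5", "10.0.0.5", 22, 1, False),
    Flow(30.0, "198.51.100.7", "10.0.0.1", 443, 14, True),
    Flow(600.0, "203.0.113.5", "10.0.0.3", 22, 9, True),
    Flow(640.0, "203.0.113.5", "10.0.0.5", 22, 11, True),
    Flow(900.0, "198.51.100.7", "10.0.0.1", 443, 20, True),
]


def is_probe(f: Flow) -> bool:
    """Assumed phase-1 signature: a single packet that never completed a handshake."""
    return f.packets == 1 and not f.completed


def summarize_sources(flows: List[Flow]) -> Dict[str, dict]:
    """Per-source metrics along the three axes: probes/time-on-target/follow-ups."""
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in sorted(flows, key=lambda x: x.ts):
        by_src[f.src].append(f)

    out: Dict[str, dict] = {}
    for src, fl in by_src.items():
        first_probe: Dict[str, float] = {}      # dst -> ts of earliest bare probe
        probe_ts: List[float] = []
        followups: List[Tuple[str, float]] = []  # (dst, delay since first probe)
        for f in fl:
            if is_probe(f):
                probe_ts.append(f.ts)
                first_probe.setdefault(f.dst, f.ts)
            elif f.completed and f.dst in first_probe:
                # Phase 2: a full connection back to a host this source already probed.
                followups.append((f.dst, f.ts - first_probe[f.dst]))
        out[src] = {
            "probes": len(probe_ts),
            "distinct_hosts": len(first_probe),
            # Time-on-target: span of the source's phase-1 activity against our network.
            "time_on_target": (probe_ts[-1] - probe_ts[0]) if probe_ts else 0.0,
            "followups": followups,
        }
    return out


def two_phase_sources(flows: List[Flow], min_hosts: int = 4) -> List[str]:
    """Sources that swept at least min_hosts hosts and then came back to some of them."""
    summary = summarize_sources(flows)
    return sorted(src for src, m in summary.items()
                  if m["distinct_hosts"] >= min_hosts and m["followups"])


def delay_histogram(flows: List[Flow]) -> Dict[str, int]:
    """Timing-distribution axis: bucket phase-1 -> phase-2 delays (assumed bucket edges)."""
    hist = {"<1min": 0, "1min-1h": 0, ">=1h": 0}
    for m in summarize_sources(flows).values():
        for _dst, delay in m["followups"]:
            if delay < 60.0:
                hist["<1min"] += 1
            elif delay < 3600.0:
                hist["1min-1h"] += 1
            else:
                hist[">=1h"] += 1
    return hist


if __name__ == "__main__":
    for src, m in summarize_sources(SAMPLE_FLOWS).items():
        print(src, m)
    print("2-phase scanners:", two_phase_sources(SAMPLE_FLOWS))
    print("phase-2 delay histogram:", delay_histogram(SAMPLE_FLOWS))
```

On the constructed sample the scanner shows six distinct probed hosts over a five-second time-on-target and two follow-ups roughly ten minutes later, while the web client, which never sends a bare probe, produces no follow-up entries and is not flagged. In a real deployment the probe definition would need to account for retransmissions and the delay buckets would be chosen from observed distributions rather than fixed in advance.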
Document Details
- Document Type
- DoD Grant Award
- Publication Date
- Dec 06, 2022
- Source ID
- N000142312080
Entities
People
- Paul Pearce
Organizations
- Georgia Tech Research Corporation
- Office of Naval Research
- United States Navy