An adversarial coupon-collector model of asynchronous moving-target defense against botnet reconnaissance

George Kesidis, Yuquan Shan, Daniel Fleck, Angelos Stavrou, Takis Konstantopoulos

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

Abstract

We consider a moving-target defense of a proxied multiserver tenant of the cloud where the proxies dynamically change to defeat reconnaissance activity by a botnet planning a DDoS attack targeting the tenant. Unlike the system of [4] where all proxies change simultaneously at a fixed rate, we consider a more 'responsive' system where the proxies may change more rapidly and selectively based on the current session request intensity, which is expected to be abnormally large during active reconnaissance. In this paper, we study a tractable 'adversarial' coupon-collector model wherein proxies change after a random period of time from the latest request, i.e., asynchronously. In addition to determining the stationary mean number of proxies discovered by the attacker, we study the age of a proxy (coupon type) when it has been identified (requested) by the botnet. This gives us the rate at which proxies change (cost to the defender) when the nominal client request load is relatively negligible.

Original language: English (US)
Title of host publication: MALWARE 2018 - Proceedings of the 2018 13th International Conference on Malicious and Unwanted Software
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 61-67
Number of pages: 7
ISBN (Electronic): 9781728101538
DOIs: https://doi.org/10.1109/MALWARE.2018.8659359
State: Published - Mar 4 2019
Event: 13th International Conference on Malicious and Unwanted Software, MALWARE 2018 - Nantucket, United States
Duration: Oct 22 2018 → Oct 24 2018

Publication series

Name: MALWARE 2018 - Proceedings of the 2018 13th International Conference on Malicious and Unwanted Software

Conference

Conference: 13th International Conference on Malicious and Unwanted Software, MALWARE 2018
Country: United States
City: Nantucket
Period: 10/22/18 → 10/24/18

Fingerprint

Planning
Costs
Botnet

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
  • Software
  • Safety, Risk, Reliability and Quality

Cite this

Kesidis, G., Shan, Y., Fleck, D., Stavrou, A., & Konstantopoulos, T. (2019). An adversarial coupon-collector model of asynchronous moving-target defense against botnet reconnaissance. In MALWARE 2018 - Proceedings of the 2018 13th International Conference on Malicious and Unwanted Software (pp. 61-67). [8659359] (MALWARE 2018 - Proceedings of the 2018 13th International Conference on Malicious and Unwanted Software). Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/MALWARE.2018.8659359