Towards Countering the Insider Reconnaissance Using a Combination of Shuffling and Diversity Moving Target Defense Techniques

Moving Target Defense (MTD) has recently emerged as a significant cybersecurity technique. Software-Defined Networking (SDN) has the capability to design efficient network architectures due to its programmability and centralized control management. In this paper, a mechanism for protection against insider reconnaissance is proposed using a combination of the diversity and shuffling approaches of MTD. To implement the shuffling technique, IP shuffling is used in the insider network. The IP addresses of internal hosts are mapped from real to virtual IPs, with the virtual IPs generated randomly by a pseudo-random mechanism. For diversity, a multiple-server platform is incorporated for different critical LAN services such as the Domain Name System (DNS), internal web services, etc. This combined diversity and shuffling approach significantly counters insider reconnaissance targeting critical LAN services. The proposed scheme also exploits an open-source IDS to block insider reconnaissance. The proposed solution was implemented using the ONOS SDN controller, the Mininet simulator, and the Snort IDS. The experimental results substantiate effective protection against insider network reconnaissance at a low computational cost.

Keywords: diversity; IP shuffling; insider reconnaissance; moving target defense; software-defined networking; virtual IP


I. INTRODUCTION
Threats emerging from malicious insiders that have a clear picture of the internal resources are becoming more and more common [1]. Network reconnaissance is the initial stage of the cyber kill chain [2]. Its aim is to collect information about the system and its attributes. Many different solutions have been proposed for protection against these types of attacks [3]. However, the existing work on protection against network reconnaissance is mainly focused on external attackers and, consequently, on the reconnaissance traffic generated by outsiders. Moving target defense is a cyber defense technique whose goal is to constantly change the attack surface in order to make it harder for the attacker to exploit the system [4][5][6]. This active cybersecurity technique has already drawn the attention of the research community in different domains, including the security of cyber-physical systems [7,8], network security [4], cloud security [9], IoT security [10], etc. Software-Defined Networking (SDN) [11] facilitates the development of MTD-based solutions due to its centralized network control, visibility, and separation of control and data planes. Therefore, several MTD solutions are based on SDN [5,12,13].
In this paper, a mechanism for protecting critical DNS and Web servers from reconnaissance attacks originating from inside the network has been developed. The idea of the work is to exploit the MTD mechanism for the protection of resources against insider reconnaissance. Moreover, we have adopted a combination of two different MTD techniques, i.e. diversity and shuffling. The work provides three layers of protection against insider reconnaissance. In the first line of defense, the IP addresses of the nodes are periodically mapped to virtual IP addresses. These addresses are generated using pseudo-random number generators in order to enhance randomness. The mechanism ensures that all internal communication happens via virtual IP addresses. The second line of defense is platform-level diversity of the DNS and Web services. The third protection mechanism is the use of an IDS to detect and block malicious insiders generating reconnaissance traffic. These three approaches substantially counter internal reconnaissance while ensuring that the information gained by the insider during reconnaissance is no longer correct, as it changes after a specific period.
The fundamental motivation behind an MTD-based system is to increase the uncertainty and confusion regarding the information collected by attackers by constantly changing the attack surface [14]. It is an active cybersecurity technique with the objective of making cybersecurity an equal playing field for both the attacker and the defender. There are three broad categories of MTD, namely diversity, redundancy, and shuffling [15]. The diversity technique provides different platforms, software, programming languages, and networks. In shuffling techniques, different system parameters are shuffled either periodically or on the basis of certain events. In redundancy, replicas of the resources are created. These replicated and redundant resources substantially increase the uncertainty for the attacker. Most of the work in the domain of MTD exploits one of these three basic approaches. However, a combination of these approaches has not been explored in detail. Combining these techniques will enhance the performance of the MTD solution and increase attacker uncertainty. SDN is becoming popular for designing security solutions [16]. Its centralized control attributes make designing an MTD solution considerably easier. SDN is also popular for designing MTD for network security [17,18], cyber-physical systems [7], ad hoc networks [19,20], cloud security [9,19], etc.
Insider attacks are gaining momentum [1,20]. There is some initial work on protection against the first stage of the cyber kill chain, i.e. reconnaissance [21]. The authors in [22] proposed a scheme to counter external reconnaissance using SDN-based virtual topologies. In [23], the authors suggested a bio-inspired technique to mitigate insider reconnaissance attacks. Insider threat detection based upon a reality game-based approach was proposed in [24].

II. THE PROPOSED SCHEME
The proposed scheme has three levels of defense. The first one is the IP shuffling approach for the different nodes and servers. The second one is based upon the diversity of platforms for the Web and DNS servers. The third level of defense is the detection of insider reconnaissance via an open-source IDS solution and the subsequent blocking of the malicious hosts generating such traffic. The high-level diagram is depicted in Figure 1.
The MTD network is built on the ONOS SDN controller, with multiple switches and different hosts connected to it. Figure 2 depicts the communication between two hosts and the network flow between them. Communication inside the network happens via virtual IP addresses that are constantly changing. When a host initiates traffic to other hosts in the network, the communication is mapped to their corresponding virtual IPs. There are several steps involved in this communication. The application running in the controller rewrites the IP address of the host into a virtual IP address. The IP shuffling frequency is set to 30 seconds in order to obtain a time-based MTD mechanism. The SDN controller injects the necessary flows based upon the new IP addresses so that communication inside the network continues smoothly.
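As an added illustration of the real-to-virtual mapping described above (this is example code, not the authors' ONOS application), the following Python simulation derives a per-epoch mapping from a seeded pseudo-random generator, rewrites packet addresses in both directions as the controller's flows would, and measures how often a virtual IP survives into the next 30-second epoch, which is the consecutive-iteration reuse the results section reports as below 5%. The class A virtual pool, the host addresses and the seed are assumptions.

```python
import ipaddress
import random

SHUFFLE_PERIOD_S = 30                         # time-based MTD period (Section II)
POOL = ipaddress.ip_network("10.0.0.0/8")     # class A virtual pool (assumed)

# Constructed real IPs of internal hosts; not from the paper's testbed.
REAL_HOSTS = ["192.168.1.10", "192.168.1.11", "192.168.1.20", "192.168.1.30"]

def epoch_of(t_seconds):
    """Map wall-clock seconds to the shuffle epoch (one per 30 s)."""
    return int(t_seconds // SHUFFLE_PERIOD_S)

def virtual_mapping(real_hosts, epoch, seed):
    """Return {real_ip: virtual_ip} for one epoch.

    The PRNG is seeded from (seed, epoch) so every controller instance
    derives the same mapping; sample() keeps the virtual IPs distinct.
    """
    rng = random.Random(seed * (1 << 32) + epoch)
    offsets = rng.sample(range(1, POOL.num_addresses - 1), len(real_hosts))
    return {h: str(POOL.network_address + o) for h, o in zip(real_hosts, offsets)}

def rewrite_packet(pkt, mapping):
    """Ingress rewrite: real src/dst -> virtual, as the injected flows do."""
    return {**pkt, "src": mapping[pkt["src"]], "dst": mapping[pkt["dst"]]}

def restore_packet(pkt, mapping):
    """Egress rewrite: virtual src/dst -> real, so hosts see their real peers."""
    inv = {v: k for k, v in mapping.items()}
    return {**pkt, "src": inv[pkt["src"]], "dst": inv[pkt["dst"]]}

def reuse_percentage(prev, curr):
    """Percentage of hosts whose virtual IP survived from epoch i to i+1."""
    same = sum(1 for h in prev if prev[h] == curr.get(h))
    return 100.0 * same / len(prev)

def simulate(epochs=20, seed=7):
    """Mean consecutive-epoch reuse over a run; the paper reports below 5%."""
    maps = [virtual_mapping(REAL_HOSTS, e, seed) for e in range(epochs)]
    pairs = zip(maps, maps[1:])
    return sum(reuse_percentage(p, c) for p, c in pairs) / (epochs - 1)

if __name__ == "__main__":
    m = virtual_mapping(REAL_HOSTS, epoch_of(45), seed=7)   # second epoch
    print(rewrite_packet({"src": REAL_HOSTS[0], "dst": REAL_HOSTS[2]}, m))
    print(f"mean virtual IP reuse between consecutive epochs: {simulate():.3f}%")
```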
The second line of defense counters insider reconnaissance targeting specific services like DNS and Web servers. To protect against this type of attack, multiple platforms are used.
In the case of DNS, the server was prepared using Bind9 and Unbound DNS. Similarly, there are different platforms for web servers, like Apache, Nginx, and IIS. Within these platforms, different versions are also used to increase the uncertainty for the attackers. When the insider performs reconnaissance to gather information about the DNS or Web servers, they will obtain diversified platform information.

Fig. 1. The multi-layered defense approach against insider reconnaissance attacks.

Fig. 2. Traffic flow sequence during IP mapping from real to virtual and vice versa.

The proposed solution also utilized the open-source IDS Snort to detect and block the insider generating the reconnaissance traffic. This is the third line of defense against insider threats. Figure 3 depicts the server platform diversification for the DNS and Web servers. An attacker performing scanning will get different results for the specific web and DNS platforms. Figure 4 represents the Snort platform analyzing the traffic to detect reconnaissance traffic. The graphical interface of the Snort platform is depicted in Figure 5.

III. EXPERIMENTAL SETUP
We used the ONOS SDN Controller [25], the Mininet simulator [26], and the Snort IDS [27]. Regarding the server machines, we used different platforms for the web server implementation, including Apache [28], Nginx [29], and IIS [30], while for the DNS implementation the BIND9 [31], Unbound DNS [32], and PowerDNS [33] packages were selected. On the SDN network, class A IP addresses were assigned. sFlow [34] was used for collecting different statistical parameters of the network. The experimental setup was implemented on a Dell server with 32 GB of RAM. To generate the reconnaissance traffic, we used Nmap [35]. The experimental topology is depicted in Figure 6. The attacker first generates reconnaissance traffic against the other internal hosts. However, all internal transmission is based upon the mapping from real to virtual IP addresses. This mapping also uses pseudo-random number generators to produce the virtual IPs. The information gained by the attacker in one iteration is invalidated by the virtual IP randomization. In the second phase, the attacker targets the DNS and Web server platforms.

IV. RESULTS AND DISCUSSION
We assumed that the attacker can perform a maximum of 10 scan probes at a time. Table I represents the IP addresses on the network as observed by the attacker in different iterations.
The attackers perform multiple reconnaissance attacks. The attackers observed different IP schemes and addresses due to the IP randomization of the proposed MTD scheme. This substantially increases the confusion for the attackers, because the knowledge gained in each iteration becomes void in the next. Figure 7 illustrates the IP shuffling results for different iterations. The attackers discovered a different number of IP addresses in different iterations. However, in different iterations the attackers may correctly identify previous IP addresses. The percentage of the same IP addresses appearing in consecutive iterations is below 5%. We considered the generic case of the i-th and (i+1)-th iterations.

Table II depicts the diversified DNS and Web server platforms observed by the attackers while running probing traffic against these servers. Since our scheme deploys diversified platforms, the attackers observe multiple platforms. This substantially increased the attacker confusion.

Table III indicates the IP addresses of the malicious insiders generating reconnaissance traffic that were blocked by the third line of defense of our scheme, i.e., the Snort IDS. The first column in Table III is the number of distinct attackers, and the second column indicates the maximum number of probes generated by each attacker. The third column is the product of the first two, i.e. the total number of generated probes. The IDS is able to detect and block on average approximately 85% of the malicious attackers. Overall, the proposed scheme successfully counters insider reconnaissance using the three-level MTD defense.

Table IV summarizes the comparison of the proposed scheme with the state-of-the-art existing solutions. The first advantage of our scheme is the exploitation of MTD for insider reconnaissance protection. The existing work in the literature [22][23][24] focuses on protection against external reconnaissance.
The second advantage of our technique is the combination of MTD techniques for insider reconnaissance protection. Moreover, our scheme is based upon SDN, which provides greater flexibility in designing MTD solutions. Only the work presented in [22] exploited SDN-based MTD for protection against probing traffic. However, their work focused on external reconnaissance protection only. Hence our proposed SDN-based combination of MTD techniques is quite an efficient one.

In this paper, a protection mechanism against insider reconnaissance traffic has been developed by combining the randomization and diversification MTD approaches inside an SDN-based network, along with IDS-based detection. The work elaborated the effectiveness of the scheme for two important services, i.e. DNS and Web. The proposed scheme provides three levels of defense: IP randomization, platform diversity for the DNS and Web servers, and IDS-based detection and blocking. The developed solution effectively throttles insider probing traffic with minimal computational cost.
In the future, we will extend our technique to privacy enhancement for critical services. An adversary observing DNS traffic can cause a privacy disclosure by identifying the URLs visited by users. The proposed approach can be extended to protect against such attacks.