MTDSense: AI-Based Fingerprinting of Moving Target Defense Techniques in Software-Defined Networking

TL;DR

MTDSense investigates the security of moving target defenses in SDN by showing that an AI-capable attacker can fingerprint and time the triggering of IP-shuffling MTDs through passive traffic analysis. The authors implement MTDSense using unsupervised clustering over a rich feature set and demonstrate that the MTD trigger time and interval can be inferred with high accuracy, raising concerns about the effectiveness of traditional MTDs. To mitigate this leakage, they propose three MTD update mechanisms (ODI, OTI, PEI) and evaluate their impact on fingerprintability across various network scales and traffic loads, reporting that PEI in particular can significantly reduce detectability at some cost. The work contributes a realistic SDN-based dataset, a transferable attacker model, and practical guidance for designing less fingerprintable MTD deployments, highlighting the need to balance security gains with performance and privacy considerations in real networks.

Abstract

Moving target defenses (MTD) are proactive security techniques that enhance network security by confusing the attacker and limiting their attack window. MTDs have been shown to have significant benefits when evaluated against traditional network attacks, most of which are automated and untargeted. However, little has been done to address an attacker who is aware the network uses an MTD. In this work, we propose a novel approach named MTDSense, which can determine when the MTD has been triggered using the footprints the MTD operation leaves in the network traffic. MTDSense uses unsupervised clustering to identify traffic following an MTD trigger and extract the MTD interval. An attacker can use this information to maximize their attack window and tailor their attacks, which has been shown to significantly reduce the effectiveness of MTD. Through analyzing the attacker's approach, we propose and evaluate two new MTD update algorithms that aim to reduce the information leaked into the network by the MTD. We present an extensive experimental evaluation by creating, to our knowledge, the first dataset of the operation of an IP-shuffling MTD in a software-defined network. Our work reveals that despite previous results showing the effectiveness of MTD as a defense, traditional implementations of MTD are highly susceptible to a targeted attacker.

Figures (10)

• Figure 1: (a) Steps of MTD update at $T$ based on the update mechanism. Lines above the network connections (green) show the steps for on-demand installation (ODI), and the lines below the network connections (orange) show the steps for on-time installation (OTI) and PEI MTD, which happen at two distinct times $t_1$ and $t_2$. (b) Timing of when the MTD update is made in the SDN switches for update $T_i$. In the ODI scheme, updates are made when a client connection is requested, making it transient. In PEI, updates are installed in advance but do not come into effect until $T_i$.
• Figure 2: Our experimental environment.
• Figure 3: Proposed MTDSense approach for data analysis.
• Figure 4: The effect of attacker observation window on ARI for $T=180s$.
• Figure 5: The effect of varying the MTD interval $T$ on the attacker's achieved ARI. The right-most result is for an MTD where the next trigger time is decided by sampling randomly from a distribution.