DocumentCode :
3522946
Title :
Effectiveness of IP address randomization in decoy-based moving target defense
Author :
Clark, Andrew ; Sun, Kai ; Poovendran, R.
Author_Institution :
Dept. of Electr. Eng., Univ. of Washington, Seattle, WA, USA
fYear :
2013
fDate :
10-13 Dec. 2013
Firstpage :
678
Lastpage :
685
Abstract :
In a decoy-based moving target defense (MTD), a computer network introduces a large number of virtual decoy nodes in order to prevent the adversary from locating and targeting real nodes. Since the decoys can eventually be identified and their Internet Protocol (IP) addresses blacklisted by the adversary, current MTD approaches suggest that the IP addresses of the real and decoy nodes should be randomly refreshed and reassigned over time. Refreshing and reassigning the IP addresses, however, disrupts services, such as established TCP connections, that are bound to the IP address. We introduce an analytical approach to decoy-based MTD that chooses the randomization policy minimizing disruption to system performance. Our approach consists of two components. First, we model the interaction between the adversary and a virtual node as a sequential detection process, in which the adversary attempts to determine whether the node is real or a decoy in the minimum possible time. We compute the optimal strategy for the adversary to decide whether the node is real or a decoy, and derive closed-form expressions for the expected time to identify the real node using this strategy. Second, we formulate the problem of deciding when to randomize the IP addresses, based on a trade-off between reducing the probability of detecting the real node and minimizing the disruption to network services, as an optimal stopping problem. We derive the optimal randomization policy for the network and analyze the detection probability, expected number of connections lost due to IP randomization, and expected time between randomizations under the proposed policy. Our results are illustrated via a simulation study using real-world data from NMAP, a network scanner used here to identify decoy nodes. Our simulation study indicates that our IP randomization policy reduces the probability of detection while minimizing the number of connections that are disrupted by the randomization.
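The two components described in the abstract, a sequential real-versus-decoy test on the adversary's side and a randomization policy on the defender's side, are easier to picture with a small simulation. The following is an added illustration, not code from the paper or from the authors: the adversary classifies a node with Wald's sequential probability ratio test (SPRT) over a constructed binary probe feature, and the defender is evaluated under a simple periodic refresh rule. The observation model (P_ANOM_DECOY, P_ANOM_REAL), the error targets, the connection-arrival model and the periodic policy are all assumptions made here for illustration; the paper's closed-form detection times and its optimal stopping policy are not reproduced.

```python
"""Added illustration of decoy-vs-real sequential detection and IP refresh.

Not the paper's code or its derived policy. The adversary probes a node and
runs an SPRT on a constructed binary feature (e.g. an NMAP fingerprint
inconsistency); the defender refreshes the node's address every k probes,
which resets the adversary's evidence and cuts the connections active at
that moment. All probabilities below are assumptions for the example.
"""
import math
import random

# Assumed observation model (constructed): probability that one probe shows
# the anomaly feature when the target is a decoy vs. a real host.
P_ANOM_DECOY = 0.35
P_ANOM_REAL = 0.05


def llr_step(observed_anomaly: bool) -> float:
    """Log-likelihood ratio of one probe, log P(obs | decoy) / P(obs | real)."""
    if observed_anomaly:
        return math.log(P_ANOM_DECOY / P_ANOM_REAL)
    return math.log((1 - P_ANOM_DECOY) / (1 - P_ANOM_REAL))


def sprt_thresholds(alpha: float, beta: float):
    """Wald's approximate thresholds: accept 'decoy' above A, 'real' below B.

    alpha = P(say decoy | real), beta = P(say real | decoy)."""
    return math.log((1 - beta) / alpha), math.log(beta / (1 - alpha))


def sprt_classify(observations, alpha=0.01, beta=0.01):
    """Run the SPRT over probe results until a threshold is crossed.

    Returns (decision, probes_used); decision is 'decoy', 'real' or None when
    the sequence ended before the evidence reached either threshold."""
    upper, lower = sprt_thresholds(alpha, beta)
    s = 0.0
    for i, obs in enumerate(observations, 1):
        s += llr_step(obs)
        if s >= upper:
            return "decoy", i
        if s <= lower:
            return "real", i
    return None, len(observations)


def evaluate_refresh_policy(k, n_intervals=2000, p_new_conn=0.3,
                            conn_duration=10, seed=7):
    """Monte Carlo evaluation of an assumed periodic policy (a baseline, not the
    paper's optimal-stopping policy): refresh the real node's address after
    every k adversary probes. Returns the probability that the adversary
    concludes 'real' before the refresh and the mean number of connections
    cut per probe interval (connections are assumed to open with probability
    p_new_conn per interval and to last conn_duration intervals)."""
    rng = random.Random(seed)
    detections = 0
    lost_total = 0
    for _ in range(n_intervals):
        probes = [rng.random() < P_ANOM_REAL for _ in range(k)]
        decision, _ = sprt_classify(probes)
        if decision == "real":
            detections += 1
        # Connections still active at refresh time: those opened during the
        # last conn_duration intervals of this refresh period.
        window = min(k, conn_duration)
        lost_total += sum(rng.random() < p_new_conn for _ in range(window))
    return {
        "k": k,
        "p_detect": detections / n_intervals,
        "lost_per_interval": lost_total / (n_intervals * k),
    }


if __name__ == "__main__":
    # Sweep the refresh period to expose the detection/disruption trade-off.
    for k in (5, 10, 20, 40, 80):
        r = evaluate_refresh_policy(k)
        print(f"k={r['k']:3d}  P(detect)={r['p_detect']:.3f}  "
              f"lost/interval={r['lost_per_interval']:.3f}")
```

With the assumed error targets of 1% the adversary needs at least 13 consistent non-anomalous probes before the SPRT can declare a node real, so any refresh period shorter than that drives the detection probability to zero at the cost of cutting more connections per unit time; the sweep in the main block shows the two quantities moving in opposite directions as k grows, which is the trade-off the paper resolves as an optimal stopping problem.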
Keywords :
IP networks; computer network security; IP address randomization; Internet protocol addresses; NMAP software tool; closed form expression; decoy based moving target defense; decoy node identification; network services disruption; optimal randomization policy; optimal stopping problem; sequential detection process; virtual decoy nodes; virtual node; Monitoring; Protocols; Time factors; Virtual machine monitors;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Decision and Control (CDC), 2013 IEEE 52nd Annual Conference on
Conference_Location :
Firenze
ISSN :
0743-1546
Print_ISBN :
978-1-4673-5714-2
Type :
conf
DOI :
10.1109/CDC.2013.6759960
Filename :
6759960