Penn State computer scientists have figured out how to create flexible networks that can detect threats from hackers and help deflect the repercussions of those attacks.
“Because of the static nature of a computer network, the attacker has a time advantage,” said Dinghao Wu, assistant professor of information sciences and technology. “Hackers can spend a month, two months, six months or more just studying the network and finding vulnerabilities. When they return to use that information to attack, the network typically has not changed and those vulnerabilities are still there, too.”
The researchers created a computer defense system that can detect possible malicious probes of the network and then redirect that potential attack to a virtual network that reveals little about the real network the attacker originally targeted.
Typically, when a hacker wants to get down to business, he or she will probe a network to gain information about the system, for example, what software types and versions, operating systems and hardware the network is running. The researchers decided that instead of trying to stop these scans, it could be beneficial to set up a detector that monitors incoming network traffic to determine when the network is being scanned.
“We can’t realistically stop all scanning activities, but we can usually tell when a malicious scan is happening,” said Wu. “If it’s a large-scale scan, it is usually malicious.”
Once a malicious scan is detected, the researchers use a network device they call a reflector to redirect that traffic to a decoy, which they call a shadow network. The shadow network is isolated from the real network and invisible to it, but it can mimic the structure of a physical network to fool the hackers into believing they are receiving information about an actual network.
“A typical strategy would be to create a shadow network environment that has the same look as the protection domain,” said Li Wang, a doctoral candidate in information sciences and technology, who worked with Wu. “It can have the same number of nodes, network topology and configurations to fool the hacker. These shadow networks can be created to simulate complex network structures.”
This kind of defense, known in the computer industry as a moving target defense, also gives network administrators the option to change parts of the shadow network's virtual system, making it even more difficult for hackers to assess whether their scans succeeded.
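To make the detect-and-reflect loop described above concrete, here is a small Python simulation added for this page. It is not the Penn State prototype's code; the host inventory, addresses, scan threshold, decoy banners and probe log are all constructed assumptions. It flags a source as a scanner once it has probed many distinct host/port pairs (the "large-scale scan" signal), answers flagged sources from a shadow network that keeps the real network's node count and open-port layout but serves decoy identities, and includes a reshuffle step standing in for the moving-target adjustment administrators can make to the shadow network.

```python
from collections import defaultdict

# Constructed inventory of the protected ("real") network. Hosts, versions and
# addresses are hypothetical, not taken from the Penn State prototype.
REAL_NETWORK = {
    "10.0.0.10": {"os": "Linux 5.4", "services": {22: "OpenSSH 8.2", 80: "nginx 1.18"}},
    "10.0.0.11": {"os": "Windows Server 2019", "services": {445: "SMB 3.1.1", 3389: "RDP 10"}},
    "10.0.0.12": {"os": "Linux 5.10", "services": {5432: "PostgreSQL 13"}},
}

# Made-up decoy identities the shadow network serves instead of the real ones.
DECOY_BANNERS = ["OpenSSH 7.4", "Apache 2.4.6", "vsftpd 3.0.3", "MySQL 5.7", "IIS 10.0"]
DECOY_OS = ["FreeBSD 12", "Linux 4.19", "Windows Server 2016"]

# Distinct (host, port) pairs one source may touch before it is treated as a scan (assumed value).
SCAN_THRESHOLD = 6


class ScanDetector:
    """Counts distinct targets per source; a wide sweep crosses the threshold, ordinary clients do not."""

    def __init__(self, threshold=SCAN_THRESHOLD):
        self.threshold = threshold
        self.targets = defaultdict(set)

    def observe(self, src, dst_ip, dst_port):
        self.targets[src].add((dst_ip, dst_port))
        return self.is_scanner(src)

    def is_scanner(self, src):
        return len(self.targets[src]) >= self.threshold


class ShadowNetwork:
    """Decoy with the same node count and open-port layout as the real network, but fake identities."""

    def __init__(self, real):
        self.layout = {ip: sorted(host["services"]) for ip, host in real.items()}
        self.epoch = 0  # bumped by reshuffle(); shifts every identity the decoy serves

    def reshuffle(self):
        """Moving-target step: rotate decoy identities so earlier scan results stop matching."""
        self.epoch += 1

    def os_of(self, ip):
        idx = list(self.layout).index(ip)
        return DECOY_OS[(idx + self.epoch) % len(DECOY_OS)]

    def banner(self, ip, port):
        if ip not in self.layout or port not in self.layout[ip]:
            return None  # closed port, mirroring the real host's layout
        idx = self.layout[ip].index(port) + list(self.layout).index(ip)
        return DECOY_BANNERS[(idx + self.epoch) % len(DECOY_BANNERS)]


class Reflector:
    """Sits in the path: forwards normal traffic to real hosts, answers flagged scanners from the shadow."""

    def __init__(self, real, shadow, detector):
        self.real, self.shadow, self.detector = real, shadow, detector
        self.redirected = set()

    def handle_probe(self, src, dst_ip, dst_port):
        """Return (which network answered, banner or None) for one probe packet."""
        if self.detector.observe(src, dst_ip, dst_port):
            self.redirected.add(src)  # sticky: once flagged, a source stays on the shadow
        if src in self.redirected:
            return "shadow", self.shadow.banner(dst_ip, dst_port)
        host = self.real.get(dst_ip)
        banner = host["services"].get(dst_port) if host else None
        return "real", banner


# Constructed probe log: (src, dst_ip, dst_port). One normal web client and one sweep scanner.
PROBES = [("192.0.2.7", "10.0.0.10", 80)] * 3 + [
    ("203.0.113.5", ip, port)
    for ip in REAL_NETWORK
    for port in (22, 80, 445, 3389, 5432, 8080)
]


def run_simulation(probes=PROBES):
    """Feed the probe log through the reflector; return it plus a per-probe log of who answered."""
    detector = ScanDetector()
    shadow = ShadowNetwork(REAL_NETWORK)
    reflector = Reflector(REAL_NETWORK, shadow, detector)
    log = [(src, ip, port) + reflector.handle_probe(src, ip, port) for src, ip, port in probes]
    return reflector, log


if __name__ == "__main__":
    reflector, log = run_simulation()
    for entry in log:
        print(entry)
    print("redirected sources:", sorted(reflector.redirected))
```

One caveat the simulation makes visible: the probes a scanner sends before crossing the threshold are answered by the real hosts, so a slow, narrow scan leaks real banners before the reflector engages. Lowering the threshold or adding other scan signals shrinks that window at the cost of more false positives, and the sticky redirect is what keeps an already-flagged source from mixing real and decoy answers afterwards.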
According to Wu, there is little effect on the real network’s performance and functionality since the reflector can act as a regular network device when there are no malicious attacks present.
The researchers created a prototype for the system and tested it on a virtual local area network, a simulated network running on a single computer. This allowed them to simulate both an attack and defense without using an actual network. The team's prototype was able to sense the incoming scan and deflect it to a shadow network.
The information the attacker's scan was able to extract described only the shadow network. With that success, Wu now plans to deploy the system on an actual network.