TOTP Moving Target Defense for sensitive network services

e-Archivo Repository

dc.contributor.author Cunha, Vitor A.
dc.contributor.author Corujo, Daniel
dc.contributor.author Barraca, Joao P.
dc.contributor.author Aguiar, Rui L.
dc.date.accessioned 2022-02-10T09:46:54Z
dc.date.issued 2021-07
dc.identifier.bibliographicCitation Cunha, V. A., Corujo, D., Barraca, J. P. & Aguiar, R. L. (2021). TOTP Moving Target Defense for sensitive network services. Pervasive and Mobile Computing, 74, 101412.
dc.identifier.issn 1574-1192
dc.description.abstract Edge computing is crucial for many of the new 5G business vertical use-cases, such as Industry 4.0 robots, safety-critical communications, and highly efficient smart grids. However, the tighter integration of such impactful businesses into previously core network operations raises significant security, trustworthiness, and reliability issues. A business vertical must not be able to compromise the Edge platform for other business verticals. Likewise, the vertical Network Services (NSs) entrusted to the Edge should not be compromisable by adversary action. Inspired by the Two-Factor Authentication (2FA) systems already used by Internet services, we propose a Moving Target Defense (MTD) mechanism that protects sensitive NSs using a port mutation akin to a seamless Time-based One-Time Password (TOTP) authentication. Our architecture leverages Software-Defined Networking (SDN) to perform the mutations, with the option of working exclusively as a Virtual Network Function (VNF) that can be instantiated on demand, or in conjunction with OpenFlow hardware-accelerated switches for smarter resource usage. The straightforward Proof-of-Concept implementation showed the approach to be viable, with good forwarding-plane performance (exceeding the capabilities of current Network Interface Controllers), and effective at stopping unauthorized interactions with the protected NS. Because the TOTP approach depends on time and jitter (e.g., network jitter) commonly occurs, the Threat Detection must make a trade-off between minimizing false positives (too many alarms) and accepting false negatives (attempts that go unreported). We have struck a balance that reduces the probability of a rogue probe reaching the NS to nearly 0.0045%, while the probability of stopping an attack without generating an alarm is approximately 2%. Future work, such as adaptive delay compensation or the use of AI/ML, may further improve the effectiveness of the solution.
dc.description.sponsorship This work has been supported by the EU Commission through the 5GROWTH project (grant agreement no. 856709) and the European Regional Development Fund through the Portugal 2020 program CENTRO 2020 [Project SOCA (CENTRO-01-0145-FEDER-000010)].
dc.format.extent 17
dc.language.iso eng
dc.publisher Elsevier
dc.rights © 2021 Elsevier B.V. All rights reserved.
dc.rights Atribución-NoComercial-SinDerivadas 3.0 España
dc.subject.other TOTP
dc.subject.other MTD
dc.subject.other 2FA
dc.title TOTP Moving Target Defense for sensitive network services
dc.type article
dc.subject.eciencia Telecommunications
dc.rights.accessRights embargoedAccess
dc.relation.projectID info:eu-repo/grantAgreement/EC/856709
dc.type.version acceptedVersion
dc.identifier.publicationfirstpage 1
dc.identifier.publicationissue 101412
dc.identifier.publicationlastpage 17
dc.identifier.publicationtitle Pervasive and Mobile Computing
dc.identifier.publicationvolume 74
carlosiii.embargo.liftdate 2023-07-01
carlosiii.embargo.terms 2023-07-01
dc.contributor.funder European Commission