Analysis of port hopping for proactive cyber defense

Abstract

Port hopping is a typical proactive cyber defense technology, which hides the service identity and confuses attackers during reconnaissance by constantly altering service ports. Although several kinds of port hopping mechanisms have been proposed and implemented, but it is still unknown how effective port hopping is and under what circumstances it is a viable moving target defense because the existed works are limited and they usually discuss only a few parameters. Besides, in many cases the defense effectiveness has been studied empirically. In order to have an insight into the effectiveness of port hopping, this paper introduces a quantitative analysis based on the urn model, which quantifies the probability of attacker success in terms of port pool size, number of probes, number of vulnerable services, and hopping frequency. Theoretical analysis shows that port hopping is an effective and promising proactive defense technology in thwarting cyber attacks.