Article
Peer-Review Record

Method of Forming Various Configurations of Telecommunication System Using Moving Target Defense

by Anatoly V. Ryapukhin *, Evgeny O. Karpukhin and Ivan O. Zhuikov
Reviewer 1:
Reviewer 2:
Submission received: 8 August 2022 / Revised: 31 August 2022 / Accepted: 12 September 2022 / Published: 16 September 2022
(This article belongs to the Special Issue Microgrids: Protection, Cyber Physical Issues, and Control)

Round 1

Reviewer 1 Report

- "New web server (host SP)": only a web server? What about other types of network services?

- “address for incoming packets”, does it mean this: "source address of incoming packets"?

- In the model, Host P will take on 3 functions: 1) the original normal network service, 2) detecting an attack from incoming packets, and 3) forwarding suspicious traffic to both Host SP and Host H. It seems this model in Fig. 3 has a possible scalability issue and could not handle a heavy traffic load. The model needs a more careful design.

- "operator or intrusion detection system detected an attack on one of the hosts;": it is ok to make the decision for one host, but it is not feasible for a human operator to handle multiple hosts.

- In Fig. 5 and Fig. 6, SDN controller port F0/1 has IP address 192.168.2.1, and interface F0/1 of Router R0 has IP address 192.168.1.1. With this configuration, it is not possible for the two devices to communicate with each other. The two IP addresses should be in the same network.

- "the resources of the host P become overloaded, and it cannot continue to work": only a limited set of attacks overload the targeted host; many other types of network attack do not overload the host.

- In Fig. 6, Host P changed its original IP address from 192.168.3.100 to 192.168.4.242. Then all ongoing communication will be lost, and no service is available to any customer at once. If the attacker continues sending packets, Host P will keep changing its IP address, and it will be almost down, with no services provided to customers.

- In Fig. 6, the Honey_Pot also changed its IP address. In this model, is there one honeypot per host? If there are multiple hosts in a service system, should there be multiple honeypots? If there are more than two attacks going on concurrently, how is this situation handled?

- "To assess the attacker's impact on the host, hping3 utility [18] was used to create and send custom ICMP/UDP/TCP packets.": To simulate normal operation, using hping to send unidirectional ICMP/UDP/TCP packets is not enough; a bidirectional real UDP/TCP socket communication test should be conducted.

Author Response

Question 1: "New web server (host SP)": only a web server? What about other types of network services?

Answer 1: In this example it was decided to use a web server, but it is possible to use other network services, taking into account their characteristics and limitations.

Question 2: "address for incoming packets": does it mean "source address of incoming packets"?

Answer 2: What is meant here is that the address for legitimate packets is changed from host P to host SP, so that the system can continue to function in the same way.


Question 3: In the model, Host P will take on 3 functions: 1) the original normal network service, 2) detecting an attack from incoming packets, and 3) forwarding suspicious traffic to both Host SP and Host H. It seems this model in Fig. 3 has a possible scalability issue and could not handle a heavy traffic load. The model needs a more careful design.

Answer 3: In the normal state, host P performs all functions assigned to it; it takes protective actions in case of attack detection, taking the attack on itself, while the system continues to function as normal, because the load on server P is taken over by the next server SP, and the attack goes to the controlled HoneyPot environment. In a real environment, we can have as many servers P as makes sense for us in terms of handling the required load and protective actions.

Question 4: "operator or intrusion detection system detected an attack on one of the hosts;": it is ok to make the decision for one host, but it is not feasible for a human operator to handle multiple hosts.

Answer 4: Particular tools and human resources can be selected in a real case depending on objective factors and capabilities (level of funding, level of network service load, level of infrastructure criticality, etc.).

Question 5: In Fig. 5 and Fig. 6, SDN controller port F0/1 has IP address 192.168.2.1, and interface F0/1 of Router R0 has IP address 192.168.1.1. With this configuration, it is not possible for the two devices to communicate with each other. The two IP addresses should be in the same network.

Answer 5: As a simplification of the model in this demonstration, the SDN controller additionally acts as a second router connecting the attacker's network to the attacked network, and therefore this configuration is necessary for the functioning of the model.

Question 6: "the resources of the host P become overloaded, and it cannot continue to work": only a limited set of attacks overload the targeted host; many other types of network attack do not overload the host.

Answer 6: In this example, the fact that the host is overloaded is not important for the demonstration. In the case of another attack, there would be different negative consequences for the system.

Question 7: In Fig. 6, Host P changed its original IP address from 192.168.3.100 to 192.168.4.242. Then all ongoing communication will be lost, and no service is available to any customer at once. If the attacker continues sending packets, Host P will keep changing its IP address, and it will be almost down, with no services provided to customers.

Answer 7: Yes, indeed, at this stage of the work it was decided to concentrate on evaluating the effectiveness of this method without regard to clients. In our next works we will disclose the solution to this problem; most likely, additional network protocols will be proposed for the full functioning of the proposed concept.

Question 8: In Fig. 6, the Honey_Pot also changed its IP address. In this model, is there one honeypot per host? If there are multiple hosts in a service system, should there be multiple honeypots? If there are more than two attacks going on concurrently, how is this situation handled?

Answer 8: The address of the attacked host was assigned to the Honey Pot network, so that further negative actions of the attacker could be investigated in the monitored network. The question of the approach in case of more than one simultaneous attack was not considered at this stage of work. It is assumed that if the victim is of such value to the attackers that a Multiple Advanced Persistent Threat is produced, then the victim has the resources to sustain multiple Honey Pots.

Question 9: "To assess the attacker's impact on the host, hping3 utility [18] was used to create and send custom ICMP/UDP/TCP packets.": To simulate normal operation, using hping to send unidirectional ICMP/UDP/TCP packets is not enough; a bidirectional real UDP/TCP socket communication test should be conducted.

Answer 9: During preliminary tests of the model, such tests were carried out.
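The reconfiguration described in Answers 2 and 8 (legitimate traffic steered to SP, the honeypot inheriting the attacked address, host P moving to 192.168.4.242), together with the reviewer's subnet check from Question 5, modelled as a small constructed simulation. This is an added illustration, not the paper's code or SDN controller; the SP, attacker, client and initial honeypot addresses and the /24 masks are assumptions, and the session-state flag is included only to show the point raised in Question 7.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model, not the paper's implementation. P's two addresses come from
# the review; SP, attacker, client and honeypot addresses and /24 masks are assumed.
P_OLD, P_NEW = "192.168.3.100", "192.168.4.242"
SP_ADDR, ATTACKER = "192.168.3.101", "10.0.0.5"


def same_network(ip_a, ip_b, prefix_len=24):
    """Question 5 check: two interfaces can talk directly only if they share a network."""
    net_a = ipaddress.ip_interface(f"{ip_a}/{prefix_len}").network
    net_b = ipaddress.ip_interface(f"{ip_b}/{prefix_len}").network
    return net_a == net_b


@dataclass
class Host:
    name: str
    addr: str
    sessions: set = field(default_factory=set)  # source addresses with an open session


@dataclass
class MtdController:
    """Stand-in for the SDN controller's reconfiguration after attack detection."""
    p: Host
    sp: Host
    honeypot: Host
    suspicious: set = field(default_factory=set)
    under_attack: bool = False

    def on_attack_detected(self, attacker_src):
        """Answers 2 and 8: honeypot takes P's old address, P moves, legitimate flows go to SP."""
        self.under_attack = True
        self.suspicious.add(attacker_src)
        self.honeypot.addr = self.p.addr
        self.p.addr = P_NEW

    def deliver(self, src, dst):
        """Return (host receiving a packet for dst, whether it already holds a session with src)."""
        if self.under_attack and dst == self.honeypot.addr:
            target = self.honeypot if src in self.suspicious else self.sp
        else:
            target = next((h for h in (self.p, self.sp, self.honeypot) if h.addr == dst), None)
        return (None, False) if target is None else (target.name, src in target.sessions)


def build_scenario(client="192.168.1.50"):
    """Constructed scenario: the client has an open session with P when the attack is detected."""
    ctrl = MtdController(Host("P", P_OLD, {client}), Host("SP", SP_ADDR), Host("HoneyPot", "192.168.5.10"))
    before = ctrl.deliver(client, P_OLD)
    ctrl.on_attack_detected(ATTACKER)
    return before, ctrl.deliver(client, P_OLD), ctrl.deliver(ATTACKER, P_OLD), ctrl.deliver(client, P_NEW)
```

After reconfiguration the client's packets to the old address reach SP, which holds no session state for that client, which is the loss of ongoing communication the reviewer points out in Question 7.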

Reviewer 2 Report

Mathematical equations for the research should be added.

Comparison with the state of the art is missing.

Author Response

Question 1: Mathematical equations for the research should be added.

Answer 1: The necessary mathematical equations are given in Chapter 2.1, MTD in Telecommunication Networks. A more detailed mathematical model, if needed, will be described in a later paper.

Question 2: Comparison with the state of the art is missing.

Answer 2: Relevant research is given in Chapter 2.4, Problem Area. A full-fledged comparison with the state of the art is planned for the next paper, when the model will be refined to take real-world situations into account.

Round 2

Reviewer 1 Report

With the current revision, no other comment.
