Area-Dividing Route Mutation in Moving Target Defense Based on SDN

To enhance mutation efficiency and proactively defend against denial of service (DoS) attacks in moving target defense, we propose an effective and fast multipath routing mutation approach called area-dividing random route mutation (ARRM). This approach resists DoS attacks with acceptable CPU overhead and reduces the convergence time caused by route mutation. Our contribution in this paper is threefold: (1) we provide a model and a method for smooth deployment of ARRM on software-defined networks; (2) we propose an extended shortest-path calculation and route selection method to identify and select efficient routes; (3) we simulate the interaction between an ARRM defender and a DoS attacker and develop analytical and experimental models to investigate the effectiveness and costs of ARRM under different mutation intervals and adversarial parameters. Our analysis and preliminary implementation show that ARRM can protect flow packets against persistent DoS attackers and prolong attackers’ response time. Moreover, compared with traditional RRM schemes, our implementation shows that ARRM efficiently decreases the recalculation time delay caused by route mutation with acceptable CPU costs.
