1. Introduction
In a network, to protect information transmission, some dedicated secure hardware and middleware are widely used. These devices play a critical role in guaranteeing the safe transmission of information. The additional equipment deployment increases the operating costs and investment costs. Thus, it confines the network expansion and limits the flexibility of the network service as well [1]. At the same time, most traditional tools and techniques can only defend against the known threats, and a few can cope with the latent network threats [2].
The static one-to-one mapping of the communication pairs to the routing paths offers adversaries a great advantage to conduct a thorough reconnaissance and organize an effective attack in a stress-free manner. Without adding dedicated devices, Random Route Mutation (RRM) has established itself as a powerful technique in coping with advance persistent threats and stealthy targeted attacks [3,4]. RRM is one of the Moving Target Defense techniques. The core idea of RRM is that a network defender can proactively change the routing path of a communication pair to increase the complexity and costs of the attacks and decrease the attacks’ successful probability of accessing the routing path [5].
In contrast to route mutation techniques, traditional secure sockets typically use encryption methods to forbid attackers from getting information from captured data. The static nature of the routing path is apt to lead to some advantages to attackers, such as sufficient time, prior knowledge of the routing paths [6]. Therefore, a well-crafted route mutation technique should have two evidence characteristics to degrade the successful attacks. The one is the high frequency of route mutation for decreasing the exploring time; The other is a large mutation space for enhancing the uncertainty and complexity of the routing path.
Adopting route mutation to deliver data of a pair in the network increases the amount of routing paths used in the communication. Some pathfinding algorithms have proposed to search for a routing path with more diversity for delivering data in the next time interval of the pair in the network. However, the effectiveness is limited by the network topologies. For example, the intersection exists between some paths of the routing path set. The non-disjoint routing path has little contribution to enhancing the security of the communication. At the same time, the routing paths should be meet some constraints (e.g., bandwidth, delay) to ensure the communication performance fulfilling the QoS of the flow.
It is often that most flows have an insufficient routing path space that decreases the effectiveness of route mutation. So, we introduce a polymorphic path transferring method based on assembling physic and virtual path splices. It generates flexibly routing paths for the next interval and enlarges the routing path space for routing mutation. Section 5 lists the capabilities of the method in detail.
To improve the effectiveness of route mutation, pattern recognition based on artificial intelligence has applied in route mutation in literature [7,8]. By introducing some reinforcement learning algorithms, the defenders can get more information about the attackers to adjust the time at changing the routing path. However, Advance Persistent Threats are still often invalidating these methods. To a defender, when to change the routing path is still a problem.
The design of route mutation has accelerated greatly by adopting Software Defined Networking architecture in which the intelligence of the network centralized in a logical controller. However, the scalability of the routing mutation is heavily affected by the control costs as well. Taking routing path mutation will bring additional control messages and storages on the data plane. There have been many different routing path update techniques available. But, routing mutation makes most of them inapplicable to a routing path update of high frequency due to unreasonable costs. So, the work proposed a segment path update to decrease the control and storage costs.
The main contributions of this work as follows:
1) A polymorphic path method with assembling physic and virtual path splices is introduced to enlarge the routing path diversity.
2) Route mutation optimization problem is modelled as a Markov Decision Process with uniform distribution of background flows, by value iteration to get optimal routing path at the mutation time.
3) Adopting a segment path update in which a path is updated piecemeal with aggregation flow entries in the forwarding table. It can decrease the control and storage costs.
The Polymorphic Path Transferring with Segment Path Update (PPT-SPU) technique can improve the adaptiveness and scalability of route mutation. The PPT-SPU allows the defender to implement effective routing mutation in an environment confined to network resources (e.g., insufficient routing path space, stressed control sources). It also enables the defender to execute the next-path decision and migration optimally. We empirically evaluate our scheme in an OpenFlow-based test network. Experimental results demonstrate the advantages of PPTSPU over the other approaches in security and costs.
The remainder of the paper is organized as follows: Section 2 discusses the related works of route mutation. Section 3 presents the motivating case study, the problem formulation, and the security threats. Section 4 describes a corresponding model and a solution to the problem. some critical implementer points are given in Section 5. In Section 6, we conducted a case study, and effectiveness analysis and experimental results are demonstrated as well. Finally, we concluded the paper in Section 7.
2. Related Work
The defense measurements are usually launched passively when the harms occurred because the cyber attackers are often in the dark. To change the disadvantaged situation of the network defenders in the network attack and defense, Moving Target Defense (MTD) has attracted the attention of network researchers in recent years [3]. By proactively changing some of the network states, MTD can make an adversary in an ever-changing attack surface. So, this makes it harder for the attackers to determine the target of accuracy. MTD can respond effectively to known network threats. It can effectively reduce the security problems that may result from latent network threats also.
Since the traditional networks cannot meet the basic requirements of MTD that need to configure the network states dynamically at a high frequency, MTD confined in the domain of the single computer system for a long time, and few success cases in the Network Moving Target Defense (NMTD). In recent years, SDN (software-defined networking) has popularized as a network architecture [9]. With the wide adoption of SDN, the establishment of secure network services based on it has become one of the concerns [10]. SDN provides flexibility and programmability to the network managers and operators that make NMTD easier to implement.
Data transmitted in the network will face various kinds of attacks, such as Data Leakage [l1], Data Tampering [12], Data Replay [13]. Meanwhile, the development of machine learning in packet analysis makes the network transmission based on encryption face greater risks [14]. Therefore, limiting the number of data exposed to attackers will be an effective way to mitigate these attacks. different from the passive routing adjustment in case of network failure [15], The NMTD based on SDN has attracted more attention from academia and the industry of the network community in the last few years.
NMTD increases uncertainty/confusion to the adversaries by changing the network configuration continuously and dynamically. By now, the researchers have put more emphasis on changing static parameters of the data flow on the fly [16,17,18,19,20]. The IP address [21], the port [22], and the routing path of a flow [11,19,20,23,24,25] are the main objects of dynamic configuration.
Based on OpenFlow architecture, Jafarian et al., [18] proposed a flexible terminal IP faked data delivering method, called OF-RHM, and the analysis shows it can effectively decrease the successful attacks, but the mapped virtual IP keeps unchanged during the session. Gillani et al., [26] foil the adversaries’ probing through migrating virtual routers among multiple paths, then resists the link DDoS attacks. Qi et al., [19] formalized the RRM problem to a Satisfiability Modulo Theories (SMT) to identify the constraint-satisfying routing path set of the mutating flow. It also pointed out that finding enough disjoint paths is a hard job in wired networks. They adopted overlay networking to expand the satisfaction of the routing path. However, creating and maintaining a virtual network is a high-cost work itself. Jafarian et al., [27] adopted a similar model to the literature [19], and the difference of their work is introduced the game theory into the optimal strategy selection. Both [19] and [27] are limited to how to mutate and not to when to mutate optimally.
Jiang Liu et al., [28] develop an optimal routing path selection algorithm by introducing a network anomaly trigger mechanism to cope with changing routing paths optimally. Duan et al., [29] propose an RM scheme to cope with Infrastructure Distributed Denial of Service. These schemes all consider the attack strategies of adversaries in deciding when to mutate. Some papers [7, 8, 30] have adopted Deep Reinforcement Learning to optimal routing mutation. The results show evidence effective on the optimal routing path selection and mutation time. With Artificial Intelligence development, it seems more effective techniques for searching optimal routing path and mutation time will occur.
From the literature, routing path diversity plays a critical role and decides the security effectiveness in routing mutation directly. Three main constraints execute press on the routing path diversity: capacity constraint, overlap constraint, and QoS constraint [19]. At the same time, fine-grained flow scheduling brings pressure to the flow table storage in the data plane [31]. Since changing the routing path with high frequency, we also need to consider the control cost constraint introduced by the central control model of SDN architecture.
In this paper, we propose a routing path expand method, called virtual and physical path slices consolidated, which is different from the overlay network in [19] and the other schemes that make full use of overlapped routing paths (e.g., 7,8,10). To search for an optimal routing path, a simple optimal algorithm with corresponding segment path update and Markov decision Process is used in solving the path scheduling. However, the advanced optimal algorithms, such as the Differential evolution algorithm [32], is expected to apply in route mutation with the improvement of the controller capacity in the near future.
In our experiment environment, we do not consider the optimal time to execute the mutation based on attacks’ patterns due to a lack of trusted data from detecting. However, we hold the opinion that introduced intelligence attack sensor techniques in our scheme, which will enhance the defense instead of worsening it.
3. Problem Definition
3.1 Motivating case study
To resist some emergency, such as device invalid, link break, congestion, the operators often deploy redundancy resources in the network. It is a small probability that only one path exists between a communication pair in a running network. Parallel multipath brings opportunities at providing flexible routing policy to the data delivery of the communication pairs. By transferring data over different routing paths, route mutation enlarges the attack surface and decreases the exploration time of the adversaries. Therefore, it enhances the security of the fly packet in the network. The diversity of the routing path is a critical factor that decides the effectiveness of the route mutation. All simple routing paths of a communication pair construct a routing path set. There are two categories of these routing paths. One is disjoint paths, and the other is non-disjoint paths. The former proved more security effectiveness compared with the latter. It is satisfactory while having enough disjoint paths of a communication pair for executing route mutation policy.
We have extract ten network topologies from topology zoo [33]. These topologies are from the networks deployed around the world. Unfortunately, there are a few disjoint paths between the pairs in the topologies. There are many reasons to explain the cause of this case, such as operating costs, investment costs, and management costs. The statistical results showed in Table 1. ON represents the overlap rate and NN represents the number of nodes in all paths between a pair. The ON is given by: ON = (number of nodes in all paths - NN) / NN.
Table 1. The Statistics of ten networks
The overlay network is one of the techniques to meet the challenges. The operators can add and delete virtual links flexibly in the overlay network. Therefore, the amount of the routing paths of a communication pair can be expanded as needed. The main problem of the overlay networks is bringing extra management and maintenance costs. The optimal non-disjoint path application also brings some benefits to security. However, based on scarce path resources, it is only providing a limited effectiveness.
It is different from before when PPT-SPU adopts segment route and mixture routing path construction. For non-disjoint paths, the overlap part can be divided into multiple logical channels, called virtual path segments. Then, route mutation uses the routing paths reconstructed by the virtual path segments and the physical path segments. Compared with maintaining an overlay network, route mutation dynamically constructs the routing path at delivering data packets and tears down it at the end of delivery. So, a local virtualization-based routing path construction method has more flexibility and less cost.
3.2 Security Threats
Routers/switches are responsible for forwarding a flow in networks. However, backdoors of devices or poor security management introduce potential threats to data communications. There have many accidents created by attackers who compromised the routers/switches [34]. Therefore, in our works, some routers/switches are considered potentially malicious. That is, some routers/switches do not operate as expected.
An adversary seeks to compromise the node among the transferring path of the target communications pair, then based on the compromised node, they might execute directed or undirected attacks (e.g., eavesdropping, DDoS). The route mutation system schedules the packets of the flow from over one path to the others dynamically to escape the capture of attackers.
We assume the attacker is aware of the route mutation implemented by the communication pair in the network. The attacker selects a random path to explore the active flows of the target pair. The work assumed that an attacker has some level of ability to compromises a target path. Its capability as follows:
1) The attacker is aware of the network topology and the IP addresses of the communications pair via the reconnaissance and will attempt to compromise a route randomly between the communications pair.
2) Subject to a limited budget and an attempt to keep a low probability from detection, the attacker can only explore a portion of the nodes in the network in a fixed period. The attacker cannot monitor the whole network, which will let all effort used route mutation to lose efficacy.
3) The attacker can attack network nodes randomly at any time interval and moves from one path to the other while the target flow not identified.
4) The attack can choose to attack a set of nodes based on the knowledge increases over time.
5) If the attacker hits the flow of the target communications pair (the attacker hits the node in the routing path), it will stay in the state till the flow disappear.
3.3 Problem formulation
For transferring data from source node S to destination node D in a network, there is often a group of simple paths between S and D, we denoted it denoted by PSD. At the same time, we assume that PSD has more than one element (it is a common situation in a robust network), and \(P^{S D}=\left\{P_{i}^{S D} \mid i \in\left[1, n^{S D}\right]\right\}\), where \(P_{i}^{S D}\) indicates the 𝑖th path of the path set, and the element number of the PSD is \(n^{S D}=\left|P^{S D}\right|\). A routing path consists of a sequence of network nodes. We let \(R_{i, k}^{S D}\) represent the kth node of the path \(P_{i}^{S D}\). The main notations and definitions are shown in Table 2.
Table 2. Portion notations and definitions
In a classic packet transfer from S to D, it often uses the shortest path, and only one routing path of PSD is used to deliver all packets of the flow. That is, the transmission is over the network nodes along the shortest path. However, adopting route mutation, packets of a flow will fly over different routing paths, and we denote the used routing paths by \(P_{H}^{S D}\left(P_{H}^{S D} \subset\right.P^{S D})\). The packet distribution on the \(P_{H}^{S D}\) is relative to the path scheduling algorithm.
For kth router (or switch) \(R_{i, k}^{S D}\) in the path \(P_{i}^{S D}\), the cumulative number of flows arriving at it in the time interval [0,t], we denote by \(A_{i, k}^{S D}(\mathrm{t})\), and the value is non-negative. To formulate the amount of arrived flow precisely, the notation \(A_{i, k}^{S D}(\tau, \mathrm{t})\) represents the amount of arrived flows in the time interval [τ, t] , where t > τ ≥ 0. Combined with the definition of \(A_{i, k}^{S D}(\mathrm{t})\), \(A_{i, k}^{S D}(\tau, \mathrm{t})\) is expressed as follows:
\(\begin{aligned} &A_{i, k}^{S D}(\tau, \mathrm{t})=A_{i, k}^{S D}(\mathrm{t})-A_{i, k}^{S D}(\tau) \\ &\text { Where } A_{i, k}^{S D}(\mathrm{t}, \mathrm{t})=0, \forall \mathrm{t}>0 . \end{aligned}\) (1)
The symbol \(D_{i, k}^{S D}(\mathrm{t})\) used to denote the cumulative number of flows that have departed from \(R_{i, k}^{S D}\) during the time interval [0,t]. Since the number of departed flows cannot exceed the amount of arrived flows, so, \(A_{i, k}^{S D}(\mathrm{t})>D_{i, k}^{S D}(\mathrm{t}), \forall \mathrm{t}>0\). In particular, when \(A_{i, k}^{S D}(\mathrm{t})>D_{i, k}^{S D}(\mathrm{t})\), there are many flows that are lively at \(R_{i, k}^{S D}\).
For a router/switch, a flow commonly consists of a sequence of packets needed to forward to the next node. To associate \(A_{i, k}^{S D}(\mathrm{t})\) with \(D_{i, k}^{S D}(\mathrm{t})\), and we assume that each flow is timeconfining, that is, the flow does not live on a node if there are no packets to be transferred. The existing flows processed at \(R_{i, k}^{S D}\) during the period of (τ, t) is denoted by \(E_{i, k}^{S D}(\tau, \mathrm{t})\), where \(E_{i, k}^{S D}(0, \mathrm{t}) = E_{i, k}^{S D}\). So, given \(R_{i, k}^{S D}\) and two-time points τ and t (t > τ), we can get:
\(E_{i, k}^{S D}(\tau, \mathrm{t})=A_{i, k}^{S D}(\mathrm{t})-D_{i, k}^{S D}(\tau)\) (2)
Given a path \(P_{i}^{S D}\) used to transfer data for pair , and the duration of the flow is the interval (t1,t2). Thus, in the worst scenario, the attacker is only need to explore one router/switch among the path, and which has the minimum number of flows under process comparing with the other nodes among the routing path. The attack surface of the routing path \(P_{i}^{S D}\) is denoted by \(A S_{i}^{S D}\), and its value is:
\(A S_{i}^{S D} \geq \min _{R_{i, k}^{S D} \in P_{i}^{S D}} E_{i, k}^{S D}\left(t_{1}, t_{2}\right)\) (3)
To increase security, route mutation scales up attacker surface at detecting a flow on the flying. For a flow of pair , if all paths in the PSD are disjointed, the attack surface of the flow (denoted by ASSD) is formalized as:
\(A S^{S D}=\sum_{P_{i}^{S D} \in P_{H}^{S D}} A S_{i}^{S D}\) (4)
To update a path \(P_{i}^{S D}\) (consisting of \(\left|P_{i}^{S D}\right|\) nodes) in OpenFlow networks, under the classical scenario, it will bring \(\left|P_{i}^{S D}\right|\) Flow-Mod messages at the initial phase of the flow transfer and \(\left|P_{i}^{S D}\right|\) Flow-Removed messages at the finish phase. The storage requirement is \(\left|P_{i}^{S D}\right|\) flow entries on the data plane.
For a path replacement, such as using \(P_{j}^{S D}\) to replace \(P_{i}^{S D}\), the extra \(\left|P_{j}^{S D}\right|\) Flow-Mod messages and \(\left|P_{j}^{S D}\right|\) Flow-Removed messages add to exchange messages between the controller and the data plane. It also brings an instant increase at storage on the data plane. To assure the packets delivery at path exchange period, it is need to store \(\left|P_{i}^{S D}\right|\)+\(\left|P_{j}^{S D}\right|\) flow entries on the data plane in a short period.
Traditionally, in the shortest path first routing paradigm, a flow overhead of pair includes: \(2^{*}\left|P_{i}^{S D}\right|+1\) control messages and \(\left|P_{i}^{S D}\right|\) flow entries storage, where \(P_{i}^{S D}\) satisfied \(\left|P_{i}^{S D}\right|=\min _{P_{j}^{S D} \in P^{S D}}\left|P_{j}^{S D}\right|\).
For route mutation with frequency H, due to routing path replacement constantly, a flow overhead of the pair duration time T includes: \(2 * \sum_{k=1}^{T H}\left|P_{k}^{S D}\right|+1\) control messages a(denoted by \(C_{\text {control }}^{S D}\)) and peek storage requirement for \(\left|P_{k}^{S D}\right|+\left|P_{k+1}^{S D}\right|\) flow entries (denoted by \(C_{\text {Storage }}^{S D}\)). Where \(\left|P_{k}^{S D}\right|\) and \(\left|P_{k+1}^{S D}\right|\) are the two paths in a temporally alternating sequence and \(\left|P_{k}^{S D}\right|\) is the kth time interval used path.
Therefore, in route mutation, path \(P_{j}^{S D}\) used for replacing the current path for delivering the flow of pair involves some control messages of Flow-Mod and Flow-Removed and the burst of storage. When the routing path mutation is at a fast frequency that will bring high operation overhead on control message. At the same time, the data plane requires more storage coping with changing paths at high frequency. All in all, route mutation brings more pressure on the scalability.
For improve the scalability of route mutation, decreasing the overhead on the path replacement (\(C_{\text {control }}^{S D}\) and \(C_{\text {Storage }}^{S D}\)) is a critical way. Based on the SDN architecture and OpenFlow characteristics. In PPT-SPU, network background flows enter in consideration to seek a strategy that gets:
\(\min \left(C_{\text {control }}^{S D}+C_{\text {Storage }}^{S D}\right) \text { and } \max \left(A S^{S D}\right)\) (5)
4. Model Description and Solution
Considering a periodic-mutation route communications system with control messages, storage in data plane, quality of service (QoS) and security, we model the problem as a Markov Decision Process (MDP) to obtain optimal mutation policy. The transferring flows over periods {F1, F2, ..., Ft, ...} are independent and identically distributed (iid) between periods in the network. At each time t = 1,2, … , the F denote one-period transferring flows, which is non-negative with mathematical expectation E[F] > 0, and the defender has not access to the true transferring flow in the network a priori. The defender can only observe the past statistics of flows and adjust the routing path on the fly.
4.1 Markov Decision Process Model
We model the problem as a MDP to obtain optimal mutation policy. There are two mutation options as follows:
1) “virtual” segment: Based on changing the identifier of the flow to construct a logical channel, it can escape the capture of the attack among the path. The significant feature is its diversity.
2) “physical” segment: Not only the identifier of the flow but also the routers/switches among the routing path are all changed while adopting “physical” segment mutation. However, the diversity is often insufficient.
We can obtain revenue from changing the identifier of the flow, varying the routers/switches among the routing path, or both in forwarding the flow, which can increase difficulty of the attackers. However, the costs are also paid to migrate the routing path or identifier of the flow. We concentrate the overhead on control messages and storage of the flow entries in here.
The routing path state migrating decisions are made once a time interval. The decision is based on the observations that includes current forwarding flow state (the identifiers of the flow and routers among the routing paths). Depending on the network states, the decided actions at the delivering flow make more sense than other. And the routing path should also meet:
1) No loop in the routing path;
2) Can’t load beyond any link or node capacity among the path;
3) QoS of the flow.
Each action of route mutation has a reward which equals the revenue subtracting the costs. Taking an action will affect what we observe next. That is the next period’s routing state of the flow, and it includes amounts of flows forwarded at each router among each routing path.
For the routing mutation system under consideration, at each time t = 1,2, …, it observes the current routing state xt ∈ X. It will select a mutation action for transforming the routing path in next period at ∈ A(xt), which will earn a reward r(xt, at). The next routing state is xt+1 with probability pr(xt+1|xt, at).
The action is periodically procuring a single path segment to migrate the routing path. The flows are independent and identically distributed (iid) among the routers in the network. The routing path set of pair is X = PSD. The action set is A(x) = {virtual segment muation, physical segment mutation} , which select path segments ps,ps ∈ pi, pi ∈ PSD for delivering flow in the next time interval. We let r(x, a) be the expected reward earned when action 𝑎𝑎 is taken in state x:
\(r(x, a)=A S^{S D}-C_{\text {control }}^{S D}-C_{\text {Storage }}^{S D}\) (6)
Let Fr denote the distribution of transferring flow at router r. If the current routing state is x, and action α is taken, the next state is x′ in the next interval with probability:
\(p r\left(x^{\prime} \mid x, a\right)=\left(\frac{\sum_{r \in x^{\prime}} \int d F_{r}}{\left|x^{\prime}\right|}\right) / \sum_{p_{i} \in P^{S D}}\left(\frac{\sum_{r \in p_{i}} \int d F_{r}}{\left|p_{i}\right|}\right)\) (7)
Based on routing states, the defender follows a policy π for selecting actions. If the routing state history of the flow up to time t is x0 ... xt-1at-1xt, then select action at ∈ A(xt) with probability π(at|x0 ... xt-1at-1xt), In general, policies may be randomized and historydependent.
4.2 Solution
The performance of the route mutation measures by an Infinite-Horizon Discounted Total Reward, denoted by \(V_{\gamma}^{\pi}(x)\), which represents the expected value of the received rewards, starting from state X = x and following policy π.
\(E_{x}^{\pi}\) = expectation given that the initial state is 𝑥𝑥 and the policy π is used;
γ = discount factor (between 0 and 1);
Xt = routing state at time ;
At = migrating action taken at time ;
\(V_{\gamma}^{\pi}(x)=E_{x}^{\pi} \sum_{t=0}^{\infty} \gamma^{t} r\left(X_{t}, A_{t}\right) x \in X\) (8)
In route mutation, a deterministic stationary policy \(\pi\) can be evaluated by the utility function as follows:
π is used to implement the mapping function: : X → A, which dictates each migrates to take a certain segment while being in a specific routing state. πx = a represents adopting action α at routing state 𝑥 by using policy π . The state process X0, X1,... is a homogeneous Markov chain. Each routing migration rewards r(x, a) are bounded. The policy\(V_{\gamma}^{\pi}(x)=\sum_{x^{\prime} \in X} p r\left(x^{\prime} \mid x, \pi_{x}\right)\left[r\left(x^{\prime}, \pi_{x}\right)+\gamma V_{\gamma}^{\pi}\left(x^{\prime}\right)\right]\) (9)
Since the routing state and action sets are finite. For any \(\gamma \in[0,1)\), there exists an optimal policy that is deterministic and stationary. (Theorem, Howard, 1960). Consider any \(\gamma \in[0,1)\), the value function:
\(V_{\gamma}^{*}(x):={ }_{\pi}^{\inf } V_{\gamma}^{\pi}(x)\) (10)
Uniquely satisfies the optimality equation
\(V_{\gamma}^{*}(x)=\max _{a \in A(x)}\left[r(x, a)+\gamma \sum_{x \prime \in X} p r\left(x^{\prime} \mid x, a\right) V_{\gamma}^{\pi}\left(x^{\prime}\right)\right], \quad x \in X\) (11)
Moreover, a deterministic stationary policy \(\pi\) is optimal if and only if
\(\pi^{*}(x)=\underset{a \in A(x)}{\arg \max }\left[r(x, a)+\gamma \sum_{x^{\prime} \in X} p r\left(x^{\prime} \mid x, a\right) V_{\gamma}^{\pi}\left(x^{\prime}\right)\right]\) (12)
Based on the preceding the following algorithm, it can be used to compute an ε-optimal policy, i.e., a policy \(\pi^*\) such that:
\(V_{\gamma}^{\pi^{*}}(x) \geq V_{\gamma}^{*}(x)-\varepsilon \forall x \in X, \text { for any } \varepsilon>0\)
Then, we use the value iteration to solve the MDP problem, as shown in Algorithm 1.
Algorithm 1. Value Iteration
5. Critical Implementer Points
The fundamental modules of PPT-SPU are the routing path calculator and scheduler. Firstly, based on the K-shortest paths algorithm from [35], the routing path calculator produces a simple path set for a route request from a communication pair. Each element in the set is a candidate to transfer data of the communication pair. A routing path consists of a sequence of network nodes (switches/routers). These devices are responsible for transmitting packets of the flow from the source to the destination terminal of the communication pair. In the network, each switch should be responsible for processing different flows at the same time. Both the monitor for flows matrix and the K-shortest paths selection algorithm are all outside the scope of this paper, and the reader can get these from our previous work [36]. Subsequently, the routing path scheduler that consists of path selection, path install, and path replacement enters the role of maintaining the routing path used to deliver the flow. We focus our attention on path selection and update in route mutation to attain optimal scalability and security performances as formulation (5) described. In the rest of the paper, the router, the switch, and the node would be interchangeable when no cause confusion.
As a route mutation policy for SDN networks, PPT-SPU implements path scheduling based on the global network view provided by a logical controller of the network. For adjusting a routing path, the central controller downloads instructions into the network device in the data plane. The PPT-SPU above the controller is responsible for flexibly scheduling the routing path of the flow on the fly.
The scalability of route mutation will seriously degrade while the costs severe increases caused by changing the routing paths at high frequency. For better scalability, the PPT-SPU adopts a segment path migrating strategy according to virtual/physical segment construction of the routing path. Then, the routing path migrates at a sequence of the path segments. The approach relieves the controller press caused by updating the whole routing path once a time. As a by-product, the control consumption (such as control bandwidth, storage) does not incur burst, and the communication performance does not intermittently deteriorate.
For further concealing the packets of the flow, during the virtual segment path construction and migration, it takes the network background flows into account at deciding the next-hop routing path, which introduced not only as a transfer performance index but also as a security index. The flow identifier changes according to the background flows that confuses the attacker in recognizing the target flow. So, it will further increase the security of flow delivery.
5.1 Path scheduler
In PPT-SPU, for changing the routing path of a flow on the fly, the path scheduler should decide the next-hop routing path for transforming the route of the flow from the current to the next. To attain optimal security with the least costs, it adopts MDP with a segment update strategy to determine the routing path for the next transmitting slot. The constraints of the nexthop path selection include the migrating cost, the traffic of the flow distribution history, and the network background flows. To reduce the control costs, the strategy also constructed virtual path segments by existed flow entries in the data plane, which provides better scalability. At the same time, integrating the flow identifier concealment, the security of data transfers is also enhanced.
Enlarging the explore space of the attackers is important for implementing a successful route mutation. The flows processed on different network nodes consist of the explore space. A router with a large amount flows at processing will add hard to the attacker at identifying the targe flow. So, the scheduler prefers to use the busy router among the routing path in the next time interval.
A routing path weight index is introduced to indicate how security the routing path is. We assume that the nodes of the network have the same capacity in processing of flows, the weight value of path \(p_{i}^{S D}\) in time slot (τ,t) is the average amount of the existing flows processed at the nodes among the path, we denoted it by \(W_{i}^{S D}\).
\(W_{i}^{S D}=\frac{\sum_{1
Since the network background flow is a continuously changing state, the value of the weight is varying along with the time.
In SDN networks, an OpenFlow-enabled switch forwards the arrived packet according to the instructions of the matching flow entries in its flow table. At the initial phase, the matching field can be select from 12 metadata in OpenFlow 1.0 [37], and the number has extended to 42 metadata in OpenFlow 1.5 [38]. But, in practice, the number of the matching field in a flow entry is just a few. While two flows have a common path segment, their flow entries among the segment will have the common instructions. So, the flow entries can be multiplexed by both flows. Flow entries multiplex decreases the operation on both controller and data plane. It is also the major motivation for the proposed Segment Path Update.
As Fig. 2 shows, a flow of pair is transferring in the network, a path \(\left(P_{i}^{A B}= \right.\left.\left(r_{1}, r_{3}, r_{4}, r_{5}, r_{6}\right)\right)\) serviced the flow. When a new flow of pair is occur, and the first packet of the flow arrives at γ2 , then path \(P_{j}^{S D}\) is selected by the routing algorithm for transferring the flow. The path \(P_{j}^{S D}=\left(r_{2}, r_{3}, r_{4}, r_{5}, r_{7}\right)\). Since \(P_{i}^{A B} \cap P_{j}^{S D}=\left(r_{3}, r_{4}, r_{5}\right)\), segment \(\left(r_{3}, r_{4}, r_{5}\right)\) is multiplexed by the two flows. To benefit the multiplexing of the segment, at the ingress of the segment, the head of packets of the flow can be modified to a new head which contains all the matching fields of the entries serviced the flow . To distinct and restore the flow of at the egress of the segment, an extra field needs to add in the head of packets of the flow . Thus, the packets of the flow are replaced at r3 and restored at r5. So, on the other nodes of the segment, the packets of the pair will be processed as the packets of the pair .
Fig. 2. The multiplexing of segment
In route mutation, virtual segment of a path implementation is to construct a virtual channel for the packets of the flow. In the virtual channel, it is need to cast the packets of the flow to transfer according to the special virtual channel. Finding an appropriate sequence of segments benefited to multiplex is the first task due to faking the flow is important for both virtual segment construction and Segment Path Update. There are different segment discovery paradigms (e.g., minimize the number of the segments contained in a path). Given the constraints, the transfer order of switches and segments in each path will be determined. Subsequently, the controller needs to execute the flow head replacement to disguise the flow for transmitting over a specified segment. To relieve the operation cost, minimize the number of the segments contained in a path is adopted in PPT-SPU.
Path \(P_{i}^{S D}\) can be divided into many segments. Conversely, the path consists of some segments which are stick to each other according to the directed sequence. For any segment in path \(P_{i}^{S D}\), the start switch of the segment initials the packets transmitting of a flow over the segment, and at the end switch of the segment finishes the current segment transmitting and opens the next segment transfer (if it is not the end of the path).
We formally define the problem of segment discovery on a path set of pair denoted by PSD. We denote the set of all possible segments of PSD by a segment dictionary SSD, and each element in SSD is a sub-path of a path in PSD. It is easy to see that if path \(P_{i}^{S D}\) contains \(n_{i}^{S D}-1=\left|P_{i}^{S D}\right|-1\) edges, then \(S_{i}^{S D}\) contains \(\left|S_{i}^{S D}\right|=\left(n_{i}^{S D}\left(n_{i}^{S D}-1\right)\right) / 2\) segments.
The paths in PSD can be reconstructed by concatenating the segments in dictionary SSD. The size of the segment dictionary is denoted by |SSD| which defines the number of its segments. Obviously, the largest segment dictionary that one can have is \(S_{\max }^{S D}=\bigcup_{i \in\left[1, n^{S D}\right]} S_{i}^{S D}\). When path \(P_{i}^{S D}\) can be reconstructed by a segment set \(S_{i}^{S D^{\prime}}=\left(S_{1}, S_{2}, \ldots, S_{m}\right) \subset S_{\max }^{S D}\), we denote by \(P_{i}^{S D}=U\left(S_{i}^{S D \prime}\right)\), there exists a permutation σ = σ(1)σ(2)…σ(m) such that \(P_{i}^{S D}=S_{\sigma(1)} \cup S_{\sigma(2)} \cup \ldots \cup S_{\sigma(m)}\).
Deduction. 1. If each path in PSD can be reconstructed by two segments S1 and S2, and we denoted it by \(\left(S_{1}, S_{2}\right) \subset S^{2 S D}\), therein \(S^{2 S D}\) represents the segment dictionary that each element in the 𝑆𝑆2𝑆𝑆𝑆𝑆 can find the other one constructed at least one path in the \(P_{i}^{S D}\). That is \(S^{2 S D} \subset S^{S D}\), any path \(P_{i}^{S D}=U\left(S_{1}, S_{2}\right)\), and there exists a permutation σ such that \(P_{i}^{S D}=S_{\sigma(1)} \cup S_{\sigma(2)}\). We represent the segment \(S_{\sigma(1)}\) and \(S_{\sigma(2)}\) by \(S_{(\mathrm{S}, \mathrm{I})} \text { and } S_{(\mathrm{I}, \mathrm{D})}\) respectively, and node I is the finish node of \(S_{\sigma(1)}\) and the start node of \(S_{\sigma(2)}\).
Note: Given path \(P_{i}^{S D}\) and a segment dictionary \(S^{2 S D}\), there may exist multiple ways to reconstruct \(P_{i}^{S D}\) using subsets \(S^{2 S D}\). In our works, we are interested in the \(S^{2 S D}\) for gaining largest attack surface.
Deduction. 2. The Attack Surface \(A S\left(P_{i}^{S D}, t, S^{2 S D}\right)\) of a routing path \(P_{i}^{S D}\) transferring a flow at interval(0,t) with respect to a segment dictionary \(S^{2 S D}\) is given by:
\(\begin{gathered} A S\left(P_{i}^{S D}, \mathrm{t}, S^{2 S D}\right)=A S_{S_{1}}^{S D}+A S_{S_{2}}^{S D} \\ \text { s.t. } \exists S_{\text {sub }} \subset S^{2 S D}, P_{i}^{S D}=\mathrm{U}\left(S_{\text {sub }}\right), S_{\text {sub }}=\left(S_{1}, S_{2}\right), S_{1}=S_{(\mathrm{S}, \mathrm{I})} \end{gathered} \text { and } S_{2}=S_{(\mathrm{I}, \mathrm{D})}\) (14)
For segment discovery, we would like to select the segments to maximize the attacker surface of the extracted segment, as well as the largest average number of processed flows at network nodes along with the segments.
Given path set PSD and the set of all possible segment SSD, we define segment discovery as an optimal choosing repeatedly process of each path in PSD. For 𝑖𝑖th path in PSD, the discovery process as follows:
\(\begin{gathered} \operatorname{Discovery}\left(P_{i}^{S D}, t, S_{s u b}\right)=\max _{S_{s u b} \subset S^{2 S D}, S_{s u b} \notin S_{o p t}^{2 S D}, P_{i}^{S D}=\mathrm{U}\left(S_{s u b}\right), P_{i}^{S D} \in P^{S U} \mathrm{AS}\left(P_{i}^{S D}, \mathrm{t}, S^{2 S D}\right)} \\ {\text { s.t. } \forall P_{i}^{S D} \in P^{S U}, \exists S_{S u b} \subset S^{2 S D}, P_{i}^{S D}=\mathrm{U}\left(S_{S u b}\right)} \end{gathered}\) (15)
Each segment discovery process will find a Ssub, if the Ssub exists then \(S_{o p t}^{2 S D}=S_{o p t}^{2 S D} \cup S_{s u b}\), else the segment discovery finishes and stops the next search. The segment set \(S_{o p t}^{2 S D}\) is the segment dictionary for the two-segment path replacement. Then, based on Algorithm 1, the selected routing path \(P_{i}^{S D}\) for the next interval is decided.
As shown in Fig. 3, when the controller received a packet of the route mutation service, it delivers the message to the Path Scheduler. The Path Scheduler calls the MDP module to select an optimal policy from the Policy set. The policy can be virtual segment mutation or physic segment mutation according to the reward. Then the Path Scheduler decides the routing path and produces the Flow-Mod Messages which are download into the data plane through the controller. The flow entries contained in the Flow-Mod Messages are installed into the switches among the routing path, then the packets of the flow will be transferred by the path. When the timer of the time interval expired or a threat even arrived, the path scheduler will start a new routing path production and paving process.
Fig. 3. The workflow of the PPT-SPU
In PPT-SPU, the optimal strategy selection algorithm adopted in MDP is value iteration, as Algorithm 1 described. The time complexity of PPT-SPU is mainly in value iteration, which is O(nk), where n is the number of the policy and the k is the convergence steps. Besides, calculate reward and adjust the transition probability also caused time consumption. The storage consumption is mainly caused by intermediate results.
5.2 Virtual segment implementation
To implement virtual path segment, in PPT-SPU, a routing path is selected according to the Algorithm 1, and two segments S1, S2 from\(S_{o p t}^{2 S D}\) are determined \(\left(S_{1}, S_{2} \in S_{S u b}\right)\). To construct virtual segment based on S1, S2, a shield channel should to be chosen carefully. A shield channel is a serial of flow entries that has paved by other flows, which can complete packets transport over one segment.
A flow set F contains some flows, such as \(f_{1}, f_{2}, \ldots, f_{n}\left(F=\left(f_{1}, f_{2}, \ldots, f_{n}\right)\right)\), and a flow contains a serial of packets, then the number of the packets of the flow \(f_{i}\) is |\(f_{i}\)|. We use FS1 and FS2 to represent the flows over S1 and S2 respectively. To better conceal the flow, the selected channels are paved by the flow Fk1 that satisfied \(\left|f_{k 1}\right|=\max _{f_{i} \in F_{S_{1}}}\left|f_{i}\right| \text { s.t. } f_{k 1} \in F s 1\), and the flow fk2 that satisfied \(\left|f_{k 2}\right| \max _{f_{j} \in F_{S 2}}\left|f_{j}\right| \text { s.t. } f_{k 2} \in F_{S 2}\). Then flow fk1 and fk2 are the masking flows for segment S1 and S2 respectively. That is, the flow disguised as fk1 over S1, then disguised as fk2 over S2, and restored at the egress of S2 the flow.
At a path updating, there are only three controller messages that need to be created and downloaded corresponding flow entries into the access node, the intermedia node, and the departure node of the path for the two-segment replacement approach. The intermedia node is the end node of the S1 and the start node of the S2. Base on the installed flow entries, when a packet of flow f arrived, at the access node the identifier of the packet is changed from f to fk1 identifier + extra fields for multiplexing S1 with fk1, then at the intermedia node the identifier of the packet is substituted with fk2 identifier +extra fields for multiplexing S2 with fk2, and at the departure node the identifier of the packet is restored to f, then the packet arrived the destination, the effects of the anonymity of the identifier disguise can enhance security of the flow on the fly.
5.3 Security Measurement
In route mutation application, it assumed that the switches in the networks are vulnerable spots of the network. The adversaries target a special flow for a long time. The betweenness centrality CB is introduced to metric the security of the flow on the fly. Assumed a network consisting of vertexes and valued edges, the betweenness centrality of vertex i is the fraction of geodesic paths between other vertices that i falls on [39]. So, while the flows are independent and identically distributed (iid) among the routers, the high CB of a vertex means exist many shortest paths of pairs across it. Since the classic routing rule of the network is the shortest path first, so CB is an appropriate metric to measure the security of the threat model described in section 3 and the decision model in section 4. A compromised switch (vertex) with high CB will bring substantial confusion to the attacker due to more flows over it.
Given a flow of pair , and a path set PSD of the flow, which can be used to transfer the flow. the security analysis as follows:
Shortest Path First: In this model, path ps is the selected path from the PSD, where \(p_{s}=\min _{P_{B}^{S D} \in P} S D\left(\sum_{(i, j) \in P_{D}^{S D}} \text { weight }(i, j)\right)\). We define \(n_{i}^{S D}=\left|p_{s}\right|, p_{s}=\left(r_{\sigma(1)}, r_{\sigma(2)}, \ldots, r_{\sigma\left(n_{i}^{S D}\right)}\right)\), that is, path ps contains switches \(r_{\sigma(1)}, r_{\sigma(2)}, \ldots, \text { and } r_{\sigma\left(n_{i}^{S D}\right)}\). So, the lowest betweenness centrality of the switch in path ps (denoted by \(C_{B, s}^{L}\)) represents the worse scenario of security, \(C_{B, S}^{L}=\min _{i \in\left(1, n_{S}^{S D}\right)} C_{B, r_{\sigma(i)}}\), and the security of Shortest Path First is \(C_{B, s}^{L}\).
Route Mutation: we assume paths \(P_{H}^{S{D}}\) are used to transmit the flow, where \(P_{H}^{S{D}} \subset P^{S D}, n_{H}^{S D} \leq n^{S D}\). For the paths of \(P_{H}^{S{D}}\) are disjoint,the lowest betweenness centrality of the switch in different paths of \(P_{H}^{S{D}}\) is different. So, the security of route mutation is \(C_{B, H}^{L}=\sum_{p_{i}^{S D} \in P_{H}^{S D}} C_{B, i}^{L}\). For the paths of \(P_{H}^{S{D}}\) existing overlap, and if the overlap is the lowest betweenness centrality of many paths, the security of route mutation needs to guarantee no repeated calculation.
PPT-SPU: It assumed H paths \(P_{H}^{S{D}}\) are used to transfer a flow, where \(P_{H}^{S D} \subset P^{S D}, n_{H}^{S D} \leq n^{S D}\). For the paths of \(P_{H}^{S{D}}\) are disjoint,each path in \(P_{H}^{S{D}}\) is divided into two sub-paths (segment) with different flow identify. Give any path \(p_{i}^{S D} \in P_{H}^{S D}\), each sub-path of \(p_{i}^{S D}\) has the lowest betweenness centrality, and the value is not lower than \(C_{B, i}^{L}\). So, the security of TwoSegment Update is \(C_{B, R}^{L} \geq 2 * C_{B, H}^{L}\). Similar to route mutation, For the paths of \(P_{H}^{S{D}}\) existing overlap, the value needs to guarantee no repeated calculation.
From the analysis, we can see that the more path used to transfer a flow, the more security acquisition, the more segments in path updating, the more security acquisition. However, more paths and more segments mean more overhead which will be illustrated in the next section.
6. Performance evaluation
When a new flow arrived the network, it initials a flow routing process. That is, when a packet of the flow arrived at the access node, a path is selected by the controller according to the route strategy, and corresponding rules are installed into the data plane for transferring the flow. Next, it will change the path if need be, a new path will be selected, and the flow entries of the path will be downloaded into the corresponding switches along the path again.
As for two-segment path update with the frequency H, duration time T, the overhead for a flow of pair contains 3 × T × H + 1 control messages and peak storage requirement for 2 × 3 = 6 flow entries. Because, in two-segment replacement, only source, intermediate, and destination need to acquire the corresponding flow entries for path deployment. The twosegment path update can decrease overhead obviously on the storage requirement in the data plane and control messages which is important for the scalability of route mutation.
In the next section, we presented the results of a demo application that adopts PPT-SPU to enhance the security of a communication pair. This application is implemented based on the OpenFlow three-layer architecture, as shown in Fig. 4.
Fig. 4. The application architecture and the network topology for experiments
6.1 Experiment configuration
To verify the efficiency and effectiveness of PPT-SPU, A simple network was deployed in Mininet [40]. The network consists of 14 forwarding devices (Open vSwitch [41]) and a controller (Ryu [42]), and each switch connected with one host, as shown in Fig. 4. We set the bandwidth of each link in the network with 10Mbps. The packet delivery rate is 1000 per second at terminal S. The betweenness centrality CB of each node is a random variable in range (300,1000). The other flows come from ping each other of the hosts, and we assume that is no traffic congestion in the network during the experiment. We implemented a base scenario, in which, to protect packets of the specified flow on the fly, the application periodically changes the paths at a constant interval. As Fig. 4 shown, the disjoined paths from S to D is three. A common tool nping is used to generate a UDP flows from S to D. The other pairs of the network have a constant flow between each other (we execute the command "pingall" at each host). For comparison, we ran experiments which use the Radom Route Mutation (RRM), Radom Route Mutation with Weight (RRM with Weight) and PPT-SPU respectively. The measurement results are presented in the follow.
6.2 The attacker surfaces
Fig. 5 shows the attack surfaces of the test flow over a simulation time, and the measurement adopts three approaches (RRM, RRM with Weight and PPT-SPU). In the PPT-SPU, the value of the attack surfaces has a high raise range in the start phase, then keep on a constant value. In contrast, for RRM and RRM with Weight, the attack surfaces have a low value, the raise time is brevity, the value fast grades into a constant. The strength of raising rang is determined by the introduced new path from the path set of delivering the flow. Since the segment path replacement of PPT-SPU divides a path into sub-path, the value of the attack surfaces of the two-segment replacement has a high start point and rises fast at the beginning phase. Meanwhile, benefit from a path has more than one division style, so the number of the segment combination is more than the number of the path in the path set, so the raising range of the PPT-SPU is wider than RRM and RRM with Weight. The right of Fig. 5 is a summary of ten tests.
Fig. 5. The attack surfaces
6.3 The cost of control messages
Fig. 6 shows the control messaging overhead of the three approaches. For RRM and RRM with Weight, the value of the messages rises continuously and presents periodic rise. However, with PPT-SPU, the value of the messages grows linearly, and locates below the value of RRM and RRM with Weight. For adopting the RRM and RRM with Weight, a path \(p_{i}^{S D}\) update will bring 2 × \(\left|p_{i}^{S D}\right|\) messages (Flow-Mod and Flow-Removed) to pave the path of pair . In PPT-SPU, virtual segment virtual only needs 2 × 3 messages (Flow-Mod and Flow-Removed) for a path changing. The right of Fig. 6 is a summary of ten tests.
Fig. 6. Control message pay-off
6.4 The overhead on the data plane
Fig. 7 shows the storage requirement in the data plane of the three approaches. For PPT-SPU, the value is lower compared with RRM and RRM with Weight, and the value presents a periodic change. In the RRM and RRM with Weight, the values locate higher than the PPTSPU, which due to virtual segment replacement can decrease flow entries requirement on the data plan obviously. The right of Fig. 7 is a summary of ten tests.
Fig. 7. Overhead on storage
6.5 Limitations
In this subsection, we will stress some limitations of our solutions. 1) Computation and storage constraints on the controller, due to introducing complex and flexible routing paradigm, PPTSPU need more computation processes and storage on the controller. As we have known, the scalability of the central controller in SDN is an inherent problem, our method will put even more pressure on the controller. Although we believed that we can acquire enough resources above a logical center controller. However, as multi-path routing moves to a large-scale application, it is conceivable that computation and storage are needed to be considered carefully. 2) Path two-segment replacement is a typical application that can be used in route mutation. However, there is a common case that no two segments construct a path, in which needs three or more segments using to construct the path. The complex of the hopping also added. 3) PPT-SPU is firstly adopted in a telemedicine system for protecting sensitive information. Through a fog-based framework [43] attain an effective healthcare system. it still needs to verify its wide applicability in practical.
7. Conclusion
The underlay ideal of route mutation is to split a flow into a sequence of sub-flows, and these sub-flows are delivered over different paths according to the splitting sequence. The routing path mutation brings a dynamically changing attack target and enlarges the exploit surface of the attackers. However, the cost also expands to enhance security. The overhead on the control and store resources will decrease the scalability of the routing path mutation. Changing the routing path simply will bring plenty of packets that violate the regulations (e.g., shortest path first), then bring new vulnerability to the network. To cope with these problems, we proposed a PPT-SPU approach to improve the states as follows: 1) Decrease the cost of the control, and the burst caused by concurrent path changing events; 2) need a few storages on the data plane; 3) extend the attack surface; and 4) suitable to the segment routing instinctively. All in all, the proposed approach can improve the scalability of path hopping and enhance security at the same time. However, plenty of extra works are introduced into the controller at the same time, and it will bring some trouble to the logical central controller. So, more ingenious methods are needed to migrate the burden on the controller, and it is our next works also.
References
- German, Paul, "Time to bury dedicated hardware-based security solutions," Network Security, vol.8, pp.13-15, August 2017. https://doi.org/10.1016/S1353-4858(17)30083-1
- Sailik Sengupta, Ankur Chowdhary, et al., "A survey of moving target defenses for network security," IEEE Communications Surveys & Tutorials, vol.22, pp.1909-1942, March 2020. https://doi.org/10.1109/COMST.2020.2982955
- Cho, Jin-Hee, et al., "Toward proactive, adaptive defense: A survey on moving target defense," IEEE Communications Surveys & Tutorials, vol.22, pp.709-745, January 2020. https://doi.org/10.1109/COMST.2019.2963791
- Taguinod, Marthony, et al., "Toward a moving target defense for web applications," in Proc. of 2015 IEEE International Conference on Information Reuse and Integration, pp. 510-517, August 2015.
- Jajodia, Sushil, Anup K. Ghosh, Vipin Swarup, Cliff Wang, and X. Sean Wang, eds. "Moving target defense: creating asymmetric uncertainty for cyber threats," Springer Science & Business Media, Vol. 54, 2011.
- Okhravi, Hamed, William W. Streilein, and Kevin S. Bauer. "Moving Target Techniques: Leveraging Uncertainty for CyberDefense," MIT Lincoln Laboratory Lexington United States, 2015.
- Zhang, Tao, et al., "An intelligent route mutation mechanism against mixed attack based on security awareness," in Proc. of 2019 IEEE Global Communications Conference (GLOBECOM), pp. 1-6, Dec. 2019.
- Zhang, Tao, et al., "DQ-RM: Deep Reinforcement Learning-based Route Mutation Scheme for Multimedia Services," in Proc. of 2020 International Wireless Communications and Mobile Computing (IWCMC), pp. 291-296, June 2020.
- Amin, Rashid, Martin Reisslein, and Nadir Shah, "Hybrid SDN networks: A survey of existing approaches," IEEE Communications Surveys & Tutorials, vol.20, pp. 3259-3306, May 2018. https://doi.org/10.1109/COMST.2018.2837161
- J. Vijila and A.A. Raj, "Ameliorate security by introducing security server in software defined network," Computers, Materials & Continua, vol. 62, no. 3, pp. 1077-1096, January 2020. https://doi.org/10.32604/cmc.2020.08534
- Zhang, Chuanhao, Youjun Bu, and Zheng Zhao, "SDN-based path hopping communication against eavesdropping attack," in Proc. of Optical Communication, Optical Fiber Sensors, and Optical Memories for Big Data Storage, vol.10158, pp. 101580, October 2016.
- Zhang, Z., Deng, R., Yau, D.K., Cheng, P. and Chen, J., "On Hiddenness of Moving Target Defense against False Data Injection Attacks on Power Grid," ACM Transactions on Cyber-Physical Systems, vol. 4, pp. 1-29, March 2020.
- Yang, Yubin, and Liming Cheng, "An SDN-based MTD model," Concurrency and Computation: Practice and Experience, vol.31, pp. e4897, October 2018.
- B. Indira and K. Valarmathi, "A perspective of the machine learning approach for the packet classification in the software defined network," Intelligent Automation & Soft Computing, vol. 26, no.4, pp. 795-805, January 2020. https://doi.org/10.32604/iasc.2020.010114
- H. Geng, J. Yao and Y. Zhang, "Single failure routing protection algorithm in the hybrid sdn network," Computers, Materials & Continua, vol. 64, no. 1, pp. 665-679, January 2020. https://doi.org/10.32604/cmc.2020.09912
- Jargalsaikhan Narantuya, Seunghyun Yoon, Hyuk Lim, Jin-Hee Cho, Dong Seong Kim, Terrence Moore, and Frederica Nelson, "SDN-Based IP Shuffling Moving Target Defense with Multiple SDN Controllers," in Proc. of 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks-Supplemental Volume (DSN-S), pp. 15-16, August 2019.
- Song, Fei, Yu-Tong Zhou, Yu Wang, Tian-Ming Zhao, Ilsun You, and Hong-Ke Zhang, "Smart collaborative distribution for privacy enhancement in moving target defense," Information Sciences, vol.479, pp. 593-606, April 2019. https://doi.org/10.1016/j.ins.2018.06.002
- J. H. Jafarian, E. Al-Shaer, and Q. Duan, "Openflow random host mutation: Transparent moving target defense using software defined networking," in Proc of the First Workshop on Hot Topics in Software Defined Networks, pp. 127-132, August 2012.
- Qi Duan, E. Al-Shaer, and H. Jafarian, "Efficient random route mutation considering flow and network constraints," in Proc. of IEEE Conference on Communications and Network Security (CNS), pp. 260-268, December 2013.
- R. Safavi-Naini, A. Poostindouz, and V. Lisy, "Path hopping: An mtd strategy for quantum-safe communication," in Proc. of ACM Workshop on Moving Target Defense, pp. 111-114, October 2017.
- Marx, Matthias, Monina Schwarz, Maximilian Blochberger, Frederik Wille, and Hannes Federrath, "Context-Aware IPv6 Address Hopping," in Proc. of International Conference on Information and Communications Security, pp. 539-554, February 2020.
- Zhang, Liancheng, Yi Guo, Huiqiang Yuwen, and Yu Wang, "A port hopping based DoS mitigation scheme in SDN network," in Proc. of 12th International Conference on Computational Intelligence and Security (CIS), pp. 314-317, December 2016.
- Zhang, Liancheng, Qiang Wei, Kejun Gu, and Huiqiang Yuwen, "Path hopping based SDN network defense technology," in Proc. of 12th International Conference on Natural Computation, Fuzzy Systems and Knowledge Discovery (ICNC-FSKD), pp. 2058-2063, August 2016.
- Safavi-Naini, Reihaneh, Alireza Poostindouz, and Viliam Lisy, "Path Hopping: An MTD Strategy for Long-Term Quantum-Safe Communication," Security and Communication Networks, vol.2018 May 2018.
- Karim, Z. K. I. K., Anass Sebbar, Youssef Baddi, and Mohammed Boulmalf, "Secure Multipath Mutation SMPM in Moving Target Defense Based on SDN," Procedia Computer Science, vol.151, pp. 977-984, 2019. https://doi.org/10.1016/j.procs.2019.04.137
- Gillani, Fida, et al., "Agile virtualized infrastructure to proactively defend against cyber attacks," in Proc. of 2015 IEEE Conference on Computer Communications (INFOCOM), pp. 729-737, May 2015.
- Jafarian, Jafar Haadi, Ehab Al-Shaer, and Qi Duan, "Formal approach for route agility against persistent attackers," in Proc. of European Symposium on Research in Computer Security, Springer, Berlin, Heidelberg, pp. 237-254, Sep. 2013.
- Liu, Jiang, Hongqi Zhang, and Zhencheng Guo, "A defense mechanism of random routing mutation in SDN," IEICE TRANSACTIONS on Information and Systems, 100(5), pp. 1046-1054. May 2017.
- Duan, Qi, et al., ""Proactive routing mutation against stealthy Distributed Denial of Service attacks: metrics, modeling, and analysis," The Journal of Defense Modeling and Simulation, 15(2), pp. 219-230. Feb. 2018. https://doi.org/10.1177/1548512917731002
- Xu, Changqiao, et al., "Context-aware Adaptive Route Mutation Scheme: A Reinforcement Learning Approach," IEEE Internet of Things Journal, pp.1-1 Mar 2021.
- J. Su, R. Xu, S. Yu, B. Wang, and J. Wang, "Redundant rule detection for software-defined networking," KSII Transactions on Internet and Information Systems, vol. 14, no. 6, pp. 2735-2751, June 2020. https://doi.org/10.3837/tiis.2020.06.022
- Deng, Wu, et al., "Differential evolution algorithm with wavelet basis function and optimal mutation strategy for complex optimization problem," Applied Soft Computing, 100, pp. 106724. Mar. 2021. https://doi.org/10.1016/j.asoc.2020.106724
- Knight, Simon, et al., "The internet topology zoo," IEEE Journal on Selected Areas in Communications, 29(9), pp.1765-1775. Sep. 2011. https://doi.org/10.1109/JSAC.2011.111002
- Darki, Ahmad, Alexander Duff, Zhiyun Qian, Gaurav Naik, Spiros Mancoridis, and Michalis Faloutsos, "Don't trust your router: Detecting compromised router," in Proc. of the IEEE Proceedings of the 12th International Conference on Emerging Networking Experiments and Technologies CoNEXT, vol.16, December 2016.
- Liu, Huiping, Cheqing Jin, Bin Yang, and Aoying Zhou, "Finding top-k shortest paths with diversity," IEEE Transactions on Knowledge and Data Engineering, vol. 30, pp. 488-502, November 2017. https://doi.org/10.1109/tkde.2017.2773492
- Zhang, Rongbo, Jibin Niu, Xin Li, and Shanzhi Chen, "An Anonymous System Based on Random Virtual Proxy Mutation," Tehnicki vjesnik, vol.27, pp. 1115-1125, August 2020.
- OpenFlow Switch Consortium, "OpenFlow Switch Specification Version 1.0.0," 2009.
- OpenFlow Switch Consortium, "OpenFlow Switch Specification Version 1.5.1," 2015
- Kollmer, Jonathan E., and Karen E. Daniels, "Betweenness centrality as predictor for forces in granular packings," Soft matter, vol.15, pp. 1793-1798, December 2018. https://doi.org/10.1039/c8sm01372a
- Keti, Faris, and Shavan Askar, "Emulation of software defined networks using Mininet in different simulation environments," in Proc. of 2015 6th International Conference on Intelligent Systems, Modelling and Simulation, pp. 205-210. October 2015.
- Tu, Cheng-Chun, Joe Stringer, and Justin Pettit, "Building an extensible Open vSwitch data path," ACM SIGOPS Operating Systems Review, vol. 51, pp. 72-77, September 2017. https://doi.org/10.1145/3139645.3139657
- R. C. Meena, M. Bundele and M. Nawal, "RYU SDN Controller Testbed for Performance Testing of Source Address Validation Techniques," in Proc. of 2020 3rd International Conference on Emerging Technologies in Computer Engineering: Machine Learning and Internet of Things (ICETCE), pp. 1-6, February 2020.
- L. Sun, Q. Yu, D. Peng, S. Subramani and X. Wang, "Fogmed: a fog-based framework for disease prognosis based medical sensor data streams," Computers, Materials & Continua, vol. 66, no.1, pp. 603-619, October 2020. https://doi.org/10.32604/cmc.2020.012515