http://dx.doi.org/10.3837/tiis.2021.08.006

Polymorphic Path Transferring for Secure Flow Delivery

Zhang, Rongbo (State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications)
Li, Xin (State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications)
Zhan, Yan (AVI-SPL)
Publication Information
KSII Transactions on Internet and Information Systems (TIIS) / v.15, no.8, 2021, pp. 2805-2826
Abstract
In most cases, the routing policy of a network shows a preference for a static one-to-one mapping of communication pairs to routing paths, which gives adversaries a great advantage: they can conduct thorough reconnaissance and organize an effective attack in a stress-free manner. With the evolution of network intelligence, some flexible and adaptive routing policies have already been proposed to strengthen the network defender and turn the situation around. Routing mutation is an effective strategy that invalidates the routing information attackers have collected by exploiting the static configuration of the network. However, three constraints impede the practical deployment of routing mutation: insufficient route mutation space, expensive control costs, and incompatibility. To enhance the availability of route mutation, we propose an OpenFlow-based route mutation technique called Polymorphic Path Transferring (PPT), which adopts a mixed construction of physical and virtual path segments to enlarge the routing path space and thereby elevate the security of communication. Based on a Markov Decision Process and taking the distribution of flows in the network into account, PPT adopts an evolutionary routing-path scheduling algorithm with a segment path update strategy, which relieves the pressure of control overhead and incompatibility. Our analysis demonstrates that PPT can secure data delivery in the worst network environment while countering sophisticated attacks (e.g., advanced persistent threats) in an evasion-free manner. A case study and experimental results show its effectiveness in proactively defending against targeted attacks and its advantage over previous route mutation methods.
Keywords
Moving target defense; route mutation; software defined networking; segment routing