INMTD: Intent-based Moving Target Defense Framework using Software Defined Networks

Intent-Based Networking (IBN) is an emerging networking paradigm, while Moving Target Defense (MTD) is an active security technique. In this paper, the Intent-based Moving Target Defense (INMTD) framework using Software Defined Networks is proposed. INMTD is the first effort to exploit IBN for the design of an efficient MTD framework. INMTD uses the concept of shadow servers to counter the first stage of cyber-attacks, i.e. reconnaissance attacks targeted against servers running in SDN networks. INMTD comprises an MTD application running on an SDN controller. The MTD application has reconnaissance detection, MTD movement, and MTD monitoring modules, and is integrated with the intent-based northbound API of the SDN controller. INMTD not only provides protection against probing attacks, but also provides high availability through the shadow servers. The proposed framework was implemented using Mininet and the ONOS SDN controller, and was assessed in terms of defender cost, attacker's effort, and the complexity introduced into the system. The results substantiate efficient protection against reconnaissance attacks at lower computational cost.

Keywords: cyber kill chain; intent-based networking; moving target defense; software defined networks; SDN security

I. INTRODUCTION

Nowadays, cyber security is of critical importance. Moving Target Defense (MTD) is becoming one of the popular techniques for providing active cybersecurity [1]. MTD makes systems dynamic by constantly changing the attack surface, making them hard to predict and attack. MTD levels the cyber security field between defender and attacker by eliminating the attacker's advantages. MTD has changed the concept of cyber defense since its first announcement in 2009 [2]. By constantly changing the attack surface, MTD reduces the attacker's advantage of time: attributes such as ports and IP addresses are changed periodically, so that the attacker cannot gain knowledge of the attribute through which an attack could be launched. The change can be of two types: movement or transformation. MTD can be divided into numerous categories, which can be chosen according to the required difficulty level for attackers [3].

Intent-based networking (IBN) is an emerging networking paradigm [4]. In IBN, users define their applications' network requirements through policy. These policy instructions are referred to as intents. IBN can also be used to fulfil dynamic security requirements. The Open Networking Foundation (ONF) has taken the initial steps towards the standardization of intent-based networking, and provides recommendations for creating intent-based North Bound Interfaces (NBI) [5].

Software Defined Networking (SDN) has recently gained substantial popularity as a networking paradigm. It primarily segregates the Control and Data planes [6]. Its architecture comprises three fundamental layers, namely the Application, Control, and Data planes. Due to its dynamic nature and centralized control, numerous security applications can be implemented through it. SDN-based MTD is an active area of research, while IBN is gaining popularity in the research community. However, to the best of our knowledge, no previous work has used IBN for an MTD solution.
In this paper, the intent framework of the Open Network Operating System (ONOS) SDN controller [7] was used. Various widely used SDN controllers have similar types of intent-based NBIs. The ONOS intent framework receives intent instructions, compiles them into an installable form, and then installs the intent [7]. These installations perform the required operations on the network. An intent can be withdrawn on demand when it is no longer required by an application. In this paper, an MTD solution is proposed using IBN and SDN. The notion is to exploit IBN for creating MTD on top of SDN. The proposed INMTD framework protects against the reconnaissance attack, which is the first stage of any cyber-attack [8]. INMTD detects reconnaissance traffic directed against the web server and redirects it towards the shadow servers using the intent framework of the ONOS controller. Among its advantages, the proposed solution has low computational cost, high availability, and efficient redirection. For the implementation of INMTD, the Mininet emulator and the ONOS Controller [9] were used.

II. RELATED WORK
An SDN-based programming framework termed Open Software Defined Framework (OSDF) was proposed in [10]. Network administrators state their network requirements for each application using the Application Manager Interface (API). Numerous network operations, including setting up standard quality of network services, network configuration, and monitoring, can be managed through OSDF services. It also contains a conflicting-policy resolver. In a multilayer data center environment, IBN is implemented through virtualization abstraction networking [11]. For end-to-end service management, an intent-based reference architecture is proposed in [12]. The architecture is verified on OpenFlow- and IoT-based SDN testbeds, and testing has been done in various domains. In [13], another intent-based architecture is presented which facilitates automatic intent implementation in secure multilayer networks. The approach was also validated through testing on commercial testbeds. In [14], a reactive configuration using the extended Intent-based Network Modeling (NEMO) language has been proposed. The reactive scheme alters the network configuration automatically according to shifts in the external environment; the change represents the administrator's intent. In the described scenario, the routing paths are shifted according to bandwidth utilization. An approach for business networks that implements IBN is proposed in [15].
The MTD architecture developed in [16] using OpenFlow alters IP addresses randomly. This technique is named OpenFlow Random Host Mutation (OFRHM). The process of IP address alteration is hidden from users. The system is developed to use MTD against scanning. A collaborative mutation strategy named Network Moving Target Defense Technique based on Collaborative Mutation (TCM) is proposed in [17]. The combination of end-point mutation and routing mutation is set up, which increases the mutation space and reduces irregularity. A fingerprinting-based mutation collision avoidance mechanism is also used to circumvent mutation collisions. According to the authors, TCM is more competent than OFRHM and other similar techniques. A protective MTD mechanism for cloud networks is developed in [18]. The protection is provided through port hopping. A scoring strategy was used to check which cloud services are at risk; the score was computed with the PageRank algorithm, and MTD decisions were based on the vulnerability information obtained from the score. The impact of this MTD solution is more noticeable in large cloud networks than in small-scale cloud networks. An SDN-based MTD system named CHAOS was proposed in [19]. The system obfuscates only unexpected traffic without disturbing usual traffic. This is done by obfuscating each with a diverse level of security. An SDN-based MTD was proposed in [20] for throttling fingerprinting attacks, which target the collection of operating system information. The proposed model was termed FPH (fingerprinting hopping). FPH utilizes a game-theoretic approach for constructing the optimal MTD strategy. FRVM is an SDN-based MTD framework [21]. The model derives its name from the multiplexing of virtual IP addresses: FRVM multiplexes virtual IPs in a random fashion. In [22], a model was proposed for creating virtual topologies using SDN to protect against reconnaissance attacks.
The proposed framework utilizes statistical information about potentially malicious nodes responsible for generating the probing traffic. In [23], the authors discussed Distributed Denial of Service (DDoS) attacks on SDN networks. Their work also highlighted anomaly detection techniques for SDN. The authors emphasized that the central plane of SDN is a lucrative target for attackers. The challenges with respect to the adoption of the cloud computing environment by telecom operators were addressed in [24]. The work is targeted towards specific country requirements; however, it can be extended to different countries.
III. METHODOLOGY

In this section, the INMTD methodology is discussed in detail.

A. Threat Model
Attackers can be directly or indirectly connected to the SDN network. They can run different network probing attacks against the different servers connected at the data plane. For this paper, the attacker's targets are the running web servers. As the first step of a cyber kill chain, the attacker will attempt a reconnaissance attack. Each unique IP address is considered an attacker. Each attacker can run up to 10 concurrent reconnaissance probes at a time, which ensures a realistic probing frequency.

B. Proposed Model
The proposed framework comprises an MTD application running in the Control plane. This MTD application utilizes the intent-based framework of the ONOS Controller [9] in order to create the MTD effect. Figure 1 represents the overall architecture of INMTD and its core components. The core component of the MTD application is the reconnaissance detection module (RDM). It detects any reconnaissance traffic directed towards the web servers. This module is fundamentally implemented using SNORT [25], which is an open source IDS. The SNORT [25] code was modified in order to detect the reconnaissance traffic targeted towards the web server and then redirect the traffic towards the shadow web servers. The other important module of the MTD application is the decision/movement strategy. As its name suggests, its role is deciding the movement technique and frequency of the proposed MTD. The MTD monitoring module is responsible for monitoring the overall MTD system. The MTD application runs on top of the ONOS Northbound Intent API [9]. This interface comprises three parts: the intent engine, the compilation module, and the intent installation part. The MTD application forwards its decision to the intent engine, which performs the intent compilation through the intent compilation module. The compiled intents are finally installed in the required switch using the intent installation module. The installed intents create flows in the switches. The fundamental advantage of INMTD is its effectiveness against probing traffic. The detection of probing traffic is difficult, and there are chances of false positives and false negatives. Our approach redirects the traffic to the shadow web servers, which are replicas of the original web servers. Therefore, even if the RDM detects a legitimate user as an attacker, the user still receives the web content. Algorithm 1 represents the probing traffic detection and redirection through intent modification.
This algorithm detects reconnaissance traffic by matching the source and destination IP and port addresses and the reconnaissance frequency. Once probing traffic is detected, it is redirected towards a shadow web server by modifying the destination address to that of one of the shadow servers. The shadow servers are selected in round-robin fashion. The selected shadow server then responds to the attacker's probing traffic. While responding to the probing traffic, the source IP address of the shadow web server is rewritten using the intent parameter "setIpSrc" to match the IP address of the original web server. The attacker therefore believes that it is connected to the original web server, while it is actually connected to the shadow server. This way a moving target defense effect is created. The overall flow of INMTD is presented in Figure 2. The MTD and intent-based applications run in the control plane. The RDM of INMTD constantly monitors the Data plane for any reconnaissance traffic directed towards the web servers. There are two types of users, benign users and attackers. Benign users' traffic follows the normal SDN forwarding mechanism. The traffic from attackers is detected and directed towards the shadow web servers by the MTD application using the intent-based application. An example of the intents that are installed to direct traffic against the web server to the shadow server and to make the response appear to come from the original web server is this:
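The following is an added example, not the paper's own listing or code, showing how the detection and redirection of Algorithm 1 can be modelled end to end: a reconnaissance detection module that flags a source address once it has probed a threshold of distinct ports on the protected web server inside a time window, a round-robin choice of shadow replica, and the pair of ONOS point-to-point intents that rewrite the destination IP towards the shadow and rewrite the shadow's source IP back to the web server's address (the "setIpSrc" step in the text). All IP addresses, the switch id and port numbers, the application id, the thresholds and the ONOS REST endpoint and credentials are assumed values; the JSON field names follow the ONOS REST intent format and should be checked against the ONOS release in use.

```python
# Added example (not the paper's code): offline-runnable model of INMTD's
# Algorithm 1. Detects port-sweep style reconnaissance per source address,
# assigns a shadow replica round-robin, and builds the ONOS intents needed for
# the redirect. Addresses, device/port ids, app id and REST details are assumed.
import base64
import json
import urllib.request
from collections import defaultdict, deque

WEB_SERVER = "10.0.0.1"                                   # protected web server (constructed)
SHADOW_SERVERS = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]  # k = 3 replicas (constructed)
PROBE_THRESHOLD = 10   # distinct ports touched within WINDOW before a source is moved
WINDOW = 5.0           # seconds
APP_ID = "org.example.inmtd"                               # assumed ONOS application id

# Switch attachment points as ONOS ConnectPoints (constructed single-switch topology).
ATTACKER_SIDE = {"device": "of:0000000000000001", "port": "1"}
SHADOW_PORT = {
    "10.0.0.11": {"device": "of:0000000000000001", "port": "2"},
    "10.0.0.12": {"device": "of:0000000000000001", "port": "3"},
    "10.0.0.13": {"device": "of:0000000000000001", "port": "4"},
}


def _intent(ingress, egress, criteria, instructions):
    """Skeleton of an ONOS PointToPointIntent in the REST API's JSON layout."""
    return {
        "type": "PointToPointIntent",
        "appId": APP_ID,
        "priority": 200,  # above default forwarding so the redirect wins
        "ingressPoint": ingress,
        "egressPoint": egress,
        "selector": {"criteria": criteria},
        "treatment": {"instructions": instructions},
    }


def forward_intent(attacker_ip, shadow_ip):
    """attacker -> web server traffic is delivered to the shadow instead."""
    return _intent(
        ATTACKER_SIDE, SHADOW_PORT[shadow_ip],
        [{"type": "ETH_TYPE", "ethType": "0x800"},
         {"type": "IPV4_SRC", "ip": f"{attacker_ip}/32"},
         {"type": "IPV4_DST", "ip": f"{WEB_SERVER}/32"}],
        # A real deployment usually also needs an L2MODIFICATION of ETH_DST so the
        # shadow's NIC accepts the frame; the paper describes the IP rewrite only.
        [{"type": "L3MODIFICATION", "subtype": "IPV4_DST", "ip": shadow_ip}],
    )


def reverse_intent(attacker_ip, shadow_ip):
    """shadow -> attacker replies carry the web server's address (setIpSrc)."""
    return _intent(
        SHADOW_PORT[shadow_ip], ATTACKER_SIDE,
        [{"type": "ETH_TYPE", "ethType": "0x800"},
         {"type": "IPV4_SRC", "ip": f"{shadow_ip}/32"},
         {"type": "IPV4_DST", "ip": f"{attacker_ip}/32"}],
        [{"type": "L3MODIFICATION", "subtype": "IPV4_SRC", "ip": WEB_SERVER}],
    )


class ReconDetector:
    """Reconnaissance detection module (RDM) plus round-robin movement decision."""

    def __init__(self, threshold=PROBE_THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self.probes = defaultdict(deque)  # src ip -> deque of (time, dst port)
        self.redirected = {}              # src ip -> shadow ip already assigned
        self._rr = 0                      # round-robin cursor over SHADOW_SERVERS

    def _next_shadow(self):
        shadow = SHADOW_SERVERS[self._rr % len(SHADOW_SERVERS)]
        self._rr += 1
        return shadow

    def observe(self, src_ip, dst_ip, dst_port, now):
        """Feed one new flow. Returns (forward, reverse) intents the first time
        src_ip crosses the threshold, otherwise None."""
        if dst_ip != WEB_SERVER or src_ip in self.redirected:
            return None
        q = self.probes[src_ip]
        q.append((now, dst_port))
        while q and now - q[0][0] > self.window:   # forget probes outside the window
            q.popleft()
        if len({port for _, port in q}) < self.threshold:
            return None                            # a client reusing 80/443 never trips this
        shadow = self._next_shadow()
        self.redirected[src_ip] = shadow
        return forward_intent(src_ip, shadow), reverse_intent(src_ip, shadow)


def post_intent(intent, base_url="http://127.0.0.1:8181/onos/v1/intents",
                auth=("onos", "rocks")):
    """Submit one intent to the ONOS REST API (assumed default URL/credentials).
    ONOS compiles and installs it; HTTP 201 means it was accepted."""
    token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    req = urllib.request.Request(
        base_url, data=json.dumps(intent).encode(), method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


if __name__ == "__main__":
    rdm = ReconDetector()
    decision = None
    # Constructed trace: 10.0.0.5 sweeps ports 80..89 of the web server within a second.
    for i in range(10):
        decision = rdm.observe("10.0.0.5", WEB_SERVER, 80 + i, now=0.1 * i)
    print(json.dumps(list(decision), indent=1))   # the pair that would go to post_intent()
```

Because every shadow serves the same content, a false positive of the detector only moves a legitimate client to a replica, which is the property the text relies on; the detector is therefore tuned for recall rather than precision. Counting distinct destination ports per source, rather than raw packets, keeps a browser that repeatedly hits port 80 from being moved.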

C. Experimental Setup
For the deployment of the experimental setup, a Dell server with an Intel Xeon CPU E5-2620 at 2.1 GHz with 32 cores and 32 GB RAM was used. Mininet [26] and the ONOS Controller [9] were used for the creation of the SDN topology. Snort [25] was deployed in IDS (Intrusion Detection System) mode. Nmap [27] was used for generating reconnaissance traffic. For the experimental analysis, the ONOS reactive forwarding application [9] was disabled, because only intent-based forwarding was required. Next, intents were inserted based upon the probing traffic. Figure 3 represents the simulation setup for our proposed INMTD framework. For the Data plane security analysis, the case of one web server was considered. For one web server, there are k running shadow web servers; for the experimental analysis, we consider k=3. Different numbers of scans were performed in order to evaluate the performance of INMTD, ranging from 100 to 3200. Each attacker can generate up to 10 scans, and each distinct IP address belongs to an attacker. This number of scans is realistic because increasing the number of scans beyond this limit would cause the IDS or the firewall system to permanently block the attacker's IP address. Table I presents the overall results of the experiments.
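As an added example that is not the paper's own setup script, the topology of this section (one web server, k = 3 shadow replicas, an attacker host and one OpenFlow switch driven by a remote ONOS controller) can be expressed with the Mininet Python API. `topology_spec()` is a pure-Python description that can be inspected without Mininet; `build_net()` and `start_replicas()` need Mininet, root privileges and a running ONOS. Host names, IP addresses, the document root and the controller endpoint are assumed values.

```python
# Added example (not the paper's scripts): Mininet description of the Section
# III.C testbed. Host names, addresses, docroot and controller endpoint are assumed.


def topology_spec(k=3, subnet="10.0.0"):
    """One web server, k shadow replicas and one attacker on a single switch."""
    hosts = {"web": f"{subnet}.1/24", "attacker": f"{subnet}.100/24"}
    for i in range(1, k + 1):
        hosts[f"shadow{i}"] = f"{subnet}.{10 + i}/24"   # 10.0.0.11, 10.0.0.12, ...
    links = [(name, "s1") for name in hosts]             # every host hangs off s1
    return {"switch": "s1", "hosts": hosts, "links": links}


def replica_hosts(spec):
    """Hosts that must serve identical content: the web server and every shadow."""
    return [n for n in spec["hosts"] if n == "web" or n.startswith("shadow")]


def build_net(spec, controller_ip="127.0.0.1", controller_port=6653):
    """Instantiate the spec in Mininet, attached to a remote ONOS controller."""
    from mininet.net import Mininet
    from mininet.node import OVSSwitch, RemoteController

    net = Mininet(controller=None, switch=OVSSwitch)
    net.addController("c0", controller=RemoteController,
                      ip=controller_ip, port=controller_port)
    switch = net.addSwitch(spec["switch"], protocols="OpenFlow13")
    for name, ip in spec["hosts"].items():
        net.addLink(net.addHost(name, ip=ip), switch)
    return net


def start_replicas(net, spec, port=80, docroot="/srv/www"):
    """Serve the same document root on the web server and on every shadow, so a
    redirected (or misclassified) client still receives the real content."""
    for name in replica_hosts(spec):
        net.get(name).cmd(f"python3 -m http.server {port} --directory {docroot} &")


if __name__ == "__main__":
    # Before starting, deactivate ONOS reactive forwarding so that only intents
    # forward traffic, as the paper does (ONOS CLI: app deactivate org.onosproject.fwd).
    from mininet.cli import CLI

    spec = topology_spec(k=3)
    net = build_net(spec)
    net.start()
    start_replicas(net, spec)
    CLI(net)   # run Nmap from the attacker host here to produce the probing traffic
    net.stop()
```

With reactive forwarding off, the switch holds no flows for the attacker until the MTD application installs its intents, which is what makes the flow counts in the defender-cost measurement attributable to the intents alone.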

A. Attacker Cost
The fundamental goal of MTD is to increase the attacker's effort. The attacker's cost primarily comprises the number of scans performed while accurately detecting the platform of the web server, port addresses, etc. Table II presents The attacker's scanning attack success is around 97% to 98% against native SDN using the Nmap tool [27]. For the current analysis, 100 to 3200 scans were performed against a native SDN environment without any protection available. The attacker's success rate ranges from 97% to 98%. However, the attacker's success reduced substantially when adopting the proposed INMTD. For 100 scans, the attacker success rate was 22.6%, and it further reduced to 21% for 200 scans. In a similar fashion, the attacker's success reduced as the number of scans increased, becoming 14% for 3200 scans. This is a substantial decrease in the attacker's scanning success rate.

B. Defender Cost
Defender's cost primarily comprises of the intent installation, IDS detection, and shadow web servers. Generally IDS is a part of any enterprise network. Moreover, generally a web application runs on multiple web servers. Therefore, the main cost is related to the intent compilation and installation. For this purpose we have calculated the number of flows injected for attacker's probing traffic with and without intents as presented in Table III. As mentioned above, each attacker can run 10 concurrent probs. Therefore, for each new IP address there will be a flow injected in the switches. It is clear from Table III that there is a slight increase in the number of flows, approximately 20% on average due to the addition of intents. Figure 5 presents the graph of the number of flows inserted in the switch for probing traffic with and without intents. As evident form the Table, for   To the best of our knowledge, no previous work has used IBN for the design of SDN based MTD solutions. Another critical advantage of INMTD is the distributed Control plane for higher availability. Figure 7 represents the comparative analysis of the proposed INMTD with three other well-known SDN based MTD solutions, namely OF-RHM [16], TCM [17], and FRVM [21]. For the purpose of comparative analysis, the proposed INMTD model and the other models were analyzed on the basis of successful redirection for the reconnaissance traffic and computation cost. The computational cost is determined in terms of number of flows injected in the SDN devices after the adaptation of the protection mechanism. The number of scans ranges from 100 to 3200. For theses scans, computational cost and successful redirections were calculated for the proposed INMTD, and the existing solutions. As indicated in Figure 7, INMTD achieves successful defense rate up to 86.5% with a computational cost of around 23%, while OF-RHM [16] achieved a success rate of 74.4% with 28.7% increase in computational cost. 
TCM [17] provided a success rate of 79.5% with 27.4% increase in computational cost. FRVM [21] had 83.2% success rate with 24.5% increase of the cost. INMTD has the highest success rate in comparison to the other three models. Moreover, INMTD computational cost is lower than OF-RHM [16] and TCM [17]. Its computational cost is almost similar to that of FRVM [21]. Comparative analysis of INMTD with other SDN based MTD V. CONCLUSION AND FUTURE WORK In this paper, intent based MTD using SDN has been proposed. This is the first attempt in utilizing IBN for creating the MTD framework. The proposed INMTD model provides an efficient MTD effect at lower computational cost. INMTD successfully defended up to 86% of scanning attacks while redirecting them to shadow servers. The successful defense rate of the proposed INMTD is higher than the existing state-of-theart SDN-based MTDs. The main computational cost is a slight increase in the number of flows while introducing the intents. This work confirms that intents are an effective mechanism for creating SDN based MTD. Regarding future work, there is a need to further investigate IBN for designing MTD with especial emphasis on enhancing Quality of Service (QoS). The current work is protecting the Data plane of SDN. In the future we plan to extend the same protocol to protect the Control plane.