INMTD: Intent-based Moving Target Defense Framework using Software Defined Networks

  • M. F. Hyder Department of Software Engineering, NED University of Engineering & Technology, Pakistan
  • M. A. Ismail Department of Computer and Information Systems Engineering, NED University of Engineering & Technology, Pakistan
Keywords: cyber kill chain, intent-based networking, moving target defense, software defined networks, SDN security

Abstract

Intent-Based Networking (IBN) is an emerging networking paradigm, while Moving Target Defense (MTD) is an active security technique. In this paper, the Intent-based Moving Target Defense (INMTD) framework using Software Defined Networks is proposed. INMTD is the first effort to exploit IBN for the design of an efficient Moving Target Defense (MTD) framework. INMTD uses the concept of shadow servers in order to counter the first stage of cyber-attacks, i.e. reconnaissance attacks targeted against servers running in SDN networks. INMTD comprises an MTD application running on an SDN controller. The MTD application has reconnaissance detection, MTD movement, and MTD monitoring modules. The MTD application is integrated with the intent-based northbound API of the SDN controller. INMTD not only provides protection against probing attacks, but also provides high availability due to the shadow servers. The proposed framework was implemented using Mininet and the ONOS SDN controller. The proposed framework was assessed in terms of defender cost, attacker’s effort, and the complexity introduced into the system. The results substantiate efficient protection against reconnaissance attacks at lower computational cost.
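To make the control loop sketched in the abstract concrete, the following is an added toy model (not the authors' implementation and not the ONOS API) of the three MTD application modules: a reconnaissance detector that flags a source probing many distinct ports on the active server, a movement module that re-points the service at the next shadow server through an in-memory stand-in for the intent-based northbound API, and a monitoring cycle that ties them together. The flow records, addresses, port-count threshold and the `IntentStore` class are all constructed assumptions.

```python
"""Toy model of the INMTD control loop (constructed example, not the paper's code).
Flow records and the intent store are in-memory stand-ins for what an SDN
controller's intent-based northbound API would hold."""
from collections import defaultdict
from dataclasses import dataclass, field

SCAN_PORT_THRESHOLD = 5  # assumed: this many distinct dst ports from one source = probing

@dataclass
class IntentStore:
    """Stand-in for the controller's intent API: service name -> host serving it."""
    intents: dict = field(default_factory=dict)

    def submit(self, service, host):
        self.intents[service] = host  # a real controller would install/replace an intent

    def resolve(self, service):
        return self.intents[service]

def detect_recon(flows, threshold=SCAN_PORT_THRESHOLD):
    """Reconnaissance detection: (src, dst) pairs where src touched >= threshold ports."""
    ports = defaultdict(set)
    for src, dst, dport in flows:
        ports[(src, dst)].add(dport)
    return {pair for pair, seen in ports.items() if len(seen) >= threshold}

def mtd_move(store, service, shadows, current):
    """MTD movement: rotate the service intent to the next shadow server in the pool."""
    nxt = shadows[(shadows.index(current) + 1) % len(shadows)]
    store.submit(service, nxt)
    return nxt

def run_cycle(store, service, shadows, flows):
    """MTD monitoring: one cycle that moves the service only if its active host was probed."""
    active = store.resolve(service)
    alerts = detect_recon(flows)
    moved = None
    if any(dst == active for _, dst in alerts):
        moved = mtd_move(store, service, shadows, active)
    return {"active_before": active, "alerts": sorted(alerts),
            "active_after": store.resolve(service), "moved": moved}

# Constructed sample: 'web' served by 10.0.0.1; a scanner hits six ports, a client hits one.
SHADOWS = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]
SAMPLE_FLOWS = [("10.0.9.9", "10.0.0.1", p) for p in (21, 22, 23, 80, 443, 8080)]
SAMPLE_FLOWS.append(("10.0.5.5", "10.0.0.1", 80))

if __name__ == "__main__":
    print(run_cycle(IntentStore({"web": "10.0.0.1"}), "web", SHADOWS, SAMPLE_FLOWS))
```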


