Towards Enhancing the Endpoint Security using Moving Target Defense (Shuffle-based Approach) in Software Defined Networking
Static IP addresses make the network vulnerable to different attacks, and once the machines are compromised, any sensitive information within the network can be spoofed. Moving Target Defense (MTD) provides an efficient mechanism for proactive security by constantly changing different system attributes. Software Defined Networks (SDNs) provide greater flexibility in designing security solutions due to their centralized management and programming capabilities. In this paper, a mechanism for the protection of endpoint security is developed using IP address host shuffling. In the proposed approach, the real IP address of the host is masked and a virtual IP address is assigned. The virtual IPs are drawn from the pool of unassigned IP addresses. The address pool is created using a pseudo-random number generator to guarantee high randomness. This approach helps in invalidating the intelligence gathered by adversaries: the changes in the network configuration disturb attack execution, eventually leading to attack failure. Transparency is attained by keeping the actual IP intact and mapping a virtual IP to it. The proposed solution is implemented using the RYU Controller and Mininet. The results obtained from the experiments substantiate the effectiveness of the MTD approach for enhancing endpoint security.
Keywords: IP shuffling, endpoint security, moving target defense, software defined networking, virtual IP
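The following Python simulation is an added illustration of the mapping scheme the abstract describes; it is not the paper's RYU/Mininet implementation. It assumes a single IPv4 subnet, a list of real host addresses, and a controller that rewrites the source address of outbound packets (real to virtual) and the destination address of inbound packets (virtual to real). The pool is the set of unassigned addresses in the subnet, each shuffle epoch draws fresh virtual addresses from it, and addresses used in the previous epoch are retired, so a virtual IP recorded by an observer before the shuffle no longer resolves to any host afterwards. The random source defaults to the OS CSPRNG (`secrets.SystemRandom`); the abstract only says "pseudo-random number generator", so that choice is an assumption.

```python
"""Simulation of virtual-IP shuffling for endpoint masking (added example;
not the paper's RYU/Mininet code).  Subnet, host list, and the translation
functions are constructed here for illustration."""
import ipaddress
import secrets


def build_pool(subnet, assigned):
    """All usable addresses of `subnet` that are not assigned to a real host."""
    net = ipaddress.ip_network(subnet)
    taken = {ipaddress.ip_address(a) for a in assigned}
    return [h for h in net.hosts() if h not in taken]


class VirtualIpMapper:
    """Keeps the real<->virtual mapping a controller would install as flow rules."""

    def __init__(self, subnet, real_hosts, rng=None):
        self.real_hosts = [ipaddress.ip_address(h) for h in real_hosts]
        self.pool = build_pool(subnet, real_hosts)
        # Need room to retire every virtual IP of the previous epoch and still
        # assign a distinct fresh one to each host.
        if len(self.pool) < 2 * len(self.real_hosts):
            raise ValueError("pool too small to retire all virtual IPs per shuffle")
        self.rng = rng or secrets.SystemRandom()  # assumption: CSPRNG by default
        self.real_to_virtual = {}
        self.virtual_to_real = {}
        self.epoch = 0
        self.shuffle()

    def shuffle(self):
        """Assign every real host a fresh virtual IP.  Addresses used in the
        previous epoch are excluded, so reconnaissance gathered before this
        call stops resolving once it completes."""
        retired = set(self.virtual_to_real)
        candidates = [v for v in self.pool if v not in retired]
        chosen = self.rng.sample(candidates, len(self.real_hosts))
        self.real_to_virtual = dict(zip(self.real_hosts, chosen))
        self.virtual_to_real = {v: r for r, v in self.real_to_virtual.items()}
        self.epoch += 1

    def translate_outbound(self, src_real):
        """Rewrite applied to a packet leaving a host: real source -> virtual."""
        return self.real_to_virtual[ipaddress.ip_address(src_real)]

    def translate_inbound(self, dst_virtual):
        """Rewrite applied to a packet arriving for a virtual IP: virtual -> real.
        Returns None when no current mapping exists (stale address); the
        controller would drop such a packet instead of forwarding it."""
        return self.virtual_to_real.get(ipaddress.ip_address(dst_virtual))


if __name__ == "__main__":
    # Constructed sample: three real hosts in a /24.
    mapper = VirtualIpMapper("10.0.0.0/24", ["10.0.0.1", "10.0.0.2", "10.0.0.3"])
    for real, virt in mapper.real_to_virtual.items():
        print(f"epoch {mapper.epoch}: {real} is reachable as {virt}")
    stale = mapper.translate_outbound("10.0.0.1")
    mapper.shuffle()
    print(f"after shuffle, {stale} resolves to {mapper.translate_inbound(stale)}")
```

The important property for the defence is visible in `translate_inbound`: after a shuffle, a packet sent to a previously observed virtual address has no mapping and is dropped, while hosts that learned the new mapping through the controller keep communicating without any change to their real addresses.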
Copyright (c) 2021 M. F. Hyder, . Waseemullah, M. U. Farooq, U. Ahmed, W. Raza
This work is licensed under a Creative Commons Attribution 4.0 International License.