Introduction

Over the last decades, organizations' dependence on cloud resources has increased significantly [1]. Businesses have been transformed enormously by leading cloud vendors such as Amazon, Microsoft, and Google [2]. During the Coronavirus pandemic, the usage of cloud resources escalated as enterprises shifted to a work-from-home environment to meet computing needs worldwide. Cloud resources ensure seamless work-from-home facilities and maintain connectivity with critical resources beyond the corporate boundary [3]. However, the fast-paced adoption of cloud resources increases network traffic and security issues related to hacking and spoofing. When these cloud resources are accessed from heterogeneous platforms over untrusted home networks, severe security breaches can follow. These problems cannot be averted with existing methods in the present dynamic situation, where individual network traffic comes from the untrusted zone beyond the corporate structure [1]. Exploiting this, attackers and hacktivists compromise critical cloud infrastructures by launching several attacks that spoof the host. Therefore, conventional network infrastructures should be modified to meet emerging needs and to protect against spoofing attacks. In this regard, organizations aim to confirm the safety and reliability of cloud resources as well as of the hosts residing and working remotely over untrusted networks [4].

In a wireless environment, remote workstations are connected to the enterprise's cloud resources through a personal Wi-Fi hotspot or a mobile network. Local network service providers do not apply any special security measures to prevent network spoofing attacks such as address resolution protocol (ARP) spoofing [2], Internet protocol (IP) spoofing [3], and media access control (MAC) spoofing [3]. Intruders probe through the Internet service providers (ISP) to gain access to the legitimate user. ARP spoofing and IP spoofing are considered significant distributed denial of service (DDoS) attacks in the cloud environment when workforces connect from home networks [4]. When an intruder sniffs the network for a valid MAC address and pretends to be the legitimate user of that MAC address, it is termed a MAC spoofing attack [5]. Most Internet service providers (ISP) bind their network services to the MAC address embedded in the network interface card (NIC). ISPs do not grant access to the Internet if the MAC address has been altered in any way. However, a legitimate MAC address can easily be spoofed and can be the bedrock of the several attacks mentioned earlier. A large body of literature exists on detecting MAC spoofing attacks in wireless networks. Analyzing the sequence numbers of transmission control protocol (TCP) packets, using a hop count filter, or checking the received signal strength indicator (RSSI) can detect network spoofing attacks in a wireless network [6]. However, these techniques cannot take charge if the spoofing has already happened to the host and the malicious host has been authenticated as a legitimate one. It is very tricky to detect an attack that is already done in the enterprise's network. When the number of hosts using cloud resources from several remote zones increases, the chances of spoofing accelerate along with the number of traffic packets. Spoofing associated with the vast amount of heterogeneous traffic coming from untrusted areas to the enterprise's network can be prevented, which increases security [1].

The conventional security concepts used to protect cloud resources have changed radically with the growing number of cybersecurity threats. Interactions with corporate cloud resources and services often bypass the on-premises perimeter-based security models that rely on conventional network firewalls and virtual private networks (VPN) [7]. The new paradigm has eliminated these traditional security barriers, in which a visible perimeter enclosed the corporate on-premises resources. Now, resources are scattered in a distributed manner across the current cloud environment, which does not rely on physical network configuration. Changing the firewall rule at every step would not be a feasible enterprise strategy for granting access in a remote working environment. To ensure protection of application endpoints across heterogeneous circumstances, enterprises prefer to shift to next-generation zero-trust approaches [8].

The zero trust concept is intended to create a new access control policy that embraces the modern environment and protects individual devices and users beyond the perimeter, without depending on network-supported micro-segmentation. The fundamental concept of zero trust is "never trust, always verify" [9]. It verifies each incoming network request coming from untrusted zones. It redefines the concept of access control security policies beyond the conventional security boundaries, independent of the VPN structure [7]. In the present cloud environment, a security policy built on the zero trust framework would grant access to significant network traffic for the use of distributed cloud resources [10].

The concept of trusting the network gears up by incorporating the software-defined network (SDN) paradigm into the network model [11]. Most enterprises have now moved to the SDN framework, where the data plane and control plane are separated with fine-grained segmentation, which makes the concept more flexible. SDN-based zero trust access control policy reduces the burden of network-based firewall policy [8]. Defining the set of access control policies at the enterprise level thwarts attacks on the SDN cloud parameters [12]. The access control policies provide rule-based validation in which unauthorized TCP/IP traffic must be rejected before it can access the SDN framework of cloud resources. These policies also help to block known and unknown attacks.

In the present situation, architectural access control policies must be redesigned to support the work-from-home concept for accessing cloud resources seamlessly without human intervention. When cloud resources are used by a limited group of people with no security knowledge, rule-based access control policies can protect the enterprise's cloud resources from being exposed. This paper proposes a progressive access control policy based on zero trust. The significant contributions of the paper are as follows:

  • A zero-trust-based access control policy is proposed to prevent MAC spoofing by ensuring the security of hosts and cloud services. This approach eliminates the threat before spoofing occurs.

  • The approach operates at Open Systems Interconnection (OSI) layer 3 and layer 4, where each TCP packet from an incoming untrusted IP address is captured and its IP address, port number, and corresponding MAC address are retrieved.

  • The proposed multiplicative increase and additive decrease algorithm uses IP traceback and port scanning techniques for validation of the TCP packet, which reduces the computational overhead.

  • The dynamic threshold stamping used by our approach rectifies a legitimate user's traffic before classifying it as an attacker, which reduces the false-positive rate significantly.

The rest of the paper is organized as follows. The next section discusses the "Background and Related Work". "Proposed Approach" presents the architecture of the proposed framework with a proof of concept. Experimental analysis and results are reported in "Results and Analysis". Finally, the last section concludes the paper.

Background and Related Work

Significant research proposals for building a defensive approach in wireless networks are discussed in the following subsections. The subsections summarize the major contributions of these rigorous research proposals.

DDoS and MAC Spoofing Strategies Based on Cloud Resources

The researchers in [13] used hop count filtering and sequence number encoding methodologies to protect cloud resources against denial of service (DoS) and distributed denial of service (DDoS) attacks. This approach effectively filters out malicious data packets by analyzing transmission control protocol (TCP) traffic and uses SYN cookies to prevent the attack. A message authentication code (MAC) generator is used there to authenticate the legitimate host. Another significant work is proposed in [14], where a theoretical framework based on a threshold value (ThreV) detects MAC spoofing DDoS attacks in a wireless local area network (WLAN) infrastructure. This methodology proves effective in protecting resources from DDoS attacks occurring in a WLAN. Cloud resources may be unreliable due to several wireless mesh network (WMN) threats. A novel framework is proposed in [15] to mitigate these WMN drawbacks for cloud resources. Similarly, an IoT-based method is proposed in [16] to ensure privacy and security for heterogeneous platforms in the work-from-home cloud. This method can be paired with any security measurement protocol to prevent cybersecurity attacks in the cloud, edge, and IoT layers.

Detection of Network Spoofing Using Zero Trust

The concept of the zero-trust mechanism has made a substantial leap in restructuring policies and ensuring security against cybersecurity attacks during the COVID-19 pandemic. In this regard, a significant security awareness framework has been proposed in [17] to secure a 5G smart healthcare system, which hosts critical medical data, by leveraging zero-trust architecture. Four-dimensional security policies have been proposed for the first time by considering the dimensions named subject, object, environment, and behavior. This methodology supports fine-grained access control, situational awareness, real-time network security, access behavior analysis, and identity authentication for building trust in the proposed system. In a similar vein to the zero-trust approach, an access control policy is proposed by the researchers in [8]. A steganographic overlay is embedded as an authentication token in the first packet of the respective TCP session. This defensive mechanism is considered one of the significant approaches to preventing cybersecurity attacks in the cloud environment. In [18], a risk-based access control framework has been proposed based on a zero-trust network. This security framework supports firewall provisioning smoothly. A well-defined policy language makes this approach more effective.

Threshold-Based Detection Methods

To preserve confidentiality and integrity against an intruder in an untrusted network, a static threshold-based technique has been proposed in [19]. The threshold is chosen by collecting a minimum set of features for detecting fast attacks from the perspective of the host. Observation and experimental analysis are used to set the value of the threshold. Another threshold-based MAC spoofing detection method for the wireless medium is discussed in [20]. The conventional sequence number of TCP packets is used there to detect MAC spoofing. An artificial neural network (ANN)-based detection method addresses the limitation of a high rate of false alerts caused by data packet loss. This method helps to detect and distinguish network behavior from noisy and incomplete data sources.

IP Spoofing Detection with Regards to Wireless Network

Significant research works have been proposed so far to detect spoofing in wireless networks. Some of the essential techniques follow existing approaches, namely the signature-based approach, the received signal strength (RSS)-based approach, sequence number-based approaches, packet frame analysis, hop count filtering, ARP mismatch detection, checking physical characteristics, and many more. Some of these approaches are discussed below.

An improved version of a rule-based intrusion detection system is proposed in [21], where network classification is done by analyzing malicious and benign traffic. The predictive performance gives significant accuracy without depending on network behavior. It is helpful for encrypted traffic. The method is also efficient for malware that uses original hosts such as C&C or a proxy toward C&C, without checking its payload. Similarly, in [22], a system is proposed to learn the behavior of malicious network activities to help in the detection and prevention of several types of attack such as ARP cache poisoning, DDoS, probing attacks, botnets, malformed packets, etc. The malware classification is done by extracting features and classifying abnormal traffic. Hatcher et al. [23] proposed a cloud/edge streaming analysis-based threat detection model, where the model collects real-time big-data traffic in an enterprise network within a similar cybersecurity context. Discrimination between normal and abnormal traffic is evaluated by clustering algorithms. This model has proven high accuracy and fast performance in a cloud testbed with a significant volume of streaming data. Similarly, El-Alfy and Al-Obeidat [24] proposed a novel security mechanism that collects historical data to build the attack model with influential parameters. The multi-criterion fuzzy classification-based predictive model helps to classify unknown network traffic. Eidle et al. [25] proposed a cyber-defense model based on dynamic orchestration of authenticated gateway trust levels. This model has efficiently detected and blocked DDoS attacks for the cloud data center network. Researchers in [26] contributed a neural network-based model built on a long short-term memory (LSTM) network, which checks the aspects of observable network traffic. On the same note, to overcome the shortfall of the signature-based malware detection model, [27] presents a method to detect security threats based on the statistical characteristics of HTTP requests. Similarly, researchers in [28] presented malware detection methods that analyze TCP/IP packets over HTTPS traffic. Wang et al. [29] proposed a seed expanding (SE) method to detect the attack before it penetrates the host.

An intrusion prevention approach against cybersecurity attacks combines the first-packet authentication approach with transport layer access control policy methods in higher education cloud computing environments [30]. The researchers in [31] proposed a method for network administration using clustering techniques. K-means, PAM, and CLARA are the significant techniques considered there for building the threat profile. Another significant approach for mitigating IP spoofing-based DoS/DDoS attacks is proposed in [32]. Using the methodology of IP traceback, Patel et al. [32] proposed a lightweight packet marking (LPM) scheme. This approach reduces the false-positive rate and the number of packets needed from the spoofed host, as well as the upstream network traffic map requirement, compared to the traditional probabilistic packet marking (PPM) approach. Multiple hash functions are used there to reduce the false-positive rate to 0. It supports incremental deployment in the presence of legacy routers.

A technique based on RSS (received signal strength) and medoid-based clustering is proposed in [33] to detect multiple spoofing attacks in a wireless network environment. The dynamic MAC address allocation concept is proposed there to prevent multiple spoofing attacks on the host. In a similar context, the authors of [3, 6, 34,35,36] proposed significant spoofing detection methodologies applicable to IEEE 802.11 networks.

Significance of Cloud in the COVID-19 Outbreak

In light of the coronavirus pandemic, telecommuting has become a necessity for enterprises worldwide. Shifting to work-from-home has been instituted by employees across the globe [1]. The cloud computing environment (CCE) is the primary choice for employees for accomplishing their tasks in the work-from-home culture. CCE comprises a pool of numerous resources that can be seamlessly configured and offers uniqueness and easy access to the resources hosted in it. In this crisis, the adoption of CCE meets a high demand for services with reduced cost and setup complexity. The attractive and functional features of CCE provide many benefits to users without investment in network or hardware infrastructure. It provides a quick deployment environment, personalized features with high flexibility and scalability, and supports rapid data growth with high availability. However, the rapid growth of CCE usage increases security and privacy risk. Previously, cloud infrastructures hosted within the corporate perimeter were controlled by specific access control policies. However, in the present situation, CCE has moved beyond its traditional periphery, and the resources are accessed by many employees having limited or no knowledge of security parameters. There is a big security concern when data transmission happens between untrusted devices globally and CCE. This massive amount of untrusted traffic creates room for several cybersecurity attacks, including MAC spoofing attacks, as discussed in "DDoS and MAC Spoofing Strategies Based on Cloud Resources", "Detection of Network Spoofing Using Zero Trust", and "IP Spoofing Detection with Regards to Wireless Network". For a long time, a virtual private network (VPN) has been relied on for secure transmission with network perimeter security. VPN has been used as the ready-to-go solution for an extended period, working through SSL tunnels or IPsec. According to Gartner, the concept of VPN has been phased out by 60% of companies [37], and its compatibility with current infrastructure has been mismatched for several reasons listed in [7].

As many VPNs have been found to be fake or malicious, enterprises should limit the use of VPN in the present scenario. To ensure data protection for work-from-home in this crisis, CCE follows cloud access security broker (CASB) policies for ultimate data security. CASB is a unified platform that helps minimize data breaches by ensuring data protection in a completely controlled environment [7]. It also increases cloud visibility. Organizations can get a clear insight into the attack surface and the affected applications with the help of CASB policies.

In the present context, our approach proposes a well-defined solution that addresses the extreme need to restructure the existing access control policies. When enterprises have already started to decrease their budgets for the upcoming fiscal year 2021, this approach proves its trustworthiness by requiring significantly less computational overhead. Hence, the novelty of this approach can be used to secure hosts and cloud resources and to detect any spoofing at a very early stage without falsely flagging the legitimate host.

Proposed Approach

The proposed approach is based on the wireless network (IEEE 802.11), independent of physical characteristics and location. The use of the threshold stamping technique gives the chance to rectify a legitimate user's traffic before classifying it as an attacker, thereby reducing the false-positive rate (FPR). The self-learning process of the algorithm allows it to learn the characteristics of the deployed network on its own. This process helps to anticipate the network and predict the host's characteristics for easy classification of spoofed traffic. The existence of spoofing could exponentially raise the threshold. However, if a consecutive increment of the threshold is anticipated, the entry would be marked as a wrong entry or spoofed IP address and that packet would be discarded. This approach decreases the threshold linearly by predicting the balanced network [38]. This process could prevent unwanted cybersecurity threats from exploiting the cloud resources. It is considered an effective process to detect any attack in the presence of a stable network.

Fig. 1 Block diagram of the proposed architecture

The proposed access control policy is based on the transport access control (TAC) layer to extract and analyze the TCP packets of incoming traffic. To build a TCP connection with the cloud server/resources, hypertext transfer protocol (HTTP) is used as the application layer protocol [39]. Individual untrusted IP addresses are verified explicitly by the zero-trust network at the time of establishing a session with the cloud resources. The existing identity access management (IDM), such as Amazon Web Services (AWS) or Microsoft Web Directory cloud services, takes control of the authentication of IP addresses. Explicit trust is established with the IP addresses coming from each host, and IDM allows the TCP sessions to be created for accessing the cloud resources further [32]. Validated hosts send ARP requests with their corresponding IP addresses. The network parameters corresponding to the IP addresses are stored in the ARP table after the ARP responses are received. Retrieval of the MAC address is also carried out by the ARP protocol. Only the TCP header is inspected for the port number and destination IP address, instead of the entire TCP packet, which reduces the overhead of checking each TCP packet's content. Hence, it preserves high bandwidth with low network latency. Authenticated IP addresses should pass through a virtual security gateway where our access control policy is implemented. Figure 1 illustrates the architecture of the proposed approach. The access control policy then takes responsibility for granting access to the specified IP traffic. Spoofed IP addresses are automatically discarded by the policy, and an alert message is generated.

Structure of the Proposed Access Control Policy

The proposed access control policy inspects the network traffic by analyzing the port number against assigned threshold values [2]. The threshold depends on significant global factors, which are discussed in the next section. Figure 2 describes the flow of the proposed access control policy.

Fig. 2 Flow diagram of the proposed zero-trust-based access control policy

Based on algorithm 1, if the incoming port number is less than the threshold value, the algorithm should perform the following procedures:

  • If two different IP addresses arrive with different port numbers, the threshold is increased by a factor of two, and the ARP table is updated with the new incoming IP address.

  • If an exact mismatch of the IP is found, the port number is inspected, and the threshold value is decreased linearly to balance the network traffic [23]. The port number in the ARP table is then updated.

  • If the new incoming IP address matches the current IP address, it is authenticated by the similarity of the port number, and the port number remains unchanged.

If it is found that the incoming TCP port value is much greater than the threshold value, the threshold would be increased by a factor of two to accommodate the new port number by the self-learning process. In this situation, the host gets a chance to correct the incoming traffic without punishment. If the entire process continues and the consistent increment of the threshold is observed, then the host is identified as spoofed. The approach would reject the TCP packet coming from that host automatically.

This algorithm decreases the false-positive rate significantly by giving a chance to decrease the threshold when it goes beyond the maximum limit. Individual scanning of the threshold based on the port number authenticates the particular IP traffic. Traffic is considered spoofed by this approach without traceback to its respective MAC address. The flowchart of algorithm 1 is illustrated in Fig. 3.
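The multiplicative-increase / additive-decrease threshold stamping of algorithm 1, replayed over a constructed packet sequence (added example, not the paper's own code). The 1024 floor follows the paper's rule that a single-port threshold must exceed 1023; the decrement size (256), the number of tolerated consecutive doublings (3), and the MAC values are assumptions, and a new IP arriving below the threshold is read as the "two different IP addresses with different ports" case.

```python
"""MIAD threshold stamping over (IP, port) pairs, following the three rules
and the above-threshold 'second chance' of algorithm 1.  Constructed example:
decrement size, doubling limit and MAC values are assumptions."""

from dataclasses import dataclass, field


@dataclass
class ArpEntry:
    mac: str
    port: int


@dataclass
class MiadPolicy:
    threshold: int = 1024        # floor: a single-port threshold must exceed 1023
    floor: int = 1024
    ceiling: int = 65535         # TCP ports range 0..65535
    decrement: int = 256         # assumed size of the linear (additive) decrease
    max_doublings: int = 3       # assumed run of doublings tolerated per host
    table: dict = field(default_factory=dict)   # ARP table: ip -> ArpEntry
    streak: dict = field(default_factory=dict)  # ip -> consecutive doublings

    def _double(self) -> None:
        self.threshold = min(self.threshold * 2, self.ceiling)

    def inspect(self, ip: str, mac: str, port: int) -> str:
        """Return 'accept' or 'reject' for one TCP packet and update the state."""
        if port <= self.threshold:
            self.streak[ip] = 0            # a packet under the threshold resets the run
            entry = self.table.get(ip)
            if entry is None:
                # rule 1: a new IP with its own port doubles the threshold
                # and is recorded in the ARP table
                self._double()
                self.table[ip] = ArpEntry(mac, port)
            elif entry.port != port:
                # rule 2: known IP, different port: decrease linearly and
                # update the port stored for that IP
                self.threshold = max(self.threshold - self.decrement, self.floor)
                entry.port = port
            # rule 3: same IP and same port: threshold unchanged
            return "accept"
        # port above the threshold: double to accommodate it (the host's chance),
        # but a consistent run of such doublings marks the host as spoofed
        self.streak[ip] = self.streak.get(ip, 0) + 1
        if self.streak[ip] >= self.max_doublings:
            return "reject"
        self._double()
        self.table[ip] = ArpEntry(mac, port)
        return "accept"


def run_demo():
    """Replay a constructed packet sequence; returns (decisions, final threshold)."""
    policy = MiadPolicy()
    packets = [  # (ip, mac, src port): constructed sample, not captured data
        ("192.168.0.105", "aa:bb:cc:00:00:05", 443),    # new host: 1024 -> 2048
        ("192.168.0.105", "aa:bb:cc:00:00:05", 443),    # same host, same port
        ("192.168.0.105", "aa:bb:cc:00:00:05", 80),     # same host, new port: 2048 -> 1792
        ("192.168.0.106", "aa:bb:cc:00:00:06", 40000),  # above threshold: 1792 -> 3584
        ("192.168.0.106", "aa:bb:cc:00:00:06", 50000),  # above threshold: 3584 -> 7168
        ("192.168.0.106", "aa:bb:cc:00:00:06", 60000),  # third run in a row: rejected
    ]
    decisions = [policy.inspect(*p) for p in packets]
    return decisions, policy.threshold


if __name__ == "__main__":
    print(run_demo())
```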

Algorithm 1 (presented as an image in the original)

Fig. 3 Flowchart of algorithm 1

Proof of Concept

Consider a network space N with available users (\(R_a\)) sending TCP traffic packets (\(T_p\)), which have specific network requirements (\(A^*\)) stored in the ARP table (\(T_b\)). Network attributes can be represented as \(A_i^* = A_1^*, A_2^*, A_3^*, \ldots A_n^*\), which can be extracted from each \(T_p\). Source port number, destination port number, IP address, and MAC address are the required network traffic attributes here [40]. Network parameters (P) can be retrieved from the network requirements (\(A^*\)) of each \(T_p\) by the function \(P_k\).

U represents the IP addresses of the existing users \(R_a\) with their corresponding TCP traffic packets \(T_p\) in Eq. (1). Equation (2) retrieves the required network parameters (\(P_k\)) for each user of Eq. (1). Equation (3) calculates the number of existing users in a specified time frame

$$\begin{aligned} U= & {} (R_{a} * T_{p} ) \in N, \end{aligned}$$
(1)
$$\begin{aligned} P_k= & {} P[(R_a * T_p )\,*\,(A_i^*)] \in N, \end{aligned}$$
(2)
$$\begin{aligned} N(U_A^*)= & {} \sum _{i=0}^{n} \frac{\delta (P_k)(A_i^*)}{\delta (t)} \; \mathrm{where} \;A_i \subset A \;\forall A_i \subset U,\;t \in [0,1]. \end{aligned}$$
(3)

Dynamic users (\(R_d\)) can be incorporated into this network space N in the specified time interval [t, 0]. In Eq. (4), all hosts are represented as U. The parameter calculations (\(P_k\)) for the cumulative users, i.e., existing users and new dynamic users, are described in Eq. (5). The number of cumulative users in a specified period is defined by Eq. (6), where \(P_i \le n_i\) and \(A_i \subset A\) for all \(A_i \subset U\) [41]

$$\begin{aligned} U= & {} [(R_a * T_p )\, (R_d * T_p)] \in N, \end{aligned}$$
(4)
$$\begin{aligned} P_k= & {} P(U * A_i^*) \in N, \end{aligned}$$
(5)
$$\begin{aligned} N(U_A^*)= & {} \sum _{i=0}^{n}\frac{\delta (P_k)(A_i^*)}{\delta (t)} \;\mathrm{where} \;A_i \subset A \;\forall A_i \subset U,\;t \in [0,1]. \end{aligned}$$
(6)

The incoming source IP address and the required destination IP address are represented by \(A_\mathrm{sip}\) and \(A_\mathrm{dip}\). The total numbers of source \((U_s)\) and destination \((U_D)\) port numbers in a specified time interval are calculated in Eqs. (7) and (8), respectively

$$\begin{aligned} U_s= & {} \int _{i=0}^{n}\sum _{i=0}^{n}\frac{\delta (A_\mathrm{sip})}{\delta (t)}, \end{aligned}$$
(7)
$$\begin{aligned} U_D= & {} \int _{i=0}^{n}\sum _{i=0}^{n}\frac{\delta (A_\mathrm{dip})}{\delta (t)}. \end{aligned}$$
(8)

The requisite information regarding source and destination port addresses can be retrieved from the network parameters (\(A_i^*\)) and stored in the ARP table (\(T_b\)) defined in Eq. (9). The value of \(T_b\) is used further by the proposed approach for MAC address verification and for granting access to cloud resources

$$\begin{aligned} {T_b(U_S+U_D) = \int _ {i=0} ^{n} \sum _{i=0}^ {n} \frac{\delta (A_\mathrm{sip})}{\delta (t)} + \int _ {i=0}^ {n} \sum _ {i=0}^ {n} \frac{\delta (A_\mathrm{dip})}{\delta (t)} }. \end{aligned}$$
(9)

Calculation of Threshold Value

The selection of a proper threshold value helps to prevent any attack at a very early stage. It is hard to stamp a suitable threshold value to distinguish between normal and abnormal traffic. An inaccurate threshold will not only increase the false-positive rate of network traffic but also increase the chances of intrusion by treating malicious activity as regular traffic. In this paper, the static threshold approach is applied using the port scanning method on the respective TCP packets of incoming network traffic [42]. The threshold helps to detect a constant or dramatic increase in the network flow [19].

The threshold (\(P_\mathrm{tr}\)) is calculated by investigating the network traffic (\(P_i\)) statistics over a fixed period t [43]. For normal traffic, \(P_i \le P_\mathrm{tr}\) should hold and be validated by the proposed approach. Depending upon the port number, the threshold value is assigned for authentication. If \(P_i \ge P_\mathrm{tr}\), an anomalous network state is likely to occur. According to the proposed algorithm, it is impossible to know the spoofed MAC address without prior knowledge of the threshold value. The threshold can be calculated based on the following network parameters.

  a. Number of incoming traffic requests coming from the router in the time period (t).

  b. Count of incoming active traffic requests and log analysis.

  c. Type and rate of incoming traffic (type such as TCP, UDP, and ICMP).

  d. Extraction of the destination port number.

To find the lower value \((\alpha )\) and the upper value \((\beta )\) of the threshold, Eq. (10) is used, where \(n_1\) and \(n_0\) are the two threshold coefficients. After defining the threshold based on the essential network parameters, the coefficients are recalculated regularly. If one coefficient's value is considerably greater than the other, an irregular network state can be detected. As TCP packet rates vary across TCP ports ranging from 0 to 65k, a threshold value for a single port must be greater than 1023

$$\begin{aligned} P_\mathrm{tr}(n_1) = \frac{\beta }{\alpha } \, , \, P_\mathrm{tr}(n_0) = \frac{1- \beta }{1- \alpha }. \end{aligned}$$
(10)

From the set of network parameters (\(A^*\)) extracted from the TCP packet \((T_p)\), we need the discrete source port address \((U_s)\) from the set of all source IPs, referred to as \(s:S \in A_i^*\) [44]. \(A_i^*\) must be updated for each distinguished source IP address \((U_s)\). If \(U_s\) exceeds a certain threshold value \((P_\mathrm{tr})\), the source IP address (s) is labeled as spoofed according to hypothesis S1 [33]. Under hypothesis S0, if \(U_s\) falls below the threshold \((P_\mathrm{tr})\), the source IP address (s) is labeled as benign. In either case, the algorithm keeps monitoring the source IP address (s) for categorization [41]. \(A_i^*\) is computed as the likelihood ratio in Eq. (11):

$$\begin{aligned} \prod _{i=1} ^ {n} \frac{\Pr [A_i | S1]}{\Pr [A_i | S0]}. \end{aligned}$$
(11)

To calculate the conditional probability, Eqs. (12) and (13) are used hereunder

$$\begin{aligned}&{\left\{ \begin{array}{ll} \Pr [A_i =0 | S0] = \theta _0\\ \Pr [A_i =0| S1] = \theta _1,\\ \end{array}\right. } \end{aligned}$$
(12)
$$\begin{aligned}&{\left\{ \begin{array}{ll} \Pr [A_{i} =1 | S0] = 1-\theta _{0}\\ \Pr [A_{i} =1 | S1] = 1-\theta _{1}. \end{array}\right. } \end{aligned}$$
(13)

Concerning Eqs. (12) and (13), \(A_{i}\) takes one of two Boolean values, where 0 represents success and 1 represents failure; it records the successes or failures of connecting to the specific target IP addresses. \(\theta _0\) describes regular traffic, whereas \(\theta _1\) describes malicious traffic. Here, the port number \((U_s)\) of the TCP packet \((T_p)\) is taken as the primary network parameter \((A^*)\). The probability of the respective port number \((U_s)\) is calculated in Eq. (14)

$$\begin{aligned} P_r(U_S) = \frac{\mathrm{No.}\, \mathrm{of}\, \mathrm{packet}\, \mathrm{with}\, A_i\, \mathrm{as}\, \mathrm{src}\, \mathrm{port}\, \mathrm{address}}{\mathrm{Total} \,\mathrm{packet} \, \mathrm{in} \, (t)}. \end{aligned}$$
(14)

Based on this calculation, the spoofed profile (suspect factor) is detected in Eq. (15)

$$\begin{aligned} S_0 \le \mathrm{Spoofed} \; \mathrm{Host} \ge S_1. \end{aligned}$$
(15)
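The sequential likelihood-ratio test of Eqs. (10) to (13), with the port probability of Eq. (14), carried through in code (added example, not the paper's own implementation). The values \(\theta_0 = 0.8\), \(\theta_1 = 0.2\), \(\alpha = 0.01\), \(\beta = 0.99\) and the packet sample are constructed assumptions; the bounds \(\beta/\alpha\) and \((1-\beta)/(1-\alpha)\) from Eq. (10) are used as the decision limits for S1 and S0.

```python
"""Sequential likelihood-ratio classification of a source host.
A_i = 0 marks a successful connection to a target, A_i = 1 a failure
(Eqs. 12 and 13); the running product of Eq. (11) is compared with the
two bounds of Eq. (10).  All numeric parameters are constructed assumptions."""


def threshold_bounds(alpha: float, beta: float):
    """Eq. (10): P_tr(n1) = beta/alpha (upper), P_tr(n0) = (1-beta)/(1-alpha) (lower)."""
    return beta / alpha, (1 - beta) / (1 - alpha)


def likelihood_factor(a: int, theta0: float, theta1: float) -> float:
    """One term Pr[A_i | S1] / Pr[A_i | S0] of Eq. (11), from Eqs. (12) and (13)."""
    if a == 0:
        return theta1 / theta0                # success under S1 vs. S0
    return (1 - theta1) / (1 - theta0)        # failure under S1 vs. S0


def classify_host(observations, theta0=0.8, theta1=0.2, alpha=0.01, beta=0.99):
    """Consume observations until the ratio crosses a bound.
    Returns (label, observations used, final ratio); label 'S1' = spoofed,
    'S0' = benign, 'monitor' = undecided, keep watching the host."""
    upper, lower = threshold_bounds(alpha, beta)
    ratio = 1.0
    for n, a in enumerate(observations, start=1):
        ratio *= likelihood_factor(a, theta0, theta1)
        if ratio >= upper:
            return "S1", n, ratio
        if ratio <= lower:
            return "S0", n, ratio
    return "monitor", len(observations), ratio


def source_port_probability(packets, port: int) -> float:
    """Eq. (14): packets with the given source port over all packets in the window."""
    if not packets:
        return 0.0
    return sum(1 for p in packets if p["sport"] == port) / len(packets)


# Constructed sample window, not a real capture: outcome 0 = success, 1 = failure.
SAMPLE_PACKETS = [
    {"src": "192.168.0.105", "sport": 50123, "outcome": 0},
    {"src": "192.168.0.105", "sport": 50123, "outcome": 0},
    {"src": "192.168.0.105", "sport": 50123, "outcome": 0},
    {"src": "192.168.0.105", "sport": 50123, "outcome": 0},
    {"src": "192.168.0.106", "sport": 40001, "outcome": 1},
    {"src": "192.168.0.106", "sport": 40002, "outcome": 1},
    {"src": "192.168.0.106", "sport": 40003, "outcome": 1},
    {"src": "192.168.0.106", "sport": 40004, "outcome": 1},
    {"src": "192.168.0.107", "sport": 51000, "outcome": 1},
    {"src": "192.168.0.107", "sport": 51000, "outcome": 0},
    {"src": "192.168.0.107", "sport": 51001, "outcome": 1},
]


def observations_by_host(packets):
    """Group the Boolean outcomes A_i per source IP, in arrival order."""
    hosts = {}
    for p in packets:
        hosts.setdefault(p["src"], []).append(p["outcome"])
    return hosts


def run_demo():
    """Label every source host in the sample window."""
    return {ip: classify_host(obs)[0]
            for ip, obs in observations_by_host(SAMPLE_PACKETS).items()}


if __name__ == "__main__":
    print(run_demo())
```

With these parameters a success multiplies the ratio by 0.25 and a failure by 4, so four consecutive failures reach the upper bound of 99 and four consecutive successes fall below the lower bound of about 0.0101; a mixed host stays under monitoring.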

Results and Analysis

Wireshark version 3.2.5 is used to capture the network traffic on a machine with a 1.10 GHz Intel Pentium processor, 4 GB RAM, 1 TB HDD, and Intel HD Graphics. Wireshark is a leading open-source network capture tool that simultaneously captures all kinds of network traffic packets from network interface cards (NICs) and provides traffic analysis and monitoring options. PCAP captures the network traffic over a fixed time interval in a wireless network environment and filters out the TCP traffic.

From the snapshot of the Wireshark PCAP traffic analysis in Fig. 4, it is visible that the two highlighted IP addresses, namely 192.168.0.105 and 192.168.0.106, are used for analyzing MAC spoofing. Tables 1 and 2 have been validated mathematically according to our algorithm by observing the two IP addresses and their corresponding threshold values. Table 1 corresponds to the legitimate host. Based on our algorithm, the legitimate host is considered authorized and is granted access to the SDN framework of the cloud architecture. It is also clear from Table 2 that spoofing has already happened at the new IP address; thus, its TCP packets need to be discarded.

Fig. 4 PCAP snapshot of Wireshark network traffic with filtering TCP traffic

Figure 5 represents the Wireshark PCAP I/O graph of the TCP packets for the above two cases over a fixed time interval. The I/O graph in Fig. 5i corresponds to the legitimate IP address, where consistency is maintained. However, because of the abrupt increase of TCP traffic exhibited in Fig. 5ii, our algorithm classifies it as spoofed traffic.

Figure 6 is drawn from the values of Tables 1 and 2. The red line shows the threshold value, and the green line indicates the corresponding port number.

It is visible from Fig. 6ii that for the spoofed user the threshold value goes beyond the maximum limit, and the abrupt changes break the linearity, whereas the authorized user’s graph in Fig. 6i is linear in fashion. All the existing algorithms predict a legitimate user as a spoofed one, which increases the false-positive rate, whereas our algorithm outperforms the existing algorithms through its self-learning nature, setting an optimal threshold by considering several parameters.

Table 1 Authorized user
Table 2 Spoofed user
Fig. 5 Wireshark PCAP I/O graph considering TCP packet
Fig. 6 Threshold according to the port number representation for authorized host and for spoofed host

Calculation of Entropy

Entropy is calculated in this section to analyze the randomness of malicious incoming traffic [45]. Entropy is a familiar and valuable concept of information theory for measuring the uncertainty associated with randomness. The degree of randomness is termed the concentration of a distribution [46]. Entropy can be used to analyze the distribution of randomness collected from the attributes of the TCP packets over a certain period. Attributes include the source IP, destination IP, source port, destination port, and many more. If there are N incoming packets, then the value of entropy varies from \(0 \, \mathrm{to} \, \log _2N\). Entropy is zero where all distribution values are identical and highest when all the values are different [47]. We have used Wireshark for the experiments and captured the network traffic over a period of 1 h. As per the definition, if there are N TCP packets coming from a particular source IP and port, the entropy gives a clear indication of whether the traffic is beyond the threshold or not. The entropy of the random variable X is defined as \(H(X)\) in Eq. (16).

$$\begin{aligned} H(X) = - \sum _ {i=1} ^ {n} P(x_i) \log _{2} P(x_i). \end{aligned}$$
(16)

The random variable \(X=\{x_1,x_2 , \ldots , x_n\}\) ranges over the possible realizations, and \(p(x_i)\) are the corresponding probabilities, computed in Eq. (17).

$$\begin{aligned}&P_{i} = \frac{\mathrm{No.}\, \mathrm{of}\, \mathrm{occurrences}\, \mathrm{of}\, x_{i}\, \mathrm{in}\, X}{\mathrm{Window} \,\mathrm{size}} \end{aligned}$$
(17)
$$\begin{aligned}&{\left\{ \begin{array}{ll} \mathrm{if}\; H_0 < \mathrm{Threshold}: \mathrm{Suspected}\; \mathrm{as}\; \mathrm{spoofing}\\ \mathrm{if}\; H_0 > \mathrm{Threshold}: \mathrm{No}\; \mathrm{attack}\; \mathrm{detected} \end{array}\right. } \end{aligned}$$
(18)
$$\begin{aligned}&\mathrm{Normalized}\; \mathrm{Entropy}: H_{0} = \frac{H(X)}{\log _{2}(n)} \end{aligned}$$
(19)

Applying the decision rule of Eq. (18) enhances the performance of our algorithm. The entropy is normalized to \(H_0\) using Eq. (19) so that it can be compared against the threshold independently of the window size.
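The port-probability check of Eqs. (14) and (15) and the entropy rule of Eqs. (16) to (19), implemented together over one capture window, as an added example that is not code from the paper. The packet records are constructed; the two IP addresses are the ones named in the Results section, but their ports and counts are made up, and the choice of the window packet count as \(n\) in Eq. (19) is an assumption.

```python
from collections import Counter
from math import log2

# Constructed sample window: (source IP, source port) per captured TCP packet.
# The two IPs are the ones named in the paper; ports and counts are made up.
WINDOW = [
    ("192.168.0.105", 51012), ("192.168.0.105", 51012), ("192.168.0.105", 51013),
    ("192.168.0.105", 51014), ("192.168.0.105", 51015), ("192.168.0.105", 51016),
] + [("192.168.0.106", 443)] * 8


def port_probabilities(packets):
    """Eq. (14): fraction of packets in the window that carry each source port."""
    counts = Counter(port for _, port in packets)
    return {port: n / len(packets) for port, n in counts.items()}


def over_port_threshold(packets, p_tr):
    """Hypothesis S1 check on Eq. (14): a host whose dominant port share
    exceeds the threshold P_tr is labelled spoofed, otherwise benign (S0)."""
    return max(port_probabilities(packets).values(), default=0.0) > p_tr


def entropy(packets):
    """Eq. (16): Shannon entropy of the source-port distribution, using the
    per-window probabilities of Eq. (17)."""
    return -sum(p * log2(p) for p in port_probabilities(packets).values())


def normalized_entropy(packets):
    """Eq. (19): H(X) / log2(n). Assumption: n is the window packet count.
    A window of a single packet has log2(1) = 0, so its entropy is taken as 0."""
    n = len(packets)
    return 0.0 if n < 2 else entropy(packets) / log2(n)


def classify_hosts(packets, threshold):
    """Eq. (18) applied per source IP: normalized entropy below the threshold
    (traffic concentrated on few ports) is 'suspected spoofing'."""
    by_ip = {}
    for ip, port in packets:
        by_ip.setdefault(ip, []).append((ip, port))
    return {
        ip: "suspected spoofing" if normalized_entropy(pk) < threshold else "no attack detected"
        for ip, pk in by_ip.items()
    }


if __name__ == "__main__":
    for ip, verdict in classify_hosts(WINDOW, threshold=0.5).items():
        print(ip, verdict)
```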

Performance Evaluation

For the assessment of our proposed method, we have compared the approach with the existing approaches of [20, 33–36]. All these chosen studies are considered to be the best performing methods for MAC spoofing defense based on capturing TCP/IP network traffic. Most of the existing studies [20, 35, 36] are based on the physical characteristics of the wireless network, i.e., RSS values, whereas the framework of [34] is based on eliminating MAC spoofing by removing blacklisted MAC addresses from the network. We have evaluated the accuracy of the existing methods of [20, 33–36] along with our proposed approach.

Fig. 7 Overall accuracy (%) of the proposed method compared to other methods
Fig. 8 ROC curve of the proposed method compared to other methods

The proposed method attained an accuracy rate of \(97.75\%\), whereas in [34] the accuracy rate is calculated as \(96.28\%\). Researchers in [20] achieved an accuracy rate of \(95.28\%\). Vijayakumar et al. [33] and Alotaibi et al. [35] report the same accuracy rate of \(94.83 \%\) for their proposed work. From the research of Jokar et al. [36], a \(94.75\%\) accuracy rate is calculated. It is evident that our proposed method outperforms the existing approaches in terms of accuracy. Figure 7 illustrates the overall accuracy compared to previously proposed methods.

Fig. 9 Detection rate of the proposed method compared to other methods
Fig. 10 Comparison of throughput analysis

For evaluating the performance of our approach more rigorously, we have used the receiver-operating characteristic (ROC) curve, illustrated in Fig. 8. This curve plots the detection rate (true positive rate) against the false-positive rate (FPR) of the values computed by each method. It is visible from Fig. 8 that the approach exhibits a low false-positive rate and a significantly higher detection rate compared to the other methods. At \(0.5\%\) FPR, our proposed method has achieved a \(96.5\%\) detection rate, which is considered strong. Furthermore, the detection rate is compared explicitly with the other existing methods in Fig. 9.

Comparing the throughput analyses reported by the researchers in their existing work, our proposed approach has achieved \(98.87\%\), which is a very effective rate compared to the other methods. Figure 10 exhibits the throughput analysis as a bar graph.

Conclusion

The permanent shift towards work-from-home has been adopted by corporate structures to contain the virus in this coronavirus outbreak. The dependency on cloud resources has dramatically elevated due to the present COVID-19 pandemic. The fast-paced adoption of the cloud enables the workforce to keep the enterprise’s revenue growth steady and avoid financial loss. However, the change in work culture also increases the chances of cybersecurity attacks such as MAC spoofing attacks and DDoS/DoS attacks, due to the divergent incoming traffic from untrusted networks.

This paper introduces a novel access control policy based on a zero-trust network by creating a defensive mechanism against MAC spoofing in the software-defined network (SDN) framework of cloud architecture. When the access control policies of the corporate structure need to change, our approach exhibits higher accuracy by collecting the individual network traffic from untrusted zones and checking its source TCP/IP traffic and corresponding MAC address. The use of the multiplicative increase and additive decrease algorithm helps to detect an advanced MAC spoofing attack before it penetrates SDN-based cloud resources. The dynamic threshold value is stamped based on the incoming port number using the ARP protocol policy. The threshold stamping gives the chance to rectify a legitimate user’s traffic before classifying it as an attacker’s, which reduces the false-positive rate. The self-learning nature of the threshold stamping system helps to anticipate the network’s characteristics for the spoofed traffic classification. When the network sees a rapid rise, our AI-based model helps to decrease the threshold and normalizes the traffic. However, in an adverse scenario, the presence of a highly skilled attacker does not allow the threshold to decrease, so the algorithm itself rejects the TCP packet and does not allow the spoofed user to penetrate the SDN framework of the cloud architecture. It is observed that our proposed method outperforms the existing literature by achieving a high detection rate and throughput. Although this preconceived security threat cannot be prevented outright, with the help of this approach such threats can be eliminated and the attacker prevented from using the cloud resources. In a software-defined-network paradigm, the elimination of threats ensures the cloud resources’ optimized security. However, analyzing the traffic and removing a spoofed user are time-consuming procedures that can be improved by further research work.