
Securing Software-Defined Networks Through Adaptive Moving Target Defense Capabilities

  • Research
  • Published in: Journal of Network and Systems Management

Abstract

Over the last decade, Software-Defined Networking (SDN) has become increasingly popular in computer network infrastructures. However, because the technology is relatively recent, its protective measures have yet to be fully developed. One significant security concern with SDN is its vulnerability to scanning attacks, which can escalate to more severe attacks such as Denial-of-Service (DoS). Recently, Moving Target Defense (MTD) techniques have been used to address scanning attacks. Still, they can negatively impact network performance because they rely on delay tactics that increase network latency. This article introduces the MTD Adaptive Delay System (MADS) to provide feasible MTD-based protection against scanning attacks without compromising network service parameters, especially Quality of Service (QoS). Unlike existing methods that continually apply delays to all traffic packets, MADS triggers and applies delays only when the victim network is under attack, as determined by the intensity of the traffic patterns commonly used in scanning attacks. MADS' performance was evaluated and compared to state-of-the-art MTD-based defenses, and it was found to cause less network degradation while maintaining the same efficiency against scanning attacks. Furthermore, MADS had a shorter average latency time (99.4% lower) and better average throughput (4.87% higher) than the two baseline MTD-based solutions. Additionally, MADS did not produce Bad TCP packets under the same attack scenarios in which the baseline works did.
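The contrast the abstract draws, a fixed delay on every packet versus a delay applied only while a source's traffic looks like a scan, can be made concrete with a small simulation. The following is an added illustration, not code from the paper and not MADS' actual algorithm: the scan indicator (number of distinct destination targets contacted by one source inside a sliding window), the window length, the threshold and the delay value are all assumptions chosen for the example, and the traffic trace is constructed.

```python
from collections import defaultdict, deque

# Constructed sample trace (not from the paper). Each tuple is
# (time_s, src_ip, dst_ip, dst_port, kind). "kind" exists only so the
# summary can separate benign from scan traffic; the policies never read it.
BENIGN = [(t * 0.5, "10.0.0.2", "10.0.0.10", 443, "benign") for t in range(40)]
SWEEP = [(8.0 + i * 0.01, "10.0.0.9", "10.0.0.10", 1000 + i, "scan") for i in range(100)]
TRACE = sorted(BENIGN + SWEEP)


def continuous_delay(trace, delay_s):
    """Baseline behaviour: every packet pays the same fixed delay."""
    return [(ev, delay_s) for ev in trace]


def adaptive_delay(trace, delay_s, window_s=1.0, threshold=20):
    """Hypothetical adaptive policy (an assumption of this example):
    count the distinct (dst_ip, dst_port) targets each source has touched
    within the last window_s seconds, and delay that source's packets only
    while the count exceeds the threshold. Everything else passes untouched."""
    recent = defaultdict(deque)  # src_ip -> deque of (time, target)
    decisions = []
    for ev in trace:
        t, src, dst, port, _ = ev
        q = recent[src]
        q.append((t, (dst, port)))
        while q and t - q[0][0] > window_s:  # drop events outside the window
            q.popleft()
        distinct_targets = len({target for _, target in q})
        applied = delay_s if distinct_targets > threshold else 0.0
        decisions.append((ev, applied))
    return decisions


def summarize(decisions):
    """Average added delay per traffic kind, rounded to 4 decimals."""
    totals = defaultdict(lambda: [0.0, 0])
    for ev, applied in decisions:
        kind = ev[4]
        totals[kind][0] += applied
        totals[kind][1] += 1
    return {kind: round(total / n, 4) for kind, (total, n) in totals.items()}


def delayed_count(decisions):
    """Number of packets that received a non-zero delay."""
    return sum(1 for _, applied in decisions if applied > 0)


if __name__ == "__main__":
    print("continuous:", summarize(continuous_delay(TRACE, 0.1)))
    print("adaptive:  ", summarize(adaptive_delay(TRACE, 0.1)))
```

With these constructed inputs the fixed-delay baseline adds 0.1 s to every benign packet, whereas the adaptive policy adds nothing to the benign flow and delays only the sweep packets after the source crosses the threshold; that is the latency saving the abstract attributes to triggering delays on attack intensity rather than unconditionally. The threshold and window are tuning knobs: set too high, a slow scan never trips the delay; set too low, a busy legitimate client does.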



Data Availability

Not applicable.


Funding

Not applicable.

Contributions

FSDS: conceptualization, methodology, formal analysis, writing—original draft, writing—review & editing, supervision. TP: conceptualization, methodology, formal analysis, writing—original draft, writing—review & editing, supervision. EPN: conceptualization, writing—original draft, writing—review & editing. RSSN: formal analysis, writing—original draft. CHMS: writing—review & editing. AJVN: writing—review & editing.

Corresponding author

Correspondence to Felipe S. Dantas Silva.

Ethics declarations

Competing Interests

The authors declare no competing interests.

Ethical Approval

Not applicable.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

About this article

Cite this article

Dantas Silva, F.S., Neto, E.P., Nunes, R.S.S. et al. Securing Software-Defined Networks Through Adaptive Moving Target Defense Capabilities. J Netw Syst Manage 31, 61 (2023). https://doi.org/10.1007/s10922-023-09746-z


  • DOI: https://doi.org/10.1007/s10922-023-09746-z
