CHAOS: An SDN-Based Moving Target Defense System

Shi, Yuexi; Zhang, Huanguo; Wang, Juan; Xiao, Feng; Huang, Jianwei; Zha, Daochen; Hu, Hongxin; Yan, Fei; Zhao, Bo

doi:10.1155/2017/3659167

Cited by 20 publications

(15 citation statements)

References 19 publications

(23 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In [75], if the admin detects a spike in bandwidth usage of a particular link or sub-net, they change the maximum bandwidth value allocated to that link or the network. Authors in [85] scan open connections routinely and upon detection of unexpected connections, move between MTD configurations to protect the system against port-scanning attacks. b) Strategic: In order to understand these methods, we first define T max as the maximum time for which an MTD system can stay in the same configuration.…”

Section: B When To Switch? ≈ When To Play?mentioning

confidence: 99%

“…The work considers bandwidth limitation, and treats the MTD as an adaptation problem. as network shuffling [105], route modification [100], IP, and port obfuscation as discussed by Wang et al [85].…”

Section: Sdn-based Mtd Applications and Case Studymentioning

confidence: 99%

“…In contrast to all these works, [127] models the security risk associated with a particular defense action as inversely proportional to the cost (it believes) an attacker would spend to compromising it. b) Considers only Security of the Ensemble: Works that measure only the security of an ensemble as opposed to security of actions, mostly showcase the security benefits of the MTD ensemble by comparing them to the security benefits provided by a static system configuration [85], [7], [58], [68], [141]. In essence, these works consider the static system as the control case but unfortunately, do not ensure that this static system is the most secure constituent defense configuration in the ensemble.…”

Section: A) Considers Only Security Of Individual Defenses: Mostmentioning

confidence: 99%

“…CHAOS [85] analyzes how the delay intentionally introduced by MTD impacts the packet count in a SDN-managed network. The SDN controller utilizes host-mutation and decoysevers to deceive an adversary.…”

Section: B Quantitative Metricsmentioning

confidence: 99%

See 3 more Smart Citations

A Survey of Moving Target Defenses for Network Security

Sengupta

Chowdhary

Sabur

et al. 2020

IEEE Commun. Surv. Tutorials

153

View full text Add to dashboard Cite

Network defense techniques based on traditional tools, techniques, and procedures (TTP) fail to account for the attacker's inherent advantage present due to static nature of network services and configurations. Moving Target Defense (MTD), on the other hand, provides an intelligent countermeasure by dynamically re-configuring the underlying systems, thereby reducing the effectiveness of cyber attacks. In this survey, we analyze the recent advancements made in the development of MTD tools, techniques and procedures (TTP) and highlight how these defenses can be made more effective with the use of artificial intelligence techniques for decision making. We first define a unified formal notation for MTDs that can capture different aspects of such defenses. We then categorize these defenses into different sub-classes depending on how they answer the three questions-what to move, when to move and how to moveshowcasing how game theoretic strategies can effectively answer the latter question. To understand the usefulness of these defense methods, we study the implementation of such MTD techniques. We find that (relatively) new networking technologies such as Software Defined Networking (SDN) and Network Function Virtualization (NFV) provide effective means for implementing these dynamic defense methods. To encourage researchers and industry experts in using such defenses, we highlight industry use-cases and discuss the practicality and maturity of these defenses. To aid readers who want to test or deploy MTD techniques, we highlight existing MTD test-beds. Our survey then performs both a qualitative and quantitative analysis to better understand the effectiveness of these MTDs in terms of security and performance. To that extent, we use well-defined metrics such as risk analysis, performance costs for qualitative evaluation and metrics based on Confidentiality, Integrity, Availability (CIA), attack representation, QoS impact, targeted threat models and defense cost for quantitative evaluation. Finally, we conclude by summarizing research opportunities that our survey elucidates.

show abstract

Section: B When To Switch? ≈ When To Play?mentioning

confidence: 99%

Section: Sdn-based Mtd Applications and Case Studymentioning

confidence: 99%

Section: A) Considers Only Security Of Individual Defenses: Mostmentioning

confidence: 99%

Section: B Quantitative Metricsmentioning

confidence: 99%

See 2 more Smart Citations

A Survey of Moving Target Defenses for Network Security

Sengupta

Chowdhary

Sabur

et al. 2020

IEEE Commun. Surv. Tutorials

153

View full text Add to dashboard Cite

show abstract

“…It also used the satisfiability modulo theories for generating optimal strategies. CHAOS which is an MTD system was proposed in [14]. It utilized the concept of CTS (Chaos Tower Structure).…”

Section: Related Workmentioning

confidence: 99%

Distributed Shadow Controllers based Moving Target Defense Framework for Control Plane Security

Hyder¹,

Ismail²

2019

IJACSA

View full text Add to dashboard Cite

Moving Target Defense (MTD) has drawn substantial attention of research community in recent past for designing secure networks. MTD significantly reduced the asymmetric advantage of attackers by constantly changing the attack surface. In this paper Software Defined Networking (SDN) based MTD framework SMTSC (SDN based MTD framework using Shadow Controllers) has been proposed. Although the previous work in SDN based MTD targets the Data plane security, we exploit MTD for the protection of Control plane of SDN. The proposed solution uses the concept of Shadow Controllers for producing dynamism in order to provide security at the Control plane of SDN environment. We proposed the concepts of Shadow Controllers for throttling the reconnaissance attacks targeting Controllers. The advantage of our approach is multifold. First it exploits the mechanism of MTD for providing security in the Control plane. The other advantage is that the multi-controller approach provides higher availability in the SDN network. Another critical gain is the lower computational overhead of SMTSC. Mininet and ONOS Controller are used to implement the proposed framework. The effectiveness and overheads of the framework is evaluated in terms of attacker's effort, defender cost and complexity introduced in the network. Results demonstrated promising trends for the protection of Control plan of SDN environment.

show abstract

Toward Domain Name System privacy enhancement using intent‐based Moving Target Defense framework over software defined networks

Hyder

Ismail

2021

Trans Emerging Tel Tech

View full text Add to dashboard Cite

Moving Target Defense (MTD) is an active security procedure while intent-based networking (IBN) is gaining popularity as an evolving networking model. Software defined network (SDN) provides centralized network management through the control plane. In this article, a mechanism for the privacy enhancement of the Domain Name System (DNS) is proposed using intent-based MTD over SDN. DNS is a critical internet service with a high risk of privacy disclosure as it is related to user preferences. The proposed model privacy enhancement using intent-based MTD running over SDN (PEIMS) exploits IBN API of ONOS SDN controller along with Openflow flow modification for privacy enhancement. PEIMS core components include MTD application running over the ONOS SDN controller, ONOS intent-based API, and the DNS server. The notion is the protection of privacy disclosures that occur during DNS queries. PEIMS provides a dynamic port shuffling technique for mapping DNS traffic to minimize the attacker's chances of observing the DNS queries responses. The proposed model was implemented using ONOS controller, ONOS north bound intent-based API, and Mininet. The proposed model was evaluated in terms of privacy protection, attacker, and defender cost. The results showed promising trends for DNS privacy protection at a low computational cost. The work also quantified the privacy disclosures.

show abstract

CHAOS: An SDN-Based Moving Target Defense System

Cited by 20 publications

References 19 publications

A Survey of Moving Target Defenses for Network Security

A Survey of Moving Target Defenses for Network Security

Distributed Shadow Controllers based Moving Target Defense Framework for Control Plane Security

Toward Domain Name System privacy enhancement using intent‐based Moving Target Defense framework over software defined networks

Contact Info

Product

Resources

About