SDN-Based Double Hopping Communication against Sniffer Attack
Sniffer attack has been a severe threat to network communication security. Traditional network usually uses static network configuration, which provides convenience to sniffer attack. In this paper, an SDN-based double hopping communication (DHC) approach is proposed to solve this problem. In DHC, ends in communication packets as well as the routing paths are changed dynamically. Therefore, the traffic will be distributed to multiple flows and transmitted along different paths. Moreover, the data from multiple users will be mixed, bringing difficulty for attackers in obtaining and recovering the communication data, so that sniffer attack will be prevented effectively. It is concluded that DHC is able to increase the overhead of sniffer attack, as well as the difficulty of communication data recovery.
Sniffer attack is a serious matter for network communication security. Sniffer attack is one of the most popular ways used by attackers, which captures and analyzes network communication data. Sniffer attackers are able to eavesdrop communication data from network nodes or links, monitor network status, and steal sensitive data such as usernames and passwords. However, the static network configurations in traditional network provide convenience for sniffer attack. For instance, static ends and route configurations make it easy for attackers to obtain and analyze communication data.
Communication encryption is a traditional approach to preventing sniffer attack. The communication data is encrypted during transmission, making it difficult for attackers to crack the information. However, there are still some limitations in practical applications. Firstly, encryption protocol should be supported by both communicating sides or communication would fail. Secondly, a large number of popular protocols, such as HTTP, FTP, Telnet, and SMTP, do not apply encryption, which causes serious security risk to communication based on these protocols. Thirdly, security flaws exist in some encryption protocols, by which attackers may crack communication data.
Moving target defense (MTD) [1–4], a recently proposed technology, uses dynamicity to enhance communication security. The network configuration is dynamically changed to deceive attackers [5, 6], avoid attacks [7–9], and defend against attacks [10, 11]. However, potential attacks still exist even if a single network configuration is changed. Changing multiple network configurations can enhance the dynamicity of the network and further improve network security.
Collaborative changes of multiple network configurations put forward higher requirements on capabilities of networks management. Distributed control is adopted in traditional IP network, in which the routing table configuration relies on routing protocols. In this paradigm, serious consequences, such as service interruptions and routing inflation, can appear due to the changing network configuration . And it is hard for traditional network to change multiple network configuration collaboratively. For example, it is difficult for MPLS, a high-speed networking technique used in traditional network, to implement dynamic resources changes due to the lack of a global view and flexible resource allocation . Dynamic transformation of host IP configuration is attempted to be realized in traditional network in , but the cost is high because several new devices are introduced. So collaborative changes among multiple network configurations demand powerful management of the network. Emerging software-defined network (SDN)  brings new method to realize dynamic network configuration. SDN decouples the control plane and the forwarding plane (data plane) and applies logic centralized control. The powerful network management and control ability of SDN make the realization of dynamic network configuration more flexible. The programmable nature of SDN can control flowtable of forwarding devices directly and avoid service interruptions and routing inflation. The centralized control of SDN makes it possible to have a global view of network. Therefore collaborative changes of multiple network configuration can be realized.
In this paper, double hopping communication (DHC) is proposed based on SDN architecture to enhance the ability to resist sniffer attack. DHC periodically changes the end information of both communication sides as well as the routing paths between them, thus realizing double hopping of end and route. In DHC, communication data is transmitted among multiple paths and data flows from multiple users are mixed. It is difficult for attackers to obtain complete data from one communication in DHC, and it is also hard for them to correctly separate the data of a single user from all the data they obtain. Therefore, the overhead and difficulty for attackers to obtain and analyze communication data are dramatically increased, because attackers are unable to conduct targeted sniffing. In addition, DHC is constructed based on SDN, so it is transparent to the terminals and needs neither extra external software nor hardware.
The rest of the paper is organized as follows. In Section 2 related works are discussed. Section 3 describes the basic principles of DHC. In Section 4 we describe the basic architecture and communication protocols of DHC. Section 5 presents the prototype deployment and simulation experiment, and the security of DHC is analyzed in Section 6. Section 7 concludes the paper.
2. Related Work
Hopping communication, based on dynamic and randomness of MTD technology, is one type of active network defense methods, aimed at breaking the hypothesis of static network configuration, and can improve network security via dynamic and randomness [11, 14]. Currently, researchers have proposed different hopping communication techniques. Atighetchi et al.  proposed a hopping approach based on fake address and port. Fake addresses and ports are used during data transmission to confuse attackers. Sifalakis et al.  proposed one network address hopping method (NAH) based on information hiding technique. Data flow is spread across multiple end-to-end connections by network address hopping during transmission. Thus point-to-point data transmission security could be improved. In  a random port-hopping (RPH) scheme was proposed to defend DDoS attacks by changing the communication ports. MT6D , proposed by Dunlop et al., taking the advantage of address space of IPv6 and robust IP hopping strategy, is achieved. Tunnel technique is used to encapsulate the packets. Source and destination IP addresses of the tunnel are changed repeatedly, making it difficult for attackers to sniff communication traffic. The approaches described above have their own advantages. However, in all of these methods, end is hopped, while routing path stays unchanged, which makes it possible for attackers to obtain complete communication data and therefore recover communication data. Moreover, in order to realize hopping communication, deploying software on terminal and adding hardware in the network are needed, which causes high cost.
In traditional network, quick cooperative hopping is difficult in distributed route management. However, the emerging software-defined network has brought new methods to hopping communication. Based on SDN, Kampanakis et al.  proposed three kinds of MTD methods, including reconnaissance protection, service version/OS hiding, and random host/route mutation. Attack cost, benefits, and potential attackers’ countermeasures of these three methods are analyzed, respectively, in this work. These methods involve network scanning, DDoS, and worm, but DHC focuses on sniffer attack. In the SDN architecture, a flexible as well as transparent to terminal IP hopping method, called OF-RHM [7, 17], is proposed by Jafarian et al. It is true that the effectivity of sniffer attack is decreased by OF-RHM, but virtual IP should stay unchanged during one continuous communication, which enables attackers to obtain complete data of one communication from a switch. Jafarian et al.  proposed a technique in which hopping is implemented temporarily and spatially in order to interfere with attackers’ views of the network. This hopping communication can defeat collaborative scanning attacks effectively. However, in our work, multiple network configurations are changed dynamically to enhance the dynamism of network for resisting sniffer attack. The work in  achieves fast IP hopping to resist scanning and worm propagation. The method discovers hazardous network ranges and addresses adaptively and evacuates network hosts from them quickly. MacFarland and Shue  provide a scalable moving target system to enable key security properties and maintain acceptable performance. The method distinguishes trustworthy and untrustworthy clients to provide access control for legacy clients.
There exist multiple paths between two nodes in network topology, which are used by researchers to improve communication security. An active random route mutation (RRM) method is proposed by Duan et al. [8, 21] and applied in SDN environment. Routes of multiple flows in the network are changed randomly and simultaneously. However, multiple uncrossed paths between source and destination are required, which is difficult to satisfy in common network topology. In addition, no end hopping is involved in RRM method, which enables attackers to recover communication data between hosts by sniffing multiple switches. Dolev and David  use multiple paths between datacenters to achieve secure communication. In order to ensure the privacy, an secret sharing method is used to encrypt communication data. The source creates shares of its data, then sends them along multiple paths, and makes sure that no or more shares pass the same router. Thus the method achieves theoretically secured channel to the public cloud. However, in our work, ends and route paths are changed frequently to increase the cost of attacks while obtaining and reconstructing communication data. Gillani et al.  migrate virtual routers among multiple paths to invalidate the network topology probe of attacks; therefore link DDoS attacks are resisted. Gkounis et al.  proposed a method based on SDN architecture to detect and mitigate Crossfire attack  by rerouting traffic via multiple paths. The two abovementioned works aim to resist link DDoS attacks, while our work, aimed at resisting sniffer attack, increases the cost of attackers through changes of ends and routing paths.
3. Basic Principles of DHC
In static configuration based network communication, when two hosts communicate on one connection, all the packets in communication contain information about this connection and the transmission path of the communication packets is static. These two facts provide convenience for attackers to sniff network communication. Attackers are able to obtain communication data easily from the target by sniffing network flow based on target end on transmission path. In DHC approach, both end and route are hopped based on SDN architecture. Dynamic and randomness are introduced in communication for two dimensions: end and route. For the data plane, random hopping end and route are configured by the controller in every hopping period after one connection is established. In the meantime, both end hopping and route hopping are achieved.
In DHC, ends in both communication sides hop dynamically. The data from multiple users will be mixed and end-to-end traffic is hidden in network background traffic. Frequent hopping of the end brings difficulty for attackers to select and sort the sniffed packets as well as recovering the initial data. Thus the difficulty of analyzing communication data is increased. Route hopping changes routing paths of the packets dynamically, spreading the communication traffic into multiple routing paths. In this way, overhead and difficulty of sniffing are increased since continuous communication data is difficult to obtain. To sum up, double hopping of both end and route limits the communication data that attackers can obtain and set obstacles for attackers to analyze the data.
4. Basic Architecture of DHC
When conducting hopping communication in DHC, end and routing path that are about to hop are selected first. Then flowtables are updated according to hopping protocol. Thus end hopping space and route hopping space as well as hopping communication protocol should be taken into consideration to realize DHC.
4.1. End Hopping Space
End consists of IP address of the host and port in communication. It is an essential element of communication between two hosts in network and it uniquely defines one communication side in network. One connection in network communication contains IP addresses and ports of both source and destination hosts. Therefore, is defined to represent the end of one connection. End of packets mentioned through the paper refers to this definition. In DHC, end hopping space consists of hopping IP addresses and hopping ports. Given IP address pool and hopping port pool , end hopping space can be represented by
Unoccupied hopping ends are randomly selected in to replace the real ends in communication when the ends need hopping.
4.2. Route Hopping Space
One routing path between source and destination hosts is a sequence that consists of forwarding nodes (i.e., OF switch). Define , where connects with source host and is called source forwarding node (source switch); connects with destination host and is called destination forwarding node (destination switch). Under SDN architecture, controller has the global network view. Therefore, all paths connecting source and destination hosts that satisfy certain conditions can be calculated, constituting the route hopping space.
Suppose the source host communicates with destination host ; the corresponding route hopping space will be calculated as follows:
(1) Calculate all acyclic paths between and that are not longer than the maximum path length according to the topology of network and constitute the path set .
(2) For , if holds, delete from path set , where represents the set of nodes that path passes. The reason for deleting is that no node in can be avoided when packets pass along , which leads to a longer path.
The route hopping space is obtained from the steps above. If holds, the paths in satisfy the following: , , there exists and , which means that does not pass at least one node in .
In order to guarantee the unpredictability of the hopping path, randomness in hopping path selection is essential. One simple method is random path selection which randomly selects one path in at the beginning of each period and takes it as the hopping path during the period. The probability of selection for each path in is identical. However, traffic may be forwarded unbalanced by the nodes, which means possibility of large amount of traffic forwarded by one single node exists. In this case, if attackers sniff on this specific node, large amount of communication data will be obtained easily. The reason is that paths in intersect. Fortunately, this threat can be eliminated in DHC by using weighted random path selection.
For a node, we define as the number of paths in route hopping space that pass through . For a node set , we define . Suppose that, for one connection between hosts and , there is . denotes the node set that contains the nodes left after common nodes (e.g., source forwarding node and destination forwarding node) through which all paths in pass are deleted. The weight of is defined where the function gets the maximum value in . By using the weighting function above, lower weight is assigned to paths with nodes that more paths cross. Therefore, the chance that too much traffic passes through one single node (except the nodes common to all paths) because of path intersection is eliminated.
Weighted random path selection algorithm is shown in Algorithm 1. The probability of one path to be chosen is set as the weight for the path. The inputs of the algorithm include paths in route hopping space , corresponding weights , and a random number . In the algorithm, weights are accumulated for each path in steps 2 to 6. The path corresponding to the weight is returned when the sum of accumulated weights is bigger than or equal to the random number .
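The two-step construction of the route hopping space and the cumulative-weight selection described for Algorithm 1, as an added example that is not the paper's or DhcFlower's code. The topology and switch names are constructed. The pruning rule (drop a path whose node set strictly contains another path's node set) and the weight (inverse of the largest crossing count among a path's non-common nodes, normalized to sum to 1) are assumptions filled in from the prose, and path length is counted in nodes.

```python
import random
from collections import Counter

# Constructed 7-switch topology (not the paper's Figure 5).
# s1 is the source switch, s7 the destination switch.
TOPOLOGY = {
    "s1": ["s2", "s3", "s4"],
    "s2": ["s1", "s5"],
    "s3": ["s1", "s5"],
    "s4": ["s1", "s6"],
    "s5": ["s2", "s3", "s6", "s7"],
    "s6": ["s4", "s5", "s7"],
    "s7": ["s5", "s6"],
}


def acyclic_paths(topo, src, dst, max_len):
    """Step (1): every loop-free path src -> dst with at most max_len nodes."""
    found, stack = [], [[src]]
    while stack:
        path = stack.pop()
        if path[-1] == dst:
            found.append(tuple(path))
            continue
        if len(path) == max_len:
            continue
        for nxt in topo[path[-1]]:
            if nxt not in path:
                stack.append(path + [nxt])
    return sorted(found, key=lambda p: (len(p), p))


def route_hopping_space(topo, src, dst, max_len):
    """Step (2), assumed rule: drop a path whose node set strictly contains
    the node set of another path, since it cannot avoid any of that path's nodes."""
    paths = acyclic_paths(topo, src, dst, max_len)
    node_sets = [frozenset(p) for p in paths]
    return [p for p, ns in zip(paths, node_sets)
            if not any(other < ns for other in node_sets)]


def path_weights(paths):
    """Assumed weight: 1 / (largest number of paths crossing any non-common
    node of the path), normalized so the weights are selection probabilities."""
    common = set.intersection(*(set(p) for p in paths))
    crossings = Counter(n for p in paths for n in set(p) - common)
    raw = [1.0 / max((crossings[n] for n in set(p) - common), default=1)
           for p in paths]
    total = sum(raw)
    return [r / total for r in raw]


def select_path(paths, weights, r):
    """Algorithm 1 as described: accumulate weights, return the path at which
    the running sum first reaches the random number r in [0, 1)."""
    acc = 0.0
    for path, w in zip(paths, weights):
        acc += w
        if acc >= r:
            return path
    return paths[-1]  # float rounding guard when r is very close to 1


def pick_hopping_path(paths, weights):
    # The hop must be unpredictable to an observer, so draw r from the OS
    # CSPRNG rather than the seedable default Mersenne Twister.
    return select_path(paths, weights, random.SystemRandom().random())


def node_exposure(paths, weights):
    """Expected fraction of hopping periods in which each node carries the flow."""
    load = Counter()
    for p, w in zip(paths, weights):
        for n in p:
            load[n] += w
    return dict(load)


if __name__ == "__main__":
    space = route_hopping_space(TOPOLOGY, "s1", "s7", 32)
    weights = path_weights(space)
    for p, w in zip(space, weights):
        print(w, "-".join(p))
    print("uniform :", node_exposure(space, [1 / len(space)] * len(space)))
    print("weighted:", node_exposure(space, weights))
```

On this topology the busiest intermediate switch sees two thirds of the periods under uniform selection and half of them under the weighted selection.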
4.3. DHC Protocol
In DHC, for each period , one hopping end and one path from source to destination are randomly chosen. New flow entries are generated by the controller and installed in OF switches. End of packets from source host is modified to and these packets are transmitted to destination host along . Then double hopping of end and route with period as granularity is realized.
4.3.1. Double Hopping
The basic protocol of DHC is illustrated in Figure 1. It is a network with SDN architecture, in which host communicates with . Denote end hopping space as and route hopping space of the communication as . Firstly, initial end is generated by according to the real IP address and port of two communication sides; then the address of the communication is determined.
Detailed steps of double hopping are as follows:
(1) The first packet containing is sent to the network by . OF switch receives the packet and encapsulates it as a packet-in message. Then the packet-in message is sent to the controller.
(2) The packet-in message is decapsulated by the controller and is extracted. Then hopping end is selected randomly in . Route hopping space is calculated by the controller and is chosen using weighted random path selection algorithm. With the knowledge of and , controller generates flow entries encapsulated as modify-state messages and sends them to OF switches , , and . Corresponding modification and routing of the packets are conducted.
(3) Ends in the packets are modified to by source switch and the modified packets are forwarded to OF switch then to destination switch .
(4) Ends in the packets are recovered to the and forwarded to host by destination switch . Then receives the packets from .
In this communication, the hopping end is recalculated by the controller for a hopping period and is represented as as shown in Figure 1. A new path, denoted as , is selected in using weighted random path selection algorithm. Then the flow entries in OF switches are updated. Source switch modifies the end in the packets sent from to as and forwards the modified packets along . In destination switch , the end of these packets is recovered to the real end .
The procedure described above does not modify the real end on both hosts. Instead it modifies the end and routing path of the communication packets dynamically in network transmission. The source and destination hosts can achieve hopping communication transparently in network without interrupting the ongoing communication. Once the packets of communication between and enter the network, end of the packets and routing path are hopped with time. For each hopping period , the hopping end and route will be reconfigured by the controller. The communication will be considered finished when the controller detects the fact that the flow entries are not hit in a hopping period via flow-removed messages sent by switches. Thus flow entries will not be updated.
4.3.2. Flow Entries Update
Flow entries in OF switches need to be updated when end and route are hopped in DHC. Moreover, it should be guaranteed that the flow entries update is consistent and no packet is lost. Suppose that hopping communication is conducted in the network topology as shown in Figure 2. Assume that the end is being hopped by switch currently, end changes from to , and the packets are being transmitted along path . In this circumstance, to hop the end of the packets from to and to hop the routing path from to , the steps of updating flow entries are as follows:
(1) Controller sends modify-state messages to install new flow entries in switches , , , , for forwarding the packets with end . At this time, the new flow entries will not be hit by packets, because there are no packets in the network that contain the end .
(2) Controller sends modify-state messages to modify the flow entry in switch ; thus the end of packets is converted from to .
(3) Controller sends modify-state messages to delete the old flow entries in switches , , , after the maximum transmission delay of path is reached.
The method to update the flow entries described above guarantees that the traffic is routed by the old flow entries during the update, avoiding packet loss. In addition, traffic is routed by the updated flow entries after the update, maintaining per-packet consistency.
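Why the order of the three update steps matters, shown on a toy flow-table model as an added example that is not the paper's or DhcFlower's code. Switch names, end labels and the "drain" step (standing in for waiting out the maximum transmission delay of the old path) are constructed for illustration; a table miss is simply counted as a lost packet.

```python
# Constructed labels: the real end, and the hopping ends of two periods.
REAL, OLD_END, NEW_END = "real-end", "hop-end-1", "hop-end-2"


def initial_tables():
    """Flow tables before the hop: match end -> (rewritten end, next hop).
    Old path S -> B -> D; the new path will be S -> C -> D."""
    return {
        "S": {REAL: (OLD_END, "B")},       # source switch hides the real end
        "B": {OLD_END: (OLD_END, "D")},
        "C": {},
        "D": {OLD_END: (REAL, "host")},    # destination switch restores it
    }


def install_new(t):      # step (1): entries for the new end, not yet hit
    t["C"][NEW_END] = (NEW_END, "D")
    t["D"][NEW_END] = (REAL, "host")


def modify_source(t):    # step (2): source switch starts emitting the new end
    t["S"][REAL] = (NEW_END, "C")


def delete_old(t):       # step (3): remove entries for the old end
    t["B"].pop(OLD_END, None)
    t["D"].pop(OLD_END, None)


OPS = {"install_new": install_new, "modify_source": modify_source,
       "delete_old": delete_old}


def walk(tables, switch, end):
    """Forward one packet until it reaches the host or misses a table."""
    trace = []
    while switch != "host":
        entry = tables[switch].get(end)
        if entry is None:
            return None, trace + [switch]  # table miss at this switch
        trace.append(switch)
        end, switch = entry
    return end, trace


def run(order):
    """Apply controller operations in the given order. One packet is already
    in flight on the old path; a fresh packet is sent after every operation.
    Returns (traces of delivered packets, number of table misses)."""
    tables = initial_tables()
    in_flight = [("B", OLD_END)]
    delivered, missed = [], 0

    def finish(switch, end):
        nonlocal missed
        out_end, trace = walk(tables, switch, end)
        if out_end == REAL:
            delivered.append(tuple(trace))
        else:
            missed += 1

    for op in order:
        if op == "drain":                  # wait for old-path packets to arrive
            while in_flight:
                finish(*in_flight.pop())
        else:
            OPS[op](tables)
            finish("S", REAL)
    while in_flight:
        finish(*in_flight.pop())
    return delivered, missed


PAPER_ORDER = ["install_new", "modify_source", "drain", "delete_old"]
SOURCE_FIRST = ["modify_source", "install_new", "drain", "delete_old"]
DELETE_EARLY = ["install_new", "modify_source", "delete_old", "drain"]

if __name__ == "__main__":
    for name, order in [("paper order", PAPER_ORDER),
                        ("source first", SOURCE_FIRST),
                        ("delete early", DELETE_EARLY)]:
        delivered, missed = run(order)
        print(name, "delivered:", delivered, "missed:", missed)
```

Every delivered trace follows either the old entries or the new ones end to end, which is the per-packet consistency property; the two reordered runs each lose one packet.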
5. Prototype Deployment and Simulation Experiment
5.1. Prototype Deployment
To verify the performance and security of DHC, DhcFlower, a prototype based on SDN controller is implemented. As shown in Figure 3, DhcFlower runs on the top of SDN controller which manages switches through OpenFlow.
In the prototype deployment of DHC, TopologyDiscovery reports the changes of network topology and updates view of network. FlowMonitor monitors the flow state of network to find initiation and termination of connections. Based on the view and flow state of network, DhcFlower chooses the ends and routing paths to convert network configurations.
Detailed structure of DhcFlower is shown in Figure 4. TopologyDiscovery updates topology database TopologyInfo with the changes of network topology. Using the network topology information, hopping path calculator calculates multiple paths of each pair of nodes and stores hopping path information in the hopping path pool. Hopping ends are stored in Hopping end pool. With hopping end pool and hopping path pool, double hopping engine, as the core module, chooses the hopping end and path based on flow state information. Afterwards, strategies of hopping are generated. Flow updater generates flow entries based on hopping strategies and updates the flowtables in a specific order.
5.2. Simulation Experiment
To evaluate DHC, we ran our prototype implementation on Mininet. OpenFlow 1.0 is applied and POX is used as the controller. A class B address block is chosen as hopping IP address pool and hopping port pool denoted as . Network topology proposed by  is applied, which has 16 nodes (forwarding nodes) as illustrated in Figure 5. The maximum path length is set to 32.
5.2.1. Validation of the Effectiveness of End Hopping
UDP packets from terminal on node 1 are sent to terminal on node 16 for 500 s. Packets are sniffed on the forwarding nodes and the number of ends received on each node is counted. The sniffing results in DHC and traditional network are shown in Figure 6.
As demonstrated in Figure 6, on some forwarding nodes in traditional network, such as nodes 4, 7, 8, and 12, only one end is able to be sniffed. However, in DHC, apart from source and destination forwarding nodes, multiple ends can be sniffed on other forwarding nodes. Due to the invariant of packets’ end in traditional networks, end that is sniffed stays unchangeable, which brings convenience for attackers. Attackers can launch a targeted sniffer to any connection and obtain the complete communication data of the connection. In DHC, end changes randomly and periodically. The ends sniffed on forwarding nodes between source and destination hosts are various. It is difficult for attackers to determine the ends from the same connection, increasing the difficulty in reconstructing the communication data. Moreover, the more frequently ends hop, the more ends will be sniffed on forwarding nodes. It can be seen in Figure 6 that more ends are sniffed when s compared with s. In addition, fewer ends can be sniffed on forwarding node 9 than other nodes as can be seen in the figure. The reason is that fewer paths pass through forwarding node 9 than other nodes; thus the probability of being hit by weighted random selection is lower.
5.2.2. Validation of the Effectiveness of Route Hopping
In the experiment, 10^6 packets are transmitted from node 5 to node 6 at a rate of 10^4 packets per second. The hopping period is set to 5 s. Packets are sniffed on the forwarding nodes and the number of packets sniffed is counted. In DHC network, random path selection and weighted random path selection are applied to conduct hopping communication. Sniffing results are compared with traditional network communication, as shown in Figure 7.
In Figure 7, the vertical coordinate stands for the fraction of all the packets transmitted from node 5 to node 6. As we can see, in traditional network, complete communication data from source host to destination host can be sniffed on some nodes (e.g., nodes 6, 11, and 12), which means that attackers can sniff complete data on any of the nodes and further data analysis is possible. Since shortest-path routing is applied in traditional network and the path stays unchanged during communication, the complete communication data can be obtained on any node that the shortest path goes through. In DHC, packets of a connection are distributed to several paths by route hopping. It is difficult for attackers to sniff complete data on a single forwarding node. If random path selection is applied, a large amount of data can still be sniffed on certain nodes. As shown in Figure 7, more than 50% of the data can be sniffed on forwarding nodes 4, 8, and 12. Applying weighted random path selection can avoid excessive traffic passing through certain nodes. The reason is that lower weight is assigned to paths with nodes that more paths cross.
5.2.3. Validation of Effectiveness of Antisniffer Attack
In the experiment, 100 MB data had been transmitted from node 1 to node 16 for 500 s. The hopping period is set to 5 s. Data is sniffed on node sets , , , and , respectively. The shortest path from node 1 to node 16 is . The percentage of data sniffed on node sets , , , and is presented in Figure 8.
As illustrated in Figure 8, complete communication data can be sniffed on all sniffed node sets, , , , and , in traditional network since they all contain node 8 on the shortest path, on which complete data can be sniffed. However, in DHC, complete data cannot be obtained from node sets , , and since route hopping is applied. The percentage of data sniffed on and is the same because traffic passes through and also passes through . Only can sniff the complete communication data in DHC. However ends of the data are diverse because of end hopping. We consider that packets with the same end are static data that attackers can obtain. The static data that attackers can obtain in hopping communication is far less than that in traditional network.
5.2.4. Performance of DHC
In the experiment, bandwidth of all connections in network topology is set to 10 Mb/s. Data is transmitted from terminal on node 1 to terminal on node 16 using File Transfer Protocol (FTP). Time for data transmission in both DHC and traditional network is recorded. Results are shown in Figure 9.
As can be seen in Figure 9, time consumption of data transmission in DHC increased in comparison with traditional network. The reason is that multiple paths from source to destination are selected, including longer paths. By contrast, the data is routed by the shortest path in traditional network. Therefore, transmission time in DHC is longer than that in traditional network. But the increase is less than 7% when s in the experiment. Routing path hopping of a connection results in a small amount of disordered packets at the receiving end when a new period starts, which causes retransmission. Therefore, the more frequently the flow entries are updated, the more likely retransmission is. We can also see from Figure 9 that longer time will be consumed to transmit data when s compared with s.
In DHC, each hopping connection needs to occupy hopping ends in every period. In Section 6.1, the number of hopping connections that can be supported in DHC network, that is, hopping network capacity, is analyzed. DHC brings difficulty for attackers to obtain complete data and to reconstruct data. Therefore, communication security is improved. The obtaining and reconstruction of communication data are discussed in Sections 6.2 and 6.3. The unpredictability and the cost of DHC are analyzed in Sections 6.4 and 6.5, respectively.
6.1. Capacity of Hopping Network
Suppose the sizes of hopping IP address pool and port pool are and , respectively. The number of all the ends is , and the number of the ends is when . According to the definition of end, valid ends require , so the size of valid end hopping space can be calculated by
In DHC, end hopping is performed in both directions of one connection, which means that, at any moment, one connection needs two ends. Assuming hopping connections exist simultaneously in network, ends will be needed, so ends are left. To ensure high randomness in hopping end selection, enough unoccupied hopping ends in are necessary. Suppose the maximum occupancy rate in end hopping space is ; that is, there are at least ends unoccupied. Then inequality (4) holds:
Therefore, the maximum number of hopping connections allowed in DHC is ; that is, the capacity of hopping network is .
6.2. Analysis of Complete Communication Data Obtaining by Attackers
We hypothesize that attackers can sniff part of the forwarding nodes in network randomly. Suppose network topology is an undirected connected graph, where is a set of forwarding nodes and is a set of links. contains forwarding nodes and attackers can randomly sniff of them simultaneously (). Sniffed node set consisting of these sniffed forwarding nodes is denoted as . and .
Source host communicates with destination host . Source and destination forwarding nodes are denoted as and , respectively. Assume there are nodes on the shortest path between and (), which constitute node set . In traditional network, if , complete communication data between and can be obtained by attackers. If , no communication data can be sniffed. The probability of attackers obtaining complete communication data in traditional network can be calculated by (6), where is number of all and is the number of when . So represents the number of when :
In DHC, attackers can sniff complete data between and if or . The number of such is . In other cases, if and , to sniff complete data, one vertex cut-set should be contained in , and and should be cut by into different connected subgraphs; that is, exists, where is cut by into connected subgraphs , and and , , , and , hold. Suppose there exists sniffed node set , where contains such in this case. Then the probability of attackers obtaining complete data between and can be calculated by
Proposition 1. The probability of attackers obtaining complete data in traditional network on one communication is not less than that in DHC; that is, .
The proof process of this proposition is shown in the Appendix. In the network topology shown in Figure 5, suppose a host on node 1 communicates with a host on node 16. The shortest path from node 1 to node 16 contains 6 nodes. Attackers can sniff nodes randomly (). Probabilities of attackers obtaining complete data in traditional network and DHC network are shown in Figure 10.
As can be seen from Figure 10, probability of attackers obtaining complete data increases when number of sniffed nodes increases, both in traditional and DHC network. But always holds. Probability of attackers obtaining complete data is 1 in both traditional and DHC network when the number of sniffed nodes is more than 10. Although probability of attackers sniffing complete data increases in DHC network when large number of forwarding nodes are sniffed, attackers obtain more irrelevant data. Since end hops constantly during a communication, attackers cannot pick out the traffic that belongs to the target from the sniffed data easily, which increases the difficulty for attackers to reconstruct and recover communication data.
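The comparison behind Proposition 1, computed by enumerating every sniffed node set, as an added example that is not from the paper. The 3x3 grid topology is constructed (it is not Figure 5), and the route hopping space is assumed to cover every loop-free path, so the DHC condition reduces to: the sniffed set contains the source or destination forwarding node, or it separates the two.

```python
from collections import deque
from fractions import Fraction
from itertools import combinations

# Constructed 3x3 grid of forwarding nodes:
#   1 2 3
#   4 5 6
#   7 8 9
GRID = {
    1: [2, 4], 2: [1, 3, 5], 3: [2, 6],
    4: [1, 5, 7], 5: [2, 4, 6, 8], 6: [3, 5, 9],
    7: [4, 8], 8: [5, 7, 9], 9: [6, 8],
}


def shortest_path(topo, src, dst):
    """Breadth-first shortest path, as used by the traditional network."""
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in topo[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def reachable_unsniffed(topo, src, dst, sniffed):
    """True if some src-dst path avoids every sniffed node, i.e. the sniffed
    set is not a vertex cut between the two forwarding nodes."""
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in topo[node]:
            if nxt not in seen and nxt not in sniffed:
                seen.add(nxt)
                queue.append(nxt)
    return False


def complete_capture(topo, src, dst, k):
    """Probability that k randomly sniffed nodes see the complete flow:
    returns (traditional network, DHC network) as exact fractions."""
    on_shortest = set(shortest_path(topo, src, dst))
    total = trad = dhc = 0
    for combo in combinations(sorted(topo), k):
        sniffed = set(combo)
        total += 1
        # Traditional: one sniffed node on the static shortest path is enough.
        trad += bool(sniffed & on_shortest)
        # DHC: need an endpoint switch, or a set that cuts every path.
        dhc += (src in sniffed or dst in sniffed
                or not reachable_unsniffed(topo, src, dst, sniffed))
    return Fraction(trad, total), Fraction(dhc, total)


def sweep(topo, src, dst):
    """Both probabilities for every possible number of sniffed nodes."""
    return {k: complete_capture(topo, src, dst, k)
            for k in range(1, len(topo) + 1)}


if __name__ == "__main__":
    for k, (trad, dhc) in sweep(GRID, 1, 9).items():
        print(f"k={k}: traditional={float(trad):.3f}  DHC={float(dhc):.3f}")
```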
6.3. Analysis of Communication Data Reconstruction for Attackers
Reconstruction of communication data requires complete data in this communication. Assume attackers can sniff complete data in communication between source and destination hosts in this section. In traditional network, attackers can deduce the positions of both communication sides and upper layer protocol according to IP and port of the sniffed packets. Useless packets can be eliminated based on the end and the target communication data can be obtained. However, in DHC network no real end from source and destination hosts can be sniffed by attackers if source and host forwarding nodes are not sniffed. Data in communication is distributed to various flows that attackers are not able to distinguish. Suppose that there are flows in the sniffed data, among which flows contain the data of target connections () and different ends are applied in different connections. There are combinations since attackers randomly choose flows from flows. Attackers can reconstruct communication data properly with only one combination; that is, . Given that attackers select several flows randomly for a single time to reconstruct communication data, probability of reconstructing data properly can be calculated with As shown in (8), probability of attackers reconstructing data successfully with a single time decreases exponentially with the increase of number of flows sniffed. The more data sniffed, the more difficulties for successful data reconstruction. Since attackers cannot determine the timing of target communication easily due to end hopping, longer sniffing time is needed to obtain complete communication data. Therefore large amount of irrelevant data is obtained, increasing the difficulty for data reconstruction. Given and , the probability of attackers reconstructing data correctly by selecting several flows randomly for one time would be .
6.4. Analysis of Unpredictability
Since the end and route hop randomly in DHC (see Section 4.3 for details), the end and route used in the next period cannot be predicted precisely. Even when the DHC protocol, end hopping space, and route hopping space are exposed, DHC can still increase the cost for sniffer attackers and resist sniffer attacks. Suppose that an attacker with all of the information above sniffs the DHC network for a target communication; the attacker will then face the following difficulties in launching a sniffer attack. Firstly, even though the DHC protocol is transparent to the attacker, a targeted sniffer attack cannot be launched because end and route hopping are random. Secondly, it is hard for the attacker to get complete communication data during sniffing due to the periodic hopping of the route. Thirdly, the attacker will collect a large number of ends because of frequent end hopping, which prevents the attacker from extracting the packets that belong to the target communication when attempting to recover the communication data. So the unpredictability of DHC guarantees that it can resist sniffer attack even when the DHC protocol and network information are exposed.
6.5. Analysis of Cost
Under traditional routing schemes, the packets are routed along the shortest path. However, in DHC network, packets may be routed along longer paths due to dynamic changing of the route. Therefore the cost of packet transmission time is higher in DHC. Let denote length (the length of a routing path is estimated by hops) of the shortest path between source and destination, the average length of paths in route hopping space (), and the hopping period, then the cost of packet transmission time is shown in Table 1. Moreover, random selection of routing is periodically conducted by routing path hop of a communication, which results in a small number of disordered packets at receiving end when a new period starts, leaving no obstacles to normal communication.
Ends and routing paths will be selected in DHC when flow entries are generated, which is more complicated than that in traditional network. Therefore time cost of generating flow entries is higher in DHC. Since average path is longer in DHC, more flow entries are installed for one communication compared with traditional network. Thus the time cost for flow entries setup is higher in DHC as well. In Figure 11, the average time cost for installing flow entries between different node pairs in topology (shown in Figure 5) of DHC and traditional network is compared. As illustrated in Figure 11, the average time for flow entries generation and setup in DHC is longer than that in traditional network.
In the network without DHC, flow entries are installed only once at the beginning of communication, while in DHC the flow entries of the data plane are updated periodically, and hopping ends and paths have to be allocated for every connection between two communication sides, which puts more load on the controller. In the experiment topology, 50 pairs of source and destination hosts are chosen randomly and communication between each pair is started. The CPU utilization of DHC and traditional network is compared in Figure 12. If the controller does not run DHC, the load is low because the flow entries are not periodically updated. Therefore, the CPU utilization is under 10% as shown in Figure 12. If a controller runs DHC, the load increases due to periodic updating of flow entries. It can be seen in the figure that CPU utilization is much higher when the controller runs DHC. When s, the CPU utilization is between 20% and 40% and when s the CPU utilization is between 10% and 30%. A shorter hopping period causes more controller operations. So when s, CPU utilization of a controller is higher than when s. The controller will be the bottleneck when DHC is used in a large scale network. Fortunately, a distributed SDN controller is a solution to the problem.
In traditional network, flows are matched only by destination addresses. So the length of routing tables is an order of given the network of nodes. However, flows are matched by ends (including source/destination address and ports) in DHC, meaning that two flows must be specified for every connection (TCP or UDP) between two communication sides. Let denote the average speed of connection establishment and let denote the lasting time of each connection; then the mean length of flowtables is an order of . Moreover, to avoid packets loss, DHC requires both old and new flow entries in flowtable simultaneously for a brief period of time, during which the cost of flowtable space increases. Therefore the cost of flowtable space is higher in DHC.
The centralized control and programmability of SDN make hopping communication easier to realize and deploy. In this paper, end hopping and route hopping are combined and double hopping communication based on SDN is proposed. The end is changed dynamically in DHC so that the data from multiple users is mixed and communication traffic can be hidden in background traffic. Traffic therefore cannot be distinguished easily, and the difficulty for attackers to reconstruct and recover data increases. In addition, the data is transmitted along multiple paths by changing the routing path dynamically, which increases the difficulty for attackers to obtain complete communication data. Results show that the approach proposed in this paper effectively resists sniffer attack. Moreover, DHC is realized completely in software and is transparent to terminals. Controller bottleneck usually occurs in a large scale DHC network. In future work, a distributed controller model will be applied to deal with this problem, and a feasible communication solution of DHC will be tested in a real network.
Suppose there are nodes in network topology . Attacker can sniff nodes and the sniffed nodes constitute a sniffed node set (). Given the route hopping space , there are nodes in the shortest path between source host and destination host (). is a vertex cut-set by which is cut into several connected subgraphs and source forwarding node and destination forwarding node are in different subgraphs. Suppose there are sniffed node set satisfying . Proof of the probability that attacker can obtain complete communication data in traditional network in one communication which is not less than that in DHC—that is, —is shown below.
Proof. Verify that ; and make sure .
Given , , we haveSuppose the shortest path from to is (). The complete communication data from source host to destination host can be sniffed on ; then , there exists , where represents the set of nodes that passes. Because , then ; that is, contains at least one node on the shortest path (Conclusion 1).
When , attack sniffs 1 node in the network. Then, based on (A.1), we haveIn (A.2), the denominator and the numerator is as follows:Known by Conclusion 1, ; that is, the sniffed node is on the shortest path. In the nodes on the shortest path, the number of which can divide source node and destination node into different connected subgraphs is not more than ; that is, . So (A.3) ≥ 0 can be got. The numerator of (A.2) is not less than 0; then, in (A.2) .
When , attack sniffs more than 1 node in the network. Then, based on (A.1), we haveIn (A.4), denominator and the numerator is as follows:According to the definition, is the number of those which can divide and into different connected subgraphs. So and do not belong to such . is the number of all satisfying both and . is the number of satisfying . Known by Conclusion 1, ; then is not more than . So (A.5) ≥ 0 can be got. The numerator of (A.4) is not less than 0; then, in (A.4) .
In conclusion, ; that is, .
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
This work is supported by the National Natural Science Foundation of China (nos. 61379151, 61272489, 61302159, and 61401512), the National Cryptography Development Fund of China (no. MMJJ201301005), the National Basic Research Program of China (973) (Grants nos. 2012CB315901 and 2013CB329104), and the National Natural Science Foundation of China (Grants nos. 61309019 and 61372121).