Scalable Node-Centric Route Mutation for Defense of Large-Scale Software-Defined Networks
Exploiting software-defined networking techniques, randomly and instantly mutating routes can disguise strategically important infrastructure and protect the integrity of data networks. Route mutation has been to date formulated as NP-complete constraint satisfaction problem where feasible sets of routes need to be generated with exponential computational complexities, limiting algorithmic scalability to large-scale networks. In this paper, we propose a novel node-centric route mutation method which interprets route mutation as a signature matching problem. We formulate the route mutation problem as a three-dimensional earth mover’s distance (EMD) model and solve it by using a binary branch and bound method. Considering the scalability, we further propose that a heuristic method yields significantly lower computational complexities with marginal loss of robustness against eavesdropping. Simulation results show that our proposed methods can effectively disguise key infrastructure by reducing the difference of historically accumulative traffic among different switches. With significantly reduced complexities, our algorithms are of particular interest to safeguard large-scale networks.
Instantly mutating route is a promising technique to provide the integrity of large data networks . It can disguise strategically located important network infrastructures and delay or prevent potential reconnaissance attacks . This is of particular interest to many practical networks delivering security-sensitive data, such as military networks  and banking systems . On the other hand, software-defined network (SDN) has been increasingly deployed. Centralized control in SDN facilitates mutating routes to disguise the strategically important switches and protect the network.
In general, route mutation is NP-complete constrained path selection in the presence of quality-of-service (QoS) consideration . It has been formulated to be a constraint satisfaction problem and solved by using the satisfiability modulo theory (SMT) . The constraints include the QoS of traffic flows and physical bandwidth of routers . The final routes are randomly chosen from the results of SMT that satisfy constraints. However, the routes can hardly claim optimality in any sense, and the complexity of SMT is prohibitively high . Although some heuristics have been developed to solve this problem within pseudo-polynomial-time [8–11], these algorithms concern network optimality rather than security.
In this paper, we propose new node-centric route mutation methods which are able to effectively change routes of flows at substantially reduced complexities. The key idea is that we propose interpreting route mutation as a signature matching problem and developing a three-dimensional earth mover’s distance (EMD) model with network connectivity and QoS constraints to suppress the traffic difference among switches. Another important aspect of our algorithm is that we solve the new node-centric problem as a three-dimensional transportation problem and develop suboptimal algorithms with polynomial time-complexities. Simulation results show that our algorithms are able to suppress the traffic difference among strategically important switches and also achieve fast convergence with substantially reduced complexities.
The rest of paper is organized as follows. Section 2 presents related work. Section 3 describes the system and network model. In Section 4, we discuss the details of designed algorithm. We present the computational efficient heuristics that can apply to large-scale networks in Section 5. Section 6 evaluates the experiment results and performance of our algorithm. In Section 7, we conclude the paper.
2. Related Work
In , randomly mutating route or host address was proposed to protect key network infrastructures from exposure to attackers and prevent potential attacks. Only a few structured algorithms have been designed for route or host address mutation, all of which formulated NP-complete constrained satisfaction problems under the constraints of the mutation rate , the address range , and the range distribution for host address mutation [6, 15]. These algorithms were solved by using SMT [6, 13–15]. However, constraint satisfaction problems are NP-complete with exponential complexities . As far as the routing problem is concerned, there are possible routes with lengths shorter than hops in an -node complete network . Choosing routes out of yields a complexity of , limiting the scalability of the designs to large-scale networks.
More efforts have been spent demonstrating the concept of route mutations. Route mutation was first implemented under IPv6, referred to as “Moving Target IPv6 Defense (MT6D),” by continually rotating the IPv6 addresses between the senders and recipients . A new transport layer protocol was designed to enable multiple addresses per network socket and support the rotations of IPv6 addresses . Route mutation was later applied to mobile ad hoc networks , by repurposing a classic attack mechanism, the Sybil attack, for effective defense. Most recently, route mutation was demonstrated using Cisco’s SDN platform, One Platform Kit . With the flexibility of SDN, a deception system that mutates the topologies virtually was proposed to defend against reconnaissances . A double hopping communication approach was designed to combine the IP address mutation and the route mutation methods in SDN , in which routes were selected from all paths within even lengths between sources and destinations. Game theory was adopted for route mutation in . Route mutation was proposed to apply to traditional networks where links were selected using stochastic game routing policies of next-hop probability distribution. In , a virtual network embedding framework was proposed to satisfy the capacity, delay, and cycle-free constraints when mutating links by game theoretic routing policies. In , a randomized multipath routing method was developed to circumvent black holes and minimize the overall energy consumption in wireless sensor networks.
3. System Model
Figure 1 illustrates the software-defined network under consideration, where there are number of switches connected in a network topology and forwarding traffic. We assume that all the switches are connected to a SDN controller in a star topology. The SDN controller is responsible for route discovery and mutation. The switches forward traffic along the routes specified by the SDN controller. The bandwidth of each switch, that is, switch , is .
Each of the switches is also connected to end-hosts which generate routing requests through the switch to the SDN controller. An end-host can request sending traffic flows to any other end-host. Each traffic flow is assumed to be randomly generated and last for a certain period of time. Without loss of generality, we assume that there are at most routing requests at any instant. The data rate of the th flow is denoted by .
Consider a practical network with hundreds of switches and nontrivial topologies (as opposed to fully connected complete graphs). Some of the switches have more connections than the others. These switches are strategically located and handle more traffic than other switches. In the example of Figure 1, switches and are such strategically located nodes. The exposure of these switches to adversaries poses critical threats to the integrity of the network.
The topology of the network can be described by an undirected graph , where collects the vertexes (i.e., switches) and collects the edges (i.e., the links connecting the switches). The size of is , where stands for cardinality. Also define to be the adjacent matrix of . , if vertices and are connected; or , otherwise.
Reconnaissance attacks  are considered, where an adversary keeps monitoring (or eavesdropping) the switches until strategically located switches are identified and attacks (such as DDoS) are initiated. The difference of historically accumulative traffic among switches is typically used by the adversary to identify strategically located switches, for example, and in Figure 1. The exposure of the strategically located switches would facilitate the potential attacks. Consider the worst-case scenario that the adversary is able to access each individual switch, install invasive software, accumulate the traffic volume handled at the switch, and collect the traffic volumes of all the switches. In practice, this can be implemented by remotely installing monitoring software, such as Cacti , to get the switches to collect and report the SNMP information to the adversary.
4. The Proposed Route Mutation for Large-Scale Networks
In this section, we propose mutating routes on a node basis to leverage between the robustness against reconnaissance attacks and the computational complexity. Particularly, routing requests from end-hosts are responded to independently from one another using classical routing techniques, such as OSPF . The exponentially increasing complexity of joint routing, such as the one proposed in , can be avoided.
Given the routes, we propose that the SDN controller identifies historically heavily loaded nodes with high exposure risks and detours their traffic flows via other historically lightly loaded nodes. A node is identified to be historically heavily or lightly loaded, based on the accumulative traffic of the node. By this means, the strategically located nodes can be disguised and protected, delaying or even preventing potential attacks.
The detours bypassing a historically heavily loaded node can be multihop. Figure 2 gives the examples of two-, three-, and four-hop detours that are considered, where node is a strategically located node. The possible detours for a traffic flow currently passing node must connect the nodes one hop away from node along the traffic flow, that is, nodes and . Such detours can be readily obtained using depth-first search (i.e., search for the closed loops passing node ) . The lengths of the detours are 2, 3, and 4 (in numbers of hops) in Figures 2(a), 2(b), and 2(c), respectively.
We also propose interpreting the route mutation as a signature matching problem. The accumulative traffic loads of the nodes are visualized as a signature, and routes are mutated to conform the signature to the one with even loads across all the nodes. Widely used to measure the difference of two images , EMD  is extended to measure the difference between the two signatures. The difference, or more specifically, the EMD, is reduced recursively by detouring flows around historically heavily loaded nodes, as described earlier.
The proposed route mutation is able to substantially reduce the computationally complexity. Assume that the detours are limited to two hops. The worst-case complexity is , consisting of detour discovery for every switch and redirecting at most traffic flows from every switch, where represents for the number of variables. In this case, . In contrast, the state-of-the-art joint mutation of all routing paths, using SMT , would result in prohibitive exponential complexity and limited scalability to networks with hundreds of nodes.
4.1. Nodewise Route Mutation for Delay-Tolerant Traffic
First consider delay-tolerant traffic. The total number of current traffic flows is , consisting of existing ongoing flows collected in the set and new flows collected in the set . . . Denote , , and (in bytes) to be the accumulative traffic of each individual node and their average, respectively, before a round of route mutation. . and are the accumulative traffic of node , , and the average, respectively, after the round of route mutation. .
The proposed route mutation redirects the traffic flows, attempting to conform the pictorial signature of the accumulative traffic of the nodes to a uniform signature with even traffic of at every node. To do this, we construct two signatures, that is, two one-dimensional distributions: and . The first signature provides the traffic volumes that can detour. The second signature denotes the demand of each node to achieve traffic uniformity among the nodes, as illustrated in Figure 3.
(a) Historically accumulative traffic volumes of nodes when Algorithm 1 starts
(b) Historically accumulative traffic volumes of nodes before Algorithm 1 terminates
(c) Historically accumulative traffic volumes of nodes after Algorithm 1 terminates
The EMD can be defined to quantify the difference between the two signatures, as given bywhere ; is the maximum allowed length of a detour (in numbers of hops); if the current flow is to be offloaded from node to detour , or , otherwise; , if flow currently goes through node , or , otherwise; is given by is the set of detours with length of , and each of the detours connects to the two nodes one hop away from node along the current route of flow . For any , ; that is, . Let denote the th element of . We have .
Here, is the cost of offloading traffic flows from node to detour . Keep in mind that our goal is to minimize the difference of accumulative traffic among the nodes. Meanwhile, the EMD is inherently defined to minimize the difference. For this reason, is defined as the normalized total difference of node and detour from , as specified by
Our EMD has a different form to the conventional definition for image processing applications . An auxiliary variable is defined to indicate the gap between the total traffic load that is expected to detour and the total traffic that can detour, whereas there is no such gap for image applications. This is due to the fact that route mutation (or, in other words, route reselection) is discrete and these two loads do not equate in most cases. (1a) and (1b) provide the average cost to minimize the difference between the total traffic load expected to be detoured and the total traffic load that can be detoured.
Predicted before a round of mutation, is unnecessarily equal to the one actually achieved after the mutation. This is due to the dependence of traffic between the nodes imposed by traffic flows. Particularly, a detour needs to be taken across multiple nodes and increases the traffic of the nodes evenly. Therefore, the average traffic load is expected to increase as a result of mutation. However, the difference of before and after a round of mutation can be iteratively reduced by increasing the rounds and diminishes as the routes stabilize. Once stabilized, the routes are implemented into the network. The convergence of the iterations can be guaranteed, since does not decrease during the iterations while it is also obviously bounded. Figure 3 gives a detailed illustration on our signature matching method.
Given , , , and , we can formulate a binary linear programming problem to minimize the EMD of the two signatures, as given bywhere is the set of nodes that can be detoured. needs to be preselected so that at most one of two consecutive nodes along a traffic flow, for example, nodes and in Figure 2, detours. This is to prevent from changing during solving (4a), (4b), (4c), (4d), (4e), and (4f). We can label the nodes along a traffic flow before running (4a), (4b), (4c), (4d), (4e), and (4f). can be first set to collect the nodes with even labels and input to (4a), (4b), (4c), (4d), (4e), and (4f). Then is reset to collect the remaining nodes with odd labels to run (4a), (4b), (4c), (4d), (4e), and (4f) again.
Here, constraint (4b) restricts a flow that can only be offloaded from a node to one detour; (4c) and (4d) restrict the amounts of traffic that can be supplied and demanded by the first and the second signatures, respectively; (4e) specifies the total maximum traffic amount that can detour; and (4f) specifies the variables to be binary.
Given , (4a), (4b), (4c), (4d), (4e), and (4f) are integer linear program and can be optimally solved using a branch and bound/cut algorithm . Specifically, we first relax (4f) and evaluate the upper and lower bounds of (4a) by increasingly setting the variables to “0” or “1” and using the Simplex method  to optimize the remaining variables. At any instant, the settings whose lower bounds are higher than the upper bound of another setting are discarded. The final remaining integer results are the solution for (4a), (4b), (4c), (4d), (4e), and (4f).
A bisection method can be taken to recursively search for the minimum feasible value of . When is too small, (4a), (4b), (4c), (4d), (4e), and (4f) can become infeasible. When is large, (4e) becomes inactive and (4a), (4b), (4c), (4d), (4e), and (4f) becomes always feasible. To this end, (4a), (4b), (4c), (4d), (4e), and (4f) is an on-off function of preserving monotonicity and can be readily solved bisectionally.
Algorithm 1 summarizes the proposed route mutation, where is a predetermined positive threshold for the termination of the algorithm. This algorithm resides in the SDN controller and runs periodically or on-demand. As described, the kernel of the algorithm is the EMD problem (4a), (4b), (4c), (4d), (4e), and (4f) solved using the binary branch and bound/cut method in Step (11). The optimal solution for (4a), (4b), (4c), (4d), (4e), and (4f) is used to update , or, in other words, to find the detours of the routes, as depicted in Step (12). By repeating these steps, the existing routes gradually move away and increase lengths, until the uniformity of all the nodes as regards accumulative traffic cannot be further improved; see the loop from Steps (2) to (13).
The majority of the complexity in Algorithm 1 lies in Step (11), that is, binary branch and bound/cut. Given a network , we can precompute all possible loops using depth-first search. Consider the worst-case scenario where the network is a complete graph. Let denote the maximum number of detours that a node can take, and , where is the length of detours in node numbers. As a result, the complexity of Steps (3) to (9) is . In the best-case and worst-case of branch and bound/cut, the members of branches are and , respectively, where . As per each branch, the complexity is , where is the number of constraints [34, 35]. , as (4f) limits each variable to be smaller than 1. Thus, the complexity is . As a result, the lower bound complexity of Algorithm 1 is , and the upper bound is .
4.2. Route Mutation for Delay-Bounded Traffic
Algorithm 1 can be extended to the case with QoS constraints on traffic flows. For illustration convenience, we assume that the QoS requirement of a traffic flow, say flow, is characterized by the maximum allowed route length of the flow, denoted by (in numbers of hops). To this end, the following constraint is added to (4a), (4b), (4c), (4d), (4e), and (4f):where . is the route length of traffic flow or is the length of the route discovered using OPSF for a new flow . Equation (5) limits the total length of the detours that each flow can take.
The finite bandwidth of switches can also be considered in the proposed algorithm. We can incorporate a new constraint of the bandwidth of each link into a node-centric optimization problem, as shown as follows:where denotes the maximum bandwidth of link , and is connected to node in one hop; that is, . For any node in the network, denotes the link bandwidth, which is computed as the minimum one among all bandwidths of the links connecting node . accounts for the traffic load of node before mutation; after we mutate the flows out of node , that is, , and move flows to it, that is, , its traffic load is within the range of .
In practice, the maximum number of flow entries on an SDN switch is limited by the physical resources of the switch, such as CAM and SRAM. We can add constraint (7) into Algorithm 1 to restrain the maximum number of flow rules that the switches can install. Without loss of generality, we denote the average size of a flow rule as . The number of flow rules at each switch depends on the total number of flows passing through it, as given bywhere, for any switch in the network, the size of its flow table is bounded by . Thus, the maximum number of flow entries that a switch can install is . The left-hand side of inequality (7) shows the number of flow rules of switch after mutation, which is bounded by .
Given and the constraints (5), (6a), (6b), and (7), (4a), (4b), (4c), (4d), (4e), and (4f) can be optimally solved using binary branch and bound/cut in the same way, as described in Algorithm 1. After that, both and need to be updated until cannot be further increased. Algorithm 2 summarizes the proposed route mutation approach in the presence of QoS constraints. The key difference from Algorithm 1 is Step (4), implementing (5), (6a), (6b), and (7). The only other changes are in Steps (1) and (5), where is initialized and updated, respectively.
5. Computationally Efficient Heuristics
As described in Section 4, binary linear programming is formulated and the binary branch and bound/cut method is required. This has the worst-case complexity of .
In this section, we propose a simplified version of Algorithms 1 and 2, which decouples traffic allocation and flow selection into two concatenated subproblems. The traffic allocation can be formulated as a linear programming transportation problem. The flow selection can be achieved by using the aforementioned binary branch and bound/cut algorithm, but with a substantially smaller number of variables, that is, less than . As a result, the complexity can be significantly reduced to the complexity of solving (8a), (8b), (8c), and (8d).
First consider delay-tolerant traffic. We begin with optimizing the total traffic , , , which needs to move from one of the nodes, that is, node , to a detour, that is, detour . Following the EMD criterion, a linear programming problem can be formulated to determine the total traffic that needs to detour from the heavily loaded nodes, as given bywhich can be solved using the Simplex method . The optimal solution for (8a), (8b), (8c), and (8d) is denoted by , or for short. A bisection search can also be taken to identify the minimum value of to preserve the feasibility of (8a), (8b), (8c), and (8d).
Given , we proceed to select the traffic flows for redirecting from node to detour and formulate a binary linear program, as given bywhich can be readily solved using binary branch and bound/cut.
We start by offloading the traffic flows of the node with . And (9) is used to offload the flows first to the detour with and then to the other detours in increasing order of . This repeats for the other nodes in decreasing order of .
Algorithm 3 summarizes the proposed computationally efficient heuristic approach for route mutation under delay-tolerant traffic. Steps (3) and (4) execute the traffic allocation, following the EMD criterion and using (8a), (8b), (8c), and (8d). Steps (5) to (13) conduct the flow selection, using (9). These two parts concatenate to reduce the complexity.
The major complexity of Algorithm 3 lies in solving (8a), (8b), (8c), (8d), and (9). Solving (8a), (8b), (8c), and (8d) requires the complexity of , as discussed in Section 4.1, where here. In the worst-case scenario with a complete graph, , where , as given earlier, is large, and the number of variables is larger than the number of constraints. Therefore, the complexity of (8a), (8b), (8c), and (8d) is . Given each nonzero solution , (9) implements branch and bound/cut. The best-case complexity of solving (9) is , where is the number of variables in (9), and is substantially smaller than . The worst-case complexity is . Suppose all of the solutions from (8a), (8b), (8c), and (8d) are nonzero. The best-case and worst-case complexities of Algorithm 3 are and , respectively.
Proceed with delay sensitive traffic, where the route lengths of traffic flows are strictly bounded. Algorithm 3 can be readily extended to this case by evaluating the route lengths on-the-go. The constraints of bandwidth and switch capacity can also be considered in the same way in Algorithm 2, as discussed in Section 4.2.
The extension is summarized in Algorithm 4, where only the differences between the two algorithms are highlighted.
6. Simulation and Evaluation
In this section, simulations are carried out to evaluate the proposed algorithms. We generate different random -regular graphs by using Python package NetworkX (NX) , where the degrees of all the nodes are . Nodes have the same probabilities of requesting new routes at any instant. The routes between these nodes are initially generated by the Dijkstra algorithm  before our algorithms are carried out. The traffic loads of the routes are randomly and uniformly distributed within . The simulations run in a computer with 32 GB RAM and 6 cores of Intel Xeon CPU. We use IBM-CPLEX to solve linear programming problems.
We assume that adversaries can identify strategically important nodes by monitoring historically accumulative traffic of the nodes. Dynamic eavesdropping or interception is considered where, after every interval of monitoring, the eavesdropper acquires network information and updates the identification of targets accordingly. Under this eavesdropping model, we consider different numbers of nodes that the eavesdroppers can identify and the upper bound of traffic difference that eavesdroppers use to identify strategically important nodes. The upper bound reflects the eavesdropping capability and therefore is referred to as “node interception probability.” We also consider different time intervals for the eavesdroppings.
The performance of the algorithms are measured by two metrics.
(1) Coefficient of Variation (CV). A more disperse distribution of traffic can facilitate eavesdroppers recognizing heavily loaded nodes in network. Coefficient of variation is a metric to evaluate the dispersion of distribution, which is defined as the ratio of standard deviation to the mean ,
(2) The Percentage of Traffic That Bypasses Any Node Being Eavesdropped or Monitored. Figure 4 compares the CV of accumulated traffic between the proposed Algorithms 1, 2, 3, and 4, in a 50-node network with topology of 6-regular graph. The CV changes as the time elapses. In Algorithms 2 and 4, different upper bounds of QoS constraints are considered, that is, 1, 2, and 3 in number of nodes. We see that after routes mutations, the network and variations exhibit significantly reduced variance of accumulative traffic. In other words, the difference of traffic loads among the nodes fast diminishes. Moreover, with the increasing upper bounds of QoS constraints, Algorithm 2 approaches Algorithm 1.
Figure 5 compares Algorithms 2 and 4. For comparison purpose, we also simulate the random route mutation proposed in . Two cases are considered. The first case is to choose the optimal combination of routes to minimize the CV of traffic at any instant, referred to as “RRM-O.” The second case is to randomly choose routes as long as the QoS requirements are met and therefore referred to as “RRM-R.” Clearly, RRM-O is optimal in the sense of minimized CV of accumulative traffic. Unfortunately, RRM-O requires exhaustive search of all possible combinations of routes, with a prohibitive complexity. Figure 5 also demonstrates that Algorithm 2 outperforms Algorithm 4 and RRM-R. This is due to the fact that Algorithm 2 carefully designs the routes in a structured way to reduce the CV, where RRM-R does not.
Table 1 shows the average running time for each instant of the proposed algorithms with 50-node 6-regular graph, and the probability to request new routes is 10%. In this table, represents the length of detour , that is, the upper bound of QoS. As Algorithms 1 and 3 are designed without QoS constraints, we marked their as . Comparing the proposed heuristic methods with the method of , Table 1 shows that the increase of the upper bounds of QoS constraints has less influence on our algorithms. RRM-R degrades, when the length of a detour increases from a single hop to two hops. Here, we only plot the tightest QoS constraints of RRM-O in Table 1. This is because the complexity of RRM-O becomes too high to be practical, when the maximum allowed detour length is longer than hops.
As mentioned in Section 3, the eavesdroppers can identify nodes by the differences of accumulative traffic. Figure 6 plots the distribution of “safe” traffic, that is, the traffic that does not pass through any compromised node, under the aforementioned dynamic interception model. In this figure, Algorithm 4 with the constraints of QoS of one-hop increment performs worst. This is because the first step of computing the traffic value to move, as given by (8a), (8b), (8c), and (8d), overlooks flows. As a result, a scenario that, for any , there is no detour, that is, , to move, may occur. When the number of flows increases, for example, the curve of “Algorithm 4-QoS 3” in Figure 6, the probability of flows to move also increases. Therefore it can outperform RRM-R with the upper bound of QoS constraint is three hops, that is, the line of “RRM-R-QoS 3.” We can also conclude from this figure that the results of this metric are consistent with Figure 5.
Figure 7 shows the convergent variance for networks with increasing numbers of nodes. The topologies of the networks are 5-regular random graphs. Each line in Figure 7 corresponds to a different probability that nodes are assigned as sources or destinations for some route. We see that, with the increasing network size and the increasing number of routes to mutate, the difference of nodes traffic becomes smaller. Algorithm 3 increasingly approaches Algorithm 1. In other words, the low-complexity heuristic, Algorithm 4, becomes increasingly robust against eavesdroppings.
Figure 8 shows the convergent CV in the networks with different connectivities. The probability of nodes initiating or receiving routing requests is all set to be 10%. Each line corresponds to the nodes having the same degree. As the network size gets larger, the difference of nodes traffic reduces. Figure 9 shows the CV of 40 nodes with connectivities of 3, 4, 5, and 6, respectively. With the increasing of network connectivities, there are more available detours to move to for sources, and the variations are getting smaller.
Figure 10 shows the average running time of the algorithms corresponding to Figure 7. As compared with RRM, our proposed algorithms are far more tolerant against the growth of the network size. As a matter of fact, the convergence time of the proposed algorithms remains almost unchanged, as the network grows. In contrast, the RRM algorithms suffer from exponentially increasing complexity and convergence delay. Our methods are time efficient and suitable to larger-scale networks.
In this paper, we propose a node-centric route mutation method which interprets route mutation as a signature matching problem. A three-dimensional EMD model is formulated to match signatures. By this means, routes are mutated by increasingly taking detours, balancing historically accumulated traffic among switches. Heuristic approaches are also developed to significantly reduce the computational complexities of signature matching, enhancing the scalability of route mutation to defend large-scale SDNs. Simulation results show that our methods can disguise strategically located, important switches and increase the difficulties for eavesdroppers to identify the switches, thereby delaying or preventing malicious attacks. Significantly reduced complexities also indicate the suitability of our algorithms to large-scale networks.
Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.
This research was supported by the National Key R&D Program of China (2017YFB0802703) and the National Natural Science Foundation of China (61602052).
J. Claessens, V. Dem, D. De Cock, B. Preneel, and J. Vandewalle, “On the security of todays online electronic banking systems,” Computers & Security, vol. 21, no. 3, pp. 253–265, 2002.View at: Google Scholar
M. R. Garey and D. S. Johnson, A Guide to The Theory of Np-Completeness, WH Freemann, New York, NY, USA, 1979.
Q. Duan, E. Al-Shaer, and H. Jafarian, “Efficient Random Route Mutation considering flow and network constraints,” in Proceedings of the IEEE Conference on Communications and Network Security (CNS '13), pp. 260–268, IEEE, National Harbor, Md, USA, October 2013.View at: Publisher Site | Google Scholar
T. Korkmaz and M. Krunz, “Multi-constrained optimal path selection,” in Proceedings of the IEEE INFOCOM 2001. Conference on Computer Communications. Twentieth Annual Joint Conference of the IEEE Computer and Communications Society, pp. 834–843, Anchorage, Alaska, USA.View at: Publisher Site | Google Scholar
E. Al-Shaer, Q. Duan, and J. H. Jafarian, “Random host mutation for moving target defense,” in Security and Privacy in Communication Networks, A. D. Keromytis and R. Di Pietro, Eds., vol. 106 of Lecture Notes of the Institute for Computer Sciences, pp. 310–327, Springer, Berlin, Germany, 2013.View at: Publisher Site | Google Scholar
J. H. Jafarian, E. Al-Shaer, and Q. Duan, “Openflow random host mutation: transparent moving target defense using software defined networking,” in Proceedings of the 1st Workshop on Hot Topics in Software Defined Networks (HotSDN '12), pp. 127–132, ACM, Helsinki, Finland, August 2012.View at: Publisher Site | Google Scholar
R. Moore, S. Groat, R. Marchany, and J. Tront, “Using transport layer multihoming to enhance network layer moving target defenses,” in Proceedings of the 8th Annual Cyber Security and Information Intelligence Research Workshop: Federal Cyber Security R and D Program Thrusts, CSIIRW 2013, USA, January 2013.View at: Publisher Site | Google Scholar
M. Albanese, A. De Benedictis, S. Jajodia, and K. Sun, “A moving target defense mechanism for MANETs based on identity virtualization,” in Proceedings of the 1st IEEE International Conference on Communications and Network Security, CNS 2013, pp. 278–286, USA, October 2013.View at: Publisher Site | Google Scholar
P. Kampanakis, H. Perros, and T. Beyene, “SDN-based solutions for Moving Target Defense network protection,” in Proceedings of the 15th IEEE International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM '14), pp. 1–6, Sydney, Australia, June 2014.View at: Publisher Site | Google Scholar
S. Achleitner, T. La Porta, P. McDaniel, S. Sugrim, S. V. Krishnamurthy, and R. Chadha, “Cyber deception: Virtual networks to defend insider reconnaissance,” in Proceedings of the 8th ACM CCS International Workshop on Managing Insider Security Threats, MIST 2016, pp. 57–68, Austria.View at: Publisher Site | Google Scholar
M. Zalewski, Silence on the wire: a field guide to passive reconnaissance and indirect attacks, Starch Press, 2005.View at: Publisher Site
T. Urban, Cacti 0.8 beginner’s guide, Packt Publishing Ltd, 2011.
J. Moy, “OSPF Version 2,” 1997.View at: Google Scholar
J. E. Mitchell, “Branch-and-cut algorithms for combinatorial optimization problems,” in Handbook of Applied Optimization, pp. 65–77, 2002.View at: Google Scholar
I. Maros, Computational techniques of the simplex method, vol. 61, Springer Science & Business Media, 2012.
N. Megiddo, On the Complexity of Linear Programming, IBM Thomas J. Watson Research Division, 1986.
W. L. Winston, M. Venkataramanan, and J. B. Goldberg, Introduction to Mathematical Programming, vol. 1, Thomson/Brooks/Cole Duxbury, Pacific Grove, Calif, USA, 2003.
A. A. Hagberg, D. A. Schult, and P. J. Swart, “Exploring network structure, dynamics, and function using NetworkX,” in Proceedings of the 7th Python in Science Conference (SciPy 2008), pp. 11–15, Pasadena, Calif, USA, 2008.View at: Google Scholar