Securing Control and Data Planes from Reconnaissance Attacks Using Distributed Shadow Controllers, Reactive and Proactive Approaches

Abstract

Moving Target Defense (MTD) is an emerging proactive Cyber Security approach. MTD constantly changes the attack surface for making cyber-attacks difficult for the invaders. Software Defined Networking(SDN) provides dynamic network design capabilities with its centralized control plane. In this paper, SMCDS (SDN based Moving Target Defense for control and data planes Security) has been proposed. The SMCDS framework safeguards against the reconnaissance attacks targeted at both data and control planes. The concept of distributed shadow controllers is introduced for securing the control plane. The MTD effect is created through the use of shadow controllers that respond to the malicious probing traffic in place of the actual controller. The availability of the distributed control plane is enhanced through the used of these shadow controllers as well. The proposed framework adopts the reactive and proactive approaches for securing the servers connected at the data plane. The reactive approach capitalizes the technique of shadow servers for providing defense against reconnaissance attacks. The proactive approach provides security enhancement through the technique of IP and port shuffling. The novelty of SMCDS framework is its capability to provide protection of both data and control planes by exploiting SDN based MTD approach. The SMCDS framework was evaluated in terms of the attacker effort, defender cost. From the results, it can be observed that the proposed framework provides security against reconnaissance attacks at a low computational cost. The prototype of the proposed SMCDS was implemented using Mininet emulator and ONOS controller.