ISSN 1000-1239 CN 11-1777/TP

Journal of Computer Research and Development ›› 2017, Vol. 54 ›› Issue (12): 2761-2771.

### Path and Port Address Hopping Based SDN Proactive Defense Technology

Zhang Liancheng1, Wei Qiang1, Tang Xiucun2, Fang Jiabao1

1. 1(State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450002); 2(Jiangnan Institute of Computing Technology, Wuxi, Jiangsu 214083)
• Online:2017-12-01

Abstract: Existing path hopping technologies are not so efficient for defending global network interception and analysis attackers, and existing port and address hopping technologies spend too much effect on hopping synchronization and are difficult to be deployed. In order to mitigate these problems, a path and port address hopping based SDN proactive defense (PPAH-SPD) scheme, making full use of SDN network characteristics (such as control plane and data plane separation, logically centralized control) and introducing of multi-path routing, is proposed. PPAH-SPD scheme models the path hopping problem as a constraint solving problem, and utilizes satisfiability modulo theory solver to obtain multiple available paths, which satisfy overlap and capacity constraints. According to path hopping strategy and specific hopping interval, SDN controller installs corresponding flow entries into all OpenFlow switches along every specific path, and these switches can then use these flow entries to properly forward the corresponding network flows, and simultaneously change their address and port information. Theoretical analysis and experimental results show that PPAH-SPD scheme can not only achieve transmission path hopping and port and address random hopping along every single transmission path with comparatively small communication time delay and computation overhead, and but also improve proactive defense capability of SDN network to resist global network interception and analysis attack, denial of service attack and insider threat.

CLC Number: