Abstract: Existing path hopping technologies are not so efficient for defending global network interception and analysis attackers, and existing port and address hopping technologies spend too much effect on hopping synchronization and are difficult to be deployed. In order to mitigate these problems, a path and port address hopping based SDN proactive defense (PPAH-SPD) scheme, making full use of SDN network characteristics (such as control plane and data plane separation, logically centralized control) and introducing of multi-path routing, is proposed. PPAH-SPD scheme models the path hopping problem as a constraint solving problem, and utilizes satisfiability modulo theory solver to obtain multiple available paths, which satisfy overlap and capacity constraints. According to path hopping strategy and specific hopping interval, SDN controller installs corresponding flow entries into all OpenFlow switches along every specific path, and these switches can then use these flow entries to properly forward the corresponding network flows, and simultaneously change their address and port information. Theoretical analysis and experimental results show that PPAH-SPD scheme can not only achieve transmission path hopping and port and address random hopping along every single transmission path with comparatively small communication time delay and computation overhead, and but also improve proactive defense capability of SDN network to resist global network interception and analysis attack, denial of service attack and insider threat.

Key words: software defined network (SDN), moving target defense, path hopping, port and address hopping, proactive defense