1
Moving Target Defense : SDN protection system
overview
Tarik TACHIHANTE
Supervised by Ghizlane ORHANOU, Said EL HAJJI
Laboratory of Mathematics, Computing and Applications,
Faculty of Sciences, University of Mohammed V in Rabat,
Rabat, Morocco
tariktachihante@gmail.com, orhanou@fsr.ac.ma, elhajji@fsr.ac.ma
Abstract—The static nature of our network topology and
infrastructure make them an easy targets of cyber-attack. The
research community propose a new technical defense consist
to reconfigure, change or hide a network keys properties au-
tomatically and/or randomly. Moving target defenses have been
proposed as a way to make it much more difficult for an attacker
to exploit a vulnerable system by making the attack surface
appear chaotic and convert our system to moving target. The
MTD approach comprised of the following three level: IP address
level, Host service level, and routing and access policy level. In
this paper, we investigate how SDN can be used in some network-
based MTD techniques by taking the advantages of centralization
and automation. We first describe the reason of choosing this
techniques, and present a major related work implementing MTD
using SDN.
keywords : Moving Target Defense, Software Defined
Networking, Network Security,
I. I NTRODUCTION
The network attack cycle spans number of steps including
Initial Reconnaissance (finger printing, network mapping),
Penetration exploitation, Gaining A Foothold, Appropriating
Privileges, Propagation, Maintain Presence. A key part of a
cyber-attack is performing exploration or reconnaissance to de-
termine the configuration of the target system before launching
the actual attack. In these steps the attacker tries to involve the
unauthorized discovery and mapping of systems and services
then identifies vulnerabilities and points of access to be used
in future attacks by taking advantage of the static nature of
the topology of the network. The goal of reconnaissance or
the finger printing is not to damage the network, although it is
important to identify these threats. Before launching successful
devastating attacks such as system penetration or DoS, hackers
need to gather information about attacked systems, recon-
naissance will enable them to collect information about the
attacked network. This information includes IP address range,
active and inactive IP, server location, running OS, software
version, types of hardware etc... These key properties are not
changeable for a long time because of business constraints.
This static nature also makes the propagation of worms easier.
Another essential factor that gives more advantages to the
attackers is diversity of tools such as DNS Lookups, Ping
Sweeps, Port Scans, Traceroute and Time (an attacker can
spend as much time as necessary to perform reconnaissance).
Reconnaissance attacks often employ the use of packet sniffers
and port scanners. Anti-sniffer software and hardware tools
detect changes in the response time of hosts to determine
whether the hosts are processing bigger traffic than their own.
While this does not completely eliminate the threat, as part
of an overall mitigation system, it can reduce the number of
instances of threat. It is difficult to mitigate port scanning, but
using IPS and firewall can limit the information that can be
discovered. Ping sweeps can be stopped if ICMP echo and
echo-reply are turned off on edge switches. However, when
these services are turned off, network diagnostic data will
not be available anymore. Additionally, port scans can be run
without full ping sweeps. We need a solution to make the
reconnaissance attack more difficult.
Moving target defenses have been proposed as a way to make
it much more difficult for an attacker to exploit a vulnerable
system by making the attack surface appear chaotic. This
will be attended by increasing the randomness or periodically
hiding or changing the key properties of the topology. Ac-
cordingly, for each new attempt of reconnaissance of surface
attack we the force attacker to do a new reconnaissance and
increase his effort (cost and time). The goal of MTD is to
provide the ability to dynamically change the surface attack
properties such as names of hosts, IP addresses, and port
numbers. Also, the external response behavior of hosts and
IT equipment should be randomly changed.
Implementing MTD in traditional networks is not easy since
it is difficult to build a central authority able to define which
key properties are hidden or mutable. The emergence of
software defined networking (SDN) promises a new era of
centrally managed, policy-based automation tools and accel-
erates network management, optimization, and remediation.
Compared to traditional inflexible network management sys-
tems, the SDN solutions provide an entirely different and
flexible approach to managing networks. This new paradigm
provides programmatic software control from a central point
named controller, and Centralized policy repositories make the
policies much easier to change and audit. Distributing those
policies out to the entire network from a central point also
saves a lot of time and resources and gives a big opportunity to
implement the MTD Algorithms. The big challenge of MTD
is implementing, monitoring, controlling and diagnosing the
dynamic and flexible systems.

II. SDN AND MTD R ELATED WORK
Currently, a vast amount of related work is available.
These studies involve several facets of MTD, including theory,
strategy, and effectiveness .
During the National Cyber Leap Year Summit 2009 (USA)[1],
the Networking and Information Technology Research and
Development (NITRD) supported by NCO (the National co-
ordination Office) published one Draft Report of Participants
Ideas titled: ” explores Moving-Target Defense as a path to this
new game: Exploring Paths to New Cyber Security Paradigms,
in this document the authors tried to summarize the discussion
of the participants around the Moving-Target Defense concept.
The document proposes in twelve chapters news ideas for
future research without defining a real theory of MTD.
Zhuang et Al. [2] define the basic concepts about MTD
systems and their basic properties introducing the theory of
MTD. In this paper the authors defined the three essential
problems of MTD systems :(1) the MTD Problem (How to
select the next valid system configuration), (2) the Adaptation
election Problem, and (3) the Timing Problem. They built
the definition of an MTD system based on configurable
goals, policy systems and Adaptation. Then they defined the
configuration space and introduce a new concept called the
exploration surface. They also formally defined the concepts
of diversification and randomization and showed how they
relate to MTD systems and how their use can increase the
effectiveness of those systems, then they formalized the MTD
Entropy Hypothesis, which states that the greater the entropy
of the system’s configuration, the more effective the MTD
system.
Jafarian et Al. [3] present an random host mutation as moving
target defense technique using on software defined networking.
In their work, they describe how host virtual addresses can be
updated following an algorithm that assigns free addresses.
DNS is used to constantly update the name to virtual address
mappings and OpenFlow programs flows and address trans-
lations according to the address change schedule. OpenFlow
runs at a central location and communicates with switches in
the network. Dunlop et Al. [4] implements an IPv6 address
update scheme in similar context.
Al-Shaer et Al. [5] proposes changing routes that connect a
source and a destination. It describes how a random route
mutation (RRM) scheme can be formulated and optimized
according to MTD requirements and costs. Then the most
effective route is implemented without disrupting any on-
going traffic or violating security integrity. it uses heuristic
algorithms in order to solve the optimization problem of the
RRM route that maximizes the attackers cost while satisfying
the route constraints, but the cost depends on the problem
specifics.
Kampanakis et Al. [6] propose an SDN framework that
incorporates MTD functionality. Adaptations happen based on
MTD security models which run on the SDN controller. The
authors propose an Algorithm that can be implemented in
SDN in order to enforce MTD obfuscations in response to
a TCP or UDP port scan and ICMP scans so that to impose
randomly live hosts and network intermediate hops where they
2
do not exist. Fake listening hosts will further increase the
attacker’s workload in order to investigate them. The action for
each packet is kept in a buffer to ensure consistent behavior.
As a result of this algorithm, random ports will appear to
the scanner as being open. On this paper, authors introduce
a moving target technique called OpenFlow Random Host
Mutation (OF-RHM) which mutates IP addresses of end-hosts
randomly and frequently so that the attackers’ premises about
the static IP assignment of network fails.
Based on the related work, we distinguish three focal points
of research :
• Frequently randomized changing of network addresses
(IP address level)
• Frequently randomized changing of responses and ran-
domized ghost host (Host service level)
• Frequent route mutation and path diversity (routing &
access policy level)
III. C ONCLUSION
Moving target defense (MTD) has emerged as one of the
game-changing themes, the goal keeps moving the attack
surface of a system through dynamic shifting, which can
be controlled and managed automatically by the system
itself or manually by the network administrator. In this way,
the attack surface exposed to attackers appears chaotic and
changes over time. Therefore, the work effort, the cost and
the complexity, for the attackers to launch a successful attack,
will be greatly increased. As a result, the probability of
successful attacks will be decreased, and the resiliency and
security of a protected system will be enhanced effectively.
Security in SDN networks poses significant challenges, in
this paper, we have present a range of recent state-of-the-art
projects use MTD in order to secure SDN architecture .
Based on the related work, we classified key challenges and
opportunities along a number of different new research axes.
R EFERENCES
[1] Explores Moving-Target Defense as a path to this new game: Explor-
ing Paths to New Cyber Security Paradigms, the National Cyber Leap
Year Summit 2009 (USA)The Networking and Information Technology
Research and Development (NITRD).
[2] R. Zhuang, S. A. DeLoach, et X. Ou, Towards a Theory of Moving
Target Defense , 2014, p. 31 40.
[3] J. H. Jafarian, E. Al-Shaer, et Q. Duan, Openflow random host mutation:
transparent moving target defense using software defined networking ,
in Proceedings of the first workshop on Hot topics in software defined
networks, 2012, p. 127132.
[4] M. Dunlop, S. Groat, R. Marchany, and J. Tront, Implementing an IPv6
Moving Target Defense on a Live Network, in National Symposium on
Moving Target Research, June 2012.
[5] E. Al-Shaer and Q. D. J. Jafarian, On the Random Route Mutation Moving
Target Defense, in National Symposium on Moving Target Research, June
2012.
[6] P. Kampanakis, H. Perros, et T. Beyene, SDN-based solutions for
Moving Target Defense network protection , in World of Wireless, Mobile
and Multimedia Networks (WoWMoM), 2014 IEEE 15th International
Symposium on a, 2014, p. 16.
[7] J. H. Jafarian, E. Al-Shaer, et Q. Duan, Openflow random host mutation:
transparent moving target defense using software defined networking ,
in Proceedings of the first workshop on Hot topics in software defined
networks, 2012, p. 127132.