Towards Enhancing the Endpoint Security using Moving Target Defense (Shuffle-based Approach) in Software Defined Networking

-Static IP addresses make the network vulnerable to different attacks and once the machines are compromised, any sensitive information within the network can be spoofed. Moving Target Defense (MTD) provides an efficient mechanism for proactive security by constantly changing different system attributes. Software Defined Networks (SDNs) provide greater flexibility in designing security solutions due to their centralized management and programming capabilities. In this paper, a mechanism for the protection of endpoint security is developed using IP address host shuffling. In the proposed approach, the real IP address of the host is masked and a virtual IP address is assigned. The virtual IPs are mined from the pool of unassigned IP addresses. The address pool is created using a pseudo-random number generator to guarantee high randomness. This approach helps in invalidating the intelligence gathered by the adversaries through the changes in the network configuration that will disturb attack execution, eventually leading to attack failure. Transparency is attained via preserving the actual IP intact and mapping a virtual IP to it. The proposed solution is implemented using the RYU Controller and Mininet. The efficient results obtained from the experiments substantiate the effectiveness of the MTD approach for enhancing endpoint security.

INTRODUCTION Static networks are an easy target for attackers, even from a remote network. The attackers send probes using various scanning tools to random hosts in the network to identify the victims and attack them. However, dynamic allocation can be carried out using protocols like DHCP or NAT. Even though NAT and DHCP provide dynamic IP address assignment schemes for hosts, they cannot provide adequate security and can also be tracked. The Moving Target Defense (MTD) technique has been adopted to different domains including network security, cyber-physical systems security, Software Defined Network (SDN) security, etc. [1,2]. However, to the best of our knowledge, MTD for endpoint security has not been covered in depth so far. Endpoint security is gaining importance, especially with the advent of technologies like the Internet of Things (IoT) [3].
In this paper, we exploited the RYU SDN controller [4] to design an MTD framework that can be used to provide dynamic IP assignments to end hosts periodically. Moreover, the solution ensures that all the communication inside the network is based upon virtual IP addresses assigned to different hosts. This provides a way to counter different threats generated against the endpoints. The solutions are scalable and programable due to the SDN architecture [5]. This approach of hiding the actual IPs of the endpoint/hosts substantially enhances their security as the attackers are unable to get their correct information.
The purpose of MTD is to increase confusion and uncertainty for the attacker who is attempting to breach a system by exploiting vulnerabilities [6]. MTD changes the system/network configurations thus the information gathered by the attacker becomes invalid as the target attack surface is changing continuously. MTD techniques are categorized in terms of redundancy, shuffling, and diversity [7]. Shufflingbased MTD changes the system's configuration such as IP shuffling or service reconfiguration. MTD is mostly combined with SDN by using SDN controllers as a central controlling point for network topology shuffling-based MTD, or random host mutation using OpenFlow and port hopping. Diversitybased MTD gives the ability to implement various executions of same services of functionalities. This provides diversity in programming language to avoid code injection attacks and software stack diversity to enhance service provisions and network resilience. Redundancy-based MTD enhances the reliability of the system by generating many images of network components. The authors in [8,9] used MTD for network security, especially in SDN networks. MTD has also been adopted for cloud security [10,11]. The authors in [12] exploited MTD for the security of cyber-physical systems. There is a recent trend of the adaptation of MTD for wireless ad hoc networks as well [13,14].
The main contributions of this paper are: • The development of shuffle-based MTD mechanism in a distributed SDN environment.
• The MTD mechanism for the enhancement of endpoint security in the SDN environment.
II. THE PROPOSED SCHEME This section will cover the way we have implemented and deployed the SDN based shuffling MTD. We have set up a MTD mechanism using RYU as a Python controller for the SDN which consists of 3 switches interconnected with 8 user hosts. Communication between Host one and Host two is being shown in Figure 1. The local networking of the system is: 1. In the first step, the packet will be coming into switch one with the real source address and a virtual destination address.

2.
A packet will then go to the RYU controller.
3. The RYU controller will check for the attachments of the hosts in the IP pool if the switch one is directly connected to the destination address of the host.
4. The RYU controller will receive a negative response in a message.
5. The packet will go out of the RYU controller and will ask for a virtual IP address since it was detected with a real IP address.
6. The packet now will come to switch two with the virtual source address and virtual destination address.
7. The packet will then go to the RYU controller. 8. The RYU controller will now check for the attachments of the hosts in the IP pool if the switch two is associated directly to the destination address of the host.
9. The RYU controller will receive a negative response in a message. 10. A packet going out of the switch will now message to forward it to next available hopping. 11. The packet will come to switch three with the virtual source address and virtual destination address.
12. The packet will then go to the RYU controller.
13. The RYU controller will check for the attachments of the hosts in the IP pool if switch three is directly connected to the destination address of the host.
14. The RYU controller will receive a positive response in a message.
15. The packet going out of switch will now change to the real destination address. 16. The packet goes out to the destination host, i.e. host two.
17. Host two will now respond with the real source address and the virtual destination address.
18. The packet will go to the RYU controller. 21. The packet going out of switch will now receive message to change into virtual source address.
22. The packet will come to switch two with the virtual source address and virtual destination address.
23. The packet will then go to the RYU controller.
24. The RYU controller will now check for the attachments of the hosts in the IP pool if switch two is directly connected to the destination address of the host.
25. The RYU controller will receive a negative response in a message.
26. A packet going out of the switch will now message to forward it to next available hopping.
27. The packet will come to switch one with the virtual source address and the virtual destination address.
28. The packet will then go to the RYU controller.
29. The RYU controller will now check for the attachments of the hosts in IP pool if switch one is attached directly to the destination address of the host.
30. The RYU controller will receive a positive response in a message.

31.
A packet going out of switch will now message to change into the real destination address.
32. The packet mentioned in the first step has now reached host one, i.e. its destination.
In Figure 1, we have shown the working flow of the IP shuffling from real to virtual IP address. This workflow shows the architecture of the way our SDN environment containing MTD is implementing random host mutation using a timeout event. The timeout event is triggered every 30 seconds and then shuffles the IP address for every host. Figure 2 represents the real-virtual IP address life cycle. Virtual addresses are being shuffled in a random manner and are updated in every host. This system in general transforms real addresses to virtual addresses and vice versa. The real address is allocated the same way as before and nothing is changed on it, but all the communication is being done through virtual addresses inside the SDN network. At every timeout event triggering, the old flows are also deleted to be seemingly synchronized with packets and flow mappings.

A. SDN Controller
We have used RYU as our SDN controller which is a Python-based controller and it will be responsible for controlling real and virtual IPs between switches and hosts using the random host mutation technique. It will also be controlling the communication between each host via virtual IPs and MAC addresses. It is a controller through which we execute and control both network configuration and real-time control of the network. Figure 3 indicates the experimental topology.

B. Network Simulation
We have used Mininet [15] as our network simulation tool to deploy our network topology containing 3 switches and 8 hosts containing class A IP addresses. It is a network simulator that can generate virtual switches, hosts and attach these to the SDN controllers, in our case with the RYU controller. We emulated this via Python-based programming scripts where modifications are required at a certain level to grip the project with the required topology that we created.

C. Network Monitoring
We have used sFlow [16] as our network monitoring tool which is used to monitor our network devices which include switches and hosts. It will also be used for monitoring any kind of traffic and attacks on the network. We will also use sFlow IV. RESULTS AND DISCUSSION First, the sflow-rt is started as shown in Figure 4. Afterwards, the RYU controller starts along with our proposed algorithm and GUI topology as depicted in Figure 5. The network is created as presented in Figure 6. Now, the hosts try to ping each other through their real IP. Since our algorithm is activated, the packets drop on the real IP addresses as indicated in Figure 7. The controller is blocking this communication as presented in Figure 8. After finding the virtual IP address of the remote machine, host 2 is able to ping the host 8 successfully as indicated in Figure 9. The controller's log confirms this connectivity as depicted in Figure 10.    In order to evaluate the effectiveness of our proposed scheme, we launch an attack on the end-hosts on their real and virtual IP address using hping [17]. The controller is blocking the communication after identifying a real IP address.   Figure 11 represents the hping based UDP flood from host 1 to host 3. Since it is based upon the real IP address, no traffic will be generated if the attacker is able to somehow find the virtual IP address of the host. Then the attack will be generated against the virtual IP as shown in Figure 12. However, since our algorithm is periodically generating random IPs after 30 seconds, the attack can be generated for a maximum duration of 30 seconds. Figure 13 indicates the flooding traffic passing through different switches.    Figure 14 shows that the attack traffic on virtual IP is reduced after 30 seconds as the virtual IP is changed. This approach ensures that DDoS attacks cannot proceed beyond the limit of the IP shuffling period. The solution is adaptable to change in the frequency of IP shuffling. It means that DDoS period can further be reduced with higher frequency of movement. Fig. 14. The attack is generated on said hosts but due to the MTD algorithm, the connection will be terminated in 30 seconds. Table I shows the comparison of the proposed approach with the existing solutions. The proposed scheme implemented endpoint protection using SDN and MTD approaches. Moreover, the proposed solution does not require any specific agent to be installed on the endpoint. This is a substantial attribute of our proposed solution and makes the proposed scheme flexible enough. The authors in [18] used the commercial tool "Fireeye" for the enhancement of endpoint security. Their solution is based on anti-virus based approach. The authors in [19] proposed a mechanism for endpoint security along with estimation of its effectiveness. The author in [20] proposed a mechanism for endpoint security improvement. In this work, we have implemented MTD by randomly metamorphosing IP addresses of endpoints using SDN. The fundamental aim of MTD is to thwart the discovery of machines by the probes generated by numerous worms and scanning tools. The actual IP addresses are hidden from both internal and external scanners to avoid attacks. The RYU controller was used to mutate the IP addresses. A host's real IP address is assigned with a virtual IP address at a high mutation rate from an unused resource pool of IP addresses by using a pseudo random number generator.
A brief description of the implementation of DNS response interception by the controller follows: When a host requests for the IP address of the destination host, the DNS server responds with the real IP address of the destination. The RYU controller intercepts the packet and alters the actual IP address to the virtual IP address before it reaches the requesting host. The implementation of authorized user functionality is as follows: An authorized user will be able to ping the destination host using a real IP address. The real IP detection within the network can be automated.
In the future, the proposed scheme can be used for the protection of critical services, especially those that are running on LANs including DNS, DHCP, etc. The proposed scheme can be used to divert the DNS and DHCP through real to virtual IP mapping along with port randomization for these services. This approach not only enhances security but can also be used for digital privacy enhancement.