Adaptive and Proactive Cyber Security in Software-Defined Networks

Author(s)
Seunghyun Yoon
Type
Thesis
Degree
Doctor
Department
Graduate School, School of Electrical Engineering and Computer Science
Advisor
Lim, Hyuk
Abstract
With regard to cyber security, pervasive network traffic visibility and proactive defense techniques are the most essential security functionalities to defend against advanced cyber attacks for complex network systems. In particular, one of the proactive defense techniques, moving target defense (MTD) has emerged as an advanced defense mechanism aiming to thwart and disrupt potential attackers. The key underlying idea of MTD is to increase uncertainty and confusion for attackers by changing the attack surface (i.e., system or network configurations) that can invalidate the intelligence collected by the attackers and interrupt attack execution; ultimately leading to attack failure.
Recently, the significant advancement of software-defined networking (SDN) technology has made many complex system operations highly flexible and robust, particularly in terms of programmability and controllability, with the help of centralized SDN controllers. Accordingly, many cyber security mechanisms have utilized these capabilities to be optimally deployed in complex networks.
In this thesis, we propose adaptive and proactive cyber security techniques including traffic monitoring and MTD techniques by leveraging the advance of SDN platforms.

In the first part of this dissertation, we consider the practical problem of how to achieve scalable traffic measurement using SDN functionalities. We propose the use of a centrality measure from graph theory for deciding the traffic monitoring points among the switches in the network. In addition, we discuss how to decide the traffic monitoring rates at the selected switches. The results of the simulation and SDN testbed experiments indicate that the proposed traffic monitoring point and rate decision methods enhance the intrusion detection performance of an IDS in terms of capturing malicious traffic.

In the second part of this dissertation, we developed an attack graph-based MTD technique that shuffles a host's network configurations (e.g., MAC/IP/port addresses) based on its criticality, i.e., how exploitable it is by attackers when the host is on the attack path(s). To this end, we developed a hierarchical attack graph model that captures a network's vulnerabilities and topology, which can be utilized for the MTD shuffling decisions in selecting highly exploitable hosts in a given network and determining the frequency of shuffling the hosts' network configurations. MTD shuffling that gives high priority to more exploitable, critical hosts contributes to providing adaptive, proactive, and affordable defense services aiming to minimize attack success probability with minimum MTD cost. We validated that the proposed MTD outperforms existing approaches in attack success probability and MTD cost via both simulation and real SDN testbed experiments.

In the third part of this dissertation, we aim to develop an MTD-based proactive defense mechanism in an in-vehicle SDN environment, which achieves the multiple objectives of minimizing system security vulnerabilities and defense cost while maximizing service availability. To this end, we propose a multi-agent deep reinforcement learning (mDRL)-based network slicing technique that can help determine two key resource management decisions: (1) link bandwidth allocation to meet Quality-of-Service requirements and (2) the frequency of triggering IP shuffling, chosen so as not to hinder service availability while maintaining normal system operations. Specifically, we apply this strategy in an SDN-based in-vehicle network to deploy the proposed MTD, which dynamically changes the addresses assigned to electronic control unit (ECU) nodes to introduce uncertainty and confusion for attackers.

In the fourth part of this dissertation, we aim to develop two key mechanisms to build secure in-vehicle networks: (1) an RL-based, less intrusive proactive defense mechanism which achieves the multiple objectives of minimizing system security vulnerabilities while maximizing service availability, and (2) a resilient RL method that allows an agent to operate in the presence of adversarial disturbances that would otherwise neutralize the system's security.
In order to deal with the adversarial environment, we utilize an anomaly detection mechanism together with a memory-based RL technique to enhance the resiliency of the RL agents under adversarial attacks. Through extensive simulation experiments, we show that the proposed robust mDRL algorithm can help the deployed proactive security mechanism achieve both goals of improved security and performance in the presence of adversarial attacks.

Through the studies in this dissertation, it is expected that the proposed SDN-based proactive and adaptive network monitoring mechanism and moving target defense techniques can greatly contribute to enhancing the robustness of various SDN-enabled environments such as data center networks and in-vehicle networks. The concluding remarks provide the key findings from the research conducted in each chapter and summarize the analysis results from the observations made in the experiments.
URI
https://scholar.gist.ac.kr/handle/local/33116
Fulltext
http://gist.dcollection.net/common/orgView/200000907249
Access and License
  • Access type: Open
File list
  • No related files exist.
