Securing Software-Defined Networks Through Adaptive Moving Target Defense Capabilities

J. Netw. Syst. Manag. (2023)

Abstract
Over the last decade, Software-Defined Networking (SDN) has become increasingly popular in computer network infrastructures. However, due to its relatively recent implementation, protective measures still need to be fully developed. One significant security concern with SDN is its vulnerability to scanning attacks, which can escalate to more severe attacks like Denial-of-Service (DoS) attacks. Recently, Moving Target Defense (MTD) techniques have been used to address scanning attacks. Still, they can negatively impact network performance due to the reliance on delay tactics that increase network latency. This article introduces the MTD Adaptive Delay System (MADS) to provide feasible MTD-based protection against scanning attacks without compromising the network service parameters, especially regarding Quality of Service (QoS). Unlike existing methods that continually apply delays to all traffic packets, MADS-based delays are only triggered and applied to packets when the victim network is under attack based on the intensity of the traffic commonly used in scanning attacks. MADS' performance was evaluated and compared to state-of-the-art MTD-based defenses, and it was found to cause less network degradation while maintaining the same efficiency as MTD-based techniques against scanning attacks. Furthermore, MADS had a shorter average latency time (99.4% lower) and better average throughput (4.87% higher) than the two baseline MTD-based solutions. Additionally, MADS did not produce Bad TCP packets compared to baseline works under the same attack scenarios.
Keywords
Software-defined networking, Scanning attacks, Denial-of-service attacks, Moving target defense, Quality of service