A Moving Target Defense and Network Forensics Framework for ISP Networks using SDN and NFV

Abstract

With the increasing diversity of network attacks, there is a trend towards building more agile networks that can defend themselves or prevent attackers to easily launch attacks. To this end, moving target defense (MTD) mechanisms have started to be pursued to dynamically change the structure and configuration of the networks not only during an attack but also before an attack so that conducting network reconnaissance will become much more difficult. Furthermore, various network forensics mechanisms are introduced to help locating the source and types of attacks as a reactive defense mechanism. Emerging Software Defined Networking (SDN) and Network Function Virtualization (NFV) provide excellent opportunities to implement these mechanisms efficiently. This paper considers MTD in the context of an Internet Service Provider (ISP) network and proposes an architectural framework that will enable it even at the reconnaissance phase while facilitating forensics investigations. We propose various virtual shadow networks through NFV to be used when implementing MTD mechanisms via route mutation. The idea is to dynamically change the routes for specific reconnaissance packets so that attackers will not be able to easily identify the actual network topologies for potential distributed denial of service attacks (DDoS) such as Crossfire while enabling the defender to store potential attacker’s information through a forensics feature. We present an integrated framework that encompasses these features. The proposed framework is implemented in Mininet to test its effectiveness and overheads. The results demonstrated the effectiveness in terms of failing the attackers at the expense of slightly increased path lengths, endto- end delay and storage for forensic purposes.