Research ArticleSecurity Analysis of Dynamic SDN Architectures Based onGame Theory

Chao Qi Jiangxing Wu Guozhen Cheng Jianjian Ai and Shuo Zhao

National Digital Switching System Engineering amp Technological RampD Center Zhengzhou Henan 450002 China

Correspondence should be addressed to Chao Qi 13937147170163com

Received 26 September 2017 Accepted 26 December 2017 Published 23 January 2018

Academic Editor Zhiping Cai

Copyright copy 2018 Chao Qi et alThis is an open access article distributed under the Creative Commons Attribution License whichpermits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

Security evaluation of SDN architectures is of critical importance to develop robust systems and address attacks Focused on anovel-proposed dynamic SDN framework a game-theoretic model is presented to analyze its security performance This modelcan represent several kinds of playersrsquo information simulate approximate attack scenarios and quantitatively estimate systemsrsquoreliability Andwe explore several typical game instances defined by systemrsquos capability playersrsquo objects and strategies Experimentalresults illustrate that the systemrsquos detection capability is not a decisive element to security enhancement as introduction of dynamismand redundancy into SDN can significantly improve security gain and compensate for its detection weaknessMoreover we observea range of common strategic actions across environmental conditions And analysis reveals diverse defense mechanisms adoptedin dynamic systems have different effect on security improvement Besides the existence of equilibrium in particular situationsfurther proves the novel structurersquos feasibility flexibility and its persistent ability against long-term attacks

1 Introduction

SDN is a novel and promising framework which can beapplied in traditional and wireless networks to achieve highlyprogrammable switch infrastructure [1 2] It separates thedata and control planes which makes switches becomesimple data forwarding devices and network is manipulatedthrough logically centralized controllers [3] It is no doubtthat this processing mechanism will definitely improve theefficiency of network management and performance of net-work operation [4] However this reliance on a centralizedcontroller can easily lead to a single point of failure ifnot carefully designed and implemented Moreover a newset of threats that are unique to SDN can render thenetwork vulnerable especially when the control plane iscompromised Thus in order to enhance security of SDNdifferent SDN architectures employing multiple controllershave been proposed such as distributed controllers [5ndash10]To the best of our knowledge the most powerful dynamicsecurity architecture for SDN is the Mcad-SA proposed in[9] which exploits heterogeneity redundancy and dynamismfrom multiple controllers to intensify security However no

researches about their security performance evaluation havebeen conducted

Our objective is to develop a general model to evaluateeffectiveness of dynamic SDN architectures (take Mcad-SAas the instance) and provide some insights for designers todevise new simple and effective frameworks To improveapplicability the model must have the ability to representfeatures of dynamic frameworks Besides it can capturethe essential dynamic of progressive attack interacting withdefense strategies to hinder that progression [11]

In this paper we examine an abstract SDN-defensescenario designed to simulate strategic interactions betweenattacks and defense methods in dynamic architectures asthe control layer is a critical part in SDN and responsiblefor handling and distributing flows of information betweennetwork applications and the data plane Thus we takethe control planersquos security as measurement of the wholeSDN Though simple our model is generic flexible andapplicable for a range of dynamic architectures and defensetechniques Our approach is game-theoretic which allowsus to realize how effective are dynamic architectures whenthey deal with attacks and how security performance varies

HindawiSecurity and Communication NetworksVolume 2018 Article ID 4123736 10 pageshttpsdoiorg10115520184123736

2 Security and Communication Networks

as attackers and defenders change their behaviors Unlikeother game-theoretic researches our model can apply todynamic systems It can also imitate systems which adoptspecific defense means like moving-target defense Andvia systematic simulation this empirical approach providesus with the opportunity to quantitatively estimate securityperformance of dynamic systems and defense technologies

Among our findings we characterize the control planersquossecurity as the contention of controllers in it by oppo-nents And controllersrsquo compromising process is proceedingprocedurally which means the probability of controllersbeing compromised is a function of the number of probesimplemented on them Besides defenders have the capabil-ity to perceive the secure states of controllers since somedynamic architectures own detection mechanisms Throughexperimental simulations we observe that Mcad-SA arepowerful against persistent probes from attackers Andreasonable defense and scheduling mechanism can furtherimprove SDNrsquos security Besides it is fascinating that systemrsquosdetection capability is not as important as it is imagined inMcad-SA since dynamism and redundancy can mitigate thisweakness to a large degree

The paper is organized as follows The next sectiondescribes related work Section 3 presents a detailed speci-fication of our games In Section 4 we present our game-theoretic experimental results The last section concludes bysummarizing our work and discussing future work

2 Related Work

Recently researchers have paid attention to security in SDNOn one hand it aims at designing more resilient and robustcontrollers such as FortNOX [12] and SE-Floodlight [13] aredesigned to deal with flow-rule conflict [14] On the otherhand many SDN architectures with distributed controllershave been proposed to intensify SDN security from thepoint of framework However little work has been doneon evaluating their security performance especially whenthe architecture adopts moving-target defense to enhancesecurity

However there is an amount of literature on computersecurity In [15] formal methods have been used to providean attack surface metric as an indicator of the systemrsquossecurity So reducing attack surface is an effective approachto mitigate risk Furthermore [16 17] pointed out launchinga sequence of attacks is a common way for attackers toexploit vulnerabilities at multiple stages of the system Thusdividing the system into several layers and using attackgraphs is a feasible method to assess the cause-consequencerelationships between diverse network states And it is apopular trend that proactive defense techniques are employedby the system to generate security strategies that alter overtime to reduce the exposure of vulnerabilities and increasecomplexity and attack costs [18 19] Against such defensemechanisms game theory provides an appropriate theoret-ical framework for modeling the win-lose situation betweena defender and attacker [20] In [21] FlipIt game where twoplayers compete for control of single resource is designed

to describe uncertainty in state of control Extensions ofFlipIt have considered additional actual scenario featuresIn an extension called ldquoFlipThemrdquo [22] multiple servers areincorporated and authors consider some extreme situationswhere attackers have to compromise one or all servers toachieve goals Reference [11] refines the scenario further Itdevises a more flexible utility model to allow payoffs betweenobjectives of control and availability Meantime it considersimperfect probe detection which indicates the defenderobserves attack probe actions with probabilities Moreover itprovides a much richer set of attack and defense strategies toevaluate overall system state Although above work is relatedto security analysis it cannot be applied in SDN environmentdirectly because SDN is a novel framework and has its owntraits For instance its primary goal is to guarantee validity offlow rules delivered to switches Besides its defense strategy isbackup or switch instead of reimage Thus we further makeimprovements on existing models and apply them into theSDN scenarios

3 Game Specification

In our game the attacker anddefender compete for the controlof 119872 controllers Because once controllers are compromisedthen the whole network is also manipulated by attackers119872 is changeable since the number of running controllers isvarying with time in Mcad-SA At first controllers are incontrol of defenders The attacker attempts to wrest controlof a controller through via inserting some malicious flowrules which needs probe actions on controllers The successprobability is relevant to the number of probes Meantimethe defender may take some defense strategies based oncurrent SDN frameworks For instance it may switch toanother backup controller after it discovers the controllerruns abnormally Based on above analysis first we introducethe abstracts of Mcad-SA and controller and then presentmodels of players in detail later

31 Abstract of Mcad-SA In this section we attempt torepresent the control plane in Mcad-SA with a model Thereason why we take Mcad-SA as the example is that itis a typical representation of dynamic SDN architecturewhich employs heterogeneity redundancy and dynamism toimprove security and owns perception simultaneously Theoverview of Mcad-SA is presented in Figure 1 It consistsof a variant control plane a sensor a scheduler and anarbitrator The novel control plane is equipped with multiplecontrollers And the scheduler will select several as runningcontrollers via specific mechanisms In the meantime thesensor can perceive current state of each controller to someextent For example it has the ability to realize how manyprobes have been conducted on controllers by attackers Asto the arbitrator it determines the valid and correct flow rulesdown to switches

The basic elements of the control plane in Mcad-SAinclude the number of controllers the running controllersset each time whether it has perfect perception and what

Security and Communication Networks 3

Data plane

1 2

3 4Domain A

Control plane

Running controller

Backup controller

Sensor

Scheduler

Arbitrator

Figure 1 An overview of Mcad-SA

scheduling strategies it adopts Formally abstract model ofthe control plane is a quadruple ⟨119888 119903 120595 Ω⟩ where

(i) 119888 isin [1 119873] represents how many controllers thecontrol plane has and119873 is a very big positive number

(ii) 119903 isin [1 119888] represents number of running controllers 119903is changeable and generally an odd number

(iii) 120595 isin 0 1 indicates whether the control planecan sense the states of all controllers ideally 120595 =1 indicates it can detect every probe the attackersimplement while 120595 = 0 means it detects probewith some probability and the probability is relatedto number of probes already on controllers

(iv) Ω illustrates sets of strategies the scheduler employssuch as random selection or other scheduling algo-rithms

Generally there are 2|Ω| occasions according to abovesettings For instance when 120595 = 1 and Ω is randomselection which indicates the system can be aware of everyprobe precisely and it chooses controllers randomly as thenext running controller set Next we introduce the model ofplayers

32 Model of Player In order to quantitatively measuresecurity performance of the control plane we need defineinformation of players Here we focus on their actionsutilities and strategies

321 Actions Before describing playersrsquo actions we depictthe state of a controller at first which is convenient formodeling players At any point of time controllersrsquo state canbe represented by who takes control of it what type whetherit is up or down and how much progress the attacker hasmade towards controlling if the attacker has begun his probeaction Formally controller state is a triple ⟨120594 120581 119904 120588⟩ where

(i) 120594 isin att def represents the player who controls thecontroller

(ii) 120581 represents what kind of controller it belongs to suchas floodlight [23] Ryu [24] or OpenDaylight [25]

(iii) 119904 isin up cup down represents whether the controlleris running (119904 = up) or is not up (119904 = down)

(iv) 120588 is the successful number of probes attackers hascarried out on a controller

The state of the overall SDN system is determined by thejoint state of all running controllers plus the current time 119905

For attackers its action is called probe To describe theactions precisely let ⟨120594119905 120581119905 119904119905 120588119905⟩ be the state at time 119905 Andwe denote ⟨120594119905+ 120581119905+ 119904119905+ 120588119905+⟩ as the state after the actionsThusthe probe actionrsquos effect can be specified via the followingrules

(i) If 119904119905 = down the probe action has no effect⟨120594119905+ 120581119905+ 119904119905+ 120588119905+⟩ = ⟨120594119905 120581119905 119904119905 120588119905⟩

(ii) If 119904119905 = up and 120581119905+ = 120581119905 the number of probes isincremented 120588119905+ = 120588119905 + 1 while 119904119905 = up and 120581119905+ =120581119905 which indicates during the probe the runningcontroller has been replaced with another type ofcontroller In Mcad-SA this switching mechanismcan intensify the security of control plane to somedegree since they have different bugs which requiresmore cost to attack successfully So the number ofprobes is incrementedwith probability 1minus119890minus120573120588119905+ underthis occasion because formal effective probe may beinvalid on another type of controller And when 120594119905 =att then the attacker maintains control 120594119905+ = attWhile 120594119905 = def the defender continues to controlthe controller with probability 119890minus120574120588119905+ For attackersits probability of control raises up to 1 minus 119890minus120574120588119905+ Thisprobability can be seen as the probability with whichthe controller generates malicious flow rules where120573 gt 0 and 120574 gt 0 are scaling parameters

The defender has two actions One is reimage and theother is switch The goal of reimaging controllers is reset itsstate to initial settings So the defender wins control back andthe cumulative effect of probe is eliminated And the state isreset as follows ⟨120594119905+ 120581119905+ 119904119905+ 120588119905+⟩ = ⟨def 120581119905 down 0⟩ Theswitch action is to replace the running controllerwith anothercontroller which can reduce the probability of control byattackers to some extent And the state is transited to that ofnew controller ⟨120594119905+ 120581119905+ 119904119905+ 120588119905+⟩ = ⟨1205941015840119905 1205811015840119905 1199041015840119905 1205881015840119905 ⟩

322 Utility In SDN the major function of controllers isproducing valid flow rules and delivering them to switches

4 Security and Communication Networks

And the purpose of the defender is to guarantee the controlplane generates as many right flow rules as possible whilethe attackerrsquo objective is just the opposite Thus we measureeach playerrsquos payoff based on the state of flow rules the controlplane creates

We presume the number of effective flow rules a healthycontroller produces is 119899ℎ119890 If 119904119905 = down the controller cannotgenerate any valid rulesWhile if 119904119905 = up the number of validrules 119899119901119890 is related to probes the attacker conducts (ie 120588119905) Itcan be calculated via

119899119901119890 = 119899ℎ119890 119890minus120574120588119905 (1)

Then we can define each playerrsquos payoff Given therunning controller set 119862119877 the total payoff of the attacker is

APtotal = sum119888119894isin119862119877

119899ℎ119890 (1 minus 119890minus120574120588119905) minus Φac (2)

where 119888119894 is the 119894th controller andΦac is the total attacking costand proportional to the number of probes Correspondinglythe defenderrsquos payoff can be computed via

DPtotal = sum119888119894isin119862119877

119899119901119890 minus Φdc (3)

where Φdc is the total defending cost It includes the costof reimaging and switching to other controllers and isproportional to the number of reimages and switches

323 Strategies A strategy for players is to choose controllersonwhich they execute their actionsThey are always triggeredby observed events or detected information

The attackerrsquos strategy consists of two factors how manyprobes they can execute each time and the number of probesthey have conducted on each controller Here we consider astrategy defined by the following policy rules

(i) Random-Probe (RanProb) select uniformly amongrunning controllers under defenderrsquos control (120594119905 =def)

(ii) Maximum-Probe (MaxProb) select controllers thathave been probed most to proceed next probe

For the defender the condition of executing reimage issimilar to attackers Also it has the following strategies

(i) Random-Reimage (RanReimage) pick up runningcontrollers randomly to reimage regardless of theirstates

(ii) Maximum-Reimage (MaxReimage) choose control-lers that have been probed most to be reimaged

As to the other action of defender the switch actionis executed under two mechanisms One is after a fixedtime interval Δ119905 regardless of whatever states all runningcontrollers are The other is according to the fraction ofcontrollers regulated by defenders When it falls below athreshold 120591 the switching process is evoked However when120595 = 0 the defender cannot realize controllersrsquo state directly

Instead the sensor component can assist the control planeestimating their conditions Let 119899def119888 denote the estimatednumber of controllers in the hand of defenders if

E [119899def119888 ]1003816100381610038161003816119862119877

1003816100381610038161003816lt 120591 (4)

then the switch action is activated One detail to be men-tioned the switch strategy may have more than one methodaccording to system settings Here wemake specific explana-tions on switch strategies (Ω) We list three common kinds ofscheduling methods below And we let 119862119899 be the next set ofrunning controllers

(i) RandomWithRepeat select 119862119899 uniformly from all theavailable controllers

(ii) RandomWithoutRepeat select 119862119899 uniformly from therest controllers to guarantee 119862119899 cap 119862119877 = 0

(iii) MaxSG this is a perceptive scheduling strategy pro-posed in [26] to maximize security gain of the controlplane during each switch For a controller it will beswitched preferentially to another controller which isbelonged to another type deployed on another hostand probe leastThat is to say thismechanism ensurestwo controllers have maximum difference and thenext running controller is the most reliable one

4 Game-Theoretic Analysis

In this part we conduct simulations on Mcad-SA based onabove assumptions First we present a brief introduction ofits operating mechanisms again

In Mcad-SA the running controller set is varying withtime under this situation Moreover the system can adjust itsswitching strategy based on specific settings That illustratesthat dynamism is introduced into SDN

41 Simulation Environments It is obvious that this game isa periodic process So we let this game last for 119879 time units(119879 = 200) For the control plane employing more than onecontroller we take 119872 = 7 The scaling parameters 120573 and120574 equal 01 The fixed switch interval Δ119905 is set as 25 and thereimage interval is 20 And we let 120591 equal 05

Next we implement experiments using a discrete-eventsimulator Before the simulation we define 119891119901 as failureprobability of the control plane 119891119901 is related to conditionsof all running controllers Only when over lceil(|119862119877| + 1)2rceilcontrollers are compromised simultaneously will the systemfail For controller 119888119894 isin 119862119877 its reliability 119903119888119894 equals the ratio ofvalid flow rules (119899119901119890 ) to total rules it produces (119899ℎ119890 ) Then 119891119901can be computed via (5) where 119862119888gelceil(|119862119877|+1)2rceil represents theset of all situations with more than lceil(|119862119877| + 1)2rceil controllersbeing compromised simultaneously 119862119906119888 is the set of benigncontrollers in 119862119888 The smaller 119891119901 is the more right flow rulesthe control plane can produce which means more powerfulability to resist attacks Here we let 119899ℎ119890 be 1000

119891119901 = 1 minus sum119862119888isin119862119888gelceil(|119862119877|+1)2rceil

prod119888119894isin119862119906119888

(1 minus 119903119888119894 ) prod119888119895isin119862119888119862

119906119888

119903119888119895 (5)

Security and Communication Networks 5

RanProb RanReimageRanProb MaxReimage

WithRepeatWithoutRepeatWithMaxSG

0005

01015

02

Failu

re p

roba

bilit

y

002040608

1

Failu

re p

roba

bilit

y

20 40 60 80 100 120 140 160 180 2000Time series

20 40 60 80 100 120 140 160 180 2000Time series

Figure 2 Failure probability under respective defending strategieswhen facing random probes

42 Simulation Process At first we assume that all controllersare perfect without any probes Thus 119891119901 is 0 at the beginningvia (1) Then attackers will choose an attacking strategyto conduct attacks which results in the rise of 119891119901 With119891119901 being higher and higher the system is going to launchrespective defense mechanisms to reduce 119891119901 As a result119891119901 is varying with time and playersrsquo strategies Throughanalyzing the changing trend of 119891119901 which is related to statusof running controllers we can realize the real-time stateof Mcad-SA under various combinations of playersrsquo tacticsSimilarly playersrsquo payoffs can be obtained according to probeson controllers and cost of players via (2) and (3)Then we canconclude that which player owns the control of the system

Further in order to measure how powerful Mcad-SAis we classify the scenarios of Mcad-SA into two situationsaccording to 120595 When 120595 = 1 we call it perfect probedetection environment while 120595 = 0 it is regarded asimperfect probe detection environmentThen we analyze thesimulation results under two circumstances when adoptingvarious scheduling strategies (Ω)

43 Simulation Results

431 Perfect Probe Detection Environment In perfect probedetection environment the defender is able to observe allprobes from attackers on controllers

(a) Respective Defending First we make comparisons on theeffectiveness of respective defending strategies when facingdifferent attacking means Figure 2 indicates variations ofsystemrsquos security performance when attackers adopt randomprobe while Figure 3 illustrates the situations when attackersemploy maximum probes

In Figure 2 the upper picture is the result when takingreimage actions only while the map below is the consequencewhen taking switch actions only It is obvious that when

MaxProb RanReimageMaxProb MaxReimage

WithRepeatWithoutRepeatWithMaxSG

20 40 60 80 100 120 140 160 180 2000Time series

0001002003004

Failu

re p

roba

bilit

y

0001002003004005

Failu

re p

roba

bilit

y

20 40 60 80 100 120 140 160 180 2000Time series

Figure 3 Failure probability under respective defending strategieswhen facing maximum probes

RanProb RanReimage + MaxSGRanProb MaxReimage + MaxSG

MaxProb RanReimage + MaxSGMaxProb MaxReimage + MaxSG

00005

0010015

002

Failu

re p

roba

bilit

y

0001002003004

Failu

re p

roba

bilit

y

20 40 60 80 100 120 140 160 180 2000Time series

20 40 60 80 100 120 140 160 180 2000Time series

Figure 4 Failure probability with associate defending strategiesunder perfect detections

the defender adopts reimage methods to defend randomprobes random and maximum reimages have similar effect(MaxReimage is slightly better) However the consequencesof various switching strategies are very different When thesystem employs random switching (with repeat or with-out repeat) security performance is close While adoptingMaxSG reliability of the system is strengthened to somedegree especially after 100 time units The reason is thatprobes of controllers will increase to a large number withtime going on So under this situation perceptive switch canensure the system select more reliable controllers (probedleast) than random switchThis phenomenon further demon-strates superior schedulingways have better effect on improv-ing systemrsquos security performance

6 Security and Communication Networks

Random Random---AttackerRandom Random---Defender

Random Max---AttackerRandom Max---Defender

minus500

0

500

1000

1500

2000

2500

3000

3500

4000Pa

yoffs

of p

laye

rs

50 100 150 2000Time series

minus500

0

500

1000

1500

2000

2500

3000

3500

4000

Payo

ffs o

f pla

yers

50 100 150 2000Time series

Figure 5 Payoffs of players against random probes with associate defending strategies under perfect detections

In Figure 3 it is another situation where the attackerconducts maximum probes An interesting phenomenonis observed that all defending measures have approximatepreventive effectThat is due to the cause that this attackmoderesults in severe destruction on specific controllersThus oncedefending methods can avoid selecting these controllers thesecurity state of the system can be guaranteed So it comesto a conclusion that unless attackers have to probe particularcontrollers to acquire important information it is of littlevalue to carry out persistent maximum probes

(b) Associate Defending As is analyzed above MaxSG is themost effective switch option compared to random switchThen we combined it with reimage action to testify associatedefending performance That is to say the system adoptsreimage and switch behaviors simultaneously

Figure 4 illustrates the results of associate defendingwhenencountering random andmaximum probe individuallyTheupper section is the consequence against random probe Itis apparent that associate defending mechanism significantlyreduces the failure probability of the system and enhancesits security gain as the value is decreased with an order ofmagnitude (from 005 to 0005 averagely) while the bottompart is the case against maximum probe Similarly security ofthe system is intensified to some extent and the value of failureprobability is lowered to half of that in previous circumstance

(c) Playersrsquo Payoffs Next we analyze playersrsquo payoffs inoccasions where associate defending is used to deal withprobes from attackers Figure 5 is the case with random probewhile Figure 6 is the situation with maximum probe

In Figure 5 the left part shows how payoffs vary withrandom reimage and MaxSG while the right section is the

result with maximum reimage Both pictures manifest thatpayoffs of players are steady which means attackers cannotacquire much valuable information from the system anddefenders canmaintain it operating in a relatively secure statemeantime As to some downward pulse their appearancesare due to the trigger of reimage or switch actions Howeverstrictly speaking defense effect of the right one is superiorto that of the left one since the line of the attacker ismore stable and the value is lower which further provesmaximum reimage is better than random reimage under thisenvironment

Figure 6 is similar to the shape of Figure 5 except thatdownward pulses are more obviousThat is an indication thatthe system is severely compromised since several controllershave been probed persistently under maximum probes Butin other occasions the payoff of the attacker is less than thatin Figure 5 which again demonstrates maximumprobe is nota good choice unless attackers have special purposes

Actually the described process can be regarded as anapproximate zero-sum game Once the attacker gains someprivilege the defender loses some control and vice versaBased on above simulations and analysis the followingconclusion can be drawn introducing dynamism to SDNis a feasible and effective way to mitigate attacksrsquo impactand improve the systemrsquos robustness And whatever actionsattackers take the best response for defenders is maximumreimage andMaxSG In other words eliminating and restor-ing the most damaged components in the system is a criticalpoint to ensure its security

432 Imperfect Probe Detection Environment Then we ana-lyze the results when the system does not own the capabilityto detect each probe (120595 = 0 ie imperfect detection)

Security and Communication Networks 7

Max Random---AttackerMax Random---Defender

Max Max---AttackerMax Max---Defender

minus500

0

500

1000

1500

2000

2500

3000

3500

4000Pa

yoffs

of p

laye

rs

50 100 150 2000Time series

50 100 150 2000Time series

minus500

0

500

1000

1500

2000

2500

3000

3500

4000

Payo

ffs o

f pla

yers

Figure 6 Payoffs of players against maximum probes with associate defending strategies under perfect detections

RanProb RanReimage + MaxSGRanProb MaxReimage + MaxSG

MaxProb RanReimage + MaxSGMaxProb MaxReimage + MaxSG

0005

01015

02

Failu

re p

roba

bilit

y

20 40 60 80 100 120 140 160 180 2000Time series

0001002003004005

Failu

re p

roba

bilit

y

20 40 60 80 100 120 140 160 180 2000Time series

Figure 7 Failure probability with associate defending strategiesunder imperfect detections

Here we neglect the analysis on respective defending sinceits changing trend is similar to that in perfect probe detectionenvironment So we pay attention to associate defending andplayersrsquo payoffs

(a) Associate Defending Figure 7 is the simulation underimperfect probes Compared to perfect probe the mostdistinction is the failure probability increases overall Actu-ally the systemrsquos security performance under two associate

defenses is approximate The cause resulting in this phe-nomenon is that the system can no longer perceive the realstate of controllers which may incur the scheduler to makean incorrect policy For instance the scheduler seems tochoose a controller which has been probed least to be thenext running controller but actually this one has already beenseverely compromised This phenomenon may also appearin the reimage situations Above decisions will influencethe systemrsquos reliability to some extent However a point tobe noticed although without perfect probe detection thefailure probability is also maintained at a low level becauseof reimage and switch strategies

(b) Playersrsquo Payoffs Figures 8 and 9 are the variations ofplayersrsquo payoffs under random andmaximumprobes respec-tively The distribution of payoff is fluctuating extensivelyparticularly in random probe That is due to the reason thatdefenders are likely to discover the controllers being con-tinuously compromised when attackers employ maximumprobes even under imperfect detections Thus we can noticedownward pulses are more distinct in Figure 9 than Figure 8which is strong evidence on the effectiveness of reimageand switch strategies in maximum probes Meanwhile theattackerrsquos payoff is clearly increased in both figures Never-theless it is still kept in a stable interval which demonstratesplayers reach an equilibrium Moreover for attackers theresults further authenticate that adopting random probe issuperior to maximum probe in general

According to above analysis it is evident that detectioncapability has effect on the security performance of thesystem to some extent since inaccurate state informationof controllers will definitely influence the decision-makingprocess of the scheduler And ways of reimage and switch

8 Security and Communication Networks

Random Random---AttackerRandom Random---Defender

Random Max---AttackerRandom Max---Defender

minus500

0

500

1000

1500

2000

2500

3000Pa

yoffs

of p

laye

rs

50 100 150 2000Time series

minus500

0

500

1000

1500

2000

2500

3000

Payo

ffs o

f pla

yers

50 100 150 2000Time series

Figure 8 Payoffs of players against random probes with associate defending strategies under imperfect detections

Max Random---AttackerMax Random---Defender

Max Max---AttackerMax Max---Defender

minus500

0

500

1000

1500

2000

2500

3000

Payo

ffs o

f pla

yers

50 100 150 2000Time series

minus500

0

500

1000

1500

2000

2500

3000

Payo

ffs o

f pla

yers

50 100 150 2000Time series

Figure 9 Payoffs of players against maximum probes with associate defending strategies under imperfect detections

can lead to diverse defense results In most cases randomprobe is a better option for attackers while the best responseof defenders is the combination of maximum reimage andMaxSG However as long as dynamism heterogeneity andredundancy are introduced into SDN its security can beimproved significantly and the failure probability of thecontrol plane can be maintained at relatively a low standard

44 Equilibrium Results In this section we report the equi-libria found in the simulation As we all know when thesystem reaches an equilibrium the failure probability ofMcad-SA andplayersrsquo payoffs stays stableTheyhave no intentto alter their strategies

Actually in Mcad-SA whenever in perfect or imperfectprobe detection environment the situations of equilibria are

Security and Communication Networks 9

identicalThe only occasion in which the equilibrium exists isthat defenders adoptmaximum reimage andMaxSG schedul-ing method while attackers select maximum probe Fromthe simulation results above as long as attackers carry outmaximum probe they always can acquire higher payoffs andhigher failure probability of the system over random probeon matter what actions defenders take Similarly defenderswill tend to choose maximum reimage and MaxSG to obtainhigher payoffs and lower failure probability whenever theyface random or maximum probe In other words maximumreimage and MaxSG are the best choice for defenders andmaximum probe is the best option for attackers as they canachieve their goals to maximum extent

5 Conclusion

Evaluation of security performance of SDN architecturesplays a critical role in designing reliable structures andestimating system risks Focused on Mcad-SA a novel SDNstructure we attempt to establish amodel to analyze its abilityto resist attackswith the assistance of game theoryThismodelcan represent playersrsquo related information (actions strategiesetc) and quantitatively assess systemrsquos capability to dealwith risks Experimental results indicate the introductionof dynamism redundancy and heterogeneity into SDN canintensify systemrsquos security andmaintain its consistent capabil-ity against diverse probes which is an extraordinary weaknessin current SDN frameworks Further we analyze equilibriumin particular situations where common types of probes anddefense methods are included And analysis results presenthints that for dynamic systems the design of their defensestrategies has certain effect on security enhancement whichimplies that how to devise effective defense mechanism iscrucial to maximize security gain In the future we plan totake internal security mechanism of diverse controllers intoconsideration and pay attention to hybrid security analysis

Conflicts of Interest

The authors declare that they have no conflicts of interest

Acknowledgments

This work is supported by the Foundation for InnovativeResearch Groups of the National Natural Science Foundationof China (no 61521003) the National Key RampD Programof China (no 2016YFB0800100 and no 2016YFB0800101)and the National Natural Science Foundation of China (no61602509)

References

[1] N McKeown T Anderson H Balakrishnan et al ldquoOpenFlowenabling innovation in campus networksrdquo Computer Commu-nication Review vol 38 no 2 pp 69ndash74 2008

[2] D He S Chan and M Guizani ldquoSecuring software definedwireless networksrdquo IEEE Communications Magazine vol 54no 1 pp 20ndash25 2016

[3] C Monsanto J Reich and N Foster ldquoComposing software-defined networksrdquo in Proceedings of the 10th USENIX Confer-ence onNetworked SystemsDesign and Implementation pp 1ndash14USENIX Association 2013

[4] Z Guo M Su Y Xu et al ldquoImproving the performance of loadbalancing in software-defined networks through load variance-based synchronizationrdquoComputerNetworks vol 68 pp 95ndash1092014

[5] P Berde M Gerola J Hart et al ldquoONOS towards an opendistributed SDNOSrdquo in Proceedings of the 3rd ACM SIGCOMM2014 Workshop on Hot Topics in Software Defined Networking(HotSDN rsquo14) pp 1ndash6 August 2014

[6] V Yazici M O Sunay and A O Ercan ldquoControlling a softwaredefined network via distributed controllersrdquo in Proceedings ofthe 2012 NEM Summit pp 16ndash20 2014

[7] H Li P Li S Guo and A Nayak ldquoByzantine-resilient securesoftware-defined networks with multiple controllers in cloudrdquoIEEE Transactions on Cloud Computing vol 2 no 4 pp 436ndash447 2014

[8] X Jin J Gossels J Rexford and D Walker ldquoCoVisor acompositional hypervisor for software-defined networksrdquo inProceedings of the 12th USENIX Symposium on NetworkedSystems Design and Implementation (NSDI rsquo15) pp 87ndash101USENIX Association May 2015

[9] CQi JWuHHu et al ldquoAn intensive security architecturewithmulti-controller for SDNrdquo in Proceedings of the 35th IEEE Con-ference on Computer Communications Workshops (INFOCOMWKSHPS rsquo16) pp 401-402 April 2016

[10] K ElDefrawy and T Kaczmarek ldquoByzantine fault tolerantsoftware-defined networking (SDN) controllersrdquo in Proceedingsof the 2016 IEEE 40th Annual Computer Software and Applica-tions Conference (COMPSAC rsquo16) pp 208ndash213 June 2016

[11] A Prakash and M P Wellman ldquoEmpirical game-theoreticanalysis for moving target defenserdquo in Proceedings of the 2ndACM Workshop on Moving Target Defense (MTD rsquo15) pp 57ndash65 2015

[12] P Porras S Shin V Yegneswaran M Fong M Tyson and GGu ldquoA security enforcement kernel for OpenFlow networksrdquo inProceedings of the 1st ACM InternationalWorkshop onHot Topicsin Software Defined Networks (HotSDN rsquo12) pp 121ndash126 August2012

[13] P Porras S Cheung M Fong K Skinner and V YegneswaranldquoSecuring the Software Defined Network Control Layerrdquo inProceedings of the Network and Distributed System SecuritySymposium (NDSS rsquo15) San Diego CA USA 2015

[14] Z Guo Y Xu M Cello et al ldquoJumpFlow Reducing flow tableusage in software-defined networksrdquo Computer Networks vol92 pp 300ndash315 2015

[15] P K Manadhata and J M Wing ldquoAn attack surface metricrdquoIEEE Transactions on Software Engineering vol 37 no 3 pp371ndash386 2011

[16] N Poolsappasit R Dewri and I Ray ldquoDynamic security riskmanagement using Bayesian attack graphsrdquo IEEE Transactionson Dependable and Secure Computing vol 9 no 1 pp 61ndash742012

[17] C-C Ten C-C Liu and M Govindarasu ldquoVulnerabilityassessment of cybersecurity for SCADA systems using attacktreesrdquo in Proceedings of the IEEE Power Engineering SocietyGeneral Meeting (PES rsquo07) pp 1ndash8 Tampa FL USA June 2007

[18] S Jajodia A K Ghosh and V SwarupMoving Target DefenseCreating Asymmetric Uncertainty for Cyber Threats SpringerEbooks 2011

10 Security and Communication Networks

[19] S Jajodia S K Ghosh V S Subrahmanian V Swarup CWangand X S WangMoving Target Defense II Application of GameTheory and Adversarial Modeling Advances in InformationSecurity Springer 2012

[20] M H Manshaei Q Zhu T Alpcan T Basar and J-P HubauxldquoGame theory meets network security and privacyrdquo ACMComputing Surveys vol 45 no 3 article 25 2013

[21] M Van Dijk A Juels A Oprea and R L Rivest ldquoFlipIt Thegame of ldquostealthy takeoverrdquordquo Journal of Cryptology vol 26 no4 pp 655ndash713 2013

[22] A Laszka G Horvath M Felegyhazi and L ButtyanldquoFlipThem modeling targeted attacks with flipit for multipleresourcesrdquo in Decision and Game Theory for Security vol 8840of Lecture Notes in Computer Science pp 175ndash194 SpringerInternational Publishing Cham 2014

[23] FloodLight ldquoOpen SDN controllerrdquo httpfloodlightopen-flowhuborg

[24] ldquoRyu SDN Frameworkrdquo httposrggithubioryu[25] ldquoOpenDaylight Consortiumrdquo httpwwwopendaylightorg[26] C Qi J Wu H Hu and G Cheng ldquoDynamic-scheduling

mechanism of controllers based on security policy in software-defined networkrdquo IEEE Electronics Letters vol 52 no 23 pp1918ndash1920 2016

Security and Communication Networks 3

Data plane

1 2

3 4Domain A

Control plane

Running controller

Backup controller

Sensor

Scheduler

Arbitrator

Figure 1 An overview of Mcad-SA

scheduling strategies it adopts Formally abstract model ofthe control plane is a quadruple ⟨119888 119903 120595 Ω⟩ where

(i) 119888 isin [1 119873] represents how many controllers thecontrol plane has and119873 is a very big positive number

(ii) 119903 isin [1 119888] represents number of running controllers 119903is changeable and generally an odd number

(iii) 120595 isin 0 1 indicates whether the control planecan sense the states of all controllers ideally 120595 =1 indicates it can detect every probe the attackersimplement while 120595 = 0 means it detects probewith some probability and the probability is relatedto number of probes already on controllers

(iv) Ω illustrates sets of strategies the scheduler employssuch as random selection or other scheduling algo-rithms

Generally there are 2|Ω| occasions according to abovesettings For instance when 120595 = 1 and Ω is randomselection which indicates the system can be aware of everyprobe precisely and it chooses controllers randomly as thenext running controller set Next we introduce the model ofplayers

32 Model of Player In order to quantitatively measuresecurity performance of the control plane we need defineinformation of players Here we focus on their actionsutilities and strategies

321 Actions Before describing playersrsquo actions we depictthe state of a controller at first which is convenient formodeling players At any point of time controllersrsquo state canbe represented by who takes control of it what type whetherit is up or down and how much progress the attacker hasmade towards controlling if the attacker has begun his probeaction Formally controller state is a triple ⟨120594 120581 119904 120588⟩ where

(i) 120594 isin att def represents the player who controls thecontroller

(ii) 120581 represents what kind of controller it belongs to suchas floodlight [23] Ryu [24] or OpenDaylight [25]

(iii) 119904 isin up cup down represents whether the controlleris running (119904 = up) or is not up (119904 = down)

(iv) 120588 is the successful number of probes attackers hascarried out on a controller

The state of the overall SDN system is determined by thejoint state of all running controllers plus the current time 119905

For attackers its action is called probe To describe theactions precisely let ⟨120594119905 120581119905 119904119905 120588119905⟩ be the state at time 119905 Andwe denote ⟨120594119905+ 120581119905+ 119904119905+ 120588119905+⟩ as the state after the actionsThusthe probe actionrsquos effect can be specified via the followingrules

(i) If 119904119905 = down the probe action has no effect⟨120594119905+ 120581119905+ 119904119905+ 120588119905+⟩ = ⟨120594119905 120581119905 119904119905 120588119905⟩

(ii) If 119904119905 = up and 120581119905+ = 120581119905 the number of probes isincremented 120588119905+ = 120588119905 + 1 while 119904119905 = up and 120581119905+ =120581119905 which indicates during the probe the runningcontroller has been replaced with another type ofcontroller In Mcad-SA this switching mechanismcan intensify the security of control plane to somedegree since they have different bugs which requiresmore cost to attack successfully So the number ofprobes is incrementedwith probability 1minus119890minus120573120588119905+ underthis occasion because formal effective probe may beinvalid on another type of controller And when 120594119905 =att then the attacker maintains control 120594119905+ = attWhile 120594119905 = def the defender continues to controlthe controller with probability 119890minus120574120588119905+ For attackersits probability of control raises up to 1 minus 119890minus120574120588119905+ Thisprobability can be seen as the probability with whichthe controller generates malicious flow rules where120573 gt 0 and 120574 gt 0 are scaling parameters

The defender has two actions One is reimage and theother is switch The goal of reimaging controllers is reset itsstate to initial settings So the defender wins control back andthe cumulative effect of probe is eliminated And the state isreset as follows ⟨120594119905+ 120581119905+ 119904119905+ 120588119905+⟩ = ⟨def 120581119905 down 0⟩ Theswitch action is to replace the running controllerwith anothercontroller which can reduce the probability of control byattackers to some extent And the state is transited to that ofnew controller ⟨120594119905+ 120581119905+ 119904119905+ 120588119905+⟩ = ⟨1205941015840119905 1205811015840119905 1199041015840119905 1205881015840119905 ⟩

322 Utility In SDN the major function of controllers isproducing valid flow rules and delivering them to switches

4 Security and Communication Networks

And the purpose of the defender is to guarantee the controlplane generates as many right flow rules as possible whilethe attackerrsquo objective is just the opposite Thus we measureeach playerrsquos payoff based on the state of flow rules the controlplane creates

We presume the number of effective flow rules a healthycontroller produces is 119899ℎ119890 If 119904119905 = down the controller cannotgenerate any valid rulesWhile if 119904119905 = up the number of validrules 119899119901119890 is related to probes the attacker conducts (ie 120588119905) Itcan be calculated via

119899119901119890 = 119899ℎ119890 119890minus120574120588119905 (1)

Then we can define each playerrsquos payoff Given therunning controller set 119862119877 the total payoff of the attacker is

APtotal = sum119888119894isin119862119877

119899ℎ119890 (1 minus 119890minus120574120588119905) minus Φac (2)

where 119888119894 is the 119894th controller andΦac is the total attacking costand proportional to the number of probes Correspondinglythe defenderrsquos payoff can be computed via

DPtotal = sum119888119894isin119862119877

119899119901119890 minus Φdc (3)

where Φdc is the total defending cost It includes the costof reimaging and switching to other controllers and isproportional to the number of reimages and switches

323 Strategies A strategy for players is to choose controllersonwhich they execute their actionsThey are always triggeredby observed events or detected information

The attackerrsquos strategy consists of two factors how manyprobes they can execute each time and the number of probesthey have conducted on each controller Here we consider astrategy defined by the following policy rules

(i) Random-Probe (RanProb) select uniformly amongrunning controllers under defenderrsquos control (120594119905 =def)

(ii) Maximum-Probe (MaxProb) select controllers thathave been probed most to proceed next probe

For the defender the condition of executing reimage issimilar to attackers Also it has the following strategies

(i) Random-Reimage (RanReimage) pick up runningcontrollers randomly to reimage regardless of theirstates

(ii) Maximum-Reimage (MaxReimage) choose control-lers that have been probed most to be reimaged

As to the other action of defender the switch actionis executed under two mechanisms One is after a fixedtime interval Δ119905 regardless of whatever states all runningcontrollers are The other is according to the fraction ofcontrollers regulated by defenders When it falls below athreshold 120591 the switching process is evoked However when120595 = 0 the defender cannot realize controllersrsquo state directly

Instead the sensor component can assist the control planeestimating their conditions Let 119899def119888 denote the estimatednumber of controllers in the hand of defenders if

E [119899def119888 ]1003816100381610038161003816119862119877

1003816100381610038161003816lt 120591 (4)

then the switch action is activated One detail to be men-tioned the switch strategy may have more than one methodaccording to system settings Here wemake specific explana-tions on switch strategies (Ω) We list three common kinds ofscheduling methods below And we let 119862119899 be the next set ofrunning controllers

(i) RandomWithRepeat select 119862119899 uniformly from all theavailable controllers

(ii) RandomWithoutRepeat select 119862119899 uniformly from therest controllers to guarantee 119862119899 cap 119862119877 = 0

(iii) MaxSG this is a perceptive scheduling strategy pro-posed in [26] to maximize security gain of the controlplane during each switch For a controller it will beswitched preferentially to another controller which isbelonged to another type deployed on another hostand probe leastThat is to say thismechanism ensurestwo controllers have maximum difference and thenext running controller is the most reliable one

4 Game-Theoretic Analysis

In this part we conduct simulations on Mcad-SA based onabove assumptions First we present a brief introduction ofits operating mechanisms again

In Mcad-SA the running controller set is varying withtime under this situation Moreover the system can adjust itsswitching strategy based on specific settings That illustratesthat dynamism is introduced into SDN

41 Simulation Environments It is obvious that this game isa periodic process So we let this game last for 119879 time units(119879 = 200) For the control plane employing more than onecontroller we take 119872 = 7 The scaling parameters 120573 and120574 equal 01 The fixed switch interval Δ119905 is set as 25 and thereimage interval is 20 And we let 120591 equal 05

Next we implement experiments using a discrete-eventsimulator Before the simulation we define 119891119901 as failureprobability of the control plane 119891119901 is related to conditionsof all running controllers Only when over lceil(|119862119877| + 1)2rceilcontrollers are compromised simultaneously will the systemfail For controller 119888119894 isin 119862119877 its reliability 119903119888119894 equals the ratio ofvalid flow rules (119899119901119890 ) to total rules it produces (119899ℎ119890 ) Then 119891119901can be computed via (5) where 119862119888gelceil(|119862119877|+1)2rceil represents theset of all situations with more than lceil(|119862119877| + 1)2rceil controllersbeing compromised simultaneously 119862119906119888 is the set of benigncontrollers in 119862119888 The smaller 119891119901 is the more right flow rulesthe control plane can produce which means more powerfulability to resist attacks Here we let 119899ℎ119890 be 1000

119891119901 = 1 minus sum119862119888isin119862119888gelceil(|119862119877|+1)2rceil

prod119888119894isin119862119906119888

(1 minus 119903119888119894 ) prod119888119895isin119862119888119862

119906119888

119903119888119895 (5)

Security and Communication Networks 5

RanProb RanReimageRanProb MaxReimage

WithRepeatWithoutRepeatWithMaxSG

0005

01015

02

Failu

re p

roba

bilit

y

002040608

1

Failu

re p

roba

bilit

y

20 40 60 80 100 120 140 160 180 2000Time series

20 40 60 80 100 120 140 160 180 2000Time series

Figure 2 Failure probability under respective defending strategieswhen facing random probes

42 Simulation Process At first we assume that all controllersare perfect without any probes Thus 119891119901 is 0 at the beginningvia (1) Then attackers will choose an attacking strategyto conduct attacks which results in the rise of 119891119901 With119891119901 being higher and higher the system is going to launchrespective defense mechanisms to reduce 119891119901 As a result119891119901 is varying with time and playersrsquo strategies Throughanalyzing the changing trend of 119891119901 which is related to statusof running controllers we can realize the real-time stateof Mcad-SA under various combinations of playersrsquo tacticsSimilarly playersrsquo payoffs can be obtained according to probeson controllers and cost of players via (2) and (3)Then we canconclude that which player owns the control of the system

Further in order to measure how powerful Mcad-SAis we classify the scenarios of Mcad-SA into two situationsaccording to 120595 When 120595 = 1 we call it perfect probedetection environment while 120595 = 0 it is regarded asimperfect probe detection environmentThen we analyze thesimulation results under two circumstances when adoptingvarious scheduling strategies (Ω)

43 Simulation Results

431 Perfect Probe Detection Environment In perfect probedetection environment the defender is able to observe allprobes from attackers on controllers

(a) Respective Defending First we make comparisons on theeffectiveness of respective defending strategies when facingdifferent attacking means Figure 2 indicates variations ofsystemrsquos security performance when attackers adopt randomprobe while Figure 3 illustrates the situations when attackersemploy maximum probes

In Figure 2 the upper picture is the result when takingreimage actions only while the map below is the consequencewhen taking switch actions only It is obvious that when

MaxProb RanReimageMaxProb MaxReimage

WithRepeatWithoutRepeatWithMaxSG

20 40 60 80 100 120 140 160 180 2000Time series

0001002003004

Failu

re p

roba

bilit

y

0001002003004005

Failu

re p

roba

bilit

y

20 40 60 80 100 120 140 160 180 2000Time series

Figure 3 Failure probability under respective defending strategieswhen facing maximum probes

RanProb RanReimage + MaxSGRanProb MaxReimage + MaxSG

MaxProb RanReimage + MaxSGMaxProb MaxReimage + MaxSG

00005

0010015

002

Failu

re p

roba

bilit

y

0001002003004

Failu

re p

roba

bilit

y

20 40 60 80 100 120 140 160 180 2000Time series

20 40 60 80 100 120 140 160 180 2000Time series

Figure 4 Failure probability with associate defending strategiesunder perfect detections

the defender adopts reimage methods to defend randomprobes random and maximum reimages have similar effect(MaxReimage is slightly better) However the consequencesof various switching strategies are very different When thesystem employs random switching (with repeat or with-out repeat) security performance is close While adoptingMaxSG reliability of the system is strengthened to somedegree especially after 100 time units The reason is thatprobes of controllers will increase to a large number withtime going on So under this situation perceptive switch canensure the system select more reliable controllers (probedleast) than random switchThis phenomenon further demon-strates superior schedulingways have better effect on improv-ing systemrsquos security performance

6 Security and Communication Networks

Random Random---AttackerRandom Random---Defender

Random Max---AttackerRandom Max---Defender

minus500

0

500

1000

1500

2000

2500

3000

3500

4000Pa

yoffs

of p

laye

rs

50 100 150 2000Time series

minus500

0

500

1000

1500

2000

2500

3000

3500

4000

Payo

ffs o

f pla

yers

50 100 150 2000Time series

Figure 5 Payoffs of players against random probes with associate defending strategies under perfect detections

In Figure 3 it is another situation where the attackerconducts maximum probes An interesting phenomenonis observed that all defending measures have approximatepreventive effectThat is due to the cause that this attackmoderesults in severe destruction on specific controllersThus oncedefending methods can avoid selecting these controllers thesecurity state of the system can be guaranteed So it comesto a conclusion that unless attackers have to probe particularcontrollers to acquire important information it is of littlevalue to carry out persistent maximum probes

(b) Associate Defending As is analyzed above MaxSG is themost effective switch option compared to random switchThen we combined it with reimage action to testify associatedefending performance That is to say the system adoptsreimage and switch behaviors simultaneously

Figure 4 illustrates the results of associate defendingwhenencountering random andmaximum probe individuallyTheupper section is the consequence against random probe Itis apparent that associate defending mechanism significantlyreduces the failure probability of the system and enhancesits security gain as the value is decreased with an order ofmagnitude (from 005 to 0005 averagely) while the bottompart is the case against maximum probe Similarly security ofthe system is intensified to some extent and the value of failureprobability is lowered to half of that in previous circumstance

(c) Playersrsquo Payoffs Next we analyze playersrsquo payoffs inoccasions where associate defending is used to deal withprobes from attackers Figure 5 is the case with random probewhile Figure 6 is the situation with maximum probe

In Figure 5 the left part shows how payoffs vary withrandom reimage and MaxSG while the right section is the

result with maximum reimage Both pictures manifest thatpayoffs of players are steady which means attackers cannotacquire much valuable information from the system anddefenders canmaintain it operating in a relatively secure statemeantime As to some downward pulse their appearancesare due to the trigger of reimage or switch actions Howeverstrictly speaking defense effect of the right one is superiorto that of the left one since the line of the attacker ismore stable and the value is lower which further provesmaximum reimage is better than random reimage under thisenvironment

Figure 6 is similar to the shape of Figure 5 except thatdownward pulses are more obviousThat is an indication thatthe system is severely compromised since several controllershave been probed persistently under maximum probes Butin other occasions the payoff of the attacker is less than thatin Figure 5 which again demonstrates maximumprobe is nota good choice unless attackers have special purposes

Actually the described process can be regarded as anapproximate zero-sum game Once the attacker gains someprivilege the defender loses some control and vice versaBased on above simulations and analysis the followingconclusion can be drawn introducing dynamism to SDNis a feasible and effective way to mitigate attacksrsquo impactand improve the systemrsquos robustness And whatever actionsattackers take the best response for defenders is maximumreimage andMaxSG In other words eliminating and restor-ing the most damaged components in the system is a criticalpoint to ensure its security

432 Imperfect Probe Detection Environment Then we ana-lyze the results when the system does not own the capabilityto detect each probe (120595 = 0 ie imperfect detection)

Security and Communication Networks 7

Max Random---AttackerMax Random---Defender

Max Max---AttackerMax Max---Defender

minus500

0

500

1000

1500

2000

2500

3000

3500

4000Pa

yoffs

of p

laye

rs

50 100 150 2000Time series

50 100 150 2000Time series

minus500

0

500

1000

1500

2000

2500

3000

3500

4000

Payo

ffs o

f pla

yers

Figure 6 Payoffs of players against maximum probes with associate defending strategies under perfect detections

RanProb RanReimage + MaxSGRanProb MaxReimage + MaxSG

MaxProb RanReimage + MaxSGMaxProb MaxReimage + MaxSG

0005

01015

02

Failu

re p

roba

bilit

y

20 40 60 80 100 120 140 160 180 2000Time series

0001002003004005

Failu

re p

roba

bilit

y

20 40 60 80 100 120 140 160 180 2000Time series

Figure 7 Failure probability with associate defending strategiesunder imperfect detections

Here we neglect the analysis on respective defending sinceits changing trend is similar to that in perfect probe detectionenvironment So we pay attention to associate defending andplayersrsquo payoffs

(a) Associate Defending Figure 7 is the simulation underimperfect probes Compared to perfect probe the mostdistinction is the failure probability increases overall Actu-ally the systemrsquos security performance under two associate

defenses is approximate The cause resulting in this phe-nomenon is that the system can no longer perceive the realstate of controllers which may incur the scheduler to makean incorrect policy For instance the scheduler seems tochoose a controller which has been probed least to be thenext running controller but actually this one has already beenseverely compromised This phenomenon may also appearin the reimage situations Above decisions will influencethe systemrsquos reliability to some extent However a point tobe noticed although without perfect probe detection thefailure probability is also maintained at a low level becauseof reimage and switch strategies

(b) Playersrsquo Payoffs Figures 8 and 9 are the variations ofplayersrsquo payoffs under random andmaximumprobes respec-tively The distribution of payoff is fluctuating extensivelyparticularly in random probe That is due to the reason thatdefenders are likely to discover the controllers being con-tinuously compromised when attackers employ maximumprobes even under imperfect detections Thus we can noticedownward pulses are more distinct in Figure 9 than Figure 8which is strong evidence on the effectiveness of reimageand switch strategies in maximum probes Meanwhile theattackerrsquos payoff is clearly increased in both figures Never-theless it is still kept in a stable interval which demonstratesplayers reach an equilibrium Moreover for attackers theresults further authenticate that adopting random probe issuperior to maximum probe in general

According to above analysis it is evident that detectioncapability has effect on the security performance of thesystem to some extent since inaccurate state informationof controllers will definitely influence the decision-makingprocess of the scheduler And ways of reimage and switch

8 Security and Communication Networks

Random Random---AttackerRandom Random---Defender

Random Max---AttackerRandom Max---Defender

minus500

0

500

1000

1500

2000

2500

3000Pa

yoffs

of p

laye

rs

50 100 150 2000Time series

minus500

0

500

1000

1500

2000

2500

3000

Payo

ffs o

f pla

yers

50 100 150 2000Time series

Figure 8 Payoffs of players against random probes with associate defending strategies under imperfect detections

Max Random---AttackerMax Random---Defender

Max Max---AttackerMax Max---Defender

minus500

0

500

1000

1500

2000

2500

3000

Payo

ffs o

f pla

yers

50 100 150 2000Time series

minus500

0

500

1000

1500

2000

2500

3000

Payo

ffs o

f pla

yers

50 100 150 2000Time series

Figure 9 Payoffs of players against maximum probes with associate defending strategies under imperfect detections

can lead to diverse defense results In most cases randomprobe is a better option for attackers while the best responseof defenders is the combination of maximum reimage andMaxSG However as long as dynamism heterogeneity andredundancy are introduced into SDN its security can beimproved significantly and the failure probability of thecontrol plane can be maintained at relatively a low standard

44 Equilibrium Results In this section we report the equi-libria found in the simulation As we all know when thesystem reaches an equilibrium the failure probability ofMcad-SA andplayersrsquo payoffs stays stableTheyhave no intentto alter their strategies

Actually in Mcad-SA whenever in perfect or imperfectprobe detection environment the situations of equilibria are

Security and Communication Networks 9

identicalThe only occasion in which the equilibrium exists isthat defenders adoptmaximum reimage andMaxSG schedul-ing method while attackers select maximum probe Fromthe simulation results above as long as attackers carry outmaximum probe they always can acquire higher payoffs andhigher failure probability of the system over random probeon matter what actions defenders take Similarly defenderswill tend to choose maximum reimage and MaxSG to obtainhigher payoffs and lower failure probability whenever theyface random or maximum probe In other words maximumreimage and MaxSG are the best choice for defenders andmaximum probe is the best option for attackers as they canachieve their goals to maximum extent

5 Conclusion

Evaluation of security performance of SDN architecturesplays a critical role in designing reliable structures andestimating system risks Focused on Mcad-SA a novel SDNstructure we attempt to establish amodel to analyze its abilityto resist attackswith the assistance of game theoryThismodelcan represent playersrsquo related information (actions strategiesetc) and quantitatively assess systemrsquos capability to dealwith risks Experimental results indicate the introductionof dynamism redundancy and heterogeneity into SDN canintensify systemrsquos security andmaintain its consistent capabil-ity against diverse probes which is an extraordinary weaknessin current SDN frameworks Further we analyze equilibriumin particular situations where common types of probes anddefense methods are included And analysis results presenthints that for dynamic systems the design of their defensestrategies has certain effect on security enhancement whichimplies that how to devise effective defense mechanism iscrucial to maximize security gain In the future we plan totake internal security mechanism of diverse controllers intoconsideration and pay attention to hybrid security analysis

Conflicts of Interest

The authors declare that they have no conflicts of interest

Acknowledgments

This work is supported by the Foundation for InnovativeResearch Groups of the National Natural Science Foundationof China (no 61521003) the National Key RampD Programof China (no 2016YFB0800100 and no 2016YFB0800101)and the National Natural Science Foundation of China (no61602509)

References

[1] N McKeown T Anderson H Balakrishnan et al ldquoOpenFlowenabling innovation in campus networksrdquo Computer Commu-nication Review vol 38 no 2 pp 69ndash74 2008

[2] D He S Chan and M Guizani ldquoSecuring software definedwireless networksrdquo IEEE Communications Magazine vol 54no 1 pp 20ndash25 2016

[3] C Monsanto J Reich and N Foster ldquoComposing software-defined networksrdquo in Proceedings of the 10th USENIX Confer-ence onNetworked SystemsDesign and Implementation pp 1ndash14USENIX Association 2013

[4] Z Guo M Su Y Xu et al ldquoImproving the performance of loadbalancing in software-defined networks through load variance-based synchronizationrdquoComputerNetworks vol 68 pp 95ndash1092014

[5] P Berde M Gerola J Hart et al ldquoONOS towards an opendistributed SDNOSrdquo in Proceedings of the 3rd ACM SIGCOMM2014 Workshop on Hot Topics in Software Defined Networking(HotSDN rsquo14) pp 1ndash6 August 2014

[6] V Yazici M O Sunay and A O Ercan ldquoControlling a softwaredefined network via distributed controllersrdquo in Proceedings ofthe 2012 NEM Summit pp 16ndash20 2014

[7] H Li P Li S Guo and A Nayak ldquoByzantine-resilient securesoftware-defined networks with multiple controllers in cloudrdquoIEEE Transactions on Cloud Computing vol 2 no 4 pp 436ndash447 2014

[8] X Jin J Gossels J Rexford and D Walker ldquoCoVisor acompositional hypervisor for software-defined networksrdquo inProceedings of the 12th USENIX Symposium on NetworkedSystems Design and Implementation (NSDI rsquo15) pp 87ndash101USENIX Association May 2015

[9] CQi JWuHHu et al ldquoAn intensive security architecturewithmulti-controller for SDNrdquo in Proceedings of the 35th IEEE Con-ference on Computer Communications Workshops (INFOCOMWKSHPS rsquo16) pp 401-402 April 2016

[10] K ElDefrawy and T Kaczmarek ldquoByzantine fault tolerantsoftware-defined networking (SDN) controllersrdquo in Proceedingsof the 2016 IEEE 40th Annual Computer Software and Applica-tions Conference (COMPSAC rsquo16) pp 208ndash213 June 2016

[11] A Prakash and M P Wellman ldquoEmpirical game-theoreticanalysis for moving target defenserdquo in Proceedings of the 2ndACM Workshop on Moving Target Defense (MTD rsquo15) pp 57ndash65 2015

[12] P Porras S Shin V Yegneswaran M Fong M Tyson and GGu ldquoA security enforcement kernel for OpenFlow networksrdquo inProceedings of the 1st ACM InternationalWorkshop onHot Topicsin Software Defined Networks (HotSDN rsquo12) pp 121ndash126 August2012

[13] P Porras S Cheung M Fong K Skinner and V YegneswaranldquoSecuring the Software Defined Network Control Layerrdquo inProceedings of the Network and Distributed System SecuritySymposium (NDSS rsquo15) San Diego CA USA 2015

[14] Z Guo Y Xu M Cello et al ldquoJumpFlow Reducing flow tableusage in software-defined networksrdquo Computer Networks vol92 pp 300ndash315 2015

[15] P K Manadhata and J M Wing ldquoAn attack surface metricrdquoIEEE Transactions on Software Engineering vol 37 no 3 pp371ndash386 2011

[16] N Poolsappasit R Dewri and I Ray ldquoDynamic security riskmanagement using Bayesian attack graphsrdquo IEEE Transactionson Dependable and Secure Computing vol 9 no 1 pp 61ndash742012

[17] C-C Ten C-C Liu and M Govindarasu ldquoVulnerabilityassessment of cybersecurity for SCADA systems using attacktreesrdquo in Proceedings of the IEEE Power Engineering SocietyGeneral Meeting (PES rsquo07) pp 1ndash8 Tampa FL USA June 2007

[18] S Jajodia A K Ghosh and V SwarupMoving Target DefenseCreating Asymmetric Uncertainty for Cyber Threats SpringerEbooks 2011

10 Security and Communication Networks

[19] S Jajodia S K Ghosh V S Subrahmanian V Swarup CWangand X S WangMoving Target Defense II Application of GameTheory and Adversarial Modeling Advances in InformationSecurity Springer 2012

[20] M H Manshaei Q Zhu T Alpcan T Basar and J-P HubauxldquoGame theory meets network security and privacyrdquo ACMComputing Surveys vol 45 no 3 article 25 2013

[21] M Van Dijk A Juels A Oprea and R L Rivest ldquoFlipIt Thegame of ldquostealthy takeoverrdquordquo Journal of Cryptology vol 26 no4 pp 655ndash713 2013

[22] A Laszka G Horvath M Felegyhazi and L ButtyanldquoFlipThem modeling targeted attacks with flipit for multipleresourcesrdquo in Decision and Game Theory for Security vol 8840of Lecture Notes in Computer Science pp 175ndash194 SpringerInternational Publishing Cham 2014

[23] FloodLight ldquoOpen SDN controllerrdquo httpfloodlightopen-flowhuborg

[24] ldquoRyu SDN Frameworkrdquo httposrggithubioryu[25] ldquoOpenDaylight Consortiumrdquo httpwwwopendaylightorg[26] C Qi J Wu H Hu and G Cheng ldquoDynamic-scheduling

mechanism of controllers based on security policy in software-defined networkrdquo IEEE Electronics Letters vol 52 no 23 pp1918ndash1920 2016

4 Security and Communication Networks

And the purpose of the defender is to guarantee the controlplane generates as many right flow rules as possible whilethe attackerrsquo objective is just the opposite Thus we measureeach playerrsquos payoff based on the state of flow rules the controlplane creates

We presume the number of effective flow rules a healthycontroller produces is 119899ℎ119890 If 119904119905 = down the controller cannotgenerate any valid rulesWhile if 119904119905 = up the number of validrules 119899119901119890 is related to probes the attacker conducts (ie 120588119905) Itcan be calculated via

119899119901119890 = 119899ℎ119890 119890minus120574120588119905 (1)

Then we can define each playerrsquos payoff Given therunning controller set 119862119877 the total payoff of the attacker is

APtotal = sum119888119894isin119862119877

119899ℎ119890 (1 minus 119890minus120574120588119905) minus Φac (2)

where 119888119894 is the 119894th controller andΦac is the total attacking costand proportional to the number of probes Correspondinglythe defenderrsquos payoff can be computed via

DPtotal = sum119888119894isin119862119877

119899119901119890 minus Φdc (3)

where Φdc is the total defending cost It includes the costof reimaging and switching to other controllers and isproportional to the number of reimages and switches

323 Strategies A strategy for players is to choose controllersonwhich they execute their actionsThey are always triggeredby observed events or detected information

The attackerrsquos strategy consists of two factors how manyprobes they can execute each time and the number of probesthey have conducted on each controller Here we consider astrategy defined by the following policy rules

(i) Random-Probe (RanProb) select uniformly amongrunning controllers under defenderrsquos control (120594119905 =def)

(ii) Maximum-Probe (MaxProb) select controllers thathave been probed most to proceed next probe

For the defender the condition of executing reimage issimilar to attackers Also it has the following strategies

(i) Random-Reimage (RanReimage) pick up runningcontrollers randomly to reimage regardless of theirstates

(ii) Maximum-Reimage (MaxReimage) choose control-lers that have been probed most to be reimaged

As to the other action of defender the switch actionis executed under two mechanisms One is after a fixedtime interval Δ119905 regardless of whatever states all runningcontrollers are The other is according to the fraction ofcontrollers regulated by defenders When it falls below athreshold 120591 the switching process is evoked However when120595 = 0 the defender cannot realize controllersrsquo state directly

Instead the sensor component can assist the control planeestimating their conditions Let 119899def119888 denote the estimatednumber of controllers in the hand of defenders if

E [119899def119888 ]1003816100381610038161003816119862119877

1003816100381610038161003816lt 120591 (4)

then the switch action is activated One detail to be men-tioned the switch strategy may have more than one methodaccording to system settings Here wemake specific explana-tions on switch strategies (Ω) We list three common kinds ofscheduling methods below And we let 119862119899 be the next set ofrunning controllers

(i) RandomWithRepeat select 119862119899 uniformly from all theavailable controllers

(ii) RandomWithoutRepeat select 119862119899 uniformly from therest controllers to guarantee 119862119899 cap 119862119877 = 0

(iii) MaxSG this is a perceptive scheduling strategy pro-posed in [26] to maximize security gain of the controlplane during each switch For a controller it will beswitched preferentially to another controller which isbelonged to another type deployed on another hostand probe leastThat is to say thismechanism ensurestwo controllers have maximum difference and thenext running controller is the most reliable one

4 Game-Theoretic Analysis

In this part we conduct simulations on Mcad-SA based onabove assumptions First we present a brief introduction ofits operating mechanisms again

In Mcad-SA the running controller set is varying withtime under this situation Moreover the system can adjust itsswitching strategy based on specific settings That illustratesthat dynamism is introduced into SDN

41 Simulation Environments It is obvious that this game isa periodic process So we let this game last for 119879 time units(119879 = 200) For the control plane employing more than onecontroller we take 119872 = 7 The scaling parameters 120573 and120574 equal 01 The fixed switch interval Δ119905 is set as 25 and thereimage interval is 20 And we let 120591 equal 05

Next we implement experiments using a discrete-eventsimulator Before the simulation we define 119891119901 as failureprobability of the control plane 119891119901 is related to conditionsof all running controllers Only when over lceil(|119862119877| + 1)2rceilcontrollers are compromised simultaneously will the systemfail For controller 119888119894 isin 119862119877 its reliability 119903119888119894 equals the ratio ofvalid flow rules (119899119901119890 ) to total rules it produces (119899ℎ119890 ) Then 119891119901can be computed via (5) where 119862119888gelceil(|119862119877|+1)2rceil represents theset of all situations with more than lceil(|119862119877| + 1)2rceil controllersbeing compromised simultaneously 119862119906119888 is the set of benigncontrollers in 119862119888 The smaller 119891119901 is the more right flow rulesthe control plane can produce which means more powerfulability to resist attacks Here we let 119899ℎ119890 be 1000

119891119901 = 1 minus sum119862119888isin119862119888gelceil(|119862119877|+1)2rceil

prod119888119894isin119862119906119888

(1 minus 119903119888119894 ) prod119888119895isin119862119888119862

119906119888

119903119888119895 (5)

Security and Communication Networks 5

RanProb RanReimageRanProb MaxReimage

WithRepeatWithoutRepeatWithMaxSG

0005

01015

02

Failu

re p

roba

bilit

y

002040608

1

Failu

re p

roba

bilit

y

20 40 60 80 100 120 140 160 180 2000Time series

20 40 60 80 100 120 140 160 180 2000Time series

Figure 2 Failure probability under respective defending strategieswhen facing random probes

42 Simulation Process At first we assume that all controllersare perfect without any probes Thus 119891119901 is 0 at the beginningvia (1) Then attackers will choose an attacking strategyto conduct attacks which results in the rise of 119891119901 With119891119901 being higher and higher the system is going to launchrespective defense mechanisms to reduce 119891119901 As a result119891119901 is varying with time and playersrsquo strategies Throughanalyzing the changing trend of 119891119901 which is related to statusof running controllers we can realize the real-time stateof Mcad-SA under various combinations of playersrsquo tacticsSimilarly playersrsquo payoffs can be obtained according to probeson controllers and cost of players via (2) and (3)Then we canconclude that which player owns the control of the system

Further in order to measure how powerful Mcad-SAis we classify the scenarios of Mcad-SA into two situationsaccording to 120595 When 120595 = 1 we call it perfect probedetection environment while 120595 = 0 it is regarded asimperfect probe detection environmentThen we analyze thesimulation results under two circumstances when adoptingvarious scheduling strategies (Ω)

43 Simulation Results

431 Perfect Probe Detection Environment In perfect probedetection environment the defender is able to observe allprobes from attackers on controllers

(a) Respective Defending First we make comparisons on theeffectiveness of respective defending strategies when facingdifferent attacking means Figure 2 indicates variations ofsystemrsquos security performance when attackers adopt randomprobe while Figure 3 illustrates the situations when attackersemploy maximum probes

In Figure 2 the upper picture is the result when takingreimage actions only while the map below is the consequencewhen taking switch actions only It is obvious that when

MaxProb RanReimageMaxProb MaxReimage

WithRepeatWithoutRepeatWithMaxSG

20 40 60 80 100 120 140 160 180 2000Time series

0001002003004

Failu

re p

roba

bilit

y

0001002003004005

Failu

re p

roba

bilit

y

20 40 60 80 100 120 140 160 180 2000Time series

Figure 3 Failure probability under respective defending strategieswhen facing maximum probes

RanProb RanReimage + MaxSGRanProb MaxReimage + MaxSG

MaxProb RanReimage + MaxSGMaxProb MaxReimage + MaxSG

00005

0010015

002

Failu

re p

roba

bilit

y

0001002003004

Failu

re p

roba

bilit

y

20 40 60 80 100 120 140 160 180 2000Time series

20 40 60 80 100 120 140 160 180 2000Time series

Figure 4 Failure probability with associate defending strategiesunder perfect detections

the defender adopts reimage methods to defend randomprobes random and maximum reimages have similar effect(MaxReimage is slightly better) However the consequencesof various switching strategies are very different When thesystem employs random switching (with repeat or with-out repeat) security performance is close While adoptingMaxSG reliability of the system is strengthened to somedegree especially after 100 time units The reason is thatprobes of controllers will increase to a large number withtime going on So under this situation perceptive switch canensure the system select more reliable controllers (probedleast) than random switchThis phenomenon further demon-strates superior schedulingways have better effect on improv-ing systemrsquos security performance

6 Security and Communication Networks

Random Random---AttackerRandom Random---Defender

Random Max---AttackerRandom Max---Defender

minus500

0

500

1000

1500

2000

2500

3000

3500

4000Pa

yoffs

of p

laye

rs

50 100 150 2000Time series

minus500

0

500

1000

1500

2000

2500

3000

3500

4000

Payo

ffs o

f pla

yers

50 100 150 2000Time series

Figure 5 Payoffs of players against random probes with associate defending strategies under perfect detections

In Figure 3 it is another situation where the attackerconducts maximum probes An interesting phenomenonis observed that all defending measures have approximatepreventive effectThat is due to the cause that this attackmoderesults in severe destruction on specific controllersThus oncedefending methods can avoid selecting these controllers thesecurity state of the system can be guaranteed So it comesto a conclusion that unless attackers have to probe particularcontrollers to acquire important information it is of littlevalue to carry out persistent maximum probes

(b) Associate Defending As is analyzed above MaxSG is themost effective switch option compared to random switchThen we combined it with reimage action to testify associatedefending performance That is to say the system adoptsreimage and switch behaviors simultaneously

Figure 4 illustrates the results of associate defendingwhenencountering random andmaximum probe individuallyTheupper section is the consequence against random probe Itis apparent that associate defending mechanism significantlyreduces the failure probability of the system and enhancesits security gain as the value is decreased with an order ofmagnitude (from 005 to 0005 averagely) while the bottompart is the case against maximum probe Similarly security ofthe system is intensified to some extent and the value of failureprobability is lowered to half of that in previous circumstance

(c) Playersrsquo Payoffs Next we analyze playersrsquo payoffs inoccasions where associate defending is used to deal withprobes from attackers Figure 5 is the case with random probewhile Figure 6 is the situation with maximum probe

In Figure 5 the left part shows how payoffs vary withrandom reimage and MaxSG while the right section is the

result with maximum reimage Both pictures manifest thatpayoffs of players are steady which means attackers cannotacquire much valuable information from the system anddefenders canmaintain it operating in a relatively secure statemeantime As to some downward pulse their appearancesare due to the trigger of reimage or switch actions Howeverstrictly speaking defense effect of the right one is superiorto that of the left one since the line of the attacker ismore stable and the value is lower which further provesmaximum reimage is better than random reimage under thisenvironment

Figure 6 is similar to the shape of Figure 5 except thatdownward pulses are more obviousThat is an indication thatthe system is severely compromised since several controllershave been probed persistently under maximum probes Butin other occasions the payoff of the attacker is less than thatin Figure 5 which again demonstrates maximumprobe is nota good choice unless attackers have special purposes

Actually the described process can be regarded as anapproximate zero-sum game Once the attacker gains someprivilege the defender loses some control and vice versaBased on above simulations and analysis the followingconclusion can be drawn introducing dynamism to SDNis a feasible and effective way to mitigate attacksrsquo impactand improve the systemrsquos robustness And whatever actionsattackers take the best response for defenders is maximumreimage andMaxSG In other words eliminating and restor-ing the most damaged components in the system is a criticalpoint to ensure its security

432 Imperfect Probe Detection Environment Then we ana-lyze the results when the system does not own the capabilityto detect each probe (120595 = 0 ie imperfect detection)

Security and Communication Networks 7

Max Random---AttackerMax Random---Defender

Max Max---AttackerMax Max---Defender

minus500

0

500

1000

1500

2000

2500

3000

3500

4000Pa

yoffs

of p

laye

rs

50 100 150 2000Time series

50 100 150 2000Time series

minus500

0

500

1000

1500

2000

2500

3000

3500

4000

Payo

ffs o

f pla

yers

Figure 6 Payoffs of players against maximum probes with associate defending strategies under perfect detections

RanProb RanReimage + MaxSGRanProb MaxReimage + MaxSG

MaxProb RanReimage + MaxSGMaxProb MaxReimage + MaxSG

0005

01015

02

Failu

re p

roba

bilit

y

20 40 60 80 100 120 140 160 180 2000Time series

0001002003004005

Failu

re p

roba

bilit

y

20 40 60 80 100 120 140 160 180 2000Time series

Figure 7 Failure probability with associate defending strategiesunder imperfect detections

Here we neglect the analysis on respective defending sinceits changing trend is similar to that in perfect probe detectionenvironment So we pay attention to associate defending andplayersrsquo payoffs

(a) Associate Defending Figure 7 is the simulation underimperfect probes Compared to perfect probe the mostdistinction is the failure probability increases overall Actu-ally the systemrsquos security performance under two associate

defenses is approximate The cause resulting in this phe-nomenon is that the system can no longer perceive the realstate of controllers which may incur the scheduler to makean incorrect policy For instance the scheduler seems tochoose a controller which has been probed least to be thenext running controller but actually this one has already beenseverely compromised This phenomenon may also appearin the reimage situations Above decisions will influencethe systemrsquos reliability to some extent However a point tobe noticed although without perfect probe detection thefailure probability is also maintained at a low level becauseof reimage and switch strategies

(b) Playersrsquo Payoffs Figures 8 and 9 are the variations ofplayersrsquo payoffs under random andmaximumprobes respec-tively The distribution of payoff is fluctuating extensivelyparticularly in random probe That is due to the reason thatdefenders are likely to discover the controllers being con-tinuously compromised when attackers employ maximumprobes even under imperfect detections Thus we can noticedownward pulses are more distinct in Figure 9 than Figure 8which is strong evidence on the effectiveness of reimageand switch strategies in maximum probes Meanwhile theattackerrsquos payoff is clearly increased in both figures Never-theless it is still kept in a stable interval which demonstratesplayers reach an equilibrium Moreover for attackers theresults further authenticate that adopting random probe issuperior to maximum probe in general

According to above analysis it is evident that detectioncapability has effect on the security performance of thesystem to some extent since inaccurate state informationof controllers will definitely influence the decision-makingprocess of the scheduler And ways of reimage and switch

8 Security and Communication Networks

Random Random---AttackerRandom Random---Defender

Random Max---AttackerRandom Max---Defender

minus500

0

500

1000

1500

2000

2500

3000Pa

yoffs

of p

laye

rs

50 100 150 2000Time series

minus500

0

500

1000

1500

2000

2500

3000

Payo

ffs o

f pla

yers

50 100 150 2000Time series

Figure 8 Payoffs of players against random probes with associate defending strategies under imperfect detections

Max Random---AttackerMax Random---Defender

Max Max---AttackerMax Max---Defender

minus500

0

500

1000

1500

2000

2500

3000

Payo

ffs o

f pla

yers

50 100 150 2000Time series

minus500

0

500

1000

1500

2000

2500

3000

Payo

ffs o

f pla

yers

50 100 150 2000Time series

Figure 9 Payoffs of players against maximum probes with associate defending strategies under imperfect detections

can lead to diverse defense results In most cases randomprobe is a better option for attackers while the best responseof defenders is the combination of maximum reimage andMaxSG However as long as dynamism heterogeneity andredundancy are introduced into SDN its security can beimproved significantly and the failure probability of thecontrol plane can be maintained at relatively a low standard

44 Equilibrium Results In this section we report the equi-libria found in the simulation As we all know when thesystem reaches an equilibrium the failure probability ofMcad-SA andplayersrsquo payoffs stays stableTheyhave no intentto alter their strategies

Actually in Mcad-SA whenever in perfect or imperfectprobe detection environment the situations of equilibria are

Security and Communication Networks 9

identicalThe only occasion in which the equilibrium exists isthat defenders adoptmaximum reimage andMaxSG schedul-ing method while attackers select maximum probe Fromthe simulation results above as long as attackers carry outmaximum probe they always can acquire higher payoffs andhigher failure probability of the system over random probeon matter what actions defenders take Similarly defenderswill tend to choose maximum reimage and MaxSG to obtainhigher payoffs and lower failure probability whenever theyface random or maximum probe In other words maximumreimage and MaxSG are the best choice for defenders andmaximum probe is the best option for attackers as they canachieve their goals to maximum extent

5 Conclusion

Evaluation of security performance of SDN architecturesplays a critical role in designing reliable structures andestimating system risks Focused on Mcad-SA a novel SDNstructure we attempt to establish amodel to analyze its abilityto resist attackswith the assistance of game theoryThismodelcan represent playersrsquo related information (actions strategiesetc) and quantitatively assess systemrsquos capability to dealwith risks Experimental results indicate the introductionof dynamism redundancy and heterogeneity into SDN canintensify systemrsquos security andmaintain its consistent capabil-ity against diverse probes which is an extraordinary weaknessin current SDN frameworks Further we analyze equilibriumin particular situations where common types of probes anddefense methods are included And analysis results presenthints that for dynamic systems the design of their defensestrategies has certain effect on security enhancement whichimplies that how to devise effective defense mechanism iscrucial to maximize security gain In the future we plan totake internal security mechanism of diverse controllers intoconsideration and pay attention to hybrid security analysis

Conflicts of Interest

The authors declare that they have no conflicts of interest

Acknowledgments

This work is supported by the Foundation for InnovativeResearch Groups of the National Natural Science Foundationof China (no 61521003) the National Key RampD Programof China (no 2016YFB0800100 and no 2016YFB0800101)and the National Natural Science Foundation of China (no61602509)

References

[1] N McKeown T Anderson H Balakrishnan et al ldquoOpenFlowenabling innovation in campus networksrdquo Computer Commu-nication Review vol 38 no 2 pp 69ndash74 2008

[2] D He S Chan and M Guizani ldquoSecuring software definedwireless networksrdquo IEEE Communications Magazine vol 54no 1 pp 20ndash25 2016

[3] C Monsanto J Reich and N Foster ldquoComposing software-defined networksrdquo in Proceedings of the 10th USENIX Confer-ence onNetworked SystemsDesign and Implementation pp 1ndash14USENIX Association 2013

[4] Z Guo M Su Y Xu et al ldquoImproving the performance of loadbalancing in software-defined networks through load variance-based synchronizationrdquoComputerNetworks vol 68 pp 95ndash1092014

[5] P Berde M Gerola J Hart et al ldquoONOS towards an opendistributed SDNOSrdquo in Proceedings of the 3rd ACM SIGCOMM2014 Workshop on Hot Topics in Software Defined Networking(HotSDN rsquo14) pp 1ndash6 August 2014

[6] V Yazici M O Sunay and A O Ercan ldquoControlling a softwaredefined network via distributed controllersrdquo in Proceedings ofthe 2012 NEM Summit pp 16ndash20 2014

[7] H Li P Li S Guo and A Nayak ldquoByzantine-resilient securesoftware-defined networks with multiple controllers in cloudrdquoIEEE Transactions on Cloud Computing vol 2 no 4 pp 436ndash447 2014

[8] X Jin J Gossels J Rexford and D Walker ldquoCoVisor acompositional hypervisor for software-defined networksrdquo inProceedings of the 12th USENIX Symposium on NetworkedSystems Design and Implementation (NSDI rsquo15) pp 87ndash101USENIX Association May 2015

[9] CQi JWuHHu et al ldquoAn intensive security architecturewithmulti-controller for SDNrdquo in Proceedings of the 35th IEEE Con-ference on Computer Communications Workshops (INFOCOMWKSHPS rsquo16) pp 401-402 April 2016

[10] K ElDefrawy and T Kaczmarek ldquoByzantine fault tolerantsoftware-defined networking (SDN) controllersrdquo in Proceedingsof the 2016 IEEE 40th Annual Computer Software and Applica-tions Conference (COMPSAC rsquo16) pp 208ndash213 June 2016

[11] A Prakash and M P Wellman ldquoEmpirical game-theoreticanalysis for moving target defenserdquo in Proceedings of the 2ndACM Workshop on Moving Target Defense (MTD rsquo15) pp 57ndash65 2015

[12] P Porras S Shin V Yegneswaran M Fong M Tyson and GGu ldquoA security enforcement kernel for OpenFlow networksrdquo inProceedings of the 1st ACM InternationalWorkshop onHot Topicsin Software Defined Networks (HotSDN rsquo12) pp 121ndash126 August2012

[13] P Porras S Cheung M Fong K Skinner and V YegneswaranldquoSecuring the Software Defined Network Control Layerrdquo inProceedings of the Network and Distributed System SecuritySymposium (NDSS rsquo15) San Diego CA USA 2015

[14] Z Guo Y Xu M Cello et al ldquoJumpFlow Reducing flow tableusage in software-defined networksrdquo Computer Networks vol92 pp 300ndash315 2015

[15] P K Manadhata and J M Wing ldquoAn attack surface metricrdquoIEEE Transactions on Software Engineering vol 37 no 3 pp371ndash386 2011

[16] N Poolsappasit R Dewri and I Ray ldquoDynamic security riskmanagement using Bayesian attack graphsrdquo IEEE Transactionson Dependable and Secure Computing vol 9 no 1 pp 61ndash742012

[17] C-C Ten C-C Liu and M Govindarasu ldquoVulnerabilityassessment of cybersecurity for SCADA systems using attacktreesrdquo in Proceedings of the IEEE Power Engineering SocietyGeneral Meeting (PES rsquo07) pp 1ndash8 Tampa FL USA June 2007

[18] S Jajodia A K Ghosh and V SwarupMoving Target DefenseCreating Asymmetric Uncertainty for Cyber Threats SpringerEbooks 2011

10 Security and Communication Networks

[19] S Jajodia S K Ghosh V S Subrahmanian V Swarup CWangand X S WangMoving Target Defense II Application of GameTheory and Adversarial Modeling Advances in InformationSecurity Springer 2012

[20] M H Manshaei Q Zhu T Alpcan T Basar and J-P HubauxldquoGame theory meets network security and privacyrdquo ACMComputing Surveys vol 45 no 3 article 25 2013

[21] M Van Dijk A Juels A Oprea and R L Rivest ldquoFlipIt Thegame of ldquostealthy takeoverrdquordquo Journal of Cryptology vol 26 no4 pp 655ndash713 2013

[22] A Laszka G Horvath M Felegyhazi and L ButtyanldquoFlipThem modeling targeted attacks with flipit for multipleresourcesrdquo in Decision and Game Theory for Security vol 8840of Lecture Notes in Computer Science pp 175ndash194 SpringerInternational Publishing Cham 2014

[23] FloodLight ldquoOpen SDN controllerrdquo httpfloodlightopen-flowhuborg

[24] ldquoRyu SDN Frameworkrdquo httposrggithubioryu[25] ldquoOpenDaylight Consortiumrdquo httpwwwopendaylightorg[26] C Qi J Wu H Hu and G Cheng ldquoDynamic-scheduling

mechanism of controllers based on security policy in software-defined networkrdquo IEEE Electronics Letters vol 52 no 23 pp1918ndash1920 2016

Security and Communication Networks 5

RanProb RanReimageRanProb MaxReimage

WithRepeatWithoutRepeatWithMaxSG

0005

01015

02

Failu

re p

roba

bilit

y

002040608

1

Failu

re p

roba

bilit

y

20 40 60 80 100 120 140 160 180 2000Time series

20 40 60 80 100 120 140 160 180 2000Time series

Figure 2 Failure probability under respective defending strategieswhen facing random probes

42 Simulation Process At first we assume that all controllersare perfect without any probes Thus 119891119901 is 0 at the beginningvia (1) Then attackers will choose an attacking strategyto conduct attacks which results in the rise of 119891119901 With119891119901 being higher and higher the system is going to launchrespective defense mechanisms to reduce 119891119901 As a result119891119901 is varying with time and playersrsquo strategies Throughanalyzing the changing trend of 119891119901 which is related to statusof running controllers we can realize the real-time stateof Mcad-SA under various combinations of playersrsquo tacticsSimilarly playersrsquo payoffs can be obtained according to probeson controllers and cost of players via (2) and (3)Then we canconclude that which player owns the control of the system

Further in order to measure how powerful Mcad-SAis we classify the scenarios of Mcad-SA into two situationsaccording to 120595 When 120595 = 1 we call it perfect probedetection environment while 120595 = 0 it is regarded asimperfect probe detection environmentThen we analyze thesimulation results under two circumstances when adoptingvarious scheduling strategies (Ω)

43 Simulation Results

431 Perfect Probe Detection Environment In perfect probedetection environment the defender is able to observe allprobes from attackers on controllers

(a) Respective Defending First we make comparisons on theeffectiveness of respective defending strategies when facingdifferent attacking means Figure 2 indicates variations ofsystemrsquos security performance when attackers adopt randomprobe while Figure 3 illustrates the situations when attackersemploy maximum probes

In Figure 2 the upper picture is the result when takingreimage actions only while the map below is the consequencewhen taking switch actions only It is obvious that when

MaxProb RanReimageMaxProb MaxReimage

WithRepeatWithoutRepeatWithMaxSG

20 40 60 80 100 120 140 160 180 2000Time series

0001002003004

Failu

re p

roba

bilit

y

0001002003004005

Failu

re p

roba

bilit

y

20 40 60 80 100 120 140 160 180 2000Time series

Figure 3 Failure probability under respective defending strategieswhen facing maximum probes

RanProb RanReimage + MaxSGRanProb MaxReimage + MaxSG

MaxProb RanReimage + MaxSGMaxProb MaxReimage + MaxSG

00005

0010015

002

Failu

re p

roba

bilit

y

0001002003004

Failu

re p

roba

bilit

y

20 40 60 80 100 120 140 160 180 2000Time series

20 40 60 80 100 120 140 160 180 2000Time series

Figure 4 Failure probability with associate defending strategiesunder perfect detections

the defender adopts reimage methods to defend randomprobes random and maximum reimages have similar effect(MaxReimage is slightly better) However the consequencesof various switching strategies are very different When thesystem employs random switching (with repeat or with-out repeat) security performance is close While adoptingMaxSG reliability of the system is strengthened to somedegree especially after 100 time units The reason is thatprobes of controllers will increase to a large number withtime going on So under this situation perceptive switch canensure the system select more reliable controllers (probedleast) than random switchThis phenomenon further demon-strates superior schedulingways have better effect on improv-ing systemrsquos security performance

6 Security and Communication Networks

Random Random---AttackerRandom Random---Defender

Random Max---AttackerRandom Max---Defender

minus500

0

500

1000

1500

2000

2500

3000

3500

4000Pa

yoffs

of p

laye

rs

50 100 150 2000Time series

minus500

0

500

1000

1500

2000

2500

3000

3500

4000

Payo

ffs o

f pla

yers

50 100 150 2000Time series

Figure 5 Payoffs of players against random probes with associate defending strategies under perfect detections

In Figure 3 it is another situation where the attackerconducts maximum probes An interesting phenomenonis observed that all defending measures have approximatepreventive effectThat is due to the cause that this attackmoderesults in severe destruction on specific controllersThus oncedefending methods can avoid selecting these controllers thesecurity state of the system can be guaranteed So it comesto a conclusion that unless attackers have to probe particularcontrollers to acquire important information it is of littlevalue to carry out persistent maximum probes

(b) Associate Defending As is analyzed above MaxSG is themost effective switch option compared to random switchThen we combined it with reimage action to testify associatedefending performance That is to say the system adoptsreimage and switch behaviors simultaneously

Figure 4 illustrates the results of associate defendingwhenencountering random andmaximum probe individuallyTheupper section is the consequence against random probe Itis apparent that associate defending mechanism significantlyreduces the failure probability of the system and enhancesits security gain as the value is decreased with an order ofmagnitude (from 005 to 0005 averagely) while the bottompart is the case against maximum probe Similarly security ofthe system is intensified to some extent and the value of failureprobability is lowered to half of that in previous circumstance

(c) Playersrsquo Payoffs Next we analyze playersrsquo payoffs inoccasions where associate defending is used to deal withprobes from attackers Figure 5 is the case with random probewhile Figure 6 is the situation with maximum probe

In Figure 5 the left part shows how payoffs vary withrandom reimage and MaxSG while the right section is the

result with maximum reimage Both pictures manifest thatpayoffs of players are steady which means attackers cannotacquire much valuable information from the system anddefenders canmaintain it operating in a relatively secure statemeantime As to some downward pulse their appearancesare due to the trigger of reimage or switch actions Howeverstrictly speaking defense effect of the right one is superiorto that of the left one since the line of the attacker ismore stable and the value is lower which further provesmaximum reimage is better than random reimage under thisenvironment

Figure 6 is similar to the shape of Figure 5 except thatdownward pulses are more obviousThat is an indication thatthe system is severely compromised since several controllershave been probed persistently under maximum probes Butin other occasions the payoff of the attacker is less than thatin Figure 5 which again demonstrates maximumprobe is nota good choice unless attackers have special purposes

Actually the described process can be regarded as anapproximate zero-sum game Once the attacker gains someprivilege the defender loses some control and vice versaBased on above simulations and analysis the followingconclusion can be drawn introducing dynamism to SDNis a feasible and effective way to mitigate attacksrsquo impactand improve the systemrsquos robustness And whatever actionsattackers take the best response for defenders is maximumreimage andMaxSG In other words eliminating and restor-ing the most damaged components in the system is a criticalpoint to ensure its security

432 Imperfect Probe Detection Environment Then we ana-lyze the results when the system does not own the capabilityto detect each probe (120595 = 0 ie imperfect detection)

Security and Communication Networks 7

Max Random---AttackerMax Random---Defender

Max Max---AttackerMax Max---Defender

minus500

0

500

1000

1500

2000

2500

3000

3500

4000Pa

yoffs

of p

laye

rs

50 100 150 2000Time series

50 100 150 2000Time series

minus500

0

500

1000

1500

2000

2500

3000

3500

4000

Payo

ffs o

f pla

yers

Figure 6 Payoffs of players against maximum probes with associate defending strategies under perfect detections

RanProb RanReimage + MaxSGRanProb MaxReimage + MaxSG

MaxProb RanReimage + MaxSGMaxProb MaxReimage + MaxSG

0005

01015

02

Failu

re p

roba

bilit

y

20 40 60 80 100 120 140 160 180 2000Time series

0001002003004005

Failu

re p

roba

bilit

y

20 40 60 80 100 120 140 160 180 2000Time series

Figure 7 Failure probability with associate defending strategiesunder imperfect detections

Here we neglect the analysis on respective defending sinceits changing trend is similar to that in perfect probe detectionenvironment So we pay attention to associate defending andplayersrsquo payoffs

(a) Associate Defending Figure 7 is the simulation underimperfect probes Compared to perfect probe the mostdistinction is the failure probability increases overall Actu-ally the systemrsquos security performance under two associate

defenses is approximate The cause resulting in this phe-nomenon is that the system can no longer perceive the realstate of controllers which may incur the scheduler to makean incorrect policy For instance the scheduler seems tochoose a controller which has been probed least to be thenext running controller but actually this one has already beenseverely compromised This phenomenon may also appearin the reimage situations Above decisions will influencethe systemrsquos reliability to some extent However a point tobe noticed although without perfect probe detection thefailure probability is also maintained at a low level becauseof reimage and switch strategies

(b) Playersrsquo Payoffs Figures 8 and 9 are the variations ofplayersrsquo payoffs under random andmaximumprobes respec-tively The distribution of payoff is fluctuating extensivelyparticularly in random probe That is due to the reason thatdefenders are likely to discover the controllers being con-tinuously compromised when attackers employ maximumprobes even under imperfect detections Thus we can noticedownward pulses are more distinct in Figure 9 than Figure 8which is strong evidence on the effectiveness of reimageand switch strategies in maximum probes Meanwhile theattackerrsquos payoff is clearly increased in both figures Never-theless it is still kept in a stable interval which demonstratesplayers reach an equilibrium Moreover for attackers theresults further authenticate that adopting random probe issuperior to maximum probe in general

According to above analysis it is evident that detectioncapability has effect on the security performance of thesystem to some extent since inaccurate state informationof controllers will definitely influence the decision-makingprocess of the scheduler And ways of reimage and switch

8 Security and Communication Networks

Random Random---AttackerRandom Random---Defender

Random Max---AttackerRandom Max---Defender

minus500

0

500

1000

1500

2000

2500

3000Pa

yoffs

of p

laye

rs

50 100 150 2000Time series

minus500

0

500

1000

1500

2000

2500

3000

Payo

ffs o

f pla

yers

50 100 150 2000Time series

Figure 8 Payoffs of players against random probes with associate defending strategies under imperfect detections

Max Random---AttackerMax Random---Defender

Max Max---AttackerMax Max---Defender

minus500

0

500

1000

1500

2000

2500

3000

Payo

ffs o

f pla

yers

50 100 150 2000Time series

minus500

0

500

1000

1500

2000

2500

3000

Payo

ffs o

f pla

yers

50 100 150 2000Time series

Figure 9 Payoffs of players against maximum probes with associate defending strategies under imperfect detections

can lead to diverse defense results In most cases randomprobe is a better option for attackers while the best responseof defenders is the combination of maximum reimage andMaxSG However as long as dynamism heterogeneity andredundancy are introduced into SDN its security can beimproved significantly and the failure probability of thecontrol plane can be maintained at relatively a low standard

44 Equilibrium Results In this section we report the equi-libria found in the simulation As we all know when thesystem reaches an equilibrium the failure probability ofMcad-SA andplayersrsquo payoffs stays stableTheyhave no intentto alter their strategies

Actually in Mcad-SA whenever in perfect or imperfectprobe detection environment the situations of equilibria are

Security and Communication Networks 9

identicalThe only occasion in which the equilibrium exists isthat defenders adoptmaximum reimage andMaxSG schedul-ing method while attackers select maximum probe Fromthe simulation results above as long as attackers carry outmaximum probe they always can acquire higher payoffs andhigher failure probability of the system over random probeon matter what actions defenders take Similarly defenderswill tend to choose maximum reimage and MaxSG to obtainhigher payoffs and lower failure probability whenever theyface random or maximum probe In other words maximumreimage and MaxSG are the best choice for defenders andmaximum probe is the best option for attackers as they canachieve their goals to maximum extent

5 Conclusion

Evaluation of security performance of SDN architecturesplays a critical role in designing reliable structures andestimating system risks Focused on Mcad-SA a novel SDNstructure we attempt to establish amodel to analyze its abilityto resist attackswith the assistance of game theoryThismodelcan represent playersrsquo related information (actions strategiesetc) and quantitatively assess systemrsquos capability to dealwith risks Experimental results indicate the introductionof dynamism redundancy and heterogeneity into SDN canintensify systemrsquos security andmaintain its consistent capabil-ity against diverse probes which is an extraordinary weaknessin current SDN frameworks Further we analyze equilibriumin particular situations where common types of probes anddefense methods are included And analysis results presenthints that for dynamic systems the design of their defensestrategies has certain effect on security enhancement whichimplies that how to devise effective defense mechanism iscrucial to maximize security gain In the future we plan totake internal security mechanism of diverse controllers intoconsideration and pay attention to hybrid security analysis

Conflicts of Interest

The authors declare that they have no conflicts of interest

Acknowledgments

This work is supported by the Foundation for InnovativeResearch Groups of the National Natural Science Foundationof China (no 61521003) the National Key RampD Programof China (no 2016YFB0800100 and no 2016YFB0800101)and the National Natural Science Foundation of China (no61602509)

References

[1] N McKeown T Anderson H Balakrishnan et al ldquoOpenFlowenabling innovation in campus networksrdquo Computer Commu-nication Review vol 38 no 2 pp 69ndash74 2008

[2] D He S Chan and M Guizani ldquoSecuring software definedwireless networksrdquo IEEE Communications Magazine vol 54no 1 pp 20ndash25 2016

[3] C Monsanto J Reich and N Foster ldquoComposing software-defined networksrdquo in Proceedings of the 10th USENIX Confer-ence onNetworked SystemsDesign and Implementation pp 1ndash14USENIX Association 2013

[4] Z Guo M Su Y Xu et al ldquoImproving the performance of loadbalancing in software-defined networks through load variance-based synchronizationrdquoComputerNetworks vol 68 pp 95ndash1092014

[5] P Berde M Gerola J Hart et al ldquoONOS towards an opendistributed SDNOSrdquo in Proceedings of the 3rd ACM SIGCOMM2014 Workshop on Hot Topics in Software Defined Networking(HotSDN rsquo14) pp 1ndash6 August 2014

[6] V Yazici M O Sunay and A O Ercan ldquoControlling a softwaredefined network via distributed controllersrdquo in Proceedings ofthe 2012 NEM Summit pp 16ndash20 2014

[7] H Li P Li S Guo and A Nayak ldquoByzantine-resilient securesoftware-defined networks with multiple controllers in cloudrdquoIEEE Transactions on Cloud Computing vol 2 no 4 pp 436ndash447 2014

[8] X Jin J Gossels J Rexford and D Walker ldquoCoVisor acompositional hypervisor for software-defined networksrdquo inProceedings of the 12th USENIX Symposium on NetworkedSystems Design and Implementation (NSDI rsquo15) pp 87ndash101USENIX Association May 2015

[9] CQi JWuHHu et al ldquoAn intensive security architecturewithmulti-controller for SDNrdquo in Proceedings of the 35th IEEE Con-ference on Computer Communications Workshops (INFOCOMWKSHPS rsquo16) pp 401-402 April 2016

[10] K ElDefrawy and T Kaczmarek ldquoByzantine fault tolerantsoftware-defined networking (SDN) controllersrdquo in Proceedingsof the 2016 IEEE 40th Annual Computer Software and Applica-tions Conference (COMPSAC rsquo16) pp 208ndash213 June 2016

[11] A Prakash and M P Wellman ldquoEmpirical game-theoreticanalysis for moving target defenserdquo in Proceedings of the 2ndACM Workshop on Moving Target Defense (MTD rsquo15) pp 57ndash65 2015

[12] P Porras S Shin V Yegneswaran M Fong M Tyson and GGu ldquoA security enforcement kernel for OpenFlow networksrdquo inProceedings of the 1st ACM InternationalWorkshop onHot Topicsin Software Defined Networks (HotSDN rsquo12) pp 121ndash126 August2012

[13] P Porras S Cheung M Fong K Skinner and V YegneswaranldquoSecuring the Software Defined Network Control Layerrdquo inProceedings of the Network and Distributed System SecuritySymposium (NDSS rsquo15) San Diego CA USA 2015

[14] Z Guo Y Xu M Cello et al ldquoJumpFlow Reducing flow tableusage in software-defined networksrdquo Computer Networks vol92 pp 300ndash315 2015

[15] P K Manadhata and J M Wing ldquoAn attack surface metricrdquoIEEE Transactions on Software Engineering vol 37 no 3 pp371ndash386 2011

[16] N Poolsappasit R Dewri and I Ray ldquoDynamic security riskmanagement using Bayesian attack graphsrdquo IEEE Transactionson Dependable and Secure Computing vol 9 no 1 pp 61ndash742012

[17] C-C Ten C-C Liu and M Govindarasu ldquoVulnerabilityassessment of cybersecurity for SCADA systems using attacktreesrdquo in Proceedings of the IEEE Power Engineering SocietyGeneral Meeting (PES rsquo07) pp 1ndash8 Tampa FL USA June 2007

[18] S Jajodia A K Ghosh and V SwarupMoving Target DefenseCreating Asymmetric Uncertainty for Cyber Threats SpringerEbooks 2011

10 Security and Communication Networks

[19] S Jajodia S K Ghosh V S Subrahmanian V Swarup CWangand X S WangMoving Target Defense II Application of GameTheory and Adversarial Modeling Advances in InformationSecurity Springer 2012

[20] M H Manshaei Q Zhu T Alpcan T Basar and J-P HubauxldquoGame theory meets network security and privacyrdquo ACMComputing Surveys vol 45 no 3 article 25 2013

[21] M Van Dijk A Juels A Oprea and R L Rivest ldquoFlipIt Thegame of ldquostealthy takeoverrdquordquo Journal of Cryptology vol 26 no4 pp 655ndash713 2013

[22] A Laszka G Horvath M Felegyhazi and L ButtyanldquoFlipThem modeling targeted attacks with flipit for multipleresourcesrdquo in Decision and Game Theory for Security vol 8840of Lecture Notes in Computer Science pp 175ndash194 SpringerInternational Publishing Cham 2014

[23] FloodLight ldquoOpen SDN controllerrdquo httpfloodlightopen-flowhuborg

[24] ldquoRyu SDN Frameworkrdquo httposrggithubioryu[25] ldquoOpenDaylight Consortiumrdquo httpwwwopendaylightorg[26] C Qi J Wu H Hu and G Cheng ldquoDynamic-scheduling

mechanism of controllers based on security policy in software-defined networkrdquo IEEE Electronics Letters vol 52 no 23 pp1918ndash1920 2016

6 Security and Communication Networks

Random Random---AttackerRandom Random---Defender

Random Max---AttackerRandom Max---Defender

minus500

0

500

1000

1500

2000

2500

3000

3500

4000Pa

yoffs

of p

laye

rs

50 100 150 2000Time series

minus500

0

500

1000

1500

2000

2500

3000

3500

4000

Payo

ffs o

f pla

yers

50 100 150 2000Time series

Figure 5 Payoffs of players against random probes with associate defending strategies under perfect detections

In Figure 3 it is another situation where the attackerconducts maximum probes An interesting phenomenonis observed that all defending measures have approximatepreventive effectThat is due to the cause that this attackmoderesults in severe destruction on specific controllersThus oncedefending methods can avoid selecting these controllers thesecurity state of the system can be guaranteed So it comesto a conclusion that unless attackers have to probe particularcontrollers to acquire important information it is of littlevalue to carry out persistent maximum probes

(b) Associate Defending As is analyzed above MaxSG is themost effective switch option compared to random switchThen we combined it with reimage action to testify associatedefending performance That is to say the system adoptsreimage and switch behaviors simultaneously

Figure 4 illustrates the results of associate defendingwhenencountering random andmaximum probe individuallyTheupper section is the consequence against random probe Itis apparent that associate defending mechanism significantlyreduces the failure probability of the system and enhancesits security gain as the value is decreased with an order ofmagnitude (from 005 to 0005 averagely) while the bottompart is the case against maximum probe Similarly security ofthe system is intensified to some extent and the value of failureprobability is lowered to half of that in previous circumstance

(c) Playersrsquo Payoffs Next we analyze playersrsquo payoffs inoccasions where associate defending is used to deal withprobes from attackers Figure 5 is the case with random probewhile Figure 6 is the situation with maximum probe

In Figure 5 the left part shows how payoffs vary withrandom reimage and MaxSG while the right section is the

result with maximum reimage Both pictures manifest thatpayoffs of players are steady which means attackers cannotacquire much valuable information from the system anddefenders canmaintain it operating in a relatively secure statemeantime As to some downward pulse their appearancesare due to the trigger of reimage or switch actions Howeverstrictly speaking defense effect of the right one is superiorto that of the left one since the line of the attacker ismore stable and the value is lower which further provesmaximum reimage is better than random reimage under thisenvironment

Figure 6 is similar to the shape of Figure 5 except thatdownward pulses are more obviousThat is an indication thatthe system is severely compromised since several controllershave been probed persistently under maximum probes Butin other occasions the payoff of the attacker is less than thatin Figure 5 which again demonstrates maximumprobe is nota good choice unless attackers have special purposes

Actually the described process can be regarded as anapproximate zero-sum game Once the attacker gains someprivilege the defender loses some control and vice versaBased on above simulations and analysis the followingconclusion can be drawn introducing dynamism to SDNis a feasible and effective way to mitigate attacksrsquo impactand improve the systemrsquos robustness And whatever actionsattackers take the best response for defenders is maximumreimage andMaxSG In other words eliminating and restor-ing the most damaged components in the system is a criticalpoint to ensure its security

432 Imperfect Probe Detection Environment Then we ana-lyze the results when the system does not own the capabilityto detect each probe (120595 = 0 ie imperfect detection)

Security and Communication Networks 7

Max Random---AttackerMax Random---Defender

Max Max---AttackerMax Max---Defender

minus500

0

500

1000

1500

2000

2500

3000

3500

4000Pa

yoffs

of p

laye

rs

50 100 150 2000Time series

50 100 150 2000Time series

minus500

0

500

1000

1500

2000

2500

3000

3500

4000

Payo

ffs o

f pla

yers

Figure 6 Payoffs of players against maximum probes with associate defending strategies under perfect detections

RanProb RanReimage + MaxSGRanProb MaxReimage + MaxSG

MaxProb RanReimage + MaxSGMaxProb MaxReimage + MaxSG

0005

01015

02

Failu

re p

roba

bilit

y

20 40 60 80 100 120 140 160 180 2000Time series

0001002003004005

Failu

re p

roba

bilit

y

20 40 60 80 100 120 140 160 180 2000Time series

Figure 7 Failure probability with associate defending strategiesunder imperfect detections

Here we neglect the analysis on respective defending sinceits changing trend is similar to that in perfect probe detectionenvironment So we pay attention to associate defending andplayersrsquo payoffs

(a) Associate Defending Figure 7 is the simulation underimperfect probes Compared to perfect probe the mostdistinction is the failure probability increases overall Actu-ally the systemrsquos security performance under two associate

defenses is approximate The cause resulting in this phe-nomenon is that the system can no longer perceive the realstate of controllers which may incur the scheduler to makean incorrect policy For instance the scheduler seems tochoose a controller which has been probed least to be thenext running controller but actually this one has already beenseverely compromised This phenomenon may also appearin the reimage situations Above decisions will influencethe systemrsquos reliability to some extent However a point tobe noticed although without perfect probe detection thefailure probability is also maintained at a low level becauseof reimage and switch strategies

(b) Playersrsquo Payoffs Figures 8 and 9 are the variations ofplayersrsquo payoffs under random andmaximumprobes respec-tively The distribution of payoff is fluctuating extensivelyparticularly in random probe That is due to the reason thatdefenders are likely to discover the controllers being con-tinuously compromised when attackers employ maximumprobes even under imperfect detections Thus we can noticedownward pulses are more distinct in Figure 9 than Figure 8which is strong evidence on the effectiveness of reimageand switch strategies in maximum probes Meanwhile theattackerrsquos payoff is clearly increased in both figures Never-theless it is still kept in a stable interval which demonstratesplayers reach an equilibrium Moreover for attackers theresults further authenticate that adopting random probe issuperior to maximum probe in general

According to above analysis it is evident that detectioncapability has effect on the security performance of thesystem to some extent since inaccurate state informationof controllers will definitely influence the decision-makingprocess of the scheduler And ways of reimage and switch

8 Security and Communication Networks

Random Random---AttackerRandom Random---Defender

Random Max---AttackerRandom Max---Defender

minus500

0

500

1000

1500

2000

2500

3000Pa

yoffs

of p

laye

rs

50 100 150 2000Time series

minus500

0

500

1000

1500

2000

2500

3000

Payo

ffs o

f pla

yers

50 100 150 2000Time series

Figure 8 Payoffs of players against random probes with associate defending strategies under imperfect detections

Max Random---AttackerMax Random---Defender

Max Max---AttackerMax Max---Defender

minus500

0

500

1000

1500

2000

2500

3000

Payo

ffs o

f pla

yers

50 100 150 2000Time series

minus500

0

500

1000

1500

2000

2500

3000

Payo

ffs o

f pla

yers

50 100 150 2000Time series

Figure 9 Payoffs of players against maximum probes with associate defending strategies under imperfect detections

can lead to diverse defense results In most cases randomprobe is a better option for attackers while the best responseof defenders is the combination of maximum reimage andMaxSG However as long as dynamism heterogeneity andredundancy are introduced into SDN its security can beimproved significantly and the failure probability of thecontrol plane can be maintained at relatively a low standard

44 Equilibrium Results In this section we report the equi-libria found in the simulation As we all know when thesystem reaches an equilibrium the failure probability ofMcad-SA andplayersrsquo payoffs stays stableTheyhave no intentto alter their strategies

Actually in Mcad-SA whenever in perfect or imperfectprobe detection environment the situations of equilibria are

Security and Communication Networks 9

identicalThe only occasion in which the equilibrium exists isthat defenders adoptmaximum reimage andMaxSG schedul-ing method while attackers select maximum probe Fromthe simulation results above as long as attackers carry outmaximum probe they always can acquire higher payoffs andhigher failure probability of the system over random probeon matter what actions defenders take Similarly defenderswill tend to choose maximum reimage and MaxSG to obtainhigher payoffs and lower failure probability whenever theyface random or maximum probe In other words maximumreimage and MaxSG are the best choice for defenders andmaximum probe is the best option for attackers as they canachieve their goals to maximum extent

5 Conclusion

Evaluation of security performance of SDN architecturesplays a critical role in designing reliable structures andestimating system risks Focused on Mcad-SA a novel SDNstructure we attempt to establish amodel to analyze its abilityto resist attackswith the assistance of game theoryThismodelcan represent playersrsquo related information (actions strategiesetc) and quantitatively assess systemrsquos capability to dealwith risks Experimental results indicate the introductionof dynamism redundancy and heterogeneity into SDN canintensify systemrsquos security andmaintain its consistent capabil-ity against diverse probes which is an extraordinary weaknessin current SDN frameworks Further we analyze equilibriumin particular situations where common types of probes anddefense methods are included And analysis results presenthints that for dynamic systems the design of their defensestrategies has certain effect on security enhancement whichimplies that how to devise effective defense mechanism iscrucial to maximize security gain In the future we plan totake internal security mechanism of diverse controllers intoconsideration and pay attention to hybrid security analysis

Conflicts of Interest

The authors declare that they have no conflicts of interest

Acknowledgments

This work is supported by the Foundation for InnovativeResearch Groups of the National Natural Science Foundationof China (no 61521003) the National Key RampD Programof China (no 2016YFB0800100 and no 2016YFB0800101)and the National Natural Science Foundation of China (no61602509)

References

[1] N McKeown T Anderson H Balakrishnan et al ldquoOpenFlowenabling innovation in campus networksrdquo Computer Commu-nication Review vol 38 no 2 pp 69ndash74 2008

[2] D He S Chan and M Guizani ldquoSecuring software definedwireless networksrdquo IEEE Communications Magazine vol 54no 1 pp 20ndash25 2016

[3] C Monsanto J Reich and N Foster ldquoComposing software-defined networksrdquo in Proceedings of the 10th USENIX Confer-ence onNetworked SystemsDesign and Implementation pp 1ndash14USENIX Association 2013

[4] Z Guo M Su Y Xu et al ldquoImproving the performance of loadbalancing in software-defined networks through load variance-based synchronizationrdquoComputerNetworks vol 68 pp 95ndash1092014

[5] P Berde M Gerola J Hart et al ldquoONOS towards an opendistributed SDNOSrdquo in Proceedings of the 3rd ACM SIGCOMM2014 Workshop on Hot Topics in Software Defined Networking(HotSDN rsquo14) pp 1ndash6 August 2014

[6] V Yazici M O Sunay and A O Ercan ldquoControlling a softwaredefined network via distributed controllersrdquo in Proceedings ofthe 2012 NEM Summit pp 16ndash20 2014

[7] H Li P Li S Guo and A Nayak ldquoByzantine-resilient securesoftware-defined networks with multiple controllers in cloudrdquoIEEE Transactions on Cloud Computing vol 2 no 4 pp 436ndash447 2014

[8] X Jin J Gossels J Rexford and D Walker ldquoCoVisor acompositional hypervisor for software-defined networksrdquo inProceedings of the 12th USENIX Symposium on NetworkedSystems Design and Implementation (NSDI rsquo15) pp 87ndash101USENIX Association May 2015

[9] CQi JWuHHu et al ldquoAn intensive security architecturewithmulti-controller for SDNrdquo in Proceedings of the 35th IEEE Con-ference on Computer Communications Workshops (INFOCOMWKSHPS rsquo16) pp 401-402 April 2016

[10] K ElDefrawy and T Kaczmarek ldquoByzantine fault tolerantsoftware-defined networking (SDN) controllersrdquo in Proceedingsof the 2016 IEEE 40th Annual Computer Software and Applica-tions Conference (COMPSAC rsquo16) pp 208ndash213 June 2016

[11] A Prakash and M P Wellman ldquoEmpirical game-theoreticanalysis for moving target defenserdquo in Proceedings of the 2ndACM Workshop on Moving Target Defense (MTD rsquo15) pp 57ndash65 2015

[12] P Porras S Shin V Yegneswaran M Fong M Tyson and GGu ldquoA security enforcement kernel for OpenFlow networksrdquo inProceedings of the 1st ACM InternationalWorkshop onHot Topicsin Software Defined Networks (HotSDN rsquo12) pp 121ndash126 August2012

[13] P Porras S Cheung M Fong K Skinner and V YegneswaranldquoSecuring the Software Defined Network Control Layerrdquo inProceedings of the Network and Distributed System SecuritySymposium (NDSS rsquo15) San Diego CA USA 2015

[14] Z Guo Y Xu M Cello et al ldquoJumpFlow Reducing flow tableusage in software-defined networksrdquo Computer Networks vol92 pp 300ndash315 2015

[15] P K Manadhata and J M Wing ldquoAn attack surface metricrdquoIEEE Transactions on Software Engineering vol 37 no 3 pp371ndash386 2011

[16] N Poolsappasit R Dewri and I Ray ldquoDynamic security riskmanagement using Bayesian attack graphsrdquo IEEE Transactionson Dependable and Secure Computing vol 9 no 1 pp 61ndash742012

[17] C-C Ten C-C Liu and M Govindarasu ldquoVulnerabilityassessment of cybersecurity for SCADA systems using attacktreesrdquo in Proceedings of the IEEE Power Engineering SocietyGeneral Meeting (PES rsquo07) pp 1ndash8 Tampa FL USA June 2007

[18] S Jajodia A K Ghosh and V SwarupMoving Target DefenseCreating Asymmetric Uncertainty for Cyber Threats SpringerEbooks 2011

10 Security and Communication Networks

[19] S Jajodia S K Ghosh V S Subrahmanian V Swarup CWangand X S WangMoving Target Defense II Application of GameTheory and Adversarial Modeling Advances in InformationSecurity Springer 2012

[20] M H Manshaei Q Zhu T Alpcan T Basar and J-P HubauxldquoGame theory meets network security and privacyrdquo ACMComputing Surveys vol 45 no 3 article 25 2013

[21] M Van Dijk A Juels A Oprea and R L Rivest ldquoFlipIt Thegame of ldquostealthy takeoverrdquordquo Journal of Cryptology vol 26 no4 pp 655ndash713 2013

[22] A Laszka G Horvath M Felegyhazi and L ButtyanldquoFlipThem modeling targeted attacks with flipit for multipleresourcesrdquo in Decision and Game Theory for Security vol 8840of Lecture Notes in Computer Science pp 175ndash194 SpringerInternational Publishing Cham 2014

[23] FloodLight ldquoOpen SDN controllerrdquo httpfloodlightopen-flowhuborg

[24] ldquoRyu SDN Frameworkrdquo httposrggithubioryu[25] ldquoOpenDaylight Consortiumrdquo httpwwwopendaylightorg[26] C Qi J Wu H Hu and G Cheng ldquoDynamic-scheduling

mechanism of controllers based on security policy in software-defined networkrdquo IEEE Electronics Letters vol 52 no 23 pp1918ndash1920 2016

Security and Communication Networks 7

Max Random---AttackerMax Random---Defender

Max Max---AttackerMax Max---Defender

minus500

0

500

1000

1500

2000

2500

3000

3500

4000Pa

yoffs

of p

laye

rs

50 100 150 2000Time series

50 100 150 2000Time series

minus500

0

500

1000

1500

2000

2500

3000

3500

4000

Payo

ffs o

f pla

yers

Figure 6 Payoffs of players against maximum probes with associate defending strategies under perfect detections

RanProb RanReimage + MaxSGRanProb MaxReimage + MaxSG

MaxProb RanReimage + MaxSGMaxProb MaxReimage + MaxSG

0005

01015

02

Failu

re p

roba

bilit

y

20 40 60 80 100 120 140 160 180 2000Time series

0001002003004005

Failu

re p

roba

bilit

y

20 40 60 80 100 120 140 160 180 2000Time series

Figure 7 Failure probability with associate defending strategiesunder imperfect detections

Here we neglect the analysis on respective defending sinceits changing trend is similar to that in perfect probe detectionenvironment So we pay attention to associate defending andplayersrsquo payoffs

(a) Associate Defending Figure 7 is the simulation underimperfect probes Compared to perfect probe the mostdistinction is the failure probability increases overall Actu-ally the systemrsquos security performance under two associate

defenses is approximate The cause resulting in this phe-nomenon is that the system can no longer perceive the realstate of controllers which may incur the scheduler to makean incorrect policy For instance the scheduler seems tochoose a controller which has been probed least to be thenext running controller but actually this one has already beenseverely compromised This phenomenon may also appearin the reimage situations Above decisions will influencethe systemrsquos reliability to some extent However a point tobe noticed although without perfect probe detection thefailure probability is also maintained at a low level becauseof reimage and switch strategies

(b) Playersrsquo Payoffs Figures 8 and 9 are the variations ofplayersrsquo payoffs under random andmaximumprobes respec-tively The distribution of payoff is fluctuating extensivelyparticularly in random probe That is due to the reason thatdefenders are likely to discover the controllers being con-tinuously compromised when attackers employ maximumprobes even under imperfect detections Thus we can noticedownward pulses are more distinct in Figure 9 than Figure 8which is strong evidence on the effectiveness of reimageand switch strategies in maximum probes Meanwhile theattackerrsquos payoff is clearly increased in both figures Never-theless it is still kept in a stable interval which demonstratesplayers reach an equilibrium Moreover for attackers theresults further authenticate that adopting random probe issuperior to maximum probe in general

According to above analysis it is evident that detectioncapability has effect on the security performance of thesystem to some extent since inaccurate state informationof controllers will definitely influence the decision-makingprocess of the scheduler And ways of reimage and switch

8 Security and Communication Networks

Random Random---AttackerRandom Random---Defender

Random Max---AttackerRandom Max---Defender

minus500

0

500

1000

1500

2000

2500

3000Pa

yoffs

of p

laye

rs

50 100 150 2000Time series

minus500

0

500

1000

1500

2000

2500

3000

Payo

ffs o

f pla

yers

50 100 150 2000Time series

Figure 8 Payoffs of players against random probes with associate defending strategies under imperfect detections

Max Random---AttackerMax Random---Defender

Max Max---AttackerMax Max---Defender

minus500

0

500

1000

1500

2000

2500

3000

Payo

ffs o

f pla

yers

50 100 150 2000Time series

minus500

0

500

1000

1500

2000

2500

3000

Payo

ffs o

f pla

yers

50 100 150 2000Time series

Figure 9 Payoffs of players against maximum probes with associate defending strategies under imperfect detections

can lead to diverse defense results In most cases randomprobe is a better option for attackers while the best responseof defenders is the combination of maximum reimage andMaxSG However as long as dynamism heterogeneity andredundancy are introduced into SDN its security can beimproved significantly and the failure probability of thecontrol plane can be maintained at relatively a low standard

44 Equilibrium Results In this section we report the equi-libria found in the simulation As we all know when thesystem reaches an equilibrium the failure probability ofMcad-SA andplayersrsquo payoffs stays stableTheyhave no intentto alter their strategies

Actually in Mcad-SA whenever in perfect or imperfectprobe detection environment the situations of equilibria are

Security and Communication Networks 9

identicalThe only occasion in which the equilibrium exists isthat defenders adoptmaximum reimage andMaxSG schedul-ing method while attackers select maximum probe Fromthe simulation results above as long as attackers carry outmaximum probe they always can acquire higher payoffs andhigher failure probability of the system over random probeon matter what actions defenders take Similarly defenderswill tend to choose maximum reimage and MaxSG to obtainhigher payoffs and lower failure probability whenever theyface random or maximum probe In other words maximumreimage and MaxSG are the best choice for defenders andmaximum probe is the best option for attackers as they canachieve their goals to maximum extent

5 Conclusion

Evaluation of security performance of SDN architecturesplays a critical role in designing reliable structures andestimating system risks Focused on Mcad-SA a novel SDNstructure we attempt to establish amodel to analyze its abilityto resist attackswith the assistance of game theoryThismodelcan represent playersrsquo related information (actions strategiesetc) and quantitatively assess systemrsquos capability to dealwith risks Experimental results indicate the introductionof dynamism redundancy and heterogeneity into SDN canintensify systemrsquos security andmaintain its consistent capabil-ity against diverse probes which is an extraordinary weaknessin current SDN frameworks Further we analyze equilibriumin particular situations where common types of probes anddefense methods are included And analysis results presenthints that for dynamic systems the design of their defensestrategies has certain effect on security enhancement whichimplies that how to devise effective defense mechanism iscrucial to maximize security gain In the future we plan totake internal security mechanism of diverse controllers intoconsideration and pay attention to hybrid security analysis

Conflicts of Interest

The authors declare that they have no conflicts of interest

Acknowledgments

This work is supported by the Foundation for InnovativeResearch Groups of the National Natural Science Foundationof China (no 61521003) the National Key RampD Programof China (no 2016YFB0800100 and no 2016YFB0800101)and the National Natural Science Foundation of China (no61602509)

References

[1] N McKeown T Anderson H Balakrishnan et al ldquoOpenFlowenabling innovation in campus networksrdquo Computer Commu-nication Review vol 38 no 2 pp 69ndash74 2008

[2] D He S Chan and M Guizani ldquoSecuring software definedwireless networksrdquo IEEE Communications Magazine vol 54no 1 pp 20ndash25 2016

[3] C Monsanto J Reich and N Foster ldquoComposing software-defined networksrdquo in Proceedings of the 10th USENIX Confer-ence onNetworked SystemsDesign and Implementation pp 1ndash14USENIX Association 2013

[4] Z Guo M Su Y Xu et al ldquoImproving the performance of loadbalancing in software-defined networks through load variance-based synchronizationrdquoComputerNetworks vol 68 pp 95ndash1092014

[5] P Berde M Gerola J Hart et al ldquoONOS towards an opendistributed SDNOSrdquo in Proceedings of the 3rd ACM SIGCOMM2014 Workshop on Hot Topics in Software Defined Networking(HotSDN rsquo14) pp 1ndash6 August 2014

[6] V Yazici M O Sunay and A O Ercan ldquoControlling a softwaredefined network via distributed controllersrdquo in Proceedings ofthe 2012 NEM Summit pp 16ndash20 2014

[7] H Li P Li S Guo and A Nayak ldquoByzantine-resilient securesoftware-defined networks with multiple controllers in cloudrdquoIEEE Transactions on Cloud Computing vol 2 no 4 pp 436ndash447 2014

[8] X Jin J Gossels J Rexford and D Walker ldquoCoVisor acompositional hypervisor for software-defined networksrdquo inProceedings of the 12th USENIX Symposium on NetworkedSystems Design and Implementation (NSDI rsquo15) pp 87ndash101USENIX Association May 2015

[9] CQi JWuHHu et al ldquoAn intensive security architecturewithmulti-controller for SDNrdquo in Proceedings of the 35th IEEE Con-ference on Computer Communications Workshops (INFOCOMWKSHPS rsquo16) pp 401-402 April 2016

[10] K ElDefrawy and T Kaczmarek ldquoByzantine fault tolerantsoftware-defined networking (SDN) controllersrdquo in Proceedingsof the 2016 IEEE 40th Annual Computer Software and Applica-tions Conference (COMPSAC rsquo16) pp 208ndash213 June 2016

[11] A Prakash and M P Wellman ldquoEmpirical game-theoreticanalysis for moving target defenserdquo in Proceedings of the 2ndACM Workshop on Moving Target Defense (MTD rsquo15) pp 57ndash65 2015

[12] P Porras S Shin V Yegneswaran M Fong M Tyson and GGu ldquoA security enforcement kernel for OpenFlow networksrdquo inProceedings of the 1st ACM InternationalWorkshop onHot Topicsin Software Defined Networks (HotSDN rsquo12) pp 121ndash126 August2012

[13] P Porras S Cheung M Fong K Skinner and V YegneswaranldquoSecuring the Software Defined Network Control Layerrdquo inProceedings of the Network and Distributed System SecuritySymposium (NDSS rsquo15) San Diego CA USA 2015

[14] Z Guo Y Xu M Cello et al ldquoJumpFlow Reducing flow tableusage in software-defined networksrdquo Computer Networks vol92 pp 300ndash315 2015

[15] P K Manadhata and J M Wing ldquoAn attack surface metricrdquoIEEE Transactions on Software Engineering vol 37 no 3 pp371ndash386 2011

[16] N Poolsappasit R Dewri and I Ray ldquoDynamic security riskmanagement using Bayesian attack graphsrdquo IEEE Transactionson Dependable and Secure Computing vol 9 no 1 pp 61ndash742012

[17] C-C Ten C-C Liu and M Govindarasu ldquoVulnerabilityassessment of cybersecurity for SCADA systems using attacktreesrdquo in Proceedings of the IEEE Power Engineering SocietyGeneral Meeting (PES rsquo07) pp 1ndash8 Tampa FL USA June 2007

[18] S Jajodia A K Ghosh and V SwarupMoving Target DefenseCreating Asymmetric Uncertainty for Cyber Threats SpringerEbooks 2011

10 Security and Communication Networks

[19] S Jajodia S K Ghosh V S Subrahmanian V Swarup CWangand X S WangMoving Target Defense II Application of GameTheory and Adversarial Modeling Advances in InformationSecurity Springer 2012

[20] M H Manshaei Q Zhu T Alpcan T Basar and J-P HubauxldquoGame theory meets network security and privacyrdquo ACMComputing Surveys vol 45 no 3 article 25 2013

[21] M Van Dijk A Juels A Oprea and R L Rivest ldquoFlipIt Thegame of ldquostealthy takeoverrdquordquo Journal of Cryptology vol 26 no4 pp 655ndash713 2013

[22] A Laszka G Horvath M Felegyhazi and L ButtyanldquoFlipThem modeling targeted attacks with flipit for multipleresourcesrdquo in Decision and Game Theory for Security vol 8840of Lecture Notes in Computer Science pp 175ndash194 SpringerInternational Publishing Cham 2014

[23] FloodLight ldquoOpen SDN controllerrdquo httpfloodlightopen-flowhuborg

[24] ldquoRyu SDN Frameworkrdquo httposrggithubioryu[25] ldquoOpenDaylight Consortiumrdquo httpwwwopendaylightorg[26] C Qi J Wu H Hu and G Cheng ldquoDynamic-scheduling

mechanism of controllers based on security policy in software-defined networkrdquo IEEE Electronics Letters vol 52 no 23 pp1918ndash1920 2016

8 Security and Communication Networks

Random Random---AttackerRandom Random---Defender

Random Max---AttackerRandom Max---Defender

minus500

0

500

1000

1500

2000

2500

3000Pa

yoffs

of p

laye

rs

50 100 150 2000Time series

minus500

0

500

1000

1500

2000

2500

3000

Payo

ffs o

f pla

yers

50 100 150 2000Time series

Figure 8 Payoffs of players against random probes with associate defending strategies under imperfect detections

Max Random---AttackerMax Random---Defender

Max Max---AttackerMax Max---Defender

minus500

0

500

1000

1500

2000

2500

3000

Payo

ffs o

f pla

yers

50 100 150 2000Time series

minus500

0

500

1000

1500

2000

2500

3000

Payo

ffs o

f pla

yers

50 100 150 2000Time series

Figure 9 Payoffs of players against maximum probes with associate defending strategies under imperfect detections

can lead to diverse defense results In most cases randomprobe is a better option for attackers while the best responseof defenders is the combination of maximum reimage andMaxSG However as long as dynamism heterogeneity andredundancy are introduced into SDN its security can beimproved significantly and the failure probability of thecontrol plane can be maintained at relatively a low standard

44 Equilibrium Results In this section we report the equi-libria found in the simulation As we all know when thesystem reaches an equilibrium the failure probability ofMcad-SA andplayersrsquo payoffs stays stableTheyhave no intentto alter their strategies

Actually in Mcad-SA whenever in perfect or imperfectprobe detection environment the situations of equilibria are

Security and Communication Networks 9

identicalThe only occasion in which the equilibrium exists isthat defenders adoptmaximum reimage andMaxSG schedul-ing method while attackers select maximum probe Fromthe simulation results above as long as attackers carry outmaximum probe they always can acquire higher payoffs andhigher failure probability of the system over random probeon matter what actions defenders take Similarly defenderswill tend to choose maximum reimage and MaxSG to obtainhigher payoffs and lower failure probability whenever theyface random or maximum probe In other words maximumreimage and MaxSG are the best choice for defenders andmaximum probe is the best option for attackers as they canachieve their goals to maximum extent

5 Conclusion

Evaluation of security performance of SDN architecturesplays a critical role in designing reliable structures andestimating system risks Focused on Mcad-SA a novel SDNstructure we attempt to establish amodel to analyze its abilityto resist attackswith the assistance of game theoryThismodelcan represent playersrsquo related information (actions strategiesetc) and quantitatively assess systemrsquos capability to dealwith risks Experimental results indicate the introductionof dynamism redundancy and heterogeneity into SDN canintensify systemrsquos security andmaintain its consistent capabil-ity against diverse probes which is an extraordinary weaknessin current SDN frameworks Further we analyze equilibriumin particular situations where common types of probes anddefense methods are included And analysis results presenthints that for dynamic systems the design of their defensestrategies has certain effect on security enhancement whichimplies that how to devise effective defense mechanism iscrucial to maximize security gain In the future we plan totake internal security mechanism of diverse controllers intoconsideration and pay attention to hybrid security analysis

Conflicts of Interest

The authors declare that they have no conflicts of interest

Acknowledgments

This work is supported by the Foundation for InnovativeResearch Groups of the National Natural Science Foundationof China (no 61521003) the National Key RampD Programof China (no 2016YFB0800100 and no 2016YFB0800101)and the National Natural Science Foundation of China (no61602509)

References

[1] N McKeown T Anderson H Balakrishnan et al ldquoOpenFlowenabling innovation in campus networksrdquo Computer Commu-nication Review vol 38 no 2 pp 69ndash74 2008

[2] D He S Chan and M Guizani ldquoSecuring software definedwireless networksrdquo IEEE Communications Magazine vol 54no 1 pp 20ndash25 2016

[3] C Monsanto J Reich and N Foster ldquoComposing software-defined networksrdquo in Proceedings of the 10th USENIX Confer-ence onNetworked SystemsDesign and Implementation pp 1ndash14USENIX Association 2013

[4] Z Guo M Su Y Xu et al ldquoImproving the performance of loadbalancing in software-defined networks through load variance-based synchronizationrdquoComputerNetworks vol 68 pp 95ndash1092014

[5] P Berde M Gerola J Hart et al ldquoONOS towards an opendistributed SDNOSrdquo in Proceedings of the 3rd ACM SIGCOMM2014 Workshop on Hot Topics in Software Defined Networking(HotSDN rsquo14) pp 1ndash6 August 2014

[6] V Yazici M O Sunay and A O Ercan ldquoControlling a softwaredefined network via distributed controllersrdquo in Proceedings ofthe 2012 NEM Summit pp 16ndash20 2014

[7] H Li P Li S Guo and A Nayak ldquoByzantine-resilient securesoftware-defined networks with multiple controllers in cloudrdquoIEEE Transactions on Cloud Computing vol 2 no 4 pp 436ndash447 2014

[8] X Jin J Gossels J Rexford and D Walker ldquoCoVisor acompositional hypervisor for software-defined networksrdquo inProceedings of the 12th USENIX Symposium on NetworkedSystems Design and Implementation (NSDI rsquo15) pp 87ndash101USENIX Association May 2015

[9] CQi JWuHHu et al ldquoAn intensive security architecturewithmulti-controller for SDNrdquo in Proceedings of the 35th IEEE Con-ference on Computer Communications Workshops (INFOCOMWKSHPS rsquo16) pp 401-402 April 2016

[10] K ElDefrawy and T Kaczmarek ldquoByzantine fault tolerantsoftware-defined networking (SDN) controllersrdquo in Proceedingsof the 2016 IEEE 40th Annual Computer Software and Applica-tions Conference (COMPSAC rsquo16) pp 208ndash213 June 2016

[11] A Prakash and M P Wellman ldquoEmpirical game-theoreticanalysis for moving target defenserdquo in Proceedings of the 2ndACM Workshop on Moving Target Defense (MTD rsquo15) pp 57ndash65 2015

[12] P Porras S Shin V Yegneswaran M Fong M Tyson and GGu ldquoA security enforcement kernel for OpenFlow networksrdquo inProceedings of the 1st ACM InternationalWorkshop onHot Topicsin Software Defined Networks (HotSDN rsquo12) pp 121ndash126 August2012

[13] P Porras S Cheung M Fong K Skinner and V YegneswaranldquoSecuring the Software Defined Network Control Layerrdquo inProceedings of the Network and Distributed System SecuritySymposium (NDSS rsquo15) San Diego CA USA 2015

[14] Z Guo Y Xu M Cello et al ldquoJumpFlow Reducing flow tableusage in software-defined networksrdquo Computer Networks vol92 pp 300ndash315 2015

[15] P K Manadhata and J M Wing ldquoAn attack surface metricrdquoIEEE Transactions on Software Engineering vol 37 no 3 pp371ndash386 2011

[16] N Poolsappasit R Dewri and I Ray ldquoDynamic security riskmanagement using Bayesian attack graphsrdquo IEEE Transactionson Dependable and Secure Computing vol 9 no 1 pp 61ndash742012

[17] C-C Ten C-C Liu and M Govindarasu ldquoVulnerabilityassessment of cybersecurity for SCADA systems using attacktreesrdquo in Proceedings of the IEEE Power Engineering SocietyGeneral Meeting (PES rsquo07) pp 1ndash8 Tampa FL USA June 2007

[18] S Jajodia A K Ghosh and V SwarupMoving Target DefenseCreating Asymmetric Uncertainty for Cyber Threats SpringerEbooks 2011

10 Security and Communication Networks

[19] S Jajodia S K Ghosh V S Subrahmanian V Swarup CWangand X S WangMoving Target Defense II Application of GameTheory and Adversarial Modeling Advances in InformationSecurity Springer 2012

[20] M H Manshaei Q Zhu T Alpcan T Basar and J-P HubauxldquoGame theory meets network security and privacyrdquo ACMComputing Surveys vol 45 no 3 article 25 2013

[21] M Van Dijk A Juels A Oprea and R L Rivest ldquoFlipIt Thegame of ldquostealthy takeoverrdquordquo Journal of Cryptology vol 26 no4 pp 655ndash713 2013

[22] A Laszka G Horvath M Felegyhazi and L ButtyanldquoFlipThem modeling targeted attacks with flipit for multipleresourcesrdquo in Decision and Game Theory for Security vol 8840of Lecture Notes in Computer Science pp 175ndash194 SpringerInternational Publishing Cham 2014

[23] FloodLight ldquoOpen SDN controllerrdquo httpfloodlightopen-flowhuborg

[24] ldquoRyu SDN Frameworkrdquo httposrggithubioryu[25] ldquoOpenDaylight Consortiumrdquo httpwwwopendaylightorg[26] C Qi J Wu H Hu and G Cheng ldquoDynamic-scheduling

mechanism of controllers based on security policy in software-defined networkrdquo IEEE Electronics Letters vol 52 no 23 pp1918ndash1920 2016

Security and Communication Networks 9

identicalThe only occasion in which the equilibrium exists isthat defenders adoptmaximum reimage andMaxSG schedul-ing method while attackers select maximum probe Fromthe simulation results above as long as attackers carry outmaximum probe they always can acquire higher payoffs andhigher failure probability of the system over random probeon matter what actions defenders take Similarly defenderswill tend to choose maximum reimage and MaxSG to obtainhigher payoffs and lower failure probability whenever theyface random or maximum probe In other words maximumreimage and MaxSG are the best choice for defenders andmaximum probe is the best option for attackers as they canachieve their goals to maximum extent

5 Conclusion

Evaluation of security performance of SDN architecturesplays a critical role in designing reliable structures andestimating system risks Focused on Mcad-SA a novel SDNstructure we attempt to establish amodel to analyze its abilityto resist attackswith the assistance of game theoryThismodelcan represent playersrsquo related information (actions strategiesetc) and quantitatively assess systemrsquos capability to dealwith risks Experimental results indicate the introductionof dynamism redundancy and heterogeneity into SDN canintensify systemrsquos security andmaintain its consistent capabil-ity against diverse probes which is an extraordinary weaknessin current SDN frameworks Further we analyze equilibriumin particular situations where common types of probes anddefense methods are included And analysis results presenthints that for dynamic systems the design of their defensestrategies has certain effect on security enhancement whichimplies that how to devise effective defense mechanism iscrucial to maximize security gain In the future we plan totake internal security mechanism of diverse controllers intoconsideration and pay attention to hybrid security analysis

Conflicts of Interest

The authors declare that they have no conflicts of interest

Acknowledgments

This work is supported by the Foundation for InnovativeResearch Groups of the National Natural Science Foundationof China (no 61521003) the National Key RampD Programof China (no 2016YFB0800100 and no 2016YFB0800101)and the National Natural Science Foundation of China (no61602509)

References

[1] N McKeown T Anderson H Balakrishnan et al ldquoOpenFlowenabling innovation in campus networksrdquo Computer Commu-nication Review vol 38 no 2 pp 69ndash74 2008

[2] D He S Chan and M Guizani ldquoSecuring software definedwireless networksrdquo IEEE Communications Magazine vol 54no 1 pp 20ndash25 2016

[3] C Monsanto J Reich and N Foster ldquoComposing software-defined networksrdquo in Proceedings of the 10th USENIX Confer-ence onNetworked SystemsDesign and Implementation pp 1ndash14USENIX Association 2013

[4] Z Guo M Su Y Xu et al ldquoImproving the performance of loadbalancing in software-defined networks through load variance-based synchronizationrdquoComputerNetworks vol 68 pp 95ndash1092014

[5] P Berde M Gerola J Hart et al ldquoONOS towards an opendistributed SDNOSrdquo in Proceedings of the 3rd ACM SIGCOMM2014 Workshop on Hot Topics in Software Defined Networking(HotSDN rsquo14) pp 1ndash6 August 2014

[6] V Yazici M O Sunay and A O Ercan ldquoControlling a softwaredefined network via distributed controllersrdquo in Proceedings ofthe 2012 NEM Summit pp 16ndash20 2014

[7] H Li P Li S Guo and A Nayak ldquoByzantine-resilient securesoftware-defined networks with multiple controllers in cloudrdquoIEEE Transactions on Cloud Computing vol 2 no 4 pp 436ndash447 2014

[8] X Jin J Gossels J Rexford and D Walker ldquoCoVisor acompositional hypervisor for software-defined networksrdquo inProceedings of the 12th USENIX Symposium on NetworkedSystems Design and Implementation (NSDI rsquo15) pp 87ndash101USENIX Association May 2015

[9] CQi JWuHHu et al ldquoAn intensive security architecturewithmulti-controller for SDNrdquo in Proceedings of the 35th IEEE Con-ference on Computer Communications Workshops (INFOCOMWKSHPS rsquo16) pp 401-402 April 2016

[10] K ElDefrawy and T Kaczmarek ldquoByzantine fault tolerantsoftware-defined networking (SDN) controllersrdquo in Proceedingsof the 2016 IEEE 40th Annual Computer Software and Applica-tions Conference (COMPSAC rsquo16) pp 208ndash213 June 2016

[11] A Prakash and M P Wellman ldquoEmpirical game-theoreticanalysis for moving target defenserdquo in Proceedings of the 2ndACM Workshop on Moving Target Defense (MTD rsquo15) pp 57ndash65 2015

[12] P Porras S Shin V Yegneswaran M Fong M Tyson and GGu ldquoA security enforcement kernel for OpenFlow networksrdquo inProceedings of the 1st ACM InternationalWorkshop onHot Topicsin Software Defined Networks (HotSDN rsquo12) pp 121ndash126 August2012

[13] P Porras S Cheung M Fong K Skinner and V YegneswaranldquoSecuring the Software Defined Network Control Layerrdquo inProceedings of the Network and Distributed System SecuritySymposium (NDSS rsquo15) San Diego CA USA 2015

[14] Z Guo Y Xu M Cello et al ldquoJumpFlow Reducing flow tableusage in software-defined networksrdquo Computer Networks vol92 pp 300ndash315 2015

[15] P K Manadhata and J M Wing ldquoAn attack surface metricrdquoIEEE Transactions on Software Engineering vol 37 no 3 pp371ndash386 2011

[16] N Poolsappasit R Dewri and I Ray ldquoDynamic security riskmanagement using Bayesian attack graphsrdquo IEEE Transactionson Dependable and Secure Computing vol 9 no 1 pp 61ndash742012

[17] C-C Ten C-C Liu and M Govindarasu ldquoVulnerabilityassessment of cybersecurity for SCADA systems using attacktreesrdquo in Proceedings of the IEEE Power Engineering SocietyGeneral Meeting (PES rsquo07) pp 1ndash8 Tampa FL USA June 2007

[18] S Jajodia A K Ghosh and V SwarupMoving Target DefenseCreating Asymmetric Uncertainty for Cyber Threats SpringerEbooks 2011

10 Security and Communication Networks

[19] S Jajodia S K Ghosh V S Subrahmanian V Swarup CWangand X S WangMoving Target Defense II Application of GameTheory and Adversarial Modeling Advances in InformationSecurity Springer 2012

[20] M H Manshaei Q Zhu T Alpcan T Basar and J-P HubauxldquoGame theory meets network security and privacyrdquo ACMComputing Surveys vol 45 no 3 article 25 2013

[21] M Van Dijk A Juels A Oprea and R L Rivest ldquoFlipIt Thegame of ldquostealthy takeoverrdquordquo Journal of Cryptology vol 26 no4 pp 655ndash713 2013

[22] A Laszka G Horvath M Felegyhazi and L ButtyanldquoFlipThem modeling targeted attacks with flipit for multipleresourcesrdquo in Decision and Game Theory for Security vol 8840of Lecture Notes in Computer Science pp 175ndash194 SpringerInternational Publishing Cham 2014

[23] FloodLight ldquoOpen SDN controllerrdquo httpfloodlightopen-flowhuborg

[24] ldquoRyu SDN Frameworkrdquo httposrggithubioryu[25] ldquoOpenDaylight Consortiumrdquo httpwwwopendaylightorg[26] C Qi J Wu H Hu and G Cheng ldquoDynamic-scheduling

mechanism of controllers based on security policy in software-defined networkrdquo IEEE Electronics Letters vol 52 no 23 pp1918ndash1920 2016

10 Security and Communication Networks

[19] S Jajodia S K Ghosh V S Subrahmanian V Swarup CWangand X S WangMoving Target Defense II Application of GameTheory and Adversarial Modeling Advances in InformationSecurity Springer 2012

[20] M H Manshaei Q Zhu T Alpcan T Basar and J-P HubauxldquoGame theory meets network security and privacyrdquo ACMComputing Surveys vol 45 no 3 article 25 2013

[21] M Van Dijk A Juels A Oprea and R L Rivest ldquoFlipIt Thegame of ldquostealthy takeoverrdquordquo Journal of Cryptology vol 26 no4 pp 655ndash713 2013

[22] A Laszka G Horvath M Felegyhazi and L ButtyanldquoFlipThem modeling targeted attacks with flipit for multipleresourcesrdquo in Decision and Game Theory for Security vol 8840of Lecture Notes in Computer Science pp 175ndash194 SpringerInternational Publishing Cham 2014

[23] FloodLight ldquoOpen SDN controllerrdquo httpfloodlightopen-flowhuborg

[24] ldquoRyu SDN Frameworkrdquo httposrggithubioryu[25] ldquoOpenDaylight Consortiumrdquo httpwwwopendaylightorg[26] C Qi J Wu H Hu and G Cheng ldquoDynamic-scheduling

mechanism of controllers based on security policy in software-defined networkrdquo IEEE Electronics Letters vol 52 no 23 pp1918ndash1920 2016

International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Active and Passive Electronic Components

VLSI Design

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Shock and Vibration

Hindawiwwwhindawicom Volume 2018

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom

Journal ofEngineeringVolume 2018

SensorsJournal of

Hindawiwwwhindawicom Volume 2018

International Journal of

RotatingMachinery

Hindawiwwwhindawicom Volume 2018

Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Navigation and Observation

International Journal of

Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom