
2018 18th IEEE International Conference on Communication Technology

A Software-Defined Intranet Dynamic Defense System

Chen Yang
National Digital Switching System Engineering & Technological R&D Center
Zhengzhou, China
e-mail: bedivere14@outlook.com

Hu Hong-chao
National Digital Switching System Engineering & Technological R&D Center
Zhengzhou, China
e-mail: 13633833568@139.com

Cheng Guo-zhen
National Digital Switching System Engineering & Technological R&D Center
Zhengzhou, China
e-mail: chengguozhen1986@163.com

Abstract—The rise of Bring Your Own Device (BYOD) poses new challenges to the traditional intranet, which used to rely on boundary-based defenses to guarantee internal security. Bringing personal devices inside the boundary threatens internal security. Based on the ideas of isolation and dynamics, this paper designs and implements a Software-defined Intranet Dynamic Defense System (SIDD) to disrupt the cyber kill chain. Firstly, to solve the issue that a network can be easily reconnoitered because of its static attributes, we allocate a virtual IP address space for intranet terminals and implement a dynamic mapping between real IP addresses and virtual IP addresses, so that the real IP address is hidden. Secondly, we propose a software-defined dynamic defense architecture that provides general control of the intranet through three core modules (DNS, virtual and real address assignment, and virtual address maneuvering). Finally, we implement a dynamic defense system oriented to the production environment, based on the OpenDaylight controller. Our experiments indicate that this method achieves a definable IP address whose maneuvering frequency and space are configurable, so it can significantly reduce the value of network reconnaissance and increase the difficulty of an attacker's real-time attack without affecting network applications.

Keywords—intranet defense; software-defined network; isolation; dynamic

I. INTRODUCTION

The internal network of enterprises, institutions, and governments holds a large number of high-value information assets and is one of the main targets for attackers to infiltrate and control. At present, there are two main types of defense for the internal network: the traditional defense scheme based on the boundary, and the zero-trust mechanism that has arisen in recent years. The traditional intranet defense scheme deploys a large number of firewalls, IDSs, and other devices at the borders to build a DMZ between the internal and external networks, which increases the security of the intranet to some extent.

But these defenses face new challenges. On the one hand, attack techniques have become more complex, e.g. advanced persistent threats (APT), social engineering attacks, and zero-day exploits, which traditional security detection systems cannot detect effectively. On the other hand, the boundary of the intranet has become blurred, especially in recent years. With the development of the mobile Internet, Bring Your Own Device (BYOD) [1] has become a new model for enterprises, governments, and other workplaces: employees' own devices are allowed to connect to the internal network. While this model reduces enterprise costs, it exposes enterprise intranets to significant security risks, because attackers can penetrate the internal network through these devices. Therefore, there is an urgent need to study internal cyber threats.

The zero-trust network model was created by John Kindervag [2] in 2010. In short, the zero-trust strategy rejects access unless the network has determined the identity of the user. But migrating to zero trust requires employees to adopt a new way of thinking, and building the system requires a lot of manpower and resources. Google spent two years creating a trusted inventory of users and devices before migrating from traditional corporate networks to BeyondCorp; it is a relatively lengthy process.

In response to these challenges, this paper aims to disrupt the cyber kill chain and increase the difficulty for attackers. We design and implement a Software-defined Intranet Dynamic Defense System (SIDD) based on isolation and dynamics. It keeps the original network configuration intact and minimizes operation and management. We hide the real IP address (rIP) of each terminal in the intranet and assign the terminal a virtual IP address (vIP) to isolate users from one another. The system realizes random maneuvering of the network topology and IP addresses while normal network applications are unaffected.

The main contributions of this paper are as follows:
• We propose a software-defined dynamic defense scheme for the intranet;
• We implement a network dynamic address maneuvering system based on OpenDaylight;
• We build an experimental platform to verify the performance of the system against attacks.

978-1-5386-7635-6/18/$31.00 ©2018 IEEE 849


The paper is structured as follows: in Section 1, we analyze the importance of intranet defense; in Section 2, the current status of zero-trust networks and dynamic networks is described; in Section 3, we propose the system architecture design, and in Section 4 we realize the intranet defense system on OpenDaylight; in Section 5, we devise experiments to evaluate the defensive effect.

II. RELATED WORK

In terms of software-defined security, Google's BeyondCorp [3] [4] enterprise security program moves the focus from network boundaries to devices and users. Its access policy is based on device information, device status, and the associated user, and leans toward analysis of user behavior and device status. Meanwhile, Duo Security's Duo Beyond [5] assumes a zero-trust environment for all devices and deploys Duo certificates to company-managed devices to help companies create and maintain accurate device inventories, including personal devices.

However, in addition to the complexity of deploying a zero-trust network, these technologies require the installation of appropriate software on the client terminal, which affects the user experience; we prefer a way of making changes that is transparent to users.

In the field of address maneuvering, research results including APOD [6], DyNAT [7] and NASR [8] have emerged, but none of these technologies provides an address maneuvering mechanism that prevents internal and external eavesdropping without changing the terminal host configuration. J.H. Jafarian et al. therefore proposed an address maneuvering technique with high-speed mutation and unpredictability, referred to as Random Host Mutation (RHM) [9]. RHM adds a central entity, the Moving Target Controller, and distributed entities, the Moving Target Gateways, for rIP and vIP translation. Afterwards, J.H. Jafarian et al. further improved RHM in combination with the newly emerged OpenFlow technology and obtained the OpenFlow Random Host Mutation (OF-RHM) [10] model. Thanks to the flexible SDN infrastructure, OF-RHM can develop and manage host address random maneuvering functions more efficiently and with less processing cost.

Although these papers have done a lot of research in theory, they do not propose feasible solutions for engineering practice. Starting from current intranet deployment requirements, this paper solves key issues in the engineering practice of dynamic networks.

III. SYSTEM ARCHITECTURE DESIGN

A. Design Principles

The intranet defense system designed in this paper disturbs the attacker's dependence on the static attributes of targets in the intranet and increases the cost of an attack. As a new defense system based on dynamic technology, it must comprehensively consider compatibility with network devices and traditional defense means. It must also consider the management cost caused by introducing a new defense device. Therefore, we first set out the design principles that the system needs to meet, before discussing the overall scheme of the system:

Availability: In order to make the system practical, it must be compatible with existing communication equipment. The goal of the system is not to defend against all attacks, but to be compatible with traditional security devices.

Manageability: Administrators need to be able to configure the network easily; management is simple and adds as little additional administrative overhead as possible.

Distributed: In general, enterprises are cross-regional, so the dynamic defense equipment is also deployed across regions and should support unified network management.

Customizable: Different network environments need different levels of security. For different network requirements, the system needs to provide on-demand network customization, e.g. maneuvering time and IP address segment selection.

Based on the above design principles, we need a device that can centrally manage the network to achieve general control of the intranet. The software-defined network (SDN) [11] [12] [13] provides a flexible infrastructure for network development and management and has minimal operational overhead, so it becomes our design priority. Based on this, we design a software-defined dynamic defense architecture.

B. General Framework

The scheme includes a data plane, a management plane, and a control plane. As shown in Figure 1, the former two are responsible for data forwarding and configuration management respectively; the latter is the core control unit for allocation and maneuvering.

Data plane: This plane is responsible for data forwarding, reducing the transmission rate loss caused by dynamic IP maneuvering.

Management plane: This plane is responsible for configuring the system parameters and obtaining the running state of the system.

Control plane: There are two main functions:
• Resource configuration for terminals and maintenance of a dynamic virtual configuration. It mainly includes the DHCP module, the DNS module, and the vIP Change module. The information of each terminal deployed in the network, e.g. rIP and vIP, is stored in the Terminal Information module.
• Establishing a session for each communication and delivering the forwarding flow. When a Packet_In arrives, a forwarding path is generated and the corresponding packet processing flow is delivered. This enables communication between terminals using the virtual configuration.

This method breaks the static character of the configuration in a traditional network. By dynamically changing the configuration information of the communication network, the attacker cannot obtain the real information of the network, so it can

effectively prevent attacks such as reconnaissance and greatly improve the security capability of the network.

[Figure 1: system framework diagram. The control plane holds the Dynamic IP Change, Virtual IP Assignment, Terminal table, Session, Flow Processing, DNS, ARP and DHCP modules, linked by config, get, modify, inquire and store operations; the management plane configures them; the data plane consists of general switches, the intranet gateway, the external gateway and the Internet.]

Figure 1. System framework.

IV. IMPLEMENTATION OF SIDD

IP allocation and maneuvering mechanisms need a global configuration space and routing information. If the system were implemented on a conventional network, we would have to rely on custom physical devices, whose practicality and economic efficiency are not high. The SDN architecture separates the control plane from the data plane: the control plane can centrally manage the network devices and precisely define how the underlying devices forward data packets, and the data plane is programmable, which allows flexible control over changes in the behavior of the underlying devices. Therefore, the SDN-based IP maneuvering system can be implemented at the software level in cooperation with the SDN switches, and is easier to manage and configure. The actual physical device requirements are relatively small.

A. System State Diagram

As shown in Figure 2, the system mainly has four modules: the DHCP module, the Flow module, the ARP module and the DNS module.

DHCP module: It is mainly responsible for allocating the real and virtual IP to the terminal. When a DISCOVER packet from the terminal arrives, this module generates the terminal's rIP and sends the OFFER packet back after querying the initialization configuration.

The initialization configuration is set through the management front-end. In this system, according to the user's demand, the real IP space can have multiple subnet domains. Through the front-end configuration, we can bind a subnet to each switch in the intranet, dividing the switches into multiple domains, so the terminal's real IP is selected from the subnet bound to its switch.

When the terminal sends a REQUEST packet, this module generates a random vIP and a random domain name for the terminal and sends the ACK. Then the rIP and vIP information is stored in the database under the path corresponding to the switch port the terminal is bound to.

Flow module: It is mainly responsible for establishing communication paths between the two parties. It determines the source and destination address of the packet and establishes the path. Only packets matching a rule can reach the peer; other scans and attack packets are blocked.

[Figure 2: system state diagram. Startup: system startup, RESTCONF initialization, initial flow delivery, Listen. DHCP states: DHCP_DISCOVER, rIP select, DHCP_OFFER; DHCP_REQUEST, vIP select, vIP generate, bound store, DHCP_ACK; DHCP_REQUEST, rIP rebind, DHCP_ACK; lease expires, release. DNS states: DNS_QUESTION, DNS analyze, intranet query / extranet query, DNS response. ARP states: ARP_QUESTION, ARP analyze, ARP response. Communication data (source is rIP, destination is vIP): IP analyze, route planning, path generate, create session, flow generate, flow delivery, match & action; mutation cycle, vIP generate, wait.]

Figure 2. System state diagram.
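As an added example that is not part of the paper and not its OpenDaylight code, the following Python model follows the DHCP, vIP Change and ARP behavior described in Section IV.A and Figure 2: on DHCP_DISCOVER an rIP is selected from the subnet bound to the terminal's access switch; on DHCP_REQUEST a random vIP and a random domain name are generated and the record is stored under the (switch, port) binding; the mutation cycle replaces every vIP while leaving rIPs untouched; lease expiry releases both addresses; and ARP is answered only for the terminal's own real-subnet gateway, with everything else dropped instead of broadcast. The subnets, the vIP pool, the MAC addresses, the naming scheme and the rule that each real subnet's first host address is its gateway are constructed assumptions for this demonstration.

```python
# Added example, not the paper's code: a model of the SIDD DHCP, vIP Change and
# ARP modules (Section IV.A, Figure 2). Subnets, pool, MACs, names and the
# "first host address is the gateway" rule are constructed assumptions.
import ipaddress
import random
from dataclasses import dataclass


@dataclass
class Terminal:
    mac: str
    switch: str   # access switch the terminal is bound to
    port: int     # switch port: the binding under which the record is stored
    rip: str      # real IP, fixed for the lifetime of the lease
    vip: str      # virtual IP, replaced every mutation cycle
    name: str     # random domain name handed out together with the vIP


class AddressController:
    """Control-plane resource configuration for terminals."""

    def __init__(self, switch_subnets, gateway_macs, vip_pool, seed=0):
        self.rng = random.Random(seed)                  # seeded: runs are reproducible
        self.subnets = {sw: ipaddress.ip_network(n) for sw, n in switch_subnets.items()}
        self.gateway_macs = gateway_macs                # ARP module: gateway MAC per real subnet
        self.vip_pool = ipaddress.ip_network(vip_pool)  # disjoint from every real subnet
        self.terminals = {}                             # (switch, port) -> Terminal
        self.offered = {}                               # (switch, port) -> (mac, rIP) awaiting REQUEST
        self.used_rip, self.used_vip = set(), set()

    def gateway(self, switch):
        # Assumption: the first host address of each real subnet is its gateway.
        return str(next(self.subnets[switch].hosts()))

    def _select_rip(self, switch):
        # The rIP comes from the subnet bound to the terminal's switch (its domain).
        for host in self.subnets[switch].hosts():
            cand = str(host)
            if cand != self.gateway(switch) and cand not in self.used_rip:
                return cand
        raise RuntimeError("real subnet of %s exhausted" % switch)

    def _generate_vip(self):
        # Random draw from the vIP pool, skipping network/broadcast and used addresses.
        while True:
            cand = str(self.vip_pool[self.rng.randrange(1, self.vip_pool.num_addresses - 1)])
            if cand not in self.used_vip:
                return cand

    def _generate_name(self):
        return "h%06x.sidd.local" % self.rng.randrange(1 << 24)

    def handle_discover(self, switch, port, mac):
        """DHCP_DISCOVER -> rIP select -> DHCP_OFFER. Returns the offered rIP."""
        rip = self._select_rip(switch)
        self.used_rip.add(rip)
        self.offered[(switch, port)] = (mac, rip)
        return rip

    def handle_request(self, switch, port):
        """DHCP_REQUEST -> vIP select, name generate, bound store -> DHCP_ACK."""
        mac, rip = self.offered.pop((switch, port))
        vip = self._generate_vip()
        self.used_vip.add(vip)
        term = Terminal(mac, switch, port, rip, vip, self._generate_name())
        self.terminals[(switch, port)] = term
        return term

    def mutation_cycle(self):
        """vIP Change module: every bound terminal gets a fresh vIP; rIPs are untouched."""
        for term in self.terminals.values():
            new_vip = self._generate_vip()  # old vIP is still marked used, so new != old
            self.used_vip.discard(term.vip)
            self.used_vip.add(new_vip)
            term.vip = new_vip

    def release(self, switch, port):
        """Lease expires -> release: both addresses return to their pools."""
        term = self.terminals.pop((switch, port))
        self.used_rip.discard(term.rip)
        self.used_vip.discard(term.vip)

    def handle_arp(self, switch, port, target_ip):
        """ARP module: answer only the terminal's own real-subnet gateway; every
        other request is dropped (None), so no ARP is broadcast on the intranet."""
        if (switch, port) in self.terminals and target_ip == self.gateway(switch):
            return self.gateway_macs[switch]
        return None


def build_demo():
    """Constructed two-switch deployment used by the demonstration below."""
    return AddressController(
        switch_subnets={"s1": "100.0.0.0/24", "s2": "100.0.1.0/24"},
        gateway_macs={"s1": "02:00:00:00:01:01", "s2": "02:00:00:00:02:01"},
        vip_pool="182.92.0.0/16",
        seed=7,
    )


if __name__ == "__main__":
    ctl = build_demo()
    ctl.handle_discover("s1", 1, "02:00:00:00:01:aa")
    term = ctl.handle_request("s1", 1)
    print("bound:", term)
    ctl.mutation_cycle()
    print("after one mutation cycle:", term.rip, term.vip)
```

The vIP pool and the real subnets are kept disjoint on purpose, which is the condition the ARP module description in Section IV.A relies on; the seeded generator only makes the demonstration repeatable and would be replaced by a cryptographically strong source in a deployment.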

ARP module: It is mainly responsible for storing the gateway address of each real subnet. Because the communication messages of both peers must be a combination of "rIP + vIP", the configured real IP domain and virtual IP domain are not on one network segment, to ensure security. Messages emitted from a terminal must carry the gateway MAC of the terminal's own rIP subnet domain. The ARP module has two functions: 1) disallowing broadcast of ARP packets on the intranet (ARP broadcast packets are the best helper for network sniffing on the intranet); 2) responding to the terminal's gateway MAC request.

DNS module: It is mainly responsible for reverse domain name lookup and rIP query. For reverse domain name lookups, a terminal can only find its own domain name and cannot obtain other terminals' domain names. A terminal can find the corresponding rIP through a domain name. Thus communication sessions can only be established by mutual confirmation.

B. Communication Protocols

The communication process in this paper uses a virtual source address and a real destination address, which has the following advantages:
• Packets from the terminal, once modified by the access end, can be received directly by the destination terminal without any further changes. This improves the efficiency of switch packet processing;
• It also relaxes the requirements on the switches in the transmission domain, that is, switches that do not support SDN can be used, which helps the practical adoption of the system.

As shown in Figure 3, the communication process steps are as follows:
Step 1: Host 1 sends a packet <n2, ?> to the DNS server in the controller to request Host 2's address;
Step 2: The DNS server responds to Host 1's request by sending a packet <n2, v2> with Host 2's vIP;
Step 3: Host 1 sends a packet to Host 2 using its own rIP and Host 2's current virtual address v2, in the format <r1, v2>;
Step 4: When the packet passes through the access end of Host 1, if the packet arrives for the first time and there is no matching flow table entry, it is sent to the controller for processing. The controller establishes a transmission path and delivers the flow table entries that process the packet to the corresponding switch. After the flow table matches, the switch replaces the source address of the packet with the current virtual address v1 of Host 1 and the destination address with the real address of Host 2. The message format is <v1, r2>;
Step 5: The packet is transmitted in the network in the format <v1, r2> until it reaches Host 2;
Step 6: The packets of Host 2 are returned following Steps 3, 4 and 5.

In this paper, we establish a session for each communication process and store it. The session is a six-element array, S = {sRip, sVip, dRip, dVip, Protocol, TTL}, representing the source's rIP and vIP, the destination's rIP and vIP, the communication protocol, and the lifetime, respectively. The vIPs in the array are the current virtual addresses of the terminals when the session is established. The session is destroyed at the end of its lifetime TTL.

[Figure 3: communication process between Terminal1 and Terminal2 through their access ends, the transmission domain and the controller. Labels: ① <n2, ?>, ② <n2, vIP2>, ③ <rIP1, vIP2>, ④ <rIP1→vIP1, vIP2→rIP2> at Terminal1's access end, ⑤ <vIP1, rIP2> in the transmission domain; in the reverse direction Terminal2 sends <rIP2, vIP1>, its access end applies ④ <rIP2→vIP2, vIP1→rIP1>, giving <vIP2, rIP1>.]

Figure 3. Communication process.

The vIP of this session stays unchanged even after the terminal's assigned vIP has been updated. The purpose is to ensure a good user experience and to use network resources efficiently. In this way, when a new packet arrives, the controller first checks whether the session exists, and uses the existing virtual configuration to distribute the flows.

V. EVALUATION

In this section, we provide an experimental evaluation of the defense effectiveness and overhead of SIDD. The experimental topology is shown in Figure 4.

For example, if H2 wants to communicate with H1, it has to inform H1 first. H1 queries its own domain name using a reverse-DNS lookup, and then tells H2 out of band. Finally, H2 obtains H1's rIP through the domain name, and the communication is completed. The actual process is shown in Figure 5, and the switch's flow table information is shown in Table I.

TABLE I. RELEASED FLOW

Match                                           Action
LLDP, DHCP, ARP, DNS                            controller
tcp, nw_src=100.0.0.42, nw_dst=171.11.201.38    mod_dl_dst:c2:32:f7:4a:12:72, mod_nw_src:182.92.251.111, mod_nw_dst:100.0.0.40, output:1
tcp, nw_src=100.0.0.40, nw_dst=182.92.251.111   mod_dl_dst:06:23:f7:b9:bd:98, mod_nw_src:171.11.201.38, mod_nw_dst:100.0.0.42, output:1
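The session handling of Section IV.B and the flow pair of Table I, as an added example that is not the paper's code: a small controller model that answers the forward DNS query of Steps 1 and 2 with the peer's current vIP, restricts reverse lookups to the requesting terminal, creates the six-element session S on the first Packet_In, emits the two flows in the match/action notation of Table I, keeps using the session's stored vIPs after a terminal's vIP has been rotated, gives no flow to packets addressed to a vIP that no longer maps to any terminal, and destroys the session when its TTL runs out. The rIPs, vIPs and MACs are the ones in Table I; the domain names, the third terminal, the TTL value and the output port are constructed assumptions.

```python
# Added example, not the paper's code: a model of the SIDD DNS module, the
# six-element session S = {sRip, sVip, dRip, dVip, Protocol, TTL} and the flow
# pair of Table I (Section IV.B). The rIPs, vIPs and MACs come from Table I;
# domain names, the third terminal, the TTL and the output port are assumptions.
from dataclasses import dataclass


@dataclass
class Terminal:
    mac: str
    rip: str
    vip: str    # current virtual address, replaced by the vIP Change module
    name: str   # random domain name assigned together with the vIP


@dataclass
class Session:
    s_rip: str
    s_vip: str
    d_rip: str
    d_vip: str
    protocol: str
    ttl: int    # remaining lifetime in seconds


class SessionController:
    def __init__(self, terminals, ttl=300):
        self.by_rip = {t.rip: t for t in terminals}
        self.by_name = {t.name: t for t in terminals}
        self.default_ttl = ttl
        self.sessions = []

    def _owner_of_vip(self, vip):
        # Only the current vIP of a terminal resolves; rotated-out vIPs do not.
        return next((t for t in self.by_rip.values() if t.vip == vip), None)

    # ---- DNS module ----
    def dns_query(self, name):
        """Steps 1 and 2: <n2, ?> is answered with <n2, v2>, the peer's current vIP."""
        t = self.by_name.get(name)
        return t.vip if t else None

    def dns_reverse(self, requester_rip, addr):
        """Reverse lookup: a terminal can resolve only its own rIP or vIP."""
        t = self.by_rip.get(requester_rip)
        return t.name if t and addr in (t.rip, t.vip) else None

    # ---- Flow module ----
    def _find_session(self, src_rip, dst_vip, proto):
        for s in self.sessions:
            if s.protocol == proto and (
                (s.s_rip, s.d_vip) == (src_rip, dst_vip)      # original direction
                or (s.d_rip, s.s_vip) == (src_rip, dst_vip)   # reply direction, Step 6
            ):
                return s
        return None

    def packet_in(self, src_rip, dst_vip, proto="tcp", out_port=1):
        """Step 4: reuse the existing session or create one; returns the flow
        pair to deliver, or None when the packet gets no flow and is dropped."""
        s = self._find_session(src_rip, dst_vip, proto)
        if s is None:
            src, dst = self.by_rip.get(src_rip), self._owner_of_vip(dst_vip)
            if src is None or dst is None or src is dst:
                return None  # unknown source or stale/never-valid vIP: a scan hits nothing
            s = Session(src.rip, src.vip, dst.rip, dst.vip, proto, self.default_ttl)
            self.sessions.append(s)
        return self.flow_pair(s, out_port)

    def flow_pair(self, s, out_port):
        """The two flows of a session in the match/action notation of Table I."""
        src, dst = self.by_rip[s.s_rip], self.by_rip[s.d_rip]
        fwd = (f"{s.protocol},nw_src={s.s_rip},nw_dst={s.d_vip} actions="
               f"mod_dl_dst:{dst.mac},mod_nw_src:{s.s_vip},mod_nw_dst:{s.d_rip},output:{out_port}")
        rev = (f"{s.protocol},nw_src={s.d_rip},nw_dst={s.s_vip} actions="
               f"mod_dl_dst:{src.mac},mod_nw_src:{s.d_vip},mod_nw_dst:{s.s_rip},output:{out_port}")
        return fwd, rev

    def rotate_vip(self, rip, new_vip):
        """vIP Change: the terminal moves, but established sessions keep their vIPs."""
        self.by_rip[rip].vip = new_vip

    def tick(self, seconds):
        """Age every session; sessions whose TTL has elapsed are destroyed."""
        for s in self.sessions:
            s.ttl -= seconds
        self.sessions = [s for s in self.sessions if s.ttl > 0]
        return len(self.sessions)


def build_demo():
    """Terminals for the demonstration: the first two carry the Table I values."""
    return SessionController([
        Terminal("06:23:f7:b9:bd:98", "100.0.0.42", "182.92.251.111", "t42.sidd.local"),
        Terminal("c2:32:f7:4a:12:72", "100.0.0.40", "171.11.201.38", "t40.sidd.local"),
        Terminal("0a:00:00:00:00:43", "100.0.0.43", "171.11.5.5", "t43.sidd.local"),  # constructed
    ], ttl=300)


if __name__ == "__main__":
    ctl = build_demo()
    v2 = ctl.dns_query("t40.sidd.local")            # Steps 1 and 2
    for flow in ctl.packet_in("100.0.0.42", v2):    # Steps 3 and 4: the Table I flows
        print(flow)
    ctl.rotate_vip("100.0.0.40", "171.11.9.9")      # one mutation cycle
    print("session reused:", ctl.packet_in("100.0.0.42", v2) is not None)
    print("stale vIP from a newcomer:", ctl.packet_in("100.0.0.43", v2))
```

Two properties of the design are visible here: an address an attacker learned by scanning is useful only to a host that already holds a session with it, and once that session's TTL expires the address is dead for everyone. The pair of flows per session is also the source of the overhead measured in Section V.B.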

[Figure 4: network topology, with H1, H2 and an attacker attached to OF switches, a controller, a switch, and FTP, mail and web servers.]

Figure 4. Network topology.

Figure 5. Session process.

A. Evaluation of Attack Effect

Scanning is usually a precursory step to an attack. Attackers often use scanning tools such as Nmap to discover active hosts in the target network and use them as hitlists. SIDD can prevent hitlist-based attacks effectively because the discovered IP addresses soon become out of date.

In order to show the effectiveness of SIDD against attacks, this paper uses Mininet to generate 100 online hosts and 50 attackers running Nmap. The online hosts maneuver in a class B network pool. The attackers scan the network for 120 minutes using PING, TCP packets (TCP_SYN), and reverse domain name lookups (DNS_PTR). We found that the proportion of vIPs found in any scan did not exceed 4%, as shown in Figure 6. The PING scan and the reverse domain scan return no results. This is related to the maneuvering space of the hosts: if we continue to expand the scope of the maneuvering, a vIP is even less likely to be scanned. An attacker can use reverse domain name resolution to discover scan targets and use them for future attacks. However, SIDD only processes the reverse lookup of the domain name that belongs to the requesting host, so this attack method is invalid.

Figure 6. Ratio of hit.

Figure 7. No. of flows.

B. Overhead Evaluation

Because SIDD establishes a pair of flows for every session, the number of flows stored by the switch is very large. As shown in Figure 7, when the switch is processing sessions of 100 terminals at the same time, the delivered flows can reach up to 4954, which is a huge challenge to the performance of the switch. In comparison, the switch only needs 100 flows in normal circumstances.

VI. SUMMARY

This paper addresses existing intranet security issues. From the perspective of disrupting the cyber kill chain, we design and implement a Software-defined Intranet Dynamic Defense System (SIDD) that defeats detection by using random and unpredictable host IP address maneuvering. Our experimental results show that SIDD can invalidate the information collection of external scans by up to 99% and can block large-scale network attacks, e.g. zero-day exploits, worms and DoS. In the future, we plan to study the effect of SIDD on other attack models (such as application layer attacks).

ACKNOWLEDGMENT

This work was supported by the Information Engineering University Emerging Direction Nurturing Fund (2016610708), the National Natural Science Foundation of China (61602509), the National Key Research and Development Program of China (2016YFB0800100, 2016YFB0800101), and the Key Technologies Research and Development Program of Henan Province of China (172102210615).

REFERENCES

[1] Flores D A, Qazi F, Jhumka A. "Bring Your Own Disclosure: Analysing BYOD Threats to Corporate Information," Trustcom/BigDataSE/ISPA. IEEE, 2017.
[2] Kindervag J. "Build Security Into Your Network's DNA: The Zero Trust Network Architecture," Forrester Research Inc, 2010: 1-26.
[3] Escobedo V, Beyer B, Saltonstall M, et al. "BeyondCorp: The User Experience," 2017.
[4] Beske C M C, Peck J, Saltonstall M. "Migrating to BeyondCorp: Maintaining Productivity While Improving Security," 2017.
[5] https://duo.com/docs.
[6] Atighetchi M, Pal P, Webber F, et al. "Adaptive use of network-centric mechanisms in cyber-defense," IEEE International Symposium on Object-Oriented Real-Time Distributed Computing. IEEE, 2003: 183-192.
[7] Kewley D, Fink R, Lowry J, et al. "Dynamic approaches to thwart adversary intelligence gathering," DARPA Information Survivability Conference & Exposition II, 2001. DISCEX '01. Proceedings. IEEE, 2001: 176-185 vol. 1.
[8] Antonatos S, Anagnostakis K G. "TAO: Protecting Against Hitlist Worms Using Transparent Address Obfuscation," IFIP TC-6 TC-11 International Conference on Communications and Multimedia Security. Springer-Verlag, 2006: 12-21.
[9] Jafarian J H, Al-Shaer E, Duan Q. "An Effective Address Mutation Approach for Disrupting Reconnaissance Attacks," IEEE Transactions on Information Forensics & Security, 2015, 10(12): 2562-2577.
[10] Jafarian J H, Al-Shaer E, Duan Q. "OpenFlow random host mutation: transparent moving target defense using software defined networking," The Workshop on Hot Topics in Software Defined Networks. ACM, 2012: 127-132.
[11] Hassan W, Omar T. "Future Controller Design and Implementation Trends in Software Defined Networking," Journal of Communications, 2018, 13(5): 209-217.
[12] Zhu X, Chen B, Qian H. "HawkFlow: Scheme for Scalable Hierarchically Distributed Control in Software Defined Network," Journal of Communications, 2016, 11(10): 910-917.
[13] Xu C, Chen B, Qian H. "Quality of Service Guaranteed Resource Management Dynamically in Software Defined Network," Journal of Communications, 2015, 10(11): 843-850.
