A proactive defense method against eavesdropping attack in SDN-based storage environment

Abstract

The integration of Software-Defined Networking (SDN) in storage centers aims to enhance storage performance. However, this integration also introduces new concerns, particularly the potential eavesdropping attacks that pose a substantial risk to data privacy. By issuing flow tables (e.g., via compromised SDN switches), attackers can conveniently collect target traffic and extract confidential information with session reassembly methods. To proactively mitigate such attacks by preventing session reassembly, various moving target defense methods, such as end hopping, have been proposed. However, this study uncovers several deficiencies within existing end hopping methods. To address these deficiencies, we propose a novel linkage-field-based self-synchronizing end hopping method, which obfuscates end information (e.g., IP, Port) and linkage fields (e.g., sequence number and ID number) without third-party assistance. Furthermore, to counter the potential invalidation of end hopping methods resulting from brute-force reassembly of a small number of sessions, we propose a fake segment injection method. Extensive experiments have been conducted both in simulation and real-world environment to evaluate the effectiveness of our proposed methods. The results demonstrate that our proposed methods can effectively defend against eavesdropping attacks with acceptable performance overhead.