SD-CPC: SDN Controller Placement Camouflage based on Stochastic Game for Moving-target Defense

Abstract

The modern paradigm of Software Defined Network (SDN) inspired the research community to develop more innovative and transformative solutions for large scale and complex crucial Cyber Physical Systems (CPS). However, the recent destructive attacks targeting such CPS applications, raised the need to initially secure and scale the core SDN network. These attacks may target the heart of SDN networks itself formed by the controllers. Therefore, recent research works discussed the Controller Placement Problem (CPP) to determine the required number of SDN controller(s) and their optimal locations in synonyms wide area networks. A few of the presented solutions discussed the network security aspect to solve this problem. In addition, none of them addressed the need to secure and dynamically change SDN controller location to confuse attackers. Therefore, in this paper, we introduce a new concept of Controller Placement Camouflage (CPC) to dynamically change the attack surface (SDN controller placements) for Moving-target Defense (MTD). The new paradigm of MTD imposes various asymmetric offensive and defensive modes against cyber-adversaries. We relied on the Zero-Sum game as a stochastic game between the system defender and the attacker to guide our MTD solution. In addition, our presented solution is adapted to consider the network vulnerabilities, evaluate the risk level of the system in real-time using Bayesian Attack Graph (BAG), to frequently shift the SDN controller(s) location. Furthermore, we used the Smart Grid as a case study for a mission critical CPS application. We conducted a scenario of UK Bulk Demand Points (BDP), 50MVA generation network capacity map to simulate a real mini-grid network topology. To the best of our knowledge, this research work may be considered the first introduction for SD-CPC for MTD.