
Research Article
SDN-Based Double Hopping Communication against Sniffer Attack

Zheng Zhao,1 Daofu Gong,1 Bin Lu,1 Fenlin Liu,1 and Chuanhao Zhang2,3

1 Zhengzhou Science and Technology Institute, Zhengzhou 450002, China
2 Railway Police College, Zhengzhou 450002, China
3 National Digital Switching System Engineering & Technological R&D Center, Zhengzhou 450002, China

Correspondence should be addressed to Zheng Zhao diyigemsnhotmailcom

Received 7 September 2015; Revised 6 December 2015; Accepted 8 December 2015

Academic Editor: Oleg V. Gendelman

Copyright © 2016 Zheng Zhao et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Sniffer attack has been a severe threat to network communication security. Traditional networks usually use static network configuration, which provides convenience to sniffer attack. In this paper, an SDN-based double hopping communication (DHC) approach is proposed to solve this problem. In DHC, the ends in communication packets as well as the routing paths are changed dynamically. Therefore, the traffic will be distributed over multiple flows and transmitted along different paths. Moreover, the data from multiple users will be mixed, bringing difficulty for attackers in obtaining and recovering the communication data, so that sniffer attack will be prevented effectively. It is concluded that DHC is able to increase the overhead of sniffer attack, as well as the difficulty of communication data recovery.

1. Introduction

Sniffer attack is a serious matter for network communication security. Sniffer attack is one of the most popular ways used by attackers; it captures and analyzes network communication data. Sniffer attackers are able to eavesdrop on communication data from network nodes or links, monitor network status, and steal sensitive data such as usernames and passwords. However, the static network configurations in traditional networks provide convenience for sniffer attack. For instance, static ends and route configurations make it easy for attackers to obtain and analyze communication data.

Communication encryption is a traditional approach to preventing sniffer attack. The communication data is encrypted during transmission, making it difficult for attackers to crack the information. However, there are still some limitations in practical applications. Firstly, the encryption protocol should be supported by both communicating sides, or communication would fail. Secondly, a large number of popular protocols, such as HTTP, FTP, Telnet, and SMTP, do not apply encryption in their basic form, which causes serious security risk to communication based on these protocols. Thirdly, security flaws exist in some encryption protocols, by which attackers may crack communication data.

Moving target defense (MTD) [1–4], a recently proposed technology, uses dynamicity to enhance communication security. The network configuration is dynamically changed to deceive attackers [5, 6], avoid attacks [7–9], and defend against attacks [10, 11]. However, potential attacks still exist even if a single network configuration is changed [5]. Changes of multiple network configurations can enhance the dynamicity of the network and further improve network security.

Collaborative changes of multiple network configurations put forward higher requirements on the capabilities of network management. Distributed control is adopted in traditional IP networks, in which the routing table configuration relies on routing protocols. In this paradigm, serious consequences, such as service interruptions and routing inflation, can appear due to the changing network configuration [9]. And it is hard for traditional networks to change multiple network configurations collaboratively. For example, it is difficult for MPLS, a high-speed networking technique used in traditional networks, to implement dynamic resource changes due to the lack of a global view and flexible resource allocation

Hindawi Publishing Corporation, Mathematical Problems in Engineering, Volume 2016, Article ID 8927169, 13 pages, http://dx.doi.org/10.1155/2016/8927169

[12]. Dynamic transformation of host IP configuration is attempted in traditional networks in [9], but the cost is high because several new devices are introduced. So collaborative changes among multiple network configurations demand powerful management of the network. The emerging software-defined network (SDN) [13] brings a new method to realize dynamic network configuration. SDN decouples the control plane and the forwarding plane (data plane) and applies logically centralized control. The powerful network management and control ability of SDN makes the realization of dynamic network configuration more flexible. The programmable nature of SDN can control the flow tables of forwarding devices directly and avoid service interruptions and routing inflation. The centralized control of SDN makes it possible to have a global view of the network. Therefore, collaborative changes of multiple network configurations can be realized.

In this paper, double hopping communication (DHC) is proposed based on the SDN architecture to enhance the ability to resist sniffer attack. DHC periodically changes the end information of both communication sides as well as the routing paths between them, thus realizing double hopping of end and route. In DHC, communication data is transmitted along multiple paths and data flows from multiple users are mixed. It is difficult for attackers to obtain complete data from one communication in DHC, and moreover it sets obstacles that prevent attackers from correctly separating the data of one single user from all the data they obtain. Therefore, the overhead and difficulty for attackers to obtain and analyze communication data are dramatically increased, since attackers are unable to conduct targeted sniffing. In addition, DHC is constructed on SDN, which is transparent to the terminals, and neither extra external software nor hardware is needed.

The rest of the paper is organized as follows. In Section 2, related work is discussed. Section 3 describes the basic principles of DHC. In Section 4, we describe the basic architecture and communication protocols of DHC. Section 5 presents the prototype deployment and simulation experiment, and the security of DHC is analyzed in Section 6. Section 7 concludes the paper.

2. Related Work

Hopping communication, based on the dynamics and randomness of MTD technology, is one type of active network defense method aimed at breaking the hypothesis of static network configuration, and it can improve network security via dynamics and randomness [11, 14]. Currently, researchers have proposed different hopping communication techniques. Atighetchi et al. [6] proposed a hopping approach based on fake addresses and ports. Fake addresses and ports are used during data transmission to confuse attackers. Sifalakis et al. [15] proposed a network address hopping method (NAH) based on information hiding techniques. The data flow is spread across multiple end-to-end connections by network address hopping during transmission; thus, point-to-point data transmission security can be improved. In [10], a random port-hopping (RPH) scheme was proposed to defend against DDoS attacks by changing the communication ports. In MT6D [16], proposed by Dunlop et al., robust IP hopping is achieved by taking advantage of the address space of IPv6. A tunnel technique is used to encapsulate the packets; the source and destination IP addresses of the tunnel are changed repeatedly, making it difficult for attackers to sniff communication traffic. The approaches described above have their own advantages. However, in all of these methods the end is hopped while the routing path stays unchanged, which makes it possible for attackers to obtain complete communication data and therefore recover the communication data. Moreover, in order to realize hopping communication, deploying software on terminals and adding hardware in the network are needed, which causes high cost.

In traditional networks, quick cooperative hopping is difficult under distributed route management. However, the emerging software-defined network has brought new methods to hopping communication. Based on SDN, Kampanakis et al. [5] proposed three kinds of MTD methods, including reconnaissance protection, service version/OS hiding, and random host/route mutation. Attack cost, benefits, and potential attackers' countermeasures of these three methods are analyzed respectively in that work. These methods involve network scanning, DDoS, and worms, but DHC focuses on sniffer attack. In the SDN architecture, a flexible IP hopping method that is transparent to terminals, called OF-RHM [7, 17], is proposed by Jafarian et al. It is true that the effectiveness of sniffer attack is decreased by OF-RHM, but the virtual IP must stay unchanged during one continuous communication, which enables attackers to obtain the complete data of one communication from a single switch. Jafarian et al. [18] proposed a technique in which hopping is implemented temporally and spatially in order to interfere with attackers' views of the network. This hopping communication can defeat collaborative scanning attacks effectively. However, in our work multiple network configurations are changed dynamically to enhance the dynamism of the network for resisting sniffer attack. The work in [19] achieves fast IP hopping to resist scanning and worm propagation. The method discovers hazardous network ranges and addresses adaptively and evacuates network hosts from them quickly. MacFarland and Shue [20] provide a scalable moving target system to enable key security properties and maintain acceptable performance. The method distinguishes trustworthy and untrustworthy clients to provide access control for legacy clients.

There exist multiple paths between two nodes in a network topology, which are used by researchers to improve communication security. An active random route mutation (RRM) method is proposed by Duan et al. [8, 21] and applied in the SDN environment. Routes of multiple flows in the network are changed randomly and simultaneously. However, multiple disjoint (uncrossed) paths between source and destination are required, which is difficult to satisfy in common network topologies. In addition, no end hopping is involved in the RRM method, which enables attackers to recover communication data between hosts by sniffing multiple switches. Dolev and David [22] use multiple paths between datacenters to achieve secure communication. In order to ensure privacy, an $n$-$k$ secret sharing method is used to encrypt communication data. The source creates $n$ shares of its data, then sends them along multiple paths, and makes sure that no $k$ or more shares pass the same router. Thus, the method achieves a theoretically secure channel to the public cloud. However, in our work, ends and route paths are changed frequently to increase the cost for attackers of obtaining and reconstructing communication data. Gillani et al. [23] migrate virtual routers among multiple paths to invalidate the network topology probes of attacks; therefore, link DDoS attacks are resisted. Gkounis et al. [24] proposed a method based on the SDN architecture to detect and mitigate the Crossfire attack [25] by rerouting traffic via multiple paths. The two abovementioned works aim to resist link DDoS attacks, while our work, aimed at resisting sniffer attack, increases the cost of attackers through changes of ends and routing paths.

3. Basic Principles of DHC

In network communication based on static configuration, when two hosts communicate over one connection, all the packets in the communication contain information about this connection, and the transmission path of the communication packets is static. These two facts provide convenience for attackers to sniff network communication. Attackers are able to obtain communication data easily from the target by sniffing, on the transmission path, the network flow that matches the target end. In the DHC approach, both end and route are hopped based on the SDN architecture. Dynamics and randomness are introduced into the communication in two dimensions, end and route. For the data plane, a random hopping end and route are configured by the controller in every hopping period after one connection is established. In this way, both end hopping and route hopping are achieved.

In DHC, the ends on both communication sides hop dynamically. The data from multiple users will be mixed, and end-to-end traffic is hidden in the network background traffic. Frequent hopping of the end brings difficulty for attackers in selecting and sorting the sniffed packets as well as in recovering the initial data. Thus, the difficulty of analyzing communication data is increased. Route hopping changes the routing paths of the packets dynamically, spreading the communication traffic over multiple routing paths. In this way, the overhead and difficulty of sniffing are increased, since continuous communication data is difficult to obtain. To sum up, double hopping of both end and route limits the communication data that attackers can obtain and sets obstacles for attackers to analyze the data.

4. Basic Architecture of DHC

When conducting hopping communication in DHC, the end and routing path that are about to hop are selected first. Then flow tables are updated according to the hopping protocol. Thus, the end hopping space and route hopping space, as well as the hopping communication protocol, should be taken into consideration to realize DHC.

4.1. End Hopping Space. An end consists of the IP address of the host and the port in communication. It is an essential element of communication between two hosts in a network, and it uniquely defines one communication side in the network. One connection in network communication contains the IP addresses and ports of both source and destination hosts. Therefore $EI = (\mathrm{IP}_{src}, P_{src}, \mathrm{IP}_{dst}, P_{dst})$ is defined to represent the end of one connection. The end of packets mentioned throughout the paper refers to this definition. In DHC, the end hopping space $S_{\mathrm{EH}}$ consists of hopping IP addresses and hopping ports. Given the IP address pool $\mathrm{Addr} = \{\mathrm{IP}_1, \mathrm{IP}_2, \dots, \mathrm{IP}_m\}$ and the hopping port pool $\mathrm{Port} = \{P_1, P_2, \dots, P_n\}$, the end hopping space can be represented by

$$S_{\mathrm{EH}} = \{(\mathrm{IP}_{src}, P_{src}, \mathrm{IP}_{dst}, P_{dst}) \mid \mathrm{IP}_{src}, \mathrm{IP}_{dst} \in \mathrm{Addr},\ \mathrm{IP}_{src} \neq \mathrm{IP}_{dst},\ P_{src}, P_{dst} \in \mathrm{Port}\} \quad (1)$$

Unoccupied hopping ends are randomly selected in $S_{\mathrm{EH}}$ to replace the real ends in communication when the ends need hopping.

4.2. Route Hopping Space. One routing path between source and destination hosts is a sequence that consists of forwarding nodes (i.e., OF switches). Define $Path = \langle node_{src}, node_1, node_2, \dots, node_{dst} \rangle$, where $node_{src}$ connects with the source host and is called the source forwarding node (source switch), and $node_{dst}$ connects with the destination host and is called the destination forwarding node (destination switch). Under the SDN architecture, the controller has the global network view. Therefore, all paths connecting source and destination hosts that satisfy certain conditions can be calculated, constituting the route hopping space.

Suppose the source host $H_1$ communicates with destination host $H_2$; the corresponding route hopping space $S_{\mathrm{RH}}^{H_1 \to H_2}$ is calculated as follows.

(1) Calculate all acyclic paths between $H_1$ and $H_2$ that are not longer than the maximum path length $L$ according to the topology of the network, and let them constitute the path set $PathSet_{H_1 \to H_2}$.

(2) For $Path_i, Path_j \in PathSet_{H_1 \to H_2}$, if $Nodes(Path_i) \subset Nodes(Path_j)$ holds, delete $Path_j$ from the path set $PathSet_{H_1 \to H_2}$, where $Nodes(Path_i)$ represents the set of nodes that path $Path_i$ passes. The reason for deleting $Path_j$ is that no node in $Path_i$ can be avoided when packets pass along $Path_j$, which only leads to a longer path.

The route hopping space $S_{\mathrm{RH}}^{H_1 \to H_2}$ is obtained from the steps above. If $|S_{\mathrm{RH}}^{H_1 \to H_2}| > 1$ holds, the paths in $S_{\mathrm{RH}}^{H_1 \to H_2}$ satisfy the following: $\forall Path_i, Path_j \in S_{\mathrm{RH}}^{H_1 \to H_2}$ with $Path_i \neq Path_j$, there exists $node \in Nodes(Path_i)$ such that $node \notin Nodes(Path_j)$, which means that $Path_j$ does not pass at least one node in $Path_i$.

In order to guarantee the unpredictability of the hopping path, randomness in hopping path selection is essential. One simple method is random path selection, which randomly selects one path in $S_{\mathrm{RH}}^{H_1 \to H_2}$ at the beginning of each period and takes it as the hopping path during the period. The probability of selection for each path in $S_{\mathrm{RH}}^{H_1 \to H_2}$ is identical.

Input: $(Path_1, \dots, Path_u)$, $(w_1, \dots, w_u)$, $RandNum$
Output: $Path$
WeightedRandomPathSelect$((Path_1, \dots, Path_u), (w_1, \dots, w_u), RandNum)$
(1) $sum = 0$
(2) for $i$ in $(1, 2, \dots, u)$
(3)   $new\_sum \leftarrow sum + w_i$
(4)   if $sum < RandNum \le new\_sum$
(5)     return $Path_i$
(6)   else $sum = new\_sum$

Algorithm 1: Weighted random path selection algorithm.

However, traffic may be forwarded unevenly by the nodes, which means there is a possibility that a large amount of traffic is forwarded by one single node. In this case, if attackers sniff on this specific node, a large amount of communication data will be obtained easily. The reason is that paths in $S_{\mathrm{RH}}^{H_1 \to H_2}$ intersect. Fortunately, this threat can be mitigated in DHC by using weighted random path selection.

For a node, we define $C_{H_1 \to H_2}(node)$ as the number of paths in the route hopping space $S_{\mathrm{RH}}^{H_1 \to H_2}$ that pass through $node$. For a node set $set$, we define $C_{H_1 \to H_2}(set) = \{C_{H_1 \to H_2}(node) \mid node \in set\}$. Suppose that for one connection between hosts $H_1$ and $H_2$ there is $Path_k \in S_{\mathrm{RH}}^{H_1 \to H_2}$; $d(Path_k)$ denotes the node set that remains after the common nodes (e.g., the source forwarding node and destination forwarding node) through which all paths in $S_{\mathrm{RH}}^{H_1 \to H_2}$ pass are deleted. The weight of $Path_k$ is defined as

$$Weight(Path_k) = \frac{1 / \mathrm{Max}\big(C_{H_1 \to H_2}(d(Path_k))\big)}{\sum_{Path_i \in S_{\mathrm{RH}}^{H_1 \to H_2}} 1 / \mathrm{Max}\big(C_{H_1 \to H_2}(d(Path_i))\big)} \quad (2)$$

where the function $\mathrm{Max}$ returns the maximum value in $C_{H_1 \to H_2}(set)$. By using the weighting function above, a lower weight is assigned to paths containing nodes that more paths cross. Therefore, the chance that excessive traffic passes through one single node in the network (except the nodes common to all paths) due to intersection is reduced.

The weighted random path selection algorithm is shown in Algorithm 1. The probability of one path being chosen is set as the weight of the path. The inputs of the algorithm include the paths $(Path_1, \dots, Path_u)$ in the route hopping space $S_{\mathrm{RH}}^{H_1 \to H_2}$, the corresponding weights $(w_1, \dots, w_u)$, and a random number $RandNum \in [0, 1]$ (note that step 4 only matches when $RandNum > 0$, so in practice $RandNum$ should be drawn from $(0, 1]$). In the algorithm, the weights are accumulated for each path in steps 2 to 6. The path corresponding to the current weight is returned when the sum of the accumulated weights becomes greater than or equal to the random number $RandNum$.
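The route hopping space of Section 4.2, the weights of Equation (2), and Algorithm 1, carried through in Python as an added example. This is not the paper's DhcFlower code; the six-switch topology is constructed for illustration, $L$ is taken to count nodes on a path (the paper does not fix the unit), and a path whose every node is common to all paths is given the neutral value 1 because the paper does not define $\mathrm{Max}$ over an empty set.

```python
"""Added example (not the paper's code): route hopping space (Section 4.2),
path weights (Equation (2)) and weighted random path selection (Algorithm 1).
The topology below is constructed for illustration."""
import random

# Constructed topology: S1-S2-S3-S5, S1-S4-S3-S5, S1-S6-S5, plus a cross link S2-S4
EDGES = [("S1", "S2"), ("S2", "S3"), ("S3", "S5"), ("S1", "S4"),
         ("S4", "S3"), ("S1", "S6"), ("S6", "S5"), ("S2", "S4")]


def adjacency(edges):
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def all_acyclic_paths(adj, src, dst, max_len):
    """Step (1): every acyclic src->dst path with at most max_len nodes
    (assumption: L counts nodes)."""
    paths = []

    def dfs(node, path):
        if node == dst:
            paths.append(tuple(path))
            return
        if len(path) >= max_len:
            return
        for nxt in sorted(adj[node]):
            if nxt not in path:          # acyclic: never revisit a node
                dfs(nxt, path + [nxt])

    dfs(src, [src])
    return paths


def route_hopping_space(adj, src, dst, max_len):
    """Step (2): drop Path_j whenever some other path's node set is a strict
    subset of Nodes(Path_j); what remains is S_RH^{src->dst}."""
    paths = all_acyclic_paths(adj, src, dst, max_len)
    nodes = {p: frozenset(p) for p in paths}
    return [pj for pj in paths
            if not any(nodes[pi] < nodes[pj] for pi in paths if pi != pj)]


def path_weights(space):
    """Equation (2): C(node) counts the paths through node, d(Path_k) removes
    the nodes common to every path, weight ~ 1 / Max(C(d(Path_k)))."""
    if not space:
        return []
    count = {}
    for p in space:
        for n in p:
            count[n] = count.get(n, 0) + 1
    common = set.intersection(*(set(p) for p in space))
    inverse = []
    for p in space:
        d = [n for n in p if n not in common]
        # Assumption: a path with no non-common nodes gets the neutral value 1.
        inverse.append(1.0 / max(count[n] for n in d) if d else 1.0)
    total = sum(inverse)
    return [x / total for x in inverse]


def weighted_random_path_select(paths, weights, rand_num):
    """Algorithm 1: walk the cumulative weights; rand_num must lie in (0, 1]."""
    acc = 0.0
    for path, w in zip(paths, weights):
        new_acc = acc + w
        if acc < rand_num <= new_acc:
            return path
        acc = new_acc
    return paths[-1]   # only reachable if floating-point rounding leaves the sum below rand_num


def choose_hopping_path(adj, src, dst, max_len, rng=random):
    """One hopping period: build the space, weight it, draw one path."""
    space = route_hopping_space(adj, src, dst, max_len)
    weights = path_weights(space)
    rand_num = 1.0 - rng.random()   # random() is [0, 1); Algorithm 1 needs (0, 1]
    return weighted_random_path_select(space, weights, rand_num)


if __name__ == "__main__":
    adj = adjacency(EDGES)
    space = route_hopping_space(adj, "S1", "S5", max_len=6)
    for p, w in zip(space, path_weights(space)):
        print(" -> ".join(p), f"weight={w:.2f}")
    print("chosen:", choose_hopping_path(adj, "S1", "S5", 6, random.Random(7)))
```

On this topology five acyclic paths exist from S1 to S5, two of which (S1,S2,S4,S3,S5) and (S1,S4,S2,S3,S5) are discarded by step (2) because they contain all nodes of a shorter path. Of the three remaining, S3 is shared by two paths, so those two receive weight 0.25 each and the path through S6 receives 0.5, which is exactly the load shift away from the intersecting node that Equation (2) is meant to produce.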

4.3. DHC Protocol. In DHC, for each period $T_{hop}$, one hopping end $hEI$ and one path $Path$ from source to destination are randomly chosen. New flow entries are generated by the controller and installed in the OF switches. The end of packets from the source host is modified to $hEI$, and these packets are transmitted to the destination host along $Path$. Thus double hopping of end and route with period $T_{hop}$ as granularity is realized.

4.3.1. Double Hopping. The basic protocol of DHC is illustrated in Figure 1. It is a network with SDN architecture in which host $H_1$ communicates with $H_2$. Denote the end hopping space as $S_{\mathrm{EH}}$ and the route hopping space of the communication as $S_{\mathrm{RH}}^{H_1 \to H_2}$. Firstly, the initial end $rEI = (\mathrm{IP}_1, P_1, \mathrm{IP}_2, P_2)$ is generated by $H_1$ according to the real IP addresses and ports of the two communication sides; then the address of the communication is determined.

Detailed steps of double hopping are as follows.

(1) The first packet containing $rEI$ is sent to the network by $H_1$. OF switch $S_1$ receives the packet and encapsulates it as a packet-in message. Then the packet-in message is sent to the controller.

(2) The packet-in message is decapsulated by the controller and $rEI$ is extracted. Then the hopping end $hEI_1 = (\mathrm{IP}'_1, P'_1, \mathrm{IP}'_2, P'_2)$ is selected randomly in $S_{\mathrm{EH}}$. The route hopping space $S_{\mathrm{RH}}^{H_1 \to H_2}$ is calculated by the controller and $Path_1 = (S_1, S_2, S_5)$ is chosen using the weighted random path selection algorithm. With the knowledge of $hEI_1$ and $Path_1$, the controller generates flow entries encapsulated as modify-state messages and sends them to OF switches $S_1$, $S_2$, and $S_5$. Corresponding modification and routing of the packets are conducted.

(3) The ends $(\mathrm{IP}_1, P_1, \mathrm{IP}_2, P_2)$ in the packets are modified to $(\mathrm{IP}'_1, P'_1, \mathrm{IP}'_2, P'_2)$ by the source switch $S_1$, and the modified packets are forwarded to OF switch $S_2$, then to the destination switch $S_5$.

(4) The ends $(\mathrm{IP}'_1, P'_1, \mathrm{IP}'_2, P'_2)$ in the packets are recovered to $rEI$ and forwarded to host $H_2$ by the destination switch $S_5$. Then $H_2$ receives the packets from $H_1$.

In this communication, the hopping end is recalculated by the controller after a hopping period $T_{hop}$ and is represented as $hEI_2 = (\mathrm{IP}''_1, P''_1, \mathrm{IP}''_2, P''_2)$, as shown in Figure 1. A new path, denoted as $Path_2 = (S_1, S_3, S_4, S_5)$, is selected in $S_{\mathrm{RH}}^{H_1 \to H_2}$ using the weighted random path selection algorithm. Then the flow entries in the OF switches are updated. The source switch $S_1$ modifies the end in the packets sent from $H_1$ to $H_2$ to $hEI_2$ and forwards the modified packets along $Path_2$. In the destination switch $S_5$, the end of these packets is recovered to the real end $(\mathrm{IP}_1, P_1, \mathrm{IP}_2, P_2)$.

Figure 1: An example of double hopping communication. The controller manages switches $S_1$ to $S_5$; $H_1$ $(\mathrm{IP}_1, P_1)$ sends to $H_2$ $(\mathrm{IP}_2, P_2)$ with real end $(\mathrm{IP}_1, P_1, \mathrm{IP}_2, P_2)$; in the first period the packets in transit carry $(\mathrm{IP}'_1, P'_1, \mathrm{IP}'_2, P'_2)$, in the next period $(\mathrm{IP}''_1, P''_1, \mathrm{IP}''_2, P''_2)$; the numbered arrows 1 to 4 mark the protocol steps.

Figure 2: An example of flow entries update. Switches $S_1$ to $S_7$; the end of the packets changes from $rEI$ to $hEI_1$ and then to $hEI_2$.

The procedure described above does not modify the real end on either host. Instead, it modifies the end and routing path of the communication packets dynamically during network transmission. The source and destination hosts thus achieve hopping communication transparently, without the ongoing communication being interrupted. Once the packets of the communication between $H_1$ and $H_2$ enter the network, the end of the packets and the routing path are hopped over time. For each hopping period $T_{hop}$, the hopping end and route are reconfigured by the controller. The communication is considered finished when the controller detects, via flow-removed messages sent by the switches, that the flow entries have not been hit during a hopping period. From then on the flow entries are no longer updated.

4.3.2. Flow Entries Update. The flow entries in the OF switches need to be updated when end and route are hopped in DHC. Moreover, it should be guaranteed that the flow entries update is consistent and no packet is lost. Suppose that hopping communication is conducted in the network topology shown in Figure 2. Assume that the end is currently being hopped by switch $S_1$ from $rEI$ to $hEI_1$, and the packets are being transmitted along the path $(S_1, S_2, S_3, S_4, S_5)$. In this circumstance, to hop the end of the packets from $rEI$ to $hEI_2$ and to hop the routing path from $(S_1, S_2, S_3, S_4, S_5)$ to $(S_1, S_2, S_6, S_7, S_4, S_5)$, the steps of updating the flow entries are as follows.

(1) The controller sends modify-state messages to install new flow entries in switches $S_2, S_6, S_7, S_4, S_5$ for forwarding the packets with end $hEI_2$. At this time the new flow entries will not be hit by any packet, because there are no packets in the network that contain the end $hEI_2$.

(2) The controller sends a modify-state message to modify the flow entry in switch $S_1$; thus the end of the packets is converted from $rEI$ to $hEI_2$.

(3) The controller sends modify-state messages to delete the old flow entries in switches $S_2, S_3, S_4, S_5$ after the maximum transmission delay of the path $(S_1, S_2, S_3, S_4, S_5)$ has elapsed.

The method of updating the flow entries described above guarantees that traffic is still routed by the old flow entries during the update, avoiding packet loss. In addition, traffic is routed by the updated flow entries after the update, maintaining per-packet consistency. Step (3) therefore depends on a sound upper bound for the transmission delay of the old path: a packet carrying $hEI_1$ that is still in flight when the old entries are deleted misses in the flow table and is not delivered.
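The rewrite/restore protocol of Section 4.3.1 and the three-step update of Section 4.3.2, modelled in Python as an added example (not the paper's DhcFlower code). Switches are dictionaries keyed by the end tuple, one tick stands for one hop of transmission delay, and the addresses, ports, tick timings and the Figure 2 paths are constructed for illustration; a one-shot update is run beside the DHC order to show why the order matters.

```python
"""Added example, not the paper's code: a tick-level model of the DHC
rewrite/restore protocol (Section 4.3.1) and the three-step flow-entry update
of Section 4.3.2, with a naive one-shot update for contrast. Topology, ends
and tick timings are constructed for illustration."""
from collections import deque

HOST = "HOST"                                       # pseudo next-hop: deliver to host
REAL = ("10.0.0.1", 40000, "10.0.0.2", 80)          # rEI   (constructed)
HEI1 = ("172.16.3.9", 51234, "172.16.7.21", 23456)  # hEI_1 (constructed, drawn from S_EH)
HEI2 = ("172.16.9.2", 60001, "172.16.1.77", 1042)   # hEI_2 (constructed, drawn from S_EH)
OLD_PATH = ("S1", "S2", "S3", "S4", "S5")            # paths of Figure 2
NEW_PATH = ("S1", "S2", "S6", "S7", "S4", "S5")


class Network:
    """Each switch holds a flow table keyed by the end tuple; a packet advances
    one switch per tick, which stands in for the per-hop transmission delay."""

    def __init__(self, names):
        self.tables = {n: {} for n in names}   # name -> {match_end: (rewrite_end, next_hop)}
        self.inflight = deque()                # (switch, packet) waiting for its next hop
        self.delivered, self.dropped = [], []

    def inject(self, switch, pkt):
        self.inflight.append((switch, pkt))

    def tick(self):
        for _ in range(len(self.inflight)):
            node, pkt = self.inflight.popleft()
            entry = self.tables[node].get(pkt["end"])
            if entry is None:                  # table miss: no entry for this end
                self.dropped.append(pkt)
                continue
            rewrite, nxt = entry
            if rewrite is not None:
                pkt = dict(pkt, end=rewrite)
            if nxt == HOST:
                self.delivered.append(pkt)
            else:
                self.inflight.append((nxt, pkt))


# Controller side: OpenFlow modify-state messages modelled as table writes.
def install_transit(net, path, hop_end, real_end):
    """Entries for every switch after the source: forward hop_end along path;
    the destination switch restores the real end and outputs to the host."""
    for i in range(1, len(path)):
        nxt = path[i + 1] if i + 1 < len(path) else HOST
        net.tables[path[i]][hop_end] = (real_end if nxt == HOST else None, nxt)


def set_source(net, path, real_end, hop_end):
    """Source switch: match the real end, rewrite it to hop_end, forward to path[1]."""
    net.tables[path[0]][real_end] = (hop_end, path[1])


def delete_transit(net, path, hop_end):
    for name in path[1:]:
        net.tables[name].pop(hop_end, None)


def dhc_update_schedule(net, start):
    """Section 4.3.2 order: (1) new transit entries, (2) flip the source switch,
    (3) delete the old entries only after the old path's maximum delay elapsed."""
    max_delay = len(OLD_PATH)   # one hop per tick in this model
    return {
        start: lambda: install_transit(net, NEW_PATH, HEI2, REAL),
        start + 1: lambda: set_source(net, NEW_PATH, REAL, HEI2),
        start + 1 + max_delay: lambda: delete_transit(net, OLD_PATH, HEI1),
    }


def naive_update_schedule(net, start):
    """Everything in one shot: old entries vanish while packets are in flight."""
    def all_at_once():
        delete_transit(net, OLD_PATH, HEI1)
        install_transit(net, NEW_PATH, HEI2, REAL)
        set_source(net, NEW_PATH, REAL, HEI2)
    return {start: all_at_once}


def run(schedule_fn, packets=20, hop_at=5):
    """H1 sends one packet per tick into S1; the controller hops at tick hop_at."""
    net = Network(["S1", "S2", "S3", "S4", "S5", "S6", "S7"])
    install_transit(net, OLD_PATH, HEI1, REAL)
    set_source(net, OLD_PATH, REAL, HEI1)
    schedule = schedule_fn(net, hop_at)
    for t in range(packets):
        net.inject("S1", {"seq": t, "end": REAL})
        if t in schedule:
            schedule[t]()
        net.tick()
    for _ in range(len(NEW_PATH) + 2):         # drain packets still in flight
        net.tick()
    return net


if __name__ == "__main__":
    good, bad = run(dhc_update_schedule), run(naive_update_schedule)
    print("DHC order: delivered", len(good.delivered), "dropped", len(good.dropped))
    print("naive    : delivered", len(bad.delivered), "dropped", len(bad.dropped))
```

With the DHC ordering all 20 packets reach $H_2$ in sequence and every one carries the real end again, because the $hEI_1$ entries stay until the last $hEI_1$ packet has cleared the old path. The one-shot update drops the four packets that were between $S_2$ and $S_5$ at the moment the old entries disappeared, which is exactly the loss step (3) is designed to avoid.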

5. Prototype Deployment and Simulation Experiment

5.1. Prototype Deployment. To verify the performance and security of DHC, DhcFlower, a prototype based on an SDN controller, is implemented. As shown in Figure 3, DhcFlower runs on top of the SDN controller, which manages the switches through OpenFlow.

In the prototype deployment of DHC, TopologyDiscovery reports changes of the network topology and updates the view of the network. FlowMonitor monitors the flow state of the network to find the initiation and termination of connections. Based on the view and flow state of the network, DhcFlower chooses the ends and routing paths with which to convert the network configurations.

The detailed structure of DhcFlower is shown in Figure 4. TopologyDiscovery updates the topology database TopologyInfo with changes of the network topology. Using the network topology information, the hopping path calculator calculates multiple paths for each pair of nodes and stores the hopping path information in the hopping path pool. Hopping ends are stored in the hopping end pool. With the hopping end pool and hopping path pool, the double hopping engine, as the core module, chooses the hopping end and path based on flow state information. Afterwards, the hopping strategies are generated. The flow updater generates flow entries based on the hopping strategies and updates the flow tables in a specific order.

5.2. Simulation Experiment. To evaluate DHC, we have run our implemented prototype on Mininet [26]. OpenFlow 1.0 [27] is applied, and POX [28] is used as the controller. A class B address block is chosen as the hopping IP address pool, and the hopping port pool is denoted as {0, 1, ..., 65535}. The network topology proposed by [29] is applied, which has 16 nodes (forwarding nodes), as illustrated in Figure 5. The maximum path length $L$ is set to 32.

6 Mathematical Problems in Engineering

Figure 3: DHC prototype deployment. (Figure: DhcFlower, TopologyDiscovery and FlowMonitor run on the controller, which manages the OF switches through OpenFlow.)

Figure 4: Makeup of DhcFlower. (Figure: the controller hosts DhcFlower with its double hopping engine, hopping path calculator, flow updater, hopping path pool, hopping end pool and topology info, fed by FlowMonitor and TopologyDiscovery, and emits flow entries.)

5.2.1. Validation of the Effectiveness of End Hopping. UDP packets from the terminal on node 1 are sent to the terminal on node 16 for 500 s. Packets are sniffed on the forwarding nodes, and the number of ends received on each node is counted. The sniffing results in DHC and in the traditional network are shown in Figure 6.

As demonstrated in Figure 6, on some forwarding nodes in the traditional network, such as nodes 4, 7, 8, and 12, only one end can be sniffed. However, in DHC, apart from the source and destination forwarding nodes, multiple ends can be sniffed on the other forwarding nodes. Because the end of a packet is invariant in traditional networks, the sniffed end stays unchanged, which brings convenience for attackers: an attacker can launch a targeted sniffer on any connection and obtain the complete communication data of that connection.

In DHC, the end changes randomly and periodically, so the ends sniffed on the forwarding nodes between source and destination hosts vary. It is difficult for attackers to determine which ends belong to the same connection, which increases the difficulty of reconstructing the communication data. Moreover, the more frequently the ends hop, the more ends will be sniffed on the forwarding nodes: it can be seen in Figure 6 that more ends are sniffed when $T_{\mathrm{hop}} = 5$ s than when $T_{\mathrm{hop}} = 10$ s. In addition, fewer ends can be sniffed on forwarding node 9 than on the other nodes, as can be seen in the figure. The reason is that fewer paths pass through forwarding node 9 than through the other nodes, so its probability of being hit by weighted random selection is lower.

5.2.2. Validation of the Effectiveness of Route Hopping. In the experiment, $10^6$ packets are transmitted from node 5 to node 6 at a rate of $10^4$ packets per second. The hopping period $T_{\mathrm{hop}}$ is set to 5 s. Packets are sniffed on the forwarding nodes, and the number of packets sniffed is counted. In the DHC network, random path selection and weighted random path selection are applied to conduct hopping communication. The sniffing results are compared with traditional network communication, as shown in Figure 7.

Figure 5: Network topology applied in the experiment. (Figure: 16 forwarding nodes, numbered 1 to 16.)

Figure 6: Number of ends sniffed from a single flow. (Figure: x-axis, forwarding node 2 to 15; y-axis, the number of sniffed ends, 0 to 90; series: traditional network, DHC with $T_{\mathrm{hop}} = 10$ s, DHC with $T_{\mathrm{hop}} = 5$ s.)

In Figure 7, the vertical coordinate stands for the fraction of all the packets transmitted from node 5 to node 6. As we can see, in the traditional network the complete communication data from the source host to the destination host can be sniffed on some nodes (e.g., nodes 6, 11, and 12), which means that attackers can sniff the complete data on any one of these nodes, and further data analysis is possible. Since shortest-path routing is applied in the traditional network and the path stays unchanged during the communication, the complete communication data can be obtained on any node that the shortest path goes through. In DHC, the packets of a connection are distributed over several paths by route hopping, so it is difficult for attackers to sniff the complete data on a single forwarding node. If random path selection is applied, the possibility of sniffing a large amount of data on certain nodes still exists: as shown in Figure 7, more than 50% of the data can be sniffed on forwarding nodes 4, 8, and 12. Applying weighted random path selection avoids excessive traffic passing through certain nodes, because a lower weight is assigned to paths containing nodes that many paths cross.

Figure 7: Percentage of packets sniffed from a single flow. (Figure: x-axis, forwarding nodes 1 to 4 and 6 to 15; y-axis, fraction of the transmitted packets, 0 to 1; series: DHC with random path selection, DHC with weighted path selection, traditional network.)

5.2.3. Validation of the Effectiveness against Sniffer Attack. In the experiment, 100 MB of data is transmitted from node 1 to node 16 over 500 s. The hopping period $T_{\mathrm{hop}}$ is set to 5 s. Data is sniffed on the node sets $A_1 = \{8\}$, $A_2 = \{8, 9\}$, $A_3 = \{8, 9, 10\}$, and $A_4 = \{8, 9, 10, 11\}$, respectively. The shortest path from node 1 to node 16 is $1 \to 4 \to 7 \to 8 \to 12 \to 16$. The percentage of data sniffed on the node sets $A_1$, $A_2$, $A_3$, and $A_4$ is presented in Figure 8.

As illustrated in Figure 8, the complete communication data can be sniffed on all sniffed node sets $A_1$, $A_2$, $A_3$, and $A_4$ in the traditional network, since they all contain node 8 on the shortest path, where the complete data can be sniffed. However, in DHC the complete data cannot be obtained from the node sets $A_1$, $A_2$, and $A_3$, since route hopping is applied. The percentage of data sniffed on $A_1$ and on $A_2$ is the same, because the traffic that passes through $A_2$ also passes through $A_1$. Only $A_4$ can sniff the complete communication data in DHC. Even then, the ends of the data are diverse because of end hopping. We consider packets with the same end to be static data that attackers can obtain. The static data that attackers can obtain in hopping communication is far less than in the traditional network.

Figure 8: Percentage of data that can be sniffed by attackers. (Figure: x-axis, the sniffed set $A_1$ to $A_4$; y-axis, fraction of sniffed data, 0 to 1.0; series: the sniffed data in DHC, the sniffed static data in the traditional network, the sniffed static data in DHC.)

Figure 9: Performance of forwarding in DHC. (Figure: x-axis, the amount of data transmitted, 1 to 1000 MB; y-axis, data transmission time, 0 to 1400 s; series: traditional network, DHC with $T_{\mathrm{hop}} = 10$ s, DHC with $T_{\mathrm{hop}} = 5$ s.)

5.2.4. Performance of DHC. In the experiment, the bandwidth of all connections in the network topology is set to 10 Mb/s. Data is transmitted from the terminal on node 1 to the terminal on node 16 using the File Transfer Protocol (FTP). The time for data transmission in both DHC and the traditional network is recorded. The results are shown in Figure 9.

As can be seen in Figure 9, the time consumed by data transmission in DHC increases in comparison with the traditional network. The reason is that multiple paths from source to destination are selected, including longer paths, whereas the data is routed along the shortest path in the traditional network. Therefore, the transmission time in DHC is longer than in the traditional network, but the increase is less than 7% when $T_{\mathrm{hop}} = 5$ s in the experiment. Routing path hopping of a connection results in a small number of disordered packets at the receiving end when a new period starts, which then causes retransmission. Therefore, the more frequently the flow entries are updated, the more likely retransmission becomes. We can also see from Figure 9 that more time is consumed to transmit the data when $T_{\mathrm{hop}} = 5$ s than when $T_{\mathrm{hop}} = 10$ s.

6. Analysis

In DHC, each hopping connection needs to occupy hopping ends in every period. In Section 6.1, the number of hopping connections that can be supported in a DHC network, that is, the hopping network capacity, is analyzed. DHC makes it difficult for attackers to obtain complete data and to reconstruct data, so communication security is improved; the obtaining and the reconstruction of communication data are discussed in Sections 6.2 and 6.3. The unpredictability and the cost of DHC are analyzed in Sections 6.4 and 6.5, respectively.

6.1. Capacity of Hopping Network. Suppose the sizes of the hopping IP address pool and the port pool are $|Addr|$ and $|Port|$, respectively. The number of all ends $(IP_{src}, P_{src}, IP_{dst}, P_{dst})$ is $|Addr|^2 \times |Port|^2$, and the number of ends with $IP_{src} = IP_{dst}$ is $|Addr| \times |Port|^2$. According to the definition of an end, valid ends require $IP_{src} \neq IP_{dst}$, so the size of the valid end hopping space $S_{EH}$ can be calculated by

$$|S_{EH}| = |Addr|^2 \times |Port|^2 - |Addr| \times |Port|^2. \quad (3)$$

In DHC, end hopping is performed in both directions of a connection, which means that at any moment one connection needs two ends. Assuming $t$ hopping connections exist simultaneously in the network, $2t$ ends are needed, so $|S_{EH}| - 2t$ ends are left. To ensure high randomness in hopping end selection, enough unoccupied hopping ends in $S_{EH}$ are necessary. Suppose the maximum occupancy rate of the end hopping space $S_{EH}$ is $\alpha$, that is, at least $(1 - \alpha)|S_{EH}|$ ends are unoccupied. Then inequality (4) holds:

$$(1 - \alpha)\,|S_{EH}| \le |S_{EH}| - 2t, \qquad t \le \frac{1}{2}\,\alpha\,|S_{EH}|. \quad (4)$$

Therefore, the maximum number of hopping connections allowed in DHC is $(1/2)\,\alpha\,|S_{EH}|$; that is, the capacity of the hopping network is $(1/2)\,\alpha\,|S_{EH}|$.

Combining (3) and inequality (4), the following inequality is obtained:

$$t \le \frac{1}{2}\,\alpha\,\bigl(|Addr|^2 \times |Port|^2 - |Addr| \times |Port|^2\bigr). \quad (5)$$

Assume $|Port| = 2^{16}$, $|Addr| = 2^{16}$ (the hopping IP address pool is a class B address block), and $\alpha = 0.8$. Then DHC can support $7.37 \times 10^{18}$ connections hopping simultaneously.

6.2. Analysis of Complete Communication Data Obtaining by Attackers. We hypothesize that attackers can sniff a randomly chosen part of the forwarding nodes in the network. Suppose the network topology $G = \langle V, E \rangle$ is an undirected connected graph, where $V$ is the set of forwarding nodes and $E$ is the set of links. $V$ contains $m$ forwarding nodes, and attackers can randomly sniff $n$ of them simultaneously ($n \le m$). The sniffed node set consisting of these sniffed forwarding nodes is denoted as $V^n_{\mathrm{sniff}}$, with $V^n_{\mathrm{sniff}} \subseteq V$ and $|V^n_{\mathrm{sniff}}| = n$.

The source host $host_{src}$ communicates with the destination host $host_{dst}$. The source and destination forwarding nodes are denoted as $node_{src}$ and $node_{dst}$, respectively. Assume there are $s$ nodes on the shortest path between $host_{src}$ and $host_{dst}$ ($1 \le s \le m$), which constitute the node set $U_s$. In the traditional network, if $V^n_{\mathrm{sniff}} \cap U_s \neq \emptyset$, the complete communication data between $host_{src}$ and $host_{dst}$ can be obtained by attackers; if $V^n_{\mathrm{sniff}} \cap U_s = \emptyset$, no communication data can be sniffed. The probability of attackers obtaining the complete communication data in the traditional network can be calculated by (6), where $C^n_m$ is the number of all $V^n_{\mathrm{sniff}}$ and $C^n_{m-s}$ is the number of $V^n_{\mathrm{sniff}}$ with $V^n_{\mathrm{sniff}} \cap U_s = \emptyset$, so $C^n_m - C^n_{m-s}$ is the number of $V^n_{\mathrm{sniff}}$ with $V^n_{\mathrm{sniff}} \cap U_s \neq \emptyset$:

$$P_{\mathrm{traditional}} = \frac{C^n_m - C^n_{m-s}}{C^n_m}. \quad (6)$$

In DHC, attackers can sniff the complete data between $host_{src}$ and $host_{dst}$ if $node_{src} \in V^n_{\mathrm{sniff}}$ or $node_{dst} \in V^n_{\mathrm{sniff}}$; the number of such $V^n_{\mathrm{sniff}}$ is $C^1_2 C^{n-1}_{m-2} + C^2_2 C^{n-2}_{m-2}$. In the other cases, where $node_{src} \notin V^n_{\mathrm{sniff}}$ and $node_{dst} \notin V^n_{\mathrm{sniff}}$, sniffing the complete data requires that a vertex cut-set $V_{\mathrm{cut}}$ be contained in $V^n_{\mathrm{sniff}}$ and that $node_{src}$ and $node_{dst}$ be separated by $V_{\mathrm{cut}}$ into different connected subgraphs; that is, $V^n_{\mathrm{sniff}} \supseteq V_{\mathrm{cut}}$, where $G$ is cut by $V_{\mathrm{cut}}$ into $k$ connected subgraphs $G_1, G_2, \ldots, G_k$ with $node_{src} \in G_i$, $node_{dst} \in G_j$, $1 \le i, j \le k$, and $i \neq j$. Suppose there exist $Q^n_{src,dst}$ sniffed node sets $V^n_{\mathrm{sniff}}$ that contain such a $V_{\mathrm{cut}}$. Then the probability of attackers obtaining the complete data between $host_{src}$ and $host_{dst}$ can be calculated by

$$P_{\mathrm{hop}} = \frac{C^1_2 C^{n-1}_{m-2} + C^2_2 C^{n-2}_{m-2} + Q^n_{src,dst}}{C^n_m}. \quad (7)$$

Proposition 1. The probability of attackers obtaining the complete data of one communication in the traditional network is not less than that in DHC; that is, $P_{\mathrm{traditional}} \ge P_{\mathrm{hop}}$.

The proof of this proposition is given in the Appendix. In the network topology shown in Figure 5, suppose a host on node 1 communicates with a host on node 16. The shortest path from node 1 to node 16 contains 6 nodes. Attackers can sniff $n$ nodes randomly ($1 \le n \le 16$). The probabilities of attackers obtaining the complete data in the traditional network and in the DHC network are shown in Figure 10.
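The two probabilities can be checked by brute force on a small graph. The following is an added example, not code from the paper or from DhcFlower: the 7-node topology is constructed for illustration (the text does not give the edge list of Figure 5), with two node-disjoint paths between the source forwarding node 0 and the destination forwarding node 6 so that the shortest path is unique. It enumerates every $n$-node sniffed set, counts those that intersect the shortest path (static routing, equation (6)) and those that contain an endpoint forwarding node or form a vertex cut (route hopping, equation (7)), compares the counts with the closed forms, and checks Proposition 1 for every $n$.

```python
"""Enumeration check of the sniffing-probability model, equations (6) and (7).

Added example, not code from the paper or from DhcFlower. The 7-node graph below
is constructed for illustration; it is not the 16-node topology of Figure 5.
"""
from collections import deque
from fractions import Fraction
from itertools import combinations
from math import comb as _comb

# Constructed topology: upper path 0-1-2-6 is the unique shortest path
# (s = 4 nodes); lower path 0-3-4-5-6 is one hop longer.
NODES = range(7)
EDGES = [(0, 1), (1, 2), (2, 6), (0, 3), (3, 4), (4, 5), (5, 6)]
SRC, DST = 0, 6
SHORTEST_PATH_NODES = {0, 1, 2, 6}          # U_s in the paper's notation


def comb(n, k):
    """Binomial coefficient that is 0 outside 0 <= k <= n (math.comb rejects k < 0)."""
    return _comb(n, k) if 0 <= k <= n else 0


def connected(edges, removed, a, b):
    """True if a and b remain connected after deleting the nodes in `removed`."""
    adj = {}
    for u, v in edges:
        if u in removed or v in removed:
            continue
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    seen, queue = {a}, deque([a])
    while queue:
        u = queue.popleft()
        if u == b:
            return True
        for w in adj.get(u, ()):
            if w not in seen:
                seen.add(w)
                queue.append(w)
    return False


def q_src_dst(n):
    """Q^n_{src,dst}: n-node sniffed sets that hold neither endpoint forwarding
    node yet separate the source from the destination (a vertex cut)."""
    others = [v for v in NODES if v not in (SRC, DST)]
    return sum(1 for s in combinations(others, n)
               if not connected(EDGES, set(s), SRC, DST))


def p_traditional_enum(n):
    """Static routing: fraction of n-node sniffed sets meeting the fixed shortest path."""
    sets = list(combinations(NODES, n))
    hit = sum(1 for s in sets if SHORTEST_PATH_NODES & set(s))
    return Fraction(hit, len(sets))


def p_hop_enum(n):
    """Route hopping: fraction of n-node sniffed sets that hold an endpoint
    forwarding node or cut every path between source and destination."""
    sets = list(combinations(NODES, n))
    ok = sum(1 for s in sets
             if SRC in s or DST in s or not connected(EDGES, set(s), SRC, DST))
    return Fraction(ok, len(sets))


def p_traditional_formula(n, m=len(NODES), s=len(SHORTEST_PATH_NODES)):
    """Equation (6): (C(m,n) - C(m-s,n)) / C(m,n)."""
    return Fraction(comb(m, n) - comb(m - s, n), comb(m, n))


def p_hop_formula(n, m=len(NODES)):
    """Equation (7): (C(2,1) C(m-2,n-1) + C(2,2) C(m-2,n-2) + Q^n) / C(m,n)."""
    num = comb(2, 1) * comb(m - 2, n - 1) + comb(2, 2) * comb(m - 2, n - 2) + q_src_dst(n)
    return Fraction(num, comb(m, n))


def proposition_1_holds():
    """Proposition 1 on this graph: P_traditional >= P_hop for every n."""
    return all(p_traditional_enum(n) >= p_hop_enum(n) for n in range(1, len(NODES) + 1))


if __name__ == "__main__":
    for n in range(1, len(NODES) + 1):
        print(f"n={n}: P_traditional={p_traditional_formula(n)}  P_hop={p_hop_formula(n)}")
```

On this graph the enumeration and the closed forms agree for every $n$; $P_{\mathrm{hop}}$ trails $P_{\mathrm{traditional}}$ for small sniffed sets (2/7 against 4/7 for a single sniffed node) and catches up once the sets are large enough to cut both paths, mirroring the behaviour the text reports for Figure 10. Exact fractions are used so that the comparison with the formulas is not blurred by floating-point rounding.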

As can be seen from Figure 10, the probability of attackers obtaining the complete data increases with the number of sniffed nodes in both the traditional and the DHC network, but $P_{\mathrm{hop}} \le P_{\mathrm{traditional}}$ always holds. The probability of attackers obtaining the complete data is 1 in both the traditional and the DHC network when the number of sniffed nodes exceeds 10. Although the probability of attackers sniffing the complete data increases in the DHC network when a large number of forwarding nodes are sniffed, attackers also obtain more irrelevant data. Since the end hops constantly during a communication, attackers cannot easily pick out the traffic that belongs to the target from the sniffed data, which increases the difficulty of reconstructing and recovering the communication data.

Figure 10: Probability of obtaining complete data. (Figure: x-axis, the number of monitored nodes, 1 to 16; y-axis, the probability of obtaining complete communication data, 0 to 1; series: DHC, traditional network.)

6.3. Analysis of Communication Data Reconstruction for Attackers. Reconstruction of communication data requires the complete data of that communication. In this section, assume attackers can sniff the complete data of the communication between the source and destination hosts. In the traditional network, attackers can deduce the positions of both communicating sides and the upper layer protocol from the IP addresses and ports of the sniffed packets. Useless packets can be eliminated based on the end, and the target communication data can be obtained. However, in the DHC network no real end of the source and destination hosts can be sniffed by attackers if the source and destination forwarding nodes are not sniffed. The data of a communication is distributed over various flows that attackers are not able to distinguish. Suppose that there are $f_{\mathrm{sniff}}$ flows in the sniffed data, among which $f_{\mathrm{real}}$ flows contain the data of the target connections ($f_{\mathrm{real}} \le f_{\mathrm{sniff}}$), and different ends are applied in different connections. There are $C^h_{f_{\mathrm{sniff}}}$ combinations when attackers randomly choose $h$ flows from the $f_{\mathrm{sniff}}$ flows. Attackers can reconstruct the communication data properly with only one of these combinations, that is, $C^{f_{\mathrm{real}}}_{f_{\mathrm{real}}} = 1$.

Given that attackers select several flows randomly in a single attempt to reconstruct the communication data, the probability of reconstructing the data properly can be calculated with

$$P_{\mathrm{once}} = \frac{C^{f_{\mathrm{real}}}_{f_{\mathrm{real}}}}{C^1_{f_{\mathrm{sniff}}} + C^2_{f_{\mathrm{sniff}}} + \cdots + C^{f_{\mathrm{sniff}}}_{f_{\mathrm{sniff}}}} = \frac{1}{2^{f_{\mathrm{sniff}}} - 1}. \quad (8)$$

As shown in (8), the probability of attackers reconstructing the data successfully in a single attempt decreases exponentially with the number of flows sniffed: the more data is sniffed, the more difficult successful data reconstruction becomes. Since attackers cannot easily determine the timing of the target communication because of end hopping, a longer sniffing time is needed to obtain the complete communication data. Therefore, a large amount of irrelevant data is obtained, increasing the difficulty of data reconstruction. Given $f_{\mathrm{sniff}} = 100$ and $f_{\mathrm{real}} = 10$, the probability of attackers reconstructing the data correctly by selecting several flows randomly in one attempt would be $7.89 \times 10^{-31}$.

Table 1: Comparison of packet transmission time between traditional network and DHC network.

Approach | Average cost of packet transmission time | Period of flow update | Routing path
Traditional | $t \times l_s$ | Infinite | The shortest path from source to destination
DHC | $t \times l_a$ | $T_{\mathrm{hop}}$ | Multiple paths from source to destination

6.4. Analysis of Unpredictability. Since the end and the route hop randomly in DHC (detailed information is given in Section 4.3), the end and route used in the next period cannot be predicted precisely. Even if the DHC protocol, the end hopping space, and the route hopping space are exposed, DHC still increases the cost for sniffer attackers and resists sniffer attacks. Suppose that an attacker with all the information above sniffs the DHC network for a target communication; she will then face the following difficulties in launching a sniffer attack. Firstly, even though the DHC protocol is transparent to the attacker, a targeted sniffer attack cannot be launched, owing to the randomness of end and route hopping. Secondly, it is hard for the attacker to get the complete communication data while sniffing, because of the periodical hopping of the route. Thirdly, the attacker will collect a large number of ends because of the frequent end hopping, which prevents the attacker from extracting the right packets belonging to the target communication when he or she attempts to recover the communication data. So the unpredictability of DHC guarantees that it can resist sniffer attack even when the DHC protocol and the network information are exposed.

6.5. Analysis of Cost. Under traditional routing schemes, packets are routed along the shortest path. In the DHC network, however, packets may be routed along longer paths because the route changes dynamically. Therefore, the cost in packet transmission time is higher in DHC. Let $l_s$ denote the length of the shortest path between source and destination (the length of a routing path is estimated in hops), $l_a$ the average length of the paths in the route hopping space ($l_s \le l_a$), and $T_{\mathrm{hop}}$ the hopping period; then the cost in packet transmission time is as shown in Table 1. Moreover, the random selection of a route is conducted periodically by the routing path hop of a communication, which results in a small number of disordered packets at the receiving end when a new period starts, leaving no obstacle to normal communication.

Ends and routing paths are selected in DHC when flow entries are generated, which is more complicated than in the traditional network; therefore, the time cost of generating flow entries is higher in DHC. Since the average path is longer in DHC, more flow entries are installed for one communication than in the traditional network, so the time cost of flow entry setup is higher in DHC as well. In Figure 11, the average time cost of installing flow entries between different node pairs in the topology (shown in Figure 5) is compared for DHC and the traditional network. As illustrated in Figure 11, the average time for flow entry generation and setup in DHC is longer than in the traditional network.

Figure 11: Comparison of the average time cost of flow entry installation in DHC and the traditional network. (Figure: x-axis, the node pairs 1→16, 3→11, 4→14, and 5→12; y-axis, average time overhead in ms, 0 to 0.25; series: time of flow setup in DHC, time of flow generation in DHC, time of flow setup in the traditional network, time of flow generation in the traditional network.)

In the network without DHC, flow entries are installed only once, at the beginning of the communication, while in DHC the flow entries of the data plane are updated periodically and hopping ends and paths have to be allocated for every connection between two communicating sides, which places more load on the controller. In the experiment topology, 50 pairs of source and destination hosts are chosen randomly, and communication between each pair is started. The CPU utilization of DHC and of the traditional network is compared in Figure 12. If the controller does not run DHC, the load is low because the flow entries are not updated periodically; therefore the CPU utilization stays under 10%, as shown in Figure 12. If the controller runs DHC, the load increases because of the periodical updating of flow entries, and the figure shows that the CPU utilization is much higher. When $T_{\mathrm{hop}} = 5$ s, the CPU utilization is between 20% and 40%, and when $T_{\mathrm{hop}} = 10$ s, it is between 10% and 30%. A shorter hopping period entails more controller operations, so when $T_{\mathrm{hop}} = 5$ s the CPU utilization of the controller is higher than when $T_{\mathrm{hop}} = 10$ s. The controller will become the bottleneck when DHC is used in a large-scale network. Fortunately, a distributed SDN controller [30] is a solution to this problem.

Figure 12: CPU utilization of the controller. (Figure: x-axis, run time in s, 10 to 100; y-axis, CPU utilization in %, 0 to 60; series: no DHC, DHC with $T_{\mathrm{hop}} = 10$ s, DHC with $T_{\mathrm{hop}} = 5$ s.)

In the traditional network, flows are matched only by destination address, so the length of the routing tables is of the order $O(m)$ for a network of $m$ nodes. In DHC, however, flows are matched by ends (including source and destination addresses and ports), meaning that two flows must be specified for every connection (TCP or UDP) between two communicating sides. Let $\lambda$ denote the average rate of connection establishment and $w$ the duration of each connection; then the mean length of the flow tables is of the order $O(m\lambda w)$ [7]. Moreover, to avoid packet loss, DHC requires both the old and the new flow entries to be present in the flow table simultaneously for a brief period, during which the cost in flow table space increases. Therefore, the cost in flow table space is higher in DHC.

7. Conclusion

The centralized control and programmability of SDN make hopping communication easier to realize and deploy. In this paper, end hopping and route hopping are combined, and double hopping communication based on SDN is proposed. The end is changed dynamically in DHC, so that the data from multiple users is mixed and the communication traffic can be hidden in background traffic; thus traffic cannot be distinguished easily, and the difficulty for attackers to reconstruct and recover data increases. In addition, the data is transmitted along multiple paths by changing the routing path dynamically, which increases the difficulty for attackers to obtain the complete communication data. The results show that the approach proposed in this paper effectively resists sniffing. Moreover, DHC is realized completely in software and is transparent to terminals. A controller bottleneck usually occurs in a large-scale DHC network. In future work, a distributed controller model will be applied to deal with this problem, and a feasible communication solution of DHC will be tested in a real network.

Appendix

Suppose there are $m$ nodes in the network topology $G$. The attacker can sniff $n$ nodes, and the sniffed nodes constitute a sniffed node set $V^n_{\mathrm{sniff}}$ ($|V^n_{\mathrm{sniff}}| = n$, $n \le m$). Given the route hopping space $S^{H_1 \to H_2}_{\mathrm{RH}}$, there are $s$ nodes on the shortest path between the source host $H_1$ and the destination host $H_2$ ($s \le m$). $V_{\mathrm{cut}}$ is a vertex cut-set by which $G$ is cut into several connected subgraphs such that the source forwarding node $node_{src}$ and the destination forwarding node $node_{dst}$ lie in different subgraphs. Suppose there are $Q^n_{src,dst}$ sniffed node sets $V^n_{\mathrm{sniff}}$ satisfying $V^n_{\mathrm{sniff}} \supseteq V_{\mathrm{cut}}$. The proof that the probability of the attacker obtaining the complete communication data of one communication in the traditional network is not less than that in DHC, that is, $P_{\mathrm{traditional}} \ge P_{\mathrm{hop}}$, is given below.

Proof. To verify that $P_{\mathrm{traditional}} \ge P_{\mathrm{hop}}$, we show that $P_{\mathrm{traditional}} - P_{\mathrm{hop}} \ge 0$. Given $P_{\mathrm{traditional}} = (C^n_m - C^n_{m-s}) / C^n_m$ and $P_{\mathrm{hop}} = (C^1_2 C^{n-1}_{m-2} + C^2_2 C^{n-2}_{m-2} + Q^n_{src,dst}) / C^n_m$, we have

$$P_{\mathrm{traditional}} - P_{\mathrm{hop}} = \frac{C^n_m - C^n_{m-s} - \bigl(C^1_2 C^{n-1}_{m-2} + C^2_2 C^{n-2}_{m-2} + Q^n_{src,dst}\bigr)}{C^n_m}. \quad (A.1)$$

Suppose the shortest path from $H_1$ to $H_2$ is $path^*$ ($path^* \in S^{H_1 \to H_2}_{\mathrm{RH}}$). If the complete communication data from the source host to the destination host can be sniffed on $V^n_{\mathrm{sniff}}$, then for all $path \in S^{H_1 \to H_2}_{\mathrm{RH}}$, $V^n_{\mathrm{sniff}} \cap Nodes(path) \neq \emptyset$, where $Nodes(path)$ represents the set of nodes that $path$ passes through. Because $path^* \in S^{H_1 \to H_2}_{\mathrm{RH}}$, we have $V^n_{\mathrm{sniff}} \cap Nodes(path^*) \neq \emptyset$; that is, $V^n_{\mathrm{sniff}}$ contains at least one node on the shortest path (Conclusion 1).

When $n = 1$, the attacker sniffs one node in the network. Then, based on (A.1), we have

$$P_{\mathrm{traditional}} - P_{\mathrm{hop}} = \frac{C^1_m - C^1_{m-s} - \bigl(C^1_2 C^0_{m-2} + Q^1_{src,dst}\bigr)}{C^1_m}. \quad (A.2)$$

In (A.2), the denominator $C^1_m > 0$, and the numerator is as follows:

$$C^1_m - C^1_{m-s} - \bigl(C^1_2 C^0_{m-2} + Q^1_{src,dst}\bigr) = m - (m - s) - \bigl(2 + Q^1_{src,dst}\bigr) = s - 2 - Q^1_{src,dst}. \quad (A.3)$$

By Conclusion 1, $V^1_{\mathrm{sniff}} \cap Nodes(path^*) \neq \emptyset$; that is, the sniffed node lies on the shortest path. Among the $s$ nodes on the shortest path, the number of $V^1_{\mathrm{sniff}}$ that divide the source node and the destination node into different connected subgraphs is not more than $s - 2$; that is, $Q^1_{src,dst} \le s - 2$. So (A.3) $\ge 0$ is obtained. The numerator of (A.2) is therefore not less than 0, and in (A.2) $P_{\mathrm{traditional}} - P_{\mathrm{hop}} \ge 0$.

When $n \ge 2$, the attacker sniffs more than one node in the network. Then, based on (A.1), we have

$$P_{\mathrm{traditional}} - P_{\mathrm{hop}} = \frac{C^n_m - C^n_{m-s} - \bigl(C^1_2 C^{n-1}_{m-2} + C^2_2 C^{n-2}_{m-2} + Q^n_{src,dst}\bigr)}{C^n_m}. \quad (A.4)$$

In (A.4), the denominator $C^n_m > 0$, and the numerator is as follows:

$$\begin{aligned}
& C^n_m - C^n_{m-s} - \bigl(C^1_2 C^{n-1}_{m-2} + C^2_2 C^{n-2}_{m-2} + Q^n_{src,dst}\bigr) \\
&= C^n_m - C^n_{m-s} - 2C^{n-1}_{m-2} - C^{n-2}_{m-2} - Q^n_{src,dst} \\
&= C^n_{m-2} - C^n_{m-s} - Q^n_{src,dst}.
\end{aligned} \quad (A.5)$$

By definition, $Q^n_{src,dst}$ is the number of those $V^n_{\mathrm{sniff}}$ that divide $node_{src}$ and $node_{dst}$ into different connected subgraphs, so $node_{src}$ and $node_{dst}$ do not belong to such $V^n_{\mathrm{sniff}}$. $C^n_{m-2}$ is the number of all $V^n_{\mathrm{sniff}}$ satisfying both $node_{src} \notin V^n_{\mathrm{sniff}}$ and $node_{dst} \notin V^n_{\mathrm{sniff}}$, and $C^n_{m-2-(s-2)}$ is the number of those $V^n_{\mathrm{sniff}}$ satisfying $V^n_{\mathrm{sniff}} \cap Nodes(path^*) = \emptyset$. By Conclusion 1, $V^n_{\mathrm{sniff}} \cap Nodes(path^*) \neq \emptyset$, so $Q^n_{src,dst}$ is not more than $C^n_{m-2} - C^n_{m-2-(s-2)}$. So (A.5) $\ge 0$ is obtained. The numerator of (A.4) is therefore not less than 0, and in (A.4) $P_{\mathrm{traditional}} - P_{\mathrm{hop}} \ge 0$.

In conclusion, $P_{\mathrm{traditional}} - P_{\mathrm{hop}} \ge 0$; that is, $P_{\mathrm{traditional}} \ge P_{\mathrm{hop}}$.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work is supported by the National Natural Science Foundation of China (nos. 61379151, 61272489, 61302159, and 61401512), the National Cryptography Development Fund of China (no. MMJJ201301005), the National Basic Research Program of China (973) (Grants nos. 2012CB315901 and 2013CB329104), and the National Natural Science Foundation of China (Grants nos. 61309019 and 61372121).

References

[1] National Cyber Leap Year Summit 2009 Co-Chairsrsquo ReportldquoNetworking and information technology research and devel-opmentrdquo Tech Rep 2009

[2] T Cyberspace Strategic Plan for the Federal CybersecurityResearch and Development Program Executive Office of thePresident National Science and Technology Council Washing-ton DC USA 2011

[3] S Jajodia A K Ghosh V Swarup C Wang and X S WangMoving Target Defense Creating Asymmetric Uncertainty forCyberThreats vol 54 Springer Science amp Business Media NewYork NY USA 2011

[4] E. Al-Shaer, "Toward network configuration randomization for moving target defense," in Moving Target Defense, vol. 54 of Advances in Information Security, pp. 153–159, Springer, New York, NY, USA, 2011.

[5] P. Kampanakis, H. Perros, and T. Beyene, "SDN-based solutions for Moving Target Defense network protection," in Proceedings of the 15th IEEE International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM '14), pp. 1–6, Sydney, Australia, June 2014.

[6] M. Atighetchi, P. Pal, F. Webber, and C. Jones, "Adaptive use of network-centric mechanisms in cyber-defense," in Proceedings of the 6th IEEE International Symposium on Object-Oriented Real-Time Distributed Computing, pp. 183–192, Hokkaido, Japan, May 2003.

[7] J. H. Jafarian, E. Al-Shaer, and Q. Duan, "Openflow random host mutation: transparent moving target defense using software defined networking," in Proceedings of the 1st Workshop on Hot Topics in Software Defined Networks (HotSDN '12), pp. 127–132, ACM, Helsinki, Finland, August 2012.

[8] Q. Duan, E. Al-Shaer, and H. Jafarian, "Efficient Random Route Mutation considering flow and network constraints," in Proceedings of the IEEE Conference on Communications and Network Security (CNS '13), pp. 260–268, IEEE, National Harbor, Md, USA, October 2013.

[9] E. Al-Shaer, Q. Duan, and J. H. Jafarian, "Random host mutation for moving target defense," in Security and Privacy in Communication Networks, pp. 310–327, Springer, New York, NY, USA, 2013.

[10] G. Badishi, A. Herzberg, and I. Keidar, "Keeping denial-of-service attackers in the dark," IEEE Transactions on Dependable and Secure Computing, vol. 4, no. 3, pp. 191–204, 2007.

[11] H. Wang, Q. Jia, D. Fleck, W. Powell, F. Li, and A. Stavrou, "A moving target DDoS defense mechanism," Computer Communications, vol. 46, pp. 10–21, 2014.

[12] C.-Y. Hong, S. Kandula, R. Mahajan et al., "Achieving high utilization with software-driven WAN," ACM SIGCOMM Computer Communication Review, vol. 43, no. 3, pp. 15–26, 2013.

[13] N. McKeown, "Software-defined networking," INFOCOM Keynote Talk, vol. 17, no. 2, pp. 30–32, 2009.

[14] M. Carvalho and R. Ford, "Moving-target defenses for computer networks," IEEE Security & Privacy, vol. 12, no. 2, pp. 73–76, 2014.

[15] M. Sifalakis, S. Schmid, and D. Hutchison, "Network address hopping: a mechanism to enhance data protection for packet communications," in Proceedings of the IEEE International Conference on Communications (ICC '05), vol. 3, pp. 1518–1523, IEEE, Seoul, Republic of Korea, May 2005.

[16] M. Dunlop, S. Groat, W. Urbanski, R. Marchany, and J. Tront, "MT6D: a moving target IPv6 defense," in Proceedings of the Military Communications Conference (MILCOM '11), pp. 1321–1326, IEEE, Baltimore, Md, USA, November 2011.

[17] J. H. Jafarian, E. Al-Shaer, and Q. Duan, "An effective address mutation approach for disrupting reconnaissance attacks," IEEE Transactions on Information Forensics and Security, vol. 10, no. 12, pp. 2562–2577, 2015.

[18] J. H. H. Jafarian, E. Al-Shaer, and Q. Duan, "Spatio-temporal address mutation for proactive cyber agility against sophisticated attackers," in Proceedings of the 1st ACM Workshop on Moving Target Defense (MTD '14), pp. 69–78, Scottsdale, AZ, USA, November 2014.

Mathematical Problems in Engineering 13

[19] J. H. Jafarian, E. Al-Shaer, and Q. Duan, "Adversary-aware IP address randomization for proactive agility against sophisticated attackers," in Proceedings of the IEEE Conference on Computer Communications (INFOCOM '15), pp. 738–746, IEEE, April 2015.

[20] D. C. MacFarland and C. A. Shue, "The SDN shuffle: creating a moving-target defense using host-based software-defined networking," in Proceedings of the 2nd ACM Workshop on Moving Target Defense (MTD '15), pp. 37–41, ACM, Denver, Colo, USA, October 2015.

[21] J. Jafarian, E. Al-Shaer, and Q. Duan, "Formal approach for route agility against persistent attackers," in Computer Security – ESORICS 2013, J. Crampton, S. Jajodia, and K. Mayes, Eds., vol. 8134 of Lecture Notes in Computer Science, pp. 237–254, Springer, Berlin, Germany, 2013.

[22] S. Dolev and S. T. David, "SDN-based private interconnection," in Proceedings of the IEEE 13th International Symposium on Network Computing and Applications (NCA '14), 2014.

[23] F. Gillani, E. Al-Shaer, S. Lo, Q. Duan, M. H. Ammar, and E. W. Zegura, "Agile virtualized infrastructure to proactively defend against cyber attacks," in Proceedings of the IEEE Conference on Computer Communications (INFOCOM '15), pp. 729–737, Hong Kong, April-May 2015.

[24] D. Gkounis, V. Kotronis, and X. Dimitropoulos, "Towards defeating the crossfire attack using SDN," http://arxiv.org/abs/1412.2013.

[25] A. Studer and A. Perrig, "The coremelt attack," in Computer Security – ESORICS 2009, vol. 5789 of Lecture Notes in Computer Science, pp. 37–52, Springer, Berlin, Germany, 2009.

[26] B. Lantz, B. Heller, and N. McKeown, "A network in a laptop: rapid prototyping for software-defined networks," in Proceedings of the 9th ACM SIGCOMM Workshop on Hot Topics in Networks, ACM, October 2010.

[27] N. McKeown, T. Anderson, H. Balakrishnan et al., "OpenFlow: enabling innovation in campus networks," ACM SIGCOMM Computer Communication Review, vol. 38, no. 2, pp. 69–74, 2008.

[28] M. McCauley, "About pox," 2013, http://www.github.com/noxrepo/pox.

[29] S. De Maesschalck, D. Colle, I. Lievens et al., "Pan-European optical transport networks: an availability-based comparison," Photonic Network Communications, vol. 5, no. 3, pp. 203–225, 2003.

[30] A. Dixit, F. Hao, S. Mukherjee, T. V. Lakshman, and R. Kompella, "Towards an elastic distributed SDN controller," ACM SIGCOMM Computer Communication Review, vol. 43, no. 4, pp. 7–12, 2013.



[12]. Dynamic transformation of the host IP configuration is attempted in traditional networks in [9], but the cost is high because several new devices are introduced. So collaborative changes among multiple network configurations demand powerful management of the network. The emerging software-defined network (SDN) [13] brings a new method to realize dynamic network configuration. SDN decouples the control plane and the forwarding plane (data plane) and applies logically centralized control. The powerful network management and control ability of SDN make the realization of dynamic network configuration more flexible. The programmable nature of SDN can control the flowtables of forwarding devices directly and avoid service interruptions and routing inflation. The centralized control of SDN makes it possible to have a global view of the network. Therefore, collaborative changes of multiple network configurations can be realized.

In this paper, double hopping communication (DHC) is proposed based on the SDN architecture to enhance the ability to resist sniffer attack. DHC periodically changes the end information of both communicating sides as well as the routing paths between them, thus realizing double hopping of end and route. In DHC, communication data is transmitted along multiple paths, and the data flows from multiple users are mixed. It is difficult for attackers to obtain the complete data of one communication in DHC, and moreover it sets obstacles that prevent attackers from correctly separating the data of one single user from all the data they obtain. Therefore, the overhead and difficulty for attackers to obtain and analyze communication data are dramatically increased, because attackers are unable to conduct targeted sniffing. In addition, DHC is constructed based on SDN, which is transparent to the terminals; neither extra external software nor hardware is needed.

The rest of the paper is organized as follows. In Section 2, related works are discussed. Section 3 describes the basic principles of DHC. In Section 4, we describe the basic architecture and communication protocols of DHC. Section 5 presents the prototype deployment and simulation experiment, and the security of DHC is analyzed in Section 6. Section 7 concludes the paper.

2. Related Work

Hopping communication, based on the dynamism and randomness of MTD technology, is one type of active network defense method aimed at breaking the hypothesis of static network configuration, and it can improve network security via dynamism and randomness [11, 14]. Currently, researchers have proposed different hopping communication techniques. Atighetchi et al. [6] proposed a hopping approach based on fake address and port. Fake addresses and ports are used during data transmission to confuse attackers. Sifalakis et al. [15] proposed a network address hopping method (NAH) based on information hiding techniques. Data flow is spread across multiple end-to-end connections by network address hopping during transmission. Thus, point-to-point data transmission security could be improved. In [10], a random port-hopping (RPH) scheme was proposed to defend against DDoS attacks by changing the communication ports. MT6D [16], proposed by Dunlop et al., takes advantage of the address space of IPv6, and a robust IP hopping strategy is achieved. A tunnel technique is used to encapsulate the packets. Source and destination IP addresses of the tunnel are changed repeatedly, making it difficult for attackers to sniff communication traffic. The approaches described above have their own advantages. However, in all of these methods the end is hopped while the routing path stays unchanged, which makes it possible for attackers to obtain complete communication data and therefore recover communication data. Moreover, in order to realize hopping communication, deploying software on terminals and adding hardware in the network are needed, which causes high cost.

In traditional networks, quick cooperative hopping is difficult under distributed route management. However, the emerging software-defined network has brought new methods to hopping communication. Based on SDN, Kampanakis et al. [5] proposed three kinds of MTD methods, including reconnaissance protection, service version/OS hiding, and random host/route mutation. Attack cost, benefits, and potential attackers' countermeasures of these three methods are analyzed respectively in this work. These methods involve network scanning, DDoS, and worms, but DHC focuses on sniffer attack. In the SDN architecture, a flexible IP hopping method that is also transparent to terminals, called OF-RHM [7, 17], is proposed by Jafarian et al. It is true that the effectiveness of sniffer attack is decreased by OF-RHM, but the virtual IP should stay unchanged during one continuous communication, which enables attackers to obtain the complete data of one communication from a switch. Jafarian et al. [18] proposed a technique in which hopping is implemented temporally and spatially in order to interfere with attackers' views of the network. This hopping communication can defeat collaborative scanning attacks effectively. However, in our work, multiple network configurations are changed dynamically to enhance the dynamism of the network for resisting sniffer attack. The work in [19] achieves fast IP hopping to resist scanning and worm propagation. The method discovers hazardous network ranges and addresses adaptively and evacuates network hosts from them quickly. MacFarland and Shue [20] provide a scalable moving target system to enable key security properties and maintain acceptable performance. The method distinguishes trustworthy and untrustworthy clients to provide access control for legacy clients.

There exist multiple paths between two nodes in a network topology, which are used by researchers to improve communication security. An active random route mutation (RRM) method is proposed by Duan et al. [8, 21] and applied in an SDN environment. Routes of multiple flows in the network are changed randomly and simultaneously. However, multiple uncrossed paths between source and destination are required, which is difficult to satisfy in common network topologies. In addition, no end hopping is involved in the RRM method, which enables attackers to recover communication data between hosts by sniffing multiple switches. Dolev and David [22] use multiple paths between datacenters to achieve secure communication. In order to ensure privacy, an $n$-$k$ secret sharing method is used to encrypt communication data. The source creates $n$ shares of its data, then sends them along multiple paths and makes sure that no $k$ or more shares pass the same router. Thus, the method achieves a theoretically secured channel to the public cloud. However, in our work, ends and route paths are changed frequently to increase the cost of attacks while obtaining and reconstructing communication data. Gillani et al. [23] migrate virtual routers among multiple paths to invalidate the network topology probes of attacks; therefore, link DDoS attacks are resisted. Gkounis et al. [24] proposed a method based on the SDN architecture to detect and mitigate the Crossfire attack [25] by rerouting traffic via multiple paths. The two abovementioned works aim to resist link DDoS attacks, while our work, aimed at resisting sniffer attack, increases the cost of attackers through changes of ends and routing paths.

3. Basic Principles of DHC

In static-configuration-based network communication, when two hosts communicate on one connection, all the packets in the communication contain information about this connection, and the transmission path of the communication packets is static. These two facts provide convenience for attackers to sniff network communication. Attackers are able to obtain communication data easily from the target by sniffing network flows, based on the target end, on the transmission path. In the DHC approach, both end and route are hopped based on the SDN architecture. Dynamism and randomness are introduced into communication in two dimensions: end and route. For the data plane, the random hopping end and route are configured by the controller in every hopping period after one connection is established. In the meantime, both end hopping and route hopping are achieved.

In DHC, the ends on both communicating sides hop dynamically. The data from multiple users will be mixed, and end-to-end traffic is hidden in the network background traffic. Frequent hopping of the end brings difficulty for attackers in selecting and sorting the sniffed packets as well as in recovering the initial data. Thus, the difficulty of analyzing communication data is increased. Route hopping changes the routing paths of the packets dynamically, spreading the communication traffic over multiple routing paths. In this way, the overhead and difficulty of sniffing are increased, since continuous communication data is difficult to obtain. To sum up, double hopping of both end and route limits the communication data that attackers can obtain and sets obstacles for attackers to analyze the data.

4. Basic Architecture of DHC

When conducting hopping communication in DHC, the end and routing path that are about to hop are selected first. Then the flowtables are updated according to the hopping protocol. Thus, the end hopping space and the route hopping space, as well as the hopping communication protocol, should be taken into consideration to realize DHC.

4.1. End Hopping Space. An end consists of the IP address of the host and the port in communication. It is an essential element of communication between two hosts in a network, and it uniquely defines one communication side in the network. One connection in network communication contains the IP addresses and ports of both source and destination hosts. Therefore, $EI = (\mathrm{IP}_{\mathrm{src}}, P_{\mathrm{src}}, \mathrm{IP}_{\mathrm{dst}}, P_{\mathrm{dst}})$ is defined to represent the end of one connection. The end of packets mentioned throughout the paper refers to this definition. In DHC, the end hopping space $S_{\mathrm{EH}}$ consists of hopping IP addresses and hopping ports. Given the IP address pool $\mathrm{Addr} = \{\mathrm{IP}_1, \mathrm{IP}_2, \ldots, \mathrm{IP}_m\}$ and the hopping port pool $\mathrm{Port} = \{P_1, P_2, \ldots, P_n\}$, the end hopping space can be represented by

$$S_{\mathrm{EH}} = \{(\mathrm{IP}_{\mathrm{src}}, P_{\mathrm{src}}, \mathrm{IP}_{\mathrm{dst}}, P_{\mathrm{dst}}) \mid \mathrm{IP}_{\mathrm{src}}, \mathrm{IP}_{\mathrm{dst}} \in \mathrm{Addr},\ \mathrm{IP}_{\mathrm{src}} \neq \mathrm{IP}_{\mathrm{dst}},\ P_{\mathrm{src}}, P_{\mathrm{dst}} \in \mathrm{Port}\}. \quad (1)$$

Unoccupied hopping ends are randomly selected in $S_{\mathrm{EH}}$ to replace the real ends in communication when the ends need hopping.

4.2. Route Hopping Space. One routing path between source and destination hosts is a sequence that consists of forwarding nodes (i.e., OF switches). Define $Path = \langle node_{\mathrm{src}}, node_1, node_2, \ldots, node_{\mathrm{dst}} \rangle$, where $node_{\mathrm{src}}$ connects with the source host and is called the source forwarding node (source switch), and $node_{\mathrm{dst}}$ connects with the destination host and is called the destination forwarding node (destination switch). Under the SDN architecture, the controller has the global network view. Therefore, all paths connecting the source and destination hosts that satisfy certain conditions can be calculated, constituting the route hopping space.

Suppose the source host $H_1$ communicates with the destination host $H_2$; the corresponding route hopping space $S^{H_1 \to H_2}_{\mathrm{RH}}$ will be calculated as follows.

(1) Calculate all acyclic paths between $H_1$ and $H_2$ that are not longer than the maximum path length $L$ according to the topology of the network, and let them constitute the path set $PathSet^{H_1 \to H_2}$.

(2) For $Path_i, Path_j \in PathSet^{H_1 \to H_2}$, if $Nodes(Path_i) \subset Nodes(Path_j)$ holds, delete $Path_j$ from the path set $PathSet^{H_1 \to H_2}$, where $Nodes(Path_i)$ represents the set of nodes that path $Path_i$ passes. The reason for deleting $Path_j$ is that no node in $Path_i$ can be avoided when packets pass along $Path_j$, which only leads to a longer path.

The route hopping space $S^{H_1 \to H_2}_{\mathrm{RH}}$ is obtained from the steps above. If $|S^{H_1 \to H_2}_{\mathrm{RH}}| > 1$ holds, the paths in $S^{H_1 \to H_2}_{\mathrm{RH}}$ satisfy the following: $\forall Path_i, Path_j \in S^{H_1 \to H_2}_{\mathrm{RH}}$ with $Path_i \neq Path_j$, there exists $node \in Nodes(Path_i)$ with $node \notin Nodes(Path_j)$, which means that $Path_j$ does not pass at least one node in $Path_i$.

In order to guarantee the unpredictability of the hopping path, randomness in hopping path selection is essential. One simple method is random path selection, which randomly selects one path in $S^{H_1 \to H_2}_{\mathrm{RH}}$ at the beginning of each period and takes it as the hopping path during the period. The probability of selection for each path in $S^{H_1 \to H_2}_{\mathrm{RH}}$ is identical.


Input: $(Path_1, \ldots, Path_u)$, $(w_1, \ldots, w_u)$, $RandNum$
Output: $Path$

WeightedRandomPathSelect($(Path_1, \ldots, Path_u)$, $(w_1, \ldots, w_u)$, $RandNum$)
(1) sum = 0
(2) for $i$ in $(1, 2, \ldots, u)$
(3)     new_sum ← sum + $w_i$
(4)     if sum < $RandNum$ ≤ new_sum
(5)         return $Path_i$
(6)     else sum = new_sum

Algorithm 1: Weighted random path selection algorithm.

However, traffic may be forwarded unevenly by the nodes, which means that the possibility exists that a large amount of traffic is forwarded by one single node. In this case, if attackers sniff on this specific node, a large amount of communication data will be obtained easily. The reason is that the paths in $S^{H_1 \to H_2}_{\mathrm{RH}}$ intersect. Fortunately, this threat can be eliminated in DHC by using weighted random path selection.

For a node, we define $C^{H_1 \to H_2}(node)$ as the number of paths in the route hopping space $S^{H_1 \to H_2}_{\mathrm{RH}}$ that pass through $node$. For a node set $set$, we define $C^{H_1 \to H_2}(set) = \{C^{H_1 \to H_2}(node) \mid node \in set\}$. Suppose that for one connection between hosts $H_1$ and $H_2$ there is $Path_k \in S^{H_1 \to H_2}_{\mathrm{RH}}$; $d(Path_k)$ denotes the node set that contains the nodes left after the common nodes (e.g., the source forwarding node and the destination forwarding node), through which all paths in $S^{H_1 \to H_2}_{\mathrm{RH}}$ pass, are deleted. The weight of $Path_k$ is defined as

$$Weight(Path_k) = \frac{1 / \mathrm{Max}\left(C^{H_1 \to H_2}(d(Path_k))\right)}{\sum_{Path_i \in S^{H_1 \to H_2}_{\mathrm{RH}}} \left(1 / \mathrm{Max}\left(C^{H_1 \to H_2}(d(Path_i))\right)\right)}, \quad (2)$$

where the function Max gets the maximum value in $C^{H_1 \to H_2}(set)$. By using the weighting function above, lower weight is assigned to paths with nodes that more paths cross. Therefore, the chance that excessive traffic passes through one single node (except the common nodes of all paths) in the network due to intersection is eliminated.

The weighted random path selection algorithm is shown in Algorithm 1. The probability of one path being chosen is set as the weight of the path. The inputs of the algorithm include the paths $(Path_1, \ldots, Path_u)$ in the route hopping space $S^{H_1 \to H_2}_{\mathrm{RH}}$, the corresponding weights $(w_1, \ldots, w_u)$, and a random number $RandNum \in [0, 1]$. In the algorithm, weights are accumulated for each path in steps 2 to 6. The path corresponding to the weight is returned when the sum of accumulated weights is bigger than or equal to the random number $RandNum$.
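As an added example (not the paper's DhcFlower code), the following Python carries the two steps of Section 4.2, the weight of equation (2) and Algorithm 1 through on a small constructed topology and reports the expected share of a flow that each switch forwards, which is what a sniffer on that switch would collect. The six-switch topology, reading the maximum path length $L$ as a switch count, and all function names are assumptions.

```python
import random

# Constructed six-switch topology (adjacency lists), not the paper's 16-node one.
# Three paths lead from S1 to S6; two of them share the non-common switch S4.
TOPOLOGY = {
    "S1": ["S2", "S3", "S5"],
    "S2": ["S1", "S4"],
    "S3": ["S1", "S4"],
    "S4": ["S2", "S3", "S6"],
    "S5": ["S1", "S6"],
    "S6": ["S4", "S5"],
}


def acyclic_paths(topo, src, dst, max_len):
    """Step (1): all acyclic paths from src to dst with at most max_len switches
    (treating the maximum path length L as a switch count is an assumption)."""
    paths = []

    def dfs(node, path):
        if len(path) > max_len:
            return
        if node == dst:
            paths.append(tuple(path))
            return
        for nxt in topo[node]:
            if nxt not in path:          # acyclic: no switch visited twice
                dfs(nxt, path + [nxt])

    dfs(src, [src])
    return paths


def route_hopping_space(topo, src, dst, max_len):
    """Step (2): drop every path whose node set strictly contains another path's
    node set, since such a path only adds hops without avoiding any node."""
    paths = acyclic_paths(topo, src, dst, max_len)
    return [p for p in paths if not any(set(q) < set(p) for q in paths)]


def path_weights(space):
    """Equation (2): C(node) counts the paths through node, d(Path) removes the
    nodes shared by every path, weight ~ 1 / max C over d(Path), normalised."""
    if not space:
        return []
    count = {}
    for p in space:
        for n in p:
            count[n] = count.get(n, 0) + 1
    common = set.intersection(*(set(p) for p in space))
    inverse = []
    for p in space:
        d = [n for n in p if n not in common]
        # d is empty only when the space holds a single path (any other path
        # would have been pruned in step 2); that path simply gets weight 1
        inverse.append(1.0 / max(count[n] for n in d) if d else 1.0)
    total = sum(inverse)
    return [x / total for x in inverse]


def weighted_random_path_select(paths, weights, rand_num):
    """Algorithm 1: return the path whose accumulated-weight interval
    (sum, new_sum] contains rand_num, for rand_num in (0, 1]."""
    acc = 0.0
    for path, w in zip(paths, weights):
        new_acc = acc + w
        if acc < rand_num <= new_acc:
            return path
        acc = new_acc
    return paths[-1]   # only reached through floating-point rounding


def node_load(space, weights):
    """Expected fraction of a flow's packets each switch forwards over many
    hopping periods, i.e. what a sniffer on that switch would see."""
    load = {}
    for p, w in zip(space, weights):
        for n in p:
            load[n] = load.get(n, 0.0) + w
    return load


def hop_path(space, rng=random):
    """Pick the path for the next hopping period; RandNum is drawn from (0, 1]."""
    return weighted_random_path_select(space, path_weights(space), 1.0 - rng.random())


if __name__ == "__main__":
    space = route_hopping_space(TOPOLOGY, "S1", "S6", max_len=4)
    weights = path_weights(space)
    for p, w in zip(space, weights):
        print(" -> ".join(p), round(w, 3))
    print("load per switch:", node_load(space, weights))
    print("next period:", hop_path(space))
```

With uniform random selection S4 would carry two thirds of the flow; the weights of equation (2) cut its share to one half, while the common switches S1 and S6 necessarily see everything.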

4.3. DHC Protocol. In DHC, for each period $T_{\mathrm{hop}}$, one hopping end $hEI$ and one path $Path$ from source to destination are randomly chosen. New flow entries are generated by the controller and installed in the OF switches. The end of the packets from the source host is modified to $hEI$, and these packets are transmitted to the destination host along $Path$. Then double hopping of end and route with the period $T_{\mathrm{hop}}$ as granularity is realized.

4.3.1. Double Hopping. The basic protocol of DHC is illustrated in Figure 1. It is a network with SDN architecture in which host $H_1$ communicates with $H_2$. Denote the end hopping space as $S_{\mathrm{EH}}$ and the route hopping space of the communication as $S^{H_1 \to H_2}_{\mathrm{RH}}$. Firstly, the initial end $rEI = (\mathrm{IP}_1, P_1, \mathrm{IP}_2, P_2)$ is generated by $H_1$ according to the real IP addresses and ports of the two communicating sides; then the address of the communication is determined.

Detailed steps of double hopping are as follows.

(1) The first packet containing $rEI$ is sent to the network by $H_1$. OF switch $S_1$ receives the packet and encapsulates it as a packet-in message. Then the packet-in message is sent to the controller.

(2) The packet-in message is decapsulated by the controller, and $rEI$ is extracted. Then the hopping end $hEI_1 = (\mathrm{IP}'_1, P'_1, \mathrm{IP}'_2, P'_2)$ is selected randomly in $S_{\mathrm{EH}}$. The route hopping space $S^{H_1 \to H_2}_{\mathrm{RH}}$ is calculated by the controller, and $Path_1 = (S_1, S_2, S_5)$ is chosen using the weighted random path selection algorithm. With the knowledge of $hEI_1$ and $Path_1$, the controller generates flow entries, encapsulates them as modify-state messages, and sends them to OF switches $S_1$, $S_2$, and $S_5$. The corresponding modification and routing of the packets are conducted.

(3) The ends $(\mathrm{IP}_1, P_1, \mathrm{IP}_2, P_2)$ in the packets are modified to $(\mathrm{IP}'_1, P'_1, \mathrm{IP}'_2, P'_2)$ by the source switch $S_1$, and the modified packets are forwarded to OF switch $S_2$, then to the destination switch $S_5$.

(4) The ends $(\mathrm{IP}'_1, P'_1, \mathrm{IP}'_2, P'_2)$ in the packets are recovered to $rEI$ and forwarded to host $H_2$ by the destination switch $S_5$. Then $H_2$ receives the packets from $H_1$.

In this communication, the hopping end is recalculated by the controller for each hopping period $T_{\mathrm{hop}}$ and is represented as $hEI_2 = (\mathrm{IP}''_1, P''_1, \mathrm{IP}''_2, P''_2)$, as shown in Figure 1. A new path, denoted as $Path_2 = (S_1, S_3, S_4, S_5)$, is selected in $S^{H_1 \to H_2}_{\mathrm{RH}}$ using the weighted random path selection algorithm. Then the flow entries in the OF switches are updated. The source switch $S_1$ modifies the end in the packets sent from $H_1$ to $H_2$ to $hEI_2$ and forwards the modified packets along $Path_2$. In the destination switch $S_5$, the end of these packets is recovered to the real end $(\mathrm{IP}_1, P_1, \mathrm{IP}_2, P_2)$.

Figure 1: An example of double hopping communication. (Figure not reproduced: hosts $H_1$ with $(\mathrm{IP}_1, P_1)$ and $H_2$ with $(\mathrm{IP}_2, P_2)$, the controller, and OF switches $S_1$ to $S_5$; packets carry $(\mathrm{IP}_1, P_1, \mathrm{IP}_2, P_2)$ at the hosts, $(\mathrm{IP}'_1, P'_1, \mathrm{IP}'_2, P'_2)$ on the first hopping path, and $(\mathrm{IP}''_1, P''_1, \mathrm{IP}''_2, P''_2)$ on the second.)

Figure 2: An example of flow entries update. (Figure not reproduced: switches $S_1$ to $S_7$ and the ends $rEI$, $hEI_1$, and $hEI_2$.)

The procedure described above does not modify the real end on either host. Instead, it modifies the end and routing path of the communication packets dynamically during network transmission. The source and destination hosts can achieve hopping communication transparently in the network without interrupting the ongoing communication. Once the packets of the communication between $H_1$ and $H_2$ enter the network, the end of the packets and the routing path are hopped over time. For each hopping period $T_{\mathrm{hop}}$, the hopping end and route will be reconfigured by the controller. The communication will be considered finished when the controller detects, via the flow-removed messages sent by the switches, that the flow entries are not hit in a hopping period. Thus, the flow entries will not be updated any further.

4.3.2. Flow Entries Update. Flow entries in OF switches need to be updated when end and route are hopped in DHC. Moreover, it should be guaranteed that the flow entries update is consistent and no packet is lost. Suppose that hopping communication is conducted in the network topology shown in Figure 2. Assume that the end is currently being hopped by switch $S_1$, the end changes from $rEI$ to $hEI_1$, and the packets are being transmitted along path $(S_1, S_2, S_3, S_4, S_5)$. In this circumstance, to hop the end of the packets from $rEI$ to $hEI_2$ and to hop the routing path from $(S_1, S_2, S_3, S_4, S_5)$ to $(S_1, S_2, S_6, S_7, S_4, S_5)$, the steps of updating the flow entries are as follows.

(1) The controller sends modify-state messages to install new flow entries in switches $S_2$, $S_6$, $S_7$, $S_4$, $S_5$ for forwarding the packets with end $hEI_2$. At this time, the new flow entries will not be hit by packets, because there are no packets in the network that contain the end $hEI_2$.

(2) The controller sends modify-state messages to modify the flow entry in switch $S_1$; thus the end of the packets is converted from $rEI$ to $hEI_2$.

(3) The controller sends modify-state messages to delete the old flow entries in switches $S_2$, $S_3$, $S_4$, $S_5$ after the maximum transmission delay of path $(S_1, S_2, S_3, S_4, S_5)$ has elapsed.

The method to update the flow entries described above can guarantee that the traffic in flight is still routed by the old flow entries during the update, avoiding packet loss. In addition, traffic is routed by the updated flow entries after the update, maintaining per-packet consistency.
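To make the ordering argument checkable, here is an added discrete-time simulation (not the paper's DhcFlower code) of the three-step update on the Figure 2 topology: it runs the paper's order against a variant that deletes the old entries in the same period the ingress entry is changed, and counts the packets that hit a switch without a matching entry. One hop per tick, the tick-by-tick timing of the controller messages, and the class and function names are assumptions.

```python
"""Discrete-time simulation of the flow-entry update order of Section 4.3.2.
One hop per tick and the timing of the controller actions are assumptions;
switches, ends and paths are those of Figure 2."""

R_EI = ("IP1", "P1", "IP2", "P2")              # real end of the connection
H_EI1 = ("IP1'", "P1'", "IP2'", "P2'")          # hopping end before the hop
H_EI2 = ("IP1''", "P1''", "IP2''", "P2''")      # hopping end after the hop
OLD_PATH = ("S1", "S2", "S3", "S4", "S5")
NEW_PATH = ("S1", "S2", "S6", "S7", "S4", "S5")
HOST = "H2"
MAX_DELAY = len(OLD_PATH) - 1   # ticks a packet needs to leave the old path after S1


class Network:
    """Flow tables: switch -> {matched end: (next hop, end written into the packet)}."""

    def __init__(self):
        self.tables = {s: {} for s in set(OLD_PATH) | set(NEW_PATH)}
        self.in_flight = []   # (switch, end) of packets queued at a switch
        self.delivered = []   # ends of packets as seen by host H2
        self.dropped = 0      # packets that reached a switch with no matching entry

    # controller side: each method stands for one batch of modify-state messages
    def install_path(self, path, end):
        """Step (1): entries matching `end` on every switch after the source switch;
        the destination switch restores the real end rEI."""
        for i in range(1, len(path)):
            nxt = path[i + 1] if i + 1 < len(path) else HOST
            self.tables[path[i]][end] = (nxt, R_EI if nxt == HOST else end)

    def set_ingress(self, path, end):
        """Step (2): the source switch rewrites rEI to `end` and forwards along `path`."""
        self.tables[path[0]][R_EI] = (path[1], end)

    def delete_path(self, path, end):
        """Step (3): remove the entries of the old hopping end."""
        for s in path[1:]:
            self.tables[s].pop(end, None)

    # data plane
    def inject(self):
        """Host H1 hands a packet carrying the real end to S1."""
        self.in_flight.append(("S1", R_EI))

    def tick(self):
        """Every queued packet is processed by the switch it sits at."""
        next_round = []
        for switch, end in self.in_flight:
            entry = self.tables[switch].get(end)
            if entry is None:        # table miss: nothing matches, the packet is lost
                self.dropped += 1
                continue
            hop, written = entry
            if hop == HOST:
                self.delivered.append(written)
            else:
                next_round.append((hop, written))
        self.in_flight = next_round


def run(schedule, n_packets=12, ticks=30):
    """Start on the old path with hEI1, apply the controller actions scheduled per
    tick ({tick: [fn(net), ...]}), return (ends delivered to H2, packets dropped)."""
    net = Network()
    net.install_path(OLD_PATH, H_EI1)
    net.set_ingress(OLD_PATH, H_EI1)
    for t in range(ticks):
        for action in schedule.get(t, []):
            action(net)
        if t < n_packets:
            net.inject()
        net.tick()
    return net.delivered, net.dropped


def paper_order():
    """Steps (1), (2), (3): old entries go only after the old path has drained."""
    return {
        5: [lambda n: n.install_path(NEW_PATH, H_EI2)],
        6: [lambda n: n.set_ingress(NEW_PATH, H_EI2)],
        6 + MAX_DELAY: [lambda n: n.delete_path(OLD_PATH, H_EI1)],
    }


def premature_delete():
    """Old entries deleted in the same period the ingress entry is changed."""
    return {
        5: [lambda n: n.install_path(NEW_PATH, H_EI2)],
        6: [lambda n: n.set_ingress(NEW_PATH, H_EI2),
            lambda n: n.delete_path(OLD_PATH, H_EI1)],
    }


if __name__ == "__main__":
    for name, sched in (("paper order", paper_order()), ("premature delete", premature_delete())):
        delivered, dropped = run(sched)
        print(f"{name}: delivered={len(delivered)} dropped={dropped}")
```

The four packets lost by the premature variant are exactly those sitting on $S_2$ to $S_5$ with end $hEI_1$ when the old entries disappear; every packet that does arrive at $H_2$ carries the real end in both runs.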

5. Prototype Deployment and Simulation Experiment

5.1. Prototype Deployment. To verify the performance and security of DHC, DhcFlower, a prototype based on an SDN controller, is implemented. As shown in Figure 3, DhcFlower runs on top of the SDN controller, which manages the switches through OpenFlow.

In the prototype deployment of DHC, TopologyDiscovery reports the changes of the network topology and updates the view of the network. FlowMonitor monitors the flow state of the network to find the initiation and termination of connections. Based on the view and flow state of the network, DhcFlower chooses the ends and routing paths to convert the network configurations.

The detailed structure of DhcFlower is shown in Figure 4. TopologyDiscovery updates the topology database TopologyInfo with the changes of the network topology. Using the network topology information, the hopping path calculator calculates multiple paths for each pair of nodes and stores the hopping path information in the hopping path pool. Hopping ends are stored in the hopping end pool. With the hopping end pool and the hopping path pool, the double hopping engine, as the core module, chooses the hopping end and path based on the flow state information. Afterwards, the hopping strategies are generated. The flow updater generates flow entries based on the hopping strategies and updates the flowtables in a specific order.

5.2. Simulation Experiment. To evaluate DHC, we have operated our implemented prototype over Mininet [26]. OpenFlow 1.0 [27] is applied, and POX [28] is used as the controller. A class B address block is chosen as the hopping IP address pool, and the hopping port pool is denoted as $\{0, 1, \ldots, 65535\}$. The network topology proposed by [29] is applied, which has 16 nodes (forwarding nodes), as illustrated in Figure 5. The maximum path length $L$ is set to 32.

Figure 3: DHC prototype deployment. (Figure not reproduced: DhcFlower, TopologyDiscovery, and FlowMonitor run on the controller, which manages the OF switches through OpenFlow.)

Figure 4: Makeup of DhcFlower. (Figure not reproduced: modules TopologyDiscovery and TopologyInfo, FlowMonitor, hopping path calculator, hopping path pool, hopping end pool, double hopping engine, flow updater, and flow entries.)

5.2.1. Validation of the Effectiveness of End Hopping. UDP packets from the terminal on node 1 are sent to the terminal on node 16 for 500 s. Packets are sniffed on the forwarding nodes, and the number of ends received on each node is counted. The sniffing results in DHC and in the traditional network are shown in Figure 6.

As demonstrated in Figure 6, on some forwarding nodes in the traditional network, such as nodes 4, 7, 8, and 12, only one end can be sniffed. However, in DHC, apart from the source and destination forwarding nodes, multiple ends can be sniffed on the other forwarding nodes. Because the end of the packets is invariant in traditional networks, the end that is sniffed stays unchanged, which brings convenience for attackers. Attackers can launch a targeted sniffer against any connection and obtain the complete communication data of the connection.

In DHC, the end changes randomly and periodically. The ends sniffed on the forwarding nodes between the source and destination hosts vary. It is difficult for attackers to determine which ends belong to the same connection, increasing the difficulty of reconstructing the communication data. Moreover, the more frequently the ends hop, the more ends will be sniffed on the forwarding nodes. It can be seen in Figure 6 that more ends are sniffed when $T_{\mathrm{hop}} = 5$ s compared with $T_{\mathrm{hop}} = 10$ s. In addition, fewer ends can be sniffed on forwarding node 9 than on the other nodes, as can be seen in the figure. The reason is that fewer paths pass through forwarding node 9 than through the other nodes; thus the probability of being hit by weighted random selection is lower.

5.2.2. Validation of the Effectiveness of Route Hopping. In the experiment, $10^6$ packets are transmitted from node 5 to node 6 at a speed of $10^4$ packets per second. The hopping period $T_{\mathrm{hop}}$ is set to 5 s. Packets are sniffed on the forwarding nodes, and the number of packets sniffed is counted. In the DHC network, random path selection and weighted random path selection are applied to conduct hopping communication. The sniffing results are compared with traditional network communication, as shown in Figure 7.

Figure 5: Network topology applied in the experiment. (Figure not reproduced: 16 forwarding nodes, numbered 1 to 16.)

Figure 6: Number of ends sniffed from a single flow. (Figure not reproduced: horizontal axis, forwarding node 2 to 15; vertical axis, the number of sniffed ends, 0 to 90; series: traditional network, DHC with $T_{\mathrm{hop}} = 10$ s, DHC with $T_{\mathrm{hop}} = 5$ s.)

In Figure 7 the vertical coordinate stands for the fraction of all the packets transmitted from node 5 to node 6. As we can see, in the traditional network the complete communication data from source host to destination host can be sniffed on some nodes (e.g., nodes 6, 11, and 12), which means that attackers can sniff complete data on any of these nodes, and further data analysis is possible. Since shortest-path routing is applied in the traditional network and the path stays unchanged during communication, the complete communication data can be obtained on any node that the shortest path goes through. In DHC, packets of a connection are distributed over several paths by route hopping, so it is difficult for attackers to sniff complete data on a single forwarding node. If random path selection is applied, the possibility of sniffing a large amount of data on certain nodes still exists: as shown in Figure 7, more than 50% of the data can be sniffed on forwarding nodes 4, 8, and 12. Applying weighted random path selection avoids excessive traffic passing through certain nodes, because lower weight is assigned to paths containing nodes that more paths cross.

[Figure 7: Percentage of packets sniffed from a single flow. x-axis: forwarding node (1 to 15); y-axis: fraction of the transmitted packets (0 to 1); series: DHC with random path selection, DHC with weighted path selection, traditional network.]

5.2.3. Validation of the Effectiveness against Sniffer Attack. In the experiment, 100 MB of data is transmitted from node 1 to node 16 for 500 s. The hopping period $T_{hop}$ is set to 5 s. Data is sniffed on the node sets $A_1 = \{8\}$, $A_2 = \{8, 9\}$, $A_3 = \{8, 9, 10\}$, and $A_4 = \{8, 9, 10, 11\}$, respectively. The shortest path from node 1 to node 16 is 1 → 4 → 7 → 8 → 12 → 16. The percentage of data sniffed on the node sets $A_1$, $A_2$, $A_3$, and $A_4$ is presented in Figure 8.

As illustrated in Figure 8, the complete communication data can be sniffed on all sniffed node sets $A_1$, $A_2$, $A_3$, and $A_4$ in the traditional network, since they all contain node 8, which lies on the shortest path, on which complete data can be sniffed. In DHC, however, complete data cannot be obtained from the node sets $A_1$, $A_2$, and $A_3$, since route hopping is applied. The percentage of data sniffed on $A_1$ and $A_2$ is the same, because the traffic that passes through $A_2$ also passes through $A_1$. Only $A_4$ can sniff the complete communication data in DHC; however, the ends of the data are diverse because of end hopping. We consider packets with the same end to be static data that attackers can obtain. The static data that attackers can obtain in hopping communication is far less than that in the traditional network.

[Figure 8: Percentage of data that can be sniffed by attackers. x-axis: the sniffed set ($A_1$, $A_2$, $A_3$, $A_4$); y-axis: fraction of sniffed data (0 to 1.0); series: the sniffed data in DHC, the sniffed static data in the traditional network, the sniffed static data in DHC.]

[Figure 9: Performance of forwarding in DHC. x-axis: the amount of data transmitted (MB): 1, 10, 100, 200, 500, 1000; y-axis: data transmission time (s), 0 to 1400; series: traditional network, DHC with $T_{hop}$ = 10 s, DHC with $T_{hop}$ = 5 s.]

5.2.4. Performance of DHC. In the experiment, the bandwidth of all connections in the network topology is set to 10 Mb/s. Data is transmitted from the terminal on node 1 to the terminal on node 16 using the File Transfer Protocol (FTP). The time for data transmission in both DHC and the traditional network is recorded. Results are shown in Figure 9.

As can be seen in Figure 9, the time consumed by data transmission in DHC increased in comparison with the traditional network. The reason is that multiple paths from source to destination are selected, including longer paths, whereas in the traditional network the data is routed along the shortest path; therefore the transmission time in DHC is longer than in the traditional network. But the increase is less than 7% when $T_{hop} = 5$ s in the experiment. Routing path hopping of a connection results in a small number of disordered packets at the receiving end when a new period starts, which then causes retransmission; therefore, the more frequently the flow entries are updated, the more likely retransmission happens. We can also see from Figure 9 that more time is consumed to transmit data when $T_{hop} = 5$ s than when $T_{hop} = 10$ s.

6. Analysis

In DHC, each hopping connection needs to occupy hopping ends in every period. In Section 6.1, the number of hopping connections that can be supported in a DHC network, that is, the hopping network capacity, is analyzed. DHC makes it difficult for attackers to obtain complete data and to reconstruct data, so communication security is improved; the obtaining and reconstruction of communication data are discussed in Sections 6.2 and 6.3. The unpredictability and the cost of DHC are analyzed in Sections 6.4 and 6.5, respectively.

6.1. Capacity of Hopping Network. Suppose the sizes of the hopping IP address pool and port pool are $|Addr|$ and $|Port|$, respectively. The number of all the ends $(IP_{src}, P_{src}, IP_{dst}, P_{dst})$ is $|Addr|^2 \times |Port|^2$, and the number of ends with $IP_{src} = IP_{dst}$ is $|Addr| \times |Port|^2$. According to the definition of an end, valid ends require $IP_{src} \ne IP_{dst}$, so the size of the valid end hopping space $S_{EH}$ can be calculated by

$$|S_{EH}| = |Addr|^2 \times |Port|^2 - |Addr| \times |Port|^2 \quad (3)$$

In DHC, end hopping is performed in both directions of one connection, which means that at any moment one connection needs two ends. Assuming $t$ hopping connections exist simultaneously in the network, $2t$ ends will be needed, so $|S_{EH}| - 2t$ ends are left. To ensure high randomness in hopping end selection, enough unoccupied hopping ends in $S_{EH}$ are necessary. Suppose the maximum occupancy rate of the end hopping space $S_{EH}$ is $\alpha$; that is, there are at least $(1 - \alpha)|S_{EH}|$ ends unoccupied. Then inequality (4) holds:

$$(1 - \alpha)|S_{EH}| \le |S_{EH}| - 2t, \qquad t \le \frac{1}{2}\alpha |S_{EH}| \quad (4)$$

Therefore the maximum number of hopping connections allowed in DHC is $\frac{1}{2}\alpha|S_{EH}|$; that is, the capacity of the hopping network is $\frac{1}{2}\alpha|S_{EH}|$.

Combining (3) and inequality (4), the following inequality can be obtained:

$$t \le \frac{1}{2}\alpha \left(|Addr|^2 \times |Port|^2 - |Addr| \times |Port|^2\right) \quad (5)$$

Assume $|Port| = 2^{16}$, $|Addr| = 2^{16}$ (the hopping IP address pool is a class B address block), and $\alpha = 0.8$; then DHC can support $7.37 \times 10^{18}$ connections hopping simultaneously.

6.2. Analysis of Complete Communication Data Obtaining by Attackers. We hypothesize that attackers can sniff part of the forwarding nodes in the network randomly. Suppose the network topology $G = \langle V, E \rangle$ is an undirected connected graph, where $V$ is the set of forwarding nodes and $E$ is the set of links. $V$ contains $m$ forwarding nodes, and attackers can randomly sniff $n$ of them simultaneously ($n \le m$). The sniffed node set consisting of these sniffed forwarding nodes is denoted as $V^n_{sniff}$, with $V^n_{sniff} \subseteq V$ and $|V^n_{sniff}| = n$. Source host $host_{src}$ communicates with destination host $host_{dst}$. The source and destination forwarding nodes are denoted as $node_{src}$ and $node_{dst}$, respectively. Assume there are $s$ nodes on the shortest path between $host_{src}$ and $host_{dst}$ ($1 \le s \le m$), which constitute the node set $U_s$. In the traditional network, if $V^n_{sniff} \cap U_s \ne \emptyset$, the complete communication data between $host_{src}$ and $host_{dst}$ can be obtained by attackers; if $V^n_{sniff} \cap U_s = \emptyset$, no communication data can be sniffed. The probability of attackers obtaining the complete communication data in the traditional network can be calculated by (6), where $C^n_m$ is the number of all $V^n_{sniff}$ and $C^n_{m-s}$ is the number of $V^n_{sniff}$ with $V^n_{sniff} \cap U_s = \emptyset$, so $C^n_m - C^n_{m-s}$ represents the number of $V^n_{sniff}$ with $V^n_{sniff} \cap U_s \ne \emptyset$:

$$P_{traditional} = \frac{C^n_m - C^n_{m-s}}{C^n_m} \quad (6)$$

In DHC, attackers can sniff complete data between $host_{src}$ and $host_{dst}$ if $node_{src} \in V^n_{sniff}$ or $node_{dst} \in V^n_{sniff}$. The number of such $V^n_{sniff}$ is $C^1_2 C^{n-1}_{m-2} + C^2_2 C^{n-2}_{m-2}$. In the other cases, if $node_{src} \notin V^n_{sniff}$ and $node_{dst} \notin V^n_{sniff}$, then to sniff complete data one vertex cut-set $V_{cut}$ must be contained in $V^n_{sniff}$, and $node_{src}$ and $node_{dst}$ must be cut by $V_{cut}$ into different connected subgraphs; that is, $V^n_{sniff} \supseteq V_{cut}$ exists, where $G$ is cut by $V_{cut}$ into $k$ connected subgraphs $G_1, G_2, \ldots, G_k$, and $node_{src} \in G_i$, $node_{dst} \in G_j$, $1 \le i, j \le k$, and $i \ne j$ hold. Suppose there exist $Q^n_{src,dst}$ sniffed node sets $V^n_{sniff}$ that contain such a $V_{cut}$ in this case. Then the probability of attackers obtaining complete data between $host_{src}$ and $host_{dst}$ can be calculated by

$$P_{hop} = \frac{C^1_2 C^{n-1}_{m-2} + C^2_2 C^{n-2}_{m-2} + Q^n_{src,dst}}{C^n_m} \quad (7)$$

Proposition 1. The probability of attackers obtaining complete data in the traditional network on one communication is not less than that in DHC; that is, $P_{traditional} \ge P_{hop}$.

The proof of this proposition is given in the Appendix. In the network topology shown in Figure 5, suppose a host on node 1 communicates with a host on node 16. The shortest path from node 1 to node 16 contains 6 nodes. Attackers can sniff $n$ nodes randomly ($1 \le n \le 16$). The probabilities of attackers obtaining complete data in the traditional network and in the DHC network are shown in Figure 10.

As can be seen from Figure 10, the probability of attackers obtaining complete data increases as the number of sniffed nodes increases, in both the traditional and the DHC network, but $P_{hop} \le P_{traditional}$ always holds. The probability of attackers obtaining complete data is 1 in both the traditional and the DHC network when the number of sniffed nodes is more than 10. Although the probability of attackers sniffing complete data increases in the DHC network when a large number of forwarding nodes are sniffed, attackers obtain more irrelevant data: since the end hops constantly during a communication, attackers cannot easily pick out the traffic that belongs to the target from the sniffed data, which increases the difficulty for attackers to reconstruct and recover the communication data.

[Figure 10: Probability of obtaining complete data. x-axis: the number of monitored nodes (1 to 16); y-axis: the probability of obtaining complete communication data (0 to 1); series: DHC, traditional network.]
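As an added example (not code from the paper), the following Python evaluates $P_{traditional}$ from (6) and $P_{hop}$ from (7) by brute force on a small constructed 7-node topology, since the page does not give the link list of the Figure 5 topology; $Q^n_{src,dst}$ is counted by testing every $n$-node sniffed set that avoids $node_{src}$ and $node_{dst}$ for whether it separates them. It assumes, as the analysis does, that the route hopping space contains every path, so a sniffed set captures all DHC traffic only if it is such a vertex cut.

```python
from collections import deque
from fractions import Fraction
from itertools import combinations
from math import comb

# Constructed 7-node topology (an assumption; not the 16-node topology of Figure 5).
# The hop-count shortest path 1-2-3-7 has s = 4 nodes; 1-4-5-6-7 and 1-2-5-6-7 are detours.
EDGES = [(1, 2), (2, 3), (3, 7), (1, 4), (4, 5), (5, 6), (6, 7), (2, 5)]


def binom(a, b):
    """C^b_a with the convention needed by (6)/(7): zero when b is out of range."""
    return comb(a, b) if 0 <= b <= a else 0


def adjacency(edges):
    """Undirected adjacency map: forwarding node -> set of neighbouring nodes."""
    adj = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj


def shortest_path_nodes(adj, src, dst):
    """U_s: the node set of one hop-count shortest path from src to dst (BFS)."""
    parent = {src: None}
    queue = deque([src])
    while queue:
        u = queue.popleft()
        if u == dst:
            break
        for w in sorted(adj[u]):
            if w not in parent:
                parent[w] = u
                queue.append(w)
    nodes, cur = set(), dst
    while cur is not None:
        nodes.add(cur)
        cur = parent[cur]
    return nodes


def still_connected(adj, removed, src, dst):
    """True if src still reaches dst once the sniffed nodes are removed from G."""
    seen, queue = {src}, deque([src])
    while queue:
        u = queue.popleft()
        if u == dst:
            return True
        for w in adj[u]:
            if w not in removed and w not in seen:
                seen.add(w)
                queue.append(w)
    return False


def p_traditional(adj, src, dst, n):
    """Equation (6): a sniffed set succeeds iff it touches the shortest path U_s."""
    m, s = len(adj), len(shortest_path_nodes(adj, src, dst))
    return Fraction(binom(m, n) - binom(m - s, n), binom(m, n))


def count_q(adj, src, dst, n):
    """Q^n_{src,dst}: sniffed sets avoiding src and dst that are vertex cuts
    separating node_src from node_dst (brute force over all n-subsets of V)."""
    return sum(
        1
        for sniff in combinations(sorted(adj), n)
        if src not in sniff and dst not in sniff
        and not still_connected(adj, set(sniff), src, dst)
    )


def p_hop(adj, src, dst, n):
    """Equation (7): sets containing node_src or node_dst, plus the Q cut-sets."""
    m = len(adj)
    endpoint_sets = binom(2, 1) * binom(m - 2, n - 1) + binom(2, 2) * binom(m - 2, n - 2)
    return Fraction(endpoint_sets + count_q(adj, src, dst, n), binom(m, n))


def proposition_1_holds(adj, src, dst):
    """Check P_traditional >= P_hop for every possible number of sniffed nodes."""
    return all(p_hop(adj, src, dst, n) <= p_traditional(adj, src, dst, n)
               for n in range(1, len(adj) + 1))


if __name__ == "__main__":
    adj = adjacency(EDGES)
    for n in range(1, len(adj) + 1):
        print(n, p_traditional(adj, 1, 7, n), p_hop(adj, 1, 7, n))
    print("Proposition 1 holds:", proposition_1_holds(adj, 1, 7))
```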

6.3. Analysis of Communication Data Reconstruction for Attackers. Reconstruction of communication data requires the complete data of the communication; in this section, assume attackers can sniff the complete data of a communication between source and destination hosts. In the traditional network, attackers can deduce the positions of both communicating sides and the upper-layer protocol from the IP addresses and ports of the sniffed packets. Useless packets can be eliminated based on the end, and the target communication data can be obtained. In the DHC network, however, no real end of the source and destination hosts can be sniffed by attackers if the source and destination forwarding nodes are not sniffed. The data of a communication is distributed over various flows that attackers are not able to distinguish. Suppose there are $f_{sniff}$ flows in the sniffed data, among which $f_{real}$ flows contain the data of the target connection ($f_{real} \le f_{sniff}$), and different ends are applied in different connections. There are $C^h_{f_{sniff}}$ combinations when attackers randomly choose $h$ flows from the $f_{sniff}$ flows, and attackers can reconstruct the communication data properly with only one combination, that is, $C^{f_{real}}_{f_{real}} = 1$. Given that attackers select several flows at random in a single attempt to reconstruct the communication data, the probability of reconstructing the data properly can be calculated with

$$P_{once} = \frac{C^{f_{real}}_{f_{real}}}{C^1_{f_{sniff}} + C^2_{f_{sniff}} + \cdots + C^{f_{sniff}}_{f_{sniff}}} = \frac{1}{2^{f_{sniff}} - 1} \quad (8)$$

As shown in (8), the probability of attackers reconstructing the data successfully in a single attempt decreases exponentially with the number of flows sniffed: the more data is sniffed, the more difficult successful data reconstruction becomes. Since attackers cannot easily determine the timing of the target communication because of end hopping, a longer sniffing time is needed to obtain the complete communication data; therefore a large amount of irrelevant data is obtained, increasing the difficulty of data reconstruction. Given $f_{sniff} = 100$ and $f_{real} = 10$, the probability of attackers reconstructing the data correctly by selecting several flows at random in one attempt would be $7.89 \times 10^{-31}$.

Table 1: Comparison of packet transmission time between traditional network and DHC network.

Approach    | Average cost of packet transmission time | Period of flow update | Routing path
Traditional | $t \times l_s$                           | Infinite              | The shortest path from source to destination
DHC         | $t \times l_a$                           | $T_{hop}$             | Multiple paths from source to destination

6.4. Analysis of Unpredictability. Since the end and route hop randomly in DHC (detailed information is given in Section 4.3), the end and route used in the next period cannot be predicted precisely. Even if the DHC protocol, the end hopping space, and the route hopping space are exposed, DHC can still increase the cost of sniffer attackers and resist sniffer attacks. Suppose that an attacker with all the information above sniffs the DHC network for a target communication; then she will face the following difficulties in launching a sniffer attack. Firstly, even though the DHC protocol is transparent to the attacker, a targeted sniffer attack cannot be launched, thanks to the randomness of end and route hopping. Secondly, it is hard for the attacker to get the complete communication data during sniffing, due to the periodical hopping of the route. Thirdly, the attacker will get a large number of ends because of frequent end hopping, which prevents the attacker from extracting the right packets belonging to the target communication when she/he attempts to recover the communication data. So the unpredictability of DHC guarantees that it can resist sniffer attack even when the DHC protocol and the network information are exposed.

6.5. Analysis of Cost. Under traditional routing schemes, packets are routed along the shortest path. In the DHC network, however, packets may be routed along longer paths due to the dynamic changing of the route; therefore the cost in packet transmission time is higher in DHC. Let $l_s$ denote the length (the length of a routing path is estimated in hops) of the shortest path between source and destination, $l_a$ the average length of the paths in the route hopping space ($l_s \le l_a$), and $T_{hop}$ the hopping period; then the cost in packet transmission time is shown in Table 1. Moreover, the periodic random selection of a routing path for a communication results in a small number of disordered packets at the receiving end when a new period starts, which leaves no obstacle to normal communication.

Ends and routing paths are selected in DHC when flow entries are generated, which is more complicated than in the traditional network; therefore the time cost of generating flow entries is higher in DHC. Since the average path is longer in DHC, more flow entries are installed for one communication compared with the traditional network, so the time cost of flow entry setup is higher in DHC as well. In Figure 11, the average time cost of installing flow entries between different node pairs in the topology of Figure 5 is compared for DHC and the traditional network. As illustrated in Figure 11, the average time for flow entry generation and setup in DHC is longer than in the traditional network.

[Figure 11: Comparison of the average time cost of flow entry installation in DHC and the traditional network. x-axis: node pairs 1 → 16, 3 → 11, 4 → 14, 5 → 12; y-axis: average time overhead (ms), 0 to 0.25; series: time of flow setup in DHC, time of flow generation in DHC, time of flow setup in the traditional network, time of flow generation in the traditional network.]

In the network without DHC, flow entries are installed only once at the beginning of a communication, while in DHC the flow entries of the data plane are updated periodically and hopping ends and paths have to be allocated for every connection between two communicating sides, which places more load on the controller. In the experiment topology, 50 pairs of source and destination hosts are chosen randomly and communication between each pair is started. The CPU utilization of DHC and the traditional network is compared in Figure 12. If the controller does not run DHC, the load is low because flow entries are not periodically updated, so the CPU utilization is under 10%, as shown in Figure 12. If the controller runs DHC, the load increases due to the periodical updating of flow entries, and the figure shows that CPU utilization is much higher: when $T_{hop} = 5$ s the CPU utilization is between 20% and 40%, and when $T_{hop} = 10$ s it is between 10% and 30%. The shorter hopping period requires more controller operations, so when $T_{hop} = 5$ s the CPU utilization of the controller is higher than when $T_{hop} = 10$ s. The controller will be the bottleneck when DHC is used in a large-scale network. Fortunately, a distributed SDN controller [30] is a solution to this problem.

[Figure 12: CPU utilization of the controller. x-axis: run time (s), 10 to 100; y-axis: CPU utilization (%), 0 to 60; series: no DHC, DHC with $T_{hop}$ = 10 s, DHC with $T_{hop}$ = 5 s.]

In the traditional network, flows are matched only by destination address, so the length of the routing tables is of order $O(m)$ for a network of $m$ nodes. In DHC, however, flows are matched by ends (including source/destination addresses and ports), meaning that two flows must be specified for every connection (TCP or UDP) between two communicating sides. Let $\lambda$ denote the average rate of connection establishment and let $w$ denote the lasting time of each connection; then the mean length of the flow tables is of order $O(m\lambda w)$ [7]. Moreover, to avoid packet loss, DHC requires both old and new flow entries in the flow table simultaneously for a brief period of time, during which the cost in flow table space increases. Therefore the cost in flow table space is higher in DHC.

7. Conclusion

The centralized control and programmability of SDN make hopping communication easier to realize and deploy. In this paper, end hopping and route hopping are combined, and double hopping communication based on SDN is proposed. The end is changed dynamically in DHC, so that the data from multiple users is mixed and communication traffic can be hidden in background traffic; thus traffic cannot be distinguished easily, and the difficulty for attackers to reconstruct and recover data increases. In addition, the data is transmitted along multiple paths by changing the routing path dynamically, which increases the difficulty for attackers to obtain the complete communication data. Results show that the approach proposed in this paper effectively defends against sniffer attack. Moreover, DHC is realized completely in software and is transparent to terminals. A controller bottleneck usually occurs in a large-scale DHC network; in future work, a distributed controller model will be applied to deal with this problem, and a feasible communication solution of DHC will be tested in a real network.

Appendix

Suppose there are $m$ nodes in the network topology $G$. The attacker can sniff $n$ nodes, and the sniffed nodes constitute a sniffed node set $V^n_{sniff}$ ($|V^n_{sniff}| = n$, $n \le m$). Given the route hopping space $S^{H_1 \to H_2}_{RH}$, there are $s$ nodes in the shortest path between source host $H_1$ and destination host $H_2$ ($s \le m$). $V_{cut}$ is a vertex cut-set by which $G$ is cut into several connected subgraphs such that the source forwarding node $node_{src}$ and the destination forwarding node $node_{dst}$ are in different subgraphs. Suppose there are $Q^n_{src,dst}$ sniffed node sets $V^n_{sniff}$ satisfying $V^n_{sniff} \supseteq V_{cut}$. The proof that the probability of the attacker obtaining the complete communication data in the traditional network in one communication is not less than that in DHC, that is, $P_{traditional} \ge P_{hop}$, is shown below.

Proof. To verify that $P_{traditional} \ge P_{hop}$, we show that $P_{traditional} - P_{hop} \ge 0$. Given $P_{traditional} = (C^n_m - C^n_{m-s})/C^n_m$ and $P_{hop} = (C^1_2 C^{n-1}_{m-2} + C^2_2 C^{n-2}_{m-2} + Q^n_{src,dst})/C^n_m$, we have

$$P_{traditional} - P_{hop} = \frac{C^n_m - C^n_{m-s} - \left(C^1_2 C^{n-1}_{m-2} + C^2_2 C^{n-2}_{m-2} + Q^n_{src,dst}\right)}{C^n_m} \quad (A.1)$$

Suppose the shortest path from $H_1$ to $H_2$ is $path^*$ ($path^* \in S^{H_1 \to H_2}_{RH}$). If the complete communication data from source host to destination host can be sniffed on $V^n_{sniff}$, then for all $path \in S^{H_1 \to H_2}_{RH}$ we have $V^n_{sniff} \cap Nodes(path) \ne \emptyset$, where $Nodes(path)$ represents the set of nodes that $path$ passes. Because $path^* \in S^{H_1 \to H_2}_{RH}$, $V^n_{sniff} \cap Nodes(path^*) \ne \emptyset$; that is, $V^n_{sniff}$ contains at least one node on the shortest path (Conclusion 1).

When $n = 1$, the attacker sniffs 1 node in the network. Then, based on (A.1), we have

$$P_{traditional} - P_{hop} = \frac{C^1_m - C^1_{m-s} - \left(C^1_2 C^0_{m-2} + Q^1_{src,dst}\right)}{C^1_m} \quad (A.2)$$

In (A.2) the denominator $C^1_m > 0$, and the numerator is as follows:

$$C^1_m - C^1_{m-s} - \left(C^1_2 C^0_{m-2} + Q^1_{src,dst}\right) = m - (m - s) - \left(2 + Q^1_{src,dst}\right) = s - 2 - Q^1_{src,dst} \quad (A.3)$$

By Conclusion 1, $V^1_{sniff} \cap Nodes(path^*) \ne \emptyset$; that is, the sniffed node is on the shortest path. Among the $s$ nodes on the shortest path, the number of $V^1_{sniff}$ which can divide the source node and the destination node into different connected subgraphs is not more than $s - 2$; that is, $Q^1_{src,dst} \le s - 2$. So (A.3) $\ge 0$. The numerator of (A.2) is not less than 0, and therefore in (A.2) $P_{traditional} - P_{hop} \ge 0$.

When $n \ge 2$, the attacker sniffs more than 1 node in the network. Then, based on (A.1), we have

$$P_{traditional} - P_{hop} = \frac{C^n_m - C^n_{m-s} - \left(C^1_2 C^{n-1}_{m-2} + C^2_2 C^{n-2}_{m-2} + Q^n_{src,dst}\right)}{C^n_m} \quad (A.4)$$

In (A.4) the denominator $C^n_m > 0$, and the numerator is as follows:

$$\begin{aligned}
& C^n_m - C^n_{m-s} - \left(C^1_2 C^{n-1}_{m-2} + C^2_2 C^{n-2}_{m-2} + Q^n_{src,dst}\right) \\
&= C^n_m - C^n_{m-s} - 2C^{n-1}_{m-2} - C^{n-2}_{m-2} - Q^n_{src,dst} \\
&= C^n_{m-2} - C^n_{m-s} - Q^n_{src,dst}
\end{aligned} \quad (A.5)$$

According to the definition, $Q^n_{src,dst}$ is the number of those $V^n_{sniff}$ which can divide $node_{src}$ and $node_{dst}$ into different connected subgraphs, so $node_{src}$ and $node_{dst}$ do not belong to such $V^n_{sniff}$. $C^n_{m-2}$ is the number of all $V^n_{sniff}$ satisfying both $node_{src} \notin V^n_{sniff}$ and $node_{dst} \notin V^n_{sniff}$, and $C^n_{m-2-(s-2)}$ is the number of $V^n_{sniff}$ satisfying $V^n_{sniff} \cap Nodes(path^*) = \emptyset$. By Conclusion 1, $V^n_{sniff} \cap Nodes(path^*) \ne \emptyset$, so $Q^n_{src,dst}$ is not more than $C^n_{m-2} - C^n_{m-2-(s-2)}$. So (A.5) $\ge 0$. The numerator of (A.4) is not less than 0, and therefore in (A.4) $P_{traditional} - P_{hop} \ge 0$.

In conclusion, $P_{traditional} - P_{hop} \ge 0$; that is, $P_{traditional} \ge P_{hop}$.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work is supported by the National Natural Science Foundation of China (nos. 61379151, 61272489, 61302159, and 61401512), The National Cryptography Development Fund of China (no. MMJJ201301005), The National Basic Research Program of China (973) (Grants nos. 2012CB315901 and 2013CB329104), and The National Natural Science Foundation of China (Grants nos. 61309019 and 61372121).

References

[1] National Cyber Leap Year Summit 2009 Co-Chairs' Report, "Networking and information technology research and development," Tech. Rep., 2009.

[2] T. Cyberspace, Strategic Plan for the Federal Cybersecurity Research and Development Program, Executive Office of the President, National Science and Technology Council, Washington, DC, USA, 2011.

[3] S. Jajodia, A. K. Ghosh, V. Swarup, C. Wang, and X. S. Wang, Moving Target Defense: Creating Asymmetric Uncertainty for Cyber Threats, vol. 54, Springer Science & Business Media, New York, NY, USA, 2011.

[4] E. Al-Shaer, "Toward network configuration randomization for moving target defense," in Moving Target Defense, vol. 54 of Advances in Information Security, pp. 153–159, Springer, New York, NY, USA, 2011.

[5] P. Kampanakis, H. Perros, and T. Beyene, "SDN-based solutions for Moving Target Defense network protection," in Proceedings of the 15th IEEE International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM '14), pp. 1–6, Sydney, Australia, June 2014.

[6] M. Atighetchi, P. Pal, F. Webber, and C. Jones, "Adaptive use of network-centric mechanisms in cyber-defense," in Proceedings of the 6th IEEE International Symposium on Object-Oriented Real-Time Distributed Computing, pp. 183–192, Hokkaido, Japan, May 2003.

[7] J. H. Jafarian, E. Al-Shaer, and Q. Duan, "Openflow random host mutation: transparent moving target defense using software defined networking," in Proceedings of the 1st Workshop on Hot Topics in Software Defined Networks (HotSDN '12), pp. 127–132, ACM, Helsinki, Finland, August 2012.

[8] Q. Duan, E. Al-Shaer, and H. Jafarian, "Efficient Random Route Mutation considering flow and network constraints," in Proceedings of the IEEE Conference on Communications and Network Security (CNS '13), pp. 260–268, IEEE, National Harbor, Md, USA, October 2013.

[9] E. Al-Shaer, Q. Duan, and J. H. Jafarian, "Random host mutation for moving target defense," in Security and Privacy in Communication Networks, pp. 310–327, Springer, New York, NY, USA, 2013.

[10] G. Badishi, A. Herzberg, and I. Keidar, "Keeping denial-of-service attackers in the dark," IEEE Transactions on Dependable and Secure Computing, vol. 4, no. 3, pp. 191–204, 2007.

[11] H. Wang, Q. Jia, D. Fleck, W. Powell, F. Li, and A. Stavrou, "A moving target DDoS defense mechanism," Computer Communications, vol. 46, pp. 10–21, 2014.

[12] C.-Y. Hong, S. Kandula, R. Mahajan, et al., "Achieving high utilization with software-driven WAN," ACM SIGCOMM Computer Communication Review, vol. 43, no. 3, pp. 15–26, 2013.

[13] N. McKeown, "Software-defined networking," INFOCOM Keynote Talk, vol. 17, no. 2, pp. 30–32, 2009.

[14] M. Carvalho and R. Ford, "Moving-target defenses for computer networks," IEEE Security & Privacy, vol. 12, no. 2, pp. 73–76, 2014.

[15] M. Sifalakis, S. Schmid, and D. Hutchison, "Network address hopping: a mechanism to enhance data protection for packet communications," in Proceedings of the IEEE International Conference on Communications (ICC '05), vol. 3, pp. 1518–1523, IEEE, Seoul, Republic of Korea, May 2005.

[16] M. Dunlop, S. Groat, W. Urbanski, R. Marchany, and J. Tront, "MT6D: a moving target IPv6 defense," in Proceedings of the Military Communications Conference (MILCOM '11), pp. 1321–1326, IEEE, Baltimore, Md, USA, November 2011.

[17] J. H. Jafarian, E. Al-Shaer, and Q. Duan, "An effective address mutation approach for disrupting reconnaissance attacks," IEEE Transactions on Information Forensics and Security, vol. 10, no. 12, pp. 2562–2577, 2015.

[18] J. H. H. Jafarian, E. Al-Shaer, and Q. Duan, "Spatio-temporal address mutation for proactive cyber agility against sophisticated attackers," in Proceedings of the 1st ACM Workshop on Moving Target Defense (MTD '14), pp. 69–78, Scottsdale, AZ, USA, November 2014.

[19] J. H. Jafarian, E. Al-Shaer, and Q. Duan, "Adversary-aware IP address randomization for proactive agility against sophisticated attackers," in Proceedings of the IEEE Conference on Computer Communications (INFOCOM '15), pp. 738–746, IEEE, April 2015.

[20] D. C. MacFarland and C. A. Shue, "The SDN shuffle: creating a moving-target defense using host-based software-defined networking," in Proceedings of the 2nd ACM Workshop on Moving Target Defense (MTD '15), pp. 37–41, ACM, Denver, Colo, USA, October 2015.

[21] J. Jafarian, E. Al-Shaer, and Q. Duan, "Formal approach for route agility against persistent attackers," in Computer Security – ESORICS 2013, J. Crampton, S. Jajodia, and K. Mayes, Eds., vol. 8134 of Lecture Notes in Computer Science, pp. 237–254, Springer, Berlin, Germany, 2013.

[22] S. Dolev and S. T. David, "SDN-based private interconnection," in Proceedings of the IEEE 13th International Symposium on Network Computing and Applications (NCA '14), 2014.

[23] F. Gillani, E. Al-Shaer, S. Lo, Q. Duan, M. H. Ammar, and E. W. Zegura, "Agile virtualized infrastructure to proactively defend against cyber attacks," in Proceedings of the IEEE Conference on Computer Communications (INFOCOM '15), pp. 729–737, Hong Kong, April-May 2015.

[24] D. Gkounis, V. Kotronis, and X. Dimitropoulos, "Towards defeating the crossfire attack using SDN," http://arxiv.org/abs/1412.2013.

[25] A. Studer and A. Perrig, "The coremelt attack," in Computer Security – ESORICS 2009, vol. 5789 of Lecture Notes in Computer Science, pp. 37–52, Springer, Berlin, Germany, 2009.

[26] B. Lantz, B. Heller, and N. McKeown, "A network in a laptop: rapid prototyping for software-defined networks," in Proceedings of the 9th ACM SIGCOMM Workshop on Hot Topics in Networks, ACM, October 2010.

[27] N. McKeown, T. Anderson, H. Balakrishnan, et al., "OpenFlow: enabling innovation in campus networks," ACM SIGCOMM Computer Communication Review, vol. 38, no. 2, pp. 69–74, 2008.

[28] M. McCauley, "About pox," 2013, http://www.github.com/noxrepo/pox.

[29] S. De Maesschalck, D. Colle, I. Lievens, et al., "Pan-European optical transport networks: an availability-based comparison," Photonic Network Communications, vol. 5, no. 3, pp. 203–225, 2003.

[30] A. Dixit, F. Hao, S. Mukherjee, T. V. Lakshman, and R. Kompella, "Towards an elastic distributed SDN controller," ACM SIGCOMM Computer Communication Review, vol. 43, no. 4, pp. 7–12, 2013.


source creates $n$ shares of its data, then sends them along multiple paths and makes sure that no $k$ or more shares pass the same router. Thus, the method achieves a theoretically secured channel to the public cloud. However, in our work, ends and route paths are changed frequently to increase the cost of attacks while obtaining and reconstructing communication data. Gillani et al. [23] migrate virtual routers among multiple paths to invalidate the network topology probe of attacks; therefore, link DDoS attacks are resisted. Gkounis et al. [24] proposed a method based on SDN architecture to detect and mitigate Crossfire attack [25] by rerouting traffic via multiple paths. The two abovementioned works aim to resist link DDoS attacks, while our work, aimed at resisting sniffer attack, increases the cost of attackers through changes of ends and routing paths.

3. Basic Principles of DHC

In static-configuration-based network communication, when two hosts communicate on one connection, all the packets in the communication contain information about this connection, and the transmission path of the communication packets is static. These two facts provide convenience for attackers to sniff network communication: attackers are able to obtain communication data easily from the target by sniffing the network flow based on the target end on the transmission path. In the DHC approach, both end and route are hopped based on SDN architecture. Dynamicity and randomness are introduced into communication in two dimensions, end and route. For the data plane, a random hopping end and route are configured by the controller in every hopping period after one connection is established. In the meantime, both end hopping and route hopping are achieved.

In DHC, ends on both communication sides hop dynamically. The data from multiple users will be mixed, and end-to-end traffic is hidden in network background traffic. Frequent hopping of the end makes it difficult for attackers to select and sort the sniffed packets, as well as to recover the initial data. Thus, the difficulty of analyzing communication data is increased. Route hopping changes the routing paths of the packets dynamically, spreading the communication traffic over multiple routing paths. In this way, the overhead and difficulty of sniffing are increased, since continuous communication data is difficult to obtain. To sum up, double hopping of both end and route limits the communication data that attackers can obtain and sets obstacles for attackers to analyze the data.

4. Basic Architecture of DHC

When conducting hopping communication in DHC, the end and routing path that are about to hop are selected first. Then flow tables are updated according to the hopping protocol. Thus, the end hopping space and the route hopping space, as well as the hopping communication protocol, should be taken into consideration to realize DHC.

4.1. End Hopping Space. An end consists of the IP address of the host and the port in communication. It is an essential element of communication between two hosts in a network, and it uniquely defines one communication side in the network. One connection in network communication contains the IP addresses and ports of both source and destination hosts. Therefore, $EI = (\mathrm{IP}_{src}, P_{src}, \mathrm{IP}_{dst}, P_{dst})$ is defined to represent the end of one connection. The end of packets mentioned throughout the paper refers to this definition. In DHC, the end hopping space $S_{EH}$ consists of hopping IP addresses and hopping ports. Given the IP address pool $\mathrm{Addr} = \{\mathrm{IP}_1, \mathrm{IP}_2, \ldots, \mathrm{IP}_m\}$ and the hopping port pool $\mathrm{Port} = \{P_1, P_2, \ldots, P_n\}$, the end hopping space can be represented by

$$S_{EH} = \left\{ (\mathrm{IP}_{src}, P_{src}, \mathrm{IP}_{dst}, P_{dst}) \;\middle|\; \mathrm{IP}_{src}, \mathrm{IP}_{dst} \in \mathrm{Addr},\ \mathrm{IP}_{src} \neq \mathrm{IP}_{dst},\ P_{src}, P_{dst} \in \mathrm{Port} \right\}. \quad (1)$$

Unoccupied hopping ends are randomly selected in $S_{EH}$ to replace the real ends in communication when the ends need hopping.

4.2. Route Hopping Space. One routing path between source and destination hosts is a sequence that consists of forwarding nodes (i.e., OF switches). Define $Path = \langle node_{src}, node_1, node_2, \ldots, node_{dst} \rangle$, where $node_{src}$ connects with the source host and is called the source forwarding node (source switch), and $node_{dst}$ connects with the destination host and is called the destination forwarding node (destination switch). Under SDN architecture, the controller has the global network view. Therefore, all paths connecting source and destination hosts that satisfy certain conditions can be calculated, constituting the route hopping space.

Suppose the source host $H_1$ communicates with the destination host $H_2$; the corresponding route hopping space $S_{RH}^{H_1 \to H_2}$ will be calculated as follows.

(1) Calculate all acyclic paths between $H_1$ and $H_2$ that are not longer than the maximum path length $L$ according to the topology of the network, and let them constitute the path set $PathSet^{H_1 \to H_2}$.

(2) For $Path_i, Path_j \in PathSet^{H_1 \to H_2}$, if $Nodes(Path_i) \subset Nodes(Path_j)$ holds, delete $Path_j$ from the path set $PathSet^{H_1 \to H_2}$, where $Nodes(Path_i)$ represents the set of nodes that path $Path_i$ passes. The reason for deleting $Path_j$ is that no node in $Path_i$ can be avoided when packets pass along $Path_j$, which only leads to a longer path.

The route hopping space $S_{RH}^{H_1 \to H_2}$ is obtained from the steps above. If $|S_{RH}^{H_1 \to H_2}| > 1$ holds, the paths in $S_{RH}^{H_1 \to H_2}$ satisfy the following: $\forall Path_i, Path_j \in S_{RH}^{H_1 \to H_2}$, $Path_i \neq Path_j$, there exists $node \in Nodes(Path_i)$ with $node \notin Nodes(Path_j)$, which means that $Path_j$ does not pass at least one node in $Path_i$.

In order to guarantee the unpredictability of the hopping path, randomness in hopping path selection is essential. One simple method is random path selection, which randomly selects one path in $S_{RH}^{H_1 \to H_2}$ at the beginning of each period and takes it as the hopping path during the period. The probability of selection for each path in $S_{RH}^{H_1 \to H_2}$ is identical.


Input: $(Path_1, \ldots, Path_u)$, $(w_1, \ldots, w_u)$, $RandNum$
Output: $Path$
WeightedRandomPathSelect($(Path_1, \ldots, Path_u)$, $(w_1, \ldots, w_u)$, $RandNum$)
(1) sum = 0
(2) for $i$ in $(1, 2, \ldots, u)$
(3)     new_sum ← sum + $w_i$
(4)     if sum < $RandNum$ ≤ new_sum
(5)         return $Path_i$
(6)     else sum = new_sum

Algorithm 1: Weighted random path selection algorithm.

However, traffic may be forwarded unbalanced by the nodes, which means that the possibility exists of a large amount of traffic being forwarded by one single node. In this case, if attackers sniff on this specific node, a large amount of communication data will be obtained easily. The reason is that paths in $S_{RH}^{H_1 \to H_2}$ intersect. Fortunately, this threat can be eliminated in DHC by using weighted random path selection.

For a node, we define $C^{H_1 \to H_2}(node)$ as the number of paths in the route hopping space $S_{RH}^{H_1 \to H_2}$ that pass through $node$. For a node set $set$, we define $C^{H_1 \to H_2}(set) = \{ C^{H_1 \to H_2}(node) \mid node \in set \}$. Suppose that for one connection between hosts $H_1$ and $H_2$ there is $Path_k \in S_{RH}^{H_1 \to H_2}$; $d(Path_k)$ denotes the node set that contains the nodes left after the common nodes (e.g., the source forwarding node and the destination forwarding node), through which all paths in $S_{RH}^{H_1 \to H_2}$ pass, are deleted. The weight of $Path_k$ is defined as

$$Weight(Path_k) = \frac{1 / \mathrm{Max}\left( C^{H_1 \to H_2}\left( d(Path_k) \right) \right)}{\sum_{Path_i \in S_{RH}^{H_1 \to H_2}} \left( 1 / \mathrm{Max}\left( C^{H_1 \to H_2}\left( d(Path_i) \right) \right) \right)}, \quad (2)$$

where the function $\mathrm{Max}$ gets the maximum value in $C^{H_1 \to H_2}(set)$. By using the weighting function above, lower weight is assigned to paths with nodes that more paths cross. Therefore, the chance that too much traffic passes through one single node (except the common nodes for all paths) in the network due to intersection is eliminated.

The weighted random path selection algorithm is shown in Algorithm 1. The probability of one path being chosen is set as the weight for the path. The inputs of the algorithm include the paths $(Path_1, \ldots, Path_u)$ in the route hopping space $S_{RH}^{H_1 \to H_2}$, the corresponding weights $(w_1, \ldots, w_u)$, and a random number $RandNum \in [0, 1]$. In the algorithm, weights are accumulated for each path in steps 2 to 6. The path corresponding to the weight is returned when the sum of accumulated weights is bigger than or equal to the random number $RandNum$.
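As an added example (not code from the paper or from the DhcFlower prototype), the following Python builds the route hopping space of Section 4.2 for a small constructed topology, computes the weights of (2), applies Algorithm 1, and compares the share of one connection's traffic each switch forwards under random and weighted selection. The topology, switch names, and random numbers are assumptions.

```python
import random

# Constructed topology (an assumption, not the paper's 16-node network): OF switch adjacency.
TOPOLOGY = {
    "S1": ["S2", "S3", "S5"],
    "S2": ["S1", "S4"],
    "S3": ["S1", "S4"],
    "S4": ["S2", "S3", "S6"],
    "S5": ["S1", "S6"],
    "S6": ["S4", "S5"],
}


def all_acyclic_paths(topology, src, dst, max_len):
    """Step (1) of Section 4.2: every simple path from src to dst with at most max_len nodes."""
    found = []

    def walk(node, path):
        if len(path) > max_len:
            return
        if node == dst:
            found.append(tuple(path))
            return
        for nxt in topology[node]:
            if nxt not in path:
                walk(nxt, path + [nxt])

    walk(src, [src])
    return found


def route_hopping_space(topology, src, dst, max_len):
    """Steps (1)-(2): drop every path whose node set strictly contains another path's node set."""
    candidates = all_acyclic_paths(topology, src, dst, max_len)
    node_sets = [set(p) for p in candidates]
    return [p for j, p in enumerate(candidates)
            if not any(node_sets[i] < node_sets[j] for i in range(len(candidates)))]


def path_weights(space):
    """Eq. (2): Weight(Path_k) is proportional to 1 / Max(C(d(Path_k))), where C counts how many
    paths of the space cross each node and d() strips the nodes common to all paths."""
    common = set.intersection(*(set(p) for p in space))
    crossings = {}
    for p in space:
        for node in p:
            crossings[node] = crossings.get(node, 0) + 1
    inverse = [1.0 / max((crossings[n] for n in p if n not in common), default=1)
               for p in space]
    total = sum(inverse)
    return [x / total for x in inverse]


def weighted_random_path_select(paths, weights, rand_num):
    """Algorithm 1: accumulate the weights and return the path whose interval holds rand_num."""
    acc = 0.0
    for path, w in zip(paths, weights):
        new_acc = acc + w
        if acc < rand_num <= new_acc:
            return path
        acc = new_acc
    return paths[-1]  # fallback when rand_num falls in no (acc, new_acc] interval, e.g. exactly 0


def expected_node_load(space, weights):
    """Share of one connection's traffic each switch forwards under a selection distribution."""
    load = {}
    for path, w in zip(space, weights):
        for node in path:
            load[node] = load.get(node, 0.0) + w
    return load


if __name__ == "__main__":
    space = route_hopping_space(TOPOLOGY, "S1", "S6", max_len=4)
    weights = path_weights(space)
    rng = random.Random(7)  # a seeded RNG stands in for the controller's RandNum source
    for _ in range(3):
        print(weighted_random_path_select(space, weights, rng.random()))
    print(expected_node_load(space, [1 / len(space)] * len(space)))  # random selection
    print(expected_node_load(space, weights))                         # weighted selection
```

In this topology S4 lies on two of the three paths: random selection sends two thirds of the traffic through it, while the weights of (2) bring its share down to one half.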

4.3. DHC Protocol. In DHC, for each period $T_{hop}$, one hopping end $hEI$ and one path from source to destination $Path$ are randomly chosen. New flow entries are generated by the controller and installed in the OF switches. The end of packets from the source host is modified to $hEI$, and these packets are transmitted to the destination host along $Path$. Then double hopping of end and route with period $T_{hop}$ as granularity is realized.

4.3.1. Double Hopping. The basic protocol of DHC is illustrated in Figure 1. It is a network with SDN architecture in which host $H_1$ communicates with $H_2$. Denote the end hopping space as $S_{EH}$ and the route hopping space of the communication as $S_{RH}^{H_1 \to H_2}$. Firstly, the initial end $rEI = (\mathrm{IP}_1, P_1, \mathrm{IP}_2, P_2)$ is generated by $H_1$ according to the real IP addresses and ports of the two communication sides; then the address of the communication is determined.

Detailed steps of double hopping are as follows.

(1) The first packet containing $rEI$ is sent to the network by $H_1$. OF switch $S_1$ receives the packet and encapsulates it as a packet-in message. Then the packet-in message is sent to the controller.

(2) The packet-in message is de-encapsulated by the controller and $rEI$ is extracted. Then the hopping end $hEI_1 = (\mathrm{IP}'_1, P'_1, \mathrm{IP}'_2, P'_2)$ is selected randomly in $S_{EH}$. The route hopping space $S_{RH}^{H_1 \to H_2}$ is calculated by the controller and $Path_1 = (S_1, S_2, S_5)$ is chosen using the weighted random path selection algorithm. With the knowledge of $hEI_1$ and $Path_1$, the controller generates flow entries encapsulated as modify-state messages and sends them to OF switches $S_1$, $S_2$, and $S_5$. Corresponding modification and routing of the packets are conducted.

(3) Ends $(\mathrm{IP}_1, P_1, \mathrm{IP}_2, P_2)$ in the packets are modified to $(\mathrm{IP}'_1, P'_1, \mathrm{IP}'_2, P'_2)$ by source switch $S_1$, and the modified packets are forwarded to OF switch $S_2$, then to destination switch $S_5$.

(4) Ends $(\mathrm{IP}'_1, P'_1, \mathrm{IP}'_2, P'_2)$ in the packets are recovered to $rEI$ and forwarded to host $H_2$ by destination switch $S_5$. Then $H_2$ receives the packets from $H_1$.

In this communication, the hopping end is recalculated by the controller for a hopping period $T_{hop}$ and is represented as $hEI_2 = (\mathrm{IP}''_1, P''_1, \mathrm{IP}''_2, P''_2)$, as shown in Figure 1. A new path, denoted as $Path_2 = (S_1, S_3, S_4, S_5)$, is selected in $S_{RH}^{H_1 \to H_2}$ using the weighted random path selection algorithm. Then the flow entries in the OF switches are updated. Source switch $S_1$ modifies the end in the packets sent from $H_1$ to $H_2$ to $hEI_2$ and forwards the modified packets along $Path_2$. In destination switch $S_5$, the end of these packets is recovered to the real end $(\mathrm{IP}_1, P_1, \mathrm{IP}_2, P_2)$.

[Figure 1: an SDN network with a controller, host $H_1$ (IP$_1$, $P_1$), host $H_2$ (IP$_2$, $P_2$), and OF switches $S_1$ to $S_5$, with steps 1 to 4 annotated; packets carry $(\mathrm{IP}_1, P_1, \mathrm{IP}_2, P_2)$ at the hosts, $(\mathrm{IP}'_1, P'_1, \mathrm{IP}'_2, P'_2)$ on $Path_1$, and $(\mathrm{IP}''_1, P''_1, \mathrm{IP}''_2, P''_2)$ on $Path_2$.]

Figure 1: An example of double hopping communication.

[Figure 2: switches $S_1$ to $S_7$, with the old path through $S_1, S_2, S_3, S_4, S_5$ and the new path detouring via $S_6, S_7$; the ends $rEI$, $hEI_1$, and $hEI_2$ are annotated.]

Figure 2: An example of flow entries update.

The procedure described above does not modify the real end on either host. Instead, it modifies the end and routing path of the communication packets dynamically during network transmission. The source and destination hosts can achieve hopping communication transparently in the network without interrupting the ongoing communication. Once the packets of the communication between $H_1$ and $H_2$ enter the network, the end of the packets and the routing path are hopped with time. For each hopping period $T_{hop}$, the hopping end and route will be reconfigured by the controller. The communication will be considered finished when the controller detects, via flow-removed messages sent by the switches, that the flow entries were not hit during a hopping period. Thus, the flow entries will not be updated any further.

4.3.2. Flow Entries Update. Flow entries in OF switches need to be updated when end and route are hopped in DHC. Moreover, it should be guaranteed that the flow entries update is consistent and no packet is lost. Suppose that hopping communication is conducted in the network topology shown in Figure 2. Assume that the end is currently being hopped by switch $S_1$, the end changes from $rEI$ to $hEI_1$, and the packets are being transmitted along path $(S_1, S_2, S_3, S_4, S_5)$. In this circumstance, to hop the end of the packets from $rEI$ to $hEI_2$ and to hop the routing path from $(S_1, S_2, S_3, S_4, S_5)$ to $(S_1, S_2, S_6, S_7, S_4, S_5)$, the steps of updating flow entries are as follows.

(1) The controller sends modify-state messages to install new flow entries in switches $S_2, S_6, S_7, S_4, S_5$ for forwarding the packets with end $hEI_2$. At this time, the new flow entries will not be hit by packets because there are no packets in the network that contain the end $hEI_2$.

(2) The controller sends modify-state messages to modify the flow entry in switch $S_1$; thus the end of packets is converted from $rEI$ to $hEI_2$.

(3) The controller sends modify-state messages to delete the old flow entries in switches $S_2, S_3, S_4, S_5$ after the maximum transmission delay of path $(S_1, S_2, S_3, S_4, S_5)$ is reached.

The method to update the flow entries described above can guarantee that the traffic is routed by the old flow entries during the update, avoiding packet loss. In addition, traffic is routed by the updated flow entries after the update, maintaining per-packet consistency.
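An added example, not the paper's or DhcFlower's code: a Python simulation of the update order above on the Figure 2 topology, with one hop per tick, showing that deleting the old entries before the old path's maximum delay has elapsed, or switching $S_1$ before the downstream entries exist, drops in-flight packets, while the three-step order loses nothing and keeps every packet on one complete path. The tick model, end values, and schedules are constructed assumptions.

```python
# Constructed values (assumptions, not from the paper): real end, two hopping ends, Figure 2 paths.
R_EI = ("IP1", "P1", "IP2", "P2")
H_EI1 = ("IP1'", "P1'", "IP2'", "P2'")
H_EI2 = ("IP1''", "P1''", "IP2''", "P2''")
OLD_PATH = ("S1", "S2", "S3", "S4", "S5")
NEW_PATH = ("S1", "S2", "S6", "S7", "S4", "S5")
DELAY = len(OLD_PATH) - 1  # maximum transmission delay of the old path: one tick per hop


class Network:
    """Toy OF network of Figure 2: one flow table per switch, packets advance one hop per tick."""

    def __init__(self):
        self.tables = {sw: {} for sw in ("S1", "S2", "S3", "S4", "S5", "S6", "S7")}
        self.in_flight = []    # packets as [current switch, end carried, switches visited]
        self.delivered = []    # (end carried on the wire, tuple of switches visited)
        self.dropped = []      # switches visited before the table miss

    def install_path(self, end, path):
        """Transit switches forward packets carrying `end`; the destination switch restores rEI."""
        for here, nxt in zip(path[1:-1], path[2:]):
            self.tables[here][end] = ("forward", nxt)
        self.tables[path[-1]][end] = ("restore", None)

    def delete_path(self, end, path):
        for sw in path[1:]:
            self.tables[sw].pop(end, None)

    def set_source_rewrite(self, end, path):
        """Source switch rewrites rEI to the hopping end and sends the packet to the path's 2nd hop."""
        self.tables[path[0]][R_EI] = ("rewrite", (end, path[1]))

    def inject(self):
        """Host H1 hands a packet carrying the real end to S1."""
        self.in_flight.append(["S1", R_EI, []])

    def tick(self):
        survivors = []
        for pkt in self.in_flight:
            sw, end, trace = pkt
            entry = self.tables[sw].get(end)
            if entry is None:                      # table miss: the packet is lost
                self.dropped.append(trace + [sw])
                continue
            kind, arg = entry
            trace.append(sw)
            if kind == "rewrite":
                pkt[1], pkt[0] = arg               # new end, next hop
                survivors.append(pkt)
            elif kind == "forward":
                pkt[0] = arg
                survivors.append(pkt)
            else:                                  # restored at the destination switch
                self.delivered.append((end, tuple(trace)))
        self.in_flight = survivors


def simulate(schedule, send_until=8, max_ticks=40):
    """Run controller actions from `schedule` ({tick: fn(net)}) while H1 sends one packet per tick."""
    net = Network()
    net.install_path(H_EI1, OLD_PATH)              # state before the hop: rEI -> hEI1 on the old path
    net.set_source_rewrite(H_EI1, OLD_PATH)
    for t in range(max_ticks):
        if t in schedule:
            schedule[t](net)
        if t < send_until:
            net.inject()
        net.tick()
        if t >= send_until and not net.in_flight:
            break
    return net


# Section 4.3.2 order: (1) install new entries, (2) switch S1, (3) delete old entries after DELAY.
SAFE = {0: lambda n: n.install_path(H_EI2, NEW_PATH),
        1: lambda n: n.set_source_rewrite(H_EI2, NEW_PATH),
        1 + DELAY: lambda n: n.delete_path(H_EI1, OLD_PATH)}
# Old entries deleted right after S1 switches: hEI1 packets still in flight miss their entries.
EAGER_DELETE = {0: SAFE[0], 1: SAFE[1], 2: SAFE[1 + DELAY]}
# S1 switched two ticks before the downstream entries exist: the first hEI2 packet misses at S2.
PREMATURE_SWITCH = {0: SAFE[1], 2: SAFE[0], 1 + DELAY: SAFE[1 + DELAY]}


def per_packet_consistent(net):
    """Every delivered packet carried one hopping end along that end's complete path."""
    allowed = {(H_EI1, OLD_PATH), (H_EI2, NEW_PATH)}
    return all(record in allowed for record in net.delivered)
```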

5. Prototype Deployment and Simulation Experiment

5.1. Prototype Deployment. To verify the performance and security of DHC, DhcFlower, a prototype based on an SDN controller, is implemented. As shown in Figure 3, DhcFlower runs on top of the SDN controller, which manages the switches through OpenFlow.

In the prototype deployment of DHC, TopologyDiscovery reports the changes of the network topology and updates the view of the network. FlowMonitor monitors the flow state of the network to find the initiation and termination of connections. Based on the view and flow state of the network, DhcFlower chooses the ends and routing paths to convert network configurations.

The detailed structure of DhcFlower is shown in Figure 4. TopologyDiscovery updates the topology database TopologyInfo with the changes of the network topology. Using the network topology information, the hopping path calculator calculates multiple paths for each pair of nodes and stores the hopping path information in the hopping path pool. Hopping ends are stored in the hopping end pool. With the hopping end pool and the hopping path pool, the double hopping engine, as the core module, chooses the hopping end and path based on flow state information. Afterwards, hopping strategies are generated. The flow updater generates flow entries based on the hopping strategies and updates the flow tables in a specific order.

5.2. Simulation Experiment. To evaluate DHC, we have operated our implemented prototype over Mininet [26]. OpenFlow 1.0 [27] is applied and POX [28] is used as the controller. A class B address block is chosen as the hopping IP address pool, and the hopping port pool is denoted as $\{0, 1, \ldots, 65535\}$. The network topology proposed by [29] is applied, which has 16 nodes (forwarding nodes), as illustrated in Figure 5. The maximum path length $L$ is set to 32.

[Figure 3: the controller hosts DhcFlower, TopologyDiscovery, and FlowMonitor and manages the OF switches through OpenFlow.]

Figure 3: DHC prototype deployment.

[Figure 4: inside the controller, DhcFlower consists of the hopping path calculator, the hopping path pool, the hopping end pool, the double hopping engine, and the flow updater; it takes topology info from TopologyDiscovery and flow state from FlowMonitor and emits flow entries.]

Figure 4: Makeup of DhcFlower.

5.2.1. Validation of the Effectiveness of End Hopping. UDP packets from the terminal on node 1 are sent to the terminal on node 16 for 500 s. Packets are sniffed on the forwarding nodes, and the number of ends received on each node is counted. The sniffing results in DHC and in the traditional network are shown in Figure 6.

As demonstrated in Figure 6, on some forwarding nodes in the traditional network, such as nodes 4, 7, 8, and 12, only one end is able to be sniffed. However, in DHC, apart from the source and destination forwarding nodes, multiple ends can be sniffed on the other forwarding nodes. Because the end of packets is invariant in traditional networks, the end that is sniffed stays unchanged, which brings convenience for attackers: attackers can launch a targeted sniffer against any connection and obtain the complete communication data of the connection.

In DHC, the end changes randomly and periodically. The ends sniffed on the forwarding nodes between the source and destination hosts are various. It is difficult for attackers to determine the ends from the same connection, increasing the difficulty in reconstructing the communication data. Moreover, the more frequently ends hop, the more ends will be sniffed on forwarding nodes. It can be seen in Figure 6 that more ends are sniffed when $T_{hop} = 5$ s compared with $T_{hop} = 10$ s. In addition, fewer ends can be sniffed on forwarding node 9 than on other nodes, as can be seen in the figure. The reason is that fewer paths pass through forwarding node 9 than through other nodes; thus, the probability of it being hit by weighted random selection is lower.

5.2.2. Validation of the Effectiveness of Route Hopping. In the experiment, $10^6$ packets are transmitted from node 5 to node 6 at a rate of $10^4$ packets per second. The hopping period $T_{hop}$ is set to 5 s. Packets are sniffed on the forwarding nodes and the number of packets sniffed is counted. In the DHC network, random path selection and weighted random path selection are applied to conduct hopping communication. The sniffing results are compared with traditional network communication, as shown in Figure 7.

[Figure 5: 16 forwarding nodes numbered 1 to 16.]

Figure 5: Network topology applied in the experiment.

[Figure 6: the number of sniffed ends (0 to 90) per forwarding node 2 to 15, for the traditional network, DHC with $T_{hop} = 10$ s, and DHC with $T_{hop} = 5$ s.]

Figure 6: Number of ends sniffed from a single flow.

In Figure 7, the vertical coordinate stands for the fraction of all the packets transmitted from node 5 to node 6. As we can see, in the traditional network the complete communication data from the source host to the destination host can be sniffed on some nodes (e.g., nodes 6, 11, and 12), which means that attackers can sniff the complete data on any of these nodes and further data analysis is possible. Since shortest-path routing is applied in the traditional network and the path stays unchanged during communication, the complete communication data can be obtained on any node that the shortest path goes through. In DHC, the packets of a connection are distributed over several paths by route hopping. It is difficult for attackers to sniff the complete data on a single forwarding node. The possibility of sniffing a large amount of data on certain nodes exists if random path selection is applied: as shown in Figure 7, more than 50% of the data can be sniffed on forwarding nodes 4, 8, and 12. Applying weighted random path selection can avoid excessive traffic passing through certain nodes. The reason is that lower weight is assigned to paths with nodes that more paths cross.

[Figure 7: fraction of the transmitted packets (0 to 1) per forwarding node 1 to 15 (node 5 excluded), for DHC with random path selection, DHC with weighted path selection, and the traditional network.]

Figure 7: Percentage of packets sniffed from a single flow.

5.2.3. Validation of the Effectiveness of Antisniffer Attack. In the experiment, 100 MB of data had been transmitted from node 1 to node 16 for 500 s. The hopping period $T_{hop}$ is set to 5 s. Data is sniffed on the node sets $A_1 = \{8\}$, $A_2 = \{8, 9\}$, $A_3 = \{8, 9, 10\}$, and $A_4 = \{8, 9, 10, 11\}$, respectively. The shortest path from node 1 to node 16 is $1 \to 4 \to 7 \to 8 \to 12 \to 16$. The percentage of data sniffed on node sets $A_1$, $A_2$, $A_3$, and $A_4$ is presented in Figure 8.

As illustrated in Figure 8, the complete communication data can be sniffed on all sniffed node sets $A_1$, $A_2$, $A_3$, and $A_4$ in the traditional network, since they all contain node 8 on the shortest path, on which the complete data can be sniffed. However, in DHC, the complete data cannot be obtained from node sets $A_1$, $A_2$, and $A_3$, since route hopping is applied. The percentage of data sniffed on $A_1$ and $A_2$ is the same because traffic passing through $A_2$ also passes through $A_1$. Only $A_4$ can sniff the complete communication data in DHC. However, the ends of the data are diverse because of end hopping. We consider that packets with the same end are static data that attackers can obtain. The static data that attackers can obtain in hopping communication is far less than that in the traditional network.

[Figure 8: fraction of sniffed data (0 to 1.0) on the sniffed sets $A_1$ to $A_4$, for the sniffed data in DHC, the sniffed static data in the traditional network, and the sniffed static data in DHC.]

Figure 8: Percentage of data that can be sniffed by attackers.

[Figure 9: data transmission time (0 to 1400 s) against the amount of data transmitted (1, 10, 100, 200, 500, 1000 MB), for the traditional network, DHC with $T_{hop} = 10$ s, and DHC with $T_{hop} = 5$ s.]

Figure 9: Performance of forwarding in DHC.

5.2.4. Performance of DHC. In the experiment, the bandwidth of all connections in the network topology is set to 10 Mb/s. Data is transmitted from the terminal on node 1 to the terminal on node 16 using the File Transfer Protocol (FTP). The time for data transmission in both DHC and the traditional network is recorded. The results are shown in Figure 9.

As can be seen in Figure 9, the time consumption of data transmission in DHC increased in comparison with the traditional network. The reason is that multiple paths from source to destination are selected, including longer paths. On the contrary, the data is routed by the shortest path in the traditional network. Therefore, the transmission time in DHC is longer than that in the traditional network. But the increase is less than 7% when $T_{hop} = 5$ s in the experiment. Routing path hopping of a connection results in a small number of disordered packets at the receiving end when a new period starts. Then retransmission is caused. Therefore, the more frequently the flow entries update, the more likely retransmission happens. We can also see from Figure 9 that a longer time will be consumed to transmit the data when $T_{hop} = 5$ s compared with $T_{hop} = 10$ s.

6. Analysis

In DHC, each hopping connection needs to occupy hopping ends in every period. In Section 6.1, the number of hopping connections that can be supported in a DHC network, that is, the hopping network capacity, is analyzed. DHC brings difficulty for attackers to obtain complete data and to reconstruct data. Therefore, communication security is improved. The obtaining and reconstruction of communication data are discussed in Sections 6.2 and 6.3. The unpredictability and the cost of DHC are analyzed in Sections 6.4 and 6.5, respectively.

6.1. Capacity of Hopping Network. Suppose the sizes of the hopping IP address pool and the port pool are $|\mathrm{Addr}|$ and $|\mathrm{Port}|$, respectively. The number of all the ends $(\mathrm{IP}_{src}, P_{src}, \mathrm{IP}_{dst}, P_{dst})$ is $|\mathrm{Addr}|^2 \times |\mathrm{Port}|^2$, and the number of the ends with $\mathrm{IP}_{src} = \mathrm{IP}_{dst}$ is $|\mathrm{Addr}| \times |\mathrm{Port}|^2$. According to the definition of an end, valid ends require $\mathrm{IP}_{src} \neq \mathrm{IP}_{dst}$, so the size of the valid end hopping space $S_{EH}$ can be calculated by

$$|S_{EH}| = |\mathrm{Addr}|^2 \times |\mathrm{Port}|^2 - |\mathrm{Addr}| \times |\mathrm{Port}|^2. \quad (3)$$

In DHC, end hopping is performed in both directions of one connection, which means that at any moment one connection needs two ends. Assuming $t$ hopping connections exist simultaneously in the network, $2t$ ends will be needed, so $|S_{EH}| - 2t$ ends are left. To ensure high randomness in hopping end selection, enough unoccupied hopping ends in $S_{EH}$ are necessary. Suppose the maximum occupancy rate of the end hopping space $S_{EH}$ is $\alpha$; that is, there are at least $(1 - \alpha)|S_{EH}|$ ends unoccupied. Then inequality (4) holds:

$$(1 - \alpha)\,|S_{EH}| \le |S_{EH}| - 2t, \qquad t \le \frac{1}{2}\,\alpha\,|S_{EH}|. \quad (4)$$

Therefore, the maximum number of hopping connections allowed in DHC is $(1/2)\,\alpha\,|S_{EH}|$; that is, the capacity of the hopping network is $(1/2)\,\alpha\,|S_{EH}|$.

Combining (3) and inequality (4), the following inequality can be obtained:

$$t \le \frac{1}{2}\,\alpha \left( |\mathrm{Addr}|^2 \times |\mathrm{Port}|^2 - |\mathrm{Addr}| \times |\mathrm{Port}|^2 \right). \quad (5)$$

Assume $|\mathrm{Port}| = 2^{16}$, $|\mathrm{Addr}| = 2^{16}$ (the hopping IP address pool is a class B address block), and $\alpha = 0.8$. DHC can support $7.37 \times 10^{18}$ connections hopping simultaneously.

62 Analysis of Complete Communication Data Obtaining byAttackers We hypothesize that attackers can sniff part of the

Mathematical Problems in Engineering 9

forwarding nodes in network randomly Suppose networktopology119866 = ⟨119881 119864⟩ is an undirected connected graph where119881 is a set of forwarding nodes and 119864 is a set of links 119881contains 119898 forwarding nodes and attackers can randomlysniff 119899 of them simultaneously (119899 le 119898) Sniffed node setconsisting of these sniffed forwarding nodes is denoted as119881119899

sniff 119881119899

sniff sube 119881 and |119881119899sniff | = 119899Source host ℎ119900119904119905src communicates with destination host

ℎ119900119904119905dst Source and destination forwarding nodes are denotedas 119899119900119889119890src and 119899119900119889119890dst respectively Assume there are 119904 nodeson the shortest path between ℎ119900119904119905src and ℎ119900119904119905dst (1 le 119904 le119898) which constitute node set 119880119904 In traditional network if119881119899

listen cap 119880119904= complete communication data between

ℎ119900119904119905src and ℎ119900119904119905dst can be obtained by attackers If 119881119899listen cap119880119904= no communication data can be sniffed The

probability of attackers obtaining complete communicationdata in traditional network can be calculated by (6) where119862119899

119898is number of all 119881119899sniff and 119862119899

119898minus119904is the number of 119881119899sniff

when 119881119899listen cap 119880119904= So 119862119899

119898minus 119862119899

119898minus119904represents the number

of 119881119899sniff when 119881119899listen cap 119880119904=

119875traditional =119862119899

119898minus 119862119899

119898minus119904

119862119899

119898

(6)

In DHC, attackers can sniff complete data between $\mathit{host}_{\mathrm{src}}$ and $\mathit{host}_{\mathrm{dst}}$ if $\mathit{node}_{\mathrm{src}} \in V^n_{\mathrm{sniff}}$ or $\mathit{node}_{\mathrm{dst}} \in V^n_{\mathrm{sniff}}$. The number of such $V^n_{\mathrm{sniff}}$ is $C^1_2 C^{n-1}_{m-2} + C^2_2 C^{n-2}_{m-2}$. In other cases, if $\mathit{node}_{\mathrm{src}} \notin V^n_{\mathrm{listen}}$ and $\mathit{node}_{\mathrm{dst}} \notin V^n_{\mathrm{listen}}$, to sniff complete data one vertex cut-set $V_{\mathrm{cut}}$ should be contained in $V^n_{\mathrm{sniff}}$, and $\mathit{node}_{\mathrm{src}}$ and $\mathit{node}_{\mathrm{dst}}$ should be cut by $V_{\mathrm{cut}}$ into different connected subgraphs; that is, $V^n_{\mathrm{sniff}} \supseteq V_{\mathrm{cut}}$ exists, where $G$ is cut by $V_{\mathrm{cut}}$ into $k$ connected subgraphs $G_1, G_2, \ldots, G_k$, and $\mathit{node}_{\mathrm{src}} \in G_i$ and $\mathit{node}_{\mathrm{dst}} \in G_j$, $1 \le i, j \le k$, and $i \ne j$ hold. Suppose there exist $Q^n_{\mathrm{src,dst}}$ sniffed node sets $V^n_{\mathrm{sniff}}$ where $V^n_{\mathrm{sniff}}$ contains such a $V_{\mathrm{cut}}$ in this case. Then the probability of attackers obtaining complete data between $\mathit{host}_{\mathrm{src}}$ and $\mathit{host}_{\mathrm{dst}}$ can be calculated by

$$P_{\mathrm{hop}} = \frac{C^1_2 C^{n-1}_{m-2} + C^2_2 C^{n-2}_{m-2} + Q^n_{\mathrm{src,dst}}}{C^n_m} \qquad (7)$$

Proposition 1. The probability of attackers obtaining complete data in traditional network on one communication is not less than that in DHC; that is, $P_{\mathrm{traditional}} \ge P_{\mathrm{hop}}$.

The proof of this proposition is given in the Appendix. In the network topology shown in Figure 5, suppose a host on node 1 communicates with a host on node 16. The shortest path from node 1 to node 16 contains 6 nodes. Attackers can sniff $n$ nodes randomly ($1 \le n \le 16$). The probabilities of attackers obtaining complete data in traditional network and DHC network are shown in Figure 10.

As can be seen from Figure 10, the probability of attackers obtaining complete data increases when the number of sniffed nodes increases, both in traditional and DHC network, but $P_{\mathrm{hop}} \le P_{\mathrm{traditional}}$ always holds. The probability of attackers obtaining complete data is 1 in both traditional and DHC network when the number of sniffed nodes is more than 10. Although the probability of attackers sniffing complete data increases in DHC network when a large number of forwarding nodes are sniffed, attackers obtain more irrelevant data. Since the end hops constantly during a communication, attackers cannot easily pick out the traffic that belongs to the target from the sniffed data, which increases the difficulty for attackers to reconstruct and recover communication data.

Figure 10: Probability of obtaining complete data (x-axis: the number of monitored nodes, 1 to 16; y-axis: the probability of obtaining complete communication data, 0 to 1; series: DHC and traditional network).

6.3. Analysis of Communication Data Reconstruction for Attackers. Reconstruction of communication data requires the complete data of this communication. In this section, assume attackers can sniff the complete data of the communication between source and destination hosts. In traditional network, attackers can deduce the positions of both communication sides and the upper layer protocol according to the IP addresses and ports of the sniffed packets. Useless packets can be eliminated based on the end, and the target communication data can be obtained. However, in DHC network no real end of the source and destination hosts can be sniffed by attackers if the source and destination forwarding nodes are not sniffed. Data in communication is distributed to various flows that attackers are not able to distinguish. Suppose that there are $f_{\mathrm{sniff}}$ flows in the sniffed data, among which $f_{\mathrm{real}}$ flows contain the data of target connections ($f_{\mathrm{real}} \le f_{\mathrm{sniff}}$), and different ends are applied in different connections. There are $C^h_{f_{\mathrm{sniff}}}$ combinations when attackers randomly choose $h$ flows from the $f_{\mathrm{sniff}}$ flows. Attackers can reconstruct communication data properly with only one combination; that is, $C^{f_{\mathrm{real}}}_{f_{\mathrm{real}}} = 1$.

Given that attackers select several flows randomly at a single time to reconstruct communication data, the probability of reconstructing data properly can be calculated with

$$P_{\mathrm{once}} = \frac{C^{f_{\mathrm{real}}}_{f_{\mathrm{real}}}}{C^1_{f_{\mathrm{sniff}}} + C^2_{f_{\mathrm{sniff}}} + \cdots + C^{f_{\mathrm{sniff}}}_{f_{\mathrm{sniff}}}} = \frac{1}{2^{f_{\mathrm{sniff}}} - 1} \qquad (8)$$

As shown in (8), the probability of attackers reconstructing data successfully at a single time decreases exponentially with the increase of the number of flows sniffed. The more data sniffed, the more difficult successful data reconstruction becomes. Since attackers cannot easily determine the timing of the target communication due to end hopping, a longer sniffing time is needed to obtain complete communication data. Therefore, a large amount of irrelevant data is obtained, increasing the difficulty of data reconstruction. Given $f_{\mathrm{sniff}} = 100$ and $f_{\mathrm{real}} = 10$, the probability of attackers reconstructing data correctly by selecting several flows randomly at one time would be $7.89 \times 10^{-31}$.

Table 1: Comparison of packet transmission time between traditional network and DHC network.

Approach    | Average cost of packet transmission time | Period of flow update | Routing path
Traditional | $t \times l_s$                           | Infinite              | The shortest path from source to destination
DHC         | $t \times l_a$                           | $T_{\mathrm{hop}}$    | Multiple paths from source to destination
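The quantities in (6), (7), and (8) worked through on a small constructed topology, as an added example; this is not the paper's code, and the six-node ring below is not the Figure 5 topology. $Q^n_{\mathrm{src,dst}}$ is counted by brute force: an $n$-subset of nodes that avoids $\mathit{node}_{\mathrm{src}}$ and $\mathit{node}_{\mathrm{dst}}$ contains a vertex cut separating them exactly when removing the subset disconnects them, so each subset is tested with a graph search. Exact fractions are used so that Proposition 1 can be checked for every $n$ without rounding.

```python
from fractions import Fraction
from itertools import combinations
from math import comb

# Constructed six-node ring topology (not the paper's Figure 5): node -> neighbours.
# Node 1 is the source forwarding node, node 6 the destination forwarding node.
TOPOLOGY = {
    1: {2, 4}, 2: {1, 3}, 3: {2, 6},
    4: {1, 5}, 5: {4, 6}, 6: {3, 5},
}
NODE_SRC, NODE_DST = 1, 6


def C(a, b):
    """Binomial coefficient C^b_a, zero outside 0 <= b <= a (math.comb rejects b < 0)."""
    return comb(a, b) if 0 <= b <= a else 0


def shortest_path(graph, src, dst):
    """Breadth-first search; returns the node list of one shortest path."""
    parent = {src: None}
    queue = [src]
    for node in queue:                       # the list grows while we iterate over it
        if node == dst:
            break
        for nxt in sorted(graph[node]):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = parent[node]
    return path[::-1]


def separated(graph, removed, src, dst):
    """True if deleting the nodes in 'removed' leaves src and dst disconnected."""
    seen, stack = {src}, [src]
    while stack:
        node = stack.pop()
        for nxt in graph[node]:
            if nxt not in removed and nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return dst not in seen


def q_count(graph, src, dst, n):
    """Q^n_{src,dst}: n-subsets avoiding src and dst that contain a vertex cut
    separating them (equivalently, the subset itself separates them)."""
    others = [v for v in graph if v not in (src, dst)]
    return sum(1 for subset in combinations(others, n)
               if separated(graph, set(subset), src, dst))


def p_traditional(m, n, s):
    """Equation (6): the attacker holds at least one node of the fixed shortest path."""
    return Fraction(C(m, n) - C(m - s, n), C(m, n))


def p_hop(graph, src, dst, n):
    """Equation (7): (C^1_2 C^{n-1}_{m-2} + C^2_2 C^{n-2}_{m-2} + Q^n_{src,dst}) / C^n_m."""
    m = len(graph)
    hits = 2 * C(m - 2, n - 1) + C(m - 2, n - 2) + q_count(graph, src, dst, n)
    return Fraction(hits, C(m, n))


def p_once(f_sniff):
    """Equation (8): one random guess at the right combination of sniffed flows."""
    return Fraction(1, 2 ** f_sniff - 1)


def proposition_holds(graph, src, dst):
    """Proposition 1 checked exhaustively on this graph: P_traditional >= P_hop for all n."""
    m = len(graph)
    s = len(shortest_path(graph, src, dst))
    return all(p_hop(graph, src, dst, n) <= p_traditional(m, n, s)
               for n in range(1, m + 1))


if __name__ == "__main__":
    m, s = len(TOPOLOGY), len(shortest_path(TOPOLOGY, NODE_SRC, NODE_DST))
    for n in range(1, m + 1):
        print(n, p_traditional(m, n, s), p_hop(TOPOLOGY, NODE_SRC, NODE_DST, n))
    print("P_once(100) =", float(p_once(100)))
```

On the ring, $P_{\mathrm{hop}}$ is $1/3$ against $P_{\mathrm{traditional}} = 2/3$ for one sniffed node and $13/15$ against $14/15$ for two; from three sniffed nodes on both are 1, which is the shape Figure 10 shows for the larger topology. Substituting $f_{\mathrm{sniff}} = 100$ into p_once reproduces the $7.89 \times 10^{-31}$ quoted above.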

6.4. Analysis of Unpredictability. Since the end and route hop randomly in DHC (detailed information is given in Section 4.3), the end and route used in the next period cannot be predicted precisely. Even under the condition that the DHC protocol, the end hopping space, and the route hopping space are exposed, DHC can still increase the cost of sniffer attackers and resist sniffer attacks. Suppose that an attacker with all the information above sniffs the DHC network for a target communication; then she will face the following difficulties in launching a sniffer attack. Firstly, even though the DHC protocol is transparent to the attacker, a targeted sniffer attack cannot be launched, thanks to the randomness of end and route hopping. Secondly, it is hard for the attacker to get complete communication data during sniffing due to the periodical hopping of the route. Thirdly, the attacker will get a large number of ends because of frequent end hopping, which prevents the attacker from extracting the right packets belonging to the target communication when she attempts to recover communication data. So the unpredictability of DHC guarantees that it can resist sniffer attack under the condition that the DHC protocol and network information are exposed.

6.5. Analysis of Cost. Under traditional routing schemes, packets are routed along the shortest path. However, in DHC network packets may be routed along longer paths due to the dynamic changing of the route. Therefore, the cost of packet transmission time is higher in DHC. Let $l_s$ denote the length (the length of a routing path is measured in hops) of the shortest path between source and destination, $l_a$ the average length of the paths in the route hopping space ($l_s \le l_a$), and $T_{\mathrm{hop}}$ the hopping period; then the cost of packet transmission time is shown in Table 1. Moreover, random selection of the routing path is conducted periodically by the route hop of a communication, which results in a small number of out-of-order packets at the receiving end when a new period starts, leaving no obstacles to normal communication.

Ends and routing paths have to be selected in DHC when flow entries are generated, which is more complicated than in traditional network. Therefore, the time cost of generating flow entries is higher in DHC. Since the average path is longer in DHC, more flow entries are installed for one communication compared with traditional network. Thus, the time cost for flow entries setup is higher in DHC as well. In Figure 11, the average time cost for installing flow entries between different node pairs in the topology (shown in Figure 5) of DHC and traditional network is compared. As illustrated in Figure 11, the average time for flow entries generation and setup in DHC is longer than that in traditional network.

Figure 11: Comparison of average time cost of flow entries installation in DHC and traditional network (x-axis: different node pairs, 1→16, 3→11, 4→14, 5→12; y-axis: average time overhead (ms), 0 to 0.25; series: time of flow setup in DHC, time of flow generation in DHC, time of flow setup in traditional network, time of flow generation in traditional network).

In the network without DHC, flow entries are installed only once at the beginning of a communication, while in DHC the flow entries of the data plane are updated periodically, and hopping ends and paths have to be allocated for every connection between two communication sides, which brings more load to the controller. In the experiment topology, 50 pairs of source and destination hosts are chosen randomly, and communication between each pair is started. The CPU utilization of DHC and traditional network is compared in Figure 12. If the controller does not run DHC, the load is low because flow entries are not periodically updated; therefore, the CPU utilization is under 10%, as shown in Figure 12. If the controller runs DHC, the load increases due to the periodical updating of flow entries. It can be found in the figure that CPU utilization is much higher when the controller runs DHC. When $T_{\mathrm{hop}} = 5$ s, the CPU utilization is between 20% and 40%, and when $T_{\mathrm{hop}} = 10$ s, the CPU utilization is between 10% and 30%. A shorter hopping period means more controller operations, so when $T_{\mathrm{hop}} = 5$ s the CPU utilization of the controller is higher than when $T_{\mathrm{hop}} = 10$ s. The controller will be the bottleneck when DHC is used in a large scale network. Fortunately, the distributed SDN controller [30] is a solution to the problem.

Figure 12: CPU utilization of controller (x-axis: run time (s), 10 to 100; y-axis: CPU utilization (%), 0 to 60; series: no DHC, DHC with $T_{\mathrm{hop}} = 10$ s, DHC with $T_{\mathrm{hop}} = 5$ s).

In traditional network, flows are matched only by destination addresses, so the length of routing tables is of the order $O(m)$ for a network of $m$ nodes. However, flows are matched by ends (including source/destination addresses and ports) in DHC, meaning that two flows must be specified for every connection (TCP or UDP) between two communication sides. Let $\lambda$ denote the average rate of connection establishment and let $w$ denote the lasting time of each connection; then the mean length of flow tables is of the order $O(m \lambda w)$ [7]. Moreover, to avoid packet loss, DHC requires both old and new flow entries in the flow table simultaneously for a brief period of time, during which the cost of flow table space increases. Therefore, the cost of flow table space is higher in DHC.

7. Conclusion

The centralized control and programmability of SDN make hopping communication easier to realize and deploy. In this paper, end hopping and route hopping are combined, and double hopping communication based on SDN is proposed. The end is changed dynamically in DHC, so that the data from multiple users is mixed and communication traffic can be hidden in background traffic. So traffic cannot be distinguished easily, and the difficulty for attackers to reconstruct and recover data increases. In addition, the data is transmitted along multiple paths by changing the routing path dynamically, which increases the difficulty for attackers to obtain complete communication data. Results show that the approach proposed in this paper effectively resists sniffing. Moreover, DHC is realized completely in software and is also transparent to terminals. A controller bottleneck usually occurs in a large scale DHC network. In future work, a distributed controller model will be applied to deal with the problem, and a feasible communication solution of DHC will be tested in a real network.

Appendix

Suppose there are $m$ nodes in network topology $G$. The attacker can sniff $n$ nodes, and the sniffed nodes constitute a sniffed node set $V^n_{\mathrm{sniff}}$ ($|V^n_{\mathrm{sniff}}| = n$, $n \le m$). Given the route hopping space $S^{H_1 \to H_2}_{\mathrm{RH}}$, there are $s$ nodes in the shortest path between source host $H_1$ and destination host $H_2$ ($s \le m$). $V_{\mathrm{cut}}$ is a vertex cut-set by which $G$ is cut into several connected subgraphs, and source forwarding node $\mathit{node}_{\mathrm{src}}$ and destination forwarding node $\mathit{node}_{\mathrm{dst}}$ are in different subgraphs. Suppose there are $Q^n_{\mathrm{src,dst}}$ sniffed node sets $V^n_{\mathrm{sniff}}$ satisfying $V^n_{\mathrm{sniff}} \supseteq V_{\mathrm{cut}}$. The proof that the probability of the attacker obtaining complete communication data in traditional network in one communication is not less than that in DHC, that is, $P_{\mathrm{traditional}} \ge P_{\mathrm{hop}}$, is shown below.

Proof. To verify that $P_{\mathrm{traditional}} \ge P_{\mathrm{hop}}$, we show that $P_{\mathrm{traditional}} - P_{\mathrm{hop}} \ge 0$.

Given $P_{\mathrm{traditional}} = (C^n_m - C^n_{m-s})/C^n_m$ and $P_{\mathrm{hop}} = (C^1_2 C^{n-1}_{m-2} + C^2_2 C^{n-2}_{m-2} + Q^n_{\mathrm{src,dst}})/C^n_m$, we have

$$P_{\mathrm{traditional}} - P_{\mathrm{hop}} = \frac{C^n_m - C^n_{m-s} - \left(C^1_2 C^{n-1}_{m-2} + C^2_2 C^{n-2}_{m-2} + Q^n_{\mathrm{src,dst}}\right)}{C^n_m}. \qquad (\mathrm{A.1})$$

Suppose the shortest path from $H_1$ to $H_2$ is $\mathit{path}^*$ ($\mathit{path}^* \in S^{H_1 \to H_2}_{\mathrm{RH}}$). If the complete communication data from source host to destination host can be sniffed on $V^n_{\mathrm{sniff}}$, then $\forall \mathit{path} \in S^{H_1 \to H_2}_{\mathrm{RH}}$, $V^n_{\mathrm{sniff}} \cap \mathit{Nodes}(\mathit{path}) \ne \emptyset$, where $\mathit{Nodes}(\mathit{path})$ represents the set of nodes that $\mathit{path}$ passes. Because $\mathit{path}^* \in S^{H_1 \to H_2}_{\mathrm{RH}}$, then $V^n_{\mathrm{sniff}} \cap \mathit{Nodes}(\mathit{path}^*) \ne \emptyset$; that is, $V^n_{\mathrm{sniff}}$ contains at least one node on the shortest path (Conclusion 1).

When $n = 1$, the attacker sniffs 1 node in the network. Then, based on (A.1), we have

$$P_{\mathrm{traditional}} - P_{\mathrm{hop}} = \frac{C^1_m - C^1_{m-s} - \left(C^1_2 C^0_{m-2} + Q^1_{\mathrm{src,dst}}\right)}{C^1_m}. \qquad (\mathrm{A.2})$$

In (A.2), the denominator $C^1_m > 0$, and the numerator is as follows:

$$C^1_m - C^1_{m-s} - \left(C^1_2 C^0_{m-2} + Q^1_{\mathrm{src,dst}}\right) = m - (m - s) - \left(2 + Q^1_{\mathrm{src,dst}}\right) = s - 2 - Q^1_{\mathrm{src,dst}}. \qquad (\mathrm{A.3})$$

By Conclusion 1, $V^1_{\mathrm{sniff}} \cap \mathit{Nodes}(\mathit{path}^*) \ne \emptyset$; that is, the sniffed node is on the shortest path. Among the $s$ nodes on the shortest path, the number of $V^1_{\mathrm{sniff}}$ which can divide the source node and the destination node into different connected subgraphs is not more than $s - 2$; that is, $Q^1_{\mathrm{src,dst}} \le s - 2$. So (A.3) $\ge 0$. The numerator of (A.2) is not less than 0; then in (A.2), $P_{\mathrm{traditional}} - P_{\mathrm{hop}} \ge 0$.

When $n \ge 2$, the attacker sniffs more than 1 node in the network. Then, based on (A.1), we have

$$P_{\mathrm{traditional}} - P_{\mathrm{hop}} = \frac{C^n_m - C^n_{m-s} - \left(C^1_2 C^{n-1}_{m-2} + C^2_2 C^{n-2}_{m-2} + Q^n_{\mathrm{src,dst}}\right)}{C^n_m}. \qquad (\mathrm{A.4})$$

In (A.4), the denominator $C^n_m > 0$, and the numerator is as follows:

$$\begin{aligned}
& C^n_m - C^n_{m-s} - \left(C^1_2 C^{n-1}_{m-2} + C^2_2 C^{n-2}_{m-2} + Q^n_{\mathrm{src,dst}}\right) \\
&= C^n_m - C^n_{m-s} - 2 C^{n-1}_{m-2} - C^{n-2}_{m-2} - Q^n_{\mathrm{src,dst}} \\
&= C^n_{m-2} - C^n_{m-s} - Q^n_{\mathrm{src,dst}}. \qquad (\mathrm{A.5})
\end{aligned}$$

The last step uses the identity $C^n_m = C^n_{m-2} + 2 C^{n-1}_{m-2} + C^{n-2}_{m-2}$, obtained by applying Pascal's rule twice.

According to the definition, $Q^n_{\mathrm{src,dst}}$ is the number of those $V^n_{\mathrm{sniff}}$ which can divide $\mathit{node}_{\mathrm{src}}$ and $\mathit{node}_{\mathrm{dst}}$ into different connected subgraphs, so $\mathit{node}_{\mathrm{src}}$ and $\mathit{node}_{\mathrm{dst}}$ do not belong to such $V^n_{\mathrm{sniff}}$. $C^n_{m-2}$ is the number of all $V^n_{\mathrm{sniff}}$ satisfying both $\mathit{node}_{\mathrm{src}} \notin V^n_{\mathrm{sniff}}$ and $\mathit{node}_{\mathrm{dst}} \notin V^n_{\mathrm{sniff}}$. $C^n_{m-2-(s-2)}$ is the number of those $V^n_{\mathrm{sniff}}$ satisfying $V^n_{\mathrm{sniff}} \cap \mathit{Nodes}(\mathit{path}^*) = \emptyset$. By Conclusion 1, the sets counted by $Q^n_{\mathrm{src,dst}}$ satisfy $V^n_{\mathrm{sniff}} \cap \mathit{Nodes}(\mathit{path}^*) \ne \emptyset$; then $Q^n_{\mathrm{src,dst}}$ is not more than $C^n_{m-2} - C^n_{m-2-(s-2)}$. So (A.5) $\ge 0$. The numerator of (A.4) is not less than 0; then in (A.4), $P_{\mathrm{traditional}} - P_{\mathrm{hop}} \ge 0$.

In conclusion, $P_{\mathrm{traditional}} - P_{\mathrm{hop}} \ge 0$; that is, $P_{\mathrm{traditional}} \ge P_{\mathrm{hop}}$.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work is supported by the National Natural Science Foundation of China (nos. 61379151, 61272489, 61302159, and 61401512), the National Cryptography Development Fund of China (no. MMJJ201301005), the National Basic Research Program of China (973) (Grants nos. 2012CB315901 and 2013CB329104), and the National Natural Science Foundation of China (Grants nos. 61309019 and 61372121).

References

[1] National Cyber Leap Year Summit 2009 Co-Chairs' Report, "Networking and information technology research and development," Tech. Rep., 2009.

[2] T. Cyberspace, Strategic Plan for the Federal Cybersecurity Research and Development Program, Executive Office of the President, National Science and Technology Council, Washington, DC, USA, 2011.

[3] S. Jajodia, A. K. Ghosh, V. Swarup, C. Wang, and X. S. Wang, Moving Target Defense: Creating Asymmetric Uncertainty for Cyber Threats, vol. 54, Springer Science & Business Media, New York, NY, USA, 2011.

[4] E. Al-Shaer, "Toward network configuration randomization for moving target defense," in Moving Target Defense, vol. 54 of Advances in Information Security, pp. 153–159, Springer, New York, NY, USA, 2011.

[5] P. Kampanakis, H. Perros, and T. Beyene, "SDN-based solutions for Moving Target Defense network protection," in Proceedings of the 15th IEEE International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM '14), pp. 1–6, Sydney, Australia, June 2014.

[6] M. Atighetchi, P. Pal, F. Webber, and C. Jones, "Adaptive use of network-centric mechanisms in cyber-defense," in Proceedings of the 6th IEEE International Symposium on Object-Oriented Real-Time Distributed Computing, pp. 183–192, Hokkaido, Japan, May 2003.

[7] J. H. Jafarian, E. Al-Shaer, and Q. Duan, "Openflow random host mutation: transparent moving target defense using software defined networking," in Proceedings of the 1st Workshop on Hot Topics in Software Defined Networks (HotSDN '12), pp. 127–132, ACM, Helsinki, Finland, August 2012.

[8] Q. Duan, E. Al-Shaer, and H. Jafarian, "Efficient Random Route Mutation considering flow and network constraints," in Proceedings of the IEEE Conference on Communications and Network Security (CNS '13), pp. 260–268, IEEE, National Harbor, Md, USA, October 2013.

[9] E. Al-Shaer, Q. Duan, and J. H. Jafarian, "Random host mutation for moving target defense," in Security and Privacy in Communication Networks, pp. 310–327, Springer, New York, NY, USA, 2013.

[10] G. Badishi, A. Herzberg, and I. Keidar, "Keeping denial-of-service attackers in the dark," IEEE Transactions on Dependable and Secure Computing, vol. 4, no. 3, pp. 191–204, 2007.

[11] H. Wang, Q. Jia, D. Fleck, W. Powell, F. Li, and A. Stavrou, "A moving target DDoS defense mechanism," Computer Communications, vol. 46, pp. 10–21, 2014.

[12] C.-Y. Hong, S. Kandula, R. Mahajan et al., "Achieving high utilization with software-driven WAN," ACM SIGCOMM Computer Communication Review, vol. 43, no. 3, pp. 15–26, 2013.

[13] N. McKeown, "Software-defined networking," INFOCOM Keynote Talk, vol. 17, no. 2, pp. 30–32, 2009.

[14] M. Carvalho and R. Ford, "Moving-target defenses for computer networks," IEEE Security & Privacy, vol. 12, no. 2, pp. 73–76, 2014.

[15] M. Sifalakis, S. Schmid, and D. Hutchison, "Network address hopping: a mechanism to enhance data protection for packet communications," in Proceedings of the IEEE International Conference on Communications (ICC '05), vol. 3, pp. 1518–1523, IEEE, Seoul, Republic of Korea, May 2005.

[16] M. Dunlop, S. Groat, W. Urbanski, R. Marchany, and J. Tront, "MT6D: a moving target IPv6 defense," in Proceedings of the Military Communications Conference (MILCOM '11), pp. 1321–1326, IEEE, Baltimore, Md, USA, November 2011.

[17] J. H. Jafarian, E. Al-Shaer, and Q. Duan, "An effective address mutation approach for disrupting reconnaissance attacks," IEEE Transactions on Information Forensics and Security, vol. 10, no. 12, pp. 2562–2577, 2015.

[18] J. H. H. Jafarian, E. Al-Shaer, and Q. Duan, "Spatio-temporal address mutation for proactive cyber agility against sophisticated attackers," in Proceedings of the 1st ACM Workshop on Moving Target Defense (MTD '14), pp. 69–78, Scottsdale, AZ, USA, November 2014.

[19] J. H. Jafarian, E. Al-Shaer, and Q. Duan, "Adversary-aware IP address randomization for proactive agility against sophisticated attackers," in Proceedings of the IEEE Conference on Computer Communications (INFOCOM '15), pp. 738–746, IEEE, April 2015.

[20] D. C. MacFarland and C. A. Shue, "The SDN shuffle: creating a moving-target defense using host-based software-defined networking," in Proceedings of the 2nd ACM Workshop on Moving Target Defense (MTD '15), pp. 37–41, ACM, Denver, Colo, USA, October 2015.

[21] J. Jafarian, E. Al-Shaer, and Q. Duan, "Formal approach for route agility against persistent attackers," in Computer Security—ESORICS 2013, J. Crampton, S. Jajodia, and K. Mayes, Eds., vol. 8134 of Lecture Notes in Computer Science, pp. 237–254, Springer, Berlin, Germany, 2013.

[22] S. Dolev and S. T. David, "SDN-based private interconnection," in Proceedings of the IEEE 13th International Symposium on Network Computing and Applications (NCA '14), 2014.

[23] F. Gillani, E. Al-Shaer, S. Lo, Q. Duan, M. H. Ammar, and E. W. Zegura, "Agile virtualized infrastructure to proactively defend against cyber attacks," in Proceedings of the IEEE Conference on Computer Communications (INFOCOM '15), pp. 729–737, Hong Kong, April-May 2015.

[24] D. Gkounis, V. Kotronis, and X. Dimitropoulos, "Towards defeating the crossfire attack using SDN," http://arxiv.org/abs/1412.2013.

[25] A. Studer and A. Perrig, "The coremelt attack," in Computer Security—ESORICS 2009, vol. 5789 of Lecture Notes in Computer Science, pp. 37–52, Springer, Berlin, Germany, 2009.

[26] B. Lantz, B. Heller, and N. McKeown, "A network in a laptop: rapid prototyping for software-defined networks," in Proceedings of the 9th ACM SIGCOMM Workshop on Hot Topics in Networks, ACM, October 2010.

[27] N. McKeown, T. Anderson, H. Balakrishnan et al., "OpenFlow: enabling innovation in campus networks," ACM SIGCOMM Computer Communication Review, vol. 38, no. 2, pp. 69–74, 2008.

[28] M. McCauley, "About pox," 2013, http://www.github.com/noxrepo/pox.

[29] S. De Maesschalck, D. Colle, I. Lievens et al., "Pan-European optical transport networks: an availability-based comparison," Photonic Network Communications, vol. 5, no. 3, pp. 203–225, 2003.

[30] A. Dixit, F. Hao, S. Mukherjee, T. V. Lakshman, and R. Kompella, "Towards an elastic distributed SDN controller," ACM SIGCOMM Computer Communication Review, vol. 43, no. 4, pp. 7–12, 2013.


Input: $(\mathit{Path}_1, \ldots, \mathit{Path}_u)$, $(w_1, \ldots, w_u)$, $\mathit{RandNum}$
Output: $\mathit{Path}$
WeightedRandomPathSelect($(\mathit{Path}_1, \ldots, \mathit{Path}_u)$, $(w_1, \ldots, w_u)$, $\mathit{RandNum}$)
(1) sum = 0
(2) for $i$ in $(1, 2, \ldots, u)$
(3)     new_sum ← sum + $w_i$
(4)     if sum < $\mathit{RandNum}$ ≤ new_sum
(5)         return $\mathit{Path}_i$
(6)     else sum = new_sum

Algorithm 1: Weighted random path selection algorithm.

However, traffic may be forwarded unevenly by the nodes, which means there is a possibility that a large amount of traffic is forwarded by one single node. In this case, if attackers sniff on this specific node, a large amount of communication data will be obtained easily. The reason is that paths in $S^{H_1 \to H_2}_{\mathrm{RH}}$ intersect. Fortunately, this threat can be eliminated in DHC by using weighted random path selection.

For a node, we define $C^{H_1 \to H_2}(\mathit{node})$ as the number of paths in route hopping space $S^{H_1 \to H_2}_{\mathrm{RH}}$ that pass through $\mathit{node}$. For a node set $\mathit{set}$, we define $C^{H_1 \to H_2}(\mathit{set}) = \{C^{H_1 \to H_2}(\mathit{node}) \mid \mathit{node} \in \mathit{set}\}$. Suppose that for one connection between hosts $H_1$ and $H_2$ there is $\mathit{Path}_k \in S^{H_1 \to H_2}_{\mathrm{RH}}$; $d(\mathit{Path}_k)$ denotes the node set that contains the nodes left after the common nodes (e.g., the source forwarding node and the destination forwarding node), through which all paths in $S^{H_1 \to H_2}_{\mathrm{RH}}$ pass, are deleted. The weight of $\mathit{Path}_k$ is defined as

$$\mathit{Weight}(\mathit{Path}_k) = \frac{1 / \mathrm{Max}\left(C^{H_1 \to H_2}(d(\mathit{Path}_k))\right)}{\sum_{\mathit{Path}_i \in S^{H_1 \to H_2}_{\mathrm{RH}}} \left(1 / \mathrm{Max}\left(C^{H_1 \to H_2}(d(\mathit{Path}_i))\right)\right)} \qquad (2)$$

where the function $\mathrm{Max}$ gets the maximum value in $C^{H_1 \to H_2}(\mathit{set})$. By using the weighting function above, lower weight is assigned to paths with nodes that more paths cross. Therefore, the chance that excessive traffic passes through one single node (except the common nodes of all paths) in the network due to intersection is eliminated.

The weighted random path selection algorithm is shown in Algorithm 1. The probability of one path being chosen is set as the weight of the path. The inputs of the algorithm include the paths $(\mathit{Path}_1, \ldots, \mathit{Path}_u)$ in route hopping space $S^{H_1 \to H_2}_{\mathrm{RH}}$, the corresponding weights $(w_1, \ldots, w_u)$, and a random number $\mathit{RandNum} \in [0, 1]$. In the algorithm, weights are accumulated for each path in steps 2 to 6. The path corresponding to the weight is returned when the sum of accumulated weights is bigger than or equal to the random number $\mathit{RandNum}$.
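Equation (2) and Algorithm 1 implemented together, as an added example rather than the paper's controller code. The route hopping space is constructed: the paths $(S_1, S_2, S_5)$ and $(S_1, S_3, S_4, S_5)$ follow Figure 1, and a third path through a hypothetical switch $S_6$ is added so that two paths share $S_3$. The treatment of a path whose $d(\mathit{Path})$ is empty and of $\mathit{RandNum} = 0$ (which lies in no half-open interval of Algorithm 1) are assumptions noted in the comments.

```python
from fractions import Fraction
import random

# Constructed route hopping space S_RH^{H1->H2} between source switch S1 and
# destination switch S5. S6 is a hypothetical extra switch, not in the paper's
# Figure 1. Each path is a tuple of forwarding nodes in order.
ROUTE_HOPPING_SPACE = [
    ("S1", "S2", "S5"),
    ("S1", "S3", "S4", "S5"),
    ("S1", "S3", "S6", "S5"),
]


def path_counts(space):
    """C^{H1->H2}(node): number of paths in the space that pass through node."""
    counts = {}
    for path in space:
        for node in path:
            counts[node] = counts.get(node, 0) + 1
    return counts


def common_nodes(space):
    """Nodes shared by every path (e.g. the source and destination forwarding nodes)."""
    return set.intersection(*(set(p) for p in space))


def path_weights(space):
    """Equation (2): 1 / Max(C over d(Path_k)), normalised over all paths.
    Assumption (not stated in the paper): a path with an empty d(Path), i.e. the
    only path in the space, is given Max = 1 so that its weight becomes 1."""
    counts, common = path_counts(space), common_nodes(space)
    inverse_max = []
    for path in space:
        d_path = [node for node in path if node not in common]
        worst = max((counts[n] for n in d_path), default=1)
        inverse_max.append(Fraction(1, worst))
    total = sum(inverse_max)
    return [w / total for w in inverse_max]


def weighted_random_path_select(paths, weights, rand_num):
    """Algorithm 1: accumulate the weights and return the path whose interval
    (sum, new_sum] contains rand_num. rand_num == 0 lies in no half-open interval,
    so it is mapped to the first path (assumption); rounding that leaves rand_num
    above the final sum is mapped to the last path."""
    running = Fraction(0)
    for path, w in zip(paths, weights):
        new_sum = running + w
        if running < rand_num <= new_sum:
            return path
        running = new_sum
    return paths[0] if rand_num == 0 else paths[-1]


def node_load(space, weights):
    """Expected share of the connection's traffic that each node forwards."""
    load = {}
    for path, w in zip(space, weights):
        for node in path:
            load[node] = load.get(node, 0) + w
    return load


if __name__ == "__main__":
    weights = path_weights(ROUTE_HOPPING_SPACE)
    print("weights:", [str(w) for w in weights])
    uniform = [Fraction(1, len(ROUTE_HOPPING_SPACE))] * len(ROUTE_HOPPING_SPACE)
    print("S3 share, uniform:", node_load(ROUTE_HOPPING_SPACE, uniform)["S3"],
          "weighted:", node_load(ROUTE_HOPPING_SPACE, weights)["S3"])
    rng = random.Random(7)                   # seeded only for a repeatable demo
    picks = {}
    for _ in range(10000):
        chosen = weighted_random_path_select(ROUTE_HOPPING_SPACE, weights,
                                             Fraction(rng.random()))
        picks[chosen] = picks.get(chosen, 0) + 1
    print("empirical picks:", picks)
```

With uniform selection, $S_3$ would carry two thirds of the connection's traffic; with the weights of (2) the share of every non-common node is at most one half, which is the levelling effect the text describes. The sampling loop in the main block lets the empirical pick frequencies be compared with the computed weights.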

4.3. DHC Protocol. In DHC, for each period $T_{\mathrm{hop}}$, one hopping end $\mathit{hEI}$ and one path from source to destination $\mathit{Path}$ are randomly chosen. New flow entries are generated by the controller and installed in the OF switches. The end of packets from the source host is modified to $\mathit{hEI}$, and these packets are transmitted to the destination host along $\mathit{Path}$. Thus, double hopping of end and route with period $T_{\mathrm{hop}}$ as granularity is realized.

4.3.1. Double Hopping. The basic protocol of DHC is illustrated in Figure 1. It is a network with SDN architecture in which host $H_1$ communicates with $H_2$. Denote the end hopping space as $S_{\mathrm{EH}}$ and the route hopping space of the communication as $S^{H_1 \to H_2}_{\mathrm{RH}}$. Firstly, the initial end $\mathit{rEI} = (\mathrm{IP}_1, P_1, \mathrm{IP}_2, P_2)$ is generated by $H_1$ according to the real IP addresses and ports of the two communication sides; then the address of the communication is determined.

Detailed steps of double hopping are as follows.

(1) The first packet containing $\mathit{rEI}$ is sent to the network by $H_1$. OF switch $S_1$ receives the packet and encapsulates it as a packet-in message. Then the packet-in message is sent to the controller.

(2) The packet-in message is decapsulated by the controller and $\mathit{rEI}$ is extracted. Then hopping end $\mathit{hEI}_1 = (\mathrm{IP}'_1, P'_1, \mathrm{IP}'_2, P'_2)$ is selected randomly in $S_{\mathrm{EH}}$. Route hopping space $S^{H_1 \to H_2}_{\mathrm{RH}}$ is calculated by the controller, and $\mathit{Path}_1 = (S_1, S_2, S_5)$ is chosen using the weighted random path selection algorithm. With the knowledge of $\mathit{hEI}_1$ and $\mathit{Path}_1$, the controller generates flow entries, encapsulates them as modify-state messages, and sends them to OF switches $S_1$, $S_2$, and $S_5$. Corresponding modification and routing of the packets are conducted.

(3) Ends $(\mathrm{IP}_1, P_1, \mathrm{IP}_2, P_2)$ in the packets are modified to $(\mathrm{IP}'_1, P'_1, \mathrm{IP}'_2, P'_2)$ by source switch $S_1$, and the modified packets are forwarded to OF switch $S_2$, then to destination switch $S_5$.

(4) Ends $(\mathrm{IP}'_1, P'_1, \mathrm{IP}'_2, P'_2)$ in the packets are recovered to $\mathit{rEI}$ and forwarded to host $H_2$ by destination switch $S_5$. Then $H_2$ receives the packets from $H_1$.

In this communication, the hopping end is recalculated by the controller after a hopping period $T_{\mathrm{hop}}$ and is represented as $\mathit{hEI}_2 = (\mathrm{IP}''_1, P''_1, \mathrm{IP}''_2, P''_2)$, as shown in Figure 1. A new path, denoted as $\mathit{Path}_2 = (S_1, S_3, S_4, S_5)$, is selected in $S^{H_1 \to H_2}_{\mathrm{RH}}$ using the weighted random path selection algorithm. Then the flow entries in the OF switches are updated. Source switch $S_1$ modifies the end in the packets sent from $H_1$ to $H_2$ to $\mathit{hEI}_2$ and forwards the modified packets along $\mathit{Path}_2$. In destination switch $S_5$, the end of these packets is recovered to the real end $(\mathrm{IP}_1, P_1, \mathrm{IP}_2, P_2)$.

Figure 1: An example of double hopping communication (controller; host $H_1$ with real address $(\mathrm{IP}_1, P_1)$ and host $H_2$ with $(\mathrm{IP}_2, P_2)$; OF switches $S_1$ to $S_5$; packets carry $(\mathrm{IP}_1, P_1, \mathrm{IP}_2, P_2)$ between each host and its switch, $(\mathrm{IP}'_1, P'_1, \mathrm{IP}'_2, P'_2)$ along $\mathit{Path}_1$, and $(\mathrm{IP}''_1, P''_1, \mathrm{IP}''_2, P''_2)$ along $\mathit{Path}_2$; steps 1 to 4 are marked).

Figure 2: An example of flow entries update (OF switches $S_1$ to $S_7$; ends $\mathit{rEI}$, $\mathit{hEI}_1$, and $\mathit{hEI}_2$).

The procedure described above does not modify the real end on either host. Instead, it modifies the end and routing path of the communication packets dynamically during network transmission. The source and destination hosts achieve hopping communication transparently in the network, without interrupting the ongoing communication. Once the packets of the communication between $H_1$ and $H_2$ enter the network, the end of the packets and the routing path are hopped over time. For each hopping period $T_{\mathrm{hop}}$, the hopping end and route are reconfigured by the controller. The communication is considered finished when the controller detects, via flow-removed messages sent by the switches, that the flow entries have not been hit in a hopping period; thus the flow entries will not be updated any more.

4.3.2. Flow Entries Update. Flow entries in OF switches need to be updated when the end and route are hopped in DHC. Moreover, it should be guaranteed that the flow entries update is consistent and that no packet is lost. Suppose that hopping communication is conducted in the network topology shown in Figure 2. Assume that the end is currently being hopped by switch $S_1$ (the end changes from $rEI$ to $hEI_1$) and the packets are being transmitted along path $(S_1, S_2, S_3, S_4, S_5)$. In this circumstance, to hop the end of the packets from $rEI$ to $hEI_2$ and to hop the routing path from $(S_1, S_2, S_3, S_4, S_5)$ to $(S_1, S_2, S_6, S_7, S_4, S_5)$, the steps of updating the flow entries are as follows.

(1) The controller sends modify-state messages to install new flow entries in switches $S_2, S_6, S_7, S_4, S_5$ for forwarding the packets with end $hEI_2$. At this time, the new flow entries will not be hit by packets, because there are no packets in the network that carry the end $hEI_2$.

(2) The controller sends modify-state messages to modify the flow entry in switch $S_1$, so that the end of the packets is converted from $rEI$ to $hEI_2$.

(3) The controller sends modify-state messages to delete the old flow entries in switches $S_2, S_3, S_4, S_5$ after the maximum transmission delay of path $(S_1, S_2, S_3, S_4, S_5)$ has elapsed.

The method of updating the flow entries described above guarantees that traffic is routed by the old flow entries during the update, avoiding packet loss. In addition, traffic is routed by the updated flow entries after the update, maintaining per-packet consistency.
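The end rewriting of Section 4.3.1 and the three-step update above, as an added example that is not part of DhcFlower or the paper: a tick-based simulation of the Figure 2 switches, with constructed end values and a one-hop-per-tick delay model, that checks no packet is dropped and each packet follows exactly one path, and contrasts this with deleting the old entries immediately.

```python
from dataclasses import dataclass, field

# Constructed values for the example: the real end rEI and two hopping ends.
R_EI = ("10.0.0.1", 40000, "10.0.0.2", 80)
H_EI1 = ("172.16.3.9", 51234, "172.16.77.2", 6001)
H_EI2 = ("172.16.120.4", 7001, "172.16.5.5", 30333)
PATH1 = ["S1", "S2", "S3", "S4", "S5"]         # old path of Figure 2
PATH2 = ["S1", "S2", "S6", "S7", "S4", "S5"]   # new path of Figure 2
SWITCHES = ["S1", "S2", "S3", "S4", "S5", "S6", "S7"]


@dataclass
class Packet:
    seq: int
    end: tuple
    at: str                                  # switch holding the packet
    trace: list = field(default_factory=list)


class Network:
    """Flow table per switch: match end -> (end to write or None, next hop).
    One tick forwards every in-flight packet by one hop (assumed delay model)."""

    def __init__(self):
        self.tables = {s: {} for s in SWITCHES}
        self.seen = {s: set() for s in SWITCHES}   # ends a sniffer on s sees
        self.in_flight, self.delivered, self.dropped = [], [], []
        self.seq = 0

    def send(self):
        """H1 hands a packet carrying the real end to source switch S1."""
        self.seq += 1
        self.in_flight.append(Packet(self.seq, R_EI, "S1"))

    def tick(self):
        still = []
        for p in self.in_flight:
            self.seen[p.at].add(p.end)           # end visible on the wire here
            entry = self.tables[p.at].get(p.end)
            if entry is None:                    # table miss: packet is lost
                self.dropped.append(p)
                continue
            new_end, nxt = entry
            p.trace.append(p.at)
            if new_end is not None:
                p.end = new_end
            if nxt == "H2":
                self.delivered.append(p)
            else:
                p.at = nxt
                still.append(p)
        self.in_flight = still


def path_entries(h_ei, path):
    """Entries carrying hopping end h_ei along path: the source switch
    rewrites rEI -> h_ei, the destination switch recovers h_ei -> rEI."""
    entries = [(path[0], R_EI, (h_ei, path[1]))]
    for sw, nxt in zip(path[1:-1], path[2:]):
        entries.append((sw, h_ei, (None, nxt)))
    entries.append((path[-1], h_ei, (R_EI, "H2")))
    return entries


def hop(net, old_h, old_path, new_h, new_path, safe=True):
    """Steps (1)-(3) of Section 4.3.2. Returns the old entries to delete
    and the number of ticks to wait; safe=False deletes them at once."""
    new, old = path_entries(new_h, new_path), path_entries(old_h, old_path)
    for sw, match, action in new[1:]:            # (1) new entries, not yet hit
        net.tables[sw][match] = action
    sw, match, action = new[0]                   # (2) source switch now
    net.tables[sw][match] = action               #     rewrites rEI to new end
    delay = len(old_path) - 1 if safe else 0     # (3) drain the old path first
    return [(sw, match) for sw, match, _ in old[1:]], delay


def simulate(safe=True, hop_at=3, sent=12):
    """One packet per tick from H1; at tick hop_at the controller hops from
    (hEI1, PATH1) to (hEI2, PATH2). Returns the network after draining."""
    net = Network()
    for sw, match, action in path_entries(H_EI1, PATH1):
        net.tables[sw][match] = action
    pending = None                               # (tick, old entries)
    for t in range(sent + 8):
        if t < sent:
            net.send()
        if t == hop_at:
            old, delay = hop(net, H_EI1, PATH1, H_EI2, PATH2, safe)
            pending = (t + delay, old)
        if pending and t == pending[0]:
            for sw, match in pending[1]:
                net.tables[sw].pop(match, None)
            pending = None
        net.tick()
    return net


def consistent(net):
    """Per-packet consistency: each delivered packet followed exactly one
    of the two paths end to end and reached H2 with the real end restored."""
    return all(p.trace in (PATH1, PATH2) and p.end == R_EI
               for p in net.delivered)
```

With the ordered update every packet is delivered and `seen["S4"]` holds both hopping ends, which is the multiple-ends effect measured in Section 5.2.1; with `safe=False` the three packets in flight on the old path are lost.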

5. Prototype Deployment and Simulation Experiment

5.1. Prototype Deployment. To verify the performance and security of DHC, DhcFlower, a prototype based on an SDN controller, is implemented. As shown in Figure 3, DhcFlower runs on top of the SDN controller, which manages the switches through OpenFlow.

In the prototype deployment of DHC, TopologyDiscovery reports changes of the network topology and updates the view of the network. FlowMonitor monitors the flow state of the network to detect the initiation and termination of connections. Based on the view and flow state of the network, DhcFlower chooses the ends and routing paths used to convert the network configuration.

The detailed structure of DhcFlower is shown in Figure 4. TopologyDiscovery updates the topology database TopologyInfo with changes of the network topology. Using the network topology information, the hopping path calculator calculates multiple paths for each pair of nodes and stores the hopping path information in the hopping path pool. Hopping ends are stored in the hopping end pool. With the hopping end pool and hopping path pool, the double hopping engine, as the core module, chooses the hopping end and path based on flow state information. Afterwards, hopping strategies are generated. The flow updater generates flow entries based on the hopping strategies and updates the flow tables in a specific order.

5.2. Simulation Experiment. To evaluate DHC, we have operated our implemented prototype over Mininet [26]. OpenFlow 1.0 [27] is applied and POX [28] is used as the controller. A class B address block is chosen as the hopping IP address pool, and the hopping port pool is denoted as $\{0, 1, \ldots, 65535\}$. The network

[Figure 3: DHC prototype deployment. DhcFlower, TopologyDiscovery and FlowMonitor run on the controller, which manages the OF switches through OpenFlow.]

[Figure 4: Makeup of DhcFlower. Controller modules: TopologyDiscovery, TopologyInfo, FlowMonitor, hopping path calculator, hopping path pool, hopping end pool, double hopping engine, flow updater, flow entries.]

topology proposed by [29] is applied, which has 16 (forwarding) nodes, as illustrated in Figure 5. The maximum path length $L$ is set to 32.

5.2.1. Validation of the Effectiveness of End Hopping. UDP packets from the terminal on node 1 are sent to the terminal on node 16 for 500 s. Packets are sniffed on the forwarding nodes, and the number of ends received on each node is counted. The sniffing results in DHC and in the traditional network are shown in Figure 6.

As demonstrated in Figure 6, on some forwarding nodes in the traditional network, such as nodes 4, 7, 8, and 12, only one end can be sniffed. However, in DHC, apart from the source and destination forwarding nodes, multiple ends can be sniffed on the other forwarding nodes. Because the end of the packets is invariant in traditional networks, the sniffed end stays unchanged, which is convenient for attackers: an attacker can launch a targeted sniffer against any connection and obtain the complete communication data of that connection.

In DHC, the end changes randomly and periodically. The ends sniffed on forwarding nodes between the source and destination hosts vary. It is difficult for attackers to determine which ends belong to the same connection, increasing the difficulty of reconstructing the communication data. Moreover, the more frequently ends hop, the more ends will be sniffed on the forwarding nodes. It can be seen in Figure 6 that more ends are sniffed when $T_{hop} = 5$ s than when $T_{hop} = 10$ s. In addition, fewer ends can be sniffed on forwarding node 9 than on other nodes, as can be seen in the figure. The reason is that fewer paths pass through forwarding node 9 than through other nodes, so the probability of it being hit by weighted random selection is lower.

5.2.2. Validation of the Effectiveness of Route Hopping. In the experiment, $10^6$ packets are transmitted from node 5 to node 6 at a rate of $10^4$ packets per second. The hopping period $T_{hop}$ is set to 5 s. Packets are sniffed on the forwarding nodes, and the number of packets sniffed

[Figure 5: Network topology applied in the experiment (forwarding nodes 1 to 16).]

[Figure 6: Number of ends sniffed from a single flow. x-axis: forwarding node (2 to 15); y-axis: the number of sniffed ends (0 to 90); series: traditional network, DHC with $T_{hop} = 10$ s, DHC with $T_{hop} = 5$ s.]

is counted. In the DHC network, random path selection and weighted random path selection are applied to conduct hopping communication. The sniffing results are compared with traditional network communication, as shown in Figure 7.

In Figure 7, the vertical coordinate stands for the fraction of all the packets transmitted from node 5 to node 6. As we can see, in the traditional network the complete communication data from source host to destination host can be sniffed on some nodes (e.g., nodes 6, 11, and 12), which means that attackers can sniff the complete data on any of these nodes, and further data analysis is possible. Since shortest-path routing is applied in the traditional network and the path stays unchanged during the communication, the complete communication data

[Figure 7: Percentage of packets sniffed from a single flow. x-axis: forwarding node (1 to 15); y-axis: fraction of the transmitted packets (0 to 1); series: DHC with random path selection, DHC with weighted path selection, traditional network.]

can be obtained on any node that the shortest path goes through. In DHC, the packets of a connection are distributed over several paths by route hopping, so it is difficult for attackers to sniff the complete data on a single forwarding node. The possibility of sniffing a large amount of data on certain nodes exists if random path selection is applied: as shown in Figure 7, more than 50% of the data can be sniffed on forwarding nodes 4, 8, and 12. Applying weighted random path selection avoids excessive traffic passing through certain nodes, because a lower weight is assigned to paths containing nodes that more paths cross.

5.2.3. Validation of the Effectiveness of Antisniffer Attack. In the experiment, 100 MB of data were transmitted from node 1 to node 16 over 500 s. The hopping period $T_{hop}$ is set to 5 s. Data is sniffed on the node sets $A_1 = \{8\}$, $A_2 = \{8, 9\}$, $A_3 = \{8, 9, 10\}$, and $A_4 = \{8, 9, 10, 11\}$, respectively. The shortest path from node 1 to node 16 is $1 \to 4 \to 7 \to 8 \to 12 \to 16$. The percentage of data sniffed on node sets $A_1$, $A_2$, $A_3$, and $A_4$ is presented in Figure 8.

As illustrated in Figure 8, the complete communication data can be sniffed on all sniffed node sets $A_1$, $A_2$, $A_3$, and $A_4$ in the traditional network, since they all contain node 8 on the shortest path, where the complete data can be sniffed. However, in DHC the complete data cannot be obtained from node sets $A_1$, $A_2$, and $A_3$, since route hopping is applied. The percentage of data sniffed on $A_1$ and $A_2$ is the same, because traffic that passes through $A_2$ also passes through $A_1$. Only $A_4$ can sniff the complete communication data in DHC. However, the ends of the data are diverse because of end hopping. We consider packets with the same end to be static data that attackers can obtain. The static data that attackers can obtain in hopping communication is far less than that in the traditional network.

[Figure 8: Percentage of data that can be sniffed by attackers. x-axis: the sniffed set ($A_1$ to $A_4$); y-axis: fraction of sniffed data (0 to 1.0); series: the sniffed data in DHC, the sniffed static data in the traditional network, the sniffed static data in DHC.]

[Figure 9: Performance of forwarding in DHC. x-axis: the amount of data transmitted (1 to 1000 MB); y-axis: data transmission time (0 to 1400 s); series: traditional network, DHC with $T_{hop} = 10$ s, DHC with $T_{hop} = 5$ s.]

5.2.4. Performance of DHC. In the experiment, the bandwidth of all links in the network topology is set to 10 Mb/s. Data is transmitted from the terminal on node 1 to the terminal on node 16 using the File Transfer Protocol (FTP). The time for data transmission in both DHC and the traditional network is recorded. The results are shown in Figure 9.

As can be seen in Figure 9, the time consumed by data transmission in DHC increased in comparison with the traditional network. The reason is that multiple paths from source to destination are selected, including longer paths, whereas the data is routed along the shortest path in the traditional network. Therefore, the transmission time in DHC is longer than that in the traditional network, but the increase is less than 7% when $T_{hop} = 5$ s in the experiment. Routing path hopping of a connection results in a small number of out-of-order packets at the receiving end when a new period starts, which then causes retransmission. Therefore, the more frequently the flow entries are updated, the more likely retransmission happens. We can also see from Figure 9 that more time is consumed to transmit data when $T_{hop} = 5$ s than when $T_{hop} = 10$ s.

6. Analysis

In DHC, each hopping connection needs to occupy hopping ends in every period. In Section 6.1, the number of hopping connections that can be supported in a DHC network, that is, the hopping network capacity, is analyzed. DHC makes it difficult for attackers to obtain complete data and to reconstruct data; therefore, communication security is improved. The obtaining and reconstruction of communication data are discussed in Sections 6.2 and 6.3. The unpredictability and the cost of DHC are analyzed in Sections 6.4 and 6.5, respectively.

6.1. Capacity of Hopping Network. Suppose the sizes of the hopping IP address pool and port pool are $|Addr|$ and $|Port|$, respectively. The number of all ends $(IP_{src}, P_{src}, IP_{dst}, P_{dst})$ is $|Addr|^2 \times |Port|^2$, and the number of ends with $IP_{src} = IP_{dst}$ is $|Addr| \times |Port|^2$. According to the definition of an end, valid ends require $IP_{src} \neq IP_{dst}$, so the size of the valid end hopping space $S_{EH}$ can be calculated by

$$|S_{EH}| = |Addr|^2 \times |Port|^2 - |Addr| \times |Port|^2. \quad (3)$$

In DHC, end hopping is performed in both directions of one connection, which means that at any moment one connection needs two ends. Assuming $t$ hopping connections exist simultaneously in the network, $2t$ ends will be needed, so $|S_{EH}| - 2t$ ends are left. To ensure high randomness in hopping end selection, enough unoccupied hopping ends in $S_{EH}$ are necessary. Suppose the maximum occupancy rate of the end hopping space $S_{EH}$ is $\alpha$, that is, there are at least $(1 - \alpha)|S_{EH}|$ ends unoccupied. Then inequality (4) holds:

$$(1 - \alpha)|S_{EH}| \le |S_{EH}| - 2t, \qquad t \le \frac{1}{2}\alpha|S_{EH}|. \quad (4)$$

Therefore, the maximum number of hopping connections allowed in DHC is $(1/2)\alpha|S_{EH}|$; that is, the capacity of the hopping network is $(1/2)\alpha|S_{EH}|$.

Combining (3) and inequality (4), the following inequality can be obtained:

$$t \le \frac{1}{2}\alpha\left(|Addr|^2 \times |Port|^2 - |Addr| \times |Port|^2\right). \quad (5)$$

Assume $|Port| = 2^{16}$, $|Addr| = 2^{16}$ (the hopping IP address pool is a class B address block), and $\alpha = 0.8$. Then DHC can support $7.37 \times 10^{18}$ connections hopping simultaneously.

6.2. Analysis of Complete Communication Data Obtaining by Attackers. We hypothesize that attackers can sniff part of the forwarding nodes in the network at random. Suppose the network topology $G = \langle V, E \rangle$ is an undirected connected graph, where $V$ is the set of forwarding nodes and $E$ is the set of links. $V$ contains $m$ forwarding nodes, and attackers can randomly sniff $n$ of them simultaneously ($n \le m$). The sniffed node set consisting of these sniffed forwarding nodes is denoted as $V^n_{sniff}$, with $V^n_{sniff} \subseteq V$ and $|V^n_{sniff}| = n$. Source host $host_{src}$ communicates with destination host $host_{dst}$. The source and destination forwarding nodes are denoted as $node_{src}$ and $node_{dst}$, respectively. Assume there are $s$ nodes on the shortest path between $host_{src}$ and $host_{dst}$ ($1 \le s \le m$), which constitute the node set $U_s$. In the traditional network, if $V^n_{sniff} \cap U_s \neq \emptyset$, the complete communication data between $host_{src}$ and $host_{dst}$ can be obtained by attackers; if $V^n_{sniff} \cap U_s = \emptyset$, no communication data can be sniffed. The probability of attackers obtaining the complete communication data in the traditional network can be calculated by (6), where $C^n_m$ is the number of all $V^n_{sniff}$ and $C^n_{m-s}$ is the number of $V^n_{sniff}$ with $V^n_{sniff} \cap U_s = \emptyset$, so that $C^n_m - C^n_{m-s}$ is the number of $V^n_{sniff}$ with $V^n_{sniff} \cap U_s \neq \emptyset$:

$$P_{traditional} = \frac{C^n_m - C^n_{m-s}}{C^n_m}. \quad (6)$$

In DHC, attackers can sniff the complete data between $host_{src}$ and $host_{dst}$ if $node_{src} \in V^n_{sniff}$ or $node_{dst} \in V^n_{sniff}$. The number of such $V^n_{sniff}$ is $C^1_2 C^{n-1}_{m-2} + C^2_2 C^{n-2}_{m-2}$. In the other cases, if $node_{src} \notin V^n_{sniff}$ and $node_{dst} \notin V^n_{sniff}$, to sniff the complete data one vertex cut-set $V_{cut}$ must be contained in $V^n_{sniff}$, and $node_{src}$ and $node_{dst}$ must be separated by $V_{cut}$ into different connected subgraphs; that is, $V^n_{sniff} \supseteq V_{cut}$ exists, where $G$ is cut by $V_{cut}$ into $k$ connected subgraphs $G_1, G_2, \ldots, G_k$, and $node_{src} \in G_i$, $node_{dst} \in G_j$, $1 \le i, j \le k$, and $i \neq j$ hold. Suppose there exist $Q^n_{src,dst}$ sniffed node sets $V^n_{sniff}$ containing such a $V_{cut}$ in this case. Then the probability of attackers obtaining the complete data between $host_{src}$ and $host_{dst}$ can be calculated by

$$P_{hop} = \frac{C^1_2 C^{n-1}_{m-2} + C^2_2 C^{n-2}_{m-2} + Q^n_{src,dst}}{C^n_m}. \quad (7)$$

Proposition 1. The probability of attackers obtaining the complete data of one communication in the traditional network is not less than that in DHC; that is, $P_{traditional} \ge P_{hop}$.

The proof of this proposition is given in the Appendix. In the network topology shown in Figure 5, suppose a host on node 1 communicates with a host on node 16. The shortest path from node 1 to node 16 contains 6 nodes. Attackers can sniff $n$ nodes randomly ($1 \le n \le 16$). The probabilities of attackers obtaining the complete data in the traditional network and in the DHC network are shown in Figure 10.

As can be seen from Figure 10, the probability of attackers obtaining the complete data increases as the number of sniffed nodes increases, in both the traditional and the DHC network, but $P_{hop} \le P_{traditional}$ always holds. The probability of attackers obtaining the complete data is 1 in both the traditional and the DHC network when the number of sniffed nodes is more than 10. Although the probability of attackers sniffing the complete data

[Figure 10: Probability of obtaining complete data. x-axis: the number of monitored nodes (1 to 16); y-axis: the probability of obtaining complete communication data (0 to 1); series: DHC, traditional network.]

increases in the DHC network when a large number of forwarding nodes are sniffed, attackers obtain more irrelevant data. Since the end hops constantly during a communication, attackers cannot easily pick out the traffic that belongs to the target from the sniffed data, which increases the difficulty for attackers to reconstruct and recover the communication data.

6.3. Analysis of Communication Data Reconstruction for Attackers. Reconstruction of communication data requires the complete data of the communication. In this section, assume attackers can sniff the complete data of the communication between the source and destination hosts. In the traditional network, attackers can deduce the positions of both communicating sides and the upper layer protocol from the IP addresses and ports of the sniffed packets. Useless packets can be eliminated based on the end, and the target communication data can be obtained. However, in the DHC network no real end of the source and destination hosts can be sniffed by attackers if the source and destination forwarding nodes are not sniffed. The data of a communication is distributed over various flows that attackers are not able to distinguish. Suppose that there are $f_{sniff}$ flows in the sniffed data, among which $f_{real}$ flows contain the data of the target connection ($f_{real} \le f_{sniff}$), and different ends are applied in different connections. There are $C^h_{f_{sniff}}$ combinations when attackers randomly choose $h$ flows from the $f_{sniff}$ flows. Attackers can reconstruct the communication data properly with only one combination, that is, $C^{f_{real}}_{f_{real}} = 1$.

Given that attackers select several flows randomly in a single attempt to reconstruct the communication data, the probability of reconstructing the data properly can be calculated with

$$P_{once} = \frac{C^{f_{real}}_{f_{real}}}{C^1_{f_{sniff}} + C^2_{f_{sniff}} + \cdots + C^{f_{sniff}}_{f_{sniff}}} = \frac{1}{2^{f_{sniff}} - 1}. \quad (8)$$

As shown in (8), the probability of attackers reconstructing the data successfully in a single attempt decreases exponentially with

Table 1: Comparison of packet transmission time between traditional network and DHC network.

Approach    | Average cost of packet transmission time | Period of flow update | Routing path
Traditional | $t \times l_s$                           | Infinite              | The shortest path from source to destination
DHC         | $t \times l_a$                           | $T_{hop}$             | Multiple paths from source to destination

the increase in the number of flows sniffed. The more data is sniffed, the more difficult successful data reconstruction becomes. Since attackers cannot easily determine the timing of the target communication due to end hopping, a longer sniffing time is needed to obtain the complete communication data. Therefore, a large amount of irrelevant data is obtained, increasing the difficulty of data reconstruction. Given $f_{sniff} = 100$ and $f_{real} = 10$, the probability of attackers reconstructing the data correctly by selecting several flows randomly in one attempt would be $7.89 \times 10^{-31}$.

6.4. Analysis of Unpredictability. Since the end and route hop randomly in DHC (detailed in Section 4.3), the end and route used in the next period cannot be predicted precisely. Even under the condition that the DHC protocol, the end hopping space, and the route hopping space are exposed, DHC can still increase the cost of sniffer attackers and resist sniffer attacks. Suppose that an attacker with all the information above sniffs the DHC network for a target communication; then she will face the following difficulties in launching a sniffer attack. Firstly, even though the DHC protocol is transparent to the attacker, a targeted sniffer attack cannot be launched, thanks to the randomness of end and route hopping. Secondly, it is hard for the attacker to get the complete communication data during sniffing, due to the periodic hopping of the route. Thirdly, the attacker will get a large number of ends because of frequent end hopping, which prevents the attacker from extracting the right packets belonging to the target communication when she/he attempts to recover the communication data. So the unpredictability of DHC guarantees that it can resist sniffer attack even when the DHC protocol and network information are exposed.

6.5. Analysis of Cost. Under traditional routing schemes, the packets are routed along the shortest path. However, in the DHC network packets may be routed along longer paths due to the dynamic changing of the route. Therefore, the cost in packet transmission time is higher in DHC. Let $l_s$ denote the length (the length of a routing path is measured in hops) of the shortest path between source and destination, $l_a$ the average length of the paths in the route hopping space ($l_s \le l_a$), and $T_{hop}$ the hopping period; then the cost in packet transmission time is shown in Table 1. Moreover, random selection of the route is conducted periodically by the routing path hop of a communication, which results in a small number of out-of-order packets at the receiving end when a new period starts, leaving no obstacle to normal communication.

Ends and routing paths must be selected in DHC when flow entries are generated, which is more complicated than in the traditional network. Therefore, the time cost of generating flow entries is higher in DHC. Since the average path is longer in

[Figure 11: Comparison of the average time cost of flow entry installation in DHC and the traditional network. x-axis: different node pairs (1→16, 3→11, 4→14, 5→12); y-axis: average time overhead (0 to 0.25 ms); series: time of flow setup in DHC, time of flow generation in DHC, time of flow setup in the traditional network, time of flow generation in the traditional network.]

DHC, more flow entries are installed for one communication compared with the traditional network. Thus, the time cost for flow entry setup is higher in DHC as well. In Figure 11, the average time cost for installing flow entries between different node pairs in the topology of Figure 5 is compared for DHC and the traditional network. As illustrated in Figure 11, the average time for flow entry generation and setup in DHC is longer than that in the traditional network.

In the network without DHC, flow entries are installed only once at the beginning of a communication, while in DHC the flow entries of the data plane are updated periodically and hopping ends and paths have to be allocated for every connection between two communicating sides, which places more load on the controller. In the experiment topology, 50 pairs of source and destination hosts are chosen randomly and communication between each pair is started. The CPU utilization of DHC and the traditional network is compared in Figure 12. If the controller does not run DHC, the load is low, because the flow entries are not periodically updated; therefore the CPU utilization is under 10%, as shown in Figure 12. If a controller runs DHC, the load increases due to the periodic updating of flow entries. It can be seen in the figure that the CPU utilization is much higher when the controller runs DHC. When $T_{hop} = 5$ s the CPU utilization is between 20% and 40%, and when $T_{hop} = 10$ s the CPU utilization is between 10% and 30%. The shorter hopping period requires more controller operations, so when $T_{hop} = 5$ s the CPU utilization of the controller is higher than when $T_{hop} = 10$ s. The controller will be the bottleneck when DHC

[Figure 12: CPU utilization of the controller. x-axis: run time (10 to 100 s); y-axis: CPU utilization (0 to 60%); series: no DHC, DHC with $T_{hop} = 10$ s, DHC with $T_{hop} = 5$ s.]

is used in a large-scale network. Fortunately, a distributed SDN controller [30] is a solution to this problem.

In the traditional network, flows are matched only by destination address, so the length of the routing tables is of order $O(m)$ for a network of $m$ nodes. However, flows are matched by ends (including source/destination addresses and ports) in DHC, meaning that two flows must be specified for every connection (TCP or UDP) between two communicating sides. Let $\lambda$ denote the average rate of connection establishment and $w$ the duration of each connection; then the mean length of the flow tables is of order $O(m\lambda w)$ [7]. Moreover, to avoid packet loss, DHC requires both old and new flow entries to be in the flow table simultaneously for a brief period of time, during which the cost of flow table space increases. Therefore, the cost of flow table space is higher in DHC.

7. Conclusion

The centralized control and programmability of SDN make hopping communication easier to realize and deploy. In this paper, end hopping and route hopping are combined, and double hopping communication based on SDN is proposed. The end is changed dynamically in DHC, so that the data from multiple users is mixed and communication traffic can be hidden in background traffic. Thus, traffic cannot be distinguished easily, and the difficulty for attackers to reconstruct and recover data increases. In addition, the data is transmitted along multiple paths by changing the routing path dynamically, which increases the difficulty for attackers to obtain the complete communication data. Results show that the approach proposed in this paper provides effective antisniffer protection. Moreover, DHC is realized completely in software and is transparent to terminals. A controller bottleneck usually occurs in a large-scale DHC network. In future work, a distributed controller model will be applied to deal with this problem, and a feasible communication solution of DHC will be tested in a real network.

Appendix

Suppose there are $m$ nodes in the network topology $G$. The attacker can sniff $n$ nodes, and the sniffed nodes constitute a sniffed node set $V^n_{sniff}$ ($|V^n_{sniff}| = n$, $n \le m$). Given the route hopping space $S_{RH}^{H_1 \to H_2}$, there are $s$ nodes on the shortest path between source host $H_1$ and destination host $H_2$ ($s \le m$). $V_{cut}$ is a vertex cut-set by which $G$ is cut into several connected subgraphs such that the source forwarding node $node_{src}$ and the destination forwarding node $node_{dst}$ are in different subgraphs. Suppose there are $Q^n_{src,dst}$ sniffed node sets $V^n_{sniff}$ satisfying $V^n_{sniff} \supseteq V_{cut}$. The proof that the probability of the attacker obtaining the complete communication data of one communication in the traditional network is not less than that in DHC, that is, $P_{traditional} \ge P_{hop}$, is shown below.

Proof. To verify that $P_{traditional} \ge P_{hop}$, we show that $P_{traditional} - P_{hop} \ge 0$.

Given $P_{traditional} = (C^n_m - C^n_{m-s})/C^n_m$ and $P_{hop} = (C^1_2 C^{n-1}_{m-2} + C^2_2 C^{n-2}_{m-2} + Q^n_{src,dst})/C^n_m$, we have

$$P_{traditional} - P_{hop} = \frac{C^n_m - C^n_{m-s} - \left(C^1_2 C^{n-1}_{m-2} + C^2_2 C^{n-2}_{m-2} + Q^n_{src,dst}\right)}{C^n_m}. \quad (A.1)$$

Suppose the shortest path from $H_1$ to $H_2$ is $path^*$ ($path^* \in S_{RH}^{H_1 \to H_2}$). If the complete communication data from the source host to the destination host can be sniffed on $V^n_{sniff}$, then $\forall path \in S_{RH}^{H_1 \to H_2}$, $V^n_{sniff} \cap Nodes(path) \neq \emptyset$, where $Nodes(path)$ represents the set of nodes that $path$ passes through. Because $path^* \in S_{RH}^{H_1 \to H_2}$, $V^n_{sniff} \cap Nodes(path^*) \neq \emptyset$; that is, $V^n_{sniff}$ contains at least one node on the shortest path (Conclusion 1).

When $n = 1$, the attacker sniffs 1 node in the network. Then, based on (A.1), we have

$$P_{traditional} - P_{hop} = \frac{C^1_m - C^1_{m-s} - \left(C^1_2 C^0_{m-2} + Q^1_{src,dst}\right)}{C^1_m}. \quad (A.2)$$

In (A.2), the denominator $C^1_m > 0$ and the numerator is as follows:

$$C^1_m - C^1_{m-s} - \left(C^1_2 C^0_{m-2} + Q^1_{src,dst}\right) = m - (m - s) - \left(2 + Q^1_{src,dst}\right) = s - 2 - Q^1_{src,dst}. \quad (A.3)$$

By Conclusion 1, $V^1_{sniff} \cap Nodes(path^*) \neq \emptyset$; that is, the sniffed node is on the shortest path. Among the $s$ nodes on the shortest path, the number of $V^1_{sniff}$ which can divide the source node and the destination node into different connected subgraphs is not more than $s - 2$; that is, $Q^1_{src,dst} \le s - 2$. So

(A.3) $\ge 0$ is obtained. The numerator of (A.2) is not less than 0, so in (A.2) $P_{traditional} - P_{hop} \ge 0$.

When $n \ge 2$, the attacker sniffs more than 1 node in the network. Then, based on (A.1), we have

$$P_{traditional} - P_{hop} = \frac{C^n_m - C^n_{m-s} - \left(C^1_2 C^{n-1}_{m-2} + C^2_2 C^{n-2}_{m-2} + Q^n_{src,dst}\right)}{C^n_m}. \quad (A.4)$$

In (A.4), the denominator $C^n_m > 0$ and the numerator is as follows:

$$\begin{aligned}
& C^n_m - C^n_{m-s} - \left(C^1_2 C^{n-1}_{m-2} + C^2_2 C^{n-2}_{m-2} + Q^n_{src,dst}\right) \\
&= C^n_m - C^n_{m-s} - 2C^{n-1}_{m-2} - C^{n-2}_{m-2} - Q^n_{src,dst} \\
&= C^n_{m-2} - C^n_{m-s} - Q^n_{src,dst}.
\end{aligned} \quad (A.5)$$

According to the definition, $Q^n_{\text{src},\text{dst}}$ is the number of those $V^n_{\text{sniff}}$ which can divide $node_{\text{src}}$ and $node_{\text{dst}}$ into different connected subgraphs, so $node_{\text{src}}$ and $node_{\text{dst}}$ do not belong to such $V^n_{\text{sniff}}$. $C^n_{m-2}$ is the number of all $V^n_{\text{sniff}}$ satisfying both $node_{\text{src}} \notin V^n_{\text{sniff}}$ and $node_{\text{dst}} \notin V^n_{\text{sniff}}$. $C^n_{m-2-(s-2)}$ is the number of $V^n_{\text{sniff}}$ satisfying $V^n_{\text{sniff}} \cap Nodes(path^{*}) = \emptyset$. By Conclusion 1, a $V^n_{\text{sniff}}$ with $V^n_{\text{sniff}} \cap Nodes(path^{*}) = \emptyset$ cannot divide $node_{\text{src}}$ and $node_{\text{dst}}$; then $Q^n_{\text{src},\text{dst}}$ is not more than $C^n_{m-2} - C^n_{m-2-(s-2)}$. So (A5) $\ge 0$ can be got.

The numerator of (A4) is not less than 0; then in (A4), $P_{\text{traditional}} - P_{\text{hop}} \ge 0$.

In conclusion, $P_{\text{traditional}} - P_{\text{hop}} \ge 0$; that is, $P_{\text{traditional}} \ge P_{\text{hop}}$.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work is supported by the National Natural Science Foundation of China (nos. 61379151, 61272489, 61302159, and 61401512) and The National Cryptography Development Fund of China (no. MMJJ201301005), The National Basic Research Program of China (973) (Grants nos. 2012CB315901 and 2013CB329104), and The National Natural Science Foundation of China (Grants nos. 61309019 and 61372121).

References

[1] National Cyber Leap Year Summit 2009 Co-Chairs' Report, "Networking and information technology research and development," Tech. Rep., 2009.

[2] Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development Program, Executive Office of the President, National Science and Technology Council, Washington, DC, USA, 2011.

[3] S. Jajodia, A. K. Ghosh, V. Swarup, C. Wang, and X. S. Wang, Moving Target Defense: Creating Asymmetric Uncertainty for Cyber Threats, vol. 54, Springer Science & Business Media, New York, NY, USA, 2011.

[4] E. Al-Shaer, "Toward network configuration randomization for moving target defense," in Moving Target Defense, vol. 54 of Advances in Information Security, pp. 153–159, Springer, New York, NY, USA, 2011.

[5] P. Kampanakis, H. Perros, and T. Beyene, "SDN-based solutions for Moving Target Defense network protection," in Proceedings of the 15th IEEE International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM '14), pp. 1–6, Sydney, Australia, June 2014.

[6] M. Atighetchi, P. Pal, F. Webber, and C. Jones, "Adaptive use of network-centric mechanisms in cyber-defense," in Proceedings of the 6th IEEE International Symposium on Object-Oriented Real-Time Distributed Computing, pp. 183–192, Hokkaido, Japan, May 2003.

[7] J. H. Jafarian, E. Al-Shaer, and Q. Duan, "Openflow random host mutation: transparent moving target defense using software defined networking," in Proceedings of the 1st Workshop on Hot Topics in Software Defined Networks (HotSDN '12), pp. 127–132, ACM, Helsinki, Finland, August 2012.

[8] Q. Duan, E. Al-Shaer, and H. Jafarian, "Efficient Random Route Mutation considering flow and network constraints," in Proceedings of the IEEE Conference on Communications and Network Security (CNS '13), pp. 260–268, IEEE, National Harbor, Md, USA, October 2013.

[9] E. Al-Shaer, Q. Duan, and J. H. Jafarian, "Random host mutation for moving target defense," in Security and Privacy in Communication Networks, pp. 310–327, Springer, New York, NY, USA, 2013.

[10] G. Badishi, A. Herzberg, and I. Keidar, "Keeping denial-of-service attackers in the dark," IEEE Transactions on Dependable and Secure Computing, vol. 4, no. 3, pp. 191–204, 2007.

[11] H. Wang, Q. Jia, D. Fleck, W. Powell, F. Li, and A. Stavrou, "A moving target DDoS defense mechanism," Computer Communications, vol. 46, pp. 10–21, 2014.

[12] C.-Y. Hong, S. Kandula, R. Mahajan et al., "Achieving high utilization with software-driven WAN," ACM SIGCOMM Computer Communication Review, vol. 43, no. 3, pp. 15–26, 2013.

[13] N. McKeown, "Software-defined networking," INFOCOM Keynote Talk, vol. 17, no. 2, pp. 30–32, 2009.

[14] M. Carvalho and R. Ford, "Moving-target defenses for computer networks," IEEE Security & Privacy, vol. 12, no. 2, pp. 73–76, 2014.

[15] M. Sifalakis, S. Schmid, and D. Hutchison, "Network address hopping: a mechanism to enhance data protection for packet communications," in Proceedings of the IEEE International Conference on Communications (ICC '05), vol. 3, pp. 1518–1523, IEEE, Seoul, Republic of Korea, May 2005.

[16] M. Dunlop, S. Groat, W. Urbanski, R. Marchany, and J. Tront, "MT6D: a moving target IPv6 defense," in Proceedings of the Military Communications Conference (MILCOM '11), pp. 1321–1326, IEEE, Baltimore, Md, USA, November 2011.

[17] J. H. Jafarian, E. Al-Shaer, and Q. Duan, "An effective address mutation approach for disrupting reconnaissance attacks," IEEE Transactions on Information Forensics and Security, vol. 10, no. 12, pp. 2562–2577, 2015.

[18] J. H. H. Jafarian, E. Al-Shaer, and Q. Duan, "Spatio-temporal address mutation for proactive cyber agility against sophisticated attackers," in Proceedings of the 1st ACM Workshop on Moving Target Defense (MTD '14), pp. 69–78, Scottsdale, AZ, USA, November 2014.


[19] J. H. Jafarian, E. Al-Shaer, and Q. Duan, "Adversary-aware IP address randomization for proactive agility against sophisticated attackers," in Proceedings of the IEEE Conference on Computer Communications (INFOCOM '15), pp. 738–746, IEEE, April 2015.

[20] D. C. MacFarland and C. A. Shue, "The SDN shuffle: creating a moving-target defense using host-based software-defined networking," in Proceedings of the 2nd ACM Workshop on Moving Target Defense (MTD '15), pp. 37–41, ACM, Denver, Colo, USA, October 2015.

[21] J. Jafarian, E. Al-Shaer, and Q. Duan, "Formal approach for route agility against persistent attackers," in Computer Security – ESORICS 2013, J. Crampton, S. Jajodia, and K. Mayes, Eds., vol. 8134 of Lecture Notes in Computer Science, pp. 237–254, Springer, Berlin, Germany, 2013.

[22] S. Dolev and S. T. David, "SDN-based private interconnection," in Proceedings of the IEEE 13th International Symposium on Network Computing and Applications (NCA '14), 2014.

[23] F. Gillani, E. Al-Shaer, S. Lo, Q. Duan, M. H. Ammar, and E. W. Zegura, "Agile virtualized infrastructure to proactively defend against cyber attacks," in Proceedings of the IEEE Conference on Computer Communications (INFOCOM '15), pp. 729–737, Hong Kong, April–May 2015.

[24] D. Gkounis, V. Kotronis, and X. Dimitropoulos, "Towards defeating the crossfire attack using SDN," http://arxiv.org/abs/1412.2013.

[25] A. Studer and A. Perrig, "The coremelt attack," in Computer Security – ESORICS 2009, vol. 5789 of Lecture Notes in Computer Science, pp. 37–52, Springer, Berlin, Germany, 2009.

[26] B. Lantz, B. Heller, and N. McKeown, "A network in a laptop: rapid prototyping for software-defined networks," in Proceedings of the 9th ACM SIGCOMM Workshop on Hot Topics in Networks, ACM, October 2010.

[27] N. McKeown, T. Anderson, H. Balakrishnan et al., "OpenFlow: enabling innovation in campus networks," ACM SIGCOMM Computer Communication Review, vol. 38, no. 2, pp. 69–74, 2008.

[28] M. McCauley, "About pox," 2013, http://www.github.com/noxrepo/pox.

[29] S. De Maesschalck, D. Colle, I. Lievens et al., "Pan-European optical transport networks: an availability-based comparison," Photonic Network Communications, vol. 5, no. 3, pp. 203–225, 2003.

[30] A. Dixit, F. Hao, S. Mukherjee, T. V. Lakshman, and R. Kompella, "Towards an elastic distributed SDN controller," ACM SIGCOMM Computer Communication Review, vol. 43, no. 4, pp. 7–12, 2013.


Figure 1: An example of double hopping communication. [Figure: a controller and switches S1 to S5; host H1 with (IP1, P1) and host H2 with (IP2, P2); the real end (IP1, P1, IP2, P2) is rewritten inside the network to the hopping ends (IP′1, P′1, IP′2, P′2) and (IP″1, P″1, IP″2, P″2).]

Figure 2: An example of flow entries update. [Figure: switches S1 to S7; ends rEI, hEI1, and hEI2.]

forwards the modified packets along $Path_2$. In the destination switch $S_5$, the end of these packets is recovered to the real end $(IP_1, P_1, IP_2, P_2)$.

The procedure described above does not modify the real end on either host. Instead, it modifies the end and the routing path of the communication packets dynamically during network transmission. The source and destination hosts can achieve hopping communication transparently in the network without interrupting the ongoing communication. Once the packets of the communication between $H_1$ and $H_2$ enter the network, the end of the packets and the routing path are hopped with time. For each hopping period $T_{\text{hop}}$, the hopping end and route will be reconfigured by the controller. The communication will be considered finished when the controller detects that the flow entries are not hit in a hopping period, via flow-removed messages sent by the switches. Thus, flow entries will not be updated.

4.3.2. Flow Entries Update. Flow entries in OF switches need to be updated when the end and route are hopped in DHC. Moreover, it should be guaranteed that the flow entries update is consistent and no packet is lost. Suppose that hopping communication is conducted in the network topology shown in Figure 2. Assume that the end is currently being hopped by switch $S_1$, the end changes from $rEI$ to $hEI_1$, and the packets are being transmitted along path $(S_1, S_2, S_3, S_4, S_5)$. In this circumstance, to hop the end of the packets from $rEI$ to $hEI_2$ and to hop the routing path from $(S_1, S_2, S_3, S_4, S_5)$ to $(S_1, S_2, S_6, S_7, S_4, S_5)$, the steps of updating flow entries are as follows:

(1) The controller sends modify-state messages to install new flow entries in switches $S_2, S_6, S_7, S_4, S_5$ for forwarding the packets with end $hEI_2$. At this time, the new flow entries will not be hit by packets, because there are no packets in the network that contain the end $hEI_2$.

(2) The controller sends modify-state messages to modify the flow entry in switch $S_1$; thus the end of packets is converted from $rEI$ to $hEI_2$.

(3) The controller sends modify-state messages to delete the old flow entries in switches $S_2, S_3, S_4, S_5$ after the maximum transmission delay of path $(S_1, S_2, S_3, S_4, S_5)$ is reached.

The method to update the flow entries described above can guarantee that the traffic is routed by the old flow entries during the update, avoiding packet loss. In addition, traffic is routed by the updated flow entries after the update, maintaining per-packet consistency.
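The three-step update above, simulated on a toy data plane as an added example (not DhcFlower's code): the switch names, the ends rEI, hEI1 and hEI2, and the two paths follow Figure 2, while the one-hop-per-tick timing, HOP_TICK and the naive variant used for comparison are assumptions of this example.

```python
from collections import defaultdict

# Switch names, ends and paths follow Figure 2; the one-hop-per-tick timing,
# HOP_TICK and the naive variant are assumptions of this example.
OLD_PATH = ["S1", "S2", "S3", "S4", "S5"]
NEW_PATH = ["S1", "S2", "S6", "S7", "S4", "S5"]
REAL_END, OLD_HOP_END, NEW_HOP_END = "rEI", "hEI1", "hEI2"
HOP_TICK = 4          # tick at which the controller starts the hop


class Network:
    """Toy data plane: flow tables keyed by (switch, matched end), one hop per tick."""

    def __init__(self):
        self.tables = defaultdict(dict)      # switch -> {end: (action, arg)}
        self.in_flight = []                  # [switch, end, pkt_id]
        self.delivered, self.dropped = [], []
        self.trace = defaultdict(list)       # pkt_id -> switches visited

    def set_ingress(self, path, hop_end):
        """Ingress switch rewrites the real end to hop_end and forwards (step 2)."""
        self.tables[path[0]][REAL_END] = ("rewrite", (hop_end, path[1]))

    def install_transit(self, path, hop_end):
        """Transit entries match the hopping end; the egress restores rEI (step 1)."""
        for cur, nxt in zip(path[1:-1], path[2:]):
            self.tables[cur][hop_end] = ("forward", nxt)
        self.tables[path[-1]][hop_end] = ("deliver", REAL_END)

    def delete_transit(self, path, hop_end):
        """Remove the old entries from every switch after the ingress (step 3)."""
        for sw in path[1:]:
            self.tables[sw].pop(hop_end, None)

    def inject(self, pkt_id):
        self.in_flight.append([OLD_PATH[0], REAL_END, pkt_id])

    def tick(self):
        still = []
        for sw, end, pid in self.in_flight:
            self.trace[pid].append(sw)
            entry = self.tables[sw].get(end)
            if entry is None:                # table miss: the packet is lost
                self.dropped.append(pid)
                continue
            action, arg = entry
            if action == "rewrite":
                still.append([arg[1], arg[0], pid])
            elif action == "forward":
                still.append([arg, end, pid])
            else:
                self.delivered.append(pid)
        self.in_flight = still


def run(ordered_update, n_pkts=12, ticks=24):
    """Send n_pkts packets (one per tick) while the controller hops at HOP_TICK.

    ordered_update=True performs the three steps of Section 4.3.2; False deletes the
    old entries at the same moment the ingress is modified (a naive update).
    Returns (delivered ids, dropped ids, per-packet switch traces).
    """
    net = Network()
    net.install_transit(OLD_PATH, OLD_HOP_END)
    net.set_ingress(OLD_PATH, OLD_HOP_END)
    old_max_delay = len(OLD_PATH) - 1            # ticks from S1 to delivery at S5
    for t in range(ticks):
        if t < n_pkts:
            net.inject(t)
        if t == HOP_TICK:
            net.install_transit(NEW_PATH, NEW_HOP_END)   # step 1: nothing hits these yet
            net.set_ingress(NEW_PATH, NEW_HOP_END)       # step 2: S1 now emits hEI2
            if not ordered_update:
                net.delete_transit(OLD_PATH, OLD_HOP_END)
        if ordered_update and t == HOP_TICK + old_max_delay:
            net.delete_transit(OLD_PATH, OLD_HOP_END)    # step 3: old path drained
        net.tick()
    return net.delivered, net.dropped, dict(net.trace)


if __name__ == "__main__":
    for ordered in (True, False):
        delivered, dropped, _ = run(ordered)
        print(f"ordered={ordered}: delivered={len(delivered)} dropped={dropped}")
```

With the ordered update every packet is delivered and each one traverses exactly one of the two paths; the naive variant loses the packets that were in flight on the old path when its entries were removed.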

5. Prototype Deployment and Simulation Experiment

5.1. Prototype Deployment. To verify the performance and security of DHC, DhcFlower, a prototype based on an SDN controller, is implemented. As shown in Figure 3, DhcFlower runs on top of the SDN controller, which manages switches through OpenFlow.

In the prototype deployment of DHC, TopologyDiscovery reports the changes of the network topology and updates the view of the network. FlowMonitor monitors the flow state of the network to find the initiation and termination of connections. Based on the view and flow state of the network, DhcFlower chooses the ends and routing paths to convert network configurations.

The detailed structure of DhcFlower is shown in Figure 4. TopologyDiscovery updates the topology database TopologyInfo with the changes of the network topology. Using the network topology information, the hopping path calculator calculates multiple paths for each pair of nodes and stores the hopping path information in the hopping path pool. Hopping ends are stored in the hopping end pool. With the hopping end pool and the hopping path pool, the double hopping engine, as the core module, chooses the hopping end and path based on flow state information. Afterwards, strategies of hopping are generated. The flow updater generates flow entries based on the hopping strategies and updates the flow tables in a specific order.

5.2. Simulation Experiment. To evaluate DHC, we have operated our implemented prototype over Mininet [26]. OpenFlow 1.0 [27] is applied and POX [28] is used as the controller. A class B address block is chosen as the hopping IP address pool, and the hopping port pool is denoted as $\{0, 1, \ldots, 65535\}$. The network topology proposed by [29] is applied, which has 16 nodes (forwarding nodes), as illustrated in Figure 5. The maximum path length $L$ is set to 32.

Figure 3: DHC prototype deployment. [Figure: DhcFlower, TopologyDiscovery, and FlowMonitor on the controller, which manages the OF switches through OpenFlow.]

Figure 4: Makeup of DhcFlower. [Figure: the double hopping engine, hopping path calculator, hopping path pool, hopping end pool, flow updater, and topology info inside DhcFlower, with interfaces to TopologyDiscovery, FlowMonitor, and the flow entries of the controller.]

5.2.1. Validation of the Effectiveness of End Hopping. UDP packets from the terminal on node 1 are sent to the terminal on node 16 for 500 s. Packets are sniffed on the forwarding nodes, and the number of ends received on each node is counted. The sniffing results in DHC and in the traditional network are shown in Figure 6.

As demonstrated in Figure 6, on some forwarding nodes in the traditional network, such as nodes 4, 7, 8, and 12, only one end is able to be sniffed. However, in DHC, apart from the source and destination forwarding nodes, multiple ends can be sniffed on the other forwarding nodes. Because the packets' end is invariant in traditional networks, the end that is sniffed stays unchanged, which brings convenience for attackers. Attackers can launch a targeted sniffer on any connection and obtain the complete communication data of the connection.

In DHC, the end changes randomly and periodically. The ends sniffed on forwarding nodes between the source and destination hosts are various. It is difficult for attackers to determine the ends from the same connection, increasing the difficulty in reconstructing the communication data. Moreover, the more frequently ends hop, the more ends will be sniffed on forwarding nodes. It can be seen in Figure 6 that more ends are sniffed when $T_{\text{hop}} = 5$ s compared with $T_{\text{hop}} = 10$ s. In addition, fewer ends can be sniffed on forwarding node 9 than on other nodes, as can be seen in the figure. The reason is that fewer paths pass through forwarding node 9 than through other nodes; thus the probability of being hit by weighted random selection is lower.

5.2.2. Validation of the Effectiveness of Route Hopping. In the experiment, $10^6$ packets are transmitted from node 5 to node 6 at a speed of $10^4$ packets per second. The hopping period $T_{\text{hop}}$ is set to 5 s. Packets are sniffed on the forwarding nodes, and the number of packets sniffed is counted. In the DHC network, random path selection and weighted random path selection are applied to conduct hopping communication. The sniffing results are compared with traditional network communication, as shown in Figure 7.

Figure 5: Network topology applied in the experiment. [Figure: 16 forwarding nodes numbered 1 to 16.]

Figure 6: Number of ends sniffed from single flow. [Figure: x-axis, forwarding node 2 to 15; y-axis, the number of sniffed ends, 0 to 90; series: traditional network, DHC with $T_{\text{hop}} = 10$ s, and DHC with $T_{\text{hop}} = 5$ s.]

In Figure 7, the vertical coordinate stands for the fraction of all the packets transmitted from node 5 to node 6. As we can see, in the traditional network, complete communication data from the source host to the destination host can be sniffed on some nodes (e.g., nodes 6, 11, and 12), which means that attackers can sniff complete data on any of these nodes, and further data analysis is possible. Since shortest-path routing is applied in the traditional network and the path stays unchanged during communication, the complete communication data can be obtained on any node that the shortest path goes through. In DHC, packets of a connection are distributed to several paths by route hopping. It is difficult for attackers to sniff complete data on a single forwarding node. The possibility of sniffing a large amount of data on certain nodes exists if random path selection is applied. As shown in Figure 7, more than 50% of the data can be sniffed on forwarding nodes 4, 8, and 12. Applying weighted random path selection can avoid excessive traffic passing through certain nodes. The reason is that a lower weight is assigned to paths with nodes that more paths cross.

Figure 7: Percentage of packets sniffed from single flow. [Figure: x-axis, forwarding node 1 to 15; y-axis, fraction of the transmitted packets, 0 to 1; series: DHC with random path selection, DHC with weighted path selection, and traditional network.]

5.2.3. Validation of Effectiveness of Antisniffer Attack. In the experiment, 100 MB of data was transmitted from node 1 to node 16 for 500 s. The hopping period $T_{\text{hop}}$ is set to 5 s. Data is sniffed on node sets $A_1 = \{8\}$, $A_2 = \{8, 9\}$, $A_3 = \{8, 9, 10\}$, and $A_4 = \{8, 9, 10, 11\}$, respectively. The shortest path from node 1 to node 16 is $1 \to 4 \to 7 \to 8 \to 12 \to 16$. The percentage of data sniffed on node sets $A_1$, $A_2$, $A_3$, and $A_4$ is presented in Figure 8.

As illustrated in Figure 8, complete communication data can be sniffed on all sniffed node sets $A_1$, $A_2$, $A_3$, and $A_4$ in the traditional network, since they all contain node 8 on the shortest path, on which complete data can be sniffed. However, in DHC, complete data cannot be obtained from node sets $A_1$, $A_2$, and $A_3$, since route hopping is applied. The percentage of data sniffed on $A_1$ and $A_2$ is the same because traffic that passes through $A_2$ also passes through $A_1$. Only $A_4$ can sniff the complete communication data in DHC. However, the ends of the data are diverse because of end hopping. We consider that packets with the same end are static data that attackers can obtain. The static data that attackers can obtain in hopping communication is far less than that in the traditional network.

Figure 8: Percentage of data that can be sniffed by attackers. [Figure: x-axis, the sniffed set $A_1$ to $A_4$; y-axis, fraction of sniffed data, 0 to 1.0; series: the sniffed data in DHC, the sniffed static data in the traditional network, and the sniffed static data in DHC.]

Figure 9: Performance of forwarding in DHC. [Figure: x-axis, the amount of data transmitted (MB): 1, 10, 100, 200, 500, 1000; y-axis, data transmission time (s), 0 to 1400; series: traditional network, DHC with $T_{\text{hop}} = 10$ s, and DHC with $T_{\text{hop}} = 5$ s.]

5.2.4. Performance of DHC. In the experiment, the bandwidth of all links in the network topology is set to 10 Mb/s. Data is transmitted from the terminal on node 1 to the terminal on node 16 using the File Transfer Protocol (FTP). The time for data transmission in both DHC and the traditional network is recorded. The results are shown in Figure 9.

As can be seen in Figure 9, the time consumption of data transmission in DHC increased in comparison with the traditional network. The reason is that multiple paths from source to destination are selected, including longer paths. On the contrary, the data is routed by the shortest path in the traditional network. Therefore, the transmission time in DHC is longer than that in the traditional network. But the increase is less than 7% when $T_{\text{hop}} = 5$ s in the experiment. Routing path hopping of a connection results in a small amount of disordered packets at the receiving end when a new period starts. Then retransmission is caused. Therefore, the more frequently the flow entries are updated, the more likely retransmission happens. We can also see from Figure 9 that a longer time will be consumed to transmit data when $T_{\text{hop}} = 5$ s compared with $T_{\text{hop}} = 10$ s.

6. Analysis

In DHC, each hopping connection needs to occupy hopping ends in every period. In Section 6.1, the number of hopping connections that can be supported in a DHC network, that is, the hopping network capacity, is analyzed. DHC brings difficulty for attackers to obtain complete data and to reconstruct data. Therefore, communication security is improved. The obtaining and reconstruction of communication data are discussed in Sections 6.2 and 6.3. The unpredictability and the cost of DHC are analyzed in Sections 6.4 and 6.5, respectively.

6.1. Capacity of Hopping Network. Suppose the sizes of the hopping IP address pool and the port pool are $|Addr|$ and $|Port|$, respectively. The number of all the ends $(IP_{\text{src}}, P_{\text{src}}, IP_{\text{dst}}, P_{\text{dst}})$ is $|Addr|^2 \times |Port|^2$, and the number of the ends with $IP_{\text{src}} = IP_{\text{dst}}$ is $|Addr| \times |Port|^2$. According to the definition of end, valid ends require $IP_{\text{src}} \neq IP_{\text{dst}}$, so the size of the valid end hopping space $S_{\text{EH}}$ can be calculated by

$$|S_{\text{EH}}| = |Addr|^2 \times |Port|^2 - |Addr| \times |Port|^2. \tag{3}$$

In DHC, end hopping is performed in both directions of one connection, which means that at any moment one connection needs two ends. Assuming $t$ hopping connections exist simultaneously in the network, $2t$ ends will be needed, so $|S_{\text{EH}}| - 2t$ ends are left. To ensure high randomness in hopping end selection, enough unoccupied hopping ends in $S_{\text{EH}}$ are necessary. Suppose the maximum occupancy rate of the end hopping space $S_{\text{EH}}$ is $\alpha$; that is, there are at least $(1-\alpha)|S_{\text{EH}}|$ ends unoccupied. Then inequality (4) holds:

$$(1-\alpha)\,|S_{\text{EH}}| \le |S_{\text{EH}}| - 2t, \qquad t \le \frac{1}{2}\alpha\,|S_{\text{EH}}|. \tag{4}$$

Therefore, the maximum number of hopping connections allowed in DHC is $(1/2)\alpha|S_{\text{EH}}|$; that is, the capacity of the hopping network is $(1/2)\alpha|S_{\text{EH}}|$.

Combining (3) and inequality (4), the following inequality can be obtained:

$$t \le \frac{1}{2}\alpha\left(|Addr|^2 \times |Port|^2 - |Addr| \times |Port|^2\right). \tag{5}$$

Assume $|Port| = 2^{16}$, $|Addr| = 2^{16}$ (the hopping IP address pool is a class B address block), and $\alpha = 0.8$. DHC can support $7.37 \times 10^{18}$ connections hopping simultaneously.

6.2. Analysis of Complete Communication Data Obtaining by Attackers. We hypothesize that attackers can sniff part of the forwarding nodes in the network randomly. Suppose the network topology $G = \langle V, E \rangle$ is an undirected connected graph, where $V$ is the set of forwarding nodes and $E$ is the set of links. $V$ contains $m$ forwarding nodes, and attackers can randomly sniff $n$ of them simultaneously ($n \le m$). The sniffed node set consisting of these sniffed forwarding nodes is denoted as $V^n_{\text{sniff}}$, with $V^n_{\text{sniff}} \subseteq V$ and $|V^n_{\text{sniff}}| = n$.

Source host $host_{\text{src}}$ communicates with destination host $host_{\text{dst}}$. The source and destination forwarding nodes are denoted as $node_{\text{src}}$ and $node_{\text{dst}}$, respectively. Assume there are $s$ nodes on the shortest path between $host_{\text{src}}$ and $host_{\text{dst}}$ ($1 \le s \le m$), which constitute the node set $U_s$. In the traditional network, if $V^n_{\text{listen}} \cap U_s \neq \emptyset$, complete communication data between $host_{\text{src}}$ and $host_{\text{dst}}$ can be obtained by attackers. If $V^n_{\text{listen}} \cap U_s = \emptyset$, no communication data can be sniffed. The probability of attackers obtaining complete communication data in the traditional network can be calculated by (6), where $C^n_m$ is the number of all $V^n_{\text{sniff}}$ and $C^n_{m-s}$ is the number of $V^n_{\text{sniff}}$ with $V^n_{\text{listen}} \cap U_s = \emptyset$. So $C^n_m - C^n_{m-s}$ represents the number of $V^n_{\text{sniff}}$ with $V^n_{\text{listen}} \cap U_s \neq \emptyset$:

$$P_{\text{traditional}} = \frac{C^n_m - C^n_{m-s}}{C^n_m}. \tag{6}$$

In DHC, attackers can sniff complete data between $host_{\text{src}}$ and $host_{\text{dst}}$ if $node_{\text{src}} \in V^n_{\text{sniff}}$ or $node_{\text{dst}} \in V^n_{\text{sniff}}$. The number of such $V^n_{\text{sniff}}$ is $C^1_2 C^{n-1}_{m-2} + C^2_2 C^{n-2}_{m-2}$. In the other cases, if $node_{\text{src}} \notin V^n_{\text{listen}}$ and $node_{\text{dst}} \notin V^n_{\text{listen}}$, to sniff complete data a vertex cut-set $V_{\text{cut}}$ should be contained in $V^n_{\text{sniff}}$, and $node_{\text{src}}$ and $node_{\text{dst}}$ should be cut by $V_{\text{cut}}$ into different connected subgraphs; that is, $V^n_{\text{sniff}} \supseteq V_{\text{cut}}$ exists, where $G$ is cut by $V_{\text{cut}}$ into $k$ connected subgraphs $G_1, G_2, \ldots, G_k$, and $node_{\text{src}} \in G_i$ and $node_{\text{dst}} \in G_j$ with $1 \le i, j \le k$ and $i \neq j$ hold. Suppose there exist $Q^n_{\text{src},\text{dst}}$ sniffed node sets $V^n_{\text{sniff}}$ that contain such a $V_{\text{cut}}$ in this case. Then the probability of attackers obtaining complete data between $host_{\text{src}}$ and $host_{\text{dst}}$ can be calculated by

$$P_{\text{hop}} = \frac{C^1_2 C^{n-1}_{m-2} + C^2_2 C^{n-2}_{m-2} + Q^n_{\text{src},\text{dst}}}{C^n_m}. \tag{7}$$

Proposition 1. The probability of attackers obtaining complete data in the traditional network on one communication is not less than that in DHC; that is, $P_{\text{traditional}} \ge P_{\text{hop}}$.

The proof of this proposition is given in the Appendix. In the network topology shown in Figure 5, suppose a host on node 1 communicates with a host on node 16. The shortest path from node 1 to node 16 contains 6 nodes. Attackers can sniff $n$ nodes randomly ($1 \le n \le 16$). The probabilities of attackers obtaining complete data in the traditional network and in the DHC network are shown in Figure 10.
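Equations (6) and (7) and Proposition 1 (whose proof is the Appendix's (A4) and (A5)), worked on a constructed 7-node topology as an added example, not the paper's code: the page does not list the links of Figure 5, so EDGES, SRC and DST are assumptions. P_hop is computed from (7), with Q^n_src,dst found by enumerating the sniffed sets that separate node_src from node_dst, and cross-checked by brute force over every sniffed set.

```python
from fractions import Fraction
from itertools import combinations
from math import comb

# Constructed 7-node topology (an assumption of this example; the page does not list
# the links of Figure 5). Node 1 is node_src and node 7 is node_dst; the unique shortest
# path is 1-2-3-7 (s = 4), while 1-4-5-6-7 and 1-2-5-6-7 are the longer hopping paths.
EDGES = [(1, 2), (2, 3), (3, 7), (1, 4), (4, 5), (5, 6), (6, 7), (2, 5)]
SRC, DST = 1, 7


def comb0(n, k):
    """C(n, k) with C(n, k) = 0 outside 0 <= k <= n (needed when n - 1 or n - 2 < 0)."""
    return comb(n, k) if 0 <= k <= n else 0


def nodes(edges):
    return sorted({v for e in edges for v in e})


def adjacency(edges, removed=frozenset()):
    """Adjacency of G with the sniffed nodes in `removed` cut out."""
    adj = {v: set() for v in nodes(edges) if v not in removed}
    for u, v in edges:
        if u in adj and v in adj:
            adj[u].add(v)
            adj[v].add(u)
    return adj


def shortest_path(edges, src, dst):
    """BFS shortest path in hops: the static route a traditional network would use."""
    adj, parent, queue = adjacency(edges), {src: None}, [src]
    for u in queue:
        for v in sorted(adj[u]):
            if v not in parent:
                parent[v] = u
                queue.append(v)
    path, cur = [], dst
    while cur is not None:
        path.append(cur)
        cur = parent[cur]
    return path[::-1]


def connected(edges, src, dst, removed):
    """True if src still reaches dst after the nodes in `removed` are taken out."""
    adj, seen, stack = adjacency(edges, removed), {src}, [src]
    while stack:
        u = stack.pop()
        if u == dst:
            return True
        for v in adj.get(u, ()):
            if v not in seen:
                seen.add(v)
                stack.append(v)
    return False


def p_traditional(edges, src, dst, n):
    """Equation (6): (C^n_m - C^n_{m-s}) / C^n_m, s = nodes on the shortest path."""
    m, s = len(nodes(edges)), len(shortest_path(edges, src, dst))
    return Fraction(comb0(m, n) - comb0(m - s, n), comb(m, n))


def q_cut(edges, src, dst, n):
    """Q^n_{src,dst}: n-subsets avoiding src and dst whose removal separates them."""
    others = [v for v in nodes(edges) if v not in (src, dst)]
    return sum(1 for vs in combinations(others, n)
               if not connected(edges, src, dst, frozenset(vs)))


def p_hop(edges, src, dst, n):
    """Equation (7): (C^1_2 C^{n-1}_{m-2} + C^2_2 C^{n-2}_{m-2} + Q^n_{src,dst}) / C^n_m."""
    m = len(nodes(edges))
    hits = 2 * comb0(m - 2, n - 1) + comb0(m - 2, n - 2) + q_cut(edges, src, dst, n)
    return Fraction(hits, comb(m, n))


def p_hop_enumerated(edges, src, dst, n):
    """Cross-check of (7): count every sniffed set that yields complete data."""
    all_nodes = nodes(edges)
    wins = sum(1 for vs in combinations(all_nodes, n)
               if src in vs or dst in vs or not connected(edges, src, dst, frozenset(vs)))
    return Fraction(wins, comb(len(all_nodes), n))


def proposition_1_holds(edges, src, dst):
    """P_traditional >= P_hop for every number n of sniffed nodes (Proposition 1)."""
    m = len(nodes(edges))
    return all(p_traditional(edges, src, dst, n) >= p_hop(edges, src, dst, n)
               for n in range(1, m + 1))


if __name__ == "__main__":
    print("n  P_traditional  P_hop")
    for n in range(1, len(nodes(EDGES)) + 1):
        pt, ph = p_traditional(EDGES, SRC, DST, n), p_hop(EDGES, SRC, DST, n)
        print(f"{n}  {float(pt):.3f}          {float(ph):.3f}")
    print("Proposition 1 holds:", proposition_1_holds(EDGES, SRC, DST))
```

On this topology one sniffed node gives P_traditional = 4/7 but P_hop = 2/7, because no single node other than node_src or node_dst separates them; with two sniffed nodes the five separating pairs raise P_hop to 16/21 against 18/21.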

As can be seen from Figure 10, the probability of attackers obtaining complete data increases when the number of sniffed nodes increases, both in the traditional and in the DHC network. But $P_{\text{hop}} \le P_{\text{traditional}}$ always holds. The probability of attackers obtaining complete data is 1 in both the traditional and the DHC network when the number of sniffed nodes is more than 10. Although the probability of attackers sniffing complete data increases in the DHC network when a large number of forwarding nodes are sniffed, attackers obtain more irrelevant data. Since the end hops constantly during a communication, attackers cannot easily pick out the traffic that belongs to the target from the sniffed data, which increases the difficulty for attackers to reconstruct and recover communication data.

Figure 10: Probability of obtaining complete data. [Figure: x-axis, the number of monitored nodes, 1 to 16; y-axis, the probability of obtaining complete communication data, 0 to 1; series: DHC and traditional network.]

6.3. Analysis of Communication Data Reconstruction for Attackers. Reconstruction of communication data requires the complete data of this communication. In this section, assume attackers can sniff complete data in the communication between the source and destination hosts. In the traditional network, attackers can deduce the positions of both communicating sides and the upper layer protocol from the IP and port of the sniffed packets. Useless packets can be eliminated based on the end, and the target communication data can be obtained. However, in the DHC network, no real end of the source and destination hosts can be sniffed by attackers if the source and destination forwarding nodes are not sniffed. The data of a communication is distributed to various flows that attackers are not able to distinguish. Suppose that there are $f_{\text{sniff}}$ flows in the sniffed data, among which $f_{\text{real}}$ flows contain the data of the target connections ($f_{\text{real}} \le f_{\text{sniff}}$), and different ends are applied in different connections. There are $C^h_{f_{\text{sniff}}}$ combinations when attackers randomly choose $h$ flows from the $f_{\text{sniff}}$ flows. Attackers can reconstruct the communication data properly with only one combination; that is, $C^{f_{\text{real}}}_{f_{\text{real}}} = 1$. Given that attackers select several flows randomly in a single attempt to reconstruct the communication data, the probability of reconstructing the data properly can be calculated with

$$P_{\text{once}} = \frac{C^{f_{\text{real}}}_{f_{\text{real}}}}{C^1_{f_{\text{sniff}}} + C^2_{f_{\text{sniff}}} + \cdots + C^{f_{\text{sniff}}}_{f_{\text{sniff}}}} = \frac{1}{2^{f_{\text{sniff}}} - 1}. \tag{8}$$

As shown in (8), the probability of attackers reconstructing the data successfully in a single attempt decreases exponentially with the increase of the number of flows sniffed. The more data sniffed, the more difficult successful data reconstruction becomes. Since attackers cannot easily determine the timing of the target communication due to end hopping, a longer sniffing time is needed to obtain complete communication data. Therefore, a large amount of irrelevant data is obtained, increasing the difficulty of data reconstruction. Given $f_{\text{sniff}} = 100$ and $f_{\text{real}} = 10$, the probability of attackers reconstructing the data correctly by selecting several flows randomly in one attempt would be $7.89 \times 10^{-31}$.

Table 1: Comparison of packet transmission time between traditional network and DHC network.

| Approach | Average cost of packet transmission time | Period of flow update | Routing path |
| --- | --- | --- | --- |
| Traditional | $t \times l_s$ | Infinite | The shortest path from source to destination |
| DHC | $t \times l_a$ | $T_{\text{hop}}$ | Multiple paths from source to destination |

6.4. Analysis of Unpredictability. Since the end and route hop randomly in DHC (detailed information is given in Section 4.3), the end and route used in the next period cannot be predicted precisely. Even under the condition that the DHC protocol, the end hopping space, and the route hopping space are exposed, DHC can still increase the cost of sniffer attackers and resist sniffer attacks. Suppose that an attacker with all the information above sniffs the DHC network for a target communication; then she will face the following difficulties in launching a sniffer attack. Firstly, even though the DHC protocol is transparent to the attacker, a targeted sniffer attack cannot be launched, thanks to the randomness of end and route hopping. Secondly, it is hard for the attacker to get complete communication data during sniffing, due to the periodical hopping of the route. Thirdly, the attacker will get a large number of ends because of frequent end hopping, which prevents the attacker from extracting the right packets belonging to the target communication when she/he attempts to recover the communication data. So the unpredictability of DHC guarantees that it can resist sniffer attack under the condition of exposing the DHC protocol and network information.

6.5. Analysis of Cost. Under traditional routing schemes, the packets are routed along the shortest path. However, in the DHC network, packets may be routed along longer paths due to the dynamic changing of the route. Therefore, the cost of packet transmission time is higher in DHC. Let $l_s$ denote the length (the length of a routing path is estimated in hops) of the shortest path between source and destination, $l_a$ the average length of the paths in the route hopping space ($l_s \le l_a$), and $T_{\text{hop}}$ the hopping period; then the cost of packet transmission time is shown in Table 1. Moreover, random selection of the route is periodically conducted by the routing path hop of a communication, which results in a small number of disordered packets at the receiving end when a new period starts, leaving no obstacles to normal communication.

Ends and routing paths are selected in DHC when flow entries are generated, which is more complicated than in a traditional network, so the time cost of generating flow entries is higher in DHC. Since the average path is longer in DHC, more flow entries are installed for one communication than in a traditional network, so the time cost of flow entry setup is higher in DHC as well. Figure 11 compares the average time cost of installing flow entries between different node pairs in the topology of Figure 5 for DHC and the traditional network. As illustrated in Figure 11, the average time for flow entry generation and setup in DHC is longer than in the traditional network.

Figure 11: Comparison of the average time cost of flow entry installation in DHC and the traditional network (x-axis: node pairs 1→16, 3→11, 4→14, 5→12; y-axis: average time overhead (ms), 0 to 0.25; series: time of flow setup in DHC, time of flow generation in DHC, time of flow setup in traditional network, time of flow generation in traditional network).

In the network without DHC, flow entries are installed only once at the beginning of a communication, whereas in DHC the flow entries of the data plane are updated periodically and hopping ends and paths have to be allocated for every connection between two communicating sides, which places more load on the controller. In the experiment topology, 50 pairs of source and destination hosts are chosen at random and communication between every pair is started. The CPU utilization of the controller with and without DHC is compared in Figure 12. If the controller does not run DHC, the load is low because flow entries are not updated periodically, so the CPU utilization stays under 10%, as shown in Figure 12. If the controller runs DHC, the load increases because of the periodic updating of flow entries, and the CPU utilization is much higher: when $T_{\text{hop}} = 5$ s it is between 20% and 40%, and when $T_{\text{hop}} = 10$ s it is between 10% and 30%. A shorter hopping period requires more controller operations, so the CPU utilization is higher for $T_{\text{hop}} = 5$ s than for $T_{\text{hop}} = 10$ s. The controller will be the bottleneck when DHC is used in a large-scale network; a distributed SDN controller [30] is a solution to this problem.

Figure 12: CPU utilization of the controller (x-axis: run time (s), 10 to 100; y-axis: CPU utilization (%), 0 to 60; series: no DHC, DHC with $T_{\text{hop}} = 10$ s, DHC with $T_{\text{hop}} = 5$ s).

Mathematical Problems in Engineering 11

In a traditional network, flows are matched only by destination address, so the length of the routing tables is of order $O(m)$ for a network of $m$ nodes. In DHC, however, flows are matched by ends (including source/destination addresses and ports), meaning that two flows must be specified for every connection (TCP or UDP) between the two communicating sides. Let $\lambda$ denote the average rate of connection establishment and $w$ the lasting time of each connection; then the mean length of the flow tables is of order $O(m\lambda w)$ [7]. Moreover, to avoid packet loss, DHC keeps both the old and the new flow entries in the flow table simultaneously for a brief period, during which the flow table space cost increases further. Therefore the cost in flow table space is higher in DHC.

7. Conclusion

The centralized control and programmability of SDN make hopping communication easier to realize and deploy. In this paper, end hopping and route hopping are combined, and double hopping communication based on SDN is proposed. The end is changed dynamically in DHC so that the data from multiple users is mixed and communication traffic can be hidden in background traffic; traffic therefore cannot be distinguished easily, and the difficulty for attackers to reconstruct and recover data increases. In addition, the data is transmitted along multiple paths by changing the routing path dynamically, which increases the difficulty for attackers to obtain complete communication data. The results show that the proposed approach effectively resists sniffer attack. Moreover, DHC is realized completely in software and is transparent to terminals. A controller bottleneck usually occurs in a large-scale DHC network; in future work a distributed controller model will be applied to deal with this problem, and a feasible communication solution of DHC will be tested in a real network.

Appendix

Suppose there are $m$ nodes in the network topology $G$. An attacker can sniff $n$ nodes, and the sniffed nodes constitute the sniffed node set $V^{n}_{\text{sniff}}$ ($|V^{n}_{\text{sniff}}| = n$, $n \le m$). Given the route hopping space $S^{H_1 \to H_2}_{\text{RH}}$, there are $s$ nodes on the shortest path between source host $H_1$ and destination host $H_2$ ($s \le m$). $V_{\text{cut}}$ is a vertex cut-set by which $G$ is cut into several connected subgraphs such that the source forwarding node $node_{\text{src}}$ and the destination forwarding node $node_{\text{dst}}$ lie in different subgraphs. Suppose there are $Q^{n}_{\text{src,dst}}$ sniffed node sets $V^{n}_{\text{sniff}}$ satisfying $V^{n}_{\text{sniff}} \supseteq V_{\text{cut}}$. The proof that the probability of an attacker obtaining the complete data of one communication in a traditional network is not less than that in DHC, that is, $P_{\text{traditional}} \ge P_{\text{hop}}$, is given below.

Proof. We verify $P_{\text{traditional}} \ge P_{\text{hop}}$ by showing that $P_{\text{traditional}} - P_{\text{hop}} \ge 0$.

Given
\[
P_{\text{traditional}} = \frac{C^{n}_{m} - C^{n}_{m-s}}{C^{n}_{m}}, \qquad
P_{\text{hop}} = \frac{C^{1}_{2}\,C^{n-1}_{m-2} + C^{2}_{2}\,C^{n-2}_{m-2} + Q^{n}_{\text{src,dst}}}{C^{n}_{m}},
\]
we have
\[
P_{\text{traditional}} - P_{\text{hop}} = \frac{C^{n}_{m} - C^{n}_{m-s} - \left(C^{1}_{2}\,C^{n-1}_{m-2} + C^{2}_{2}\,C^{n-2}_{m-2} + Q^{n}_{\text{src,dst}}\right)}{C^{n}_{m}}. \tag{A.1}
\]

Suppose the shortest path from $H_1$ to $H_2$ is $path^{*}$ ($path^{*} \in S^{H_1 \to H_2}_{\text{RH}}$). If the complete communication data from the source host to the destination host can be sniffed on $V^{n}_{\text{sniff}}$, then for every $path \in S^{H_1 \to H_2}_{\text{RH}}$ we have $V^{n}_{\text{sniff}} \cap Nodes(path) \ne \emptyset$, where $Nodes(path)$ denotes the set of nodes that $path$ passes through. Because $path^{*} \in S^{H_1 \to H_2}_{\text{RH}}$, it follows that $V^{n}_{\text{sniff}} \cap Nodes(path^{*}) \ne \emptyset$; that is, $V^{n}_{\text{sniff}}$ contains at least one node on the shortest path (Conclusion 1).

When $n = 1$, the attacker sniffs one node in the network. Based on (A.1) we have
\[
P_{\text{traditional}} - P_{\text{hop}} = \frac{C^{1}_{m} - C^{1}_{m-s} - \left(C^{1}_{2}\,C^{0}_{m-2} + Q^{1}_{\text{src,dst}}\right)}{C^{1}_{m}}. \tag{A.2}
\]
In (A.2) the denominator $C^{1}_{m} > 0$, and the numerator is
\[
C^{1}_{m} - C^{1}_{m-s} - \left(C^{1}_{2}\,C^{0}_{m-2} + Q^{1}_{\text{src,dst}}\right) = m - (m - s) - \left(2 + Q^{1}_{\text{src,dst}}\right) = s - 2 - Q^{1}_{\text{src,dst}}. \tag{A.3}
\]
By Conclusion 1, $V^{1}_{\text{sniff}} \cap Nodes(path^{*}) \ne \emptyset$; that is, the sniffed node is on the shortest path. Among the $s$ nodes on the shortest path, the number of $V^{1}_{\text{sniff}}$ that can divide the source node and the destination node into different connected subgraphs is not more than $s - 2$ (only the $s - 2$ intermediate nodes qualify, because $node_{\text{src}}$ and $node_{\text{dst}}$ themselves are already counted by the first term of $P_{\text{hop}}$); that is, $Q^{1}_{\text{src,dst}} \le s - 2$. So (A.3) $\ge 0$. The numerator of (A.2) is not less than 0, and therefore in (A.2) $P_{\text{traditional}} - P_{\text{hop}} \ge 0$.

When $n \ge 2$, the attacker sniffs more than one node in the network. Based on (A.1) we have
\[
P_{\text{traditional}} - P_{\text{hop}} = \frac{C^{n}_{m} - C^{n}_{m-s} - \left(C^{1}_{2}\,C^{n-1}_{m-2} + C^{2}_{2}\,C^{n-2}_{m-2} + Q^{n}_{\text{src,dst}}\right)}{C^{n}_{m}}. \tag{A.4}
\]
In (A.4) the denominator $C^{n}_{m} > 0$, and the numerator is
\[
\begin{aligned}
& C^{n}_{m} - C^{n}_{m-s} - \left(C^{1}_{2}\,C^{n-1}_{m-2} + C^{2}_{2}\,C^{n-2}_{m-2} + Q^{n}_{\text{src,dst}}\right) \\
&= C^{n}_{m} - C^{n}_{m-s} - 2\,C^{n-1}_{m-2} - C^{n-2}_{m-2} - Q^{n}_{\text{src,dst}} \\
&= C^{n}_{m-2} - C^{n}_{m-s} - Q^{n}_{\text{src,dst}},
\end{aligned} \tag{A.5}
\]
where the last step uses $C^{n}_{m} = C^{n}_{m-2} + 2\,C^{n-1}_{m-2} + C^{n-2}_{m-2}$ (every $n$-subset of the $m$ nodes contains none, exactly one, or both of $node_{\text{src}}$ and $node_{\text{dst}}$).

According to its definition, $Q^{n}_{\text{src,dst}}$ is the number of those $V^{n}_{\text{sniff}}$ that divide $node_{\text{src}}$ and $node_{\text{dst}}$ into different connected subgraphs, so $node_{\text{src}}$ and $node_{\text{dst}}$ do not belong to such a $V^{n}_{\text{sniff}}$. $C^{n}_{m-2}$ is the number of all $V^{n}_{\text{sniff}}$ satisfying both $node_{\text{src}} \notin V^{n}_{\text{sniff}}$ and $node_{\text{dst}} \notin V^{n}_{\text{sniff}}$, and $C^{n}_{m-2-(s-2)} = C^{n}_{m-s}$ is the number of such $V^{n}_{\text{sniff}}$ satisfying $V^{n}_{\text{sniff}} \cap Nodes(path^{*}) = \emptyset$. By Conclusion 1, $V^{n}_{\text{sniff}} \cap Nodes(path^{*}) \ne \emptyset$, so $Q^{n}_{\text{src,dst}}$ is not more than $C^{n}_{m-2} - C^{n}_{m-2-(s-2)}$. So (A.5) $\ge 0$. The numerator of (A.4) is not less than 0, and therefore in (A.4) $P_{\text{traditional}} - P_{\text{hop}} \ge 0$.

In conclusion, $P_{\text{traditional}} - P_{\text{hop}} \ge 0$; that is, $P_{\text{traditional}} \ge P_{\text{hop}}$, which completes the proof.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work is supported by the National Natural Science Foundation of China (nos. 61379151, 61272489, 61302159, and 61401512), the National Cryptography Development Fund of China (no. MMJJ201301005), the National Basic Research Program of China (973) (Grants nos. 2012CB315901 and 2013CB329104), and the National Natural Science Foundation of China (Grants nos. 61309019 and 61372121).

References

[1] National Cyber Leap Year Summit 2009 Co-Chairs' Report, "Networking and information technology research and development," Tech. Rep., 2009.

[2] Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development Program, Executive Office of the President, National Science and Technology Council, Washington, DC, USA, 2011.

[3] S. Jajodia, A. K. Ghosh, V. Swarup, C. Wang, and X. S. Wang, Moving Target Defense: Creating Asymmetric Uncertainty for Cyber Threats, vol. 54, Springer Science & Business Media, New York, NY, USA, 2011.

[4] E. Al-Shaer, "Toward network configuration randomization for moving target defense," in Moving Target Defense, vol. 54 of Advances in Information Security, pp. 153–159, Springer, New York, NY, USA, 2011.

[5] P. Kampanakis, H. Perros, and T. Beyene, "SDN-based solutions for Moving Target Defense network protection," in Proceedings of the 15th IEEE International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM '14), pp. 1–6, Sydney, Australia, June 2014.

[6] M. Atighetchi, P. Pal, F. Webber, and C. Jones, "Adaptive use of network-centric mechanisms in cyber-defense," in Proceedings of the 6th IEEE International Symposium on Object-Oriented Real-Time Distributed Computing, pp. 183–192, Hokkaido, Japan, May 2003.

[7] J. H. Jafarian, E. Al-Shaer, and Q. Duan, "OpenFlow random host mutation: transparent moving target defense using software defined networking," in Proceedings of the 1st Workshop on Hot Topics in Software Defined Networks (HotSDN '12), pp. 127–132, ACM, Helsinki, Finland, August 2012.

[8] Q. Duan, E. Al-Shaer, and H. Jafarian, "Efficient Random Route Mutation considering flow and network constraints," in Proceedings of the IEEE Conference on Communications and Network Security (CNS '13), pp. 260–268, IEEE, National Harbor, Md, USA, October 2013.

[9] E. Al-Shaer, Q. Duan, and J. H. Jafarian, "Random host mutation for moving target defense," in Security and Privacy in Communication Networks, pp. 310–327, Springer, New York, NY, USA, 2013.

[10] G. Badishi, A. Herzberg, and I. Keidar, "Keeping denial-of-service attackers in the dark," IEEE Transactions on Dependable and Secure Computing, vol. 4, no. 3, pp. 191–204, 2007.

[11] H. Wang, Q. Jia, D. Fleck, W. Powell, F. Li, and A. Stavrou, "A moving target DDoS defense mechanism," Computer Communications, vol. 46, pp. 10–21, 2014.

[12] C.-Y. Hong, S. Kandula, R. Mahajan et al., "Achieving high utilization with software-driven WAN," ACM SIGCOMM Computer Communication Review, vol. 43, no. 3, pp. 15–26, 2013.

[13] N. McKeown, "Software-defined networking," INFOCOM Keynote Talk, vol. 17, no. 2, pp. 30–32, 2009.

[14] M. Carvalho and R. Ford, "Moving-target defenses for computer networks," IEEE Security & Privacy, vol. 12, no. 2, pp. 73–76, 2014.

[15] M. Sifalakis, S. Schmid, and D. Hutchison, "Network address hopping: a mechanism to enhance data protection for packet communications," in Proceedings of the IEEE International Conference on Communications (ICC '05), vol. 3, pp. 1518–1523, IEEE, Seoul, Republic of Korea, May 2005.

[16] M. Dunlop, S. Groat, W. Urbanski, R. Marchany, and J. Tront, "MT6D: a moving target IPv6 defense," in Proceedings of the Military Communications Conference (MILCOM '11), pp. 1321–1326, IEEE, Baltimore, Md, USA, November 2011.

[17] J. H. Jafarian, E. Al-Shaer, and Q. Duan, "An effective address mutation approach for disrupting reconnaissance attacks," IEEE Transactions on Information Forensics and Security, vol. 10, no. 12, pp. 2562–2577, 2015.

[18] J. H. H. Jafarian, E. Al-Shaer, and Q. Duan, "Spatio-temporal address mutation for proactive cyber agility against sophisticated attackers," in Proceedings of the 1st ACM Workshop on Moving Target Defense (MTD '14), pp. 69–78, Scottsdale, AZ, USA, November 2014.

[19] J. H. Jafarian, E. Al-Shaer, and Q. Duan, "Adversary-aware IP address randomization for proactive agility against sophisticated attackers," in Proceedings of the IEEE Conference on Computer Communications (INFOCOM '15), pp. 738–746, IEEE, April 2015.

[20] D. C. MacFarland and C. A. Shue, "The SDN shuffle: creating a moving-target defense using host-based software-defined networking," in Proceedings of the 2nd ACM Workshop on Moving Target Defense (MTD '15), pp. 37–41, ACM, Denver, Colo, USA, October 2015.

[21] J. Jafarian, E. Al-Shaer, and Q. Duan, "Formal approach for route agility against persistent attackers," in Computer Security – ESORICS 2013, J. Crampton, S. Jajodia, and K. Mayes, Eds., vol. 8134 of Lecture Notes in Computer Science, pp. 237–254, Springer, Berlin, Germany, 2013.

[22] S. Dolev and S. T. David, "SDN-based private interconnection," in Proceedings of the IEEE 13th International Symposium on Network Computing and Applications (NCA '14), 2014.

[23] F. Gillani, E. Al-Shaer, S. Lo, Q. Duan, M. H. Ammar, and E. W. Zegura, "Agile virtualized infrastructure to proactively defend against cyber attacks," in Proceedings of the IEEE Conference on Computer Communications (INFOCOM '15), pp. 729–737, Hong Kong, April-May 2015.

[24] D. Gkounis, V. Kotronis, and X. Dimitropoulos, "Towards defeating the crossfire attack using SDN," http://arxiv.org/abs/1412.2013.

[25] A. Studer and A. Perrig, "The coremelt attack," in Computer Security – ESORICS 2009, vol. 5789 of Lecture Notes in Computer Science, pp. 37–52, Springer, Berlin, Germany, 2009.

[26] B. Lantz, B. Heller, and N. McKeown, "A network in a laptop: rapid prototyping for software-defined networks," in Proceedings of the 9th ACM SIGCOMM Workshop on Hot Topics in Networks, ACM, October 2010.

[27] N. McKeown, T. Anderson, H. Balakrishnan et al., "OpenFlow: enabling innovation in campus networks," ACM SIGCOMM Computer Communication Review, vol. 38, no. 2, pp. 69–74, 2008.

[28] M. McCauley, "About pox," 2013, http://www.github.com/noxrepo/pox.

[29] S. De Maesschalck, D. Colle, I. Lievens et al., "Pan-European optical transport networks: an availability-based comparison," Photonic Network Communications, vol. 5, no. 3, pp. 203–225, 2003.

[30] A. Dixit, F. Hao, S. Mukherjee, T. V. Lakshman, and R. Kompella, "Towards an elastic distributed SDN controller," ACM SIGCOMM Computer Communication Review, vol. 43, no. 4, pp. 7–12, 2013.



Figure 3: DHC prototype deployment (controller running the DhcFlower, TopologyDiscovery, and FlowMonitor modules, controlling the OF switches over OpenFlow).

Figure 4: Makeup of DhcFlower (double hopping engine, hopping path calculator, flow updater, hopping path pool, and hopping end pool; TopologyDiscovery supplies topology info and FlowMonitor supplies flow entries).

topology proposed in [29] is applied, which has 16 forwarding nodes, as illustrated in Figure 5. The maximum path length $L$ is set to 32.

5.2.1. Validation of the Effectiveness of End Hopping. UDP packets from the terminal on node 1 are sent to the terminal on node 16 for 500 s. Packets are sniffed on the forwarding nodes, and the number of ends received on each node is counted. The sniffing results in DHC and in the traditional network are shown in Figure 6.

As Figure 6 demonstrates, on some forwarding nodes of the traditional network, such as nodes 4, 7, 8, and 12, only one end can be sniffed. In DHC, by contrast, multiple ends can be sniffed on every forwarding node apart from the source and destination forwarding nodes. Because the end of a packet is invariant in a traditional network, the sniffed end stays unchanged, which is convenient for attackers: they can launch a targeted sniffer against any connection and obtain its complete communication data.

In DHC the end changes randomly and periodically, so the ends sniffed on the forwarding nodes between the source and destination hosts vary. It is difficult for attackers to determine which ends belong to the same connection, which increases the difficulty of reconstructing the communication data. Moreover, the more frequently the end hops, the more ends are sniffed on the forwarding nodes: Figure 6 shows that more ends are sniffed when $T_{\text{hop}} = 5$ s than when $T_{\text{hop}} = 10$ s. In addition, fewer ends can be sniffed on forwarding node 9 than on the other nodes, because fewer paths pass through node 9, so its probability of being hit by the weighted random selection is lower.

5.2.2. Validation of the Effectiveness of Route Hopping. In the experiment, $10^6$ packets are transmitted from node 5 to node 6 at $10^4$ packets per second. The hopping period $T_{\text{hop}}$ is set to 5 s. Packets are sniffed on the forwarding nodes, and the number of packets sniffed is counted. In the DHC network, random path selection and weighted random path selection are applied to conduct the hopping communication. The sniffing results are compared with traditional network communication in Figure 7.

Figure 5: Network topology applied in the experiment (16 forwarding nodes, numbered 1 to 16).

Figure 6: Number of ends sniffed from a single flow (x-axis: forwarding node 2 to 15; y-axis: number of sniffed ends, 0 to 90; series: traditional network, DHC with $T_{\text{hop}} = 10$ s, DHC with $T_{\text{hop}} = 5$ s).

In Figure 7 the vertical coordinate stands for the fraction of all packets transmitted from node 5 to node 6. In the traditional network, the complete communication data from the source host to the destination host can be sniffed on some nodes (e.g., nodes 6, 11, and 12), which means that attackers can sniff the complete data on any one of these nodes and analyze it further. Since shortest-path routing is applied in the traditional network and the path stays unchanged during the communication, the complete communication data can be obtained on any node that the shortest path goes through. In DHC, the packets of a connection are distributed over several paths by route hopping, so it is difficult for attackers to sniff the complete data on a single forwarding node. If random path selection is applied, a large amount of data may still be sniffed on certain nodes: as Figure 7 shows, more than 50% of the data can be sniffed on forwarding nodes 4, 8, and 12. Applying weighted random path selection avoids excessive traffic passing through certain nodes, because a lower weight is assigned to paths containing nodes that more paths cross.

Figure 7: Percentage of packets sniffed from a single flow (x-axis: forwarding nodes 1 to 15 other than the source node 5; y-axis: fraction of the transmitted packets, 0 to 1; series: DHC with random path selection, DHC with weighted path selection, traditional network).

5.2.3. Validation of the Effectiveness against Sniffer Attack. In the experiment, 100 MB of data is transmitted from node 1 to node 16 over 500 s. The hopping period $T_{\text{hop}}$ is set to 5 s. Data is sniffed on the node sets $A_1 = \{8\}$, $A_2 = \{8, 9\}$, $A_3 = \{8, 9, 10\}$, and $A_4 = \{8, 9, 10, 11\}$, respectively. The shortest path from node 1 to node 16 is $1 \to 4 \to 7 \to 8 \to 12 \to 16$. The percentage of data sniffed on node sets $A_1$, $A_2$, $A_3$, and $A_4$ is presented in Figure 8.

As Figure 8 illustrates, in the traditional network the complete communication data can be sniffed on every one of the node sets $A_1$, $A_2$, $A_3$, and $A_4$, since they all contain node 8 on the shortest path, on which the complete data can be sniffed. In DHC, however, the complete data cannot be obtained from the node sets $A_1$, $A_2$, and $A_3$, because route hopping is applied. The percentage of data sniffed on $A_1$ and $A_2$ is the same, because the traffic that passes through $A_2$ also passes through $A_1$. Only $A_4$ can sniff the complete communication data in DHC, and even then the ends of the data are diverse because of end hopping. We consider packets with the same end to be static data that attackers can obtain; the static data that attackers can obtain in hopping communication is far less than in the traditional network.

Figure 8: Percentage of data that can be sniffed by attackers (x-axis: the sniffed set $A_1$, $A_2$, $A_3$, $A_4$; y-axis: fraction of sniffed data, 0 to 1.0; series: the sniffed data in DHC, the sniffed static data in the traditional network, the sniffed static data in DHC).

Figure 9: Performance of forwarding in DHC (x-axis: amount of data transmitted (MB), 1, 10, 100, 200, 500, 1000; y-axis: data transmission time (s), 0 to 1400; series: traditional network, DHC with $T_{\text{hop}} = 10$ s, DHC with $T_{\text{hop}} = 5$ s).

5.2.4. Performance of DHC. In the experiment, the bandwidth of every link in the network topology is set to 10 Mb/s. Data is transmitted from the terminal on node 1 to the terminal on node 16 using the File Transfer Protocol (FTP). The time for data transmission in both DHC and the traditional network is recorded; the results are shown in Figure 9.

As can be seen in Figure 9, the data transmission time in DHC increases compared with the traditional network. The reason is that multiple paths from source to destination are selected, including longer ones, whereas the data is routed along the shortest path in the traditional network; the transmission time in DHC is therefore longer. But the increase is less than 7% when $T_{\text{hop}} = 5$ s in the experiment. Routing path hopping of a connection produces a small number of out-of-order packets at the receiving end when a new period starts, which causes retransmission; the more frequently the flow entries are updated, the more likely retransmission becomes. Accordingly, Figure 9 also shows that more time is needed to transmit the data when $T_{\text{hop}} = 5$ s than when $T_{\text{hop}} = 10$ s.

6. Analysis

In DHC each hopping connection occupies hopping ends in every period. Section 6.1 analyzes the number of hopping connections that a DHC network can support, that is, the hopping network capacity. DHC makes it harder for attackers to obtain complete data and to reconstruct it, so communication security is improved; the obtaining and the reconstruction of communication data are discussed in Sections 6.2 and 6.3. The unpredictability and the cost of DHC are analyzed in Sections 6.4 and 6.5, respectively.

6.1. Capacity of Hopping Network. Suppose the sizes of the hopping IP address pool and the port pool are $|Addr|$ and $|Port|$, respectively. The number of all ends $(IP_{\text{src}}, P_{\text{src}}, IP_{\text{dst}}, P_{\text{dst}})$ is $|Addr|^2 \times |Port|^2$, and the number of ends with $IP_{\text{src}} = IP_{\text{dst}}$ is $|Addr| \times |Port|^2$. According to the definition of an end, valid ends require $IP_{\text{src}} \ne IP_{\text{dst}}$, so the size of the valid end hopping space $S_{\text{EH}}$ is
\[
|S_{\text{EH}}| = |Addr|^2 \times |Port|^2 - |Addr| \times |Port|^2. \tag{3}
\]

In DHC, end hopping is performed in both directions of a connection, which means that at any moment one connection needs two ends. Assuming $t$ hopping connections exist simultaneously in the network, $2t$ ends are needed and $|S_{\text{EH}}| - 2t$ ends are left. To ensure high randomness in hopping end selection, enough unoccupied hopping ends in $S_{\text{EH}}$ are necessary. Suppose the maximum occupancy rate of the end hopping space $S_{\text{EH}}$ is $\alpha$; that is, at least $(1 - \alpha)|S_{\text{EH}}|$ ends are unoccupied. Then inequality (4) holds:
\[
(1 - \alpha)\,|S_{\text{EH}}| \le |S_{\text{EH}}| - 2t, \qquad t \le \tfrac{1}{2}\,\alpha\,|S_{\text{EH}}|. \tag{4}
\]
Therefore the maximum number of hopping connections allowed in DHC, that is, the capacity of the hopping network, is $\tfrac{1}{2}\alpha|S_{\text{EH}}|$.

Combining (3) and inequality (4) gives
\[
t \le \tfrac{1}{2}\,\alpha\left(|Addr|^2 \times |Port|^2 - |Addr| \times |Port|^2\right). \tag{5}
\]
Assuming $|Port| = 2^{16}$, $|Addr| = 2^{16}$ (the hopping IP address pool is a class B address block), and $\alpha = 0.8$, DHC can support $7.37 \times 10^{18}$ connections hopping simultaneously.

6.2. Analysis of Attackers Obtaining Complete Communication Data. We hypothesize that attackers can sniff part of the forwarding nodes in the network at random. Suppose the network topology $G = \langle V, E \rangle$ is an undirected connected graph, where $V$ is the set of forwarding nodes and $E$ is the set of links. $V$ contains $m$ forwarding nodes, and attackers can sniff $n$ of them simultaneously at random ($n \le m$). The sniffed node set consisting of these forwarding nodes is denoted $V^{n}_{\text{sniff}}$, with $V^{n}_{\text{sniff}} \subseteq V$ and $|V^{n}_{\text{sniff}}| = n$.

Source host $host_{\text{src}}$ communicates with destination host $host_{\text{dst}}$. The source and destination forwarding nodes are denoted $node_{\text{src}}$ and $node_{\text{dst}}$, respectively. Assume there are $s$ nodes on the shortest path between $host_{\text{src}}$ and $host_{\text{dst}}$ ($1 \le s \le m$), which constitute the node set $U_s$. In a traditional network, if $V^{n}_{\text{sniff}} \cap U_s \ne \emptyset$, the complete communication data between $host_{\text{src}}$ and $host_{\text{dst}}$ can be obtained by attackers; if $V^{n}_{\text{sniff}} \cap U_s = \emptyset$, no communication data can be sniffed. The probability of attackers obtaining the complete communication data in a traditional network is given by (6), where $C^{n}_{m}$ is the number of all $V^{n}_{\text{sniff}}$ and $C^{n}_{m-s}$ is the number of $V^{n}_{\text{sniff}}$ with $V^{n}_{\text{sniff}} \cap U_s = \emptyset$, so that $C^{n}_{m} - C^{n}_{m-s}$ is the number of $V^{n}_{\text{sniff}}$ with $V^{n}_{\text{sniff}} \cap U_s \ne \emptyset$:
\[
P_{\text{traditional}} = \frac{C^{n}_{m} - C^{n}_{m-s}}{C^{n}_{m}}. \tag{6}
\]

In DHC, attackers can sniff the complete data between $host_{\text{src}}$ and $host_{\text{dst}}$ if $node_{\text{src}} \in V^{n}_{\text{sniff}}$ or $node_{\text{dst}} \in V^{n}_{\text{sniff}}$; the number of such $V^{n}_{\text{sniff}}$ is $C^{1}_{2}\,C^{n-1}_{m-2} + C^{2}_{2}\,C^{n-2}_{m-2}$. In the remaining cases, where $node_{\text{src}} \notin V^{n}_{\text{sniff}}$ and $node_{\text{dst}} \notin V^{n}_{\text{sniff}}$, sniffing the complete data requires that $V^{n}_{\text{sniff}}$ contain a vertex cut-set $V_{\text{cut}}$ that separates $node_{\text{src}}$ and $node_{\text{dst}}$ into different connected subgraphs; that is, $V^{n}_{\text{sniff}} \supseteq V_{\text{cut}}$, where $G$ is cut by $V_{\text{cut}}$ into $k$ connected subgraphs $G_1, G_2, \ldots, G_k$ with $node_{\text{src}} \in G_i$, $node_{\text{dst}} \in G_j$, $1 \le i, j \le k$, and $i \ne j$. Suppose there are $Q^{n}_{\text{src,dst}}$ sniffed node sets $V^{n}_{\text{sniff}}$ containing such a $V_{\text{cut}}$. Then the probability of attackers obtaining the complete data between $host_{\text{src}}$ and $host_{\text{dst}}$ is
\[
P_{\text{hop}} = \frac{C^{1}_{2}\,C^{n-1}_{m-2} + C^{2}_{2}\,C^{n-2}_{m-2} + Q^{n}_{\text{src,dst}}}{C^{n}_{m}}. \tag{7}
\]

Proposition 1. The probability of attackers obtaining the complete data of one communication in a traditional network is not less than that in DHC; that is, $P_{\text{traditional}} \ge P_{\text{hop}}$.

The proof of this proposition is given in the Appendix. In the network topology of Figure 5, suppose a host on node 1 communicates with a host on node 16. The shortest path from node 1 to node 16 contains 6 nodes. Attackers can sniff $n$ nodes at random ($1 \le n \le 16$). The probabilities of attackers obtaining the complete data in the traditional network and in the DHC network are shown in Figure 10.

As can be seen from Figure 10, the probability of attackers obtaining complete data increases when the number of sniffed nodes increases, both in traditional and DHC network. But $P_{\text{hop}} \le P_{\text{traditional}}$ always holds. The probability of attackers obtaining complete data is 1 in both traditional and DHC network when the number of sniffed nodes is more than 10. Although the probability of attackers sniffing complete data increases in DHC network when a large number of forwarding nodes are sniffed, attackers obtain more irrelevant data. Since the end hops constantly during a communication, attackers cannot easily pick out the traffic that belongs to the target from the sniffed data, which increases the difficulty for attackers to reconstruct and recover communication data.

Figure 10: Probability of obtaining complete data. (Plot: x-axis, the number of monitored nodes, 1 to 16; y-axis, the probability of obtaining complete communication data, 0 to 1; series, DHC and Traditional network.)

6.3. Analysis of Communication Data Reconstruction for Attackers. Reconstruction of communication data requires the complete data of that communication. In this section, assume attackers can sniff complete data in the communication between source and destination hosts. In traditional network, attackers can deduce the positions of both communication sides and the upper layer protocol according to the IP and port of the sniffed packets. Useless packets can be eliminated based on the end, and the target communication data can be obtained. However, in DHC network, no real end of the source and destination hosts can be sniffed by attackers if the source and destination forwarding nodes are not sniffed. Data in a communication is distributed to various flows that attackers are not able to distinguish. Suppose that there are $f_{\text{sniff}}$ flows in the sniffed data, among which $f_{\text{real}}$ flows contain the data of target connections ($f_{\text{real}} \le f_{\text{sniff}}$), and different ends are applied in different connections. There are $C_{f_{\text{sniff}}}^{h}$ combinations when attackers randomly choose $h$ flows from the $f_{\text{sniff}}$ flows. Attackers can reconstruct communication data properly with only one combination; that is, $C_{f_{\text{real}}}^{f_{\text{real}}} = 1$.

Given that attackers select several flows randomly in a single attempt to reconstruct communication data, the probability of reconstructing the data properly can be calculated with

$$P_{\text{once}} = \frac{C_{f_{\text{real}}}^{f_{\text{real}}}}{C_{f_{\text{sniff}}}^{1} + C_{f_{\text{sniff}}}^{2} + \cdots + C_{f_{\text{sniff}}}^{f_{\text{sniff}}}} = \frac{1}{2^{f_{\text{sniff}}} - 1} \quad (8)$$

As shown in (8), the probability of attackers reconstructing data successfully in a single attempt decreases exponentially with the increase of the number of flows sniffed. The more data is sniffed, the more difficult successful data reconstruction becomes. Since attackers cannot easily determine the timing of the target communication due to end hopping, a longer sniffing time is needed to obtain complete communication data. Therefore, a large amount of irrelevant data is obtained, increasing the difficulty of data reconstruction. Given $f_{\text{sniff}} = 100$ and $f_{\text{real}} = 10$, the probability of attackers reconstructing data correctly by selecting several flows randomly in one attempt would be $7.89 \times 10^{-31}$.

10 Mathematical Problems in Engineering

Table 1: Comparison of packet transmission time between traditional network and DHC network.

Approach      Average cost of packet transmission time   Period of flow update   Routing path
Traditional   $t \times l_s$                             Infinite                The shortest path from source to destination
DHC           $t \times l_a$                             $T_{\text{hop}}$        Multiple paths from source to destination
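As an added worked example of (6), (7) and (8) above (this is not the authors' code), the following Python evaluates both probabilities on a constructed six-node topology, counting $Q^n_{src,dst}$ by enumerating the sniffed sets that contain neither endpoint and checking whether their removal cuts $node_{\text{src}}$ from $node_{\text{dst}}$, and then checks Proposition 1 for every $n$; the graph, its node labels and all function names are assumptions of this example, and the constructed graph is not the Figure 5 topology.

```python
"""Eq. (6), (7) and (8) of the DHC analysis, evaluated on a small constructed
topology. Added illustration; not code from the paper's authors."""
from collections import deque
from fractions import Fraction
from itertools import combinations
from math import comb

# Constructed 6-node topology (NOT the paper's Figure 5 topology): forwarding
# nodes 1..6 joined by undirected links. Node 1 plays node_src, node 6 plays
# node_dst; the shortest paths (1-2-3-6, 1-4-5-6, 1-2-5-6) all have s = 4 nodes.
EDGES = [(1, 2), (2, 3), (3, 6), (1, 4), (4, 5), (5, 6), (2, 5)]


def C(a, k):
    """C_a^k in the paper's notation (k chosen out of a); 0 outside 0 <= k <= a."""
    return comb(a, k) if 0 <= k <= a else 0


def build_adj(edges):
    """Adjacency sets for an undirected graph given as a list of links."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def shortest_path_nodes(adj, src, dst, removed=frozenset()):
    """Number of nodes on a shortest src->dst path that avoids `removed`
    (this is the paper's s when nothing is removed); None if src and dst
    end up in different connected subgraphs."""
    if src in removed or dst in removed:
        return None
    dist = {src: 1}
    queue = deque([src])
    while queue:
        u = queue.popleft()
        if u == dst:
            return dist[u]
        for v in adj[u]:
            if v not in removed and v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return None


def p_traditional(m, n, s):
    """Eq. (6): share of the C_m^n sniffed sets that contain at least one node
    of the s-node shortest path, i.e. that see the whole static flow."""
    return Fraction(C(m, n) - C(m - s, n), C(m, n))


def count_separators(adj, node_src, node_dst, n):
    """Q^n_{src,dst}: n-node sets containing neither endpoint whose removal
    leaves node_src and node_dst in different connected subgraphs."""
    others = [v for v in adj if v not in (node_src, node_dst)]
    return sum(1 for sniffed in combinations(others, n)
               if shortest_path_nodes(adj, node_src, node_dst,
                                      frozenset(sniffed)) is None)


def p_hop(adj, node_src, node_dst, n):
    """Eq. (7): a set containing node_src or node_dst always sees complete
    data; any other set must contain a vertex cut separating the two."""
    m = len(adj)
    endpoint_sets = C(2, 1) * C(m - 2, n - 1) + C(2, 2) * C(m - 2, n - 2)
    q = count_separators(adj, node_src, node_dst, n)
    return Fraction(endpoint_sets + q, C(m, n))


def proposition_1_holds(adj, node_src, node_dst):
    """Check P_traditional >= P_hop for every n in 1..m on this topology."""
    m = len(adj)
    s = shortest_path_nodes(adj, node_src, node_dst)
    return all(p_traditional(m, n, s) >= p_hop(adj, node_src, node_dst, n)
               for n in range(1, m + 1))


def p_once(f_sniff):
    """Eq. (8): exactly one of the 2^f_sniff - 1 non-empty flow subsets is
    the right one, so one random pick succeeds with this probability."""
    return 1.0 / (2 ** f_sniff - 1)


if __name__ == "__main__":
    adj = build_adj(EDGES)
    s = shortest_path_nodes(adj, 1, 6)
    for n in range(1, len(adj) + 1):
        print(n, p_traditional(len(adj), n, s), p_hop(adj, 1, 6, n))
    print("Proposition 1 holds:", proposition_1_holds(adj, 1, 6))
    print(f"P_once for f_sniff = 100: {p_once(100):.3g}")  # 7.89e-31
```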

6.4. Analysis of Unpredictability. Since the end and route hop randomly in DHC (detailed information is given in Section 4.3), the end and route used in the next period cannot be predicted precisely. Even under the condition of exposing the DHC protocol, the end hopping space, and the route hopping space, DHC can still increase the cost of sniffer attackers and resist sniffer attacks. Suppose that an attacker with all the information above sniffs the DHC network for a target communication; then she will face the following difficulties in launching a sniffer attack. Firstly, even though the DHC protocol is transparent to the attacker, a targeted sniffer attack cannot be launched thanks to the randomness of end and route hopping. Secondly, it is hard for the attacker to get complete communication data during sniffing due to the periodical hopping of the route. Thirdly, the attacker will get a large number of ends because of frequent end hopping, which prevents the attacker from extracting the right packets belonging to the target communication when she or he attempts to recover communication data. So the unpredictability of DHC guarantees that it can resist sniffer attack under the condition of exposing the DHC protocol and network information.

6.5. Analysis of Cost. Under traditional routing schemes, the packets are routed along the shortest path. However, in DHC network, packets may be routed along longer paths due to dynamic changing of the route. Therefore, the cost of packet transmission time is higher in DHC. Let $l_s$ denote the length (the length of a routing path is estimated by hops) of the shortest path between source and destination, $l_a$ the average length of paths in the route hopping space ($l_s \le l_a$), and $T_{\text{hop}}$ the hopping period; then the cost of packet transmission time is shown in Table 1. Moreover, random selection of routing is periodically conducted by the routing path hop of a communication, which results in a small number of disordered packets at the receiving end when a new period starts, leaving no obstacles to normal communication.

Ends and routing paths will be selected in DHC when flow entries are generated, which is more complicated than in traditional network. Therefore, the time cost of generating flow entries is higher in DHC. Since the average path is longer in DHC, more flow entries are installed for one communication compared with traditional network. Thus, the time cost for flow entry setup is higher in DHC as well. In Figure 11, the average time cost for installing flow entries between different node pairs in the topology (shown in Figure 5) of DHC and traditional network is compared. As illustrated in Figure 11, the average time for flow entry generation and setup in DHC is longer than that in traditional network.

Figure 11: Comparison of average time cost of flow entries installation in DHC and traditional network. (Plot: x-axis, different node pairs 1→16, 3→11, 4→14, 5→12; y-axis, average time overhead (ms), 0 to 0.25; series, time of flow setup in DHC, time of flow generation in DHC, time of flow setup in traditional network, time of flow generation in traditional network.)

In the network without DHC, flow entries are installed only once at the beginning of communication, while in DHC, flow entries of the data plane are updated periodically and hopping ends and paths have to be allocated for any connection of two communication sides, which brings more load to the controller. In the experiment topology, 50 pairs of source and destination hosts are chosen randomly and communication between all pairs is started. The CPU utilization of DHC and traditional network is compared in Figure 12. If the controller does not run DHC, the load is low because the flow entries are not periodically updated. Therefore, the CPU utilization is under 10%, as shown in Figure 12. If a controller runs DHC, the load increases due to the periodical updating of flow entries. It can be found in the figure that CPU utilization is much higher when the controller runs DHC. When $T_{\text{hop}} = 5$ s, the CPU utilization is between 20% and 40%, and when $T_{\text{hop}} = 10$ s, the CPU utilization is between 10% and 30%. The shorter hopping period entails more controller operations. So when $T_{\text{hop}} = 5$ s, the CPU utilization of a controller is higher than when $T_{\text{hop}} = 10$ s. The controller will be the bottleneck when DHC is used in a large scale network. Fortunately, a distributed SDN controller [30] is a solution to the problem.

Figure 12: CPU utilization of controller. (Plot: x-axis, run time (s), 10 to 100; y-axis, CPU utilization (%), 0 to 60; series, No DHC, DHC with $T_{\text{hop}} = 10$ s, DHC with $T_{\text{hop}} = 5$ s.)

In traditional network, flows are matched only by destination addresses. So the length of routing tables is of the order $O(m)$ given a network of $m$ nodes. However, flows are matched by ends (including source/destination address and ports) in DHC, meaning that two flows must be specified for every connection (TCP or UDP) between two communication sides. Let $\lambda$ denote the average speed of connection establishment and let $w$ denote the lasting time of each connection; then the mean length of flow tables is of the order $O(m\lambda w)$ [7]. Moreover, to avoid packet loss, DHC requires both old and new flow entries in the flow table simultaneously for a brief period of time, during which the cost of flow table space increases. Therefore, the cost of flow table space is higher in DHC.

7. Conclusion

The centralized control and programmability of SDN make hopping communication easier to realize and deploy. In this paper, end hopping and route hopping are combined, and double hopping communication based on SDN is proposed. The end is changed dynamically in DHC so that the data from multiple users is mixed and communication traffic can be hidden in background traffic. So traffic cannot be distinguished easily, and the difficulty for attackers to reconstruct and recover data increases. In addition, the data is transmitted along multiple paths by changing the routing path dynamically, so the difficulty for attackers to obtain complete communication data is increased. Results show that the approach proposed in this paper effectively provides antisniffer protection. Moreover, DHC is realized completely in software and is also transparent to terminals. A controller bottleneck usually occurs in large scale DHC networks. In future work, a distributed controller model will be applied to deal with this problem, and a feasible communication solution of DHC will be tested in a real network.

Appendix

Suppose there are $m$ nodes in network topology $G$. The attacker can sniff $n$ nodes, and the sniffed nodes constitute a sniffed node set $V^n_{\text{sniff}}$ ($|V^n_{\text{sniff}}| = n$, $n \le m$). Given the route hopping space $S^{H_1 \to H_2}_{\text{RH}}$, there are $s$ nodes on the shortest path between source host $H_1$ and destination host $H_2$ ($s \le m$). $V_{\text{cut}}$ is a vertex cut-set by which $G$ is cut into several connected subgraphs, and the source forwarding node $node_{\text{src}}$ and destination forwarding node $node_{\text{dst}}$ are in different subgraphs. Suppose there are $Q^n_{src,dst}$ sniffed node sets $V^n_{\text{sniff}}$ satisfying $V^n_{\text{sniff}} \supseteq V_{\text{cut}}$. The proof that the probability of the attacker obtaining complete communication data in traditional network in one communication is not less than that in DHC, that is, $P_{\text{traditional}} \ge P_{\text{hop}}$, is shown below.

Proof. To verify that $P_{\text{traditional}} \ge P_{\text{hop}}$, we show that $P_{\text{traditional}} - P_{\text{hop}} \ge 0$.

Given $P_{\text{traditional}} = (C_m^n - C_{m-s}^n)/C_m^n$ and $P_{\text{hop}} = (C_2^1 C_{m-2}^{n-1} + C_2^2 C_{m-2}^{n-2} + Q^n_{src,dst})/C_m^n$, we have

$$P_{\text{traditional}} - P_{\text{hop}} = \frac{C_m^n - C_{m-s}^n - \left(C_2^1 C_{m-2}^{n-1} + C_2^2 C_{m-2}^{n-2} + Q^n_{src,dst}\right)}{C_m^n} \quad (\text{A.1})$$

Suppose the shortest path from $H_1$ to $H_2$ is $path^*$ ($path^* \in S^{H_1 \to H_2}_{\text{RH}}$). If the complete communication data from source host to destination host can be sniffed on $V^n_{\text{sniff}}$, then $\forall path \in S^{H_1 \to H_2}_{\text{RH}}$ we have $V^n_{\text{sniff}} \cap Nodes(path) \ne \emptyset$, where $Nodes(path)$ represents the set of nodes that $path$ passes. Because $path^* \in S^{H_1 \to H_2}_{\text{RH}}$, then $V^n_{\text{sniff}} \cap Nodes(path^*) \ne \emptyset$; that is, $V^n_{\text{sniff}}$ contains at least one node on the shortest path (Conclusion 1).

When $n = 1$, the attacker sniffs 1 node in the network. Then, based on (A.1), we have

$$P_{\text{traditional}} - P_{\text{hop}} = \frac{C_m^1 - C_{m-s}^1 - \left(C_2^1 C_{m-2}^{0} + Q^1_{src,dst}\right)}{C_m^1} \quad (\text{A.2})$$

In (A.2), the denominator $C_m^1 > 0$ and the numerator is as follows:

$$C_m^1 - C_{m-s}^1 - \left(C_2^1 C_{m-2}^{0} + Q^1_{src,dst}\right) = m - (m - s) - \left(2 + Q^1_{src,dst}\right) = s - 2 - Q^1_{src,dst} \quad (\text{A.3})$$

By Conclusion 1, $V^1_{\text{sniff}} \cap Nodes(path^*) \ne \emptyset$; that is, the sniffed node is on the shortest path. Among the $s$ nodes on the shortest path, the number of $V^1_{\text{sniff}}$ which can divide the source node and destination node into different connected subgraphs is not more than $s - 2$; that is, $Q^1_{src,dst} \le s - 2$. So $(\text{A.3}) \ge 0$ follows. The numerator of (A.2) is not less than 0; then in (A.2), $P_{\text{traditional}} - P_{\text{hop}} \ge 0$.

When $n \ge 2$, the attacker sniffs more than 1 node in the network. Then, based on (A.1), we have

$$P_{\text{traditional}} - P_{\text{hop}} = \frac{C_m^n - C_{m-s}^n - \left(C_2^1 C_{m-2}^{n-1} + C_2^2 C_{m-2}^{n-2} + Q^n_{src,dst}\right)}{C_m^n} \quad (\text{A.4})$$

In (A.4), the denominator $C_m^n > 0$ and the numerator is as follows:

$$\begin{aligned}
& C_m^n - C_{m-s}^n - \left(C_2^1 C_{m-2}^{n-1} + C_2^2 C_{m-2}^{n-2} + Q^n_{src,dst}\right) \\
&= C_m^n - C_{m-s}^n - 2C_{m-2}^{n-1} - C_{m-2}^{n-2} - Q^n_{src,dst} \\
&= C_{m-2}^n - C_{m-s}^n - Q^n_{src,dst}
\end{aligned} \quad (\text{A.5})$$

According to the definition, $Q^n_{src,dst}$ is the number of those $V^n_{\text{sniff}}$ which can divide $node_{\text{src}}$ and $node_{\text{dst}}$ into different connected subgraphs. So $node_{\text{src}}$ and $node_{\text{dst}}$ do not belong to such $V^n_{\text{sniff}}$. $C_{m-2}^n$ is the number of all $V^n_{\text{sniff}}$ satisfying both $node_{\text{src}} \notin V^n_{\text{sniff}}$ and $node_{\text{dst}} \notin V^n_{\text{sniff}}$. $C_{m-2-(s-2)}^n$ is the number of $V^n_{\text{sniff}}$ satisfying $V^n_{\text{sniff}} \cap Nodes(path^*) = \emptyset$. By Conclusion 1, $V^n_{\text{sniff}} \cap Nodes(path^*) \ne \emptyset$; then $Q^n_{src,dst}$ is not more than $C_{m-2}^n - C_{m-2-(s-2)}^n$. So $(\text{A.5}) \ge 0$ follows. The numerator of (A.4) is not less than 0; then in (A.4), $P_{\text{traditional}} - P_{\text{hop}} \ge 0$.

In conclusion, $P_{\text{traditional}} - P_{\text{hop}} \ge 0$; that is, $P_{\text{traditional}} \ge P_{\text{hop}}$.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work is supported by the National Natural Science Foundation of China (nos. 61379151, 61272489, 61302159, and 61401512) and The National Cryptography Development Fund of China (no. MMJJ201301005), The National Basic Research Program of China (973) (Grants nos. 2012CB315901 and 2013CB329104), and The National Natural Science Foundation of China (Grants nos. 61309019 and 61372121).

References

[1] National Cyber Leap Year Summit 2009 Co-Chairs’ Report, “Networking and information technology research and development,” Tech. Rep., 2009.

[2] T. Cyberspace, Strategic Plan for the Federal Cybersecurity Research and Development Program, Executive Office of the President, National Science and Technology Council, Washington, DC, USA, 2011.

[3] S. Jajodia, A. K. Ghosh, V. Swarup, C. Wang, and X. S. Wang, Moving Target Defense: Creating Asymmetric Uncertainty for Cyber Threats, vol. 54, Springer Science & Business Media, New York, NY, USA, 2011.

[4] E. Al-Shaer, “Toward network configuration randomization for moving target defense,” in Moving Target Defense, vol. 54 of Advances in Information Security, pp. 153–159, Springer, New York, NY, USA, 2011.

[5] P. Kampanakis, H. Perros, and T. Beyene, “SDN-based solutions for Moving Target Defense network protection,” in Proceedings of the 15th IEEE International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM ’14), pp. 1–6, Sydney, Australia, June 2014.

[6] M. Atighetchi, P. Pal, F. Webber, and C. Jones, “Adaptive use of network-centric mechanisms in cyber-defense,” in Proceedings of the 6th IEEE International Symposium on Object-Oriented Real-Time Distributed Computing, pp. 183–192, Hokkaido, Japan, May 2003.

[7] J. H. Jafarian, E. Al-Shaer, and Q. Duan, “Openflow random host mutation: transparent moving target defense using software defined networking,” in Proceedings of the 1st Workshop on Hot Topics in Software Defined Networks (HotSDN ’12), pp. 127–132, ACM, Helsinki, Finland, August 2012.

[8] Q. Duan, E. Al-Shaer, and H. Jafarian, “Efficient Random Route Mutation considering flow and network constraints,” in Proceedings of the IEEE Conference on Communications and Network Security (CNS ’13), pp. 260–268, IEEE, National Harbor, Md, USA, October 2013.

[9] E. Al-Shaer, Q. Duan, and J. H. Jafarian, “Random host mutation for moving target defense,” in Security and Privacy in Communication Networks, pp. 310–327, Springer, New York, NY, USA, 2013.

[10] G. Badishi, A. Herzberg, and I. Keidar, “Keeping denial-of-service attackers in the dark,” IEEE Transactions on Dependable and Secure Computing, vol. 4, no. 3, pp. 191–204, 2007.

[11] H. Wang, Q. Jia, D. Fleck, W. Powell, F. Li, and A. Stavrou, “A moving target DDoS defense mechanism,” Computer Communications, vol. 46, pp. 10–21, 2014.

[12] C.-Y. Hong, S. Kandula, R. Mahajan et al., “Achieving high utilization with software-driven WAN,” ACM SIGCOMM Computer Communication Review, vol. 43, no. 3, pp. 15–26, 2013.

[13] N. McKeown, “Software-defined networking,” INFOCOM Keynote Talk, vol. 17, no. 2, pp. 30–32, 2009.

[14] M. Carvalho and R. Ford, “Moving-target defenses for computer networks,” IEEE Security & Privacy, vol. 12, no. 2, pp. 73–76, 2014.

[15] M. Sifalakis, S. Schmid, and D. Hutchison, “Network address hopping: a mechanism to enhance data protection for packet communications,” in Proceedings of the IEEE International Conference on Communications (ICC ’05), vol. 3, pp. 1518–1523, IEEE, Seoul, Republic of Korea, May 2005.

[16] M. Dunlop, S. Groat, W. Urbanski, R. Marchany, and J. Tront, “MT6D: a moving target IPv6 defense,” in Proceedings of the Military Communications Conference (MILCOM ’11), pp. 1321–1326, IEEE, Baltimore, Md, USA, November 2011.

[17] J. H. Jafarian, E. Al-Shaer, and Q. Duan, “An effective address mutation approach for disrupting reconnaissance attacks,” IEEE Transactions on Information Forensics and Security, vol. 10, no. 12, pp. 2562–2577, 2015.

[18] J. H. H. Jafarian, E. Al-Shaer, and Q. Duan, “Spatio-temporal address mutation for proactive cyber agility against sophisticated attackers,” in Proceedings of the 1st ACM Workshop on Moving Target Defense (MTD ’14), pp. 69–78, Scottsdale, AZ, USA, November 2014.

[19] J. H. Jafarian, E. Al-Shaer, and Q. Duan, “Adversary-aware IP address randomization for proactive agility against sophisticated attackers,” in Proceedings of the IEEE Conference on Computer Communications (INFOCOM ’15), pp. 738–746, IEEE, April 2015.

[20] D. C. MacFarland and C. A. Shue, “The SDN shuffle: creating a moving-target defense using host-based software-defined networking,” in Proceedings of the 2nd ACM Workshop on Moving Target Defense (MTD ’15), pp. 37–41, ACM, Denver, Colo, USA, October 2015.

[21] J. Jafarian, E. Al-Shaer, and Q. Duan, “Formal approach for route agility against persistent attackers,” in Computer Security—ESORICS 2013, J. Crampton, S. Jajodia, and K. Mayes, Eds., vol. 8134 of Lecture Notes in Computer Science, pp. 237–254, Springer, Berlin, Germany, 2013.

[22] S. Dolev and S. T. David, “SDN-based private interconnection,” in Proceedings of the IEEE 13th International Symposium on Network Computing and Applications (NCA ’14), 2014.

[23] F. Gillani, E. Al-Shaer, S. Lo, Q. Duan, M. H. Ammar, and E. W. Zegura, “Agile virtualized infrastructure to proactively defend against cyber attacks,” in Proceedings of the IEEE Conference on Computer Communications (INFOCOM ’15), pp. 729–737, Hong Kong, April-May 2015.

[24] D. Gkounis, V. Kotronis, and X. Dimitropoulos, “Towards defeating the crossfire attack using SDN,” http://arxiv.org/abs/1412.2013.

[25] A. Studer and A. Perrig, “The coremelt attack,” in Computer Security—ESORICS 2009, vol. 5789 of Lecture Notes in Computer Science, pp. 37–52, Springer, Berlin, Germany, 2009.

[26] B. Lantz, B. Heller, and N. McKeown, “A network in a laptop: rapid prototyping for software-defined networks,” in Proceedings of the 9th ACM SIGCOMM Workshop on Hot Topics in Networks, ACM, October 2010.

[27] N. McKeown, T. Anderson, H. Balakrishnan et al., “OpenFlow: enabling innovation in campus networks,” ACM SIGCOMM Computer Communication Review, vol. 38, no. 2, pp. 69–74, 2008.

[28] M. McCauley, “About pox,” 2013, http://www.github.com/noxrepo/pox.

[29] S. De Maesschalck, D. Colle, I. Lievens et al., “Pan-European optical transport networks: an availability-based comparison,” Photonic Network Communications, vol. 5, no. 3, pp. 203–225, 2003.

[30] A. Dixit, F. Hao, S. Mukherjee, T. V. Lakshman, and R. Kompella, “Towards an elastic distributed SDN controller,” ACM SIGCOMM Computer Communication Review, vol. 43, no. 4, pp. 7–12, 2013.


Page 7: Research Article SDN-Based Double Hopping Communication ...a random port-hopping (RPH) scheme was proposed to defend DDoS attacks by changing the communication ports. MTD [], proposed

Mathematical Problems in Engineering 7

12

3

4

5

6

7

8

9

10

11

12

13

14

15

16

Figure 5 Network topology applied in the experiment

0

10

20

30

40

50

60

70

80

90

The n

umbe

r of s

niffe

d en

ds

3 4 5 6 7 8 9 10 11 12 13 14 152Forwarding node

Traditional networkDHCmdashThop = 10 sDHCmdashThop = 5 s

Figure 6 Number of ends sniffed from single flow

is counted In DHC network random path selection andweighted random path selection are applied to conducthopping communication Sniffing results are compared withtraditional network communication as shown in Figure 7

In Figure 7 the vertical coordinate stands for the fractionof all the packets transmitted from node 5 to node 6 Aswe can see in traditional network complete communicationdata from source host to destination host can be sniffed onsome nodes (eg nodes 6 11 and 12) which means thatattackers can sniff complete data on any of the nodes andfurther data analysis is possible Since shortest-path routing isapplied in traditional network and the path stays unchangedduring communication the complete communication data

1 2 3 4 6 7 8 9 10 11 12 13 14 15Forwarding node

DHC with random path selectionDHC with weighted path selectionTraditional network

0

02

04

06

08

1

Frac

tion

of th

e tra

nsm

itted

pac

kets

Figure 7 Percentage of packets sniffed from single flow

can be obtained on any node that the shortest path goesthrough In DHC packets of a connection are distributedto several paths by route hopping It is difficult for attackersto sniff complete data on single forwarding node Possibilityfor sniffing large amount of data on a certain nodes exists ifrandom path selection is applied As shown in Figure 7 morethan 50 of the data can be sniffed on forwarding nodes 48 and 12 Applying weighed random path selection can avoidexcessive traffic passing through certain nodes The reason isthat lower weight is assigned to paths with nodes that morepaths cross

523 Validation of Effectiveness of Antisniffer Attack In theexperiment 100MB data had been transmitted from node 1to node 16 for 500 sThe hopping period119879hop is set to 5 s Datais sniffed on node sets 1198601 = 8 1198602 = 8 9 1198603 = 8 9 10and 1198604 = 8 9 10 11 respectively The shortest path fromnode 1 to node 16 is 1 rarr 4 rarr 7 rarr 8 rarr 12 rarr 16 Thepercentage of data sniffed on node sets119860111986021198603 and1198604 ispresented in Figure 8

As illustrated in Figure 8 complete communication datacan be sniffed on all sniffed node sets 1198601 1198602 1198603 and1198604 in traditional network since they all contain node 8 onthe shortest path on which complete data can be sniffedHowever in DHC complete data cannot be obtained fromnode sets 1198601 1198602 and 1198603 since route hopping is appliedThe percentage of data sniffed on 1198601 and 1198602 is the samebecause traffic passes through1198602 and also passes through1198601Only1198604 can sniff the complete communication data in DHCHowever ends of the data are diverse because of end hoppingWe consider that packetswith the same end are static data thatattackers can obtain The static data that attackers can obtainin hopping communication is far less than that in traditionalnetwork

8 Mathematical Problems in Engineering

A1 A2 A3 A4

The sniffed set

The sniffed data in DHCThe sniffed static data in traditional networkThe sniffed static data in DHC

0

02

04

06

08

10

Frac

tion

of sn

iffed

dat

a

Figure 8 Percentage of data that can be sniffed by attackers

0

200

400

600

800

1000

1200

1400

Dat

a tra

nsm

issio

n tim

e (s)

10 100 200 500 10001The amount of data transmitted (MB)

Traditional networkDHCmdashThop = 10 sDHCmdashThop = 5 s

Figure 9 Performance of forwarding in DHC

524 Performance of DHC In the experiment bandwidthof all connections in network topology is set to 10MbsData is transmitted from terminal on node 1 to terminalon node 16 using File Transfer Protocol (FTP) Time fordata transmission in both DHC and traditional network isrecorded Results are shown in Figure 9

As can be seen in Figure 9 time consumption of datatransmission in DHC increased in comparison with tradi-tional networkThe reason is that multiple paths from sourceto destination are selected including longer paths On thecontrary the data is routed by the shortest path in traditionalnetworkTherefore transmission time in DHC is longer thanthat in traditional network But the increase is less than 7

when119879hop = 5 s in the experiment Routing path hopping of aconnection results in a small amount of disordered packets atreceiving end when new period startsThen retransmission iscausedTherefore themore frequently the entries update flowthe more likely the retransmission happens We can also seefrom Figure 9 that longer time will be consumed to transmitdata when 119879hop = 5 s compared with 119879hop = 10 s

6 Analysis

In DHC each hopping connection needs to occupy hoppingends in every period In Section 61 the number of hoppingconnections that can be supported in DHC network that ishopping network capacity is analyzed DHC brings difficultyfor attackers to obtain complete data and to reconstructdata Therefore communication security is improved Theobtaining and reconstruction of communication data arediscussed in Sections 62 and 63Theunpredictability and thecost of DHC are analyzed in Sections 64 and 65 respectively

61 Capacity of Hopping Network Suppose the sizes ofhopping IP address pool and port pool are |Addr| and |Port|respectivelyThe number of all the ends (IPsrc 119875src IPdst 119875dst)

is |Addr|2 times |Port|2 and the number of the ends is |Addr| times|Port|2 when IPsrc = IPdst According to the definition ofend valid ends require IPsrc = IPdst so the size of valid endhopping space 119878EH can be calculated by

1003816100381610038161003816119878EH1003816100381610038161003816= |Addr|2 times |Port|2 minus |Addr| times |Port|2 (3)

In DHC end hopping is performed in both directions ofone connection which means that at any moment oneconnection needs two ends Assuming 119905 hopping connectionsexist simultaneously in network 2119905 ends will be needed so|119878EH|minus2119905 ends are left To ensure high randomness in hoppingend selection enough unoccupied hopping ends in 119878EH arenecessary Suppose the maximum occupancy rate in endhopping space 119878EH is 120572 that is there are at least (1 minus 120572)|119878EH|ends unoccupied Then inequality (4) holds

(1 minus 120572)1003816100381610038161003816119878EH1003816100381610038161003816le1003816100381610038161003816119878EH1003816100381610038161003816minus 2119905

119905 le

1

2

1205721003816100381610038161003816119878EH1003816100381610038161003816

(4)

Therefore the maximum number of hopping connectionsallowed in DHC is (12)120572|119878EH| that is the capacity ofhopping network is (12)120572|119878EH|

Combining (3) and inequality (4) the following inequal-ity can be obtained

119905 le

1

2

120572 (|Addr|2 times |Port|2 minus |Addr| times |Port|2) (5)

Assume |Port| = 216 |Addr| = 216 (hopping IP address poolis a class B address block) and 120572 = 08 DHC can support737 times 10

18 connections hopping simultaneously

Mathematical Problems in Engineering 9

6.2. Analysis of Complete Communication Data Obtaining by Attackers. We hypothesize that attackers can sniff part of the forwarding nodes in the network randomly. Suppose the network topology $G = \langle V, E \rangle$ is an undirected connected graph, where $V$ is the set of forwarding nodes and $E$ is the set of links. $V$ contains $m$ forwarding nodes, and attackers can randomly sniff $n$ of them simultaneously ($n \le m$). The sniffed node set consisting of these sniffed forwarding nodes is denoted as $V^n_{\mathrm{sniff}}$, with $V^n_{\mathrm{sniff}} \subseteq V$ and $|V^n_{\mathrm{sniff}}| = n$. Source host $\mathit{host}_{\mathrm{src}}$ communicates with destination host $\mathit{host}_{\mathrm{dst}}$. The source and destination forwarding nodes are denoted as $\mathit{node}_{\mathrm{src}}$ and $\mathit{node}_{\mathrm{dst}}$, respectively. Assume there are $s$ nodes on the shortest path between $\mathit{host}_{\mathrm{src}}$ and $\mathit{host}_{\mathrm{dst}}$ ($1 \le s \le m$), which constitute the node set $U_s$. In a traditional network, if $V^n_{\mathrm{sniff}} \cap U_s \ne \emptyset$, the complete communication data between $\mathit{host}_{\mathrm{src}}$ and $\mathit{host}_{\mathrm{dst}}$ can be obtained by attackers; if $V^n_{\mathrm{sniff}} \cap U_s = \emptyset$, no communication data can be sniffed. The probability of attackers obtaining complete communication data in a traditional network can be calculated by (6), where $C^n_m$ is the number of all possible $V^n_{\mathrm{sniff}}$ and $C^n_{m-s}$ is the number of $V^n_{\mathrm{sniff}}$ with $V^n_{\mathrm{sniff}} \cap U_s = \emptyset$, so $C^n_m - C^n_{m-s}$ is the number of $V^n_{\mathrm{sniff}}$ with $V^n_{\mathrm{sniff}} \cap U_s \ne \emptyset$:

$$P_{\mathrm{traditional}} = \frac{C^n_m - C^n_{m-s}}{C^n_m}. \qquad (6)$$

In DHC, attackers can sniff complete data between $\mathit{host}_{\mathrm{src}}$ and $\mathit{host}_{\mathrm{dst}}$ if $\mathit{node}_{\mathrm{src}} \in V^n_{\mathrm{sniff}}$ or $\mathit{node}_{\mathrm{dst}} \in V^n_{\mathrm{sniff}}$. The number of such $V^n_{\mathrm{sniff}}$ is $C^1_2 C^{n-1}_{m-2} + C^2_2 C^{n-2}_{m-2}$. In the other cases, that is, $\mathit{node}_{\mathrm{src}} \notin V^n_{\mathrm{sniff}}$ and $\mathit{node}_{\mathrm{dst}} \notin V^n_{\mathrm{sniff}}$, to sniff complete data a vertex cut-set $V_{\mathrm{cut}}$ must be contained in $V^n_{\mathrm{sniff}}$, and $\mathit{node}_{\mathrm{src}}$ and $\mathit{node}_{\mathrm{dst}}$ must be separated by $V_{\mathrm{cut}}$ into different connected subgraphs; that is, $V^n_{\mathrm{sniff}} \supseteq V_{\mathrm{cut}}$ exists, where $G$ is cut by $V_{\mathrm{cut}}$ into $k$ connected subgraphs $G_1, G_2, \ldots, G_k$ with $\mathit{node}_{\mathrm{src}} \in G_i$, $\mathit{node}_{\mathrm{dst}} \in G_j$, $1 \le i, j \le k$, and $i \ne j$. Suppose there exist $Q^n_{\mathrm{src,dst}}$ sniffed node sets $V^n_{\mathrm{sniff}}$ containing such a $V_{\mathrm{cut}}$. Then the probability of attackers obtaining complete data between $\mathit{host}_{\mathrm{src}}$ and $\mathit{host}_{\mathrm{dst}}$ can be calculated by

$$P_{\mathrm{hop}} = \frac{C^1_2 C^{n-1}_{m-2} + C^2_2 C^{n-2}_{m-2} + Q^n_{\mathrm{src,dst}}}{C^n_m}. \qquad (7)$$

Proposition 1. The probability of attackers obtaining complete data in a traditional network on one communication is not less than that in DHC; that is, $P_{\mathrm{traditional}} \ge P_{\mathrm{hop}}$.

The proof of this proposition is given in the Appendix. In the network topology shown in Figure 5, suppose a host on node 1 communicates with a host on node 16. The shortest path from node 1 to node 16 contains 6 nodes. Attackers can sniff $n$ nodes randomly ($1 \le n \le 16$). The probabilities of attackers obtaining complete data in the traditional network and the DHC network are shown in Figure 10.
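Equations (6) and (7) and Proposition 1 can be checked by exhaustive enumeration of the sniffed node sets. The following is an added example, not code from the paper; it assumes a constructed grid topology (not the paper's Figure 5), that the shortest path includes the source and destination forwarding nodes, and it counts $Q^n_{\mathrm{src,dst}}$ by brute force as the number of size-$n$ sniffed sets, containing neither $\mathit{node}_{\mathrm{src}}$ nor $\mathit{node}_{\mathrm{dst}}$, whose removal disconnects them.

```python
"""Added example (not from the paper): evaluates (6) and (7) on a constructed
topology by enumerating every sniffed node set, and checks Proposition 1.

Assumptions: the topology is a rows x cols grid (constructed for illustration;
it is not the paper's Figure 5); the shortest path counts both endpoint
forwarding nodes; Q^n_{src,dst} is counted by brute force as the number of
size-n sets avoiding src and dst whose removal disconnects them.
"""
from fractions import Fraction
from itertools import combinations
from math import comb


def C(a, b):
    """Binomial coefficient C^b_a in the paper's notation; 0 outside 0 <= b <= a."""
    return comb(a, b) if 0 <= b <= a else 0


def grid_topology(rows, cols):
    """Constructed topology: nodes 1..rows*cols, links to right and down neighbours."""
    nodes = list(range(1, rows * cols + 1))
    adj = {v: set() for v in nodes}
    for r in range(rows):
        for c in range(cols):
            v = r * cols + c + 1
            if c + 1 < cols:
                adj[v].add(v + 1)
                adj[v + 1].add(v)
            if r + 1 < rows:
                adj[v].add(v + cols)
                adj[v + cols].add(v)
    return adj


def reachable(adj, start, removed):
    """Nodes reachable from `start` after deleting the nodes in `removed`."""
    if start in removed:
        return set()
    seen = {start}
    stack = [start]
    while stack:
        v = stack.pop()
        for w in adj[v]:
            if w not in seen and w not in removed:
                seen.add(w)
                stack.append(w)
    return seen


def shortest_path_nodes(adj, src, dst):
    """s: number of nodes on a shortest path from src to dst (BFS hop count + 1)."""
    dist = {src: 1}
    queue = [src]
    for v in queue:
        for w in adj[v]:
            if w not in dist:
                dist[w] = dist[v] + 1
                queue.append(w)
    return dist[dst]


def count_cut_sets(adj, n, src, dst):
    """Q^n_{src,dst}: size-n sniffed sets avoiding src/dst that separate them."""
    others = [v for v in adj if v not in (src, dst)]
    return sum(1 for s in combinations(others, n)
               if dst not in reachable(adj, src, set(s)))


def p_traditional(m, s, n):
    """Equation (6): the sniffed set touches the fixed shortest path."""
    return Fraction(C(m, n) - C(m - s, n), C(m, n))


def p_hop(adj, n, src, dst):
    """Equation (7): src or dst sniffed, or a separating vertex cut sniffed."""
    m = len(adj)
    numerator = (C(2, 1) * C(m - 2, n - 1) + C(2, 2) * C(m - 2, n - 2)
                 + count_cut_sets(adj, n, src, dst))
    return Fraction(numerator, C(m, n))


def compare(adj, src, dst):
    """(n, P_traditional, P_hop) for every n; Proposition 1 says P_hop <= P_traditional."""
    m = len(adj)
    s = shortest_path_nodes(adj, src, dst)
    return [(n, p_traditional(m, s, n), p_hop(adj, n, src, dst))
            for n in range(1, m + 1)]


if __name__ == "__main__":
    grid = grid_topology(4, 4)   # 16 forwarding nodes; host on node 1 talks to node 16
    for n, pt, ph in compare(grid, 1, 16):
        flag = "" if ph <= pt else "  <-- violates Proposition 1"
        print(f"n={n:2d}  P_traditional={float(pt):.3f}  P_hop={float(ph):.3f}{flag}")
```

The gap between the two curves is exactly the count of sniffed sets that touch the shortest path without containing an endpoint or a separating cut, which is the term the Appendix bounds.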

Figure 10: Probability of obtaining complete data (x-axis: the number of monitored nodes, 1 to 16; y-axis: the probability of obtaining complete communication data, 0 to 1; series: DHC and traditional network).

As can be seen from Figure 10, the probability of attackers obtaining complete data increases when the number of sniffed nodes increases, in both the traditional and the DHC network, but $P_{\mathrm{hop}} \le P_{\mathrm{traditional}}$ always holds. The probability of attackers obtaining complete data is 1 in both the traditional and the DHC network when the number of sniffed nodes is more than 10. Although the probability of attackers sniffing complete data increases in the DHC network when a large number of forwarding nodes are sniffed, attackers also obtain more irrelevant data. Since the end hops constantly during a communication, attackers cannot easily pick out the traffic that belongs to the target from the sniffed data, which increases the difficulty for attackers to reconstruct and recover the communication data.

6.3. Analysis of Communication Data Reconstruction for Attackers. Reconstruction of communication data requires the complete data of this communication. In this section, assume attackers can sniff the complete data of the communication between the source and destination hosts. In a traditional network, attackers can deduce the positions of both communicating sides and the upper layer protocol from the IP addresses and ports of the sniffed packets. Useless packets can be eliminated based on the end, and the target communication data can be obtained. However, in a DHC network, no real end of the source and destination hosts can be sniffed by attackers if the source and destination forwarding nodes are not sniffed. The data of a communication is distributed over various flows that attackers are not able to distinguish. Suppose that there are $f_{\mathrm{sniff}}$ flows in the sniffed data, among which $f_{\mathrm{real}}$ flows contain the data of the target connections ($f_{\mathrm{real}} \le f_{\mathrm{sniff}}$), and different ends are applied in different connections. There are $C^h_{f_{\mathrm{sniff}}}$ combinations when attackers randomly choose $h$ flows from the $f_{\mathrm{sniff}}$ flows. Attackers can reconstruct the communication data properly with only one combination; that is, $C^{f_{\mathrm{real}}}_{f_{\mathrm{real}}} = 1$.

Given that attackers select several flows randomly in a single attempt to reconstruct the communication data, the probability of reconstructing the data properly can be calculated with

$$P_{\mathrm{once}} = \frac{C^{f_{\mathrm{real}}}_{f_{\mathrm{real}}}}{C^1_{f_{\mathrm{sniff}}} + C^2_{f_{\mathrm{sniff}}} + \cdots + C^{f_{\mathrm{sniff}}}_{f_{\mathrm{sniff}}}} = \frac{1}{2^{f_{\mathrm{sniff}}} - 1}. \qquad (8)$$

As shown in (8), the probability of attackers reconstructing the data successfully in a single attempt decreases exponentially with the number of flows sniffed: the more data sniffed, the harder successful data reconstruction becomes. Since attackers cannot easily determine the timing of the target communication due to end hopping, a longer sniffing time is needed to obtain the complete communication data. Therefore, a large amount of irrelevant data is obtained, increasing the difficulty of data reconstruction. Given $f_{\mathrm{sniff}} = 100$ and $f_{\mathrm{real}} = 10$, the probability of attackers reconstructing the data correctly by selecting several flows randomly in one attempt would be $7.89 \times 10^{-31}$.

Table 1: Comparison of packet transmission time between traditional network and DHC network.

| Approach | Average cost of packet transmission time | Period of flow update | Routing path |
| --- | --- | --- | --- |
| Traditional | $t \times l_s$ | Infinite | The shortest path from source to destination |
| DHC | $t \times l_a$ | $T_{\mathrm{hop}}$ | Multiple paths from source to destination |

6.4. Analysis of Unpredictability. Since the end and route hop randomly in DHC (detailed in Section 4.3), the end and route used in the next period cannot be predicted precisely. Even when the DHC protocol, the end hopping space, and the route hopping space are exposed, DHC can still increase the cost for sniffer attackers and resist sniffer attacks. Suppose that an attacker with all the information above sniffs the DHC network for a target communication; then she will face the following difficulties in launching a sniffer attack. Firstly, even though the DHC protocol is transparent to the attacker, a targeted sniffer attack cannot be launched, thanks to the randomness of end and route hopping. Secondly, it is hard for the attacker to get the complete communication data during sniffing, due to the periodic hopping of the route. Thirdly, the attacker will see a large number of ends because of frequent end hopping, which prevents the attacker from extracting the right packets belonging to the target communication when she or he attempts to recover the communication data. So the unpredictability of DHC guarantees that it can resist sniffer attack even when the DHC protocol and network information are exposed.

6.5. Analysis of Cost. Under traditional routing schemes, packets are routed along the shortest path. However, in a DHC network packets may be routed along longer paths due to the dynamic change of the route. Therefore, the cost of packet transmission time is higher in DHC. Let $l_s$ denote the length (the length of a routing path is measured in hops) of the shortest path between source and destination, $l_a$ the average length of the paths in the route hopping space ($l_s \le l_a$), and $T_{\mathrm{hop}}$ the hopping period; then the cost of packet transmission time is shown in Table 1. Moreover, random selection of the route is conducted periodically by the routing path hop of a communication, which results in a small number of disordered packets at the receiving end when a new period starts, leaving no obstacle to normal communication.

Ends and routing paths are selected in DHC when flow entries are generated, which is more complicated than in a traditional network. Therefore, the time cost of generating flow entries is higher in DHC. Since the average path is longer in DHC, more flow entries are installed for one communication compared with a traditional network. Thus, the time cost for flow entry setup is higher in DHC as well. In Figure 11, the average time cost for installing flow entries between different node pairs in the topology (shown in Figure 5) of DHC and the traditional network is compared. As illustrated in Figure 11, the average time for flow entry generation and setup in DHC is longer than that in the traditional network.

Figure 11: Comparison of average time cost of flow entry installation in DHC and traditional network (x-axis: different node pairs 1→16, 3→11, 4→14, 5→12; y-axis: average time overhead (ms), 0 to 0.25; series: time of flow setup in DHC, time of flow generation in DHC, time of flow setup in traditional network, time of flow generation in traditional network).

In the network without DHC, flow entries are installed only once at the beginning of a communication, while in DHC the flow entries of the data plane are updated periodically, and hopping ends and paths have to be allocated for every connection between two communicating sides, which brings more load to the controller. In the experiment topology, 50 pairs of source and destination hosts are chosen randomly, and communication between each pair is started. The CPU utilization of DHC and the traditional network is compared in Figure 12. If the controller does not run DHC, the load is low because the flow entries are not periodically updated; therefore, the CPU utilization is under 10%, as shown in Figure 12. If the controller runs DHC, the load increases due to the periodic updating of flow entries. It can be seen in the figure that CPU utilization is much higher when the controller runs DHC. When $T_{\mathrm{hop}} = 5$ s, the CPU utilization is between 20% and 40%, and when $T_{\mathrm{hop}} = 10$ s the CPU utilization is between 10% and 30%. The shorter hopping period requires more controller operations, so when $T_{\mathrm{hop}} = 5$ s the CPU utilization of the controller is higher than when $T_{\mathrm{hop}} = 10$ s. The controller will be the bottleneck when DHC is used in a large-scale network. Fortunately, a distributed SDN controller [30] is a solution to this problem.

Figure 12: CPU utilization of the controller (x-axis: run time (s), 10 to 100; y-axis: CPU utilization (%), 0 to 60; series: No DHC, DHC with $T_{\mathrm{hop}} = 10$ s, DHC with $T_{\mathrm{hop}} = 5$ s).

In a traditional network, flows are matched only by destination address, so the length of the routing tables is of order $O(m)$ for a network of $m$ nodes. However, flows are matched by ends (including source/destination addresses and ports) in DHC, meaning that two flows must be specified for every connection (TCP or UDP) between two communicating sides. Let $\lambda$ denote the average rate of connection establishment and $w$ the duration of each connection; then the mean length of the flow tables is of order $O(m\lambda w)$ [7]. Moreover, to avoid packet loss, DHC requires both the old and the new flow entries to be present in the flow table simultaneously for a brief period of time, during which the cost of flow table space increases. Therefore, the cost of flow table space is higher in DHC.

7. Conclusion

The centralized control and programmability of SDN make hopping communication easier to realize and deploy. In this paper, end hopping and route hopping are combined, and double hopping communication based on SDN is proposed. The end is changed dynamically in DHC, so that the data from multiple users is mixed and the communication traffic can be hidden in background traffic. Thus the traffic cannot be distinguished easily, and the difficulty for attackers to reconstruct and recover data increases. In addition, the data is transmitted along multiple paths by changing the routing path dynamically, which increases the difficulty for attackers to obtain complete communication data. Results show that the approach proposed in this paper is effective against sniffer attack. Moreover, DHC is realized completely in software and is transparent to terminals. A controller bottleneck usually occurs in a large-scale DHC network. In future work, a distributed controller model will be applied to deal with this problem, and a feasible communication solution of DHC will be tested in a real network.

Appendix

Suppose there are $m$ nodes in the network topology $G$. The attacker can sniff $n$ nodes, and the sniffed nodes constitute a sniffed node set $V^n_{\mathrm{sniff}}$ ($|V^n_{\mathrm{sniff}}| = n$, $n \le m$). Given the route hopping space $S^{H_1 \to H_2}_{\mathrm{RH}}$, there are $s$ nodes on the shortest path between source host $H_1$ and destination host $H_2$ ($s \le m$). $V_{\mathrm{cut}}$ is a vertex cut-set by which $G$ is cut into several connected subgraphs such that the source forwarding node $\mathit{node}_{\mathrm{src}}$ and the destination forwarding node $\mathit{node}_{\mathrm{dst}}$ are in different subgraphs. Suppose there are $Q^n_{\mathrm{src,dst}}$ sniffed node sets $V^n_{\mathrm{sniff}}$ satisfying $V^n_{\mathrm{sniff}} \supseteq V_{\mathrm{cut}}$. The proof that the probability of the attacker obtaining complete communication data in a traditional network in one communication is not less than that in DHC, that is, $P_{\mathrm{traditional}} \ge P_{\mathrm{hop}}$, is given below.

Proof. To verify that $P_{\mathrm{traditional}} \ge P_{\mathrm{hop}}$, we show that $P_{\mathrm{traditional}} - P_{\mathrm{hop}} \ge 0$.

Given $P_{\mathrm{traditional}} = (C^n_m - C^n_{m-s})/C^n_m$ and $P_{\mathrm{hop}} = (C^1_2 C^{n-1}_{m-2} + C^2_2 C^{n-2}_{m-2} + Q^n_{\mathrm{src,dst}})/C^n_m$, we have

$$P_{\mathrm{traditional}} - P_{\mathrm{hop}} = \frac{C^n_m - C^n_{m-s} - \bigl(C^1_2 C^{n-1}_{m-2} + C^2_2 C^{n-2}_{m-2} + Q^n_{\mathrm{src,dst}}\bigr)}{C^n_m}. \qquad (\mathrm{A.1})$$

Suppose the shortest path from $H_1$ to $H_2$ is $\mathit{path}^*$ ($\mathit{path}^* \in S^{H_1 \to H_2}_{\mathrm{RH}}$). If the complete communication data from the source host to the destination host can be sniffed on $V^n_{\mathrm{sniff}}$, then for all $\mathit{path} \in S^{H_1 \to H_2}_{\mathrm{RH}}$ we have $V^n_{\mathrm{sniff}} \cap \mathit{Nodes}(\mathit{path}) \ne \emptyset$, where $\mathit{Nodes}(\mathit{path})$ represents the set of nodes that $\mathit{path}$ passes. Because $\mathit{path}^* \in S^{H_1 \to H_2}_{\mathrm{RH}}$, $V^n_{\mathrm{sniff}} \cap \mathit{Nodes}(\mathit{path}^*) \ne \emptyset$; that is, $V^n_{\mathrm{sniff}}$ contains at least one node on the shortest path (Conclusion 1).

When $n = 1$, the attacker sniffs 1 node in the network. Then, based on (A.1), we have

$$P_{\mathrm{traditional}} - P_{\mathrm{hop}} = \frac{C^1_m - C^1_{m-s} - \bigl(C^1_2 C^0_{m-2} + Q^1_{\mathrm{src,dst}}\bigr)}{C^1_m}. \qquad (\mathrm{A.2})$$

In (A.2) the denominator $C^1_m > 0$, and the numerator is as follows:

$$C^1_m - C^1_{m-s} - \bigl(C^1_2 C^0_{m-2} + Q^1_{\mathrm{src,dst}}\bigr) = m - (m - s) - \bigl(2 + Q^1_{\mathrm{src,dst}}\bigr) = s - 2 - Q^1_{\mathrm{src,dst}}. \qquad (\mathrm{A.3})$$

By Conclusion 1, $V^1_{\mathrm{sniff}} \cap \mathit{Nodes}(\mathit{path}^*) \ne \emptyset$; that is, the sniffed node is on the shortest path. Among the $s$ nodes on the shortest path, the number of $V^1_{\mathrm{sniff}}$ which can divide the source node and the destination node into different connected subgraphs is not more than $s - 2$; that is, $Q^1_{\mathrm{src,dst}} \le s - 2$. So (A.3) $\ge 0$. The numerator of (A.2) is not less than 0; hence, in (A.2), $P_{\mathrm{traditional}} - P_{\mathrm{hop}} \ge 0$.

When $n \ge 2$, the attacker sniffs more than 1 node in the network. Then, based on (A.1), we have

$$P_{\mathrm{traditional}} - P_{\mathrm{hop}} = \frac{C^n_m - C^n_{m-s} - \bigl(C^1_2 C^{n-1}_{m-2} + C^2_2 C^{n-2}_{m-2} + Q^n_{\mathrm{src,dst}}\bigr)}{C^n_m}. \qquad (\mathrm{A.4})$$

In (A.4) the denominator $C^n_m > 0$, and the numerator is as follows:

$$\begin{aligned}
& C^n_m - C^n_{m-s} - \bigl(C^1_2 C^{n-1}_{m-2} + C^2_2 C^{n-2}_{m-2} + Q^n_{\mathrm{src,dst}}\bigr) \\
&= C^n_m - C^n_{m-s} - 2C^{n-1}_{m-2} - C^{n-2}_{m-2} - Q^n_{\mathrm{src,dst}} \\
&= C^n_{m-2} - C^n_{m-s} - Q^n_{\mathrm{src,dst}}.
\end{aligned} \qquad (\mathrm{A.5})$$

By definition, $Q^n_{\mathrm{src,dst}}$ is the number of those $V^n_{\mathrm{sniff}}$ which can divide $\mathit{node}_{\mathrm{src}}$ and $\mathit{node}_{\mathrm{dst}}$ into different connected subgraphs, so $\mathit{node}_{\mathrm{src}}$ and $\mathit{node}_{\mathrm{dst}}$ do not belong to such $V^n_{\mathrm{sniff}}$. $C^n_{m-2}$ is the number of all $V^n_{\mathrm{sniff}}$ satisfying both $\mathit{node}_{\mathrm{src}} \notin V^n_{\mathrm{sniff}}$ and $\mathit{node}_{\mathrm{dst}} \notin V^n_{\mathrm{sniff}}$, and $C^n_{m-2-(s-2)}$ is the number of such $V^n_{\mathrm{sniff}}$ satisfying $V^n_{\mathrm{sniff}} \cap \mathit{Nodes}(\mathit{path}^*) = \emptyset$. By Conclusion 1, $V^n_{\mathrm{sniff}} \cap \mathit{Nodes}(\mathit{path}^*) \ne \emptyset$, so $Q^n_{\mathrm{src,dst}}$ is not more than $C^n_{m-2} - C^n_{m-2-(s-2)}$. So (A.5) $\ge 0$. The numerator of (A.4) is not less than 0; hence, in (A.4), $P_{\mathrm{traditional}} - P_{\mathrm{hop}} \ge 0$.

In conclusion, $P_{\mathrm{traditional}} - P_{\mathrm{hop}} \ge 0$; that is, $P_{\mathrm{traditional}} \ge P_{\mathrm{hop}}$.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work is supported by the National Natural Science Foundation of China (nos. 61379151, 61272489, 61302159, and 61401512) and the National Cryptography Development Fund of China (no. MMJJ201301005), the National Basic Research Program of China (973) (Grants nos. 2012CB315901 and 2013CB329104), and the National Natural Science Foundation of China (Grants nos. 61309019 and 61372121).

References

[1] National Cyber Leap Year Summit 2009 Co-Chairs' Report, "Networking and information technology research and development," Tech. Rep., 2009.

[2] T. Cyberspace, Strategic Plan for the Federal Cybersecurity Research and Development Program, Executive Office of the President, National Science and Technology Council, Washington, DC, USA, 2011.

[3] S. Jajodia, A. K. Ghosh, V. Swarup, C. Wang, and X. S. Wang, Moving Target Defense: Creating Asymmetric Uncertainty for Cyber Threats, vol. 54, Springer Science & Business Media, New York, NY, USA, 2011.

[4] E. Al-Shaer, "Toward network configuration randomization for moving target defense," in Moving Target Defense, vol. 54 of Advances in Information Security, pp. 153–159, Springer, New York, NY, USA, 2011.

[5] P. Kampanakis, H. Perros, and T. Beyene, "SDN-based solutions for Moving Target Defense network protection," in Proceedings of the 15th IEEE International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM '14), pp. 1–6, Sydney, Australia, June 2014.

[6] M. Atighetchi, P. Pal, F. Webber, and C. Jones, "Adaptive use of network-centric mechanisms in cyber-defense," in Proceedings of the 6th IEEE International Symposium on Object-Oriented Real-Time Distributed Computing, pp. 183–192, Hokkaido, Japan, May 2003.

[7] J. H. Jafarian, E. Al-Shaer, and Q. Duan, "Openflow random host mutation: transparent moving target defense using software defined networking," in Proceedings of the 1st Workshop on Hot Topics in Software Defined Networks (HotSDN '12), pp. 127–132, ACM, Helsinki, Finland, August 2012.

[8] Q. Duan, E. Al-Shaer, and H. Jafarian, "Efficient Random Route Mutation considering flow and network constraints," in Proceedings of the IEEE Conference on Communications and Network Security (CNS '13), pp. 260–268, IEEE, National Harbor, Md, USA, October 2013.

[9] E. Al-Shaer, Q. Duan, and J. H. Jafarian, "Random host mutation for moving target defense," in Security and Privacy in Communication Networks, pp. 310–327, Springer, New York, NY, USA, 2013.

[10] G. Badishi, A. Herzberg, and I. Keidar, "Keeping denial-of-service attackers in the dark," IEEE Transactions on Dependable and Secure Computing, vol. 4, no. 3, pp. 191–204, 2007.

[11] H. Wang, Q. Jia, D. Fleck, W. Powell, F. Li, and A. Stavrou, "A moving target DDoS defense mechanism," Computer Communications, vol. 46, pp. 10–21, 2014.

[12] C.-Y. Hong, S. Kandula, R. Mahajan et al., "Achieving high utilization with software-driven WAN," ACM SIGCOMM Computer Communication Review, vol. 43, no. 3, pp. 15–26, 2013.

[13] N. McKeown, "Software-defined networking," INFOCOM Keynote Talk, vol. 17, no. 2, pp. 30–32, 2009.

[14] M. Carvalho and R. Ford, "Moving-target defenses for computer networks," IEEE Security & Privacy, vol. 12, no. 2, pp. 73–76, 2014.

[15] M. Sifalakis, S. Schmid, and D. Hutchison, "Network address hopping: a mechanism to enhance data protection for packet communications," in Proceedings of the IEEE International Conference on Communications (ICC '05), vol. 3, pp. 1518–1523, IEEE, Seoul, Republic of Korea, May 2005.

[16] M. Dunlop, S. Groat, W. Urbanski, R. Marchany, and J. Tront, "MT6D: a moving target IPv6 defense," in Proceedings of the Military Communications Conference (MILCOM '11), pp. 1321–1326, IEEE, Baltimore, Md, USA, November 2011.

[17] J. H. Jafarian, E. Al-Shaer, and Q. Duan, "An effective address mutation approach for disrupting reconnaissance attacks," IEEE Transactions on Information Forensics and Security, vol. 10, no. 12, pp. 2562–2577, 2015.

[18] J. H. H. Jafarian, E. Al-Shaer, and Q. Duan, "Spatio-temporal address mutation for proactive cyber agility against sophisticated attackers," in Proceedings of the 1st ACM Workshop on Moving Target Defense (MTD '14), pp. 69–78, Scottsdale, AZ, USA, November 2014.

[19] J. H. Jafarian, E. Al-Shaer, and Q. Duan, "Adversary-aware IP address randomization for proactive agility against sophisticated attackers," in Proceedings of the IEEE Conference on Computer Communications (INFOCOM '15), pp. 738–746, IEEE, April 2015.

[20] D. C. MacFarland and C. A. Shue, "The SDN shuffle: creating a moving-target defense using host-based software-defined networking," in Proceedings of the 2nd ACM Workshop on Moving Target Defense (MTD '15), pp. 37–41, ACM, Denver, Colo, USA, October 2015.

[21] J. Jafarian, E. Al-Shaer, and Q. Duan, "Formal approach for route agility against persistent attackers," in Computer Security—ESORICS 2013, J. Crampton, S. Jajodia, and K. Mayes, Eds., vol. 8134 of Lecture Notes in Computer Science, pp. 237–254, Springer, Berlin, Germany, 2013.

[22] S. Dolev and S. T. David, "SDN-based private interconnection," in Proceedings of the IEEE 13th International Symposium on Network Computing and Applications (NCA '14), 2014.

[23] F. Gillani, E. Al-Shaer, S. Lo, Q. Duan, M. H. Ammar, and E. W. Zegura, "Agile virtualized infrastructure to proactively defend against cyber attacks," in Proceedings of the IEEE Conference on Computer Communications (INFOCOM '15), pp. 729–737, Hong Kong, April–May 2015.

[24] D. Gkounis, V. Kotronis, and X. Dimitropoulos, "Towards defeating the crossfire attack using SDN," http://arxiv.org/abs/1412.2013.

[25] A. Studer and A. Perrig, "The coremelt attack," in Computer Security—ESORICS 2009, vol. 5789 of Lecture Notes in Computer Science, pp. 37–52, Springer, Berlin, Germany, 2009.

[26] B. Lantz, B. Heller, and N. McKeown, "A network in a laptop: rapid prototyping for software-defined networks," in Proceedings of the 9th ACM SIGCOMM Workshop on Hot Topics in Networks, ACM, October 2010.

[27] N. McKeown, T. Anderson, H. Balakrishnan et al., "OpenFlow: enabling innovation in campus networks," ACM SIGCOMM Computer Communication Review, vol. 38, no. 2, pp. 69–74, 2008.

[28] M. McCauley, "About pox," 2013, http://www.github.com/noxrepo/pox.

[29] S. De Maesschalck, D. Colle, I. Lievens et al., "Pan-European optical transport networks: an availability-based comparison," Photonic Network Communications, vol. 5, no. 3, pp. 203–225, 2003.

[30] A. Dixit, F. Hao, S. Mukherjee, T. V. Lakshman, and R. Kompella, "Towards an elastic distributed SDN controller," ACM SIGCOMM Computer Communication Review, vol. 43, no. 4, pp. 7–12, 2013.


Figure 8: Percentage of data that can be sniffed by attackers (x-axis: the sniffed set, A1 to A4; y-axis: fraction of sniffed data, 0 to 1.0; series: the sniffed data in DHC, the sniffed static data in traditional network, the sniffed static data in DHC).

Figure 9: Performance of forwarding in DHC (x-axis: the amount of data transmitted (MB): 1, 10, 100, 200, 500, 1000; y-axis: data transmission time (s), 0 to 1400; series: traditional network, DHC with $T_{\mathrm{hop}} = 10$ s, DHC with $T_{\mathrm{hop}} = 5$ s).

5.2.4. Performance of DHC. In the experiment, the bandwidth of all connections in the network topology is set to 10 Mb/s. Data is transmitted from the terminal on node 1 to the terminal on node 16 using the File Transfer Protocol (FTP). The time for data transmission in both DHC and the traditional network is recorded. The results are shown in Figure 9.

As can be seen in Figure 9, the time consumption of data transmission in DHC increased in comparison with the traditional network. The reason is that multiple paths from source to destination are selected, including longer paths; in contrast, the data is routed along the shortest path in the traditional network. Therefore, transmission time in DHC is longer than that in the traditional network, but the increase is less than 7% when $T_{\mathrm{hop}} = 5$ s in the experiment. Routing path hopping of a connection results in a small amount of disordered packets at the receiving end when a new period starts, which then causes retransmission. Therefore, the more frequently the flow entries are updated, the more likely retransmission happens. We can also see from Figure 9 that a longer time is consumed to transmit data when $T_{\mathrm{hop}} = 5$ s compared with $T_{\mathrm{hop}} = 10$ s.

6. Analysis

In DHC, each hopping connection needs to occupy hopping ends in every period. In Section 6.1, the number of hopping connections that can be supported in a DHC network, that is, the hopping network capacity, is analyzed. DHC makes it difficult for attackers to obtain complete data and to reconstruct data; therefore, communication security is improved. The obtaining and reconstruction of communication data are discussed in Sections 6.2 and 6.3. The unpredictability and the cost of DHC are analyzed in Sections 6.4 and 6.5, respectively.

6.1. Capacity of Hopping Network. Suppose the sizes of the hopping IP address pool and port pool are $|\mathrm{Addr}|$ and $|\mathrm{Port}|$, respectively. The number of all ends $(\mathrm{IP}_{\mathrm{src}}, P_{\mathrm{src}}, \mathrm{IP}_{\mathrm{dst}}, P_{\mathrm{dst}})$ is $|\mathrm{Addr}|^2 \times |\mathrm{Port}|^2$, and the number of ends with $\mathrm{IP}_{\mathrm{src}} = \mathrm{IP}_{\mathrm{dst}}$ is $|\mathrm{Addr}| \times |\mathrm{Port}|^2$. According to the definition of an end, valid ends require $\mathrm{IP}_{\mathrm{src}} \ne \mathrm{IP}_{\mathrm{dst}}$, so the size of the valid end hopping space $S_{\mathrm{EH}}$ can be calculated by

$$|S_{\mathrm{EH}}| = |\mathrm{Addr}|^2 \times |\mathrm{Port}|^2 - |\mathrm{Addr}| \times |\mathrm{Port}|^2. \qquad (3)$$

In DHC end hopping is performed in both directions ofone connection which means that at any moment oneconnection needs two ends Assuming 119905 hopping connectionsexist simultaneously in network 2119905 ends will be needed so|119878EH|minus2119905 ends are left To ensure high randomness in hoppingend selection enough unoccupied hopping ends in 119878EH arenecessary Suppose the maximum occupancy rate in endhopping space 119878EH is 120572 that is there are at least (1 minus 120572)|119878EH|ends unoccupied Then inequality (4) holds

(1 minus 120572)1003816100381610038161003816119878EH1003816100381610038161003816le1003816100381610038161003816119878EH1003816100381610038161003816minus 2119905

119905 le

1

2

1205721003816100381610038161003816119878EH1003816100381610038161003816

(4)

Therefore the maximum number of hopping connectionsallowed in DHC is (12)120572|119878EH| that is the capacity ofhopping network is (12)120572|119878EH|

Combining (3) and inequality (4) the following inequal-ity can be obtained

119905 le

1

2

120572 (|Addr|2 times |Port|2 minus |Addr| times |Port|2) (5)

Assume |Port| = 216 |Addr| = 216 (hopping IP address poolis a class B address block) and 120572 = 08 DHC can support737 times 10

18 connections hopping simultaneously

62 Analysis of Complete Communication Data Obtaining byAttackers We hypothesize that attackers can sniff part of the

Mathematical Problems in Engineering 9

forwarding nodes in network randomly Suppose networktopology119866 = ⟨119881 119864⟩ is an undirected connected graph where119881 is a set of forwarding nodes and 119864 is a set of links 119881contains 119898 forwarding nodes and attackers can randomlysniff 119899 of them simultaneously (119899 le 119898) Sniffed node setconsisting of these sniffed forwarding nodes is denoted as119881119899

sniff 119881119899

sniff sube 119881 and |119881119899sniff | = 119899Source host ℎ119900119904119905src communicates with destination host

ℎ119900119904119905dst Source and destination forwarding nodes are denotedas 119899119900119889119890src and 119899119900119889119890dst respectively Assume there are 119904 nodeson the shortest path between ℎ119900119904119905src and ℎ119900119904119905dst (1 le 119904 le119898) which constitute node set 119880119904 In traditional network if119881119899

listen cap 119880119904= complete communication data between

ℎ119900119904119905src and ℎ119900119904119905dst can be obtained by attackers If 119881119899listen cap119880119904= no communication data can be sniffed The

The probability of attackers obtaining complete communication data in a traditional network can be calculated by (6), where $C_m^n$ is the number of all $V^{n}_{\mathrm{sniff}}$ and $C_{m-s}^n$ is the number of $V^{n}_{\mathrm{sniff}}$ with $V^{n}_{\mathrm{sniff}} \cap U_s = \emptyset$. So $C_m^n - C_{m-s}^n$ represents the number of $V^{n}_{\mathrm{sniff}}$ with $V^{n}_{\mathrm{sniff}} \cap U_s \ne \emptyset$:

$$P_{\mathrm{traditional}} = \frac{C_m^n - C_{m-s}^n}{C_m^n}. \qquad (6)$$

In DHC, attackers can sniff complete data between $host_{\mathrm{src}}$ and $host_{\mathrm{dst}}$ if $node_{\mathrm{src}} \in V^{n}_{\mathrm{sniff}}$ or $node_{\mathrm{dst}} \in V^{n}_{\mathrm{sniff}}$. The number of such $V^{n}_{\mathrm{sniff}}$ is $C_2^1 C_{m-2}^{n-1} + C_2^2 C_{m-2}^{n-2}$. In the other cases, if $node_{\mathrm{src}} \notin V^{n}_{\mathrm{sniff}}$ and $node_{\mathrm{dst}} \notin V^{n}_{\mathrm{sniff}}$, then to sniff complete data one vertex cut-set $V_{\mathrm{cut}}$ must be contained in $V^{n}_{\mathrm{sniff}}$, and $node_{\mathrm{src}}$ and $node_{\mathrm{dst}}$ must be cut by $V_{\mathrm{cut}}$ into different connected subgraphs; that is, $V^{n}_{\mathrm{sniff}} \supseteq V_{\mathrm{cut}}$ exists, where $G$ is cut by $V_{\mathrm{cut}}$ into $k$ connected subgraphs $G_1, G_2, \ldots, G_k$, and $node_{\mathrm{src}} \in G_i$ and $node_{\mathrm{dst}} \in G_j$ with $1 \le i, j \le k$ and $i \ne j$ hold. Suppose there exist $Q^{n}_{\mathrm{src},\mathrm{dst}}$ sniffed node sets $V^{n}_{\mathrm{sniff}}$ containing such a $V_{\mathrm{cut}}$ in this case. Then the probability of attackers obtaining complete data between $host_{\mathrm{src}}$ and $host_{\mathrm{dst}}$ can be calculated by

$$P_{\mathrm{hop}} = \frac{C_2^1 C_{m-2}^{n-1} + C_2^2 C_{m-2}^{n-2} + Q^{n}_{\mathrm{src},\mathrm{dst}}}{C_m^n}. \qquad (7)$$

Proposition 1. The probability of attackers obtaining complete data in a traditional network on one communication is not less than that in DHC; that is, $P_{\mathrm{traditional}} \ge P_{\mathrm{hop}}$.

The proof of this proposition is given in the Appendix. In the network topology shown in Figure 5, suppose a host on node 1 communicates with a host on node 16. The shortest path from node 1 to node 16 contains 6 nodes. Attackers can sniff $n$ nodes randomly ($1 \le n \le 16$). The probabilities of attackers obtaining complete data in the traditional network and in the DHC network are shown in Figure 10.
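The counting arguments behind (6) and (7) are easy to check exhaustively on a small graph. The Python script below is an added worked example, not code from the paper or its authors. It uses a constructed 7-node topology (not the paper's Figure 5 topology, which is not reproduced here) with the source host attached to node 0 and the destination host to node 3; for every $n$ it evaluates $P_{\mathrm{traditional}}$ from (6) and $P_{\mathrm{hop}}$ from (7), compares both closed forms with a brute-force count over all $n$-node sniffed sets (traditional: the set touches the fixed shortest path $U_s$; DHC: an endpoint node is sniffed or the set is a vertex cut separating $node_{\mathrm{src}}$ from $node_{\mathrm{dst}}$), and verifies the bound $Q^{n}_{\mathrm{src},\mathrm{dst}} \le C_{m-2}^{n} - C_{m-s}^{n}$ on which the Appendix proof rests. All helper names (`adjacency`, `separated`, `count_q`, `check_proposition_1`, and so on) are this example's own.

```python
"""Added worked example (not from the paper): equations (6) and (7) and
Proposition 1 checked by exhaustive enumeration on a small constructed graph."""
from fractions import Fraction
from itertools import combinations
from math import comb

# Constructed 7-node undirected topology, NOT the paper's Figure 5:
# ring 0-1-2-3-4-5-0, chord 1-4, pendant node 6 hanging off node 3.
SAMPLE_EDGES = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 5), (5, 0), (1, 4), (3, 6)]


def adjacency(edges):
    """Undirected adjacency sets built from an edge list."""
    adj = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj


def c(a, b):
    """Binomial coefficient C_a^b in the paper's notation (a choose b);
    zero when b is out of range, so terms such as C_{m-2}^{n-2} vanish for n = 1."""
    return comb(a, b) if 0 <= b <= a else 0


def separated(adj, src, dst, removed):
    """True when deleting the nodes in `removed` leaves no path from src to dst
    (sniffing an endpoint's own forwarding node counts as separating)."""
    if src in removed or dst in removed:
        return True
    seen, stack = {src}, [src]
    while stack:
        u = stack.pop()
        if u == dst:
            return False
        for w in adj[u]:
            if w not in seen and w not in removed:
                seen.add(w)
                stack.append(w)
    return True


def shortest_path_nodes(adj, src, dst):
    """BFS; returns the node set U_s of one shortest src-dst path (s = its size)."""
    prev = {src: None}
    queue = [src]
    for u in queue:
        if u == dst:
            break
        for w in sorted(adj[u]):
            if w not in prev:
                prev[w] = u
                queue.append(w)
    path, u = set(), dst
    while u is not None:
        path.add(u)
        u = prev[u]
    return path


def p_traditional(m, s, n):
    """Equation (6): complete data is captured iff the sniffed set meets U_s."""
    return Fraction(c(m, n) - c(m - s, n), c(m, n))


def count_q(adj, src, dst, n):
    """Q^n_{src,dst}: n-sets avoiding both endpoints that still separate them."""
    others = [v for v in adj if v not in (src, dst)]
    return sum(1 for s_set in combinations(others, n)
               if separated(adj, src, dst, set(s_set)))


def p_hop(adj, src, dst, n):
    """Equation (7): an endpoint node is sniffed, or a separating cut is sniffed."""
    m = len(adj)
    hits = 2 * c(m - 2, n - 1) + c(m - 2, n - 2) + count_q(adj, src, dst, n)
    return Fraction(hits, c(m, n))


def brute_force(adj, src, dst, n):
    """Enumerate every n-node sniffed set; count those yielding complete data under
    the traditional model (touches U_s) and under DHC (separates src from dst)."""
    u_s = shortest_path_nodes(adj, src, dst)
    total = trad = hop = 0
    for s_set in combinations(sorted(adj), n):
        total += 1
        trad += bool(u_s & set(s_set))
        hop += separated(adj, src, dst, set(s_set))
    return Fraction(trad, total), Fraction(hop, total)


def check_proposition_1(edges, src, dst):
    """Return [(n, P_traditional, P_hop)] for n = 1..m, asserting that the closed
    forms agree with enumeration, that P_hop <= P_traditional (Proposition 1),
    and that Q^n <= C_{m-2}^n - C_{m-s}^n (the bound used in the Appendix)."""
    adj = adjacency(edges)
    m, s = len(adj), len(shortest_path_nodes(adj, src, dst))
    rows = []
    for n in range(1, m + 1):
        pt, ph = p_traditional(m, s, n), p_hop(adj, src, dst, n)
        assert (pt, ph) == brute_force(adj, src, dst, n)
        assert ph <= pt
        assert count_q(adj, src, dst, n) <= c(m - 2, n) - c(m - s, n)
        rows.append((n, pt, ph))
    return rows


if __name__ == "__main__":
    for n, pt, ph in check_proposition_1(SAMPLE_EDGES, 0, 3):
        print(f"n={n}: P_traditional={float(pt):.3f}  P_hop={float(ph):.3f}")
```

On the constructed graph the shortest path 0-1-2-3 gives $s = 4$; a single sniffed node yields $P_{\mathrm{traditional}} = 4/7$ but $P_{\mathrm{hop}} = 2/7$, with $n = 2$ the values are $6/7$ and $2/3$ (three of the ten endpoint-free pairs are vertex cuts), and both reach 1 once four or more nodes are sniffed, mirroring the shape of Figure 10.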

As can be seen from Figure 10, the probability of attackers obtaining complete data increases as the number of sniffed nodes increases, both in the traditional and in the DHC network, but $P_{\mathrm{hop}} \le P_{\mathrm{traditional}}$ always holds. The probability of attackers obtaining complete data is 1 in both the traditional and the DHC network when the number of sniffed nodes is more than 10. Although the probability of attackers sniffing complete data increases in the DHC network when a large number of forwarding nodes are sniffed, attackers also obtain more irrelevant data. Since the end hops constantly during a communication, attackers cannot easily pick out the traffic that belongs to the target from the sniffed data, which increases the difficulty for attackers to reconstruct and recover communication data.

[Figure 10: Probability of obtaining complete data. Horizontal axis: the number of monitored nodes (1 to 16); vertical axis: the probability of obtaining complete communication data (0 to 1); series: DHC, traditional network.]

6.3. Analysis of Communication Data Reconstruction for Attackers. Reconstruction of communication data requires the complete data of that communication. In this section, assume attackers can sniff the complete data of the communication between the source and destination hosts. In a traditional network, attackers can deduce the positions of both communicating sides and the upper-layer protocol from the IP addresses and ports of the sniffed packets. Useless packets can be eliminated based on the end, and the target communication data can be obtained. However, in a DHC network no real end of the source and destination hosts can be sniffed by attackers if the source and destination forwarding nodes are not sniffed. Data in a communication is distributed over various flows that attackers are not able to distinguish. Suppose that there are $f_{\mathrm{sniff}}$ flows in the sniffed data, among which $f_{\mathrm{real}}$ flows contain the data of the target connections ($f_{\mathrm{real}} \le f_{\mathrm{sniff}}$), and different ends are applied in different connections. There are $C_{f_{\mathrm{sniff}}}^{h}$ combinations when attackers randomly choose $h$ flows from the $f_{\mathrm{sniff}}$ flows. Attackers can reconstruct the communication data properly with only one combination; that is, $C_{f_{\mathrm{real}}}^{f_{\mathrm{real}}} = 1$.

Given that attackers select several flows randomly in a single attempt to reconstruct communication data, the probability of reconstructing the data properly can be calculated with

$$P_{\mathrm{once}} = \frac{C_{f_{\mathrm{real}}}^{f_{\mathrm{real}}}}{C_{f_{\mathrm{sniff}}}^{1} + C_{f_{\mathrm{sniff}}}^{2} + \cdots + C_{f_{\mathrm{sniff}}}^{f_{\mathrm{sniff}}}} = \frac{1}{2^{f_{\mathrm{sniff}}} - 1}. \qquad (8)$$

As shown in (8), the probability of attackers reconstructing the data successfully in a single attempt decreases exponentially with the number of flows sniffed. The more data is sniffed, the more difficult successful data reconstruction becomes. Since attackers cannot easily determine the timing of the target communication due to end hopping, a longer sniffing time is needed to obtain complete communication data. Therefore a large amount of irrelevant data is obtained, increasing the difficulty of data reconstruction. Given $f_{\mathrm{sniff}} = 100$ and $f_{\mathrm{real}} = 10$, the probability of attackers reconstructing the data correctly by selecting several flows randomly in one attempt would be $7.89 \times 10^{-31}$.

Table 1: Comparison of packet transmission time between traditional network and DHC network.

| Approach    | Average cost of packet transmission time | Period of flow update | Routing path                                 |
|-------------|------------------------------------------|-----------------------|----------------------------------------------|
| Traditional | $t \times l_s$                           | Infinite              | The shortest path from source to destination |
| DHC         | $t \times l_a$                           | $T_{\mathrm{hop}}$    | Multiple paths from source to destination    |

6.4. Analysis of Unpredictability. Since the end and the route hop randomly in DHC (detailed in Section 4.3), the end and route used in the next period cannot be predicted precisely. Even when the DHC protocol, the end hopping space, and the route hopping space are exposed, DHC can still increase the cost of sniffer attackers and resist sniffer attacks. Suppose that an attacker with all the information above sniffs the DHC network for a target communication; then she will face the following difficulties in launching a sniffer attack. Firstly, even though the DHC protocol is transparent to the attacker, a targeted sniffer attack cannot be launched, thanks to the randomness of end and route hopping. Secondly, it is hard for the attacker to get complete communication data during sniffing, due to the periodic hopping of the route. Thirdly, the attacker will get a large number of ends because of frequent end hopping, which prevents the attacker from extracting the right packets belonging to the target communication when she or he attempts to recover communication data. So the unpredictability of DHC guarantees that it can resist sniffer attacks even when the DHC protocol and the network information are exposed.

6.5. Analysis of Cost. Under traditional routing schemes, packets are routed along the shortest path. However, in a DHC network packets may be routed along longer paths due to the dynamic changing of the route. Therefore the cost of packet transmission time is higher in DHC. Let $l_s$ denote the length of the shortest path between source and destination (the length of a routing path is estimated in hops), $l_a$ the average length of the paths in the route hopping space ($l_s \le l_a$), and $T_{\mathrm{hop}}$ the hopping period; then the cost of packet transmission time is shown in Table 1. Moreover, the random selection of a route is conducted periodically by the routing path hop of a communication, which results in a small number of disordered packets at the receiving end when a new period starts, leaving no obstacles to normal communication.

Ends and routing paths are selected in DHC when flow entries are generated, which is more complicated than in a traditional network. Therefore the time cost of generating flow entries is higher in DHC. Since the average path is longer in DHC, more flow entries are installed for one communication compared with a traditional network. Thus the time cost for flow entry setup is higher in DHC as well. In Figure 11, the average time cost for installing flow entries between different node pairs in the topology (shown in Figure 5) is compared for DHC and the traditional network. As illustrated in Figure 11, the average time for flow entry generation and setup in DHC is longer than that in the traditional network.

[Figure 11: Comparison of average time cost of flow entry installation in DHC and traditional network. Horizontal axis: different node pairs (1→16, 3→11, 4→14, 5→12); vertical axis: average time overhead (ms), 0 to 0.25; series: time of flow setup in DHC, time of flow generation in DHC, time of flow setup in traditional network, time of flow generation in traditional network.]

In a network without DHC, flow entries are installed only once at the beginning of a communication, while in DHC the flow entries of the data plane are updated periodically, and hopping ends and paths have to be allocated for every connection between two communicating sides, which brings more load to the controller. In the experiment topology, 50 pairs of source and destination hosts are chosen randomly, and communication between each pair is started. The CPU utilization of DHC and the traditional network is compared in Figure 12. If the controller does not run DHC, the load is low because the flow entries are not periodically updated; therefore the CPU utilization is under 10%, as shown in Figure 12. If a controller runs DHC, the load increases due to the periodic updating of flow entries. It can be seen in the figure that CPU utilization is much higher when the controller runs DHC. When $T_{\mathrm{hop}} = 5$ s, the CPU utilization is between 20% and 40%, and when $T_{\mathrm{hop}} = 10$ s, the CPU utilization is between 10% and 30%. A shorter hopping period requires more controller operations, so when $T_{\mathrm{hop}} = 5$ s the CPU utilization of the controller is higher than when $T_{\mathrm{hop}} = 10$ s. The controller will be the bottleneck when DHC is used in a large-scale network. Fortunately, a distributed SDN controller [30] is a solution to this problem.

[Figure 12: CPU utilization of controller. Horizontal axis: run time (s), 10 to 100; vertical axis: CPU utilization (%), 0 to 60; series: no DHC, DHC with $T_{\mathrm{hop}} = 10$ s, DHC with $T_{\mathrm{hop}} = 5$ s.]

In a traditional network, flows are matched only by destination addresses, so the length of the routing tables is of order $O(m)$ for a network of $m$ nodes. However, flows are matched by ends (including source/destination addresses and ports) in DHC, meaning that two flows must be specified for every connection (TCP or UDP) between two communicating sides. Let $\lambda$ denote the average rate of connection establishment and $w$ the lasting time of each connection; then the mean length of the flow tables is of order $O(m\lambda w)$ [7]. Moreover, to avoid packet loss, DHC requires both the old and the new flow entries to be present in the flow table simultaneously for a brief period of time, during which the cost of flow table space increases. Therefore the cost of flow table space is higher in DHC.

7. Conclusion

The centralized control and programmability of SDN make hopping communication easier to realize and deploy. In this paper, end hopping and route hopping are combined, and double hopping communication based on SDN is proposed. The end is changed dynamically in DHC, so that the data from multiple users is mixed and communication traffic can be hidden in background traffic. Thus traffic cannot be distinguished easily, and the difficulty for attackers to reconstruct and recover data increases. In addition, the data is transmitted along multiple paths by changing the routing path dynamically, which increases the difficulty for attackers to obtain complete communication data. Results show that the approach proposed in this paper effectively provides anti-sniffer protection. Moreover, DHC is realized completely in software and is transparent to terminals. A controller bottleneck usually occurs in a large-scale DHC network. In future work, a distributed controller model will be applied to deal with this problem, and a feasible communication solution of DHC will be tested in a real network.

Appendix

Suppose there are $m$ nodes in network topology $G$. The attacker can sniff $n$ nodes, and the sniffed nodes constitute a sniffed node set $V^{n}_{\mathrm{sniff}}$ ($|V^{n}_{\mathrm{sniff}}| = n$, $n \le m$). Given the route hopping space $S_{\mathrm{RH}}^{H_1 \to H_2}$, there are $s$ nodes on the shortest path between source host $H_1$ and destination host $H_2$ ($s \le m$). $V_{\mathrm{cut}}$ is a vertex cut-set by which $G$ is cut into several connected subgraphs such that the source forwarding node $node_{\mathrm{src}}$ and the destination forwarding node $node_{\mathrm{dst}}$ lie in different subgraphs. Suppose there are $Q^{n}_{\mathrm{src},\mathrm{dst}}$ sniffed node sets $V^{n}_{\mathrm{sniff}}$ satisfying $V^{n}_{\mathrm{sniff}} \supseteq V_{\mathrm{cut}}$. The proof that the probability of the attacker obtaining complete communication data in one communication in a traditional network is not less than that in DHC, that is, $P_{\mathrm{traditional}} \ge P_{\mathrm{hop}}$, is given below.

Proof. To verify that $P_{\mathrm{traditional}} \ge P_{\mathrm{hop}}$, we show that $P_{\mathrm{traditional}} - P_{\mathrm{hop}} \ge 0$.

Given $P_{\mathrm{traditional}} = (C_m^n - C_{m-s}^n)/C_m^n$ and $P_{\mathrm{hop}} = (C_2^1 C_{m-2}^{n-1} + C_2^2 C_{m-2}^{n-2} + Q^{n}_{\mathrm{src},\mathrm{dst}})/C_m^n$, we have

$$P_{\mathrm{traditional}} - P_{\mathrm{hop}} = \frac{C_m^n - C_{m-s}^n - \left(C_2^1 C_{m-2}^{n-1} + C_2^2 C_{m-2}^{n-2} + Q^{n}_{\mathrm{src},\mathrm{dst}}\right)}{C_m^n}. \qquad (A.1)$$

Suppose the shortest path from $H_1$ to $H_2$ is $path^{*}$ ($path^{*} \in S_{\mathrm{RH}}^{H_1 \to H_2}$). If the complete communication data from the source host to the destination host can be sniffed on $V^{n}_{\mathrm{sniff}}$, then for all $path \in S_{\mathrm{RH}}^{H_1 \to H_2}$ we have $V^{n}_{\mathrm{sniff}} \cap Nodes(path) \ne \emptyset$, where $Nodes(path)$ represents the set of nodes that $path$ passes through. Because $path^{*} \in S_{\mathrm{RH}}^{H_1 \to H_2}$, it follows that $V^{n}_{\mathrm{sniff}} \cap Nodes(path^{*}) \ne \emptyset$; that is, $V^{n}_{\mathrm{sniff}}$ contains at least one node on the shortest path (Conclusion 1).

When $n = 1$, the attacker sniffs 1 node in the network. Then, based on (A.1), we have

$$P_{\mathrm{traditional}} - P_{\mathrm{hop}} = \frac{C_m^1 - C_{m-s}^1 - \left(C_2^1 C_{m-2}^{0} + Q^{1}_{\mathrm{src},\mathrm{dst}}\right)}{C_m^1}. \qquad (A.2)$$

In (A.2) the denominator $C_m^1 > 0$, and the numerator is as follows:

$$C_m^1 - C_{m-s}^1 - \left(C_2^1 C_{m-2}^{0} + Q^{1}_{\mathrm{src},\mathrm{dst}}\right) = m - (m - s) - \left(2 + Q^{1}_{\mathrm{src},\mathrm{dst}}\right) = s - 2 - Q^{1}_{\mathrm{src},\mathrm{dst}}. \qquad (A.3)$$

By Conclusion 1, $V^{1}_{\mathrm{sniff}} \cap Nodes(path^{*}) \ne \emptyset$; that is, the sniffed node is on the shortest path. Among the $s$ nodes on the shortest path, the number of $V^{1}_{\mathrm{sniff}}$ which can divide the source node and the destination node into different connected subgraphs is not more than $s - 2$; that is, $Q^{1}_{\mathrm{src},\mathrm{dst}} \le s - 2$. So (A.3) $\ge 0$. The numerator of (A.2) is not less than 0, so in (A.2) $P_{\mathrm{traditional}} - P_{\mathrm{hop}} \ge 0$.

When $n \ge 2$, the attacker sniffs more than 1 node in the network. Then, based on (A.1), we have

$$P_{\mathrm{traditional}} - P_{\mathrm{hop}} = \frac{C_m^n - C_{m-s}^n - \left(C_2^1 C_{m-2}^{n-1} + C_2^2 C_{m-2}^{n-2} + Q^{n}_{\mathrm{src},\mathrm{dst}}\right)}{C_m^n}. \qquad (A.4)$$

In (A.4) the denominator $C_m^n > 0$, and, using $C_m^n = C_{m-2}^n + 2C_{m-2}^{n-1} + C_{m-2}^{n-2}$ (the $n$ sniffed nodes are chosen from the two endpoint nodes together with the other $m - 2$ nodes), the numerator is as follows:

$$\begin{aligned}
& C_m^n - C_{m-s}^n - \left(C_2^1 C_{m-2}^{n-1} + C_2^2 C_{m-2}^{n-2} + Q^{n}_{\mathrm{src},\mathrm{dst}}\right) \\
&= C_m^n - C_{m-s}^n - 2C_{m-2}^{n-1} - C_{m-2}^{n-2} - Q^{n}_{\mathrm{src},\mathrm{dst}} \\
&= C_{m-2}^n - C_{m-s}^n - Q^{n}_{\mathrm{src},\mathrm{dst}}.
\end{aligned} \qquad (A.5)$$

According to the definition, $Q^{n}_{\mathrm{src},\mathrm{dst}}$ is the number of those $V^{n}_{\mathrm{sniff}}$ which can divide $node_{\mathrm{src}}$ and $node_{\mathrm{dst}}$ into different connected subgraphs, so $node_{\mathrm{src}}$ and $node_{\mathrm{dst}}$ do not belong to such $V^{n}_{\mathrm{sniff}}$. $C_{m-2}^n$ is the number of all $V^{n}_{\mathrm{sniff}}$ satisfying both $node_{\mathrm{src}} \notin V^{n}_{\mathrm{sniff}}$ and $node_{\mathrm{dst}} \notin V^{n}_{\mathrm{sniff}}$, and $C_{m-2-(s-2)}^n$ is the number of those $V^{n}_{\mathrm{sniff}}$ satisfying $V^{n}_{\mathrm{sniff}} \cap Nodes(path^{*}) = \emptyset$. By Conclusion 1, $V^{n}_{\mathrm{sniff}} \cap Nodes(path^{*}) \ne \emptyset$, so $Q^{n}_{\mathrm{src},\mathrm{dst}}$ is not more than $C_{m-2}^n - C_{m-2-(s-2)}^n$. So (A.5) $\ge 0$. The numerator of (A.4) is not less than 0, so in (A.4) $P_{\mathrm{traditional}} - P_{\mathrm{hop}} \ge 0$.

In conclusion, $P_{\mathrm{traditional}} - P_{\mathrm{hop}} \ge 0$; that is, $P_{\mathrm{traditional}} \ge P_{\mathrm{hop}}$.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work is supported by the National Natural Science Foundation of China (nos. 61379151, 61272489, 61302159, and 61401512) and the National Cryptography Development Fund of China (no. MMJJ201301005), the National Basic Research Program of China (973) (Grants nos. 2012CB315901 and 2013CB329104), and the National Natural Science Foundation of China (Grants nos. 61309019 and 61372121).

References

[1] National Cyber Leap Year Summit 2009 Co-Chairs' Report, "Networking and information technology research and development," Tech. Rep., 2009.

[2] T. Cyberspace, Strategic Plan for the Federal Cybersecurity Research and Development Program, Executive Office of the President, National Science and Technology Council, Washington, DC, USA, 2011.

[3] S. Jajodia, A. K. Ghosh, V. Swarup, C. Wang, and X. S. Wang, Moving Target Defense: Creating Asymmetric Uncertainty for Cyber Threats, vol. 54, Springer Science & Business Media, New York, NY, USA, 2011.

[4] E. Al-Shaer, "Toward network configuration randomization for moving target defense," in Moving Target Defense, vol. 54 of Advances in Information Security, pp. 153–159, Springer, New York, NY, USA, 2011.

[5] P. Kampanakis, H. Perros, and T. Beyene, "SDN-based solutions for Moving Target Defense network protection," in Proceedings of the 15th IEEE International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM '14), pp. 1–6, Sydney, Australia, June 2014.

[6] M. Atighetchi, P. Pal, F. Webber, and C. Jones, "Adaptive use of network-centric mechanisms in cyber-defense," in Proceedings of the 6th IEEE International Symposium on Object-Oriented Real-Time Distributed Computing, pp. 183–192, Hokkaido, Japan, May 2003.

[7] J. H. Jafarian, E. Al-Shaer, and Q. Duan, "Openflow random host mutation: transparent moving target defense using software defined networking," in Proceedings of the 1st Workshop on Hot Topics in Software Defined Networks (HotSDN '12), pp. 127–132, ACM, Helsinki, Finland, August 2012.

[8] Q. Duan, E. Al-Shaer, and H. Jafarian, "Efficient Random Route Mutation considering flow and network constraints," in Proceedings of the IEEE Conference on Communications and Network Security (CNS '13), pp. 260–268, IEEE, National Harbor, Md, USA, October 2013.

[9] E. Al-Shaer, Q. Duan, and J. H. Jafarian, "Random host mutation for moving target defense," in Security and Privacy in Communication Networks, pp. 310–327, Springer, New York, NY, USA, 2013.

[10] G. Badishi, A. Herzberg, and I. Keidar, "Keeping denial-of-service attackers in the dark," IEEE Transactions on Dependable and Secure Computing, vol. 4, no. 3, pp. 191–204, 2007.

[11] H. Wang, Q. Jia, D. Fleck, W. Powell, F. Li, and A. Stavrou, "A moving target DDoS defense mechanism," Computer Communications, vol. 46, pp. 10–21, 2014.

[12] C.-Y. Hong, S. Kandula, R. Mahajan et al., "Achieving high utilization with software-driven WAN," ACM SIGCOMM Computer Communication Review, vol. 43, no. 3, pp. 15–26, 2013.

[13] N. McKeown, "Software-defined networking," INFOCOM Keynote Talk, vol. 17, no. 2, pp. 30–32, 2009.

[14] M. Carvalho and R. Ford, "Moving-target defenses for computer networks," IEEE Security & Privacy, vol. 12, no. 2, pp. 73–76, 2014.

[15] M. Sifalakis, S. Schmid, and D. Hutchison, "Network address hopping: a mechanism to enhance data protection for packet communications," in Proceedings of the IEEE International Conference on Communications (ICC '05), vol. 3, pp. 1518–1523, IEEE, Seoul, Republic of Korea, May 2005.

[16] M. Dunlop, S. Groat, W. Urbanski, R. Marchany, and J. Tront, "MT6D: a moving target IPv6 defense," in Proceedings of the Military Communications Conference (MILCOM '11), pp. 1321–1326, IEEE, Baltimore, Md, USA, November 2011.

[17] J. H. Jafarian, E. Al-Shaer, and Q. Duan, "An effective address mutation approach for disrupting reconnaissance attacks," IEEE Transactions on Information Forensics and Security, vol. 10, no. 12, pp. 2562–2577, 2015.

[18] J. H. H. Jafarian, E. Al-Shaer, and Q. Duan, "Spatio-temporal address mutation for proactive cyber agility against sophisticated attackers," in Proceedings of the 1st ACM Workshop on Moving Target Defense (MTD '14), pp. 69–78, Scottsdale, AZ, USA, November 2014.

[19] J. H. Jafarian, E. Al-Shaer, and Q. Duan, "Adversary-aware IP address randomization for proactive agility against sophisticated attackers," in Proceedings of the IEEE Conference on Computer Communications (INFOCOM '15), pp. 738–746, IEEE, April 2015.

[20] D. C. MacFarland and C. A. Shue, "The SDN shuffle: creating a moving-target defense using host-based software-defined networking," in Proceedings of the 2nd ACM Workshop on Moving Target Defense (MTD '15), pp. 37–41, ACM, Denver, Colo, USA, October 2015.

[21] J. Jafarian, E. Al-Shaer, and Q. Duan, "Formal approach for route agility against persistent attackers," in Computer Security—ESORICS 2013, J. Crampton, S. Jajodia, and K. Mayes, Eds., vol. 8134 of Lecture Notes in Computer Science, pp. 237–254, Springer, Berlin, Germany, 2013.

[22] S. Dolev and S. T. David, "SDN-based private interconnection," in Proceedings of the IEEE 13th International Symposium on Network Computing and Applications (NCA '14), 2014.

[23] F. Gillani, E. Al-Shaer, S. Lo, Q. Duan, M. H. Ammar, and E. W. Zegura, "Agile virtualized infrastructure to proactively defend against cyber attacks," in Proceedings of the IEEE Conference on Computer Communications (INFOCOM '15), pp. 729–737, Hong Kong, April–May 2015.

[24] D. Gkounis, V. Kotronis, and X. Dimitropoulos, "Towards defeating the crossfire attack using SDN," http://arxiv.org/abs/1412.2013.

[25] A. Studer and A. Perrig, "The coremelt attack," in Computer Security—ESORICS 2009, vol. 5789 of Lecture Notes in Computer Science, pp. 37–52, Springer, Berlin, Germany, 2009.

[26] B. Lantz, B. Heller, and N. McKeown, "A network in a laptop: rapid prototyping for software-defined networks," in Proceedings of the 9th ACM SIGCOMM Workshop on Hot Topics in Networks, ACM, October 2010.

[27] N. McKeown, T. Anderson, H. Balakrishnan et al., "OpenFlow: enabling innovation in campus networks," ACM SIGCOMM Computer Communication Review, vol. 38, no. 2, pp. 69–74, 2008.

[28] M. McCauley, "About pox," 2013, http://www.github.com/noxrepo/pox.

[29] S. De Maesschalck, D. Colle, I. Lievens et al., "Pan-European optical transport networks: an availability-based comparison," Photonic Network Communications, vol. 5, no. 3, pp. 203–225, 2003.

[30] A. Dixit, F. Hao, S. Mukherjee, T. V. Lakshman, and R. Kompella, "Towards an elastic distributed SDN controller," ACM SIGCOMM Computer Communication Review, vol. 43, no. 4, pp. 7–12, 2013.


Page 9: Research Article SDN-Based Double Hopping Communication ...a random port-hopping (RPH) scheme was proposed to defend DDoS attacks by changing the communication ports. MTD [], proposed

Mathematical Problems in Engineering 9

forwarding nodes in network randomly Suppose networktopology119866 = ⟨119881 119864⟩ is an undirected connected graph where119881 is a set of forwarding nodes and 119864 is a set of links 119881contains 119898 forwarding nodes and attackers can randomlysniff 119899 of them simultaneously (119899 le 119898) Sniffed node setconsisting of these sniffed forwarding nodes is denoted as119881119899

sniff 119881119899

sniff sube 119881 and |119881119899sniff | = 119899Source host ℎ119900119904119905src communicates with destination host

ℎ119900119904119905dst Source and destination forwarding nodes are denotedas 119899119900119889119890src and 119899119900119889119890dst respectively Assume there are 119904 nodeson the shortest path between ℎ119900119904119905src and ℎ119900119904119905dst (1 le 119904 le119898) which constitute node set 119880119904 In traditional network if119881119899

listen cap 119880119904= complete communication data between

ℎ119900119904119905src and ℎ119900119904119905dst can be obtained by attackers If 119881119899listen cap119880119904= no communication data can be sniffed The

probability of attackers obtaining complete communicationdata in traditional network can be calculated by (6) where119862119899

119898is number of all 119881119899sniff and 119862119899

119898minus119904is the number of 119881119899sniff

when 119881119899listen cap 119880119904= So 119862119899

119898minus 119862119899

119898minus119904represents the number

of 119881119899sniff when 119881119899listen cap 119880119904=

119875traditional =119862119899

119898minus 119862119899

119898minus119904

119862119899

119898

(6)

InDHC attackers can sniff complete data between ℎ119900119904119905srcand ℎ119900119904119905dst if 119899119900119889119890src isin 119881

119899

sniff or 119899119900119889119890dst isin 119881119899

sniff Thenumber of such 119881119899sniff is 1198621

2119862119899minus1

119898minus2+ 1198622

2119862119899minus2

119898minus2 In other cases

if 119899119900119889119890src notin 119881119899

listen and 119899119900119889119890dst notin 119881119899

listen to sniff completedata one vertex cut-set 119881cut should be contained in 119881119899sniff and 119899119900119889119890src and 119899119900119889119890dst should be cut by 119881cut into differentconnected subgraphs that is 119881119899sniff supe 119881cut exists where 119866 iscut by 119881cut into 119896 connected subgraphs 119866

1 1198662 119866

119896 and

119899119900119889119890src isin 119866119894 and 119899119900119889119890dst isin 119866119895 1 le 119894 119895 le 119896 and 119894 = 119895hold Suppose there exists119876119899srcdst sniffed node set119881

119899

sniff where119881119899

sniff contains such 119881cut in this case Then the probability ofattackers obtaining complete data between ℎ119900119904119905src and ℎ119900119904119905dstcan be calculated by

119875hop =1198621

2119862119899minus1

119898minus2+ 1198622

2119862119899minus2

119898minus2+ 119876119899

srcdst

119862119899

119898

(7)

Proposition 1 The probability of attackers obtaining completedata in traditional network on one communication is not lessthan that in DHC that is 119875traditional ge 119875hop

The proof process of this proposition is shown in theAppendix In the network topology shown in Figure 5suppose a host on node 1 communicates with a host on node16The shortest path fromnode 1 to node 16 contains 6 nodesAttackers can sniff 119899 nodes randomly (1 le 119899 le 16) Prob-abilities of attackers obtaining complete data in traditionalnetwork and DHC network are shown in Figure 10

As can be seen from Figure 10 probability of attackersobtaining complete data increases when number of sniffednodes increases both in traditional and DHC network But119875hop le 119875traditional always holds Probability of attackersobtaining complete data is 1 in both traditional and DHCnetwork when the number of sniffed nodes is more than10 Although probability of attackers sniffing complete data

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16The number of monitored nodes

DHCTraditional network

0

02

04

06

08

1

The p

roba

bilit

y of

obt

aini

ng co

mpl

ete

com

mun

icat

ion

data

Figure 10 Probability of obtaining complete data

increases in DHC network when large number of forwardingnodes are sniffed attackers obtain more irrelevant dataSince end hops constantly during a communication attackerscannot pick out the traffic that belongs to the target from thesniffed data easily which increases the difficulty for attackersto reconstruct and recover communication data

6.3. Analysis of Communication Data Reconstruction for Attackers. Reconstruction of communication data requires the complete data of that communication. In this section, assume that attackers can sniff the complete data of the communication between the source and destination hosts. In a traditional network, attackers can deduce the positions of both communication sides and the upper layer protocol from the IP addresses and ports of the sniffed packets. Useless packets can be eliminated based on the end, and the target communication data can be obtained. However, in a DHC network, no real end of the source and destination hosts can be sniffed by attackers if the source and destination forwarding nodes are not sniffed. The data of a communication is distributed over various flows that attackers are not able to distinguish. Suppose that there are $f_{\text{sniff}}$ flows in the sniffed data, among which $f_{\text{real}}$ flows contain the data of the target connections ($f_{\text{real}} \le f_{\text{sniff}}$), and different ends are applied in different connections. There are $C^{h}_{f_{\text{sniff}}}$ combinations when attackers randomly choose $h$ flows from the $f_{\text{sniff}}$ flows, and only one combination reconstructs the communication data properly, that is, $C^{f_{\text{real}}}_{f_{\text{real}}} = 1$.

Given that attackers select several flows randomly in a single attempt to reconstruct the communication data, the probability of reconstructing the data properly can be calculated as

$$P_{\text{once}} = \frac{C^{f_{\text{real}}}_{f_{\text{real}}}}{C^{1}_{f_{\text{sniff}}} + C^{2}_{f_{\text{sniff}}} + \cdots + C^{f_{\text{sniff}}}_{f_{\text{sniff}}}} = \frac{1}{2^{f_{\text{sniff}}} - 1}. \quad (8)$$

As shown in (8), the probability of attackers reconstructing the data successfully in a single attempt decreases exponentially with the number of flows sniffed: the more data sniffed, the more difficult a successful data reconstruction becomes. Since attackers cannot easily determine the timing of the target communication due to end hopping, a longer sniffing time is needed to obtain the complete communication data. Therefore, a large amount of irrelevant data is obtained, increasing the difficulty of data reconstruction. Given $f_{\text{sniff}} = 100$ and $f_{\text{real}} = 10$, the probability of attackers reconstructing the data correctly by selecting several flows randomly in one attempt would be $7.89 \times 10^{-31}$.

10 Mathematical Problems in Engineering

Table 1: Comparison of packet transmission time between traditional network and DHC network.

Approach      Average cost of packet transmission time   Period of flow update   Routing path
Traditional   $t \times l_s$                              Infinite                The shortest path from source to destination
DHC           $t \times l_a$                              $T_{\text{hop}}$        Multiple paths from source to destination
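As an added example (not code from the paper), the following Python functions evaluate (8) both as the sum of binomial coefficients and in its closed form, so the two sides can be checked against each other and against the $7.89 \times 10^{-31}$ value quoted above. Exact rational arithmetic is used so that the result stays meaningful for large $f_{\text{sniff}}$, where a floating-point quotient would underflow.

```python
from fractions import Fraction
from math import comb


def p_once_sum(f_sniff, f_real):
    """Equation (8), left-hand side: exactly one of the attacker's possible
    subset choices (C^{f_real}_{f_real} = 1) reconstructs the data, out of
    C^1 + C^2 + ... + C^{f_sniff} non-empty subsets of the f_sniff flows."""
    if not 1 <= f_real <= f_sniff:
        raise ValueError("need 1 <= f_real <= f_sniff")
    correct = comb(f_real, f_real)
    ways = sum(comb(f_sniff, h) for h in range(1, f_sniff + 1))
    return Fraction(correct, ways)


def p_once_closed(f_sniff):
    """Equation (8), right-hand side: 1 / (2^f_sniff - 1)."""
    return Fraction(1, 2 ** f_sniff - 1)


def reconstruction_table(sizes=(10, 20, 50, 100)):
    """Single-attempt success probability for several sniffed-flow counts."""
    return {f: float(p_once_closed(f)) for f in sizes}


if __name__ == "__main__":
    for f, p in reconstruction_table().items():
        print(f"f_sniff={f:4d}: P_once={p:.3e}")
```

The sum form makes the counting argument of the paragraph explicit (every non-empty subset of the sniffed flows is a candidate reconstruction), and the closed form is the identity $\sum_{h=1}^{f} C^{h}_{f} = 2^{f} - 1$ applied to it.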

6.4. Analysis of Unpredictability. Since the end and the route hop randomly in DHC (detailed in Section 4.3), the end and the route used in the next period cannot be predicted precisely. Even when the DHC protocol, the end hopping space, and the route hopping space are exposed, DHC can still increase the cost of sniffer attackers and resist sniffer attacks. Suppose that an attacker with all the information above sniffs the DHC network for a target communication; then she will face the following difficulties in launching a sniffer attack. Firstly, even though the DHC protocol is transparent to the attacker, a targeted sniffer attack cannot be launched thanks to the randomness of end and route hopping. Secondly, it is hard for the attacker to get the complete communication data during sniffing due to the periodical hopping of the route. Thirdly, the attacker will get a large number of ends because of frequent end hopping, which prevents the attacker from extracting the right packets belonging to the target communication when she/he attempts to recover the communication data. So the unpredictability of DHC guarantees that it can resist sniffer attack even when the DHC protocol and the network information are exposed.

6.5. Analysis of Cost. Under traditional routing schemes, packets are routed along the shortest path. However, in a DHC network, packets may be routed along longer paths due to the dynamic changing of the route. Therefore, the cost of packet transmission time is higher in DHC. Let $l_s$ denote the length of the shortest path between source and destination (the length of a routing path is measured in hops), $l_a$ the average length of the paths in the route hopping space ($l_s \le l_a$), and $T_{\text{hop}}$ the hopping period; then the cost of packet transmission time is shown in Table 1. Moreover, a random selection of the route is conducted periodically by the routing path hop of a communication, which results in a small number of out-of-order packets at the receiving end when a new period starts, leaving no obstacles to normal communication.

Ends and routing paths have to be selected in DHC when flow entries are generated, which is more complicated than in a traditional network. Therefore, the time cost of generating flow entries is higher in DHC. Since the average path is longer in DHC, more flow entries are installed for one communication compared with a traditional network. Thus, the time cost of flow entry setup is higher in DHC as well. In Figure 11, the average time cost of installing flow entries between different node pairs in the topology of Figure 5 is compared for DHC and the traditional network. As illustrated in Figure 11, the average time for flow entry generation and setup in DHC is longer than that in the traditional network.

[Figure 11: Comparison of average time cost of flow entries installation in DHC and traditional network. x-axis: different node pairs (1→16, 3→11, 4→14, 5→12); y-axis: average time overhead (ms), 0 to 0.25; series: time of flow setup in DHC, time of flow generation in DHC, time of flow setup in traditional network, time of flow generation in traditional network.]

In the network without DHC, flow entries are installed only once at the beginning of a communication, while in DHC the flow entries of the data plane are updated periodically and hopping ends and paths have to be allocated for every connection between two communication sides, which brings more load to the controller. In the experiment topology, 50 pairs of source and destination hosts are chosen randomly, and communication between each pair is started. The CPU utilization of DHC and the traditional network is compared in Figure 12. If the controller does not run DHC, the load is low because the flow entries are not periodically updated; therefore, the CPU utilization is under 10%, as shown in Figure 12. If a controller runs DHC, the load increases due to the periodical updating of flow entries. It can be seen in the figure that the CPU utilization is much higher when the controller runs DHC. When $T_{\text{hop}} = 5$ s, the CPU utilization is between 20% and 40%, and when $T_{\text{hop}} = 10$ s, the CPU utilization is between 10% and 30%. A shorter hopping period requires more controller operations, so when $T_{\text{hop}} = 5$ s the CPU utilization of the controller is higher than when $T_{\text{hop}} = 10$ s. The controller will be the bottleneck when DHC is used in a large scale network. Fortunately, the distributed SDN controller [30] is a solution to this problem.

[Figure 12: CPU utilization of controller. x-axis: run time (s), 10 to 100; y-axis: CPU utilization (%), 0 to 60; series: No DHC, DHC with $T_{\text{hop}} = 10$ s, DHC with $T_{\text{hop}} = 5$ s.]

In a traditional network, flows are matched only by destination address, so the length of the routing tables is of order $O(m)$ for a network of $m$ nodes. However, flows are matched by ends (including source/destination address and ports) in DHC, meaning that two flows must be specified for every connection (TCP or UDP) between two communication sides. Let $\lambda$ denote the average rate of connection establishment and let $w$ denote the duration of each connection; then the mean length of the flow tables is of order $O(m\lambda w)$ [7]. Moreover, to avoid packet loss, DHC requires both the old and the new flow entries to be present in the flow table simultaneously for a brief period of time, during which the cost of flow table space increases. Therefore, the cost of flow table space is higher in DHC.
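The following Python model (an added example, not the paper's code) turns the $O(m\lambda w)$ argument above into a capacity estimate a defender could use when sizing switch flow tables for DHC, and checks it with a seeded simulation. The per-node arrival rate, exponential connection durations, two entries per connection, and a fixed overlap window after each hop during which old and new entries coexist are all assumptions of this model, not parameters stated in the paper.

```python
import random


def analytic_flow_entries(m, lam, w, t_hop, overlap):
    """Mean number of DHC flow entries predicted by the O(m*lam*w) argument.

    Model assumptions (mine, not the paper's): every one of the m nodes opens
    connections at rate `lam` per second, a connection lasts `w` seconds on
    average, each connection needs two entries (one per direction of the
    end-hopped flow), and for `overlap` seconds after every hop (period
    `t_hop`) the old and new entries coexist, doubling the per-connection cost.
    """
    return 2 * m * lam * w * (1 + overlap / t_hop)


def simulate_flow_entries(m, lam, w, t_hop, overlap,
                          horizon=2000.0, dt=0.1, seed=1):
    """Seeded discrete-time simulation of the same model.

    Returns the time-averaged number of installed entries after a warm-up of
    5*w seconds, so it can be compared with analytic_flow_entries().
    """
    rng = random.Random(seed)
    active = []      # end times of currently open connections
    samples = []
    t = 0.0
    while t < horizon:
        # Bernoulli(lam*dt) arrivals per node approximate a Poisson process
        for _ in range(m):
            if rng.random() < lam * dt:
                active.append(t + rng.expovariate(1.0 / w))
        active = [end for end in active if end > t]
        # inside the overlap window both old and new entries are installed
        per_connection = 4 if (t % t_hop) < overlap else 2
        if t > 5 * w:
            samples.append(per_connection * len(active))
        t += dt
    return sum(samples) / len(samples)


def traditional_entries(m):
    """Destination-based forwarding: one entry per destination node, O(m)."""
    return m


if __name__ == "__main__":
    params = dict(m=16, lam=0.5, w=10.0, t_hop=5.0, overlap=0.5)
    print("traditional:", traditional_entries(16))
    print("DHC analytic:", analytic_flow_entries(**params))
    print("DHC simulated:", round(simulate_flow_entries(**params), 1))
```

With the constructed parameters (16 nodes, 0.5 connections per second per node, 10 s connections, a 5 s hopping period and a 0.5 s overlap) the model predicts 176 entries against 16 for destination-based routing; the overlap term is the part a practitioner most often forgets, and shortening $T_{\text{hop}}$ raises it in proportion.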

7. Conclusion

The centralized control and programmability of SDN make hopping communication easier to realize and deploy. In this paper, end hopping and route hopping are combined, and double hopping communication based on SDN is proposed. The end is changed dynamically in DHC, so that the data from multiple users is mixed and the communication traffic can be hidden in background traffic. So the traffic cannot be distinguished easily, and the difficulty for attackers to reconstruct and recover the data increases. In addition, the data is transmitted along multiple paths by changing the routing path dynamically, which increases the difficulty for attackers to obtain the complete communication data. Results show that the approach proposed in this paper effectively enables anti-sniffer protection. Moreover, DHC is realized completely in software and is transparent to terminals. A controller bottleneck usually occurs in a large scale DHC network. In future work, a distributed controller model will be applied to deal with this problem, and a feasible communication solution of DHC will be tested in a real network.

Appendix

Suppose there are $m$ nodes in the network topology $G$. The attacker can sniff $n$ nodes, and the sniffed nodes constitute a sniffed node set $V^{n}_{\text{sniff}}$ ($|V^{n}_{\text{sniff}}| = n$, $n \le m$). Given the route hopping space $S^{H_1 \rightarrow H_2}_{\text{RH}}$, there are $s$ nodes in the shortest path between the source host $H_1$ and the destination host $H_2$ ($s \le m$). $V_{\text{cut}}$ is a vertex cut-set by which $G$ is cut into several connected subgraphs such that the source forwarding node $\mathit{node}_{\text{src}}$ and the destination forwarding node $\mathit{node}_{\text{dst}}$ are in different subgraphs. Suppose there are $Q^{n}_{\text{src,dst}}$ sniffed node sets $V^{n}_{\text{sniff}}$ satisfying $V^{n}_{\text{sniff}} \supseteq V_{\text{cut}}$. The proof that the probability of the attacker obtaining the complete communication data of one communication in the traditional network is not less than that in DHC, that is, $P_{\text{traditional}} \ge P_{\text{hop}}$, is shown below.

Proof. We verify that $P_{\text{traditional}} \ge P_{\text{hop}}$ by showing that $P_{\text{traditional}} - P_{\text{hop}} \ge 0$.

Given $P_{\text{traditional}} = (C^{n}_{m} - C^{n}_{m-s}) / C^{n}_{m}$ and $P_{\text{hop}} = (C^{1}_{2} C^{n-1}_{m-2} + C^{2}_{2} C^{n-2}_{m-2} + Q^{n}_{\text{src,dst}}) / C^{n}_{m}$, we have

$$P_{\text{traditional}} - P_{\text{hop}} = \frac{C^{n}_{m} - C^{n}_{m-s} - \left(C^{1}_{2} C^{n-1}_{m-2} + C^{2}_{2} C^{n-2}_{m-2} + Q^{n}_{\text{src,dst}}\right)}{C^{n}_{m}}. \quad (\text{A.1})$$

Suppose the shortest path from $H_1$ to $H_2$ is $\mathit{path}^{*}$ ($\mathit{path}^{*} \in S^{H_1 \rightarrow H_2}_{\text{RH}}$). If the complete communication data from the source host to the destination host can be sniffed on $V^{n}_{\text{sniff}}$, then $\forall \mathit{path} \in S^{H_1 \rightarrow H_2}_{\text{RH}}$, $V^{n}_{\text{sniff}} \cap \mathit{Nodes}(\mathit{path}) \ne \emptyset$, where $\mathit{Nodes}(\mathit{path})$ represents the set of nodes that $\mathit{path}$ passes. Because $\mathit{path}^{*} \in S^{H_1 \rightarrow H_2}_{\text{RH}}$, $V^{n}_{\text{sniff}} \cap \mathit{Nodes}(\mathit{path}^{*}) \ne \emptyset$; that is, $V^{n}_{\text{sniff}}$ contains at least one node on the shortest path (Conclusion 1).

When $n = 1$, the attacker sniffs 1 node in the network. Then, based on (A.1), we have

$$P_{\text{traditional}} - P_{\text{hop}} = \frac{C^{1}_{m} - C^{1}_{m-s} - \left(C^{1}_{2} C^{0}_{m-2} + Q^{1}_{\text{src,dst}}\right)}{C^{1}_{m}}. \quad (\text{A.2})$$

In (A.2), the denominator $C^{1}_{m} > 0$, and the numerator is as follows:

$$C^{1}_{m} - C^{1}_{m-s} - \left(C^{1}_{2} C^{0}_{m-2} + Q^{1}_{\text{src,dst}}\right) = m - (m - s) - \left(2 + Q^{1}_{\text{src,dst}}\right) = s - 2 - Q^{1}_{\text{src,dst}}. \quad (\text{A.3})$$

By Conclusion 1, $V^{1}_{\text{sniff}} \cap \mathit{Nodes}(\mathit{path}^{*}) \ne \emptyset$; that is, the sniffed node is on the shortest path. Among the $s$ nodes on the shortest path, the number of sets $V^{1}_{\text{sniff}}$ which can divide the source node and the destination node into different connected subgraphs is not more than $s - 2$; that is, $Q^{1}_{\text{src,dst}} \le s - 2$. So (A.3) $\ge 0$. The numerator of (A.2) is not less than 0; then in (A.2), $P_{\text{traditional}} - P_{\text{hop}} \ge 0$.

When $n \ge 2$, the attacker sniffs more than 1 node in the network. Then, based on (A.1), we have

$$P_{\text{traditional}} - P_{\text{hop}} = \frac{C^{n}_{m} - C^{n}_{m-s} - \left(C^{1}_{2} C^{n-1}_{m-2} + C^{2}_{2} C^{n-2}_{m-2} + Q^{n}_{\text{src,dst}}\right)}{C^{n}_{m}}. \quad (\text{A.4})$$

In (A.4), the denominator $C^{n}_{m} > 0$, and the numerator is as follows:

$$\begin{aligned}
& C^{n}_{m} - C^{n}_{m-s} - \left(C^{1}_{2} C^{n-1}_{m-2} + C^{2}_{2} C^{n-2}_{m-2} + Q^{n}_{\text{src,dst}}\right) \\
&= C^{n}_{m} - C^{n}_{m-s} - 2 C^{n-1}_{m-2} - C^{n-2}_{m-2} - Q^{n}_{\text{src,dst}} \\
&= C^{n}_{m-2} - C^{n}_{m-s} - Q^{n}_{\text{src,dst}}.
\end{aligned} \quad (\text{A.5})$$

According to the definition, $Q^{n}_{\text{src,dst}}$ is the number of those $V^{n}_{\text{sniff}}$ which can divide $\mathit{node}_{\text{src}}$ and $\mathit{node}_{\text{dst}}$ into different connected subgraphs, so $\mathit{node}_{\text{src}}$ and $\mathit{node}_{\text{dst}}$ do not belong to such $V^{n}_{\text{sniff}}$. $C^{n}_{m-2}$ is the number of all $V^{n}_{\text{sniff}}$ satisfying both $\mathit{node}_{\text{src}} \notin V^{n}_{\text{sniff}}$ and $\mathit{node}_{\text{dst}} \notin V^{n}_{\text{sniff}}$. $C^{n}_{m-2-(s-2)}$ is the number of $V^{n}_{\text{sniff}}$ satisfying $V^{n}_{\text{sniff}} \cap \mathit{Nodes}(\mathit{path}^{*}) = \emptyset$. By Conclusion 1, $V^{n}_{\text{sniff}} \cap \mathit{Nodes}(\mathit{path}^{*}) \ne \emptyset$; then $Q^{n}_{\text{src,dst}}$ is not more than $C^{n}_{m-2} - C^{n}_{m-2-(s-2)}$. So (A.5) $\ge 0$. The numerator of (A.4) is not less than 0; then in (A.4), $P_{\text{traditional}} - P_{\text{hop}} \ge 0$.

In conclusion, $P_{\text{traditional}} - P_{\text{hop}} \ge 0$; that is, $P_{\text{traditional}} \ge P_{\text{hop}}$.
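To make the proposition concrete, the following Python script (an added example, not code from the paper) enumerates every set of $n$ sniffed nodes on a constructed 2×4 grid topology (an assumption; the paper's Figure 5 topology is not reproduced here) and computes $P_{\text{traditional}}$ and $P_{\text{hop}}$ exactly, the quantities compared in the Figure 10 discussion above and bounded in this Appendix. It assumes the route hopping space contains every simple path from the source forwarding node to the destination forwarding node, so under DHC an attacker obtains complete data only when the sniffed set contains `SRC` or `DST` or is a vertex cut separating them; the enumerated $P_{\text{traditional}}$ is also checked against the closed form $(C^{n}_{m} - C^{n}_{m-s}) / C^{n}_{m}$.

```python
from collections import deque
from fractions import Fraction
from itertools import combinations
from math import comb

# Constructed toy topology (an assumption; not the paper's Figure 5):
# eight forwarding nodes in a 2x4 grid, the source host attached to
# node 0 and the destination host to node 7.
#   0 - 1 - 2 - 3
#   |   |   |   |
#   4 - 5 - 6 - 7
EDGES = [(0, 1), (1, 2), (2, 3), (4, 5), (5, 6), (6, 7),
         (0, 4), (1, 5), (2, 6), (3, 7)]
SRC, DST = 0, 7


def build_adjacency(edges):
    adj = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj


def shortest_path(adj, src, dst):
    """BFS shortest path: the single fixed route of the traditional network."""
    parent = {src: None}
    queue = deque([src])
    while queue:
        u = queue.popleft()
        if u == dst:
            break
        for v in sorted(adj[u]):
            if v not in parent:
                parent[v] = u
                queue.append(v)
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = parent[node]
    return path[::-1]


def reachable_avoiding(adj, src, dst, removed):
    """True if dst is still reachable from src after deleting the nodes in `removed`."""
    if src in removed or dst in removed:
        return False
    seen, stack = {src}, [src]
    while stack:
        u = stack.pop()
        if u == dst:
            return True
        for v in adj[u]:
            if v not in removed and v not in seen:
                seen.add(v)
                stack.append(v)
    return False


def sniff_probabilities(edges, src, dst, n):
    """Exact (P_traditional, P_hop) for an attacker sniffing n nodes chosen uniformly.

    Traditional network: complete data is obtained iff a sniffed node lies on the
    fixed shortest path.  DHC (assumed to hop over every simple src->dst path):
    complete data is obtained iff every path is intercepted, i.e. the sniffed set
    contains src or dst, or is a vertex cut separating them.
    """
    adj = build_adjacency(edges)
    nodes = sorted(adj)
    on_path = set(shortest_path(adj, src, dst))
    total = comb(len(nodes), n)
    trad_hits = hop_hits = 0
    for subset in combinations(nodes, n):
        chosen = set(subset)
        if chosen & on_path:
            trad_hits += 1
        if not reachable_avoiding(adj, src, dst, chosen):
            hop_hits += 1
    return Fraction(trad_hits, total), Fraction(hop_hits, total)


def p_traditional_closed_form(m, s, n):
    """(C^n_m - C^n_{m-s}) / C^n_m, the Appendix's expression for P_traditional."""
    return Fraction(comb(m, n) - comb(m - s, n), comb(m, n))


def compare_all(edges=EDGES, src=SRC, dst=DST):
    """Rows (n, P_traditional, P_hop) for n = 1..m; the enumerated P_traditional is
    cross-checked against the closed form, and P_hop <= P_traditional is expected
    on every row (the proposition proved in the Appendix)."""
    adj = build_adjacency(edges)
    m, s = len(adj), len(shortest_path(adj, src, dst))
    rows = []
    for n in range(1, m + 1):
        p_trad, p_hop = sniff_probabilities(edges, src, dst, n)
        assert p_trad == p_traditional_closed_form(m, s, n)
        rows.append((n, p_trad, p_hop))
    return rows


if __name__ == "__main__":
    for n, p_trad, p_hop in compare_all():
        print(f"n={n}: P_traditional={float(p_trad):.3f}  P_hop={float(p_hop):.3f}")
```

On this grid the fixed shortest path has $s = 5$ nodes out of $m = 8$, so a single sniffed node succeeds with probability $5/8$ against the traditional network but only $2/8$ against DHC (only the two end nodes intercept every path), and both probabilities reach 1 once $n > m - s$; the gap is exactly the $Q^{n}_{\text{src,dst}}$ term of the Appendix, which the enumeration counts directly instead of bounding.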

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work is supported by the National Natural Science Foundation of China (nos. 61379151, 61272489, 61302159, and 61401512), the National Cryptography Development Fund of China (no. MMJJ201301005), the National Basic Research Program of China (973) (Grants nos. 2012CB315901 and 2013CB329104), and the National Natural Science Foundation of China (Grants nos. 61309019 and 61372121).

References

[1] National Cyber Leap Year Summit 2009 Co-Chairs' Report, "Networking and information technology research and development," Tech. Rep., 2009.

[2] T. Cyberspace, Strategic Plan for the Federal Cybersecurity Research and Development Program, Executive Office of the President, National Science and Technology Council, Washington, DC, USA, 2011.

[3] S. Jajodia, A. K. Ghosh, V. Swarup, C. Wang, and X. S. Wang, Moving Target Defense: Creating Asymmetric Uncertainty for Cyber Threats, vol. 54, Springer Science & Business Media, New York, NY, USA, 2011.

[4] E. Al-Shaer, "Toward network configuration randomization for moving target defense," in Moving Target Defense, vol. 54 of Advances in Information Security, pp. 153–159, Springer, New York, NY, USA, 2011.

[5] P. Kampanakis, H. Perros, and T. Beyene, "SDN-based solutions for Moving Target Defense network protection," in Proceedings of the 15th IEEE International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM '14), pp. 1–6, Sydney, Australia, June 2014.

[6] M. Atighetchi, P. Pal, F. Webber, and C. Jones, "Adaptive use of network-centric mechanisms in cyber-defense," in Proceedings of the 6th IEEE International Symposium on Object-Oriented Real-Time Distributed Computing, pp. 183–192, Hokkaido, Japan, May 2003.

[7] J. H. Jafarian, E. Al-Shaer, and Q. Duan, "Openflow random host mutation: transparent moving target defense using software defined networking," in Proceedings of the 1st Workshop on Hot Topics in Software Defined Networks (HotSDN '12), pp. 127–132, ACM, Helsinki, Finland, August 2012.

[8] Q. Duan, E. Al-Shaer, and H. Jafarian, "Efficient Random Route Mutation considering flow and network constraints," in Proceedings of the IEEE Conference on Communications and Network Security (CNS '13), pp. 260–268, IEEE, National Harbor, Md, USA, October 2013.

[9] E. Al-Shaer, Q. Duan, and J. H. Jafarian, "Random host mutation for moving target defense," in Security and Privacy in Communication Networks, pp. 310–327, Springer, New York, NY, USA, 2013.

[10] G. Badishi, A. Herzberg, and I. Keidar, "Keeping denial-of-service attackers in the dark," IEEE Transactions on Dependable and Secure Computing, vol. 4, no. 3, pp. 191–204, 2007.

[11] H. Wang, Q. Jia, D. Fleck, W. Powell, F. Li, and A. Stavrou, "A moving target DDoS defense mechanism," Computer Communications, vol. 46, pp. 10–21, 2014.

[12] C.-Y. Hong, S. Kandula, R. Mahajan, et al., "Achieving high utilization with software-driven WAN," ACM SIGCOMM Computer Communication Review, vol. 43, no. 3, pp. 15–26, 2013.

[13] N. McKeown, "Software-defined networking," INFOCOM Keynote Talk, vol. 17, no. 2, pp. 30–32, 2009.

[14] M. Carvalho and R. Ford, "Moving-target defenses for computer networks," IEEE Security & Privacy, vol. 12, no. 2, pp. 73–76, 2014.

[15] M. Sifalakis, S. Schmid, and D. Hutchison, "Network address hopping: a mechanism to enhance data protection for packet communications," in Proceedings of the IEEE International Conference on Communications (ICC '05), vol. 3, pp. 1518–1523, IEEE, Seoul, Republic of Korea, May 2005.

[16] M. Dunlop, S. Groat, W. Urbanski, R. Marchany, and J. Tront, "MT6D: a moving target IPv6 defense," in Proceedings of the Military Communications Conference (MILCOM '11), pp. 1321–1326, IEEE, Baltimore, Md, USA, November 2011.

[17] J. H. Jafarian, E. Al-Shaer, and Q. Duan, "An effective address mutation approach for disrupting reconnaissance attacks," IEEE Transactions on Information Forensics and Security, vol. 10, no. 12, pp. 2562–2577, 2015.

[18] J. H. H. Jafarian, E. Al-Shaer, and Q. Duan, "Spatio-temporal address mutation for proactive cyber agility against sophisticated attackers," in Proceedings of the 1st ACM Workshop on Moving Target Defense (MTD '14), pp. 69–78, Scottsdale, AZ, USA, November 2014.

[19] J. H. Jafarian, E. Al-Shaer, and Q. Duan, "Adversary-aware IP address randomization for proactive agility against sophisticated attackers," in Proceedings of the IEEE Conference on Computer Communications (INFOCOM '15), pp. 738–746, IEEE, April 2015.

[20] D. C. MacFarland and C. A. Shue, "The SDN shuffle: creating a moving-target defense using host-based software-defined networking," in Proceedings of the 2nd ACM Workshop on Moving Target Defense (MTD '15), pp. 37–41, ACM, Denver, Colo, USA, October 2015.

[21] J. Jafarian, E. Al-Shaer, and Q. Duan, "Formal approach for route agility against persistent attackers," in Computer Security – ESORICS 2013, J. Crampton, S. Jajodia, and K. Mayes, Eds., vol. 8134 of Lecture Notes in Computer Science, pp. 237–254, Springer, Berlin, Germany, 2013.

[22] S. Dolev and S. T. David, "SDN-based private interconnection," in Proceedings of the IEEE 13th International Symposium on Network Computing and Applications (NCA '14), 2014.

[23] F. Gillani, E. Al-Shaer, S. Lo, Q. Duan, M. H. Ammar, and E. W. Zegura, "Agile virtualized infrastructure to proactively defend against cyber attacks," in Proceedings of the IEEE Conference on Computer Communications (INFOCOM '15), pp. 729–737, Hong Kong, April-May 2015.

[24] D. Gkounis, V. Kotronis, and X. Dimitropoulos, "Towards defeating the crossfire attack using SDN," http://arxiv.org/abs/1412.2013.

[25] A. Studer and A. Perrig, "The coremelt attack," in Computer Security – ESORICS 2009, vol. 5789 of Lecture Notes in Computer Science, pp. 37–52, Springer, Berlin, Germany, 2009.

[26] B. Lantz, B. Heller, and N. McKeown, "A network in a laptop: rapid prototyping for software-defined networks," in Proceedings of the 9th ACM SIGCOMM Workshop on Hot Topics in Networks, ACM, October 2010.

[27] N. McKeown, T. Anderson, H. Balakrishnan, et al., "OpenFlow: enabling innovation in campus networks," ACM SIGCOMM Computer Communication Review, vol. 38, no. 2, pp. 69–74, 2008.

[28] M. McCauley, "About pox," 2013, http://www.github.com/noxrepo/pox.

[29] S. De Maesschalck, D. Colle, I. Lievens, et al., "Pan-European optical transport networks: an availability-based comparison," Photonic Network Communications, vol. 5, no. 3, pp. 203–225, 2003.

[30] A. Dixit, F. Hao, S. Mukherjee, T. V. Lakshman, and R. Kompella, "Towards an elastic distributed SDN controller," ACM SIGCOMM Computer Communication Review, vol. 43, no. 4, pp. 7–12, 2013.

Submit your manuscripts athttpwwwhindawicom

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

MathematicsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Mathematical Problems in Engineering

Hindawi Publishing Corporationhttpwwwhindawicom

Differential EquationsInternational Journal of

Volume 2014

Applied MathematicsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Mathematical PhysicsAdvances in

Complex AnalysisJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

OptimizationJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Operations ResearchAdvances in

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Function Spaces

Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of Mathematics and Mathematical Sciences

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Algebra

Discrete Dynamics in Nature and Society

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Decision SciencesAdvances in

Discrete MathematicsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Stochastic AnalysisInternational Journal of

Page 10: Research Article SDN-Based Double Hopping Communication ...a random port-hopping (RPH) scheme was proposed to defend DDoS attacks by changing the communication ports. MTD [], proposed

10 Mathematical Problems in Engineering

Table 1 Comparison of packet transmission time between traditional network and DHC network

Approach Average cost of packet transmission time Period of flow update Routing pathTraditional 119905 times 119897

119904Infinite The shortest path from source to destination

DHC 119905 times 119897119886

119879hop Multiple paths from source to destination

the increase of number of flows sniffedThemore data sniffedthe more difficulties for successful data reconstruction Sinceattackers cannot determine the timing of target communi-cation easily due to end hopping longer sniffing time isneeded to obtain complete communication data Thereforelarge amount of irrelevant data is obtained increasing thedifficulty for data reconstruction Given 119891sniff = 100 and119891real = 10 the probability of attackers reconstructing datacorrectly by selecting several flows randomly for one timewould be 789 times 10minus31

64 Analysis of Unpredictability Since the end and routehop randomly in DHC (detailed information is illustratedin Section 43) the end and route used in next period cannot be predicted precisely Under the condition of exposingDHC protocol end hopping space and route hopping spaceDHC can still increase the cost of sniffer attackers andresist sniffer attacks Suppose that an attacker with all theinformation above sniffs the DHC network for a targetcommunication then shewill face the following difficulties inlaunching sniffer attack Firstly even though DHC protocolis transparent to the attacker a targeted sniffer attack cannot be launched thanks to the randomness of end and routehopping Secondly it is hard for the attacker to get completecommunication data during sniffing due to periodical hop-ping of route Thirdly the attacker will get a large number ofends because of frequent end hopping which prevents theattacker from extracting the right packets belonging to thetarget communication when shehe attempts to recover com-munication data So the unpredictability of DHC guaranteesthat it can resist sniffer attack under the condition of exposingDHC protocol and network information

65 Analysis of Cost Under traditional routing schemes thepackets are routed along the shortest path However in DHCnetwork packets may be routed along longer paths due todynamic changing of the route Therefore the cost of packettransmission time is higher in DHC Let 119897

119904denote length (the

length of a routing path is estimated by hops) of the shortestpath between source and destination 119897

119886the average length of

paths in route hopping space (119897119904le 119897119886) and 119879hop the hopping

period then the cost of packet transmission time is shown inTable 1 Moreover random selection of routing is periodicallyconducted by routing path hop of a communication whichresults in a small number of disordered packets at receivingend when a new period starts leaving no obstacles to normalcommunication

Ends and routing paths will be selected in DHC whenflow entries are generated which is more complicated thanthat in traditional networkTherefore time cost of generatingflow entries is higher in DHC Since average path is longer in

Time of flow setup in DHCTime of flow generation in DHCTime of flow setup in traditional networkTime of flow generation in traditional network

0

005

01

015

02

025

Aver

age t

ime o

verh

ead

(ms)

Different node pairs1 rarr16 3rarr 11 4rarr14 5rarr12

Figure 11 Comparison average time cost of flow entries installationin DHC and traditional network

DHC more flow entries are installed for one communicationcompared with traditional network Thus the time cost forflow entries setup is higher in DHC as well In Figure 11 theaverage time cost for installing flow entries between differentnode pairs in topology (shown in Figure 5) of DHC andtraditional network is compared As illustrated in Figure 11the average time for flow entries generation and setup inDHCis longer than that in traditional network

In the network without DHC flow entries are installedonly once at the beginning of communication while in DHCflow entries of data plane are updated periodically and hop-ping ends and paths have to be allocated for any connectionof two communication sides which brings more loads forthe controller In experiment topology 50 pairs of source anddestination hosts are chosen randomly and communicationbetween any pairs is stared The CPU utilization of DHC andtraditional network is compared in Figure 12 If controllerdoes not run DHC the load is low because the flow entryis not periodically updated Therefore the CPU utilization isunder 10 as shown in Figure 12 If a controller runs DHCthe load increases due to periodical updating of flow entriesIt can be found in the figure that CPU utilization is muchhigher when controller runsDHCWhen119879hop = 5 s the CPUutilization is between 20 and 40 and when 119879hop = 10 sthe CPU utilization is between 10 and 30 The shorterhopping period enables more controller operations So when119879hop = 5 s CPUutilization of a controller is higher thanwhen119879hop = 10 s Controller will be the bottleneck when DHC

Mathematical Problems in Engineering 11

No DHCDHCmdashThop = 10 sDHCmdashThop = 5 s

0

10

20

30

40

50

60

CPU

util

izat

ion

()

20 30 40 50 60 70 80 90 10010Run time (s)

Figure 12 CPU utilization of controller

is used in large scale network Fortunately distributed SDNcontroller [30] is a solution to the problem

In traditional network flows are matched only by des-tination addresses So the length of routing tables is anorder of 119874(119898) given the network of 119898 nodes Howeverflows are matched by ends (including sourcedestinationaddress and ports) in DHC meaning that two flows mustbe specified for every connection (TCP or UDP) betweentwo communication sides Let 120582 denote the average speed ofconnection establishment and let 119908 denote the lasting timeof each connection then the mean length of flowtables isan order of 119874(119898120582119908) [7] Moreover to avoid packets lossDHC requires both old and new flow entries in flowtablesimultaneously for a brief period of time during whichthe cost of flowtable space increases Therefore the cost offlowtable space is higher in DHC

7 Conclusion

The centralized control and programmability of SDN makehopping communication easier to realize and deploy In thispaper end hopping and route hopping are combined anddouble hopping communication based on SDN is proposedEnd is changed dynamically in DHC so that the data frommultiple users is mixed and communication traffic can behidden in background traffic So traffic cannot be distin-guished easily and the difficulty for attackers to reconstructand recover data increases In addition the data is transmittedalong multiple paths by changing routing path dynamicallyThe difficulty for attackers to obtain complete communi-cation data is increased Results show that the approachproposed in this paper effectively enables antisniffer More-over DHC is realized completely based on software andalso transparent to terminals Controller bottleneck usuallyoccurs in large scale network of DHC In the future work adistributed controller model will be applied to deal with the

problem and feasible communication solution of DHC willbe tested in real network

Appendix

Suppose there are 119898 nodes in network topology 119866 Attackercan sniff 119899 nodes and the sniffed nodes constitute a sniffednode set 119881119899sniff (|119881119899sniff | = 119899 119899 le 119898) Given the route hoppingspace 1198781198671rarr1198672RH there are 119904 nodes in the shortest path betweensource host 119867

1and destination host 119867

2(119904 le 119898) 119881cut is

a vertex cut-set whose removal splits $G$ into several connected subgraphs with the source forwarding node $node_{\mathrm{src}}$ and the destination forwarding node $node_{\mathrm{dst}}$ in different subgraphs. Let $Q^{n}_{\mathrm{src,dst}}$ be the number of sniffed node sets $V^{n}_{\mathrm{sniff}}$ that contain such a cut-set, $V^{n}_{\mathrm{sniff}} \supseteq V_{\mathrm{cut}}$. Below we prove that the probability that the attacker obtains the complete communication data of one communication in a traditional network is not less than that in DHC, that is, $P_{\mathrm{traditional}} \ge P_{\mathrm{hop}}$.

Proof. We verify $P_{\mathrm{traditional}} \ge P_{\mathrm{hop}}$ by showing $P_{\mathrm{traditional}} - P_{\mathrm{hop}} \ge 0$. Throughout, $C^{k}_{N}$ denotes the binomial coefficient $\binom{N}{k}$, the number of ways to choose $k$ of $N$ nodes, with $C^{k}_{N} = 0$ when $k < 0$ or $k > N$.

Given
$$P_{\mathrm{traditional}} = \frac{C^{n}_{m} - C^{n}_{m-s}}{C^{n}_{m}}, \qquad P_{\mathrm{hop}} = \frac{C^{1}_{2}\,C^{n-1}_{m-2} + C^{2}_{2}\,C^{n-2}_{m-2} + Q^{n}_{\mathrm{src,dst}}}{C^{n}_{m}},$$
we have
$$P_{\mathrm{traditional}} - P_{\mathrm{hop}} = \frac{C^{n}_{m} - C^{n}_{m-s} - \left(C^{1}_{2}\,C^{n-1}_{m-2} + C^{2}_{2}\,C^{n-2}_{m-2} + Q^{n}_{\mathrm{src,dst}}\right)}{C^{n}_{m}}. \tag{A1}$$

Suppose the shortest path from $H_1$ to $H_2$ is $path^{*}$ ($path^{*} \in S^{H_1 \rightarrow H_2}_{\mathrm{RH}}$). If the complete communication data from the source host to the destination host can be sniffed on $V^{n}_{\mathrm{sniff}}$, then for every $path \in S^{H_1 \rightarrow H_2}_{\mathrm{RH}}$ we have $V^{n}_{\mathrm{sniff}} \cap Nodes(path) \neq \emptyset$, where $Nodes(path)$ is the set of nodes that $path$ passes through. Because $path^{*} \in S^{H_1 \rightarrow H_2}_{\mathrm{RH}}$, it follows that $V^{n}_{\mathrm{sniff}} \cap Nodes(path^{*}) \neq \emptyset$; that is, $V^{n}_{\mathrm{sniff}}$ contains at least one node on the shortest path (Conclusion 1).

When $n = 1$, the attacker sniffs one node in the network. From (A1),
$$P_{\mathrm{traditional}} - P_{\mathrm{hop}} = \frac{C^{1}_{m} - C^{1}_{m-s} - \left(C^{1}_{2}\,C^{0}_{m-2} + Q^{1}_{\mathrm{src,dst}}\right)}{C^{1}_{m}}. \tag{A2}$$
In (A2) the denominator $C^{1}_{m} > 0$, and the numerator is
$$C^{1}_{m} - C^{1}_{m-s} - \left(C^{1}_{2}\,C^{0}_{m-2} + Q^{1}_{\mathrm{src,dst}}\right) = m - (m - s) - \left(2 + Q^{1}_{\mathrm{src,dst}}\right) = s - 2 - Q^{1}_{\mathrm{src,dst}}. \tag{A3}$$
By Conclusion 1, $V^{1}_{\mathrm{sniff}} \cap Nodes(path^{*}) \neq \emptyset$; that is, the sniffed node lies on the shortest path. Of the $s$ nodes on the shortest path, at most $s - 2$ (all but $node_{\mathrm{src}}$ and $node_{\mathrm{dst}}$, which by definition are never part of a separating cut-set) can divide the source node and the destination node into different connected subgraphs, so $Q^{1}_{\mathrm{src,dst}} \le s - 2$.

12 Mathematical Problems in Engineering

Therefore (A3) $\ge 0$: the numerator of (A2) is nonnegative, so $P_{\mathrm{traditional}} - P_{\mathrm{hop}} \ge 0$ in (A2).

When $n \ge 2$, the attacker sniffs more than one node in the network. From (A1),
$$P_{\mathrm{traditional}} - P_{\mathrm{hop}} = \frac{C^{n}_{m} - C^{n}_{m-s} - \left(C^{1}_{2}\,C^{n-1}_{m-2} + C^{2}_{2}\,C^{n-2}_{m-2} + Q^{n}_{\mathrm{src,dst}}\right)}{C^{n}_{m}}. \tag{A4}$$
In (A4) the denominator $C^{n}_{m} > 0$, and the numerator is
$$\begin{aligned}
& C^{n}_{m} - C^{n}_{m-s} - \left(C^{1}_{2}\,C^{n-1}_{m-2} + C^{2}_{2}\,C^{n-2}_{m-2} + Q^{n}_{\mathrm{src,dst}}\right) \\
&= C^{n}_{m} - C^{n}_{m-s} - 2\,C^{n-1}_{m-2} - C^{n-2}_{m-2} - Q^{n}_{\mathrm{src,dst}} \\
&= C^{n}_{m-2} - C^{n}_{m-s} - Q^{n}_{\mathrm{src,dst}},
\end{aligned} \tag{A5}$$
where the last step uses $C^{n}_{m} = C^{n}_{m-2} + 2\,C^{n-1}_{m-2} + C^{n-2}_{m-2}$ (every $n$-subset of the $m$ nodes contains zero, one, or both of $node_{\mathrm{src}}$ and $node_{\mathrm{dst}}$).

By definition, $Q^{n}_{\mathrm{src,dst}}$ is the number of sets $V^{n}_{\mathrm{sniff}}$ that divide $node_{\mathrm{src}}$ and $node_{\mathrm{dst}}$ into different connected subgraphs, so $node_{\mathrm{src}}$ and $node_{\mathrm{dst}}$ do not belong to such a $V^{n}_{\mathrm{sniff}}$. $C^{n}_{m-2}$ is the number of all $V^{n}_{\mathrm{sniff}}$ satisfying both $node_{\mathrm{src}} \notin V^{n}_{\mathrm{sniff}}$ and $node_{\mathrm{dst}} \notin V^{n}_{\mathrm{sniff}}$, and $C^{n}_{m-2-(s-2)} = C^{n}_{m-s}$ is the number of those sets that additionally satisfy $V^{n}_{\mathrm{sniff}} \cap Nodes(path^{*}) = \emptyset$ (they avoid the $s - 2$ interior nodes of the shortest path). By Conclusion 1, every set counted by $Q^{n}_{\mathrm{src,dst}}$ has $V^{n}_{\mathrm{sniff}} \cap Nodes(path^{*}) \neq \emptyset$, so $Q^{n}_{\mathrm{src,dst}} \le C^{n}_{m-2} - C^{n}_{m-2-(s-2)}$ and (A5) $\ge 0$. The numerator of (A4) is therefore nonnegative, and $P_{\mathrm{traditional}} - P_{\mathrm{hop}} \ge 0$ in (A4).

In conclusion, $P_{\mathrm{traditional}} - P_{\mathrm{hop}} \ge 0$, that is, $P_{\mathrm{traditional}} \ge P_{\mathrm{hop}}$.
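The inequality just proved can be checked by exhaustive enumeration on a small topology. The following Python script is an added example, not code from the paper: it assumes a constructed 8-node undirected topology (`EDGES`, `SRC` and `DST` are my own choices), takes the route hopping space to be all simple src-dst paths in that topology, and counts, for every $n$-node sniffed set, whether the attacker sees the complete data under a static shortest-path route and under route hopping. The brute-force counts are cross-checked against the closed forms behind (A1) and the simplified numerator (A5).

```python
"""Brute-force check of the appendix inequality P_traditional >= P_hop.

Added example (not code from the paper): it enumerates every n-node sniffed set
on a small constructed topology, counts the sets that capture the complete
src->dst data under a static route and under route hopping, and cross-checks
the counts against the closed forms C^n_m - C^n_{m-s} and
C^1_2 C^{n-1}_{m-2} + C^2_2 C^{n-2}_{m-2} + Q^n_{src,dst} used in (A1).
"""
from collections import deque
from itertools import combinations
from math import comb


def C(N, k):
    """Binomial coefficient C^k_N in the paper's notation; 0 outside 0 <= k <= N."""
    return comb(N, k) if 0 <= k <= N else 0


# Constructed topology (assumption, not from the paper): 8 forwarding nodes,
# undirected unit-cost links. src = 0, dst = 7. The unique shortest path is
# 0-1-2-7 (s = 4 nodes); the detour 0-3-4-5-6-7 plus chords 1-4 and 2-6 give
# the route hopping space several alternative paths.
EDGES = [(0, 1), (1, 2), (2, 7), (0, 3), (3, 4), (4, 5), (5, 6), (6, 7), (1, 4), (2, 6)]
SRC, DST = 0, 7


def adjacency(edges):
    adj = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj


def shortest_path(adj, src, dst):
    """BFS shortest path: the fixed route a traditional network keeps using."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        u = queue.popleft()
        if u == dst:
            break
        for v in sorted(adj[u]):
            if v not in prev:
                prev[v] = u
                queue.append(v)
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def still_connected(adj, src, dst, sniffed):
    """True if some src->dst path avoids every sniffed node.

    A sniffed set that contains src, dst, or a vertex cut between them
    intersects every path in the hopping space, which is what Conclusion 1
    requires for the attacker to see all of the data.
    """
    if src in sniffed or dst in sniffed:
        return False
    seen, queue = {src}, deque([src])
    while queue:
        u = queue.popleft()
        if u == dst:
            return True
        for v in adj[u]:
            if v not in seen and v not in sniffed:
                seen.add(v)
                queue.append(v)
    return False


def sniff_probabilities(edges, src, dst, n):
    """Return (P_traditional, P_hop, Q^n_{src,dst}, numerator of (A5))."""
    adj = adjacency(edges)
    nodes = sorted(adj)
    m = len(nodes)
    path_star = set(shortest_path(adj, src, dst))
    s = len(path_star)
    hit_static = hit_hopping = q_cut = 0
    for sniff in combinations(nodes, n):
        sniffed = set(sniff)
        if sniffed & path_star:            # static route: one node of path* suffices
            hit_static += 1
        if not still_connected(adj, src, dst, sniffed):
            hit_hopping += 1               # route hopping: must cut every path
            if src not in sniffed and dst not in sniffed:
                q_cut += 1                 # counted by Q^n_{src,dst}
    total = C(m, n)
    # Brute-force counts must agree with the closed forms behind (A1).
    assert hit_static == C(m, n) - C(m - s, n)
    assert hit_hopping == C(2, 1) * C(m - 2, n - 1) + C(2, 2) * C(m - 2, n - 2) + q_cut
    a5 = C(m - 2, n) - C(m - s, n) - q_cut    # simplified numerator (A5)
    assert a5 == hit_static - hit_hopping
    return hit_static / total, hit_hopping / total, q_cut, a5


if __name__ == "__main__":
    for n in range(1, 9):
        p_trad, p_hop, q, a5 = sniff_probabilities(EDGES, SRC, DST, n)
        print(f"n={n}: P_traditional={p_trad:.3f} P_hop={p_hop:.3f} Q={q} (A5)={a5}")
        assert p_trad >= p_hop
```

Running it prints $P_{\mathrm{traditional}}$ and $P_{\mathrm{hop}}$ for $n = 1, \dots, 8$; the gap (A5) is exactly the number of sniffed sets that touch the shortest path without owning an endpoint or a vertex cut, which is the extra cost DHC imposes on the attacker. Note that the proof bounds only complete capture: an attacker sitting on $path^{*}$ still sees whatever fraction of the hops is routed through it, and that partial-recovery case is not covered by the inequality.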

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work is supported by the National Natural Science Foundation of China (nos. 61379151, 61272489, 61302159, and 61401512), the National Cryptography Development Fund of China (no. MMJJ201301005), the National Basic Research Program of China (973) (Grants nos. 2012CB315901 and 2013CB329104), and the National Natural Science Foundation of China (Grants nos. 61309019 and 61372121).

References

[1] National Cyber Leap Year Summit 2009 Co-Chairs' Report, "Networking and information technology research and development," Tech. Rep., 2009.

[2] T. Cyberspace, Strategic Plan for the Federal Cybersecurity Research and Development Program, Executive Office of the President, National Science and Technology Council, Washington, DC, USA, 2011.

[3] S. Jajodia, A. K. Ghosh, V. Swarup, C. Wang, and X. S. Wang, Moving Target Defense: Creating Asymmetric Uncertainty for Cyber Threats, vol. 54, Springer Science & Business Media, New York, NY, USA, 2011.

[4] E. Al-Shaer, "Toward network configuration randomization for moving target defense," in Moving Target Defense, vol. 54 of Advances in Information Security, pp. 153–159, Springer, New York, NY, USA, 2011.

[5] P. Kampanakis, H. Perros, and T. Beyene, "SDN-based solutions for Moving Target Defense network protection," in Proceedings of the 15th IEEE International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM '14), pp. 1–6, Sydney, Australia, June 2014.

[6] M. Atighetchi, P. Pal, F. Webber, and C. Jones, "Adaptive use of network-centric mechanisms in cyber-defense," in Proceedings of the 6th IEEE International Symposium on Object-Oriented Real-Time Distributed Computing, pp. 183–192, Hokkaido, Japan, May 2003.

[7] J. H. Jafarian, E. Al-Shaer, and Q. Duan, "OpenFlow random host mutation: transparent moving target defense using software defined networking," in Proceedings of the 1st Workshop on Hot Topics in Software Defined Networks (HotSDN '12), pp. 127–132, ACM, Helsinki, Finland, August 2012.

[8] Q. Duan, E. Al-Shaer, and H. Jafarian, "Efficient Random Route Mutation considering flow and network constraints," in Proceedings of the IEEE Conference on Communications and Network Security (CNS '13), pp. 260–268, IEEE, National Harbor, Md, USA, October 2013.

[9] E. Al-Shaer, Q. Duan, and J. H. Jafarian, "Random host mutation for moving target defense," in Security and Privacy in Communication Networks, pp. 310–327, Springer, New York, NY, USA, 2013.

[10] G. Badishi, A. Herzberg, and I. Keidar, "Keeping denial-of-service attackers in the dark," IEEE Transactions on Dependable and Secure Computing, vol. 4, no. 3, pp. 191–204, 2007.

[11] H. Wang, Q. Jia, D. Fleck, W. Powell, F. Li, and A. Stavrou, "A moving target DDoS defense mechanism," Computer Communications, vol. 46, pp. 10–21, 2014.

[12] C.-Y. Hong, S. Kandula, R. Mahajan et al., "Achieving high utilization with software-driven WAN," ACM SIGCOMM Computer Communication Review, vol. 43, no. 3, pp. 15–26, 2013.

[13] N. McKeown, "Software-defined networking," INFOCOM Keynote Talk, vol. 17, no. 2, pp. 30–32, 2009.

[14] M. Carvalho and R. Ford, "Moving-target defenses for computer networks," IEEE Security & Privacy, vol. 12, no. 2, pp. 73–76, 2014.

[15] M. Sifalakis, S. Schmid, and D. Hutchison, "Network address hopping: a mechanism to enhance data protection for packet communications," in Proceedings of the IEEE International Conference on Communications (ICC '05), vol. 3, pp. 1518–1523, IEEE, Seoul, Republic of Korea, May 2005.

[16] M. Dunlop, S. Groat, W. Urbanski, R. Marchany, and J. Tront, "MT6D: a moving target IPv6 defense," in Proceedings of the Military Communications Conference (MILCOM '11), pp. 1321–1326, IEEE, Baltimore, Md, USA, November 2011.

[17] J. H. Jafarian, E. Al-Shaer, and Q. Duan, "An effective address mutation approach for disrupting reconnaissance attacks," IEEE Transactions on Information Forensics and Security, vol. 10, no. 12, pp. 2562–2577, 2015.

[18] J. H. H. Jafarian, E. Al-Shaer, and Q. Duan, "Spatio-temporal address mutation for proactive cyber agility against sophisticated attackers," in Proceedings of the 1st ACM Workshop on Moving Target Defense (MTD '14), pp. 69–78, Scottsdale, AZ, USA, November 2014.

[19] J. H. Jafarian, E. Al-Shaer, and Q. Duan, "Adversary-aware IP address randomization for proactive agility against sophisticated attackers," in Proceedings of the IEEE Conference on Computer Communications (INFOCOM '15), pp. 738–746, IEEE, April 2015.

[20] D. C. MacFarland and C. A. Shue, "The SDN shuffle: creating a moving-target defense using host-based software-defined networking," in Proceedings of the 2nd ACM Workshop on Moving Target Defense (MTD '15), pp. 37–41, ACM, Denver, Colo, USA, October 2015.

[21] J. Jafarian, E. Al-Shaer, and Q. Duan, "Formal approach for route agility against persistent attackers," in Computer Security – ESORICS 2013, J. Crampton, S. Jajodia, and K. Mayes, Eds., vol. 8134 of Lecture Notes in Computer Science, pp. 237–254, Springer, Berlin, Germany, 2013.

[22] S. Dolev and S. T. David, "SDN-based private interconnection," in Proceedings of the IEEE 13th International Symposium on Network Computing and Applications (NCA '14), 2014.

[23] F. Gillani, E. Al-Shaer, S. Lo, Q. Duan, M. H. Ammar, and E. W. Zegura, "Agile virtualized infrastructure to proactively defend against cyber attacks," in Proceedings of the IEEE Conference on Computer Communications (INFOCOM '15), pp. 729–737, Hong Kong, April–May 2015.

[24] D. Gkounis, V. Kotronis, and X. Dimitropoulos, "Towards defeating the crossfire attack using SDN," http://arxiv.org/abs/1412.2013.

[25] A. Studer and A. Perrig, "The coremelt attack," in Computer Security – ESORICS 2009, vol. 5789 of Lecture Notes in Computer Science, pp. 37–52, Springer, Berlin, Germany, 2009.

[26] B. Lantz, B. Heller, and N. McKeown, "A network in a laptop: rapid prototyping for software-defined networks," in Proceedings of the 9th ACM SIGCOMM Workshop on Hot Topics in Networks, ACM, October 2010.

[27] N. McKeown, T. Anderson, H. Balakrishnan et al., "OpenFlow: enabling innovation in campus networks," ACM SIGCOMM Computer Communication Review, vol. 38, no. 2, pp. 69–74, 2008.

[28] M. McCauley, "About POX," 2013, http://www.github.com/noxrepo/pox.

[29] S. De Maesschalck, D. Colle, I. Lievens et al., "Pan-European optical transport networks: an availability-based comparison," Photonic Network Communications, vol. 5, no. 3, pp. 203–225, 2003.

[30] A. Dixit, F. Hao, S. Mukherjee, T. V. Lakshman, and R. Kompella, "Towards an elastic distributed SDN controller," ACM SIGCOMM Computer Communication Review, vol. 43, no. 4, pp. 7–12, 2013.


Page 11: Research Article SDN-Based Double Hopping Communication ...a random port-hopping (RPH) scheme was proposed to defend DDoS attacks by changing the communication ports. MTD [], proposed

Mathematical Problems in Engineering 11

No DHCDHCmdashThop = 10 sDHCmdashThop = 5 s

0

10

20

30

40

50

60

CPU

util

izat

ion

()

20 30 40 50 60 70 80 90 10010Run time (s)

Figure 12 CPU utilization of controller

is used in large scale network Fortunately distributed SDNcontroller [30] is a solution to the problem

In traditional network flows are matched only by des-tination addresses So the length of routing tables is anorder of 119874(119898) given the network of 119898 nodes Howeverflows are matched by ends (including sourcedestinationaddress and ports) in DHC meaning that two flows mustbe specified for every connection (TCP or UDP) betweentwo communication sides Let 120582 denote the average speed ofconnection establishment and let 119908 denote the lasting timeof each connection then the mean length of flowtables isan order of 119874(119898120582119908) [7] Moreover to avoid packets lossDHC requires both old and new flow entries in flowtablesimultaneously for a brief period of time during whichthe cost of flowtable space increases Therefore the cost offlowtable space is higher in DHC

7 Conclusion

The centralized control and programmability of SDN makehopping communication easier to realize and deploy In thispaper end hopping and route hopping are combined anddouble hopping communication based on SDN is proposedEnd is changed dynamically in DHC so that the data frommultiple users is mixed and communication traffic can behidden in background traffic So traffic cannot be distin-guished easily and the difficulty for attackers to reconstructand recover data increases In addition the data is transmittedalong multiple paths by changing routing path dynamicallyThe difficulty for attackers to obtain complete communi-cation data is increased Results show that the approachproposed in this paper effectively enables antisniffer More-over DHC is realized completely based on software andalso transparent to terminals Controller bottleneck usuallyoccurs in large scale network of DHC In the future work adistributed controller model will be applied to deal with the

problem and feasible communication solution of DHC willbe tested in real network

Appendix

Suppose there are 119898 nodes in network topology 119866 Attackercan sniff 119899 nodes and the sniffed nodes constitute a sniffednode set 119881119899sniff (|119881119899sniff | = 119899 119899 le 119898) Given the route hoppingspace 1198781198671rarr1198672RH there are 119904 nodes in the shortest path betweensource host 119867

1and destination host 119867

2(119904 le 119898) 119881cut is

a vertex cut-set by which 119866 is cut into several connectedsubgraphs and source forwarding node 119899119900119889119890src and desti-nation forwarding node 119899119900119889119890dst are in different subgraphsSuppose there are 119876119899srcdst sniffed node set 119881119899sniff satisfying119881119899

sniff supe 119881cut Proof of the probability that attacker can obtaincomplete communication data in traditional network in onecommunication which is not less than that in DHCmdashthat is119875traditional ge 119875hopmdashis shown below

Proof Verify that 119875traditional ge 119875hop andmake sure 119875traditionalminus119875hop ge 0

Given 119875traditional = (119862119899

119898minus 119862119899

119898minus119904)119862119899

119898 119875hop = (119862

1

2119862119899minus1

119898minus2+

1198622

2119862119899minus2

119898minus2+ 119876119899

srcdst)119862119899

119898 we have

119875traditional minus 119875hop

=

119862119899

119898minus 119862119899

119898minus119904minus (1198621

2119862119899minus1

119898minus2+ 1198622

2119862119899minus2

119898minus2+ 1198761

srcdst)

119862119899

119898

(A1)

Suppose the shortest path from 1198671to 1198672is 119901119886119905ℎlowast

(119901119886119905ℎlowast isin 1198781198671rarr1198672RH ) The complete communication data fromsource host to destination host can be sniffed on 119881119899sniff thenforall119901119886119905ℎ isin 119878

1198671rarr1198672

RH there exists 119881119899sniff cap 119873119900119889119890119904(119901119886119905ℎ) =

where 119873119900119889119890119904(119901119886119905ℎ) represents the set of nodes that119875119886119905ℎ passes Because 119901119886119905ℎlowast isin 119878

1198671rarr1198672

RH then 119881119899sniff cap119873119900119889119890119904(119901119886119905ℎ

lowast) = that is 119881119899sniff contains at least one node

on the shortest path (Conclusion 1)When 119899 = 1 attack sniffs 1 node in the network Then

based on (A1) we have

119875traditional minus 119875hop

=

1198621

119898minus 1198621

119898minus119904minus (1198621

21198620

119898minus2+ 1198761

srcdst)

1198621

119898

(A2)

In (A2) the denominator 1198621119898gt 0 and the numerator is as

follows

1198621

119898minus 1198621

119898minus119904minus (1198621

21198620

119898minus2+ 1198761

srcdst)

= 119898 minus (119898 minus 119904) minus (2 + 1198761

srcdst) = 119904 minus 2 minus 1198761

srcdst(A3)

Known by Conclusion 1 1198811sniff cap 119873119900119889119890119904(119901119886119905ℎlowast) = that

is the sniffed node is on the shortest path In the 119904 nodeson the shortest path the number of 1198811sniff which can dividesource node and destination node into different connectedsubgraphs is not more than 119904 minus 2 that is 1198761srcdst le 119904 minus 2 So

12 Mathematical Problems in Engineering

(A3) ge 0 can be got The numerator of (A2) is not less than0 then in (A2) 119875traditional minus 119875hop ge 0

When 119899 ge 2 attack sniffs more than 1 node in thenetwork Then based on (A1) we have

119875traditional minus 119875hop

=

119862119899

119898minus 119862119899

119898minus119904minus (1198621

2119862119899minus1

119898minus2+ 1198622

2119862119899minus2

119898minus2+ 119876119899

srcdst)

119862119899

119898

(A4)

In (A4) denominator 119862119899119898gt 0 and the numerator is as

follows

119862119899

119898minus 119862119899

119898minus119904minus (1198621

2119862119899minus1

119898minus2+ 1198622

2119862119899minus2

119898minus2+ 119876119899

srcdst)

= 119862119899

119898minus 119862119899

119898minus119904minus 2119862119899minus1

119898minus2minus 119862119899minus2

119898minus2minus 119876119899

srcdst

= 119862119899

119898minus2minus 119862119899

119898minus119904minus 119876119899

srcdst

(A5)

According to the definition 119876119899srcdst is the number of those119881119899

sniff which can divide 119899119900119889119890src and 119899119900119889119890dst into differentconnected subgraphs So 119899119900119889119890src and 119899119900119889119890dst do not belongto such 119881119899sniff 119862

119899

119898minus2is the number of all 119881119899sniff satisfying both

119899119900119889119890src notin 119881119899

sniff and 119899119900119889119890dst notin 119881119899

sniff 119862119899

119898minus2minus(119904minus2)is the number

of 119881119899sniff satisfying 119881119899sniff cap 119873119900119889119890119904(119901119886119905ℎlowast) = Known by

Conclusion 1 119881119899sniff cap 119873119900119889119890119904(119901119886119905ℎlowast) = then 119876119899srcdst is

not more than 119862119899119898minus2

minus 119862119899

119898minus2minus(119904minus2) So (A5) ge 0 can be got

The numerator of (A4) is not less than 0 then in (A4)119875traditional minus 119875hop ge 0

In conclusion 119875traditional minus 119875hop ge 0 that is 119875traditional ge119875hop

Conflict of Interests

The authors declare that there is no conflict of interestsregarding the publication of this paper

Acknowledgments

This work is supported by the National Natural ScienceFoundation of China (nos 61379151 61272489 61302159and 61401512) andThe National Cryptography DevelopmentFund of China (no MMJJ201301005) The National BasicResearch Program of China (973) (Grants nos 2012CB315901and 2013CB329104) andThe National Natural Science Foun-dation of China (Grants nos 61309019 and 61372121)

References

[1] National Cyber Leap Year Summit 2009 Co-Chairsrsquo ReportldquoNetworking and information technology research and devel-opmentrdquo Tech Rep 2009

[2] T Cyberspace Strategic Plan for the Federal CybersecurityResearch and Development Program Executive Office of thePresident National Science and Technology Council Washing-ton DC USA 2011

[3] S Jajodia A K Ghosh V Swarup C Wang and X S WangMoving Target Defense Creating Asymmetric Uncertainty forCyberThreats vol 54 Springer Science amp Business Media NewYork NY USA 2011

[4] E Al-Shaer ldquoToward network configuration randomization formoving target defenserdquo in Moving Target Defense vol 54 ofAdvances in Information Security pp 153ndash159 Springer NewYork NY USA 2011

[5] P Kampanakis H Perros and T Beyene ldquoSDN-based solutionsfor Moving Target Defense network protectionrdquo in Proceedingsof the 15th IEEE International Symposium on aWorld ofWirelessMobile and Multimedia Networks (WoWMoM rsquo14) pp 1ndash6Sydney Australia June 2014

[6] M Atighetchi P Pal F Webber and C Jones ldquoAdaptive use ofnetwork-centric mechanisms in cyber-defenserdquo in Proceedingsof the 6th IEEE International Symposium on Object-OrientedReal-Time Distributed Computing pp 183ndash192 HokkaidoJapan May 2003

[7] JH Jafarian EAl-Shaer andQDuan ldquoOpenflow randomhostmutation transparent moving target defense using softwaredefined networkingrdquo in Proceedings of the 1st Workshop on HotTopics in Software Defined Networks (HotSDN rsquo12) pp 127ndash132ACM Helsinki Finland August 2012

[8] Q Duan E Al-Shaer and H Jafarian ldquoEfficient RandomRoute Mutation considering flow and network constraintsrdquoin Proceedings of the IEEE Conference on Communicationsand Network Security (CNS rsquo13) pp 260ndash268 IEEE NationalHarbor Md USA October 2013

[9] EAl-ShaerQDuan and JH Jafarian ldquoRandomhostmutationfor moving target defenserdquo in Security and Privacy in Commu-nication Networks pp 310ndash327 Springer New York NY USA2013

[10] G Badishi A Herzberg and I Keidar ldquoKeeping denial-of-service attackers in the darkrdquo IEEE Transactions on Dependableand Secure Computing vol 4 no 3 pp 191ndash204 2007

[11] H Wang Q Jia D Fleck W Powell F Li and A Stavrou ldquoAmoving target DDoS defense mechanismrdquo Computer Commu-nications vol 46 pp 10ndash21 2014

[12] C-Y Hong S Kandula R Mahajan et al ldquoAchieving highutilization with software-drivenWANrdquoACM SIGCOMMCom-puter Communication Review vol 43 no 3 pp 15ndash26 2013

[13] N McKeown ldquoSoftware-defined networkingrdquo INFOCOMKeynote Talk vol 17 no 2 pp 30ndash32 2009

[14] M Carvalho and R Ford ldquoMoving-target defenses for com-puter networksrdquo IEEE Security amp Privacy vol 12 no 2 pp 73ndash76 2014

[15] M Sifalakis S Schmid and D Hutchison ldquoNetwork addresshopping a mechanism to enhance data protection for packetcommunicationsrdquo in Proceedings of the IEEE InternationalConference on Communications (ICC rsquo05) vol 3 pp 1518ndash1523IEEE Seoul Republic of Korea May 2005

[16] M Dunlop S Groat W Urbanski R Marchany and J TrontldquoMT6D a moving target IPv6 defenserdquo in Proceedings of theMilitary Communications Conference (MILCOM rsquo11) pp 1321ndash1326 IEEE Baltimore Md USA November 2011

[17] J H Jafarian E Al-Shaer and Q Duan ldquoAn effective addressmutation approach for disrupting reconnaissance attacksrdquo IEEETransactions on Information Forensics and Security vol 10 no12 pp 2562ndash2577 2015

[18] J H H Jafarian E Al-Shaer and Q Duan ldquoSpatio-temporaladdress mutation for proactive cyber agility against sophisti-cated attackersrdquo in Proceedings of the 1st ACM Workshop onMoving Target Defense (MTD rsquo14) pp 69ndash78 Scottsdale AZUSA November 2014

Mathematical Problems in Engineering 13

[19] J H Jafarian E Al-Shaer and Q Duan ldquoAdversary-awareIP address randomization for proactive agility against sophis-ticated attackersrdquo in Proceedings of the IEEE Conference onComputer Communications (INFOCOM rsquo15) pp 738ndash746 IEEEApril 2015

[20] D C MacFarland and C A Shue ldquoThe SDN shuffle creatinga moving-target defense using host-based software-definednetworkingrdquo in Proceedings of the 2nd ACM Workshop onMoving Target Defense (MTD rsquo15) pp 37ndash41 ACM DenverColo USA October 2015

[21] J Jafarian EAl-Shaer andQDuan ldquoFormal approach for routeagility against persistent attackersrdquo in Computer SecuritymdashESORICS 2013 J Crampton S Jajodia and K Mayes Edsvol 8134 of Lecture Notes in Computer Science pp 237ndash254Springer Berlin Germany 2013

[22] S Dolev and S T David ldquoSDN-based private interconnectionrdquoin Proceedings of the IEEE 13th International Symposium onNetwork Computing and Applications (NCA rsquo14) 2014

[23] F Gillani E Al-Shaer S Lo Q Duan M H Ammar and E WZegura ldquoAgile virtualized infrastructure to proactively defendagainst cyber attacksrdquo in Proceedings of the IEEE Conference onComputer Communications (INFOCOM rsquo15) pp 729ndash737 HongKong April-May 2015

[24] D Gkounis V Kotronis and X Dimitropoulos ldquoTowardsdefeating the crossfireattack using SDNrdquo httparxivorgabs14122013

[25] A Studer and A Perrig ldquoThe coremelt attackrdquo in ComputerSecuritymdashESORICS 2009 vol 5789 of Lecture Notes in Com-puter Science pp 37ndash52 Springer Berlin Germany 2009

[26] B Lantz B Heller and N McKeown ldquoA network in a laptoprapid prototyping for software-defined networksrdquo in Proceed-ings of the 9th ACM SIGCOMM Workshop on Hot Topics inNetworks ACM October 2010

[27] N McKeown T Anderson H Balakrishnan et al ldquoOpenFlowenabling innovation in campus networksrdquo ACM SIGCOMMComputer Communication Review vol 38 no 2 pp 69ndash742008

[28] M McCauley ldquoAbout poxrdquo 2013 httpwwwgithubcomnoxrepopox

[29] S De Maesschalck D Colle I Lievens et al ldquoPan-Europeanoptical transport networks an availability-based comparisonrdquoPhotonic Network Communications vol 5 no 3 pp 203ndash2252003

[30] A Dixit F Hao S Mukherjee T V Lakshman and R Kom-pella ldquoTowards an elastic distributed SDN controllerrdquo ACMSIGCOMMComputer Communication Review vol 43 no 4 pp7ndash12 2013

Submit your manuscripts athttpwwwhindawicom

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

MathematicsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Mathematical Problems in Engineering

Hindawi Publishing Corporationhttpwwwhindawicom

Differential EquationsInternational Journal of

Volume 2014

Applied MathematicsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Mathematical PhysicsAdvances in

Complex AnalysisJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

OptimizationJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Operations ResearchAdvances in

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Function Spaces

Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of Mathematics and Mathematical Sciences

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Algebra

Discrete Dynamics in Nature and Society

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Decision SciencesAdvances in

Discrete MathematicsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Stochastic AnalysisInternational Journal of

Page 12: Research Article SDN-Based Double Hopping Communication ...a random port-hopping (RPH) scheme was proposed to defend DDoS attacks by changing the communication ports. MTD [], proposed

12 Mathematical Problems in Engineering

(A3) ge 0 can be got The numerator of (A2) is not less than0 then in (A2) 119875traditional minus 119875hop ge 0

When 119899 ge 2 attack sniffs more than 1 node in thenetwork Then based on (A1) we have

119875traditional minus 119875hop

=

119862119899

119898minus 119862119899

119898minus119904minus (1198621

2119862119899minus1

119898minus2+ 1198622

2119862119899minus2

119898minus2+ 119876119899

srcdst)

119862119899

119898

(A4)

In (A4) denominator 119862119899119898gt 0 and the numerator is as

follows

119862119899

119898minus 119862119899

119898minus119904minus (1198621

2119862119899minus1

119898minus2+ 1198622

2119862119899minus2

119898minus2+ 119876119899

srcdst)

= 119862119899

119898minus 119862119899

119898minus119904minus 2119862119899minus1

119898minus2minus 119862119899minus2

119898minus2minus 119876119899

srcdst

= 119862119899

119898minus2minus 119862119899

119898minus119904minus 119876119899

srcdst

(A5)

According to the definition 119876119899srcdst is the number of those119881119899

sniff which can divide 119899119900119889119890src and 119899119900119889119890dst into differentconnected subgraphs So 119899119900119889119890src and 119899119900119889119890dst do not belongto such 119881119899sniff 119862

119899

119898minus2is the number of all 119881119899sniff satisfying both

119899119900119889119890src notin 119881119899

sniff and 119899119900119889119890dst notin 119881119899

sniff 119862119899

119898minus2minus(119904minus2)is the number

of 119881119899sniff satisfying 119881119899sniff cap 119873119900119889119890119904(119901119886119905ℎlowast) = Known by

Conclusion 1 119881119899sniff cap 119873119900119889119890119904(119901119886119905ℎlowast) = then 119876119899srcdst is

not more than 119862119899119898minus2

minus 119862119899

119898minus2minus(119904minus2) So (A5) ge 0 can be got

The numerator of (A4) is not less than 0 then in (A4)119875traditional minus 119875hop ge 0

In conclusion 119875traditional minus 119875hop ge 0 that is 119875traditional ge119875hop

Conflict of Interests

The authors declare that there is no conflict of interestsregarding the publication of this paper

Acknowledgments

This work is supported by the National Natural ScienceFoundation of China (nos 61379151 61272489 61302159and 61401512) andThe National Cryptography DevelopmentFund of China (no MMJJ201301005) The National BasicResearch Program of China (973) (Grants nos 2012CB315901and 2013CB329104) andThe National Natural Science Foun-dation of China (Grants nos 61309019 and 61372121)

References

[1] National Cyber Leap Year Summit 2009 Co-Chairs' Report, "Networking and information technology research and development," Tech. Rep., 2009.

[2] Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development Program, Executive Office of the President, National Science and Technology Council, Washington, DC, USA, 2011.

[3] S. Jajodia, A. K. Ghosh, V. Swarup, C. Wang, and X. S. Wang, Moving Target Defense: Creating Asymmetric Uncertainty for Cyber Threats, vol. 54, Springer Science & Business Media, New York, NY, USA, 2011.

[4] E. Al-Shaer, "Toward network configuration randomization for moving target defense," in Moving Target Defense, vol. 54 of Advances in Information Security, pp. 153–159, Springer, New York, NY, USA, 2011.

[5] P. Kampanakis, H. Perros, and T. Beyene, "SDN-based solutions for Moving Target Defense network protection," in Proceedings of the 15th IEEE International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM '14), pp. 1–6, Sydney, Australia, June 2014.

[6] M. Atighetchi, P. Pal, F. Webber, and C. Jones, "Adaptive use of network-centric mechanisms in cyber-defense," in Proceedings of the 6th IEEE International Symposium on Object-Oriented Real-Time Distributed Computing, pp. 183–192, Hokkaido, Japan, May 2003.

[7] J. H. Jafarian, E. Al-Shaer, and Q. Duan, "Openflow random host mutation: transparent moving target defense using software defined networking," in Proceedings of the 1st Workshop on Hot Topics in Software Defined Networks (HotSDN '12), pp. 127–132, ACM, Helsinki, Finland, August 2012.

[8] Q. Duan, E. Al-Shaer, and H. Jafarian, "Efficient Random Route Mutation considering flow and network constraints," in Proceedings of the IEEE Conference on Communications and Network Security (CNS '13), pp. 260–268, IEEE, National Harbor, Md, USA, October 2013.

[9] E. Al-Shaer, Q. Duan, and J. H. Jafarian, "Random host mutation for moving target defense," in Security and Privacy in Communication Networks, pp. 310–327, Springer, New York, NY, USA, 2013.

[10] G. Badishi, A. Herzberg, and I. Keidar, "Keeping denial-of-service attackers in the dark," IEEE Transactions on Dependable and Secure Computing, vol. 4, no. 3, pp. 191–204, 2007.

[11] H. Wang, Q. Jia, D. Fleck, W. Powell, F. Li, and A. Stavrou, "A moving target DDoS defense mechanism," Computer Communications, vol. 46, pp. 10–21, 2014.

[12] C.-Y. Hong, S. Kandula, R. Mahajan et al., "Achieving high utilization with software-driven WAN," ACM SIGCOMM Computer Communication Review, vol. 43, no. 3, pp. 15–26, 2013.

[13] N. McKeown, "Software-defined networking," INFOCOM Keynote Talk, vol. 17, no. 2, pp. 30–32, 2009.

[14] M. Carvalho and R. Ford, "Moving-target defenses for computer networks," IEEE Security & Privacy, vol. 12, no. 2, pp. 73–76, 2014.

[15] M. Sifalakis, S. Schmid, and D. Hutchison, "Network address hopping: a mechanism to enhance data protection for packet communications," in Proceedings of the IEEE International Conference on Communications (ICC '05), vol. 3, pp. 1518–1523, IEEE, Seoul, Republic of Korea, May 2005.

[16] M. Dunlop, S. Groat, W. Urbanski, R. Marchany, and J. Tront, "MT6D: a moving target IPv6 defense," in Proceedings of the Military Communications Conference (MILCOM '11), pp. 1321–1326, IEEE, Baltimore, Md, USA, November 2011.

[17] J. H. Jafarian, E. Al-Shaer, and Q. Duan, "An effective address mutation approach for disrupting reconnaissance attacks," IEEE Transactions on Information Forensics and Security, vol. 10, no. 12, pp. 2562–2577, 2015.

[18] J. H. H. Jafarian, E. Al-Shaer, and Q. Duan, "Spatio-temporal address mutation for proactive cyber agility against sophisticated attackers," in Proceedings of the 1st ACM Workshop on Moving Target Defense (MTD '14), pp. 69–78, Scottsdale, AZ, USA, November 2014.

Mathematical Problems in Engineering 13

[19] J. H. Jafarian, E. Al-Shaer, and Q. Duan, "Adversary-aware IP address randomization for proactive agility against sophisticated attackers," in Proceedings of the IEEE Conference on Computer Communications (INFOCOM '15), pp. 738–746, IEEE, April 2015.

[20] D. C. MacFarland and C. A. Shue, "The SDN shuffle: creating a moving-target defense using host-based software-defined networking," in Proceedings of the 2nd ACM Workshop on Moving Target Defense (MTD '15), pp. 37–41, ACM, Denver, Colo, USA, October 2015.

[21] J. Jafarian, E. Al-Shaer, and Q. Duan, "Formal approach for route agility against persistent attackers," in Computer Security – ESORICS 2013, J. Crampton, S. Jajodia, and K. Mayes, Eds., vol. 8134 of Lecture Notes in Computer Science, pp. 237–254, Springer, Berlin, Germany, 2013.

[22] S. Dolev and S. T. David, "SDN-based private interconnection," in Proceedings of the IEEE 13th International Symposium on Network Computing and Applications (NCA '14), 2014.

[23] F. Gillani, E. Al-Shaer, S. Lo, Q. Duan, M. H. Ammar, and E. W. Zegura, "Agile virtualized infrastructure to proactively defend against cyber attacks," in Proceedings of the IEEE Conference on Computer Communications (INFOCOM '15), pp. 729–737, Hong Kong, April–May 2015.

[24] D. Gkounis, V. Kotronis, and X. Dimitropoulos, "Towards defeating the crossfire attack using SDN," http://arxiv.org/abs/1412.2013.

[25] A. Studer and A. Perrig, "The coremelt attack," in Computer Security – ESORICS 2009, vol. 5789 of Lecture Notes in Computer Science, pp. 37–52, Springer, Berlin, Germany, 2009.

[26] B. Lantz, B. Heller, and N. McKeown, "A network in a laptop: rapid prototyping for software-defined networks," in Proceedings of the 9th ACM SIGCOMM Workshop on Hot Topics in Networks, ACM, October 2010.

[27] N. McKeown, T. Anderson, H. Balakrishnan et al., "OpenFlow: enabling innovation in campus networks," ACM SIGCOMM Computer Communication Review, vol. 38, no. 2, pp. 69–74, 2008.

[28] M. McCauley, "About pox," 2013, http://www.github.com/noxrepo/pox.

[29] S. De Maesschalck, D. Colle, I. Lievens et al., "Pan-European optical transport networks: an availability-based comparison," Photonic Network Communications, vol. 5, no. 3, pp. 203–225, 2003.

[30] A. Dixit, F. Hao, S. Mukherjee, T. V. Lakshman, and R. Kompella, "Towards an elastic distributed SDN controller," ACM SIGCOMM Computer Communication Review, vol. 43, no. 4, pp. 7–12, 2013.
