Performance and Security Evaluation of a Moving Target Defense Based on a Software-Defined Networking Environment

As cyberattacks continuously threaten conventional defense techniques, Moving Target Defense (MTD) has emerged as a promising countermeasure to defend a system against them by dynamically changing attack surfaces of the system. MTD provides the system a state-of-art security mechanism that increases the attack cost or complexity of the system aiming for reducing vulnerabilities exposed to potential attackers. However, the notion of the proactive and dynamic systems adopting MTD services causes a substantial trade-off between system performance and security effectiveness, compared to conventional defense strategies. The MTD tactics accordingly result in performance degradation (e.g., interruptions of service availability) as one of the drawbacks caused by continuous mutations of the system configuration. Therefore, it is crucial to validate not only the security benefits against system threats but also quality-of-service (QoS) for clients when an MTDenabled system proactively continues to mutate attack surfaces. This paper contributes to (i) developing new security metrics; (ii) measuring both the performance degradation and security effectiveness against potential real attacks (i.e., scanning, HTTP flood, dictionary, and SQL injection attack); and (iii) comparing the proposed job management strategies (i.e., drop and switchover) from a performance and security perspective in a physical SDN testbed.