An SDN-Enabled Pseudo-Honeypot Strategy for Distributed Denial of Service Attacks in Industrial Internet of Things

摘要

Leveraging high-performance software-defined networks (SDNs) to manage industrial Internet of Things (IIoT) devices has become a promising trend; the SDN is expected to be the next generation as a unified and virtualized network platform that provides unprecedented automation, flexibility, and efficiency. As the core of business applications and sensitive data storage, the SDN is vulnerable to distributed denial-of-service (DDoS) attacks in IIoT environment that numerous requests are sent to the SDN to interrupt its services. In the traditional defense systems, honeypots have shown great promises in resisting DDoS attacks. In this paper, we reveal a new attack that can identify honeypots to invalidate their protection. In addition, we analyze the optimal strategies of attackers, so that they can find the best time to carry on attacks. To protect SDN from such a kind of anti-honeypot attacks, we propose a pseudo-honeypot game (PHG) strategy with theoretical performance guarantee. We prove several groups of Bayesian-Nash Equilibrium in the PHG strategy. Moreover, we show that these strategies can achieve the optimal equilibrium between legitimate users and attackers. The proposed honeypot strategies can provide dynamic protection for SDN. Hence, malicious attacks under our strategies can be effectively controlled. Finally, we evaluate our proposals on a testbed, and experimental results show that our proposals can effectively resist DDoS attacks with lower energy consumption compared with the existing methods.