An SDN-Based Fingerprint Hopping Method to Prevent Fingerprinting Attacks

Fingerprinting attacks are one of the most severe threats to the security of networks. Fingerprinting attack aims to obtain the operating system information of target hosts to make preparations for future attacks. In this paper, a fingerprint hopping method (FPH) is proposed based on software-defined networks to defend against fingerprinting attacks. FPH introduces the idea of moving target defense to show a hopping fingerprint toward the fingerprinting attackers. The interaction of the fingerprinting attack and its defense is modeled as a signal game, and the equilibriums of the game are analyzed to develop an optimal defense strategy. Experiments show that FPH can resist fingerprinting attacks effectively.


Introduction
Fingerprinting is a technique that is used to identify the operating system (OS) type and version of a target host and is an essential step for a successful network attack.With the OS information of the target host, the attacker can launch a better-targeted attack.Therefore, fingerprinting attacks are a significant threat to network security.
Fingerprinting attacks explore the OS of a target host based on the traffic from the target host.Different OS implementations and TCP/IP stacks exist; thus, different OS platforms communicate in different patterns, which means that some fields in packet headers are different and can be precisely distinguished by the fingerprinting attacker.The fingerprinting technique can be classified into two main classes: passive fingerprinting and active fingerprinting.A passive fingerprinting attacker sniffs and analyzes traffic from the target hosts and determines the OS type.Reconnaissance tools, such as p0f [1] and SinFP [2], can support this type of fingerprinting, whereas an active fingerprinting attacker sends a set of carefully constructed probes to the target host proactively and collects the response packets to determine the host OS type.Reconnaissance tools, such as Nmap [3] and Xprobe2 [4,5], can be used in active fingerprinting.An attacker can collect much more OS information using active fingerprinting than passive fingerprinting, but active fingerprinting is more likely to be detected by a defender.In both passive and active fingerprinting, a set of packets sent from a target host is collected by the attacker; then, these packets are compared with a range of known OS signatures.If any signature is matched, the OS type can be obtained.
In fingerprinting attacks, a vital assumption is made by an attacker that the fingerprint of the target host is static.In fact, the static nature of the network gives the attacker a large advantage because they have relatively unlimited time and methods to explore the target.However, it is difficult for the defender to deal with every exploration because unknown attack methods always exist.However, if the fingerprint of a host is changed over time, an attacker will observe a dynamic fingerprint while the exploration space [6] of the attacker is enlarged.Thus, the attacker cannot accurately determine the target host OS.This is the idea behind moving target defense (MTD) [7][8][9][10].MTD has recently been proposed to eliminate the asymmetric advantage of attackers, which shifts the attack surface [11] of the system to achieve an unpredictable network, effectively reducing the vulnerability exposure.
In this paper, a fingerprint hopping method (FPH) is proposed using MTD to enhance the host's ability to defend against fingerprinting attacks.First, a terminal-transparent 2 Security and Communication Networks architecture for FPH is constructed based on softwaredefined networks (SDN) [12].Second, the interaction of a fingerprinting attack and defense is modeled as a signal game with consideration given to both active and passive fingerprinting.The equilibriums of the game are analyzed to obtain an optimal defense strategy.Third, an algorithm of selecting defense strategy is described.Experiments show that FPH can effectively defend against fingerprinting attacks.

Related Work
Honeypots are a traditional approach to defend against attackers that are attempting to fingerprint intranet hosts.Researchers use honeypots as a mechanism to deceive fingerprinting attackers and provide activity logs to defend against attacks.La et al. [13] proposed a game-based method for honeypot-enabled networks to defend against sophisticated attackers who attempt to deceive the defender by using different types of attacks.The equilibriums of both single and repeated games are analyzed to determine the optimal defense strategy.To make the best use of honeypot resources, HoneyMix [14], an SDN-based intelligent honeynet, has been proposed by Han et al., which takes advantage of SDN to achieve fine-grained flow control.HoneyMix forwards suspicious packets to a set of honeypots and replies to the attacker with the most desirable responses.Fan et al. [15] proposed a flexible general platform that supports deploying various types of honeypots.A dynamic configuration is used in virtual honeypot management to adapt to the changing network environment.However, these methods can only address attackers who try to communicate with a honeypot.If an attacker fingerprints the target host directly, these defense mechanisms will lose effectiveness.FPH is able to tackle the situation where an attacker has obtained the IP addresses of the target hosts and launched fingerprinting attack directly to the target hosts.
Packet scrubbing is a straightforward method that is used to avoid revealing intranet host information.Smart et al. [16] proposed a fingerprint scrubber to defend fingerprinting attacks.The scrubber removes identifiable information from all the packets in communication to prevent identification of the target host OS.However, this exhaustive defense method degenerates the communication performance because fingerprint scrubber modifies various fields in the packet header that are critical to performance and this method treats a benign sender and an attacker in the same way.Different from fingerprint scrubber, FPH tries to differentiate benign sender from attacker and utilizes game theory to get an optimal defense strategy to reduce the defense cost.Deceiving approaches are another way to defend against fingerprint attackers.These approaches distort the view of the attackers regarding the target host.Rahman et al. [17] proposed a gametheory approach named DeceiveGame to deceive fingerprinting attackers.Two types of senders are considered in this method, and the optimal strategy is obtained based on the equilibrium of the game.DeceiveGame scrubs fingerprint in outgoing packets and some fields of packets are randomized.However, FPH transforms the fingerprint in the packets into another fingerprint so that the attacker will misjudge the OS of target host, which can steer attackers away from the target hosts or deceive them to launch an invalid attack.Albanese et al. [18] proposed a graph-based approach to deceive attackers who are performing target host fingerprinting.The fingerprint of the host changes by manipulating the responses of the attacker's probes, but in a static way.The fingerprint of a host is transformed to another one.Different from this method, FPH hops the fingerprints in real time to achieve a dynamic host fingerprint and brings more obfuscation to the fingerprinting attacks.
MTD-based defense methods change the system surface to increase the cost and complexity for the attackers.Fulp et al. [19] proposed a resilient configuration management that changes the configuration of the host based on an evolutionary algorithm.The vulnerability exposure is reduced, and the cost to the attacker increases.Unlike this method, instead of changing the terminal configuration, FPH transparently diversifies the responses to suspicious traffic, which can be easily deployed.Wang and Wu [20] proposed a sniffer reflector based on SDN to defend against reconnaissance attacks.This method builds a shadow network for suspicious traffic to obfuscate the attacker's view of the network.However, if a false alarm appears, normal communications will be influenced.FPH changes the packet fingerprint instead of its destination, which ensures normal communications even if a false alarm appears.
OF-RHM [21], a flexible IP hopping method based on SDN, has been proposed by Jafarian et al., which can randomly mutate an IP address to defend against scanning attacks.J. Sun and K. Sun [22] proposed a seamless IP randomization method to mitigate reconnaissance attacks.The host IP addresses mutate randomly to confuse attackers; then, legitimate communications are migrated seamlessly and kept alive.However, the above two methods lose their power when it comes to fingerprinting attack, as OS information still can leak even if real IP cannot be sniffed.FPH is able to change the external view of the OSes and limit the information obtained by an attacker.RRM [23,24], a route hopping method, has been proposed by Duan et al., which can protect 90% of traffic flow from being sniffed.Instead of hopping routes in the network, FPH tries to change some attributes of the packets of outgoing traffic to defense fingerprinting attackers.Badishi et al. proposed a random port hopping method [25], which can repel DoS attacks by changing the communication port in an unpredictable way.This method randomizes the port of a packet, but attacker still can analyze the fingerprint through the IP header or TCP options.However, FPH hops the fingerprint in packets dynamically to confuse the attacker.DHC has been proposed in the literature [26], which changes multiple network configurations, including end information and the route, to resist sniffer attackers.But the fingerprint of hosts is not removed.FPH changes multiple fields in the packets and manipulates the attacker's view of the target host's OS.
Similar to proposed work, Kampanakis et al. [27] proposed a novel SDN-based OS hiding method against fingerprinting attack.Their method forges OS fingerprints to confuse attackers based on MTD technique.TCP sequence numbers as well as payload pattern in TCP, UDP, and ICMP are randomized for hiding the OS information.If illegitimate traffic is detected, a random sequence number or payload will be generated to respond to the opponent and a large overhead will be introduced to the attacker.However, a well-elaborated fingerprint hopping strategy may defend the fingerprinting attack with minor defense cost.FPH analyzes the fingerprinting attack and defense game and further provides optimal fingerprint hopping strategies for different situations based on the equilibriums of the game.Then, a strategy selection algorithm is proposed to maximize defense utility.

System Description of FPH
FPH monitors the traffic of each connection and identifies potential fingerprinting attackers based on the traffic pattern.If a communication is considered to have a fingerprinting behavior, the outgoing traffic of the communication will be rerouted and modified to hop their fingerprints.A flexible network configuration is needed to achieve traffic rerouting without communication interruption.
The powerful network management of SDN is used to construct a FPH system, as shown in Figure 1.It is a system that is transparent to the terminals because no terminal modifications are needed.The Controller, IDS, and Fingerprint Hopping Engine are the three main components of FPH.As the manager of the intranet, the Controller takes charge of route management.If fingerprint hopping is needed, the Controller generates corresponding flow entries and installs them on the switches to deliver packets from the protected host to the Fingerprint Hopping Engine.The IDS monitors the network traffic and detects the fingerprinting probes during communication.If any fingerprinting probes are detected, the IDS will inform the Controller to develop a strategy.The Fingerprint Hopping Engine is in charge of modifying fingerprints in response to fingerprinting probes and sending the response packets back to the network.It changes fingerprint in packets by modifying several fields in the packets, such as order of TCP options, the pattern of initial sequence numbers, the initial window size, TTL value, and some application layer protocol fields.
FPH can detect suspicious packets from the Internet and hop the fingerprints of responses when suspicious packets appear.However, some benign communications also have a small number of packets that can be detected as suspicious.If FPH hops fingerprints for all packets in these communications, a heavy load will be placed on the Fingerprint Hopping Engine and a large delay will be introduced into these benign communications.Furthermore, with the knowledge of the strategy of the defender, the fingerprinting attacker will hide his identity to avoid detection by FPH.A sophisticated fingerprinting attacker will try to remain "normal" as a benign user to deceive the defender and carefully conduct fingerprinting to maximize the collection of fingerprint information.However, the defender hopes to allow only benign users to access the host on the intranet and randomly hop the fingerprints of the outgoing packets of any suspicious communication within an appropriate cost.To model this interaction, a fingerprinting attacker and defender game is formulated in the next section.

Fingerprint Attack and Defense Game
When an attacker fingerprints a remote host, two modes can be adopted by the attacker.One mode is the "Normal" mode through which the attacker communicates with the target host in a normal way.In the "Normal" mode, the attacker can obtain limited information about the target host, but the attacker is hard to be detected by the defender because he communicates with the target host as a benign user.On the other hand, the other mode is the "Suspicious" model.In this case, the attacker sends suspicious probes to the target host and much more information about the target OS can be obtained.However, the "Suspicious" mode is much more likely to be detected by the defender because it is one of the attack patterns.
Multiple attackers may present in the network at the same time.For each of them, the interaction with the defender of the network can be modeled as a game.Here, we analyze each attacker-defender pair separately.There are two sender types, fingerprinting attacker and benign user.The fingerprint attacker tries to fingerprint the target host, and the benign user communicates with the host normally on the intranet.
The two types of senders can communicate in two modes, Normal and Suspicious.The receiver is a defender of the intranet who monitors the network traffic and develops the defense strategy.When a fingerprinting behavior appears, the "defense" strategy is adopted to randomly hop the fingerprint of the protected host.Otherwise, an "Abstain" strategy is adopted to allow the sender to communicate with the intranet hosts.

Game Model.
The interaction between the sender and receiver can be formulated as a game.Known from the interaction of the two players, the sender acts first (Normal or Suspicious); then, the receiver can observe the action and take action accordingly.Therefore, the game is a dynamic game.Moreover, the type of sender is private information to the receiver, and the game is an incomplete information game.By observing the actions of the sender, the receiver can infer the type of sender and selects an action (Defense or Abstain) based on the information regarding the sender type.This fingerprinting attack and defense can be modeled as a signaling game, and the definition is as follows.
Definition 1.The fingerprinting attack and defense game is a 5-tuple (Ω, Θ, Σ, , ).Ω = {Sender, Receive} denotes the player set and consists of one sender and one receiver in the game.Θ = {, } is the type space of the sender, where  denotes the fingerprinting attacker and  denotes the benign user.Σ = (  ×   ) × (  ×   ) is the strategy combination space of the game.  = {, } is the signal space of the sender, where  and  denote the Suspicious mode and Normal mode, respectively.  ×   is the strategy space of the sender.For (  ,   : Θ  → [0, 1] is the prior probability over the sender types or the belief of the defender regarding its opponent. = (, 1 − ), where  = P(), 1 −  = P(). = (  ,   ).  : Θ×  ×   → R is the utility function of the sender, and   : Θ×  ×   → R is the utility function of the receiver.
The fingerprinting attack and defense game can be represented as the extensive form shown in Figure 2, where each branch represents a special situation with one type of sender.The nodes connected by the dotted line constitute an information set in which the defender cannot distinguish the nodes because the sender type is unknown.As seen in Figure 2, there are two information sets in this game.The left set is indicated as the  information set, and the right set is indicated as the  information set.
When the attacker fingerprints a host with probes, if the defender takes action , the host OS information will be exposed.The attacker can benefit from this process under the risk of being detected by the defender.For the fingerprinting attacker,   and   are introduced to denote the benefit of the attacker given the signals  and , respectively.  and   denote the cost of the attacker given the two signals, which is caused by the risk.Note that, for the attacker, a suspicious probe will obtain much more information than a normal probe and also increase the risk correspondingly.Therefore, it is assumed that   >   and   >   .Considering a zero sum model, the more the attacker benefits (e.g.,   ), the more losses the defender suffers (e.g., −  ).
For the defender, it is assumed that the fingerprint hopping space of the protected host is Ξ and the size of the hopping space is  = |Ξ|, which means that the defender can randomly select one of  different OS fingerprints to answer the attacker.If the defender replies to a fingerprinting attacker with Ξ, he will receive benefit   () and pay cost   ().  () and   () increase with  because if the fingerprint space is larger, it will be more difficult for the attacker to discover the real fingerprint of the target host and the defender will take more resources, that is monotone increase function.
The utilities of both players in every situation are modeled as Utility = Benefit − Cost.In Figure 2, when the type of sender is  and (, ) is played by the sender and receiver, the cost of the sender is   and the benefit is −  (), which is caused by the hopping fingerprint defense.Therefore, the utility of the sender is −  () −   .The receiver benefits   (), and the cost of the receiver is   (); therefore, the utility of the receiver is   () −   () (  () −   () > 0).When the type of the sender is  and (, ) is played by the sender and receiver, the sender will obtain a hopping fingerprint, so he will obtain benefit −  () and cost   .The receiver benefits   () and cost   (); therefore, the utility of the receiver is   () −   ().When the type of sender is  and (, ) is played by the sender and receiver, the sender achieves benefit   (  > 0) because the benign user communicates with the target host successfully.In this case, the benefit of the receiver is −  because the receiver responds to the sender with real fingerprint information that can be sniffed by a passive fingerprinting attacker.When the type of sender is  and (, ) is played by the sender and receiver, the cost of the sender is   + , where cost  is caused by the delay addition from hopping fingerprints.The benefit of the receiver is   because fingerprint information leakage is prevented using the hopping fingerprint.It is assumed that the utility of the receiver is   −   () > 0. When the type of sender is  and (, ) is played by the sender and receiver, the utility of receiver is assumed to be 0 because the defender neither prevents fingerprint leakage nor takes a defensive measure.Other situations are easy to understand.

Equilibriums Analysis.
As mentioned previously, the interaction between a fingerprinting attack and its defense has been modeled as a signaling game, where Perfect Bayesian Equilibrium (PBE) [28] is used to predict the outcome of the game.PBE describes the complete course of action of both players, which is an optimal strategy for all of the players of the game.None of the players can obtain a higher utility if they deviate from the PBE strategy.In the fingerprinting attack and defense game, a PBE is defined as a strategy combination; that is, PBE ≜ ((  ,    ), (  ,    )) ∈ ∑. (  ,    ) describes the signals for both types of senders and (  ,    ) describes the actions of the receiver as responses to the two potential signals sent by the sender.When the receiver observes a signal from the sender, the posterior probability of the sender type can be computed based on Bayes' rule.In the fingerprinting attack and defense game, the posterior probabilities are defined as (, ), as shown in Figure 2, where (1) In the signal game, a pooling equilibrium means that both types of senders send the same signal.A separating equilibrium is a strategy in which different types of senders send different signals.In this section, all of the pooling equilibriums and separating equilibriums are analyzed for the fingerprinting attack and defense game.

Pooling PBE.
There are two pooling strategies for the sender: (, ) and (, S).The pooling strategy (, ) is examined first.
Proof.The sender pooling strategy (, ) means that the sender plays  in the game regardless of his type.Given the sender strategy (, ), the information set  in Figure 2 is reached and the posterior probability about sender type can be calculated by Bayes' rule, as shown in Using this posterior probability, the expected utility of the two actions of the receiver are shown in the following.( To ensure that the sender has no intention to deviate from signal , we verified whether  can provide higher utility for a sender of any type.If  is the sender signal, the information set  in Figure 2 From ( 5) and ( 7),   (, , ) >   (, , ) and   (, , ) >   (, , ) can be obtained, which mean that the signal  can provide higher utility for both sender types.Therefore, the sender will not deviate from ; that is, ((, )(, )) is a pooling PBE of the game if  ≥   ()/(  () +   ).

Theorem 3. The fingerprinting attack and defense game has a pooling PBE ((𝑁, 𝑁)(𝐷, 𝐴)) if 𝑝 < 𝑐 𝑑 (𝑘)/(𝑔 𝑑 (𝑘) + 𝑔 𝑛 ).
Using the same process, Theorem 3 can be proved.Theorems 2 and 3 show that the optimal strategy for a fingerprinting attacker is to appear normal, as a benign user.If the prior probability  is larger than a certain threshold, the defender will hop fingerprints for every packet, regardless of the signal of the opponent.Otherwise, the defender will play  for signal  and play  for signal .It can also be proved that the pooling strategy (, ) is not a part of PBE using the same process, and the details are omitted.

Theorem 4. The fingerprinting attack and defense game has no separating PBE.
Proof.There are two possible separating strategies for the sender in this game: (, ) and (, ).(, ) will be first discussed below.
Assuming that (, ) is the strategy for the sender or that the -type sender only sends signal  and the -type sender only sends signal , the utility of the sender is discussed as follows.
(1) If the sender is -type,  is the signal of the sender according to the separating strategy.In this case, if the receiver plays , he will obtain utility   ()−  ().Otherwise, if the receiver plays , he will obtain utility −  .  ()−  () > 0 > −  , so the optimal action for the receiver is ; thus, the utility of the -type sender is −  () −   .
(2) If the sender is -type,  is the signal of the sender according to the separating strategy.In this case, if the receiver plays , he will obtain utility −  ().Otherwise, if the receiver plays , he will obtain utility 0. Obviously,  is the optimal action for the receiver because −  () < 0. Thus, the utility of the sender is   −   .
Given the receiver strategy (, ), it is verified whether the sender will deviate from the separating strategy (, ).If the -type sender deviates from  to ,  is the receiver response and the sender will obtain utility   −   , which is larger than the utility when he plays .Thus, the sender will deviate from signal  to .Therefore, the separating strategy (, ) is not part of a PBE.
For the other separating strategy for the sender (, ), the same conclusion can be obtained using a similar process and the details are omitted.
In conclusion, the fingerprinting attack and defense game has no separating PBE.

Belief Model.
In order to facilitate the analysis, the conclusions of Theorems 2 and 3 are obtained under an ideal condition that both the false positive rate (FP) and false negative rate (FN) of IDS are zero.In reality, small parts of suspicious probes cannot be detected by the IDS (FN > 0).It is also possible that a benign user can send a few suspicious packets in some special situations.With this knowledge, the fingerprinting attacker will send some suspicious probes to obtain more information about the target host OS.When the defender identifies suspicious packets from a sender, the belief of the defender about the sender type will be updated.Function () is defined as the belief of the defender instead of the constant  when  suspicious packets are received.Similar to the literature [17], () is formalized as In ( 8),  0 is the initial value when no suspicious packet is detected.A larger  0 indicates that the sender is more likely to be a fingerprinting attacker. denotes the total fingerprint information obtained by a sender.() is the fingerprint information gained for the sender in the communication, which can be calculated by (9), where   is the fingerprint information gain for the th suspicious packet [17]. (0 <  ≤ 1) represents the ratio of fingerprint information that can be reconnoitered by probes detected by IDS to that which can be reconnoitered by all probes sent by the attacker.It can be estimated by repeated tests on IDS using fingerprinting tools, such as Nmap.When a part of probes is not detected (FN > 0), some fingerprint information is leaked; that is  < 1.Note that (0) = 0.
The exponential function is chosen as the belief function so that a unit increase of fingerprint information obtained by the sender leads to higher increase of suspiciousness with the increase of already obtained fingerprint information.

Fingerprint Hopping Space.
Assuming that Ξ is the fingerprint hopping space for a protected host ℎ and  = |Ξ|, fingerprint(ℎ) ∈ Ξ, where fingerprint(ℎ) is the real fingerprint of host ℎ.In other words, the fingerprint hopping Get  = k using Eq. ( 14) (10) Set up the strategy on the IDS and Fingerprint Hopping Engine ( 11) else (12) Select (, ) as the strategy of the defender (13)  =   (14) Set up the strategy on the IDS and Fingerprint Hopping Engine (15) end while (16) return Algorithm 1: Strategy selection algorithm.space of ℎ contains the real fingerprint of ℎ because normal communication with ℎ has exposed a part of its fingerprint.  () and   () are the benefit and cost of the defender, respectively, when the hopping space size is .  () and   () are calculated by (10) and (11), respectively, where  > 1,  > 0,  ∈ Z + .
A logarithmic function is considered for   () because the defender will benefit less with unit increase of  when the hopping space size is already large, as the addition of confusion to the attacker is less.Furthermore,   (1) = 0 should hold, which indicates that there should be no benefit for the defender if the hopping space size is 1; that is, Ξ = {fingerprint(ℎ)}.Therefore, (10) is able to describe the property of the defender's benefit with respect to hopping space size.Other types of functions, such as exponential function and linear function, cannot reflect the relationship between defender's benefit and hopping space size.The cost function   () reflects the penalty of memory consumption increased with the growth of hopping space size, which is defined as linear function, indicating fixed growth rate of hopping cost regardless of hopping space size.The defender's cost should be zero when the hopping space size is 1; that is,   (1) = 0. Other functions cannot describe the fixed growth rate of the hopping cost with the size of hopping space.As mentioned previously, when  ≥   ()/(  () +   ), ((, )(, )) is the equilibrium solution of the fingerprinting attack and defense game, and the expected utility of defender is shown in (3).Combined with (3), (10), and ( 11), ( 12) can be obtained.
If  is very small, the probability of successfully deducing the correct fingerprint by the attacker will be high; however, if  is very large, the defender must bear a large defense cost.Thus, the defender will decide the value of  to maximize his expected utility.Equation ( 13) is obtained by deriving    with respect to .
When     is zero, the maximum expected utility is found.Thus   can be obtained, as shown in (14).In practical application, k is chosen as the optimal value shown in (15), where   is the minimum size of the fingerprint hopping space.

Strategy Selection Algorithm
With the updated belief, the defender should adjust his strategy to maximize his utility.A strategy selection algorithm is proposed to find the optimal strategy, as shown in Algorithm 1.In the algorithm, the belief threshold  * is found with the initial size of the fingerprint hopping space   .When the IDS identifies a suspicious packet, the belief of the defender about the sender type will be updated.If the belief is smaller than threshold  * , strategy (, ) will be played by the defender.Otherwise, (, ) will be played.

FPH Design
A prototype system of FPH is designed based on SDN, as shown in Figure 3, which consists of the following three components: the Controller, IDS, and Fingerprint Hopping Engine.The green solid line and red solid line denote the paths of a normal packet and a fingerprinting probe, respectively.The green dash line and red dash line denote the paths of the responses of a normal packet and a fingerprinting probe, respectively.IDS monitors the packets in the communication.The Detection Module of IDS detects the fingerprinting behavior based on a Signature Database, which can be built through collecting the probe signatures of fingerprinting tools, such as Nmap.When a packet arrives, IDS will match the packet with the signatures in the database.If no signature is matched, the outgoing packets will be sent to network without modification.Otherwise, if any signature is matched, IDS will report to the Controller through the Controller Interface.When the defender strategizes to hop the fingerprint of a packet, the response packet will be tagged by the Tag Module of IDS.Then the tagged packet (red rectangle in Figure 3) will be forwarded to the network through Forwarding Module.
With the report message sent by the IDS, the Controller calculates the belief about the sender type and makes a strategy.If fingerprinting behaviors are detected, the Controller will set up flow entries to the Openflow switches through the Flow Manager to deliver the tagged response packets to the Fingerprint Hopping Engine.The Fingerprint Hopping Engine changes the fingerprint of these packets based on the size of the fingerprint hopping space informed by the Controller.Finally, the packets with the hopping fingerprints will be sent back to the network through the Forwarding Module of the Fingerprint Hopping Engine and the tag will be deleted.
To reroute the responses of suspicious packets, the tagging technique [29] is used to mark these responses.If the defender takes the Defense action, the IDS will be informed to add a tag to the responses of these suspicious packets and related flow entries will be installed on the switches to forward the packets with this tag to the Fingerprint Hopping Engine.The outgoing traffic routes of a protected host for a fingerprinting attacker and benign user are shown in Figure 4, in which the tagged packets are marked in red.

Experiments and Analysis
In this section, the security and performance of FPH are evaluated.The topology of the network, as shown in Figure 1, is constructed using Mininet [30] with a benign user, a fingerprinting attacker, and a target host.Openflow 1.0 [31] is applied and POX [32] is used as the Controller.In our experiments, all the evaluation examples are done on a machine with a 2.53 GHz Intel Xeon and 32 G RAM 64 bits.

Performance Evaluation.
When FPH adopts hopping fingerprints to a suspicious communication, the Controller will set up related flow entries on the switches to forward the outgoing packets to the Fingerprint Hopping Engine.The Controller will also inform the Fingerprint Hopping Engine about the size of the hopping space.Due to these processes, network latency will be introduced.To evaluate the network delay, FPH is deployed based on Mininet and 10 repeated tests are conducted on a fingerprinting communication and a benign communication, which are created by Nmap and FTP, respectively.The result is shown in Figure 5, where the horizontal coordinates stand for the number of the tests in the experiment.When the communication is benign, the network delay is low, as seen in the figure, because the Defense action is not taken.FPH will not cause an additional delay for the benign user because the Defense action is only taken  when the belief of the defender exceeds a certain threshold, which is unlikely to be reached by a benign user.The fingerprinting communication will cause the FPH Defense action, and the network delay of the suspicious communication will increase.A high delay is introduced for a packet that causes the Defense action because this packet has to wait in the network for the related flow entries to be set up.The average delay of the fingerprinting communication is much lower but still higher than that of the benign communication because the outgoing traffic of the fingerprinting communication will be sent to the Fingerprint Hopping Engine for modification.Different from FPH, scrubber [16] is an exhaustive defense method, which degenerates the communication performance.In this experiment, the network delay introduced to different types of communications by FPH and scrubber are compared.We focus on the fingerprint scrubbing method described in [16], which normalizes IP type-of-service and fragment bits in the IP header.We also implement a scrubber on SDN, so that all the experiments are conducted in the same condition.The delay of each packet in the communication is collected.The results are shown in Figure 6, where the communication delays are sorted in ascending order.For the scrubber, all the packets in the communication need to be modified regardless of the type of traffic.Compared with scrubber, FPH achieves much lower communication delay when the opponent is a benign sender, because no packet modification is required in the communication, which is a time-consuming operation.Therefore, FPH can achieve lower delay for a benign communication.However, for a fingerprinting communication, the communication delay of FPH is higher than that of scrubber.The reason is that, in FPH, not only does the outgoing traffic need to be modified to hop fingerprint, but also the incoming traffic needs to be monitored.

Evaluation of the Fingerprint Hopping Space.
The optimal size of the hopping space, k , changes with the belief of the defender.Intuitively, if the defender has a stronger belief that the opponent is a fingerprinting attacker, he will adopt a larger hopping space to confuse the attacker.Otherwise, he will adopt a smaller hopping space to save defense costs.In the experiment,  and  in (10) and ( 11) are set to  = 0.1,  = 0.2, and  = 0.3, with  = 1.1 and   = 20.Then, the optimal size of the fingerprint hopping space can be obtained using (15), as shown in Figure 7. Due to the minimum size of the fingerprint hopping space, k is a constant value when the belief value is small.When the belief value increases, k grows linearly.As seen in the figure, a smaller  produces a larger hopping space because if the fingerprint hopping costs less, the defender can adopt a larger hopping space to obtain a greater benefit from making the attacker more confused.

Security Evaluation.
In this experiment, Nmap (v7.40) and p0f (v3.09b) are used as active and passive fingerprinting tools to verify the security of FPH.The target host runs on a separate VM which is connected to the network generated by Mininet.The firewall of the target host is closed and we assume that false negative rate is 0; that is,  = 1.The attacker uses Nmap to actively fingerprint the target host, and p0f is employed to passively fingerprint the target host.The commands of the two tools are as follows.
Command for Nmap: nmap -O -v target IP Command for p0f: p0f -i target interface The results of the experiment are shown in Table 1.As can be seen, the security of FPH is verified on different OSes and OS versions.When no defense mechanism is adopted in the network, Nmap is able to fingerprint the target host precisely and p0f can also identify the OS of the host correctly for most cases.Windows 10 is falsely identified as Windows 7 or 8 by p0f, but the OS type is recognized correctly.Windows XP and Ubuntu 14.04 are not identified by p0f.This is because the feature database does not contain features that match the packets sent by target host.However, both the two fingerprinting tools fail to detect OS of the target host when FPH is adopted.Since the responses of the probes sent by Nmap are modified by FPH, the fingerprint observed by the attacker changes dynamically.As a result, Nmap cannot recognize the OS of target host through analyzing the responses.It also can be seen that, in some cases, p0f falsely identifies the target OS.The reason is that p0f fingerprints the target host using the attributes of single packet.FPH transforms the fingerprint in the packet into another fingerprint, so p0f misjudges the OS of target host, which will steer the attacker away from the target host or deceive them to launch an invalid attack.

Conclusions and Future Work
Fingerprinting is an essential step for network attacks, which enables the attacker to obtain the OS information of target host for attackers.In this paper, FPH is proposed based on SDN to provide a hopping fingerprint for attackers to resist fingerprinting attacks.Using the idea of MTD, FPH hops the fingerprint of the protected host to expand the exploration space of the attacker and disable the fingerprinting tools.
The fingerprinting attack and defense game is modeled, and the equilibriums of the game are analyzed.An appropriate defense strategy is presented with sender type consideration.Experiments show that FPH can effectively defend against fingerprinting attacks.In this paper, the interactions of fingerprinting attack and defense are modeled as a series of one-shot games and the change of defender's belief is taken into consideration.However, we assume that only the defender has the knowledge of game history.In future work, a multistage game will be modeled for continuous interaction between the fingerprinting attack and defense.In addition, a more reasonable assumption that both the attacker and defender have knowledge of game history will be made and experiments where both attacker and defender adopt strategies derived based on this history will be conducted.

Figure 1 :
Figure 1: FPH architecture.(The blue line indicates the outgoing traffic route in a benign communication; the red line indicates the outgoing traffic route in a suspicious communication.)

SFigure 2 :
Figure 2: Extensive form of the fingerprinting attack and defense game.

Figure 6 :
Figure 6: The comparison of communication delay between FPH and scrubber.

Table 1 :
Output of the fingerprinting tools Nmap and p0f.: attacker fails to fingerprint the target host.NF: attacker falsely identifies the OS.Y: attacker succeeds to identify the OS.YF: attacker succeeds to identify the OS type but falsely identify the OS version. N