Moving Target Defense Based on Adaptive Forwarding Path Migration for Securing the SCADA Network

College of Computer, National University of Defense Technology, Changsha 410073, China; Department of Electronic Information and Electrical Engineering, Changsha University, Changsha 410022, China; Hunan Provincial Key Laboratory of Network Investigational Technology, Hunan Police Academy, Changsha 410138, China; College of Systems Engineering, National University of Defense Technology, Changsha 410073, China; Key Laboratory of Police Internet of Things Application, Ministry of Public Security, Beijing 100089, China; College of Meteorology and Oceanography, National University of Defense Technology, Nanjing 211101, China; College of Electrical Engineering, National University of Defense Technology, Hefei 230037, China


Introduction
The supervisory control and data acquisition (SCADA) system, as an essential backbone of smart grids, plays an important role in monitoring, controlling, and protecting the critical infrastructure resources incorporated within the system. Figure 1 shows the architecture and the protocols of a SCADA system. In recent years, influential cyberattacks [1][2][3] that have led to massive power outages show that more and more static network configurations or underlying vulnerabilities present in the cyber-physical system (CPS) can be exploited by the adversary. In addition, if some vulnerable firmware of the embedded devices involved in smart grids is left unpatched, backdoors can be installed to perform sophisticated automated attacks.
For example, the centrifuges inside Iran's Natanz uranium enrichment facility were destroyed by the Stuxnet worm [1], a rootkit exploiting Siemens programmable logic controllers (PLC). Although critical infrastructure resources involved in smart grids are already protected by conventional security measures like firewalls, IDS, IPS, etc., there are still powerful attacks capable of

In this paper, we propose a novel MTD technique based on adaptive forwarding path migration (AFPM) that achieves an optimal path selection mechanism for path mutation. Different from the traditional path selection mechanism, which focuses on the selection of the mutation path without considering the mutation period, we improve the defense capability by incorporating both the selection of the mutation path and the selection of the mutation period into our technique. In addition, we formalize the performance constraints that routing nodes and forwarding links on the forwarding path need to satisfy to prevent transient problems during path mutation. The main contribution of this paper is to show how AFPM concepts present a dynamic attack surface to an adversary relying on passive monitoring and maximize the defense benefits without compromising the availability of path mutation. Specifically,
(i) To ensure the availability of path mutation, we formalize the mutation constraints based on satisfiability modulo theory (SMT) to select the forwarding path that satisfies these constraints as the mutation path.
(ii) To achieve the maximum defense benefits, we design the mutation path generation algorithm based on the network security capacity matrix to obtain an optimal combination of mutation path and mutation period.

The remainder of this paper is organized as follows. Section 2 reviews the related work. Section 3 introduces the necessary background. Section 4 explains the AFPM technique. Section 5 presents the evaluation results. Concluding remarks are drawn in Section 6 together with future work.

Related Work
The DARPA Information Assurance Program did initial research in the area of dynamic network defense for the purpose of confusing any would-be adversaries sniffing the network [12]. Thus, network defense technique transforms from "passive defense" to "proactive defense", and network-based MTD comes into being. Existing studies on path mutation techniques mainly include multipath mutation [13][14][15] and random-path mutation [16][17][18].

Multipath Mutation.
Multipath mutation is the concept of calculating all possible disjoint paths in advance and randomly selecting one of them as the mutation path. Duan et al. [13] presented a proactive random route mutation (RRM) technique to defend against reconnaissance, eavesdropping, and DoS attacks by modeling and solving a constraint satisfaction problem, where they formalized the mutation constraints using the SMT to identify the optimal forwarding path. Compared with the static network using a single forwarding path, RRM can prevent more than 90% of eavesdropped or disrupted packets. RRM was extended by Jafarian et al. [14] via optimizing the mutation strategy based on game theory and constraint satisfaction optimization to improve the defense capability of path mutation. To enhance the mutation efficiency and increase the complexity of attacks in scanning and poisoning, Zkik et al. [15] focused on modeling software defined network (SDN) architectures, where two new modules were implemented to automatically calculate the suitable paths based on a pathfinder algorithm. However, owing to the deterministic nature of these multipath mutation techniques, the adversary who has acquired the routing algorithm can calculate the mutation path and hence endangers all packets forwarded over this path.

Random-Path Mutation.
Random-path mutation is the concept of collecting all the available routing nodes in advance and randomly selecting one of them as the next hop. Different from the existing multipath mutation techniques, the adversary cannot pinpoint the routes traversed by each packet even if he or she has known the routing algorithm. Considering that traditional routing protocols forwarded packets over a single path, Bohacek et al. [16] presented a game-theoretic stochastic routing (GTSR) framework where all paths between a source-destination pair were discovered and next-hop probabilities were determined. By proactively forcing packets to probabilistically take alternate paths, GTSR mitigated the effect of packet interception and eavesdropping attacks. Instead of selecting the path from a pre-calculated set of routes like multipath mutation, Shu et al. [17] proposed a randomized multipath routing algorithm that generated randomized routes taken by the shares of different packets to secure wireless sensor networks (WSN) against compromised node and DoS. To invalidate the adversary's knowledge and plan of attacks against critical network resources, Gillani et al. [18] employed virtual networks (VN) to proactively defend against sophisticated DDoS (Distributed DoS) attacks like Crossfire by dynamically reallocating network resources using VN placement and offering constant VN migration to new resources. Although these random-path mutation techniques can enhance security by increasing randomness, they still have problems that we have presented in Section 1.

Background and Motivation
In this section, we first explain the cyber risk of static cyber threats that exist in the SCADA network. Then, we state the security problems with static configurations in a specific attack scenario. Finally, we introduce the methodology of network-based MTD based on the cyber kill chain.

Static Cyber Threats.
Reference | Technique | Contribution
[5] | Random host mutation | Providing high-speed and unpredictable IP mutation
[6] | SDN-based MTD analysis | Implementing MTDs using SDN
[7] | Dynamic address solution | Enlarging the changing scopes of terminal hosts
[8] | Collaborative mutation including end point mutation and routing mutation | Improving the defensive benefit brought about by network mutation
[9] | Attack graph-based MTD | Shuffling network configurations based on the criticality

Network communications in smart grids are supported by the SCADA system, where network configurations and facilities are usually static (or fixed) from the attacker's point of view. Even if the system is upgraded, it goes into a step-by-step update including deploying new network configurations and facilities, which gives the attacker plenty of time to trace out these update steps. Many security measures have been deployed in the system to protect these static network resources [19]. However, when the scale of smart grids reaches the level at which critical infrastructures are integrated into the system, potential cyber threats become more dangerous and numerous. Perhaps only a small loophole on which a backdoor can be established is needed for the attacker to penetrate the inside of the system, where vulnerabilities can be exploited to launch a powerful attack. To measure the cyber risk, security experts give the following equation: Cyber risk = Threats × Vulnerabilities × Consequences. However, it is impossible that all threats, including existing uncertain and unknown ones, are factored into threat modeling, which means that the modeling result is not always accurate. Considering that there are so many vulnerabilities in such a large-scale system, it will take a considerable amount of time and effort to check system behaviors for them one by one. Even if all of these threats and vulnerabilities are counted, the results are still inconclusive considering false positives. Therefore, achieving a 100% secure system is always theoretical. Intrusions are inevitable in most cases of cyberattacks, where attack scripts or malware are implanted into the system and can lie dormant for days, weeks, or even months [20].
However, the security of a system where reactive types of security measures have been deployed can be enhanced by applying proactive defense technique to mislead the attacker into developing ineffective attacks. Figure 2 shows an abbreviated SCADA network consisting of three subnetworks connected by wide area networks (WAN). Since the WAN is exposed to the outside world, it is more likely that the traffic is vulnerable to attacks. For example, the attacker can trace out the IP addresses of the communication entities by monitoring and analyzing the traffic in the DNP3 communication established between the SCADA server in the control center and the remote terminal unit (RTU) in the substation. By targeting one of them, the attacker can maliciously trip open a relay that is connected to and controlled by the RTU via replaying the legitimate trip command issued by the control center to select an incorrect breaker to trip the breaker system.

Cyberattack Identification.
Since the source IP addresses of the trip packets are unauthenticated, they are usually detected and dropped by the gateway router, where a specific firewall or IDS rule is added in the substation. However, there may be smart attackers able to legitimize the source IP addresses such that these trip packets bypass the detection of this added firewall or IDS rule without being dropped. This kind of attack can only be detected if the IDSs are distributed with event correlation between the control center and the substation. However, it will be very costly and time-consuming to check every event, such that normal legitimate communication cannot be guaranteed. More seriously, DoS issues will be raised and the system will become unavailable. Therefore, distributed IDSs fail to prevent such an attack at an early stage because system availability is a primary consideration.

Network-Based MTD.
To understand how network-based MTD can be effective against cyberattacks in the SCADA network, we start with the cyber kill chain, as shown in Figure 3, where the loop of a cyberattack is divided into five steps:
(1) Reconnaissance. The attacker gathers topology information, such as host name, network address, and MAC address, to develop a blueprint of the system architecture and identify the key locations for the attack.
(2) Access. The attacker tries to connect or communicate with the target to explore version numbers, configurations, operating system, and other system properties for vulnerability identification.
(3) Exploitation. This is a weaponization step. The attacker exploits one of the vulnerabilities discovered in the system to establish a foothold for malicious activities, such as installing attack scripts or malware for specific types of attacks.
(4) Execution. After becoming clear enough about the operation state of the system during a period of lurking, the attacker finds the right time to execute the attack scripts or malware through a network connection or an infected USB pendrive.
(5) Persistence (optional). The attacker keeps the access channels and the inserted backdoors in the compromised system, which give him or her chances to launch further, more impactful attacks in the future by repeating the above steps.
If we break one or more steps of the cyber kill chain, the development of the cyberattack will be disrupted. Especially in the first stage, if we mislead or delay the attacker's reconnaissance, i.e., obstruct the attacker's access to knowledge about the system, the later steps become useless. This is where the idea of network-based MTD comes from: it achieves a kind of proactive defense against cyberattacks by extending the attack surface to alleviate the asymmetries between attack and defense, e.g.,
(i) Narrow the attack window by increasing the uncertainty of the network composition to alleviate the information asymmetry between attack and defense.
(ii) Delay the attack time by increasing the dynamics of the network topology to alleviate the time asymmetry between attack and defense.
(iii) Raise the attack cost by increasing the diversity of the network elements to alleviate the cost asymmetry between attack and defense.
However, network-based MTD may create additional performance overhead in the absence of cyber threats when system properties are dynamically changed. To maximize the defense benefits and lower the performance overhead, network-based MTD usually adopts an intelligent architecture that combines proactive mutation and reactive mutation.
The basic principle of network-based MTD is described in Figure 3 and introduced as follows:
(1) Formulate the security policy and the functional tasks based on some kind of security objective and initialize the network resources.
(2) Select the mutation element and the mutation period based on the formulated security policy and create mutation configurations through mutation configuration management.
(3) Issue and deploy the mutation configurations to the corresponding devices of the target system through mutation implementation.
(4) Perceive and analyze the current security state of the target system in the analysis engine and submit the result to the mutation triggering mechanism.

Adaptive Forwarding Path Migration
Owing to the imperceptibility of passive monitoring, most path mutation methods employ an autonomous random mutation technique, which relies on a preset path selection algorithm to select the forwarding path for the next mutation [13,18]. However, the quality of service (QoS) cannot be ensured because such a technique fails to perform real-time adjustments for the network security state. Therefore, we design the adaptive forwarding path migration (AFPM) mechanism to optimize the selection of the mutation path, as shown in Figure 4, where the dynamic switching of the forwarding path is realized by changing the routing deployment and the forwarding strategy. For ease of reference, nomenclatures are provided in Tables 2 and 3.

Forwarding Path Migration Constraints.
The transient problem is the phenomenon of a rapid decline in network performance during path mutation. It leads to an increased probability of packet disorder and packet loss. Packet disorder means that the packet sequence of the forwarded data is out of order as a result of forwarding path migration. Packet loss is caused by insufficient forwarding nodes and links, unreachable forwarding paths, and inconsistent updates of flow tables. Since packet disorder and packet loss may trigger the TCP retransmission mechanism and degrade TCP performance, the availability of path mutation is reduced. To ensure the QoS, we formalize the mutation constraints in terms of forwarding path capacity, forwarding path delay, and forwarding path accessibility.
Network resource capacity [21] refers to the remaining available resources of routing nodes and forwarding links in a network system. Among them, the remaining available resources of routing nodes mainly depend on the remaining available flow table entries, because the CPU consumption and storage surplus of routing nodes are positively correlated with the number of flow table entries [22], and the remaining available resources of forwarding links mainly depend on the remaining available bandwidth. In an actual network characterized by multi-flow intersection, the overhead of a routing node or a forwarding link is equivalent to the sum of the costs of all the data flows passing through the node or the link at a time. We denote by $b^{T_{RMP}}_v(k)$ the Boolean variable indicating whether routing node $v$ forwards the $k$-th data flow within mutation period $T_{RMP}$ (… $e(k) = 0$). Thus, path mutation needs to satisfy the following constraints.

Forwarding Path Capacity Constraint.
This constraint aims to prevent packet loss caused by data overflow by selecting a routing node that can carry the accumulated flow tables and a forwarding link that can carry the accumulated data flows. We use an exponential function based on marginal cost to quantify the resource consumption of routing nodes and forwarding paths.
Equation (1) represents the marginal cost function for a newly added flow table entry, where $C_v$ denotes the number of remaining entries in the flow table, $\sigma$ denotes the adjustment parameter, whose value is set as $\sigma = 2n$ through a theoretical analysis [23], where $n$ is the number of routing nodes, and $1 - c_v(k)/C_v$ denotes the flow table utilization after the forwarding information of the $k$-th data flow is added to routing node $v$. Equation (2) indicates that the accumulated marginal cost of the flow table must be within the capacity limit $C^{\max}_v$ of the selected node, and the remaining flow table length should not be less than $C^{th}_v$ to avoid data overflow. Equation (3) represents the marginal cost function of forwarding a data flow, where $1 - c_e(k)/C_e$ denotes the bandwidth utilization after the $k$-th data flow passes through forwarding path $e$. Equation (4) indicates that the accumulated marginal cost of bandwidth consumption must be within the capacity limit $C^{\max}_e$ of the forwarding path, and the remaining bandwidth should not be less than $C^{th}_e$, so that the forwarding path has residual capacity to deal with data fluctuations caused by load balancing or network jitter.

Forwarding Path Delay Constraint.
This constraint aims to prevent packet disorder by selecting a forwarding path whose total transmission delay is acceptable and whose mutation delay is less than the inter-packet delay.
Equation (5) indicates that the length of each forwarding path should not exceed the preset maximum value $L_{\max}$ (in this paper, $L_{\max} = 32$). Since the transmission delay is positively related to the number of routing nodes on the forwarding path [24], the deterioration in QoS caused by excessive transmission delay can be prevented by limiting the length of the forwarding path. Before forwarding path migration, the minimum transmission delay of the alternative forwarding path in the next mutation period $L_{T_{RMP}+1}$ and the maximum transmission delay of the current forwarding path $L_{T_{RMP}}$ are measured by the round-trip time (RTT) [25]. Equation (6) indicates that the difference between the minimum transmission delay of $L_{T_{RMP}+1}$ and the maximum transmission delay of $L_{T_{RMP}}$ should be less than the average inter-packet delay to avoid packet disorder.

Forwarding Path Accessibility Constraint.
This constraint aims to prevent the occurrence of forwarding loops, which cause packet loss, by limiting the selection of mutation nodes.

Notation | Definition
$b^{T_{RMP}}_v(k)$ | Boolean variable whether routing node $v$ forwards the $k$-th data flow within mutation period $T_{RMP}$
$ML_e$ | Forwarding path $e$ for mutation
$ML_v$ | Routing node $v$ for mutation
$C_e(k)$ | Marginal cost of forwarding path $e$ carrying data flow $k$
$C_v(k)$ | Marginal cost of routing node $v$ carrying data flow $k$
$\chi(MR_v)$ | Set of the routing nodes on mutation path $MR_e$ excluding the routing nodes with the source and destination addresses
$\omega^s_{S,D}$ | Security coefficient
$Q[sc_{S,D}]_{n \times n}$ | Network security capacity matrix from source node $S$ to destination node $D$
$\sigma$ | Adjustment parameter

Equation (7) indicates that the input and the output of every routing node on the forwarding path are the same. Equation (8) indicates that each routing node on the forwarding path is physically adjacent to the routing nodes of its previous and next hops, where $\chi(MR_v)$ denotes the set of routing nodes on the forwarding path excluding the source and destination nodes. Since accessibility cannot be guaranteed when a data flow is forwarded from one node to an arbitrary next-hop neighbor, equation (9) limits the distance between the forwarding node and the target node, i.e., the distance between the next-hop node and the target node cannot exceed the distance between the current forwarding node and the target node, where $d^k_{v-D}$ denotes the distance from $MR_v$ to the target node. Equation (9) also ensures that the data flow will not be forwarded again after reaching the target node.
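The accessibility constraint above can be checked mechanically for a candidate mutation path. The following Python is an added example, not code from the paper: it measures $d^k_{v-D}$ as the hop distance to the target (a BFS from the target over a constructed sample topology, which is an assumption; the paper's distance metric is not specified on the page), checks physical adjacency for every hop (equation (8)), rejects any hop whose next node is farther from the target than the current one (equation (9)), and treats a node visited twice as a violation of the one-input/one-output condition of equation (7). The topology and the candidate paths are constructed for the example.

```python
from collections import deque
from typing import Dict, List

# Constructed sample topology (undirected adjacency list); not from the paper.
ADJ: Dict[str, List[str]] = {
    "S": ["A", "B"],
    "A": ["S", "C", "B"],
    "B": ["S", "A", "D"],
    "C": ["A", "D"],
    "D": ["C", "B"],
}


def hop_distances(adj: Dict[str, List[str]], target: str) -> Dict[str, int]:
    """BFS from the target: dist[v] is the hop distance from v to the target,
    playing the role of the paper's d^k_{v-D} (hop metric is an assumption)."""
    dist = {target: 0}
    queue = deque([target])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist


def accessibility_violations(adj: Dict[str, List[str]], path: List[str],
                             src: str, dst: str) -> List[str]:
    """Return the list of violated accessibility rules for a candidate path.
    An empty list means the path satisfies the constraint."""
    problems: List[str] = []
    if path[0] != src or path[-1] != dst:
        problems.append("path must start at the source and end at the target")
    # Eq. (7): on a single path every intermediate node has exactly one input
    # and one output, so no node may appear twice (that would be a loop).
    if len(set(path)) != len(path):
        problems.append("node visited twice (input/output mismatch)")
    # Eq. (8): consecutive nodes must be physical neighbours.
    for u, v in zip(path, path[1:]):
        if v not in adj.get(u, []):
            problems.append(f"{u} and {v} are not adjacent")
    # Eq. (9): the next hop may never be farther from the target than the
    # current node; nodes that cannot reach the target count as infinitely far.
    dist = hop_distances(adj, dst)
    far = float("inf")
    for u, v in zip(path, path[1:]):
        if dist.get(v, far) > dist.get(u, far):
            problems.append(f"hop {u}->{v} moves away from {dst}")
    # No forwarding after the target has been reached.
    if dst in path[:-1]:
        problems.append("flow forwarded again after reaching the target")
    return problems


if __name__ == "__main__":
    candidates = [
        ["S", "B", "D"],            # shortest path: accepted
        ["S", "A", "C", "D"],       # longer but never moves away: accepted
        ["S", "B", "A", "C", "D"],  # B->A moves away from D: rejected
        ["S", "C", "D"],            # S and C are not neighbours: rejected
        ["S", "B", "D", "C", "D"],  # passes through D twice: rejected
    ]
    for path in candidates:
        print(path, accessibility_violations(ADJ, path, "S", "D") or "ok")
```

Paths that pass the check are the ones the mutation controller may hand to the capacity and delay constraints; the check is cheap (one BFS per target) and can be re-run whenever the topology changes.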

Mutation Path Generation Algorithm.
To achieve the maximum defense benefits of forwarding path migration, we calculate the optimal combination of mutation path and mutation period by referring to the idea of maximum flow-minimum cut [26]. Since the adversary usually monitors routing nodes and forwarding links for malicious purposes and the current network resource capacity takes no account of security, the availability of routing nodes and forwarding links is reduced as cyber risks increase, even if they satisfy the mutation constraints in Section 4.1. Therefore, we define the network security capacity matrix to obtain an optimal combination of mutation path and mutation period. The actual network can be abstracted as a directed graph $G(N, L)$, where $N$ denotes the set of vertices, i.e., the set of routing nodes $MR_v$, and $L$ denotes the set of directed edges, i.e., the set of forwarding paths $ML_e$.

where $c_{S,D}$ denotes the maximum residual capacity [21], which can be calculated from real-time online access to network status information, and $\omega^s_{S,D}$ denotes the security coefficient determined by the attacker's and defender's strategies: the attacker adopts the monitoring strategy $a \in A$ to maximize the attack benefits (i.e., minimize $\omega^s_{S,D}$), and the defender adopts the mutation strategy $d \in D$ to maximize the defense benefits (i.e., maximize $\omega^s_{S,D}$). Thus, $\omega^s_{S,D}$ is related to the number of the attacker's monitoring rounds $R_A = T/r_A$, the number of mutations $R_D = T/T_{RMP}$, the probability $P^a_j$ of the attacker monitoring the $j$-th path, and the probability $P_{j\cdot}$ of data packets passing through the $j$-th path within time $T$.

Equation (11) represents the max-flow problem of S-D for $\forall l_j \in L^+$ with the constraint $\lambda P_{j\cdot} \leqslant 1/P^a_j$ in $\overrightarrow{G}$. Therefore, the solution to $1/(1 - \omega^s_{S,D})$ can be transformed into the solution to the max-flow problem of S-D with the constraint $W(l_j) = 1/P^a_j$. Based on the network security capacity matrix, we calculate the optimal combination of mutation path and mutation period to achieve the maximum $\omega^s_{S,D}$. Figure 5 shows the flow chart of the mutation path generation algorithm, which is written as follows:
(1) Initialize a combination queue $Q$ of mutation path and mutation period;
(2) Construct the breadth-first search (BFS) tree of undirected graph $G$, where mutation node $MR_S$ acts as the root node, and mutation nodes $MR_i$ are sorted in descending order based on the distance from $MR_i$ to $MR_S$, with those of the same distance placed in the same order;
(11) Select the mutation path that satisfies the delay constraint based on equations (5) and (6);
(12) Add the alternative combinations of mutation path and mutation period that satisfy the mutation constraints to queue $Q$;
(13) Sort the alternative combinations of mutation path and mutation period in descending order;
(14) Take the highest ranked combination as the optimal one for the next mutation;
(15) Return the optimal combination of mutation path and mutation period.

In this algorithm, we first traverse the mutation nodes using the BFS algorithm and select the set of routing nodes and forwarding links that satisfy the forwarding path capacity constraint in steps (2)-(4). Next, we calculate the max-flow of $c_{S,D}$ using the Hao-Orlin algorithm [27] in step (5), and calculate the max-flow of $f^s_{S,D}$ and transform it into $\omega^s_{S,D}$ based on Theorem 1 in steps (6)-(8). Then, we construct the network security capacity matrix $Q[sc_{S,D}]_{n \times n}$ in step (9), and screen out the possible forwarding paths in $Q[sc_{S,D}]_{n \times n}$ by the forwarding path delay constraint and the forwarding path accessibility constraint in steps (10)-(12). Finally, we rank the alternative combinations of mutation path and mutation period in steps (13) and (14), and return the optimal one to achieve the maximum defense benefits in step (15).

Mutation Efficiency Analysis.
Suppose that there is a data flow $f$ transmitted within time $T$, in which case the data flow transmitted in each mutation period is denoted as $f/R_D$; that there are $r$ routing nodes included in the set $V_R$ monitored by the attacker; that there are $s$ routing nodes included in the set $V_T$ between source node $S$ and destination node $D$; and that the success probability of the attacker monitoring a data flow is independently distributed as $x = P^a_j P_{j\cdot}$.

Case 1: $R_A \leqslant R_D$. When the success probability of the attacker monitoring a data flow obeys the binomial distribution $B(R_A, x)$, the data flow monitored by the attacker is $f x R_A / R_D$.

Case 2: $R_A > R_D$. The attacker achieves a higher frequency of passive monitoring, $z = R_A / R_D$ times in each mutation period, which obeys the geometric distribution $G(x)$. If the attacker successfully penetrates a routing node by an attack, he or she can monitor the data flow through this node for the rest of the mutation period. When the success probability of the attacker monitoring a data flow obeys the binomial distribution $B(R_A, x)$, the data flow monitored by the attacker is

In the static network, we have $z = R_A$ since there is no path mutation. The success probability of the attacker monitoring the $j$-th path is $P^a_j = (C^r_n - C^r_{n-s}) / C^r_n$, and the data flow monitored by the attacker is $f$

In the RRM network [13], the attacker can monitor the path from $S$ to $D$ when $MR_S \in V_R$ or $MR_D \in V_R$, while the attacker can do so when $MR_S \notin V_R$ and $MR_D \notin V_R$ if and only if the routing nodes on the path from $S$ to $D$ in $G$ can be divided into $x$ interconnected subgraphs $G_1, G_2, \ldots, G_x$ by the cut set $V_C$, i.e., Thus, the success probability of the attacker monitoring the $j$-th path is $P^a_j = (C^1_2 C^{r-1}_{r-2} + C^2_2 C^{r-2}_{r-2} + n_{V_R}) / C^r_n$, where $n_{V_R}$ denotes the number of nodes in $V_R$. Since RRM has a fixed mutation period, the data flow monitored by the attacker is $\min($

In the AFPM network, similarly, the success probability of the attacker monitoring the $j$-th path is $P^a$ Since AFPM can adjust the mutation period as the frequency of the attacker's passive monitoring changes, the data flow monitored by the attacker is $f x R_A / R_D$. Therefore, the success probability of the attacker monitoring the data flow can be significantly reduced in the AFPM network compared with the two other networks.

[Figure 5 flow chart (text recovered from the figure): Select the mutation path; Add the mutation combinations that satisfy the mutation constraints to queue $Q$; Sort the mutation combinations in $sc_{S,D}$; Determine the mutation combination for the next mutation; Return the optimal mutation combination.]
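The static-network term $P^a_j = (C^r_n - C^r_{n-s})/C^r_n$ is the probability that $r$ monitored nodes, chosen among $n$, hit at least one of the $s$ nodes on the fixed path, and the Case 1 amount $f x R_A / R_D$ is the expected share of the flow an attacker sees when monitoring no more often than the defender mutates. The following Python is an added example, not code from the paper, that computes both and confirms the closed form by enumerating every $r$-subset of a small constructed node set; the concrete values of $n$, $s$, $r$, $f$, $x$, $R_A$ and $R_D$ used are constructed for the example.

```python
from fractions import Fraction
from itertools import combinations
from math import comb


def static_monitor_probability(n: int, s: int, r: int) -> Fraction:
    """P^a_j for the static network: (C^r_n - C^r_{n-s}) / C^r_n, i.e. the chance
    that an r-subset of the n routing nodes contains at least one of the s
    nodes on the fixed S-D path. Returned exactly as a fraction."""
    if not (0 <= s <= n and 0 <= r <= n):
        raise ValueError("need 0 <= s <= n and 0 <= r <= n")
    return Fraction(comb(n, r) - comb(n - s, r), comb(n, r))


def static_monitor_probability_by_enumeration(n: int, s: int, r: int) -> Fraction:
    """Same quantity by brute force: nodes 0..s-1 are taken as the path nodes and
    every r-subset of 0..n-1 is tested for intersection with them. Only meant to
    confirm the closed form on small constructed instances."""
    path_nodes = set(range(s))
    hits = sum(1 for subset in combinations(range(n), r) if path_nodes & set(subset))
    return Fraction(hits, comb(n, r))


def monitored_flow_case1(f: float, x: float, r_a: int, r_d: int) -> float:
    """Case 1 (R_A <= R_D): expected amount of the flow f seen by the attacker,
    f * x * R_A / R_D, where x is the per-attempt success probability."""
    if r_a > r_d:
        raise ValueError("Case 1 requires R_A <= R_D")
    if not (0.0 <= x <= 1.0):
        raise ValueError("x must be a probability")
    return f * x * r_a / r_d


if __name__ == "__main__":
    # Constructed instance: 10 routing nodes, a 3-node path, 2 monitored nodes.
    n, s, r = 10, 3, 2
    p_closed = static_monitor_probability(n, s, r)
    p_enum = static_monitor_probability_by_enumeration(n, s, r)
    print(f"static P^a_j = {p_closed} (enumeration: {p_enum})")
    # Constructed flow of 1000 units, x = 0.25, 2 monitoring rounds, 4 mutations.
    print("Case 1 monitored flow:", monitored_flow_case1(1000.0, 0.25, 2, 4))
```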

Network Performance Analysis.
According to Section 4.1, packet disorder caused by path mutation is the reason for the performance consumption that reduces the availability of path mutation. Therefore, we have imposed the forwarding path delay constraint on path mutation to prevent this transient problem.

Theorem 2.
]} ensures that packet disorder does not occur in the AFPM network.
Proof. Since the selected mutation path in the next mutation period satisfies $L_{T_{RMP}+1} \mid (t(i+1,k) - t(i,k)) > \max$ holds for any data flow $f_k$. Suppose that data packet $x_i$ of data flow $f_k$ is transmitted by forwarding path $L_{T_{RMP}}$ and data packet $x_{i+1}$ of data flow $f_k$ is transmitted by forwarding path $L_{T_{RMP}+1}$; we set $\Delta t = t(i+1,k) - t(i,k)$.
The maximum transmission delay of data packet $x_i$ transmitted by forwarding path The maximum transmission delay of data packet $x_i$ transmitted by forwarding path $)] + \Delta t$ holds based on Case 1 and Case 2. Therefore, no data flow will suffer packet disorder during path mutation.
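The delay constraint of Section 4.1 (equations (5) and (6)) and the argument of Theorem 2 can be exercised on numbers. The following Python is an added example, not code from the paper: it checks the length bound with $L_{\max} = 32$ and the delay condition, and then simulates the situation of the proof, where packet $x_i$ takes the current path and $x_{i+1}$ takes the next one, to confirm that arrivals stay in order. The example reads equation (6) as "the maximum delay of the current path may exceed the minimum delay of the next path by less than the inter-packet delay", since a faster new path is what lets $x_{i+1}$ overtake $x_i$; that reading, and all delay values, are assumptions made for the example.

```python
from typing import List

L_MAX = 32  # maximum forwarding path length used in the paper


def delay_constraint_ok(cur_len: int, next_len: int, cur_delay_max: float,
                        next_delay_min: float, inter_packet_delay: float) -> bool:
    """Eq. (5): both the current and the alternative path are within L_max.
    Eq. (6), as read here: the current path's maximum delay exceeds the next
    path's minimum delay by less than the average inter-packet delay."""
    if cur_len > L_MAX or next_len > L_MAX:
        return False
    if inter_packet_delay <= 0:
        raise ValueError("inter-packet delay must be positive")
    return cur_delay_max - next_delay_min < inter_packet_delay


def arrival_order_preserved(send_times: List[float], delays: List[float]) -> bool:
    """Simulate packets sent at send_times[i] over a path with one-way delay
    delays[i]; True iff they arrive in the same order they were sent."""
    arrivals = [t + d for t, d in zip(send_times, delays)]
    return all(a <= b for a, b in zip(arrivals, arrivals[1:]))


def migration_scenario(cur_delay_max: float, next_delay_min: float,
                       inter_packet_delay: float, packets_before: int = 3) -> bool:
    """Worst case of the Theorem 2 proof: packets x_0..x_{n-1} leave on the
    current path at its maximum delay, then x_n leaves on the next path at its
    minimum delay, all spaced by the inter-packet delay."""
    send = [i * inter_packet_delay for i in range(packets_before + 1)]
    delays = [cur_delay_max] * packets_before + [next_delay_min]
    return arrival_order_preserved(send, delays)


if __name__ == "__main__":
    # Constructed RTT-derived values (ms): current path max 14, next path min 5 / 12,
    # packets spaced 5 ms apart, both paths 4 and 5 hops long.
    for next_min in (5.0, 12.0):
        ok = delay_constraint_ok(4, 5, 14.0, next_min, 5.0)
        ordered = migration_scenario(14.0, next_min, 5.0)
        print(f"next path min delay {next_min:4.1f} ms: constraint={ok} order kept={ordered}")
```

With the next path much faster than the current one (14 ms versus 5 ms) the constraint rejects the mutation and the simulation confirms the overtaking; with 12 ms the difference (2 ms) is below the 5 ms spacing, the constraint accepts the path, and the arrivals stay in order.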
Considering that differential flow table configurations resulting from inconsistent update of flow tables may lead to packet loss that also affects the network performance, we prevent this transient problem by updating the flow tables based on the principle of reverse adding and forward deleting: the mutation controller adds new flow table rules for the routing nodes in reverse order (i.e., from the destination node to the source node) while deleting old flow table rules for the routing nodes in order (i.e., from the source node to the destination node).

Theorem 3.
The principle of reverse adding and forward deleting during the update of flow tables ensures packet accessibility during path mutation.
Proof. Suppose that the principle of reverse adding and forward deleting during the update of flow tables cannot ensure packet accessibility during path mutation. This means that there must be a mutation node $MR_i$ that cannot forward packets to the other nodes. All possible mutation nodes can be classified as follows:
Case 1: This indicates that the mutation node is included neither in the set of routing nodes in the current mutation period nor in the set of routing nodes in the next mutation period. In this case, $MR_i$ does not receive any packets.
Case 2: This indicates that the mutation node is only included in the set of routing nodes in the next mutation period. In this case, $MR_i$ does not receive packets in the current mutation period and only forwards packets in the next mutation period based on the updated flow table.
Case 3: This indicates that the mutation node is included both in the set of routing nodes in the current mutation period and in the set of routing nodes in the next mutation period. In this case, $MR_i$ receives packets in the current mutation period and forwards them according to the updated flow table.
Case 4: This indicates that the mutation node is only included in the set of routing nodes in the current mutation period. In this case, $MR_i$ only receives packets in the current mutation period and forwards them according to the original flow table. However, $MR_i$ does not receive any packets after the RTT, which means that all packets have been forwarded within the current mutation period [13].
Therefore, the packets forwarded by mutation node $MR_i$ are still reachable during path mutation, which contradicts the supposition.
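The reverse-adding, forward-deleting principle can be checked by replaying the update one rule at a time and injecting a packet at the source after every step. The following Python is an added example, not code from the paper: it models each routing node's flow table for one flow as a single next-hop rule (a simplification of real flow tables), installs the new path's rules from the destination back to the source, then deletes stale rules from the source towards the destination, and verifies that the packet reaches the destination in every intermediate state. For contrast it also runs the source-first ordering, which produces a drop in one constructed case and a forwarding loop in another. The paths are constructed for the example.

```python
from typing import Dict, List, Tuple

MAX_HOPS = 64  # loop guard for the packet walk

# Constructed example paths (not from the paper): current path and mutation path.
OLD_PATH = ["S", "R1", "R2", "D"]
NEW_PATH = ["S", "R3", "R2", "D"]


def deliver(table: Dict[str, str], src: str, dst: str) -> bool:
    """Walk the per-node next-hop rules from src. True only if the packet reaches
    dst; a missing rule (drop) or a forwarding loop counts as unreachable."""
    node = src
    for _ in range(MAX_HOPS):
        if node == dst:
            return True
        nxt = table.get(node)
        if nxt is None:
            return False
        node = nxt
    return False  # walked MAX_HOPS hops without reaching dst: a loop


def update_steps(old_path: List[str], new_path: List[str],
                 reverse_add: bool = True) -> List[Tuple[str, Dict[str, str]]]:
    """Return (operation, flow-table state) after every single rule operation.

    reverse_add=True is the paper's principle: install the new rules from the
    destination back to the source, then delete stale rules from the source
    towards the destination. reverse_add=False installs the new rules
    source-first, the ordering the principle is designed to avoid."""
    if old_path[0] != new_path[0] or old_path[-1] != new_path[-1]:
        raise ValueError("both paths must share source and destination")
    table = {u: v for u, v in zip(old_path, old_path[1:])}
    states = [("initial", dict(table))]
    new_rules = list(zip(new_path, new_path[1:]))
    for node, nxt in (reversed(new_rules) if reverse_add else new_rules):
        table[node] = nxt  # same match, new action: the old rule is replaced
        states.append((f"add {node}->{nxt}", dict(table)))
    on_new_path = set(new_path)
    for node in old_path[:-1]:  # forward order: source towards destination
        if node not in on_new_path:
            del table[node]
            states.append((f"del {node}", dict(table)))
    return states


def migration_keeps_reachability(old_path: List[str], new_path: List[str],
                                 reverse_add: bool = True) -> bool:
    """True iff a packet injected at the source reaches the destination in every
    intermediate flow-table state produced by the update."""
    src, dst = old_path[0], old_path[-1]
    return all(deliver(state, src, dst)
               for _, state in update_steps(old_path, new_path, reverse_add))


if __name__ == "__main__":
    for op, state in update_steps(OLD_PATH, NEW_PATH):
        print(f"{op:14} reachable={deliver(state, 'S', 'D')}")
    print("reverse adding keeps reachability:",
          migration_keeps_reachability(OLD_PATH, NEW_PATH))
    print("source-first adding keeps reachability:",
          migration_keeps_reachability(OLD_PATH, NEW_PATH, reverse_add=False))
```

In the source-first ordering the first operation points S at R3 before R3 has any rule, so the packet is dropped; when the new path reuses the old nodes in a different order (S, R2, R1, D instead of S, R1, R2, D), source-first installation briefly creates an R1/R2 loop, while the reverse order never does.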

Evaluation
To demonstrate the significance and necessity of network-based MTD, we first compare the strengths and weaknesses of various cyber defense techniques by analyzing their defense capability and system performance. Based on the security analysis in Section 4.3, we then discuss the security performance and transient problems of our proposed MTD technique against passive monitoring through case studies.
We simulated communication networks of the kinds used by SCADA to deliver smart grid commands and measurements. We used real SDN-enabled hardware routers and switches in different physical locations to build a backbone network, which supported communications between the control center and the substations. Figure 6 shows the network topology of our test bed, where network-based MTD strategies are deployed in the backbone network that is targeted by the attacker.

Cyber Defense Technique Comparison
In a network system, there are many network security applications for preventing different types of cyber threats. In this paper, we discuss those that are most commonly and significantly used in the SCADA network. Based on the defense mechanism, cyber defense techniques can be classified into four categories: (a) obfuscation (e.g., network-based MTD), (b) end point filter (e.g., firewall/IDS/IPS), (c) secure protocol (e.g., DNP3sec), and (d) crypto encapsulation (e.g., scalence/VPNsec/GRE tunnelling). Table 4 shows the security features and the threats addressed and unaddressed for the various cyber defense techniques used in the SCADA network.
Based on the defense performance in Table 4 and through extensive investigations, we quantify the defense capability of these cyber defense techniques against cyberattacks in Figure 7, which is graded from 0 to 10.
Overall, each of the cyber defense techniques performs differently for different attacks and none is one-size-fits-all. However, we can observe that network-based MTD shows better performance on most attacks, such as targeted attack, APT, command injection, MITM/hijacking, and IP spoofing intrusion. This is because the dynamic change of the system properties increases the difficulty for the attacker to identify the target, thereby reducing the probability of a successful attack. On the other hand, we also find that network-based MTD has poor performance on some attacks, such as random attack, timing attack, and data leakage. We conjecture that this may be the result of the attacker knowing that network-based MTD is activated and that the system properties are changed. To compensate for this, it is wise to combine network-based MTD with other cyber defense techniques to prevent various attacks. Therefore, network-based MTD is often adopted as a complement rather than a replacement for existing passive defense techniques.
Since a defense capability comparison alone cannot represent a comprehensive analysis of these cyber defense techniques, we quantify their system performance against performance parameters in Figure 8, which is graded from 0 to 10. Overall, all the cyber defense techniques are unevenly distributed in the radar chart and they differ greatly in shape from one another. Compared to the other cyber defense techniques, network-based MTD has a relatively smooth distribution across all the performance parameters. Although some of the cyber defense techniques that are customized for the system perform better in certain aspects, additional overhead is still introduced owing to their inherent operation mechanism. For example, latency is inevitably introduced when the firewall or the IDS installs new rules or checks all rules in the gateway routers. Network-based MTD makes the network less static, less homogeneous, and less deterministic by dynamically changing the network topology and configurations in ways that are manageable by the defender, creating an unpredictable attack surface for the adversary. Therefore, network-based MTD is also referred to as an adaptive cyber defense, as it shifts the defense strategy from a reactive to a proactive technique by giving the otherwise static system a dynamic momentum.

Passive Monitoring Attack Test.
To demonstrate the feasibility and effectiveness of AFPM in disrupting the steps of the cyber kill chain, we used Open vSwitch [28] as the mutation switch and OpenDaylight [29] as the mutation controller. AFPM was deployed on Open vSwitch and OpenDaylight with the Z3 SMT solver [30] to solve the mutation constraints. In the test, the volume of the data flow is set as 8 × 10^5 at a rate of 1.6 × 10^3 pps, and the probability of the attacker monitoring a forwarding link or a routing node is P_a. Figure 9 shows the relationship between the success probability of passive monitoring and the network size on the condition that R_A = R_D and the attacker can passively monitor 100 routing nodes simultaneously. Overall, the success probability of passive monitoring decreases as the network size increases when the length of the forwarding path is fixed. In each case, the longer the forwarding path, the higher the success probability of passive monitoring, when the network size is fixed. Since the static network has no strategic protection, the success probability of passive monitoring is the highest among the three cases, remaining above 70%. In the two MTD cases, there is a significant reduction in the success probability of passive monitoring. Compared to MTD-RRM, MTD-AFPM is more capable of preventing passive monitoring; in particular, when L_T = 10 and the network size is large enough, it can prevent more than 92% of passive monitoring.
This is because MTD-AFPM optimizes the selection of the mutation path based on the network security capacity matrix, so that an optimal combination of mutation path and mutation period can be obtained according to the current network security state. Figure 10 shows the relationship between the success probability of passive monitoring and the number of routing nodes monitored by the attacker on the condition that R_A = R_D and n = 1000. In contrast to Figure 9, the success probability of passive monitoring increases as the number of routing nodes monitored by the attacker increases when the length of the forwarding path is fixed. In each case, the longer the forwarding path, the higher the success probability of passive monitoring, when the number of routing nodes monitored by the attacker is fixed. Compared with the static network, MTD-RRM and MTD-AFPM are advantageous against passive monitoring when the number of routing nodes monitored by the attacker is less than half of the total number of routing nodes in the network. In addition, MTD-AFPM is more effective than MTD-RRM because the optimal combination of mutation path and mutation period is adopted. Figure 11 shows the relationship between the success probability of passive monitoring and the attack frequency on the condition that n = 1000 and the attacker can passively monitor 100 routing nodes simultaneously.
We can observe that the success probability of passive monitoring increases as the attack frequency increases on the condition that R_A ⩽ R_D when the length of the forwarding path is fixed. In each case, the longer the forwarding path, the higher the success probability of passive monitoring, when the attack frequency is fixed. Because of its fixed mutation period, MTD-RRM is no more capable of preventing passive monitoring than the static network once the attack frequency rises to the point where R_A > R_D. Unlike MTD-RRM, MTD-AFPM chooses an optimal combination of mutation path and mutation period according to the current network security state. Therefore, even if the attacker increases the attack frequency, MTD-AFPM can still adjust the mutation period such that R_A ⩽ R_D.
Considering the impact of path mutation on network performance, we evaluate the network performance by recording the number of out-of-order packets. Figure 12 shows the proportion of out-of-order packets in different cases.
Since MTD-RRM randomly selects a feasible forwarding path for the next mutation, the proportion of mutations in which the difference between the minimum transmission delay of the forwarding path in the next mutation period, L_T^(RMP+1), and the maximum transmission delay of the current forwarding path, L_T^(RMP), exceeds the minimum inter-packet delay grows as the mutation frequency increases, which results in a gradual increase in the proportion of out-of-order packets. MTD-AFPM does not suffer from this packet disorder problem because of the forwarding path delay constraint we impose on path mutation. This is the reason why the curve of MTD-AFPM is very close to that of the static network.
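The delay constraint behind Figure 12, as an added example that is not part of the paper's implementation: a mutation can reorder packets only when the slowest packet still in flight on the current path can be overtaken by the fastest packet on the next path, i.e. when the delay gap exceeds the minimum inter-packet delay. The `Path` type, the delay figures and the worst-case schedule in `simulate_mutation` are constructed here for illustration, not taken from the paper's test bed.

```python
from dataclasses import dataclass
from typing import List, Sequence


@dataclass(frozen=True)
class Path:
    """Hypothetical forwarding path described by its end-to-end delay range (ms)."""
    name: str
    min_delay: float   # fastest delivery this path can achieve
    max_delay: float   # slowest delivery this path can produce


def violates_delay_constraint(current: Path, nxt: Path, min_ipd: float) -> bool:
    """True if switching from `current` to `nxt` can reorder packets.

    Worst case: the last packet on the old path takes current.max_delay, the
    first packet on the new path (sent min_ipd later) takes nxt.min_delay.
    Reordering is possible iff current.max_delay > min_ipd + nxt.min_delay.
    """
    return current.max_delay - nxt.min_delay > min_ipd


def feasible_next_paths(current: Path, candidates: Sequence[Path], min_ipd: float) -> List[Path]:
    """Keep only candidate mutation paths that satisfy the delay constraint
    (the filtering step AFPM applies before choosing among candidates)."""
    return [p for p in candidates if not violates_delay_constraint(current, p, min_ipd)]


def out_of_order_fraction(send_times: Sequence[float], delays: Sequence[float]) -> float:
    """Fraction of packets arriving earlier than some packet sent before them."""
    latest_seen = float("-inf")
    late = 0
    for s, d in zip(send_times, delays):
        arrival = s + d
        if arrival < latest_seen:
            late += 1
        latest_seen = max(latest_seen, arrival)
    return late / len(send_times)


def simulate_mutation(current: Path, nxt: Path, min_ipd: float,
                      mutation_time: float, n_packets: int) -> float:
    """Constructed worst-case schedule: packets leave every min_ipd ms; those sent
    before the mutation take current.max_delay, those after take nxt.min_delay."""
    send_times = [i * min_ipd for i in range(n_packets)]
    delays = [current.max_delay if t < mutation_time else nxt.min_delay for t in send_times]
    return out_of_order_fraction(send_times, delays)


if __name__ == "__main__":
    cur = Path("current", 8.0, 12.0)
    random_pick = Path("rrm-random", 2.0, 4.0)       # much faster path: reorders
    constrained = Path("afpm-constrained", 11.5, 13.0)
    print(feasible_next_paths(cur, [random_pick, constrained], 1.0))
    print(simulate_mutation(cur, random_pick, 1.0, 10.0, 20))   # 0.45
    print(simulate_mutation(cur, constrained, 1.0, 10.0, 20))   # 0.0
```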

Conclusion and Future Work
In this paper, we propose an AFPM-based MTD technique and demonstrate through simulations that it optimizes the network performance and improves the defense capability of path mutation. In our technique, we presented solutions to the two existing problems in path mutation. First, we formalized the mutation constraints in three terms based on the SMT to select the appropriate forwarding path. Second, we designed the mutation path generation algorithm based on the network security capacity matrix to calculate the optimal combination of mutation path and mutation period. Simulation results show that AFPM can prevent more than 92% of passive monitoring when L_T = 10 and 1/20 of the routing nodes are monitored. In addition, the probability of packet disorder in the AFPM network is almost equivalent to that in the static network. Therefore, AFPM can maximize the defense benefits while guaranteeing QoS.
In the future, we will incorporate IP hopping and network port hopping to increase the attack complexity and cost. Such an integrated technique can extend the attack surface to a considerable extent, even for sophisticated attack scenarios.

Data Availability
The data used to support the findings of this study are available from the corresponding authors upon request.

Conflicts of Interest
The authors declare that they have no conflicts of interest.