An Adaptive IP Hopping Approach for Moving Target Defense Using a Light-Weight CNN Detector

Scanning attacks are normally the first step of many other network attacks such as DDoS and propagating worms. Because they are easy to implement and yield high returns, scanning attacks, and cooperative scanning attacks in particular, are widely used by attackers and have become a serious threat to network security. In order to defend against scanning attacks, this paper proposes an adaptive IP hopping scheme in software defined networks for moving target defense (MTD). In order to respond accurately to the attacker's behavior in real time, a light-weight convolutional neural network (CNN) detector composed of three convolutional modules and a judgment module is proposed to sense scanning attacks. The input data of the detector are generated by a designed packet sampling and data preprocessing procedure. The detection result of the detector is used to trigger IP hopping. To provide some fault tolerance for the CNN detector, IP hopping can also be triggered by a preset timer. The CNN-driven adaptability is applied to a three-level hopping strategy so that the MTD system optimizes its behavior according to the real-time attack. Experiments show that, compared with existing technologies, the proposed method significantly improves the defense effect against scanning attacks and the subsequent attacks that rely on the resulting hit list. The hopping frequency of the proposed method is also lower than that of other methods, so the proposed method incurs lower system overhead.


Introduction
According to Symantec's 2019 report [1], a growing number of people and organizations are interested in compromising operational computers over the network. The static properties of networks make the state and behavior of an information system predictable, so attackers can not only launch attacks effectively but also evade detection easily [2]. Methods that randomize network and host properties, such as Moving Target Defense (MTD), have been recommended as a countermeasure against the reconnaissance that exploits the static and predictable properties of networks [3]. IP hopping is one of the key technologies of MTD. It frequently changes the IP addresses of protected nodes in the network in order to prevent attackers from building an effective hit list.
Existing research [4-22] has shown that IP hopping is an effective method of defending against scanning attacks, which are normally the first step of many other network attacks such as DDoS [23] and propagating worms [24]. The game between the scanning attacker and the IP hopping defender is shown in Figure 1. Scanning attacks generally manifest as an attacker continuously sending different forms of probe packets. From the response packets received, the attacker learns which hosts in the network are potential targets, while IP hopping frequently changes the IP addresses used by the protected hosts. On the one hand, IP hopping lets protected hosts evade scanning to some extent. On the other hand, IP hopping can invalidate the probed targets in the attacker's hit list within a short time: once the attacker has probed a target and added its IP address to the hit list, that address may soon become invalid under the protection of IP hopping. The main challenge for the defender is to decide when and how to hop.
IP hopping was first proposed and deployed in legacy networks [2, 4-12] and proved to be an excellent defensive means. In recent years, software defined networking (SDN) [25] has been widely studied and is considered the next network technology. SDN separates data forwarding from rule control. The flexibility of SDN brings convenience and supports many new network technologies; meanwhile, SDN also faces endless network threats. IP hopping applied to SDN has been researched in many papers [11-20]. They usually use OpenFlow [26, 27] to build an MTD architecture for IP hopping defense. The SDN controller controls the mutation of the IP addresses of protected hosts. The controller also manages the switches in the protected network to ensure timely and accurate forwarding of packets while terminal IP addresses constantly change. The structure of SDN makes it convenient to deploy IP hopping defense.
Faced with scanning attacks, most of the existing research does not pay enough attention to the behavior of attackers. Existing IP hopping defense systems lack the ability to perceive the attackers' behavior. For instance, the IP addresses of nodes keep hopping even when no attacker is probing the protected network. In addition, the IP hopping system may disrupt legitimate user behavior. Some research proposes adaptive IP hopping methods [16, 19-22]. Adaptive methods configure the IP hopping scheme and execute IP hopping according to the behavior of attackers so as to achieve a more elaborate defense effect. However, existing adaptive methods still leave much room for improvement in reducing the success rate of scanning attacks and reducing the average lifetime of scanned targets in the hit list.
This paper proposes a novel adaptive IP hopping defense method in SDN. In our method, a light-weight convolutional neural network (CNN) [28, 29] is used to perceive the attackers' scanning behavior and guide the configuration of the next IP hop. Experiments show that our proposed method can significantly improve the survival rate of protected hosts under scanning attack while reducing the average lifetime of targets in the attackers' hit list, which hinders DDoS and other subsequent attacks. The main contributions of this paper can be summarized as follows. Firstly, we propose a sampling and data preprocessing method for attacker behavior data in SDN. Secondly, we design a light-weight CNN structure that can detect attacker behavior in real time and drive IP hopping defense. Thirdly, by applying CNN-driven adaptability to a three-level hopping strategy, a novel adaptive IP hopping scheme in SDN is proposed and shown, in a considerable number of experiments, to achieve a better defense effect. The rest of this paper is organized as follows. Section 2 gives an overview of related works. Section 3 introduces the motivation of our proposed method. Section 4 presents our proposed method in detail. The implementation and experiments are presented in Section 5. Finally, Section 6 concludes this paper.

Related Works
Research on IP hopping for MTD can be classified into two categories according to the implementation platform: legacy networks and SDN. We review the technologies on both platforms in detail.
Traditional IP address randomization techniques such as DHCP [30] or NAT [31] do not fully develop the potential of IP randomization for network defense, because they change addresses infrequently and traceably [2]. IP hopping technologies were first proposed and developed in legacy networks.
They have proved to be effective measures to contain different kinds of scanning attacks and other hit-list based attacks such as worms. Krylov and Kravtsov [4] proposed an IP hopping method that is deployable and effective at hiding content and destination servers. Zhao et al. [5] analyzed the shortcomings of service migration and proposed a new technique called "Middle Agent," which was applied to their end-hopping prototype system. Clark et al. [6] showed by analysis that refreshing and reassigning IP addresses disrupts normal communication, so they introduced an optimal method to minimize the disruption. Zhuang et al. [7] defined key concepts for talking formally about MTD systems and discussed some essential problems of such systems. Yackoski et al. [8] introduced a new network architecture called Self-shielding Dynamic Network Architecture (SDNA) that allows multiple types of dynamics. Cho et al. [9] summarized the design principles, key methodologies, important algorithms, and relevant key techniques of MTD. Dunlop et al. [10] proposed an IPv6-based hopping system called MT6D to overcome the limited number of IP addresses while keeping an acceptable speed for UDP requests. Morrell et al. [11] explored the ratio of clients to servers in MT6D and discovered some network limits. Miao et al. [12] pointed out that IP hopping defense in SDN is inefficient because flow table matching introduces high latency. They proposed using vector packet processing to accelerate IP hopping defense in legacy networks. Their experiments showed that the hit rate under scanning attack was effectively reduced while data processing capability was maintained.
In the SDN environment, Jafarian et al. [13] first proposed and deployed IP hopping in SDN: an MTD method named Random Host Mutation (RHM), which mutates IP addresses on the switches and keeps the mutation transparent to the hosts. However, the hopping causes a certain amount of system overhead and cannot adapt to the behavior of the attacker, so it is easy for attackers to discover the regular pattern of the hopping defense. Jafarian et al. [14] then proposed a spatiotemporal address mutation that binds the changed IP address to the host. The source identity further improves the security of the information system. However, the defense system requires sufficient address space, which is an additional overhead. Krylov et al. [15] proposed a DDoS countermeasure called IP Fast Hopping, an implementable network-layer software solution. This method also lacks the necessary perception of attack behavior and cannot adapt to changes in it. Building on [13], Jafarian et al. [2] proposed an effective address randomization method that improves unpredictability through fast mutation and constrained configuration. They proposed a two-level hopping scheme to improve the efficiency of defense and further increase the uncertainty of hopping. Its flaw is that its attack perception is not sensitive enough and cannot adapt to varied attacks, such as an irregular scanning frequency. Jafarian et al. [16] proposed an adversary-aware IP address randomization that uses hypothesis testing to characterize attacker behavior. Experiments in [16] show that the method significantly slows down the attack and increases its detectability. However, the accuracy of hypothesis testing depends on the number of known samples, which reduces the efficiency of attack perception.
MacFarland and Shue proposed a new hopping method in SDN that protects the information system without any modification on clients [17]. This transparent defense method is similar in effect to [13] and cannot adapt to changes in attacker behavior. In [18], Chang et al. not only randomize the IP address for defense but also solve the problem of IP address synchronization between network nodes. This scheme is another implementation in SDN; however, its synchronization inevitably results in additional system overhead. In [19], Lei et al. deployed an adversary strategy awareness module in an MTD system and proposed a self-adaptive end-point hopping technique (SEHT). In SEHT, IP hopping is triggered and configured under the guidance of adversary strategy awareness. The resulting three-level hopping is a more refined method that improves the unpredictability of the defense. However, similar to [16], its perception method is not sensitive to changes in attacker behavior. In [20], Smith et al. also introduce intrusion detection to trigger an MTD system. Their intrusion detection is based on the NeuroEvolution of Augmenting Topologies algorithm (NEAT) and operates in real time; however, its detection accuracy still needs to be improved. In [21], to maximize the unpredictability of network mutation, Zhang et al. use adversary strategy awareness with hypothesis testing to select the mutation strategy. As in [16], the accuracy of hypothesis testing depends on the number of valid samples, which is an additional overhead. In [22], Ma et al. use the anomaly awareness of [32] to drive a self-adaptive end-point hopping defense. However, anomaly awareness based on information distance is not accurate enough: a smart attacker may scan without producing an anomaly in information distance.
In conclusion, IP hopping for MTD is an effective method of defending against network attacks, especially scanning attacks. However, existing methods still need to improve their adaptability: the MTD system should respond to attack behavior accurately in real time and make fine-grained adjustments to its hopping strategy.

Attack Analysis.
In this paper, we mainly focus on one kind of cooperative scanning attack.
This cooperative scanning means that a number of hosts act as scanners and sample (probe) IP addresses in the protected network. The whole IP space is divided among the scanners and scanned uniformly. The purpose of the attacker is to find out which IP addresses are currently in use, so that he can prepare for subsequent attacks such as DDoS. A cautious attacker usually scans IP addresses without repetition to minimize failed probes [33].
We assume that the scanning attack starts from the outer network and is a propagating scan: each newly probed host may become infected and start acting as a scanner. Once a host is probed, it takes time $t_p$ to infect it. Scanners share the portion of the IP address space that has not yet been scanned.

Security and Communication Networks
Each scanner has two important attributes which are frequency of scanning packet (FSP) and proportion of scanning packet (PSP). FSP denotes the number of probes sent per second. PSP denotes the proportion of probe packets in all packets sent by the scanner.
We believe that, compared with the network data flow produced by a normal host for legitimate communication, the data flow produced by a scanning attack has distinguishing features. These features make it possible to detect scanning attacks in the network data flow without being disturbed by normal probes, where "normal probes" means probes sent for legitimate communication.

Promotion Idea.
In an adaptive IP hopping system, the result of attack awareness is used to guide the configuration of IP hopping and to trigger hopping. Both the accuracy and the timeliness of attack awareness directly affect the validity of hopping. Accuracy demands not only detecting malicious packets (false rejection rate) but also not being disturbed by normal probes (false acceptance rate).
However, the accuracy and timeliness of previous adaptive IP hopping methods still need to be improved. The method in [20] uses a nearly fully connected structure to build a light-weight detection network. A fully connected structure makes it difficult to balance the capacity of the network against its weight, so the detector struggles to balance accuracy and timeliness. The method in [19] simply judges failed probe packets to be malicious. However, successful probe packets can also be malicious, and failed probe packets can be legitimate. The data sampling method in [19] also needs improvement.
To perceive attack behavior accurately in real time, this paper first proposes a new data sampling method. The proposed sampling method collects all probe packets so that every malicious scanning packet is included; a part of the non-probe packets that may be related to scanning attack is also included. We then propose a novel CNN structure to classify the sampled data and drive the IP hopping system, including guiding the hopping configuration and triggering hopping. We try to make the hopping defense react to each illegal probe, so as to improve the effectiveness of each hop and reduce invalid hops. The architecture of CNN-driven adaptive IP hopping is shown in Figure 2. The reasons for choosing a CNN as the detector are as follows: firstly, the CNN's local perception can mine the correlations in the data and remove redundant information, which ensures detection accuracy; secondly, the CNN's weight sharing and pooling reduce the number of connections and weights in the neural network, which allows a light-weight detector.
Thirdly, CNNs have been used in intrusion detection systems and proved effective for detecting attacker behavior [34-37]; thus, previous work can serve as a reference here.

Architecture and Workflow.
The proposed IP hopping system evades and prevents scanning attacks by dynamically changing the IP addresses of protected hosts, which makes vulnerabilities and backdoors harder to exploit and so protects the network. The adaptability of the proposed method has two aspects: adaptive IP hopping configuration and adaptive IP hopping triggering. The CNN detector perceives attack behavior automatically and both guides the hopping configuration and triggers hopping. The workflow of the proposed method consists of the 4 modules shown in Figure 3: packet sampling, data preprocessing, the trained CNN detector, and hopping strategy execution. The packet sampling module collects packets that may be related to a scanning attack. The data preprocessing module arranges the collected packets into a data matrix that is the input of the CNN detector. The CNN detector judges whether the input data correspond to a malicious host. Finally, the IP hopping strategy is activated by the judgment of the CNN detector. In addition, hopping can also be triggered by a preset timer in case the CNN detector misses an alert.

Packets Sampling.
The input data of the CNN should include the packets of a normal probe or a scanning attack and their related packets. To ensure detection accuracy, the input data should be as complete as possible while containing as little redundancy as possible. The scanning behavior of attackers is variable: for example, an attacker can send scanning packets at different FSPs and PSPs, and a smart attacker can hide scanning packets in a background data stream. Because the attack traffic may have these characteristics, two sampling methods are used at the same time: continuous sampling and precise sampling. Continuous sampling samples not only the probe packet itself but also the background stream packets that follow it, so that subsequent processing can mine the relationship between the attack packet and the background stream. Precise sampling collects all probe packets, since each probe packet could be an attack packet; it collects only probe packets. Both precise sampling and continuous sampling are triggered by any of the eight kinds of packets that can be used to probe: ARP request, ICMP echo, ICMP timestamp, ICMP netmask, TCP SYN, TCP ACK, TCP FIN, and empty UDP.
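As an added illustration (not code from the paper), the following Python function classifies a raw Ethernet frame as one of the eight trigger packet kinds listed above, or as a non-probe; the frame builders below construct test frames inline. Field offsets follow the standard ARP, IPv4, ICMP, TCP and UDP header layouts. Two details are this example's interpretation of the list rather than something the paper states: a TCP probe is recognized only when exactly one of SYN, ACK or FIN is set, and an empty UDP probe when the UDP length field equals the 8-byte header.

```python
import struct

ETH_HDR = 14
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
TCP_FIN, TCP_SYN, TCP_ACK = 0x01, 0x02, 0x10


def probe_kind(frame: bytes):
    """Classify one Ethernet II frame as one of the eight probe kinds that trigger
    sampling, or return None. Pure-Python parsing; VLAN tags are not handled."""
    if len(frame) < ETH_HDR:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]

    if ethertype == ETHERTYPE_ARP:
        if len(frame) < ETH_HDR + 8:
            return None
        opcode = struct.unpack("!H", frame[ETH_HDR + 6:ETH_HDR + 8])[0]
        return "arp_request" if opcode == 1 else None

    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    l4 = ip[ihl:total_len]          # transport header + payload, IP options skipped

    if proto == 1 and len(l4) >= 4:   # ICMP: echo, timestamp and netmask requests
        return {8: "icmp_echo", 13: "icmp_timestamp", 17: "icmp_netmask"}.get(l4[0])
    if proto == 6 and len(l4) >= 20:  # TCP: exactly one of SYN / ACK / FIN set
        flags = l4[13] & 0x3F         # drop the ECN bits (ECE, CWR)
        return {TCP_SYN: "tcp_syn", TCP_ACK: "tcp_ack", TCP_FIN: "tcp_fin"}.get(flags)
    if proto == 17 and len(l4) >= 8:  # UDP: length field 8 means no payload
        return "udp_empty" if struct.unpack("!H", l4[4:6])[0] == 8 else None
    return None


# --- constructed frames for testing (not captured traffic) ------------------

def _eth(ethertype, payload):
    return b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ethertype) + payload


def _ipv4(proto, payload, src="10.0.0.1", dst="10.0.0.2"):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    return _eth(ETHERTYPE_IPV4, hdr + payload)


def tcp_frame(flags):
    # sport, dport, seq, ack, data offset (5 words), flags, window, checksum, urgent
    return _ipv4(6, struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flags, 1024, 0, 0))


def icmp_frame(icmp_type):
    return _ipv4(1, bytes([icmp_type, 0, 0, 0]) + b"\x00" * 4)


def udp_frame(payload=b""):
    return _ipv4(17, struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload)


def arp_frame(opcode):
    # htype, ptype, hlen, plen, opcode, then sender/target addresses (zeroed)
    return _eth(ETHERTYPE_ARP, struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode) + b"\x00" * 20)
```

In a Ryu application the same check would run on the raw data of each Packet-In; a SYN+ACK or a UDP datagram carrying a payload is deliberately not treated as a probe, so only the bare reconnaissance shapes open a sampling.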

Continuous Sampling.
For every probe packet, continuous sampling collects some of the packets that follow it from the same source host. The following packets and the probe packet itself form the sampled packets of one continuous sampling.
Because packets from the same source host may arrive at, and be forwarded by, different switches, once any switch receives a probe packet it sends the probe packet to the controller in a Packet-In message and raises a continuous-sampling event (an "event" in the Ryu platform). The controller then orders every switch in the controlled network to send up, within a specified time, a certain number of the following packets sent by the source host of the probe packet.

Precise Sampling.
Precise sampling pays attention only to probe packets. For every probe packet, precise sampling collects some previous probe packets and some following probe packets from the same source. The previous probe packets, the following probe packets, and the probe packet itself form the sampled packets of one precise sampling. The implementation is similar to continuous sampling, but precise sampling collects only probe packets. Once any switch receives a probe packet, it sends the probe packet to the controller in a Packet-In message and raises a precise-sampling event. The controller then orders every switch in the controlled network to send up, within a specified time, a certain number of the following probe packets from the same source. The controller already stores all previous probe packets seen in the network, and it selects a certain number of previous probe packets from the same source.

Data Preprocessing.
Our CNN detector operates on data extracted from the sampled packets in order to classify whether the packet and its source host are illegal. The data extracted from one continuous sampling and one precise sampling are combined into one input of the CNN detector. The data extraction method is as follows.
Each packet is essentially a binary bitstream. To further remove irrelevant parts from the sampled data, only the five parts of a packet that may be related to scanning attack are preserved; the content of the packet outside these five parts is discarded. We also note that, since the IP hopping system keeps the protected network ever-changing, the judgment whether a probe packet is illegal should take the current network situation into account. For this purpose, we append a flag bit to the binary bitstream extracted from each probe packet, as shown in Figure 4: if the probe packet hits a currently used IP address, the flag bit is set to 1; otherwise it is set to 0.
Unlike [20], we do not convert these binary bitstreams to integers, in order to avoid confusing the data and to preserve its integrity. The data extracted from each sampled packet are placed end-to-end, forming the vector F. To suit the convolution in the CNN detector, the vector F is then converted to a matrix M, with zero padding to complete the two-dimensional matrix.
Since the number of sampled packets may differ from one sampling to another, and the types of packets obtained To adapt to different sizes of input data, we use global pooling as the last pooling layer of the CNN, as described in the next subsection.
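The two samplings of the Continuous Sampling and Precise Sampling subsections and the preprocessing described just above, as an added Python example that is not the authors' Ryu code. The sampler keeps per-source state: a probe opens both samplings at once, a sampling closes when the configured packet counts are reached or its time window expires (the expired case yields a partial sample), and no new sampling is opened for a source while a judgment for it is less than a minute old (the reuse rule stated later in the Designed CNN Detector subsection). The preprocessing part turns the preserved bytes of each packet into bits, appends the hit flag to probe packets, and reshapes the concatenated vector F into a zero-padded matrix M. The packet counts, the 2-second window, and passing the already-selected header fields in as bytes are assumptions of the example; which five parts are preserved is left to the caller.

```python
from collections import defaultdict, deque


class ProbeSampler:
    """Controller-side bookkeeping for continuous and precise sampling, keyed by
    source host. Each on_packet call models one Packet-In reaching the controller."""

    def __init__(self, n_follow=3, n_prev_probe=2, n_follow_probe=2,
                 window=2.0, verdict_ttl=60.0, history=64):
        self.n_follow = n_follow              # continuous: packets after the trigger probe
        self.n_prev_probe = n_prev_probe      # precise: earlier probes from the same source
        self.n_follow_probe = n_follow_probe  # precise: later probes from the same source
        self.window = window                  # seconds a sampling may stay open (assumed)
        self.verdict_ttl = verdict_ttl        # reuse one judgment per source this long
        self.history = defaultdict(lambda: deque(maxlen=history))  # src -> past probes
        self.open = {}                        # src -> sampling in progress
        self.verdicts = {}                    # src -> (timestamp, label)

    def record_verdict(self, ts, src, label):
        self.verdicts[src] = (ts, label)

    def cached_verdict(self, ts, src):
        v = self.verdicts.get(src)
        return v[1] if v and ts - v[0] <= self.verdict_ttl else None

    def on_packet(self, ts, src, pkt, is_probe):
        """Feed one packet; return the list of samplings completed by it."""
        done = []
        st = self.open.get(src)
        if st is not None and ts - st["t0"] > self.window:   # window expired: partial sample
            done.append(self._finish(src, partial=True))
            st = None
        if st is None:
            # Only a probe opens a sampling, and not while a fresh verdict exists for src.
            if is_probe and self.cached_verdict(ts, src) is None:
                prev = list(self.history[src])
                self.open[src] = {"t0": ts, "src": src, "trigger": pkt,
                                  "prev_probes": prev[max(0, len(prev) - self.n_prev_probe):],
                                  "continuous": [], "following_probes": []}
        else:
            if len(st["continuous"]) < self.n_follow:
                st["continuous"].append(pkt)
            if is_probe and len(st["following_probes"]) < self.n_follow_probe:
                st["following_probes"].append(pkt)
            if (len(st["continuous"]) >= self.n_follow
                    and len(st["following_probes"]) >= self.n_follow_probe):
                done.append(self._finish(src, partial=False))
        if is_probe:
            self.history[src].append(pkt)
        return done

    def _finish(self, src, partial):
        st = self.open.pop(src)
        st["partial"] = partial
        return st


def sample_packets(sample):
    """Precise part (previous probes, trigger, following probes) followed by the
    continuous part (trigger and the packets that followed it)."""
    return (sample["prev_probes"] + [sample["trigger"]] + sample["following_probes"]
            + [sample["trigger"]] + sample["continuous"])


def packet_bits(content: bytes, hit_flag=None):
    """Bits of the preserved packet fields, MSB first; probe packets get the trailing
    flag bit (1 if the probed address is currently in use)."""
    bits = [(b >> (7 - i)) & 1 for b in content for i in range(8)]
    if hit_flag is not None:
        bits.append(1 if hit_flag else 0)
    return bits


def build_matrix(items, width):
    """items: (preserved_bytes, hit_flag_or_None) per sampled packet. Concatenate into
    vector F and reshape to a width-column matrix M, zero-padding the last row."""
    F = [bit for content, flag in items for bit in packet_bits(content, flag)]
    rows = -(-len(F) // width)
    F += [0] * (rows * width - len(F))
    return [F[r * width:(r + 1) * width] for r in range(rows)]
```

A partial sample produced by the window timeout still reaches the detector; that is what keeps a slow scanner, which never sends enough follow-up packets, from escaping classification entirely.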

Designed CNN Detector.
CNN has been widely used in network intrusion detection, e.g., [34-37]. Because of its local perceptual processing, a CNN is especially good at discovering local-to-local correlations in data. As analyzed under packet sampling and data preprocessing, the local-to-local correlations in our data are likely related to the classification (malicious or not). For the structural design of the CNN, we adjusted the structure empirically over a large number of experiments, trying different activation functions and convolution kernels of different sizes, to make sure the structure suits the judgment on our preprocessed attack traffic data. The CNN detector is designed to be deployed on the SDN controller, with two requirements: firstly, it must place no special demands on the hardware performance of the controller; secondly, the time consumed by one judgment must be short enough that data do not pile up. The CNN should therefore be a light-weight detector. The structure of the designed CNN is shown in Figure 5; it is composed of three convolutional modules and a judgment module. Each convolutional module consists of a convolutional layer, a batch normalization layer [38], a ReLU layer [39], and a pooling layer. ReLU is used as the activation because our input data is a binary matrix, and ReLU activates elements greater than 0 and less than 0 differently. The judgment module consists of a fully connected layer and a Softmax layer.
In Figure 5, the boxes labeled "Conv" are convolutional layers. The formula a × (b × c × d) in a "Conv" box gives the size and shape of the convolutional kernels: the layer takes d input matrices and outputs a matrices, and b × c is the size of the kernel applied to each input matrix. The process of a convolutional layer is shown in (1), where $X^{out}_j$ is the jth output matrix of the layer, $X^{in}_i$ is the ith input matrix, $K_{ij}$ is the convolutional kernel applied to $X^{in}_i$ and accumulated into $X^{out}_j$, and $B_j$ is the bias matrix added to the jth output matrix. In (1), $*$ denotes the convolution operation. The boxes labeled "Pooling" are pooling layers; in them, "size" is the size of the pooling window and "s" is the stride. The pooling operation is described in (2), where x is an output neuron, ave denotes average pooling (used in every pooling layer), R is a pooling region of the input matrix, and r is a neuron in R. Global pooling is used in the last pooling layer: its window size equals the size of each input matrix of the layer, whatever that size is, which lets the CNN accept inputs of different sizes. The convolution and pooling process is illustrated in Figure 6. The boxes labeled "ReLU" are ReLU activation layers. These layers introduce nonlinearity into the CNN and enable the model to fit problems that a linear model cannot. The ReLU layer is described in (3), where $x^{out}$ is an output neuron and $x^{in}$ is an input neuron. The boxes labeled "BN" are batch normalization layers. A BN layer normalizes the elements of each input feature map to zero mean and unit variance, so that the input to ReLU falls in the region near 0 and gradient back-propagation is less likely to fall into poor local minima. The box labeled "Fully connected" is the fully connected layer.
In this layer, each output neuron is connected to every input neuron with a weight parameter. The layer is described in (4), where $x^{out}_j$ is the jth output neuron, $x^{in}_i$ is the ith input neuron, $N_f$ is the number of input neurons, and $\omega_{ij}$ is the weight of the connection between $x^{out}_j$ and $x^{in}_i$. The box labeled "Softmax" is the Softmax layer. It normalizes the neuron values to the range [0, 1] so that they indicate the probabilities of the input belonging to each class. The Softmax layer is described in (5), where $x^{out}_j$ is the jth output neuron, $x^{in}_j$ and $x^{in}_i$ are the jth and ith input neurons, and $N_s$ is the number of input neurons, which is also the number of output neurons. In our CNN, both the fully connected layer and the Softmax layer output two neurons; one indicates "normal" and the other "malice." Denote by D(·) the trained CNN detector and by X a matrix of input data. The judgment of the detector is shown in (6), where result 1 means "malice" and result 0 means "normal." Packet sampling obviously occupies part of the channel between the switches and the controller, and data preprocessing and CNN detection consume resources on the controller. To mitigate the impact on network QoS, one judgment result is also applied to other probe packets from the same source for 1 minute: during that minute, probe packets from the same source do not trigger packet sampling. This also prevents the defense system from being overburdened by an excessive number of probe packets.
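A pure-Python reference forward pass through the structure described above, added here as an example rather than the authors' TensorFlow model, to show concretely how the global pooling layer makes the judgment independent of the size of the input matrix M. The ordering conv, BN, ReLU, pool within each module, the global pooling before the judgment module, and the two-neuron fully connected and Softmax layers follow the text; the channel counts, the 3×3 kernels, the pseudo-random untrained weights, per-input batch-normalization statistics, and 2×2 pooling after the first module only are assumptions of the example.

```python
import math
import random


def conv2d(inputs, kernels, biases):
    """Eq. (1), X_out_j = sum_i K_ij * X_in_i + B_j, as a valid cross-correlation.
    inputs: d matrices; kernels[j][i]: k x k kernel on input i for output j."""
    H, W = len(inputs[0]), len(inputs[0][0])
    outs = []
    for kset, bj in zip(kernels, biases):
        k = len(kset[0])
        out = [[bj] * (W - k + 1) for _ in range(H - k + 1)]
        for X, K in zip(inputs, kset):
            for y in range(H - k + 1):
                for x in range(W - k + 1):
                    out[y][x] += sum(K[u][v] * X[y + u][x + v]
                                     for u in range(k) for v in range(k))
        outs.append(out)
    return outs


def batchnorm_relu(maps, eps=1e-5):
    """BN then ReLU (Eq. (3)). Assumption: per-map statistics of the current input
    with gamma = 1, beta = 0, instead of the running statistics a trained model keeps."""
    outs = []
    for X in maps:
        vals = [v for row in X for v in row]
        mu = sum(vals) / len(vals)
        var = sum((v - mu) ** 2 for v in vals) / len(vals)
        outs.append([[max(0.0, (v - mu) / math.sqrt(var + eps)) for v in row] for row in X])
    return outs


def avg_pool(maps, size=2, stride=2):
    """Eq. (2): average over each pooling region R."""
    return [[[sum(X[y + u][x + v] for u in range(size) for v in range(size)) / (size * size)
              for x in range(0, len(X[0]) - size + 1, stride)]
             for y in range(0, len(X) - size + 1, stride)] for X in maps]


def global_avg_pool(maps):
    """Window equal to the whole map: one scalar per map, whatever the input size."""
    return [sum(v for row in X for v in row) / (len(X) * len(X[0])) for X in maps]


def fc_softmax(vec, weights, biases):
    """Eqs. (4) and (5): fully connected layer followed by Softmax."""
    z = [sum(w * v for w, v in zip(wj, vec)) + bj for wj, bj in zip(weights, biases)]
    m = max(z)
    e = [math.exp(v - m) for v in z]
    return [v / sum(e) for v in e]


def build_detector(seed=0, channels=(4, 4, 4), k=3):
    """Three convolutional modules plus judgment module with fixed pseudo-random
    (untrained) weights; stands in for the trained TensorFlow model."""
    rng = random.Random(seed)
    rnd = lambda: rng.uniform(-0.5, 0.5)
    modules, d = [], 1
    for a in channels:
        kernels = [[[[rnd() for _ in range(k)] for _ in range(k)] for _ in range(d)]
                   for _ in range(a)]
        modules.append((kernels, [rnd() for _ in range(a)]))
        d = a
    return modules, [[rnd() for _ in range(d)] for _ in range(2)], [rnd(), rnd()]


def detect(model, M, min_size=16):
    """D(X) of Eq. (6): returns (label, p_malice) with label 1 = malice, 0 = normal.
    Inputs smaller than min_size are zero-padded so the valid convolutions fit."""
    H, W = len(M), len(M[0])
    X = [[float(M[y][x]) if y < H and x < W else 0.0
          for x in range(max(W, min_size))] for y in range(max(H, min_size))]
    maps, (modules, fc_w, fc_b) = [X], model
    for idx, (kernels, biases) in enumerate(modules):
        maps = batchnorm_relu(conv2d(maps, kernels, biases))
        if idx == 0:   # assumption: 2x2/s2 pooling after module 1; module 3 pools globally
            maps = avg_pool(maps)
    probs = fc_softmax(global_avg_pool(maps), fc_w, fc_b)
    return (1 if probs[1] > probs[0] else 0), probs[1]
```

Because the last pooling window is the whole feature map, the vector entering the fully connected layer always has exactly one entry per channel; a 16×16 matrix and a 40×30 matrix therefore reach the same two-neuron judgment without any resizing of the input.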

IP Hopping Strategy.
In this paper, each protected host has a fixed real IP (rIP) and a hopping virtual IP (vIP). In our system, IP hopping can be triggered by two kinds of events: the system timer (periodic hopping) and the judgment result of the CNN detector (triggered hopping). Periodic hopping and triggered hopping run independently. Periodic hopping exists in case the CNN misses an alert and triggered hopping is therefore not executed in some situation. The notation used in our IP hopping strategy is listed in Table 1. Assume the whole protected network has k subnets, $S_1, S_2, \ldots, S_k$, and l protected hosts, $h_1, h_2, \ldots, h_l$, distributed among them. $IP_W$, $IP_R$, and $IP_V$ denote the whole IP set, the real IP set, and the virtual IP set, respectively, so $IP_W = IP_R \cup IP_V$, $rIP \in IP_R$, and $vIP \in IP_V$. It is impossible to choose a vIP from the whole of $IP_V$ in each hop, because a range of vIPs can only be assigned to one physical subnet at a given time. We adopt a three-level hopping scheme to assign the available vIP space: base hopping, low-frequency hopping, and high-frequency hopping. As shown in (7), the set $IP_V$ is divided into $m_B$ base hopping ranges (BHRs) according to the number and scale of the subnets, with $m_B \ge k$.
Then, as shown in (8), each BHR is divided into $m_L$ low-frequency hopping ranges (LHRs) according to the number of hosts in the subnet. Each LHR contains several vIPs, which are used for high-frequency hopping.

Periodic Hopping.
The IP hopping system periodically performs the three levels of hopping: base hopping, low-frequency hopping, and high-frequency hopping. Base hopping changes the IP address range assigned to a given subnet with time interval $T_{BH}$. Low-frequency hopping changes the IP address ranges assigned to a given host within the corresponding BHR with time interval $T_{LH}$. High-frequency hopping changes the vIP assigned to a given host within the corresponding LHR with time interval $T_{HH}$.
Adaptive IP hopping configuration is an important aspect of the adaptability of the proposed method. To characterize the attacker's scanning behavior, we associate a weight $\omega_B$ with each BHR, a weight $\omega_L$ with each LHR, and a weight $\omega_H$ with each protected host. A higher weight for a range indicates higher attacker activity in that range during the last interval. The values of $\omega_B$, $\omega_L$, and $\omega_H$ are computed from the malicious probe packets observed in the last interval. These weights guide the configuration of the next hop.
(1) Base Hopping. In base hopping, each subnet is assigned one or more BHRs. Denote by $\omega^i_B$ the weight of the ith BHR $R_i$ and by $N^i_{BHR}$ the number of vIPs in it. The computation of $\omega^i_B$ is given in Algorithm 1. When more than one BHR assignment scheme is available, we choose the scheme that minimizes the standard deviation of the per-subnet sums of BHR weights, so that every subnet receives nearly equal security. Denote by $r^t_{ij}$ a flag: $r^t_{ij} = 1$ means that BHR $R_j$ is allocated to $S_i$ in the tth assignment scheme, and $r^t_{ij} = 0$ means that it is not. For the tth assignment scheme, we compute the standard deviation of the sums of weights of the BHRs assigned to each $S_i$ as in (9)-(13). Vector W denotes the set of $\omega_B$; vector $R^t_i$ denotes the set of flags $r^t_{ij}$; $s^t_i$ denotes the sum of weights of the BHRs assigned to $S_i$ in the tth scheme; $\mu^t$ denotes the mean and $\sigma^t$ the standard deviation.
We compare $\sigma^t$ across the assignment schemes and select the scheme with minimal $\sigma^t$ for the next base hop.
(2) Low-Frequency Hopping. Once a subnet has been assigned one or more BHRs, these BHRs are divided into several LHRs. In low-frequency hopping, each host is assigned one or more LHRs. Each LHR has a weight $\omega_L$. The computation of $\omega_L$ and the selection of the LHR assignment scheme are the same as for base hopping, so they are not elaborated here.
(3) High-Frequency Hopping. Once a host has been assigned one or more LHRs, the vIPs in these LHRs form a vIP pool. In high-frequency hopping, one vIP from the pool is selected and used in the next interval. Denote by $\omega^i_H$ the weight of the ith vIP in the pool of a host; its computation is given in Algorithm 2. A host uses only one vIP at a time. All vIPs in the pool are sorted by weight, and vIPs with higher weights are preferred.
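The base-hopping scheme selection of (9)-(13) and the weight-ordered vIP pool of high-frequency hopping, as an added Python example (not the authors' code). Because Algorithms 1 and 2 are not reproduced on the page, the weight $\omega_B$ is assumed here to be the number of malicious probes that landed in the range during the last interval, and $\omega_H$ is taken as supplied by the caller; vIPs are represented as integer indices into $IP_V$, and the inputs in the test are constructed.

```python
from itertools import product
from statistics import pstdev


def bhr_weights(ranges, malicious_targets):
    """omega_B per BHR. Assumption standing in for Algorithm 1 (not reproduced here):
    the number of malicious probes in the last interval whose target vIP lies in the range.
    ranges: list of (lo, hi) vIP indices; malicious_targets: probed vIP indices."""
    return [sum(lo <= t <= hi for t in malicious_targets) for lo, hi in ranges]


def assignment_schemes(m_B, k):
    """Every scheme giving each of the m_B BHRs to exactly one of k subnets, with no
    subnet left empty. scheme[j] == i corresponds to the flag r_ij = 1.
    Exhaustive (k**m_B candidates): fine for the small m_B and k used here."""
    for scheme in product(range(k), repeat=m_B):
        if len(set(scheme)) == k:
            yield scheme


def scheme_sigma(scheme, weights, k):
    """s_i = sum of omega_B over the BHRs assigned to S_i; returns (sigma, [s_1..s_k])."""
    sums = [0] * k
    for j, i in enumerate(scheme):
        sums[i] += weights[j]
    return pstdev(sums), sums


def choose_base_hopping(ranges, malicious_targets, k):
    """Pick the BHR assignment with minimal sigma (nearly equal security per subnet).
    Returns ({subnet: [BHR indices]}, per-subnet weight sums, sigma)."""
    weights = bhr_weights(ranges, malicious_targets)
    best = min(assignment_schemes(len(ranges), k),
               key=lambda sc: scheme_sigma(sc, weights, k)[0])
    sigma, sums = scheme_sigma(best, weights, k)
    assigned = {i: [j for j, s in enumerate(best) if s == i] for i in range(k)}
    return assigned, sums, sigma


def order_vip_pool(vip_weights):
    """High-frequency hopping: the host's vIP pool sorted by omega_H, higher weight first,
    as the text states. omega_H comes from Algorithm 2, which is not reproduced here."""
    return [vip for vip, _ in sorted(vip_weights.items(), key=lambda kv: -kv[1])]
```

With four BHRs of weights [3, 1, 0, 1] and two subnets, the minimal-σ schemes put the heavily scanned range on its own side (sums 3 and 2, σ = 0.5) rather than grouping it with another active range (sums 4 and 1, σ = 1.5); the exhaustive enumeration is only practical for small $m_B$ and k, so a deployment with many ranges would need a heuristic in its place.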

Triggered Hopping.
In our IP hopping system, hopping can also be triggered by the judgment result of the CNN detector. Base hopping, low-frequency hopping, and high-frequency hopping are activated in three cases, respectively.
(1) Base Hopping. The proposed periodic hopping and triggered hopping are both adaptive hopping strategies. On the one hand, they keep protected hosts away from IP addresses that attackers are likely to scan intensively, so as to improve the survival rate of protected hosts under scanning attack. On the other hand, once a protected host is hit in a scanning attack, its IP address can immediately hop to another one to invalidate the scanned target in the attacker's hit list.

Implementation and Evaluation
In this section, we first introduce the hardware and software platform of our implementation. Then the network topology used and the behavior of the attackers are briefly described. Finally, we propose three performance indexes to evaluate the performance of our proposed method experimentally.

Hardware and Software Platform.
To investigate the effectiveness and scalability of the proposed approach, we implemented it on an OpenFlow controller [26] that manages a Mininet network [40]. We used Mininet to create a network of OpenFlow switches (Open vSwitch kernel switches). The Ryu platform is used on the controller to deploy the proposed IP hopping application. We used TensorFlow 1.0 [41] to train and save the CNN model, and the trained model is called from the Ryu application to make a judgment. The CNN model is trained in GPU mode on an Nvidia K40c, but it runs in CPU mode on an Intel Core i7 8700 so that the controller does not need high-end hardware.
We use Mininet to create a virtual network managed by a remote controller. The virtual network is shown in Figure 7. The created virtual network contains 2^10 hosts. These hosts are distributed across 2^5 subnets. The number of hosts in each subnet is random. The subnets are connected to each other with OpenFlow switches. Wireshark is used in our Mininet network to collect probe packets and form the data set.
To show the effectiveness of the proposed method against hit list attacks, a cooperative scanning attack is launched from some hosts and may then propagate to others. We assume that the scanners are aware of the IP resource pool of the protected network.

Performance Evaluation.
Three performance indexes are used to evaluate the performance of our proposed method experimentally: accuracy and performance of CNN detection, survival rate of protected hosts, and average lifetime of targets in the attacker's hit list. The technologies compared with our proposed method are OF-RHM [13], SEHT [19], and the method in [12]. To ensure fairness, OF-RHM and the method in [12] are adjusted to three-level hopping, consistent with SEHT and the proposed method.

Performance of CNN Detection.
Accuracy and time efficiency are important indexes of the CNN and determine the effectiveness of the adaptability of our proposed method. The data extracted from one continuous sampling and one precise sampling together form one sample. We collected 10000 samples in total, and these samples make up our data set. The data set is divided into three sets: a training set, a validation set, and a testing set. The training set consists of 7000 samples and is used to train the CNN model; the validation set consists of 1000 samples and is used to monitor the real-time accuracy of the CNN during training; the testing set consists of 2000 samples and is used for the final test of the accuracy and time efficiency of CNN detection. Our data set is composed of samples collected from scanners with PSP of 20%, 40%, 60%, and 80% and FSP of 0.5 s, 1 s, and 2 s. The training phase takes 7.29 hours on our platform.
To keep detection real-time, when the amount of data in the queue awaiting detection reaches three, all undetected data except the newest arrival is discarded (data loss).
Denote Acc as the accuracy of CNN detection, FRR as the false rejection rate, and FAR as the false acceptance rate. Testing performance is shown in Table 2. The proposed CNN performs better under higher PSP.
Denote TE as time efficiency, i.e. the time consumed by one test, including data preprocessing and CNN detection. Although the CNN is tested in CPU mode, TE is only 0.019377 s. Another adaptive hopping method, SEHT [19], directly treats all failed probe packets as scanning attacks, so it takes almost no time to discover a scanning attack. However, not distinguishing between scanning attacks and normal probes makes the result of SEHT inaccurate. Moreover, SEHT adopts hypothesis tests based on Sibson entropy to discriminate the scanning attack strategy. We find that the TE of the hypothesis test in SEHT is about 0.015377 s, which is only slightly better than our proposed CNN. The CNN could be retrained through transfer learning to acquire multiclassification ability for discriminating the scanning attack strategy while barely increasing TE. For further investigation, we calculate the rate of data loss for different numbers of scanners under nonpropagating scanning. RDL denotes the rate of data loss. Table 3 shows the RDLs for different numbers of scanners (NoS). Obviously, higher FSP and larger NoS cause higher RDL. The reason is that, with higher FSP and larger NoS, the CNN is more likely to be unable to handle the incoming packets in time.

ALGORITHM 5: High-frequency hopping in triggered hopping.
Require: All detected data X after the last high-frequency hopping
Require: Currently used IP of h_i
if D(X) = 1 and the target IP is in use by h_i then
    trigger high-frequency hopping for h_i
end if
return Null
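As an added example (not from the paper), this Python model replays a constructed stream of sample arrival times through a single detector with the TE reported above and the discard policy described earlier (when the queue reaches three, keep only the newest arrival), and reports the resulting RDL. It assumes one detector instance serving samples in FIFO order; the arrival spacing is a stand-in for the combined effect of NoS and FSP.

```python
from collections import deque

TE = 0.019377      # per-sample detection time measured on the page (s)
QUEUE_LIMIT = 3    # page policy: at three queued samples, keep only the newest


def simulate_rdl(arrivals, te=TE, limit=QUEUE_LIMIT):
    """Replay sample arrival times (seconds, any order) through one detector.
    Returns (rdl, detected, dropped): rdl is the rate of data loss."""
    queue = deque()          # undetected samples, oldest first
    busy_until = 0.0         # when the detector finishes its current sample
    detected = dropped = 0
    for t in sorted(arrivals):
        # Samples whose detection could start before t leave the queue.
        while queue and max(busy_until, queue[0]) <= t:
            start = max(busy_until, queue.popleft())
            busy_until = start + te
            detected += 1
        queue.append(t)
        if len(queue) >= limit:
            dropped += len(queue) - 1   # everything except the new arrival
            queue.clear()
            queue.append(t)
    detected += len(queue)              # drained after the last arrival
    total = detected + dropped
    return (dropped / total if total else 0.0), detected, dropped


def uniform_arrivals(n, interval):
    """Constructed arrival stream: n samples spaced `interval` seconds apart.
    More scanners or more frequent probing would shrink the interval."""
    return [i * interval for i in range(n)]


if __name__ == "__main__":
    for interval in (0.03, 0.02, 0.01, 0.005):
        rdl, det, drop = simulate_rdl(uniform_arrivals(1000, interval))
        print(f"interval {interval:.3f}s  detected {det:4d}  "
              f"dropped {drop:4d}  RDL {rdl:.2%}")
```

Once arrivals come faster than one per TE, the queue hits the limit repeatedly and RDL climbs, which is the mechanism behind the trend in Table 3.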

Survival Rate of Protected Hosts under Cooperative Scanning Attack.
The attacker carries out a uniform, non-repeating scan over the IP space used in the protected network. The survival rate of protected hosts denotes the proportion of hosts that are not probed by the attacker through a round of attack.
(1) Survival Rate under Different Initial Scanners. The survival rates of protected hosts under propagating cooperative scanning attack with different numbers of initial scanners are shown in Figures 8-11. Figure 8 shows the survival rate under a cooperative worm using 50 scanners; Figure 9 with 100 scanners; Figure 10 with 150 scanners; Figure 11 with 200 scanners. The hyperparameters are set as follows: T_HH = 20 s, T_LH = 40 s, T_BH = 160 s, PSP = 60%, FSP = 2 s, P_BH = 0.5. P_LH is equal to half the number of IPs in the IP pool of the corresponding host.
In a static network, the survival rate reaches 0 after 101 s-247 s because of the uniform active scanning. OF-RHM slows the reduction of the survival rate and improves the final minimum survival rate to some extent. The two adaptive methods significantly slow the reduction of the survival rate and improve the final minimum survival rate. Moreover, the performance of our proposed method is slightly better than SEHT. Meanwhile, the defense performance of the method in [12] is similar to that of OF-RHM. The proposed method achieves the best result among the five methods, because it can accurately identify scanning attack packets and guide the IP hopping of hosts to avoid the attack.

(2) Minimal Survival Rate under Different Time Intervals.
Minimal survival rate denotes the proportion of hosts that are not probed after a round of scanning attack. Table 4 shows the ten different time intervals used in our experiments. The minimum survival rates under a cooperative worm on IP hopping systems with different time intervals are shown in Figures 12-15. Figure 12 shows the minimum survival rate using 50 scanners; Figure 13 with 100 scanners; Figure 14 with 150 scanners; Figure 15 with 200 scanners. The hyperparameters are set as follows: PSP = 60%, FSP = 2 s,
[Figures 12-15: minimum survival rate against different time intervals; legend: Static network, Method in [12], OF-RHM [13], SEHT [19], Proposed method.]
cooperative worm in the network with the method in [12] are similar to those of OF-RHM. The minimum survival rates under a cooperative worm in the network with our proposed method decrease the least among the three methods. Because the scanning behavior of the attacker triggers IP hopping at different levels, our proposed method achieves the best performance of the three methods. Using our proposed method, the defender can set a larger time interval to reduce network resource overhead and the possibility of packet loss.
Table 5. The hyperparameters are set as follows: T_HH = 20 s, T_LH = 40 s, T_BH = 160 s, P_BH = 0.5, NoS = 50, and P_LH is equal to half the number of IPs in the IP pool of the corresponding host.
As shown in Table 5, compared with SEHT, our proposed method performs significantly better when PSP = 60% and PSP = 80%; when PSP = 40%, our proposed method performs slightly better than SEHT; when PSP = 20%, our proposed method performs slightly worse except for FSP = 0.5 s. As PSP decreases, the CNN makes more false rejections, which gradually weakens the advantage of our proposed method. Lower FSP indicates better performance both in the proposed method and in SEHT. Also notable is that the performance of SEHT is not sensitive to changes in PSP, because SEHT treats all failed probe packets as scanning attacks.

Average Lifetime of Targets in Attacker's Hit List.
Worm-type viruses and other hit-list-based network attacks need enough time to launch. For example, propagation of a worm from one host to another takes time. If the vIP of the target host hops before the worm propagation completes, the propagation fails. We compute the average lifetime of targets in the attacker's hit list. Reducing the lifetime of targets in the attacker's hit list helps reduce the success rate of worm propagation. The lifetime of a target is defined as the duration between receiving the response to a probe packet from the target host and the hopping of the target host's IP address. Figure 16 takes host 1 as an example to explain the meaning of lifetime. Figure 17 shows the average lifetime of targets using 50 scanners; Figure 18 with 100 scanners; Figure 19 with 150 scanners; Figure 20 with 200 scanners. The hyperparameters are set as follows: PSP = 60%, FSP = 2 s, P_BH = 0.5. P_LH is equal to half the number of IPs in the IP pool of the corresponding host.
The average lifetime of targets in our proposed method is significantly lower than in the methods without CNN assistance. However, we also find that as the number of scanners increases, the advantage of our proposed method is gradually weakened. That is probably because of the increasing rate of data loss.
Moreover, we compare the average lifetime of targets whose probe data was discarded with that of targets whose probe data was not discarded. The result of the comparison is shown in Table 6. In Table 6, "NoS" means the number of scanners. Once the attacker's probe packets are detected, the lifetime of the targets caused by these packets can be kept below 1 second. The adaptability of our proposed method driven by the CNN can clearly reduce the average lifetime of targets in the attacker's hit list. Improving the efficiency of attack awareness and reducing data loss will probably be our future work.
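As an added example that is not the paper's own code, the following Python simulates one round of attack against constructed hosts to show how the triggered high-frequency hopping of Algorithm 5 shortens the lifetime of targets in the attacker's hit list compared with timer-only hopping, and computes the survival rate as defined above. The vIP pools, the probe stream, and the detector verdicts are constructed assumptions; TE and T_HH are the values reported on the page.

```python
from statistics import mean

TE = 0.019377   # CNN detection time reported on the page (s)
T_HH = 20.0     # high-frequency hopping interval used in the experiments (s)


class Host:
    """Protected host with its vIP pool; pool order stands in for omega_H."""

    def __init__(self, name, pool):
        self.name, self.pool, self.vip = name, list(pool), pool[0]
        self.next_timer = T_HH   # next timer-driven high-frequency hop
        self.open_hits = []      # times this host entered the attacker's hit list
        self.lifetimes = []      # closed hit-list entries, in seconds

    def hop(self, now):
        # Leaving the vIP invalidates every hit-list entry pointing at it.
        self.lifetimes += [now - t for t in self.open_hits]
        self.open_hits = []
        self.vip = self.pool[(self.pool.index(self.vip) + 1) % len(self.pool)]

    def advance(self, now):
        while self.next_timer <= now:     # timer hops that fell due before now
            self.hop(self.next_timer)
            self.next_timer += T_HH


def run_round(probes, hosts, detector, triggered, end):
    """probes: (time, dst_ip) in time order; detector(dst_ip) returns D(X)."""
    hit = set()
    for t, ip in probes:
        for h in hosts:
            h.advance(t)
        target = next((h for h in hosts if h.vip == ip), None)
        if target is None:
            continue                   # unused vIP: no response, no hit
        hit.add(target.name)
        target.open_hits.append(t)     # response received: target is listed
        # Algorithm 5: D(X) = 1 and the IP is in use by h_i -> hop h_i
        if triggered and detector(ip) == 1:
            target.hop(t + TE)         # after the verdict is available
    for h in hosts:
        h.advance(end)
        h.lifetimes += [end - t for t in h.open_hits]   # still listed at end
    lifetimes = [lt for h in hosts for lt in h.lifetimes]
    return 1 - len(hit) / len(hosts), (mean(lifetimes) if lifetimes else 0.0)


def make_hosts():   # constructed hosts and pools, not the page's testbed
    return [Host("h1", ["10.0.0.1", "10.0.0.2", "10.0.0.3"]),
            Host("h2", ["10.0.0.4", "10.0.0.5"]), Host("h3", ["10.0.0.6"])]


PROBES = [(5.0, "10.0.0.1"), (7.0, "10.0.0.9"), (30.0, "10.0.0.5")]  # constructed

if __name__ == "__main__":
    for triggered in (False, True):
        sr, lt = run_round(PROBES, make_hosts(), lambda ip: 1, triggered, 40.0)
        print(f"triggered={triggered}: survival {sr:.2f}, avg lifetime {lt:.3f}s")
```

With timer-only hopping the two listed targets stay valid until the next T_HH boundary (12.5 s on average here); with triggered hopping each is invalidated TE after the probe response, matching the sub-second lifetimes of Table 6.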

Hopping Frequency.
Once the IP address of a host hops, communication to the host suffers a short period of high delay while the new flow table entries are queried and loaded. High delay may affect the experience of legitimate users, so a high hopping frequency may not be user friendly. Denote HF_RHM, HF_SEHT, and HF_PM as the actual hopping frequencies of RHM, SEHT, and the proposed method. Hopping frequency here is defined as the number of hops divided by time.
The hyperparameters are set as follows: PSP = 60%, FSP = 2 s, P_BH = 0.5, NoS = 50. P_LH is equal to half the number of IPs in the IP pool of the corresponding host.
The comparison of hopping frequency in the normal period is shown in Table 7. In the normal period without attack, the hopping frequencies are measured as HF_[12] = HF_RHM; HF_PM < HF_SEHT under a set time interval. The proposed method performs better than SEHT because it is hardly disturbed by normal probes. The hopping frequency of RHM and the method in [12] is equal to T_HH. OF-RHM and the method in [12] achieve the best performance because they do not conduct any adaptive strategy. The comparison of hopping frequency in the attack period is shown in Table 8. In the attack period, the hopping frequencies are measured as HF_PM < HF_SEHT < HF_RHM = HF_[12] when achieving the same survival rate. The proposed method acts carefully according to the attacker's behavior to make each hop as effective as possible. The proposed method performs about 4%-14% better than SEHT and 21%-29% better than OF-RHM and the method in [12].

Performance Overhead and Limitation.
While achieving some performance breakthroughs, our proposed method does have performance overhead and limitations. Firstly, as detailed in Section 4.2, both the switches and the controller must have enough cache space to temporarily store packets related to scanning attack. Secondly, training the CNN detector needs suitable devices and takes a period of time. Thirdly, our proposed method is designed and deployed in an SDN environment; it cannot be used directly in a legacy network. Adapting our proposed method to legacy networks will be our future work.
[Figure 19: Average lifetime of targets in attacker's hit list against different time intervals (150 scanners).]

Conclusions
Faced with scanning attack, and in order to improve the effectiveness of IP hopping defense, this paper proposes an adaptive moving target defense system that uses a designed light-weight CNN to sense changing attack behavior and guide IP hopping defense. In terms of security, the experimental results show that the proposed method achieves more effective defense, since it performs better than other methods on the indexes of survival rate of protected hosts and average lifetime of targets in the attacker's hit list. In terms of usability, the experimental results show that, when achieving the same defense effect, the proposed method needs a lower hopping frequency, and thus has lower overhead than other existing methods. Our future work includes, first, improving the structure of the CNN detector to improve processing efficiency while keeping the accuracy, so as to reduce the rate of data loss and achieve better security for the protected network; second, applying the proposed method to different scanning strategies such as follow-up scanning; and third, exploring the deployment of our proposed method in legacy networks.

Data Availability
The data that support the findings of this study are not publicly available due to restrictions, as the data contain sensitive information about a real-world enterprise network. Access to the dataset is restricted by the original owner. Data are available upon request to the corresponding author, who will apply to the original owner for permission to share the data.

Conflicts of Interest
The authors declare that they have no conflicts of interest regarding the publication of this paper.