Jiang LIU Hongqi ZHANG Zhencheng GUO
Focused on network reconnaissance, eavesdropping, and DoS attacks caused by static routing policies, this paper designs a random routing mutation architecture based on the OpenFlow protocol, which takes advantage of the global network view and centralized control in a software-defined network. An entropy matrix of network traffic characteristics is constructed by using volume measurements and characteristic measurements of network traffic. Random routing mutation is triggered according to the result of network anomaly detection, which uses a wavelet transform and principal component analysis to handle the above entropy matrix for both spatial and temporal correlations. The generation of a random routing path is specified as a 0-1 knapsack problem, which is calculated using an improved ant colony algorithm. Theoretical analysis and simulation results show that the proposed method not only increases the difficulty of network reconnaissance and eavesdropping but also reduces the impact of DoS attacks on normal communication in an SDN network.
Guangbo WANG Jianhua WANG Zhencheng GUO
Self-updating encryption (SUE) is a new cryptographic scheme produced in the recent work of Lee, Choi, Lee, Park and Yung (Asiacrypt 2013) to achieve a time-updating mechanism for revocation. In SUE, a ciphertext and a private key are each associated with a time, and a user can decrypt a ciphertext only if its time is earlier than that of his private key. One drawback is that the computational overhead of encryption scales with the size of the time, which makes it a possible bottleneck for some applications. To address this problem, we provide a new technique for SUE that splits the encryption algorithm into two phases: an offline phase and an online phase. In the offline phase, an intermediate ciphertext header is generated before the concrete encryption time is known. Then an online phase is implemented to rapidly generate an SUE ciphertext header when the time becomes known, by making use of the intermediate ciphertext header. In addition, two different online encryption constructions are proposed for different time levels, taking 50% as the boundary. Finally, we prove the security of our scheme and provide a performance analysis which shows that the vast majority of the computational overhead can be moved to the offline phase. One motivating application for this technique is resource-constrained mobile devices: the preparation work can be done when the mobile devices are plugged into a power source, and they can later rapidly perform SUE operations on the move without significantly consuming the battery.