Open Access

ARTICLE

A Dynamic SDN-Based Address Hopping Model for IoT Anonymization

Zesheng Xi^1,2,#, Chuan He^1,3,#, Yunfan Wang^1,3,#, Bo Zhang^1,*

1 State Grid Laboratory of Power Cyber-Security Protection and Monitoring Technology, China Electric Power Research Institute Co., Ltd., Nanjing, 210003, China
2 School of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing, 211189, China
3 School of Cyber Science and Engineering, Southeast University, Nanjing, 210014, China

* Corresponding Author: Bo Zhang. Email:
# These authors contributed equally to this work

(This article belongs to the Special Issue: Computer Modeling for Future Communications and Networks)

Computer Modeling in Engineering & Sciences 2025, 144(2), 2545-2565. https://doi.org/10.32604/cmes.2025.066822

Received 18 April 2025; Accepted 25 July 2025; Issue published 31 August 2025

Abstract

The increasing reliance on interconnected Internet of Things (IoT) devices has amplified the demand for robust anonymization strategies to protect device identities and ensure secure communication. However, traditional anonymization methods for IoT networks often rely on static identity models, making them vulnerable to inference attacks through long-term observation. Moreover, these methods tend to sacrifice data availability to protect privacy, limiting their practicality in real-world applications. To overcome these limitations, we propose a dynamic device identity anonymization framework using Moving Target Defense (MTD) principles implemented via Software-Defined Networking (SDN). In our model, the SDN controller periodically reconfigures the network addresses and routes of IoT devices using a constraint-aware backtracking algorithm that constructs new virtual topologies under connectivity and performance constraints. This address-hopping scheme introduces continuous unpredictability at the network layer dynamically changing device identifiers, routing paths, and even network topology which thwarts attacker reconnaissance while preserving normal communication. Experimental results demonstrate that our approach significantly reduces device identity exposure and scan success rates for attackers compared to static networks. Moreover, the dynamic scheme maintains high data availability and network performance. Under attack conditions it reduced average communication delay by approximately 60% vs. an unprotected network, with minimal overhead on system resources.

---

Keywords

---