Abstract (translated from the Chinese original):
The flow table is the core component through which the control plane and the data plane of a software-defined network interact, and it is also the key to global coordination and dynamic mapping of security policies. However, building flow tables that carry the relevant security policies must deal with several difficulties: the flow knowledge elements are highly scattered, keep expanding, and are hard to satisfy with independent applications or preset rules. To address this situation, this paper adds a knowledge plane outside the three existing SDN planes (control, data and application), builds on it a flow knowledge graph in which the flow table and its related security knowledge elements are gathered, and selects or generates flow rules on that basis. For flow rule selection, we build a flow rule search tree that merges single and synthetic flow rules sharing the same source and destination addresses, and link it to the flow knowledge graph, so that existing flow rules can be selected and decided on quickly. For flow rule learning and generation, a flow rule security decision graph is split out by fusing flow rule search trees, and flow rules are then generated or selected from it according to flow labels. In the evaluation, we examine the practical application directions and possibilities of the flow knowledge graph from three angles (interaction with the application plane, flow rule selection and flow rule learning) and measure the performance of the key algorithms based on the flow knowledge graph experimentally. With the graph of the flow knowledge plane as infrastructure, one can go further into concrete scenarios, combining flow security labels with applications to advance practices such as flow rule evolution.
Keywords: software-defined network; flow table; flow rule; flow label; knowledge graph
DOI: 10.19363/J.cnki.cn10-1380/tn.2019.07.05
Received: 2017-11-03; Revised: 2018-02-13
Funding: This work was supported by the National Key R&D Program of China, "Cyberspace Security" major project (No. 2016YFB0801002), the National Natural Science Foundation of China (No. 61602470) and the Fundamental Frontier Project of the Institute of Information Engineering, Chinese Academy of Sciences (No. Y7Z0271116).
|
Research on Security Elements Knowledge Graph of Flows in Software-Defined Network |
YOU Ruibang, YUAN Zimu, TU Bibo, MENG Dan
Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China
Abstract:
In software-defined networks (SDN), the flow table is the core component through which the control plane and the data plane interact, and it is also the key to achieving global coordination and dynamic mapping when implementing security policies. However, constructing such flow tables with security policies faces several challenges: the sources of the related knowledge elements are scattered over the network, they need continuous expansion as flow applications differ, and it is almost impossible to implement all security policies through preset rules or independent applications. To tackle these challenges, we propose to build a new knowledge plane alongside the current SDN planes. On this knowledge plane, we construct a flow knowledge graph based on flow tables together with the corresponding knowledge elements on policy adoption and decisions, and choose or generate flow rules from the constructed graph. For choosing flow rules, we build a search tree over single or synthetic flow rules with the same source-destination address pair and link it to the corresponding knowledge elements in the flow knowledge graph. For learning to generate flow rules, the decision graph of flow rules for a unit is generated by fusing the search trees of a set of targeted training units, and the decision graph can then be used to generate or choose flow rules that conform to the security labels of a flow. In the evaluation section, we assess the practicality of the flow knowledge graph (that is, the knowledge plane) from the viewpoints of its interaction with the application plane, choosing flow rules, and learning from the linked knowledge elements of flow rules, and we conduct experiments on the performance of the key algorithms. The flow knowledge graph can be regarded as base infrastructure: with it, one can move into specific scenarios, combining flow labeling with applications, to improve practices such as dynamically evolving flow tables in a changing SDN environment.
Key words: software-defined network; flow table; flow rule; flow label; knowledge graph
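The abstract describes a flow rule search tree keyed by source-destination address, in which single rules for the same address pair are merged into one synthetic rule and each rule is linked to its security knowledge elements (labels). The following Python sketch is an added illustration of that idea and is not the authors' code: the two-level longest-prefix layout (source prefix, then destination prefix), the action precedence used when merging conflicting single rules, the label vocabulary and the sample rules are all assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional

# Assumed precedence for merging single rules that share a source/destination
# pair: the synthetic rule keeps the more restrictive action.
ACTION_RANK = {"forward": 0, "mirror": 1, "drop": 2}


@dataclass(frozen=True)
class FlowRule:
    src: str                # source prefix, e.g. "10.0.1.0/24"
    dst: str                # destination prefix
    action: str             # "forward" | "mirror" | "drop"
    labels: FrozenSet[str]  # security labels: knowledge elements the rule is linked to


class FlowRuleSearchTree:
    """Two-level tree: source prefix -> destination prefix -> (merged) flow rule."""

    def __init__(self) -> None:
        self._tree: Dict = {}  # ip_network -> {ip_network: FlowRule}

    def insert(self, rule: FlowRule) -> None:
        src_net, dst_net = ip_network(rule.src), ip_network(rule.dst)
        bucket = self._tree.setdefault(src_net, {})
        existing = bucket.get(dst_net)
        if existing is None:
            bucket[dst_net] = rule
            return
        # Same source/destination pair: merge into one synthetic rule whose
        # label set is the union of both and whose action is the stricter one.
        action = max(existing.action, rule.action, key=ACTION_RANK.__getitem__)
        bucket[dst_net] = FlowRule(rule.src, rule.dst, action, existing.labels | rule.labels)

    def lookup(self, src_ip: str, dst_ip: str) -> Optional[FlowRule]:
        """Longest-prefix match on the source level, then on the destination level."""
        s, d = ip_address(src_ip), ip_address(dst_ip)
        for src_net in sorted(self._tree, key=lambda n: n.prefixlen, reverse=True):
            if s not in src_net:
                continue
            for dst_net in sorted(self._tree[src_net], key=lambda n: n.prefixlen, reverse=True):
                if d in dst_net:
                    return self._tree[src_net][dst_net]
        return None  # no rule covers this flow

    def select_by_labels(self, required: FrozenSet[str]) -> List[FlowRule]:
        """Select rules whose linked knowledge elements cover the requested flow labels."""
        return [r for bucket in self._tree.values() for r in bucket.values()
                if required <= r.labels]


def build_demo_tree() -> FlowRuleSearchTree:
    """Constructed sample rules (not from the paper) for two tenant subnets."""
    tree = FlowRuleSearchTree()
    tree.insert(FlowRule("10.0.1.0/24", "10.0.2.0/24", "forward", frozenset({"tenant-a"})))
    # A second single rule for the same pair: merged into a synthetic "mirror" rule
    tree.insert(FlowRule("10.0.1.0/24", "10.0.2.0/24", "mirror", frozenset({"ids-monitored"})))
    # More specific destination: a quarantined host group
    tree.insert(FlowRule("10.0.1.0/24", "10.0.2.8/29", "drop", frozenset({"quarantine"})))
    # Catch-all default deny
    tree.insert(FlowRule("0.0.0.0/0", "0.0.0.0/0", "drop", frozenset({"default-deny"})))
    return tree


if __name__ == "__main__":
    t = build_demo_tree()
    for flow in [("10.0.1.5", "10.0.2.9"), ("10.0.1.5", "10.0.2.100"), ("192.168.1.1", "10.0.2.1")]:
        print(flow, "->", t.lookup(*flow))
```

Running the block prints the decision for each sample flow: the quarantined host matches the most specific destination prefix and is dropped, traffic to the rest of the tenant subnet hits the merged rule (mirrored, carrying both the tenant and the monitoring labels), and an unknown source falls through to the default deny. The label query shows how a flow label can be used to pull out the rules linked to a given knowledge element without walking the address hierarchy.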