【打印本页】      【下载PDF全文】   查看/发表评论  下载PDF阅读器  关闭
←前一篇|后一篇→ 过刊浏览    高级检索
本文已被:浏览 6164次   下载 5354 本文二维码信息
码上扫一扫!
基于拟态防御的SDN控制层安全机制研究
丁绍虎,李军飞,季新生
分享到: 微信 更多
(国家数字交换系统工程技术研究中心, 郑州 中国 450002)
摘要:
软件定义网络(Software-Defined Networking,SDN)的集中式管控为网络带来了创新与便利,但主控制器被赋予了足够的管理权限,仅依赖其自身内部的防御技术,难以确保其不发生异常,以独裁的能力来危害整个网络。本文提出基于拟态防御的SDN控制层安全机制,以一种多样化民主监督的方式,使用多个异构的等价控制器同时处理数据层的请求,通过对比它们的流表项来检测主控制是否存在恶意行为。其中,重点研究了如何在语义层面对比多个异构控制器的流表项,以解决它们在语法上的差异化问题。该安全机制不依赖于对恶意行为的先验知识,实验结果验证了它检测恶意行为是有效的,同时具有较好的性能。
关键词:  软件定义网络  控制器  拟态防御  网络安全  监督
DOI:10.19363/J.cnki.cn10-1380/tn.2019.07.06
投稿时间:2018-02-20修订日期:2019-02-26
基金项目:本课题得到国家网络空间安全专项(No.2017YFB0803204);国家自然科学基金创新群体项目(No.61521003);国家自然科学基金项目(No.61802429,No.61872382,No.61702547,No.61502530)资助。
Research on SDN Control Layer Security Based on Mimic Defense
DING Shaohu,LI Junfei,JI Xinsheng
National Digital Switching System Engineering and Technological Research Center, Zhengzhou 450002, China
Abstract:
Software-Defined Networking (SDN) brings innovation and convenience to the network benefiting from the centralized management. However, the master controller is given sufficient management authority and relies solely on its own internal defense technology. But this method is hard to ensure that it does not occur anomaly, and the entire network is under threat. We propose an SDN control layer security mechanism based on mimic defense. In a diversified democratic supervision mode, multiple heterogeneous equivalent controllers are used to simultaneously process data layer requests, and main control is detected by comparing their flow entries. We focus on how to compare the flow table items of multiple heterogeneous controllers at the semantic level to solve their grammatical differences. The security mechanism does not rely on prior knowledge of malicious behavior. The experimental results verify that it detects malicious behavior is effective and has good performance.
Key words:  software defined networking  controller  mimic defense  security  supervision