(Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China)
Keywords: software-defined network; flow table; flow rule; flow label; knowledge graph
Research on Security Elements Knowledge Graph of Flows in Software-Defined Network
YOU Ruibang, YUAN Zimu, TU Bibo, MENG Dan
Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China
In software-defined networking (SDN), the flow table is the core interface between the control plane and the data plane, and it is also the point at which security policies are coordinated globally and mapped dynamically onto the network. Building flow tables that enforce security policies is hard, however: the knowledge elements that the policies depend on are scattered across the network, they must keep growing as flow applications change, and it is practically impossible to realise every security policy through preset rules or isolated applications. To address these challenges, we propose adding a knowledge plane alongside the existing SDN planes. On this plane we construct a flow knowledge graph from the flow tables together with the knowledge elements behind each policy's adoption and decision, and we choose or generate flow rules from that graph. To choose flow rules, we build a search tree over single or synthesized flow rules that share the same source-destination address pair, and link each rule to its knowledge elements in the flow knowledge graph. To learn to generate flow rules, we derive the flow-rule decision graph of a unit by fusing the search trees of a set of targeted training units; the decision graph can then generate or choose the flow rules that conform to a flow's security labels. In the evaluation, we assess the practicality of the flow knowledge graph (that is, the knowledge plane) through its interaction with the application plane, through rule selection, and through learning from the knowledge elements linked to flow rules, and we measure the performance of the key algorithms. The constructed flow knowledge graph can be regarded as a base installation.
Starting from the flow knowledge graph, one can move into specific scenarios, combining flow labeling with applications, to improve practical performance, for example by evolving flow tables dynamically in a changing SDN environment.
Key words: software-defined network; flow table; flow rule; flow label; knowledge graph
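The rule-selection step in the abstract (a search tree keyed by source-destination address, each rule linked to its knowledge elements, and selection of the rules that conform to a flow's security labels) is easier to reason about with a concrete encoding in front of you. The following Python is an added illustration written for this page; it is not the authors' code, and the paper does not fix these details. It assumes IPv4 rules keyed by (source prefix, destination prefix), a binary trie over the source prefix, a set of security labels per rule, knowledge elements stored as key-value pairs on the rule, "fusing" the trees of several units as a plain union of their rules, and a fail-closed drop rule as the generated result when no existing rule conforms. The sample rules are constructed for the example.

```python
"""Illustrative flow-rule search tree with linked knowledge elements.

Added example for this page, not code from the paper. Assumptions: IPv4 only;
rules keyed by (source prefix, destination prefix); a binary trie over the source
prefix; a frozenset of security labels per rule; knowledge elements as (key, value)
pairs; "fuse" = union of rules; generation = fail-closed drop rule when nothing conforms.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRule:
    src: str               # source prefix in CIDR form
    dst: str               # destination prefix in CIDR form
    action: str            # "forward", "drop" or "mirror"
    labels: frozenset      # security labels this rule conforms to
    knowledge: tuple = ()  # linked knowledge elements, e.g. (("policy", "P1"), ("reason", "..."))


class _Node:
    __slots__ = ("children", "rules")

    def __init__(self):
        self.children = {}  # bit "0"/"1" -> child node
        self.rules = []     # rules whose source prefix ends exactly at this node


def _prefix_bits(net: ipaddress.IPv4Network) -> str:
    """Bit string of the network address, truncated to the prefix length."""
    return format(int(net.network_address), "032b")[: net.prefixlen]


class FlowRuleSearchTree:
    """Binary trie over source prefixes; each node lists the rules rooted there."""

    def __init__(self):
        self.root = _Node()

    def insert(self, rule: FlowRule) -> None:
        node = self.root
        for bit in _prefix_bits(ipaddress.ip_network(rule.src)):
            node = node.children.setdefault(bit, _Node())
        node.rules.append(rule)

    def candidates(self, src_ip: str, dst_ip: str):
        """Rules whose source prefix covers src_ip and whose destination prefix
        covers dst_ip, visited from the root (shortest prefix) towards the leaf."""
        dst = ipaddress.ip_address(dst_ip)
        node, out = self.root, []
        for bit in format(int(ipaddress.ip_address(src_ip)), "032b"):
            out.extend(r for r in node.rules if dst in ipaddress.ip_network(r.dst))
            node = node.children.get(bit)
            if node is None:
                break
        else:  # walked all 32 bits: the /32 node itself may hold rules
            out.extend(r for r in node.rules if dst in ipaddress.ip_network(r.dst))
        return out

    def choose(self, src_ip: str, dst_ip: str, required_labels):
        """Most specific matching rule whose labels cover required_labels, or None."""
        required = frozenset(required_labels)
        ok = [r for r in self.candidates(src_ip, dst_ip) if required <= r.labels]
        if not ok:
            return None
        return max(ok, key=lambda r: (ipaddress.ip_network(r.src).prefixlen,
                                      ipaddress.ip_network(r.dst).prefixlen))

    def all_rules(self):
        stack = [self.root]
        while stack:
            node = stack.pop()
            yield from node.rules
            stack.extend(node.children.values())

    def fuse(self, *others):
        """Merge other units' trees into this one (assumed here to be a plain union)."""
        for tree in others:
            for rule in list(tree.all_rules()):
                self.insert(rule)
        return self


def generate_rule(tree: FlowRuleSearchTree, src_ip: str, dst_ip: str, required_labels) -> FlowRule:
    """Return a conforming rule; if none exists, synthesise a fail-closed host-to-host
    drop rule and record why as a knowledge element (assumed default, not the paper's step)."""
    chosen = tree.choose(src_ip, dst_ip, required_labels)
    if chosen is not None:
        return chosen
    return FlowRule(src=f"{src_ip}/32", dst=f"{dst_ip}/32", action="drop",
                    labels=frozenset(required_labels),
                    knowledge=(("policy", "default-deny"),
                               ("reason", "no existing rule conforms to the flow's labels")))


def build_sample_trees():
    """Constructed sample data: one unit's tree plus a second 'training unit' tree."""
    unit = FlowRuleSearchTree()
    unit.insert(FlowRule("10.0.0.0/8", "0.0.0.0/0", "forward", frozenset({"internal"}),
                         (("policy", "P1"),)))
    unit.insert(FlowRule("10.1.0.0/16", "10.2.0.0/16", "mirror",
                         frozenset({"internal", "audited"}), (("policy", "P2"),)))
    unit.insert(FlowRule("10.1.5.0/24", "10.2.0.0/16", "drop",
                         frozenset({"internal", "audited", "confidential"}), (("policy", "P3"),)))
    other = FlowRuleSearchTree()
    other.insert(FlowRule("10.1.0.0/16", "192.168.0.0/16", "forward",
                          frozenset({"internal"}), (("policy", "P4"),)))
    return unit, other


if __name__ == "__main__":
    unit, other = build_sample_trees()
    print(unit.choose("10.1.5.7", "10.2.0.9", {"audited"}))
    print(generate_rule(unit, "10.1.9.7", "10.2.0.9", {"confidential"}))
    print(unit.fuse(other).choose("10.1.1.1", "192.168.1.1", {"internal"}))
```

Two design points matter for the security argument. Selection is by labels first and specificity second: a more specific rule that does not carry the flow's required labels is never returned, so a sensitive flow cannot be silently routed by a permissive rule that merely matches its addresses. And when nothing conforms, the generated rule drops the exact flow and links a knowledge element saying why, which keeps the fail-closed decision explainable when it is later reviewed.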