Abstract:
In software-defined security, one or more security virtual network functions must be combined and instantiated to form a security service function chain that hardens and protects the target business. In the traditional chaining process for security service function chains, the security virtual network functions are generally selected on the basis of expert experience, without a unified selection standard. To address the problem of selecting security virtual network functions, this paper, guided by the idea of trustworthiness evaluation, proposes a trustworthiness evaluation method for security virtual network functions. First, existing related work is analysed and, on that basis, evaluation indicators for security virtual network functions are defined. Second, a trustworthiness evaluation model for security virtual network functions is proposed, based on the multi-attribute decision-making method of the dynamic trust evaluation model. Then, the entropy weight method and the fuzzy analytic hierarchy process are used to compute the weights of the evaluation indicators; a combined weighting method compensates for the shortcomings of any single weighting method, yielding an indicator weight calculation model for security virtual network functions. Finally, drawing on the respective strengths of the technique for order preference by similarity to ideal solution (TOPSIS) and the vector projection method in determining the optimal solution, the distance calculation of TOPSIS is combined with the similarity calculation of the vector projection method to improve the TOPSIS calculation process, and a TOPSIS-based method for determining the trustworthiness level of security virtual network functions is proposed, giving the trustworthiness evaluation result. Taking the firewall as an instance of a security virtual network function, three mainstream commercial virtual firewalls and two mainstream open-source virtual firewalls are deployed in a cloud environment for experiments. The experimental results demonstrate the effectiveness of the proposed evaluation method.
Keywords: security virtual network function; trustworthiness evaluation; trustworthiness; software-defined security; software-defined network
DOI: 10.19363/J.cnki.cn10-1380/tn.2025.11.03
Received: 2023-12-19; Revised: 2024-06-03
Funding: This work was supported by the 2023 Special Project on Industrial Foundation Reconstruction and High-Quality Development of Manufacturing of the Ministry of Industry and Information Technology (No. TC220H054).
Trustworthiness Evaluation Approach for Security Virtual Network Function
LIU Hao, WANG Chong, TIAN Zhihong, WU Zhonghai
Department of Software and Microelectronics, Peking University, Beijing 100871, China; QiAnXin Technology Group Co., Ltd., Beijing 100044, China; Institute of Advanced Cyberspace Technology, Guangzhou University, Guangzhou 510623, China; Department of Software and Microelectronics, Peking University, Beijing 100871, China; National Engineering Research Center for Software Engineering, Peking University, Beijing 100871, China
Abstract:
In software-defined security, one or more security virtual network functions need to be combined and instantiated to form a security service function chain that achieves security reinforcement and protection of the target business. In the traditional construction stage of a security service function chain, the selection of security virtual network functions is generally based on expert experience and lacks a unified selection basis. Aiming to address the issue of selecting appropriate security virtual network functions, this paper proposes an evaluation approach for security virtual network functions, guided by the idea of trustworthiness measurement. First, the related research work is reviewed and analyzed; on this basis, the security virtual network function evaluation criterion is defined. Secondly, a security virtual network function trustworthiness measurement model is proposed based on the multiple attribute decision method from the dynamic trust evaluation model. Then, the entropy weight method and the fuzzy analytical hierarchy process are used to calculate the weights of the security virtual network function evaluation criterion. The combined weighting method is used to eliminate the shortcomings of any single weighting method, and a security virtual network function criterion weight calculation model is established. At last, using the advantages of the technique for order preference by similarity to ideal solution (TOPSIS) and the vector projection method, the distance calculation of TOPSIS and the similarity calculation of the vector projection method are combined. On the basis of improving the calculation process of these two methods, this paper proposes a trustworthiness evaluation approach for security virtual network functions based on TOPSIS, and the trustworthiness evaluation results of security virtual network functions are obtained. This paper takes firewalls as instances of security virtual network functions, and selects three mainstream commercial virtual firewalls and two mainstream open source virtual firewalls to deploy in a cloud environment for experiments. The experimental results demonstrate the effectiveness of the trustworthiness evaluation approach proposed in this paper.
Key words: security virtual network functions; trustworthiness evaluation; trustworthiness; software defined security; software defined network
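As an added illustration, not the paper's own code or exact formulas, the following Python sketch runs the pipeline the abstract describes end to end: entropy weights blended with fuzzy-AHP weights, then a TOPSIS relative closeness combined with a vector-projection similarity, applied to a constructed decision matrix of five virtual firewalls. The criteria, the scores, the FAHP weights, the 50/50 blend and the averaging of the two closeness measures are all assumptions made for this example.

```python
import math

# Constructed sample data (not from the paper): five virtual firewalls scored on four benefit-type
# criteria (throughput, detection accuracy, availability, patch timeliness), each in [0, 1], larger is better.
MATRIX = {
    "commercial_fw_1": [0.90, 0.95, 0.99, 0.85],
    "commercial_fw_2": [0.85, 0.92, 0.98, 0.90],
    "commercial_fw_3": [0.95, 0.88, 0.97, 0.80],
    "open_source_fw_1": [0.70, 0.90, 0.95, 0.95],
    "open_source_fw_2": [0.75, 0.85, 0.93, 0.70],
}
# Subjective weights as a fuzzy-AHP stage would supply; assumed here, not derived.
FAHP_WEIGHTS = [0.25, 0.35, 0.25, 0.15]

def entropy_weights(matrix):
    """Objective weights: criteria whose values spread more across alternatives weigh more."""
    rows = list(matrix.values())
    k = 1.0 / math.log(len(rows))
    raw = []
    for j in range(len(rows[0])):
        col = [r[j] for r in rows]
        p = [x / sum(col) for x in col]
        entropy = -k * sum(x * math.log(x) for x in p if x > 0)
        raw.append(1.0 - entropy)  # degree of divergence of criterion j
    return [w / sum(raw) for w in raw]

def combine_weights(objective, subjective, alpha=0.5):
    """Combined weighting: blend entropy (objective) and FAHP (subjective) weights; alpha assumed."""
    w = [alpha * o + (1 - alpha) * s for o, s in zip(objective, subjective)]
    return [x / sum(w) for x in w]

def rank_topsis_projection(matrix, weights):
    """Improved TOPSIS (assumed form): distance closeness averaged with projection onto the ideal."""
    rows = list(matrix.values())
    n = len(weights)
    norms = [math.sqrt(sum(r[j] ** 2 for r in rows)) for j in range(n)]
    v = {name: [weights[j] * r[j] / norms[j] for j in range(n)] for name, r in matrix.items()}
    pos = [max(x[j] for x in v.values()) for j in range(n)]  # all criteria are benefits
    neg = [min(x[j] for x in v.values()) for j in range(n)]
    pos_sq = sum(x * x for x in pos)
    scores = {}
    for name, row in v.items():
        d_pos, d_neg = math.dist(row, pos), math.dist(row, neg)
        closeness = d_neg / (d_pos + d_neg)               # classic TOPSIS relative closeness
        projection = sum(a * b for a, b in zip(row, pos)) / pos_sq  # 1.0 = coincides with ideal
        scores[name] = (closeness + projection) / 2
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

def evaluate(matrix=MATRIX, fahp=FAHP_WEIGHTS):
    return rank_topsis_projection(matrix, combine_weights(entropy_weights(matrix), fahp))
```

Because every alternative is dominated component-wise by the positive ideal, both closeness and projection lie in [0, 1], so the final score can be read directly as a trustworthiness level.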