计算机科学 (Computer Science) ›› 2023, Vol. 50 ›› Issue (1): 362-372. doi: 10.11896/jsjkx.211100223
赵扬1, 伊鹏1,2, 张震1,2, 胡涛1, 刘少勋2
ZHAO Yang1, YI Peng1,2, ZHANG Zhen1,2, HU Tao1, LIU Shaoxun2
Abstract: Software-defined networking (SDN) makes the network programmable, lowers the complexity of network management and has driven the development of new networking technologies. An SDN switch is the device that forwards data and enforces policy, so its authority must not be taken over by an unauthorized entity. SDN switches do not, however, always execute the commands the controller issues: an attacker who compromises an SDN switch can mount stealthy and damaging attacks on the network that seriously degrade the end-to-end communication quality experienced by users. Communicating Sequential Processes (CSP), a modeling language designed for concurrent systems, can describe the interactions between SDN switches, and between switches and hosts, precisely. This paper models SDN switches and end hosts in CSP, analyzes two existing methods for locating anomalous switches, and verifies them in an instantiated model of the system for the case in which an edge switch acting as the egress switch forwards traffic maliciously; the result is that neither method can detect this anomalous behaviour. To address this problem, an anomaly detection method for edge switches is proposed: hosts record statistics and pass them to the controller by constructing special packets that trigger packet_in messages, and the controller collects the statistics and detects anomalous forwarding by an edge switch from the consistency between the edge switch's statistics and the host's statistics. Finally, experiments based on the Ryu controller on the Mininet platform show that the proposed method successfully detects the anomalous behaviour.
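The mechanism the abstract describes, as an added illustration that is not the paper's code or the Ryu project's: a host serializes its per-flow counters into the payload of a special packet, the controller recovers them from the resulting packet_in, and then walks the four counters it holds for one flow (sender tx, ingress edge flow counter, egress edge flow counter, receiver rx) in forwarding order to find the first pair that disagrees. The payload layout, the field and function names, the 2% tolerance and every sample counter are assumptions made for this example; the paper's actual packet format and thresholds are not given in the abstract.

```python
"""Added example (not the paper's code): host statistics reports carried in a
packet_in, and the controller-side consistency check that localizes an edge
switch which forwards maliciously. Payload layout, field names, tolerance and
all sample counters are assumptions made for this illustration."""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

REPORT_MAGIC = b"HSTS"        # hypothetical marker for a host statistics report
REPORT_FMT = "!4sBBHQQ"       # magic, version, host_id, flow_id, tx_pkts, rx_pkts
REPORT_LEN = struct.calcsize(REPORT_FMT)


def build_report(host_id: int, flow_id: int, tx_pkts: int, rx_pkts: int) -> bytes:
    """Host side: serialize this host's counters for one flow. The host puts the
    bytes in a packet whose header matches no installed flow entry, so the edge
    switch sends a table-miss packet_in and the controller gets the payload."""
    return struct.pack(REPORT_FMT, REPORT_MAGIC, 1, host_id, flow_id, tx_pkts, rx_pkts)


def parse_report(payload: bytes) -> Optional[Dict[str, int]]:
    """Controller side: recover the counters from a packet_in payload, or None
    when the packet is ordinary table-miss traffic rather than a report."""
    if len(payload) < REPORT_LEN:
        return None
    magic, version, host_id, flow_id, tx_pkts, rx_pkts = struct.unpack(
        REPORT_FMT, payload[:REPORT_LEN])
    if magic != REPORT_MAGIC or version != 1:
        return None
    return {"host_id": host_id, "flow_id": flow_id, "tx_pkts": tx_pkts, "rx_pkts": rx_pkts}


@dataclass(frozen=True)
class EdgeCounter:
    """packet_count of the flow entry on an edge switch, as returned by an
    OpenFlow flow statistics request (OFPFlowStatsReply in Ryu)."""
    dpid: int
    packet_count: int


def localize(flow_id: int, sender: Dict[str, int], ingress: EdgeCounter,
             egress: EdgeCounter, receiver: Dict[str, int],
             tolerance: float = 0.02) -> Optional[Tuple[int, str, str]]:
    """Walk the four counters the controller holds for one flow in forwarding
    order (sender tx -> ingress edge -> egress edge -> receiver rx) and return
    the first adjacent pair that disagrees by more than `tolerance`, or None.
    A mismatch between the egress counter and receiver rx blames the egress
    edge switch: it claims to have forwarded packets the host never received,
    which comparing flow counters between switches alone cannot see, because
    there is no switch downstream of the egress edge to compare against."""
    chain = [
        ("sender_tx", sender["tx_pkts"]),
        (f"s{ingress.dpid}_ingress", ingress.packet_count),
        (f"s{egress.dpid}_egress", egress.packet_count),
        ("receiver_rx", receiver["rx_pkts"]),
    ]
    for (up_name, up), (down_name, down) in zip(chain, chain[1:]):
        if abs(up - down) > max(1, int(up * tolerance)):
            return (flow_id, up_name, down_name)
    return None


def demo() -> Optional[Tuple[int, str, str]]:
    """Constructed scenario: h1 sends 1000 packets of flow 7 through ingress
    edge s1, the core, and egress edge s3 to h2. s3's counter says all 1000
    went out toward h2, but h2 reports only 600, so s3 is flagged."""
    h1 = parse_report(build_report(host_id=1, flow_id=7, tx_pkts=1000, rx_pkts=0))
    h2 = parse_report(build_report(host_id=2, flow_id=7, tx_pkts=0, rx_pkts=600))
    assert h1 is not None and h2 is not None
    return localize(7, h1, EdgeCounter(dpid=1, packet_count=1000),
                    EdgeCounter(dpid=3, packet_count=1000), h2)


if __name__ == "__main__":
    print(demo())   # (7, 's3_egress', 'receiver_rx')
```

The tolerance absorbs packets still in flight between a host's report and the controller's flow-stats poll; in a real deployment the controller would also authenticate the reports (an attacker on the edge switch can otherwise inject forged packet_in payloads) and poll both edge switches close in time to the host reports.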