计算机科学 (Computer Science) ›› 2023, Vol. 50 ›› Issue (1): 362-372. doi: 10.11896/jsjkx.211100223

• Information Security •

Anomaly Detection Method of SDN Network Edge Switch

ZHAO Yang1, YI Peng1,2, ZHANG Zhen1,2, HU Tao1, LIU Shaoxun2

  1 Institute of Information Technology, People's Liberation Army Strategic Support Force Information Engineering University, Zhengzhou 450001, China
  2 Network Communication and Security Purple Mountain Laboratory, Nanjing 210000, China
  • Received: 2021-11-22  Revised: 2022-06-06  Online: 2023-01-15  Published: 2023-01-09
  • Corresponding author: YI Peng (yp@mail.ndsc.com.cn)
  • About author: ZHAO Yang (zy169719@163.com), born in 1997, postgraduate. His main research interests include advanced network and defense technology.
    YI Peng, born in 1977, Ph.D, researcher, Ph.D supervisor. His main research interests include new network architecture, network security control and active defense technology.
  • Supported by:
    Major Science and Technology Projects in Henan Province (Research and Demonstration Application of Key Technologies for Endogenous Safety of Intelligent Connected Vehicles, 2022012) and National Natural Science Foundation of China (61872382, 62101598, 61521003).

Abstract: Software-defined networking (SDN) gives the network programmability, reduces the complexity of network management, and promotes the development of new network technology. As the device that forwards data and enforces policy, an SDN switch must not have its privileges taken over by unauthorized entities. However, an SDN switch does not always execute the commands issued by the controller: a malicious attacker who compromises an SDN switch can attack the network covertly and with serious effect, severely degrading users' end-to-end communication quality. Communicating sequential processes (CSP), a modeling language designed for concurrent systems, can accurately describe the interactions between SDN switches and between a switch and a host. In this paper, CSP is used to model SDN switches and end hosts, and two methods for locating anomalous switches are analyzed theoretically. Their effectiveness is verified in the instantiated model system for the case in which an edge switch acting as the egress switch forwards maliciously, and the verification results show that this abnormal behavior cannot be detected. To address this problem, an anomaly detection method for edge switches is proposed. The host records statistical information and passes it to the controller by constructing a special packet that triggers a packet_in message; the controller collects the statistics and detects abnormal forwarding by the edge switch from the consistency between the edge switch's statistics and the host's. Finally, experiments based on the Ryu controller are carried out on the Mininet platform, and the experimental results show that the edge switch anomaly detection method successfully detects the abnormal behavior.

Key words: Software defined network, Data plane security, Formal verification and analysis, Communicating sequential processes, Compromised switch detection
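The statistics-consistency check described in the abstract, as an added Python simulation that is not the paper's own code: the host encodes its per-flow received-packet counters in a specially marked packet that matches no flow rule, so the edge switch raises it to the controller as a packet_in, and the controller compares those counters with the counters the switch itself claims. The marker, the tolerance, and the drop model of the compromised switch are assumptions made for the example.

```python
import json
from collections import Counter
STAT_MARKER = b"HOSTSTAT:"  # constructed marker: no flow rule matches it, so the switch table-misses
TOLERANCE = 2               # assumed tolerated counter skew for packets still in flight

class Host:
    def __init__(self, name):
        self.name, self.rx = name, Counter()  # packets actually received, per flow

    def receive(self, flow_id):
        self.rx[flow_id] += 1

    def stats_packet(self):  # the "special packet" carrying the host's statistics
        return STAT_MARKER + json.dumps({"host": self.name, "rx": dict(self.rx)}).encode()

class EdgeSwitch:
    # drop_every > 0 models a compromised egress switch that silently drops every
    # n-th packet to the host while its flow counters still claim it was forwarded.
    def __init__(self, dpid, host, drop_every=0):
        self.dpid, self.host, self.drop_every = dpid, host, drop_every
        self.claimed, self.seen = Counter(), 0  # claimed = what a flow-stats reply would report

    def forward_to_host(self, flow_id):
        self.seen += 1
        self.claimed[flow_id] += 1  # counted as forwarded whether or not it is delivered
        if not (self.drop_every and self.seen % self.drop_every == 0):
            self.host.receive(flow_id)

class Controller:
    def __init__(self):
        self.host_rx = {}  # (dpid, host) -> per-flow counts reported by the host

    def packet_in(self, dpid, data):  # handler for table-miss packets raised by a switch
        if data.startswith(STAT_MARKER):
            rep = json.loads(data[len(STAT_MARKER):])
            self.host_rx[(dpid, rep["host"])] = rep["rx"]
    def check_edge_switch(self, switch, host_name):
        # flows whose switch-claimed and host-observed counts disagree beyond TOLERANCE
        observed = self.host_rx.get((switch.dpid, host_name), {})
        return {f: (n, observed.get(f, 0)) for f, n in switch.claimed.items()
                if abs(n - observed.get(f, 0)) > TOLERANCE}

def simulate(drop_every, packets=30):
    ctl, host = Controller(), Host("h1")
    sw = EdgeSwitch("s1", host, drop_every)
    for _ in range(packets):
        sw.forward_to_host("flow-a")
    ctl.packet_in(sw.dpid, host.stats_packet())  # the report reaches the controller as packet_in
    return ctl.check_edge_switch(sw, "h1")
```

An honest switch (drop_every=0) yields no flagged flows, while a switch dropping every third packet is flagged because its claimed count exceeds what the host saw by more than the tolerance.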

CLC number: TP391