计算机科学 (Computer Science) ›› 2019, Vol. 46 ›› Issue (10): 135-140. doi: 10.11896/jsjkx.180901659
薛昊, 陈鸣, 钱红燕
XUE Hao, CHEN Ming, QIAN Hong-yan
Abstract: Although the security of Software Defined Networking (SDN) has received a great deal of attention, the threat that redundant packets of large UDP flows pose to the SDN controller has not been effectively addressed. To this end, drawing on the characteristics of SDN and Network Function Virtualization (NFV) and on the controller's load when it handles UDP and TCP flows, this paper first proposes a new NFV-based mechanism for protecting the SDN controller against redundant UDP packets: a detection middlebox placed in front of the OpenFlow switch port effectively detects and filters out the redundant packets of UDP flows. Second, it proposes a cost-effective way to implement the NFV-based detection middlebox using Linux containers; before the SDN controller installs the flow table, only the first packet of a UDP flow is allowed through the middlebox, which guarantees that by the time the subsequent packets of that UDP flow reach the OpenFlow switch the corresponding flow entry already exists. Finally, a prototype system based on this mechanism is implemented on a Linux server and evaluated experimentally. The results show that when the delay t applied to non-first packets is greater than or equal to the time the controller needs to process a single packet, the method effectively removes the threat of redundant UDP packets.
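As an added illustration (not code from the paper or its prototype), the following Python simulation shows the holding behaviour the abstract describes: the first packet of each UDP flow is forwarded immediately, every later packet of the same flow is held for t before it is released toward the switch, and the number of packet-in messages the controller receives is counted with and without the middlebox. The packet burst, the 5-tuple, the controller processing time and the hold time are constructed sample values; the per-flow bookkeeping and the way the switch/controller pair is modelled are assumptions of this example, not the paper's container implementation.

```python
"""Toy discrete-event model of a detection middlebox in front of an OpenFlow
switch port. A table miss at the switch produces a packet-in; the controller
needs proc_ms to install the flow entry after the first packet-in of a flow.
Every packet-in raised for a flow whose entry is still pending is redundant
controller load. All timings and packets here are constructed sample values."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FlowKey = Tuple[str, int, str, int, str]  # (src, sport, dst, dport, proto)


@dataclass(frozen=True)
class Packet:
    flow: FlowKey
    arrival_ms: float  # time the packet reaches the middlebox


@dataclass
class Switch:
    """OpenFlow switch plus controller, reduced to the flow-entry timing."""
    proc_ms: float
    installed_at: Dict[FlowKey, float] = field(default_factory=dict)
    packet_ins: int = 0

    def receive(self, pkt: Packet, at_ms: float) -> None:
        ready = self.installed_at.get(pkt.flow)
        if ready is not None and at_ms >= ready:
            return  # entry present: forwarded purely in the data plane
        self.packet_ins += 1  # table miss: packet-in to the controller
        if ready is None:
            # first packet-in of this flow: the entry exists after proc_ms
            self.installed_at[pkt.flow] = at_ms + self.proc_ms
        # any other packet-in before `ready` is a redundant one


class Middlebox:
    """Detection middlebox (assumed model): only non-first UDP packets are held."""

    def __init__(self, hold_ms: float):
        self.hold_ms = hold_ms
        self.seen: set = set()

    def schedule(self, pkt: Packet) -> float:
        """Return the time at which the packet is released toward the switch."""
        if pkt.flow[4] != "udp" or pkt.flow not in self.seen:
            self.seen.add(pkt.flow)
            return pkt.arrival_ms  # first packet of a UDP flow, or TCP: pass at once
        return pkt.arrival_ms + self.hold_ms  # later UDP packet: held for t


def run(packets: List[Packet], proc_ms: float, hold_ms: Optional[float] = None) -> int:
    """Replay `packets` and return the packet-in count; hold_ms=None means no middlebox."""
    sw = Switch(proc_ms)
    mb = Middlebox(hold_ms) if hold_ms is not None else None
    events = [(mb.schedule(p) if mb else p.arrival_ms, i, p) for i, p in enumerate(packets)]
    for at_ms, _, p in sorted(events):  # index keeps the sort stable and avoids comparing Packets
        sw.receive(p, at_ms)
    return sw.packet_ins


# Constructed sample: one UDP flow sending a burst of 10 packets, one every 0.5 ms,
# against a controller that needs 2 ms to install an entry.
UDP_FLOW: FlowKey = ("10.0.0.1", 40000, "10.0.0.2", 5001, "udp")
BURST = [Packet(UDP_FLOW, 0.5 * i) for i in range(10)]
PROC_MS = 2.0

if __name__ == "__main__":
    print("no middlebox      :", run(BURST, PROC_MS), "packet-ins")
    print("hold t = 2 ms     :", run(BURST, PROC_MS, hold_ms=2.0), "packet-in")
    print("hold t = 1 ms     :", run(BURST, PROC_MS, hold_ms=1.0), "packet-ins")
```

With no middlebox every packet that arrives before the entry is installed becomes a packet-in (four of the ten here). Holding non-first UDP packets for t = 2 ms, equal to the controller's processing time, leaves exactly one packet-in per flow, while t = 1 ms still lets one redundant packet-in through, which is the threshold condition the abstract states. TCP packets are never held in this model, so a TCP burst behaves as if no middlebox were present.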
CLC number: