DiffSec: A Differentiated Intelligent Network Security Service Model
  • English title: DiffSec: A Differentiated Intelligent Network Security Service Model
  • Authors: 邓理; 吴伟楠; 朱正一; 陈鸣
  • Authors (English): Deng Li; Wu Weinan; Zhu Zhengyi; Chen Ming; College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics
  • Keywords: network security; software-defined networking (SDN); network function virtualization (NFV); intelligent control; prototype system
  • Chinese journal title: JFYZ
  • English journal title: Journal of Computer Research and Development
  • Institution: College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics
  • Publication date: 2019-05-15
  • Publisher: Journal of Computer Research and Development (计算机研究与发展)
  • Year: 2019
  • Issue: v.56
  • Funding: National Natural Science Foundation of China (61772271, 61379149)
  • Language: Chinese
  • Page: JFYZ201905007
  • Page count: 12
  • CN: 05
  • ISSN: 11-1777/TP
  • Classification number: 51-62
Abstract
Network security is increasingly important to the modern information society, and its cost is rising accordingly. Reducing the cost of network security as far as possible while still ensuring security is a challenging task. Based on the fact that different user communities have different security requirements, this paper proposes DiffSec, a model that provides differentiated security services according to users' security levels. We argue that this model can effectively reduce the cost of network security services, improve network performance, and meet the needs of the long-term development of network security technology. Based on DiffSec, we design the structure of the secure access network (SANet) and the corresponding intelligent control method using a combination of NFV and SDN, and implement a prototype system. Experimental results from the prototype system show that SANet not only provides flexible and correct network security functions but also has good network performance and practical value.
