MNOS: Design and Implementation of a Mimic Network Operating System
  • English title: Design and Implementation of Mimic Network Operating System
  • Authors: 王禛鹏; 扈红超; 程国振
  • Authors (romanized): Wang Zhenpeng; Hu Hongchao; Cheng Guozhen; National Digital Switching System Engineering & Technological Research Center
  • Keywords: software defined networking; active defense; mimic security defense; dynamic heterogeneous redundancy; network operating system
  • English keywords: software defined networking (SDN); active defense; mimic security defense; dynamic heterogeneous redundancy; network operating system (NOS)
  • Journal code: JFYZ
  • Journal (English): Journal of Computer Research and Development
  • Affiliation: National Digital Switching System Engineering & Technological Research Center
  • Publication date: 2017-10-15
  • Journal (Chinese): 计算机研究与发展
  • Year: 2017
  • Volume: 54
  • Issue: 10
  • Pages: 221-233
  • Page count: 13
  • Article ID: JFYZ201710019
  • CN: 11-1777/TP
  • Funding: National Natural Science Foundation of China (61309020, 61602509); NSFC Innovative Research Group project (61521003); National Key R&D Program of China (2016YFB0800100, 2016YFB0800101); Henan Province Science and Technology Research project (172102210615, 172102210441)
  • Language: Chinese
Abstract
Vulnerability-exploitation attacks on the control plane, such as malicious apps and flow-table tampering, are among the main threats facing software defined networking (SDN), and traditional defense strategies based on vulnerability patching cannot cope with unknown vulnerabilities or backdoors. This paper proposes a network operating system security architecture based on the idea of mimic defense, the mimic network operating system (MNOS), to secure the SDN control plane. The architecture uses heterogeneous, redundant network operating systems (NOSs) and adds a mimic plane between the traditional SDN data plane and control plane to implement dynamic scheduling. First, the mimic plane dynamically selects several NOSs to be active and serve in parallel; then, based on the processing results of each NOS, it decides the final valid response to return to the underlying switches. Experimental evaluation shows that, at a limited latency overhead, MNOS effectively reduces the probability that the SDN control plane is successfully attacked and has good fault/intrusion tolerance; building on this, the proposed scheduling strategy and decision mechanism effectively increase system heterogeneity and decision accuracy, further improving security.
As a mission-critical network component in software defined networking (SDN), the SDN control plane suffers from vulnerabilities exploited to launch malicious attacks, such as malicious application attacks, flow rule modification attacks, and so on. In this paper, we design and implement the mimic network operating system (MNOS), an active defense architecture based on mimic security defense, to deal with it. In addition to the SDN data plane and control plane, a mimic plane is introduced between them to manage and dynamically schedule heterogeneous SDN controllers. First, MNOS dynamically selects m controllers to be active and provide network service in parallel according to a certain scheduling strategy; it then judges whether the controllers are in benign condition by comparing the m responses from them, and decides on a most trusted response to send to the switches, so that a minority of malicious controllers is tolerated. Theoretical analysis and experimental results demonstrate that MNOS can reduce the successful attack probability and significantly improve network security, and these benefits come at only modest cost: the latency is only about 9.47% lower. Simulation results show that the proposed scheduling strategy and decision fusion method increase system diversity and decision accuracy respectively, which further enhances security performance.
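The abstract describes the mimic plane in three steps: pick m heterogeneous controllers to run in parallel, compare their m responses, and forward only the response that a majority agrees on, so a minority of compromised controllers is outvoted. The toy model below, added here as an illustration and not code from the paper, makes that mechanism concrete: a pool of controllers tagged with an assumed implementation "family", a scheduler that prefers distinct families (an assumed strategy standing in for the paper's scheduling policy), a majority-vote judge that also records which controllers were outvoted, and a closed-form estimate of the successful-attack probability under uniform scheduling. Controller behaviours, family labels and the packet-in event are constructed.

```python
"""Toy model of a mimic plane with heterogeneous, redundant SDN controllers.

Added illustration, not the paper's code. Controller behaviours and family
labels are constructed; the family-aware scheduler is an assumed policy.
"""
from collections import Counter
from dataclasses import dataclass, field
from math import comb
import random
from typing import Callable, List, Optional, Tuple


@dataclass
class Controller:
    name: str
    family: str                           # assumed label for the code base / stack
    handle: Callable[[dict], str]         # packet-in event -> flow rule text
    suspect_count: int = 0                # how often this controller was outvoted


def benign_handler(pkt: dict) -> str:
    # Constructed behaviour: forward to the port learned for the destination.
    return f"match dst={pkt['dst']} -> output:{pkt['port_for_dst']}"


def tampered_handler(pkt: dict) -> str:
    # Constructed behaviour of a faulty/compromised controller: wrong port.
    return f"match dst={pkt['dst']} -> output:99"


@dataclass
class MimicPlane:
    pool: List[Controller]
    m: int
    rng: random.Random = field(default_factory=lambda: random.Random(7))

    def schedule(self) -> List[Controller]:
        """Activate m controllers, taking one per family first so the active
        set is as heterogeneous as the pool allows (assumed strategy)."""
        shuffled = self.pool[:]
        self.rng.shuffle(shuffled)
        chosen: List[Controller] = []
        families = set()
        for c in shuffled:                # first pass: distinct families
            if c.family not in families and len(chosen) < self.m:
                chosen.append(c)
                families.add(c.family)
        for c in shuffled:                # fill up if families ran out
            if c not in chosen and len(chosen) < self.m:
                chosen.append(c)
        return chosen

    def judge(self, pkt: dict) -> Tuple[Optional[str], List[str]]:
        """Run the active set on one event and majority-vote the responses.
        Returns (response to forward or None if no strict majority,
        names of controllers whose answer was outvoted)."""
        active = self.schedule()
        answers = {c.name: c.handle(pkt) for c in active}
        winner, votes = Counter(answers.values()).most_common(1)[0]
        if votes * 2 <= len(active):      # no strict majority: forward nothing
            return None, list(answers)
        outvoted = [n for n, a in answers.items() if a != winner]
        for c in active:                  # disagreement is a signal worth logging
            if c.name in outvoted:
                c.suspect_count += 1
        return winner, outvoted


def attack_success_probability(n: int, k: int, m: int) -> float:
    """Probability that k compromised controllers out of n hold a strict
    majority of a uniformly chosen active set of size m (the case m=1 is a
    single, non-redundant controller)."""
    return sum(comb(k, j) * comb(n - k, m - j)
               for j in range(m // 2 + 1, m + 1)) / comb(n, m)


def build_demo_pool() -> List[Controller]:
    # Constructed pool: two families with two benign members each, and one
    # single-member family whose controller returns tampered rules.
    return [Controller("c1", "nos-a", benign_handler),
            Controller("c2", "nos-b", benign_handler),
            Controller("c3", "nos-c", tampered_handler),
            Controller("c4", "nos-a", benign_handler),
            Controller("c5", "nos-b", benign_handler)]


if __name__ == "__main__":
    plane = MimicPlane(build_demo_pool(), m=3)
    pkt = {"dst": "10.0.0.2", "port_for_dst": 2}   # constructed packet-in
    print(plane.judge(pkt))
    for n, k, m in [(5, 1, 1), (5, 1, 3), (5, 2, 1), (5, 2, 3)]:
        print(n, k, m, attack_success_probability(n, k, m))
```

With the constructed pool and m=3, the family-first scheduler always activates one controller from each family, so the tampered one is present in every round yet outvoted two to one, and its suspect count grows with each event. The probability function shows the other half of the argument: one compromised controller in five wins 20% of the time when a single controller is used, but never wins a strict majority of three.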