Research on SDN-Oriented Security Threats and Countermeasure Techniques
  • English title: Researches on Security Threats and Countermeasures of SDN
  • Authors: 王丽娜; 王斐; 刘维杰
  • English author names: WANG Lina; WANG Fei; LIU Weijie; School of Cyber Science and Engineering, Wuhan University; Tencent Technology (Shenzhen) Company Limited
  • Keywords (Chinese, translated): software-defined networks; centralized control; policy violations; distributed denial of service attacks
  • English keywords: software-defined networks (SDN); centralized control; policy violations; distributed denial of service attacks
  • Chinese journal code: WHDY
  • English journal title: Journal of Wuhan University (Natural Science Edition)
  • Affiliations: School of Cyber Science and Engineering, Wuhan University; Tencent Technology (Shenzhen) Co., Ltd.
  • Publication date: 2019-03-11 14:39
  • Publisher: Journal of Wuhan University (Natural Science Edition)
  • Year: 2019
  • Issue: v.65; No.294
  • Funding: National Natural Science Foundation of China (U1836112); NSFC-General Technology Basic Research Joint Fund (U1536204); Fundamental Research Funds for the Central Universities (2042018kf1028); Science and Technology on Information Assurance Laboratory Fund (61421120301162112009)
  • Language: Chinese
  • Page: WHDY201902004
  • Page count: 12
  • CN: 02
  • ISSN: 42-1674/N
  • Classification number: 46-57
Abstract
Software-defined networks (SDN) increase the flexibility of network programming through logically centralized network control, but the security threats this introduces, if exploited by an attacker, directly endanger the entire network architecture. Based on the characteristics of SDN, this paper classifies security threats into four types: intrusion attacks, anomaly attacks, DDoS and DoS attacks, and spoofing attacks. Because DDoS and DoS attacks are more targeted and more damaging in an SDN environment than in traditional networks, they are discussed systematically in terms of attack principles, methods and effects. Existing countermeasures are then reviewed according to attack type, and future research directions and development trends are proposed based on the shortcomings of current techniques.