Abstract
As SDN is increasingly deployed in real-world applications, its security problems have attracted much attention. To accurately assess the security status of an SDN network, this paper proposes an SDN-oriented network security situational awareness method. The method extracts network security situation indicators from the characteristics of the attacks that the data plane, control plane and application plane may suffer. On the basis of quantifying these situation indicators, it builds an optimised RBF neural network model to realise comprehensive perception and visual display of the SDN network security situation. Experimental results show that assessing the network security situation with this method is not only highly accurate but also incurs a small resource overhead.
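The pipeline the abstract describes (per-plane indicator vectors, an RBF network whose centres are chosen by k-means, a fused situation score mapped to a display level) as an added illustration in plain Python; it is not the paper's code or data. The indicator vectors, analyst scores, width heuristic and level thresholds are all constructed assumptions, and the paper's specific RBF optimisation is not reproduced.

```python
import math

# Constructed training set (not from the paper): each row is a quantified indicator
# vector [data-plane, control-plane, application-plane] in [0, 1] for one time
# window, paired with the situation score an analyst assigned to that window.
SAMPLES = [
    ((0.05, 0.10, 0.05), 0.10), ((0.10, 0.05, 0.10), 0.10), ((0.15, 0.10, 0.05), 0.15),
    ((0.85, 0.20, 0.15), 0.60), ((0.90, 0.25, 0.10), 0.65), ((0.80, 0.30, 0.20), 0.60),
    ((0.40, 0.90, 0.50), 0.90), ((0.35, 0.85, 0.60), 0.90), ((0.45, 0.95, 0.55), 0.95),
]

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def kmeans(points, k, iters=20):
    """Choose the k RBF centres with k-means; farthest-point seeding keeps it deterministic."""
    centres = [list(points[0])]
    while len(centres) < k:
        centres.append(list(max(points, key=lambda p: min(dist(p, c) for c in centres))))
    for _ in range(iters):
        groups = [[] for _ in range(k)]
        for p in points:
            groups[min(range(k), key=lambda i: dist(p, centres[i]))].append(p)
        centres = [[sum(p[j] for p in g) / len(g) for j in range(len(points[0]))] if g else c
                   for g, c in zip(groups, centres)]
    return centres

def hidden(x, centres, sigma):
    """Gaussian basis activations of the hidden layer for one indicator vector."""
    return [math.exp(-dist(x, c) ** 2 / (2 * sigma ** 2)) for c in centres]

def train_rbf(samples, k=3, epochs=1500, lr=0.05):
    xs = [x for x, _ in samples]
    centres = kmeans(xs, k)
    # Width heuristic (assumed): spread of the centres divided by sqrt(2k).
    sigma = max(dist(a, b) for a in centres for b in centres) / math.sqrt(2 * k)
    weights, bias = [0.0] * k, 0.0
    for _ in range(epochs):                      # LMS updates of the linear output layer
        for x, y in samples:
            h = hidden(x, centres, sigma)
            err = sum(w * v for w, v in zip(weights, h)) + bias - y
            weights = [w - lr * err * v for w, v in zip(weights, h)]
            bias -= lr * err
    return {"centres": centres, "sigma": sigma, "weights": weights, "bias": bias}

def predict(model, x):
    """Fused situation score for one indicator vector."""
    h = hidden(x, model["centres"], model["sigma"])
    return sum(w * v for w, v in zip(model["weights"], h)) + model["bias"]

def mse(model, samples):
    return sum((predict(model, x) - y) ** 2 for x, y in samples) / len(samples)

def situation_level(score):
    """Map the fused score to a display level (thresholds are assumed, not the paper's)."""
    return "low" if score < 0.3 else "medium" if score < 0.7 else "high"
```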