Abstract
(Chinese abstract, translated) Current firewalls and intrusion blocking devices used to defend against network attacks suffer from poor adaptability and high cost. To address this, intrusion blocking rules based on OpenFlow were designed, achieving filtering of attack traffic and flexible control over the intrusion blocking process; the performance of generating OpenFlow flow entries from intrusion blocking rules was analyzed and measured; an OpenFlow switch (H3CS6300) was introduced to measure, in a production environment, the effect of the number of OpenFlow flow entries and of the number of OpenFlow messages per unit time (OpenFlow PPS) on the performance of the OpenFlow Channel. It was found that OpenFlow PPS plays a decisive role in OpenFlow Channel performance: as OpenFlow PPS increases, OpenFlow Channel performance drops sharply and response time grows exponentially. A network intrusion blocking system based on SDN technology was designed and implemented, achieving blocking of attack traffic and sample collection of malicious traffic, which demonstrates the feasibility of using SDN technology to build an intrusion prevention system.
(English abstract) To solve the high cost and poor adaptability of using traditional firewall or intrusion prevention devices for network attack prevention, intrusion prevention rules were designed based on the OpenFlow protocol, and filtering of attack traffic and flexible control over the intrusion prevention process were achieved. The performance of generating OpenFlow flow entries from intrusion prevention rules was analyzed and measured. Using an OpenFlow switch (H3CS6300), the effect of the number of OpenFlow flow entries and of OpenFlow packets per second (OpenFlow PPS) on OpenFlow Channel performance was measured in a production environment. It was found that OpenFlow PPS plays the decisive role in OpenFlow Channel performance: with the increase of OpenFlow PPS, OpenFlow Channel performance declines sharply and response time grows exponentially. Finally, a network intrusion prevention system was designed and implemented based on SDN; intrusion prevention and packet capture were achieved, and the feasibility of using SDN technology to build an intrusion prevention system was demonstrated.
Authors
Gong Jian (龚俭), Jin Lei (金磊)
School of Computer Science and Engineering, Southeast University, Nanjing 211189, China
Source
Journal of Huazhong University of Science and Technology (Natural Science Edition) (华中科技大学学报(自然科学版))
Indexed in: EI, CAS, CSCD, Peking University Core Journals (北大核心)
2016, No. 11, pp. 1-6 (6 pages)
Funding
National Natural Science Foundation of China, project 61602114