摘要
SDN控制器可实现网络的集中化管控,但易受到各种各样潜在的攻击导致整个网络崩溃。为提高SDN控制层的安全性,拟态防御技术被引用到SDN控制层,通过多个异构控制器同时处理请求,再对请求结果进行一致性判别,最后将最可能安全的规则下发给交换机,从而避免控制器因未知漏洞或后门而遭受攻击。然而,由于异构控制器生成的流规则在内容、数量等方面的不同,流规则的一致性判别较困难。从边缘端口输出流的一致性角度出发,通过建立流表规则的管道图,用几何方式表示边缘端口的输出流,并建立边缘端口流矩阵,通过对比矩阵判别规则的一致性。实验结果表明,该方法能够准确判别流规则的一致性,在性能方面可满足一般网络的实时性要求。
The SDN controller realizes the centralized management and control of the network and is vulnerable to all kinds of potential attacks that cause the entire network to crash. In order to improve the security of the SDN control layer, the mimic defense technology is introduced to the SDN network control layer. Multiple heterogeneous controllers process the request at the same time, and then the consistency of the request result is determined. Finally, the most likely security rule is issued to the switch, so as to avoid the controller being attacked due to an unknown vulnerability or backdoor. However, since the flow rules generated by the heterogeneous controllers may differ in terms of content, quantity, etc., it is difficult to distinguish the consistency of the flow rules. In this paper, from the perspective of the consistency of the output flow of the edge port, the pipeline graph of the flow table is established, the output flow of the edge port is represented geometrically, and the edge port flow matrix is established. The consistency of the rules is determined by the comparison matrix. Experimental results show that the proposed method can correctly identify the consistency of the flow rules and meet the real-time requirements of the general network in terms of performance.
作者
高洁
邬江兴
李军飞
贺磊
GAO Jie;WU Jiangxing;LI Junfei;HE Lei(National Digital Switching System Engineering & Technological R&D Center, Zhengzhou 450002, China)
出处
《信息工程大学学报》
2018年第6期641-646,共6页
Journal of Information Engineering University
基金
国家自然科学基金资助项目(61521003)
国家863计划资助项目(2015AA016102)
