SDN拓扑攻击及其防御

Research on SDN Topology Attack and Its Defense Mechanism

为保护软件定义网络(SDN)中控制器的视图安全,特别是在网络链路状态变化环境中的全局视图完整性,提出一种SDN拓扑攻击防御机制——PolicyTopo。该机制引入信息熵理论构建模型验证网络链路延时变化,同时定义数据设备端口的安全性,在防御传统拓扑攻击的同时进一步解决了网络状态变化下拓扑攻击的防御问题。在虚拟环境和物理实验台上分别布署PolicyTopo并基于Floodlight控制器进行攻防测试,结果表明,PolicyTopo能动态有效保护网络状态变化中拓扑完整性,提高网络全局视图安全性。与同类主流防御机制比较结果表明,该机制减少大量网络资源开销,增强网络安全性、灵活性以及可扩展性。

A SDN topology attack defense mechanism——PolicyTopo was proposed in order to protect the view security of the controller in software-defined networking(SDN),especially the global view integrity in the context of network link state changes.This mechanism introduces information entropy theory to build a model to verify the change of network link delay,and at the same time defines the security of data device ports.It also solves the defense problem of topology attacks under network state changes while defending against traditional topology attacks.PolicyTopo was deployed both on the virtual environment and the physical experiment platform,and the offensive and defensive tests were carried out based on Floodlight.The results show that PolicyTopo can dynamically and effectively protect the topology integrity during network state changes and improve the security of the global view of the network.Compared with other mainstream defense mechanisms,this mechanism can largely reduce the cost of network resource and improve the security,flexibility and scalability of the network.