Abstract
Software-defined networking (SDN) makes the network programmable, reduces the complexity of network management, and promotes the development of new network technologies. As the device that forwards data and enforces policy, the SDN switch must not have its privileges taken over by unauthorized entities. However, an SDN switch does not always execute the commands issued by the controller: a malicious attacker who compromises an SDN switch can mount covert and damaging attacks on the network and seriously degrade the end-to-end communication quality of users. Communicating sequential processes (CSP), a modeling language designed for concurrent systems, can accurately describe the interactions between SDN switches and between switches and hosts. This paper uses CSP to model SDN switches and end hosts, analyzes two methods for locating abnormal switches theoretically, and verifies in an instantiated model system whether these detection methods are effective when an edge switch acting as the egress switch forwards maliciously; the results show that this abnormal behavior cannot be detected. To address this problem, an edge-switch anomaly detection method is proposed. The host records statistics and passes them to the controller by constructing special packets that trigger packet_in messages; the controller collects these statistics and detects abnormal forwarding by the edge switch by checking the consistency between the statistics of the edge switch and those of the host. Finally, experiments based on the ryu controller are carried out on the mininet platform, and the results show that the edge-switch anomaly detection method successfully detects the abnormal behavior.
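The consistency check described in the abstract, as an added illustration in Python that is not the paper's code nor part of ryu or mininet. It assumes a host encodes its per-flow send counters in the payload of the special packet (marked here with an invented `HSTAT` tag and JSON body), that the controller extracts that payload from the packet_in, and that the edge switch's per-flow forwarded counts are already available as a dictionary (in a real deployment they would come from the switch's flow statistics). The `tolerance` and `min_packets` parameters are assumptions made for this example; the sample counters are constructed.

```python
"""
Added illustration of the edge-switch anomaly check described in the abstract:
hosts report what they sent, the controller compares that with the flow
statistics the edge switch reports, and a mismatch flags the switch.
Not the paper's code; the report encoding, field names, magic tag,
tolerance and minimum packet count are all assumptions made here.
"""
import json
from dataclasses import dataclass

REPORT_TAG = b"HSTAT"  # assumed marker the controller looks for in a packet_in payload


@dataclass(frozen=True)
class FlowKey:
    src: str
    dst: str
    proto: str


@dataclass
class Finding:
    flow: FlowKey
    host_sent: int
    switch_forwarded: int


def build_host_report(host_counters):
    """Host side: wrap per-flow send counters into the payload of the special packet."""
    body = [{"src": k.src, "dst": k.dst, "proto": k.proto, "sent": n}
            for k, n in host_counters.items()]
    return REPORT_TAG + json.dumps(body).encode()


def parse_host_report(payload):
    """Controller side: decode a packet_in payload, or return None if it is not a report."""
    if not payload.startswith(REPORT_TAG):
        return None
    body = json.loads(payload[len(REPORT_TAG):].decode())
    return {FlowKey(r["src"], r["dst"], r["proto"]): int(r["sent"]) for r in body}


def check_consistency(host_stats, switch_stats, tolerance=0.05, min_packets=10):
    """Flag flows where the edge switch's forwarded count disagrees with the
    host's sent count by more than `tolerance` of what the host sent.
    Flows with fewer than `min_packets` packets are skipped as inconclusive."""
    findings = []
    for flow, sent in host_stats.items():
        if sent < min_packets:
            continue
        forwarded = switch_stats.get(flow, 0)  # missing flow entry counts as nothing forwarded
        if abs(sent - forwarded) > tolerance * sent:
            findings.append(Finding(flow, sent, forwarded))
    return findings


def run_demo():
    """Constructed scenario: two hosts report, the edge switch under-forwards one flow."""
    h1_counters = {FlowKey("10.0.0.1", "10.0.0.2", "tcp"): 1000,
                   FlowKey("10.0.0.1", "10.0.0.3", "udp"): 400}
    h2_counters = {FlowKey("10.0.0.2", "10.0.0.1", "tcp"): 5}   # too few packets to judge
    # Payloads the controller would see in packet_in messages; one is an unrelated packet.
    packet_ins = [build_host_report(h1_counters), b"\x00\x01\x08\x00arp-like-noise",
                  build_host_report(h2_counters)]
    host_stats = {}
    for payload in packet_ins:
        report = parse_host_report(payload)
        if report is not None:
            host_stats.update(report)  # each host reports only its own flows
    # Constructed edge-switch flow statistics: the udp flow has 150 packets silently dropped.
    switch_stats = {FlowKey("10.0.0.1", "10.0.0.2", "tcp"): 1000,
                    FlowKey("10.0.0.1", "10.0.0.3", "udp"): 250,
                    FlowKey("10.0.0.2", "10.0.0.1", "tcp"): 0}
    return check_consistency(host_stats, switch_stats)


if __name__ == "__main__":
    for f in run_demo():
        print(f"edge switch inconsistent on {f.flow}: host sent {f.host_sent}, "
              f"switch forwarded {f.switch_forwarded}")
```

The check is deliberately symmetric (`abs`), so a switch that reports more packets than the host sent is flagged as well as one that drops packets; the tolerance absorbs the small counter skew that arises because the host and switch counters are not sampled at exactly the same instant.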
Authors
ZHAO Yang
YI Peng
ZHANG Zhen
HU Tao
LIU Shaoxun
(Institute of Scientific and Technical Information, People's Liberation Army Strategic Support Force Information Engineering University, Zhengzhou 450001, China; Network Communication and Security Purple Mountain Laboratory, Nanjing 210000, China)
Source
Computer Science (《计算机科学》)
CSCD
Peking University Core Journal (北大核心)
2023, No. 1, pp. 362-372 (11 pages)
Funding
Henan Province Major Science and Technology Project (Research and Demonstration Application of Key Endogenous Security Technologies for Intelligent Connected Vehicles, 2022012)
National Natural Science Foundation of China (61872382, 62101598, 61521003).
Keywords
Software-defined network
Data plane security
Formal verification and analysis
Communicating sequential processes
Compromised switch detection