Abstract: By extracting the control plane from the data plane, SDN enables unprecedented flexibility for future network architectures and quickly changes the landscape of the networking industry. Although the maturity of commonly accepted SDN security practices is the key to the proliferation of cloud DCN, SDN security research is still in its infancy. This paper gives a top-down survey of the approaches in this area, discussing security challenges and opportunities of software-defined datacenter networking for cloud computing. It leverages the well-known confidentiality-integrity-availability (CIA) matrix and protection-detection-reaction (PDR) model to give an overview of current security threats and security measures. It also discusses promising research directions in this field.
Abstract: Software defined networking (SDN) and network function virtualization (NFV) have attracted significant attention from both academia and industry. Fortunately, by virtue of the unique advantages of programmability and centralized control, SDN has been widely used in various scenarios, such
Abstract: With the development and revolution of networks in recent years, the scale and complexity of networks have become big issues. Traditional hardware-based network security solutions have shown some significant disadvantages in cloud computing based Internet data centers (IDC), such as high cost and lack of flexibility. With the implementation of software defined networking (SDN), network security solutions could be more flexible and efficient, such as SDN-based firewall service and SDN-based DDoS-attack mitigation service. Moreover, combined with cloud computing and SDN technology, network security services could be lighter-weight, more flexible, and on-demand. This paper analyzes some typical SDN-based network security services, and provides research on an SDN-based cloud security service (network security service pool) and its implementation in IDCs.
Abstract: Software Defined Network (SDN) is a new type of network architecture and has become a hot topic in next-generation Internet research. To address network information security problems in SDN, this paper analyzes the control plane, data plane and application plane of SDN, and sorts out and summarizes the network security issues involved in SDN management. It proposes an SDN-based network security framework and security policy that effectively remedies the network security defects of traditional network structures and raises the security level of SDN networks, and establishes an SDN network security framework and security policy based on restricting and managing end users.
Abstract: This paper focuses on the choice of a Software Defined Network (SDN) architecture for smart-campus networking and security, discussing in turn the necessity of applying an SDN architecture, implementation methods, and recommendations for network and security maintenance. Starting from three dimensions, namely centralized deployment of the smart campus, the integration of intent-based networking with the smart campus, and building a network security architecture with zero trust at its core, it puts forward recommendations for protecting smart-campus network security. The aim is to emphasize the role of the SDN architecture in maintaining the operational security of smart-campus construction, so as to provide technical support for the further development of smart campuses.
Funding: This material is supported by the National Natural Science Foundation of China under Grant Nos. 61001116 and 61121001, Beijing Nova Programme No. Z131101000413030, the National Major Project No. 2013ZX03003002, and the Program for Changjiang Scholars and Innovative Research Team in University No. IRT1049.
Abstract: Software-Defined Network (SDN) empowers the evolution of the Internet with the OpenFlow, Network Virtualization and Service Slicing strategies. With the fast increasing requirements of Mobile Internet services, the Internet and Mobile Networks are converging. Mobile Networks can also benefit from the SDN evolution to fulfill the 5th Generation (5G) capacity boom. The article implements SDN into Frameless Network Architecture (FNA) for 5G Mobile Network evolution with the proposed Mobile-oriented OpenFlow Protocol (MOFP). The Control Plane/User Plane (CP/UP) separation and adaptation strategy is proposed to support the User-Centric scenario in FNA. The traditional Base Station is separated into a Central Processing Entity (CPE) and Antenna Elements (AE) to perform the OpenFlow and Network Virtualization. The AEs are released as new resources for serving users. Mobile-oriented Service Slicing with different Quality of Service (QoS) classification is proposed, and Resource Pooling based Virtualized Radio Resource Management (VRRM) is optimized for the Service Slicing strategy with the resource-limited feature of Mobile Networks. The capacity gains are provided to show the merits of SDN-based FNA. A MiniNet-based Trial Network with Service Slicing is implemented and experimental results are presented.
Abstract: Network traffic measurement for tasks such as large-flow detection, burst-flow detection and cardinality estimation is of great significance for safeguarding network security, but current research suffers from insufficient real-time performance and limited measurement accuracy. To address these problems, a network traffic measurement model based on a multiple layer sketch (ML Sketch) is designed. First, the model adopts a self-designed ML Sketch structure whose classified storage structure improves the accuracy of traffic measurement. Second, a real-time traffic replay technique is used in an SDN (software defined network) environment to simulate the dynamic occurrence of traffic. Finally, real-time dynamic detection of large flows, burst flows and cardinality-estimation traffic is implemented on the SDN control plane. Experimental results on UNSW-NB15 show that, compared with the traditional Sketch structure, the designed ML Sketch structure improves the F1_Score metric by up to 4.81% and reduces the associated error by up to 81.12%, verifying the effectiveness of the model.
Abstract: Software Defined Networking (SDN), being an emerging network control model, is widely recognized as a control and management platform. This model provides efficient techniques to control and manage the enterprise network. Another emerging paradigm is edge computing, in which data processing is performed at the edges of the network instead of at a central controller. This data processing at the edge nodes reduces the latency and bandwidth requirements. In SDN, the controller is a single point of failure. Several security issues related to the traditional network can be solved by using SDN central management and control. Address Spoofing and Network Intrusion are the most common attacks. These attacks severely degrade performance and security. We propose an edge computing-based mechanism that automatically detects and mitigates those attacks. In this mechanism, an edge system gets the network topology from the controller, and the Address Resolution Protocol (ARP) traffic is directed to it for further analysis. As such, the controller is saved from unnecessary processing related to address translation. We propose a graph computation based method to identify the location of an attacker or intruder by implementing a graph difference method. By using the correct location information, the exact attacker or intruder is blocked, while legitimate users get access to the network resources. The proposed mechanism is evaluated in a Mininet simulator with a POX controller. The results show that it improves system performance in terms of attack mitigation time, attack detection time, and bandwidth requirements.
Abstract: Virtualization is the key technology of cloud computing. Network virtualization plays an important role in this field, and its performance is closely tied to the way the network is virtualized. Nowadays its implementations are mainly based on the idea of Software Defined Network (SDN). Open vSwitch is a software virtual switch which conforms to the OpenFlow protocol standard. It is basically deployed in the Linux kernel hypervisor. This makes its performance relatively poor because of the limited system resources, and in turn the packet processing throughput is very low. In this paper, we present a Cavium-based Open vSwitch implementation. The Cavium platform features multiple cores and a number of hardware accelerators. It supports zero-copy of packets and handles packets more quickly. We also carry out some experiments on the platform. The results indicate that it can be used in the enterprise network or campus network as a convergence layer and core layer device.
Abstract: The ever-increasing needs of Internet of Things networks (IoTn) present considerable issues in computing complexity, security, trust, and authentication, among others. This gets increasingly more challenging as technology advances and its use expands. As a consequence, boosting the capacity of these networks has garnered widespread attention. As a result, 5G, the next phase of cellular networks, is expected to be a game-changer, bringing with it faster data transmission rates, more capacity, improved service quality, and reduced latency. However, 5G networks continue to confront difficulties in establishing pervasive and dependable connections amongst high-speed IoT devices. Thus, to address the shortcomings in current recommendations, we present a unified architecture based on software-defined networks (SDNs) that provides 5G-enabled devices that must have complete secrecy. Through SDN, the architecture streamlines network administration while optimizing network communications. A mutual authentication protocol using elliptic curve cryptography is introduced for mutual authentication across certificate authorities and cluster heads in IoT network deployments. Again, a dimensionality reduction intrusion detection mechanism is introduced to decrease computational cost and identify possible network breaches. However, to leverage the method's potential, the initial module's security is reviewed. The second module is evaluated and compared to modern models.