基于贝叶斯−斯坦科尔伯格博弈的SDN安全控制平面模型

doi:10.11959/j.issn.2096-109x.2017.00211

网络与信息安全学报 ›› 2017, Vol. 3 ›› Issue (11): 40-49.doi: 10.11959/j.issn.2096-109x.2017.00211

基于贝叶斯−斯坦科尔伯格博弈的SDN安全控制平面模型

卢振平(),陈福才,程国振

国家数字交换系统工程技术研究中心，河南郑州 450002

修回日期:2017-09-20 出版日期:2017-11-01 发布日期:2017-11-30
作者简介:卢振平（1992-），男，河南商丘人，国家数字程控交换系统工程技术研究中心硕士生，主要研究方向为软件定义网络、网络先进防御。|陈福才（1974-），男，江西南昌人，硕士，国家数字程控交换系统工程技术研究中心研究员，主要研究方向为电信网关防、网络安全。|程国振（1986-），男，山东菏泽人，博士，国家数字程控交换系统工程技术研究中心助理研究员，主要研究方向为云数据中心、软件定义网络、网络安全。
基金资助:
国家自然科学基金创新群体基金资助项目(61521003);国家重点研发计划基金资助项目(2016YFB0800100);国家重点研发计划基金资助项目(2016YFB0800101);国家自然科学基金青年基金资助项目(61309020);国家自然科学基金青年基金资助项目(61602509)

Secure control plane for SDN using Bayesian Stackelberg games

Zhen-ping LU(),Fu-cai CHEN,Guo-zhen CHENG

National Digital Switching System Engineering＆Technological R＆D Center,Zhengzhou 450002,China

Revised:2017-09-20 Online:2017-11-01 Published:2017-11-30
Supported by:
The Foundation for Innovative Research Groups of the National Natural Science Foundation of China(61521003);The National Key R＆D Program of China(2016YFB0800100);The National Key R＆D Program of China(2016YFB0800101);The National Natu-ral Science Foundation of China(61309020);The National Natural Science Foundation of China(61602509)

摘要/Abstract

摘要：

提出一种基于动态异构冗余的安全控制平面，通过动态地变换异构的控制器以增加攻击者的难度。首先，提出基于贝叶斯?斯坦科尔伯格博弈模型的控制器动态调度方法，将攻击者和防御者作为博弈参与双方，求得均衡解，进而指导调度策略；其次，引入一种自清洗机制，与博弈策略结合形成闭环的防御机制，进一步地提高了控制层的安全增益；最后，实验定量地描述了基于该博弈策略的安全控制层相比与传统部署单个控制器以及采用随机策略调度控制器的收益增益，并且自清洗机制能够使控制平面一直处于较高的安全水平。

关键词: 软件定义网络, 网络安全, 贝叶斯?斯坦科尔伯格博弈, 控制器

Abstract:

A dynamic scheduling controller in SDN control layer was proposed by dynamically transform heteroge-neous controlled in order to increase the difficulty of the attacker.Firstly,a dynamic scheduling method based on Bayesian Stackelberg games the attacker and defender were game participation on both sides,obtained the equili-brium,which guided the scheduling strategy.Secondly,introducing a self-cleaning mechanism,it improved the gain of the control layer security combined with game strategy form closed-loop defense mechanism.The experiments described quantitatively based on the game strategy compared with traditional safety control layer to deploy a single controller and adopt the strategy of random scheduling profit gain of the controller,and self-cleaning mechanism could make the control plane to be in a higher level of security.

Key words: software defined networking, network security, Bayesian Stackelberg games, controller

中图分类号:

TP309

卢振平,陈福才,程国振. 基于贝叶斯−斯坦科尔伯格博弈的SDN安全控制平面模型[J]. 网络与信息安全学报, 2017, 3(11): 40-49.

Zhen-ping LU,Fu-cai CHEN,Guo-zhen CHENG. Secure control plane for SDN using Bayesian Stackelberg games[J]. Chinese Journal of Network and Information Security, 2017, 3(11): 40-49.

图/表 12

图1

图2

图3

图4

图5

图6

表1

变量说明"

符号	意义
t	攻击类型
l	防御策略
F^t	t的攻击策略集
a^t	攻击类型t的收益值
R^t	防御者在t的收益矩阵
C^t	攻击者在t的收益矩阵
p^t	攻击类型t的攻击可能性
$n_{f}^{t}$	攻击类型为t、策略为 f 的布尔值
C _lf	防御者策略l、攻击者策略 f 的收益
y	攻击策略分布
T	攻击类型集合
L	防御者纯策略集合
F	攻击纯策略集合
x	防御者策略分布

表1

表2

表3

表4

表5

表6

参考文献 28

[1]	KREUTZ D , RAMOS F M V , VERISSIMO P . Towards secure and dependable software-defined networks[C]// ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking. 2013:55-60.
[2]	SHIN S , SONG Y , LEE T , et al. Rosemary:a robust,secure,and high-performance network operating system[C]// ACM Conference on Computer and Communications Security. 2014:78-89.
[3]	LENG J , ZHOU Y , ZHANG J , et al. An inference attack model for flow table capacity and usage:exploiting the vulnerability of flow table overflow in software-defined network[J]. Water Air ＆ Soil Pollution, 2015,85(3): 1413-1418.
[4]	SONCHACK J , AVIV A J , KELLER E . Timing SDN control planes to infer network configurations[C]// ACM International Workshop on Security in Software Defined Networks ＆ Network Function Virtualization. 2016.
[5]	LEE S , YOON C , SHIN S . The smaller,the shrewder:a simple malicious application can kill an entire SDN environment[C]// ACM International Workshop on Security in Software Defined Networks＆ Network Function Virtualization. 2016.
[6]	MORZHOV S , ALEKSEEV I , NIKITINSKIY M . Firewall applica-tion for Floodlight SDN controller[C]// The International Siberian Conference on Control and Communications. 2016.
[7]	SHIN S , SNOS Y , LEE T , et al. Rosemary:a robust,secure,and high-performance network operating system[J]. 2014: 78-89.
[8]	TOOTOONCHIAN A , GANJALI Y . HyperFlow:a distributed control plane for OpenFlow[C]// Internet Network Management Conference on Research on Enterprise Networking. 2010:3.
[9]	SHERWOOD R , GIBB G , YAP K K , et al. FlowVisor:a network virtualization layer[J]. 2009.
[10]	YEGANEH S H , GANJALI Y . Kandoo:a framework for efficient and scalable offloading of control applications[C]// The Workshop on Hot Topics in Software Defined Networks. 2012:19-24.
[11]	KOPONEN T , CASADO M , GUDE N , et al. Onix:a distributed control platform for large-scale production networks[C]// Usenix Symposium on Operating Systems Design and Implementa-tion(OSDI 2010). 2010:351-364.
[12]	DIXIT A , FANG H , MUKHERJEE S , et al. Towards an elastic distributed SDN controller[C]// The 1st Workshop on Hot Topics in Software Defined Networking (HotSDN 2013). 2013:7-12.
[13]	BERDE P , GEROLA M ,and HART J , et al. ONOS:towards an open,distributed SDN OS[C]// The Workshop on Hot Topics in Software Defined Networking. 2014:1-6.
[14]	LI H , LI P , GUO S , et al. Byzantine-resilient secure software-defined networks with multiple controllers in cloud[C]// 2014 IEEE International Conference on Communications (ICC 2014). 2014:695-700.
[15]	ELDEFRAWY K , KACZMAREK T . Byzantine fault tolerant soft-ware-defined networking (SDN) controllers[C]// IEEE Computer Society International Conference on Computers,Software ＆ Ap-plications. 2016:208-213.
[16]	LEE C , SHIN S . SHIELD:an automated framework for static analysis of SDN applications[C]// ACM International Workshop on Security in Software Defined Networks ＆ Network Function Virtu-alization. 2016:29-34.
[17]	WILCZEWSKI . Security considerations for equipment controllers and SDN[C]// 2016 IEEE International Telecommunications Energy Conference (INTELEC). 2016:1-5.
[18]	AHMAD I , NAMAL S , YLIANTTILA M , et al. Security in soft-ware defined networks:a survey[J]. IEEE Communications Sur-veys ＆ Tutorials, 2015,17(4): 1.
[19]	PORRAS P , SHIN S , YEGNESWARAN V , et al. A security en-forcement kernel for OpenFlow networks[C]// The First Workshop on Hot Topics in Software Defined Networks. 2012:121-126.
[20]	SONCHACK J , AVIV A J , KELLER E , et al. Enabling practical software-defined networking security applications with OFX[C]// Network and Distributed System Security Symposium. 2016.
[21]	MEDVED J , VARGA R , TKACIK A , et al. OpenDaylight:towards a model-driven SDN controller architecture[C]// IEEE International Symposium on World of Wireless,Mobile and Multimedia Net-works. 2014:1-6.
[22]	WANG T , LIU F , GUO J , et al. Dynamic SDN controller assign-ment in data center networks:Stable matching with transfers[C]// IEEE Conference on Computer Communications. 2016:1-9.
[23]	LU Z P , CHEN F C , et al. Poster:a secure control plane with dynamic multi-NOS for SDN[C]// NDSS Posters. 2017.
[24]	LEE S , YOON C . DELTA:a security assessment framework for software-defined networks[C]// Network and Distributed System Security Symposium. 2017.
[25]	KIEKINTVELD C , MARECKI J , TAMBE M . Approximation methods for infinite bayesian stackelberg games:Modeling distri-butional payoff uncertainty[C]// The 10th International Conference on Autonomous Agents and Multiagent Systems. 2011:1005-1012.
[26]	PARUCHURI P , PEARCE J P . Playing games for security:an efficient exact algorithm for solving bayesian stackelberg games[C]// The 7th International Joint Conference on Autonomous Agents and Multiagent Systems (AAMAS'08). 2008:985-902.
	DAVID Jorm. 44CON LONDON 2015 Presentations[EB/OL]. .
[28]	PITA J , JAIN M , TAMBE M , et al. Robust solutions to stackelberg games:addressing bounded rationality and limited observations in human cognition[J]. Artificial Intelligence, 2010,174(15): 1142-1171.

策略		攻防收益
策略	Ryu	ODL	ONOS	Floodlight
A₁	?2,6	5,?8	5,?8	2,?6
A₂	?5,5	2,?6	?2,6	5,?8
A₃	5,?2	?10,10	?10,10	5,?2
A₄	?10,10	5,?2	5,?2	?10,10
A₅:A₁＆A₃	?8,8	?4,8	2,6	8,?8
A₆:A₂＆A₃	?4,8	?8,8	8,?8	2,6
A₇:A1＆A₄	2,6	8,?8	?8,8	?4,8
A₈:A2＆A₄	8,?8	2,6	?4,8	?8,8
A₉：无	0,0	0,0	0,0	0,0

攻击类型	攻击能力	攻击概率
黑客1	A₁,A₂,A₉	0.5
黑客2	A₁,A₃,A₅,A₉	0.2
黑客3	所有	0.1
黑客4	A₁,A₂,A₃,A₄,A₉	0.2

概率分布	随机策略的收益	博弈均衡策略的收益	收益增益
0,0,1	?2.5	?0.85	1.65
0,0.2,0.8	?2	?0.54	1.46
0,0.4,0.6	?1.5	?0.15	1.35
0,0.6,0.4	?1	0.22	1.22
0,0.8,0.2	?0.5	0.61	1.11
0,1,0	0	1	1
0.2,0,0.8	?2.5	?0.7	1.8
0.2,0.2,0.6	?2	?0.48	1.52
0.2,0.4,0.4	?1.5	?0.27	1.23
0.2,0.6,0.2	?1	0.05	1.05
0.2,0.8,0	?0.5	0.53	1.03
0.4,0,0.6	?2.5	?0.32	2.18
0.4,0.2,0.4	?2	?0.1	2.1
0.4,0.4,0.2	?1.5	0.11	1.61
0.4,0.6,0	?1	1	2
0.6,0,0.4	?2.5	0.06	2.56
0.6,0.2,0.2	?2	0.57	2.57
0.6,0.4,0	?1.5	1.5	3
0.8,0,0.2	?2.5	1.07	3.07
0.8,0.2,0	?2	2	4
1,0,0	?2.5	2.5	5

解决一个漏洞	收益更新
ν₁	?0.768
ν₂	?0.493
ν₃	0.318
ν₄	0.543

解决2个漏洞	收益更新
v ₁,v₂	?0.757
v ₁,v₃	0.318
v ₁,v₄	0.428
v ₂,v₃	0.318
v ₂,v₄	0.557
v ₃,₄v	0.829

基于贝叶斯−斯坦科尔伯格博弈的SDN安全控制平面模型

Secure control plane for SDN using Bayesian Stackelberg games

在线阅读

pdf下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 12

参考文献 28

相关文章 15

Metrics

推荐阅读 0

[1]	张成磊, 付玉龙, 李晖, 曹进. 6G网络安全场景分析及安全模型研究[J]. 网络与信息安全学报, 2021, 7(1): 28-45.
[2]	吴奇,陈鸿昶. 低故障恢复开销的软件定义网络控制器布局算法[J]. 网络与信息安全学报, 2020, 6(6): 97-104.
[3]	杨路辉,白惠文,刘光杰,戴跃伟. 基于可分离卷积的轻量级恶意域名检测模型[J]. 网络与信息安全学报, 2020, 6(6): 112-120.
[4]	谢博,申国伟,郭春,周燕,于淼. 基于残差空洞卷积神经网络的网络安全实体识别方法[J]. 网络与信息安全学报, 2020, 6(5): 126-138.
[5]	李国春,马睿,马季春,李伯中,刘惠明,张桂玉. 广域网出口流量调度SDN部署研究[J]. 网络与信息安全学报, 2020, 6(5): 148-157.
[6]	张孟媛,袁钟怡. 美国网络安全审查制度发展、特点及启示[J]. 网络与信息安全学报, 2019, 5(6): 1-9.
[7]	黄伟, 路冉, 刘存才, 祁思博. 基于SDN分级分域架构的QoS约束路由算法[J]. 网络与信息安全学报, 2019, 5(5): 21-31.
[8]	王洋,汤光明,雷程,韩冬. 面向链路洪泛攻击的多维检测与动态防御方法[J]. 网络与信息安全学报, 2019, 5(4): 80-90.
[9]	贾春福,李瑞琪,田美琦,程晓阳. 信息安全与法学复合型人才培养模式[J]. 网络与信息安全学报, 2019, 5(3): 31-35.
[10]	秦玉海,刘禄源,高浩航,刘晟桥,董涵. 创新专业技能大赛铸就警界实践英才[J]. 网络与信息安全学报, 2019, 5(3): 75-80.
[11]	胡浩, 刘玉岭, 张玉臣, 张红旗. 基于攻击图的网络安全度量研究综述[J]. 网络与信息安全学报, 2018, 4(9): 1-16.
[12]	胡军台,武振宇,付晓,王逸超. 基于博弈的异构控制器云安全策略研究[J]. 网络与信息安全学报, 2018, 4(9): 52-59.
[13]	谭晶磊, 张红旗, 雷程, 刘小虎, 王硕. 面向SDN的移动目标防御技术研究进展[J]. 网络与信息安全学报, 2018, 4(7): 1-12.
[14]	燕昺昊,韩国栋. 基于深度循环神经网络和改进SMOTE算法的组合式入侵检测模型[J]. 网络与信息安全学报, 2018, 4(7): 48-59.
[15]	刘文彦,霍树民,仝青,张淼,齐超. 网络安全评估与分析模型研究[J]. 网络与信息安全学报, 2018, 4(4): 1-11.