基于贝叶斯−斯坦科尔伯格博弈的SDN安全控制平面模型

doi:10.11959/j.issn.2096-109x.2017.00211

网络与信息安全学报 ›› 2017, Vol. 3 ›› Issue (11): 40-49.doi: 10.11959/j.issn.2096-109x.2017.00211

基于贝叶斯−斯坦科尔伯格博弈的SDN安全控制平面模型

卢振平(),陈福才,程国振

国家数字交换系统工程技术研究中心，河南郑州 450002

修回日期:2017-09-20 出版日期:2017-11-01 发布日期:2017-11-30
作者简介:卢振平（1992-），男，河南商丘人，国家数字程控交换系统工程技术研究中心硕士生，主要研究方向为软件定义网络、网络先进防御。|陈福才（1974-），男，江西南昌人，硕士，国家数字程控交换系统工程技术研究中心研究员，主要研究方向为电信网关防、网络安全。|程国振（1986-），男，山东菏泽人，博士，国家数字程控交换系统工程技术研究中心助理研究员，主要研究方向为云数据中心、软件定义网络、网络安全。
基金资助:
国家自然科学基金创新群体基金资助项目(61521003);国家重点研发计划基金资助项目(2016YFB0800100);国家重点研发计划基金资助项目(2016YFB0800101);国家自然科学基金青年基金资助项目(61309020);国家自然科学基金青年基金资助项目(61602509)

Secure control plane for SDN using Bayesian Stackelberg games

Zhen-ping LU(),Fu-cai CHEN,Guo-zhen CHENG

National Digital Switching System Engineering＆Technological R＆D Center,Zhengzhou 450002,China

Revised:2017-09-20 Online:2017-11-01 Published:2017-11-30
Supported by:
The Foundation for Innovative Research Groups of the National Natural Science Foundation of China(61521003);The National Key R＆D Program of China(2016YFB0800100);The National Key R＆D Program of China(2016YFB0800101);The National Natu-ral Science Foundation of China(61309020);The National Natural Science Foundation of China(61602509)

摘要/Abstract

摘要：

提出一种基于动态异构冗余的安全控制平面，通过动态地变换异构的控制器以增加攻击者的难度。首先，提出基于贝叶斯?斯坦科尔伯格博弈模型的控制器动态调度方法，将攻击者和防御者作为博弈参与双方，求得均衡解，进而指导调度策略；其次，引入一种自清洗机制，与博弈策略结合形成闭环的防御机制，进一步地提高了控制层的安全增益；最后，实验定量地描述了基于该博弈策略的安全控制层相比与传统部署单个控制器以及采用随机策略调度控制器的收益增益，并且自清洗机制能够使控制平面一直处于较高的安全水平。

关键词: 软件定义网络, 网络安全, 贝叶斯?斯坦科尔伯格博弈, 控制器

Abstract:

A dynamic scheduling controller in SDN control layer was proposed by dynamically transform heteroge-neous controlled in order to increase the difficulty of the attacker.Firstly,a dynamic scheduling method based on Bayesian Stackelberg games the attacker and defender were game participation on both sides,obtained the equili-brium,which guided the scheduling strategy.Secondly,introducing a self-cleaning mechanism,it improved the gain of the control layer security combined with game strategy form closed-loop defense mechanism.The experiments described quantitatively based on the game strategy compared with traditional safety control layer to deploy a single controller and adopt the strategy of random scheduling profit gain of the controller,and self-cleaning mechanism could make the control plane to be in a higher level of security.

Key words: software defined networking, network security, Bayesian Stackelberg games, controller

中图分类号:

TP309

卢振平,陈福才,程国振. 基于贝叶斯−斯坦科尔伯格博弈的SDN安全控制平面模型[J]. 网络与信息安全学报, 2017, 3(11): 40-49.

Zhen-ping LU,Fu-cai CHEN,Guo-zhen CHENG. Secure control plane for SDN using Bayesian Stackelberg games[J]. Chinese Journal of Network and Information Security, 2017, 3(11): 40-49.

图/表 12

图1

图2

图3

图4

图5

图6

表1

变量说明"

符号	意义
t	攻击类型
l	防御策略
F^t	t的攻击策略集
a^t	攻击类型t的收益值
R^t	防御者在t的收益矩阵
C^t	攻击者在t的收益矩阵
p^t	攻击类型t的攻击可能性
$n_{f}^{t}$	攻击类型为t、策略为 f 的布尔值
C _lf	防御者策略l、攻击者策略 f 的收益
y	攻击策略分布
T	攻击类型集合
L	防御者纯策略集合
F	攻击纯策略集合
x	防御者策略分布

表1

表2

表3

表4

表5

表6

参考文献 28

[1]	KREUTZ D , RAMOS F M V , VERISSIMO P . Towards secure and dependable software-defined networks[C]// ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking. 2013:55-60.
[2]	SHIN S , SONG Y , LEE T , et al. Rosemary:a robust,secure,and high-performance network operating system[C]// ACM Conference on Computer and Communications Security. 2014:78-89.
[3]	LENG J , ZHOU Y , ZHANG J , et al. An inference attack model for flow table capacity and usage:exploiting the vulnerability of flow table overflow in software-defined network[J]. Water Air ＆ Soil Pollution, 2015,85(3): 1413-1418.
[4]	SONCHACK J , AVIV A J , KELLER E . Timing SDN control planes to infer network configurations[C]// ACM International Workshop on Security in Software Defined Networks ＆ Network Function Virtualization. 2016.
[5]	LEE S , YOON C , SHIN S . The smaller,the shrewder:a simple malicious application can kill an entire SDN environment[C]// ACM International Workshop on Security in Software Defined Networks＆ Network Function Virtualization. 2016.
[6]	MORZHOV S , ALEKSEEV I , NIKITINSKIY M . Firewall applica-tion for Floodlight SDN controller[C]// The International Siberian Conference on Control and Communications. 2016.
[7]	SHIN S , SNOS Y , LEE T , et al. Rosemary:a robust,secure,and high-performance network operating system[J]. 2014: 78-89.
[8]	TOOTOONCHIAN A , GANJALI Y . HyperFlow:a distributed control plane for OpenFlow[C]// Internet Network Management Conference on Research on Enterprise Networking. 2010:3.
[9]	SHERWOOD R , GIBB G , YAP K K , et al. FlowVisor:a network virtualization layer[J]. 2009.
[10]	YEGANEH S H , GANJALI Y . Kandoo:a framework for efficient and scalable offloading of control applications[C]// The Workshop on Hot Topics in Software Defined Networks. 2012:19-24.
[11]	KOPONEN T , CASADO M , GUDE N , et al. Onix:a distributed control platform for large-scale production networks[C]// Usenix Symposium on Operating Systems Design and Implementa-tion(OSDI 2010). 2010:351-364.
[12]	DIXIT A , FANG H , MUKHERJEE S , et al. Towards an elastic distributed SDN controller[C]// The 1st Workshop on Hot Topics in Software Defined Networking (HotSDN 2013). 2013:7-12.
[13]	BERDE P , GEROLA M ,and HART J , et al. ONOS:towards an open,distributed SDN OS[C]// The Workshop on Hot Topics in Software Defined Networking. 2014:1-6.
[14]	LI H , LI P , GUO S , et al. Byzantine-resilient secure software-defined networks with multiple controllers in cloud[C]// 2014 IEEE International Conference on Communications (ICC 2014). 2014:695-700.
[15]	ELDEFRAWY K , KACZMAREK T . Byzantine fault tolerant soft-ware-defined networking (SDN) controllers[C]// IEEE Computer Society International Conference on Computers,Software ＆ Ap-plications. 2016:208-213.
[16]	LEE C , SHIN S . SHIELD:an automated framework for static analysis of SDN applications[C]// ACM International Workshop on Security in Software Defined Networks ＆ Network Function Virtu-alization. 2016:29-34.
[17]	WILCZEWSKI . Security considerations for equipment controllers and SDN[C]// 2016 IEEE International Telecommunications Energy Conference (INTELEC). 2016:1-5.
[18]	AHMAD I , NAMAL S , YLIANTTILA M , et al. Security in soft-ware defined networks:a survey[J]. IEEE Communications Sur-veys ＆ Tutorials, 2015,17(4): 1.
[19]	PORRAS P , SHIN S , YEGNESWARAN V , et al. A security en-forcement kernel for OpenFlow networks[C]// The First Workshop on Hot Topics in Software Defined Networks. 2012:121-126.
[20]	SONCHACK J , AVIV A J , KELLER E , et al. Enabling practical software-defined networking security applications with OFX[C]// Network and Distributed System Security Symposium. 2016.
[21]	MEDVED J , VARGA R , TKACIK A , et al. OpenDaylight:towards a model-driven SDN controller architecture[C]// IEEE International Symposium on World of Wireless,Mobile and Multimedia Net-works. 2014:1-6.
[22]	WANG T , LIU F , GUO J , et al. Dynamic SDN controller assign-ment in data center networks:Stable matching with transfers[C]// IEEE Conference on Computer Communications. 2016:1-9.
[23]	LU Z P , CHEN F C , et al. Poster:a secure control plane with dynamic multi-NOS for SDN[C]// NDSS Posters. 2017.
[24]	LEE S , YOON C . DELTA:a security assessment framework for software-defined networks[C]// Network and Distributed System Security Symposium. 2017.
[25]	KIEKINTVELD C , MARECKI J , TAMBE M . Approximation methods for infinite bayesian stackelberg games:Modeling distri-butional payoff uncertainty[C]// The 10th International Conference on Autonomous Agents and Multiagent Systems. 2011:1005-1012.
[26]	PARUCHURI P , PEARCE J P . Playing games for security:an efficient exact algorithm for solving bayesian stackelberg games[C]// The 7th International Joint Conference on Autonomous Agents and Multiagent Systems (AAMAS'08). 2008:985-902.
	DAVID Jorm. 44CON LONDON 2015 Presentations[EB/OL]. .
[28]	PITA J , JAIN M , TAMBE M , et al. Robust solutions to stackelberg games:addressing bounded rationality and limited observations in human cognition[J]. Artificial Intelligence, 2010,174(15): 1142-1171.

策略		攻防收益
策略	Ryu	ODL	ONOS	Floodlight
A₁	?2,6	5,?8	5,?8	2,?6
A₂	?5,5	2,?6	?2,6	5,?8
A₃	5,?2	?10,10	?10,10	5,?2
A₄	?10,10	5,?2	5,?2	?10,10
A₅:A₁＆A₃	?8,8	?4,8	2,6	8,?8
A₆:A₂＆A₃	?4,8	?8,8	8,?8	2,6
A₇:A1＆A₄	2,6	8,?8	?8,8	?4,8
A₈:A2＆A₄	8,?8	2,6	?4,8	?8,8
A₉：无	0,0	0,0	0,0	0,0

攻击类型	攻击能力	攻击概率
黑客1	A₁,A₂,A₉	0.5
黑客2	A₁,A₃,A₅,A₉	0.2
黑客3	所有	0.1
黑客4	A₁,A₂,A₃,A₄,A₉	0.2

概率分布	随机策略的收益	博弈均衡策略的收益	收益增益
0,0,1	?2.5	?0.85	1.65
0,0.2,0.8	?2	?0.54	1.46
0,0.4,0.6	?1.5	?0.15	1.35
0,0.6,0.4	?1	0.22	1.22
0,0.8,0.2	?0.5	0.61	1.11
0,1,0	0	1	1
0.2,0,0.8	?2.5	?0.7	1.8
0.2,0.2,0.6	?2	?0.48	1.52
0.2,0.4,0.4	?1.5	?0.27	1.23
0.2,0.6,0.2	?1	0.05	1.05
0.2,0.8,0	?0.5	0.53	1.03
0.4,0,0.6	?2.5	?0.32	2.18
0.4,0.2,0.4	?2	?0.1	2.1
0.4,0.4,0.2	?1.5	0.11	1.61
0.4,0.6,0	?1	1	2
0.6,0,0.4	?2.5	0.06	2.56
0.6,0.2,0.2	?2	0.57	2.57
0.6,0.4,0	?1.5	1.5	3
0.8,0,0.2	?2.5	1.07	3.07
0.8,0.2,0	?2	2	4
1,0,0	?2.5	2.5	5

解决一个漏洞	收益更新
ν₁	?0.768
ν₂	?0.493
ν₃	0.318
ν₄	0.543

解决2个漏洞	收益更新
v ₁,v₂	?0.757
v ₁,v₃	0.318
v ₁,v₄	0.428
v ₂,v₃	0.318
v ₂,v₄	0.557
v ₃,₄v	0.829

基于贝叶斯−斯坦科尔伯格博弈的SDN安全控制平面模型

Secure control plane for SDN using Bayesian Stackelberg games

在线阅读

pdf下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 12

参考文献 28

相关文章 15

Metrics

推荐阅读 0

[1]	王贺立, 闫巧. 基于交易记录特征的自私挖矿检测方案[J]. 网络与信息安全学报, 2023, 9(2): 104-114.
[2]	陈训逊, 李明哲, 吕宁, 黄亮. 内禀安全：网络安全能力体系化构建方法[J]. 网络与信息安全学报, 2023, 9(1): 92-102.
[3]	李东, 郝艳妮, 彭升辉, 訾瑞杰, 刘西蒙. 国家自然科学基金委员会网络安全现状与展望[J]. 网络与信息安全学报, 2022, 8(6): 92-101.
[4]	邢福康, 张铮, 隋然, 曲晟, 季新生. 面向进程多变体软件系统的攻击面定性建模分析[J]. 网络与信息安全学报, 2022, 8(5): 121-128.
[5]	王泽南, 李佳浩, 檀朝红, 皮德常. 面向网络安全资源池的智能服务链系统设计与分析[J]. 网络与信息安全学报, 2022, 8(4): 175-181.
[6]	唐士杰, 袁方, 李俊, 丁勇, 王会勇. 工业控制系统关键组件安全风险综述[J]. 网络与信息安全学报, 2022, 8(3): 1-17.
[7]	王馨雅, 华光, 江昊, 张海剑. 深度学习模型的版权保护研究综述[J]. 网络与信息安全学报, 2022, 8(2): 1-14.
[8]	王洋, 汤光明, 王硕, 楚江. 基于API调用管理的SDN应用层DDoS攻击防御机制[J]. 网络与信息安全学报, 2022, 8(2): 73-87.
[9]	何威振, 陈福才, 牛杰, 谭晶磊, 霍树民, 程国振. 面向网络层的动态跳变技术研究进展[J]. 网络与信息安全学报, 2021, 7(6): 44-55.
[10]	邱洁, 韩瑞, 魏志丰, 王志洋. 网络空间公共基础设施体系及安全策略研究[J]. 网络与信息安全学报, 2021, 7(6): 56-67.
[11]	王硕, 柏军, 王佰玲, 张旭, 刘红日. 基于时间压缩的流量加速回放方法[J]. 网络与信息安全学报, 2021, 7(5): 178-188.
[12]	赵昊, 舒辉, 康绯, 邢颖. 基于智能合约的高对抗性僵尸网络研究[J]. 网络与信息安全学报, 2021, 7(4): 30-41.
[13]	陈浩宇, 邹德清, 金海. 面向SDN/NFV环境的网络功能策略验证[J]. 网络与信息安全学报, 2021, 7(3): 59-71.
[14]	王涛, 陈鸿昶. 考虑拜占庭属性的SDN安全控制器多目标优化部署方案[J]. 网络与信息安全学报, 2021, 7(3): 72-84.
[15]	赵普, 赵文涛, 付章杰, 刘强. 基于Renyi熵的SDN自主防护系统[J]. 网络与信息安全学报, 2021, 7(3): 85-94.