SDN中基于历史信息的负反馈调度算法

doi:10.11959/j.issn.2096-109x.2018047

网络与信息安全学报 ›› 2018, Vol. 4 ›› Issue (6): 45-51.doi: 10.11959/j.issn.2096-109x.2018047

SDN中基于历史信息的负反馈调度算法

吕迎迎,郭云飞,王禛鹏,程国振,王亚文

国家数字交换系统工程技术研究中心，河南郑州 450002

修回日期:2018-05-17 出版日期:2018-06-01 发布日期:2018-08-08
作者简介:吕迎迎（1993-），男，江西进贤人，国家数字交换系统工程技术研究中心硕士生，主要研究方向为网络空间安全和软件定义网络。|郭云飞（1963-），男，河南郑州人，国家数字交换系统工程技术研究中心教授、博士生导师，主要研究方向为网络空间安全、云安全和电信网安全。|王禛鹏（1993-），男，湖北黄冈人，国家数字交换系统工程技术研究中心硕士生，主要研究方向为拟态安全防御和网络空间安全。|程国振（1986-），男，山东定陶人，国家数字交换系统工程技术研究中心助理研究员，主要研究方向为网络空间安全和软件定义网络。|王亚文（1990-），男，河南郑州人，国家数字交换系统工程技术研究中心博士生，主要研究方向为云计算、入侵容忍和网络空间安全。
基金资助:
国家自然科学基金创新研究群体基金资助项目(61521003);国家重点研发计划基金资助项目(2016YFB0800100);国家重点研发计划基金资助项目(2016YFB0800101);河南省科技攻关计划基金资助项目(172102210615);国家自然科学基金资助项目(61602509)

Negative feedback scheduling algorithm based on historical information in SDN

Yingying LYU,Yunfei GUO,Zhenpeng WANG,Guozhen CHENG,Yawen WANG

National Digital Switching System Engineering ＆Technological R＆D Center,Zhengzhou 450002,China

Revised:2018-05-17 Online:2018-06-01 Published:2018-08-08
Supported by:
The Foundation for Innovative Research Groups of the National Natural Science Foundation of China(61521003);The National Key R＆D Program of China(2016YFB0800100);The National Key R＆D Program of China(2016YFB0800101);The National Science Foundation of China(61602509)

摘要/Abstract

摘要：

在当前SDN架构中，控制器遭受着很多潜在的攻击，如恶意流规则等可能会引入虚假的流规则使主机混乱。基以此，提出一种基于历史信息的负反馈调度算法，利用假设检验对攻击者的行为进行判断，并将此作为调度的依据。仿真实验结果和分析表明，相比于传统调度方法，所提算法在一定程度上可以增加攻击者的时间成本，从而有效防御攻击者的探测攻击，而且控制器种类越多，系统越难被攻破。

关键词: 动态异构冗余, 负反馈, 主动防御

Abstract:

In the current SDN architecture,the controllers suffer from lots of potential attacks.For example,malicious flow rule attacks may introduce fake flow rules to confuse the host.A negative feedback scheduling algorithm based on historical information was proposed,in which hypothesis testing was used to judge the behavior of the attacker and the result will be used as a basis for scheduling.Simulation results and analysis show that,compared with the traditional scheduling methods,the proposed algorithm can increase the attacker’s time cost to a certain extent,so as to effectively defend the attacker’s probe attack.In addition,the more types of controllers,the more difficult it is to break the system.

Key words: dynamic heterogeneous redundancy, negative feedback, active defense

中图分类号:

TP393

吕迎迎,郭云飞,王禛鹏,程国振,王亚文. SDN中基于历史信息的负反馈调度算法[J]. 网络与信息安全学报, 2018, 4(6): 45-51.

Yingying LYU,Yunfei GUO,Zhenpeng WANG,Guozhen CHENG,Yawen WANG. Negative feedback scheduling algorithm based on historical information in SDN[J]. Chinese Journal of Network and Information Security, 2018, 4(6): 45-51.

图/表 6

图1

图2

表1

图

图4

图5

参考文献 21

[1]	仝青, 张铮, 邬江兴 . 基于软硬件多样性的主动防御技术[J]. 信息安全学报, 2017,2(1): 1-12.
	TONG Q , ZHANG Z , WU J X . Active defense technology based on hardware and software’s diversity[J]. Journal of Cyber Security, 2017,2(1): 1-12.
[2]	PICEK S , HEMBERG E , O'REILLY U M . If you can't measure it,you can't improve it:moving target defense metrics[C]// The Workshop on Moving Target Defense. 2017: 115-118.
[3]	ADELSBACH A , ALESSANDRI D , CACHIN C ,et al. Conceptual model and architecture of MAFTIA[R]. 2003.
[4]	KEWLEY D L , BOUCHARD J F . Darpa information assurance program dynamic defense experiment summary[J]. IEEE Transactions on Systems,Man,and Cybernetics-Part A:Systems and Humans, 2001,31(4): 331-336.
[5]	邬江兴 . 网络空间拟态防御研究[J]. 信息安全学报, 2016,1(4): 1-10.
	WU J X . Research on cyber mimic defense[J]. Journal of Cyber Security, 2016,1(4): 1-10.
[6]	DESWARTE Y , BLAIN L , FABRE J C . Intrusion tolerance in distributed computing systems[C]// Intrusion Tolerance in Distributed Computing Systems. 2001: 110-121.
[7]	JAJODIA S , GHOSH A K , SWARUP V ,et al. Moving target defense:creating asymmetric uncertainty for cyber threats[J]. Springer Ebooks, 2011,54.
[8]	邬江兴 . 拟态计算与拟态安全防御的原意和愿景[J]. 电信科学, 2014,30(7): 1-7.
	WU J X . Meaning and vision of mimic computing and mimic security defense[J]. Telecommunications Science, 2014,30(7): 1-7.
[9]	JAFARIAN J H , AL-SHAER E , DUAN Q . Adversary-aware IP address randomization for proactive agility against sophisticated attackers[C]// Computer Communications. 2015: 738-746.
[10]	PORRAS P , SHIN S , YEGNESWARAN V ,et al. A security enforcement kernel for Open Flow networks[C]// The First Workshop on Hot Topics in Software Defined Networks. 2012: 121-126.
[11]	CHEUNG S , FONG M , PORRAS P ,et al. Securing the software-defined network control layer[C]// The 2015 Network and Distributed System Security Symposium. 2015.
[12]	FERGUSON A D , GUHA A , LIANG C ,et al. Participatory networking:an API for application control of SDNs[C]// The ACM SIGCOMM 2013 Conference on SIGCOMM. 2013: 327-338.
[13]	SHIN S , SONG Y , LEE T ,et al. Rosemary:a robust,secure,and high-performance network operating system[C]// The 2014 ACM SIGSAC Conference on Computer and Communications Security. 2014: 78-89.
[14]	SHIN S , PORRAS P , YEGNESWARAN V ,et al. FRESCO:modular composable security services for software defined networks[J]. The Network ＆ Distributed Security Symposium, 2013(2): 1-16.
[15]	SHIN S , GU G . Attacking software-defrned networks :a first feasibility study[C]// ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking. 2013: 165-166.
[16]	BERDE P , HART J , HART J ,et al. ONOS:towards an open,distributed SDN OS[C]// The Workshop on Hot Topics in Software Defined Networking. 2014: 1-6.
[17]	LAMPORT L , FISCHER M . Byzantine generals and transaction commit protocols[R]. Computer Science Laboratory Sri International OP, 1982.
[18]	HU H , WANG Z , CHENG G ,et al. MNOS:a mimic network operating system for software defined networks[J]. Iet Information Security, 2017,11(6): 345-355.
[19]	QI C , WU J , HU H ,et al. An intensive security architecture with multi-controller for SDN[C]// Computer Communications Workshops. 2016: 401-402.
[20]	QI C , WU J , CHENG G ,et al. An aware-scheduling security architecture with priority-equal multi-controller for SDN[J]. China Communications, 2017,14(9): 144-154.
[21]	PEARSON K . On the criterion that a given system of deviations from the probable in the case of a correlated system of variables is such that it can be reasonably supposed to have arisen from random sampling[M]. Breakthroughs in Statistics. New York: Springer, 1992: 157-175.

编号	NOS类型	探测次数
1	Floodlight	χ₁
2	Ryu	χ₂
…	…	…
k	ONOS	χ_k
…	…	…
n	OpenDaylight	χ_n

SDN中基于历史信息的负反馈调度算法

Negative feedback scheduling algorithm based on historical information in SDN

在线阅读

pdf下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 6

参考文献 21

相关文章 2

Metrics

推荐阅读 0

[1]	杨德全,刘卫民,俞宙. 基于蜜罐的主动防御应用研究[J]. 网络与信息安全学报, 2018, 4(1): 57-62.
[2]	王禛鹏,扈红超,程国振,张传浩. 软件定义网络下的拟态防御实现架构[J]. 网络与信息安全学报, 2017, 3(10): 52-61.