异构容错控制平面的安全性分析

doi:10.11959/j.issn.2096-109x.2018095

网络与信息安全学报 ›› 2018, Vol. 4 ›› Issue (11): 32-39.doi: 10.11959/j.issn.2096-109x.2018095

异构容错控制平面的安全性分析

吴奇,陈鸿昶,陈福才

国家数字交换系统工程技术研究中心，河南郑州 450001

修回日期:2018-10-20 出版日期:2018-11-01 发布日期:2019-01-03
作者简介:吴奇（1991-），男，江苏徐州人，国家数字交换系统工程技术研究中心博士生，主要研究方向为网络安全。|陈鸿昶（1964-），男，河南郑州人，国家数字交换系统工程技术研究中心研究员、博士生导师，主要研究方向为网络安全方向、大数据。|陈福才（1974-），男，江西高安人，国家数字交换系统工程技术研究中心研究员、硕士生导师，主要研究方向为网络安全方向、大数据。
基金资助:
国家重点研发计划资金资助项目(2016YFB0800101);国家自然科学创新群体基金资助项目(61521003)

Security analysis in heterogeneous fault-tolerant control plane

Qi WU,Hongchang CHEN,Fucai CHEN

National Digital Switching System Engineering and Technological R＆D Center,Zhengzhou 450001,China

Revised:2018-10-20 Online:2018-11-01 Published:2019-01-03
Supported by:
The National Key R＆D Program of China(2016YFB0800101)

摘要/Abstract

摘要：

随着软件定义网络的大规模应用，软件定义网络的安全性显得愈发重要。基于异构思想的容错控制平面作为一种重要的防御思路，近年来越来越引起研究者的注意。但是现有容错控制平面的研究中忽视了异构原件中的同构漏洞问题，这大大降低了容错控制架构对软件定义网络的安全收益。从异构原件中的同构漏洞出发，首先分析了同构漏洞对控制平面的安全影响，然后以此为基础对容错控制平面的容忍能力进行量化，构造出一个最大化容忍能力的控制平面布局方法。实验仿真证明了所提方法可以有效降低控制平面的故障概率，攻击者在对基于所提方法构造的控制平面进行攻击时，需要花费更多的攻击成本才可以瘫痪控制平面。

关键词: 软件定义网络, 同构漏洞, 异构控制器, 容忍能力

Abstract:

With the large-scale application of software-defined networks,the security of software-defined networks becomes more and more important.As an important defense idea,the fault-tolerant control plane based on heterogeneity has attracted more and more researchers' attention in recent years.However,the existing researches ignore the problem of common vulnerability in heterogeneous variants,which greatly reduces the security benefits of the fault-tolerant control architecture for software-defined networks.Addressing this problem,the common vulnerability was taken in heterogeneous variants into considerations.First,the tolerance capability of the fault-tolerant control plane was quantified.Then a control plane deployment method was constructed which was able to maximize the tolerance capability.The simulations show that the proposed method can effectively reduce the failure probability of the control plane.When the attackers attack the control plane constructed based on the proposed method,they pay more attack cost to compromise the control plane.

Key words: software-defined network, common vulnerability, heterogeneous variant, tolerance capability

中图分类号:

TP393

吴奇,陈鸿昶,陈福才. 异构容错控制平面的安全性分析[J]. 网络与信息安全学报, 2018, 4(11): 32-39.

Qi WU,Hongchang CHEN,Fucai CHEN. Security analysis in heterogeneous fault-tolerant control plane[J]. Chinese Journal of Network and Information Security, 2018, 4(11): 32-39.

图/表 5

图1

图2

表1

图3

图4

参考文献 21

[1]	SCOTT-HAYWARD S , NATARAJAN S , SEZER S . A survey of security in software defined networks[J]. IEEE Communications Surveys ＆ Tutorials, 2016,18(1): 623-654.
[2]	PORRAS P , SHIN S , YEGNESWARAN V ,et al. A security enforcement kernel for OpenFlow networks[C]// International Workshop on Hot Topics in Software Defined Networks. ACM, 2012: 121-126.
[3]	SHIN S , SONG Y , LEE T ,et al. Rosemary:a robust,secure,and high-performance network operating system[C]// Conference on Computer and Communications Security. ACM, 2014: 78-89.
[4]	YEGANEH S H , GANJALI Y . Kandoo:a framework for efficient and scalable offloading of control applications[C]// The Workshop on Hot Topics in Software Defined Networks. ACM, 2012: 19-24.
[5]	JIN X , GOSSELS J , Rexford J ,et al. CoVisor:a compositional hypervisor for software-defined networks[C]// Usenix Conference on Networked Systems Design and Implementation. USENIX Association, 2015: 87-101.
[6]	LENG J , ZHOU Y , ZHANG J ,et al. An inference attack model for flow table capacity and usage:exploiting the vulnerability of flow table overflow in software-defined network[J]. Water Air ＆ Soil Pollution, 2015,85(3): 1413-1418.
[7]	卢振平, 陈福才, 程国振 . 软件定义网络中控制器调度时间机制设计与实现[J]. 网络与信息安全学报, 2018(1): 36-44.
	LU Z P , CHEN F C , CHENG G Z . Design and implementation of the controller scheduling-time in SDN[J]. Chinese Journal of Network and Information Security, 2018(1): 36-44.
[8]	[EB/OL].
[9]	YOON C , LEE S , KANG H ,et al. Flow wars:systemizing the attack surface and defenses in software-defined networks[J]. IEEE/ACM Transactions on Networking, 2017,(99): 1-17.
[10]	GUDE N , KOPONEN T , PETTIT J ,et al. NOX:towards an operating system for networks[J]. ACM Sigcomm Computer Communication Review, 2008,38(3): 105-110.
[11]	Floodlight documentation[EB/OL].
[12]	CHEUNG S , FONG M , PORRAS P ,et al. Securing the software-defined network control layer[C]// Proceedings of the Network and Distributed System Security Symposium, 2015.
[13]	FERGUSON A D , GUHA A , LIANG C ,et al. Participatory networking:an API for application control of SDNs[C]// ACM SIGCOMM. 2013: 327-338.
[14]	KOPONEN T , CASADO M , GUDE N ,et al. Onix:a distributed control platform for large-scale production networks[C]// Usenix Conference on Operating Systems Design and Implementation. 2010: 351-364.
[15]	MEDVED J , VARGA R , TKACIK A ,et al. OpenDaylight:towards a model-driven SDN controller architecture[C]// IEEE,International Symposium on a World of Wireless,Mobile and Multimedia Networks. IEEE, 2014: 1-6.
[16]	BERDE P , HART J , HART J ,et al. ONOS:towards an open,distributed SDN OS[C]// The Work-shop on Hot Topics in Software Defined Networking. ACM, 2014: 1-6.
[17]	Castro M , Liskov B . Practical byzantine fault tolerance and proactive recovery[J]. ACM Transactions on Computer Systems, 2002,20(4): 398-461.
[18]	BOTELHO F , BESSANI A , RAMOS F M V ,et al. On the design of practical fault-tolerant SDN controllers[C]// . European Workshop on Software-Defined Networks, 2014: 73-78.
[19]	Li H , Li P , Guo S ,et al. Byzantine-resilient secure software-defined networks with multiple controllers[J]. IEEE Transactions on Cloud Computing, 2015,2(4): 436-447.
[20]	王禛鹏, 扈红超, 程国振 ,等. 软件定义网络下的拟态防御实现架构[J]. 网络与信息安全学报, 2017,3(10): 52-61.
	WANG Z P , HU H C , CHENG G Z ,et al. Implementation architecture of mimic security defense based on SDN[J]. Chinese Journal of Network and Information Security, 2017,3(10): 52-61.
[21]	KELLER E ,et al. Timing-based reconnaissance and defense in software-defined networks[C]// Conference on Computer Security Applications. ACM, 2016: 89-100.

	OB	NB	FB	W03	W08	W12	UB	DE	RE	SO	OS
OB	149	45	58	2	1	0	3	2	10	13	1
NB	45	139	56	1	1	0	0	4	8	16	0
FB	58	56	254	3	2	0	6	9	22	22	0
W03	2	1	3	412	344	85	0	0	1	7	0
W08	1	1	2	344	846	385	0	0	0	0	0
W12	0	0	0	85	385	467	0	0	0	0	0
UB	3	0	6	0	0	0	840	909	176	86	1
DE	2	4	9	0	0	0	303	995	220	76	1
RE	10	8	22	1	0	0	179	220	1518	69	1
SO	13	16	22	7	0	0	86	73	69	365	27
OS	1	0	0	0	0	0	1	1	1	57	100

异构容错控制平面的安全性分析

Security analysis in heterogeneous fault-tolerant control plane

在线阅读

pdf下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 5

参考文献 21

相关文章 15

Metrics

推荐阅读 0

[1]	王泽南, 李佳浩, 檀朝红, 皮德常. 面向网络安全资源池的智能服务链系统设计与分析[J]. 网络与信息安全学报, 2022, 8(4): 175-181.
[2]	王洋, 汤光明, 王硕, 楚江. 基于API调用管理的SDN应用层DDoS攻击防御机制[J]. 网络与信息安全学报, 2022, 8(2): 73-87.
[3]	何威振, 陈福才, 牛杰, 谭晶磊, 霍树民, 程国振. 面向网络层的动态跳变技术研究进展[J]. 网络与信息安全学报, 2021, 7(6): 44-55.
[4]	陈浩宇, 邹德清, 金海. 面向SDN/NFV环境的网络功能策略验证[J]. 网络与信息安全学报, 2021, 7(3): 59-71.
[5]	王涛, 陈鸿昶. 考虑拜占庭属性的SDN安全控制器多目标优化部署方案[J]. 网络与信息安全学报, 2021, 7(3): 72-84.
[6]	赵普, 赵文涛, 付章杰, 刘强. 基于Renyi熵的SDN自主防护系统[J]. 网络与信息安全学报, 2021, 7(3): 85-94.
[7]	吴奇,陈鸿昶. 低故障恢复开销的软件定义网络控制器布局算法[J]. 网络与信息安全学报, 2020, 6(6): 97-104.
[8]	李国春,马睿,马季春,李伯中,刘惠明,张桂玉. 广域网出口流量调度SDN部署研究[J]. 网络与信息安全学报, 2020, 6(5): 148-157.
[9]	黄伟, 路冉, 刘存才, 祁思博. 基于SDN分级分域架构的QoS约束路由算法[J]. 网络与信息安全学报, 2019, 5(5): 21-31.
[10]	王洋,汤光明,雷程,韩冬. 面向链路洪泛攻击的多维检测与动态防御方法[J]. 网络与信息安全学报, 2019, 5(4): 80-90.
[11]	谭晶磊, 张红旗, 雷程, 刘小虎, 王硕. 面向SDN的移动目标防御技术研究进展[J]. 网络与信息安全学报, 2018, 4(7): 1-12.
[12]	郭中孚, 张兴明, 赵博, 王苏南. 软件定义网络数据平面安全综述[J]. 网络与信息安全学报, 2018, 4(11): 1-12.
[13]	卢振平,陈福才,程国振. 软件定义网络中控制器调度时间机制设计与实现[J]. 网络与信息安全学报, 2018, 4(1): 36-44.
[14]	施江勇,杨岳湘,李文华,王森. 基于SDN的云安全应用研究综述[J]. 网络与信息安全学报, 2017, 3(5): 10-25.
[15]	卢振平,陈福才,程国振. 基于贝叶斯−斯坦科尔伯格博弈的SDN安全控制平面模型[J]. 网络与信息安全学报, 2017, 3(11): 40-49.