Chinese Journal of Network and Information Security ›› 2017, Vol. 3 ›› Issue (5): 10-25. doi: 10.11959/j.issn.2096-109x.2017.00165
Jiang-yong SHI, Yue-xiang YANG, Wen-hua LI, Sen WANG
Revised: 2017-04-24
Online: 2017-05-01
Published: 2017-05-13
About the authors:
SHI Jiang-yong (born 1990), male, from Yueyang, Hunan; Ph.D. candidate at the National University of Defense Technology; main research interests: virtualization and SDN security.
YANG Yue-xiang (born 1965), male, from Yueyang, Hunan; research fellow and doctoral supervisor at the National University of Defense Technology; main research interests: network security, cloud security and mobile security.
LI Wen-hua (born 1983), male, from Zhoukou, Henan; engineer at the National University of Defense Technology; main research interests: cloud computing and data center management.
WANG Sen (born 1995), male, from Xianyang, Shaanxi; undergraduate student at the National University of Defense Technology; main research interest: information modeling and processing.
Abstract:
Software defined networking (SDN) decouples the control plane from the data plane of traditional networks, making the network programmable and greatly simplifying the development of network applications. This paper gives a comprehensive analysis of SDN-based cloud security applications: the applications are first classified, and then, for each class, the related work is traced along its line of development, its advantages and disadvantages are analyzed, and the results are summarized. In addition, to address the problem that current cloud security service models are immature and cannot be integrated organically with computing and network services, an SDN-based cloud security service model, SDCSec, is proposed. Finally, future directions for SDN-based cloud security applications are discussed.
Jiang-yong SHI, Yue-xiang YANG, Wen-hua LI, Sen WANG. Research on SDN-based cloud security application[J]. Chinese Journal of Network and Information Security, 2017, 3(5): 10-25.
Table 3 SDN-based IDS/IPS applications
| IDS/IPS application | Type | Advantages | Disadvantages |
|---|---|---|---|
| NICE | IPS | Integrated detection and protection | Cannot detect external attacks |
| SnortFlow | IDS | Low overhead | No response measures |
| SDNIPS | IPS | Integrated detection and protection | Cannot detect advanced threats |
| Security with SDN | IPS | Integrated detection and protection | No scalability |
| ScalableIDS | IDS | Load balancing based on traffic classification | No response measures |
| Multiple IDS | IDS | Load balancing based on flow grouping | No response measures |
| Sampling for IDS | IDS | Introduces sampling to reduce overhead | Sampling-rate computation incurs some delay |
| VMI-IDS | IDS | Fine-grained; can detect down to the process level | No response measures |
| SDNSec | IDS | Combines the respective advantages of VMI and IDS | No concrete implementation |
Table 4 SDN-based anomaly detection applications
| Anomaly detection application | Detection type | Advantages | Disadvantages |
|---|---|---|---|
| Revisiting | TCP flood, UDP flood | Flexible, fast, accurate | Has a performance bottleneck |
| OpenFlow-sFlow | Port scanning, DDoS and worms | Priority and whitelist mechanisms | Cannot detect advanced threats |
| ADM | Port scanning, zombie hosts | Network isolation, fine-grained | Lacks dynamic adjustment |
| Security with SDN | Network scanning and DDoS attacks | Simple to implement | Fixed query interval; efficiency not high enough |
| OpenTAD | Alpha anomalies, flash crowds, DDoS, ingress/egress shift anomalies | Simple and effective; anomalous traffic is isolated quickly | Extracted traffic features are relatively limited |
| OpenWatch, AdaptCount | Flash crowds, wavelet anomalies | Dynamically adjusts the granularity of traffic monitoring; low overhead | Cannot detect application-layer anomalous traffic |
Table 5 SDN-based network monitoring applications
| Network monitoring application | Specific purpose | Advantages | Disadvantages |
|---|---|---|---|
| CloudWatcher, NetSecVisor | Unified management of security devices and security policies | Rich routing-selection algorithms; convenient scripting language | Does not consider the load and latency of different paths, nor route selection and planning when multiple devices operate simultaneously |
| FlowSense | Estimating network link utilization | Low overhead | Insufficient accuracy |
| Payless | Abstract monitoring layer that exposes APIs for application development | Adaptive polling; high accuracy | Sampling-adjustment algorithm is easily deceived |
| OrchSec | Abstract monitoring layer for security application development | Combines sFlow; efficient | Requires additional hardware |
| OpenTM | Generates traffic matrices for offline use | Periodic polling of flow statistics | No support for measuring packet loss rate and latency |
| OpenNetMon | Measures network throughput, packet loss rate and latency | Adaptive polling; low overhead; high accuracy | Focuses on performance monitoring; lacks security monitoring |
| OF-ping | Measures latency | Low overhead | Results are biased |
| SDM | Application-layer protocol analysis | With a hardware accelerator it can handle traffic of up to 100 Gbit/s | Lacks centralized control; hardware resources limit application development |
Table 6 SDN application development environments
| Development environment | Type | Characteristics |
|---|---|---|
| FlowVisor | Network hypervisor | Virtualizes network resources with flexible partitioning and effective isolation; the network address space cannot be shared between tenants |
| OpenVirtex | Network hypervisor | Tenants can manage their own network resources |
| FRESCO | Development framework | Modules are developed in a scripting language |
| NETSECVISOR | Development framework | Efficient path planning |
| Frenetic | SDN programming language | SQL-like; abstracts the low-level controller instructions through a runtime |
| Pyretic | SDN programming language | Java-like; applications can run on different controllers without modification |
| NetCore | SDN programming language | Translates security policies written in a high-level language into low-level flow tables |
| FML, Nettle, Procera | SDN programming language | Reactive; only suitable for specific application scenarios |
Table 7 SDN flow sampling methods
| Sampling method | Implementation approach | Disadvantages |
|---|---|---|
| FleXam | Extends the OpenFlow protocol with a sampling action | Some impact on switch performance |
| Wildcard Sampling | Adds a sampling request message and action | Places certain demands on the switch's own performance |
| OpenSample | Combines sFlow sampling | Limited to packet-rate estimation |
| OpenNetMon, OpenWatch, AdaptCount | Adaptive querying: adjusts the granularity of flow-table queries according to the rate of change | Useful for traffic engineering; lacks adaptability for security applications |
| Adaptive Sampling | Sets different sampling intervals based on flow classification | Lacks analysis of the sampled data |
| Sample&Pick | Two-step sampling that lowers the sampling rate and the switch's memory overhead | The first sampling step is too simple and may miss many attack packets |
| Sampling for IDS | Turns malicious-traffic sampling into an optimization problem that minimizes the failure rate of capturing malicious flows | Depends on the known rate of malicious flows; sampling-rate updates incur some delay |