Chinese Journal of Network and Information Security (网络与信息安全学报) ›› 2017, Vol. 3 ›› Issue (11): 40-49. doi: 10.11959/j.issn.2096-109x.2017.00211
Revised:
2017-09-20
Online:
2017-11-01
Published:
2017-11-30
About the authors:
LU Zhen-ping (born 1992), male, from Shangqiu, Henan; master's student at the National Digital Switching System Engineering and Technological R&D Center; main research interests: software-defined networking and advanced network defence. | CHEN Fu-cai (born 1974), male, from Nanchang, Jiangxi; holds a master's degree; researcher at the National Digital Switching System Engineering and Technological R&D Center; main research interests: telecommunication network protection and network security. | CHENG Guo-zhen (born 1986), male, from Heze, Shandong; Ph.D.; assistant researcher at the National Digital Switching System Engineering and Technological R&D Center; main research interests: cloud data centers, software-defined networking and network security.
Zhen-ping LU(),Fu-cai CHEN,Guo-zhen CHENG
Abstract:
A secure control plane based on dynamic heterogeneous redundancy is proposed, which dynamically switches among heterogeneous controllers to raise the attacker's difficulty. First, a controller scheduling method based on a Bayesian Stackelberg game model is proposed: the attacker and the defender are modelled as the two players of the game, the equilibrium is solved, and the solution guides the scheduling strategy. Second, a self-cleaning mechanism is introduced and combined with the game strategy to form a closed-loop defence mechanism, further improving the security gain of the control layer. Finally, experiments quantify the payoff gain of the game-based secure control layer compared with the traditional deployment of a single controller and with random scheduling of controllers, and show that the self-cleaning mechanism keeps the control plane at a consistently high security level.
Cite this article:
Zhen-ping LU, Fu-cai CHEN, Guo-zhen CHENG. Secure control plane for SDN using Bayesian Stackelberg games[J]. Chinese Journal of Network and Information Security, 2017, 3(11): 40-49.
Table 4 Payoff comparison of the game strategy and the random strategy

| Probability distribution | Random strategy payoff | Game equilibrium strategy payoff | Payoff gain |
| --- | --- | --- | --- |
| 0, 0, 1 | -2.5 | -0.85 | 1.65 |
| 0, 0.2, 0.8 | -2 | -0.54 | 1.46 |
| 0, 0.4, 0.6 | -1.5 | -0.15 | 1.35 |
| 0, 0.6, 0.4 | -1 | 0.22 | 1.22 |
| 0, 0.8, 0.2 | -0.5 | 0.61 | 1.11 |
| 0, 1, 0 | 0 | 1 | 1 |
| 0.2, 0, 0.8 | -2.5 | -0.7 | 1.8 |
| 0.2, 0.2, 0.6 | -2 | -0.48 | 1.52 |
| 0.2, 0.4, 0.4 | -1.5 | -0.27 | 1.23 |
| 0.2, 0.6, 0.2 | -1 | 0.05 | 1.05 |
| 0.2, 0.8, 0 | -0.5 | 0.53 | 1.03 |
| 0.4, 0, 0.6 | -2.5 | -0.32 | 2.18 |
| 0.4, 0.2, 0.4 | -2 | -0.1 | 2.1 |
| 0.4, 0.4, 0.2 | -1.5 | 0.11 | 1.61 |
| 0.4, 0.6, 0 | -1 | 1 | 2 |
| 0.6, 0, 0.4 | -2.5 | 0.06 | 2.56 |
| 0.6, 0.2, 0.2 | -2 | 0.57 | 2.57 |
| 0.6, 0.4, 0 | -1.5 | 1.5 | 3 |
| 0.8, 0, 0.2 | -2.5 | 1.07 | 3.07 |
| 0.8, 0.2, 0 | -2 | 2 | 4 |
| 1, 0, 0 | -2.5 | 2.5 | 5 |
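To make the game behind Table 4 concrete, the following is an added toy example (not the paper's code): the defender commits to a mixed strategy over a pool of heterogeneous controllers, each attacker type observes it and best-responds, and the equilibrium payoff is compared with uniform random and single-controller scheduling. Controller names, attacker types, priors and payoff values are all constructed for the illustration.

```python
# Added example (not the paper's code): Bayesian Stackelberg scheduling of a pool of
# heterogeneous SDN controllers. Controller names, attacker types, priors and payoffs are
# constructed. The defender (leader) commits to a mixed strategy x; each attacker type
# (follower) observes x and best-responds.
CONTROLLERS = ("ONOS", "ODL", "Floodlight")  # hypothetical heterogeneous pool
DETECT_GAIN = 0.5  # constructed: defender gain (attacker cost) when an attack misses

# Constructed attacker types: (prior, damage per controller if it is active when hit).
# Damage 0 means that type has no exploit for the controller.
ATTACKER_TYPES = {
    "A": (0.5, {"ONOS": 3.0, "ODL": 0.0, "Floodlight": 0.0}),
    "B": (0.3, {"ONOS": 0.0, "ODL": 2.0, "Floodlight": 0.0}),
    "C": (0.2, {"ONOS": 0.0, "ODL": 0.0, "Floodlight": 4.0}),
}

def attacker_payoff(damage, x, target):
    # The attack succeeds only when the targeted controller is the active one.
    return x[target] * damage[target] - (1.0 - x[target]) * DETECT_GAIN

def defender_payoff(damage, x, target):
    return -x[target] * damage[target] + (1.0 - x[target]) * DETECT_GAIN

def best_response(damage, x):
    """Follower best response; ties broken in the leader's favour (strong Stackelberg)."""
    payoffs = {c: attacker_payoff(damage, x, c) for c in CONTROLLERS}
    top = max(payoffs.values())
    ties = [c for c, v in payoffs.items() if abs(v - top) < 1e-9]
    return max(ties, key=lambda c: defender_payoff(damage, x, c))

def expected_utility(x):
    """Defender's utility of committing to x, averaged over the attacker-type prior."""
    return sum(prior * defender_payoff(dmg, x, best_response(dmg, x))
               for prior, dmg in ATTACKER_TYPES.values())

def stackelberg_equilibrium(steps=20):
    """Leader's best commitment, found by grid search over the simplex (step 1/steps)."""
    best_x, best_u = None, float("-inf")
    for i in range(steps + 1):
        for j in range(steps + 1 - i):
            x = dict(zip(CONTROLLERS, (i / steps, j / steps, (steps - i - j) / steps)))
            u = expected_utility(x)
            if u > best_u:
                best_x, best_u = x, u
    return best_x, best_u

def random_strategy_utility():  # baseline 1: uniform random scheduling
    return expected_utility({c: 1.0 / len(CONTROLLERS) for c in CONTROLLERS})

def best_static_utility():  # baseline 2: best single statically deployed controller
    return max(expected_utility({c: float(c == s) for c in CONTROLLERS}) for s in CONTROLLERS)
```

With these constructed payoffs the committed mixed strategy beats both baselines, and the best static controller even beats uniform random scheduling, which is why the paper compares against the equilibrium rather than against randomness alone.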