Chinese Journal of Network and Information Security (网络与信息安全学报), 2022, Vol. 8, Issue 4: 175-181. doi: 10.11959/j.issn.2096-109x.2022051

• Academic Paper •

Design and Analysis of an Intelligent Service Chain System for a Network Security Resource Pool (original Chinese title: 面向网络安全资源池的智能服务链系统设计与分析)

王泽南1, 李佳浩2, 檀朝红3, 皮德常2   

  1. Purple Mountain Laboratories for Network Communication and Security, Nanjing 211100, Jiangsu, China
  2. Nanjing University of Aeronautics and Astronautics, Nanjing 211100, Jiangsu, China
  3. Jiangsu Future Networks Innovation Institute, Nanjing 211100, Jiangsu, China
  • Revised: 2022-07-22; Online: 2022-08-15; Published: 2022-08-01
  • About the authors: Wang Zenan (王泽南, born 1994), male, from Huzhou, Zhejiang; Ph.D.; main research interests: network function virtualization, network intelligence
    Li Jiahao (李佳浩, born 2001), male, from Pingliang, Gansu; main research interest: software-defined networking
    Tan Chaohong (檀朝红, born 1985), male, from Anqing, Anhui; main research interests: software-defined networking, cloud computing, network function virtualization
    Pi Dechang (皮德常, born 1971), male, from Zhoukou, Henan; professor and doctoral supervisor at Nanjing University of Aeronautics and Astronautics; main research interests: new software engineering technologies, software security testing methods
  • Supported by:
    Jiangsu Funding Program for Excellent Postdoctoral Talent

Design and analysis of intelligent service chain system for network security resource pool

Zenan WANG1, Jiahao LI2, Chaohong TAN3, Dechang PI2   

  1. Purple Mountain Laboratories, Nanjing 211100, China
    2 Nanjing University of Aeronautics and Astronautics, Nanjing 211100, China
    3 Jiangsu Future Networks Innovation Institute, Nanjing 211100, China
  • Revised: 2022-07-22; Online: 2022-08-15; Published: 2022-08-01
  • Supported by:
    Jiangsu Funding Program for Excellent Postdoctoral Talent

Abstract (translated from the Chinese):

Traditional network security architectures ensure network security by steering traffic through hardware-form network security function devices. Because such an architecture is built from fixed-form hardware, the network security zone can only be deployed in a single form with poor scalability; it cannot be adjusted flexibly when facing network security events and can hardly meet the security needs of future networks. The intelligent service chain system for a network security resource pool, based on software-defined networking (SDN) and network function virtualization (NFV), can effectively solve these problems. Virtual-form network security function elements are added on the basis of NFV and combined with the existing hardware elements to build a hybrid (virtual plus physical) network security resource pool; SDN is used to flexibly control the switching devices that connect these elements, thereby constructing a dynamically adjustable network security service chain. Network security events are detected, and the corresponding response plans are generated, through security log detection and an expert library of security rules, so that the service chain can be dynamically and intelligently adjusted under centralized control when a security event occurs. The service chain deployment process is modeled mathematically and a heuristic service chain orchestration algorithm is designed to achieve optimized deployment. A prototype system was built and experiments were conducted; the results show that the designed system can detect a security event within seconds and automatically adjust the security service chain within minutes, and that the designed service chain deployment optimization algorithm reduces the service chain's occupation of resources in the virtual security resource pool by 65%. The system is expected to be applied to the network security zone at the egress of campus and data center networks, simplifying operation and maintenance of that zone and improving its deployment flexibility.

Keywords (translated): software-defined networking, network security resource pool, service chain, network function virtualization

Abstract:

The traditional network security architecture ensures network security by directing traffic through hardware-based network security function devices. Since the architecture consists of fixed hardware devices, it leads to a single form of network security area deployment and poor scalability. Besides, the architecture cannot be flexibly adjusted when facing network security events, making it difficult to meet the security needs of future networks. The intelligent service chain system for the network security resource pool was based on software-defined networking and network function virtualization technologies, which can effectively solve the above problems. Network security functions in virtual form were added based on network function virtualization technology and combined with the existing hardware network elements to build a network security resource pool. In addition, the switching equipment connected to the network security elements can be flexibly controlled based on software-defined networking technology. Then a dynamically adjustable network security service chain was built. Network security events were detected based on security log detection and an expert library consisting of security rules. This enabled dynamic and intelligent regulation of the service chain by means of centralized control in the face of network security events. The deployment process of the service chain was mathematically modeled and a heuristic algorithm was designed to realize the optimal deployment of the service chain. By building a prototype system and conducting experiments, the results show that the designed system can detect security events in seconds and automatically adjust the security service chain in minutes when facing security events, and the designed heuristic algorithm can reduce the occupation of virtual resources by 65%. The proposed system is expected to be applied to the network security area at the exit of campus and data center networks, simplifying the operation and maintenance of this area and improving its deployment flexibility.
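The abstract describes two mechanisms without giving their details: rule-based detection of a security event from logs that produces a change to the service chain, and a heuristic that places service chains onto a hybrid hardware-plus-virtual resource pool so that virtual resources are shared rather than dedicated per chain. The following Python model is an added illustration, not the paper's prototype or its orchestration algorithm; the security functions, node capacities, the greedy best-fit placement rule, the expert rules and the log lines are all constructed assumptions. It shows why sharing virtual instances across chains lowers virtual-pool occupation compared with a dedicated-instance baseline, and how a matched rule extends a chain before re-placement.

```python
# Added illustration (not the paper's code). Toy model of (1) heuristic placement
# of security service chains onto a hybrid hardware + virtual resource pool and
# (2) rule-based detection from logs that yields a change to a service chain.
# Every value (functions, capacities, rules, log lines) is constructed.
from dataclasses import dataclass


@dataclass
class Node:
    """One network security element in the resource pool."""
    name: str
    kind: str        # "hw" = physical appliance, "vnf" = virtual instance (NFV)
    function: str    # security function it provides, e.g. "firewall"
    capacity: int    # number of service chains it can carry (assumed)
    load: int = 0


VNF_CAPACITY = 4     # assumed: chains one virtual instance can serve


class ResourcePool:
    def __init__(self, hardware):
        self.nodes = list(hardware)

    def free_instances(self, function):
        return [n for n in self.nodes if n.function == function and n.load < n.capacity]

    def spawn_vnf(self, function):
        """Instantiate a new virtual element for `function` (NFV)."""
        idx = sum(1 for n in self.nodes if n.function == function and n.kind == "vnf") + 1
        node = Node(f"{function}-vnf{idx}", "vnf", function, VNF_CAPACITY)
        self.nodes.append(node)
        return node

    def vnf_count(self):
        return sum(1 for n in self.nodes if n.kind == "vnf")


def place_chain(pool, chain, share=True):
    """Map each function of `chain` to a node and return the chosen path.

    Greedy heuristic (an assumption, not the paper's algorithm): prefer a hardware
    element with spare capacity, then the most-loaded virtual instance that still
    has room (best-fit packing), and only then spawn a new VNF. With share=False
    every chain gets dedicated VNFs, which is the naive baseline.
    """
    path = []
    for fn in chain:
        node = None
        if share:
            candidates = pool.free_instances(fn)
            candidates.sort(key=lambda n: (n.kind != "hw", n.capacity - n.load))
            node = candidates[0] if candidates else None
        if node is None:
            node = pool.spawn_vnf(fn)
        node.load += 1
        path.append(node.name)
    return path


def base_pool():
    """Constructed hybrid pool: two physical appliances with limited capacity."""
    return ResourcePool([Node("firewall-hw1", "hw", "firewall", 2),
                         Node("ids-hw1", "hw", "ids", 2)])


def deploy(chains, share=True):
    """Place all chains on a fresh pool; return (paths, number of VNFs spawned)."""
    pool = base_pool()
    paths = [place_chain(pool, c, share) for c in chains]
    return paths, pool.vnf_count()


# (2) Expert library of security rules (constructed): a log pattern and the
# security function that the response plan inserts into the affected chain.
RULES = [("sql injection", "waf"), ("syn flood", "ddos-scrubber")]


def detect(log_lines):
    """Return the functions required by matched rules, in first-seen order."""
    hits = []
    for line in log_lines:
        for pattern, fn in RULES:
            if pattern in line.lower() and fn not in hits:
                hits.append(fn)
    return hits


def respond(chain, required):
    """Extend the chain with each required function it lacks, keeping order."""
    return list(chain) + [fn for fn in required if fn not in chain]


if __name__ == "__main__":
    tenants = [["firewall", "ids", "waf"]] * 5      # constructed: 5 identical chains
    _, shared = deploy(tenants, share=True)
    _, dedicated = deploy(tenants, share=False)
    print(f"VNFs spawned: shared={shared}, dedicated={dedicated}, "
          f"reduction={(1 - shared / dedicated) * 100:.0f}%")
    logs = ["2022-08-01T10:00:01 waf-hw1 alert: SQL injection attempt from 192.0.2.7",
            "2022-08-01T10:00:02 switch-1 link up"]  # constructed log lines
    new_chain = respond(["firewall", "ids"], detect(logs))
    print("adjusted chain:", new_chain, "->", place_chain(base_pool(), new_chain))
```

With the constructed capacities, five identical chains need 4 virtual instances under the sharing heuristic against 15 with dedicated instances; the percentage depends entirely on the assumed capacities and is not the paper's 65% figure. The point a defender should take from the model is operational: the shared placement is only safe if each instance's capacity bound is enforced, since an overloaded shared instance becomes a single point of failure for every chain routed through it.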

Key words: software-defined network, network security resource pool, service chain, network function virtualization

