面向网络安全资源池的智能服务链系统设计与分析

doi:10.11959/j.issn.2096-109x.2022051

网络与信息安全学报 ›› 2022, Vol. 8 ›› Issue (4): 175-181.doi: 10.11959/j.issn.2096-109x.2022051

面向网络安全资源池的智能服务链系统设计与分析

王泽南¹, 李佳浩², 檀朝红³, 皮德常²

¹ 网络通信与安全紫金山实验室，江苏南京 211100
² 南京航空航天大学，江苏南京 211100
³ 江苏省未来网络创新研究院，江苏南京 211100

修回日期:2022-07-22 出版日期:2022-08-15 发布日期:2022-08-01
作者简介:王泽南（1994− ），男，浙江湖州人，博士，主要研究方向为网络功能虚拟化、网络智能
李佳浩（2001− ），男，甘肃平凉人，主要研究方向为软件定义网络
檀朝红（1985− ），男，安徽安庆人，主要研究方向为软件定义网络、云计算、网络功能虚拟化
皮德常（1971− ），男，河南周口人，南京航空航天大学教授、博士生导师，主要研究方向为软件工程新技术、软件安全性测试方法
基金资助:
江苏省卓越博士后计划

Design and analysis of intelligent service chain system for network security resource pool

Zenan WANG¹, Jiahao LI², Chaohong TAN³, Dechang PI²

¹ Purple Mountain Laboratories, Nanjing 211100, China
² Nanjing University of Aeronautics and Astronautics, Nanjing 211100, China
³ Jiangsu Future Networks Innovation Institute, Nanjing 211100, China

Revised:2022-07-22 Online:2022-08-15 Published:2022-08-01
Supported by:
Jiangsu Funding Program for Excellent Postdoctoral Talent

摘要/Abstract

摘要：

传统网络安全架构通过将流量引导经过硬件形式的网络安全功能设备来保障网络安全，该架构由形式固定的硬件组成，导致网络安全区域部署形式单一，可扩展性较差，在面对网络安全事件时无法灵活地做出调整，难以满足未来网络的安全需求。面向网络安全资源池的智能服务链系统基于软件定义网络与网络功能虚拟化技术，能够有效解决上述问题。基于网络功能虚拟化技术新增虚拟形式的网络安全功能网元，结合已有的硬件网元构建虚实结合的网络安全资源池，并基于软件定义网络技术实现对连接网元的交换设备的灵活控制，从而构建可动态调节的网络安全服务链；基于安全日志检测与安全规则专家库实现对网络安全事件的检测与生成对应的响应方案，从而能够在面对网络安全事件时通过集中式控制的方式实现服务链的动态智能调节；对服务链的部署过程进行数学建模并设计了一种启发式的服务链优化编排算法，实现服务链的优化部署。通过搭建原型系统并进行实验，结果表明，所设计系统能够在面对安全事件时在秒级时间内完成安全事件的检测，并能够在分钟级时间内完成对安全服务链的自动调整，所设计的服务链优化部署算法能够将服务链对虚拟安全资源池中资源的占用降低 65%。所设计系统有望运用于园区与数据中心网络出口处的网络安全区域，简化该区域的运维并提高该区域的部署灵活度。

关键词: 软件定义网络, 网络安全资源池, 服务链, 网络功能虚拟化

Abstract:

The traditional network security architecture ensures network security by directing traffic through hardware based network security function devices.Since the architecture consists of fixed hardware devices, it leads to a single form of network security area deployment and poor scalability.Besides, the architecture cannot be flexibly adjusted when facing network security events, making it difficult to meet the security needs of future networks.The intelligent service chain system for network security resource pool was based on software-defined network and network function virtualization technologies, which can effectively solve the above problems.Network security functions of virtual form were added based on network function virtualization technology, combined with the existing hardware network elements to build a network security resource pool.In addition, the switching equipment connected to the network security elements can be flexibly controlled based on software-defined network technology.Then a dynamically adjustable network security service chain was built.Network security events were detected based on security log detection and a expert library consisting of security rules.This enabled dynamic and intelligent regulation of the service chain by means of centralized control in the face of network security events.The deployment process of the service chain was mathematically modeled and a heuristic algorithm was designed to realize the optimal deployment of the service chain.By building a prototype system and conducting experiments, the results show that the designed system can detect security events in seconds and automatically adjust the security service chain in minutes when facing security events, and the designed heuristic algorithm can reduce the occupation of virtual resources by 65%.The proposed system is expected to be applied to the network security area at the exit of the campus and data center network, simplifying the operation and maintenance of this area and improving the deployment flexibility of this area.

Key words: software define network, network security resource pool, service chain, network function virtualization

中图分类号:

TP393

王泽南, 李佳浩, 檀朝红, 皮德常. 面向网络安全资源池的智能服务链系统设计与分析[J]. 网络与信息安全学报, 2022, 8(4): 175-181.

Zenan WANG, Jiahao LI, Chaohong TAN, Dechang PI. Design and analysis of intelligent service chain system for network security resource pool[J]. Chinese Journal of Network and Information Security, 2022, 8(4): 175-181.

图/表 6

图1

图2

图3

表1

图4

图5

参考文献 21

[1]	ZHANG X S , CHENG X Z , LI H B ,et al. Security service chain based on sdn＆nfv construction technology[C]// Signal and Information Processing,Networking and Computers.Lecture Notes in Electrical Engineering,vol 628. 2020.p. 840-848.
[2]	ZHU S , ZHOU C , WANG C . Security service function chain based on software-defined security[J]. Journal of Physics:Conference Series,2021. 2010(1): 12083.
[3]	KRISHNAN P , DUTTAGUPTA S , ACHUTHAN K . SDN/NFV security framework for fog to things computing infrastructure[J]. Software:Practice and Experience, 2020,50(5): 757-800.
[4]	CHIOSI M , CLARKE D , WILLIS P ,et al. Network functions virtualisation introductory white paper[R]. SDN and OpenFlow World Congress, 2012.
[5]	MCKEOWN N , ANDERSON T , BALAKRISHNAN H ,et al. OpenFlow:Enabling innovation in campus networks[J]. ACM SIGCOMM Computer Communication Review, 2008,38(2): 69-74.
[6]	LINA Z , DONGZHAO Z . A new network security architecture based on SDN/NFV technology[C]// 2020 International Conference on Computer Engineering and Application (ICCEA). IEEE, 2020: 669-675.
[7]	SANTOS G L , BEZERRA D F , ROCHA E S ,et al. Service function chain placement in distributed scenarios:a systematic review[J]. Journal of Network and Systems Management, 2022,30(1): 1-39.
[8]	CHEN W , WANG Z , ZHANG H ,et al. Cost-efficient dynamic service function chain embedding in edge clouds[C]// 2021 17th International Conference on Network and Service Management (CNSM). IEEE, 2021: 310-318.
[9]	SHIN S , PORRAS P , YEGNESWARAN V ,et al. FRESCO:modular composable security services for soft-ware-defined networks[C]// Proceedings of the 20th Annual Network and Distributed System Security Symposium. 2013.
[10]	LIU Y P , GUO Z G , SHOU G C ,et al. To achieve a security service chain by integration of NFV and SDN[C]// 2016 Sixth International Conference on Instrumentation ＆ Measurement,Computer,Communication and Control (IMCCC). 2016: 974-977.
[11]	MARTINI B , PAGANELLI F , MOHAMMED A A ,et al. SDN controller for context-aware data delivery in dynamic service chaining[C]// Proceedings 1st IEEE Conference on Network Softwarization, 2015: 1-5.
[12]	GIOTIS K , KRYFTIS Y , MAGLARIS V . Policy-based orchestration of NFV services in software-defined networks[C]// Proceedings of the 1st IEEE Conference on Network Softwarization. 2015. 1-5.
[13]	QAZI Z A , TU C C , CHIANG L ,et al. SIMPLE-fying middlebox policy enforcement using SDN[C]// Proceedings of the ACMSIGCOMM 2013. 2013. 27-38.
[14]	IFFLANDER L , WALTER J , EISMANN S ,et al. The ¨Vision of self-aware reordering of security network function Chains[C]// Companion of the 2018 ACM/SPEC International Conference on Performance Engineering. 2018.
[15]	刘宇涛, 陈海波 . 虚拟化安全：机遇,挑战与未来[J]. 网络与信息安全学报, 2016,2(10): 17-28.
	LIU Y T , CHEN H B . Virtualization security:the good,the bad and the ugly[J]. Chinese Journal of Network and Information Security, 2016,2(10): 17-28.
[16]	LI B , CHENG B , LIU X ,et al. Joint resource optimization and delay-aware virtual network function migration in data center networks[J]. IEEE Transactions on Network and Service Management, 2021,18(3): 2960-2974.
[17]	CERRATO I , ANNARUMMA M , RISSO F . Supporting fine-grained network functions through Intel DPDK[C]// 2014 Third European Workshop on Software Defined Networks. 2014: 1-6.
[18]	MAHDAVIFAR S , GHORBANI A A . DeNNeS:deep embedded neural network expert system for detecting cyber attacks[J]. Neural Computing and Applications, 2020,32(18): 14753-14780.
[19]	LIU Y , LU Y , LI X ,et al. On dynamic service function chain reconfiguration in IoT networks[J]. IEEE Internet of Things Journal, 2020,7(11): 10969-10984.
[20]	谢记超, 伊鹏, 张震 ,等. 基于异构备份与重映射的服务功能链部署方案[J]. 网络与信息安全学报, 2018,4(6): 23-35.
	XIE J C , YI P , ZHANG Z ,et al. Service function chain deployment scheme based on heterogeneous backup and remapping[J]. Chinese Journal of Network and Information Security, 2018,4(6): 23-35.
[21]	HUANG M , LUO W , WAN X . Research on Network Security of Campus Network[C]// Journal of Physics:Conference Series. IOP Publishing,2019, 1187(4): 042113.

注入危险流量类型	系统决策时间/s
1	2.7
2	3.1
3	3.7
4	3.2
5	3.2

面向网络安全资源池的智能服务链系统设计与分析

Design and analysis of intelligent service chain system for network security resource pool

在线阅读

pdf下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 6

参考文献 21

相关文章 15

Metrics

推荐阅读 0

[1]	王洋, 汤光明, 王硕, 楚江. 基于API调用管理的SDN应用层DDoS攻击防御机制[J]. 网络与信息安全学报, 2022, 8(2): 73-87.
[2]	何威振, 陈福才, 牛杰, 谭晶磊, 霍树民, 程国振. 面向网络层的动态跳变技术研究进展[J]. 网络与信息安全学报, 2021, 7(6): 44-55.
[3]	陈浩宇, 邹德清, 金海. 面向SDN/NFV环境的网络功能策略验证[J]. 网络与信息安全学报, 2021, 7(3): 59-71.
[4]	王涛, 陈鸿昶. 考虑拜占庭属性的SDN安全控制器多目标优化部署方案[J]. 网络与信息安全学报, 2021, 7(3): 72-84.
[5]	赵普, 赵文涛, 付章杰, 刘强. 基于Renyi熵的SDN自主防护系统[J]. 网络与信息安全学报, 2021, 7(3): 85-94.
[6]	张青青, 汤红波, 游伟, 李英乐. 基于免疫算法的网络功能异构冗余部署方法[J]. 网络与信息安全学报, 2021, 7(1): 46-56.
[7]	吴奇,陈鸿昶. 低故障恢复开销的软件定义网络控制器布局算法[J]. 网络与信息安全学报, 2020, 6(6): 97-104.
[8]	李国春,马睿,马季春,李伯中,刘惠明,张桂玉. 广域网出口流量调度SDN部署研究[J]. 网络与信息安全学报, 2020, 6(5): 148-157.
[9]	海梅生,伊鹏,江逸茗,谢记超. 网络功能虚拟化环境中大规模资源状态监测策略[J]. 网络与信息安全学报, 2019, 5(6): 42-49.
[10]	黄伟, 路冉, 刘存才, 祁思博. 基于SDN分级分域架构的QoS约束路由算法[J]. 网络与信息安全学报, 2019, 5(5): 21-31.
[11]	王洋,汤光明,雷程,韩冬. 面向链路洪泛攻击的多维检测与动态防御方法[J]. 网络与信息安全学报, 2019, 5(4): 80-90.
[12]	许传丰,林晖,郭烜成,汪晓丁. 基于NFV的新的协作式DDoS防御技术[J]. 网络与信息安全学报, 2019, 5(2): 66-76.
[13]	谭晶磊, 张红旗, 雷程, 刘小虎, 王硕. 面向SDN的移动目标防御技术研究进展[J]. 网络与信息安全学报, 2018, 4(7): 1-12.
[14]	谢记超,伊鹏,张震,张传浩,谷允捷. 基于异构备份与重映射的服务功能链部署方案[J]. 网络与信息安全学报, 2018, 4(6): 23-35.
[15]	郭中孚, 张兴明, 赵博, 王苏南. 软件定义网络数据平面安全综述[J]. 网络与信息安全学报, 2018, 4(11): 1-12.