面向网络安全资源池的智能服务链系统设计与分析

doi:10.11959/j.issn.2096-109x.2022051

Abstract

Abstract:

The traditional network security architecture ensures network security by directing traffic through hardware based network security function devices.Since the architecture consists of fixed hardware devices, it leads to a single form of network security area deployment and poor scalability.Besides, the architecture cannot be flexibly adjusted when facing network security events, making it difficult to meet the security needs of future networks.The intelligent service chain system for network security resource pool was based on software-defined network and network function virtualization technologies, which can effectively solve the above problems.Network security functions of virtual form were added based on network function virtualization technology, combined with the existing hardware network elements to build a network security resource pool.In addition, the switching equipment connected to the network security elements can be flexibly controlled based on software-defined network technology.Then a dynamically adjustable network security service chain was built.Network security events were detected based on security log detection and a expert library consisting of security rules.This enabled dynamic and intelligent regulation of the service chain by means of centralized control in the face of network security events.The deployment process of the service chain was mathematically modeled and a heuristic algorithm was designed to realize the optimal deployment of the service chain.By building a prototype system and conducting experiments, the results show that the designed system can detect security events in seconds and automatically adjust the security service chain in minutes when facing security events, and the designed heuristic algorithm can reduce the occupation of virtual resources by 65%.The proposed system is expected to be applied to the network security area at the exit of the campus and data center network, simplifying the operation and maintenance of this area and improving the deployment flexibility of this area.

Key words: software define network, network security resource pool, service chain, network function virtualization

CLC Number:

TP393

Zenan WANG, Jiahao LI, Chaohong TAN, Dechang PI. Design and analysis of intelligent service chain system for network security resource pool[J]. Chinese Journal of Network and Information Security, 2022, 8(4): 175-181.

Figures/Tables 6

References 21

[1]	ZHANG X S , CHENG X Z , LI H B ,et al. Security service chain based on sdn＆nfv construction technology[C]// Signal and Information Processing,Networking and Computers.Lecture Notes in Electrical Engineering,vol 628. 2020.p. 840-848.
[2]	ZHU S , ZHOU C , WANG C . Security service function chain based on software-defined security[J]. Journal of Physics:Conference Series,2021. 2010(1): 12083.
[3]	KRISHNAN P , DUTTAGUPTA S , ACHUTHAN K . SDN/NFV security framework for fog to things computing infrastructure[J]. Software:Practice and Experience, 2020,50(5): 757-800.
[4]	CHIOSI M , CLARKE D , WILLIS P ,et al. Network functions virtualisation introductory white paper[R]. SDN and OpenFlow World Congress, 2012.
[5]	MCKEOWN N , ANDERSON T , BALAKRISHNAN H ,et al. OpenFlow:Enabling innovation in campus networks[J]. ACM SIGCOMM Computer Communication Review, 2008,38(2): 69-74.
[6]	LINA Z , DONGZHAO Z . A new network security architecture based on SDN/NFV technology[C]// 2020 International Conference on Computer Engineering and Application (ICCEA). IEEE, 2020: 669-675.
[7]	SANTOS G L , BEZERRA D F , ROCHA E S ,et al. Service function chain placement in distributed scenarios:a systematic review[J]. Journal of Network and Systems Management, 2022,30(1): 1-39.
[8]	CHEN W , WANG Z , ZHANG H ,et al. Cost-efficient dynamic service function chain embedding in edge clouds[C]// 2021 17th International Conference on Network and Service Management (CNSM). IEEE, 2021: 310-318.
[9]	SHIN S , PORRAS P , YEGNESWARAN V ,et al. FRESCO:modular composable security services for soft-ware-defined networks[C]// Proceedings of the 20th Annual Network and Distributed System Security Symposium. 2013.
[10]	LIU Y P , GUO Z G , SHOU G C ,et al. To achieve a security service chain by integration of NFV and SDN[C]// 2016 Sixth International Conference on Instrumentation ＆ Measurement,Computer,Communication and Control (IMCCC). 2016: 974-977.
[11]	MARTINI B , PAGANELLI F , MOHAMMED A A ,et al. SDN controller for context-aware data delivery in dynamic service chaining[C]// Proceedings 1st IEEE Conference on Network Softwarization, 2015: 1-5.
[12]	GIOTIS K , KRYFTIS Y , MAGLARIS V . Policy-based orchestration of NFV services in software-defined networks[C]// Proceedings of the 1st IEEE Conference on Network Softwarization. 2015. 1-5.
[13]	QAZI Z A , TU C C , CHIANG L ,et al. SIMPLE-fying middlebox policy enforcement using SDN[C]// Proceedings of the ACMSIGCOMM 2013. 2013. 27-38.
[14]	IFFLANDER L , WALTER J , EISMANN S ,et al. The ¨Vision of self-aware reordering of security network function Chains[C]// Companion of the 2018 ACM/SPEC International Conference on Performance Engineering. 2018.
[15]	刘宇涛, 陈海波 . 虚拟化安全：机遇,挑战与未来[J]. 网络与信息安全学报, 2016,2(10): 17-28.
	LIU Y T , CHEN H B . Virtualization security:the good,the bad and the ugly[J]. Chinese Journal of Network and Information Security, 2016,2(10): 17-28.
[16]	LI B , CHENG B , LIU X ,et al. Joint resource optimization and delay-aware virtual network function migration in data center networks[J]. IEEE Transactions on Network and Service Management, 2021,18(3): 2960-2974.
[17]	CERRATO I , ANNARUMMA M , RISSO F . Supporting fine-grained network functions through Intel DPDK[C]// 2014 Third European Workshop on Software Defined Networks. 2014: 1-6.
[18]	MAHDAVIFAR S , GHORBANI A A . DeNNeS:deep embedded neural network expert system for detecting cyber attacks[J]. Neural Computing and Applications, 2020,32(18): 14753-14780.
[19]	LIU Y , LU Y , LI X ,et al. On dynamic service function chain reconfiguration in IoT networks[J]. IEEE Internet of Things Journal, 2020,7(11): 10969-10984.
[20]	谢记超, 伊鹏, 张震 ,等. 基于异构备份与重映射的服务功能链部署方案[J]. 网络与信息安全学报, 2018,4(6): 23-35.
	XIE J C , YI P , ZHANG Z ,et al. Service function chain deployment scheme based on heterogeneous backup and remapping[J]. Chinese Journal of Network and Information Security, 2018,4(6): 23-35.
[21]	HUANG M , LUO W , WAN X . Research on Network Security of Campus Network[C]// Journal of Physics:Conference Series. IOP Publishing,2019, 1187(4): 042113.

Metrics

Recommended 0

No Suggested Reading articles found!

注入危险流量类型	系统决策时间/s
1	2.7
2	3.1
3	3.7
4	3.2
5	3.2

Design and analysis of intelligent service chain system for network security resource pool

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 6

References 21

Related Articles 4

Metrics

Recommended 0

[1]	Haoyu CHEN, Deqing ZOU, Hai JIN. Verification on policies for network functions in SDN/NFV-based environment [J]. Chinese Journal of Network and Information Security, 2021, 7(3): 59-71.
[2]	Qingqing ZHANG, Hongbo TANG, Wei YOU, Yingle LI. Network function heterogeneous redundancy deployment method based on immune algorithm [J]. Chinese Journal of Network and Information Security, 2021, 7(1): 46-56.
[3]	Meisheng HAI,Peng YI,Yiming JIANG,Jichao XIE. Large-scale resource state monitoring strategy in network function virtualization environment [J]. Chinese Journal of Network and Information Security, 2019, 5(6): 42-49.
[4]	Chuanfeng XU,Hui LIN,Xuancheng GUO,Xiaoding WANG. New collaborative DDoS defense technology based on NFV [J]. Chinese Journal of Network and Information Security, 2019, 5(2): 66-76.