基于拟态防御架构的服务功能链执行体动态调度方法

doi:10.11959/j.issn.1000-0801.2022070

电信科学 ›› 2022, Vol. 38 ›› Issue (4): 101-112.doi: 10.11959/j.issn.1000-0801.2022070

基于拟态防御架构的服务功能链执行体动态调度方法

李传煌, 唐晶晶, 陈泱婷, 雷睿, 陈超, 王伟明

浙江工商大学信息与电子工程学院（萨塞克斯人工智能学院），浙江杭州 310018

修回日期:2022-04-06 出版日期:2022-04-20 发布日期:2022-04-01
作者简介:李传煌（1980− ），男，博士，浙江工商大学教授、硕士生导师，主要研究方向为软件定义网络、开放可编程网络、边缘计算、人工智能应用等
唐晶晶（1998− ），女，浙江工商大学硕士生，主要研究方向为软件定义网络、人工智能应用
陈泱婷（1998− ），女，浙江工商大学硕士生，主要研究方向为软件定义网络、人工智能应用
雷睿（1996− ），男，浙江工商大学硕士生，主要研究方向为软件定义网络、人工智能应用
陈超（1986− ），男，博士，浙江工商大学副教授、硕士生导师，主要研究方向为下一代无线通信网络技术、网络编码、机器/深度学习等
王伟明（1964− ），男，博士，浙江工商大学教授、硕士生导师，主要研究方向为新一代网络架构、开放可编程网络
基金资助:
国家自然科学基金资助项目(61871468);国家自然科学基金资助项目(62111540270);浙江省新型网络标准与应用技术重点实验室资助项目(2013E10012)

Dynamic scheduling method of service function chain executors based on the mimic defense architecture

Chuanhuang LI, Jingjing TANG, Yangting CHEN, Rui LEI, Chao CHEN, Weiming WANG

School of Information and Electronic Engineering (Sussex Artificial Intelligence Institute), Zhejiang Gongshang University, Hangzhou 310018, China

Revised:2022-04-06 Online:2022-04-20 Published:2022-04-01
Supported by:
The National Natural Science Foundation of China(61871468);The National Natural Science Foundation of China(62111540270);Zhejiang Key Laboratory of Network Standards and Applied Technology(2013E10012)

摘要/Abstract

摘要：

面对静态、滞后的传统防御技术无法有效应对新型网络攻击的问题，根据拟态安全防御理论，提出了一种建立在数据转发层面的拟态服务功能链（mimic service function chain，MSFC）防御架构，基于该架构进一步提出了一种基于判决反馈的执行体动态调度方法。该方法以判决器反馈的异常执行体信息、执行体的异构度以及系统的实际负载量作为调度影响因素，使调度方法可以根据网络实际变化进行自适应调整。此外，该调度方法利用判决反馈对调度时间进行调整，以达到系统花费与安全性的最佳平衡，降低了系统的资源开销。仿真结果表明，该调度方法可以在平衡系统花费与安全性的基础上，选出更符合当前网络需求的高异构度执行体集合，从而提升系统的安全性及可靠性。

关键词: 服务功能链, 拟态防御, 动态调度, 执行体, 异构度

Abstract:

Faced with the problem that static and lagging traditional defense technologies cannot effectively deal with new network attacks, according to the theory of mimetic security defense, a defense architecture of mimic service function chain (MSFC) based on the data forwarding level was proposed, and an execution dynamic scheduling method based on the decision feedback was further proposed.The method took the abnormal executor information fed back by the decision maker, the heterogeneity of executors and the actual load of the system as the scheduling influencing factors, so that the scheduling method can be adjusted adaptively according to the actual changes of the network.In addition, the scheduling method used decision feedback to adjust the scheduling time, so as to achieve the best balance between system cost and security, and reduce the resource overhead of the system.Simulation results showed that the scheduling method can select a set of highly heterogeneous actuators that better meet the current network requirements on the basis of balancing the system cost and security, so as to improve the security and reliability of the system.

Key words: service function chain, mimic defense, dynamic scheduling, executor, heterogeneous degree

中图分类号:

TP393

李传煌, 唐晶晶, 陈泱婷, 雷睿, 陈超, 王伟明. 基于拟态防御架构的服务功能链执行体动态调度方法[J]. 电信科学, 2022, 38(4): 101-112.

Chuanhuang LI, Jingjing TANG, Yangting CHEN, Rui LEI, Chao CHEN, Weiming WANG. Dynamic scheduling method of service function chain executors based on the mimic defense architecture[J]. Telecommunications Science, 2022, 38(4): 101-112.

图/表 11

表1

图1

图2

图3

图4

表2

图5

图6

图7

图8

图9

参考文献 25

[1]	RFC. Service function chaining (SFC) architecture[R]. 2015.
[2]	李天龙 . 多域网络安全服务编排系统的设计与实现[D]. 北京:北京交通大学, 2018.
	LI T L . The design and implement of multi-domain network security service orchestration system[D]. Beijing:Beijing Jiaotong University, 2018.
[3]	RFC. Forwarding and control element separation (ForCES) protocol specification[R]. 2010.
[4]	BIFULCO R , CANONICO R , BRUNNER M ,et al. A practical experience in designing an OpenFlow controller[C]// Proceedings of 2012 European Workshop on Software Defined Networking. Piscataway:IEEE Press, 2012: 61-66.
[5]	Table of contents[EB]. 2006.
[6]	JAIN R , PAUL S . Network virtualization and software defined networking for cloud computing:a survey[J]. IEEE Communications Magazine, 2013,51(11): 24-31.
[7]	GUERZONI R , . Network functions virtualization an introduction,benefits,enablers,challenges and call for action[C]// SDN and OpenFlow World Congress,St Louis.[S.l.:s.n.], 2012.
[8]	CHOWDHURY N M M K , BOUTABA R . A survey of network virtualization[J]. Computer Networks, 2010,54(5): 862-876.
[9]	宋永春 . 基于 SDN 的设备间服务链设计与实现[D]. 兰州:兰州大学, 2017.
	SONG Y C . The design and realization of equipment service-chain in SDN[D]. Lanzhou:Lanzhou University, 2017.
[10]	IETF. Problem statement for service function chaining:RFC 7498[S]. 2018.
[11]	OKTIAN Y E , LEE S , LEE H . Mitigating Denial of Service (DoS) attacks in OpenFlow networks[C]// Proceedings of 2014 International Conference on Information and Communication Technology Convergence (ICTC). Piscataway:IEEE Press, 2014: 325-330.
[12]	JABEUR N , MOH A N S , BARKIA M M . A bully approach for competitive redundancy in heterogeneous wireless sensor network[J]. Procedia Computer Science, 2016(83): 628-635.
[13]	邬江兴 . 网络空间拟态安全防御[J]. 保密科学技术, 2014(10): 1,4-9.
	WU J X . Cyberspace pseudo security defense[J]. Secrecy Science and Technology, 2014(10): 1,4-9.
[14]	马海龙, 伊鹏, 江逸茗 ,等. 基于动态异构冗余机制的路由器拟态防御体系结构[J]. 信息安全学报, 2017,2(1): 29-42.
	MA H L , YI P , JIANG Y M ,et al. Dynamic heterogeneous redundancy based router architecture with mimic defenses[J]. Journal of Cyber Security, 2017,2(1): 29-42.
[15]	马海龙, 江逸茗, 白冰 ,等. 路由器拟态防御能力测试与分析[J]. 信息安全学报, 2017,2(1): 43-53.
	MA H L , JIANG Y M , BAI B ,et al. Tests and analyses for mimic defense ability of routers[J]. Journal of Cyber Security, 2017,2(1): 43-53.
[16]	DURANTE L , SENO L , VALENZA F ,et al. A model for the analysis of security policies in service function chains[C]// Proceedings of 2017 IEEE Conference on Network Softwarization (NetSoft). Piscataway:IEEE Press, 2017.
[17]	XIE J C , YI P , ZHANG Z ,et al. A service function chain deployment scheme based on heterogeneous backup[C]// Proceedings of 2018 IEEE 18th International Conference on Communication Technology (ICCT). Piscataway:IEEE Press, 2018.
[18]	JAJODIA S , GHOSH A K , SWARUP V ,et al. Moving Target Defense[M]. New York,NY: Springer New York, 2011.
[19]	OKHRAVI H , HOBSON T , BIGELOW D ,et al. Finding focus in the blur of moving-target techniques[J]. IEEE Security ＆Privacy, 2014,12(2): 16-26.
[20]	CADAR C , AKRITIDIS P , COSTA M ,et al. Data randomization[R]. 2008.
[21]	邬江兴, 李军飞 . 一种异构功能等价体调度装置及方法:CN106161417A[P]. 2016.
	WU J X , LI J F . A heterogeneous functional equivalent scheduling device and method:CN106161417A[P]. 2016.
[22]	QI C , WU J X , HU H C ,et al. Dynamic-scheduling mechanism of controllers based on security policy in software-defined network[J]. Electronics Letters, 2016,52(23): 1918-1920.
[23]	季新生, 徐水灵, 刘文彦 ,等. 一种面向安全的虚拟网络功能动态异构调度方法[J]. 电子与信息学报, 2019,41(10): 2435-2441.
	JI X S , XU S L , LIU W Y ,et al. A security-oriented dynamic and heterogeneous scheduling method for virtual network function[J]. Journal of Electronics ＆ Information Technology, 2019,41(10): 2435-2441.
[24]	王禛鹏 . 拟态网络操作系统调度与裁决机制研究及实现[D]. 郑州:战略支援部队信息工程大学, 2017.
	WANG Z P . Research on the scheduling and decision-making mechanism of mimic network operating system[D]. Zhengzhou:Information Engineering University, 2017.
[25]	王宇 . 网络主动防御与主动防御网络[J]. 保密科学技术, 2014(11): 27-34.
	WANG Y . Cyber active defense and active defense network[J]. Secrecy Science and Technology, 2014(11): 27-34.

防御机制	防御方案	特点
被动防御	SF安全加固	需增设安全模块，造成额外开销
	SFC安全编排与部署	未知漏洞易被攻破
主动防御	移动目标防御	计算难度较大
	拟态安全防御	对调度算法质量要求较高

虚拟机	操作系统	软件
V₃	Ubuntu	iptables
V₄	Windows	Kaspersky Anti-Hacker
V₅	CentOS	XELIOS Personal Firewall
V₆	Windows	ZoneAlarm Pro
V₇	Windows	Norton Personal Firewall
V₈	CentOS	LVS
V₉	Windows	Nginx
V₁₀	CentOS	HAproxy
V₁₁	Ubuntu	LVS
V₁₂	Ubuntu	Nginx

基于拟态防御架构的服务功能链执行体动态调度方法

Dynamic scheduling method of service function chain executors based on the mimic defense architecture

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 11

参考文献 25

相关文章 10

Metrics

推荐阅读 0

[1]	吴晓春, 洪晨, 张岳, 张俊楠, 周静静. 基于微服务架构的粒度可变服务功能链映射算法[J]. 电信科学, 2022, 38(12): 11-26.
[2]	张岳, 张俊楠, 吴晓春, 洪晨, 周静静. 基于改进灰狼优化算法的服务功能链映射算法[J]. 电信科学, 2022, 38(11): 57-72.
[3]	张汝云, 李合元, 李顺斌. 有限异构资源条件下的工业控制拟态调度算法[J]. 电信科学, 2021, 37(3): 57-65.
[4]	全硕, 王旭亮, 朱泽亚. 5G+时代的软件定义安全技术架构研究与实践[J]. 电信科学, 2021, 37(12): 60-71.
[5]	秦俊宁,韩嘉佳,周升,吴春明,陈双喜,赵若琰,张江瑜. 基于异构冗余架构的拟态防御建模技术[J]. 电信科学, 2020, 36(5): 31-38.
[6]	陈利跃,孙歆,成天晟,吴春明,陈双喜. 面向Web隐藏后门技术的防御[J]. 电信科学, 2020, 36(5): 39-46.
[7]	高明,罗锦,周慧颖,焦海,应丽莉. 一种基于拟态防御的差异化反馈调度判决算法[J]. 电信科学, 2020, 36(5): 73-82.
[8]	季新生,梁浩,扈红超. 天地一体化信息网络安全防护技术的新思考[J]. 电信科学, 2017, 33(12): 24-35.
[9]	董黎刚,何博翰,徐倜杰,费硕成,王伟明. 面向SDN的动态网络策略部署与实现[J]. 电信科学, 2016, 32(10): 137-149.
[10]	牟宏蕾,杨波,郝亚飞. 业务支撑系统云化平台资源调度方案[J]. 电信科学, 2015, 31(Z1): 179-185.