基于地址重载的SDN分组转发验证

doi:10.11959/j.issn.1000-436x.2022047

Abstract

Abstract:

Aiming at the problem that the most existing forwarding verification mechanisms in software-defined network (SDN) verified packets hop-by-hop by incorporating new secure communication protocols, which incurred significant computation and communication overhead, an address overloading-based forwarding verification mechanism was proposed.The flow runtime was divided into consecutive random intervals by the ingress switch via overloading address fields of packet, basing on overloading address, packets were forwarded by each subsequent switch, and the controller sampled the packets forwarded by ingress and egress switch in the interval to detect abnormal behavior on the path.Finally, the proposed mechanism and simulation network was implemented and evaluated.Experiments show that the mechanism achieves efficient forwarding and effective anomaly detection with less than 8% of additional forwarding delays.

Key words: software-defined networking, address overloading, hash-based sampling, anomaly detection

CLC Number:

TP393

Ping WU, Chaowen CHANG, Zhibin ZUO, Yingying MA. Address overloading-based packet forwarding verification in SDN[J]. Journal on Communications, 2022, 43(3): 88-100.

Figures/Tables 17

References 20

[1]	SARASWAT S , AGARWAL V , GUPTA H P ,et al. Challenges and solutions in software defined networking:a survey[J]. Journal of Network and Computer Applications, 2019,141: 23-58.
[2]	王涛, 陈鸿昶, 程国振 . 软件定义网络及安全防御技术研究[J]. 通信学报, 2017,38(11): 133-160.
	WANG T , CHEN H C , CHENG G Z . Research on soft-ware-defined network and the security defense technology[J]. Journal on Communications, 2017,38(11): 133-160.
[3]	岳猛, 王怀远, 吴志军 ,等. 云计算中DDoS攻防技术研究综述[J]. 计算机学报, 2020,43(12): 2315-2336.
	YUE M , WANG H Y , WU Z J ,et al. A survey of DDoS attack and defense technologies in cloud computing[J]. Chinese Journal of Com-puters, 2020,43(12): 2315-2336.
[4]	MIZRAK A T , CHENG Y C , MARZULLO K ,et al. Detecting and isolating malicious routers[J]. IEEE Transactions on Dependable and Secure Computing, 2006,3(3): 230-244.
[5]	AKHUNZADA A , GANI A , ANUAR N B ,et al. Secure and dependable software defined networks[J]. Journal of Network and Computer Applications, 2016,61: 199-221.
[6]	SHAGHAGHI A , KAAFAR M A , BUYYA R ,et al. Software-defined network (SDN) data plane security:issues,solutions,and future directions handbook of computer networks and cyber security[J]. arXiv Preprint,arXiv:1804.00262, 2018.
[7]	KIM T H J , BASESCU C , JIA L M ,et al. Lightweight source authentication and path validation[J]. ACM SIGCOMM Computer Communication Review, 2015,44(4): 271-282.
[8]	WU B , XU K , LI Q ,et al. RFL:robust fault localization on unreliable communication channels[J]. Computer Networks, 2019,158: 158-174.
[9]	ZHANG P , WU H , ZHANG D ,et al. Verifying rule enforcement in software defined networks with REV[J]. IEEE/ACM Transactions on Networking, 2020,28(2): 917-929.
[10]	祝现威, 常朝稳, 朱智强 ,等. 基于身份属性的 SDN 控制转发方法[J]. 通信学报, 2019,40(11): 1-18.
	ZHU X W , CHANG C W , ZHU Z Q ,et al. SDN control and forwarding method based on identity attribute[J]. Journal on Communications, 2019,40(11): 1-18.
[11]	王首一, 李琦, 张云 . 轻量级的软件定义网络数据包转发验证[J]. 计算机学报, 2019,42(1): 176-189.
	WANG S Y , LI Q , ZHANG Y . LPV:lightweight packet forward-ing verification in SDN[J]. Chinese Journal of Computers, 2019,42(1): 176-189.
[12]	左志斌, 常朝稳, 祝现威 . 一种基于数据平面可编程的软件定义网络报文转发验证机制[J]. 电子与信息学报, 2020,42(5): 1110-1117.
	ZUO Z B , CHANG C W , ZHU X W . A software-defined net-working packet forwarding verification mechanism based on programmable data plane[J]. Journal of Electronics ＆ Informa-tion Technology, 2020,42(5): 1110-1117.
[13]	林耘森箫, 毕军, 周禹 ,等. 基于 P4 的可编程数据平面研究及其应用[J]. 计算机学报, 2019,42(11): 2539-2560.
	LIN Y S X , BI J , ZHOU Y ,et al. Research and applications of programmable data plane based on P4[J]. Chinese Journal of Computers, 2019,42(11): 2539-2560.
[14]	DHAWAN M , PODDAR R , MAHAJAN K ,et al. SPHINX:detecting security attacks in software-defined networks[C]// Proceedings of 2015 Network and Distributed System Security Symposium. Virginia:the Internet Society, 2015: 1-15.
[15]	吴平, 常朝稳, 马莹莹 . 基于端址重载的 SDN 包转发验证[J]. 通信学报, 2021,42(7): 70-83.
	WU P , CHANG C W , MA Y Y . Port address overloading based packet forwarding verification in SDN[J]. Journal on Communications, 2021,42(7): 70-83.
[16]	SENGUPTA S , CHOWDHARY A , SABUR A ,et al. A survey of moving target defenses for network security[J]. IEEE Communications Surveys ＆ Tutorials, 2020,22(3): 1909-1941.
[17]	JAFARIAN J H , AL-SHAER E , DUAN Q . Formal approach for route agility against persistent attackers[M]. Berlin: Springer, 2013: 237-254.
[18]	DUFFIELD N G , GROSSGLAUSER M . Trajectory sampling for direct traffic observation[J]. IEEE/ACM Transactions on Networking, 2001,9(3): 280-292.
[19]	GOLDBERG S , XIAO D , BARAK B ,et al. Measuring path quality in the presence of adversaries:the role of cryptography in network accountability[R]. 2007.
[20]	HAGERUP T , RüB C , . A guided tour of Chernoff bounds[J]. Information Processing Letters, 1990,33(6): 305-308.

Metrics

Recommended 0

No Suggested Reading articles found!

方案	解决的问题	主要技术	存在的优缺点
文献[7]	分组转发、路径验证	消息验证码、哈希链	嵌入的分组头随路径长度线性增加，难以抵御恶意节点的丢弃与劫持攻击
文献[8]	分组转发、路径验证	轻量级密钥分发、采样	协议通信开销大，源节点接收中间节点回传的采样信息易受干扰
文献[9]	传输路径一致性检测	压缩消息验证码	基于流的压缩验证码减小了通信开销，分组丢失时易发生误报，嵌入的分组头随路径线性增加
文献[10]	分组转发控制	属性密码学、基于密码标签转发	计算与通信开销大，可以检测恶意的篡改/注入，不能检测丢弃/劫持攻击
文献[11]	分组转发验证	消息验证码、基于特定的标签采样	插入的标签增加了通信开销，控制器下发分组验证码实现逐跳验证
文献[12]	分组转发验证	密码标识、采样	通信开销较小，可检测篡改，不能检测丢弃/劫持
文献[14]	网络异常检测	抽象流图	难以检测丢弃并注入或篡改等复杂攻击
文献[15]	分组转发验证	消息验证码、端址重载	通信开销较小，源节点需保存流路径信息

方案	源端	中间节点	目的端	总开销
文献[7]	LH	2H	LH	4LH
文献[9]	2H	2H	2H	2LH
文献[10]	KP	—	KP	2KP
文献[11]	M	M	M	LM
文献[12]	H	—	H	3H
文献[15]	LH	H	H	2LH
AO-PFV	M	—	M	2M

方案	篡改	丢弃	注入	无额外通信协议	无分组头开销
文献[7]	√	×	√	×	×
文献[9]	√	×	√	×	×
文献[10]	√	×	√	×	×
文献[11]	√	√	√	√	×
文献[12]	√	×	√	×	×
文献[15]	√	√	√	×	√
AO-PFV	√	√	√	√	√

方案	通信开销	计算时间/μs	篡改攻击		丢弃攻击
方案	通信开销	计算时间/μs	α	漏报率	α	漏报率	误报率
文献[7]	23%	300～380	—	0	—	—	—
文献[9]	4.58%	160～190	—	0	—	—	—
文献[10]	14.4%	3 800～4 000	—	0	—	—	—
文献[11]	0.2%～0.5%	50	10%～30%	4%～10%	10%	2%	3%～4%
文献[12]	4.14%	30～36	10%	7%～10%	—	—	—
					<0.5%	> 10%
文献[15]	0	160～190	1%～4%	<1%			1%～2%
					1%～4%	< 2%
			0.02%～0.05%	5%～15%	<0.5θ	40%～90%
AO-PFV	0	10～12	0.06%～0.07%	1%	0.5 θ～θ	10%～30%	0.3%～1%
			> 0.08%	< 0.5%	>θ	<1%

Address overloading-based packet forwarding verification in SDN

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 17

References 20

Related Articles 15

Metrics

Recommended 0

[1]	Weigang HUO, Rui LIANG, Yonghua LI. Anomaly detection model for multivariate time series based on stochastic Transformer [J]. Journal on Communications, 2023, 44(2): 94-103.
[2]	Jianxin LIAO, Xiaoyuan FU, Qi QI, Jingyu WANG, Haifeng SUN. 6G-ADM: knowledge based 6G network management and control architecture [J]. Journal on Communications, 2022, 43(6): 3-15.
[3]	Xueyuan DUAN, Yu FU, Kun WANG. Multi-dimensional time series anomaly detection method based on VAE-WGAN [J]. Journal on Communications, 2022, 43(3): 1-13.
[4]	Haili SUN, Xiang LONG, Lansheng HAN, Yan HUANG, Qingbo LI. Overview of anomaly detection techniques for industrial Internet of things [J]. Journal on Communications, 2022, 43(3): 196-210.
[5]	Zhuo CHEN, Miao ZHU, Junwei DU. Multi-view graph neural network for fraud detection algorithm [J]. Journal on Communications, 2022, 43(11): 225-232.
[6]	Xueyuan DUAN, Yu FU, Kun WANG, Taotao LIU, Bin LI. Network traffic anomaly detection method based on multi-scale characteristic [J]. Journal on Communications, 2022, 43(10): 65-76.
[7]	Ping WU, Chaowen CHANG, Yingying MA. Port address overloading based packet forwarding verification in SDN [J]. Journal on Communications, 2021, 42(7): 70-83.
[8]	Lan YAO,Julong LAN. Adaptive SDN switch migration mechanism based on coalitional game [J]. Journal on Communications, 2020, 41(8): 1-10.
[9]	Tieming CHEN,Chengqiang JIN,Mingqi LYU,Tiantian ZHU. Intelligent detection method on network malicious traffic based on sample enhancement [J]. Journal on Communications, 2020, 41(6): 128-138.
[10]	Qi QI,Runye SHEN,Jingyu WANG. GAD:topology-aware time series anomaly detection [J]. Journal on Communications, 2020, 41(6): 152-160.
[11]	Xiaohui YANG,Shengchang ZHANG. Anomaly detection model based on multi-grained cascade isolation forest algorithm [J]. Journal on Communications, 2019, 40(8): 133-142.
[12]	Julong LAN,Xueshuai ZHANG,Yuxiang HU,Penghao SUN. Software-defined networking QoS optimization based on deep reinforcement learning [J]. Journal on Communications, 2019, 40(12): 60-67.
[13]	Qian DONG,Jun LI,Yuxiang MA,Shujun HAN. Traffic scheduling method based on segment routing in software-defined networking [J]. Journal on Communications, 2018, 39(11): 23-35.
[14]	Yi-wei GAO,Rui-kang ZHOU,Ying-xu LAI,Ke-feng FAN,Xiang-zhen YAO,Lin LI. Research on industrial control system intrusion detection method based on simulation modelling [J]. Journal on Communications, 2017, 38(7): 186-198.
[15]	Zhi-jun WU,Jing-an ZHANG,Meng YUE,Cai-feng ZHANG. Approach of detecting low-rate DoS attack based on combined features [J]. Journal on Communications, 2017, 38(5): 19-30.