Journal on Communications ›› 2022, Vol. 43 ›› Issue (3): 88-100. doi: 10.11959/j.issn.1000-436x.2022047
Ping WU1, Chaowen CHANG1, Zhibin ZUO2, Yingying MA1
Revised: 2021-12-26
Online: 2022-03-25
Published: 2022-03-01
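Ping WU, Chaowen CHANG, Zhibin ZUO, Yingying MA. Address overloading-based packet forwarding verification in SDN[J]. Journal on Communications, 2022, 43(3): 88-100.
Scheme | Problem addressed | Main techniques | Advantages and disadvantages |
Ref. [ | Packet forwarding, path validation | Message authentication code, hash chain | Embedded packet header grows linearly with path length; hard to resist drop and hijacking attacks by malicious nodes |
Ref. [ | Packet forwarding, path validation | Lightweight key distribution, sampling | High protocol communication overhead; the sampling information that intermediate nodes return to the source node is susceptible to interference |
Ref. [ | Transmission path consistency detection | Compressed message authentication code | Flow-based compressed authentication code reduces communication overhead; prone to false positives when packets are lost; embedded packet header grows linearly with the path |
Ref. [ | Packet forwarding control | Attribute-based cryptography, cryptographic-tag-based forwarding | High computation and communication overhead; can detect malicious tampering/injection; cannot detect drop/hijacking attacks |
Ref. [ | Packet forwarding verification | Message authentication code, sampling based on specific tags | Inserted tags increase communication overhead; the controller distributes packet authentication codes to achieve hop-by-hop verification |
Ref. [ | Packet forwarding verification | Cryptographic identifier, sampling | Low communication overhead; can detect tampering; cannot detect drop/hijacking |
Ref. [ | Network anomaly detection | Abstract flow graph | Hard to detect complex attacks such as drop-and-inject or tampering |
Ref. [ | Packet forwarding verification | Message authentication code, port address overloading | Low communication overhead; the source node must store flow path information |
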
Scheme | Communication overhead | Computation time/μs | Tampering attack: α | Tampering attack: false negative rate | Drop attack: α | Drop attack: false negative rate | Drop attack: false positive rate |
Ref. [ | 23% | 300~380 | — | 0 | — | — | — | |
Ref. [ | 4.58% | 160~190 | — | 0 | — | — | — | |
Ref. [ | 14.4% | 3 800~4 000 | — | 0 | — | — | — | |
Ref. [ | 0.2%~0.5% | 50 | 10%~30% | 4%~10% | 10% | 2% | 3%~4% | |
Ref. [ | 4.14% | 30~36 | 10% | 7%~10% | — | — | — | |
<0.5% | > 10% | |||||||
Ref. [ | 0 | 160~190 | 1%~4% | <1% | 1%~2% | |||
1%~4% | < 2% | |||||||
0.02%~0.05% | 5%~15% | <0.5θ | 40%~90% | |||||
AO-PFV | 0 | 10~12 | 0.06%~0.07% | 1% | 0.5 θ~θ | 10%~30% | 0.3%~1% | |
> 0.08% | < 0.5% | >θ | <1% |
[1] | SARASWAT S, AGARWAL V, GUPTA H P, et al. Challenges and solutions in software defined networking: a survey[J]. Journal of Network and Computer Applications, 2019, 141: 23-58. |
[2] | WANG T, CHEN H C, CHENG G Z. Research on software-defined network and the security defense technology[J]. Journal on Communications, 2017, 38(11): 133-160. |
[3] | YUE M, WANG H Y, WU Z J, et al. A survey of DDoS attack and defense technologies in cloud computing[J]. Chinese Journal of Computers, 2020, 43(12): 2315-2336. |
[4] | MIZRAK A T, CHENG Y C, MARZULLO K, et al. Detecting and isolating malicious routers[J]. IEEE Transactions on Dependable and Secure Computing, 2006, 3(3): 230-244. |
[5] | AKHUNZADA A, GANI A, ANUAR N B, et al. Secure and dependable software defined networks[J]. Journal of Network and Computer Applications, 2016, 61: 199-221. |
[6] | SHAGHAGHI A, KAAFAR M A, BUYYA R, et al. Software-defined network (SDN) data plane security: issues, solutions, and future directions handbook of computer networks and cyber security[J]. arXiv Preprint, arXiv:1804.00262, 2018. |
[7] | KIM T H J, BASESCU C, JIA L M, et al. Lightweight source authentication and path validation[J]. ACM SIGCOMM Computer Communication Review, 2015, 44(4): 271-282. |
[8] | WU B, XU K, LI Q, et al. RFL: robust fault localization on unreliable communication channels[J]. Computer Networks, 2019, 158: 158-174. |
[9] | ZHANG P, WU H, ZHANG D, et al. Verifying rule enforcement in software defined networks with REV[J]. IEEE/ACM Transactions on Networking, 2020, 28(2): 917-929. |
[10] | ZHU X W, CHANG C W, ZHU Z Q, et al. SDN control and forwarding method based on identity attribute[J]. Journal on Communications, 2019, 40(11): 1-18. |
[11] | WANG S Y, LI Q, ZHANG Y. LPV: lightweight packet forwarding verification in SDN[J]. Chinese Journal of Computers, 2019, 42(1): 176-189. |
[12] | ZUO Z B, CHANG C W, ZHU X W. A software-defined networking packet forwarding verification mechanism based on programmable data plane[J]. Journal of Electronics & Information Technology, 2020, 42(5): 1110-1117. |
[13] | LIN Y S X, BI J, ZHOU Y, et al. Research and applications of programmable data plane based on P4[J]. Chinese Journal of Computers, 2019, 42(11): 2539-2560. |
[14] | DHAWAN M, PODDAR R, MAHAJAN K, et al. SPHINX: detecting security attacks in software-defined networks[C]// Proceedings of 2015 Network and Distributed System Security Symposium. Virginia: the Internet Society, 2015: 1-15. |
[15] | WU P, CHANG C W, MA Y Y. Port address overloading based packet forwarding verification in SDN[J]. Journal on Communications, 2021, 42(7): 70-83. |
[16] | SENGUPTA S, CHOWDHARY A, SABUR A, et al. A survey of moving target defenses for network security[J]. IEEE Communications Surveys & Tutorials, 2020, 22(3): 1909-1941. |
[17] | JAFARIAN J H, AL-SHAER E, DUAN Q. Formal approach for route agility against persistent attackers[M]. Berlin: Springer, 2013: 237-254. |
[18] | DUFFIELD N G, GROSSGLAUSER M. Trajectory sampling for direct traffic observation[J]. IEEE/ACM Transactions on Networking, 2001, 9(3): 280-292. |
[19] | GOLDBERG S, XIAO D, BARAK B, et al. Measuring path quality in the presence of adversaries: the role of cryptography in network accountability[R]. 2007. |
[20] | HAGERUP T, RÜB C. A guided tour of Chernoff bounds[J]. Information Processing Letters, 1990, 33(6): 305-308. |