Exploit attacks against the control layer, such as malicious apps and flow-table tampering, are among the main threats facing software-defined networking (SDN), and traditional defense strategies based on vulnerability patching cannot cope with unknown vulnerabilities or backdoors. This paper proposes a network operating system security architecture based on the idea of mimic defense, the mimic network operating system (MNOS), to protect the SDN control layer. The architecture uses heterogeneous, redundant network operating systems (NOSs) and inserts a mimic layer between the traditional SDN data layer and control layer to perform dynamic scheduling. The mimic layer first dynamically selects several NOSs to be activated and serve in parallel, then decides, from the processing results of the individual NOSs, the final valid response to return to the underlying switch. Experimental evaluation shows that, at a limited latency cost, MNOS effectively reduces the probability that the SDN control layer is successfully attacked and offers good fault tolerance and intrusion tolerance; building on this, the proposed scheduling strategy and adjudication mechanism effectively increase the heterogeneity of the system and the accuracy of adjudication, further improving security.
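As an added illustration, not code from the paper, the following Python model shows the two mimic-layer steps the abstract describes: heterogeneity-preferring selection of the active NOSs and majority adjudication of their flow responses, with a constructed tampered NOS being outvoted. The NOS names, implementation families, event format and handlers are assumptions made for the example.

```python
import random
from collections import Counter

def honest_nos(event):
    """Reference NOS behaviour: install a flow sending dst traffic to its learned port."""
    return {"match": event["dst"], "action": "output:%d" % event["port_for_dst"]}

def tampered_nos(event):
    """Constructed compromised NOS: tampers the flow entry so the traffic is dropped."""
    return {"match": event["dst"], "action": "drop"}

def select_active(pool, k, seed=0):
    """Mimic-layer scheduling: choose k NOSs from pool, a list of (name, family, handler)
    tuples (hypothetical model). One NOS per implementation family is taken first so the
    active set is as heterogeneous as possible; remaining slots are filled at random."""
    shuffled = pool[:]
    random.Random(seed).shuffle(shuffled)
    chosen, families = [], set()
    for nos in shuffled:
        if nos[1] not in families and len(chosen) < k:
            chosen.append(nos)
            families.add(nos[1])
    for nos in shuffled:
        if len(chosen) >= k:
            break
        if nos not in chosen:
            chosen.append(nos)
    return chosen

def adjudicate(responses):
    """Majority adjudication over {nos_name: response}. Returns (accepted response,
    names of dissenting NOSs). The response is None when no strict majority exists,
    so the mimic layer returns nothing to the switch rather than guessing; the
    dissenter list is what a defender would log to spot a misbehaving NOS."""
    keyed = {name: tuple(sorted(r.items())) for name, r in responses.items()}
    winner, votes = Counter(keyed.values()).most_common(1)[0]
    if votes * 2 <= len(keyed):
        return None, sorted(keyed)
    return dict(winner), sorted(n for n, v in keyed.items() if v != winner)

def handle_packet_in(pool, event, k=3, seed=0):
    """One packet-in through the mimic layer: schedule the active NOSs, run them
    (in parallel in MNOS, sequentially in this model) and adjudicate the results."""
    active = select_active(pool, k, seed)
    responses = {name: handler(event) for name, _, handler in active}
    return adjudicate(responses)
```

With three active NOSs a single compromised one is outvoted; two compromised ones are not, which is the tolerance bound the voting gives.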