Research On Security Issues Of Software Defined Network

Posted on: 2019-10-12; Degree: Doctor; Type: Dissertation
Country: China; Candidate: C T Lin
GTID: 1368330548477402; Subject: Computer Science and Technology
Abstract/Summary:
Because the traditional network architecture can hardly meet the demands of today's new network technologies, such as Cloud Computing, Big Data science, Data Center and so on, SDN (Software Defined Networking) was proposed. It offers hope of mitigating the limitations of current network infrastructures and breaks the vertical integration by separating the network's control logic (the control plane) from the underlying routers and switches that forward the packets (on the data plane). Although the SDN architecture makes network management easier than ever before, it has to face security issues just as the traditional architecture does. Moreover, due to its novel architecture, attacks could also appear on all layers (application, control and data) and on both the northbound and southbound APIs.

In this thesis, we first analyze OpenFlow-SDN. Second, we raise some security issues based on this analysis. Last, we propose some solutions to these security issues. Our goal is to achieve greater security for OpenFlow-SDN. Our research work is as follows:

1. The network elements attract worm propagation attacks because their configuration is static. We hence propose an adaptive IP address mutation method based on MTD (Moving Target Defense). Adaptive IP address mutation is a proactive defense method that reduces the risk of network attacks compared with a static configuration, especially when dealing with worm propagation attacks. Our work is a trade-off between network performance and security, which implies that when a security mechanism is reinforced, network performance is impaired, and vice versa. We then evaluate this method in a simulated computer cluster environment and demonstrate that, according to the experimental results, our method can successfully find an optimal solution. For example, it can reduce worm propagation significantly while maintaining network performance at a predefined level.

2. The design flaws of SDN introduce some security issues. For example, the design flaws in the preliminary stage would cause packet retransmission and introduce scanning attacks. We hence present an analytical model, based on stochastic network calculus theory, for evaluating the end-to-end delay. Our model is evaluated using both a simulation tool and a realistic testbed. The results show that the analysis model based on stochastic network calculus can realistically measure the network performance of the end-to-end properties between controller and switch.

3. SDN opens some security challenges because of its own architecture, such as flooding attacks. To protect the SDN framework from flooding attacks, we present a defense approach called PBUF (Packet forwarding based on BUFfer sharing), which pools the idle switches to mitigate threat issues. The simulation results show that PBUF is effective and brings only a little overhead to the SDN framework.

Our research mainly depends on the National Basic Research Program of China, the National High Technology Research Program of China (973 Program): Reconfigurable Information Communication Fundamental Network Architecture, National High Technology Research Program of China (863 program): Research and Development of Critical Elastic Resource Allocation and Corresponding Devices in Software-defined Networks, and National Key Research and Development Program of China: Proactive Network Security Defense. The three works offer some thoughts and methods for further research toward greater OpenFlow-SDN security.
Keywords/Search Tags:SDN, OpenFlow, Flooding Attack, Performance Evaluation, Worm Propagation Attack, IP Hopping