
Research On Network Security Defense Methods Based On SDN

Posted on: 2019-09-12
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Y Zhou
Full Text: PDF
GTID: 1368330551456739
Subject: Information security
Abstract/Summary:
As a new network technology, software-defined networking (SDN) has received extensive attention and research in recent years. The security threats faced by an SDN network, and the corresponding defenses, can be divided into five aspects according to its architecture: the application layer, the northbound interface, the control layer, the southbound interface, and the data layer. Because of the importance of the control layer, the southbound interface and the data layer, research on the security of these three layers is very extensive. The southbound interface is the core technology that implements the decoupling of the control and data planes in SDN, so its security largely determines the overall security of the SDN network. The control layer is the control center of the SDN architecture and is responsible for determining network policies. At the same time, the distributed control layer, as the solution to single-point failure and scalability problems at the control plane, has attracted much attention; how to ensure the security of the distributed control plane, and especially of strategically located controller nodes, is of significant importance to the security of the SDN network. Furthermore, the data layer provides fast forwarding and data integrity, so it is of great value to enhance defensive capability by ensuring the integrity of data and the security of backbone nodes at the data plane, including improving their ability to counter interception and identification attacks.

Based on the features of the SDN architecture, the distributed control layer is an important way to counter DDoS threats against the SDN control plane, and it also provides scalability of the control layer. This dissertation proposes a solution that guarantees the performance of the distributed control plane and protects strategically located nodes from attack. In addition, the data layer implements the forwarding function of SDN with switches, so this dissertation proposes a method to ensure data integrity and the security of the backbone forwarding nodes on the data plane. Besides that, it also proposes a detection method for DDoS threats appearing at the southbound interface of SDN. The detailed defense schemes are as follows.

1. Motivated by the security needs of strategically important nodes on the distributed control plane and the high computational complexity of current load balancing solutions, we first propose an optimal switch migration algorithm. This algorithm interprets the switch migration problem as a signature matching problem with a new three-dimensional EMD algorithm, in which the source controllers, the destination controllers and the switches to be migrated are the variables to be solved. The algorithm is designed to protect strategically important controller nodes in the network. Considering scalability, we further propose a heuristic method with two concatenated sub-problems that is time-efficient and suitable for large-scale networks. Simulation results show that the proposed methods can disguise strategically important controllers by diminishing the difference in traffic load between controllers. Moreover, they significantly relieve the traffic pressure on controllers and prevent saturation attacks.

2. Randomly and instantly mutating routes can disguise strategically important nodes on the data plane and protect the integrity of data networks. However, state-of-the-art route mutation methods have high computational complexity and lack scalability. We first propose a new node-centric route mutation method and expand a single node to a detour. We also formulate this problem as a signature matching problem in a three-dimensional EMD model and solve it with a binary branch and bound algorithm. Considering scalability, we further propose a heuristic method with low computational complexity that applies to large-scale SDN networks. In addition, we take real network scenarios into consideration by designing the proposed methods under different constraint conditions. Simulation results show that our methods effectively disguise and protect strategically important nodes by diminishing the difference in historically accumulated traffic between them, while significantly reducing computational complexity, so that they can be applied to large-scale SDNs.

3. The decoupled data and control planes of SDN introduce the threat of DDoS attacks, and current solutions cannot detect these attacks accurately. To address this, we propose a novel DDoS detection method based on the EMD algorithm that comprehensively analyzes multidimensional characteristics of network traffic. Furthermore, to improve the feasibility and accuracy of the proposed algorithm, we develop a new symmetric Renyi entropy divergence as the cost function in EMD. Simulation results show that the proposed method not only detects DDoS attacks in SDN by comparing EMD values but also effectively improves detection accuracy.

In summary, this dissertation focuses on the key defense technologies of SDN. Based on the features of SDN, we propose corresponding security detection and defense solutions. Simulation results show that our methods achieve fast and effective defense against the corresponding SDN security problems and have significant practical value.
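The goal stated in contribution 1, moving switches between controllers until no controller's load marks it as the strategic target, can be seen in a small worked example. The block below is added here and is not the dissertation's algorithm: the dissertation formulates migration as signature matching in a three-dimensional EMD model solved by branch and bound, while this block substitutes a plain greedy heuristic that repeatedly moves one switch off the hottest controller onto the coldest one. The controller set, the switch-to-controller mapping and the per-switch loads (think Packet-In rate) are constructed for the demonstration.

```python
"""Greedy switch migration that evens out controller load.

Added illustrative example; NOT the dissertation's three-dimensional EMD /
branch-and-bound formulation. It shows only the stated goal: shrink the load
gap between controllers so that no controller stands out as a strategic
target. Controllers, switches and loads below are constructed.
"""


def controller_loads(assignment, switch_load, controllers):
    """Aggregate per-switch load onto the controller that owns each switch."""
    loads = {c: 0 for c in controllers}
    for sw, ctl in assignment.items():
        loads[ctl] += switch_load[sw]
    return loads


def load_gap(loads):
    """Difference between the most and least loaded controller."""
    return max(loads.values()) - min(loads.values())


def plan_migrations(assignment, switch_load, controllers, max_steps=100):
    """Greedy plan: each step moves one switch from the hottest controller to
    the coldest one, choosing the switch whose move leaves the smallest
    max-min load gap. Stops at a local optimum (no move strictly narrows the
    gap) or after max_steps. Returns (new_assignment, migrations) where
    migrations is a list of (switch, from_controller, to_controller)."""
    assignment = dict(assignment)
    migrations = []
    for _ in range(max_steps):
        loads = controller_loads(assignment, switch_load, controllers)
        hot = max(loads, key=loads.get)
        cold = min(loads, key=loads.get)
        best_sw, best_gap = None, load_gap(loads)
        for sw, ctl in assignment.items():
            if ctl != hot:
                continue
            trial = dict(loads)  # load picture if this switch were migrated
            trial[hot] -= switch_load[sw]
            trial[cold] += switch_load[sw]
            gap = load_gap(trial)
            if gap < best_gap:
                best_sw, best_gap = sw, gap
        if best_sw is None:
            break  # every candidate move widens or keeps the gap
        assignment[best_sw] = cold
        migrations.append((best_sw, hot, cold))
    return assignment, migrations


# Constructed scenario: controller c1 owns the busiest switches and would be
# the obvious saturation target; c2 and c3 are nearly idle.
CONTROLLERS = ("c1", "c2", "c3")
SWITCH_LOAD = {"s1": 50, "s2": 40, "s3": 30, "s4": 20,
               "s5": 10, "s6": 10, "s7": 5, "s8": 5}
INITIAL = {"s1": "c1", "s2": "c1", "s3": "c1", "s4": "c1",
           "s5": "c2", "s6": "c2", "s7": "c3", "s8": "c3"}

if __name__ == "__main__":
    before = controller_loads(INITIAL, SWITCH_LOAD, CONTROLLERS)
    final, moves = plan_migrations(INITIAL, SWITCH_LOAD, CONTROLLERS)
    after = controller_loads(final, SWITCH_LOAD, CONTROLLERS)
    print("before", before, "gap", load_gap(before))
    for sw, src, dst in moves:
        print(f"migrate {sw}: {src} -> {dst}")
    print("after ", after, "gap", load_gap(after))
```

On the constructed input the plan moves s1 to c3 and s2 to c2, taking the load gap from 130 to 10; the greedy stop rule is what keeps the plan short, which is the property a migration scheme needs at scale, since every migration is itself a control-plane cost.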
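Contribution 2 describes re-selecting a flow's route at each mutation epoch so that the historically accumulated traffic is spread across forwarding nodes rather than concentrated on a few. The block below is an added example, not the dissertation's method: instead of the three-dimensional EMD signature-matching model, it enumerates loop-free detours on a small constructed topology and, each epoch, greedily picks the one that leaves the smallest spread of accumulated traffic across nodes. The topology, the A-to-I flow and its per-epoch volumes are all constructed.

```python
"""Node-centric route mutation that spreads accumulated traffic over switches.

Added illustrative example; NOT the dissertation's EMD / branch-and-bound
formulation. It shows only the stated goal: pick a detour each epoch so that
no single forwarding node accumulates markedly more traffic than its peers,
which would mark it as a strategic target. Topology and flow are constructed.
"""

# Constructed 9-switch topology (adjacency lists) with several A->I detours.
TOPOLOGY = {
    "A": ["B", "C"], "B": ["A", "D", "E"], "C": ["A", "E", "F"],
    "D": ["B", "G"], "E": ["B", "C", "G", "H"], "F": ["C", "H"],
    "G": ["D", "E", "I"], "H": ["E", "F", "I"], "I": ["G", "H"],
}


def simple_paths(graph, src, dst, max_hops):
    """All loop-free paths from src to dst with at most max_hops edges."""
    found = []

    def dfs(node, path):
        if node == dst:
            found.append(list(path))
            return
        if len(path) - 1 >= max_hops:
            return
        for nxt in graph[node]:
            if nxt not in path:  # keep the path simple
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    dfs(src, [src])
    return found


def transit(path):
    """Forwarding nodes that carry the flow, excluding the two endpoints."""
    return path[1:-1]


def choose_route(candidates, accumulated, volume):
    """Candidate whose use leaves the smallest max-min spread of accumulated
    traffic over all nodes; ties go to the shorter path."""
    def spread_after(path):
        trial = dict(accumulated)
        for n in transit(path):
            trial[n] += volume
        return max(trial.values()) - min(trial.values())
    return min(candidates, key=lambda p: (spread_after(p), len(p)))


def mutate_routes(graph, src, dst, volumes, max_hops=6):
    """Re-select the route every epoch. Returns (route history, accumulated
    per-node traffic)."""
    accumulated = {n: 0 for n in graph}
    candidates = simple_paths(graph, src, dst, max_hops)
    history = []
    for v in volumes:
        path = choose_route(candidates, accumulated, v)
        for n in transit(path):
            accumulated[n] += v
        history.append(path)
    return history, accumulated


def static_route(graph, src, dst, volumes, max_hops=6):
    """Baseline without mutation: the same shortest path every epoch."""
    accumulated = {n: 0 for n in graph}
    path = min(simple_paths(graph, src, dst, max_hops), key=len)
    for v in volumes:
        for n in transit(path):
            accumulated[n] += v
    return accumulated


VOLUMES = [10] * 12  # constructed: 12 epochs of 10 units each for flow A->I

if __name__ == "__main__":
    hist, acc = mutate_routes(TOPOLOGY, "A", "I", VOLUMES)
    for epoch, path in enumerate(hist):
        print(epoch, "->".join(path))
    print("mutated peak node load:", max(acc.values()), acc)
    print("static  peak node load:",
          max(static_route(TOPOLOGY, "A", "I", VOLUMES).values()))
```

With a fixed shortest path the three transit switches on it absorb all 120 units and are trivially identifiable from historical load; with per-epoch mutation the peak per-node accumulation stays well below that. Enumerating every simple path is only viable on small graphs, which is exactly the scalability limit contribution 2 addresses with its heuristic.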
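Contribution 3 combines two ingredients, Renyi entropy of traffic features and EMD between traffic signatures, to flag DDoS traffic. The block below is an added example and not the dissertation's detector. It assumes EMD means Earth Mover's Distance and that the "symmetric Renyi divergence" is the symmetrised order-alpha Renyi divergence D(P||Q) + D(Q||P); the dissertation's exact construction of that divergence as the EMD cost function is not given on this page, so here the divergence is applied directly to categorical features (source IP, destination IP, destination port) and a one-dimensional EMD to the ordered packets-per-flow histogram. Flow records, thresholds and the alpha value are constructed for the demonstration.

```python
"""Entropy- and EMD-based DDoS detection over per-window traffic features.

Added illustrative example; NOT the dissertation's code. Assumptions not
stated on the page: EMD = Earth Mover's Distance; the symmetric Renyi
divergence is D_a(P||Q) + D_a(Q||P); thresholds and alpha are hand-picked
for the constructed traffic below.
"""
import math
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "src_ip dst_ip dst_port pkts")

ALPHA = 2.0          # Renyi order (alpha -> 1 recovers Shannon entropy)
N_PKT_BINS = 8       # log2 packets-per-flow buckets: 1, 2-3, 4-7, ... 128+
EPS = 1e-6           # additive smoothing so unseen symbols get non-zero mass
DIV_THRESHOLD = 1.0  # bits, per categorical feature (assumed)
EMD_THRESHOLD = 0.5  # bins, packet-count histogram (assumed)


def distribution(values):
    """Empirical probability distribution of a categorical feature."""
    counts = Counter(values)
    n = sum(counts.values())
    return {k: c / n for k, c in counts.items()}


def renyi_entropy(dist, alpha=ALPHA):
    """H_alpha(P) = log2(sum p^alpha) / (1 - alpha), in bits."""
    return math.log2(sum(p ** alpha for p in dist.values())) / (1.0 - alpha)


def _smooth(dist, keys):
    raw = {k: dist.get(k, 0.0) + EPS for k in keys}
    z = sum(raw.values())
    return {k: v / z for k, v in raw.items()}


def symmetric_renyi_divergence(p, q, alpha=ALPHA):
    """D_a(P||Q) + D_a(Q||P) with D_a = log2(sum p^a q^(1-a)) / (a - 1)."""
    keys = set(p) | set(q)
    ps, qs = _smooth(p, keys), _smooth(q, keys)

    def d(a, b):
        s = sum(a[k] ** alpha * b[k] ** (1.0 - alpha) for k in keys)
        return math.log2(s) / (alpha - 1.0)

    return d(ps, qs) + d(qs, ps)


def pkt_histogram(flows):
    """Normalised histogram of packets per flow on a log2 scale."""
    hist = [0.0] * N_PKT_BINS
    for f in flows:
        hist[min(int(math.log2(f.pkts)), N_PKT_BINS - 1)] += 1
    return [h / len(flows) for h in hist]


def emd_1d(p, q):
    """EMD between histograms on the same ordered bins with ground distance
    |i - j|: equals the L1 distance between the two CDFs."""
    cum, total = 0.0, 0.0
    for a, b in zip(p, q):
        cum += a - b
        total += abs(cum)
    return total


def window_features(flows):
    return {
        "src_ip": distribution(f.src_ip for f in flows),
        "dst_ip": distribution(f.dst_ip for f in flows),
        "dst_port": distribution(f.dst_port for f in flows),
        "pkts": pkt_histogram(flows),
    }


def score_window(baseline, window):
    """Per-feature distance of `window` from `baseline`, plus an alert flag."""
    b, w = window_features(baseline), window_features(window)
    cats = ("src_ip", "dst_ip", "dst_port")
    scores = {k: symmetric_renyi_divergence(b[k], w[k]) for k in cats}
    scores["pkts_emd"] = emd_1d(b["pkts"], w["pkts"])
    alert = (any(scores[k] > DIV_THRESHOLD for k in cats)
             or scores["pkts_emd"] > EMD_THRESHOLD)
    return scores, alert


# Constructed traffic: 12 clients, 6 servers, mixed ports, 5-44 pkts/flow.
PORTS = (443, 80, 53, 22, 993, 8080)


def normal_window(n_flows, pkt_step):
    return [Flow(f"192.0.2.{i % 12}", f"198.51.100.{i % 6}", PORTS[i % 6],
                 5 + (i * pkt_step) % 40) for i in range(n_flows)]


def syn_flood(n_flows):
    """Constructed flood: one packet per flow, many spoofed sources, one target."""
    return [Flow(f"203.0.113.{i % 256}", "198.51.100.1", 80, 1)
            for i in range(n_flows)]


BASELINE = normal_window(60, 7)
QUIET = normal_window(66, 11)
ATTACK = QUIET + syn_flood(300)

if __name__ == "__main__":
    for name, win in (("quiet", QUIET), ("attack", ATTACK)):
        scores, alert = score_window(BASELINE, win)
        print(name, {k: round(v, 3) for k, v in scores.items()},
              "ALERT" if alert else "ok")
```

The flood window shows the classic signature: source-IP entropy rises (many spoofed senders) while destination-IP entropy collapses onto the target, and the packets-per-flow histogram shifts almost entirely into the single-packet bin, which the EMD measures as a multi-bin shift rather than as a mere count difference. The quiet window, whose distributions differ from the baseline only slightly, stays under every threshold.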
Keywords/Search Tags: SDN, EMD Algorithm, Switch Migration, Route Mutation, DDoS Attack Detection