
Several Security Issues In Software Defined Networking

Posted on: 2019-06-23
Degree: Doctor
Type: Dissertation
Country: China
Candidate: C C Zhao
Full Text: PDF
GTID: 1368330551958123
Subject: Computer Science and Technology

Abstract/Summary:
With the advance of network technology, the Internet is changing every aspect of our lives. Online office work, online learning and online shopping have greatly enriched and facilitated people's work, study and life. However, while offering great convenience, the rapid development of the Internet also brings great challenges to the management and innovation of the network. The proliferation of network traffic has left routers and other network devices increasingly overwhelmed, and the whole network has become bloated and difficult to manage and innovate. Software defined networking (SDN) is a new kind of network architecture that can meet the needs of the future Internet, and its emergence makes it possible to break through the bottlenecks of the existing network architecture. SDN separates the control plane from the data plane and shields the complexity of the underlying network infrastructure, making management of the whole network more convenient and efficient. At the same time, the centralized management, openness and programmability of SDN make it a good foundation for future business innovation. However, everything has two sides. As an emerging technology in its initial phase, SDN cannot be perfect, and its many advantages are a double-edged sword: they provide great benefits and convenience, but they also bring security problems that cannot be ignored. For example, the centralized management of SDN gives rise to security issues such as application policy conflicts and illegal access, and the programmability of SDN lets attackers launch a distributed denial of service (DDoS) attack on the network through software programming. Therefore, in-depth study and resolution of several security problems in software defined networking is key to the further rapid and healthy development of SDN.

Within the Research and Application of Key Technologies of Information Security Certification and Recognition project of a national key research and development plan, this paper further investigates three hot-spot security issues in software defined networking: application policy conflict, unauthorized access and DDoS attacks. The main research content and innovation points of this paper are as follows:

1. To solve the application policy conflict problem, a policy conflict detection scheme based on rule groups in software defined networking was proposed. Firstly, five logical relations between rules, with the properties of uniqueness and certainty, were defined according to set theory. On this basis, rule conflicts were divided into four categories according to the similarities and differences of the rules' Action domain. Then the application policy conflict detection scheme was proposed: first, the rule set is divided into several subsets according to the Protocol domain and the Dst_Port domain; then each subset is refined according to the effective bit positions, yielding a number of smaller rule groups; within each rule group, the set-theory-based rule conflict detection algorithm is run, so that all conflicts and their types in the rule set are detected. The experimental results showed that, compared with the comparison scheme, the rule-group-based application policy conflict detection scheme had higher detection efficiency. At the same time, the scheme applies not only to policy conflicts between common applications and security applications, but also to conflicts among common applications.

2. To solve the illegal access problem, an access control scheme based on user trust in software defined networking was proposed. Firstly, the system model of the access control scheme was designed. Next, the principles and process design of the main modules in the system model were worked out. On this basis, the access control scheme was proposed: first, determine whether a flow entry corresponding to the user's network access request packet exists; if it does not, determine whether the user is a new user (a new user is guided to complete registration and authorization, and only then can the controller send the flow entry to the switch); then obtain the user's trust according to the trust calculation and updating method; finally, respond to the user's access request differently according to the user trust. The experimental results showed that the proposed access control scheme based on user trust is correct and effective: the user's real identity is reflected in the scheme through trust, and the scheme has a better ability to recognize malicious illegal users, effectively preventing illegal access and protecting lawful access. At the same time, compared with the traditional access control scheme, this scheme achieves more fine-grained access control.

3. To solve the DDoS attack problem, a DDoS attack detection scheme based on a self-organizing map (SOM) network in software defined networking was proposed. First, an early warning is given according to the probability of occurrence of the Packet_In event. If the threshold is exceeded, self-adaptive flow sampling is carried out according to flow length, which reduces the massive data volume and the consumption of resources. On this basis, the characteristics of the flows are calculated and the self-organizing map network is used to cluster the eigenvalues, finally detecting the DDoS attack flows. The experimental results showed that the DDoS attack detection scheme based on the self-organizing map network was superior to the comparison scheme in detection rate and false alarm ratio.
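To make the rule-group conflict detection of item 1 concrete, here is an added worked example in Python; it is not code from the dissertation. Rules are modelled as OpenFlow-style matches on source prefix, destination prefix, protocol and destination port, each with a priority and an action. The five set relations used here (equal, subset, superset, disjoint, and correlated for partial overlap), the four conflict classes (shadowing, redundancy, generalization, correlation, names borrowed from the firewall-anomaly literature and not necessarily the thesis's four categories), the sample rules and the grouping by Protocol and Dst_Port are all assumptions of this example; the thesis's further refinement by effective bit position is not reproduced, only the first partition into subsets.

```python
from collections import defaultdict
from ipaddress import ip_network
from itertools import combinations

FIELDS = ("src", "dst", "proto", "dst_port")


def make_rule(name, src, dst, proto, dst_port, action, priority):
    """Build a flow rule; '*' is a wildcard, IP fields are CIDR prefixes."""
    return {"name": name,
            "src": "*" if src == "*" else ip_network(src),
            "dst": "*" if dst == "*" else ip_network(dst),
            "proto": proto, "dst_port": dst_port,
            "action": action, "priority": priority}


def field_relation(a, b):
    """Set relation of value a to value b inside one match field."""
    if a == b:
        return "equal"
    if a == "*":
        return "superset"
    if b == "*":
        return "subset"
    if hasattr(a, "subnet_of"):           # two CIDR prefixes: nested or disjoint
        if a.subnet_of(b):
            return "subset"
        if b.subnet_of(a):
            return "superset"
    return "disjoint"                     # two different concrete values


def rule_relation(r1, r2):
    """Relation of the match space of r1 to that of r2 (assumed five relations)."""
    rels = {field_relation(r1[f], r2[f]) for f in FIELDS}
    if "disjoint" in rels:
        return "disjoint"                 # one field never overlaps: no packet hits both
    if rels == {"equal"}:
        return "equal"
    if "superset" not in rels:
        return "subset"                   # every field of r1 is inside r2
    if "subset" not in rels:
        return "superset"
    return "correlated"                   # partial overlap: each rule wider in some field


def classify(high, low):
    """Conflict class for a higher-priority rule and a lower-priority rule (assumed names)."""
    rel = rule_relation(low, high)
    same_action = high["action"] == low["action"]
    if rel == "disjoint":
        return None
    if rel in ("equal", "subset"):        # the lower rule never matches anything
        return "redundancy" if same_action else "shadowing"
    if rel == "superset":                 # lower rule is a wider fallback with another action
        return None if same_action else "generalization"
    return None if same_action else "correlation"


def group_rules(rules):
    """Partition by (Protocol, Dst_Port); wildcard rules must be checked against every group."""
    groups, wild = defaultdict(list), []
    for r in rules:
        if r["proto"] == "*" or r["dst_port"] == "*":
            wild.append(r)
        else:
            groups[(r["proto"], r["dst_port"])].append(r)
    return groups, wild


def detect_conflicts(rules):
    """Return sorted (higher_rule, lower_rule, conflict_type) triples."""
    groups, wild = group_rules(rules)
    pairs = list(combinations(wild, 2))
    for members in groups.values():           # rules in different groups are disjoint by construction
        pairs.extend(combinations(members, 2))
        pairs.extend((w, m) for w in wild for m in members)
    found = []
    for a, b in pairs:
        high, low = sorted((a, b), key=lambda r: -r["priority"])
        kind = classify(high, low)
        if kind:
            found.append((high["name"], low["name"], kind))
    return sorted(found)


def sample_rules():
    """Constructed rule set: R1 is a security application's drop rule, the rest are common apps."""
    return [
        make_rule("R1", "10.0.0.0/16", "192.168.1.0/24", "tcp", 80, "drop", 200),
        make_rule("R2", "10.0.1.0/24", "192.168.1.0/24", "tcp", 80, "forward", 100),
        make_rule("R3", "10.0.0.0/16", "*", "tcp", 443, "forward", 100),
        make_rule("R4", "*", "192.168.1.0/24", "*", "*", "forward", 50),
        make_rule("R5", "10.0.1.0/24", "192.168.1.0/24", "tcp", 80, "forward", 90),
        make_rule("R6", "10.0.2.0/24", "172.16.0.0/12", "tcp", 80, "forward", 100),
    ]


if __name__ == "__main__":
    for high, low, kind in detect_conflicts(sample_rules()):
        print(f"{high} vs {low}: {kind}")
```

R3 sits alone in the (tcp, 443) group and is therefore never compared with the port-80 rules, which is where the efficiency gain of grouping comes from; the wildcard rule R4 is the price of that pruning, since it has to be checked against every group.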
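The decision path of the trust-based access control scheme in item 2, as an added Python example that is not the dissertation's code: a controller receives a Packet_In for a user's request, checks for an existing flow entry, redirects unregistered users to registration, and otherwise answers according to the user's trust. The trust thresholds, the initial trust value, the exponential-moving-average trust update and the three response levels are assumptions of this example; the thesis's own trust calculation method is not described on this page.

```python
from dataclasses import dataclass, field

# Assumed trust model: trust lies in [0, 1]; thresholds and weights are constructed values.
INITIAL_TRUST = 0.5          # trust granted right after registration
TRUST_ALLOW = 0.6            # at or above: install an unrestricted flow entry
TRUST_DENY = 0.3             # below: refuse the request outright
ALLOW, RESTRICT, DENY = "allow", "rate-limit", "deny"


@dataclass
class TrustController:
    registered: dict = field(default_factory=dict)   # user_id -> current trust
    flow_table: set = field(default_factory=set)     # (user_id, dst) entries already on the switch

    def register(self, user_id):
        """Complete registration/authorization; only then can a flow entry be sent."""
        self.registered[user_id] = INITIAL_TRUST

    def update_trust(self, user_id, good_behaviour, alpha=0.2):
        """Assumed update rule: move trust toward 1 after good behaviour, toward 0 after bad."""
        current = self.registered[user_id]
        target = 1.0 if good_behaviour else 0.0
        self.registered[user_id] = (1 - alpha) * current + alpha * target
        return self.registered[user_id]

    def handle_packet_in(self, user_id, dst):
        """Respond to a user's access request packet that reached the controller."""
        # Step 1: does a flow entry for this request already exist?
        if (user_id, dst) in self.flow_table:
            return "flow-entry-exists"
        # Step 2: a new (unregistered) user is guided to registration first.
        if user_id not in self.registered:
            return "redirect-to-registration"
        # Step 3: respond according to the user's trust.
        trust = self.registered[user_id]
        if trust >= TRUST_ALLOW:
            self.flow_table.add((user_id, dst))
            return ALLOW
        if trust >= TRUST_DENY:
            self.flow_table.add((user_id, dst))       # e.g. an entry bound to a rate-limiting meter
            return RESTRICT
        return DENY                                   # no entry is installed for a distrusted user


if __name__ == "__main__":
    c = TrustController()
    print(c.handle_packet_in("alice", "srv"))        # redirect-to-registration
    c.register("alice")
    print(c.handle_packet_in("alice", "srv"))        # rate-limit (trust 0.5)
    for _ in range(2):
        c.update_trust("alice", True)
    print(c.handle_packet_in("alice", "db"))         # allow (trust about 0.68)
```

The finer granularity the abstract claims over a traditional allow/deny scheme appears here as the middle band: a user whose trust has not yet been established gets a restricted entry rather than a binary decision, and repeated bad behaviour moves them into the deny band without any manual rule change.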
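The staged DDoS detection pipeline of item 3 (Packet_In early warning, length-based adaptive flow sampling, feature extraction, SOM clustering), as an added Python example that is not the dissertation's code. The traffic windows are constructed (a normal window of a few long flows from a handful of hosts; an attack window of many single-packet flows from many sources), and the warning threshold, the sampling rule (keep every flow but sample long flows down to a packet budget), the three features, the one-dimensional SOM with three neurons, and the labelling of neurons from known training windows are all assumptions of this example, not the thesis's parameters.

```python
import math
import random
from collections import Counter

PACKET_IN_THRESHOLD = 0.3     # assumed early-warning threshold on the Packet_In probability


# ---- constructed traffic windows: a flow is (src_ip, dst_ip, packet_count) ----
def normal_window(rng):
    """Six known hosts, 20 flows of 5..60 packets each."""
    srcs = [f"10.0.0.{i}" for i in range(1, 7)]
    return [(rng.choice(srcs), "10.0.9.1", rng.randint(5, 60)) for _ in range(20)]


def attack_window(rng):
    """Flood: 200 single-packet flows from random (spoofed) sources."""
    return [(".".join(str(rng.randint(1, 254)) for _ in range(4)), "10.0.9.1", 1)
            for _ in range(200)]


# ---- stage 1: early warning -----------------------------------------------------
def packet_in_probability(window):
    """Each new flow costs one table-miss Packet_In; divide by packets seen in the window."""
    packets = sum(n for _, _, n in window)
    return len(window) / packets if packets else 0.0


# ---- stage 2: adaptive sampling by flow length -----------------------------------
def adaptive_sample(window, rng, budget=8):
    """Assumed rule: short flows are kept whole, long flows are sampled down to ~budget packets."""
    sampled = []
    for src, dst, n in window:
        rate = min(1.0, budget / n)
        kept = sum(1 for _ in range(n) if rng.random() < rate)
        sampled.append((src, dst, max(kept, 1)))   # the Packet_In packet itself is always kept
    return sampled


# ---- stage 3: flow features, each in (0, 1] and larger when more attack-like ------
def features(window):
    flows = len(window)
    short = sum(1 for _, _, n in window if n <= 2) / flows          # share of tiny flows
    src_spread = len({src for src, _, _ in window}) / flows          # distinct sources per flow
    mean_len = sum(n for _, _, n in window) / flows
    return (short, src_spread, 1.0 / mean_len)


# ---- stage 4: minimal 1-D self-organizing map ------------------------------------
class SOM:
    def __init__(self, size, dim):
        # assumption: neurons start evenly spaced along the diagonal of feature space
        self.w = [[(i + 1) / (size + 1)] * dim for i in range(size)]

    def bmu(self, x):
        """Index of the best-matching unit (smallest squared distance)."""
        return min(range(len(self.w)),
                   key=lambda i: sum((a - b) ** 2 for a, b in zip(self.w[i], x)))

    def train(self, samples, epochs=50, lr0=0.5, sigma0=1.0):
        for e in range(epochs):
            decay = 1 - e / epochs                       # linear decay of rate and radius
            lr, sigma = lr0 * decay, max(sigma0 * decay, 0.05)
            for x in samples:
                b = self.bmu(x)
                for i, w in enumerate(self.w):
                    h = math.exp(-((i - b) ** 2) / (2 * sigma * sigma))   # neighbourhood
                    for k in range(len(w)):
                        w[k] += lr * h * (x[k] - w[k])


def label_neurons(som, labelled):
    """Give each neuron the majority label of the training windows that map to it."""
    votes = {}
    for x, label in labelled:
        votes.setdefault(som.bmu(x), Counter())[label] += 1
    return {i: c.most_common(1)[0][0] for i, c in votes.items()}


def build_detector(seed=0):
    rng = random.Random(seed)
    training = [(features(adaptive_sample(normal_window(rng), rng)), "normal") for _ in range(10)]
    training += [(features(adaptive_sample(attack_window(rng), rng)), "ddos") for _ in range(10)]
    som = SOM(size=3, dim=3)
    som.train([x for x, _ in training])
    return som, label_neurons(som, training), rng


def detect(window, som, labels, rng):
    """Full pipeline for one window; the expensive stages run only after an early warning."""
    if packet_in_probability(window) < PACKET_IN_THRESHOLD:
        return "normal"
    x = features(adaptive_sample(window, rng))
    return labels.get(som.bmu(x), "unknown")


if __name__ == "__main__":
    som, labels, rng = build_detector()
    print(detect(normal_window(rng), som, labels, rng))   # normal (gate not triggered)
    print(detect(attack_window(rng), som, labels, rng))   # ddos
```

The gate is what keeps the scheme cheap: a normal window here has at most 20 Packet_In messages for at least 100 packets, so it never reaches the sampling and clustering stages, while the flood window drives the Packet_In probability to 1.0 and is then sampled and clustered. Note that the sampling budget still changes the third feature for normal traffic (mean flow length is measured after sampling), so the map must be trained on sampled windows as well, exactly as the detector does.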
Keywords/Search Tags:Software Defined Networking, Policy conflict, Access control, DDoS attack