
Research On The Key Technologies Of Mimic Network Operating System Architecture

Posted on: 2019-03-21
Degree: Doctor
Type: Dissertation
Country: China
Candidate: C Qi
Full Text: PDF
GTID: 1368330566470871
Subject: Information and Communication Engineering
Abstract/Summary:
Recently, the rapid rise of Software-Defined Networking (SDN) has brought great convenience and advantages for simplifying network management, improving network performance and enabling network application innovation. With the development and widespread application of SDN, the security problems caused by its centralized architecture are becoming increasingly obvious. In particular, the critical component of the control layer, the Network Operating System (NOS), is responsible for the logical processing of the whole network, so its state directly affects the operation of the whole network. Moreover, specific threats such as NOS hijacking, flow rule tampering and single points of failure have imposed considerable challenges on its extensive application.

At present, the main ideas in protection technology are the design of security-enhanced NOS and of reliable architectures with multiple NOS, and researchers have paid great attention to these fields. By improving the security mechanisms of a NOS, or by means of cooperation among several NOS, the usefulness of vulnerabilities and backdoors to an attacker can be weakened, and the robustness, reliability and fault tolerance of the control layer can be improved. However, the following problems remain unsolved: (1) a security-enhanced NOS is still unable to withstand unknown vulnerabilities and backdoors; (2) existing reliable architectures with multiple NOS are isomorphic, static and predictable, and lack effective defense mechanisms against homologous vulnerabilities, backdoors and external attacks.

This dissertation is supported by the Foundation for Innovative Research Groups of the National Natural Science Foundation of China (No. 61521003), “Research on the basic theory of mimic defense for cyber space”. We introduce heterogeneity, redundancy and dynamics into the control layer to improve its anti-attack performance, so that current NOS can deal with threats caused by unknown and homogeneous vulnerabilities and backdoors. The main work and achievements of this dissertation are as follows:

1. Focused on the problem that, in current NOS architectures, the type of NOS is single and easy for external attackers to detect, we put forward the Mimic Network Operating System (MNOS), a dynamic, heterogeneous and redundant security architecture with an endogenous defense mechanism. It is constructed from existing heterogeneous open-source NOS and adopts a dynamic scheduling mechanism to ensure that the running set of NOS keeps changing over time. Besides, it adopts a “big number decision mechanism” (majority voting) to ensure the correctness of flow rules. Through the cooperation of heterogeneous NOS, MNOS reduces the possibility that the same backdoor or vulnerability is reused by attackers. Further, it is able to eliminate the impact of a single NOS failure on the system and to restrain the effect of flow rule tampering attacks. The experimental results show that, compared with the traditional SDN control plane, MNOS with its fused defense mechanisms can effectively reduce the overall failure probability of the system.

2. In view of the dynamic switching mechanism adopted for the running NOS in MNOS, a scheduling method based on negative feedback is proposed to ensure the security of the running NOS and maintain a low failure probability of the system. First, the dynamic scheduling problem is modeled as an optimization problem that minimizes the failure probability of the system, taking the requirements of security scenarios and network resource overhead as constraints. Then, based on the decision results given by MNOS, a feedback-driven dynamic aware switching algorithm (FD-DAS) is proposed to solve the problem. The algorithm optimizes the running set of NOS by referring to their global state information and achieves high security by maintaining the reliability of the running NOS. The simulation results show that FD-DAS can effectively suppress the attacker's reconnaissance and keep the failure probability of the system at a low level for a long time, while the cost and overhead are acceptable compared with the gain achieved.

3. Focused on the problem that flow rules from heterogeneous NOS in MNOS are not exactly the same, we present a rule-coherence decision mechanism based on semantic analysis (RCDM-SA) to ensure the correctness of flow rules. First, this method splits the rules into semantic fields. Then the “big number decision” mechanism is used to match the split fields, and a score is assigned to each rule segment according to the comparison results. After that, the reliability of each rule is obtained by sorting the total score of all its segments, and only when the number of the most reliable rules exceeds half are the rules sent to the corresponding switches. The experimental results show that RCDM-SA can effectively deal with an attacker's tampering of flow rules, thus ensuring the normal operation of the underlying network.

4. For the problem that quantitative analysis of SDN security performance is lacking in current research, this dissertation proposes a game-based security evaluation method to analyze the effectiveness of MNOS. First, the security evaluation problem of MNOS is abstracted as an attack and defense scenario in which the players of the game attempt to control the running NOS, each achieving its goal by controlling as many NOS as possible. Then the state information of the NOS is used to describe the players' behavior, tactics and payoffs, and the dynamic security performance of MNOS is quantitatively evaluated with game theory. Experimental results show that MNOS, being dynamic, heterogeneous and redundant, has a significant security advantage over the control planes of existing SDN architectures when defending against attacks. Besides, the design and coordination of defense strategies and mechanisms are also crucial for maximizing system security.

5. A design scheme of MNOS is proposed. The core components of MNOS include a mimic control communication protocol for internal message interaction, a heterogeneous variant set built on existing open-source NOS, and a decision and scheduling module. Their cooperation achieves an SDN control layer with a complex operating mechanism and high security. The experimental results show that MNOS demonstrates strong fault tolerance and threat disposal capacity when facing single points of failure, flow rule tampering attacks and other security threats, greatly enhancing the security performance of the traditional SDN control layer.
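The per-field majority decision described in items 1 and 3 (RCDM-SA), written out as an added illustration rather than code from the dissertation: rules from several NOS variants are split into semantic fields, each segment scores a point when it matches the strict-majority value of its field, and a rule is installed only when the top-scoring proposals are identical and outnumber half of the variants. The field names, the sample rules and the `suspects` output (meant as input for the negative-feedback scheduler of item 2) are assumptions made for this example.

```python
from collections import Counter

# Semantic fields a flow rule is split into (assumed set, for illustration).
FIELDS = ("match", "priority", "actions")

# Constructed sample: rules proposed by three heterogeneous NOS variants for
# the same packet-in event; the third variant's action field has been tampered.
SAMPLE_RULES = {
    "nos_a": {"match": "in_port=1,ip_dst=10.0.0.2", "priority": 100, "actions": "output:2"},
    "nos_b": {"match": "in_port=1,ip_dst=10.0.0.2", "priority": 100, "actions": "output:2"},
    "nos_c": {"match": "in_port=1,ip_dst=10.0.0.2", "priority": 100, "actions": "output:3"},
}


def field_scores(rules):
    """Big-number decision per semantic field: a rule segment scores 1 when it
    agrees with the strict-majority value of that field across all variants."""
    n = len(rules)
    scores = {name: 0 for name in rules}
    for field in FIELDS:
        value, count = Counter(r[field] for r in rules.values()).most_common(1)[0]
        if count * 2 <= n:      # no strict majority on this field: nobody scores
            continue
        for name, rule in rules.items():
            if rule[field] == value:
                scores[name] += 1
    return scores


def decide(rules):
    """Return (rule_to_install or None, suspect_variants).

    The rule is forwarded only when the most reliable proposals are identical
    and make up more than half of all variants; outvoted variants are reported
    so the scheduler can rotate them out. On rejection every variant is listed,
    because no majority exists to tell good proposals from bad ones."""
    scores = field_scores(rules)
    top = max(scores.values())
    winners = [name for name, s in scores.items() if s == top]
    suspects = [name for name in rules if name not in winners]
    agreed = all(rules[w] == rules[winners[0]] for w in winners)
    if len(winners) * 2 <= len(rules) or not agreed:
        return None, list(rules)
    return dict(rules[winners[0]]), suspects


if __name__ == "__main__":
    print(decide(SAMPLE_RULES))
```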
Keywords/Search Tags:software-defined networking, mimic defense, dynamic heterogeneous redundancy, mimic network operating system, security architecture, security performance