Font Size: a A A

Research On Trust Management And Attack Defense Mechanisms For Software-defined Internet Of Things

Posted on:2019-02-18Degree:DoctorType:Dissertation
Country:ChinaCandidate:R WangFull Text:PDF
GTID:1368330572462433Subject:Computer Science and Technology
Abstract/Summary:
The Internet of Things(IoT)has been regarded as the third revolution of the world’s information industry after the prosperity of the computer and the Internet.In recent years,with the development of microelectronics technology,embedded technology and wireless network technology,the IoT technology has made great progress and has been widely used in the fields of intelligent transportation,environmental monitoring,industrial control,e-commerce,national defense.It is foreseeable that the IoT technology will have a profound impact on both human’s economic development and their social lives.However,with the rapid development of the IoT industry,the emerging application scenarios and demands bring new challenges to the Internet of Things.In addition to the network management issues,such as high deployment and maintenance costs,difficult software updates,and insufficient resource utilization,the increasingly prominent security issue of IoT system has become a major bottleneck restricting the development of IoT system.The Internet of Things perception layer has security features such as open wireless communication channel,simple physical structure of nodes,limited node resources,and dynamic changes of network topology.These characteristics make the perceived network vulnerable to malicious attacks.Moreover,the phenomenon that a large number of IoT devices with security vulnerabilities have been compromised by hackers to form botnets and then launch network attacks becomes more and more serious.IoT devices have become the main source of Distributed Denial of Service(DDoS)attacks,causing great damage to the normal data transmission of the IoT network layer.Therefore,how to effectively control network nodes,defend against network attacks and ensure reliable data transmission are urgent problems which need to be solved in the security management process of IoT system.The emergence of a novel network architecture,Software-Defined Networking(SDN),provides a new opportunity for solving the above problems.In view of the success of SDN in network management and security maintenance,more and more domestic and foreign researchers have tried to introduce the design concept of separating control and forwarding layers and centralized control into the IoT system,and design a new architecture named Software-Defined Internet of Things(SDIoT).By unifying the southbound interface,SDIoT can effectively cope with multiple types of IoT network protocols,simplify the configuration and management of IoT devices,reduce the cost of service implementation and operation,and achieve flexible application deployment.More importantly,SDIoT brings significant opportunities to improve the IoT security issues.Generally,SDIoT controllers have high computing and storage resources,and can be easily implemented with the attack defense algorithms which are difficult to implement in traditional IoT and Wireless Sensor Networks(WSN).It can also utilize the advantages of centralized control and global topology view to enable flexible attack response measures.However,on the other hand,the current SDN design is not perfect enough,and also exists some security risks.Moreover,considering the vulnerability of the IoT network,some features of the SDN such as centralized control and new flow request processing will bring new challenges like security risk,control overhead and network energy consumption to SDIoT.This will cause a bad influence on the normal operation of SDIoT.Therefore,how to overcome the defects of SDIoT itself while using it to solve the IoT security attack,has important research significance and application value for improving SDIoT.This paper is focusing on these problems.By making reasonable use of the relevant advantages of SDN,this paper provides effective trust management and attack defense measures for various types of network attacks which seriously affect the security networking on the sensing layer and reliable transmission on the forwarding layer,implementing a more trusted,more reliable and more energy efficient SDIoT network environment.The following shows the major work and contributions of this article in details.This paper first discusses the Internet of Things,the origin of SDIoT,the architecture and security research status,especially focuses on the security opportunities and challenges faced by SDIoT.Taking advantage of SDN’s global topology awareness and centralized control,this paper designs a modular SDIoT secuity architecture based on the network security theories such as trust management model and P2DR security model.For multiple types of attacks such as selective forwarding attack,new flow attack and DDoS attack which seriously affect the normal operation of the SDIoT sensing layer and the forwarding layer,this paper provides effective trust management,attack detection,and security response functions utilizing the security resources of the sensing layer,the forwarding layer and the control layer.As an important part of the IoT perception layer,WSN systems are often closely tied to applications and difficult to update,seriously hampering the technological innovation.Introducing the idea of SDN into the WSN to design Software-Defined Wireless Sensor Network(SDWSN)can effectively solve this problem.However,most of the research work focused on architecture and application aspects and ignored the security and energy risks.To achieve centralized control,the periodic topology collection process of the SDWSN not only brings additional control overhead and energy consumption to the sensing layer,but also is vulnerable to the selective forwarding attack initiated by the compromised node,resulting in loss of critical control messages and affecting the normal operation of the network.In addition,attacker can use the feature that the unhandled traffic in the SDWSN needs to request the controller to process,to continuously create new packets to launch a New-flow attack,congesting control links and causing network paralysis.As an important complement to the cryptographic security mechanism,trust management mechanism can effectively defend against the internal network attacks.Therefore,this paper proposes an energy-efficient trust management and trusted routing mechanism for the security attacks and control overheads in SDWSN for IoT applications.By combining the Bayesian based lightweight local trust evaluation mechanism with the controller global trust management mechanism,an integrated trust management mechanism is realized,which can effectively identify and isolate the malicious attack nodes existing in the network.Then,based on the global trust,an energy-efficient topology information aggregation collection mechanism based on aggregate nodes is proposed.Taking minimum the global topology collection energy consumption as the optimization goal,the node global trust value,residual energy and network coverage as the constraints,this paper formalizes the problem as integer nonlinear programming(INLP)to elect the aggregation nodes,to achieve energy efficient,highly reliable topology collection.Finally,by considering the global trust value and residual energy of the node at the same time,a centralized minimum cost routing mechanism is proposed to ensure the reliability of data packet transmission.The experimental results show that compared with the existing solution SDN-WISE[5],the proposed scheme effectively improves the network packet delivery ratio,reduces the network energy consumption,reduces the control overhead,prolongs the network lifetime,and guarantees the security networking of the perception layer.Although the trust management mechanism could ensure the IoT devices to be securely and reliably connected to the Internet,the phenomenon that uses of the malware Mirai to invade a large number of IoT devices with security vulnerabilities,forms botnets and launches DDoS attacks is becoming more and more serious,seriously affecting the normal data transmission of the forwarding layer.Attack detection is the prerequisite for defending against DDoS attack.The SDN based DDoS attack detection scheme can analyze and detect abnormal traffic by collecting the flow table information in each switch.However,as the network scales up,the collection of flow table burdens on the control link.Although the sampling mechanism can alleviate the link pressure of the southbound interface,packet sampling reduces the attack detection accuracy and requires a trade-off between the sampling frequency and the detection accuracy.In this regard,based on the security architecture of SDIoT,through the collaborative use of the security resources of both the control layer and the forwarding layer,this paper proposes a distributed detection mechanism based on information entropy for DDoS flooding attack.This article introduces some security capabilities into the SDN edge switch without violating the SDN features.By utilizing the extended OpenFlow counter field,the edge switch conveniently implements the statistical process of local ingress traffic.Based on the local ingress traffic,this paper proposes an anomaly detection algorithm based on information entropy to realize the detection of DDoS attack in the local network.Finally,by distributing the DDoS attack algorithm across all the edge switches,attack detection within the entire network is realized.The simulation and prototype experimental results show that the strategy of this paper has the advantages of fast attack detection,high detection precision and small resource overhead.Compared with the centralized detection scheme,the strategy of this paper effectively alleviates the monitoring burden of the controller and reduces the attack detection delay.When the DDoS attack happens in the network,not only the victim can not respond to the normal request,but also a large amount of attack traffic exists in the network,occupying a large amount of network bandwidth and resources.Therefore,it is necessary to timely respond to the DDoS attack when the attack is detected.However,to avoid being tracked,DDoS attackers often use fake IP addresses and springboards to hide their true identities.This makes it difficult for defenders to determine the source of the attack and implement targeted defense measures.Therefore,network attack traceback is an important part of network active defense.According to the traceback result,attack mitigation at the source of the attack can reduce the damage of the attack traffic to the network.However,the current research work on DDoS attack in SDN focuses on the attack detection and attacked side flow cleaning,while DDoS attack traceback and source side mitigation are relatively rare.Therefore,based on the SDIoT security architecture,through the cross-layer cooperation between the forwarding layer and the control layer,this paper proposes the DDoS attack traceback and attack mitigation mechanism,and combines with the DDoS attack detection mechanism forming a complete DDoS attack active defense system.In the DDoS traceback process of SDN,the existing flow table analysis based or Packet-In message based attack traceback mechanism transfers all the analysis work to the SDN controller.As the scale of the network expands,the burden of traceability in the controller is increasing.In this regard,under the premise of not violating the SDN operating principle,this paper will transfer part of the traceability work to the SDN edge switch to reduce the pressure of the controller.In order to meet the traceback requirements of different scale networks,this paper proposes two DDoS attack traceback algorithms based on OpenFlow-DPM using the traditional Deterministic Packet Marking(DPM)algorithm.Through the extended OpenFlow packet marking action,the edge switch can mark the attack traffic in a pipelined manner.Based on the tagged data packets,the victim can reconstruct the address of the attacker’s ingress switch.Finally,based on the results of attack traceback,using the advantages of centralized control and global network view in SDN,an ingress filtering mechanism based on packet symmetry is designed.Attack traffic is filtered at the source of the attack to achieve attack mitigation.The simulation and prototype experiments both show that the proposed strategy can block DDoS attack at the attack source and reduce the bandwidth and resource consumption of the network intermediate devices while protecting the victims from being attacked.
Keywords/Search Tags:Internet of Things, Software-Defined Internet of Things, Trust Management, DDoS Attack, Attack Detection, Attack Traceback and Mitigation
Related items