Research On Key Technologies Of Security Service Based On Smart Identifier NETwork

Posted on: 2020-03-02
Degree: Doctor
Type: Dissertation
Country: China
Candidate: G W Li
GTID: 1368330575495123
Subject: Communication and Information System
Abstract/Summary:
With the rapid development of the Internet, the network security situation is increasingly severe. The static, ossified architecture of the traditional Internet and the high construction and maintenance costs of dedicated security equipment cannot cope with new security threats in a timely and effective manner. The Smart Identifier NETwork (SINET) architecture proposes the concept of "three layers" and "two domains" to achieve a triple separation: "identity and location separation", "control and forwarding separation", and "resource and location separation". This allows network security services to be combined flexibly and dynamically to meet users' complex and diverse security service needs. Within the security service framework based on the SINET architecture, this thesis studies the key technologies of network security services in the security service layer, the resource adaptation layer and the data forwarding layer respectively, and provides flexible and efficient security service composition according to user-defined security requirements. The main contributions of this thesis are as follows:

(1) Research on a security service demand mapping mechanism based on a fuzzy inference system: from the security service layer to the resource adaptation layer, it is necessary to analyze fuzzy user security requirements. Since subjective evaluation is affected by many different factors, a fuzzy inference system model is adopted to defuzzify the subjective evaluation of multiple optimization targets and obtain the abstract security service demands under actual conditions. Moreover, with the Hungarian algorithm, the execution order of the required security service combination can be determined, and the security services available to the user can be optimized. The prototype verifies the proposed security service chain architecture. The performance evaluation experiments show that the proposed service demand mapping algorithm can improve the performance and execution time of the security service requirements mapping operation.

(2) Research on a security service resource adaptation mechanism based on the Semi-Markov Decision Process (SMDP): when matching the abstract security service combination to security service resources in the resource adaptation layer, it is necessary to consider simultaneously the user request acceptance rate and the capacity that the security service resource pool can accommodate, and to satisfy as many security service demands as possible with limited resources. Based on the SMDP method, a service resource allocation model is established that considers the comprehensive income of resource utilization and user request acceptance rate. The value iteration algorithm is used to obtain the maximum satisfaction rate of security service demands. The performance evaluation experiment proves that the proposed model and algorithm can obtain higher system income, and gives the optimal parameter configuration scheme in different security service resource allocation scenarios.

(3) Research on a priority-based security service rules coordination mechanism: to meet practical user security service demands, not only do the security service resources need to be combined effectively, but the security service policy deployment method and the interaction among different security service rules must also be considered. Firstly, because different security service resources use heterogeneous policy configuration methods, a unified description model is established and an automated policy configuration method is proposed. Secondly, since there may be conflicts among security rules, a priority-based security rule anomaly detection and elimination mechanism is proposed to ensure the normal running of security service functions. The prototype verifies the proposed security service policy deployment system. The performance evaluation experiment proves that the performance of the priority-based security rule anomaly detection and elimination algorithm is better than that of the traditional algorithm.

(4) Research on a Binary Particle Swarm Optimization (BPSO) based security service controller deployment mechanism: a large-scale security service resource pool is established in the data forwarding layer based on the interconnected data center network, and these pooled security service resources can be jointly managed by distributed controllers. Therefore, handling users' security service demands may involve cross-domain deployment of security service resources. Based on linear programming theory, the logical space of the resource pool is divided on demand so that security service controllers can be deployed at appropriate locations, meeting user requirements flexibly and improving service efficiency with lower latency. Performance evaluation experiments show that the proposed security service controller deployment algorithm can achieve better performance in an acceptable runtime.
Keywords/Search Tags: Smart Identifier NETwork (SINET), Service Function Chaining (SFC), Service demand mapping, Service resource adaptation, Security rule collaboration, Controller placement