
Research On Security Mechanisms Based On Control/Forwarding Separation In Smart Identifier Network

Posted on: 2020-10-02
Degree: Doctor
Type: Dissertation
Country: China
Candidate: M X Wang
GTID: 1368330575495134
Subject: Communication and Information System
Abstract/Summary:
The existing Internet is characterized by a "triple binding": the binding of a service's resource to its location, of the network's control to its forwarding, and of the host's network to its user. The "three-layer, two-domain" architecture model proposed by the Smart Identifier Network (SINET) can effectively solve the scalability and security problems raised by this triple binding. This paper focuses on the key theories and techniques related to the security of SINET's control/forwarding separation mechanism, analyzes both the security advantages and the risks that the mechanism brings, and proposes mechanisms and methods for defending against the resulting threats. The main innovative work is as follows.

1. Aiming at the scalability and security of SINET, the paper proposes a fusion architecture that combines Identifier Separation and Mapping (ISM) with control/forwarding separation in SINET. To separate the host's network from its user in the network component layer of SINET, the access identifier represents identity in the access network and the routing identifier represents location in the core network. The identifier assignment function is separated from the data forwarding plane, and the mapping function is placed in the central controller. An access forwarding element with a mapping flow table is designed to connect the access network to the core network. The paper further proposes an aggregation mechanism for flow table entries in the core network and analyzes theoretically the reduction in flow table entries that introducing ISM makes possible: even in the worst case, the number of forwarding flow table entries in the core network is reduced by 35%-45%. A prototype of the proposed architecture is implemented, and its data-plane forwarding delay and mapping query delay are evaluated experimentally. Compared with a system without ISM, the fusion architecture has little impact on forwarding delay, and the mapping query delay is incurred only on the first query. Experiments verify that with 1 million mapping entries the mapping lookup latency does not exceed 0.2 ms.

2. Based on the characteristics of the fusion architecture above, the paper proposes a data-plane DDoS attack detection approach that analyzes Packet_In messages. The approach applies the non-parametric CUSUM algorithm to the traffic of Packet_In messages with a mapping relationship received by the central controller, so that abnormal traffic on the data forwarding plane is detected and an alarm is raised. The general non-parametric CUSUM algorithm may keep alarming even after the anomaly has ended; the paper improves it so that the alarm is released quickly once the anomaly ends. In addition, simulation is used to compare anomaly detection on the traffic of mapping-related Packet_In messages received by the controller with detection on the traffic received by the victim. Detection based on the Packet_In traffic reduces the false alarms caused by surges of normal traffic, and it can pre-judge traffic anomalies about 0.35 seconds before the attack traffic reaches the affected host.

3. An anomaly traffic detection approach based on a sliding-window traffic matrix is proposed under the control/forwarding separation architecture of SINET. An anomaly detection function based on principal component analysis is developed in the central controller; it consists of the Flow Feature Request module, the Flow Statistical Analysis module and the Abnormal Traffic Detection and Mitigation module. To build a sliding-window traffic feature matrix, the controller collects traffic features from every access forwarding element. Principal component analysis reduces the dimension of the traffic feature matrix and divides it into a normal subspace and an abnormal subspace, and the mean Squared Prediction Error of the abnormal subspace is calculated periodically. At the end of each cycle, the mean Squared Prediction Error is compared with the Q-statistic threshold of the previous period to judge whether an anomaly has emerged. If an anomaly is detected, its source can be inferred backwards through the traffic feature matrix and blocked at the access forwarding element. The approach is evaluated experimentally: when the abnormal proportion is 15%, the detection rate reaches 100% while the false alarm rate is only 5% to 7%. Anomaly mitigation is also shown to be effective. Finally, the overhead of the approach, in detection time and CPU utilization, is evaluated; the results show that it is efficient and lightweight.

4. Aiming at the vulnerability of the SINET central controller to saturation attacks, a controller protection approach based on popularity and timeout analysis is proposed. A controller protection application in the smart service layer maintains a popularity list. In a stable state, the most popular destination addresses can be identified from the frequency of users' requests, which follows Zipf's law. When the controller is overloaded, proactive flow table rules for the popular destination addresses are installed in the forwarding elements so that users are guaranteed access to them, and the remaining Packet_In requests are rate limited to keep further load off the controller. Furthermore, the behaviour of controller-oriented attacks is analyzed, and a malicious host discrimination algorithm based on flow duration is proposed; Bayes' theorem is used to compute the posterior probability that separates malicious hosts from benign ones. The algorithm then installs defensive flow table rules to block the malicious traffic at its source. Finally, the function and the defensive effect of the controller protection application are verified experimentally and compared with other approaches. The approach effectively alleviates the impact of SDN controller-oriented attacks and discriminates malicious hosts quickly, with a detection rate of 99.90% and a false alarm rate of 0.41%.
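The detection logic of item 2, as an added example that is not the dissertation's own code: a non-parametric CUSUM run over per-interval counts of Packet_In messages seen by the controller, showing why the textbook accumulator keeps alarming long after a surge stops. The abstract does not say how the dissertation's improved variant releases the alarm; the bounded accumulator (`cap`) used here is one common fix and is an assumption, as are the constructed traffic series, the offset, and the threshold.

```python
"""Non-parametric CUSUM over per-interval counts of mapping-related Packet_In
messages, with and without an upper bound on the accumulator.  The series,
offset, threshold and the bounding rule are all constructed for this example."""


def normalized_packet_in(counts, offset):
    """Z_n = X_n - offset, with offset chosen so that Z is negative for normal
    traffic; only a sustained surge drives the accumulator upwards."""
    return [c - offset for c in counts]


def cusum_alarms(counts, offset, threshold, cap=None):
    """Per-interval alarm flags.  y_n = max(0, y_{n-1} + Z_n); alarm when
    y_n > threshold.  With cap set, y_n is also bounded above (assumed
    modification, not the dissertation's own) so the statistic drains within
    a few intervals once the surge ends instead of holding the alarm."""
    y, flags = 0.0, []
    for z in normalized_packet_in(counts, offset):
        y = max(0.0, y + z)
        if cap is not None:
            y = min(y, cap)
        flags.append(y > threshold)
    return flags


def alarm_intervals(flags):
    """Indices of the intervals in which the alarm is raised."""
    return [i for i, f in enumerate(flags) if f]


def release_lag(flags, attack_end):
    """Intervals after the last attack interval until the alarm clears
    (None if it never clears within the series)."""
    for i in range(attack_end + 1, len(flags)):
        if not flags[i]:
            return i - attack_end
    return None


def sample_packet_in_series():
    """Constructed: 30 one-second bins, normal traffic of roughly 100 Packet_In
    per second with a mild pattern, and a flood of 400 per second in bins 10..19."""
    pattern = [100, 110, 90, 105, 95]
    return [400 if 10 <= t <= 19 else pattern[t % 5] for t in range(30)]


if __name__ == "__main__":
    series = sample_packet_in_series()
    baseline = cusum_alarms(series, offset=150, threshold=300)
    bounded = cusum_alarms(series, offset=150, threshold=300, cap=600)
    print("baseline alarm bins:", alarm_intervals(baseline))
    print("bounded alarm bins :", alarm_intervals(bounded))
    print("release lag (baseline, bounded):", release_lag(baseline, 19), release_lag(bounded, 19))
```

With these constructed values both variants raise the alarm in bin 11, one interval after the flood starts; the unbounded accumulator reaches 2500 by bin 19 and would need more than 40 quiet intervals to drain below the threshold, so it is still alarming at the end of the series, while the bounded one clears six intervals after the flood stops.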
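The subspace method of item 3, as an added example that is not the dissertation's own code: a sliding-window traffic feature matrix (rows are time bins, columns are access forwarding elements) is split by PCA into a normal and an abnormal subspace, the squared prediction error of each new sample is compared with a Q-statistic threshold learned from the previous period, and the per-element residual points back at the source. It is pure Python so it runs without numpy; the window data, the noise level, the single retained component and the 95% confidence level are all assumptions.

```python
"""PCA subspace anomaly detection over a constructed sliding-window traffic
matrix: rows are time bins, columns are access forwarding elements (AFEs),
values are packet counts per bin.  Pure Python, no numpy."""
import math


def lcg(seed=7):
    """Deterministic pseudo-random stream so the constructed window is reproducible."""
    state = seed
    while True:
        state = (1103515245 * state + 12345) % 2 ** 31
        yield state / 2 ** 31


def build_window(rows=24, afes=4, noise=5.0):
    """Constructed normal period: a sawtooth trend shared by every AFE plus small noise."""
    rnd = lcg()
    return [[100.0 + 100.0 * (t % 12) / 11 + noise * (2 * next(rnd) - 1)
             for _ in range(afes)] for t in range(rows)]


def covariance(window):
    """Column means and sample covariance matrix of the traffic feature matrix."""
    n, m = len(window), len(window[0])
    mean = [sum(r[j] for r in window) / n for j in range(m)]
    cov = [[sum((r[i] - mean[i]) * (r[j] - mean[j]) for r in window) / (n - 1)
            for j in range(m)] for i in range(m)]
    return mean, cov


def matvec(a, v):
    return [sum(a[i][j] * v[j] for j in range(len(v))) for i in range(len(a))]


def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))]
            for i in range(len(a))]


def top_components(cov, k, iters=500):
    """Power iteration with deflation: the k largest (eigenvalue, eigenvector)
    pairs, which span the normal subspace."""
    a, m, comps = [row[:] for row in cov], len(cov), []
    for _ in range(k):
        v = [1.0 + i for i in range(m)]  # generic start vector
        for _ in range(iters):
            w = matvec(a, v)
            norm = math.sqrt(sum(x * x for x in w)) or 1.0
            v = [x / norm for x in w]
        lam = sum(vi * wi for vi, wi in zip(v, matvec(a, v)))
        comps.append((lam, v))
        a = [[a[i][j] - lam * v[i] * v[j] for j in range(m)] for i in range(m)]
    return comps


def q_threshold(cov, comps, z_alpha=1.645):
    """Jackson-Mudholkar Q-statistic limit for the residual subspace at the 95%
    level.  phi_i is the sum of i-th powers of the residual eigenvalues, taken
    as trace(C^i) minus the retained eigenvalues so no full eigendecomposition
    is needed."""
    c2 = matmul(cov, cov)
    c3 = matmul(c2, cov)
    trace = lambda x: sum(x[i][i] for i in range(len(x)))
    phi1, phi2, phi3 = (trace(mat) - sum(lam ** p for lam, _ in comps)
                        for p, mat in enumerate((cov, c2, c3), start=1))
    h0 = 1 - 2 * phi1 * phi3 / (3 * phi2 ** 2)
    term = z_alpha * math.sqrt(2 * phi2 * h0 * h0) / phi1 + 1 + phi2 * h0 * (h0 - 1) / phi1 ** 2
    return phi1 * term ** (1 / h0)


def spe(sample, mean, comps):
    """Squared prediction error: energy of the centred sample outside the normal
    subspace, plus the per-AFE residual used to infer the anomaly source."""
    c = [x - mu for x, mu in zip(sample, mean)]
    proj = [0.0] * len(c)
    for _, v in comps:
        s = sum(ci * vi for ci, vi in zip(c, v))
        proj = [p + s * vi for p, vi in zip(proj, v)]
    resid = [ci - pi for ci, pi in zip(c, proj)]
    return sum(r * r for r in resid), resid


class SubspaceDetector:
    """Trained on the previous period's window; check() judges new samples."""
    def __init__(self, window, k=1):
        self.mean, cov = covariance(window)
        self.comps = top_components(cov, k)
        self.threshold = q_threshold(cov, self.comps)

    def check(self, sample):
        """Returns (anomalous?, SPE, index of the AFE with the largest residual)."""
        value, resid = spe(sample, self.mean, self.comps)
        source = max(range(len(resid)), key=lambda i: abs(resid[i]))
        return value > self.threshold, value, source


if __name__ == "__main__":
    det = SubspaceDetector(build_window())
    print("Q threshold:", round(det.threshold, 2))
    print("normal bin   :", det.check([150.0, 150.0, 150.0, 150.0]))
    print("surge on AFE 2:", det.check([150.0, 150.0, 450.0, 150.0]))
```

Because every AFE follows the same trend, one principal component captures the normal subspace and the residual subspace holds only noise; a surge confined to one AFE leaves most of its energy in the residual, so its SPE exceeds the Q limit by orders of magnitude and the largest residual coordinate identifies which access forwarding element to act on.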
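The three pieces of item 4, as an added example that is not the dissertation's own code: a popularity list built from Packet_In request frequencies, proactive rules for the most popular destinations plus a per-source rate limit for the rest, and a Bayesian posterior that separates malicious hosts from benign ones by flow duration. The likelihoods, prior, short-flow cutoff, token-bucket policy and rule format are all assumptions; the abstract gives none of the dissertation's actual parameters.

```python
"""Controller-protection sketch: popularity list, proactive rules, Packet_In
rate limiting, and Bayesian malicious-host discrimination on flow duration.
All numbers and rule formats are constructed for this example."""
from collections import Counter, defaultdict
from math import exp, log


def popularity_list(packet_in_dsts, top_n):
    """Rank destination addresses by Packet_In request frequency (Zipf-like in a
    stable state) and return the top_n as the popular set."""
    return [dst for dst, _ in Counter(packet_in_dsts).most_common(top_n)]


def proactive_rules(popular, priority=100):
    """Flow-table entries pushed to the forwarding elements while the controller
    is overloaded, so traffic to popular destinations needs no Packet_In."""
    return [{"match": {"ipv4_dst": dst}, "priority": priority, "action": "forward"}
            for dst in popular]


class TokenBucket:
    """Per-source rate limit for the remaining Packet_In requests (assumed policy)."""
    def __init__(self, rate, capacity):
        self.rate, self.capacity = rate, capacity
        self.tokens = defaultdict(lambda: capacity)
        self.last = {}

    def allow(self, src, now):
        elapsed = now - self.last.get(src, now)
        self.tokens[src] = min(self.capacity, self.tokens[src] + elapsed * self.rate)
        self.last[src] = now
        if self.tokens[src] >= 1:
            self.tokens[src] -= 1
            return True
        return False


# Assumed likelihood model: flows toward non-existent destinations get no reply
# and expire at the idle timeout, so they are overwhelmingly "short"; most
# benign flows are not.  These values are constructed, not measured.
P_SHORT_GIVEN_MALICIOUS = 0.95
P_SHORT_GIVEN_BENIGN = 0.20
PRIOR_MALICIOUS = 0.10


def posterior_malicious(durations, short_cutoff=1.0):
    """Bayes' theorem over a host's observed flow durations (flows treated as
    independent): returns P(malicious | durations), computed in the log-odds domain."""
    short = sum(1 for d in durations if d < short_cutoff)
    longf = len(durations) - short
    log_odds = log(PRIOR_MALICIOUS / (1 - PRIOR_MALICIOUS))
    log_odds += short * log(P_SHORT_GIVEN_MALICIOUS / P_SHORT_GIVEN_BENIGN)
    log_odds += longf * log((1 - P_SHORT_GIVEN_MALICIOUS) / (1 - P_SHORT_GIVEN_BENIGN))
    return 1 / (1 + exp(-log_odds))


def defense_rule(src):
    """Flow-table entry that stops a discriminated host's traffic at its source."""
    return {"match": {"ipv4_src": src}, "priority": 200, "action": "drop"}


if __name__ == "__main__":
    # Constructed request log: a Zipf-like skew toward a few destinations.
    dsts = ["10.0.0.1"] * 50 + ["10.0.0.2"] * 25 + ["10.0.0.3"] * 16 + ["10.0.0.4"] * 12
    popular = popularity_list(dsts, top_n=2)
    print("proactive rules:", proactive_rules(popular))
    bucket = TokenBucket(rate=1.0, capacity=3)
    print("burst of 5 Packet_In from h1:", [bucket.allow("h1", 0.0) for _ in range(5)])
    print("P(malicious) for 10 idle-timeout flows:", round(posterior_malicious([0.1] * 10), 6))
    print("P(malicious) for a mostly long-lived host:",
          round(posterior_malicious([0.5, 0.8] + [5.0] * 8), 9))
```

The popularity list is recomputed in the stable state and only consulted under overload; the posterior is driven almost entirely by how many of a host's flows expired at the idle timeout, so a host whose flows all die short is flagged with near-certainty while two short flows among eight normal ones barely move it off the prior.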
Keywords/Search Tags: Smart Identifier Network, Network/User Separation, Control/Forwarding Separation, Network Security, Anomaly Detection