
Research On Security Service Chain Embedding And Adjusting Methods Oriented To SDN Network

Posted on: 2020-11-06
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Y Liu
GTID: 1368330620953243
Subject: Cyberspace security

Abstract/Summary:
As a novel network architecture, software-defined networking (SDN) decouples network control from forwarding and gives the network an evolvable capability to meet current and future needs. It has not only become a new development direction for the future internet, but also offers a new way to solve network security problems. The security service chain (SSC) is the core technology for achieving end-to-end security in an SDN network. It abstracts a security service into an ordered set of security functions and exploits network function virtualization (NFV) technology to deploy virtual security functions (VSFs) in the network. Moreover, with the help of the fine-grained flow management that SDN provides, flows are steered to VSFs in the order specified by the SSC. This dissertation focuses on two major scientific problems in deploying SSCs, namely optimal SSC embedding and adaptive SSC adjustment. The following research results have been achieved.

1. Aiming at the problem that existing methods ignore the heterogeneity of service capacity and resource demand of miscellaneous VSFs and generate poor embedding schemes, a method for embedding SSCs in a single-domain network based on security service topology is proposed. Firstly, the security service topology generation algorithm is designed. It allocates a set of VSFs to an SSC according to the service capacity requirement of the SSC and generates the global security service topology by planning the connection relationships among VSFs and the sharing relationships between VSFs and SSCs. Secondly, the service node selection algorithm based on bidirectional memory is designed. By using an improved artificial immune algorithm to find the optimal deployment of VSFs, it not only yields a low ratio of server resource fragmentation, but also shortens the distance between the service nodes where VSFs are deployed, which helps to alleviate the influence of VSF location on optimizing security service latency. Thirdly, the service path construction algorithm based on hybrid taboo search is designed. It finds the service path with the minimum latency for an SSC on the premise that multi-path routing is enabled.

2. Aiming at the problem that existing methods are unable to find the globally optimal embedding scheme and ignore load balancing among domains, a distributed method for embedding SSCs in a multi-domain network based on the cooperation of multiple domains is proposed. Firstly, the collaborative embedding framework is designed. It includes three stages, namely partitioning, segment embedding and load balancing. Secondly, the partitioning algorithm based on segment auction is designed. It uses the "utility" to measure the contribution of deploying a certain segment to optimizing a domain's embedding goal. Furthermore, it allows each domain to bid for the segments that bring high utilities according to intra-domain information. Meanwhile, it optimizes the overall embedding scheme through a limited number of iterations of bidding and negotiating among domains. Thirdly, the capacity transaction algorithm is designed. By migrating several segments from high-load domains to low-load domains, it effectively balances loads among domains.

3. Aiming at the problem that existing methods are unable to support various types of SSC changes or to alleviate the influence of SSC migration, a method for adjusting SSCs based on dynamic resource adjustment is proposed. Based on the vertical scaling mechanism of VSFs and on SSC migration, it provides four operations, namely initiating a new VSF, reusing an existing VSF directly, scaling an existing VSF locally and migrating the SSC. Based on those operations, it designs two adjusting algorithms, namely the resource distributing algorithm and the resource recycling algorithm. The former flexibly combines the four operations to generate candidate adjustment schemes. Furthermore, it exploits a weighted multi-layer graph and the Viterbi algorithm to select the optimal adjustment scheme, which brings the minimum network resource cost and influence. The latter recycles server resources occupied by VSFs. Moreover, it prevents VSF configurations from being changed frequently by introducing a sleep mode for server resources.

4. Aiming at the problem that existing methods have a low recovery rate and high security service latency, a survivable adjusting method for SSCs is proposed. It classifies SSCs into key SSCs, which deliver essential services, and normal SSCs, which deliver common services, and it designs two adjusting algorithms. The adjusting algorithm for key SSCs not only pre-allocates backup resources, but also establishes a bridging path between the primary and the backup service paths. Moreover, it embeds nodes and links alternately based on a greedy strategy to reduce security service latency. The adjusting algorithm for normal SSCs only reconstructs the failed service paths. It transforms the problem of finding the best positions for failed VSFs into a max-flow problem and uses the Dinic algorithm to solve it. Meanwhile, it uses a modified version of Dijkstra's shortest path algorithm to select a low-latency path to reconnect VSFs. It can increase the number of recovered SSCs and effectively solves the problem of survivable SSC adjustment against single-node or single-link failure.

The experimental results show the feasibility and effectiveness of the proposed methods, which can provide powerful support for the widespread application and deployment of SDN networks.
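The scheme selection described in result 3 (a weighted multi-layer graph searched with the Viterbi algorithm) can be sketched as follows. This is an added example, not code from the dissertation: the cost model (one integer weight per candidate plus a hop-based link weight), the `Candidate` type, the server names and the sample chain are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Candidate:
    operation: str  # "initiate", "reuse", "scale" or "migrate" (the abstract's four operations)
    server: str     # hypothetical service node
    cost: int       # assumed node weight: resource cost plus influence

def select_scheme(layers, link_cost):
    """Viterbi over a layered graph. layers[i] lists the candidates for the
    i-th VSF of the chain; link_cost(a, b) weights the edge between servers.
    Returns (total_cost, [Candidate, ...]) for the cheapest scheme."""
    if not layers or any(not layer for layer in layers):
        raise ValueError("every VSF in the chain needs at least one candidate")
    # table[i][j] = (cheapest cost of a path ending at layers[i][j], back-pointer)
    table = [[(c.cost, None) for c in layers[0]]]
    for i in range(1, len(layers)):
        row = []
        for c in layers[i]:
            reach, back = min(
                (table[-1][k][0] + link_cost(p.server, c.server), k)
                for k, p in enumerate(layers[i - 1])
            )
            row.append((reach + c.cost, back))
        table.append(row)
    # Backtrack from the cheapest node in the last layer.
    j = min(range(len(table[-1])), key=lambda n: table[-1][n][0])
    total, path = table[-1][j][0], []
    for i in range(len(layers) - 1, -1, -1):
        path.append(layers[i][j])
        j = table[i][j][1]
    return total, path[::-1]

# Constructed sample: a three-VSF chain over servers s1..s3 (assumed hop costs).
HOPS = {("s1", "s2"): 1, ("s2", "s3"): 1, ("s1", "s3"): 5}

def hop_cost(a, b):
    return 0 if a == b else HOPS[tuple(sorted((a, b)))]

SAMPLE_LAYERS = [
    [Candidate("reuse", "s1", 1), Candidate("initiate", "s2", 4)],
    [Candidate("scale", "s1", 3), Candidate("reuse", "s3", 1)],
    [Candidate("initiate", "s3", 4), Candidate("migrate", "s2", 3)],
]

if __name__ == "__main__":
    total, path = select_scheme(SAMPLE_LAYERS, hop_cost)
    print(total, [(c.operation, c.server) for c in path])
```

On the constructed sample, picking the cheapest candidate per layer independently costs 11 once link weights are counted, while the layered search finds a scheme costing 8.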
Keywords/Search Tags:Software-defined Networking, Security Service Chain, Single-domain Security Service Chain Embedding, Cross-domain Security Service Chain Embedding, On-demand Adjusting of Changed Security Service Chain, Survivable Adjusting of Security Service Chain