
Research On Key Technologies Of Endogenous Security For Software-defined Network

Posted on: 2021-06-26
Degree: Doctor
Type: Dissertation
Country: China
Candidate: W J Zhang
Full Text: PDF
GTID: 1368330647457286
Subject: Information and Communication Engineering

Abstract/Summary:
Software Defined Network (SDN) decouples the network control and management function from the data forwarding function. Through logically centralized controllers and open programming interfaces it simplifies network configuration, realizing a flat management mode and flexible data forwarding. At the same time, centralized control and network programmability make the security problems faced by SDN (for example, flow-table manipulation) more diverse and widen the scope of security threats. Traditional incremental security deployment inevitably increases network complexity and thus degrades network performance, while newer defense technologies are limited either by the static isomorphism of their architectures (e.g. Byzantine fault-tolerant technology) or by the blindness of the switching strategy in dynamic defense (e.g. moving target defense technology). Endogenous security technology, grounded in the intrinsic properties of the system, attributes the security problem to the attacker's disturbance of the system's internal functional modules, and increases the system's inherent anti-attack capability, recoverability and uncertainty by introducing dynamics, heterogeneity and redundancy, thereby raising the attacker's cost. This dissertation introduces endogenous security technology into the SDN system and studies the key technologies of endogenous security for SDN. The main research work and contributions are as follows:

1. Aiming at the core factors behind the security threats currently faced by SDN, a mimic architecture for SDN is proposed. First, based on the known vulnerability distribution of SDN, the protection boundary (mimic boundary) is delimited on the SDN control plane, and the reliability and security of its core functions and data are improved with the dynamic heterogeneous redundant mimic construction method. Then, for the implementation problems raised by introducing mimic construction into SDN, specific solutions such as mimic agent design and heterogeneous executor synchronization are proposed to ensure that the endogenous security technology can be deployed effectively. Finally, the anti-attack capability of the mimic SDN is modeled and analyzed, and the defense capability of the architecture is evaluated under both single attacks and attack-chain attacks.

2. Aiming at the problem of effectively evaluating the heterogeneity of executors in the mimic SDN architecture, a quantification method for the heterogeneity of the mimic control plane in SDN is proposed. First, building on previous studies and drawing on biodiversity theory, Shannon entropy and quadratic entropy are taken as the basis; the vulnerability attribute of the SDN control plane is introduced into the quadratic entropy as the parameter that measures the difference between executors and is incorporated into the quantitative model. Second, the real characteristics of vulnerabilities are discussed, the concept of high-order symbiosis and a quantization method for vulnerabilities are put forward, and the evaluation model of executor heterogeneity is further optimized. Finally, the advantages of the proposed quantization model are verified by experiments. The model provides an effective scheme for evaluating executor heterogeneity in the mimic SDN architecture and an important basis for implementing core functions of endogenous security technology such as arbitration and scheduling.

3. Aiming at how to improve the security of the mimic system by improving the scheduling strategy under the mimic SDN architecture, this dissertation presents a mimic scheduling algorithm based on the degree of heterogeneity and on confidence, to deal with a variety of attack scenarios and improve the security and execution efficiency of the system. First, the threat model of the mimic SDN control plane and the indexes of system security and execution efficiency are constructed. Second, based on the system vulnerability distribution, the concept and calculation method of sliding-window confidence are proposed. Combined with the proposed heterogeneity measure, the TOPSIS algorithm is used as the objective function to design a mimic scheduling algorithm based on heterogeneity and confidence. Then, test scenarios with different attack characteristics are constructed to verify the improvement of the proposed scheduling algorithm in terms of security and execution efficiency. Simulation results show that, compared with other algorithms, the TOPSIS-based algorithm achieves a better trade-off between security and execution efficiency.

4. In view of the polymorphism and redundancy of transmission protocol data in the mimic brackets of the mimic SDN, this dissertation, drawing on programmable design and protocol data forwarding technology, proposes a programmable semantic parsing method for mimic brackets, which increases the flexibility and efficiency of the normalization processing in mimic brackets. On the one hand, the hardware structure for programmable semantic parsing is designed. On the other hand, the parsing algorithm and the semantic extraction algorithm are designed, and the resource overhead and processing performance of the algorithms are analyzed and verified on an FPGA platform. Experimental and simulation results show that the proposed method supports a variety of protocol parsing scenarios, and its delay and throughput are significantly improved compared with a software implementation.
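Contributions 2 and 3 above describe a heterogeneity index built from Shannon entropy and quadratic entropy with a vulnerability-based difference parameter, and a TOPSIS scheduler that trades that heterogeneity off against a sliding-window confidence. The Python script below is an added illustration of how those two pieces fit together; it is not code from the dissertation. The five executors E1 to E5 and their vulnerability-class labels vA to vG, the use of 1 minus Jaccard similarity as the difference parameter, the definition of sliding-window confidence as the agreement rate over the last five arbitration rounds, and the equal criteria weights are all assumptions made here to make the idea concrete.

```python
"""Heterogeneity quantification and TOPSIS scheduling for a mimic SDN control
plane.  Added illustration: the executor data, the Jaccard distance, the
sliding-window confidence and the criteria weights are constructed assumptions,
not the dissertation's own definitions."""
import itertools
import math
from collections import deque

# Constructed sample: five heterogeneous controller executors, each tagged with
# an abstract set of vulnerability classes (placeholder labels, not real CVEs).
EXECUTORS = {
    "E1": {"vA", "vB", "vC"},
    "E2": {"vA", "vB", "vD"},
    "E3": {"vC", "vE"},
    "E4": {"vF"},
    "E5": {"vE", "vF", "vG"},
}
# Constructed arbitration log: 1 = agreed with the majority output, 0 = out-voted.
SAMPLE_ROUNDS = {
    "E1": [1, 1, 1, 1, 1],
    "E2": [1, 1, 0, 1, 1],
    "E3": [1, 1, 1, 1, 1],
    "E4": [0, 1, 0, 0, 1],  # keeps deviating: suspect executor
    "E5": [1, 1, 1, 1, 1],
}

def shannon_entropy(weights):
    """Shannon entropy (natural log) of the scheduling weights.  Uniform weights
    give ln(n) however alike the executors are, hence the need for Rao's index."""
    return -sum(p * math.log(p) for p in weights if p > 0)

def vuln_distance(a, b):
    """Dissimilarity as 1 - Jaccard(vulnerability sets) (assumption):
    0 = identical exposure, 1 = no vulnerability class in common."""
    union = a | b
    return 1.0 - len(a & b) / len(union) if union else 0.0

def quadratic_entropy(names, vulns=EXECUTORS):
    """Rao's quadratic entropy sum_i sum_j p_i p_j d_ij, uniform p_i, with the
    vulnerability distance as d_ij; higher means a more diverse executor set."""
    p = 1.0 / len(names)
    return sum(p * p * vuln_distance(vulns[i], vulns[j])
               for i in names for j in names if i != j)

class ConfidenceTracker:
    """Sliding-window confidence (assumption): share of the last `window`
    arbitration rounds in which the executor matched the majority output."""
    def __init__(self, names, window=5):
        self.history = {n: deque(maxlen=window) for n in names}

    def record(self, name, agreed):
        self.history[name].append(1 if agreed else 0)

    def confidence(self, name):
        h = self.history[name]
        return sum(h) / len(h) if h else 0.5  # neutral prior before any data

def build_sample_tracker(rounds=SAMPLE_ROUNDS, window=5):
    tracker = ConfidenceTracker(rounds, window)
    for name, outcomes in rounds.items():
        for agreed in outcomes:
            tracker.record(name, bool(agreed))
    return tracker

def topsis(matrix, weights):
    """Classic TOPSIS with vector normalisation, all criteria benefit-type.
    Returns each alternative's closeness to the ideal solution (1.0 = ideal)."""
    norms = [math.sqrt(sum(x * x for x in col)) or 1.0 for col in zip(*matrix)]
    v = [[w * x / n for x, w, n in zip(row, weights, norms)] for row in matrix]
    best, worst = [max(c) for c in zip(*v)], [min(c) for c in zip(*v)]
    scores = []
    for row in v:
        d_best, d_worst = math.dist(row, best), math.dist(row, worst)
        scores.append(d_worst / (d_best + d_worst) if d_best + d_worst else 1.0)
    return scores

def schedule(tracker, k=3, weights=(0.5, 0.5), vulns=EXECUTORS):
    """Pick the k-executor set with the best heterogeneity/confidence trade-off.
    Returns (frozenset of executor names, closeness score)."""
    candidates = list(itertools.combinations(sorted(vulns), k))
    matrix = [[quadratic_entropy(c, vulns),
               sum(tracker.confidence(n) for n in c) / k] for c in candidates]
    scores = topsis(matrix, weights)
    i = max(range(len(candidates)), key=scores.__getitem__)
    return frozenset(candidates[i]), scores[i]

if __name__ == "__main__":
    tracker = build_sample_tracker()
    print(f"Shannon entropy of any uniform trio: {shannon_entropy([1 / 3] * 3):.3f}")
    for trio in (("E2", "E3", "E4"), ("E1", "E3", "E5")):
        print(trio, f"Q={quadratic_entropy(trio):.3f}",
              f"confidence={sum(tracker.confidence(n) for n in trio) / 3:.3f}")
    chosen, score = schedule(tracker)
    print("scheduled set:", sorted(chosen), f"closeness={score:.3f}")
```

On this constructed data the scheduler selects E2, E3 and E5: it passes over the most heterogeneous trio (E2, E3, E4, whose quadratic entropy is the maximum 2/3) because E4 has been out-voted in three of the last five arbitration rounds, and over the most consistent trio (E1, E3, E5) because E1 and E3 share vulnerability class vC. Shannon entropy alone would rate every uniform trio identically at ln 3, which is the gap the vulnerability-aware quadratic entropy closes.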
Keywords/Search Tags: Software-defined network, endogenous security, mimic boundary, heterogeneous quantization, scheduling strategy, programmable semantic parsing