Research On The Construction Of Network Dynamic Security Components

Posted on: 2019-04-05
Degree: Master
Type: Thesis
Country: China
Candidate: Z J Wei
GTID: 2348330545462529
Subject: Computer Science and Technology
Abstract/Summary:

Cyber-security incidents now occur frequently. In 2014, the private information of 500 million Yahoo users was stolen. In 2017, the WannaCrypt virus broke out around the world, causing huge damage to people's property. These incidents show that cyber-security has become a major issue affecting national economies and people's lives. With the development of SDN, NFV, and Cloud, network architectures are migrating towards data-center networks. Because they rely too heavily on security devices and deliver services in a closed manner, traditional security solutions lack the flexibility, scalability, and mobility needed to satisfy the security needs of data-center networks. That is why Gartner proposed Software Defined Security (SDS). SDS separates the control plane from the data plane and logically controls the Network Security Functions (NSFs), which are software-oriented, through the control plane. This enhances the flexibility and scalability of the security solution so that it can respond rapidly to security threats.

Since SDS was proposed, many organizations have worked on it and put forward many valuable solutions. However, although these solutions implement the NSFs in software, they still have a high degree of coupling and lack mobility support. In addition, most researchers focus on the architecture design of the security controller and the Service Function Chain (SFC) and disregard the deployment strategy of NSFs, which is also an important issue in SDS.

To solve the above problems, this paper presents a software-defined dynamic network security system that takes full account of the software-defined security requirements for scalability, flexibility, and mobility, in order to achieve flexible management of security functions and provide users with dynamic security services. The main contents of this dissertation are as follows.

(1) An architecture for a dynamic network security system is proposed based on SDS, to provide efficient security solutions.
(2) A hierarchical SFC scheme based on the Network Service Header (NSH) protocol is proposed, which is proactive and policy-driven.
(3) A deployment scheme based on Group Routing Betweenness Centrality (GRBC) is proposed, which can decouple the NSF from the layers.
(4) A security function scheduling scheme based on the "publish/subscribe" mode is innovatively proposed, to make security function scheduling flexible and to provide security protection for networks.
(5) A dynamic network security system is built based on the Ryu controller and Mininet tools.

Finally, on the basis of the system that has been built, the functions and performance of the proposed schemes are evaluated and tested from multiple perspectives. They are proved to be correct and feasible.
Keywords/Search Tags: Software Defined Security (SDS), Group Routing Betweenness Centrality (GRBC), deployment of security functions, Security Function Chain (SFC)