
Research On Proactive Defense Of SDN Controller

Posted on: 2018-08-22
Degree: Master
Type: Thesis
Country: China
Candidate: Z P Lu
Full Text: PDF
GTID: 2428330563951087
Subject: Information and Communication Engineering
Abstract/Summary:
Software-Defined Networking (SDN) separates the control plane from the data plane and exposes an open programmable interface. This structure improves the efficiency of network routing, enhances the network's on-demand service capability, and simplifies network operation and management, which in turn promotes innovation in network architecture. The controller, as the core component of SDN, holds the view of the whole network and translates upper-layer decisions into the forwarding rules of the data plane. It is the brain of the network, but for that reason it also becomes the focus of attacks. Once the controller is compromised, information leakage follows, and the entire SDN network may even be paralysed. At present, security research on the SDN controller still relies mainly on passive defense mechanisms: improving the existing controller security modules and deploying attack detection mechanisms. Both are hard pressed to cope with the ever-changing challenges of Advanced Persistent Threats (APT attacks), and neither can deal with the uncertain threats caused by unknown vulnerabilities or even backdoors in the SDN controller. Based on the theory of Cyberspace Mimic Defense, this thesis uses the diversity of SDN controllers available in the academic and industrial ecosystem to improve the active defense capability of the SDN controller. The heterogeneous redundancy mechanism from the reliability field is applied to the SDN controller security architecture, and a dynamic design then breaks the fixed mapping between system function and its implementing structure. This raises the attacker's cost of probing and exploiting system vulnerabilities and establishes active defense capabilities rooted in the system architecture. The main contents of the thesis are as follows:
1. Aiming at security threats such as unknown vulnerabilities and backdoors faced by current SDN controllers, a dynamic, heterogeneous and redundant security controller architecture is proposed, built from a variety of heterogeneous controllers and integrating dynamic factors. Based on this architecture, the impact of the dynamic scheduling strategy on security performance is analysed, and an optimal security scheduling mechanism is derived using game theory. Simulation results show that the architecture and scheduling mechanism can effectively prevent security threats caused by unknown controller vulnerabilities and provide a self-cleaning capability for such vulnerabilities.
2. Aiming at the conflicting effects of scheduling frequency on the performance and the security of the heterogeneous controllers during dynamic scheduling, a scheduling mechanism based on the renewal process is proposed. Simulation results show that the mechanism effectively balances the performance and security of the SDN network during dynamic scheduling.
3. Aiming at the losses suffered by the SDN system, the threat model of the attack is analysed and game theory is used to model the attack and defense process. The game model proves that the Strong Stackelberg Equilibrium is the optimal strategy for minimising the defender's loss. On this basis, a controller hijacking defense strategy based on active information scrambling is proposed and evaluated through experimental simulation and comparative analysis.
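To make the dynamic, heterogeneous and redundant controller architecture concrete, here is an added toy simulation (example code written for this page, not from the thesis or any real controller). Several heterogeneous controller executors compute the forwarding rule for the same request, the rule is accepted only by majority vote, a dissenting executor is treated as suspect and rotated out, and the active set is also rotated on a fixed schedule so that no function-to-implementation mapping stays fixed; the controller names and the four-port topology are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Controller:
    name: str                  # label of a heterogeneous implementation (constructed)
    compromised: bool = False  # models an executor hit by an unknown vulnerability

    def compute_rule(self, dst_host: int) -> tuple:
        """Forwarding rule for traffic to dst_host on a toy 4-port switch."""
        if self.compromised:
            return ("out_port", 99)  # hijacked executor emits a tampered rule
        return ("out_port", dst_host % 4)


class MimicControllerPool:
    """Dynamic-heterogeneous-redundant (DHR) controller pool with voting."""

    def __init__(self, executors, active_size=3, rotate_every=5):
        self.spares = list(executors)
        self.active = [self.spares.pop(0) for _ in range(active_size)]
        self.rotate_every = rotate_every
        self.decisions = 0
        self.ejected = []  # audit trail of executors rotated out, in order

    def _replace(self, ctrl):
        """Rotate ctrl out of the active set and bring in a spare."""
        self.active.remove(ctrl)
        self.ejected.append(ctrl.name)
        if self.spares:
            self.active.append(self.spares.pop(0))
        ctrl.compromised = False  # re-imaged to a clean state before reuse ("self-cleaning")
        self.spares.append(ctrl)

    def decide(self, dst_host: int) -> tuple:
        """Majority-vote a rule, eject dissenters, rotate on the scheduling period."""
        outputs = {c.name: c.compute_rule(dst_host) for c in self.active}
        winner, votes = Counter(outputs.values()).most_common(1)[0]
        if votes * 2 <= len(outputs):
            raise RuntimeError("no majority among executors; rule withheld")
        for c in [c for c in self.active if outputs[c.name] != winner]:
            self._replace(c)  # dissenting executor is suspect: schedule it out
        self.decisions += 1
        if self.decisions % self.rotate_every == 0:  # periodic dynamic scheduling
            self._replace(self.active[0])
        return winner
```

With a single compromised executor among three active ones, the tampered rule is outvoted and the executor is replaced on the first decision; with two of three compromised the vote still has a majority but the wrong one, which is why the thesis treats the scheduling period and executor diversity as the security-critical parameters.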
Keywords/Search Tags: Software-Defined Networking, Security of controller, Dynamic scheduling, Hijacking controller