
Research And Implementation Of SDN Northbound Resource Security Access Scheme

Posted on: 2020-10-04 | Degree: Master | Type: Thesis
Country: China | Candidate: Q Cui | Full Text: PDF
GTID: 2428330572472223 | Subject: Information security
Abstract/Summary:
Software-defined networking (SDN) decouples the traditional closed network system into a data plane, a control plane and an application plane. This loose coupling of the control plane and data plane supports centralized control of network state and makes the underlying network facilities transparent to upper-layer applications. The SDN northbound interface is the interface that is opened to upper-layer business applications through the controller. Its goal is to let business applications easily access the underlying network resources and capabilities. However, the dependencies between the northbound interface controller and the application programs are very fragile. Attackers can exploit the openness and programmability of the northbound interface to make arbitrary calls to, and gain access to, some important resources in the controller. At present, the security problems faced by northbound interfaces mainly include illegal access, data leakage, message tampering, identity counterfeiting, application vulnerabilities, and new vulnerabilities introduced when different applications cooperate.

First, this paper investigates and tests the security of the northbound interfaces of the current mainstream controllers. By analyzing previous research results on northbound controller security and their shortcomings, and considering the actual demands posed by current threats to SDN northbound interface resource access, a more scalable and fine-grained dynamic access control scheme is proposed. Based on the behavioral characteristics of OFapps, this paper proposes a set of access policy templates. In particular, a flow table threshold prediction algorithm is proposed to address the threat of an OFapp abusing the ADD privilege against the controller. By analyzing the characteristics of the predicted input flows, the access threshold of an OFapp is changed dynamically. In the stress test, the delay of our scheme is about 10% compared with other safety control schemes. Finally, this paper researches and implements an SDN controller dynamic access control system. We repackaged the northbound interface and designed a flexible access policy template for different OFapps. We developed the security filter module and the background management interface of the OFapp to automate security management of the northbound interface. The experimental results show that the system can provide fine-grained access control for OFapplications with different northbound interface access. With specific access privileges and reasonably set access thresholds, our system separates the OFapplication from the controller, so it can be extended to all control and effectively protect the security of the controller.
Keywords/Search Tags: Software Defined Networking, Northbound REST API, Dynamic Access Control, Flow Entry Prediction