
Research And Implementation Of SDN Southbound Security Protection System

Posted on: 2020-12-01
Degree: Master
Type: Thesis
Country: China
Candidate: Q Y Meng
GTID: 2428330572972224
Subject: Information security

Abstract/Summary:
As a new generation of network technology, SDN separates control from data forwarding, and its open interfaces and network virtualization make it more applicable than traditional networks in the current environment of changing network resources; it has been highly praised by many companies and researchers. However, these same characteristics also make SDN more vulnerable to attacks than traditional networks, and the security of the southbound interface, the communication interface between the control plane and the data plane, is even more important. Against this background, this thesis implements a southbound security protection system for SDN networks, covering protection of SDN southbound communication, detection of DDoS attacks in the SDN network, and monitoring of SDN controller performance. In researching the security protection technology, targeted improvements are proposed according to the deficiencies or characteristics of the SDN network. The specific work of the thesis is as follows:

(1) To address the shortcomings of the original TLS secure channel of the SDN system, this thesis proposes a southbound security authentication scheme for SDN. The scheme enables the southbound TLS secure channel by default, and a trusted certificate authority (CA) authenticates and signs the legitimate controllers and switches in the SDN to implement mutual authentication between the controller and the switch. The RSA asymmetric encryption algorithm is used for key negotiation, so that both sides finally obtain the same symmetric key. The AES symmetric encryption algorithm is then used to encrypt communication messages, to achieve higher security and higher efficiency. A security analysis of the scheme shows that it can effectively prevent man-in-the-middle attacks and provide integrity and confidentiality for the communication.

(2) This thesis proposes a DDoS attack detection algorithm for SDN based on a convolutional neural network (CNN). The CNN model is used to classify the characteristics of SDN network traffic and so implement DDoS attack detection. Based on the characteristics of SDN network traffic, the thesis analyzes why a traditional CNN is not well suited to network traffic analysis and introduces the concept of information entropy to improve the pooling method in the CNN, which improves the generalization ability of the network model. The network model is pre-trained on the NSL KDD dataset and then fine-tuned on the SDN traffic dataset. Experiments show that the proposed algorithm achieves 98.1% accuracy on the SDN test set.

(3) This thesis implements the SDN southbound security protection system. The SDN southbound security authentication scheme is used to protect the SDN southbound interface, the CNN-based traffic classification algorithm is used to detect DDoS attacks in SDN, and controller performance monitoring data is recorded and shown in a front-end visual display, giving network administrators a more intuitive understanding of controller performance. Experiments verify that the system can monitor each performance parameter in real time and display it to the user visually, so that the user can better understand the operation of the system, and they also demonstrate the feasibility and practicability of the research.
Keywords/Search Tags: Software-defined network, Security authentication, Attack detection, Convolutional neural network