
The Design And Implement Of On-Demand Service Of Security Function Based On Traffic Aware In Multi-Datacenters

Posted on: 2020-05-06
Degree: Master
Type: Thesis
Country: China
Candidate: X Qi
GTID: 2428330578954714
Subject: Communication and Information System
Abstract/Summary:
With the rapid growth of data in the information age, collaborative operation of multiple data center domains has become the preferred way for large enterprise users to store data, and the information security of multi-data-center deployments has become their foremost concern. Because each data center domain has its own separate security management system, data islands form easily and management becomes complex. A security deployment scheme for multi-domain data centers is therefore needed that accounts for both north-south and east-west traffic and manages the security deployment of multiple data centers in a unified way. At the same time, in the face of frequent attacks on multiple data centers, the traditional data center security defense system has three problems: insufficient awareness, poor isolation, and inflexible deployment of security services. Legitimate traffic must also not be disturbed while attacks are being defended against.

Based on Service Function Chaining (SFC) and traffic-awareness technology, this thesis proposes a security service architecture for multi-domain data centers that takes both north-south and east-west traffic into account. Traffic-awareness components of different granularity are deployed at the ingress and egress of the data center to perceive the different types of legitimate traffic and suspicious abnormal traffic. A traffic-aware classifier classifies legitimate traffic at fine granularity and, through a passive strategy that interacts with the controller, provides customized security service paths for each type of legitimate traffic. A threat-aware component perceives the various kinds of attack traffic at coarse granularity and provides customized cleaning strategies for each type of attack traffic based on a metadata label strategy. Taking the characteristics of the different attack traffic into account, it schedules highly concealed and lethal attack traffic to a honeynet for behavior analysis or adds firewall rules to eliminate the attack, and it schedules DDoS attack traffic, which would easily congest the network, out of the data center. Attack elimination is carried out in an external cleaning center domain so that eliminating attack traffic inside the data center does not interfere with legitimate traffic. A load-balancing algorithm for the service function chain is also proposed for the cleaning center domain, which provides sufficient processing capacity for DDoS elimination across multiple data centers.

By building a prototype system, we simulate the most common legitimate traffic as well as APT attacks and DDoS attacks, the most difficult to defend against, to verify the feasibility of the proposed security service architecture. Firstly, experiments show that the proposed architecture can flexibly provide customized security services for different types of traffic. Secondly, they show that the architecture can detect suspicious traffic in time and effectively defend against concealed APT attack traffic. Finally, the typical DDoS mitigation strategy and the awareness-based DDoS mitigation strategy without load balancing are compared experimentally, and the influence of important parameters on the performance of the algorithm is discussed. Experiments show that the traffic-aware security service architecture accounts for both north-south and east-west traffic and provides flexible and effective security services for multi-domain data centers.
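The abstract describes the steering logic only in prose: label each flow (fine-grained classes for legitimate traffic, coarse classes for attack traffic), map each label to a service function chain, keep DDoS scrubbing in an external cleaning center, and balance that scrubbing across cleaning-chain instances so legitimate flows to the same victim are untouched. The following Python sketch is an added example written for this page; it is not the thesis's prototype or its algorithm. The label names, the SYN-flood heuristic and its thresholds, the chain definitions, the capacity-weighted least-load policy and the sample flows are all assumptions chosen for illustration.

```python
"""Illustrative traffic-aware SFC steering across data-center domains.
Added example, not the thesis's code: labels, thresholds, chain names and
the load-balancing policy are assumptions made for this sketch."""
from collections import defaultdict
from dataclasses import dataclass

# Metadata labels carried with each flow (assumed names). Legitimate classes
# select a customised service path; attack classes select a cleaning strategy.
WEB, DB, STORAGE = "legit:web", "legit:db", "legit:storage"
DDOS, SUSPICIOUS = "attack:ddos", "attack:suspicious"

# Service function chains per label (assumed). Legitimate traffic stays inside
# the data center; DDoS traffic leaves for the external cleaning-center domain
# so that scrubbing does not congest the data center itself.
CHAINS = {
    WEB: ["waf", "ids", "lb"],
    DB: ["fw", "db-audit"],
    STORAGE: ["fw", "dlp"],
    SUSPICIOUS: ["honeynet"],       # behaviour analysis for stealthy traffic
    DDOS: ["cleaning-center"],      # replaced by a concrete instance in steer()
}

# Fine-grained classification of legitimate traffic by destination port (assumed).
PORT_MAP = {80: WEB, 443: WEB, 3306: DB, 5432: DB, 9000: STORAGE}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    pps: int          # packets per second seen for this flow
    syn_only: bool    # SYN traffic that never completed a handshake


def classify(flows, ddos_src_threshold=50, ddos_pps=1000):
    """Return one label per flow, in input order.

    Coarse threat awareness (assumed heuristic): a destination receiving
    SYN-only traffic from at least ddos_src_threshold distinct sources at an
    aggregate rate of at least ddos_pps is a DDoS target, and only the SYN-only
    flows towards it are labelled DDOS, so a completed session to the same
    host keeps its legitimate label. Flows to unknown ports are SUSPICIOUS.
    """
    syn_sources, syn_rate = defaultdict(set), defaultdict(int)
    for f in flows:
        if f.syn_only:
            syn_sources[f.dst].add(f.src)
            syn_rate[f.dst] += f.pps
    targets = {d for d in syn_sources
               if len(syn_sources[d]) >= ddos_src_threshold
               and syn_rate[d] >= ddos_pps}
    return [DDOS if (f.syn_only and f.dst in targets)
            else PORT_MAP.get(f.dport, SUSPICIOUS) for f in flows]


class CleaningCenter:
    """External cleaning-center domain with several cleaning SFC instances.
    DDoS flows go to the instance with the lowest load relative to its
    capacity (assumed policy, standing in for the thesis's algorithm)."""

    def __init__(self, capacities):
        self.capacities = dict(capacities)           # instance -> pps capacity
        self.load = {k: 0 for k in capacities}        # instance -> assigned pps

    def assign(self, pps):
        inst = min(self.load, key=lambda k: self.load[k] / self.capacities[k])
        self.load[inst] += pps
        return inst


def steer(flows, cleaning):
    """Return (label, concrete service path) for every flow."""
    paths = []
    for f, label in zip(flows, classify(flows)):
        chain = list(CHAINS[label])
        if label == DDOS:
            chain = [f"cleaning-center/{cleaning.assign(f.pps)}"]
        paths.append((label, chain))
    return paths


def sample_flows():
    """Constructed sample: three ordinary flows plus a 60-source SYN flood
    against the same web server that flow 0 is legitimately talking to."""
    legit = [Flow("203.0.113.10", "10.0.0.5", 443, 20, False),
             Flow("203.0.113.11", "10.0.1.7", 5432, 5, False),
             Flow("203.0.113.12", "10.0.0.9", 4444, 2, False)]
    flood = [Flow(f"198.51.100.{i}", "10.0.0.5", 443, 50, True) for i in range(60)]
    return legit + flood


if __name__ == "__main__":
    cc = CleaningCenter({"clean-a": 2000, "clean-b": 1000})
    for label, path in steer(sample_flows(), cc)[:4]:
        print(label, "->", path)
    print("cleaning-center load:", cc.load)
```

Two properties of the abstract are visible in the output: the completed session from 203.0.113.10 to the flooded server still gets the web chain rather than being dragged into scrubbing, and the 3000 pps of flood traffic is spread over the cleaning instances in proportion to their capacity (2000 and 1000 pps) instead of saturating one of them.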
Keywords/Search Tags:Multi data center, Awareness, Security Service Chain, Security Service