
Research About Technology And Algorithms On Software Defined Network Security Based On Flow Rules

Posted on: 2019-04-23
Degree: Master
Type: Thesis
Country: China
Candidate: Y Kuang
Full Text: PDF
GTID: 2428330590965715
Subject: Computer Science and Technology
Abstract/Summary:

Software-defined networks (SDN) use a layered approach to decouple traditional closed network architectures into data, control, and application planes, so that centralized control and management of the network is realized logically. The centralized control mechanisms and open programming interfaces have increased the flexibility of SDN management. At the same time, they also provide convenience for attackers and bring more challenges to SDN security. If an attacker can forge flow rules from the controller, it can control the path of network traffic and bypass the network devices deployed in the SDN. Middleboxes such as firewalls and intrusion detection systems are the physical carriers for network flow monitoring. Network flow monitoring is the basis for providing advanced network processing services, and it is also the core technical means of ensuring network security. This thesis studies software-defined network security technologies and algorithms based on flow rules. The main contents and research value are as follows:

1. For the dynamic problem of data flow in software-defined networks, a network security communication model based on data flow rules is designed. First, a corresponding security mechanism is designed to prevent attacks, based on the data plane control forwarding mechanism, that the control plane may suffer.

2. For the load problem of software-defined networks, a load balancing algorithm is designed. First, a heuristic algorithm is used to find the deployment location at which the middleboxes have the smallest network latency. Second, to avoid a single point of failure caused by a middlebox becoming a network hotspot, an integer linear programming (ILP) algorithm and a linear programming (LP) flow control algorithm are developed based on the capacity limitations of middleboxes and SDN switches, so that the entire network load is balanced. Finally, to avoid the problem of middleboxes modifying the header of the data packet, this thesis designs a data flow association algorithm to ensure that the relevant algorithms and security mechanisms can be performed correctly.

Lastly, the thesis verifies the proposed model and algorithms using DARPA's real data set. Experimental results show that the proposed models and algorithms can effectively take the data flow dynamics of software-defined networks into account and manage network data flow more efficiently, and in turn preserve network load balance and improve the stability and security of the entire software-defined network.
Keywords/Search Tags:software-defined network, middlebox, dataflow management, network security