Research On Optimization And Management Of Flow Table Rules Based On OpenFlow

Posted on: 2020-10-01
Degree: Master
Type: Thesis
Country: China
Candidate: F F Zhang
Full Text: PDF
GTID: 2428330596476550
Subject: Engineering

Abstract/Summary:
Software Defined Network (SDN) is the representative technology of the next-generation Internet. Its main idea is to decouple the network control plane from the data forwarding plane; by doing so, SDN brings logically centralized control and achieves centralized management of the network. The data plane network devices can rapidly forward data flows according to the requirements issued by the control layer. One of the most important components for achieving high-speed forwarding is the flow table. When the flow table resource is shared by multiple users and modules whose network policies are independent of each other, the different network policies may cause anomalies, resulting in network policy failure and overflow of entries. On the other hand, since OpenFlow is almost stateless and flexible, it is possible to modify or rewrite the packet header during forwarding, which gives the network controllability and programmability but also brings some security problems.

This thesis researches the flow table and finds that flow table optimization and management must focus on the many problems caused by abnormal flow table rules. First, a newly added flow rule may bring flow rule anomalies (redundancy, conflicts, etc.), resulting in redundant flow table resources being occupied and in conflicting rules. This thesis proposes an anomaly detection and processing scheme based on a Detect Tree model. We first establish the Detect Tree node hierarchical tree anomaly detection data model. The scheme defines the rule relationship and rule anomaly and uses them as the detection nodes of the Detect Tree; it then analyzes the relationship between anomaly types and processes the detected rule anomalies. Second, when SDN is used for data stream replication, multiple network monitoring tools need the same stream data, which may cause flow table conflicts so that the data sharing cannot be completed. Therefore, this thesis proposes a transaction-based shared conflict detection and processing algorithm, which solves the problem of flow table conflicts arising from the need for data sharing. Third, due to the flexibility of the OpenFlow protocol, a flow table entry is allowed to modify the packet's match fields. After modification, the packet may bypass a firewall rule, causing serious security problems. In this thesis, we optimize the OpenFlow security kernel scheme proposed by Philip Porras and propose establishing a Modified-Flow address set based on ARR. Conflict prediction is done first, and then the HSA framework is used to calculate reachability; the results of the pre-judgment are reviewed to ensure the accuracy of the improved scheme. Simulation experiments show that the improved scheme has a lower detection rate than the previous ones under different numbers of flow table entries and topologies of different complexity.

Furthermore, based on the above theoretical research, this thesis designs and implements a flow table optimization and detection system, which mainly includes three modules: an anomaly detection and processing module, a security conflict detection module, and a shared conflict detection and processing module. Finally, the system was tested for functionality, which proved its effectiveness.
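As an added illustration of the rule relationships and rule anomalies the abstract refers to (example code written for this page, not the thesis's Detect Tree implementation), the following Python classifies each pair of OpenFlow-style flow rules by match-space relation, priority and action into redundancy, shadowing, generalization, correlation or equal-priority conflict; the field list, rule names and the sample flow table are constructed.

```python
"""OpenFlow flow-rule pairwise anomaly detector (added example, not the thesis's
Detect Tree). match: field -> exact value; a missing field is a wildcard."""
from collections import namedtuple
from itertools import combinations

FIELDS = ("in_port", "eth_type", "ip_src", "ip_dst", "tcp_dst")
Rule = namedtuple("Rule", "name priority match action")

def relation(r1, r2):  # r1's match space vs r2's
    rels = set()
    for f in FIELDS:
        a, b = r1.match.get(f), r2.match.get(f)
        if a == b:
            rels.add("eq")
        elif a is None:
            rels.add("sup")      # r1 wildcards a field that r2 fixes
        elif b is None:
            rels.add("sub")
        else:
            return "disjoint"    # two different exact values never both match
    if rels <= {"eq"}:
        return "equal"
    if rels <= {"eq", "sub"}:
        return "subset"
    return "superset" if rels <= {"eq", "sup"} else "correlated"

def classify(a, b):
    """Anomaly for one pair as (kind, affected rule, causing rule), or None."""
    hi, lo = (a, b) if a.priority >= b.priority else (b, a)
    rel = relation(lo, hi)
    if rel == "disjoint":
        return None
    if hi.priority == lo.priority:   # overlap at equal priority: match order undefined
        return ("conflict", lo.name, hi.name) if lo.action != hi.action else None
    if rel in ("equal", "subset"):   # lo can never be matched
        return ("redundancy" if lo.action == hi.action else "shadowing", lo.name, hi.name)
    if rel == "superset":            # hi carves an exception out of lo
        return ("redundancy" if hi.action == lo.action else "generalization", hi.name, lo.name)
    return ("correlation", lo.name, hi.name) if lo.action != hi.action else None

def detect(rules):
    return [r for r in (classify(a, b) for a, b in combinations(rules, 2)) if r]

RULES = [   # constructed sample flow table, not from the thesis
    Rule("deny_web", 100, {"ip_dst": "10.0.0.5", "tcp_dst": 80}, "drop"),
    Rule("host_fwd", 50, {"ip_dst": "10.0.0.5"}, "output:2"),
    Rule("old_web", 10, {"ip_dst": "10.0.0.5", "tcp_dst": 80}, "output:3"),
    Rule("deny_web_p1", 200, {"in_port": 1, "ip_dst": "10.0.0.5", "tcp_dst": 80}, "drop"),
    Rule("mon_tap", 50, {"ip_dst": "10.0.0.5"}, "output:3"),
]
```

Pairwise verdicts are only a first pass: a rule reported redundant must still be checked against every rule whose priority lies between the pair, which is why a whole-table analysis is needed before entries are actually removed. The "mon_tap" versus "host_fwd" conflict is the data-sharing case from the abstract, where two tools install equal-priority rules for the same stream.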
Keywords/Search Tags: Software Defined Network, OpenFlow, Rule Conflict, Data Sharing, Flow Table Security