Research On Security Service Chain Mapping Mechanism Oriented To SDN/NFV

Posted on: 2019-12-01
Degree: Master
Type: Thesis
Country: China
Candidate: R Huang
GTID: 2428330596959494
Subject: Cyberspace security

Abstract/Summary:
With the rapid development of diversified network businesses, the drawbacks of the traditional network security service model in terms of dynamics, flexibility and scalability have become more and more prominent. It is imperative to reform the network security service model. The development of software defined network (SDN) and the rise of network function virtualization (NFV) have provided support for exploring a new network security service model. SDN migrates the control function from traditional distributed network equipment to a centralized control platform by separating the logical plane and the physical plane, thereby implementing centralized control and open programming of the network. NFV transforms the network functions deployed in proprietary hardware into virtual network functions (VNFs) running on general-purpose servers, decoupling the software functions from the hardware carriers of traditional network devices, reducing the overhead of deploying dedicated middleboxes at specific locations in the network, and increasing the flexibility of network device deployment.

Thus, the security service chain (SSC) technology based on SDN/NFV came into being. SSC uses NFV technology to virtualize the traditional security service functions and deploy them on service nodes. Using the centralized control function of SDN, traffic is directed through the virtual security function (VSF) instances on the service nodes according to the security service request (SSR) of the user/business, so that customizable security services can be provided for the user/business. As an important part of implementing SSC, the SSC mapping problem needs to be solved urgently. Therefore, this paper focuses on the SSC mapping problem under different mapping scopes and reliability requirements. The main work is as follows:

1. A single-domain SSC mapping mechanism based on cost optimization is proposed. Aiming at the problem that existing single-domain mapping mechanisms have difficulty balancing mapping efficiency against the cost-benefit of security service providers, an SSC mapping cost model, SCMC, is proposed, which models the problem as a combinatorial optimization problem over a discrete solution space. The SCMC-MA algorithm, based on the Markov approximation process, is proposed. It uses the idea of dynamic programming to decouple the mapping problem of one SSC into multiple VSF deployment problems, which improves the cost-benefit of security service providers while reducing the processing time of mapping requests. The SCMC-MG algorithm, based on many-to-one matching game theory, is proposed to solve the state space explosion problem of the SCMC-MA algorithm in large-scale networks. The game between the two is used to quickly search for a stable matching in the solution space, which enhances the algorithm's adaptability to large-scale physical networks.

2. A cross-domain SSC mapping mechanism based on reinforcement learning is proposed. Aiming at the problem that existing single-domain mapping mechanisms have difficulty solving the SSC mapping problem across multiple OpenFlow domains, a cross-domain SSC mapping framework with regional centralized management and global collaborative scheduling is proposed, which contains two parts: a cross-domain resource management and control architecture, and a cross-domain SSC mapping process. It realizes effective management and control of cross-domain resources while avoiding cross-domain mapping request processing conflicts and global service proxy overload. We model the cross-domain SSC mapping problem as an integer linear programming (ILP) problem with minimum mapping overhead. A cross-domain SSC construction request segmentation algorithm based on the Q-learning mechanism is designed to solve the problem, which realizes effective SSC mapping across multiple OpenFlow domains.

3. An SSC failure recovery mechanism based on resource reservation is proposed. Aiming at the problem that existing survivability mapping mechanisms have difficulty balancing fault recovery efficiency against ensuring that new SSRs are not restricted by resources, a backup and recovery method based on proportional resource reservation is proposed. It pre-scales the primary and backup resources in the physical network and constructs the node/link candidate set. When a node failure occurs, the remapping target is selected from the candidate set and allocated reserved resources. An improved discrete particle swarm algorithm is used to solve the node fault remapping problem, which reduces resource occupation while improving the fault repair rate. When a link fault occurs, the affected traffic is migrated to an available link in the candidate set by dynamically changing the traffic splitting ratio of the underlying physical path. A dynamic path segmentation algorithm is designed to solve the link fault redirection problem, which maximizes the residual value of the underlying physical network resources.

The feasibility and effectiveness of the above mechanisms are verified by simulation experiments, which can provide strong support for implementing the new network security service mode in an SDN/NFV environment.
Keywords/Search Tags: Software Defined Network, Network Function Virtualization, Security Service Chain, Mapping, Matching Game, Reinforcement Learning