
Research On Key Technologies Of Service Function Chain Proactive Defense In NFV Environment

Posted on: 2021-01-06 | Degree: Master | Type: Thesis
Country: China | Candidate: S L Xu | Full Text: PDF
GTID: 2428330623482221 | Subject: Information and Communication Engineering

Abstract/Summary:
Network Function Virtualization (NFV) decouples network functions from dedicated hardware, so that software-implemented Virtualized Network Functions (VNFs) can run on industry-standard hardware platforms and can be flexibly deployed or migrated within virtualized environments such as virtual machines or containers. A Service Function Chain (SFC) is a chained collection of network functions. NFV has changed the traditional way service function chains are arranged and deployed, making end-to-end network service delivery more flexible and scalable, with a wide range of potential applications in 5G mobile networks, the Internet of Things and other scenarios. However, compared with traditional network functions, the openness of VNFs exposes them to serious security challenges from software vulnerabilities, so the security of a VNF service function chain cannot be guaranteed.

Researchers have studied the security problems of the VNF service function chain, but most current defense methods can only deal with attacks that have known characteristics and are ineffective against security threats based on unknown vulnerabilities. This leads to three problems: (1) VNFs in a service function chain are single instances of a single design, making it easy for an attacker to obtain information about the online VNF instance and exploit its vulnerabilities; traditional defense mechanisms are ineffective against attacks based on unknown vulnerabilities. (2) Security protection is applied to a single VNF, while the security correlation between VNFs in the same service function chain, and the overall security of the chain, is not considered, allowing an attacker to perform hidden attacks that may spread along the service function chain. (3) The "single chain" deployment method makes the availability of the service function chain strongly dependent on the availability of every VNF in the chain, allowing an attacker to perform repeated attacks on the same VNF and affect the availability of the service function chain continuously.

Network proactive defense mechanisms, such as Moving Target Defense and Mimicry Defense, are security defense mechanisms that do not rely on prior knowledge of attacks and mitigate unknown security threats by increasing the difficulty of vulnerability exploitation. The flexibility of VNFs can reduce the overhead of a proactive defense mechanism, so network proactive defense mechanisms can be applied to VNF security protection. To solve the problems above, a VNF dynamic defense method is first proposed to improve the security of VNFs in a service function chain; it uses dynamic switching of VNF instances to disturb the attacker's information collection and exploitation process. The dynamic defense method is then extended to the level of the service function chain, considering security benefits and costs from the perspective of the whole chain. Finally, to improve the availability of the service function chain under repeated attacks, the "single chain" deployment model is replaced by dividing the service function chain into heterogeneous, parallel sub-chains, each containing heterogeneous VNF instances that process user traffic in different ways. The research contents and results are mainly as follows:

1. Aiming at the problem of a VNF's single point of failure under attacks using unknown vulnerabilities, a dynamic defense mechanism for VNFs is proposed based on the relativity and security measurements of VNF instances. This mechanism prepares VNF instances that vary in software application and underlying environment, then dynamically switches the online VNF instance during the service function chain's life cycle to increase the attacker's cost of information collection and vulnerability exploitation. At the same time, considering the impact of the security and relativity of the switched VNF instances on the effectiveness of the dynamic defense mechanism, a dynamic switching strategy is proposed to minimize the attack success probability within a specific period of time. Simulation results show that the proposed dynamic defense mechanism deals with unknown vulnerability attacks effectively, while the dynamic switching strategy based on relativity and security measurements of VNF instances improves the defense effect significantly.

2. Aiming at the problem of hidden attacks spreading along the service function chain, a scheduling mechanism for the VNF service function chain is proposed based on an attack-defense game model. The scheduling mechanism extends the dynamic defense mechanism to the entire service function chain by selecting one online VNF in the chain and replacing its instance with a heterogeneous one in each switching cycle. To improve the performance of the scheduling mechanism in the dynamic defense scenario of a service function chain, a Stackelberg game is used to model the interaction between attacker and defender, and the scheduling probability of each VNF in the service function chain is calculated with the goal of optimizing the defender's benefit in the Stackelberg game. Simulation results show that the proposed scheduling mechanism has a good defense effect at an acceptable defense cost.

3. Aiming at the problem of decreased service function chain availability caused by repeated attacks, a novel service function chain orchestration and deployment method based on heterogeneous, parallel sub-chains is proposed. Specifically, the service function chain is deconstructed into parallel sub-chains, each undertaking a part of the user traffic processing tasks, so that they provide the network service simultaneously. Within the parallel sub-chains, heterogeneous VNF instances are used to improve the availability of the service function chain under repeated attacks. At the same time, a method is put forward to measure the availability loss of the service function chain under repeated attacks for different orchestration methods. To minimize the expected availability loss in the orchestration phase and the resource consumption in the deployment phase, the orchestration and deployment problem of heterogeneous, parallel sub-chains is modeled as a two-stage mixed integer programming problem and solved using genetic algorithms. Simulation results show that the proposed method improves the availability of the service function chain under repeated attacks.
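As an added illustration of contribution 2 (this is example code, not the thesis's model or code), the block below solves a simplified Stackelberg scheduling game: the defender commits to a probability q_i of refreshing VNF i in each switching cycle, the attacker observes q and targets the VNF with the highest expected payoff, and the defender chooses q to minimize that payoff. The payoff model (an attack on VNF i succeeds in a cycle only if i is not refreshed, costing the defender an assumed loss value v_i) and the water-filling solution are assumptions of this example.

```python
from fractions import Fraction
from typing import Dict, Tuple

# Assumed model (not the thesis's): values[i] is the loss the defender suffers if
# VNF i is compromised; each cycle exactly one VNF instance is refreshed, VNF i
# with probability q_i. An attack on VNF i succeeds in a cycle only if i is not
# refreshed, so the attacker's expected payoff for targeting i is v_i * (1 - q_i).


def attacker_payoffs(values: Dict[str, Fraction], q: Dict[str, Fraction]) -> Dict[str, Fraction]:
    """Expected payoff of attacking each VNF, given the defender's schedule q."""
    return {i: v * (1 - q[i]) for i, v in values.items()}


def stackelberg_schedule(values: Dict[str, Fraction]) -> Tuple[Dict[str, Fraction], Fraction]:
    """Defender (leader) chooses q to minimise the attacker's best-response payoff.

    Water-filling: every VNF in the support gets the same payoff lam, so
    q_i = 1 - lam / v_i, and sum(q_i) = 1 fixes lam = (k - 1) / sum(1 / v_i).
    Returns (q, lam); lam is the attacker's payoff at the optimum.
    """
    ranked = sorted(values.items(), key=lambda kv: kv[1], reverse=True)
    n = len(ranked)
    for k in range(1, n + 1):
        support = ranked[:k]
        lam = Fraction(k - 1) / sum(Fraction(1) / v for _, v in support)
        # Feasible iff every supported VNF gets q_i >= 0 (lam <= v_i) and no
        # unsupported VNF is a more attractive target (v_i <= lam).
        if lam <= support[-1][1] and (k == n or ranked[k][1] <= lam):
            q = {i: Fraction(0) for i in values}
            for i, v in support:
                q[i] = 1 - lam / v
            return q, lam
    raise AssertionError("water-filling always terminates for positive values")


if __name__ == "__main__":
    # Constructed chain: three VNFs whose compromise costs the defender different amounts.
    chain = {"firewall": Fraction(8), "ids": Fraction(4), "nat": Fraction(2)}
    q, lam = stackelberg_schedule(chain)
    print("schedule:", {i: str(p) for i, p in q.items()})  # firewall 2/3, ids 1/3, nat 0
    print("attacker's best payoff:", lam)  # 8/3
    # A uniform schedule leaves the highest-value VNF a far better target.
    uniform = {i: Fraction(1, 3) for i in chain}
    print("uniform schedule, best payoff:", max(attacker_payoffs(chain, uniform).values()))  # 16/3
```

The NAT VNF gets zero refresh probability here because its loss value is below the equalized payoff; in practice the security measurements of each VNF instance would supply the values.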
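As an added example for contribution 3 (example code, not the thesis's code or its exact availability measure), the block below compares the availability loss of a single-chain deployment with heterogeneous, parallel sub-chains. It assumes that a repeated attack compromises one instance variant and takes every sub-chain running that variant offline, so the loss is the traffic share those sub-chains carried.

```python
from fractions import Fraction
from typing import Dict, List, Mapping

# Assumed model (not the thesis's exact measure): the SFC is orchestrated as parallel
# sub-chains; each sub-chain maps every VNF type to one instance variant and serves a
# share of the user traffic. A repeated attack on variant x takes every sub-chain
# that runs x offline, so the availability loss is the traffic share of those sub-chains.
SubChain = Mapping[str, str]  # VNF type -> instance variant, e.g. {"FW": "fw-a"}


def equal_shares(n: int) -> List[Fraction]:
    """Split user traffic evenly over n sub-chains."""
    return [Fraction(1, n)] * n


def validate(types: List[str], subchains: List[SubChain], shares: List[Fraction]) -> None:
    """Every sub-chain must cover every VNF type; shares must sum to 1."""
    if len(subchains) != len(shares) or sum(shares) != 1:
        raise ValueError("one traffic share per sub-chain, summing to 1")
    for sc in subchains:
        if set(sc) != set(types):
            raise ValueError(f"sub-chain {dict(sc)} does not cover all of {types}")


def loss_if_compromised(variant: str, subchains: List[SubChain], shares: List[Fraction]) -> Fraction:
    """Traffic share lost when instance variant `variant` is compromised."""
    return sum((s for sc, s in zip(subchains, shares) if variant in sc.values()), Fraction(0))


def worst_case_loss(subchains: List[SubChain], shares: List[Fraction]) -> Fraction:
    """Loss when the attacker picks the variant whose compromise hurts most."""
    return max(loss_if_compromised(v, subchains, shares) for sc in subchains for v in sc.values())


def uniform_attack(subchains: List[SubChain]) -> Dict[str, Fraction]:
    """Attacker targets each deployed variant with equal probability."""
    variants = sorted({v for sc in subchains for v in sc.values()})
    return {v: Fraction(1, len(variants)) for v in variants}


def expected_loss(subchains: List[SubChain], shares: List[Fraction], attack_probs: Mapping[str, Fraction]) -> Fraction:
    """Expected availability loss under a distribution over attacked variants."""
    return sum((p * loss_if_compromised(v, subchains, shares) for v, p in attack_probs.items()), Fraction(0))


if __name__ == "__main__":
    # Constructed three-VNF chain (firewall, IDS, NAT) with two variants per type.
    types = ["FW", "IDS", "NAT"]
    single = [{"FW": "fw-a", "IDS": "ids-a", "NAT": "nat-a"}]
    hetero = single + [{"FW": "fw-b", "IDS": "ids-b", "NAT": "nat-b"}]
    shared = single + [{"FW": "fw-b", "IDS": "ids-a", "NAT": "nat-b"}]  # both run ids-a
    for name, scs in [("single chain", single), ("heterogeneous", hetero), ("shared IDS", shared)]:
        sh = equal_shares(len(scs))
        validate(types, scs, sh)
        print(f"{name}: worst-case loss {worst_case_loss(scs, sh)}, "
              f"expected loss {expected_loss(scs, sh, uniform_attack(scs))}")  # 1,1; 1/2,1/2; 1,3/5
```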
Keywords/Search Tags: Proactive Defense, Service Function Chain, Network Function Virtualization, Security, Dynamic