
Research On The Key Technologies Of Mimic Defense In SDN Control Layer

Posted on: 2019-07-10
Degree: Master
Type: Thesis
Country: China
Candidate: J Gao
GTID: 2518305654458934
Subject: Automation Technology
Abstract/Summary:
With the continuous expansion of network scale and the rapid growth in the number of application services, network operation and maintenance are becoming more and more difficult. Traditional equipment manufacturers stick to their own technology, which makes network equipment configuration complex and makes upgrading the network and deploying new services difficult, so it is hard to adapt to the development trend of future networks. The emergence of Software Defined Networking (SDN) broke this stalemate: SDN separates the control and forwarding functions to implement programmability and centralized operation and management of the network. However, the structure and programmability of SDN also bring many security problems. In particular, the centralized controller in the control layer is the preferred target of attackers. The inherent vulnerabilities and backdoors of the controller are likely to be exploited by attackers, causing security problems such as single point of failure of the controller, hijacking of the controller and falsification of flow rules.

As an innovative integrated defense technology, mimic defense, which is based on the Dynamic Heterogeneous Redundancy (DHR) architecture, is effective in defending against security threats from known or unknown vulnerabilities and backdoors. This paper introduces mimic defense technology into the SDN control layer to improve the robustness and security of the SDN control layer, and solves the problems that arise in the process of introducing it. This paper is supported by the National Natural Science Foundation of China Innovation Group Project "Basic Theory Research of Cyberspace Mimic Defense".

This paper studies how to solve the security problem of the SDN control layer. Firstly, mimic defense technology is introduced into the SDN control layer to enhance its ability to resist attacks. Secondly, the consistency arbitration and dynamic scheduling problems that arise when introducing mimic defense technology are studied. Finally, the security of the SDN control layer is analyzed. The main work and research results of this paper are as follows:

1. In the traditional SDN structure, the controller faces security threats such as single point of failure, hijacking of the controller and static configuration. The paper introduces the dynamic heterogeneous architecture into the SDN control layer to construct the mimic SDN control layer (MCL), in which the network is controlled by multiple heterogeneous controllers at the same time. MCL breaks with the traditional single-controller arrangement. Combined with dynamic scheduling strategies, it can effectively prevent attacks based on vulnerabilities and backdoors in the controller. However, because the flow tables generated by the heterogeneous controllers differ in quantity and content, it is difficult to determine the consistency of the flow rules in the mimic arbitration process. To address this problem, a consistency arbitration method based on the network pipeline graph is proposed. This method relies on the fact that the final forwarding port of any data flow in the network is determined, so the consistency of the rules is judged from the traffic view of the network edge ports. The experimental results show that the proposed mimic arbitration method can accurately judge the consistency of the flow rules and meet the real-time requirements of a general network.

2. A dynamic scheduling strategy based on the heterogeneity of the executive set is proposed for the first time to solve the problem of dynamic scheduling in MCL. Firstly, the dynamic scheduling problem and the effect of heterogeneity on security are introduced. Secondly, based on the multi-attribute features of the controller, the control layer model is established in a finer-grained manner, and the heterogeneity of the executive set is defined based on the weighted Hamming distance. Furthermore, the controller scheduling problem is modeled as an optimization problem with the goal of maximizing the heterogeneity of the executive set. Finally, the problem is decomposed into two parts and the corresponding solution algorithms are proposed. The experimental results show that the proposed dynamic scheduling strategy can effectively improve the stability of the network system within a reasonable cost range and has little impact on network performance.

3. A method based on game theory is proposed to assess the security of MCL. Firstly, the security assessment problem of MCL is modeled as a game scenario in which the attacker and the defender each try their best to control the controllers. Secondly, in view of the aging of the information detected by attackers and the limited number of exploratory attacks under mimic defense, the players' action strategies are proposed from the point of view of action time. Furthermore, the game payoffs are quantified by the difference between a player's control time and the cost of action. Finally, the security of MCL is evaluated by the failure probability of the SDN control layer and the benefit of the defender. The simulation results show that the failure probability of MCL is very low and its security is better. In addition, the security benefits of MCL can be effectively ensured by selecting the appropriate scheduling timing.
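To illustrate result 2 above, the following added example (not code from the thesis) scores an executive set by its mean pairwise weighted Hamming distance and picks the most heterogeneous set. The controller pool, attribute names, weights, the mean-pairwise definition and the exhaustive search are all assumptions made for illustration; the thesis's own decomposition and algorithms are not given in the abstract.

```python
from itertools import combinations

# Constructed controller pool: names, attribute values and weights are
# illustrative assumptions, not data from the thesis.
POOL = {
    "c1": {"language": "java",   "os": "ubuntu",  "hypervisor": "kvm"},
    "c2": {"language": "java",   "os": "centos",  "hypervisor": "kvm"},
    "c3": {"language": "python", "os": "ubuntu",  "hypervisor": "xen"},
    "c4": {"language": "python", "os": "freebsd", "hypervisor": "kvm"},
    "c5": {"language": "go",     "os": "centos",  "hypervisor": "xen"},
}
WEIGHTS = {"language": 5, "os": 3, "hypervisor": 2}


def weighted_hamming(a, b):
    """Sum the weights of the attributes on which two controllers differ."""
    return sum(w for attr, w in WEIGHTS.items() if POOL[a][attr] != POOL[b][attr])


def heterogeneity(executive_set):
    """Mean pairwise weighted Hamming distance of an executive set (assumed definition)."""
    pairs = list(combinations(sorted(executive_set), 2))
    if not pairs:
        return 0.0
    return sum(weighted_hamming(a, b) for a, b in pairs) / len(pairs)


def best_executive_set(k, candidates=None):
    """Exhaustively pick the size-k set with maximum heterogeneity."""
    names = sorted(candidates if candidates is not None else POOL)
    if not 1 <= k <= len(names):
        raise ValueError("k must be between 1 and the number of candidates")
    return max(combinations(names, k), key=heterogeneity)


def reschedule(current, suspect):
    """Replace a suspect controller with the spare that keeps the set most diverse."""
    kept = set(current) - {suspect}
    spares = sorted(set(POOL) - set(current))
    if suspect not in current or not spares:
        raise ValueError("suspect must be in the current set and a spare must exist")
    best_spare = max(spares, key=lambda s: heterogeneity(kept | {s}))
    return tuple(sorted(kept | {best_spare}))


if __name__ == "__main__":
    chosen = best_executive_set(3)
    print(chosen, round(heterogeneity(chosen), 2))
    print(reschedule(chosen, "c4"))
```

Exhaustive search is only practical for small controller pools; it stands in here for whatever solution algorithms the thesis proposes.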
Keywords/Search Tags: Software-defined Networking, Control Layer Security, Mimic Defense, Consistency Arbitration, Dynamic Scheduling, Security Assessment