
Research On Key Technologies Of Network Security Situational Awareness Based On Software-Defined Networks

Posted on: 2024-05-26
Degree: Master
Type: Thesis
Country: China
Candidate: Y Chen
GTID: 2558307100473074
Subject: Computer technology

Abstract/Summary:
Software-defined networking (SDN) is a novel network architecture used for network virtualization. Because SDN can support diverse network application implementations, it has been widely used in emerging industries such as data centers, mobile communication, and the Internet of Things, gradually replacing traditional networking as the mainstream. However, the widespread deployment of SDN has also brought about various issues at the network application layer. Network security situational awareness can scientifically analyze the current state of network application security and reasonably predict future changes, and it is currently a hot spot in security technology research. However, the network security situational awareness framework based on SDN networks is not yet fully developed: the data collection technology cannot collect service application-level log data; the feature extraction technology has difficulty balancing detection accuracy, work efficiency, and resource consumption in large-scale network environments; and the situational assessment technology, as a result of the above issues, produces inaccurate conclusions or weak timeliness and relies on third parties for risk disposition. To solve these problems, this study conducts research on key technologies for SDN-based network security situational awareness. The main research contents and achievements include the following four aspects:

(1) To address the problem that the current SDN-based network security situational awareness framework is not complete enough, the relevant technologies are effectively integrated and an "SDN-based network security situational awareness framework" is proposed. The overall structure of the framework is designed, including the application interfaces at the SDN application layer; the basic and management interfaces and the load balancing module at the SDN control layer; and the data storage module at the SDN data link layer. This effectively solves the problem of inconvenient use caused by technology separation. To make the framework more fully functional, application-level microservice registration and access are designed so that the framework can flexibly support various types of applications. The control layer permission control function is designed so that the framework can flexibly manage administrators, various applications, and services. The data link layer data storage is also designed so that the framework can collect, store, and process logs, laying a foundation for subsequent work.

(2) To address the inability of data collection technology to collect service application-level log data, the "SDN-based network isolation and risk disposition technology" is proposed. An SDN-based network isolation model is proposed on the basis of existing network isolation technologies. This model provides a stable and unified network interface for network applications and enables a dedicated data transmission network for specialized applications, solving the problem that service application-level log data cannot be collected and providing a platform for the data collection technology. The model structure is optimized to achieve decentralization, using overlay networks and mesh virtual networking technologies to avoid the congestion caused by a massive number of network applications in large-scale network environments. Experimental verification found that the model has excellent isolation effects and only a 6% performance attenuation compared to other business isolation models, making it more advantageous.

(3) To address the difficulty of configuring log probes and their low level of integration with applications, and to make application logs easier to analyze, detect, manage, and monitor, the "SDN Log Probe-based Data Collection Technology" is proposed. Based on the SDN virtual network isolation model, an application log collection probe is designed, with application-level logs as the object of analysis. The probe configuration function is integrated using network auto-configuration technology, and the probe state monitoring function is achieved through network feedback. The probe collects data according to application network requirements and sends the collected data to the log collector through the application network. The log collector labels and processes the data and sends it to data storage, realizing efficient data collection and providing data support for multi-source log feature extraction and situational assessment.

(4) To address problems such as low detection accuracy, work efficiency, and resource consumption in feature extraction technology, as well as inaccurate conclusions or weak timeliness in situational assessment technology, the "Unsupervised Classification-based Feature Extraction and Situational Assessment Technology" is proposed. After the overall structure of the technology is built, key value extraction and key information extraction are used to reduce resource consumption and complexity. A log cycle tagging method is developed to enrich log information and is applied in unsupervised classification models, effectively avoiding the negative impact caused by the individual aspect of unsupervised classification. In the situational assessment model, risk is quantified using vector analysis methods, and a risk disposition model is designed based on advanced access control permission, network namespace, and other technologies to effectively address risks.

In this study, we tested the functionality and performance of the key technologies for network security situational awareness based on SDN networks. We constructed an experimental testing environment based on the situational awareness framework and used the SDN network application isolation model to build a virtual application operational network. The proposed data collection technique is used to collect WordPress and related service logs. Through the feature extraction and situational assessment technology, the collected data is analyzed, and the network risk details and risk hazard levels are accurately assessed. The model has a low false-positive rate of less than 10% for high separation logs, and the SDN controller can automatically execute predetermined decision-making plans based on the model score, further disposing of risk sources. The entire methodology achieves the predetermined goals.
Keywords/Search Tags: situational awareness, SDN, application logs, log probes, application isolation