A Dynamic Composition Mechanism for the Security Service Chain Oriented Software Defined Networking
doi: 10.11999/JEIT150876
The National Basic Research Program of China (2012CB315901, 2013CB329104), The National Natural Science Foundation of China (61309019, 61372121), The National High Technology Research and Development Program of China (2013AA013505)
Abstract: The tight coupling between network security functions and hardware devices makes the traditional security service model static and rigid, so it struggles to meet the diverse security requirements of future network services. Building on the features of Software Defined Networking (SDN), this paper proposes a flexible and configurable dynamic composition mechanism for the Composable Security Service Chain (CSSC). First, the overall framework of the mechanism is introduced, and a mathematical model of the composition problem is established using vector space and integer programming. Then, a heuristic algorithm is designed to solve the model, and a prototype of the mechanism is implemented in an SDN environment. Finally, the experimental results show that the proposed composition algorithm outperforms the compared algorithms on the performance metrics, and the advantage of the CSSC is validated by the simulation.

Keywords:
- Software defined networking
- Security service
- Meta-capability
- Function composition