A Security-oriented Dynamic and Heterogeneous Scheduling Method for Virtual Network Function
doi: 10.11999/JEIT181130
National Digital Switching System Engineering & Technological R&D Center, Zhengzhou 450002, China
Funds: The National Natural Science Foundation of China (61521003, 61602509), The National Key R&D Program of China (2016YFB0800100, 2016YFB0800101)
Abstract: Network Function Virtualization (NFV) brings flexibility and dynamism to the construction of service chains. However, the softwarized and virtualized environment may contain security risks such as software vulnerabilities and backdoors, which affect the security of the Service Chain (SC). To address this, a Virtual Network Function (VNF) scheduling method for service chains is proposed. First, a pool of heterogeneous images is built for each virtual network function, so that large-scale attacks exploiting common-mode vulnerabilities are avoided. Then, at a fixed period, one virtual network function on the service chain is selected for scheduling, and its executor is replaced by loading a heterogeneous image. Finally, taking into account the impact of scheduling on network function performance, a Stackelberg game is used to model the attack and defense process, and the scheduling probability of each network function on the service chain is solved with the goal of maximizing the defender's payoff. Experiments show that this method reduces the attacker's success rate while keeping the overhead generated by scheduling within an acceptable range.

Key words:
- Network Function Virtualization (NFV)
- Service Chain (SC)
- Cyber security
- Dynamic
- Heterogeneous
- Game theory
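As an added worked example (not code from the paper or its authors), the following Python sketch shows the last step of the method in miniature: the defender, as Stackelberg leader, commits to a distribution over which VNF on the chain is rescheduled each period; the attacker observes that distribution and best-responds by picking the VNF with the highest expected gain; the defender's payoff trades the loss at that target against the performance overhead of scheduling. The three-VNF chain, its asset values, image-pool sizes and scheduling costs, and the compromise-probability model (an exploit tuned to the current image fails only if the VNF is rescheduled and the replacement drawn from the pool differs from the exploited image) are constructed assumptions, and the equilibrium is found by grid search over the probability simplex rather than by the paper's solver.

```python
from itertools import product
from typing import Dict, Iterator, List, Tuple

# Constructed sample chain (not from the paper): each VNF carries an assumed
# asset value to the defender, the number of heterogeneous images in its pool,
# and the performance cost of one scheduling (executor replacement).
VNF = Tuple[str, float, int, float]
CHAIN: List[VNF] = [
    ("firewall", 10.0, 3, 1.0),
    ("ids",       6.0, 2, 2.0),
    ("nat",       3.0, 4, 0.5),
]
STEP = 0.05          # grid resolution over the defender's mixed strategy
COST_WEIGHT = 1.0    # assumed weight of scheduling overhead in the defender's payoff


def compromise_probability(pool_size: int, p_sched: float) -> float:
    """Assumed model: an exploit tuned to the current image succeeds within one
    period unless the VNF is scheduled (probability p_sched) and the replacement
    image drawn from the pool differs from the exploited one (1 - 1/pool_size)."""
    return 1.0 - p_sched * (1.0 - 1.0 / pool_size)


def attacker_best_response(strategy: List[float]) -> int:
    """The attacker (follower) observes the committed scheduling distribution and
    targets the VNF with the highest expected gain (asset value * compromise
    probability). Returns the index of that VNF in CHAIN."""
    gains = [value * compromise_probability(pool, p)
             for (_, value, pool, _), p in zip(CHAIN, strategy)]
    return gains.index(max(gains))


def defender_payoff(strategy: List[float]) -> float:
    """Defender's expected payoff: minus the expected loss at the attacker's best
    target, minus the weighted expected scheduling overhead over the chain."""
    target = attacker_best_response(strategy)
    _, value, pool, _ = CHAIN[target]
    loss = value * compromise_probability(pool, strategy[target])
    overhead = sum(p * cost for (_, _, _, cost), p in zip(CHAIN, strategy))
    return -loss - COST_WEIGHT * overhead


def simplex_grid(n: int, step: float) -> Iterator[List[float]]:
    """Yield every probability vector of length n on a grid of resolution step.
    Exactly one VNF is scheduled per period, so the entries sum to one."""
    k = round(1.0 / step)
    for counts in product(range(k + 1), repeat=n - 1):
        if sum(counts) <= k:
            yield [c * step for c in counts] + [(k - sum(counts)) * step]


def solve_scheduling_probabilities() -> Dict[str, float]:
    """Leader's problem: pick the scheduling distribution that maximizes the
    defender's payoff given that the attacker best-responds to it."""
    best_strategy, best_payoff = None, float("-inf")
    for strategy in simplex_grid(len(CHAIN), STEP):
        payoff = defender_payoff(strategy)
        if payoff > best_payoff:
            best_strategy, best_payoff = strategy, payoff
    return {name: round(p, 2) for (name, *_), p in zip(CHAIN, best_strategy)}


if __name__ == "__main__":
    probs = solve_scheduling_probabilities()
    print("scheduling probabilities:", probs)
    print("defender payoff:", round(defender_payoff([probs[n] for n, *_ in CHAIN]), 3))
```

With these constructed values the solver spends the scheduling budget on the firewall and the IDS and never reschedules the NAT, because its asset value is low enough that it is never the attacker's best target; a VNF that cannot attract the attacker earns nothing from being rotated and only adds overhead. Replacing the grid search with a linear program per attacker target (the standard multiple-LP approach for Stackelberg security games) is the natural next step for longer chains.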