ISSN 1000-1239 CN 11-1777/TP

计算机研究与发展 (Journal of Computer Research and Development), 2017, Vol. 54, Issue 12: 2761-2771. doi: 10.7544/issn1000-1239.2017.20160461

• Information Security •

Path and Port Address Hopping Based SDN Proactive Defense Technology

Zhang Liancheng1, Wei Qiang1, Tang Xiucun2, Fang Jiabao1

  1(State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450002); 2(Jiangnan Institute of Computing Technology, Wuxi, Jiangsu 214083) (liancheng17@gmail.com)
  • Online: 2017-12-01
  • Funding: National Natural Science Foundation of China (61402526, 61402525, 61502528)

Abstract: Existing path hopping techniques are not effective enough against an attacker who can intercept and analyze traffic across the whole network, and existing port and address hopping techniques spend too much effort on hopping synchronization and are difficult to deploy. To mitigate these problems, a path and port address hopping based SDN proactive defense (PPAH-SPD) scheme is proposed. It makes full use of SDN characteristics (separation of the control plane and data plane, logically centralized control) and introduces multi-path routing. PPAH-SPD first models the path hopping problem as a constraint solving problem and uses a satisfiability modulo theories (SMT) solver to obtain multiple available paths that satisfy the overlap and capacity constraints. Then, according to the path hopping strategy and a specific hopping interval, the SDN controller installs the corresponding port and address hopping flow entries into all OpenFlow switches along the selected path; these switches forward the corresponding flows correctly while simultaneously rewriting their port and address information. Theoretical analysis and experimental results show that PPAH-SPD achieves random hopping of the transmission path between the two communicating parties, and of the ports and addresses along each transmission path, with comparatively small communication delay and computation overhead, and improves the proactive defense capability of an SDN network against global interception and analysis attacks, denial of service attacks and insider threats.

Key words: software defined network (SDN), moving target defense, path hopping, port and address hopping, proactive defense
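As an added illustration of the two steps the abstract describes (constraint-based selection of hopping paths, then per-interval flow entries that forward and rewrite addresses), and not the paper's own code: a constructed toy topology, an exhaustive search standing in for the SMT solver, and a round-robin schedule standing in for the controller's random choice. Node names, link capacities, the address pool and the rule that only the egress switch restores the real destination are assumptions.

```python
from itertools import combinations

# Constructed topology (assumption): undirected link -> capacity in Mb/s.
LINKS = {("h1", "s1"): 100, ("s1", "s2"): 10, ("s1", "s3"): 10, ("s2", "s4"): 10,
         ("s3", "s4"): 10, ("s1", "s4"): 5, ("s4", "h2"): 100}

def neighbors(node):
    for a, b in LINKS:
        if a == node: yield b
        elif b == node: yield a

def links_of(path):
    # Normalise each hop to the key used in LINKS regardless of direction.
    return {(a, b) if (a, b) in LINKS else (b, a) for a, b in zip(path, path[1:])}

def simple_paths(src, dst, path=None):
    path = path or [src]
    if path[-1] == dst:
        yield path
        return
    for n in neighbors(path[-1]):
        if n not in path:
            yield from simple_paths(src, dst, path + [n])

def select_hop_paths(src, dst, k, max_overlap, demand):
    """Return k paths such that any two share at most max_overlap links
    (overlap constraint) and every link on each path can carry the flow's
    demand (capacity constraint), or None if no such set exists. Exhaustive
    search over candidate sets stands in for the SMT solver used in the paper."""
    candidates = [p for p in simple_paths(src, dst)
                  if all(LINKS[l] >= demand for l in links_of(p))]
    for combo in combinations(candidates, k):
        if all(len(links_of(p) & links_of(q)) <= max_overlap
               for p, q in combinations(combo, 2)):
            return list(combo)
    return None

def flow_entries(paths, slots, pool):
    """Per hopping slot, one entry per switch on the active path:
    (switch, next hop, destination address the switch rewrites to).
    Transit switches use a transient address from the constructed pool;
    the egress switch restores the real destination host."""
    out = {}
    for t in range(slots):
        path = paths[t % len(paths)]
        switches = [n for n in path if n.startswith("s")]
        out[t] = [(sw, path[path.index(sw) + 1],
                   pool[(t + i) % len(pool)] if i < len(switches) - 1 else path[-1])
                  for i, sw in enumerate(switches)]
    return out
```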
